How-to / Guide: TP-Link TL-MR11U Router with OpenWrt – Barrier Breaker 14.07 – as VPN Gateway to Private Internet Access.

Finally…after a lot of blood sweat and tears 😀

Setting up a 2nd router as VPN Gateway
…in this guide to the VPN provider Private Internet Access…

Router: TP-Link TL-MR11U
…cheap Chinese travel router with only 4 MB flash…

This guide is a rip off based on the excellent guide by Logan Marchione:
https://www.loganmarchione.com/2015/02/openwrt-with-openvpn-client-on-tp-link-tl-mr3020-3/

My background is not IT/programming so the below is based on a lot of trial and error and might not be the easiest way to get this going and for sure…there are some errors in there 😉

Flash MR11U with an OpenWrt image

Firmware images are available at openwrt.org – however, for the MR11U these are older images with the Attitude Adjustment version of OpenWrt, and not all the needed packages are built in (yes…I tried!). MR11U images are available here.

Therefore an image with a newer version of OpenWrt is needed – e.g. Barrier Breaker – either search the web to find one or build your own – how to build your own image is explained here.

An image made by Gargoyle is available here:
https://www.gargoyle-router.com/downloads/images/ar71xx/gargoyle_1.7.2-ar71xx-generic-tl-mr11u-v2-squashfs-sysupgrade.bin
…this is with Gargoyle version 1.7.2 – a newer one might be available for your router…

Download the image from Gargoyle

Gargoyle provides free, OpenWrt-based firmware for routers with its own web management interface, ‘Gargoyle’.
Note: OpenWrt images come with the web interface LuCI. It seems LuCI offers more options for changing the router parameters.
Help needed: How to switch the web interface from Gargoyle to LuCI??

Switch off wifi on the computer, plug a lan cable into the router (the other end goes to the computer) and then go to http://192.168.1.1:

http://192.168.1.1
Login with default username and password

Flash the image to the router:

The software restore/update option is available under the System menu – choose the downloaded image and do a restore.
## remember to make a backup of the current image first!

Set time zone and configure a wireless network in Gargoyle

The router has restarted and now:

http://192.168.1.1
Log into Gargoyle – the password is: password

Change only a few parameters through the Gargoyle web interface – the rest will be set up directly on the router through SSH – command line interface.

Router password – new Admin Password:

Set a new router password

Time Zone:

Set up NTP to your time zone (remember to save)

Device as Gateway and Internet/WAN disabled:

(screenshot: gw_internet-wan)

Basic wireless configuration:

(screenshot: wireless_settings)

The router’s LAN address has been changed to 192.168.2.1 to avoid an IP address conflict with the primary/ADSL router – many routers’ default address is 192.168.1.1. The IP address is free to choose, but the subnet must match.

Save Changes and restart the router.

The rest is according to Logan Marchione’s guide – with a few modifications and add-ons…

Set up WAN, network and firewall / routing profiles and unbridge LAN

Unplug the lan cable and connect through wifi to the router (remember the IP address is now 192.168.2.1 and the password is the one entered for wifi).

From here it is through the command line interface.
Use a terminal program, e.g. PuTTY under Windows, and establish an SSH connection:

ssh root@192.168.2.1
Password: …the one entered for the router in Gargoyle…

Looks like this:

(screenshot: BusyBox banner after login)

WAN:

uci set network.WAN=interface
uci set network.WAN.proto=dhcp
uci set network.WAN.ifname=eth0
uci commit network

Skip this one:
On the next screen, under Common Configuration, go to the Firewall Settings tab and select WAN. Press Save & Apply to continue.
Not available in Gargoyle’s web interface and the firewall zones will be set up later anyway.

Assign the new WAN interface to the existing wan firewall zone – this replaces the default ‘wan wan6’ list:

uci set firewall.@zone[1].network='WAN'
uci commit firewall
/etc/init.d/network restart
/etc/init.d/firewall restart

Un-bridge LAN:

uci delete network.lan.ifname
uci delete network.lan.type
uci commit network
/etc/init.d/network restart

…remember to check your internet access at this point…

Create VPN config files

Create folders for the VPN config files – PIA’s ca.crt and crl.pem go into /etc/config/openvpn, authuser and the profile into /etc/openvpn:

mkdir -p /etc/config/openvpn /etc/openvpn

Set up a network interface for the tunnel = PIA_VPN:

cat >> /etc/config/network << EOF
config interface 'PIA_VPN'
    option proto 'none'
    option ifname 'tun0'
EOF
/etc/init.d/network restart

Download PIA’s configuration files to your computer – zip file:

https://www.privateinternetaccess.com/openvpn/openvpn.zip

Workaround:

Create a new zip with only the needed country profiles – openvpn_cl.zip – containing the settings for US East, Netherlands and Brazil – and place it on a plain-http web server (uploaded through FTP).

…this is not mandatory – the ‘original’ openvpn.zip can be used instead – remember to replace openvpn_cl.zip with openvpn.zip in the below…

The reason is that wget on the router cannot fetch from a secure site (https), even with --no-check-certificate: the BusyBox wget that ships with Barrier Breaker is built without SSL support, so it only handles plain http.

openvpn_cl.zip is available here:
http://www.dnul.dk/openvpn_cl.zip

Note that ca.crt from that zip is what the router later uses to verify the PIA server, so a copy fetched over plain http from a third-party site is only as trustworthy as that site and the path to it – compare it with the file in the zip downloaded from PIA over https before using it.

Create authuser – insert your own PIA credentials. Replace PIA_USERNAME with your username and PIA_PASSWORD with your password:

cat >> /etc/openvpn/authuser << EOF
PIA_USERNAME
PIA_PASSWORD
EOF

Create the piageneric profile, but with the full path to ca.crt, authuser and crl.pem:

cat >> /etc/openvpn/piageneric.ovpn << EOF
client
dev tun
proto udp
resolv-retry infinite
nobind
persist-key
persist-tun
ca /etc/config/openvpn/ca.crt
tls-client
remote-cert-tls server
auth-user-pass /etc/openvpn/authuser
auth-nocache
comp-lzo
verb 1
reneg-sec 0
crl-verify /etc/config/openvpn/crl.pem
keepalive 10 120
EOF

Create a new firewall zone VPN_FW for the VPN connection, with masquerading and a forwarding rule from lan into it. Note that the default forwarding from lan to the wan zone is still present, so if the tunnel goes down, client traffic leaves unencrypted through the ADSL router – removing that lan-to-wan forwarding would turn the gateway into a kill switch:

cat >> /etc/config/firewall << EOF
config zone
    option name 'VPN_FW'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'
    option network 'PIA_VPN'
config forwarding
    option dest 'VPN_FW'
    option src 'lan'
EOF
/etc/init.d/network restart
/etc/init.d/firewall restart

To avoid warning messages when starting the VPN connection (OpenVPN complains if the credentials file is readable by others), the permissions for authuser must be changed:

chmod 600 /etc/openvpn/authuser

Run openvpn-ssl in RAM and configure DNS servers

Workaround:

Next is to get openvpn-ssl (the openvpn-openssl package) installed, but there is not enough flash space on the TL-MR11U – there is not even room for the packages needed to access a USB flash drive (the extroot part in LM’s guide), e.g. kmod-usb-storage.

Instead openvpn-ssl will be downloaded and loaded into RAM at every startup.

Another approach is to load kmod-usb-storage into RAM and then carry out the extroot exercise. It requires kmod-usb-storage to be loaded into RAM at startup; openvpn-ssl would then be stored on the flash drive and would not have to be downloaded at every startup.

The following is based on n0pin’s guide (thanks!):
https://forum.openwrt.org/viewtopic.php?id=48866

Define variables:

OPENVPNURL="http://downloads.openwrt.org/barrier_breaker/14.07/ar71xx/generic/packages/base/openvpn-openssl_2.3.6-2_ar71xx.ipk"
PORT="1194"
PROTOCOL="udp"

Create symlinks for the libraries of openvpn-ssl running in RAM – opkg -d ram installs under /tmp, but the openvpn binary looks for its shared libraries in /lib:

ln -s /tmp/usr/lib/libssl.so.1.0.0 /lib
ln -s /tmp/usr/lib/libcrypto.so.1.0.0 /lib
ln -s /tmp/usr/lib/liblzo2.so.2 /lib

Add commands to the top of /etc/rc.local so openvpn-ssl is downloaded and loaded into RAM at startup – the connection is to US East (the existing contents of rc.local are kept after the new lines):

cat > /tmp/rc.local.new << EOF
while ! ping -c1 www.google.com >/dev/null 2>&1; do :; done
opkg update
wget -O /tmp/openvpn-openssl.ipk "$OPENVPNURL"
opkg install /tmp/openvpn-openssl.ipk -d ram
rm /tmp/openvpn-openssl.ipk
/tmp/usr/sbin/openvpn --cd /etc/openvpn --config /etc/openvpn/piageneric.ovpn --remote us-east.privateinternetaccess.com 1194 & exit 0

EOF
cat /etc/rc.local >> /tmp/rc.local.new
cat /tmp/rc.local.new > /etc/rc.local

Add iptables rules to the top of /etc/firewall.user (is this needed??):

cat > /tmp/firewall.user.new << EOF
iptables -t nat -A prerouting_wan -p $PROTOCOL --dport $PORT -j ACCEPT
iptables -A input_wan -p $PROTOCOL --dport $PORT -j ACCEPT
iptables -I INPUT -i tun+ -j ACCEPT
iptables -I FORWARD -i tun+ -j ACCEPT
iptables -I OUTPUT -o tun+ -j ACCEPT
iptables -I FORWARD -o tun+ -j ACCEPT

EOF
cat /etc/firewall.user >> /tmp/firewall.user.new
cat /tmp/firewall.user.new > /etc/firewall.user

The first two rules accept incoming connections to port 1194 on the WAN side, which only an OpenVPN server needs – the router here is a client and makes outbound connections only. The tun+ rules overlap with the VPN_FW zone set up above.

Hand PIA’s DNS servers to the LAN clients via DHCP option 6, so their lookups do not go to the ADSL router’s resolver (dnsmasq serves the option, so restart it as well):

uci add_list dhcp.lan.dhcp_option="6,209.222.18.222,209.222.18.218"
uci commit dhcp
/etc/init.d/dnsmasq restart
/etc/init.d/network restart

Showtime 🙂

Power off the router, pray to the VPN gods and then power it on!

Check IP address:

http://vpngate.net

Check for DNS leaks:

http://dnsleak.com

Success – we are now safe out there and able to watch US Netflix – happy happy 🙂

Checkpoints and (other) open issues

Check if the tunnel has been established – tun0 should be in the list when issuing the ifconfig command:

ifconfig

Check that /etc/rc.local is correct:

vi /etc/rc.local

It should look like this (correct it if not):

while ! ping -c1 www.google.com >/dev/null 2>&1; do :; done
opkg update
wget -O /tmp/openvpn-openssl.ipk "http://downloads.openwrt.org/barrier_breaker/14.07/ar71xx/generic/packages/base/openvpn-openssl_2.3.6-2_ar71xx.ipk"
opkg install /tmp/openvpn-openssl.ipk -d ram
rm /tmp/openvpn-openssl.ipk
/tmp/usr/sbin/openvpn --cd /etc/openvpn --config /etc/openvpn/piageneric.ovpn --remote us-east.privateinternetaccess.com 1194 & exit 0
# Put your custom commands here that should be executed once
# the system init finished. By default this file does nothing.

Sometimes the VPN tunnel is not established when the router is restarted (RAM is cleared) – openvpn-ssl is not loaded into /tmp/usr/sbin – maybe an idea to add an extra delay in rc.local before pinging google – insert a 1 min (60 s) do-nothing on the first line in rc.local??

sleep 60
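As an added example (not part of the original guide), a small check script for this boot-time problem: instead of a fixed sleep it inspects ifconfig and route -n for tun0, waits up to MAX_WAIT seconds and restarts openvpn if the tunnel never comes up. Paths and the PIA server name are the guide’s; MAX_WAIT, POLL and the SAMPLE_* outputs are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the original guide: check that the PIA tunnel is
# really up (tun0 present and carrying the default route) and restart
# openvpn if it is not, instead of the fixed sleep in /etc/rc.local.
# MAX_WAIT, POLL and the SAMPLE_* strings (BusyBox ifconfig / route -n
# format) are constructed for illustration; paths follow the guide.
OPENVPN_BIN=/tmp/usr/sbin/openvpn
OVPN_CONF=/etc/openvpn/piageneric.ovpn
PIA_SERVER=us-east.privateinternetaccess.com
MAX_WAIT=120   # seconds to wait before restarting openvpn
POLL=5         # seconds between checks

# tunnel_up IFCONFIG_TEXT: 0 if the tun0 block contains an "inet addr:" line.
tunnel_up() {
    printf '%s\n' "$1" | awk '
        /^[^ \t]/              { in_tun = ($1 == "tun0") }
        in_tun && /inet addr:/ { found = 1 }
        END                    { exit found ? 0 : 1 }'
}

# default_via_tun ROUTE_TEXT: 0 if a 0.0.0.0 route (plain default, or the
# 0.0.0.0/128.0.0.0 half OpenVPN adds for redirect-gateway) leaves via tun0.
default_via_tun() {
    printf '%s\n' "$1" | awk '$1 == "0.0.0.0" && $NF == "tun0" { ok = 1 }
                               END { exit ok ? 0 : 1 }'
}

# ensure_tunnel: poll the live router state; if the tunnel never comes up,
# kill any stuck openvpn and start it again (--daemon, so this returns).
# Returns 0 when the tunnel is up, 1 when a restart was needed.
ensure_tunnel() {
    waited=0
    while [ "$waited" -lt "$MAX_WAIT" ]; do
        tunnel_up "$(ifconfig)" && default_via_tun "$(route -n)" && return 0
        sleep "$POLL"; waited=$((waited + POLL))
    done
    killall openvpn 2>/dev/null
    "$OPENVPN_BIN" --cd /etc/openvpn --config "$OVPN_CONF" \
        --remote "$PIA_SERVER" 1194 --daemon
    return 1
}

SAMPLE_IFCONFIG_UP='eth0      Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet addr:192.168.1.20  Bcast:192.168.1.255  Mask:255.255.255.0
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.6  P-t-P:10.8.0.5  Mask:255.255.255.255'
SAMPLE_ROUTE_UP='Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.8.0.5        128.0.0.0       UG    0      0        0 tun0
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0'
```

On the router, source the file from rc.local and call `ensure_tunnel` in place of the sleep; the SAMPLE_* variables only exist so the two parsers can be exercised without a live tunnel.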

Access another server, e.g. the one in Brazil – stop the running client first, then start a new one from the command line with us-east replaced by brazil (--daemon instead of the “& exit 0” from rc.local, otherwise the SSH session is closed):

killall openvpn
/tmp/usr/sbin/openvpn --cd /etc/openvpn --config /etc/openvpn/piageneric.ovpn --remote brazil.privateinternetaccess.com 1194 --daemon

Check network and firewall settings (thanks ‘guest’!):

http://pastebin.com/C0d4pudk

Again…vi is your friend if something needs to be corrected.

Network config:

vi /etc/config/network

Firewall config:

vi /etc/config/firewall
