Finally…after a lot of blood sweat and tears 😀
Setting up a 2nd router as VPN Gateway
…in this guide to the VPN provider Private Internet Access…
Router: TP-Link TL-MR11U
…cheap Chinese travel router with only 4 MB flash…
This guide is a rip off based on the excellent guide by Logan Marchione:
My background is not IT/programming so the below is based on a lot of trial and error and might not be the easiest way to get this going and for sure…there are some errors in there 😉
Flash MR11U with an OpenWrt image
Firmware images are available at openwrt.org – however for MR11U, these are older images with the Attitude Adjustment version of OpenWrt and all the needed packages are not built in (yes…I tried!). MR11U images are available here.
Therefore an image with a newer version of OpenWrt is needed – e.g. Barrier Braker – either search the web to find one or build your own – how to build your own image is explained here.
An image made by Gargoyle is available here:
…this is with Gargoyle version 1.7.2 – a newer one might be available for your router…
Download the image from Gargoyle
Gargoyle is making free firmware for routers with their own web management interface ‘Gargoyle’.
Note: OpenWrt images comes with the web interface LuCI. It seems LuCI offers more options of changing the router parameters.
Help needed: How to switch the web interface from Gargoyle to LuCI??
Switch off wifi on the computer, plug a lan cable into the router (the other end goes to the computer) and then go to http://192.168.1.1:
Login with default username and password
Flash the image to the router:
The software restore/update option is available under the system menu – choose the downloaded image and do a restore
## remember to make a backup of the current image first!
Set time zone and configure a wireless network in Gargoyle
The router has restarted and now:
Log into Gargoyle – the password is: password
Change only a few parameters through the Gargoyle web interface – the rest will be set up directly on the router through SSH – command line interface.
Router password – new Admin Password:
Set a new router password
Set up NTP to your time zone (remember to save)
Device as Gateway and Internet/WAN disabled:
Basic wireless configuration:
The router’s LAN address has been changed to 192.168.2.1 to avoid an IP address conflict with the primary/ADSL router – many router’s default address is 192.168.1.1. IP address is free to choose but subnet must match.
Save Changes and restart the router.
The rest is according to Logan Marchione’s guide – with a few modifications and add-ons…
Set up WAN, network and firewall / routing profiles and unbridge LAN
Unplug the lan cable and connect through wifi to the router (remember the IP address is now 192.168.2.1 and the password is the one entered for wifi).
From here it is through the command line interface.
Use a terminal program e.g. Putty under Windows and establish a SSH connection:
Password: …the one entered for the router in Garoyle…
Looks like this:
uci set network.WAN=interface
uci set network.WAN.proto=dhcp
uci set network.WAN.ifname=eth0
uci commit network
Skip this one:
On the next screen, under Common Configuration, go to the Firewall Settings tab and select WAN. Press Save & Apply to continue.
Not available in Gargoyle’s web interface and the firewall zones will be set up later anyway.
Firewall zone for WAN (leave out wan and wan6):
uci set firewall.@zone.network=’WAN’
uci commit firewall
uci delete network.lan.ifname
uci delete network.lan.type
uci commit network
…remember to check your internet access at this point…
Create VPN config files
Create a folder for the VPN config files:
Set up a network interface for the tunnel = PIA_VPN:
cat >> /etc/config/network << EOF
config interface ‘PIA_VPN’
option proto ‘none’
option ifname ‘tun0’
Download PIA’s configuration files to your computer – zip file:
Create a new zip with the needed country profiles – openvpn_cl.zip – containing the settings for US East, Netherlands and Brazil – place the zip file on a non secure web server through FTP.
…this is not mandatory – the ‘original’ openvpn.zip can be used instead – remember to replace openvpn_cl.zip with openvpn.zip in the below…
Reason is that wget from a secure site (https) is not working even with –no-check-certificate (why??).
opencpn_cl.zip is available here:
Create authuser – insert your own PIA credentials. Replace PIA_USERNAME with your username and PIA_PASSWORD with your password:
cat >> /etc/openvpn/authuser << EOF
Create the piageneric profile but with the full path to ca.crt, authuser and crl-perm:
cat >> /etc/openvpn/piageneric.ovpn << EOF
keepalive 10 120
Create a new firewall zone VPN_FW for the VPN connection:
cat >> /etc/config/firewall << EOF
option name ‘VPN_FW’
option input ‘REJECT’
option output ‘ACCEPT’
option forward ‘REJECT’
option masq ‘1’
option mtu_fix ‘1’
option network ‘PIA_VPN’
option dest ‘VPN_FW’
option src ‘lan’
To avoid warning messages when starting the VPN connection, permissions for authuser must be changed:
chmod 600 /etc/config/openvpn/authuser
Run openvpn-ssl in RAM and configure DNS servers
Next is to get openvpn-ssl installed but there is not enough memory available on the TL-MR11U – and there is not even memory enough to install the packages needed to access a USB flash drive (the extroot part in LM’s guide) – e.g. kmod-usb-storage.
Instead openvpn-ssl will be loaded into the RAM at startup.
Another approach is to load kmod-usb-storage into the RAM and then carry out the extroot exercise. It will require kmod-usb-storage to be loaded into the RAM at startup and openvpn-ssl will then have to be stored on the flash drive. This way openvpn-ssl will not have to be dowloaded at startup.
The following is based on n0pin’s guide (thanks!):
Create libraries for openvpn-ssl running in RAM:
ln -s /tmp/usr/lib/libssl.so.1.0.0 /lib
ln -s /tmp/usr/lib/libcrypto.so.1.0.0 /lib
ln -s /tmp/usr/lib/liblzo2.so.2 /lib
Add commands to /etc/rc.local so openvpn-ssl is downloaded and loaded into the RAM at startup – connection is to US East:
echo -e “while ! ping -c1 www.google.com &>/dev/null; do :; done\nopkg update\nwget -O /tmp/openvpn-openssl.ipk “$OPENVPNURL”\nopkg install /tmp/openvpn-openssl.ipk -d ram\nrm /tmp/openvpn-openssl.ipk\n/tmp/usr/sbin/openvpn –cd /etc/openvpn –config /etc/openvpn/piageneric.ovpn –remote us-east.privateinternetaccess.com 1194 & exit 0\n\n$(cat /etc/rc.local)” > /etc/rc.local
Add IP tables to /etc/firewall.user (is this needed??):
echo -e “iptables -t nat -A prerouting_wan -p $PROTOCOL –dport $PORT -j ACCEPT\niptables -A input_wan -p $PROTOCOL –dport $PORT -j ACCEPT\niptables -I INPUT -i tun+ -j ACCEPT\niptables -I FORWARD -i tun+ -j ACCEPT\niptables -I OUTPUT -o tun+ -j ACCEPT\niptables -I FORWARD -o tun+ -j ACCEPT\n\n$(cat /etc/firewall.user)” > /etc/firewall.user
Set the VPN connection to use PIA’s DNS servers:
uci add_list dhcp.lan.dhcp_option=”6,188.8.131.52,184.108.40.206″
uci commit dhcp
Power off the router, pray to the VPN gods and then power it on!
Check IP address:
Check for DNS leaks:
Success – we are now safe out there and able to watch US Netflix – happy happy 🙂
Checkpoints and (other) open issues
Check if the tunnel has been established – tun0 – should be in the list when issuing the ifconfig command:
Check that etc/rc.local is correct:
It should look like this (correct it if not):
while ! ping -c1 www.google.com &>/dev/null; do :; done
wget -O /tmp/openvpn-ssl.ipk “http://downloads.openwrt.org/barrier_breaker/14.07/ar71xx/generic/packages/base/openvpn-openssl_2.3.6-2_ar71xx.ipk”
opkg install /tmp/openvpn-ssl.ipk -d ram
/tmp/usr/sbin/openvpn –cd /etc/openvpn –config /etc/openvpn/piageneric.ovpn –remote us-east.privateinternetaccess.com 1194 & exit 0
# Put your custom commands here that should be executed once
# the system init finished. By default this file does nothing.
Sometimes the VPN tunnel is not established when the router is restarted (RAM is cleared) – the openvpn-ssl is not loaded into /tmp/user/sbin – maybe an idea to add an extra delay in rc.local before pinging google – insert a 1 min do-nothing on the first line in rc.local??
Access another server e.g. the one in Brazil – just execute the following from the command line – us-east is replaced with brazil:
/tmp/usr/sbin/openvpn –cd /etc/openvpn –config /etc/openvpn/piageneric.ovpn –remote brazil.privateinternetaccess.com 1194 & exit 0
Check network and firewall settings (thanks ‘guest’!):
Again…vi is your friend if something needs to be corrected.