Friday, May 20, 2016

Configuring your OpenWRT router to use ExpressVPN to provide unrestricted internet access to all your devices

Problem statement:
I am in China. I have subscribed to ExpressVPN to check my Gmail and Facebook. I have a pocket router (TL-MR3020). How can I use that VPN for all my devices (laptop, mobile, tablet, Android TV box)? The TL-MR3020 can run OpenWrt. It has a USB port, an Ethernet port and 802.11b/g/n WiFi.

Here are the steps. They involve downloading packages to your OpenWrt router, and the OpenWrt package repositories are blocked in China as well, so complete steps 1 to 4 in your home country before you fly to China. (If you are already in China, you can install the ExpressVPN client on your laptop and share that VPN connection with your OpenWrt router; refer to this blog post for the steps on how to do that.)

  1. Install OpenWrt on your TL-MR3020 router. (Refer to this blog post on how to do that; the latest version is a bit big and needs a USB flash drive as extra storage.)
  2. Connect your OpenWrt router to unrestricted internet. Make sure you can reach the router's console over SSH or serial (using PuTTY).
  3. Install the OpenVPN packages on your TL-MR3020 by issuing the following commands on the console:
    # opkg update
    # opkg install openvpn-openssl luci-app-openvpn ca-certificates
  4. Reboot the router.
  5. After this point your router no longer needs unrestricted internet access, so you can connect the TL-MR3020 to the restricted network; just make sure your laptop and your router are on the same network. In my case I connected my TL-MR3020 to my set-top box, which has a built-in WiFi router. The set-top box was provided by my Chinese ISP.
    [Screenshot: my TL-MR3020 connected to my Chinese ISP's set-top box]
  6. Using a web browser, log in to your ExpressVPN account and download the OpenVPN configuration file (.ovpn) for the VPN server you want to connect to. These .ovpn files are tied to your account and do not need editing (no login or password to fill in); they keep working as long as you keep renewing your subscription. The file typically embeds your client certificate and private key, so treat it like a password: anyone who copies it can use your VPN account. If your file contains a line reading just `auth-user-pass`, OpenVPN will prompt for a username and password on the console, which nobody can answer at boot time; in that case point the line at a credentials file (`auth-user-pass /etc/openvpn/auth.txt`, username on line 1, password on line 2, mode 600) before using it on the router.

    I downloaded "my_expressvpn_uk_-_berkshire_-_2_udp.ovpn" for my use
    [Screenshot: downloading the .ovpn files]
  7. Use WinSCP to connect to your router and upload this .ovpn file to the /etc/openvpn folder, then restrict it to root (chmod 600 /etc/openvpn/*.ovpn) since it contains your key. You can upload more .ovpn files in case you want to switch servers later.
    [Screenshot: uploading the .ovpn files to the TL-MR3020 using WinSCP]
  8. Configure the following files using the nano editor over a PuTTY SSH session (they correspond to the LuCI pages in the screenshots further down). Mind the naming: in /etc/config/network the interface called 'lan' is eth0, the upstream link towards the set-top box, while your own devices live on the interface called 'wifi'.

    /etc/config/wireless
    config wifi-device 'radio0'
     option type 'mac80211'
     option hwmode '11g'
     option path 'platform/ar933x_wmac'
     option htmode 'HT20'
     option disabled '0'
     option channel '4'
     option txpower '15'
     option country 'US'
    
    # Access point for your own devices; it is attached to the 'wifi'
    # network from /etc/config/network, not to 'lan' (which is eth0)
    config wifi-iface
     option device 'radio0'
     option mode 'ap'
     option ssid 'YOUR_SSID'
     option network 'wifi'
     # WPA2-PSK; use a long passphrase, this is the only thing keeping
     # neighbours off your tunnel
     option encryption 'psk2'
     option key 'YOUR_PASSWORD'
    
    /etc/config/network
    config interface 'loopback'
     option ifname 'lo'
     option proto 'static'
     option ipaddr '127.0.0.1'
     option netmask '255.0.0.0'
    
    config globals 'globals'
     option ula_prefix 'fd59:92ba:e14c::/48'
    
    # Despite its name, 'lan' is the upstream side: eth0 plugged into the
    # set-top box, taking its address from the ISP box's DHCP server
    config interface 'lan'
     option ifname 'eth0'
     option proto 'dhcp'
    
    # Your devices connect here (wlan0 is attached through /etc/config/wireless);
    # the router is 172.16.0.1/24 on this side. The _orig_* lines are LuCI
    # bookkeeping and can be left alone.
    config interface 'wifi'
     option _orig_ifname 'wlan0'
     option _orig_bridge 'false'
     option proto 'static'
     option ipaddr '172.16.0.1'
     option netmask '255.255.255.0'
    
    # tun0 is created by OpenVPN when the tunnel comes up; proto 'none'
    # leaves the addressing to OpenVPN but lets the firewall put tun0 in a zone
    config interface 'EXP_VPN'
     option proto 'none'
     option ifname 'tun0'
    

    /etc/config/firewall
    config defaults
     option syn_flood '1'
     option input 'ACCEPT'
     option output 'ACCEPT'
     option forward 'REJECT'
    
    # Zone for your own devices (the 'wifi' network)
    config zone
     option name 'lan'
     option input 'ACCEPT'
     option output 'ACCEPT'
     option forward 'ACCEPT'
     option network 'wifi'
    
    config include
     option path '/etc/firewall.user'
    
    # Zone for the tunnel (tun0); client traffic is masqueraded behind the
    # VPN address, and mtu_fix clamps TCP MSS so large packets fit the tunnel
    config zone
     option name 'VPN_FW'
     option network 'EXP_VPN'
     option input 'REJECT'
     option output 'ACCEPT'
     option forward 'REJECT'
     option masq '1'
     option mtu_fix '1'
    
    # The only forwarding rule: your devices may go out through the tunnel
    # and nowhere else
    config forwarding
     option dest 'VPN_FW'
     option src 'lan'
    
    # Upstream side: the zone is called 'wan' but holds the network called
    # 'lan' (eth0 towards the set-top box)
    config zone
     option name 'wan'
     option input 'ACCEPT'
     option forward 'REJECT'
     option output 'ACCEPT'
     option network 'lan'

    Two things are worth noting about this firewall. First, there is deliberately no forwarding from the 'lan' zone to the 'wan' zone, so if the tunnel is down your devices get no internet at all rather than an unprotected connection straight to the ISP; this is what makes the setup fail closed. Second, the 'wan' zone has input set to ACCEPT, which leaves SSH and LuCI reachable from the set-top box's network. That is convenient while you are setting the router up from the laptop on that network; once everything works, change it to REJECT (or add rules that allow SSH/LuCI only from the 'lan' zone) so that only your own devices can administer the router.
    
  9. Issue the following commands so that the DHCP server hands out Google Public DNS (8.8.8.8 and 8.8.4.4) to your devices instead of the ISP's resolvers. This assumes the DHCP pool serving your devices is the section named 'lan' in /etc/config/dhcp (check with `uci show dhcp`; if the pool for the 'wifi' interface has a different section name, use that instead of `lan`):

    # uci add_list dhcp.lan.dhcp_option="6,8.8.8.8,8.8.4.4"
    # uci commit dhcp
    # reboot

    Your devices then send their DNS queries to 8.8.8.8 directly, and since the only forwarding path the firewall allows them is into the tunnel, those queries travel through the VPN rather than to the ISP's resolvers (and are rejected while the tunnel is down).
  10. Log in to LuCI on your OpenWrt router and add a startup task (System > Startup, local startup script) so that OpenVPN brings the tunnel up at boot. Use the name of the .ovpn file you uploaded in step 7; the line below is the one from my setup (append `--daemon` if you do not want it to tie up the startup script):

    openvpn --cd /etc/openvpn --config /etc/openvpn/my_expressvpn_south_korea_udp.ovpn
    [Screenshot: configuring a startup task]

    Please note that, started this way, OpenVPN runs only once: if it cannot reach the VPN server (for example because the name lookup fails while eth0 is still waiting for its DHCP lease and the profile lacks `resolv-retry infinite`), it exits and nothing restarts it. Because the firewall gives your devices no path out except through the tunnel, they will then have no internet at all, and you may need to reboot the router manually by power cycling it.
  11. Now connect your devices to TL-MR3020's wifi signal and try accessing the internet.
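The following script is a pre-flight check for the profile before step 10, added here as an example; it is not code from the original post, from ExpressVPN or from OpenWrt. It catches the three things that make an unattended start fail or leak: a bare `auth-user-pass` line (OpenVPN would wait for a console prompt that never comes), a missing `resolv-retry infinite` (a DNS failure while eth0 is still getting its lease makes OpenVPN exit, which is the one-shot failure described in step 10), and a file that embeds your private key but is readable by everyone. It also prints the `/etc/config/openvpn` stanza that lets `/etc/init.d/openvpn` start the profile at boot instead of a LuCI startup task; that `option config` form is taken from the OpenWrt wiki page listed under References (3) and is an assumption about your OpenWrt release. The sample profile, the hostname `vpn.example.invalid` and the credentials path `/etc/openvpn/sample.auth` are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original post. Pre-flight checks for the
# .ovpn profile before it is started unattended on the router, plus the
# /etc/config/openvpn stanza that lets OpenWrt's init script start it at boot.
# Assumptions (not stated on the page): the profile may carry an
# 'auth-user-pass' line, and the OpenWrt openvpn package accepts
# "option config <path>" for a foreign .ovpn file (OpenWrt wiki, reference 3).
# Runs in BusyBox sh on the router and in bash/sh on a laptop.

# ovpn_check FILE: print findings; return 0 if the profile is safe for
# unattended use, 1 if something would make the boot-time start fail or
# leave the key exposed.
ovpn_check() {
    f=$1
    rc=0
    # A client profile needs at least one 'remote' line.
    if ! grep -Eq '^remote[[:space:]]' "$f"; then
        echo "ERROR: no 'remote' line in $f"; rc=1
    fi
    # 'auth-user-pass' with no argument makes OpenVPN prompt on the console.
    # At boot there is no console, so the client never comes up.
    if grep -Eq '^auth-user-pass[[:space:]]*$' "$f"; then
        echo "ERROR: bare 'auth-user-pass' would prompt for credentials at boot"; rc=1
    fi
    # Without 'resolv-retry infinite' a DNS failure while eth0 is still
    # waiting for its DHCP lease is fatal: OpenVPN exits and nothing restarts it.
    if ! grep -Eq '^resolv-retry[[:space:]]+infinite' "$f"; then
        echo "WARN: no 'resolv-retry infinite'; boot-time DNS failures will not be retried"; rc=1
    fi
    # The inline <key> block is the account's private key: only root may read it.
    if grep -q '^<key>' "$f" && [ "$(ls -l "$f" | cut -c1-10)" != "-rw-------" ]; then
        echo "ERROR: $f embeds a private key but is not mode 0600"; rc=1
    fi
    return $rc
}

# ovpn_harden FILE AUTHFILE: fix the findings in place. AUTHFILE is the
# credentials file (username on line 1, password on line 2) that a bare
# 'auth-user-pass' line is pointed at; create that file yourself, mode 0600.
ovpn_harden() {
    f=$1
    auth=$2
    tmp="$f.tmp.$$"
    sed "s|^auth-user-pass[[:space:]]*\$|auth-user-pass $auth|" "$f" > "$tmp"
    grep -Eq '^resolv-retry[[:space:]]+infinite' "$tmp" || echo 'resolv-retry infinite' >> "$tmp"
    mv "$tmp" "$f"
    chmod 600 "$f"
}

# openvpn_uci_section NAME OVPNPATH: print the /etc/config/openvpn stanza
# that makes /etc/init.d/openvpn start this profile at boot.
openvpn_uci_section() {
    printf "config openvpn '%s'\n\toption enabled '1'\n\toption config '%s'\n" "$1" "$2"
}

# write_sample_ovpn PATH: a constructed, deliberately imperfect profile used
# only to demonstrate the checks above (not an ExpressVPN file).
write_sample_ovpn() {
    cat > "$1" <<'EOF'
client
dev tun
proto udp
remote vpn.example.invalid 1195
auth-user-pass
<key>
-----BEGIN PRIVATE KEY-----
(constructed placeholder, not a real key)
-----END PRIVATE KEY-----
</key>
EOF
}

# Demonstration: check, harden, check again, print the init stanza.
demo() {
    d=$(mktemp -d)
    write_sample_ovpn "$d/sample.ovpn"
    ovpn_check "$d/sample.ovpn" || echo "-- profile not ready, hardening --"
    ovpn_harden "$d/sample.ovpn" /etc/openvpn/sample.auth
    ovpn_check "$d/sample.ovpn" && echo "-- profile ready for unattended use --"
    openvpn_uci_section expressvpn /etc/openvpn/sample.ovpn
    rm -rf "$d"
}
demo
```

Copy the script to the router (or run it on your laptop against the downloaded file) and call `ovpn_check` on your real profile before step 10. If you prefer the init-script route to a LuCI startup task, append the printed stanza to `/etc/config/openvpn` and run `/etc/init.d/openvpn enable`; the credentials file named by `auth-user-pass`, if you needed one, must be created by hand with your ExpressVPN username and password and `chmod 600`.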



Some more screenshots of LuCI's configuration pages; these correspond to the settings in the configuration files under /etc/config.








References:
  1. https://www.robertkehoe.com/2015/08/setup-openvpn-using-openwrt/
  2. https://www.loganmarchione.com/2014/10/openwrt-with-openvpn-client-on-tp-link-tl-mr3020/
  3. https://wiki.openwrt.org/doc/howto/vpn.client.openvpn.tun


3 comments:

Charles Gardner said...

Thank you for this great guide, it's exactly what I have been trying to do. Quick question: I followed all of the steps, but for some reason I am unable to get on the internet from any connected device now; I can ping sites from the router, though. Is there any place you would recommend checking?

Anurag Chugh said...

Hello Charles,
Thank you for pointing that out. I just noticed a mistake in step 9. Instead of dhcp.lan.dhcp_option="6,209.222.18.222,209.222.18.218"

it should be

dhcp.lan.dhcp_option="6,8.8.4.4,8.8.8.8"

I think that might be the issue. I think I had mistakenly retained the DNS servers of my Chinese service provider instead of Google's Public DNS (8.8.8.8 and 8.8.4.4).

Anurag Chugh said...

I changed it in the blog post above as well
