directnupe

  1. Dear Staff aka Mike and Company, my pleasure God Bless and Peace directnupe
  2. Yes, I run GETDNS and STUBBY. For those who wish to explore GETDNS and STUBBY, this method is the one recommended by DNSPRIVACY - see here:

    https://getdnsapi.net/
    https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Daemon+-+Stubby
    https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Clients#DNSPrivacyClients-Unbound

    Please read this carefully - you will note that it indicates:

    Unbound As A DNS TLS Client. Features: Unbound can be run as a local caching forwarder, configured to use SSL upstream, however it cannot yet authenticate upstreams, re-use TCP/TLS connections, be configured for Opportunistic mode or send several of the privacy related options (padding, ECS privacy) etc. Some users combine Unbound (as a caching proxy with other features such as DNS Blacklisting) and Stubby (as a fully featured TLS forwarder).

    These are the reasons I choose to use GETDNS and STUBBY with Unbound: so that I can take full advantage of all of the most secure privacy features available when running DNS OVER TLS. What I give you here is the absolute best method of implementation and deployment of DNS OVER TLS. For any and all who may be wondering why DNS OVER TLS is all the rage, read this: https://tenta.com/blog/post/2017/12/dns-over-tls-vs-dnscrypt

    So here we go. FYI, David Mora aka iamperson347, the developer and maintainer of the GETDNS and STUBBY package for OpenWRT / LEDE, assisted me in putting this all together. Dave strongly suggested using DNSMASQ for DHCP and UNBOUND and STUBBY for DNS OVER TLS. Dave's reason was that OpenWrt / Lede performs best when configured in this fashion. This method combines Unbound (as a caching proxy) and Stubby (as a fully featured TLS forwarder). Stubby is essential - please read the following:

    Stubby is an application that acts as a local DNS Privacy stub resolver (using DNS-over-TLS). Stubby encrypts DNS queries sent from a client machine (desktop or laptop) to a DNS Privacy resolver, increasing end user privacy. Stubby is developed by the getdns project.

    I run GETDNS and STUBBY with Unbound DNS and Dnsmasq for DHCP. You can use odhcpd, which will handle both DNS and DHCP where you disable and/or remove DNSMASQ, but you will experience a performance hit. This is why I use Unbound DNS and Dnsmasq. Here is a basic guide as to how to do it: https://blog.grobox.de/2018/what-is-dns-privacy-and-how-to-set-it-up-for-openwrt/ However, a few modifications are necessary in order to have GetDns and Stubby up and running and successfully integrated with Unbound DNS and Dnsmasq for DHCP. I will write up a guide here - but don't give me a hard time later on.

    By the way, I run Davidc502 LEDE Snapshots - Moderately Customized LEDE Development Builds for Linksys 1900ac v.1 and 1900ac v.2, 1900acs v.1 v.2, 3200acm, and 1200ac v.1 v.2 series routers. These builds keep up to date packages. GetDns and Stubby are included. Daily Snapshots also provide GetDns and Stubby; I imagine the next Lede / OpenWrt will as well. Lede Stable 17.01.4 does not. So, if you are on Davidc502 or another community updated build or use Snapshots, you can use the latest Unbound and GetDns and Stubby. Otherwise - well - you get the picture. As always - opkg update first and foremost.

    Prerequisite: you have a ca cert bundle installed on your router. You can do this by running the following:

        opkg install ca-certificates

    Now Let's Move On

    1 - opkg install unbound odhcpd unbound-control unbound-control-setup luci-app-unbound unbound-anchor

    2 - opkg install getdns stubby

    2A - ( run command ) unbound-anchor -a "/etc/unbound/root.key"

    2B - ( run command ) unbound-control-setup ( for secure keys )

    3 - My WORKING CONFIG /etc/unbound/unbound_srv.conf ( Must Adjust For Your Router - I Run WRT1900ACS and WRT3200ACM So I Have Plenty Of Ram, Storage and 2 CPU's ) ( Simply Copy and Paste Into Your SSH Session and Hit Enter ):

        cat >> /etc/unbound/unbound_srv.conf <<UNBOUND_SERVER_CONF
        server:
            # use all CPUs
            num-threads: 2
            # power of 2 close to num-threads
            msg-cache-slabs: 4
            rrset-cache-slabs: 4
            infra-cache-slabs: 4
            key-cache-slabs: 4
            # more cache memory, rrset=msg*2
            rrset-cache-size: 200m
            msg-cache-size: 200m
            # more outgoing connections
            # depends on number of cores: 1024/cores - 50
            outgoing-range: 1998
            # Larger socket buffer. OS may need config.
            so-rcvbuf: 4m
            so-sndbuf: 4m
            cache-min-ttl: 3600
            cache-max-ttl: 86400
            qname-minimisation: yes
            num-queries-per-thread: 4096
            minimal-responses: yes
            rrset-roundrobin: yes
            do-tcp: yes
            do-ip6: no
            use-caps-for-id: yes
            edns-buffer-size: 4096
            prefetch: yes
            prefetch-key: yes
            outgoing-range: 8192
            so-reuseport: yes
            unwanted-reply-threshold: 10000000
            interface: 127.0.0.1
            do-not-query-localhost: no
            access-control: 127.0.0.0/8 allow
            verbosity: 1
            private-domain: "yourdomain"
            hide-identity: yes
            hide-version: yes
            so-reuseport: yes
            harden-referral-path: yes
        UNBOUND_SERVER_CONF

    As per guide:

        # Don't let each server know the next recursion
        uci set 'unbound.@unbound[0].query_minimize=1'

    4 - My WORKING CONFIG /etc/stubby/stubby.yml

    nano /etc/stubby/stubby.yml - replace the contents of the file with the configuration below:

        resolution_type: GETDNS_RESOLUTION_STUB
        dns_transport_list:
          - GETDNS_TRANSPORT_TLS
        tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
        dnssec_return_status: GETDNS_EXTENSION_TRUE
        dnssec_trust_anchors: "/var/lib/unbound/root.key"
        tls_query_padding_blocksize: 256
        edns_client_subnet_private : 1
        idle_timeout: 10000
        listen_addresses:
          - 127.0.0.1@5453   # STUBBY/UNBOUND ADDRESS/PORT
        round_robin_upstreams: 1
        upstream_recursive_servers:
        # IPv4 DNS TLS Servers
        #Quad9 'secure'
          - address_data: 9.9.9.9
            tls_port: 853
            tls_auth_name: "dns.quad9.net"
        #Cloudflare DNS TLS
          - address_data: 1.0.0.1
            tls_port: 853
            tls_auth_name: "cloudflare-dns.com"

    5 - MY WORKING CONFIG /etc/unbound/unbound_ext.conf ( Simply Copy and Paste Into Your SSH Session and Hit Enter ):

        cat >> /etc/unbound/unbound_ext.conf <<UNBOUND_FORWARD_CONF
        forward-zone:
            name: "."                      # Allow all DNS queries
            forward-addr: 127.0.0.1@5453   # Forward Unbound To Stubby Address/Port
        UNBOUND_FORWARD_CONF

    6 - From the guide referred to in the link above - self explanatory:

        # Move dnsmasq to port 53535 where it will still serve local DNS from DHCP
        # Network -> DHCP & DNS -> Advanced Settings -> DNS server port to 53535
        uci set 'dhcp.@dnsmasq[0].port=53535'
        uci add_list "dhcp.lan.dhcp_option=option:dns-server,$(uci get network.lan.ipaddr)"
        uci set 'unbound.@unbound[0].dhcp_link=dnsmasq'
        uci commit
        /etc/init.d/unbound restart

    7 - From https://github.com/openwrt/packages/tree/master/net/unbound/files - HOW TO Integrate with DHCP - Parallel DNSMASQ - /etc/config/dhcp

    After Some Reflection and Observations - Fine Tuning Your DNS Resolver

    After reading System Logs I realized that there is a need to amend DNSMASQ ( DHCP ) after implementing option noresolv '1' in the /etc/config/dhcp configuration file. This dawned on me from my years of running DNSCRYPT Proxy on OpenWrt. I referred to this guide: https://www.leowkahman.com/2016/05/23/openwrt-encrypted-dns-lookup-using-multiple-dnscrypt-servers/

    option noresolv '1' is to prevent using any upstream DNS server other than those specified in this file ( this file being /etc/config/dhcp ). The solution is as follows - add these four lines to /etc/config/dhcp: nano /etc/config/dhcp - enter these lines before option domain 'yourdomain':

        list server '127.0.0.1#5453'              # Stubby/Unbound Default Address/Port
        list server '/pool.ntp.org/84.200.69.80'  # DNS WATCH SECURE
        option noresolv '1'                       # Make sure to change this as indicated
        option allservers '1'

    8 - Under Interfaces > WAN > then Remove Check For Automatic DNS Servers. As Custom DNS SERVER you should choose to only use 127.0.0.1 for your Router. Things Will Work Fine and as Intended. I have found that it is best to use 127.0.0.1 as the sole DNS Server address for your OpenWrt / LEDE Router.

    9 - Working /etc/config/unbound file ( nano /etc/config/unbound ):

        config unbound
            option add_extra_dns '0'
            option add_local_fqdn '1'
            option add_wan_fqdn '0'
            option dhcp4_slaac6 '0'
            option dns64 '0'
            option dns64_prefix '64:ff9b::/96'
            option domain 'yourdomain'
            option domain_type 'static'
            option edns_size '4096'
            option extended_luci '1'
            option extended_stats '0'
            option hide_binddata '1'
            option listen_port '53'
            option localservice '1'
            option luci_expanded '1'
            option manual_conf '0'
            option protocol 'mixed'
            option query_min_strict '0'
            option rebind_localhost '0'
            option rebind_protection '1'
            option recursion 'passive'
            option resource 'small'
            option root_age '9'
            option ttl_min '120'
            option unbound_control '2'
            option validator '1'
            option validator_ntp '1'
            list trigger_interface 'lan'
            list trigger_interface 'wan'
            option query_minimize '1'
            option dhcp_link 'dnsmasq'

    You will now be running DNS OVER TLS with GETDNS and Stubby on LEDE / OpenWrt. Make sure to follow this guide precisely and it works GREAT!!! with ANYCAST SERVICES: Quad9 ( 9.9.9.9 ) and Cloudflare ( 1.0.0.1 ) offer DNS-over-TLS on port 853.

    Peace and God Bless - My Pleasure For You and The Entire Community - much better than DnsCrypt in my opinion. You can use other DNS Servers from here: DNS Privacy Test Servers https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers You can and should also check the real time status of DNS Privacy Servers, as they are experimental and are not always stable - you can monitor DNS Servers' real time status here: https://dnsprivacy.org/jenkins/job/dnsprivacy-monitoring/ but I have found after much experimentation that Quad9 (9.9.9.9) and Cloudflare (1.1.1.1) work best for Lede. Here is a list of all DNS Privacy Servers in the raw. Add ( tls_port: 853 ) after the ( - address_data: ) entry: https://raw.githubusercontent.com/getdnsapi/stubby/release/0.2.2/stubby.yml.example

    You can check logs under Services > Recursive DNS > Status > Log - you will see that you have a caching encrypted DNS Resolver !!! You can install bind-dig ( opkg install bind-dig ) or bind-tools ( opkg install bind-tools ) in order to be able to issue dig commands to check DNS resolution if you opt to - as you test you will see that your cache is working also.

    On boot, in case GetDns and Stubby fail to start - VERY IMPORTANT !! It has come to my attention that my internet connection does not connect without my manually restarting several services at boot time. In order to fix this I had to expand the list of services to automatically restart at boot. Here is how to do that for the most important networking services: nano /etc/rc.local - and enter:

        # Wait until Internet connection is available
        # (a counted while loop: OpenWrt's /bin/sh is BusyBox ash, which has no {1..60}
        # brace expansion and no &> redirection, so those bash forms would not wait at all)
        i=0
        while [ "$i" -lt 60 ]; do
            ping -c1 -W1 84.200.69.80 >/dev/null 2>&1 && break
            i=$((i + 1))
        done
        # Restart DNS Privacy Daemon - Stubby as it requires a successful
        # time sync for its encryption to work
        /etc/init.d/system restart
        /etc/init.d/dnsmasq restart
        /etc/init.d/firewall restart
        /etc/init.d/unbound restart
        /etc/init.d/network restart
        /etc/init.d/stubby restart
        /etc/init.d/openvpn restart   # If you run VPN as you should
        /etc/init.d/adblock restart
        /etc/init.d/unbound restart
        exit 0

    You can check any other running services you may wish to restart at boot by issuing the command ls /etc/init.d/ from your SSH terminal.

    Now all you need to do is run a properly configured VPN Service. By doing so, running DNS over TLS with Stubby and GetDns will keep your VPN provider from spying on your encrypted DNS lookups - and also your DNS providers, both the ISP ( replaced by encrypted Stubby ) and your Encrypted TLS DNS Service Provider, will see your IP as the one from your encrypted tunneled VPN provider. I am convinced this setup is the right strategy for both security and privacy. I think it to be the best practice for all those most serious about multi-layered cyber security.

    Lastly, you can check your DNS at GRC Spoofability Test - DNS Leak - or any such service. You will see that your DNS results render WoodyNet ( Quad 9 ) and Cloudflare respectively if you followed this guide step by meticulous step. You are now running DNS OVER TLS with GETDNS plus STUBBY ( a fully featured TLS forwarder ) along with an Unbound DNS Caching Server.

    https://www.dnsleaktest.com/
    http://www.vpninsights.com/dns-leak-test
    https://www.grc.com/dns/dns.htm
    and last but not least https://cmdns.dev.dns-oarc.net/ for a thorough in depth DNS Test

    See here for TorGuard Open VPN Setup: https://torguard.net/forums/index.php?/topic/1247-lede-openwrt-torguard-vpn-setup/

    And now you are cooking with plenty of gas - it's finished, it's magnificent, it's so good.
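As an added example (mine, not from the post or the getdns project), here is a shell lint for the two files the post has you write, checking the settings that decide whether this chain is actually strict: tls_authentication set to REQUIRED, no plaintext transport in dns_transport_list, a tls_auth_name on every upstream, and an Unbound forward-addr that matches Stubby's listen address. The config texts inside are constructed samples; on a router you would pass the real file paths to the functions instead.

```shell
#!/bin/sh
# Added example: offline lint for the Stubby + Unbound DNS-over-TLS chain
# described in the post. The three config texts below are constructed samples
# so the script runs anywhere; on the router you would point the functions at
# /etc/stubby/stubby.yml and /etc/unbound/unbound_ext.conf instead.

# Constructed sample 1: strict mode, as the post configures it.
STUBBY_STRICT='resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
listen_addresses:
  - 127.0.0.1@5453   # STUBBY/UNBOUND ADDRESS/PORT
upstream_recursive_servers:
  - address_data: 9.9.9.9
    tls_port: 853
    tls_auth_name: "dns.quad9.net"
  - address_data: 1.0.0.1
    tls_port: 853
    tls_auth_name: "cloudflare-dns.com"
'

# Constructed sample 2: three weakenings an edit can introduce: opportunistic
# authentication, a plaintext fallback transport, and an upstream with no
# tls_auth_name (so it can never be authenticated).
STUBBY_WEAK='resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
  - GETDNS_TRANSPORT_UDP
tls_authentication: GETDNS_AUTHENTICATION_NONE
listen_addresses:
  - 127.0.0.1@5453
upstream_recursive_servers:
  - address_data: 9.9.9.9
    tls_port: 853
    tls_auth_name: "dns.quad9.net"
  - address_data: 1.0.0.1
    tls_port: 853
'

# Constructed sample 3: the forward zone from the post's unbound_ext.conf.
UNBOUND_EXT='forward-zone:
  name: "."
  forward-addr: 127.0.0.1@5453
'

# write_sample TEXT: store a config text in a temp file and print its path.
write_sample() { f=$(mktemp); printf '%s' "$1" > "$f"; echo "$f"; }

# check_stubby FILE: print one finding per line; prints nothing when clean.
check_stubby() {
  grep -q '^tls_authentication:[[:space:]]*GETDNS_AUTHENTICATION_REQUIRED' "$1" ||
    echo "tls_authentication is not REQUIRED: opportunistic mode accepts unauthenticated upstreams"
  grep -qE 'GETDNS_TRANSPORT_(UDP|TCP)' "$1" &&
    echo "dns_transport_list allows a plaintext transport: queries may fall back to port 53"
  # Walk the upstream list: each '- address_data:' item must carry a tls_auth_name.
  awk '
    /^[[:space:]]*-[[:space:]]*address_data:/ {
      if (addr != "" && !named) print "upstream " addr " has no tls_auth_name and cannot be authenticated"
      addr = $NF; named = 0; next
    }
    /^[[:space:]]*tls_auth_name:/ { named = 1 }
    END { if (addr != "" && !named) print "upstream " addr " has no tls_auth_name and cannot be authenticated" }
  ' "$1"
  return 0
}

# check_forward STUBBY_YML UNBOUND_EXT: Unbound must forward to exactly the
# address Stubby listens on, or queries go somewhere else (or nowhere).
check_forward() {
  listen=$(awk '/^listen_addresses:/ { f = 1; next } f && /^[[:space:]]*-/ { print $2; exit }' "$1")
  fwd=$(awk '/^[[:space:]]*forward-addr:/ { print $2; exit }' "$2")
  [ -n "$listen" ] && [ "$listen" = "$fwd" ]
}

# finding_count STUBBY_YML UNBOUND_EXT: total number of problems (0 = clean).
finding_count() {
  n=$(check_stubby "$1" | wc -l)
  check_forward "$1" "$2" || n=$((n + 1))
  echo $((n))
}

strict=$(write_sample "$STUBBY_STRICT")
weak=$(write_sample "$STUBBY_WEAK")
ext=$(write_sample "$UNBOUND_EXT")
echo "strict sample: $(finding_count "$strict" "$ext") finding(s)"   # 0
echo "weak sample:   $(finding_count "$weak" "$ext") finding(s)"     # 3
check_stubby "$weak"
rm -f "$strict" "$weak" "$ext"
```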
  3. LEDE - OPENWRT TORGUARD VPN SETUP

    Dear Griffon, So did you get the TorGuard OpenVpn up and running? I made a couple of edits ( quite a few actually ) in order to make this tutorial more specific and clearer. Hopefully - you were able to make it work. Let me know your feedback. If you need any assistance - just let me know. Happy Holidays and God Bless, DIT
  4. LEDE - OPENWRT TORGUARD VPN SETUP

    Dear Mike - Thanks for the appreciation but I could not have done it without your help. Happy Holidays to You and Yours - Always In Peace and God's Grace, DIT
  5. LEDE - OPENWRT TORGUARD VPN SETUP

    Dear Griffon, It was my pleasure and thanks for your appreciation. We are all in this together - and that means we all work to help one another. Happy and Safe Holidays to You and Yours - God Bless In Peace, DIT
  6. LEDE - OPENWRT TORGUARD VPN SETUP

    Regards Mike

    OK - I decided to put this up on the TorGuard Forum as I could not find a tutorial anywhere with specific step by step instructions for getting TorGuard OPENVPN working with OpenWrt / Lede. In advance, I want to thank the excellent support team at TorGuard ( especially Mike & Andy ) for assisting me with getting my Lede/OpenWrt VPN router up and running.

    I use davidc502 firmware, which is described as Moderately Customized LEDE Development Builds, found here - https://davidc502sis.dynamic-dns.net/releases/ and here - https://davidc502sis.dynamic-dns.net/snapshots/ -- davidc502's forum is found here - https://forum.openwrt.org/viewtopic.php?id=64949&p=164b - Dave's builds are for Linksys WRT1900AC v1, Linksys WRT1900AC v2, Linksys WRT1900ACS, Linksys WRT3200ACM and Linksys WRT1200AC models ONLY !!! One of the many benefits of using Dave's custom firmware is that it comes with many pre-installed and configured software packages - including OpenVpn and Dnscrypt - I use both in conjunction on my router. For the full list of packages see Dave's configuration seed found here - https://davidc502sis.dynamic-dns.net/releases/config.seed - However, the tutorial here will work on any and every OpenWrt / Lede firmware based router. I also tested this with Lede stable firmware ( current version 17.01.4 ) found here - https://lede-project.org/downloads

    Anyway - here we go - this is Mike's detailed original answer to my inquiry concerning my request for assistance in setting up OpenVpn on OpenWrt / Lede. I have added a few edits in order to make this more comprehensible and easier to implement. This guide will work, Guaranteed, if you follow the instructions step by step.

    Mike // Staff: Thank you, can you check if the steps below work ok for you

    1) In the Luci Gui go to System > Software, do update first ( ssh command opkg update ), then search for openvpn and install openvpn-openssl and luci-app-openvpn ( ssh command - opkg install openvpn-openssl luci-app-openvpn ). These are necessary - Luci is the GUI frontend for OpenWrt - it comes pre-installed with davidc502's firmware. Also installed on Lede stable.

    2) Generate the OpenVpn config on https://torguard.net/tgconf.php?action=vpn-openvpnconfig choosing openwrt.

    3) Login using an ftp client like winscp to the router (openwrt); the config file downloaded from the tool is to be uploaded to the box and renamed as /etc/config/openvpn. To make this simpler - you can copy and paste the newly generated text file to a text file on your desktop and/or download the config file to your desktop. Install nano ( preferred text editor ) - opkg install nano - if you need to install nano ( if not already there / comes pre-installed in davidc502's builds ) on your router. SSH into the router then type ( copy and paste ) " nano /etc/config/openvpn " ( without parenthesis ) - erase all contents of the file ( hold Ctrl + k ) and replace ( copy and paste ) with the contents of the config file you copied and downloaded earlier.

    Sample of my /etc/config/openvpn config file - adjust yours as you see fit but stick with the config from https://torguard.net/tgconf.php?action=vpn-openvpnconfig as your basic guide:

        config openvpn 'TorGuard_AES256GCM_SHA256'
            option client '1'
            option dev 'tun'
            option proto 'udp'
            option resolv_retry 'infinite'
            option nobind '1'
            option persist_key '1'
            option persist_tun '1'
            option ca '/etc/openvpn/torguard/ca.crt'
            option remote_cert_tls 'server'
            option tls_auth '/etc/openvpn/torguard/ta.key 1'
            option cipher 'AES-256-GCM'
            # As of March 2018 and OpenVpn 2.4.5 use option compress 'lzo' otherwise you can not connect
            option comp_lzo 'adaptive'
            option verb '4'
            option fast_io '1'
            option auth_user_pass '/etc/openvpn/torguard/userpass.txt'
            option remote_random '0'
            option auth 'SHA256'
            option reneg_sec '0'
            option port '1195'
            list remote 'ny.east.usa.torguardvpnaccess.com'
            option sndbuf '393216'
            option rcvbuf '393216'
            option enabled '1'
            option keepalive '10 120'
            option auth_nocache '1'
            option tls_client '1'
            option setenv 'CLIENT_CERT 0'
            option tls_version_min '1.2'
            option tls_cipher 'TLS-DHE-RSA-WITH-AES-256-GCM-SHA384'
            option ncp_ciphers 'AES-256-GCM:AES-128-GCM'
            option tun_mtu '1500'
            option tun_mtu_extra '32'
            option ncp_disable '1'
            option engine 'dynamic'
            option mute_replay_warnings '1'
            option disable_occ '1'
            option keysize '256'
            option mssfix '1450'
            option script_security '2'
            option reneg_bytes '1073741824'
            option mute '20'
            option pull '1'
            option log '/tmp/openvpn.log'

    Then hit Ctrl + o - you will be asked to write the file - hit enter to save the file - then Ctrl + x to close the file and go back into the shell.

    4) Create the folder /etc/openvpn/torguard and add under it the ca.crt and ta.key from https://torguard.net/downloads/ta.key and https://torguard.net/downloads/ca.crt, and create a new file userpass.txt where you put on the first line your vpn username and on the second your vpn password.

    Create the /etc/openvpn/torguard folder ( in the ssh session into the router - type " mkdir /etc/openvpn/torguard " ( without parenthesis ) ). In order to proceed - opkg install wget ( if you need to install wget ). SSH into the router and use wget ( install wget if not already there / comes pre-installed in davidc502's builds ) to issue the following commands in order to install the necessary files to the /etc/openvpn/torguard folder which you just created. Type the following commands in the shell:

    A - " wget -P /etc/openvpn/torguard https://torguard.net/downloads/ta.key " ( without parenthesis ) - copy and paste - ( ta.key is downloaded to the /etc/openvpn/torguard folder )

    B - " wget -P /etc/openvpn/torguard https://torguard.net/downloads/ca.crt " ( without parenthesis ) - copy and paste - ( ca.crt is downloaded to the /etc/openvpn/torguard folder )

    C - type ( copy and paste ) " nano /etc/openvpn/torguard/userpass.txt " ( without parenthesis ) - in the new text file type ( copy and paste ) on the first line your TorGuard Vpn username and on the second line your TorGuard Vpn password - Then hit ( Ctrl + o ) - you will be asked to write the file - hit enter to save the file - then ( Ctrl + x ) to close the file and go back into the shell - userpass.txt is now added under the /etc/openvpn/torguard/ folder as well.

    Now - these commands are required from my past experience - still in SSH type ( copy and paste ):

        chmod 0777 /etc/openvpn/torguard/ta.key
        chmod 0777 /etc/openvpn/torguard/ca.crt
        chmod 0400 /etc/openvpn/torguard/userpass.txt

    There are two alternative methods available in order to create the necessary openvpn network interface and complementary firewall rules. The first one I will feature is through the command line shell - using uci commands. The second is simply done through the Luci Web GUI. Personally, I use the uci command line approach as I feel the firewall rules for the vpn connection are more secure in nature using this method. For the sake of this tutorial, consider the command line - uci - Scenario A, and the Luci Web Gui method Scenario B. Both will create an interface and working firewall rules and in the end leave you with a working TorGuard OpenVpn configuration and subsequent connection. GUARANTEED ! Remember this is either A or B - not A AND B !!! - you can not use both. It is one or the other.

    Scenario A - TorGuard OpenVpn Network Interface Creation and Setup via command line - uci:

        uci set network.myvpnc=interface
        uci set network.myvpnc.proto=none
        uci set network.myvpnc.ifname=tun0
        uci commit network

    TorGuard OpenVpn Firewall Rules Setup via command line - uci:

        uci add firewall zone
        uci set firewall.@zone[-1]=zone
        uci set firewall.@zone[-1].name=myvpnc_fw
        uci set firewall.@zone[-1].network=myvpnc
        uci set firewall.@zone[-1].input=REJECT
        uci set firewall.@zone[-1].output=ACCEPT
        uci set firewall.@zone[-1].forward=REJECT
        uci set firewall.@zone[-1].masq=1
        uci set firewall.@zone[-1].mtu_fix=1
        uci add firewall forwarding
        uci set firewall.@forwarding[-1]=forwarding
        uci set firewall.@forwarding[-1].src=lan
        uci set firewall.@forwarding[-1].dest=myvpnc_fw
        uci commit firewall
        reboot

    Scenario B - TorGuard OpenVpn - Luci ( Web Gui ) Network Interface Creation and Setup and Firewall Rules Setup

    1 ) Back on Luci ( Lede/OpenWrt Gui ). Go to Network > Interfaces and add a new interface; name the interface " MYVPN " - make sure the " Protocol of the new interface " at the top of the page is set to " Unmanaged " and at the bottom of the page select " Custom " and enter " tun0 " ( tun number zero ) in the field next to the custom radio button. Click On Submit then Save and Save and Apply Settings.

    2 ) Go to the Network > Firewall section, click add " new zone " and set it to " accept " ( all three up top - accept all options ) input/output/forward/masquerade ( check the " masquerade " box under where you are accepting all ). Then enter a check mark in the box next to the interface VPN ( Covered networks ). Then in the bottom box " Inter-Zone Forwarding " ( Allow forward to destination zones: ) = LAN and then ( Allow forward from source zones: ) = LAN. This means click both radio buttons next to lan in the last section of the firewall " newzone " you just created. Lastly, Click On Save and Save and Apply Settings.

    3 ) Go to Services > Openvpn and start the VPN service. All should be up and running after this.

    Support said they would post this in the tutorials for OpenWrt / Lede firmware. As I said, I just put this up to save folks time if they run TorGuard VPN. By the way, it is an excellent VPN service. Easier setup than PIA VPN - specifically on Lede/OpenWrt. Again - thanks to TorGuard Support. Let us know if you have any further questions.

    Regards Mike

    LEDE - OPENWRT TORGUARD VPN SETUP
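Because the /etc/config/openvpn file above is in UCI syntax rather than the flat directive form the openvpn binary reads, here is an added shell/awk converter (my example, not from the post, TorGuard or the OpenWrt init script) that turns the option/list lines into plain OpenVPN directives so the result can be dry-run with openvpn before the service is enabled. The list of on/off flags is an assumed subset that covers this sample, and the embedded UCI text is a constructed excerpt of the post's config.

```shell
#!/bin/sh
# Added example: convert an OpenWrt /etc/config/openvpn section (UCI syntax,
# as in the post) into the flat directive form OpenVPN itself reads, so the
# result can be checked with the openvpn binary before the service is enabled.

# Assumed subset of the options OpenWrt treats as on/off flags: with value '1'
# they become a bare directive, with '0' they are dropped. Extend as needed.
OVPN_BOOLS="client nobind persist_key persist_tun fast_io auth_nocache tls_client
mute_replay_warnings disable_occ ncp_disable pull remote_random"

# Constructed sample, trimmed from the post's config; paths are placeholders.
UCI_SAMPLE="config openvpn 'TorGuard_AES256GCM_SHA256'
    option client '1'
    option dev 'tun'
    option proto 'udp'
    option nobind '1'
    option ca '/etc/openvpn/torguard/ca.crt'
    option remote_cert_tls 'server'
    option tls_auth '/etc/openvpn/torguard/ta.key 1'
    option comp_lzo 'adaptive' # as of OpenVPN 2.4.5 use option compress 'lzo'
    option auth_user_pass '/etc/openvpn/torguard/userpass.txt'
    option remote_random '0'
    option port '1195'
    list remote 'ny.east.usa.torguardvpnaccess.com'
    option keepalive '10 120'
    option setenv 'CLIENT_CERT 0'
    option enabled '1'
    option verb 4
"

# uci2ovpn FILE: print one OpenVPN directive per option/list line.
uci2ovpn() {
  awk -v bools=" $OVPN_BOOLS " '
    BEGIN { gsub(/[[:space:]]+/, " ", bools) }   # normalise the flag list to " a b c "
    { sub(/\r$/, "") }                           # tolerate CRLF from a desktop editor
    /^[[:space:]]*(option|list)[[:space:]]/ {
      key = $2
      rest = $0
      sub(/^[[:space:]]*(option|list)[[:space:]]+[^[:space:]]+[[:space:]]*/, "", rest)
      q = substr(rest, 1, 1)
      if (q == "\047" || q == "\"") {            # quoted value: keep up to the closing quote,
        rest = substr(rest, 2)                   # which also drops any trailing comment
        val = substr(rest, 1, index(rest, q) - 1)
      } else {                                   # bare value: first word only
        val = rest
        sub(/[[:space:]].*$/, "", val)
      }
      if (key == "enabled") next                 # consumed by the init script, not an OpenVPN directive
      dir = key
      gsub(/_/, "-", dir)                        # UCI names use _, OpenVPN directives use -
      if (index(bools, " " key " ")) {           # flag: bare directive only when set to 1
        if (val == "1") print dir
        next
      }
      print dir " " val
    }' "$1"
}

f=$(mktemp); printf '%s' "$UCI_SAMPLE" > "$f"
uci2ovpn "$f"    # 14 directives, e.g. "client" and "tls-auth /etc/openvpn/torguard/ta.key 1"
rm -f "$f"
```

Feed the output to a file and run openvpn against it to surface parse errors and certificate problems without touching the running service.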