Jump to content
Company Name
  • 0
Sign in to follow this  
directnupe

LEDE - OPENWRT TORGUARD VPN SETUP

Rate this question

Question

LEDE - OPENWRT TORGUARD VPN SETUP

Regards
Mike

OK - I decided to put this up on the TorGuard Forum as I could not find a tutorial anywhere with specific step by step instructions for getting Torguard OPENVPN working with OpenWrt/ Lede. In advance, I want to thank the excellent support team at TorGuard ( especially Mike & Andy ) for assisting me with getting my Lede/Openwrt VPN router up and running.
I use davidc502 firmware which is described as  Moderately Customized LEDE Development Builds found here - https://davidc502sis.dynamic-dns.net/releases/ and here - https://davidc502sis.dynamic-dns.net/snapshots/ -- davidc502's forum found here - https://forum.openwrt.org/viewtopic.php?id=64949&p=164b  - Dave's builds are for Linksys WRT1900AC v1 Linksys WRT1900AC v2 Linksys WRT1900ACS Linksys WRT3200ACM Linksys WRT1200AC models ONLY !!! One of the many benefits of using Dave's custom firmware is that it comes with many pre-installed and configured software packages - including OpenVpn and Dnscrypt - I use both in conjunction on my router. For full list of packages see Dave's configuration seed found here -   https://davidc502sis.dynamic-dns.net/releases/config.seed - However, the guide tutorial here will work on any and every OpenWrt/ Lede firmware based router. I also tested this with Lede stable firmware ( current version 17.01.4 ) found here - https://lede-project.org/downloads -

Anyway - here we go - this is Mike's detailed original answer to my inquiry concerning my request for assistance in setting up OpenVpn on OpenWrt /Lede. I have added a few edits in order to make this more comprehensible and easier to implement. This guide  will work Guaranteed if you follow instructions step by step.

Mike // Staff

Thank you, can you check if the steps below works ok for you

1) Then in Luci Gui  go to System > Software, do update first ( ssh command opkg update )
then search for openvpn and install openvpn-openssl and luci-app-openvpn. ( uci ssh command -  opkg install openvpn-openssl luci-app-openvpn )

These are necessary - Luci is GUI frontend for Openwrt - it comes pre-installed with davidc502's firmware. Also installed on Lede stable. 

2) Here you Generate OpenVpn config on https://torguard.net/tgconf.php?action=vpn-openvpnconfig choosing openwrt.

3) Login using ftp client like winscp to the router (openwrt) and the config file downloaded from the tool to be uploaded to box and renamed as /etc/config/openvpn
 
To make this simpler - you can copy and paste the newly generated text file to a text file on your desktop and /or download config file to your desktop. Install 

nano ( preferred text editor ) -  opkg install nano - if you need to install nano - (  if not already there / comes pre-installed in davidc502's builds )

to your router. SSH into router then type ( copy and paste ) -"  nano /etc/config/openvpn " ( without parenthesis )  - erase all contents of file ( hold Ctrl + k )  and replace ( copy and paste ) with contents of config file you copied and downloaded earlier. 

Sample of my  /etc/config/openvpn config file -  adjust yours as you see fit but stick with config from https://torguard.net/tgconf.php?action=vpn-openvpnconfig as your basic guide -


config openvpn 'TorGuard_AES256GCM_SHA256'
        option client '1'
        option dev 'tun'
        option proto 'udp'
        option resolv_retry 'infinite'
        option nobind '1'
        option persist_key '1'
        option persist_tun '1'
        option ca '/etc/openvpn/torguard/ca.crt'
        option remote_cert_tls 'server'
        option tls_auth '/etc/openvpn/torguard/ta.key 1'
        option cipher 'AES-256-GCM'
        option comp_lzo 'adaptive'
        option verb '4'
        option fast_io '1'
        option auth_user_pass '/etc/openvpn/torguard/userpass.txt'
        option remote_random '0'
        option auth 'SHA256'
        option reneg_sec '0'
        option port '1195'
        list remote 'ny.east.usa.torguardvpnaccess.com'
        option sndbuf '393216'
        option rcvbuf '393216'
        option enabled '1'
        option keepalive '10 120'
        option auth_nocache '1'
        option tls_client '1'
        option setenv 'CLIENT_CERT 0'
        option tls_version_min '1.2'
        option tls_cipher 'TLS-DHE-RSA-WITH-AES-256-GCM-SHA384'
        option ncp_ciphers 'AES-256-GCM:AES-128-GCM'
        option tun_mtu '1500'
        option tun_mtu_extra '32'
        option ncp_disable '1'
        option engine 'dynamic'
        option mute_replay_warnings '1'
        option disable_occ '1'
        option keysize '256'
        option mssfix '1450'
        option script_security '2'
        option reneg_bytes '1073741824'
        option mute '20'
        option pull '1'
        option log '/tmp/openvpn.log'

 
Then hit Ctrl + o - you will be asked to write file - hit enter to save file  - then Ctrl + x to close file and go back into shell

4) create folder /etc/openvpn/torguard and add under it the ca.crt, ta.key from https://torguard.net/downloads/ta.key and https://torguard.net/downloads/ca.crt   and create new file userpass.txt where in it put on first line your vpn username and second you vpn password. 

Create /etc/openvpn/torguard folder ( in ssh session into router - type - " mkdir /etc/openvpn/torguard "  ( without parenthesis )   - in order to proceed  -   

opkg install wget ( if you need to install wget )

ssh into router use wget ( install wget if not already there / comes pre-installed in davidc502's builds ) to issue following commands in order to install necessary

files to /etc/openvpn/torguard folder which you just created : type the following commands in shell 

A - "  wget -P /etc/openvpn/torguard https://torguard.net/downloads/ta.key "  ( without parenthesis ) - copy and paste - (  ta.key is downloaded to 

/etc/openvpn/torguard folder )

B - " wget -P /etc/openvpn/torguard https://torguard.net/downloads/ca.crt "  ( without parenthesis ) - copy and paste - ( ca.crt is downloaded to 

/etc/openvpn/torguard folder )

C - type ( copy and paste ) " nano /etc/openvpn/torguard/userpass.txt "  ( without parenthesis )  - in new text  file type ( copy and paste ) in first line your 

TorGuard Vpn username and on second line your TorGuard  Vpn password  - Then hit ( Ctrl + o ) - you will be asked to write file - hit enter to save file  - then ( 

Ctrl + x ) to close file and go back into shell -   userpass.txt is now added under /etc/openvpn/torguard/ folder as well 

Now - these commands are required from my past experience - still in SSH type ( copy and paste )


chmod 0777 /etc/openvpn/torguard/ta.key     chmod 0777 /etc/openvpn/torguard/ca.crt   chmod 0400 /etc/openvpn/torguard/userpass.txt


There are two alternative methods available in order to create the necessary openvpn network interface and complimentary firewall rules. The first one I will 

feature is through the command line shell - using uci commands. 

The second is simply done through the Luci Web GUI. Personally, I use the uci command line approach as I feel the firewall rules for the vpn connection are more 

secure in nature using this method. For the sake of this tutorial, consider command line - uci - Scenario A - and Luci Web Gui method - Scenario B. Both will create 

an interface and working firewall rules and in the end - and leave you with a working TorGuard OpenVpn configuration and subsequent connection. GUARANTEED !

Remember this is either A or B - not A AND B !!! - you can not use both. It is one or the other.

Scenario A -

TorGuard OpenVpn Network Interface Creation and Setup via command line - uci 

uci set network.myvpnc=interface
uci set network.myvpnc.proto=none
uci set network.myvpnc.ifname=tun0
uci commit network

TorGuard OpenVpn Firewall Rules Setup via command line - uci

uci add firewall zone
uci set [email protected][-1]=zone
uci set [email protected][-1].name=myvpnc_fw
uci set [email protected][-1].network=myvpnc
uci set [email protected][-1].input=REJECT
uci set [email protected][-1].output=ACCEPT
uci set [email protected][-1].forward=REJECT
uci set [email protected][-1].masq=1
uci set [email protected][-1].mtu_fix=1
uci add firewall forwarding
uci set [email protected][-1]=forwarding
uci set [email protected][-1].src=lan
uci set [email protected][-1].dest=myvpnc_fw
uci commit firewall
reboot


Scenario B - 

TorGuard OpenVpn - Luci ( Web Gui ) Network Interface Creation and Setup and Firewall Rules Setup

1 ) Back on Luci ( Lede/OpenWrt Gui ). Go to Network > Interfaces and add new interface name the interface " MYVPN " - make sure the " Protocol of the new interface "  at top of page is set to  " Unmanaged " and at bottom of page select " Custom " and enter "  tun0 " ( tun number zero ) in the field next to custom radio button.

Click On Submit then Save and Save and Apply Settings

2 ) Go to Network > Firewall section, click add " new zone " and make it to " "accept " ( all three up top - accept all options )  input/output/forward/masquarde, ( check " masquerade " box under where you accepting all .
Then choose - enter check mark in box next to  interface VPN  ( Covered networks ).
Then in bottom box " Inter-Zone Forwarding " (  Allow forward to destination zones: ) = LAN and  then

( Allow forward from source zones: ) = LAN

This means click both radio buttons next to lan in last section on firewall " newzone " you just created.

Lastly, Click On Save and Save and Apply Settings -

3 ) Go to Services > Openvpn and start the VPN service.

All should be up and running after this. Support said they would post this in tutorials for Openwrt/Lede firmware. As I said, I just put this up to save folks time 

if they run TorGuard VPN. By the way, it is an excellent VPN service.  Easier setup than PIA VPN - specifically on Lede/Openwrt. Again - thanks to TorGuard Support.

Let us know if you have any further questions.

Regards
Mike

LEDE - OPENWRT TORGUARD VPN SETUP

Share this post


Link to post
Share on other sites

4 answers to this question

Recommended Posts

  • 0

Thank you for taking the time to do this.  I had always wondered if I could get LEDE to work with Tourguard, and now I know. 

I also use the davidc502 builds, and they work great. 

 

Share this post


Link to post
Share on other sites
  • 0
13 minutes ago, Griffon said:

Thank you for taking the time to do this.  I had always wondered if I could get LEDE to work with Tourguard, and now I know. 

Dear Griffon,

It was my pleasure and thanks for your appreciation. We are all in this together - and that means we all work to help one another. Happy and Safe Holidays to You and Yours - 

God Bless In Peace,

DIT

Share this post


Link to post
Share on other sites
  • 0
5 hours ago, Griffon said:

Okay, I stepped through the process and so far so good. 

Griffon

Dear Griffon, 

So did you get the TorGuard OpenVpn up and running? I made a couple of edits ( quite a few actually ) in order to make this tutorial more specific and clearer. Hopefully - you were able to make it work. Let me know your feedback. If you need any assistance - just let me know.

Happy Holidays and God Bless,

DIT

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

×