note: this configuration will also block all IPv6 network traffic at the router level, to protect against out-of tunnel information transmission.
OK, not quite a "how-to" - more of a "mostly already preconfigured for you."
I did this setup on a Ubiquity Nanostation Loco M2. It has a single WLAN and a single LAN. I am using the ethernet port as the WAN and the WiFi was the LAN side. I have configured the setup using bridge interfaces, so all you need to do is add and remove physical interfaces to the virtual WAN or LAN bridge and you are now configured exactly how you want.
You will need to do some reconfiguration after installation. The WiFi SSID is OpenWrt and the password is changeme. I also set the WiFi to 10dbm to give it broad compatibility and not overload anyone's radio, this means you had better be close when you initially configure it.
The LAN subnet is 10.13.37.0/24. This is unlikely to be in use on the WAN side and I thought I may as well have a little fun adding a 1337 in there somewhere. The DHCP server will assign you 18.104.22.168 and 22.214.171.124 as your DNS servers, if anyone has a better idea for default DNS servers, let me know.
Speed is not ideal, but it is very usable. The 400MHz Atheros chipset in my device can push about 5MBps over the OpenVPN link to Cryptostorm:
The upload is limited by my own 1MBps upload combined with the VPN overhead.
I ran some popular torrents and averaged about 350K/sec down and 30K/sec up simultaneously.
If you want more speed, you are going to have to go with a more powerful router.
I tested with OpenWRT on an old AMD powered laptop with a second USB NIC(Exact config I am posting, just replaced wifi with ethernet) and my results were consistently 20% below my line speed. That is, I have a 10/1 and going through the VPN I get 8/0.8. Ran some popular torrents off the bay and managed a solid 975K/sec download rate. I would recommend throttling things, because it saturated the link and my ping times effectively tripled. Considering the OpenVPN process never peaked above 16% CPU (versus 50% on the Atheros router), if my connection were fast enough I could easily push 25MBps real throughput(31MBps inc overhead), assuming a linear scale and capping out at 50% cpu.
Setting up a new router consists of the following steps:
- Load OpenWRT (See specific guides for your router)
- Telnet into the router
- passwd -- set your root passwd
- reboot - lets router initialize SSH
- SSH into router and change the IP settings so it can access the internet. The following example is based on your home router having an IP of 192.168.1.254.
- ifconfig br-lan 192.168.1.253
- Your SSH session will freeze because the router has a new IP, close it and reopen it to 192.168.1.253 to continue
- route add default gw 192.168.1.254
- echo 'nameserver 126.96.36.199' >> /etc/resolv.conf
- opkg update
- opkg install luci
- opkg install openvpn-openssl
- /etc/init.d/uhttpd start
- /etc/init.d/uhttpd enable
- Your web-ui is now setup and accessible at http://192.168.1.253
- Once logged in (root/password you set earlier), go to System-->Backup/Flash Firmware
- Browse for the config backup attached to this post, and restore the backup from the flash
- Once booted again, your router will be broadcasting a Wireless Access point with the SSID 'OpenWrt' and a password of 'changeme'. Connect to the access point.
- Open your browser to http://10.13.37.1 and login with root/password you set earlier
- Go to System-->Startup
- Scroll down to the bottom of the page and in the text box and replace 'your_lowercase_SHA512_hash_goes_here' with your Token Hash.
- You can leave the lines there after the router reboots, or delete them.
- Change your WiFi settings to whatever your preference is.
Here is the startup script that sets firewall rules every boot. It blocks all IPv6 traffic and makes the router nearly a black hole. With this configuration, there should be virtually no way into the router other than SSH and HTTP on the LAN side(The part you physically control).
Critiques of my iptables rules are very much welcome. I do not claim to be an expert and could have missed something.
Code: Select all
# This will place your username and password in a file to be read by the OpenVPN client and auto-connect.
# You can remove or comment out these lines after the first reboot with the correct value.
echo your_lowercase_SHA512_hash_goes_here > /etc/config/openvpn.key
echo 93b66e7059176bbfa418061c5cba87dd >> /etc/config/openvpn.key
chmod 600 /etc/config/openvpn.key
# FLUSH (clear) any IPv6 rules
ip6tables -F INPUT
ip6tables -F FORWARD
ip6tables -F OUTPUT
# DROP all IPv6 traffic
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT DROP
# ALLOW two-way traffic from LAN to VPN
iptables -I FORWARD -i br-lan -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br-lan -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# DROP all traffic to the WAN that originates from the LAN clients #
# This prevents LAN traffic from going out unencrypted! #
iptables -I FORWARD -i br-lan -o br-wan -j DROP
iptables -I FORWARD -i br-wan -o br-lan -j DROP
# ALLOW NAT to VPN
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
# ALLOW HTTP, SSH, and DHCP access to router only over LAN interface
iptables -A INPUT -p tcp -i br-lan --dport 80 -d 10.13.37.1 -j ACCEPT
iptables -A INPUT -p tcp -i br-lan --dport 22 -d 10.13.37.1 -j ACCEPT
iptables -A INPUT -p udp -i br-lan --dport 68 -j ACCEPT
iptables -A INPUT -p udp -i br-lan --dport 67 -j ACCEPT
# ALLOW solicited traffic on WAN/VPN interface
iptables -A INPUT -i br-wan -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i tun0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# DROP unsolicited traffic on ALL interfaces
iptables -A INPUT -i br-lan -j DROP
iptables -A INPUT -i br-wan -j DROP
iptables -A INPUT -i tun0 -j DROP
# REJECT all other access to router, prevents any services being pulled from router to possibly leak over WAN (DNS) - Probably a redundant rule
iptables -A INPUT -d 10.13.37.1 -j REJECT
# Connect to OpenVPN using openvpn.conf with the username and password stored in openvpn.key
openvpn --config /etc/config/openvpn.conf --auth-user-pass /etc/config/openvpn.key &