Sunday, August 20, 2017

Step-by-Step: Base Install - VPN Client Router using LEDE (or OpenWRT)

PUBLISHED 2017 August 14
INTRODUCTION
This step-by-step is designed to install LEDE with the most common packages and protocols needed for it to act as a VPN Client (it connects to a VPN endpoint, it is not a VPN server accepting incoming connections).  The current VPN clients that are supported in this build are:

I only use the packages in the LEDE repository since they support UCI commands.  This unfortunately means that they are not the latest binaries available, but for support I personally think it's better to use these editions.

Note: LEDE also has packages for the "OpenConnect", "softethervpn", "openvpn-easy-rsa", and more - however I do not have providers to test these protocols against. If I ever do, I'll update this document.

To run these commands you'll need an SSH client on your computer.  PuTTY works fine on Windows, but I'm using Linux and all of my commands will assume that you are too.

I am using the Xiaomi Mini Wifi router since I live in China and can get them easily; they've also got lots of RAM and Storage. I highly recommend them if you can find one.  The downside is that there's a bug in the wifi driver support and the Wifi signal is not very strong; but it's still usable.  For instructions on the initial setup of the Xiaomi Mini, please see my other article on the subject HERE.

NOTES ON SYNTAX (My standards)
For all commands in the Linux shell, I color code them BLUE.
For all commands in the SSH shell inside the router, I color code them RED.

INSTALL LEDE 17.01.2
If you are running an older version of LEDE or you are running OpenWRT, please first upgrade to LEDE (it is a fork of OpenWRT that has essentially replaced it - it seems like they will re-merge in the future though). [LEDE Instructions]

Note: Even if you are already running on LEDE 17.01.2, I recommend a clean wipe of the device from within the LUCI webapp or with the following command (run via SSH): firstboot && reboot

ssh root@192.168.1.1

SNAPSHOT1="https://downloads.lede-project.org/snapshots/targets/ramips/mt7620/openwrt-ramips-mt7620-miwifi-mini-squashfs-sysupgrade.bin" ; SNAPSHOTSHA256SUMS="https://downloads.lede-project.org/snapshots/targets/ramips/mt7620/sha256sums" ; cd /tmp ; wget $SNAPSHOT1 ; wget $SNAPSHOTSHA256SUMS ; sha256sum -c sha256sums 2> /dev/null | grep OK

Only continue if the check printed an "OK" line for the .bin file you just downloaded; if it did not, delete the image and download it again rather than flashing it.

sysupgrade -v -n /tmp/*.bin

The router will install the new operating system and reboot.
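The grep above only shows an "OK" line; nothing stops sysupgrade from running when that line is missing. Here is an added helper (not from the original post) that refuses to flash unless the image's hash matches its entry in the downloaded sha256sums; the flash command is a parameter so the check can be dry-run on a PC with "true".

```shell
#!/bin/sh
# Added helper, not from the original post: gate sysupgrade on a real hash check.

# verify_image SUMSFILE IMAGE -> 0 if IMAGE's sha256 matches its entry in SUMSFILE
verify_image() {
    sums="$1"; image="$2"
    name=$(basename "$image")
    # LEDE's sha256sums lines look like "<hash> *<filename>" (binary marker optional)
    expected=$(awk -v n="$name" '{ f = $2; sub(/^\*/, "", f); if (f == n) print $1 }' "$sums")
    [ -n "$expected" ] || { echo "no entry for $name in $sums" >&2; return 1; }
    actual=$(sha256sum "$image" | awk '{ print $1 }')
    [ "$actual" = "$expected" ] || { echo "sha256 mismatch for $name" >&2; return 1; }
    echo "sha256 OK for $name" >&2
}

# flash_if_verified SUMSFILE IMAGE [FLASH_CMD]
# Runs FLASH_CMD (default "sysupgrade -v -n", as in the post) only after
# verify_image succeeds. Pass "true" as FLASH_CMD to dry-run on a PC.
flash_if_verified() {
    verify_image "$1" "$2" || return 1
    ${3:-sysupgrade -v -n} "$2"
}
```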

INITIAL ROUTER CONFIGURATION

Sign into the router with SSH and set the administrator password

ssh root@192.168.1.1

passwd

Set the router name, timezone, and custom NTP servers for your region (or preference)

uci set system.@system[0].hostname='KABENEKO' && uci set system.@system[0].timezone='HKT-8' && uci set system.@system[0].zonename='Asia/Hong Kong' && uci set system.ntp.enable_server='1' && uci delete system.ntp.server && uci add_list system.ntp.server='stdtime.gov.hk' && uci add_list system.ntp.server='time.nist.gov' && uci add_list system.ntp.server='us.pool.ntp.org' && uci add_list system.ntp.server='time.google.com'

uci set system.led_power=led && uci set system.led_power.name='power' && uci set system.led_power.sysfs='miwifi-mini:blue:status' && uci set system.led_power.default='1' && uci commit

Configure the Wireless Network and Enable it

uci set wireless.radio0.hwmode='11a' && uci set wireless.radio0.channel='48' && uci set wireless.radio0.country='00' && uci set wireless.default_radio0.ssid='MYWIFINETWORK-AC' && uci set wireless.default_radio0.encryption='psk2' && uci set wireless.default_radio0.key='MYWIFINETWORKPASSWD'

uci set wireless.radio1.hwmode='11g' && uci set wireless.radio1.channel='8' && uci set wireless.radio1.country='00' && uci set wireless.default_radio1.ssid='MYWIFINETWORK' && uci set wireless.default_radio1.encryption='psk2' && uci set wireless.default_radio1.key='MYWIFINETWORKPASSWD'


uci delete wireless.radio0.disabled && uci delete wireless.radio1.disabled && uci commit && service network restart


Now... check your settings.

uci show wireless

SET LAN IP TO NEW RANGE (AVOID ISP CONFLICTS AT 192.168.1.1) and Reboot

uci set network.lan.ipaddr='192.168.55.1' && uci commit && reboot


The router's IP address will change, so your SSH session will drop and your computer will need a new DHCP lease before it can reach the router again.  Here's the command on my Linux box:

sudo dhclient -r && sudo dhclient

ssh root@192.168.55.1

Install all of the base packages for running Shadowsocks or OpenVPN plus a few other goodies.

opkg update ; opkg install luci-theme-material luci-app-openvpn luci-app-shadowsocks-libev luci-app-uhttpd luci-app-adblock luci-app-wifischedule luci-ssl-openssl openvpn-openssl shadowsocks-libev ca-certificates wifischedule mtr rng-tools dnscrypt-proxy

Almost done!  Let's just turn off some things that shouldn't be running until we have time to configure them:

uci set shadowsocks-libev.@shadowsocks-libev[0].enable='0' && uci set adblock.global.adb_enabled='0' && uci commit && service shadowsocks-libev enable && service shadowsocks-libev stop

And we'll create the OpenVPN Interface for any future needs

uci set network.openvpn=interface && uci set network.openvpn.proto='none' && uci set network.openvpn.ifname='tun0' && uci set firewall.@zone[1].network='wan openvpn' && uci commit

Your router is now ready for a VPN client configuration to be added.

LINK Step-by-Step: Setup a ShadowSocks-libev Client on OpenWRT
LINK Step-by-Step: Setup an OpenVPN Client on OpenWRT


Saturday, August 12, 2017

Step-by-Step: Shadowsocks Client on LEDE (OpenWRT) Router - Config with LUCI

UPDATE: I am writing a SSH version of this document since it's much easier to run commands that way.  Please see that document HERE.

PREREQUISITES
A. A computer with a web browser.
B. Router running LEDE or OpenWRT (Xiaomi Mini w/ LEDE 17.01.2, r3435)
     Note: For instructions on installing OpenWRT on the Xiaomi, please see this article HERE.
C. Shadowsocks account from provider (I'm testing Catswall.net)
D. Router should be connected to an unrestricted Internet connection to reach LEDE package repositories, aka NOT filtered internet

SETUP ROUTER
Reset the router to defaults if it has been used for something else before.  Also consider updating it to the current "stable" release of LEDE if you're running an older OpenWRT or LEDE build.  (I've tested the snapshot versions of LEDE and the necessary packages are not available yet; you'll have to know how to compile your own software if you don't use the stable release... if you know how to do that, you probably don't need this post.)

  • A. To upgrade your router to the LEDE 17.01.2 release: Sign into the router web console, navigate to System | Backup/Flash Firmware | Uncheck the "Keep settings" option, click Choose File, find the .bin file on your computer that you've already downloaded (see point C for a download link), click FLASH IMAGE..., and then when the verification window appears, click PROCEED.
  • B. To reset your router to all defaults: Sign into the router web console, navigate to System | Backup/Flash Firmware | click PERFORM RESET, and click OK at the pop-up.

NOTES:

  • For more instructions on setting up a new Xiaomi Mini router with OpenWRT or LEDE, please see my article on that subject HERE.
  • For more instructions on setting all base software on a LEDE/OpenWRT router, please see my article on the Base Installation for a VPN Client Router HERE.


INSTALL SOFTWARE AND ADD SERVER
After installing all necessary software packages as outlined in the Base Install Guide for Routers, we need to set up the Shadowsocks client options.

1. Under the Services menu option, select ShadowSocks-libev.

2. Enter the correct Shadowsocks server information, port, password, Encrypt Method, etc. from your provider, then save and restart the service by clicking SAVE & APPLY.

3. Force DNS resolution through the Shadowsocks tunnel (SS-TUNNEL) by selecting the "Enable" option under UDP Forward.  The UDP Local Port should be 5300, and the Forward Tunnel can be any valid DNS server, but we'll use Google's in this example and enter 8.8.8.8:53.
4. Add this UDP port address to the Network | DHCP and DNS | General Settings option for "DNS Forwardings" in this format:
127.0.0.1#5300
5. Select the Non-wildcard option and click SAVE & APPLY.
6. Select the Resolve and Hosts Files menu option.  Select the Ignore resolve file and the Ignore /etc/hosts options.  Click SAVE & APPLY.

If the VPN server information is correct you should now be connected to your server and DNS lookups should be going through the tunnel as well.  For best results... reboot the router.  I just unplug the little monster and plug it back in to make sure it's a nice "hard" reboot.

To check if you are browsing the Internet through your SS connection, go to a website like ipinfo.io or ipleak.net.  The IP address shown on these websites should be the server address you entered in the ShadowSocks menu.

OPTION: ADD A SECONDARY DNS SERVICE FOR BACKUP; DNSCRYPT-PROXY
I'm writing another guide to set up a backup DNS server in case the Shadowsocks lookups fail or are delayed. The link will be here later!

Wednesday, August 2, 2017

How-to setup ExpressVPN using OpenVPN on a Xiaomi Mini Wifi running LEDE 17.01.2

ExpressVPN Setup using OpenVPN on Xiaomi Mini Wifi running LEDE 17.01.2
(NOTE: Sorry...I'm super lazy on this post. I wrote it in MS Word and copy and pasted it here...spacing is bad)

This tutorial assumes that you have LEDE with the luci webif (web interface) installed. Visit lede-project.org for more information.
Please note that I use a Linux desktop for these instructions (I do not want the hassle of Windows-based versions of SSH and SCP, although this is possible using WinSCP and PuTTY)

1. Install LEDE r17.01.2 on the Xiaomi Mini Router (this is a whole other document, see HERE)
   Note: Download LEDE images here: https://downloads.lede-project.org/releases/17.01.2/targets/ramips/mt7620/
2. Download all the files you will need from ExpressVPN's website.
a. Sign-in to ExpressVPN's subscriber area: https://www.expressvpn.com/users/sign_in
b. Once you've clicked the link in the welcome email or logged in to the website, click on Set Up ExpressVPN on the Active Subscriptions page. This will take you to the Downloads page.
c. Click on Manual Config on the left side of the screen and then select the OpenVPN tab on the right. You will first see your username and password and then a list of OpenVPN configuration files.
d. Copy the username and password from this website to a text file on your computer; you will be asked to enter them later in the setup process.
e. Download and save the .ovpn file(s) or locations (e.g. Los Angeles, New York, etc.) that you wish to connect to. Copy as many as you like... within reason :)
f. Download the ZIP file that contains copies of your certificates and keys separately.

3. Open the Luci web app in a browser, the default LEDE router address is http://192.168.1.1, username is root and password is blank
4. Set the Administrator's password to miwifipass135 by clicking System | Administration, entering the password and confirmation, and then clicking Save & Apply.
5. Click Logout, and then log back in to the web interface with the new password
6. From a command line on the computer, connect to the router via ssh with this command:
6.       From a command line on the computer, connect to the router via ssh with this command:

ssh root@192.168.1.1

Note: If you've reset the router after using ssh before, use this command to remove the router's old host key from your known_hosts file (ssh otherwise refuses to connect because the router's key has changed):

ssh-keygen -f /home/username/.ssh/known_hosts -R 192.168.1.1

If you successfully sign in, you will see a screen like this:

BusyBox v1.25.1 () built-in shell (ash)

     _________
    /        /\      _    ___ ___  ___
   /  LE    /  \    | |  | __|   \| __|
  /    DE  /    \   | |__| _|| |) | _|
 /________/  LE  \  |____|___|___/|___|                      lede-project.org
 \        \   DE /
  \    LE  \    /  -----------------------------------------------------------
   \  DE    \  /    Reboot (17.01.2, r3435-65eec8bd5f)
    \________\/    -----------------------------------------------------------

root@LEDE:~#

7. Run the following command to install the basic set of software packages for the router:

opkg update ; opkg install openvpn-openssl luci-app-openvpn ca-certificates luci-theme-material mtr ; reboot

Note: A successful installation will have the following text in the command line at the end of the process:

Configuring terminfo.
Configuring luci-theme-material.
Configuring kmod-tun.
Configuring libncurses.
Configuring mtr.
Configuring liblzo.
Configuring zlib.
Configuring libopenssl.
Configuring openvpn-openssl.
Configuring ca-certificates.
Configuring luci-app-openvpn.

8. After the router reboots, sign into the router using SSH again (see step 5)
9. Run the following command to create a new "expressvpn" network interface:

uci set network.expressvpn=interface ; uci set network.expressvpn.proto='none' ; uci set network.expressvpn.ifname='tun0' ; uci commit

10. Sign into the LUCI web interface (see step 2)
11. Add the EXPRESSVPN interface to a firewall zone by going to Network | Interfaces and click Edit for the correct line.

12. Choose the Firewall Settings tab and choose the wan radio button. Click Save & Apply.



13. Extract the contents of my_expressvpn_keys.zip to a new folder of your choosing. I extracted mine to a folder called expvpn which is on my Desktop.
14. For convenience, move an *.ovpn config file of your choice to the same folder that holds your keys. The *.ovpn config file I'm going to choose for this example is: my_expressvpn_hong_kong_-_1_udp.ovpn
15. Create the password file. Create a new text file using Notepad++ (Windows) and put your user-name in line 1 and your password in line 2 and save it as "pass.txt". Make sure you choose UNIX file format when saving!! (See Screen Shot Below) Put the pass.txt in your keys folder as well.
16. Using Notepad++ edit your *.ovpn file; in this case, it's my_expressvpn_hong_kong_-_1_udp.ovpn.  Make the following edits to the OVPN file.
a. Change the line "auth-user-pass" to:
auth-user-pass ./pass.txt
17. ADD the following lines to the OVPN file after the auth-user-pass line:
ca ./ca2.crt
cert ./client.crt
key ./client.key
tls-auth ./ta.key
18. Delete the section below this with the certificate information (<cert>, <key>, <tls-auth>, <ca>)

The OVPN file contents will now look something like:

dev tun
fast-io
persist-key
persist-tun
nobind
remote hongkong1-ca-version-2.expressnetw.com 1195

remote-random
pull
comp-lzo
tls-client
verify-x509-name Server name-prefix
ns-cert-type server
key-direction 1
route-method exe
route-delay 2
tun-mtu 1500
fragment 1300
mssfix 1450
verb 3
cipher AES-256-CBC
keysize 256
auth SHA512
sndbuf 524288
rcvbuf 524288
auth-user-pass ./pass.txt
ca ./ca2.crt
cert ./client.crt
key ./client.key
tls-auth ./ta.key
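Steps 15 to 18 done with a script instead of an editor. This is an added example, not the post's own or ExpressVPN's; it uses the file names from the post (ca2.crt, client.crt, client.key, ta.key, pass.txt) and assumes the .ovpn and the keys sit in the same folder. It also creates pass.txt readable only by its owner, since it holds the VPN password in plain text.

```shell
#!/bin/sh
# Added example, not from the original post: steps 15-18 as a script.
# Assumes the .ovpn, the four key files and pass.txt all live in one folder.

# write_pass_file PATH USERNAME PASSWORD
# Two lines with LF endings (the "UNIX format" the post asks for), created
# 0600 so only the owner (root on the router) can read the password.
write_pass_file() {
    ( umask 077; printf '%s\n%s\n' "$2" "$3" > "$1" )
}

# rewrite_ovpn FILE.ovpn
# Points auth-user-pass at ./pass.txt, adds the ca/cert/key/tls-auth lines
# right after it, and drops the inline <ca> <cert> <key> <tls-auth> blocks.
# The untouched download is kept as FILE.ovpn.orig.
rewrite_ovpn() {
    f="$1"
    cp "$f" "$f.orig"
    awk '
        /^<(ca|cert|key|tls-auth)>/ { skip = 1 }                  # inline block starts
        skip && /^<\/(ca|cert|key|tls-auth)>/ { skip = 0; next } # ...and ends
        skip { next }
        /^auth-user-pass/ {
            print "auth-user-pass ./pass.txt"
            print "ca ./ca2.crt"
            print "cert ./client.crt"
            print "key ./client.key"
            print "tls-auth ./ta.key"
            next
        }
        { print }
    ' "$f.orig" > "$f"
}

# check_ovpn_files FILE.ovpn -> 0 only if every file the config references
# exists next to it; run before scp so a missing key shows up now rather than
# in the OpenVPN log on the router.
check_ovpn_files() {
    dir=$(dirname "$1"); rc=0
    for ref in $(awk '$1 ~ /^(ca|cert|key|tls-auth|auth-user-pass)$/ { print $2 }' "$1"); do
        [ -f "$dir/$ref" ] || { echo "missing: $dir/$ref" >&2; rc=1; }
    done
    return $rc
}
```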

19. Verify that inside your keys folder you now have the following files:
  • ca2.crt
  • client.crt
  • client.key
  • my_expressvpn_hong_kong_-_1_udp.ovpn
  • pass.txt
  • ta.key

20. Use SCP to copy all of these files into the /etc/openvpn folder on the router.

scp /home/username/Desktop/expvpn/*.* root@192.168.1.1:/etc/openvpn


username@computername ~ $ scp /home/username/Desktop/expvpn/*.* root@192.168.1.1:/etc/openvpn
root@192.168.1.1's password:
ca2.crt                                       100% 2130     2.1KB/s   00:00   
client.crt                                    100% 1207     1.2KB/s   00:00   
client.key                                    100% 1679     1.6KB/s   00:00   
my_expressvpn_hong_kong_-_1_udp.ovpn          100%  451     0.4KB/s   00:00   
pass.txt                                      100%   50     0.1KB/s   00:00   
ta.key                                        100%  636     0.6KB/s   00:00   

21. Now it's time to run the OpenVPN service on the router. We do this by issuing commands via the SSH protocol.

cd /etc/openvpn/
openvpn --config my_expressvpn_hong_kong_-_1_udp.ovpn

Your vpn service should now be up and running. YOU MUST GET THE "Initialization Sequence Completed" message before proceeding!

22. To start the service automatically when the router powers on, add the openvpn command to the System | Startup | Local Startup command box in the Web UI (http://192.168.1.1)

# Put your custom commands here that should be executed once
# the system init finished. By default this file does nothing.

openvpn --cd /etc/openvpn --config /etc/openvpn/my_expressvpn_hong_kong_-_1_udp.ovpn

exit 0



23. Edit the rest of the ovpn files that you are interested in using, following steps 16-18.

openvpn --cd /etc/openvpn --config /etc/openvpn/my_expressvpn_hong_kong_-_1_udp.ovpn

Note: Keep a list of these files on your computer.  If you are interested in using a different server, replace the file name in the start-up line with the new filename.

24. Use SCP to copy all of the new OVPN files to the same folder on the router (/etc/openvpn)

scp /home/username/Desktop/expvpn/*.ovpn root@192.168.1.1:/etc/openvpn

25. Add entries to the Local Startup for each configuration, but insert a "#" in front of them to prevent them from running.  If you want to change the server your router connects to, simply remove the "#" from the location you want to use and ADD a "#" to the front of the previous one.  The Local Startup will look something like this when you are done:

# Put your custom commands here that should be executed once
# the system init finished. By default this file does nothing.

openvpn --cd /etc/openvpn --config /etc/openvpn/my_expressvpn_hong_kong_-_1_udp.ovpn
#openvpn --cd /etc/openvpn --config /etc/openvpn/my_expressvpn_hong_kong_-_2_udp.ovpn
#openvpn --cd /etc/openvpn --config /etc/openvpn/my_expressvpn_hong_kong_-_4_udp.ovpn



exit 0
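The "#" toggling in step 25, automated as an added helper (not from the post): it comments out every openvpn line in the Local Startup file and uncomments only the one for the .ovpn you name, and refuses to change anything if that profile is not listed, so you never end up with zero or two active lines. It assumes the rc.local layout shown above.

```shell
#!/bin/sh
# Added helper, not from the original post: pick the active OpenVPN profile
# in /etc/rc.local instead of editing the "#" markers by hand.
# Usage: select_vpn_profile /etc/rc.local my_expressvpn_hong_kong_-_2_udp.ovpn

# select_vpn_profile RCFILE PROFILE.ovpn -> 0 on success, 1 if PROFILE is not listed
select_vpn_profile() {
    rc="$1"; want="$2"
    # refuse to touch the file if no (commented or not) openvpn line uses that profile
    grep -q "^#*openvpn .*/$want\$" "$rc" || { echo "$want is not listed in $rc" >&2; return 1; }
    tmp="$rc.tmp.$$"
    awk -v want="$want" '
        /^#*openvpn / {                 # an openvpn start line, active or commented
            sub(/^#+/, "")              # strip any leading markers
            n = split($NF, p, "/")      # last argument is the config path
            if (p[n] != want) $0 = "#" $0
        }
        { print }
    ' "$rc" > "$tmp" && mv "$tmp" "$rc"
}

# active_vpn_profile RCFILE -> prints the .ovpn name on each uncommented openvpn line
active_vpn_profile() {
    awk '/^openvpn / { n = split($NF, p, "/"); print p[n] }' "$1"
}
```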
25. Change the DNS settings on the LAN interface so that the devices that connect to your Wifi get their DNS server addresses from an unrestricted source; Google.  At the SSH command line (see Step 4), enter the following two commands:

uci add_list dhcp.lan.dhcp_option='6,8.8.8.8,8.8.4.4'

uci commit

26. By default, the Wifi is disabled on LEDE routers.  Go into the Network | Wireless section and ENABLE both radio0 and radio1, then set up the wifi SSID and password with your preferred network name and password.  If you need more help with this, please see LEDE's Help page on Wireless configuration HERE.
27. To prevent a conflict with the ISP's modem, it is a good practice to change the LAN IP range from 192.168.1.1 to another subnet, like 192.168.100.1.  This can be done in the LUCI webapp under Network | Interfaces | LAN and then Edit.  Look for 192.168.1.1, edit it, and then Save & Apply.  You will have to renew your DHCP lease to reconnect to the router after the change takes place.  Give the router a good old-fashioned reboot when you're done just to make sure everything is reconfigured.

Thanks to the LEDE community, the HMA help page on OpenWRT, and the Streisand developers who all wrote good documentation that I've incorporated in this article.