Wednesday, August 2, 2017

How-to setup ExpressVPN using OpenVPN on a Xiaomi Mini Wifi running LEDE 17.01.2

ExpressVPN Setup using OpenVPN on Xiaomi Mini Wifi running LEDE 17.01.2
(NOTE: Sorry...I'm super lazy on this post. I wrote it in MS Word and copied and pasted it here...spacing is bad)

This tutorial assumes that you have LEDE with the luci webif (web interface) installed. Visit lede-project.org for more information.
Please note that I use a Linux desktop for these instructions (I do not want the hassle of Windows-based versions of SSH and SCP, although this is possible using WinSCP and PuTTY).

1.       Install LEDE r17.01.2 on the Xiaomi Mini Router (this is a whole other document, see HERE)
       Note: Download LEDE images here: https://downloads.lede-project.org/releases/17.01.2/targets/ramips/mt7620/
2.       Download all the files you will need from ExpressVPN’s website.
a.        Sign-in to ExpressVPN’s subscriber area: https://www.expressvpn.com/users/sign_in
b.       Once you’ve clicked the link in the welcome email or logged in to the website, click on Set Up ExpressVPN on the Active Subscriptions page. This will take you to the Downloads page.

c.        Click on Manual Config on the left side of the screen and then select the OpenVPN tab on the right. You will first see your username and password and then a list of OpenVPN configuration files.
d.       Copy the username and password from this website to a text file on your computer; you will be asked to enter them later in the setup process.
e.        Download and save the .ovpn file(s) for the locations (e.g. Los Angeles, New York, etc.) that you wish to connect to. Download as many as you like, within reason.
f.         Download the ZIP file that contains copies of your certificates and keys separately.

3.       Open the Luci web app in a browser, the default LEDE router address is http://192.168.1.1, username is root and password is blank
4.       Set the Administrator’s password to miwifipass135 by clicking System | Administration, entering the password and confirmation, and then clicking Save & Apply.
5.       Click Logout, and then log back in to the web interface with the new password
6.       From a command line on the computer, connect to the router via ssh with this command:

ssh root@192.168.1.1

Note: If you've reset the router after using ssh before, use this command to remove the router's old host key from your known_hosts file (otherwise ssh will refuse to connect because the host key changed):

ssh-keygen -f /home/username/.ssh/known_hosts -R 192.168.1.1

If you successfully sign in, you will see a screen like this:

BusyBox v1.25.1 () built-in shell (ash)

     _________
    /        /\      _    ___ ___  ___
   /  LE    /  \    | |  | __|   \| __|
  /    DE  /    \   | |__| _|| |) | _|
 /________/  LE  \  |____|___|___/|___|                      lede-project.org
 \        \   DE /
  \    LE  \    /  -----------------------------------------------------------
   \  DE    \  /    Reboot (17.01.2, r3435-65eec8bd5f)
    \________\/    -----------------------------------------------------------

root@LEDE:~#

7.       Run the following command to install the basic set of software packages for the router:

opkg update ; opkg install openvpn-openssl luci-app-openvpn ca-certificates luci-theme-material mtr ; reboot

Note: A successful installation will have the following text in the command line at the end of the process:

Configuring terminfo.
Configuring luci-theme-material.
Configuring kmod-tun.
Configuring libncurses.
Configuring mtr.
Configuring liblzo.
Configuring zlib.
Configuring libopenssl.
Configuring openvpn-openssl.
Configuring ca-certificates.
Configuring luci-app-openvpn.

8.       After the router reboots, sign into the router using SSH again (see step 6)
9.       Run the following command to create a new “expressvpn” network interface:

uci set network.expressvpn=interface ; uci set network.expressvpn.proto='none' ; uci set network.expressvpn.ifname='tun0' ; uci commit

10.    Sign into the LuCI web interface (see step 3)
11.    Add the EXPRESSVPN interface to a firewall zone by going to Network | Interfaces and click Edit for the correct line.

12.    Choose the Firewall Settings tab and choose the wan radio button. Click Save & Apply.

13.    Extract the contents of the my_expressvpn_keys.zip to a new folder of your choosing. I extracted mine to a folder called expvpn which is on my Desktop.
14.    For convenience, move an *.ovpn config file of your choice to the same folder that holds your keys. The *.ovpn config file I'm going to choose for this example is: my_expressvpn_hong_kong_-_1_udp.ovpn
15.    Create the password file. Create a new text file using Notepad++ (Windows) and put your username in line 1 and your password in line 2, then save it as "pass.txt". Make sure you choose UNIX file format when saving!! (See Screen Shot Below) Put the pass.txt in your keys folder as well.
16.    Using Notepad++, edit your *.ovpn file; in this case, it's my_expressvpn_hong_kong_-_1_udp.ovpn. Make the following edits to the OVPN file.
a.        Change the line auth-user-pass to
auth-user-pass ./pass.txt
17.    ADD the following lines to the OVPN file after the auth-user-pass line
ca ./ca2.crt
cert ./client.crt
key ./client.key
tls-auth ./ta.key
18.    Delete the section below this with the certificate information (<cert>, <key>, <tls-auth>, <ca>)

The OVPN file contents will now look something like:

dev tun
fast-io
persist-key
persist-tun
nobind
remote hongkong1-ca-version-2.expressnetw.com 1195

remote-random
pull
comp-lzo
tls-client
verify-x509-name Server name-prefix
ns-cert-type server
key-direction 1
route-method exe
route-delay 2
tun-mtu 1500
fragment 1300
mssfix 1450
verb 3
cipher AES-256-CBC
keysize 256
auth SHA512
sndbuf 524288
rcvbuf 524288
auth-user-pass ./pass.txt
ca ./ca2.crt
cert ./client.crt
key ./client.key
tls-auth ./ta.key

19.    Verify that your keys folder now contains the following files:
·         ca2.crt
·         client.crt
·         client.key
·         my_expressvpn_hong_kong_-_1_udp.ovpn
·         pass.txt
·         ta.key
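The edits in steps 16 through 19 can be scripted so every .ovpn you download gets the same treatment. This is an added example, not from the original post: it assumes the file names used above (pass.txt, ca2.crt, client.crt, client.key, ta.key) and a POSIX sh with awk and grep on the desktop.

```shell
#!/bin/sh
# Added example (not part of the original post): automates steps 16-18
# for any ExpressVPN .ovpn and checks the keys folder (step 19) before
# you scp it. Runs on the Linux desktop; needs only sh, awk and grep.

# convert_ovpn SRC DEST: write the file-referencing form of SRC to DEST.
convert_ovpn() {
    awk '
        /^<(ca|cert|key|tls-auth)>[ \t]*$/   { skip = 1; next }  # inline block starts
        /^<\/(ca|cert|key|tls-auth)>[ \t]*$/ { skip = 0; next }  # inline block ends
        skip { next }                                           # drop its body (step 18)
        /^auth-user-pass[ \t]*$/ {                              # steps 16a and 17
            print "auth-user-pass ./pass.txt"
            print "ca ./ca2.crt"; print "cert ./client.crt"
            print "key ./client.key"; print "tls-auth ./ta.key"
            next
        }
        { print }
    ' "$1" > "$2"
}

# check_keys DIR CFG: every file named by auth-user-pass/ca/cert/key/tls-auth
# in CFG must exist in DIR, or the scp in step 20 ships a broken config.
check_keys() {
    missing=0
    for f in $(awk '$1 ~ /^(auth-user-pass|ca|cert|key|tls-auth)$/ && NF == 2 { print $2 }' "$2"); do
        [ -f "$1/$f" ] || { echo "missing in $1: $f" >&2; missing=1; }
    done
    return $missing
}

# demo: convert a constructed (fake, not a real ExpressVPN) config in a temp
# dir; returns 0 when no inline block survives and the references were added.
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'dev tun' 'remote hongkong1-ca-version-2.expressnetw.com 1195' \
        'auth-user-pass' '<ca>' 'FAKE-CA-PEM' '</ca>' '<tls-auth>' 'FAKE-TA' '</tls-auth>' \
        > "$d/in.ovpn"
    convert_ovpn "$d/in.ovpn" "$d/out.ovpn"
    ! grep -q '^<' "$d/out.ovpn" && grep -q '^tls-auth \./ta\.key$' "$d/out.ovpn"
}

# Usage: sh convert_ovpn.sh my_expressvpn_hong_kong_-_1_udp.ovpn ~/Desktop/expvpn/hk1.ovpn
if [ "$#" -eq 2 ]; then
    convert_ovpn "$1" "$2" && check_keys "$(dirname "$2")" "$2"
fi
```

Because the references are relative (./pass.txt), the converted file still has to be started with cd or --cd into /etc/openvpn, exactly as steps 21 and 22 do.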

20.    Use SCP to copy all of these files into the /etc/openvpn folder on the router.

scp /home/username/Desktop/expvpn/*.* root@192.168.1.1:/etc/openvpn


username@computername ~ $ scp /home/username/Desktop/expvpn/*.* root@192.168.1.1:/etc/openvpn
root@192.168.1.1's password:
ca2.crt                                       100% 2130     2.1KB/s   00:00   
client.crt                                    100% 1207     1.2KB/s   00:00   
client.key                                    100% 1679     1.6KB/s   00:00   
my_expressvpn_hong_kong_-_1_udp.ovpn          100%  451     0.4KB/s   00:00   
pass.txt                                      100%   50     0.1KB/s   00:00   
ta.key                                        100%  636     0.6KB/s   00:00   

21.    Now it's time to run the OpenVPN service on the router. We do this by issuing commands via the SSH protocol.

cd /etc/openvpn/
openvpn --config my_expressvpn_hong_kong_-_1_udp.ovpn

Your vpn service should now be up and running. YOU MUST GET THE "Initialization Sequence Completed" message before proceeding!

22.    To start the service automatically when the router powers on, add the openvpn commands to the System | Startup | Local Startup command box in the Web UI (http://192.168.1.1)

# Put your custom commands here that should be executed once
# the system init finished. By default this file does nothing.

openvpn --cd /etc/openvpn --config /etc/openvpn/my_expressvpn_hong_kong_-_1_udp.ovpn

exit 0
23.    Edit the rest of the ovpn files that you are interested in using following steps 16-18.

openvpn --cd /etc/openvpn --config /etc/openvpn/my_expressvpn_hong_kong_-_1_udp.ovpn

Note: Keep a list of these files on your computer.  If you are interested in using a different server, replace the file name in the start-up line with the new filename.

24.    Use SCP to copy all of the new OVPN files to the same folder on the router (/etc/openvpn)

scp /home/username/Desktop/expvpn/*.ovpn root@192.168.1.1:/etc/openvpn

25. Add entries to the Local Startup for each configuration, but insert a "#" in front of them to prevent them from running.  If you want to change the server your router connects to, simply remove the "#" from the location you want to use and ADD a "#" to the front of the previous one.  The Local Startup will look something like this when you are done:

# Put your custom commands here that should be executed once
# the system init finished. By default this file does nothing.

openvpn --cd /etc/openvpn --config /etc/openvpn/my_expressvpn_hong_kong_-_1_udp.ovpn
#openvpn --cd /etc/openvpn --config /etc/openvpn/my_expressvpn_hong_kong_-_2_udp.ovpn
#openvpn --cd /etc/openvpn --config /etc/openvpn/my_expressvpn_hong_kong_-_4_udp.ovpn
exit 0
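Swapping the "#" marks by hand works, but it is easy to leave two lines live or none. This is an added example, not from the original post: a small script that selects exactly one server line, assuming the Local Startup lines have the form shown above and that it is run on the router (busybox sh and awk) against /etc/rc.local, which is the file LuCI's Local Startup box edits.

```shell
#!/bin/sh
# Added example (not part of the original post): picks the active server
# in the Local Startup file (/etc/rc.local on LEDE) instead of moving the
# "#" marks by hand as in step 25. Runs on the router with busybox awk.

# select_server RC_FILE NAME: comment out every "openvpn --cd /etc/openvpn"
# line, then uncomment the single one whose config name contains NAME.
# Refuses (exit 1, file untouched) when NAME matches no line or more than
# one, since two live lines would start two OpenVPN instances at boot.
select_server() {
    n=$(awk -v want="$2" '/^#*openvpn --cd \/etc\/openvpn / && index($0, want) { n++ }
                          END { print n + 0 }' "$1")
    [ "$n" -eq 1 ] || { echo "expected exactly one startup line for '$2', found $n" >&2; return 1; }
    tmp="$1.tmp.$$"
    awk -v want="$2" '
        /^#*openvpn --cd \/etc\/openvpn / {
            sub(/^#+/, "")                         # strip any existing comment marks
            if (index($0, want) == 0) $0 = "#" $0  # keep only the wanted line live
        }
        { print }
    ' "$1" > "$tmp" && mv "$tmp" "$1"
}

# active_server RC_FILE: print the --config path of the live line (empty if none).
active_server() {
    awk '/^openvpn --cd \/etc\/openvpn / { for (i = 1; i < NF; i++) if ($i == "--config") print $(i + 1) }' "$1"
}

# Usage (on the router): sh select_server.sh /etc/rc.local hong_kong_-_2 && reboot
if [ "$#" -eq 2 ]; then
    select_server "$1" "$2" && echo "now starting: $(active_server "$1")"
fi
```

As with the manual edit, the newly selected line only takes effect at the next boot.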
26.    Change the DNS settings on the LAN interface so that devices that connect to the Wifi resolve names through an unrestricted DNS source (Google).  At the SSH command line (see step 6), enter the following two commands:

uci add_list dhcp.lan.dhcp_option='6,8.8.8.8,8.8.4.4'
uci commit

27. By default, the Wifi is disabled on LEDE routers.  Go into the Network | Wireless section and ENABLE both radio.0 and radio.1, then set up the wifi SSID and password with your preferred network name and password.  If you need more help with this, please see LEDE's Help page on Wireless configuration HERE.
28. To prevent a conflict with the ISP's modem, it is good practice to change the LAN IP range from 192.168.1.1 to another subnet, like 192.168.100.1.  This can be done in the LuCI webapp under Networking > Interfaces > LAN and then Edit.  Look for 192.168.1.1, edit it, and then Save and Apply.  You will have to renew your DHCP lease to reconnect to the router after the change takes place.  Give the router a good old-fashioned reboot when you're done just to make sure everything is reconfigured.

Thanks to the LEDE community, the HMA help page on OpenWRT, and the Streisand developers who all wrote good documentation that I've incorporated in this article.