ExpressVPN Setup using OpenVPN on Xiaomi Mini Wifi running LEDE 17.01.2
(NOTE: Sorry...I'm super lazy on this post. I wrote it in MS Word and copy and pasted it here...spacing is bad)
This tutorial assumes that you have LEDE with the LuCI webif (web interface) installed. Visit lede-project.org for more information.
Please note that I use a Linux desktop for these instructions (I do not want the hassle of Windows-based versions of SSH and SCP, although this is possible using WinSCP and PuTTY).
1. Install LEDE 17.01.2 on the Xiaomi Mini router (this is a whole other document, see HERE).
   Note: Download LEDE images here: https://downloads.lede-project.org/releases/17.01.2/targets/ramips/mt7620/
2. Download all the files you will need from ExpressVPN's website.
   a. Sign in to ExpressVPN's subscriber area: https://www.expressvpn.com/users/sign_in
   b. Once you've clicked the link in the welcome email or logged in to the website, click on Set Up ExpressVPN on the Active Subscriptions page. This will take you to the Downloads page.
   c. Click on Manual Config on the left side of the screen and then select the OpenVPN tab on the right. You will first see your username and password and then a list of OpenVPN configuration files.
   d. Copy the username and password from this website to a text file on your computer; you will be asked to enter them later in the setup process.
   e. Download and save the .ovpn file(s) for the locations (e.g. Los Angeles, New York, etc.) that you wish to connect to. Copy as many as you like...within reason :)
   f. Download the ZIP file that contains copies of your certificates and keys separately.
3. Open the LuCI web app in a browser. The default LEDE router address is http://192.168.1.1, the username is root and the password is blank.
4. Set the administrator's password to miwifipass135 by clicking System | Administration, entering the password and confirmation, and then clicking Save & Apply.
5. Click Logout, and then log back in to the web interface with the new password.
6. From a command line on the computer, connect to the router via ssh with this command:
   ssh root@192.168.1.1
   Note: If you've reset the router after using ssh before, use this command to remove the router's old host key from your known_hosts file (ssh refuses to connect while the stored key no longer matches the router's new one):
   ssh-keygen -f /home/username/.ssh/known_hosts -R 192.168.1.1
   If you successfully sign in, you will see a screen like this:
BusyBox v1.25.1 () built-in shell (ash)

     _________
    /        /\      _    ___ ___  ___
   /  LE    /  \    | |  | __|   \| __|
  /    DE  /    \   | |__| _|| |) | _|
 /________/  LE  \  |____|___|___/|___|                      lede-project.org
 \        \   DE /
  \    LE  \    /  -----------------------------------------------------------
   \  DE    \  /    Reboot (17.01.2, r3435-65eec8bd5f)
    \________\/    -----------------------------------------------------------

root@LEDE:~#
7. Run the following command to install the basic set of software packages for the router:
   opkg update ; opkg install openvpn-openssl luci-app-openvpn ca-certificates luci-theme-material mtr ; reboot
   Note: A successful installation will have the following text in the command line at the end of the process:
   Configuring terminfo.
   Configuring luci-theme-material.
   Configuring kmod-tun.
   Configuring libncurses.
   Configuring mtr.
   Configuring liblzo.
   Configuring zlib.
   Configuring libopenssl.
   Configuring openvpn-openssl.
   Configuring ca-certificates.
   Configuring luci-app-openvpn.
8. After the router reboots, sign into the router using SSH again (see step 6).
9. Run the following command to create a new "expressvpn" network interface:
   uci set network.expressvpn=interface ; uci set network.expressvpn.proto='none' ; uci set network.expressvpn.ifname='tun0' ; uci commit
10. Sign into the LuCI web interface (see step 3).
11. Add the EXPRESSVPN interface to a firewall zone by going to Network | Interfaces and clicking Edit for the correct line.
12. Choose the Firewall Settings tab and choose the wan radio button. Click Save & Apply.
13. Extract the contents of my_expressvpn_keys.zip to a new folder of your choosing. I extracted mine to a folder called expvpn which is on my Desktop.
14. For convenience, move an *.ovpn config file of your choice to the same folder that holds your keys. The *.ovpn config file I'm going to choose for this example is: my_expressvpn_hong_kong_-_1_udp.ovpn
15. Create the password file. Create a new text file using Notepad++ (Windows) and put your username in line 1 and your password in line 2, then save it as "pass.txt". Make sure you choose UNIX file format when saving!! (See screen shot below.) Put pass.txt in your keys folder as well.
16. Using Notepad++, edit your *.ovpn file; in this case, it's my_expressvpn_hong_kong_-_1_udp.ovpn. Make the following edits to the OVPN file.
   a. Change the line auth-user-pass to
      auth-user-pass ./pass.txt
17. Add the following lines to the OVPN file after the auth-user-pass line:
   ca ./ca2.crt
   cert ./client.crt
   key ./client.key
   tls-auth ./ta.key
18. Delete the section below this with the certificate information (<cert>, <key>, <tls-auth>, <ca>).
   The OVPN file contents will now look something like:
dev tun
fast-io
persist-key
persist-tun
nobind
remote hongkong1-ca-version-2.expressnetw.com 1195
remote-random
pull
comp-lzo
tls-client
verify-x509-name Server name-prefix
ns-cert-type server
key-direction 1
route-method exe
route-delay 2
tun-mtu 1500
fragment 1300
mssfix 1450
verb 3
cipher AES-256-CBC
keysize 256
auth SHA512
sndbuf 524288
rcvbuf 524288
auth-user-pass ./pass.txt
ca ./ca2.crt
cert ./client.crt
key ./client.key
tls-auth ./ta.key
19. Verify that your keys folder now contains the following files:
   - ca2.crt
   - client.crt
   - client.key
   - my_expressvpn_hong_kong_-_1_udp.ovpn
   - pass.txt
   - ta.key
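The edits in steps 15 to 19 can be scripted on the Linux desktop instead of done by hand in an editor. The following helper is an added example, not part of the original post or of ExpressVPN's files; it assumes the same file names as above (pass.txt, ca2.crt, client.crt, client.key, ta.key) and that it is run from the keys folder.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes a Linux desktop and the
# file names used in steps 15-19.

# Steps 16-18: point auth-user-pass at pass.txt, add the external cert/key
# directives right after it, and strip the inline <ca>/<cert>/<key>/<tls-auth>
# blocks so the router reads the separate files instead.
convert_ovpn() {  # usage: convert_ovpn input.ovpn output.ovpn
    awk '
        /^<(ca|cert|key|tls-auth)>/   { skip = 1 }        # start of inline block
        /^<\/(ca|cert|key|tls-auth)>/ { skip = 0; next }  # end of inline block
        skip { next }
        /^auth-user-pass/ {
            print "auth-user-pass ./pass.txt"
            print "ca ./ca2.crt"
            print "cert ./client.crt"
            print "key ./client.key"
            print "tls-auth ./ta.key"
            next
        }
        { print }
    ' "$1" > "$2"
}

# Step 15: pass.txt holds the VPN credentials in clear text, so create it
# readable by the owner only. printf writes LF line endings (UNIX format).
write_pass_file() {  # usage: write_pass_file username password [path]
    ( umask 077; printf '%s\n%s\n' "$1" "$2" > "${3:-pass.txt}" )
}

# Step 19: confirm every file the edited config refers to exists before scp.
check_keys_folder() {  # usage: check_keys_folder dir  (returns 1 if any is missing)
    for f in ca2.crt client.crt client.key ta.key pass.txt; do
        [ -f "$1/$f" ] || { echo "missing: $1/$f" >&2; return 1; }
    done
}
```

Run convert_ovpn on each downloaded .ovpn you plan to use; the output file is what you copy to the router in step 20.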
20. Use SCP to copy all of these files into the /etc/openvpn folder on the router:
   scp /home/username/Desktop/expvpn/*.* root@192.168.1.1:/etc/openvpn
   username@computername ~ $ scp /home/username/Desktop/expvpn/*.* root@192.168.1.1:/etc/openvpn
   root@192.168.1.1's password:
   ca2.crt                                  100% 2130     2.1KB/s   00:00
   client.crt                               100% 1207     1.2KB/s   00:00
   client.key                               100% 1679     1.6KB/s   00:00
   my_expressvpn_hong_kong_-_1_udp.ovpn     100%  451     0.4KB/s   00:00
   pass.txt                                 100%   50     0.1KB/s   00:00
   ta.key                                   100%  636     0.6KB/s   00:00
21. Now it's time to run the OpenVPN service on the router. We do this by issuing commands via the SSH protocol:
   cd /etc/openvpn/
   openvpn --config my_expressvpn_hong_kong_-_1_udp.ovpn
   Your VPN service should now be up and running. YOU MUST GET THE "Initialization Sequence Completed" message before proceeding!
22. To start the service automatically when the router powers on, add the openvpn command to the System | Startup | Local Startup command box in the Web UI (http://192.168.1.1):
   # Put your custom commands here that should be executed once
   # the system init finished. By default this file does nothing.
   openvpn --cd /etc/openvpn --config /etc/openvpn/my_expressvpn_hong_kong_-_1_udp.ovpn
   exit 0
23. Edit the rest of the ovpn files that you are interested in using, following steps 16-18.
   Note: Keep a list of these files on your computer. If you are interested in using a different server, replace the file name in the start-up line with the new filename:
   openvpn --cd /etc/openvpn --config /etc/openvpn/my_expressvpn_hong_kong_-_1_udp.ovpn
24. Use SCP to copy all of the new OVPN files to the same folder on the router (/etc/openvpn):
   scp /home/username/Desktop/expvpn/*.ovpn root@192.168.1.1:/etc/openvpn
   # Put your custom commands here that should be executed once
   # the system init finished. By default this file does nothing.
   openvpn --cd /etc/openvpn --config /etc/openvpn/my_expressvpn_hong_kong_-_1_udp.ovpn
   #openvpn --cd /etc/openvpn --config /etc/openvpn/my_expressvpn_hong_kong_-_2_udp.ovpn
   #openvpn --cd /etc/openvpn --config /etc/openvpn/my_expressvpn_hong_kong_-_4_udp.ovpn
   #openvpn --cd /etc/openvpn --config /etc/openvpn/my_expressvpn_hong_kong_-_4_udp.ovpn
   exit 0
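Switching the active server in steps 23 and 24 means editing that start-up list so exactly one openvpn line is uncommented. The Local Startup box in LuCI is the file /etc/rc.local, so the change can also be made over SSH with the helper below. It is an added example, not from the original post; it assumes BusyBox ash on the router, the line format shown above, and the hypothetical function name set_startup_config.

```shell
#!/bin/sh
# Added example (not from the original post). Rewrites /etc/rc.local so that
# the chosen ExpressVPN config is the only uncommented openvpn line, keeping
# the other configs as "#openvpn ..." lines the way the post's start-up box
# does. Refuses to activate a config that is not actually on the router.
#   usage: set_startup_config <name-without-.ovpn> [rc.local path] [config dir]
set_startup_config() {
    name=$1
    rc=${2:-/etc/rc.local}
    dir=${3:-/etc/openvpn}
    [ -f "$dir/$name.ovpn" ] || { echo "no such config: $dir/$name.ovpn" >&2; return 1; }
    tmp="$rc.tmp.$$"
    awk -v want="openvpn --cd $dir --config $dir/$name.ovpn" '
        /^#?openvpn --cd / {              # an existing openvpn start-up line
            line = $0
            sub(/^#/, "", line)           # compare without the comment marker
            if (line == want) { print want; found = 1 } else { print "#" line }
            next
        }
        /^exit 0$/ && !found {            # config not listed yet: add it before exit 0
            print want
            found = 1
        }
        { print }
    ' "$rc" > "$tmp" && mv "$tmp" "$rc"
}
```

After changing the line, reboot (or run the same openvpn command by hand) and confirm the "Initialization Sequence Completed" message from step 21 appears before relying on the tunnel.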
25. Change the DNS settings on the LAN interface so that the devices that connect to your Wifi resolve internet addresses through an unrestricted source (Google). At the SSH command line (see step 6), enter the following two commands:
   uci add_list dhcp.lan.dhcp_option='6,8.8.8.8,8.8.4.4'
   uci commit
26. By default, the Wifi is disabled on LEDE routers. Go into the Network | Wireless section and ENABLE both radio.0 and radio.1, then set up the wifi SSID and password with your preferred network name and password. If you need more help with this, please see LEDE's Help page on Wireless configuration HERE.
27. To prevent a conflict with the ISP's modem, it is a good practice to change the LAN IP range from 192.168.1.1 to another subnet, like 192.168.100.1. This can be done in the LuCI webapp under Network | Interfaces | LAN and then Edit. Look for 192.168.1.1, edit it, and then Save & Apply. You will have to renew your DHCP lease to reconnect to the router after the change takes place. Give that router a good old-fashioned reboot when you're done just to make sure everything is reconfigured.
Thanks to the LEDE community, the HMA help page on OpenWRT, and the Streisand developers who all wrote good documentation that I've incorporated in this article.