This guide will help you set up OpenVPN on your Linksys OpenWRT router. By following these steps, you will be able to securely connect to your router from anywhere in the world using a VPN.
If you encounter any issues or need further assistance, please refer to the OpenWRT Forum or OpenVPN Documentation.
- OpenWRT Router: Ensure your router is an MBE70 model running OpenWRT.
- SSH Access: Enable SSH access on the router.
- NAT check: Check whether your router is behind a NAT. If it is, there is an additional step to perform (step 5).
1. Download the Setup Script
- Access the Router: Use an SSH client to connect to your router.
ssh root@<router_ip>
- Download the Script: Download the setup script to your router.
wget -O /tmp/setup_openvpn_server.sh <link_to_script>
Note: Check the addresses used in the VPN_POOL and VPN_DNS variables for conflicts with your network. The script uses network 10.8.0.0/24. If this network is already in use, either on the router side or on the client side, you will not be able to establish a VPN connection. In that case, edit these variables.
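One way to run the conflict check from the note above, as an added example that is not part of the original setup script: it reads `ip -4 route` output and reports every routed prefix that overlaps the VPN pool. The CIDR form of the pool and the sample routes are constructed for illustration; run the same check on the router and on the client machine.

```shell
#!/bin/sh
# Added example (not part of setup_openvpn_server.sh): report routed
# prefixes that overlap the VPN pool. Assumes the pool is written as CIDR.

# Convert a dotted-quad IPv4 address to an integer.
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# Print "first last" (as integers) for a CIDR; a bare address counts as /32.
cidr_range() {
    addr=${1%/*}; bits=${1#*/}
    if [ "$bits" = "$1" ]; then bits=32; fi
    size=$(( 1 << (32 - bits) ))
    first=$(( $(ip_to_int "$addr") / size * size ))
    echo "$first $(( first + size - 1 ))"
}

# Exit 0 when the two CIDRs share at least one address.
cidr_overlap() {
    set -- $(cidr_range "$1") $(cidr_range "$2")
    [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
}

# Read `ip -4 route` output on stdin; print each prefix overlapping pool $1.
find_conflicts() {
    pool=$1
    while read -r dest rest; do
        case $dest in
            [0-9]*) if cidr_overlap "$pool" "$dest"; then echo "$dest"; fi ;;
        esac
    done
}

# Constructed sample of `ip -4 route` output (interface names are made up).
SAMPLE_ROUTES='default via 192.168.1.1 dev wan
10.8.0.128/25 dev tun1 proto kernel scope link src 10.8.0.129
192.168.1.0/24 dev wan proto kernel scope link src 192.168.1.22
192.168.8.0/24 dev br-lan proto kernel scope link src 192.168.8.1'

# On a real device: ip -4 route | find_conflicts 10.8.0.0/24
printf '%s\n' "$SAMPLE_ROUTES" | find_conflicts 10.8.0.0/24
```

Any prefix it prints means the pool has to change before clients on that network can connect.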
2. Make the Script Executable
chmod +x /tmp/setup_openvpn_server.sh
3. Run the Setup Script
sh /tmp/setup_openvpn_server.sh
This script will:
- Install necessary packages (openvpn-openssl and openvpn-easy-rsa).
- Generate keys and certificates.
- Configure OpenVPN server.
- Set up firewall rules.
4. Transfer the Client Configuration File
After running the script, you need to transfer the client configuration file to your local machine:
scp root@<router_ip>:/etc/openvpn/openvpn_client.ovpn /path/to/local/machine
5. Check NAT traversal
Download the NAT check script and run it on your router. It will tell you whether the router is behind a NAT:
wget -O /tmp/check_nat.sh <link_to_script>
chmod +x /tmp/check_nat.sh
/tmp/check_nat.sh
The script prints a diagnosis. If you get the result below, then your router is behind a NAT:
The device is likely behind a NAT.
If you are not in this situation, you can directly move to step 6.
If you are in this situation, follow the instructions below. Note that step 5.a is only mandatory if you do not have a static public IP. If you know for sure that you have a static public IP, you can move directly to step 5.b.
a. Setup a Dynamic DNS service
There are many free dynamic DNS services. You may choose whichever you want. For the sake of the example we are going to choose https://www.dynu.com. You will be asked to choose a domain name. Let’s say that I chose “remote_me.ddnsfree.com”.
Now, you need to configure your router to push its address to the service. This way, if your IP changes, you do not need to update it manually on dynu.com; the router does that for you automatically.
To do that, connect to your router and select “Dynamic DNS”:
Then edit your my_ddns_IPv4 service or create a new one:
Then go to advanced settings and configure as follows:
If you do not do that, the router will try to share its private IP address, which will be rejected by the Dynamic DNS service.
Once you are done, click “save and apply” and go back to the DynamicDNS page. There, start the service by clicking on “Start”:
b. Edit OpenVPN file
If you did not need the dynamic DNS service because you have a static IP, retrieve your static IP. You can ask your favorite internet search engine or run a more minimalist command:
curl ifconfig.me
Now that we know our IP, we need to edit the .ovpn file describing the connection. Open the file “openvpn_client.ovpn”, which you retrieved earlier, and edit line 4:
remote 192.168.1.22 1194
becomes (the IP address above is just an example):
remote my_own_chosen_ddns_name.my_ddns_service.com 1194
or if you know your static public IP:
remote x.x.x.x 1194
Alright, now save your file. You can move to next step.
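The edit described in step 5.b, as an added example that is not part of the original scripts: it flags a client profile whose `remote` directive still points at a private address and rewrites it to the public endpoint. The sample profile is constructed for illustration, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: detect a "remote" that is only reachable inside the LAN
# and rewrite it. Not part of the scripts this guide downloads.

# Exit 0 when $1 is an IPv4 address in RFC 1918 or CGNAT (100.64.0.0/10) space.
is_private_ipv4() {
    case $1 in
        *[!0-9.]*) return 1 ;;   # hostname, not a dotted quad
        10.*|192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        100.6[4-9].*|100.[7-9][0-9].*|100.1[01][0-9].*|100.12[0-7].*) return 0 ;;
    esac
    return 1
}

# Print the host of the first "remote" directive read from stdin.
remote_host() {
    awk '$1 == "remote" { print $2; exit }'
}

# Rewrite every "remote" directive on stdin to host $1 and port $2,
# leaving the rest of the profile untouched.
set_remote() {
    awk -v h="$1" -v p="$2" \
        '$1 == "remote" { print "remote", h, p; next } { print }'
}

# Constructed sample profile; only the "remote" line matters here.
SAMPLE_OVPN='client
dev tun
proto udp
remote 192.168.1.22 1194
nobind'

host=$(printf '%s\n' "$SAMPLE_OVPN" | remote_host)
if is_private_ipv4 "$host"; then
    echo "remote $host is private: unreachable from outside the LAN" >&2
    # Placeholder name from the guide; use your own DDNS name or static IP.
    printf '%s\n' "$SAMPLE_OVPN" |
        set_remote my_own_chosen_ddns_name.my_ddns_service.com 1194
fi
```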
c. Configure ISP router
This is the trickiest part, and it really depends on your ISP, so clear explanations are hard to give. First of all, you need to connect to the router performing NAT. To find the IP of that router, run the following command on your OpenWRT router:
route
You will get something like this:
Kernel IP routing table
You need to look for the default gateway. In the above case, the default gateway is 192.168.1.1.
Now, you need to connect to that device and find the routing / NAT setup. Then configure port 1194 arriving from outside to be forwarded to port 1194 on your OpenWRT device inside your private network. This is how that shows up in my case:
Again, this will be different depending on your ISP. If you were able to complete that part, you can finally move to step 6!
If you are not able to pass this step, don’t panic: another setup is possible. See Remote Access Setup with ZeroTier VPN.
6. Connect Using the OpenVPN Client
- Install OpenVPN Client: Download and install the OpenVPN client for your operating system from OpenVPN's official site.
- Import Configuration File: Open the OpenVPN client and import the openvpn_client.ovpn file you transferred to your local machine.
- Connect to VPN: Select the imported configuration and click "Connect".
7. Verify the Connection
Once connected, verify that your IP address has changed and that you can access internal resources on your network. If you did not edit the script OpenVPN_Remote.sh provided at the beginning of this article, then you can try to SSH into your router at the following IP: 10.8.0.1
Common Issues
- Connection Refused: Ensure your router's firewall allows incoming connections on the OpenVPN port.
- Configuration Errors: Check the OpenVPN logs for any configuration errors:
logread -e openvpn
For advanced users, you may want to customize the OpenVPN configuration further. Edit the server configuration file located at /etc/openvpn/openvpn_server.conf and make any necessary changes.
- Use Strong Passwords: Ensure all passwords are strong and secure.
- Keep Software Updated: Regularly update OpenWRT and installed packages to the latest versions.
- Monitor Logs: Regularly check OpenVPN and system logs for any unusual activity.