In an attempt to secure my internet connection, I set up OpenVPN on an OpenWRT-enabled router: a good old Linksys WRT54G v3.1.
The best firmware for this router seems to be OpenWRT Backfire 10.03.1 (brcm-2.4) (LuCI 0.10.0), also attached to this page. The upgrade is very easy from the Linksys or DD-WRT web GUI: just follow the regular firmware upgrade procedure.
After the router rebooted, I set a root password, which disables telnet and enables SSH on the router. From there, I SSH into the router:
ssh 192.168.1.1 -l root
It's now time to install OpenVPN and the OpenVPN LuCI GUI:
opkg update
opkg install openvpn luci-app-openvpn
However, I didn't use LuCI to set up the VPN; it was too buggy. Instead I copied the config files from my PC to the router using SCP:
scp /etc/openvpn/* root@192.168.1.1:/etc/openvpn/
I then tweaked the OpenVPN "main" config file at /etc/config/openvpn (kept so the setup stays compatible with LuCI) by inserting the following and commenting out the rest (with #):
config 'openvpn' 'IPredator'
    option 'config' '/etc/openvpn/IPredator.conf'
In LuCI it should look like this:
I ran OpenVPN manually to check that it comes up (the option is --config; OpenVPN has no --configfile):
openvpn --config /etc/openvpn/IPredator.conf
Everything went fine. The next step is to configure the firewall by creating a new zone and forwarding internet traffic from lan to it:
- In LuCI go to Network → Interfaces
- Click "Add new interface":
  - Name: VPN
  - Protocol: Unmanaged
  - On the Physical Settings tab, select Ethernet Adapter: tun0, then Save
- Go to Network → Firewall → General Settings
- Add a new zone:
  - Name: vpn
  - Input: accept
  - Output: accept
  - Forward: reject
  - Masquerading: ☑
  - MSS clamping: ☑
- In the wan zone:
  - Disable masquerading and MSS clamping
- The lan zone must forward to the vpn zone
Finally, enable OpenVPN to start when OpenWRT boots:
- Go to System → Startup
- Enable initscript for OpenVPN
Bonus step: to prevent DNS leaks, I set DNS to use IPredator's servers and disabled the preset ones:
- Set DNS forwardings to 194.132.32.32 and 46.246.46.246
- Tick "Ignore resolve file"
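The same result written directly in UCI syntax, as an added example rather than the post's own config files. It assumes the stock Backfire section and zone names (wan, lan) and drops the stock lan-to-wan forwarding, which the post does not state explicitly; other stock options in these files are omitted.

```uci
# /etc/config/network: the tunnel interface (tun0 only exists once OpenVPN is up)
config interface 'vpn'
    option ifname 'tun0'
    option proto 'none'

# /etc/config/firewall
# wan zone: stock Backfire ships masq '1' and mtu_fix '1'; both are switched off
# so lan traffic is never NATed straight out the uplink. Output stays ACCEPT
# because the router itself must reach the VPN server over wan.
config zone
    option name 'wan'
    option network 'wan'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '0'
    option mtu_fix '0'

# new vpn zone: NAT and MSS clamping move here
config zone
    option name 'vpn'
    option network 'vpn'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'

# lan may only forward into the tunnel. The stock 'lan' -> 'wan' forwarding
# section is deliberately left out (an assumption beyond the post's steps):
# with no lan->wan rule, clients lose connectivity when tun0 is down instead
# of silently falling back to the clear-text uplink.
config forwarding
    option src 'lan'
    option dest 'vpn'

# /etc/config/dhcp: the "DNS forwardings" / "Ignore resolve file" bonus step
config dnsmasq
    option noresolv '1'
    list server '194.132.32.32'
    list server '46.246.46.246'
```

After editing these files, `/etc/init.d/network restart`, `/etc/init.d/firewall restart` and `/etc/init.d/dnsmasq restart` apply them; `iptables -t nat -L POSTROUTING -v` should then show MASQUERADE only on tun0, not on the wan interface.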