Setting up your router with OpenWRT lets users and developers run a BitTorrent client, enable a VPN, create a guest Wi-Fi network, monitor network traffic, and apply traffic shaping and QoS rules to packets, all on the router itself. The router can also run servers such as SSH (including SSH tunnelling), IRC, HTTP, FTP, and e-mail.
Here, however, you’ll learn how to set up the OysterVPN tunnel on your OpenWRT router. This is useful if you have devices that don’t support VPN clients, or if you want every device on your Wi-Fi protected at once. Here’s how to do it:
- Open one of the following addresses in your browser to reach your router:
- A router freshly flashed with the OpenWRT firmware image accepts only telnet connections at first, so connect with telnet to 192.168.1.1 and set a root password with the command “passwd”. Once a root password is set, the router accepts SSH connections instead. OpenVPN isn’t included in the default firmware image, so install it with opkg:
opkg update
opkg install openvpn-openssl
- The LuCI web component for OpenVPN configuration can also be installed, although it is not required:
opkg install luci-app-openvpn
- Alternatively, you can build a firmware image with OpenVPN included, which removes the need to install the client afterwards. A helpful guide to configuring the OpenVPN client on OpenWrt is here: https://github.com/StreisandEffect/streisand/wiki/Setting-an-OpenWrt-Based-Router-as-OpenVPN-Client
- We’ll follow that guide with OysterVPN-specific tweaks. After installing OpenVPN, set it to start automatically when the router boots:
/etc/init.d/openvpn enable
- You need the OysterVPN server configuration file you obtained in the “Choose an OysterVPN server” section. Copy the downloaded file into the /etc/openvpn/ folder of the router filesystem using PSCP or WinSCP on Windows, or the scp command on Linux. If the copy fails, force the SCP protocol (sftp also works).
- In the configuration file, find the line “auth-user-pass” and change it to “auth-user-pass cred.txt”. A relative name is looked up from OpenVPN’s working directory, so you can also give the absolute path /etc/openvpn/cred.txt. Use the credentials you gathered in the “Find your login details” section.
- This connection type authenticates with your service username and password. In the /etc/openvpn/ folder, create the text file cred.txt with your OysterVPN username on the first line and your service password on the second line.
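The two steps above (pointing the profile at a credentials file and creating that file) as one script, added here as an example; it is not part of the original guide or OysterVPN’s own material. It assumes the BusyBox sed on OpenWRT (which supports -i), writes the credentials file with mode 0600 so only root can read the plaintext password, and uses the absolute path /etc/openvpn/cred.txt by default so the lookup does not depend on OpenVPN’s working directory. The profile contents, username and password in the demo are constructed placeholders, not real OysterVPN data.

```shell
#!/bin/sh
# Added example: install an OpenVPN credentials file and point a profile at it.
# Usage: setup_credentials PROFILE.ovpn USERNAME PASSWORD [CRED_FILE]
setup_credentials() {
    profile=$1
    user=$2
    pass=$3
    cred=${4:-/etc/openvpn/cred.txt}

    [ -f "$profile" ] || { echo "profile not found: $profile" >&2; return 1; }
    # Refuse to guess where the directive belongs if the profile lacks it.
    grep -q '^auth-user-pass' "$profile" || {
        echo "no auth-user-pass line in $profile" >&2; return 1; }

    # Username on line 1, password on line 2. umask 077 makes the file 0600
    # from the moment it is created, so the password is never world-readable.
    ( umask 077; printf '%s\n%s\n' "$user" "$pass" > "$cred" )
    chmod 600 "$cred"

    # Replace the bare directive with the absolute path to the file.
    sed -i "s|^auth-user-pass.*|auth-user-pass $cred|" "$profile"
}

# Returns 0 only if the profile references the file and the file is 0600.
check_credentials() {
    profile=$1
    cred=${2:-/etc/openvpn/cred.txt}
    grep -q "^auth-user-pass $cred\$" "$profile" || return 1
    [ "$(ls -l "$cred" | cut -c1-10)" = "-rw-------" ] || return 1
}

# Demo in a scratch directory with a constructed profile (not a real OysterVPN profile).
demo() {
    dir=$(mktemp -d)
    printf 'client\ndev tun\nauth-user-pass\nremote vpn.example.invalid 443\n' > "$dir/demo.ovpn"
    setup_credentials "$dir/demo.ovpn" 'demo-user' 'demo-pass' "$dir/cred.txt"
    if check_credentials "$dir/demo.ovpn" "$dir/cred.txt"; then
        echo "profile patched: $(grep '^auth-user-pass' "$dir/demo.ovpn")"
    fi
    rm -rf "$dir"
}
demo
```

On the router you would call setup_credentials on the real profile under /etc/openvpn/ and omit the fourth argument; check_credentials is a quick way to confirm the permissions after copying files with WinSCP, which often leaves them readable by everyone.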
- Now activate your chosen OpenVPN configuration file. This can be done in one of two ways:
- Change the file’s extension from “ovpn” to “conf”. The OpenVPN init script then picks it up automatically from /etc/openvpn/.
- Or, using uci, register the file name in /etc/config/openvpn:
uci set openvpn.oystervpn=openvpn
uci set openvpn.oystervpn.enabled='1'
uci set openvpn.oystervpn.config='/etc/openvpn/ae-dub.prod.oystervpn.com_tcp.ovpn'
uci commit openvpn
- Equivalently, instead of running the uci commands, append the following section to the file /etc/config/openvpn by hand:
config openvpn 'oystervpn'
	option enabled '1'
	option config '/etc/openvpn/ae-dub.prod.oystervpn.com_tcp.ovpn'
- Now create a new network interface for the tunnel. Again there are two ways to do this, and we don’t recommend doing both at once. With uci:
uci set network.oystervpntun=interface
uci set network.oystervpntun.proto='none'
uci set network.oystervpntun.ifname='tun0'
uci commit network
- Or insert the following section into the file /etc/config/network by hand:
config interface 'oystervpntun'
	option proto 'none'
	option ifname 'tun0'
- After that, create a new firewall zone for the tunnel as shown below, and add a forwarding rule from the LAN zone to the VPN zone. Note that uci paths must start with the config name (“firewall.”):
uci add firewall zone
uci set firewall.@zone[-1].name='vpnfirewall'
uci set firewall.@zone[-1].input='REJECT'
uci set firewall.@zone[-1].output='ACCEPT'
uci set firewall.@zone[-1].forward='REJECT'
uci set firewall.@zone[-1].masq='1'
uci set firewall.@zone[-1].mtu_fix='1'
uci add_list firewall.@zone[-1].network='oystervpntun'
uci add firewall forwarding
uci set firewall.@forwarding[-1].src='lan'
uci set firewall.@forwarding[-1].dest='vpnfirewall'
uci commit firewall
- Or append the following sections to the file /etc/config/firewall by hand:
config zone
	option name 'vpnfirewall'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'oystervpntun'

config forwarding
	option src 'lan'
	option dest 'vpnfirewall'
- Now set up the DNS servers. The simplest solution is to use OysterVPN’s DNS servers on the router’s WAN interface, and to stop using the DNS servers advertised by your ISP (peerdns '0'). With uci:
uci set network.wan.peerdns='0'
uci del network.wan.dns
uci add_list network.wan.dns='126.96.36.199'
uci add_list network.wan.dns='188.8.131.52'
uci commit network
- Or edit the wan section of /etc/config/network by hand so that it reads:
config interface 'wan'
	option ifname 'eth0.2'
	option force_link '1'
	option proto 'dhcp'
	option peerdns '0'
	list dns '184.108.40.206'
	list dns '220.127.116.11'
- You can also set the “masq” (masquerading) option of the wan zone to “0”. In the default firewall configuration the wan zone is the one listed after the lan zone, i.e. @zone[1] (confirm with “uci show firewall” before relying on the index), so the command is:
uci set firewall.@zone[1].masq='0'
- When you have finished configuring, commit your changes with “uci commit firewall”. You can also stop LAN traffic from being forwarded to any interface other than the VPN tunnel by adding the following to /etc/firewall.user:
# This file is interpreted as a shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.
# Internal UCI firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD, or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.

# Reject LAN traffic forwarded to any interface that is not a tun device.
# "-C" only checks whether the rule exists, so the rule is not added twice.
if ! iptables -C forwarding_lan_rule ! -o tun+ -j REJECT 2>/dev/null; then
    iptables -I forwarding_lan_rule ! -o tun+ -j REJECT
fi
- Alternatively, add the following lines to /etc/firewall.user to block all forwarding while the tunnel is down. Note that “ip a s tun0 up” exits 0 but prints nothing when tun0 exists but is down, so the output is tested rather than the exit status:
# Block all forwarding when tun0 is absent or down.
if [ -z "$(ip a s tun0 up 2>/dev/null)" ] && ! iptables -C forwarding_rule -j REJECT 2>/dev/null; then
    iptables -I forwarding_rule -j REJECT
fi
- Then create the file 99-prevent-leak in the /etc/hotplug.d/iface/ folder, which removes the block when the tunnel comes up and restores it when the tunnel goes down (hotplug sets ACTION for every interface event):
#!/bin/sh
# /etc/hotplug.d/iface/99-prevent-leak
if [ "$ACTION" = ifup ] && [ -n "$(ip a s tun0 up 2>/dev/null)" ] && iptables -C forwarding_rule -j REJECT 2>/dev/null; then
    iptables -D forwarding_rule -j REJECT
fi
if [ "$ACTION" = ifdown ] && [ -z "$(ip a s tun0 up 2>/dev/null)" ] && ! iptables -C forwarding_rule -j REJECT 2>/dev/null; then
    iptables -I forwarding_rule -j REJECT
fi
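The firewall.user and hotplug snippets above both try to keep a catch-all REJECT in forwarding_rule exactly while tun0 is down. The script below is an added example, not part of the original guide, that folds both into one idempotent sync_block function which can be dropped into /etc/hotplug.d/iface/ and also run from cron, so a missed hotplug event cannot leave the LAN forwarding unprotected. It assumes the firewall3 (iptables) chain name forwarding_rule used on the page; the IPT and IP variables are assumptions of this example that exist only so the logic can be exercised without a live firewall.

```shell
#!/bin/sh
# Added example: a single reconcile function for the VPN "kill switch".
# Desired state: forwarding_rule holds a REJECT rule if and only if the tunnel is down.
TUN=${TUN:-tun0}
IPT=${IPT:-iptables}   # override with a wrapper or fake when testing
IP=${IP:-ip}

# True when the tunnel interface exists and is up. `ip addr show <if> up`
# exits 0 but prints nothing for an interface that is down, so test the output.
tun_is_up() {
    [ -n "$($IP addr show "$1" up 2>/dev/null)" ]
}

# True when the catch-all REJECT is already present (-C checks without changing).
block_present() {
    $IPT -C forwarding_rule -j REJECT 2>/dev/null
}

# Bring the firewall into the desired state; safe to call any number of times.
sync_block() {
    if tun_is_up "$TUN"; then
        if block_present; then
            $IPT -D forwarding_rule -j REJECT   # tunnel up: allow forwarding again
        fi
    else
        if ! block_present; then
            $IPT -I forwarding_rule -j REJECT   # tunnel down: stop all forwarding
        fi
    fi
}

# Report the current state as one word ("blocked" or "open") for logging.
block_state() {
    if block_present; then echo blocked; else echo open; fi
}

# When sourced by hotplug, ACTION is ifup or ifdown; reconcile on either.
# Without ACTION (e.g. when sourced interactively) nothing runs automatically.
case "${ACTION:-}" in
    ifup|ifdown) sync_block ;;
esac
```

To run the same check periodically, add a cron entry such as `* * * * * ACTION=ifdown sh /etc/hotplug.d/iface/99-prevent-leak` (the ACTION value only needs to match one of the case labels). One caveat: OpenWrt 22.03 and later use firewall4 (nftables), where /etc/firewall.user is no longer read and the iptables chains above do not exist, so this approach applies to firewall3 releases only.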
- After you’ve finished configuring the router, reboot it with the following command:
reboot
- OpenVPN sometimes hangs with log lines like “couldn’t resolve host…”: the tunnel interface stays up, but the connection is lost. It then has to be reconnected by a watchdog script, /etc/openvpn/reconnect.sh, which should be started from /etc/rc.local.
- The content of reconnect.sh is as follows (the page’s copy is cut off after the “if” line; the probe count and the restart action are assumptions, marked in the comments):
#!/bin/sh
# /etc/openvpn/reconnect.sh: restart OpenVPN when the tunnel stops passing traffic.
n=3   # number of ping probes per check (assumed; the original does not define n)
while sleep 50; do
    # Count received replies. BusyBox grep -E has no \d, so match [0-9]+.
    t=$(ping -c "$n" 18.104.22.168 | grep -o -E '[0-9]+ packets r' | grep -o -E '[0-9]+')
    if [ "${t:-0}" -eq 0 ]; then
        /etc/init.d/openvpn restart   # assumed recovery action; the original script ends here
    fi
done
Done! You have now set up the OysterVPN tunnel on your OpenWRT router.