Sunday, August 20, 2017

Step-by-Step: Base Install - VPN Client Router using LEDE (or OpenWRT)

PUBLISHED 2017 August 14
INTRODUCTION
This step-by-step is designed to install LEDE with the most common packages and protocols needed for it to act as a VPN client (it connects out to a VPN endpoint; it is not a VPN server accepting incoming connections).  The current VPN clients that are supported in this build are:

I only use the packages in the LEDE repository since they support UCI commands.  This unfortunately means that they are not the latest binaries available, but for support I personally think it's better to use these editions.

Note: LEDE also has packages for the "OpenConnect", "softethervpn", "openvpn-easy-rsa", and more - however I do not have providers to test these protocols against. If I ever do, I'll update this document.

To run these commands you'll need an SSH client on your computer.  PuTTY works fine on Windows, but I'm using Linux and all of my commands will assume that you are too.

I am using the Xiaomi Mini Wifi router since I live in China and can get them easily; they've also got lots of RAM and storage. I highly recommend them if you can find one.  The downside is that there's a bug in the wifi driver support and the Wi-Fi signal is not very strong, but it's still usable.  For instructions on the initial setup of the Xiaomi Mini, please see my other article on the subject HERE.

NOTES ON SYNTAX (My standards)
For all commands in the Linux shell, I color code them BLUE.
For all commands in the SSH shell inside the router, I color code them RED.

INSTALL LEDE 17.01.2
If you are running an older version of LEDE or you are running OpenWRT, please first upgrade to LEDE (it is a fork of OpenWRT that has essentially replaced it - it seems like they will re-merge in the future though). [LEDE Instructions]

Note: Even if you are already running on LEDE 17.01.2, I recommend a clean wipe of the device from within the LUCI webapp or with the following command (run via SSH): firstboot && reboot

ssh root@192.168.1.1

SNAPSHOT1="https://downloads.lede-project.org/snapshots/targets/ramips/mt7620/openwrt-ramips-mt7620-miwifi-mini-squashfs-sysupgrade.bin" ; SNAPSHOTSHA256SUMS="https://downloads.lede-project.org/snapshots/targets/ramips/mt7620/sha256sums" ; cd /tmp ; wget $SNAPSHOT1 ; wget $SNAPSHOTSHA256SUMS ; sha256sum -c sha256sums 2> /dev/null | grep OK

sysupgrade -v -n /tmp/*.bin


The router will install the new operating system and reboot.
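The one-liner above pipes "sha256sum -c" through "grep OK" and then the next command flashes the image whether or not an OK line appeared. The following is an added example, not part of the original post, of a fail-closed wrapper: it reads the same sha256sums listing, picks the entry for the image, and only calls sysupgrade when the hash matches. The file names and contents in demo() are constructed stand-ins for the real image and listing.

```shell
#!/bin/sh
# Added example, not from the original post: a fail-closed check around the
# image download. The post's one-liner pipes "sha256sum -c" through "grep OK"
# and then runs sysupgrade regardless; this wrapper refuses to flash unless
# the image's SHA-256 matches its entry in the downloaded sha256sums file.

# verify_image IMAGE SUMSFILE
# Returns 0 on match, 1 on mismatch, 2 when the listing has no entry for IMAGE.
verify_image() {
    image="$1"; sums="$2"
    name=$(basename "$image")
    # The listing covers every file for the target, one "<hash> *<filename>"
    # per line; select only the entry for this image (strip the "*" marker).
    expected=$(awk -v n="$name" '{ f = $2; sub(/^\*/, "", f); if (f == n) print $1 }' "$sums")
    if [ -z "$expected" ]; then
        echo "no checksum entry for $name" >&2
        return 2
    fi
    actual=$(sha256sum "$image" | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then
        echo "checksum MISMATCH for $name: refusing to flash" >&2
        return 1
    fi
    echo "checksum OK for $name" >&2
    return 0
}

# flash_if_verified IMAGE SUMSFILE: sysupgrade only runs when verification passes
# (sysupgrade exists only on the router; this function is not exercised below).
flash_if_verified() {
    verify_image "$1" "$2" || return $?
    sysupgrade -v -n "$1"
}

# demo: constructed data standing in for the real image and listing. Prints the
# three return codes: intact image, tampered image, file missing from listing.
demo() {
    dir=$(mktemp -d)
    printf 'fake firmware bytes\n' > "$dir/demo-sysupgrade.bin"
    sha256sum "$dir/demo-sysupgrade.bin" | awk '{ print $1 " *demo-sysupgrade.bin" }' > "$dir/sha256sums"
    verify_image "$dir/demo-sysupgrade.bin" "$dir/sha256sums" && good=0 || good=$?
    printf 'x' >> "$dir/demo-sysupgrade.bin"        # tamper after the listing was written
    verify_image "$dir/demo-sysupgrade.bin" "$dir/sha256sums" && bad=0 || bad=$?
    printf 'other\n' > "$dir/unlisted.bin"
    verify_image "$dir/unlisted.bin" "$dir/sha256sums" && miss=0 || miss=$?
    rm -rf "$dir"
    echo "$good $bad $miss"
}
```

On the router you would call flash_if_verified /tmp/*.bin /tmp/sha256sums in place of the bare sysupgrade line; demo is only there to show the three outcomes offline.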

INITIAL ROUTER CONFIGURATION

Sign into the router with SSH and set the administrator password

ssh root@192.168.1.1

passwd

Set the router name, timezone, and custom NTP servers for your region (or preference)

uci set system.@system[0].hostname='KABENEKO' && uci set system.@system[0].timezone='HKT-8' && uci set system.@system[0].zonename='Asia/Hong Kong' && uci set system.ntp.enable_server='1' && uci delete system.ntp.server && uci add_list system.ntp.server='stdtime.gov.hk' && uci add_list system.ntp.server='time.nist.gov' && uci add_list system.ntp.server='us.pool.ntp.org' && uci add_list system.ntp.server='time.google.com'

uci set system.led_power=led && uci set system.led_power.name='power' && uci set system.led_power.sysfs='miwifi-mini:blue:status' && uci set system.led_power.default='1' && uci commit

Configure the Wireless Network and Enable it

uci set wireless.radio0.hwmode='11a' && uci set wireless.radio0.channel='48' && uci set wireless.radio0.country='00' && uci set wireless.default_radio0.ssid='MYWIFINETWORK-AC' && uci set wireless.default_radio0.encryption='psk2' && uci set wireless.default_radio0.key='MYWIFINETWORKPASSWD'

uci set wireless.radio1.hwmode='11g' && uci set wireless.radio1.channel='8' && uci set wireless.radio1.country='00' && uci set wireless.default_radio1.ssid='MYWIFINETWORK' && uci set wireless.default_radio1.encryption='psk2' && uci set wireless.default_radio1.key='MYWIFINETWORKPASSWD'


uci delete wireless.radio0.disabled && uci delete wireless.radio1.disabled && uci commit && service network restart


Now... check your settings.

uci show wireless

SET LAN IP TO NEW RANGE (AVOID ISP CONFLICTS AT 192.168.1.1) AND REBOOT

uci set network.lan.ipaddr='192.168.55.1' && uci commit && reboot


The router's IP address will change, so your SSH session will drop and your computer will need a new DHCP lease from the new range.  Here's the command on my Linux box:

sudo dhclient -r && sudo dhclient

ssh root@192.168.55.1

Install all of the base packages for running Shadowsocks or OpenVPN, plus a few other goodies.

opkg update ; opkg install luci-theme-material luci-app-openvpn luci-app-shadowsocks-libev luci-app-uhttpd luci-app-adblock luci-app-wifischedule luci-ssl-openssl openvpn-openssl shadowsocks-libev ca-certificates wifischedule mtr rng-tools dnscrypt-proxy

Almost done!  Let's just turn off some things that shouldn't be running until we have time to configure them:

uci set shadowsocks-libev.@shadowsocks-libev[0].enable='0' && uci set adblock.global.adb_enabled='0' && uci commit && service shadowsocks-libev enable && service shadowsocks-libev stop

And we'll create the OpenVPN interface (tun0) and add it to the WAN firewall zone for any future needs:

uci set network.openvpn=interface && uci set network.openvpn.proto='none' && uci set network.openvpn.ifname='tun0' && uci set firewall.@zone[1].network='wan openvpn' && uci commit

Your router is now ready for a VPN client configuration to be added.

LINK Step-by-Step: Setup a ShadowSocks-libev Client on OpenWRT
LINK Step-by-Step: Setup a OpenVPN Client on OpenWRT