OpenWRT with OpenVPN on TL-WR841N router
The problem with the TL-WR841N router (v9 in my case) is that there’s only 4MB of flash memory, and after the OpenWRT firmware is installed only about 300KB is left for personal use, which is not enough to install OpenVPN. The solution to this problem is in the post “OpenWrt + VPNclient for a router with 4mb ROM”, but several years have passed and the scripts require changes.
I will describe in steps how to make the OpenVPN client work on this router.
1) OpenVPN client files should be placed in the /etc/openvpn/ directory on the router. To do this, pack the files ca.crt, client.conf, client.crt, client.key and ta.key into a tar archive and send it to the router via scp:
scp openvpn_client.tar root@192.168.1.1:/tmp/openvpn_client.tar
After that, log in to the router via SSH and unpack the archive to the /etc/openvpn/ directory:
mkdir /etc/openvpn
tar xf /tmp/openvpn_client.tar -C /etc/openvpn
2) Settings of the OpenVPN client on the router, in the file /etc/openvpn/client.conf:
client
dev tun
proto udp
remote your-server.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/client.crt
key /etc/openvpn/client.key
remote-cert-tls server
tls-auth /etc/openvpn/ta.key 1
cipher AES-256-CBC
verb 3
3) Install the tun module from the OpenWRT repository:
opkg update
opkg install kmod-tun
4) Create the autorun script /etc/init.d/openvpn:
#!/bin/sh /etc/rc.common
START=99
# Pick up the PATH and LD_LIBRARY_PATH set in /etc/profile (step 5)
. /etc/profile

install_pkg() {
    # Download the package and unpack it under /tmp (RAM) instead of flash
    cd /tmp
    tar xzf $(opkg download "$1" |grep Downloaded |cut -d' ' -f4 |sed '$s/.$//')
    tar xzf data.tar.gz
    # delete unnecessary things (save space)
    rm -f *.ipk control.tar.gz data.tar.gz debian-binary
}

install() {
    command opkg update || exit 1
    install_pkg openvpn-openssl
    install_pkg libopenssl
    install_pkg liblzo
}

start () {
    # /tmp is empty after a reboot, so fetch the packages again if openvpn is missing
    if [ -z "$(which openvpn)" ]
    then
        sleep 10
        install
    fi
    command openvpn --writepid /tmp/run/ovpn.pid --daemon --config /etc/openvpn/client.conf
}

stop() {
    # Use the PID file written by start(); grepping ps for "openvpn"
    # would also match this init script itself
    [ -f /tmp/run/ovpn.pid ] && kill "$(cat /tmp/run/ovpn.pid)"
}
5) Edit the PATH variable in the /etc/profile file and add LD_LIBRARY_PATH:
export PATH=/usr/sbin:/usr/bin:/sbin:/bin:/tmp/usr/sbin
export LD_LIBRARY_PATH=/tmp/usr/lib
6) Enable autostart of the openvpn script:
chmod +x /etc/init.d/openvpn
/etc/init.d/openvpn enable
7) Next, you need to go to the OpenWRT web interface in the “Network -> Interfaces” section and add a new interface with the “Add new interface…” button. Then specify the following parameters:
General Setup
Protocol: Unmanaged
Advanced Settings
Bring up on boot: checked
Use builtin IPv6-management: unchecked
Physical Settings
Custom Interface: tun0
Firewall Settings
Create / Assign firewall-zone -> unspecified -or- create: vpn
8) In the web interface, go to the “Network -> Firewall -> Zones” section and click the “Edit” button next to the line with the name “vpn”. On the zone editing page, specify the following parameters:
General Settings
Input: reject
Output: accept
Forward: reject
Masquerading: checked
MSS clamping: checked
Covered networks: vpn
Inter-Zone Forwarding
Allow forward from source zones: lan
9) Now you can reboot the router; the VPN should work for all clients on the local network.
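A pre-flight check for steps 1 and 2, as an added example that is not part of the original post: it confirms that every file named by the ca, cert, key and tls-auth lines of client.conf exists, that client.key and ta.key are not readable by group or others, and that remote-cert-tls server is set. The function names are hypothetical, and the script assumes absolute paths as in the config above.

```sh
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.
# Assumes client.conf uses absolute paths, as in step 2.

# Succeeds only if the file has no group/other permission bits set.
is_private() {
    mode=$(ls -ld "$1" | cut -c5-10)   # group + other columns of e.g. -rw-------
    [ "$mode" = "------" ]
}

# Prints one line per problem; returns 0 if the config is clean, 1 otherwise.
check_ovpn_conf() {
    conf=$1
    rc=0
    [ -r "$conf" ] || { echo "MISSING $conf"; return 1; }

    # The "|| [ -n ... ]" keeps a final line that lacks a trailing newline.
    while read -r directive path rest || [ -n "$directive" ]; do
        case $directive in
            ca|cert|key|tls-auth) ;;
            *) continue ;;
        esac
        if [ ! -f "$path" ]; then
            echo "MISSING $directive $path"; rc=1
            continue
        fi
        # Only the secrets need to be private; ca.crt and client.crt are public.
        case $directive in
            key|tls-auth)
                is_private "$path" || { echo "EXPOSED $directive $path"; rc=1; } ;;
        esac
    done < "$conf"

    # remote-cert-tls server makes the client require a server-type certificate.
    grep -Eq '^[[:space:]]*remote-cert-tls[[:space:]]+server' "$conf" ||
        { echo "WEAK remote-cert-tls server is not set"; rc=1; }
    return "$rc"
}

# Run against a config given on the command line, e.g. /etc/openvpn/client.conf.
if [ $# -gt 0 ]; then
    check_ovpn_conf "$1"
fi
```

An EXPOSED line is cleared by running chmod 600 on the reported file.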