StreisandEffect / streisand

Streisand sets up a new server running your choice of WireGuard, OpenConnect, OpenSSH, OpenVPN, Shadowsocks, sslh, Stunnel, or a Tor bridge. It also generates custom instructions for all of these services. At the end of the run you are given an HTML file with instructions that can be shared with friends, family members, and fellow activists.
https://twitter.com/streisandvpn

OpenWRT Config #166

Closed CalHenze closed 7 years ago

CalHenze commented 9 years ago

I'm working to try and create an OpenWRT config on a TP-Link TL-WR1043ND that will maintain an always-on, fail-safe OpenVPN connection to a Streisand server. Will write up a public tutorial if I can get it working...

I'm attempting to modify these two:
https://www.privateinternetaccess.com/forum/discussion/3519/openwrt-router-config-for-always-up-vpn-with-pia
https://blog.ipredator.se/howto/openwrt/configuring-openvpn-on-openwrt.html

I've successfully done the first of them for a PIA connection.

Created this config (have not even changed the iPredator name - just the file contents were replaced):

# Note: UCI option names cannot contain '-'; the openvpn init script maps '_' to '-' (key_direction -> --key-direction)
cat >> /etc/config/openvpn << EOF
config openvpn 'IPredator'
    option enabled '1'
    option client '1'
    option remote '111.111.111.11 111'
    option dev 'tun1337'
    option proto 'tcp'
    list auth 'SHA256'
    option resolv_retry 'infinite'
    option nobind '1'
    option persist_key '1'
    option persist_tun '1'
    option cert '/etc/openvpn/IPredator.se.client.crt'
    option key '/etc/openvpn/IPredator.se.client.key'
    option ca '/etc/openvpn/IPredator.se.ca.crt'
    option ns_cert_type 'server'
    list tls_auth '/etc/openvpn/IPredator.se.ta.key'
    option cipher 'AES-256-CBC'
    option comp_lzo '1'
    option key_direction '1'
    option route '111.111.111.11 255.255.255.255 net_gateway'
    option tls_client '1'
    option verb '3'
EOF

When I run logread -f, I get the following (note: actual IP address replaced):

root@OpenWrt:/etc# logread -f
Jun 11 10:18:05 OpenWrt authpriv.info dropbear[2701]: Child connection from 192.168.2.189:55518
Jun 11 10:18:10 OpenWrt daemon.info dnsmasq-dhcp[1127]: DHCPINFORM(br-lan) 192.168.2.189 00:1b:21:16:77:c7
Jun 11 10:18:10 OpenWrt daemon.info dnsmasq-dhcp[1127]: DHCPACK(br-lan) 192.168.2.189 00:1b:21:16:77:c7 QUADXPPC
Jun 11 10:18:12 OpenWrt authpriv.notice dropbear[2701]: Password auth succeeded for 'root' from 192.168.2.189:55518
Jun 11 10:19:11 OpenWrt daemon.info dnsmasq-dhcp[1127]: DHCPINFORM(br-lan) 192.168.2.189 00:1b:21:16:77:c7
Jun 11 10:19:11 OpenWrt daemon.info dnsmasq-dhcp[1127]: DHCPACK(br-lan) 192.168.2.189 00:1b:21:16:77:c7 QUADXPPC
Jun 11 10:19:27 OpenWrt daemon.notice openvpn(IPredator)[4249]: OpenVPN 2.2.2 mips-openwrt-linux [SSL] [LZO2] [EPOLL] built on Mar 14 2013
Jun 11 10:19:27 OpenWrt daemon.warn openvpn(IPredator)[4249]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Jun 11 10:19:27 OpenWrt daemon.warn openvpn(IPredator)[4249]: WARNING: file '/etc/openvpn/IPredator.se.client.key' is group or others accessible
Jun 11 10:19:27 OpenWrt daemon.warn openvpn(IPredator)[4249]: WARNING: file '/etc/openvpn/IPredator.se.ta.key' is group or others accessible
Jun 11 10:19:27 OpenWrt daemon.notice openvpn(IPredator)[4249]: Control Channel Authentication: using '/etc/openvpn/IPredator.se.ta.key' as a OpenVPN static key file
Jun 11 10:19:27 OpenWrt daemon.notice openvpn(IPredator)[4249]: Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Jun 11 10:19:27 OpenWrt daemon.notice openvpn(IPredator)[4249]: Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Jun 11 10:19:27 OpenWrt daemon.notice openvpn(IPredator)[4249]: LZO compression initialized
Jun 11 10:19:27 OpenWrt daemon.notice openvpn(IPredator)[4249]: Control Channel MTU parms [ L:1572 D:180 EF:80 EB:0 ET:0 EL:0 ]
Jun 11 10:19:27 OpenWrt daemon.notice openvpn(IPredator)[4249]: Socket Buffers: R=[87380->131072] S=[16384->131072]
Jun 11 10:19:27 OpenWrt daemon.notice openvpn(IPredator)[4249]: Data Channel MTU parms [ L:1572 D:1450 EF:72 EB:135 ET:0 EL:0 AF:3/1 ]
Jun 11 10:19:27 OpenWrt daemon.notice openvpn(IPredator)[4249]: Attempting to establish TCP connection with 111.111.111.11:111 [nonblock]
Jun 11 10:19:28 OpenWrt daemon.notice openvpn(IPredator)[4249]: TCP connection established with 111.111.111.11:111
Jun 11 10:19:28 OpenWrt daemon.notice openvpn(IPredator)[4249]: TCPv4_CLIENT link local: [undef]
Jun 11 10:19:28 OpenWrt daemon.notice openvpn(IPredator)[4249]: TCPv4_CLIENT link remote: 111.111.111.11:111
Jun 11 10:19:28 OpenWrt daemon.err openvpn(IPredator)[4249]: Connection reset, restarting [0]
Jun 11 10:19:28 OpenWrt daemon.notice openvpn(IPredator)[4249]: TCP/UDP: Closing socket
Jun 11 10:19:28 OpenWrt daemon.notice openvpn(IPredator)[4249]: SIGUSR1[soft,connection-reset] received, process restarting
Jun 11 10:19:28 OpenWrt daemon.notice openvpn(IPredator)[4249]: Restart pause, 5 second(s)
Jun 11 10:19:33 OpenWrt daemon.warn openvpn(IPredator)[4249]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Jun 11 10:19:33 OpenWrt daemon.notice openvpn(IPredator)[4249]: Re-using SSL/TLS context
Jun 11 10:19:33 OpenWrt daemon.notice openvpn(IPredator)[4249]: LZO compression initialized
Jun 11 10:19:33 OpenWrt daemon.notice openvpn(IPredator)[4249]: Control Channel MTU parms [ L:1572 D:180 EF:80 EB:0 ET:0 EL:0 ]

What am I missing? Can anyone point me in the right direction here?

FYI, this works with PIA:

cat >> /etc/config/openvpn << EOF
config openvpn 'IPredator'
    option enabled '1'
    option client '1'
    option dev 'tun1337'
    option proto 'udp'
    list auth_user_pass '/etc/openvpn/IPredator.auth'
    option resolv_retry 'infinite'
    option float '1'
    option nobind '1'
    option persist_key '1'
    option persist_tun '1'
    option ca '/etc/openvpn/IPredator.se.ca.crt'
    option remote_cert_tls 'server'
    option reneg_sec '0'
    option remote 'us-west.privateinternetaccess.com 1194'
    option tls_client '1'
    option verb '3'
    option comp_lzo '1'
EOF
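The logread paste above carries two things worth pulling out mechanically rather than by eye: the client never reaches "Initialization Sequence Completed" and instead cycles through "Connection reset, restarting", and OpenVPN itself warns that the client key and tls-auth key are group- or world-readable. The following POSIX sh triage script is an added example written for this page, not code from the issue or from the Streisand project. It reads a logread capture on stdin; the sample log inside it is constructed from the lines pasted above (same placeholder IP), and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the issue thread): triage the `logread` output of an
# OpenVPN client on OpenWrt. Reports whether the tunnel came up, whether it is
# stuck in a restart loop, and which key files OpenVPN flagged as readable by
# group/others. All functions read the log capture from stdin.

# Constructed sample, modelled on the lines pasted in the issue.
# 111.111.111.11:111 is the placeholder the reporter used, not a real endpoint.
sample_log() {
cat <<'EOF'
Jun 11 10:19:27 OpenWrt daemon.warn openvpn(IPredator)[4249]: WARNING: file '/etc/openvpn/IPredator.se.client.key' is group or others accessible
Jun 11 10:19:27 OpenWrt daemon.warn openvpn(IPredator)[4249]: WARNING: file '/etc/openvpn/IPredator.se.ta.key' is group or others accessible
Jun 11 10:19:27 OpenWrt daemon.notice openvpn(IPredator)[4249]: Attempting to establish TCP connection with 111.111.111.11:111 [nonblock]
Jun 11 10:19:28 OpenWrt daemon.notice openvpn(IPredator)[4249]: TCP connection established with 111.111.111.11:111
Jun 11 10:19:28 OpenWrt daemon.err openvpn(IPredator)[4249]: Connection reset, restarting [0]
Jun 11 10:19:28 OpenWrt daemon.notice openvpn(IPredator)[4249]: SIGUSR1[soft,connection-reset] received, process restarting
Jun 11 10:19:33 OpenWrt daemon.notice openvpn(IPredator)[4249]: Re-using SSL/TLS context
Jun 11 10:19:34 OpenWrt daemon.err openvpn(IPredator)[4249]: Connection reset, restarting [0]
EOF
}

# Paths that OpenVPN's own permission warning names, one per line.
insecure_key_files() {
    sed -n "s/.*WARNING: file '\([^']*\)' is group or others accessible.*/\1/p"
}

# Number of "Connection reset, restarting" events. grep -c exits 1 when the
# count is zero, so swallow that status to keep callers under set -e happy.
count_resets() {
    grep -c 'Connection reset, restarting' || true
}

# "up"   : OpenVPN logged the completed handshake at least once
# "loop" : more than one reset and never up (what the paste above shows)
# "down" : anything else (e.g. a single transient reset)
tunnel_state() {
    capture=$(cat)
    if printf '%s\n' "$capture" | grep -q 'Initialization Sequence Completed'; then
        echo up
    elif [ "$(printf '%s\n' "$capture" | count_resets)" -gt 1 ]; then
        echo loop
    else
        echo down
    fi
}

# Remediation for the flagged files, printed for review rather than executed.
fix_commands() {
    insecure_key_files | sed 's/^/chmod 600 /'
}

main() {
    capture=$(sample_log)
    printf 'tunnel: %s\n' "$(printf '%s\n' "$capture" | tunnel_state)"
    printf 'resets: %s\n' "$(printf '%s\n' "$capture" | count_resets)"
    printf '%s\n' "$capture" | fix_commands
}

main
```

On the router itself the same functions work on a live capture, for example `logread | tunnel_state`, which is a cheaper health check for an "always-on" tunnel than eyeballing the log; a "loop" result means the client is connecting at the TCP level but the session is being torn down before the TLS handshake completes, which is exactly the symptom the reporter describes.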

braian87b commented 8 years ago

I have some experience with OpenWRT and I have a streisand test server up and running; I will try to make it work this week and will post here the complete steps to replicate. I'll keep you updated.

hydrandt commented 8 years ago

I use openwrt-shadowsocks (shadowsocks-libev modified to be configured in openwrt way + luci administration), works really well. https://github.com/shadowsocks/openwrt-shadowsocks

braian87b commented 8 years ago

Cool! I'm not familiar with shadowsocks; your solution is very welcome. Anyway, I will try to make it work using OpenVPN (I have currently done many OpenVPN tunnels on OpenWRT). Thanks!

CalHenze commented 8 years ago

I'd given up and moved on to a (much less secure) DD-WRT + VPN up/down script based solution but, yes, still very interested!

braian87b commented 8 years ago

I'm making the foundations of an app with a local web UI that allows easily flashing and configuring OpenWRT for many different uses and models. I want to be able to achieve a working one with 3 SSIDs: one free, one with an ad-block filter, and I need the third one, the transparent OpenVPN one...

CalHenze commented 8 years ago

Fascinating! It would be really cool to have each of those bridged to a separate ethernet port on the router as well!

braian87b commented 8 years ago

I have done that too, you just need to have a hardware switch; if you see the "switch" feature on the web UI or in the UCI config then you probably could make it work. I have tested separate ethernet ports successfully so far on TL-WDR3600, TL-WR1043ND V1/V2, but others may work too.

CalHenze commented 8 years ago

Right now, I have one of my TL-WR1043ND units lying around with nothing to do -- when you have it ready, I would be very interested in beta testing it!

df-sh commented 8 years ago

I have been trying off and on for more than 6 months to get openwrt and shadowsocks working for me... so far I have had no success.

I have a couple of Netgear WNDR3800s sitting waiting for a day that I can set them up properly... I would be incredibly grateful for a handholding setup :P

braian87b commented 8 years ago

Hi guys, I had little time to play with OpenWrt in the last weeks, since I got married recently and have a lot of tasks at my workplace, but I got it working and I wrote down every step and made a tutorial for this... I hope it will be useful for you!

Please, I am open to any remarks, edits and corrections that you have; feel free to share them.

https://github.com/jlund/streisand/wiki/Setting-an-OpenWrt-Based-Router-as-OpenVPN-Client

In a few days I will add the next steps to have different router ethernet ports with and without VPN, and multiple SSIDs with and without VPN (I am testing these configurations right now on some routers), and someone gave me the idea of having one SSID linked to one VPN server and another SSID to another VPN server.

I am investigating the Netflix Proxy/VPN Block Issue too. Some people say that DigitalOcean NY and SF are blocked (people say that it is because blocked IP ranges or reverse IP lookup ISP name queries (that resolve to "DigitalOcean") are blocked). I am currently studying some interesting readings about this: https://medium.com/@ValdikSS/detecting-vpn-and-its-configuration-and-proxy-users-on-the-server-side-1bcc59742413

bpinto commented 8 years ago

@braian87b Is there something we could do to bypass the detection mechanism? The witch tool does recognise I'm using OpenVPN.

braian87b commented 8 years ago

Yes, I'm currently working on it... this article says that the key is on mssfix setting:

https://medium.com/@ValdikSS/detecting-vpn-and-its-configuration-and-proxy-users-on-the-server-side-1bcc59742413#c917

witch tool: http://witch.valdikss.org.ru/

jamesspi commented 8 years ago

@braian87b Thanks for the OpenWRT config! Any updates on the dual SSIDs linked to different VPN servers?

braian87b commented 8 years ago

I had run out of spare time in the last days... probably this week I will come here with updates; I have plans to play with OpenWRT at nights.

jamesspi commented 8 years ago

Awesome. No rush, I can probably play with it myself at some point too, just wondering if you've gone ahead and done it yet :).

On 29 Aug 2016, at 17:12, braian87b notifications@github.com wrote:

I had run out of spare time last days... probably this week I will came here with updates, had plans to play with OpenWRT at nights.


jamesspi commented 8 years ago

@braian87b I bought a WRT1900ACS and slapped OpenWRT on it last night, managed to get dual SSIDs linked to different VPNs, and added guest + VPN bypass. Let me know if you want a hand with the config!

braian87b commented 8 years ago

@jamesspi Cool! Can you post here the relevant config files? /etc/config/network, /etc/config/openvpn or the openvpn config files, /etc/config/firewall or firewall.user entries, etc.

jamesspi commented 8 years ago

@braian87b Sure! I'll do it tonight. I used iproute2 to get this done, so I'll include the configs for that too.

jamesspi commented 8 years ago

@braian87b Oh, I also needed to make some changes on the streisand side for the second server (change the subnet for OpenVPN so it doesn't clash). I'll send that too.

braian87b commented 8 years ago

@jamesspi Please don't forget! Thanks!

jamesspi commented 8 years ago

@braian87b Sorry! Will get to it as soon as I can.

braian87b commented 8 years ago

@jamesspi No hurry, thanks!

braian87b commented 7 years ago

@jamesspi Hi! I will have some spare time these days; can you send me the config files using uci export or in the LuCI Web UI (System, Backup, Generate Archive)? Just take care to remove any private keys and any hardcoded passwords. I will do a step by step tutorial with all the explanations and put it here, ready to let you publish it on the wiki as a contribution from yourself.

jamesspi commented 7 years ago

@braian87b - I think I may have some time, I'll keep you posted.

braian87b commented 7 years ago

@jamesspi Great! But please, if you don't have time, just try to copy the config as raw. I already know by experience that documentation writing can take a lot of work, but I'll be delighted to do it, by seeing how you achieved it and replicating it on my router.

braian87b commented 7 years ago

Hi @jamesspi, any news? I need to prepare a router with a similar config on OpenWrt now. I just wanted to ask for it again in case you had time to copy the config, but if not I will do some more tests by myself. Thanks in advance!

jamesspi commented 7 years ago

Hey @braian87b, apologies - I had some major power issues over the last few days. I have a backup of my config ready, just need to find the time to upload it here!

braian87b commented 7 years ago

@jamesspi No problem! Last night I was working on a selective bandwidth limit (speed limitation) based on some iptables rules with ipsets, to slow down some websites for some users using a domain list on dnsmasq (dnsmasq does the domain -> IP translation and fills up the ipset); at 3:30 am it seemed to work very well!!! The next thing to add to that router will be the VPN thing, so let me know when you have it; that should save me many hours of trial and error.

braian87b commented 7 years ago

Hi @jamesspi, how are you? Sorry to bother you again... any news? Can you run these commands when connected over ssh:

uci export
ip route show table all

Add any other file in /etc you remember, but I think that will be sufficient. These could help me too:

ifconfig
dmesg
logread
cat /etc/rc.local
cat /tmp/sysinfo/*
cat /proc/version
cat /proc/cpuinfo

Thanks!
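Before a uci export or a LuCI backup is pasted into a public issue, as requested above, it should be scrubbed of secrets: the earlier comment asks for private keys and hardcoded passwords to be removed by hand, which is easy to miss. The POSIX sh script below is an added example written for this page, not code from the thread or from Streisand. It redacts the values of UCI options whose names commonly hold secrets, keeps values that are file paths (for OpenVPN, "key" is a path, while for wireless it is the PSK), and collapses any PEM or OpenVPN static-key block that may have been pasted alongside. The option-name list, the sample dump and the placeholder paths and addresses are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the issue thread): redact secrets from a `uci export`
# dump (or a config backup) before sharing it. Reads the dump on stdin.

# Constructed sample. 203.0.113.10 is a documentation address, the key strings
# are obviously fake, and the /etc/openvpn/streisand.* paths are made up.
sample_dump() {
cat <<'EOF'
package wireless

config wifi-iface 'default_radio0'
    option ssid 'home'
    option encryption 'psk2'
    option key 'CorrectHorseBatteryStaple'

package network

config interface 'wg0'
    option proto 'wireguard'
    option private_key 'NOTAREALKEYaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa='

package openvpn

config openvpn 'streisand'
    option enabled '1'
    option client '1'
    option remote '203.0.113.10 443'
    option ca '/etc/openvpn/streisand.ca.crt'
    option key '/etc/openvpn/streisand.client.key'
    list tls_auth '/etc/openvpn/streisand.ta.key'

-----BEGIN PRIVATE KEY-----
MIIFAKEKEYMATERIALxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
MIIFAKEKEYMATERIALyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy
-----END PRIVATE KEY-----
EOF
}

# Assumed list of option names whose values are secrets. "key" is special:
# it is a path for OpenVPN but the PSK for wireless, so paths are kept.
redact_config() {
    awk '
    # PEM private keys and OpenVPN static (tls-auth) keys: keep only markers.
    /^-----BEGIN (.*PRIVATE KEY|OpenVPN Static key.*)-----/ {
        print "-----BEGIN [REDACTED]-----"; inpem = 1; next
    }
    inpem && /^-----END / { print "-----END [REDACTED]-----"; inpem = 0; next }
    inpem { next }

    # UCI "option NAME VALUE" and "list NAME VALUE" lines.
    ($1 == "option" || $1 == "list") && NF >= 3 {
        name = $2
        first = substr($3, 1, 1)
        if (first == "\047" || first == "\"") first = substr($3, 2, 1)
        secret = (name ~ /^(password|passwd|secret|psk|private_key|preshared_key|pin)$/)
        if (name == "key" && first != "/") secret = 1
        if (secret) {
            # Keep indentation, keyword and name; replace only the value.
            match($0, /^[ \t]*(option|list)[ \t]+[^ \t]+[ \t]+/)
            print substr($0, 1, RLENGTH) "\047[REDACTED]\047"
            next
        }
    }
    { print }
    '
}

main() {
    sample_dump | redact_config
}

main
```

Usage on a router would be `uci export | redact_config > share.txt`, followed by a manual read-through: the name list is a heuristic, and a secret stored under an unexpected option name (or embedded in a shell script such as /etc/rc.local) would pass through unchanged.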

cpu commented 7 years ago

I'm going to close this issue for now. I think OpenWRT instructions are outside of the scope of what we can manage right now. Please open a new issue on https://github.com/jlund/streisand-discussions for further discussion (or submit a PR that can be reviewed).

Thanks!