OpenWrt with OpenVPN client on TP-Link TL-MR3020

Hey! Listen! There are a few posts about installing OpenWrt on these travel routers. Make sure you’re reading the latest version, below.

Date        URL                                                Updates
2015-08-26  OpenWrt with OpenVPN server on TP-Link Archer C7
  • Initial post
2015-02-15  OpenWrt with OpenVPN client on TP-Link TL-MR3020
  • Setup entirely through SSH instead of LuCI
  • Small tweaks
2015-01-24  OpenWrt with OpenVPN client on TP-Link TL-MR3020
  • Added SAMBA share
  • Added alerting scripts
2014-10-19  OpenWrt with OpenVPN client on TP-Link TL-MR3020
  • Replaced PPTP client with OpenVPN client
  • Replaced my home server with PIA server
2014-06-28  OpenWrt with PPTP VPN on TP-Link TL-MR3020
  • Replaced WR703n with MR3020
2014-06-08  OpenWrt on TP-Link TL-WR703n
  • Initial post

    A few weeks ago, the team at OpenWrt released version 14.07 of OpenWrt, called Barrier Breaker. I’m going to be installing Barrier Breaker on my MR3020 and replacing the PPTP VPN client with an OpenVPN client. If you don’t know the difference between PPTP/IPSec/OpenVPN, IVPN has a great comparison chart.

    Before we get started, I need to get up on my soapbox and say a few things. If you’re not using a VPN, you should be. VPNs aren’t just for hackers, thieves, or people doing illegal things (you wouldn’t download a car, would you?). VPNs are great for:

    • Adding a layer of security to your browsing (VPNs encrypt everything!)
    • Securely connecting two routers to create one large network over the internet (businesses do this all the time)
    • Students/employees connecting back to their university/office to work remotely (again, a common practice)
    • Circumventing geoblocking (i.e., content blocked based on your physical location)
      • Watch Netflix from outside the US
      • Watch BBC iPlayer from outside the UK
    • FREEDOM OF SPEECH! Use a VPN to circumvent government restrictions put on the internet (e.g., China, Iran, North Korea, etc…)

    Anyway, I better stop. VPNs are great. If you don’t have one, get one. Personally, I like using Private Internet Access (I’m not compensated, just a happy customer). If you don’t know where to start, TorrentFreak has a great article on which VPN services take your anonymity seriously (newsflash, PIA is at the top of their list).

    That was the “why”, this is the “how”.

    My plan for this router is to use it when I travel. I plan on plugging it into the Ethernet port in a hotel (or my house/friend’s house/Airbnb host) and having it broadcast a wireless network. Since the router is an OpenVPN client, any devices that join that wireless network will be VPNed into PIA’s servers. Eventually, when I install OpenVPN on my home router, I can route my connection back home. It’s probably easier illustrated than explained, as below.

    20141018_002

    There are a few advantages to this setup, as opposed to installing the OpenVPN client on each device:

    • Devices that don’t support OpenVPN can be protected (XBox, Roku, etc…)
    • Multiple machines (phone, laptop, Roku, etc…) can share one VPN connection
    • You can switch between an insecure wireless network (home/friend’s house/hotel) and a secure wireless network (OpenWrt) whenever needed

    Ready? Let’s get started!

     

    Install OpenWrt

    I’m going to assume you’re already running Attitude Adjustment (AA) and want to upgrade to Barrier Breaker (BB). If you’re installing OpenWrt for the first time, see my older post on how to login and install OpenWrt from the factory firmware.

    Disconnect your PC from all wired and wireless networks, then connect your MR3020 to your PC. Because of the way I have this router set up from my previous post (eth0 is a DHCP client), I’m going to connect to the WiFi network it’s broadcasting (the DHCP server). I checked my IP, opened my browser, and navigated to 10.80.1.1 (your address may be different). I then logged in with the username and password I had set before.

     

    Once you’re logged into OpenWrt, go to the System tab, then the Backup/Flash Firmware tab. At this point, it’s a good idea to make a backup of your config by pressing Generate Archive.

    20140614_022

     

    As of this writing, the OpenWrt wiki page for the MR3020 doesn’t list BB as the newest firmware. There are two options for the BB download: a file for the factory firmware, and a file for upgrading. We’ll choose the upgrade.

    Back at your router, under Flash new firmware image, make sure Keep settings is checked to keep your current settings. I’m going to uncheck this, since I want to start from scratch. Browse to your downloaded firmware, and press Flash image to upgrade it.

    20141018_004

     

    Verify the checksum, and press Proceed to continue.

    20141018_005

     

    Wait a few minutes and the router will reboot. Check your IP again after it’s back up, as mine had changed since I erased my settings.

    20141018_006

     

    At this point, my MR3020 is running stock BB and I’m going to reconfigure it from scratch. Since the wireless network was wiped out, I’m going to reconnect with Ethernet.

     

    Configure OpenWrt

    From here, the OpenWrt wiki page recommends going through the basic configuration for any OpenWrt installation. I’m going to be combining some of the basic configuration with my configuration for the VPN client.

    Navigate to 192.168.1.1 in your browser and you’ll be greeted by LuCI, the web interface for OpenWrt. OpenWrt recently switched to the Unified Configuration Interface, also known as UCI. The UCI is basically a collection of easy-to-read configuration files that are all centrally located, making OpenWrt much easier to configure. What’s nice about LuCI is that it reads/writes from/to the UCI files. Any changes you make in LuCI are reflected in the UCI files, and vice versa, meaning you can configure the MR3020 from the web interface, or from the command line.

    Anyway, moving on. Leave the username as “root” and the password field empty. Press Login to continue.

    20141018_007

     

    Set a password

    From the main status screen, we’re going to set a root password by using the link in the yellow box at the top of the page. If you haven’t noticed, LuCI is a lot easier on the eyes in BB than AA.

    20141018_008

     

    Here, you can (and should) set a root password, as well as set up SSH access (which we’ll need later). Press Save & Apply to continue.

    20141018_009

     

    Look for Password successfully changed! at the top of the screen.

    20141018_010

     

    Verify SSH access by using PuTTY or another SSH client.

    logan@fedora20 ~$ ssh root@192.168.1.1
    The authenticity of host '192.168.1.1 (192.168.1.1)' can't be established.
    RSA key fingerprint is ff:cd:03:c1:bd:b2:e4:cc:12:d8:45:12:29:b1:b1:65.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '192.168.1.1' (RSA) to the list of known hosts.
    root@192.168.1.1's password: 
    
    
    BusyBox v1.22.1 (2014-09-20 22:01:35 CEST) built-in shell (ash)
    Enter 'help' for a list of built-in commands.
    
      _______                     ________        __
     |       |.-----.-----.-----.|  |  |  |.----.|  |_
     |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
     |_______||   __|_____|__|__||________||__|  |____|
              |__| W I R E L E S S   F R E E D O M
     -----------------------------------------------------
     BARRIER BREAKER (14.07, r42625)
     -----------------------------------------------------
      * 1/2 oz Galliano         Pour all ingredients into
      * 4 oz cold Coffee        an irish coffee mug filled
      * 1 1/2 oz Dark Rum       with crushed ice. Stir.
      * 2 tsp. Creme de Cacao
     -----------------------------------------------------
    root@OpenWrt:~#

     

    Setup NTP

    The MR3020 doesn’t have a real-time clock or CMOS battery. Because of this, every time it loses power, the clock resets to October 1st. To circumvent this, we’re going to use NTP to get our time from the internet. You don’t have to set up NTP, but it makes troubleshooting easier when you’re looking at timestamped log files. Keep in mind, since the MR3020 is connected directly to your PC (not the internet), this won’t take effect until after we get it online. Don’t freak out if it’s not working right away.

    Go to the System dropdown, then select System. Under System Properties, select the General Settings tab. Here, you can set a hostname, as well as select a timezone. Then, under Time Synchronization, make sure the box is checked for Enable NTP client and provide a few NTP servers in the boxes below. I’m using US servers from the NTP Pool Project. Press Save & Apply to continue.

    20141018_011

     

    Set default IP

    Next, we’re going to change the default IP of the router from 192.168.1.1 to 10.80.1.1 (or whatever scheme you want). Most devices ship with 192.168.1.1 as the default, and since we’re going to be double-NATed, the MR3020 can’t share the 192.168.1.x subnet with the router it’s plugged into.

    Go to the Network dropdown, then select Interfaces. Select Edit on the LAN interface (which is actually a bridge of the wired and wireless interfaces). Under Common Configuration, then the General Setup tab, change the IPv4 address field from 192.168.1.1 to 10.80.1.1 (or whatever scheme you want).

    20141018_012

     

    Under DHCP Server, then the General Setup tab, you can also limit the number of addresses available in the DHCP pool (optional). Press Save & Apply to continue.

    20141018_013

     

    You’ll have to reboot your MR3020, and then check your IP settings again to verify the change. Log back into the web interface at the new address using your new root password.

     

    Create wireless network

    We need to create a wireless network for the MR3020 to broadcast. Eventually, we’re going to turn off LAN access on the Ethernet port, and we’ll need a way to connect to the router locally.

    Go to the Network dropdown, then select Wifi. Select Enable on the wireless network. Once enabled, select Edit. Set up your network as needed (name, channel, etc…).

    20141018_014

     

    Under Interface Configuration, then the Wireless Security tab, you can choose a WiFi password, preferably WPA2-PSK. Remember, this device may be a direct link back to your home network. Even if you have a strong VPN password, a weak WiFi password with weak encryption (e.g., WEP) could compromise your network. Press Save & Apply to continue.

    20141018_015

     

    At this point, you should disconnect the Ethernet cable from the MR3020 and connect to the WiFi network we just set up. Normally, it’s not recommended to configure routers over wireless, but since we’re not going to be transferring files or upgrading firmware, we should be OK.

     

    Setup WAN interface

    We need the MR3020 to request an IP address from another router when it is plugged in. For this, we’ll need to make a new interface that will act as a DHCP client.

    Go to the Network dropdown, then select Interfaces. Here, you can see the default interface, br-lan, which is a bridge of the wired and wireless interfaces. We’re going to create the WAN interface by pressing Add new interface at the bottom of the screen. Name the interface something like WAN, with the protocol being set to DHCP client, covering the eth0 interface. Press Submit to continue.

    20141018_016

     

    On the next screen, under Common Configuration, go to the Firewall Settings tab and select WAN. Press Save & Apply to continue.

    20141018_017

     

    Unbridge LAN interfaces

    By default, the wired and wireless interfaces are bridged. I want them to be separate, so that I can plug the MR3020 into another router and use the wireless interface of the MR3020 to broadcast an SSID. Essentially, I’m making it so that only another router can use the Ethernet port, and only clients can use the wireless network. If you don’t unbridge the interfaces, you’ve basically just created a wireless AP for the other router.

    Go to the Network dropdown, then select Interfaces. Select Edit on the LAN interface. Under Common Configuration, then the Physical Settings tab, uncheck the box for Bridge interfaces. Then, check the radio button next to the OpenWrt (or whatever you named it) wireless network. Press Save & Apply to continue, then reboot your MR3020.

    20141018_018

     

    Verify internet access

    At this point, plug your MR3020 into a LAN port on your other router, and connect your PC to the MR3020’s wireless network. It doesn’t matter what IP your MR3020 gets from the other router, as your PC should see the MR3020 as 10.80.1.1 (or whatever you made it). You should be able to access the internet, as well as ping websites through SSH.

    In addition, go to the Status dropdown, then select Overview to make sure your Local Time field is updated with the correct time, now that we’re on the internet.

    20141018_019

    Congratulations, you are now double-NATed.

     

    Make some space

    Before we get started, we need to make some space for OpenVPN. The MR3020 only has 4MB of flash. After OpenWrt is installed, we’re only left with about 400KB, which won’t be enough for the 600KB+ of OpenSSL libraries we’ll need, in addition to other packages that will make life easier.

    root@OpenWrt:~# df -h
    Filesystem                Size      Used Available Use% Mounted on
    rootfs                  640.0K    228.0K    412.0K  36% /
    /dev/root                 2.3M      2.3M         0 100% /rom
    tmpfs                    14.1M    448.0K     13.7M   3% /tmp
    /dev/mtdblock3          640.0K    228.0K    412.0K  36% /overlay
    overlayfs:/overlay      640.0K    228.0K    412.0K  36% /
    tmpfs                   512.0K         0    512.0K   0% /dev

     

    There are two ways around this:

    1. ExtRoot, which can either extend or move the root filesystem to a USB flash drive
    2. Build a custom image of OpenWrt from scratch, leaving out unnecessary packages

    My first instinct was to build a custom image, leaving out PPP. However, after a few hours of trying and multiple images, it still didn’t give me the space I needed. The only way to get OpenVPN on the MR3020 would be to leave LuCI out of the image, and I’m not willing to give that up.

    That leaves me with using a USB flash drive to extend or move the filesystem. Thankfully, setting up ExtRoot is pretty easy, and we won’t need a huge flash drive since we’re only after a few extra MB. I plan on picking up something like this, since it’s small.

    Start by reading the theory on ExtRoot, then go over the how-to guide. You need to decide whether you’ll be using external overlay (also called pivot-overlay) or external root (also called pivot-root). Essentially, external overlay extends the root filesystem to include the flash drive, while external root copies the root filesystem to the flash drive, then boots from the flash drive. External root has a couple advantages (that I can see):

    • You can boot from multiple flash drives, each with a different config (one flash drive with a config for home, another with a config for traveling, etc…)
    • If the flash drive dies, OpenWrt still boots from the internal root filesystem

    In this guide, I’m going to be using external root.

     

    Get started by formatting your flash drive with an ext4 (or ext3) filesystem from your PC. If you’re running Windows, use this to format the drive. Then, SSH into your router, and install a few packages.

    opkg update
    opkg install block-mount kmod-usb-storage kmod-fs-ext4

     

    There’s a good chance your kernel modules didn’t load.

    kmod: failed to insert /lib/modules/3.10.49/sd_mod.ko
    Configuring kmod-usb-storage.
    Configuring kmod-crypto-hash.
    Configuring kmod-lib-crc16.
    Configuring block-mount.
    Configuring kmod-fs-ext4.
    kmod: failed to insert /lib/modules/3.10.49/ext4.ko

    If that’s the case, reboot your router and then plug in your flash drive.

     

    Find the name of your flash drive with the block info command. Mine was /dev/sda1.

    root@OpenWrt:~# block info
    /dev/mtdblock2: UUID="20ad40ea-d33a421e-785b7d2d-ada99230" VERSION="4.0" TYPE="squashfs"
    /dev/mtdblock3: TYPE="jffs2"
    /dev/sda1: UUID="9fa36631-ac09-42a0-b090-f61efe6c1bfb" NAME="EXT_JOURNAL" VERSION="1.0" TYPE="ext4"

     

    Create a mount point of your choosing and mount the flash drive on it, substituting /dev/sda1 with your device name.

    mkdir /mnt/batman
    mount /dev/sda1 /mnt/batman

     

    Now, copy the router’s internal flash to the flash drive. Obviously, replace /mnt/batman with whatever mount point you’re using.

    mkdir -p /tmp/cproot
    mount --bind / /tmp/cproot
    tar -C /tmp/cproot -cvf - . | tar -C /mnt/batman -xf -
    umount /tmp/cproot

     

    Your flash drive now has a copy of the router’s root filesystem on it (don’t lose it). But, the router will still boot from its internal memory, so we need to change that by editing the /etc/config/fstab file.

    cat >> /etc/config/fstab << EOF
    config mount
            option target        /
            option device        /dev/sda1
            option fstype        ext4
            option options       rw,sync
            option enabled       1
            option enabled_fsck  0
    EOF
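If you would rather not hard-code /dev/sda1 (a second USB device, or a different enumeration order after a reboot, can turn the stick into /dev/sdb1 and leave the router quietly booting from internal flash), the fstab stanza can name the partition by UUID instead. The script below is an added example and not part of the original post: it pulls the ext4 device and UUID out of `block info` output (a constructed copy of the output shown above is embedded), checks that the tar copy landed, and prints the same fstab mount section keyed on `option uuid`, which block-mount accepts in place of `option device`.

```shell
#!/bin/sh
# Added example, not part of the original post: choose the extroot partition
# from `block info` output and mount it by UUID instead of by device name.

# Constructed sample of `block info` output (same shape as the post's).
SAMPLE_BLOCK_INFO='/dev/mtdblock2: UUID="20ad40ea-d33a421e-785b7d2d-ada99230" VERSION="4.0" TYPE="squashfs"
/dev/mtdblock3: TYPE="jffs2"
/dev/sda1: UUID="9fa36631-ac09-42a0-b090-f61efe6c1bfb" NAME="EXT_JOURNAL" VERSION="1.0" TYPE="ext4"'

# ext4_device <block-info-text>: device path of the first ext4 partition
ext4_device() {
    printf '%s\n' "$1" | sed -n 's/^\([^:]*\):.*TYPE="ext4".*/\1/p' | head -n 1
}

# ext4_uuid <block-info-text>: UUID of the first ext4 partition
ext4_uuid() {
    printf '%s\n' "$1" | sed -n 's/^[^:]*:.*UUID="\([^"]*\)".*TYPE="ext4".*/\1/p' | head -n 1
}

# copy_looks_complete <src> <dst>: succeeds when dst has as many entries as
# src and the files the router needs at boot made it across
copy_looks_complete() {
    src_count=$(cd "$1" && find . | wc -l | tr -d ' ')
    dst_count=$(cd "$2" && find . | wc -l | tr -d ' ')
    [ "$src_count" -eq "$dst_count" ] || return 1
    for f in sbin/init etc/banner etc/config/fstab; do
        [ -e "$2/$f" ] || return 1
    done
}

# fstab_stanza <uuid>: the /etc/config/fstab section from the post, keyed on
# the partition UUID rather than /dev/sda1
fstab_stanza() {
    cat <<EOF
config mount
        option target        /
        option uuid          $1
        option fstype        ext4
        option options       rw,sync
        option enabled       1
        option enabled_fsck  0
EOF
}

# Demo on the constructed sample; on the router feed it "$(block info)"
dev=$(ext4_device "$SAMPLE_BLOCK_INFO")
uuid=$(ext4_uuid "$SAMPLE_BLOCK_INFO")
echo "extroot candidate: $dev (UUID $uuid)"
fstab_stanza "$uuid"
```

On the router, `copy_looks_complete /tmp/cproot /mnt/batman` run before `umount /tmp/cproot` tells you whether the copy is worth rebooting into, and `fstab_stanza "$(ext4_uuid "$(block info)")" >> /etc/config/fstab` replaces the hand-typed heredoc.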

     

    Reboot your router. When it starts up, check your mount points and you should see that /dev/sda1 has been mounted on /.

    root@OpenWrt:~# mount
    rootfs on / type rootfs (rw)
    /dev/root on /rom type squashfs (ro,noatime)
    proc on /proc type proc (rw,noatime)
    sysfs on /sys type sysfs (rw,noatime)
    tmpfs on /tmp type tmpfs (rw,nosuid,nodev,noatime)
    /dev/sda1 on / type ext4 (rw,relatime,data=ordered)
    tmpfs on /dev type tmpfs (rw,relatime,size=512k,mode=755)
    devpts on /dev/pts type devpts (rw,relatime,mode=600)
    debugfs on /sys/kernel/debug type debugfs (rw,noatime)

     

    If you check your space again, you’ll see that your root filesystem is now much larger.

    root@OpenWrt:~# df -h
    Filesystem                Size      Used Available Use% Mounted on
    rootfs                   14.7G     47.0M     13.9G   0% /
    /dev/root                 2.3M      2.3M         0 100% /rom
    tmpfs                    14.1M    360.0K     13.7M   2% /tmp
    /dev/sda1                14.7G     47.0M     13.9G   0% /
    tmpfs                   512.0K         0    512.0K   0% /dev

    20141018_003

    Setup VPN

    Now we need to install the OpenVPN client and configure it. The VPN termination point is going to be one of PIA’s servers, but it could be any OpenVPN server. You should read OpenWrt’s VPN overview, as well the OpenVPN beginner’s guide and the client guide.

    First, we’ll need to install a couple of packages: openvpn-openssl for obvious reasons, the full version of wget to download the configuration files from PIA, and unzip to extract them. This is most easily done by connecting through SSH and running the commands below.

    opkg update
    opkg install openvpn-openssl wget unzip
    mv /etc/config/openvpn /etc/config/openvpn_old

     

    Unfortunately, there is no LuCI package for OpenVPN in BB, like there is in AA. As of this writing, the package luci-app-openvpn is marked as broken. There appears to be a package for Chaos Calmer, located here, but I don’t think that will work in BB. That means we’re doing everything from the command line, which isn’t as intimidating as it may sound. Plus, since LuCI runs from the UCI files, we’ll be able to see some of our changes in LuCI when we log back in.

    We’ll need to create a new interface for the VPN by using the commands below. Name the network interface, as well as the physical (even though it’s virtual) interface.

    cat >> /etc/config/network << EOF
    config interface 'PIA_VPN'
        option proto 'none'
        option ifname 'tun0'
    EOF

     

    Download the OpenVPN configuration files from PIA.

    cd /etc/openvpn
    wget --no-check-certificate https://www.privateinternetaccess.com/openvpn/openvpn.zip
    unzip openvpn.zip
    rm openvpn.zip

     

    Now, we need to edit each .ovpn file in /etc/openvpn to include your username and password. However, it’s a pain editing all those files manually. Instead, we’ll create a single file that stores your login credentials. The file I created is called authuser. Substitute your username and password, obviously.

    cat >> /etc/openvpn/authuser << EOF
    PIA_USERNAME
    PIA_PASSWORD
    EOF

     

    However, now we’ll have to go back and edit each .ovpn file to look for the authuser file, which is still too much work for me. If you look at each .ovpn file, you’ll see the only difference between them is the server address. What if we created a generic .ovpn connection file which omitted the server address (and port), but specified to use the authuser file? We could pass the server address and port as an option in our command to start the VPN connection.

    Create the file with the command below. See how we removed the line for the server/port, and added a line for the authuser file and auth-nocache options?

    cat >> /etc/openvpn/piageneric.ovpn << EOF
    client
    dev tun
    proto udp
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca ca.crt
    tls-client
    remote-cert-tls server
    auth-user-pass authuser
    auth-nocache
    comp-lzo
    verb 1
    reneg-sec 0
    crl-verify crl.pem
    keepalive 10 120
    EOF

    To compare, this is the US East.ovpn file…

    client
    dev tun
    proto udp
    remote us-east.privateinternetaccess.com 1194
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca ca.crt
    tls-client
    remote-cert-tls server
    auth-user-pass
    comp-lzo
    verb 1
    reneg-sec 0
    crl-verify crl.pem
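Here is the same transformation done by script rather than by hand, as an added example that is not from the post or from PIA: it takes one of the downloaded .ovpn files (a constructed copy of the US East.ovpn above is embedded), removes the remote line, points auth-user-pass at the authuser file, adds auth-nocache and keepalive, recovers the server and port for the --remote argument, and writes the credential file with mode 600, which is what OpenVPN is asking for when it warns that 'authuser' is group or others accessible. PIA_USERNAME and PIA_PASSWORD are placeholders.

```shell
#!/bin/sh
# Added example, not from the post or from PIA: build the generic client
# config from a downloaded .ovpn, recover the server for --remote, and write
# the credential file so only root can read it.

# Constructed copy of the "US East.ovpn" shown in the post.
SAMPLE_OVPN='client
dev tun
proto udp
remote us-east.privateinternetaccess.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
tls-client
remote-cert-tls server
auth-user-pass
comp-lzo
verb 1
reneg-sec 0
crl-verify crl.pem'

# ovpn_remote <ovpn-text>: "host port" from the first remote line
ovpn_remote() {
    printf '%s\n' "$1" | awk '$1 == "remote" { print $2, $3; exit }'
}

# make_generic <ovpn-text>: drop the remote line, point auth-user-pass at the
# authuser file, add auth-nocache right after it and keepalive at the end,
# which reproduces the piageneric.ovpn in the post line for line
make_generic() {
    printf '%s\n' "$1" | awk '
        $1 == "remote"         { next }
        $1 == "auth-user-pass" { print "auth-user-pass authuser"; print "auth-nocache"; next }
                               { print }
        END                    { print "keepalive 10 120" }'
}

# write_authuser <dir> <user> <pass>: two-line credential file, mode 600, so
# OpenVPN stops warning that it is "group or others accessible"
write_authuser() {
    ( umask 077 && printf '%s\n%s\n' "$2" "$3" > "$1/authuser" )
    chmod 600 "$1/authuser"
}

# openvpn_cmd <dir> <host> <port>: the launch line used in the post
openvpn_cmd() {
    printf 'openvpn --cd %s --config %s/piageneric.ovpn --remote %s %s\n' "$1" "$1" "$2" "$3"
}

# Demo in a temp dir; on the router use /etc/openvpn and a real PIA file
work=$(mktemp -d)
make_generic "$SAMPLE_OVPN" > "$work/piageneric.ovpn"
write_authuser "$work" PIA_USERNAME PIA_PASSWORD   # placeholders, not real credentials
remote=$(ovpn_remote "$SAMPLE_OVPN")
openvpn_cmd /etc/openvpn $remote                   # unquoted on purpose: splits into host and port
```

One thing to keep in mind before handing this file your credentials: the zip was fetched with --no-check-certificate, so nothing has verified who served it. Look over ca.crt and the .ovpn contents, and in particular check that remote-cert-tls server and crl-verify survived into the generic file, since those are what stop the client from accepting an arbitrary server certificate.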

     

    Now, we need to create a new firewall zone for this VPN connection. This is actually the same config as the WAN zone, but it’s easier to make a new zone in case we need to change anything in the future. Name the firewall zone, and substitute the network interface name you created above. We’ll also be forwarding LAN traffic to the VPN.

    cat >> /etc/config/firewall << EOF
    config zone
        option name 'VPN_FW'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'PIA_VPN'

    config forwarding
        option dest 'VPN_FW'
        option src 'lan'
    EOF

     

    Reboot your router. If you’d like, you can login to LuCI and see the new network interface, physical (but really, it’s virtual) interface, and firewall zone. Back on the command line, use the following command to start the VPN. Specify your generic configuration file, and choose a server from PIA.

    openvpn --cd /etc/openvpn --config /etc/openvpn/piageneric.ovpn --remote us-east.privateinternetaccess.com 1194

     

    If everything went well, you should see something like below, ending in Initialization Sequence Completed. If not, you did something wrong. Check your logs and start looking here.

    root@OpenWrt:~# openvpn --cd /etc/openvpn --config /etc/openvpn/piageneric.ovpn --remote us-east.privateinternetaccess.com 1194
    Sun Oct 19 20:27:00 2014 OpenVPN 2.3.4 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Sep 20 2014
    Sun Oct 19 20:27:00 2014 library versions: OpenSSL 1.0.1j 15 Oct 2014, LZO 2.08
    Sun Oct 19 20:27:00 2014 WARNING: file 'authuser' is group or others accessible
    Sun Oct 19 20:27:00 2014 UDPv4 link local: [undef]
    Sun Oct 19 20:27:00 2014 UDPv4 link remote: [AF_INET]216.155.129.59:1194
    Sun Oct 19 20:27:06 2014 [Private Internet Access] Peer Connection Initiated with [AF_INET]216.155.129.59:1194
    Sun Oct 19 20:27:09 2014 TUN/TAP device tun0 opened
    Sun Oct 19 20:27:09 2014 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    Sun Oct 19 20:27:09 2014 /sbin/ifconfig tun0 10.137.1.6 pointopoint 10.137.1.5 mtu 1500
    Sun Oct 19 20:27:09 2014 Initialization Sequence Completed

     

    Check ifconfig to see if you have a tunnel interface. If you do, that’s good!

    tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
              inet addr:10.137.1.6  P-t-P:10.137.1.5  Mask:255.255.255.255
              UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
              RX packets:646 errors:0 dropped:0 overruns:0 frame:0
              TX packets:693 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:100 
              RX bytes:289558 (282.7 KiB)  TX bytes:181814 (177.5 KiB)

     

    Next, try to get on the internet. If you can’t, there’s a good chance it’s a DNS issue. To resolve this, we’ll set our DNS servers on this connection to use PIA’s DNS servers. It looks like we can set the DNS servers for a specific interface, so we’ll add them for the LAN interface.

    uci add_list dhcp.lan.dhcp_option="6,209.222.18.222,209.222.18.218"
    uci commit dhcp
    reboot

    Now we should have DNS working, and since we’re using PIA VPN and PIA DNS servers, we shouldn’t have any DNS leaks.

     

    Restart your VPN connection and try it again! Check your IP with an external tool, like WhatIsMyIP, both on your local wireless network, as well as the OpenWrt network. You should see the difference, meaning you are successfully connected!

    Before (on my local network)…

    20141018_020

    After (VPNed in)…

    20141018_021

     

    Now is a good time to check for DNS leaks while on the VPN.

    20141018_022

     

    Extras

    Run at startup

    If you’d like your VPN connection to run at startup, go to the System dropdown, then select Startup. In the box at the bottom, paste the following command before exit 0. The trailing ampersand runs OpenVPN in the background, so the startup script can carry on to exit 0 instead of blocking on the tunnel.

    openvpn --cd /etc/openvpn --config /etc/openvpn/piageneric.ovpn --remote us-east.privateinternetaccess.com 1194 &
    

     

    Backup your config

    You did all this work, don’t lose it. Go to the System dropdown, then select Backup/Flash Firmware and press Generate Archive to download a backup of all your configuration files.

    20141018_023

     

    Failsafe mode

    At some point during this build, you’ll probably break something and lock yourself out of your router. Thankfully, you’re not left with a paperweight. OpenWrt includes a failsafe mode that will let you telnet to your router. Steps for the MR3020 are below.

    1. Power off your MR3020 and connect it to your PC via Ethernet
    2. Set your PC’s IP to 192.168.1.2 with a subnet of 255.255.255.0 and a gateway of 192.168.1.1
    3. Plug in the power to the MR3020
    4. When the WPS button starts to flash, slide the switch labeled 3G/4G/WISP/AP back and forth really fast. At this point, the WPS button will start blinking faster than it was before. You are in failsafe mode.
    5. Connect to the router via telnet and you should see that you are in failsafe mode.
      logan@fedora20 ~$ telnet 192.168.1.1
      Trying 192.168.1.1...
      Connected to 192.168.1.1.
      Escape character is '^]'.
       === IMPORTANT ============================
        Use 'passwd' to set your login password
        this will disable telnet and enable SSH
       ------------------------------------------
      
      
      BusyBox v1.22.1 (2014-09-20 22:01:35 CEST) built-in shell (ash)
      Enter 'help' for a list of built-in commands.
      
        _______                     ________        __
       |       |.-----.-----.-----.|  |  |  |.----.|  |_
       |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
       |_______||   __|_____|__|__||________||__|  |____|
                |__| W I R E L E S S   F R E E D O M
       -----------------------------------------------------
       BARRIER BREAKER (14.07, r42625)
       -----------------------------------------------------
        * 1/2 oz Galliano         Pour all ingredients into
        * 4 oz cold Coffee        an irish coffee mug filled
        * 1 1/2 oz Dark Rum       with crushed ice. Stir.
        * 2 tsp. Creme de Cacao
       -----------------------------------------------------
    6. Now, you should be able to change your password by entering passwd, but you may get an error about the filesystem being read-only, like below.
      passwd: /etc/passwd: Read-only file system
      passwd: can't update password file /etc/passwd
    7. If that happens, enter mount_root, then try the passwd command again. At this point, you should be able to SSH into the MR3020.
    8. If you installed too many packages and filled up the filesystem, you can wipe it and do a factory reset with the command below.
      firstboot
    9. Reboot the router, as below.
      reboot -f
    10. Try to SSH in. If it doesn’t work (mine didn’t), telnet in again, set your password again, and then try SSH again.
    11. If you want to transfer a new firmware file to the router, you can do that with the SCP utility on your PC.
      scp /path/to/file.bin root@192.168.1.1:/path/to/file.bin
    12. Then, flash the new firmware file with the command below.
      sysupgrade -v /path/to/file.bin

     

    HTTPS Support

    Out of the box, LuCI does not support HTTPS. For that, you’ll need a couple packages.

    opkg update
    opkg install luci-ssl uhttpd-mod-tls

     

    First, back up the original /etc/config/uhttpd file. Then, edit the file to change your certificate settings as needed.

    cp -p /etc/config/uhttpd /etc/config/uhttpd_old
    vi /etc/config/uhttpd

    Before…

    config cert 'px5g'
            option days '730'
            option bits '1024'
            option country 'DE'
            option state 'Berlin'
            option location 'Berlin'
            option commonname 'OpenWrt'

    After…

    config cert 'px5g'
            option days '730'
            option bits '2048'
            option country 'US'
            option state 'Pennsylvania'
            option location 'Pennsylvania'
            option commonname '10.80.1.1'

     

    Once you have your certificate set up, restart the webserver.

    /etc/init.d/uhttpd restart

    You should see a message similar to the one below.

    Generating RSA private key, 2048 bit long modulus
    Generating selfsigned certificate with subject 'C=US;ST=Pennsylvania;L=Pennsylvania;CN=10.80.1.1;' and validity 20141021000526-20161020000526

    If you navigate to /etc, you should see a certificate and a key file.

    -rw-r--r--    1 root     root           828 Oct 20 20:50 /etc/uhttpd.crt
    -rw-r--r--    1 root     root          1192 Oct 20 20:50 /etc/uhttpd.key

     

    Open your browser, and instead of going to http://10.80.1.1, go to https://10.80.1.1. If you get a scary looking error message, that’s ok. Click Advanced.

    20141018_024

    Then, proceed to your site.

    20141018_025

    In the URL bar, you’ll still probably see some intimidating red error message.

    20141018_026

    Upon further inspection, we can see this error is because the certificate wasn’t generated by a trusted CA (Thawte, Symantec, etc…).

    20141018_027

    If you inspect the actual certificate, you can see it’s the certificate we created, so you know it can be trusted.

    20141018_028
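Reading the subject is a start; the check that actually proves the browser is talking to your uhttpd (and not to something in between presenting its own self-signed certificate) is comparing fingerprints. The functions below are an added example and not from the post: they normalize a fingerprint as openssl prints it and as a browser’s certificate viewer displays it so the two compare equal, compute the SHA-256 fingerprint of /etc/uhttpd.crt with the openssl CLI (on the router that means opkg install openssl-util, or scp the .crt to your PC and run it there), and check that the key file is readable only by root, since the listing above shows /etc/uhttpd.key created as -rw-r--r--. The fingerprint strings in the demo are constructed.

```shell
#!/bin/sh
# Added example, not from the post: compare certificate fingerprints and check
# the key file's permissions. Paths are the ones the post shows.

# normalize_fp <fingerprint>: drop a "SHA256 Fingerprint=" label, colons and
# spaces, and uppercase, so openssl output and a browser's display compare equal
normalize_fp() {
    printf '%s' "$1" | sed 's/^[^=]*=//' | tr -d ': ' | tr 'a-f' 'A-F'
}

# fingerprints_match <a> <b>: true when both normalize to the same non-empty hex
fingerprints_match() {
    a=$(normalize_fp "$1")
    b=$(normalize_fp "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# cert_fingerprint <pem-file>: SHA-256 fingerprint of a certificate, normalized.
# Needs the openssl CLI (opkg install openssl-util on the router, or run it on
# your PC after copying the .crt over with scp)
cert_fingerprint() {
    normalize_fp "$(openssl x509 -in "$1" -noout -fingerprint -sha256)"
}

# cert_matches_browser <pem-file> <fingerprint-from-browser>
cert_matches_browser() {
    fingerprints_match "$(cert_fingerprint "$1")" "$2"
}

# key_is_private <file>: true when group and others have no permission bits,
# i.e. not the -rw-r--r-- the post's listing shows for /etc/uhttpd.key
key_is_private() {
    [ "$(ls -l "$1" | cut -c5-10)" = "------" ]
}

# Demo with constructed fingerprints in the two shapes you will meet
OPENSSL_FP='SHA256 Fingerprint=0A:1B:2C:3D'
BROWSER_FP='0a 1b 2c 3d'
if fingerprints_match "$OPENSSL_FP" "$BROWSER_FP"; then
    echo "same certificate"
fi
```

On the router, `cert_matches_browser /etc/uhttpd.crt '<hex from the browser's certificate viewer>'` is the comparison, and `key_is_private /etc/uhttpd.key || chmod 600 /etc/uhttpd.key` tightens the key file that uhttpd left world-readable.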

     

    That’s it! I’ll be tweaking this guide as I go, but let me know if anything is incorrect or missing. Also, a couple useful posts and sources I used when stuck are located here, here, and here.

    -Logan

    132 thoughts on “OpenWrt with OpenVPN client on TP-Link TL-MR3020”

    1. Hi Logan,

      Nice POST, helped a lot!

      One note: After I configured the firewall and rebooted, the router could not resolve the PIA site for the VPN, “us-east.privateinternetaccess.com”. I think it is because the firewall rule routes all LAN traffic to the tunnel, but at this point the tunnel was not up. I substituted the IP address and it worked. Not a great workaround.

      • Don, sorry for the late response. Is this still an issue? I’m thinking you should be able to resolve us-east.privateinternetaccess.com even if the tunnel is down…

        • Worried about internet security and privacy, I am looking for a way to protect my 3 computers. Your write up is intriguing and seems daunting since it’s been a while (5 or more years) that I dabbled with configuring my computers beyond antivirus and backups. What about the firewall inside routers and windows? Are they not sufficient?

          Supposing, I am able to pull this off, how do I put your setup to use? Just surf the web and use email as usual? I also see a lot of talk about TOR, TAILS. Does your setup handle them? If so how?

          OR will I be in over my head? Almost ready to order the Travel router, but I would like to get some advice first.

          Thanks

          • Glad you’re interested in it! The purpose of a VPN is not to protect you from viruses/malware. In fact, you could very easily get a virus while using a VPN. Instead, a VPN is used to secure/encrypt your communication while in transit and change your IP address (and thus, your perceived location). This protects you when you’re using public wifi, want to circumvent geoblocking, or want to keep your communication secret (in transit) from hackers/governments.

            This setup would basically put another router behind your current router. This 2nd router would connect to a VPN server. The connection between the 2nd router and the VPN server would be encrypted. Any device (laptop, phone, etc…) that connects to the wifi of the 2nd router would then have its internet connection encrypted as well. The real advantage of this setup is that you don’t need to setup the VPN on each device. You set it up on the 2nd router, and any device that connects to it is protected. You could then connect back to your 1st router when you don’t need the extra privacy. But yes, you can do almost anything you normally do online, it just may be a little slower (due to overhead of the encryption process).

            Tor works by sending your traffic through multiple servers, obfuscating your IP address (and thus your identity). Tor does not encrypt your data.
            A VPN, however, does not protect your identity (assuming your VPN provider keeps logs), but does encrypt your data. They are two different sides of the same coin, so to speak. Check out this link for an explanation. Tails is a Linux-based operating system that uses Tor by default in its web browser.

            Setting up this router requires basic Linux command-line skills and basic knowledge of networking. It’s not difficult, but there is a steep learning curve, especially if you’ve only ever used a Windows-based operating system. You would also need to purchase a VPN subscription for a few dollars a month. If you’re interested in an easier option, this VPN provider has desktop/mobile apps to encrypt traffic on a per-device basis. They’re very easy to setup and use, especially if you’re not comfortable with the command-line.

            Hope this helps!

            • Thanks.

              Sometime ago I thought I was writing anonymously to a group of people. It was in disagreement with a vociferous couple of people. To make it short, someone called me to say that they have proof that I wrote it. And they proceeded to bully and terrorize me. It was nasty and I left the group and city.

              Well, I want to start engaging again. I have a new laptop. I don’t want anyone to access it. I have some friends and family that are quite computer savvy, but I don’t even want them to know what else I use by asking for their help. So I am going to learn as much as possible and avoid serious mistakes. I have subscribed to a VPN and installed TOR today. After I get comfortable I will look in here again.

    2. Hey, I really wanted to thank you for this post. I’d been having issues getting openVPN-AS to work nicely with my router running DD-WRT (even though I could use something like ExpressVPN just fine with it, I preferred to have my own server). I ended up flashing OpenWRT instead thinking it might help. Your post helped make a few of the steps SUPER easy. Next two steps for me are to get it to be easy to turn the VPN on and off, and to get my VPN to pass IPv6 traffic :).

      Cheers!

    3. Awesome post! It’s exactly what I had in mind when I ordered the device.

      I also want to try and figure out how I can put it into a Client+AP mode. This would be the scenario if I was staying at a hotel or other place while I’m traveling and there is no LAN cable to plug into. I would still like to utilize the AP mode for my wireless devices. I also want it to be a Client and connect to the hotel’s wifi. And over that wifi, establish an OpenVPN connection that’s available to all my wifi devices connected to its AP.

      • Thanks! After installing OpenWrt, I realized that most hotels don’t offer ethernet jacks anymore, and only offer wireless. I don’t see why you couldn’t setup your router in client+AP mode, but you’ll need to make sure your hotel doesn’t have a captive portal sitting in front of its internet access.

        • I just can’t figure out how to get OpenWRT to do it. Whenever I make it a client, it freaks out and drops the AP. I am using the option to create an additional virtual wifi adapter and I’m NOT overwriting the AP settings. I’ve managed to get it working ONCE. I saved those configs and rebooted. Everything was still working. Then I decided to change which AP I wanted the client to connect to (simulating the change of moving hotels, etc.) and it freaked out and stopped broadcasting. I’ve run firstboot about 10 times because I keep losing connectivity. Very frustrated. Anywho, that’s not your problem. Just thought you may have some insight on a TL-MR3020 and a Client+AP mode. Thanks.

          • If I get some time, I may try to set it up myself. What’s really weird is that it worked once, but not again. Just thinking out loud here…

            • When you reboot, is it possible to make OpenVPN wait until it has an address from the router?
            • When you change APs, are you re-starting the tunnel?
            • When you change APs, does the AP on OpenWrt just die (i.e., you can’t see it from your phone?). Might be a bug in OpenWrt…
            • Logan, thanks for the follow-up. The funny part is I haven’t even made it to the part of putting root on an external drive and installing openvpn. I’m still stuck at just getting it to operate in Client+AP mode. I’ll keep tinkering.

              • Hoss,

                A user sent me this in regard to your issue and I figured it would be helpful if I posted it publicly…

                I was unable to get this comment to post underneath Hoss’ latest on https://loganmarchione.com/2014/10/openwrt-with-openvpn-client-on-tp-link-tl-mr3020/

                I’m in the same situation on the tl-mr3020 – wanting a wired or wireless client, then presenting an openvpn-secured AP. Seeing this, I tested out client+ap. I used the settings here http://blog.philippklaus.de/2011/04/openwrt-configure-wifi-client-as-wan-and-set-up-a-2nd-ap-to-redistribute-the-wan-access/ and got it to work, however, yes it does appear that if the client wifi ever goes down, the AP goes down (or won’t start) either. (I tested it with the mr3020 a client of my android hotspot which I can turn on and off easily.) Perhaps this is a problem with OpenWRT?

                Simply disabling the “sta” wifi-iface in /etc/config/wireless before the wireless signal is lost is enough to keep the AP up. Or disabling it after it is lost is enough to make it come back without restarting, it seems. So I’m thinking I’ll need multiple sets of settings, perhaps switched by the physical switch (this link looks like useful code: https://gist.github.com/jefferyto/8010733 from http://wiki.openwrt.org/toh/tp-link/tl-mr3020#buttons) or perhaps hook up the WPS button to a little script that simply disables that client wifi.

                • Very, very nice guide, Logan! – It really helped me kick-start my new MR3020! Thank you!

                  I also found it useful to be able to switch configs on this nifty little router. I had two minor issues with the nice groundwork made by Jeffery To:

                  1. It was not very well commented and there seems to be an error in the setup instructions (regarding the order of paths for the ‘ln’ command), making it difficult for a noob like me to setup
                  2. Changes made in LuCI (at least with Barrier Breaker) would overwrite the symbolic links, that these scripts relied on for switching config, with the plain config file. This a) broke the config switching functionality and b) made it cumbersome to retain the updated config (manually copy file to appropriate subfolder, re-created symbolic link)

                  I have forked Jeffery’s work and changed the scripts, so the configuration files are copied instead of linked. I have then added a new script, executed when pressing the WPS button between 1 and 3 seconds, that copies the (updated) ‘network’ and ‘wireless’ config files, to the subfolder of the currently selected mode (3g, ap or wisp).

                  If anyone’s interested: https://gist.github.com/abstrask/6a65184ca52d4b0c3c98. Comes of course with no warranties what so ever, but seems to work just as intended on my box :).

                  Any feedback is most welcome!

          • This blog is helpful on the configuration for a wireless client and access point setup.

            http://www.ediy.com.my/index.php/blog/item/110-setting-up-a-wireless-hotspot-using-tp-link-tl-mr3020-wireless-n-router

            Do the setup indicated in the blog, but call the wwan the WAN. Once internet connectivity is achieved, keep following Logan’s guide. As far as I understand with a wireless setup you don’t remove the bridge on the LAN.

            Mine is working great. All I need to do now is work out how to stop the blue led flashing constantly on my WR703N. Previously it would not light up at all. With the VPN setup it is like I am in a disco.

    4. Hi. Great tutorial. I got my VPN working, i.e. to the stage where it says “Initialization Sequence Completed”.

      But if I open a web browser and go to WhatsMyIP, I am not hidden – it still shows my real ISP. If I do an ‘ifconfig’, the tun0 interface shows 0 bytes RX and 0 bytes TX.

      What have I missed? Thanks!

      • Do you see any error messages before “Initialization Sequence Completed”? If not, I would try to set the log option described here. When you do ‘ifconfig’, are you getting an IP from the VPN server? Also, double check your firewall settings and DNS settings.

    5. Thanks for the excellent guide, got it all working with minimal fuss.

      What config is required to be able to specify at an IP level whether to go through the VPN, or, to bypass the VPN and go straight through the WAN? I’m using reserved IP’s, so, I’ll always know which device is which.

      Second question. What would the command be to terminate the VPN session? At the moment, I’m rebooting the router.

      Thanks in advance.

      • Thanks, good to hear!

        The current setup routes all traffic over the VPN, due to the firewall setup. I believe what you’re referring to is split tunneling. In all honesty, this is something I would like to setup myself but haven’t yet. If you get it setup before me, let me know!

        Currently, I SSH into the router, to do ps | grep openvpn to find the process ID and then kill the OpenVPN PID with kill #####.

    6. Hi guys, I congratulate you for this simple and complete guide … the best on the Internet!

      I wanted to ask LOGAN if I can ‘help me … I have a problem, I have to reach my ROUTER CONTROL PANEL (OpenWrt Barrier Breaker) Remote Management (Weather Station Package OpenWrt “FOWSR”) wanted to know if just install OpenVPN on the router, or you must have a SERVER. OpenVPN ago also SERVER ?? **

      Thanks in advance.

      Rocco

      • In this tutorial, I’m installing an OpenVPN client on my router, which is connecting back to an OpenVPN server that is run by Private Internet Access.

    7. Hello Logan and the rest here,

      as a “Christmas Eve” Project I wanted to use your tutorial to have a PIA router for location “issues” 😉

      But I have a few issues with it… Everything goes well until the “Verify internet Access” part. Before that, I can access the router through LAN and Wifi. But as soon as I connect it to my “Main Router” (Speedport W700V, a pretty old (7-8 years) router I got from “Deutsche Telekom”. I live in Germany) I cannot access it via wifi anymore.
      My main Router’s IP is 192.168.2.1 so I gave the MR3020 the 192.168.2.150. I did everything as your tutorial says… It’s quite frustrating now.
      The DHCP range on the Speedport is set to 192.168.2.100 to 192.168.2.199 so the “150” should be OK.

      There was only ONE time when I was able to see the MR3020 Luci Interface. But when I tried using the Internet it didn’t work. (The Time was also wrong) But that only happened once…

      One thing i found searching on google was to disable DHCP on the MR3020. Still no success.

      Do you have any tips you can give me? I have a feeling that something’s wrong with the Speedport?

      Thank you in advance!

      P.S.: When the MR3020 was connected to the Speedport I also had issues connecting to the Speedport’s 192.168.2.1. Maybe that helps.

      • Hey Daniel,

        With my setup, the LAN port on the MR3020 becomes used exclusively for the outside connection (in your case, from the Speedport), while the WLAN interface is used only for the internal connection (like your laptop/PC). You shouldn’t be able to access the MR3020 over the LAN and WLAN at that point. It sounds to me like there is an issue with the firewall or the LAN and WLAN interfaces are still bridged (we want them to be separate).

        It shouldn’t make a difference, but my MR3020 is outside my main router’s DHCP range. But, like you said, it should still be ok.

        The fact that the time was wrong, and you couldn’t access your Speedport at 192.168.2.1 makes me think it’s either a firewall issue, or issue with the LAN/WLAN interfaces. I would say double-check your setup (possibly start over) and try again.

        Good luck!

        • Hey Logan,

          I finally managed to get the MR3020 to work! Very nice to have a “US-Router” at home.
          The problem was that I gave the MR3020 the wrong IP… weird. When I gave it the IP of 192.168.1.xxx it worked perfectly. Although it’s outside of the Speedport’s DHCP range. But I’m pretty much a noob regarding network stuff and just getting into the Linux/BSD/Opensource world.

          But I have one little issue with my router still. My Speedport has to reconnect every 24 hours. (So I don’t host a website or something, guess it’s the same in the US.)
          When that happens, the MR either disconnects completely or the VPN “crashes” and I have my German IP again. After I reboot the MR everything is fine again.
          So is there a way to reboot the MR3020 automatically every day?
          The Speedport is set to reconnect between 4 and 5 am every morning. So it would be great when the MR does that a little later (6am maybe).

          Thanks again!

          • That’s a weird fix, but I’m glad to hear it’s working!

            Yes, you could use cron to setup an automatic reboot of the MR3020 at 6:00am every day. Your entry would look like this:
            0 6 * * * reboot
            Some material to get you started is here and here.

    8. Hi,
      Just want to say a big thank you for these steps. I know very little about computers and stuff like this but I was able to follow the instructions and it worked perfectly for me. Thank you again.

    9. To complete DNS leak setup, I had to go to the “Advanced Settings” of the WAN interface, uncheck “Use DNS servers advertised by peer” and insert the Private Internet Access DNS servers in the newly revealed custom DNS fields.

        • Yes it was. I set it up again on a WR703N last night (this time as a wireless client and wireless access point). This time I didn’t include any custom DNS for the LAN at all and only set custom DNS for the WAN as described above. The result was no dns leak and my IP at the PIA servers.

      • Thanks Ben! This is something I’ve been meaning to setup as well. I should have some time this weekend or next week to play with it. Just thinking out loud here…
        1) You’d need to create a partition for OpenWrt to expand onto, as well as one for your network drive. Maybe do this using gparted on another PC?
        4GB–>OpenWrt–>/dev/sda1
        12GB–>Network–>/dev/sda2
        2) Then create mountpoints for each and mount them on your router.
        mkdir /mnt/openwrt
        mount /dev/sda1 /mnt/openwrt
        mkdir /mnt/network
        mount /dev/sda2 /mnt/network

        3) Continue like normal to copy the router’s internal memory onto OpenWrt partition of the flash drive
        mkdir -p /tmp/cproot
        mount --bind / /tmp/cproot
        tar -C /tmp/cproot -cvf - . | tar -C /mnt/openwrt -xf -
        umount /tmp/cproot

        4) Create 2 fstab entries
        cat >> /etc/config/fstab << EOF
        config mount
                option target /
                option device /dev/sda1
                option fstype ext4
                option options rw,sync
                option enabled 1
                option enabled_fsck 0

                option target /mnt/network
                option device /dev/sda2
                option fstype ext4
                option options rw,sync
                option enabled 1
                option enabled_fsck 1
        EOF
        5) Then I think you'd have to do the last step in your guide to share it via SAMBA.
        Like I said, I can try next week. If you do it before me, let me know how it goes.

        • I have nearly finished setting it up but will probably not finish tonight as it is late. It looks from the mount points like it will work. I am just zeroing and storing an image of the USB before I go further and will set up the share tomorrow.

          I had a little trouble with the fstab file. It appeared I had to put in the entry for /dev/sda1 reboot, then do it again with both entries. However it now recognises both partitions.

        • I stayed up. I have set up the share but it is still not discoverable by any of my other devices. It would be good to hear how you go.

          • Hey Ben, I got it working. I think I gave you bad code for the fstab file. Specifically, I forgot config mount on the /mnt/network share. I’m going to have a new post up in a day or so with my code and screenshots.

            • I have got it working by making the samba service active under System/Startup then ssh’ing to the /mnt directory and doing a chmod 777 on it.

              I’m looking forward to reading your updated post as I am likely to have done something wrong, albeit it is working.

              Time to get a 64gb Sandisk fit usb key as the extra space won’t be wasted.

              • Post is up. One part for creating the partition and another for creating the share.

                I don’t think you did anything “wrong”, just went about it in a different way. I have the SAMBA share up and accessible, but I can’t write to it. I didn’t even think about permissions though, I’d bet mine is still 444. I’d make it 666 instead of 777, as you probably don’t want execute permission on that directory, right? I’ll check later today. Good call though, I wouldn’t have thought of it otherwise!

                • It didn’t work for me using chmod 666. If I use 666 I can’t connect to the network share. If I do chmod 777 it works. I am not a chmod expert so I am not sure why 777 works when 666 doesn’t.

                  • I tried 666 as well and it didn’t work. I’d assume you need some sort of execute permission to get into the directory.

    10. Logan –
      Your tutorial has been an awesome help! I have had a VPN endpoint (OpenVPN on DD-WRT) setup at home to allow me to have normal (read: US-grade) internet access when I’m in China for work. Previously I had initiated VPN connections on each device, but I had been thinking about doing exactly this… I’ve got a working setup now, and I’m sure it’ll help a lot when I’m next in China!

      I’ve made a bunch of minor additions and modifications to the setup, including one to address what I believe is an issue with the Atheros Wifi implementation when the client-mode connection from the MR3020 to another SSID cannot be established (as has been described in some of the comments above):

      – I’ve setup the network interfaces to give me WAN (ethernet port) + WWAN (Wifi client mode WAN), and WLAN + LAN (on the same ethernet port as the WAN, but using a vastly different – and hopefully unlikely to ever conflict – static IP address w/ DHCP server disabled on the LAN interface).
      – I made the ‘3G’ LED (the one with the globe) a basic indicator of my connection to the internet.
      – The ‘WPS’ LED is a VPN status indicator (off = tunnel down, on = tunnel up, heartbeat blink = connection initiated but not up).
      – I’ve used the 3-position slider to determine the boot mode (AP = AP only*, WISP = connect to last known network + AP, 3G/4G = connect to last known network + AP + auto-initiate VPN + firewall blocks all LAN->WAN traffic, only allows LAN -> TUN).

      * AP only mode copies “safe” versions of the network and wireless config files, guaranteeing that the wireless AP will come up without further interaction. This way, I know I can *always* configure the network/wireless basics for a given location without having to resort to failsafe (particularly important when I don’t have any ethernet enabled devices with me). What I did was save a wireless config file that has the Wifi client interface setup, but cleared (disabled, no SSID, no passphrase, and security set to ‘none’). The AP side of the config remains the same, so my devices will always connect to the MR3020 (and I can use SSH or the web GUI to add the details for the client connection).

      Once everything was working, I actually made an install script that will take you from ‘firstboot’ to fully configured with all of the interfaces, LEDs, and other configuration options ready to go. It is a 4 stage process with reboots in between, and it might be a bit brute-force (it moves some configuration files into place, some of which are custom-configurable prior to installation, and it is pretty dumb – doesn’t detect problems… but it works for me). I’d be happy to share it with you (and you may post it here for others) if you’re interested.

      The only thing I have been completely unable to get working is the hotplug events for the WPS button and slider switch (post boot time, that is). Specifically, I cannot seem to get the button presses to register as events (I know the buttons are working, though, since I can manually poll them – but I want hotplug.d to handle that for me). If you’ve got them working, would you mind sharing the scripts?

      • Thanks Pete, good to hear! Your use case is perfect for this kind of setup. Not sure what device you’re using, but keep in mind that most of the cheaper routers only have 10/100 NICs and b/g WiFi, so that might limit your bandwidth if you’re using multiple devices.

        I’m really interested to hear what it’s like in China. Is the censorship really as bad as everyone says? I’d also be interested in seeing your setup/scripts, if you don’t mind sharing. There were a couple of users here who were trying for something similar to what you’re doing.

        Unfortunately, I haven’t been able to dive into the hardware buttons/switches yet. You’re way ahead of me on that.

        • Logan –

          I’d be happy to share. I’ll send you an email so we can go over everything I’ve done so far offline first and you/we can figure out if anything should be improved before sharing it more widely (I’m happy to share as-is, but would hate to cause people grief if I’ve done some sloppy work).

          For the benefit of those reading, my main purpose for the VPN setup at my own home is to create a secure link between an untrusted network environment (public wifi, etc.) to the internet at large, but I can also use it for remote access/admin when I’m away from the house. (On the tech support side, I have a similar configuration installed at my parent’s house so I can tunnel into their network, and I’ll be doing the same with my in-laws soon).

          I’m using a Cisco/Linksys E2000 (used via CraigsList for $15) with DD-WRT as my OpenVPN endpoint at home. It is connected behind my main router with the appropriate ports forwarded. It’s a nice, simple setup with a small physical footprint and low energy consumption. If I needed better bandwidth performance, I could have used pretty much any computer or even something like a Raspberry Pi, but I kind of like the setup with a router.

          As far as China is concerned, there are two things to consider: 1) always assume you’re being watched/monitored, and 2) some services/sites are explicitly blocked by the Great Firewall (http://en.wikipedia.org/wiki/Websites_blocked_in_Mainland_China). Knowing those two things, I felt it would just be easier/safer/more reliable to use a VPN solution to have ‘normal’ internet access that, thanks to the VPN tunnel, effectively originates from my home in the US. And FWIW, China has started to block common VPN solutions such as StrongVPN, so having a home setup means I am less likely to be blocked (although who knows). Previously, I connected my devices individually to the VPN, but next time I’ll be using the MR3020.

          Since I’m using relatively low-end devices, I know that my bandwidth will be impacted – in some cases somewhat severely. But that’s okay for my purposes since I’m just looking for the security and reliability of a VPN link for basic communications (email, social media, basic web browsing).

      • I’ve found an issue where if the WISP connection is OPEN (no encryption) everything works ok, but if I try to connect to a WPA protected network and enter a pre-shared key, I am no longer able to connect to the router over wireless and the only option is to go back into AP (safe) mode.

        This is completely repeatable every time.

        Any ideas?

        • Are you talking about using the wireless in client mode, trying to connect to a WPA network? Or your router is broadcasting WPA and you can’t connect?

          • Using the wireless client to connect to WPA network, whilst simultaneously broadcasting in AP mode for end device to connect to.

            If the “internet side” WiFi is anything other than open, the TP-Link gives up on all WiFi and needs to be restarted in Pete S’s Safe mode (switch in AP)

            • Stuart – Sorry I didn’t see your comments for the past 8 months!
              I have some guesses about what might be happening to your connection. The network will fail to come up on the MR3020 if there is any reason it cannot connect to the upstream AP if the “Client” mode is enabled.

              – In Network -> Wifi -> [Client mode interface -> Edit] -> Interface Configuration -> General Setup, you will see 2 fields for entering the network name. Be sure you are using the ESSID field if you are using a human-readable network name. The BSSID field should usually be left empty. The BSSID field should only be used if you are actually connecting to a network using the MAC address of the upstream Wifi AP.

              -Double check that you are using the right encryption type and that the password is correct.

              -Also, keep in mind that the MR3020 is 2.4GHz only. Therefore, if the upstream network is a 5GHz network (802.11n, a, or ac with 5GHz only), the MR3020 radio will be unable to connect and it’ll just stall.

              I can reproduce the hanging/stalled symptom when I attempt to connect to a WPA2 protected network with either the wrong password or the network name is entered into the BSSID field. And I have been in environments where the upstream network is 5GHz only… in which case the only option remaining is Ethernet, if available.

              I hope this helps!

              • Pete – As chance would have it, I have been reviewing my install and came back here as a refresher.

                Following your pointers I can now connect consistently. It was a while ago I first looked at this, so not 100%, but I think the falling point was that I was not manually setting the cipher. It seems leaving set to “auto” on a non-broadcasting network results in failure.

                Thanks for coming back and updating.

                Next step – I’d really like to do something like this:

                https://www.youtube.com/watch?v=ipdXKPUVOVE

                • Hey Stuart – Glad to hear things are working properly for you now! Your next goal seems like a lot of fun… totally silly, but very cool :-). I wish you luck and much fun… post back if/when you get that running.

    11. Hey Logan,

      Thanks for the great tutorial. It will be my lifesaver on my 4 week business trip to China ;). I’ve also got the issue that the Reset/WPS LED on my MR3020 keeps flashing after I set the command to start the connection on startup. If I comment this out again, the LEDs are working as usual. Any suggestions on this?

      Best wishes from Germany,

      Felix

      • Thanks Felix, glad to help! That’s what another commenter plans to use OpenVPN for as well.

        What does your /etc/rc.local file look like? If you go into LuCI–>System–>Startup and scroll to the bottom, does that match your /etc/rc.local file? They should be identical. Mine is below, as an example.

        # Put your custom commands here that should be executed once
        # the system init finished. By default this file does nothing.
        openvpn --cd /etc/openvpn --config /etc/openvpn/piageneric.ovpn --remote us-east.privateinternetaccess.com 1194 &
        exit 0

        Does the LED flashing affect the performance at all (e.g., the tunnel is down)? If you just want to change what the LED does, you can look here and make your changes in the /etc/config/system file, or under LuCI–>System–>LED Configuration. I haven’t had the chance yet, but I want to start changing the LEDs on mine as well. Pete, who commented earlier, might be able to shed some light on that.

      • Felix –

        What is your desired LED behavior — I’ll try to help out. I’ve got my LEDs set as follows:

        3G => Internet connectivity (solid = successful ping to my VPN; flashing 500ms on/500ms off = can’t ping VPN, but can ping another domain; heartbeat blink = can’t ping domain, but can ping IP address; off = no internet connectivity). The VPN address, domain, and IP address for pinging are all configurable in my setup.

        WPS => VPN tunnel status (on = tunnel up; heartbeat blink = VPN tunnel not up, but connection attempt is initiated; off = tunnel down, not attempting to connect).

        The LEDs ethernet (blink on activity), wifi (blink on activity), and power (on solid) are left as default.

        I can post my code snippets if this is what you’re looking to do… let me know.

    12. One more question at this point. Seems that the “Stop Interface” in the LuCI GUI works for the VPN connection, but the reconnect doesn’t. Is it because it does not know what configuration to use? Is there any option to reconnect the VPN except for using SSH or rebooting the router? And somehow it seems that the device does not reboot by the System>Reboot button in the GUI, but only by disconnecting the power supply.

      Thx a lot! I hope these questions are not too dumb, but I’m actualy quite new to stuff like that and especially Linux.

      • Are you referring to LuCI–>Status–Processes or LuCI–>System–>Statup? Either way, you are correct in that the GUI doesn’t know which config to use. In my tutorial, I’m doing everything manually via SSH. In my newer version of this post, I’m using three scripts to manage the VPN status: one to alert when the VPN is down, one to alert when the VPN is up, and one to check that status of the VPN every 10 minutes, then start it if it is down. To make use of the GUI, I suppose you could start writing custom init scripts, but that’s a little too over my head to address.

        I haven’t run into the rebooting problem. You can check how long the system has been up (after a reboot) with the command uptime, as seen below.

        root@mr3020_home:/etc/init.d# uptime
        22:16:29 up 1 day, 1:42, load average: 0.00, 0.02, 0.04

        You can also see this by going to LuCI–>Status–>Overview.

        There is no such thing as a dumb question. If you’re interested in learning about Linux, check out this subreddit or consider taking this free (formerly $2400 USD) course through edX.

      • Felix –

        I created VPN init scripts that allow the GUI to start/stop/restart the service. Create a file (possibly named “VPN”) with the contents shown below, add execute permissions on the file (chmod +x VPN) and save it in the /etc/init.d/ directory. You will then see VPN in the list of the startup features. If you click “enable” it will launch automatically at the completion of every boot cycle (I don’t think this is the best option – configure scripts to do this with the slide switch instead). Start/Stop/Restart are self explanatory.

        Oh – and regarding the reboot – when you select reboot (from the status or system menu, don’t remember off hand), you also have to click a link (not a button) to actually force the reboot. Slightly hidden, so it is possible to miss the fact that you have to click the link. I have had situations where a process actually prevented a reboot, so if the link doesn’t work, try to figure out what might be preventing the reboot.

        #!/bin/sh /etc/rc.common
        # Copyright (C) 2006 OpenWrt.org

        # Start late so networking is already up when the tunnel is launched.
        START=99

        start() {
            openvpn --config [insert your configuration here] &
        }

        stop() {
            # SIGINT asks a running openvpn to exit cleanly.
            killall -SIGINT openvpn &
        }

        restart() {
            # SIGUSR1 makes openvpn drop and re-establish the tunnel in place.
            killall -SIGUSR1 openvpn &
        }

    13. Hi Logan:

      Think I have a fairly dumb comment, but can’t seem to get past it. I’ve been successful setting up the router through what you call the “Unbridge LAN interfaces”. However at that point I can’t access the router while it is connected to the internet. Basically meaning, while the router is on the internet, I can’t SSH in to it or access it from my browser. I can however if I unplug it from the internet. Any ideas what I am doing wrong?

      Thanks
      Luke

      • Hi Luke,

        Before you connect to the internet, are you connected to the router’s wireless network? After you plug in the ethernet cable, does it disconnect you? Do you still get an IP from the router? I would verify a couple things:
        1) SSH access is set up on the correct interface(s)
        2) Both your LAN and WAN interfaces are in the correct firewall zone

        Let me know how it goes.

    14. Hi Logan,

      If I get a HooToo TM02 with 8MB of built-in flash, it looks like I can install OpenVPN without needing a USB stick and ExtRoot. I’m thinking that the form factor of a USB sticking out of the device might be less than ideal for a travel router but am wondering if I am going to regret making this choice as software upgrades become available.

      I found some information online about installing OpenWRT on that device but the author wants to use a USB stick because he installs a large number of packages and that is overkill for me.

      Thanks.

      • Unmesh,

        I’ve never heard of that brand. It looks to be a clone of the WR703N, but with twice the flash! Very nice! It also appears to support OpenWRT. I’m using a small flash drive, so it doesn’t stick out of the router. I’m not in front of my router, so I can’t check how much flash I’m using, but I’d imagine it’s not more than 8MB. But then again, you do want to make sure you have the room to install packages if you need them. Personally, I’d prefer to have more space than I need and just share the rest out as a SAMBA share.

        Let me know how you proceed.

        Logan

    15. Hi Logan. Are you extending this (as mentioned) to have an OpenVPN SERVER at your home? This is what I’m trying to do but apparently failing miserably. There are so many tutorials out there that I find hard to follow and each tells me a different config. Your tutorial is perfect for me up to the VPN client part, whereby I need someone knowledgeable to hold my hand through the server config. I’ve managed to generate keys but can’t get the server to run. Fingers crossed this is on your hitlist soon! Thanks

      • Hi Mike,

        Great email address btw, haha. I will be setting up an OpenVPN server eventually, but I’d like to get new hardware first. Until then, I’m using PIA’s OpenVPN servers. A couple things:

        • It’s dry, but I’d start with the OpenVPN documentation. They have some example client/server configs, as well as a good how-to section.
        • What kind of hardware/software are you using for the OpenVPN server? I’m running DD-WRT at home for my PPTP server, and it appears that there is a pretty good wiki on the subject. I would Google “openvpn server” and whatever kind of device you’re using.
        • You’ll need a dynamic DNS provider, since you’re running this out of your home and your IP will be likely to change. You’ll need to make sure either your server or a machine on your network can run the client. On my PPTP server, the DD-WRT router runs the DDNS client and updates my IP when it changes.

        If I get anything up and running (it likely won’t be anytime soon), I’ll let you know.

        Logan

    16. I got my new MR3020 running as an AP with a wired uplink following these instructions. Before installing OpenVPN, I looked at the link in the posting by Ben in January to set up a wireless uplink since what I’m really trying to get to is an OpenVPN client between a WLAN and a WWAN.

      Not having noted the caution about possibly first bridging back the wired interface, I rebooted the router and it neither broadcast a WLAN SSID nor would it give me an IP address when connected to the wired port.

      I went into failsafe mode and got it back to the OpenWRT “factory state” and will have to do some more research into WLAN to WWAN routing.

      Thanks.

    17. I managed to figure out how to get WLAN to WWAN routing working through LuCI though the setup has to be redone every time I change the WWAN.

      Logan, I’m wondering if I can use your VPN instructions even though eth0 is still bridged to “lan”. Also, I call my uplink interface WWAN and not WAN, but it does not look like this interface is referenced in your scripts.

      Pete S., if I understand your setup correctly, you connect to an unknown wireless network using the switch in AP mode first, then establish a connection, including possibly responding to the ISP’s portal. Do you then have to reboot with the switch in WISP or 3G mode? I am a bit mystified as to the magic that occurs with eth0 being on both the WAN and LAN sides and somehow doing the right thing depending on what it is plugged into.

      Would you be willing to share your files/scripts?

      Thanks.

      • Unmesh –

        I’d be happy to share the files with you. Logan has a copy of my scripts, and hopefully he can provide a convenient means of sharing them. If not, I’ll try posting them here or we can figure out another way.

        In the meantime, to answer your question (based on how I’ve set things up in my scripts):

        If I’m in a new location, I set the switch on AP mode before powering up the device. This clears the previous wifi client connection config so that the wifi will come up as an AP. From there, use one of your client devices (phone, tablet, or computer) to connect to the MR3020’s network and navigate to the wifi config page. You’ll be able to enter the SSID and security for the network that you want the MR3020 to attach to. Once you click apply, the wifi connection will drop for a moment while it connects to the desired network, and then everything should be up and running. You do not need to restart the router at this point, but keep in mind that the next time you restart, you will need to repeat this process if the switch is still in AP mode. The other 2 modes will effectively save the configuration you’ve set, but remember that you will not be able to connect to wifi at all if the network you set up in AP mode is not available. That is why I made the ‘safe config’ and tied it to the switch in AP mode.

        As far as the eth0 question — I’m actually not convinced that it works as I had originally planned. I think that it is only working by default as a WAN port, despite the fact that I assigned 2 configurations to the physical port (this is theoretically possible to do, but either I didn’t do it correctly or it might not work with this hardware). My original plan was to have it behave as a WAN port (request a DHCP lease, treat all traffic on this config as WAN (from a firewall perspective)) AND I wanted it to work as a LAN port (it has a static IP address that I can use to communicate with the device and I can set it as the default gateway for LAN traffic; the DHCP server is turned off so that it doesn’t conflict with DHCP servers that might be present on the wired network – a concern if you are using it as a WAN port — this means that all devices on the wired-client side would need to be manually configured with static IPs). But, it seems that the LAN configuration gets ‘back-burnered’ for whatever reason — if I connect via wifi and click the ‘connect’ button in that interface, it springs to life, otherwise it does not respond. So the magic here is not working, but maybe someone will figure out why and suggest a better way of doing this. For now, it is really a WAN port without user interaction, and it would not be hard to make it a LAN port instead.

        Hope this answers your questions. Let me know if I can help you more.

    18. Thank you, Logan Marchione!

      With the help of your article I configured my Asus RT-n13 B1 to establish an openvpn connection to my VSP server! Really clear and step-by-step guide for newbies! I killed my whole day before, reading “official” open-wrt manuals, but my connection was not successful.
      Reading your article took about 30 minutes and everything works as I need!

    19. Hi Logan,

      Great guide but I have some challenges getting it to work in my 703n. Hoping you can give me some guidance. Using it as a travel router, I have 2 wireless adapters (1 usb, 1 built in) where one connects to a hotspot and the other is an AP. pptp works fine. I can implement the above but I am struggling to get it to reroute traffic through the VPN (once connected, it just reports my ISP’s IP). Also, I find that my vpn reconnects regularly which requires me to reconnect my VPN interface again. Since I use a cable to configure, I have not unbridged it.
      In the firewall settings, I took the WAN out of the LAN forwarding so it only forwards to the VPN but then I cannot connect to anything. The tunnel is up, (Init..completed) and I have added the VPN DNS servers.

    20. Hi Logan,

      I came across your post today, and this is more or less precisely what I have been searching for, namely a router that I could plug in to our Spanish holiday house, and gain access to my home router and watch Netflix/Viaplay/local TV wirelessly without those silly georestrictions.

      However, you are focusing on setting up the router to be used locally, but what about setting up the home router with OpenVPN server? As far as what I have read so far this is quite a mess with certificate keys, but your connection to – PIA in your simplified example – seems to jump over this. Am I right, or have I missed something in your guide?

      • Mogens,

        This was already asked in a previous comment here.

        You are correct in that I’m only configuring an OpenVPN client. In my case, PIA is the OpenVPN server I’m connecting to. However, PIA doesn’t use certificates for authentication, only username/password.

        If you wanted, you could set up an OpenVPN server on a home machine and use that instead of PIA. I’m going to assume that since it’s a router, you’ll be using some flavor of *Wrt (e.g., OpenWrt, DD-WRT, etc…). Unfortunately, the official wikis for this process are usually outdated. Your best bet is to Google “openvpn server openwrt”. As I mentioned in my comment, you’ll also need to set up port forwarding to your OpenVPN server (if you’re behind a modem) and you’ll need a dynamic DNS entry, since your ISP will usually change your IP address on a regular basis.

        As far as certificates go, they’re not too messy to set up. The only catch is, if you want to use a new device, the certificate has to be on that device prior to you connecting. On your OpenVPN server, you’d generate a certificate for your OpenVPN client, then move the certificate to the client and specify the certificate path in your OpenVPN client config file.

        Let me know if you have any questions.

    21. In BARRIER BREAKER (14.07, r42625) it’s also possible to use the vanilla /etc/init.d/openvpn init script to start the VPN during boot and put the PIA config into /etc/config/openvpn.
      But first, one fix has to be done in the /etc/init.d/openvpn script: just move the “comp_lzo” param to another place. Details here –
      // ————————————————————————————————————–
      Second, modify your “/etc/config/openvpn”. Here is my config:

      package openvpn

      #################################################
      # Include a custom config file. #
      #################################################
      #config openvpn provider
      # option enabled 1
      # option config '/etc/openvpn/provider/config.ovpn'
      config openvpn provider
      option enabled 1
      option client 1
      option dev tun
      option proto udp
      option log '/huge_logs/openvpn-pia.log'
      option verb 3
      option ca '/etc/openvpn/pia/auth/ca.crt'
      option remote_cert_tls server
      option auth_user_pass /etc/openvpn/pia/auth/user
      option comp_lzo 1
      option persist_key 1
      option persist_tun 1
      option reneg_sec 0
      option tls_client 1
      option nobind 1
      option resolv_retry infinite
      option crl_verify '/etc/openvpn/pia/auth/crl.pem'
      option remote '104.238.169.122 1194'
      #option remote 'uk-london.privateinternetaccess.com 1194'
      // ————————————————————————————————————–
      Third, enable the script launching on boot:
      # /etc/init.d/openvpn enable

      Not required to reboot to check if it works:
      # /etc/init.d/openvpn start

    22. Very nice article. Is there a way via a firewall rule or network configuration to authorize internet access to wireless clients only over a VPN tunnel ?
      At the moment, if the tunnel is down then the wireless clients can still get online. Since I want this box to be a VPN-only AP, it would be safer to not have any internet access if the VPN tunnel is not established. Thanks

      • Alphazo,

        Yes. OpenVPN has the --up and --down commands. You could write a script for each so when the VPN tunnel goes up/down, the script adds/removes static routes. If the tunnel is down, you could have it deny/drop all traffic.

        Logan

        • Thanks for the suggestion. I thought it was just a matter of adding the right firewall table so the clients connected to the wireless AP are permanently denied from accessing the internet except through the VPN tunnel. The up/down script seems risky.

          • Solution was pretty straightforward. I only had to clear the WAN:wan box in the “Allow forward to destination zones” found in the lan zone configuration and my wireless clients could only go to the internet through the VPN tunnel (if open). They also lost access to the local network as well. While this can be good in some cases, it can also be enabled back by adding a simple firewall rule to allow such traffic.
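The forwarding-only-into-the-tunnel setup Alphazo arrived at, written out as a /etc/config/firewall fragment. This is an added example, not configuration from the post; it assumes the OpenVPN interface is a UCI interface named vpn on tun0 (the VPN zone the guide asks for), that wan is the wired upstream, and that the upstream network clients still want to reach is 192.168.0.0/24 (a placeholder).

```uci
config zone
	option name		'lan'
	option network		'lan'
	option input		'ACCEPT'
	option output		'ACCEPT'
	option forward		'ACCEPT'

# The router itself must still reach the OpenVPN server over wan,
# so output stays ACCEPT; only forwarding from lan is withheld.
config zone
	option name		'wan'
	option network		'wan'
	option input		'REJECT'
	option output		'ACCEPT'
	option forward		'REJECT'
	option masq		'1'
	option mtu_fix		'1'

# Assumption: interface 'vpn' (proto none) bound to tun0.
config zone
	option name		'vpn'
	option network		'vpn'
	option input		'REJECT'
	option output		'ACCEPT'
	option forward		'REJECT'
	option masq		'1'
	option mtu_fix		'1'

# lan may only be forwarded into the tunnel. There is deliberately no
# 'config forwarding' from lan to wan, so when tun0 is down (and the
# default route OpenVPN pushed with it is gone) clients get nothing.
config forwarding
	option src		'lan'
	option dest		'vpn'

# Optional: give clients the upstream (wired) network back without
# opening the rest of the internet. 192.168.0.0/24 is a placeholder.
config rule
	option name		'lan-to-upstream-lan'
	option src		'lan'
	option dest		'wan'
	option dest_ip		'192.168.0.0/24'
	option target		'ACCEPT'
```

Only forwarded client traffic is blocked by this: the router's own processes, including dnsmasq's upstream DNS queries, still leave through the wan zone, so if DNS leakage matters, point the router's upstream resolvers at the VPN provider's DNS servers.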

    23. I use the /etc/init.d/openvpn init script to start VPN during boot and it is working fine. However my VPN tunnel gets disconnected from time to time and I manually have to restart it through the GUI or terminal. Is there a way to automatically reopen the tunnel if it goes down ?

      • I got a much more reliable setup by adding the following cron job from the GUI that checks if the VPN daemon is up every minute

        * * * * * /usr/bin/vpncheck

        And added the following /usr/bin/vpncheck and chmod +x it

        #!/bin/ash
        # Start openvpn if no openvpn process is listed (the grep itself is excluded).
        if ! ps | grep -v grep | grep -q openvpn ; then
            /etc/init.d/openvpn start
        fi

        I also added the following to my vpn client config file in order to reconnect if communication is lost (but daemon still up).
        ping 15
        ping-restart 45
        ping-timer-rem
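A sturdier variant of the vpncheck cron script above, added here as an example and not the commenter's code. Beyond the ps|grep test it also requires that the tunnel interface exists, gives a freshly started daemon one cycle to bring it up before restarting, and takes a lock so two overlapping cron runs cannot start two openvpn processes; it assumes the /etc/init.d/openvpn init script used above, "dev tun" (so the interface is tun0), and writable /tmp and /var/lock.

```shell
#!/bin/sh
# Added example (not from the post): /usr/bin/vpncheck for root's crontab,
# run once a minute. Assumes /etc/init.d/openvpn and a "dev tun" config.

OVPN_INIT="/etc/init.d/openvpn"
TUN_IF="${TUN_IF:-tun0}"
NET_SYSFS="${NET_SYSFS:-/sys/class/net}"   # overridable so the checks can be tested off-router
LOCK_DIR="/var/lock/vpncheck"              # mkdir is atomic, so the directory is the lock
STALE_FLAG="/tmp/vpncheck.stale"           # remembers a daemon-without-interface observation

# openvpn_running PS_OUTPUT -> 0 if a genuine openvpn process is listed.
# The grep that produced the listing is excluded, and the name must stand
# alone so that e.g. "openvpn-watchdog" does not count as the daemon.
openvpn_running() {
    printf '%s\n' "$1" | grep -v grep | grep -Eq '(^|[ /])openvpn( |$)'
}

# tun_present SYSFS_ROOT -> 0 if the tunnel interface exists under SYSFS_ROOT
tun_present() {
    [ -d "$1/$TUN_IF" ]
}

# vpn_state PS_OUTPUT SYSFS_ROOT -> prints one of: up, daemon-only, down
vpn_state() {
    if ! openvpn_running "$1"; then
        echo down
    elif ! tun_present "$2"; then
        echo daemon-only     # process alive, interface missing: still negotiating or wedged
    else
        echo up
    fi
}

# remediate STATE -> start on "down"; restart on the second consecutive
# "daemon-only" (one is normal right after start-up); nothing on "up".
remediate() {
    case "$1" in
        down)
            rm -f "$STALE_FLAG"
            logger -t vpncheck "openvpn not running, starting it"
            "$OVPN_INIT" start
            ;;
        daemon-only)
            if [ -e "$STALE_FLAG" ]; then
                rm -f "$STALE_FLAG"
                logger -t vpncheck "openvpn up without $TUN_IF for two checks, restarting it"
                "$OVPN_INIT" restart
            else
                touch "$STALE_FLAG"
            fi
            ;;
        up)
            rm -f "$STALE_FLAG"
            ;;
    esac
}

main() {
    mkdir "$LOCK_DIR" 2>/dev/null || exit 0    # a previous run is still busy
    trap 'rmdir "$LOCK_DIR"' EXIT
    remediate "$(vpn_state "$(ps)" "$NET_SYSFS")"
}

# Act only on the router, where the init script exists; elsewhere (for
# instance when the file is loaded for testing) just define the functions.
if [ -x "$OVPN_INIT" ]; then
    main
fi
```

The ping/ping-restart options above still matter: they cover the case where the daemon and tun0 both exist but the far end has stopped answering, which this script cannot see.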

    24. Hello,

      this is really a great tutorial and everything works fine! To be more exact, it’s in my opinion the best tutorial covering OpenVPN on OpenWrt!

      I was able to configure a MR3020 this way and – with some changes – also a WDR4900, both with OpenWrt and your information. Thank you very much!

      There is one question left: Although the device now works great and tunnels all traffic to PIA, I need an additional feature. Incoming traffic on my internet connection on some ports should be forwarded to a server in my LAN. I did the port forwardings in OpenWrt, but it is not working together with the configurations of OpenVPN.
      I did the forwarding rule (for example): Port 80 on WAN forward to Port 80 on LAN, but it’s not working.

      You have any ideas about that? Or am I allowed to post my configs here in the hope, somebody is able to help?

      Thank you!
      Stefan

      • Thanks, glad to hear!

        To be honest, I’m not sure how you would do that. I have it setup to send all traffic over the VPN (which runs over port 1194). If you’re trying to do a port forward, I’m not sure if you need another interface, or need to forward from TUN to LAN. Feel free to post your configs, hopefully someone will be able to answer.

    25. Hi Logan,
      I have tried to format the USB flash drive with MiniTool Partition Wizard, but when I type block info in PuTTY (SSH) it doesn’t show the USB flash drive. Can you help me?

      • Did you format the drive as ext3 or ext4? Do you have the corresponding kmod package (kmod-fs-ext3 or kmod-fs-ext4) installed? Also, what are you seeing when you run block info?

    26. Can I get this done on Skype for 20.00 USD? I have extroot installed and openvpn, but the rest is too much for me. Would really appreciate a quick response; it should take 1 hour to get going. I am computer savvy but networking is not my thing, thanks!

      • I appreciate the offer, but I don’t have the time to invest in one-on-one help. There’s plenty of tutorials online, and my instructions can almost be copy/pasted verbatim.

    27. I have two exceptions. First I have a TP-Link WR740N with a custom-built OpenWRT, and second my VPN provider is ExpressVPN.
      Anyways I followed your tutorial and managed to get VPN working: Initialization Sequence Completed.

      But I think firewall is not rerouting traffic to the VPN:
      RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

        • Matt,

          I don’t see anything glaring in the OpenVPN log. What is custom about your OpenWrt build? But yes, I’d agree that it’s something with your firewall. Do you have the correct firewall zone set for the WAN interface? Also, did you create a firewall zone for your VPN interface?

          Logan

          • I’ve installed Attitude Adjustment 12.09-beta (r33312) using this tutorial ( https://phobosk.wordpress.com/2012/10/21/how-to-turn-your-tp-link-tl-wrt740n-router-into-a-fully-functional-one-using-openwrt/ ), because TP-Link WR740N has limited memory as well and no option for USB.

            I connected LAN to WAN from my ADSL modem and followed your tutorial, except some part about VPN config, since my ExpressVPN uses keys instead of user/pass.

            So now I have VPN working, internet working, but not through the VPN.

            • It could be an issue with your build, but I’m leaning towards a missing firewall rule/zone. Can you post your firewall config?
              cat /etc/config/firewall

              • Hello Logan,

                I’ve bricked my router and restored it as you’ve described 🙂
                So I followed your tutorial once again, but this time I used just SSH and .ovpn file to configure openvpn and it WORKED! Before I used Luci interface.

                I’m still testing, but so far it works flawlessly.

                Thank you! You made it happen 🙂

                P.S. What happens if the modem loses the internet connection or the VPN disconnects for some reason?

                • Good to hear! If you look at the newest post in this series, I have created scripts that run in crontab to check the VPN status. See below…

                  The whole point of this build was to create a connection that is always on and safe for you to use. But, what if the VPN tunnel goes down? You’d still be able to pass traffic, but it would be over the regular internet, not the encrypted VPN connection. There are a couple ways around this, including putting a route in that denies traffic when not on the VPN, as well as setting up alerting scripts to let you know when the tunnel goes down. Here, I’ll be doing the latter.

                  On the OpenVPN 2.3 man page, there are options called --up and --down, which, as they sound, run scripts when the VPN tunnel comes up or goes down. Basically, we’re going to create a script to email us when the tunnel comes up, and another script that will run when the tunnel goes down, but we still have internet access. Obviously, if the tunnel goes down as a result of the router being powered off or the WAN connection dying, the email isn’t going to work. We’re also going to implement a third script that will run out of root’s crontab to check for VPN connection status every 10 minutes.

    28. Hi Logan,

      Firstly….. brilliant brilliant guide, i couldn’t have done it without you.

      I’ve managed to get my MR3020 router to dial up my VPN as you have in your guide, with one exception: I copy all of my keys etc. to the openvpn folder on the router, and then just run the normal OpenVPN file provided by my VPN provider. Anyway, the point is……. If I start OpenVPN via SSH and use….

      openvpn --cd /etc/openvpn --config /etc/openvpn/myvpnconfigfile.ovpn

      everything works fine, all the normal ethernet and wifi lights work as expected and I can remotely reboot the router via LuCI or SSH, but if I then go into LuCI and put the same string in the startup commands window and save it, things go a bit funny.

      After saving the new startup string I reboot the router. It starts the reboot fine, but the WPS button never stops flashing and only the power light is lit; the other lights do nothing. The router appears to power up OK and the VPN works fine, but if I log into LuCI or use SSH and try to reboot the router, nothing happens until I kill the OpenVPN process.

      What’s happening?

      Thank you in advance for any help you can give me.

      Adam

      • Thanks, Adam! Can you cat out the rc.local file?
        cat /etc/rc.local
        So you’re able to log into the router via SSH or LuCI, but you can’t reboot it while the OpenVPN process is running? Are you starting the OpenVPN process as root? When you try to reboot, are you logging in as root and issuing the reboot command as root?

    29. Heey man ^^

      Thanks for this easy tutorial 😀

      Would you have any idea why I lose my internet connection during this setup?
      (modem is still connected with server and router is still connected to pc but i have no internet between modem and router?)

      Hope to hear from you 😀
      -Michel

      • If you have no internet between modem and router, you’ll need to troubleshoot both. Is your modem getting an IP from your ISP? Is your router getting an IP from the modem? At what step in the guide did you lose connection?

    30. Hi Logan, I followed your instructions and it sets up perfectly, but then after a while the VPN connection drops and the internet becomes inaccessible. All I get in the logs is:

      Sun Oct 25 05:23:52 2015 /sbin/ifconfig tun0 10.113.1.6 pointopoint 10.113.1.5 mtu 1500
      Sun Oct 25 05:23:53 2015 Initialization Sequence Completed
      Sun Oct 25 05:31:04 2015 write UDPv4: Operation not permitted (code=1)
      Sun Oct 25 05:31:04 2015 write UDPv4: Operation not permitted (code=1)

      • John,

        After some Google-ing, it looks like it’s related to firewall rules. Can you double-check your setup?

        Logan

    31. Hello. I’ve been using this setup for a while now. It is working great.

      Do you know how to exclude traffic by domain mask “*.nl” or IP-range from the VPN?

      • Glad you’re enjoying it!

        I’m not positive, but I don’t think OpenVPN has that capability. I would think you’d need to use some sort of proxy and route all your OpenVPN traffic through it, then use the proxy server to block domains.

    32. Thanks a lot for the instructions. Got it working with my MR3040. My VPN connection has been quite unstable as the provider kills my connection from their side after a period of inactivity. Is it possible to get the router to reconnect to the VPN server automatically when the connection is dropped? Thanks

    33. Hi
      Is there an easy way to disable VPN connection for one of the LAN devices? I would like all my traffic to go through VPN except for one device of LAN. I guess that it is possible by using iptables but I don’t know the proper command.

    34. Is there a way to split the wifi into 2 vlans, so one could connect to a public wifi and the other would allow clients to connect? Trying to not be constrained to only connecting to wired networks.

      • I’d assume you could make a second interface and have one be tied to the VPN and one not. However, I don’t have a device anymore, so I can’t test yet.

    35. Thank you sooooo much for putting the effort into this! It is fantastic! I have my MR3020 running OpenWRT with basic settings at this point and will be setting up OpenVPN shortly. I read the comments and came across Pete S. mentioning complete scripts for setup including switch-based functions. I did not see where they were posted and was wondering if I can get a copy of those?

      Also I read where you retired your MR3020 – what are you using now?

      • I reached out to Pete to see if he would mind. They’re not my scripts, so I’d like to get his permission first.

        Right now I’m just using an OpenVPN client on my laptop. However, a commenter mentioned a brand called HooToo. Their TM02 seems to be a MR3020 clone that supports OpenWrt. I’d like to pick up one of these in the future.

    36. Logan,

      Would I have to go through the whole extroot procedure if I were to update to Chaos Calmer or will the GUI based firmware update keep everything on the USB stick?

      Thanks.

      • Unmesh,

        Good question. I’m not sure myself, but a quick Google shows it is doable, but apparently you shouldn’t update kernel modules. The OpenWrt wiki seems to confirm this. However, if you go this route, I would most definitely have a backup of your config files, in case you need to rebuild from scratch. I wrote a quick script a while back for backing up OpenWrt.

        Either way, let me know how it goes!
        Logan

        • Logan & Unmesh – FWIW, shortly after it came out, I tried to update to CC. It effectively disabled my extroot and I found that I was not able to re-enable it because the CC install plus the necessary pieces to install (block-mount, kmod-fs-ext4, kmod-usb-storage) required just a tiny bit more space than the MR3020 has (4MB flash). It would be possible to build a CC installer that includes the stuff necessary to get extroot working but LuCI (to save space), but I didn’t try. I just reverted back to BB (and once there, I actually re-installed/re-configured everything else from scratch using the scripts I had made previously).

          If you figure out a good way to upgrade to CC, please share how you did it and if you’ve experienced any issues.

    37. Dear Logan,

      what I would like to achieve is to use the tl-mr3020 as a 4G/LTE router that has the VPN client on it. This way every device connected to it through wifi would be tunneled through that VPN connection. The only problem I see is that if I have to use external flash storage for the router to boot from, the USB port will be occupied by that and I will have no means to connect my 4G/LTE dongle/modem. Any solutions?

      Thanks

        • I suppose an externally powered USB would be the way to go. Do you think that it is possible to use the 4G dongles built-in SD card reader to boot the router from?

          • I don’t even know if you would need an externally powered USB hub, since the USB port may be able to provide enough power (not sure on this). As for your question, I’m not sure. I’d think it would work, but you’d have to test it.

    38. Dear Logan,
      Really appreciate your effort.
      I have TL-WDR4300.
      I have working VPN account with Digital Ocean (without cert in it).
      I have the .ovpn file (works for android and PC version).
      What I would like to achieve is to use the TL-WDR4300 as a router that has the VPN client on it. This way every device connected to it through wifi would be tunneled through that VPN connection. And I want to load my .ovpn file configuration into the WDR4300.

      Would you mind showing me how to do that?!
      Thanks

      • RD,

        I don’t have my MR3020 anymore, so I can’t comment on your setup specifically. However, it should be as simple as downloading the .OVPN file to your WDR4300 (I assume you’re running OpenWrt) and then running OpenVPN with that file called in the command line. My guides pretty much walk you through that setup.

        Logan

    39. Dear Logan,
      Thank you very much for this document. I tried other GUI instructions; they did not work and I spent many days troubleshooting without success. Your instructions worked fine and I could connect to the VPN, except for one part (the firewall rule): when I configured it I did not get access to the internet, so I dropped it. Just for your information, I’m using the PureVPN service.
      Thank you again

    40. Dear Logan, I installed everything correctly. When I log in, LuCI asks for a password; I put in my user and pass and can’t connect. Why does this happen? I can still log in to SSH fine.

      • I haven’t used the MR3020 in quite some time. Are you using the same username/password in the web GUI that you’re using on SSH?
