RT-N66U, how to configure VPN client for IBvpn?

Discussion in 'Asuswrt-Merlin' started by northernpal, Nov 24, 2012.

  1. northernpal

    northernpal New Around Here

    Joined:
    Nov 24, 2012
    Messages:
    1
    Ok, I had IBvpn working on DD-WRT (on WRT54GL) by following the directions provided by IBvpn. Now I would like to get it working on my "Merlin" powered N66U.

    The directions IBvpn gives for setting up on DD-WRT are here:
    http://www.ibvpn.com/billing/knowledgebase/36/DD-WRT-routers-OpenVPN-setup.html

    I will paraphrase them into 3 steps below (hopefully) for convenience:

    1. In Command shell box paste this script and then click "Save Startup"
    --------------
    sleep 5

    mkdir /tmp/ibvpn

    echo "-----BEGIN CERTIFICATE-----
    MIIDeDCCAuGgAwIBAgIJAMVKgpjMPUfxMA0GCSqGSIb3DQEBBQUAMIGFMQswCQYD
    VQQGEwJVUzELMAkGA1UECBMCQ0ExFTATBgNVBAcTDFNhbkZyYW5jaXNjbzEVMBMG
    A1UEChMMRm9ydC1GdW5zdG9uMRgwFgYDVQQDEw9Gb3J0LUZ1bnN0b24gQ0ExITAf
    BgkqhkiG9w0BCQEWEm1lQG15aG9zdC5teWRvbWFpbjAeFw0xMDA3MjExOTU5MzVa
    Fw0yMDA3MTgxOTU5MzVaMIGFMQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExFTAT
    BgNVBAcTDFNhbkZyYW5jaXNjbzEVMBMGA1UEChMMRm9ydC1GdW5zdG9uMRgwFgYD
    VQQDEw9Gb3J0LUZ1bnN0b24gQ0ExITAfBgkqhkiG9w0BCQEWEm1lQG15aG9zdC5t
    eWRvbWFpbjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAz23m3BXY5Asiw8Dx
    T4F6feqsp+pIx6ivftTniyUCbSAxI1J1s1x75DzxmUpIwPu5xavzgPXgZr8FT81X
    JGqF9km4AE95iddJawKx0wNgdTo7GximQq9rw0dsQIB5hZZQ9TJwHC3VOnmEic5A
    OawKOCybMcRs8saLakZOgh7Xc+UCAwEAAaOB7TCB6jAdBgNVHQ4EFgQUeRhE2N4l
    XwL4H1dbjkZ4ou6fj3AwgboGA1UdIwSBsjCBr4AUeRhE2N4lXwL4H1dbjkZ4ou6f
    j3ChgYukgYgwgYUxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEVMBMGA1UEBxMM
    U2FuRnJhbmNpc2NvMRUwEwYDVQQKEwxGb3J0LUZ1bnN0b24xGDAWBgNVBAMTD0Zv
    cnQtRnVuc3RvbiBDQTEhMB8GCSqGSIb3DQEJARYSbWVAbXlob3N0Lm15ZG9tYWlu
    ggkAxUqCmMw9R/EwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQASt0pl
    WzVseQLTNM8Mlgw4ZnGAv/x2xnijmMqrkE+F7pnaOicGpxgCfMKzjZuJu0TNJqF2
    fibE7GhMdomD4dLFgIu8Wb5E7iQ1CSBEOGumRhK8qCsDzjr7WXUdhqA6Xvo+ylU6
    DMzy0Wn3NNvfGC+qxOgybYCJwDnVPi0CEDSbzQ==
    -----END CERTIFICATE-----" > /tmp/ibvpn/ibvpn.com.crt

    echo "#!/bin/sh
    case \"\$1\" in
    up) export action=\"up\" ;;
    down) export action=\"down\" ;;
    *) echo \"No action specified.\" && exit 1 ;;
    esac

    if [ \"\$action\" = \"up\" ]; then
    mv /tmp/resolv.conf /tmp/resolv.conf.bak
    echo \$foreign_option_1 | sed -e 's/dhcp-option DOMAIN/domain/g' -e 's/dhcp-option DNS/nameserver/g' > /tmp/resolv.conf
    echo \$foreign_option_2 | sed -e 's/dhcp-option DOMAIN/domain/g' -e 's/dhcp-option DNS/nameserver/g' >> /tmp/resolv.conf
    echo \$foreign_option_3 | sed -e 's/dhcp-option DOMAIN/domain/g' -e 's/dhcp-option DNS/nameserver/g' >> /tmp/resolv.conf
    iptables --table nat --append POSTROUTING --out-interface \$2 --jump MASQUERADE
    fi

    if [ \"\$action\" = \"down\" ]; then
    mv /tmp/resolv.conf.bak /tmp/resolv.conf
    iptables --table nat --delete POSTROUTING --out-interface \$2 --jump MASQUERADE
    fi" > /tmp/ibvpn/change_resolv_conf.sh

    chmod 755 /tmp/ibvpn/change_resolv_conf.sh

    echo "remote us4.ibvpn.com 1194 udp
    client
    dev tap
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    mute-replay-warnings
    ca /tmp/ibvpn/ibvpn.com.crt
    log-append /tmp/ibvpn/vpn.log
    comp-lzo
    verb 3
    mute 20
    ns-cert-type server
    fragment 1300
    route-method exe
    route-delay 2
    auth-user-pass /tmp/ibvpn/user.conf
    reneg-sec 0
    script-security 3 system
    up \"/tmp/ibvpn/change_resolv_conf.sh up\"
    down \"/tmp/ibvpn/change_resolv_conf.sh down\"" > /tmp/ibvpn/server.ovpn

    echo "#!/bin/sh
    if [ \$(ps | grep openvpn | grep -v grep | wc -l | tr -s \"\n\") -eq 0 ];
    then openvpn --daemon --config /tmp/ibvpn/server.ovpn;
    fi" > /tmp/ibvpn/check_vpn

    chmod 755 /tmp/ibvpn/check_vpn

    echo "#!/bin/sh
    case \$1 in
    \"start\" )
    ntpclient pool.ntp.org
    killall openvpn
    echo \"Launching OpenVPN process\"
    sed -i 's/remote.*/remote '\$2' 1194 udp/g' /tmp/ibvpn/server.ovpn
    openvpn --daemon --config /tmp/ibvpn/server.ovpn
    sleep 10
    if [ \$(route -n | grep '0.0.0.0.*tap' | wc -l) = 2 ]; then
    echo \"VPN ON\"
    else
    echo \"VPN Error\"
    fi
    echo \"* * * * * root /tmp/ibvpn/check_vpn\" > /tmp/crontab
    stopservice cron && startservice cron
    ;;
    \"stop\" )
    echo \"Stoping OpenVPN Process\"
    sed -i 's/.*check_vpn.*//' /tmp/crontab
    stopservice cron && startservice cron
    killall openvpn
    ;;
    esac
    return 0" > /tmp/ibvpn/vpn

    chmod 755 /tmp/ibvpn/vpn

    echo "My-Email-Address@gmail.com
    VPNPassword" > /tmp/ibvpn/user.conf

    -------------

    2. On the Setup, Basic Setup tab, on the Network Address Server Settings (DHCP), change the Static DNS 1 and Static DNS 2 to 8.8.8.8 and 8.8.4.4

    3. On the Security page, select Firewall tab and make sure "SPI Firewall" is Disabled.

    When you want to start the vpn connection you just paste
    "/tmp/ibvpn/vpn start aaa.bbb.ccc.ddd" (replace aaa.bbb.ccc.ddd with the server IP you want to connect) into the command shell and click "Run Commands".

    When you want to start the vpn connection you just paste
    "/tmp/ibvpn/vpn stop" into the command shell and click "Run Commands".

    ---------------------------------------
    Ok, can anyone offer any help/advice as to how I get the above working in the Merlin VPN client (I actually want it on all the time for all hardwired and wireless traffic).

    Thanks to anyone who can offer some insights into how to accomplish this.
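
The `change_resolv_conf.sh` handler in the post above writes whatever arrives in `foreign_option_1` to `foreign_option_3` into `/tmp/resolv.conf`, even when a value is empty or malformed. As an added example (not part of the original post or IBvpn's instructions), this variant accepts only well-formed `dhcp-option DNS` and `dhcp-option DOMAIN` values and keeps the existing resolver file unless at least one valid nameserver remains. The function names and sample values are assumptions made for illustration.

```shell
# Added example: validate pushed options before they reach resolv.conf.
is_ipv4() {
    case "$1" in *[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

is_hostname() {
    case "$1" in ""|*[!A-Za-z0-9.-]*|.*|-*|*..*) return 1 ;; esac
}

# Print one resolv.conf line for a well-formed option, else return 1.
resolv_line() {
    set -f; set -- $1; set +f          # split on whitespace, no globbing
    [ "$#" -eq 3 ] && [ "$1" = "dhcp-option" ] || return 1
    case "$2" in
        DNS)    is_ipv4 "$3" && echo "nameserver $3" ;;
        DOMAIN) is_hostname "$3" && echo "domain $3" ;;
        *)      return 1 ;;
    esac
}

# Walk foreign_option_1..N as exported by OpenVPN; emit only valid lines.
build_resolv_conf() {
    n=1
    while eval "opt=\${foreign_option_$n-}" && [ -n "$opt" ]; do
        resolv_line "$opt" || echo "skipped foreign_option_$n" >&2
        n=$((n + 1))
    done
}

# Replace the resolver file only if at least one nameserver survived.
apply_resolv_conf() {
    build_resolv_conf > "$1.new"
    if grep -q '^nameserver ' "$1.new"; then
        cp "$1" "$1.bak" 2>/dev/null; mv "$1.new" "$1"
    else
        rm -f "$1.new"; return 1
    fi
}

# Constructed sample values (not captured from a real server).
foreign_option_1='dhcp-option DNS 10.8.0.1'
foreign_option_2='dhcp-option DNS 999.1.1.1'
foreign_option_3='dhcp-option DOMAIN vpn.example'
build_resolv_conf 2>/dev/null
```

In an `up` script this would be called as `apply_resolv_conf /tmp/resolv.conf`; the `down` branch can restore `/tmp/resolv.conf.bak` as the original script does.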
     

  3. RMerlin

    RMerlin Part of the Furniture

    Joined:
    Apr 14, 2012
    Messages:
    13,033
    Location:
    Canada
    That howto is way too complicated - it pretty much has you do everything manually.

    Rather, look at this tutorial aimed at Tomato, since Asuswrt-Merlin's OpenVPN is directly based off Tomato's OpenVPN. A lot of things can be configured on the webui.

    http://tomatousb.org/tut:openvpn-via-password-authentication
     
  4. marcmkkoy

    marcmkkoy New Around Here

    Joined:
    Jan 1, 2013
    Messages:
    1
    TomatoUSB (and Merlin) with ibVPN.com

    I would recommend TomatoUSB. I can't get Merlin installed on my N66U so I went with Tomato. DD-WRT would also not load. I'm having great success on TomatoUSB. It took a couple of days of trial and error with DD-WRT, Merlin, TomatoUSB.... to get connected to ibVPN but now it is working like a dream.

    Here are the steps I followed. The thing about TomatoUSB is that it uses a /jffs partition. I'm not sure if Merlin does, but with Putty and SSH into the command window this went very quickly:

    How to use Asus RT-N66u with OpenVPN on TomatoUSB for ibVPN.com
    Despite what the below post says, I could not get it to load with DD-WRT.

    With a new router, upgrade to TomatoUSB following the instructions here:
    http://www.dd-wrt.com/phpBB2/viewtopic.php?t=153609&postdays=0&postorder=asc&start=60

    I used this version of TomatoUSB
    tomato-K26USB-1.28.RT-N5x-MIPSR2-097-Tor-VPN-64K.trx
    Downloaded from here:
    http://tomato.groov.pl/download/K26...K26USB-1.28.RT-N5x-MIPSR2-097-Tor-VPN-64K.trx


    Basic Instructions:
    - Use a static IP address. 192.168.1.12 for example.
    - From the latest Asus Firmware installed on your router: Upgrade CFE 1.0.3!!! TO BE DONE ONLY ONCE... NO WAY BACK!!!

    Step #1:

    - Reset NVRAM: just press the WPS button 5 seconds while your router boots. (yep no need to do the 30/30/30 old trick...). Then wait till the router reboots.
    - Put the router in recovery mode: Press the reset button 10 seconds while your router boots.
    - Go to http://192.168.1.1/
    - Now that you have access to the http://192.168.1.1/ page restore to RT-N66U_3.0.0.4_260.trx (this step is not required, but just in case... follow it).
    - Put the router in recovery mode: Press the reset button 10 seconds while your router boots.
    - Go to http://192.168.1.1/ and restore to tomato-K26USB-1.28.RT-N5x-MIPSR2-097-Tor-VPN-64K.trx.

    NOW WAIT FOR THIS MESSAGE:

    Receive file size=8081473
    Upload completed. System is going to reboot.
    Please wait a few moments.

    The power button will stop blinking when the upload is finished... Then you need to wait till the router reboots by itself... between 3 and 10 minutes. Just in case you don't want to wait staring at the router's LEDs: ping 192.168.1.1, if you get a reply then the router has rebooted and is up and running.

    Once the router has rebooted, it will have some more configuration work to do, so be patient.

    The router will then reboot once again (all leds will flash at the same time), this time the WiFi leds (2.4Ghz and 5Ghz) will be on... and if you scan your WiFi network you'll see Tomato24 and Tomato50 access points.

    Step #2:

    - Go to Tomato admin panel.
    - Verify that we have 64KB of NVRAM:

    Status -> Overview :
    Total / Free NVRAM: 64.00 KB / 22.36 KB (34.94%)

    This is where I finally stopped since upgrading to DD-WRT would not work, so I stuck with TomatoUSB.

    TomatoUSB will work with OpenVPN and ibVPN.com service.

    Once logged into the administration panel, go to Administration>JFFS
    Considering your local subnet is 192.168.1.1 you should be able to click on these URLs to bring up the pages.
    If you're on a different subnet then append the url with your IP.

    http://192.168.1.1/admin-jffs2.asp

    Check "Enable" and then "Format/Erase".
    Wait for the partition to format.

    You're going to need an SSH client like Putty to get to the router's config.
    The admin login is root.
    The admin password is whatever you set it to in the TomatoUSB config.
    http://192.168.1.1/admin-access.asp

    Make sure you have the SSH Daemon running with "Allow Password Login" checked.

    Open Putty and SSH to your router's IP.
    Login with root/password.

    Type or copy/paste these commands into the Putty terminal window in the following order. They will create the necessary files in the necessary locations:

    Command: cd /jffs

    Command: mkdir etc

    Command: mkdir /jffs/etc/openvpn

    Command: chmod 777 /jffs/etc

    Command: chmod 777 /jffs/etc/openvpn

    Command: cd /jffs/etc/openvpn

    Command: echo "-----BEGIN CERTIFICATE-----
    MIIDeDCCAuGgAwIBAgIJAMVKgpjMPUfxMA0GCSqGSIb3DQEBBQUAMIGFMQswCQYD
    VQQGEwJVUzELMAkGA1UECBMCQ0ExFTATBgNVBAcTDFNhbkZyYW5jaXNjbzEVMBMG
    A1UEChMMRm9ydC1GdW5zdG9uMRgwFgYDVQQDEw9Gb3J0LUZ1bnN0b24gQ0ExITAf
    BgkqhkiG9w0BCQEWEm1lQG15aG9zdC5teWRvbWFpbjAeFw0xMDA3MjExOTU5MzVa
    Fw0yMDA3MTgxOTU5MzVaMIGFMQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExFTAT
    BgNVBAcTDFNhbkZyYW5jaXNjbzEVMBMGA1UEChMMRm9ydC1GdW5zdG9uMRgwFgYD
    VQQDEw9Gb3J0LUZ1bnN0b24gQ0ExITAfBgkqhkiG9w0BCQEWEm1lQG15aG9zdC5t
    eWRvbWFpbjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAz23m3BXY5Asiw8Dx
    T4F6feqsp+pIx6ivftTniyUCbSAxI1J1s1x75DzxmUpIwPu5xavzgPXgZr8FT81X
    JGqF9km4AE95iddJawKx0wNgdTo7GximQq9rw0dsQIB5hZZQ9TJwHC3VOnmEic5A
    OawKOCybMcRs8saLakZOgh7Xc+UCAwEAAaOB7TCB6jAdBgNVHQ4EFgQUeRhE2N4l
    XwL4H1dbjkZ4ou6fj3AwgboGA1UdIwSBsjCBr4AUeRhE2N4lXwL4H1dbjkZ4ou6f
    j3ChgYukgYgwgYUxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEVMBMGA1UEBxMM
    U2FuRnJhbmNpc2NvMRUwEwYDVQQKEwxGb3J0LUZ1bnN0b24xGDAWBgNVBAMTD0Zv
    cnQtRnVuc3RvbiBDQTEhMB8GCSqGSIb3DQEJARYSbWVAbXlob3N0Lm15ZG9tYWlu
    ggkAxUqCmMw9R/EwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQASt0pl
    WzVseQLTNM8Mlgw4ZnGAv/x2xnijmMqrkE+F7pnaOicGpxgCfMKzjZuJu0TNJqF2
    fibE7GhMdomD4dLFgIu8Wb5E7iQ1CSBEOGumRhK8qCsDzjr7WXUdhqA6Xvo+ylU6
    DMzy0Wn3NNvfGC+qxOgybYCJwDnVPi0CEDSbzQ==
    -----END CERTIFICATE-----" > /jffs/etc/openvpn/ibvpn.com.crt

    Command: echo "#!/bin/sh
    # Usage: route.sh up|down <table> <subnet>...
    [ \"\$1\" = \"up\" -o \"\$1\" = \"down\" ] || { echo \"No action specified.\"; exit 1; }
    action=\"\$1\"
    shift
    [ -z \"\$1\" ] && echo \"Failed to specify table.\" && exit 1
    table=\"\$1\"
    shift
    [ -z \"\$1\" ] && echo \"Failed to specify subnet.\" && exit 1
    # Rebuild the policy table from the local routes, then add its default route
    ip route flush table \$table
    for i in '^127\.' '^172\.31\.' '^192\.168\.'
    do
    ip route add \$(ip route list|grep \"\$i\") table \$table 2>>/dev/null
    done
    [ \"\$action\" = \"down\" ] && ip route add default via \$route_net_gateway table \$table
    [ \"\$action\" = \"up\" ] && ip route add default via \$route_vpn_gateway dev \$dev table \$table
    # Apply the table to each listed subnet only while the tunnel is up
    for subnet in \$*
    do
    ip rule del from \$subnet table \$table 2>>/dev/null
    [ \"\$action\" != \"up\" ] || ip rule add from \$subnet table \$table
    done" > /jffs/etc/openvpn/route.sh

    Command: chmod ugo+rx /jffs/etc/openvpn/route.sh

    Command: chmod +x /jffs/etc/openvpn/route.sh
    This may seem redundant, but for some reason my first command did not work and I had connection issues. I had to make sure the file is executable so it does not hurt to type this command to make sure it is set properly.

    Command: echo "<USERNAME>" > /jffs/etc/openvpn/auth1.txt

    Command: echo "<PASSWORD>" >> /jffs/etc/openvpn/auth1.txt

    Command: chmod 600 /jffs/etc/openvpn/auth1.txt

    Note: That <USERNAME> should be your actual username. For ibVPN <USERNAME> is your e-mail address. <PASSWORD> should be your actual password.

    Now, go to the administration panel in TomatoUSB under VPN Tunneling>OpenVPN Client
    http://192.168.1.1/vpn-client.asp

    Click "Client 1"
    Go to "Basic" tab.

    Follow these settings:
    Start with Wan: not checked
    Interface Type: TAP
    Protocol: UDP
    Server Address/Port: 172.234.43.202 1194 - This should be the server you want to connect to from the list here: (Use one of the listed IP addresses)
    http://www.ibvpn.com/billing/knowledgebase.php?action=displayarticle&id=4

    Firewall: Automatic
    Authorization Mode: TLS
    Extra HMAC authorization (tls-auth): Disabled
    Service is on the same subnet: not checked
    Create NAT on tunnel: checked

    Go to the "Advanced" tab.
    Follow these settings:
    Redirect Internet traffic: unchecked
    Accept DNS configuration: Disabled
    Encryption cipher: Use Default
    Compression: Adaptive
    TLS Renegotiation Time: -1
    Connection retry: 30

    There is a box for "Custom Configuration".
    Copy/paste the following into this box, substituting the 192.168.1.0/24 with your subnet.

    script-security 3 system
    ca /jffs/etc/openvpn/ibvpn.com.crt
    verb 3
    mute 20
    ns-cert-type server
    fragment 1300
    route-noexec
    route-delay 2
    redirect-private
    auth-user-pass /jffs/etc/openvpn/auth1.txt
    auth-nocache
    reneg-sec 0
    route-up "/jffs/etc/openvpn/route.sh up 1 192.168.1.0/24"
    down "/jffs/etc/openvpn/route.sh down 1 192.168.1.0/24"

    You should now be able to click the "Start Now" button and have your router connect to the VPN server.
    Go to
    http://www.ibvpn.com/
    and see your ip address and location from the one you selected and entered in the Server Address/Port.
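
An added example, not part of the original post: the same file layout created with full `/jffs/etc/openvpn`-style paths and without world-writable modes, plus an audit that flags anything group- or world-writable and any credentials file readable by other users. With `chmod 777` on the directory, any local account can replace `route.sh`, which OpenVPN then runs. The function names and the scratch directory are assumptions; on the router the base directory would be `/jffs/etc/openvpn`.

```shell
#!/bin/sh
# Added example: create the OpenVPN file layout with tight modes, then audit it.

# setup_vpn_dir BASE USER PASS -- BASE would be /jffs/etc/openvpn on the router.
setup_vpn_dir() {
    mkdir -p "$1" || return 1          # full path: parents are created too
    chmod 755 "$1"                     # writable by the owner only
    (
        umask 077                      # file is never readable by others
        printf '%s\n%s\n' "$2" "$3" > "$1/auth1.txt"
    ) || return 1
    chmod 600 "$1/auth1.txt"
}

# audit_vpn_dir BASE -- print findings, return the number found.
audit_vpn_dir() {
    findings=0
    for path in "$1" "$1"/*; do
        [ -e "$path" ] || continue
        mode=$(ls -ld "$path" | cut -c1-10)
        case "$mode" in
            ?????w????|????????w?)     # group or other write bit set
                echo "WRITABLE $mode $path"; findings=$((findings + 1)) ;;
        esac
        case "$path" in
            */auth*.txt)               # credentials: no group/other access
                case "$mode" in
                    ????------) ;;
                    *) echo "EXPOSED $mode $path"; findings=$((findings + 1)) ;;
                esac ;;
        esac
    done
    return "$findings"
}

# Demo in a scratch directory (constructed values, not real credentials).
scratch=$(mktemp -d)
setup_vpn_dir "$scratch/etc/openvpn" "user@example.com" "example-password"
audit_vpn_dir "$scratch/etc/openvpn" && echo "clean"
chmod 777 "$scratch/etc/openvpn"       # the mode used in the post
audit_vpn_dir "$scratch/etc/openvpn" || echo "findings: $?"
rm -rf "$scratch"
```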
     
  5. maddawg

    maddawg New Around Here

    Joined:
    Jan 29, 2013
    Messages:
    2
    Running tomato-K26USB-1.28.RT-N5x-MIPSR2-105-AIO-64K.trx. Tried following the instruction but getting an error when I run the command: chmod 777 /jffs/etc/openvpn. Error states: chmod: /jffs/etc/openvpn: No such file or directory. Any help would be appreciated.
     
  6. maddawg

    maddawg New Around Here

    Joined:
    Jan 29, 2013
    Messages:
    2
    Looks like this kicked my butt....time to get a refund and find another vpn provider that's easier to setup with merlin/tomato.
     
