Raspberry Pi OpenWRT (LEDE fork - ROOter build) PIA OpenVPN Client

bnhf

Regular Contributor
Background

Believe it or not the Raspberry Pi can be a pretty nifty little router. Not so much as a single all-in-one solution like the typical residential router, but more as part of a routing solution combined with one or more WAPs and gigabit ethernet switches. It runs a forked version of OpenWRT called LEDE, and for this guide, a build from a group of Canadians and Australians called ROOter that focuses on being ready-to-deploy with strong support for USB cellular modems.

I've had to tweak things a bit though to get the OpenVPN Client support configured for ease of use with Private Internet Access (PIA), so I'm documenting that here. This could be a good solution too, for anyone that has an existing router that doesn't have either cellular modem or VPN Client support built-in. That router could become an AP and the Raspberry Pi the new router.

I'm assuming here that you're familiar with Raspberry Pi basics and that you know how to flash an SD card with a distro image. Here's the page for "Of Modems and Men" where you can find the ROOter downloads for your particular RPi:

https://ofmodemsandmen.com/downloadsp.html

Flash your SD card, boot, and configure the router basics (not covered here). You'll want a PC based file management and editing tool like WinSCP (use with WINE on Mac) to make moving and editing files as easy as possible. WinSCP treats your ROOter file system much like Windows File Explorer. You can browse the ROOter file system and perform all of the usual file management and creation.

Disable OpenVPN Respawn Daemon

The first tweak I'm recommending is to stop OpenVPN from respawning when you kill the process. It's OK for those that want a full-time VPN that starts at boot -- but for those that want to start and stop client instances, respawn makes them impossible to kill.

Navigate to /etc/init.d and open "openvpn" with your WinSCP editor. Look for these four lines to comment out by adding a "#" at the beginning of the line and save your changes.

Code:
#    procd_set_param respawn
#    procd_append_param respawn 3600
#    procd_append_param respawn 5
#    procd_append_param respawn -1

Create Private Internet Access OpenVPN Recipe (Template)

Navigate to /etc/config and open "openvpn_recipes". Add these lines to the end of the file to create a new PIA template in the ROOter LuCI GUI for new OpenVPN Client instances:

Code:
#
# Private Internet Access Client
#
config openvpn_recipe pia_client_tun
    option _description "Client configuration for Private Internet Access"
    option _role "client"
    option client "1"
    option dev "tun"
    option proto "udp"
    list remote "us-example.privateinternetaccess.com"
    option port "1198"
    option resolv_retry "infinite"
    option nobind "1"
    option persist_key "1"
    option persist_tun "1"
    option cipher "aes-128-cbc"
    option auth "sha1"
    option tls_client "1"
    option remote_cert_tls "server"
    option auth_user_pass "/etc/openvpn/pia_userpass.txt"
    option comp_lzo "yes"
    option verb "1"
    option reneg_sec "0"
    option crl_verify "/etc/openvpn/crl.rsa.2048.pem"
    option ca "/etc/openvpn/ca.rsa.2048.crt"
    option disable_occ "1"

Download PIA OpenVPN Keys and Certificates

If you don't already have the latest PIA OpenVPN settings files and certificates, get them from here. The above template is for the (DEFAULT) version, so download that to your PC.

https://helpdesk.privateinternetacc...een-the-OpenVPN-config-files-on-your-website-

Move Keys to Router and Create Username and Password File

Extract the zip and copy the two keys (.crt and .pem) using WinSCP to /etc/openvpn on your ROOter. While you're in that directory right-click to create a new file named "pia_userpass.txt" (all lower case) with the first line consisting of your PIA username and the second your PIA password. Save the file. Your security keys and password file should now be in the /etc/openvpn directory.

That's it for the work that's needed using WinSCP. From here on we'll be in the ROOter LuCI GUI interface adding your PIA Client instances and starting or stopping them as needed.

Disable OpenVPN Startup Process

Open your browser and navigate to the setup page for your Raspberry Pi ROOter (192.168.1.1 if you didn't change it during setup). Go to System - Startup, scroll down to OpenVPN, and click on "ENABLED" so that it changes to "DISABLED". Earlier we eliminated the OpenVPN respawn daemon, and now we're turning OpenVPN off at startup so that we can start and stop client instances at will.

ROOter Startup Initscripts OpenVPN Disabled.png


Create OpenVPN Client Instances Based on Newly Created PIA Recipe

Next we'll go to Services - OpenVPN and your screen should look like this:

screenshot-192.168.2.1-2017-09-02-21-51-00.png


Type in the name of the client instance you'd like to create (I'm calling mine pia_midwest), select "Client configuration for Private Internet Access" from the dropdown and click "ADD".

On the "Basic Configuration" screen add the name of the PIA VPN server you'd like to connect to in the "Remote" field in place of the example. A list of available servers can be found here:

https://www.privateinternetaccess.com/pages/network/

screenshot-192.168.2.1-2017-09-02-22-02-19.png


(continued on next post)
 

bnhf

Regular Contributor
(continued from previous post)

Create a New Interface and Firewall Zone for VPN

Next stop is the Network - Interfaces page to create a new interface for our VPN. Click the "ADD NEW INTERFACE..." button and on the settings page add an "Unmanaged" interface named "VPN" to cover a new custom interface named tun0.

ROOter VPN and tun0 Interface Creation.png


Click "SUBMIT" and on the following page click the "Firewall Settings" tab and create a new firewall zone also called VPN. Click "SAVE & APPLY" to add the new interfaces and new firewall zone.

ROOter VPN Firewall Zone Creation.png


Configure the VPN Firewall Zone

Now navigate to the Network - Firewall page and you'll see the newly created zone. Change "Input" and "Forward" to "reject" and "Output" to "accept". Tick the two boxes labeled "Masquerading" and "MSS clamping". Next, click "SAVE" followed by "EDIT" for the VPN firewall zone.

ROOter VPN Firewall Zone Configuration.png


In Firewall - Zone Settings verify that "VPN" is ticked as a "Covered network", and tick the box for "VPN" under "Allow forward from source zones".

ROOter VPN Firewall Zone Settings.png


Modify DNS to Prevent Leaks

To prevent DNS leaks go to the Network - Interfaces page and next to LAN click "EDIT". Scroll down and select the "Advanced Settings" tab under "DHCP Server". Modify the DHCP-Options field to reflect the DNS servers you'd like to use. The correct entry for Google's DNS servers would be "6,8.8.8.8,8.8.4.4". Other options include special DNS servers provided by your VPN service, or the local gateway IP address of the VPN tunnel, which is often in the format 10.x.x.x. Whatever you choose, start with "6," then the IP address of DNS1, followed by another comma and the IP address of DNS2.

screenshot-192.168.45.88-2017-10-12-20-05-25-257.png


(continued on next post)
 

bnhf

Regular Contributor
(continued from previous post)

Enable and Start the OpenVPN Client

Now we can return to Services - OpenVPN and click the "Enable" box and then "SAVE & APPLY" on our VPN client we created a few steps back. And finally to begin running your client instance click the "START" button. If it's working the "START" button will change to "STOP" and you'll see "yes" under "Started" with the Process ID displayed too.

screenshot-192.168.2.1-2017-09-02-21-54-15.png


So that's it! You can create additional OpenVPN client instances using this, or other templates, covering other server locations, encryption, port numbers or whatever.
 

bnhf

Regular Contributor
If your version of OpenWRT/LEDE/ROOter is missing OpenVPN server parameters under "Services – OpenVPN – Edit – Switch to Advanced Configuration – VPN" in the LuCI GUI, you can either update your router (which may fix it), or you need to edit the following script:

/usr/lib/lua/luci/model/cbi/openvpn-advanced.lua

Find all instances of (in the VPN section):

Code:
server_mode="1

And replace with:

Code:
client="0" }, { client="

And, find the line that contains:

Code:
translate("Configure client mode"), { server_mode="0" }, { server_mode="" } },

And replace with:

Code:
translate("Configure client mode") },

If you've brought the file over to a Windows machine with WinSCP, and edited it with something like jEdit, and copied it back — be sure to right click on the script in WinSCP and fix the "Properties" to 0664. In my case, I renamed the original to openvpn-advanced.lua.old before copying the repaired script back.
 

blades

Occasional Visitor
That is what worked for installing openvpn on LEDE 17.01 Linksys WRT160NL and on LEDE snapshot on Asus RT-AC51U (on snapshot there is a kernel module missing, so it never worked, but anyway).
 

sfx2000

Part of the Furniture
Believe it or not the Raspberry Pi can be a pretty nifty little router. Not so much as a single all-in-one solution like the typical residential router, but more as part of a routing solution combined with one or more WAPs and gigabit ethernet switches. It runs a forked version of OpenWRT called LEDE, and for this guide, a build from a group of Canadians and Australians called ROOter that focuses on being ready-to-deploy with strong support for USB cellular modems.

I've been tracking OpenWRT (and ex-LEDE) for quite some time.

Pi3 can be a nice little box - it's bandwidth constrained due to the HW arch itself, but SW wise, it's quite capable - and the OpenWRT team has made Pi a supported platform.
 

Mark Kelly

New Around Here
I am stumped (and I normally can pick things like this)...

I follow instructions here and here
https://www.snbforums.com/threads/o...client-setup-for-various-vpn-providers.41268/

What I am trying to do is setup linksysWRT3200ACM as a VPN router /smart dns.....

Ultimately plan is
1) to have VPN client lists one can choose aka different servers that the three VPN providers I got subscriptions have.
2) To have a VPN server up, so if need be I can connect to the VPN server and control the tv in my mum house using the harmony remote app.
3) Use one of few smart DNS so mum, for example, can watch TV without worrying about VPN when not there.

Anyway I can enclose screenshots but in summary using instructions above, I created a VPN client for windscribe USA EAST.

Now when I click on start next to it, it says "YES" and give a PID JOB. But if refresh the page it says NO. If go to say myipaddress.com the IP address still shows my ISP IP not the VPN.

Can anyone help please?
 

bnhf

Regular Contributor
Now when I click on start next to it, it says "YES" and give a PID JOB. But if refresh the page it says NO. If go to say myipaddress.com the IP address still shows my ISP IP not the VPN.

Most of the instructions in these posts of mine are no longer required with the latest version of ROOter. I worked with the guys there to get the fixes and "recipes" for popular VPN services incorporated into the release.

That being said, given that the process starts but quickly ends, you're going to want to check the System Log to see what's going on. Feel free to post relevant snippets of the log here and we'll help you figure out what's happening. A screenshot or two from the Services - OpenVPN page would probably help as well.
 

Mark Kelly

New Around Here
Is there a firmware for Rooter on the linksys WRT3200ACM?

Got the PID job staying on and think found the source, it is something to do in the VPN. wife waiting in car now, but here is the VPN LOG


Wed May 9 16:16:20 2018 OpenVPN 2.4.5 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Wed May 9 16:16:20 2018 library versions: OpenSSL 1.0.2o 27 Mar 2018, LZO 2.10
Wed May 9 16:16:20 2018 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed May 9 16:16:20 2018 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed May 9 16:16:20 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]207.189.2.3:443
Wed May 9 16:16:20 2018 Socket Buffers: R=[163840->163840] S=[163840->163840]
Wed May 9 16:16:20 2018 UDP link local: (not bound)
Wed May 9 16:16:20 2018 UDP link remote: [AF_INET]207.189.2.3:443
Wed May 9 16:17:20 2018 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed May 9 16:17:20 2018 TLS Error: TLS handshake failed
Wed May 9 16:17:20 2018 SIGTERM[soft,tls-error] received, process exiting

Will post the scripts etc tomorrow
 

bnhf

Regular Contributor
Is there a firmware for Rooter on the linksys WRT3200ACM?

Got the PID job staying on and think found the source, it is something to do in the VPN. wife waiting in car now, but here is the VPN LOG

In case you missed it, this thread and the one you used for setting up OpenVPN, are both using ROOter (which is a special build of OpenWRT/LEDE oriented towards cellular modem users). I take it you're using vanilla OpenWRT/LEDE, rather than ROOter. The instructions would be mostly the same, but there are likely some differences. However, for the most recent version of ROOter these instructions would no longer apply.

Based on your log, it appears you're not making a connection to the Windscribe server. Lots of possibilities here, including an incorrect URL or IP address for the server. Are you able to post the OpenVPN config file you're using?
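
The last "process exiting" line of an OpenVPN client log names the exit reason, which is the quickest pointer to what to check next. The script below is an added example, not part of the original posts: it pulls that reason and any option-mismatch warnings out of a log, and goes beyond the tls-error case discussed here to cover auth-failure as well. The function names are illustrative and the sample log is constructed.

```shell
#!/bin/sh
# Added example: summarise why an OpenVPN client exited, from its log file.

# Constructed sample log (documentation IP address, made-up server name).
sample_log() {
cat <<'EOF'
Wed May 23 10:21:43 2018 UDP link remote: [AF_INET]192.0.2.10:443
Wed May 23 10:21:43 2018 WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher AES-256-GCM'
Wed May 23 10:21:43 2018 WARNING: 'auth' is used inconsistently, local='auth SHA512', remote='auth [null-digest]'
Wed May 23 10:21:43 2018 [server] Peer Connection Initiated with [AF_INET]192.0.2.10:443
Wed May 23 10:21:44 2018 AUTH: Received control message: AUTH_FAILED
Wed May 23 10:21:44 2018 SIGTERM[soft,auth-failure] received, process exiting
EOF
}

# Print a one-line diagnosis for the last exit recorded in log file $1.
openvpn_exit_diagnosis() {
    # The exit line looks like "SIGTERM[soft,<reason>] received, process exiting".
    reason=$(sed -n 's/.*SIG[A-Z0-9]*\[[a-z]*,\([a-z-]*\)] received.*/\1/p' "$1" | tail -n 1)
    case "$reason" in
        tls-error)    echo "tls-error: TLS handshake never completed; check the remote address, port and proto" ;;
        auth-failure) echo "auth-failure: server rejected the login; check the auth_user_pass file" ;;
        "")           echo "none: no exit reason recorded in this log" ;;
        *)            echo "$reason: read the lines just before the exit line" ;;
    esac
}

# List each option the two ends disagree on, taken from the
# "WARNING: '<opt>' is used inconsistently, local='..', remote='..'" lines.
openvpn_option_mismatches() {
    sed -n "s/.*WARNING: '\([^']*\)' is used inconsistently, local='\([^']*\)', remote='\([^']*\)'.*/\1 local=[\2] remote=[\3]/p" "$1" | sort -u
}

# Demo on the constructed sample.
tmp=$(mktemp)
sample_log > "$tmp"
openvpn_exit_diagnosis "$tmp"
openvpn_option_mismatches "$tmp"
rm -f "$tmp"
```

On the router, point both functions at the file named by the instance's "log" option, if one is set.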
 

Mark Kelly

New Around Here
thanx bnhf, before your last post, in morning after reading about rooter night before. I flash the router with rooter firmware. since feel it more suitable for router need now and future.

also like u said feel maybe some subtle difference that causing problem.

anyway tried new rooter, and filled in windscribe details and this time not even starting. was going to post the scripts aka might see for example . in server url for example, but than got busy at work. will look again tomorrow / sat and post update.
 

Mark Kelly

New Around Here
sorry for the long delay, things came up at work and with my mum who I am caring for since father passed away.

heres the openvpn config file


config settings 'settings'
    option country 'CA'
    option city 'Abbotsford'
    option organ 'ROOter'
    option days '3650'

config openvpn 'windscribeUSAeast'
    option nobind '1'
    option port '443'
    option redirect_gateway 'def1'
    option client '1'
    option reneg_sec '432000'
    option comp_lzo 'yes'
    option dev 'tun0'
    option verb '2'
    option cipher 'aes-256-cbc'
    option resolv_retry 'infinite'
    option key_direction '1'
    option remote_cert_tls 'server'
    option tls_client '1'
    option persist_tun '1'
    option proto 'udp'
    option persist_key '1'
    option auth 'sha512'
    list remote 'us-east.windscribe.com'
    option auth_user_pass '/etc/luci-uploads/windscribe/userpass.txt'
    option tls_auth '/etc/luci-uploads/windscribe/ta.key'
    option ca '/etc/luci-uploads/windscribe/ca.crt'
    option enabled '1'
    option log '/var/log/openvpn.log'


log from openvpn log file


Wed May 23 10:21:43 2018 OpenVPN 2.4.3 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Wed May 23 10:21:43 2018 library versions: OpenSSL 1.0.2k 26 Jan 2017, LZO 2.09
Wed May 23 10:21:43 2018 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Wed May 23 10:21:43 2018 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Wed May 23 10:21:43 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]207.189.25.3:443
Wed May 23 10:21:43 2018 UDP link local: (not bound)
Wed May 23 10:21:43 2018 UDP link remote: [AF_INET]207.189.25.3:443
Wed May 23 10:21:43 2018 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Wed May 23 10:21:43 2018 VERIFY OK: depth=1, C=CA, ST=ON, L=Toronto, O=Windscribe Limited, OU=Operations, CN=Windscribe Node CA
Wed May 23 10:21:43 2018 VERIFY KU OK
Wed May 23 10:21:43 2018 Validating certificate extended key usage
Wed May 23 10:21:43 2018 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed May 23 10:21:43 2018 VERIFY EKU OK
Wed May 23 10:21:43 2018 VERIFY OK: depth=0, C=CA, ST=ON, O=Windscribe Limited, OU=Operations, CN=Windscribe Node Server 4096
Wed May 23 10:21:43 2018 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1602', remote='link-mtu 1550'
Wed May 23 10:21:43 2018 WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher AES-256-GCM'
Wed May 23 10:21:43 2018 WARNING: 'auth' is used inconsistently, local='auth SHA512', remote='auth [null-digest]'
Wed May 23 10:21:43 2018 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Wed May 23 10:21:43 2018 [Windscribe Node Server 4096] Peer Connection Initiated with [AF_INET]207.189.25.3:443
Wed May 23 10:21:44 2018 AUTH: Received control message: AUTH_FAILED
Wed May 23 10:21:44 2018 SIGTERM[soft,auth-failure] received, process exiting
 

eibgrad

Part of the Furniture
Your OpenVPN log is indicating that your username/password authentication has failed. And that's either because the file pointed to by the option auth_user_path doesn't exist, or doesn't contain the correct username/password, or perhaps it's not formatted correctly (username and password have to be on separate lines).
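
The file-level causes listed above (file missing, or username and password not on separate lines) can be checked on the router before starting the client. The script below is an added example, not part of the original post: the function name and problem keywords are made up for illustration, the sample files are constructed, and the permission check is an extra hardening step for a file that holds a password in clear text.

```shell
#!/bin/sh
# Added example: sanity-check an OpenVPN auth_user_pass file.

# Print one problem keyword per line for file $1; return 0 only if none found.
check_auth_user_pass() {
    f=$1
    problems=""
    if [ ! -f "$f" ]; then
        echo "missing"
        return 1
    fi
    # Line 1 is the username, line 2 the password; drop CRs left by a Windows editor.
    user=$(sed -n '1p' "$f" | tr -d '\r')
    pass=$(sed -n '2p' "$f" | tr -d '\r')
    [ -n "$user" ] || problems="$problems empty-username"
    # Both values typed on one line shows up here as an empty second line.
    [ -n "$pass" ] || problems="$problems empty-password"
    # Stray blanks around either value are easy to miss in an editor.
    if printf '%s\n%s\n' "$user" "$pass" | grep -Eq '^[[:space:]]|[[:space:]]$'; then
        problems="$problems stray-whitespace"
    fi
    # Characters 5-10 of the ls mode string are the group and other bits.
    perm=$(ls -ld "$f" | cut -c5-10)
    [ "$perm" = "------" ] || problems="$problems group-or-other-accessible"
    for p in $problems; do
        echo "$p"
    done
    [ -z "$problems" ]
}

# Demo with constructed files: a one-line, world-readable file and a correct one.
d=$(mktemp -d)
printf 'exampleuser examplepass\n' > "$d/bad.txt"
chmod 644 "$d/bad.txt"
printf 'exampleuser\nexamplepass\n' > "$d/good.txt"
chmod 600 "$d/good.txt"
echo "bad.txt:"
check_auth_user_pass "$d/bad.txt" || true
echo "good.txt:"
check_auth_user_pass "$d/good.txt" && echo "no problems found"
rm -rf "$d"
```

A clean result only rules out the file-level causes; a wrong username or password still has to be checked against the provider's account page.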
 

Mark Kelly

New Around Here
thanx eibgrad that what I was thinking after I posted but it was correct. but I think possibility it might what my password is made of. so recently change it, just need to upload it and see if it now works. will do so soon and report back :)
 
