Note 2016/12/07: Since this article was written PIA have updated their config. While I have not personally tested this out, some commentators have reported success by doing 2 additional steps:
- With the new CA file, you now need to specify the port under VPN settings (1198).
- Specify encryption (AES-128-CBC) and authentication (SHA1).
Configuring OpenVPN to work on OpenWRT is relatively easy and straight forward, just not very well documented. This is an in depth, step-by-step guide to configure OpenVPN (VPN provider Private Internet Access – commonly called PIA) on an OpenWRT router.
- You already have OpenWRT installed on your router
- You know how to connect to your router via SSH and Web panel
- Router is connecting to another device (Modem, other router, direct to ISP) that is supplying internet access
This tutorial will cover:
- Installing and configuring OpenVPN
- Configuring a network interface
- Setting up some firewall rules & DNS Leak protection
- Verify everything works
- First step, open a SSH connection to your router, login as root. You should see something like Figure 1 below.
- Next we have to update packages and installed some required libraries, enter the following commands in the terminal:
- Next, download the OpenVPN config files from PIA – https://www.privateinternetaccess.com/openvpn/openvpn.zip somewhere to your local machine. Extract all the files from the zip file. You are only interested in 2 files (ca.crt and crl.pem, we will get back to them later). You can safely delete the *.ovpn files.
- Now open your broswer and go to your router web panel, by default this should be: http://192.168.1.1
- Once logged in you should notice a new menu item called Services, goto it and click the OpenVPN option, see Figure 2 below.
- Time to add our new configuration. At the bottom, in the text field, enter a new name “pia_client”, select “Simple client configuration for a routed point-to-point VPN” and click Add button (Figure 3)
- You will immediately be taken to the config page, click the link “Switch to advanced configuration”
- All settings on the Service page should be fine. Click the “Networking” link at the top.
- See Figure 5 below for how the settings should look like. A few notes:
- If there is a line missing, use the “Additional Field” drop down at the bottom, select the missing field and press Add button
- Ensure that “dev” is set to “tun” and not “tap”
- If there is a field called “ifconfig” with an IP address, remove the address (i.e. make field blank)
- Click blue Save button on the bottom
- Now click on the “VPN” link to change to the VPN tab. As in Networking, there will be some fields missing, use the “Additional Field” drop down at the bottom again to add them. A few notes:
- “auth_user_pass” field value should be “/etc/openvpn/userpass.txt” (It doesn’t exist yet, but we will get back to it in a few minutes)
- The “remote” field should be the hostname of which ever exit node you want to use – see PIA Networking page for a complete list.
- Now click on the “Cryptography”. As before, use the “Additional Field” drop down at the bottom to add missing fields.
- IMPORTANT: for the “ca” field, you will need to browse to the location of the ca.crt file from the openvpn.zip you downloaded in step 3.
- The “crl_verify” path should be set to “/etc/openvpn/crl.pem”
- We have the VPN configuration done now, but we still need to configure the interface as well as the Firewall.
- From the Menu at the top select Networking -> Interfaces.
- Click the “Add new interface…” button.
- Name: “PIA_VPN”(IMPORTANT: Name must be exactly this)
- Protocol of the new interface: Unmanaged
- Cover the following interface: Custom Interface: tun0
- Enter in the details and click the Save button.
- For the final few steps, we will switch back to SSH.
- Next we have to create a file that will store your PIA username and password. It is just a simple text file, with first line username and second line your password. Then we will chmod it to set correct permissions.
- Now have to add the crl.pem file (from the openvpn.zip), just open it in a text editor like notepad and copy the contents
- Now we need to setup some firewall rules to forward the VPN traffic
- Almost done!
- In order to protect against DNS Leaks, we need to update the DHCP server to supply the PIA DNS servers instead of your ISP’s DNS.
- From the main menu, goto: Network -> Interfaces -> LAN -> DHCP Server (below the “Common Configuration” section) -> Advanced Settingss. In the “DHCP-Options” field enter the value: “6,22.214.171.124,126.96.36.199”.
- Click “Save & Supply”
- All done! Now we can start the VPN connection.
- Goto: Services -> OpenVPN, check the Enabled checkbox beside our”pia_client”, then press the Start button, your VPN should now start up.
Verify it works…
- To verify your traffic is going over VPN you can use the PIA What is My IP tool
- If it isn’t working then you may have missed a step. Try going to Status -> System Log in the main menu, it may contain useful information.
- To verify your DNS is not leaking use something like DNS Leak site (you may have to release & renew your DHCP IP before this will work)
Congratulations, your VPN tunnel is now setup!