A lot of the instructions for OpenVPN are terrible. I have added this one to clear up a few things. The main issue I want to address is resolving DNS leaks. This howto uses LuCI, at a minimum for starting the connection. This was tested using OpenWrt Designated Driver 50097 in a virtual machine. The configuration was done using Private Internet Access VPN.
These scripts are only required to stop DNS leaking. This information was taken from https://github.com/jlund/streisand/wiki/Setting-an-OpenWrt-Based-Router-as-OpenVPN-Client. You will need to be able to log in to the router using SSH and create these files.
Create ovpn-up script
cat<<'EOF' > /usr/bin/ovpn-up
#!/bin/sh
# Keep the original resolver list so ovpn-down can restore it
mv /tmp/resolv.conf.auto /tmp/resolv.conf.auto.hold
# Rewrite the DNS options pushed by the VPN server as resolv.conf entries
echo "$foreign_option_1" | sed -e 's/dhcp-option DOMAIN/domain/g' -e 's/dhcp-option DNS/nameserver/g' > /tmp/resolv.conf.auto
echo "$foreign_option_2" | sed -e 's/dhcp-option DOMAIN/domain/g' -e 's/dhcp-option DNS/nameserver/g' >> /tmp/resolv.conf.auto
echo "$foreign_option_3" | sed -e 's/dhcp-option DOMAIN/domain/g' -e 's/dhcp-option DNS/nameserver/g' >> /tmp/resolv.conf.auto
EOF
Create ovpn-down script
cat<<'EOF' > /usr/bin/ovpn-down
#!/bin/sh
mv /tmp/resolv.conf.auto.hold /tmp/resolv.conf.auto
EOF
Make the scripts executable
chmod 0100 /usr/bin/ovpn-up
chmod 0100 /usr/bin/ovpn-down
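
The ovpn-up script above handles exactly three pushed options. As an added example (not from the original page or the linked wiki), the same translation written as a loop over every foreign_option_N that OpenVPN exports, plus a check that a resolv file lists only VPN-pushed resolvers. The function names and the sample addresses are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not part of the original howto.

# Print a resolv.conf line for each DNS/DOMAIN option pushed by the server.
vpn_resolv_lines() {
    i=1
    # OpenVPN numbers foreign_option_N sequentially from 1; stop at the first gap
    while eval "opt=\${foreign_option_$i:-}"; [ -n "$opt" ]; do
        i=$((i + 1))
        case "$opt" in
            "dhcp-option DNS "*)    key=nameserver; val=${opt#"dhcp-option DNS "} ;;
            "dhcp-option DOMAIN "*) key=domain; val=${opt#"dhcp-option DOMAIN "} ;;
            *) continue ;;  # not a DNS-related option
        esac
        # Skip values containing anything other than address/hostname characters
        case "$val" in
            ""|*[!A-Za-z0-9.:-]*) continue ;;
        esac
        echo "$key $val"
    done
}

# Return 0 only if every nameserver in file $1 was pushed by the VPN.
resolv_only_vpn_dns() {
    pushed=$(vpn_resolv_lines | grep '^nameserver ') || return 1
    for ns in $(sed -n 's/^nameserver //p' "$1"); do
        echo "$pushed" | grep -qxF "nameserver $ns" || return 1
    done
    return 0
}

# Constructed sample values standing in for what OpenVPN exports to the up script
foreign_option_1='dhcp-option DNS 10.8.0.1'
foreign_option_2='dhcp-option DOMAIN vpn.example'
foreign_option_3='dhcp-option DNS 10.8.0.2'
vpn_resolv_lines
```

On the router, resolv_only_vpn_dns /tmp/resolv.conf.auto run from the up script after the file is written reports whether a non-VPN resolver is still listed.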
You will need the .pem and .crt files supplied by your VPN provider. I placed mine under the /etc/openvpn directory. The way I do this is to download the certificates on my computer and then do the following.
cat<<'EOF' > /etc/openvpn/ovpn.crt
Open the .crt file in a text editor on your computer and copy and paste its contents into the SSH session, followed by:
EOF
You will need to do the same for the .pem file.
cat<<'EOF' > /etc/openvpn/ovpn.pem
Paste in the contents of the .pem file, followed by:
EOF
You need to create a text file with your VPN connection's username and password. The easiest way to do this is as follows.
cat<<'EOF' > /etc/openvpn/userpass.txt
You will then enter your username, press enter, type your password, press enter, type EOF, press enter. This will create a file with your username on the first line and your password on the second.
Since there are a lot of problems with the OpenVPN LuCI app, it will probably be easier to modify your /etc/config/openvpn configuration file to look something like the following.
config openvpn 'Private_Internet_Access'
	option float '1'
	option client '1'
	option remote_random '0'
	option proto 'udp'
	option dev 'tun0'
	option comp_lzo 'yes'
	option auth 'sha256'
	option cipher 'aes-256-cbc'
	option auth_user_pass '/etc/openvpn/userpass.txt'
	option resolv_retry 'infinite'
	option remote 'aus-melbourne.privateinternetaccess.com 1197'
	option crl_verify '/etc/openvpn/ovpn.pem'
	option nobind '1'
	option persist_tun '1'
	option persist_key '1'
	option tls_client '1'
	option remote_cert_tls 'server'
	option reneg_sec '0'
	option up '/usr/bin/ovpn-up'
	option down '/usr/bin/ovpn-down'
	option script_security '2'
	option down_pre '1'
	option up_restart '1'
	option up_delay '5'
	option log '/var/log/openvpn.log'
	option ca '/etc/openvpn/ovpn.crt'
	option enabled '1'