How to Set Up OpenVPN Client on NETGEAR R7800 with Voxel's Custom Firmware


I would like to share, here on this forum, my configuration and setup for people who want a secure, private and stable internet connection through an OpenVPN client running on the router itself.

I would like to thank the following people:

  • Voxel - for his excellent firmware and pointing me in the right direction when I had no clue where to begin!
  • kinakuta - for his insight and scripts for maintaining the OpenVPN tunnel always-on and the bypass VPN tunnel functionality.
  • Sven Taylor - for sharing honest and vital VPN information, views and reviews on https://restoreprivacy.com

I received my Netgear R7800 (Nighthawk X4S) in early December and didn't waste more than an hour on the stock firmware. I flashed the latest Voxel's Custom Firmware for this router, available at Voxel's site or here on MyOpenRouter.

The mandatory and concise README is provided here: https://www.voxel-firmware.com/Downloads/Voxel/readme.docx

After flashing Voxel's firmware, don't forget to restore factory settings in the router WebGUI!

Start by setting up the following:

  1. SSH access to router (Well documented in Voxel's README)
  2. Setup of Entware on a USB stick (Documented in Voxel's README)

Now you can configure DNS and dnscrypt-proxy.

VPN Settings for Voxel's Firmware

DNS queries are one of the easiest ways for your ISP to see which sites you visit, so I highly recommend NOT using their DNS servers.

  1. Configure your DNS servers in the WebGUI. I used 208.67.222.222, 208.67.220.220 (OpenDNS) and 8.8.8.8 (Google) as the DNS servers.
  2. Enable dnscrypt-proxy (documented in Voxel's README). Simply edit /etc/dnscrypt.conf with the single entry "adguard-dns", a resolver that also blocks advertising domains.

Changing the resolver alone hides nothing: a plain UDP port 53 lookup to 8.8.8.8 still crosses the ISP's network in cleartext. Step 2 encrypts the queries, and once the OpenVPN client below is up with the provider's default route, the router's own lookups leave through the tunnel as well.

Testing for DNS Leaks

With the tunnel up, run a DNS leak test from a LAN client using one of the online leak-test services. Only the resolvers you configured (or your VPN provider's) should appear. If your ISP's resolver shows up, the queries are not going through dnscrypt-proxy or the tunnel and you need to go back over the two steps above.
Now, for the OpenVPN client on the R7800!

The reason I chose Voxel's firmware is that it keeps NETGEAR's proprietary (and speedy) drivers and all stock functionality (ReadyShare, QoS, DLNA, etc.) and adds an OpenVPN client. Running the VPN client on the router means every device in your home goes out through the tunnel without installing anything on it. Keep in mind what that does and does not cover: traffic is encrypted between the router and your VPN provider's server, so the ISP sees only the tunnel, while the provider sees everything that leaves it.

Don't forget to follow Voxel's README!

 

  1. Download your VPN provider's .ovpn file(s) and place them in the /etc/openvpn/config/client directory. Use full-path filenames for every file referenced in the .ovpn file. Example: change "auth-user-pass credentials.txt" to "auth-user-pass /etc/openvpn/config/client/credentials.txt". The same applies to the ca, cert, key and tls-auth lines. Because credentials.txt holds your VPN username and password in cleartext, make it readable by root only (chmod 600).
  2. Test "/etc/init.d/openvpn-client start" and "/etc/init.d/openvpn-client stop" thoroughly and read the log file /var/log/openvpn-client.log before you advance.
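As an added example (mine, not part of the original post or of Voxel's firmware), the following POSIX sh script does the path rewriting of step 1 mechanically and then checks the result: every referenced file must be given as an absolute path, must exist, and, for keys and credentials, must not be readable by group or others. The list of file-taking directives is an assumption covering the usual ones; /etc/openvpn/config/client is the directory from the steps above.

```sh
#!/bin/sh
# Added example, not from the original post or Voxel's firmware.
# Rewrites relative filenames in an .ovpn profile to absolute paths and
# checks the referenced files. Directive list is an assumption: the common
# options that take a filename argument.
OVPN_FILE_DIRECTIVES="ca cert key tls-auth tls-crypt crl-verify auth-user-pass askpass"

# ovpn_abspath <profile> <dir>: print the profile with every relative
# filename prefixed by <dir>. Inline <ca>...</ca> style blocks are copied
# through untouched.
ovpn_abspath() {
    awk -v dir="$2" -v dirs="$OVPN_FILE_DIRECTIVES" '
        BEGIN { n = split(dirs, d, " "); for (i = 1; i <= n; i++) want[d[i]] = 1 }
        /^<[a-z-]+>$/   { inblock = 1 }
        /^<\/[a-z-]+>$/ { inblock = 0 }
        !inblock && ($1 in want) && NF >= 2 && $2 !~ /^\// { $2 = dir "/" $2 }
        { print }
    ' "$1"
}

# ovpn_referenced_files <profile>: print "<directive> <filename>" for every
# file the profile refers to (inline blocks excluded)
ovpn_referenced_files() {
    awk -v dirs="$OVPN_FILE_DIRECTIVES" '
        BEGIN { n = split(dirs, d, " "); for (i = 1; i <= n; i++) want[d[i]] = 1 }
        /^<[a-z-]+>$/   { inblock = 1 }
        /^<\/[a-z-]+>$/ { inblock = 0 }
        !inblock && ($1 in want) && NF >= 2 { print $1, $2 }
    ' "$1"
}

# ovpn_check_files <profile>: print one line per problem (RELATIVE, MISSING,
# READABLE) and return non-zero if any was found. Secret-bearing files must
# not be group/world-readable (chmod 600); the CA certificate is public and
# is only checked for existence. Filenames with spaces are not handled.
ovpn_check_files() {
    rc=0
    while read -r directive f; do
        [ -n "$f" ] || continue
        case $f in
            /*) ;;
            *)  echo "RELATIVE $f"; rc=1; continue ;;
        esac
        if [ ! -f "$f" ]; then
            echo "MISSING $f"; rc=1
            continue
        fi
        case $directive in
            key|tls-auth|tls-crypt|auth-user-pass|askpass)
                # -perm -004: readable by others, -perm -040: readable by group
                if [ -n "$(find "$f" \( -perm -004 -o -perm -040 \) 2>/dev/null)" ]; then
                    echo "READABLE $f"; rc=1
                fi ;;
        esac
    done <<EOF
$(ovpn_referenced_files "$1")
EOF
    return $rc
}

# On the router, for example:
#   ovpn_abspath provider.ovpn /etc/openvpn/config/client > /etc/openvpn/config/client/provider.ovpn
#   ovpn_check_files /etc/openvpn/config/client/provider.ovpn
```

Strip Windows line endings first (tr -d '\r' < provider.ovpn > clean.ovpn), otherwise the carriage return sticks to the end of every filename and OpenVPN reports the file as missing.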

Bypassing OpenVPN client tunnel (Thank you, kinakuta)

You can bypass the OpenVPN client tunnel for the outgoing traffic of specific IP addresses in two simple steps. Everything a listed device sends goes straight out via the ISP, with the same visibility as without a VPN, so choose those devices deliberately. The script is run by OpenVPN every time the tunnel comes up, so it has to be safe to run repeatedly.

1. Reserve DHCP addresses for those devices in the WebGUI (Advanced -> Configuration -> LAN Configuration), so they keep the same IP.

2. Change the /etc/openvpn/ovpnclient-up.sh file to:

#!/bin/sh
# Run by the OpenVPN client every time the tunnel comes up, so everything
# here must be safe to repeat.
# Don't forget to reserve the list of IPs for exclusion devices on the DHCP server.
# Edit the following IP list to bypass the VPN. Separate individual IPs with a single space.
NO_VPN_LST="192.168.1.7 192.168.1.3"
WAN_GWAY=$(nvram get wan_gateway)
if [ -z "$WAN_GWAY" ]; then
    echo "ovpnclient-up: wan_gateway is empty, VPN bypass not configured" >&2
    exit 0
fi
for excludeip in $NO_VPN_LST; do
    # remove any rule left from the previous run, otherwise each tunnel
    # restart adds another copy of it
    while /usr/sbin/ip rule del from "$excludeip" table 200 2>/dev/null; do :; done
    /usr/sbin/ip rule add from "$excludeip" table 200
done
# "replace" is idempotent; "add" fails with "File exists" on the second run
/usr/sbin/ip route replace table 200 default via "$WAN_GWAY" dev brwan
/usr/sbin/ip route flush cache
exit 0
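Because the up-script runs again on every tunnel restart, it is worth checking afterwards that each address in NO_VPN_LST has exactly one rule and that table 200 has a way out. The following POSIX sh functions are an added example (mine, not from the original post or kinakuta's scripts): they take the text of "ip rule show" and "ip route show table 200" as arguments, so they can be exercised on constructed samples as well as on the live router. The "<prio>:<tab>from <ip> lookup 200" line format and the brwan device name are assumptions from what the scripts above produce.

```sh
#!/bin/sh
# Added example, not from the original post or kinakuta's scripts.
# Checks that the policy-routing bypass is in place for every address in
# NO_VPN_LST and that the up-script has not piled up duplicate rules.
NO_VPN_LST="192.168.1.7 192.168.1.3"   # same list as in ovpnclient-up.sh

# bypass_rule_count <ip> <rule_text>: how many "from <ip> lookup 200" rules
# exist. 1 is correct, 0 means the device still goes through the tunnel,
# more than 1 means a tunnel restart added duplicates.
bypass_rule_count() {
    ip_re=$(printf '%s' "$1" | sed 's/\./\\./g')
    printf '%s\n' "$2" |
        grep -c -E "^[0-9]+:[[:space:]]+from ${ip_re} lookup 200([[:space:]]|\$)" || true
}

# bypass_default_route <route_text>: gateway of the default route in table
# 200, empty if the table has none (then the listed devices have no way out).
bypass_default_route() {
    printf '%s\n' "$1" | awk '$1 == "default" && $2 == "via" { print $3; exit }'
}

# bypass_status <ip_list> <rule_text> <route_text>: one line per address
# (OK / MISSING / DUPLICATE); returns non-zero if anything needs fixing.
bypass_status() {
    rc=0
    gw=$(bypass_default_route "$3")
    if [ -z "$gw" ]; then
        echo "NO_DEFAULT_ROUTE table 200"
        rc=1
    fi
    for ip in $1; do
        n=$(bypass_rule_count "$ip" "$2")
        case $n in
            1) echo "OK $ip via ${gw:-none}" ;;
            0) echo "MISSING $ip"; rc=1 ;;
            *) echo "DUPLICATE $ip x$n"; rc=1 ;;
        esac
    done
    return $rc
}

# On the router: sh bypass-check.sh --live
if [ "${1:-}" = "--live" ]; then
    bypass_status "$NO_VPN_LST" "$(/usr/sbin/ip rule show)" "$(/usr/sbin/ip route show table 200)"
fi
```

A DUPLICATE result after a few tunnel restarts means the up-script is adding rules without removing the old ones; a MISSING result right after boot usually means the tunnel has not come up yet and the up-script has not run.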

Create a OpenVPN client tunnel monitoring script (Thank you, kinakuta)

You will do this because the OpenVPN client connection can sometimes disconnect or even cease to respond.

/usr/bin/vpncmon.sh:
#!/bin/sh
# Restart the OpenVPN client when tun0 has disappeared or the tunnel no longer
# passes traffic; reboot the router when two consecutive checks fail.
IP_FOR_TEST="8.8.8.8"
PING_COUNT=1
INTERFACE="tun0"
FFLAG="/tmp/vpn_stuck.fflg"
LOCKFILE="/tmp/vpncmon.pid"
LOGFILE="/var/log/vpncmon.log"
NTP_TRIES=10
NOW=$(date +"%H:%M, %d-%m-%Y")

log()
{
    /bin/echo "$NOW - $1" >> "$LOGFILE"
}
restartvpnc()
{
    /etc/init.d/openvpn-client restart
    /bin/sleep 5
    /etc/init.d/dnscrypt-proxy restart
}

# rc.local and the 5-minute cron job can overlap: run one copy at a time.
# A stale lock from a killed run is ignored because its PID no longer exists.
if [ -f "$LOCKFILE" ] && kill -0 "$(cat "$LOCKFILE" 2>/dev/null)" 2>/dev/null; then
    exit 0
fi
echo $$ > "$LOCKFILE"
trap '/bin/rm -f "$LOCKFILE"' EXIT

# check logfile
if [ ! -f "$LOGFILE" ]; then
    /bin/touch "$LOGFILE"
    log "VPN client LOGFILE $LOGFILE created."
fi

# The router has no battery-backed clock, so right after boot the date is bogus
# and the VPN certificates fail validation. Sync it, but give up after NTP_TRIES
# instead of looping forever when NTP is unreachable.
YEAR=$(date "+%Y")
TRIES=0
while [ "$YEAR" -lt 2016 ] && [ "$TRIES" -lt "$NTP_TRIES" ]; do
    log "We do not have a valid date, syncing the clock (attempt $TRIES)."
    /etc/init.d/ntpclient stop
    /usr/sbin/ntpclient -s -h pool.ntp.org
    /bin/sleep 2
    /etc/init.d/ntpclient start
    NOW=$(date +"%H:%M, %d-%m-%Y")
    YEAR=$(date "+%Y")
    TRIES=$((TRIES + 1))
done
if [ "$YEAR" -lt 2016 ]; then
    log "Clock still not valid after $NTP_TRIES NTP attempts, skipping this run."
    exit 1
fi

# check if interface is up
if ! grep -q "^[[:space:]]*$INTERFACE:" /proc/net/dev; then
    log "$INTERFACE not up, restarting OpenVPN client."
    restartvpnc
fi

# check if the tunnel passes traffic with a ping test; a second consecutive
# failure (flag file present) means the restart did not help, so reboot
if ! /bin/ping -c "$PING_COUNT" "$IP_FOR_TEST" >/dev/null 2>&1; then
    if [ -f "$FFLAG" ]; then
        log "Network and OpenVPN client down. Rebooting router!"
        /bin/rm -f "$FFLAG" 2>/dev/null
        /opt/sbin/reboot
    else
        /bin/touch "$FFLAG"
        log "IP $IP_FOR_TEST can't be pinged, restarting OpenVPN client."
        restartvpnc
    fi
else
    /bin/rm -f "$FFLAG" 2>/dev/null
fi
exit 0

Finally, automate the script execution.

Save the script with Unix line endings (a file pasted from Windows carries a carriage return at the end of every line, which makes the shell fail with syntax errors on lines that look fine; fix it with "tr -d '\r' < vpncmon.sh > /usr/bin/vpncmon.sh"), make it executable with "chmod +x /usr/bin/vpncmon.sh", and check the syntax with "sh -n /usr/bin/vpncmon.sh" before wiring it up.

First, change /etc/rc.local to run /usr/bin/vpncmon.sh on every boot.

/etc/rc.local:
# Put your custom commands here that should be executed once
# the system init finished. By default this file does nothing.
/usr/bin/vpncmon.sh
exit 0

Then, add a crontab entry to run it every 5 minutes:

*/5 * * * * /usr/bin/vpncmon.sh

  • Note that this needs the cron package from Entware, which is why the Entware setup above is mandatory; install and start it before adding the line.

I hope this guide helps the community and thank you for reading!


nilugeator

Hi

Thanks for this nice tutorial!

I am already using the OpenVPN client with my R7800 set up with DD-WRT, but it would be great to do it with the original firmware (best speed...).

BUT I really need to bypass the OpenVPN client tunnel, not only for IP addresses (I've seen it in your tutorial, nice!) but also for some ports that I need to access from outside.

In DD-WRT it is written like this:

# some ports bypassing VPN

iptables -t mangle -A OUTPUT -p tcp -m multiport --sports 9091,32400,80,22 -j MARK --set-mark 1

Would it be possible to do that with Voxel's firmware, and how?

Thanks in advance!

jslicerz@gmail.com

Hey Voxel -

Bear with me - I've been trying to teach myself this stuff and getting overwhelmed. Maybe I'm overthinking it, but I haven't found any examples that match my setup. I have an R7800 connected to a Comcast modem/gateway combo in bridge mode. My Windows computer is the client plugged directly into the router acting as the server. I either haven't been able to get the client to connect to the server or it messes with my internet connection. I've been getting TLS handshake errors. When I do get it to connect I still see shit that bugs me like "recursive routing" - is that normal? And when testing my online visibility my public IP and location are still exposed.

I'm trying to setup a tap VPN connection with bridged ethernet to download torrents. By the way if there's a better setup for that let me know, it just seems like tap/proto udp/bridged ethernet VPN is the way to go if you're directly plugged into the router. The Netgear instructions are for setting up the openvpn client and config files in Windows, but your instructions are the opposite - installing the openvpn client on the router instead.

Isn't the server included in your firmware? We just enable it in the WebGUI and set the ports, correct? Do I still need to set up a server config file on the router end? Another guide on OpenVPN is saying to create an alternate IP address for the server, like 10.8.0.0 - is this done in the config file or the Netgear GUI, or both? What remote IP address do I use? I set up a static IP and currently I'm using the LAN gateway for the server (i.e. remote 192.168.7.1 11294). Or is it easier to set up the client on the router as per your instructions?

There's too many VPN setup guides with conflicting information for different scenarios which has made this a lot more difficult than I anticipated. Now I'm resorting to posting in a thread. So be gentle. I suppose you'll need a copy of my config and log files, which I can provide. Any help you can provide would be awesome.

Thanks,

wildpumpkin

Hi @XuniLinuX,

I've got a problem following the tutorial. I'm unable to use Entware on the router. Maybe you can help me. I made a post in Voxel's thread:

https://www.myopenrouter.com/forum/custom-firmware-r7800-extend-its-functionality?page=9#comment-42185

By the way, thanks for your share.

Wp.

wildpumpkin

And just for information, if I copy/paste the link, the page is a 404:

https://archive.openwrt.org/attitude_adjustment/12.09-rc1/ipq806x/generi...

GiGNet

Dumb question. So the monitoring script, when run, bombs. Seems like a formatting issue but I can't be 100% sure. It throws various errors that seem like format and/or syntax. Ideas?