OpenVPN client setup guide using Voxel's Firmware on a Nighthawk X4S R7800

XunilinuX

I would like to share my configuration and setup with people who want a secure, private and stable connection to the internet using an OpenVPN client connection to the internet on this forum.

I would like to thank the following people:
Voxel - for his excellent firmware and pointing me in the right direction when I had no clue where to begin.
kinakuta - for his insight and scripts for maintaining the OpenVPN tunnel always-on and the bypass VPN tunnel functionality.
Sven Taylor - for sharing honest and vital VPN information, views and reviews on https://restoreprivacy.com

I received my Netgear R7800 X4S in early December and didn't waste more than an hour on the stock firmware.
I flashed the latest Voxel's Custom Firmware for this router - https://www.voxel-firmware.com/Downloads/Voxel/R7800-Voxel-firmware
The mandatory and concise README is provided (https://www.voxel-firmware.com/Downloads/Voxel/readme.docx).
After flashing Voxel's firmware, don't forget to restore factory settings in the router WebGUI.

Start by setting up the following:
1- SSH access to router (Well documented in Voxel's README)
2- Setup of Entware on a USB stick (Documented in Voxel's README)
PS: The crontab provided by Entware is essential.
PS2: I chose to use Voxel's optimized repository (https://www.voxel-firmware.com/Downloads/Voxel/Entware/entware-cortex-a1...)

Configure DNS and DNSCRYPT
DNS queries are THE primary source of your ISP's tracking strategy. I highly recommend NOT using their DNS servers.
1- Configure your DNS servers in the WEBGUI
I used 208.67.222.222, 208.67.220.220 and 8.8.8.8 as the DNS servers.
2- Enable dnscrypt-proxy (Documented in Voxel's README)
Simply edit /etc/dnscrypt.conf with one entry "adguard-dns" to wipe out any and all publicity.
Don't forget to test DNS leaks (https://www.dnsleaktest.com/) and make sure you do NOT use any of your ISP's DNS servers.

OpenVPN client
The reason I chose Voxel's firmware is that it maintains NETGEAR's proprietary (and speedy) drivers, all stock functionality (ReadyShare, QoS, DLNA, etc.) and adds the OpenVPN client functionality. Centralizing the VPN client connection on the router guarantees encrypted internet access on all connected devices in your home.
Don't forget to follow Voxel's README.
1- Download your VPN provider's OVPN file and place them in the /etc/openvpn/config/client directory
PS: Use full path directory filenames on any referenced files in the OVPN file. Example: change "auth-user-pass credentials.txt" to "auth-user-pass /etc/openvpn/config/client/credentials.txt"
2- Test "/etc/init.d/openvpn-client start/stop" thoroughly and read the log file /var/log/openvpn-client.log before you advance.

Bypassing OpenVPN client tunnel (Thank you, kinakuta)
You can bypass the OpenVPN client tunnel for the outgoing traffic of specific IPs in two simple steps:
1- Reserve DHCP addresses in the WEBGUI (Advanced -> Configuration -> LAN Configuration)
2- Change the /etc/openvpn/ovpnclient-up.sh file to:
#!/bin/sh
# Don't forget to reserve the list of IPs for exclusion devices on the DHCP server
# Edit the following IP list to bypass the VPN. Separate individual IPs using a single space between them.
NO_VPN_LST="192.168.1.7 192.168.1.3"
WAN_GWAY=`nvram get wan_gateway`
for excludeip in $NO_VPN_LST; do
   /usr/sbin/ip rule add from $excludeip table 200
done
/usr/sbin/ip route add table 200 default via $WAN_GWAY dev brwan
/usr/sbin/ip route flush cache
exit 0

Create an OpenVPN client tunnel monitoring script (Thank you, kinakuta)
The OpenVPN client connection can sometimes disconnect or even cease to respond.
/usr/bin/vpncmon.sh:
#!/bin/sh
IP_FOR_TEST="8.8.8.8"
PING_COUNT=1
INTERFACE="tun0"
FFLAG="/tmp/vpn_stuck.fflg"
LOGFILE="/var/log/vpncmon.log"
NOW=$(date +"%H:%M, %d-%m-%Y")
restartvpnc()
{
    /etc/init.d/openvpn-client restart
    /bin/sleep 5
    /etc/init.d/dnscrypt-proxy restart
}
# check logfile
if [ ! -f $LOGFILE ]; then
  /bin/touch $LOGFILE
  /bin/echo "$NOW - VPN client LOGFILE $LOGFILE created.\n" >> $LOGFILE
fi
# Check if the date is at least 2016 to validate VPN certificates
YEAR=`date "+%Y"`
while [ $YEAR -le 2016 ]; do
   /bin/echo "We do not have a valid date.\n" >> $LOGFILE
   /etc/init.d/ntpclient stop
   /usr/sbin/ntpclient -s -h pool.ntp.org
   /bin/sleep 2
   /etc/init.d/ntpclient start
   NOW=$(date +"%H:%M, %d-%m-%Y")
   YEAR=`date "+%Y"`
done
# check if interface is up
FOUND=`grep "$INTERFACE" /proc/net/dev`
if [ ! "$FOUND" ]; then
    /bin/echo "$NOW - $INTERFACE not up, restarting OpenVPN client.\n" >> $LOGFILE
    restartvpnc
fi
# check if successful with ping test
/bin/ping -c $PING_COUNT $IP_FOR_TEST 2>/dev/null 1>/dev/null
if [ $? -ne 0 ]; then
   if [ -f $FFLAG ]; then
      /bin/echo "$NOW - Network and OpenVPN client down. Rebooting router!\n" >> $LOGFILE
      /bin/rm -f $FFLAG 2>/dev/null
      /opt/sbin/reboot
   else
      /bin/touch $FFLAG
      /bin/echo "$NOW - IP $IP_FOR_TEST can't be pinged, restarting OpenVPN client.\n" >> $LOGFILE
      restartvpnc
   fi
else
   if [ -f $FFLAG ]; then
      /bin/rm -f $FFLAG # 2>/dev/null
   fi
fi
exit 0

All that is left to do is automate the script execution
1- Change /etc/rc.local to run /usr/bin/vpncmon.sh on every boot
/etc/rc.local:
# Put your custom commands here that should be executed once
# the system init finished. By default this file does nothing.
/usr/bin/vpncmon.sh
exit 0
2- Add a crontab entry to run it every 5 minutes:
*/5 * * * * /usr/bin/vpncmon.sh
PS: The Entware crontab is mandatory

I hope this guide helps somebody.

kamoj

Great guide and really good information, thank you very much for sharing! smiley

A comment: In the latest Voxel FWs you don't need to specify the path to the files referenced in the OVPN file.

And a question: Why do you need Entware and its crontab? The vanilla cron in Voxel's latest FW is not working?
Example:
crontab -l
crontab -e

Add (using vi-commands):
*/5 * * * * /usr/bin/vpncmon.sh

ps w | grep cron
If you don't need Entware (I love Entware), you don't need ssh and its crypto key generation, which makes all a lot easier for newbies.
Telnet is there, once enabled from the Netgear Genie GUI.

Thank you again, I appreciate you shared this!
I will try some of your findings when I get the time.

Voxel

Yes, very good guide. Thanks for sharing your experience.

Voxel.

XunilinuX

I forgot to mention the fact that I manually installed the haveged package to speed up the DNSCRYPT service startup time.
Now that Voxel's new build (1.0.2.43F) includes haveged, it becomes irrelevant in my/our guide.

Regarding CRON, @kamoj - I could never get the default CRON to trigger any actions using the stock/Voxel's version.
I read somewhere (myopenrouter or snbforums) that using the Entware CRON everything just worked. That was my experience.

Regarding TELNET vs SSH, @kamoj - Yes, TELNET is "easier" for the less experienced. But once configured, SSH saves me the time to repeatedly authenticate on the command line. SSH is also encrypted, TELNET is not. If you configure remote access to your router, will you risk using an unencrypted protocol?

Thank you for your feedback @kamoj

kamoj

The telnet thing is only used locally while installing your script and starting cron.
During this time there is no need to have internet/remote access. Just pull out that cable...
I love this Voxel FW, but I know that for many people it's too complicated;
To not install ssh/keys and Entware makes the FW easier to spread.
I had no problem with the Voxel vanilla cron at all.
Else I agree with you and feel very good for what you share!
Thanks again!

nilugeator
Hi

thx for this nice tutorial !

I am already using the OpenVPN client with my R7800 set up with DD-WRT, but it would be great to do it with the original firmware (best speed...)

BUT I really need to bypass the OpenVPN client tunnel, not only for IP addresses (I've seen it in your tuto, nice!) but also for some ports that I need to access from outside.

In DD-WRT it is written like this:

# some ports bypassing VPN
iptables -t mangle -A OUTPUT -p tcp -m multiport --sports 9091,32400,80,22 -j MARK --set-mark 1

Would it be possible to do that with Voxel's firmware, and how??

thx in advance!

Voxel

Hi,

Probably you should try to use the new feature of 1.0.2.44SF:

https://www.myopenrouter.com/comment/41948#comment-41948

d. Possibility to use your own iptables rules w/o modification of /usr/sbin/net-wall script. If you have /root/firewall-start.sh script (executable) with your iptable commands it will be called automatically at the end of "net-wall start" command.

Voxel.

nilugeator

hi

thanks for your answer but I don't know how to do that specifically :(

Hope someone will add it to the tutorial (how to bypass the VPN for a specific port)

kamoj

Hi again XunilinuX and again many thanks for your information!

I have started to use the functionality.
I had to change one line to get "Bypassing OpenVPN client tunnel" working:

WAN_GWAY=`nvram get wan_gateway`  --> WAN_GWAY=`nvram get wan_dhcp_gateway` 

PS

There is absolutely no need to use either SSH or Entware.
Also: There is no need to specify "full path directory filenames on any referenced files in the OVPN file"

Try to keep it simple!

rafamars

Thanks XunilinuX for the tuto.

I was trying to bypass the OpenVPN tunnel for a couple of IPs and I followed your instructions, reserving the IPs in the GUI before changing /etc/openvpn/ovpnclient-up.sh. I even tried to replace WAN_GWAY=`nvram get wan_gateway` --> WAN_GWAY=`nvram get wan_dhcp_gateway` as suggested by kamoj. Unfortunately my reserved IPs are recognised by the router but it does not allow internet access to them. Does anyone have any suggestion where to look? Apologies if it is a rookie question.

Also if I manually stop the OpenVPN I still can't get internet access for my reserved IPs. I need to remove them from the GUI first, then it is working again.

Regards

rafamars

rafamars

Hi

Do you have any suggestion? Should I reset the router and start from scratch or is there some command I can run to debug and try to find a solution to the problem?

Regards

rafamars

kamoj

An alternative way to get the correct wan ip is:

WAN_GWAY=`ip route | awk '/^default/{print $3}'`

rafamars

I tried that but the value returned for WAN_GWAY is always 0.0.0.0. The reserved IP I used is 192.168.1.12.

Before running the OpenVPN client, ip route returns:

default via 172.16.14.27 dev ppp0

172.16.14.27 dev ppp0  proto kernel  scope link  src 86.145.62.137
192.168.1.0/24 dev br0  proto kernel  scope link  src 192.168.1.1
239.0.0.0/8 dev br0  scope link

After starting the OpenVPN client, ip route returns:
0.0.0.0/1 via 10.125.2.249 dev tun0
default via 172.16.14.27 dev ppp0
10.125.0.1 via 10.125.2.249 dev tun0
10.125.2.249 dev tun0  proto kernel  scope link  src 10.125.2.250
85.203.13.5 via 172.16.14.27 dev ppp0
128.0.0.0/1 via 10.125.2.249 dev tun0
172.16.14.27 dev ppp0  proto kernel  scope link  src 86.145.62.137
192.168.1.0/24 dev br0  proto kernel  scope link  src 192.168.1.1
239.0.0.0/8 dev br0  scope link

kamoj

Good! Now we know one thing that is wrong!

Your example output should give a proper value of 172.16.14.27 for WAN_GWAY!

It might be that you do not copy the command, but are rather typing the wrong keys.
There are 4 types of similar "quote"-characters - here with a blank in between:(" ' ´ `), and you must use the correct ones...
Outside it should be ` and within that '
Try e.g. this command in the router: ip route | awk '/^default/{print $3}'

until you get it right.

Then try the full command again, and check the result with: echo $WAN_GWAY
Then correct your script and try again.

gallo

Thanks for the time and research you put into that guide XunilinuX, I recently got my 7800 and am having a blast configuring it thanks to Voxel's excellent firmware. Looking forward to setting up the VPN next and I think you just simplified the setup. ;)

rafamars

Hi kamoj,

Thanks to you I went a bit further and actually the syntax was correct.

Writing nvram get wan_gateway returns 0.0.0.0 and writing ip route | awk '/^default/{print $3}' returns 172.16.14.27 but I don't understand why.

I ran the script line by line and actually I have an error message after running the command /usr/sbin/ip route add table 200 default via $WAN_GWAY dev brwan which returns RTNETLINK answers: No such process.

I would be grateful if you could point out any direction.

Regards

rafamars

kamoj

I have some code built on XunilinuX findings, that is a bit different.
One different thing is that you can change IP addresses through the Netgear web-interface.
At some time when I find out how to go on with it, me or Voxel might make it available as a Voxel Add-on.
But the time is not right, so for the moment I'll give you the part of my code that you can try instead of your current version.
(And as I wrote before, my way(s) of setting the WAN_GWAY might work better ;-).
So try this:

PATH=/bin:/sbin:/usr/bin:/usr/sbin:$PATH
NO_VPN_LST="192.168.1.7 192.168.1.3"
while [ $(ip route list table 200 default | grep "default" | wc -l) != "0" ]; do ip route del table 200 default 2>/dev/null; done
while [ $(ip route list table 200 | grep "default" | wc -l) != "0" ]; do ip route del table 200 2>/dev/null; done
while [ $(ip rule list | grep "lookup 200" | wc -l) != "0" ]; do ip rule del table 200 2>/dev/null; done

ip route flush cache
sleep 1

# Get wan gateway ip address:
WAN_GWAY=`ip route | awk '/^default/{print $3}'`

for excludeip in $NO_VPN_LST; do
   [ $(ip rule list | grep "${excludeip} lookup 200" | wc -l) = "0" ] && ip rule add from ${excludeip} table 200
done

ip route add table 200 default via $WAN_GWAY dev brwan
ip route flush cache

kamoj

I have tried to reply repeated times now, but this forum is not so good...:

Access Denied
You are not authorized to access this page.

So now I try again, since other people seem to be able to post:
I have some code built on XunilinuX findings, that is a bit different.
One different thing is that you can change IP addresses through the Netgear web-interface.
At some time when I find out how to go on with it, me or Voxel might make it available as a Voxel Add-on.
But the time is not right, so for the moment I'll give you the part of my code that you can try instead of your current version.
(And as I wrote before, my way(s) of getting the WAN_GWAY works better).
So try this:

PATH=/bin:/sbin:/usr/bin:/usr/sbin:$PATH
NO_VPN_LST="192.168.1.7 192.168.1.3"
while [ $(ip route list table 200 default | grep "default" | wc -l) != "0" ]; do ip route del table 200 default 2>/dev/null; done
while [ $(ip route list table 200 | grep "default" | wc -l) != "0" ]; do ip route del table 200 2>/dev/null; done
while [ $(ip rule list | grep "lookup 200" | wc -l) != "0" ]; do ip rule del table 200 2>/dev/null; done

ip route flush cache
sleep 1

# Get wan gateway ip address:
WAN_GWAY=`ip route | awk '/^default/{print $3}'`

for excludeip in $NO_VPN_LST; do
[ $(ip rule list | grep "${excludeip} lookup 200" | wc -l) = "0" ] && ip rule add from ${excludeip} table 200
done

ip route add table 200 default via $WAN_GWAY dev brwan
ip route flush cache

MyOpenRouter Team

@kamoj -- looks like some of the code included in your post must have flagged our filters, I approved the post and you should be good to go. Let us know if you have any problems in the future.

rafamars

Thanks kamoj for your code,

I still have the same error after ip route add table 200 default via $WAN_GWAY dev brwan which is RTNETLINK answers: No such process and I think it might be due to dev brwan. I tried to cd to the dev directory but could not find brwan.

I also tried in the gui under advanced setup -> static route but no luck so far

running arp -a gives: (192.168.1.12 is the static IP address)

IP address       HW type     Flags       HW address            Mask     Device
192.168.1.2      0x1         0x2         f8:1e:df:e9:e6:46     *        br0
192.168.1.12     0x1         0x2         94:65:2d:c9:19:58     *        br0

and running netstat -r gives:

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
default         10.125.2.249    128.0.0.0       UG        0 0          0 tun0
default         172.16.14.27    0.0.0.0         UG        0 0          0 ppp0
10.125.0.1      10.125.2.249    255.255.255.255 UGH       0 0          0 tun0
10.125.2.249    *               255.255.255.255 UH        0 0          0 tun0
85.203.13.5     172.16.14.27    255.255.255.255 UGH       0 0          0 ppp0
128.0.0.0       10.125.2.249    128.0.0.0       UG        0 0          0 tun0
172.16.14.27    *               255.255.255.255 UH        0 0          0 ppp0
192.168.1.0     *               255.255.255.0   U         0 0          0 br0
239.0.0.0       *               255.0.0.0       U         0 0          0 br0

I might try to reset everything because I seem to be the only one to experience this problem.

Best regards

rafamars

kamoj

Thank you for being patient and giving more information:
I have updated my add-on script as a result of your problem!
Try to change one line in "my" script:
From:
ip route add table 200 default via $WAN_GWAY dev brwan
to:
ip route add table 200 default via $WAN_GWAY dev `ip route | awk '/^default/{print $NF}'`

rafamars

Hi kamoj,

It seems that it did the trick as I can bypass the VPN tunnel now.

Out of curiosity, why was the original script posted by XunilinuX not working?

Again thanks for your patience in helping me.

Regards

rafamars

kamoj

I'm happy to hear we sorted it out together. 
I figured out that xunilinux, you and me were using the Router in different modes.

Me DHCP - xunilinux not DHCP (?), and you were using PPPoE to login to your ISP.
So I changed my script to work with different modes.
Hope you understand this simple explanation.

So thanks not only to xunilinux, Sven Taylor and Voxel.
You too, rafamars, have contributed to this success!
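The bypass steps from the opening post, and kamoj's point that the WAN gateway and interface differ between DHCP and PPPoE modes, as an added example that is not part of any post in this thread: it reads both values from ip route instead of nvram or a hard-coded brwan, refuses to install the bypass when no usable gateway is found (rafamars' 0.0.0.0 case), and applies table 200 idempotently. The sample routing tables are constructed (the PPPoE one trimmed from rafamars' posted output, the DHCP one with documentation addresses); IP, route_field, apply_bypass and bypass_from_routes are names chosen here.

```shell
#!/bin/sh
# Added example, not the script of XunilinuX, kamoj or Voxel: read the WAN
# gateway and WAN interface from the kernel routing table and program the
# table-200 bypass idempotently, so it works in DHCP, static-IP and PPPoE WAN
# modes and survives OpenVPN reconnects. Names (IP, route_field, apply_bypass,
# bypass_from_routes) are ours; the sample routing tables are constructed.

IP=${IP:-/usr/sbin/ip}   # set IP=echo for a dry run that prints the commands

# route_field KEY: token following KEY on the "default" line of `ip route`
# text read from stdin (KEY=via gives the gateway, KEY=dev the interface).
# With the VPN up, 0.0.0.0/1 and 128.0.0.0/1 point at tun0, but the line that
# starts with "default" is still the ISP uplink, so this is mode-independent,
# unlike `nvram get wan_gateway` (0.0.0.0 under PPPoE) or a hard-coded brwan.
route_field() {
    awk -v key="$1" '/^default / { for (i = 1; i < NF; i++) if ($i == key) { print $(i + 1); exit } }'
}
wan_gateway() { route_field via; }
wan_dev()     { route_field dev; }

# apply_bypass GATEWAY DEV "LANIP LANIP ...": install the table-200 default
# route first (so a rule never points at an empty table), then one source
# rule per excluded host, deleting any stale copy so repeated runs of
# ovpnclient-up.sh do not pile up duplicate rules.
apply_bypass() {
    gw=$1; dev=$2; lst=$3
    case "$gw" in ""|0.0.0.0) echo "no usable WAN gateway ('$gw'); bypass not applied" >&2; return 1 ;; esac
    [ -n "$dev" ] || { echo "no WAN interface found; bypass not applied" >&2; return 1; }
    $IP route flush table 200 2>/dev/null || true
    $IP route add table 200 default via "$gw" dev "$dev" || return 1
    for excl in $lst; do
        $IP rule del from "$excl" table 200 2>/dev/null || true
        $IP rule add from "$excl" table 200 || return 1
    done
    $IP route flush cache
}

# bypass_from_routes "IP-ROUTE-TEXT" "LANIP ...": parse, validate, apply.
# Inside ovpnclient-up.sh: bypass_from_routes "$($IP route)" "$NO_VPN_LST"
bypass_from_routes() {
    apply_bypass "$(printf '%s\n' "$1" | wan_gateway)" "$(printf '%s\n' "$1" | wan_dev)" "$2"
}

# Constructed PPPoE-mode table, trimmed from rafamars' posted output.
PPPOE_ROUTES=$(cat <<'EOF'
0.0.0.0/1 via 10.125.2.249 dev tun0
default via 172.16.14.27 dev ppp0
128.0.0.0/1 via 10.125.2.249 dev tun0
172.16.14.27 dev ppp0  proto kernel  scope link  src 86.145.62.137
192.168.1.0/24 dev br0  proto kernel  scope link  src 192.168.1.1
EOF
)
# Constructed DHCP-mode table (gateway is a documentation address).
DHCP_ROUTES=$(cat <<'EOF'
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 203.0.113.1 dev brwan
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev br0  proto kernel  scope link  src 192.168.1.1
EOF
)

# Dry run against the constructed PPPoE table:  sh bypass.sh --demo
if [ "${1:-}" = "--demo" ]; then
    IP=echo
    bypass_from_routes "$PPPOE_ROUTES" "192.168.1.12 192.168.1.7"
fi
```

Run it with --demo to see the exact ip commands it would issue for the PPPoE case before wiring it into ovpnclient-up.sh.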

 

sunmenone

I have one question regarding the monitoring script. Is there a way to get notified?

rafamars

Hi kamoj,

I am getting there setting up all my devices on the router. Thanks to you and Voxel the VPN functionality is working and is fast. I am also able to bypass the VPN for some devices.

However I am having some port opening issues. Indeed I have a security camera which is bypassing the VPN. I am able to live stream so the camera has internet access, however because some ports are being closed, the camera is not able to send notifications.

I tried to open the required ports but no luck. I also tried to place the camera in the DMZ but no luck. I tried to reset the router and load the backup file and still no luck.

I am also experiencing the same issue with anything that requires communication with a server such as a gaming console. Here the gaming console can access the internet but can't log in with the gaming server. I have been trying to check if ports were opened using websites but the answer returned was always closed.

If however I let DHCP manage IP addresses then everything is working.

Is there anything I can do to check that the ports are open apart from using websites? Should I reset and, instead of loading the config file, start everything from scratch?

Let me know if you have any hints I can explore.

Thanks

rafamars

kamoj

Just a thought before we dig too deep into this:

Have you asked your VPN provider which ports they support/pass-on?
Many VPN-providers restrict the usage of ports, and you need to "order" open ports from your provider.

Have you tried e.g. torrenting, and succeeded to open ports, so that you get "completely connectable"?
Have you tried with another router?

rafamars

Hi kamoj,

The couple of devices I have tried to forward ports to are bypassing the VPN. Otherwise yes I can torrent. I also tried turning the VPN off but no luck.

I also tried flashing the stock firmware and reconfiguring from scratch but it is not working either using a fixed or automatic IP.

I will try with another router and let you know.

Also, looking at the readme doc from Voxel, section 5 is about opening the firewall by editing the netwall.conf file. Is it imperative to edit that file or is using the Netgear router interface sufficient? Also it looks like I cannot open a port for a specific IP in netwall.conf.

Also netgear support think it can be a hardware issue which i found hard to believe as I think it must be myself doing something wrong.

Thanks for your ideas

rafamars

rafamars

Hi kamoj,

Resetting the modem has worked and port forwarding is working on the stock firmware.

I will try on the Voxel firmware. Should I open ports using the router interface or the netwall.conf file or both?

Cheers,

rafamars

WhoIsHomer

My router is in the mail and I plan on flashing to Voxel's latest build once I get it.

I've looked over this thread, downloaded the latest firmware and the readme.  Plan on using it as an OpenVPN client.  Any gotchas or pointers I should be aware of before I get started with this?  For loading Voxel's firmware, is it really just as simple as updating the firmware to the custom one through the GUI?

WhoIsHomer

Ok, I got the router.  I've gotten into it and am trying to configure it as an OpenVPN client.

So following these instructions:

1- Download your VPN provider's OVPN file and place them in the /etc/openvpn/config/client directory

Got that step done, simple to copy the file.  That is the only file I get from my VPN provider (Nord VPN).  Where do I enter my username/password?

Nord VPN instructions state (for DD-WRT anyway):

the Username and Password fields are missing, go to Administration > Commands, and enter this code:

echo "YOURUSERNAME
YOURPASSWORD" > /tmp/openvpncl/user.conf
/usr/bin/killall openvpn
/usr/sbin/openvpn --config /tmp/openvpncl/openvpn.conf --route-up /tmp/openvpncl/route-up.sh --down-pre /tmp/openvpncl/route-down.sh --daemon

Should I be saving that as a file somewhere??

They also have a blurb of text that is supposed to go in the additional config box.  Should I be saving that file as something, somewhere?

Any ideas?

WhoIsHomer

Ok, so I am trying to get the OpenVPN client up and running

Following these steps:

1- Download your VPN provider's OVPN file and place them in the /etc/openvpn/config/client directory

Great, got step 1 done.

But where do I put in my credentials?  From the line below it sounds like I create some sort of txt file, but what has to be in that file?

And my VPN provider (NORD VPN) has some configuration that is supposed to go in the additional config section (at least on dd-wrt)

So where would I put that, and what would I name it?

PS: Use full path directory filenames on any referenced files in the OVPN file. Example: change "auth-user-pass credentials.txt" to "auth-user-pass /etc/openvpn/config/client/credentials.txt"
2- Test "/etc/init.d/openvpn-client start/stop" thoroughly and read the log file /var/log/openvpn-client.log before you advance.
