PPTP server

Connecting over the PPTP protocol

1. Check that the ppp-mod-pptp package is present and, if it is missing, install it from the repository

2. Apply the settings shown in the screenshot below. The login and password for the tunnel are obtained from the user's personal page on vpnki

3. Uncheck "Use default gateway"

4. If the VPN tunnel is established over an already existing tunnel to the provider that is used for Internet access (for example PPPoE), it makes sense to change the MTU to 1453 (see the screenshot above)

5. In the file /etc/ppp/options.pptp the line mppe required,no40,no56,stateless must be disabled (commented out).

The contents of a working options.pptp file:

noipdefault
noauth
nobsdcomp
nodeflate
idle 0
#mppe required,no40,no56,stateless
nomppe
maxfail 0
#refuse-eap

6. Status of the established connection

7. Finally, configure the device's routes so that the route to the network 172.16.0.0/16 points at the newly created pptp interface. Routing is explained in more detail in this example.
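The options.pptp file above comments out "mppe required" and adds "nomppe", which turns MPPE off entirely, so this tunnel carries traffic unencrypted inside GRE. The following is an added example (not part of the original instructions) that audits a pppd options file and reports what its MPPE directives mean: "required" (encryption enforced), "disabled" (nomppe present), or "optional". The sample file it builds is a copy of the working options.pptp shown above.

```shell
#!/bin/sh
# Added example, not from the original page: report the MPPE state that a
# pppd options file such as /etc/ppp/options.pptp actually configures.

# pptp_mppe_state FILE -> prints one of: required | optional | disabled
pptp_mppe_state() {
    awk '
        # drop comments and surrounding whitespace, then re-split the line
        { sub(/#.*/, ""); gsub(/^[[:space:]]+|[[:space:]]+$/, "") }
        NF == 0 { next }
        $1 == "nomppe" { nomppe = 1 }                      # MPPE switched off
        $1 == "mppe" && $2 ~ /^required/ { required = 1 }  # "mppe required,..."
        $1 ~ /^require-mppe/ { required = 1 }              # alternative spelling
        END {
            if (nomppe) print "disabled"
            else if (required) print "required"
            else print "optional"
        }
    ' "$1"
}

# make_sample FILE -> writes a copy of the working options.pptp from the guide
make_sample() {
    cat > "$1" <<'EOF'
noipdefault
noauth
nobsdcomp
nodeflate
idle 0
#mppe required,no40,no56,stateless
nomppe
maxfail 0
#refuse-eap
EOF
}
```

Run it as `pptp_mppe_state /etc/ppp/options.pptp` on the router; "disabled" means the PPTP link itself provides no confidentiality, so anything sensitive should be protected by another layer before it crosses the tunnel.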

Route-Based VPNs

The instructions above are for a policy-based VPN. Some VPNs (such as Azure gateways supporting IKEv2) are route-based and do not use traffic selectors. All traffic entering the tunnel is sent to the peer. The Strongswan wiki has some information regarding route-based VPNs. In general, the steps for configuring a route-based VPN are as follows:

  1. Disable installation of routes in the charon daemon (install_routes = no in /etc/strongswan.conf)
  2. Add an updown script to each route-based connection. The updown script must accomplish the following:
     a. Create a tunnel interface for the connection (VTI is currently the only supported tunnel type; XFRM is not currently available in OpenWRT)
     b. Add routes to the remote peer using the newly created tunnel device. Ensure the source IP is correct: the tunnel device will only encapsulate packets whose source matches the “leftsubnet” parameter.

Here is an example script. You can save this (perhaps as /etc/strongswan.d/ipsec-notify.sh) and invoke it using the “local_updown” option for the tunnel configuration. This script is more advanced than most of the examples found elsewhere. It will attempt to automatically configure the source IP address when routing into the tunnel (this matters if you have multiple interfaces on your OpenWRT device).

#!/bin/sh
# strongSwan updown hook for a route-based (VTI) connection.
# Plain POSIX sh: OpenWrt does not ship bash by default.

set -o nounset
set -o errexit

VTI_IF="vti${PLUTO_UNIQUEID}"

# Print the token that follows KEY in one-line (-o) iproute2 output.
field_after() {
    awk -v key="$1" '{ for (i = 1; i < NF; i++) if ($i == key) { print $(i + 1); exit } }'
}

case "${PLUTO_VERB}" in
    up-client)
        # The VTI key must equal the connection mark (mark=%unique in ipsec.conf).
        # PLUTO_MARK_OUT is "mark/mask", so strip the mask.
        ip tunnel add "${VTI_IF}" local "${PLUTO_ME}" remote "${PLUTO_PEER}" mode vti key "${PLUTO_MARK_OUT%%/*}"
        sysctl -w "net.ipv4.conf.${VTI_IF}.disable_policy=1"
        ip link set "${VTI_IF}" up
        # Find the interface and address that own the local subnet. Match by
        # keyword: the position of "dev" and "inet" differs between iproute2 versions.
        dev=$(ip -4 -o route get "${PLUTO_MY_CLIENT}" | field_after dev)
        addr=$(ip -4 -o address show dev "${dev}" | field_after inet)
        # Strip the prefix length ("192.168.1.1/24" -> "192.168.1.1"). The src must
        # lie inside leftsubnet or the VTI will not encapsulate the traffic.
        ip route add "${PLUTO_PEER_CLIENT}" dev "${VTI_IF}" src "${addr%%/*}"
        ;;
    down-client)
        ip tunnel del "${VTI_IF}"
        ;;
esac

Important! This code requires that the kmod-ip-vti package is installed. It also requires that a unique mark be set on all tunnel traffic. This is accomplished in /etc/ipsec.conf by adding the mark parameter to the connection section, e.g. “mark=%unique”. There is not currently any UCI analogue for this connection option.
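Because the hook runs as root with strongSwan-supplied variables, it is worth exercising it before it ever touches a live tunnel. The block below is an added example, not the page's script: the same up-client/down-client logic, but every privileged command goes through a `run` wrapper that only prints the command line when `DRY_RUN=1`, and `ROUTE_GET_OUTPUT` lets you inject a constructed `ip -o route get` line instead of querying the kernel. The PLUTO_* variables are the ones strongSwan exports to updown scripts; the addresses used in the test are made up.

```shell
#!/bin/sh
# Added example, not the page's script: dry-run harness for the VTI updown logic.

# run CMD... -> print the command when DRY_RUN=1, otherwise execute it
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Print the token following KEY in one-line (-o) iproute2 output; matching by
# keyword avoids depending on the field position of "src" or "dev".
field_after() {
    awk -v key="$1" '{ for (i = 1; i < NF; i++) if ($i == key) { print $(i + 1); exit } }'
}

# ROUTE_GET_OUTPUT, when set, replaces the real `ip route get` query so the
# harness can run on a machine that is not the router.
vti_updown() {
    vti_if="vti${PLUTO_UNIQUEID}"
    case "${PLUTO_VERB}" in
    up-client)
        # PLUTO_MARK_OUT is "mark/mask"; the VTI key is the mark alone
        run ip tunnel add "$vti_if" local "$PLUTO_ME" remote "$PLUTO_PEER" \
            mode vti key "${PLUTO_MARK_OUT%%/*}"
        run sysctl -w "net.ipv4.conf.${vti_if}.disable_policy=1"
        run ip link set "$vti_if" up
        if [ -n "${ROUTE_GET_OUTPUT:-}" ]; then
            line="$ROUTE_GET_OUTPUT"
        else
            line=$(ip -4 -o route get "${PLUTO_MY_CLIENT%%/*}")
        fi
        # The kernel reports the preferred source address for the local subnet
        # directly; it has to fall inside leftsubnet or the VTI will not
        # encapsulate the traffic.
        src=$(printf '%s\n' "$line" | field_after src)
        [ -n "$src" ] || { echo "no source address found for ${PLUTO_MY_CLIENT}" >&2; return 1; }
        run ip route add "$PLUTO_PEER_CLIENT" dev "$vti_if" src "$src"
        ;;
    down-client)
        run ip tunnel del "$vti_if"
        ;;
    esac
}

# When installed as the real hook, strongSwan sets PLUTO_VERB; run the logic.
if [ -n "${PLUTO_VERB:-}" ]; then
    vti_updown
fi
```

With `DRY_RUN=1` and the PLUTO_* variables set by hand, the printed command lines are exactly what the hook would execute, which makes it easy to confirm the mark-derived key and the src address before trusting the script with a real connection.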

Strongswan Configuration

To reach the ACME infrastructure we have to tell racoon all the details about the tunnel and the remote networks. We provide all the information in the central /etc/config/ipsec file. The information required for Phase 1 (the initial handshake) is:

  • IP of the remote gateway: 7.7.7.7
  • Aggressive Negotiation: Always a good idea if our router has a changing outside IP.
  • The local identifier. “bratwurst” was chosen in this case. Also needed with a changing outside IP.
  • Proposal: The most common standard for medium security level. A preshared key with Diffie Hellman group 2 and AES 128 Bit encryption.

For the tunnels we need security policies. There are two different subnets we want to reach so two sainfo blocks have to be created in our file. These define the so called Phase 2 proposals. We provide:

  • Definition of the connected local and remote subnets
  • Security parameters (similar to phase 1)
#/etc/config/ipsec
config 'ipsec'
  list listen ''
  
config 'remote' 'acme'
  option 'enabled' '1'
  option 'gateway' '7.7.7.7'
  option 'pre_shared_key' 'yourpasswordhere'
  option 'exchange_mode' 'aggressive'
  option 'local_identifier' 'bratwurst'
  list   'p1_proposal' 'pre_g2_aes_sha1'
  list   'tunnel' 'acme_dmz'
  list   'tunnel' 'acme_lan'

config 'p1_proposal' 'pre_g2_aes_sha1'
  option 'encryption_algorithm' 'aes128'
  option 'hash_algorithm' 'sha1'
  option 'dh_group' '2'

config 'tunnel' 'acme_lan'
  option 'local_subnet' '192.168.2.64/26'
  option 'remote_subnet' '10.1.2.0/24'
  option 'p2_proposal' 'g2_aes_sha1'

config 'tunnel' 'acme_dmz'
  option 'local_subnet' '192.168.2.64/26'
  option 'remote_subnet' '66.77.88.192/26'
  option 'p2_proposal' 'g2_aes_sha1'

config 'p2_proposal' 'g2_aes_sha1'
  option 'pfs_group' '2'
  option 'encryption_algorithm' 'aes128'
  option 'authentication_algorithm' 'sha1'
...

Restart Charon and the firewall afterwards. If everything was set up correctly according to the basics and firewall guide you should be able to see the new configuration.

… pictures with checks …

VPNs that don’t work with OpenWrt

The VPN providers we’ve included in our list have confirmed that their services work with OpenWrt. They either offer online tutorials or customer support to help with setup. Other providers we contacted confirmed that they don’t currently support use with OpenWrt firmware:

  • CyberGhost
  • IPVanish
  • VPNArea
  • StrongVPN

However, it’s worth bearing in mind that due to the relative newness of the OpenWrt firmware, it’s understandable that it’s off the radar for many providers. As it grows in popularity and there is more demand for compatible VPNs, we could well see this list shrink as providers update their services.

Old stable series: OpenWrt 19.07

The OpenWrt Community is proud to present the OpenWrt 19.07 stable version series. It is the successor of the previous 18.06 stable major release.

The OpenWrt 19.07 series focuses on bringing all supported targets to Linux kernel version 4.14 and introducing initial device tree based ath79 support.

Current Stable Release — OpenWrt 19.07.8

The current stable version series of OpenWrt is 19.07, with v19.07.8 being the latest release of the series. It was released on 7 August 2021.

  • Release Notes

  • Download a firmware image for your device (Table of Hardware)

  • Download a firmware image for your device (firmware selector)

  • All firmware images

  • Detailed Changelog

  • Browse Source

PrivateVPN

Apps Available:

  • PC

  • Mac

  • IOS

  • Android

  • Linux

Money-back guarantee: 30 DAYS

PrivateVPN is a newer, smaller provider, but is actually a great all-rounder. It works with OpenWrt, although you’ll probably need to contact customer support for help with setup. The support is all in-house and there’s no live chat, so you may not get a prompt response, but it will be knowledgeable. PrivateVPN can also be configured with routers running a variety of other firmware, including DD-WRT or Tomato.

This service performs extremely well when it comes to speed testing, which is welcome news to those wanting to stream or torrent. It has also proven to be good at unblocking geo-restricted content such as that provided by Netflix, Hulu, HBO, and Amazon Prime Video.

If you’re concerned about security and privacy, as its name suggests, PrivateVPN has you covered. It uses 128-bit or 256-bit encryption, depending on which protocol you choose (OpenVPN is recommended). This is alongside perfect forward secrecy, DNS leak protection, and a kill switch. The latter will kill the internet connection should the VPN connection drop.

Like NordVPN, PrivateVPN allows six simultaneous connections, which is one more than the industry standard of five. Apps are available for Windows, MacOS, iOS, and Android.

Pros:

  • Works with OpenWrt; in-house support assistance will get you going
  • Fast servers, also great for unblocking streaming sites securely and privately
  • They log no personally identifiable information on their users
  • Kill switch and automatic wifi protection activate when connection drops

As a bonus, let's set up DNSCrypt

Why? Your provider may helpfully substitute the IP address of a blocked resource, redirecting you to its own IP with a stub page, and our IP-based bypass won't help in that case. Substitution doesn't even always require using the provider's DNS server: your queries can be intercepted and the replies replaced. And incidentally, it isn't only the provider who can do this.

Configure /etc/config/dnscrypt-proxy roughly like this:

This gives us a dnscrypt service on port 5353, available on localhost.

A resolver is a DNS server that supports encryption. On the router, the file /usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv contains the list of servers that were available when the installed dnscrypt version was released. All available dnscrypt servers are listed at https://dnscrypt.info/public-servers/. You can choose a different resolver and/or add servers for redundancy. Keep in mind that for DNSCrypt to work with the chosen resolver, it must be listed in dnscrypt-resolvers.csv.

Configure dnsmasq to work with dnscrypt. In /etc/config/dhcp, comment out the line:

so that the provider's DNS servers are not used.

And add:

The entry list server 'domain/ip_dns' specifies which DNS server to use to resolve the given domain.

This way we do not use dnscrypt for NTP synchronization; the dnscrypt service needs the correct time in order to work.

When the router boots, the hirkn script starts before dnscrypt does, so the antifilter.download domain does not resolve and the lists are not downloaded. One could add a delay or come up with something else, but so far I see no point. UPD: you need to add the line

to the hirkn script

As a result we get this addition to the config:

UPD: On some devices DNSCrypt still starts after the script. The simplest way to fix this is to add to /etc/config/dhcp the line

Disable the use of the provider's DNS for the wan interface
In /etc/config/network add the line

to the wan interface.
The resulting configuration

Restart the network

Add dnscrypt to autostart and start it:

Restart dnsmasq:

Illustration of operation without DNSCrypt and with DNSCrypt
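The dnsmasq part of this setup relies on how "server" entries are selected: a "/domain/ip" entry captures the domain and everything under it, and all other names go to the plain server entry (here the local dnscrypt-proxy listener). The following is an added example, not part of the original post, that reproduces that selection over a constructed entry list so you can confirm which names bypass DNSCrypt before changing the router's config. The entries and the resolver address 192.0.2.53 are made up for the example.

```shell
#!/bin/sh
# Added example, not from the original page: which upstream does dnsmasq pick
# for a name, given its "server" entries?

# upstream_for NAME SERVER_LIST
#   SERVER_LIST holds one entry per line in dnsmasq syntax:
#   "/domain/ip[#port]" for a per-domain upstream, "ip[#port]" for the default.
#   dnsmasq uses the most specific matching domain entry.
upstream_for() {
    printf '%s\n' "$2" | awk -v q="$1" '
        /^\// {
            split($0, p, "/")                  # "/domain/ip" -> p[2], p[3]
            dom = p[2]; up = p[3]
            # match the domain itself or any name ending in ".domain"
            if (q == dom || substr(q, length(q) - length(dom)) == "." dom) {
                if (length(dom) > best_len) { best_len = length(dom); best = up }
            }
            next
        }
        NF && def == "" { def = $0 }           # first plain entry is the default
        END { print (best != "" ? best : def) }
    '
}

# Constructed entries mirroring the setup described above: everything is
# resolved through the local dnscrypt-proxy listener on 127.0.0.1 port 5353,
# except the NTP pool, which is sent to an ordinary resolver (192.0.2.53 is a
# placeholder address) so the clock can be set before dnscrypt-proxy is up.
SAMPLE_SERVERS='127.0.0.1#5353
/pool.ntp.org/192.0.2.53'

# which_upstream NAME -> upstream chosen for NAME under SAMPLE_SERVERS
which_upstream() {
    upstream_for "$1" "$SAMPLE_SERVERS"
}
```

The trade-off the example makes visible: every name routed to a plain resolver by a "/domain/ip" entry is resolved in the clear, so that list should stay as short as the boot-time dependency (here, NTP) requires.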

Create VPN Network Interface

A new network interface ‘’ for the tunnel device ‘’ can be created with the following commands.

uci set network.ovpn='interface'
uci set network.ovpn.proto='none'
uci set network.ovpn.ifname='tun0'

uci commit network

Add ‘’ interface to ‘’ firewall zone.

# @zone[1] is the wan zone in the default firewall config; verify the index with: uci show firewall
uci show firewall.@zone[1]
uci add_list firewall.@zone[1].network='ovpn'

uci commit firewall

/etc/init.d/firewall restart
/etc/init.d/network restart

Now that the network interface is set up, let us continue with configuring . We will open tunnel ‘’ after configuring . Meanwhile, ‘Network device is not present’ will show up in the interface page due to the non-existent ‘’.

Configuring WireGuard on the server

I do everything on Ubuntu 18.04, but the official documentation has installation instructions for all well-known (and less well-known) operating systems.

Installation

Generate the keys for the server. For convenience, we'll save the keys in the WireGuard directory

Accordingly, privatekey-server will hold the private key and publickey-server the public key.
Let's also generate a key for the client right away:

Configuration

The config is stored in /etc/wireguard/wg0.conf. The server part looks like this:

  • Address: the address for the wg interface (the address inside the tunnel)
  • PrivateKey: the private key (privatekey-server)
  • ListenPort: the port on which the service listens for connections

And we set up masquerading, since we will use this server for Internet access.
Note that the interface name may differ in your case:

Client part

  • PublicKey: the public key of our router (publickey-client)
  • AllowedIPs: the subnets that will be reachable through this tunnel. The server only needs access to the client's address.

Both parts are stored in one config.

Enable autostart on reboot:

Make the server a router:

Configure the firewall. Let's assume the server runs only WireGuard and ssh:

Save the iptables configuration:

Bring up the wg interface manually for the first time:

The WireGuard server is ready.

UPD 27.06.19: If your provider still uses PPPoE, you need to add a rule. Thanks to denix123

NordVPN

Apps Available:

  • PC

  • Mac

  • IOS

  • Android

  • Linux

Money-back guarantee: 30 DAYS

NordVPN is our first choice for router setup. You can manually configure the VPN to a compatible router or you can opt to purchase a pre-configured router sold by third-party affiliate, FlashRouter. Although, the latter only makes NordVPN routers using the Tomato and DD-WRT firmware. For OpenWrt, you’ll have to manually configure.

NordVPN has posted a tutorial for configuring the VPN with a router running OpenWrt firmware (we’ve included it in our tutorial list below). And if you have any issues, the live chat team is just a click away to offer assistance.

NordVPN operates a huge network of more than 5,000 servers in 59 countries. Many are optimized for specific purposes, including P2P traffic and double VPN connections. It offers fast speeds and reliable service so you can carry out your everyday online activities without worrying about poor, slow connections. It can also provide access to plenty of streaming sites, including Netflix, BBC iPlayer, Hulu, HBO, and Amazon Prime Video.

This service uses “military-grade” 256-bit encryption with perfect forward secrecy. The OpenVPN protocol is recommended and used by default. A kill switch and DNS leak protection are built-in. This means you can rest assured your information will never leave the encrypted tunnel. NordVPN keeps no logs at all. A newer feature is automatic wifi protection, which is a big bonus if you travel or are often on-the-go.

A plan enables you to connect to six devices simultaneously, which makes it ideal for families or those with a lot of devices. Desktop clients are available for Windows and MacOS and mobile apps can be downloaded for iOS and Android.

Pros:

  • Manual configuration available for OpenWrt with tutorial assistance
  • Live chat can assist you with manual configurations
  • Vast server network is very capable at unblocking most geo-restricted content
  • The fastest speeds of any VPN we’ve tested
  • Strong encryption and no logs make for top security and privacy

OpenWrt wants you!

Like any open source project, OpenWrt thrives on the efforts of its users and developers.

If you want to develop the software, please refer to our Developer Guide to learn how to get the source code, build it, and contribute your changes back to the project.

If you’re not a developer, you can still help. The documentation can always be improved (even if it’s to verify that the instructions match your experience), or you can help other community members with questions. Don’t hesitate to Register yourself in the wiki, or join our mailing list and IRC channels to get in touch.

https://sfconservancy.org/news/2020/sep/10/openwrt-joins/

OpenVPN configuration

OpenVPN can be configured either through the UCI interface (specific to OpenWrt) or with traditional OpenVPN configuration files (*.conf). OpenVPN automatically loads all *.conf files from /etc/openvpn/.

Users already familiar with OpenVPN will probably prefer the configuration files, and that choice is likely to be simpler and more convenient for anyone planning to run several OpenVPN instances.

For simplicity and consistency, the rest of this guide uses the OpenWrt UCI interface to configure OpenVPN, as described below. Note that this section gives the commands for the UCI interface (users of traditional configuration files will have to adapt them to their setup).

Traditional (TUN) server

echo > /etc/config/openvpn # clear the UCI configuration for OpenVPN
uci set openvpn.myvpn=openvpn
uci set openvpn.myvpn.enabled=1
uci set openvpn.myvpn.verb=3
uci set openvpn.myvpn.port=1194
uci set openvpn.myvpn.proto=udp
uci set openvpn.myvpn.dev=tun
uci set openvpn.myvpn.server='10.8.0.0 255.255.255.0'
uci set openvpn.myvpn.keepalive='10 120'
uci set openvpn.myvpn.ca=/etc/openvpn/ca.crt
uci set openvpn.myvpn.cert=/etc/openvpn/my-server.crt
uci set openvpn.myvpn.key=/etc/openvpn/my-server.key
uci set openvpn.myvpn.dh=/etc/openvpn/dh2048.pem
uci commit openvpn

Bridged (TAP) server

echo > /etc/config/openvpn # clear the UCI configuration for OpenVPN
uci set openvpn.myvpn=openvpn
uci set openvpn.myvpn.enabled=1
uci set openvpn.myvpn.verb=3
uci set openvpn.myvpn.proto=udp
uci set openvpn.myvpn.port=1194
uci set openvpn.myvpn.dev=tap
uci set openvpn.myvpn.mode=server
uci set openvpn.myvpn.tls_server=1
uci add_list openvpn.myvpn.push='route-gateway dhcp'
uci set openvpn.myvpn.keepalive='10 120'
uci set openvpn.myvpn.ca=/etc/openvpn/ca.crt
uci set openvpn.myvpn.cert=/etc/openvpn/my-server.crt
uci set openvpn.myvpn.key=/etc/openvpn/my-server.key
uci set openvpn.myvpn.dh=/etc/openvpn/dh2048.pem
uci commit openvpn

Client

The client configuration depends heavily on the server settings. You must adjust it to match the server you are connecting to.

echo > /etc/config/openvpn # clear the UCI configuration for OpenVPN
uci set openvpn.myvpn=openvpn
uci set openvpn.myvpn.enabled=1
uci set openvpn.myvpn.dev=tun
uci set openvpn.myvpn.proto=udp
uci set openvpn.myvpn.verb=3
uci set openvpn.myvpn.ca=/etc/openvpn/ca.crt
uci set openvpn.myvpn.cert=/etc/openvpn/my-client.crt
uci set openvpn.myvpn.key=/etc/openvpn/my-client.key
uci set openvpn.myvpn.client=1
uci set openvpn.myvpn.remote_cert_tls=server
uci set openvpn.myvpn.remote="SERVER_IP_ADDRESS 1194"
uci commit openvpn

If your server requires password authentication:

uci set openvpn.myvpn.auth_user_pass=/path/to/password.txt

The password.txt file must contain the login on the first line and the password on the second. Keep this file in a safe place.

You can also use the route_nopull option. It disables automatic routing. Keep in mind that you will then have to set all routes yourself, and the server will still determine the TCP/IP properties of your TUN/TAP device:

uci set openvpn.myvpn.route_nopull=1

This completes the basic setup. Start OpenVPN:

/etc/init.d/openvpn enable
/etc/init.d/openvpn start

Protocol «pppossh» (Point-to-Point over SSH)

The package pppossh must be installed to use this protocol.

Name        | Type    | Required | Default | Description
------------|---------|----------|---------|------------
server      | string  | yes      | (none)  | SSH server name
port        | integer | no       | 22      | SSH server port
sshuser     | string  | yes      | (none)  | SSH login username
identity    | list    | no       |         | list of client private key files. The defaults will be used if no identity file is specified, and at least one of them must be valid for public key authentication to proceed.
ipaddr      | string  | yes      | (none)  | local IP address to be assigned
peeraddr    | string  | yes      | (none)  | peer IP address to be assigned
ssh_options | list    | yes      | (none)  | peer ip address to be assigned
use_hostdep | bool    | no       | 1       | set it to 0 to disable the use of proto_add_host_dependency. This is mainly for the case where the appropriate route to the server is not registered with netifd, causing an incorrect route to be set up

For configuration see the current README.

Surfshark

Apps Available:

  • PC

  • Mac

  • IOS

  • Android

  • Linux

Money-back guarantee: 30 DAYS

Surfshark is a speedy, low-cost option that works well with routers. The service’s website offers step-by-step tutorials for OpenWrt, ASUS-WRT, Mikrotik, Tomato, and DD-WRT routers, plus with over 3,000 servers to choose from, you shouldn’t have any issues getting a low-latency, high-speed connection.

So what else does this VPN have to offer? First, it excels at unblocking geo-restricted streaming platforms like Netflix. Second, it allows you to secure any number of devices at once, something very few major providers do.

Finally, it offers an impressive array of security features. These include 256-bit encryption, a kill switch, and protection against DNS and IPv6 leaks, not to mention a feature that turns the VPN on automatically whenever you use an unsecured wifi network. Crucially, Surfshark doesn’t keep any logs.

Surfshark offers iOS, Android, MacOS, Windows, and Linux apps.

Pros:

  • Works great on routers, well-documented setup procedures
  • Fast speeds and unlimited bandwidth
  • Connect as many devices as you like
  • Great unblocking ability
  • Impressive security offering

Command-line instructions

1. Preparation

Install the required packages.
Specify the VPN client configuration parameters.

# Install packages
opkg update
opkg install wireguard
 
# Configuration parameters
WG_IF="vpn"
WG_SERV="SERVER_ADDRESS"
WG_PORT="51820"
WG_ADDR="192.168.9.2/24"
WG_ADDR6="fdf1:e8a1:8d3f:9::2/64"

2. Key management

Generate and exchange keys between server and client.

# Generate keys
umask go=
wg genkey | tee wgserver.key | wg pubkey > wgserver.pub
wg genkey | tee wgclient.key | wg pubkey > wgclient.pub
wg genpsk > wgclient.psk
 
# Client private key
WG_KEY="$(cat wgclient.key)"
 
# Pre-shared key
WG_PSK="$(cat wgclient.psk)"
 
# Server public key
WG_PUB="$(cat wgserver.pub)"

3. Firewall

Consider VPN network as public.
Assign VPN interface to WAN zone to minimize firewall setup.

# Configure firewall
# the default firewall config has two anonymous zones: @zone[0] is lan, @zone[1] is wan
uci rename firewall.@zone[0]="lan"
uci rename firewall.@zone[1]="wan"
uci del_list firewall.wan.network="${WG_IF}"
uci add_list firewall.wan.network="${WG_IF}"
uci commit firewall
/etc/init.d/firewall restart

4. Network

Configure VPN interface and peers.

# Configure network
uci -q delete network.${WG_IF}
uci set network.${WG_IF}="interface"
uci set network.${WG_IF}.proto="wireguard"
uci set network.${WG_IF}.private_key="${WG_KEY}"
uci add_list network.${WG_IF}.addresses="${WG_ADDR}"
uci add_list network.${WG_IF}.addresses="${WG_ADDR6}"
 
# Add VPN peers
uci -q delete network.wgserver
uci set network.wgserver="wireguard_${WG_IF}"
uci set network.wgserver.public_key="${WG_PUB}"
uci set network.wgserver.preshared_key="${WG_PSK}"
uci set network.wgserver.endpoint_host="${WG_SERV}"
uci set network.wgserver.endpoint_port="${WG_PORT}"
uci set network.wgserver.route_allowed_ips="1"
uci set network.wgserver.persistent_keepalive="25"
uci add_list network.wgserver.allowed_ips="0.0.0.0/0"
uci add_list network.wgserver.allowed_ips="::/0"
uci commit network
/etc/init.d/network restart

Resolve and configure if necessary.

Routing

You should now be able to use both VPNs.
You can start both and check whether it works.

ping -I tun0 openwrt.org
ping -I tun1 openwrt.org

But all traffic for tun1 gets routed through WAN, not WAN2, so we need static routes to make traffic destined for VPN2 go through WAN2.

Take the remotes VPNX_IPX from the VPN config and route them through the appropriate interface in LuCI → Network → Static Routes.

Now start both VPNs and unplug WAN and check:

# Should not work
ping -I tun0 openwrt.org
 
# Should work
ping -I tun1 openwrt.org

If you unplug WAN2 and plug in WAN it is the other way around.
Congratulations, both VPNs work: traffic for the VPN1 remote gets routed through WAN and for VPN2 through WAN2.

If both VPNs are running the routes should look like this:

# route
Kernel IP routing table
Destination    Gateway    Genmask         Flags Metric Ref    Use Iface
default        $WAN_GW    0.0.0.0         UG    10              eth1.2
default        $WAN2_GW   0.0.0.0         UG    20              eth1.3
10.50.0.0      *          255.255.0.0     U                    tun1
10.52.0.0      *          255.255.0.0     U                    tun0
$VPN1_IP1      $WAN_GW    255.255.255.255 UGH   10              eth1.2
$VPN1_IP2      $WAN_GW    255.255.255.255 UGH   10              eth1.2
$VPN1_IP3      $WAN_GW    255.255.255.255 UGH   10              eth1.2
$VPN2_IP1      $WAN2_GW   255.255.255.255 UGH   20              eth1.3
$VPN2_IP2      $WAN2_GW   255.255.255.255 UGH   20              eth1.3
$VPN2_IP3      $WAN2_GW   255.255.255.255 UGH   20              eth1.3
$WAN           *          255.255.255.0   U     10              eth1.2
$WAN2          *          255.255.255.0   U     20              eth1.3
$LAN           *          255.255.255.0   U                    br-lan
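The security-relevant detail in that table is the /32 host routes: a VPN remote without one follows "default" and, while WAN is up, leaves through the wrong uplink. The block below is an added example (not part of the original guide) that checks `route` output for exactly that: it looks up the host route for each remote and reports whether it goes via the expected gateway. The embedded table is a constructed copy of the one above with placeholder addresses (192.0.2.1 for $WAN_GW, 198.51.100.1 for $WAN2_GW, 203.0.113.x for the VPN remotes) substituted in.

```shell
#!/bin/sh
# Added example, not from the original page: verify per-remote host routes.

# Constructed `route` output; the addresses are documentation ranges standing
# in for the $WAN_GW / $WAN2_GW / $VPNx_IPx placeholders used in the guide.
ROUTE_TABLE='Kernel IP routing table
Destination    Gateway      Genmask         Flags Metric Ref    Use Iface
default        192.0.2.1    0.0.0.0         UG    10              eth1.2
default        198.51.100.1 0.0.0.0         UG    20              eth1.3
10.50.0.0      *            255.255.0.0     U                    tun1
10.52.0.0      *            255.255.0.0     U                    tun0
203.0.113.10   192.0.2.1    255.255.255.255 UGH   10              eth1.2
203.0.113.20   198.51.100.1 255.255.255.255 UGH   20              eth1.3
192.0.2.0      *            255.255.255.0   U     10              eth1.2
198.51.100.0   *            255.255.255.0   U     20              eth1.3'

# host_route_via TABLE DEST -> prints "GATEWAY IFACE" of the /32 route for
# DEST, or nothing if there is none
host_route_via() {
    printf '%s\n' "$1" | awk -v d="$2" '
        $1 == d && $3 == "255.255.255.255" { print $2, $NF; exit }'
}

# check_remote TABLE DEST EXPECTED_GW -> "ok", "missing", or "via <gateway>"
check_remote() {
    table="$1"; dest="$2"; want="$3"
    r=$(host_route_via "$table" "$dest")
    [ -n "$r" ] || { echo missing; return 1; }
    gw=${r%% *}
    if [ "$gw" = "$want" ]; then
        echo ok
    else
        echo "via $gw"
        return 1
    fi
}

# check_all TABLE -> runs the checks for the constructed remotes; on the router
# replace the addresses with your real remotes and gateways
check_all() {
    check_remote "$1" 203.0.113.10 192.0.2.1 >/dev/null &&
    check_remote "$1" 203.0.113.20 198.51.100.1 >/dev/null
}
```

On a live router feed it `route` output directly: `check_remote "$(route -n)" <remote> <gateway>`; a "missing" result is the case where unplugging WAN would not fail over as expected, because the VPN2 remote was still reachable only through the default route.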

Configure multi-wan (mwan3)

The default configuration contains some dummy entries, so we empty the file before configuring it.

rm /etc/config/mwan3
touch /etc/config/mwan3

Enter the following commands to create multi-wan that uses both ‘’ and ‘’ networks.


uci set mwan3.globals='globals'
uci set mwan3.globals.mmx_mask='0x3F00'
uci set mwan3.globals.rtmon_interval='5'

uci set mwan3.ovpn='interface'
uci set mwan3.ovpn.enabled='1'
uci set mwan3.ovpn.family='ipv4'
uci set mwan3.ovpn.initial_state='offline'
uci add_list mwan3.ovpn.track_ip='8.8.8.8'
uci add_list mwan3.ovpn.track_ip='8.8.4.4'
uci set mwan3.ovpn.track_method='ping'
uci set mwan3.ovpn.reliability='2'
uci set mwan3.ovpn.count='1'
uci set mwan3.ovpn.size='56'
uci set mwan3.ovpn.max_ttl='60'
uci set mwan3.ovpn.check_quality='0'
uci set mwan3.ovpn.failure_interval='5'
uci set mwan3.ovpn.recovery_interval='5'
uci set mwan3.ovpn.timeout='5'
uci set mwan3.ovpn.interval='5'
uci set mwan3.ovpn.down='3'
uci set mwan3.ovpn.up='3'

uci set mwan3.wan=interface
uci set mwan3.wan.enabled='1'
uci add_list mwan3.wan.track_ip='8.8.8.8'
uci add_list mwan3.wan.track_ip='8.8.4.4'
uci set mwan3.wan.family='ipv4'
uci set mwan3.wan.reliability='2'
uci set mwan3.wan.count='1'
uci set mwan3.wan.timeout='2'
uci set mwan3.wan.failure_latency='1000'
uci set mwan3.wan.recovery_latency='500'
uci set mwan3.wan.failure_loss='20'
uci set mwan3.wan.recovery_loss='5'
uci set mwan3.wan.interval='5'
uci set mwan3.wan.down='3'
uci set mwan3.wan.up='8'

uci set mwan3.wan_m1=member
uci set mwan3.wan_m1.interface='wan'
uci set mwan3.wan_m1.metric='2'
uci set mwan3.wan_m1.weight='3'

uci set mwan3.ovpn_m1=member
uci set mwan3.ovpn_m1.interface='ovpn'
uci set mwan3.ovpn_m1.metric='1'
uci set mwan3.ovpn_m1.weight='6'

uci set mwan3.wan_policy=policy
uci set mwan3.wan_policy.last_resort='default'
uci add_list mwan3.wan_policy.use_member='wan_m1'

uci set mwan3.default_policy=policy
uci set mwan3.default_policy.last_resort='default'
uci add_list mwan3.default_policy.use_member='ovpn_m1'
uci add_list mwan3.default_policy.use_member='wan_m1'

uci set mwan3.default_rule_v4=rule
uci set mwan3.default_rule_v4.dest_ip='0.0.0.0/0'
uci set mwan3.default_rule_v4.family='ipv4'
uci set mwan3.default_rule_v4.use_policy='default_policy'

uci commit mwan3
/etc/init.d/mwan3 restart

The is configured at this point, you can see status at http://openwrt.lan/cgi-bin/luci/admin/status/overview at the bottom of page. » interface status will show as disabled, and opening a tunnel ‘’ will fix that.

Reboot router with reboot if you can’t see the two interfaces. The next step is to open the tunnel ‘’, so that ‘’ interface starts working.

Protocol «relay» (Relayd Pseudo Bridge)

The package relayd must be installed to use this protocol.

Name | Type                            | Required | Default           | Description
-----|---------------------------------|----------|-------------------|------------
     | list of logical interface names | yes      | (none)            | Specifies the networks between which traffic is relayed
     | IPv4 address                    | no       | (network default) | Override the gateway address sent to clients within DHCP responses
     | integer                         | no       | 30                | Host expiry timeout in seconds
     | integer                         | no       | 5                 | Number of ARP ping retries before a host is considered dead
     | integer                         | no       | 16800             | Table ID for automatically added routes
     | boolean                         | no       | 1                 | Enables forwarding of broadcast traffic, disables it
     | boolean                         | no       | 1                 | Enables forwarding of DHCP requests and responses, disables it

Alternative guide for OpenVPN client using LuCI

The link below is to a tutorial which was written for the BT Home Hub 5A and Windows Users in mind, but is sufficiently generic to apply to most other OpenWrt routers with a working internet connection.
It has been tested with Asus RT-AC57u, Linksys EA6350v3, TPlink Archer C50 v4, Western Digital MyNet N750 etc.

The original v1.1 guide supports LEDE 17 and OpenWrt 18.
The later v1.2 guide is for OpenWrt 19.07 using its new ovpn file upload function.
Includes information on DNS resolver, Kill switch, and popular VPN providers.

If you are having difficulties getting the OpenVPN client to work using the instructions on this wiki page, please download and study the tutorial PDF from the Dropbox folder found in the ebilan forum.