[root@rhce-ryanrudolf]# rm -rf / 2> /dev/null

things I break/fix for fun and learning

Jul 26, 2019 - 5 minute read - Comments

Windscribe VPN on OpenWRT WDR3600

I’ve been using Windscribe VPN for several weeks now, and it works OK for my needs. I use it to watch geographically blocked content (N3tflix). Windscribe has awesome apps for Android / iOS and they also have a command line client for Linux. This works OK for the most part, except when I want to watch N3tflix on the TV, as my SmartTV does not have a VPN client (yet). The easier way to solve this is to connect my laptop to the TV or to cast my phone to the TV, but where is the fun in that? I have a spare OpenWRT router and this will be perfect for this scenario. Running a VPN client at the router level means that all devices connected to the router will automatically be utilizing the VPN connection.

I will be using a TPLink WDR3600. I had this router for a while and it is unbrickable as I had modified the bootloader (u-boot). It has an embedded webserver that can be used to recover from bricks. The current stable version of OpenWRT 18.06.4 does not support importing OpenVPN connection profiles, however the latest snapshot build does. In addition to that, the stable build uses the old ar71xx for my device, while the snapshot build uses the newer ath79. Since my router is unbrickable, I decided to use the ath79 snapshot build for WDR3600. (What’s the difference between ar71xx and ath79?) Once the firmware flashing is done, it is just a matter of installing packages, uploading the OpenVPN profile, setting firewall rules and DNS entries!

Preparing the router / Flashing the router with latest snapshot build

  1. Download latest snapshot of ath79 WDR3600 firmware here.

  2. Flash the firmware using u-boot embedded webserver or via router GUI.

  3. Once completed, router will reboot.

  4. Snapshot builds do not have a GUI by default. Need to install packages for the GUI.

Installing additional packages

  1. Login / ssh to the router.

  2. Perform opkg update and opkg install luci to install the GUI.

  3. Perform opkg install luci-app-openvpn openvpn-openssl to install the OpenVPN components.

Configuring firewall rules

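  1. Now it’s time to set the firewall rules. Treat the VPN network as public and assign the VPN interface (tun0) to the WAN zone to minimize firewall setup. The command below addresses the WAN zone by index, @zone[1], which is where the default OpenWrt firewall configuration defines it.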

    uci set firewall.@zone[1].device="tun0"
    uci commit firewall
    service firewall restart

Getting the OpenVPN profile (ovpn) and importing it to the router

  1. Go to https://windscribe.com/getconfig/openvpn and download the configuration. It will be saved as ovpn file.

  2. On that page, take note also of username / password.

  3. On the router GUI, go to Services > OpenVPN.

  4. Under OVPN configuration file upload, enter Windscribe. Click on Choose File and then navigate to the ovpn file downloaded earlier. Finally select Upload.

  5. Under OpenVPN instances, it will now show an entry for Windscribe. Put a checkmark on Enabled. This will enable and start the connection whenever the router reboots.

  6. Now we need to enter our username / password for Windscribe. Select EDIT and the Windscribe configuration will appear.

  7. On the first box, look for the line that reads auth-user-pass and change it so that it reads auth-user-pass /etc/openvpn/Windscribe.auth. Still on the first box, enter the following additional configuration -

    script-security 2
    up "/etc/openvpn/updns"
    down "/etc/openvpn/downdns"

  8. On the second box, enter the username / password.

  9. Once everything is done, press SAVE. The final configuration should look like this -

Additional scripts

  1. Login / ssh to the router.
  2. Enter the following commands to create the up / down DNS script and to make them executable -

    # Create the up script: save the current resolver file, then build a new
    # one from the DNS/DOMAIN options pushed by the VPN server.
    cat <<'EOF' > /etc/openvpn/updns
    #!/bin/sh
    mv /tmp/resolv.conf.auto /tmp/resolv.conf.auto.hold
    echo "$foreign_option_1" | sed -e 's/dhcp-option DOMAIN/domain/g' -e 's/dhcp-option DNS/nameserver/g' > /tmp/resolv.conf.auto
    echo "$foreign_option_2" | sed -e 's/dhcp-option DOMAIN/domain/g' -e 's/dhcp-option DNS/nameserver/g' >> /tmp/resolv.conf.auto
    echo "$foreign_option_3" | sed -e 's/dhcp-option DOMAIN/domain/g' -e 's/dhcp-option DNS/nameserver/g' >> /tmp/resolv.conf.auto
    EOF
    # Create the down script: restore the saved resolver file.
    cat <<'EOF' > /etc/openvpn/downdns
    #!/bin/sh
    mv /tmp/resolv.conf.auto.hold /tmp/resolv.conf.auto
    EOF
    chmod 755 /etc/openvpn/updns
    chmod 755 /etc/openvpn/downdns
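
The up script above copies whatever the server pushes in the first three options straight into the resolver file. The following added example (not part of the original post) is a stricter variant that walks every `foreign_option_N`, keeps only well-formed DNS/DOMAIN entries, and leaves the resolver untouched when no valid nameserver was pushed. The function names `foreign_opts_to_resolv` and `apply_vpn_dns` are hypothetical; `script_type` is the variable OpenVPN sets before running a script.

```shell
#!/bin/sh
# Added example (not the post's script): stricter body for /etc/openvpn/updns.
# OpenVPN exports each pushed option as foreign_option_1, foreign_option_2, ...

# Print resolv.conf lines for every pushed DNS/DOMAIN option; drop the rest.
foreign_opts_to_resolv() {
    i=1
    while :; do
        eval "opt=\${foreign_option_$i:-}"
        [ -n "$opt" ] || break
        # Split "dhcp-option DNS 10.0.0.1" into words with globbing disabled.
        set -f; set -- $opt; set +f
        if [ "$1" = "dhcp-option" ] && [ $# -eq 3 ]; then
            case "$2" in
                DNS)    # accept only digits and dots in dotted-quad shape
                    case "$3" in
                        *[!0-9.]*|*..*|.*|*.|*.*.*.*.*) ;;
                        *.*.*.*) echo "nameserver $3" ;;
                    esac ;;
                DOMAIN) # accept only hostname characters
                    case "$3" in
                        *[!A-Za-z0-9.-]*) ;;
                        *) echo "domain $3" ;;
                    esac ;;
            esac
        fi
        i=$((i + 1))
    done
}

# Swap in the VPN resolver only if at least one valid nameserver was pushed.
# $1 is the resolver file (the post uses /tmp/resolv.conf.auto).
apply_vpn_dns() {
    new=$(foreign_opts_to_resolv)
    printf '%s\n' "$new" | grep -q '^nameserver ' || return 1
    mv "$1" "$1.hold" && printf '%s\n' "$new" > "$1"
}

# script_type is set by OpenVPN; the guard keeps a manual run side-effect free.
if [ "${script_type:-}" = "up" ]; then
    apply_vpn_dns /tmp/resolv.conf.auto ||
        logger -t updns "resolver not replaced"
fi
```

The down script from the post still works unchanged with this variant, because the saved copy keeps the same `.hold` name.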

Setting DNS entries

  1. The clients connected to the router need to use the DNS servers from Windscribe VPN. Login / ssh to the router.

  2. Edit the file /etc/config/dhcp and add these entries at the end of the config dhcp 'lan'

    list dhcp_option '6,,,'

  3. Reboot the router. Once the router reboots, go to Services > OpenVPN to verify if Windscribe is running.

  4. It’s all done! Windscribe VPN is now running on OpenWRT router!

Testing the VPN connection

  1. Go to ipleak.net to verify the IP address and DNS. I am based in Canada, but my IP address now shows I’m located in New York, which means the VPN connection is working ok.

  2. Head over to Netflix, and US shows are now available. Example is Supernatural - this is not available in Canadian Netflix but now I can watch it because of my VPN connection.

  3. Connect phone to the VPN router and Pandora content is now accessible. Pandora is only available to US residents but I can access it now in Canada because of the VPN connection.

Final Thoughts

My SmartTV connects exclusively to this VPN router so that it can have access to US Netflix content. Aside from this, the VPN connection also provides many benefits, and from time to time I use my phone / laptop with this VPN connection.

ISP Cable modem (left) is connected to WDR3500 (green LED). WDR3500 is my main router running the latest stable OpenWRT 18.06.4. This also has a DMZ VLAN for several VMs exposed to the Internet. WDR3500 is cascaded to WDR3600 (blue LED). This is running the latest snapshot of OpenWRT and configured to use Windscribe VPN connection. All devices connected to the WDR3600 receive a US IP address.
