
Getting astrill vpn to work with OpenWRT (the hard way)!

I've just subscribed to the Astrill VPN service, thinking that their OpenWRT scripting works, as per the old Twitter post saying they're working on it. But to my dismay, they still don't have one that works. I created a support ticket as suggested by a Twitter reply from Astrill support, but it came back saying that they only support DD-WRT, so no OpenWRT, Fonera or Tomato support at the moment.

The reason why I'm sticking with OpenWRT on my WZR-HP-G300NH router is that I've got VLAN ports and tagging working on this router with the latest OpenWRT trunk. From reading many DD-WRT related notes, they still can't get VLAN ports/tagging to work on the router; hence, I'm stuck.

So, what did I do today? I searched the net for more information on how to get the OpenVPN client to work on OpenWRT. If you know the way, surely it is not hard, but it took me a few hours to figure out what I needed to get this thing working.

So, what do you need to get Astrill VPN working on your OpenWRT router (in my case the WZR-HP-G300NH)?

  1. Get the latest trunk release of OpenWRT (this will probably work with the official release firmware too).
  2. Install OpenVPN support. There is a LuCI interface for OpenVPN configuration (at least the trunk release has it).
  3. Download Astrill's OpenVPN certificates from the member page. They should be under Servers -> OpenVPN Certificate generator.
  4. Unzip the certificates file; there will be a load of them. If you're interested in using the Los Angeles server, there are five of them, so choose one. Four sections of this configuration file are of interest to us: the OpenVPN section and the 3 certificates.
  5. Copy the certificates and paste them into files in the /etc/openvpn directory of your router. I created three standard files, as per the example I found in /etc/config/openvpn:
    • /etc/openvpn/ca.crt (copy the content from the Astrill OpenVPN file, anything between <ca> and </ca>)
    • /etc/openvpn/client.crt (anything between <cert> and </cert>)
    • /etc/openvpn/client.key (anything between <key> and </key>)
  6. That's it for the certificates. Now we need to configure OpenVPN. The easiest way is to edit it manually; here is the example I have:

    config 'openvpn' 'astrill_west_cost'
        option 'client' '1'
        option 'dev' 'tun'
        option 'proto' 'udp'
        option 'resolv_retry' 'infinite'
        option 'nobind' '1'
        option 'persist_key' '1'
        option 'persist_tun' '1'
        option 'comp_lzo' '1'
        option 'verb' '3'
        option 'enable' '1'
        option 'ca' '/etc/openvpn/ca.crt'
        option 'cert' '/etc/openvpn/client.crt'
        option 'key' '/etc/openvpn/client.key'
        option 'remote' 'XX.XX.XX.XX 8292'

    Replace the remote with the correct vpn server IP address and save the file.

  7. I've no idea if this is required, but during my first hour of testing I could ping outside IPs/site names but couldn't browse anything with my browser. So I added the following to my /etc/firewall.user. To tell you the truth, I copied this from somewhere. I know nuts about firewalls, iptables, etc.; I'm not good at these at all.
    iptables -I FORWARD -o tun+ -j ACCEPT
    iptables -t nat -I POSTROUTING -o tun+ -j MASQUERADE

  8. Go to your LUCI interface. You'll find your configuration shown as the following:

  9. Click Start to start your VPN connection, and Stop to stop it.
I believe that should be all there is to getting Astrill's OpenVPN to work with OpenWRT. Good luck!
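
Step 5 done as a script instead of by copy and paste, as an added example that is not part of the original post: it assumes the downloaded profile carries its certificates in OpenVPN's inline <ca>, <cert> and <key> sections, and it writes the private key with owner-only permissions. The function names and the sample profile are constructed for illustration.

```shell
# Added example (not the blog's code): split inline <ca>/<cert>/<key> sections
# of an OpenVPN profile into the files named in /etc/config/openvpn.
extract_section() {   # print lines between <tag> and </tag>, dropping CRs
    awk -v tag="$1" '
        { sub(/\r$/, "") }
        $0 ~ ("^[ \t]*</" tag ">") { inside = 0 }
        inside { print }
        $0 ~ ("^[ \t]*<" tag ">")  { inside = 1 }
    ' "$2"
}

# split_profile PROFILE OUTDIR; subshell body keeps the umask change local.
split_profile() (
    umask 077   # files are created private, so the key is never world-readable
    mkdir -p "$2" || return 1
    for pair in ca:ca.crt cert:client.crt key:client.key; do
        tag=${pair%%:*}; out=$2/${pair#*:}
        extract_section "$tag" "$1" > "$out"
        if ! grep -q '^-----BEGIN ' "$out"; then   # section missing or not PEM
            echo "no PEM data in <$tag> section of $1" >&2
            rm -f "$out"; return 1
        fi
    done
    chmod 644 "$2/ca.crt" "$2/client.crt"   # public certificates
    chmod 600 "$2/client.key"               # private key: owner only
)

# Constructed sample profile; the bodies are placeholders, not key material.
write_sample_profile() {
    cat > "$1" <<'EOF'
client
<ca>
-----BEGIN CERTIFICATE-----
SAMPLE-CA
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
SAMPLE-CLIENT
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
SAMPLE-KEY
-----END PRIVATE KEY-----
</key>
EOF
}
```

On the router this would be called as split_profile /tmp/PROFILE.ovpn /etc/openvpn, where PROFILE.ovpn stands for whichever server file you picked in step 4.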


9W2TPT said…
Found the following link if you've strongvpn account.. why oh why I didn't find this much earlier :(
Charity475 said…
I tried your tutorial, but with no success. I can connect to the Astrill server, but not with the internet.
