Sunday, 10 July 2011

Getting astrill vpn to work with OpenWRT (the hard way)!

I've just subscribed to Astrill vpn service with a thought that they've openwrt scripting works as per the old twitter post that saying they're working on it. But to my dismay, they still doesn't have one that work. I created a support ticket as suggested by a twitter reply from Astrill support but it came back saying that they only support DD-WRT, so, no openwrt, fonera or tomato support at the moment.

The reason why I'm sticking with OpenWRT on my WZR-HP-G300NH router is, I've got the VLAN port & tagging to work on this router with the latest OpenWRT trunk. And reading many DD-WRT related notes, they still couldn't get the VLAN port/tagging to work on the router, hence, I'm stuck.

So, what did I do today? Searching for more information on the net on how to get the openvpn client to work on OpenWRT. If you know the way, surely, it is not hard.. but it took me few hours to figure out what I need to get this thing working.

So, what you need to get astrillvpn working on your openwrt router (in my case the WZR-HP-G300NH)?

  1. Get the latest trunk release of OpenWRT (or probably this will work with the official release firmware too). 
  2. Install OpenVPN support, there is LUCI interface for OpenVPN configuration (at least on trunk release it has it).
  3. Download the Astrill's openvpn certificates from the member page. It should be under Servers -> OpenVPN Certificate generator.
  4. Unzip the certificates file, there will be load of them. If you're interested to use the Los Angeles server, there are five of them, choose one. There are 4 sections that will be of our interest from this configuration file. The OpenVPN and the 3 certificates.
  5. Copy and paste the certificates and copied them into /etc/openvpn directory of your router. I created three standard files as per the example I found in the /etc/config/openvpn, they are:
    • /etc/openvpn/ca.crt (copy the content from Astrill openvpn file, anything between the ca and /ca.
    • /etc/openvpn/client.crt (anything between the cert and /cert)
    • /etc/openvpn/client.key (anything between the key and /key)
  6. Done with the certificate, now, we need to configure the openvpn. Easiest is to edit it manually, here is the example I've:

    config 'openvpn' 'astrill_west_cost'
    option 'client' '1'
    option 'dev' 'tun'
    option 'proto' 'udp'
    option 'resolv_retry' 'infinite'
    option 'nobind' '1'
    option 'persist_key' '1'
    option 'persist_tun' '1'
    option 'comp_lzo' '1'
    option 'verb' '3'
    option 'enable' '1'
    option 'ca' '/etc/openvpn/ca.crt'
    option 'cert' '/etc/openvpn/client.crt'
    option 'key' '/etc/openvpn/client.key'
    option 'remote' 'XX.XX.XX.XX 8292'

    Replace the remote with the correct vpn server IP address and save the file.

  7. I've no idea if this is required, but during my first hour of testing, I could use ping to ping out outside IP/sitename but I couldn't use my browser to browse anything. So, I've added the following into my /etc/firewall.user. To tell you the truth, I've copied this from somewhere. I know nut about firewall & iptable etc. I'm not good at all these, at all.
    iptables -I FORWARD -o tun+ -j ACCEPT
    iptables -t nat -I POSTROUTING -o tun+ -j MASQUERADE

  8. Go to your LUCI interface. You'll find your configuration shown as the following:

  9. Click on the Start to start your vpn connection, and Stop to stop it. 
I believe that should be all about it on how to get Astrill's openvpn to work with OpenWRT. Good luck!


9W2TPT said...

Found the following link if you've strongvpn account.. why oh why I didn't find this much earlier :(

Charity475 said...

I tried your tutorial, but with no success. I can connect to the Astrill server, but not with the internet.

New project - Ubitx - Radi2cino

I've always been interested in building my own radio. I've seen many projects available on the net which I could get my hands dirty ...