Sunday, March 16, 2014

Installing IPVanish OpenVPN on an E4200v1 running DD-WRT

The idea of the setup is to send one specific device through the IPVanish tunnel while the other devices keep using the regular internet connection.
The reason is that a connection through the VPN is slower, and you may not want all your traffic going through the tunnel.


The script below was tested on a Linksys E4200v1 router running
Firmware: DD-WRT v24-sp2 (10/31/12) mega

The script needs to run as a startup script (Administration -> Commands -> startup).
One special feature of this script is that it fails closed: if anything happens to openvpn, the router does not fall back to the regular connection for that device but stops forwarding its traffic instead. You will therefore not end up sending the device's packets through your regular internet connection if openvpn goes down for any reason: if a packet from that device is delivered, it is delivered through the tunnel. Two caveats: the blocking rule only covers traffic the router forwards for the device, so DNS queries the device sends to the router itself are still resolved by the router over the regular connection (point the device at public resolvers such as 8.8.8.8 and its DNS traffic is policy-routed through the tunnel like everything else); and the IPVanish username and password sit in clear text in nvram (as part of the startup script) and in /tmp/ipvanish/userpass.conf on the router.

#!/bin/sh
# Settings: IPVanish account, the server to use, and the LAN device(s) to send through the tunnel.
# Several devices can be listed in IPTOVPN separated by spaces.

USERNAME="XXXXX"
PASSWORD="XXXXX"
VPNHOST="sto-a01.ipvanish.com"
IPTOVPN="192.168.1.102"

#### DO NOT CHANGE below this line unless you know exactly what you're doing ####
CA_CRT='-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
'

# The DD-WRT built-in OpenVPN client would compete with this script for tun1, so keep it disabled.
OPVPNENABLE=$(nvram get openvpncl_enable)

if [ "$OPVPNENABLE" != "0" ]; then
nvram set openvpncl_enable=0
nvram commit
fi

sleep 10
mkdir -p /tmp/ipvanish; cd /tmp/ipvanish
echo -e "$USERNAME\n$PASSWORD" > userpass.conf
echo "$CA_CRT" > ca.crt
echo "$IPTOVPN" > policy_ips

# Kill switch: forwarded traffic from a policy-routed device may only leave through tun1.
# The rule goes in FORWARD, not OUTPUT: the router forwards the device's packets, and OUTPUT
# only sees packets the router itself originates. It is installed once and never removed,
# so while the tunnel is down the device is cut off instead of falling back to the WAN.
# (Same-subnet LAN traffic is bridged, not forwarded, and is not affected.)
for IP in $(cat /tmp/ipvanish/policy_ips); do
iptables -D FORWARD -s $IP ! -o tun1 -j DROP 2>/dev/null
iptables -I FORWARD -s $IP ! -o tun1 -j DROP
done

echo "#!/bin/sh
# Called by openvpn once the tunnel is up. route-noexec in the config leaves all routing to this script.
iptables -I INPUT -i tun1 -j logaccept
iptables -I POSTROUTING -t nat -o tun1 -j MASQUERADE
# Table 10 sends everything out of tun1. tun1 is a point-to-point device, so no gateway
# address is needed and nothing has to be parsed out of the ifconfig output.
ip route flush table 10
ip route add default dev tun1 table 10
for IP in \$(cat /tmp/ipvanish/policy_ips); do
ip rule del from \$IP table 10 2>/dev/null
ip rule add from \$IP table 10
done
" > route-up.sh
echo "#!/bin/sh
# Called by openvpn when the tunnel goes down. The ip rules are removed as well: a rule that
# points at an empty table falls through to the main table, i.e. to the WAN, and only the
# FORWARD kill switch would then stand between the device and the regular connection.
iptables -D INPUT -i tun1 -j logaccept
iptables -D POSTROUTING -t nat -o tun1 -j MASQUERADE
for IP in \$(cat /tmp/ipvanish/policy_ips); do
ip rule del from \$IP table 10 2>/dev/null
done
ip route flush table 10
" > route-down.sh
chmod 644 ca.crt; chmod 600 userpass.conf; chmod 700 route-up.sh route-down.sh
sleep 10
echo "client
ca /tmp/ipvanish/ca.crt
management 127.0.0.1 5001
management-log-cache 50
verb 4
mute 3
log-append /var/log/openvpncl
writepid /var/run/openvpncl.pid
resolv-retry infinite
nobind
persist-key
persist-tun
# level 2 is enough to run route-up/down; 'script-security 3 system' also exposed the password to scripts
script-security 2
mtu-disc yes
dev tun1
proto tcp-client
cipher aes-256-cbc
auth sha256
remote $VPNHOST 443
comp-lzo yes
redirect-private def1
# openvpn adds no routes itself; route-up.sh does the policy routing
route-noexec
tls-client
tun-mtu 1500
tls-cipher AES256-SHA
persist-remote-ip
keysize 256
tls-remote $VPNHOST
auth-user-pass /tmp/ipvanish/userpass.conf
# On Linux openvpn does not apply these itself; they only reach scripts as foreign_option_N.
# Configure the tunnelled device to use public resolvers so that its DNS is policy-routed too.
dhcp-option DNS 8.8.8.8
dhcp-option DNS 8.8.4.4
" > ipvanish.conf
# route-up.sh is also run once before openvpn starts. Before tun1 exists it only installs the
# ip rules into a still-empty table 10, which falls through to main, so it is the FORWARD
# rule above that actually keeps the device off the WAN until the tunnel is up.
(/tmp/ipvanish/route-up.sh; killall openvpn; openvpn --config /tmp/ipvanish/ipvanish.conf --route-up /tmp/ipvanish/route-up.sh --down /tmp/ipvanish/route-down.sh) &
exit
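To check on the router whether a device is really pinned to the tunnel and fenced off from the WAN, the following added script (not part of the original post, and not IPVanish or DD-WRT code) classifies one device from the output of ip rule show, ip route show table 10 and iptables -S FORWARD. It assumes the conventions of a policy table numbered 10, a tunnel device tun1, and a kill switch written as a FORWARD rule of the form "-s IP ! -o tun1 -j DROP" (a rule in OUTPUT only applies to packets the router itself originates, not to packets it forwards for a LAN host). The function names, the file name leakcheck.sh and the sample command outputs are assumptions of this example; the sample outputs are constructed, not captured from a router.

```sh
#!/bin/sh
# leakcheck.sh: classify a policy-routed LAN device from router command output.
# Added example, not from the original post. Assumes policy table 10, tunnel device
# tun1 and a FORWARD kill-switch rule "-s IP ! -o tun1 -j DROP". Each check reads the
# output of one router command on stdin, so the logic can also be exercised off the
# router with captured text.

TABLE=10
TUNDEV=tun1

# ip rule show | has_policy_rule IP   -> true if IP is pinned to TABLE
has_policy_rule() {
    grep -q "from $1 lookup $TABLE\$"
}

# ip route show table 10 | has_tunnel_default   -> true if TABLE routes via the tunnel
has_tunnel_default() {
    grep -q "^default dev $TUNDEV"
}

# iptables -S FORWARD | has_fence IP   -> true if forwarded traffic from IP that is
# not leaving through the tunnel is dropped
has_fence() {
    grep -q "^-A FORWARD -s $1/32 ! -o $TUNDEV -j DROP"
}

# verdict IP RULE_OUT ROUTE_OUT FORWARD_OUT
# Prints one word and returns 0 only when the device cannot reach the WAN outside the tunnel:
#   tunneled-fenced    policy route in place and kill switch present
#   tunneled-unfenced  works now, but a dropped tunnel would fall back to the WAN
#   blocked            no usable policy route, kill switch holds the device off the WAN
#   wan                no usable policy route and no kill switch: traffic leaves via main table
verdict() {
    ip=$1; rules=$2; routes=$3; fwd=$4
    pinned=0; tunneled=0; fenced=0
    printf '%s\n' "$rules"  | has_policy_rule "$ip" && pinned=1
    printf '%s\n' "$routes" | has_tunnel_default    && tunneled=1
    printf '%s\n' "$fwd"    | has_fence "$ip"       && fenced=1
    if [ "$pinned" -eq 1 ] && [ "$tunneled" -eq 1 ]; then
        if [ "$fenced" -eq 1 ]; then echo tunneled-fenced; return 0; fi
        echo tunneled-unfenced; return 1
    fi
    # A rule that points at an empty table is not a route: the lookup falls through to main.
    if [ "$fenced" -eq 1 ]; then echo blocked; return 0; fi
    echo wan; return 1
}

# Constructed sample outputs (not captured from a real router) for a healthy tunnel.
SAMPLE_RULES='0:      from all lookup local
32765:  from 192.168.1.102 lookup 10
32766:  from all lookup main
32767:  from all lookup default'
SAMPLE_ROUTES='default dev tun1  scope link'
SAMPLE_FWD='-P FORWARD ACCEPT
-A FORWARD -s 192.168.1.102/32 ! -o tun1 -j DROP
-A FORWARD -i br0 -o vlan2 -j ACCEPT'

# Usage on the router: ./leakcheck.sh 192.168.1.102
# Without an argument, classify the constructed sample instead.
if [ $# -ge 1 ]; then
    verdict "$1" "$(ip rule show)" "$(ip route show table $TABLE)" "$(iptables -S FORWARD)"
else
    verdict 192.168.1.102 "$SAMPLE_RULES" "$SAMPLE_ROUTES" "$SAMPLE_FWD"
fi
```

Run it on the router right after boot, after the tunnel has come up, and once more after killing openvpn: the expected sequence is blocked, tunneled-fenced, blocked. Anything that prints wan or tunneled-unfenced means a dropped tunnel would send that device's traffic through the regular connection.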



EDIT 14/03/2015: adding the google openDNS servers in there as I was having DNS issues.
EDIT 18/11/2015: added /tmp/ipvanish/route-up.sh; at the last line as it looks like under some circumstances route-up was not executed, resulting in packets sent outside of the VPN