WT3020 vpn roadwarrior micro router box to keep in your pocket

Written by Matej Drolc

Configuration recipe for NEXX WT3020H micro router as a vpn roadwarrior setup. This guide involves two OpenWrt devices both running OpenVpn with SSL, one in client and one in server mode. In this case WT3020 as the client and WDR3600 as server. The WT3020 device is a perfect candidate for such use case. It is cheap, very small and can be powered via any micro USB charger. Perfect for taking on business trips, vacations and so on.

On the client side (WT3020), wlan and lan internet traffic will be routed through the vpn tunnel thus making a vpn tunnel establishment as easy as plugging the WT3020’s WAN port into any dhcp-enabled LAN with internet access. The tunnel uses tcp protocol over port 443 since this outbound port is usually not blocked by firewalls.

The purpose of this setup is to provide:

  • a tunnel with the purpose of encrypting the traffic,
  • allowing apps (Skype, Hangouts, Steam) to connect to the internet regardless of how the firewall of the network we are a guest at is configured.

This setup does not bridge lan subnets on both end points. It only provides an encrypted tunnel that acts as a gateway for internet traffic.

Prerequisites

  • NEXX WT3020 with 8MB flash, running OpenWrt (grab it here) also see Howto flash instructions edit: apparently the image can now be flashed directly via web interface without physically opening the device.
  • Another OpenWrt device running OpenVpn server (in this case WDR3600)

OpenVpn Server Setup (wdr3600)

install OpenVpn (about 1.5MB of space required)

opkg update; opkg install openvpn-openssl openvpn-easy-rsa

Generate CA, keys and certs (last command takes a while)

source /etc/easy-rsa/vars
clean-all
pkitool --initca
pkitool --server my-server
pkitool wt3020-client
build-dh

Copy generated CA cert, server keys and Diffie-Hellman parameters to where OpenVpn expects them

cd $KEY_DIR
mkdir -p /etc/openvpn
cp ca.crt my-server.* dh*.pem  /etc/openvpn/

ca.key can now be moved to some safe place, it is only needed for generating new keys

/etc/config/network

Append the following section:

config interface 'vpn0'
        option ifname 'tun0'
        option proto 'none'

Reload network config

/etc/init.d/network reload

/etc/config/firewall

Append the following sections:

#config rule
#        option name 'Allow-OpenVPN-Inbound'
#        option target 'ACCEPT'
#        option src '*'
#        option proto 'udp'
#        option dest_port '1194'

config rule
        option name 'Allow-OpenVPN-443tcp-Inbound'
        option target 'ACCEPT'
        option src '*'
        option proto 'tcp'
        option dest_port '443'

config zone
        option name 'vpn'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option output 'ACCEPT'
        option network 'vpn0'

config forwarding
        option src 'vpn'
        option dest 'wan'

Reload firewall config

/etc/init.d/firewall reload

/etc/config/openvpn

config openvpn 'myvpn'
        option enabled '1'
        option dev 'tun'
        option proto 'tcp'
        option log '/tmp/openvpn.log'
        option verb '3'
        option ca '/etc/openvpn/ca.crt'
        option cert '/etc/openvpn/my-server.crt'
        option key '/etc/openvpn/my-server.key'
        option server '10.8.0.0 255.255.255.0'
        option port '443'
        option keepalive '10 120'
        option dh '/etc/openvpn/dh2048.pem'
        option push 'redirect-gateway def1'

Run OpenVpn server

/etc/init.d/openvpn enable
/etc/init.d/openvpn start

OpenVpn Client Setup (wt3020)

Install OpenVpn

opkg update; opkg install openvpn-openssl

Transfer client keys to from your server device to your client device (NEXX WT3020) then on the client:

cp ca.crt wt3020-client.*          /etc/openvpn/     ## this is done on wt3020 (the openvpn client device)

/etc/config/network

Append the following section:

config interface 'vpn0'
        option ifname 'tun0'
        option proto 'none'

Reload network config

/etc/init.d/network reload

/etc/config/firewall

Change the following section:

config forwarding
        option src 'lan'
        option dest 'wan'

To this:

config forwarding
        option src 'lan'
        option dest 'vpn'

Note: this step is missing in the official OpenWrt guide (see link at bottom), but is necessary.

Also whenever you want to bypass the vpn, simply change the above option from ‘vpn’ back to ‘wan’, reload firewall and network or if you want to make it permanent, disable OpenVpn and reboot.

Append the following sections:

config zone
        option name 'vpn'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option output 'ACCEPT'
        option network 'vpn0'
        option masq '1'

Note: ip masquerading is enabled. This option is missing in the official OpenWrt guide (see link at bottom), but is necessary.

Reload firewall config

/etc/init.d/firewall reload

/etc/config/openvpn

config openvpn 'myvpn'
        option enabled '1'
        option dev 'tun'
        option proto 'tcp'
        option log '/tmp/openvpn.log'
        option verb '3'
        option ca '/etc/openvpn/ca.crt'
        option cert '/etc/openvpn/wt3020-client.crt'
        option key '/etc/openvpn/wt3020-client.key'
        option client '1'
        option remote_cert_tls 'server'
        option remote 'xxx.xxx.xxx.xxx 443'

Where xxx.xxx.xxx.xxx is the public IP address of your OpenVpn server.

Run OpenVpn client

/etc/init.d/openvpn enable
/etc/init.d/openvpn start

You should soon be able to ping the OpenVpn server (10.8.0.1) and traffic should all be routed through it

ping -c4 10.8.0.1
traceroute 8.8.8.8

If problems arise check the log in /tmp/openvpn.log for hints.

Adapted from OpenWrt wiki

Bonus: making it work in China

A friend reported to me that OpenVpn communication does not seem to work in China. However, ssh does seem to work fine at this time (January 2015) so we decided to tunnel the vpn tunnel over a ssh tunnel.

Create a ssh tunnel:

ssh -L 127.0.0.1:6666:OVpnServerIP:443 -l sshUser SshServerIP

In OpenVpn client config replace

option remote OVpnServerIP 443

with:

option remote 127.0.0.1 6666

OVpnServerIP and SshServerIP can be the same machine.

Bonus 2: Adding a “Dumb AP” option

Turns out there is interest for another use case for this little device. And that is acting as a dumb AP by plugging it into an ethernet port of a network and allowing access over wifi to that network (same subnet). This can be done without breaking our tunnelling configuration by simply creating an additional wifi interface with a different SSID and bridging it to wan.

In /etc/config/network under the

config interface 'wan'

add the line:

option type 'bridge'

In /etc/config/wireless create a new interface and bridge it to wan by adding the following section:

config wifi-iface
        option device 'radio0'
        option network 'wan'
        option mode 'ap'
        option ssid 'DumbAP'
        option encryption 'psk2'
        option key 'mysuperpassword'

Then type

/etc/init.d/network/reload
wifi

And it should start working (if not, try reboot).

Now you can use the default wifi for tunnelled connections to the internet and accessing the router for configuration purposes and the secondary wifi for accessing the network that the wan port attaches to.

Keywords

Openwrt, OpenVpn tunnel, Firewall tunnel, SSL tunnel, nexx wt3020.