Setting up a Router running LEDE Firmware

SECTION 1: DOWNLOADS

To start, we will download all the items required to perform this configuration.

If you are a Windows user, you first need an SSH client to connect to the router and transfer files. PuTTY provides this (its installer also includes pscp, which is used later to copy files to the router), and it can be downloaded for free here: https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html

*If you are a Linux or Mac user, you will be able to use the built-in SSH client to perform the same operations. This can be done from the terminal window with the command

ssh root@192.168.1.1

where root would be replaced by your SSH admin username and 192.168.1.1 would be replaced by your default gateway if you have changed them. Any time this guide references using PuTTY, you may instead use terminal and ssh.

Download the certification files available here: (This can be done by right clicking each of the following links and selecting “Save link as…”)


SECTION 2: CREATE THE CREDENTIALS FILE

Next, we will make a folder containing everything needed to most easily manage a PIA LEDE configuration.

  1. In the file explorer, navigate to your ‘Downloads’ folder.
  2. Click the first file downloaded, ‘ca.crt’.
  3. While holding down ‘Ctrl’ left click the other two files, ‘ca.rsa.2048.crt’, and ‘ca.rsa.4096.crt’.
  4. Press ‘Ctrl + C’. This will copy the files.
  5. Navigate to the ‘Documents/’ folder.
  6. Right click in blank space in the folder and click ‘New > Folder’.
  7. Name this new folder ‘PIA_Setup’.
  8. Double click the folder to open it.
  9. Press ‘Ctrl + V’. This will create copies of the downloaded files in the new folder we created.

 Now, we will create a file with your login credentials for your router to utilize.

  1. Press ‘Windows Key + R’
  2. Type ‘notepad’
  3. Press ‘Enter’
  4. On the first line of this document, type your PIA username. (ex: p1234567)
  5. On the second line of this document, type your PIA ‘p-login’ password. (If you have an ‘x-login’ this is a different password, do not use it.)
  6. Click ‘File’
  7. Click ‘Save as…’
  8. Navigate to your new ‘Documents/PIA_Setup/’ folder.
  9. Name the file ‘credentials.txt’
  10. Make sure the Encoding selection is set to ‘ANSI’
  11. Click ‘Save’


SECTION 3: ROUTER UPDATES

Next, we will add OpenVPN to the LEDE firmware on the router, by logging in to the router with SSH through PuTTY.

  1. These commands will install the necessary packages to perform the configuration and allow OpenVPN to run on the device. Highlight the following:
    opkg update; opkg install openssh-sftp-server luci-app-openvpn openvpn-openssl
  2. Press ‘Ctrl + C’ to copy.
  3. Press ‘Windows Key + R’.
  4. Type ‘putty’.
  5. Press ‘Enter’.
  6. In the field labeled Host Name (or IP address) type ‘192.168.1.1’ (unless you have changed the IP of your router, then input that IP here)
  7. Make sure Port is set to ‘22’.
  8. Make sure ‘SSH’ is selected.
  9. Click ‘Open’.
  10. A security alert will appear because PuTTY has not seen this router's SSH host key before; this is expected on the first connection. Select ‘Yes’ to trust and cache the key.
  11. This will open a text based command window.
    1. The default username is ‘root’.
      Type ‘root’ (or the admin username if you have changed it).
      Press ‘Enter’.
    2. By default there is no password and you will not be prompted for one.
      If you have set a password, type it now.
      Press ‘Enter’.
  12. You should now be logged in to your router.
  13. Right click once in the PuTTY window to paste the commands we copied earlier.
  14. Press ‘Enter’. This will start executing the commands, which may take a few minutes.
  15. Leave the PuTTY window open, we will use it again shortly. You can proceed to the following steps while these commands run.


SECTION 4: UPLOAD CREDENTIALS AND CERTIFICATES

Now, we need to upload the credentials and security certificates to your router, then format the credentials file so the router can read it properly.

  1. Highlight the following:
    pscp Documents/PIA_Setup/* root@192.168.1.1:/etc/openvpn
    (pscp is installed alongside PuTTY; if you have changed your router IP or admin login you will need to change this command accordingly)
  2. Press ‘Ctrl + C’.
  3. Press ‘Windows Key + R’.
  4. Type ‘cmd’.
  5. Press ‘Enter’. A command line window will open.
  6. Press ‘Ctrl + V’.
  7. Press ‘Enter’.
  8. This may ask you for your router password; type it if you have set one and press ‘Enter’.
  9. Type ‘exit’.
  10. Press ‘Enter’.

 Now, we need to format the credentials file. *If you are on Linux or Mac you can skip the following 8 steps.

  1. Highlight the following:
    tr -d '\15\32' < /etc/openvpn/credentials.txt > /etc/openvpn/credentials.tmp && mv /etc/openvpn/credentials.tmp /etc/openvpn/credentials.txt
    (the output goes to a temporary file first: redirecting straight back to credentials.txt would empty the file before tr could read it, leaving you with blank credentials)
  2. Press ‘Ctrl + C’.
  3. Click on the PuTTY window we left open earlier. If it has not finished updating, wait for it to do so before continuing.
  4. Right click in this window. This will paste the new command we copied.
  5. Press ‘Enter’.
  6. Type ‘reboot’.
  7. Press ‘Enter’.
  8. You can now close the PuTTY window.
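The credentials clean-up from this section as a small shell script, added here as an example and not part of the original guide: it does the same CR/Ctrl-Z stripping as the tr command, but through a temporary file (so the file is never truncated mid-read), restricts the file to its owner, and rejects a file that does not contain exactly a username line and a password line. The sample credentials are constructed; file paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the original guide. Cleans a credentials.txt written by
# Windows Notepad (CRLF line endings and sometimes a trailing Ctrl-Z) so that
# OpenVPN's auth-user-pass reads a plain username line and password line.
# Runs under busybox sh on the router as well as bash. File paths are assumed.

# sanitize_credentials FILE
# Removes CR (\15) and SUB (\32) bytes, going through a temp file because
# "tr < f > f" truncates f before tr can read it. Then makes the file owner-only
# and fails unless exactly two non-empty lines remain.
sanitize_credentials() {
    f="$1"
    tmp="$f.tmp"
    tr -d '\15\32' < "$f" > "$tmp" || return 1
    chmod 600 "$tmp" || return 1
    mv "$tmp" "$f" || return 1
    # Exactly two populated lines: username, then the p-login password.
    lines=$(grep -c . "$f" || true)
    if [ "$lines" -ne 2 ]; then
        echo "$f: expected 2 lines (username, password), found $lines" >&2
        return 1
    fi
    # Confirm no CR/SUB bytes survived: a second pass must change nothing.
    tr -d '\15\32' < "$f" | cmp -s - "$f" || {
        echo "$f: control characters still present" >&2
        return 1
    }
    return 0
}

# Demo on a constructed Windows-style file (CRLF endings plus a Ctrl-Z marker).
demo() {
    d=$(mktemp -d)
    printf 'p1234567\r\nExamplePassword\r\n\032' > "$d/credentials.txt"
    sanitize_credentials "$d/credentials.txt" && od -c "$d/credentials.txt"
}
```

Run it on the router after the pscp upload as `sanitize_credentials /etc/openvpn/credentials.txt`; the `od -c` in the demo lets you see that only `\n` line endings remain.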


SECTION 5: CONFIGURE NETWORK INTERFACES

Next, we will create a new network interface for the VPN tunnel and set the DNS to the PIA servers for appropriate resolution.

  1. Open a web browser.
  2. In the address bar type ‘192.168.1.1’ (or the default gateway of your router if you have set it to something else).
  3. Press ‘Enter’. This will bring you to the login for the GUI of your router.
  4. Log in to the router, if you have not set login credentials the username will be ‘root’ and there will be no password.
  5. Click ‘Login’.
  6. Click on the ‘Network > Interfaces’ tab at the top of the page.
  7. Click ‘Add new network interface...’.
  8. In the field ‘Name of the new interface’ type ‘PIA_VPN’
  9. For the field ‘Protocol of the new interface ‘ select ‘Unmanaged’.
  10. Select ‘Custom Interface:’ and type ‘tun0’.
  11. Click ‘Submit’.

01_CreateTUNInterface.png

  1. Next, still in the ‘Network > Interfaces’ tab, select ‘WAN’
  2. In the ‘Advanced Settings’ we need to ‘Use Custom DNS Servers’
  3. Type ‘209.222.18.222’.
  4. Click on the icon with the green + next to the text input.
  5. In the new input field that appears type ‘209.222.18.218’.
  6. Click ‘Save & Apply’.

02_InterfacesWANAdvanced.png


SECTION 6: CONFIGURE FIREWALL - ZONE SETTINGS

Next, we will configure the way the network interfaces communicate to allow secure traffic through the VPN.

WANZone.png

FirewallZoneSettings.png


SECTION 7: CONFIGURE OPENVPN CONNECTION

Next, we will configure a PIA VPN connection. Before we jump into this, there is some important information about port, protocol, and cryptography settings. These are the necessary pairings:


Auth     Cipher        Cert              UDP Port          TCP Port
SHA1     BF-CBC        ca.crt            53, 8080, 9201    80, 110, 443
SHA1     AES-128-CBC   ca.rsa.2048.crt   1198              502
SHA256   AES-256-CBC   ca.rsa.4096.crt   1197              501


  1. Click on the ‘Services > OpenVPN’ tab at the top of the browser GUI.
  2. At the bottom of the page, enter a name for your new VPN connection.
  3. Select ‘Simple client configuration for routed point-to-point VPN’.
  4. Click the ‘Add’ button.
  5. This will load a new page, near the top of this, click ‘Switch to advanced configuration >>’.
  6. On the ‘Service’ page, nothing should be selected and ‘verb’ can be set to any number, though lower numbers are suggested.

04_OpenVPNService.png

On the ‘Networking’ page, you will need to add some fields and specify settings. To add a field, select it from the drop-down near the bottom of the page and click ‘Add’. The port must be the UDP port from the row of the table above that matches the cipher and certificate chosen on the ‘Cryptography’ page; for the AES-128-CBC / ca.rsa.2048.crt settings used in this guide that is 1198. Make sure the following are specified but nothing else:

port 1198
nobind
dev tun
comp_lzo yes
persist_tun
persist_key

05_OpenVPNNetworking.png

On the ‘VPN’ page, you will again need to add some fields and specify settings. The field ‘remote’ on this page should contain the address of the server you want to connect to; in this case us-california.privateinternetaccess.com has been used. The ‘auth_user_pass’ path must point at the credentials.txt file uploaded in Section 4. Otherwise make sure the following are specified but nothing else:

client
auth_user_pass /etc/openvpn/credentials.txt
remote us-california.privateinternetaccess.com
proto udp
resolv_retry infinite

OpenVPNVPN.png

On the ‘Cryptography’ page, you will again need to add some fields and specify settings. The ‘auth’, ‘cipher’ and ‘ca’ values must come from the same row of the table above. ‘remote_cert_tls server’ makes OpenVPN check that the server's certificate was issued for server use, so another client certificate signed by the same CA cannot pose as the VPN server. Make sure the following are specified but nothing else:

auth SHA1
cipher AES-128-CBC
mute_replay_warnings
tls_client
ca /etc/openvpn/ca.rsa.2048.crt
auth_nocache
remote_cert_tls server

07_OpenVPNCryptography.png

Click ‘Save & Apply’.


SECTION 8: FIX THE OPENVPN FILE

Next, we need to edit the configuration file to remove an unwanted setting which has been included without our specification.

  1. This command will open the openvpn file in an editor on the router. Highlight the following:
    vi /etc/config/openvpn
  2. Press 'Ctrl + C' to copy the text.
  3. Press ‘Windows Key + R’.
  4. Type ‘putty’.
  5. Press ‘Enter’.
  6. In the field labeled Host Name (or IP address) type ‘192.168.1.1’ (unless you have changed the IP of your router, then input that IP here)
  7. Make sure Port is set to ‘22’.
  8. Make sure ‘SSH’ is selected.
  9. Click ‘Open’.
  10. A security alert about the router's SSH host key will appear if PuTTY did not cache it during the earlier connection; this is expected. Select ‘Yes’.
  11. This will open a text based command window.
    1. The default username is ‘root’.
      Type ‘root’ (or the admin username if you have changed it).
      Press ‘Enter’.
    2. By default there is no password and you will not be prompted for one.
      If you have set a password, type it now.
      Press ‘Enter’.
  12. You should now be logged in to your router.
  13. Right click once in the PuTTY window to paste the commands we copied earlier.
  14. Press ‘Enter’. This will open the openvpn config file.
  15. Press ‘i’ to enter insert (edit) mode.
  16. Use the arrow keys to navigate to the line that reads option secret 'shared-secret.key' and delete the entire line.
  17. Press ‘esc’ to exit edit mode.
  18. While holding ‘Shift’ tap ‘Z’ twice, to save and exit the editor.
  19. Type ‘exit’.
  20. Press ‘Enter’.
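To show what Sections 7 and 8 leave on the router, here is an added example (not from the original guide or the LuCI project) that prints the /etc/config/openvpn stanza equivalent to the settings above and checks a stanza for the two slips this setup is prone to: a port that does not match the auth/cipher/CA row of the table in Section 7, and the stray ‘option secret’ line that Section 8 deletes by hand. The instance name, server address and file paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the original guide: the /etc/config/openvpn stanza the
# LuCI pages above produce for the AES-128-CBC pairing, plus a check for the two
# slips this guide is prone to: a port that does not match the auth/cipher/CA row
# of the table in Section 7, and the stray 'option secret' line Section 8 deletes.
# Instance name, server and file paths are assumptions.

pia_config() {   # pia_config INSTANCE_NAME
    cat <<EOF
config openvpn '$1'
    option client '1'
    option dev 'tun'
    option proto 'udp'
    option nobind '1'
    option comp_lzo 'yes'
    option persist_tun '1'
    option persist_key '1'
    option resolv_retry 'infinite'
    option remote 'us-california.privateinternetaccess.com'
    option port '1198'
    option auth 'SHA1'
    option cipher 'AES-128-CBC'
    option ca '/etc/openvpn/ca.rsa.2048.crt'
    option tls_client '1'
    option remote_cert_tls 'server'
    option auth_user_pass '/etc/openvpn/credentials.txt'
    option auth_nocache '1'
    option mute_replay_warnings '1'
EOF
}

# opt STANZA NAME: value of "option NAME '...'" in STANZA, empty if absent
opt() { printf '%s\n' "$1" | sed -n "s/^[[:space:]]*option $2 '\(.*\)'$/\1/p"; }

# check_config STANZA: 0 only if no PSK line exists and the port matches the table row
check_config() {
    cfg="$1"
    opt "$cfg" secret | grep -q . && { echo "stray 'option secret' line (see Section 8)" >&2; return 1; }
    key="$(opt "$cfg" auth)/$(opt "$cfg" cipher)/$(basename "$(opt "$cfg" ca)")"
    port=$(opt "$cfg" port)
    case "$key:$port" in
        SHA1/BF-CBC/ca.crt:53|SHA1/BF-CBC/ca.crt:8080|SHA1/BF-CBC/ca.crt:9201) return 0 ;;
        SHA1/AES-128-CBC/ca.rsa.2048.crt:1198) return 0 ;;
        SHA256/AES-256-CBC/ca.rsa.4096.crt:1197) return 0 ;;
    esac
    echo "UDP port $port does not match $key (see the table in Section 7)" >&2
    return 1
}
```

On the router, `check_config "$(uci export openvpn)"` will flag the leftover ‘option secret’ line before you spend time wondering why the tunnel never comes up.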


SECTION 9: START AND TEST YOUR CONNECTION

You are ready to connect and test your security!

  1. You should now be ready to establish a VPN connection!
  2. Return to the router GUI in your browser.
  3. Click on ‘Services > OpenVPN’.
  4. Select ‘Enabled’ for your new connection.
  5. Click ‘Save & Apply’.
  6. Click ‘start’ for your new connection.
  7. Visit the following websites and perform the security tests to confirm your security: