RT-N66U, how to configure VPN client for IBvpn ?

[northernpal]

Ok, I had IBvpn working on DD-WRT (on WRT54GL) by following the directions provided by IBvpn. Now I would like to get it working on my "Merlin" powered N66U.

The directions IBvpn gives for setting up on DD-WRT are here:
http://www.ibvpn.com/billing/knowledgebase/36/DD-WRT-routers-OpenVPN-setup.html

I will paraphrase them into 3 steps below (hopefully) for convenience:

1. In Command shell box paste this script and then click "Save Startup"
--------------
sleep 5

mkdir /tmp/ibvpn

echo "-----BEGIN CERTIFICATE-----
MIIDeDCCAuGgAwIBAgIJAMVKgpjMPUfxMA0GCSqGSIb3DQEBBQUAMIGFMQswCQYD
VQQGEwJVUzELMAkGA1UECBMCQ0ExFTATBgNVBAcTDFNhbkZyYW5jaXNjbzEVMBMG
A1UEChMMRm9ydC1GdW5zdG9uMRgwFgYDVQQDEw9Gb3J0LUZ1bnN0b24gQ0ExITAf
BgkqhkiG9w0BCQEWEm1lQG15aG9zdC5teWRvbWFpbjAeFw0xMDA3MjExOTU5MzVa
Fw0yMDA3MTgxOTU5MzVaMIGFMQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExFTAT
BgNVBAcTDFNhbkZyYW5jaXNjbzEVMBMGA1UEChMMRm9ydC1GdW5zdG9uMRgwFgYD
VQQDEw9Gb3J0LUZ1bnN0b24gQ0ExITAfBgkqhkiG9w0BCQEWEm1lQG15aG9zdC5t
eWRvbWFpbjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAz23m3BXY5Asiw8Dx
T4F6feqsp+pIx6ivftTniyUCbSAxI1J1s1x75DzxmUpIwPu5xavzgPXgZr8FT81X
JGqF9km4AE95iddJawKx0wNgdTo7GximQq9rw0dsQIB5hZZQ9TJwHC3VOnmEic5A
OawKOCybMcRs8saLakZOgh7Xc+UCAwEAAaOB7TCB6jAdBgNVHQ4EFgQUeRhE2N4l
XwL4H1dbjkZ4ou6fj3AwgboGA1UdIwSBsjCBr4AUeRhE2N4lXwL4H1dbjkZ4ou6f
j3ChgYukgYgwgYUxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEVMBMGA1UEBxMM
U2FuRnJhbmNpc2NvMRUwEwYDVQQKEwxGb3J0LUZ1bnN0b24xGDAWBgNVBAMTD0Zv
cnQtRnVuc3RvbiBDQTEhMB8GCSqGSIb3DQEJARYSbWVAbXlob3N0Lm15ZG9tYWlu
ggkAxUqCmMw9R/EwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQASt0pl
WzVseQLTNM8Mlgw4ZnGAv/x2xnijmMqrkE+F7pnaOicGpxgCfMKzjZuJu0TNJqF2
fibE7GhMdomD4dLFgIu8Wb5E7iQ1CSBEOGumRhK8qCsDzjr7WXUdhqA6Xvo+ylU6
DMzy0Wn3NNvfGC+qxOgybYCJwDnVPi0CEDSbzQ==
-----END CERTIFICATE-----" > /tmp/ibvpn/ibvpn.com.crt

echo "#!/bin/sh
case \"\$1\" in
up) export action=\"up\" ;;
down) export action=\"down\" ;;
*) echo \"No action specified.\" && exit 1 ;;
esac

if [ \"\$action\" = \"up\" ]; then
mv /tmp/resolv.conf /tmp/resolv.conf.bak
echo \$foreign_option_1 | sed -e 's/dhcp-option DOMAIN/domain/g' -e 's/dhcp-option DNS/nameserver/g' > /tmp/resolv.conf
echo \$foreign_option_2 | sed -e 's/dhcp-option DOMAIN/domain/g' -e 's/dhcp-option DNS/nameserver/g' >> /tmp/resolv.conf
echo \$foreign_option_3 | sed -e 's/dhcp-option DOMAIN/domain/g' -e 's/dhcp-option DNS/nameserver/g' >> /tmp/resolv.conf
iptables --table nat --append POSTROUTING --out-interface \$2 --jump MASQUERADE
fi

if [ \"\$action\" = \"down\" ]; then
mv /tmp/resolv.conf.bak /tmp/resolv.conf
iptables --table nat --delete POSTROUTING --out-interface \$2 --jump MASQUERADE
fi" > /tmp/ibvpn/change_resolv_conf.sh

chmod 755 /tmp/ibvpn/change_resolv_conf.sh

echo "remote us4.ibvpn.com 1194 udp
client
dev tap
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
ca /tmp/ibvpn/ibvpn.com.crt
log-append /tmp/ibvpn/vpn.log
comp-lzo
verb 3
mute 20
ns-cert-type server
fragment 1300
route-method exe
route-delay 2
auth-user-pass /tmp/ibvpn/user.conf
reneg-sec 0
script-security 3 system
up \"/tmp/ibvpn/change_resolv_conf.sh up\"
down \"/tmp/ibvpn/change_resolv_conf.sh down\"" > /tmp/ibvpn/server.ovpn

echo "#!/bin/sh
if [ \$(ps | grep openvpn | grep -v grep | wc -l | tr -s \"\n\") -eq 0 ];
then openvpn --daemon --config /tmp/ibvpn/server.ovpn;
fi" > /tmp/ibvpn/check_vpn

chmod 755 /tmp/ibvpn/check_vpn

echo "#!/bin/sh
case \$1 in
\"start\" )
ntpclient pool.ntp.org
killall openvpn
echo \"Launching OpenVPN process\"
sed -i 's/remote.*/remote '\$2' 1194 udp/g' /tmp/ibvpn/server.ovpn
openvpn --daemon --config /tmp/ibvpn/server.ovpn
sleep 10
if [ \$(route -n | grep '0.0.0.0.*tap' | wc -l) = 2 ]; then
echo "VPN ON"
else
echo "VPN Error"
fi
echo \"* * * * * root /tmp/ibvpn/check_vpn\" > /tmp/crontab
stopservice cron && startservice cron
;;
\"stop\" )
echo \"Stoping OpenVPN Process\"
sed -i 's/.*check_vpn.*//' /tmp/crontab
stopservice cron && startservice cron
killall openvpn
;;
esac
return 0" > /tmp/ibvpn/vpn

chmod 755 /tmp/ibvpn/vpn

echo "My-Email-Address@gmail.com
VPNPassword" > /tmp/ibvpn/user.conf

-------------

2. On the Setup, Basic Setup tab, on the Network Address Server Settings (DHCP), change the Static DNS 1 and Static DNS 2 to 8.8.8.8 and 8.8.4.4

3. On the Security page, select Firewall tab and make sure "SPI Firewall" is Disabled.

When you want to start the vpn connection you just paste
"/tmp/ibvpn/vpn start aaa.bbb.ccc.ddd" (replace aaa.bbb.ccc.ddd with the server IP you want to connect) into the command shell and click "Run Commands".

When when you want to start the vpn connection you just paste
"/tmp/ibvpn/vpn stop" into the command shell and click "Run Commands".

---------------------------------------
Ok, can anyone offer any help/advice as to how I get the above working in the Merlin VPN client (I actually want it on all the time for all hardwired and wireless traffic).

Thanks to anyone who can offer some insights into how to accomplish this.

 

[RMerlin]

That howto is way too complicated - it pretty much has you do everything manually.

Look at this tutorial aimed at Tomato rather, since Asuswrt-Merlin's OpenVPN is directly based off Tomato's OpenVPN. A lot of things can be configured on the webui.

http://tomatousb.org/tut:openvpn-via-password-authentication

 

[marcmkkoy]

TomatoUSB (and Merlin) with ibVPN.com

I would recommend TomatoUSB. I can't get Merlin installed on my N66U so I went with Tomato. DD-WRT would also not load. I'm having great success on TomatoUSB. It took a couple of days of trial and error with DD-WRT, Merlin, TomatoUSB.... to get connected to ibVPN but now it is working like a dream.

Here are the steps I followed. The thing about TomatoUSB is that it uses a /jffs partition. I'm not sure if Merlin does, but with Putty and SSH into the command window this went very quickly:

How to use Asus RT-N66u with OpenVPN on TomatoUSB for ibVPN.com
Despite what the below post says, I could not get it to load with DD-WRT.

With a new router, upgrade to TomatoUSB following the instructions here:
http://www.dd-wrt.com/phpBB2/viewtopic.php?t=153609&postdays=0&postorder=asc&start=60

I used this version of TomatoUSB
tomato-K26USB-1.28.RT-N5x-MIPSR2-097-Tor-VPN-64K.trx
Downloaded from here:
http://tomato.groov.pl/download/K26...K26USB-1.28.RT-N5x-MIPSR2-097-Tor-VPN-64K.trx


Basic Instructions:
- Use a static IP adress. 192.168.1.12 for example.
- From the latest Asus Firmware installed on your router: Upgrade CFE 1.0.3!!! TO BE DONE ONLY ONCE... NO WAY BACK!!!

Step #1:

- Reset NVRAM: just press the WPS button 5 seconds while your router boots. (yep no need to do the 30/30/30 old trick...). Then wait till the router reboot.
- Put the router in recovery mode: Press the reset button 10 seconds while your router boots.
- Go to http://192.168.1.1/
- Now that you have access to the http://192.168.1.1/ page restore to RT-N66U_3.0.0.4_260.trx (this step is not required, but just in case... follow it).
- Put the router in recovery mode: Press the reset button 10 seconds while your router boots.
- Go to http://192.168.1.1/ and restore to tomato-K26USB-1.28.RT-N5x-MIPSR2-097-Tor-VPN-64K.trx.

NOW WAIT FOR THIS MESSAGE:

Receive file size=8081473
Upload completed. System is going to reboot.
Please wait a few moments.

The button power button will stop blinking when the upload is finished... Then you need to wait till the router reboots by itself... between 3 and 10 minutes. Just in case you don't want to wait starring at the router's leds: ping 192.168.1.1, if you got a reply then the router has rebooted and is up and running .

Once the router has rebooted, it will have some more configuration work to do, so be patient.

The router will then reboot once again (all leds will flash at the same time), this time the WiFi leds (2.4Ghz and 5Ghz) will be on... and if you scan your WiFi network you'll see Tomato24 and Tomato50 access points.

Step #2:

- Go to Tomato admin panel.
- Verify that we have 64KB of NVRAM:

Status -> Overview :
Total / Free NVRAM: 64.00 KB / 22.36 KB (34.94%)

This is where I finally stopped since upgrading to DD-WRT would not work, so I stuck with TomatoUSB.

TomatoUSB will work with OpenVPN and ibVPN.com service.

Once logged into the administration panel, go to Administration>JFFS
Considering your local subnet is 192.168.1.1 you should be able to click on these url's to bring up the pages.
If you're on a different subnet then append the url with your IP.

http://192.168.1.1/admin-jffs2.asp

Check "Enable" and then "Format/Erase".
Wait for the partition to format.

You're going to need an SSH client like Putty to get to the router's config.
The admin login is root.
The admin password is whatever you set it to in the TomatoUSB config.
http://192.168.1.1/admin-access.asp

Make sure you have the SSH Daemon running with "Allow Password Login" checked.

Open Putty and SSH to your router's IP.
Login with root/password.

Type or copy/paste these commands into the Putty terminal window in the following order. They will create the necessary files in the necessary locations:

Command: cd /jffs

Command: mkdir etc

Command: mkdir /etc/openvpn

Command: chmod 777 /jffs/etc

Command: chmod 777 /jffs/etc/openvpn

Command: cd /etc/openvpn

Command: echo "-----BEGIN CERTIFICATE-----
MIIDeDCCAuGgAwIBAgIJAMVKgpjMPUfxMA0GCSqGSIb3DQEBBQUAMIGFMQswCQYD
VQQGEwJVUzELMAkGA1UECBMCQ0ExFTATBgNVBAcTDFNhbkZyYW5jaXNjbzEVMBMG
A1UEChMMRm9ydC1GdW5zdG9uMRgwFgYDVQQDEw9Gb3J0LUZ1bnN0b24gQ0ExITAf
BgkqhkiG9w0BCQEWEm1lQG15aG9zdC5teWRvbWFpbjAeFw0xMDA3MjExOTU5MzVa
Fw0yMDA3MTgxOTU5MzVaMIGFMQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExFTAT
BgNVBAcTDFNhbkZyYW5jaXNjbzEVMBMGA1UEChMMRm9ydC1GdW5zdG9uMRgwFgYD
VQQDEw9Gb3J0LUZ1bnN0b24gQ0ExITAfBgkqhkiG9w0BCQEWEm1lQG15aG9zdC5t
eWRvbWFpbjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAz23m3BXY5Asiw8Dx
T4F6feqsp+pIx6ivftTniyUCbSAxI1J1s1x75DzxmUpIwPu5xavzgPXgZr8FT81X
JGqF9km4AE95iddJawKx0wNgdTo7GximQq9rw0dsQIB5hZZQ9TJwHC3VOnmEic5A
OawKOCybMcRs8saLakZOgh7Xc+UCAwEAAaOB7TCB6jAdBgNVHQ4EFgQUeRhE2N4l
XwL4H1dbjkZ4ou6fj3AwgboGA1UdIwSBsjCBr4AUeRhE2N4lXwL4H1dbjkZ4ou6f
j3ChgYukgYgwgYUxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEVMBMGA1UEBxMM
U2FuRnJhbmNpc2NvMRUwEwYDVQQKEwxGb3J0LUZ1bnN0b24xGDAWBgNVBAMTD0Zv
cnQtRnVuc3RvbiBDQTEhMB8GCSqGSIb3DQEJARYSbWVAbXlob3N0Lm15ZG9tYWlu
ggkAxUqCmMw9R/EwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQASt0pl
WzVseQLTNM8Mlgw4ZnGAv/x2xnijmMqrkE+F7pnaOicGpxgCfMKzjZuJu0TNJqF2
fibE7GhMdomD4dLFgIu8Wb5E7iQ1CSBEOGumRhK8qCsDzjr7WXUdhqA6Xvo+ylU6
DMzy0Wn3NNvfGC+qxOgybYCJwDnVPi0CEDSbzQ==
-----END CERTIFICATE-----" > /jffs/etc/openvpn/ibvpn.com.crt

Command: echo "#!/bin/sh
[ "$1" = "up" -o "$1" = "down" ] || (echo "No action specified." && exit 1 )
action="$1"
shift
[ -z "$1" ] && echo "Failed to specify table." && exit 1
table="$1"
shift
[ -z "$1" ] && echo "Failed to specify subnet." && exit 1
ip route flush table $table
for i in '^127\.' '^172\.31\.' '^192\.168\.'
do
ip route add $(ip route list|grep "$i") table $table 2>>/dev/null
done
[ "$action" = "down" ] && ip route add default via $route_net_gateway table $table
[ "$action" = "up" ] && ip route add default via $route_vpn_gateway dev $dev table $table
for subnet in $*
do
ip rule del from $subnet table $table 2>>/dev/null
[ "$action" != "up" ] || ip rule add from $subnet table $table
done" > /jffs/etc/openvpn/route.sh

Command: chmod ugo+rx /jffs/etc/openvpn/route.sh

Command: chmod +x /jffs/etc/openvpn/route.sh
This may seem redundant, but for some reason my first command did not work and I had connection issues. I had to make sure the file is executable so it does not hurt to type this command to make sure it is set properly.

Command: echo "<USERNAME>" > /jffs/etc/openvpn/auth1.txt

Command: echo "<PASSWORD>" >> /jffs/etc/openvpn/auth1.txt

Command: chmod 600 /jffs/etc/openvpn/auth1.txt

Note: That <USERNAME> should be your actual username. For ibVPN <USERNAME> is your e-mail address. <PASSWORD> should be your actual password.

Now, go to the administration panel in TomatoUSB under VPN Tunneling>OpenVPN Client
http://192.168.1.1/vpn-client.asp

Click "Client 1"
Go to "Basic" tab.

Follow these settings:
Start with Wan: not checked
Interface Type: TAP
Protocol: UDP
Server Address/Port: 172.234.43.202 1194 - This should be the server you want to connect to from the list here: (Use one of the listed IP addresses)
http://www.ibvpn.com/billing/knowledgebase.php?action=displayarticle&id=4

Firewall: Automatic
Authorization Mode: TLS
Extra HMAC authorization (tls-auth): Disabled
Service is on the same subnet: not checked
Create NAT on tunnel: checked

Go to the "Advanced" tab.
Follow these settings:
Redirect Internet traffic: unchecked
Accept DNS configuration: Disabled
Encryption cipher: Use Default
Compression: Adaptive
TLS Renegotiation Time: -1
Connection retry: 30

There is a box for "Custom Configuration".
Copy/paste the following into this box, substituting the 192.168.1.0/24 with your subnet.

script-security 3 system
ca /jffs/etc/openvpn/ibvpn.com.crt
verb 3
mute 20
ns-cert-type server
fragment 1300
route-noexec
route-delay 2
redirect-private
auth-user-pass /jffs/etc/openvpn/auth1.txt
auth-nocache
reneg-sec 0
route-up "/jffs/etc/openvpn/route.sh up 1 192.168.1.0/24"
down "/jffs/etc/openvpn/route.sh down 1 192.168.1.0/24"

You should now be able to click the "Start Now" button and have your router connect to the VPN server.
Go to
http://www.ibvpn.com/
and see your ip address and location from the one you selected and entered in the Server Address/Port.

 

[maddawg]

Running tomato-K26USB-1.28.RT-N5x-MIPSR2-105-AIO-64K.trx . Tried following the instruction but getting error when I run the command: chmod 777 /jffs/etc/openvpn. Error states:chmod: /jffs/etc/openvpn: No such file or directory. Any help would be appreciated.

 

[maddawg]

Looks like this kicked my butt....time to get a refund and find another vpn provider that's easier to setup with merlin/tomato.