Securely route all internet traffic through VPN router: A guide
Hello all,
An issue that plagues the internet currently is a lack of security. In my country (Australia), all metadata from internet browsing is retained by the government for nebulous reasons. In other countries less fortunate, governments actively prosecute individuals for their browsing habits (an example, but there seem to be many more popping up every day).
While it does not address the underlying issues, you can protect yourself from this kind of implicit interrogation with some simple and cheap tools. This guide outlines how to install custom firmware on a router that will allow you to encrypt all traffic from connected computers (both on ethernet and wifi) to an external VPN. While there are some guides around on the internet, I have found most of them out of date, incomplete, or flat out wrong. This process worked as of about a month ago, so I think it's the most up to date on the internet right now.
Step 1:
Acquire an OpenWRT-compatible router.
The first step is to find the hardware that you'll be using for this project. The requirements of OpenWRT are very low, so if you're lucky you may already have a compatible device laying around. For this process I used a TP-Link TL-WR1043ND, which I sourced for $59 AUD (about $40 USD) from umart. Here it is on newegg if that helps.
Whatever device you choose, it would be wise to search for it beforehand here. There are about 1000 devices on that page, so finding a compatible device shouldn't be tricky. Click through to the "OWrt Device Page" link and read through all of it before continuing. Some devices have serious gotchas that won't be suitable for you.
(Note: For the rest of the guide I'll continue as though I was working with the TL-WR1043ND, but the guide should be pretty device-agnostic)
Step 2:
Install OpenWRT on router.
Now that you have your hardware, we'll need to install OpenWRT on it. The instructions should be present on the relevant wiki page. Example, at https://openwrt.org/toh/tp-link/tl-wr1043nd, scroll down to "Installation".
The process for these normally boils down to:
- Logging into your router's web interface, normally reachable by entering 192.168.0.1 or 192.168.1.1 in your preferred browser.
- Finding the "Update firmware" button (all routers should have this).
- Uploading the specific OpenWRT firmware package.
- Restarting the router.
I can't foresee all router configurations though so I stress: read the installation instructions.
(Note: For the rest of the guide I'll assume that your router can be found at 192.168.1.1. Please update all references to the IP if this is not the case)
Step 3:
Connecting to your newly-flashed OpenWRT router.
OpenWRT is a pretty barebones router firmware, so it does not provide a web interface by default. You will need an SSH client to continue.
For Windows:
- I recommend installing Cygwin. During the installation process you can tick the relevant packages to install (tick openssh and putty).
- Alternatively you can install putty directly, but this guide does not cover that.
For Mac:
- I do not have a Mac to test with, but it looks like Terminal comes with ssh preinstalled. This guide may be of some use to you.
For Linux:
- You will need ssh and pscp available. Ubuntu and related distros may be able to obtain them with "sudo apt install ssh putty". I assume that if you're not using Ubuntu you know what you're doing in this regard anyway.
Now that that is sorted, you will need to install LuCI on the router. We can do this by opening your chosen command line application and running the following commands (the first logs in as root, the OpenWRT default account, which has no password until you set one with passwd; the rest run on the router):
ssh root@192.168.1.1
opkg update
opkg install luci
opkg install luci-ssl
(The original LuCI guide is here if you would like to read further)
Once you have done this, you can navigate your browser to 192.168.1.1 and the web interface to the router will be available. Note that any time you reset the router (if you mix up a step, for example), you will need to repeat these commands before the web interface is available again.
(Note that this step is not really needed, but can be useful for establishing that the router can be connected to)
Step 4:
Purchase a VPN connection.
There are many VPN services around the world to choose from, but for this guide I've selected NordVPN. They have fast servers all over the world, have never had a security issue reported, claim to not keep logs of web traffic and are fairly cheap. A win in my books.
You will be able to complete this step by yourself at https://nordvpn.com/
Step 5:
Configure OpenWRT router to route through NordVPN.
The final step!
I've made this one easy for you all. Download these scripts that I've written. Ensure they are all in the same directory. Some temporary files will be created so I'd recommend using an empty directory.
Run "./do.sh". You will be prompted for any relevant details. This is when you will be able to choose your server, and provide your NordVPN username and password for authentication. The scripts will copy all relevant encryption keys and set up all relevant firewall/routing options for you. If in doubt about server choice, refer to this page. It will recommend a server for you, or allow you to pick a server in a specific country that has favourable speeds. In the script, enter the 2 letter country code (eg, Australia = au) and udp/tcp (just pick tcp if you are not sure).
Note that my scripts are an automated version of this guide (but there were a few things in there I had to tweak; it is a little out of date).
If you have correctly followed this procedure, you should now be able to navigate to https://nordvpn.com/ again. Look at the top bar. It should read "Your status: Protected". If not, something went wrong. Check the script log output for errors.
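The author's do.sh scripts are not reproduced on this page, so as an added example (not the author's code) the shell script below shows the kind of firewall/routing change Step 5 has to make on an OpenWRT router: it binds the OpenVPN client's tunnel interface to its own firewall zone, forwards the LAN only into that zone, and deletes the default lan-to-wan forwarding so that LAN hosts lose connectivity instead of silently falling back to the bare ISP link when the tunnel is down. The interface name tun0, the zone name vpn, the .ovpn path and the resolver address are assumptions or placeholders; the constructed `uci show firewall` sample lets the script run as a dry run off the router.

```shell
#!/bin/sh
# Added example, not the author's do.sh: print (dry run) or apply the uci
# commands that route LAN traffic only through the VPN tunnel.
# Assumed/placeholder values: VPN_IFACE, VPN_ZONE, OVPN_FILE and VPN_DNS
# (a TEST-NET address; replace it with the VPN provider's resolver).
VPN_IFACE="${VPN_IFACE:-tun0}"
VPN_ZONE="${VPN_ZONE:-vpn}"
OVPN_FILE="${OVPN_FILE:-/etc/openvpn/nordvpn.ovpn}"
VPN_DNS="${VPN_DNS:-203.0.113.53}"

# Constructed sample of `uci show firewall` output (only forwarding lines),
# so the script can be exercised without a router.
sample_firewall_dump() {
    cat <<'EOF'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].src='guest'
firewall.@forwarding[1].dest='wan'
EOF
}

# Read `uci show firewall` on stdin and print the full name of every
# forwarding section with src=lan and dest=wan (the path that bypasses
# the tunnel), highest index first so deletions do not shift later indexes.
find_lan_wan_forwardings() {
    awk -F'[.=]' -v q="'" '
        $3 == "src"  && ($4 == (q "lan" q) || $4 == "lan") { src[$2] = 1 }
        $3 == "dest" && ($4 == (q "wan" q) || $4 == "wan") { dst[$2] = 1 }
        END { for (s in src) if (s in dst) print "firewall." s }
    ' | sort -t '[' -k 2,2 -rn
}

# Emit a `uci batch` script; the firewall dump is read on stdin.
gen_vpn_uci() {
    cat <<EOF
set openvpn.nordvpn=openvpn
set openvpn.nordvpn.enabled='1'
set openvpn.nordvpn.config='$OVPN_FILE'
set network.$VPN_ZONE=interface
set network.$VPN_ZONE.proto='none'
set network.$VPN_ZONE.ifname='$VPN_IFACE'
add firewall zone
set firewall.@zone[-1].name='$VPN_ZONE'
set firewall.@zone[-1].input='REJECT'
set firewall.@zone[-1].output='ACCEPT'
set firewall.@zone[-1].forward='REJECT'
set firewall.@zone[-1].masq='1'
set firewall.@zone[-1].mtu_fix='1'
add_list firewall.@zone[-1].network='$VPN_ZONE'
add firewall forwarding
set firewall.@forwarding[-1].src='lan'
set firewall.@forwarding[-1].dest='$VPN_ZONE'
set dhcp.@dnsmasq[0].noresolv='1'
add_list dhcp.@dnsmasq[0].server='$VPN_DNS'
EOF
    # Kill switch: remove every lan->wan forwarding so only lan->vpn remains.
    find_lan_wan_forwardings | while read -r section; do
        echo "delete $section"
    done
    echo "commit"
}

# On the router (as root): feed the live firewall config through the generator.
apply_vpn_routing() {
    uci show firewall | gen_vpn_uci | uci batch
    /etc/init.d/network reload
    /etc/init.d/firewall restart
    /etc/init.d/dnsmasq restart
    /etc/init.d/openvpn restart
}

case "${1:-}" in
    apply) apply_vpn_routing ;;                  # ./vpn-route.sh apply
    *)     sample_firewall_dump | gen_vpn_uci ;; # dry run: show the batch
esac
```

Run it without arguments to see the batch that would be applied; with `apply` it commits the changes on the router. The zone uses the older `ifname` key; OpenWRT 21.02 and later name it `device`, so adjust for your release. With the lan-to-wan forwarding gone, LAN hosts have no internet at all while the tunnel is down, which is the point: a NordVPN status page reading "Protected" while the tunnel is up says nothing about what happens when it drops. Router-originated DNS still follows the routing table, so point dnsmasq at a resolver that is reached through the tunnel rather than the ISP's.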
And that's it! This ended up taking me a couple of months to figure out the whole process on my own, so hopefully this will streamline the process for all of you. Code review is welcome, if people are so inclined. Please feel free to ask any questions and I'll answer to the best of my abilities.
-- salami