In this article we will be setting up an OpenVPN client on OpenWrt.
OpenWrt is an open-source project for embedded operating systems based on Linux, primarily used on embedded devices to route network traffic.
It is fairly easy to install OpenWrt on the MR8300 router. All we need to do is follow the official guide.
Installing Windscribe on OpenWRT is not a simple task though. The only (mostly) working guide has been removed from the net but can still be found in the archives.
Requirements
- A router running OpenWrt (22.03 or 23.05 for MR8300 box)
- Windscribe Pro account
- ssh access to the router
OpenVPN Installation
- Login / ssh to the router.
ssh root@192.168.1.1
or
ssh root@openwrt.lan
- Update package lists
opkg update
Install luci, if needed
opkg install luci
- Install required OpenVPN packages
opkg install luci-app-openvpn
opkg install openvpn-openssl
- If luci is already installed, the same steps can be performed via the UI.
- System -> Software
Firewall Configuration
We will do it by adding the TUN device to an existing WAN zone.
uci set firewall.@zone[1].device="tun0"
uci commit firewall
service firewall restart
@zone[0] is lan and @zone[1] is wan.
A cooler way of doing the same thing would be:
uci rename firewall.@zone[1]="wan"
uci del_list firewall.wan.device="tun0"
uci add_list firewall.wan.device="tun0"
uci commit firewall
service firewall restart
Download OpenVPN profile
- Go to https://windscribe.com/getconfig/openvpn (must be a pro user)
- Choose a location in the dropdown
- Select UDP for the protocol
- Select 443 for the port
- Select 2.4.6 or newer for OpenVPN
- Download the config and save under some name
For example Windscribe-Ashdod-YamPark.ovpn
- Get the credentials
username: qsano128-yoluknz
password: 4zrfc6e2ua
Install the profile
- From the router’s luci UI go to Services > OpenVPN
http://192.168.1.1/cgi-bin/luci/admin/vpn/openvpn
- In the OVPN configuration file upload section choose the profile downloaded in the previous step. For example: Windscribe-Ashdod-YamPark.ovpn
- Enter a name (windscribe-ashdod in our case) into the Instance name text field.
- Click Upload
- Under OpenVPN instances, it will now show an entry for windscribe-ashdod. Put a checkmark on Enabled. This will enable and start the connection later when we click on the Save & Apply button.
- Now we need to update the profile. Select Edit and the windscribe-ashdod configuration will appear.
- Find the line that reads auth-user-pass and change it to
auth-user-pass /etc/openvpn/windscribe_ashdod.auth
- Also add the following configuration:
script-security 2
up "/etc/openvpn/updns"
down "/etc/openvpn/downdns"
- Add the username & password to the second section. For example:
qsano128-yoluknz
4zrfc6e2ua
- Please note that the first line is the username and the second line is the password.
- Click the Save button
Add Start-up Scripts
Login / ssh to the router and enter the following commands:
- Create the first script
cat<<'EOF' > /etc/openvpn/updns
#!/bin/sh
mv /tmp/resolv.conf.auto /tmp/resolv.conf.auto.hold
echo $foreign_option_1 | sed -e 's/dhcp-option DOMAIN/domain/g' -e 's/dhcp-option DNS/nameserver/g' >/tmp/resolv.conf.auto
echo $foreign_option_2 | sed -e 's/dhcp-option DOMAIN/domain/g' -e 's/dhcp-option DNS/nameserver/g' >> /tmp/resolv.conf.auto
echo $foreign_option_3 | sed -e 's/dhcp-option DOMAIN/domain/g' -e 's/dhcp-option DNS/nameserver/g' >> /tmp/resolv.conf.auto
EOF
- Create the second script
cat<<'EOF' > /etc/openvpn/downdns
#!/bin/sh
mv /tmp/resolv.conf.auto.hold /tmp/resolv.conf.auto
EOF
- chmod 755 /etc/openvpn/updns
- chmod 755 /etc/openvpn/downdns
- This part is a bit tricky as you need to know how to use a command line editor:
vi /etc/config/dhcp
- Add this line (properly aligned) at the end of the config dhcp 'lan' section:
list dhcp_option '6,10.255.255.1,208.67.222.222,208.67.220.220'
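The updns script above reads exactly three pushed options and rewrites them with sed. As an added example (not the article's script; the function names are hypothetical), the sketch below walks every foreign_option_N that OpenVPN exports and only emits lines whose value validates as an IPv4 address or a hostname.

```shell
#!/bin/sh
# Added example, not the article's updns: turn the foreign_option_N variables
# OpenVPN exports to an "up" script into resolv.conf lines, with validation.

# Dotted-quad IPv4 only, every octet 0-255.
is_ipv4() {
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    rest=$1. n=0
    while [ -n "$rest" ]; do
        octet=${rest%%.*}; rest=${rest#*.}; n=$((n + 1))
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    [ "$n" -eq 4 ]
}

# Hostname-like domain: letters, digits, dots, hyphens.
is_domain() {
    case "$1" in ''|*[!A-Za-z0-9.-]*|.*|-*) return 1 ;; esac
}

# Walk foreign_option_1, _2, ... until the first unset one (not just three).
pushed_resolv_conf() {
    i=1
    while :; do
        eval "opt=\${foreign_option_$i:-}"
        [ -n "$opt" ] || break
        set -f; set -- $opt; set +f        # word-split without globbing
        if [ "$#" -eq 3 ] && [ "$1" = dhcp-option ]; then
            case "$2" in
                DNS)    is_ipv4 "$3"   && echo "nameserver $3" ;;
                DOMAIN) is_domain "$3" && echo "domain $3" ;;
            esac
        fi
        i=$((i + 1))
    done
    return 0
}

# Constructed sample values (not captured from a real server). The DNS6 line is
# one the article's sed would rewrite to an invalid "nameserver6 ..." entry.
(
    foreign_option_1='dhcp-option DNS 10.255.255.1'
    foreign_option_2='dhcp-option DOMAIN vpn.example'
    foreign_option_3='dhcp-option DNS6 2001:db8::1'
    foreign_option_4='dhcp-option DNS 10.0.0.256'
    pushed_resolv_conf
)
```

In an up script the output of pushed_resolv_conf would be redirected to the resolver file in place of the three echo lines.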
Apply OpenVPN settings
This is a short but absolutely critical step.
Click on the Save & Apply button on the OpenVPN UI page.
- Note: hopefully you did not forget to put a checkmark on the Enabled field in the Install the profile step.
We are done, almost!
Test It
We need to deploy our QA skills now.
- Go to ipleak.net
- Please make sure that you are not seeing your ISP's IP address there.
Now we are done. Have questions - please shoot me an email (qas @ blog domain).
You are still here? Why?
OVPN config file (/etc/openvpn/windscribe_ashdod.ovpn), excluding the certificate:
client
dev tun
proto udp
remote tlv-218.whiskergalaxy.com 443
verify-x509-name tlv-218.windscribe.com name
nobind
auth-user-pass /etc/openvpn/windscribe_ashdod.auth
resolv-retry infinite
script-security 2
up "/etc/openvpn/updns"
down "/etc/openvpn/downdns"
cipher AES-256-GCM
ncp-ciphers AES-256-GCM:AES-256-CBC:AES-128-GCM
auth SHA512
verb 2
mute-replay-warnings
remote-cert-tls server
persist-key
persist-tun
key-direction 1
<ca>
Nothing is easy, but who wants nothing?
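The profile above names a plaintext credentials file and, through script-security 2, two hook scripts that OpenVPN executes. As an added example (not code from the article), this check reads a profile and reports the files it references whose modes are looser than a policy assumed here: credentials readable by the owner only, hooks not writable by group or others. The function names and the sample profile are hypothetical.

```shell
#!/bin/sh
# Added example, not from the article: audit the files an .ovpn profile points at.
# Policy assumed here: credentials readable by owner only; up/down hooks (run
# because of script-security 2) not writable by group or others.

# First 10 characters of `ls -ld`, e.g. -rwxr-xr-x; empty if the path is missing.
mode_of() { ls -ld -- "$1" 2>/dev/null | cut -c1-10; }

# Print one FINDING line per violation; return 0 only when there are none.
audit_ovpn() {
    findings=0
    while read -r key val rest || [ -n "$key" ]; do
        val=${val#\"}; val=${val%\"}              # hook paths are quoted in the profile
        case "$key" in
            auth-user-pass) [ -n "$val" ] || continue
                            want='-???------' ;;       # no group/other bits at all
            up|down)        want='-????[!w]??[!w]?' ;; # no group/other write bit
            *)              continue ;;
        esac
        mode=$(mode_of "$val")
        case "$mode" in
            $want) ;;
            *) echo "FINDING: $key $val mode=${mode:-missing}"
               findings=$((findings + 1)) ;;
        esac
    done < "$1"
    [ "$findings" -eq 0 ]
}

# Constructed sample: world-readable credentials next to a sane hook script.
make_sample() {
    d=$(mktemp -d) || return 1
    printf 'user\npass\n' > "$d/vpn.auth"; chmod 644 "$d/vpn.auth"
    printf '#!/bin/sh\n' > "$d/updns"; chmod 755 "$d/updns"
    printf 'client\nauth-user-pass %s\nscript-security 2\nup "%s"\n' \
        "$d/vpn.auth" "$d/updns" > "$d/vpn.ovpn"
    echo "$d/vpn.ovpn"
}

# Audit the profile given as $1, or the constructed sample when none is given.
audit_ovpn "${1:-$(make_sample)}" || echo "audit: findings reported above"
```

On the router it would be run with the profile path as its argument, for example /etc/openvpn/windscribe_ashdod.ovpn.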
FAQ
- How do I set up a Windscribe OpenVPN client on an OpenWrt MR8300 router?
- Install luci and luci-app-openvpn, add the OpenVPN profile from Windscribe, attach the TUN interface to the WAN firewall zone, enable the client in LuCI, and verify that traffic flows through the VPN interface instead of your ISP.
- Why does the guide create custom updns and downdns scripts for OpenVPN?
- The updns script rewrites /tmp/resolv.conf.auto so the router uses the DNS servers pushed by Windscribe while the VPN is up, and the downdns script restores the original DNS configuration when the tunnel disconnects. This avoids DNS leaks and keeps name resolution working correctly.

