Turris Omnia with NordVPN (OpenVPN client)

Hello all,

I’m trying to get my Turris Omnia to work as a client for the NordVPN service so all outgoing traffic is over VPN, but I must be missing something simple, because as soon as I connect to the VPN I lose all internet connection.

So far I tested just with command:
openvpn cz1.nordvpn.com.udp1194.ovpn (the file is the config they provide for each of their servers)
It asked for user and password…and then logged in, no problem.

It creates the tun0 interface
.
.
.
Mon Nov 28 14:16:16 2016 /sbin/ifconfig tun0 10.8.8.198 pointopoint 10.8.8.197 mtu 1500
Mon Nov 28 14:16:16 2016 /sbin/route add -net 87.236.196.99 netmask 255.255.255.255 gw 10.10.10.1
Mon Nov 28 14:16:16 2016 /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.8.8.197
Mon Nov 28 14:16:16 2016 /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.8.8.197
Mon Nov 28 14:16:16 2016 /sbin/route add -net 10.8.8.1 netmask 255.255.255.255 gw 10.8.8.197
.
.
.

It finishes initialization and I lose internet completely… I can ctrl+c the program and the net will be back.

I have not yet used OpenVPN on embedded devices or any servers I had, but it’s requested now. I would like to have it as a service that is always running, but in the service setup it’s just enable and point to the config file (where do I add user and pass?)

Any help would be greatly appreciated.

It looks like you’ve successfully opened a VPN connection, but you haven’t told your Omnia to forward all traffic originating from your LAN through the VPN.

I recommend following these instructions and adapting them to your situation: https://github.com/jlund/streisand/wiki/Setting-an-OpenWrt-Router-as-OpenVPN-Client

Something like this:

# a new OpenVPN instance:
uci set openvpn.nordvpn=openvpn
uci set openvpn.nordvpn.enabled='1'
uci set openvpn.nordvpn.config='/etc/openvpn/nordvpn.ovpn' # drop your ovpn here

# a new network interface for tun:
uci set network.nordvpn=interface
uci set network.nordvpn.proto='none' #dhcp #none
uci set network.nordvpn.ifname='tun0'

# a new firewall zone (for VPN):
uci add firewall zone
uci set firewall.@zone[-1].name='vpn'
uci set firewall.@zone[-1].input='REJECT'
uci set firewall.@zone[-1].output='ACCEPT'
uci set firewall.@zone[-1].forward='REJECT'
uci set firewall.@zone[-1].masq='1'
uci set firewall.@zone[-1].mtu_fix='1'
uci add_list firewall.@zone[-1].network='nordvpn'

# enable forwarding from LAN to VPN:
uci add firewall forwarding
uci set firewall.@forwarding[-1].src='lan'
uci set firewall.@forwarding[-1].dest='vpn'

# Finally, you should commit UCI changes:
uci commit

Now if your VPN service requires password authentication, you can add the following to your ovpn file:

auth-user-pass /etc/openvpn/nordvpn-auth.txt

And put your username and password in that file on separate lines, like this: (and hope no one finds it there)

username
password

Re DNS: If you have your Omnia set up to resolve DNS requests itself (i.e. Foris -> DNS -> “use forwarding” is unchecked), then Omnia will resolve through the VPN when it is active, and you don’t need to worry about DNS leaks. (Make sure to test this, e.g. https://www.dnsleaktest.com/)

2 Likes
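The credentials file described in the answer above stores the VPN username and password in plain text, so it should be readable by root only. The following is an added example, not part of the original posts: a POSIX sh check that finds the `auth-user-pass` path in an .ovpn profile and verifies that the file exists, is closed to group and others, and has the two-line layout. The function names, return codes and demo paths are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit the credentials file an .ovpn profile points at.
# Return codes (this script's own convention): 0 ok,
#   2 auth-user-pass has no file argument (OpenVPN would prompt),
#   3 file missing, 4 group/other can access it, 5 not "username\npassword".
check_ovpn_auth() {
    ovpn=$1
    # Second field of the first "auth-user-pass" directive, if any.
    auth=$(awk '$1 == "auth-user-pass" { print $2; exit }' "$ovpn")
    [ -n "$auth" ] || return 2
    [ -f "$auth" ] || return 3
    # Mode string such as "-rw-------": characters 5-10 are group/other bits.
    mode=$(ls -ln "$auth" | cut -c1-10)
    case $mode in
        ????------) ;;
        *) return 4 ;;
    esac
    # OpenVPN reads the username from line 1 and the password from line 2.
    [ -n "$(sed -n 1p "$auth")" ] && [ -n "$(sed -n 2p "$auth")" ] || return 5
    return 0
}

# Create the file under umask 077 so it is never world-readable, even briefly.
# An existing file is removed first because umask only applies at creation.
write_auth_file() {
    ( umask 077 && rm -f "$1" && printf '%s\n%s\n' "$2" "$3" > "$1" )
}

# Constructed demo in a scratch directory (paths and credentials are made up).
demo_dir=$(mktemp -d)
printf 'client\ndev tun\nauth-user-pass %s/auth.txt\n' "$demo_dir" > "$demo_dir/demo.ovpn"
printf 'username\npassword\n' > "$demo_dir/auth.txt"
chmod 644 "$demo_dir/auth.txt"
rc=0; check_ovpn_auth "$demo_dir/demo.ovpn" || rc=$?
echo "mode 644 -> $rc"
write_auth_file "$demo_dir/auth.txt" username password
rc=0; check_ovpn_auth "$demo_dir/demo.ovpn" || rc=$?
echo "written with umask 077 -> $rc"
rm -rf "$demo_dir"
```

On the router, the same check can be pointed at /etc/openvpn/nordvpn.ovpn once the `auth-user-pass` line has been added.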

Huge thanks, I think I had everything except the forwarding set. I will give it a try tomorrow morning.

@tomnia It works perfectly, just made it happen :smiley: many thanks!

If I would set up an OpenVPN config for my NordVPN account and then bridge the NordVPN interface, but with DHCP, with a specific wireless network which has been set up like an ordinary guest wifi.

That would give me a dedicated wireless network, separated from my LAN with a pure VPN connection, right?

Hi @tomnia, thank you very much for the great tutorial! I would like to route my guest-wifi through the vpn instead of lan. Do I only have to change ‘lan’ to something else? Is it eth0?