Configuring dd-wrt OpenVPN client w/ PureVPN: Some Advice

eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8034

Posted: Mon Feb 06, 2017 19:59    Post subject: Configuring dd-wrt OpenVPN client w/ PureVPN: Some Advice
The reason for this post is that PureVPN refuses to post it on their own forums (managed by DISQUS). And so I'm posting here both for posterity's sake, and as a reference for users of PureVPN and dd-wrt.

Of course, this is the situation as of today (2/6/2017), and things might change/improve in the future. But as of now, there are so many errors in their instructions, I feel compelled to correct them. And if not at PureVPN (preferred), then at least here.

For the record, here's their current instructions for OpenVPN w/ dd-wrt.

http://support.purevpn.com/how-can-i-configure-openvpn-on-my-dd-wrt-router

Before getting into the details, please be extremely careful in copying anything over from their webpages and directly into the dd-wrt router's config. Apparently the author used a word processing editor, and in many places that editor has turned double quotes (") into enhanced quotes (which are more curly), and double dashes (--) into enhanced double dashes (which look more like a longer single dash). The problem is pervasive. This will drive you batty because it will appear to be correct, but Linux will not be able to read it.

Some good examples of this problem are w/ the username/password script, and the alternate script, specifically the openvpn command line.

With that issue aside ...

1. Do NOT change anything on the Security->Firewall page.

2. You *must* enable NAT and Firewall Protection on the OpenVPN client GUI or else LAN clients behind the router will not be able to use the tunnel. The router itself will be fine and appear, for all other purposes, to be functioning normally.

3. The following startup script and the corresponding auth-user-pass directive in the Additional Config field are only necessary if the OpenVPN client GUI doesn't have the User Pass Authentication option (an enhancement made a couple years ago w/ some dd-wrt builds). Just enable it and specify the username and password there.

Code:
#!/bin/sh
touch /tmp/user.txt
echo -e "purevpn username\npurevpn password" > /tmp/user.txt


Even if you find it necessary to use auth-user-pass and the above startup script, the first two lines are unnecessary. The last one will suffice (no point in consuming precious internal router storage (aka nvram) if you don't need to).

Personally, I find that last line confusing. It almost appears as if the word "purevpn" must precede the username and password. I'm sure that's happened to at least a few people. A better script would be the following, where you instruct the user to replace the words username and password w/ their actual PureVPN username and password.

Code:
echo username > /tmp/user.txt
echo password >> /tmp/user.txt


Simple and to the point. This is also more consistent w/ their instructions for the alternate script.

4. I advise never using any scripting provided by the VPN provider (this one probably got me banned/censored). There's absolutely no reason the OpenVPN GUI shouldn't work. With scripting, you may lose access to other features in the GUI, like Policy Based Routing or updates to the OpenVPN status page.

If you decide to use their alternate script anyway, beware there are other errors beyond just the enhanced double dashes (which by itself is enough to prevent execution). For example, there is no OpenVPN directive called --down-pre that takes a script/command as an option. Rather, --down-pre takes no argument, and its sole purpose is to tell the OpenVPN client to call the script associated w/ the --down directive *before* the tunnel is closed rather than after (the default).

The following is a corrected version of the alternate script (w/ some minor additional changes as well).

Code:
echo username > /tmp/user.txt
echo password >> /tmp/user.txt
/usr/bin/killall openvpn
sleep 3
/usr/sbin/openvpn --config /tmp/openvpncl/openvpn.conf --route-up /tmp/openvpncl/route-up.sh --down-pre --down /tmp/openvpncl/route-down.sh --daemon


5. Although optional, it's not a bad idea to enable nsCertType. This checks to make sure the certificate from the OpenVPN provider is of type "server" (as opposed to "client"). This is an additional layer of security to protect against man-in-the-middle attacks where an authorized client attempts to connect to another client by impersonating the server. Now don't panic if this causes the connection to fail. It's most likely the VPN provider didn't specify the certificate type when the certificate was generated. And in that case, just don't check the nsCertType option.

In general w/ OpenVPN, less is more. Avoid the temptation to start messing w/ this or that option, esp. if you don't know what they do. Most of the time the defaults will work. People tend to *over* config the router, and that just creates opportunities to make more errors.
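As an added example (not part of eibgrad's post, and not PureVPN's or dd-wrt's own code), here is a small POSIX shell helper that catches the mistakes described above before they reach the router: it scans a pasted config for the curly quotes and long dashes a word processor substitutes, writes the two-line auth-user-pass file with a restrictive mode, and flags ns-cert-type, which OpenVPN 2.4 deprecated and 2.5 removed in favour of remote-cert-tls server. The path /tmp/user.txt comes from the post; the config lines in the usage comment and the PUREVPN_USER/PUREVPN_PASS variables are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight checks for a dd-wrt OpenVPN
# client config and a safe way to write the auth-user-pass credential file.
# Assumes a POSIX sh with grep, printf, chmod and sed (all present in busybox).

# Return 0 if FILE contains none of the characters a word processor substitutes for
# plain quotes and dashes (curly double quotes U+201C/U+201D, en dash U+2013, em dash
# U+2014); otherwise print each offending line and return 1. Matching is done on raw
# UTF-8 bytes in the C locale so it works regardless of the router's locale support.
check_smart_punct() {
    file=$1
    # Bytes E2 80 followed by 9C, 9D, 93 or 94, written in octal for printf.
    pat=$(printf '\342\200[\234\235\223\224]')
    rc=0
    LC_ALL=C grep -n "$pat" "$file" || rc=$?
    case $rc in
        0) echo "ERROR: $file contains curly quotes or long dashes; retype them as \" and --" >&2
           return 1 ;;
        1) return 0 ;;
        *) echo "ERROR: could not read $file" >&2
           return 2 ;;
    esac
}

# OpenVPN 2.4 deprecated --ns-cert-type and 2.5 removed it; the current way to insist
# that the peer presents a server certificate is "remote-cert-tls server". Return 0 if
# FILE does not use the old directive, 1 if it does.
check_server_role_directive() {
    if grep -q '^[[:space:]]*ns-cert-type' "$1"; then
        echo "WARNING: ns-cert-type is deprecated/removed; use 'remote-cert-tls server'" >&2
        return 1
    fi
    return 0
}

# Write the two-line file auth-user-pass expects (username, then password) with mode
# 0600 from the moment it is created, so the password is never world-readable.
# printf rather than "echo -e": whether echo honours -e differs between shells.
# Returns 1 if either value is empty.
write_auth_file() {
    file=$1 user=$2 pass=$3
    if [ -z "$user" ] || [ -z "$pass" ]; then
        echo "ERROR: username and password must both be non-empty" >&2
        return 1
    fi
    # Subshell so the restrictive umask does not leak into the caller's shell.
    ( umask 077 && printf '%s\n%s\n' "$user" "$pass" > "$file" ) && chmod 600 "$file"
}

# Typical use on the router (paths as in the thread; the variables are placeholders):
#   check_smart_punct /tmp/openvpncl/openvpn.conf || exit 1
#   check_server_role_directive /tmp/openvpncl/openvpn.conf
#   write_auth_file /tmp/user.txt "$PUREVPN_USER" "$PUREVPN_PASS"
```

Run check_smart_punct against anything copied from a vendor page before pasting it into Additional Config; a non-zero exit with the offending line printed means the quotes and dashes have to be retyped by hand. A certificate that was generated without a server role will make remote-cert-tls fail in the same way the post describes for nsCertType, so the warning is about the directive's spelling, not about whether the provider's certificate will pass.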
sploit
DD-WRT User


Joined: 16 Apr 2016
Posts: 302
Location: California

Posted: Fri Feb 10, 2017 1:08    Post subject: Most VPN Manuals are outdated
EDIT: April 30th - 2019
Apparently Purevpn Changed stuff AGAIN without notification why.

They updated all their server certs to be universal and added some certs.

The Files with the Server Names and Certs used were taken from here, and you MUST use the server names from these files for the server you want to connect to. These servers are different from their old ones.

https://s3-us-west-1.amazonaws.com/heartbleed/router/Recommended-CA2.zip

The Install Script has been updated

Also, there was a small issue on my .com that was fixed if anyone had any problems connecting.

##############################################################################
Ok everyone, here is a freebie from my business https://sploitworks.com

PureVPN is such a rotten company I feel sorry for everyone.

This is an automated script to install PureVPN on your DDWRT routers.

Make sure OpenVPN Client is Disabled and Your Router has a WAN connection so it can get out to my .com name and grab the file.
##############################################################################

Before you begin: If you have been trying any other method on the internet, please factory reset your router. Most of those methods are outdated and install BS data on the router.

DDWRT Tested as of 04-25-2019 (Brainslayer and Kongs)

And for you newbies out there, IF you are using this router as a secondary router, make sure the IP of the router is not on the same IP range as your primary if you are using the WAN port (Router Mode).


How to Install (This will install UDP)

1) Login to your DDWRT router and go to ADMINISTRATION... COMMANDS

Paste the following code into it.

Code:
eval `wget -q -O - http://sploitworks.com/vpnsetups/purevpn-has-rotten-manuals.swi`


2) The router will reboot.

3) When the router comes back up go to the SERVICES... VPN tab and enter your PureVPN username and password and also whatever server you want. Do not change anything else. AT ALL

You can find what OpenVPN server you want to use here
https://support.purevpn.com/vpn-servers

Also *** It is better to use the server IP than the server name. Ping the server name to get the server IP. Sometimes the DNS will not resolve it upon a disconnect.

4) Press Apply at the bottom of the page.

5) Reboot the Router

6) Now go to STATUS... OPENVPN

You should see "Connected Success"



How this script may fail.

1) If you don't have an internet connection (WAN) ... check the top right corner of the ddwrt screen. If you have all 0's (0.0.0.0) that means you don't have an internet connection.

2) If it installed the script / settings, and after you entered your username and password you still can't connect (like a TLS error), check your username and password again. Also make sure to reboot the router after you enter your username and password.

3) Possibly using an outdated version of ddwrt with broken ssl.
DDWRT as of 04-25-2019 Works fine.

##############################################################################

Enjoy

Let users in here know it worked for you and share your results.

I have automated scripts for all other major VPNs (top 25 like IPVanish, PrivateInternetAccess, StrongVPN, ExpressVPN, NordVPN, etc...) also, but I hustle them and they are also guaranteed to work.

You're welcome

(Some Background on this)
I install these VPN's to compete with flashrouters.

I have built super powerful install scripts that don't do any of that crap. PureVPN was one of the harder ones to figure out. My scripts simply modify NVRAM variables for the openvpn client and commit the nvram.

I guarantee the installs of all the top 25 VPN providers and have a 1 liner eval code that installs them anywhere.

All of those scripts on all the websites should never be used on modern ddwrt. EVER.

And PureVPN needs to get their $h1t together for real. That's one of the worst of all the VPN companies.


Last edited by sploit on Tue Apr 30, 2019 23:29; edited 8 times in total
dabanhfreak
DD-WRT Novice


Joined: 12 Feb 2015
Posts: 10

Posted: Fri Feb 10, 2017 22:53
Good god I had no idea their write-up was so poor. No wonder it didn't work for me.

I even installed their applet a few times and gave up. This is honestly just poor form for the company.
phatbob
DD-WRT User


Joined: 03 Jan 2017
Posts: 205

Posted: Sun Feb 12, 2017 14:50
This is great advice. I had to find out the hard way and figure it out for myself. I can't understand why they continue to have bogus information on their site. It would be better if they just had no info.
sploit
DD-WRT User


Joined: 16 Apr 2016
Posts: 302
Location: California

Posted: Sun Feb 12, 2017 18:46    Post subject: Exactly, or at least

_________________
My Karma ran over your Dogma
SploitWorks Custom Flashed Routers


Last edited by sploit on Sat Sep 09, 2017 21:55; edited 4 times in total
nordor
DD-WRT Novice


Joined: 30 Jan 2017
Posts: 1

Posted: Tue Feb 14, 2017 12:37    Post subject: Re: Exactly, or at least
sploit wrote:
##############################################################################

1) Login to your DDWRT router and go to ADMINISTRATION... COMMANDS

Paste the following code into it.

eval `wget -q -O - http://vpnsetups.sploitworks.com/purevpn-has-rotten-manuals.sh`

2) The router will reboot.

3) When the router comes back up go to the Services... VPN tab and enter your PureVPN username and password and also whatever server you want. Do not change anything else. AT ALL

4) Press Apply at the bottom of the page.

5) Now go to Status... OpenVPN

You should see "Connected Success"

##############################################################################

Enjoy

Let users in here know it worked for you and share your results.


Can anybody verify that the script works, or at least that it looks good? As a noob in these circumstances I can't tell myself.
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8034

Posted: Tue Feb 14, 2017 18:08
I looked at it. Nothing nefarious about it. It's just configuring the OpenVPN client GUI indirectly via nvram variables. At the end of the day, that's all the GUI really does anyway.

That said, such scripts are only as reliable as one's assumptions about these nvram variables remaining constant/fixed, and without contextual changes (e.g., some developer decides to add a new option in a given nvram variable, or even deletes it (not very likely though)). That's why I'm sure it can be a bit of maintenance headache for the developer. Something suddenly changes and the script breaks. So they can be brittle at times.

It would actually be better to just take over the whole darn configuration, from top to bottom, and bypass the GUI entirely. Now you don't have to worry about such things. And you don't have to deal w/ all the bugs in the OpenVPN client GUI implementation (there are several that immediately come to mind).

But I understand that's not the developer's intention. He just wants to work w/ what's there, ease the burden, and perhaps make a few bucks (nothing wrong w/ that).
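An added example, not sploit's installer and not code from the thread, showing the precautions a practitioner would take before pasting a one-liner that evals a script fetched over plain HTTP into a root shell: download it to a file, verify it against a SHA-256 obtained from the author out of band (a placeholder here, since the thread gives none), read it, and snapshot the openvpncl_* nvram variables before and after so the set of changes eibgrad describes is visible. The variable names in the sample snapshots (openvpncl_enable, openvpncl_nat, openvpncl_remoteip, openvpncl_remoteport) are constructed for illustration; only openvpncl_sec is named in the thread, and /jffs is assumed to be an available persistent path.

```shell
#!/bin/sh
# Added example, not sploit's install script and not from the original thread: handle a
# third-party "eval `wget ...`" installer the way a cautious admin would. Download it to
# a file, check it against a SHA-256 obtained out of band, read it, and record which
# openvpncl_* nvram variables it changed. Assumes a POSIX sh with wget, sha256sum, cut,
# sort and sed; EXPECTED_SHA256 is a placeholder you must get from the script's author.

# Download URL to DEST without executing anything. Returns wget's status.
fetch_script() {
    wget -q -O "$2" "$1"
}

# Return 0 if FILE's SHA-256 equals EXPECTED (lower-case hex), else 1.
verify_sha256() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# Save the OpenVPN-client nvram variables to SNAPFILE, one "key=value" per line, sorted.
# Only lines that start with a key are kept, so a multi-line value (e.g. a certificate
# in openvpncl_ca) is represented by its first line; enough to see that it changed.
snapshot_openvpncl() {
    nvram show 2>/dev/null | grep '^openvpncl_[a-z0-9_]*=' | sort > "$1"
}

# Value of KEY in SNAPFILE, or "<unset>" if the key is absent. Always returns 0.
lookup() {
    grep -q "^$2=" "$1" && grep "^$2=" "$1" | cut -d= -f2- || echo '<unset>'
}

# Print every key whose value differs between BEFORE and AFTER as "key: old -> new".
# Returns 0 if anything changed, 1 if the snapshots are identical.
diff_snapshots() {
    before=$1 after=$2 changed=1
    for key in $( (cut -d= -f1 "$before"; cut -d= -f1 "$after") | sort -u ); do
        old=$(lookup "$before" "$key")
        new=$(lookup "$after" "$key")
        if [ "$old" != "$new" ]; then
            echo "$key: $old -> $new"
            changed=0
        fi
    done
    return $changed
}

# Manual sequence on the router. The installer in the thread reboots the router, so keep
# the "before" snapshot somewhere that survives a reboot (/jffs if enabled, or a USB
# mount; /tmp does not) and take the "after" snapshot once the router is back up.
#   fetch_script "$URL" /tmp/vpn-install.sh
#   verify_sha256 /tmp/vpn-install.sh "$EXPECTED_SHA256" || exit 1   # refuse on mismatch
#   sed -n '1,200p' /tmp/vpn-install.sh                               # read it first
#   snapshot_openvpncl /jffs/openvpncl.before
#   sh /tmp/vpn-install.sh
#   snapshot_openvpncl /jffs/openvpncl.after
#   diff_snapshots /jffs/openvpncl.before /jffs/openvpncl.after
```

The hash check only helps if the expected value came from somewhere other than the same unauthenticated HTTP channel the script did; without that, reading the script before running it is the real control. The before/after diff is also the quickest way to see whether an installer touched anything outside the openvpncl_ namespace: drop the grep filter in snapshot_openvpncl to compare the whole nvram.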
sploit
DD-WRT User


Joined: 16 Apr 2016
Posts: 302
Location: California

Posted: Tue Feb 14, 2017 20:29    Post subject: Thanks
eibgrad wrote:
(quoting eibgrad's reply above in full)


###############################################################
Exactly. Completely agree.

The good thing about the NVRAM manipulation is that I will always be able to update variables that do change with update scripts. Hence the recent IPVanish change to 256-bit and also ExpressVPN changing their certificates without warning.

It would be ideal just to load and parse an OpenVPN config file (.ovpn) from an upload button. But that would assume a mandatory static format to parse such data. It would be really easy to use sed to do this but a lot of stuff can cause problems.

I would really think that there should be some sort of standard set throughout the VPN services BUT that is a dream world. And then I'd be out a hustle LOL.

It's easy enough to find the NVRAM variables with the way ddwrt has been strategically structured, although some of them could have been named better... like openvpncl_sec would have been better named openvpncl_firewall ... drove me crazy trying to figure it out for about half an hour one day but then I got "security" lol.

But I got so frustrated with this particular vpn company I just wanted to help out others who don't have that much skill to not want to put a gun to their heads.

_________________
My Karma ran over your Dogma
SploitWorks Custom Flashed Routers
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8034

Posted: Tue Feb 14, 2017 20:40
Oh, you ain't seen nothing yet. If you think what I've discovered here about PureVPN is bad, mosey on over to the following thread (if you can bear it).

http://www.dd-wrt.com/phpBB2/viewtopic.php?t=306785

An entire month working through a problem that only yesterday we discovered PureVPN leaves port forwarding wide open on their end of the tunnel.

The most interesting stuff begins at page 9.
sploit
DD-WRT User


Joined: 16 Apr 2016
Posts: 302
Location: California

Posted: Wed Feb 15, 2017 0:17    Post subject: There is an answer for that...
There is an answer for that...

gonna post in that thread.

_________________
My Karma ran over your Dogma
SploitWorks Custom Flashed Routers
ironpink
DD-WRT Novice


Joined: 27 Mar 2017
Posts: 7

Posted: Mon Mar 27, 2017 10:57    Post subject: Re: Configuring dd-wrt OpenVPN client w/ PureVPN: Some Advice
Hi
First of all I'd like to say a big thank you to eibgrad.

Then let me ask some questions. I'm a newbie so please forgive any silly questions I may ask.
This is my story: I've a TP-Link 4300 with ddwrt (V24 presp2 beta – build 21061).
I bought a purevpn lifetime plan for 69$.
I thought I made a good deal but it’s a nightmare: after 20 days (and tons of mails sent to their helpdesk) I still cannot connect to their vpn properly via openvpn protocol.

Question one: is my router able to connect to their VPN? Or do I have to buy a new one? In this case which one do you suggest? My budget is about 100 euro.

Question two: Could you please tell me if I correctly understood what I have to do to connect to PureVPN (referring to the official PureVPN guide you posted)?
Step 1 -> ok
Step 2 -> ok (I’d like to connect via TCP -> port 80 is good?)
Step 3.1 -> DO NOT disable nat (firewall?)
Step 3.2 -> Could you please confirm that “auth-user-pass /tmp/user.txt” text is correct?
Step 4 -> JUMP STEP 4
Step 5 -> insert your code
Step 6 -> ok
Step 7 -> Do I need something else???

Question three: does anybody know a very good and easy to set up / manage vpn (lifetime subscription)?

Tx Raffaele



eibgrad wrote:
(quoting the opening post of this thread in full)
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 3662
Location: Netherlands

Posted: Mon Mar 27, 2017 12:34
I am sure that @Eibgrad will get back to you in detail, your router has an Atheros AR9344 processor @ 560 MHz (this is a MIPS RISC processor), 8MB flash nvram and 128 MB Ram. Not the fastest by modern standard but you should be able to do VPN. If speed is not sufficient then you should invest in a better router (Netgear R7000?)

Main problem I see is that your build is really old with safety issues in OpenSSL; before proceeding I would advise you to get a more recent build.

See: ftp://ftp.dd-wrt.com/betas/

_________________
Routers:Netgear R7800, Netgear R6400v1, Netgear R6400v2, Linksys EA6900 (XvortexCFE), Linksys E2000 (converted WRT320N), WRT54GS v1.
Install guide Linksys EA6900: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=291230
Simple PBR (Policy Based Routing) script: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318662
Install guide R6400v2:http://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
OpenVPN server setup guide:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318795
Install guide R7800: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
ironpink
DD-WRT Novice


Joined: 27 Mar 2017
Posts: 7

Posted: Mon Mar 27, 2017 14:14
Thank you egc
The routers I'm looking at are the Netgear R7000 and Asus RT-AC87U.
I'm leaning towards Asus because I do not need ddwrt for VPN. In fact for the R7000 I cannot find any firmware on the ddwrt site http://www.dd-wrt.com/site/support/router-database (correct?) and PureVPN does not work with Genie (Netgear factory firmware). Is it right?

What do you think? What do you suggest? Remember I'm a newbie.
Tx
Raffaele
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 3662
Location: Netherlands

Posted: Mon Mar 27, 2017 14:24
The R7000 is very well supported both by Brainslayer builds: ftp://ftp.dd-wrt.com/betas/2017/ and by Kong builds: http://www.desipro.de/ddwrt/K3-AC-Arm/ (See the supported models in that directory)
Kong supports a subset of the routers and tests his builds a bit more, otherwise they are mostly the same (http://www.desipro.de/ddwrt/Readme.txt)
I have (among others) a Netgear R6400 which is a slightly slower and cheaper R7000, I am also using Kong's build and it runs stable and fast.

_________________
Routers:Netgear R7800, Netgear R6400v1, Netgear R6400v2, Linksys EA6900 (XvortexCFE), Linksys E2000 (converted WRT320N), WRT54GS v1.
Install guide Linksys EA6900: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=291230
Simple PBR (Policy Based Routing) script: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318662
Install guide R6400v2:http://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
OpenVPN server setup guide:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318795
Install guide R7800: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
phatbob
DD-WRT User


Joined: 03 Jan 2017
Posts: 205

Posted: Mon Mar 27, 2017 15:45
I agree with egc in that you should certainly try a newer build for your router. On the off chance that you don't have ftp setup, you can access them @ http://www.dd-wrt.com/site/support/other-downloads then click on Betas, then pick a year, then a date and finally scroll down to your router model and click on it.

As far as the setup, PureVPN uses TCP port 53 and make sure you are using the ovpn version of the server address. Attached is a pic of what the client setup page should look like. As you can see, most of the newer builds have User Pass Authentication, so you can enable that and enter your username and password there rather than using a script. Of course you also need to enter the TLS Auth Key and CA Cert.