Joined: 16 Apr 2016 Posts: 307 Location: California
Posted: Fri Feb 10, 2017 1:08 Post subject: Configuring dd-wrt OpenVPN client w/ PureVPN: Some Advice
EDIT: April 30th - 2019
Apparently PureVPN changed stuff AGAIN without notification why.
They updated all their server certs to be universal and added some certs.
The Files with the Server Names and Certs used were taken from here, and you MUST use the server names from these files for the server you want to connect to. These servers are different from their old ones.
Also, there was a small issue on my .com that was fixed if anyone had any problems connecting.
##############################################################################
Ok everyone, here is a freebie from my business https://sploitworks.com
PureVPN is such a rotten company I feel sorry for everyone.
This is an automated script to install PureVPN on your DDWRT Routers.
Make sure OpenVPN Client is Disabled and Your Router has a WAN connection so it can get out to my .com name and grab the file.
##############################################################################
Before you begin: If you have been trying any other method on the internet, please factory reset your router. Most of those methods are outdated and install BS data on the router.
DDWRT Tested as of 04-25-2019 (Brainslayer and Kongs)
And for you newbies out there, IF you are using this router as a secondary router, make sure the IP of the router IS not on the same IP range as your primary if you are using the WAN port (Router Mode).
How to Install (This will install UDP)
1) Login to your DDWRT router and go to ADMINISTRATION... COMMANDS
3) When the router comes back up go to the SERVICES... VPN tab and enter your PureVPN username and password and also whatever server you want. Do not change anything else. AT ALL
Also *** It is better to use the server IP than the server name. Ping the server name to get the server IP. Sometimes the DNS will not resolve it upon a disconnect.
4) Press Apply at the bottom of the page.
5) Reboot the Router
6) Now go to STATUS... OPENVPN
You should see "Connected Success"
How this script may fail.
1) If you don't have an internet connection (WAN) ... check the top right corner of the ddwrt screen. If you have all 0's (0.0.0.0) that means you don't have an internet connection.
2) If it installed the script / settings, and after you entered your username and password you still can't connect (like a TLS Error), check your username and password again. Also make sure to reboot the router after you enter your username and pass.
3) Possibly using an outdated version of ddwrt with broken ssl.
DDWRT as of 04-25-2019 Works fine.
Let users in here know it worked for you and share your results.
I have automated scripts for all other Major VPN's (Top 25 like IPVanish, PrivateInternetAccess, StrongVPN, ExpressVPN, NordVPN, etc...) also, but I hustle them and they are also guaranteed to work.
You're Welcome
(Some Background on this)
I install these VPN's to compete with flashrouters.
I have built super powerful install scripts that don't do any of that crap. PureVPN was one of the harder ones to figure out. My scripts simply modify NVRAM variables for the openvpn client and commit the nvram.
I guarantee the installs of all the top 25 VPN providers and have a 1 liner eval code that installs them anywhere.
All of those scripts on all the websites should never be used on modern ddwrt. EVER.
And PureVPN needs to get their $h1t together for real. That's one of the worst of all the VPN companies.
Last edited by sploit on Tue Apr 30, 2019 23:29; edited 8 times in total
This is great advice. I had to find out the hard way and figure it out for myself. I can't understand why they continue to have bogus information on their site. It would be better if they just had no info.
PureVPN is such a rotten company I feel sorry for everyone.
This is an automated script to install PureVPN on your DDWRT Routers.
Make sure OpenVPN Client is Disabled and Your Router has a WAN connection so it can get out to my .com name and grab the file.
Pre-requisites:
1) It is highly recommended to make sure your router is running the newest stable builds of ddwrt. If you are using OLD ddwrt builds this script probably won't work. Please upgrade your routers to at least June of 2016 builds of DDWRT. Highly recommend current if stable.
*** UPDATE *** Brainslayer builds 08-22-2017 through 08-29-2017 (and maybe newer) broke the TLS cipher. Use Builds 08-03-2017 or earlier. You will get a TLS error with PureVPN and go crazy.
2) If you have installed any other crap scripts from other places, please factory reset your router. They can cause all kinds of conflicts. It is best to start with a cleaned factory reset router.
3) My script will attempt to restart the router when it is done running. On some routers it may not work correctly because the reboot commands don't work right. You may need to restart manually.
3) When the router comes back up go to the Services... VPN tab and enter your PureVPN username and password and also whatever server you want. Do not change anything else. AT ALL
4) Press Apply at the bottom of the page.
5) Now go to Status... OpenVPN
You should see "Connected Success"
*** Notes ***
This script was setup to install UDP.
For TCP change the proto to TCP and use port 80 (do this under... SERVICES...VPN)
Let users in here know it worked for you and share your results.
I have automated scripts for all other Major VPN's (Top 25 like IPVanish, PrivateInternetAccess, StrongVPN, ExpressVPN, NordVPN, etc...) also, but I hustle them and they are also guaranteed to work.
You're Welcome
Also @ eibgrad...
Please edit your top post to remove all that crap. It isn't needed and will only confuse people.
_________________
My Karma ran over your Dogma
SploitWorks Custom Flashed Routers
Last edited by sploit on Sat Sep 09, 2017 21:55; edited 4 times in total
Joined: 16 Apr 2016 Posts: 307 Location: California
Posted: Tue Feb 14, 2017 20:29 Post subject: Thanks
eibgrad wrote:
I looked at it. Nothing nefarious about it. It's just configuring the OpenVPN client GUI indirectly via nvram variables. At the end of the day, that's all the GUI really does anyway.
That said, such scripts are only as reliable as one's assumptions about these nvram variables remaining constant/fixed, and without contextual changes (e.g., some developer decides to add a new option in a given nvram variable, or even deletes it (not very likely though)). That's why I'm sure it can be a bit of maintenance headache for the developer. Something suddenly changes and the script breaks. So they can be brittle at times.
It would actually be better to just take over the whole darn configuration, from top to bottom, and bypass the GUI entirely. Now you don't have to worry about such things. And you don't have to deal w/ all the bugs in the OpenVPN client GUI implementation (there are several that immediately come to mind).
But I understand that's not the developer's intentions. He just wants to work w/ what's there, ease the burden, and perhaps make a few bucks (nothing wrong w/ that).
The good thing about the NVRAM manipulation is that I will always be able to update variables that do change with update scripts. Hence the recent IPVanish changing to 256bit and also ExpressVPN changing their certificates without warning.
It would be ideal just to load and parse an openvpn config file (.ovpn) from an upload button. But that would assume a mandatory static format to parse such data. It would be really easy to use SED to do this but a lot of stuff can cause problems.
I would really think that there should be some sort of standard set throughout the VPN services BUT that is a dream world. And then I'd be out a hustle LOL.
It's easy enough to find the NVRAM variables with the way ddwrt has been strategically structured although some of them could have been named better... like the openvpncl_sec would have been better named openvpncl_firewall ... drove me crazy trying to figure it out for about half an hour one day but then I got "security" lol.
But I got so frustrated with this particular vpn company I just wanted to help out others who don't have that much skill to not want to put a gun to their heads.
_________________
My Karma ran over your Dogma
SploitWorks Custom Flashed Routers
Posted: Mon Mar 27, 2017 10:57 Post subject: Re: Configuring dd-wrt OpenVPN client w/ PureVPN: Some Advic
Hi
First of all I’d like to say a big thank you to eibgrad.
Then let me ask some questions. I’m a newbie so please forgive any silly questions I may ask.
This is my story: I have a tplink 4300 with ddwrt (V24 presp2 beta – build 21061).
I bought a purevpn lifetime plan for 69$.
I thought I made a good deal but it’s a nightmare: after 20 days (and tons of mails sent to their helpdesk) I still cannot connect to their vpn properly via openvpn protocol.
Question one: is my router able to connect to their VPN? Or do I have to buy a new one? In this case which one do you suggest? My budget is about 100 euro.
Question two: Could you please tell me if I correctly understood what I have to do to connect to purevpn (referring to the official purevpn guide you posted)?
Step 1 -> ok
Step 2 -> ok (I’d like to connect via TCP -> port 80 is good?)
Step 3.1 -> DO NOT disable nat (firewall?)
Step 3.2 -> Could you please confirm that “auth-user-pass /tmp/user.txt” text is correct?
Step 4 -> JUMP STEP 4
Step 5 -> insert your code
Step 6 -> ok
Step 7 -> Do I need something else???
Question three: does anybody know a very good and easy to set up / manage vpn (lifetime subscription)?
Tx Raffaele
eibgrad wrote:
The reason for this post is that PureVPN refuses to post it on their own forums (managed by DISQUS). And so I'm posting here both for posterity's sake, and as a reference for users of PureVPN and dd-wrt.
Of course, this is the situation as of today (2/6/2017), and things might change/improve in the future. But as of now, there are so many errors in their instructions, I feel compelled to correct them. And if not at PureVPN (preferred), then at least here.
For the record, here's their current instructions for OpenVPN w/ dd-wrt.
Before getting into the details, please be extremely careful in copying anything over from their webpages and directly into the dd-wrt router's config. Apparently the author used a word processing editor, and in many places that editor has turned double quotes (") into enhanced quotes (which are more curly), and double dashes (--) into enhanced double dashes (which look more like a longer single dash). The problem is pervasive. This will drive you batty because it will appear to be correct, but Linux will not be able to read it.
Some good examples of this problem are w/ the username/password script, and the alternate script, specifically the openvpn command line.
With that issue aside ...
1. Do NOT change anything on the Security->Firewall page.
2. You *must* enable NAT and Firewall Protection on the OpenVPN client GUI or else LAN clients behind the router will not be able to use the tunnel. The router itself will be fine and appear, for all other purposes, to be functioning normally.
3. The following startup script and the corresponding auth-user-pass directive in the Additional Config field are only necessary if the OpenVPN client GUI doesn't have the User Pass Authentication option (an enhancement made a couple years ago w/ some dd-wrt builds). Just enable it and specify the username and password there.
Even if you find it necessary to use auth-user-pass and the above startup script, the first two lines are unnecessary. The last one will suffice (no point in consuming precious internal router storage (aka nvram) if you don't need to).
Personally, I find that last line confusing. It almost appears as if the word "purevpn" must precede the username and password. I'm sure that's happened to at least a few people. A better script would be the following, where you instruct the user to replace the words username and password w/ their actual PureVPN username and password.
Simple and to the point. This is also more consistent w/ their instructions for the alternate script.
4. I advise never to use any scripting provided by the VPN provider (this one probably got me banned/censored). There's absolutely no reason the OpenVPN GUI shouldn't work. With scripting, you may lose access to other features in the GUI, like Policy Based Routing or updates to the OpenVPN status page.
If you decide to use their alternate script anyway, beware there are other errors beyond just the enhanced double dashes (which itself is enough to prevent execution). For example, there is no OpenVPN directive called --down-pre that takes a script/command as an option. Rather, --down-pre takes no argument, and its sole purpose is to tell the OpenVPN client to call the script associated w/ the --down directive *before* the tunnel is closed rather than after (the default).
The following is a corrected version of the alternate script (w/ some minor additional changes as well).
5. Although optional, it's not a bad idea to enable nsCertType. This checks to make sure the certificate from the OpenVPN provider is of type "server" (as opposed to "client"). This is an additional layer of security to protect against man-in-the-middle attacks where an authorized client attempts to connect to another client by impersonating the server. Now don't panic if this causes the connection to fail. It's most likely the VPN provider didn't specify the certificate type when the certificate was generated. And in that case, just don't check the nsCertType option.
In general w/ OpenVPN, less is more. Avoid the temptation to start messing w/ this or that option, esp. if you don't know what they do. Most of the time the defaults will work. Ppl tend to *over* config the router, and that just creates opportunities to make more errors.
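The curly-quote and long-dash problem described in the quoted post can be checked before anything is pasted into the router; this is an added example, not part of the original thread or of PureVPN's guide. The sample lines are constructed, and mapping each long dash back to `--` is an assumption that fits the OpenVPN command-line case the post describes.

```shell
#!/bin/sh
# Added example: find and repair word-processor punctuation in text copied
# from a web guide before it goes into a dd-wrt startup script.

# UTF-8 byte sequences, built with printf so this file itself stays ASCII.
LDQ=$(printf '\342\200\234')    # left curly double quote
RDQ=$(printf '\342\200\235')    # right curly double quote
LSQ=$(printf '\342\200\230')    # left curly single quote
RSQ=$(printf '\342\200\231')    # right curly single quote
NDASH=$(printf '\342\200\223')  # en dash
MDASH=$(printf '\342\200\224')  # em dash

# Reads stdin, prints "line-number:line" for each line containing one of the
# characters above. Exit status 0 if any were found, 1 if the input is clean.
find_typographic() {
    LC_ALL=C grep -n -e "$LDQ" -e "$RDQ" -e "$LSQ" -e "$RSQ" \
                     -e "$NDASH" -e "$MDASH"
}

# Reads stdin, writes the same text with plain ASCII quotes and dashes.
# Assumption: every long dash stood for "--" (an OpenVPN option prefix).
fix_typographic() {
    LC_ALL=C sed -e "s/$LDQ/\"/g" -e "s/$RDQ/\"/g" \
                 -e "s/$LSQ/'/g" -e "s/$RSQ/'/g" \
                 -e "s/$NDASH/--/g" -e "s/$MDASH/--/g"
}

# Constructed sample of a damaged paste (not the provider's actual script).
sample() {
    printf '%s\n' "echo ${LDQ}username${RDQ} > /tmp/user.txt"
    printf '%s\n' "openvpn ${MDASH}config /tmp/openvpn.conf ${NDASH}auth-user-pass /tmp/user.txt"
    printf '%s\n' "# this line is already plain ASCII"
}

# Report the damaged lines, then show the repaired text.
sample | find_typographic && echo "typographic characters found on the lines above"
sample | fix_typographic
```

Run it on a workstation against the text you copied, and paste only the repaired output into the router.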
Joined: 18 Mar 2014 Posts: 12917 Location: Netherlands
Posted: Mon Mar 27, 2017 12:34 Post subject:
I am sure that @Eibgrad will get back to you in detail, your router has an Atheros AR9344 processor @ 560 MHz (this is a MIPS RISC processor), 8MB flash nvram and 128 MB Ram. Not the fastest by modern standards but you should be able to do VPN. If speed is not sufficient then you should invest in a better router (Netgear R7000?)
Main problem I see is that your build is really old with safety issues in openSSL, before proceeding I would advise you to get a more recent build.
Thank u ecg
The routers I’m watching are netgear r7000 and asus rt-ac87u.
I’m oriented to asus because I do not need ddwrt for vpn. In fact for r7000 I cannot find any firmware on the ddwrt site http://www.dd-wrt.com/site/support/router-database (correct?) and purevpn does not work with Genie (Netgear factory firmware). Is that right?
What do you think about? what do you suggest? remember i'm newbie
Tx
Raffaele
I agree with egc in that you should certainly try a newer build for your router. On the off chance that you don't have ftp setup, you can access them @ http://www.dd-wrt.com/site/support/other-downloads then click on Betas, then pick a year, then a date and finally scroll down to your router model and click on it.
As far as the setup, Purevpn uses tcp port 53 and make sure you are using the ovpn version of the server address. Attached is a pic of what the client setup page should look like. As you can see, most of the newer builds have user pass authentication, so you can enable that and enter your username and password there rather than using a script. Of course you also need to enter the scripts for TLS Auth Key and CA Cert.
so
1. if I already have ddwrt, I just need to update the firmware, right? No particular issue, is there?
2. what I have to put in the additional config? I assume nothing
3. what I have to set in the security -> firewall?
4. Administration -> command: I assume nothing
hi
thank a lot to all.
finally i connect to purevpn.
anyway there are two issues:
1. speed halved (udp). how can I improve it?
2. if I connect with the tcp protocol, it seems to connect to the vpn but I cannot surf the web. any ideas? moreover, has anybody used port 443 to connect via tcp?