A Recipe for Routing Wireless Network Traffic via a Personal VPN

November 5th, 2017

This short post is a high level overview that covers the setup of a personal VPN server in the cloud with Streisand, followed by the use of a suitably configured wireless router to send network traffic via that VPN. The instructions here assume the use of Digital Ocean and an ASUS RT-AC68U router, but Streisand works with a number of different cloud providers, and a fair number of ASUS routers support configuration as a VPN client. Note that other than the ASUS selection of models, routers that can be set up as VPN clients are unfortunately fairly thin on the ground.

Why Use a VPN?

In more civilized countries, one primary reason to send all traffic through a VPN is because ISPs, especially mobile carriers, are starting to sell real time associations between customer data and IP addresses. It seems like a bad idea for every website owner and all of their third party advertisers and data warehouses to be able to easily obtain that information. In less civilized countries, it should hopefully be fairly obvious as to why using a VPN is a good plan, ranging from bypassing restrictions on access to the more serious business of ensuring personal safety.

Open a Digital Ocean Account

Set up an account with Digital Ocean, and add a payment method. The VPN server will be the smallest model and cost $5/month. This is fine for a personal VPN server carrying the usual level of home network traffic.

Next create a key pair:

ssh-keygen -t rsa -b 4096 -C 'streisand' -f ~/.ssh/streisand_id_rsa

Upload the public key to the Digital Ocean control panel to apply to the VPN server that will be created. Give it the name streisand.

Create a Streisand Server

Streisand is a useful all-in-one VPN and proxy server, loaded with a variety of tools. Clone the Streisand repository, and edit global_vars/noninteractive/digitalocean-site.yml to set at least the following values:

# The SSH private key that Ansible will use to connect to the Streisand node.
streisand_ssh_private_key: "~/.ssh/streisand_id_rsa"

# The name given to the key in the DigitalOcean control panel.
do_ssh_name: streisand

# Add the Digital Ocean access token here.
do_access_token_entry: "insert your access token here"

Now run the deployment, which should run through and complete without any need for intervention:

deploy/streisand-new-cloud-server.sh \
  --provider digitalocean \
  --site-config global_vars/noninteractive/digitalocean-site.yml

This will generate instructions on how to connect to the Streisand webserver and place them in the generated-docs directory.

Log in to the Streisand Server to Obtain OpenVPN Instructions and Credentials

Using the instructions, username, and password from generated-docs/streisand.html, log in to view the website hosted on the Streisand server. Once there, navigate to the OpenVPN documentation and download all of the various .ovpn and certificate files.

Set up the ASUS RT-AC68U Router

Follow the router instruction manual to set up the router in the usual fashion. A typical setup for a home network is for the router to connect to a modem (cable, DSL, etc.) via ethernet cable, with the modem WAN gateway at 192.168.0.1 and the router LAN gateway at 192.168.1.1. Don't go too far beyond simply establishing a working connection, securing and hiding the wireless network, and securing the router with administrator credentials, as the next step is to update the router firmware.

The ASUSWRT firmware used in ASUS routers derives from Tomato, but in turn has been extended and improved into the open third party Asuswrt-Merlin firmware. This updates dependent software versions, fixes bugs, and in particular is necessary to connect as a client to a Streisand server via OpenVPN.

To update the firmware, download the latest stable Asuswrt-Merlin version for the ASUS RT-AC68U, unzip it, and then follow the instructions in the router administration interface to upload the .trx file. The router will then update. The existing settings should be retained. Now all of the personal touches can be applied; the user interface and feature set is quite rich in comparison to most home routers. If questions arise, answers can usually be found online. The Asuswrt-Merlin site has a good set of documentation and a friendly user community.

Configure and Enable the OpenVPN Client

The easiest way to configure the OpenVPN client on the router is to start by uploading one of the .ovpn files to fill in most of the details. Unless facing an overly restrictive ISP or other interference with VPN connections, the standard *-direct.ovpn is fine. The Streisand documentation and server materials provide other options as well, tailored to more restricted or dangerous environments.

Once that is done, adjust the following settings in the router's OpenVPN client configuration:

  • Set Start with WAN to Yes.
  • Set Accept DNS Configuration to Exclusive. This ensures that the Streisand server's DNS servers are used.
  • Set Block routed clients if tunnel goes down to Yes, as otherwise there will be no notice that traffic is falling back to non-VPN routing.
  • Set Redirect Internet traffic to Policy rules (not Policy rules (strict), as that will not allow the WAN rules below to work), and add the following rules:
Description  Source IP       Destination IP  Iface
LAN          192.168.1.0/24  0.0.0.0         VPN
Router       192.168.1.1     0.0.0.0         WAN
Local        192.168.1.0/24  192.168.1.0/24  WAN

These rules prevent traffic within the local network from being sent out to the VPN and back again, which would otherwise slow things down noticeably. It is a good idea to read the documentation on policy-based routing before attempting any other needed changes.

Test the Connection

At this point everything should be set up and functional. Run a test of the connection, and the VPN server IP address should appear:

curl https://ipinfo.io
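A slightly more thorough version of that test, added here as an example and not part of the original post: it runs the same curl from a LAN client, compares the reported address with the VPN server's public IP (which is an assumed input, taken from the generated-docs), and distinguishes the three states that matter once Block routed clients if tunnel goes down is set: egress via the VPN, a blocked client while the tunnel is down, and a leak to the WAN.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the Streisand server's
# public IP is known and that https://ipinfo.io answers with JSON containing
# an "ip" field, as the post's curl test does.
set -u

# Pull the "ip" field out of ipinfo.io's JSON reply without needing jq.
parse_ipinfo_ip() {
  sed -n 's/.*"ip"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# Classify what a LAN client sees, given the expected VPN server address:
#   vpn     reply came from the Streisand server (the intended state)
#   blocked no reply at all: the tunnel is down and the router is blocking
#           routed clients as configured (or there is no connectivity at all)
#   leak    reply came from some other address: traffic is bypassing the VPN
classify_egress() {
  expected="$1"
  observed="$2"
  if [ -z "$observed" ]; then
    echo blocked
  elif [ "$observed" = "$expected" ]; then
    echo vpn
  else
    echo leak
  fi
}

# Live check from a LAN client. Exits 0 only when egress is via the VPN.
# The short timeout is what turns a blocked client into "blocked" rather
# than a hang; "leak" is the state worth investigating.
run_check() {
  expected="$1"
  observed="$(curl -s --max-time 10 https://ipinfo.io 2>/dev/null | parse_ipinfo_ip)"
  state="$(classify_egress "$expected" "$observed")"
  echo "egress=${observed:-none} state=$state"
  [ "$state" = "vpn" ]
}

# Usage: ./vpn-check.sh <vpn-server-public-ip>
if [ "$#" -eq 1 ]; then
  run_check "$1"
fi
```

Running the check with the VPN client disabled on the router should report blocked, not leak; if it reports leak, the policy rules or the block-on-tunnel-down setting are not doing what the section above intends.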