I was recently asked how hard it would be to create a home network that is completely secure (or as close as it gets) from snooping ISPs or third parties, so that the user can browse any site they want without risking anyone finding out about it. This means both tunneling all traffic through a VPN connection and blocking any and all traffic that tries to get around the VPN. That is, no traffic should go directly to the ISP, even if the VPN connection goes down.
There are several use cases for this, the most common probably being:
- Circumvent school or office firewalls.
- Get around ISP blocks.
- Peace of mind that no one can see what you are downloading.
The only downside to using a VPN is that your internet will be slightly slower. If you use a good VPN provider you will only ever notice this if you are playing online action FPS games such as Counterstrike or Battlefield; for regular surfing or watching movies you will not notice any difference.
What we are really doing is creating a secure tunnel through your ISP to the VPN provider and redirecting all traffic through it, so that it appears to come from the VPN provider. Your ISP is left clueless about what you are doing, and anyone on the internet only ever sees your VPN provider's IP address, never your real one.
Part 0: The requirements
To get this to work you need:
- A DD-WRT Mega compatible router (I am using an Asus RT-N16 that I had lying around).
- An account with a VPN provider that supports OpenVPN (don't use PPTP, as it is not secure).
I'm using Anonine, my favorite Swedish VPN provider. Here's a referral link if you want to use them and support me: Anonine referral link.
- About 1 hour of your time.
Part 1: Configuring the VPN connection
I will assume that you have installed DD-WRT and are connected to the router at this point.
- Start by getting the OpenVPN configuration files from your VPN provider. If you are using Anonine like me they are available here: https://anonine.com/en/account/server-info. Open the file you downloaded in WordPad or Notepad (or whatever text editor you have handy).
The file should look similar to this:
- Log into your router, navigate to Services > VPN and enable the OpenVPN Client.
- Using the configuration file from above, configure the following OpenVPN settings:
- Copy IP/Name and Port (it is the part I have highlighted in my file above).
- Check that your VPN provider is using UDP as the Tunnel Protocol (it should say "proto UDP" near the beginning of the file you downloaded; if it says TCP instead, set the Tunnel Protocol to TCP).
- Enable NAT if it is not already enabled.
- Set Hash Algorithm to SHA1
This is what my OpenVPN client settings looked like after doing the above.
- Then, turn on Advanced options and enter the following in the Additional Config field.
- The next thing to do is to copy over the CA Certificate. In the configuration file you will have an area that looks similar to this, although the text between the BEGIN and END lines will be a lot longer.
Copy everything between the <ca></ca> tags, including the BEGIN and END text with their ----- lines, and paste it into the CA Cert field.
- Click Save and then Apply Settings at the bottom of the page.
- Once this is done we need to create a file containing your username and password for the VPN service. Navigate to Administration > Commands and enter the following text, replacing username and password with your VPN provider's username and password. Note that the newline between username and password is intentional (OpenVPN reads the username from the first line of the file and the password from the second).
echo "username
password" > /tmp/auth.conf
chmod 600 /tmp/auth.conf
- Click Save Startup
- Next, navigate to Setup > Basic Setup and enter the DNS server 126.96.36.199 or 188.8.131.52 (Google DNS servers, or any other DNS you want) in the Local DNS and Static DNS 1 fields. You need to do this because once the VPN tunnel is up your ISP's local DNS will be blocked.
- Reboot your router using Administration > Management > Reboot Router button at the bottom of the page.
- Once the router has rebooted you can verify that the VPN connection is working by navigating to Status > OpenVPN. You should see something similar to this:
- You can also verify that you are no longer disclosing your real ISP-assigned IP address by browsing to http://whatismyipaddress.com/.
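Most of Part 1 is reading values out of the provider's .ovpn file by hand and typing them into DD-WRT fields. The following is an added example (not code from the original post, Anonine or DD-WRT) that does that reading programmatically: it parses a client config, including the inline <ca> block, and maps the directives onto the DD-WRT OpenVPN Client fields named above. The sample config embedded in it is constructed; the host name vpn.example.net, the port and the certificate body are placeholders, not any real provider's values.

```python
import re

# Constructed sample in the shape of a provider-supplied client config. The host name,
# port and certificate body are placeholders, not any real provider's values.
SAMPLE_OVPN = """\
client
dev tun
proto udp
remote vpn.example.net 1194   # placeholder server, not a real endpoint
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
auth SHA1
; comp-lzo
verb 3
<ca>
-----BEGIN CERTIFICATE-----
MIIBplaceholderCertificateBodyNotARealCertificate0123456789
-----END CERTIFICATE-----
</ca>
"""


def parse_ovpn(text):
    """Parse an OpenVPN config into (directives, inline).

    directives maps a keyword to a list of argument lists, so repeated keywords such as
    several 'remote' lines are all kept. inline maps a block tag ('ca', 'cert', ...)
    to the verbatim text between <tag> and </tag>. Lines starting with '#' or ';'
    and trailing comments are ignored, as OpenVPN does.
    """
    directives, inline = {}, {}
    block, block_lines = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if block is not None:
            if line == "</%s>" % block:
                inline[block] = "\n".join(block_lines) + "\n"
                block, block_lines = None, []
            else:
                block_lines.append(line)
            continue
        m = re.fullmatch(r"<([\w-]+)>", line)
        if m:
            block = m.group(1)
            continue
        line = re.split(r"(?:^|\s)[#;]", line, maxsplit=1)[0].strip()
        if not line:
            continue
        parts = line.split()
        directives.setdefault(parts[0], []).append(parts[1:])
    if block is not None:
        raise ValueError("unterminated <%s> block" % block)
    return directives, inline


def ddwrt_client_fields(directives, inline):
    """Map the parsed config onto the DD-WRT OpenVPN Client fields the tutorial fills in."""
    remotes = directives.get("remote")
    if not remotes:
        raise ValueError("config has no 'remote' line")
    host = remotes[0][0]
    port = int(remotes[0][1]) if len(remotes[0]) > 1 else 1194   # OpenVPN's default port
    proto = directives.get("proto", [["udp"]])[0][0].lower()      # OpenVPN defaults to udp
    hash_alg = directives.get("auth", [["SHA1"]])[0][0].upper()   # OpenVPN defaults to SHA1
    cipher = directives["cipher"][0][0] if "cipher" in directives else None
    ca = inline.get("ca")
    if not ca or "BEGIN CERTIFICATE" not in ca:
        raise ValueError("no inline <ca> block; DD-WRT needs that PEM text in the CA Cert field")
    return {
        "Server IP/Name": host,
        "Port": port,
        "Tunnel Protocol": "UDP" if proto.startswith("udp") else "TCP",
        "Encryption Cipher": cipher,
        "Hash Algorithm": hash_alg,
        "CA Cert": ca,
    }


if __name__ == "__main__":
    fields = ddwrt_client_fields(*parse_ovpn(SAMPLE_OVPN))
    for name, value in fields.items():
        print("%s: %s" % (name, value if name != "CA Cert" else "\n" + value))
```

Running it prints the values to type into each field; the parser keeps every "remote" line, so if the provider lists several servers you can pick one deliberately instead of taking whichever the editor showed first.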
Part 2: Blocking all non VPN traffic
Once you have done all of the above steps you should be hidden behind a VPN. The VPN might however go down, and in such cases I wanted to make sure I am not leaking any information by accident. The solution is simple: the router's firewall, iptables.
- Navigate to Administration > Commands on your router and paste the following code into the commands box.
# LAN (br0) to VPN tunnel (tun0) and back: allow
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
# LAN straight out of the WAN port (vlan2), bypassing the tunnel: drop
iptables -I FORWARD -i br0 -o vlan2 -j DROP
# anything arriving from the tunnel that is addressed to the router itself: reject
iptables -I INPUT -i tun0 -j REJECT
# NAT the LAN's traffic so it leaves through the tunnel with the tunnel's address
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
This will allow all connections between tun0 (the VPN) and br0 (your LAN), block all traffic between br0 and vlan2 (the WAN port), and NAT your LAN's traffic out through the tunnel.
- Press Save Firewall. The commands tab should look similar to the below picture.
- Reboot the router using Administration > Management > Reboot Router button at the bottom of the page.
- You can verify that this works by going to Services > VPN and disabling OpenVPN (your settings will not be lost). If everything worked out correctly you should no longer be able to browse to any websites. Re-enabling OpenVPN (and possibly rebooting the router) should allow you to browse websites again.
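The rules above rely on two iptables behaviours that are easy to get wrong later: the first matching rule in a chain decides, and -I prepends, so whatever is inserted last is checked first. The following added example (not code from the original post or DD-WRT) models just those two behaviours for the FORWARD chain, so the kill-switch test from the last step can be reasoned about without a router. It assumes DD-WRT's FORWARD policy is ACCEPT, which is why the explicit DROP for br0 to vlan2 is needed; interface names are the ones used in the tutorial.

```python
from collections import namedtuple

LAN_IF, WAN_IF, TUN_IF = "br0", "vlan2", "tun0"   # interface names from the tutorial

# in_if / out_if of None means "any interface", like omitting -i / -o on the command line
Rule = namedtuple("Rule", "in_if out_if target")


class Chain:
    """A netfilter chain: rules are tried top to bottom, the first match decides,
    and the chain policy applies when nothing matches."""

    def __init__(self, name, policy):
        self.name, self.policy, self.rules = name, policy, []

    def insert(self, rule):
        """iptables -I <chain> ...: prepend, so the rule added last is checked first."""
        self.rules.insert(0, rule)

    def append(self, rule):
        """iptables -A <chain> ...: add at the end of the chain."""
        self.rules.append(rule)

    def verdict(self, in_if, out_if):
        for r in self.rules:
            if r.in_if in (None, in_if) and r.out_if in (None, out_if):
                return r.target
        return self.policy

    def listing(self):
        """Rule order as 'iptables -L <chain>' would print it."""
        return ["%s %s -> %s" % (r.target, r.in_if or "any", r.out_if or "any")
                for r in self.rules]


def tutorial_forward_chain():
    """The three FORWARD rules in the order the tutorial's script runs them.
    Assumption: DD-WRT's FORWARD chain policy is ACCEPT, which is what makes the
    explicit DROP for br0 -> vlan2 necessary."""
    fwd = Chain("FORWARD", policy="ACCEPT")
    fwd.insert(Rule(LAN_IF, TUN_IF, "ACCEPT"))   # iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
    fwd.insert(Rule(TUN_IF, LAN_IF, "ACCEPT"))   # iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
    fwd.insert(Rule(LAN_IF, WAN_IF, "DROP"))     # iptables -I FORWARD -i br0 -o vlan2 -j DROP
    return fwd


def kill_switch_holds(fwd):
    """The tutorial's test expressed as a check on the chain: with the tunnel gone, the
    only path left for LAN traffic is br0 -> vlan2 and it must be DROPped, while both
    directions through the tunnel stay open."""
    return (fwd.verdict(LAN_IF, WAN_IF) == "DROP"
            and fwd.verdict(LAN_IF, TUN_IF) == "ACCEPT"
            and fwd.verdict(TUN_IF, LAN_IF) == "ACCEPT")


def add_blanket_lan_accept(fwd):
    """Caveat: a rule added later with -I, such as a blanket
    'iptables -I FORWARD -i br0 -j ACCEPT', lands above the DROP and reopens br0 -> vlan2."""
    fwd.insert(Rule(LAN_IF, None, "ACCEPT"))
    return fwd


if __name__ == "__main__":
    chain = tutorial_forward_chain()
    print("\n".join(chain.listing()))
    print("kill switch holds:", kill_switch_holds(chain))
    print("after a blanket LAN accept:", kill_switch_holds(add_blanket_lan_accept(chain)))
```

The listing shows the DROP on top even though it was the last line in the script, which is exactly what the kill switch needs; the caveat function shows why any rule added to the Commands box afterwards should be placed with -A, or re-checked with the disable-OpenVPN test above.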