How I made my travel router/VPN in less than $100
Public internet and wifi are such a blessing for people who do not have the means to have an internet connection installed at home. You go to a coffee shop, a shopping mall, or even a park (yes, some parks in Japan have free wifi), and you can easily get a free wifi connection. But you may have seen on the internet how madly unsafe it is to connect to a public wifi. Someone can easily host a rogue AP (wifi) with a legit-sounding ‘public wifi’ name and have you connect to it. You connect to that public wifi, you type in a password, username, or even an email address, and voila! Your personal information has already been breached.
This is the main reason why I started this mini project of mine. I researched how I could stay safe on the internet without breaking the bank. Then I realized I have a Raspberry Pi 4 at home, and so the tinkering begins.
I will be showing you how I was able to set up my own travel router, with a VPN client that connects to my NordVPN subscription so I can use it anywhere I go without worrying about my credentials getting stolen. This may or may not work for you, so please do your own research as well. This only serves as a guide to setting up your own router and VPN, and trust me, it is worth it! This is one of the best things I’ve ever created.
Things you need:
1. Raspberry Pi — You will need a Raspberry Pi board that has a built-in wifi chipset. I recommend the Raspberry Pi 4B since it has a better CPU and more RAM, but you can start on a Pi 3. I got mine at auction for $40.
Raspberry Pi 4, available from https://www.raspberrypi.com/products/
2. OpenWRT for Raspberry Pi — This is the operating system on which you will build your router and VPN. Note that this is a Linux-based system. You will need to find the correct image for your model. It is open source, so it is free. $0.
https://openwrt.org/toh/raspberry_pi_foundation/raspberry_pi
3. WiFi 6 USB adapter — You can use whichever WiFi USB adapter you like as long as it is compatible with OpenWRT. You can buy any brand or model you like, but this is the chipset I preferred: it is the fastest I could get in Japan, and it has proven to hold up under the load I needed. I got mine for $13. To learn more about WiFi adapter chipsets compatible with OpenWRT, look further here.
4. MicroSD card — Pretty basic stuff, but get at least a 32GB card so you have everything running without worrying. Here is a link where you can get it. You can get it for under $10 from here.
5. Raspberry Pi 4 cooling fan HAT with GPIO extension (optional) — You don’t have to buy this, but it lets you stop worrying about the Pi board overheating. Plus it looks cooler, as you’ll see later. I have it too! You can get it from here for $1.
Install OpenWRT on your Raspberry Pi
1. Assuming you already have the Raspberry Pi Imager installed on your computer and the OpenWRT image downloaded, start up Raspberry Pi Imager. From the bottom option, click on Custom OS and choose the newly downloaded image.
NOTE: See my previous post on how to install Raspberry Pi Imager if you have not downloaded it yet.
2. Make sure you choose the correct SD card! Don’t make the same mistake I did. :D
3. It should take about 3–5 minutes to finish writing the image. After it is done, insert the card into your Raspberry Pi, connect an external monitor and power it up. BTW, I used a MicroSD card reader to write this image, so you might need one of these card readers.
Configuration begins (THE AWESOME PART!)
1. Once you are inside OpenWRT, log in as root. There is no password, so make sure to at least create one using the ‘passwd’ command. You are now greeted by the OpenWRT initialization screen. Go to the /etc/config directory and create a backup of every file you will be changing.
cd /etc/config
cp network network.bk
cp wireless wireless.bk
cp firewall firewall.bk
2. Now we’re going to make some configuration changes to the files we just backed up. OpenWRT ships with ‘vi’ as its default text editor, so we will use that initially. While you are in /etc/config, type:
vi network
If you want to know more about VIM and how to use it, check my other post.
Now you will need to add new interfaces and change existing ones here. For the ‘lan’ interface, change the IP address to one from your own network’s range. For ‘wwan’, I used the Cloudflare and Google DNS servers, because how could it go wrong, right? Let’s hope not. The ‘vpnclient’ interface will be used later for our VPN configuration.
config interface 'lan'
option ipaddr '192.168.0.200'
option force_link '1'

config interface 'wwan'
option proto 'dhcp'
option peerdns '0'
option dns '1.1.1.1 8.8.8.8'

config interface 'vpnclient'
option ifname 'tun0'
option proto 'none'
Now it is time to save and exit the file. I know you are scared since it is vim. I was, too. For now, just press the Esc key, and when the cursor appears at the lower left of the screen, type :wq and press Enter. This saves your configuration changes and exits the text editor.
3. Next we will edit the firewall file. Again type this to open the file. We will only change one thing here, for now.
vi firewall
Once inside, find the ‘config zone’ whose input is ‘REJECT’ (the wan zone in the default file) and change it to ‘ACCEPT’. This allows traffic from the outside network to reach the router itself, which also means SSH and the LuCI web interface become reachable from whatever public network you join, so make sure root has a strong password before doing this. When done, save the file and exit.
config zone
option input ACCEPT
4. Lastly, we will be editing the wireless file. Open the file by typing this:
vi wireless
From here, you will add these options under the ‘radio0’. This is the one that will be connected to the ‘wwan’ or the outside internet.
config wifi-device 'radio0'
option disabled '0'
option channel '7'
option hwmode '11g'
option htmode 'HT20'
option short_gi_40 '0'
When done, save the file and exit.
5. For these changes to take effect, enter the following commands. They produce no output. Then reboot the machine.
uci commit wireless
wifi
6. After your Pi has booted up, you should now be able to access the OpenWRT web GUI. Open up a browser and enter the IP address that you set on the ‘network’ file.
7. From the top bar, navigate to Network -> Wireless.
Here you will see the radio interfaces already active and the networks your Pi can see. For now, click on the radio you want to use for the upstream wifi.
You should be able to see your WiFi SSID here. If so, click the blue ‘Scan’ button, and click ‘Join Network’.
Enter your WiFi password, and from the bottom drop-down menu select ‘wwan’. That is all you need to do here. Remember the interface you created in the network file? Here it is. Now click Submit and Save.
We’re not done here yet. When you come back to the Wireless Overview screen, make sure you click the ‘Save & Apply’ button shown in the screenshot.
8. We now have internet, so we can install via opkg the kernel modules, OpenVPN packages and tools needed to get the wireless adapter running.
opkg update
reboot
opkg update
opkg install kmod-rt2800-lib kmod-rt2800-usb kmod-rt2x00-lib kmod-rt2x00-usb kmod-usb-core kmod-usb-uhci kmod-usb-ohci kmod-usb2 kmod-mt7921u usbutils openvpn-openssl luci-app-openvpn nano ip-full
Now plug in the wifi adapter. You should be able to see the USB Wifi adapter here.
lsusb
Enable the wireless adapter using this command below. Now, in theory, if your wireless adapter was accepted and compatible, this should work. I’ve had my own mistakes from here so I had to wait a month for my new USB wifi adapter to arrive.
ifconfig wlan1 up
ifconfig
9. Now edit the wifi adapter configuration. You need to do this to manually set the SSID, password and encryption method for your second wireless interface. You can choose your own new WiFi SSID and password.
nano /etc/config/wireless
Under config wifi-device 'radio1', change this:
option disabled '0'
Under config wifi-iface 'default_radio0', set:
option ssid 'WIFI_NAME'
option encryption 'psk2'
option key 'password'
We used the nano text editor this time, which is much easier to save and exit: press Ctrl+X, then Y, then Enter. After you have saved the configuration and exited, you have to apply the changes again. Enter the commands below.
uci commit wireless
wifi
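As an added example (not from the post), here is the same access-point change from step 9 expressed as a `uci batch` script instead of hand-editing /etc/config/wireless, with a check that the WPA2 pre-shared key meets the 8-to-63-character rule before anything is written. The section name default_radio0 and the radio name radio1 follow the post; the function names are mine, and the script assumes OpenWRT's BusyBox sh and uci.

```shell
#!/bin/sh
# Added example, not from the post: generate a `uci batch` script for the
# access-point settings from step 9 instead of editing the file by hand.
# Assumes OpenWRT's BusyBox sh and uci; the function names are invented here.

# WPA2-PSK passphrases must be 8..63 characters. Also reject a single quote,
# which would break the quoting in the generated uci lines.
valid_psk() {
    key=$1
    [ ${#key} -ge 8 ] && [ ${#key} -le 63 ] || return 1
    case "$key" in
        *\'*) return 1 ;;
    esac
    return 0
}

# An SSID is 1..32 bytes; the same quote restriction applies.
valid_ssid() {
    ssid=$1
    [ ${#ssid} -ge 1 ] && [ ${#ssid} -le 32 ] || return 1
    case "$ssid" in
        *\'*) return 1 ;;
    esac
    return 0
}

# Print the uci batch that enables the USB radio and configures the AP.
# $1: wifi-iface section (the post edits default_radio0), $2: SSID, $3: key.
# Nothing is applied here; pipe the output into `uci batch` on the router.
wifi_ap_batch() {
    section=$1; ssid=$2; key=$3
    valid_ssid "$ssid" || { echo "refusing: SSID must be 1-32 chars, no quotes" >&2; return 1; }
    valid_psk "$key" || { echo "refusing: key must be 8-63 chars, no quotes" >&2; return 1; }
    printf "set wireless.radio1.disabled='0'\n"
    printf "set wireless.%s.ssid='%s'\n" "$section" "$ssid"
    printf "set wireless.%s.encryption='psk2'\n" "$section"
    printf "set wireless.%s.key='%s'\n" "$section" "$key"
    printf "commit wireless\n"
}

# Usage on the router (uncomment on OpenWRT; applies the batch, then reloads wifi):
# wifi_ap_batch default_radio0 'TravelRouter' 'correct horse battery staple' | uci batch && wifi
```

Generating the batch and applying it in one step avoids the half-edited file you get if nano is interrupted, and the validation catches the classic mistake of a 7-character key, which hostapd rejects so the AP silently never comes up.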
10. By this part, you should now be able to use your travel router anywhere you go. But what good will it be if it was not safe, right? This is the part where we do some VPN configuration. I used NordVPN since they have the Linux config file which is perfect for this scenario.
VPN Configuration
Note that this step is optional. You can do it or not, but I like to make things complicated sometimes. You can try PiVPN or WireGuard instead, but I cannot vouch for whether they work.
1. First I got the OVPN UDP config from the NordVPN website. I picked one of the Japan VPN configuration files since that is where I reside. I got it from here.
Now go back to the OpenWRT CLI and enter the command below. It downloads the OVPN config file from the NordVPN server and saves it locally.
wget -P /etc/openvpn https://downloads.nordcdn.com/configs/files/ovpn_udp/servers/jp674.nordvpn.com.udp.ovpn
2. The OpenVPN configuration for NordVPN requires you to enter your NordVPN service credentials (username and password) every time OpenVPN starts. However, I made some adjustments so the credentials are provided automatically. Open the downloaded server configuration file with the nano text editor.
nano /etc/openvpn/jp674.nordvpn.com.udp.ovpn
3. After that, append the word ‘secret’ (without quotation marks) to the line ‘auth-user-pass’. The result should look like this:
auth-user-pass secret
4. Now, we need to create a new file named secret, where the NordVPN service credentials will be stored. To do so, run the following command:
nano /etc/openvpn/secret
On the first line of the file enter your NordVPN service username, and on the second line your NordVPN service password. Since this file holds the credentials in plain text, restrict its permissions so only root can read it.
5. Configure OpenVPN using the downloaded configuration file.
Change the file’s extension from .ovpn to .conf, which will allow OpenVPN to find it automatically by its extension.
To do so, you can use the mv command:
mv /etc/openvpn/jp674.nordvpn.com.udp.ovpn /etc/openvpn/jp674.nordvpn.com.udp.conf
Alternatively, specify the file name in “/etc/config/openvpn” using the following “uci” commands (the config path must match the file you downloaded in step 1):
uci set openvpn.nordvpn=openvpn
uci set openvpn.nordvpn.enabled='1'
uci set openvpn.nordvpn.config='/etc/openvpn/jp674.nordvpn.com.udp.ovpn'
uci commit openvpn
6. Create a new network interface for the tunnel by running the following commands. Note that it is bound to tun0 just like the ‘vpnclient’ interface added to the network file earlier; the firewall zone in the next step references this one, nordvpntun.
uci set network.nordvpntun=interface
uci set network.nordvpntun.proto='none'
uci set network.nordvpntun.ifname='tun0'
uci commit network
7. Create a new firewall zone and add a forwarding rule from LAN to VPN by running the following commands:
uci add firewall zone
uci set firewall.@zone[-1].name='vpnfirewall'
uci set firewall.@zone[-1].input='REJECT'
uci set firewall.@zone[-1].output='ACCEPT'
uci set firewall.@zone[-1].forward='REJECT'
uci set firewall.@zone[-1].masq='1'
uci set firewall.@zone[-1].mtu_fix='1'
uci add_list firewall.@zone[-1].network='nordvpntun'
uci add firewall forwarding
uci set firewall.@forwarding[-1].src='lan'
uci set firewall.@forwarding[-1].dest='vpnfirewall'
uci commit firewall
8. Now configure the DNS servers. The simplest approach is to use NordVPN’s DNS servers on the router’s upstream interface. The commands below address it as ‘wan’; on this build the upstream is the ‘wwan’ interface created earlier, so use that name if ‘wan’ does not exist on your system. To add NordVPN DNS, run the following commands:
uci set network.wan.peerdns='0'
uci del network.wan.dns
uci add_list network.wan.dns='103.86.96.100'
uci add_list network.wan.dns='103.86.99.100'
uci commit
You can also use the Google DNS servers, 8.8.8.8 and 8.8.4.4, or Cloudflare’s 1.1.1.1.
(Optional) To prevent traffic leaking in case the VPN tunnel disconnects, open the “/etc/firewall.user” file in a text editor and add the following content to it:
# This file is interpreted as a shell script.
# Put your custom iptables rules here, and they will be executed with each firewall (re-)start
# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains, e.g. INPUT or FORWARD, or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
if (! ip a s tun0 up) && (! iptables -C forwarding_rule -j REJECT); then
iptables -I forwarding_rule -j REJECT
fi
Additionally, you should create a file called “99-prevent-leak” in the folder “/etc/hotplug.d/iface” by running nano /etc/hotplug.d/iface/99-prevent-leak and adding the following content to the file:
#!/bin/sh
if [ "$ACTION" = ifup ] && (ip a s tun0 up) && (iptables -C forwarding_rule -j REJECT); then
iptables -D forwarding_rule -j REJECT
fi
if [ "$ACTION" = ifdown ] && (! ip a s tun0 up) && (! iptables -C forwarding_rule -j REJECT); then
iptables -I forwarding_rule -j REJECT
fi
In some cases, the OpenVPN connection can crash with a log output similar to “couldn’t resolve host…”. In this case, the VPN tunnel itself remains, however, the connection is lost. To reconnect to it automatically, first open the “/etc/rc.local” file using a text editor and add the following line:
/etc/openvpn/reconnect.sh &
In addition, you need to create the “reconnect.sh” file in the “/etc/openvpn” directory (and make it executable so rc.local can start it). It can be done by running the nano /etc/openvpn/reconnect.sh command.
In the file, enter the following script contents:
#!/bin/sh
n=10
while sleep 50; do
t=$(ping -c $n 8.8.8.8 | grep -o -E '[0-9]+ packets r' | grep -o -E '[0-9]+')
# if ping printed no summary line at all, t is empty; treat that as 0 received
if [ "${t:-0}" -eq 0 ]; then
/etc/init.d/openvpn restart
fi
done
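As an added example (not from the post or from NordVPN’s guide), here are the decisions made by the firewall.user, 99-prevent-leak and reconnect.sh snippets above, factored into shell functions that take their inputs as arguments, so the logic can be checked without a live tun0, iptables or network. The function names and the sample ping output are mine. It goes slightly beyond the page in that the ping parser also accepts GNU ping’s summary line and treats a missing summary as zero packets received, which is where the original test would have tripped over an empty $t.

```shell
#!/bin/sh
# Added example, not from the post: the kill-switch and reconnect decisions
# above, as functions whose inputs are arguments rather than live commands.
# Assumes a POSIX sh (BusyBox ash on OpenWRT); names are invented here.

# Extract the received-packet count from `ping -c N` output. Accepts the
# BusyBox form ("10 packets received") and the GNU form ("10 received"),
# and yields 0 when there is no summary line at all (no route, no resolver).
received_count() {
    n=$(printf '%s\n' "$1" | sed -n 's/.*, \([0-9][0-9]*\) \(packets \)\{0,1\}received.*/\1/p' | head -n 1)
    printf '%s\n' "${n:-0}"
}

# Restart OpenVPN only when every probe packet was lost.
should_restart_openvpn() {
    [ "$(received_count "$1")" -eq 0 ]
}

# Kill-switch decision from firewall.user: the REJECT rule in forwarding_rule
# must exist exactly when tun0 is down. $1 is "up"/"down", $2 is "yes"/"no"
# (whether `iptables -C forwarding_rule -j REJECT` found the rule).
# Prints the iptables action to take instead of running it.
leak_guard_action() {
    tun_state=$1; rule_present=$2
    if [ "$tun_state" = down ] && [ "$rule_present" = no ]; then
        echo insert      # iptables -I forwarding_rule -j REJECT
    elif [ "$tun_state" = up ] && [ "$rule_present" = yes ]; then
        echo delete      # iptables -D forwarding_rule -j REJECT
    else
        echo noop
    fi
}

# Hotplug decision from 99-prevent-leak: same rule, but gated on the event
# ($1 is hotplug's $ACTION) so an ifup event only ever removes the block and
# an ifdown event only ever adds it.
hotplug_action() {
    action=$1; tun_state=$2; rule_present=$3
    if [ "$action" = ifup ] && [ "$tun_state" = up ] && [ "$rule_present" = yes ]; then
        echo delete
    elif [ "$action" = ifdown ] && [ "$tun_state" = down ] && [ "$rule_present" = no ]; then
        echo insert
    else
        echo noop
    fi
}

# Live helpers for use on the router; the offline checks below never call them.
tun0_state() { ip address show tun0 up 2>/dev/null | grep -q 'tun0' && echo up || echo down; }
reject_rule_present() { iptables -C forwarding_rule -j REJECT 2>/dev/null && echo yes || echo no; }

# Constructed sample ping output, in the format BusyBox ping prints.
PING_ALIVE='PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: seq=0 ttl=117 time=12.3 ms

--- 8.8.8.8 ping statistics ---
10 packets transmitted, 10 packets received, 0% packet loss
round-trip min/avg/max = 12.3/12.9/13.4 ms'

PING_LOST='PING 8.8.8.8 (8.8.8.8): 56 data bytes

--- 8.8.8.8 ping statistics ---
10 packets transmitted, 0 packets received, 100% packet loss'

# What ping prints when there is no route at all: no summary line.
PING_NOROUTE='ping: sendto: Network is unreachable'
```

On the router, `leak_guard_action "$(tun0_state)" "$(reject_rule_present)"` yields the word to map onto `iptables -I` or `-D`; keeping the decision separate from the command is what makes it possible to exercise every branch (tunnel up, tunnel down, rule already present) before trusting the kill switch on a public network.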
When you have followed these instructions, you should be connected using the configured connection.
PHEW! That was a lot! I hope you enjoyed this ‘little’ project of mine. If you want more content like this, please don’t hesitate to follow for more.