A Recipe for Routing Wireless Network Traffic via a Personal VPN
This short post is a high-level overview that covers the setup of a personal VPN server in the cloud with Streisand, followed by the use of a suitably configured wireless router to send network traffic via that VPN. The instructions here assume the use of Digital Ocean and an ASUS RT-AC68U router, but Streisand works with a number of different cloud providers, and a fair number of ASUS routers support configuration as a VPN client. Note that other than the ASUS selection of models, routers that can be set up as VPN clients are unfortunately fairly thin on the ground.
Why Use a VPN?
In more civilized countries, one primary reason to send all traffic through a VPN is that ISPs, especially mobile carriers, are starting to sell real-time associations between customer data and IP addresses. It seems like a bad idea for every website owner and all of their third-party advertisers and data warehouses to be able to easily obtain that information. In less civilized countries, it should hopefully be fairly obvious why using a VPN is a good plan, ranging from bypassing restrictions on access to the more serious business of ensuring personal safety.
Open a Digital Ocean Account
Set up an account with Digital Ocean, and add a payment method. The VPN server will be the smallest model and cost $5/month. This is fine for a personal VPN server carrying the usual level of home network traffic.
Next create a key pair:
ssh-keygen -t rsa -b 4096 -C 'streisand' -f ~/.ssh/streisand_id_rsa
Upload the public key to the Digital Ocean control panel to apply to the VPN server that will be created. Give it the name streisand.
Create a Streisand Server
Streisand is a useful all-in-one VPN and proxy server, loaded with a variety of tools. Clone the Streisand repository, and edit global_vars/noninteractive/digitalocean-site.yml to set at least the following values:
# The SSH private key that Ansible will use to connect to the Streisand node.
streisand_ssh_private_key: "~/.ssh/streisand_id_rsa"
# The name given to the key in the DigitalOcean control panel.
do_ssh_name: streisand
# Add the Digital Ocean access token here.
do_access_token_entry: "insert your access token here"
Now run the deployment, which should run through and complete without any need for intervention:
deploy/streisand-new-cloud-server.sh \
    --provider digitalocean \
    --site-config global_vars/noninteractive/digitalocean-site.yml
This will generate instructions on how to connect to the Streisand webserver and place them in the generated-docs directory.
Log in to the Streisand Server to Obtain OpenVPN Instructions and Credentials
Using the instructions, username, and password from generated-docs/streisand.html, log in to view the website hosted on the Streisand server. Once there, navigate to the OpenVPN documentation and download all of the various .ovpn and certificate files.
Set up the ASUS RT-AC68U Router
Follow the router instruction manual to set up the router in the usual fashion. A typical setup for a home network is for the router to connect to a modem (cable, DSL, etc.) via ethernet cable, with the modem WAN gateway at 192.168.0.1 and the router LAN gateway at 192.168.1.1. Don't go too far beyond simply establishing a working connection, securing and hiding the wireless network, and securing the router with administrator credentials, as the next step is to update the router firmware.
The ASUSWRT firmware used in ASUS routers derives from Tomato, and has in turn been extended and improved into the open-source third-party Asuswrt-Merlin firmware. This updates dependent software versions, fixes bugs, and in particular is necessary to connect as a client to a Streisand server via OpenVPN.
To update the firmware, download the latest stable Asuswrt-Merlin version for the ASUS RT-AC68U, unzip it, and then follow the instructions in the router administration interface to upload the .trx file. The router will then update. The existing settings should be retained. Now all of the personal touches can be applied; the user interface and feature set are quite rich in comparison to most home routers. If questions arise, answers can usually be found online. The Asuswrt-Merlin site has a good set of documentation and a friendly user community.
Configure and Enable the OpenVPN Client
The easiest way to configure the OpenVPN client on the router is to start by uploading one of the .ovpn files to fill in most of the details. Unless facing an overly restrictive ISP or other interference with VPN connections, the standard *-direct.ovpn file is fine. The Streisand documentation and server materials provide other options as well, tailored to more restricted or dangerous environments.
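Before uploading a profile to the router, it is worth confirming what it actually contains: which server it points at, which protocol it uses, and whether the CA and TLS-auth material are embedded (the router cannot fill those in by itself). The inspector below is an added example and not part of Streisand or Asuswrt-Merlin; the profile text is a constructed sample with a documentation-range placeholder address, not a real Streisand export.

```shell
#!/bin/sh
# Inspect an OpenVPN client profile before uploading it to the router.
# Constructed sample profile: 203.0.113.10 is a placeholder for the droplet.
SAMPLE_OVPN='client
dev tun
proto udp
remote 203.0.113.10 1194
resolv-retry infinite
nobind
remote-cert-tls server
cipher AES-256-CBC
auth SHA256
<ca>
-----BEGIN CERTIFICATE-----
placeholder
-----END CERTIFICATE-----
</ca>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
placeholder
-----END OpenVPN Static key V1-----
</tls-auth>
key-direction 1
'

# ovpn_field PROFILE DIRECTIVE -> value of the first top-level directive,
# ignoring anything inside inline <ca>, <cert>, <key>, <tls-auth> blocks.
ovpn_field() {
    printf '%s\n' "$1" | awk -v d="$2" '
        /^<[a-z-]+>$/   { inblock = 1 }
        /^<\/[a-z-]+>$/ { inblock = 0; next }
        !inblock && $1 == d { sub(/^[^ ]+ */, ""); print; exit }'
}

# ovpn_has_block PROFILE NAME -> 0 if <NAME> ... </NAME> is embedded.
ovpn_has_block() {
    printf '%s\n' "$1" | grep -q "^<$2>$" && printf '%s\n' "$1" | grep -q "^</$2>$"
}

# ovpn_check PROFILE EXPECTED_HOST -> 0 when the profile points at the expected
# server, verifies the server certificate, and embeds CA and TLS-auth material.
ovpn_check() {
    profile=$1; expected=$2; rc=0
    remote=$(ovpn_field "$profile" remote); host=${remote%% *}
    [ "$host" = "$expected" ] || { echo "remote host is '$host', expected $expected"; rc=1; }
    [ "$(ovpn_field "$profile" remote-cert-tls)" = server ] || { echo "missing 'remote-cert-tls server'"; rc=1; }
    ovpn_has_block "$profile" ca || { echo "no embedded <ca> block"; rc=1; }
    ovpn_has_block "$profile" tls-auth || ovpn_has_block "$profile" tls-crypt || { echo "no <tls-auth>/<tls-crypt> block"; rc=1; }
    echo "proto=$(ovpn_field "$profile" proto) remote=$remote cipher=$(ovpn_field "$profile" cipher)"
    return $rc
}
```

To inspect a downloaded file, replace the sample with the file's contents (for example `ovpn_check "$(cat streisand-direct.ovpn)" <droplet IP>`) and compare the printed remote, protocol and cipher against what the router shows after the upload.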
Once that is done, adjust the following settings in the router's OpenVPN client configuration:
- Set Start with WAN to Yes.
- Set Accept DNS Configuration to Exclusive. This ensures that the Streisand server's DNS servers are used.
- Set Block routed clients if tunnel goes down to Yes, as otherwise there will be no notice that traffic is falling back to non-VPN routing.
- Set Redirect Internet traffic to Policy rules (not Policy rules (strict), as that will not allow the WAN rules below to work), and add the following rules:

    Description   Source IP        Destination IP   Iface
    LAN           192.168.1.0/24   0.0.0.0          VPN
    Router        192.168.1.1      0.0.0.0          WAN
    Local         192.168.1.0/24   192.168.1.0/24   WAN
These rules prevent traffic within the local network from being sent out through the VPN and back again, which would otherwise slow things down noticeably. It is a good idea to read the documentation on policy-based routing before attempting any other changes.
Test the Connection
At this point everything should be set up and functional. Run a test of the connection; the VPN server's IP address should appear in the response:
curl https://ipinfo.io
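A one-off curl shows the current egress address, but it is easy to misread, and the "Block routed clients if tunnel goes down" setting is only useful if someone notices the outage. The script below, an added example and not part of the original post, turns the check into a pass/fail test: it pulls the ip and org fields out of the ipinfo.io response and compares the address against the droplet's. EXPECTED_VPN_IP and the two JSON responses are constructed placeholders, not real addresses.

```shell
#!/bin/sh
# Verify that traffic leaves via the Streisand server rather than the ISP.
# EXPECTED_VPN_IP is a placeholder; substitute the droplet's real address.
EXPECTED_VPN_IP=203.0.113.10

# Constructed samples of ipinfo.io responses, used for offline testing:
# one as seen through the VPN, one as seen when the tunnel has dropped.
SAMPLE_VPN_JSON='{
  "ip": "203.0.113.10",
  "city": "Amsterdam",
  "org": "AS14061 DigitalOcean, LLC"
}'
SAMPLE_ISP_JSON='{ "ip": "198.51.100.7", "org": "AS64496 Example Cable ISP" }'

# json_str JSON KEY -> string value of KEY (flat JSON only, as ipinfo.io returns).
json_str() {
    printf '%s\n' "$1" |
        sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# egress_status JSON EXPECTED -> 0 if the observed public IP is the VPN server;
# prints what the outside world sees so a fallback to the ISP is obvious.
egress_status() {
    ip=$(json_str "$1" ip); org=$(json_str "$1" org)
    echo "public ip: ${ip:-unknown} (${org:-unknown org})"
    [ -n "$ip" ] && [ "$ip" = "$2" ]
}

# check_vpn_egress -> live check; needs the router's VPN client to be up.
# Exit 0 = traffic leaves via the VPN, 1 = leaving via another path, 2 = lookup failed.
check_vpn_egress() {
    resp=$(curl -fsS --max-time 10 https://ipinfo.io) || { echo "lookup failed"; return 2; }
    egress_status "$resp" "$EXPECTED_VPN_IP"
}
```

Run check_vpn_egress from a device on the LAN (or from cron on the router, where Asuswrt-Merlin ships curl) so that a silent fallback to the WAN path gets noticed.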