Thursday, May 3, 2018

How To: Free Private VPN On Home Router

Appearing online as if you are in a different country is a common need for expats. Several services, such as Netflix, Amazon, and Hulu, have region-locked content, while some websites completely block access from some foreign countries. Most people pay a VPN provider to solve this, but that is not always ideal. This guide walks you through setting up a free private VPN on a common consumer router that will be placed in the other country.

Pros
  • Free
  • No usage caps
  • Extremely customizable setup
  • Nearly impossible to be blocked by a content provider

Cons
  • Only one location
  • No technical support
  • Internet traffic is not anonymous
  • Speed is limited by the upload bandwidth of the host



The following steps set up SoftEther VPN running on a Linksys EA6700 with the AdvancedTomato GUI.

Router Details

Linksys EA6700 - Amazon
  • Wireless AC
  • CPU: 2x 800MHz
  • RAM: 256MB
  • Flash: 128MB

Configuration

Flash AdvancedTomato

  1. Download the necessary files - https://drive.google.com/drive/folders/15Rf7KnH-kBqjTqcJ4eX0DXuKj7EYjRYS
  2. Disconnect or disable internet connection(s) on computer
  3. Set a static IP for the Ethernet connection on the computer
    • IP address = 192.168.1.100
    • Subnet mask = 255.255.255.0
    • Default gateway = 192.168.1.1
  4. Run tftp.exe and fill in fields:
    • Server = 192.168.1.1
    • Password = admin
    • File = FW_EA6700_1.1.40.166281_prod.img
  5. Connect computer to router’s Ethernet 1 port
  6. Open a PowerShell/Terminal window
    • ping -t 192.168.1.1
  7. Plug in router power
  8. Wait until the TTL from the ping command is 100
  9. Click Upgrade (if there is an error, try again)
  10. Click OK
  11. Click Close
  12. Wait until the TTL from the ping command is 64
  13. Navigate browser to 192.168.1.1
  14. Select both checkboxes and click Next
  15. Click Login
  16. Default password = admin
  17. Click Sign In
  18. Click Troubleshooting
  19. Click Diagnostics
  20. Click Restore previous firmware
  21. Click Yes
  22. After the router restarts, sign in again
  23. Click Connectivity
  24. Click Choose File and select linksys-ea6700-webflash.bin
  25. Click Start
  26. Click Yes
  27. Click Ok
  28. Wait until the TTL from the ping command is 64
  29. Navigate browser to 192.168.1.1
  30. All three fields = admin
  31. Click Change Password
  32. Services > Secure Shell > Enable
  33. Click Apply Settings
  34. Navigate browser to http://192.168.1.1/backup/cfe.bin and save the file in case recovery is needed
  35. Run cfe_edit.exe and open cfe.bin
  36. Click on Advanced Mode and edit the values for the specific router
    • et0macaddr = MAC address from the bottom of the router
    • 0:macaddr = MAC address + 2
    • 1:macaddr = MAC address + 4
    • secret_code = WPS code on the bottom of the router below the MAC address (no hyphen)
  37. Save the file
  38. Open a PowerShell/Terminal window on computer
    • cd <the downloaded directory>
      scp .\cfe.bin root@192.168.1.1:~
      ssh root@192.168.1.1 "mtd -f write cfe.bin /dev/mtd0"
      
  39. Unplug the router, hold the reset button, plug in the router, and release the button when the TTL from the ping command is 100
  40. Navigate browser to 192.168.1.1
  41. Click Restore default NVRAM values.
  42. Click Continue
  43. Click Choose File and select tomato-EA6700-AT-ARM-3.5-140-AIO-64K.trx
  44. Click Upload
  45. Wait until the TTL from the ping command is 64
  46. Click Continue
  47. Administration > Configuration > Restore Default Configuration > Erase all data in NVRAM memory (thorough) > OK > OK
  48. Wait until the TTL from the ping command is 64
  49. Navigate browser to 192.168.1.1
  50. Administration > Admin Access > Authorization Settings
    1. Enter a unique password
    2. Click Save
  51. Connect ISP connection to Internet port
  52. Set the Ethernet connection on the computer to obtain an IP address automatically
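
The "MAC address + 2" and "+ 4" values in step 36 are hexadecimal additions, and a label MAC ending in FE or FF carries into the next octet. The script below is an added example, not part of the original guide or its downloads: `mac_add` and `cfe_values` are hypothetical helper names, the sample MAC is constructed, and it assumes the MAC is treated as a single 48-bit integer.

```sh
#!/bin/sh
# Added example: derive the three CFE MAC values from the label MAC.

# mac_add MAC OFFSET: print MAC + OFFSET as upper-case, colon-separated hex.
# Accepts ':' or '-' separators; returns 1 if MAC is not 12 hex digits.
mac_add() {
    hex=$(printf '%s' "$1" | tr -d ':-' | tr 'a-f' 'A-F')
    case "$hex" in
        ''|*[!0-9A-F]*) return 1 ;;
    esac
    [ "${#hex}" -eq 12 ] || return 1
    # Assumption: the MAC is one 48-bit integer, so a carry propagates
    # across octets (44:FE + 2 -> 45:00); the result wraps at 48 bits.
    sum=$(( (0x$hex + $2) & 0xFFFFFFFFFFFF ))
    printf '%012X\n' "$sum" | sed 's/../&:/g; s/:$//'
}

# cfe_values MAC: print the three fields edited in cfe_edit.exe, one per line.
# The key=value layout is only for display; type the values into the editor.
cfe_values() {
    et0=$(mac_add "$1" 0) || return 1
    printf 'et0macaddr=%s\n' "$et0"
    printf '0:macaddr=%s\n' "$(mac_add "$1" 2)"
    printf '1:macaddr=%s\n' "$(mac_add "$1" 4)"
}

# Constructed sample MAC (not a real device); note the carry into the 5th octet.
cfe_values '02:11:22:33:44:FE'
```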

Install SoftEther

  1. Log in to router
  2. Administration > JFFS
    1. JFFS Partition > Enable > Enable
    2. JFFS Partition > Format / Erase…
    3. Click Ok
    4. Click Save
  3. Open a PowerShell/Terminal window on computer
    • cd <the downloaded directory>
      ssh root@192.168.1.1 "mkdir -p /jffs/etc/softether"
      scp .\<vpnserver or vpnbridge> .\hamcore.se2 root@192.168.1.1:/jffs/etc/softether
      ssh root@192.168.1.1 "chmod 700 /jffs/etc/softether/*"
      

Setup VPN Server

  1. Administration > Scripts
    1. Init =
      • modprobe tun
        openvpn --mktun --dev tap_soft
        
    2. Firewall =
      • iptables -A INPUT -p tcp --dport 443 -j ACCEPT
        iptables -A INPUT -p tcp --dport 992 -j ACCEPT
        iptables -A INPUT -p tcp --dport 1194 -j ACCEPT
        iptables -A INPUT -p tcp --dport 5555 -j ACCEPT
        iptables -A INPUT -p udp --dport 500 -j ACCEPT
        iptables -A INPUT -p udp --dport 1194 -j ACCEPT
        iptables -A INPUT -p udp --dport 1701 -j ACCEPT
        iptables -A INPUT -p udp --dport 4500 -j ACCEPT
        
    3. WAN Up =
      • brctl addif br0 tap_soft
        /jffs/etc/softether/vpnserver start
        
    4. Click Save
  2. Basic Settings > Network
    1. WAN Settings > DNS Server = Manual
    2. WAN Settings > DNS 1 = 8.8.8.8
    3. WAN Settings > DNS 2 = 1.1.1.1
    4. LAN > br0 > IP Address = 192.168.###.1 (### is a random number 2-255)
    5. LAN > br0 > IP Range = 192.168.###.101-199 (### to match the IP Address)
    6. Click OK
    7. Wireless (2.4 GHz / eth1) > Enable Wireless > Disable
    8. Wireless (5 GHz / eth2) > Enable Wireless > Disable
    9. Click Save
  3. Reboot router
  4. Download SoftEther VPN Server Manager - http://www.softether-download.com
  5. Run SoftEther VPN Server Manager
  6. Click New Setting
    1. Host Name = Router IP
    2. Click OK
  7. Click Connect
  8. Enter a new password
  9. Click Remote Access VPN Server
  10. Click Next
  11. Click Yes
  12. Click OK
  13. Enter a unique Dynamic DNS Hostname
  14. Click Exit
  15. Click Enable L2TP Server Function (L2TP over IPSec)
  16. Click OK
  17. Click Disable VPN Azure
  18. Click OK
  19. Click Create Users
  20. Create a user for the client router
    1. User Name = EA6700
    2. Auth Type = Individual Certificate Authentication
    3. Click Create Certificate
    4. Click OK
    5. Click OK
    6. Save the file
    7. Click OK
  21. Click OK
  22. Create as many users as wanted with User Name, Full Name, and Password
  23. Click Exit
  24. Click Close
  25. Click Local Bridge Setting
  26. Click the Virtual Hub from the dropdown
  27. Click Bridge with New Tap Device
  28. New Tap Device Name = soft
  29. Click Create Local Bridge
  30. Click OK
  31. Click Exit
  32. Click Exit
  33. Click Exit SoftEther VPN Server Manager
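
After the reboot in step 3 it is worth confirming that the router's INPUT chain accepts exactly the ports listed in the Firewall script and nothing else. The script below is an added example, not part of the original guide: `audit_input` is a hypothetical helper, the sample rules are constructed, and it assumes rule lines in the `-A INPUT ...` form printed by `iptables -S INPUT` or `iptables-save`.

```sh
#!/bin/sh
# Added example: compare the router's INPUT rules with the guide's port list.

# Ports opened by the guide's Firewall script, as proto/port.
EXPECTED="tcp/443 tcp/992 tcp/1194 tcp/5555 udp/500 udp/1194 udp/1701 udp/4500"

# audit_input: read rule lines (iptables -S / iptables-save form) on stdin.
# Prints "MISSING proto/port" for expected ports with no ACCEPT rule and
# "EXTRA proto/port" for any other port accepted on INPUT. No output = match.
audit_input() {
    awk -v expected="$EXPECTED" '
        BEGIN { n = split(expected, e, " "); for (i = 1; i <= n; i++) want[e[i]] = 1 }
        $1 == "-A" && $2 == "INPUT" {
            proto = ""; port = ""; target = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-p")      proto  = $(i + 1)
                if ($i == "--dport") port   = $(i + 1)
                if ($i == "-j")      target = $(i + 1)
            }
            if (target == "ACCEPT" && proto != "" && port != "")
                seen[proto "/" port] = 1
        }
        END {
            for (i = 1; i <= n; i++) if (!(e[i] in seen)) print "MISSING " e[i]
            for (k in seen) if (!(k in want)) print "EXTRA " k
        }' | sort
}

# Constructed sample: udp/4500 was left out and tcp/23 was opened by mistake.
SAMPLE='-P INPUT DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i br0 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 992 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1194 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5555 -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -p udp -m udp --dport 1701 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 23 -j ACCEPT'

printf '%s\n' "$SAMPLE" | audit_input
```

To check a live router, save the output of `iptables -S INPUT` over SSH and pipe that text into `audit_input` in place of the sample.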

Connect VPN Router to Host Router

  1. Connect Internet port on VPN router to Ethernet port on host router
  2. Connect computer to host router
  3. Log in to host router
  4. Set reserved IP for VPN router in DHCP settings
  5. Forward the following ports to VPN router
    • TCP: 443, 992, 1194, 5555
    • UDP: 500, 1194, 1701, 4500

Setup VPN Client

  1. Administration > Scripts
    1. WAN Up =
      • /jffs/etc/softether/vpnbridge start
    2. Click Save
  2. Basic Settings > Network
    1. WAN Settings > DNS Server = Manual
    2. WAN Settings > DNS 1 = 8.8.8.8
    3. WAN Settings > DNS 2 = 1.1.1.1
    4. LAN > br0 > IP Address = 192.168.###.1 (### is a random number 2-255)
    5. LAN > br0 > DHCP = Disabled
    6. OK
    7. Wireless (2.4 GHz / eth1) & Wireless (5 GHz / eth2)
      • SSID = Any name
      • Channel = Auto
      • Security = WPA2 Personal
      • Shared Key = Choose a password
    8. Click Save
  3. Reboot router
  4. Download SoftEther VPN Server Manager - http://www.softether-download.com
  5. Run SoftEther VPN Server Manager
  6. Click New Setting
    1. Host Name = Router IP
    2. OK
  7. Click Connect
  8. Enter a new password
  9. Click Next
  10. Click Yes
  11. Click Configure Connection Setting
    1. Setting Name = VPN
    2. Host Name = Dynamic DNS Hostname
    3. Virtual Hub Name = VPN
    4. Auth Type = Client Certificate Authentication
    5. User Name = EA6700
    6. Click Specify Client Certificate
    7. Select the file saved when creating the user
    8. Click OK
  12. Click Exit
  13. Click br0 under Set Local Bridge
  14. Click Close
  15. Click Exit
  16. Click Exit SoftEther VPN Server Manager

Optional Client Settings

Separate Local Network

  1. Basic Settings > Network > LAN
    1. Bridge = 1 (or any other unused available bridge)
    2. IP Address = 192.168.###.1 (### is a random number 2-255, different than existing bridges)
    3. Netmask = 255.255.255.0
    4. DHCP = Enabled
    5. IP Range = 192.168.###.101-199 (### to match the IP Address)
    6. Click Add
    7. Click Save
  2. Advanced Settings > Virtual Wireless > Virtual Wireless Interfaces
    1. Interface = wl0.1 (or any other unused available interface)
    2. Enabled = yes
    3. SSID = Name that will show up on devices
    4. Bridge = LAN1 (br1) (to match bridge that was just created)
    5. Click Add
    6. Security = WPA2 Personal
    7. Shared Key = new wireless password
    8. Click Save
    9. Repeat the above steps for wl1.1 interface with the exact same SSID and Shared Key
    10. Click Save
  3. Advanced Settings > VLAN > VLAN Setting
    1. VLAN = 11 (or any other unused available VLAN)
    2. VID = 11 (match VLAN)
    3. Port 1-4 = Yes (for the ports that should not use the VPN; must be unselected for other VLAN)
    4. Bridge = LAN1 (br1) (to match bridge that was just created)
    5. Click Add
    6. Click Save

Separate Guest Network

  1. Basic Settings > Network > LAN
    1. Bridge = 2 (or any other unused available bridge)
    2. IP Address = 192.168.###.1 (### is a random number 2-255, different than existing bridges)
    3. Netmask = 255.255.255.0
    4. DHCP = Enabled
    5. IP Range = 192.168.###.101-199 (### to match the IP Address)
    6. Click Add
    7. Click Save
  2. Advanced Settings > Virtual Wireless > Virtual Wireless Interfaces
    1. Interface = wl0.2 (or any other unused available interface)
    2. Enabled = yes
    3. SSID = Name that will show up on devices
    4. Bridge = LAN2 (br2) (to match bridge that was just created)
    5. Click Add
    6. Security = WPA2 Personal
    7. Shared Key = new wireless password
    8. Click Save
    9. Repeat the above steps for wl1.2 interface with the exact same SSID and Shared Key
    10. Click Save
  3. Advanced Settings > VLAN > VLAN Setting
    1. VLAN = 12 (or any other unused available VLAN)
    2. VID = 12 (match VLAN)
    3. Bridge = LAN2 (br2) (to match bridge that was just created)
    4. Click Add
    5. Click Save




1 comment:

  1. I've always wanted to do this. Thank you!!!
