Thursday, May 3, 2018

How To: Free Private VPN On Home Router

Being able to appear as if you're in a different country online is a common issue for expats. Several services such as Netflix, Amazon, and Hulu have region locked content, while some websites completely block access from some foreign countries. Most people pay a VPN provider to help with this issue, but that is not always ideal. This guide is designed to walk you through setting up a free private VPN on a common consumer router that will be placed in the other country.

Pros
  • Free
  • No usage caps
  • Extremely customizable setup
  • Nearly impossible to be blocked by a content provider

Cons
  • Only one location
  • No technical support
  • Internet traffic is not anonymous
  • Speed is limited by the upload bandwidth of the host



UPDATE (February 2019): Although all the instructions on this page will still work, I have found that using a Raspberry Pi for the VPN server is usually a better option. Instructions on how to use a Pi have been added below under VPN Server on Raspberry Pi.



The following steps set up SoftEther VPN running on a Linksys EA6700 with the AdvancedTomato GUI.

Router Details

Linksys EA6700 - Amazon
  • Wireless AC
  • CPU: 2x 800MHz
  • RAM: 256MB
  • Flash: 128MB

Configuration

Flash AdvancedTomato

  1. Download the necessary files - https://drive.google.com/drive/folders/15Rf7KnH-kBqjTqcJ4eX0DXuKj7EYjRYS
  2. Disconnect or disable internet connection(s) on computer
  3. Set a static IP for the ethernet connection on the computer
    • IP address = 192.168.1.100
    • Subnet mask = 255.255.255.0
    • Default gateway = 192.168.1.1
  4. Run tftp.exe and fill in fields:
    • Server = 192.168.1.1
    • Password = admin
    • File = FW_EA6700_1.1.40.166281_prod.img
  5. Connect computer to router’s Ethernet 1 port
  6. Open a PowerShell/Terminal window
    • ping -t 192.168.1.1
  7. Plug in router power
  8. Wait until the TTL from the ping command is 100
  9. Click Upgrade (if there is an error, try again)
  10. Click OK
  11. Click Close
  12. Wait until the TTL from the ping command is 64
  13. Navigate browser to 192.168.1.1
  14. Select both checkboxes and click Next
  15. Click Login
  16. Default password = admin
  17. Click Sign In
  18. Click Troubleshooting
  19. Click Diagnostics
  20. Click Restore previous firmware
  21. Click Yes
  22. After the router restarts, sign in again
  23. Click Connectivity
  24. Click Choose File and select linksys-ea6700-webflash.bin
  25. Click Start
  26. Click Yes
  27. Click Ok
  28. Wait until the TTL from the ping command is 64
  29. Navigate browser to 192.168.1.1
  30. All three fields = admin
  31. Click Change Password
  32. Services > Secure Shell > Enable
  33. Click Apply Settings
  34. Navigate browser to http://192.168.1.1/backup/cfe.bin and save the file in case of necessary recovery
  35. Run cfe_edit.exe and open cfe.bin
  36. Click on Advanced Mode and edit the values for the specific router
    • et0macaddr = MAC address from the bottom of the router
    • 0:macaddr = MAC address + 2
    • 1:macaddr = MAC address + 4
    • secret_code = WPS code on the bottom of the router below the MAC address (no hyphen)
  37. Save the file
  38. Open a PowerShell/Terminal window on computer
    • cd <the downloaded directory>
      scp .\cfe.bin root@192.168.1.1:~
      ssh root@192.168.1.1 "mtd -f write cfe.bin /dev/mtd0"
  39. Unplug the router, hold the blue WPS button, plug in the router, and release the button when the Linksys logo starts flashing quickly
  40. Repeat the last step, but press the reset button immediately after releasing the WPS button, and hold it until the TTL from the ping command is 100
  41. Navigate browser to 192.168.1.1
  42. Click Restore default NVRAM values.
  43. Click Continue
  44. Click Choose File and select tomato-EA6700-AT-ARM-3.5-140-AIO-64K.trx
  45. Click Upload
  46. Wait until the TTL from the ping command is 64
  47. Click Continue
  48. Administration > Configuration > Restore Default Configuration > Erase all data in NVRAM memory (thorough) > OK > OK
  49. Wait until the TTL from the ping command is 64
  50. Navigate browser to 192.168.1.1
  51. Administration > Admin Access > Authorization Settings
    1. Enter a unique password
    2. Click Save
  52. Connect ISP connection to Internet port
  53. Set the ethernet connection on the computer to obtain an IP address automatically
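To get the three CFE MAC values from step 36 without doing hex arithmetic by hand, here is a small POSIX shell helper added to this guide (it is not part of the original post or of AdvancedTomato). It assumes the label MAC is six hex octets separated by colons or hyphens; the sample MAC in the usage line is constructed, not a real device.

```shell
#!/bin/sh
# Added example: compute the CFE values for step 36 from the MAC on the router label.
# Assumes the MAC is six hex octets separated by ':' or '-' (case-insensitive).

# mac_add MAC OFFSET: print MAC + OFFSET as a lowercase colon-separated MAC,
# carrying across octet boundaries (...:cd:fe + 2 -> ...:ce:00).
mac_add() {
    hex=$(printf '%s' "$1" | sed 's/[:-]//g' | tr 'A-F' 'a-f')
    case "$hex" in
        *[!0-9a-f]*|'') echo "mac_add: bad MAC '$1'" >&2; return 1 ;;
    esac
    [ ${#hex} -eq 12 ] || { echo "mac_add: bad MAC '$1'" >&2; return 1; }
    # The 48-bit address fits in the shell's 64-bit arithmetic; mask to 48 bits
    # so an address near ff:ff:ff:ff:ff:ff wraps instead of growing a 7th octet.
    val=$(( (0x$hex + $2) & 0xffffffffffff ))
    printf '%012x\n' "$val" | sed 's/\(..\)/\1:/g; s/:$//'
}

# cfe_values MAC: print the three key=value lines to enter in cfe_edit.exe.
cfe_values() {
    base=$(mac_add "$1" 0) || return 1
    printf 'et0macaddr=%s\n' "$base"
    printf '0:macaddr=%s\n' "$(mac_add "$1" 2)"
    printf '1:macaddr=%s\n' "$(mac_add "$1" 4)"
}

# Usage with a constructed sample MAC (not a real device):
cfe_values 'C0:56:27:AB:CD:FE'
```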

Install SoftEther

  1. Login to router
  2. Administration > JFFS
    1. JFFS Partition > Enable > Enable
    2. JFFS Partition > Format / Erase…
    3. Click Ok
    4. Click Save
  3. Open a PowerShell/Terminal window on computer
    • cd <the downloaded directory>
      ssh root@192.168.1.1 "mkdir -p /jffs/etc/softether"
      scp .\<vpnserver or vpnbridge> .\hamcore.se2 root@192.168.1.1:/jffs/etc/softether
      ssh root@192.168.1.1 "chmod 700 /jffs/etc/softether/*"

Setup VPN Server

  1. Administration > Scripts
    1. Init =
      • modprobe tun
        openvpn --mktun --dev tap_soft
    2. Firewall =
      • iptables -A INPUT -p tcp --dport 443 -j ACCEPT
        iptables -A INPUT -p tcp --dport 992 -j ACCEPT
        iptables -A INPUT -p tcp --dport 1194 -j ACCEPT
        iptables -A INPUT -p tcp --dport 5555 -j ACCEPT
        iptables -A INPUT -p udp --dport 500 -j ACCEPT
        iptables -A INPUT -p udp --dport 1194 -j ACCEPT
        iptables -A INPUT -p udp --dport 1701 -j ACCEPT
        iptables -A INPUT -p udp --dport 4500 -j ACCEPT
    3. WAN Up =
      • brctl addif br0 tap_soft
        /jffs/etc/softether/vpnserver start
    4. Click Save
  2. Basic Settings > Network
    1. WAN Settings > DNS Server = Manual
    2. WAN Settings > DNS 1 = 8.8.8.8
    3. WAN Settings > DNS 2 = 1.1.1.1
    4. LAN > br0 > IP Address = 192.168.###.1 (### is a random number 2-255)
    5. LAN > br0 > IP Range = 192.168.###.101-199 (### to match the IP Address)
    6. Click OK
    7. Wireless (2.4 GHz / eth1) > Enable Wireless > Disable
    8. Wireless (5 GHz / eth2) > Enable Wireless > Disable
    9. Click Save
  3. Reboot router
  4. Download SoftEther VPN Server Manager - http://www.softether-download.com
  5. Run SoftEther VPN Server Manager
  6. Click New Setting
    1. Host Name = Router IP
    2. Click OK
  7. Click Connect
  8. Enter a new password
  9. Click Remote Access VPN Server
  10. Click Next
  11. Click Yes
  12. Click OK
  13. Enter a unique Dynamic DNS Hostname
  14. Click Exit
  15. Click Enable L2TP Server Function (L2TP over IPSec)
  16. Click OK
  17. Click Disable VPN Azure
  18. Click OK
  19. Click Create Users
  20. Create a user for the client router
    1. User Name = EA6700
    2. Auth Type = Individual Certificate Authentication
    3. Click Create Certificate
    4. Click OK
    5. Click OK
    6. Save the file
    7. Click OK
  21. Click OK
  22. Create as many users as wanted with User Name, Full Name, and Password
  23. Click Exit
  24. Click Close
  25. Click Local Bridge Setting
  26. Click the Virtual Hub from the dropdown
  27. Click Bridge with New Tap Device
  28. New Tap Device Name = soft
  29. Click Create Local Bridge
  30. Click OK
  31. Click Exit
  32. Click Exit
  33. Click Exit SoftEther VPN Server Manager

Connect VPN Router to Host Router

  1. Connect Internet port on VPN router to Ethernet port on host router
  2. Connect computer to host router
  3. Login to host router
  4. Set reserved IP for VPN router in DHCP settings
  5. Forward following ports to VPN router
    • TCP: 443, 992, 1194, 5555
    • UDP: 500, 1194, 1701, 4500

Setup VPN Client

  1. Administration > Scripts
    1. WAN Up =
      • /jffs/etc/softether/vpnbridge start
    2. Click Save
  2. Basic Settings > Network
    1. WAN Settings > DNS Server = Manual
    2. WAN Settings > DNS 1 = 8.8.8.8
    3. WAN Settings > DNS 2 = 1.1.1.1
    4. LAN > br0 > IP Address = 192.168.###.1 (### is a random number 2-255)
    5. LAN > br0 > DHCP = Disabled
    6. OK
    7. Wireless (2.4 GHz / eth1) & Wireless (5 GHz / eth2)
      • SSID = Any name
      • Channel = Auto
      • Security = WPA2 Personal
      • Shared Key = Choose a password
    8. Click Save
  3. Reboot router
  4. Download SoftEther VPN Server Manager - http://www.softether-download.com
  5. Run SoftEther VPN Server Manager
  6. Click New Setting
    1. Host Name = Router IP
    2. OK
  7. Click Connect
  8. Enter a new password
  9. Click Next
  10. Click Yes
  11. Click Configure Connection Setting
    1. Setting Name = VPN
    2. Host Name = Dynamic DNS Hostname
    3. Virtual Hub Name = VPN
    4. Auth Type = Client Certificate Authentication
    5. User Name = EA6700
    6. Click Specify Client Certificate
    7. Select the file saved when creating the user
    8. Click OK
  12. Click Exit
  13. Click br0 under Set Local Bridge
  14. Click Close
  15. Click Exit
  16. Click Exit SoftEther VPN Server Manager

Optional Configurations

Separate Local Network

  1. Basic Settings > Network > LAN
    1. Bridge = 1 (or any other unused available bridge)
    2. IP Address = 192.168.###.1 (### is a random number 2-255, different than existing bridges)
    3. Netmask = 255.255.255.0
    4. DHCP = Enabled
    5. IP Range = 192.168.###.101-199 (### to match the IP Address)
    6. Click Add
    7. Click Save
  2. Advanced Settings > Virtual Wireless > Virtual Wireless Interfaces
    1. Interface = wl0.1 (or any other unused available interface)
    2. Enabled = yes
    3. SSID = Name that will show up on devices
    4. Bridge = LAN1 (br1) (to match bridge that was just created)
    5. Click Add
    6. Security = WPA2 Personal
    7. Shared Key = new wireless password
    8. Click Save
    9. Repeat the above steps for wl1.1 interface with the exact same SSID and Shared Key
    10. Click Save
  3. Advanced Settings > VLAN > VLAN Setting
    1. VLAN = 11 (or any other unused available VLAN)
    2. VID = 11 (match VLAN)
    3. Port 1-4 = Yes (for the ports that should not use the VPN; must be unselected for other VLAN)
    4. Bridge = LAN1 (br1) (to match bridge that was just created)
    5. Click Add
    6. Click Save

Separate Guest Network

  1. Basic Settings > Network > LAN
    1. Bridge = 2 (or any other unused available bridge)
    2. IP Address = 192.168.###.1 (### is a random number 2-255, different than existing bridges)
    3. Netmask = 255.255.255.0
    4. DHCP = Enabled
    5. IP Range = 192.168.###.101-199 (### to match the IP Address)
    6. Click Add
    7. Click Save
  2. Advanced Settings > Virtual Wireless > Virtual Wireless Interfaces
    1. Interface = wl0.2 (or any other unused available interface)
    2. Enabled = yes
    3. SSID = Name that will show up on devices
    4. Bridge = LAN2 (br2) (to match bridge that was just created)
    5. Click Add
    6. Security = WPA2 Personal
    7. Shared Key = new wireless password
    8. Click Save
    9. Repeat the above steps for wl1.2 interface with the exact same SSID and Shared Key
    10. Click Save
  3. Advanced Settings > VLAN > VLAN Setting
    1. VLAN = 12 (or any other unused available VLAN)
    2. VID = 12 (match VLAN)
    3. Bridge = LAN2 (br2) (to match bridge that was just created)
    4. Click Add
    5. Click Save

VPN Server on Raspberry Pi

Using a Raspberry Pi as the VPN server hardware provides more benefits (e.g. better hardware for similar cost, remote access, smaller footprint, etc.), but it is slightly more technical than using a router. The steps below replace the steps above under Flash AdvancedTomato and Install SoftEther. They are designed for a headless setup (no display needed) and include TeamViewer for remote access. Although most Raspberry Pi models can be used, I recommend the Pi 4, as it includes a true gigabit ethernet port. Here is one possible kit that includes all the parts you would need to create a complete Raspberry Pi setup - CanaKit
  1. Download and install NOOBS to the SD card (Some SD cards come pre-installed with NOOBS) - https://www.raspberrypi.org/downloads/noobs
  2. Edit the recovery.cmdline file and add silentinstall
    • sed -i '$s/$/ silentinstall/' recovery.cmdline
  3. Add a file named ssh to the root of the SD card (the contents do not matter)
  4. Insert SD card into the Pi
  5. Connect an ethernet cable between the Pi and router
  6. Connect the power cable to the Pi
  7. The Pi will now take up to half an hour to install the operating system
  8. Get the IP of the Pi from router once it is available
  9. Open a PowerShell/Terminal window on computer
    • ssh pi@<IP of the Pi>   # password = raspberry (the default; change it with passwd)
      sudo raspi-config nonint do_change_locale en_US.UTF-8
      sudo raspi-config nonint do_change_timezone America/New_York
      sudo raspi-config nonint do_configure_keyboard us
      sudo raspi-config nonint do_wifi_country US
      sudo apt update -y
      sudo apt full-upgrade -y
      sudo apt autoremove -y
      # TeamViewer host for remote administration of the headless Pi
      wget https://download.teamviewer.com/download/linux/teamviewer-host_armhf.deb
      sudo apt install ./teamviewer-host_armhf.deb -y
      sudo teamviewer setup
      # Look up the 32-bit ARM vpnserver tarball for this release through the GitHub API and download it
      curl -s https://api.github.com/repos/SoftEtherVPN/SoftEtherVPN_Stable/releases/tags/v4.30-9696-beta |
      grep "browser_download_url.*vpnserver.*linux-arm_eabi-32bit.tar.gz" |
      cut -d : -f 2,3 | tr -d \" | wget -O vpnserver.tar.gz -i -
      tar zxvf vpnserver.tar.gz
      cd vpnserver
      make
      # make asks three license questions; answer 1 (Yes) to each
      1
      1
      1
      cd ..
      sudo mv vpnserver /usr/local/
      cd /usr/local/vpnserver/
      # only root may read the config and run the binaries
      sudo chmod 600 *
      sudo chmod 700 vpncmd vpnserver
  10. Create /etc/init.d/vpnserver with the below content
    • #!/bin/sh
      ### BEGIN INIT INFO
      # Provides:          vpnserver
      # Required-Start:    $remote_fs $syslog
      # Required-Stop:     $remote_fs $syslog
      # Default-Start:     2 3 4 5
      # Default-Stop:      0 1 6
      # Short-Description: SoftEther VPN Server
      # Description:       SoftEther VPN Server
      ### END INIT INFO
      DAEMON=/usr/local/vpnserver/vpnserver
      LOCK=/var/lock/subsys/vpnserver
      test -x $DAEMON || exit 0
      # Raspbian does not ship /var/lock/subsys, so create it or touch $LOCK fails
      mkdir -p "$(dirname $LOCK)"
      case "$1" in
      start)
      $DAEMON start
      touch $LOCK
      ;;
      stop)
      $DAEMON stop
      rm -f $LOCK
      ;;
      restart)
      $DAEMON stop
      sleep 3
      $DAEMON start
      touch $LOCK
      ;;
      *)
      echo "Usage: $0 {start|stop|restart}"
      exit 1
      esac
      exit 0
  11. Set the VPN server to start automatically
    • sudo chmod 755 /etc/init.d/vpnserver
      sudo /etc/init.d/vpnserver start
      sudo update-rc.d vpnserver defaults
  12. Continue from step 4 under Setup VPN Server above, but skip steps 27 and 28

16 comments:

  1. I've always wanted to do this. Thank you!!!
  2. Hi there,

    Can you clarify the advantages of the raspberry pi in practical terms? Does it allow significantly better bandwidth than running the VPN client on the router? You say VPN server, but you mean VPN client, right?
    Replies
    1. I do in fact mean VPN server, not client. A Raspberry Pi will generally have a faster processor and more RAM than a router would at the same price point, which will improve VPN performance. Since none of the wireless capabilities are being used for the server side of the setup, those features of a router are useless anyway.

      If you have an existing router that you are trying to use, then it will still work fine, but if you're buying new hardware for the VPN server anyway, a Raspberry Pi is the better option.
    2. Wait, so is the idea that the solution on this page would be placing the router or raspberry pi in the United States, to take the place of a commercial VPN service? Or would you have this in your home abroad and it would still get Hulu, etc to work?
    3. Correct, the "VPN server" on this page is meant to replace a commercial paid service by having your own VPN service in the U.S. running on the Pi. Only the client router would be in your home abroad, allowing you to connect to the Pi and stream U.S. content.
  3. Hi M!
    Thanks so much for posting this information. I think I successfully got the Pi server up and running, but I was wondering if you could give me some advice on the client piece. I currently have a LinkSys WRT3200ACM router flashed with DD-WRT. Tomato doesn't support this model. Do you think the same setup is possible using the equipment I already have, or do you think I should forget it and buy the EA6700?
    Thanks so much for your help!
    -Nate
    Replies
    1. You can definitely use your router. I haven't used DD-WRT in a bit, but these changes to the guide should work:
      1) For Install SoftEther step 2, you can use these instructions to enable JFFS.
      2) For Setup VPN Client step 1 you can use these instructions to enter the command for the firewall.

      Everything else should pretty much be the same. Let me know if you have any issues. We can also message directly if you need more specific guidance.
  4. Thanks again, M.
    I think I got everything set up, but something was wrong with the link in your comment about the firewall command instructions, so I'm not sure if I did that part right.
    Also, I don't know how to replicate this portion in DD-WRT because I don't see any options like this. Do you have any advice?
    LAN > br0 > IP Address = 192.168.###.1 (### is a random number 2-255)
    LAN > br0 > DHCP = Disabled

    One more question for you... My wife is going to bring the Pi with her when she goes back to the States for the summer. I would like to test everything before she leaves to see if I set it up properly. Is there a recommended way to do this? I was thinking of bringing the client router over to a friend's place and trying to connect to the Pi (currently in my house overseas) to see if the VPN connection works. Should this happen automatically if I did everything right?

    Thanks again for your help with this!
    -Nate
    Replies
    1. Sorry about that link, not sure what happened. It was supposed to be this: https://wiki.dd-wrt.com/wiki/index.php/Startup_Scripts

      `LAN > br0 > IP Address` is going to be equivalent to `Basic Setup > Router IP > Local IP Address` and `LAN > br0 > DHCP` is the same as `Basic Setup > Network Address Server Settings (DHCP) > DHCP Server` in DD-WRT.

      The easiest way to test the VPN server is to try and connect from a mobile device using cellular data. If it works, your public IP address should change from the cellular provider to the IP of your home internet connection. Also, if you set up TeamViewer on the Pi, then you can always make changes to the device remotely to fix any issues or modify the configuration. The client router will indeed automatically connect to the server if there are no issues.
  5. Thanks for clearing that up. I think I got everything set up correctly, but I wanted to make sure I could connect to the server through the client, so I connected the Pi to the internet in my friend's house. Unfortunately, I can't get to the internet when I try to go through the client router in my house. One of my friends thinks restrictions on certain types of traffic in our host country might be preventing the connection. Do you think that's possible, or is it more likely that I made a mistake somewhere? I may try to message you directly if this isn't a simple fix/answer.

    Thanks again for all your help, and happy 4th!
    Replies
    1. Did you follow the steps in Connect VPN Router to Host Router? If the client router doesn't connect to the server then you won't get any internet connection on your devices, since there is no DHCP to assign them an IP address. It's possible but unlikely that it's being blocked in the country, but there are ways around that as well. We can direct message if that still doesn't work for you.
  6. I'm going to ask some friends and family about this. Is there any way you estimate how much of their bandwidth we'll need and what speed they should have? We do a good amount of streaming in our household. I could offer to chip in to their internet bill, but then I'm back to a monthly fee.
    Replies
    1. It can really vary. Netflix recommends 5Mbps per HD stream. Streaming music is negligible. If you want accurate numbers, you can see if your existing router does bandwidth monitoring, and check the statistics there.

      If you are having others test their speed, make sure they are looking at the upload speed, as that will be what affects the VPN the most. It's rare that they would be able to notice your usage at all. Also keep in mind any timezone difference. If you're overseas, your peak streaming may often be when they are asleep or at work.
  7. Hi M
    Thanks for this guide, I decided to give it a try. Unfortunately I'm stuck pretty early. I get an error message when installing the Linksys firmware file. This firmware file won't work on this router. I tried downloading again but it didn't work. Any ideas?
    Thanks!
    Replies
    1. That sounds like something went wrong somewhere in steps 1-22. If the firmware isn't on version 166281, then it will fail to install the file since it's not from Linksys. Did you get any errors in those earlier steps?
  8. 1-22 went smoothly. I can try running tftp.exe again. Otherwise I'm not sure what it could be.

    Thanks for your response.