Gargoyle Router and PIA OpenVPN config

OK, its been quite sometime since by last post, lots has happened in the world , stupid is on the rise , evil continues to try to get in the way of our day today,and everyone seems to want to know what YOU are doing (google, crackers , governments, and others)

One way to mitigate this is to use a VPN service , like PIA (Private Internet Access) and the most useful way to do this is by using a router configured to use the service exclusively.

There are many 3rd party router firmwares , however not all routers are compatible, so do check compatibility if you choose to use DD-Wrt , Advanced Tomato, Tomato – by Shibby, OpenWrt, LEDE or as I have for my TP-Link router Gargoyle.

OK for the most part it is REAL easy to set up Gargoyle-Router as a VPN client. the following assume you have Gargoyle-Router  set up and in use ( my network uses the Gargole-Router as a Subnet to another router that handles the ISP connection) . It also assumes that you have ssh access to the router.

before doing anything with the GUI , first ssh into the router and get to the OpenVPN folder

ssh root@192.168.x.x

root@Gargoyle:~# cd /etc/openvpn


then use the echo command to create the auth.txt file ( contains username and password) and confirm it using the cat command.

root@Gargoyle:/etc/openvpn#echo “<username>” >> auth.txt

root@Gargoyle:/etc/openvpn#echo “<password>” >> auth.txt

root@Gargoyle:/etc/openvpn#cat auth.txt



It then get s little tedious as you also have to have a “cat crl.rsa.XXXX.pem” file, if you know how to use vim, good on you , cuz do not except how to delete lines and then save ( see later)

to set up the .pem file , I used the echo command with the >> switch to add each of the 15 lines individually like

root@Gargoyle:/etc/openvpn#echo “—–BEGIN X509 CRL—–” >> crl.rsa.2048.pem
root@Gargoyle:/etc/openvpn#echo “MIICWDCCAUAwDQYJKoZIhvcNAQENBQAwgegxCzAJBgNVBAYTAlVTMQswCQYDVQQI” >> crl.rsa.2048.pem
root@Gargoyle:/etc/openvpn#echo “HgYDVQQDExdQcml2YXRlIEludGVybmV0IEFjY2VzczEgMB4GA1UEKRMXUHJpdmF0” >> crl.rsa.2048.pem
root@Gargoyle:/etc/openvpn#echo “each line in turn” >> crl.rsa.2048.pem

ending with:
root@Gargoyle:/etc/openvpn#echo “—–END X509 CRL—–” >> crl.rsa.2048.pem

then confirming it with

root@Gargoyle:/etc/openvpn#cat crl.rsa.2048.pem

now you can ( for a while go to the GUI and log in.

Once logged in, go to Connections >OpenVPN  and select OpenVPN client. then complete all the required boxes.


One this is done Save changes, on doing so it will advise that the configuration has been saved but failed to connect (bummer) , at which point go back to your terminal that you ssh’d into the router with.

The reason why it fails is that Gargoyle writes its own OpenVPN configuration , that points to two files that PIA does not use , some will get round this by making phantom config files ( although as the files are keys, and certs) , this does not seem wise to me.

When back at the terminal you can check the gaining config directly by using

root@Gargoyle:/etc/openvpn# openvpn grouter_client_<randonstringybit>.conf

which will confirm the error, to fix it we need to remove two lines from the .conf file, and the only editor onboard is .. vi

The two lines you need to remove are

cert /etc/openvpn/grouter_client_<randonstringybit>.crt
key /etc/openvpn/grouter_client_<randonstringybit>.keyroot

to do this use vi on the config file

root@Gargoyle:/etc/openvpn# vi grouter_client_<randonstringybit>.conf

then move the cursor to the fist line and tap d twice , it wil remove the line , and then repeat again for the second line, after removing both lines press <esc> :wq <enter>.

you can the retry the config manually again

root@Gargoyle:/etc/openvpn# openvpn grouter_client_<randonstringybit>.conf &

which should now get to the initialisation confirmation and start the VPN client.

when you  rebook you shoudl see a confirmation that the VPN is connceted on the login page , and on the Connections > OpenVPN page.

Mine has now been up for about 2 hours without issue, please post back if you have any success with this.






Upgraded/Updated(?) to Chaos Calmer

I have just successfully upgraded my OpenWRT powered TL-WDR3600 from Barrier Breaker to Chaos Calmer.

I Downloaded the “sysupgrade.bin” version of the firmware, logged in went to system>backup/flash firmware kept the tick in place to keep settings and flashed the update…

Then the lights went off and only 3 came on… feeling of slight panic set in , had I bricked the router? (again)

I waited for a while (5 minutes or so, and thought damn it , and switched the router off and then after a short wait on….

After what seemed to be an age, all the lights came on , I logged back in , and SUCCESS!!

Model: TP-Link TL-WDR3600 v1
Firmware Version: OpenWrt Chaos Calmer 15.05 / LuCI (git-15.248.30277-3836b45)
Kernel Version: 3.18.20

Lovin’ having an OpenWRT Router


Of bricked routers and recovery

This is the epic tale of flashing a TP-Link TL-WDR3600

I was excited, the router I had ordered from Amazon had arrived, I knew after LOTS of research that I was going to Flash a compatible alternative firmware on it, I had looked at DD-WRT, Gargoyle-Router, SuperWrt, ofmodemsandmen but had decided to go for OpenWRT as I thought it would represent a nice learning curve that I could learn from installing and configuring.

I waited for the kids to be in bed , then I started after reading the warnings about being careful, I had located the correct OpenWRT firmware and downloaded it ready, I had been in two minds about whether I could be bothered actually updating the the stock firmware, but thought “what the heck lets do it!”, later this action would pay off, big-time.

So I updated to the latest stock firmware , and after a thorough restart and factory reset had a clean router ready for OpenWRT, every thing went smoothly it was about 2230 at this point , and my two youngest had decided to have a loud conversation/disagreement on something, I was due to start configuring , but wanted to connect to my ISP first , so I had selected LAN, and changed the setting to PPPoE , the kids got louder, so I hastily confirmed the setting and went through to the room to quiet them down as it was late.

It was just as I reached my desk that I realised, I had selected LAN, not WAN! and as it was confirmed , it had changed , I tried many ways to get back into the settings and but was unable to get in access, no LAN, WLAN, SHH or telnet connection was possible, so I stared , almost in tears of stupidity at my recently purchased paperweight with lights…

Unbricking a TP-Link TL-WDR3600

I had bricked my brand new router, it was not a nice feeling, and I was caught in a mix of anger and a state of panic. Then just as I was trying to think of a way to claim under the warranty , I remembered, one of the functions that the latest stock firmware had given the router.

TFTP recovery mode!!

I got my phone and googled for OpenWRT TL-WDR3600 recovery , there was a section on the OpenWRT wiki for recovering the router in this circumstance, however it was not 100% clear what to do , as the section ended with (paraphrasing here) – “once you see this behaviour place the renamed file in to tftp root ”

I did not fully understand , however after reconnecting via the previous router I installed both tcpdump and tftp-hpa, the following is a condensed/abridged version of how I managed to get the router re-flashed with the latest stock firmware to enable the re-flashing of OpenWRT.

 pacman -S tcpdump tftp-hda 

I then reconnected to the LAN1 port with the router off, then typed

tcdummp -ni enp3s0 arp

then switched the router on while holding the reset/wps button, releasing when the wps light come on (its the one end that that looks like refresh/reload arrows) at this point you should see

ARP, Request who-has tell, length 46

which confirms that the router is looking for a TFTP server with a file , but times out as its not able to see where it should be (at

so now you have to have a TFTP server running with the firmware available at the TFTP server root. knowing that my pc would need to have the right IP address I changed it and made it ready.

ip addr add dev <ethernetdevice>

ip link set <ethernetdevice> up 

After trying what follows a few times with the OpenWRT firmware and failing , I decided to try the stock firmware. however as the firmware had the word “boot” in it , I had to “trim” the firmware as per the OpenWRT wiki.

dd if=downloaded_firmware_with_boot_in_name.bin of=wdr3600v1_tp_recovery.bin skip=257 bs=512 

I then needed to put the recovery firmware into the “root” of teh TFTP server,

cp /wdr3600v1_tp_recovery.bin /srv/tftp/

and then started the TFTP server

 systemctl start tftpd 

then with the router OFF I used the following as noted in the OpenWRT wiki

tcpdump -npi enp3s0 udp

Then once again while holding the wps button turned on the router, releasing the button once the wps arrows light came on.

Then after a flurry of lights , the router restarted !

I quickly stopped the TFTP server

systemctl stop tftpd

I then waited for the lights to settle and launched Firefox and logged into the router stock firmware! , at this point it was 0200hours and time for bed.

I was able to re-complete and configure the Flash to OpenWRT the following day. (today)

I really, really hope that my Tale helps others in a similar position, and serves as a warning not to rush or be distracted by other things while flashing firmware in a device