Gargoyle Router and PIA OpenVPN config

OK, it's been quite some time since my last post. Lots has happened in the world: stupid is on the rise, evil continues to try to get in the way of our day to day, and everyone seems to want to know what YOU are doing (Google, crackers, governments, and others).

One way to mitigate this is to use a VPN service like PIA (Private Internet Access), and the most useful way to do this is with a router configured to use the service exclusively.

There are many 3rd party router firmwares, however not all routers are compatible, so do check compatibility if you choose to use DD-WRT, Advanced Tomato, Tomato by Shibby, OpenWrt, LEDE or, as I have for my TP-Link router, Gargoyle.

OK, for the most part it is REAL easy to set up Gargoyle-Router as a VPN client. The following assumes you have Gargoyle-Router set up and in use (my network uses the Gargoyle-Router as a subnet of another router that handles the ISP connection). It also assumes that you have ssh access to the router.

Before doing anything with the GUI, first ssh into the router and get to the OpenVPN folder:

ssh root@192.168.x.x

root@Gargoyle:~# cd /etc/openvpn


Then use the echo command to create the auth.txt file (it contains the username on the first line and the password on the second) and confirm it using the cat command.

root@Gargoyle:/etc/openvpn# echo "<username>" >> auth.txt

root@Gargoyle:/etc/openvpn# echo "<password>" >> auth.txt

root@Gargoyle:/etc/openvpn# cat auth.txt



It then gets a little tedious, as you also have to have a crl.rsa.XXXX.pem file (the one you would "cat" to check). If you know how to use vi, good on you, cuz I do not, except for how to delete lines and then save (see later).

To set up the .pem file, I used the echo command with the >> redirect to add each of the 15 lines individually, like:

root@Gargoyle:/etc/openvpn# echo "-----BEGIN X509 CRL-----" >> crl.rsa.2048.pem
root@Gargoyle:/etc/openvpn# echo "MIICWDCCAUAwDQYJKoZIhvcNAQENBQAwgegxCzAJBgNVBAYTAlVTMQswCQYDVQQI" >> crl.rsa.2048.pem
root@Gargoyle:/etc/openvpn# echo "HgYDVQQDExdQcml2YXRlIEludGVybmV0IEFjY2VzczEgMB4GA1UEKRMXUHJpdmF0" >> crl.rsa.2048.pem
root@Gargoyle:/etc/openvpn# echo "each line in turn" >> crl.rsa.2048.pem

ending with:

root@Gargoyle:/etc/openvpn# echo "-----END X509 CRL-----" >> crl.rsa.2048.pem

then confirming it with:

root@Gargoyle:/etc/openvpn# cat crl.rsa.2048.pem
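The two files above can be created in one go from the ssh session, and with permissions that only root can read, which the plain echo commands do not give you. This is an added example, not from the original post: it assumes the target directory is passed as the first argument (on the router that is /etc/openvpn), and the CRL body in the heredoc is a constructed placeholder that you replace with the real crl.rsa.2048.pem lines from PIA.

```shell
#!/bin/sh
# Added example, not from the original post: create the two files PIA needs
# (auth.txt and the CRL) in one go, with permissions only root can read,
# instead of one echo per line. Assumptions: the target directory is passed
# as the first argument (on the router that is /etc/openvpn); the CRL body
# below is a constructed placeholder and must be replaced by the real
# crl.rsa.2048.pem contents from PIA.

write_pia_files() (            # subshell body so the umask change stays local
    dir="$1"; user="$2"; pass="$3"
    umask 077                  # files created from here on are mode 600
    # '>' rather than '>>' so re-running does not append duplicate lines
    printf '%s\n%s\n' "$user" "$pass" > "$dir/auth.txt"
    cat > "$dir/crl.rsa.2048.pem" <<'EOF'
-----BEGIN X509 CRL-----
PLACEHOLDER_PASTE_THE_PIA_CRL_BASE64_LINES_HERE
-----END X509 CRL-----
EOF
)

# Checks worth running before pointing OpenVPN at the files: auth.txt has
# exactly two lines, nobody but the owner can read it, and the CRL still has
# its PEM armour lines intact.
check_pia_files() {
    dir="$1"
    [ "$(wc -l < "$dir/auth.txt")" -eq 2 ] || return 1
    [ -n "$(find "$dir/auth.txt" -perm 600)" ] || return 1
    [ "$(head -n 1 "$dir/crl.rsa.2048.pem")" = "-----BEGIN X509 CRL-----" ] || return 1
    [ "$(tail -n 1 "$dir/crl.rsa.2048.pem")" = "-----END X509 CRL-----" ] || return 1
    return 0
}

# Usage on the router (username and password are placeholders):
#   write_pia_files /etc/openvpn 'p1234567' 'your-pia-password' && check_pia_files /etc/openvpn
```

Note the difference from the post's commands: `>>` appends, so running the echo lines twice leaves you with four lines in auth.txt and a doubled CRL, which OpenVPN will reject; the function writes the files fresh each time.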

Now you can (for a while) go to the GUI and log in.

Once logged in, go to Connections > OpenVPN and select OpenVPN client, then complete all the required boxes.


Once this is done, Save changes. On doing so it will advise that the configuration has been saved but failed to connect (bummer), at which point go back to the terminal that you ssh'd into the router with.

The reason it fails is that Gargoyle writes its own OpenVPN configuration, which points to two files (a client cert and key) that PIA does not use. Some get round this by making phantom files, but as those files are keys and certs, this does not seem wise to me.

When back at the terminal you can check the resulting config directly by running

root@Gargoyle:/etc/openvpn# openvpn grouter_client_<randonstringybit>.conf

which will confirm the error. To fix it we need to remove two lines from the .conf file, and the only editor on board is... vi.

The two lines you need to remove are:

cert /etc/openvpn/grouter_client_<randonstringybit>.crt
key /etc/openvpn/grouter_client_<randonstringybit>.key

To do this, use vi on the config file:

root@Gargoyle:/etc/openvpn# vi grouter_client_<randonstringybit>.conf

Then move the cursor to the first of those two lines and tap d twice (dd), which will remove the line, then repeat for the second line. After removing both lines press <esc> :wq <enter> to save and quit.

You can then retry the config manually:

root@Gargoyle:/etc/openvpn# openvpn grouter_client_<randonstringybit>.conf &

which should now get to the "Initialization Sequence Completed" confirmation and start the VPN client.
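If you would rather not drive vi, the same two lines can be removed from the generated config with sed, which is also on the router, while keeping a backup of the original. This is an added example, not from the original post or from Gargoyle: the sample config written by `make_sample_conf` is constructed for illustration (the real file's name, server and paths differ), and only the two directives being removed matter.

```shell
#!/bin/sh
# Added example, not from the original post: drop the 'cert' and 'key' lines
# that Gargoyle writes into grouter_client_*.conf without opening vi, keeping
# a backup so the change can be diffed or undone. The sample config written
# by make_sample_conf is constructed for illustration; the real file's name,
# server and paths differ, only the two directives being removed matter.

make_sample_conf() {
    cat > "$1" <<'EOF'
client
dev tun
proto udp
remote vpn.example.invalid 1194
auth-user-pass /etc/openvpn/auth.txt
crl-verify /etc/openvpn/crl.rsa.2048.pem
ca /etc/openvpn/ca.crt
cert /etc/openvpn/grouter_client_EXAMPLE.crt
key /etc/openvpn/grouter_client_EXAMPLE.key
verb 3
EOF
}

fix_gargoyle_conf() {
    conf="$1"
    cp "$conf" "$conf.bak"
    # delete only whole lines that begin with the 'cert' or 'key' directive;
    # 'auth-user-pass', 'crl-verify' and everything else are left untouched
    sed -e '/^cert[[:space:]]/d' -e '/^key[[:space:]]/d' "$conf.bak" > "$conf"
}

# Prints how many lines start with the given directive (0 when none).
count_directive() {
    grep -c "^$2[[:space:]]" "$1" || true
}

# Usage on the router (the file name is a placeholder, as in the post):
#   fix_gargoyle_conf /etc/openvpn/grouter_client_<randonstringybit>.conf
#   diff /etc/openvpn/grouter_client_<randonstringybit>.conf.bak /etc/openvpn/grouter_client_<randonstringybit>.conf
#   openvpn /etc/openvpn/grouter_client_<randonstringybit>.conf
```

The patterns are anchored to the start of the line and followed by whitespace, so `key` cannot accidentally match `crl-verify` or a path containing "key" elsewhere on the line; running `diff` against the `.bak` copy before starting OpenVPN shows exactly what changed.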

When you reboot you should see a confirmation that the VPN is connected on the login page, and on the Connections > OpenVPN page.

Mine has now been up for about 2 hours without issue, please post back if you have any success with this.


OpenWRT for guests

This morning I finally got round to setting up a guest wireless network on my OpenWRT router (a TP-Link TL-WDR3600 v1.5).

The goal of the guest wireless was to provide my kids' friends with a connection they can use with their (mostly PAYG) smartphones.

This was relatively simple, as I followed the guide on the OpenWRT wiki.

The only real difference I made was to select OpenDNS FamilyShield for the guest network.

So now I have a guest network that is safe for all to use.

If you have a router that is capable of having a guest network and want to set one up, in brief the steps taken (at your own risk) are:

Log in to the OpenWRT router.

Navigate to: Network > WiFi
Click Add on the radio entry you want to have the guest network on (if you have 2.4GHz and 5GHz radios, it's normally the 2.4GHz radio that carries the guest network).

Configure the new wireless entry: create a "guest" entry under the "network" section, and make sure you set up encryption and change the name of the guest wireless SSID.

Then navigate to: Network > Interfaces
Click on the edit button for "guest" and change the protocol to "Static address". Fill in the IP address for the interface (avoid or as these may be reserved already or in the future). I chose (this will result in guests having an IP of ) and set a Netmask from the dropdown; this is where you add any alternate DNS lookups (I added and ). Make sure you enable DHCP and lower the lease time to an hour.

Click on the firewall settings tab within the "Guest" interface
Create a "Guest" firewall zone.

Then navigate to: Network > Firewall and click Edit on the "Guest" zone.
Change "Input" to "Reject" and tick the WAN entry under "Allow forward to destination zones".

At this point click "Save and Apply", but we are not done yet: you now have a network that goes nowhere, so we need to set up two firewall rules.

One rule for DNS and another for DHCP.

Navigate to: Network > Firewall > Traffic Rules
Locate the subsection titled "Open ports on router".

Rule 1, DNS:
Set a name for the first rule, e.g. "GuestDNS", select "TCP+UDP" in the protocol dropdown and external port "53", click "Add", and then "Edit" to configure this rule.
In "Source zone" select "Guest" and in "Destination zone" select "Input (device)",
and save.

Rule 2, DHCP:
Set a name for the rule, "GuestDHCP", select "UDP" in the protocol dropdown and external port "67-68", click "Add", and then "Edit" to configure this rule.
In "Source zone" select "Guest" and in "Destination zone" select "Input (device)",
and save.

Check there are no unsaved changes (in Chaos Calmer there is a green "Unsaved Changes" button in the top-right of the LuCI webpage; click that and make sure all changes are saved).

After all changes are saved, reboot the router, and you are done.
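For anyone who prefers to see what those LuCI clicks end up writing, the same setup in UCI config-file form (the files under /etc/config on the router) is given below. This is an added example, not from the post or the OpenWRT wiki: the zone, interface and rule names follow the post, while the radio name, SSID, passphrase, addresses and DNS servers are placeholders for values the post does not give.

```text
# /etc/config/wireless  (added example; radio0, SSID and key are placeholders)
config wifi-iface
        option device 'radio0'
        option network 'guest'
        option mode 'ap'
        option ssid '<guest SSID>'
        option encryption 'psk2'
        option key '<guest passphrase>'

# /etc/config/network  (addresses and DNS servers are placeholders)
config interface 'guest'
        option proto 'static'
        option ipaddr '<guest gateway IP>'
        option netmask '255.255.255.0'
        list dns '<OpenDNS FamilyShield resolver 1>'
        list dns '<OpenDNS FamilyShield resolver 2>'

# /etc/config/dhcp  (one hour lease, as in the post)
config dhcp 'guest'
        option interface 'guest'
        option start '100'
        option limit '150'
        option leasetime '1h'

# /etc/config/firewall
# Input REJECT means guests cannot reach any service on the router itself,
# which is why the two explicit input rules below are needed.
config zone
        option name 'guest'
        option network 'guest'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

# "allow forward to destination zone: wan"
config forwarding
        option src 'guest'
        option dest 'wan'

# Rule 1: let guests resolve names via the router (TCP+UDP 53);
# no 'dest' means the destination is the router itself (Input/device).
config rule
        option name 'GuestDNS'
        option src 'guest'
        option proto 'tcp udp'
        option dest_port '53'
        option target 'ACCEPT'

# Rule 2: let guests obtain a lease from the router's DHCP server (UDP 67-68).
config rule
        option name 'GuestDHCP'
        option src 'guest'
        option proto 'udp'
        option dest_port '67-68'
        option target 'ACCEPT'
```

Reading it this way makes the point of the post's two rules obvious: the zone's Input of REJECT closes every router service to guests, and the DNS and DHCP rules are the only two holes punched back through, so guests get an address and FamilyShield-filtered name resolution and nothing else on the router.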