OpenWrt Forum Archive

Topic: VPN Clarification Request

The content of this topic has been archived on 30 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Good [insert time of day here],

I have a Linksys WRT1200AC on its way to me. I am no novice in configuring routers, and I have a deal of experience with VPN configurations, mostly on the client side. That being said, this will be my first time moving away from the stock firmware; I'm not really concerned about that process as I've flashed other devices before with high success rates, but I need some clarification on the VPN aspect.

I'm reading through the various documentation available for configuring OpenWRT to use my VPN service, and have a few questions.

Currently I run my VPN (IPVanish) locally on each of my machines that require anonymity. My goal with this router is to relieve the need to run VPN clients locally (VPN clients crash often -- not so much since I've moved from IPVanish's client to OpenVPN, but it still happens), and just have all of my LAN->WAN connectivity encrypted at the router... Hopefully I'm not too far off.

As it normally happens with this sort of subject, much of the information out there is outdated, conflicting with other documentation, or just difficult to understand even with a good deal of knowledge about the subjects.

From what I can tell, I'll set my router up with the VPN connection to IPVanish. It seems like it should end there as everything going out the WAN port should be encrypted... otherwise, what's the point? Much of the documentation I'm going over has instructions, or states a requirement, for setting up the devices to use it (still requiring a local VPN client). This just doesn't seem right to me unless I'm missing something entirely, or misinterpreting the purpose of the guide(s) I'm reviewing.

Are the devices being set up to pre-encrypt the data at layer 2, then send it to the router to be encrypted again at layer 3 (If we're talking OSI here)? Or is it taking the encryption labor off of the router, so it's only job is to tunnel the data hence saving precious resources from lower end routers? Or am I completely missing something, and the router can/will do all of the encryption/tunneling with no OpenVPN configuration on the client-side?

In my situation, the tertiary would be preferred. It is a private home network so I'm not concerned about the data's state from client-to-gateway, but I want the gateway-to-WAN encrypted. Unless I find a gross reduction in speeds with this method, I will be happy. If speed is greatly reduced, the second is preferred -- I'll only know after implementation so I'm just spitballing here.

Do I have all of these options available to me, and I just need to find the correct set of instructions for what I want to do?

I'm sure these concerns have been addressed before, I just want to make sure I completely understand, and have my expectations set correctly, so I'm sorry for the new topic. I am definitely willing to do my own research, but I have little time available to actually experiment.

Hello, and welcome to the forums.

The OpenVPN-related documentation on OpenWRT's wiki is somewhat difficult to follow. There are instructions for the two primary use-case scenarios. The first is about running an OpenVPN server that's facing the WAN, and allows one or more remote devices to open a VPN tunnel to the router over the public Internet. The second is about setting up an OpenVPN client on the OpenWRT router that is connected over the public Internet to a remote OpenVPN server.

For the first use case, the documentation at https://wiki.openwrt.org/doc/howto/vpn.openvpn is the most recent.

However, from your description, I think it is the second case that you're after. Since you have previous experience from VPN-tunnels and networks, I'd suggest checking out https://wiki.openwrt.org/doc/howto/vpn. … penvpn.tap and https://wiki.openwrt.org/doc/howto/vpn. … penvpn.tun articles. You can ignore the warnings on these two Wiki pages. They might be outdated, but most of the information looks quite valid even for Chaos Calmer builds.

Note that for the 'TUN' page, there are instructions on configuring the OpenVPN client using LuCI, which might not be possible anymore. If you want a TUN client, follow the TAP client article, but replace the protocol with 'udp' and the device with 'tun0'.

Note that before you begin with the OpenVPN installation or configuration, you will need to have the physical network primed and ready to go. This means LAN and WAN are properly designed and implemented, including but not limited to all in-built switches found in your routers, correct firewall rules for traffic passing etc.

When the physical network configuration is top-notch and everything is checked, setting up OpenVPN on top is quite a breeze, especially if you use the SSH prompt directly instead of LuCI. You can accomplish pretty much anything you need by editing the /etc/config/network, /etc/config/openvpn, /etc/config/firewall and /etc/config/dhcp files, and then using the scripts in /etc/init.d/ folder to restart the corresponding services.
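The reply above lists the four UCI files and the init scripts involved but shows no actual configuration. The script below is an added example, not code from the thread or from the OpenWrt wiki, of the "route all LAN traffic through one OpenVPN client on the router" setup the original poster wants: it emits the `uci` commands for /etc/config/openvpn (tun0 over UDP), /etc/config/network and /etc/config/firewall, and it includes a check that the tunnel really owns the default route once OpenVPN is up. The server name `vpn.example.net`, port 1194 and the paths under /etc/openvpn are placeholders standing in for whatever the provider ships; `ifname` is the Chaos Calmer-era option name (newer releases use `device`).

```shell
#!/bin/sh
# Added example: uci commands for an OpenWrt OpenVPN client that carries all
# LAN->WAN traffic, plus a route check. Provider host, port and file paths
# below are placeholders (assumptions), not values from the thread.

VPN_REMOTE="${VPN_REMOTE:-vpn.example.net}"    # assumption: provider hostname
VPN_PORT="${VPN_PORT:-1194}"                    # assumption: provider UDP port
VPN_CA="${VPN_CA:-/etc/openvpn/ca.crt}"         # assumption: provider CA cert
VPN_AUTH="${VPN_AUTH:-/etc/openvpn/auth.txt}"   # assumption: user/password file, mode 600

# /etc/config/openvpn: one client instance, tun0, udp (the TAP article's
# config with proto and dev swapped, as the reply suggests).
gen_openvpn_uci() {
    cat <<EOF
uci set openvpn.client=openvpn
uci set openvpn.client.enabled=1
uci set openvpn.client.client=1
uci set openvpn.client.dev=tun0
uci set openvpn.client.proto=udp
uci add_list openvpn.client.remote='$VPN_REMOTE $VPN_PORT'
uci set openvpn.client.ca=$VPN_CA
uci set openvpn.client.auth_user_pass=$VPN_AUTH
uci set openvpn.client.remote_cert_tls=server
uci set openvpn.client.nobind=1
uci set openvpn.client.persist_key=1
uci set openvpn.client.persist_tun=1
uci set openvpn.client.verb=3
uci commit openvpn
EOF
}

# /etc/config/network + /etc/config/firewall: tun0 gets its own interface and
# zone, LAN is allowed to forward into that zone, and NAT happens there.
# Nothing here adds a lan->wan forwarding, so if you also delete the stock
# lan->wan forwarding section, LAN traffic cannot leak out the WAN while the
# tunnel is down. Its index varies; list it first with
# "uci show firewall | grep forwarding", then "uci delete firewall.@forwarding[N]".
gen_firewall_uci() {
    cat <<'EOF'
uci set network.vpn=interface
uci set network.vpn.proto=none
uci set network.vpn.ifname=tun0
uci set firewall.vpn=zone
uci set firewall.vpn.name=vpn
uci set firewall.vpn.network=vpn
uci set firewall.vpn.input=REJECT
uci set firewall.vpn.output=ACCEPT
uci set firewall.vpn.forward=REJECT
uci set firewall.vpn.masq=1
uci set firewall.vpn.mtu_fix=1
uci set firewall.lan_vpn=forwarding
uci set firewall.lan_vpn.src=lan
uci set firewall.lan_vpn.dest=vpn
uci commit network
uci commit firewall
EOF
}

# Reads "ip route" output on stdin; returns 0 only if the tunnel carries the
# default route. OpenVPN servers that push "redirect-gateway def1" do not
# replace the WAN default; they add 0.0.0.0/1 and 128.0.0.0/1 via tun0, which
# are more specific and therefore win, so both forms are accepted.
tunnel_is_default_route() {
    routes=$(cat)
    if printf '%s\n' "$routes" | grep -q '^default .*dev tun0'; then
        return 0
    fi
    printf '%s\n' "$routes" | grep -q '^0\.0\.0\.0/1 .*dev tun0' &&
        printf '%s\n' "$routes" | grep -q '^128\.0\.0\.0/1 .*dev tun0'
}

case "${1:-}" in
    gen)   gen_openvpn_uci; gen_firewall_uci ;;
    check) if tunnel_is_default_route; then echo "ok: default route via tun0"
           else echo "WARNING: traffic is NOT going through tun0"; exit 1; fi ;;
esac
```

On the router, review the output of `sh vpn-setup.sh gen` and then pipe it into `sh`, followed by `/etc/init.d/network reload`, `/etc/init.d/firewall reload` and `/etc/init.d/openvpn restart`; afterwards `ip route | sh vpn-setup.sh check` confirms the default route points at the tunnel. One caveat the thread does not mention: LAN clients will still resolve names through whatever DNS the WAN handed out unless /etc/config/dhcp points dnsmasq at the provider's resolvers, so the tunnel encrypts the traffic but not necessarily the lookups.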

Thank you for the quick reply, and good information!

That is definitely where I will start. I've never understood why I would choose UDP over TCP for VPN applications. I usually just stick with TCP because I'm ignorant, and it seems a full handshake with the receiving server would be better than just sending data out there hoping it gets where I need it to be. I suppose I should read into the pros/cons before deploying this configuration though.

I'm looking forward to being able to interface with a consumer-grade router like it's a Linux box!

Enormously helpful post Antek, thank you very much!
