Setting a Router as an OpenVPN Client with Obfuscation

TL;DR: Need a router firmware compatible with Asus RT-3200 that can run an OpenVPN client AND obfuscating software like Obfsproxy so that my other devices don’t have to.

Hey all! I figured this would be the best place to ask this. I’ve been using my Asus RT-AC3200 router as an OpenVPN server just as a deterrent for when I need to access public hotspots, but recently started looking into getting an off-site setup for more privacy-centric reasons.

At the moment my plan is to set up an OpenVPN AS on an AWS EC2 instance, which I’ve used before comfortably for other projects. My question is more on the client side: for my own sanity I would much rather use my router as the client for this server and have all my other devices connected to it, as I’d also be trying to connect other devices I don’t have immediate access to (e.g. fiancee’s phone and laptop). It also occurred to me that I would have to use something like Obfsproxy to help get around the whole blocking VPN issue with sites like Netflix, which would also be a problem to maintain on devices not strictly mine to access.

I’ve been trawling the internet all day to see if any router firmware like Asuswrt-merlin (currently running) or OpenWRT supports obfuscating software so it doesn’t have to be run by my computers or phones (I don’t even know if it CAN run on phones), and have run into nothing except dead forum posts from people asking similar questions 2-3 years ago with zero responses. I can’t imagine that no one here has at least thought of it though. I would appreciate any pointers in the right direction! It doesn’t necessarily have to be compatible with my current router but it would be much easier for me if it was. Buying additional hardware like a Raspberry Pi is also not out of the question for me.

I am also very interested in this

https://www.ubnt.com/edgemax/edgerouter-lite/

90% sure this can do what you’re asking for with stock firmware. I’ve only ever used them as OpenVPN servers but I don’t see any reason why you can’t just configure it as a client and set routing tables appropriately.

Side note: It comes with a web GUI but you have to configure OpenVPN in the CLI. You should also be able to do this with any other device running VyOS (open source, can run on standard x86 machines as well as some hardware routers).

EDIT: Can confirm it does 100% work. Just got it to connect to my OpenVPN server and set as the default route for my LAN. This is my interface config:

show interfaces openvpn vtun0
    encryption aes256
    mode client
    openvpn-option "--resolv-retry infinite"
    openvpn-option --nobind
    openvpn-option "--remote-cert-tls server"
    openvpn-option "--tls-auth /config/auth/ta.key 1"
    openvpn-option "--verb 3"
    protocol udp
    remote-host xx.xx.xx.xx
    remote-port xxxx
    tls {
        ca-cert-file /config/auth/ca.crt
        cert-file /config/auth/cert.crt
        key-file /config/auth/key.key
    }

I also got hung up on a firewall rule. You need to be sure to allow related and established connections. Apply this to your eth1/local or whatever your WAN port is:

default-action drop
description ""
rule 1 {
    action accept
    description "Allow Established and Related"
    log disable
    protocol all
    state {
        established enable
        invalid disable
        new disable
        related enable
    }
}

Finally, you need to set your default NAT masquerade rule from your wan port to vtun0:

This rule is set by default, so you probably already have it if you’re doing any kind of LAN → WAN NAT. Mine was set to rule 5000 so just:

set service nat rule 5000 outbound-interface vtun0
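As an added example (not code from the thread, EdgeOS or VyOS), here is a small Python linter that parses the brace-nested config layout shown above and checks the settings this post relies on: `--remote-cert-tls server`, a `--tls-auth` key (or `--tls-crypt`, which comes up later in the thread), and a default-drop WAN ruleset with an accept rule for established/related traffic. The config text and the ruleset name WAN_IN are constructed for the example.

```python
# Added example, not from the thread: SAMPLE and the ruleset name WAN_IN are constructed.
SAMPLE = """\
interfaces {
    openvpn vtun0 {
        openvpn-option "--remote-cert-tls server"
        openvpn-option "--tls-auth /config/auth/ta.key 1"
    }
}
firewall {
    name WAN_IN {
        default-action drop
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
    }
}
"""

def parse(text):
    stack, cur = [], {}  # cur is back at the root once every "{" has been closed
    for line in map(str.strip, text.splitlines()):
        if line == "}":                           # close the current block
            cur = stack.pop()
        elif line.endswith("{"):                  # open a child block, e.g. "rule 1 {"
            cur.setdefault(line[:-1].strip(), []).append((child := {}))
            stack.append(cur)
            cur = child
        elif line:                                # leaf "key value"; repeated keys become lists
            key, _, val = line.partition(" ")
            cur.setdefault(key, []).append(val.strip().strip('"'))
    return cur

def lint(text, iface="openvpn vtun0"):
    cfg, out = parse(text), []
    opts = cfg.get("interfaces", [{}])[0].get(iface, [{}])[0].get("openvpn-option", [])
    if "--remote-cert-tls server" not in opts:    # without it, any CA-issued cert could pose as the server
        out.append(f"{iface}: missing --remote-cert-tls server")
    if not any(o.startswith(("--tls-auth ", "--tls-crypt ")) for o in opts):
        out.append(f"{iface}: no --tls-auth/--tls-crypt, control channel is unauthenticated")
    rulesets = {k: v[0] for k, v in cfg.get("firewall", [{}])[0].items() if k.startswith("name ")}
    for name, rs in rulesets.items():             # one pass per firewall ruleset
        ok = [s for k, r in rs.items() if k.startswith("rule ") and r[0].get("action") == ["accept"]
              for s in r[0].get("state", []) if s.get("established") == s.get("related") == ["enable"]]
        if rs.get("default-action") != ["drop"] or not ok:
            out.append(f"{name}: needs default-action drop plus an accept rule for established/related")
    return out
```

Paste the output of `show interfaces openvpn vtun0` and `show firewall` (wrapped in their `interfaces { }` / `firewall { }` blocks) in place of SAMPLE to lint a real device.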

BlackHoleCloud does this so it is possible. They use OpenWRT on the device and it connects to three dedicated servers they set up for me. I can’t log onto the hardware to see what they did in the code since they remove the SSH server from the box after they provision it. It is not noticeably slower than running straight OpenVPN.

If your router runs the OpenVPN 2.4 fork, you can run tls-crypt in OpenVPN natively and have obfuscation.

The latest versions of DD-WRT and pfSense have no issue with this. I’m not sure about Merlin / AsusWRT.

Thank you everyone for all the responses, in particular to u/Youknowimtheman for pointing me toward tls-crypt. Set it up yesterday and it works perfectly, no IP or DNS leaks. The only issue is that it seems to be cutting down my connection speeds to 1/5th of what they normally are; not sure if that’s due to the connection itself or the capabilities of the chosen server, but that’s a different issue I can play around with later.

Also for those wondering, my testing hasn’t been extensive but I have yet to be blocked by any service for using this OpenVPN setup.

Sweet, I’ll look into this. Thank you!

Cool, glad to know that it’s at least possible! Looked them up and it seems interesting. I’d presume there must be some way to do this on one’s own though.

If there’s a native way to do this I’ll definitely try this first. IIRC the latest Merlin supports 2.4 so I’ll update that and see if it works; if not, I’ll try some other things folks suggested. Thank you!

What kind of speeds are we talking about? 1000 => 200 is pretty normal, but 10 => 2 is not.

Thanks for the heads up; I only care about obfuscation exclusively against my ISP, but looking into it Netflix seems to have gotten MUCH more aggressive in the past year with carpet-banning IPs including AWS ones, so this project just got harder. I’m gonna continue simply for the sake of knowing it’s possible but not sure my GF is gonna be as willing to sacrifice Netflix as me :P

Add a NAT rule to have Netflix traffic go out your normal WAN interface.

What is the make/model of your router? It sounds like you are CPU limited.

It’s an Asus RT-AC3200. That wouldn’t be surprising.

It is common for routers to not be able to keep up with heavy encryption because consumer level routers cheap out on processing power.

RT-AC3200 CPU1: Broadcom BCM4709A0 running at 1GHz.

Which is about the speed of an iPhone 4 (2010) as far as OpenVPN is concerned.

That is almost certainly the cause of your speed drop. You can drop the cipher to 128-bit which will help some.

Cool, thanks again! If that isn’t sufficient, I’ve always wanted to look into building a custom box :P

An x86 processor and pfSense is good to 190+ in ideal conditions (very close to the server, no network congestion on the VPN’s end, etc.).

Sweet. Thank you again!