Recently I needed to access my company's intranet from another intranet via OpenVPN. Since I am not a fan of clicking connect on my computer every time I need to visit a resource on the other side, I decided to deploy it on my router.

If you happen to have a Gee Go router, it already has OpenVPN built in. Follow the guide and you're ready to go. Otherwise, you need to install and configure it yourself, just like I did.

The first thing you need to do is root your router. You can either root it via the official developer mode (at the cost of losing your warranty) or install a custom plugin by registering as a developer.

  • Now that your router is rooted, SSH into it and edit /etc/opkg.conf. Add

    arch all 100
    arch ramips 200
    arch ramips_24kec 300

    at the end of the file and run opkg update. It does not matter whether it reports failures; you just need it to run to completion.

  • Download the OpenVPN ipk from https://archive.openwrt.org/barrier_breaker/14.07/ramips/mt7620a/packages/base/
    Try openvpn-openssl first, then openvpn-polarssl, since the openssl version has better compatibility and performance.
  • Install it with opkg install xxxxx.ipk. It will download and install dependencies automatically.
  • Upload your OpenVPN config anywhere you like. It's "/root/vpn/demo.ovpn" in my case.
  • Try to connect with openvpn --cd /ovpn/path --config /config/full/path. Correct any problems that show up. If your key file needs a password, you can decrypt it with openssl as follows:

    $ openssl rsa -in neo.key -out nopassword.key
    Enter pass phrase for neo.key:
    writing RSA key
  • Now you can connect to your company intranet from the router shell, but not from any device connected to the router. You need iptables rules to route traffic through the router.
    Try the following rules, check that they work, and tweak them as you need.

    #!/bin/sh
    iptables -I FORWARD -o tun0 -j ACCEPT
    iptables -t nat -I POSTROUTING -s local.CIDR/24 -d remote.CIDR/24 -o tun0 -j MASQUERADE

    If you have multiple IP ranges to visit, append a new iptables command for each of them to the script.
    Once the script works, save it as up.sh.

  • Write a script that removes all the rules above and save it as down.sh. In my case, it is:

    #!/bin/sh
    # -D must match the inserted rules exactly, so the same source/destination ranges as in up.sh are used
    iptables -D FORWARD -o tun0 -j ACCEPT
    iptables -t nat -D POSTROUTING -s local.CIDR/24 -d remote.CIDR/24 -o tun0 -j MASQUERADE
  • Append these lines to your ovpn file (once scripts are used, openvpn has to run as root):

    script-security 2
    up ./up.sh
    down ./down.sh
  • Edit the OpenVPN config located at /etc/config/openvpn. Remove all its content and write:

    package openvpn

    config openvpn custom_config
      option enabled 1
      option config /path/to/your/ovpn/config
  • Run the openvpn command again for a final test. Check that the iptables rules exist and everything is working.
  • Run /etc/init.d/openvpn start to check that the daemon works.
  • Run /etc/init.d/openvpn enable so it starts automatically on boot.
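The up.sh/down.sh pair above hard-codes tun0 and needs one extra line in each script for every additional range. As an added example (my own, not code from the original post), here is a single script that does both jobs: OpenVPN runs up/down hooks with the tun device name as $1 and exports script_type=up|down, so the rules follow whatever device was actually created, and the list of remote ranges lives in one variable. The addresses are constructed placeholders; the `iptables -C` check assumes an iptables new enough to support it (the 14.07 packages are).

```shell
#!/bin/sh
# vpn-rules.sh: one script that serves as both the OpenVPN "up" and "down"
# hook. Added example, not from the original post.
#
# OpenVPN invokes up/down hooks with the tun device name as $1 and exports
# script_type=up|down, so one script can replace up.sh/down.sh and follow
# whatever device OpenVPN actually created instead of hard-coding tun0.
#
# The ranges below are constructed placeholders; replace them with your own.
LAN_NET="${LAN_NET:-192.168.1.0/24}"                     # LAN behind the router
REMOTE_NETS="${REMOTE_NETS:-10.10.0.0/16 10.20.0.0/24}"  # intranet ranges reached over the VPN

# Print one rule per line as "<table> <chain> <match and target arguments>"
# for device $1. Each remote range gets its own MASQUERADE rule.
rules_for() {
    printf 'filter FORWARD -o %s -j ACCEPT\n' "$1"
    for net in $REMOTE_NETS; do
        printf 'nat POSTROUTING -s %s -d %s -o %s -j MASQUERADE\n' "$LAN_NET" "$net" "$1"
    done
}

# Print the iptables command lines for mode $1 (up inserts, down deletes)
# and device $2 without running them, so they can be reviewed or tested.
commands_for() {
    case "$1" in
        up)   flag=-I ;;
        down) flag=-D ;;
        *)    echo "usage: $0 up|down [device]" >&2; return 1 ;;
    esac
    rules_for "$2" | while read -r table chain args; do
        echo "iptables -t $table $flag $chain $args"
    done
}

# Run the rules for real. On "up", skip rules that already exist
# (iptables -C) so an OpenVPN restart does not stack duplicate rules.
apply_rules() {
    rules_for "$2" | while read -r table chain args; do
        case "$1" in
            up)   iptables -t "$table" -C "$chain" $args 2>/dev/null \
                      || iptables -t "$table" -I "$chain" $args ;;
            down) iptables -t "$table" -D "$chain" $args ;;
        esac
    done
}

if [ -n "$script_type" ]; then
    MODE="$script_type"; DEV="$1"       # invoked by OpenVPN
else
    MODE="$1"; DEV="${2:-tun0}"         # invoked by hand: ./vpn-rules.sh up tun0
fi

if [ -n "$MODE" ]; then
    commands_for "$MODE" "$DEV" >/dev/null || exit 1   # validate the mode before touching iptables
    apply_rules "$MODE" "$DEV"
fi
```

Point both hooks in the ovpn file at the same script (`up ./vpn-rules.sh` and `down ./vpn-rules.sh`, with `--cd` pointing at its directory), and run `./vpn-rules.sh up tun0` / `./vpn-rules.sh down tun0` by hand first to check the rules with `iptables -L` and `iptables -t nat -L`. Because `script-security 2` lets OpenVPN execute this file as root, keep it owned by root and not writable by anyone else.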

Enjoy.