In this post we will detail how to configure an E205 router as an OpenVPN client and connect to the Internet through the VPN tunnel. It is assumed that an OpenVPN server is already installed and that the corresponding certificates for connecting the clients to the VPN are available. If you do not have an OpenVPN server, it is recommended to follow this tutorial: How to set up an OpenVPN server on Ubuntu.
To configure the E205 as an OpenVPN client it is necessary to access the web interface of the router and follow these steps:
1.- From Services > OpenVPN, click on Edit to configure the interface:
2.- Switch to advanced configuration:
3.- Open the VPN tab:
4.- Enable the pull setting and enter the public IP address of your OpenVPN server:
5.- Open the Cryptography tab:
6.- Click on Additional field and add the fields ca, cert and key. For each one of these parameters, you will need to upload the corresponding file generated by the OpenVPN server. Confirm the settings by clicking on Save & Apply:
7.- Again from Services > OpenVPN, check Enabled and click on Start. Click on Save & Apply to start the OpenVPN client daemon on the E205 router:
8.- Once the service is started, the PID assigned to the OpenVPN interface will be displayed:
9.- From Network > Interfaces we can check the IP address assigned to the router by the OpenVPN server:
10.- From the Ubuntu server, we can run the command cat /etc/openvpn/openvpn-status.log and check the list of clients connected to the VPN:
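The status file from step 10 can also be checked programmatically. The following is an added example, not part of the original post: it parses OpenVPN's default (version 1) status layout, pairs each connected client with the tunnel address the server routed to it, and lists any common name that has more than one live session. The client names and addresses in the sample are constructed.

```python
import csv
from collections import Counter

# Constructed sample in OpenVPN's default (version 1) status-file layout.
SAMPLE = """\
OpenVPN CLIENT LIST
Updated,Mon Jan  6 10:15:02 2020
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
e205-site-a,203.0.113.10:40112,18234,20411,Mon Jan  6 09:58:41 2020
e205-site-b,198.51.100.7:51820,9120,10233,Mon Jan  6 10:01:13 2020
e205-site-a,198.51.100.99:33444,512,640,Mon Jan  6 10:14:55 2020
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,e205-site-a,203.0.113.10:40112,Mon Jan  6 10:14:59 2020
10.8.0.10,e205-site-b,198.51.100.7:51820,Mon Jan  6 10:15:00 2020
GLOBAL STATS
Max bcast/mcast queue length,0
END
"""

def parse_status(text):
    """Return one dict per connected client, joined with its tunnel address."""
    clients, routes, section = [], {}, None
    for row in csv.reader(text.splitlines()):
        if not row:
            continue
        if row[0] in ("OpenVPN CLIENT LIST", "ROUTING TABLE", "GLOBAL STATS"):
            section = row[0]
        elif row[0] in ("Common Name", "Virtual Address", "Updated", "END"):
            continue  # column headers and bookkeeping lines
        elif section == "OpenVPN CLIENT LIST" and len(row) == 5:
            clients.append({"cn": row[0], "real": row[1], "since": row[4]})
        elif section == "ROUTING TABLE" and len(row) == 4:
            routes[(row[1], row[2])] = row[0]  # (cn, real address) -> VPN IP
    for c in clients:
        c["vpn_ip"] = routes.get((c["cn"], c["real"]))  # None: no route yet
    return clients

def shared_certificates(clients):
    """Common names in use by more than one live session."""
    counts = Counter(c["cn"] for c in clients)
    return sorted(cn for cn, n in counts.items() if n > 1)

if __name__ == "__main__":
    sessions = parse_status(SAMPLE)
    for c in sessions:
        print(f'{c["cn"]:<14}{c["vpn_ip"] or "-":<12}{c["real"]}')
    print("shared certificates:", shared_certificates(sessions))
```

To run it against the live server, pass the contents of /etc/openvpn/openvpn-status.log to parse_status instead of SAMPLE.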
Check connectivity through the VPN tunnel
As shown on the above screenshot, the actual public IP address of the router is in the range 31.4.x.x (it is the IP address assigned by the mobile network to the SIM card). Nevertheless, if we use a computer connected to the router and check our IP address on Google, we will see the IP address of the OpenVPN server and not the mobile network one:
Access the router web interface via the VPN tunnel
In most cases, when a router is installed in the field it will not be accessible remotely because the mobile operator does not allow incoming connections to the public IP address assigned to the SIM card. This implies that any incident or configuration change would require a visit to the installation in order to access the device locally. This is precisely what the OpenVPN connection offers: local communication through the router’s own 3G interface.
This functionality can be enabled from Network > Firewall > Traffic rules. For the rule AllowWanPing, check Accept Input and then click Save & Apply at the bottom of the page. Once this rule has been activated, it will be possible to ping the router from the OpenVPN server to check whether it is up or not:
To enable access to the web interface of the router from the OpenVPN server, a second rule must be enabled from Network > Firewall > Traffic rules. For the rule AcceptWebAccessWanP, check Accept input and click Save & Apply at the bottom of the page.
After doing this configuration, it will be possible to access the web interface of the router through the VPN tunnel. This will allow us to control the unit remotely regardless of where it is installed and no matter what kind of IP address is assigned by the mobile operator:
Remote access via SSH
It is also possible to get SSH access to the router through the VPN tunnel. This will allow us to execute commands directly from the OpenWRT command line. This access is deactivated by default as a security measure. To activate it, go to Network > Firewall > Traffic rules and enable the rule AcceptSSHWAN (check Accept input and then click Save & Apply):
From the Ubuntu server, just type ssh firstname.lastname@example.org (this is the IP address that the OpenVPN server assigned to the router) in order to get SSH access:
Remote access to LAN equipment
In addition to greatly facilitating the management and maintenance tasks of the router, the VPN tunnel also allows access to other devices that are connected to the E205 router via Ethernet or Wi-Fi. For example, the following screenshots show how to access the web server of a PC that is connected to the E205 by LAN (local IP 192.168.1.104).
In this case, from Network > Firewall > Port forwarding it is necessary to redirect an external port (in this case 3000) to the local IP of the PC to be controlled remotely (192.168.1.104):
Once the port redirection is enabled, the PC connected to the E205 router can be accessed from the OpenVPN server through the VPN tunnel:
It is a fairly simple example that just shows a “Hello World!” message to verify that the connection with the PC connected to the LAN interface of the E205 has been established. Following the same principle, control panels or dashboards of PLCs, microcontrollers, Raspberry Pi devices and the like, or any peripheral that communicates with the E205 router via LAN or Wi-Fi, can be accessed remotely.