Setting up an OpenVPN client for your OpenWrt router
Background
Indonesian ISPs have been criticized for DNS hijacking and eavesdropping. In 2019, Kominfo (Indonesian Ministry of Communication and Information Technology) was found to be redirecting DNS queries for certain websites to its own servers, which allowed it to collect data on users’ browsing activity. Kominfo claimed that this was done to block access to illegal websites, but critics argued that it was a violation of users’ privacy.
In 2022, it was revealed that several Indonesian ISPs were eavesdropping on their customers’ internet traffic. This was done by installing a device on customers’ routers that allowed the ISPs to collect data on websites visited, emails sent and received, and other online activity. The ISPs claimed that this was done to improve their customers’ internet experience, but critics argued that it was a serious privacy violation.
These incidents have raised concerns about the government’s and ISPs’ ability to track and monitor internet users in Indonesia. In response to the criticism, Kominfo has said that it will no longer redirect DNS queries and that it will only collect data on users’ browsing activity if they have given their consent. However, it is unclear whether these promises will be kept.
In addition, there have also been reports of DNS hijacking and eavesdropping by other actors in Indonesia, such as law enforcement agencies and private companies. This has led to calls for stronger privacy protections in the country.
Also, in 2022, the Ministry of Communication and Information Technology (Kominfo) proposed a Presidential Regulation on Quality Journalism (Perpres Jurnalisme Berkualitas). The Perpres would require Google, or even Meta, to pay news publishers a licensing fee for displaying their content in Google News. Google is concerned that the Perpres would make it too expensive and difficult for it to provide free and open access to news in Indonesia. The company is willing to work with the government to find a solution that is fair to both parties, but it has warned that it will leave Indonesia if the Perpres is not changed. The possibility of Google leaving Indonesia is relatively low, but it is not impossible. Google has a large presence in Indonesia, and it would be a major loss for the country if Google were to leave. Using a VPN in another region can help you access Google services if Google leaves Indonesia.
Moving to a different region can give you access to uncensored, transparent, more reputable news sources and better news content. In this case, that is done by using a VPN all the time, directly from your router.
Infrastructure and Testing
I recently set up a VPN server on DigitalOcean, located in Singapore. I have a Mi Router 4A 100M (Chinese version) with the custom firmware OpenWrt installed. My LAN network gateway IP is 192.168.5.1, and my WAN network gateway IP is 192.168.1.1, which is my Indonesian ISP’s built-in router and modem. I have configured my Mi Router 4A as an OpenVPN client, so all devices in my LAN network, within 192.168.5.1/24, are tunneled to my DigitalOcean OpenVPN server via my ISP modem 192.168.1.1/24.
This means that all devices in my LAN network appear on the internet with a Singapore public IP address, and I don’t need to set up VPN software on each device. My connections are also encrypted between the router and my DigitalOcean OpenVPN server.
OpenWRT and OpenVPN
OpenVPN is a VPN protocol that encrypts all of the internet traffic sent through its tunnel, including DNS queries. This prevents your ISP, government entities, or any other third party between you and the VPN server from seeing what websites you visit or what data you send and receive.
OpenWRT is a custom firmware for routers that provides a number of security features, including the ability to use OpenVPN. By installing OpenVPN on your router and configuring it to use a reputable VPN provider, or even a self-deployed OpenVPN server, you can effectively prevent DNS hijacking and eavesdropping.
Here are some of the powerful features of OpenWRT:
- DNS over HTTPS (DoH): DoH is a privacy-preserving method of resolving domain names. It encrypts DNS queries and responses, preventing your ISP or other third parties from seeing what websites you are visiting. OpenWRT supports DoH, so you can configure your router to use it.
- DNSCrypt: DNSCrypt is another privacy-preserving method of resolving domain names. It encrypts DNS queries and responses using a public key infrastructure, making it more secure than DoH. OpenWRT also supports DNSCrypt.
- OpenVPN client modules support: OpenWRT supports OpenVPN client modules, which allow you to connect your router to a VPN server. This can be useful for protecting your privacy and security, or for bypassing censorship.
- WireGuard support: WireGuard is a newer VPN protocol that is more efficient and secure than OpenVPN. OpenWRT supports WireGuard, so you can use it to protect your privacy and security.
- Ad blocking: OpenWRT supports ad blocking, which can help to improve your internet browsing experience and protect your privacy.
- Security features: OpenWRT includes a number of security features, such as firewall, intrusion detection system, and denial-of-service protection. These features can help to protect your router and your network from attack.
- Customization: OpenWRT is highly customizable, so you can tailor it to your specific needs. You can choose from a variety of firmware images, add additional features, and change the look and feel of your router.
An OpenVPN client in an OpenWRT router is a software application that allows the router to connect to an OpenVPN server. This allows all of the devices connected to the router to be protected by the VPN, even if they do not have OpenVPN software installed themselves.
Result
I have successfully tested the OpenVPN client on the Mi Router 4A 100M (Chinese version) with OpenWrt installed. My OpenVPN server is a DigitalOcean VM running in Singapore, which is the closest point of presence to Indonesia. One of my Samsung Smart TVs is connected via Singapore, and no device in my home needs VPN software anymore, since VPN tunneling is done by my OpenWrt router.
Therefore, my ISP cannot see the contents of my traffic. This is important because it protects my privacy and security. In addition, by using a VPN, I am immune from DNS hijacking or poisoning. This is a type of attack where an attacker redirects your DNS queries to a malicious server. This can be used to steal your personal information or redirect you to fake websites. By using a VPN, my traffic is routed through the VPN server, which prevents attackers or my ISP from hijacking my DNS queries.
Also, my online gaming experience (tested on Rainbow Six Siege and GTA Online) has been getting better since I started using the OpenVPN OpenWrt client; I assume that my ISP also throttles online gaming connections.
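The privacy and DNS claims above depend on two conditions on the router: every route must point into the tunnel, and no upstream resolver may sit on the ISP-facing 192.168.1.x network. The following is an added example, not part of the original setup, that checks both on constructed sample data; the interface names `tun0` and `eth0.2`, the 10.8.0.0/24 tunnel subnet, and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. All sample data is constructed;
# tun0, eth0.2 and the 10.8.0.0/24 tunnel subnet are assumptions.

# Succeeds when every destination is routed into a tun device: either the
# default route itself, or the 0.0.0.0/1 + 128.0.0.0/1 pair that OpenVPN's
# "redirect-gateway def1" adds on top of the existing default route.
tunnel_covers_all() {
    awk '
        { dev = ""; for (i = 1; i < NF; i++) if ($i == "dev") dev = $(i + 1) }
        dev ~ /^tun/ && $1 == "default"     { full = 1 }
        dev ~ /^tun/ && $1 == "0.0.0.0/1"   { low = 1 }
        dev ~ /^tun/ && $1 == "128.0.0.0/1" { high = 1 }
        END { exit !(full || (low && high)) }
    '
}

# Prints each upstream resolver on the ISP-facing subnet. Those are reached
# over the more specific directly connected WAN route, so queries to them
# leave the router outside the tunnel.
leaky_resolvers() {   # $1 = WAN prefix with trailing dot, e.g. "192.168.1."
    awk -v p="$1" '$1 == "nameserver" && index($2, p) == 1 { print $2 }'
}

# Runs both checks. $1 = "ip route" text, $2 = resolv.conf text, $3 = WAN prefix
audit() {
    status=0
    printf '%s\n' "$1" | tunnel_covers_all ||
        { echo "FAIL: not all traffic is routed via tun"; status=1; }
    leaks=$(printf '%s\n' "$2" | leaky_resolvers "$3")
    [ -z "$leaks" ] || { echo "FAIL: resolver outside tunnel: $leaks"; status=1; }
    return "$status"
}

SAMPLE_ROUTES='0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev eth0.2 proto static
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev eth0.2 proto kernel scope link src 192.168.1.10
192.168.5.0/24 dev br-lan proto kernel scope link src 192.168.5.1
203.0.113.10 via 192.168.1.1 dev eth0.2'
SAMPLE_RESOLV='nameserver 192.168.1.1
nameserver 1.1.1.1'

# Routes pass, but the ISP modem is still listed as a resolver, so this fails.
audit "$SAMPLE_ROUTES" "$SAMPLE_RESOLV" "192.168.1." || true
```

On the router, pass the live output of `ip route` and the contents of the upstream resolver file that dnsmasq reads in place of the sample strings; the location of that file depends on the OpenWrt release.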
Additionally, for https://www.meter.net/ping-test/ testing:
The ping results from meter.net (over the WebSocket protocol) show that the VPN had a positive impact on the network connection. The average ping time decreased from 42 ms to 27 ms, and the jitter decreased from 7 ms to 1.5 ms. This means that the VPN connection is more stable and has less latency than the direct connection.
If you want to use DNS over HTTPS (DoH) instead of a VPN in your OpenWrt router, you can check for OpenWrt DoH setup here.
Reference
- OpenVPN installation script for my VPN server
- OpenWRT installation for Xiaomi Mi Router 4A 100M (Chinese version)
- OpenVPN OpenWRT client