Afterwards create the file userpass.txt in the /etc/openvpn/ directory using WinSCP (of course alternatively the ssh terminal may be used). Enter your Perfect Privacy username in the first row and your Perfect Privacy password in the second row.
In the same directory create the file up.sh with the following lines as content
env | sed -n -e "
" | sort -u > /tmp/resolv.conf.vpn
uci set dhcp.@dnsmasq.resolvfile="/tmp/resolv.conf.vpn"
and the file down.sh with the following content
uci set dhcp.@dnsmasq.resolvfile="/tmp/resolv.conf.auto"
Open the properties of the files userpass.txt, up.sh and down.sh to set the permissions to 755.
Using WinSCP open the file openvpn in the /etc/config/ directory. Delete the contents of the file and instead enter the following rows:
Save the file. In /var/log/openvpn.log you later may view the log, in case any issues with the OpenVPN connections should occur.
config openvpn 'PP_Basel1_Stunnel'
option config '/etc/openvpn/Basel1.ovpn'
Replace the SERVER_IP with the stunnel-specific IP address of the respective server. You can look it up in the overview of stunnel ports and IPs.
For the STUNNEL_PORT you can choose between the following ports: 22, 53, 443, 8085, 9009, 36315. To circumvent blocking, ports 53 and 443 are particularly recommended. The schema is:
To use the VPN server in Basel, use WinSCP (or the terminal) to open the file stunnel.conf in the /etc/stunnel/ directory and on the bottom add the data for Basel1 as shown in this example. Then save the file:
Should you later decide to disable OpenVPN, then do not forget to also disable Stunnel. To do so open the file stunnel in the /etc/config/ directory and change the line:
option alt_config_file '/etc/stunnel/stunnel.conf'
#option alt_config_file '/etc/stunnel/stunnel.conf'
Log in on your OpenWRT router using a web browser (192.168.1.1). Change to the Network=>Interfaces=>WAN=>Edit=>Advanced Settings tab and deactivate Use DNS servers advertised by peer. At Use custom DNS servers enter at least two publicly usable IPv4 DNS servers (e.g. 188.8.131.52 and 184.108.40.206) and click on the Save button.
Do the same in the WAN6 tab and enter at least two IPv6 DNS servers. Then click the Save & Apply button. You can either use the DNS servers from Google (IPv4: 220.127.116.11 and 18.104.22.168 IPv6: 2001:4860:4860::8888 and 2001:4860:4860::8844) or use some of the OpenNIC project.
Note: If you want, you can also use Perfect Privacy DNS servers (you can find the IPs on the DNS server page in the customer area). These DNS servers will only resolve *.perfect-privacy.com domains when VPN is not connected which means that Internet access will not work without the VPN being connected. However, there will be no IP leak when using public name servers instead, since all DNS requests will be sent anonymized over the VPN tunnel while a VPN connection is established.
Afterwards navigate to Network=>Firewall and to the right of
Underneath Inter-Zone Forwarding select the following:
Use the Save button to accept the settings.
Attention: This step activates the firewall protection ("kill switch"), which ensures in case off an interruption of the internet service no data can bypass the VPN tunnel. If you want to access the internet via your router without VPN too, you have to skip this step.
Navigate to Network=>Firewall and underneath Zones open lan using the Edit button.
Scroll down to Inter-Zone Forwarding and next to Allow forward to destination zones activate only PP_Firewall. Then click on the button Save & Apply.
If you want to disable the firewall protection ("kill switch") again, next to Allow forward to destination zones: PP-Firewall additionally activate WAN and WAN6.
You can verify that the VPN connection is working correctly by visiting our Check-IP website from any device connected to the router.