Столкнулся с проблемой настройки OpenVPN на роутере Nexx 3020. В качестве провайдера VPN выступает PIA (кто использует поймет о чем речь). Перелопатил кучу мануалов. Большая часть устаревшие. Надеюсь текст ниже поможет заблудшей душе Ставим openvpn Code: opkg update opkg install openvpn Скачиваем конфигурационные файлы OpenVPN Распаковываем их в директорию /etc/openvpn Создаем в папке /etc/openvpn файл pia.auth и записываем туда логин и пароль вида Code: p7777777 abcdqwerty В /etc/config/ кладем файл openvpn с таким содержимым Code: config openvpn 'PIA always-up-vpn-with-pia package openvpn config openvpn pia option enabled 1 option client 1 option dev tun1337 option proto udp option resolve_retry infinite option nobind 1 option persist_key 1 option persist_tun 1 option ca /etc/openvpn/ca.rsa.2048.crt option crl_verify /etc/openvpn/crl.rsa.2048.pem option tls_client 1 option comp_lzo yes option auth_user_pass /etc/openvpn/pia.auth option auth 'SHA1' option cipher 'AES-128-CBC' option verb 3 # Указываем нужные сервера. list remote "us-seattle.privateinternetaccess.com 1198" list remote "hk.privateinternetaccess.com 1198" list remote "uk-london.privateinternetaccess.com 1198" list remote "ro.privateinternetaccess.com 1198" list remote "nl.privateinternetaccess.com 1198" list remote "us-texas.privateinternetaccess.com 1198" list remote "in.privateinternetaccess.com 1198" list remote "nz.privateinternetaccess.com 1198" list remote "us-east.privateinternetaccess.com 1198" list remote "ireland.privateinternetaccess.com 1198" list remote "sweden.privateinternetaccess.com 1198" list remote "japan.privateinternetaccess.com 1198" list remote "ca.privateinternetaccess.com 1198" list remote "denmark.privateinternetaccess.com 1198" list remote "brazil.privateinternetaccess.com 1198" list remote "germany.privateinternetaccess.com 1198" list remote "aus.privateinternetaccess.com 1198" list remote "us-california.privateinternetaccess.com 1198" list remote "mexico.privateinternetaccess.com 1198" list remote "us-siliconvalley.privateinternetaccess.com 1198" list remote "us-midwest.privateinternetaccess.com 1198" list remote "us-florida.privateinternetaccess.com 1198" list remote "ca-toronto.privateinternetaccess.com 1198" list remote "fi.privateinternetaccess.com 1198" list remote "uk-southampton.privateinternetaccess.com 1198" list remote "france.privateinternetaccess.com 1198" list remote "israel.privateinternetaccess.com 1198" list remote "us-newyorkcity.privateinternetaccess.com 1198" list remote "us-west.privateinternetaccess.com 1198" list remote "no.privateinternetaccess.com 1198" list remote "italy.privateinternetaccess.com 1198" list remote "turkey.privateinternetaccess.com 1198" list remote "us-chicago.privateinternetaccess.com 1198" list remote "sg.privateinternetaccess.com 1198" list remote "swiss.privateinternetaccess.com 1198" list remote "aus-melbourne.privateinternetaccess.com 1198" Создаем интерфейс Code: cat >> /etc/config/network << EOF config interface 'PIA' option ifname 'tun1337' option proto 'none' EOF Настраиваем файрвол Code: cat >> /etc/config/firewall << EOF config defaults option syn_flood '1' option input 'ACCEPT' option output 'ACCEPT' option forward 'REJECT' config zone option name 'lan' option network 'lan' option input 'ACCEPT' option output 'ACCEPT' option forward 'REJECT' config zone option name 'wan' option output 'ACCEPT' option forward 'REJECT' option network 'wan' option input 'ACCEPT' config zone option name 'ipr' option input 'REJECT' option output 'ACCEPT' option forward 'REJECT' option masq '1' option mtu_fix '1' option network 'IPredator' config rule option name 'Allow-DHCP-Renew' option src 'wan' option proto 'udp' option dest_port '68' option target 'ACCEPT' option family 'ipv4' config rule option name 'Allow-Ping' option src 'wan' option proto 'icmp' option icmp_type 'echo-request' option family 'ipv4' option target 'ACCEPT' config rule option name 'Allow-DHCPv6' option src 'wan' option proto 'udp' option src_ip 'fe80::/10' option src_port '547' option dest_ip 'fe80::/10' option dest_port '546' option family 'ipv6' option target 'ACCEPT' config rule option name 'Allow-ICMPv6-Input' option src 'wan' option proto 'icmp' list icmp_type 'echo-request' list icmp_type 'echo-reply' list icmp_type 'destination-unreachable' list icmp_type 'packet-too-big' list icmp_type 'time-exceeded' list icmp_type 'bad-header' list icmp_type 'unknown-header-type' list icmp_type 'router-solicitation' list icmp_type 'neighbour-solicitation' list icmp_type 'router-advertisement' list icmp_type 'neighbour-advertisement' option limit '1000/sec' option family 'ipv6' option target 'ACCEPT' config rule option name 'Allow-ICMPv6-Forward' option src 'wan' option dest '*' option proto 'icmp' list icmp_type 'echo-request' list icmp_type 'echo-reply' list icmp_type 'destination-unreachable' list icmp_type 'packet-too-big' list icmp_type 'time-exceeded' list icmp_type 'bad-header' list icmp_type 'unknown-header-type' option limit '1000/sec' option family 'ipv6' option target 'ACCEPT' config include option path '/etc/firewall.user' config forwarding option dest 'ipr' option src 'lan' EOF Перезагружаем роутер
