Let’s do this!
I’m finally taking the time to show you how to use your own VPN Location as well as how to add, change and remove VPN Locations on your InvizBox Go (Go). This should help you if you have VPN setup requirements that are not available by default in our firmware to match your everyday use.
In this exercise, I’ll explain a bunch of things so you get a feel for it:
- Remove all the VPN Locations from Brazil
- Rename Brussels to Bruxelles in the Belgian VPN Locations
- Add my own VPN Location with my work VPN
For each step, I’ll propose 3 ways which are identical in results; you only need to use the one that suits you most. I’ll show manual editing of files, using the UCI commands from the shell and using the Lua programming language.
SSH Access
First, I need to set up SSH access to my Go. To do so, I use the following technote:
https://support.invizbox.com/hc/en-us/articles/115001828205
Since I’m planning to access this quite a bit, I decided to paste my public key in the SSH-Keys section of the SSH-Access area.
As a side note, I use a simple alias (in my .bash_aliases file) to get my public-key:
alias getpublickey='cat ~/.ssh/id_rsa.pub | xclip'
You don’t have to do this but then depending on your ssh client, you may have to enter the root password each time you connect.
By the way, if you are a Windows user, you may want to consider PuTTY for SSH access.
I’m also connected to my normal network over Ethernet during this, so I can’t use the inviz.box address as it doesn’t resolve to my Go. That means I have to use the IP address when connecting:
ssh root@10.153.146.1
Get the latest version
Before we get going, we need to make sure that we are running a version at least as new as 3.0.9.
First, leave the Go running (and connected) for a couple of hours. You can also manually trigger an update from the button in the Update Log page (Expert Mode – System – Update Log) and make sure there is no update available (don’t worry about the errors in that page; see: Errors in Update Log).
VPN Settings structure
Once I’m in, I can start by looking at the VPN settings that are used in the VPN Location page. I can interact with them by editing the /etc/config/vpn file or using the UCI interface (Reference Documentation is here: https://wiki.openwrt.org/doc/uci). I’m going to use UCI here as it makes things simpler to script.
uci show vpn
output:
vpn.active=active
vpn.active.username='this_is_my_user_name@invizbox'
vpn.active.password='this_is_my_password'
vpn.active.name='para08'
vpn.active.mode='vpn'
vpn.aklc09=server
vpn.aklc09.country='NZ'
vpn.aklc09.city='Auckland'
vpn.aklc09.name='akl-c09'
vpn.aklc09.template='/etc/openvpn/templates/invizbox.ovpn.template'
…
…
vpn.zurc02=server
vpn.zurc02.country='CH'
vpn.zurc02.city='Zurich'
vpn.zurc02.name='zur-c02'
vpn.zurc02.template='/etc/openvpn/templates/invizbox.ovpn.template'
From here, we can see that the structure is listing VPN Locations with:
- a type – server
- a name – vpn.zurc02
- and 4 options:
- country
- city
- name
- template
So to add/remove/edit them, we’ll have to deal with these 5 elements.
You can also look at them in the config file where they look nicely organised:
tail /etc/config/vpn
output:
    option city 'Zurich'
    option name 'zur-c01'
    option template='/etc/openvpn/templates/invizbox.ovpn.template'
config server 'zurc02'
    option country 'CH'
    option city 'Zurich'
    option name 'zur-c02'
    option template='/etc/openvpn/templates/invizbox.ovpn.template'
Remove Brazilian VPN Locations
So, now that we know the structure (and have checked how to use UCI from the reference), we can work on removing the Brazilian locations.
A quick
grep BR- /etc/config/vpn
shows that I have 20 VPN Locations in Brazil, one of them is called grua01 (Sao Paulo – server a01).
uci show vpn.grua01
will display the properties of that particular named configuration entry.
Manual Editing
The simplest option here is most probably to edit the /etc/config/vpn file if you have vi skills.
Just find and delete all entries related to Brazil (each entry is made of 5 lines).
UCI command line (shell script)
You can also remove all the entries from UCI one by one by checking all Brazilian entries:
grep BR- /etc/config/vpn
This will give you a list of filenames and you can see there are two patterns (“gig” for Rio de Janeiro servers and “gru” for Sao Paulo servers).
You can then remove them by explicitly deleting each entry in UCI as follows:
uci delete vpn.giga01
uci delete vpn.giga02
uci delete vpn.giga03
uci delete vpn.giga04
…
uci delete vpn.grua01
uci delete vpn.grua02
uci delete vpn.grua03
uci delete vpn.grua04
…
uci delete vpn.grua14
uci commit
If you want to keep this handy, drop these lines into a shell script. The first line of that script becomes #!/bin/sh and don’t forget to make the script executable.
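Instead of typing each section name, the list of delete commands can be generated from the `uci show vpn` output and reviewed before it is run. This is an added example, not part of the original post or the InvizBox firmware; the function names are hypothetical and the sample lines are constructed in the format shown earlier.

```shell
#!/bin/sh
# Added example: derive the "uci delete" commands for one country from
# `uci show vpn`-style lines on stdin, e.g. vpn.grua01.country='BR'

sections_by_country() {
    # $1 = country code as stored in the "country" option
    # Fields after splitting on "." and "=": vpn, <section>, <option>, <value>
    awk -v cc="$1" -v q="'" -F"[.=]" '
        $1 == "vpn" && $3 == "country" {
            val = $4
            gsub(q, "", val)            # strip the quotes uci prints
            if (val == cc) print $2
        }'
}

delete_commands() {
    # Print the commands instead of running them, so they can be reviewed.
    sections_by_country "$1" | while read -r s; do
        printf 'uci delete vpn.%s\n' "$s"
    done
}

# Constructed sample (not real device output).
SAMPLE="vpn.active=active
vpn.active.name='para08'
vpn.giga01=server
vpn.giga01.country='BR'
vpn.giga01.city='Rio de Janeiro'
vpn.grua01=server
vpn.grua01.country='BR'
vpn.grua01.city='Sao Paulo'
vpn.zurc02=server
vpn.zurc02.country='CH'
vpn.zurc02.city='Zurich'"

printf '%s\n' "$SAMPLE" | delete_commands BR

# On the Go itself: uci show vpn | delete_commands BR > /tmp/del.sh
# Review /tmp/del.sh, run it with sh, then finish with: uci commit vpn
```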
Lua
If you are familiar with Lua as a programming language, there is a nice interface to UCI in Lua.
You can then run the following in the Lua console or as a script:
uci = require("uci").cursor()
uci:load("vpn")
-- delete every "server" section whose country option is BR
uci:foreach("vpn", "server", function(s)
    if s.country == 'BR' then
        uci:delete("vpn", s['.name'])
    end
end)
uci:save("vpn")
uci:commit("vpn")
Rename Brussels to Bruxelles
grep BE- /etc/config/vpn
will give you a list of Belgian VPN Locations
Manual Editing
Use vi and change Brussels to Bruxelles in the city field only (if you change the ovpn file, you need to go and rename the file as well, otherwise you have a mismatch).
UCI command line (shell script)
You can also change the entries from UCI one by one as such:
uci set vpn.brub01.city=Bruxelles
uci commit vpn
Lua
You can then run the following in the Lua console or as a script:
uci = require("uci").cursor()
uci:load("vpn")
-- rename the city on every "server" section that currently says Brussels
uci:foreach("vpn", "server", function(s)
    if s.city == 'Brussels' then
        uci:set("vpn", s['.name'], "city", "Bruxelles")
    end
end)
uci:save("vpn")
uci:commit("vpn")
Add my own VPN Location
Set up DNS when connected to VPN
The Go is set up to use a specific set of DNS servers when connected (to avoid DNS leaking). Those servers are only accessible when connected to the InvizBox VPN. Since this is not going to be the case on your own VPN connection, you will have to set your own DNS servers.
The file with the DNS servers is /etc/resolv.conf.vpn. It’s a standard resolv.conf file that gets used when connected.
You can edit this file and slot in your DNS servers (either recommended by your DNS provider or your favourite ones).
You can use the following command to modify the file (using OpenDNS servers in this example – replace IPs with yours):
echo -e "search lan\nnameserver 208.67.222.222\nnameserver 208.67.220.220" > /etc/resolv.conf.vpn
If you want to revert to the original file, you can run:
cp /rom/etc/resolv.conf.vpn /etc/resolv.conf.vpn
Important Note about modifying the DNS servers:
Since you are modifying the DNS servers, they are now going to be used for all your VPN locations.
So if you use one of the original VPN Locations from your InvizBox subscription after that change, you will not be using the recommended DNS servers for these connections anymore.
Let’s be clear, you are doing these modifications at your own risk. If you don’t understand the impact this has on your privacy, I would recommend that you do not add your own VPN Locations! Or at least that you set up all VPN Locations from the same VPN subscription.
Copy ovpn file and dependencies
First, you have to have a functional ovpn file (usable by openvpn).
That file is either self contained (certificate and credentials included) or links to a certificate file or a credentials file (or both).
You then need to copy that file to the /etc/openvpn directory. If needed, you will also need to copy your certificate file and/or credentials file to the /etc/openvpn directory.
In my case, the ovpn file is self contained so I copied it to /etc/openvpn/office.ovpn
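Whether a profile is self contained or links to other files can be checked before copying it. The following is an added example, not part of the original post or the InvizBox firmware: the function names are hypothetical, the directive list covers common OpenVPN file options, the sample profile is constructed, and it assumes linked files are expected next to the profile, as described above.

```shell
#!/bin/sh
# Added example: list the external files an OpenVPN profile refers to.
# Inline blocks such as <ca>...</ca> are self contained and need no file.
ovpn_external_files() {
    awk -v q="[\"']" '
        /^[ \t]*[#;]/ { next }              # comment lines
        /^[ \t]*<\//  { inline = 0; next }  # end of an inline block
        /^[ \t]*</    { inline = 1; next }  # start of an inline block
        inline        { next }              # PEM data inside a block
        $1 ~ /^(ca|cert|key|pkcs12|tls-auth|tls-crypt|auth-user-pass)$/ && NF >= 2 {
            f = $2; gsub(q, "", f); print $1 ": " f
        }' "$1"
}

# Print referenced files that are missing (relative paths are checked in
# the profile's own directory, which is an assumption of this example).
ovpn_missing_files() {
    dir=$(dirname "$1")
    ovpn_external_files "$1" | while IFS= read -r line; do
        f=${line#*: }
        case $f in /*) p=$f ;; *) p=$dir/$f ;; esac
        [ -e "$p" ] || printf '%s\n' "$p"
    done
}

# Constructed sample profile: inline CA, external credentials and TLS key.
make_sample() {
    cat > "$1/office.ovpn" <<'EOF'
client
dev tun
remote vpn.example.com 1194
# ca old-ca.crt
auth-user-pass credentials.txt
<ca>
-----BEGIN CERTIFICATE-----
(constructed placeholder, not a real certificate)
-----END CERTIFICATE-----
</ca>
tls-auth "ta.key" 1
EOF
    : > "$1/ta.key"
}

d=$(mktemp -d) && make_sample "$d"
ovpn_missing_files "$d/office.ovpn"
rm -rf "$d"
```

An empty result from `ovpn_missing_files` means everything the profile links to is already in place.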
Manual Editing
Here, once more, I’ll trust vi and add the following to the /etc/config/vpn file. Notice how I use “filename” as opposed to “template” in the options as this file is self contained.
config server 'work'
    option country 'Work'
    option city 'office'
    option name 'work'
    option filename '/etc/openvpn/office.ovpn'
UCI command line (shell script)
You can add an entry from UCI as such:
uci set vpn.work='server'
uci set vpn.work.country='Work'
uci set vpn.work.city='office'
uci set vpn.work.name='work'
uci set vpn.work.filename='/etc/openvpn/office.ovpn'
uci commit vpn
Lua
You can then run the following in the Lua console or as a script:
uci = require("uci").cursor()
uci:load("vpn")
-- create the named "server" section, then fill in its options
uci:set("vpn", "work", "server")
uci:set("vpn", "work", "country", "Work")
uci:set("vpn", "work", "city", "office")
uci:set("vpn", "work", "name", "work")
uci:set("vpn", "work", "filename", "/etc/openvpn/office.ovpn")
uci:save("vpn")
uci:commit("vpn")
My final script
So, considering I only wanted to patch my box to add my office VPN, here is what my final script looks like:
#!/bin/sh
# change DNS servers
echo -e "search lan\nnameserver 208.67.222.222\nnameserver 208.67.220.220" > /etc/resolv.conf.vpn
# create new UCI entry
uci set vpn.work='server'
uci set vpn.work.country='Work'
uci set vpn.work.city='office'
uci set vpn.work.name='work'
uci set vpn.work.filename='/etc/openvpn/office.ovpn'
uci commit vpn
And to use that script, I do the following:
- Set up SSH as described above
- Run on my local desktop (linux):
chmod +x myscript.sh
scp myscript.sh root@10.153.146.1:/tmp
scp office.ovpn root@10.153.146.1:/etc/openvpn/office.ovpn
- SSH to the Go:
ssh root@10.153.146.1
- Run my script on the Go:
/tmp/myscript.sh
- That’s it! I just need to go to the VPN Location page and select my new Work Location.
Once more, after running that script, if I use one of the InvizBox VPN Locations, I’m going to be using the OpenDNS servers.
Done!
Once the above has been done, you should see the changes that you have made in the VPN Location page in the Administration UI.
This didn’t work :'(
Have a look at your changes and figure out what you did wrong (most likely a typo or a missing option).
And after that, … well…, the simplest way to get back to a working device is to reset it.
From the command line, you can reset with the following:
firstboot # and say yes (y) to the "Are you sure?" question
reboot