OpenWRT expressVPN setup

From AD7ZJ Wiki
Revision as of 21:49, 11 January 2020 by Elijah

Install the luci-app-openvpn and openvpn-openssl packages in OpenWRT. Download the .ovpn configuration files from ExpressVPN and SCP them to /etc/openvpn. Change their names to this format: openvpn-my_vpn.conf. I initially didn't rename them and OpenVPN was looking for files of this format, so I just changed it to match. Maybe not necessary *shrug*.

You have to make one modification so that OpenVPN reads your username/password from a file instead of prompting for it at the command line. Open the config file you got from ExpressVPN and find the "auth-user-pass" line. Change it to "auth-user-pass auth.txt". Now make a file named auth.txt and put the username ExpressVPN gave you on the first line and the password on the second line. This is a random-looking string of characters, not the email/password you use to log in to ExpressVPN.

/etc/init.d/openvpn restart should pick up the new config and log in to the VPN successfully. Run logread -e openvpn to see the result. There should be some new routes created, along with a new network interface, tun0.
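The profile edit and credential file described above can be scripted. This is an added example, not part of the original page: it rewrites a bare auth-user-pass line, writes auth.txt with owner-only permissions, and checks the result. The function names, sample profile and credentials are constructed, and it assumes auth.txt sits in the same directory as the config.

```sh
#!/bin/sh
# Added example; function names, sample profile and credentials are constructed.

# Copy a provider .ovpn to <dir>/openvpn-<name>.conf and point a bare
# "auth-user-pass" directive at auth.txt (a trailing CR is tolerated).
install_profile() {  # usage: install_profile <src.ovpn> <name> <dir>
    dst="$3/openvpn-$2.conf"
    sed 's/^auth-user-pass[[:space:]]*$/auth-user-pass auth.txt/' "$1" > "$dst" || return 1
    # Fail if no auth-user-pass directive ended up pointing at auth.txt.
    grep -q '^auth-user-pass auth\.txt$' "$dst"
}

# Write username (line 1) and password (line 2) readable by the owner only.
write_auth() {  # usage: write_auth <dir> <username> <password>
    ( umask 077 && printf '%s\n%s\n' "$2" "$3" > "$1/auth.txt" ) || return 1
    chmod 600 "$1/auth.txt"
}

# Succeed only if auth.txt is exactly two non-empty lines with mode 0600.
check_auth() {  # usage: check_auth <dir>
    f="$1/auth.txt"
    if [ "$(grep -c '' "$f")" != 2 ] || [ "$(grep -c . "$f")" != 2 ]; then
        echo "auth.txt: expected username line and password line" >&2; return 1
    fi
    case "$(ls -ln "$f")" in
        -rw-------*) return 0 ;;
        *) echo "auth.txt: permissions are not 0600" >&2; return 1 ;;
    esac
}

# Demo on a constructed profile in a temporary directory (not /etc/openvpn).
demo() {
    d=$(mktemp -d) || return 1
    printf 'client\ndev tun\nauth-user-pass\n' > "$d/sample.ovpn"
    install_profile "$d/sample.ovpn" my_vpn "$d" &&
        write_auth "$d" 'constructed-user' 'constructed-pass' &&
        check_auth "$d" && echo "profile and auth.txt OK"
    rc=$?
    rm -rf "$d"
    return "$rc"
}
demo
```

On the router, call the three functions with /etc/openvpn as the directory instead of running demo. The credentials are stored in plain text, so the 0600 check is the only thing keeping them from other local users.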

The openvpn config file sets up the VPN itself and points at the config file from ExpressVPN.

config openvpn 'my_vpn'
        option enabled '1'
        option config '/etc/openvpn/openvpn-my_vpn.conf'

Edit the network config file to make a new interface called vpn0. I'm not sure if you use the tun0 interface directly or not, but this does work.

config interface 'vpn0'
        option proto 'none'
        option ifname 'tun0'

Edit the firewall config file and add a zone and a forwarding section. This is necessary to forward the LAN traffic over the VPN. Without this, there is no access to the outside world when the VPN is active.

config zone
        option name 'vpnclient'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'vpn0'

config forwarding
        option src 'lan'
        option dest 'vpnclient'