Hi. I'm a privacy enthusiast, and my goal is to setup OpenVPN client on a TomatoUSB router... "properly". I know how to do most things listed here, but I'm wondering if there are better/easier ways to do all these. So what I'm looking for are suggestions and cosmic discussions. Here's what I want: - After the router boots, perhaps after an optware partition is mounted, an OpenVPN client is started on the router. - Kids, partners, guests running around with hacked devices shall not know the WAN IP. - No LAN traffic (including DNS) shall ever go out on WAN, except what is minimally needed or explicilty allowed. - Kill switch. - The VPN client shall try to reconnect automatically following a network hiccup with minimal need for intervention. - Incoming SSH on WAN. Putting 2 and 2 together, WAN traffic should be limited to: - encrypted VPN traffic, obviously - traffic to preselected IPs, e.g VoIP, work VPN - traffic started by incoming SSH on WAN - DNS traffic exclusively related to VPN operation I don't think this set of goals is too uncommon, but I'm a bit surprised at how much networking is needed to implement all this. There are several things in the TomatoUSB interface I don't understand, perhaps there are easier ways to achieve some of these things. Here is what I have in mind: - In Administration, firewall script: `iptables -A wanout -j REJECT`. This takes care of all LAN traffic never leaving on WAN, with the notable exception of DNS, which leaves the router as local, so it must be dealt with separately. - In /opt/etc/config wanup, also called from /opt/mount.autorun: Create novpn routing table by removing all references to tun devices. Also `ip rule add fwmark 1 table novpn`. - In /opt/etc/config fire: extensive iptables stuff, mostly mangle prerouting but others as well, setting marks on traffic that should go on WAN. - Dnsmasq. This is getting messy. Existing 'strict' is useless and misleading IMHO because of leaks. Existing 'exclusive' is better, with the notable exception that to survive a network hiccup, I have to resolve myvpnprovidercom some other way, otherwise the client hangs/exits and manual restart is needed. Right now I'm leaking. What I'm thinking of is: custom config `server=/myvpnprovidercom/10.8.8.8`, plus disable WAN DNS to prevent leaks when VPN is down, plus packet marks and DNAT to 22.214.171.124, so that only those queries go out to Google on WAN. Questions: 1) Any suggestions how to do some things better/easier? Are there any features in the TomatoUSB GUI that could help? I'm putting some of the scripts in /opt because nvram is pretty low. 2) Is there any reference to properly dealing with this dnsmasq issue? I hacked my solution together by reading manuals and such, but it seems other people with more network knoledge should have solved it before. 3) Don't you find 'strict' totally misleading, given that dnsmasq provides only a query ordering guarantee? 4) In TomatoUSB, how do the VPN DNS servers make their way from /etc/openvpn/dns/client1.resolv into /etc/resolv.dnsmasq? I see the openvpn script wirting the former, and dnsmasq reading the latter. 5) Why doesn't the kernel/iptables return packets belonging to a certain connection (incoming SSH on WAN) back to where they came from by default, so that all this marks nonsense is needed for those? 6) Why does this have to be so compilcated? People, enthusiasts, work on these setups. I know it's not immediate but still, I would expect that there is progress. The dnsmasq and openvpn interaction seems so very obscure.