Connecting to Njalla VPN using WireGuard and a ThinkPenguin mini wireless router

Warning: These directions have not been updated to include how to protect yourself against the TunnelVision / DHCP option 121 attack like our instructions for our Penguin VPN 2.0 Wireguard instructions have. However, we have added instructions here that you can follow after completing the initial VPN setup below.

These directions have been thoroughly tested on a TPE-R1200 and TPE-R1300 mini wireless router running libreCMC v1.5.8 and njalla VPN with a WireGuard configuration (and many newer releases as well). WireGuard is similar to OpenVPN, but newer and faster. njalla VPN is a privacy friendly VPN service that aims to protect your privacy and has support for WireGuard.

Please note that you will need to flash the latest release of libreCMC in order to install WireGuard packages from the libreCMC repository.

Note: If the links are broken below replace v1.5.8 with whatever the latest version of libreCMC is. You can find that out by visiting https://www.librecmc.org/

The firmware image for TPE-R1200 is:

https://librecmc.org/librecmc/downloads/snapshots/v1.5.8/targets/ath79/g...

The firmware for TPE-R1300 is:

https://librecmc.org/librecmc/downloads/snapshots/v1.5.8/targets/ath79/g...

0. Directions on flashing the above nor image are here (please note that the directions suggest flashing the OEM ISO version, but that will or may not work due to the need to install software from the libreCMC repository, utilize the image above instead): https://www.thinkpenguin.com/gnu-linux/vpn-mini-wireless-router-firmware...

1. Turn off wifi on your computer
2. Plug in an ethernet cable to the LAN port on your mini wireless router and the other end into a computer where you will be configuring your router from
3. Plug the power (micro USB cable) cable in on the mini wireless router and wait for the computer to show it's connected/activated/has an IP address
4. Open a browser (Firefox) and go to https://192.168.10.1/
5. When you see a warning message "Warning: Potential Security Risk Ahead" (Firefox) click the "Advanced..." button, and then click "Accept the Risk and Continue" button
6. Click Login button (initially no password is set so no password needs be entered to login)
7. Go to System > Administration and set a password, click Save button, click Dismiss button, click Logout button, then log back in with new password
8. Go to Network > Interfaces
9. Click Edit button next to LAN
10. Set IPv4 box to 192.168.3.1
11. Click Save & Apply button
12. Wait for the Configuration has been rolled back! error message to appear and then click the Apply anyway button
13. Wait for the Device unreachable! message to appear and then disconnect and reconnect your ethernet connection on your computer followed by going to the new address for the router in your web browser https://192.168.3.1 and when you see a warning message "Warning: Potential Security Risk Ahead" (Firefox) click on the "Advanced..." button and then click "Accept the Risk and Continue" button
14. Enter your previously chosen password and click the Login button
15. Go to System > Software
16. Plug in ethernet cable from WAN on the router to a modem or other upstream router with an internet connection
Click Update lists.. button
17. When updates done click Dismiss button
18. Go to the Filter box and search for luci-proto-wireguard
19. Click the Install... button next to luci-proto-wireguard (under where it says Package name)
20. Click Install button to proceed
21. Click Dismiss button
22. Repeat steps 18-21, but replace luci-proto-wireguard with wireguard and then do it again with luci-app-wireguard
23. Go to Network > Interfaces
24. Click Add new interface button..
25. In Name of new interface box enter WireGuard
26. In Protocol of the new interface drop down select WireGuard VPN
27. Click the Submit button
28. Go to VPN provider: https://njal.la/
29. To get started creating an njalla account click the Get Started button in the top right corner

30. Select Use your email
31. Enter your password twice
32. Click the Sign up button
33. Check your email as directed "Please confirm your email to login to Njalla."
34. Click the + Add funds button
35. We recommend adding at least €15 to start

If you utilize a cryptocurrency to pay and we highly recommend you do then click the Wallet button to see the status of the funds confirmation (it takes some amount of time to confirm)

Once you see the funds, example: Added 15 € via Monero then click the VPN link at the top of the page

36. Clck the + Add VPN button

37. By default they automatically add many clients, but you probably only want one, so remove the rest, then click the Pay Now button

38. Next set a name VPN Client name in the VPN Name box or leave it as is and click the Save name button

39. Next click the Use WireGuard button

40. Next Click the Download Config button (save it and open it in a text editor, or just open it in a text editor, we're copying the info from it into the router anyway)

41. Go back to your router configuration tab with the new interface and WireGuard VPN configuration screen and enter the PrivateKey from the .conf file into the Private Key box.
42. In the IP Addresses box enter the Address from the conf file (example: 10.67.153.173/32) and then click the + button to add the IP
43. Click the Add button under the Peers section and do the same for the Public Key in the Peers section
44. In the Peers section do the same for Allowed IPs
45. In peers section make sure you have checked the Route Allowed IPs box
46. Copy the Endpoint = ip/domain address (example: 185.216.33.114 or wg00.njalla.no) into the Endpoint Host box
47. Copy the Endpoint = port into the Endpoint Port box (everything that comes after the : on the Endpoint = line)
48. Enter 25 into the Persistent Keep Alive box
49. Click Save & Apply button
50. Go to System > Reboot and click Perform reboot button
51. After the router reboots log back in and Go to Network > Firewall
52. Click Add button at bottom
53. In the Name box enter VPN
54. In the Input, Output, and Forward box select Accept
55. Check the boxes that say Masquerading and MSS clamping
56. Under Covered networks select WireGuard:
57. Under Allow forward from source zones: select lan: lan:
58. Click Save & Apply button
59. Go to Network > Interfaces and Click the Edit button next to WIREGUARD
60. Make sure the box that says Bring up on boot is checked
61. Click Save & Apply
62. Go to Network > Firewall
63. Under Zones click Edit button next to lan > wan VPN
64. Remove wan: wan: wan6 from Allowed forward to destination zones: drop down
65. Click Save & Apply button
66. For security lets clean up: go to Network > Interfaces and remove the WAN that has Protocol: DHCPv6 client next to it.
67. Click Delete button to remove
68. Click Save & Apply button
69. Go to Network > Interfaces and next to LAN click the Edit button
70. Copy the DNS from the .conf file and paste it into the Use custom DNS servers box and click the + arrow to add
71. Under IPv6 assignment length select disabled
72. Under the DHCP Sever section go to the IPv6 Settings and select disabled in the drop down for Router Advertisement-Service and DHCPv6-Service
73. Click Save & Apply button

74. Go to Network > Interfaces
75. Click Edit button next to WAN
76. Click the Advanced Settings tab
77. Uncheck the box that says "Use DNS servers advertised by peer"
78. Enter 8.8.8.8 or some other DNS server of your preference
79. Click Save & Apply button

80. Go to System > Reboot and click the Perform reboot button

After the router has rebooted you can now go to infosniper.net and it should appear that you are coming from a location other than the city/state/country where you actually are connecting from.

81. Now you probably want to setup wireless so go to Network > Wireless and click the Edit button next to where it says SSID: libreCMC
81b. Click the Enable button in Network > Wireless next to where it now says libreCMC-VPN (if that is the name of the SSID that you chose)
82. Scroll down to the Interface Configuration section and enter a ESSID into the ESSID box like libreCMC-VPN
83. Go to the Wireless Security tab and under Encryption select WPA2-PSK
. In the Key box enter a password (this is the password you will utilize to access the VPN through your new libreCMC-VPN wireless access point)
84. Click Save & Apply button
85. On the computer disconnect your wired connection and select the new libreCMC-VPN access point that appears

You should now be able to visit infosniper.net again and see that others think you are located or coming from somewhere that you are not