Configuring a libreCMC router for use with a PenguinVPN 2.0 Wireguard Subscription

The following is our lengthier set of directions and applies to any router running libreCMC 6.x or newer. These directions have been verified on TPE-R1300 and TPE-R1400 model routers running libreCMC 6.1, but should be applicable to any router running libreCMC 6.x. They also include protection from TunnelVision or DHCP Option 121 attacks.

Note: We have a shorter set of directions for TPE-R1100, TPE-R1300, and TPE-R1400 routers

Grab the SHORTER SET OF DIRECTIONS FOR THE TPE-R1400 model.

Grab the SHORTER SET OF DIRECTIONS FOR THE TPE-R1100, TPE-R1200, TPE-R1300 series models.

1. Connect power to the router and an ethernet cable from the LAN port on the mini router to a computer's ethernet port
2. Use your network applet to connect to the router via DHCP and open a web browser
3. The IP for a new or freshly flashed router running libreCMC is 192.168.10.1. Enter https://192.168.10.1 into the address bar and hit enter
3. libreCMC uses a self-signed certificate, which means you will see a warning message and need to accept the "security risk" to continue. In Firefox and similar browsers, click the Advanced... button and then click the Accept Risk and Continue button
4. There is no password set by default, so click the Log in button
5. Click the Go to password configuration... button and set a router login password, click the Save button to continue

6. On the same page, in the SSH Access section, set the interface to LAN. Click the Save & Apply button.

7. We're going to set a different IP for the router to ensure it does not conflict with any upstream router, go to Network > Interfaces and click the Edit button next to LAN
8. In the IPv4 address box change 192.168.10.1 to 192.168.3.1, then click the Save button to continue, then click the Save & Apply button, and then the Apply and keep settings button
9. Wait 90 seconds for the Device unreachable! message to appear and then use your network applet on your computer to disconnect from the ethernet, then reconnect
10. Open the web browser, enter the router's new IP address https://192.168.3.1 and hit enter. You will need to accept the security warning message again, i.e. click the Advanced button and the Accept Risk and Continue button
11. Log into the router using the password you previously set
12. Connect an ethernet cable from the WAN port on the mini router to a modem or upstream router LAN port that has internet connectivity

If you've installed the libreCMC.org version rather than the OEM version you may need to install a few packages manually

13. If so click "Update lists...", then when finished updating click "Dismiss"
14. In the Download and install package field enter: luci-proto-wireguard and click OK, click Install. Then Dismiss the windows when installed. Repeat and make sure wireguard-tools is installed also.
15. Click System - Reboot

16. Locate the WireGuard configuration for PenguinVPN 2.0, this should have been sent via email, or if service was purchased with a router then included on paperwork with the router

17. Go to Network > Interfaces and click the Add new interface... button at the bottom
18. In the Name box enter WGINTERFACE and then select WireGuard VPN from the Protocol drop down box, then click the Create interface button
19. In the General Settings tab make sure Bring up on boot is checked
20. In the Advanced Settings tab, set Use MTU on tunnel interface to 1280.
21. Click the Force link box and make sure the setting is set to checked
22. Navigate to Firewall Settings and click on Create/Assign firewall-zone. Enter VPN as the name and click Enter.

23. In the General Settings tab copy the Private Key to the associated box from the PenguinVPN 2.0 WireGuard configuration credentials, making sure not to include any spaces before or after
24. In the General Settings tab copy the Public Key to the associated box from the PenguinVPN 2.0 WireGuard configuration credentials, making sure not to include any spaces before or after
25. Copy the Address to the IP Addresses box, example 10.10.100.200/32
26. In the Peers tab click the Add peer button
27. Enter a description, like Europe, then copy the Public Key to the Public Key box, repeat for the Private Key
28. Copy the PresharedKey over to the Preshared Key box
29. Copy the AllowedIPs over to the Allowed IPs box, example 0.0.0.0/0
30. Check the box that says Route Allowed IPs

31. In the Endpoint Host box copy the Endpoint over, example europe.penguinvpn.com
32. In the Endpoint Port box copy everything after the ":" character in Endpoint section, example 1637
33. In the Persistent Keep Alive box enter 25
34. Click the Save button, then the Save button again, then the Save & Apply button
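
As an added illustration (not part of the original directions and not PenguinVPN tooling), the script below prints the UCI commands that correspond to the LuCI fields filled in during steps 17-34, including the Endpoint host/port split from steps 31-32. The sample config is constructed and its keys are placeholders; the address, endpoint, MTU and keepalive values are the examples given above.

```sh
# Added example: reads a wg-quick style config on stdin, prints matching UCI commands.
wg_to_uci() {   # usage: wg_to_uci [IFACE] < conf   (IFACE defaults to step 18's name)
    awk -v ifc="${1:-WGINTERFACE}" '
    function set(p, o, v) { printf "uci set %s.%s=\047%s\047\n", p, o, v }
    function addl(p, o, csv,   n, a, j) {   # one add_list per comma-separated item
        n = split(csv, a, /[ \t]*,[ \t]*/)
        for (j = 1; j <= n; j++) printf "uci add_list %s.%s=\047%s\047\n", p, o, a[j]
    }
    BEGIN { ip = "network." ifc; pp = "network.@wireguard_" ifc "[-1]" }
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    /^\[Interface\]/ {
        print "uci set " ip "=interface"
        set(ip, "proto", "wireguard"); set(ip, "mtu", "1280"); next   # step 20
    }
    /^\[Peer\]/ {
        print "uci add network wireguard_" ifc
        set(pp, "route_allowed_ips", "1")                 # step 30
        set(pp, "persistent_keepalive", "25"); next       # step 33
    }
    {
        i = index($0, "="); if (!i) next   # first "=" only: base64 keys end in "="
        k = substr($0, 1, i - 1); v = substr($0, i + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
        if (k == "PrivateKey") set(ip, "private_key", v)
        else if (k == "Address") addl(ip, "addresses", v)
        else if (k == "PublicKey") set(pp, "public_key", v)
        else if (k == "PresharedKey") set(pp, "preshared_key", v)
        else if (k == "AllowedIPs") addl(pp, "allowed_ips", v)
        else if (k == "Endpoint" && match(v, /:[0-9]+$/)) {
            host = substr(v, 1, RSTART - 1)   # text before the last ":"
            gsub(/^\[|\]$/, "", host)         # unwrap a bracketed IPv6 literal
            set(pp, "endpoint_host", host); set(pp, "endpoint_port", substr(v, RSTART + 1))
        }
    }
    END { print "uci commit network" }'
}
sample_conf() {   # constructed sample: placeholder keys, example values from the steps
    cat <<'EOF'
[Interface]
PrivateKey = PLACEHOLDERprivatekey0000000000000000000000=
Address = 10.10.100.200/32
[Peer]
PublicKey = PLACEHOLDERpublickey00000000000000000000000=
PresharedKey = PLACEHOLDERpresharedkey00000000000000000000=
AllowedIPs = 0.0.0.0/0
Endpoint = europe.penguinvpn.com:1637
EOF
}
sample_conf | wg_to_uci
```

The Force link and Bring up on boot settings from steps 19 and 21 are not emitted and remain as set in LuCI.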

35. Go to Network > Firewall
36. In the VPN zone check and verify the VPN zone has the following configuration:

Input: Reject
Output: Accept
Forward: Reject

37. Click the Save button
38. Click the Edit button for the VPN
39. Check the box that says Masquerading and MSS clamping
40. Make sure WGINTERFACE is selected in the Covered networks box
41. Also make sure LAN is selected in the Allow forward from source zones box
42. Click the Save button

43. Now click the Edit button for the LAN zone
44. Under Allow forward to destination zones, make sure WGINTERFACE is selected and that WAN is deselected. This will avoid any potential leaks.

45. Click the Save button
46. Under Network > Interfaces delete the DHCPv6 WAN interface
47. Click the Save & Apply button
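
The leak check from steps 43-44 can be confirmed from the saved firewall config. The following is an added example, not part of the original directions: it assumes the stock zone names lan and wan, the VPN zone name entered in step 22, and uses constructed sample configs. On the router, point it at /etc/config/firewall over SSH.

```sh
# Added example: list where LAN traffic may be forwarded, from a UCI firewall file.
# lan_forward_dests FILE prints the dest zone of every forwarding with src 'lan'.
lan_forward_dests() {
    awk '
    function unq(s) { gsub(/["\047]/, "", s); return s }
    function emit() { if (sec == "forwarding" && src == "lan") print dest }
    $1 == "config" { emit(); sec = $2; src = dest = ""; next }
    $1 == "option" && $2 == "src"  { src = unq($3) }
    $1 == "option" && $2 == "dest" { dest = unq($3) }
    END { emit() }' "$1"
}

# Succeeds only when the VPN zone is the sole forwarding destination for LAN.
# usage: lan_is_vpn_only FILE [ZONE]   (ZONE defaults to VPN, the name from step 22)
lan_is_vpn_only() {
    [ "$(lan_forward_dests "$1" | sort -u)" = "${2:-VPN}" ]
}

# Constructed samples: stock rules, WAN left selected in step 44, and the goal.
fw_samples() {
    d=$(mktemp -d)
    printf "%s\n" "config forwarding" " option src 'lan'" \
        " option dest 'wan'" > "$d/stock"
    { cat "$d/stock"
      printf "%s\n" "config forwarding" " option src 'lan'" \
          " option dest 'VPN'"; } > "$d/leaky"
    printf "%s\n" "config zone" " option name 'VPN'" " option forward 'REJECT'" \
        "config forwarding" " option src 'lan'" " option dest 'VPN'" > "$d/locked"
    echo "$d"
}

d=$(fw_samples)
for f in stock leaky locked; do
    if lan_is_vpn_only "$d/$f"; then echo "$f: LAN forwards to VPN only"
    else echo "$f: LEAK, LAN can forward to: $(lan_forward_dests "$d/$f" | tr '\n' ' ')"
    fi
done
```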

48. To hinder TunnelVision or DHCP Option 121 attacks we're going to ssh into the router and add a manual tweak to the network configuration file:

ssh root@192.168.3.1

49. Now to stop TunnelVision edit /etc/config/network and under config interface 'wan' add option classlessroute '0':

vi /etc/config/network

option classlessroute '0'
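
Because the line is added by hand in vi, it is easy to paste it under the wrong config section, where it has no effect on the WAN DHCP client. The check below is an added example (not from the original directions) that reads a UCI network file and reports the value set under config interface 'wan'; the sample files are constructed.

```sh
# Added example: confirm that step 49 landed in the right section.
# wan_classlessroute FILE prints the value of "option classlessroute" found
# under config interface 'wan', or "unset" when that section has none.
wan_classlessroute() {
    awk '
    function unq(s) { gsub(/["\047]/, "", s); return s }
    $1 == "config" { in_wan = ($2 == "interface" && unq($3) == "wan"); next }
    in_wan && $1 == "option" && $2 == "classlessroute" { val = unq($3) }
    END { print (val == "" ? "unset" : val) }' "$1"
}

# Constructed samples: the stock config, the line pasted under the wrong
# section, and the intended result of step 49.
make_samples() {
    d=$(mktemp -d)
    printf "%s\n" "config interface 'lan'" " option proto 'static'" \
        "config interface 'wan'" " option proto 'dhcp'" > "$d/stock"
    printf "%s\n" "config interface 'lan'" " option proto 'static'" \
        " option classlessroute '0'" \
        "config interface 'wan'" " option proto 'dhcp'" > "$d/misplaced"
    printf "%s\n" "config interface 'lan'" " option proto 'static'" \
        "config interface 'wan'" " option proto 'dhcp'" \
        " option classlessroute '0'" > "$d/fixed"
    echo "$d"
}

d=$(make_samples)
for f in stock misplaced fixed; do
    echo "$f: wan classlessroute = $(wan_classlessroute "$d/$f")"
done
# On the router itself: wan_classlessroute /etc/config/network   (expect 0)
```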

DISABLE IPv6

50. Back in the LuCI web user interface for the router, under Network > Interfaces click the Edit button for the LAN
51. Go to the Advanced Settings tab and change IPv6 assignment length to disabled
52. Uncheck Delegate IPv6 prefixes
53. Under the DHCP Server section go to the IPv6 Settings and select disabled in the drop down for RA-Service and DHCPv6-Service
54. Click the Save button and Save & Apply button
55. Go to System > Reboot and click the Perform reboot button

56. After the router reboots go to Network > Interfaces > LAN > DHCP Server > Advanced Settings > "Force DHCP on this network even if another server is detected" (enable). Click the Save button. Click the Save & Apply button.

57. System > Reboot and click Perform reboot button

58. Click on your network applet and disconnect from the network, then click the applet again and reconnect to the network
59. Open a web browser and go to a site like https://infosniper.net/ to confirm that your connection appears to be coming from a city/state/country other than your own