Update OpenWrt OpenVPN setup guide, add OpenWrt TunnelVision mitigat…

src/content/en/pages/knowledgebase/routers/openwrt-tunnelvision-mitigation-cve-2024-3661.md

@@ -0,0 +1,31 @@
+---
+title: OpenWrt - TunnelVision Mitigation (CVE-2024-3661) - IVPN Help
+h1: OpenWrt - TunnelVision Mitigation (CVE-2024-3661)
+url: /knowledgebase/routers/openwrt-tunnelvision-mitigation-cve-2024-3661/
+sections:
+    - routers
+    - troubleshooting
+sectionTitle: Routers
+layout: help-details
+weight: 30
+---
+# OpenWrt - TunnelVision Mitigation (CVE-2024-3661)
+
+The [TunnelVision vulnerability](https://nvd.nist.gov/vuln/detail/CVE-2024-3661) relates to loose DHCP rules, specifically DHCP option 121 and routes to bypass the VPN connection.
+
+For OpenWrt, this exploit can be mitigated by setting the `classlessroute` [interface option](https://openwrt.org/docs/guide-user/network/ipv4/configuration#protocol_dhcp) to `0` (zero).  It might be enough to set this option on interfaces with DHCP enabled, though consider enabling the option on all interfaces, just to be on the safe side.
+
+There is currently no LuCI graphical interface to set the option (as of OpenWrt 23.05.5, 2024-09-23), so SSH into your router to access the command line.
+
+Check available interfaces using `uci show network`, then toggle the interface option to `0`, commit the changes, and reload the network:
+
+```
+uci set network.wan.classlessroute=0
+uci set network.wan6.classlessroute=0
+uci set network.lan.classlessroute=0
+uci set network.ivpnAustria.classlessroute=0
+uci commit
+service network reload
+```
+
+**Note:** The `ivpnAustria` interface name is an example in the command above. Verify the name of your VPN interface using the `uci show network` command and replace it in the `uci set ...` command above.

src/content/en/pages/setup/router/openwrt.md

@@ -10,42 +10,35 @@ weight: 20
 ## OpenWrt OpenVPN Setup Guide
 
 <div markdown="1" class="notice notice--warning">
-This guide was produced using OpenWrt v.19.07.2
+This guide was produced using OpenWrt v.23.05.5
 </div>
 
 ### Install required packages
 
-1. In your router's webUI, navigate to `System` - `Software`, click `Update lists`
+1. In your router's webUI, navigate to `System` - `Software`, click `Update lists`.
 
 2. In the **Filter** field, type **OpenVPN**, locate and install **openvpn-openssl** & **luci-app-openvpn** packages<br></br>
 ![](/images-static/uploads/install-openvpn-openwrt-01.png)
 
-3. Restart your router
+3. Restart your router.
     <div markdown="1" class="notice notice--info">
     If you receive an error while attempting to install the 'luci-app-openvpn' package, check the 'Overwrite files from other package(s)' checkbox
     </div>
 
 ### Create a VPN profile
 
-1. Download and extract our [config files](/openvpn-config) to your computer
+1. Download and extract our [config files](/openvpn-config) to your computer.  Choose the IP address option on the configuration generator.  Choose OpenVPN 2.5.
 
-2. In your router, navigate to `VPN` - `OpenVPN`
+2. In your router, navigate to `VPN` - `OpenVPN`.
 
-3. Under the **OVPN configuration file upload** section, `Browse` for the .ovpn config file with the VPN server you would like to connect to, give it any name, then click `Upload`
+3. Under the **OVPN configuration file upload** section, `Browse` for the .ovpn config file with the VPN server you would like to connect to, give it any name, then click `Upload`.
 
-4. Click the `Edit` button next to the created OpenVPN instance and enter your IVPN account ID that begins with letters 'ivpnXXXXXXXX' or 'i-XXXX-XXXX-XXXX' (case-sensitive) and any password (e.g. ivpn) in 2 separate lines in the text box at the bottom
+4. Click the `Edit` button next to the created OpenVPN instance and enter your IVPN account ID that begins with letters 'ivpnXXXXXXXX' or 'i-XXXX-XXXX-XXXX' (case-sensitive) and any password (e.g. ivpn) in 2 separate lines in the text box at the bottom.
 
 5. Append the credentials file path to the **auth-user-pass** line in the first text box. The full path is visible just above the second text box, e.g. - `auth-user-pass /etc/openvpn/Austria.auth`. Click `Save`<br></br>
 ![](/images-static/uploads/install-openvpn-openwrt-02.png)
 
-6. Replace the hostname of the VPN server in line 4 with its IP address - `remote 185.244.212.66 2049`.<br></br>
-To turn the hostname of the server into an IP address use, e.g. the `nslookup at.gw.ivpn.net` command in your computer's terminal:
-	> $ nslookup at.gw.ivpn.net  
-	> ...  
-	> Name:   at.gw.ivpn.net  
-	> Address: 185.244.212.66
-
-7. Click `Save`. Return to main `OpenVPN` section, check the `Enabled` checkbox and click on the `Save & Apply` button. 
+6. Click `Save`. Return to main `OpenVPN` section, check the `Enabled` checkbox and click on the `Save & Apply` button. 
 
 ### Create an Interface
 
@@ -82,7 +75,7 @@ To turn the hostname of the server into an IP address use, e.g. the `nslookup at
 
 ### Configure a Kill-switch (optional)
 
-To ensure the traffic on your LAN devices travels strictly via the VPN tunnel and to prevent any possible leaks if the router disconnects from the VPN server for any reason, edit your lan firewall zone and remove **WAN** from the `Allow forward to destination zones` field, then click `Save` & `Save & Apply` buttons.<br></br>
+To ensure the traffic on your LAN devices travels strictly via the VPN tunnel and to prevent any possible leaks if the router disconnects from the VPN server for any reason, edit your **lan** firewall zone and remove **WAN** from the `Allow forward to destination zones` field, then click `Save` & `Save & Apply` buttons.<br></br>
 ![](/images-static/uploads/install-openvpn-openwrt-05.png)
 
 ### DNS
@@ -91,11 +84,8 @@ To ensure the traffic on your LAN devices travels strictly via the VPN tunnel an
 
 2. Click on the `Edit` button next to the **WAN** interface
 
-3. In the `Advanced Settings` tab, uncheck the `User DNS servers advertised by peer` and specify one of the following DNS servers in the `Use custom DNS servers` field:
+3. In the `Advanced Settings` tab, uncheck the `User DNS servers advertised by peer` and specify one IVPN DNS server in the `Use custom DNS servers` field.  The list of IVPN DNS server IP addresses, including the AntiTracker, is available [here](/knowledgebase/troubleshooting/what-is-the-ip-address-of-your-dns-servers/).
 
-    - *10.0.254.1* = regular DNS with no blocking
-    - *10.0.254.2* = standard AntiTracker to block advertising and malware domains
-    - *10.0.254.3* = Hardcore Mode AntiTracker to also block Google and Facebook domains<br></br>
 ![](/images-static/uploads/install-openvpn-openwrt-06.png)
 
 3. Click `Save` & `Save & Apply` buttons.
@@ -105,4 +95,7 @@ To ensure the traffic on your LAN devices travels strictly via the VPN tunnel an
 1. A device reboot is not required, though it may be useful to confirm that everything behaves as expected.
 2. Run a leak test at [https://www.dnsleaktest.com](https://www.dnsleaktest.com) via one of the internal network clients attached to your OpenWRT router.
 
-**Please note:** If you plan to use a Multi-hop setup please see [this guide](/knowledgebase/general/how-can-i-connect-to-the-multihop-network/) and make the required changes in the .ovpn config file. 
+### Useful Links
+
+- If you plan to use a Multi-hop connection, please see [this guide](/knowledgebase/general/how-can-i-connect-to-the-multihop-network/) to make the required changes in the `.ovpn` config file.
+- To mitigate the [TunnelVision vulnerability](https://nvd.nist.gov/vuln/detail/CVE-2024-3661), check [this IVPN knowledge base article](/knowledgebase/routers/openwrt-tunnelvision-mitigation-cve-2024-3661/).