
OpenVPN And DD-WRT Part 1

Wouldn’t it be great if you could use free internet and not worry whether the goofball at the next table or the stranger in the hotel room next door is recording everything you do? Well, you can if you use a properly secured VPN. The term ‘VPN’ refers to a Virtual Private Network. Think of your internet session as being enclosed by a tunnel. Some VPNs are more secure than others. One locked down by a free program called OpenVPN is as private as you can get.

With OpenVPN, you can use a public internet connection to privately connect to your home router and flow through your home internet connection just as if you were sitting at home all along. Your internet session will be as secure as your home internet.

OpenVPN uses SSL, which is the same security method used by the most secure shopping sites. Fortunately, SSL encryption using OpenVPN is much easier to set up and use than SSL-based solutions that involve web servers and knowledge of certificate servers. There’s still some busywork involved, but far less, and it’s much less complicated.

OpenVPN has two parts: the client part you install on your PC and the server part that’s pre-loaded on many devices. The server part is available on some home routers. Not many router manufacturers include it by default. You can get OpenVPN server if you install alternate firmware, such as DD-WRT and a few others, on your home router.

I’ve Read About This Before and It Looked Complicated

That’s exactly what I said until I learned how to set up and use an OpenVPN connection. The problem for me was that too many articles threw a lot of details against the wall and expected the reader to make sense of how they connected together. I also had to ignore everything I learned previously about certificate servers and certificate authorities. OpenVPN hides most of that from the user. You still have to get your hands dirty using copy and paste on a few files created by OpenVPN, but, otherwise, you don’t have to know what they are or how they work.

Long ago in school, someone said the best way to teach someone something is

  • Tell Them What You Are Going To Say
  • Say It
  • Tell Them What You Just Said

And that’s what I’m going to do here. First I will provide an overview. Then I will spill all the details. Finally, I will give you some charts that summarize much of what has been said. I’m going to split the full lesson into three parts. Part 1, this part, is the overview and the details about how to install OpenVPN on your PC and create all the certificates you will need. Part 2 will tell you how to configure OpenVPN server on your DD-WRT router and make the VPN connection. Part 3 is the summary.

A Funny Story. These articles were first posted in early November, 2014. OpenVPN appeared to work great. A couple of weeks later I was using public wi-fi and noticed that NO internet traffic was going out over the VPN. All traffic was out in the open. I took the three articles down for repair and then started my research into why OpenVPN via DD-WRT offered no browsing security.

The most important thing I discovered was that, by default, OpenVPN via DD-WRT directs NO traffic over the encrypted connection. All of it still goes out over public wi-fi unless you add a few commands that are not universally included in available instructions. In addition, those that do describe the additional requirements conflict with each other. Basically, most don’t work … or at least didn’t work for me. My fix was made of several bits from several articles and a lot of trial and error. The installation documented in Parts 1, 2, and 3 works well for me … or at least as well as OpenVPN works.

The tricky parts I discovered are pointed out as you read. I also fixed a few typos that would have otherwise caused problems. I won’t point them out. Sorry about that.

The end goal is to be able to browse securely using public wi-fi by creating an encrypted connection from your laptop through your home router. The session should be as secure as your home network. You will not be able to interact with other resources on your home network. For that, you should consider OpenVPN on a NAS box, a remote desktop application such as TeamViewer, or some other encrypted tunnel.

Before I Start, Is There An Easier Way To Safely Use Public WiFi?

Why, yes there is. OpenVPN protects anything that goes out over your internet connection. A different method that uses DD-WRT and its built in SSH Server allows you to browse safely with encryption. Only programs that can use an alternate port, such as browsers, can try it. Take a look.

OK, How Do I Start With OpenVPN?

Before anything else, get a public internet address that leads back to your home router. During the final stage of configuration, you will have to tell OpenVPN the URL of your home router. If you’re using DD-WRT then you will need to get one from a vendor of DDNS services that DD-WRT supports on the Setup/DDNS tab. You may have to pay for it. The DDNS service will link the IP address from your ISP to a name you create.

For example, no-IP.com is a popular provider of DDNS services. You will use their naming guidelines and create a URL of your own that always points back to the IP address assigned to you by your ISP. More information about DDNS and home networking in general can be read here.

Next, download and install a copy of OpenVPN, checking all the boxes when asked which parts you wish to install.

[Update March 9, 2015: OpenVPN client for Windows has a security vulnerability for versions prior to 2.3.6-I002/I602, called Freak. It allows an extremely motivated hacker to perform a man-in-the-middle attack. The likelihood of attack for most people is slim. To completely eliminate it, according to OpenVPN, load the most recent version of OpenVPN for Windows.]

Then you open a Command Window using Administrator level privileges and navigate to the ..\OpenVPN\easy-rsa folder. While there you will …

  1. Open a Command prompt with Administrator privileges.
  2. Run a batch file.
  3. Open Notepad with Administrator privileges to edit a file that you just created in step 1. You will type standard configuration values that later batch files will read for default values.
  4. Run a few more batch files that each create certificates or keys for various purposes. These files will be written to ..\OpenVPN\easy-rsa\keys.

Now you configure DD-WRT.

  1. Go to the Services/VPN tab
  2. Enable the OpenVPN server
  3. Configure the fields as described later
  4. Copy and paste the text from four of the OpenVPN files created earlier into big boxes that are well marked
  5. Copy and paste some ‘additional configuration’ text and modify it as required to match your particular network
  6. Go to the Administration/Commands tab to copy and paste some firewall text, modifying it afterward to support your network.
  7. Reboot your router, making sure to save and apply changes first.

Finally, you configure OpenVPN on each PC that will connect remotely.

  1. Install OpenVPN
  2. Copy some files you just created from ..\OpenVPN\easy-rsa\keys into ..\OpenVPN\config on the PC that will connect remotely
  3. Open Notepad with Administrator privileges to modify file client.ovpn, telling OpenVPN your URL and a few other things
  4. Start OpenVPN with Administrator privileges. Without using Administrator level privileges, OpenVPN will connect and look like it works, but will offer no default browsing security whatsoever. (One of the tricky bits.)

Connect.

The Details With Pictures

Go to the OpenVPN download page and select the correct file for your operating system.

DDWRT-OpenVPN-01

***

Download and install, checking all boxes.

DDWRT-OpenVPN-02

***

Open a command window with Administrator privileges and navigate to ..\OpenVPN\easy-rsa

DDWRT-OpenVPN-03

***

Run batch file init-config.bat

DDWRT-OpenVPN-04

***

Edit file vars.bat using Notepad or any other text editor. This is the file of default values all subsequent batch files will use for reference. Most values may be overridden when the later batch files are run.

Many people set the key size to 2048. Users who are familiar with OpenSSL should relax a bit. OpenVPN is far less sensitive about field names than if you were using OpenSSL to set up a secure web site on your web server. No values here need to tie back to your URL. Practically any values here are fine. Avoid using spaces between words because some values in later programs will also be used for file names and it’s unclear if OpenVPN will have issues down the road in that instance.

Other than KEY_SIZE, the values to consider changing are those at the bottom, starting with set KEY_COUNTRY. Leave the others alone. Just about any value is acceptable. CN stands for Common Name. This field is important later because it MUST MATCH the parameter used when later batch files are run.
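For readers who cannot see the screenshots, this is an added illustration (not the author’s own vars.bat) of what the tail of the file can look like after editing. The variable names are the ones init-config.bat puts there; the values are constructed placeholders, chosen without spaces as the text advises, and the commented "before" line shows the 1024-bit size that older Easy-RSA copies shipped with.

```batch
rem Tail of vars.bat after editing -- constructed example values, not the
rem article author's.  Only the variable names come from Easy-RSA itself.
rem Shipped default in older Easy-RSA (too small today):  set KEY_SIZE=1024
set KEY_SIZE=2048
rem Values below seed the prompts that build-ca.bat, build-key.bat,
rem build-key-pass.bat and build-key-server.bat show; any of them can be
rem overridden at the prompt.  No spaces: some end up in file names.
set KEY_COUNTRY=US
set KEY_PROVINCE=NC
set KEY_CITY=Raleigh
set KEY_ORG=HomeNet
set KEY_EMAIL=vpn@example.com
rem KEY_CN is only the default offered at the Common Name prompt.  What you
rem actually type there must equal the name passed to the build-key batch
rem file (Laptop01, DDWRTrouter, ...), so it gets retyped per certificate.
set KEY_CN=HomeVPN
set KEY_NAME=HomeVPN
set KEY_OU=Home
```

The KEY_SIZE value is the one that later shows up in the name of the Diffie-Hellman file, dh2048.pem, so check it before running build-dh.bat rather than after the wait.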

DDWRT-OpenVPN-05

***

This is how mine looks.

DDWRT-OpenVPN-05a

***

Run vars.bat

Run clean-all.bat

Run build-ca.bat

DDWRT-OpenVPN-06

***

Next, build the certificate and key files that will be copied to the PC(s) that connect(s) remotely. If more than one PC will connect, you may choose to create separate file sets for each one. In the examples below, I created three file sets for three PCs.

When you invoke the batch file that creates the client files, you pass a client computer name as a parameter. This name MUST MATCH the Common Name field that is prompted for as the batch file runs. (The instructions and practice runs made it unclear if Name should also match. I also used the same value in that field.)

OpenVPN gives you a choice at this stage. You can build the client files so that they prompt for a password every time you call OpenVPN from your remote PC. This is optional. I used the names Laptop01, Laptop02, and Laptop03. You can name them anything you want. Many other articles on OpenVPN use the names Client1, Client2, and Client3.

Examples:

build-key.bat Laptop01

or

build-key-pass.bat Laptop01

Note that Laptop01 is entered as the Common Name and Name below.

The password is the first thing asked for. It will ask for confirmation. Ignore any password requests that might be prompted for toward the end of the run. Answer ‘Y’ to the two questions at the end asking you to sign and commit.

Below are all three client certificate requests.

DDWRT-OpenVPN-07

DDWRT-OpenVPN-08

DDWRT-OpenVPN-09

***

Next you create the server certificate. I named this one DDWRTrouter. Most other lessons use the name server. You can call it anything you want. Just like the client batch file, you pass the name of the server as a parameter AND type it into the Common Name field. Like before, I also typed it into the Name field.

Run build-key-server.bat DDWRTrouter

DDWRT-OpenVPN-10

***

Lastly, run build-dh.bat. It takes a couple of minutes to finish.

DDWRT-OpenVPN-11

***

When done, folder ..\OpenVPN\easy-rsa\keys will look similar to this.

DDWRT-OpenVPN-12

***

Easy-RSA is fussy about going back a step or two if you want to change something or add another client certificate. You may have to clear everything out and start over.

Four of the files above will be copied into DD-WRT via notepad and copy and paste. The boxes they are copied into are clearly marked.

  • ca.crt
  • DDWRTrouter.crt
  • DDWRTrouter.key
  • dh2048.pem

Three files will be copied as-is (using whatever naming convention you used for the client files) to each remote client computer. (..\OpenVPN\config)

  • ca.crt
  • Laptop01.key
  • Laptop01.crt
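The two lists above are the whole point of the certificate step, and a mix-up here (a client key that ends up on the router, or worse, ca.key copied anywhere) is easy to miss in a folder full of similar names. As an added example, not from the article or from OpenVPN/Easy-RSA, the batch file below checks the generated material and sorts it into one staging folder for the router and one per client. It assumes the names used in this article (DDWRTrouter, Laptop01 to Laptop03), the default keys folder, and the standard 64-bit install path for openssl.exe; change those four lines to match your own run.

```batch
@echo off
rem stage-keys.bat -- added example, not part of the original article or
rem of OpenVPN/Easy-RSA.  Run from ..\OpenVPN\easy-rsa after build-dh.bat.
rem Assumed names: the article's DDWRTrouter and Laptop01..Laptop03, the
rem default keys folder, and the default openssl.exe install location.
setlocal
set "OPENSSL=C:\Program Files\OpenVPN\bin\openssl.exe"
set "KEY_DIR=keys"
set "SERVER=DDWRTrouter"
set "CLIENTS=Laptop01 Laptop02 Laptop03"
set "OUT=staging"

rem 1. Every certificate must chain to the ca.crt built by build-ca.bat.
rem    A certificate left over from an earlier clean-all/build-ca cycle
rem    fails this check, which is exactly the Easy-RSA trap described above.
for %%C in (%SERVER% %CLIENTS%) do (
    "%OPENSSL%" verify -CAfile "%KEY_DIR%\ca.crt" "%KEY_DIR%\%%C.crt" >nul || (
        echo ERROR: %%C.crt is not signed by %KEY_DIR%\ca.crt
        exit /b 1
    )
    rem Print the subject so the CN can be compared with the file name.
    "%OPENSSL%" x509 -noout -subject -in "%KEY_DIR%\%%C.crt"
)

rem 2. build-dh.bat must have finished; dh2048.pem matches KEY_SIZE=2048.
if not exist "%KEY_DIR%\dh2048.pem" (
    echo ERROR: %KEY_DIR%\dh2048.pem is missing, run build-dh.bat
    exit /b 1
)

rem 3. The four files that get pasted into the DD-WRT boxes.
if not exist "%OUT%\router" mkdir "%OUT%\router"
for %%F in (ca.crt %SERVER%.crt %SERVER%.key dh2048.pem) do (
    copy /y "%KEY_DIR%\%%F" "%OUT%\router\" >nul
)

rem 4. One folder per client holding only that client's three files,
rem    ready for ..\OpenVPN\config on that PC and nowhere else.
for %%C in (%CLIENTS%) do (
    if not exist "%OUT%\%%C" mkdir "%OUT%\%%C"
    for %%F in (ca.crt %%C.crt %%C.key) do (
        copy /y "%KEY_DIR%\%%F" "%OUT%\%%C\" >nul
    )
)

rem 5. ca.key signs every certificate and must never leave this machine.
rem    dir /s succeeds only if a copy turned up somewhere under %OUT%.
dir /s /b "%OUT%\ca.key" >nul 2>&1 && (
    echo ERROR: ca.key was staged under %OUT%, delete it before copying anything
    exit /b 1
)
echo Router files are in %OUT%\router, client files in %OUT%\Laptop0x
endlocal
```

Run it once after build-dh.bat finishes. If step 1 reports a certificate that does not chain to ca.crt, the fix is the one the text gives: clean-all.bat, build-ca.bat, and rebuild every certificate, not just the one that failed.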

Now, on to DD-WRT and OpenVPN – Part 2


2 Comments on “OpenVPN And DD-WRT Part 1”

  1. Alex Ivanov says:

    I have to add something here (maybe needs to be added in the tutorial).
    Some may have problems when they run build-ca.bat or any other bat that uses openssl.
    Since I received an error that openssl is not a valid command when creating a certificate or key, I added the full path into the bat as:

    “C:\Program Files\OpenVPN\bin\openssl.exe” req -days 3650 -nodes -new -x509 -keyout %KEY_DIR%\ca.key -out %KEY_DIR%\ca.crt -config %KEY_CONFIG%

    instead of

    openssl req -days 3650 -nodes -new -x509 -keyout %KEY_DIR%\ca.key -out %KEY_DIR%\ca.crt -config %KEY_CONFIG%

    This is from the newer version of OpenVPN client (2.3.8). If someone uses the newest version and encounters this problem, check that the path is in “FULL_PATH” and not without, otherwise you will receive the error:

    C:\Program is not a valid command…. because the ” ” are missing.

    Change everywhere, in each bat when openssl is by itself.

    • Carl Rinker says:

      I’ll take a look. I navigated to the directory where OpenSSL lives before entering the commands. That enabled me to type less when I entered them. If they changed something, I’ll make a note. Thanks.
