OpenVPN And DD-WRT Part 2
We’re better than half way there. You’ve made arrangements with a DDNS provider and have your own URL that points to your DD-WRT router. You’ve downloaded and installed OpenVPN. You’ve used OpenVPN to create some certificates and keys that you’ll later copy to various places. And you’ve done it all without having to learn anything complicated about certificate authorities or web servers or SSL. Easy as pie.
This is the home stretch. First, you’ll go to your DD-WRT router and tell it you want to create an OpenVPN server.To do that, you’ll fill in a few fields, copy and paste four of the files created in the last lesson into well marked text boxes, copy and paste some ‘additional configuration’ into another text box, then, finally, copy and paste some firewall settings into another text box on different DD-WRT tab.
Afterward, you will return to OpenVPN, use Notepad to to edit a configuration file, then copy three files into the same folder as the configuration file.
The Road So Far
In OpenVPN And DD-WRT Part 1, you read an overview of the full project. The introduction above summarized the article pretty well.
Now we’ll configure DD-WRT. Before starting, here’s a few things you’ll encounter.
Four of the files you created in Part 1 will be imported into DD-WRT using Notepad and copy and paste. The files look similar to this …
Some will start with ‘—–BEGIN CERTIFICATE—–‘ and end with ‘—–END CERTIFICATE—–‘. Others will have different but similar verbiage. The server certificate will have a lot of content you can ignore. It stands out … you can’t miss it.
The text to copy and paste starts with ‘—–BEGIN CERTIFICATE—–‘ and ends with ‘—–END CERTIFICATE—–‘ (or similar verbiage) INCLUDING the BEGIN and END captions and ALL of the dashes. Ignore the extra text on the server certificate and only copy the certificate part.
There will be more text to copy and paste into DD-WRT. It’s below. You may have to modify it a little depending on your network configuration. The text you copy is taken from my network configuration. Thus, I can say it works for me and, hopefully, it will work well for you.
A copy of my OpenVPN configuration file is also below. Use it for reference or use it as-is. You will have to add your URL in this file.
DD-WRT and OpenVPN Server
Go to the Services/VPN tab in DD-WRT and configure it as shown below. Explanations follow.
Selected certificates and keys are copied and pasted into the following 4 text boxes. Using the naming convention from Part 1;
- Public Server Cert: DDWRTrouter.crt
- CA Cert: ca.crt
- Public Server Key: DDWRTrouter.key
- DH PEM: dh2048.pem
Additional Config (modify as needed, then copy and paste into DD-WRT. Do not change the certificate names below.)
push “route 192.168.1.0 255.255.255.0”
push “dhcp-option DNS 220.127.116.11”
push “redirect-gateway def1”
server 10.1.1.0 255.255.255.0
keepalive 10 120
Save and Apply Settings.
A couple of the tricky bits described in Part 1 are included in the Additional Configuration settings.
push “dhcp-option DNS 18.104.22.168” was included originally, but I didn’t know how important the DNS option was. OpenVPN via DD-WRT needs access to a DNS server; otherwise it won’t serve web pages. 22.214.171.124 is Google’s public DNS server. Use it or any other one you know you can reach. Don’t use one that you ‘just read about’. Under worst case scenarios, a DNS request for Amazon.com could return an IP address for NotReallyAmazon.com. Taking control of the DNS server reduces the risk of DNS spoofing. If you have a prefered DNS server, use it instead. I had no success directing it to my local gateway. Originally, I believed that ignoring this option would direct you to the DNS server used by the public wi-fi., which may be a very bad idea.
push “redirect-gateway def1” was not included. The Advanced Options has a radio button that states you can direct all traffic through the gateway by selecting it. That button adds this line. I just typed it in myself because, to me, it’s more clear. Unfortunately, this is not all you need. Just adding this directive will do nothing special. You need the DNS option mentioned above AND a specific firewall directive. Additionally, there are variations of this line in the documentation. I have no idea if they work. Most articles use this variation. OpenVPN documentation uses two versions of this directive interchangeably.
Altering the DD-WRT Firewall
Move to the Administration/Commands tab.
Copy and paste the following text into the open text box. Change as required. The network below is your OpenVPN network.
iptables -I INPUT 1 -p tcp –dport 443 -j ACCEPT
iptables -I FORWARD 1 –source 10.1.1.0/24 -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.1.1.0/24 -j MASQUERADE
The last tricky bit is in the firewall directives. There are almost innumerable variations of the POSTROUTING line. The most common version is almost identical to the one above except it is longer due to having more detail. It didn’t work. This one is the only one that worked for me. Many references offer a set of several POSTROUTING lines, all of which you are asked to include. Other references state that more than one line is redundant. I never tried the mult-line versions, preferring to keep my configuration as simple as possible. I found this line in a forum reply somewhere and later figured out why it worked.
I suspect this line appended to the POSTROUTING chain worked because I told iptables to alter the nat table from source 10.1.1.0/24 and MASQUERADE everything, not just output for a specific interface. Specifying the wrong interface was the problem. Since 10.1.1.0/24 is the VPN subnet, dealing with all output seems OK. Anyway, it worked.
Saving your firewall changes in a live environment will knock your router out of commission while it digests the changes. Your wireless on the machine making the changes will act loopy for a while. It always cleared up in a few minutes, except once. I downloaded an application that was designed to help with client OpenVPN connections, just to see if any OpenVPN gateway to the router was possible. It appeared to pull a lot of configuration down to the client so that it would work even if the server configuration had issues. It proved OpenVPN was a good product, but I suspect having too many things messing with my laptop network connection fouled something up. The wireless never returned after one firewall alteration. Rather than waste time trying to figure it out, I restored the partition from a recent bare metal backup and picked up without the OpenVPN client helper app. The helper app also proved the client configuration file had no problems I needed to deal with. It’s fixes were all behind the scene on my laptop.
After rebooting the router, go to the Status/OpenVPN tab. You should see that the VPN is active on the router.
Configuring OpenVPN on the Client PC
The hard work is done. Here’s what’s left:
- Install OpenVPN on the client PC (assuming it’s a different one than the one you’ve been working on all along.)
- Copy three files from …\OpenVPN\easy-rsa\keys to ..\OpenVPN\config. Using the naming conventions from Part 1:
- Navigate to ..\OpenVPN\config. Open Notepad with Administrator privileges and modify client.ovpn as pictured. As an alternative, you can copy and paste the provided text and change it to match your configuration.
# Sample client-side OpenVPN 2.0 config file #
# for connecting to multi-client server. #
# This configuration can be used by multiple #
# clients, however each client should have #
# its own cert and key files. #
# On Windows, you might want to rename this #
# file so it has a .ovpn extension #
# file for Laptop01
remote YOUR_URL.COM 443
The biggest gotcha with client.ovpn are Window’s text editors. This is a text file and Windows may try to name it client.ovpn.txt. If this happens, OpenVPN gui will just stare at you and offer nothing to connect to. Windows Explorer will probably be of no help discovering this problem since it hides file types by default.
OpenVPN gui will allow you to connect to any file with a .ovpn file type. If more than one are in the folder, it will offer a choice.
If OpenVPN offers a sample configuration file with a different extension than .ovpn, you should rename it to .ovpn if you use it.
If successful, you should now be able to start OpenVPN. Double Click the OpenVPN icon. You will need to Run As Administrator. Find the OpenVPN icon at the bottom right of the taskbar. Right click on it. Select Connect. You will be prompted for a password if you asked for that option when building client certificates. If successful, a little bubble will appear above the icon and tell you that you are connected.
After starting OpenVPN and connecting to your tunnel, open a command window and run ipconfig /all.
Next run tracert 126.96.36.199.
You should see your OpenVPN server at the top, followed by the route to your destination, the Google DNS server.
Any browser windows open BEFORE you start OpenVPN will remain outside the tunnel. Make sure your browser is closed before starting OpenVPN client.
A visit to WhatIsMyIP.com will present your home IP address if the tunnel is active and functioning properly.
Assuming OpenVPN works as described, you will now be able to securely pass through your home internet connection from any public internet connection. SSL encryption will keep the session as private as if you were at home. (By inference, this also means that if your home connection is as loose as a goose, so will be your browsing session, except for the part from public wi-fi to your home internet.)