OpenVPN And DD-WRT Part 3

The biggest problem with learning how to set up an OpenVPN server on a DD-WRT router is the sheer number of details that have to be waded through. Even my own articles throw a lot of mud against the wall. Wouldn’t it be nice if there were one separate article that contained only the high points and skipped the details you don’t need to slog through more than once?

Look no further. The details aren’t going away. If you want them you can review DD-WRT and OpenVPN – Part 1 and/or DD-WRT and OpenVPN – Part 2.

A different method, quite easy to install, uses DD-WRT’s built-in SSH server and also lets you browse safely over an encrypted connection. Only programs that can use an alternate port, such as browsers, can use it. Take a look.

This is the Quickie-Mart version. Concise summaries of how to install and configure OpenVPN server on DD-WRT are below. Actual configurations are included. I know they work because they came from my router and OpenVPN installation. Any changes needed so the text will work with your home network are your responsibility.

Please direct your attention to the following sections and be prepared to find:

  • An OpenVPN batch file summary
  • An OpenVPN certificate and key summary
  • A DD-WRT configuration summary
  • Sample text for DD-WRT ‘Additional Config’
  • Sample DD-WRT firewall modifications
  • A sample client.ovpn file
  • Some directions on where to copy client files

OpenVPN server is offered on other alternate router firmwares besides DD-WRT. These instructions should be helpful with many of them.

Creating Certificates With OpenVPN

[Screenshot DDWRT-OpenVPN-42 (image not reproduced in this text)]

OpenVPN Certificates

[Screenshot DDWRT-OpenVPN-41 (image not reproduced in this text)]

DD-WRT / OpenVPN Server settings

[Screenshot DDWRT-OpenVPN-43b (image not reproduced in this text)]


Sample DD-WRT additional config text

# Route, DNS server and default gateway pushed to every client;
# "redirect-gateway def1" sends all client traffic through the tunnel.
push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS 8.8.8.8"
push "redirect-gateway def1"
# Address pool handed to VPN clients (must match the 10.1.1.0/24 in the firewall text)
server 10.1.1.0 255.255.255.0
dev tun0
proto tcp
keepalive 10 120
# Certificate material; DD-WRT places the keys pasted into its GUI under /tmp/openvpn
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem

Sample DD-WRT firewall text

# Accept the OpenVPN listener (TCP 443 here; must match the proto and port the server uses)
iptables -I INPUT 1 -p tcp --dport 443 -j ACCEPT
# Forward traffic from the VPN client pool between the LAN bridge (br0) and the tunnel (tun0)
iptables -I FORWARD 1 --source 10.1.1.0/24 -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
# NAT the client pool so its traffic leaves with the router's address
iptables -t nat -A POSTROUTING -s 10.1.1.0/24 -j MASQUERADE
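The Additional Config text and the firewall text above have to agree on three things: the client pool (10.1.1.0/24), the tunnel device (tun0) and the transport (tcp). As an added example, not from the article or from DD-WRT, the following POSIX shell script derives the five firewall lines from the Additional Config text and checks an existing firewall text against them, so the two boxes cannot silently disagree. It assumes the listening port is passed in (DD-WRT sets the port in its GUI, not in this text) and uses constructed copies of the article's samples as input; a constructed firewall text that opens UDP while the config says proto tcp is rejected.

```shell
#!/bin/sh
# Added example, not from the article or DD-WRT: derive the DD-WRT firewall
# lines from the OpenVPN "Additional Config" text and check an existing
# firewall text against them. The listening port is passed in because
# DD-WRT sets it in the GUI, not in this text. All inputs are constructed
# copies of the article's samples.

SERVER_CONF='push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS 8.8.8.8"
push "redirect-gateway def1"
server 10.1.1.0 255.255.255.0
dev tun0
proto tcp
keepalive 10 120'

ARTICLE_FIREWALL='iptables -I INPUT 1 -p tcp --dport 443 -j ACCEPT
iptables -I FORWARD 1 --source 10.1.1.0/24 -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.1.1.0/24 -j MASQUERADE'

# Constructed mismatch: opens UDP although the config says "proto tcp", and
# never forwards the tunnel traffic.
BAD_FIREWALL='iptables -I INPUT 1 -p udp --dport 443 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.1.1.0/24 -j MASQUERADE'

# Print the value of the first NAME directive in CONFIG (empty if absent).
directive() {  # directive CONFIG NAME
  printf '%s\n' "$1" | awk -v k="$2" '$1==k{$1=""; sub(/^ /,""); print; exit}'
}

# Convert a dotted-quad netmask to a prefix length (255.255.255.0 -> 24);
# fail on an octet that is not a valid mask value.
mask_to_prefix() {
  prefix=0
  oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
  for octet in "$@"; do
    case $octet in
      255) prefix=$((prefix + 8)) ;; 254) prefix=$((prefix + 7)) ;;
      252) prefix=$((prefix + 6)) ;; 248) prefix=$((prefix + 5)) ;;
      240) prefix=$((prefix + 4)) ;; 224) prefix=$((prefix + 3)) ;;
      192) prefix=$((prefix + 2)) ;; 128) prefix=$((prefix + 1)) ;;
      0) ;; *) return 1 ;;
    esac
  done
  echo "$prefix"
}

# Print the client address pool from the "server" line in CIDR form.
vpn_cidr() {  # vpn_cidr CONFIG
  set -- $(directive "$1" server)
  [ -n "$2" ] || return 1
  echo "$1/$(mask_to_prefix "$2")"
}

# Emit the five firewall lines the article uses, derived from CONFIG and PORT.
firewall_rules() {  # firewall_rules CONFIG PORT
  cidr=$(vpn_cidr "$1") || return 1
  dev=$(directive "$1" dev); dev=${dev:-tun0}
  case $(directive "$1" proto) in tcp*) proto=tcp ;; *) proto=udp ;; esac
  printf 'iptables -I INPUT 1 -p %s --dport %s -j ACCEPT\n' "$proto" "$2"
  printf 'iptables -I FORWARD 1 --source %s -j ACCEPT\n' "$cidr"
  printf 'iptables -I FORWARD -i br0 -o %s -j ACCEPT\n' "$dev"
  printf 'iptables -I FORWARD -i %s -o br0 -j ACCEPT\n' "$dev"
  printf 'iptables -t nat -A POSTROUTING -s %s -j MASQUERADE\n' "$cidr"
}

# Succeed when every derived rule appears verbatim in FIREWALL; otherwise
# print the missing lines and fail.
check_firewall() {  # check_firewall CONFIG PORT FIREWALL
  missing=""
  rules=$(firewall_rules "$1" "$2") || return 1
  oldifs=$IFS; IFS='
'
  for rule in $rules; do
    printf '%s\n' "$3" | grep -qxF -- "$rule" || missing="${missing}${rule}
"
  done
  IFS=$oldifs
  [ -z "$missing" ] || { printf 'missing:\n%s' "$missing"; return 1; }
}

firewall_rules "$SERVER_CONF" 443
check_firewall "$SERVER_CONF" 443 "$ARTICLE_FIREWALL" && echo "article firewall: ok"
check_firewall "$SERVER_CONF" 443 "$BAD_FIREWALL" || echo "constructed firewall: rejected"
```

The check is a verbatim line match, so an equivalent rule written differently (for example -s instead of --source) is reported as missing rather than recognised; that is deliberate, since the point is to keep the two pasted texts in lockstep rather than to reason about iptables semantics.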

Sample OpenVPN client.ovpn

(replace YOUR_URL.COM with your personal DDNS url)

##############################################
# Sample client-side OpenVPN 2.0 config file #
# for connecting to multi-client server.     #
#                                            #
# This configuration can be used by multiple #
# clients, however each client should have   #
# its own cert and key files.                #
#                                            #
# On Windows, you might want to rename this  #
# file so it has a .ovpn extension           #
##############################################
# file for Laptop01
client
dev tun0
proto tcp

# The server's DDNS name and the port opened in the firewall text
remote YOUR_URL.COM 443

resolv-retry infinite

nobind
persist-key
persist-tun

# This client's own certificate and key; ca.crt is shared by all clients
ca ca.crt
cert Laptop01.crt
key Laptop01.key

# Rejects a peer certificate that is not marked as a server certificate.
# OpenVPN 2.5 removed ns-cert-type; current clients use "remote-cert-tls server".
ns-cert-type server
comp-lzo
verb 3
float

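A client profile that disagrees with the server on transport, port or device type fails in ways that look like a firewall or DNS problem. As an added example, not from the article or from OpenVPN, the following POSIX shell script lints a client.ovpn against the server's Additional Config before the profile is copied to a laptop: it checks that remote port, proto family and tun/tap device match, that ca, cert and key are all named, and flags ns-cert-type (removed in OpenVPN 2.5) and comp-lzo (compression, deprecated since 2.4). Both texts are constructed copies of the article's samples, and the server port is passed in because DD-WRT sets it in its GUI.

```shell
#!/bin/sh
# Added example, not from the article or OpenVPN: lint a client.ovpn against
# the server's "Additional Config" before it is copied to a laptop, so the
# transport, port and device type agree and directives that newer OpenVPN
# releases dropped are flagged. Both texts are constructed copies of the
# article's samples; the server port is passed in because DD-WRT sets it in
# the GUI rather than in the config text.

CLIENT_OVPN='client
dev tun0
proto tcp
remote YOUR_URL.COM 443
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert Laptop01.crt
key Laptop01.key
ns-cert-type server
comp-lzo
verb 3
float'

SERVER_CONF='server 10.1.1.0 255.255.255.0
dev tun0
proto tcp
keepalive 10 120'

# Print the value of the first NAME directive in CONFIG (empty if absent).
directive() {  # directive CONFIG NAME
  printf '%s\n' "$1" | awk -v k="$2" '$1==k{$1=""; sub(/^ /,""); print; exit}'
}

# Succeed when NAME occurs in CONFIG, for directives that take no value.
has_directive() {  # has_directive CONFIG NAME
  printf '%s\n' "$1" | awk -v k="$2" '$1==k{f=1} END{exit !f}'
}

# Reduce proto spellings (tcp-client, tcp4, udp6, ...) to tcp or udp;
# OpenVPN defaults to udp when the directive is absent.
proto_family() {
  case $1 in tcp*) echo tcp ;; udp*) echo udp ;; '') echo udp ;; *) echo "$1" ;; esac
}

# Print ERROR/WARN findings for CLIENT against SERVER; fail if any ERROR.
lint_client() {  # lint_client CLIENT SERVER SERVER_PORT
  client=$1; server=$2; port=$3; rc=0
  set -- $(directive "$client" remote)       # host port [proto]
  if [ -z "$1" ]; then
    echo "ERROR: no remote directive"; rc=1
  elif [ "${2:-1194}" != "$port" ]; then
    echo "ERROR: remote port ${2:-1194} but the server listens on $port"; rc=1
  fi
  cproto=$(proto_family "${3:-$(directive "$client" proto)}")
  sproto=$(proto_family "$(directive "$server" proto)")
  [ "$cproto" = "$sproto" ] ||
    { echo "ERROR: client proto $cproto but server proto $sproto"; rc=1; }
  cdev=$(directive "$client" dev); sdev=$(directive "$server" dev)
  [ "${cdev%%[0-9]*}" = "${sdev%%[0-9]*}" ] ||
    { echo "ERROR: client dev $cdev but server dev $sdev (tun and tap do not mix)"; rc=1; }
  for f in ca cert key; do
    [ -n "$(directive "$client" "$f")" ] || { echo "ERROR: no $f file named"; rc=1; }
  done
  has_directive "$client" ns-cert-type &&
    echo "WARN: ns-cert-type was removed in OpenVPN 2.5; use remote-cert-tls server"
  has_directive "$client" comp-lzo &&
    echo "WARN: comp-lzo turns on compression, deprecated since OpenVPN 2.4 (VORACLE)"
  return $rc
}

lint_client "$CLIENT_OVPN" "$SERVER_CONF" 443 && echo "client.ovpn: no errors"
```

With the article's profile the script prints the two WARN lines and exits 0; change the client to proto udp, or tell it the server listens on 1194, and it reports an ERROR and exits 1, which is the mismatch a traveller would otherwise only discover as a connection timeout.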

Sample of OpenVPN client files to copy

Copy three files from …\OpenVPN\easy-rsa\keys to ..\OpenVPN\config. Using the naming conventions from Part 1:

  • ca.crt
  • Laptop01.crt
  • Laptop01.key

Now, go for it.

One last thing. I’m not a DD-WRT expert. I’m not an OpenVPN expert. I’m not an iptables expert although I’ve been working at learning more. It’s rather logical although I’m not sure how it otherwise relates to default DD-WRT. If you don’t understand a reference about OpenVPN, or want to know more about iptables, or are having problems with DD-WRT then post the question. But try to look it up first. I learned all of this by using Google and being persistent.


26 Comments on “OpenVPN And DD-WRT Part 3”

  1. Cote/Bunklung says:

    Very nice write up! You put in some hard work getting this put together. I have had a little experience with OpenVPN/DD-WRT. Originally I did effectively what you have setup: run DD-WRT as a server (home) and have clients (PCs) connect to it remotely. I never got around to creating certificates, I just used a static key. In the end, I used two DD-WRT routers (one server and one client). With the final configuration, it was simple. I didn’t have to mess around with certificates and I didn’t need to install OpenVPN on any devices, I would just plug-in/wireless associate it with the client DD-WRT OpenVPN router in my backpack. Dirt cheap hardware VPN!

    Then I moved on…

    Currently I use DD-WRT as a hardware like VPN (client) and use a VPN service provider. Now I just connect PCs/devices directly (wired or wireless) to the router, nothing leaks and no setup for the devices requiring the VPN. If I want to tunnel traffic to and from my home network, I use SSH/Sock from an unrelated DD-WRT device inside my LAN.

    My most recent DD-WRT endeavor: http://www.antifart.com/2014/11/26/dd-wrt-block-traffic-when-the-vpn-conection-fails.html

    That’s my blog/website.

  2. Ben says:

    Hello,

    I am a novice and was wondering about the simplified two DD-WRT router setup Mr. Antifart has mentioned above, i.e. how to generate the static key and where to find whatever you need to input on both the server and client sides. Also, would you still need to enter the additional configuration and firewall commands?

    Also thank you very much to the author, if every instruction manual was as good as this the world would be a much better place!

  3. Andy says:

    hi, everyone

    I get a problem when I try to set up an OpenVPN server to reach my home LAN PCs.
    I set up the OpenVPN server on a DD-WRT router and connected successfully;
    my VPN client IP is 10.8.0.6, the DD-WRT router's local subnet is 192.168.1.0, and the router IP is 192.168.1.1.
    I try to reach a PC behind the router, like 192.168.1.128,
    but I cannot ping 192.168.1.128, or even 192.168.1.1.
    Do you know what the problem is?

    server config
    push "route 192.168.1.0 255.255.255.0"
    server 10.8.0.0 255.255.255.0
    dev tun0
    proto udp
    keepalive 10 120
    dh /tmp/openvpn/dh.pem
    ca /tmp/openvpn/ca.crt
    cert /tmp/openvpn/cert.pem
    key /tmp/openvpn/key.pem

    Firewall

    iptables -I INPUT 1 -p tcp --dport 1194 -j ACCEPT
    iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT
    iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o br0 -j MASQUERADE
    iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE
    iptables -t nat -I POSTROUTING -o tun0 -j MASQUERADE
    iptables -I FORWARD 1 --source 10.8.0.0/24 -j ACCEPT
    iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
    iptables -I FORWARD -i tun0 -o br0 -j ACCEPT

    • Carl Rinker says:

      The configuration you have is different from the one I wrote. That one works well for me. I can’t speak to any other. The iptables you wrote are really different. Iptables is the Linux firewall. You might be cutting yourself off there, too. I’m not an iptables expert, though, so that is only conjecture. No ping suggests a DNS problem. You won’t ping any 192.168 address. Only your DDNS IP address. Read the article and do what I did and it should work.

      I recently added an article about DD-WRT and SSH server. It allows you to browse securely over public wifi and is easier to set up. Look into it.

  4. Alex Ivanov says:

    Well, I can only appreciate your work and dedication in writing this article. I’ve tried several other configurations, even setting up a VPN server on Mac OS X, but to no avail. So I decided that I want it on a DD-WRT router, and your steps, clearly described, are best.

    Thanks for the hard work

    • Carl Rinker says:

      Thank you. They didn’t make it easy. Lots of little differences among various other articles, and a lot is not included. FYI, I performed an OpenVPN install on pfSense. It was very easy. The background experience from DD-WRT helped a lot … coming in cold would have been a little confusing. It has a client export utility that is automatic. Also, it uses named clients. A utility on the router generates certificates for them in a second.

  5. Jordan says:

    Just want to say thanks so much! I followed your directions carefully, and it worked on 4 devices the first time! Very clear!

    In My case, I have an old Netgear WDR3700 that I repurposed strictly as an OpenVPN gateway. I installed DD-WRT, and got it working behind my main, new, Nighthawk router. I do not use any of the “default” IP addresses anywhere in my network, by the way. I’ve turned off all the wireless radios in the old router, as I just need it to act as a VPN tunnel to my phones, tablets, and laptops. For security, and to get to NAS drives when away from home. I had planned to just enable the Nighthawk VPN… but I discovered to my dismay, that it only supports TAP/layer 2 VPN protocol, which does not work with iOS devices at all at this time (rev 8.4.1 iOS).

    So I’ve configured the WDR3700 as a wired Access Point (AP), Forward the VPN TCP Port from the Nighthawk to the WDR3700, and otherwise, just followed your directions carefully. Works beautifully! I’ve verified that all traffic is going through the VPN tunnel. I have also verified that multiple devices can connect and use the VPN tunnel at the same time.

    One more thing I did, and maybe it is worth mentioning somewhere in your directions: although it is not really VPN specific, I have configured the WDR3700 to reboot itself once per day. When I am travelling on extended trips, I would really hate to find myself unable to VPN into my network. Select the Administration menu, then the Keep Alive submenu, and configure the Scheduled Reboot as desired.

    Jordan

  6. aj johnson says:

    Carl, I am lacking in my knowledge of VPNs but do have limited knowledge of networks. I want to set up a VPN with the following physical attributes:
    L1{NN-RouterAAnetwork1.1—-isp’s Cable modemwanA}L2{isp’s cable modemwanB—RouterBBnetwork0.1} What I want to do is connect RouterAA (DD-WRT, running OpenVPN client) to RouterBB (DD-WRT, running OpenVPN server). I want NN clients @ L1 to access network0.1 @ L2 as if I am at that location. It seems like this should be a simple setup, but I am clueless as to how to configure the routers. I’ve found sites that show how to set up individual clients remotely but can’t seem to find any that show how to set up a router as client to a remote router… thanks for any help or direction….

    • Carl Rinker says:

      I’ve never set up a site to site VPN. About the only suggestions I can offer are Google and YouTube. Look up OpenVPN site to site and then take notes for any new search ideas that develop.

  7. nyrogerstern says:

    I tried setting up OpenVPN with my iPhone as client. Clearly the certificates are correct because I can connect from within my home network. But I get a connection timeout from outside. I thought the standard port may be blocked by my ISP, so I changed the port to one I know works–I changed the server and client config files and the firewall commands. Still no luck. I also checked that my DNS updated correctly. Any idea why I cannot connect from the outside?

    • Carl Rinker says:

      I can only offer guesses as to why you can’t connect. The config in the articles works perfectly for me and is written documentation of it.

      Connecting using a DDNS url or static IP address (not the 192.168.1.x address) should work anywhere if it works at home. I once had a problem connecting using free wi-fi at a major university. It worked at the hotel in the same town but not at the school no matter what port I tried. I assumed they were using some blocks and also assumed they taught some pretty good internet security courses there. Try it from Starbucks or another place that offers free wi-fi. Otherwise, look over the details in your config and adjust if anything looks odd.

      • nyrogerstern says:

        I can only assume it is something in my router firewall that’s blocking the server from connecting through the wan connection but not the lan. I’ve tried using Verizon wireless as well as various wifi systems. it doesn’t seem to work.

  8. Teddy says:

    Hi,
    Thanks for the tips. It helped a lot to get me going….
    Things I did differently, and it works:
    1) I only add this firewall rule to allow VPN clients to get NAT’ed when going to internet
    iptables -t nat -A POSTROUTING -s -j MASQUERADE
    2) I use the Advanced option in VPN setup to enable “Redirect default Gateway” instead of adding the extra command in “Additional Config”.

    Thanks

    • Carl Rinker says:

      Great job.

      ‘Redirect Default Gateway’ should have worked when I wrote this originally, but didn’t for me. It’s the standard method for other routers that offer OpenVPN implementations. That was one of my frustrations, among others. The iptables were a research project that I was happy to get working. I tried lots of variations, but not the one you mentioned.

  9. Torey says:

    Thanks for taking the time to post this write-up. After a second try I was able to get it to work without a hitch. I have one question I am hoping someone can answer. When I am outside the LAN, can I access the router? I have a second router on my network that I can access no problem, but I cannot access the router running the VPN from outside my network using the VPN. Any help or suggestions would be a great help! Thanks.

    • Carl Rinker says:

      Thanks for reading and making a comment. I’m happy you got it working. DD-WRT doesn’t make it easy, but it’s not impossible either.

      OpenVPN has two interfaces: tap and tun.

      Most DD-WRT / OpenVPN articles, including these, illustrate the tun interface, which is routed. This means pass through. When outside, all you can do is use the local router to access the world, not your network. It’s designed for safe browsing over public wifi.

      The OpenVPN tap interface is bridged, or connected to your home network. OpenVPN supports tap, but I don’t know how to install it using DD-WRT. I think stock Netgear R7000 firmware supports OpenVPN tap, but I don’t know anything about its capabilities or limitations.

      I’m currently using pfSense for my home router. It supports multiple simultaneous OpenVPN servers. I have one tap and one tun. The tap allows me to log into my home network from anywhere and access it just as if I were downstairs in an easy chair. The security is high; DDNS url that is personal, specific certificates unique for each client, special user id tied to each certificate, two passwords unique to each userid. The tun VPN is for routine passthrough.

      • toreylittlefield says:

        Thanks for the thorough explanation. At least where I am is a great starting point and I appreciate all the help. It may not be as elegant a solution but I suppose I can always WOL a PC in LAN and access the router through the PC with Teamviewer. Also at least I can also access the network drive on the router through the VPN with this setup now. Very cool.

  10. zedenka says:

    Hey Carl, thank you sooo much for this blog and writing this article. You are a life saver and may God bless you. lol

    I don’t know if others were having this problem but I followed your instructions and everything worked perfectly; I was able to connect to the OpenVPN server with no problems on my DD-WRT router.

    But when I tried to access it inside my network I was not able to communicate with my devices or get internet, and it was the same when I tried it on another network. It took me two days of trying and it still did not work.

    What I realized is that it had to be the firewall settings, so I searched online forums for hours for help and I got these settings:

    iptables -I INPUT 1 -p tcp --dport 443 -j ACCEPT
    iptables -I INPUT -i tun0 -m state --state NEW -j ACCEPT
    iptables -I FORWARD -i tun0 -m state --state NEW -j ACCEPT
    iptables -t nat -A POSTROUTING -s 10.1.1.0/24 -j MASQUERADE

    It worked immediately and perfectly without any problems!!! Thanks to the person who posted it on the forum.

    My question is, are these firewall settings good or safe? I want to make sure I am securely connecting to my home network. Thanks for a reply.

    • Carl Rinker says:

      I’m NOT an OpenVPN / DD-WRT / iptables expert and never will be. The article documents my DD-WRT / OpenVPN configuration, including the problems I had with it along the way.

      OpenVPN supports two types of client – server connections; tap and tun. This series describes the tun connection, which is routed. Tap is bridged.

      The distinction is tun, if configured properly, allows you to securely route through your home router via public wifi. To the outside world, it looks like your IP address is your home IP address and not the IP address of your public wifi provider. You should not be able to access your home network with a tun connection, if configured properly, according to my understanding of OpenVPN. A genuine expert may know of an alternative method, but I don’t.

      A tap connection is bridged and allows you to access your home network securely from afar via public wifi. It’s set up differently and this article series does not document how to do it.

      This is only a guess, but if you can access your home network using a tun interface, then it may be set up incorrectly and, thus, not be secure.

      I’m currently using a pfSense router to support both tap and tun interfaces. pfSense provides an OpenVPN implementation that supports multiple simultaneous OpenVPN servers. This is not to criticize DD-WRT’s OpenVPN implementation, which is similar to just about every other retail router’s OpenVPN implementation. I used DD-WRT / OpenVPN for a long time before building a pfSense router and setting up OpenVPN on it. pfSense allows commercial strength routing, including IPS / IDS.

