Configuring an OpenVPN Server in DD-WRT
Configuring OpenVPN is much different from configuring PPTP. Way different.
There are many OpenVPN/DD-WRT tutorials online. I found them confusing and outdated. Too many are written from the perspective of a Windows user. I struggled for days to get OpenVPN working. There is a simple reason many people continue to use PPTP despite the security risks: getting OpenVPN to work is painful.
Yeah, I know, geeks read these words and quip that installing OpenVPN is simple and easy. Just RTFM.
I am not a system administrator or network engineer. I am just a skilled computer user. So the RTFM folks can take a long walk on a short pier.
Here is the sequence of steps I tried.
- Create a Public Key Infrastructure (PKI).
- Generate a certificate authority (CA) certificate and key.
- Generate the server certificate and key.
- Sign the server certificate with the CA certificate.
- Generate the client certificate and key.
- Sign the client certificate with the CA certificate.
- Configure DD-WRT
- Configure NetworkManager
I use Slackware on my LAN server and office desktop. Slackware does not include the easy-rsa scripts in the OpenVPN package. This is not a Slackware quirk: easy-rsa has been a separate project since OpenVPN 2.3, so most distributions package it on its own. The first step then was to grab the build script and files from slackbuilds.org.
The package installs the easyrsa script as /usr/share/easyrsa/easyrsa. I copied the whole directory to /tmp:
cp -a /usr/share/easyrsa /tmp/
Everything created from here on, the CA private key included, ends up under /tmp/easyrsa/pki. That directory is cleared at reboot and /tmp is shared with every user on the machine. easyrsa itself writes its key files with restrictive permissions, but a directory that survives reboots and belongs to a single user is the safer home for a CA.
Not well explained in the tutorials is where this process should occur. As far as I can tell, most of it can be done on any system, because the resulting files are copied to the router and the clients afterwards. I created the certificate authority and server files on my office desktop.
Create a Public Key Infrastructure (PKI)
cd /tmp/easyrsa
easyrsa init-pki
Generate a Certificate Authority (CA) Certificate and Key
easyrsa build-ca
Building the certificate authority (CA) requires typing a pass phrase, which encrypts the CA private key. This pass phrase is required again every time the CA signs a certificate.
After the pass phrase the script requests a Distinguished Name (DN), in practice the Common Name of the CA. I left the field blank, which accepts the default (Easy-RSA CA).
This created the CA certificate and key:
/tmp/easyrsa/pki/ca.crt
/tmp/easyrsa/pki/private/ca.key
Generate the Server Certificate and Key
Next is to create a public-private key pair for the VPN server, together with a certificate signing request. The script again asks for a pass phrase, this time for the new server key. It is a separate key, so the pass phrase does not have to match the CA's. I typed the same pass phrase.
One caveat applies to the server key specifically. OpenVPN on the router starts as a daemon with nobody there to type a pass phrase, so a server key protected by one will not load. easyrsa's nopass option generates the key unencrypted, which is what a router needs; the resulting file then has to be guarded as the secret it is.
Because I was creating the key pair for the VPN server, I used the simple name server. The name is only the file name and the certificate's Common Name. The client does not verify the server by this name but by checking that the certificate chains to the CA and was signed as a server certificate, so any descriptive name works.
easyrsa gen-req server
This created two files:
/tmp/easyrsa/pki/reqs/server.req
/tmp/easyrsa/pki/private/server.key
Sign the Server Certificate with the CA Certificate
Next is to have the CA sign the server's request, which produces the server certificate. The CA pass phrase is required here. The server argument gives the certificate the server extended key usage; this is what later lets a client tell the real server apart from any other certificate the CA has signed.
easyrsa sign-req server server
This created the following file:
/tmp/easyrsa/pki/issued/server.crt
Two additional files are needed. One holds Diffie-Hellman parameters, which OpenVPN uses for the ephemeral key exchange. The other is a tls-auth key: a pre-shared HMAC key that both sides use to sign every control-channel packet, so the server silently drops anything that does not carry a valid HMAC before the TLS handshake even starts. Unlike the certificates, this key is a shared secret that every client needs a copy of.
openssl dhparam -out dh2048.pem 2048
/usr/sbin/openvpn --genkey --secret tls-auth.key
Creating the Diffie-Hellman file takes a long time and the output warns as much. My dual core system with 8 GB of RAM needed about 9 minutes.
This created two files in the current directory:
/tmp/easyrsa/dh2048.pem
/tmp/easyrsa/tls-auth.key
Generate the Client Certificate and Key
Next is creating the client key pair and certificate request. The script asks for a pass phrase for the client key; unlike the server key, this one can keep its pass phrase, since NetworkManager can prompt for it.
easyrsa gen-req client1
This created two files:
/tmp/easyrsa/pki/reqs/client1.req
/tmp/easyrsa/pki/private/client1.key
Sign the Client Certificate with the CA Certificate
Next is to sign the client's request with the CA, which produces the client certificate. Note the client argument: it gives the certificate the client, not server, extended key usage, which is how the two roles are kept apart.
easyrsa sign-req client client1
This created the following file:
/tmp/easyrsa/pki/issued/client1.crt
To preserve the files I copied the files to my server at /home/public/easyrsa directory. The CA private key and every other private key are in that tree, so whatever "public" means on that server, the easyrsa directory should not be readable by other users or exported over the network. On my laptop I copied the client certificate and key and CA certificate to the /etc/pki directory. The tls-auth key has to go there as well, since the client needs it, and the client key should be readable by root only.
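The eight steps above, from init-pki to the signed client certificate, as one script. This is an added example, not code from the original post and not easy-rsa's own code: it does with plain openssl what the easyrsa commands do, so the extensions that easyrsa's "server" and "client" sign types set are spelled out, and it adds the check a client performs at connect time (chain to the CA plus the right extended key usage). The directory, the CA Common Name and the script name are hypothetical; openssl is required, and openvpn only for gen_aux.

```shell
#!/bin/sh
# Added example, not from the original post or from easy-rsa. Builds the same
# PKI with plain openssl. Directory, names and the CA Common Name are
# hypothetical placeholders.
set -eu
umask 077   # every private key is created unreadable to other users

# Minimal openssl.cnf so the script does not depend on the system config.
# v3_server / v3_client carry the extendedKeyUsage that tells the roles apart.
write_cnf() {
    cat > "$1/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
commonName = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_server]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[v3_client]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF
}

# Equivalent of "easyrsa init-pki" + "easyrsa build-ca". The key is left
# unencrypted (-nodes) only so the script runs unattended; easyrsa's pass
# phrase is the better choice for a CA key that lives on a desktop.
init_ca() {
    mkdir -p "$1"
    write_cnf "$1"
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 \
        -config "$1/openssl.cnf" -extensions v3_ca \
        -subj "/CN=Home VPN CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# Equivalent of "easyrsa gen-req NAME nopass" + "easyrsa sign-req ROLE NAME".
# ROLE is server or client and selects the extension section above.
issue_cert() {
    dir=$1; name=$2; role=$3
    openssl req -new -newkey rsa:2048 -nodes \
        -config "$dir/openssl.cnf" -subj "/CN=$name" \
        -keyout "$dir/$name.key" -out "$dir/$name.req" 2>/dev/null
    openssl x509 -req -days 825 -in "$dir/$name.req" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/openssl.cnf" -extensions "v3_$role" \
        -out "$dir/$name.crt" 2>/dev/null
}

# What the peer checks at connect time: the certificate chains to the CA and
# carries the EKU of the role it claims. Returns 0 only if both hold, so a
# client certificate presented as a server is rejected.
check_cert() {
    dir=$1; name=$2; role=$3
    case $role in
        server) eku="TLS Web Server Authentication" ;;
        client) eku="TLS Web Client Authentication" ;;
        *) return 1 ;;
    esac
    openssl verify -CAfile "$dir/ca.crt" "$dir/$name.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$dir/$name.crt" -noout -text | grep -q "$eku"
}

# Diffie-Hellman parameters (the slow step) and the tls-auth HMAC key.
gen_aux() {
    dir=$1; bits=${2:-2048}
    openssl dhparam -out "$dir/dh$bits.pem" "$bits"
    openvpn --genkey --secret "$dir/tls-auth.key"
}

# Usage: sh build-pki.sh /secure/path/pki   (hypothetical script name)
if [ $# -gt 0 ]; then
    init_ca "$1"
    issue_cert "$1" server server
    issue_cert "$1" client1 client
    check_cert "$1" server server
    check_cert "$1" client1 client
    gen_aux "$1"
    ls -l "$1"
fi
```

The check_cert function is the point of the exercise: a certificate signed with the client extension passes verification against the CA just like the server's does, and only the extended key usage separates the two. That is the property the client-side remote-cert-tls option relies on.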
Configure DD-WRT
Using a text editor I opened each file and pasted its contents into the matching field of the router's web interface. The fields take the PEM text, not a path; the router stores what is pasted under /tmp/openvpn.
Services > VPN > OpenVPN Server/Daemon
OpenVPN: Enable
Start Type: WAN Up
Config as: Server
CA Cert: contents of /tmp/easyrsa/pki/ca.crt
Public Server Cert: contents of /tmp/easyrsa/pki/issued/server.crt
Private Server Key: contents of /tmp/easyrsa/pki/private/server.key
DH PEM: contents of /tmp/easyrsa/dh2048.pem
TLS Auth Key: contents of /tmp/easyrsa/tls-auth.key
Apply Settings, then Save
Using the Daemon option requires writing the whole configuration by hand in Additional Config. Configuring the VPN server as a server rather than as a daemon is supposed to trigger the firmware to generate the configuration from the fields above. This did not happen on my router. Whichever mode is in effect, the file the daemon actually starts with can be inspected over telnet or SSH (on most builds /tmp/openvpn/openvpn.conf), which is the quickest way to find out whether the fields were applied at all.
I added the following snippet to the router configuration. The paths are the router's copies of the pasted files, not the paths on the desktop.
Services > VPN > Additional Config
push "route 192.168.1.0 255.255.255.0"
server 10.8.0.0 255.255.255.0
dev tun0
proto udp
keepalive 10 120
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
# Only use crl-verify if you are using the revoke list - otherwise leave it commented out
# crl-verify /tmp/openvpn/ca.crl
# management parameter allows DD-WRT OpenVPN Status web page to access the server management port
# port must be 5001 for scripts embedded in firmware to work
management localhost 16
Apply Settings, then Save
Two things to check in this snippet. The comment says the management port must be 5001, but the directive binds port 16; the Status page only works if the number matches what the firmware's scripts expect, so the two should agree. And nothing here references the TLS Auth key pasted into the GUI. In Daemon mode the daemon only enforces it if the config carries a tls-auth directive pointing at the file the firmware saved (normally ta.key in /tmp/openvpn; ls /tmp/openvpn shows the exact names), with key direction 0 on the server and 1 on clients. When the firmware does generate its own config, directives repeated here (server, dev, proto) conflict with the generated ones, which is another reason to look at the file the daemon really runs with.
I added the following firewall rules:
Services > VPN
# OpenVPN Support.
iptables -I INPUT 1 -p tcp --dport 1194 -j ACCEPT
iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT
iptables -I FORWARD 1 --source 192.168.1.0/24 -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
With proto udp in the server config, the TCP rule opens a port nothing listens on and can be dropped. The third rule accepts forwarding from the whole LAN on every interface, which is broader than the VPN needs; the br0/tun0 pair below it already covers traffic between the LAN and the tunnel. DD-WRT's own documentation puts rules like these under Administration > Commands, stored with Save Firewall, so that they are reapplied whenever the firewall restarts rather than lost on the next reboot.
Configure NetworkManager
Next was to create a NetworkManager connection, which needs the NetworkManager OpenVPN plugin. This is basically typing the router's public IP address (or dynamic DNS name) as the gateway, choosing certificate (TLS) authentication, and pointing to the CA certificate, the client certificate and the client key. Two settings hide under Advanced: the TLS Authentication tab wants the tls-auth key with key direction 1 (the server uses 0), and the option to verify the peer certificate's usage (remote-cert-tls server in OpenVPN's own terms) should be on, so that another client certificate signed by the same CA cannot pose as the server.
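The client side of the configuration, as an added example that is not part of the original post: a client profile that mirrors the server's Additional Config above, a check of the two settings that are easy to get wrong, and the nmcli import that fills in the NetworkManager dialog from the file. The server name, the /etc/pki layout and the file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Writes the OpenVPN client
# profile matching the router's server config and imports it into
# NetworkManager. Server address, directory and file names are placeholders.
set -eu

# Emit a client profile. $1 is the router's public address, $2 the directory
# holding ca.crt, client1.crt, client1.key and tls-auth.key, $3 the output.
write_client_config() {
    remote=$1; dir=$2; out=$3
    cat > "$out" <<EOF
client
dev tun
proto udp
remote $remote 1194
nobind
persist-key
persist-tun
# Chain the server's certificate to our CA ...
ca $dir/ca.crt
cert $dir/client1.crt
key $dir/client1.key
# ... and insist that it is a server certificate (the extendedKeyUsage that
# "easyrsa sign-req server" sets). Without this line any client certificate
# signed by the same CA could impersonate the server.
remote-cert-tls server
# Same pre-shared HMAC key as the router: key direction 1 here, 0 on the server.
tls-auth $dir/tls-auth.key 1
verb 3
EOF
}

# The checks worth running on a profile before importing it: the server-role
# check is present, tls-auth points the right way, and the protocol matches
# the server. Returns 0 only if all three hold.
check_client_config() {
    f=$1
    grep -q '^remote-cert-tls server$' "$f" || return 1
    grep -q '^tls-auth .* 1$' "$f" || return 1
    grep -q '^proto udp$' "$f" || return 1
}

# Import into NetworkManager (needs the NetworkManager OpenVPN plugin);
# the ca/cert/key/tls-auth paths are taken from the file.
import_profile() {
    nmcli connection import type openvpn file "$1"
}

# Usage: sh make-client.sh vpn.example.net [/etc/pki]   (hypothetical name)
if [ $# -ge 1 ]; then
    write_client_config "$1" "${2:-/etc/pki}" client1.ovpn
    check_client_config client1.ovpn
    import_profile client1.ovpn
fi
```

Once imported, the profile shows up as a VPN connection with the gateway, certificates and TLS Authentication settings already filled in; if the router's pasted TLS Auth key is not actually in force on the server (see the note on the Additional Config above), the tls-auth line here is exactly what makes the client's handshake fail silently, which is a useful thing to know when nothing connects.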
This is as far as I got. After a few days of tinkering I did not have an OpenVPN connection. An nmap scan of the router did not show port 1194 open.
That scan result is less conclusive than it looks. A default nmap scan probes TCP ports only, while this server listens on UDP, and with tls-auth in place the daemon drops any probe lacking the HMAC, so even a UDP scan (nmap -sU -p 1194) reports open|filtered whether the service is up or not. Whether the daemon is actually running is better checked on the router itself, over telnet or SSH, with ps and netstat -lun, and in the OpenVPN log on the Status page.
Until I succeed, I decided on another approach: port forwarding over SSH.
Posted: Tutorial, Usability Tagged: DD-WRT