Configuring an OpenVPN Server in DD-WRT — 2
I returned to configuring an OpenVPN server in DD-WRT. My previous attempt had failed.
I ended my previous effort after noticing that port 1194 was not open and that there was no OpenVPN process running in DD-WRT.
I looked at the Additional Config options. Browsing the web finds many tutorials in which most of these options are similar or the same. Knowing little about OpenVPN, I did the usual copypasta and tried to adjust the options according to my LAN. This approach failed.
I noticed additional options in many of these tutorials that no longer were necessary with the current DD-WRT interface. I reduced the additional options to a single push command to the router’s LAN IP address.
I configured the DD-WRT system log for High verbosity and rebooted the router.
The logs this time were informative and I saw a helpful message:
neither stdin nor stderr are a tty device and you have neither a controlling tty nor systemd - can't ask for 'Enter Private Key Password:'
Searching the web revealed I needed to regenerate my certificates without a password. Here are the steps I used — modified from my previous attempt.
Create a Public Key Infrastructure (PKI)
cd /tmp/easyrsa
easyrsa init-pki
Generate a Certificate Authority (CA) Certificate and Key
easyrsa build-ca nopass
Notice the nopass parameter.
I left all fields blank.
This creates the CA certificate and key.
/tmp/easyrsa/pki/ca.crt
/tmp/easyrsa/pki/private/ca.key
Generate the Server Certificate and Key
Because I was creating the key pair for the VPN server, I used the simple name server. I have no idea what other names are sane or reasonable.
easyrsa gen-req server nopass
Again notice the nopass parameter.
This creates two files:
/tmp/easyrsa/pki/reqs/server.req
/tmp/easyrsa/pki/private/server.key
Sign the Server Certificate with the CA Certificate
Next is to create and sign the certificate for the VPN server.
easyrsa sign-req server server
This creates the following file:
/tmp/easyrsa/pki/issued/server.crt
Two additional files are needed as part of the authentication glue. One file contains Diffie-Hellman parameters, which the server uses for the TLS key exchange. The other is a TLS auth key: a shared secret with which OpenVPN HMAC-signs its control packets, so the server can drop packets from anyone who does not hold the key before a TLS handshake even starts. The client needs a copy of this same key.
openssl dhparam -out dh2048.pem 2048
/usr/sbin/openvpn --genkey --secret tls-auth.key
Creating the Diffie-Hellman file takes a long time and the output warns as much.
The two commands create two files:
/tmp/easyrsa/dh2048.pem
/tmp/easyrsa/tls-auth.key
Generate the Client Certificate and Key
Next is creating the client certificate and key pair.
easyrsa gen-req client1 nopass
Again notice the nopass parameter.
This creates two files:
/tmp/easyrsa/pki/reqs/client1.req
/tmp/easyrsa/pki/private/client1.key
Sign the Client Certificate with the CA Certificate
Next is to create and sign the certificate for the VPN client.
easyrsa sign-req client client1
This creates the following file:
/tmp/easyrsa/pki/issued/client1.crt
I copied the generated /tmp files to my server at /home/public/easyrsa directory. On my laptop I copied the client certificate and key and CA certificate to the /etc/pki directory.
Configure DD-WRT
Using a text editor I copied and pasted the files to the router.
Services > VPN > OpenVPN Server/Daemon
OpenVPN: Enable
Start Type: WAN Up
Config as: Server
CA Cert: /tmp/easyrsa/pki/ca.crt
Public Server Cert: /tmp/easyrsa/pki/issued/server.crt
Private Server Key: /tmp/easyrsa/pki/private/server.key
DH PEM: /tmp/easyrsa/dh2048.pem
TLS Auth Key: /tmp/easyrsa/tls-auth.key
Apply Settings
Save
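Before pasting material into the DD-WRT fields it is worth checking that each file is the kind of PEM object its field expects and that no private key carries a passphrase, because a key that asks for 'Enter Private Key Password:' can never load in a daemon that has no tty. The checker below is an added example, not code from the original post or from DD-WRT. The field names are the ones listed above; the sample file contents are constructed placeholders with fake base64 bodies, and the second file set, in which the server key was generated without nopass, shows what the failing state looks like. It needs only the Python standard library.

```python
import re

# DD-WRT "OpenVPN Server/Daemon" fields and the PEM object each one must contain.
EXPECTED_KIND = {
    "CA Cert": "certificate",
    "Public Server Cert": "certificate",
    "Private Server Key": "private_key",
    "DH PEM": "dh_params",
    "TLS Auth Key": "tls_auth_key",
}

_BEGIN = re.compile(r"^-----BEGIN ([A-Za-z0-9 ]+)-----$", re.M)


def classify_pem(text):
    """Identify a PEM blob from its armor line and headers.

    A passphrase-protected key is its own kind: the DD-WRT daemon has no tty
    on which to ask for the password, so such a key can never be loaded.
    """
    m = _BEGIN.search(text)
    if not m:
        return "unknown"
    label = m.group(1)
    if label == "CERTIFICATE":
        return "certificate"
    if label == "ENCRYPTED PRIVATE KEY":  # PKCS#8 form written when a passphrase is set
        return "encrypted_private_key"
    if label.endswith("PRIVATE KEY"):  # PKCS#8 'PRIVATE KEY' or traditional 'RSA/EC PRIVATE KEY'
        if re.search(r"^Proc-Type: 4,ENCRYPTED", text, re.M):
            return "encrypted_private_key"  # traditional format flags encryption in a header
        return "private_key"
    if label == "DH PARAMETERS":
        return "dh_params"
    if label == "OpenVPN Static key V1":
        return "tls_auth_key"
    return "unknown"


def audit_server_fields(config, files):
    """config maps each DD-WRT field to a path; files maps paths to contents.

    Returns a list of problems. An empty list means every field points at an
    existing file of the right kind and no private key needs a passphrase.
    """
    problems = []
    for field, expected in EXPECTED_KIND.items():
        path = config.get(field)
        if not path:
            problems.append(f"{field}: not set")
            continue
        text = files.get(path)
        if text is None:
            problems.append(f"{field}: {path} not found")
            continue
        kind = classify_pem(text)
        if kind == "encrypted_private_key":
            problems.append(f"{field}: {path} is passphrase-protected; regenerate it with nopass")
        elif kind != expected:
            problems.append(f"{field}: {path} holds {kind}, expected {expected}")
    return problems


def load_files(config):
    """Read the referenced files from disk for a real audit; missing files are reported by the audit."""
    files = {}
    for path in config.values():
        try:
            with open(path, encoding="ascii") as fh:
                files[path] = fh.read()
        except OSError:
            pass
    return files


# Constructed stand-ins for the files on this page: the base64 bodies are
# placeholders; only the armor lines and headers matter to the checks.
CONFIG = {
    "CA Cert": "/tmp/easyrsa/pki/ca.crt",
    "Public Server Cert": "/tmp/easyrsa/pki/issued/server.crt",
    "Private Server Key": "/tmp/easyrsa/pki/private/server.key",
    "DH PEM": "/tmp/easyrsa/dh2048.pem",
    "TLS Auth Key": "/tmp/easyrsa/tls-auth.key",
}
_CERT = "-----BEGIN CERTIFICATE-----\nMIIBplaceholder\n-----END CERTIFICATE-----\n"
GOOD_FILES = {
    CONFIG["CA Cert"]: _CERT,
    CONFIG["Public Server Cert"]: _CERT,
    CONFIG["Private Server Key"]: "-----BEGIN PRIVATE KEY-----\nMIIEplaceholder\n-----END PRIVATE KEY-----\n",
    CONFIG["DH PEM"]: "-----BEGIN DH PARAMETERS-----\nMIIBplaceholder\n-----END DH PARAMETERS-----\n",
    CONFIG["TLS Auth Key"]: "#\n# 2048 bit OpenVPN static key\n#\n"
    "-----BEGIN OpenVPN Static key V1-----\n6f3aplaceholder\n-----END OpenVPN Static key V1-----\n",
}
# Same set, but the server key was built without 'nopass' (PKCS#8 encrypted form).
PASSPHRASE_FILES = dict(GOOD_FILES)
PASSPHRASE_FILES[CONFIG["Private Server Key"]] = (
    "-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIFplaceholder\n-----END ENCRYPTED PRIVATE KEY-----\n"
)
# Traditional-format key with a passphrase, as older easy-rsa/openssl versions wrote it.
TRADITIONAL_ENCRYPTED_KEY = (
    "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF\n\nMIIEplaceholder\n-----END RSA PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    print("nopass set:", audit_server_fields(CONFIG, GOOD_FILES) or "no problems")
    print("passphrase set:", audit_server_fields(CONFIG, PASSPHRASE_FILES))
```

For a real check, call audit_server_fields(CONFIG, load_files(CONFIG)) on the machine that generated the PKI, or on the router after the files are in place. The TLS Auth Key check only confirms that the server file is an OpenVPN static key; the client must carry the same file, and OpenVPN's tls-auth setting uses key direction 0 on the server and 1 on the client, so a client that cannot connect while the key is configured is more likely to have a missing or mis-directed key than a broken server. Removing the key from the server makes the problem go away at the cost of the packet-dropping protection it provides.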
I added only one additional configuration option.
Services > VPN > Additional Config
push "route 192.168.1.0 255.255.255.0"
Apply Settings
Save
I verified my previous firewall rules were intact.
Services > VPN
# OpenVPN Support.
iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT
iptables -I FORWARD 1 --source 192.168.1.0/24 -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
For the first time I finally saw an openvpnserver process in the ps process list.
Port 1194 showed filtered with an nmap scan. While that seems better than showing closed, I was uncertain about the result. A little web surfing revealed this result likely is normal with UDP. I changed the DD-WRT configuration to TCP and the port then showed open.
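An nmap UDP scan cannot tell a port whose service silently ignores the probe from a port behind a firewall that drops it, because the only evidence of a closed UDP port is an ICMP port-unreachable reply; nmap therefore reports open|filtered (or filtered) for 1194/udp. An OpenVPN server does not answer datagrams that are not valid control packets, and with tls-auth configured it drops anything lacking the HMAC. The loopback simulation below is an added example, not code from the original post: a UDP listener that never replies yields the same verdict as a dropped probe, while a TCP listener completes the handshake and shows open. It uses only the Python standard library; the probe payload and the loopback ports are constructed for the demo.

```python
import socket
import threading


def _silent_udp_listener(sock, stop):
    # Drain datagrams and never answer. This is how an OpenVPN server treats
    # packets without a valid tls-auth HMAC, and it is also what a scanner
    # sees when a firewall drops the probe: no reply either way.
    sock.settimeout(0.1)
    while not stop.is_set():
        try:
            sock.recvfrom(2048)
        except socket.timeout:
            pass


def probe_udp(host, port, timeout=0.5):
    """One nmap-style UDP probe.

    'open' needs a reply, 'closed' needs an ICMP port-unreachable; silence is
    indistinguishable from a dropped packet, hence 'open|filtered'.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))  # connected UDP so the kernel reports ICMP errors to us
        s.send(b"\x38" + b"\x00" * 13)  # constructed payload, not a real OpenVPN packet
        s.recv(2048)
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "open|filtered"
    finally:
        s.close()


def probe_tcp(host, port, timeout=0.5):
    """One TCP connect probe: SYN/ACK -> 'open', RST -> 'closed', silence -> 'filtered'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"
    finally:
        s.close()


def demo():
    """Probe a silent UDP listener and a TCP listener on loopback, then the
    same ports after both listeners are gone. Returns the four verdicts."""
    out = {}
    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp.bind(("127.0.0.1", 0))
    uport = udp.getsockname()[1]
    stop = threading.Event()
    t = threading.Thread(target=_silent_udp_listener, args=(udp, stop), daemon=True)
    t.start()
    out["udp_listening"] = probe_udp("127.0.0.1", uport)  # listener is there, but nmap cannot know
    stop.set()
    t.join()
    udp.close()
    # Whether the kernel turns the ICMP port-unreachable into ConnectionRefusedError
    # depends on the platform; on Linux with a connected UDP socket it does.
    out["udp_gone"] = probe_udp("127.0.0.1", uport)

    tcp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tcp.bind(("127.0.0.1", 0))
    tcp.listen(1)
    tport = tcp.getsockname()[1]
    out["tcp_listening"] = probe_tcp("127.0.0.1", tport)  # handshake completes: 'open'
    tcp.close()
    out["tcp_gone"] = probe_tcp("127.0.0.1", tport)  # RST: 'closed'
    return out


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The practical point is that filtered on 1194/udp is not evidence of a problem, so the server does not need to be moved to TCP to prove it is listening; the openvpnserver process in ps and the server log are the reliable checks. UDP is also OpenVPN's default transport, and tunnelling TCP inside TCP performs poorly under packet loss because both layers retransmit.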
At this point I hoped OpenVPN was configured correctly. I did not know whether the firewall rules were correct.
Configure NetworkManager
Next was to configure NetworkManager.
To simulate connecting to the VPN from a public access point I used one of my router VLAN ports. This assigned the laptop an IP address outside the LAN subnet and provided isolation from the LAN subnet.
I monitored the logs at both ends and adjusted the NetworkManager configuration. Finally I saw a connection — after I removed the TLS Auth Key from the DD-WRT configuration. Yet I had no Internet connection or LAN access.
My laptop firewall was incorrect and not adjusted for the VPN connection. The clue was the ping sendmsg: operation not permitted message. Disabling the laptop firewall ended that specific message. Then I ran into “Destination Host Unreachable” ping errors, which indicate a routing problem.
In the NetworkManager IPv4 tab, I enabled the Routes/Use this connection only for resources on its network option. This provided me Internet access, but I was unable to connect to my LAN.
With more reading I wondered whether I would have any LAN access when using Routed Mode. Routed Mode is a pass-through mode, intended to provide a secure tunnel when using a public access point. To access my LAN I wondered whether I needed to use Bridged Mode.
Once again, this is as far as I got. I again halted the project.
Posted: Tutorial, Usability Tagged: DD-WRT