Configuring an OpenVPN Server in DD-WRT — 3

I was contacted about my previous attempts to configure OpenVPN in DD-WRT. I never completed the project. The contact person offered a possible solution and asked me to test.

This person was using DD-WRT version v3.0-r31899 std (04/24/17) on a Linksys WRT-1900ACS. I was using v3.0-r30826 std (11/01/16) on an Asus RT-AC66U.

I had already tried updating the firmware version with frustrating results.

After restoring my router to version r30826, I again confronted OpenVPN. My first attempts were unsuccessful but the logs showed I likely was not configuring the firewall rules correctly. I noticed the device being used was tun2 rather that the usually presumed tun0. I do not know why my configuration is different, but I adjusted the offered firewall rules accordingly.

Finally, at long last, I connected using OpenVPN.

There was a security caveat with my original steps. The login is not password protected. This is important to me should I lose my laptop or the laptop is compromised. I needed to add a password and ensure NetworkManager did not store the password. By default NetworkManager is designed to store passwords, a horrible security flaw.

Much thanks to A.S. who contacted me and offered help.

Here are my final steps to configure OpenVPN on my router.

Create a Public Key Infrastructure (PKI)

    cd /tmp/easyrsa
    easyrsa init-pki

Generate a Certificate Authority (CA) Certificate and Key

easyrsa build-ca nopass

Notice the nopass parameter.

I left all fields blank.

This creates the CA certificate and key.


Generate the Server Certificate and Key

Because I was creating the key for the VPN server, I used the simple name server. I have no idea what other names are sane or reasonable.

easyrsa gen-req server nopass

Again notice the nopass parameter.

This creates two files:


Sign the Server Certificate with the CA Certificate

Next is to create and sign the certificate for the VPN server.

easyrsa sign-req server server

This creates the following file:


Two additional files are needed as part of the authentication glue. One file contains Diffie-Hellman parameters and the other file is a TLS key.

openssl dhparam -out dh2048.pem 2048

/usr/sbin/openvpn --genkey --secret tls-auth.key

Creating the Diffie-Hellman file takes a long and the output warns as much.

The two commands create two files:


Generate the Client Certificate and Key

Next is creating the client certificate and key.

easyrsa gen-req client1

Notice I did not use the nopass parameter. When prompted I provided a pass phrase.

This creates two files:


Sign the Client Certificate with the CA Certificate

Next is to create and sign the client certificate.

easyrsa sign-req client client1

This creates the following file:


For long-term storage I copied the generated /tmp files to my office desktop/server. On my laptop I copied the client certificate and key and CA certificate to the /etc/pki directory.

Configure DD-WRT

Using a text editor I copied and pasted the generated files to the router.

    OpenVPN Server/Daemon
      OpenVPN: Enable
      Start Type: WAN Up
      Config as: Server 
      Server mode: Router (TUN)
      Port: 1194
      Tunnel Protocol: UDP
      Encryption Cypher: AES-256 CBC
      Hash Algorithm: SHA1
      Advanced Options: Disable
      Public Server Cert: copy/paste /tmp/easyrsa/pki/issued/server.crt
      CA Cert: copy/paste /tmp/easyrsa/pki/ca.crt
      Private Server Key: copy/paste /tmp/easyrsa/pki/private/server.key
      DH PEM: /copy/paste tmp/easyrsa/dh2048.pem
      Additional Config
        push "route"
        push "dhcp-option DNS"
        keepalive 10 120
    Apply Settings

Not fully intuitive, the Network IP address is a subnet and not an explicit IP address. The OpenVPN network subnet ( must be different from the LAN subnet ( The push command routes the VPN subnet to the LAN subnet. As my LAN has its own DNS service, I wanted to ensure OpenVPN was using that with the dhcp-option command.

Perhaps I missed the memo somewhere, but the DD-WRT configuration does not automatically create the necessary firewall rules. To me this is just plain odd.

I SSHed into the router to discover the tun device being used. Using ifconfig I saw that tun2 matched the IP subnet I assigned ( The ifconfig command showed tun2 using This is one spot that tripped my previous effort because I presumed tun0.

With that information I added iptables firewall rules:

    # OpenVPN Support.
    iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT
    iptables -I FORWARD 1 --source -j ACCEPT
    iptables -t nat -A POSTROUTING -s -j MASQUERADE
    iptables -I INPUT -i tun2 -j ACCEPT
    iptables -I FORWARD -i tun2 -j ACCEPT
    iptables -I OUTPUT -o tun2 -j ACCEPT

Using SSH I verified an openvpnserver process in the ps process list. Another place to check is Status->OpenVPN, which includes related log spew.

I verified port 1194 was open. This is nominally confusing because by default nmap does not check UDP. Checking port 1194 requires the -sU option and looks like this:

nmap -sU -p 1194 ${router_name_or_ip_address}

Configure NetworkManager

Next was to configure NetworkManager.

In the VPN tab I pointed the configuration to the local files:

    User certification: /etc/pki/client1.crt
    CA certificate: /etc/pki/ca.crt
    Private key: /etc/pki/client1.key

In VPN->Advanced->Security:

    Cipher: AES-256-CBC
    HMAC Authentication: SHA1

Because there is no GUI control, I manually edited the NetworkManager configuration file not to store passwords:


I restarted NetworkManager.

At work I tested the configuration. I successfully connected to my home network.

Posted: Category: Tutorial, Usability Tagged: DD-WRT

Next: Odd Fonts in Ubuntu 16.04.3 32-bit

Previous: A Strange VirtualBox Quirk