Lately I’ve had the need to set up a secure instance of OpenVPN on a DD-WRT enabled router. As I expected the process wasn’t exactly smooth. From experience setting up OpenVPN before on a number of different servers I know it can be complex, but I (naively) thought that a setup baked into the DD-WRT firmware would be simpler.

Engaging my Google-fu I found a LOT of other articles explaining the process; to my horror, no single article was able to get me correctly set up and I was left picking up the pieces from multiple different sources. So here I am, writing a blog post about how to set up OpenVPN on a DD-WRT router. I think XKCD explains this situation best, but I’m shamelessly continuing.

xkcd comic #927

First things first: for this article we’ll be focusing only on a DD-WRT implementation. I am considering writing another post about implementing OpenVPN on a remote server (likely Ubuntu or CentOS) but that will have to wait for another time. I also want you, dear reader, to understand what this article is not:

  • An explanation of how OpenVPN works
  • A DD-WRT tutorial
  • In depth look at tradeoffs of different options and settings
  • Analysis of VPNs and security
  • Necessarily the best tutorial for your scenario

With that out of the way let’s get started!

Pre-Requisites

For this guide to make any sense, you’re going to need a few things.

  • Router with internet access
  • DD-WRT V3.0 firmware installed on said router
  • A Computer! (Windows or Linux)

I’m going to assume little to no knowledge of networking and computers in general. I find that in a number of other articles and guides which I’ve read online, the authors assume a great deal of knowledge and leave out what can actually be quite crucial steps. Without knowing how to troubleshoot networking issues this can be very frustrating and often lead to bad configs and a giant mess of settings changes from different advice on the internet. I endeavour to present this information in a clear and concise way so as not to confuse any potential readers.

Brace yourselves.

The Goal

The goal of this VPN setup is to allow a remote client computer to connect over the internet, through an encrypted and authenticated channel, to access locally available resources and to forward all internet traffic from the remote client through that secure connection. This connection should be as hardened as possible and follow up-to-date guidelines for the use of OpenVPN.

This can be useful for several different reasons. In my case this will allow me to connect to devices (such as Raspberry Pis) on my network from anywhere in the world without having to expose them directly to the internet through port forwarding. Instead my local network remains behind my firewall and only I have the key to opening the door to the other side. Connecting to a VPN also serves as a great way to maintain secure web traffic when travelling: should I really trust that open WiFi network with hundreds of other random people connected to it? Well now it doesn’t matter, all my traffic is encrypted before leaving my device, forwarded over the internet to a known location, and decrypted safely there.

Enable OpenVPN Server

First we need to enable OpenVPN on our router. Since you are a person who is running DD-WRT on their router, I will make one assumption: you know how to access the router’s administration panel and know your username and password. If not, please look at other tutorials around the internet on how to figure that out.

1. Navigate to the default gateway address via a web browser and login to DD-WRT.

192.168.0.1:80

2. Now that we’re into the router’s administration settings we can start changing things and enabling the modules that we need. DD-WRT has OpenVPN server support built right in so all we need to do is head through the following menu options.

Services -> VPN

3. Enable the OpenVPN server by changing the option under the OpenVPN Server heading (who would have guessed?!). Once this is changed all the other OpenVPN options that we need will be revealed to us (and there are a lot of them).

✓ Enable

Scroll right past all the settings and hit “Save” to make sure we don’t lose anything to a timeout while doing other things. Next we can configure the server how we want!

Configuring the Server

OpenVPN has a lot of settings and they all do different and very important things, we need to make sure that we have the correct ones selected for what we want to do. I’ll give a quick rundown of each setting and field that is available to us and what each does. This is by no means an exhaustive explanation but will serve to help you make a decision about which way you need to go.

1. Start Type: This option selects when the VPN daemon starts, either when the WAN interface comes up (WAN Up) or as soon as the router itself boots (System). System starts the server before the WAN link necessarily exists, so a server that needs the WAN address or a DNS lookup at startup will fail. WAN Up waits until the link is usable, so that is the option to choose.

✓ WAN Up

2. Config As: The naming here is a bit of a mystery, it doesn’t follow the usual meaning of “server” and “daemon”. Server gives you the guided fields used throughout this guide; selecting Daemon hides them all and expects you to write the entire OpenVPN configuration by hand. Leave it as Server.

✓ Server

3. Server Mode: It is very important to understand the difference between these two options as they produce significantly different topologies: Bridge (TAP) puts clients directly on the router’s Ethernet segment, while Router (TUN) gives them their own routed subnet. Take a look at the heading link; for our use we will use Router (TUN) mode.

✓ Router (TUN)

4. Network: This is the subnet that will be handed to clients connecting to the server. Make it something that won’t overlap with the router’s own LAN, or with whatever LAN the client happens to be sitting on (192.168.0.0/24 and 192.168.1.0/24 are the usual home defaults, so avoid those).

192.168.20.0

5. Netmask: The netmask should be the same as shown here (a /24, which gives 254 usable client addresses). I don’t want to go into depth about how the netmask functions, but it’s a core concept in networking and worth looking into more at the heading link.

255.255.255.0

6. Port: This is the port that clients connect to the server on. 1194 is OpenVPN’s registered default port; some networks filter it, so it can be worth changing to a port that is rarely blocked (such as 443). Take your pick, but I’m sticking with the standard.

1194

7. Tunnel Protocol: The protocol selected affects how the server behaves; for more information see the heading link. Some networks block UDP, in which case it’s best to choose TCP. I’m sticking with UDP for performance reasons (TCP-inside-TCP performs badly on lossy links).

UDP

8. Encryption Cipher: The cipher is responsible for keeping data sent through the VPN tunnel confidential. It should be strong so that any listening party cannot read or decrypt our traffic. AES-256-CBC is fine when paired with the SHA256 HMAC chosen below; if your build also offers AES-256-GCM, that is the better choice because it encrypts and authenticates in one step. Whatever you pick, the client’s cipher directive must match it exactly.

AES-256 CBC

9. Hash Algorithm: The hash algorithm (used as an HMAC) protects the integrity of data sent through the VPN tunnel and lets both ends detect whether a packet has been altered in transit. Choose a robust algorithm without practical collisions, i.e. not MD5 or SHA1. Note this value down: the client’s auth directive must be set to the same algorithm, or the two ends will fail to authenticate each other’s packets.

SHA256

10. Advanced Options: Just bang this on, there is only one setting we need to change in here.

✓ Enable

11. TLS Cipher: OpenVPN runs two channels over the one connection: a control channel that carries the TLS handshake and key negotiation, and a data channel that carries your traffic. The TLS cipher protects the control channel, and it needs to be a strong suite for the handshake, and therefore the keys, to be secure.

TLS-DHE-RSA-WITH-AES-256-GCM-SHA384

12. LZO Compression: This configures whether the server applies lossless compression to the data flowing through the tunnel. Adaptive lets the server decide when compression is worth it. Be aware that compressing tunnelled traffic has since been shown to leak secrets when attacker-controlled and secret data share a packet (the VORACLE attack, 2018), so current OpenVPN guidance is to turn compression off; if you do, remove comp-lzo from the client configuration too, since both ends must agree.

Adaptive

13. Redirect Default Gateway: By redirecting the default gateway all traffic from each client can be directed through the VPN tunnel (which is what we want to do!). This makes the VPN tunnel the default internet gateway for the client.

✓ Enable

14. Allow Client to Client: By enabling this, clients will be allowed to talk to each other through the VPN. This is fine for me: if I connect multiple devices to the VPN I’m assuming they are trusted, since they hold our keys and certificates.

✓ Enable

15. Allow Duplicate CN: This allows the same client certificate (the same Common Name) to be connected more than once at the same time. Leave it disabled: each device should get its own certificate, and with duplicates disabled a second connection made with a copied key bumps the legitimate session, which is a useful signal that a key has been stolen and should be revoked.

✓ Disable

16. Tunnel MTU: Leave this at the default, this is a core and complex networking topic. If you want to know more check out the link in the heading.

1500

17. UDP Fragment: Leave this blank, this is another core and complex networking topic. If you want to know more check out the link in the heading.

<leave blank>

18. UDP MSS-Fix: Leave this disabled. It caps the TCP segment size announced inside the tunnel so that packets fit without being fragmented; only turn it on if you find large transfers stalling. Check the previous links and the one in the heading for more info.

✓ Disable

Wow that was a lot of options…

The next step involves generating keys and certificates for the server and for our clients, let’s first scroll down past that and hit save before moving on.

Generating Keys

Now that the server is set up with everything we want it’s time to generate some keys and certificates for the server and for our clients. I’m going to explain how to do this for both Windows and Linux, each in their own section below.

The Key and Certificate files that are generated here are what authenticate the client with the server. Only clients that have correctly authenticated certificates will be able to connect to the server. These certificates and keys can be managed on a per client basis and compromised certificates can be revoked and/or added to a ban list to prevent connection in the future.

Keep these files secret! See the link here on the OpenVPN documentation page about which key files should be shared with who.

Windows

1. The first thing that you will need to do is download and install OpenVPN for Windows. This can be found at the following URL.

https://openvpn.net/index.php/open-source/downloads.html

Once downloaded go through the installation wizard but when the option comes up, be sure to select the option to install the “OpenSSL Utilities” as well as the standard packages that are pre-checked during the installation process.

✓ OpenSSL Utilities

2. To generate the keys we need to run some scripts that are included in the OpenVPN install via the Windows Command Prompt. This needs to be in administrator mode: search “Command Prompt” in the Windows start menu, right click on the result, and select “Run As Administrator”.

Command Prompt -> Run As Administrator

3. Navigate to the install directory of OpenVPN and find the “easy-rsa” folder within.

cd <install dir>\OpenVPN\easy-rsa

4. The config files need to be initialised and copied into the right place. Luckily there is a script for that already! Run the following command.

init-config

5. Next edit the vars.bat file with the correct settings for your locale and organisation. Open Notepad as administrator and navigate to the “easy-rsa” folder and open the vars.bat file. Edit the following settings.

set KEY_SIZE=4096
set KEY_COUNTRY=<your country code>
set KEY_PROVINCE=<your province/state code>
set KEY_CITY=<your city>
set KEY_ORG=<your organisation name>
set KEY_EMAIL=<mail@your.domain>

6. The Certificate Authority needs to be generated now. This is the “master” certificate and must be kept VERY secret, it is what signs other client and server certificates to authenticate them as valid.

Execute the following commands and follow the prompts. Answer yes to everything and fill in the required information wherever a “[changeme]” default appears.

vars
clean-all
build-ca

7. The server needs a set of keys signed with this Certificate Authority, this is what we will copy into the DD-WRT configuration later. Let’s generate that now, again follow the prompts.

build-key-server server

8. Each of the clients now also needs a set of keys signed with this Certificate Authority, this is what will be copied into the OpenVPN configuration folder for each client. Let’s generate that now, again follow the prompts.

Note: You can do this for as many clients as you would like.

build-key client1
build-key client2
build-key client3

9. Diffie-Hellman parameters also need to be generated for the server. This is achieved with the following command.

build-dh

10. Lastly a TLS Authentication key file must be generated for the server and clients. This is not generated using the easy-rsa tool, but with the OpenVPN program itself. Enter the following commands to change directory and generate the key.

cd ..\bin
openvpn --genkey --secret ..\easy-rsa\keys\ta.key

All the keys and certificates needed are now generated; the next step is to complete the server and client configuration! Let’s move on to finishing the server setup and getting our first clients connected.

Final Server Configuration

Back to the DD-WRT administration console. We are now ready to fill in the final parts of the OpenVPN configuration options. The keys that we generated in the previous steps are located in the following folders. For the rest of this section reference the files here.

Windows

<install dir>\OpenVPN\easy-rsa\keys

1. Copy the contents of server.crt into the “Public Server Key” field.

2. Copy the contents of ca.crt into the “CA Cert” field.

3. Copy the contents of server.key into the “Private Server Key” field. This file is the server’s secret; it should go nowhere other than this field.

4. Copy the contents of dh4096.pem into the “DH PEM” field (the number in the file name follows KEY_SIZE from vars.bat).

5. Copy the contents of ta.key into the “TLS Auth Key” field.

For every file paste only the block from the “-----BEGIN ...-----” line to the matching “-----END ...-----” line. The .crt files produced by easy-rsa carry a human-readable dump of the certificate above that block; leave that configuration garbage out.

6. Save and Apply the settings that we just changed! The VPN server is now setup on the DD-WRT router.

7. In order to forward the client’s traffic through the server’s internet connection, Network Address Translation needs to be turned on for the VPN tunnel. To do this a custom command needs to be run on the router to change a firewall setting. Go to the following menu items in DD-WRT.

8. Enter the following command to enable NAT for the tunnel through the WAN interface. Click “Save Firewall” so that this command is applied to the firewall each time the router is rebooted.

Note: replace <your network ip address> with the value from the Network field in the steps above (192.168.20.0 in this guide). eth0 is the WAN interface on many routers, but not all: PPPoE links use ppp0 and some switch-chip builds use vlan2. Check yours on the router’s status page or with “nvram get wan_iface” before trusting this rule, because a rule on the wrong interface matches nothing and clients will connect but have no internet.

iptables -t nat -A POSTROUTING -s <your network ip address>/24 -o eth0 -j MASQUERADE
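The one-liner above works, but it is re-run on every reboot and every “Save Firewall”, so a plain -A stacks a duplicate rule each time, and it hard-codes eth0. The following script is an added example for the same Commands box, not part of the original post: it reads the WAN interface from the router’s nvram (falling back to eth0), adds each rule only if it is not already present, and also opens the FORWARD chain for tunnel traffic, which some builds need and others accept by default. It assumes the 192.168.20.0/24 network chosen above and uses the tun+ wildcard because DD-WRT builds differ on whether the server interface is tun0 or tun2.

```sh
#!/bin/sh
# Added example (not from the original post) for the DD-WRT Commands box.
# Assumptions: the tunnel network is 192.168.20.0/24 as chosen in the Network
# field above; the WAN interface name comes from the router's nvram variable
# wan_iface, falling back to eth0; every tun interface belongs to the VPN
# (the tun+ wildcard), since builds differ on whether the server is tun0 or tun2.

VPN_NET="${VPN_NET:-192.168.20.0/24}"
TUN_MATCH="${TUN_MATCH:-tun+}"

# wan_iface : print the WAN interface name. Hard-coding eth0 is the most
# common reason the MASQUERADE rule silently matches nothing (PPPoE links
# are ppp0, and some switch-chip builds use vlan2).
wan_iface() {
  w=""
  if command -v nvram >/dev/null 2>&1; then
    w="$(nvram get wan_iface 2>/dev/null)"
  fi
  [ -n "$w" ] || w="eth0"
  printf '%s\n' "$w"
}

# ensure_rule TABLE CHAIN RULE... : insert RULE only if it is not already there.
# This script is re-run on every reboot and each time "Save Firewall" is clicked,
# and a plain -A would pile up duplicate rules; -C exits 0 when an identical rule
# exists. On an iptables too old for -C the check fails and the rule is simply
# (re)inserted, which is no worse than the original one-liner.
ensure_rule() {
  table="$1"; chain="$2"; shift 2
  if iptables -t "$table" -C "$chain" "$@" 2>/dev/null; then
    echo "present: $table $chain $*"
  else
    iptables -t "$table" -I "$chain" "$@" || return 1
    echo "added: $table $chain $*"
  fi
}

# apply_vpn_firewall : NAT client traffic out of the WAN interface and make
# sure the FORWARD chain lets tunnel traffic through in both directions
# (harmless where the default policy already accepts it).
apply_vpn_firewall() {
  wan="$(wan_iface)"
  ensure_rule nat    POSTROUTING -s "$VPN_NET" -o "$wan" -j MASQUERADE || return 1
  ensure_rule filter FORWARD -i "$TUN_MATCH" -j ACCEPT || return 1
  ensure_rule filter FORWARD -o "$TUN_MATCH" -j ACCEPT || return 1
}

# Only touch the firewall when iptables is actually present (i.e. on the router).
if command -v iptables >/dev/null 2>&1; then
  apply_vpn_firewall
fi
```

After pasting it, “Save Firewall” stores it as the firewall script; running it twice from the router’s shell should print “present:” on the second pass rather than adding anything, and “iptables -t nat -L POSTROUTING -v” should show exactly one MASQUERADE rule for the tunnel network.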

That’s it!

Scroll down to the bottom and hit “Apply Settings” to enable the OpenVPN server with the settings and keys we have just entered.

Client Setup

The process of connecting clients is now very easy. We have signed client keys and the server is setup with all the required options, all we need to do now is create a client configuration file for OpenVPN to read settings from and we can launch the connection!

Windows

1. I’m going to assume that OpenVPN is already installed from the previous section, if not, make sure to download and install OpenVPN from the following link.

https://openvpn.net/index.php/open-source/downloads.html

Once downloaded go through the installation wizard and follow all the prompts. No extra packages such as OpenSSL are required for standard client connections.

2. Copy the following files into the configuration folder for OpenVPN.

Copy From: \OpenVPN\easy-rsa\keys
Copy To: \OpenVPN\config

ca.crt
client1.crt
client1.key
ta.key

3. With the keys in the correct place we now need to create a configuration file for the OpenVPN client. To do this open up Notepad and enter the following, then save it into the config folder as client1.ovpn. Every “must match the server” line refers to the value chosen in the DD-WRT GUI earlier; OpenVPN does not negotiate these, so a mismatch shows up only as failed or silently dropped packets after the handshake.

#Where the remote server is: the router's public IP address or DNS name, then the port chosen above
#(replace the placeholder with your own; a bare "remote 1194" would make OpenVPN treat 1194 as a hostname)
remote <your-public-ip-or-hostname> 1194

#Put OpenVPN into client mode
client

#Only accept a certificate that was issued as a server certificate; without this
#any client certificate signed by our CA could be used to impersonate the server
remote-cert-tls server

#Set the VPN type (TUN vs TAP), must match the server
dev tun

#Set the protocol being used, must match the server
proto udp

#Keep retrying indefinitely if the server's hostname cannot be resolved
resolv-retry infinite

#Do not bind to a fixed local port
nobind

#Keep the keys and the tun device across restarts and re-negotiations
persist-key
persist-tun

#Allow the server's address to change mid-session (e.g. a home connection on a dynamic IP);
#it is not required for TUN and can be left out
float

#Tell OpenVPN where the certificates and keys are
ca ca.crt
cert client1.crt
key client1.key
#Direction 1 on the client; the DD-WRT server side uses direction 0
tls-auth ta.key 1

#Setup TLS use for the tunnel
#Force a minimum version to avoid known weaknesses in older TLS versions
tls-version-min 1.2

#Set the TLS cipher type, must match the server
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384

#Set the data encryption cipher type, must match the server
cipher AES-256-CBC

#Set the HMAC hashing algorithm, must match the server's Hash Algorithm (SHA256 above)
auth SHA256

#Request the server re-negotiate keys every 3 minutes (the default is 3600 seconds;
#whichever end has the lower value wins)
reneg-sec 180

#Tell the client that LZO Compression is in use, must match the server
comp-lzo

#Set the VPN Tunnel as the default gateway for the client machine
redirect-gateway def1

4. All our setup for the client is now complete! Launch OpenVPN and hit the connect button and you should connect to your server!
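Most first-connection failures with this setup come from the client file disagreeing with the server settings from the “Configuring the Server” section (cipher, auth digest, tls-cipher, protocol, compression, the tls-auth direction, or a remote line missing its host). The following checker is an added example, not part of the original post: it reads a client config and reports every directive that does not match the values chosen in the DD-WRT GUI above. It is plain POSIX shell, so it runs on the router’s busybox, on Linux, or on Windows under WSL or Git Bash; vpn.example.org in the usage line is a placeholder for your own hostname.

```sh
#!/bin/sh
# Added example, not from the original post: cross-check a client config file
# against the server settings chosen in the DD-WRT GUI above. OpenVPN does not
# negotiate these values; both ends must simply agree, and a mismatch shows up
# only as "Authenticate/Decrypt packet error" or a silent hang after the handshake.

# opt FILE DIRECTIVE : print the arguments of DIRECTIVE with # and ; comments
# stripped; exit 1 if the directive is absent from the file.
opt() {
  sed -e 's/[#;].*$//' "$1" |
    awk -v k="$2" 'tolower($1) == k { found = 1; $1 = ""; sub(/^ +/, ""); print; exit }
                   END { exit !found }'
}

# lower STRING : lowercase via tr (busybox-safe, no bash-isms)
lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# expect FILE DIRECTIVE VALUE : print a problem line and return 1 when the
# directive is missing or its first argument differs (case-insensitively).
expect() {
  v="$(opt "$1" "$2")" || { echo "$2: missing (server uses '$3')"; return 1; }
  first="${v%% *}"
  if [ "$(lower "$first")" != "$(lower "$3")" ]; then
    echo "$2: client has '$first' but server uses '$3'"; return 1
  fi
}

# check_client FILE : print one line per problem; the return code is the number
# of problems, so 0 means the file is consistent with the server settings above.
check_client() {
  f="$1"; n=0
  expect "$f" proto      udp                                  || n=$((n + 1))
  expect "$f" dev        tun                                  || n=$((n + 1))
  expect "$f" cipher     AES-256-CBC                          || n=$((n + 1))
  expect "$f" auth       SHA256                               || n=$((n + 1))
  expect "$f" tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384  || n=$((n + 1))
  # remote needs HOST then PORT: a bare "remote 1194" makes OpenVPN resolve "1194" as a hostname.
  set -- $(opt "$f" remote)
  if [ $# -ne 2 ] || [ "$2" != 1194 ]; then
    echo "remote: expected '<host> 1194', got '$*'"; n=$((n + 1))
  fi
  # ta.key direction: the DD-WRT server side is 0, so the client must use 1.
  set -- $(opt "$f" tls-auth)
  if [ "$2" != 1 ]; then
    echo "tls-auth: expected 'tls-auth ta.key 1', got '$*'"; n=$((n + 1))
  fi
  # compression is Adaptive on the server, so the client must declare comp-lzo too.
  opt "$f" comp-lzo >/dev/null || { echo "comp-lzo: missing"; n=$((n + 1)); }
  # without this a stolen *client* certificate could be used to impersonate the server.
  [ "$(opt "$f" remote-cert-tls)" = server ] || { echo "remote-cert-tls: must be 'server'"; n=$((n + 1)); }
  return $n
}

# Usage on the file saved in OpenVPN's config folder (hostname is a placeholder):
#   check_client client1.ovpn && echo "client1.ovpn matches the server settings"
```

Run against the client file from this guide before its fixes (a bare “remote 1194” and “auth sha512”), it reports exactly those two lines and exits with status 2; the corrected file exits 0 with no output. If you later change the server to AES-256-GCM or turn compression off, update the expected values in check_client at the same time as the GUI.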

All Finished!

You should now be connected with a properly hardened OpenVPN setup! The final verification is to connect to the VPN from a remote location or from a different internet connection (e.g. tether off your phone). Once you connect through the VPN you should see that your external IP address changes from the phone’s address to the server’s address when you visit www.whatismyip.com.

Load a few webpages and run a speed test to validate that everything is working as it should. You will see a slight degradation in connection speed due to the overheads of the VPN tunnel, however your connection is now rock solid, secure, and encrypted. The benefits outweigh the negatives if you ask me!

I would love to know if there are any issues with the setup as described here, I don’t want people following in my footsteps and finding this guide in 5 years time only to not be able to setup their connection because of some bad advice I’ve given here.

Enjoy!