OpenVPN config docs for v24 SP1?

dereks (DD-WRT Novice, joined 30 Jul 2008, 14 posts)
PostPosted: Wed Jul 30, 2008 7:20    Post subject: OpenVPN config docs for v24 SP1?
NOTE: This was originally a post asking for help. But I got it working, and now I've written this HOWTO. Hopefully one of the Wiki admins can copy my HOWTO to the official Wiki.


Introduction

As of DD-WRT v.24 SP1, it is now possible to set up DD-WRT as an OpenVPN appliance using only the web-based GUI. It is no longer necessary to issue shell commands, or to echo quoted certificates and config files using a shell script.

To flash a brand new WRT54GL:

First, install the "mini" version of DD-WRT. (Current filename: dd-wrt.v24_mini_generic.bin )
Then, install the "vpn" version of DD-WRT that has OpenVPN support. (Current filename: dd-wrt.v24_vpn_generic.bin )
For other routers, use the appropriate bin files and installation procedure, as per the DD-WRT website.

Then, install the full OpenVPN software on a desktop computer, so you can use the OpenVPN tools to create the necessary certificates. (Visit http://openvpn.net/, or under Ubuntu Linux just do "sudo apt-get install openvpn".)

Create the Certificates

Go to your desktop computer and create the certificates, as per the OpenVPN Quickstart. Under Ubuntu Linux:

Code:
# (Must be root to work in this dir:)
cd /usr/share/doc/openvpn/examples/easy-rsa/2.0/
. ./vars
./clean-all
./build-ca
./build-key-server server
./build-key client1
./build-key client2   # Etc, for other clients
./build-dh


Paste in the Certificates

The certs (and keys) generated above, on your regular workstation computer, will be located in the new directory "keys". Paste those files into the DD-WRT web interface as follows:

For a DD-WRT OpenVPN Server:

Code:
Public Server Cert            > ca.crt
Certificate Revoke List (CRL) > (blank)
Public Client Cert            > server.crt
Private Client Key            > server.key
DH PEM                        > dh1024.pem
OpenVPN Config                > (see below)
OpenVPN TLS Auth              > (blank)


NOTE: Only paste in the sections that appear between
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
in the text files, including the two ---BEGIN/END CERTIFICATE--- lines above. Do not paste all the descriptive stuff above that section.

NOTE 2: Some users have reported that using HTTPS (instead of HTTP) causes the paste to fail. I have not confirmed that bug (and it makes no sense to me), but if you are having problems, be sure to try HTTP instead of HTTPS.

Also, set "Start OpenVPN: Enable" and "Start type: WAN Up". (Bug: 2008-07-31 setting "Start type: System" causes OpenVPN to die during the first connection attempt.)



Paste in the Server Config File

The following example config file uses OpenVPN in routed mode. (It is also possible to set up OpenVPN in bridged mode, just change your config files.)

In routed mode, there are three networks to consider:

1. The LAN (192.168.54.0 here)
2. The WAN (Internet)
3. The OpenVPN private routing network (192.168.66.0 here)

The OpenVPN private routing network is used by the OpenVPN software. The OpenVPN server and clients will be on this "private" subnet, and OpenVPN will route packets between your LAN subnet (192.168.54.0) and the OpenVPN subnet (192.168.66.0). Change the LAN subnet addresses to whatever you like. By default the LAN address is 192.168.1.0, but I changed it to 192.168.54.0 here so I could test these devices under my pre-existing LAN.

Note that the port used in this example is 1194, and the OpenVPN subnet is 192.168.66.0. You can change those, but then you must change the firewall commands to match your new settings. I chose 192.168.66.0 simply because it doesn't conflict with anything else on my network.

Server Config File:
Code:
push "route 192.168.54.0 255.255.255.0"
server 192.168.66.0 255.255.255.0

dev tun0
proto udp
keepalive 10 120
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem

In this example, all the computers behind this appliance will have 192.168.54.* IP addresses.

Paste in the Server Firewall Script:

Go to Administration > Commands

Type in these text "commands" for the Firewall:

Code:
# Replace 1194 with your OpenVPN port number:
iptables -I INPUT 1 -p tcp --dport 1194 -j ACCEPT
iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT

# Replace 192.168.66.0/24 with your OpenVPN server subnet:
iptables -I FORWARD 1 --source 192.168.66.0/24 -j ACCEPT

# These next two lines may or may not be necessary.
# I (dereks) did not need them, but bmatthewshea did.
# Thus, we include them so that this works for more people:
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT


Then Click: Save Firewall

The first two lines allow external clients to connect to the OpenVPN software (on port 1194).
The last line allows packets to flow to/from the OpenVPN private network, and thus may not be necessary on bridged configurations.

Client Config: for a Desktop OpenVPN Client:
(This was tested from a laptop w/Ubuntu Linux.)

Client Config File:
Code:
remote XXXXserver.dyndns.org 1194

client
remote-cert-tls server
dev tun0
proto udp
resolv-retry infinite
nobind
persist-key
persist-tun
float

ca ca.crt
cert client1.crt
key client1.key


(Note: for a routed OpenVPN, the "float" option is necessary.)

Client Config: for a DD-WRT OpenVPN Client appliance:

Just set the OpenVPN server name (its WAN address) and port (1194) using the GUI, and then put in the certs:
Code:
Public Server Cert      > ca.crt
Public Client Cert      > client1.crt
Private Client Key      > client1.key


Performance

Using Linksys WRT54GL v1.1
(as both client and server OpenVPN appliances)
CPU Model: Broadcom BCM5352 chip rev 0

SCP File transfer w/CPU at 200 MHz: 313 KB/s
SCP File transfer w/CPU at 250 MHz: 423 KB/s

Thus, estimated OpenVPN User Capacity (w/CPU at 250 MHz):

For users with 768 Kbit DSL:
About 4-5 users (100% usage, like big downloads)
About 10-20 users (intermittent usage, like web or shell traffic)

For users with 128 Kbit dial-up modems:
About 25 users (100% usage, like big downloads)
About 50-100 users (intermittent usage, like web or shell traffic)

I tested an OpenVPN connection for about 24 hours in my lab. I transferred 525MB files. I also did two power cycles on both client and server appliances, and the tunnel re-established itself correctly.


Troubleshooting

Prerequisite: Running commands and watching logs.

Use telnet, SSH, or Administration > Commands to run commands.
The default username and password are "root" and "admin".

To troubleshoot, you should turn on logging, and then watch the log file using this command:
Code:
tail -f /var/log/messages

To turn on logging, do this:

1. Turn on syslog with "Services > System Log > Syslogd",
2. Add a line that says "verb 5" to the OpenVPN config file

Here is an example error I got when my config file had a bad setting in it:
Code:
root@WRT54GL:~# cat /var/log/messages | grep openvpn
Jul 31 11:55:13 WRT54GL daemon.err openvpn[1686]: Options error: --server directive network/netmask combination is invalid
Jul 31 11:55:13 WRT54GL daemon.warn openvpn[1686]: Use --help for more information.
root@WRT54GL:~#


First, is OpenVPN running?
Code:
ps | grep openvpn

If you don't see the OpenVPN process listed, then that is the first problem you need to solve.

Make sure you are running it by setting "Start type: WAN Up".

Maybe there is an error in your config file. If so, OpenVPN will log an error message and then die.

See if OpenVPN is logging an error message for you, to tell you what is wrong. (See "Logging" above; you need syslogd on and "verb 5" in your OpenVPN config file.)

Next, is your firewall blocking OpenVPN?

If your firewall settings are wrong, OpenVPN's packets will be blocked by the DD-WRT firewall software.

First, turn off your firewall altogether, as a test to see if that makes things work. "Security > Firewall > SPI Firewall: Disable". If that fixes your problem, you need to tweak your firewall rules.

You can review your Linux IPTABLES firewall rules with this command:
Code:
iptables -L -v -n --line-numbers

Also, the firewall can log any DROPped or REJECTed packets. Examine these log messages and compare the DROPped packets to your iptables rules, and then tweak as necessary.

"Security > Firewall > Log: Enable"
"Security > Firewall > Log > Log Level: Medium"
"Security > Firewall > Log > Options: Dropped: Enable, Rejected: Enable"


There are many web sites that explain Linux iptables rules and commands.

If you are still having trouble, make sure the cert and config files are saved correctly on the DD-WRT by looking in the directory /tmp/openvpn/ (for server) and /tmp/openvpncl/ (for client).


Many thanks to all the contributors below, especially bmatthewshea who figured out the correct locations for the certificates.

--Derek


======================================================
My original post for help (outdated:)

Hello,
I'm setting up two Linksys WRT54GLs as OpenVPN appliances, using the latest DD-WRT (version 24 SP1 with OpenVPN).

One of the "enhancements" listed for this version is: "more flexible openvpn configuration". I am trying to figure out what that means.

I can see that I am able to save the OpenVPN certificates (and keys) using the web interface. That is very convenient. The files wind up saved in /tmp/openvpn/:

Code:
root@WRT54GL:/tmp/openvpn# ls
ca.crt         dh.pem         route-down.sh
cert.pem       key.pem        route-up.sh



However, I do not see the openvpn.conf configuration saved anywhere in the filesystem. It was also pasted via the web interface.

I also see 29 openvpn (and openvpn client) nvram variables. Some of those are redundant with the text files in /tmp/openvpn. For example, nvram's openvpn_dh is the same as /tmp/openvpn/dh.pem.

I can also see that my OpenVPN config file is saved in the nvram variable openvpn_config, and that there is an nvram variable openvpn_enable, but I cannot find any files on the filesystem that hold the OpenVPN config or SysV init script to launch OpenVPN.


My basic problem is that this is very different from what the online documentation says. The online DD-WRT OpenVPN docs don't say anything about saving certs and keys with the web interface. Instead, the instructions say to make boot scripts that echo the values into filesystem files, and then start openvpn explicitly from the script. That obviously conflicts with the "Start type: System" option in the web interface. (See http://www.dd-wrt.com/wiki/index.php?title=OpenVPN)

All the online articles I find date back to ~2006, and I can't find anything about the new web-based configuration. Basically, I'm looking for updated docs.

If there aren't any updated docs yet, I am willing to write them. But I need help figuring out how the new stuff works. I'm a software developer, so hopefully the DD-WRT developers out there can throw me a bone, and then I can update the Wiki page.

So, here are some specific questions:


Q1. If possible, I would like to configure OpenVPN without using telnet or ssh. Is that possible using the new web interface OpenVPN options?

Q2. The included file /tmp/openvpn/route-up.sh has this in it:

startservice set_routes
iptables -I INPUT -i tun0 -j ACCEPT

Q2a. What does startservice set_routes do?

Q2b. Does the "set_routes" service getting started know about the OpenVPN subnets I'm using?

Q2c. Where does the OpenVPN tun0 device get created? I don't have it:

Code:
root@WRT54GL:~# ifconfig | grep tun
root@WRT54GL:~#


Q2d. Does that iptables line mean my OpenVPN traffic won't get firewalled? (The old Wiki docs say to put "/usr/sbin/iptables -I INPUT -p udp --dport 1194 -j ACCEPT" into rc_firewall, is that still necessary given route-up.sh?)

Q3. How is OpenVPN launched (on the latest v24 SP1)? Am I still required to make a startup script and put it into /jffs/etc/config/<scriptname>.startup (as per the old Wiki docs)?

Q4. I've set up openvpn server on my box, but it's not running. How do I troubleshoot?

Code:
root@WRT54GL:~# ps | grep openvpn
root@WRT54GL:~#


Q5. Given that the certs and keys are saved with specific filenames (i.e., "dh.pem"), does the new DD-WRT come with an openvpn launcher-script and/or config file that points to those specific pathnames?


My goal is to get this down to simply copy'n'paste into the web interface. If that is not possible, I want to document the exact shell commands to run.

Thanks,
Derek

--
Running the latest DD-WRT version 24 SP1 (file dd-wrt.v24_vpn_generic.bin, released 2008-07-26) on two WRT54GL v1.1.


Last edited by dereks on Mon May 04, 2009 18:22; edited 4 times in total
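The NOTE above about pasting only the -----BEGIN/END----- section can be checked on the workstation before anything is pasted. The following shell script is an added example for this thread, not code from dereks' HOWTO or from DD-WRT: it prints just the PEM block of an easy-rsa output file and refuses files with no block or more than one. It goes a little beyond the note in that the same pattern matches the CERTIFICATE, RSA PRIVATE KEY and DH PARAMETERS block types, so it covers ca.crt, server.crt, server.key and dh1024.pem alike. The function names (pem_body, pem_count, pem_check, make_sample) and the sample certificate text are constructed for the example; the sample's base64 body is a placeholder, not a real certificate, and the CR stripping is an assumption about files edited on Windows rather than something the thread reports.

```shell
#!/bin/sh
# Added example (not from the thread or from DD-WRT): prepare easy-rsa output
# files for pasting into the DD-WRT OpenVPN GUI. Signed .crt files carry a
# human-readable dump above the PEM block; the GUI fields want only the
# -----BEGIN ...----- to -----END ...----- lines.

# Print the first PEM block of FILE, marker lines included. The pattern
# matches CERTIFICATE, RSA PRIVATE KEY and DH PARAMETERS blocks alike.
# CR characters are dropped first (assumption: a file saved with Windows
# line endings would otherwise carry stray \r into the paste box).
pem_body() {
    tr -d '\r' < "$1" |
        sed -n '/^-----BEGIN [A-Z ]*-----$/,/^-----END [A-Z ]*-----$/p'
}

# Number of PEM blocks in FILE; each GUI field expects exactly one.
pem_count() {
    grep -c '^-----BEGIN ' "$1" || true
}

# Verdict for FILE: exactly one block whose first and last lines are the
# markers. Prints a one-line verdict; returns 0 when safe to paste.
pem_check() {
    f=$1
    [ -r "$f" ] || { echo "$f: not readable"; return 1; }
    n=$(pem_count "$f")
    if [ "$n" -ne 1 ]; then
        echo "$f: expected 1 PEM block, found $n"
        return 1
    fi
    body=$(pem_body "$f")
    first=$(printf '%s\n' "$body" | head -n 1)
    last=$(printf '%s\n' "$body" | tail -n 1)
    case $first in
        -----BEGIN*) ;;
        *) echo "$f: block does not start with a BEGIN line"; return 1 ;;
    esac
    case $last in
        -----END*) ;;
        *) echo "$f: block does not end with an END line"; return 1 ;;
    esac
    lines=$(printf '%s\n' "$body" | wc -l | tr -d ' ')
    echo "$f: ok, paste these $lines lines"
}

# Write a constructed stand-in for an easy-rsa signed certificate to FILE:
# the openssl text dump, then a placeholder PEM body (not a real cert).
make_sample() {
    cat > "$1" <<'EOF'
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Issuer: CN=constructed-example-CA
-----BEGIN CERTIFICATE-----
MIIBexampleexampleexampleexampleexampleexampleexampleexample
exampleexampleexampleexampleexampleexampleexampleexample==
-----END CERTIFICATE-----
EOF
}

# With file arguments, check each; with none, run the constructed sample.
if [ $# -gt 0 ]; then
    for f in "$@"; do pem_check "$f"; done
else
    sample=${TMPDIR:-/tmp}/pem_sample.$$
    make_sample "$sample"
    pem_check "$sample"
    pem_body "$sample"
    rm -f "$sample"
fi
```

Run it as `sh pem_paste.sh keys/ca.crt keys/server.crt keys/server.key keys/dh1024.pem` from the easy-rsa directory; each verdict line tells you how many lines belong in the corresponding GUI field, and `pem_body keys/server.crt` is what you actually copy.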
SteveDemy (DD-WRT Novice, joined 30 Jul 2008, 9 posts)
PostPosted: Wed Jul 30, 2008 18:05    Post subject: OpenVPN input and file mappings
Enabling OpenVPN daemon in the GUI and filling in some certificates resulted in some new files in /tmp/openvpn

Code:
root@AsusRouter:/tmp/openvpn# ls
ca.crt         dh.pem         openvpn.conf   route-up.sh
cert.pem       key.pem        route-down.sh


The data went here: GUI box name --> file:

Public Server Cert --> ca.crt
Public Client Cert --> cert.pem
Private Client Key --> key.pem
DH PEM --> dh.pem
OpenVPN Config --> openvpn.conf

Trying to be a server, I need server.crt and server.key files, not cert.pem or key.pem. I don't see how to do that in the GUI, and using the rc_startup method does not produce a running server as it did before.

I'm currently unable to create the correct files, and get OpenVPN running. Of course it would be possible to manually write the correct files into /tmp/openvpn but this sounds unlikely in a firmware that is trying to help with GUIs. Or is that what we have to do?

Using v24-sp1 vpn, Asus WL-500G premium
SteveDemy (DD-WRT Novice, joined 30 Jul 2008, 9 posts)
PostPosted: Thu Jul 31, 2008 8:42    Post subject: Use existing method
The OpenVPN server works now. The solution came by disabling the new OpenVPN Daemon and letting the rc_startup script do its job as before. Otherwise the GUI inputs create files which interfere with what the script is doing. At least I was unable to get the GUI inputs to work.

I added one line to the script in the wiki after the creation of the openvpn.conf file:

chmod 755 openvpn.conf

I'm too new to know if this is necessary, but no harm done. The startup logfile looks like this:

Code:
Jul 31 01:20:38 192.168.1.1 openvpn[422]: OpenVPN 2.1_rc7 mipsel-unknown-linux-gnu [SSL] [LZO1] [EPOLL] built on Jul 27 2008
Jul 31 01:20:39 192.168.1.1 openvpn[422]: Diffie-Hellman initialized with 1024 bit key
Jul 31 01:20:39 192.168.1.1 openvpn[422]: TLS-Auth MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
Jul 31 01:20:39 192.168.1.1 openvpn[422]: TUN/TAP device tap0 opened
Jul 31 01:20:39 192.168.1.1 openvpn[422]: TUN/TAP TX queue length set to 100
Jul 31 01:20:39 192.168.1.1 openvpn[422]: Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Jul 31 01:20:39 192.168.1.1 openvpn[426]: Socket Buffers: R=[109568->131072] S=[109568->131072]
Jul 31 01:20:39 192.168.1.1 openvpn[426]: UDPv4 link local (bound): [undef]:1194
Jul 31 01:20:39 192.168.1.1 openvpn[426]: UDPv4 link remote: [undef]
Jul 31 01:20:39 192.168.1.1 openvpn[426]: MULTI: multi_init called, r=256 v=256
Jul 31 01:20:39 192.168.1.1 openvpn[426]: Initialization Sequence Completed
Jul 31 01:20:40 192.168.1.1 : klogd started: BusyBox v1.11.1 (2008-07-27 16:20:53 CEST)


I'll try to connect to OpenVPN 2.1_rc7 tomorrow.
switch (DD-WRT Guru, joined 30 Apr 2008, 967 posts, location: Romania)
PostPosted: Thu Jul 31, 2008 9:11
Using both a startup script and the GUI script won't work. Use either, but never both.

I'll try to write up a Wiki entry on v24SP1 openvpn when I get the chance.

_________________
Q: How do I do ...? A: Read the tutorials or Search forums
bmatthewshea (DD-WRT User, joined 31 Jul 2008, 53 posts)
PostPosted: Thu Jul 31, 2008 16:22    Post subject: Re: v24 SP1 WebGui OpenVPN Cert/Key Mappings
SteveDemy wrote:
Enabling OpenVPN daemon in the GUI and filling in some certificates resulted in some new files in /tmp/openvpn
...
The data went here: GUI box name --> file:

Public Server Cert --> ca.crt
Public Client Cert --> cert.pem
Private Client Key --> key.pem
DH PEM --> dh.pem
OpenVPN Config --> openvpn.conf

Trying to be a server, I need server.crt and server.key files, not cert.pem or key.pem.
...


I haven't had a chance to test this remotely (can connect locally - back through router - just fine.. so I (know/think) certs are working...)

Anyway, I put them in like this (I think most people want to simply use the router as a hardware VPN server... not sure why the wiki goes into client setup etc. Just makes it more confusing, and of course it is still written with the old script setup):

v24 sp1:
(Under OpenVPN Daemon)

Start OpenVPN: (Enable)
Start Type: (WAN Up)
Code:
Public Server Cert            > ca.crt
Certificate Revoke List (CRL) > (mine is empty)
Public Client Cert            > server.crt
Private Client Key            > server.key
DH PEM                        > dh1024.pem
OpenVPN Config                > (see below)
OpenVPN TLS Auth              > ta.key (or key.txt depending on how created)(see below)


My OpenVPN Config:
Code:
dev tun0
port {your port}
server 10.68.0.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
tls-auth /tmp/openvpn/ta.key 0
keepalive 10 120
comp-lzo
max-clients 2
verb 5

Don't know if you need to specify the absolute path for certs/keys. I did, and it works. Also, I have my verbosity turned up for troubleshooting. Set this to 3 or less.

I pushed my local 192.168.1.0/24 net to the client. You may need to change this to suit your net.

I added the HMAC authentication (TLS-Auth setting) today, and it seems to work. It worked without it, too. So you don't really need this added to the WebGui. If not, remove it from the config. If you use the utility "Generate Static OpenVPN Key" you will get a "key.txt" which is your "ta.key". If you use the CLI method:
Code:
openvpn --genkey --secret ta.key
You obviously will have it named ta.key already.


I did notice a couple things:
The nvram setting for LZO:
openvpn_lzo=0
Strange.
You can see above, that the OpenVPN config set that. (unsuccessfully?) Apparently not, as I can connect.

Also, under STATUS: I get absolutely no info in regards to the "VPN" tab. Since this is a VPN release shouldn't this work at least a little? Log?

I also noticed that to confirm it is running, you have to SSH into your router and run 'ps' to check (and check the log also). Sometimes it fails to come up on the first reboot. Sometimes you have to reboot twice to get it to init correctly. Or go to the "Services" tab, scroll to the bottom and click "Apply Changes", and that should work w/o rebooting twice.

I will update when I get a chance to test it truly remotely.

One question: From my tests so far it seems to connect just fine from within the local network.. as far as security goes. Do we need to 'unblock' the used port above in the NAT section, or leave it alone.. I would think it should work without this pointing back to itself (router)?


Log ("cat /var/log/messages" - make sure syslog is on!)
When it comes up correctly:
Code:

Jul 31 10:43:02 SHEA002 daemon.notice openvpn[1749]: OpenVPN 2.1_rc7 mipsel-unknown-linux-gnu [SSL] [LZO1] [EPOLL] built on Jul 27 2008
Jul 31 10:43:03 SHEA002 daemon.notice openvpn[1749]: Diffie-Hellman initialized with 1024 bit key
Jul 31 10:43:03 SHEA002 daemon.warn openvpn[1749]: WARNING: file '/tmp/openvpn/key.pem' is group or others accessible
Jul 31 10:43:03 SHEA002 daemon.warn openvpn[1749]: WARNING: file '/tmp/openvpn/ta.key' is group or others accessible
Jul 31 10:43:03 SHEA002 daemon.notice openvpn[1749]: Control Channel Authentication: using '/tmp/openvpn/ta.key' as a OpenVPN static key file
Jul 31 10:43:03 SHEA002 daemon.notice openvpn[1749]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Jul 31 10:43:03 SHEA002 daemon.notice openvpn[1749]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Jul 31 10:43:03 SHEA002 daemon.notice openvpn[1749]: TLS-Auth MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]
Jul 31 10:43:03 SHEA002 daemon.notice openvpn[1749]: TUN/TAP device tun0 opened

Jul 31 10:43:03 SHEA002 daemon.notice openvpn[1749]: TUN/TAP TX queue length set to 100
Jul 31 10:43:03 SHEA002 daemon.notice openvpn[1749]: /sbin/ifconfig tun0 10.68.0.1 pointopoint 10.68.0.2 mtu 1500
Jul 31 10:43:03 SHEA002 daemon.notice openvpn[1749]: /sbin/route add -net 10.68.0.0 netmask 255.255.255.0 gw 10.68.0.2

Jul 31 10:43:03 SHEA002 daemon.notice openvpn[1749]: Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Jul 31 10:43:03 SHEA002 daemon.notice openvpn[1762]: Socket Buffers: R=[32767->65534] S=[32767->65534]
Jul 31 10:43:03 SHEA002 daemon.notice openvpn[1762]: UDPv4 link local (bound): [undef]:8989
Jul 31 10:43:03 SHEA002 daemon.notice openvpn[1762]: UDPv4 link remote: [undef]
Jul 31 10:43:03 SHEA002 daemon.notice openvpn[1762]: MULTI: multi_init called, r=256 v=256
Jul 31 10:43:03 SHEA002 daemon.notice openvpn[1762]: IFCONFIG POOL: base=10.68.0.4 size=62
Jul 31 10:43:03 SHEA002 daemon.notice openvpn[1762]: Initialization Sequence Completed


Process:
Code:
root@SHEA002:~# ps | grep openvpn
1762 root      1980 S    openvpn --config /tmp/openvpn/openvpn.conf --route-up /tmp/openvpn/route-up.sh --down /tmp/openvpn/route-down.sh --daemon


Last edited by bmatthewshea on Thu Jul 31, 2008 19:15; edited 8 times in total
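The two WARNING lines in the log above are worth acting on: OpenVPN is reporting that key.pem and ta.key on the router are readable by group and others. The following shell script is an added example for this thread, not code from bmatthewshea's post or from DD-WRT. It classifies openvpn syslog lines (the "Options error" line from dereks' troubleshooting section, the permission warnings, and "Initialization Sequence Completed") into a one-line summary, and checks whether a key file still has group/other permission bits. The function names, the hostname "router" and the sample log lines are constructed for the example; the line formats follow the logs quoted in the thread. Whether a chmod under /tmp/openvpn survives a reboot is not something the thread establishes, so the script treats it as a per-boot step (assumption).

```shell
#!/bin/sh
# Added example (not from the thread or from DD-WRT): triage the openvpn lines
# from /var/log/messages and check the private key permissions that the
# "group or others accessible" WARNING lines complain about.

# Classify one syslog line from openvpn: ERROR, PERMS, WARN, READY or INFO.
classify_line() {
    case $1 in
        *"Options error"*)                     echo ERROR ;;
        *"WARNING: file "*" accessible"*)      echo PERMS ;;
        *WARNING*)                             echo WARN ;;
        *"Initialization Sequence Completed"*) echo READY ;;
        *)                                     echo INFO ;;
    esac
}

# Read log lines on stdin and print "ready=N errors=N perm_warnings=N".
# ready=0 with errors>0 is the "config error, daemon died" case from the
# troubleshooting section; perm_warnings>0 means a key is world-readable.
summarize_log() {
    ready=0; errors=0; perms=0
    while IFS= read -r line; do
        case $(classify_line "$line") in
            READY) ready=$((ready + 1)) ;;
            ERROR) errors=$((errors + 1)) ;;
            PERMS) perms=$((perms + 1)) ;;
        esac
    done
    echo "ready=$ready errors=$errors perm_warnings=$perms"
}

# Return 0 when FILE has no group/other permission bits (mode 0600 or 0400),
# i.e. when openvpn would not emit the "group or others accessible" warning.
# Parsed from ls -l so it works on BusyBox as well as desktop systems.
key_perms_ok() {
    mode=$(ls -l "$1" | cut -c5-10)
    [ "$mode" = "------" ]
}

# Constructed samples, modelled on the syslog lines quoted in the thread.
sample_log_good() {
    cat <<'EOF'
Jul 31 10:43:02 router daemon.notice openvpn[1749]: OpenVPN 2.1_rc7 mipsel-unknown-linux-gnu [SSL] [LZO1] [EPOLL] built on Jul 27 2008
Jul 31 10:43:03 router daemon.warn openvpn[1749]: WARNING: file '/tmp/openvpn/key.pem' is group or others accessible
Jul 31 10:43:03 router daemon.warn openvpn[1749]: WARNING: file '/tmp/openvpn/ta.key' is group or others accessible
Jul 31 10:43:03 router daemon.notice openvpn[1749]: TUN/TAP device tun0 opened
Jul 31 10:43:03 router daemon.notice openvpn[1762]: Initialization Sequence Completed
EOF
}

sample_log_bad() {
    cat <<'EOF'
Jul 31 11:55:13 router daemon.err openvpn[1686]: Options error: --server directive network/netmask combination is invalid
Jul 31 11:55:13 router daemon.warn openvpn[1686]: Use --help for more information.
EOF
}

# On the router itself you would run:
#   grep openvpn /var/log/messages | summarize_log
#   key_perms_ok /tmp/openvpn/key.pem || chmod 600 /tmp/openvpn/key.pem
# (the chmod is assumed to need repeating after each boot, since the files
# are written to /tmp from the GUI settings)
echo "good log: $(sample_log_good | summarize_log)"
echo "bad log:  $(sample_log_bad | summarize_log)"
```

Running the script stand-alone prints `ready=1 errors=0 perm_warnings=2` for the first sample and `ready=0 errors=1 perm_warnings=0` for the second; the summary is meant to be read together with `ps | grep openvpn`, since a log with no READY line and no ERROR line usually means the daemon never started at all.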
bruce9090 (DD-WRT Novice, joined 30 Jul 2008, 29 posts)
PostPosted: Thu Jul 31, 2008 16:26
I'm experiencing the same issues... Old docs aren't relative and I've spent hours trying to piece it all together... Please update the Wiki!
bmatthewshea (DD-WRT User, joined 31 Jul 2008, 53 posts)
PostPosted: Thu Jul 31, 2008 16:43
bruce9090 wrote:
I'm experiencing the same issues... Old docs aren't relative and I've spent hours trying to piece it all together... Please update the Wiki!


I spent all day yesterday just getting this far! :)

Hope that helped...
dereks (DD-WRT Novice, joined 30 Jul 2008, 14 posts)
PostPosted: Thu Jul 31, 2008 18:03    Post subject: Re: v24 SP1 WebGui OpenVPN Cert/Key Mappings
Thanks to all who have posted so far. Gotta love community-supported software!

I'm going to work on my setup again some more today, but first, a couple of quick points:

bmatthewshea wrote:

Anyway, I put them in like this (I think most ppl want to simply use the router as a hardware VPN server...not sure why the wiki goes into client setup etc. Just makes it more confusing, and of course it is still written with old script setup):


I'm using two appliances to establish a VPN between a Main Office and a Remote Office. The Main Office will be the server, and the Remote Office will be a client. So, I need to know how to set up the DD-WRT client as well as the server daemon.

By using two hardware appliances like this, we do not need to install or configure OpenVPN on any workstations or internal servers.

bmatthewshea wrote:
Code:

Public Server Cert            > ca.crt
Certificate Revoke List (CRL) > (mine is empty)
Public Client Cert            > server.crt
Private Client Key            > server.key
DH PEM                        > dh1024.pem
OpenVPN Config                > (see below)
OpenVPN TLS Auth              > ta.key (see below)


There is a minor typo above: The DH PEM data is stored in dh.pem, not dh1024.pem.

Note that if you use OpenVPN to create your SSL certs for you (as per the OpenVPN Quickstart), the default filename will be dh1024.pem. But when you paste it into the DD-WRT web interface, it gets saved on the appliance as dh.pem.

bmatthewshea wrote:
The nvram setting for LZO:
openvpn_lzo=0
Strange.
You can see above, that the OpenVPN config set that. (unsuccessfully?) Apparently not, as I can connect.


Yes, I'm hoping the DD-WRT developer who created all those openvpn* nvram variables can post a description of where/how they are used.

bmatthewshea wrote:
One question: From my tests so far it seem to connect just fine from within the local network.. as far as security goes. Do we need to 'unblock' the used port above in NAT section, or leave it alone.. I would think it should work without this pointing back to itself (router)?
[...]
Process:
Code:
root@SHEA002:~# ps | grep openvpn
1762 root      1980 S    openvpn --config /tmp/openvpn/openvpn.conf --route-up /tmp/openvpn/route-up.sh --down /tmp/openvpn/route-down.sh --daemon


The port unblocking is something I'll be testing today. Note that DD-WRT launches OpenVPN with the --route-up and --down options. Here is the included route-up.sh script:

Code:
startservice set_routes
iptables -I INPUT -i tun0 -j ACCEPT


I think (but haven't tested yet) that the iptables line there takes care of the firewall unblocking.

Thanks again for all the great info... I'll post an update when I've made some progress on my setup here.
bmatthewshea (DD-WRT User, joined 31 Jul 2008, 53 posts)
PostPosted: Thu Jul 31, 2008 18:23    Post subject: Re: v24 SP1 WebGui OpenVPN Cert/Key Mappings
dereks wrote:
Thanks to all who have posted so far. Gotta love community-supported software!
bmatthewshea wrote:
Code:

Public Server Cert            > ca.crt
Certificate Revoke List (CRL) > (mine is empty)
Public Client Cert            > server.crt
Private Client Key            > server.key
DH PEM                        > dh1024.pem
OpenVPN Config                > (see below)
OpenVPN TLS Auth              > ta.key (see below)


There is a minor typo above: The DH PEM data is stored in dh.pem, not dh1024.pem.


These are filenames from when you created them. As you mentioned if you follow OpenVPN quickstart exactly, you should have all these filenames (.key's .crt's, .pem's). I am simply stating what you copy and paste into the Web gui. I didn't even go into how they are stored in /tmp/openvpn directory. But that would be the filename there once you save and apply.

After saving/applying/rebooting etc. here is what they look like in the following dir:

Code:

root@SHEA002:~# ls -la /tmp/openvpn
drwx------    1 root     root            0 Jan  1  1970 .
drwxrwxrwx    1 root     root            0 Jan  1  2000 ..
-rw-r--r--    1 root     root         1346 Jul 31 12:54 ca.crt
-rw-r--r--    1 root     root         1379 Jul 31 12:54 cert.pem
-rw-r--r--    1 root     root          245 Jul 31 12:54 dh.pem
-rw-r--r--    1 root     root          891 Jul 31 12:54 key.pem
-rw-r--r--    1 root     root          265 Jul 31 12:54 openvpn.conf
-rwx------    1 root     root           36 Jul 31 12:54 route-down.sh
-rwx------    1 root     root           60 Jul 31 12:54 route-up.sh
-rw-r--r--    1 root     root          601 Jul 31 12:54 ta.key


So not a typo. :)
bmatthewshea (DD-WRT User, joined 31 Jul 2008, 53 posts)
PostPosted: Thu Jul 31, 2008 18:46    Post subject: RE: Port forwarding/NAT
Indeed, to get this working I had to port forward my particular port under NAT/Port Forwarding, and point it back to the local network's router address (the one with the server running). I shouldn't need this: OpenVPN puts a static route:port through ifconfig.. but it seems you do. (Again) strange. It may be because I am testing from inside my network.

Also, you may need to make the router (server) pingable. (Under "Security" tab.) You may also want to uncheck "Filter WAN redirection" if you want to test the security portion from within local network. (As I have been doing.) Again these steps may only be necessary if testing from inside local net.

I also found out that the OpenVPN daemon will startup better if you run with the setting "Wan Up" as starting at system startup seems to cause problems. (Process seems to die.)


Last edited by bmatthewshea on Thu Jul 31, 2008 19:14; edited 1 time in total
switch (DD-WRT Guru, joined 30 Apr 2008, 967 posts, location: Romania)
PostPosted: Thu Jul 31, 2008 19:06
Guys what is so difficult? Just take the usual startup scripts and look for quotes. If you see:

Code:
"
bla bla
bla bla
bla bla
" > filename.ext


Just put the bla bla bla part in the appropriate textbox on the DD-WRT GUI!

Also, you're not forced to use the GUI. Simply use the startup scripts (as described in the Wiki) to start OpenVPN. It *still* works! The info in the Wiki is not outdated -- it's merely the old way of doing it. So if you can't interpret the script and get GUI working, use the scripts since those have been tested over and over again.

_________________
Q: How do I do ...? A: Read the tutorials or Search forums
bmatthewshea (DD-WRT User, joined 31 Jul 2008, 53 posts)
PostPosted: Thu Jul 31, 2008 19:18
switch wrote:
Guys what is so difficult? Just take the usual startup scripts and look for quotes. If you see:

Code:
"
bla bla
bla bla
bla bla
" > filename.ext


Just put the bla bla bla part in the appropriate textbox on the DD-WRT GUI!

Also, you're not forced to use the GUI. Simply use the startup scripts (as described in the Wiki) to start OpenVPN. It *still* works! The info in the Wiki is not outdated -- it's merely the old way of doing it. So if you can't interpret the script and get GUI working, use the scripts since those have been tested over and over again.


That is the point. I am trying to get this working by using GUI only. And *no* it's not that easy.

And *yes* I realize the scripts still work. Although I haven't tested them on v24-sp1.. was looking to avoid doing extra stuff inside router manually.
switch (DD-WRT Guru, joined 30 Apr 2008, 967 posts, location: Romania)
PostPosted: Thu Jul 31, 2008 19:21
Scripts are by no means 'doing stuff manually inside the router'. You needn't use the router's CLI at all. GUI suffices. Like I said, I'll update the guide but I'm a bit busy at the moment.
_________________
Q: How do I do ...? A: Read the tutorials or Search forums
bmatthewshea (DD-WRT User, joined 31 Jul 2008, 53 posts)
PostPosted: Thu Jul 31, 2008 19:27
switch wrote:
Scripts are by no means 'doing stuff manually inside the router'. You needn't use the router's CLI at all. GUI suffices. Like I said, I'll update the guide but I'm a bit busy at the moment.


Ok. Should have read:
"Instead of adding startup script for something that should be working under "Services"/VPN without adding to "Administration/Commands/Save Startup"

It has also been noted that getting a server functioning using the start script method can BRICK certain routers.
See: WARNING
Just testing/trying to get working under strictly the Services/VPN section. Ok?

Also trying to make this as simple as possible for others trying to accomplish the same.

Thanks for the help.
dereks (DD-WRT Novice, joined 30 Jul 2008, 14 posts)
PostPosted: Fri Aug 01, 2008 1:49    Post subject: Re: RE: Port forwarding/NAT
I got the OpenVPN server to work. Basically, it's everything you said, plus this command:

Code:
iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT


...where 1194 is the default OpenVPN port.

Although I used the command line, you can supposedly save that line into the firewall rules using the web GUI. So I'm going to write a procedure to set up OpenVPN without using the shell at all, and then test it. Once I test it, I'll post it here (and/or on the Wiki).

bmatthewshea wrote:
Indeed to get this working I had to port forward my particular port under NAT/Port Forwarding, and point back to the local networks router address (one with server running). Shouldn't need this.


My testing disagrees here. I did not need to turn on port forwarding.


bmatthewshea wrote:
Also, you may need to make the router (server) pingable. (Under "Security" tab.) You may also want to uncheck "Filter WAN redirection" if you want to test the security portion from within local network. (As I have been doing.) Again these steps may only be necessary if testing from inside local net.


For "Filter WAN redirection", I agree, that's necessary to talk to the outside IP address from inside the LAN.

But I don't think turning on ping is necessary... I didn't explicitly check for that.

bmatthewshea wrote:
I also found out that the OpenVPN daemon will startup better if you run with the setting "Wan Up" as starting at system startup seems to cause problems. (Process seems to die.)


There is also a note about the process dying in the older Wiki docs. It talks about renaming some files... not sure why.