Be aware that you need to enter the certificates, keys and DH-PEM values in the right text fields in the DD-WRT menu Services > VPN.
NOTE: Do not follow the rest of the instructions for configuring OpenVPN on DD-WRT. Not for this r23919 release! I tried that without success. Instead see the values given below and adapt these to your needs.
My LAN IP range is 192.168.1.x.
The IP address of the router is 192.168.1.1 (default).
I used 10.10.10.0 range for OpenVPN.
The first client that connects gets 10.10.10.2 as IP address.
If you want more clients like client2, client3 etc. then create for each client its own certificate and add an extra rule in the Startup script (follow exactly the same instructions as for client1 and each time you change only 1, by 2, 3 and so on).
DD-WRT MENU: Services > VPN tab
===============================
OpenVpn Server: enabled
Start Type: WAN up
Config as: Server
Server Mode: Routed (TUN)
Network: 10.10.10.0
Netmask: 255.255.255.0
Port: 1194
Tunnel Protocol: UDP
Encryption Cipher: AES-256 CBC
Hash Algorithm: SHA1
Advanced Options: Disabled (I first did set the values below with enabled and then finally disabled this setting)
TLS Cipher: None
LZO COmpression: Yes
Redirect default Gateway: Disable
Allow Client to Client: Enable
Allow duplicate cn: Disable
Tunnel MTU setting: 1500
Tunnel UDP Fragment: empty
Tunnel UDP MSS-Fix: Disable
CCD-Dir DEFAULT file: empty
Client connect script: empty
Static Key: empty
PKCS12 Key: empty
I use English language user interface in DD-WRT as that will show the certificate field names correctly I discovered. These certificates are generated with OpenVPN 2.3.4 -- released on 2014.05.02 on Windows 7. See http://openvpn.net/index.php/download/community-downloads.html.
Only copy the content between AND including these lines in the text fields.
-----BEGIN CERTIFICATE-----
.....
.....
-----END CERTIFICATE-----
So be aware NOT to copy things like this for example in the file server.crt:
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 2 (0x2)
Signature Algorithm: md5WithRSAEncryption
...
...
The certificates that I filled in in the text fields are shown below.
Public Server Cert: server cert ==> content of generated file server.crt
CA Cert: CA Cert ==> file CA.crt
Private Server Key: server key ==> file server.key
DH PEM: dh2048.pem ==> file dh2048.pem or dh1024.pem if you used 1024 bits key
Additional Config: ==> put next 3 lines in this text field
DD-WRT MENU: Administration > Commands
======================================
Add following Startup script (use Save Startup button on the Commands page).
My startup script contains this:
If you have a client2 you need to add this:
echo "iroute 10.10.10.0 255.255.255.0" > /tmp/openvpn/ccd/client2
... and so on for each additional client.
Reboot now your router and wait a while.
Setup of CLIENT DEVICE.
Copy your client.ovpn AND CA.crt AND server.crt AND server.key to your client device.
For example your mobile phone. I used a Galaxy S3 Android 4.3 version.
Install the OpenVPN app from the Appstore and import file client.ovpn. Be aware that all certificates files must be in the same directory (or adapt the client.ovpn file to point to the right location. I used the default settings as that is easier and less risk on typing errors.
Note that below xx.xx.xx.xx is the IP number that you get from your service provider.
When you do not have an own fixed IP address than you can also replace that IP number with yyyyyyy.dyndns.org where yyyyyyy is the first part of your account at dyndns.org. NOTE: dyndns.org is NOT FOR FREE anymore, so I changed with success to freedns.afraid.org which is FOR FREE...
Of course you must have enabled Dynamic Domain Name System in DD-WRT in Menu Setup > DDNS and check also if it is working correctly!
In the hostname field, put in both the Hostname and the hash value from freedns.afraid.org separated by a comma like:
Hostname: yourdomainname,AUdf38SJKksoP81M
The hash value is available from the Dynamic DNS screen on freedns.afraid.org
A complete example on the Dynamic Domain Name System screen in DD-WRT:
DDNS Service : freedns.afraid.org
Username : your user name at freedns.afraid.org
Password : your password at freedns.afraid.org
Hostname : yourdomain.moo.com,ZUjAKEphcO1LWW1XSkNiKmlnVnQWRngPOlExQjYzKTS5
Do not use external ip : checked Yes
When you do NOT use the Dynamic Domain Name System in DD_WRT, then each time your internet provider gives you a new IP address, you need to change that IP number xx.xx.xx.xx also on your client device in file client.ovpn and import that file again by the OpenVPN app. That's annoying...but it works.
My client.ovpn file contains this:
client
dev tun
cipher AES-256-CBC
proto udp
remote xx.xx.xx.xx 1194
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server
comp-lzo
verb 3
Success! Thanks to all the people who posted there solutions, by combining the things and lot of testing I succeeded.
Posted: Tue Oct 28, 2014 16:17 Post subject: Tedious trek
Thank you very much for this. It helps a lot but I am still facing some difficulties .....
Questions:
- do you have PPPoE enabled to your DSL provider and do you know if it was possible for both it and OpenVPN server to run concurrently?
In the past, back at release 14xxx, I had OPENVPN server working for about a year. To get it working in my PPPoE environment, I had to add a second router on my home network because I could never get the main router to run both applications. Last month, a hardware issue wiped out my whole setup and I am starting over now, with a new Buffalo WZR-HP-AG300H and am having no success at all, sporatic results and highly confusing.
- did you set the Security, SPI Firewall option to off or on to allow this to work?
- can you explain further how to create the keys while using the latest version of OpenVPN client
- did you get OpenVPN working without any firewall commands in the Admin panel? (All previous how-tos I have seen on this say some commands are necessardy.)
Key Creation:
A terrible jumbled mix exists online as how-tos regarding something that logically should have been streamlined and automated a long time ago..... From what I can tell from research ....
The howtogeek addresses editing the vars.bat but doesn't address what to do with the new lines of code seen in recent releases:
set KEY_CN=
set KEY_NAME=
set KEY_OU=
set PKCS11_MODULE_PATH=
set PKCS11_PIN=
- Are these variables left in, left out are set to what?
Now using the most current release of OpenVPN openvpn-install-2.3.4-I005-x86_64.exe, I find I have problems when generating keys on Windowx XP 32 bit in that the "build-ca" won't work at all, and on using this same release on Win 7 64 bit, I find that it works but I have also found that build-dh sometimes will run "this is going to take a long time" and generate a flash of a couple of lines and other times it will generate a page or so of data. Something is wrong with it. But for the moment if we forget about the build-dh problem (I just keep running it until it makes a run that fills a whole page or two), there is the issue of "Common Name".
From what I have been able to determine and I ask is this correct:
build-ca: respond to Common Name query, anything, such as MyHome
build-client: respond to Common Name the same name as the client, i.e. client1, client2, as they are created
build-server: respond to Common Name the same name as the server, ie. server
There there are all the questions about the fields of "Name" and the PKCSII and the other two questions that pop up asking about passwords:
What should the response be to these:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Also there is an issue with this error message:
WARNING: can't open config file: /etc/ssl/openssl.cnf
Using configuration from openssl-1.0.0.cnf
There are even more error messages if you alter the vars.bat as per the HowToGeek article as this:
OK, many problems abound. First of all, I went searching archives and found my notes when I installed this before. The easy-rsa key maker is just as flaky now as it was back when the HowToGeek article came out. There is some sort of major memory leak on Win 7 64 bit at least when generating keys. Well I wrote all about it here:
I finally got a good set of keys generated. I could tell because after plugging them in the Buffalo and linking with the client, I received the error that keys were not yet valid. Excited that I was at least now talking to the router, this error reminded me I needed to wait a fading memory amount of hours, somewhere and up to 24 to be able to test with them once they have been genned.
So the next morning I was ecstatic to learn I was both connected and routing. I was able to go into my routers web page, check settings and to VNC into the consoles of servers on my LAN while tunneled in from my laptop over a cellular hotspot. Then I tried NetBios over TCPIP which worked with my previous setup (net use x: \\192.168.x.x\shareName and it failed on this configuration. I also visited "what is my IP" and I was still showing an IP of my cellular carrier (via the hotspot of my cellphone). I wanted to route all traffic over the connection so I went back to the documentation for my previous setup and attempted to configure. I first added to "Additional config":
push "redirect-gateway def1"
push "dhcp-option DNS 10.10.10.1"
That caused my OpenVPN client to not be able to reach the server at all. So I added an additional line suggested both on the OpenVPN support site and which I found in my notes from my old configuration. This was added to the Firewall in the Administrator, Commands section:
Still no communication. So the logical thing to do would be to remove the 3 lines I added to OpenVPN and try something else. But no, something changed in my setup by simply adding these lines and deleting them. Power reset the router and everything and still my client can NOT talk to the remote OpenVPN server.
Code:
Fri Oct 31 20:00:01 2014 MANAGEMENT: >STATE:1414803601,WAIT,,,
Fri Oct 31 20:00:01 2014 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Fri Oct 31 20:00:03 2014 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Fri Oct 31 20:00:07 2014 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Fri Oct 31 20:00:15 2014 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Fri Oct 31 20:00:31 2014 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Fri Oct 31 20:01:02 2014 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Oct 31 20:01:02 2014 TLS Error: TLS handshake failed
So all I know to do now is do a hard reset on the router and reconfigure it. It takes several hours because I have so many static IPs, port forwards and permitted wi-fi MACs. So time will tell if starting anew will give me back the service I had for a few moments.
More to come ..... (recommended: only start a project like this in the dead of winter - never in fall or spring!)
I took the same settings that worked originally, but I checked the "Advance Options" where I selected the "Redirect default gateway" option. Still it looks like I am linking but something goes wrong during the handshake. Again this is a PPPoE DSL client to my ISP and running with SPI Firewall "on":
Code:
Fri Oct 31 22:45:24 2014 OpenVPN 2.3.4 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on May 2 2014
Fri Oct 31 22:45:24 2014 library versions: OpenSSL 1.0.1g 7 Apr 2014, LZO 2.05
Enter Management Password:
Fri Oct 31 22:45:24 2014 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Fri Oct 31 22:45:24 2014 Need hold release from management interface, waiting...
Fri Oct 31 22:45:25 2014 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Fri Oct 31 22:45:25 2014 MANAGEMENT: CMD 'state on'
Fri Oct 31 22:45:25 2014 MANAGEMENT: CMD 'log all on'
Fri Oct 31 22:45:25 2014 MANAGEMENT: CMD 'hold off'
Fri Oct 31 22:45:25 2014 MANAGEMENT: CMD 'hold release'
Fri Oct 31 22:45:25 2014 Socket Buffers: R=[8192->8192] S=[8192->8192]
Fri Oct 31 22:45:25 2014 MANAGEMENT: >STATE:1414813525,RESOLVE,,,
Fri Oct 31 22:45:25 2014 UDPv4 link local (bound): [undef]
Fri Oct 31 22:45:25 2014 UDPv4 link remote: [AF_INET]69.22.56.51:443
Fri Oct 31 22:45:25 2014 MANAGEMENT: >STATE:1414813525,WAIT,,,
Fri Oct 31 22:45:25 2014 MANAGEMENT: >STATE:1414813525,AUTH,,,
Fri Oct 31 22:45:25 2014 TLS: Initial packet from [AF_INET]69.22.56.51:443, sid=3a92596a 093ef28a
Fri Oct 31 22:45:27 2014 VERIFY OK: depth=1, C=US, ST=CA, L=SanFrancisco, O=OpenVPN, OU=changeme, CN=MyHouse, name=MyHouse, emailAddress=mail@host.domain
Fri Oct 31 22:45:27 2014 VERIFY OK: nsCertType=SERVER
Fri Oct 31 22:45:27 2014 VERIFY OK: depth=0, C=US, ST=CA, L=SanFrancisco, O=OpenVPN, OU=changeme, CN=server, name=server, emailAddress=mail@host.domain
Fri Oct 31 22:45:28 2014 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Fri Oct 31 22:45:28 2014 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Fri Oct 31 22:45:31 2014 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Fri Oct 31 22:45:31 2014 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Server log file:
/var/log/messages
Code:
Nov 1 00:13:37 DDWRT user.info syslog: vpn modules : vpn modules successfully unloaded
Nov 1 00:13:37 DDWRT user.info syslog: vpn modules : nf_conntrack_proto_gre successfully loaded
Nov 1 00:13:37 DDWRT user.info syslog: vpn modules : nf_nat_proto_gre successfully loaded
Nov 1 00:13:37 DDWRT user.info syslog: vpn modules : nf_conntrack_pptp successfully loaded
Nov 1 00:13:37 DDWRT user.info syslog: vpn modules : nf_nat_pptp successfully loaded
Nov 1 00:13:39 DDWRT user.info syslog: vpn modules : vpn modules successfully unloaded
Nov 1 00:13:39 DDWRT user.info syslog: vpn modules : nf_conntrack_proto_gre successfully loaded
Nov 1 00:13:39 DDWRT user.info syslog: vpn modules : nf_nat_proto_gre successfully loaded
Nov 1 00:13:39 DDWRT user.info syslog: vpn modules : nf_conntrack_pptp successfully loaded
Nov 1 00:13:39 DDWRT user.info syslog: vpn modules : nf_nat_pptp successfully loaded
Nov 1 00:16:30 DDWRT daemon.notice openvpn[13824]: 32.147.199.156:1194 TLS: Initial packet from [AF_INET]32.147.199.156:1194, sid=3a92596a 093ef28a
Nov 1 00:16:32 DDWRT daemon.err openvpn[13824]: 32.147.199.156:1194 CRL: cannot read CRL from file /tmp/openvpn/ca.crl
Nov 1 00:16:32 DDWRT daemon.notice openvpn[13824]: 32.147.199.156:1194 Exiting due to fatal error
Nov 1 00:16:32 DDWRT daemon.notice openvpn[13824]: 32.147.199.156:1194 /sbin/route del -net 10.10.10.0 netmask 255.255.255.0
Nov 1 00:16:32 DDWRT daemon.notice openvpn[13824]: 32.147.199.156:1194 Closing TUN/TAP interface
Nov 1 00:16:32 DDWRT daemon.notice openvpn[13824]: 32.147.199.156:1194 /sbin/ifconfig tun2 0.0.0.0
Nov 1 00:16:56 DDWRT daemon.info hostapd: ath0: STA 00:db:df:20:38:ed IEEE 802.11: authenticated
Nov 1 00:16:56 DDWRT daemon.info hostapd: ath0: STA 00:db:df:20:38:ed IEEE 802.11: associated (aid 1)
Nov 1 00:16:56 DDWRT daemon.info hostapd: ath0: STA 00:db:df:20:38:ed RADIUS: starting accounting session 00000003-00000002
Nov 1 00:16:56 DDWRT daemon.info hostapd: ath0: STA 00:db:df:20:38:ed WPA: pairwise key handshake completed (RSN)
Nov 1 00:17:02 DDWRT authpriv.info dropbear[14374]: Child connection from 192.168.2.131:55161
Nov 1 00:17:11 DDWRT authpriv.notice
*** Updated: Forgot to turn on syslog
****Looks like either the client or the server are still trying to use port 1194 even though I changed it both in the client config and the server to 443. This is especially strange since I had it working on port 443 earlier this morning and I changed nothing in this area other than enabling the redirect gateway option. Both the client config states port 443 as well as the dd-wrt configuration panel. Strange!
This error made me wonder why the program would be looking for CRL file .... well of course that was before I figured out what a CRL file was. Turns out it is a file created from data entered in the "Client Revoke List". Also turns out when I clicked in that field, my cursor went the the second line in the input field rather than the top corner like other input fields. Turns out, if a space or a CR (invisible) gets put in here, apparently dd-wrt thinks there is data in a revoke list.
Nov 1 00:16:32 DDWRT daemon.err openvpn[13824]: 32.147.199.156:1194 CRL: cannot read CRL from file /tmp/openvpn/ca.crl
Not the case. I am a provoker, not a revoker. So I simply hit backspace, save, apply settings and I was back in business, routing again! Wow, many hours for one simple space! Who put it in there? I have no idea. Must have been a spastic keyboard movement as I was drifting off to sleep on these lonely dd-wrt configuring nights .....
Now I am talking to the inside of my home router from afar but still I have to keep searching to figure out how to transfer all the traffic through the tunnel. Apparently clicking the option to "Redirect default gateway" on the server configuration menu is not enough. With it checked, I can still get to IP addresses on my tunneled-to home LAN but I can't get any contact with the outside world:
Still no luck ... I upgraded to version 24160 oer suggestion of another individual and the results are the same. Tunneling into my home router allows be to access my router, my VNC clients on the LAN but still no Netbios over TCPIP of my Windows machines or still the entire traffic is not routed over the tunnel when I open Advanced Options and select to Redirect Gateway. In fact, there is no routing at all outside my local subnet when I enable the redirect gateway option.
I tried all combinations with firewall commands and config entries I had used from my last working 14xxx on the old Linksys WRT54G and none of those configuration options from that previously working setup would work on the modern day implementation of OpenVPN inside dd-wrt.
Now it is assumed that a large number of people, presumably of a lower skill level network-wise would need a way to tunnel completely into their home router. That would be anyone who travels, actually, from those who want security in public wi-fi locations to those who want to watch a Netflix in Mexico. So there are reasons. Not sure why this part of OpenVPN Server need is not focused on much in the various documentation of how to set this up. I suppose some have addressed it by bridging rather than routing, but when you are struggling with a cellular hotspot or shared wifi, you want to keep the network traffic down to the minimum. Using Routing (opposed to Bridging) with the redirect-gateway option accomplishes this.
Well I finally got v24160 working with all traffic going through the tunnel. Here is what I did. I took the information from this very helpful post and changed the following:
Turn on "Advance Routing" and click the option for
Redirect default gateway [X] Enable
I was able to VNC into my local LAN servers, get to my router config menus, use Netbios over IP (net view \\192.168.2.x) and do a tracert to www.google.com and see it went directly to my router and out of my Buffalo wrouter' ISP.
Now if these firewall commands are not exposing me in some what I am not aware of, then I think I am set. Of course the Buffalo router menu went offline after my last remote reboot, so that makes me a little nervous. A POR brought it back up.
So good luck to all you experimenters out there who now have a way to be good road warriors. Use your new privilege carefully - live long, and prosper.
P.S. The device used for testing for the latter part of this article was a Buffalo WZR-HP-AG300H . The build is 24160. There should be no Heardbleed vulnerability. I hope the dd-wrt author will be able to add these firewall settings automatically when the redirect-gateway command is encountered, to match the fine job that has been done with other configurations. Good day to all and at last I exit with success!
The original author of this post used in his examples the default gateway of a fresh setup of dd-wrt, which is 192.168.1.1. Notice that I have changed mine to 192.168.2.1 ..... this is why the push of my ip address is different than his in his original server config description. Set your value in the "push" to the same as what you choose as a local subnet on your router.
Note that the reason that it is a good idea to use another address on your local LAN other than the default is, often when you travel you find the local routers have their gateways configured as 192.168.0.1 and 192.168.1.1. If yours at home is the same and you want to sign into your home router and you enter 192.168.1.1 and that is the address of the hotels gateway/router, you see you have a conflict. Therefore if you set your home to something like 192.168.66.1 or anything other than these common ones, then your chance of conflicting with your hotels subnet is much smaller when you are traveling and tunnel back into your home router.
.
