OpenVPN

From DD-WRT Wiki

Revision as of 21:54, 25 August 2012 by Sash (Talk | contribs)
Jump to: navigation, search

OpenVPN is a full-featured SSL VPN solution which can accomodate a wide range of configurations, including road warrior access, home/office/campus telecommuting, WiFi security, secure branch office linking, and enterprise-scale remote access solutions with load balancing, failover, and fine-grained access-controls.


Contents

Support

There is a great vary of different support plattfoms out there which discuss all of the openvpn features in detail. so if u have questions you should first check:

FAQ
Open VPN Support possibilities

Getting OpenVPN

Before you begin, you'll need to obtain and install the OpenVPN client (with the GUI (for e.g. Windows)), Mac) for your client computer.

Please note that it consists of one binary for both client and server connections, so don't look for individually labeled client or server packages.

OpenVPN in DD-WRT

In this section, it is assumed that you already have the DD-WRT installed in your router and that its a current build (newer than 01/2011). OpenVPN is only available on units with at least 8mb flash (except the Broadcom VPN build.)

  1. Using the Web Interface, go to the "Services" tab and then the "VPN" tab (for older versions of dd-wrt go to the "Administration" tab and then the "Services" sub-tab).
  2. Enable the "Open VPN Client and/or Server" If new options do not appear, Apply Settings.
  3. Fill in needed parameters (see below). Everything else not mentioned here is taken care of automaticly (e.g. firewall)
  4. Apply Settings

Public Key Infrastructure (PKI)

Follow these instructions to create the required certificates and keys. But there is also a Webmin module for linux servers to create your PKI infrastructure (OpenVPN CA). You begin by creating a key and certificate pair for the certificate authority (CA) you are establishing. Then for the server and each client, you create a private key and certificate pair and sign the certificates using the CA's key. Afterwards, you should have the following files:

ca.crt
ca.key
dh{n}.pem
server.crt
server.key

and a private key and certificate pair for each client. For example, if you have two clients, you should have:

client1.crt
client1.key
client2.crt
client2.key

Note: The CA private key (ca.key) is used only to sign the certificates. It should be kept securely and not be copied to the server or clients.


GUI: Client Mode

Fixed Parameters

There are default parameters that DD-WRT will always wite to the config file and which you cant change if you use GUI client mode:

ca /tmp/openvpncl/ca.crt
cert /tmp/openvpncl/client.crt
key /tmp/openvpncl/client.key
management 127.0.0.1 5001
management-log-cache 50
verb 4
mute 5
log-append /var/log/openvpncl
writepid /var/run/openvpncl.pid
client
resolv-retry infinite
nobind
persist-key
persist-tun
script-security 2
mtu-disc yes
tls-client
mssfix (only when fragment is set)
fast-io

Changeable Parameters

DD-WRT default settings in {}
OpenVPN config language in []

Server IP/Name (e.g. 192.168.1.1)
IP address/hostname of the OpenVPN server you want to connect to. [remote xxx]
Port
port which OpenVPN server is listening on. {1194} [port xxx]
Tunnel Device (TUN/TAP)
The mode of tunneling. TUN: routing (layer 3), TAP: bridgeing (layer 2. can be used for routing, too, but its not very common). [dev-type tun/tap]
Tunnel Protocoll (UDP/TCP)
The subprotocol the connection will use on the real used tcp connection. {udp} [proto udp/tcp]
Encryption Cipher (None and Blowfish to AES512)
The encryption algorithm that will be used for the tunnel. Blowfish: fastest to AES512 safest. {AES128} [cipher xxx]
Hash Algorithm (None and MD4 to SHA512)
The hash algorithm that will be used. MD4: fastest (maybe unsafe) to SHA512. {SHA256} [auth xxx]
nsCertType verification
Checks to see if the remote server is using a valid type of certificate meant for OpenVPN connections. As this is a security feature of OpenVPN, it should be left enabled. {checked} []
Advanced options
Leave defaults as is if you dont know what you are doing. {disabled} []
LZO Compression
Enables compression over VPN. This might speedup the connection. Must be the same value as on server. {yes} [comp-lzo yes/no/adaptive/disabled]
NAT
Enable network address translation on the client side of the connection. Enables tne NAT-firewall to protect clients. {disabled}
Bridge TAP to br0
Enable a transparent bridge across the tunnel to the local LAN. Works only in TAP mode with NAT disabled. {disabled}
Local IP Address
In cases you will not get an ip from the server. Not very common. {empty)
Subnet Mask
Subnet Mask for the IP Address.
TUN MTU Setting
set the mtu of the tunnel {1500} [tun-mtu xxx]
MSS-Fix/Fragment across the tunnel
set mss-fix and fragmentaion accross the tunnel. {empty} [fragment xxx] [mssfix]
TLS Cipher
What encryption algorithm OpenVPN should use for encrypting its control channel. {disabled} []
TLS Auth Key
The static key OpenVPN should use for generating HMAC send/receive keys.
Additional Config
Any additional configurations you want to define for the VPN connection. {empty}
Policy based Routing
allow only special clients to use the tunnel. Add IPs in the form 0.0.0.0/0 to force clients to use the tunnel as default gateway. One line per IP. On the server Redirect Gateway MUST be off. {} []
Public Server Cert
Certificate of OpenVPN CA (not the server's public cert) in pem form; only part between (and including) -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- is necessary; as it is stored in nvram, everything else from that file should be removed to conserve space.
CA Cert
CA certificate; also only part between 'BEGIN' and 'END' is required.
Private Client Key
Key associated with certificate above; should be kept secret because anybody who knows this key can successfully authenticate as this client.
DH PEM
Diffie Hellmann parameter.

GUI: Server Configuration

This section describes how to configure an OpenVPN server that uses SSL certificates for client authentication, which is recommended. The method offers better security than using a static key and allows multiple clients to connect at the same time.



Fixed Parameters

There are default parameters that DD-WRT will always wite to the config file and which you cant change if you use the GUI server mode:

dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
keepalive 10 120
verb 4
mute 5
log-append /var/log/openvpn
writepid /var/run/openvpnd.pid
management 127.0.0.1 5002
management-log-cache 50
mtu-disc yes
topology subnet
client-config-dir /tmp/openvpn/ccd
script-security 2
ifconfig-pool-persist /tmp/openvpn/ip-pool 86400
fast-io
passtos

Customizable Parameters

DD-WRT default settings in {}
OpenVPN config language in []

Start Type
use "System". "WAN Up" doesnt work. {}
Config via (GUI/config file)
GUI {}
Server Mode (TUN/TAP)
The mode of tunneling. TUN: routing (layer 3), TAP: bridging networks (layer 2). {} [dev-type tun/tap]
DHCP-Proxy mode
Only in bridge mode. Let the clients use the network dhcp server not the openvpn dhcp. {} []
Pool start Ip
1st ip of the ip pool used (Only in bridge mode). []
Pool end IP
Last ip of the ip pool used (Only in bridge mode). []
Gateway
Default gateway to use (Only in bridge mode). []
Network (e.g. 10.10.10.0)
Network to use for the tunnel (Only in routing mode). []
Netmask (e.g. 255.255.255.0)
Netmask of the used network. []
Block DHCP accross the tunnel
Dont allow DHCP requests across tunnel (Only in bridge mode).
Port
port which OpenVPN server listens on. {1194} [port xxx]
Tunnel Protocoll (UDP/TCP)
The subprotocol the connection will use on the real used tcp connection. {udp} [proto udp/tcp]
Encryption Cipher (None and Blowfish to AES512)
The encryption algorithm that will be used for the tunnel. Blowfish: fastest to AES512 safest. {AES128} [cipher xxx]
Hash Algorithm (None and MD4 to SHA512)
The hash algorithm that will be used. MD4: fastest (maybe unsafe) to SHA512. {SHA256} [auth xxx]
Advanced options
Leave defaults as is if you dont know what you are doing. {disabled}
LZO Compression
Enables compression over VPN. This might speedup the connection. Must be the same value as on server. {yes} [comp-lzo yes/no/adaptive/disabled]
Redirect default Gateway
Force the clients to use the tunnel as default gateway. {disabled} []
Allow Client to Client
Allow clients to see each other. {disabled} [client-to-client]
Allow duplicate cn
allow to use 1 client cert to use on multiple clients (security risc)
TUN MTU Setting
set the mtu of the tunnel {1500} [tun-mtu xxx]
MSS-Fix/Fragment across the tunnel
set mss-fix and fragmentaion accross the tunnel. {empty} [fragment xxx] [mssfix]
TLS Cipher
What encryption algorithm OpenVPN should use for encrypting its control channel. {disabled} []
TLS Auth Key
The static key OpenVPN should use for generating HMAC send/receive keys.
Client connect script
. {empty} []
Additional Config
Any additional configurations you want to define for the VPN connection. {empty}
Public Server Cert
Certificate of OpenVPN CA (not the server's public cert) in pem form; only part between (and including) -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- is necessary; as it is stored in nvram, everything else from that file should be removed to conserve space.
Public Client Cert
Client certificate issued by CA for this particular router; also only part between 'BEGIN' and 'END' is required
Private Client Key
Key associated with certificate above; should be kept secret because anybody who knows this key can successfully authenticate as this client

Additional Server Protection with usernames and passwords

I wanted to make the access to my network easy but secure. Certificates are nice, but I still like username and password even more. You can use the following simple script to check for usernames/passwords.

Add this to the config on the server and set the right path for the script:

auth-user-pass-verify /path/to/your/script/verify.sh via-file

This line tells openvpn server to check for passed username and password by calling the script verify.sh and passing the username and password in a tmp file


Every client have to have this in its config file:

auth-user-pass

This just tells openvpn client to ask the user for username and password or s/he will not be able to log in. You can also use "--auth-user-pass" (instead of the line in the config file) on the command line.


This is a simple shell script called "verify.sh" which contains usernames and passwords in clear text. I wanted to encrypt passwords with "passwd", but command "passwd" is not available in dd-wrt (and I have no idea how dd-wrt encrypts root password for /etc/passwd). If someone knows how to encrypt passwords in dd-wrt, plese add it here.

[Edit by mrwizeman Dec 18 2011] Hmm ok, I pasted a script here like 2 years ago which grtz was kind enough to modify to support multiple users but after trying it, I couldnt get it to work and I couldnt really understand all of the bracketbracket if statements either so here is a modified version from me as well, which now has multiple users support as well as hash capabillity and it lowercases the username properly as well: users file should contain colon separated entries like this: <username>:<hash>

#!/bin/sh
USERS=`cat ./users`
genhash() {

        HASHPASS=`echo -n "$1$2" | md5sum | sed s'/\  -//'`
        i=0
        while [ $i -lt 10 ]; do
                HASHPASS=`echo -n $HASHPASS$HASHPASS | md5sum | sed s'/\  -//'`
                i=`expr $i + 1`
        done
        echo -n $HASHPASS
}
verify() {
        Login=`echo $1 | awk '{print tolower($0)}'`
        echo Logging in as: $Login
        #echo Password is: $2
        [[ $# -eq 2 ]] || exit 1
        for i in $USERS; do
                Name=${i%:*}
                PassHash=${i#*:}
                Logincmp=`echo $Name | awk '{print tolower($0)}'`
                #echo Logincmp is: $Logincmp
                if [ "$Logincmp" == "$Login" ]
                then
                        #echo "Login('$Login') is equal to Logincmp('$Logincmp')"
                        GENHASH=`genhash "$Login" "$2"`
                        #echo genhash returned $GENHASH
                        #echo and PassHash is: $PassHash
                        if [ "$GENHASH" == "$PassHash" ]
                        then
                                echo Password hashes match
                                exit 0
                        fi
                fi
        done
}
if [ "$1" == "--genhash" ]
then
        Login=`echo $2 | awk '{print tolower($0)}'`
        echo `genhash "$Login" "$3"`
        exit 1
fi
verify `cat $*`
exit 1
 

I had to wait for the time to update from 1970 until I create my users file so here is what my start script looks like in case someone wants to use it:

YEAR="`date +%Y`"
COUNT=0
while [ "$YEAR" = "1970" ] && [ $COUNT -lt 60 ]; do
  # System has not yet synchronized the date with ntp.
  sleep 1
  YEAR="`date +%Y`"
  COUNT=$(($COUNT + 1))
done
# A 60 second wait is long enough. If there is a problem still then
# likely the router booted faster than the ISP CPE. Force a time sync.
if [ "$YEAR" = "1970" ] && [ $COUNT -ge 60 ]; then
  # Initialize the date/time.
  NTP_POOL_SERVER="`nvram get ntp_server`"
  /usr/bin/killall ntpclient
  ntpclient -l -h $NTP_POOL_SERVER
#   stopservice process_monitor
#   startservice process_monitor
fi


openvpn --mktun --dev tap0
brctl addif br0 tap0
ifconfig tap0 0.0.0.0 promisc up
echo "user1:ababababababababababababababababa
user2:ababababababababababababababababa" > /tmp/users
 

You may disregard whatever is written below this point , but im going to leave it here for history's sake...

[Edit by mrwizeman Aug 31 2009] Ok so I put it here... here is a way I came up with that make this work with an encrypted password, now, let me explain how it works, I hash the username and password and then add the hash to itself, and hash that 10 times everytime I add the hashes together, I got that idea from the author of the passwd we use Poul-Henning Kamp but he does it 1000 times...

You can easily change this script to hash it 1000 times, but I think 10 is enough it will take a bruteforce program forever to first hash the user and pass and then hash the hashes 10 times, just to find out if it matches, and besides the weak ass processor of the routers we use will take forever to check our credentials if we do it that way... so anyway here it is: you have to run it in telnet the first time to figure out what your hash is, then change that in your script, the hash in the script I paste here is user: test and pass: test

First the script to generate a hash for you:

#!/bin/sh

genhash() {
        echo You are generating a HASH for user: $1
        echo with the password                         : $2
        HASHPASS=`echo -n $1$2 | md5sum | sed s'/\  -//'`
        i=0
        while [ $i != 10 ]; do
            HASHPASS=`echo -n $HASHPASS$HASHPASS | md5sum | sed s'/\  -//'`
            #echo [$i] HASHPASS=$HASHPASS
            i=`expr $i + 1`
        done
        echo HASHPASS=$HASHPASS
}
genhash $1 $2
 

Then the actual script for your check:

#!/bin/sh

HASH='1bbd7254581aaab10868ccfdc0860d68'
#echo HASH = $HASH
#echo param 1 = $1
#echo param 2 = $2

vpn_verify() {
        if [[ ! $1 ]] || [[ ! $2 ]]; then
            #echo "No username or password: $*"
            exit 1
        fi
        HASHPASS=`echo -n $1$2 | md5sum | sed s'/\  -//'`
        #echo HASHPASS = $HASHPASS
        #if [ $HASH == $HASHPASS ]; then
        #    echo MATCH!!
        #else
        #    echo NO MATCH!!!
        #fi
        i=0
        while [ $i != 10 ]; do
            HASHPASS=`echo -n $HASHPASS$HASHPASS | md5sum | sed s'/\  -//'`
            #echo [$i] HASHPASS=$HASHPASS
            i=`expr $i + 1`
        done
        #echo HASHPASS=$HASHPASS
        if [ $HASH == $HASHPASS ]; then
            #echo MATCH!!
            exit 0
        else
            #echo NO MATCH!!!
            exit 1
        fi
}
if [[ ! $1 ]] || [[ ! -e $1 ]]; then
     #echo "No file"
     exit 1
fi
vpn_verify `cat $1`
#echo "No user with this password found"
exit 1

I suck at shellscripting, so if somone spots any errors or want to add support for multiple users that would be cool...


[Edit by grtz Sep 28 2010 ] Here is the optimized version with support for multiple users. Everything is in one file and smaller, little bit faster and more secure:

#!/bin/sh
 
USERS="test:556a2224e307429d714ed8a8134e68e0"
#USERS=`cat ./users`

genhash() {
	HASHPASS=`echo -n "$1$2" | md5sum | sed s'/\  -//'`
        i=0
        while [ $i -lt 10 ]; do
                HASHPASS=`echo -n $HASHPASS$HASHPASS | md5sum | sed s'/\  -//'`
                i=`expr $i + 1`
        done
        echo -n $1:$HASHPASS
}

verify() {
        [[ $# -eq 2 ]] || exit 1
        for i in $USERS; do
                [[ "$i" == `genhash "$1" "$2"` ]] && exit 0
        done
}

[[ $1 == "--genhash" ]] && echo `genhash "$2" "$3"`
[[ -e "$*" ]] || exit 1
verify `cat "$*"`
exit 1


You can as before put users in an external file in format "username1:encrypted_password1" (one per line):

username1:encrypted_password1
username2:encrypted_password2


or put everything in USERS directly in verify.sh and split entries with space (like in the original script below):

USERS="username1:encrypted_password1 username2:encrypted_password2"

Run "verify.sh --genhash username password" to create encrypted string. Copy the result in your file with users or directly in the script as shown above:

root@router:$ ./verify.sh --genhash test 12345
test:556a2224e307429d714ed8a8134e68e0

or even easier if you use external file for users/password:

root@router:$ ./verify.sh --genhash test 12345 >> ./users

--Grtz 22:42, 28 September 2010 (CEST)


Original authors script below, the one without encrypted pass:

#!/bin/sh
 
 ## format: username:password username:password ...
 ## you can even have same usernames with different passwords
 USERS='user1:pass1 user2:pass2 user3:pass3'
 
 ## you could put username:password in
 ## a separate file and read it like this
 #USERS=`cat file_with_users`
 
 vpn_verify() {
     if [[ ! $1 ]] || [[ ! $2 ]]; then
         #echo "No username or password: $*"
         exit 1
     fi
  
     ## it can also be done with grep or sed
     for i in $USERS; do
         if [[ "$i" == "$1:$2" ]]; then

             ## you can add here logging of users
             ## if you have enough space for log file
             #echo `date` $1:$2 >> your_log_file

             exit 0
         fi
     done
 }
   
 if [[ ! $1 ]] || [[ ! -e $1 ]]; then
     #echo "No file"
     exit 1
 fi
   
 ## $1 is file name which contains
 ## passed username and password
 vpn_verify `cat $1`
  
 #echo "No user with this password found"
 exit 1

You can delete all lines which begin with #. "echo" commands are here just for you to know what happens at that and they can be used for debugging.

This verification with the script does not work if openvpn is running in "daemon" mode. I have no idea what is the reason for that, probably some wrong interpretation of the output ("exit 0" means user/pass OK, everything else means user/pass NOT OK). Thats why I am running openvpn server as a background process and all output is going to /dev/null:

 openvpn --config openvpn.conf >/dev/null 2>&1 &

--Comma 23:53, 11 August 2008 (CEST)

I was getting the error

  
   openvpn_execve: external program may not be called due to setting of --script-security level
   

I had to add the following lines to my config file work in v24-SP2

  
   tmp-dir /tmp/openvpn
   script-security 3
   

Additionally, the ">/dev/null 2>&1 &" hack wouldn't work but running from the command line did. I resorted to using the /tmp/myvpn symlink as well as --daemon in the command line. All works now with out an interactive shell. --JoeM 23:28, 22 October 2008 (CEST)

Client Configuration

1) Copy the CA certificate and a private key and certificate pair to the client.

2) Create an OpenVPN configuration file on your client computer:

client
dev tap
proto udp
remote router-address 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server
comp-lzo
verb 3

Replace router-address in the fourth line with your router's IP address or host name and, obviously, use the appropriate file names in the script for the client's certificate and key. On Windows, save this script using notepad as a file with extension .ovpn and copy it into \Program Files\OpenVPN\config (along with the files ca.crt, clientX.crt and clientX.key created earlier.)

Notes:

  • If you need to use TCP instead of UDP, set the protocol to tcp-client. Clients must use the same protocol that the server does.
  • Mac OS X users need to add the line
up "./vpn-up.sh"

to the configuration file and create a script file vpn-up.sh in the same directory as the configuration file with the following contents:

#!/bin/bash 
sleep 2
ipconfig set $1 DHCP

This script configures the TAP interface to request an IP address using DHCP. Make sure to make the script executable with 'chmod 755 vpn-up.sh'

3) Use the configuration file you just created with whatever OpenVPN client software you're using to establish a connection to your router.

If everything works, you will be connected to your internal LAN. If your router is running a DHCP server, the TAP interface will be assigned an IP address on your internal LAN. At this point, you just connect to your home PC the same way you would do it from inside your LAN.

Daemon Mode/Config File

Bridge 2 Networks Route 2 Networks Link-Text

Server mode with Static Key

Note: with DD-WRT v23 SP1 Final (05/16/06) vpn this allows only 1 client connection!! [1]. See below for multiple connections.

Server Configuration

1. Create a static.key file on your computer

Unix:

   openvpn --genkey --secret static.key

Windows: (downloaded at http://www.openvpn.se)

   Click on "Start > Programs ->OpenVPN -> Generate a static OpenVPN key"
  • Note: this will create a c:\Program Files\OpenVPN\config\key.txt file, you will want to rename it to static.key


2. Paste the command below into your router at "Administration > Commands > Commands text box" and replace the text "...INSERT YOUR STATIC KEY HERE..." with the static.key you just made. Click "Save Startup":

   openvpn --mktun --dev tap0
   brctl addif br0 tap0
   ifconfig tap0 0.0.0.0 promisc up
   echo "
   -----BEGIN OpenVPN Static key V1-----
   ...INSERT YOUR STATIC KEY HERE...
   -----END OpenVPN Static key V1-----
   " > /tmp/static.key
   ln -s /usr/sbin/openvpn /tmp/myvpn
   /tmp/myvpn --dev tap0 --secret /tmp/static.key --comp-lzo --port 1194 --proto udp --verb 3 --daemon


3. Paste the command below into your router at "Administration > Commands > Commands text box" and click "Save firewall":

   iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT


4. Reboot your router. Login with ssh and check that "myvpn" is running (ps | grep vpn)


You can also paste the "ps | grep vpn" command into the Administration > Commands box to see if it is running.

Client Configuration

1. Create an openvpn config file on your client computer using one of the following templates. For Windows clients, save it as a .ovpn file in the C:\Program Files\OpenVPN\config folder.

   # Use the following for simple connections:
   remote XXXX.dyndns.org
   port 1194
   dev tap
   secret static.key
   proto udp
   comp-lzo
   # Use the following to have your client computer send all traffic through your router
   # (remote gateway)
   remote XXXX.dyndns.org
   port 1194
   dev tap
   secret static.key
   proto udp
   comp-lzo
   route-gateway 192.168.1.1
   redirect-gateway
   # Use the following if you have an office proxy:
   remote XXXX.dyndns.org
   http-proxy-retry
   http-proxy my.office.proxy.server 8080
   port 1194
   dev tap
   secret static.key
   proto udp
   comp-lzo
   route-gateway 192.168.1.1
   redirect-gateway
  • Reference: fgimenez's post


2. Try to connect

Windows: right click the open vpn icon in your system tray and click connect.


That should do it. This has been tested on DD-WRT v23 SP1 Final vpn.

If everything is working correctly you should receive an IP address from your router (if you have a running dhcp server) when you connect and that IP address will be in your internal LAN so now you just connect to your home PC the same way you would do it from inside your LAN.

Troubleshooting

Correct time

OpenVPN requires client and server to have more or less synchronized time. Therefore make sure that router has correct time. To check it use command date and if you get info about year 1970, you should enable NTP client. Also, ntp server has to be outside of your VPN as time should be corrected before VPN is established. If you have syslog enabled (to local server, or the server outside your VPN), errors like TLS Error: Unroutable control packet received from server_ip:1194 may indicate this problem. (This error message may appear if your certificates are not valid or have expired, too.) If you get an error message saying that your certificate is not yet valid, set the dd-wrt clock to UTC time (in the first configuration page).

To set the time manually connect via telnet or ssh and issue the following command at the prompt:
date MMDDHHMMYYYY


Connecting to DD-WRT OpenVPN Server via Mac Client

Currently, there are two OpenVPN clients for OS X

Viscosity has a more user friendly gui but is a commercial product. It can also import settings created for the Tunnelblick application.

PROBLEM: When I used the sample client.conf file above, nothing happened when I clicked connect on Tunnelblick.

Tunnelblick is a GUI OpenVPN application for the Mac. The last official release is 2.0.1, but I am going to explain how to connect using version 3.0rc3. This version has everything in one app and requires no extra components to be installed.

NOTE: I used certificates to connect my MacBook Pro to the OpenVPN server. You can find documentation on how to do this further up in this page. Remember to place your certificate files in the same directory as the client.conf file. Tunnelblick looks for the files in ~/Library/openvpn.

Download Tunnelblick and drag it to the Applications folder. It will say that you don't have a client.conf file and will make one for you. You can examine the sample client.conf file that Tunnelblick makes and find that it does a few things differently than the example provided above. Set up your client.conf file using the sample I have provided below, and Tunnelblick should connect properly now.

The file I have provided is the same as the sample, except with a few things disabled and a few things added to make it do what we want. The reason I disabled a few things using the # line is that I didn't want to delete anything, so I just disabled them.

You might notice that the command

up "./vpn-up.sh"

This is a fix that I found here.

You will need to make a script called vpn-up.sh and place it in the same directory as the client.conf file. Make the files contents:

#!/bin/bash
sleep 2
ipconfig set tap0 DHCP

client.conf:

##############################################
# Sample client-side OpenVPN 2.0 config file #
# for connecting to multi-client server.     #
#                                            #
# This configuration can be used by multiple #
# clients, however each client should have   #
# its own cert and key files.                #
#                                            #
# On Windows, you might want to rename this  #
# file so it has a .ovpn extension           #
##############################################

# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client

# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
dev tap 

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one.  On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
#dev-node MyTap
 
# Are we connecting to a TCP or
# UDP server?  Use the same setting as
# on the server.
proto tcp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote xxxxxxxxx.dyndns.org 1194 

# Choose a random host from the remote
# list for load-balancing.  Otherwise
# try hosts in the order specified.
#remote-random 

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server.  Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Downgrade privileges after initialization (non-Windows only)
user nobody
group nobody

# Try to preserve some state across restarts.
persist-key
persist-tun

# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here.  See the man page
# if your proxy server requires
# authentication.
#http-proxy-retry # retry on connection failures
#http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot
# of duplicate packets.  Set this flag
# to silence duplicate packet warnings.
mute-replay-warnings

# SSL/TLS parms.
# See the server config file for more
# description.  It's best to use
# a separate .crt/.key file pair
# for each client.  A single ca
# file can be used for all clients.
ca ca.crt
cert client1.crt
key client1.key

up "./vpn-up.sh"

# Verify server certificate by checking
# that the certicate has the nsCertType
# field set to "server".  This is an
# important precaution to protect against
# a potential attack discussed here:
# http://openvpn.net/howto.html#mitm

# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server".  The build-key-server
# script in the easy-rsa folder will do this.
ns-cert-type server

# If a tls-auth key is used on the server
# then every client must also have the key.
#tls-auth ta.key 1

# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
#cipher x

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo

# Set log file verbosity.
verb 3

# Silence repeating messages
;mute 20


UPDATE Sept 1, 2009
The most recent release of Tunnelblick is 3.0rc14. It seems as though the previously mention bash script does not work anymore. The following python script does work, however:

#!/usr/bin/python
import os, sys
try:
    tun_dev, tun_mtu, link_mtu = sys.argv[1:4]
except:
    sys.exit(0)
if tun_dev[0:3] == 'tap'
    os.system('/usr/sbin/ipconfig set "%s" DHCP' % os.environ['dev'])

Can't Load DH Parameters

If you get the following:

Tue Jan 23 03:03:05 2007 OpenVPN 2.0.7 mipsel-unknown-linux [SSL] [LZO] [EPOLL] built on Jan 15 2007
Tue Jan 23 03:03:05 2007 Cannot load DH parameters from dh1024.pem: error:0906D064:lib(9):func(109):reason(100)
Tue Jan 23 03:03:05 2007 Exiting

you should check your certificates. Did you paste them correctly?

Note: you must include new lines.

Connection reset by peer (WSAECONNRESET) (code=10054)

If you received error when trying to connect to your VPN server verify the following:

  • Make sure the tap-device was successfully "up'ed". It is, if you find it in the list when running "ifconfig" without further arguments. If it is not displayed in the list of available interfaces have a look at "Yet another evolution" above.
  • Make sure the protocol is the same on the server and client, ie UDP/TCP
  • Verify the port number is the same on the client and server; Default port is UDP 1194
  • Check to see if the port is open on the server by using nMap or another utility

Incoming Packet Rejected

If you get incoming packets being rejected when trying to connect with the VPN client (OpenVPN) make sure that you are forwarding the 1194 port (if configured to use that port) to the proper server/router (usually 192.168.1.1).

Example TCP/UDP Rejection:

  • [Date] TCP/UDP: Incoming packet rejected from 192.168.1.1:1194[2], expected peer address: w.x.y.z:1194 (allow this incoming source address/port by removing --remote or adding --float)

Port Forwarding is configured on v24 SP 2 under 'NAT / Qos'.

Authenticate/Decrypt failure

Error: Authenticate/Decrypt packet error: cipher final failed

If this happens to you, you probably have a mismatch in the configuration between server and client on the "cipher"-option. (E.g.: cipher AES-128-CB / cipher AES-256-CB) This is not a problem of DD-WRT or OpenVPN but just a config issue which can happen if you follow some of those guidelines strictly without knowing what the config options mean. In doubt refer to the OpenVPN documentation.


Old & unsupported instructions

Installing into jffs partition (Deprecated)

old method only recommended for non-vpn firmware

This no longer works with the latest firmware version, please download the new VPN inclusive version. !!However, with at least some new firmware versions (I'm using V23SP1 6/5/06 VOIP), the hurdle can be overcome with some extra effort ... details are provided below in the Troubleshooting section... 19:22, 30 Jun 2006 (CEST)!!

Prerequisites

You should already have:
-a Linksys WRT54G/GS product
-DD-WRT installed as the firmware
-SCP or some other way to copy files to and from your desktop setup
-some knowledge of using ipkg to install packages
-jffs already configured if you don't want to install to ram
If you are running Windows on your desktop: -TextPad or Win32Pad
(or other *nix friendly text editor. DO NOT USE NOTEPAD)
Install the OpenVPN ipkg package
-Find the openvpn package in the THIS LINK DOES NOT WORK ANY MORE OpenWRT Package Tracker.
You will need the URI of package to install it.
-telnet or ssh shell into the router -run the command ipkg -d <dest_name> install <URI of package>
<dest_name> should be root to install to /jffs <dest_name> should be ram to install to /tmp *Remember, /tmp is deleted on router reboot* Ex: ipkg -d root install http://nthill.free.fr/openwrt/ipkg/experimental/20050420/openvpn-static_2.0-1_mipsel.ipk

EDIT: Can't find the right package? Yeah, neither can anyone else. Don't bother. The best strategy is to download and flash the distro with the built-in VPN and copy the binary off of that then re-flash with another distro and copy the binary to the jffs partition. The packages on the openWRT tracker don't seem to work for v23 on WRT54Gv3 ("Bus Error"). The version originally linked above and the version in the VPN firmware are statically compiled. I had to do it this way because the nvram startup script only ran the first command in the variable and I needed the VPN to survive a WRT reboot. Not enough room for jffs on all but the mini distro... so no shell scripts for me! YMMV. Note to the powers that be: How about posting this stuff with the mini firmware so we don't have to do it this way?????

Create the openvpn config file
-Using your method of choice, copy the file /<dest_name>/etc/openvpn/office.conf
to your desktop machine -Using a *nix friendly text editor, edit office.conf (the config file in my setup).
See http://openvpn.net for more informations and examples.

19:16, 30 Jun 2006 (CEST) pagedude

- NOTE : openvpn is highly configurable. Distinct from the original writer of this portion of the wiki, I setup my configuration files much more along the lines of the earlier section in this Wiki on configuring the OpenVPN server with certificates in bridging mode. Certificates provide a more robust dynamic configuration scheme, but take a little bit more time up-front to generate (but the http://www.openvpn.net site has an excellent, easy-to-follow guide on how to generate them). Bridging mode is very convenient in that the remote VPN client effectively appears to be part of the remote(server) LAN, plus much less routing configuration (i.e. use of ifconfig, route etc.) is required on either the OpenVPN server or the OpenVPN client.

19:16, 30 Jun 2006 (CEST) pagedude

?? BUT HOW WOULD YOU SET THIS UP (with Certificates and Bridging) IF YOU HAVE MULTIPLE CLIENTS?

##############################################################################
# this is a sample configuration file for openvpn
# it should be changed to contain your values and
# placed in /jffs/etc/openvpn
#
remote servername.domain.com
rport 5000
dev tap
ifconfig 10.0.1.2 255.255.255.252
secret /jffs/etc/openvpn/key.txt
ping 10
ping-restart 60
ping-timer-rem
persist-tun
persist-key
resolv-retry 86400
verb 1
mute 10
route-up "route add -net 192.168.1.0 netmask 255.255.255.0 gw 10.0.1.1"
#
##############################################################################

This is the OpenVPN config file of the other side (a Linux server or another WRT54G/GS)

##############################################################################
#
dev tap
secret /etc/openvpn/key.txt
persist-key
persist-tun
ifconfig 10.0.1.1 255.255.255.252
ping-restart 60
ping 10
verb 5
mute 10
lport 5000
route-up "route add -net 192.168.2.0/24 gw 10.0.1.2"
#
###############################################################################

Usage & Troubleshooting

Launching the Client

-cd to the install folder (/<dest_name>/usr/sbin)
-run ./openvpn --config ./../../etc/openvpn/office.conf --log openvpn.log

See openvpn.log for debugging

Load on Router Startup

-Using a *nix friendly text editor, create openvpn.startup as:

#!/bin/sh
killall -q openvpn
/jffs/usr/sbin/openvpn --config /jffs/etc/openvpn/office.conf

-Follow the instructions in Startup Scripts#Shell Script Method to make your script load on startup.

Additional notes for improved JFFS installation and security with public hotspots

19:10, 30 Jun 2006 (CEST) pagedude

i) The instructions above confine the OpenVPN server configuration entirely into a rc_startup script. This is elegant when OpenVPN is installed in RAM, since there's no convenient place to put a configuration file for OpenVPN (RAM contents are not persistent). However, if the user instead installs OpenVPN into persistent storage, i.e. the jffs partition, then instead of configuring OpenVPN on the command line, a config file can be used. There are several advantages to doing this; not only is RAM usage minimized (key files don't need to be copied to rc_startup, command line options get transferred to the config file, etc.), but the config file allows the description of more complicated openvpn server configurations.

ii) One interesting capability of the OpenVPN tunnel is to optionally allow the client to pass all traffic through the VPN tunnel when connected. For example, when you are using an unsecure WiFi hotspot, you might want to ensure that eavesdroppers are not able to monitor your WiFi traffic. One way to do this is to route all your WiFi traffic through the encrypted VPN tunnel, using the "redirect-gateway" option on the server or the client. When configured on the server, all clients will reroute all their traffic through the VPN. The "redirect-gateway" option requires pushing two pieces of information from the server to the client, the remote gateway and DNS IP addresses.

Here are my example rc_startup, server, and client config files. Note that I installed OpenVPN in /jffs/tmp and copied the PKI files, ca.crt, server.crt, server.key, dh1024.pem, and the server config file, server.conf, there.

rc_startup: cd /jffs/tmp ./openvpn --mktun --dev tap0 brctl addif br0 tap0 ifconfig tap0 0.0.0.0 promisc up sleep 5

I had to install this library, since my ddwrt distro didnt have it
See Troubleshooting section at the bottom of this wiki for JFFS installations

export LD_PRELOAD=/jffs/sbin/libuClibc-0.9.28.so

./openvpn --config server.conf --daemon </pre>

Note: With V23 SP2, I did not need the LD_PRELOAD statement. I did have to create a link:

ln -s /usr/sbin/openvpn /jffs/tmp/myvpn

and change the last part of the code above to:

sleep 5
./myvpn --config server.conf --daemon

server.conf:

mode server
tls-server
port 1194
proto tcp-server
dev tap0

ca ca.crt
cert server.crt
key server.key
dh dh1024.pem

#These IP addresses need to be changed to be *your* ddwrt LAN addresses ...
push "route-gateway 192.168.3.1"
push "dhcp-option DNS 192.168.3.1"

client-to-client

keepalive 15 60

comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3

client.conf:

tls-client
dev tap
proto tcp-client
port 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote XXXX.dyndns.org 1194

ca ca.crt
cert client.crt
key client.key
ns-cert-type server

comp-lzo
verb 3

#Pull info from server, viz. server-side LAN IP's for gateway and DNS
pull
# Uncomment the following to send all traffic through VPN
redirect-gateway

19:10, 30 Jun 2006 (CEST)

GUI Client Mode Custom Parameters

If you want to set custom parameters (e.g. encryption settings, verbosity, ...) for OpenVPN, you'll have to re-create the /tmp/openvpn/openvpn.conf file and restart OpenVPN.

For more detailed information on Startup Commands, please read the Startup Scripts wiki entry.

To do this, use the Web Interface, go to the "Administration" tab and the "Commands" sub-tab.

In the box, enter the configuration how you'd want it, and echo it into /tmp/openvpn/openvpn.conf.

Example (add this in the edit box at the top):

echo "dev tap
link-mtu 1492
remote <remote-ip>
resolv-retry infinite

ifconfig <local ip> <local netmask>
client
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/client.crt
key /tmp/openvpn/client.key
comp-lzo
persist-tun
persist-key
verb 3
cipher AES-256-CBC" > /tmp/openvpn/openvpn.conf

killall openvpn
openvpn --config /tmp/openvpn/openvpn.conf

Next, click the Save Startup, et voila, it should now start openvpn using your custom configuration.

Note: In "v23 SP2 (09/13/06) vpn" I've found that the openvpn startup script can run after the above during startup, so I work around that by doing the echo to "/tmp/openvpn/myopenvpn.conf" and replacing the killall/openvpn commands with:

( sleep 20 ; killall openvpn ; openvpn --config /tmp/openvpn/myopenvpn.conf --route-up /tmp/openvpn/route-up.sh --down /tmp/openvpn/route-down.sh --daemon ) &

You may need to tune the amount of sleep time. Use "ps" to verify that the "openvpn" process you want to be running is running.

--Ripper42 19:42, 30 Sep 2006 (CEST)


Note: In "v23 SP2" the /tmp/ directory exist a few seconds after booting. So the script cannot run immediately during bootup. Also I added a cronjob to check the openvpn connection every 5 minutes. Here is my startup Script thats work for me:

#!/bin/sh
sleep 20
echo "tls-client
dev tun
...
cert /tmp/openvpn/client.crt
key /tmp/openvpn/client.key" > /tmp/openvpn/myopenvpn.conf 
sleep 20
killall openvpn
/usr/sbin/openvpn --config /tmp/openvpn/myopenvpn.conf --route-up /tmp/openvpn/route-up.sh --down /tmp/openvpn/route-down.sh --daemon

# install cronjob, which restart tunnel if not running, but dont install cronjob, if it is already active
if test -s /tmp/cron.d/openvpn_check_status; then echo "" ;else echo '*/5 * * * * root if [ `ps | grep -c "openvp[n]"openvp[n].*myopen"` -ne 1 ] ; then logger OpenVpn restart;. /tmp/.rc_startup  ; fi' >> /tmp/cron.d/openvpn_check_status
# restart cron daemon
stopservice cron && startservice cron
fi                     

--notdefine 16:52, 26.02.2006 after 100 edits

After looking at some posts and WiKi, I have simplified the process of using openVPN as a client.

First, I enabled the openVPN client via the web interface and entered the 3 certificates/keys that are requested. Once I saved that, I disabled openVPN. This got the 3 certs/keys into nvram. I then ran the following 3 nvram commands in the command window at the same time:

nvram set openvpn_tls='
-----BEGIN OpenVPN Static key V1-----
...
-----END OpenVPN Static key V1-----
'
nvram set openvpn_cfg='
remote remote_server_ip_address
dev tun0
tun-mtu 1500
fragment 1300
mssfix
tls-client
ca /tmp/myvpn/ca.crt
cert /tmp/myvpn/client.crt
key /tmp/myvpn/client.key
ns-cert-type server
tls-auth /tmp/myvpn/tls.key
ping-restart 60
ping-timer-rem
persist-tun
persist-key
resolv-retry 86400
ping 10
comp-lzo
'
nvram commit

I then set the startup script to:

/usr/sbin/openvpn --mktun --dev tun0
ifconfig tun0 192.168.tunnel.2 netmask 255.255.255.252 promisc up
route add -net 192.168.rlan.0 netmask 255.255.255.0 gw 192.168.tunnel.1
sleep 20
mkdir /tmp/myvpn
nvram get openvpn_ca >/tmp/myvpn/ca.crt
nvram get openvpn_client >/tmp/myvpn/client.crt
nvram get openvpn_key >/tmp/myvpn/client.key
nvram get openvpn_tls >/tmp/myvpn/tls.key
nvram get openvpn_cfg >/tmp/myvpn/remote.ovpn
/usr/sbin/openvpn --daemon --config /tmp/myvpn/remote.ovpn

and firewall to:

iptables -I INPUT 2 -p udp --dport 1194 -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT

Explanations:
openvpn_tls is set to your TLS key.
remote_server_ip_address = IP address of remote openVPN running in server mode.
192.168.tunnel.2 = 192.168.x.x address of the local openVPN tunnel. Must be different subnet from remote and local LANs.
192.168.tunnel.1 = 192.168.x.x address of the remote end ofl openVPN tunnel. Must be different subnet from remote and local LANs.
192.168.rlan.0 = IP address range of remote LAN
sleep 20 = wait period to ensure /tmp has been created.

This disables the firewall and NAT on the VPN, uses TLS authentication, etc. Hope this helps some. It is easy to change nvram and was much easier for me to review than trying to put it all in startup scripts.

This is working on a Buffalo WHR-G54S running 2.3 SP2.

--Pete 14:29, 5 May 2007 (CEST)

GUI Client Mode Disabling NAT

To have OpenVPN pass traffic normally without address translation, you'll want to turn off masquerading on the tunnel interface as well as set a more permissive default for the firewall. Unfortunately, dd-wrt currently does not have an easy button to do this. Instead, use the startup script to replace the default route-up script with your own version.

To do this, use the Web Interface, go to the "Administration" tab and the "Commands" sub-tab, and add the following line to your Startup Script:

( while [ ! -f /tmp/openvpn/route-up.sh ]; do sleep 1; done; \
 echo "iptables -t filter -I INPUT -i tun0 -j ACCEPT; iptables -t filter -I FORWARD -i tun0 -j ACCEPT" > /tmp/openvpn/route-up.sh ) &


Alternatively you may specifiy the following in the Firewall Script what is much more efficient:

iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
iptables -I INPUT -i tun0 -j ACCEPT

--- IMPORTANT NOTE: I have tried the above workarounds to no avail. The first approach burns precious CPU cycles. The second one has no effect whatsoever. The reason being that in iptables, NAT table manipulations are applied after the routing chains are processed and there is no way of bypassing that with the above rules. The problem is that the openVPN daemon is passed with immutable route up & down scripts on startup. My solution is based on the custom parameters already discussed above. Simply copy and paste the following script into the Command window and save it as the startup script:

( sleep 20 ; killall openvpn ; iptables -t nat -F POSTROUTING ; openvpn --config /tmp/openvpn/openvpn.conf --daemon ) &

Then restart the box and voila! --Narseh 17:48, 16 December 2008 (CET) ---

Narseh is correct about the top two scripts not working.

I've examined the top-most script, and it would work if certain quote marks were preceded with a backslash. However if I fix this script, and users use it and fail to start up the openvpn client, the router will end up HUNG UP in the COMMAND, Startup script. So fixing the topmost script would not be of much benefit.

For my router, I wanted a startup script that has a bit of smarts to it in terms of knowing whether or not the vpnclient is configured or not. I also wanted to just fix the route-up and route-down scripts with the route commands.

Hint: It would be great if the next release of dd-wrt could have selector to allow people to select whether they want the NAT turned on or not. It kinda defeats the whole idea of VPN to have only a one way vpn tunnel being created with no other option.

Here is my routers ADMINISTRATION, COMMAND, Startup script. It looks rather complicated. I will explain the reasons why I did it this way are below.

echo "
while [ ! -f /tmp/openvpncl/route-up.sh ]; do sleep 1; done;
cd /tmp/openvpncl
sleep 5
killall openvpn
sleep 5

echo \"iptables -I FORWARD -i br0 -o tun0 -j ACCEPT; iptables -I FORWARD -i tun0 -o br0 -j ACCEPT; iptables -I INPUT -i tun0 -j ACCEPT\" >route-up.sh

echo \"iptables -D FORWARD -i br0 -o tun0 -j ACCEPT; iptables -D FORWARD -i tun0 -o br0 -j ACCEPT; iptables -D INPUT -i tun0 -j ACCEPT\" >route-down.sh
chmod a+x *.sh

/usr/sbin/openvpn --daemon --config /tmp/openvpncl/openvpn.conf --route-up /tmp/openvpncl/route-up.sh --down /tmp/openvpncl/route-down.sh
" >/tmp/vpnstartup.sh
chmod a+x /tmp/vpn*.sh

/tmp/vpnstartup.sh &

How the Command, Startup Script Works

The router Command Startup script does three things.

1. It writes /tmp/vpnstartup.sh

2. It runs the script in background

3. It then exits.

In this way, if for some reason the openvpn client fails to start, we do not hang the COMMAND-STARTUP SCRIPT. Having a script wait forever here to have something happen that never does can create other annoyances.

As such, if the openvpn client FAILS to start, we don't hangup. Rather we end up with the vpnstartup.sh running in background consuming a few cpu cycles. Better to do this then have a hung command startup script.

Lets look at vpnstartup.sh and how it works

The vpnstatup script then waits for signs that the router has configured and started openvpn. This is the part that consumes a few CPU cycles if the VPN client fails to start.

Once we see signs vpnclient client life...

We wait another 5 seconds just to be sure vpn has had time to start.

Next killall openvpn. This causes route-down to startup, if route-up was run. This takes a few seconds to run.

We wait another 5 seconds to allow route-down to run.

We then rewrite a new route-up.sh and route-down.sh files with routing that is a bit more 'useful'.

Next we startup openvpn.

Last but not least we exit from vpnstartup.sh so as to not waste memory and cpu.

Known Issues As I do not know what command exactly that DD-WRT uses to start the vpnclient, I had to guess on a few things. It would be better if we knew the original openvpn command. Hope this helps folks...

--Rnthomas 15:59, 18 March 2009 (CET)


Another simple workaround

While i consider it really, really silly that there is no way to customize and/or disable this route-up.sh thing, my "solution" was to use the following as a StartUp Command:

( while [ ! -f /tmp/openvpncl/route-up.sh ]; do sleep 1; done; \ echo "#nothing here!" > /tmp/openvpncl/route-up.sh ) &

( while [ ! -f /tmp/openvpncl/route-down.sh ]; do sleep 1; done; \ echo "#nothing here!" > /tmp/openvpncl/route-down.sh ) &

..... anybody know why the hell the route-down.sh ALSO enables NAT?


--Schweini 10:11, 3 February 2011 (CET)


Another even simpler and way cleaner workaround

Use this as firewall rules (webinterface -> administration -> commands):

 iptables -N VPN
 iptables -F VPN
 iptables -I INPUT -i tun0 -j VPN
 iptables -I FORWARD -i tun0 -j VPN
 iptables -A VPN -i tun0 -o br0 -j ACCEPT
 iptables -I POSTROUTING -t nat -o tun0 -j RETURN

First we create a new chain called VPN and flush it. Then we tell iptables to send all packages coming from tun0 through that chain. In the VPN chain itself we simply accept all traffic - adjust that as needed. Finally we insert a rule to the beginning POSTROUTING chain, simply telling iptables not to nat anything going out through the tunnel.

--Acurus 11:09, 5 March 2011 (CET)


Server Configuration

  • Warning: This Script EXCEEDS NVRAM - will semi-brick you router - JTAG required to recover. See first section.
  • NOTE: This is only true for some (few) routers. To my knowledge it's been reported only for WRT54Gv1 & v2. Better to ask first if you are in doubt.
  • UPDATE: Two people have bricked Buffalo WBR-G54 routers following this guide for OpenVPN with certificates (see http://www.dd-wrt.com/phpBB2/viewtopic.php?p=266750) so proceed with extreme caution if you are using this router. At a minimum I would use "nvram show | grep size" to check that your script is significantly smaller than the free NVRAM space. The "nvram show | grep size" output seemed to fall as expected when I was pasting my certs and keys in the client web config screen (following the wrong part of the guide by mistake :o). However, following a fresh firmware update just prior to bricking my WBR-G54, this command reported over 9.5KB free NVRAM and my router still bricked from a 4.38KB startup script. It might be best to stick to a static key, as the config file will be about 1.5KB smaller.


1. Install DD-WRT with VPN, v23 SP2 or later, on your router.

2. Create a rc_startup script (temporarily prepare in a simple text editor, e.g. notepad or PSPad)

cd /tmp
openvpn --mktun --dev tap0
brctl addif br0 tap0
ifconfig tap0 0.0.0.0 promisc up

echo '
# Tunnel options
mode server       # Set OpenVPN major mode
proto udp         # Setup the protocol (server)
port 1194         # TCP/UDP port number
dev tap0          # TUN/TAP virtual network device
keepalive 15 60   # Simplify the expression of --ping 
daemon            # Become a daemon after all initialization
verb 3            # Set output verbosity to n 
comp-lzo          # Use fast LZO compression 

# OpenVPN server mode options
client-to-client  # tells OpenVPN to internally route client-to-client traffic 
duplicate-cn      # Allow multiple clients with the same common name

# TLS Mode Options
tls-server        # Enable TLS and assume server role during TLS handshake 
ca ca.crt         # Certificate authority (CA) file
dh dh1024.pem     # File containing Diffie Hellman parameters 
cert server.crt   # Local peers signed certificate
key server.key    # Local peers private key 
' > openvpn.conf

echo '
-----BEGIN CERTIFICATE-----
...INSERT YOUR ca.crt HERE...
-----END CERTIFICATE-----
' > ca.crt
echo '
-----BEGIN RSA PRIVATE KEY-----
...INSERT YOUR server.key HERE...
-----END RSA PRIVATE KEY-----
' > server.key
chmod 600 server.key
echo '
-----BEGIN CERTIFICATE-----
...INSERT YOUR server.crt HERE...
-----END CERTIFICATE-----
' > server.crt
echo '
-----BEGIN DH PARAMETERS-----
...INSERT YOUR dh1024.pem HERE...
-----END DH PARAMETERS-----
' > dh1024.pem

sleep 5
openvpn --config openvpn.conf --daemon

Replace "...INSERT YOUR [FILE] HERE..." with the appropriate contents of the files you created earlier. Open these files in a simple text editor and paste contents between the BEGIN and END statements into this script.

Notes:

  • This script bridges the VPN with the LAN, so no routing is required so that clients can communicate with systems and devices on the LAN.
  • The server is configured to use UDP packets since TCP over TCP can lead to poor performance. If you need to use TCP instead of UDP, specify tcp-server as the protocol. TCP is also required if you want your clients to be able to connect through a HTTP Proxy.
  • Script was updated to change the " to '. The use of " in the script can break the rc_startup causing unpredictable behavior.
  • Removed 2 ' in the words peers as they were causing the script not to execute completely with echo using '.
  • You might need to change the last line of the script to (strongly recommended):
ln -s /usr/sbin/openvpn /tmp/myvpn
/tmp/myvpn --config openvpn.conf 

The reason is that with the original command, openvpn might start but mysteriously not stay open.

3. Add the following line to your rc_firewall script (create a new file in simple text editor that will temporarily hold your rc_firewall script):

/usr/sbin/iptables -I INPUT -p udp --dport 1194 -j ACCEPT

This command allows connections to the OpenVPN server.

4. Use the web interface method to store the rc_startup and rc_firewall scripts on the router.

5. Enable NTP and uncheck Use Local Time in the router setup. Then reboot your router.

Note: As of V24-RC4 Use Local Time does not exist. Instead set Time Zone to "UTC" and Summer Time(DST) to "none".

6. Login via ssh or telnet and execute the command

ps | grep openvpn

to verify that the OpenVPN process is running.

A little evolution of the so great rc_startup script

Tested with WRT54GL V1.1 under DD-WRT v24-sp1 (07/27/08) vpn

[ -d /tmp/openvpnsrv ] || mkdir /tmp/openvpnsrv
openvpn --mktun --dev tap0
brctl addif br0 tap0
ifconfig tap0 0.0.0.0 promisc up
echo "
dev tap0
port 54321
proto tcp-server
mode server
client-to-client
keepalive 15 60
comp-lzo
tls-server
tls-auth /tmp/openvpnsrv/ta.key 0
ca /tmp/openvpnsrv/ca.crt
cert /tmp/openvpnsrv/server.crt
key /tmp/openvpnsrv/server.key
dh /tmp/openvpnsrv/dh1024.pem
verb 3
" > /tmp/myvpnsrv.conf
echo "
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
" > /tmp/openvpnsrv/ca.crt
echo "
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
" > /tmp/openvpnsrv/server.key
echo "
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
" > /tmp/openvpnsrv/server.crt
echo "
-----BEGIN DH PARAMETERS-----
...
-----END DH PARAMETERS-----
" > /tmp/openvpnsrv/dh1024.pem
echo "
-----BEGIN OpenVPN Static key V1-----
...
-----END OpenVPN Static key V1-----
" > /tmp/openvpnsrv/ta.key
ln -s /usr/sbin/openvpn /tmp/myvpn
sleep 5
chmod 400 /tmp/openvpnsrv/*
/tmp/myvpn --config /tmp/myvpnsrv.conf --daemon

Do not forget the rc_firewall

iptables -I INPUT 1 -p tcp --dport 54321 -j logaccept

Yet another evolution

Tested with ASUS WL500gp v2 and DD-WRT v24-sp2 (07/21/09) mega (rev. 12533)

Since support of OpenVPN seems to be slowly progressing in the webinterface and by help of NVRAM-variables I thought of a hybrid solution to make use of what is there while combining it with the special features of the bridge setup. This is what I came up with:

Load variables into NVRAM:

Via Webinterface (enable OpenVPN-Server radio-button and fill the text boxes, afterwards disable again) you can currently only upload openvpn_ca, openvpn_key and openvpn_client, while the other three variables don't get committed. (bug?) Anyway - to avoid those hazzles run the following on the command line (not all settings are meaningful to everybody - but this gives transparent bridging, DNSmasq is used to distribute IP-addresses, default route is suppressed by the "nogw" option):

nvram set openvpn_config='server-bridge nogw
proto udp
port 1194
dev tap0
keepalive 15 60
float
verb 3
comp-lzo
client-to-client
duplicate-cn
tls-auth /tmp/openvpnsrv/ta.key 0
ca /tmp/openvpnsrv/ca.crt
dh /tmp/openvpnsrv/dh1024.pem
cert /tmp/openvpnsrv/server.crt
key /tmp/openvpnsrv/server.key
ping-timer-rem
cipher AES-256-CBC
mssfix'

Next we need all your fancy certs/keys as generated with easy-rsa.

WARNING: The following commands might overflow your NVRAM. I myself had to throw away a WL500gp v2 after playing around with 2048bit keys once (and after I tried to recover it by shortening circuits). So please read how to check the remaining space in your NVRAM before doing this and make sure you don't exceed it.

#Certificate of CA
nvram set openvpn_ca='-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----'

#DH Parameters
nvram set openvpn_dh='-----BEGIN DH PARAMETERS-----
...
-----END DH PARAMETERS-----'

#Server Certificate
nvram set openvpn_client='-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----'

#Server Key
nvram set openvpn_key='-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----'

#Static TA key file (If appropriate, depends on individual paranoia: If not used disable in config!)
nvram set openvpn_tlsauth='-----BEGIN OpenVPN Static key V1-----
...
-----END OpenVPN Static key V1-----'

nvram commit

Interesting enough - if you enable OpenVPN-Server in the Webinterface it will display all the values of the variables - you simply can't update all of them...

Furthermore we need the rc_startup file (can be uploaded via the Webinterface, Administration -> Commands):

export PATH=/usr/bin:/bin:/usr/sbin:/sbin
sleep 30

# OpenVPN Server
openvpn --mktun --dev tap0
brctl addif br0 tap0
ifconfig tap0 0.0.0.0 up
[ -d /tmp/openvpnsrv ] || mkdir /tmp/openvpnsrv
nvram get openvpn_config > /tmp/myvpnsrv.conf
nvram get openvpn_ca > /tmp/openvpnsrv/ca.crt
nvram get openvpn_key > /tmp/openvpnsrv/server.key
nvram get openvpn_client > /tmp/openvpnsrv/server.crt
nvram get openvpn_dh > /tmp/openvpnsrv/dh1024.pem
nvram get openvpn_tlsauth > /tmp/openvpnsrv/ta.key
ln -s /usr/sbin/openvpn /tmp/myvpn
chmod 700 /tmp/openvpnsrv
chmod 400 /tmp/openvpnsrv/*
sleep 5
/tmp/myvpn --config /tmp/myvpnsrv.conf --daemon

# Firewall for OpenVPN - could be put into rc_firewall as well of course
iptables -I INPUT -p udp --dport 1194 -j logaccept

The export of the PATH variable is essential. I found that even the previous script did not work for me without including "/sbin" into PATH. Without it I ran into a silently failing "ifconfig"-command - which again caused a very strange behavior of the setup as tap0 was included in the bridge but stayed down.

After putting everything in place - reboot and you should be done. If in doubt add "log-append /tmp/myvpnsrv.log" to openvpn_config and reboot - this will give you extra logging.

Optional side note:

I came across this idea when I was connected to a public WLAN which was only allowing HTTP over a transparent proxy server, HTTPS (TCP port 443), DNS (UDP port 53), FTP (TCP port 21) and SSH (TCP port 22) connections. UDP port 1194 (the OpenVPN standard) was of course blocked... This is probably not a very representative setup, but if you need to connect to your OpenVPN router at home and this is all you got --- Damn. :-)

So I started to look into a solution: I thought the ports with the highest likelyhood to be "usuable" in most public WLANs without PROXY and without a block on a firewall would be:

UDP 53 and TCP 443

Both services are usually used on our little favorite routers as they are running DNSMASQ for the internal network clients and an HTTPS webinterface to the inside as well. Moreover both of those services can not be convinced to listen only on the internal webinterface. For DNSMASQ I did a lot of investigation - this seems to be a bug on the version used in DD-WRT - the available options do not work. This is not a problem in normal operations as the router's firewall does not allow access to those ports from the outside - so we are save. But if you now want to use one of those ports to the outside to bind OpenVPN to them you fail because the ports are taken --- Damn again. :-)

Solution: Let the firewall redirect all packets coming from the internet to the internal standard OpenVPN port, add this to your firewall script:

iptables -t nat -I PREROUTING -p udp -i vlan1 --dst samplehost.anydyndnsprovider.net --dport 53 -j REDIRECT --to-ports 1194

The value behind "--dst" of course needs to be replaced by your routers registered host name or, in case of a stable IP address this one can be used as well. This works for the UDP configuration as shown above - of course if you want to use a redirect of TCP port 443 you need to change your config on the OpenVPN config file to "proto tcp" as well. Now you can change the "port 1194" line on the client's configuration to 53 - basically the router now "listens" on two ports at the same time.

Yet another evolution - TUN - VPN on a virtual DMZ

Config scripts to get TUN working so you can control the access to your home network with iptables.

rc_firewall is VERY deppendant on v24sp1-vpn build defaults

On this example:

- All traffic from VPN to Internet is allowed.

- All traffic from LAN to VPN is allowed

- Only specific ports from VPN to LAN are allowed.

rc_startup script:

sleep 5
cd /tmp
openvpn --mktun --dev tun0

echo "
port 443
proto tcp-server
dev tun0
ca ca.crt
dh dh1024.pem
cert server.crt
key server.key
server 172.16.0.0 255.255.255.0
push \"route 192.168.1.0 255.255.255.0\"
keepalive 15 60
daemon
verb 3
comp-lzo
client-to-client
duplicate-cn
status /tmp/vpnstatus.log
" > openvpn.conf

echo "
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
" > ca.crt
echo "
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
" > server.key
chmod 600 server.key
echo "
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
" > server.crt
echo "
-----BEGIN DH PARAMETERS-----
...
-----END DH PARAMETERS-----
" > dh1024.pem

sleep 5
ln -s /usr/sbin/openvpn /tmp/myvpn
/tmp/myvpn --config openvpn.conf


rc_firewall:

iptables -I INPUT 4 -p udp --dport 520 -i tun0 -j DROP
iptables -I INPUT 1 -p tcp --dport 443 -j ACCEPT
iptables -I INPUT 11 -p tcp --dport 19150 -i tun0 -m state --state NEW -j logaccept
iptables -I INPUT 11 -p tcp --dport 22 -i tun0 -m state --state NEW -j logaccept
iptables -I INPUT 7 -p icmp -i tun0 -j ACCEPT
iptables -I FORWARD 15 -i tun0 -o vlan1 -m state --state NEW -j ACCEPT
iptables -I FORWARD 3 -i tun0 -o tun0 -j ACCEPT
iptables -I FORWARD 3 -i br0 -o tun0 -j logaccept
# Start of VPN-to-LAN allowed ports
iptables -I FORWARD 3 -i tun0 -o br0 -p tcp --dport 22 -j logaccept
iptables -I FORWARD 3 -i tun0 -o br0 -p tcp --dport 5060 -j logaccept
iptables -I FORWARD 3 -i tun0 -o br0 -p udp --dport 5060 -j logaccept
# End of VPN-to-LAN allowed ports
iptables -I FORWARD 3 -i tun0 -o br0 -m state --state RELATED,ESTABLISHED -j logaccept
iptables -I POSTROUTING 3 -t nat -o tun0 -s 172.16.0.0/24 -d 172.16.0.0/24 -j MASQUERADE