OpenVPN - Server or Daemon??

DD-WRT Forum Index -> Marvell MVEBU based Hardware (WRT1900AC etc.)
charmander
DD-WRT User


Joined: 22 Jun 2013
Posts: 81

PostPosted: Fri Oct 07, 2016 0:00    Post subject: OpenVPN - Server or Daemon??
DD-WRT v3.0-r29825M kongmv (06/04/16)
Linksys WRT 1900 ACS

Hello,

I'm starting to setup OpenVPN on my router. For starters, which mode would I choose?

Under "OpenVPN Server/Daemon" there is the option to config as "server" or "daemon".

The "daemon" option only has fields for the certs, keys, CRL, and additional options.

The "server" option has many more fields to configure for ip ranges, ciphers, DHCP, etc.

I want to have a VPN server that I can connect to from a smartphone or laptop on a public ip.

What are the differences between the two modes?

Seems like the server option is what I need, but not sure of the differences.

Any help is appreciated.
HappyDaddy
DD-WRT Novice


Joined: 29 Sep 2016
Posts: 10
Location: WV, USA

PostPosted: Fri Oct 07, 2016 8:11
Hi,

I just finished this same setup earlier today for the first time so hopefully I can save you some time and much frustration. The basic difference is the "Server" option uses the GUI to generate the Server Config file for you whereas the Daemon option requires you to include all of the details in the Server Config file. The Server option is much easier and straightforward.

What I have found is that 90% of the tutorials I have tried online are erroneous and factually inaccurate likely due to them being based on different versions of the software packages required, i.e. OpenVPN, DD-WRT, EasyRSA, etc. Let me also state upfront and in the interest of full disclosure, I am not an expert by any means. That being said, most of my time was spent in a trial and error effort.

Hope this helps and please feel free to ask questions if something seems unclear or if you have trouble. Also, if anyone sees something that doesn't look quite right please chime in.

SETUP
My setup is as follows: I'm running DD-WRT v3.0-r30695M kongmv (09/26/16) on a Linksys WRT-1900ACS v1. I used OpenVPN v. 2.2.2 due to the fact that it includes EasyRSA in the install package. I'm running Windows 10 on my machine and the intent of setting up a VPN on the router is so that I can easily run VNC on my home network while away via iPhone, iPad, or my laptop. I didn't find out until after the fact that iOS does not support TAP based tunnels at this time. Tap-based tunneling creates a bridged connection via VPN that allows you to be remotely connected to your LAN just as if you are physically sitting on the LAN, which is what I wanted. This way, you can "see" everything on the LAN as if you're there. I am still going to work to find a way to connect through a VPN in order to VNC to my machines with my iOS devices but I'm just finishing up with this project so I'm happy to share while it's still fresh in my mind.

PREP WORK
Now to the good stuff.

What you will need: DD-WRT (obviously already setup on your router) and OpenVPN 2.2.2. OpenVPN will also serve as your client side connection app on your remote machine. Further, if you use OpenVPN 2.2.2 as recommended it will also include EasyRSA to create your security keys, certificates, and related files. I also recommend you download and install Notepad++ as it will make creating your config file easier.

Here are the direct links for the two downloads you will need:
OpenVPN 2.2.2 http://build.openvpn.net/downloads/releases/openvpn-2.2.2-install.exe
Notepad++ 7.0 https://notepad-plus-plus.org/repository/7.x/7.0/npp.7.Installer.exe

INSTALLATION
All that said, install OpenVPN 2.2.2 on your machine and keep all of the default install settings as there are a few bugs that apparently make the application files look for those default locations as opposed to the actual locations where the files are installed if you change them. Experience, trust me. I believe the default location is "C:\Program Files (x86)\OpenVPN\"

SECURITY KEY & CERT AND CLIENT CONFIG FILE GENERATION
Create your security certificate and keys. There is a good tutorial on how to install OpenVPN on your computer and create the security keys I can provide if needed but the OpenVPN configuration part of the tutorial is crap so only use it for the OpenVPN install and creating the security files. The link is http://www.howtogeek.com/64433/how-to-install-and-configure-openvpn-on-your-dd-wrt-router/. The server side configuration file is generated by DD-WRT when you select the Server radio button so you will not need to generate a separate server config file. Name the client certificate and key "client1.crt" and "client1.key" respectively. This will be the "CN" field when generating them in EasyRSA.

Ignore the code in the client config file in the above tutorial. Use Notepad++ to create a new file and use the code below.

Quote:
client
dev tap
proto tcp
remote yourddns.com_or_ip_address 1194
nobind
persist-key
persist-tun
verb 4
float
ca ca.crt
cert client1.crt
key client1.key
comp-lzo yes
tun-mtu 1400
auth SHA1
cipher AES-128-CBC


Save the file as "client1.ovpn" without the quotes to the "C:\Program Files (x86)\OpenVPN\config" directory.

FILE LOCATIONS
The server.crt, server.key, ca.crt and dh1024.pem files will default to "C:\Program Files (x86)\OpenVPN\easy-rsa\keys". You will open these files with Notepad++ and copy/paste their contents to their respective fields in the DD-WRT Server GUI mentioned below.

NOTE: When copying/pasting the data into the GUI, there may be more info than is needed. Only copy the data between and including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----, -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY-----, & -----BEGIN DH PARAMETERS----- and -----END DH PARAMETERS-----.

You will need to copy the actual client files (not just their contents); ca.crt, client1.crt and client1.key from "C:\Program Files (x86)\OpenVPN\easy-rsa\keys" to the "C:\Program Files (x86)\OpenVPN\config" directory.

As previously mentioned above, you will also need to save the client1.ovpn file you created with OpenVPN to this same directory. This is where the OpenVPN application on your laptop will look when you first connect to the VPN.

DD-WRT AND OPENVPN SETUP
Finally, I am attaching screenshots of my DD-WRT configuration page so you can simply copy the info. Remember, do not use the instructions in the tutorial above or you will become bald like me from pulling all of your hair out.

The server side configuration file is generated by DD-WRT when you select the Server radio button so you will not need to generate a separate server config file. Just fill in everything I have in the pics below and you should be fine. If you are running Windows, remember to disable Windows Firewall. This will save you about four hours of wasted time troubleshooting. DOH!!!

DD-WRT OPENVPN CONFIGURATION
As you can see, using Notepad++, you will only need to copy the data from the files and paste it in the "Public Server Cert" field (server.crt), the "Private Server Key" field (server.key) the "CA Cert" field (ca.crt), and the "DH PEM" field (dh1024.pem).

In the "Additional Config" field copy and paste the following:
Quote:
push "route 192.168.0.0 255.255.255.0"
push "dhcp-option DNS 192.168.0.1"
push "dhcp-option DNS 208.67.222.222"
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
The code here and the image below differ on the DNS setting only because I want the VPN to use the router as the DNS first.

FINAL THOUGHTS
Obviously, wherever I have used the 192.168.0.0 subnet you would enter whatever subnet you are using on your router.

Contrary to what all of the tutorials and forums say, there is no need to change any of the firewall settings in DD-WRT. Leave them as they are and keep your firewall within DD-WRT running.

Remember, disable the firewall on your computer when you start testing.

One last thing, when you begin testing and go live with the VPN, make sure you set BOTH your computer's clock AND the router's time to GMT. This is because there is a time signature in the security keys at the time they're generated. If the local time is earlier than GMT when they were generated, they will not work. Easiest workaround is to temporarily change the time on the computer and router to GMT.

REFERENCE MATERIALS
In conclusion, I wanted to add a few websites that I used to accomplish the task as they might be helpful. Just remember, for this late version of DD-WRT, they ALL have incorrect instructions but each of them have some good information. Just use my above instructions for this version and you should be good.
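
Two of the points in the walkthrough above are easy to get wrong by hand: pasting more than the BEGIN/END block into a DD-WRT field, and having a client1.ovpn whose dev/proto/cipher/auth/compression/MTU settings do not match what the Server GUI generated. The following is an added example, not part of the post or of DD-WRT; it extracts only the PEM blocks from an easy-rsa output file and compares a client .ovpn against the server-side options. The certificate body and the server option list are constructed stand-ins (DD-WRT's real generated file is not reproduced here); the client config is the one from the post.

```python
import re
import shlex

# Constructed stand-in for what easy-rsa writes around a certificate. Only the
# BEGIN/END block (inclusive) belongs in the DD-WRT field. Placeholder body.
SAMPLE_SERVER_CRT = """Certificate:
    Data:
        Version: 3 (0x2)
        Subject: CN=server
-----BEGIN CERTIFICATE-----
MIIBplaceholderBodyNotARealCertificate==
-----END CERTIFICATE-----
"""

# client1.ovpn from the post above (TAP over TCP).
CLIENT_TAP_TCP = """client
dev tap
proto tcp
remote yourddns.com_or_ip_address 1194
nobind
persist-key
persist-tun
verb 4
float
ca ca.crt
cert client1.crt
key client1.key
comp-lzo yes
tun-mtu 1400
auth SHA1
cipher AES-128-CBC
"""

# Constructed approximation of the server options behind the DD-WRT "Server"
# GUI fields. NOT the file DD-WRT generates; only the settings that must agree.
SERVER_TAP_TCP = """dev tap
proto tcp-server
port 1194
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
comp-lzo yes
tun-mtu 1400
auth SHA1
cipher AES-128-CBC
push "route 192.168.0.0 255.255.255.0"
push "dhcp-option DNS 192.168.0.1"
"""

PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----\r?\n.*?-----END (?P=label)-----", re.S)


def extract_pem_blocks(text):
    """Return every BEGIN..END block in text, inclusive; the readable dump around it is dropped."""
    return [m.group(0) for m in PEM_BLOCK.finditer(text)]


def parse_ovpn(text):
    """Parse option lines into {directive: [args, ...]}; repeated directives (push) accumulate."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # OpenVPN comment lines
            continue
        parts = shlex.split(line)             # keeps quoted push arguments whole
        opts.setdefault(parts[0], []).append(parts[1:])
    return opts


def _first(opts, name, default):
    return opts.get(name, [default])[0]


def _proto_family(p):
    """tcp-server, tcp-client, tcp4, udp6 ... all collapse to 'tcp' or 'udp'."""
    return re.sub(r"-(server|client)$", "", p).rstrip("46")


def find_mismatches(client, server):
    """Compare the options both sides must agree on; empty list means compatible."""
    problems = []
    c_dev, s_dev = _first(client, "dev", ["?"])[0][:3], _first(server, "dev", ["?"])[0][:3]
    if c_dev != s_dev:
        problems.append(f"dev: client uses {c_dev}, server uses {s_dev}")
    c_proto = _proto_family(_first(client, "proto", ["udp"])[0])
    s_proto = _proto_family(_first(server, "proto", ["udp"])[0])
    if c_proto != s_proto:
        problems.append(f"proto: client uses {c_proto}, server uses {s_proto}")
    remote = _first(client, "remote", ["?"])
    c_port = remote[1] if len(remote) > 1 else "1194"   # OpenVPN default port
    s_port = _first(server, "port", ["1194"])[0]
    if c_port != s_port:
        problems.append(f"port: client connects to {c_port}, server listens on {s_port}")
    for name in ("cipher", "auth", "tun-mtu"):
        c_val, s_val = _first(client, name, [None])[0], _first(server, name, [None])[0]
        if c_val is not None and s_val is not None and c_val.lower() != s_val.lower():
            problems.append(f"{name}: client {c_val}, server {s_val}")
    if ("comp-lzo" in client) != ("comp-lzo" in server):
        problems.append("comp-lzo: set on one side only")
    return problems


def check(client_text, server_text):
    return find_mismatches(parse_ovpn(client_text), parse_ovpn(server_text))


if __name__ == "__main__":
    print(extract_pem_blocks(SAMPLE_SERVER_CRT)[0])
    print(check(CLIENT_TAP_TCP, SERVER_TAP_TCP) or "client and server options agree")
    tun_udp = CLIENT_TAP_TCP.replace("dev tap", "dev tun").replace("proto tcp", "proto udp")
    print(check(tun_udp, SERVER_TAP_TCP))
```

Run it against your own client1.ovpn and the values you typed into the Server page; a TUN/UDP client against this TAP/TCP server reports both the dev and the proto mismatch, which is the kind of silent disagreement that shows up only as a looping reconnect on the client.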

charmander
DD-WRT User


Joined: 22 Jun 2013
Posts: 81

PostPosted: Sun Oct 09, 2016 22:07
Thanks for the epic post.

I was able to get this working with an Android phone as the client.

I am running OpenVPN 2.3.
I didn't have to add anything to "Additional config".
I didn't have to change the time settings to GMT.

I have only tested with an Android phone so far, so I may have to add those push commands once I start using a windows laptop.

I had to switch to routed mode because Android and IOS don't support bridging.

I agree that a lot of the documentation is bad and outdated.

I'll update this post as I get further into it.

I appreciate your assistance.
fluffuser
DD-WRT Novice


Joined: 23 Oct 2016
Posts: 1

PostPosted: Sun Oct 23, 2016 11:27
HappyDaddy wrote:
Hi,

What I have found is that 90% of the tutorials I have tried online are erroneous and factually inaccurate


Quote:
Contrary to what all of the tutorials and forums say, there is no need to change any of the firewall settings in DD-WRT. Leave them as they are and keep your firewall within DD-WRT running.


I just registered to say thanks for a brilliant post. I had spent several hours following other guides. Two minor additions I found:

1. I had chosen TUN in DD-WRT and already opened UDP on my external broadband router, so my client1.ovpn file ended up as:

client
dev tun
proto udp

remote yourddns.com_or_ip_address 1194
nobind
persist-key
persist-tun
verb 4
float
ca ca.crt
cert client1.crt
key client1.key
comp-lzo yes
tun-mtu 1400
auth SHA1
cipher AES-128-CBC


2. I found both the DD-WRT and Windows 10 firewalls could be re-enabled with no issues.

I have tested this today successfully with DD-WRT v3.0-r29627 std (05/12/16) on Netgear Nighthawk R7000 ac1900 with both Windows 10 OpenVPN openvpn-install-2.3.12-I602-x86_64 and iPhone 6 iOS 10 OpenVPN clients (I had used easy-rsa from openvpn-2.1.4-install to create the certificates).

The screenshots were missing for me before I logged in, so I attach a PDF print of my DD-WRT VPN service settings.

Thanks.
morten
DD-WRT Novice


Joined: 28 Aug 2013
Posts: 22

PostPosted: Tue Nov 15, 2016 16:31
Can you run multiple openvpn servers on ddwrt? One for TUN and one for TAP? Shame android doesn't support TAP
agromsl
DD-WRT Novice


Joined: 13 Dec 2016
Posts: 3

PostPosted: Fri Dec 16, 2016 20:08    Post subject: More compatible materials and releases
First: thanks to HappyDaddy for getting me out of a dead-end!
and thanks fluffuser for enlarging the compatibility list.

Second: after getting the dead-end, I could verify that those releases from betas
(eko???, not sure about the naming, for sure, those I got there: http://www.dd-wrt.com/site/support/other-downloads?path=betas%2F)
worked fine on
TP-Link WR1043nd, version 1.8 and 1.10 of that hardware:
DD-WRT v3.0-r30016 std (betas/eko? 2016-06-24)
DD-WRT v3.0-r30880 std (betas/eko? 2016-11-14)

and those did NOT
DD-WRT v3.0-r29218 std (betas/eko?, 2016-03-07)
DD-WRT v3.0-r30949 std (betas/eko? 2016-12-15)

So there seems to be regression problems from betas because we have approximately alternate version working and working...

Can someone dissipate my doubts about the betas naming?

And by the occasion, give me a source of releases more reliable and with a material compatibility list as large as Betaseko?

Thank you!
agromsl
DD-WRT Novice


Joined: 13 Dec 2016
Posts: 3

PostPosted: Wed Dec 21, 2016 15:01    Post subject: Re: More compatible materials and releases
agromsl wrote:
First: thanks to HappyDaddy for getting me out of a dead-end!
and thanks fluffuser for enlarging the compatibility list.

Second: after getting the dead-end, I could verify that those releases from betas
(eko???, not sure about the naming, for sure, those I got there: http://www.dd-wrt.com/site/support/other-downloads?path=betas%2F)
worked fine on
TP-Link WR1043nd, version 1.8 and 1.10 of that hardware:
DD-WRT v3.0-r30016 std (betas/eko? 2016-06-24)
DD-WRT v3.0-r30880 std (betas/eko? 2016-11-14)

and those did NOT (sorry, this was false. Once corrected an error in additional config, these 2 releases also work fine!)
DD-WRT v3.0-r29218 std (betas/eko?, 2016-03-07)
DD-WRT v3.0-r30949 std (betas/eko? 2016-12-15)

So there seems to be regression problems from betas because we have approximately alternate version working and working...
In fact, no such regression problems! (once again, sorry)

Can someone dissipate my doubts about the betas naming?

And by the occasion, give me a source of releases more reliable and with a material compatibility list as large as Betaseko?

Thank you!
agromsl
DD-WRT Novice


Joined: 13 Dec 2016
Posts: 3

PostPosted: Wed Dec 21, 2016 16:14
fluffuser wrote:
HappyDaddy wrote:
Hi,

What I have found is that 90% of the tutorials I have tried online are erroneous and factually inaccurate


Quote:
Contrary to what all of the tutorials and forums say, there is no need to change any of the firewall settings in DD-WRT. Leave them as they are and keep your firewall within DD-WRT running.


I just registered to say thanks for a brilliant post. I had spent several hours following other guides. Two minor additions I found:

1. I had chosen TUN in DD-WRT and already opened UDP on my external broadband router, so my client1.ovpn file ended up as:

client
dev tun
proto udp

remote yourddns.com_or_ip_address 1194
nobind
persist-key
persist-tun
verb 4
float
ca ca.crt
cert client1.crt
key client1.key
comp-lzo yes
tun-mtu 1400
auth SHA1
cipher AES-128-CBC


2. I found both the DD-WRT and Windows 10 firewalls could be re-enabled with no issues.

I have tested this today successfully with DD-WRT v3.0-r29627 std (05/12/16) on Netgear Nighthawk R7000 ac1900 with both Windows 10 OpenVPN openvpn-install-2.3.12-I602-x86_64 and iPhone 6 iOS 10 OpenVPN clients (I had used easy-rsa from openvpn-2.1.4-install to create the certificates).

The screenshots were missing for me before I logged in, so I attach a PDF print of my DD-WRT VPN service settings.

Thanks.


Because the ISP offers very low speed at one end (server's side) of that internet link (5Mbps down but only 0.7Mbps up, the limiting factor), I could get TAP working fine, as previously said, but the overhead that TAP implies with a lot of services/protocols diffusion slows down the connection, even the client's LAN: when the VPN is connected, a ping from client to Google DNS takes more than 110ms. Once disconnected, it only takes 18ms. When connected, latency is so high that a request to an SMTP server fails by timeout, while it works fine when disconnected.
No matter the speed of the client's internet connection, as long as the server's internet connection is slow, the problem shows up.

So I decided to try TUN, made the modification you recommend but I can't get the client to connect.

server's LAN is 192.168.1.0
client LAN is 172.20.0.0 (also tried in a LAN 10.1.1.0)

Was I right to keep 10.8.0.0 in DD-WRT's OpenVPN config «Network» field?

Was I right to start «Additional Config» with this line:
push "route 192.168.1.0 255.255.255.0"
?

In your screenshots, you hide the Advanced Options.
Those settings are hidden but might still be effective.
Do I assume settings there are exactly the same as in HappyDaddy's screen shots?

For safety, can you show us those Advanced Options?

Thank You!
mrgino
DD-WRT Novice


Joined: 08 Jan 2017
Posts: 3

PostPosted: Mon Jan 09, 2017 3:52
HappyDaddy wrote:
I'm running Windows 10 on my machine and the intent of setting up a VPN on the router is so that I can easily run VNC on my home network while away via iPhone, iPad, or my laptop. I didn't find out until after the fact that iOS does not support TAP based tunnels at this time.


THANK YOU for this awesome post. Followed it perfectly today to set up my VPN. I too am looking for a way to use this with iOS devices though - have you had any luck getting it to work with your iPhone/iPad yet? Please keep us posted here if you are successful
fperkins
DD-WRT Novice


Joined: 11 Jan 2017
Posts: 3

PostPosted: Wed Jan 11, 2017 1:49
mrgino wrote:
... have you had any luck getting it to work with your iPhone/iPad yet? Please keep us posted here if you are successful


This post helped me a lot and I got it working on my iPhone. I posted the details here. I hope it helps! https://www.fperkins.com/uncategorized/openvpn-setup-on-dd-wrt-router-with-mac-and-ios-10.php
mrgino
DD-WRT Novice


Joined: 08 Jan 2017
Posts: 3

PostPosted: Wed Jan 11, 2017 5:01
fperkins wrote:

This post helped me a lot and I got it working on my iPhone. I posted the details here. I hope it helps! https://www.fperkins.com/uncategorized/openvpn-setup-on-dd-wrt-router-with-mac-and-ios-10.php


Thanks, but that's a tun VPN. HappyDaddy's guide is using tap instead.
keith6226
DD-WRT Novice


Joined: 11 Jan 2017
Posts: 1

PostPosted: Wed Jan 11, 2017 11:29
Thanks for this post -- been working at this for a couple days and this is the most progress I have made. That said, I am still not able to complete a connection. Or more accurately, it looks like I connect, but then the connection resets.

In the connection log, I receive the following message:

Code:
SIGUSR1[soft,connection-reset] received, process restarting


and then it waits 5 seconds and continues to loop through the connection/reconnection process...

Windows firewall is off, and I followed the post pretty closely. Any advice on where to start troubleshooting would be appreciated!

Keith
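
The "SIGUSR1[soft,connection-reset] received, process restarting" line in Keith's log is the generic symptom of a TCP peer dropping the session; the actual reason is usually in the lines just before it, or only in the server's log. The following is an added example, not part of this thread or of OpenVPN, that scans a client log for the symptoms this thread has discussed (clock/certificate validity, nothing answering on the forwarded port, client/server option disagreement, rejected credentials) and reports the most actionable one first. The log excerpts are constructed, using documentation IP addresses; the message texts are OpenVPN 2.x client messages, and the hints are the thread's own troubleshooting points rather than an exhaustive catalogue.

```python
import re

# Constructed client log excerpts in the format the OpenVPN GUI log window shows.
LOG_RESET = """Thu Jan 12 00:00:01 2017 Attempting to establish TCP connection with [AF_INET]203.0.113.10:1194
Thu Jan 12 00:00:01 2017 TCP connection established with [AF_INET]203.0.113.10:1194
Thu Jan 12 00:00:03 2017 Connection reset, restarting [0]
Thu Jan 12 00:00:03 2017 SIGUSR1[soft,connection-reset] received, process restarting
Thu Jan 12 00:00:03 2017 Restart pause, 5 second(s)
"""

LOG_CLOCK = """Thu Jan 12 00:00:05 2017 VERIFY ERROR: depth=0, error=certificate is not yet valid: CN=server
Thu Jan 12 00:00:05 2017 TLS Error: TLS object -> incoming plaintext read error
Thu Jan 12 00:00:05 2017 TLS Error: TLS handshake failed
Thu Jan 12 00:00:05 2017 SIGUSR1[soft,tls-error] received, process restarting
"""

LOG_TIMEOUT = """Thu Jan 12 00:01:05 2017 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu Jan 12 00:01:05 2017 TLS Error: TLS handshake failed
Thu Jan 12 00:01:05 2017 SIGUSR1[soft,tls-error] received, process restarting
"""

# (code, pattern, hint) in order of specificity; the last entry is the generic symptom.
RULES = [
    ("clock-skew",
     re.compile(r"certificate is not yet valid|certificate has expired"),
     "certificate validity window does not match the client clock; fix client and router time "
     "(the GMT point earlier in the thread)"),
    ("no-reply",
     re.compile(r"TLS key negotiation failed to occur within \d+ seconds"),
     "nothing came back from the server: check the port forward, any firewall on the path, "
     "and that the router's OpenVPN service is running"),
    ("option-mismatch",
     re.compile(r"'[\w-]+' is used inconsistently"),
     "client .ovpn and DD-WRT server fields disagree on an option; compare dev, proto, cipher, "
     "auth, comp-lzo and MTU"),
    ("auth-failed",
     re.compile(r"AUTH_FAILED"),
     "server rejected the client's credentials (client cert/key, or username/password if used)"),
    ("peer-reset",
     re.compile(r"SIGUSR1\[soft,connection-reset\]|Connection reset, restarting"),
     "the peer dropped the TCP session; the cause is in the lines before this one or only in the "
     "server log (raise verb on both sides)"),
]


def classify_line(line):
    """Return (code, hint) for the first known symptom in one log line, else None."""
    for code, pat, hint in RULES:
        if pat.search(line):
            return code, hint
    return None


def triage(log_text):
    """Unique findings in log order, with the generic peer-reset moved last so a real cause reads first."""
    findings = []
    for line in log_text.splitlines():
        hit = classify_line(line)
        if hit and hit not in findings:
            findings.append(hit)
    findings.sort(key=lambda f: f[0] == "peer-reset")   # stable sort: only demotes peer-reset
    return findings


def first_cause(log_text):
    """Code of the most actionable finding, or None if no known symptom appears."""
    found = triage(log_text)
    return found[0][0] if found else None


if __name__ == "__main__":
    for name, log in (("reset", LOG_RESET), ("clock", LOG_CLOCK), ("timeout", LOG_TIMEOUT)):
        for code, hint in triage(log):
            print(f"{name}: {code}: {hint}")
```

For a log like Keith's, where only the reset lines match, the tool can say no more than "look earlier or at the server": that is the cue to raise verb on the client and read the router's OpenVPN log rather than keep restarting the client.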
rantaholic
DD-WRT Novice


Joined: 12 Jan 2017
Posts: 2

PostPosted: Thu Jan 12, 2017 4:26    Post subject: missing ovpn file details
fperkins wrote:

This post helped me a lot and I got it working on my iPhone. I posted the details here. I hope it helps! https://www.fperkins.com/uncategorized/openvpn-setup-on-dd-wrt-router-with-mac-and-ios-10.php


You don't list what you are using for a config .ovpn for your iPhone in that post.

Would you be able to share it?

Thanks
js1662
DD-WRT Guru


Joined: 23 Jul 2014
Posts: 1237
Location: BC, CA

PostPosted: Thu Jan 12, 2017 7:38
You shouldn't ask people for the .ovpn file for security reason. The .ovpn file is like a key. Will you share your key with strangers? If you are using a VPN service provider, the service provider will provide you the .ovpn file. If you are using your own OpenVPN server, you should generate your own .ovpn file. Anyway, .ovpn files are not for sharing!
rantaholic
DD-WRT Novice


Joined: 12 Jan 2017
Posts: 2

PostPosted: Thu Jan 12, 2017 22:56
js1662 wrote:
You shouldn't ask people for the .ovpn file for security reason. The .ovpn file is like a key. Will you share your key with strangers? If you are using a VPN service provider, the service provider will provide you the .ovpn file. If you are using your own OpenVPN server, you should generate your own .ovpn file. Anyway, .ovpn files are not for sharing!


The .ovpn file for OpenVPN for iPhone is just the client config details such as protocol type, port, mtu, etc. It does not contain any private information other than perhaps the domain/ip address you are connecting to which could easily be removed. It is not like a key.
Page 1 of 4
All times are GMT