For OpenVPN server on DD-WRT router basics, return to Part 1.
This is the second installment of a two-part series on setting up the OpenVPN server on DD-WRT router firmware. This is a great way to set up secure connections to your network for road-warriors or to remotely connect offices. This cost-effective solution can support a dozen or two VPN users.
In Part 1, we uploaded the DD-WRT firmware to the router, changed the router's IP and subnet for compatibility reasons, and created the SSL certificates for the OpenVPN server and clients.
Now, we'll continue by enabling the OpenVPN server and copying in the SSL certificates. We'll also input startup and firewall scripts. Then, we'll configure the clients and finally test it out.
Configure the OpenVPN Server
We can begin configuring the OpenVPN server on the DD-WRT router. Start by connecting to the router. Enter the new IP address (192.168.2.1) into a web browser. Then enable and configure the server:
- Click Services > VPN.
- In the OpenVPN Daemon area, enable Start OpenVPN.
- For the Start Type, select WAN Up.
- Public Server Cert: ca.crt
- Certificate Revoke List: (leave blank)
- Public Client Cert: server.crt. Don't include the text that precedes the certificate block. As with the others, paste from -----BEGIN CERTIFICATE----- through -----END CERTIFICATE-----.
- Private Client Key: server.key
- DH PEM: dh1024.pem
- OpenVPN Config: (see below)
- OpenVPN TLS Auth: (leave blank)
Open each certificate file in Notepad to view the contents. Some files you can right-click, select Open With, and choose Notepad. Some you may have to Open and then choose Notepad as the program.
For the OpenVPN Config box, enter the following:
mode server
proto udp
port 1194
dev tap0
server-bridge 192.168.2.2 255.255.255.0 192.168.2.200 192.168.2.249
keepalive 10 120
daemon
verb 5
client-to-client
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
management localhost 5001
When you're done entering all these pieces of information, click Apply Settings.
Configure the Startup and Firewall
Now, you must enter the startup script so the server can initialize during boot. You must then enter a firewall script so the VPN traffic can pass. On the DD-WRT control panel, click Administration > Commands.
Paste the following, and click Save Startup:
openvpn --mktun --dev tap0
brctl addif br0 tap0
ifconfig tap0 0.0.0.0 promisc up

Paste the following and click Save Firewall:

iptables -A INPUT -i tap0 -j ACCEPT
iptables -I INPUT -p udp --dport 1194 -j ACCEPT
Reboot the Router
Now that everything is set up for the OpenVPN server on the router, reboot it. Either unplug the router for a few seconds or do it via the control panel by clicking the Administration tab and hitting the Reboot Router button on the bottom.
Configure the Windows Clients
Next, you must set up the clients, the computers from which you want to connect to the VPN server. Start by downloading and installing OpenVPN on each PC using the Windows Installer.
Now, open Notepad and paste in the following configuration parameters:
remote XXX.XXX.XXX.XXX 1194
client
dev tap0
proto udp
resolv-retry infinite
nobind
persist-key
persist-tun
float
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server
Be sure to replace the remote address in the beginning with your WAN or Internet IP address. You could alternatively use a hostname, such as from a dynamic DNS service, if your Internet connection doesn't have a static IP. Also, make sure the names of the client certificate and key are correct.
Save the Notepad file with an .ovpn extension to the following location: C:\Program Files\OpenVPN\config. To save with a different extension, you'll have to change the Save as Type option in the Save dialog from Text Files to All Files.
You must also copy the following three files from the computer and directory where you created the certificates (C:\Program Files\OpenVPN\easy-rsa\keys) into the C:\Program Files\OpenVPN\config directory on the particular client computer: ca.crt, the client certificate (for example client1.crt), and the client key (for example client1.key).
Remember, the names of each client certificate and key vary; select the correct ones for each client.
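As an added example (not code from the article, DD-WRT or OpenVPN), here is a small Python checker that parses the server and client configs shown above and verifies the points that most often break a bridged setup: the server-bridge pool must sit inside the bridge subnet and must not include the gateway, and the client's remote port, protocol and device type must match the server's. The sample configs are constructed from the article's values; the client's remote address 203.0.113.10 is a placeholder, and no certificate files are needed to run it.

```python
# Added example (not from the article, DD-WRT or OpenVPN): parse the
# article's server and client configs and check the settings that most
# often break a bridged (tap) OpenVPN setup. Sample configs are
# constructed from the article; 203.0.113.10 is a placeholder address.
import ipaddress

SERVER_CONF = """
proto udp
port 1194
dev tap0
server-bridge 192.168.2.2 255.255.255.0 192.168.2.200 192.168.2.249
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
"""

CLIENT_CONF = """
remote 203.0.113.10 1194
client
dev tap0
proto udp
ca ca.crt
cert client1.crt
key client1.key
"""

def parse(conf):
    """Return {directive: [args]} for a whitespace-separated OpenVPN config."""
    opts = {}
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if line:
            name, *args = line.split()
            opts[name] = args
    return opts

def check(server_conf, client_conf):
    """Return a list of problems; an empty list means the pair is consistent."""
    s, c = parse(server_conf), parse(client_conf)
    gw, mask, start, end = s["server-bridge"]
    net = ipaddress.IPv4Network(f"{gw}/{mask}", strict=False)
    lo, hi = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    checks = [
        (lo > hi or lo not in net or hi not in net, "pool not inside the bridge subnet"),
        (lo <= ipaddress.IPv4Address(gw) <= hi, "pool includes the gateway address"),
        (c["remote"][1] != s["port"][0], "client remote port differs from server port"),
        (c.get("proto", ["udp"]) != s.get("proto", ["udp"]), "client proto differs from server proto"),
        (c.get("dev", [""])[0][:3] != s.get("dev", [""])[0][:3], "dev types differ (tap vs tun)"),
    ]
    return [msg for bad, msg in checks if bad]
```

Paste your own server and .ovpn contents into the two strings to check a real pair before rebooting the router.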
Configure Additional DD-WRT Routers
If you want to connect offices together, you can set up additional DD-WRT routers at other locations. Then you can use each router's OpenVPN client to connect back to the VPN server you just configured. Configuring the client is easy; here's how:
- Click Services > VPN.
- For the OpenVPN Client, click Enable.
- For the Server IP/Name, enter the WAN/Internet IP address or host name of the DD-WRT router that's hosting the OpenVPN Server.
For the following boxes, enter the contents of the certificate file specified below:
- Public Server Cert: ca.crt
- Public Client Cert: client1.crt. Don't include the text that precedes the certificate block. As with the others, paste from -----BEGIN CERTIFICATE----- through -----END CERTIFICATE-----.
- Private Client Key: client1.key
Test It Out
And you're done! Now you can connect. If the OpenVPN GUI isn't already loaded in your system tray (the lower right corner of Windows), bring it up now: click Start > All Programs > OpenVPN > OpenVPN GUI.
Right-click the OpenVPN GUI icon in the system tray and select Connect.
Now you should be able to access the DD-WRT router and any network shares on the local network where the OpenVPN server resides.
Remember, you are trying to connect to the WAN or Internet address. So you should be connecting from outside of the DD-WRT router's local network, such as from another location on the Internet.
If you want to test the server without going to another location, connect the DD-WRT router's WAN/Internet port to an Ethernet port on another network or router. Make sure the DD-WRT router gets a WAN IP address, and use that address in the OpenVPN configuration file on the test client. Then get onto that other network and try to connect to the OpenVPN server. This simulates a connection from the Internet. Once you're done and want to use it via the real Internet, disconnect the DD-WRT router from the test network and hook it directly to the Internet modem.
You can view the OpenVPN status and connections in DD-WRT by clicking Status > OpenVPN.
Eric Geier is the Founder and CEO of NoWiresSecurity, which helps businesses easily protect their Wi-Fi with enterprise-level encryption by offering an outsourced RADIUS/802.1X authentication service. He is also the author of many networking and computing books, for brands such as For Dummies and Cisco Press.