Configuring an OpenVPN Server in DD-WRT

Configuring OpenVPN is very different from configuring PPTP. Way different.

There are many OpenVPN/DD-WRT tutorials online. I found them confusing and outdated. Too many are written from the perspective of a Windows user. I struggled for days to get OpenVPN working. There is a simple reason many people continue to use PPTP despite the security risks. Getting OpenVPN to work is painful.

Yeah, I know, geeks read these words and quip that installing OpenVPN is simple and easy. Just RTFM.

I am not a system administrator or network engineer. I am just a skilled computer user. So the RTFM folks can take a long walk on a short pier.

Here is the sequence of steps I tried.

  • Create a Public Key Infrastructure (PKI).
  • Generate a certificate authority (CA) certificate and key.
  • Generate the server certificate and key.
  • Sign the server certificate with the CA certificate.
  • Generate the client certificate and key.
  • Sign the client certificate with the CA certificate.
  • Configure DD-WRT.
  • Configure NetworkManager.

I use Slackware on my LAN server and office desktop. Strangely, Slackware does not include the easy-rsa scripts in the OpenVPN package. The first step then was to grab the build script and files from slackbuilds.org.

The package installs the easyrsa script to /usr/share/easyrsa/easyrsa. I copied the directory to /tmp:

    cp -a /usr/share/easyrsa /tmp/

The tutorials do not explain well where this process should occur. As far as I can tell, most of this can occur anywhere on any system. The files are moved to where they are needed later. I created the certificate authority and server files on my office desktop.

Create a Public Key Infrastructure (PKI)

    cd /tmp/easyrsa
    easyrsa init-pki

Generate a Certificate Authority (CA) Certificate and Key

    easyrsa build-ca

Building the certificate authority (CA) requires typing a pass phrase. This pass phrase is required later.

After the pass phrase the script requests a Distinguished Name (DN). I left the field blank.

This created the CA certificate and key.

    /tmp/easyrsa/pki/ca.crt
    /tmp/easyrsa/pki/private/ca.key

Generate the Server Certificate and Key

Next is to create a public-private key pair for the VPN server. The script again asks for a pass phrase. I do not know whether the pass phrase is supposed to be different. I typed the same pass phrase. (Note that a pass phrase on the server key has to be supplied every time OpenVPN starts, which an unattended router cannot do; easyrsa accepts a nopass argument, as in easyrsa gen-req server nopass, to create an unencrypted key instead.)

Because I was creating the key pair for the VPN server, I used the simple name "server". I have no idea what other names are sane or reasonable.

    easyrsa gen-req server

This created two files:

    /tmp/easyrsa/pki/reqs/server.req
    /tmp/easyrsa/pki/private/server.key

Sign the Server Certificate with the CA Certificate

Next is to create and sign the certificate for the VPN server.

    easyrsa sign-req server server

This created the following file:

    /tmp/easyrsa/pki/issued/server.crt

Two additional files are needed as part of the authentication glue. One contains Diffie-Hellman parameters and the other is a pre-shared TLS authentication (tls-auth) key, which lets the server drop packets from anyone who does not hold the key before the TLS handshake even starts.

    openssl dhparam -out dh2048.pem 2048

    /usr/sbin/openvpn --genkey --secret tls-auth.key

Creating the Diffie-Hellman file takes a long time, and the output warns as much. My dual-core system with 8 GB of RAM needed about 9 minutes.

This created two files:

    /tmp/easyrsa/dh2048.pem
    /tmp/easyrsa/tls-auth.key

Generate the Client Certificate and Key

Next is creating the client certificate and key pair.

    easyrsa gen-req client1

This created two files:

    /tmp/easyrsa/pki/reqs/client1.req
    /tmp/easyrsa/pki/private/client1.key

Sign the Client Certificate with the CA Certificate

Next is to create and sign the certificate for the VPN client.

    easyrsa sign-req client client1

This created the following file:

    /tmp/easyrsa/pki/issued/client1.crt

To preserve the files I copied them to the /home/public/easyrsa directory on my server. On my laptop I copied the client certificate, the client key and the CA certificate to the /etc/pki directory. The CA private key (ca.key) has no business anywhere but the signing machine: whoever holds it can issue certificates the VPN server will trust, so keep it readable only by its owner.

Configure DD-WRT

Using a text editor I copied the contents of the files into the corresponding fields of the router's web interface:

    Services
    VPN
    OpenVPN Server/Daemon
      OpenVPN: Enable
      Start Type: WAN Up
      Config as: Server 
      CA Cert: /tmp/easyrsa/pki/ca.crt
      Public Server Cert: /tmp/easyrsa/pki/issued/server.crt
      Private Server Key: /tmp/easyrsa/pki/private/server.key
      DH PEM: /tmp/easyrsa/dh2048.pem
      TLS Auth Key: /tmp/easyrsa/tls-auth.key
    Apply Settings
    Save
    

Using the daemon option requires creating the configuration options by hand. Configuring the VPN as a server rather than as a daemon is supposed to trigger the firmware to create the configuration options automatically. This did not happen on my router.

I added the following snippet to the router configuration:

    Services
    VPN
    Additional Config
      push "route 192.168.1.0 255.255.255.0"
      server 10.8.0.0 255.255.255.0
      dev tun0
      proto udp
      keepalive 10 120
      dh /tmp/openvpn/dh.pem
      ca /tmp/openvpn/ca.crt
      cert /tmp/openvpn/cert.pem
      key /tmp/openvpn/key.pem
      # Only use crl-verify if you are using the revoke list - otherwise leave it commented out
      # crl-verify /tmp/openvpn/ca.crl
      # management parameter allows DD-WRT OpenVPN Status web page to access the server management port
      # port must be 5001 for scripts embedded in firmware to work
      management localhost 16
    Apply Settings
    Save
    

I added the following firewall rules:

    Services
    VPN
    # OpenVPN Support.
    iptables -I INPUT 1 -p tcp --dport 1194 -j ACCEPT
    iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT
    iptables -I FORWARD 1 --source 192.168.1.0/24 -j ACCEPT
    iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
    iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
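As an added check, written for this page and not part of the original post or of DD-WRT, the Python below cross-checks an Additional Config snippet against the firewall rules above: it confirms that an INPUT rule accepts the configured proto and port, that the management interface is loopback-only, that the tls-auth.key generated earlier is actually referenced, and that the VPN subnet does not overlap the pushed LAN route. It assumes the Additional Config snippet is the whole server configuration, which is what the post reports when automatic generation did not happen.

```python
import ipaddress
import re

# Constructed copies of the page's config and firewall snippets, trimmed to what the check reads.
SERVER_CONF = """\
push "route 192.168.1.0 255.255.255.0"
server 10.8.0.0 255.255.255.0
proto udp
dh /tmp/openvpn/dh.pem
management localhost 16
"""
FIREWALL = """\
iptables -I INPUT 1 -p tcp --dport 1194 -j ACCEPT
iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
"""

def parse_conf(text):
    """Map each directive to its argument list; 'push' collects every pushed option."""
    conf = {"push": []}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        name, *args = line.split()
        if name == "push":
            conf["push"].append(" ".join(args).strip('"'))
        else:
            conf[name] = args
    return conf

def check_config(conf_text, fw_text):
    """Cross-check a server config against iptables rules; return a list of findings."""
    conf, findings = parse_conf(conf_text), []
    proto = conf.get("proto", ["udp"])[0]
    port = conf.get("port", ["1194"])[0]   # OpenVPN listens on 1194 unless told otherwise
    accept = re.compile(r"INPUT.*-p %s .*--dport %s\b.*-j ACCEPT" % (proto, port))
    if not any(accept.search(rule) for rule in fw_text.splitlines()):
        findings.append("no INPUT rule accepts %s/%s" % (proto, port))
    mgmt = conf.get("management")
    if mgmt and mgmt[0] not in ("localhost", "127.0.0.1"):
        findings.append("management interface on %s is not loopback-only" % mgmt[0])
    if "tls-auth" not in conf and "tls-crypt" not in conf:
        findings.append("no tls-auth/tls-crypt directive, so the generated tls-auth.key is unused")
    vpn = ipaddress.ip_network("%s/%s" % tuple(conf["server"]))
    for opt in conf["push"]:
        m = re.match(r"route (\S+) (\S+)", opt)
        if m and vpn.overlaps(ipaddress.ip_network("%s/%s" % m.groups())):
            findings.append("VPN subnet %s overlaps pushed route %s" % (vpn, m.group(1)))
    return findings
```

Separately, an nmap UDP scan can only mark a port open when the service answers its probe, and an OpenVPN server does not answer arbitrary datagrams, so 1194 not showing as open is not by itself proof that the firewall dropped it.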

Configure NetworkManager

Next was to create a NetworkManager configuration. This is basically typing the public IP address and pointing to the certificate and keys.

This is as far as I got. After a few days of tinkering I did not have an OpenVPN connection. An nmap scan of the router did not show port 1194 open.

Until I succeed I decided on another approach: port forwarding with SSH.

Posted: Category: Tutorial, Usability Tagged: DD-WRT