Configuring an OpenVPN Server in DD-WRT — 2

I returned to configuring an OpenVPN server in DD-WRT. My previous attempt had failed.

I ended my previous effort after noticing that port 1194 was not open and that no OpenVPN process was running in DD-WRT.

I looked at the Additional Config options. Browsing the web finds many tutorials in which most of these options are similar or the same. Knowing little about OpenVPN, I did the usual copypasta and tried to adjust the options to my LAN. This approach failed.

I noticed that many of these tutorials include additional options that are no longer necessary with the current DD-WRT interface. I reduced the additional options to a single push command for the router's LAN subnet.

I configured the DD-WRT system log for High verbosity and rebooted the router.

The logs this time were informative and contained a helpful message:

    neither stdin nor stderr are a tty device and you have neither a controlling tty nor systemd - can't ask for 'Enter Private Key Password:'

Searching the web revealed that I needed to regenerate my certificates without a passphrase on the private keys: OpenVPN on the router starts as a daemon with no terminal, so it has no way to prompt for one. Here are the steps I used, modified from my previous attempt.

Create a Public Key Infrastructure (PKI)

    cd /tmp/easyrsa
    easyrsa init-pki

Generate a Certificate Authority (CA) Certificate and Key

    easyrsa build-ca nopass

Notice the nopass parameter.

I left all fields blank.

This creates the CA certificate and key.

    /tmp/easyrsa/pki/ca.crt
    /tmp/easyrsa/pki/private/ca.key

Generate the Server Certificate and Key

Because I was creating the key pair for the VPN server, I used the simple name server. I have no idea what other names are sane or reasonable; easyrsa uses the name both as the file name and as the certificate's Common Name, so anything unique within the PKI works.

    easyrsa gen-req server nopass

Again notice the nopass parameter.

This creates two files:

    /tmp/easyrsa/pki/reqs/server.req
    /tmp/easyrsa/pki/private/server.key

Sign the Server Certificate with the CA Certificate

Next is to create and sign the certificate for the VPN server.

    easyrsa sign-req server server

This creates the following file:

    /tmp/easyrsa/pki/issued/server.crt

Two additional files are needed as part of the authentication glue. One contains Diffie-Hellman parameters for the key exchange. The other is a pre-shared key that tls-auth uses to add an HMAC to every control-channel packet, so the server can discard packets from anyone who does not hold the key before doing any TLS work.

    openssl dhparam -out dh2048.pem 2048

    /usr/sbin/openvpn --genkey --secret tls-auth.key

Creating the Diffie-Hellman file takes a long time and the output warns as much.

The two commands create two files:

    /tmp/easyrsa/dh2048.pem
    /tmp/easyrsa/tls-auth.key

Generate the Client Certificate and Key

Next is creating the client certificate and key pair.

    easyrsa gen-req client1 nopass

Again notice the nopass parameter.

This creates two files:

    /tmp/easyrsa/pki/reqs/client1.req
    /tmp/easyrsa/pki/private/client1.key

Sign the Client Certificate with the CA Certificate

Next is to create and sign the certificate for the VPN client.

    easyrsa sign-req client client1

This creates the following file:

    /tmp/easyrsa/pki/issued/client1.crt

I copied the generated /tmp files to my server in the /home/public/easyrsa directory. On my laptop I copied the client certificate and key and the CA certificate to the /etc/pki directory. The client needs only those three files; ca.key signs every future certificate and, together with server.key, should not be stored anywhere shared or world-readable.

Configure DD-WRT

Using a text editor I copied the contents of each file and pasted them into the corresponding field on the router.

    Services
    VPN
    OpenVPN Server/Daemon
      OpenVPN: Enable
      Start Type: WAN Up
      Config as: Server 
      CA Cert: /tmp/easyrsa/pki/ca.crt
      Public Server Cert: /tmp/easyrsa/pki/issued/server.crt
      Private Server Key: /tmp/easyrsa/pki/private/server.key
      DH PEM: /tmp/easyrsa/dh2048.pem
      TLS Auth Key: /tmp/easyrsa/tls-auth.key
    Apply Settings
    Save
    

I added only one additional configuration option.

    Services
    VPN
    Additional Config
      push "route 192.168.1.0 255.255.255.0"
    Apply Settings
    Save
    

I verified my previous firewall rules were intact.

    Services
    VPN
    # OpenVPN Support.
    iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT
    iptables -I FORWARD 1 --source 192.168.1.0/24 -j ACCEPT
    iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
    iptables -I FORWARD -i tun0 -o br0 -j ACCEPT

These rules open udp/1194 on the router and allow forwarding between the tunnel interface and the LAN bridge in both directions. Nothing here forwards or masquerades tunnel traffic toward the WAN, so unless DD-WRT adds such rules itself, a client that routes all of its traffic through the VPN will reach the LAN but not the Internet through the router. The INPUT rule also matches only UDP and has to change if the server is switched to TCP.

For the first time I finally saw an openvpnserver process in the ps process list.

An nmap scan showed port 1194 as filtered. While that seemed better than closed, I was uncertain about the result. A little web surfing revealed that this is normal for UDP: a UDP service that does not answer a probe is indistinguishable from a filtered port, and with tls-auth enabled OpenVPN silently drops any packet that lacks a valid HMAC, so it never answers a scanner. A more direct check is on the router itself, where netstat -uln should show a socket bound to port 1194. I changed the DD-WRT configuration to TCP and the port then showed open.

At this point I hoped OpenVPN was configured correctly. I did not know whether the firewall rules were correct.

Configure NetworkManager

Next was to configure NetworkManager.

To simulate connecting to the VPN from a public access point I used one of my router VLAN ports. This assigned the laptop an IP address outside the LAN subnet and provided isolation from the LAN subnet.

I monitored the logs at both ends and adjusted the NetworkManager configuration. Finally I saw a connection, after I removed the TLS Auth Key from the DD-WRT configuration. Removing the key works but gives up the HMAC check on the control channel; the usual reason a tls-auth server refuses a client is that the client was not given the same key with the opposite key direction (server 0, client 1), which NetworkManager takes on the TLS Authentication tab of the connection's Advanced settings. Yet I had no Internet connection or LAN access.

My laptop firewall was incorrect and not adjusted for the VPN connection. The clue was the “ping sendmsg: operation not permitted” message. Disabling the laptop firewall ended that specific message. Then I ran into “Destination Host Unreachable” ping errors, which indicate a routing problem.

In the NetworkManager IPv4 tab I enabled the Routes option “Use this connection only for resources on its network”. With that option the laptop keeps its default route on the local interface and sends only the pushed 192.168.1.0/24 route through the tunnel, a split tunnel. This provided me Internet access, but I was unable to connect to my LAN.

With more reading I wondered whether I would have any LAN access when using Routed Mode. Routed mode (tun) carries only IP traffic between the client and the LAN subnet; that is enough for a secure tunnel from a public access point and, with the pushed route and the tun0/br0 forwarding rules, also for reaching LAN hosts by address. Bridged mode (tap) places the client directly on the LAN segment and is only needed for protocols that depend on broadcasts. To access my LAN I nevertheless wondered whether I needed to use Bridged Mode.
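As an added example, not from the post: a shell script that assembles a single-file client profile from the easyrsa output with the client-side settings that have to agree with the DD-WRT server (the tls-auth key direction, the server certificate type check and the transport), plus a check that flags the tls-auth mismatch described above in an existing profile. The hostname, port and paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the post: build a single-file OpenVPN client profile
# from the files easyrsa produced, with the client-side settings that must agree
# with the DD-WRT server, and check an existing profile for the mismatch that
# made the post's author remove tls-auth. Hostname, port and paths are assumptions.
set -eu

# $1 = easyrsa directory, $2 = client name, $3 = server host, $4 = port, $5 = udp|tcp.
# The profile is written to stdout; inline <ca>/<cert>/<key>/<tls-auth> blocks
# keep everything in one file that NetworkManager can import.
make_client_profile() {
    dir="$1"; name="$2"; host="$3"; port="$4"; proto="$5"
    cat <<EOF
client
dev tun
proto $proto
remote $host $port
nobind
persist-key
persist-tun
# Only accept a server whose certificate carries the serverAuth EKU that
# "easyrsa sign-req server" adds; a stolen client cert cannot then pose as the server.
remote-cert-tls server
# tls-auth needs the same key on both ends with opposite directions: the server
# side uses 0 (OpenVPN's convention, followed by DD-WRT), so the client must use 1.
# A missing or equal direction makes the server drop every packet, which from the
# client looks exactly like "no connection".
key-direction 1
verb 3
<ca>
$(cat "$dir/pki/ca.crt")
</ca>
<cert>
$(cat "$dir/pki/issued/$name.crt")
</cert>
<key>
$(cat "$dir/pki/private/$name.key")
</key>
<tls-auth>
$(cat "$dir/tls-auth.key")
</tls-auth>
EOF
}

# Sanity-check a profile: returns 1, with a message per finding, for settings a
# DD-WRT server with TLS Auth enabled would reject or that weaken the client.
check_client_profile() {
    f="$1"; rc=0
    if grep -q '^<tls-auth>' "$f" || grep -q '^tls-auth ' "$f"; then
        grep -q '^key-direction 1$' "$f" || grep -q '^tls-auth .* 1$' "$f" \
            || { echo "$f: tls-auth present but key direction is not 1" >&2; rc=1; }
    else
        echo "$f: no tls-auth; the server's TLS Auth Key field must be empty too" >&2; rc=1
    fi
    grep -q '^remote-cert-tls server$' "$f" \
        || { echo "$f: missing remote-cert-tls server" >&2; rc=1; }
    return $rc
}

# Usage: sh client-profile.sh /tmp/easyrsa client1 vpn.example.org 1194 udp > client1.ovpn
if [ $# -eq 5 ]; then
    make_client_profile "$1" "$2" "$3" "$4" "$5"
fi
```

NetworkManager can import the generated file with `nmcli connection import type openvpn file client1.ovpn`, which fills in the certificate, key, tls-auth and key-direction fields that otherwise have to be set by hand in the connection editor. The route to 192.168.1.0/24 is not in the profile because the server pushes it.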

Once again, this is as far as I got. I again halted the project.

Posted: Category: Tutorial, Usability Tagged: DD-WRT
