Configuring an OpenVPN Server in DD-WRT — 3
I was contacted about my previous attempts to configure OpenVPN in DD-WRT. I never completed the project. The contact person offered a possible solution and asked me to test.
This person was using DD-WRT version v3.0-r31899 std (04/24/17) on a Linksys WRT-1900ACS. I was using v3.0-r30826 std (11/01/16) on an Asus RT-AC66U.
I had already tried updating the firmware version with frustrating results.
After restoring my router to version r30826, I again confronted OpenVPN. My first attempts were unsuccessful, but the logs showed I likely was not configuring the firewall rules correctly. I noticed the device being used was tun2 rather than the usually presumed tun0. I do not know why my configuration is different, but I adjusted the offered firewall rules accordingly.
Finally, at long last, I connected using OpenVPN.
There was a security caveat with my original steps. The login is not password protected. This is important to me should I lose my laptop or should the laptop be compromised. I needed to add a password and ensure NetworkManager did not store the password. By default NetworkManager is designed to store passwords, a horrible security flaw.
Much thanks to A.S. who contacted me and offered help.
Here are my final steps to configure OpenVPN on my router.
Create a Public Key Infrastructure (PKI)
cd /tmp/easyrsa
easyrsa init-pki
Generate a Certificate Authority (CA) Certificate and Key
easyrsa build-ca nopass
Notice the nopass parameter. I left all fields blank.
This creates the CA certificate and key:
/tmp/easyrsa/pki/ca.crt
/tmp/easyrsa/pki/private/ca.key
Generate the Server Certificate and Key
Because I was creating the key for the VPN server, I used the simple name server. I have no idea what other names are sane or reasonable.
easyrsa gen-req server nopass
Again notice the nopass parameter.
This creates two files:
/tmp/easyrsa/pki/reqs/server.req
/tmp/easyrsa/pki/private/server.key
Sign the Server Certificate with the CA Certificate
Next is to create and sign the certificate for the VPN server.
easyrsa sign-req server server
This creates the following file:
/tmp/easyrsa/pki/issued/server.crt
Two additional files are needed as part of the authentication glue. One file contains Diffie-Hellman parameters and the other file is a TLS key.
openssl dhparam -out dh2048.pem 2048
/usr/sbin/openvpn --genkey --secret tls-auth.key
Creating the Diffie-Hellman file takes a long time, and the output warns as much.
The two commands create two files:
/tmp/easyrsa/dh2048.pem
/tmp/easyrsa/tls-auth.key
Generate the Client Certificate and Key
Next is creating the client certificate and key.
easyrsa gen-req client1
Notice I did not use the nopass parameter. When prompted I provided a pass phrase.
This creates two files:
/tmp/easyrsa/pki/reqs/client1.req
/tmp/easyrsa/pki/private/client1.key
Sign the Client Certificate with the CA Certificate
Next is to create and sign the client certificate.
easyrsa sign-req client client1
This creates the following file:
/tmp/easyrsa/pki/issued/client1.crt
For long-term storage I copied the generated /tmp files to my office desktop/server. On my laptop I copied the client certificate and key and CA certificate to the /etc/pki directory.
Configure DD-WRT
Using a text editor I copied and pasted the generated files to the router.
Services->VPN->OpenVPN Server/Daemon
OpenVPN: Enable
Start Type: WAN Up
Config as: Server
Server mode: Router (TUN)
Network: 192.168.2.0
Netmask: 255.255.255.0
Port: 1194
Tunnel Protocol: UDP
Encryption Cypher: AES-256 CBC
Hash Algorithm: SHA1
Advanced Options: Disable
Public Server Cert: copy/paste /tmp/easyrsa/pki/issued/server.crt
CA Cert: copy/paste /tmp/easyrsa/pki/ca.crt
Private Server Key: copy/paste /tmp/easyrsa/pki/private/server.key
DH PEM: copy/paste /tmp/easyrsa/dh2048.pem
Additional Config:
push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS 192.168.1.1"
keepalive 10 120
Apply Settings
Save
Not fully intuitive, the Network IP address is a subnet and not an explicit IP address. The OpenVPN network subnet (192.168.2.0) must be different from the LAN subnet (192.168.1.0). The push route command gives VPN clients a route to the LAN subnet. As my LAN has its own DNS service, I wanted to ensure OpenVPN clients were using that, hence the dhcp-option command.
Perhaps I missed the memo somewhere, but the DD-WRT configuration does not automatically create the necessary firewall rules. To me this is just plain odd.
I SSHed into the router to discover the tun device being used. Using ifconfig I saw that tun2 matched the IP subnet I assigned (192.168.2.0). The ifconfig command showed tun2 using 192.168.2.1. This is one spot that tripped my previous effort because I presumed tun0.
With that information I added iptables firewall rules:
Administration->Commands
# OpenVPN Support.
iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT
iptables -I FORWARD 1 --source 192.168.2.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -j MASQUERADE
iptables -I INPUT -i tun2 -j ACCEPT
iptables -I FORWARD -i tun2 -j ACCEPT
iptables -I OUTPUT -o tun2 -j ACCEPT
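As an added example (not part of the original post), here is a small shell script that finds the tun device carrying the VPN subnet from ifconfig output, rather than assuming tun0, and emits the rules above with that device name filled in. The ifconfig text in the script is constructed; on the router you would pipe the real ifconfig output in.

```shell
#!/bin/sh
# Added example, not from the original post. Discover which tun device holds
# the OpenVPN subnet and generate the firewall rules for it. Nothing here runs
# iptables; the output is meant to be reviewed and pasted into
# Administration->Commands. Constructed busybox-style ifconfig output:
SAMPLE_IFCONFIG='br0       Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
tun2      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:192.168.2.1  P-t-P:192.168.2.1  Mask:255.255.255.0'

find_tun_for_subnet() {
  # $1 = dotted prefix of the VPN subnet, e.g. "192.168.2." (the trailing dot
  # keeps 192.168.2. from also matching 192.168.20.x). Reads ifconfig on stdin.
  awk -v pfx="$1" '
    /^[A-Za-z0-9]/ { iface = $1; sub(/:$/, "", iface); next }  # header line: "tun2  Link encap:" or "tun2: flags="
    $1 == "inet" {                                            # busybox "inet addr:IP" or net-tools "inet IP"
      ip = $2; sub(/^addr:/, "", ip)
      if (iface ~ /^tun/ && index(ip, pfx) == 1) { print iface; exit }
    }'
}

gen_openvpn_rules() {
  # $1 = tun device found above, $2 = VPN subnet in CIDR (default is the one
  # used in the post). Prints the same six rules as the post with $1 substituted.
  dev="$1"
  net="${2:-192.168.2.0/24}"
  cat <<EOF
iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT
iptables -I FORWARD 1 --source $net -j ACCEPT
iptables -t nat -A POSTROUTING -s $net -j MASQUERADE
iptables -I INPUT -i $dev -j ACCEPT
iptables -I FORWARD -i $dev -j ACCEPT
iptables -I OUTPUT -o $dev -j ACCEPT
EOF
}

# Usage with the constructed sample; on the router: ifconfig | find_tun_for_subnet 192.168.2.
dev=$(printf '%s\n' "$SAMPLE_IFCONFIG" | find_tun_for_subnet 192.168.2.)
[ -n "$dev" ] && gen_openvpn_rules "$dev"
```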
Using SSH I verified an openvpnserver process in the ps process list. Another place to check is Status->OpenVPN, which includes related log spew.
I verified port 1194 was open. This is nominally confusing because by default nmap does not check UDP. Checking port 1194 requires the -sU option and looks like this:
nmap -sU -p 1194 ${router_name_or_ip_address}
Configure NetworkManager
Next was to configure NetworkManager.
In the VPN tab I pointed the configuration to the local files:
User certificate: /etc/pki/client1.crt
CA certificate: /etc/pki/ca.crt
Private key: /etc/pki/client1.key
In VPN->Advanced->Security:
Cipher: AES-256-CBC
HMAC Authentication: SHA1
Because there is no GUI control for it, I manually edited the NetworkManager connection file so the pass phrase is not stored:
[vpn]
cert-pass-flags=2
I restarted NetworkManager.
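As an added check (example code, not from the original post), this small script reads a NetworkManager keyfile and confirms that cert-pass-flags is 2 inside the [vpn] section, which means the pass phrase is asked for every time rather than stored. The keyfile contents below are constructed; live files are under /etc/NetworkManager/system-connections/.

```shell
#!/bin/sh
# Added example, not from the original post. Verify that a NetworkManager
# keyfile will not store the client certificate pass phrase. The flag only
# matters in the [vpn] section, so a section-aware scan is needed rather than
# a plain grep. Constructed sample keyfile (the [vpn-secrets] entry is a decoy
# added to show that other sections are ignored):
SAMPLE_NM_KEYFILE='[connection]
id=home-vpn
type=vpn

[vpn]
service-type=org.freedesktop.NetworkManager.openvpn
ca=/etc/pki/ca.crt
cert=/etc/pki/client1.crt
key=/etc/pki/client1.key
cert-pass-flags=2

[vpn-secrets]
cert-pass-flags=0

[ipv4]
method=auto'

nm_vpn_cert_pass_flags() {
  # Reads a keyfile on stdin and prints the cert-pass-flags value from [vpn].
  # Prints nothing if the key is absent from that section.
  awk '
    /^\[/ { sect = $0; next }
    sect == "[vpn]" && /^cert-pass-flags=/ { sub(/^cert-pass-flags=/, ""); print; exit }
  '
}

nm_cert_password_not_saved() {
  # Exit 0 only when the flag is 2 (NetworkManager "not saved": ask each time).
  [ "$(nm_vpn_cert_pass_flags)" = "2" ]
}

# Usage with the constructed sample; for a real connection:
#   nm_cert_password_not_saved < /etc/NetworkManager/system-connections/NAME
if printf '%s\n' "$SAMPLE_NM_KEYFILE" | nm_cert_password_not_saved; then
  echo "ok: certificate pass phrase is not stored"
else
  echo "warning: certificate pass phrase may be stored by NetworkManager"
fi
```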
At work I tested the configuration. I successfully connected to my home network.