Configuring an OpenVPN Server in DD-WRT — 3
I was contacted about my previous attempts to configure OpenVPN in DD-WRT. I never completed the project. The contact person offered a possible solution and asked me to test.
This person was using DD-WRT version v3.0-r31899 std (04/24/17) on a Linksys WRT-1900ACS. I was using v3.0-r30826 std (11/01/16) on an Asus RT-AC66U.
I had already tried updating the firmware version with frustrating results.
After restoring my router to version r30826, I again confronted OpenVPN. My first attempts were unsuccessful but the logs showed I likely was not configuring the firewall rules correctly. I noticed the device being used was tun2 rather that the usually presumed tun0. I do not know why my configuration is different, but I adjusted the offered firewall rules accordingly.
Finally, at long last, I connected using OpenVPN.
There was a security caveat with my original steps. The login is not password protected. This is important to me should I lose my laptop or the laptop is compromised. I needed to add a password and ensure NetworkManager did not store the password. By default NetworkManager is designed to store passwords, a horrible security flaw.
Much thanks to A.S. who contacted me and offered help.
Here are my final steps to configure OpenVPN on my router.
Create a Public Key Infrastructure (PKI)
cd /tmp/easyrsa
easyrsa init-pki
Generate a Certificate Authority (CA) Certificate and Key
easyrsa build-ca nopass
Notice the nopass parameter.
I left all fields blank.
This creates the CA certificate and key.
/tmp/easyrsa/pki/ca.crt
/tmp/easyrsa/pki/private/ca.key
Generate the Server Certificate and Key
Because I was creating the key for the VPN server, I used the simple name server. I have no idea what other names are sane or reasonable.
easyrsa gen-req server nopass
Again notice the nopass parameter.
This creates two files:
/tmp/easyrsa/pki/reqs/server.req
/tmp/easyrsa/pki/private/server.key
Sign the Server Certificate with the CA Certificate
Next is to create and sign the certificate for the VPN server.
easyrsa sign-req server server
This creates the following file:
/tmp/easyrsa/pki/issued/server.crt
Two additional files are needed as part of the authentication glue. One file contains Diffie-Hellman parameters and the other file is a TLS key.
openssl dhparam -out dh2048.pem 2048
/usr/sbin/openvpn --genkey --secret tls-auth.key
Creating the Diffie-Hellman file takes a long and the output warns as much.
The two commands create two files:
/tmp/easyrsa/dh2048.pem
/tmp/easyrsa/tls-auth.key
Generate the Client Certificate and Key
Next is creating the client certificate and key.
easyrsa gen-req client1
Notice I did not use the nopass parameter. When prompted I provided a pass phrase.
This creates two files:
/tmp/easyrsa/pki/reqs/client1.req
/tmp/easyrsa/pki/private/client1.key
Sign the Client Certificate with the CA Certificate
Next is to create and sign the client certificate.
easyrsa sign-req client client1
This creates the following file:
/tmp/easyrsa/pki/issued/client1.crt
For long-term storage I copied the generated /tmp files to my office desktop/server. On my laptop I copied the client certificate and key and CA certificate to the /etc/pki directory.
Configure DD-WRT
Using a text editor I copied and pasted the generated files to the router.
Services
VPN
OpenVPN Server/Daemon
OpenVPN: Enable
Start Type: WAN Up
Config as: Server
Server mode: Router (TUN)
Network: 192.168.2.0
Netmask: 255.255.255.0
Port: 1194
Tunnel Protocol: UDP
Encryption Cypher: AES-256 CBC
Hash Algorithm: SHA1
Advanced Options: Disable
Public Server Cert: copy/paste /tmp/easyrsa/pki/issued/server.crt
CA Cert: copy/paste /tmp/easyrsa/pki/ca.crt
Private Server Key: copy/paste /tmp/easyrsa/pki/private/server.key
DH PEM: /copy/paste tmp/easyrsa/dh2048.pem
Additional Config
push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS 192.168.1.1"
keepalive 10 120
Apply Settings
Save
Not fully intuitive, the Network IP address is a subnet and not an explicit IP address. The OpenVPN network subnet (192.168.2.0) must be different from the LAN subnet (192.168.1.0). The push command routes the VPN subnet to the LAN subnet. As my LAN has its own DNS service, I wanted to ensure OpenVPN was using that with the dhcp-option command.
Perhaps I missed the memo somewhere, but the DD-WRT configuration does not automatically create the necessary firewall rules. To me this is just plain odd.
I SSHed into the router to discover the tun device being used. Using ifconfig I saw that tun2 matched the IP subnet I assigned (192.168.2.0). The ifconfig command showed tun2 using 192.168.2.1. This is one spot that tripped my previous effort because I presumed tun0.
With that information I added iptables firewall rules:
Administration
Commands
# OpenVPN Support.
iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT
iptables -I FORWARD 1 --source 192.168.2.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -j MASQUERADE
iptables -I INPUT -i tun2 -j ACCEPT
iptables -I FORWARD -i tun2 -j ACCEPT
iptables -I OUTPUT -o tun2 -j ACCEPT
Using SSH I verified an openvpnserver process in the ps process list. Another place to check is Status->OpenVPN, which includes related log spew.
I verified port 1194 was open. This is nominally confusing because by default nmap does not check UDP. Checking port 1194 requires the -sU option and looks like this:
nmap -sU -p 1194 ${router_name_or_ip_address}
Configure NetworkManager
Next was to configure NetworkManager.
In the VPN tab I pointed the configuration to the local files:
User certification: /etc/pki/client1.crt
CA certificate: /etc/pki/ca.crt
Private key: /etc/pki/client1.key
In VPN->Advanced->Security:
Cipher: AES-256-CBC
HMAC Authentication: SHA1
Because there is no GUI control, I manually edited the NetworkManager configuration file not to store passwords:
[vpn]
cert-pass-flags=2
I restarted NetworkManager.
At work I tested the configuration. I successfully connected to my home network.
Posted: Category: Tutorial, Usability Tagged: DD-WRT
Next: Odd Fonts in Ubuntu 16.04.3 32-bit
Previous: A Strange VirtualBox Quirk