Configuring an OpenVPN Server in DD-WRT — 3

I was contacted about my previous attempts to configure OpenVPN in DD-WRT. I never completed the project. The contact person offered a possible solution and asked me to test.

This person was using DD-WRT version v3.0-r31899 std (04/24/17) on a Linksys WRT-1900ACS. I was using v3.0-r30826 std (11/01/16) on an Asus RT-AC66U.

I had already tried updating the firmware version with frustrating results.

After restoring my router to version r30826, I again confronted OpenVPN. My first attempts were unsuccessful but the logs showed I likely was not configuring the firewall rules correctly. I noticed the device being used was tun2 rather than the usually presumed tun0. I do not know why my configuration is different, but I adjusted the offered firewall rules accordingly.

Finally, at long last, I connected using OpenVPN.

There was a security caveat with my original steps. The login is not password protected. This is important to me should I lose my laptop or the laptop is compromised. I needed to add a password and ensure NetworkManager did not store the password. By default NetworkManager is designed to store passwords, a horrible security flaw.

Much thanks to A.S. who contacted me and offered help.

Here are my final steps to configure OpenVPN on my router.

Create a Public Key Infrastructure (PKI)

    cd /tmp/easyrsa
    easyrsa init-pki

Generate a Certificate Authority (CA) Certificate and Key

    easyrsa build-ca nopass

Notice the nopass parameter.

I left all fields blank.

This creates the CA certificate and key.

    /tmp/easyrsa/pki/ca.crt
    /tmp/easyrsa/pki/private/ca.key

Generate the Server Certificate and Key

Because I was creating the key for the VPN server, I used the simple name server. I have no idea what other names are sane or reasonable.

    easyrsa gen-req server nopass

Again notice the nopass parameter.

This creates two files:

    /tmp/easyrsa/pki/reqs/server.req
    /tmp/easyrsa/pki/private/server.key

Sign the Server Certificate with the CA Certificate

Next is to create and sign the certificate for the VPN server.

    easyrsa sign-req server server

This creates the following file:

    /tmp/easyrsa/pki/issued/server.crt

Two additional files are needed as part of the authentication glue. One file contains Diffie-Hellman parameters and the other file is a TLS key.

    openssl dhparam -out dh2048.pem 2048
    /usr/sbin/openvpn --genkey --secret tls-auth.key

Creating the Diffie-Hellman file takes a long time, and the command's output warns as much.

The two commands create two files:

    /tmp/easyrsa/dh2048.pem
    /tmp/easyrsa/tls-auth.key

Generate the Client Certificate and Key

Next is creating the client certificate and key.

    easyrsa gen-req client1

Notice I did not use the nopass parameter. When prompted I provided a pass phrase.

This creates two files:

    /tmp/easyrsa/pki/reqs/client1.req
    /tmp/easyrsa/pki/private/client1.key

Sign the Client Certificate with the CA Certificate

Next is to create and sign the client certificate.

    easyrsa sign-req client client1

This creates the following file:

    /tmp/easyrsa/pki/issued/client1.crt

For long-term storage I copied the generated /tmp files to my office desktop/server. On my laptop I copied the client certificate and key and CA certificate to the /etc/pki directory.
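An added check script (not part of the original post or of easy-rsa) for verifying the generated files before they go anywhere: each certificate must chain to ca.crt, each key must match its certificate, and the client key, unlike the server key, must be passphrase-protected, because the router cannot answer a prompt at boot. The make_sample_pki function builds a throwaway stand-in PKI with plain openssl so the checks can run offline; the function names are mine, and on the real files the call is check_pki /tmp/easyrsa/pki with the client pass phrase as the second argument.

```shell
#!/bin/sh
# Added example, not part of the original post: sanity-check the easy-rsa
# output before pasting it into DD-WRT. Verifies that each certificate
# chains to the CA, that each key belongs to its certificate, and that only
# the client key is passphrase-protected (the server key must be nopass).
# Assumes the easy-rsa directory layout from the post.

cert_signed_by_ca() {           # $1 = cert.crt  $2 = ca.crt
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

key_is_encrypted() {            # $1 = key file (PKCS#8 or traditional PEM)
    grep -q 'ENCRYPTED' "$1"
}

cert_matches_key() {            # $1 = cert  $2 = key  $3 = passphrase ("" if none)
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    k=$(openssl pkey -in "$2" -pubout -passin "pass:$3" 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Run every check against a PKI directory; returns 0 only if all pass.
check_pki() {                   # $1 = pki dir  $2 = client passphrase
    d="$1"; ok=0
    cert_signed_by_ca "$d/issued/server.crt"  "$d/ca.crt" || ok=1
    cert_signed_by_ca "$d/issued/client1.crt" "$d/ca.crt" || ok=1
    cert_matches_key "$d/issued/server.crt"  "$d/private/server.key"  ""   || ok=1
    cert_matches_key "$d/issued/client1.crt" "$d/private/client1.key" "$2" || ok=1
    key_is_encrypted "$d/private/server.key"  && ok=1   # must be nopass
    key_is_encrypted "$d/private/client1.key" || ok=1   # must be protected
    return $ok
}

# Constructed stand-in for the easy-rsa files, built with plain openssl so
# the checks can run offline (1-day validity, test use only).
make_sample_pki() {             # $1 = directory  $2 = client passphrase
    d="$1"; mkdir -p "$d/issued" "$d/private" "$d/reqs" || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=ca \
        -keyout "$d/private/ca.key" -out "$d/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj /CN=server \
        -keyout "$d/private/server.key" -out "$d/reqs/server.req" 2>/dev/null
    openssl req -newkey rsa:2048 -passout "pass:$2" -subj /CN=client1 \
        -keyout "$d/private/client1.key" -out "$d/reqs/client1.req" 2>/dev/null
    for n in server client1; do
        openssl x509 -req -days 1 -in "$d/reqs/$n.req" -CA "$d/ca.crt" \
            -CAkey "$d/private/ca.key" -CAcreateserial \
            -out "$d/issued/$n.crt" 2>/dev/null || return 1
    done
}
```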

Configure DD-WRT

Using a text editor I copied and pasted the generated files to the router.

    Services
    VPN
    OpenVPN Server/Daemon
      OpenVPN: Enable
      Start Type: WAN Up
      Config as: Server 
      Server mode: Router (TUN)
      Network: 192.168.2.0
      Netmask: 255.255.255.0
      Port: 1194
      Tunnel Protocol: UDP
      Encryption Cypher: AES-256 CBC
      Hash Algorithm: SHA1
      Advanced Options: Disable
      Public Server Cert: copy/paste /tmp/easyrsa/pki/issued/server.crt
      CA Cert: copy/paste /tmp/easyrsa/pki/ca.crt
      Private Server Key: copy/paste /tmp/easyrsa/pki/private/server.key
      DH PEM: copy/paste /tmp/easyrsa/dh2048.pem
      Additional Config
        push "route 192.168.1.0 255.255.255.0"
        push "dhcp-option DNS 192.168.1.1"
        keepalive 10 120
    Apply Settings
    Save
    

Not fully intuitive, the Network field takes a subnet and not an explicit IP address. The OpenVPN subnet (192.168.2.0) must be different from the LAN subnet (192.168.1.0). The push "route" line gives connecting clients a route to the LAN subnet through the tunnel. As my LAN has its own DNS service, I wanted to ensure OpenVPN clients used it, hence the dhcp-option line.

Perhaps I missed the memo somewhere, but the DD-WRT configuration does not automatically create the necessary firewall rules. To me this is just plain odd.

I SSHed into the router to discover the tun device being used. Using ifconfig I saw that tun2 matched the IP subnet I assigned (192.168.2.0). The ifconfig command showed tun2 using 192.168.2.1. This is one spot that tripped my previous effort because I presumed tun0.

With that information I added iptables firewall rules:

    Administration
    Commands
    # OpenVPN Support.
    iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT
    iptables -I FORWARD 1 --source 192.168.2.0/24 -j ACCEPT
    iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -j MASQUERADE
    iptables -I INPUT -i tun2 -j ACCEPT
    iptables -I FORWARD -i tun2 -j ACCEPT
    iptables -I OUTPUT -o tun2 -j ACCEPT
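As an added example (not from the original post), a small POSIX shell script that finds the tun device by matching the OpenVPN subnet in ifconfig output, instead of assuming tun0, and prints the rules above with that device filled in. The function names and the sample ifconfig text are constructed for this example; on the router the live ifconfig output would be piped in instead.

```shell
#!/bin/sh
# Added example, not from the original post: find the tun device OpenVPN
# actually created (tun2 here, not the presumed tun0) by matching the
# "Network" subnet in ifconfig output, then print the iptables rules with
# that device name filled in. Assumes busybox-style ifconfig output (DD-WRT).

VPN_SUBNET_PREFIX="192.168.2."   # first three octets of the OpenVPN Network
VPN_PORT=1194

# Constructed sample of ifconfig output: the LAN bridge plus the VPN device.
SAMPLE_IFCONFIG='br0       Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

tun2      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:192.168.2.1  P-t-P:192.168.2.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1'

# Read ifconfig text on stdin; print the tun interface whose address starts
# with the given prefix, or nothing if none matches.
find_tun_for_subnet() {
    awk -v pfx="$1" '
        /^[A-Za-z]/ { iface = $1 }        # unindented line names the interface
        /inet addr:/ {
            split($2, a, ":")             # $2 looks like addr:192.168.2.1
            if (iface ~ /^tun/ && index(a[2], pfx) == 1) { print iface; exit }
        }'
}

# Print the rules from the post with the discovered device substituted.
# Returns 1 and prints nothing if no device was found, so a missing tun
# device is noticed instead of silently producing rules for the wrong one.
vpn_firewall_rules() {
    [ -n "$1" ] || return 1
    cat <<EOF
iptables -I INPUT 1 -p udp --dport ${VPN_PORT} -j ACCEPT
iptables -I FORWARD 1 --source ${VPN_SUBNET_PREFIX}0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -s ${VPN_SUBNET_PREFIX}0/24 -j MASQUERADE
iptables -I INPUT -i $1 -j ACCEPT
iptables -I FORWARD -i $1 -j ACCEPT
iptables -I OUTPUT -o $1 -j ACCEPT
EOF
}

# On the router, feed the live output instead:  ifconfig | find_tun_for_subnet "$VPN_SUBNET_PREFIX"
tun_dev=$(printf '%s\n' "$SAMPLE_IFCONFIG" | find_tun_for_subnet "$VPN_SUBNET_PREFIX")
vpn_firewall_rules "$tun_dev"
```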

Using SSH I verified an openvpnserver process in the ps process list. Another place to check is Status->OpenVPN, which includes related log spew.

I verified port 1194 was open. This is nominally confusing because by default nmap does not check UDP. Checking port 1194 requires the -sU option and looks like this:

    nmap -sU -p 1194 ${router_name_or_ip_address}

Configure NetworkManager

Next was to configure NetworkManager.

In the VPN tab I pointed the configuration to the local files:

    User certificate: /etc/pki/client1.crt
    CA certificate: /etc/pki/ca.crt
    Private key: /etc/pki/client1.key

In VPN->Advanced->Security:

    Cipher: AES-256-CBC
    HMAC Authentication: SHA1

Because there is no GUI control, I manually edited the NetworkManager connection configuration file so that the key pass phrase is not stored (flag value 2 means "not saved": NetworkManager asks for it on every connection):

    [vpn]
    cert-pass-flags=2

I restarted NetworkManager.

At work I tested the configuration. I successfully connected to my home network.

Posted: Category: Tutorial, Usability Tagged: DD-WRT
