As of DD-WRT v.24 SP1, it is now possible to set up DD-WRT as an OpenVPN server, which is a pretty good thing, because I needed to set up one of these beasts!
I used Windows as a client, but also to generate the various configuration, certificate and key files.
Initial setup
First, install OpenVPN for Windows. At the time of writing, it is available under the name 'OpenVPN Community Software Windows Client Download'. The installer is called openvpn-2.1.4-install.exe.
Open up a Command Prompt and cd to C:\Program Files\OpenVPN\easy-rsa. Run the following batch file to copy configuration files into place (this will overwrite any pre-existing vars.bat and openssl.cnf files):
init-config
Now edit the vars file (called vars.bat on Windows) and set the KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, and KEY_EMAIL parameters. Don't leave any of these parameters blank. For example:
set KEY_COUNTRY=FR
set KEY_PROVINCE=LO
set KEY_CITY=Nancy
set KEY_ORG=MasterJul.net
set KEY_EMAIL=example@masterjul.net
Save the file and return to the Command Prompt. All of the following build actions produce files that are placed in the "keys" directory under C:\Program Files\OpenVPN\easy-rsa\.
In the CMD Prompt, type:
vars
clean-all
build-ca
Note that in the above sequence, most queried parameters were defaulted to the values set in the vars or vars.bat files. The only parameter which must be explicitly entered is the Common Name. For example:
OpenVPN-MJ.net
Next, we will generate a certificate and private key for the server. Type:
build-key-server server
As in the previous step, most parameters can be defaulted. When the Common Name is queried, enter "server". Two other queries require positive responses, "Sign the certificate? [y/n]" and "1 out of 1 certificate requests certified, commit? [y/n]".
We need two more files to secure the communications between server and clients. The first is the Diffie-Hellman parameter file:
build-dh
Last but not least, the TLS authentication key:
openvpn --genkey --secret ta.key
The server part is now done. The files a server needs to run are ca.crt, server.crt, server.key, dh1024.pem and ta.key.
The most important file is ca.key. The server does not need it to run, but it is required to sign client certificates. As such it must be kept in a secure place, and it should never be copied to the router or to a client.
You can now configure the DD-WRT box, but you can also create some client certificates now.
Generate certificate and key for a client
It is quite easy:
build-key "clientName"
Type the appropriate Common Name when prompted, i.e. the same "clientName" you passed to build-key. Always use a unique common name for each client, and make sure it is meaningful.
The files required by a client are ca.crt, "clientName".crt, "clientName".key and ta.key.
Setup a client
Since we're on the client machine, we will set it up before the server. Create a file named client.ovpn and fill it with:
client
dev tap
proto udp
remote XXXXserver.dyndns.org 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert "clientName".crt
key "clientName".key
ns-cert-type server
tls-auth ta.key 1
comp-lzo
verb 4
I had a lot of clients to set up, so I wrote an extra script, copy-key.bat, which must be run after build-key.bat. It expects a template client.ovpn in the keys directory in which the client name is written as ~KEYNAME~, and it uses the fart (Find And Replace Text) command-line tool to substitute the real name:
@echo off
rem copy-key.bat: gather the files one client needs into a folder named after that client.
rem %HOME% and %KEY_DIR% are set by vars.bat, so run vars first.
if "%1" == "" goto error
cd %HOME%
cd %KEY_DIR%
if not exist %1 goto :process
rem A folder for this client already exists: empty it without prompting (/Q) and recreate it.
del /S /Q %1
rmdir %1
:process
mkdir %1
copy ca.crt %1\
copy ta.key %1\
copy %1.crt %1\
copy %1.key %1\
copy client.ovpn %1\
rem Replace the ~KEYNAME~ placeholder in the copied template with the client name.
fart %1\client.ovpn ~KEYNAME~ %1
cd %HOME%
goto eof
:error
echo Usage: copy-key keyname (for example copy-key j-smith)
:eof
Setup the DD-WRT box
First, is there enough NVRAM storage space? All the data from the web-GUI is permanently stored in the NVRAM area. Overfilling the NVRAM area is likely to brick your router!
Using a KEY_SIZE of 1024 you need about 5200 bytes available in NVRAM on the server-side before you push SAVE in the web-GUI, or you might brick your router. Using a KEY_SIZE of 2048 you need about 6000 bytes available in NVRAM on the server-side. To test how much NVRAM space is left (and used) telnet or ssh into your router and type:
nvram show | grep size
If you do not have enough NVRAM space available, you cannot use the web-GUI method outlined below. Check the web for another method!
If there is enough NVRAM left, go to Services > OpenVPN Daemon in the web interface of your DD-WRT router.
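Before deciding whether the web-GUI method is usable, it helps to know how many bytes the five files will actually occupy. The Python script below is an added example and is not part of the original post: it keeps only the -----BEGIN ...----- to -----END ...----- section of each file (exactly what the paste instructions further down require), sums their sizes, and compares the total with the "left" figure printed by nvram show | grep size. The sample file contents (fake bodies, not real keys) and the nvram output line are constructed; the "size: N bytes (M left)" format and the 512-byte headroom are assumptions, not figures from the post.

```python
import re

# One PEM section: BEGIN line, body, matching END line. The label may contain
# spaces, so it matches certificates, private keys, DH parameters and the
# OpenVPN static key (ta.key) alike.
PEM_SECTION = re.compile(
    r"-----BEGIN ([^-]+)-----\r?\n(.*?)\r?\n-----END \1-----",
    re.DOTALL,
)

# Assumed format of the line that `nvram show | grep size` prints on DD-WRT.
NVRAM_SIZE_LINE = re.compile(r"size:\s*(\d+)\s*bytes\s*\((\d+)\s*left\)")


def pem_sections(text):
    """Return (label, section_text) pairs; everything outside the markers
    (the descriptive text openssl writes above a certificate) is dropped."""
    return [(m.group(1), m.group(0)) for m in PEM_SECTION.finditer(text)]


def nvram_bytes_needed(files):
    """Bytes the pasted sections of all files will take; `files` maps a file
    name to its full text. Each section gets one terminating newline."""
    total = 0
    for name, text in files.items():
        sections = pem_sections(text)
        if not sections:
            raise ValueError(f"{name}: no BEGIN/END section found")
        for _, section in sections:
            total += len(section.encode()) + 1
    return total


def nvram_left(nvram_show_output):
    """Free NVRAM bytes reported by the router."""
    m = NVRAM_SIZE_LINE.search(nvram_show_output)
    if not m:
        raise ValueError("no 'size:' line in nvram output")
    return int(m.group(2))


def fits_in_nvram(files, nvram_show_output, margin=512):
    """(fits, needed, left): fits is True when the sections plus an assumed
    headroom of `margin` bytes for other settings still fit in free NVRAM."""
    needed = nvram_bytes_needed(files)
    left = nvram_left(nvram_show_output)
    return needed + margin <= left, needed, left


# Constructed sample files (NOT real keys): three 64-character fake body lines,
# with the kind of header text that precedes the BEGIN marker in ca.crt and ta.key.
FAKE_BODY = "\n".join(["A" * 64] * 3)
SAMPLE_FILES = {
    "ca.crt": "Certificate:\n    Data:\n        Version: 3 (0x2)\n"
              "-----BEGIN CERTIFICATE-----\n" + FAKE_BODY + "\n-----END CERTIFICATE-----\n",
    "server.crt": "-----BEGIN CERTIFICATE-----\n" + FAKE_BODY + "\n-----END CERTIFICATE-----\n",
    "server.key": "-----BEGIN PRIVATE KEY-----\n" + FAKE_BODY + "\n-----END PRIVATE KEY-----\n",
    "dh1024.pem": "-----BEGIN DH PARAMETERS-----\n" + FAKE_BODY + "\n-----END DH PARAMETERS-----\n",
    "ta.key": "#\n# 2048 bit OpenVPN static key\n#\n"
              "-----BEGIN OpenVPN Static key V1-----\n" + FAKE_BODY +
              "\n-----END OpenVPN Static key V1-----\n",
}
# Constructed output of `nvram show | grep size` (assumed format).
SAMPLE_NVRAM = "size: 24890 bytes (7878 left)\n"

if __name__ == "__main__":
    ok, needed, left = fits_in_nvram(SAMPLE_FILES, SAMPLE_NVRAM)
    print(f"need {needed} bytes, {left} bytes left -> {'OK' if ok else 'NOT enough'}")
```

Run it against your real ca.crt, server.crt, server.key, dh1024.pem and ta.key (read the files into the dictionary) and paste the live output of nvram show | grep size; real 1024-bit material lands in the region of the 5200 bytes quoted above, which the fake bodies here do not.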
- First, set "Start OpenVPN: Enable".
- Then choose either "System" or "WAN Up" as "Start Type". The first launches OpenVPN at system startup; the second (preferred) starts it whenever the WAN interface comes up.
- Next, paste the certificate files created above into the boxes of the DD-WRT web interface as follows:
Public Server Cert (CA Cert) <= ca.crt
Certificate Revoke List <= (blank)
Public Client Cert <= server.crt
Private Client Key <= server.key
DH PEM <= dh1024.pem
OpenVPN TLS Auth <= ta.key
NOTE: Only paste the section of each file that starts with (and includes) the -----BEGIN ...----- line and ends with (and includes) the -----END ...----- line, e.g. -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- for the .crt files (the key, DH and ta.key files have their own markers). Do not paste the descriptive text that precedes that section.
EDIT 140704: In more recent versions (2013 and later) the boxes have different labels:
Public Server Cert: server.crt
CA Cert: ca.crt
Private Server Key: server.key
DH PEM: dh1024.pem
TLS Auth: ta.key
Additional Config: only the push commands from the example below
- Last but not least, fill in the OpenVPN Config box with the following (the lines starting with # are comments kept here for reference; you can delete them after pasting):
mode server
proto udp
port 1194
dev tap0
server-bridge 10.22.0.1 255.255.0.0 10.22.0.50 10.22.0.100 # Gateway (VPN Server) Subnetmask Start-IP End-IP
push "dhcp-option DNS 10.22.0.1"
keepalive 10 120
daemon
verb 5
comp-lzo
client-to-client
management localhost 5001
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
tls-auth /tmp/openvpn/ta.key 0
# Only use crl-verify if you are using the revoke list - otherwise leave it commented out
# crl-verify /tmp/openvpn/ca.crl
The Start-IP and End-IP in the server-bridge statement define the IP address range from which clients get their addresses. It must not overlap with the DHCP server's address range. The push "dhcp-option DNS ..." line is optional but useful to hand clients a DNS server for internal name resolution. The management localhost line is also optional, but is useful if you want to check logs in the Status -> OpenVPN page of DD-WRT.
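Several settings have to agree between client.ovpn and the server config above (protocol and port, tap device, tls-auth key direction 0 on the server and 1 on the client, comp-lzo on both sides), and the server-bridge pool must stay clear of the DHCP range. The checker below is an added example, not code from the original post: it parses both configs and reports every inconsistency it finds. The two embedded configs are copies of the ones in this post (with j-smith as the client name), and the DHCP range is passed in as an assumed input, since the post only says the two ranges must not overlap.

```python
import ipaddress
import shlex


def parse_ovpn(text):
    """Map each option name to the list of argument lists it appears with.
    '#' starts a comment, also a trailing one as on the server-bridge line;
    ';' comment lines are skipped; shlex keeps the quoted push argument whole."""
    opts = {}
    for raw in text.splitlines():
        if raw.lstrip().startswith(";"):
            continue
        parts = shlex.split(raw, comments=True)
        if parts:
            opts.setdefault(parts[0], []).append(parts[1:])
    return opts


def first(opts, name, default=None):
    """Arguments of the first occurrence of an option, or a default."""
    return opts[name][0] if name in opts else default


def check_pair(client_text, server_text, dhcp_range):
    """Cross-check a client.ovpn against the DD-WRT server config.
    dhcp_range is the (first, last) address the router's DHCP server hands out
    (assumed input). Returns human-readable findings; empty means consistent."""
    c, s = parse_ovpn(client_text), parse_ovpn(server_text)
    findings = []

    # Transport: protocol and port must agree on both ends.
    if first(c, "proto", ["udp"])[0] != first(s, "proto", ["udp"])[0]:
        findings.append("proto differs between client and server")
    remote = first(c, "remote")
    if remote is None:
        findings.append("client config has no 'remote' line")
    else:
        host = remote[0]
        port = remote[1] if len(remote) > 1 else "1194"
        if "XXXX" in host:
            findings.append(f"remote host '{host}' still contains the XXXX placeholder")
        if port != first(s, "port", ["1194"])[0]:
            findings.append("client remote port does not match the server port")

    # Bridged setup: tap on the client, tap0 on the server (same device type).
    cdev, sdev = first(c, "dev", [""])[0], first(s, "dev", [""])[0]
    if cdev[:3] != sdev[:3]:
        findings.append(f"dev type mismatch: client '{cdev}' vs server '{sdev}'")

    # tls-auth: shared key on both sides, direction 0 on the server and 1 on the client.
    cta, sta = first(c, "tls-auth"), first(s, "tls-auth")
    if (cta is None) != (sta is None):
        findings.append("tls-auth is configured on only one side")
    elif cta is not None and not (sta[1:2] == ["0"] and cta[1:2] == ["1"]):
        findings.append("tls-auth key direction must be 0 on the server and 1 on the client")

    if ("comp-lzo" in c) != ("comp-lzo" in s):
        findings.append("comp-lzo is enabled on only one side")

    # The client must verify it is talking to a server certificate, not another client's.
    if "ns-cert-type" not in c and "remote-cert-tls" not in c:
        findings.append("client does not check the server certificate type")

    # The server-bridge pool (start/end IP) must not overlap the router's DHCP range.
    sb = first(s, "server-bridge")
    if sb is not None and len(sb) == 4:
        pool_lo, pool_hi = ipaddress.ip_address(sb[2]), ipaddress.ip_address(sb[3])
        dhcp_lo, dhcp_hi = (ipaddress.ip_address(a) for a in dhcp_range)
        if pool_lo <= dhcp_hi and dhcp_lo <= pool_hi:
            findings.append(f"VPN pool {pool_lo}-{pool_hi} overlaps DHCP range {dhcp_lo}-{dhcp_hi}")
    return findings


# Copies of the two configs from this post (constructed sample input).
SERVER_CONF = """\
mode server
proto udp
port 1194
dev tap0
server-bridge 10.22.0.1 255.255.0.0 10.22.0.50 10.22.0.100 # Gateway Subnetmask Start-IP End-IP
push "dhcp-option DNS 10.22.0.1"
keepalive 10 120
daemon
verb 5
comp-lzo
client-to-client
management localhost 5001
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
tls-auth /tmp/openvpn/ta.key 0
# crl-verify /tmp/openvpn/ca.crl
"""
CLIENT_CONF = """\
client
dev tap
proto udp
remote XXXXserver.dyndns.org 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert j-smith.crt
key j-smith.key
ns-cert-type server
tls-auth ta.key 1
comp-lzo
verb 4
"""

if __name__ == "__main__":
    for finding in check_pair(CLIENT_CONF, SERVER_CONF, ("10.22.0.101", "10.22.0.200")):
        print("!", finding)
```

With the configs exactly as given above, the only finding is the XXXX placeholder left in the remote line; replace it with your real DynDNS name and the list comes back empty. The checker also accepts remote-cert-tls server in place of ns-cert-type server, since newer OpenVPN releases have replaced the latter.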
It is not over yet. We need to set up a startup script and also open a port in the firewall.
Go to Administration > Commands, paste:
openvpn --mktun --dev tap0
brctl addif br0 tap0
ifconfig tap0 0.0.0.0 promisc up
then hit Save Startup.
Clear the box (if it doesn't automatically do so) and enter:
iptables -A INPUT -i tap0 -j ACCEPT
iptables -I INPUT -p udp --dport 1194 -j ACCEPT
Then hit Save Firewall. That should be it!