This is an update of the original article Setup OpenVPN Server on Linksys WRT54G with DD-WRT. Have a look there for certificate generation (the easy-rsa part).
I recently bought an Asus RT-N16 router with VPN capabilities. However, it turned out that the included VPN was not as slick as I wanted. Most builds of DD-WRT now include an OpenVPN server. To make sure that it is not vulnerable to Heartbleed, you need to avoid DD-WRT builds 19163 to 23882. With all these facts in mind, let's get started:
Flash DD-WRT on Asus RT-N16
This is (almost) straightforward except that there are some weird NVRAM limitations to overcome. To do so:
- On the initial Asus firmware, flash a DD-WRT mini edition .trx image such as dd-wrt.v24-14929_NEWD-2_K2.6_mini_RT-N16.trx
- then flash dd-wrt.v24-21530_NEWD-2_K3.x_big.bin, as it automatically expands the NVRAM to 64K (more than enough for VPN) -- maybe this step is not needed
- finally flash a Heartbleed-free build. Living on the bleeding edge with dd-wrt.v24-24461_NEWD-2_K3.x_mega_RT-N16.trx. This build embeds OpenVPN 2.3.4. NVRAM also gets expanded to a whopping 256 KB.
Initial setup
The files needed for the server to run are ca.crt, server.crt, server.key, dh1024.pem and ta.key. Have a look at the original article for certificate generation (the easy-rsa part). The most important file is ca.key. It is not needed by the server to run, but it is required to sign client certificates. As such it must be kept in a secure place.
Set up the DD-WRT box
In the Web Interface of your DD-WRT loaded router, go to Services > OpenVPN.
- First, set "Start OpenVPN: Enable".
- Then choose either "System" or "WAN Up" as "Start Type". The first choice launches OpenVPN at system startup, whereas the second runs OpenVPN whenever the WAN interface goes up. However, it seems that WAN Up doesn't work in recent builds, so let's stick with "System".
- Config as: Server
- Server mode: Bridge (TAP)
- DHCP-Proxy mode: Disable
- Pool start IP and end IP: the Start-IP and End-IP of the server-bridge statement define the IP address range from which clients get their addresses assigned. It must not overlap with the DHCP server's address range.
- Gateway: your network gateway (in general something like 10.x.x.1)
- Netmask: 255.255.255.0
- Block DHCP across the tunnel: Disable
- Port: 1194
- Tunnel Protocol: UDP
- Encryption Cipher: Blowfish CBC
- Hash Algorithm: SHA1
- Advanced Options: Disable
- Second, paste the certificate files created above into the boxes of the DD-WRT web interface as follows:
- Public Server Cert: server.crt
- CA Cert: ca.crt
- Private Server Key: server.key
- DH PEM: dh1024.pem
- TLS Auth: ta.key
- Additional Config: push "dhcp-option DNS 10.x.x.x"
NOTE: Only paste the section of each text file starting with (and including) -----BEGIN CERTIFICATE----- and ending with (and including) -----END CERTIFICATE----- (the key, DH and ta.key files have their own BEGIN/END markers). Do not paste the descriptive text above that section.
It is not over yet. We need to set up a startup script and also open a port in the firewall. (This might not be needed, but I didn't test.)
Go to Administration > Commands and paste:
iptables -A INPUT -i tap2 -j ACCEPT
iptables -I INPUT -p udp --dport 1194 -j ACCEPT
Then hit Save Firewall. That should be it!
Troubleshooting
Luckily, this DD-WRT build has a Status page for OpenVPN (Status tab > OpenVPN sub tab). I got a nasty error which prevented OpenVPN from working:
Authenticate/Decrypt packet error: packet HMAC authentication failed
I tried all kinds of hacks (changing the server's time to match the client, disabling TLS auth, playing with the config...) but it turned out that there was a "fatal warning" at the beginning of the log:
WARNING: 'auth' is used inconsistently local='auth MD5' remote='auth SHA1'
The Hash Algorithm was set to outdated MD5 on the server! Everything got fixed as soon as I switched to SHA1.
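The HMAC failure above comes from the two ends disagreeing on a setting that must match. As an added example (not code from this post or from DD-WRT), the checker below parses a server and a client config and reports such mismatches before you ever start the tunnel; the configs it ships with are constructed and mirror the settings described above, with the server still on MD5 as in the log, and it goes one step beyond the page by also flagging Blowfish CBC as a weak cipher.

```python
# Added example, not from the post or DD-WRT: flag OpenVPN 2.3 settings
# that must agree on server and client but do not.
DEFAULTS = {"proto": "udp", "cipher": "BF-CBC", "auth": "SHA1"}  # 2.3 defaults
# Constructed configs: the server side mirrors the DD-WRT settings above,
# except 'auth' is still MD5 as in the troubleshooting log.
SERVER_CFG = """\
proto udp
port 1194
dev tap2
cipher BF-CBC
auth MD5
tls-auth /tmp/openvpn/ta.key 0
"""
CLIENT_CFG = """\
client
remote vpn.example.invalid 1194   # placeholder hostname
dev tap
cipher BF-CBC
auth SHA1
tls-auth ta.key 1
"""

def parse(cfg):
    # {directive: [args]}; '#' and ';' start comments, as in OpenVPN itself.
    d = {}
    for line in cfg.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            key, *args = line.split()
            d[key] = args
    return d

def dev_type(args):  # 'tap2' and 'tap' are the same tunnel type
    return "tap" if args and args[0].startswith("tap") else "tun"

def check(server_cfg, client_cfg):
    s, c = parse(server_cfg), parse(client_cfg)
    issues = []
    for key, default in DEFAULTS.items():  # an 'auth' mismatch is the page's bug
        sv, cv = s.get(key, [default])[0], c.get(key, [default])[0]
        if sv.lower() != cv.lower():
            issues.append(f"{key} mismatch: server={sv} client={cv}")
    if dev_type(s.get("dev")) != dev_type(c.get("dev")):
        issues.append("dev mismatch: both sides must be tap, or both tun")
    if ("tls-auth" in s) != ("tls-auth" in c):
        issues.append("tls-auth configured on one side only")
    elif "tls-auth" in s and (s["tls-auth"][1:] + c["tls-auth"][1:]) not in ([], ["0", "1"]):
        issues.append("tls-auth key direction should be 0 on server, 1 on client")
    if s.get("cipher", [DEFAULTS["cipher"]])[0].upper() == "BF-CBC":
        issues.append("warning: BF-CBC has a 64-bit block (SWEET32); prefer AES-256-CBC")
    return issues
```

Running check(SERVER_CFG, CLIENT_CFG) reports the MD5/SHA1 mismatch that the log called a fatal warning, plus the cipher warning; switch the server to SHA1 and only the cipher warning remains.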