OpenVPN With WRT54GL

From DuncanWiki

This is a work in progress. I just started writing this on 22MAR11 & I've been wrestling with OpenVPN under dd-wrt since 17MAR11.


Preface

The documentation on dd-wrt.com suffers from too many chefs, which makes it a complete mess. I needed a venue to clean up what I read on there and make my results reproducible.

This page assumes you have access to a Mac OS X, Unix or GNU/Linux system and know how to use the command line well enough to run a few canned scripts from the OpenVPN folks to generate certificates. I have ZERO way to test anything on Windows systems.

This isn't for the faint of heart, but it's not really all that difficult.

I first read up on how to do this via an article on dd-wrt.com.

How I'm Using It

I LOVE my WRT54GL running Tomato and I definitely didn't want to get rid of it. My second WRT54GL running the dd-wrt VPN software is connected with a single network cable from a LAN port (not the WAN port) to another LAN port on the Tomato router.

I like this because it's sort of a drop-in VPN solution. Once I have this figured out it'll be easy to configure new WRT54GLs in a similar way, only they'd be bridges for two-way communication between networks. I'd just have them dial home, authenticate & then I can work on my mom's computer (or whatever) over a secure channel.

My Network

[internet]->-[tomato_router:1194]->-[dd-wrt_vpn:1194]->-[intranet]

Everything here is based upon my network settings. Change to suit your own.

Network : 10.0.1.0/24
Router  : 10.0.1.1
DNS     : 10.0.1.1
DHCP    : 10.0.1.1

VPN Ext : 10.0.1.2 (Internet -> VPN)
VPN Int : 10.0.1.3 (VPN -> Intranet)
VPN Net : 172.25.1.0/24 (VPN Client IPs)

DDNS  : notpip.homelinux.org (DynDNS hostname)

Hardware

Everything runs on a Linksys WRT54GL router. The price fluctuates on Amazon somewhat regularly. Cheapest I've seen it in 4 years is $40 & the most expensive is $80.

Software

I used OpenVPN with dd-wrt-vpn which is at v24-SP2 as of 20110322.

Installing dd-wrt

  • Download dd-wrt-vpn for the WRT54GL here.
    • Snag both the Mini for the Web & the VPN Generic versions.
  • Read both the precautions & flashing your router instructions and follow them.

Generating VPN PKI Files

The PKI files are used to authenticate the server to the client & the client to the server. Several files will be generated & it's extremely important to keep them in a safe place!

Download the OpenVPN software from the OpenVPN website here (this is only needed to generate the certificates).

Read the instructions from the OpenVPN website here.

CentOS & Ubuntu both have an openvpn package that contains the easy-rsa software you need.

If you need to download the easy-rsa software for Mac OS X or any other Unix system you can snag it here. Download the source tarball & you'll find the easy-rsa scripts within. They're all you really need.

Configuring VPN Server

Administration -> Commands

Firewall Commands

# The port & protocol here must match the OpenVPN config: with "proto udp" this needs -p udp, with tcp-server -p tcp
iptables -I INPUT 1 -p tcp --dport 1194 -j ACCEPT
# NAT traffic leaving the LAN bridge so VPN clients look like local hosts
iptables -t nat -I POSTROUTING -o br0 -j MASQUERADE
# Allow forwarding between the LAN bridge and the tunnel in both directions
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT

Startup Commands

There's really got to be a better way to handle this. OpenVPN doesn't always start up on boot. Kind of annoying.

oD=/tmp/openvpn
oC="openvpn --config $oD/openvpn.conf --route-up $oD/route-up.sh --down $oD/route-down.sh --daemon"
# Only start OpenVPN if no instance with this exact command line is already running
[ ! "$(ps | grep "$oC" | grep -v grep)" ] && {
  sleep 30 ; $oC
}

PKI Files

For the files generated by the easy-rsa scripts you'll only want to cut & paste the actual CERT/KEY/PARAMETERS sections, including the BEGIN & END markers. The .crt files also contain a human-readable dump of the certificate above the markers; leave that out.

For example :

-----BEGIN CERTIFICATE-----
(contents of certificate)
-----END CERTIFICATE-----
Public Server Cert (CA Cert) : contents of ca.crt
Certificate Revoke List      : (empty)
Public Client Cert           : contents of server.crt
Private Client Key           : contents of server.key
DH PEM                       : contents of dh1024.pem
OpenVPN Config               : the OpenVPN config shown in the next section
OpenVPN TLS Auth             : (empty)
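
As an added example (not part of the original page, dd-wrt or easy-rsa): a small Python script for the workstation where easy-rsa ran that pulls just the BEGIN/END blocks out of each file, normalises line endings so they paste cleanly, and checks that each GUI field gets exactly one block of the right kind and that ca.crt wasn't pasted into both certificate fields. The sample certificate text is constructed filler, and the names ca/cert/key/dh are my own shorthand for the four dd-wrt fields.

```python
import re

# One PEM block; the END label must match the BEGIN label.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n"
    r"(?P<body>(?:[A-Za-z0-9+/=]+\r?\n)+)"
    r"-----END (?P=label)-----"
)
# dd-wrt field -> PEM labels that belong there (easy-rsa 2.x writes
# "RSA PRIVATE KEY"; newer OpenSSL builds write PKCS#8 "PRIVATE KEY").
FIELD_LABELS = {
    "ca": {"CERTIFICATE"},
    "cert": {"CERTIFICATE"},
    "key": {"RSA PRIVATE KEY", "PRIVATE KEY"},
    "dh": {"DH PARAMETERS"},
}

def extract_pem(text):
    """Return [(label, block)] for each PEM block, dropping the text
    dump easy-rsa writes above the PEM in .crt files and normalising
    line endings so the block pastes cleanly into the dd-wrt GUI."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        label = m.group("label")
        body = "\n".join(m.group("body").split())
        blocks.append((label, f"-----BEGIN {label}-----\n{body}\n-----END {label}-----"))
    return blocks

def prepare_fields(files):
    """Map "ca"/"cert"/"key"/"dh" file contents to the one block each
    GUI field takes; ValueError on a missing or extra block, a wrong
    label, or ca.crt pasted into both certificate fields."""
    fields = {}
    for name, text in files.items():
        wanted = [b for label, b in extract_pem(text) if label in FIELD_LABELS[name]]
        if len(wanted) != 1:
            raise ValueError(f"{name}: need one {sorted(FIELD_LABELS[name])} block, got {len(wanted)}")
        fields[name] = wanted[0]
    if "ca" in fields and fields["ca"] == fields.get("cert"):
        raise ValueError("ca and cert hold the same certificate")
    return fields

# Constructed sample shaped like easy-rsa's server.crt: a text dump, then
# the PEM block, here with Windows line endings. The base64 is filler only.
SAMPLE_CRT = ("Certificate:\n    Data:\n        Version: 3 (0x2)\n"
    "-----BEGIN CERTIFICATE-----\r\n"
    "MIIDxzCCAq+gAwIBAgIBAjANBgkqhkiG9w0BAQUFADBZ\r\n"
    "ZTEaMBgGA1UEAxMRZXhhbXBsZS1jYS1maWxsZXI=\r\n"
    "-----END CERTIFICATE-----\r\n")
```

Run prepare_fields on the four files before pasting; a label mismatch (a BEGIN line whose END line names a different type) is simply not returned, which is what you want when a file got truncated in transit.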

OpenVPN Config

  • port 1194 : defines the port we're listening on
  • push "route ..." : pushes a route to the /24 network I have at home so clients can reach it.
  • push "dhcp-option DNS ..." : defines what DNS server VPN clients should use
  • push "dhcp-option DOMAIN ..." : dictates your searched domain so you don't have to use FQDNs
  • server 172.25.1.0 255.255.255.0 : dictates that VPN hosts should use the 172.25.1.0/24 network
  • dev tun0 : use tunneling device tun0
  • proto udp : tells OpenVPN to use UDP for incoming connections
    • This can be changed to tcp-server
    • Whichever you pick, the firewall INPUT rule above has to accept the same protocol on port 1194 (the rule as written accepts tcp).
  • keepalive 10 120 : ping the peer every 10 seconds & assume the link is down after 120 seconds without a reply
  • ifconfig-pool-persist /tmp/openvpn/ipp.txt : where we keep the list of VPN IP addresses handed out to clients, so each client gets the same address back when it reconnects.
port 1194
push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS 192.168.1.1"
push "dhcp-option DOMAIN home"
server 172.25.1.0 255.255.255.0
dev tun0
proto udp
keepalive 10 120
ifconfig-pool-persist /tmp/openvpn/ipp.txt
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
management localhost 5001