DD-WRT OpenVPN guide for complete dummies

Boogalooz
DD-WRT User


Joined: 13 Oct 2017
Posts: 52

Posted: Thu Nov 02, 2017 0:40    Post subject: DD-WRT OpenVPN guide for complete dummies
I have compiled an OpenVPN guide for complete dummies (like me), as a pdf.

The information is scattered around this website and others, but not a single guide I was able to dig up had all of the information I needed to get my router (Linksys WRT-1900AC v2) up and running with OpenVPN.

I decided it was worth the time to compile the data I found into one easy-to-reference guide that could be downloaded and shared.

Hopefully, this guide will save about a week of your life. That is how much time it took me to try and fail over and over to make OpenVPN work on my router.

I would really like feedback here. If you try this guide out, and you find any issues that prevent you from establishing an OpenVPN connection on your computer using the settings I have included in the guide, PLEASE let me know. I will amend the guide and put up a new revision.

As you will see in the guide, this method assumes that your DD-WRT router is secondary to your primary internet facing router. I do not go into detail on the methods for setting up a DD-WRT router as the primary WAN/DHCP router on your network. If this guide gets any traction, we can discuss those methods and amend the guide accordingly.

The idea here is to make it easy for people to find the information they need to get OpenVPN up and running without having to scour the internet for easter eggs.

Let me know what you think.

Newer guide can be found at: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318795


Last edited by Boogalooz on Tue Nov 14, 2017 5:11; edited 3 times in total
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

Posted: Thu Nov 02, 2017 14:28
Good job!
_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
mrjcd
DD-WRT Guru


Joined: 31 Jan 2015
Posts: 6268
Location: Texas

Posted: Thu Nov 02, 2017 16:26
Wow -- lots hard work you been at.
alrighthen I'll commit .. just because you ask :)

Looks like you're setup as a WAP -- that's good, running two in that setup at the homeworld.
http://www.dd-wrt.com/wiki/index.php/Wireless_Access_Point#Long_Version

If you run ovpn ser on the WAP there is no need for a DHCP forwarder.
DHCP should be disabled.
Also DNSMasq should be disabled ..unless you are running a guest network from it -- which has nothing to do with ovpn serv anyways

Only firewall needed on the WAP for the ovpn server to work is
Code:
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`

that just opens the LAN to it... that's all you want and that'll get it to/from main router.
Works same on QCA or BRCM units

but....If what you have works then that's all that matters 8)

EDIT: I see you are using a Marvell unit.
I don't know squat about them but all my atheros/QCA/BRCM units use tun2 for ovpn server ...
...not that it even matters running from a WAP :P
Boogalooz
DD-WRT User


Joined: 13 Oct 2017
Posts: 52

Posted: Thu Nov 02, 2017 20:58
Thank you so much mrjcd! I appreciate the input sir.
Just a couple of questions if you don't mind?

mrjcd wrote:
Looks like you're setup as a WAP -- that's good, running two in that setup at the homeworld.
http://www.dd-wrt.com/wiki/index.php/Wireless_Access_Point#Long_Version


The idea with this setup was not necessarily to be exclusively WAP, but rather to use the router as an ovpn server that would provide some level of protection (through encryption) for all clients, wired and wireless, that are connected to it. I got this router brand new in the box a week ago and paid $80.00 for it, so it was a good investment for me.

mrjcd wrote:
If you run ovpn ser on the WAP there is no need for a DHCP forwarder.
DHCP should be disabled.


I do not see an option for completely disabling DHCP anywhere. In the "Network Address Server Settings (DHCP)" section of the "Setup/Basic Setup" tab, there is a drop-down menu for DHCP and the only 2 choices are "DHCP Server" and "DHCP Forwarder". Is there another option in the GUI somewhere that I am missing to completely turn off DHCP?

mrjcd wrote:
Also DNSMasq should be disabled ..unless you are running a guest network from it -- which has nothing to do with ovpn serv anyways


If I am not running this router as a WAP exclusively, and will have other computers plugged into it directly, even tho it is NOT the primary router on my network, should DNSMasq still be disabled?

P.S. How did you know DNSMasq was enabled? I do not have a pic of the tab where DNSMasq is located in the guide?

mrjcd wrote:
Only firewall needed on the WAP for the ovpn server to work is
Code:
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`

that just opens the LAN to it... that's all you want and that'll get it to/from main router.
Works same on QCA or BRCM units

but....If what you have works then that's all that matters 8)


So far all of the computers/devices I have with an active VPN connection to this router are within my LAN, with the exception of my mobile device (Android), and all of them have internet access. That being said, when I was at work last and established a VPN connection on my work computer, I could wander around inside the (home) LAN but could not get internet access on the work computer. Is there something I am missing on the firewall that is preventing Windows clients from getting internet access from outside my home LAN?


mrjcd wrote:
I see you are using a Marvell unit.
I don't know squat about them but all my atheros/QCA/BRCM units use tun2 for ovpn server ...
...not that it even matters running from a WAP :P


Does this (tun2) perhaps have something to do with why I cannot get internet access through the VPN on clients outside the home LAN?

Thank you for the help here sir. The guide is a work in progress for sure, so any help is genuinely appreciated.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

Posted: Thu Nov 02, 2017 21:16
On the WAP disable the firewall and use the firewall rule from @mrjcd for natting the VPN.

One thing I am not sure about is setting the WAP as a router, I always leave it in gateway mode, seems to work also :)

Boogalooz
DD-WRT User


Joined: 13 Oct 2017
Posts: 52

Posted: Sun Nov 05, 2017 3:07
So it turns out that it probably would have worked all along.

On a whim, while at work yesterday, I decided to place a Linksys WRT300N router between my work computer and the work LAN/WAN, and give my work computer an IP in the 192.168.1.x range.

The work network is on a completely different subnet mask and subnet, which is 10.80.10.x with a subnet mask of 255.255.254.0, so when I fire up my work computer, I end up with an IP usually of 10.80.10.112.

So, anyway, once I did that, and confirmed that I was online, I initiated the VPN connection and BAM, I was connected to my home LAN, having been issued an IP from the AC1900v2 (VPN router) at home, and was immediately online. I confirmed that I was using the home WAN by doing a "whatismyip" check and confirmed it was my home WAN IP.

As I may have mentioned somewhere, I am completely green with regards to networking, so the only thing I can imagine I have succeeded in doing, is using the WRT300N router at work for NAT which allowed me to gain internet access through my VPN tunnel.

If you have any ideas on how to solve the problem at work that would allow me to delete the WRT300N router there, that would be great. I am not sure the IT guys at work are too keen on me using my own router in their network.
Jules13
DD-WRT Novice


Joined: 10 Jun 2017
Posts: 36

Posted: Sun Nov 05, 2017 12:09
Hi guys
I have a question,
I completed the tutorial but I got a problem
I can't put anything other than gateway in advanced routing, otherwise I get no internet
Any ideas?
Thank you
Jules13
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

Posted: Sun Nov 05, 2017 12:21
You mean when in Router mode you have no internet?

For internet you have to NAT and natting is switched off in router mode, I guess.

@Eibgrad always told us to leave the router in gateway mode (when using as a WAP) :)

Jules13
DD-WRT Novice


Joined: 10 Jun 2017
Posts: 36

Posted: Sun Nov 05, 2017 13:07
It's OK, my VPN works, I can connect to it but it has no internet
Here are the logs with the 2 errors, all the connecting process is OK

Sun Nov 05 14:04:52 2017 NOTE: Release of DHCP-assigned IP address lease on TAP-Windows adapter failed: Le fichier spécifié est introuvable. (translation : specified folder is unfindable) (code=2)
Sun Nov 05 14:04:52 2017 SIGTERM[hard,] received, process exiting
Boogalooz
DD-WRT User


Joined: 13 Oct 2017
Posts: 52

Posted: Sun Nov 05, 2017 19:20
Jules13 wrote:
It's OK, my VPN works, I can connect to it but it has no internet
Here are the logs with the 2 errors, all the connecting process is OK

Sun Nov 05 14:04:52 2017 NOTE: Release of DHCP-assigned IP address lease on TAP-Windows adapter failed: Le fichier spécifié est introuvable. (translation : specified folder is unfindable) (code=2)
Sun Nov 05 14:04:52 2017 SIGTERM[hard,] received, process exiting


Thank you for trying this and commenting. I am going to change the firewall image and instructions on the guide right now.

For you to get internet, go to the "Administration" tab, then click on the "Commands" tab, then scroll down to the Firewall window and click the edit button and add this to the commands window:

WAN_IF="$(route -n | awk '/^0.0.0.0/{wif=$NF} END {print wif}')"
iptables -t nat -I POSTROUTING -s 192.168.10.0/24 -o $WAN_IF -j MASQUERADE

Make sure you leave the rest of the Firewall code in place and just add the above code BELOW the existing code. Then click "Save Firewall" and try again to see if you get internet.
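
The MASQUERADE rule from the post above, written for a firewall script that may run more than once, as an added example that is not part of the original post. It adds nothing when no default-route interface is found and removes an earlier copy of the rule before inserting it. The function names and the sample routing table are assumptions; 192.168.10.0/24 is the VPN subnet from the post.

```shell
#!/bin/sh
# Added example, not from the thread. VPN_NET is the subnet used in the post;
# the function names and SAMPLE_ROUTES are made up for illustration.
VPN_NET="192.168.10.0/24"

# Constructed `route -n` output for a box whose default route leaves via br0.
SAMPLE_ROUTES='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.10.0    0.0.0.0         255.255.255.0   U     0      0        0 tun2
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 br0'

# Read `route -n` output on stdin and print the default route's interface.
# Comparing the destination and genmask fields is stricter than /^0.0.0.0/.
default_iface() {
    awk '$1 == "0.0.0.0" && $3 == "0.0.0.0" { print $NF; exit }'
}

# Succeed only for a non-empty name made of interface-name characters.
valid_iface() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the rule arguments that follow "POSTROUTING" for the given interface.
nat_rule_spec() {
    valid_iface "$1" || return 1
    printf '%s\n' "-s $VPN_NET -o $1 -j MASQUERADE"
}

# Call this from the Firewall box. It changes nothing without a default route.
apply_vpn_nat() {
    wan_if="$(route -n | default_iface)"
    spec="$(nat_rule_spec "$wan_if")" || {
        echo "no usable default-route interface; NAT rule not added" >&2
        return 1
    }
    # Delete an earlier copy first so repeated runs do not stack duplicates.
    # $spec is unquoted on purpose so it splits into separate arguments.
    iptables -t nat -D POSTROUTING $spec 2>/dev/null || true
    iptables -t nat -I POSTROUTING $spec
}
```

Only `apply_vpn_nat` touches iptables; the other functions can be checked on any machine against saved `route -n` output.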
Jules13
DD-WRT Novice


Joined: 10 Jun 2017
Posts: 36

Posted: Sun Nov 05, 2017 20:52
Boogalooz wrote:
Jules13 wrote:
It's OK, my VPN works, I can connect to it but it has no internet
Here are the logs with the 2 errors, all the connecting process is OK

Sun Nov 05 14:04:52 2017 NOTE: Release of DHCP-assigned IP address lease on TAP-Windows adapter failed: Le fichier spécifié est introuvable. (translation : specified folder is unfindable) (code=2)
Sun Nov 05 14:04:52 2017 SIGTERM[hard,] received, process exiting


Thank you for trying this and commenting. I am going to change the firewall image and instructions on the guide right now.

For you to get internet, go to the "Administration" tab, then click on the "Commands" tab, then scroll down to the Firewall window and click the edit button and add this to the commands window:

WAN_IF="$(route -n | awk '/^0.0.0.0/{wif=$NF} END {print wif}')"
iptables -t nat -I POSTROUTING -s 192.168.10.0/24 -o $WAN_IF -j MASQUERADE

Make sure you leave the rest of the Firewall code in place and just add the above code BELOW the existing code. Then click "Save Firewall" and try again to see if you get internet.


Thank you, it works perfectly.
Thanks a lot
Jules13
<3
igornvaladares
DD-WRT Novice


Joined: 06 Nov 2017
Posts: 2

Posted: Mon Nov 06, 2017 13:19
Hi,
When setting up the OpenVPN server, should the server information appear in the TAB Status> OpenVPN?
I spent several hours yesterday trying to confirm and nothing appears in the TAB Status> Open VPN
Router WRT1900ACS V2
Build: 33607 10/25/2017
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

Posted: Mon Nov 06, 2017 13:51
Yes (although there were versions which were empty because of a bug, but I do not think this is one of them). When it stays empty the server does not start, indicating a serious error in your settings; the first thing to look at is the certificates.
igornvaladares
DD-WRT Novice


Joined: 06 Nov 2017
Posts: 2

Posted: Mon Nov 06, 2017 14:04
egc wrote:
Yes (although there were versions which were empty because of a bug, but I do not think this is one of them). When it stays empty the server does not start, indicating a serious error in your settings; the first thing to look at is the certificates.


Thank you
I used this tutorial:
With the same version of openVPN.


I tried several other ways, but nothing appears in STATUS
Is it a bug in this version?
mercury187
DD-WRT Novice


Joined: 14 Dec 2010
Posts: 15

Posted: Tue Nov 07, 2017 2:56
Good guide but a couple of questions:
Shouldn't you have to do some kind of port forwarding on your main router that the DD-WRT server router connects to?

Another question: does anyone have a guide for setting up a secondary DD-WRT as a client, thus creating a site-to-site link? That's what I'm looking to accomplish. I'm using a wrt54gv2 and a wrt54gs1. I was able to configure most of the settings using a different guide but when I went to stats>openvpn the entries there were blank, although I did not reboot the router so maybe that is why?