Connecting DD-WRT router to Boleh VPN service

DD-WRT Forum Index -> Advanced Networking
goffredo
DD-WRT Novice


Joined: 02 May 2018
Posts: 4

PostPosted: Sat Jul 21, 2018 21:06    Post subject: Connecting DD-WRT router to Boleh VPN service
I bought a WRT-3200ACM router so that I could flash it with DD-WRT in order to use its OpenVPN client to connect to a commercial VPN service, so that all my devices at home would be behind the VPN.

For my VPN service, I am using BolehVPN. I wanted to make some notes here because I couldn't find any such help when I was trying to set things up and it was a little frustrating.

I flashed my WRT-3200ACM with the latest firmware available at the time, which was DD-WRT v3.0-r35831 std (04/26/18). There was considerable misinformation on this site warning about bricking the router, and pointing to older versions of the firmware as the correct ones to use -- my advice is to disregard this stale information. I downloaded the latest DD-WRT firmware that supported the router's hardware, and utilized the router's built-in interface for flashing the firmware, and I had no problems and everything worked super easy.

Fix up your DNS
I'm putting this above everything else so nobody misses it, even though you really shouldn't do this until you've confirmed your VPN connection is working.

This was a very important step for me, so that internet addresses resolved correctly and my browser stopped timing out trying to hit external websites. After you get your OpenVPN working (per below), you need to tell DD-WRT to use 1.1.1.1 for the DNS. Do this by going to DD-WRT's Setup : Basic Setup tab, down to Network Address Server Settings (DHCP), and entering 1.1.1.1 for Static DNS 1.


Ok. So, to connect to BolehVPN, I first created an account and subscribed to their VPN service, and then I logged into bolehvpn.net and went to "Download Configuration", downloaded my personalized "Linux_iOS normal" configuration, and unzipped the resulting directory. Note that if you download the "inline" version of the config file, your various certificates will not be in separate files (ta.key etc.) as I indicate below, and will instead have their contents pasted inline (get it?) into each ovpn file.

I opted for the FullyRouted-Canada configuration. Opening the FullyRouted-Canada.ovpn file in my text editor provided me with the information I needed below.

I went into DD-WRT's Services : VPN tab, and down to the OpenVPN Client section, wherein I made the following entries:

Server IP/Name and Port
My FullyRouted-Canada.ovpn file suggested a few remote servers to point OpenVPN client to:

Code:

remote-random
remote 74.120.222.234 443
remote 67.215.10.250 1433
remote 198.57.27.238 443
resolv-retry 10


I found through much trial and error that the first and last one worked, but only when I changed the port from 443 to 4443. Otherwise, when viewing the Status : VPN : OpenVPN : Log section, the three servers as listed would produce repeated instances of "TLS Error: TLS handshake failed", or would produce a "Client Log" entry with no further entries, which I can only assume was a bug where OpenVPN failed silently and didn't produce any logging.

My advice would be to try using port 4443, and systematically go through each listed remote server, until you find one that works. And then just enter that one in the Server IP/Name field. I have no idea why the ports that BolehVPN specifies do not work.

Note that OpenVPN on DD-WRT doesn't currently seem to support randomizing the remote server (I tried unsuccessfully via the Additional Config field), so just pick one that works and enter it here, that's the one you'll always use.

Port, Tunnel Device, etc:
Tunnel Device: Select "TUN"
Tunnel Protocol: Select "UDP"
Encryption Cipher: Select "AES-128 CBC"
Hash Algorithm: Select "SHA512"
User Pass Authentication: Disable
Advanced Options: Enable
TLS Cipher: Select "TLS-DHE-RSA-WITH-AES-128-CBC-SHA" even though it doesn't exactly match BolehVPN's config file (which specifies TLS-DHE-RSA-WITH-AES-128-CBC-SHA256)
LZO Compression: Disabled
NAT: Enabled
Firewall Protection: Disabled
IP Address: I left this blank
Subnetmask: I left this blank
Tunnel MTU Setting: I kept the default 1500
Tunnel UDP Fragment: I left this blank
Tunnel UDP MSS-Fix: I kept the default Disable
nsCertType verification: I left this blank

TLS Auth Key and Additional Config etc
TLS Auth Key: In the unzipped directory of BolehVPN config files, open up the file "ta.key" in a text editor and copy the contents. Paste the whole thing into this field.

Additional Config
I added this line so Pandora worked in my house
Code:

# Me 2018-05-03: Send Pandora traffic around VPN tunnel
route 208.85.40.0 255.255.248.0 net_gateway


CA Cert
Open the ca.crt file in a text editor, copy the contents, and paste into this field. Note that mine has two separate certificates inside; this is fine.

Public Client Cert
Open the file that is [your BolehVPN username].crt and copy the contents into this field. Note the 'Validity "Not After"' date: after this date you will notice your internet connections no longer work, and checking the OpenVPN log you will see "TLS reconnect error", which is the super cryptic way of saying these two certs expired and you need to download your latest config files from BolehVPN, come back and place a fresh version of this cert here, and also place a fresh version of the Private Client Key cert (below).

Private Client Key
Open the file that is [your BolehVPN username].key and copy the contents into this field.

Verify Connection
After making changes, hit "Apply Settings" at the very bottom of DD-WRT's Services : VPN page. (This will save your settings, and then apply them). Then pop over to the Status : OpenVPN tab. If all is going well, under State you will see "Client: CONNECTED SUCCESS", so surf to https://www.whatismyip.com and confirm your location is pulling from your VPN (in my case, Canada). You are all set if this is the case. You will see a bunch of warnings and stuff in the Log section, but as long as you have success here you are good to go.

Otherwise, something went wrong. Double check that you pasted the correct certificates in the correct fields as noted above, verify that you are within the "Not Before" and "Not After" dates in the Public Client Cert field, and verify you got the 'remote' server IP address correct -- maybe try playing with the port?

That's it. Hope this helps someone.
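Added example (my own script, not code from the post, from BolehVPN or from the DD-WRT project): the steps above amount to reading values out of the .ovpn file and typing them into GUI fields, then watching the client certificate's expiry date. This stdlib-only Python does both: it parses a profile in either download variant (separate ca/cert/key/ta.key files, or the "inline" form with <ca>, <cert>, <key>, <tls-auth> blocks), lists the values for the fields the post walks through, and reads the Not Before / Not After dates straight out of the client certificate so you can check them before OpenVPN starts logging "TLS reconnect error". The field labels are the ones the post uses, not anything taken from DD-WRT's source. The profile text and the certificate are constructed for the example: the remotes and cipher settings are the ones the post quotes, and the certificate is a hand-built, unsigned dummy whose only meaningful content is its Validity field.

```python
"""Map an OpenVPN .ovpn profile onto DD-WRT's OpenVPN Client fields; read the client cert's validity. Stdlib only."""
import datetime as dt
import ssl

def parse_ovpn(text):
    """Return (directives, inline): name -> list of arg lists, and <tag>..</tag> blocks -> PEM text."""
    directives, inline, current = {}, {}, None
    for line in (l.strip() for l in text.splitlines()):
        if current:                                   # inside <tag> ... </tag> ('inline' variant)
            if line == f"</{current}>":
                current = None
            else:
                inline.setdefault(current, []).append(line)
        elif line.startswith("<") and line.endswith(">"):
            current = line[1:-1]
        elif line and line[0] not in "#;":            # skip blanks and comments
            name, *args = line.split()
            directives.setdefault(name, []).append(args)
    return directives, {tag: "\n".join(v) for tag, v in inline.items()}

# Field labels as the post names them on the Services : VPN : OpenVPN Client page.
CERT_FIELDS = (("ca", "CA Cert"), ("cert", "Public Client Cert"),
               ("key", "Private Client Key"), ("tls-auth", "TLS Auth Key"))

def ddwrt_fields(directives, inline):
    """GUI entries from the parsed profile; remotes stay a list because the GUI takes one Server IP/Name."""
    first = lambda k: directives[k][0][0] if directives.get(k) and directives[k][0] else None
    fields = {
        "Remote servers": [(a[0], int(a[1]) if len(a) > 1 else 1194)
                           for a in directives.get("remote", [])],
        "remote-random": "remote-random" in directives,   # not honoured by the DD-WRT GUI per the post
        "Tunnel Device": (first("dev") or "tun").upper(),
        "Tunnel Protocol": (first("proto") or "udp").upper(),
        "Encryption Cipher": first("cipher"),
        "Hash Algorithm": first("auth"),
        "TLS Cipher": first("tls-cipher"),
        "LZO Compression": "Enabled" if "comp-lzo" in directives else "Disabled",
    }
    for tag, label in CERT_FIELDS:                    # inline PEM, or the file whose contents to paste
        if tag in inline:
            fields[label] = inline[tag]
        elif first(tag):
            fields[label] = "paste contents of file " + first(tag)
    return fields

def _tlv(buf, pos):                                   # one DER tag-length-value -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                 # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _asn1_time(tag, value):
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"   # UTCTime vs GeneralizedTime
    return dt.datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=dt.timezone.utc)

def cert_validity(pem):
    """(notBefore, notAfter) of one PEM cert, like `openssl x509 -noout -dates` but without openssl."""
    _, cert, _ = _tlv(ssl.PEM_cert_to_DER_cert(pem), 0)   # Certificate ::= SEQUENCE
    _, tbs, _ = _tlv(cert, 0)                              # tbsCertificate
    tag, _, pos = _tlv(tbs, 0)                             # [0] version (optional) or serialNumber
    if tag == 0xA0:
        _, _, pos = _tlv(tbs, pos)                         # serialNumber
    _, _, pos = _tlv(tbs, pos)                             # signature AlgorithmIdentifier
    _, _, pos = _tlv(tbs, pos)                             # issuer Name
    _, validity, _ = _tlv(tbs, pos)                        # Validity ::= SEQUENCE { notBefore, notAfter }
    t1, nb, p = _tlv(validity, 0)
    t2, na, _ = _tlv(validity, p)
    return _asn1_time(t1, nb), _asn1_time(t2, na)

def _der(tag, body):
    assert len(body) < 0x80                           # short-form length is enough for the sample
    return bytes([tag, len(body)]) + body

def sample_client_cert_pem(not_before, not_after):
    """CONSTRUCTED stand-in for <username>.crt: X.509 v3 layout, empty names/key, dummy signature."""
    utc = lambda d: _der(0x17, d.strftime("%y%m%d%H%M%SZ").encode("ascii"))
    alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")))   # sha256WithRSAEncryption
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02"))                     # [0] version v3
                     + _der(0x02, b"\x01") + alg                          # serialNumber, signature
                     + _der(0x30, b"")                                    # issuer
                     + _der(0x30, utc(not_before) + utc(not_after))       # validity
                     + _der(0x30, b"") + _der(0x30, b""))                 # subject, subjectPublicKeyInfo
    return ssl.DER_cert_to_PEM_cert(_der(0x30, tbs + alg + _der(0x03, b"\x00")))

NOT_BEFORE = dt.datetime(2018, 5, 1, tzinfo=dt.timezone.utc)
NOT_AFTER = dt.datetime(2019, 5, 1, tzinfo=dt.timezone.utc)
# Constructed profile in the shape of the post's FullyRouted-Canada.ovpn: inline cert, file refs for the rest.
SAMPLE_OVPN = f"""dev tun
proto udp
remote-random
remote 74.120.222.234 443
remote 67.215.10.250 1433
remote 198.57.27.238 443
cipher AES-128-CBC
auth SHA512
tls-cipher TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
ca ca.crt
tls-auth ta.key 1
<cert>
{sample_client_cert_pem(NOT_BEFORE, NOT_AFTER).strip()}
</cert>
"""
```

On a real download, `ddwrt_fields(*parse_ovpn(open("FullyRouted-Canada.ovpn").read()))` gives the list to type in, and `cert_validity(fields["Public Client Cert"])` gives the dates to put in your calendar. `cert_validity` expects one certificate; the two-cert ca.crt the post mentions would need splitting on the END CERTIFICATE line first.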