Posted: Mon Jan 07, 2019 19:08 Post subject: How to setup OpenVPN server on DD-WRT?
Hi everyone!
I can imagine that this question has been posted at least a few dozen times before. But I can't for the life of me figure this out, and I also see that most people that post questions about it have some kind of advanced setup. All I want is just a basic setup.
Please understand, I have been trying to set up an OpenVPN server on my dd-wrt router for months on and off. Sometimes I can get it to work to some point but then something else goes wrong and I just give up. I find this very difficult.
What I would like is to be able to access a single computer on my home network over the Internet, using VPN for added security/obfuscation.
What are the ingredients, what exactly do I need for such a setup? I know I already have dd-wrt which is capable of running a VPN server.
I have the latest dd-wrt version 3.0-r38132 std, recently flashed. So no corrupted old configs laying around.
I did get OpenVPN client to work with my VPN provider. I just had to clear out old broken down PPTP configs.
But a client setup is not what I need for this purpose, I need to know how to set up OpenVPN as a server.
Can I still use Easy RSA help files to generate the cert and keys and then put it into my dd-wrt? I did that once successfully between my computers on the home network. This was some time ago, I don't recall how I did it but I know that these files come with OpenVPN installation.
I didn't see the attachment earlier. I thought I was signed in because my name was visible. But I can see it now after attempting to post a reply. False alarm! I will check it out later. But I have a question.
Do I need to generate the Diffie-Hellman parameter if I intend to configure OpenVPN as a server? Or does this only apply to a daemon?
I have been reading the various posts in full detail and taking notes along the way. I totally understand what the author of the linked thread means by "there's a lot of outdated info out there on OpenVPN + DD-WRT". No wonder people get confused and give up (at least I did, a number of times)...
init-config
vars
clean-all
build-ca
build-key client1
build-key-server server
build-dh
These are the commands to be executed when generating keys and certificates?
When I run build-key-server I get this warning.
Code:
Could Not Find C:\Program Files\OpenVPN\easy-rsa\keys\*.old
Do I need to do something about it? I recall seeing in some tutorial that you have to rename a file to something.old when generating keys and certificates. Is this related to EasyRSA 2 and 3?
Code:
build-key client1
build-key-server server
Who is client and who is server? Client is my remote computer connecting to DD-WRT and server is the DD-WRT OpenVPN server?
Ignore the error. The script builds new certificate files, and in that process it renames existing certificate files to *.old. However, the process crashes if one of the *.old files exists. To make sure this does not happen, the batch file deletes all existing *.old files. But it is poorly written because if the delete command fails it throws an error. The batch command should say “if exist path\*.old del path\*.old”; then it will not complain if it does not find any files to delete.
Note that this error is in the files that you download from the OpenVPN.net website, and @egc is not responsible for them.
Cheers,
I understand that the problem might be in the Bat files that ship with OpenVPN. But I don't know how to handle the situation. Do I need to build the server cert and key? If I do then I'm afraid I won't be connecting to anything unless I deal with this first.
My server.crt is 0 bytes. It was not 0 the first time I ran the commands. So it fails to build it correctly and here is what it has to say.
Code:
ERROR:There is already a certificate for /C=US/ST=CA/L=SanFrancisco/O=OpenVPN/OU=changeme/CN=itsme/name=changeme/emailAddress=mail@host.domain
The matching entry has the following details
Type :Valid
Expires on :290110232019Z
Serial Number :01
File name :unknown
Subject Name :/C=US/ST=CA/L=SanFrancisco/O=OpenVPN/OU=changeme/CN=itsme/name=changeme/emailAddress=mail@host.domain
Could Not Find C:\Program Files\OpenVPN\easy-rsa\keys\*.old
Since I already ran these commands earlier, it thinks I already have one certificate like that.
So the *.old seems to be the least of my problems. In fact, clean-all.bat cleans the keys folder with success.
I suspect it has created something that is stored elsewhere. Somewhere in Windows.
When I want to start over from scratch can I simply execute these commands in this order?
Code:
init-config
vars
clean-all
build-ca
build-key client1
build-key-server server
build-dh
Or do I need to do something first?... I don't know... maybe go remove some certificates from the Windows certificate store? I understand this is some kind of database that Windows uses.
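Added example, written for this thread and not taken from the thread, from egc's notes or from Easy-RSA: the Easy-RSA batch files wrap `openssl ca`, which keeps a database of issued subjects (keys/index.txt) and, with unique_subject = yes, refuses to issue a second certificate whose subject is already in that database. That refusal is the "ERROR:There is already a certificate for ..." message, and the 0-byte .crt is what it leaves behind, because the output file is opened before the request is signed. The script below performs the same build-ca / build-key-server / build-key / build-dh steps with plain openssl in a constructed directory, gives the server and the client distinct Common Names, checks each certificate against its intended role (sslserver for the router, sslclient for the remote PC), and checks that a key file actually belongs to its certificate. The directory, file names and Common Names are all constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread, not Easy-RSA's own scripts): the same steps as
# init-config/build-ca/build-key-server/build-key/build-dh with plain openssl, so the
# CA database behind "ERROR:There is already a certificate for ..." is in view.
# All directory, file and Common Names here are constructed for the demo.
set -eu

# pki_init DIR: create the CA database (Easy-RSA keeps it as keys/index.txt),
# the CA config, and the self-signed CA certificate (build-ca).
pki_init() {
  dir="$1"
  mkdir -p "$dir/newcerts"
  : > "$dir/index.txt"      # empty database: nothing issued yet
  echo 01 > "$dir/serial"
  cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $dir
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
default_md = sha256
default_days = 3650
policy = demo_policy
unique_subject = yes
[ demo_policy ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ client_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$dir/ca.cnf" -extensions ca_ext -subj "/CN=demo-ca" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
}

# pki_sign DIR FILE CN EXT: build-key-server (EXT=server_ext) or build-key
# (EXT=client_ext). The CA refuses a second certificate whose subject is
# already in index.txt (unique_subject = yes); the output file is opened before
# signing, so a refused request leaves a 0-byte FILE.crt behind.
pki_sign() {
  dir="$1"; file="$2"; cn="$3"; ext="$4"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$dir/ca.cnf" \
    -subj "/CN=$cn" -keyout "$dir/$file.key" -out "$dir/$file.csr" 2>/dev/null
  openssl ca -batch -notext -config "$dir/ca.cnf" -extensions "$ext" \
    -in "$dir/$file.csr" -out "$dir/$file.crt" 2>/dev/null
}

# pki_verify DIR FILE PURPOSE: chain FILE.crt to the CA and check its role
# (sslserver for the router, sslclient for the remote PC).
pki_verify() {
  openssl verify -purpose "$3" -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1
}

# pki_key_matches DIR FILE: true when FILE.key belongs to FILE.crt (same public
# key), which an empty .crt can never satisfy.
pki_key_matches() {
  [ -s "$1/$2.crt" ] || return 1
  a=$(openssl x509 -in "$1/$2.crt" -noout -pubkey 2>/dev/null)
  b=$(openssl pkey -in "$1/$2.key" -pubout 2>/dev/null)
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# pki_dh DIR BITS: build-dh; 2048 bits can take minutes on a slow CPU.
pki_dh() {
  openssl dhparam -out "$1/dh$2.pem" "$2" 2>/dev/null
}

# Usage: PKI_DEMO_DIR=/tmp/pki sh pki-demo.sh
if [ -n "${PKI_DEMO_DIR:-}" ]; then
  pki_init "$PKI_DEMO_DIR"
  pki_sign "$PKI_DEMO_DIR" server server server_ext     # build-key-server server
  pki_sign "$PKI_DEMO_DIR" client1 client1 client_ext   # build-key client1
  pki_verify "$PKI_DEMO_DIR" server sslserver
  pki_verify "$PKI_DEMO_DIR" client1 sslclient
  pki_dh "$PKI_DEMO_DIR" 2048                           # build-dh
  echo "ca.crt, server.crt/.key, client1.crt/.key, dh2048.pem in $PKI_DEMO_DIR"
fi
```

The CA keeps its state in index.txt and serial, which is why re-running the signing step with the same Common Name fails even though the .crt and .key files were removed: either pick a different Common Name for each certificate (server and client1, as the Easy-RSA command names suggest) or start the database over, which is what clean-all does for the keys directory.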
Just follow my notes attached to the fourth posting.
Quote:
Step 6 – Configuring DD-WRT for OpenVPN
From the DD-WRT GUI, click on the “Services” tab, and then click on the “VPN” tab. Scroll down to the OpenVPN section and click the radio button to enable OpenVPN. That will expose a new pane where you will enter the VPN tunnel network settings and enter the data from the “keys” and “certificates” as well as the data from the “dh2048” file that you created in the previous steps. Scroll down to the pictures below as necessary for a visual cue.
It doesn't say what mode to select once I am on the VPN tab. But I can see from the included screenshots that you selected "Server" option.
This is one of those pivot points in configuring OpenVPN on DD-WRT. I followed the link from one of the links posted earlier and ended up here:
I gathered a lot from reading this lengthy article. But I also understand that it has its factual errors and outdated information. The main point from one of the posters here on DD-WRT forum was that you should skip the "Daemon" and some other parts of that article. It's understandable, because the old builds of DD-WRT didn't have the "Server" option. But it is exactly for this reason that I need to generate a server cert and key... no?
Let's get back to your attached document for now.
Quote:
Back in Notepad++, locate and open the “server.crt” file from the same (keys) directory. This time, you will scroll down to the bottom, and copy everything starting with “-----BEGIN CERTIFICATE-----” and ending with “-----END CERTIFICATE-----” (INCLUDING ALL of the dashes). You will then paste that into the “Public Server Cert” window, in DD-WRT as seen in pictures below.
Precisely! My server cert is 0 bytes, remember? What shall I copy from this file?...
Quote:
Back in Notepad++, locate and open the “server.key” file from the same (keys) directory. Click anywhere in the window and right click, select all, then copy and paste the contents into the “Public Server Key” window, in DD-WRT as can be seen in the pictures below.
My server key however is populated with data. But it's useless without the server cert, right? Or am I delusional?
Your screenshots look good, that's what I want for myself also. But the server cert generation keeps failing and I don't think I can continue without it.
Last edited by Fractalogic on Mon Jan 14, 2019 23:19; edited 1 time in total
I can see more clearly now why I didn't manage to set this up many months ago. There is too much confusion spreading across the web regarding this topic. Just like the Weird Al Yankovic misattributions used to flood the web once. If you repeat something many times it will eventually become the truth if it is not already.
I think I need to do more reading and experimenting on my own in order to filter out the misconceptions (my own and others').
Posted: Tue Jan 15, 2019 9:19 Post subject:
To set up, that is why I included a picture; a picture says more than a thousand words.
You need to generate a server certificate and that should be more than 0 bytes.
It is important that you follow all steps meticulously.
My notes have been used many times with success, but of course something could have changed in the last couple of weeks. Next week I have more time and will review the process.