[DIY] Configure OpenVPN on newer releases DD-WRT (GUI Style)

Post new topic   Reply to topic    DD-WRT Forum Index -> Broadcom SoC based Hardware
Goto page 1, 2, 3  Next
Author Message
ReDaLeRt
DD-WRT User


Joined: 26 Oct 2010
Posts: 80
Location: Portugal

PostPosted: Sun Dec 04, 2011 15:43    Post subject: [DIY] Configure OpenVPN on newer releases DD-WRT (GUI Style) Reply with quote
Hi,

At least since 16994M there were made severe changes on how is configured OpenVPN through the Web Admin page.

Forget all those manual procedures and configuration lines written on Wiki page for Bridging or Routing setup: http://www.dd-wrt.com/wiki/index.php/VPN_%28the_easy_way%29_v24%2B

No more "startup" and "firewall" commands are need!

Just start with this basic configuration and modify it at your taste:



OpenVPN status page is fully working without any command.

Tested with Bridging mode on RT-N16 17940M "KingKong".


[[]]

_________________
DD-WRT powered:
RT-N16 + WRT54G v2 + FON 2201 & 2100


Last edited by ReDaLeRt on Sun Dec 04, 2011 21:11; edited 1 time in total
Sponsor
James2k
DD-WRT Guru


Joined: 23 Oct 2011
Posts: 549

PostPosted: Sun Dec 04, 2011 19:08    Post subject: Reply with quote
Wow, looks more user friendly!
ally
DD-WRT Novice


Joined: 24 Nov 2011
Posts: 9

PostPosted: Sun Dec 18, 2011 5:25    Post subject: Reply with quote
Thanks for sharing, Three questions:

Will this GUI setup of OpenVpn server work with Firmware: DD-WRT v24-sp2 (06/14/11) big running on Linksys E3000?

Does this mean that there is no need to generate certificates for each DHCP client?

How would you test from behind the router?
ReDaLeRt
DD-WRT User


Joined: 26 Oct 2010
Posts: 80
Location: Portugal

PostPosted: Sun Dec 18, 2011 18:40    Post subject: Reply with quote
ally wrote:
Will this GUI setup of OpenVpn server work with Firmware: DD-WRT v24-sp2 (06/14/11) big running on Linksys E3000?


Probably yes. Just test it.

ally wrote:
Does this mean that there is no need to generate certificates for each DHCP client?


No, you need always to generate certificates for every single client.

ally wrote:
How would you test from behind the router?


I test it from work office. Plain simple.


[[]]

_________________
DD-WRT powered:
RT-N16 + WRT54G v2 + FON 2201 & 2100
James2k
DD-WRT Guru


Joined: 23 Oct 2011
Posts: 549

PostPosted: Sun Dec 18, 2011 18:52    Post subject: Reply with quote
From inside the network I tested my VPN by using one of my virtual WLAN's which is on a different subnet (Guest Network), I already had firewall rules in place to prevent the guest network accessing the private network, so the VPN and its route pushing was tested to see if I could access the private network via VPN while being on the guest subnet.

However you will need to know how your VPN behaves from the outside and you can test in a variety of locations:

a) Work
b) A friends house
c) Public Place with Wifi Hotspot
somms
DD-WRT User


Joined: 21 Mar 2008
Posts: 261

PostPosted: Sun Dec 18, 2011 22:25    Post subject: Reply with quote
With the serious tweaking performed on the OpenVPN dd-wrt GUI over the past year, it is now a snap in order to get OpenVPN up and running and it is very stable as well! Very Happy


OpenVPNDec11.jpg
 Description:
OpenVPN GUI
 Filesize:  257.53 KB
 Viewed:  88951 Time(s)

OpenVPNDec11.jpg


ally
DD-WRT Novice


Joined: 24 Nov 2011
Posts: 9

PostPosted: Thu Dec 22, 2011 5:08    Post subject: Reply with quote
ReDaLeRt wrote:
ally wrote:
Does this mean that there is no need to generate certificates for each DHCP client?

No, you need always to generate certificates for every single client.

Is there a guide for noob you can point me to showing how to generate these certificates without having to know linux command language.
something easier to follow than the wiki
Would this Using XCA to configure the OpenVPN PKI part as an alternative to OpenVPN's easy-rsa the easier choice?
James2k
DD-WRT Guru


Joined: 23 Oct 2011
Posts: 549

PostPosted: Thu Dec 22, 2011 8:58    Post subject: Reply with quote
ally wrote:
ReDaLeRt wrote:
ally wrote:
Does this mean that there is no need to generate certificates for each DHCP client?

No, you need always to generate certificates for every single client.

Is there a guide for noob you can point me to showing how to generate these certificates without having to know linux command language.
something easier to follow than the wiki
Would this Using XCA to configure the OpenVPN PKI part as an alternative to OpenVPN's easy-rsa the easier choice?


http://www.dd-wrt.com/wiki/index.php/VPN_%28the_easy_way%29_v24%2B#Creating_Certificates

This should get you started. Outlines how to generate the certificates on Windows (easy-rsa) or on a Linux based distro.

I used easy-rsa and it worked fine. I have never used the XCA method, but I know some users prefer it and it seems to work fine. Its really down to personal preference really on how you generate the keys and certificates.
ally
DD-WRT Novice


Joined: 24 Nov 2011
Posts: 9

PostPosted: Wed Dec 28, 2011 6:23    Post subject: Reply with quote
James2k wrote:
ally wrote:
ReDaLeRt wrote:
ally wrote:
Does this mean that there is no need to generate certificates for each DHCP client?

No, you need always to generate certificates for every single client.

Is there a guide for noob you can point me to showing how to generate these certificates without having to know linux command language.
something easier to follow than the wiki
Would this Using XCA to configure the OpenVPN PKI part as an alternative to OpenVPN's easy-rsa the easier choice?


http://www.dd-wrt.com/wiki/index.php/VPN_%28the_easy_way%29_v24%2B#Creating_Certificates

This should get you started. Outlines how to generate the certificates on Windows (easy-rsa) or on a Linux based distro.

I used easy-rsa and it worked fine. I have never used the XCA method, but I know some users prefer it and it seems to work fine. Its really down to personal preference really on how you generate the keys and certificates.

I am not sure what am I screwing up other than just I am fairly new to dd-wrt in the first place much less try to make OpenVpn server work. Where can I go to recruit some guided help on TeamViewer to set up OpenVpn on my E3000 flashed with DD-WRT v24-sp2 (06/14/11) big ?
ndewan
DD-WRT Guru


Joined: 14 Jan 2010
Posts: 553

PostPosted: Fri Dec 30, 2011 15:49    Post subject: Reply with quote
@ReDaLeRt

Can you also post your client config files (with masked data).

Thanks

_________________
===================================
1 * DIR-866L - 29193 Mega (Main Gateway)
1 * EA4200 - 29193 Mega (Main Gateway)
1 * EA6500 - 29193 Mega (Repeater Bridge)
1 * EA6500v2 - 29193 Mega (Repeater Bridge)
1 * WRT610N - 29193 Mega (Repeater Bridge)
===================================
patmtp35
DD-WRT Novice


Joined: 19 Mar 2010
Posts: 41

PostPosted: Wed Jan 04, 2012 14:44    Post subject: lots of change! Reply with quote
i used last kongmod on my wnr3500l and arethusa, but there is so much differences betwen old gui and new gui that i was lost too ....

arethusa just gives us a cong file and a CA cert so we hace to create other cert with OpenVPN's easy-rsa ?

regards
ally
DD-WRT Novice


Joined: 24 Nov 2011
Posts: 9

PostPosted: Wed Jan 04, 2012 15:14    Post subject: Reply with quote
I ask again, do you know where I can recruit some paid help over team viewer to set up openvpn server on dd-wrt. I have pm'd a couple of moderators and I am awaiting any response. Too many manhours burnt already, welcome to open source.
zoomlink
DD-WRT User


Joined: 08 May 2011
Posts: 221

PostPosted: Wed Jan 04, 2012 17:52    Post subject: Reply with quote
@patmtp35 & Ally

I think everyone misses the part where you choose which type of configuration you are trying to setup, VPN Server or VPN Client.

I think RedAlert's excellent easy config guide / example is for setting your router as an OpenVPN Server. However, IT ASSUMES that you have all your required certificate files already on hand.

An easy analogy is that people can show you how to use and configure Facebook or Twitter all day, but if you don't go through the process of registering with Facebook and Twitter and get get your username and password to access their site, all the Facebook and Twitter guides and instructions in the world will be of no use to you because you will be stuck at the front door of the site.

What I am trying to say is that DD-WRT has come a long way with the Web GUI configuration for OpenVPN (client and server), but if you don't have what you need to configure your client or server (e.g. certificate, key and config files) All you are looking at is a nice Web GUI with no real functionality.

I often got lost/disoriented when reading posts, because the persons posting assumed that because they knew what type of configuration they were referring to, so did everyone else that was reading their post.

If you are an experienced user, you can pickup which type of config they are referring to by the context of their postings, however, if you are a Noob, it can get VERY confusing to follow and you could end-up screwing up your config if you follow a guide that is for SERVER when you are trying to setup a CLIENT or the other way around.

So figure out which config you are trying to set up.

A. OPENVPN CLIENT CONFIG:
You are trying to setup your router as an OpenVPN CLIENT that will establish a connection with an OpenVPN Server.

If this is your case you will need the following from your VPN Provider (paid or otherwise):
1) CA Certificate (typically a file called: ca.crt)
2) Client Certificate (typically a file called: client.crt)
3) Client Key (typically a file called: client.key)
4) Client Configuration file containing the VPN Provider's recommended settings to establish a tunnel with them (typically a file called: client.conf)
5) Optional TLS Authentication Key (typically a file called: ta.key)

B. OPENVPN SERVER CONFIG:
Your are trying to set up your router to be an OpenVPN SERVER that will be accepting connections from clients (routers, mobile devices, Linux, Mac or PCs).

If this is the case, you will first have to choose a tool like OpenVPN Easy-RSA to generate your certificates (Clients and Server) as outlined here http://www.dd-wrt.com/wiki/index.php/VPN_%28the_easy_way%29_v24%2B#Creating_Certificates. There are others like XCA mentioned here by ally.

YOU WILL need to generate your client certificate file (client.crt) and key file (client.key) so that you can provide them to your clients in similar fashion to what was outlined under option A above.

Now, YOU WILL ALSO need to generate the following certificates for YOUR OpenVPN SERVER:
1)Certificate Authority Certificate (ca.crt)
2)Public Server Certificate (server.crt)
3)Private Server Key (server.key)
4)Diffie-Hellman Encrypted Authentication Parameters file (dh1024.pem), you can also generate a larger file called (dh2048.pem). Please read up on this because the larger file will affect performance. For more information see http://www.ietf.org/rfc/rfc2631.txt

Hopefully this was clear as mud. Smile
patmtp35
DD-WRT Novice


Joined: 19 Mar 2010
Posts: 41

PostPosted: Wed Jan 04, 2012 19:41    Post subject: Reply with quote
hi zoomlink

it's real i m not too clear, sorry..

i just want to setup my dd-wrt to connect arethusa vpn server, but they just sent to me a certificate a config file and an account and pass , so i think somme files are missing ...
zoomlink
DD-WRT User


Joined: 08 May 2011
Posts: 221

PostPosted: Wed Jan 04, 2012 21:07    Post subject: Reply with quote
Did you follow this set of instructions? it explains what goes where,

This seems like a third option that makes your router a node on a sort of VPN mesh network.

Go to Services -> VPN.

1) Enable OpenVPN Daemon (not client).
2) Choose Start type: Wan up.
3) Open "arethusa-ca.crt" (provided to you by arethusa)with any text editor, select all the text and paste it in "Public Server Cert".
4) In "Private Client Key", enter the username for this tunnel on the first line, and the password on the second line. like this:

username
password


5) Open "arethusa.ovpn"(provided by arethusa) with any text editor, select all the text and paste it in "OpenVPN Config" section. You can remove all the commented lines to save some space.

6) Then, do the following modifications:
a) Replace the line: "ca arethusa-ca.crt" with:
ca /tmp/openvpn/ca.crt
b) Replace the line: "auth-user-pass" with:
auth-user-pass /tmp/openvpn/key.pem

Click on "Apply Settings". (I guess this creates a ca.crt and key.pem files?, it's unclear to me)

7) Go to Administration -> Commands and enter these 3 lines in "Commands":

iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
iptables -A POSTROUTING -t nat -o tun0 -j MASQUERADE

Click on "Save Firewall".

That's all ! All internet activity should go through the VPN now.

Are you saying you followed this to the T and it did not work?
Goto page 1, 2, 3  Next Display posts from previous:    Page 1 of 3
Post new topic   Reply to topic    DD-WRT Forum Index -> Broadcom SoC based Hardware All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum