I just finished this same setup earlier today for the first time so hopefully I can save you some time and much frustration. The basic difference is the "Server" option uses the GUI to generate the Server Config file for you whereas the Daemon option requires you to include all of the details in the Server Config file. The Server option is much easier and straightforward.
What I have found is that 90% of the tutorials I have tried online are erroneous and factually inaccurate likely due to them being based on different versions of the software packages required, i.e. OpenVPN, DD-WRT, EasyRSA, etc. Let me also state upfront and in the interest of full disclosure, I am not an expert by any means. That being said, most of my time was spent in a trial and error effort.
Hope this helps and please feel free to ask questions if something seems unclear or if you have trouble. Also, if anyone sees something that doesn't look quite right please chime in.
SETUP
My setup is as follows: I'm running DD-WRT v3.0-r30695M kongmv (09/26/16) on a Linksys WRT-1900ACS v1. I used OpenVPN v. 2.2.2 due to the fact that it includes EasyRSA in the install package. I'm running Windows 10 on my machine and the intent of setting up a VPN on the router is so that I can easily run VNC on my home network while away via iPhone, iPad, or my laptop. I didn't find out until after the fact that iOS does not support TAP based tunnels at this time. TAP-based tunneling creates a bridged connection via VPN that allows you to be remotely connected to your LAN just as if you are physically sitting on the LAN, which is what I wanted. This way, you can "see" everything on the LAN as if you're there. I am still going to work to find a way to connect through a VPN in order to VNC to my machines with my iOS devices, but I'm just finishing up with this project so I'm happy to share while it's still fresh in my mind.
PREP WORK
Now to the good stuff.
What you will need: DD-WRT (obviously already setup on your router) and OpenVPN 2.2.2. OpenVPN will also serve as your client side connection app on your remote machine. Further, if you use OpenVPN 2.2.2 as recommended it will also include EasyRSA to create your security keys, certificates, and related files. I also recommend you download and install Notepad++ as it will make creating your config file easier.
INSTALLATION
All that said, install OpenVPN 2.2.2 on your machine and keep all of the default install settings as there are a few bugs that apparently make the application files look for those default locations as opposed to the actual locations where the files are installed if you change them. Experience, trust me. I believe the default location is "C:\Program Files (x86)\OpenVPN\"
SECURITY KEY & CERT AND CLIENT CONFIG FILE GENERATION
Create your security certificate and keys. There is a good tutorial on how to install OpenVPN on your computer and create the security keys I can provide if needed but the OpenVPN configuration part of the tutorial is crap so only use it for the OpenVPN install and creating the security files. The link is http://www.howtogeek.com/64433/how-to-install-and-configure-openvpn-on-your-dd-wrt-router/. The server side configuration file is generated by DD-WRT when you select the Server radio button so you will not need to generate a separate server config file. Name the client certificate and key "client1.crt" and "client1.key" respectively. This will be the "CN" field when generating them in EasyRSA.
Ignore the code in the client config file in the above tutorial. Use Notepad++ to create a new file and use the code below.
Quote:
client
dev tap
proto tcp
remote yourddns.com_or_ip_address 1194
nobind
persist-key
persist-tun
verb 4
float
ca ca.crt
cert client1.crt
key client1.key
comp-lzo yes
tun-mtu 1400
auth SHA1
cipher AES-128-CBC
Save the file as "client1.ovpn" without the quotes to the "C:\Program Files (x86)\OpenVPN\config" directory.
FILE LOCATIONS
The server.crt, server.key, ca.crt and dh1024.pem files will default to "C:\Program Files (x86)\OpenVPN\easy-rsa\keys". You will open these files with Notepad++ and copy/paste their contents to their respective fields in the DD-WRT Server GUI mentioned below.
NOTE: When copying/pasting the data into the GUI, there may be more info than is needed. Only copy the data between and including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----, -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY-----, and -----BEGIN DH PARAMETERS----- and -----END DH PARAMETERS-----.
You will need to copy the actual client files (not just their contents); ca.crt, client1.crt and client1.key from "C:\Program Files (x86)\OpenVPN\easy-rsa\keys" to the "C:\Program Files (x86)\OpenVPN\config" directory.
As previously mentioned above, you will also need to save the client1.ovpn file you created with OpenVPN to this same directory. This is where the OpenVPN application on your laptop will look when you first connect to the VPN.
DD-WRT AND OPENVPN SETUP
Finally, I am attaching screenshots of my DD-WRT configuration page so you can simply copy the info. Remember, do not use the instructions in the tutorial above or you will become bald like me from pulling all of your hair out.
The server side configuration file is generated by DD-WRT when you select the Server radio button so you will not need to generate a separate server config file. Just fill in everything I have in the pics below and you should be fine. If you are running Windows, remember to disable Windows Firewall. This will save you about four hours of wasted time troubleshooting. DOH!!!
DD-WRT OPENVPN CONFIGURATION
As you can see, using Notepad++, you will only need to copy the data from the files and paste it in the "Public Server Cert" field (server.crt), the "Private Server Key" field (server.key) the "CA Cert" field (ca.crt), and the "DH PEM" field (dh1024.pem).
In the "Additional Config" field copy and paste the following:
Quote:
push "route 192.168.0.0 255.255.255.0"
push "dhcp-option DNS 192.168.0.1"
push "dhcp-option DNS 208.67.222.222"
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
The code here and the image below differ on the DNS setting only because I want the VPN to use the router as the DNS first.
FINAL THOUGHTS
Obviously, wherever I have used the 192.168.0.0 subnet you would enter whatever subnet you are using on your router.
Contrary to what all of the tutorials and forums say, there is no need to change any of the firewall settings in DD-WRT. Leave them as they are and keep your firewall within DD-WRT running.
Remember, disable the firewall on your computer when you start testing.
One last thing, when you begin testing and go live with the VPN, make sure you set BOTH your computer's clock AND the routers time to GMT. This is because there is a time signature in the security keys at the time they're generated. If the local time is earlier than GMT when they were generated, they will not work. Easiest workaround is to temporarily change the time on the computer and router to GMT.
REFERENCE MATERIALS
In conclusion, I wanted to add a few websites that I used to accomplish the task as they might be helpful. Just remember, for this late version of DD-WRT, they ALL have incorrect instructions, but each of them has some good information. Just use my above instructions for this version and you should be good.
This page explains a lot of the certificate detail. https://www.dd-wrt.com/wiki/index.php/VPN_(the_easy_way)_v24%2B
(phpBB didn't like the parentheses in that link, so you will need to copy/paste it into your browser's address field.)
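A check worth running on the client profile above, as an added example that is not from the post or from OpenVPN/DD-WRT: a small Python linter that parses an .ovpn and flags the settings a reviewer would question in the posted client1.ovpn. Three apply to it as written: no remote-cert-tls server (so any certificate signed by the same CA, including another client's, is accepted as the server), comp-lzo compression, and no tls-auth/tls-crypt key. The embedded SAMPLE_OVPN is the profile from the post, copied in as constructed input; the hostname is the post's placeholder, not a real server. harden_ovpn adds only remote-cert-tls server, which needs no server-side change provided the server certificate was made with EasyRSA's build-key-server (which sets the server extensions); cipher, auth and compression must stay in sync with the DD-WRT GUI, so the linter reports those rather than rewriting them. The BF-CBC default assumed for a missing cipher line is OpenVPN 2.2/2.3 behaviour, i.e. the versions used in this thread.

```python
"""Lint an OpenVPN client profile for missing or weak security settings.

Added example for this thread; not code from the original post or from
DD-WRT/OpenVPN.  SAMPLE_OVPN is the client1.ovpn posted above, copied
verbatim as constructed input; its hostname is the post's placeholder.
"""

# Constructed sample input: the client profile from the post.
SAMPLE_OVPN = """\
client
dev tap
proto tcp
remote yourddns.com_or_ip_address 1194
nobind
persist-key
persist-tun
verb 4
float
ca ca.crt
cert client1.crt
key client1.key
comp-lzo yes
tun-mtu 1400
auth SHA1
cipher AES-128-CBC
"""

# 64-bit block ciphers (SWEET32) and 'none'.  BF-CBC is the OpenVPN 2.2/2.3
# default when no 'cipher' line exists, so a missing line is also a finding.
WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC", "RC2-CBC", "none"}


def parse_ovpn(text):
    """Return [(directive, [args]), ...] for an .ovpn file.

    '#' and ';' start comments.  Inline <ca>/<cert>/<key>/<tls-auth> blocks
    are kept as one entry named after the tag so PEM lines are never parsed
    as directives.
    """
    entries, block, body = [], None, []
    for raw in text.splitlines():
        line = raw.strip()
        if block:
            if line == "</%s>" % block:
                entries.append((block, body))
                block, body = None, []
            else:
                body.append(line)
            continue
        if line.startswith("<") and line.endswith(">") and not line.startswith("</"):
            block = line[1:-1]
            continue
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            parts = line.split()
            entries.append((parts[0], parts[1:]))
    return entries


def lint_ovpn(text):
    """Return {finding_id: message} for a client profile."""
    entries = parse_ovpn(text)
    present = {d for d, _ in entries}
    opts = {d: a for d, a in entries}      # last occurrence wins, as in OpenVPN
    f = {}
    if not ({"remote-cert-tls", "ns-cert-type", "verify-x509-name"} & present):
        f["no-server-cert-check"] = (
            "add 'remote-cert-tls server': otherwise any certificate signed by "
            "your CA (another client's, for example) is accepted as the server")
    if "comp-lzo" in present or "compress" in present:
        f["compression"] = (
            "compression is enabled; disable it on both ends unless required "
            "(compressing attacker-influenced data leaks plaintext, cf. VORACLE)")
    cipher = opts.get("cipher", ["BF-CBC"])[0]
    if cipher in WEAK_CIPHERS:
        f["weak-cipher"] = "cipher %s is weak; use AES-128-CBC or better" % cipher
    auth = opts.get("auth", ["SHA1"])[0]
    if auth in {"MD5", "none"}:
        f["weak-auth"] = "auth %s gives no usable packet integrity" % auth
    if not ({"tls-auth", "tls-crypt"} & present):
        f["no-tls-auth"] = (
            "no tls-auth/tls-crypt key: the TLS port answers any probe; generate "
            "one with 'openvpn --genkey --secret ta.key' and set it on both ends")
    if "auth-user-pass" in present and "auth-nocache" not in present:
        f["password-cached"] = "auth-user-pass without auth-nocache keeps the password in memory"
    return f


def harden_ovpn(text):
    """Apply the one fix that needs no server-side change: require a server cert.

    Cipher/auth/compression must match the DD-WRT GUI or the client will not
    negotiate, so those are only reported by lint_ovpn, not rewritten here.
    """
    if any(d == "remote-cert-tls" for d, _ in parse_ovpn(text)):
        return text
    return text.rstrip("\n") + "\nremote-cert-tls server\n"


if __name__ == "__main__":
    for fid, msg in sorted(lint_ovpn(SAMPLE_OVPN).items()):
        print("%-22s %s" % (fid, msg))
```

Run it against your own client1.ovpn by replacing SAMPLE_OVPN with the file's contents; with the posted profile it reports no-server-cert-check, compression and no-tls-auth, and after harden_ovpn only the two that require a matching change on the router remain.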
What I have found is that 90% of the tutorials I have tried online are erroneous and factually inaccurate
Quote:
Contrary to what all of the tutorials and forums say, there is no need to change any of the firewall settings in DD-WRT. Leave them as they are and keep your firewall within DD-WRT running.
I just registered to say thanks for a brilliant post. I had spent several hours following other guides. Two minor additions I found:
1. I had chosen TUN in DD-WRT and already opened UDP on my external broadband router, so my client1.ovpn file ended up as:
client
dev tun
proto udp
remote yourddns.com_or_ip_address 1194
nobind
persist-key
persist-tun
verb 4
float
ca ca.crt
cert client1.crt
key client1.key
comp-lzo yes
tun-mtu 1400
auth SHA1
cipher AES-128-CBC
2. I found both the DD-WRT and Windows 10 firewalls could be re-enabled with no issues.
I have tested this today successfully with DD-WRT v3.0-r29627 std (05/12/16) on Netgear Nighthawk R7000 ac1900 with both Windows 10 OpenVPN openvpn-install-2.3.12-I602-x86_64 and iPhone 6 iOS 10 OpenVPN clients (I had used easy-rsa from openvpn-2.1.4-install to create the certificates).
The screenshots were missing for me before I logged in, so I attach a PDF print of my DD-WRT VPN service settings.
Posted: Fri Dec 16, 2016 20:08 Post subject: More compatible materials and releases
First: thanks to HappyDaddy getting me out a dead-end!
and thanks fluffuser for enlarging compatibility list.
Second: after getting the dead-end, I could verify that those releases from betas
(eko???, not sure about the naming, for sure, those I got there: http://www.dd-wrt.com/site/support/other-downloads?path=betas%2F)
worked fine on
TP-Link WR1043nd, version 1.8 and 1.10 of that hardware:
DD-WRT v3.0-r30016 std (betas/eko? 2016-06-24)
DD-WRT v3.0-r30880 std (betas/eko? 2016-11-14)
and those did NOT
DD-WRT v3.0-r29218 std (betas/eko?, 2016-03-07)
DD-WRT v3.0-r30949 std (betas/eko? 2016-12-15)
So there seems to be regression problems from betas because we have approximately alternate version working and working...
Can someone dissipate my doubts about the betas naming?
And by the occasion, give me a source of releases more reliable and with a material compatibility list as large as Betaseko?
Posted: Wed Dec 21, 2016 15:01 Post subject: Re: More compatible materials and releases
agromsl wrote:
First: thanks to HappyDaddy getting me out a dead-end!
and thanks fluffuser for enlarging compatibility list.
Second: after getting the dead-end, I could verify that those releases from betas
(eko???, not sure about the naming, for sure, those I got there: http://www.dd-wrt.com/site/support/other-downloads?path=betas%2F)
worked fine on
TP-Link WR1043nd, version 1.8 and 1.10 of that hardware:
DD-WRT v3.0-r30016 std (betas/eko? 2016-06-24)
DD-WRT v3.0-r30880 std (betas/eko? 2016-11-14)
and those did NOT (sorry, this was false. Once corrected an error in additional config, these 2 releases also work fine!)
DD-WRT v3.0-r29218 std (betas/eko?, 2016-03-07)
DD-WRT v3.0-r30949 std (betas/eko? 2016-12-15)
So there seems to be regression problems from betas because we have approximately alternate version working and working...
In fact, no such regression problems! (once again, sorry)
Can someone dissipate my doubts about the betas naming?
And by the occasion, give me a source of releases more reliable and with a material compatibility list as large as Betaseko?
Thanks.
Because the ISP offers very low speed at one end (the server's side) of that internet link (5 Mbps down but only 0.7 Mbps up, the limiting factor), I could get TAP working fine, as previously said, but the overhead that TAP implies, with a lot of service/protocol broadcast traffic, slows down the connection, even the client's LAN: when the VPN is connected, a ping from the client to Google DNS takes more than 110 ms. Once disconnected, it only takes 18 ms. When connected, latency is so high that a request to an SMTP server fails by timeout, while it works fine when disconnected.
No matter the speed of the client's internet connection, as long as the server's internet connection is slow, the problem shows up.
So I decided to try TUN, made the modification you recommend but I can't get the client to connect.
server's LAN is 192.168.1.0
client LAN is 172.20.0.0 (also tried in a LAN 10.1.1.0)
Was I right to keep 10.8.0.0 in DD-WRT's OpenVPN config «Network» field?
Was I right to start «Additional Config» with this line:
push "route 192.168.1.0 255.255.255.0"
?
In your screenshots, you hide the Advanced Options.
Those settings are hidden but might still be effective.
Do I assume settings there are exactly the same as in HappyDaddy's screen shots?
For safety, can you show us those Advanced Options?
I'm running Windows 10 on my machine and the intent of setting up a VPN on the router is so that I can easily run VNC on my home network while away via iPhone, iPad, or my laptop. I didn't find out until after the fact that iOS does not support TAP based tunnels at this time.
THANK YOU for this awesome post. Followed it perfectly today to set up my VPN. I too am looking for a way to use this with iOS devices though - have you had any luck getting it to work with your iPhone/iPad yet? Please keep us posted here if you are successful
Thanks for this post -- been working at this for a couple days and this is the most progress I have made. That said, I am still not able to complete a connection. Or more accurately, it looks like I connect, but then the connection resets.
In the connection log, I receive the following message:
Code:
SIGUSR1[soft,connection-reset] received, process restarting
and then it waits 5 seconds and continues to loop through the connection/reconnection process...
Windows firewall is off, and I followed the post pretty closely. Any advice on where to start troubleshooting would be appreciated!
You shouldn't ask people for the .ovpn file for security reasons. The .ovpn file is like a key. Will you share your key with strangers? If you are using a VPN service provider, the service provider will provide you the .ovpn file. If you are using your own OpenVPN server, you should generate your own .ovpn file. Anyway, .ovpn files are not for sharing!
The .ovpn file for OpenVPN for iPhone is just the client config details such as protocol type, port, mtu, etc. It does not contain any private information other than perhaps the domain/ip address you are connecting to which could easily be removed. It is not like a key.