DD-WRT OpenVPN guide for complete dummies

zaiuss
DD-WRT Novice


Joined: 25 Jul 2018
Posts: 6

PostPosted: Thu Aug 16, 2018 15:01
Thanks egc for the quick reply!

I should have clarified. I used my friend's network who also had the same IP addressing (router was 192.168.1.1). Does that make a difference?
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

PostPosted: Thu Aug 16, 2018 15:22
YES, that is why in my guide it is said that you better use a network address which is not frequently used (e.g. 192.168.22.1) for your own home network.
OpenVPN in TUN mode has to have 3 different subnets: home subnet, VPN subnet and clients subnet. Otherwise it gets confused and does not know where to route.

from my guide first paragraph:
Quote:
I have set the router up as default so the router's IP is 192.168.1.1. This is not recommended: as the router's subnet (192.168.1.0), the OpenVPN subnet (10.8.0.0) and the clients' subnet must all be different, it is advised to use a subnet for the router which is not often used, so a better choice for the router's IP/subnet would be something like 192.168.49.1/255.255.255.0

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
zaiuss
DD-WRT Novice


Joined: 25 Jul 2018
Posts: 6

PostPosted: Thu Aug 16, 2018 17:14
Ah! That's why!

Ok! I'll try changing my home network to say 192.168.22.1 (as suggested) and devices to 192.168.22.X.

Do I need to change the subnet/gateway address or "push route" differently?

Thanks again!
zaiuss
DD-WRT Novice


Joined: 25 Jul 2018
Posts: 6

PostPosted: Thu Aug 16, 2018 17:35
(or change the firewall rules?)
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

PostPosted: Fri Aug 17, 2018 8:01
zaiuss wrote:
Ah! That's why!

Ok! I'll try changing my home network to say 192.168.22.1 (as suggested) and devices to 192.168.22.X.

Do I need to change the subnet/gateway address or "push route" differently?

Thanks again!


Yes you need to adjust settings accordingly i.e.
Code:
push "route 192.168.22.0 255.255.255.0 vpn_gateway"

And if you are pushing the DNS server:
Code:
push "dhcp-option DNS 192.168.22.1"

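An added example (Python, written for this page and not taken from the thread, from egc's guide or from DD-WRT) that models what egc explains in his two replies above: the three subnets a TUN setup involves must not overlap, and the client's route for the home LAN comes from the pushed `route ... vpn_gateway` line. All subnet values are constructed; the route lookup is a plain longest-prefix match standing in for the client OS.

```python
import ipaddress

# Constructed example values (not taken from anyone's router in the thread).
HOME_LAN = "192.168.22.0/24"     # LAN behind the DD-WRT OpenVPN server
VPN_SUBNET = "10.8.0.0/24"       # the "server 10.8.0.0 255.255.255.0" subnet
CLIENT_LAN = "192.168.1.0/24"    # the Wi-Fi the road-warrior client sits on


def overlapping_pairs(home_lan, vpn_subnet, client_lan):
    """Names of every pair of the three subnets that overlap (empty if OK).

    In TUN mode the home LAN, the tunnel subnet and the client's own LAN must
    all be distinct; any overlap makes the client's route choice ambiguous.
    """
    nets = {
        "home_lan": ipaddress.ip_network(home_lan),
        "vpn_subnet": ipaddress.ip_network(vpn_subnet),
        "client_lan": ipaddress.ip_network(client_lan),
    }
    names = list(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def client_route_table(client_lan, home_lan, vpn_subnet):
    """Routes a connected client holds: its own LAN (directly connected), the
    tunnel subnet, and the home LAN installed by the server's
    push "route <home_lan> <mask> vpn_gateway" line."""
    return [
        (client_lan, "local_wifi"),
        (vpn_subnet, "tun0"),
        (home_lan, "tun0"),
    ]


def next_hop(dest, routes):
    """Longest-prefix-match lookup over (prefix, via) tuples.

    Returns the winning interface, "default" when nothing matches, or
    "ambiguous" when two equally long prefixes match. A real OS breaks that
    tie by metric, usually in favour of the directly connected Wi-Fi route,
    so packets for the home LAN never enter the tunnel.
    """
    addr = ipaddress.ip_address(dest)
    matches = [(ipaddress.ip_network(p), via) for p, via in routes
               if addr in ipaddress.ip_network(p)]
    if not matches:
        return "default"
    best_len = max(net.prefixlen for net, _ in matches)
    best = [via for net, via in matches if net.prefixlen == best_len]
    return best[0] if len(best) == 1 else "ambiguous"


if __name__ == "__main__":
    # Same prefix at home and at the friend's house: clash and ambiguous lookup.
    print(overlapping_pairs("192.168.1.0/24", VPN_SUBNET, CLIENT_LAN))
    print(next_hop("192.168.1.200",
                   client_route_table(CLIENT_LAN, "192.168.1.0/24", VPN_SUBNET)))
    # Distinct home subnet: no clash, camera traffic goes into the tunnel.
    print(overlapping_pairs(HOME_LAN, VPN_SUBNET, CLIENT_LAN))
    print(next_hop("192.168.22.200",
                   client_route_table(CLIENT_LAN, HOME_LAN, VPN_SUBNET)))
```

Run it as-is and the first lookup reports "ambiguous" (home and friend's LAN both 192.168.1.0/24), while after moving home to 192.168.22.0/24 the camera address resolves to tun0. The check is cheap to run before changing the router, and it is the reason the guide recommends an uncommon home subnet: the friend's LAN is the one subnet you do not control.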
zaiuss
DD-WRT Novice


Joined: 25 Jul 2018
Posts: 6

PostPosted: Sat Aug 18, 2018 17:52
Thanks egc! I got mostly everything working.

I had some time to play around with it some more.

I changed my main router to 192.168.22.1, and the other OpenVPN router to 192.168.22.2 as suggested. Cameras are on 192.168.22.200+

1) works fantastic on wifi and mobile data from my friend's house on my phone. I can connect on OpenVPN no problem, and can see my cameras and can surf the net via my home network. Everything is solved on my cellphone.

2) using my mac laptop on wifi at my friend's, it cannot see my devices nor access the web. I'm pretty sure I'm using the same .ovpn. There must be some setting in Viscosity which is blocking me. I will dig some more.

Many thanks for your help.
zaiuss
DD-WRT Novice


Joined: 25 Jul 2018
Posts: 6

PostPosted: Sun Aug 19, 2018 0:20
I got everything working. I had to remove the vpn_gateway command in the ovpn.

fyi, I changed

comp-lzo yes
to
compress lzo

as "comp-lzo yes" is deprecated
Andr0med
DD-WRT Novice


Joined: 04 Feb 2017
Posts: 10

PostPosted: Mon Nov 19, 2018 22:16    Post subject: Server settings
Hey guys, please excuse the networking ignorance but would appreciate some guidance here (I've changed some of the digits around):

My router's address and LAN IP is 192.168.20.10 with DHCP from 30-60 (i.e. 192.168.20.30, 192.168.20.31, etc) and the OpenVPN network I'd like to use is 192.168.21.0

1. So given the above, which from the below is correct:
a) push "route 192.168.20.10 255.255.255.0"
b) push "route 192.168.20.0 255.255.255.0"
c) push "route 192.168.20.30 255.255.255.0"

2. This is correct right?
server 192.168.21.0 255.255.255.0

3. Should I use public DNS servers or IP of my router?
a) push "dhcp-option DNS 208.67.222.22"
a) push "dhcp-option DNS 208.67.220.220"
b) push "dhcp-option DNS 192.168.20.1 (.0 .1 or .10)

4. Include this as well?
push "redirect-gateway def1"

Many thanks in advance!
mrjcd
DD-WRT Guru


Joined: 31 Jan 2015
Posts: 6268
Location: Texas

PostPosted: Mon Nov 19, 2018 22:42
Quote:
router IP is 192.168.20.10 255.255.255.0

#This would be correct --
push "route 192.168.20.0 255.255.255.0"
push "dhcp-option DNS 192.168.20.10"
#will use the same DNS as the router uses
#or if you want different DNS
push "dhcp-option DNS 208.67.222.22"
push "dhcp-option DNS 208.67.220.220"
#or better
push "dhcp-option DNS 9.9.9.9"
push "dhcp-option DNS 149.112.112.112"
#the last two are QUAD9 DNS servers
Quote:
push "redirect-gateway def1"

You should have 'Advanced Options' enabled and then just enable 'Redirect default Gateway' in the GUI.
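An added example (Python, not from the thread or from DD-WRT) that works through the question above and mrjcd's answer: the address in `push "route"` has to be the LAN's network address, which the code derives from the router's host IP and mask, and the tunnel subnet must not overlap the LAN. The values are the constructed ones from the question (router 192.168.20.10/24, tunnel 192.168.21.0/24); the helper names are this example's own.

```python
import ipaddress


def lan_network(router_ip, netmask):
    """The LAN's network address from the router's host IP and mask, e.g.
    192.168.20.10 / 255.255.255.0 -> 192.168.20.0/24.
    This is what push "route" needs: the network, not the router's own host
    address and not the first address of the DHCP pool."""
    return ipaddress.ip_interface(f"{router_ip}/{netmask}").network


def is_network_address(ip, netmask):
    """True only when ip has all host bits zero, i.e. it is the network address."""
    iface = ipaddress.ip_interface(f"{ip}/{netmask}")
    return iface.ip == iface.network.network_address


def server_push_lines(router_ip, netmask, vpn_subnet, dns_servers=(),
                      redirect_gateway=False):
    """Assemble the server-side lines discussed in the thread, validating the
    addresses and refusing a tunnel subnet that overlaps the LAN."""
    lan = lan_network(router_ip, netmask)
    vpn = ipaddress.ip_network(vpn_subnet)  # strict: must be a network address
    if lan.overlaps(vpn):
        raise ValueError(f"VPN subnet {vpn} overlaps the LAN {lan}")
    lines = [
        f"server {vpn.network_address} {vpn.netmask}",
        f'push "route {lan.network_address} {lan.netmask}"',
    ]
    for dns in dns_servers:
        ipaddress.ip_address(dns)  # raises ValueError on a malformed address
        lines.append(f'push "dhcp-option DNS {dns}"')
    if redirect_gateway:
        # Same effect as enabling 'Redirect default Gateway' in the DD-WRT GUI
        lines.append('push "redirect-gateway def1"')
    return lines


if __name__ == "__main__":
    # Constructed values from the question: router 192.168.20.10/24,
    # DHCP pool .30-.60, tunnel subnet 192.168.21.0/24.
    for candidate in ("192.168.20.10", "192.168.20.0", "192.168.20.30"):
        kind = "network address" if is_network_address(candidate, "255.255.255.0") else "host address"
        print(candidate, kind)
    print("\n".join(server_push_lines("192.168.20.10", "255.255.255.0",
                                      "192.168.21.0/24", ["192.168.20.10"],
                                      redirect_gateway=True)))
```

Of the three candidates only 192.168.20.0 is a network address, which is option b) in the question; the generated block matches mrjcd's answer line for line, with the router's own IP as the DNS server so clients resolve through whatever the router already uses.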
wurts_leg
DD-WRT Novice


Joined: 14 Dec 2018
Posts: 4

PostPosted: Sat Dec 15, 2018 22:04
Hi all,

First off, thank you to @Boogalooz for putting together this guide. However, I am hoping a fine person would be able to help me with my own setup.

Here is what I am trying to achieve:

Code:

Offsite device(To OpenVPN Server)

Internet

Router(Running OpenVPN client to AirVPN (policy based to Rpi) and OpenVPN Server)
↕                   
Rpi(AirVPN) + Other devices on LAN   


So far I got my OpenVPN client working and policy routed to my Rpi which is on the LAN. What I'd like is to have an offsite device (like my smartphone) VPN to the server on the router to be able to connect to the other devices on the LAN (I have some other devices including the pi running web services only available to the LAN). I'd possibly like to have the option to have the offsite device access the internet through the OpenVPN server on the router.

The status page says the client and server are connected, but I cannot connect my phone (I disabled WiFi to test through the carrier network) to the VPN server. Apologies if this seems extremely n00bish/way in over my head, but I like to learn. Any help is appreciated. Code and screenshots below:

Linksys EA6900 running DD-WRT v3.0-r37015M kongac (09/23/18)
EDIT: Router operating as gateway.

Basic Router Settings:
[img]
https://drive.google.com/file/d/1rlDqdN_U_tP8DJZhWm8PXHhsyabsBY4T/view?usp=sharing
[/img]

Server Configuration:
[img]
https://drive.google.com/file/d/1s9K-hTevEJAGW18PmBc36R5UDakwNfKS/view?usp=sharing
[/img]

Client Configuration:
[img]
https://drive.google.com/file/d/1ffa2vNPfL0LLfkQ1vPPpAmlW1xzvnFAH/view?usp=sharing
[/img]

Firewall Settings (first line is kill switch for the Pi):
Code:

iptables -I FORWARD -s 192.168.1.105 -o $(nvram get wan_iface) -j DROP
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE
iptables -I INPUT 1 -p tcp --dport 443 -j ACCEPT
iptables -I FORWARD 1 --source 10.8.0.0/24 -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
WAN_IF="$(route -n | awk '/^0.0.0.0/{wif=$NF} END {print wif}')"
iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o $WAN_IF -j MASQUERADE


OpenVPN States (Status Page):
Code:

Server: CONNECTED SUCCESS
Local Address: 10.8.0.1
Remote Address:

Client: CONNECTED SUCCESS
Local Address: 10.26.220.111
Remote Address: 10.26.220.111


client.ovpn
Code:

remote my.DNS.com 443
client
dev tun
proto udp
nobind
persist-key
persist-tun
remote-cert-tls server
auth-nocache
verb 4
float
comp-lzo
tun-mtu 1500
auth SHA256
cipher AES-256-CBC
resolv-retry infinite

ca "ca.crt"
cert "my-phone.crt"
key "my-phone.key"
tls-auth "ta.key" 1
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

PostPosted: Sun Dec 16, 2018 8:05
Why is this setup as "Start Type: System" and "Config as: Daemon"? This makes it complicated to setup and debug.

Is your EA6900 equipped with the Xvortex CFE to solve the 32Kb bug?

Edit: I just checked the guide in this thread, most firewall rules in that case are redundant

Attached are my notes on how I set up an OpenVPN server.

wurts_leg
DD-WRT Novice


Joined: 14 Dec 2018
Posts: 4

PostPosted: Sun Dec 16, 2018 17:13    Post subject: Thanks for the Updated guide
@egc,

Thanks so much for the updated guide! I agree that running it in daemon mode made things much harder. I decided to start from scratch and follow the guide and it worked!

After i got it working, i wanted to try and add TLS authentication for extra security. To accomplish this in the command prompt:
Code:

cd C:\Program Files\OpenVPN\bin
openvpn --genkey --secret ta.key

I then copied the contents of ta.key into the "TLS Auth Key" field in the OpenVPN Server/Daemon page. On that page I also changed the setting "TLS cipher" to "TLS-DHE-RSA-WITH-AES-256-GCM-SHA384"

I also added the line:
Code:

tls-auth "ta.key" 1

at the end of the client1.ovpn file. This all worked as well.

To answer your other question, yes my EA6900 is equipped with the XVortex CFE to solve the 32KB bug. Right now my NVRAM is 45 KB / 64 KB.

I am wondering though if I were to generate the keys/certificates by keeping the key size in the vars.bat file default (4096), if it would overload my NVRAM. If not, do you think I would have to change the cipher type in the settings?

Thanks!
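An added example (Python, not from the thread, from DD-WRT or from OpenVPN's own code) for the tls-auth step in the post above. The failure mode worth checking when a `ta.key` is pasted into a GUI field is a truncated or mangled copy, so the parser validates the static key file format that `openvpn --genkey --secret ta.key` writes (BEGIN/END markers around 256 bytes of hex) and a second helper checks the key-direction pairing OpenVPN requires, server 0 and client 1, which is what the posted `tls-auth "ta.key" 1` client line relies on. The sample key is constructed from a fixed seed for the demo and is not a real key.

```python
import hashlib
import re

BEGIN = "-----BEGIN OpenVPN Static key V1-----"
END = "-----END OpenVPN Static key V1-----"
KEY_BYTES = 256  # 2048-bit static key as written by `openvpn --genkey --secret`


def parse_static_key(text):
    """Parse an OpenVPN static key file and return its 256 raw bytes.

    Raises ValueError for a truncated or corrupted paste, the usual failure
    when the key is copied into a GUI field by hand.
    """
    lines = [line.strip() for line in text.splitlines()]
    body = [line for line in lines if line and not line.startswith("#")]
    if not body or body[0] != BEGIN or body[-1] != END:
        raise ValueError("missing BEGIN/END markers")
    hexdata = "".join(body[1:-1])
    if not re.fullmatch(r"[0-9a-fA-F]*", hexdata):
        raise ValueError("non-hex characters in key body")
    raw = bytes.fromhex(hexdata)
    if len(raw) != KEY_BYTES:
        raise ValueError(f"expected {KEY_BYTES} key bytes, got {len(raw)}")
    return raw


def key_directions_consistent(server_dir, client_dir):
    """tls-auth key direction: server 0 / client 1, or neither side sets one.
    Both sides using the same direction means HMACs never verify."""
    if server_dir is None and client_dir is None:
        return True
    return {server_dir, client_dir} == {0, 1}


def constructed_key_file():
    """A syntactically valid key file built from a fixed seed for this demo.
    Not a real key: never derive tls-auth material deterministically."""
    raw = b"".join(hashlib.sha256(b"demo-%d" % i).digest() for i in range(8))
    hexdata = raw.hex()  # 256 bytes -> 512 hex chars -> 16 rows of 32
    rows = [hexdata[i:i + 32] for i in range(0, len(hexdata), 32)]
    return "\n".join(["#", "# 2048 bit OpenVPN static key", "#",
                      BEGIN, *rows, END, ""])


if __name__ == "__main__":
    key = parse_static_key(constructed_key_file())
    print(len(key), "key bytes parsed")
    print("server 0 / client 1 ok:", key_directions_consistent(0, 1))
    print("client 1 / server 1 ok:", key_directions_consistent(1, 1))
```

To use it on a real file, read `ta.key` from disk and pass the text to `parse_static_key`; if it returns without an exception, the copy that reached the router is intact, and the only remaining thing to verify is that the server side uses direction 0 while the `.ovpn` uses 1.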
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

PostPosted: Sun Dec 16, 2018 17:30
Glad you got it working.

A key size of 2048 is more than adequate, and of course a longer key size will take up more RAM but not that much.
So your RAM is probably not a problem if you want a key size of 4096.

Regarding the use of a TLS auth key, that is in my opinion not needed for normal security.
It can be handy if you experience a lot of attacks but for normal use not necessary, but as said this is only my opinion.
I am more of an experienced user than an expert in this field.

wurts_leg
DD-WRT Novice


Joined: 14 Dec 2018
Posts: 4

PostPosted: Mon Dec 17, 2018 2:31
Yea, the more I thought of it, the more I think it'll be fine. I've spent the last few days getting up to the point of it working, so now I will go forward with "if it ain't broke, don't fix it"

Thanks again!
Cindy62707
DD-WRT Novice


Joined: 22 Dec 2018
Posts: 20

PostPosted: Tue Dec 25, 2018 7:38    Post subject: Re: DD-WRT OpenVPN guide for complete dummies
Boogalooz wrote:
I have compiled an OpenVPN guide for complete dummies (like me), as a pdf.

The information is scattered around this website and others, but not a single guide I was able to dig up, had all of the information I needed to get my router (Linksys WRT-1900AC v2) up and running with OpenVPN.

I decided it was worth the time to compile the data I found into one easy to reference guide, that could be downloaded and shared.

Hopefully, this guide will save about a week of your life. That is how much time it took me to try and fail over and over to make OpenVPN work on my router.

I would really like feedback here. If you try this guide out, and you find any issues that prevent you from establishing an OpenVPN connection on your computer using the settings I have included in the guide, PLEASE let me know. I will amend the guide and put up a new revision.

As you will see in the guide, this method assumes that your DD-WRT router is secondary to your primary internet facing router. I do not go into detail on the methods for setting up a DD-WRT router as the primary WAN/DHCP router on your network. If this guide gets any traction, we can discuss those methods and amend the guide accordingly.

The idea here is to make it easy for people to find the information they need to get OpenVPN up and running without having to scour the internet for easter eggs.

Let me know what you think.


I see your post but can't find the guide you are talking about. I am having trouble getting OpenVPN to connect using IPVanish settings. Thank you.