Joined: 18 Mar 2014 Posts: 13446 Location: Netherlands
Posted: Fri Feb 22, 2019 13:52 Post subject: OpenVPN Server Setup guide
OpenVPN Server Setup guide
To work with this guide you need build number 52242 or higher.
v1.30 added instructions for TAP setup
v1.31 added chapter about running an OpenVPN server and OpenVPN client together (Policy Based Routing)
v1.34 added chapter about CCD for setting a static lease
v1.35 added chapter about two way communication over TUN/routed interface
v1.39 added some clarifications in response to comments
v1.40 added use of tls-crypt and username/password
v1.41 corrected and amended TAP setup
v1.42 added instructions for iOS
v1.43 some cleanup
v1.44 textual changes
v1.46 textual changes
v1.47 textual changes
v1.49 textual changes
v1.50 Added extra solutions for running a client and server on the same router
v1.51 Some textual changes
v1.52 Some tidying up and added how to block outside DNS on Windows
v1.53 Some textual changes
v1.55 Some corrections
v1.56 added new ciphers, and adapted the NAT rule for the VPN
v1.57 Updated picture of DDWRT VPN client
v1.58 Some text clarifications
v1.59-v1.62 Cleaning up switch to pdf format, new ciphers
v1.63 Choice between tls-auth and tls-crypt, compression options, check Server Certificate
v1.66 tidying up and adding some information about using username and password
v1.67 corrected some typos
v1.70 CVE-2019-14899 Information and workarounds, build 41791 and after
v1.71 Corrected some typos
v1.74 Added instructions for using all-in-one client file
v1.76 reference to troubleshooting guide
v1.78 added instructions for Static Key
v1.89 for use with OpenVPN 2.5 and Easy RSA 3
v1.93 Improved instruction for static key setup
v1.94 Corrected instructions for CCD and auth-user-pass
v1.96 Updated TAP instructions
v1.98 For builds from 46681
v2.04 Updates (Static Key)
v2.06 Update site-to-site (LAN2LAN) setup
v25 Update with Bypass LAN Same-Origin Policy
v27 Automatic making of partial client config
v28 Preparing for setting username and password in the GUI
v30 Small updates
v32 Added IPv6 for OpenVPN server
v33 Added instructions for tls-crypt-v2
v34 Added reference for Scramble (obfuscation)
so, quite sincerely, thank you! This worked. Looks like when I was setting up other configurations, my encryptions were off.
Just an FYI, I did modify your directions slightly. You had it set up as router (tun), and I changed it to Bridge (tap). I only need a small number of clients connected, and this easily enables me to see everything on the network, on the same subnet. No push routes required, no firewall adjustments needed.
Joined: 18 Mar 2014 Posts: 13446 Location: Netherlands
Posted: Thu Mar 07, 2019 8:38 Post subject:
Glad you got it working.
Yes I only deal with TUN as TAP is not compatible with iOS and Android (at least not out of the box).
Besides it will generate more traffic/overhead via the bridge and it opens up your whole network so security wise it is worse.
However it has a big advantage: seamless access.
So if you use the VPN to connect, let's say, 2 family homes where you want to have seamless access/media streaming etc., then TAP is a valid option.
A tap doc and script would be nice.
For those rare situations.
A real world example for me:
Friend lives in a diff state than I.
We have an old LAN only golfing game.
With a tap vpn we could play the game again.
Thanks
Mike
_________________
Router currently owned:
Netgear R7800 - Router
Netgear R7000 - AP mode
Joined: 18 Mar 2014 Posts: 13446 Location: Netherlands
Posted: Sat Mar 09, 2019 11:11 Post subject:
Hi Mike
I am currently working on instructions for a TAP setup.
I can not properly test it as I do not have a laptop with cellular.
But I think I have it going, connecting from a Windows PC to DDWRT router/OVPN TAP server.
One problem I encountered is that the TAP adapter is set on a public network profile and that is firewalled from everything. But that is also solved.
Posted: Sun Mar 10, 2019 16:41 Post subject: looking for guide
Where is the guide? Am I overlooking something or did it get taken down? I'm trying to set up OpenVPN server on a WRT1900ACv2. I tried a guide on the internet that involved generating keys but it didn't bring up the server and I couldn't easily check the logs.
Posted: Sun Mar 10, 2019 16:47 Post subject: Re: looking for guide
Mokdore wrote:
Where is the guide? Am I overlooking something or did it get taken down? I'm trying to set up OpenVPN server on a WRT1900ACv2. I tried a guide on the internet that involved generating keys but it didn't bring up the server and I couldn't easily check the logs.
Posted: Tue Mar 12, 2019 20:23 Post subject: Re: OpenVPN server setup guide by egc
egc wrote:
Attached are my notes for setting up an OpenVPN server on DDWRT routers.
As many people found them helpful and succeeded in setting up an OpenVPN server, I decided to place my notes in a separate thread.
As not all people were successful there is definitely room for improvement.
So your remarks and additions are more than welcome.
You can always PM me or leave your remarks or questions in this thread.
I will try to keep the guide updated with your comments.
Note: you can only see and download the guide if you are logged in
Brilliant, used this guide as you recommended on another post to me.
Took the guide advice and put the network on 192.168.49.x and this took the most time as I have a lot of statics.
Anyway, first after refreshing my whole WRT (R7000) install I set up my expressVPN client in the VPN settings, and all good.
Then followed your instructions (which apart from a couple of minor spillchickins) as they are brilliant, I would only note the STEP 9 on "second/more clients" needs a small edit to update the last two lines to correct .crt .key filenames but I still smoothly installed on my android for remote testing.
What I found so far, I do not get a connection UNTIL I disable the clientVPN, when enabled it knocks out remote connections, not LAN ones, although I am not worried about LAN ones.
I want to do this, leave the WRT-serverVPN running which allows me to tunnel in using the oVPN client setup (on mobile 4G), but also keep the WRT-clientVPN running so all my outbound traffic is tunnelled via expressVPN.
I will manually add expressVPN settings to my oVPN app so if I don't want to use my landline ADSL data, I can free that up and use the secondary expressVPN direct from my mobiles.
This just means to see my CCTV etc, I need to swap vpn profiles.
Am I missing something on the issue regarding having WRT client/server running together?
I did add the firewall cmd as per the instructions, not sure if it was in the "pushing routes" section as I was unclear of the reasoning for this?
Joined: 18 Mar 2014 Posts: 13446 Location: Netherlands
Posted: Tue Mar 12, 2019 20:44 Post subject:
You did not miss anything.
But when using an OVPN server and client on the same router you have to use Policy based routing on the OVPN client.
Otherwise traffic goes in through the WAN and is routed out through the vpn client and the firewall will not do that.
For policy based routing enter the ip addresses of the clients you want to route via the VPN client in the PBR field of the client; use CIDR notation and do not include the router itself.
The ddwrt PBR implementation has some flaws; if you run into that then see my signature for a better implementation.
If you have your android client connected to your OVPN server you can have it use your outbound vpn client by adding the IPs of the OVPN server to the PBR field.
I.e. add 10.8.0.2 to the PBR field.
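
An added example, not part of the thread or of DD-WRT: a small Python helper that works out CIDR entries for a PBR field covering every LAN host except the router, plus a VPN tunnel address as a /32. The 192.168.49.0/24 subnet and 10.8.0.2 come from the posts above; the router address 192.168.49.1 and the function names are assumptions, and the entries still have to be entered in whatever form the PBR field expects.

```python
import ipaddress


def pbr_entries(lan_cidr, router_ip, extra_hosts=()):
    """CIDR blocks covering every usable host in lan_cidr except router_ip,
    followed by each extra host (e.g. a VPN tunnel address) as a /32."""
    lan = ipaddress.ip_network(lan_cidr, strict=True)
    router = ipaddress.ip_address(router_ip)
    if router not in lan:
        raise ValueError(f"{router} is not inside {lan}")

    # Usable host range: skip the network and broadcast addresses.
    first, last = lan.network_address + 1, lan.broadcast_address - 1

    # Split the range around the router so it is never covered.
    ranges = []
    if router > first:
        ranges.append((first, router - 1))
    if router < last:
        ranges.append((router + 1, last))

    blocks = []
    for lo, hi in ranges:
        blocks.extend(ipaddress.summarize_address_range(lo, hi))
    for host in extra_hosts:
        blocks.append(ipaddress.ip_network(host))  # bare address becomes /32
    return [str(b) for b in blocks]


def covers(entries, ip):
    """True if any CIDR entry contains ip; use it to audit a PBR list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(e) for e in entries)


if __name__ == "__main__":
    # Assumed router address; subnet and tunnel address as quoted in the thread.
    entries = pbr_entries("192.168.49.0/24", "192.168.49.1", ["10.8.0.2"])
    print("\n".join(entries))
    print("router covered:", covers(entries, "192.168.49.1"))
```

Running `covers` against an existing PBR list is a quick way to confirm the router's own address has not slipped into one of the blocks.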