How to set up OpenVPN client on DD-WRT (Asus RT-N18U)?

Stepan_54
DD-WRT Novice


Joined: 20 May 2019
Posts: 1

Posted: Mon May 20, 2019 10:26    Post subject: How to set up OpenVPN client on DD-WRT (Asus RT-N18U)?
Hi, how do I set up an OpenVPN client?

I have a *.ovpn file. I tried using this file with the standard Asus RT-N18U firmware, and I can connect to the server. A PC behind the router can access a PC in the OpenVPN network. But I also need access from a PC in OpenVPN to a PC behind the router. I can't do that, so I decided to use the dd-wrt firmware.

I want to connect to my VPN with some features:

1. Auto connection to my OpenVPN server.
I have the ovpn file which I used when I tried to set up the OpenVPN client with the standard Asus firmware.

2. Access from a PC behind the router to a PC in the VPN

3. Access from a PC in the VPN to a PC behind the router
Like port forwarding? Or something else?
For example:
PC_1 behind the router has IP 192.168.0.10
PC_2 behind the router has IP 192.168.0.11

Router IP in the VPN: 10.10.0.38

Also I have a PC which connects to the VPN and has IP 10.10.37. I want access to port 22 on PC_1 (192.168.0.10) using 10.10.0.38:122, and on PC_2 using 10.10.0.38:222.

4. All other traffic not to the VPN must go over the WAN, not over the VPN.

ovpn file (I deleted some parts of the private key):
Code:

dev tun
proto tcp
remote 194.58.140.104 1500
client
resolv-retry infinite
persist-key
persist-tun
comp-lzo
verb 3


Certificate:
Data:
Version: 3 (0x2)
Serial Number:
b7:de:14:fc:7f:6a:2f
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=dcdaily.ru
Validity
Not Before: Apr 26 08:47:40 2019 GMT
Not After : Oct 16 08:47:40 2024 GMT
Subject: CN=test_kiosk_MV
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Subject Key Identifier:
9B:51:47:FC:DF:CB:B6:F0:09
X509v3 Authority Key Identifier:
keyid:DD:14:F6:65
DirName:/CN=site.ru
serial:DE:6D:B

X509v3 Extended Key Usage:
TLS Web Client Authentication
X509v3 Key Usage:
Digital Signature
Signature Algorithm: sha256WithRSAEncryption
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8034

Posted: Mon May 20, 2019 20:35
Sounds to me like what you're after is a site-to-site configuration.

In order for devices on the local network behind the OpenVPN server to reach devices behind the OpenVPN client, you need three things.

1) To inform the OpenVPN client of the local network behind the OpenVPN server. Usually that's via a push directive in the OpenVPN server config. Since you didn't provide that information, I can't be more specific than x.x.x.0.

Code:
push "route x.x.x.0 255.255.255.0"


2) A route directive in the OpenVPN server config which specifies the local network behind the OpenVPN client.

Code:
route 192.168.0.0 255.255.255.0


3) An iroute directive in a file based on the common-name of the OpenVPN client that's placed in the CCD directory (on the *server* side).

Code:
iroute 192.168.0.0 255.255.255.0


It's this last requirement that ppl usually overlook.

Please see https://community.openvpn.net/openvpn/wiki/RoutedLans for more details.

By default, the router looks in the following directory for the CCD files.

Code:
/jffs/etc/openvpn/ccd


But it can be overridden using the client-config-dir directive in Additional Config.

_________________
DD-WRT: DNS Leak Detection w/ VPNs (updated 6/5/19)
NEW SCRIPT!: ddwrt-mount-usb-drives.sh
NEW SCRIPT!: ddwrt-blacklist-domains.sh
NEW SCRIPT!: ddwrt-ovpn-remote-access.sh
NEW SCRIPT!: ddwrt-pptp-policy-based-routing.sh
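
The three requirements in the post above can be checked mechanically on the server side. The script below is an added example, not part of the original post or of DD-WRT: the function names, the temporary paths and the server LAN 10.20.30.0 are constructed for illustration, the client LAN 192.168.0.0 comes from the thread, and the CCD file name test_kiosk_MV is the Subject CN shown in the certificate dump in the first post.

```shell
#!/bin/sh
# Added example: audit an OpenVPN *server* config for the three site-to-site
# requirements (push route, route, iroute in the per-client CCD file).

# has_directive FILE WORD...
# True if FILE contains an uncommented line consisting of exactly these words,
# ignoring double quotes, extra whitespace and trailing # or ; comments.
has_directive() {
    file=$1; shift
    [ -f "$file" ] || return 1
    want=$*
    tr -d '"' < "$file" | sed 's/[#;].*//' | awk -v want="$want" '
        { $1 = $1 }                 # collapse whitespace
        $0 == want { found = 1 }
        END { exit !found }'
}

# audit_site_to_site SERVER_CONF CCD_DIR CLIENT_CN CLIENT_NET SERVER_NET MASK
# Prints one line per missing requirement and returns how many are missing.
audit_site_to_site() {
    conf=$1 ccd=$2 cn=$3 client_net=$4 server_net=$5 mask=$6
    missing=0
    has_directive "$conf" push route "$server_net" "$mask" || {
        echo "MISSING (1): push \"route $server_net $mask\" in $conf"
        missing=$((missing + 1)); }
    has_directive "$conf" route "$client_net" "$mask" || {
        echo "MISSING (2): route $client_net $mask in $conf"
        missing=$((missing + 1)); }
    # The CCD file must be named exactly after the client certificate's CN.
    has_directive "$ccd/$cn" iroute "$client_net" "$mask" || {
        echo "MISSING (3): iroute $client_net $mask in $ccd/$cn"
        missing=$((missing + 1)); }
    return "$missing"
}

# Constructed sample: steps 1 and 2 are present, the CCD file is not.
# 10.20.30.0 is a made-up server LAN (the thread only gives x.x.x.0).
demo=$(mktemp -d)
mkdir "$demo/ccd"
printf '%s\n' 'client-config-dir ccd' \
    'push "route 10.20.30.0 255.255.255.0"' \
    'route 192.168.0.0 255.255.255.0   # LAN behind the client' \
    > "$demo/server.conf"
audit_site_to_site "$demo/server.conf" "$demo/ccd" test_kiosk_MV \
    192.168.0.0 10.20.30.0 255.255.255.0 || echo "requirements missing: $?"
```

On a DD-WRT server the CCD directory argument would be /jffs/etc/openvpn/ccd unless client-config-dir overrides it.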
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 3682
Location: Netherlands

Posted: Tue May 21, 2019 6:23
Would using a bridged (TAP) setup not be the easier option?
_________________
Routers: Netgear R7800, Netgear R6400v1, Netgear R6400v2, Linksys EA6900 (XvortexCFE), Linksys E2000 (converted WRT320N), WRT54GS v1.
Install guide Linksys EA6900: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=291230
Simple PBR (Policy Based Routing) script: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318662
Install guide R6400v2: http://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
OpenVPN server setup guide:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318795
Install guide R7800: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8034

Posted: Tue May 21, 2019 12:10
egc wrote:
Would using a bridged (TAP) setup not be the easier option?


You can't make that determination w/o having the context.

If I'm using a site-to-site configuration between my home and my brother-in-law's home, we probably have two different local networks on each side. It doesn't make sense to create a bridged (tap) tunnel under those circumstances. You just want to route between those two networks over the tunnel.

OTOH, let's pretend this is a business, who happens to have set up shop in two different buildings, perhaps just across town. If it wasn't for the fact of this physical separation, both offices would be using the same local network, have access to the same resources, etc. There's no sense in creating separate local networks in this case. You want a bridged (tap) tunnel so there is a seamless transition from one side of the tunnel to the other. Of course, you'd probably block DHCP across that tunnel so each side could still manage its own ISP.

IOW, unless you give me the context, the big picture, it's impossible to say whether you should be using a routed (tun) or bridged (tap) tunnel. And most of the time when ppl post problems in this forum, we have NO CLUE of that context. All we typically have is a predefined config, routed or bridged, and are asked to make it work.

So it's a good question to ask, provided the OP gives us that context.
