How to setup OpenVPN server on DD-WRT?

Fractalogic
DD-WRT Novice


Joined: 25 Jun 2010
Posts: 41

Posted: Mon Jan 07, 2019 19:08    Post subject: How to setup OpenVPN server on DD-WRT?
Hi everyone!

I can imagine that this question has been posted at least a few dozen times before. But I can't for the life of me figure this out, and I also see that most people that post questions about it have some kind of advanced setup. All I want is just a basic setup.

Please understand, I have been trying to set up OpenVPN server on my dd-wrt router for months on and off. Sometimes I can get it to work to some point but then something else goes wrong and I just give up. I find this very difficult.

What I would like is to be able to access a single computer on my home network over the Internet, using VPN for added security/obfuscation.

What are the ingredients, what exactly do I need for such setup? I know I already have dd-wrt which is capable of running a VPN server.

Can you at least point me in the right direction?
Fractalogic
DD-WRT Novice


Joined: 25 Jun 2010
Posts: 41

Posted: Mon Jan 07, 2019 19:44
I have the latest dd-wrt version 3.0-r38132 std, recently flashed. So no corrupted old configs lying around.

I did get OpenVPN client to work with my VPN provider. I just had to clear out old broken down PPTP configs.

But a client setup is not what I need for this purpose, I need to know how to set up OpenVPN as a server.

Can I still use Easy RSA help files to generate the cert and keys and then put it into my dd-wrt? I did that once successfully between my computers on the home network. This was some time ago, I don't recall how I did it but I know that these files come with OpenVPN installation.
bushant
DD-WRT Guru


Joined: 18 Nov 2015
Posts: 1267
Location: Indiana

Posted: Mon Jan 07, 2019 19:52
Have a look at these:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=307718
https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1146427#1146427
Be sure to be logged in.

_________________
SUPPORTED DEVICES -- DON'T USE ROUTER DATABASE!
--IMPORTANT UPGRADE INFORMATION--STUBBY DoT install guide
Qualcomm-Atheros:
R7800 x2 kongat & BS WDS AP & Sta-- R7500V2 BS std WDS STA-- WZR-HP-AG300H BS std WDS STA
WNDR3700v4 BS std WDS STA-- Nanostation M2 AirOS-- LocoM2 AirOS
MikroTik SXT R LTE
Broadcom:
R6200v2 41664std TFTP R6250.chk WLAN Repeater Archer C9 v1 OEM WAP

DDWRT Policy Based Routing Guide by egc
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 4415
Location: Netherlands

Posted: Mon Jan 07, 2019 20:14
Attached my notes how I do it (with easy RSA :) )

See https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318795 for the latest guide

_________________
Routers:Netgear R7800, Netgear R6400v1, Netgear R6400v2, Linksys EA6900 (XvortexCFE), Linksys E2000 (converted WRT320N), WRT54GS v1.
Install guide Linksys EA6900: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=291230
OpenVPN Policy Based Routing guide: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=321686
Install guide R6400v2:http://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
OpenVPN Server Setup:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318795
Install guide R7800: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Wireguard Setup guide:https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1183135


Last edited by egc on Sun Jul 14, 2019 19:57; edited 2 times in total
Fractalogic
DD-WRT Novice


Joined: 25 Jun 2010
Posts: 41

Posted: Tue Jan 08, 2019 17:46
egc wrote:
Attached my notes how I do it (with easy RSA :) )

What notes?...
bushant
DD-WRT Guru


Joined: 18 Nov 2015
Posts: 1267
Location: Indiana

Posted: Tue Jan 08, 2019 18:04
bushant wrote:
Have a look at these:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=307718
https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1146427#1146427 EDIT: (Link to @egc notes, Tried and failed to save him some ink)
Be sure to be logged in.


You must be logged in to see attachments.

Fractalogic
DD-WRT Novice


Joined: 25 Jun 2010
Posts: 41

Posted: Thu Jan 10, 2019 23:09
I didn't see the attachment earlier. I thought I was signed in because my name was visible. But I can see it now after attempting to post a reply. False alarm! I will check it out later. But I have a question.

Do I need to generate the Diffie Hellman parameter if I intend to configure OpenVPN as a server? Or does this only apply to a daemon?

I have been reading the various posts in full detail and taking notes along the way. I totally understand what the author of the linked thread means by "there's a lot of outdated info out there on OpenVPN + DD-WRT". No wonder people get confused and give up (at least I did, a number of times)...
Fractalogic
DD-WRT Novice


Joined: 25 Jun 2010
Posts: 41

Posted: Thu Jan 10, 2019 23:36
Code:
init-config
vars
clean-all
build-ca
build-key client1
build-key-server server
build-dh


These are the commands to be executed when generating keys and certificates?

When I run build-key-server I get this warning.

Code:
Could Not Find C:\Program Files\OpenVPN\easy-rsa\keys\*.old


Do I need to do something about it? I recall seeing in some tutorial that you have to rename a file to something.old when generating keys and certificates. Is this related to EasyRSA 2 and 3?

Code:
build-key client1
build-key-server server


Who is client and who is server? Client is my remote computer connecting to DD-WRT and server is the DD-WRT OpenVPN server?
jxm
DD-WRT Guru


Joined: 23 Jul 2017
Posts: 726
Location: Brisbane, Australia

Posted: Fri Jan 11, 2019 5:45
Ignore the error. The script builds new certificate files, and in that process it renames existing certificate files to *.old. However the process crashes if one of the *.old files exists. To make sure this does not happen, the batch file deletes all existing *.old files. But it is poorly written because if the delete command fails it throws an error. The batch command should say “if exist path\*.old del path\*.old” then it will not complain if it does not find any files to delete.

Note that this error is in the files that you download from the OpenVPN.net website, and @egc is not responsible for them.

Cheers,
Fractalogic
DD-WRT Novice


Joined: 25 Jun 2010
Posts: 41

Posted: Sun Jan 13, 2019 23:15
Is it only the Common Name that is mandatory field and has to be the same for all?

Quote:
Organizational Unit Name (eg, section) [changeme]:
Name [changeme]:


I can ignore the "changeme" here and just press Enter? These fields become "changeme" unless I make a change?

Also when asked about password...

Quote:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:


Do I need to type something in? Or I can leave it blank and continue?
Fractalogic
DD-WRT Novice


Joined: 25 Jun 2010
Posts: 41

Posted: Sun Jan 13, 2019 23:31
jxm wrote:
Ignore the error. The script builds new certificate files, and in that process it renames existing certificate files to *.old. However the process crashes if one of the *.old files exists. To make sure this does not happen, the batch file deletes all existing *.old files. But it is poorly written because if the delete command fails it throws an error. The batch command should say “if exist path\*.old del path\*.old” then it will not complain if it does not find any files to delete.

Note that this error is in the files that you download from the OpenVPN.net website, and @egc is not responsible for them.

Cheers,


I understand that the problem might be in the Bat files that ship with OpenVPN. But I don't know how to handle the situation. Do I need to build the server cert and key? If I do then I'm afraid I won't be connecting to anything unless I deal with this first.

My server.crt is 0 bytes. It was not 0 the first time I ran the commands. So it fails to build it correctly and here is what it has to say.

Code:
ERROR:There is already a certificate for /C=US/ST=CA/L=SanFrancisco/O=OpenVPN/OU=changeme/CN=itsme/name=changeme/emailAddress=mail@host.domain
The matching entry has the following details
Type          :Valid
Expires on    :290110232019Z
Serial Number :01
File name     :unknown
Subject Name  :/C=US/ST=CA/L=SanFrancisco/O=OpenVPN/OU=changeme/CN=itsme/name=changeme/emailAddress=mail@host.domain
Could Not Find C:\Program Files\OpenVPN\easy-rsa\keys\*.old


Since I already ran these commands earlier, it thinks I already have one certificate like that.

So the *.old seems to be least of my problems. In fact, clean-all.bat cleans the keys folder with success.

I suspect it has created something that is stored elsewhere. Somewhere in Windows.
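Added example, not part of the original posts: the error quoted above is OpenSSL's `ca` command reporting a row from its plain-text certificate database (`index.txt`), which holds six tab-separated fields per issued certificate; with `unique_subject` enabled, a second request whose subject equals a Valid row is refused. The sketch below parses that format, finds the row that blocks a given subject, and checks whether a `.crt` file actually contains a certificate. The sample rows are constructed (the first mirrors the quoted error), and that `index.txt` sits in the easy-rsa `keys` directory is an assumption.

```python
import re
from datetime import datetime

# Constructed sample index.txt; row 1 mirrors the error above, row 2 is made up.
SAMPLE_INDEX = (
    "V\t290110232019Z\t\t01\tunknown\t/C=US/ST=CA/L=SanFrancisco/O=OpenVPN"
    "/OU=changeme/CN=itsme/name=changeme/emailAddress=mail@host.domain\n"
    "R\t290110232019Z\t190113231500Z\t02\tunknown\t/C=US/ST=CA/O=OpenVPN/CN=oldlaptop\n"
)
STATUS = {"V": "Valid", "R": "Revoked", "E": "Expired"}

def parse_index(text):
    """Parse rows of: status, expiry, revocation, serial, file name, subject."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(f"malformed index.txt row: {line!r}")
        status, expires, revoked, serial, filename, subject = fields
        entries.append({"status": STATUS.get(status, status), "expires": expires,
                        "revoked": revoked or None, "serial": serial,
                        "file": filename, "subject": subject})
    return entries

def blocking_entry(entries, subject):
    """Return the Valid row with an identical subject (revoked rows do not block)."""
    for entry in entries:
        if entry["status"] == "Valid" and entry["subject"] == subject:
            return entry
    return None

def expires_at(entry):
    """Decode the YYMMDDHHMMSSZ expiry field to an ISO 8601 string (UTC)."""
    return datetime.strptime(entry["expires"], "%y%m%d%H%M%SZ").isoformat()

def common_name(subject):
    """Extract the CN component from a slash-separated subject string."""
    match = re.search(r"/CN=([^/]+)", subject)
    return match.group(1) if match else None

def has_certificate(pem_text):
    """True only if the text holds a complete PEM certificate block."""
    return bool(re.search(r"-----BEGIN CERTIFICATE-----\s+[A-Za-z0-9+/=\s]+"
                          r"-----END CERTIFICATE-----", pem_text))
```

Comparing `common_name()` across the rows shows whether two requests were given the same subject, and `has_certificate()` returns False for a 0-byte `server.crt`.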
Fractalogic
DD-WRT Novice


Joined: 25 Jun 2010
Posts: 41

Posted: Sun Jan 13, 2019 23:44
When I want to start over from scratch can I simply execute these commands in this order?

Code:
init-config
vars
clean-all
build-ca
build-key client1
build-key-server server
build-dh


Or I need to do something first?... I don't know... maybe go remove some certificates from Windows certificate store? I understand this is some kind of database that Windows uses.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 4415
Location: Netherlands

Posted: Mon Jan 14, 2019 11:38
Just follow my notes attached to the fourth posting.

Generating keys and certificates has nothing to do with the windows certificate store

Fractalogic
DD-WRT Novice


Joined: 25 Jun 2010
Posts: 41

Posted: Mon Jan 14, 2019 22:39
egc wrote:
Just follow my notes attached to the fourth posting.


Quote:
Step 6 – Configuring DD-WRT for OpenVPN
From the DD-WRT GUI, click on the “Services” tab, and then click on the “VPN” tab. Scroll down to the OpenVPN section and click the radio button to enable OpenVPN. That will expose a new pane where you will enter the VPN tunnel network settings and enter the data from the “keys” and “certificates” as well as the data from the “dh2048” file that you created in the previous steps. Scroll down to the pictures below as necessary for a visual cue.


It doesn't say what mode to select once I am on the VPN tab. But I can see from the included screenshots that you selected "Server" option.

This is one of those pivot points in configuring OpenVPN on DD-WRT. I followed the link from one of the links posted earlier and ended up here:

https://www.howtogeek.com/64433/how-to-install-and-configure-openvpn-on-your-dd-wrt-router/

I gathered a lot from reading this lengthy article. But I also understand that it has its factual errors and outdated information. The main point from one of the posters here on DD-WRT forum was that you should skip the "Daemon" and some other parts of that article. It's understandable, because the old builds of DD-WRT didn't have the "Server" option. But it is exactly for this reason that I need to generate a server cert and key... no?

Let's get back to your attached document for now.

Quote:
Back in Notepad++, locate and open the “server.crt” file from the same (keys) directory. This time, you will scroll down to the bottom, and copy everything starting with “-----BEGIN CERTIFICATE-----” and ending with “-----END CERTIFICATE-----” (INCLUDING ALL of the dashes). You will then paste that into the “Public Server Cert” window, in DD-WRT as seen in pictures below.

Precisely! My server cert is 0 byte, remember? What shall I copy from this file?...

Quote:
Back in Notepad++, locate and open the “server.key” file from the same (keys) directory. Click anywhere in the window and right click, select all, then copy and paste the contents into the “Public Server Key” window, in DD-WRT as can be seen in the pictures below.

My server key however is populated with data. But it's useless without the server cert, right? Or am I delusional?

Your screenshots look good, that's what I want for myself also. But the server cert generation keeps failing and I don't think I can continue without it.


Last edited by Fractalogic on Mon Jan 14, 2019 23:19; edited 1 time in total
Fractalogic
DD-WRT Novice


Joined: 25 Jun 2010
Posts: 41

Posted: Mon Jan 14, 2019 22:48
I can see more clearly now why I haven't managed to set this up many months ago. There is too much confusion spreading across the web regarding this topic. Just like Weird Al Yankovic misattributions used to flood the web once. If you repeat something many times it will eventually become the truth if it is not already.

I think I need to do more reading and experimenting on my own in order to filter out the misconceptions (my own and others').