
Setting Up OpenVPN on a DD-WRT Router, Part 1

By Eric Geier
Posted Jul 14, 2010


VPN connections let you remotely access files or connect remote offices together via secure tunnels over the Internet. They can even come in handy to secure connections on public Internet ports or Wi-Fi hotspots, hiding Internet traffic from local eavesdroppers.

A VPN enables users to remotely access files or connect remote offices together via secure tunnels over the Internet. If you're building a VPN for more than two-dozen VPN users, setting up a VPN server is a viable option. Find out how to do so using DD-WRT router firmware.

If you aren't going to have more than two-dozen VPN users, you might consider setting up your own VPN server using the DD-WRT router firmware. If you have a compatible wireless router, you can load the firmware on it. This gives you an OpenVPN server and client, and many more cool features. You can then set it up for remote access connections or site-to-site connections to connect offices together.

DD-WRT supports two different VPN protocols: Point-to-Point Tunneling Protocol (PPTP), which is very popular but has vulnerabilities, and OpenVPN, which uses Secure Sockets Layer (SSL) and Transport Layer Security (TLS) for a much more secure solution. In this two-part tutorial, we will set up and use OpenVPN.

In this first of two articles, we will explain how to flash the router with the DD-WRT firmware, change the router's IP and subnet for compatibility reasons, and create the SSL certificates. In the second installment, we will step through configuring the OpenVPN server, creating startup and firewall scripts, configuring the clients, and testing it out.

For the record, this tutorial is based on the VPN variant of DD-WRT v24-SP2, build 13064, dated 10/10/09. For creating SSL certificates and for the clients, we used OpenVPN 2.1.1, released on 12/11/09. The steps for using other versions of the firmware or OpenVPN may vary.

Flash Router With the VPN Version of DD-WRT

First, make sure you're using a wireless router that's compatible with DD-WRT and has enough NVRAM storage space. You'll want to follow the directions to flash or upload the VPN version of DD-WRT to your router.

To check the available NVRAM, you must use Telnet or SSH to get to the router. You can download and use PuTTY. Select Telnet as the Connection Type and enter the router's IP address (192.168.1.1). Then, for the DD-WRT Login, enter "root". If you've created a password via the Web-based control panel, use it; otherwise, the default is "admin".

Once logged in via Telnet, enter the following command:

nvram show | grep size

If you have more than 5,200 bytes left, you're good to go.

Change the Router's IP and Subnet

Remember, a VPN connection connects two or more networks. You should make sure each network's subnet and IPs do not conflict. So if you are planning to use the VPN connections from public Internet or Wi-Fi hotspots, you should make sure your local network and VPN network aren't set to a common subnet.

Since DD-WRT uses a very common IP of 192.168.1.1, we should change it:

Start by connecting to the router and bringing up the Web-based control panel by entering the IP address (192.168.1.1) into a Web browser. Then, click the Setup tab and in the Router IP area, change the Local IP Address to 192.168.2.1, and click Apply Settings.

Now you must use the new IP (192.168.2.1) to log in to the DD-WRT control panel.
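
The conflict check described in this section, as an added example that is not part of the original article: it compares the router's LAN with the networks a remote client might be sitting on, using overlap rather than exact equality. The VPN tunnel subnet (10.8.0.0/24) and the list of common remote subnets are assumed sample values, not settings from this tutorial.

```python
import ipaddress

def find_conflicts(networks):
    """Return sorted (name_a, name_b) pairs whose address ranges overlap.

    `networks` maps a label to a CIDR string. Overlap, not equality, is the
    test: a /16 on one side still swallows a /24 on the other.
    """
    parsed = {name: ipaddress.ip_network(cidr, strict=False)
              for name, cidr in networks.items()}
    names = sorted(parsed)
    conflicts = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if parsed[a].overlaps(parsed[b]):
                conflicts.append((a, b))
    return conflicts

def safe_for_roaming(lan_cidr, remote_cidrs):
    """True if the office LAN overlaps none of the networks a client may join."""
    lan = ipaddress.ip_network(lan_cidr, strict=False)
    return not any(lan.overlaps(ipaddress.ip_network(r, strict=False))
                   for r in remote_cidrs)

# Constructed sample: subnets often handed out by home routers and hotspots.
COMMON_REMOTE = ["192.168.0.0/24", "192.168.1.0/24", "10.0.0.0/24",
                 "172.16.0.0/16"]

if __name__ == "__main__":
    # DD-WRT default LAN versus the LAN after the change made above.
    before = {"office-lan": "192.168.1.1/24", "hotspot": "192.168.1.0/24"}
    after = {"office-lan": "192.168.2.1/24", "hotspot": "192.168.1.0/24",
             "vpn-tunnel": "10.8.0.0/24"}  # tunnel subnet is an assumption
    print("before:", find_conflicts(before))
    print("after: ", find_conflicts(after))
    print("roaming-safe:", safe_for_roaming("192.168.2.1/24", COMMON_REMOTE))
```
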

Create server and client certificates

You must download and install OpenVPN on a PC using the Windows Installer. You can use Linux machines too, but we're going the Windows route. Once installed, here's how to get started:

  1. Open the Command Prompt: click Start, type cmd, and hit Enter.
  2. Then move to another directory by typing: cd C:\Program Files\OpenVPN\easy-rsa
  3. Run a batch file to create configuration files by typing: init-config
  4. Keep this Command Prompt window open for later use.

Now, open a Computer window and browse to the following directory: C:\Program Files\OpenVPN\easy-rsa. Right-click the vars.bat file and click Edit. Then you must set all the following settings:

  • KEY_COUNTRY
  • KEY_PROVINCE
  • KEY_CITY
  • KEY_ORG
  • KEY_EMAIL

You can change the default values, which come after the equals sign of each parameter. Be sure to save the changes when you're done.

Go back to the Command Prompt window and initialize the PKI by entering the following commands one at a time:

vars
clean-all
build-ca

After entering the last command, you'll be prompted for the parameters you just set in the vars.bat file. Press Enter to accept those parameters. You can leave the Organizational Unit Name blank. However, you must enter a Common Name. Pretty much anything will work. I used "OpenVPN-CA".

Now you can generate a certificate and private key for the server by entering the following:

build-key-server server

You'll be prompted for parameters again. Accept the defaults for the ones you set in vars.bat. For the Common Name this time, enter "server". Be sure to enter a secure password you'll remember or store somewhere safe. When prompted to sign and commit the certificate, enter "y".

Now, you can generate the certificates for the clients or computers that will be connecting to your OpenVPN server on the DD-WRT router. You must create one for each client. Just enter "build-key" followed by a space and a name. For example, for three clients:

build-key client1
build-key client2 
build-key client3

Again, you'll be prompted for the parameters. Choose a unique Common Name. You can use the certificate name, such as client1, client2 or client3.

Note: If you later find you must generate additional client certificates, return to the easy-rsa directory in a Command Prompt, type "vars", and then go ahead with the build-key command, such as build-key client2.

Now you must generate the Diffie Hellman parameters by entering:

build-dh

Finally, you should see all your certificates in the following directory: C:\Program Files\OpenVPN\easy-rsa\keys

Keep in mind, the ca, server, and all client keys should be kept private and secure.
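
An added example, not part of the original article or of easy-rsa: a small audit that sorts the files in the keys directory into secret and public material by their PEM header, and flags private keys stored without a passphrase. The file names and placeholder bodies in build_sample_dir are constructed; point audit_keys_dir at the real keys directory to use it.

```python
import os
import tempfile

# PEM labels grouped by whether the file holds secret material.
SECRET_LABELS = {"RSA PRIVATE KEY", "PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}
PUBLIC_LABELS = {"CERTIFICATE", "CERTIFICATE REQUEST", "DH PARAMETERS"}

def classify_pem(text):
    """Classify a file by its first PEM BEGIN line. Signed .crt files may
    carry a human-readable dump before that line, so every line is scanned."""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("-----BEGIN ") and line.endswith("-----"):
            label = line[len("-----BEGIN "):-len("-----")]
            if label in PUBLIC_LABELS:
                return "public"
            if label in SECRET_LABELS:
                protected = ("ENCRYPTED" in label
                             or "Proc-Type: 4,ENCRYPTED" in text)
                return "secret-encrypted" if protected else "secret-plaintext"
            return "unknown"
    return "not-pem"

def audit_keys_dir(path):
    """Map each file name in `path` to its classification."""
    report = {}
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if os.path.isfile(full):
            with open(full, "r", errors="replace") as fh:
                report[name] = classify_pem(fh.read())
    return report

def build_sample_dir():
    """Constructed stand-in for the keys directory; bodies are placeholders."""
    pem = "-----BEGIN {0}-----\n{1}AAAA\n-----END {0}-----\n"
    samples = {
        "ca.crt": pem.format("CERTIFICATE", ""),
        "ca.key": pem.format("RSA PRIVATE KEY", ""),
        "server.crt": "Certificate:\n    Data:\n" + pem.format("CERTIFICATE", ""),
        "client1.key": pem.format("RSA PRIVATE KEY", "Proc-Type: 4,ENCRYPTED\n\n"),
        "dh1024.pem": pem.format("DH PARAMETERS", ""),
        "index.txt": "V\t200712000000Z\t\t01\tunknown\t/CN=server\n",
    }
    path = tempfile.mkdtemp(prefix="easy-rsa-keys-")
    for name, body in samples.items():
        with open(os.path.join(path, name), "w") as fh:
            fh.write(body)
    return path
```

Every file reported as secret-plaintext is usable by anyone who can read it, so those are the ones whose file permissions and backups matter most.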

Continue on to Part 2 to learn how to configure the server and clients.

Eric Geier is the Founder and CEO of NoWiresSecurity, which helps businesses easily protect their Wi-Fi with enterprise-level encryption by offering an outsourced RADIUS/802.1X authentication service. He is also the author of many networking and computing books, for brands such as For Dummies and Cisco Press.
