This howto covers setting up an OpenVPN Server for access to your home network as if you were local. It's an excellent alternative to opening a bunch of ports in your firewall and exposing poorly secured programs to the world wide web.
Here's the overview:
- install OpenVPN on laptop to generate keys for server and a few clients
- configure dd-wrt router
- configure clients
Please respond in the comments with what hardware you used this how-to on, and any differences. I will update the original article with your input.
I am not a network dd-wrt OpenVPN genius, or even competent. I've cobbled this together from what I could find around the internets. I've included all my sources at the bottom.
generate your keys
Download and install OpenVPN on your computer. Be sure to install all the options during the installation.
We're going to be using Easy RSA, and I believe that option is unchecked in the default installation.
Before I start generating keys, I want to make 2048-bit keys instead of the default 1024-bit keys. To make that change for yourself, edit the vars.bat file (this is clearly on Windows). It's in C:\Program Files\OpenVPN\easy-rsa\vars.bat.
Change the line from set KEY_SIZE=1024 to set KEY_SIZE=2048.
Update: as of OpenVPN 2.4.4 the default key size is 4096 bits, so the step above is unnecessary.
Head over to this OpenVPN how-to, and down to the part about "On Windows: vars, clean, build..." and start following those instructions. You'll see notes all over to the tune of "none of these settings matter that much except for Common Name", where you have to make sure it's something, and that it's different from the others. So toot along with those steps.
When you get to the build-key-server server command, be sure to enter "server" for its Common Name.
You will see a bunch of matrix-y looking text fly by while the keys are generated.
Generate a few clients, as many as you think you'll need plus one or two more. In this folder, you'll have all sorts of files:
C:\Program Files\OpenVPN\easy-rsa\keys
configure dd-wrt server
This is based on Netgear Nighthawk AC1900 model R7000.
Get a router that is compatible with DD-WRT, and install dd-wrt. A couple of different places to check for that: the dd-wrt database, the dd-wrt supported devices wiki, and the myopenrouter download page (Netgear specific models). I bought two routers for this project, whoops! The Nighthawk AC1900 is not a model; the model number will be something like R7000 or R7300.
Flash your router to dd-wrt firmware. Instructions for the R8000, but worked like a charm for my R7000.
Set up the NTP server. This is important for your self-signed certificates to start working right away (the certificates carry validity dates, so the router needs the correct time). So I read. dd-wrt GUI > Setup > Basic Setup > scroll down to Time Settings. Here's what I've got. You can grab more info/servers from this ntp.org page or dig around on ntp.org.
Next, go to Services > VPN. Scroll down to OpenVPN Server/Daemon, hit enable. Now this is a big one, so here we go.
OpenVPN: enable
Start Type: WAN up
Config as: Server
Server mode: TUN
Network: Choose something that will NOT interfere with your DHCP server. I have a couple of static DHCP leases for a file server and a network printer. Then my DHCP server starts handing out IPs on 192.168.11.100-150. So the Network I stuck in here is 192.168.88.0; the IPs on that network will never conflict with IPs on my regular home network.
Port: 1194, default
Tunnel Protocol: UDP, default
Encryption Cipher: AES-256 CBC ("hardening" article)
Hash Algorithm: SHA256
Advanced options: Enable
TLS Cipher: none
LZO Compression: Yes
Redirect default Gateway: Disable
Allow Client to Client: Enable
Allow duplicate cn: Disable
Tunnel MTU settings: 1400
Tunnel UDP Fragment: blank
Tunnel UDP MSS-Fix: Disable
Next we're going to need to start opening some of those files you generated above using Easy RSA. In all cases, you're going to get a block of nonsense-looking text, surrounded by
-----BEGIN blahblahblah-----
xxxxxxxxxxxxxxxxx
-----END blahblahblah-----
When you do your copy/paste, include those parts, but nothing else outside of them. For instance, in server.crt, there's all kinds of crap above the goods. The goods, as I said, are between, and including
-----BEGIN CERTIFICATE-----
xxxxxxxxxxxx
-----END CERTIFICATE-----
CCD-Dir DEFAULT File: <blank>
Client connect script: <blank>
Static Key: <blank>
PKCS12 Key: <blank>
Public Server Cert: server.crt
CA Cert: ca.crt
Private Server Key: server.key
DH PEM: dh2048.pem. Or dh1024.pem if you didn't change to 2048-bit keys like I mentioned above. There should only be one dhxxxx.pem file; use it.
Additional config:
push "dhcp-option DNS 192.168.88.1"
push "dhcp-option DOMAIN HOME"
push "route 192.168.11.0 255.255.255.0"
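As an added example (not from the original post), a small Python helper that does the check described under "Network" above: it refuses a VPN Network that overlaps the home LAN and otherwise produces the three push lines for the Additional config box. The subnets, DNS address and domain used are the ones from this post.

```python
import ipaddress


def plan_vpn_push(lan_cidr, vpn_cidr, dns_ip, domain):
    """Validate the VPN subnet against the home LAN and build the push lines.

    lan_cidr: the home network the clients should reach, e.g. 192.168.11.0/24
    vpn_cidr: the OpenVPN "Network" from the dd-wrt GUI, e.g. 192.168.88.0/24
    dns_ip:   the DNS server pushed to clients (the router's VPN-side address)
    Raises ValueError if the two subnets overlap (clients would then be
    unable to route to the LAN) or if the DNS address is in neither network.
    """
    lan = ipaddress.ip_network(lan_cidr, strict=True)
    vpn = ipaddress.ip_network(vpn_cidr, strict=True)
    dns = ipaddress.ip_address(dns_ip)
    if lan.overlaps(vpn):
        raise ValueError("VPN network %s overlaps home LAN %s" % (vpn, lan))
    if dns not in vpn and dns not in lan:
        raise ValueError("DNS server %s is reachable from neither network" % dns)
    # Same three directives as the Additional config box, derived from the
    # LAN definition so the route mask always matches the prefix length.
    return [
        'push "dhcp-option DNS %s"' % dns,
        'push "dhcp-option DOMAIN %s"' % domain,
        'push "route %s %s"' % (lan.network_address, lan.netmask),
    ]


if __name__ == "__main__":
    for line in plan_vpn_push("192.168.11.0/24", "192.168.88.0/24",
                              "192.168.88.1", "HOME"):
        print(line)
```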
configure clients
I'm going to use client1 for this laptop. Navigate to your generated keys
C:\Program Files\OpenVPN\easy-rsa\keys
and copy ca.crt, client1.crt, and client1.key into the config directory.
C:\Program Files\OpenVPN\config
Create a new text file in the config directory called client1.ovpn. The contents of my client1.ovpn file are as follows (one directive per line):
# replace with your own dynamic DNS hostname
remote your.home.website.dyndns.org 1194
client
dev tun
proto udp
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-256-cbc
float
tun-mtu 1500
# the three files copied into the config directory
ca ca.crt
cert client1.crt
key client1.key
remote-cert-tls server
comp-lzo
verb 3
auth-nocache
You can see the file references the three files we copied in there. If yours are different, you'll need to change them.
Side note: duckdns.org is a terrific free service for keeping track of a non-static external IP.
Run Start > OpenVPN > OpenVPN GUI
When you right click on the OpenVPN GUI, it will present all the .ovpn config files as options. If you only have one in there, it will use that one, and only show you a Connect option. Right click, connect, boom!
configure android phone
I'm currently on a Nexus 5X running android N v7.0 build NRD90R
Download and install OpenVPN Connect from the app store.
Download the same three files to your phone: ca.crt, client2.crt, and client2.key. You'll also have to make another client2.ovpn text file. I did this on the laptop, and transferred it as the fourth file over to the phone using Google Drive. Run the app, and touch dot-dot-dot > Import File from SD Card. Navigate over to your Downloads directory (or wherever you saved the four files). Touch the client2.ovpn file, and it should quickly import all the necessary files into its own working directory somewhere else on the phone.
Now you'll see that you've got your custom connection there at the top. Long-press on it, and you'll be able to "Create a Shortcut" to the connection as its own little icon on your home screen. This is super easy for getting connected to your home LAN from your phone.
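As an added example, not part of the original post, this Python helper does the cut-and-paste described in the "configure dd-wrt server" section for you and also simplifies the phone step above: it extracts only the BEGIN/END block from each easy-rsa file (ignoring the readable text above the block in a .crt) and inlines ca, cert and key into a single .ovpn, so the import needs one file instead of four. The remote hostname and the certificate body in the sample are placeholders I made up.

```python
import re

# One PEM block, armour lines included; the END label must match the BEGIN label.
PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----\r?\n.*?\r?\n-----END (?P=label)-----",
    re.DOTALL,
)

def extract_pem_block(text, label):
    """Return the first block whose label ends with `label` (e.g. 'CERTIFICATE'),
    BEGIN/END lines included; anything outside the block is dropped."""
    for m in PEM_RE.finditer(text):
        if m.group("label").endswith(label):
            return m.group(0)
    raise ValueError("no %s block found" % label)

# Directives from the post's client1.ovpn; {remote} is filled in by the caller.
CLIENT_TEMPLATE = """client
dev tun
proto udp
remote {remote} 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher aes-256-cbc
comp-lzo
verb 3
"""

def build_client_profile(remote, ca_pem, cert_pem, key_pem):
    """Return one .ovpn with <ca>, <cert> and <key> inlined (OpenVPN's
    inline file syntax), so the phone import needs a single file."""
    parts = [CLIENT_TEMPLATE.format(remote=remote)]
    for tag, text, label in (("ca", ca_pem, "CERTIFICATE"),
                             ("cert", cert_pem, "CERTIFICATE"),
                             ("key", key_pem, "PRIVATE KEY")):
        parts.append("<%s>\n%s\n</%s>\n" % (tag, extract_pem_block(text, label), tag))
    return "".join(parts)

# Constructed sample in the layout easy-rsa gives a .crt: readable text above
# the armoured block. The body is placeholder text, not a real certificate.
SAMPLE_CRT = """Certificate:
        Subject: CN=client1
-----BEGIN CERTIFICATE-----
MIIBsampleCertificateBodyNotRealAAAA
-----END CERTIFICATE-----
"""
```

In real use, read ca.crt, client2.crt and client2.key from the easy-rsa keys folder and pass their contents to build_client_profile; the private key ends up inside the profile, so treat that file as carefully as the .key itself.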
bibliography
- Official openvpn.net howto
- "Hardening" article on openvpn.net
- helpful howtogeeks article on what goes where (2011)
- Marty online VPN article 9/2016
- Marty's post mentions this post at dd-wrt forums, started in 2011, most recently active 2014
- Original blog post
This doesn't work for me. I get TLS-Handshake failed :(
Very helpful. I got mine running in pretty short order. Thanks!
This is way overkill to set up VPN in dd-wrt on R7000 router. I'm using NordVPN and merely followed the tutorial on their website and I have VPN on everything in my house.