How to Set Up OpenVPN on NETGEAR R7000 with DD-WRT


This howto covers setting up an OpenVPN Server for access to your home network as if you were local. It's an excellent alternative to opening a bunch of ports in your firewall and exposing poorly secured programs to the world wide web.

Here's the overview:

  1. install OpenVPN on laptop to generate keys for server and a few clients
  2. configure dd-wrt router
  3. configure clients

Please respond in the Comments with what hardware you used this how-to on, and any differences. I will update the original article with your input.

I am not a network dd-wrt OpenVPN genius, or even competent. I've cobbled this together from what I could find around the internets. I've included all my sources at the bottom.

generate your keys

Download and install OpenVPN on your computer. Be sure to install all the options during the installation: we're going to be using Easy RSA, and I believe that option is unchecked in the default installation.

Before I start generating keys, I want to make 2048-bit keys instead of the default 1024-bit keys. To make that change for yourself, edit the vars.bat file (this is clearly on Windows); it's in C:\Program Files\OpenVPN\easy-rsa\vars.bat. Change the line set KEY_SIZE=1024 to set KEY_SIZE=2048.

Update: as of OpenVPN 2.4.4 the default key size is 4096 bits, so the above step is unnecessary.

Head over to the official OpenVPN how-to (first entry in the bibliography at the bottom) and scroll down to the part about "On Windows: vars, clean, build..."; start following those instructions. You'll see a note repeated throughout to the effect that none of these settings matter that much except for Common Name, which has to be set to something and has to be different for every certificate you build. So toot along with those steps.

When you get to the build-key-server server command, be sure to enter "server" for its Common Name.

You will see a bunch of matrix-y looking text fly by while the keys are generated.

Generate a few clients, as many as you think you'll need plus one or two more. When you're done, this folder will hold all sorts of files:

C:\Program Files\OpenVPN\easy-rsa\keys


configure dd-wrt server

This is based on Netgear Nighthawk AC1900 model R7000.

Get a router that is compatible with DD-WRT, and install dd-wrt. There are a couple of different places to check for that: the dd-wrt database, the dd-wrt supported devices wiki, and the myopenrouter download page (Netgear-specific models). I bought two routers for this project, whoops! "Nighthawk AC1900" is not a model number; the model number will be something like R7000 or R7300.

Flash your router to dd-wrt firmware. The instructions I followed were for the R8000, but they worked like a charm for my R7000.

Set up the NTP server. This is important for your self-signed certificates to start working right away, so I read (the router checks each certificate's validity dates against its own clock, and that clock is wrong after a reboot until NTP sets it). dd-wrt GUI > Setup > Basic Setup > scroll down to Time Settings. Here's what I've got. You can grab more info/servers from this ntp.org page or dig around on ntp.org.

Next, go to Services > VPN. Scroll down to OpenVPN Server/Daemon, hit enable. Now this is a big one, so here we go.

OpenVPN: enable

Start Type: WAN up

Config as: Server

Server mode: TUN

Network: Choose something that will NOT interfere with your DHCP server. I have a couple of static DHCP leases for a file server and a network printer. Then my DHCP server starts handing out IPs on 192.168.11.100-150. So the Network I stuck in here is 192.168.88.0; the IPs on that network will never conflict with IPs on my regular home network.

Port: 1194, default

Tunnel Protocol: UDP, default

Encryption Cipher: AES-256-CBC (per the "Hardening" article)

Hash Algorithm: SHA256

Advanced options: Enable

TLS Cipher: none

LZO Compression: Yes

Redirect default Gateway: Disable

Allow Client to Client: Enable

Allow duplicate cn: Disable

Tunnel MTU settings: 1400

Tunnel UDP Fragment: blank

Tunnel UDP MSS-Fix: Disable

Next we're going to need to start opening some of those files you generated above using Easy RSA. In every case, the part you want is a block of nonsense-looking base64 text, surrounded by

-----BEGIN blahblahblah-----
xxxxxxxxxxxxxxxxx
-----END blahblahblah-----

When you do your copy/paste, include those BEGIN and END lines, but nothing outside of them. For instance, in server.crt there's a human-readable text dump of the certificate above the goods. The goods, as I said, are between, and including,

-----BEGIN CERTIFICATE-----
xxxxxxxxxxxx
-----END CERTIFICATE-----

CCD-Dir DEFAULT File: <blank>

Client connect script: <blank>

Static Key: <blank>

PKCS12 Key: <blank>

Public Server Cert: server.crt

CA Cert: ca.crt

Private Server Key: server.key

DH PEM: dh2048.pem, or dh1024.pem if you didn't change to 2048-bit keys like I mentioned above. There should only be one dhxxxx.pem file; use it.

Additional config:

push "dhcp-option DNS 192.168.88.1"
push "dhcp-option DOMAIN HOME"
push "route 192.168.11.0 255.255.255.0"
 
**Be careful copy/pasting this stuff. I got hosed with "smart quotes." Right after I hit Save, Apply Changes, I'd come back to the page and the quotes had turned into &#8220; and &#8221;, which are the HTML numeric codes for curly opening and closing quotes.
 
TLS Auth Key: <blank>
 
Certificate Revoke List: <blank>
 
Save, Apply Settings.
 

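The three hand checks described above (copy only the BEGIN..END block, watch out for smart quotes in the Additional config, and pick a tunnel Network that doesn't collide with your LAN) can be scripted. The following is an added example for this article, not code from the original post or from DD-WRT; the certificate text, addresses and config lines it runs on are constructed stand-ins, and the base64 inside the sample certificate is placeholder data, not a real certificate.

```python
"""Checks for the values pasted into the DD-WRT OpenVPN server page.

Added example, not code from the how-to or from DD-WRT. It does three things
the text describes by hand: pulls the BEGIN..END block out of an easy-rsa
output file (dropping the text dump above it), flags smart quotes in the
"Additional config" lines, and checks the tunnel Network against the LAN and
the pushed route/DNS lines. All sample data below is constructed.
"""
import ipaddress
import re

# Constructed stand-in for easy-rsa's server.crt: the base64 is placeholder
# data, not a real certificate, but the layout (text dump, then PEM) is real.
SAMPLE_SERVER_CRT = """Certificate:
    Data:
        Version: 3 (0x2)
        Subject: CN=server
-----BEGIN CERTIFICATE-----
MIIBszCCAVmgAwIBAgIUAAAAAAAAAAAAAAAAAAAAAAAAAAAwCgYIKoZIzj0EAwIw
EjEQMA4GA1UEAwwHc2VydmVyAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-----END CERTIFICATE-----
"""

# The "Additional config" lines from the how-to, typed with plain ASCII quotes.
GOOD_CONFIG = '''push "dhcp-option DNS 192.168.88.1"
push "dhcp-option DOMAIN HOME"
push "route 192.168.11.0 255.255.255.0"
'''

# The same text after an editor "helpfully" curled the quotes on the first line.
BAD_CONFIG = GOOD_CONFIG.replace('"', "\u201c", 1).replace('"', "\u201d", 1)

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\r?\n(.+?)\r?\n-----END \1-----", re.DOTALL)
SMART_QUOTES = {"\u201c", "\u201d", "\u2018", "\u2019"}


def extract_pem(text, kind=None):
    """Return the first PEM block in text, header and footer included.

    kind (e.g. "CERTIFICATE") restricts which block is accepted, so you cannot
    accidentally paste the key into the field that wants the cert.
    """
    for m in PEM_BLOCK.finditer(text):
        if kind is None or m.group(1) == kind:
            body = m.group(2)
            # Only base64 belongs between the markers; anything else is junk
            # that the copy/paste picked up.
            if not re.fullmatch(r"[A-Za-z0-9+/=\r\n]+", body):
                raise ValueError("non-base64 characters inside PEM block")
            label = m.group(1)
            return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----"
    raise ValueError("no matching PEM block found")


def check_config_lines(text):
    """Return [(line_no, problem), ...] for lines that will not paste cleanly."""
    problems = []
    for no, line in enumerate(text.splitlines(), 1):
        curly = sorted(c for c in set(line) if c in SMART_QUOTES)
        if curly:
            problems.append((no, "smart quotes " + "".join(curly)))
        elif not line.isascii():
            problems.append((no, "non-ASCII characters"))
    return problems


def check_networks(tunnel, lan, additional_config):
    """Check the server Network field against the LAN and the pushed lines.

    Returns a list of problem strings; an empty list means the values agree.
    """
    tun = ipaddress.ip_network(tunnel, strict=False)
    lan_net = ipaddress.ip_network(lan, strict=False)
    problems = []
    if tun.overlaps(lan_net):
        problems.append(f"tunnel {tun} overlaps LAN {lan_net}")
    routed = []
    for line in additional_config.splitlines():
        route = re.match(r'push "route (\S+) (\S+)"', line)
        if route:
            routed.append(ipaddress.ip_network(
                f"{route.group(1)}/{route.group(2)}", strict=False))
        dns = re.match(r'push "dhcp-option DNS (\S+)"', line)
        if dns:
            addr = ipaddress.ip_address(dns.group(1))
            if addr not in tun and addr not in lan_net:
                problems.append(f"pushed DNS {addr} is on neither network")
    if lan_net not in routed:
        problems.append(f"no push route for LAN {lan_net}")
    for net in routed:
        if net.overlaps(tun):
            problems.append(f"pushed route {net} overlaps tunnel {tun}")
    return problems


if __name__ == "__main__":
    print(extract_pem(SAMPLE_SERVER_CRT, "CERTIFICATE"))
    print(check_config_lines(GOOD_CONFIG), check_config_lines(BAD_CONFIG))
    print(check_networks("192.168.88.0/24", "192.168.11.0/24", GOOD_CONFIG))
```

Run it against your real server.crt, ca.crt and server.key by reading the files into the three functions instead of the constructed samples. The DNS check accepts an address on either the tunnel network (the router's tunnel-side address, as in the article) or the LAN; the route check insists that the LAN you want to reach is actually pushed and that no pushed route swallows the tunnel network itself.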

configure clients

I'm going to use client1 for this laptop. Navigate to your generated keys

C:\Program Files\OpenVPN\easy-rsa\keys

and copy ca.crt, client1.crt, and client1.key into the config directory.

C:\Program Files\OpenVPN\config

Create a new text file in the config directory called client1.ovpn. The contents of my client1.ovpn file are as follows:

remote your.home.website.dyndns.org 1194
client
dev tun
proto udp
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-256-cbc
float
tun-mtu 1500
ca ca.crt
cert client1.crt
key client1.key

remote-cert-tls server
comp-lzo
verb 3
auth-nocache

You can see the file references the three files we copied in there. If yours are different, you'll need to change them.
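OpenVPN can also read the CA cert, client cert and client key from inline &lt;ca&gt;, &lt;cert&gt; and &lt;key&gt; blocks inside the .ovpn, which turns the four files into one. The following is an added example, not code from the original post: it takes the directives from the client1.ovpn above, strips the text dump that easy-rsa puts above the PEM block in .crt files, and writes a single-file config. The PEM contents it uses are constructed placeholders, not real certificates or keys.

```python
"""Build one self-contained client .ovpn with the CA cert, client cert and key inline.

Added example, not from the how-to (which keeps ca.crt, client1.crt and
client1.key as separate files next to the .ovpn). OpenVPN reads <ca>, <cert>
and <key> inline blocks natively, so the result is a single file to move to a
phone. The PEM contents below are constructed placeholders, not real keys.
"""
import re

# The directives from the how-to's client1.ovpn, minus the three file
# references, which become inline blocks. The remote is the how-to's placeholder.
BASE_DIRECTIVES = """remote your.home.website.dyndns.org 1194
client
dev tun
proto udp
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-256-cbc
float
tun-mtu 1500
remote-cert-tls server
comp-lzo
verb 3
auth-nocache
"""

# Constructed easy-rsa style files: .crt files carry a text dump above the PEM.
SAMPLE_CA_CRT = """Certificate:
    Data:
        Subject: CN=home-ca
-----BEGIN CERTIFICATE-----
MIIBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-----END CERTIFICATE-----
"""
SAMPLE_CLIENT_CRT = SAMPLE_CA_CRT.replace("home-ca", "client1").replace("MIIBAAAA", "MIIBCCCC")
SAMPLE_CLIENT_KEY = """-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDKAAAAAAAAAAAA
-----END PRIVATE KEY-----
"""

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.DOTALL)


def pem_only(text):
    """Return (kind, block) for the BEGIN..END part of an easy-rsa output file."""
    m = PEM_BLOCK.search(text)
    if not m:
        raise ValueError("no PEM block found")
    return m.group(1), m.group(0)


def build_inline_ovpn(ca_crt, client_crt, client_key, base=BASE_DIRECTIVES):
    """Return the text of a single-file .ovpn with the three PEM blocks inline."""
    parts = [base.rstrip("\n")]
    for tag, text, want in (("ca", ca_crt, "CERTIFICATE"),
                            ("cert", client_crt, "CERTIFICATE"),
                            ("key", client_key, "PRIVATE KEY")):
        kind, block = pem_only(text)
        # Catch the classic mix-up of pasting a .crt where the .key belongs.
        if want not in kind:
            raise ValueError(f"<{tag}>: expected a {want} block, got {kind}")
        parts += [f"<{tag}>", block, f"</{tag}>"]
    return "\n".join(parts) + "\n"


def inline_blocks(ovpn_text):
    """Map each inline tag of an .ovpn to its PEM block, so you can check the
    file before it leaves the laptop."""
    return {tag: body for tag, body in
            re.findall(r"<(ca|cert|key)>\n(.*?)\n</\1>", ovpn_text, re.DOTALL)}


if __name__ == "__main__":
    print(build_inline_ovpn(SAMPLE_CA_CRT, SAMPLE_CLIENT_CRT, SAMPLE_CLIENT_KEY))
```

Feed it the real ca.crt, clientN.crt and clientN.key from the keys folder and write the result out as clientN.ovpn. Because the private key now lives inside the .ovpn, that file deserves the same care as the .key file: move it to the phone over a channel you trust and delete the copy from shared storage once the app has imported it.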

**Side note here: duckdns.org is a terrific free service for keeping track of a non-static external IP.

Run Start > OpenVPN > OpenVPN GUI

When you right click on the OpenVPN GUI, it will present all the .ovpn config files as options. If you only have one in there, it will use that one, and only show you a Connect option. Right click, connect, boom!

configure android phone

I'm currently on a Nexus 5X running android N v7.0 build NRD90R

Download and install OpenVPN Connect from the app store.

Download the same three files to your phone: ca.crt, client2.crt, and client2.key. You'll also have to make another client2.ovpn text file. I accomplished this on the laptop, and transferred it as the fourth file over to the phone using Google Drive. Run the app, and touch dot-dot-dot > Import File from SD Card. Navigate over to your Downloads directory (or wherever you saved the four files). Touch the client2.ovpn file, and it should quickly import all the necessary files to its own working directory somewhere else on the phone.

Now you'll see that you've got your custom connection there at the top. Long-press on that, and you'll be able to "Create a Shortcut" to the connection as its own little icon on your home screen. This is super easy for getting connected to your home LAN from your phone.
 

bibliography

  1. Official openvpn.net how-to
  2. "Hardening" article on openvpn.net
  3. Helpful How-To Geek article on what goes where (2011)
  4. Marty's online VPN article, 9/2016
  5. Marty's post mentions this post at the dd-wrt forums, started in 2011, most recently active 2014
  6. Original blog post

silkstone

This doesn't work for me. I get TLS-Handshake failed :(

 

Epiphany2000

Very helpful. I got my running in pretty short order. Thanks!

Michael Terry

This is way overkill to set up VPN in dd-wrt on R7000 router. I'm using NordVPN and merely followed the tutorial on their website and I have VPN on everything in my house.