Setup OpenVPN: dd-wrt router, Windows laptop, and android phone

================================================================
3/16/2019 update: moved over to an unRaid docker installation of OpenVPN that I am very happy with. Works great for my android and laptop. I followed Space Invader One’s youtube howto here.
================================================================

This howto covers setting up an OpenVPN Server for access to your home network as if you were local. It’s an excellent alternative to opening a bunch of ports in your firewall and exposing poorly secured programs to the world wide web.

Here’s the overview:

  1. install OpenVPN on laptop to generate keys for server and a few clients
  2. configure dd-wrt router
  3. configure clients

Please respond in the Comments what hardware you used this how-to on, and any differences. I will update original article with your input.

I am not a network/dd-wrt/OpenVPN genius, or even competent. I’ve cobbled this together from what I could find around the internets. I’ve included all my sources at the bottom.

generate your keys


Download and install OpenVPN on your computer. Be sure to install all the options during the installation. We’re going to be using Easy RSA, and I believe that option is unchecked in the default installation.

Head over to this OpenVPN how to, scroll down to the part about “Setting up your own Certificate Authority (CA) and generating certificates and keys for an OpenVPN server and multiple clients,” and start following those instructions. You’ll need to open an Administrative Command Prompt to run them.

So toot along with those steps. You should be flipping back and forth between those instructions, this page, and your terminal window.

When you get to the build-key-server server command, be sure to enter “server” for its Common Name.

You will be getting a bunch of matrix-y looking text flying by like this.

Next you’ll be generating client files. The command for that one is also in the above OpenVPN howto article (build-key client1). Common Name here is going to be “client1,” “client2,” etc., not “server” like above. Leave the password blank. Generate a few clients (client1, client2, etc.), as many as you think you’ll need plus one or two more.

In the keys\ subfolder, you’ll get these files: pic to the left.

Finally, execute the build-dh command. Good grief, this is taking a while….+………. It feels like almost 10 minutes on this laptop (i7 5700 2.7GHz). The default is a 4096 bit prime number.

If you screw something up, you can start over from the vars, clean-all, build-ca commands on the OpenVPN howto.

configure dd-wrt server


This is based on Netgear Nighthawk AC1900 model R7000.

Get a router that is compatible with DD-WRT, and install dd-wrt. There are a couple of different places to check for that: the dd-wrt database, the dd-wrt supported devices wiki, and the myopenrouter download page (Netgear specific models). I bought two routers for this project, whoops! “Nighthawk AC1900” is not a model number; the model number will be something like R7000 or R7300.

Flash your router to dd-wrt firmware. Instructions for the R8000, but worked like a charm for my R7000.

Set up the NTP server. This is important for your self-signed certificates to start working right away (certificate validity checks depend on the router having the correct time), or so I read. dd-wrt GUI > Setup > Basic Setup > scroll down to Time Settings. Here’s what I’ve got. You can grab more info/servers from this ntp.org page or dig around on ntp.org.

Next, go to Services > VPN. Scroll down to OpenVPN Server/Daemon, hit enable. Now this is a big one, so here we go.

OpenVPN: enable

Start Type: WAN up

Config as: Server

Server mode: TUN

Network: Choose something that will NOT interfere with your DHCP server. I have a couple of static DHCP leases for a file server and a network printer, and my DHCP server hands out IPs in 192.168.11.100-150. So the Network I stuck in here is 192.168.88.0; the IPs on that network will never conflict with IPs on my regular home network. OpenVPN suggests a totally different network: if you use 192.168.x.x at home, use 10.x.x.x on this VPN network. OpenVPN takes care of routing between the 192.168.x.x and 10.x.x.x networks, so you’ll still be able to reach everything no problem.

Netmask: 255.255.255.0

Port: 1194, default

Tunnel Protocol: UDP, default

Encryption Cipher: AES-256 CBC (“hardening” article)

Hash Algorithm: SHA256

Advanced options: Enable

TLS Cipher: none

LZO Compression: Yes

Redirect default Gateway: Disable

Allow Client to Client: Enable

Allow duplicate cn: Disable

Tunnel MTU settings: 1400

Tunnel UDP Fragment: blank

Tunnel UDP MSS-Fix: Disable

Next we’re going to need to start opening some of those files you generated above using Easy RSA. In all cases, you’re going to get a block of nonsense-looking text, surrounded by

-----BEGIN blahblahblah-----
xxxxxxxxxxxxxxxxx
-----END blahblahblah-----

When you do your copy/paste, include those BEGIN and END lines, but nothing else outside of them. For instance, in server.crt, there’s all kinds of crap above the goods. The goods, as I said, are between and including

-----BEGIN CERTIFICATE-----
xxxxxxxxxxxx
-----END CERTIFICATE-----
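The copy/paste rule above (take only the BEGIN/END lines and what sits between them, drop the text dump easy-rsa writes above the certificate) is easy to get wrong by hand, so here is a small script that does it. This is an added example, not part of the original post; the file contents it runs on are a constructed stand-in for server.crt and the base64 body is a placeholder, not a real certificate.

```python
import re

# One PEM block: BEGIN line, base64 body, END line with the same label.
# This span, and nothing else, is what gets pasted into the dd-wrt GUI.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----\r?\n"
    r"(?P<body>[A-Za-z0-9+/=\r\n]+?)"
    r"-----END (?P=label)-----"
)


def extract_pem_blocks(text, label=None):
    """Return every PEM block in text as a list of (label, block_text).

    With label set (e.g. "CERTIFICATE", "PRIVATE KEY", "DH PARAMETERS") only
    blocks with that label are returned.  Anything outside the BEGIN/END
    lines, such as the human-readable dump at the top of server.crt, is dropped.
    """
    return [
        (m.group("label"), m.group(0))
        for m in PEM_BLOCK.finditer(text)
        if label is None or m.group("label") == label
    ]


def paste_ready(text, label):
    """Return exactly one PEM block of the given label with Windows line
    endings normalised; raise if the file has zero or several such blocks."""
    found = extract_pem_blocks(text, label)
    if len(found) != 1:
        raise ValueError(f"expected one {label} block, found {len(found)}")
    return found[0][1].replace("\r\n", "\n")


def read_paste_block(path, label):
    """Convenience wrapper: read a .crt/.key/.pem file from disk and return
    the single block to paste (e.g. read_paste_block("server.crt", "CERTIFICATE"))."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return paste_ready(fh.read(), label)


# Constructed sample imitating server.crt: easy-rsa prepends a text dump of
# the certificate before the PEM block.  The base64 below is a placeholder.
SAMPLE_SERVER_CRT = """Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Subject: CN=server
-----BEGIN CERTIFICATE-----
MIIBszCCAVkCAQEwDQYJKoZIhvcNAQELBQAwEjEQMA4GA1UEAwwHZXhhbXBs
ZXBsYWNlaG9sZGVyYm9keQ==
-----END CERTIFICATE-----
"""

# Constructed sample imitating a ca.crt saved with Windows CRLF line endings.
SAMPLE_CA_CRT_CRLF = (
    "-----BEGIN CERTIFICATE-----\r\n"
    "Y29uc3RydWN0ZWRwbGFjZWhvbGRlcg==\r\n"
    "-----END CERTIFICATE-----\r\n"
)

if __name__ == "__main__":
    print(paste_ready(SAMPLE_SERVER_CRT, "CERTIFICATE"))
```

Pointing read_paste_block at the real server.crt, ca.crt, server.key and dh4096.pem (with labels CERTIFICATE, CERTIFICATE, PRIVATE KEY or RSA PRIVATE KEY depending on your easy-rsa version, and DH PARAMETERS) gives you exactly the text each of the fields below expects; the ValueError is deliberate so a file with the wrong contents is caught before it is pasted.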

CCD-Dir DEFAULT File: <blank>

Client connect script: <blank>

Static Key: <blank>

PKCS12 Key: <blank>

Public Server Cert: server.crt

CA Cert: ca.crt

Private Server Key: server.key

DH PEM: dh4096.pem. There should only be one dhxxxx.pem file, use it.

Additional config:

push "dhcp-option DNS 192.168.88.1"
push "dhcp-option DOMAIN HOME"
push "route 192.168.11.0 255.255.255.0"

**Careful copy/pasting this stuff. I got hosed by “smart quotes.” Right after I hit Save, Apply Changes, I’d come back to the page and the quotes had turned into &#8220; and &#8221;, the character codes for left and right curly quotes.

The dhcp-option DNS address is the .1 address of the VPN network you chose above. The route xxx.xxx.xxx.0 line is your home network’s IP range.

TLS Auth Key: <blank>

Certificate Revoke List: <blank>

Save, Apply Settings.
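Two things in this section bite people: quotes in the Additional config box that are not plain ASCII, and a VPN network that overlaps the home LAN. Here is an added example (not part of the original post) that checks the settings before you hit Save: it normalises smart quotes and HTML entities, verifies the pushed DNS option is the .1 address of the VPN network, and verifies that the pushed route is your home LAN and does not overlap the VPN network. The three push lines are the ones from this howto; the mangled variant is constructed to show what the smart-quote failure looks like.

```python
import html
import ipaddress
import re

# Curly quotes that editors substitute for the ASCII quotes OpenVPN expects.
SMART_QUOTES = {"\u201c": '"', "\u201d": '"', "\u2018": "'", "\u2019": "'"}


def normalise_quotes(text):
    """Turn HTML entities (&#8220; etc.) and curly quotes back into ASCII."""
    text = html.unescape(text)
    for curly, ascii_quote in SMART_QUOTES.items():
        text = text.replace(curly, ascii_quote)
    return text


def parse_push_options(config_text):
    """Return (dns_address, [routes]) from push "..." lines; other lines are ignored."""
    dns, routes = None, []
    for line in config_text.splitlines():
        m = re.match(r'\s*push\s+"([^"]+)"\s*$', line)
        if not m:
            continue
        parts = m.group(1).split()
        if parts[:2] == ["dhcp-option", "DNS"] and len(parts) == 3:
            dns = ipaddress.ip_address(parts[2])
        elif parts[0] == "route" and len(parts) == 3:
            routes.append(ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False))
    return dns, routes


def check_vpn_config(vpn_network, netmask, lan_network, additional_config):
    """Return a list of problems; an empty list means the settings agree with
    the rules in this howto (ASCII quotes, non-overlapping networks, DNS at .1,
    a pushed route for the home LAN)."""
    problems = []
    if any(q in additional_config for q in SMART_QUOTES) or "&#" in additional_config:
        problems.append("non-ASCII or HTML-entity quotes in Additional config")
    vpn = ipaddress.ip_network(f"{vpn_network}/{netmask}", strict=False)
    lan = ipaddress.ip_network(lan_network, strict=False)
    if vpn.overlaps(lan):
        problems.append(f"VPN network {vpn} overlaps home LAN {lan}")
    dns, routes = parse_push_options(normalise_quotes(additional_config))
    if dns is None:
        problems.append("no dhcp-option DNS pushed")
    elif dns != vpn.network_address + 1:
        problems.append(f"DNS {dns} is not the .1 address of {vpn}")
    if lan not in routes:
        problems.append(f"no pushed route for home LAN {lan}")
    return problems


# The Additional config lines from this howto, as typed (ASCII quotes).
ADDITIONAL_CONFIG = (
    'push "dhcp-option DNS 192.168.88.1"\n'
    'push "dhcp-option DOMAIN HOME"\n'
    'push "route 192.168.11.0 255.255.255.0"\n'
)

# Constructed: the first line after the GUI replaced the quotes with entities.
MANGLED_CONFIG = ADDITIONAL_CONFIG.replace('"', "&#8220;", 1).replace('"', "&#8221;", 1)

if __name__ == "__main__":
    print(check_vpn_config("192.168.88.0", "255.255.255.0", "192.168.11.0/24", ADDITIONAL_CONFIG))
    print(check_vpn_config("192.168.88.0", "255.255.255.0", "192.168.11.0/24", MANGLED_CONFIG))
```

Run with the howto's own values it returns an empty list; with the mangled variant it reports the quote problem while still parsing the lines, so you can see the intended options survived and only the quotes need retyping.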



configure clients

I’m going to use client1 for this laptop. Navigate to your generated keys

C:\Program Files\OpenVPN\easy-rsa\keys

and copy ca.crt, client1.crt, and client1.key into the config directory.

C:\Program Files\OpenVPN\config

Create a new text file in the config directory called client1.ovpn. The contents of my client1.ovpn file are as follows:

remote your.home.website.dyndns.org 1194
client
dev tun
proto udp
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-256-cbc
auth sha256
float
tun-mtu 1500
ca ca.crt
cert client1.crt
key client1.key

remote-cert-tls server
comp-lzo
verb 3
auth-nocache

You can see the file references the three files we copied in there. If yours are different, you’ll need to change them.
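Most client-side connection failures come from a client file that disagrees with the server settings (cipher, hash, protocol, port, compression). Here is an added example, not part of the original post, that parses a .ovpn file and compares it against the values entered in the dd-wrt GUI above. Run against the client1.ovpn shown here it reports one difference: tun-mtu is 1400 on the router and 1500 in the client file, the kind of mismatch OpenVPN flags in its log as an option used inconsistently. The SERVER_SETTINGS dictionary is my transcription of the GUI settings, not something the router exports.

```python
# Server-side values as entered in the dd-wrt GUI in this howto.
SERVER_SETTINGS = {
    "proto": "udp",
    "port": "1194",
    "dev": "tun",
    "cipher": "aes-256-cbc",
    "auth": "sha256",
    "comp-lzo": "yes",
    "tun-mtu": "1400",
}


def parse_ovpn(text):
    """Parse an .ovpn into {option: [args]}.  Comments (# or ;) and blank lines
    are skipped; inline <ca>/<cert>/<key> blocks are not handled because this
    howto references separate files."""
    options = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        name, *args = line.split()
        options[name] = args
    return options


def compare_client_to_server(ovpn_text, server=SERVER_SETTINGS):
    """Return a list of human-readable mismatches between client and server."""
    opts = parse_ovpn(ovpn_text)
    findings = []
    remote = opts.get("remote", [])
    remote_port = remote[1] if len(remote) > 1 else "missing"
    if remote_port != server["port"]:
        findings.append(f"remote port {remote_port} != server port {server['port']}")
    for key in ("proto", "dev", "cipher", "auth", "tun-mtu"):
        client_val = opts.get(key, [None])[0] if opts.get(key) else None
        if client_val is None:
            findings.append(f"{key} missing on client")
        elif client_val.lower() != server[key].lower():
            findings.append(f"{key}: client {client_val} != server {server[key]}")
    # Compression must be on at both ends or off at both ends.
    if ("comp-lzo" in opts) != (server["comp-lzo"] == "yes"):
        findings.append("comp-lzo setting differs between client and server")
    # The 11/2017 edit added these two to silence client errors.
    for option in ("remote-cert-tls", "auth-nocache"):
        if option not in opts:
            findings.append(f"{option} not set")
    for file_opt in ("ca", "cert", "key"):
        if file_opt not in opts:
            findings.append(f"{file_opt} file not referenced")
    return findings


# The client1.ovpn from this howto, verbatim.
CLIENT1_OVPN = """remote your.home.website.dyndns.org 1194
client
dev tun
proto udp
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-256-cbc
auth sha256
float
tun-mtu 1500
ca ca.crt
cert client1.crt
key client1.key

remote-cert-tls server
comp-lzo
verb 3
auth-nocache
"""

if __name__ == "__main__":
    for finding in compare_client_to_server(CLIENT1_OVPN):
        print(finding)
```

To check your own file, read it from C:\Program Files\OpenVPN\config and pass the text to compare_client_to_server; anything it prints is worth fixing on one side or the other before you start chasing log messages.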

**Side note here: duckdns.org is a terrific free service for keeping track of a non-static external IP.

Run Start > OpenVPN > OpenVPN GUI

When you right click on the OpenVPN GUI, it will present all the .ovpn config files as options. If you only have one in there, it will use that one, and only show you a Connect option. Right click, connect, boom!

configure android phone


I’m currently on a Nexus 5X running android N v7.0 build NRD90R

Download and install OpenVPN Connect from the app store.

Download the same three files to your phone: ca.crt, client2.crt, and client2.key. You’ll also have to make another client2.ovpn text file. I accomplished this on the laptop, and transferred it as the fourth file over to the phone using Google Drive. Run the app, and touch dot-dot-dot > Import File from SD Card. Navigate over to your Downloads directory (or wherever you saved the four files). Touch the client2.ovpn file, and it should quickly import all the necessary files to its own working directory somewhere else in the phone.

Now you’ll see that you’ve got your custom connection there at the top. Long-press on that, and you’ll be able to “Create a Shortcut” to the connection as its own little icon on your homescreen. This is super easy for getting connected to your home LAN from your phone.

bibliography


  1. Official openvpn.net howto
  2. “Hardening” article on openvpn.net
  3. helpful howtogeek article on what goes where (2011)
  4. Marty online VPN article 9/2016
  5. Marty’s post mentions this post at dd-wrt forums, started in 2011, most recently active 2014

old edits


01/2018 changed SHA1 to SHA256 in text description. Picture is correct.

11/2017 Before I start generating keys, I want to make 2048bit keys vs the default 1024bit keys. To make that change for yourself, edit the vars.bat file (this is clearly on Windows). It’s in C:\Program Files\OpenVPN\easy-rsa\vars.bat.
change the line from set KEY_SIZE=1024, to set KEY_SIZE=2048.
Default key size is now 4096 bits, so this step is unnecessary. openvpn 2.4.4 – da2434890

11/2017 modified client1.ovpn to include: remote-cert-tls server, and auth-nocache. Got rid of a few error messages in newest OpenVPN client software Windows 10 2.4.4