
OpenVPN with DD-WRT (v24-SP2) Setup

Currently, I am in the UK a lot and sometimes I like to watch live German TV via the internet. Often that's not a problem, but some programmes are only viewable if you have a German IP address - for copyright reasons, I guess. As I don't want to spend money on an external VPN service, install any particular software on my computer, or use a slow proxy server, I decided to set up my router at home as an OpenVPN server.

After spending many days trying to configure my router (Buffalo WZR-HP-AG300H) to also run as an OpenVPN Server, I thought I'd share my final configuration settings, in case it may be helpful to others. I found a lot of configuration examples online, but none of them worked with my setup exactly. Getting the right iptables rules seems to be the main problem, so I can't guarantee that my settings will work for other routers with the DD-WRT firmware as well.

The server configuration

The first thing you will need, before even starting to set up the router as an OpenVPN server, are the certificates and the private key, which have to be created. I won't explain how to do that, because there are enough good examples online that describe the process. Here is a link to an article that explains pretty much everything. If you already have DD-WRT firmware version v24-SP2 installed, you don't need the first part of the article, because OpenVPN is already installed on the router.

The following 3 screenshots will show you all the relevant settings in the router. Of course you must make sure that your client configuration matches your server, especially if you are using specific cipher and auth settings.

Server screenshots

  • Main router setup
  • VPN Server configuration
  • iptables rules

The client configuration

Below is the corresponding client configuration file. It follows the standard settings, except that I have specified the encryption cipher the server has been set up to use, as well as the hash algorithm.

##############################################
# Client-side OpenVPN 2.0 config file        #
# for connecting to multi-client server.     #
##############################################

# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client

# Use the same setting as you are using on
# the server.
dev tun

# Are we connecting to a TCP or
# UDP server?  Use the same setting as
# on the server.
proto udp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote your.server.com 1194

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server.  Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Try to preserve some state across restarts.
persist-key
persist-tun

# SSL/TLS parms.
# See the server config file for more
# description.  It's best to use
# a separate .crt/.key file pair
# for each client.  A single ca
# file can be used for all clients.
ca ca.crt
cert client1.crt
key client1.key

# Verify server certificate by checking
# that the certificate has the nsCertType
# field set to "server".  This is an
# important precaution to protect against
# a potential attack discussed here:
#  http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server".  The build-key-server
# script in the easy-rsa folder will do this.
# Note: newer OpenVPN releases (deprecated in 2.4,
# removed in 2.5) replace this directive with
# "remote-cert-tls server", which checks the
# certificate's key usage instead of nsCertType.
ns-cert-type server

# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
cipher AES-128-CBC
auth SHA1

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo

# Set log file verbosity.
verb 3
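To catch the cipher/auth mismatch this post warns about before it costs a debugging session, here is an added Python check (not part of the original post) that parses a client config and a server config and reports every directive that differs. The server config text is a constructed sample reflecting the settings used in this post, not the router's real output.

```python
import re

# Directives that must agree on both ends of the tunnel.
MUST_MATCH = ("proto", "dev", "cipher", "auth")
# Directives that must be present on both ends or on neither.
MUST_PAIR = ("comp-lzo",)

def parse_directives(text):
    """Map each directive to its argument string, skipping comment lines."""
    directives = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            name, _, args = line.partition(" ")
            directives.setdefault(name, args.strip())
    return directives

def normalise(name, value):
    """'dev tun0' (server) and 'dev tun' (client) are compatible, so only the
    device type is compared; every other value is compared verbatim."""
    if name == "dev" and value is not None:
        return re.sub(r"\d+$", "", value)
    return value

def find_mismatches(server_text, client_text):
    """Describe each setting that differs; an empty list means the configs agree.
    A directive missing on one side is deliberately reported too: OpenVPN would
    silently fall back to its built-in default there, which is the kind of
    disagreement that makes the tunnel fail."""
    server = parse_directives(server_text)
    client = parse_directives(client_text)
    problems = []
    for key in MUST_MATCH:
        s, c = normalise(key, server.get(key)), normalise(key, client.get(key))
        if s != c:
            problems.append(f"{key}: server={s!r} client={c!r}")
    for key in MUST_PAIR:
        if (key in server) != (key in client):
            problems.append(f"{key}: enabled on {'server' if key in server else 'client'} only")
    return problems

# Constructed sample configs reflecting the settings used in this post
# (192.168.10.0/24 is the VPN subnet from the post's iptables rules).
SERVER_CONF = "dev tun0\nproto udp\nport 1194\nserver 192.168.10.0 255.255.255.0\n" \
              "cipher AES-128-CBC\nauth SHA1\ncomp-lzo\n"
CLIENT_CONF = "client\ndev tun\nproto udp\nremote your.server.com 1194\n" \
              "cipher AES-128-CBC\nauth SHA1\ncomp-lzo\n"
```

Run `find_mismatches(SERVER_CONF, CLIENT_CONF)` against your own two files; an empty list means the two ends agree on every checked directive.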

Firewall iptables rules

I guess this was the trickiest part. Easy if you understand iptables rules, and tricky if, like me, you can't get your head around them. For me this took the most time, because I always seemed to be missing the one rule needed to make everything work. So here, again for easy copy and paste, are the rules I ended up using.

# Accepts incoming traffic via port 1194 UDP (the OpenVPN port)
iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT

# Allows VPN clients access to router-internal
# processes, e.g. web admin, SSH etc.
iptables -I INPUT 3 -i tun0 -j ACCEPT

# Allows connections between VPN clients, if
# client-to-client is enabled in the OpenVPN server
iptables -I FORWARD 3 -i tun0 -o tun0 -j ACCEPT

# Allows connections from the VPN subnet to the internet
iptables -I FORWARD 1 --source 192.168.10.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -j MASQUERADE

# Allows connections from the local network to the VPN network
# and the other way around (br0 is the bridge for LAN and Wi-Fi)
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
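Since the usual failure here is exactly one missing rule, here is an added Python check (not from the original post) that reads the output of `iptables -S` and `iptables -t nat -S` from the router and reports which of the rules above has no match. The dumps at the end are constructed samples of what the router might print after the rules were applied.

```python
# Long-form option names that `iptables -S` prints in short form.
ALIASES = {"--source": "-s", "--destination": "-d", "--in-interface": "-i",
           "--out-interface": "-o", "--jump": "-j", "--protocol": "-p"}

# The rules this post's setup relies on, as (table, chain, options) tuples.
REQUIRED = [
    ("filter", "INPUT",       {"-p": "udp", "--dport": "1194", "-j": "ACCEPT"}),
    ("filter", "INPUT",       {"-i": "tun0", "-j": "ACCEPT"}),
    ("filter", "FORWARD",     {"-i": "tun0", "-o": "tun0", "-j": "ACCEPT"}),
    ("filter", "FORWARD",     {"-s": "192.168.10.0/24", "-j": "ACCEPT"}),
    ("filter", "FORWARD",     {"-i": "br0", "-o": "tun0", "-j": "ACCEPT"}),
    ("filter", "FORWARD",     {"-i": "tun0", "-o": "br0", "-j": "ACCEPT"}),
    ("nat",    "POSTROUTING", {"-s": "192.168.10.0/24", "-j": "MASQUERADE"}),
]

def parse_rule(line):
    """Turn one '-A CHAIN ...' line into (chain, {option: value})."""
    tokens = line.split()
    chain, opts, flag = tokens[1], {}, None
    for tok in tokens[2:]:
        if tok.startswith("-"):
            flag = ALIASES.get(tok, tok)
            opts[flag] = ""
        elif flag:
            opts[flag] = (opts[flag] + " " + tok).strip()
    return chain, opts

def missing_rules(dumps):
    """dumps maps a table name to the text of `iptables -t <table> -S`.
    Returns the REQUIRED entries that no rule satisfies. Only presence is
    checked; the order the post enforces with -I positions is not."""
    present = {table: [parse_rule(l) for l in text.splitlines() if l.startswith("-A ")]
               for table, text in dumps.items()}
    return [(table, chain, wanted) for table, chain, wanted in REQUIRED
            if not any(c == chain and wanted.items() <= opts.items()
                       for c, opts in present.get(table, []))]

# Constructed sample dumps as the router might show them after the rules above
# were applied (iptables adds '-m udp' itself when '--dport' is used with '-p udp').
FILTER_DUMP = """\
-P INPUT DROP
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -i tun0 -j ACCEPT
-A FORWARD -s 192.168.10.0/24 -j ACCEPT
-A FORWARD -i tun0 -o br0 -j ACCEPT
-A FORWARD -i br0 -o tun0 -j ACCEPT
-A FORWARD -i tun0 -o tun0 -j ACCEPT
"""
NAT_DUMP = "-P POSTROUTING ACCEPT\n-A POSTROUTING -s 192.168.10.0/24 -j MASQUERADE\n"
```

Feed it the real dumps with `missing_rules({"filter": ..., "nat": ...})`; anything it returns is a rule to add, and rule order still has to be checked by eye.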

1 comment



Roman said ...
26 April 2015, 21:36

It works, but it is a bit tricky: if I omit

cipher AES-128-CBC
auth SHA1

and use none, it does not work. However, the config as written here works for me perfectly, MANY THANKS!!!

Roman
