May 09, 2011


Wednesday, January 16, 2008  by Steve Zenone

I've been running IPCOP as my home firewall for a couple of years. I was also running OpenVPN on my firewall to allow for remote road warrior VPN connections. The combination worked great, protecting my home network while providing secure remote access. Still, the geek in me wanted to consolidate my hardware and experiment with dd-wrt. After a little research I found out that there was OpenVPN support for dd-wrt. However, looking at the documentation and various forums I didn't see anything showing me how to set up a successful road warrior tunnel. After an evening of experimenting I got it to work: DD-WRT and OpenVPN running on a Linksys WRT54GL allowing inbound road warrior connections using tunnel mode. Here's what I did.
First, this is what I had set up previously:

    DSL modem which plugged into
    Computer running IPCOP and OpenVPN which plugged into
    Switch and a separate WAP (a Linksys wireless access point)

I wanted to consolidate the last three pieces of hardware (firewall/OpenVPN, switch and WAP). My plan was to have the following:

    DSL modem which plugs into
    Linksys WRT54GL running DD-WRT and OpenVPN (also providing switch ports and a WAP)

So, I began my search through the DD-WRT website [link].

    1. Download dd-wrt.v23_sp2_mini.zip

    2. Download dd-wrt.v23_sp2_vpn.zip

    3. Reset the Linksys WRT54GL to factory defaults. The router will have a default IP of 192.168.1.1 with a blank username and password “admin”.

    4. Update the WRT54GL firmware with dd-wrt.v23_mini_wrt54g.bin (from step 1) using http (not https).

    5. Log back into the router via the web console (the username will now be 'root' and the password remains 'admin') and update the firmware (Administration | Firmware Upgrade) a second time with dd-wrt.v23_vpn_wrt54g.bin (from step 2).

    6. Here we run into a minor bug – upon reboot of the router you won't be able to access the web admin pages. No worries. Hold the reset button on the back of the router for five seconds. It'll reboot and you'll be able to access the web console successfully once again.

    7. Log in to the updated WRT54GL (router) with a web browser and configure as needed (e.g., change the root password, enable wireless security with WPA or WPA2, DynDNS, enable sshd, disable telnet, etc.). Back up the config when done (Administration | Backup).

    8. Reboot the router (Administration | Management | Reboot Router).

    9. Create OpenVPN certificates for the server and client. I'm running Ubuntu as my OS and already had OpenVPN installed (`sudo aptitude install openvpn`). Instructions on how to create the certificates can be found here.

    10. Log back in to the router and go to ADMINISTRATION | COMMANDS.

    11. Enter the following into the command shell box (the idea for this step was found here). Paste your certificates in where it says “…INSERT YOUR OWN CONTENT HERE…”

    cd /tmp

    echo "
    # Initial Options
    daemon
    dev tun
    tun-mtu 1400
    proto udp
    port 1194
    tls-server
    mode server
    server 10.5.10.0 255.255.255.0
    ifconfig-pool-persist ipp.txt

    # Certificates and Keys
    ca ca.crt         # Certificate authority (CA) file
    dh dh1024.pem     # File containing Diffie Hellman parameters
    cert server.crt   # Local peer's signed certificate
    key server.key    # Local peer's private key

    # Additional Options
    keepalive 10 60
    status openvpn-status.log
    log openvpn.log
    comp-lzo
    cipher BF-CBC
    max-clients 100
    persist-key
    persist-tun
    verb 3
    mute 20
    " > openvpn.conf

    echo "
    -----BEGIN CERTIFICATE-----
    …INSERT YOUR OWN CONTENT HERE…
    -----END CERTIFICATE-----
    " > ca.crt
    echo "
    -----BEGIN RSA PRIVATE KEY-----
    …INSERT YOUR OWN CONTENT HERE…
    -----END RSA PRIVATE KEY-----
    " > server.key
    chmod 600 server.key
    echo "
    -----BEGIN CERTIFICATE-----
    …INSERT YOUR OWN CONTENT HERE…
    -----END CERTIFICATE-----
    " > server.crt
    echo "
    -----BEGIN DH PARAMETERS-----
    …INSERT YOUR OWN CONTENT HERE…
    -----END DH PARAMETERS-----
    " > dh1024.pem

    sleep 5
    ln -s /usr/sbin/openvpn /tmp/myvpn
    /tmp/myvpn --config openvpn.conf

    12. Click on SAVE STARTUP at the bottom of the webpage.

    13. Enter the following into the command shell box to punch the right firewall holes:

    /usr/sbin/iptables -I INPUT -p udp --dport 1194 -j ACCEPT
    /usr/sbin/iptables -I INPUT -i tun+ -j ACCEPT
    /usr/sbin/iptables -I FORWARD -i tun+ -j ACCEPT

    14. Click on SAVE FIREWALL at the bottom of the webpage and then reboot the router (Administration | Management | Reboot Router).

    15. Set up the OpenVPN client. Here's a sample openvpn-client.conf file from my laptop:

    tls-client
    client
    dev tun
    proto udp
    tun-mtu 1400
    remote dyndns-hostname-or-ip-of-server 1194
    ca /home/username/openvpn/keys/home/ca.crt
    cert /home/username/openvpn/keys/home/client1.crt
    key /home/username/openvpn/keys/home/client1.key
    cipher BF-CBC
    comp-lzo
    verb 3
    ns-cert-type server
    route remote_host 255.255.255.255 net_gateway
    route 10.5.1.0 255.255.255.0 vpn_gateway
    route 10.5.10.0 255.255.255.0 vpn_gateway
    #redirect-gateway

    16. From outside of the network, test the connection:

    openvpn --config openvpn-client.conf
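
The server and client configs above only work when their transport settings line up; as an added example (not code from the original post), here is a small checker that parses both files and reports mismatches in proto, cipher, tun-mtu, comp-lzo and port, a missing server-identity check (ns-cert-type / remote-cert-tls server), missing cert/key directives, a missing client route for the VPN subnet, and the 64-bit block cipher BF-CBC. The sample configs at the bottom are constructed from the post's directives; the hostname vpn.example.invalid is a placeholder.

```python
"""Consistency checks between the OpenVPN server config on the router and a
road-warrior client config. Added example, not code from the original post."""
import shlex
# 64-bit block ciphers (SWEET32); OpenVPN 2.5+ no longer enables them by default.
SMALL_BLOCK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC"}

def parse(text):
    """Map each directive to the list of argument lists it appears with."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if line:
            parts = shlex.split(line)
            conf.setdefault(parts[0], []).append(parts[1:])
    return conf

def first(conf, key, dflt=None):
    return conf[key][0] if key in conf else dflt

def check_pair(server_text, client_text):
    """Return a list of findings; an empty list means the pair is consistent."""
    s, c = parse(server_text), parse(client_text)
    out = []
    # Transport parameters must agree on both ends (OpenVPN 2.3 defaults shown).
    for key, dflt in (("proto", ["udp"]), ("cipher", ["BF-CBC"]), ("tun-mtu", ["1500"])):
        if first(s, key, dflt) != first(c, key, dflt):
            out.append(f"{key} mismatch: server {first(s, key, dflt)} client {first(c, key, dflt)}")
    if ("comp-lzo" in s) != ("comp-lzo" in c):
        out.append("comp-lzo enabled on only one side")
    remote, port = first(c, "remote", []), first(s, "port", ["1194"])[0]
    if len(remote) > 1 and remote[1] != port:
        out.append(f"client connects to port {remote[1]} but server listens on {port}")
    # Without this a client cert signed by the same CA could pose as the server.
    if first(c, "ns-cert-type") != ["server"] and first(c, "remote-cert-tls") != ["server"]:
        out.append("client does not check server cert role (ns-cert-type/remote-cert-tls server)")
    for side, conf, needed in (("server", s, ("ca", "cert", "key", "dh")), ("client", c, ("ca", "cert", "key"))):
        out += [f"{side} config missing {k}" for k in needed if k not in conf]
    cipher = first(c, "cipher", ["BF-CBC"])[0]
    if cipher in SMALL_BLOCK_CIPHERS:
        out.append(f"weak cipher {cipher}: 64-bit block size, prefer AES-256-CBC or AES-256-GCM")
    net = first(s, "server")
    if net and "client-to-client" not in s and not any(r[:2] == net[:2] for r in c.get("route", [])):
        out.append(f"client has no route for VPN subnet {net[0]}/{net[1]}")
    return out

# Constructed sample input: the post's server and client directives, trimmed.
SERVER_CONF = "proto udp\nport 1194\ntun-mtu 1400\nserver 10.5.10.0 255.255.255.0\nca ca.crt\ndh dh1024.pem\ncert server.crt\nkey server.key\ncomp-lzo\ncipher BF-CBC\n"
CLIENT_CONF = "client\nproto udp\ntun-mtu 1400\nremote vpn.example.invalid 1194\nca ca.crt\ncert client1.crt\n" \
              "key client1.key\ncipher BF-CBC\ncomp-lzo\nns-cert-type server\nroute 10.5.10.0 255.255.255.0 vpn_gateway\n"
```

Run `check_pair(SERVER_CONF, CLIENT_CONF)` against the post's pair and the only finding is the BF-CBC warning; edit the client (say, change the cipher) and the mismatch is reported before you waste time reading openvpn.log on the router.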

This is an oversimplified explanation, but it should get you where you need to be. For troubleshooting purposes you may need to ssh to the router and look at the running processes to make sure OpenVPN is running (`ps | grep open`). As well, you may want to change the server IP within the server's config file, as well as the route entries within the client's config above, to match your network.

Now I'm able to VPN to my home network from anywhere and access my systems at home securely using DD-WRT and OpenVPN. I've also set up the Network Manager applet for Gnome on my Ubuntu boxes to establish an OpenVPN connection to my router/firewall as well.

-steve

UPDATE [2/15/2008]: I received a couple of emails asking how to set up dd-wrt with service from Comcast. I personally don't use Comcast; however, I did successfully set up a dd-wrt for a friend who does.

First, you will need to get the MAC address from the computer that you originally set up your Internet connection with through Comcast. If it's a Windows system, open a command shell and type “ipconfig” on that same system. On Linux or a Mac, type 'ifconfig' from a terminal. Write down the MAC (or HWaddr) address. It will look something like 00:16:6F:12:34:56.

Next, go to the web management front-end for your dd-wrt device. Click on SETUP | MAC ADDRESS CLONE. Select “Enable”. Within the “Clone WAN MAC” field, enter the MAC address you jotted down above. Save settings and reboot for good measure.

That should do the trick for you.

UPDATE [5/13/2008]: A weakness has been discovered in the random number generator used by OpenSSL on Debian and Ubuntu systems. Be sure to patch vulnerable systems.

http://blog.zenone.org/2008/01/openvpn-and-dd-wrt-on-linksys-wrt54gl.html
