Main menu
You are here
Configuring OpenVPN Client in DD-WRT
After spending almost a day in trying to configuring my dd-wrt router as an OpenVPN client and reading many complicated guides, I found a really simple way to configure OpenVPN. It is necessary that you have optware set up on your router. For setting up Optware, kindly read Optware, The Right Way.
This configuration has been tested with DD-WRT K26 svn 14569 mega build (of Brainslayer) on a WRT610Nv1 router. Configuration of OpenVPN server is beyond the scope of this article. But here is an excellent article on how to setup OpenVPN server in Debian.
- Install openvpn using ipkg.
# ipkg-opt update # ipkg-opt install openvpn
- Dump your vpn configuration file in /opt/etc/openvpn/. Let us assume the name of the configuratoin file is example.vpn.conf. You might have to make certain changes in the configuration file such as:
- Setting the name of the user and group in the config file to that which are existing on the router. 'nobody' user and 'nobody' group exist on the system so you can use these. If you intend to use the route-down.sh script (see below), you will have to set these to 'root' user and 'root' group. For route-up.sh script though, it is fine if you use 'nobody' user and 'nobody' group because the downgrade of privileges by openvpn client happens after the route-up.sh script is called.
- Setting the correct paths for key and certificate files in example.vpn.conf.
- Test if openvpn connection is being established by running the below command.
# /opt/sbin/openvpn --cd /opt/etc/openvpn --config example.vpn.conf
If the connection is being established properly you may proceed to the next step.
- Set up the scripts for allowing machines behind the dd-wrt router to access clients in the VPN network and for clients in the VPN network to access the dd-wrt router.
/opt/etc/openvpn/route-up.sh:
# Enable machines behind the router to access the clients in VPN network /usr/sbin/iptables -I POSTROUTING -t nat -o tun0 -j MASQUERADE # Enable the clients in the VPN network to access the router /usr/sbin/iptables -I INPUT -t filter -i tun0 -j ACCEPT
/opt/etc/openvpn/route-down.sh:
# Disable machines behind the router to access the clients in VPN network /usr/sbin/iptables -D POSTROUTING -t nat -o tun0 -j MASQUERADE # Disable the clients in the VPN network to access the router /usr/sbin/iptables -D INPUT -t filter -i tun0 -j ACCEPT
Test the connection again.
# chmod 755 route-up.sh route-down.sh # /opt/sbin/openvpn --cd /opt/etc/openvpn --config example.vpn.conf --script-security 2 system \ --route-up /opt/etc/openvpn/route-up.sh --down /opt/etc/openvpn/route-down.sh
Note: For advanced users who can configure OpenVPN server, it is possible for the clients in the VPN network to access the private subnet behind the router. Roughly summarizing, this can be achieved by setting up internal routes in the OpenVPN server to redirect all traffic to the private subnet to the router, pushing additional routes to the VPN clients, and allowing forward/masquerading in the router.
- In this last step, we enable openvpn client to connect automatically during startup. Edit /opt/etc/init.d/S20openvpn and make the following changes:
- Comment the statement "return 0" so that we can keep run openvpn as a daemon.
- Set the proper path for killall command (/usr/bin/killall).
- Add the line "/opt/sbin/openvpn --daemon --cd /opt/etc/openvpn --config example.vpn.conf --script-security 2 system --route-up /opt/etc/openvpn/route-up.sh --down /opt/etc/openvpn/route-down.sh" at the bottom.
/opt/etc/init.d/S20openvpn:
#!/bin/sh # # Startup script for openvpn as standalone server # # Make sure IP forwarding is enabled echo 1 > /proc/sys/net/ipv4/ip_forward # Make device if not present (not devfs) if ( [ ! -c /dev/net/tun ] ) then # Make /dev/net directory if needed if ( [ ! -d /dev/net ] ) then mkdir -m 755 /dev/net fi mknod /dev/net/tun c 10 200 fi # Make sure the tunnel driver is loaded if ( !(lsmod | grep -q "^tun") ); then insmod /opt/lib/modules/tun.o fi # I you want a standalone server (not xinetd), comment out the return statement below #return 0 ## This is for standalone servers only!!!! # Kill old server if still there if [ -n "`pidof openvpn`" ]; then /usr/bin/killall openvpn 2>/dev/null fi # Start afresh - add as many daemons as you want #/opt/sbin/openvpn --daemon --cd /opt/etc/openvpn --config openvpn.conf /opt/sbin/openvpn --daemon --cd /opt/etc/openvpn --config example.vpn.conf --script-security 2 \ --route-up /opt/etc/openvpn/route-up.sh --down /opt/etc/openvpn/route-down.sh # [EOF]Test the script.
# chmod u+x /opt/etc/init.d/S20openvpn # /opt/etc/init.d/S20openvpn
- Rebooting the router should now get you connected automatically to your VPN network.
del.icio.us
Digg
Facebook
Google
identi.ca
LinkedIn
Ping This!
Reddit
SlashDot
StumbleUpon
Favorite on Technorati
Twitter
YahooSyndicate
Recent blog posts
- Debian on self-encrypting drive using cryptsetup OPAL support
- Relocation to London
- The Ultimate Hack for Chewing Food Properly
- Work environment upgrades
- Roopkund Trek - Summing up my experience
- Roopkund Trek - Day 9: Driving back to Kathgodam and heading for home
- Roopkund Trek - Arriving at Hyderabad
- Roopkund Trek - Day 8: Return to basecamp Lohajung
- Roopkund Trek - Day 6: Reaching the highest campsite - Bhagwabhasa (altitude: 14100 ft)
- Roopkund Trek - Day 7: An attempt to reach Roopkund and down to Bedni Bugyal
Recent comments
- Wow. You have mentioned every 6 years 1 month ago
- Glad that the information 6 years 9 months ago
- Thank you very much Rahul. 6 years 9 months ago
- Sorry, but I don't know what 6 years 11 months ago
- What do we call "vatti vella 6 years 11 months ago
- Very descriptive and useful 7 years 3 months ago
- I had submitted the originals 7 years 4 months ago
- Hi Rahul, 7 years 5 months ago
- I don't recollect paying any 7 years 10 months ago
- What about Court fees? How 7 years 11 months ago
Comments
Thank You So Much
Thank you so much for your post, this has truly helped me.
I was looking for a nice quick setup of OpenVPN client NOT server on DD-WRT and everybody kept talking about server.
Anyway, a lot of your guide can be found in other places, but your IPTables especially was not found anywhere else, and that's what I truly needed.
Thank you for helping me finish my $60 DD-WRT Repeater VPN.
Good to hear that it was useful
I am happy that this guide has been useful to you. Feedback like this encourages me to write such articles :).
thanks !!!!!!!!
thanks !!!!!!!! , thanks !!!!!!!! thanks !!!!!!!!
I spent hours googling to make it work until I stumbled upon yout post.
The 2 firewall rules dit it!
Question about openvpn client
HI, Im pretty new with all this stuff, I flash my e2000 linksys with dd-wrt mega build, this firmware has the openvpn seerver and client.
I just want use the linksys e2000 as openvpn client to connect a openvpn server that I want to put up and running in my house connecting to my internet in USA.
And as I travel I use the e2000 to connect from around the world to mi vpn in house, get an IP address from my internet provider and then that allow me to see content outside of USA, for example abc.com,etc..
Any good tutorial, link or documents from where I can check? I spend several days flashing my e2000 but now is working...
thanx in advance
Hi Charis, if you want to
Hi Charis, if you want to browse using the ISP at your home in US, you can consider setting up a proxy server on your home system and using it. Be sure though that you don't set it up as an open proxy and that you have authentication enabled. If you are using linux, I'd highly recommend squid.
As far as configuring openvpn server is considered, you can search the internet for good tutorials. In case you are using Debian, here is an excellent tutorial on configuring OpenVPN server - http://howto.landure.fr/gnu-linux/debian-4-0-etch-en/install-and-setup-o....
Open VPN Service, Open VPN
Thanks for the post, I spent hours googling to make it work until I stumbled upon your post.
Fantastic guide
Thanks! Perfect guide!
But I have one question re the firewall rules, these work perfectly when I use the router as a gateway with a dumb ADSL modem, but as soon as I am behind another router the tunnel sets up but the traffic is not routed down it. I guess I need to add a firewall rule?
With the VPN started my routing table looks like this in the DDWRT router
Destination LAN NET Subnet Mask Gateway Interface
86.6.191.36 255.255.255.255 192.168.1.1 LAN & WLAN
5.5.32.0 255.255.255.0 0.0.0.0 tun0
192.168.1.0 255.255.255.0 0.0.0.0 LAN & WLAN
169.254.0.0 255.255.0.0 0.0.0.0 LAN & WLAN
0.0.0.0 128.0.0.0 5.5.32.1 tun0
128.0.0.0 128.0.0.0 5.5.32.1 tun0
0.0.0.0 0.0.0.0 192.168.1.1 LAN & WLAN
Note: For advanced users who
HOW?!!?!?!?!?
Look at OpenVPN options -
Look at OpenVPN options - "iroute" and "push". Setting this up requires some exploring and some knowledge of OpenVPN server and iptables. You should find articles on how to use these options on-line.
Add new comment