Live Free. Live Happy.

Categories

Configuring OpenVPN Client in DD-WRT

Written by

rahul

in

After spending almost a day in trying to configuring my dd-wrt router as an OpenVPN client and reading many complicated guides, I found a really simple way to configure OpenVPN. It is necessary that you have optware set up on your router. For setting up Optware, kindly read Optware, The Right Way.

This configuration has been tested with DD-WRT K26 svn 14569 mega build (of Brainslayer) on a WRT610Nv1 router. Configuration of OpenVPN server is beyond the scope of this article. But here is an excellent article on how to setup OpenVPN server in Debian.

  1. Install openvpn using ipkg. 
    # ipkg-opt update
# ipkg-opt install openvpn
  2. Dump your vpn configuration file in /opt/etc/openvpn/. Let us assume the name of the configuratoin file is example.vpn.conf. You might have to make certain changes in the configuration file such as:
    • Setting the name of the user and group in the config file to that which are existing on the router. ‘nobody’ user and ‘nobody’ group exist on the system so you can use these. If you intend to use the route-down.sh script (see below), you will have to set these to ‘root’ user and ‘root’ group. For route-up.sh script though, it is fine if you use ‘nobody’ user and ‘nobody’ group because the downgrade of privileges by openvpn client happens after the route-up.sh script is called.
    • Setting the correct paths for key and certificate files in example.vpn.conf.
  3. Test if openvpn connection is being established by running the below command. 
    # /opt/sbin/openvpn --cd /opt/etc/openvpn --config example.vpn.conf

    If the connection is being established properly you may proceed to the next step.

  4. Set up the scripts for allowing machines behind the dd-wrt router to access clients in the VPN network and for clients in the VPN network to access the dd-wrt router.

    /opt/etc/openvpn/route-up.sh:

    # Enable machines behind the router to access the clients in VPN network
/usr/sbin/iptables -I POSTROUTING -t nat -o tun0 -j MASQUERADE

# Enable the clients in the VPN network to access the router
/usr/sbin/iptables -I INPUT -t filter -i tun0 -j ACCEPT

    /opt/etc/openvpn/route-down.sh:

    # Disable machines behind the router to access the clients in VPN network
/usr/sbin/iptables -D POSTROUTING -t nat -o tun0 -j MASQUERADE

# Disable the clients in the VPN network to access the router
/usr/sbin/iptables -D INPUT -t filter -i tun0 -j ACCEPT

    Test the connection again.

    # chmod 755 route-up.sh route-down.sh
# /opt/sbin/openvpn --cd /opt/etc/openvpn --config example.vpn.conf --script-security 2 system \
--route-up /opt/etc/openvpn/route-up.sh --down /opt/etc/openvpn/route-down.sh

    Note: For advanced users who can configure OpenVPN server, it is possible for the clients in the VPN network to access the private subnet behind the router. Roughly summarizing, this can be achieved by setting up internal routes in the OpenVPN server to redirect all traffic to the private subnet to the router, pushing additional routes to the VPN clients, and allowing forward/masquerading in the router.

  5. In this last step, we enable openvpn client to connect automatically during startup. Edit /opt/etc/init.d/S20openvpn and make the following changes:
    • Comment the statement “return 0” so that we can keep run openvpn as a daemon.
    • Set the proper path for killall command (/usr/bin/killall).
    • Add the line “/opt/sbin/openvpn –daemon –cd /opt/etc/openvpn –config example.vpn.conf –script-security 2 system –route-up /opt/etc/openvpn/route-up.sh –down /opt/etc/openvpn/route-down.sh” at the bottom.

    /opt/etc/init.d/S20openvpn:

    #!/bin/sh
#
# Startup script for openvpn as standalone server
#

# Make sure IP forwarding is enabled
echo 1 > /proc/sys/net/ipv4/ip_forward

# Make device if not present (not devfs)
if ( [ ! -c /dev/net/tun ] ) then
  # Make /dev/net directory if needed
  if ( [ ! -d /dev/net ] ) then
        mkdir -m 755 /dev/net
  fi
  mknod /dev/net/tun c 10 200
fi

# Make sure the tunnel driver is loaded
if ( !(lsmod | grep -q "^tun") ); then
        insmod /opt/lib/modules/tun.o
fi

# I you want a standalone server (not xinetd), comment out the return statement below
#return 0


## This is for standalone servers only!!!!
# Kill old server if still there
if [ -n "`pidof openvpn`" ]; then
    /usr/bin/killall openvpn 2>/dev/null
fi

# Start afresh - add as many daemons as you want
#/opt/sbin/openvpn --daemon --cd /opt/etc/openvpn --config openvpn.conf
/opt/sbin/openvpn --daemon --cd /opt/etc/openvpn --config example.vpn.conf --script-security 2 \
                  --route-up /opt/etc/openvpn/route-up.sh --down /opt/etc/openvpn/route-down.sh

# [EOF]

    Test the script.

    # chmod u+x /opt/etc/init.d/S20openvpn
# /opt/etc/init.d/S20openvpn
  6. Rebooting the router should now get you connected automatically to your VPN network.

Comments

9 responses to “Configuring OpenVPN Client in DD-WRT”

  1. Adam M avatar
    Adam M

    Thank You So Much
    Thank you so much for your post, this has truly helped me.

    I was looking for a nice quick setup of OpenVPN client NOT server on DD-WRT and everybody kept talking about server.

    Anyway, a lot of your guide can be found in other places, but your IPTables especially was not found anywhere else, and that’s what I truly needed.

    Thank you for helping me finish my $60 DD-WRT Repeater VPN.

    Reply
  2. rahul avatar
    rahul

    Good to hear that it was useful
    I am happy that this guide has been useful to you. Feedback like this encourages me to write such articles :).

    Reply
  3. Anonymous avatar
    Anonymous

    thanks !!!!!!!!
    thanks !!!!!!!! , thanks !!!!!!!! thanks !!!!!!!!

    I spent hours googling to make it work until I stumbled upon yout post.

    The 2 firewall rules dit it!

    Reply
  4. Charls avatar
    Charls

    Question about openvpn client
    HI, Im pretty new with all this stuff, I flash my e2000 linksys with dd-wrt mega build, this firmware has the openvpn seerver and client.

    I just want use the linksys e2000 as openvpn client to connect a openvpn server that I want to put up and running in my house connecting to my internet in USA.

    And as I travel I use the e2000 to connect from around the world to mi vpn in house, get an IP address from my internet provider and then that allow me to see content outside of USA, for example abc.com,etc..

    Any good tutorial, link or documents from where I can check? I spend several days flashing my e2000 but now is working…

    thanx in advance

    Reply
    1. rahul avatar
      rahul

      Hi Charis, if you want to
      Hi Charis, if you want to browse using the ISP at your home in US, you can consider setting up a proxy server on your home system and using it. Be sure though that you don’t set it up as an open proxy and that you have authentication enabled. If you are using linux, I’d highly recommend squid.

      As far as configuring openvpn server is considered, you can search the internet for good tutorials. In case you are using Debian, here is an excellent tutorial on configuring OpenVPN server – http://howto.landure.fr/gnu-linux/debian-4-0-etch-en/install-and-setup-openvpn-on-debian-4-0-etch.

      Reply
  5. Open VPN Service avatar
    Open VPN Service

    Open VPN Service, Open VPN
    Thanks for the post, I spent hours googling to make it work until I stumbled upon your post.

    Reply
  6. Andy avatar
    Andy

    Fantastic guide
    Thanks! Perfect guide!

    But I have one question re the firewall rules, these work perfectly when I use the router as a gateway with a dumb ADSL modem, but as soon as I am behind another router the tunnel sets up but the traffic is not routed down it. I guess I need to add a firewall rule?

    With the VPN started my routing table looks like this in the DDWRT router

    Destination LAN NET Subnet Mask Gateway Interface
    86.6.191.36 255.255.255.255 192.168.1.1 LAN & WLAN
    5.5.32.0 255.255.255.0 0.0.0.0 tun0
    192.168.1.0 255.255.255.0 0.0.0.0 LAN & WLAN
    169.254.0.0 255.255.0.0 0.0.0.0 LAN & WLAN
    0.0.0.0 128.0.0.0 5.5.32.1 tun0
    128.0.0.0 128.0.0.0 5.5.32.1 tun0
    0.0.0.0 0.0.0.0 192.168.1.1 LAN & WLAN

    Reply
  7. Paul-Sebastian avatar
    Paul-Sebastian

    Note: For advanced users who

    Note: For advanced users who can configure OpenVPN server, it is possible for the clients in the VPN network to access the private subnet behind the router. Roughly summarizing, this can be achieved by setting up internal routes in the OpenVPN server to redirect all traffic to the private subnet to the router, pushing additional routes to the VPN clients, and allowing forward/masquerading in the router.

    HOW?!!?!?!?!?

    Reply
    1. rahul avatar
      rahul

      Look at OpenVPN options –
      Look at OpenVPN options – “iroute” and “push”. Setting this up requires some exploring and some knowledge of OpenVPN server and iptables. You should find articles on how to use these options on-line.

      Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

More posts