I've been running IPCOP as my home firewall for a couple of years. I was also running OpenVPN on my firewall to allow for remote road warrior VPN connections. The combination worked great, protecting my home network while providing secure remote access. Still, the geek in me wanted to consolidate my hardware and experiment with dd-wrt. After a little research I found out that there was OpenVPN support for dd-wrt. However, looking at the documentation and various forums I didn't see anything showing me how to set up a successful road warrior tunnel. After an evening of experimenting I got it to work: DD-WRT and OpenVPN running on a Linksys WRT54GL, allowing inbound road warrior connections using tunnel mode. Here's what I did.

First, this is what I had set up previously:
- DSL modem which plugged into
- Computer running IPCOP and OpenVPN which plugged into
- Switch and a separate WAP (a Linksys wireless access point)
And this is the consolidated setup it was replaced with:
- DSL modem which plugs into
- Linksys WRT54GL running DD-WRT and OpenVPN (also providing switch ports and a WAP)
Here are the steps I followed:
- Download dd-wrt.v23_sp2_mini.zip
- Download dd-wrt.v23_sp2_vpn.zip
- Reset the Linksys WRT54GL to factory defaults. The router will have a default IP of 192.168.1.1, a blank username and the password “admin”.
- Update the WRT54GL firmware with dd-wrt.v23_mini_wrt54g.bin (from the mini zip downloaded above) using http (not https)
- Log back into the router via the web console (the username will now be 'root' and the password remains 'admin') and update the firmware (Administration | Firmware Upgrade) a second time with dd-wrt.v23_vpn_wrt54g.bin (from the vpn zip downloaded above)
- Here we run into a minor bug - upon reboot of the router you won't be able to access the web admin pages. No worries. Hold the reset button on the back of the router for five seconds. It'll reboot and you'll be able to access the web console successfully once again.
- Log in to the updated WRT54GL (router) with a web browser and configure as needed (e.g., change the root password, enable wireless security with WPA or WPA2, DynDNS, enable sshd, disable telnet, etc). Back up the config when done (Administration | Backup).
- Reboot router (Administration | Management | Reboot Router)
- Create OpenVPN certificates for server and client. I'm running Ubuntu as my OS and already had OpenVPN installed (`sudo aptitude install openvpn`). Instructions on how to create the certificates can be found here.
- Log back in to router and go to ADMINISTRATION | COMMANDS
- Enter the following into the command shell box (the idea for this step was found here). Paste your certificates in where it says “…INSERT YOUR OWN CONTENT HERE…”
```sh
cd /tmp
echo "
# Initial Options
daemon
dev tun
tun-mtu 1400
proto udp
port 1194
tls-server
mode server
server 10.5.10.0 255.255.255.0
ifconfig-pool-persist ipp.txt

# Certificates and Keys
ca ca.crt # Certificate authority (CA) file
dh dh1024.pem # File containing Diffie Hellman parameters
cert server.crt # Local peer's signed certificate
key server.key # Local peer's private key

# Additional Options
keepalive 10 60
status openvpn-status.log
log openvpn.log
comp-lzo
cipher BF-CBC
max-clients 100
persist-key
persist-tun
verb 3
mute 20
" > openvpn.conf
echo "
-----BEGIN CERTIFICATE-----
...INSERT YOUR OWN CONTENT HERE...
-----END CERTIFICATE-----
" > ca.crt
echo "
-----BEGIN RSA PRIVATE KEY-----
...INSERT YOUR OWN CONTENT HERE...
-----END RSA PRIVATE KEY-----
" > server.key
chmod 600 server.key
echo "
-----BEGIN CERTIFICATE-----
...INSERT YOUR OWN CONTENT HERE...
-----END CERTIFICATE-----
" > server.crt
echo "
-----BEGIN DH PARAMETERS-----
...INSERT YOUR OWN CONTENT HERE...
-----END DH PARAMETERS-----
" > dh1024.pem
sleep 5
ln -s /usr/sbin/openvpn /tmp/myvpn
/tmp/myvpn --config openvpn.conf
```

Two things worth knowing about this script. The startup script, private key included, is saved in the router's nvram and therefore travels with the config backup, so guard that backup like a key file. And two of the directives have aged: `cipher BF-CBC` selects Blowfish, a 64-bit block cipher that OpenVPN has since deprecated, and 1024-bit DH parameters are below current recommendations; on a current OpenVPN build prefer an AES cipher (e.g. `cipher AES-256-CBC`) and 2048-bit DH parameters on both ends.
- Click on SAVE STARTUP at bottom of webpage.
- Enter the following into the command shell box to punch the right holes in the firewall (the first rule admits the OpenVPN handshake from the Internet; the other two let traffic arriving on the tunnel interface reach the router itself and be forwarded on to the LAN):

```sh
/usr/sbin/iptables -I INPUT -p udp --dport 1194 -j ACCEPT
/usr/sbin/iptables -I INPUT -i tun+ -j ACCEPT
/usr/sbin/iptables -I FORWARD -i tun+ -j ACCEPT
```
- Click on SAVE FIREWALL at bottom of webpage and then Reboot router (Administration | Management | Reboot Router)
- Set up the OpenVPN client. Here's a sample openvpn-client.conf file from my laptop:

```
tls-client
client
dev tun
proto udp
tun-mtu 1400
remote dyndns-hostname-or-ip-of-server 1194
ca /home/username/openvpn/keys/home/ca.crt
cert /home/username/openvpn/keys/home/client1.crt
key /home/username/openvpn/keys/home/client1.key
cipher BF-CBC
comp-lzo
verb 3
ns-cert-type server
route remote_host 255.255.255.255 net_gateway
route 10.5.1.0 255.255.255.0 vpn_gateway
route 10.5.10.0 255.255.255.0 vpn_gateway
#redirect-gateway
```

`ns-cert-type server` makes the client reject a server certificate that is not marked as a server certificate, so another client's certificate cannot be used to impersonate the server; newer OpenVPN releases replace it with `remote-cert-tls server`. The two `route` lines send the home LAN (10.5.1.0/24 here) and the VPN pool (10.5.10.0/24, matching the `server` directive on the router) through the tunnel while everything else keeps using the local gateway; uncomment `redirect-gateway` instead if you want all traffic to go through the VPN.
- From outside of the network, test the connection:

```
openvpn --config openvpn-client.conf
```

This is an oversimplified explanation, but it should get you where you need to be. For troubleshooting you may need to ssh to the router and look at the running processes to make sure OpenVPN is running (`ps | grep open`). You may also need to change the server IP within the server's config file, as well as the route entries within the client's config above, to match your network.
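Hand-pasting four PEM blocks into the web form is where most mistakes happen (a truncated key, a lost trailing line, a key readable for a moment before the `chmod`). As an added example, mine rather than anything from the original post or the DD-WRT project, here is a small POSIX shell script to run on the Linux box where the certificates were generated: it checks that each PEM file carries the expected BEGIN/END markers, then emits the complete Startup script and the Firewall script ready to paste into Administration | Commands. It keeps the post's OpenVPN directives exactly as they are (including `cipher BF-CBC` and the 1024-bit DH file), writes the files with quoted heredocs instead of `echo`, and sets `umask 077` before anything is written so server.key is never world-readable. The `keys/` directory in the usage lines is an assumed path, not the post's.

```shell
#!/bin/sh
# make_ovpn_startup.sh: build the DD-WRT Startup and Firewall scripts for the
# OpenVPN server from PEM files on the Linux box. Added example, not code from
# the original post; the keys/ directory in the usage lines is an assumed path.
# Usage: sh make_ovpn_startup.sh keys/ca.crt keys/server.crt keys/server.key keys/dh1024.pem > startup.txt
#        sh make_ovpn_startup.sh --firewall > firewall.txt

# pem_check FILE KIND: FILE must be readable and hold a complete
# "-----BEGIN KIND-----" ... "-----END KIND-----" block; a truncated paste is
# the usual reason OpenVPN refuses to start on the router.
pem_check() {
    file=$1
    kind=$2
    [ -r "$file" ] || { echo "pem_check: cannot read $file" >&2; return 1; }
    grep -q "^-----BEGIN ${kind}-----" "$file" \
        || { echo "pem_check: no BEGIN ${kind} marker in $file" >&2; return 1; }
    grep -q "^-----END ${kind}-----" "$file" \
        || { echo "pem_check: no END ${kind} marker in $file" >&2; return 1; }
}

# emit_file SRC DST: print a quoted heredoc that recreates SRC as DST on the
# router. awk '1' ends every record with a newline, so the delimiter always
# lands on its own line even when SRC has no trailing newline.
emit_file() {
    printf "cat > %s <<'__PEM__'\n" "$2"
    awk '1' "$1"
    printf '__PEM__\n'
}

# build_startup CA CERT KEY DH: print the complete Startup script. The OpenVPN
# directives are the post's own; umask 077 makes every file owner-only from the
# moment it is created (OpenVPN runs as root on the router, so it can read them).
build_startup() {
    ca=$1; cert=$2; key=$3; dh=$4
    pem_check "$ca"   CERTIFICATE     || return 1
    pem_check "$cert" CERTIFICATE     || return 1
    pem_check "$dh"   "DH PARAMETERS" || return 1
    # easy-rsa of that era wrote "RSA PRIVATE KEY"; newer tools write "PRIVATE KEY".
    pem_check "$key" "RSA PRIVATE KEY" 2>/dev/null || pem_check "$key" "PRIVATE KEY" || return 1
    cat <<'__HEAD__'
cd /tmp
umask 077
cat > openvpn.conf <<'__CONF__'
daemon
dev tun
tun-mtu 1400
proto udp
port 1194
tls-server
mode server
server 10.5.10.0 255.255.255.0
ifconfig-pool-persist ipp.txt
ca ca.crt
dh dh1024.pem
cert server.crt
key server.key
keepalive 10 60
status openvpn-status.log
log openvpn.log
comp-lzo
cipher BF-CBC
max-clients 100
persist-key
persist-tun
verb 3
mute 20
__CONF__
__HEAD__
    emit_file "$ca"   ca.crt
    emit_file "$cert" server.crt
    emit_file "$key"  server.key
    emit_file "$dh"   dh1024.pem
    cat <<'__TAIL__'
chmod 600 server.key
sleep 5
ln -s /usr/sbin/openvpn /tmp/myvpn
/tmp/myvpn --config openvpn.conf
__TAIL__
}

# build_firewall: print the Firewall script (the three rules from the post).
build_firewall() {
    cat <<'__FW__'
/usr/sbin/iptables -I INPUT -p udp --dport 1194 -j ACCEPT
/usr/sbin/iptables -I INPUT -i tun+ -j ACCEPT
/usr/sbin/iptables -I FORWARD -i tun+ -j ACCEPT
__FW__
}

# Only act when invoked with arguments, so the functions can also be sourced.
case "$#:${1:-}" in
    1:--firewall) build_firewall ;;
    4:*)          build_startup "$@" || exit 1 ;;
esac
```

Run `sh -n startup.txt` on the output before pasting it; the web form gives no feedback on a syntax error, it simply leaves you with no tunnel after the reboot. The `chmod 600` is redundant under `umask 077` and is kept only so the intent stays visible when you read the script back from the Commands page.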
Now I'm able to VPN to my home network from anywhere and access my systems at home securely using DD-WRT and OpenVPN. I've also set up the Network Manager applet for Gnome on my Ubuntu boxes to establish an OpenVPN connection to my router/firewall as well.
UPDATE [2/15/2008]: I received a couple of emails asking how to set up dd-wrt with service from Comcast. I personally don't use Comcast, however, I did successfully set up dd-wrt for a friend who does.
First, you will need to get the MAC address of the computer that you originally set your Internet connection up with through Comcast. If it's a Windows system, open a command prompt on that same system and type “ipconfig /all”; the MAC is listed as the “Physical Address”. On Linux or a Mac, type 'ifconfig' from a terminal. Write down the MAC (or HWaddr) address. It will look something like 00:16:6F:12:34:56.
Next, go to the web management front-end for your dd-wrt device. Click on SETUP | MAC ADDRESS CLONE. Select “Enable”. Within the “Clone WAN MAC” field enter in the MAC address you jotted down from above. Save settings and reboot for good measure.
That should do the trick for you.
UPDATE [5/13/2008]: A weakness has been discovered in the random number generator used by OpenSSL on Debian and Ubuntu systems. Be sure to patch vulnerable systems, and if the OpenVPN certificates and keys from the steps above were generated on an affected Debian or Ubuntu box, regenerate them after patching: keys produced by the weak generator are predictable, so patching alone does not make them safe. [link to advisory]