Wednesday, January 16, 2008

OpenVPN and DD-WRT on Linksys WRT54GL

I've been running IPCOP as my home firewall for a couple of years. I was also running OpenVPN on my firewall to allow for remote road warrior VPN connections. The combination worked great, protecting my home network while providing secure remote access. Still, the geek in me wanted to consolidate my hardware and experiment with dd-wrt. After a little research I found out that there was OpenVPN support for dd-wrt. However, looking at the documentation and various forums I didn't see anything showing me how to set up a successful road warrior tunnel. After an evening of experimenting I got it to work: DD-WRT and OpenVPN running on a Linksys WRT54GL, allowing inbound road warrior connections using tunnel mode. Here's what I did.

First, this is what I had setup previously:
  • DSL modem which plugged into
  • Computer running IPCOP and OpenVPN which plugged into
  • Switch and a separate WAP (a Linksys wireless access point)
I wanted to consolidate the last three pieces of hardware (firewall/OpenVPN, switch and WAP). My plan was to have the following:
  • DSL modem which plugs into
  • Linksys WRT54GL running DD-WRT and OpenVPN (also providing switch ports and a WAP)
So, I began my search through the DD-WRT website [link].
  1. Download dd-wrt.v23_sp2_mini.zip
  2. Download dd-wrt.v23_sp2_vpn.zip
  3. Reset Linksys WRT54GL to factory defaults. The router will have a default IP of 192.168.1.1 with a blank username and password “admin”.
  4. Update WRT54GL firmware with dd-wrt.v23_mini_wrt54g.bin (from step 1) using http (not https)
  5. Log back into the router via the web console (username will now be 'root' and password remains 'admin') and update the firmware (Administration | Firmware Upgrade) a second time with dd-wrt.v23_vpn_wrt54g.bin (from step 2)
  6. Here we run into a minor bug - upon reboot of the router you won't be able to access the web admin pages. No worries. Hold the reset button on the back of the router for five seconds. It'll reboot and you'll be able to access the web console successfully once again.
  7. Log in to the updated WRT54GL (router) with a web browser and configure as needed (e.g., change the root password, enable wireless security with WPA or WPA2, DynDNS, enable sshd, disable telnet, etc.). Back up the config when done (Administration | Backup).
  8. Reboot router (Administration | Management | Reboot Router)
  9. Create OpenVPN certificates for server and client. I'm running Ubuntu as my OS and already had OpenVPN installed (`sudo aptitude install openvpn`). Instructions on how to create the certificates can be found here.
  10. Log back in to router and go to ADMINISTRATION | COMMANDS
  11. Enter the following into the command shell box (the idea for this step was found here). Paste your certificates in where it says “…INSERT YOUR OWN CONTENT HERE…”:
cd /tmp

echo "
# Initial Options
daemon
dev tun
tun-mtu 1400
proto udp
port 1194
tls-server
mode server
server 10.5.10.0 255.255.255.0
ifconfig-pool-persist ipp.txt

# Certificates and Keys
ca ca.crt         # Certificate authority (CA) file
dh dh1024.pem     # File containing Diffie Hellman parameters
cert server.crt   # Local peer's signed certificate
key server.key    # Local peer's private key

# Additional Options
keepalive 10 60
status openvpn-status.log
log openvpn.log
comp-lzo
cipher BF-CBC
max-clients 100
persist-key
persist-tun
verb 3
mute 20
" > openvpn.conf

echo "
-----BEGIN CERTIFICATE-----
...INSERT YOUR OWN CONTENT HERE...
-----END CERTIFICATE-----
" > ca.crt
echo "
-----BEGIN RSA PRIVATE KEY-----
...INSERT YOUR OWN CONTENT HERE...
-----END RSA PRIVATE KEY-----
" > server.key
chmod 600 server.key
echo "
-----BEGIN CERTIFICATE-----
...INSERT YOUR OWN CONTENT HERE...
-----END CERTIFICATE-----
" > server.crt
echo "
-----BEGIN DH PARAMETERS-----
...INSERT YOUR OWN CONTENT HERE...
-----END DH PARAMETERS-----
" > dh1024.pem

sleep 5
ln -s /usr/sbin/openvpn /tmp/myvpn
/tmp/myvpn --config openvpn.conf
  12. Click on SAVE STARTUP at bottom of webpage.
  13. Enter the following into the command shell box to punch the right firewall holes:
/usr/sbin/iptables -I INPUT -p udp --dport 1194 -j ACCEPT
/usr/sbin/iptables -I INPUT -i tun+ -j ACCEPT
/usr/sbin/iptables -I FORWARD -i tun+ -j ACCEPT
  14. Click on SAVE FIREWALL at bottom of webpage and then reboot the router (Administration | Management | Reboot Router)
  15. Set up the OpenVPN client. Here's a sample openvpn-client.conf file from my laptop:
tls-client
client
dev tun
proto udp
tun-mtu 1400
remote dyndns-hostname-or-ip-of-server 1194
ca /home/username/openvpn/keys/home/ca.crt
cert /home/username/openvpn/keys/home/client1.crt
key /home/username/openvpn/keys/home/client1.key
cipher BF-CBC
comp-lzo
verb 3
ns-cert-type server
route remote_host 255.255.255.255 net_gateway
route 10.5.1.0 255.255.255.0 vpn_gateway
route 10.5.10.0 255.255.255.0 vpn_gateway
#redirect-gateway
  16. From outside of the network, test the connection:
openvpn --config openvpn-client.conf
This is an oversimplified explanation, but it should get you where you need to be. For troubleshooting purposes you may need to ssh to the router and look at the running processes to make sure OpenVPN is running (`ps | grep open`). You may also need to change the server IP within the server's config file, as well as the route entries within the client's config above, to match your network.
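The server config on the router and the client config on the laptop have to agree on transport, port, cipher, compression and MTU, and the client's `ns-cert-type server` line is what stops another valid client certificate from posing as the server. The checker below is an added example (not from this post, DD-WRT or OpenVPN): it parses both configs and reports mismatches, including the tcp/443 change and the tls-auth key-direction pair that come up in the comments. The sample configs are constructed from the post; the hostname is a placeholder.

```python
"""Consistency check between the OpenVPN server config written to /tmp on
the DD-WRT router and the road-warrior client config.  Added example, not
part of the original post, DD-WRT or OpenVPN.  The sample configs below are
constructed from the post; the hostname is a placeholder."""
from typing import Dict, List

# Constructed server config (what the startup script echoes into openvpn.conf).
SERVER_CONF = """
daemon
dev tun
tun-mtu 1400
proto udp
port 1194
tls-server
mode server
server 10.5.10.0 255.255.255.0
ca ca.crt         # Certificate authority (CA) file
dh dh1024.pem
cert server.crt
key server.key
comp-lzo
cipher BF-CBC
"""

# Constructed client config, deliberately switched to tcp/443 and AES on the
# client side only, to show what the checker reports.
CLIENT_CONF = """
tls-client
client
dev tun
proto tcp
tun-mtu 1400
remote vpn-host.example.invalid 443
ca ca.crt
cert client1.crt
key client1.key
cipher AES-256-CBC
comp-lzo
ns-cert-type server
"""


def parse(text: str) -> Dict[str, List[str]]:
    """Parse an OpenVPN config into {directive: [args]}.  '#' and ';' start
    comments; a trailing comment after a directive is allowed, as in the post."""
    opts: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        opts[parts[0]] = parts[1:]
    return opts


def check(server_text: str, client_text: str) -> List[str]:
    """Return human-readable mismatches; an empty list means consistent."""
    s, c = parse(server_text), parse(client_text)
    findings: List[str] = []

    # Server "proto tcp" means tcp-server and client "proto tcp" means
    # tcp-client, so only the base protocol has to agree.
    s_proto = s.get("proto", ["udp"])[0].split("-")[0]
    c_proto = c.get("proto", ["udp"])[0].split("-")[0]
    if s_proto != c_proto:
        findings.append(f"proto mismatch: server {s_proto}, client {c_proto}")

    # The client's port is the second argument of 'remote'; both default to 1194.
    s_port = s.get("port", ["1194"])[0]
    remote = c.get("remote", [])
    c_port = remote[1] if len(remote) > 1 else "1194"
    if s_port != c_port:
        findings.append(f"port mismatch: server listens on {s_port}, client connects to {c_port}")

    # Device type: compare the prefix so 'tap0' (server) and 'tap' (client) agree.
    s_dev, c_dev = s.get("dev", [""])[0][:3], c.get("dev", [""])[0][:3]
    if s_dev != c_dev:
        findings.append(f"dev mismatch: server {s_dev!r}, client {c_dev!r}")

    # OpenVPN 2.0/2.1 do not negotiate these; they must be identical on both ends.
    for key, default in (("cipher", "BF-CBC"), ("tun-mtu", "1500")):
        sv, cv = s.get(key, [default])[0], c.get(key, [default])[0]
        if sv != cv:
            findings.append(f"{key} mismatch: server {sv}, client {cv}")
    if ("comp-lzo" in s) != ("comp-lzo" in c):
        findings.append("comp-lzo set on one side only")

    # Without this the client accepts any certificate signed by the CA as the
    # server, including another road warrior's client certificate.
    if "ns-cert-type" not in c and "remote-cert-tls" not in c:
        findings.append("client lacks 'ns-cert-type server' (or 'remote-cert-tls server')")

    # tls-auth: both sides or neither, with key direction 0 (server) / 1 (client).
    s_ta, c_ta = s.get("tls-auth"), c.get("tls-auth")
    if (s_ta is None) != (c_ta is None):
        findings.append("tls-auth configured on one side only")
    elif s_ta is not None and c_ta is not None:
        dirs = (s_ta[1] if len(s_ta) > 1 else None, c_ta[1] if len(c_ta) > 1 else None)
        if dirs != (None, None) and dirs != ("0", "1"):
            findings.append(f"tls-auth key direction should be 0 on server, 1 on client, got {dirs}")
    return findings


if __name__ == "__main__":
    for finding in check(SERVER_CONF, CLIENT_CONF):
        print(finding)
```

Run it against the real files with `check(open("openvpn.conf").read(), open("openvpn-client.conf").read())` before pasting the server config into the router's startup box.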

Now I'm able to VPN to my home network from anywhere and access my systems at home securely using DD-WRT and OpenVPN. I've also setup the Network Manager applet for Gnome on my Ubuntu boxes to establish an OpenVPN connection to my router/firewall as well.

-steve

UPDATE [2/15/2008]: I received a couple of emails asking how to set up dd-wrt with service from Comcast. I personally don't use Comcast; however, I did successfully set up a dd-wrt for a friend who does.

First, you will need to get the MAC address of the computer that you originally set up your Internet connection with through Comcast. If it's a Windows system, open a command shell and type “ipconfig” on that same system. On Linux or a Mac, type 'ifconfig' from a terminal. Write down the MAC (or HWaddr) address. It will look something like 00:16:6F:12:34:56.

Next, go to the web management front-end for your dd-wrt device. Click on SETUP | MAC ADDRESS CLONE. Select “Enable”. Within the “Clone WAN MAC” field enter in the MAC address you jotted down from above. Save settings and reboot for good measure.

That should do the trick for you.

UPDATE [5/13/2008]: A weakness has been discovered in the random number generator used by OpenSSL on Debian and Ubuntu systems. Be sure to patch vulnerable systems. [link to advisory]

39 comments:

c said...

I like it and would probably have done the same, but I picked up a Cisco 851W pretty cheap a while back and now I can just use the same VPN client to home as I use for work.

Anonymous said...

Steve,

Forget it. I managed to figure it out. Nice blog.

Marv.

Steve Zenone said...

Hi Marv,

I'm glad you got it working. As you found out it's a simple change within the client OpenVPN config file. For example, just comment out the router directives and uncomment the "redirect-gateway' directive from the example in my blog post. For example:


-----SNIPPET FROM CLIENT OPENVPN.CONF FILE-----
#route remote_host 255.255.255.255 net_gateway
#route 10.5.1.0 255.255.255.0 vpn_gateway
#route 10.5.10.0 255.255.255.0 vpn_gateway
redirect-gateway
-----END SNIPPET-----

Thank you for your comments and reading my blog.

BTW: I also emailed this comment to your email address.

Regards,
Steve

Unknown said...

Thanks for the great writeup for a novice like me. I hate the entire routing vs bridging discussion, however per the dd-wrt wiki page:
http://www.dd-wrt.com/wiki/index.php/OpenVPN

They are setting up a bridge, whereas in your example you are using routing.

I don't really have a preference for either, however on my home LAN (the one with the ddwrt linksys server), there is a mixture of windows and ubuntu machines. I'd really like to have some type of access to all of them preferably.

Any suggestions??

Unknown said...

Steve

This is a very good writeup. I am very close to finishing my configuration, but I am having some issues connecting from the client.

I am not able to understand a few things, and have some questions.

1) Does this work on V24 SP1?
2) Under Initial Options you have mentioned server 10.5.10.0 255.255.255.0; is this your LAN subnet?
3) Under Initial Options you have ifconfig-pool-persist ipp.txt; do you have to define the same IP subnet or a new subnet and create a route for it?
4) Can I use port 443 instead of 1194? 1194 will be blocked in many places.
5) On routes you have remote_host 255.255.255.255 net_gateway
route 10.5.1.0 255.255.255.0 vpn_gateway

what does remote host, vpn_gateway and net_gateway refer to, do I need to define them some where.

Thanks in advance. Any suggestions greatly appreciated.

VJ

zonak said...

Hi Steve,

Excellent article, very useful. I am trying to achieve something slightly different but I hope you have my answers.

My first problem is that start-up scripts are not populating the respective files in /tmp. I just get an empty openvpn.conf and no key files. That is I guess an issue for later.

My major problem is the redirect-gateway problem. I am trying to have my dd-wrt to connect to a OpenVPN server and route all traffic through the VPN. Without the redirect gateway I can reach the network behind the OpenVPN server and I can go out to the internet, but if I start the client with this directive, I can only get to the network of the OpenVPN server and no access to outside, no internet. I tried also running something like:

iptables -t nat -A POSTROUTING -s 192.168.15.0/24 -o eth0 -j MASQUERADE

on the server, but to no effect. Any advice is appreciated.

Thanks,
zonak

Anonymous said...

Hi, I don't understand linux very well so I am having a difficult time with this. First off let me say that I've tried a bunch of tutorials and this is the only one that I managed to get an IP with, so good job.
But my issue is this: when it connects I get an IP 10.5.10.6 and a blank default gateway. I pretty much copied the client file word for word and I'm concerned that I might need to change the values of remote_host, net_gateway, and vpn_gateway. So similar to what Vijay has asked. Like I said, I'm not the smartest when it comes to this, so anything will help.

Steve Zenone said...

Zonak -- the problem you were running into may quite possibly be DNS related. Specifically, when you enable the redirect gateway, all traffic will go through the VPN tunnel, including all DNS lookups. It's likely that the DNS servers that you're using aren't allowing recursive lookups from whatever IP is on the other end of your VPN tunnel. Trust me -- I've seen this happen multiple times.

When I've run into this issue I've changed my client to use different nameservers, such as the ones provided by OpenDNS; 208.67.222.222 and 208.67.220.220. Else, use some other nameserver that you know is accessible and usable from the other end of your VPN tunnel.

Steve Zenone said...

Kevdog - I'm not completely clear on what you're asking. By using the OpenVPN/DD-WRT settings I wrote about, you will be able to VPN to your home Linksys/DD-WRT router from outside and access all of your internal computers. It doesn't matter if your home systems are windows, Ubuntu, Mac, or a wifi-enabled liquor bar ;-)

Steve Zenone said...

Vijay - as you can probably see, I'm knocking out a slew of comments here. My apologies for the delay. To answer your questions:

1. I have not done, but I have received feedback that this will work on V24 SP1.

2. The subnet 10.5.10.0/24 that I used in my example is the VPN net. By default, the VPN net is allowed to talk to the internal net. My Linksys/DD-WRT device will have an IP on the 10.5.10.0/24 subnet. My laptop running the OpenVPN client will also get an IP assigned on the 10.5.10.0/24 subnet once my VPN session authenticates.

3. The ifconfig-pool-persist option makes OpenVPN keep a list of certificate to IP relationships, so that a client connecting will typically get the same IP. You don't need to make any changes here.

4. Yes, you can use port 443 instead of the default 1194. You will need to change protocol to "proto tcp" and port to "port 443" on the server. You will also need to make the change in the client config file so that it knows to connect on port 443/tcp.

5. remote host, vpn_gateway and net_gateway are all variables that OpenVPN will automatically fill in for you. You don't need to change these.

I hope this does the trick for you.

Steve Zenone said...

Anonymous - I'm glad that this tutorial has already helped you make some progress. The fact that you're getting an IP (10.5.10.6) after you connect via OpenVPN is a very good sign. Send me your routing table (e.g., type `netstat -rn` in the shell prompt and send me the output).

You don't need to change remote_host, net_gateway, and vpn_gateway -- they're variables that OpenVPN will fill in for you automagically.

Anonymous said...

Steve

Thanks a lot -- I wish this blog were easier to find and stumble upon because it has really helped me.

I'm really a novice at setting up VPNs, however I wanted to pass my config files along for anyone else.

They allow for use of the DD-WRT firmware (currently I'm using Firmware: DD-WRT v24-sp1 (07/27/08) vpn).

Firewall:
/usr/sbin/iptables -I INPUT -p udp --dport 1194 -j ACCEPT
#/usr/sbin/iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE
/usr/sbin/iptables -I INPUT -i tun+ -j ACCEPT
/usr/sbin/iptables -I FORWARD -i tun+ -j ACCEPT


Server Config
cd /tmp

#Following Statements Needed for DD-WRT to establish TAP Bridge If You are Planning on Using Bridging
#openvpn --mktun --dev tap0
#brctl addif br0 tap0
#ifconfig tap0 0.0.0.0 promisc up

echo "
# Tunnel options
mode server # Set OpenVPN major mode
proto udp # Setup the protocol (server)
port 1194 # TCP/UDP port number

#Options Needed for VPN Bridging -- Make sure to create Virtual Bridge First
#dev tap0 # TUN/TAP virtual network device

#Options Needed for VPN Routing
dev tun
tun-mtu 1400
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
persist-key
persist-tun
#push "redirect-gateway def1 bypass-dhcp bypass-dns"
#push "dhcp-option DNS 10.8.0.1"

keepalive 15 60 # Simplify the expression of --ping
daemon # Become a daemon after all initialization
verb 3 # Set output verbosity to n
comp-lzo # Use fast LZO compression

#Cipher -- Cipher Variants
#DES-CBC 64 bit default key (fixed)
#IDEA-CBC 128 bit default key (fixed)
#RC2-CBC 128 bit default key (variable)
#DES-EDE-CBC 128 bit default key (fixed)
#DES-EDE3-CBC 192 bit default key (fixed)
#DESX-CBC 192 bit default key (fixed)
#BF-CBC 128 bit default key (variable) <--- Default OpenVPN cipher
#RC2-40-CBC 40 bit default key (variable)
#CAST5-CBC 128 bit default key (variable)
#RC5-CBC 128 bit default key (variable)
#RC2-64-CBC 64 bit default key (variable)
#AES-128-CBC 128 bit default key (fixed)
#AES-192-CBC 192 bit default key (fixed)
#AES-256-CBC 256 bit default key (fixed)
cipher AES-256-CBC

# OpenVPN server mode options
client-to-client # tells OpenVPN to internally route client-to-client traffic
duplicate-cn # Allow multiple clients with the same common name

# TLS Mode Options
tls-server # Enable TLS and assume server role during TLS handshake
ca ca.crt # Certificate authority (CA) file
dh dh2048.pem # File containing Diffie Hellman parameters
cert server.crt # Local peer's signed certificate
key server.key # Local peer's private key
tls-auth tls-auth.key 0 #TLS HMAC Authentication
" > openvpn.conf

echo "
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
" > ca.crt
echo "
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
" > server.key
chmod 600 server.key
echo "
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
" > server.crt
echo "
-----BEGIN DH PARAMETERS-----
-----END DH PARAMETERS-----
" > dh2048.pem
echo "
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
" > tls-auth.key

sleep 5
ln -s /usr/sbin/openvpn /tmp/myvpn
/tmp/myvpn --config openvpn.conf


Client Config
tls-client
client

#Following Option Needed for Ethernet Bridging
#dev tap

#Following Option Needed for VPN Routing
dev tun
tun-mtu 1400
redirect-gateway def1

proto udp
remote 67.177.126.122 1194
float
resolv-retry infinite
nobind
persist-key
persist-tun

#Cipher -- Cipher Variants
#DES-CBC 64 bit default key (fixed)
#IDEA-CBC 128 bit default key (fixed)
#RC2-CBC 128 bit default key (variable)
#DES-EDE-CBC 128 bit default key (fixed)
#DES-EDE3-CBC 192 bit default key (fixed)
#DESX-CBC 192 bit default key (fixed)
#BF-CBC 128 bit default key (variable) <--- Default OpenVPN cipher
#RC2-40-CBC 40 bit default key (variable)
#CAST5-CBC 128 bit default key (variable)
#RC5-CBC 128 bit default key (variable)
#RC2-64-CBC 64 bit default key (variable)
#AES-128-CBC 128 bit default key (fixed)
#AES-192-CBC 192 bit default key (fixed)
#AES-256-CBC 256 bit default key (fixed)
cipher AES-256-CBC

mute-replay-warnings
ca ca.crt
cert client1.crt
key client1.key
tls-auth tls-auth.key 1
ns-cert-type server
comp-lzo
verb 3


Everything seems to work for me, however I cannot verify (yet) that, for example, if I am connecting from outside the local LAN, I would be able to see computers that currently exist on the LAN. From what I was reading, I believe a few more parameters are needed on both the server and client config file. Perhaps you could shed some light on this!!

Unknown said...

Openvpn with routing working great but I sometimes receive this error:

Tue Oct 14 16:52:18 2008 Replay-window backtrack occurred [22]

Any ideas how I can correct this since it really slows down the vpn.

Steve Zenone said...

KevDog -- A backtrack value of 22 should normally be tolerable. If you want to tone the logging down, change the 'verb' value in the config. I don't recommend disabling replay protection (i.e., using the '--no-replay' flag).

Are you noticing packet drops?

BTW: Here's a relevant posting on the OpenVPN-users mailing list that may help: http://openvpn.net/archive/openvpn-users/2004-09/msg00068.html

If you decide you want to use a larger replay window, check out the manpage: http://openvpn.net/index.php/documentation/manuals/openvpn-20x-manpage.html -- most likely, the default replay window of 64 should suffice and not need any adjusting.

Steve Zenone said...

KevDog - I also wanted to thank you for posting your configs for v24-sp1! Good stuff!

Unknown said...

Steve

What I was noticing was particularly long dns lookups. In the client config file I edited the following line:

redirect-gateway def1 bypass-dns

I believe the addition of the bypass-dns flag, would bypass dns lookup via the openvpn gateway.

I know in some cases this may not be desirable, however the vpn connection does seem to be much "snappier". I wish there was a way for the linksys firmware to cache dns requests. If it is caching dns requests, then possibly my configuration is wrong.

Anonymous said...

Hi Steve,

GREAT BLOG! Thank you so much for the help...

I'm trying to setup a road-warrior access using my WRT-54G. All I need is to sit at a hotel or Starbucks someplace and have a secure way to reroute all my traffic through the VPN back to my home WRT-54G and out to the net from there. Both for security and privacy reasons. So your tutorial is perfect.

A couple of quick questions though:

1. Is it possible to set ports for this to use a port that is always open at any hotel etc.? I mean would I be stuck if the hotel or coffee shop I were at blocked 1194 or 443? Could I use port 80 or some other port and still be secure?

2. If setting up the firewall on the WRT-54G to open the port for open VPN, would that weaken the router security any?

3. I'm not familiar with a lot of the advanced settings for DD-WRT (for basic things like security, firewall etc.) I've hardened my WRT-54G using Linksys firmware before switching to DD-WRT. Can you post a "hardening DD-WRT" type tutorial, especially for IPTables?

4. Last one... Assuming someone sets up a VPN they believe works and routes everything securely and privately through to their home DD-WRT router and then out to the net from there, how can someone test this to ensure it works the way it's supposed to? Is there a "Shields Up" type service to test a VPN? I'm paranoid that a misconfiguration would give me a false sense of security, like using the local DNS versus the one through the VPN etc.

Sorry for the barrage and thanks.

Ric

Steve Zenone said...

Anonymous (Ric) -- I'm glad that the tutorial has helped you out. Anytime I connect to a public wireless access point I tunnel all of my traffic through my VPN connection. To answer your questions:

1. Yes, you can change the port and protocol OpenVPN uses. For example, in the server config you could use:

proto tcp
port 80

and on the client config you would, for example, use:

proto tcp
remote dyndns-hostname-or-ip-of-server 80

2. Opening up the firewall to ONLY allow VPN traffic inbound to the router/firewall has increased your risk...but only very slightly...and I emphasize *slightly*. If someone were to steal your VPN private cert they could then get through the firewall until you revoke the cert. The benefits obtained by punching a hole to only allow VPN traffic greatly outweigh the risks, in my opinion. If there was a zero-day exploit against, say, how OpenVPN authenticates, then an attacker could get in...unless a fix is released and you apply it before the attacker exploits your box. How likely is this to happen? Is the likelihood low? It should be low for you (you should be protecting your private certs and I don't anticipate a zero-day exploit anytime soon and I will patch if one is announced). To sum up, the risk is low and the pros outweigh any cons.

3. The guide that I wrote on setting up DD-WRT and OpenVPN does list steps to help improve the security of your DD-WRT device. As well, DD-WRT is fairly hardened by default. Deciding to broadcast SSID, filtering MACs, or use WPA vs. WPA2 are decisions you'll need to make. Disabling SSID won't prevent an attacker from obtaining the SSID, and some of your older devices might have a difficult time connecting without a SSID broadcast. WPA2 is my preferred choice, however, some older clients may not support WPA2...so WPA becomes the next logical choice. MAC address filters can be a real pain in the neck to manage if you have family and friends stopping by and wanting to connect to your wireless access point. For the most part, WPA will keep the cruft off your network. Filtering on MAC will give you some added confidence while requiring more of your time to administrate. It's a trade-off you'll need to make.

4. Whenever I want to test my VPN's routing, I'll do a couple of things:

First, you can check your routing table with 'netstat -rn' and see what the routes are. I won't get into interpreting the table.

Secondly, and perhaps more user friendly, you can use traceroute to see where the routes are going. For example, if you're routing all traffic through your VPN tunnel via the "redirect-gateway" option in the client config, I would do a "traceroute -n www.google.com" and make sure that the first hop is through my VPN tunnel and not Starbuck's TMobile gateway.

I hope that does the trick for you.
--Steve

Unknown said...

Steve

I'm not sure how you are adding or modifying your options. I'm using the Administration/Commands dialog box. I found that to actually enable forwarding for my vpn, I had to add the following line:
echo 1 > /proc/sys/net/ipv4/ip_forward


Do you find that you need to do this?

Steve Zenone said...

KevDog - In steps 10-12 I detail how the options are added to the ADMINISTRATION | COMMANDS section. I've had no need to add the ip_forward set to 1 on any of the dd-wrt installs that I've done because, by default, the value is already set to 1.

Unknown said...

I didn't know the default IP FORWARD chain was set to 1. Here are my firewall rules. I think I have a little bit of redundancy here:

iptables -I INPUT -p udp --dport 1194 -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o br0 -j MASQUERADE
iptables -I FORWARD 1 --source 10.8.0.0/24 -j ACCEPT

Anonymous said...

Hi all!!
My internet connection at work is "capped" (eSafe) through a router VPN.
My question is, can I create a 2nd vpn connection from one pc at work to go out through the router's vpn to an external vpn server (at home, for example)?
It's a vpn into another vpn.

I have a DSL PPPoE router and a WRT54gl at home.

Thanks!!

Anonymous said...

Hi Steve,

Thanks for your help in a previous post to "Anonymous (Ric)", it helped me out.

I set everything up and will be testing out the config from my folks' house.

In your reply you mentioned using the netstat command to make sure the tunneling is working. Do you mean netstat -aon and check that the connection is established with my vpn by looking at the foreign address (& port)?

How would I ensure that nothing else is using the local connection and all is being routed through the VPN? Would all processes be using that VPN port?

Sorry if the question seems dumb, just trying to understand.

Thanks again!!!

Ric

Steve Zenone said...

Ric wrote:
"In your reply you mentioned using the netstat command to make sure the tunneling is working. Do you mean netstat -aon and check that the connection is established with my vpn by looking at the foreign address (& port)?"

I was referring to using netstat to show the routing table. The routing table will be used by your client system to determine where traffic should go when leaving your system.

Based upon what I see in the routing table I then confirm that the traffic that's supposed to be going through the VPN indeed is by doing:

1. ping IPs that should only be accessible via VPN and observe the hops to confirm the path taken by the traffic

2. use tcpdump or some other tool to capture packets for confirmation that the traffic is being routed correctly. If my primary interface is eth0, I'll run tcpdump looking at that interface to make sure I don't see any non-VPN traffic going to the destination where traffic should be encrypted. Secondly, if the OpenVPN interface is tun0, I can also have tcpdump look at the traffic going through that interface to confirm traffic is going where I want it to.
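The routing-table check Steve describes here and in his earlier reply to Ric can be automated. The script below is an added example (not from the post or its commenters): it parses Linux `netstat -rn` output, does the same longest-prefix match the kernel does, and lists destinations that would leave on a non-tun interface. The two tables and the address 203.0.113.10 are constructed to match the post's 10.5.10.0/24 VPN net.

```python
"""Decide, from 'netstat -rn' output on the VPN client, which interface each
destination would leave on.  Added example, not from the post or its
commenters.  The two routing tables below are constructed: one for the post's
split-tunnel client config, one after 'redirect-gateway def1'.  203.0.113.10
stands in for the router's public address; 10.5.10.5 is the tunnel peer."""
import ipaddress
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    net: ipaddress.IPv4Network
    gateway: str
    iface: str


# Constructed: routes from the post's client config (10.5.1.0/24 and
# 10.5.10.0/24 via the tunnel), everything else via the local eth0 gateway.
SPLIT_TUNNEL = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
203.0.113.10    192.168.1.1     255.255.255.255 UGH       0 0          0 eth0
10.5.10.5       0.0.0.0         255.255.255.255 UH        0 0          0 tun0
10.5.10.0       10.5.10.5       255.255.255.0   UG        0 0          0 tun0
10.5.1.0        10.5.10.5       255.255.255.0   UG        0 0          0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 eth0
"""

# Constructed: the same client with 'redirect-gateway def1', which adds two /1
# routes that override the default route without deleting it, plus a host
# route so the encrypted packets to the VPN server itself still leave via eth0.
FULL_TUNNEL = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         10.5.10.5       128.0.0.0       UG        0 0          0 tun0
128.0.0.0       10.5.10.5       128.0.0.0       UG        0 0          0 tun0
203.0.113.10    192.168.1.1     255.255.255.255 UGH       0 0          0 eth0
10.5.10.5       0.0.0.0         255.255.255.255 UH        0 0          0 tun0
10.5.10.0       10.5.10.5       255.255.255.0   UG        0 0          0 tun0
10.5.1.0        10.5.10.5       255.255.255.0   UG        0 0          0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 eth0
"""


def parse_netstat(text: str) -> List[Route]:
    """Parse Linux 'netstat -rn' lines (Destination Gateway Genmask ... Iface)."""
    routes: List[Route] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 8 or not parts[0][0].isdigit():
            continue  # banner and header lines
        # Destination plus dotted Genmask gives the prefix; /0 is the default route.
        net = ipaddress.ip_network(f"{parts[0]}/{parts[2]}", strict=False)
        routes.append(Route(net, parts[1], parts[7]))
    return routes


def exit_interface(routes: List[Route], dst: str) -> Optional[str]:
    """Longest-prefix match, as the kernel does; None if no route covers dst."""
    ip = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for r in routes:
        if ip in r.net and (best is None or r.net.prefixlen > best.net.prefixlen):
            best = r
    return best.iface if best else None


def untunneled(table_text: str, destinations: List[str], vpn_server: str) -> List[str]:
    """Destinations whose traffic would bypass the tunnel.  The VPN server's own
    address is exempt: its host route must stay outside the tunnel, otherwise
    the tunnel would try to carry its own encrypted packets."""
    routes = parse_netstat(table_text)
    leaks = []
    for dst in destinations:
        if dst == vpn_server:
            continue
        iface = exit_interface(routes, dst)
        if iface is None or not iface.startswith("tun"):
            leaks.append(dst)
    return leaks


if __name__ == "__main__":
    probes = ["8.8.8.8", "200.1.1.1", "10.5.1.20", "203.0.113.10"]
    print("split tunnel leaks:", untunneled(SPLIT_TUNNEL, probes, "203.0.113.10"))
    print("full tunnel leaks: ", untunneled(FULL_TUNNEL, probes, "203.0.113.10"))
```

On a real client, feed it the live table with `untunneled(subprocess.check_output(["netstat", "-rn"], text=True), probes, server_ip)`; a non-empty list with redirect-gateway set means the tunnel is not catching everything.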

Anonymous said...

Is this an ideal solution to set up a VPN at my home where I store most files on a computer? I would like to connect when I am at my office and copy files, and synchronize files between the 2 computers over WAN. Is DD-WRT and Open VPN a good solution when running Windows XP?

Steve Zenone said...

Anonymous - In my opinion, running DD-WRT with OpenVPN is an effective low cost solution for secure remote access. Yes, OpenVPN is supported on XP.

Though you may have a secure remote access solution, do keep in mind that "good" security is a layered approach - there's no silver bullet that will reduce all risk to zero. That means running current and up to date anti-virus on your windows systems, using firewalls (e.g., a host based firewall for a laptop you take on the road), configuring your browser to be more "secure" (firefox w/ noscript addon, etc), hardening your wifi networks and not connecting to untrusted networks, not logging in as an admin user on your computers to do day-to-day activity, using strong passwords, and simply using common sense when surfing the web or clicking on links or attachments within emails.

Anonymous said...

Thanks Steven, exactly the answer I was looking for.

So it sounds like WRT54GL and DD-WRT are a good idea, I am going to purchase the router soon.

Would it be even more secure to run one of these on each end, at my home and at my office for added VPN security? Or will that not really make a difference?

I run Norton's Internet Security. Yes, I know it isn't the greatest but it does its job with minimal hands on activity so I am always up to date with anti-virus and firewall protection. I currently use WRT54G routers and they have been bullet proof. I once loaded up DD-WRT but didn't have the time to adjust and always play with it as it wasn't as stable as the regular Linksys firmware, so I will be hoping that DD-WRT is more stable on the WRT54GL.

About Firefox plugins, is there a way to enable and disable all plugins? I like to use certain plugins so I couldn't see disabling them all and not using any. Is there a secure way to use them safely? Or a way to enable and disable based on tasks you are doing?

When not using Administrator, do you simply create a new user account and give them Administrator access? I have fallen back to using Administrator always and have been curious on the best way to go about reverting back to using an actual user profile. Any feedback on that will be helpful.

Thanks!

Steve Zenone said...

Before installing the device at your office I’d review their policies to make sure you’re not violating any of them. Consult with the IT/Security/Policy people at your office.

Putting the VPN at work could potentially put your home and office at increased risk; for example, if you had a VPN connection established between home and the office, and a system on your home network were to be compromised, the attacker could then make their way through the VPN tunnel that’s already established between the two routers and attack systems at the office.

As for Firefox plugins -- it’s a good habit to look at the installed plugins and see which are active and how they’re configured. At a high level you can do this by looking at the add-ons through Firefox. At a lower level you can look at the add-ons on the filesystem. You can disable all plugins by starting Firefox in safe mode (‘firefox -safe-mode’).

Regarding the admin account - no, you do not want to create a new user account and give it admin privileges for doing your day-to-day activity. For example, imagine you’re logged in as user JOHNDOE, a user that you gave admin rights to. During the course of the day you get an email that has an attachment that you know you shouldn’t be clicking on, but you do. The attachment is actually malware that isn’t detected by your anti virus software. Since you are logged in as an admin, the malware will execute with admin privileges. The integrity of the system has been compromised. That’s bad.

Anonymous said...

Thanks for the details steve.

The office is actually my own, so I have an open port there and do not need to worry about the policies in that fashion.

My scenario is this:
The first computer is at the office which houses only live files that I work with on a regular or frequent basis. The second computer is at home and has older archived information and files that I may need to access at random, but not regularly.

I am hoping to manage a VPN so I can synchronize a folder on each of the 2 computers so the same data is at home, and the office at any given point. I would use a software like Vice Versa, or something similar.

Thanks for the tips on admin and another user. Looks like I will be creating a second user and limiting its access. Should I have a separate user account for VPN, separate from the admin and the new account I will be creating as well?

Steve Zenone said...

There are other commercial firewalls that offer support. However, you could definitely place a DD-WRT device at home to protect your home network, and another at your office to protect your office network. I personally wouldn't create a gateway-to-gateway VPN tunnel between the two. Rather, I'd set up OpenVPN on each DD-WRT device to allow inbound road warrior connections, as described in the blog posting. I would then install an OpenVPN client on your home and office systems with the appropriate VPN certs. You would then establish the VPN connection as needed and would have more control.

Anonymous said...

Thanks again.
I might buy the Linksys or an Asus with 8MB of RAM over 4MB.

Question, is using a VPN software/Service like Hamachi, LeafNetworks, or Remobo a secure alternative with less maintenance? Are these encrypted between peer to peer solely, or would I have to worry about the security of my data? Can these types of services be trusted safely with valuable data? I am going to give the DD-WRT a try, but I would like to have a simple software like this to fall back on. Thoughts?

Anonymous said...

Your post is great, I managed to get it working from within the local network, but cannot get it to work from outside. I can see it is connecting to 1194 by looking at the log in /var/log/messages on the dd-wrt device. It gets as far as saying it received the TLS initial packet from the client and nothing more. Seems like a routing problem such that the client never gets a response.

My routing table looks like:
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
10.5.10.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 br0
10.5.10.0 10.5.10.2 255.255.255.0 UG 0 0 0 tun0
24.28.0.0 0.0.0.0 255.255.224.0 U 0 0 0 vlan1
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 br0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 24.28.0.1 0.0.0.0 UG 0 0 0 vlan1

Thanks if you can help

Anonymous said...

Hi Steve,

Thanks for the great article! Using this article and other internet sources I managed to get OpenVPN and DD-WRT set up, however I still have some kinks to work out. I'm not too well versed in networking and haven't been able to connect from my Vista laptop to my DD-WRT router at home from the road...

In my setup I had the VPN use port 80, so that it'd be useful anyplace and not blocked. However I am questioning if this is sound.

In your experience, what would be the best port and protocol to use for road-warrior access to absolutely be able to connect?

I don't travel often, but wanted a reliable port that'd be useful at hotels, schools, coffee shops etc. I've heard that some of these places actually block the common VPN ports to prevent people from circumventing their network use policies or "encourage" them to use their service.

Thanks again,
-Ric

Mark Tarq said...

How has this been working for you? Is it stable? Can you do site to site VPN? I currently also want to consolidate my router, wap, and ipcop/openvpn to one unit and save power consumption!

Steve Zenone said...

Mark - this setup has been working flawlessly in the multiple environments where I have it set up. The devices have remained stable after setting wireless TX Power to 84 and overclocking frequency to 200 MHz. I also have two of the devices set up for site-to-site VPN. DD-WRT might be the low-cost green solution you're looking for!

Franz said...

Hi Steve,

The first really helpful configuration for a routed vpn I saw.

After endless unsuccessful retries to get openvpn working I'm very happy that I got it now.

Thanks a lot for this blog.

Best regards, Franz

Anonymous said...

Hi,

Do you know if there is a Linux-based OpenVPN-compatible router/modem with a RJ-11 port to establish the ADSL connection and to make SSL VPNs ? It doesn't matter if it has wireless or not.

Linksys WRT54GL Ver 1.1 works very well with openvpn but it needs another appliance to do the ADSL dialing.

I hope you can help.

Regards.
Leandro.

Unknown said...

Hi Steve

It seems that you'll make my day, because I've been looking for this kind of solution for quite some time now...

I have a Linksys WRT54GL and I want to connect it with my dyndns over an IPsec VPN connection. Is that possible with this solution? I use dd-wrt today and it doesn't support IPsec...

/regards Benny
