Overview
This tutorial will walk you through configuring an OpenVPN server on DD-WRT.
For my configuration I used a Linksys WRT1900ACS which had already been flashed to run DD-WRT (DD-WRT v3.0-r28788 std (01/13/16)) and configured to act as my home router.
Server Configuration
The setup is fairly straightforward; the first portion to be configured is the OpenVPN server itself under the Services tab, VPN sub-tab.
For my server setup I chose a network of 192.168.2.0/24 for my subnet, AES256 for my encryption cipher, and SHA512 for my hash algorithm. Obviously these settings will vary for your individual configuration. Note that when you change certain server parameters, matching changes need to be made to the client configuration (see Client Configuration section).
Under Advanced Options I elected to enable Redirect default Gateway which pushes all traffic from the client PC through the VPN. An alternate configuration would be to use a split tunnel and push specific routes to the client PC. I also changed my Tunnel MTU setting to 1500.
Be sure to click Save and/or Apply Changes when configuration is completed.
Of the two iptables rules listed under Firewall Changes, the first permits VPN traffic to interact with traffic on your LAN, and the second NATs traffic from your VPN out to the public web using your router's WAN interface. Once the rules have been added, click the Save Firewall button. Your router then needs to reload the firewall; this process may take up to a minute.
Figure 1
The only OpenVPN server configuration required in the large text fields is the addition of your Public Server Cert, CA Cert, Private Server Key, and DH PEM. There are several tutorials out there on how to generate these files (along with how to generate the necessary files for each of your clients).
This tutorial provides a great overview on how to generate the certificates using easy-rsa on Windows after installing the OpenVPN client for Windows.
This link is to Tunnelblick, an OpenVPN client for OS X with easy-to-access easy-rsa utilities included. You can follow the same steps for prepping and generating the certificates from the Windows tutorial.
Be sure to paste everything between (and including) the ---BEGIN--- and ---END--- lines in the cert/key files in the appropriate fields.
Figure 2
Firewall Changes
After the server portion is configured, some slight changes will need to be made to the DD-WRT router's firewall. These changes will be made under the Administration tab, Commands sub-tab. The following two rules will need to be added into the Commands box:
iptables -I FORWARD 1 -s 192.168.2.0/24 -j ACCEPT
iptables -t nat -I POSTROUTING 2 -s 192.168.2.0/24 -o eth0 -j MASQUERADE
Figure 3
Client Configuration
For a client to connect to the VPN server that was just configured, four files are required:
- ca.crt
- client1.crt
- client1.key
- client1.ovpn
The ca.crt file is the same one that was pasted into the DD-WRT server during the initial configuration. The client1.crt and client1.key files are generated with the same toolset used to create the server certificates, and the client1.ovpn file is created using a text editor (below).
The contents of the client1.ovpn file are below:
client
dev tun
proto udp
remote example.com 1194 # change this to your domain
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt # must match file name
key client1.key # must match file name
comp-lzo
remote-cert-tls server
cipher AES-256-CBC # must match server
auth SHA512 # must match server
auth-nocache
keysize 256 # must match server
tun-mtu 1500 # must match server
float
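As an added example (not part of the original post), the following Python script checks a client profile against the server-side values used in this tutorial, the directives marked "must match server" above, and confirms that remote-cert-tls server and the ca/cert/key references are present. SERVER_VALUES, parse_profile and lint_profile are names made up for this illustration, and BAD_PROFILE is a constructed sample.

```python
# Added example, not from the original post; all names are illustrative.
SERVER_VALUES = {"cipher": "AES-256-CBC", "auth": "SHA512",
                 "keysize": "256", "tun-mtu": "1500"}  # "must match server"

def parse_profile(text):
    """Map directive -> args, dropping # and ; comments (quoting not handled)."""
    directives = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            name, *args = line.split()
            directives[name] = args
    return directives

def lint_profile(text, server=SERVER_VALUES):
    """Return a list of findings; an empty list means the profile matches."""
    found = parse_profile(text)
    findings = []
    for name, expected in server.items():
        args = found.get(name)
        if args is None:
            findings.append(f"{name}: not set in profile (server uses {expected})")
        elif not args or args[0].upper() != expected.upper():
            value = args[0] if args else "<empty>"
            findings.append(f"{name}: client has {value}, server uses {expected}")
    if found.get("remote-cert-tls") != ["server"]:
        findings.append("remote-cert-tls: server certificate usage is not checked")
    for name in ("ca", "cert", "key"):  # files the profile must point at
        if not found.get(name):
            findings.append(f"{name}: no file referenced")
    return findings

# The tutorial's client1.ovpn, abbreviated to the directives being checked.
GOOD_PROFILE = """client
ca ca.crt
cert client1.crt # must match file name
key client1.key # must match file name
remote-cert-tls server
cipher AES-256-CBC # must match server
auth SHA512 # must match server
keysize 256 # must match server
tun-mtu 1500 # must match server
"""
# Constructed sample: two mismatches and no server-certificate check.
BAD_PROFILE = GOOD_PROFILE.replace("SHA512", "SHA1").replace(
    "tun-mtu 1500", "tun-mtu 1400").replace("remote-cert-tls server\n", "")

if __name__ == "__main__":
    print("\n".join(lint_profile(BAD_PROFILE)))
```

To check a real profile, pass the text of your own client1.ovpn to lint_profile and adjust SERVER_VALUES to whatever you selected on the DD-WRT server page.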
Conclusion
With all of this up and configured, you should be able to import the client settings into your OpenVPN client and connect up. If you have any questions, feel free to comment below.
This is a nice share about DD-WRT OpenVPN server configuration. Thanks for sharing details. I have just started using best vpn 2017 and it is extremely good. I had heard that VPNs make internet slow but personally I have not faced any problem with this service.