Set up an OpenVPN Server on your DD-WRT Router

  • Published 14 Feb 2021
  • Want to connect to your home network from anywhere? Find out how to do it securely on Windows or Linux using OpenVPN and the DD-WRT router firmware.
    Link to guide on dd-wrt forum:
    forum.dd-wrt.com/phpBB2/viewt...
    EasyRSA Download:
    github.com/OpenVPN/easy-rsa/r...
    OpenVPN Client Download:
    openvpn.net/community-downloads/
    Firewall config:
    iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o $(get_wanface) -j MASQUERADE
    Example Client Config (.ovpn file):
    client
    dev tun
    proto udp4
    remote your.host.address 1194
    nobind
    persist-key
    persist-tun
    remote-cert-tls server
    auth-nocache
    verb 4
    float
    tun-mtu 1500
    auth SHA256
    cipher AES-256-CBC
    data-ciphers CHACHA20-POLY1305:AES-256-GCM:AES-128-GCM:AES-256-CBC
    ca ca.crt
    cert laptop-client1.crt
    key laptop-client1.key

COMMENTS • 76

  • @iTzStick 2 years ago +6

    Whatever you do, DON'T add a password to your certificates. I have retried this tutorial multiple times with and without passwords, and every time I add a password it spits out "TLS key negotiation failed" in OpenVPN. It's not worth it to have a password on them. You just have to take extra good care of your certificates and don't share them or expose them to anyone.

    • @DevbaseMedia 2 years ago +1

      Thanks for this, I'm going to pin this comment :)

    • @rexsovelllejes9383 2 years ago

      But I want to add a username and password because winbox will not allow you to do so. I came from OpenWrt but I can't figure out how to set up OpenVPN with a username, so I am seeking another way, DD-WRT maybe.

    • @rexsovelllejes9383 2 years ago

      @DevbaseMedia How to do it, by the way? Thanks!

    • @iTzStick 2 years ago

      @rexsovelllejes9383 What you are talking about is a completely different thing. You can't put a username on certificates; you can only put passwords on them, as far as I know. The whole point of certificates is that the certificate IS your "username". If you wanna authenticate using usernames and passwords there wouldn't really be any reason to use certificates... well, except maybe a server certificate.

    • @rexsovelllejes9383 2 years ago

      @iTzStick I didn't mean to put a username on the certificate. I just wanted to use auth-user-pass so that I can use a username and password on the client side.

  • @Soandnb 2 years ago +1

    THANK YOU! That Firewall code was the last piece of the puzzle I needed! I had an OpenVPN setup on a basic Netgear firmware, but upgraded to DD-WRT since it supported more DDNS capabilities, but I got hung up on trying to configure this thing.

  • @CoolOrc0 2 years ago +3

    The best video ever. Forget all other 'tutorials'. I now have OpenVPN working like a charm. Thank you.

  • @hggird 3 years ago +4

    Man, I've been looking for this for almost 4 years, but nowhere was as detailed as here. Awesome, and it works! I love it! Finally!

  • @Ray-uc8ij 3 years ago +2

    Awesome tutorial bud. Was a breeze to set up my OpenVPN server. The only issue I had was that I am behind my service provider's router and they would not give me access to it, but they did put my personal DD-WRT router in a DMZ. Later on I found out through nmap that all UDP ports are blocked on my internet service, so I had to switch to the TCP protocol instead, which then worked like a charm.

  • @barrdack 1 year ago +3

    This is such a well done guide, easy to follow, worked on first try, well explained. I have been trying to configure it with no luck for so long it feels like cheating using your instructions. Thank you!

  • @GameplayORTutorials 2 years ago

    I've been trying to get my non-compatible router to connect to the internet for months and finally a video that helped, thank you so much

  • @svenkraker 3 years ago +1

    What a great video! Easy to follow, concise and superb narration.

  • @sander_bouwhuis 1 year ago +1

    This tutorial is FANTASTIC!

  • @desdaly7981 3 years ago

    Great tutorial. Got me up and running. Many thanks!

  • @ryangriggs5767 1 year ago

    Thanks for this clear and concise tutorial!

  • @makeitcloudy 2 years ago +3

    Fantastic tutorial, straightforward with very good narration. As it goes for DH parameters and ciphers... ARMv8 based devices have the AES-NI instructions within the CPU, so one can make use of the -GCM ciphers; for the ARMv7 based devices, CHACHA-POLY1305 brings some optimizations which can go hand in hand with the elliptic curve cryptography.
    Then you do not need to generate Diffie-Hellman at all, and leave it empty within the GUI, but add the following entries within the custom config:
    dh none
    ecdh-curve secp384r1
    It seems to apply starting with OpenVPN 2.4 and it should bring the TLS 1.3 along with more throughput over your tunnel, and optimizations towards the mobile devices.
    Cheers!

  • @Lyonfeather 3 years ago

    Awesome stuff. Great tutorial. Thank you very much.

  • @marbss 2 years ago

    Great tutorial. Thank you. Newer builds have "Allow Clients WAN access (internet)" option which might allow you to skip the firewall config iptables command.

  • @TamirGilany 3 years ago

    Awesome Tutorial, Thanks 👌

  • @jams1721 2 years ago

    Great tutorial dude! Really, thanks for that!

  • @TechMeOut5 3 years ago

    Excellent tutorial!

  • @Drakal12 9 months ago

    Thank you so much for this

  • @I3oris 2 years ago

    Excellent! Thank you!

  • @mudcfu 2 years ago

    Awesome, thank you

  • @jaypatel3233 2 years ago

    awesome thanks man..

  • @seanwdaniels 1 year ago

    Even over a year later this guide has made this process incredibly easy! ONE QUESTION: How would I go about allowing traffic between my OpenVPN clients and LAN? I'm trying to access one of my local servers, but can't.

    • @seanwdaniels 1 year ago

      Ivz actually answered this in another comment. Thank you very much!! "In dd wrt change the server mode to bridge (tap)"

  • @johnwelsby7638 2 years ago +3

    Hi, this is a great tutorial. I have followed it exactly, and I have successfully connected the OpenVPN server running on my DD-WRT router. But I cannot ping or access anything on the 192.168.1.x network or 10.8.0.x either. Am I missing something? I'm seeing error code 122 in OpenVPN GUI logs.

  • @wayneseymour1 1 year ago

    I would like to know if you can create on a repeater (my router is an Asus RT-AC68u) a VPN using DD-WRT that I can then add to my network, my main router is a TP-Link TL-WR840N?

  • @MrJonasjonaitis 2 years ago

    I got this working, but I can't connect to it from outside when the OpenVPN client is enabled on the dd wrt router, as it connects to a commercial VPN service. As soon as I disable the client, boom, remote connection works from outside of the home network. Any ideas how to get those two together?

  • @JuanRuiz-pc2oc 2 years ago

    Hello, great tuto, thank you. It only connects over LAN, I think something is wrong in my dd-wrt firewall, any idea?

  • @M1m1861 2 years ago +1

    Can you show us how to have both a server and client service running on the router at the same time and being able to VPN into your home router while on the road, for some reason I need to turn off my router (PIA) VPN client in order for me to connect to my home server VPN.

  • @fxstudioro 2 years ago +2

    Nice tutorial and it works great for Windows... but how do you add the ovpn config files to a Mac and Android... is there a way to include the cert and key in the ovpn file?

    • @carbar5867 2 years ago

      Yes, you can use inline directives. If you copy the .ovpn file template from the description, just delete the last 3 lines:
      "ca ca.crt
      cert laptop-client1.crt
      key laptop-client1.key"
      Instead of those three lines you can do this:
      <ca>
      COPY CA TEXT IN HERE
      </ca>
      <cert>
      COPY CERT TEXT IN HERE
      </cert>
      <key>
      COPY KEY TEXT IN HERE
      </key>
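
The single-file profile described in the reply above, as an added example that is not part of the original video or thread: a POSIX shell function that strips the `ca`/`cert`/`key` file references from the description's template and appends the inline blocks. The template name `client.ovpn`, the output name and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the video or thread): build a single-file client
# profile by replacing the ca/cert/key file references with inline blocks.

# Print only the PEM block; EasyRSA .crt files may carry a text dump above it.
pem_only() { sed -n '/-----BEGIN /,/-----END /p' "$1"; }

# emit_block TAG FILE -> writes the tagged inline block for FILE's PEM data
emit_block() {
    body=$(pem_only "$2")
    [ -n "$body" ] || { echo "no PEM data in $2" >&2; return 1; }
    printf '<%s>\n%s\n</%s>\n' "$1" "$body" "$1"
}

# build_inline_ovpn TEMPLATE CA CERT KEY OUT
build_inline_ovpn() {
    template=$1 ca=$2 cert=$3 key=$4 out=$5
    for f in "$template" "$ca" "$cert" "$key"; do
        [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
    done
    rm -f "$out"
    (
        # The profile embeds the private key, so create it owner-only.
        umask 077
        {
            # Drop the file-based directives that the inline blocks replace.
            grep -Ev '^[[:space:]]*(ca|cert|key)[[:space:]]' "$template" &&
            emit_block ca "$ca" &&
            emit_block cert "$cert" &&
            emit_block key "$key"
        } > "$out"
    ) || { rm -f "$out"; return 1; }
}

# Usage with the file names from the description's template (client.ovpn and
# laptop-client1.ovpn are assumed names):
#   build_inline_ovpn client.ovpn ca.crt laptop-client1.crt \
#       laptop-client1.key laptop-client1.ovpn
if [ "$#" -eq 5 ]; then build_inline_ovpn "$@"; fi
```

The generated file carries the client's private key, so move it to the phone or Mac over a channel you would trust with the key file itself.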

  • @gamerwolf5535 3 years ago

    Hey quick question, let's say I have an asus router or this linksys router (Both with the OpenVPN capability), would I be able to connect the first to the second and vice versa, while in different countries. It may be a silly question, but I just want to be safe before I buy a second router.

  • @QouteOfTheDay 2 years ago

    My dd-wrt router has the latest firmware but it doesn't have advanced options in OpenVPN server/daemon settings. Any idea what is wrong?

  • @vliba 1 year ago

    Help me please. How to open ca2.crt and Wdc.key certificates on Mac if I downloaded them from internet? I need to copy text.

  • @silentknight4611 1 year ago

    There's a lot of tutorials out there to create an OpenVPN server/daemon, but how would I set up a Start OpenVPN Client? I've got a VPS that hosts OpenVPN so I want to connect through it. Most guides I find online are not very helpful.

  • @JaydeepDave12 2 years ago +1

    Great video!! Thank you.
    Quick question: Can I set up a VPN Server on a router at my home (Canada), and connect to that VPN server using another router (VPN Client) from USA? My office laptop uses "Cisco AnyConnect" to connect to the company VPN, I want my network to "appear" like I am working from Canada!! Is it possible? (I hate these new rules).

    • @jdnoble8961 1 year ago

      I second this

    • @JaydeepDave12 1 year ago

      @jdnoble8961 It worked, I was working from “home” (India) for 4 months 😂

  • @eliasenns4928 2 years ago

    I can't find the OpenVPN option on my ddwrt router, there's only PPTP Server and PPTP Client options

  • @drumi1102 4 months ago

    Odd... my DDWRT router just reset itself back to factory settings after I applied that firewall rule... not fun...

  • @theviper90x13 2 years ago

    Can you demonstrate this setup via Windows instead of Linux?

  • @chriswparent 2 years ago

    The newest version of openvpn on ddwrt does not have dh.pem. And it has a static key, which isn't the pem. Any ideas what to do?

    • @carbar5867 2 years ago

      It does have it. Just above the public certificate text box there is an option to enable Advanced Settings. After you enable that there is another option at the bottom of the list that says "Use ECHD Instead of DH.PEM". Disable that option and the DH PEM field will show.

  • @KubuntuYou 2 years ago

    I followed this to the T but my server refuses to start.

  • @DaveCorrect 2 years ago +1

    Thanks for the great video!
    I would appreciate it if you could explain how to create an .ovpn out of the client .crt and .key for an Android phone, or if I could take a different path to use those 2 files in the OpenVPN app on my Android phone. Probably a video tutorial would be GREAT! Thanks!

  • @kevinch3 1 year ago

    I got stuck on the make-cadir step... on macOS

  • @DanielP0906 3 years ago

    Thankyou Thankyou Thankyou! I wish I found your tutorial 8 hours ago before I started the trainwreck of blindly trying to set this up on my router. When is Canada going to start commencing world domination? It would be a better place.

  • @user-zc5hs3hr2m 5 months ago

    Great Video and I have it working on almost all my devices now so thank you.
    Has anyone had any luck getting this to work on an iphone? Mine is asking me to share the cert / key files along with the config file simultaneously, however when I do that OpenVpn is not an option to share the files to. Maybe I just need to switch back to android.😄

  • @chen-taipeng4120 3 years ago

    Do I need to set iptables every time I reboot the router?

    • @jamespate83 2 years ago

      My router command window has a "save firewall" option

  • @csabatamas7245 1 year ago

    Hi! Anybody used this with WRT54GL router? I used this a new router and works fine then broke down. I did it with this old router and it doesn't work

  • @eduardolteanu5537 1 year ago

    How do you put a certificate like that one on an iPhone?

    • @eduardolteanu5537 1 year ago

      I found out, but I am having an error: TLS Error: TLS handshake failed

  • @santiagocastro4683 2 years ago

    I want to only access VPN LAN and not WAN, how do I set the VPN to only work with LAN traffic?

  • @mikemulders 3 years ago

    Great video, thanks a lot!!! Kudos for this guy!
    [Any idea?] :-P

    • @DevbaseMedia 3 years ago +1

      Glad you liked it. I'm honestly not quite sure, and just now realized I likely have the same issue since I have a few hardcoded names in my router's DNS config. The first place I'd look is at my connection parameters for my wifi or ethernet (on my laptop) - possibly set your dns server to your router address (assuming DNS is running on your router). Would only work once you are connected to the VPN of course

    • @mikemulders 3 years ago

      @DevbaseMedia No running pi-hole on a raspberry 3 and OMV with docker on RASP 4 with adguard (dhcp). So I did find a code somewhere to add to additional blabla of the VPN on DDWRT though my internet wasn't working via VPN anymore (LAN did)

    • @mikemulders 3 years ago +1

      I think but though not sure got a little tired after 10 hrs
      "serverfault.com/questions/318563/how-to-push-my-own-dns-server-to-openvpn"

  • @mohamadalsagheer6400 3 years ago

    Hi, thanks for the video... but there is one problem: why is Facebook not working after using OpenVPN?

    • @matthijsx2408 3 years ago

      Use this in commands and save it as firewall: iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o $(get_wanface) -j MASQUERADE

  • @RichardHart-nj1nj 1 month ago

    Great video! We have been using VPN with DDWRT for a year now. Can you please list the steps to revoke a client .crt in EASYRSA, since an employee left the company and I don't want to regenerate the entire key authority and generate new certificates. Also please indicate how to add revoked .crt to the Certificate Revocation List in DD-WRT. These added instructions will complete your tutorial for a fully functional VPN certificate Authority for DD-WRT!

    • @RichardHart-nj1nj 1 month ago

      So I found the solution to revoking certificates as follows:
      $ ./easyrsa revoke CLIENT_NAME
      $ ./easyrsa gen-crl
      Type yes when prompted.
      Copy the contents of the generated crl.pem file in the PKI directory (including BEGIN and END lines) to the DD_WRT->Services->VPN Certificate Revocation List and Apply Settings and Save.
      Done!

  • @ronaldtidwell8782 2 years ago

    Can you advise if I want the vpn client to be able to reach devices on the lan behind the vpn server, but not use the vpn for its default internet traffic?

    • @iTzStick 2 years ago

      In dd wrt change the server mode to bridge (tap)

    • @seanwdaniels 1 year ago

      @iTzStick THANK YOU!!

  • @esjksjksjsjkksksjsjk 3 years ago

    It’s easier on fresh tomato

  • @m.7567 1 year ago

    I hate this, this is for masochists. There should be a Download .ovpn File button like the stock firmware has.