Since I struggled a bit setting up OpenVPN on my router (Netgear r3700) running DD-WRT, I thought I'd write a short post explaining how I got it working.
When it comes to DD-WRT and OpenVPN, some of the information out there is outdated or simply incorrect for the latest DD-WRT builds. I'm currently running DD-WRT R31924 (released on 05-02-2017), which is a beta build. You can find beta builds for all available routers here.
First of all, you need a copy of OpenVPN on a PC so you can generate the necessary keys and certificates. I won't go into detail on how to do this; there are plenty of resources online, and you can start with this tutorial. That HowToGeek tutorial is used as the base reference for this blog post.
If you already have DD-WRT installed, skip to the chapter "Installing OpenVPN" and follow the instructions from there.
That tutorial, however, is outdated when it comes to the DD-WRT settings. In this post I will explain what is different in the latest DD-WRT builds.
The correct way to set up DD-WRT
In the HowToGeek tutorial's chapter "Configuring DD-WRT's OpenVPN Daemon", the image showing which cert and key file goes where is wrong. Below is the correct way to fill in these fields:
- Public Server Cert: the contents of server.crt
- CA Cert: the contents of ca.crt
- Private Server Key: the contents of server.key
- DH PEM: the contents of dh.pem
The additional config from the tutorial has also changed a bit. The only thing that still needs to be defined nowadays is the push route (note the straight double quotes; curly quotes pasted from a web page will break the config):
push "route 192.168.1.0 255.255.255.0"
Everything else is already set up by DD-WRT. Adding the rest of the additional config suggested in the HowToGeek tutorial will actually break things for you.
The default dev in DD-WRT's OpenVPN configuration is tun2, whereas the HowToGeek tutorial uses tun0. This is important to note, because it affects how you define your client configuration (client.ovpn in the HowToGeek tutorial) and the firewall commands in DD-WRT.
DD-WRT Firewall commands
Again, the HowToGeek tutorial is a little misleading when it comes to the firewall commands. It actually contains a couple of mistakes, such as using a single dash "-" for certain arguments. Long-form arguments (such as --source) must be prefixed with a double dash, not a single one. The single dash is only used for the abbreviated versions of the arguments (such as "-i" instead of "--in-interface").
Besides this, it is also missing an iptables command, which is crucial to make the LAN actually reachable from the separate subnet we use for the OpenVPN connection:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE
For your reference, the full set of firewall commands looks like this:
iptables -I INPUT 1 -p tcp --dport 1194 -j ACCEPT
iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT
iptables -I FORWARD 1 --source 10.8.0.0/24 -j ACCEPT
iptables -I FORWARD -i br0 -o tun2 -j ACCEPT
iptables -I FORWARD -i tun2 -o br0 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE
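To catch exactly these mistakes before pasting the commands into DD-WRT's firewall box, here is a small Python linter added for this post (it is not part of DD-WRT or the HowToGeek tutorial). It flags single-dash long options, tun devices other than the configured one (tun2 by default) and a missing MASQUERADE rule for the VPN subnet; the two embedded rule sets are constructed samples, the corrected set from above and a tutorial-style broken one.

```python
import shlex

# Long iptables options: with a single dash ("-source") iptables misreads them,
# which is one of the mistakes in the HowToGeek firewall commands.
LONG_OPTS = {"source", "destination", "dport", "sport", "protocol",
             "in-interface", "out-interface", "jump", "table", "insert", "append"}
IFACE_OPTS = ("-i", "-o", "--in-interface", "--out-interface")

def lint_firewall(commands, vpn_subnet="10.8.0.0/24", tun_dev="tun2"):
    """Return a list of problems found in DD-WRT firewall commands (empty = clean)."""
    problems = []
    has_masq = False
    for lineno, line in enumerate(commands.splitlines(), 1):
        argv = shlex.split(line, comments=True)
        if not argv or argv[0] != "iptables":
            continue
        for i, tok in enumerate(argv):
            if tok.startswith("-") and not tok.startswith("--") and tok[1:] in LONG_OPTS:
                problems.append(f"line {lineno}: '{tok}' needs a double dash ('--{tok[1:]}')")
            # Any tunN other than the configured dev is a leftover from an old tutorial.
            if tok in IFACE_OPTS and i + 1 < len(argv):
                dev = argv[i + 1]
                if dev.startswith("tun") and dev != tun_dev:
                    problems.append(f"line {lineno}: uses {dev}, but DD-WRT's OpenVPN dev is {tun_dev}")
        # The NAT rule the tutorial omits; without it LAN hosts have no route back to VPN clients.
        if {"-t", "nat", "POSTROUTING", "MASQUERADE", vpn_subnet} <= set(argv):
            has_masq = True
    if not has_masq:
        problems.append(f"missing: iptables -t nat -A POSTROUTING -s {vpn_subnet} -j MASQUERADE")
    return problems

# Constructed sample input: the corrected rule set from this post.
GOOD_RULES = """\
iptables -I INPUT 1 -p tcp --dport 1194 -j ACCEPT
iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT
iptables -I FORWARD 1 --source 10.8.0.0/24 -j ACCEPT
iptables -I FORWARD -i br0 -o tun2 -j ACCEPT
iptables -I FORWARD -i tun2 -o br0 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE
"""

# Constructed sample with the tutorial-style mistakes: single-dash long
# option, tun0 instead of tun2, and no MASQUERADE rule.
BAD_RULES = """\
iptables -I INPUT 1 -p tcp --dport 1194 -j ACCEPT
iptables -I FORWARD 1 -source 10.8.0.0/24 -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
"""
```

Run `lint_firewall(GOOD_RULES)` for an empty list and `lint_firewall(BAD_RULES)` for the three findings; pass a different `tun_dev` or `vpn_subnet` if your build or server config uses other values.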
That’s all. Happy networking!