DD-WRT and OpenVPN – Working finally!

Finally!  I started fiddling with OpenVPN two years ago and put it aside until last week.

Real quick, OpenVPN is an open source virtual private network (VPN) solution.  It uses SSL technology to encrypt a tunnel from one internet location to another internet location.  DD-WRT is an alternative firmware available for a bunch of routers.  With DD-WRT, the router runs a watered down flavor of Linux.  Apps meant for full size Linux have been ported to run on the router, like OpenVPN.

I gave up on OpenVPN two years ago because I wasn’t a routing expert.  I’m still not a routing expert.  But I know how to google and I guess maybe I’m a better problem solver, since I passed calculus 1 and 2 (and heck, stats too).  Two years ago I figured I’d use PPTP.  It’s not an ideal solution since it can be easily hacked.   The setup time for PPTP was insanely low – turn on the option, add some users, and you’re done!

This time, I was HIGHLY motivated to get OpenVPN working.  Now and then I visit a network location which provides wireless but has a lot of stuff locked down.  For example, I can’t send email out over their network unless I use their SMTP server (makes sense, limits spammers).  I also want to be able to access the network at our house, get to file shares, etc.  PPTP worked, but it was blocked at this one particular network.  I tried to find out if the ports could be switched.  It didn’t seem possible using the Windows PPTP client.  OpenVPN was now an option again.

First, pick a port.  I like 443.  It’s the browser’s SSL port.  I’m not running SSL on my web server so I don’t mind using 443 for vpn.  You will need to install OpenVPN on the “server” (for me, it was my Linksys WRTSL54GS router).  You will also need to install an OpenVPN client on your client machine(s).  I went with the GUI option.  You will need to set up the keys and certificates.  I ended up using the easy-rsa utilities provided in the Windows OpenVPN client.  I set up the keys and copied them to the proper spots (both server and client get certain files).  Follow the easy-rsa key tutorial on openvpn.net.

Things get rather tricky from here on out. OpenVPN allows you to set up a routed tunnel or a bridged tunnel.  The bridge is a bit chatty since it sends ALL data back and forth (including broadcast traffic on the LAN), while the routed version just sends targeted TCP/IP traffic.  I went with bridged and my config files reflect it.  You will need to set up config files for both the client and server.  They have to be in tune with each other.  You can’t mix and match with what you find out on the internet.  Here’s what I used for my client:

# Address of the OpenVPN server and the port it listens on (see the server config).
remote [Your external IP address or domain name] 443

client
# Bridged mode uses a tap device; it must match "dev tap0" on the server.
dev tap0
proto udp
resolv-retry infinite
nobind
persist-key
persist-tun
float
# Send ALL traffic (not just home network traffic) through the tunnel.
redirect-gateway

ca ca.crt
cert client1.crt
key client1.key

# Only accept a certificate that was issued as a server cert.
ns-cert-type server

comp-lzo

# Set log file verbosity.
verb 3

The server config file looks like this:

mode server
proto udp
port 443
dev tap0
# server-bridge <server IP> <netmask> <first client IP> <last client IP>
server-bridge a.b.c.d a2.b2.c2.d2 a3.b3.c3.d3 a4.b4.c4.d4
# Hand the clients a DNS server (here, the router itself).
push "dhcp-option DNS a.b.c.d"

keepalive 10 120
daemon
verb 3
# Let connected clients see each other.
client-to-client
dh dh1024.pem
ca ca.crt
cert server.crt
key server.key

comp-lzo

You will need to update some of the a.b.c.d’s with your IP addresses.  Here’s what you will need:

a.b.c.d = The IP address of the vpn server

a2.b2.c2.d2 = The netmask for the a.b.c.d IP address.  If you are using 192.168.1.1, then 255.255.255.0 would go here.

a3.b3.c3.d3 and a4.b4.c4.d4 = An IP range that OpenVPN can use to give to the client.  When a client connects to your VPN, it will get an IP from this range.  Note, this range should NOT be in conflict with any of your DHCP servers (if you are not using DHCP, you don’t need to worry then).
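Getting the server-bridge line wrong (pool outside the LAN subnet, pool overlapping the router’s DHCP range) is the usual reason a bridged client gets an address but can’t reach anything.  Here is a small POSIX sh checker I’m adding as an example (not part of the original post or of OpenVPN); the sample addresses are made up, and the DHCP range you pass in is whatever your router’s DHCP settings say.

```shell
#!/bin/sh
# Convert a dotted quad to an integer so we can do subnet math in plain sh.
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( a * 16777216 + b * 65536 + c * 256 + d ))
}

# check_bridge_pool <server ip> <netmask> <pool start> <pool end> <dhcp start> <dhcp end>
# Returns 0 when the pool is usable for "server-bridge", 1 (with a reason) otherwise.
check_bridge_pool() {
    srv=$(ip2int "$1"); mask=$(ip2int "$2")
    ps=$(ip2int "$3");  pe=$(ip2int "$4")
    ds=$(ip2int "$5");  de=$(ip2int "$6")
    net=$(( srv & mask ))

    # The pool must be an ordered range.
    [ "$ps" -le "$pe" ] || { echo "pool start is after pool end" >&2; return 1; }

    # Both ends must sit inside the bridge's own subnet, or bridged clients
    # get an address nothing on the LAN will answer.
    [ $(( ps & mask )) -eq "$net" ] && [ $(( pe & mask )) -eq "$net" ] \
        || { echo "pool is not inside the server's subnet" >&2; return 1; }

    # The server address itself must not be handed out to a client.
    [ "$srv" -lt "$ps" ] || [ "$srv" -gt "$pe" ] \
        || { echo "pool contains the server address" >&2; return 1; }

    # The pool must not overlap the LAN DHCP range (the conflict noted above).
    [ "$pe" -lt "$ds" ] || [ "$ps" -gt "$de" ] \
        || { echo "pool overlaps the DHCP range" >&2; return 1; }
    return 0
}

# Example (constructed values): router at 192.168.1.1/24, DHCP hands out .100-.150,
# VPN clients get .200-.220 -> prints the server-bridge line to paste into the config.
if check_bridge_pool 192.168.1.1 255.255.255.0 192.168.1.200 192.168.1.220 192.168.1.100 192.168.1.150; then
    echo "server-bridge 192.168.1.1 255.255.255.0 192.168.1.200 192.168.1.220"
fi
```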

You may need to tweak the paths for the keys in both the client and server files.

Just when you think it’s almost over, there’s more!  You have to set up routing on the server.  Here’s the script I used to set up my routing on my Linksys router:

#!/bin/sh

# Create the tap0 device and add it to the LAN bridge (br0) so VPN clients
# look like they are plugged into the LAN.
/opt/sbin/openvpn --mktun --dev tap0
brctl addif br0 tap0
ifconfig tap0 0.0.0.0 promisc up

# Allow traffic from the tunnel and allow the OpenVPN port in from the outside.
iptables -A INPUT -i tap0 -j ACCEPT
iptables -I INPUT -p udp --dport 443 -j ACCEPT

# NAT VPN client traffic out the WAN interface (eth1 on this router).
iptables -A POSTROUTING --table nat -o eth1 -j MASQUERADE

# Start the server with the config shown above.
openvpn [path to your server.config file]

The only things you have to change in the above script are the path to openvpn, the server config file, and the port number if you are not using 443. I use the script above to launch OpenVPN.  There was one catch to this script:  I launch it from the startup script in the DD-WRT menu.  For some reason, if you have the firewall enabled, the firewall takes a bit of time to start up and will overwrite these settings.  So I added the sleep command (went with 60 which should work) followed by the command to run this script.

If you are going to do this with your router, make a backup!  Heck, print out all the config screens (or the ones you know you modified), BEFORE you make any changes.  I finished getting everything working and started fiddling with the firewall and something went terribly wrong and the router wouldn’t route traffic to the internet.  Everything I tried wouldn’t fix it so I ended up having to reset the router.

With this setup, I can connect from just about any network to my home network.  Plus, my internet gets routed through my home machine, which yes, isn’t fast, but it is secure.  I can be on a hostile network and know my banking and browsing is safe.  Plus, a lot of networks block ports and now I can wiggle around those restrictions.
