[note: this post was written in Feb, 2008, and used the current-at-the-time version of dd-wrt. Â My router has been working for almost 4 years, so I haven’t repeated the process from the beginning with the latest version. The information below may or may not be 100% accurate with the current version.]
I needed an inexpensive but flexible VPN solution.Â Inspired by some blog posts and podcasts (linked below), I looked into changing the firmware on my Linksys router.Â The firmware I found is the open source DD-WRT.Â I am by no means a Linksys or DD-WRT expert.Â I’m just someone who managed to muddle through things on my own.Â Some steps I got right the first time, and some took a couple of tries.Â This post, and my explanations and experiences, are one contribution back to the community.Â I hope they help!
According to the DD-WRT list of supported hardware, my current router (a WRT54GS v5) won’t work.Â So I picked up a Linksys WRT54GL from Amazon, and went to work.Â Again, make sure you get the GL version.
I installed DD-WRT v23 SP2 VPN, generic version, using Internet Explorer (apparently there is sometimes a timeout issue with FireFox when uploading the firmware).Â At the time of this post, this is the most recent stable version.Â There are several editions of DD-WRT, so make sure you get the VPN version.Â The generic edition is the one to use for the WRT54GL router.Â You can check their download section to look for a different edition, or see if there is a more recent version.
On a fresh, out of the box router, installation was a snap.Â I simply logged in to the web interface, uploaded the new firmware and rebooted the router.Â I did not need to use the mini version first, since I have a WRT54GL v1.1 (you can check your version on the bottom of the router).Â The older models apparently have a 2MB limit on the upload file size, and the DD-WRT file is 3+MB.Â There is no such limitation on v1.1 and above WRT54GL routers, so if you have one of these, you can upload the full version right away.
After making sure I could access the Internet through the router, the fun began–setting up the VPN.
To enable the VPN on the router, log in to the web interface and go Administration >> Services.
Scroll down to the OpenVPN section and select Enable.Â On my installation, I accepted the default port, protocol and TUN settings.Â Scroll to the bottom of the page, and save the settings.Â A reboot of the router wouldn’t be a bad idea.
DD-WRT implements OpenVPN, which is great but also means setup instructions are spread over several websites.Â There are a couple configurations you can use–Server Mode with Static Key (which is simpler to set up, but only allows a single VPN connection), and Server Mode With Certificates, which is a little more complicated but allows multiple simultaneous connections.Â I chose Server Mode with Certificates, since I need multiple connections.Â The formatting on the wiki page makes following the tutorial a little confusing, so I’ll try to guide you through the steps.Â There is some bouncing around to several sites during the configuration, which can get a little confusing, too.
Before you do anything else on the router, go to http://openvpn.net/ and download the OpenVPN client.Â You need to install the client in order to generate the certificates needed during the router configuration.Â Since I’m a Windows user, I downloaded the OpenVPN GUI for Windows (this is a separate site from the OpenVPN site, and the download is all you need from this site).Â Look for the Installation Package under the Stable downloads.Â Run the installer and let it do its thing.Â You may be prompted that an adapter has not passed Windows testing–in this instance, that’s OK, go ahead and install it.
Once the client is installed, you need to generate at least three sets of keys and certificates and one set of encryption parameters to ensure your VPN’s security.Â All the utilities you need are installed with the OpenVPN GUI client.Â Before we generate any keys, I’ll explain what they do.Â Also, configuring the VPN causes the router to reboot at one point, so it’s a good idea to do this when no one is connected.
The full instructions for generating the certificates and keys you need are on the OpenVPN site at http://openvpn.net/howto.html#pki.Â Once you complete the section for generating the certs and keys, you’re done with their site.
Important!Â When you generate your certs and keys, you’ll be prompted to enter some variables.Â In some cases, this information needs to be the same for all certs and keys, and some variables need to be different.Â Pay attention to the variables for each set of certs and keys!
I recommend editing the vars.bat file to make life a little easier.
Now is the time to start generating your certs and keys.Â Follow the instructions (linked above), but read through the commentary below for each cert before actually creating it.
You’ll be acting as your own Certificate Authority, so you need to generate a CA certificate and a CA key, which are used to sign each of the subsequent certificates and keys.Â Having the same CA signature on the client and the server means both keys were generated by the same person, and is the top level of trust between the server and the client.Â You need to keep the CA cert and key a secret, and you need to be sure to securely archive a copy of each so you can create additional certs and keys in the future.Â You’ll install the CA cert (but not the key) on the router, and use it to sign any future client keys.Â If you edited the vars.bat file, when you generate the cert and key, you only need to enter the Common Name variable.Â You can make this whatever you like, but I suggest using something recognizable such as your business name or your name.
The next certificate and key are for the server.Â These both will also be installed on the router.Â For this pair, when you are prompted to enter the Common Name, enter something like “server”.Â Also, be sure to sign and commit the certificate.
For each client you want to connect to the VPN, you’ll need to generate a certificate and key.Â These will not be loaded onto the server–instead, you’ll copy one set to each client.Â Client sets are the only ones you’ll generate multiple ones of.Â For each client cert/key pair, enter a different Common Name for each (such as “client1”, “client2”, etc).
Since certificates need to be exchanged over the open Internet, we’ll need a little additional cryptography to ensure they are secure.Â OpenVPN uses Diffie-Hellman as part of the key exchange.Â These will be loaded onto the server.Â There are no additional variables to enter for these.
Once the certs and keys have been generated, pick up in the Server Configuration steps of Server Mode with Certificates section of the DD-WRT site.Â The next few paragraphs flow along with the instructions there.Â Read their instructions, then read my comments below before doing anything.
Step 2 & 4: Copy the sample rc_startup script into a text editor, and insert the ca.crt, server.key, server.crt and dh1024.pem where indicated (you’ll find the keys and certs at c:\program files\openvpn\easy-rsa\keys).Â I also had to change the last line of the script to the workaround shown.Â After I had set everything up, I couldn’t keep the VPN connection open, and this workaround fixed the problem.Â If you changed the port or protocol when you enabled the VPN service, you need to make sure the changes are reflected in this script, too.
Once you’ve inserted the proper keys and certs, log in to the web interface and navigate to the Commands tab.Â On a new installation, you should not have any saved commands, so all you need to do is copy the rc_startup script into the box and click the Save Startup button.
Step 3-5:Â On a fresh installation, you won’t have a saved rc_firewall command.Â Copy the one shown, and save the firewall script the same way.Â Reboot the router, if it doesn’t happen for you.
Step 6: You can use the DOS telnet command to access the router and execute the shell command.Â Simply go to a command window, and type “telnet 192.168.1.1”.Â Log in, and execute the “ps | grep openvpn”.Â This command searches the stack of recently executed instructions and prints them to the screen.Â You should see a couple of commands show up, indicating OpenVPN has been called, and is therefore running.
Once the server is configured, follow through the Client Configuration section (at this time, only three steps and a short explanation).Â Copy a client key and cert pair to the config folder (C:\Program Files\OpenVPN\config), as well at the ca.crt, and save the config file to this same folder.Â Name the file whatever you want, but the extension should be .ovpn.Â Make sure you put in the proper IP address to your router, and enter the right file names for the CA cert and client cert/key.Â Â You should now be able to connect to your VPN–just remember to try it from outside your LAN!Â Start the OpenVPN Gui client from the Start menu, and it will appear in the taskbar, down by the clock.Â Right-click on the icon and choose Connect.
If you don’t have a static IP address, you might want to look into a dynamic DNS service, such as DynDNS.org (see link below).Â You can set up a free account, and choose a custom subdomain.Â You can configure the DD-WRT software to update the DynDNS records every time your IP changes.Â This way, you only need to configure a DNS name in the config file, and you can always access your system.
OpenVPN GUI has a console where you can see what’s going on.Â I ran into a couple problems with my VPN.
If the connection is made and drops repeatedly, make sure you use the workaround in the rc_setup script (replacing the last line with the two indicated below the script).
If you can connect to the VPN, and an ipconfig /all shows you have an IP address from the VPN server, but you can’t access anything inside your network, it might be your local router.Â My old home router prevented me from accessing any of the remote resources.