Turning a Linksys WRT54GL Router Into a VPN Server

[note: this post was written in Feb, 2008, and used the current-at-the-time version of dd-wrt.  My router has been working for almost 4 years, so I haven’t repeated the process from the beginning with the latest version. The information below may or may not be 100% accurate with the current version.]

I needed an inexpensive but flexible VPN solution.  Inspired by some blog posts and podcasts (linked below), I looked into changing the firmware on my Linksys router.  The firmware I found is the open source DD-WRT.  I am by no means a Linksys or DD-WRT expert.  I’m just someone who managed to muddle through things on my own.  Some steps I got right the first time, and some took a couple of tries.  This post, and my explanations and experiences, are one contribution back to the community.  I hope they help!

According to the DD-WRT list of supported hardware, my current router (a WRT54GS v5) won’t work.  So I picked up a Linksys WRT54GL from Amazon, and went to work.  Again, make sure you get the GL version.

I installed DD-WRT v23 SP2 VPN, generic version, using Internet Explorer (apparently there is sometimes a timeout issue with FireFox when uploading the firmware).  At the time of this post, this is the most recent stable version.  There are several editions of DD-WRT, so make sure you get the VPN version.  The generic edition is the one to use for the WRT54GL router.  You can check their download section to look for a different edition, or see if there is a more recent version.

On a fresh, out of the box router, installation was a snap.  I simply logged in to the web interface, uploaded the new firmware and rebooted the router.  I did not need to use the mini version first, since I have a WRT54GL v1.1 (you can check your version on the bottom of the router).  The older models apparently have a 2MB limit on the upload file size, and the DD-WRT file is 3+MB.  There is no such limitation on v1.1 and above WRT54GL routers, so if you have one of these, you can upload the full version right away.

After making sure I could access the Internet through the router, the fun began–setting up the VPN.

To enable the VPN on the router, log in to the web interface and go Administration >> Services.

Scroll down to the OpenVPN section and select Enable.  On my installation, I accepted the default port, protocol and TUN settings.  Scroll to the bottom of the page, and save the settings.  A reboot of the router wouldn’t be a bad idea.

DD-WRT implements OpenVPN, which is great but also means setup instructions are spread over several websites.  There are a couple of configurations you can use: Server Mode with Static Key (which is simpler to set up, but only allows a single VPN connection), and Server Mode with Certificates, which is a little more complicated but allows multiple simultaneous connections.  I chose Server Mode with Certificates, since I need multiple connections.  The formatting on the wiki page makes following the tutorial a little confusing, so I’ll try to guide you through the steps.  There is some bouncing around to several sites during the configuration, which can get a little confusing, too.

Before you do anything else on the router, go to http://openvpn.net/ and download the OpenVPN client.  You need to install the client in order to generate the certificates needed during the router configuration.  Since I’m a Windows user, I downloaded the OpenVPN GUI for Windows (this is a separate site from the OpenVPN site, and the download is all you need from this site).  Look for the Installation Package under the Stable downloads.  Run the installer and let it do its thing.  You may be prompted that an adapter has not passed Windows testing; in this instance, that’s OK, go ahead and install it.

Once the client is installed, you need to generate at least three sets of keys and certificates and one set of encryption parameters to ensure your VPN’s security.  All the utilities you need are installed with the OpenVPN GUI client.  Before we generate any keys, I’ll explain what they do.  Also, configuring the VPN causes the router to reboot at one point, so it’s a good idea to do this when no one is connected.

The full instructions for generating the certificates and keys you need are on the OpenVPN site at http://openvpn.net/howto.html#pki.  Once you complete the section for generating the certs and keys, you’re done with their site.

Important!  When you generate your certs and keys, you’ll be prompted to enter some variables.  In some cases, this information needs to be the same for all certs and keys, and some variables need to be different.  Pay attention to the variables for each set of certs and keys!

I recommend editing the vars.bat file to make life a little easier.

Now is the time to start generating your certs and keys.  Follow the instructions (linked above), but read through the commentary below for each cert before actually creating it.

You’ll be acting as your own Certificate Authority, so you need to generate a CA certificate and a CA key, which are used to sign each of the subsequent certificates and keys.  Having the same CA signature on the client and server certificates means both were issued by the same authority (you), and is the top level of trust between the server and the client.  You need to keep the CA cert and key a secret, and you need to be sure to securely archive a copy of each so you can create additional certs and keys in the future.  You’ll install the CA cert (but not the key) on the router, and use the CA key to sign any future client certs.  If you edited the vars.bat file, when you generate the cert and key, you only need to enter the Common Name variable.  You can make this whatever you like, but I suggest using something recognizable such as your business name or your name.

The next certificate and key are for the server.  These both will also be installed on the router.  For this pair, when you are prompted to enter the Common Name, enter something like “server”.  Also, be sure to sign and commit the certificate.

For each client you want to connect to the VPN, you’ll need to generate a certificate and key.  These will not be loaded onto the server; instead, you’ll copy one set to each client.  The client pair is the only one you’ll generate more than once.  For each client cert/key pair, enter a different Common Name (such as “client1”, “client2”, etc).

The last file to generate is the Diffie-Hellman parameters (the dh1024.pem file).  OpenVPN uses Diffie-Hellman as part of the key exchange that protects each session across the open Internet.  This file is loaded onto the server only.  There are no additional variables to enter for it.
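Here is the same three-tier PKI built from the command line, as an added example that is not part of the original post, DD-WRT or easy-rsa: plain openssl stands in for the easy-rsa batch files, the output directory and the Common Names (“Example Home CA”, server, client1, client2) are constructed for the demo, and the foreign CA exists only to show what the trust check rejects. It produces the CA pair, the server pair, one pair per client and the DH parameters, then verifies the property the post relies on: every leaf certificate chains to your own ca.crt, and the client Common Names are distinct.

```shell
#!/bin/sh
# Added example (not from the post, DD-WRT or easy-rsa): build the PKI the
# post describes with plain openssl, then verify it the way the VPN endpoints
# will. Directory names and CNs below are constructed for the demo.
set -eu

# Issue a cert/key pair for CN, signed by the CA already in DIR (the
# easy-rsa build-key / build-key-server step). The CSR is removed once signed.
issue_cert() {
    dir="$1"; cn="$2"
    openssl req -newkey rsa:2048 -nodes -keyout "$dir/$cn.key" \
        -out "$dir/$cn.csr" -subj "/CN=$cn" 2>/dev/null
    openssl x509 -req -in "$dir/$cn.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 3650 -out "$dir/$cn.crt" 2>/dev/null
    rm -f "$dir/$cn.csr"
}

# Build the whole set into DIR. Only ca.crt, server.crt, server.key and the
# DH file go to the router; ca.key stays offline with you.
build_pki() {
    dir="$1"; mkdir -p "$dir"
    # 1. Self-signed CA: the root of trust between router and clients
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -keyout "$dir/ca.key" \
        -out "$dir/ca.crt" -subj "/CN=Example Home CA" 2>/dev/null
    # 2. Server pair
    issue_cert "$dir" server
    # 3. One client pair per client, each with its own CN
    for c in client1 client2; do issue_cert "$dir" "$c"; done
    # 4. DH parameters for the server. -dsaparam keeps generation fast for the
    #    demo; for the router, plain "openssl dhparam 1024" gives the post's dh1024.pem
    openssl dhparam -dsaparam -out "$dir/dh1024.pem" 1024 2>/dev/null
}

# Print the Common Name of a certificate.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed 's/^subject=//; s/.*CN=\([^,]*\).*/\1/'
}

# Does CERT chain to CA? This is the check router and client each perform on
# the other's certificate during the TLS handshake.
verify_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Every client*.crt in DIR must carry a different CN: by default OpenVPN treats
# a second connection with the same CN as a reconnect of the first.
client_cns_unique() {
    all=$(for f in "$1"/client*.crt; do cert_cn "$f"; done)
    [ "$(printf '%s\n' "$all" | wc -l | tr -d ' ')" -eq \
      "$(printf '%s\n' "$all" | sort -u | wc -l | tr -d ' ')" ]
}

# A client certificate from some other CA: well-formed, same CN, but it must
# fail verification against your ca.crt. Prints the path of the cert.
make_foreign_client() {
    other="$1/foreign"; mkdir -p "$other"
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -keyout "$other/ca.key" \
        -out "$other/ca.crt" -subj "/CN=Someone Else CA" 2>/dev/null
    issue_cert "$other" client1
    printf '%s\n' "$other/client1.crt"
}

# Usage: sh openvpn_pki.sh ./keys
main() {
    build_pki "$1"
    for n in server client1 client2; do
        verify_cert "$1/ca.crt" "$1/$n.crt" && echo "$n.crt (CN=$(cert_cn "$1/$n.crt")) chains to ca.crt"
    done
    client_cns_unique "$1" && echo "client CNs are distinct"
    foreign=$(make_foreign_client "$1")
    verify_cert "$1/ca.crt" "$foreign" || echo "a client signed by another CA is rejected"
}
[ "$#" -gt 0 ] && main "$@"
```

The verify step is worth running before anything is copied to the router: a client certificate that does not chain to the ca.crt you install there will never connect, and a reused Common Name shows up here rather than as a mysterious disconnect later.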

Once the certs and keys have been generated, pick up in the Server Configuration steps of Server Mode with Certificates section of the DD-WRT site.  The next few paragraphs flow along with the instructions there.  Read their instructions, then read my comments below before doing anything.

Step 2 & 4: Copy the sample rc_startup script into a text editor, and insert the ca.crt, server.key, server.crt and dh1024.pem where indicated (you’ll find the keys and certs at c:\program files\openvpn\easy-rsa\keys).  I also had to change the last line of the script to the workaround shown.  After I had set everything up, I couldn’t keep the VPN connection open, and this workaround fixed the problem.  If you changed the port or protocol when you enabled the VPN service, you need to make sure the changes are reflected in this script, too.

Once you’ve inserted the proper keys and certs, log in to the web interface and navigate to the Commands tab.  On a new installation, you should not have any saved commands, so all you need to do is copy the rc_startup script into the box and click the Save Startup button.

Step 3-5:  On a fresh installation, you won’t have a saved rc_firewall command.  Copy the one shown, and save the firewall script the same way.  Reboot the router if it doesn’t reboot on its own.

Step 6: You can use the Windows telnet command to access the router and execute the shell command.  Simply go to a command window and type “telnet 192.168.1.1”.  Log in, and run “ps | grep openvpn”.  This lists the running processes and keeps only the lines containing “openvpn”.  You should see a couple of entries show up, indicating OpenVPN has been started and is therefore running.

Once the server is configured, follow through the Client Configuration section (at this time, only three steps and a short explanation).  Copy a client key and cert pair to the config folder (C:\Program Files\OpenVPN\config), as well as the ca.crt, and save the config file to this same folder.  Name the file whatever you want, but the extension should be .ovpn.  Make sure you put in the proper IP address of your router, and enter the right file names for the CA cert and client cert/key.  You should now be able to connect to your VPN; just remember to try it from outside your LAN!  Start the OpenVPN GUI client from the Start menu, and it will appear in the taskbar, down by the clock.  Right-click on the icon and choose Connect.

If you don’t have a static IP address, you might want to look into a dynamic DNS service, such as DynDNS.org (see link below).  You can set up a free account, and choose a custom subdomain.  You can configure the DD-WRT software to update the DynDNS records every time your IP changes.  This way, you only need to configure a DNS name in the config file, and you can always access your system.

Troubleshooting

OpenVPN GUI has a console where you can see what’s going on.  I ran into a couple of problems with my VPN.

If the connection is made and drops repeatedly, make sure you use the workaround in the rc_startup script (replacing the last line with the two indicated below the script).

If you can connect to the VPN, and an ipconfig /all shows you have an IP address from the VPN server, but you can’t access anything inside your network, it might be your local router.  My old home router prevented me from accessing any of the remote resources.

Useful Links:

Linksys-Cisco WRT54GL Wireless-G Broadband Router (Compatible with Linux)

Hack Attack: Turn Your $60 Router Into A $600 Router

Podcast: The Linksys WRT54GL Router

Podcast: Setting Up A Home Network

Adding Additional Clients to your WRT54GL/DD-WRT VPN

Using a Dynamic DNS Service with DD-WRT


Scott’s Flickr for Community Server (Updated)

I’d downloaded Scott’s code for his module and took the liberty of updating it to use the latest build of FlickrNet, so that users can now make use of both modules side-by-side.  Since Scott is going to be out of town on vacation, he’d said he wouldn’t mind if I went ahead and released, and so without further ado, please feel free to download it below.


Full story at http://qgyen.net/archive/2006/08/09/Scott_2700_s-Flickr-for-Community-Server-_2800_Updated_2900_.aspx



Still Getting Mileage From nGallery

nGallery was a great application on its own, but Community Server is just far too much overhead when all you need is a simple gallery app.  Even though it hasn’t been updated in a while, nGallery is still one of the better gallery apps out there.  After quite a bit of template tweaking, I have a very customized gallery up at http://www.cleantownusa.com/gallery/.  The template seems difficult at first, but after fooling around with it for a little bit, it’s actually quite easy.  You need either a great mind’s eye, or you need to use the refresh button liberally as you tweak, and very liberal use of source control for the different template bits is highly recommended.  “I told you so”, in advance, for those who don’t.


BTW – CleanTown USA is Pittsburgh’s favorite car wash and interior detail center.  Find them online at http://www.cleantownusa.com.  Shameless plug, but the marketing coordinator threatened to cut off my supply of free Mountain Dew if I didn’t say it.  I hope you understand.

Software for Starving Students (SSS) version 2006.01 is now released

via Digg



The Software for Starving Students CD enhances the Windows and Mac desktop computing experiences by providing an easy way to install free, high-quality software titles via a user-friendly interface. It includes popular open source programs like Firefox and OpenOffice, intended to help students learn about and benefit from open source and free software programs. The SSS team put all the most commonly used free programs onto one CD to make it easier for students to install useful software (including fully-featured office suites, 3D graphic editors and much more) for free. To preview the new SSS interface, check out some screenshots of the latest release.


Full info at http://mirror.softwarefor.org/index.html.

via Digg: Free Asterisk Ebook

via Digg

O'Reilly Media's latest book, Asterisk: The Future of Telephony, written by Jim Van Meggelen, Jared Smith, and Leif Madsen, is the most complete book on the Asterisk PBX system to date. The new book, announced at Astricon 2005, covers many of the new features of Asterisk 1.2. In the spirit of open source, O'Reilly has licensed the book under the Creative Commons license, making it free to download and distribute. If you are looking for the ultimate Asterisk book, you can now download the entire book as a PDF file!

Find it at http://voipspeak.net/index.php?/content/view/33/2/.