So today I’m going to explain in a few simple steps how to set up OpenVPN on DD-WRT and how to cope with some of the stupidest problems I’ve ever seen in my life until now (after paypal’s shit last night).
First let me introduce you to my problem – as I have to travel from time to time, I would like to be able to work on some servers remotely. But access to the servers is restricted by IP address and, trust me, I don’t want to call someone with access to add my IP every time I move or disconnect (if dynamic IPs are used). So I had to think of some way to get around this problem and I got it – get a router/server of some kind at a place where I have a static IP (which happens to be my router at home) and set up a tunnel of some kind.
First I had it set up with PPTP and I had no trouble with it on Windows (click-connect-works), but I have migrated to Linux and stumbled upon some nasty trouble which I didn’t want to solve for a variety of reasons (mainly because PPTP is not that secure and I wanted to learn something new).
So I headed to the DD-WRT wiki to see how to enable OpenVPN. I downloaded the latest firmware for my router (Buffalo WHR125G) and flashed it. Then I began reading how to set up the whole system. After a bit of head-banging and an awful lot of swearing I found a simple enough guide on how to set it up. You can read it in the original here: http://hamisageek.blogspot.com/2009/04/setting-up-openvpn-with-dd-wrt-for.html.
This was the perfect guide for several reasons:
- It uses the least steps needed to do something
- It’s structured quite well (You can follow just the highlighted areas and copy-paste them and it WILL work).
- It explains how to set up NetworkManager’s applet to connect (I use it, so it just made a perfect fit)
Now just for the sake of archiving here is what you do:
Step 1 – Enable OpenVPN on DD-WRT:
- Go to Services
- Go to VPN
- Check Enable OpenVPN Daemon
- Also check On WAN Up
- Save & Apply settings (first save, then apply)
Step 2 – Generate certificates for encryption (requires Linux, sorry, Windows just s0cks hard :))
1. On your Linux desktop, open a terminal and become root by using su.
su -
2. Go to /usr/share/openvpn/easy-rsa/2.0 (note by me: on Arch Linux it is just /usr/share/openvpn/easy-rsa/, without the 2.0 at the end; try it and see.)
cd /usr/share/openvpn/easy-rsa/2.0
3. Execute the following commands in the correct order:
# sets some environment variables to make the succeeding scripts work
source vars
# cleans up any previously created keys, if any
./clean-all
# create the CA certificate
# you will be asked to enter some information
# remember what you entered, as you will need to use the same information
# to generate the server key
./build-ca
# create a server key
./build-key-server server
# create the Diffie-Hellman parameters needed by the server
./build-dh
Now you should have a directory named keys in the current directory.
Step 3 – Copy the certificates to the router
- Go to the DD-WRT administration, Services, VPN
- You should see some fields have appeared under the OpenVPN Daemon section.
- Follow these steps to fill them in:
Public Server Cert > ca.crt (fill the Public Server Cert text area with the contents of the file ca.crt located in the keys subdirectory mentioned above)
# note that you only need the portion of ca.crt that starts with
# -----BEGIN CERTIFICATE-----
# and ends with
# -----END CERTIFICATE-----
Certificate Revoke List (CRL) > (leave empty)
Public Client Cert > server.crt
Private Client Key > server.key
DH PEM > dh1024.pem
OpenVPN Config > (check below first!)
OpenVPN TLS Auth > (leave empty)
OpenVPN Config:
push "route 192.168.1.0 255.255.255.0"
server 192.168.2.0 255.255.255.0
dev tun0
proto udp
keepalive 10 120
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
Copy and paste this in the OpenVPN Config text area.
4. Click Save settings, then Apply settings, then reboot the router.
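Two things go wrong at this point more often than anything else: a file is missing from the keys directory because one of the easy-rsa steps silently failed, or the whole of ca.crt (including the human-readable dump easy-rsa prepends) gets pasted into the text area instead of just the BEGIN/END CERTIFICATE portion. The script below is an added example of mine, not part of the original post or the linked guide; it assumes the file names the post uses (ca.crt, server.crt, server.key, dh1024.pem) and nothing about your router.

```shell
#!/bin/sh
# Added example: sanity-check the easy-rsa "keys" directory before pasting
# anything into the DD-WRT VPN page, and cut out only the PEM block.
set -e

# Files the DD-WRT VPN page needs, as named in the post (assumed file names).
REQUIRED_KEY_FILES="ca.crt server.crt server.key dh1024.pem"

# check_keys_dir DIR -> returns 0 when every required file exists and is
# non-empty, 1 otherwise (the missing names are listed on stderr).
check_keys_dir() {
    dir=$1
    missing=""
    for f in $REQUIRED_KEY_FILES; do
        [ -s "$dir/$f" ] || missing="$missing $f"
    done
    if [ -n "$missing" ]; then
        echo "missing or empty in $dir:$missing" >&2
        return 1
    fi
    return 0
}

# pem_block FILE -> prints only the lines from -----BEGIN CERTIFICATE-----
# to -----END CERTIFICATE-----, which is all the web UI text area wants.
pem_block() {
    sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' "$1"
}

# pem_block_count FILE -> number of certificate blocks in FILE. ca.crt and
# server.crt should each contain exactly one; 0 means you are looking at
# the wrong file (e.g. a .csr or a key), more than one means a bundle.
pem_block_count() {
    grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true
}
```

Usage: from the easy-rsa directory run `check_keys_dir keys && pem_block keys/ca.crt` and paste what is printed into Public Server Cert; repeat with keys/server.crt for Public Client Cert. The key file has no preamble, so server.key can be pasted as-is.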
By reaching here, you should have a fully working DD-WRT OpenVPN-enabled router.
Now let’s connect to it.
Step 4 – Generating user certificates – needed for the client to connect.
Now you just have to run one more command to generate the user certificate:
./build-key client1
Step 5 – Setting up DD-WRT firewall rules – as DD-WRT is kind of an ass here, here is how you set up your firewall rules:
Step 5 – Connecting