At Defcon this year Moxy Marlinspike released Chapcrack, a cloud-based tool to crack MSChapv2. Here's a reference: http://threatpost.com/en_us/blogs/new-tool-moxie-marlinspike-cracks-some-crypto-passwords-073012
I had used a PPTP tunnel for my VPN Solution, as I posted about here: http://beboblog.johnbebo.com/2009/11/28/ddwrt-pptp-vpn.aspx
I always knew that PPTP was a bit vulnerable, but it was a pain in the butt to crack, so I figured that nobody would do it. Now that Moxy has made it so easy, I wanted a better approach. Also, I have previously tried to get OpenVPN working, and had a very difficult time on all the machines I use, so I had to ditch that until it was stable. It now looks stable enough, and I've moved to that as my VPN solution.
Flashing the Router:
As a reference, I used the instructions from:
to set up my router. I first checked to see that my ASUS router would support the dd-wrt.v24_vpn_generic.bin image. Since I already had a generic dd-wrt image, I just ssh'd into it and checked. Here's a screenshot:
My ASUS WL-500 had enough memory, so I flashed my router to that image. To flash my router to that image, I did the following:
I unplugging router, plugged back in while holding reset button, and held until Power light blinked, indicating it was waiting for firmware. Then:
and this worked like a champ.
and this worked like a champ.
Now that my Router had the DD-WRT VPN Image, it was time to build my OpenVPN Keys.
Backtrack is my OS of preference, so I built my keys on BT5R3. To do this, I followed the instructions at:
I didn't follow all their stuff, as Backtrack isn't going to be my server, but a client. So I just followed their instructions on making keys.
Basically, I just went to /usr/share/doc/openvpn/examples/easy-rsa/2.0/ and typed the following:
This built my keys, and I put them in a safe directory.
Configuring the DD-WRT Router:
Following the instructions at http://www.serverwatch.com/tutorials/article.php/3896031/Setting-Up-OpenVPN-on-a-DDWRT-Router-Part-2.htm
I cut and pasted my keys into the DD-WRT VPN tables. I pasted
CA Cert: ca.crt
Public Client Cert: server.crt
Private Client Key: server.key
DH Pem: dh1024.pem
My router config file, which took a lot of trial and error to get working, looked like the below. my DD-WRT router IP was 192.168.1.1, and my dhcp client leases were from 82 to 90.
server-bridge 192.168.1.1 255.255.255.0 192.168.1.82 192.168.1.90
keepalive 10 120
management localhost 5001
Another important part, which also took some tweaking, is the firewall configuration. Mine looked like this:
That was it. My router was all set up and ready to go. Next was configuring my clients. Since I use a variety of machines, I will post my instructions for each.
OpenVPN Backtrack 5 R3 Client:
I tried to get KVPNC working with OpenVPN, but couldn't. In the end, I just ran a bash script to launch my OpenVPN Client from the terminal on Backtrack. Here's the script:
1194 udp --client --ca /path-to-keys/ca.crt --cert /path-to-keys/client.crt --key /path-to-keys/client.key --nobind --dev tap0 --persist-tun --persist-key --ns-cert-type server ifconfig 192.168.1.1 192.168.1.82 --reneg-sec 1200 --verb 5
Note: If you want your clients to connect and get a dhcp address, leave out the ifconfig ip ip portion above.
OpenVPN Windows Client:
For Windows, the instructions at http://www.howtogeek.com/64433/how-to-install-and-configure-openvpn-on-your-dd-wrt-router/ might help as a reference.
I went to the OpenVPN site and went to OpenVPN->Community->Downloads and downloaded openvpn-2.2.2-install.exe. This installed an OpenVPN GUI icon. To get this to work with my server, I first had to make a configuration file. I opened up Notepad and typed:
I then named this file clientconfig.ovpn and put this file in the OpenVPN Configuration directory. If you want to know where it got installed click on, Start->All Programs->OpenVPN->Shortcuts->OpenVPN configuration directory.
In that directory, I put my
Next was to build an adapter. I went to
Start->All Programs->OpenVPN->Utilities->Add a new TAP virtual ethernet adapter
That was it. When I clicked on the OpenVPN GUI icon, it connected solidly.
OpenVPN Mac Client:
On my Mac, I needed an OpenVPN client, as Mac doesn't give you one by default. I downloaded and installed Tunnelblick, and it worked very slick! When you download the .dmg file, it pretty much walks you through the setup. It will build a directory, which is automatically opened in Finder. In this directory I put my
I then changed the name of the folder to make it what I wanted my VPN Tunnel to be called, and added a .tblk extension. My OpenVPN configuration looked like this:
Lastly, when I double-clicked on the folder.tblk, it put an icon in the upper-right of my Mac that I can click on and connect with my VPN.
If you want ALL your traffic to go through the router, just add the below 2 lines to the configuration file:
(in Linux, this is "route-gateway x.x.x.1 --redirect-gateway" somewhere in your config line
That's it! I now had a ASUS router as my OpenVPN server, and could connect to it with Windows, Mac, or Backtrack.
Note, if you want to have your VPN be a TCP vs a UDP VPN (say, to get around a firewall rule), then just change the udp to tcp in both the firewall rules listed above, as well as in the VPN tab. Some places on the Internetz it says to use tcp-client or tcp-server, but I didn't need to use that at all.