
OpenVPN Server on DD-WRT Router

At Defcon this year Moxie Marlinspike released Chapcrack, which, together with his CloudCracker service, reduces cracking an MS-CHAPv2 handshake (the authentication PPTP relies on) to a single DES key recovery.  Here's a reference:  http://threatpost.com/en_us/blogs/new-tool-moxie-marlinspike-cracks-some-crypto-passwords-073012

I had been using a PPTP tunnel as my VPN solution, as I posted about here:  http://beboblog.johnbebo.com/2009/11/28/ddwrt-pptp-vpn.aspx

I always knew PPTP was weak, but cracking it was enough work that I figured nobody would bother.  Now that Moxie has made it easy, I wanted a better approach.  I had also tried to get OpenVPN working before and had a very hard time on all the machines I use, so I shelved it until it was stable.  It now looks stable enough, and I have moved to it as my VPN solution.

Flashing the Router:
As a reference, I used the instructions from:
and 
to set up my router.  I first checked that my ASUS router could take the dd-wrt.v24_vpn_generic.bin image, which is larger than the generic build.  Since I already had a generic dd-wrt image on it, I just ssh'd into it and checked the flash and RAM sizes.  Here's a screenshot:


My ASUS WL-500 had enough memory, so I flashed it to that image.  Check the image against the checksum published with the download before sending it; a corrupt image can leave the router unbootable.  To flash it, I did the following:

I unplugged the router, plugged it back in while holding the reset button, and held it until the power light blinked, indicating the bootloader was waiting for firmware.  Then:
#tftp 192.168.1.1
>binary
>rexmt 1
>timeout 60
>trace
>put packet...
and this worked like a champ.  Give the router a few minutes to write the image and reboot on its own before touching the power.

Now that my router had the DD-WRT VPN image, it was time to build my OpenVPN keys.
Building Keys:
Backtrack is my OS of preference, so I built my keys on BT5R3.  To do this, I followed the instructions at:

I didn't follow all of their steps, since Backtrack isn't going to be my server but a client; I just followed their instructions on making keys.

Basically, I just went to /usr/share/doc/openvpn/examples/easy-rsa/2.0/ and typed the following (the vars file defaults KEY_SIZE to 1024; bump it to 2048 before you start, since 1024-bit RSA keys and a dh1024.pem are not something to build a new VPN on):
#source ./vars
#./clean-all
#./build-ca
#./build-key-server openvpn_server
#./build-key client1
#./build-dh

clean-all wipes the keys/ directory, so run it only once, at the start.  build-dh is the step that produces the dh*.pem file pasted into the router below.  Everything lands in the keys/ subdirectory; I copied it somewhere safe.  ca.key is the one file that must never leave that machine: whoever holds it can mint certificates the router will accept, and the router itself never needs it.
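The easy-rsa scripts hide what actually distinguishes the server cert from a client cert: the nsCertType=server extension that the clients' ns-cert-type server directive later checks.  The script below is an added example, not the post's own procedure; it builds a throwaway PKI with plain openssl as a stand-in for build-ca, build-key-server and build-key (build-dh is not reproduced), then checks that only the router's cert is marked as a server cert.  The file names and the CA name are assumptions.

```sh
#!/bin/sh
# Added example, not from the original post: build a throwaway PKI with plain
# openssl (standing in for easy-rsa's build-ca, build-key-server and
# build-key; build-dh is not reproduced) and then check the one property the
# clients' "ns-cert-type server" directive relies on: only the router's cert
# is marked as a server cert. File names are assumptions.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Self-signed CA, like ./build-ca. ca.key is the crown jewel: whoever holds it
# can issue certs the router will accept.
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
  -subj "/CN=Example OpenVPN CA" -keyout ca.key -out ca.crt 2>/dev/null

# issue_cert <name> server|client : sign a cert with the role-specific
# extensions that easy-rsa's build-key-server / build-key set.
issue_cert() {
  if [ "$2" = server ]; then
    printf 'nsCertType=server\nextendedKeyUsage=serverAuth\n' > "$1.ext"
  else
    printf 'nsCertType=client\nextendedKeyUsage=clientAuth\n' > "$1.ext"
  fi
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 3650 -extfile "$1.ext" -out "$1.crt" 2>/dev/null
}

# cert_is_server <cert>: 0 only if the cert chains to ca.crt AND carries
# nsCertType=server. A client cert from the same CA passes the first test and
# fails the second, which is exactly what stops one client from posing as the
# router to the others.
cert_is_server() {
  openssl verify -CAfile ca.crt "$1" >/dev/null 2>&1 || return 1
  openssl x509 -in "$1" -noout -text | grep -q 'SSL Server'
}

issue_cert openvpn_server server
issue_cert client1 client

for c in openvpn_server.crt client1.crt; do
  if cert_is_server "$c"; then echo "$c: server cert"; else echo "$c: NOT a server cert"; fi
done
```

Run the same two openssl commands from cert_is_server against the real keys/openvpn_server.crt before pasting it into the router; if "SSL Server" is missing, it was built with build-key rather than build-key-server.  OpenVPN 2.5 dropped ns-cert-type; current clients use remote-cert-tls server, which checks the keyUsage/extendedKeyUsage extensions rather than the Netscape one, and easy-rsa 3 issues server certs that way.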

Configuring the DD-WRT Router:
I cut and pasted my keys into the DD-WRT VPN server tab.  I pasted
CA Cert:  ca.crt
Public Client Cert (the server's own cert):  server.crt
Private Client Key (the server's own key):  server.key
DH Pem:  dh1024.pem

DD-WRT writes whatever is pasted into those fields to /tmp/openvpn/ as ca.crt, cert.pem, key.pem and dh.pem, which is why the config below refers to those names rather than the files easy-rsa produced.

My router config file, which took a lot of trial and error to get working, looked like the below.  My DD-WRT router's IP was 192.168.1.1, and 192.168.1.82 through 192.168.1.90 was the pool of addresses handed to VPN clients.  Keep that pool out of the router's own DHCP range, or a bridged VPN client can end up with the same address as a LAN host.

mode server
proto udp
port 1194
# tap (layer 2) so VPN clients land on the LAN bridge and see broadcasts
dev tap0
# gateway, netmask, then the first and last address handed to VPN clients
server-bridge 192.168.1.1 255.255.255.0 192.168.1.82 192.168.1.90
keepalive 10 120
daemon
# verb 5 is chatty; drop it to 3 once things work
verb 5
# let VPN clients reach each other, not only the LAN
client-to-client
# these are the paths DD-WRT writes the four pasted fields to
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
# the management socket is unauthenticated; keep it bound to localhost
management localhost 5001

Another important part, which also took some tweaking, is the firewall configuration.   Mine looked like this:

That was it.  My router was set up and ready to go.  Next was configuring my clients.  Since I use a variety of machines, I'll post my instructions for each.

OpenVPN Backtrack 5 R3 Client:
I tried to get KVPNC working with OpenVPN, but couldn't.  In the end, I just ran a bash script to launch the OpenVPN client from the terminal on Backtrack.  Here's the script (domain-name.com stands for the router's public hostname or IP):

#!/bin/bash
openvpn --remote domain-name.com 1194 udp --client \
  --ca /path-to-keys/ca.crt --cert /path-to-keys/client.crt --key /path-to-keys/client.key \
  --nobind --dev tap0 --persist-tun --persist-key --ns-cert-type server \
  --ifconfig 192.168.1.82 255.255.255.0 \
  --reneg-sec 1200 --verb 5

Note:  --ifconfig on a tap device takes the client's own address and the netmask (not a remote address, as it would on tun).  If you want the client to take an address from the router's server-bridge pool instead, leave the --ifconfig line out; if you do fix one, pick an address the pool will not hand out to someone else.

OpenVPN Windows Client:
For Windows, the instructions at http://www.howtogeek.com/64433/how-to-install-and-configure-openvpn-on-your-dd-wrt-router/ might help as a reference.  

I went to the OpenVPN site, OpenVPN->Community->Downloads, and downloaded openvpn-2.2.2-install.exe.  This installed an OpenVPN GUI icon.  To get it to work with my server, I first had to make a configuration file.  I opened Notepad and typed (domain-name.com stands for the router's public hostname or IP):

client
dev tap
proto udp
# domain-name.com stands for the router's public hostname or IP
remote domain-name.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
# refuse any cert not marked as a server cert, so another client's
# cert can't be used to impersonate the router
ns-cert-type server

I then named this file clientconfig.ovpn and put it in the OpenVPN configuration directory.  If you want to know where that is, click Start->All Programs->OpenVPN->Shortcuts->OpenVPN configuration directory.

In that directory, I put my 
ca.crt
client.crt
client.key
clientconfig.ovpn

Next was to build an adapter.  I went to
Start->All Programs->OpenVPN->Utilities->Add a new TAP virtual ethernet adapter

That was it.  When I clicked on the OpenVPN GUI icon, it connected solidly.  

OpenVPN Mac Client:
On my Mac, I needed an OpenVPN client, as Mac doesn't give you one by default.  I downloaded and installed Tunnelblick, and it worked very slick!  When you download the .dmg file, it pretty much walks you through the setup.  It will build a directory, which is automatically opened in Finder.   In this directory I put my 
ca.crt
client.crt
client.key
openvpnconfig.ovpn

I then renamed the folder to what I wanted the VPN tunnel to be called and added a .tblk extension.  My OpenVPN configuration looked like this (the cert and key names match the files copied into the folder above, and the Mac profile pins the server cert with ns-cert-type server just like the Windows and Backtrack ones):
client
dev tap
proto udp
remote domain-name.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun

ca ca.crt
cert client.crt
key client.key
ns-cert-type server
verb 4

Lastly, when I double-clicked on the folder.tblk, it put an icon in the upper-right of my Mac that I can click on and connect with my VPN.  

If you want ALL your traffic to go through the router, add these two lines to the client configuration:
route-gateway 192.168.1.1
redirect-gateway

On a bridged tap client OpenVPN does not learn a gateway by itself, which is why route-gateway has to name the router.  redirect-gateway replaces the client's default route; redirect-gateway def1 instead lays two /1 routes over it, which is easier to back out cleanly if the tunnel drops.  DNS keeps going wherever the client's resolver pointed before unless you change that too.

(On the Linux command line this is --route-gateway 192.168.1.1 --redirect-gateway added to the openvpn invocation above.)
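The Windows, Mac and Backtrack profiles above are short, but a slip in any of them (a remote without a hostname, a proto that does not match the router, no server-cert pinning, redirect-gateway on a tap profile with no route-gateway) surfaces only as a connection that silently times out.  The lint below is an added example, not part of the original post; it checks a client profile for those four slips plus the ca/cert/key directives.  The two sample profiles are constructed here, and domain-name.com is the post's placeholder for the router's public hostname.

```sh
#!/bin/sh
# Added example, not from the original post: a lint for an OpenVPN client
# profile (.ovpn / .tblk contents) that catches the mistakes which otherwise
# show up only as a silent "connection timed out". The two sample profiles
# below are constructed here; domain-name.com is the post's placeholder for
# the router's public hostname.

# lint_ovpn <profile> <proto the router listens on>
# Prints one line per finding; returns the number of findings (0 = clean).
lint_ovpn() {
  f=$1; want=$2; n=0

  # Arguments of a directive, trailing comment stripped; empty if absent.
  val() { sed -n "s/^[[:space:]]*$1[[:space:]]\{1,\}//p" "$f" | sed 's/[[:space:]]*#.*$//' | head -n 1; }
  # True if the directive (with the given arguments) is present.
  has() { grep -Eq "^[[:space:]]*$1([[:space:]]|\$)" "$f"; }

  # remote must be "<host> [port] [proto]"; "remote 1194" makes OpenVPN try
  # to resolve a host called 1194.
  set -- $(val remote)
  host=${1:-}
  if [ -z "$host" ] || [ "$host" = "${host##*[!0-9]}" ]; then
    echo "remote: expected '<host> [port] [proto]', got '$(val remote)'"; n=$((n+1))
  fi

  # proto must match the router; tcp-client is just tcp seen from the client.
  proto=$(val proto); proto=${proto:-udp}; proto=${proto%-client}
  if [ "$proto" != "$want" ]; then
    echo "proto: profile uses $proto but the router listens on $want"; n=$((n+1))
  fi

  # Without server-cert pinning any cert signed by the CA, including another
  # client's, would be accepted as the router.
  if ! has 'ns-cert-type server' && ! has 'remote-cert-tls server'; then
    echo "no server-cert pinning: add 'remote-cert-tls server' ('ns-cert-type server' before OpenVPN 2.5)"; n=$((n+1))
  fi

  # On a bridged (tap) profile OpenVPN has no gateway for the redirected
  # default route unless route-gateway names one (an IP, or 'dhcp').
  case "$(val dev)" in
    tap*)
      if has redirect-gateway && ! has route-gateway; then
        echo "redirect-gateway on a tap profile needs 'route-gateway <router ip>'"; n=$((n+1))
      fi
      ;;
  esac

  for d in ca cert key; do
    [ -n "$(val "$d")" ] || { echo "missing '$d' directive"; n=$((n+1)); }
  done
  return $n
}

# Constructed sample profiles: the working one from the post, and one
# carrying the slips this lint is for.
WORK=$(mktemp -d)
cat > "$WORK/good.ovpn" <<'EOF'
client
dev tap
proto udp
remote domain-name.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
EOF
cat > "$WORK/bad.ovpn" <<'EOF'
client
dev tap
proto tcp
remote 1194
nobind
ca ca.crt
cert client.crt
key client.key
redirect-gateway
EOF

for p in good bad; do
  echo "== $p.ovpn"
  lint_ovpn "$WORK/$p.ovpn" udp && echo "clean"
done
```

The second argument is the protocol the router's VPN tab is set to, so switching the server to TCP means every profile must be re-linted with tcp.  The lint reads the profile only; it does not check that the referenced ca.crt, client.crt and client.key files exist next to it.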

That's it!  I now had an ASUS router as my OpenVPN server, and could connect to it from Windows, Mac, or Backtrack.

Note, if you want your VPN to be TCP rather than UDP (say, to get around a firewall rule), change udp to tcp in the firewall rules listed above, in the server config on the VPN tab, and in every client profile; all three have to agree.  Some places on the Internet say to use tcp-client or tcp-server, but I didn't need that at all: plain proto tcp is treated as tcp-server in server mode and tcp-client in client mode.

Comments

  1. Hi, I want to do this too. What version of dd-wrt did you use? The builds 19163 to 23882 contain the "Heartbleed" flaw. Did you use an older or more recent one by chance? Thanks!

  2. Thanks for solution.
    Good blog about VPN.
    top10-bestvpn.com
