
OpenVPN Server on DD-WRT Router

At Defcon this year Moxie Marlinspike released Chapcrack, a tool that pulls the MS-CHAPv2 handshake out of a PPTP capture and reduces it to a single DES key search, which the CloudCracker service then runs to recover the key and decrypt the session.  Here's a reference:  http://threatpost.com/en_us/blogs/new-tool-moxie-marlinspike-cracks-some-crypto-passwords-073012

I had used a PPTP tunnel for my VPN Solution, as I posted about here:  http://beboblog.johnbebo.com/2009/11/28/ddwrt-pptp-vpn.aspx 

I always knew that PPTP was a bit vulnerable, but it was a pain in the butt to crack, so I figured that nobody would do it.  Now that Moxie has made it so easy (and since the weakness is in MS-CHAPv2 itself, a stronger password doesn't help), I wanted a better approach.   I had previously tried to get OpenVPN working and had a very difficult time on all the machines I use, so I had to ditch it until it was stable.   It now looks stable enough, and I've moved to it as my VPN solution.   

Flashing the Router:
As a reference, I used the instructions from:
and 
to set up my router.  I first checked that my ASUS router had enough flash for the dd-wrt.v24_vpn_generic.bin image.  Since I already had a generic DD-WRT image on it, I just ssh'd in and checked.  Here's a screenshot:


My ASUS WL-500 had enough memory, so I flashed it to that image.  To do that, I unplugged the router, plugged it back in while holding the reset button, and held it until the power light blinked, indicating it was waiting for firmware.  Then, from a machine on the 192.168.1.x network:

#tftp 192.168.1.1
>binary
>rexmt 1
>timeout 60
>trace
>put packet...
and this worked like a champ.  Double-check that the file you put is the right build for your exact model before you hit enter; tftp will happily write the wrong image, and the router has no way to refuse it at that point.  

Now that my Router had the DD-WRT VPN Image, it was time to build my OpenVPN Keys.  
Building Keys:
Backtrack is my OS of preference, so I built my keys on BT5R3.  To do this, I followed the instructions at: 

I didn't follow all of their steps, as Backtrack isn't going to be my server but a client, so I just followed their instructions on making keys.  

Basically, I just went to /usr/share/doc/openvpn/examples/easy-rsa/2.0/ and typed the following.  (The vars file in this version sets KEY_SIZE=1024; bump it to 2048 before sourcing if you want larger RSA and DH keys, which you should.)
#source ./vars
#./clean-all
#./build-ca
#./build-key-server openvpn_server
#./build-key client1
#./build-dh

build-dh is the step that produces the dh1024.pem (dh2048.pem with KEY_SIZE=2048) the router needs alongside the certs; the rest land in keys/ as ca.crt, openvpn_server.crt/.key and client1.crt/.key.  build-key-server matters: it adds the nsCertType=server extension that the clients' ns-cert-type server check looks for.

This built my keys, and I put them in a safe directory.   The CA private key (ca.key) only needs to exist where you sign certificates; it never goes on the router or on a client.   

Configuring the DD-WRT Router:
I cut and pasted my keys into the fields on the DD-WRT VPN tab:  
CA Cert:  ca.crt
Public Client Cert:  server.crt (openvpn_server.crt from easy-rsa)
Private Client Key: server.key (openvpn_server.key)
DH Pem: dh1024.pem

My router config file, which took a lot of trial and error to get working, looked like the below.  My DD-WRT router's LAN IP was 192.168.1.1, and my DHCP client leases were from .82 to .90, which is the range the server-bridge line below hands out to VPN clients.  (The OpenVPN manual wants the bridge pool kept outside the router's own DHCP range, so make sure yours doesn't overlap or two machines can end up with the same address.)

mode server
proto udp
port 1194
dev tap0
server-bridge 192.168.1.1 255.255.255.0 192.168.1.82 192.168.1.90
keepalive 10 120
daemon
verb 5
client-to-client
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
management localhost 5001

Another important part, which also took some tweaking, is the firewall configuration: the WAN side has to accept UDP 1194, and traffic has to be allowed between tap0 and the LAN bridge.   Mine looked like this:

That was it.  My router was all set up and ready to go.   Next was configuring my clients.    Since I use a variety of machines, I'll post my instructions for each.  

OpenVPN Backtrack 5 R3 Client:
I tried to get KVPNC working with OpenVPN, but couldn't.  In the end, I just ran a bash script to launch the OpenVPN client from the terminal on Backtrack.   Here's the script (domain-name.com stands in for the router's public hostname, as in the Mac config further down):

#!/bin/bash
# Run as root.  tap0 gets a static address in the bridged LAN subnet;
# with --dev tap, --ifconfig takes <local address> <netmask>, not a peer address.
openvpn --remote domain-name.com 1194 udp --client \
  --ca /path-to-keys/ca.crt --cert /path-to-keys/client.crt --key /path-to-keys/client.key \
  --nobind --dev tap0 --persist-tun --persist-key --ns-cert-type server \
  --ifconfig 192.168.1.82 255.255.255.0 --reneg-sec 1200 --verb 5

Note:  If you want your clients to connect and just take an address from the server-bridge pool, leave out the --ifconfig line above.

OpenVPN Windows Client:
For Windows, the instructions at http://www.howtogeek.com/64433/how-to-install-and-configure-openvpn-on-your-dd-wrt-router/ might help as a reference.  

I went to the OpenVPN site, went to OpenVPN->Community->Downloads and downloaded openvpn-2.2.2-install.exe.   This installed an OpenVPN GUI icon.   To get it to work with my server, I first had to make a configuration file, so I opened Notepad and typed (domain-name.com stands in for the router's public hostname or address):

client
dev tap
proto udp
remote domain-name.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
ns-cert-type server

I then named this file clientconfig.ovpn and put it in the OpenVPN configuration directory.   To find that directory, click Start->All Programs->OpenVPN->Shortcuts->OpenVPN configuration directory.

In that directory, I put my 
ca.crt
client.crt
client.key
clientconfig.ovpn

Next was to build an adapter.  I went to
Start->All Programs->OpenVPN->Utilities->Add a new TAP virtual ethernet adapter

That was it.  When I clicked on the OpenVPN GUI icon, it connected solidly.  

OpenVPN Mac Client:
On my Mac I needed an OpenVPN client, as OS X doesn't ship one.  I downloaded and installed Tunnelblick, and it worked very slick.  The .dmg pretty much walks you through the setup: it builds a directory, which is automatically opened in Finder.   In that directory I put my 
ca.crt
client.crt
client.key
openvpnconfig.ovpn

I then renamed the folder to what I wanted my VPN tunnel to be called and added a .tblk extension.   The cert and key lines have to name the files you dropped in that folder.  My OpenVPN configuration looked like this:
client
dev tap
proto udp
remote domain-name.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun

ca ca.crt
cert client.crt
key client.key
verb 4

Lastly, when I double-clicked on the folder.tblk, it put an icon in the upper-right of my Mac that I can click on and connect with my VPN.  

By default only traffic for the 192.168.1.0/24 LAN goes through the tunnel; everything else leaves the client's normal interface in the clear, which is not what you want on hotel wifi.  If you want ALL your traffic to go through the router, just add the below 2 lines to the configuration file:
route-gateway 192.168.1.1
redirect-gateway

(On Linux the same thing goes on the openvpn command line as --route-gateway 192.168.1.1 --redirect-gateway.)
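The router config and the client configs above share the same soft spots a reviewer would flag: 1024-bit DH, the deprecated ns-cert-type check, a port that answers TLS handshakes from anyone because there is no tls-auth/tls-crypt key, a management socket with no password, client-to-client, and verb 5 logging. Below is an added example, not code from the original post, that parses an OpenVPN config and reports those findings, and also checks that a server-bridge pool actually sits inside its subnet. The three sample configs are constructed inline from the post's settings; the hardened variant, its file names and the ta.key/mgmt.pw paths are assumptions.

```python
"""Audit an OpenVPN server or client config for the usual weak settings.

Added example, not from the original post.  Sample configs are constructed
inline; the hardened variant and its file names are assumptions.
"""
import ipaddress
import re

# Constructed sample: the post's router config as written.
ROUTER_CONF = """\
mode server
proto udp
port 1194
dev tap0
server-bridge 192.168.1.1 255.255.255.0 192.168.1.82 192.168.1.90
keepalive 10 120
daemon
verb 5
client-to-client
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
management localhost 5001
"""

# Constructed sample: the post's Windows client config (domain-name.com is
# the post's placeholder for the router's public name).
CLIENT_CONF = """\
client
dev tap
proto udp
remote domain-name.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
"""

# Constructed sample: the router config with the findings fixed.  File names
# are assumptions; ta.key would come from `openvpn --genkey --secret ta.key`.
HARDENED_CONF = """\
mode server
proto udp
port 1194
dev tap0
server-bridge 192.168.1.1 255.255.255.0 192.168.1.82 192.168.1.90
keepalive 10 120
daemon
verb 3
dh /tmp/openvpn/dh2048.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
tls-auth /tmp/openvpn/ta.key 0
remote-cert-tls client
cipher AES-256-CBC
auth SHA256
management 127.0.0.1 5001 /tmp/openvpn/mgmt.pw
"""


def parse(conf_text):
    """Return [(directive, [args])] in file order, with # and ; comments stripped."""
    entries = []
    for raw in conf_text.splitlines():
        line = re.split(r"(?:^|\s)[#;]", raw, maxsplit=1)[0].strip()
        if line:
            parts = line.split()
            entries.append((parts[0], parts[1:]))
    return entries


def check_bridge_pool(args):
    """Validate `server-bridge gateway netmask pool-start pool-end`."""
    if args in ([], ["nogw"]):  # DHCP-proxy forms carry no pool to check
        return []
    if len(args) != 4:
        return [("BAD_POOL", "server-bridge needs gateway netmask pool-start pool-end")]
    try:
        net = ipaddress.ip_network("%s/%s" % (args[0], args[1]), strict=False)
        gw, lo, hi = (ipaddress.ip_address(a) for a in (args[0], args[2], args[3]))
    except ValueError as exc:
        return [("BAD_POOL", "server-bridge: %s" % exc)]
    if not (gw in net and lo in net and hi in net and lo <= hi):
        return [("BAD_POOL", "server-bridge pool %s-%s is not inside %s" % (lo, hi, net))]
    return []


def audit(conf_text, dh_bits=None):
    """Return a list of (code, message) findings; [] means nothing to flag.

    dh_bits is the size of the file named by `dh`, read out of band with
    `openssl dhparam -in dh.pem -text | head -1`; None skips that check.
    """
    entries = parse(conf_text)
    have = {d for d, _ in entries}
    last = {d: a for d, a in entries}  # last occurrence of a directive wins
    findings = []
    if dh_bits is not None and dh_bits < 2048:
        findings.append(("WEAK_DH", "DH parameters are %d bits; regenerate at 2048 or more" % dh_bits))
    if "ns-cert-type" in have:
        findings.append(("NS_CERT_TYPE", "ns-cert-type is deprecated; use remote-cert-tls (needs EKU in the peer cert)"))
    if not have & {"tls-auth", "tls-crypt"}:
        findings.append(("NO_TLS_AUTH", "no tls-auth/tls-crypt: the port answers TLS handshakes from anyone"))
    if "cipher" not in have:
        findings.append(("NO_CIPHER", "no cipher directive: OpenVPN 2.2/2.3 default to BF-CBC (64-bit block); set AES"))
    if "management" in have and len(last["management"]) < 3:
        findings.append(("MGMT_NO_PW", "management socket has no password file; whoever reaches it controls the daemon"))
    if "client-to-client" in have:
        findings.append(("C2C", "client-to-client lets VPN clients reach each other directly; drop it unless needed"))
    verb = last.get("verb", [])
    if verb and verb[0].isdigit() and int(verb[0]) >= 5:
        findings.append(("VERBOSE", "verb %s logs per-packet detail and fills /tmp on a router; use 3" % verb[0]))
    if "server-bridge" in have:
        findings.extend(check_bridge_pool(last["server-bridge"]))
    return findings


def codes(conf_text, dh_bits=None):
    """Just the sorted finding codes, for quick comparison."""
    return sorted(c for c, _ in audit(conf_text, dh_bits))


if __name__ == "__main__":
    for name, conf, bits in (("router", ROUTER_CONF, 1024),
                             ("client", CLIENT_CONF, None),
                             ("hardened", HARDENED_CONF, 2048)):
        print(name + ":")
        for code, msg in audit(conf, bits) or [("OK", "nothing flagged")]:
            print("  %-12s %s" % (code, msg))
```

Run it against the config DD-WRT writes to /tmp/openvpn/openvpn.conf and against each .ovpn; the dh_bits argument is the one value the file itself cannot tell you, so read it with openssl first. Note that switching the clients from ns-cert-type server to remote-cert-tls server only works if the server cert carries the serverAuth extended key usage, which easy-rsa's build-key-server adds.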

That's it!  I now had a ASUS router as my OpenVPN server, and could connect to it with Windows, Mac, or Backtrack.   

Note: if you want your VPN to be TCP instead of UDP (say, to get past a firewall rule), just change udp to tcp in both the firewall rules listed above and on the VPN tab.   Some places on the Internet say to use tcp-client or tcp-server, but I didn't need that at all.    

Comments

  1. Hi, I want to do this too. What version of dd-wrt did you use? The builds 19163 to 23882 contain the "Heartbleed" flaw. Did you use an older or more recent one by chance? Thanks!

