VPN (the easy way) v24+
From DD-WRT Wiki
As of DD-WRT v.24 SP1, it is now possible to set up DD-WRT as an OpenVPN appliance using only the web-based GUI. It is no longer necessary to issue shell commands, or to echo quoted certificates and config files using a shell script.
This Tutorial shows how to set up an OpenVPN Server on DD-WRT and his clients on either Desktop PCs or another DD-WRT box.
Contents |
[edit] Getting Started - Flashing the Router
To flash a brand new WRT54GL:
First, install the "mini" version of DD-WRT. (Current filename: dd-wrt.v24_mini_generic.bin ) Then, install the "vpn" version of DD-WRT that has OpenVPN support. (Current filename: dd-wrt.v24_vpn_generic.bin ) For other routers, use the appropriate bin files and installation procedure, as per the DD-WRT website.
We have more detailed instructions on this for example at Installation.
[edit] Enough NVRAM storage space?
All the data from the web-GUI is permanently stored in the NVRAM area. Overfilling the NVRAM area is likely to brick your router.
Using a KEY_SIZE of 1024 you need about 5200 bytes available in NVRAM on the server-side before you push SAVE in the web-GUI, or you might brick your router.
Using a KEY_SIZE of 2048 you need about 6000 bytes available in NVRAM on the server-side.
To test how much NVRAM space is left (and used) telnet or ssh into your router and type:
nvram show | grep size
If you do not have enough NVRAM space available, you cannot use the web-GUI method that is outlined below. You must use the Script method to store the certificates and activate VPN. Doing a factory reset may free up NVRAM, however, you will lose your existing configuration.
[edit] Creating Certificates
Once you have verified you have enough nvram space, you need the OpenVPN software installed on your computer, as it is used to create all the needed certificates.
See steps below for "how to" download/install/use OpenVPN on your computer, or visit
http://openvpn.net/index.php/documentation/howto.html for the general official guide.
[edit] Creating Certificates Using Easy RSA in Windows
PRECAUTION: When generating certificates using Easy RSA in Windows, the certificate will be signed using GMT time, not your local time. This will result in the certificated not being valid until your local time equals that of GMT at the time of the certificate signing. For instance, if on the West Coast of USA, your local time is GMT-8. Your certificates will not be valid until 8 hours after generation, assuming that you have your time set to GMT-8 on the router and are using a NTP time server to manage the router time setting. You will need to set your router to use GMT until the time difference elapses or you will receive TLS Auth errors when tring to connect until the time difference passes. After then, you can set your time to GMT-8 or what ever time zone you are in.
Easy RSA is installed with the OpenVPN package on Windows. Open up a Command Prompt and cd to C:\<<Program Files>>\OpenVPN\easy-rsa. Run the following batch file to copy configuration files into place (this will overwrite any preexisting vars.bat and openssl.cnf files):
init-config ->ENTER
Now edit the vars file (called vars.bat on Windows) and set the KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, and KEY_EMAIL parameters. Don't leave any of these parameters blank. Save the file and return to the CMD Prompt. All of the following build actions produce files that will be placed in the "keys" directory under C:\<<Program Files>>\OpenVPN\easy-rsa\.
In the CMD Prompt, type:
vars ->ENTER
clean-all ->ENTER
build-ca ->ENTER
The final command (build-ca) will build the certificate authority (CA) certificate and key by invoking the interactive openssl command:
ai:easy-rsa # ./build-ca Generating a 1024 bit RSA private key ............++++++ ...........++++++ writing new private key to 'ca.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [US]: State or Province Name (full name) [NY]: Locality Name (eg, city) [NewYork]: Organization Name (eg, company) [MyORG]: Organizational Unit Name (eg, section) []:MyUNIT Common Name (eg, your name or your server's hostname) []:OpenVPN-CA Email Address [me@myhost.mydomain]:
Note that in the above sequence, most queried parameters were defaulted to the values set in the vars or vars.bat files. The only parameter which must be explicitly entered is the Common Name. In the example above, I used "OpenVPN-CA". Generate certificate & key for server
Next, we will generate a certificate and private key for the server. Type:
vars ->ENTER
build-key-server server ->ENTER
As in the previous step, most parameters can be defaulted. When the Common Name is queried, enter "server". Two other queries require positive responses, "Sign the certificate? [y/n]" and "1 out of 1 certificate requests certified, commit? [y/n]". Generate certificates & keys for 3 clients
Generating client certificates is very similar to the previous step. Create as many client certs as needed, naming each individually. Type:
vars ->ENTER build-key client1 ->ENTER
If you would like to password-protect your client keys, substitute the build-key-pass script.
Remember that for each client, make sure to type the appropriate Common Name when prompted, i.e. "client1", "client2", or "client3". Always use a unique common name for each client. Generate Diffie Hellman parameters
Diffie Hellman parameters must be generated for the OpenVPN server. Type:
vars ->ENTER build-dh ->ENTER
Output:
ai:easy-rsa # ./build-dh Generating DH parameters, 1024 bit long safe prime, generator 2 This is going to take a long time .................+........................................... ...................+.............+.................+......... ......................................
[edit] Creating Certificates using Ubuntu Linux
Creating certificates only requires the easy-rsa package. Easy-rsa is now managed as an independent package
sudo apt-get install easy-rsa
You may want to use TLS pre-authentication on your VPN. Then you could need to install openvpn in this ubuntu machine, even this machine won't be a VPN tunnel peer, just to generate a ta.key file (you could generate this file from a client computer where the openvpn package is mandatory). Then the command above becomes
sudo apt-get install easy-rsa openvpn
Recent easy-rsa package in Ubuntu features a single make-cadir command that will deal with all the stuff below about copying templates files and setting permissions into your own $HOME/<certification authority directory> or elsewhere. No need to sudo. Just run
make-cadir path cd path
then edit vars as explained below, then go on with
. ./vars
then go on beginning with ./clean-all in the code below.
Install OpenVPN package (with easy-rsa inside)
sudo apt-get install openvpn openssl
You must execute the following commands as root. Either type sudo in front of every command (ie sudo ./clean-all) or do sudo su once and see the last character on the command prompt change to #.
# Move to the OpenVPN script folder cd /usr/share/doc/openvpn/examples/easy-rsa/2.0/ # Before anything else you may want to make a backup copy of the vars script cp vars vars-org # You can now edit some default values in the vars script if you want to, just saves you some typing later, # there is no actual need to edit the vars script at any point during the use of this guide # gedit vars # The following are the actual certificate building commands source ./vars ./clean-all ./build-ca ./build-key-server server ./build-key client1 ./build-key client2 #Etc, for other clients ./build-dh
If you plan to use TLS authentication (see openvpn manual , install openvpn now if not yet done. Create the shared key:
openvpn --genkey --secret $KEY_DIR/ta.key
You can uninstall openvpn now if this machine won't be a vpn peer.
At this point, you have created the certificates which you will need to pass out to the server and clients. You find them in the new directory keys. KEEP THEM IN A SAFE PLACE.
Notes about the above commands:
- Before you run the source vars command you may want to edit some of the export lines in the vars file. You might do: cp vars vars-org before you edit the vars script. One of the following commands will allow you to edit the vars file in Ubuntu Linux gedit vars or nano vars or vi vars. KEY_SIZE, KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, KEY_EMAIL are probably the only export variables you should mess with. Please note: if you change KEY_SIZE it must be done before running source vars.
- source vars - will run the vars script and export the vars variables all the way to the command prompt. Type sudo set in the Linux terminal window to see all global variables, or just set if you have already done sudo su. The rest of the commands above depend on and use the global variables exported from the vars script
- ./clean-all - makes sure no old keys are stored in the "keys" directory. All the .crt and .key files you create make up ONE set of mutually dependent keys, that all store parts from one another.
- ./build-ca - creates the ca.crt and ca.key files - ./build-ca will ask you to enter some parameters. Here is an example of what I might use (living in Denmark)
Country Name (2 letter code) [US]:DK State or Province Name (full name) [CA]:DK Locality Name (eg, city) [SanFrancisco]:AtHome Organization Name (eg, company) [Fort-Funston]:AtHome Organizational Unit Name (eg, section) []:AtHome Common Name (eg, your name or your server's hostname) [Fort-Funston CA]:AtHome CA Email Address [me@myhost.mydomain]:vpn@mydomain.dk
- ./build-key-server server - creates the server.crt and server.key files. Here is an example of what I might use (living in Denmark)
Country Name (2 letter code) [US]:DK State or Province Name (full name) [CA]:DK Locality Name (eg, city) [SanFrancisco]:AtHome Organization Name (eg, company) [Fort-Funston]:AtHome Organizational Unit Name (eg, section) []:AtHome Common Name (eg, your name or your server's hostname) [server]:server Email Address [me@myhost.mydomain]:vpn@mydomain.dk Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []:password An optional company name []:AJAX Inc.
- ./build-key client1 - creates the client1.crt and client1.key files
Country Name (2 letter code) [US]:DK State or Province Name (full name) [CA]:DK Locality Name (eg, city) [SanFrancisco]:AtHome Organization Name (eg, company) [Fort-Funston]:AtHome Organizational Unit Name (eg, section) []:AtHome Common Name (eg, your name or your server's hostname) [client1]:client1 Email Address [me@myhost.mydomain]:vpn@mydomain.dk Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []:password An optional company name []:AJAX Inc.
- So long as you change nothing in the vars file, you can come back and run the ./build-key clientX command at any time, in order to create keys for one more client to connect to your OpenVPN (DD-WRT) server.
- ./build-dh - creates the dh1024.pem or dh2048.pem files, depending on KEY-SIZE variable. Please note: if you change KEY_SIZE you must re-do all steps above begining with source vars
edit: easy-rsa is at version 3 and some of the commands have changed. These are the new ones. I use no password and require certificates. I believe this works closely with the rest of the instructions.
easyrsa build-ca nopass easyrsa init-pki easyrsa gen-req OVPN_server_name nopass easyrsa gen-req OVPN_client_name nopass openvpn --genkey --secret /etc/easy-rsa/ta.key openssl dhparam -out /etc/easy-rsa/pki/dh.pem 2048
[edit] Setting up the Gateway
In the Web Interface of your DD-WRT loaded router, go to Services > OpenVPN Daemon.
The server will reject certificates unless the server clock is set correctly. To fix this, enable NTP.
- First, set "Start OpenVPN: Enable".
- Then you can either choose "System" or "WAN Up" as "Start Type". The first choice launches OpenVPN on system startup whereas the second runs OpenVPN whenever the WAN interface goes up
NOTE: Be carefull! If your openvpn.conf has to resolve some Domain Names, you may face issues with "System" start type. Especially if your openvpn.conf contains the command local domain.
- Second, paste the certificate files created above into the boxes in the DD-WRT web interface as follows:
Box | File to insert |
---|---|
Public Server Cert (CA Cert) | ca.crt |
Certificate Revoke List | (blank) |
Public Server Cert | server.crt |
Private Server Key | server.key |
DH PEM | dh1024.pem |
OpenVPN Config | (see below) |
OpenVPN TLS Auth | blank (or ta.key file content) |
NOTE: Only paste the sections of text starting with (and including):
-----BEGIN CERTIFICATE-----
and ending with (and including):
-----END CERTIFICATE-----
in the text files. That is, include the two ---BEGIN/END CERTIFICATE--- lines. Do not paste all the descriptive stuff above that section.
NOTE on File Access in Ubuntu (for recent Ubuntu see Note** further): The following commands will make it easier to use the GUI tools in Ubuntu to copy text from the files stored in /usr/share/doc/openvpn/examples/easy-rsa/2.0/keys to the web-GUI of DD-WRT.
# When you have issued ./build-dh, then do: chmod 755 keys cd keys chmod 755 *.*
Then open any File browser in Ubuntu menu "Places" and paste
/usr/share/doc/openvpn/examples/easy-rsa/2.0/keys
into the "Location:" text field and you can easily open (display/edit) the files in order to copy-and-paste the certificate and key sections into DD-WRT web-GUI.
Note** In recent Ubuntu, after you ran make-cadir with some target in your $HOME (e.g. My-OpenVPN-CA), source vars, clean-all and build-ca as explain above, the key folder ($KEY_DIR) has permissions set to 700 (fine). In it you can read/write all files. *.keys are set to permissions 600 (fine again), and all others are 644 (fine too). Don't open key/crt/pem files from the graphical file browser as a graphical utility ViewFile will popup, either puzzeling you with what to copy/paste or failing to show anything. Instead, in a terminal, use:
cd $KEY_DIR # source ~/My-OpenVPN-CA/vars (if the command above failed) # cd $KEY_DIR (again) cat ca.crt cat server.crt cat server.key cat dh2048.pem cat ta.key
Copy paste only the useful data to limit nvram space needed (including headers/footers -----BEGIN .........END PRIVATE KEY|CERTIFICATE|OpenVPN Static key V1-----
[edit] Sample Setup with Routing
The following example config file uses OpenVPN in routed mode. It is also possible to set up OpenVPN in bridged mode, this is explained below.
[edit] The Server Config File
In routed mode, there are three networks to consider:
- The LAN (192.168.54.0 here)
- The WAN (Internet)
- The OpenVPN private routing network (192.168.66.0 here)
The OpenVPN private routing network is used by the OpenVPN software. The OpenVPN server and clients will be on this "private" subnet, and OpenVPN will route packets between your LAN subnet (192.168.54.0) and the OpenVPN subnet (192.168.66.0). Change the LAN subnet addresses to whatever you like. By default the LAN address is 192.168.1.0, but I changed it to 192.168.54.0 here so I could test these devices under my pre-existing LAN.
Note that the port used in this example is 1194, and the OpenVPN subnet is 192.168.66.0. You can change those, but then you must change the firewall commands to match your new settings. I chose 192.168.66.0 simply because it doesn't conflict with anything else on my network.
My Server Config File:
push "route 192.168.54.0 255.255.255.0" push "dhcp-option DNS 192.168.66.1" server 192.168.66.0 255.255.255.0 dev tun0 proto udp keepalive 10 120 dh /tmp/openvpn/dh.pem ca /tmp/openvpn/ca.crt cert /tmp/openvpn/cert.pem key /tmp/openvpn/key.pem # Only use crl-verify if you are using the revoke list - otherwise leave it commented out # crl-verify /tmp/openvpn/ca.crl # management parameter allows DD-WRT's OpenVPN Status web page to access the server's management port # port must be 5001 for scripts embedded in firmware to work management localhost 5001
In this example, all the computers behind this appliance will have 192.168.54.* IP addresses (The network is 192.168.54.0/24).
[edit] The Server Firewall Script
Go to Administration > Commands.
Type in these text "commands" for the Firewall, replace 1194 with your OpenVPN port number:
iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT
Replace 192.168.66.0/24 with your OpenVPN server subnet:
iptables -I FORWARD 1 --source 192.168.66.0/24 -j ACCEPT # These next two lines may or may not be necessary. # I (dereks) did not need them, but bmatthewshea did. # Thus, we include them so that this works for more people: iptables -I FORWARD -i br0 -o tun0 -j ACCEPT iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
Then click Save Firewall.
The first two lines allow external clients to connect to the OpenVPN software (on port 1194). The last line allows packets to flow to/from the OpenVPN private network, and thus may not be necessary on bridged configurations.
[edit] Client Config File - Desktop
This is my configuration file for a Desktop OpenVPN Client to connect to the server we just set up. It was tested from a laptop with Ubuntu Linux.
Client Config File:
remote XXXXserver.dyndns.org 1194 client remote-cert-tls server dev tun0 proto udp resolv-retry infinite nobind persist-key persist-tun float #If the pushed routes appear not to be added on windows hosts, add the following: route-delay 30 ca ca.crt cert client1.crt key client1.key
(Note: for a routed OpenVPN, the "float" option is necessary.)
You could prefer to use the sample client.conf file provided by openvpn installation: copy /usr/share/doc/openvpn/examples/sample-config-files/client.conf (or equivalent client.openvpn for Windows) into your $HOME (or config folder for Windows) then rename the copy to your-client-name, keeping the extension as is. Adapt it according your needs, e.g. : Set the line(s)
remote my-server-1 1194 ;remote my-server-2 1194
according to the server name/ip port.
For linux you can uncomment lines;user nobody ;group nogroupfor security, but if the tun/tap goes down, you'll need to re run the sudo openvpn my.conf; command.
Change the lines
cert client.crt key client.keyto
cert your-client-name.crt key your-client-name.keyas issued by certificates generation.
Uncomment the line
;tls-auth ta.key 1if you use it (ddwrt server config is set to tls-auth ta.key 0 , which is what we want), and so, copy the ta.key file into all clients config folder.
Just below, add
auth md5if you want to match with ddwrt default, which is not openvpn sha1 default. If you set ddwrt server to sha1 you don't (may not) need this line.
Uncomment/change the line
;cipher xto
cipher bf-cbcwhich is the openvpn recommended ciphering algorithm, and set ddwrt openvpn server to use it instead of the default none.
Uncomment the line
;comp-lzowhich, with no more argument, means adaptive compression (match with ddwrt default)
Run openvpn as said above for linux. For Windows, right-clic the icon OpenVPN-GUI and select Run as administrator.
Note: the first statement in the config file, client, implies the --pull option which allows the server to push some other parameters to the clients once the connection is established.
[edit] Client Configuration - DD-WRT
This is the configuration for an OpenVPN Client running on another DD-WRT box.
Just set the OpenVPN server name (its WAN address or name) and port (1194) using the GUI, and then put in the certs similar to the procedure on the server:
Box | File to insert |
---|---|
Public Server Cert | ca.crt |
Public Client Cert | client1.crt |
Private Client Key | client1.key |
[edit] Performance
Using Linksys WRT54GL v1.1 boxes as both client and server OpenVPN appliances.
CPU Model: Broadcom BCM5352 chip rev 0
SCP File transfer with CPU at 200 MHz: 313 KB/s
SCP File transfer with CPU at 250 MHz: 423 KB/s
Thus, estimated OpenVPN User Capacity (with CPU at 250 MHz):
For users with 768 Kbit DSL:
About 4-5 users (100% usage, like big downloads)
About 10-20 users (intermittent usage, like web or shell traffic)
For users with 128 Kbit dial-up modems:
About 25 users (100% usage, like big downloads)
About 50-100 users (intermittant usage, like web or shell traffic)
I tested an OpenVPN connection for about 24 hours in my lab. I transferred 525 MB of files. I also did two power cycles on both client and server appliances, and the tunnel re-established itself correctly.
[edit] Instructions for Bridging
Bridging is mainly needed if you need to exchange Broadcasts (needed for many network games and for windows shares) or if you have other protocols than IP. With a bridge the Clients get a part of the servers "other-side-network", normally the LAN on DD-WRT boxes.
In this example, the network (which is the LAN and the network where the VPN Clients are located) is 10.22.0.0/16 or 10.22.0.0 with a subnet mask of 255.255.0.0, the normal DD-WRTs DHCP-Server assigns no addresses under 10.22.0.100 (to set under Setup > Basic Setup > Network Address Server Settings (DHCP) ).
[edit] The server config file for bridging
mode server proto udp port 1194 dev tap0 server-bridge 10.22.0.1 255.255.0.0 10.22.0.50 10.22.0.100 # Gateway (VPN Server) Subnetmask Start-IP End-IP keepalive 10 120 daemon verb 5 client-to-client dh /tmp/openvpn/dh.pem ca /tmp/openvpn/ca.crt cert /tmp/openvpn/cert.pem key /tmp/openvpn/key.pem # Only use crl-verify if you are using the revoke list - otherwise leave it commented out # crl-verify /tmp/openvpn/ca.crl
verb 5
isn't necessary, but good for troubleshooting.
The Start-IP and End-IP in the server-bridge
statement define the IP address range from where the Client get their addresses assigned. It must not overlap with the DHCP Servers address range (see above, before the file).
[edit] The Startup Script
Goto Administration > Commands, paste
openvpn --mktun --dev tap0 brctl addif br0 tap0 ifconfig tap0 0.0.0.0 promisc up
then hit Save Startup.
[edit] The Firewall Script
Clear the box (if it doesn't automatically do so) and enter
iptables -A INPUT -i tap0 -j ACCEPT iptables -I INPUT -p udp --dport 1194 -j ACCEPT
Then hit Save Firewall.
[edit] Client config file for bridging
You will also need to modify your client config file(s) to match your server config file. In particular, the dev setting needs to match what is configured on the server.
Client Config File:
remote XXXXserver.dyndns.org 1194 client dev tap0 proto udp resolv-retry infinite nobind persist-key persist-tun float ca ca.crt cert client1.crt key client1.key ns-cert-type server
Now restart your router and try.
[edit] Troubleshooting
[edit] Prerequisites
Running commands and watching logs. Use telnet, SSH, or Administration > Commands to run commands.
To troubleshoot, you should turn on logging, and then watch the log file using this command:
tail -f /var/log/messages
To turn on logging, do this:
- Turn on syslog with setting Services > System Log > Syslogd" to Enabled,
- Add a line that says "verb 5" to the OpenVPN config file
[edit] Steps
- First, is OpenVPN running?
ps | grep openvpn
If you don't see the OpenVPN process listed, then that is the first problem you need to solve.
Make sure you are running it by setting "Start type: WAN Up".
- Maybe there is an error in your config file. If so, OpenVPN will log an error message and then die.
Here is an example error I got when my config file had a bad setting in it:
root@WRT54GL:~# cat /var/log/messages | grep openvpn Jul 31 11:55:13 WRT54GL daemon.err openvpn[1686]: Options error: --server directive network/netmask combination is invalid Jul 31 11:55:13 WRT54GL daemon.warn openvpn[1686]: Use --help for more information. root@WRT54GL:~#
See if OpenVPN is logging an error message for you, to tell you what is wrong. (See "Logging" above; you need syslogd on and "verb 5" in your OpenVPN config file.)
- Next, is your firewall blocking OpenVPN?
If your firewall settings are wrong, OpenVPN's packets will be blocked by the DD-WRT firewall software.
First, turn off your firewall altogether, as a test to see if that makes things work. "Security > Firewall > SPI Firewall: Disable". If that fixes your problem, you need to tweak your firewall rules.
You can review your Linux IPTABLES firewall rules with this command:
iptables -L -v -n --line-numbers
Also, the firewall can log any DROPped or REJECTed packets. Examine these log messages and compare the DROPped packets to your iptables rules, and then tweak as necessary.
"Security > Firewall > Log: Enable" "Security > Firewall > Log > Log Level: Medium" "Security > Firewall > Log > Options > Dropped: Enable; Rejected: Enable"
There are many web sites that explain Linux iptables rules and commands.
- If you are still having trouble, make sure the cert and config files are saved correctly on the DD-WRT by looking in the directory /tmp/openvpn/ (for server) and /tmp/openvpncl/ (for client).
[edit] TLS Configuration Issues
There may be problems that occur due to TLS Errors, the following in particular "cannot locate HMAC in incoming packet." Here is an evolution/combination of the server and client configurations from this wiki and the startup script listed in the other VPN configuration page:
Server:
push "route 192.168.1.0 255.255.255.0" server 192.168.66.0 255.255.255.0 dev tun0 proto udp port 1194 keepalive 15 60 daemon verb 3 comp-lzo client-to-client duplicate-cn tls-server dh /tmp/openvpn/dh.pem ca /tmp/openvpn/ca.crt cert /tmp/openvpn/cert.pem key /tmp/openvpn/key.pem
and client:
client dev tun0 proto udp remote 192.168.1.1 1194 resolv-retry infinite nobind persist-key persist-tun ns-cert-type server comp-lzo verb 3 float ca ca.crt cert client2.crt key client2.key
Many thanks to all the contributors below, especially bmatthewshea who figured out the correct locations for the certificates.
--Derek
[edit] Windows Certificate Creation
For those who wish to create the certificates on their Windows machine, please reference the documentation from the OpenVPN site.
http://openvpn.net/index.php/open-source/documentation/howto.html#pki
ERROR MESSAGE: "OpenVPN: TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed"
In Windows there is a bug with easy-rsa that causes this error at any connection attempt if you added the line remote-cert-tls server to your client configuration file. The following fix was provided by a user on the OpenVPN mailing list.
In file easy-rsa/openssl.cnf.sample go to section [ server ] and add the following two lines:
extendedKeyUsage=serverAuth keyUsage = digitalSignature, keyEncipherment
Then remake certificates from the beginning. You even have to run init-config again in order to erase the old openssl.cnf by the sample with the the right settings. Now everything should work properly :) .
Unix version is fine.
2010-08-14 --- I have installed OpenVPN 2.1 for Windows and faces this issue. The fix works very well!
[edit] Comments
- 2009-03-25: Posted to this wiki after looking everywhere and not finding this =P
The original post which this article was copied & pasted from: Forum thread
- 2009-06-25: The server will reject certificates unless the server clock is set correctly. To fix this, enable NTP.
Other note: The server seems to reject Server certificates where the common name on the certificate isn't 'server'
- 2009-07-16: revised the whole site --Azaël
- 2009-08-08: added TLS Configuration Issues section --zamodeo
- 2009-09-19: Followed the wiki using Ubuntu 9.04 and made minor clarification changes to the wiki --MrAlvin
- 2009-11-15: I suggest to remove last line of config file related to server config in bridging mode ("crl-verify /tmp/openvpn/ca.crl"). There is no "Certificate Revoke List" section filled in and no file created, so when it starts the first connection attempt, the server process goes in error and ends --bfg9000it
- 2009-12-18: I second the last suggestion regarding the config file for the server config in bridging mode. My setup was non-functional until I removed that line "crl-verify /tmp/openvpn/ca.crl" as I was not using a revoke list. I imagine that when one is instated, the line will be necessary to reference it; however I do not know. --arriflex
- 2010-01-21: To configure routed openvpn in linksys<->linksys mode with subnets behind each router talking to each other through the tunnel, it seems it's still necessary (dd-wrt v24-sp2 build 13064) to script the ccd directory and populate it with the proper iroute statement in a file named for the common name in the certificate of the connecting client router. Also, I found I needed "iptables -t nat -I POSTROUTING -o tun0 -j ACCEPT" in my firewall script and another line similar for the PREROUTING table. I used this on server and client because these rules turn off the NATing of the vpn tunnel between endpoints, which you want if you want your tunnel to be truly routed. Otherwise, that NAT does bad things like one-way audio for SIP traffic, e.g. --mulderlr
- 2010-02-10: I have set up a pfSense server and dd-wrt client (build 13064) which I'm tunneling VoIP traffic. I had to set up client specific iroutes on pfSense through the gui (there is a tab for this under OpenVPN), and make sure that the proper networks were routed and pushed in the server config. I did not find I need the PREROUTE and POSTROUTE of mulderlr, however, i did have to add a forward rule: "iptables -I FORWARD -i tun0 -o br0 -j ACCEPT" --Edjusted 15:52, 10 February 2010 (CET)
- 2010-02-15: As a nice addition to this how-to, I have an Asus WL500W with 4GB memory stick attached to it and Optware installed on it (although not necessary) I mount it as /opt and created an "openvpn" directory on it then copied all of the files from a running OpenVPN setup from a real server I have a chroot jail, ccd/ directory and certs on this directory, and as clients connect they get their respective settings from my server DHCP, DNS and WINS (samba) information so road-warriors or sites with more computers behind them can connect and it creates a really nice network. I'm testing this with five clients connected right now and works flawlessly.
- 2010-06-11: Had some Problems to get the openvpn daemon start with (v24-sp2 SVN revision: 13064). Reason was an unreadable ca.crt certificate although I pasted it via the webinterface. If the daemon isn't running (ssh -> ps | grep vpn) after you finished to follow the instructions from above, try starting it by hand (openvpn /tmp/openvpn/openvpn.conf) and watch for error messages. In my case I had to copy the ca.crt via scp to the router. --Dude 11:00, 11 June 2010 (CEST)
- 2010-06-11: If the connection to your vpn-server can be established and pinging some IPs in your "home-net" also works but the communications freezes after some seconds try "proto tcp-server" (Server-conf) and "proto tcp-client" (Client-conf) as alternative protocol. Don't forget to open the tcp-protocol in your firewall! This worked fine for me!--Dude 11:00, 11 June 2010 (CEST)
- 2010-08-30: I used Windows to generate the certificates and tried for over an hour to get it to work before I figured out that the certificates were generated for UTC time so the certificates would not become valid until 5 hours after creating them. I changed the router time to UTC for the time being, then changed it back to -500 the next day. It worked like a charm.
I'm using eko-s big build with OpenVPN on it, I set it up according to this how-to, but I added some bits from my own.
- Bridged mode setup
- Certificate based auth
- static key auth
- Client config dir
- Chroot jail for the vpn process
- Network details taken from the router
My config looks like this:
daemon cd /opt/etc/openvpn mode server port 443 proto tcp-server dev tap0 chroot /opt/etc/openvpn/chroot/ ca /tmp/openvpn/ca.crt cert /tmp/openvpn/cert.pem key /tmp/openvpn/key.pem dh /tmp/openvpn/dh.pem tls-auth /tmp/openvpn/ta.key 0 client-config-dir ccd ccd-exclusive status logs/openvpn-status.log log logs//openvpn.log cipher AES-256-CBC verb 4 mute 20 max-clients 15 management 127.0.0.1 7505 keepalive 10 120 tls-server client-to-client comp-lzo persist-key persist-tun push "route 192.168.100.0 255.255.255.0 192.168.254.1" # Adding a route for LAN2 on site A to the connecting VPN clients push "dhcp-option WINS 192.168.254.100" push "dhcp-option WINS 192.168.254.110" push "dhcp-option DNS 192.168.254.110" push "dhcp-option DNS 192.168.254.100" push "dhcp-option DOMAIN dghvoip.lan"
As you see I do some "cool" things with my setup, I made some videos I posted on youtube about this, now with dd-wrt it's even better as many of these services can be centralized on the router.
Hope this comes in handy for someone.
If you need a bit of help with this PM me at the forum, I'd gladly try to help.
Great job, dd-wrt rocks,
--Dgonzalezh 00:41, 15 February 2010 (CET)
- 2009-05-11: By user icmp: To allow clients in the server side LAN to access clients in the client LAN i had to do some additional configuring.
Server side startup commands:
mkdir -p /tmp/openvpn/ccd echo "iroute 192.168.24.0 255.255.255.0" > /tmp/openvpn/ccd/client1 echo "iroute 192.168.25.0 255.255.255.0" > /tmp/openvpn/ccd/client2
(Where 192.168.24.0 is the network on client1 and 192.168.25.0 is the network on client 2)
I added the following to the server side OpenVPN config:
push "route 192.168.24.0 255.255.255.0" push "route 192.168.25.0 255.255.255.0" client-config-dir /tmp/openvpn/ccd route 192.168.24.0 255.255.255.0 route 192.168.25.0 255.255.255.0 client-to-client
Firewall commands on each client:
# Allow server-side and client-side hosts to ping routers endpoint iptables -I INPUT 3 -i tun0 -p icmp -j ACCEPT # Allow internal remote administration through HTTP iptables -I INPUT 1 -i tun0 -p tcp --dport 80 -j ACCEPT # Allow forwarding to other clients in the LAN iptables -I FORWARD -i br0 -o tun0 -j ACCEPT iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
To save some memory I don't start httpd automatically. I disabled HTTPD in the web interface. If for any reason I should need the web interface, I simply connect with SSH to the router and issue the command: httpd If you consider doing the same, make sure first that you can access your router with telnet or ssh. Otherwise you'll lock yourself out.
Thank You very much for this article. Great job!
- 2011-03-13: Regarding comments above dated 2009-11-15 and 2009-12-18, it's worth pointing out that if you do use a Certificate Revocation List, when you add the directive crl-verify <crl_file>, be sure to point to the full path of <crl_file>. The OpenVPN documentation does not indicate this, and it appears that clients cannot connect if openvpn cannot find the CRL file. --jmaher
--Keamas 11:50, 27 October 2010 (CEST)
Can anyone post how to route the whole traffic through the VPN tunnel with the Gateway scenario ?
--Krissi 19:00, 25 June 2011 (CEST)
Public Server Cert and CA Cert
This article assimilates that the "Public Server Cert" and "CA Cert" are the same. That is seen under the Server Configuration. It is actually described as just one value to insert.
Fact is though that the OpenVPN setup needs input for both CA Cert and Public Server Cert. Somebody should update the documentation to reflect this. As far as I understand the values should be as follows:
CA Cert = ca.crt
Public Server Cert = server.crt
Private Server Key = server.key
DH PEM = dh1024.pem
Public Client Cert = client.crt
Private Client Key = client.key