Today I will show you how to set up your own Virtual Private Network. A VPN can be very useful, especially if you often use foreign internet connections which are insecure or if the internet access is restricted due to website blacklists and word filters and you need to bypass these.
Basically what VPN does is connecting a host to a remote network. Although the host is not physically attached to the network it can communicate with the other hosts as if it was physically attached. Companies primarily use this to let external employees access data that is only available within the company’s intranet.
There are several ways to set up a VPN. In this article I will show you how to do it on a DD-WRT router, which – in my opinion – is a great thing to have. DD-WRT is a free router firmware that can be installed on a wide range of home-routers. For more information and a list of compatible routers visit the official website: http://www.dd-wrt.com.
To do it this way, you will need a working DD-WRT router with internet access and a Windows machine to generate the certificates. You can also use Linux or MacOS for this but in this case I’m using Windows.
Before getting started I will present two different scenarios that make clear why a VPN is also useful for personal use. Then I will explain how to set everything up in 10 steps.
Scenario 1 – Secure Connections Over an Insecure Network
A VPN connection is useful to surf the web safely even if you’re on an insecure network. Imagine being online over a hotel’s WLAN, which is not encrypted and usable for anyone. This means everyone can join the WLAN, run a traffic sniffer and watch what you are doing. If you browse websites that don’t use HTTPS/SSL all data that is exchanged with that website is also visible to anyone.
Scenario 2 – Bypass Site and Port Restrictions
If you’re online over a foreign network it could happen that they’re using some sort of proxy-server which won’t let you connect to certain websites. Also, most ports are often blocked which means that you won’t be able to check your emails using your favorite email-client (i.e. Outlook, Thunderbird, Opera, …).
You can bypass these restrictions by using a VPN tunnel because all data that is transferred through the tunnel won’t be checked by the proxy-server or firewall (in fact it can’t be checked, because it is encrypted). If there are port restrictions within the network you’re connected to it might be a problem to establish a VPN connection. In this case the only thing you can try to do is using port 443 (or 80) for your VPN server. That is the standard port for HTTP(S) and thus allowed on most networks. If you have the worst of luck there is also a firewall or some kind of IDS on the network which checks the traffic at packet level, blocking everything that looks like VPN.
Step 1 – Download and Install OpenVPN
You can download OpenVPN from here: http://openvpn.net/index.php/open-source/downloads.html
During installation have all checkboxes checked.
Step 2 – Create a Certificate-Authority
A Certificate-Authority (CA) is needed to create and sign certificates. Open a command prompt in “Run As Administrator” mode. Then type the following to get started:
Go to “C:\Program Files\OpenVPN\easy-rsa” in your Explorer and open the “vars.bat” file. I’d use Notepad++ for this because Windows Notepad might not interprete the line breaks. Also, use Administrator mode again, otherwise you won’t be able to save the file.
As for the “HOME” variable make sure that the path to the “easy-rsa” directory is correct. And if you want to, you can set the “KEY_SIZE” variable to a higher value (i.e. 2048) in order to get a more complex encryption key.
Then configure the certificate-parameters to your own needs. If you only use the certificates for yourself to connect to your VPN, it doesn’t really matter what you configure here. It’s not a bad idea to use meaningful values, though. Example:
Now go back to your command prompt and create your own Certificate-Authority by typing:
When asked for the certificate-parameters just hit Enter since we have just set the default values before.
Step 3 – Generate a Server Certificate
To create a certificate for the VPN server, type:
You’ll be asked for the certificate-parameters again. Just use your default values again but for the Common Name (CN) use “server”. Finally type “y” to sign and commit the certificate.
Step 4 – Generate Client Certificates
Now you can create as many client certificates as you need. Each client should have an own certificate with a unique name.
This time, use “client1”, “client2”, … for the Common Name (CN). If you want to create more certificates at a later point, you can re-use your CA. Just run the “vars” script again and then the “build-key” script as many times as you need:
Step 5 – Generate Diffie Hellman Parameters
Step 6 – Generate a TLS-Auth Key (Optional)
For additional security you can create a static TLS-Auth key which will be needed by every client:
openvpn --genkey --secret ta.key
All the necessary certificates and keys have been created now and can be found in “C:\Program Files\OpenVPN\easy-rsa\keys”. Make sure to keep the *.key files private since they’re containing secret keys:
- ca.key (private key of your certificate-authority)
- server.key (private key for the server)
- client1.key (private key for client1)
- client2.key (private key for client2)
Step 7 – Create a VPN Server Config
server 172.20.20.0 255.255.255.248
push "dhcp-option DNS 192.168.0.1"
keepalive 15 30
tls-auth /tmp/openvpn/ta.key 0
management localhost 14
|1||Configure server mode and provide a virtual subnet for the VPN. In this case the VPN server will get 172.20.20.1 and the clients will get the remaining addresses of this subnet. 172.20.20.0/29 provides 6 usable ip addresses. Note: It is important to specify an IP network here that does not collide with your other networks (LAN and WAN).|
|3||Specify which DNS server the clients should use, ideally your own DNS server on the main router. Note: If not set, a default DNS server of the foreign network you’re connected to might be used (security risk!). Note 2: There could be a problem if the foreign network’s DNS server (or any other host on the network) has the same address as your main router, which could actually happen when using 192.168.0.1, so it might be a good idea to not use 192.168.x.y addresses in your home network. It’s better to use something unusual instead.|
|5||Set the virtual networking device for the VPN tunnel (tun = IP, tap = Ethernet).|
|6||Use TCP/IP because UDP doesn’t support connections through a proxy server.|
|7||Set the port for the VPN server to listen on.|
|8||Send a ping every 15 seconds. Connection is considered lost when there is no answer within 30 secs.|
|10||Make the server run in the background.|
|11||Set verbosity (0 = no output, 9 = max output).|
|12||Suppress further messages if it is the same one 5 times and more.|
|13||Use LZO compression.|
|14||Allow multiple connections with one certificate.|
|15||Enable TLS and assume server role during TLS handshake (can be omitted if not using the optional ta.key from Step 6).|
|17||Path to the file containing the Diffie Hellmann parameters. For DD-WRT leave this and the following paths as they are in the example.|
|18||Path to the file containing the Certificate-Authority’s public key.|
|19||Path to the file containing the server certificate.|
|20||Path to the file containing the server’s private key (keep this secret!).|
|21||Path to the file containing the TLS-Auth key. On the server a “0” has to be appended. (Optional line, see Step 6)|
|23||Make DD-WRT’s VPN status page able to read the log. Without this line, the status page will be empty. Note: The port might have to be 5001 instead of 14 in older releases.|
Step 8 – Create a VPN Client Config
remote your.domain.com 443
# http-proxy 126.96.36.199 8080
tls-auth ta.key 1
|1||Configure client mode.|
|2||Set the virtual networking device for the VPN tunnel (tun = IP, tap = Ethernet).|
|3||Use TCP/IP because UDP doesn’t support connections through a proxy server.|
|4||Address and port of your VPN server. If you don’t have a static IP address, I’d recommend to use a Dynamic DNS service like No-IP.|
|5||Uncomment if you have to use a proxy-server in order to get a connection. Set proxy address and port accordingly.|
|6||Send all traffic through the VPN tunnel.|
|7||Select the local port automatically.|
|8||Try to keep key data when the tunnel needs to be restarted.|
|9||Try to keep tun data when the tunnel needs to be restarted.|
|10||Only connect to the server if the certificate’s nsCertType field is set to “server”|
|12||Use LZO compression.|
|12||Set verbosity (0 = no output, 9 = max output).|
|13||Don’t use static IP address and port.|
|15||Filename of the Certificate-Authority’s public certificate.|
|16||Filename of your public client certificate.|
|17||Filename of your private key.|
|18||Filename of the TLS-Auth key. On the client a “1” has to be appended. (Optional line, see Step 6)|
Step 9 – Iptables, Port Forwarding and Static Routes
In order to get the VPN working, the following two lines have to be added to DD-WRT’s iptables script (Administration –> Commands / Save Firewall). The first one is necessary to make the VPN server accessible by opening the corresponding port and the second one is to forward all traffic, that comes from the VPN, to your home network/internet.
iptables -I INPUT 1 -p tcp --dport 443 -j ACCEPT
iptables -I FORWARD 1 --source 172.20.20.0/29 -j ACCEPT
Depending on how your home network is set up, it might be necessary to configure port forwarding, static routing and DD-WRT’s operating mode. Below I will describe three possible set-ups:
9.1 DD-WRT as The Only Router
This is the easiest case because DD-WRT is the only router in your home network. Since DD-WRT directly provides the internet connection, it should operate in Gateway Mode (Setup –> Advanced Routing –> Operating Mode). Port Forwarding and Static Routing are not necessary. If Client B connects to the VPN, it should be able to access Client A and DD-WRT’s web interface on its local address. All internet traffic should go through the VPN.
9.2 DD-WRT as a Secondary Router
In this case there is another router in the home network providing the internet connection. DD-WRT is the second router and provides a separate network. DD-WRT should still operate in Gateway Mode (Setup –> Advanced Routing –> Operating Mode) because it indirectly provides an internet connection for its local 172 net through the WAN port. To reach the VPN server from the internet, port forwarding has to be configured on the Main Router. A Static Route (172.20.20.0 255.255.255.248 –> 192.168.0.2) should be added as well, otherwise the internet access in the VPN might not work. If Client C connects to the VPN, it should be able to access Client B and DD-WRT’s web interface on its local address. All internet traffic should go through the VPN.
9.3 DD-WRT as a Switch
Here we have DD-WRT operating as a switch that is connected to the main router, so DD-WRT’s WAN interface is disabled in this case. The WAN port can optionally be assigned to the switch (Setup –> Basic Setup). To reach the VPN server from the internet, port forwarding has to be configured on the Main Router. Since DD-WRT does not provide the internet connection, it should operate in Router Mode (Setup –> Advanced Routing –> Operating Mode), although it is technically connected as a switch. Now, client C will be able to connect to the VPN but it won’t be able to access the Main Router or the internet. To fix this, a Static Route (172.20.20.0 255.255.255.248 –> 192.168.0.2) for the VPN has to be added on the Main Router. Client C should be able to access everything on your home network and all internet traffic should go through the VPN.
Info on Static Routes
You have to specify the VPN’s network address and subnet mask (see line 1 of the server config in Step 8) and have this routed to DD-WRT’s WAN address (or LAN address if the WAN interface is disabled). If your Main Router does not support configuring Static Routes, you might not be able to get the VPN connection working.
Step 10 – Put Everything Into Operation
Open your DD-WRT configuration, go to [Services] –> [VPN] and configure it as follows:
- PPTP Server = Disable
- PPTP Client Options = Disable
- OpenVPN = Enable (in older releases: Start OpenVPN Daemon = Enable)
- Start Type = WAN Up
- Config as = Daemon (if you select “Server”, the server configuration can be created using the GUI. You don’t need the config file from Step 7 in that case.)
- Start OpenVPN Client = Disable
Then copy the contents of the files in “easy-rsa\keys” into the appropiate fields:
|Public Server Cert
(called Public Client Cert in older releases)
|server.crt (only the part starting at —BEGIN CERTIFICATE—)|
|Private Server Key
(called Private Client Key in older releases)
(called OpenVPN Config in older releases)
|The server config from Step 7|
|TLS Auth Key
(called OpenVPN TLS Auth in older relases)
|ta.key (Optional, see Step 6)|
|Certificate Revoke List||—|
Finally copy the files “ca.crt”, “client1.crt”, “client1.key” and (optionally) “ta.key” to your client computer that is supposed to use the VPN tunnel. If it is a Windows machine you can use OpenVPN, on MacOS you can use Tunnelblick instead. As for Linux I do not have any experience with VPNs. Then you just have to load the client config (Step 8 ) and you’re ready to go.
As a last step I would recommend you to delete the “easy-rsa\keys” folder to achieve maximum security. Or you could add the files to a password-protected zip-archive and put this one away.
If the VPN does not work as expected, finding the error can be frustrating. Here are some notes that might help:
- The date and time settings must be correct on both systems, the computer you create the certificates on and the OpenVPN server (DD-WRT). Otherwise the connection might fail because the certificates are not considered valid.
- Use “netstat -ntl” to find out if (and on what port) the server is listening.
- Use “iptables -nL INPUT” and “iptables -nL FORWARD” to verify the firewall/iptables config.
- Increase the verbosity (“verb” parameter in the OpenVPN config files) and check the logs (server and client) for any hints.
- Temporarily disable all firewalls (SPI on DD-WRT, Main Router, Windows, …) to find out if the connection problem is firewall-related.
- If you can connect to the VPN but have no internet access, check your static route on the main router (see 9.2 and 9.3).
- If you can’t access the internet from within the VPN, use IP addresses instead of DNS names to find out if the problem is DNS-related.
- Have a look at your client’s routing table (netstat -nr)