
How To Set Up a VPN on DD-WRT

Today I will show you how to set up your own Virtual Private Network. A VPN can be very useful, especially if you often use foreign internet connections which are insecure or if the internet access is restricted due to website blacklists and word filters and you need to bypass these.

Basically, a VPN connects a host to a remote network. Although the host is not physically attached to that network, it can communicate with the other hosts as if it were. Companies primarily use this to let external employees access data that is only available within the company’s intranet.

There are several ways to set up a VPN. In this article I will show you how to do it on a DD-WRT router, which – in my opinion – is a great thing to have. DD-WRT is a free router firmware that can be installed on a wide range of home-routers. For more information and a list of compatible routers visit the official website: http://www.dd-wrt.com.

To do it this way, you will need a working DD-WRT router with internet access and a Windows machine to generate the certificates. You can also use Linux or MacOS for this but in this case I’m using Windows.

Before getting started I will present two different scenarios that make clear why a VPN is also useful for personal use. Then I will explain how to set everything up in 10 steps.

Scenario 1 – Secure Connections Over an Insecure Network

A VPN connection is useful to surf the web safely even if you’re on an insecure network. Imagine being online over a hotel’s WLAN, which is not encrypted and open to anyone. This means everyone can join the WLAN, run a traffic sniffer and watch what you are doing. If you browse websites that don’t use HTTPS/SSL, all data that is exchanged with that website is also visible to anyone.

If you use a VPN tunnel instead all data will be encrypted which means that it’ll be useless for third parties.

Scenario 2 – Bypass Site and Port Restrictions

If you’re online over a foreign network it could happen that they’re using some sort of proxy-server which won’t let you connect to certain websites. Also, most ports are often blocked, which means that you won’t be able to check your emails using your favorite email-client (e.g. Outlook, Thunderbird, Opera, …).

You can bypass these restrictions by using a VPN tunnel because all data that is transferred through the tunnel won’t be checked by the proxy-server or firewall (in fact it can’t be checked, because it is encrypted). If there are port restrictions within the network you’re connected to it might be a problem to establish a VPN connection. In this case the only thing you can try to do is using port 443 (or 80) for your VPN server. That is the standard port for HTTP(S) and thus allowed on most networks. If you have the worst of luck there is also a firewall or some kind of IDS on the network which checks the traffic at packet level, blocking everything that looks like VPN.

Step 1 – Download and Install OpenVPN

You can download OpenVPN from here: http://openvpn.net/index.php/open-source/downloads.html
During installation, leave all checkboxes checked.

Step 2 – Create a Certificate-Authority

A Certificate-Authority (CA) is needed to create and sign certificates. Open a command prompt in “Run As Administrator” mode. Then type the following to get started:

cd "C:\Program Files\OpenVPN\easy-rsa"
init-config.bat

Go to “C:\Program Files\OpenVPN\easy-rsa” in your Explorer and open the “vars.bat” file. I’d use Notepad++ for this because Windows Notepad might not interpret the line breaks. Also, use Administrator mode again, otherwise you won’t be able to save the file.

As for the “HOME” variable, make sure that the path to the “easy-rsa” directory is correct. And if you want to, you can set the “KEY_SIZE” variable to a higher value (e.g. 2048) in order to get a longer, stronger key.

Then configure the certificate-parameters to your own needs. If you only use the certificates for yourself to connect to your VPN, it doesn’t really matter what you configure here. It’s not a bad idea to use meaningful values, though. Example:

set KEY_COUNTRY=DE
set KEY_PROVINCE=HB
set KEY_CITY=Bremen
set KEY_ORG=OpenVPN
set KEY_EMAIL=acidx@email.com
set KEY_CN=AcidX-CA
set KEY_NAME=AcidX
set KEY_OU=AcidX

Now go back to your command prompt and create your own Certificate-Authority by typing:

vars.bat
clean-all.bat
build-ca.bat

When asked for the certificate-parameters just hit Enter since we have just set the default values before.

Step 3 – Generate a Server Certificate

To create a certificate for the VPN server, type:

build-key-server.bat server

You’ll be asked for the certificate-parameters again. Just use your default values again but for the Common Name (CN) use “server”. Finally type “y” to sign and commit the certificate.

Step 4 – Generate Client Certificates

Now you can create as many client certificates as you need. Each client should have its own certificate with a unique name.

build-key.bat client1
build-key.bat client2

This time, use “client1”, “client2”, … for the Common Name (CN). If you want to create more certificates at a later point, you can re-use your CA. Just run the “vars” script again and then the “build-key” script as many times as you need:

cd "C:\Program Files\OpenVPN\easy-rsa"
vars.bat
build-key.bat client3
build-key.bat client4

Step 5 – Generate Diffie-Hellman Parameters

build-dh.bat

Step 6 – Generate a TLS-Auth Key (Optional)

For additional security you can create a static TLS-Auth key which will be needed by every client:

cd "C:\Program Files\OpenVPN\easy-rsa\keys"
openvpn --genkey --secret ta.key

All the necessary certificates and keys have been created now and can be found in “C:\Program Files\OpenVPN\easy-rsa\keys”. Make sure to keep the *.key files private since they contain private keys:

  • ca.key (private key of your certificate-authority)
  • server.key (private key for the server)
  • client1.key (private key for client1)
  • client2.key (private key for client2)

Step 7 – Create a VPN Server Config

Server config (the line numbers are referenced in the explanations below):

 1  server 172.20.20.0 255.255.255.248
 2
 3  push "dhcp-option DNS 192.168.0.1"
 4
 5  dev tun0
 6  proto tcp
 7  port 443
 8  keepalive 15 30
 9
10  daemon
11  verb 0
12  mute 5
13  comp-lzo
14  duplicate-cn
15  tls-server
16
17  dh /tmp/openvpn/dh.pem
18  ca /tmp/openvpn/ca.crt
19  cert /tmp/openvpn/cert.pem
20  key /tmp/openvpn/key.pem
21  tls-auth /tmp/openvpn/ta.key 0
22
23  management localhost 14

Line  Purpose
1     Configure server mode and provide a virtual subnet for the VPN. In this case the VPN server will get 172.20.20.1 and the clients will get the remaining addresses of this subnet. 172.20.20.0/29 provides 6 usable IP addresses. Note: It is important to specify an IP network here that does not collide with your other networks (LAN and WAN).
3     Specify which DNS server the clients should use, ideally your own DNS server on the main router. Note: If not set, a default DNS server of the foreign network you’re connected to might be used (security risk!). Note 2: There could be a problem if the foreign network’s DNS server (or any other host on the network) has the same address as your main router, which could actually happen when using 192.168.0.1, so it might be a good idea not to use 192.168.x.y addresses in your home network. It’s better to use something unusual instead.
5     Set the virtual networking device for the VPN tunnel (tun = IP, tap = Ethernet).
6     Use TCP/IP because UDP doesn’t support connections through a proxy server.
7     Set the port for the VPN server to listen on.
8     Send a ping every 15 seconds. The connection is considered lost when there is no answer within 30 seconds.
10    Make the server run in the background.
11    Set verbosity (0 = no output, 9 = max output).
12    Suppress further messages if the same message repeats 5 times or more.
13    Use LZO compression.
14    Allow multiple connections with one certificate.
15    Enable TLS and assume the server role during the TLS handshake (can be omitted if not using the optional ta.key from Step 6).
17    Path to the file containing the Diffie-Hellman parameters. For DD-WRT leave this and the following paths as they are in the example.
18    Path to the file containing the Certificate-Authority’s public certificate.
19    Path to the file containing the server certificate.
20    Path to the file containing the server’s private key (keep this secret!).
21    Path to the file containing the TLS-Auth key. On the server a “0” has to be appended. (Optional line, see Step 6)
23    Make DD-WRT’s VPN status page able to read the log. Without this line, the status page will be empty. Note: The port might have to be 5001 instead of 14 in older releases.


Step 8 – Create a VPN Client Config

Client config (the line numbers are referenced in the explanations below):

 1  client
 2  dev tun0
 3  proto tcp
 4  remote your.domain.com 443
 5  # http-proxy 1.2.3.4 8080
 6  redirect-gateway
 7  nobind
 8  persist-key
 9  persist-tun
10  ns-cert-type server
11  comp-lzo
12  verb 3
13  float
14
15  ca ca.crt
16  cert client1.crt
17  key client1.key
18  tls-auth ta.key 1

Line  Purpose
1     Configure client mode.
2     Set the virtual networking device for the VPN tunnel (tun = IP, tap = Ethernet).
3     Use TCP/IP because UDP doesn’t support connections through a proxy server.
4     Address and port of your VPN server. If you don’t have a static IP address, I’d recommend using a Dynamic DNS service like No-IP.
5     Uncomment if you have to use a proxy-server in order to get a connection. Set proxy address and port accordingly.
6     Send all traffic through the VPN tunnel.
7     Select the local port automatically.
8     Try to keep key data when the tunnel needs to be restarted.
9     Try to keep tun data when the tunnel needs to be restarted.
10    Only connect to the server if the certificate’s nsCertType field is set to “server”.
11    Use LZO compression.
12    Set verbosity (0 = no output, 9 = max output).
13    Don’t use a static IP address and port.
15    Filename of the Certificate-Authority’s public certificate.
16    Filename of your public client certificate.
17    Filename of your private key.
18    Filename of the TLS-Auth key. On the client a “1” has to be appended. (Optional line, see Step 6)

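A consistency check for a server/client config pair, added here as an example and not part of the original howto. It reads two config files in the one-directive-per-line form shown in Steps 7 and 8 and reports the mismatches that most often leave a tunnel failing to negotiate or carrying no traffic: different proto, a remote port that does not match the server port (acceptable only when the main router forwards a different port, see 9.2 and 9.3), tls-auth present on one side only or with the wrong direction numbers, comp-lzo on one side only, and a client config without “ns-cert-type server” (or the newer “remote-cert-tls server”). The sample configs it writes are copies of the page’s Step 7 and Step 8 configs; the script name and all file paths are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original howto: cross-check an OpenVPN
# server config against a client config for the mismatches that most
# often break the Step 7 / Step 8 pair. All file paths are placeholders.

# Value of the first occurrence of a directive (the word after it).
cfg_get() {  # cfg_get <file> <directive>
    awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

# Succeeds if the directive is present, optionally with the given value.
cfg_has() {  # cfg_has <file> <directive> [value]
    awk -v d="$2" -v v="$3" '$1 == d && (v == "" || $2 == v) { f = 1 } END { exit !f }' "$1"
}

# Prints one line per inconsistency and returns how many were found (0 = consistent).
check_pair() {  # check_pair <server.conf> <client.conf>
    s=$1; c=$2; n=0

    # Both sides must use the same transport (Step 7 line 6, Step 8 line 3).
    sp=$(cfg_get "$s" proto); cp=$(cfg_get "$c" proto)
    [ "$sp" = "$cp" ] || { echo "proto: server=$sp client=$cp"; n=$((n + 1)); }

    # The client's remote port must be the server's port unless the main
    # router forwards a different one (see 9.2 and 9.3).
    sport=$(cfg_get "$s" port)
    cport=$(awk '$1 == "remote" { print $3; exit }' "$c")
    [ "$sport" = "$cport" ] ||
        { echo "port: server listens on $sport, client connects to $cport (needs port forwarding)"; n=$((n + 1)); }

    # The static TLS-auth key (Step 6) is used on both sides or on neither,
    # with direction 0 on the server and 1 on the client.
    sdir=$(awk '$1 == "tls-auth" { print $3; exit }' "$s")
    cdir=$(awk '$1 == "tls-auth" { print $3; exit }' "$c")
    if cfg_has "$s" tls-auth || cfg_has "$c" tls-auth; then
        [ "$sdir" = 0 ] && [ "$cdir" = 1 ] ||
            { echo "tls-auth: server direction '$sdir', client '$cdir' (need 0 and 1)"; n=$((n + 1)); }
    fi

    # comp-lzo has to be set on both sides or on neither.
    if cfg_has "$s" comp-lzo; then a=yes; else a=no; fi
    if cfg_has "$c" comp-lzo; then b=yes; else b=no; fi
    [ "$a" = "$b" ] || { echo "comp-lzo: server=$a client=$b"; n=$((n + 1)); }

    # The client should insist on a server certificate; otherwise another
    # authenticated client could impersonate the server (see comment 2).
    cfg_has "$c" ns-cert-type server || cfg_has "$c" remote-cert-tls server ||
        { echo "client: neither 'ns-cert-type server' nor 'remote-cert-tls server'"; n=$((n + 1)); }

    return $n
}

# Writes the page's Step 7 server config and Step 8 client config into <dir>.
write_sample_configs() {  # write_sample_configs <dir>
    cat > "$1/server.conf" <<'EOF'
server 172.20.20.0 255.255.255.248
push "dhcp-option DNS 192.168.0.1"
dev tun0
proto tcp
port 443
keepalive 15 30
daemon
verb 0
mute 5
comp-lzo
duplicate-cn
tls-server
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
tls-auth /tmp/openvpn/ta.key 0
management localhost 14
EOF
    cat > "$1/client.conf" <<'EOF'
client
dev tun0
proto tcp
remote your.domain.com 443
# http-proxy 1.2.3.4 8080
redirect-gateway
nobind
persist-key
persist-tun
ns-cert-type server
comp-lzo
verb 3
float
ca ca.crt
cert client1.crt
key client1.key
tls-auth ta.key 1
EOF
}
# Usage: sh ovpn-lint.sh server.conf client.conf   (exit status = number of problems)
if [ $# -eq 2 ]; then
    check_pair "$1" "$2"
fi
```

The port check is deliberately a warning rather than a hard error: in the 9.2 and 9.3 setups the client connects to whatever port the main router forwards, which may differ from the port the server listens on.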

Step 9 – Iptables, Port Forwarding and Static Routes

In order to get the VPN working, the following two lines have to be added to DD-WRT’s iptables script (Administration –> Commands / Save Firewall). The first one is necessary to make the VPN server accessible by opening the corresponding port, and the second one forwards all traffic that comes from the VPN to your home network/internet.

iptables -I INPUT 1 -p tcp --dport 443 -j ACCEPT
iptables -I FORWARD 1 --source 172.20.20.0/29 -j ACCEPT

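The two rules have to use the same network as line 1 of the server config, and the /N in the FORWARD rule must match the netmask given there (255.255.255.248 is /29; as noted in the comments, a setup with 10 clients needs 255.255.255.240 and /28). The following POSIX shell script is an added example, not part of the original howto: it converts the netmask to a prefix length, reports the usable address count, checks that the VPN subnet does not overlap the LAN or WAN subnet (the note on line 1 of the Step 7 table), and prints the two Step 9 rules for that subnet and port. The LAN 192.168.0.0/24 and WAN 10.0.0.0/8 values in the demo call are constructed; nothing is applied to the router.

```shell
#!/bin/sh
# Added example, not part of the original howto: derive the values that
# Step 7 (line 1 of the server config) and Step 9 (the iptables rules)
# must agree on, and check the VPN subnet against LAN and WAN. Pure sh
# arithmetic; the printed rules are for Administration -> Commands.

# Dotted quad -> 32-bit integer.
ip2int() {  # ip2int <a.b.c.d>
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Dotted netmask -> prefix length, e.g. 255.255.255.248 -> 29.
mask2prefix() {  # mask2prefix <netmask>
    m=$(ip2int "$1"); p=0
    while [ "$m" -ne 0 ]; do
        m=$(( (m << 1) & 4294967295 )); p=$((p + 1))
    done
    echo "$p"
}

# Usable addresses as the page counts them: all hosts minus network and
# broadcast (the server itself then takes the first one, .1).
usable_hosts() {  # usable_hosts <prefix>
    echo $(( (1 << (32 - $1)) - 2 ))
}

# Succeeds if the two networks overlap (compared under the shorter mask).
overlaps() {  # overlaps <net1> <prefix1> <net2> <prefix2>
    p=$2
    if [ "$4" -lt "$p" ]; then p=$4; fi
    m=$(( (4294967295 << (32 - p)) & 4294967295 ))
    [ $(( $(ip2int "$1") & m )) -eq $(( $(ip2int "$3") & m )) ]
}

# Emit the Step 9 rules so the /N always matches the server config's netmask.
firewall_rules() {  # firewall_rules <port> <vpn-net> <vpn-mask>
    p=$(mask2prefix "$3")
    echo "iptables -I INPUT 1 -p tcp --dport $1 -j ACCEPT"
    echo "iptables -I FORWARD 1 --source $2/$p -j ACCEPT"
}

# Full plan for one setup; returns 1 if the VPN subnet collides with the
# LAN or WAN subnet, 0 otherwise.
plan() {  # plan <port> <vpn-net> <vpn-mask> <lan-net> <lan-mask> <wan-net> <wan-mask>
    vp=$(mask2prefix "$3")
    echo "server $2 $3   # /$vp, $(usable_hosts "$vp") usable addresses"
    rc=0
    if overlaps "$2" "$vp" "$4" "$(mask2prefix "$5")"; then
        echo "COLLISION: VPN subnet overlaps LAN $4/$5"; rc=1
    fi
    if overlaps "$2" "$vp" "$6" "$(mask2prefix "$7")"; then
        echo "COLLISION: VPN subnet overlaps WAN $6/$7"; rc=1
    fi
    firewall_rules "$1" "$2" "$3"
    return $rc
}

# Demo with constructed values: the page's VPN subnet and port against a
# 192.168.0.0/24 LAN and a 10.0.0.0/8 WAN (the 9.2 secondary-router case).
plan 443 172.20.20.0 255.255.255.248 192.168.0.0 255.255.255.0 10.0.0.0 255.0.0.0
```

Run it once with your own LAN and WAN values before pasting the rules into Save Firewall; a collision report means line 1 of the server config has to change, and the FORWARD rule with it.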
Depending on how your home network is set up, it might be necessary to configure port forwarding, static routing and DD-WRT’s operating mode. Below I will describe three possible set-ups:

9.1 DD-WRT as The Only Router

[Figure: dd-wrt_vpn_setup_1]

This is the easiest case because DD-WRT is the only router in your home network. Since DD-WRT directly provides the internet connection, it should operate in Gateway Mode (Setup –> Advanced Routing –> Operating Mode). Port Forwarding and Static Routing are not necessary. If Client B connects to the VPN, it should be able to access Client A and DD-WRT’s web interface on its local address. All internet traffic should go through the VPN.


9.2 DD-WRT as a Secondary Router

[Figure: dd-wrt_vpn_setup_2]

In this case there is another router in the home network providing the internet connection. DD-WRT is the second router and provides a separate network. DD-WRT should still operate in Gateway Mode (Setup –> Advanced Routing –> Operating Mode) because it indirectly provides an internet connection for its local 172 net through the WAN port. To reach the VPN server from the internet, port forwarding has to be configured on the Main Router. A Static Route (172.20.20.0 255.255.255.248 –> 192.168.0.2) should be added as well, otherwise the internet access in the VPN might not work. If Client C connects to the VPN, it should be able to access Client B and DD-WRT’s web interface on its local address. All internet traffic should go through the VPN.

9.3 DD-WRT as a Switch

[Figure: dd-wrt_vpn_setup_3]

Here we have DD-WRT operating as a switch that is connected to the main router, so DD-WRT’s WAN interface is disabled in this case. The WAN port can optionally be assigned to the switch (Setup –> Basic Setup). To reach the VPN server from the internet, port forwarding has to be configured on the Main Router. Since DD-WRT does not provide the internet connection, it should operate in Router Mode (Setup –> Advanced Routing –> Operating Mode), although it is technically connected as a switch. Now, client C will be able to connect to the VPN but it won’t be able to access the Main Router or the internet. To fix this, a Static Route (172.20.20.0 255.255.255.248 –> 192.168.0.2) for the VPN has to be added on the Main Router. Client C should be able to access everything on your home network and all internet traffic should go through the VPN.

Info on Static Routes

In my set-up the Main Router is a Fritz!Box and the corresponding menu for adding static routes looks like this:

[Figure: dd-wrt_vpn_setup_3_fritzbox]

You have to specify the VPN’s network address and subnet mask (see line 1 of the server config in Step 7) and have this routed to DD-WRT’s WAN address (or LAN address if the WAN interface is disabled). If your Main Router does not support configuring Static Routes, you might not be able to get the VPN connection working.


Step 10 – Put Everything Into Operation

Open your DD-WRT configuration, go to [Services] –> [VPN] and configure it as follows:

  • PPTP Server = Disable
  • PPTP Client Options = Disable
  • OpenVPN = Enable (in older releases: Start OpenVPN Daemon = Enable)
  • Start Type = WAN Up
  • Config as = Daemon (if you select “Server”, the server configuration can be created using the GUI. You don’t need the config file from Step 7 in that case.)
  • Start OpenVPN Client = Disable

Then copy the contents of the files in “easy-rsa\keys” into the appropriate fields:

Field –> File

  • CA Cert –> ca.crt
  • Public Server Cert (called Public Client Cert in older releases) –> server.crt (only the part starting at -----BEGIN CERTIFICATE-----)
  • Private Server Key (called Private Client Key in older releases) –> server.key
  • DH PEM –> dh{n}.pem
  • Additional Config (called OpenVPN Config in older releases) –> the server config from Step 7
  • TLS Auth Key (called OpenVPN TLS Auth in older releases) –> ta.key (optional, see Step 6)
  • Certificate Revoke List –> (leave empty)

Finally copy the files “ca.crt”, “client1.crt”, “client1.key” and (optionally) “ta.key” to the client computer that is supposed to use the VPN tunnel. If it is a Windows machine you can use OpenVPN; on MacOS you can use Tunnelblick instead. As for Linux, I do not have any experience with VPNs. Then you just have to load the client config (Step 8) and you’re ready to go.

As a last step I would recommend you to delete the “easy-rsa\keys” folder to achieve maximum security. Or you could add the files to a password-protected zip-archive and put this one away.


Troubleshooting

If the VPN does not work as expected, finding the error can be frustrating. Here are some notes that might help:

  • The date and time settings must be correct on both systems, the computer you create the certificates on and the OpenVPN server (DD-WRT). Otherwise the connection might fail because the certificates are not considered valid.
  • Use “netstat -ntl” to find out if (and on what port) the server is listening.
  • Use “iptables -nL INPUT” and “iptables -nL FORWARD” to verify the firewall/iptables config.
  • Increase the verbosity (“verb” parameter in the OpenVPN config files) and check the logs (server and client) for any hints.
  • Temporarily disable all firewalls (SPI on DD-WRT, Main Router, Windows, …) to find out if the connection problem is firewall-related.
  • If you can connect to the VPN but have no internet access, check your static route on the main router (see 9.2 and 9.3).
  • If you can’t access the internet from within the VPN, use IP addresses instead of DNS names to find out if the problem is DNS-related.
  • Have a look at your client’s routing table (netstat -nr).

54 Comments

  1. Hi there

    Step 4 is wrong, it should be:

    “build-key-server.bat” instead of “build-key.bat”

    But the rest seems to be fine, thanks.

  2. Thanks for your comment, John. You are right, I made a mistake there — in step 3, though. It’s corrected now 🙂

    Using build-key.bat would also work but only if “ns-cert-type server” (–> forcing the client to verify that the machine it is connecting to uses a server certificate) is removed from the client config. This however might be a security risk because it could allow another authenticated client to perform a mitm attack and impersonate the server (especially if client-to-client communication is enabled in the server config). So using build-key-server.bat is definitely the better option.

  3. Hello, I’m not familiar with openvpn, can you give me some advice on:

    1)I need 10 clients cert. When generating TLS-Auth Key, do I need to generate 10 TLS key using the same name as the generated client cert for the TLS key? i.e, not only ta.key

    2)In client config, any things I need to change per client config? Or, all client config keep “tls-auth ta.key 1” is fine?

  4. Hi Gary, ok let’s see:

    1) The TLS-Auth key in this case is static. If you decide to use it, you have to generate the key once (–> ta.key) and give this same key to every client. If you don’t want to use this optional key, you can remove the tls-auth line from both configs and just use the client certs for authentication.

    2) The client config is the same for each client and “tls-auth ta.key 1” should be fine for every client config. Only in the cert and key lines you have to adjust the names.

  5. dear admin, thank you for your promptly reply. Let me have a try.

  6. hello, I finally made it without using TLS-Auth; it doesn’t work for me. And I needed to regenerate the client cert using “build-key.bat client1”, otherwise the connection can’t be made.

    I can access my internal host, but can’t access internet. What route I need to add it for internet access?

    Thanks for your advice.

  7. It should work without adding any routes. I only added the two iptables lines from step 9 to the dd-wrt firewall script (–> Administration –> Commands –> Save Firewall). That, in combination with ‘redirect-gateway’ in the client config, should give you internet access.

    Two questions:

    1) Do you have any proxy-servers involved?
    2) Do you have your subnet masks configured correctly? Since you need 10 clients, you must use 255.255.255.240 in your server config and /28 in your iptables script.

  8. Hello,

    1) I don’t have any proxy-servers,
    2) During the first client test, which succeeded, I kept the original subnet, i.e. not /28. Just can’t access the internet. The client cert is generated by build-key.bat.

    btw, fyi, if I used the cert generated by the command build-key-server.bat client, connection not success. No error shown but it keeps restart and negotiation again and again without assign the client IP.

  9. Hello,

    1) I didn’t use any proxy-server there.
    2) During the first trial, the original subnet mask was used, /29, and the client cert was generated by build-key.bat instead of build-key-server.bat. Don’t know why it does work for me. However, it can start the key negotiation but the server doesn’t assign an IP to the client. It just keeps restarting the negotiation process.

  10. The client certificates definitely have to be created by using build-key.bat. build-key-server.bat is for the server certificate only.

    I have no idea why you can access your other computers but not the internet. Do you run the OpenVPN software with administrative privileges? It needs to set some temporary routes which fails when it is run as a user. Or maybe it is a DNS-related problem. Try opening a website by using its ip address.

  11. Hello,

    You’re right, only client cert gen by build-key.bat and server cert gen by build-key-server.bat works.

    And I found the root cause: once I removed “redirect-gateway” from the client config, I can access the internet. However, the internet traffic is not tunneled via my OpenVPN server. That is not really what I want.

    Also, I add below lines into server config while other not touched, but still doesn’t up.

    push "redirect-gateway def1"
    push "dhcp-option DNS xx.xx.xx.xx"
    # using DNS IP from my ISP
    iptables -t nat -A POSTROUTING -s 172.20.20.0/29 -o eth0 -j MASQUERADE

    Btw, below lines should put in dd-wrt firewall config,right?

    iptables -I INPUT 1 -p tcp --dport 443 -j ACCEPT
    iptables -I FORWARD 2 --source 172.17.20.20/29 -j ACCEPT

    I changed to “iptables -I FORWARD 1 --source 172.20.20.0/29 -j ACCEPT”

    Anything I did wrong there?

  12. Exactly, if you remove “redirect-gateway” you will browse over the insecure connection and not over your VPN.

    Hmm, I’m not sure if those extra “push”-lines are necessary; gateway and dns configuration should run automatically. Do you have that “iptables -t nat …” placed in your server config? That wouldn’t be correct.

    And yes, the other two lines (from step 9) have to be put into the dd-wrt firewall config. Changing the numbers shouldn’t be a problem.

  13. @Gary: I recently re-configured my home network and after that I experienced the exact same problem that you described. I started to research again and found a solution. Maybe this will fix your problem as well. To address the issue I have extended Step 9 of this howto.

  14. Hi, I got a problem with my OpenVPN server on DD-WRT. Following your guide, I have successfully created certificates and keys. I manage to connect my Android phone to the OpenVPN server through OpenVPN Connect. However, I receive no data from the server. eg. Sent: 26286bytes/377 packets Received: 0bytes/0packets

    I am using DD-WRT v24-sp2 (05/27/13) big on Linksys E1200 v2.

    This router is behind a main router, similar to your 9.2 scenario.
    WAN IP: 192.168.18.4/24
    LAN IP: 172.16.0.1/24
    VPN IP: 172.20.20.0/29

    I managed to do port forwarding from main router. The main router shouldn’t be blocking in/out traffic as I’m able to get authentication done and get connected.

    Could you advise me on the config?

    ——
    Server Config:

    server 172.20.20.0 255.255.255.248

    dev tun0
    proto tcp
    port 1194
    keepalive 15 60

    daemon
    verb 0
    mute 5
    comp-lzo
    duplicate-cn

    persist-key
    persist-tun

    dh /tmp/openvpn/dh.pem
    ca /tmp/openvpn/ca.crt
    cert /tmp/openvpn/cert.pem
    key /tmp/openvpn/key.pem

    management localhost 5001

    ——

    Client Config

    client
    dev tun0
    proto tcp
    remote kiantek.dlinkddns.com 8520
    redirect-gateway
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ns-cert-type server
    comp-lzo
    verb 3
    float

    ca ca.crt
    cert admin-pc.crt
    key admin-pc.key

    ——

    Firewall IP Tables:

    # Opens firewall for incoming port 1194
    iptables -I INPUT 1 -p tcp --dport 1194 -j ACCEPT

    # Allows connection from local VPN to the Internet
    iptables -I FORWARD 1 --source 172.20.20.0/29 -j ACCEPT

    # Allows connection between the local network and local VPN
    iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
    iptables -I FORWARD -i tun0 -o br0 -j ACCEPT

    ——

    I have been trying this for 2 nights without success. I really hope you could help me!!

  15. Additional Information:

    I managed to ping my Android phone from DD-WRT (OpenVPN Server) -> Command Shell. On the phone, the received bytes increased from 0 to 3 packets.

    PING 172.20.20.6 (172.20.20.6): 56 data bytes
    64 bytes from 172.20.20.6: seq=0 ttl=64 time=857.046 ms
    64 bytes from 172.20.20.6: seq=1 ttl=64 time=612.858 ms
    64 bytes from 172.20.20.6: seq=2 ttl=64 time=816.526 ms
    — 172.20.20.6 ping statistics —
    3 packets transmitted, 3 packets received, 0% packet loss
    round-trip min/avg/max = 612.858/762.143/857.046 ms

    But I couldn’t surf net or launch the router GUI (172.16.0.1 or 172.20.20.1). I couldn’t ping router (server) from the Android phone (client) also.

    Please help.

  16. Hi KT,

    your config looks perfectly fine to me. Since you can successfully authenticate and connect to the VPN, I don’t think that the server or client config is the problem. Port forwarding from 8520 to 1194 is also working.

    The problem is probably firewall- or routing-related, but your iptables looks good as well. I’m not quite sure about those last two lines (br0 <> tun0), though. They make sense, but I’d try removing them and see if it changes anything.

    Also, I’d suggest to temporarily disable any active firewalls on the main router.

  17. Thanks for your timely reply.

    I have commented the last 2 lines in iptables. But still couldn’t get internet access after connect to OpenVPN server.

    For firewall, I have tried:
    (1) disable main router firewall + disable DD-WRT router firewall
    (2) enable main router firewall but set ip of DD-WRT into DMZ + disable DD-WRT router firewall
    (3) enable main router firewall but set ip of DD-WRT into DMZ + enable DD-WRT router firewall with default settings

    But still no luck in getting it done. =(

    Well, is there any additional command needed for “redirect-gateway”?

    I also tried adding “push "dhcp-option DNS 8.8.8.8"” in the server config, but it made no improvement.

  18. Hmm, I’d expect that to work. As far as I know there isn’t any additional command needed for redirect-gateway. I just tried the OpenVPN app on my old Galaxy S1 and both worked, accessing the internet and accessing the DD-WRT GUI on its local address.

    Have you rebooted DD-WRT after making changes to the firewall?

    Check if the firewall config has been applied correctly with the following commands (I’ll paste my results below):

    iptables -nL INPUT
    >> ACCEPT 0 -- 0.0.0.0/0 0.0.0.0/0
    >> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443

    iptables -nL FORWARD
    >> ACCEPT 0 -- 172.20.20.0/29 0.0.0.0/0

    Is your DD-WRT operating in Gateway Mode?

    Try adding the following static route to your main router:

    Network = 172.20.20.0 /and/ Subnet = 255.255.255.248 /to/ Gateway = 192.168.18.4

  19. I have installed the DD-WRT release that you use and recreated your scenario. My Android device connected to the VPN successfully, but it couldn’t access the internet. It could however ping the DD-WRT router. Then I added the static route (172.20.20.0 255.255.255.248 –> 192.168.18.4) to my main router and now the Android device can access the internet as well.

    So adding the static route seems to be obligatory. I have no idea how it worked when I ran this same scenario some time ago without configuring any static routes. I had an ancient D-Link box as the main router at that time. Well, I’ll probably never find out, so I’ll just keep in mind to add static routes.

    I have updated the article accordingly.

  20. Finally……. I got the internet up on my Android phone!!

    Thanks man. You are great! Really thankful for your effort spent on troubleshooting the static route.

    My DD-WRT is in gateway mode and the iptables are set up alike. Following your advice, I have tweaked the configuration of my main router. Well, the main router provides no direct access to static routes, but it does provide a special function called “Supplementary Network”. I tried 172.16.0.0/24 with both DD-WRT DHCP and the VPN clients under the same subnet and everything works!
    i.e. DHCP from 172.16.0.100 onwards and VPN between 172.16.0.0 and 172.16.0.15

    However, I still got two more issues:
    (1) Second clients failed to connect with IFCONFIG error. I then expand the 172.16.0.0/29 to 172.16.0.0/28 and able to connect two clients concurrently. But I wonder why 172.16.0.0/29 couldn’t support up to 6 devices (or at least 2).

    (2) In DD-WRT iptables, all traffic from 172.16.0.0/28 are forwarded to Main router. So, from Android phone, I can access Main router and 192.168.1.0/24 subnet, but I have no access to DD-WRT router and 172.16.0.0/24 subnet. I have failed with attempt to remove “redirect gateway” with addition of “route remote_host 255.255.255.255 net_gateway” and “route 172.16.0.0 255.255.255.0 172.16.0.1”. Alternatively, could any command be used in DD-WRT iptables?

    By the way, I have added def1 flag following client config “redirect-gateway”. OpenVPN website mentioned “add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway. Using the def1 flag is highly recommended, and is currently planned to become the default by OpenVPN 2.1”.

  21. (1) That’s weird. /29 provides 6 usable ip addresses. One of these is used by the server itself and one or two for something else (I’m not sure what that is, maybe some kind of virtual gateways). As for my understanding, at least 3 clients should be able to connect, but I could be wrong.

    (2) No idea, sry. I don’t know how this supplementary network option works. But is it possible that you have an address conflict, i.e. VPN server and physical DD-WRT interface both using 172.16.0.1?

  22. (1) I think alike. /29 should give 8 addresses i.e. 0-7. 0 is unusable, 1 is VPN server and we should have 6 usable addresses. I also notice 2 is used up for VPN functions, so I would expect 5 usable address. But anyway, problem solved when I change /29 to /28.

    (2) No worries. That’s not critical as my existing LAN are connected to main router. I will do more read up on this aspect. I guess some works are needed for DD-WRT firewall settings.

    I have set DD-WRT router IP to 192.16.0.16 so it won’t conflict with VPN server 192.16.0.1. The /28 limit VPN client to 192.16.0.15, so client IP shouldn’t crash with router IP. Then, for LAN, DHCP start from IP 192.16.0.100.

    Feel so good with OpenVPN now. Thanks for your help.

  23. No problem, I’m glad you got it up and running.

  24. Hello,
    I need a little bit of help with my DDWRT VPN setup, please.
    I am running an OpenVPN server on a Linksys WRT54GL with DD-WRT v24-sp2 vpn firmware.

    The connection works fine, with only one issue. The client’s traffic is not routed through the VPN. Any ideas?

    Below you can see my Server and Client configs

    Server:

    mode server
    dev tap0
    proto tcp
    port 1194
    keepalive 10 30
    daemon
    server-bridge 192.168.2.2 255.255.255.0 192.168.2.200 192.168.2.249
    push "redirect-gateway def1"
    push "dhcp-option DNS 192.168.2.1"
    verb 5
    client-to-client
    dh /tmp/openvpn/dh.pem
    ca /tmp/openvpn/ca.crt
    cert /tmp/openvpn/cert.pem
    key /tmp/openvpn/key.pem
    management localhost 5001

    Server startup command:

    openvpn --mktun --dev tap0
    brctl addif br0 tap0
    ifconfig tap0 0.0.0.0 promisc up

    Server firewall command:

    iptables -A INPUT -i tap0 -j ACCEPT
    iptables -I INPUT -p tcp --dport 1194 -j ACCEPT

    Client:

    remote xxx.xxx.xxx.xxx 1194
    client
    dev tap0
    proto tcp
    nobind
    route-method exe
    route-delay 2
    persist-key
    persist-tun
    float
    ca ca.crt
    cert client1.crt
    key client1.key
    pull "redirect-gateway def1"
    pull "dhcp-option DNS 192.168.2.1"
    ns-cert-type server
    resolv-retry infinite
    keepalive 10 30

  25. Hi, unfortunately I don’t have any experience with bridge-mode VPNs, but I noticed three things I’m not quite sure about. First one would be the push “redirect-gateway def1” option in the server config, I don’t know if this is needed in a bridged scenario. Second one is the first iptables rule, it might have to be FORWARD instead of INPUT. And lastly: I’m not sure if the pull commands in the client config are correct. I think it should just be “pull” or the corresponding options directly. So I would try to play around with these options. But this is really just guessing. I don’t quite understand what the first value behind the server-bridge option does. According to the documentation it is the gateway address. Will this establish a virtual gateway or is this the existing gateway of the bridged subnet? Independently from that, this address seems to be pushed to the client as “route-gateway”.

  26. hey, can you help me get this set up? i’ve got a bit of a different setup but i’m in a similar boat to the person above, where i have dd-wrt as my router behind another router (fios actiontec), and i can connect to the vpn and connect to my machines behind it – this is what i primarily use it for, to rdp into my windows machines – but i have no internet. the only client i’ve tested with so far is my android phone…let me know if you need any additional info from me, i’m completely stumped.

    i tried to follow the logic of adding a route to the main router (the actiontec?) to get internet access on the clients, but i must be doing something wrong because i just haven’t been able to get it working and i’m getting so frustrated i’m ready to break something.

    my dd-wrt router subnet is 192.168.88.xxx
    openvpn subnet is 192.168.77.xxx

    actiontec router hands out IPs 192.168.11.xxx
    dd-wrt is in the DMZ of the actiontec and has static IP 192.168.11.10

    server config

    push “route 192.168.88.0 255.255.255.0”

    push “dhcp-option DNS 8.8.8.8”
    push “dhcp-option DNS 8.8.4.4”

    server 192.168.77.0 255.255.255.0

    dev tun0
    proto udp
    keepalive 10 120
    script-security 3 system

    dh /tmp/openvpn/dh.pem
    ca /tmp/openvpn/ca.crt
    cert /tmp/openvpn/cert.pem
    key /tmp/openvpn/key.pem

    # Only use crl-verify if you are using the revoke list – otherwise leave it commented out
    # crl-verify /tmp/openvpn/ca.crl

    # management parameter allows DD-WRT's OpenVPN Status web page to access the server's management port
    # port must be 16 for scripts embedded in firmware to work
    management localhost 16

    client config

    remote xxx.xxx.xxx.xxx 1194

    client
    remote-cert-tls server
    dev tun0
    proto udp
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    float

    script-security 3 system
    redirect-gateway

    #If the pushed routes appear not to be added on windows hosts, add the following:
    route-delay 30

    ca ca.crt
    cert client1.crt
    key client1.key

  27. Hey,

    except for one thing, everything you wrote looks good to me. As always, I’m not quite sure about the push route command. I don’t have that in my config and still everything works just fine. This is an extract of my client’s routing table after connecting to the VPN:

    Destination Gateway
    default 172.20.20.5
    172.20.20.1/32 172.20.20.5
    172.20.20.5 172.20.20.6

    So the default route is changed to 172.20.20.5 and I have no idea what that is. I also don’t know what 172.20.20.6 is. But… it does work 😀

    I’d recommend to have a look at your client’s routing table. Also, try removing the push route command from the server config and see how it affects the routing table.

    And can you tell me what the static route entry looks like that you added to your Actiontec router?

  28. the push route was added based on the 9 billion or so “tutorials” that are scattered throughout the interwebs…i’ll try removing it and see if that helps, but at this point i’m so frustrated i have no idea where else to go.

    here’s the routing table on my phone (i’m connected to the wifi on the actiontec, cell service at home is kinda crappy so it’s hard for me to just jump off wifi to test):

    default via 192.168.11.1 dev wlan0
    default via 192.168.11.1 dev wlan0 metric 325
    192.168.11.0/24 dev wlan0 scope link
    192.168.11.0/24 dev wlan0 proto kernel scope link src 192.168.11.153 metric 325
    192.168.11.1 dev wlan0 scope link
    192.168.77.4/30 dev tun0 proto kernel scope link src 192.168.77.6

    that is without the static route added to the actiontec. the route i added to the actiontec was…

    destination: 192.168.77.0
    subnet: 255.255.255.0
    gateway: 192.168.11.10
    metric: 0

    although, interestingly adding this route doesn’t appear to change the routing table (not sure if it’s supposed to at this point, my brain is fried and networking isn’t my strong suit to begin with…i’m a programmer).

    the static route page on the actiontec only allows entering the route this way, not in CIDR…

  29. i can say for sure it definitely appears to be a routing issue somewhere. i turned the firewall completely off on the actiontec, and still no internet access on the android phone. this is so incredibly frustrating…everything else works, except internet.

  30. ok, getting closer…now the android client has internet and can see the computers on the home network. but, i still can’t get to the router web config for the dd-wrt router. 192.168.88.1, 192.168.77.1, and 192.168.11.10 all time out…i can see the actiontec router via 192.168.11.1 when on the vpn.

    here’s the routing table from the actiontec (xxx.xxx.xxx.xxx is my public IP):

    Source Destination Gateway Flags DSCP Metric Interface
    0.0.0.0/0 192.168.77.0/24 192.168.11.10 UG 0 3 br0
    0.0.0.0/0 192.168.77.0/24 * U 0 4 br0
    0.0.0.0/0 xxx.xxx.xxx.xxx/24 * U 0 3 eth1
    0.0.0.0/0 192.168.11.0/24 * U 0 4 br0
    0.0.0.0/0 192.168.88.0/24 192.168.11.10 UG 0 3 br0
    0.0.0.0/0 192.168.88.0/24 * U 0 4 br0
    0.0.0.0/0 0.0.0.0/0 xxx.xxx.xxx.xxx UG 0 3 eth1

    also, another question for another day, but anything connected to the actiontec still can’t see anything connected to the dd-wrt router…that’s actually how i want it at the moment actually, but is there a route i can add that would allow that to happen?

  31. sorry to be taking over your comments section, but it seems this still works even if i remove the 192.168.88.xxx routes from the actiontec…but, still can’t see the dd-wrt web interface from the vpn. i’d really rather be able to do that if possible…

    everything else seems to work now though…i’ll do some testing this afternoon when i’m out to see if i can get into the network and still see everything.

  32. …and back to square one. apparently, verizon is blocking ovpn and the entire LTE connection drops every few seconds when connected (although it works otherwise, the connection as a whole is unusable since it keeps dropping).

    OTOH, i can’t get my macbook pro using viscosity to do anything right now. it connects, but can’t see any of the computers on the network and has no internet…FML.

    any ideas?

  33. Hmm, the routing table from your phone looks weird to me as I would have expected the default route to be something else and not the Actiontec’s address.

    The static route you added to the Actiontec router (destination: 192.168.77.0, subnet: 255.255.255.0, gateway: 192.168.11.10) looks right, I’d keep that added. But I’d remove that push “route 192.168.88.0 255.255.255.0” from the VPN server config.

    How did you manage to get internet on your phone as mentioned three posts above? And as for your question for another day: that is possible. You can either add a corresponding route on each client of the Actiontec network or add one on the Actiontec router. Also, you’ll have to add an iptables rule on DD-WRT.

    It is strange that you can’t at least access the DD-WRT GUI. That should work from one of its two addresses – I’m not sure from which, though. If you try to access it on its WAN address (192.168.11.10) I think you must have enabled “Web GUI Management” under “Administration –> Management”.

    What iptables rules have you added to the DD-WRT firewall? And what does the routing table of the Macbook look like when you’re connected (netstat -nr)?

  34. My setup is as follows:

    Internet =>
    Cable Modem (Nat off) =>
    Router (WNDR3700v1 ) with DD-WRT (v24-sp2 (04/18/14) std 23919) & OpenVPN daemon =>
    Lan Wired & Wireless Clients

    Lan network is 192.168.1.0/24
    OpenVPN network is 10.8.0.0/29
    No ports forwarded, Router access via web is on, remote access is off
    Router is in Gateway mode

    From outside the network, I can connect to clients on the Lan via VPN and browse internet. All good except:

    I cannot ping the dd-wrt router /see the interface – Can you see from below what I need to do to enable access to the router 192.168.1.1?

    Settings are as follows:

    OpenVPN Config
    *****************

    push “dhcp-option DNS 8.8.8.8”
    server 10.8.0.0 255.255.255.248

    dev tun0
    proto tcp
    keepalive 10 120
    duplicate-cn
    verb 0
    mute 5
    dh /tmp/openvpn/dh.pem
    ca /tmp/openvpn/ca.crt
    cert /tmp/openvpn/cert.pem
    key /tmp/openvpn/key.pem

    management localhost 14

    Firewall
    *****************
    iptables -I INPUT 1 -p tcp --dport 1194 -j ACCEPT
    iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT
    iptables -I FORWARD 1 --source 10.8.0.0/29 -j ACCEPT

    Client Config
    *****************
    client
    remote-cert-tls server
    dev tun0
    proto tcp
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    redirect-gateway
    float
    route-delay 30
    ca ca.crt
    cert client1.crt
    key client1.key

  35. I have tried a lot of different configurations for setting up openvpn on my dd-wrt home router and all failed miserably. I did one more Google search and came upon your tutorial. I didn’t have much hope at this point but decided to give it one more shot. And WOW it finally worked. I noticed one critical step that all the others failed to mention, “TLS”; this actually is a vital and important step as it adds another layer of security and handshake to the connecting client. I suggest others follow this tutorial step by step, and not leave out the “TLS” key.

  36. Andrew, I notice in your client config 1. you have no “remote xxx.xxx.xxx.xxx 1194”, which tells the client config where to connect. 2. I suggest taking out the “float” statement and the “redirect-gateway” statement from your client config as well. These statements cause problems on windows tap; I am assuming you are using windows. 3. I also suggest taking out “iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT” from your firewall commands, as your server config and your client config are using tcp. 4. I noticed also in your client config “remote-cert-tls server”; this statement is flat wrong. These configs didn’t come from the original tutorial, it looks as if you jumbled up different configs from around the net and screwed up. Please start back over and follow along with the tutorial posted on this page.

  37. Proper Windows 7 – OpenVPN – DD-WRT setup

    (DD-WRT) Server Config

    server 172.20.20.0 255.255.255.248
    push "dhcp-option DNS 192.168.0.1"
    push "dhcp-option DNS 8.8.8.8"
    push "dhcp-option DNS 8.8.4.4"
    dev tun0
    proto tcp
    port 443
    keepalive 15 30

    daemon
    verb 0
    mute 5
    comp-lzo
    duplicate-cn
    tls-server

    dh /tmp/openvpn/dh.pem
    ca /tmp/openvpn/ca.crt
    cert /tmp/openvpn/cert.pem
    key /tmp/openvpn/key.pem
    tls-auth /tmp/openvpn/ta.key 0

    management localhost 14

    Client Config

    client
    dev tun0
    proto tcp
    port 443
    remote xxx.xxx.xxx.xxx 443
    remote xxx.xxx.xxx.xxx 443
    nobind
    persist-key
    persist-tun
    ns-cert-type server
    comp-lzo
    verb 3
    ca ca.crt
    cert client1.crt
    key client1.key
    tls-auth ta.key 1

    DD-wrt Firewall

    iptables -I INPUT 1 -p tcp --dport 443 -j ACCEPT
    iptables -I FORWARD 1 --source 172.20.20.0/29 -j ACCEPT

    Cell Phone’s & Tablets
    Create a chained PKCS12 with the ca and client cert then import your pkcs12 into your cell or tablet.
    Client Config for cell or tablet

    client
    dev tun0
    proto tcp
    port 443
    remote xxx.xxx.xxx.xxx 443
    remote xxx.xxx.xxx.xxx 443
    nobind
    persist-key
    persist-tun
    ns-cert-type server
    comp-lzo
    verb 3
    key-direction 1
    <tls-auth>
    #
    # 2048 bit OpenVPN static key
    #
    -----BEGIN OpenVPN Static key V1-----
    Your tls key goes here!
    -----END OpenVPN Static key V1-----
    </tls-auth>

    I don’t know why any one would not be using a vpn! Americans have become lazy with internet security and this fact has allowed us to be simple / easy targets. Let’s all work together and do our part and tighten up! Security breaches aren’t going away, in fact they will get worse.

  38. Hi,
    Your post was a great help.
    However in the log I see the following error using (DD-WRT v24SP2- (06/12/14) std)
    on a Buffalo router.

    Server:
    =============
    CONNECTED: SUCCESS Local Address: 172.20.20.1 Remote Address:
    Client: : Local Address: Remote Address

    Log
    =============
    20150731 11:55:19 W NOTE: starting with OpenVPN 2.1 '--script-security 2' or higher is required to call user-defined scripts or executables
    20150731 11:55:19 W WARNING: External program may not be called
    unless '--script-security 2' or higher is enabled.
    See --help text or man page for detailed info.

    20150731 11:55:19 W WARNING: Failed running command (--route-up):
    external program fork failed

    dh /tmp/openvpn/dh.pem
    ca /tmp/openvpn/ca.crt
    cert /tmp/openvpn/cert.pem
    key /tmp/openvpn/key.pem
    server 172.20.20.0 255.255.255.248
    push "dhcp-option DNS 192.168.0.1"
    dev tun0
    proto tcp
    port 443
    keepalive 15 30
    daemon
    verb 0
    mute 5
    comp-lzo
    duplicate-cn
    tls-server
    dh /tmp/openvpn/dh.pem
    ca /tmp/openvpn/ca.crt
    cert /tmp/openvpn/cert.pem
    key /tmp/openvpn/key.pem
    management localhost 14

    Clientlog

    Any thoughts? Appreciate your help.

    Thanks

    BP

  39. To suppress this message:

    script-security 3

    Place this code in your client config and try to connect again, also reboot your dd-wrt router. Also double check your certs and spacing, i.e. no extra characters and excessive spacing.

  40. Be specific Mike in your feedback, not all understand the wide world of the net! Or know how to google for answers.
    Better yet:

    --script-security 2 system

    Add this code above to your dd-wrt server config, and add the code below to your client config.

    script-security 2 system

    --script-security level [method]

    This directive offers policy-level control over OpenVPN’s usage of external programs and scripts. Lower level values are more restrictive, higher values are more permissive. Settings for level:

    0 — Strictly no calling of external programs.
    1 — (Default) Only call built-in executables such as ifconfig, ip, route, or netsh.
    2 — Allow calling of built-in executables and user-defined scripts.
    3 — Allow passwords to be passed to scripts via environmental variables (potentially unsafe).

    The method parameter indicates how OpenVPN should call external commands and scripts. Settings for method:

    execve — (default) Use execve() function on Unix family OSes and CreateProcess() on Windows.
    system — Use system() function (deprecated and less safe since the external program command line is subject to shell expansion).

    The --script-security option was introduced in OpenVPN 2.1_rc9. For configuration file compatibility with previous OpenVPN versions, use: --script-security 3 system

    I am assuming you are using windows.

  41. I have been trying to set up a VPN using a DD-WRT so that my daughter can connect to my server over OpenVPN with both her laptop and a VoIP SIP ATA so that she can connect direct into my PBX.

    What I don’t understand about your configuration is it looks like although you have the client certs in the DD-WRT OpenVPN client config, her Windows Laptop also needs a client config, is this correct?

    Because if that is the case, then her SIP ATA will not be able to use the VPN because you cannot have any client config set within the ATA settings. Is it not the case that you set the DD-WRT to be the client of the OpenVPN Server and that all other network clients can just be routed to use the DD-WRT as their router which is then routed over her main Internet Router?

    Your feedback would be greatly appreciated.

  42. Hello Les,

    the client config contains the name of the associated client certificate (and private key), but neither the client config nor the client cert/key is stored on the DD-WRT machine. All these files have to be stored on the client (in your case the Windows laptop and the VoIP box). In my configuration described here, the DD-WRT machine does not act as a client. It acts as a VPN server and would have to be located at your house, not at your daughter’s. She would then connect to your DD-WRT machine to gain access to your network.

    The VPN type described here is “end-to-site” which basically means that each client (end) connects to a VPN server (site) with its own connection and configuration. If the VoIP box doesn’t support OpenVPN then this will not work. In that case you would probably need a VPN in “site-to-site” mode with a VPN gateway on both sites. I think a particular configuration of the clients is not necessary in this mode because the two gateways do all the work. But I’m afraid I can’t help with that, because I don’t have any experience with this kind of set-up.

  43. Hi. I have obviously missed the core point here then and have so started researching WWW for your suggestion. I have found the following site http://wadihzaatar.com/?p=11 and so will start to look into testing their suggested setup.
    Thanks, Les

  44. That could be the solution, looks like a good guide.

  45. ***WARNING***
    USING TCP PLACES YOUR PC AND DATA IN EXTREME DANGER, IF YOU ARE USING TCP I SUGGEST YOU CHANGE IT NOW TO UDP. ***WHY*** THE USE OF TCP DOES NOT STEALTH THE OPEN PORT.

    ANY HACK CAN ACCESS THESE OPEN TCP PORTS.

  46. @Mr. Robot: UDP isn’t more secure than TCP in that matter. An open port – whether it is TCP or UDP – remains an open port, thus it can be found by portscanners and used by exploits. There is not much you can do about it. If you want to “stealth” your system, you need to configure your firewall to drop all packets except the ones from specific hosts – which however isn’t practicable for a VPN scenario.

  47. Admin,
    I do understand your point, however when running a port scanner on an IP which has an open TCP port the scanner sees it as open and not stealth. So this is where I would focus my attack. On the other hand while using UDP on the same IP, the port scanner sees the open UDP port as stealth. More than likely the attacker will move on to an easier target.

    My point only being UDP is going to be more secure for the public! I should have been more clear.

    Open minds and open dialog always leads to solutions!

  48. Now I see your point. Since UDP is a connection-less protocol, you don’t get any acknowledgments which makes it harder to probe. Ports “could be” open if no ICMP error message was received. However, the error message could have gotten lost or dropped by a firewall. So it is in fact harder to tell if a UDP port is really open. To detect this for sure, more sophisticated tools – which try to communicate with the assumed service – are necessary.

    On the other hand, though: using TCP, you can tell pretty much for sure if a port is open, but you can’t tell for sure what’s running on it. To figure that out, you need more sophisticated tools as well.

  49. Hi, first of all thanks for this great tutorial!
    I’ve got everything almost working 🙂 up to the point that I can’t access the router itself. I’m able to connect to other machines on the LAN via the VPN though, using tracert and/or ping.

    So I’m guessing the firewall is blocking the traffic. I’ve added both your example firewall lines and some more to enable internet via the VPN (192.168.66.0/24):

    iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT
    iptables -I FORWARD 1 --source 192.168.66.0/24 -j ACCEPT
    iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
    iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
    iptables -t nat -A POSTROUTING -s 192.168.66.0/24 -j MASQUERADE

    Would you happen to know what to add to the firewall so I can connect to the router’s UI (via https)?

  50. Hi,

    sry mate, I don’t have an idea. I only use the two iptables lines from the tutorial and the web interface is accessible on its local ip address for me. I’m no iptables expert, but I think line 2 should make this possible. Not sure if lines 3-5 are necessary – don’t you have internet access without those??

  51. Hi,

    Thank you for your amazing and such detailed post. I have followed this post for most of my setup, however I still have couple of small issues and hope that maybe you’re not too tired of all requests here 🙂

    I’ve got network setup #2 (cable modem/router -> DD-WRT router). I cannot setup static routes on my cable modem. But surprisingly it still works. Mostly.

    My Android phone connects to my VPN, I can ping other machines on the local network (e.g. 192.168.1.10). However the phone does not see 192.168.1.1 (my DD-WRT router’s LAN IP) nor 172.20.20.1 (VPN IP) – I cannot ping those IPs from the phone. I can, however, ping the phone from my router (either from Web UI or from SSH session).

    Considering how DNS is configured to be 192.168.1.1 (with push “dhcp-option DNS 192.168.1.1”) I am unable to resolve anything, however accessing websites by IP works. Once I’ve changed my config to be [push “dhcp-option DNS 8.8.8.8”] it all started working.

    So, now I wonder whether static routes are crucial to this process. It seems that DD-WRT firewall setup actually makes all of this doable without static routes. Here are my IPTables rules:

    iptables -I INPUT 1 -p tcp --dport 443 -j ACCEPT
    iptables -I FORWARD 1 --source 172.20.20.0/24 -j ACCEPT
    iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
    iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
    iptables -t nat -A POSTROUTING -s 172.20.20.0/24 -j MASQUERADE

    My only problem – I cannot access the router for some reason and I cannot use it as my DNS.

    I know you’ve said here a few times that you are not an IPTables expert. Maybe you are not, but you are a way better expert than I am in all of this 🙂 So if you have any piece of wisdom that you may share – I would really appreciate hearing from you.

    Thanks!

  52. Hi,

    I have been thinking about this and unfortunately didn’t have any groundbreaking ideas. However, I am no longer sure about what I wrote in Step 9.2 regarding the operating mode. It’s hard to find good information about this, but in Gateway mode the WAN port seems to act as a mere NAT interface – not sure if this could be a problem in this scenario. Maybe Router mode is the better option here. Unfortunately I don’t have time to test this.

    Another thought: is DNS working for computers that are connected to the DD-WRT LAN ports? How is DNS configured on DD-WRT at Setup –> Basic Setup?
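    The two posts above can reach LAN hosts through the VPN but not the router itself, and their rule sets only touch the FORWARD chain. Packets addressed to the router go through INPUT instead, which DD-WRT's firewall drops for traffic that did not arrive on the LAN bridge. The script below is an added example (not the tutorial author's rules, nor any commenter's) that prints a complete rule set for a routed tun setup, including the INPUT rules for the router's own services; it assumes tun0, br0, a placeholder WAN interface name vlan2 and the /29 VPN subnet used in the tutorial.

```shell
#!/bin/sh
# Added example: prints DD-WRT firewall rules for a routed (tun) OpenVPN
# server so that VPN clients can reach the LAN, the internet and the
# router's own web UI / SSH / DNS. Rules are printed, not applied, so they
# can be reviewed before pasting them into Administration -> Commands.
#
# Assumptions (placeholders, adjust to your router):
#   $1 VPN_NET  subnet from the "server" directive, e.g. 172.20.20.0/29
#   $2 VPN_IF   tun0 (the "dev" directive)
#   $3 LAN_IF   br0 (DD-WRT's LAN bridge)
#   $4/$5       protocol and port the server listens on
#   $6 WAN_IF   WAN interface; on the router `nvram get wan_iface` prints it
vpn_firewall_rules() {
  VPN_NET="$1"
  VPN_IF="${2:-tun0}"
  LAN_IF="${3:-br0}"
  PROTO="${4:-udp}"
  PORT="${5:-1194}"
  WAN_IF="${6:-vlan2}"

  # 1. Let the OpenVPN listener itself be reached from the internet.
  echo "iptables -I INPUT 1 -p $PROTO --dport $PORT -j ACCEPT"

  # 2. Traffic *to the router* (web UI, SSH, DNS) is evaluated in INPUT, not
  #    FORWARD, and DD-WRT drops INPUT from non-LAN interfaces by default.
  #    Open only the management ports, only from the VPN subnet on tun0.
  for p in 80 443 22 53; do
    echo "iptables -I INPUT 1 -i $VPN_IF -s $VPN_NET -p tcp --dport $p -j ACCEPT"
  done
  echo "iptables -I INPUT 1 -i $VPN_IF -s $VPN_NET -p udp --dport 53 -j ACCEPT"

  # 3. VPN <-> LAN forwarding. Matching the interface as well as the source
  #    means a packet with a forged VPN source address arriving on the WAN
  #    does not match, unlike a bare "--source $VPN_NET" rule.
  echo "iptables -I FORWARD 1 -i $VPN_IF -s $VPN_NET -o $LAN_IF -j ACCEPT"
  echo "iptables -I FORWARD 1 -i $LAN_IF -o $VPN_IF -d $VPN_NET -j ACCEPT"

  # 4. Internet for clients that use redirect-gateway: forward out the WAN,
  #    allow replies back in, and NAT the VPN subnet behind the WAN address.
  echo "iptables -I FORWARD 1 -i $VPN_IF -s $VPN_NET -o $WAN_IF -j ACCEPT"
  echo "iptables -I FORWARD 1 -i $WAN_IF -o $VPN_IF -d $VPN_NET -m state --state ESTABLISHED,RELATED -j ACCEPT"
  echo "iptables -t nat -A POSTROUTING -s $VPN_NET -o $WAN_IF -j MASQUERADE"
}

# Number of rules in the generated set, for a quick sanity check.
vpn_firewall_rule_count() {
  vpn_firewall_rules "$@" | wc -l | tr -d ' '
}

# Example for the tutorial's /29 with TCP on port 443 as used in comment 37.
vpn_firewall_rules 172.20.20.0/29 tun0 br0 tcp 443 vlan2
```

    If the router's web UI is on HTTPS only, the port 80 rule can be dropped; the rule count then falls by one.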

  53. Overall congrats on this guide. This is the only guide that I found that actually works for a beginner like myself. Thank you for this!

    Did you consider writing such a short guide also for PfSense to connect as client to the ddwrt router? This is what I am having trouble with now.

  54. Thanks for the feedback, I’m glad that the guide helped. However, due to lack of time, I’ll probably not have any new stuff on this blog anytime soon :-/
