Professional Documents
Culture Documents
DDWRT OpenVPN Server Setup Public v1.96
DDWRT OpenVPN Server Setup Public v1.96
These notes are intended to help set up an OpenVPN server on DDWRT version 34790 and upwards, an OpenVPN
client on Windows 10, OpenVPN Android client and DDWRT OpenVPN client.
If you upgrade from a build with OpenVPN 2.4 or earlier to a build with OpenVPN 2.5 (builds past 44608) then read
this first!: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=326913
OpenVPN is really CPU intensive so to get any speed you need a powerful router/client. For testing this guide I used
a Netgear R6400 dual core Arm A9 at 800MHz as OpenVPN server and a modern Windows 10 PC as client.
These notes are intended to setup a tunnelled (tun) OpenVPN server on DDWRT router, where the DDWRT router is
in default gateway mode and attached to the internet.
If the DDWRT router is a secondary router you have to use port forwarding on your primary internet attached router.
I have set the server up as default with 192.168.5.1 and local Domain home5
Note: The server subnet, the OpenVPN's subnet (10.8.0.0) and the clients subnet must all be different!
Before you start check if the time is right on your router (when logged in to your router, look at the upper right hand
corner), otherwise certificates are not valid and the VPN will not connect.
Your questions and remarks can be posted in the DDWRT advanced networking forum: https://www.dd-
wrt.com/phpBB2/viewforum.php?f=53 or you can send me a PM (personal mail) via the forum.
Extract the zip file in your working directory (a directory you have created on your local hard drive to work in)
You should now have a directory like this:
You should now able to start using EasyRSA by double clicking (or right click and choose run) EasyRSA-Start.bat to
run the program.
After hitting enter, EasyRSA generates a folder called pki (Public Key Infrastructure).
This is where all of your certificates and keys will be placed once generated.
The “private” folder stores private keys for any certificate generated. “reqs” will store your CSR (Certificate Signing
Request). There are also two “.cnf” files, it is best not to tamper with those and just let EasyRSA deal with them
unless you have experience with OpenSSL.
Now set the keysize to 2048 type or copy the following commands:
echo 'set_var EASYRSA_KEY_SIZE 2048' >> vars
The certificates will expire by default in 825 days , consider making it longer:
echo 'set_var EASYRSA_CERT_EXPIRE 3650' >> vars
You can check in your working directory that there is indeed a file called vars
(The last lines should contain the settings you just made)
OVPN 2.4 has a minimum key size of 2048, so older keys with lower key size are not working!
So if you come from an older build you have to recreate your certificates and keys
Next, you will be asked to provide a “Common Name” for your CA certificate.
Feel free to name it however you like. I just choose : egcs-ca
You will now see “ca.crt” in your “pki” folder. If you go to your “private folder”, you will also see the “ca.key” which
is your certificate’s private key. At this point, we are going to start generating certificates and keys for OpenVPN use.
Your CSR file will be placed under the “reqs” folder in “pki” and key file under “private”.
Next sign your CSR file. Type in or copy the following command into EasyRSA:
./easyrsa sign-req server egcs-server
Your certificate will be pulled from the CSR and signed using your CA certificate generated earlier.
You will be asked to enter the password of your CA key created earlier unless the ca was created with nopass.
Afterwards, your server certificate is created and place in the “issued” folder of “pki”.
Your client certificate will also be placed into the same folder as your server.
You are free to generate as many client certificates as you like for your OpenVPN clients:
./easyrsa gen-req egcs-client2 nopass
./easyrsa sign-req client egcs-client2
For common name use: egcs-client2
Depending on how fast your computer is. this is going to take a long time.
Most of the time it should finish very quickly(1 to 3 minutes).
Once complete, this file will be placed in your “pki” directory as “dh.pem”.
Note: OpenVPN 2.4.and later with TLS 1.2 and SSL 1.1.1.1 (clients must also support this) can use the built-in
Elliptical Curve Diffie Hellman to generate a key so you can skip this step but you have to add the following in the
additional config of the OpenVPN Server (see https://forum.ipfire.org/viewtopic.php?t=22664 ):
dh none
ecdh-curve secp384r1
New builds post 44711 will have a GUI option : "Use ECDH instead of DH.PEM"
Enable this and the Diffie Hellman parameters/key are made automatically, so just enable this option and you are
good.
At this point, all of the necessary certificates and keys (shown below) have been created.
Grab those keys from the respective directories (dh.pem and ca.crt from pki directory, clientx.key, server.key from
pki/private and client.crt, server.crt from pki/issued) and place them in one directory for easy access.
▪ ca.crt (certificate-authority)
▪ server.key (private key for the server)
▪ server.crt (private certificate for the server)
▪ client1.key (private key for client1)
▪ client1.crt (private certificate for client1)
▪ dh.pem (DH Parameters for the server)
In Notepad++, click on "File", then drop down to "Open" and then navigate to the directory you have placed all your
keys and certificates in.
Double click on the "ca.crt" file. (It might just be listed as "ca" with an icon). Once open, click anywhere in the
window (once) and then right click, select all, then copy and paste the contents into the "CA Cert" window, in DD-
WRT as can be seen in the pictures below, and indicated in "SPECIAL NOTE:" listed above.
Back in Notepad++, locate and open the "server.crt" file from the same (keys) directory. This time, you will scroll
down to the bottom, and copy everything starting with "-----BEGIN CERTIFICATE----- and ending with "-----END
CERTIFICATE-----" (INCLUDING ALL of the dashes). You will then paste that into the
"Public Server Cert" window, in DD-WRT as seen in pictures below.
Back in Notepad++, locate and open the "server.key" file from the same (keys) directory. Click anywhere in the
window and right click, select all, then copy and paste the contents into the "Private Server Key" window, in DD-
WRT as can be seen in the pictures below.
Now, scroll down to the bottom of the page in the VPN tab in the DD-WRT GUI, and click "Apply Settings"
Click on the "Administration" tab in the DD-WRT GUI, and then on the "Commands" tab. Copy the above code, and
paste the contents into the "Commands" window.
Sometimes the $(get_wanface) does not always identifies the name of your WAN interface correctly (on older
Broadcom routers the WAN interface is vlan0, on newer Broadcom it is vlan2, on Atheros it is eth0 or sometimes also
vlan2) this has been reported for Marvell based routers, in this case try this rule:
WAN_IF="$(route -n | awk '/^0.0.0.0/{wif=$NF} END {print wif}')"
iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o $WAN_IF -j MASQUERADE
Builds from 41786 onwards stop access to the local LAN clients because of a patch which should solve a recent
vulnerability, CVE-2019-14899 (see: https://svn.dd-wrt.com/ticket/6928)
This can be mitigated with the following firewall rule (Administration/Commands, Save as Firewall):
iptables -t nat -I POSTROUTING -o br0 -s $(nvram get openvpn_net)/$(nvram get openvpn_tunmask) -j MASQUERADE
This rule SNAT's all traffic out of br0 so you cannot distinguish which is the source, this also has security and logging
concerns.
From build 41812 and higher you can disable the patch so you do not have to use the above rule, in the OpenVPN
GUI: disable CVE-2019-14899 Mitigation.
Whether you should disable the patch or use the above rule is open to debate and in my opinion you have to factor
in your threat level versus how much trouble you will get from SNATting all traffic.
If you are a high level government target I would enable the patch.
There is another solution instead of the SNAT rule and that is adding the following to the firewall but you have to do
it after the VPN is up so you need a script checking for that .
The problem is that the firewall rules from the VPN are separate from the rest of the firewall rules and this rule has
to be executed later than the VPN, and if the VPN restarts the rule has to be applied.
Furthermore this rule can expose your LAN side to the CVE attack, if you have your IOT things separated and tight
control over your LAN you should be good, if your LAN is hacked you have got bigger problems:
iptables -t raw -I PREROUTING -i br0 -d $(nvram get openvpn_net)/$(nvram get openvpn_tunmask) -j ACCEPT
Starting with build 42819 you can define your own route-up and route-pre-down script, and place additional firewall
rules there, but note you replace the existing /tmp/openvpn/route-up.sh script, so you have to copy all rules from
the existing script over to your own script.
If you also want use your own route-pre-down, you do the same but call it with:
route-pre-down /myscript
Note:
LZO compression is Disabled because of VORACLE crack.
Note: Disabled is something else then setting compression to No
Newer builds from 39866 and upwards, have a box Inbound Firewall on TUN, do not enable that (it should not
belong here it is for the OpenVPN client)
Builds from 41027and upwards have new ciphers (GCM) which should be somewhat more efficient and are
recommended to use, I use AES-128-GCM but if you want the utmost safety use AES-256-GCM.
OpenVPN Defaults 2.5 works with data-ciphers, the first matching cipher (matching with the client) will be used,
OVPN 2.4 clients can automatically use AES-256-GCM and AES-128-GCM so for the best compatibility use one of
these, I use AES-128-GCM which is safe enough for normal use.
Older pre 2.4 clients who do not have GCM ciphers can use AES-256-CBC, add the following to the additional config
so that the server uses that as fallback option:
data-ciphers-fallback AES-256-CBC
client
dev tun
proto udp4
remote your.domain.ddns.net 1194
nobind
persist-key
persist-tun
remote-cert-tls server
auth-nocache
verb 4
float
tun-mtu 1500
auth SHA256
cipher AES-256-CBC
data-ciphers CHACHA20-POLY1305:AES-256-GCM:AES-128-GCM:AES-256-CBC
ca ca.crt
cert client1.crt
key client1.key
Note: some older clients might use: proto udp instead of proto udp4, OpenVPN 2.4 can use proto upd but will then
try to connect to IPv4 and IPv6.
If possible choose udp4 otherwise you can have the following error:
--mtu-disc is not supported on this OS
If you have trouble with udp you can use tcp in that case use proto tcp4-client
comp-lzo is removed be sure to disable it also in the OVPN server settings (note: set to "Disabled" in server settings)
If you have disconnects and the VPN does not reconnect, remove the auth-nocache
and add resolv-retry infinite
Clients using OpenVPN 2.5, server must have matching a data-cipher, the first one from the server which matches
will be chosen, so the server determines what data-cipher is used:
If you connect to a really old server (2.3 or earlier) you can use: data-ciphers-fallback AES-128-CBC or BF-CBC
Once you have that done, go back up to the file menu in Notepad++ and (Save As) "client1.ovpn" (no quotes
To start the OpenVPN, double click on the OpenVPN GUI icon on your desktop. That will launch OpenVPN and
activate the TAP. Look down in your taskbar for the OpenVPN GUI icon and right click it. Choose Connect, if
everything was setup correctly you will have a connection.
The menu which opens after right clicking can be used to see the log files or alter the configuration.
The OpenVPN 2.5 client can use Windows TAP or the new WinTun drivers (only for tun connection not for tap) which
has less overhead.
To use the WinTun drivers add in the config:
windows-driver wintun
You can hit (enter) for all of the initial parameters as in the previous step, but for "common name" make sure you
type in "name of new client" (no quotes) (enter).
You can just hit enter for the "extra attributes" queries. You will then be asked again if you want to sign the
certificate, so type "y" (no quotes) (enter) and then "y" again (no quotes) (enter) to commit it.
Then repeat step 9 and adapt the two last lines cert and key to reflect the names of your new client certificate and
key.
Save the new file with a new name (like client2.ovpn).
Note:
The current Android OpenVPN Connect client does not work with data-ciphers yet, it will fall back to using the
default ncp-ciphers: AES-256-GCM:AES-128-GCM, you can add the data-ciphers in the conf file but it will be ignored
for now.
The Android client from Arne Schwab lets you specify newer protocols like CHACHA20-POLY1305 in the cipher
setting
Note:
Instead of copying the "clientx.ovpn" file and the three keys/cert files individually you can append the three keys to
the "clientx.ovpn" file, leave out the reference to ca…., cert…. and key… and copy your own keys and certificates like
the example below, this works for Windows, Android and iOS
client
……
……
data-ciphers CHACHA20-POLY1305:AES-256-GCM:AES-128-GCM:AES-256-CBC
<ca>
-----BEGIN CERTIFICATE-----
MIIEvTCCA6WgAwIBAgIJAKkRkVTxVEclMA0GCSqGSIb3DQEBCwUAMIGaMQswCQYD
VQQGE
-----END CERTIFICATE-----
</ca>
Last edited on 28-2-2021 16:12 by egc page 14
<cert>
-----BEGIN CERTIFICATE-----
MIIE+TCCA+GgAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBmjELMAkGA1UEBhM
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAo
-----END PRIVATE KEY-----
</key>
Scroll down to "File Sharing" and click on OpenVPN client, then select "add files" import the following files. (these
instructions are for Windows 10, may vary with MAC OS.
Add the files: (see next page)
• clientx.ovpn
• ca.cert
• clientx.key
• clientx.cert
Turn off wifi and launch OpenVPN on your iPhone. Import the new profile and tap the slider to "connect". You
should be asked about allowing OpenVPN to manage VPN connections on your phone. Click OK then you’ll connect.
I have set the clients IP address to 192.168.6.1 with Local Domain: home6
Open ca.crt with notepad and copy the contents including ---BEGIN CERTIFICATE up until and including END
CERTIFICATE---- , paste in CA.Cert box
Be sure to use the same LZO compression settings, the safest is to disable LZO compression in the GUI and leaving
out anything in the client config regarding comp-lzo.
Note: You cannot test from inside your network, loopback is not working, so test from outside (use cellular)
OpenVPN 2.5 has the new data-ciphers, set the client matching to the server.
The first data-cipher form the server which has a match with the client will be chosen.
In this case it is CHACHA20-POLY1305
When using a DDWRT client to a DDWRT server you do not need to enable NAT on the client (although it is easier to
do so, so it is in my recommended settings).
Instead you can add a static route on the server to route return traffic to the clients subnet (i.e. 192.168.6.0) back
over the OVPN server in the additional config of the OVPN server add:
Route 192.168.6.0 255.255.255.0 vpn_gateway
The advantage of not enabling NAT is that you can leave CVE Mitigation Enabled (but if you have other clients
connecting to the server which do NAT leave it disabled)
Furthermore you have to NAT the clients traffic out of the WAN of the OVPN server if you want to have internet
access, you already have a NAT rule to route the OVPN servers traffic but in this case you should use the general
NAT rule, so in step 8a add:
iptables -t nat -I POSTROUTING -s 192.168.6.0/24 -o $(get_wanface) -j MASQUERADE
To make it a little bit more safe, you can enable: "Verify Server Cert.", this sets ' --remote-cert-tls server ', this
requires that the peer (CA) certificate was signed with an explicit key usage and extended key usage based on
RFC3280 TLS rules.
When generating the certificate with easy-RSA this is the case so you can set this option if you like.
If the client does not reconnect after a disconnection you can add the following to the additional config to do a full
restart on disconnection:
remap-usr1 SIGHUP
resolv-retry infinite
References:
https://www.dd-wrt.com/phpBB2/viewtopic.php?t=312064&highlight=
https://www.howtogeek.com/64433/how-to-install-and-configure-openvpn-on-your-dd-wrt-router/
https://openvpn.net/index.php/open-source/documentation/howto.html
https://martyfoiegras.com/2016/09/05/dd-wrt-routed-openvpn-server-configuration-with-split-tunneling-support/
https://advancedhomeserver.com/dd-wrt-and-openvpn-part-1/
https://advancedhomeserver.com/dd-wrt-and-openvpn-part-2/
https://advancedhomeserver.com/dd-wrt-and-openvpn-part-3/
If you want to connect to the local subnet where OpenVPN server resides (which is often done) and you do not have
"Redirect Default Gateway" enabled then you have to push that local route to your client e.g.:
push "route 192.168.5.0 255.255.255.0 vpn_gateway"
By default a route is added to the clients routing table establishing a route to the OpenVPN server e.g. to 10.8.0.0. So
it is not necessary to push this route.
If you want to resolve DNS names over the VPN you will need to add the below lines to "Additional Config."
If you want to use a public DNS server (e.g. Google's ):
push "dhcp-option DNS 8.8.8.8"
If you want to use your own router/OpenVPN server (my servers Lan Domain is named "home5"):
push "dhcp-option DNS 192.168.5.1"
push "dhcp-option DOMAIN home5"
If you are using DD-WRT as a DNS server you’ll need to tell DNSMasq to listen for requests on the interface your VPN
clients will query on. To do this you’ll need to figure out what interface that is.
To see the interface your VPN clients will query on, you can find this in the GUI by clicking "Setup" > "Advanced
Routing" > "Routing Table." In there you’ll see a route that specifies the tun adapter you are using and the IP net see
below. For me it is tun2
Take that piece of information and navigate to "Services" > "Services." Scroll down to "Additional DNSMasq
Options" and enter
interface=tun#
where # is the number you pulled from routing table, in this case tun2.
If you do not specify Redirect Default Gateway you should push main subnet and push the main router as DNS server
(if you want to use DNS but this is optional):
push "route 192.168.5.0 255.255.255.0 vpn_gateway"
push "dhcp-option DNS 192.168.5.1"
push "dhcp-option DOMAIN home5"
Only rule needed for this type setup is (Administration/Commands, Save Firewall):
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to $(nvram get lan_ipaddr)
Alternatively you can also set a static route on the main router to route VPN traffic to the WAP.
Once the OpenVPN connection is established through the WAP you will be inside the local network.
If local DNS is enabled on the main router it will also work just fine via OpenVPN.
Note the newer guides have the NAT rule which uses get_wanface. This identifies the out interface correctly as br0
(in contrast to wan_ifname or wan_iface, so you do not need the rule as described above.
TLS Crypt (starting with OpenVPN 2.4), this encrypts the OpenVPN at the start of the setup process and therefore
hides that it is an OpenVPN connection and is therefore the preferred option.
The use of tls-auth/tls-crypt key is not strictly necessary, without it OpenVPN is sufficiently safe. But in case you want
it, here are the instructions.
The --tls-auth / --tls-crypt option uses a static pre-shared key (PSK) that must be generated in advance
and shared among all peers. This features adds "extra protection" to the TLS channel by requiring that incoming
packets have a valid signature generated using the PSK key. If this key is ever changed, it must be changed on all
peers at the same time (there is no support for rollover.)
The primary benefit is that an unauthenticated client cannot cause the same CPU/crypto load against a server as the
junk traffic can be dropped much sooner. This can aid in mitigating denial-of-service attempts.
Last edited on 28-2-2021 16:12 by egc page 20
This feature by itself does not improve the tl- auth/tls-crypt in any way, although it offers a 2nd line of defence if a
future flaw is discovered in a particular TLS cipher-suite or implementation (such as CVE-2014-0160, Heartbleed,
where the tls-auth key provided protection against attackers who did not have a copy). However, it offers no
protection at all in the event of a complete cryptographic break that can allow decryption of a cipher-suite's traffic.
Generate a static key, for windows, open a command prompt and go to the OpenVPN directory with:
C:
cd \program files\openvpn\bin
Open the ta.key file with Notepad++, and copy the contents into the TLS Key box in the DDWRT OpenVPN GUI.
For tls-auth, DDWRT sets the key-direction directive to 0 automatically.
For the client copy the ta.key file to the appropriate directory where the other keys are stored.
In the client config add:
For tls-auth:
tls-auth ta.key 1 (or specify the key-direction 1 option separately)
For tls-crypt:
tls-crypt ta.key
tls-crypt does not use a key direction.
If you have a build before 41304 tls-crypt can be pasted in Additional .Config of the server between <tls-crypt> and
</tls-crypt>. For example:
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
41a2fc4fbd0cb890d40ddf704defac6a
.......
-----END OpenVPN Static key V1-----
</tls-crypt>
For the client OVPN configuration file for Windows, Android and Mac add:
tls-crypt ta.key in the openvpn.conf
Copy the ta.key file to the appropriate directory where the other keys are stored.
Specifying the keydir with tls-crypt is not necessary, that is handled automatically
When using a DDWRT OpenVPN client, paste the key in the Additional Config like described for the server
You can examine the requirements of that directive in the following OpenVPN documentation.
https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
You have to make an executable file named vpn_user.sh with the username and password those should be set at
ALLOWED_USER and ALLOWED_PASS, add the following to Administration/Commands save as Startup:
If you take this extra step on your OpenVPN server configuration, then the OpenVPN clients require the following
directive:
auth-user-pass <filename>
The argument to that directive must be a file containing the username and password on separate lines. In the case of
dd-wrt, the User Pass Authentication field in the OpenVPN client GUI makes this easier. It takes a username and
password and maps it down to this directive on your behalf.
So in the DDWRT OpenVPN client enable "User Pass Authentication" and fill in the "Username" and "Password" in
the boxes that will appear.
This option should of course be used in conjunction with the dhcp-option DNS command described earlier.
Last edited on 28-2-2021 16:12 by egc page 22
Running from the command line
It is possible to run OpenVPN (server and client) from the command line.
This so you could have two or more servers or clients running at the same time
You have to make your own openvpn.conf, route-up.sh and route-down.sh
You can contact me for assistance.
https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1209981#1209981
Put the static key in the appropriate static key box. (older builds will hide the static key box if Config as Text
(Daemon) is chosen.
In the GUI use the following settings:
• OpenVPN = Enable
• CVE-2019-14899 Mitigation = Disable
• Start Type = WAN up
• Inbound Firewall on TUN = Unchecked
• Config as = Text (Daemon in older builds)
Reference:
https://wiki.dd-wrt.com/wiki/index.php/OpenVPN_Remote_Access_by_Static_Key_(The_Simple_Way)
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327231
Running an OpenVPN server and OpenVPN client on the same router (Policy Based Routing)
If you want to run an OpenVPN server to get secure access to your home network and you want to run an OpenVPN
client to a commercial VPN provider (like Nord, Express, Private internet access etc.) for secure access to the
internet, you have to take special measures to make that work.
The problem is that you access your OpenVPN server via the WAN, and if you also have an OpenVPN client running,
the return traffic will go out via the VPN client and your firewall will not allow that.
One way to get this running is using Policy Based Routing (PBR) of the OpenVPN client.
Policy Based Routing will leave the normal default route out via the WAN intact but will instead create an alternate
routing table with a default route via the VPN client.
You specify the IP addresses which you want to use the VPN client in the Policy Based Routing Field of the OpenVPN
client.
You have to use CIDR notation (https://www.ipaddressguide.com/cidr )
In my example I have a client .89 and my whole DHCP range (100 – 150) routed via the VPN.
In the Policy Based Routing field I have:
192.168.5.89/32
192.168.5.100/30
192.168.5.104/29
192.168.5.112/28
192.168.5.128/28
192.168.5.144/30
192.168.5.148/31
192.168.5.150/32
(and now you know why some forum members are using an DHCP range from 64 – 127 ☺ )
When connected to the OVPN server from the outside you will normally be routed out via the WAN for your internet
access.
It is possible to route out via the VPN client so that you have a secured internet access. Therefore you have to add
the address you get from the OVPN server to the PBR range.
Usually you will get an IP address of 10.8.0.2 or 10.8.0.3 (you can see it in the OVPN status page) so enter in the PBR
field: 10.8.0.2/31.
It is even possible to set the whole subnet of the OVPN server to use the OVPN client : 10.8.0.1/24 .
It is possible to have the OpenVPN server hand out a static lease see the next section: Client-specific configuration –
CCD files
Note: for the OpenVPN server to function your default route has to be the WAN.
But there are also other advanced solutions available see: https://forum.dd-
wrt.com/phpBB2/viewtopic.php?p=1129398
you have to tell the OVPN server where it can find these files, so in the Additional config of the OVPN server add:
client-config-dir /jffs/ccd
This tells the server to find the CCD files in the directory /jffs/ccd
Thus you must have permanent /jffs storage (USB or JFFS2) and make a directory on that: /ccd where the CCD files
are placed.
Make a text file in the /jffs/ccd directory with the common name of your client in my example client1
Open client1 with a text editor and add the following line:
ifconfig-push 10.8.0.9 255.255.255.0
to push an ip address of 10.8.0.9 (assuming the OVPN servers subnet is 10.8.0.0)
Alternatively, if you do not have permanent storage, just use the default directory (/tmp/openvpn/ccd) so do not set
client-config-dir and make the CCD files every time at startup:
echo "ifconfig-push 10.8.0.4 255.255.255.0" > /tmp/openvpn/ccd/client1
Place this in Administration/Commands, Save as Startup
There is also a special DEFAULT file (/tmp/openvpn/ccd/DEFAULT) that contains settings in case there is no
configuration file for a certain client.
If you only have one client you can use this default file and you can enter content in that file via the GUI option:
CCD-Dir DEFAULT file
Reference
https://openvpn.net/community-resources/configuring-client-specific-rules-and-access-policies/
Instruct server to add a route to the client-side LAN for all local server side clients
In additional config of server add:
route 192.168.6.0 255.255.255.0 vpn_gateway
This will add a route in the server side routing table to route traffic for 192.168.6.0 to the OVPN server.
The next thing is to tell the OVPN server to which client it must send this traffic, that is where the iroute command
comes into play.
This command has to be placed in the CCD file of that respective client, in my case client1
So in the client1 CCD file add the following line:
iroute 192.168.6.0 255.255.255.0
CVE-2019-14899 patch
You can leave this enabled on the client side and do not need any workarounds, traffic from the servers subnet is not
NAT'ted so does not have a source address of 10.8.0.x and is therefore not blocked when accessing local client side
LAN clients.
The other way around from client side to server side LAN, the connection is blocked by the server side CVE-2019-
14899 patch, you can choose to disable the patch on the server side, or use the mitigation rule described earlier or
and that is actually the best option, disable NAT on the client side VPN (in the OVPN client side GUI set NAT Disable).
As we already have the necessary static routing in place where traffic destined for the client side LAN (192.168.6.x) is
routed via the VPN, the only thing to do is to add a firewall rule to the OpenVPN server to NAT the client side LAN
traffic out via the WAN (so add this on the server side):
iptables -t nat -A POSTROUTING -s 192.168.6.0/24 -o $(get_wanface) -j MASQUERADE
Take note, your local LAN clients usually have their own firewall only allowing traffic from their own subnet.
So to connect to a client from another subnet you often have to tweak the local clients firewall, i.e. clients on the
servers subnet (192.168.5.0) must allow traffic from the clients subnet (192.168.6.0) and the other way around.
A quick an dirty workaround is to NAT traffic:
On the server:
iptables -t nat -I POSTROUTING -o br0 -s 192.168.6.0/24 -j SNAT --to $(nvram get lan_ipaddr)
iptables -t nat -I POSTROUTING -o br0 -s $(nvram get openvpn_net)/$(nvram get openvpn_tunmask) -j MASQUERADE
On the client:
iptables -t nat -I POSTROUTING -o br0 -s 192.168.5.0/24 -j SNAT --to $(nvram get lan_ipaddr)
If host is a DNS name which resolves to multiple IP addresses, OpenVPN will try them in the order that the system
getaddrinfo() presents them, so priorization and DNS randomization is done by the system library. Unless an IP
version is forced by the protocol specification (proto) (4/6 suffix), OpenVPN will try both IPv4 and IPv6 addresses, in
the order getaddrinfo() returns them.
proto indicates the protocol to use when connecting with the remote, and may be “tcp” or “udp”.
For forcing IPv4 or IPv6 connection suffix tcp or udp with 4/6 like udp4/udp6/tcp4/tcp6.
Bottom line if you do not use the IP suffix OpenVPN might try IPv6 and can easily fail if that is not implemented so if
you have IPv6 enabled and only want IPv4 for OpenVPN use proto udp4 or tcp4
The GUI will be updated so that you can choose various protocol and IP suffixes
If you want your client to stop pulling unsolicited IPv6 options add to the client:
pull-filter ignore "route-ipv6"
pull-filter ignore "ifconfig-ipv6"
block-ipv6
The normal VPN setup is routed (TUN) alternatively you can setup the VPN as bridged (TAP)
TUN is compatible with almost all operating systems, TAP is not compatible with iOS and Android ( a paid version of
the following Android client should support TAP: https://appgrooves.com/android/it.colucciweb.openvpn/openvpn-
client/colucci-webit).
Besides it will generate more traffic/overhead via the bridge and it opens up your whole network so security wise it
is worse.
It can also be used on a Windows client to get seamless access and thus you can have DLNA/streaming across the
VPN bridge
DDWRT Server:
• Tunnel Device = TAP
• DHCP-Proxy = Disable
• Pool start IP = 192.168.6.200
• Pool end IP = 192.168.6.220
• Gateway = 192.168.6.1
• Netmask = 255.255.255.0
• Block DHCP across the tunnel = Disable
If you want to route all your traffic through the VPN server then you have to enable Redirect default Gateway.
CVE mitigation can be left turned on as this will not hamper local LAN access when using TAP mode
Any device that now connects to the OVPN client router (wire or wireless) will make its DHCP request across the
tunnel and get configured on the PH's local network.
If you want the OVPN client router to distribute its own DHCP then set the OVPN client routers IP on the same
subnet i.e. 192.168.5.254. Set the DHCP scope outside the DHCP scope of the OVPN router (100-150) and outside the
OVPN server (200-220) so use 151 -199 (48)
Then on the Server you can set: Block DHCP across the tunnel = Enable
Fill in Ca Cert box with ca.crt, Public Client Cert box with client.cert and Private Client Key box with client.key
client
dev tap
#proto udp4
proto tcp4-client
remote your.domain.ddns.net 1194
nobind
persist-key
persist-tun
remote-cert-tls server
auth-nocache
verb 4
float
tun-mtu 1500
auth SHA256
cipher AES-256-CBC
data-ciphers CHACHA20-POLY1305:AES-256-GCM:AES-128-GCM:AES-256-CBC
ca ca.crt
cert client1.crt
key client1.key
The TAP Network Adapter (which is also used for TUN connections) will have a Public Network profile and thus will
be firewalled.
Disable the firewall or set the TAP adapter on a private profile.
Check with Get-NetConnectionProfile to see if the Network Adapter is changed from Public to Private