DDWRT OpenVPN Server Setup

(see: https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1157344 for the most recent version)

These notes are intended to help set up an OpenVPN server on DDWRT version 34790 and upwards, an OpenVPN
client on Windows 10, OpenVPN Android client and DDWRT OpenVPN client.

If you upgrade from a build with OpenVPN 2.4 or earlier to a build with OpenVPN 2.5 (builds past 44608) then read
this first!: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=326913

OpenVPN is really CPU intensive so to get any speed you need a powerful router/client. For testing this guide I used
a Netgear R6400 dual core Arm A9 at 800MHz as OpenVPN server and a modern Windows 10 PC as client.

These notes are intended to setup a tunnelled (tun) OpenVPN server on DDWRT router, where the DDWRT router is
in default gateway mode and attached to the internet.

For a discussion of bridged (tap) versus routed (tun) see:

https://community.openvpn.net/openvpn/wiki/BridgingAndRouting, I also added a chapter about how to set up a
bridged (TAP) OpenVPN Server in the Advanced section.

If the DDWRT router is a secondary router you have to use port forwarding on your primary internet attached router.

I have set the server up as default with 192.168.5.1 and local Domain home5

Note: The server subnet, the OpenVPN's subnet (10.8.0.0) and the clients subnet must all be different!

Before you start check if the time is right on your router (when logged in to your router, look at the upper right hand
corner), otherwise certificates are not valid and the VPN will not connect.

A lot of existing guides are obsolete or wrong.

I am trying to keep this guide up to date but your help is necessary. If you find anything wrong or unclear please
contact me.

Your questions and remarks can be posted in the DDWRT advanced networking forum: https://www.dd-
wrt.com/phpBB2/viewforum.php?f=53 or you can send me a PM (personal mail) via the forum.

Last edited on 28-2-2021 16:12 by egc page 1

Table of Contents
Step- 1a: Download and Install: ....................................................................................................................................... 3
Step- 1b Generating keys and certs .................................................................................................................................. 3
Step- 1b Making the vars file ............................................................................................................................................ 4
Step 2 – Generate a "Certificate-Authority" (ca.crt) ......................................................................................................... 4
Step 3 – Generate the "Server Certificate" (server.crt). ................................................................................................... 5
Step 4 – Generate Client Certificates ................................................................................................................................ 5
Step 5 – Generate Diffie Hellman Parameters . ................................................................................................................ 6
Step 6 – Configuring DD-WRT for OpenVPN ..................................................................................................................... 6
Step- 7 Copy/Paste the code from your crt, dh and key files into DD-WRT: .................................................................. 7
Step- 8a Setting up the Firewall ........................................................................................................................................ 8
Step- 8b OpenVPN Server settings.................................................................................................................................... 9
Step- 8c Reboot DD-WRT. ............................................................................................................................................... 12
Step-9 Create "client1.ovpn" file and copy to windows client ...................................................................................... 12
Step 10 Windows setting up and installing the OpenVPN client .................................................................................... 13
Step- 11 Creating additional client files ......................................................................................................................... 13
Step-12 Android setting up and installing the OpenVPN client ...................................................................................... 13
Step-13 iOS setting up and installing the OpenVPN client ............................................................................................. 15
Step-14 Setting up and Installing the OpenVPN client on DDWRT ................................................................................. 15
OpenVPN Client settings (using a DDWRT router as client of your DDWRT server) ...................................................... 17
Pushing Routes to the client (including pushing DNS servers) ....................................................................................... 19
OpenVPN server on a Wireless Access Point (WAP) ....................................................................................................... 20
Use of tls-auth / tls-crypt ................................................................................................................................................ 20
Use of Username and Password ..................................................................................................................................... 21
Windows 10, blocking the use of clients own DNS servers ............................................................................................ 22
Running from the command line .................................................................................................................................... 23
Setup with static key only ............................................................................................................................................... 23
Running an OpenVPN server and OpenVPN client on the same router (Policy Based Routing) .................................... 24
Client-specific configuration – CCD files ......................................................................................................................... 25
OpenVPN communication both ways (site to site communication). .............................................................................. 26
OpenVPN and IPv6 .......................................................................................................................................................... 27
Set up as TAP (bridged) ................................................................................................................................................... 28
Troubleshooting .............................................................................................................................................................. 32

Last edited on 28-2-2021 16:12 by egc page 2

Step- 1a: Download and Install:
Download OpenVPN from here: : https://openvpn.net/community-downloads/ (grab the installer appropriate for
your Windows version)
OpenVPN 2.5 comes with Easy RSA 3 for generating keys and certificates

Download Notepad++ from here: https://notepad-plus-plus.org/

(Click on the downloads link and grab the latest appropriate version for your system)

Install both programs, for OpenVPN install everything:

Click on the OpenVPN icon Install type choose Customize.
Click on the OpenVPN icon and choose: "Entire Feature will be installed on your local hard drive. Scroll down to the
bottom and install OpenSSL utilities, choose Entire Feature will be installed on the local hard drive

Linux users see: https://openvpn.net/community-resources/how-to/#setting-up-your-own-certificate-authority-ca-

and-generating-certificates-and-keys-for-an-openvpn-server-and-multiple-clients

Step- 1b Generating keys and certs

To generate keys and certificates you have to copy some folders of the installed OpenVPN client to a working
directory , but it actually is easier to download the latest EasyRSA from : https://github.com/OpenVPN/easy-
rsa/releases , choose the for your machine appropriate version for windows that is mostly the EasyRSA-3.x.x-
win64.zip

Extract the zip file in your working directory (a directory you have created on your local hard drive to work in)
You should now have a directory like this:

You should now able to start using EasyRSA by double clicking (or right click and choose run) EasyRSA-Start.bat to
run the program.

Double click on: EasyRSA-Start.bat:

Keep this command window open during the whole session.

Last edited on 28-2-2021 16:12 by egc page 3

Everything seems to be running fine. It uses a Linux-based shell which allows you to execute pre-defined bash scripts
to create your certificates/keys.

First generate a folder for your certificates.

To do that, under “EasyRSA Shell”, type or copy the following:
./easyrsa init-pki

After hitting enter, EasyRSA generates a folder called pki (Public Key Infrastructure).
This is where all of your certificates and keys will be placed once generated.

The “private” folder stores private keys for any certificate generated. “reqs” will store your CSR (Certificate Signing
Request). There are also two “.cnf” files, it is best not to tamper with those and just let EasyRSA deal with them
unless you have experience with OpenSSL.

Step- 1b Making the vars file

Settings are stored in a vars file, so we first going to make a vars file with this command:
cp vars.example vars

Now set the keysize to 2048 type or copy the following commands:
echo 'set_var EASYRSA_KEY_SIZE 2048' >> vars
The certificates will expire by default in 825 days , consider making it longer:
echo 'set_var EASYRSA_CERT_EXPIRE 3650' >> vars

You can check in your working directory that there is indeed a file called vars
(The last lines should contain the settings you just made)

OVPN 2.4 has a minimum key size of 2048, so older keys with lower key size are not working!
So if you come from an older build you have to recreate your certificates and keys

Step 2 – Generate a "Certificate-Authority" (ca.crt)

Generate your CA (Certificate Authority), type or copy the following:
./easyrsa build-ca nopass
Press enter.

Last edited on 28-2-2021 16:12 by egc page 4

If you leave out the nopass, you will be asked to make up a passphrase for your CA. It is important to write whatever
passphrase you create into a special file or piece of paper.
This protects the CA’s private key stored in “pki\private\ca.key” from being compromised.
If you make a key without a password be sure to keep it secured.

Next, you will be asked to provide a “Common Name” for your CA certificate.
Feel free to name it however you like. I just choose : egcs-ca

You will now see “ca.crt” in your “pki” folder. If you go to your “private folder”, you will also see the “ca.key” which
is your certificate’s private key. At this point, we are going to start generating certificates and keys for OpenVPN use.

Step 3 – Generate the "Server Certificate" (server.crt).

First, let’s generate a CSR(Certificate Signing Request) for the server certificate.
Name your CSR file however you like, I use egcs-server for my server files, name yours like you want, type or copy
the following command into EasyRSA (nopass means no password is asked):
./easyrsa gen-req egcs-server nopass

After, hit enter the process will begin.

Right after, you will be asked for a “Common Name”, again name it as you like., I use the same name as my file:
egcs-server.
(As this is the same name as the CSR's file name you can just hit enter)

Your CSR file will be placed under the “reqs” folder in “pki” and key file under “private”.

Next sign your CSR file. Type in or copy the following command into EasyRSA:
./easyrsa sign-req server egcs-server

Type “yes” to confirm your CSR’s common name.

Your certificate will be pulled from the CSR and signed using your CA certificate generated earlier.
You will be asked to enter the password of your CA key created earlier unless the ca was created with nopass.
Afterwards, your server certificate is created and place in the “issued” folder of “pki”.

Step 4 – Generate Client Certificates

Now generate the clients files, I name my first client egcs-client1, name yours like you want:
./easyrsa gen-req egcs-client1 nopass

You will be asked for a Common name I use egcs-client1

(As this is the same name as the CSR's file name you can just hit enter)

Next, sign it, with the following command (type in or copy):

./easyrsa sign-req client egcs-client1

Type “yes” to confirm your CSR’s common name.

Your client certificate will also be placed into the same folder as your server.
You are free to generate as many client certificates as you like for your OpenVPN clients:
./easyrsa gen-req egcs-client2 nopass
./easyrsa sign-req client egcs-client2
For common name use: egcs-client2

You can now close the shell by typing exit.

You can always start again and make additional client certificates/keys but then you should not run ./easyrsa init-pki
as that wipes out the existing keys
Last edited on 28-2-2021 16:12 by egc page 5
https://community.openvpn.net/openvpn/wiki/EasyRSA3-OpenVPN-Howto

Step 5 – Generate Diffie Hellman Parameters .

Next, we are going to generate a diffie-hellman key. This key will allow us to authenticate securely with an OpenVPN
server. In order to generate one, we will be typing the following:
./easyrsa gen-dh

Depending on how fast your computer is. this is going to take a long time.
Most of the time it should finish very quickly(1 to 3 minutes).
Once complete, this file will be placed in your “pki” directory as “dh.pem”.

Note: OpenVPN 2.4.and later with TLS 1.2 and SSL 1.1.1.1 (clients must also support this) can use the built-in
Elliptical Curve Diffie Hellman to generate a key so you can skip this step but you have to add the following in the
additional config of the OpenVPN Server (see https://forum.ipfire.org/viewtopic.php?t=22664 ):
dh none
ecdh-curve secp384r1

New builds post 44711 will have a GUI option : "Use ECDH instead of DH.PEM"
Enable this and the Diffie Hellman parameters/key are made automatically, so just enable this option and you are
good.

At this point, all of the necessary certificates and keys (shown below) have been created.
Grab those keys from the respective directories (dh.pem and ca.crt from pki directory, clientx.key, server.key from
pki/private and client.crt, server.crt from pki/issued) and place them in one directory for easy access.
▪ ca.crt (certificate-authority)
▪ server.key (private key for the server)
▪ server.crt (private certificate for the server)
▪ client1.key (private key for client1)
▪ client1.crt (private certificate for client1)
▪ dh.pem (DH Parameters for the server)

Step 6 – Configuring DD-WRT for OpenVPN

From the DD-WRT GUI, click on the "Services" tab, and then click on the "VPN" tab. Scroll down to the OpenVPN
section and click the radio button to enable OpenVPN. That will expose a new pane where you will enter the VPN
tunnel network settings and enter the data from the "keys" and "certificates" as well as the data from the "dh2048"
file that you created in the previous steps.

Last edited on 28-2-2021 16:12 by egc page 6

Step- 7 Copy/Paste the code from your crt, dh and key files into DD-WRT:
SPECIAL NOTE: When copying/pasting the data into the DD-WRT GUI, there may be more info than is needed. Only
copy the data between and including: -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----, -----
BEGIN PRIVATE KEY----- and -----END PRIVATE KEY----- , -----BEGIN DH PARAMETERS----- and -----END DH
PARAMETERS-----.

In Notepad++, click on "File", then drop down to "Open" and then navigate to the directory you have placed all your
keys and certificates in.
Double click on the "ca.crt" file. (It might just be listed as "ca" with an icon). Once open, click anywhere in the
window (once) and then right click, select all, then copy and paste the contents into the "CA Cert" window, in DD-
WRT as can be seen in the pictures below, and indicated in "SPECIAL NOTE:" listed above.

Back in Notepad++, locate and open the "server.crt" file from the same (keys) directory. This time, you will scroll
down to the bottom, and copy everything starting with "-----BEGIN CERTIFICATE----- and ending with "-----END
CERTIFICATE-----" (INCLUDING ALL of the dashes). You will then paste that into the
"Public Server Cert" window, in DD-WRT as seen in pictures below.

Back in Notepad++, locate and open the "server.key" file from the same (keys) directory. Click anywhere in the
window and right click, select all, then copy and paste the contents into the "Private Server Key" window, in DD-
WRT as can be seen in the pictures below.

Last edited on 28-2-2021 16:12 by egc page 7

Finally (this step can be skipped if you use OpenVPN 2.5 and later and have enabled Use ECDH instead of DH.PEM),
back in Notepad++, locate and open the "dh" file from the same (keys) directory. Click anywhere in the window and
right click, select all, then copy and paste the contents into the "DH Pem" window, in DDWRT as can be seen in the
pictures below.

Now, scroll down to the bottom of the page in the VPN tab in the DD-WRT GUI, and click "Apply Settings"

Step- 8a Setting up the Firewall

A lot of guides have redundant firewall rules, in case of firewall rules less is more.
Actually you do not need any rules to make a connection, but if you want to have an outside/internet connection for
your client when "Redirect Default Gateway" is enabled then you have to add the rule described below, the rule is
necessary to NAT the traffic form the VPN out onto the internet via the WAN interface.

iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o $(get_wanface) -j MASQUERADE

Click on the "Administration" tab in the DD-WRT GUI, and then on the "Commands" tab. Copy the above code, and
paste the contents into the "Commands" window.

Then click "Save Firewall".

Sometimes the $(get_wanface) does not always identifies the name of your WAN interface correctly (on older
Broadcom routers the WAN interface is vlan0, on newer Broadcom it is vlan2, on Atheros it is eth0 or sometimes also
vlan2) this has been reported for Marvell based routers, in this case try this rule:
WAN_IF="$(route -n | awk '/^0.0.0.0/{wif=$NF} END {print wif}')"
iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o $WAN_IF -j MASQUERADE

Last edited on 28-2-2021 16:12 by egc page 8

Step- 8b OpenVPN Server settings
Note : if your setup page shows way less settings, start with setting "Config as" : "GUI (Server)" and all boxes will
become available

Last edited on 28-2-2021 16:12 by egc page 9

If you do not have "Redirect Default Gateway" enabled, then you have to push a local route to reach the routers
subnet where the OpenVPN server resides. See the Advanced Section, which starts on page 15.

Builds from 41786 onwards stop access to the local LAN clients because of a patch which should solve a recent
vulnerability, CVE-2019-14899 (see: https://svn.dd-wrt.com/ticket/6928)
This can be mitigated with the following firewall rule (Administration/Commands, Save as Firewall):
iptables -t nat -I POSTROUTING -o br0 -s $(nvram get openvpn_net)/$(nvram get openvpn_tunmask) -j MASQUERADE
This rule SNAT's all traffic out of br0 so you cannot distinguish which is the source, this also has security and logging
concerns.

From build 41812 and higher you can disable the patch so you do not have to use the above rule, in the OpenVPN
GUI: disable CVE-2019-14899 Mitigation.
Whether you should disable the patch or use the above rule is open to debate and in my opinion you have to factor
in your threat level versus how much trouble you will get from SNATting all traffic.
If you are a high level government target I would enable the patch.

There is another solution instead of the SNAT rule and that is adding the following to the firewall but you have to do
it after the VPN is up so you need a script checking for that .
The problem is that the firewall rules from the VPN are separate from the rest of the firewall rules and this rule has
to be executed later than the VPN, and if the VPN restarts the rule has to be applied.
Furthermore this rule can expose your LAN side to the CVE attack, if you have your IOT things separated and tight
control over your LAN you should be good, if your LAN is hacked you have got bigger problems:
iptables -t raw -I PREROUTING -i br0 -d $(nvram get openvpn_net)/$(nvram get openvpn_tunmask) -j ACCEPT

Starting with build 42819 you can define your own route-up and route-pre-down script, and place additional firewall
rules there, but note you replace the existing /tmp/openvpn/route-up.sh script, so you have to copy all rules from
the existing script over to your own script.

Last edited on 28-2-2021 16:12 by egc page 10

You call your own route-up script by adding the following in the Additional config (I am using my own route-up script
placed in /jffs/openvpn:
route-up /jffs/openvpn/route-up-egc.sh
Do not forget to make the script executable

If you also want use your own route-pre-down, you do the same but call it with:
route-pre-down /myscript

Note:
LZO compression is Disabled because of VORACLE crack.
Note: Disabled is something else then setting compression to No

Newer builds from 39866 and upwards, have a box Inbound Firewall on TUN, do not enable that (it should not
belong here it is for the OpenVPN client)

Builds from 41027and upwards have new ciphers (GCM) which should be somewhat more efficient and are
recommended to use, I use AES-128-GCM but if you want the utmost safety use AES-256-GCM.

OpenVPN Defaults 2.5 works with data-ciphers, the first matching cipher (matching with the client) will be used,
OVPN 2.4 clients can automatically use AES-256-GCM and AES-128-GCM so for the best compatibility use one of
these, I use AES-128-GCM which is safe enough for normal use.

Older pre 2.4 clients who do not have GCM ciphers can use AES-256-CBC, add the following to the additional config
so that the server uses that as fallback option:
data-ciphers-fallback AES-256-CBC

Do not use ncp-disable on OpenVPN 2.5 unless specifically instructed

Last edited on 28-2-2021 16:12 by egc page 11

Step- 8c Reboot DD-WRT.
Click on the "Administration" tab and then on the "Management" tab. Scroll down to the bottom and click on
"Reboot Router". Just let it reboot, don’t be in a hurry to try and see if it has internet access as soon as you see
lights flickering. Work the next few steps below first. By the time you are done with them, the DD-WRT will be back
online and ready to go.
After changing anything always reboot, otherwise you might encounter: TLS Error: TLS key negotiation failed to
occur within 60 seconds (check your network connectivity).

Step-9 Create "client1.ovpn" file and copy to windows client

Back in Notepad++, Click on the File menu, and then click "New" to open a new file.
Next, copy the code below (in green and red), then, place (click) your cursor on line 1 in the new file you just opened
in Notepad++, and then paste the contents into the new file. The part in RED should reflect your DDNS info, or your
WAN IP of the server, NOT the IP address you set up in the VPN section.
(See "IMPORTANT NOTE" below when done with step 9).

client
dev tun
proto udp4
remote your.domain.ddns.net 1194
nobind
persist-key
persist-tun
remote-cert-tls server
auth-nocache
verb 4
float
tun-mtu 1500
auth SHA256
cipher AES-256-CBC
data-ciphers CHACHA20-POLY1305:AES-256-GCM:AES-128-GCM:AES-256-CBC
ca ca.crt
cert client1.crt
key client1.key

Note: some older clients might use: proto udp instead of proto udp4, OpenVPN 2.4 can use proto upd but will then
try to connect to IPv4 and IPv6.
If possible choose udp4 otherwise you can have the following error:
--mtu-disc is not supported on this OS
If you have trouble with udp you can use tcp in that case use proto tcp4-client
comp-lzo is removed be sure to disable it also in the OVPN server settings (note: set to "Disabled" in server settings)

If you have disconnects and the VPN does not reconnect, remove the auth-nocache
and add resolv-retry infinite

For compatibility with older servers/clients cipher AES-256-CBC is set

Clients using OpenVPN 2.5, server must have matching a data-cipher, the first one from the server which matches
will be chosen, so the server determines what data-cipher is used:

If you connect to a really old server (2.3 or earlier) you can use: data-ciphers-fallback AES-128-CBC or BF-CBC
Once you have that done, go back up to the file menu in Notepad++ and (Save As) "client1.ovpn" (no quotes

Last edited on 28-2-2021 16:12 by egc page 12

IMPORTANT NOTE: If you do not have a dynamic DNS domain (ddns) and you choose to use the DD-WRT WAN IP
address, your VPN will break as soon as your ISP changes your WAN IP address. For testing purposes, you can use the
DD-WRT WAN IP address.
You can then change the client1.ovpn settings later, once you have set up your DDNS. Or you can choose to use your
WAN IP address until it breaks.

Step 10 Windows setting up and installing the OpenVPN client

Copy the "client1.crt" "client1.key" and ‘ca.crt" files FROM: C:\Program Files\OpenVPN\easy-rsa\keys\ to
C:\Program Files\OpenVPN\config\ .
Lastly also copy the saved "client1.ovpn" from step 9 to the same OpenVPN config directory C:\Program
Files\OpenVPN\config.
It should get a nice orange OpenVPN icon if you were successful.

To start the OpenVPN, double click on the OpenVPN GUI icon on your desktop. That will launch OpenVPN and
activate the TAP. Look down in your taskbar for the OpenVPN GUI icon and right click it. Choose Connect, if
everything was setup correctly you will have a connection.
The menu which opens after right clicking can be used to see the log files or alter the configuration.

The OpenVPN 2.5 client can use Windows TAP or the new WinTun drivers (only for tun connection not for tap) which
has less overhead.
To use the WinTun drivers add in the config:
windows-driver wintun

Step- 11 Creating additional client files

To create additional client files, simply open up the command prompt and repeat Step- 4.
Don’t forget to run as administrator.
Once the command prompt is open, type:

cd C:\Program Files\OpenVPN\easy-rsa (enter)

vars.bat (enter)
build-key.bat "name of new client" (no quotes) (enter)

You can hit (enter) for all of the initial parameters as in the previous step, but for "common name" make sure you
type in "name of new client" (no quotes) (enter).
You can just hit enter for the "extra attributes" queries. You will then be asked again if you want to sign the
certificate, so type "y" (no quotes) (enter) and then "y" again (no quotes) (enter) to commit it.

Then repeat step 9 and adapt the two last lines cert and key to reflect the names of your new client certificate and
key.
Save the new file with a new name (like client2.ovpn).

Step-12 Android setting up and installing the OpenVPN client

Go to the Google play store and install the OpenVPN Connect app.

Last edited on 28-2-2021 16:12 by egc page 13

Copy the "ca.crt", "clientx.key", "clientx.crt" and "clientx.ovpn" config file to your phones download directory.
Open the VPN connect app and tap Import on the drop down:

Choose Import profile from SD Card

Head over to the download directory and import the "client.ovpn" file
Now you should be able to hit connect and have a connection.
Alternatively use the OpenVPN for Android client from Arne Schwabe, this is easier to change/play with.

Note:
The current Android OpenVPN Connect client does not work with data-ciphers yet, it will fall back to using the
default ncp-ciphers: AES-256-GCM:AES-128-GCM, you can add the data-ciphers in the conf file but it will be ignored
for now.
The Android client from Arne Schwab lets you specify newer protocols like CHACHA20-POLY1305 in the cipher
setting

Note:
Instead of copying the "clientx.ovpn" file and the three keys/cert files individually you can append the three keys to
the "clientx.ovpn" file, leave out the reference to ca…., cert…. and key… and copy your own keys and certificates like
the example below, this works for Windows, Android and iOS
client
……
……
data-ciphers CHACHA20-POLY1305:AES-256-GCM:AES-128-GCM:AES-256-CBC
<ca>
-----BEGIN CERTIFICATE-----
MIIEvTCCA6WgAwIBAgIJAKkRkVTxVEclMA0GCSqGSIb3DQEBCwUAMIGaMQswCQYD
VQQGE
-----END CERTIFICATE-----
</ca>
Last edited on 28-2-2021 16:12 by egc page 14
<cert>
-----BEGIN CERTIFICATE-----
MIIE+TCCA+GgAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBmjELMAkGA1UEBhM
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAo
-----END PRIVATE KEY-----
</key>

Step-13 iOS setting up and installing the OpenVPN client

(courtesy of @awh3r, I have not personally tested it comments are welcome)
Install ‘OpenVPN connect’ from the apps store. Plug your iPhone/iPad into your laptop. Sync your Phone/iPad , then
select the iPhone/iPad icon on the toolbar of iTunes. In iTunes Click on the iPhone.

Scroll down to "File Sharing" and click on OpenVPN client, then select "add files" import the following files. (these
instructions are for Windows 10, may vary with MAC OS.
Add the files: (see next page)
• clientx.ovpn
• ca.cert
• clientx.key
• clientx.cert

Restart your Phone.

Turn off wifi and launch OpenVPN on your iPhone. Import the new profile and tap the slider to "connect". You
should be asked about allowing OpenVPN to manage VPN connections on your phone. Click OK then you’ll connect.

Step-14 Setting up and Installing the OpenVPN client on DDWRT

I have set the clients IP address to 192.168.6.1 with Local Domain: home6

Goto Services/VPN and enable the OpenVPN Client

Use the same setting as the server setup (see screenshots below).
Be sure to use the same LZO compression settings

Open ca.crt with notepad and copy the contents including ---BEGIN CERTIFICATE up until and including END
CERTIFICATE---- , paste in CA.Cert box

Last edited on 28-2-2021 16:12 by egc page 15

Do the same for clientx.crt, copy ---BEGIN CERTIFICATE up until and including END CERTIFICATE---- this is at the end
of the file, so do not copy the whole content of this file, paste in Public Client Cert box
Do the same for client.key copy ---BEGIN PRIVATE KEY up until and including END PRIVATE KEY---- to the Private
Client Key box
Save and Apply and head over to the Status/VPN page and you should see CONNECTED.

Be sure to use the same LZO compression settings, the safest is to disable LZO compression in the GUI and leaving
out anything in the client config regarding comp-lzo.

See next page for an example

Note: You cannot test from inside your network, loopback is not working, so test from outside (use cellular)

Last edited on 28-2-2021 16:12 by egc page 16

OpenVPN Client settings (using a DDWRT router as client of your DDWRT server)

Last edited on 28-2-2021 16:12 by egc page 17

Newer builds from 39866 and upwards, have a box Inbound Firewall on TUN, it is not necessary to enable it. This is
for OVPN servers which you do not inherently trust i.e. for when connecting to commercial OVPN providers.

OpenVPN 2.5 has the new data-ciphers, set the client matching to the server.
The first data-cipher form the server which has a match with the client will be chosen.
In this case it is CHACHA20-POLY1305

When using a DDWRT client to a DDWRT server you do not need to enable NAT on the client (although it is easier to
do so, so it is in my recommended settings).
Instead you can add a static route on the server to route return traffic to the clients subnet (i.e. 192.168.6.0) back
over the OVPN server in the additional config of the OVPN server add:
Route 192.168.6.0 255.255.255.0 vpn_gateway

The advantage of not enabling NAT is that you can leave CVE Mitigation Enabled (but if you have other clients
connecting to the server which do NAT leave it disabled)

Furthermore you have to NAT the clients traffic out of the WAN of the OVPN server if you want to have internet
access, you already have a NAT rule to route the OVPN servers traffic but in this case you should use the general
NAT rule, so in step 8a add:
iptables -t nat -I POSTROUTING -s 192.168.6.0/24 -o $(get_wanface) -j MASQUERADE

To make it a little bit more safe, you can enable: "Verify Server Cert.", this sets ' --remote-cert-tls server ', this
requires that the peer (CA) certificate was signed with an explicit key usage and extended key usage based on
RFC3280 TLS rules.
When generating the certificate with easy-RSA this is the case so you can set this option if you like.

If the client does not reconnect after a disconnection you can add the following to the additional config to do a full
restart on disconnection:
remap-usr1 SIGHUP
resolv-retry infinite

References:
https://www.dd-wrt.com/phpBB2/viewtopic.php?t=312064&highlight=
https://www.howtogeek.com/64433/how-to-install-and-configure-openvpn-on-your-dd-wrt-router/
https://openvpn.net/index.php/open-source/documentation/howto.html
https://martyfoiegras.com/2016/09/05/dd-wrt-routed-openvpn-server-configuration-with-split-tunneling-support/
https://advancedhomeserver.com/dd-wrt-and-openvpn-part-1/
https://advancedhomeserver.com/dd-wrt-and-openvpn-part-2/
https://advancedhomeserver.com/dd-wrt-and-openvpn-part-3/

Routing both ways:

https://www.ossramblings.com/openvpn_route_both_ways

Last edited on 28-2-2021 16:12 by egc page 18

Advanced Section
Pushing Routes to the client (including pushing DNS servers)
Redirect-gateway def1 (which is enabled by enabling "Redirect default Gateway" in settings) pushes a default route
to the client, if done manually you could add the following commands in the Additional Config of the OpenVPN
server settings:
push "route 0.0.0.0 128.0.0.0 vpn_gateway"
push "route 128.0.0.0 128.0.0.0 vpn_gateway"
or
push "redirect-gateway def1" (def 1 preserves the old default gateway and is recommended)

If you want to connect to the local subnet where OpenVPN server resides (which is often done) and you do not have
"Redirect Default Gateway" enabled then you have to push that local route to your client e.g.:
push "route 192.168.5.0 255.255.255.0 vpn_gateway"

To push a route to the client not going through the VPN:

push "route 8.8.8.8 255.255.255.255 net_gateway"

By default a route is added to the clients routing table establishing a route to the OpenVPN server e.g. to 10.8.0.0. So
it is not necessary to push this route.

If you want to resolve DNS names over the VPN you will need to add the below lines to "Additional Config."
If you want to use a public DNS server (e.g. Google's ):
push "dhcp-option DNS 8.8.8.8"

If you want to use your own router/OpenVPN server (my servers Lan Domain is named "home5"):
push "dhcp-option DNS 192.168.5.1"
push "dhcp-option DOMAIN home5"

Here’s a breakdown of what’s going on:

The local DNS server at 192.168.5.1 is pushed to clients so they can make queries on the server’s network.
The domain is specified so local hostnames will resolve.

If you are using DD-WRT as a DNS server you’ll need to tell DNSMasq to listen for requests on the interface your VPN
clients will query on. To do this you’ll need to figure out what interface that is.
To see the interface your VPN clients will query on, you can find this in the GUI by clicking "Setup" > "Advanced
Routing" > "Routing Table." In there you’ll see a route that specifies the tun adapter you are using and the IP net see
below. For me it is tun2

Take that piece of information and navigate to "Services" > "Services." Scroll down to "Additional DNSMasq
Options" and enter
interface=tun#
where # is the number you pulled from routing table, in this case tun2.

Last edited on 28-2-2021 16:12 by egc page 19

Depending on Network setup you might have to disable "No DNS Rebind" on Services/Services on the OpenVPN
client or exclude your servers DNS server (its Local Domain) in Additional DNSMasq options with: rebind-domain-
ok=/[servers LAN Domain]/

As my OpenVPN servers local Lan Domain is home5:

rebind-domain-ok=home5

OpenVPN server on a Wireless Access Point (WAP)

(this also applies if you are setting up on a client bridge)
If using an OVPN server on a WAP with WAN disabled, on the same subnet, you should not be using DHCP forwarder.
It should be setup as simple WAP (see the wiki: https://wiki.dd-wrt.com/wiki/index.php/Wireless_Access_Point ) and
DHCP should be disabled.
Furthermore as DDWRT relies for a lot of things on the router is in Gateway mode, it is advised to keep the router in
its default Gateway mode and do not use Router mode.

Set Start Type on System, not WAN up.

If you do not specify Redirect Default Gateway you should push main subnet and push the main router as DNS server
(if you want to use DNS but this is optional):
push "route 192.168.5.0 255.255.255.0 vpn_gateway"
push "dhcp-option DNS 192.168.5.1"
push "dhcp-option DOMAIN home5"

Only rule needed for this type setup is (Administration/Commands, Save Firewall):
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to $(nvram get lan_ipaddr)

This will route to/from all interface on the WAP.

And the cool thing about this type of setup is that you will not need further firewall rules on any other device.

Alternatively you can also set a static route on the main router to route VPN traffic to the WAP.

Once the OpenVPN connection is established through the WAP you will be inside the local network.
If local DNS is enabled on the main router it will also work just fine via OpenVPN.

Note the newer guides have the NAT rule which uses get_wanface. This identifies the out interface correctly as br0
(in contrast to wan_ifname or wan_iface, so you do not need the rule as described above.

Use of tls-auth / tls-crypt

Starting with build 41304 there is a selection box to choose between TLS Auth and TLS Crypt (see pictures of settings
in this guide). So you can just selected which key to use.
Before that you can only use tls-auth via the GUI (you can use tls-crypt in the Additional Config)

TLS Crypt (starting with OpenVPN 2.4), this encrypts the OpenVPN at the start of the setup process and therefore
hides that it is an OpenVPN connection and is therefore the preferred option.

The use of tls-auth/tls-crypt key is not strictly necessary, without it OpenVPN is sufficiently safe. But in case you want
it, here are the instructions.

The --tls-auth / --tls-crypt option uses a static pre-shared key (PSK) that must be generated in advance
and shared among all peers. This features adds "extra protection" to the TLS channel by requiring that incoming
packets have a valid signature generated using the PSK key. If this key is ever changed, it must be changed on all
peers at the same time (there is no support for rollover.)
The primary benefit is that an unauthenticated client cannot cause the same CPU/crypto load against a server as the
junk traffic can be dropped much sooner. This can aid in mitigating denial-of-service attempts.
Last edited on 28-2-2021 16:12 by egc page 20
This feature by itself does not improve the tl- auth/tls-crypt in any way, although it offers a 2nd line of defence if a
future flaw is discovered in a particular TLS cipher-suite or implementation (such as CVE-2014-0160, Heartbleed,
where the tls-auth key provided protection against attackers who did not have a copy). However, it offers no
protection at all in the event of a complete cryptographic break that can allow decryption of a cipher-suite's traffic.

Generate a static key, for windows, open a command prompt and go to the OpenVPN directory with:
C:
cd \program files\openvpn\bin

and generate the static pre-shared key (PSK) with:

openvpn --genkey --secret ta.key

Open the ta.key file with Notepad++, and copy the contents into the TLS Key box in the DDWRT OpenVPN GUI.
For tls-auth, DDWRT sets the key-direction directive to 0 automatically.

For the client copy the ta.key file to the appropriate directory where the other keys are stored.
In the client config add:
For tls-auth:
tls-auth ta.key 1 (or specify the key-direction 1 option separately)

For tls-crypt:
tls-crypt ta.key
tls-crypt does not use a key direction.

TLS cipher setting can be left at None, it will default to TLS-DHE-RSA-WITH-AES-256-GCM-SHA384

If you have a build before 41304 tls-crypt can be pasted in Additional .Config of the server between <tls-crypt> and
</tls-crypt>. For example:
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
41a2fc4fbd0cb890d40ddf704defac6a
.......
-----END OpenVPN Static key V1-----
</tls-crypt>

For the client OVPN configuration file for Windows, Android and Mac add:
tls-crypt ta.key in the openvpn.conf
Copy the ta.key file to the appropriate directory where the other keys are stored.

Specifying the keydir with tls-crypt is not necessary, that is handled automatically

When using a DDWRT OpenVPN client, paste the key in the Additional Config like described for the server

Use of Username and Password

When you configure the OpenVPN server, you have the option to require a username/password from your OpenVPN
clients by adding the following directive in the Additional Config.
auth-user-pass-verify cmd method

You can examine the requirements of that directive in the following OpenVPN documentation.
https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage

This is not tested so needs confirmation

https://stackoverflow.com/questions/14448079/openvpn-password-authentication

Last edited on 28-2-2021 16:12 by egc page 21

In the OpenVPN config add:
verify-client-cert none
auth-user-pass-verify /tmp/vpn_user.sh via-env
script-security 3
username-as-common-name

You have to make an executable file named vpn_user.sh with the username and password those should be set at
ALLOWED_USER and ALLOWED_PASS, add the following to Administration/Commands save as Startup:

#=======BEGIN vpn_user.sh for setting username and password=========

SCRIPT="/tmp/vpn_user.sh"
cat << "EOF" > $SCRIPT
#!/bin/sh
(
#!/bin/bash
#vpn_user.sh
ALLOWED_USER="user"
ALLOWED_PASS="password"
echo "$username"
echo "$password"
echo $ALLOWED_USER
echo $ALLOWED_PASS
if [[ "$username" == "$ALLOWED_USER" && "$password" = "$ALLOWED_PASS" ]]
then
exit 0
else
exit 1
fi
)2>&1 | logger -t $(basename $0)[$$]
EOF
chmod +x $SCRIPT
nohup $SCRIPT > /dev/null 2>&1 &
#=======END vpn_user.sh=========

If you take this extra step on your OpenVPN server configuration, then the OpenVPN clients require the following
directive:
auth-user-pass <filename>

The argument to that directive must be a file containing the username and password on separate lines. In the case of
dd-wrt, the User Pass Authentication field in the OpenVPN client GUI makes this easier. It takes a username and
password and maps it down to this directive on your behalf.
So in the DDWRT OpenVPN client enable "User Pass Authentication" and fill in the "Username" and "Password" in
the boxes that will appear.

Windows 10, blocking the use of clients own DNS servers

Windows 10 has a habit of still using its own (client) DSN servers and disregarding the pushed DNS servers.
You can correct this by adding the following to your Additional Config of the server: push "block-outside-dns" or add
just block-outside-dns to the .ovpn file you use on your windows client.
On non windows clients this directive will give an error on the clients side as it is not recognized, you can simply
ignore the error or use ccd files (discussed elsewhere).

This option should of course be used in conjunction with the dhcp-option DNS command described earlier.
Last edited on 28-2-2021 16:12 by egc page 22
Running from the command line
It is possible to run OpenVPN (server and client) from the command line.
This so you could have two or more servers or clients running at the same time
You have to make your own openvpn.conf, route-up.sh and route-down.sh
You can contact me for assistance.
https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1209981#1209981

Setup with static key only

Static key setup is less secure so is not really advised, if you really want a quick and low footprint setup use
WireGuard. But if you still want it read on.

Put the static key in the appropriate static key box. (older builds will hide the static key box if Config as Text
(Daemon) is chosen.
In the GUI use the following settings:
• OpenVPN = Enable
• CVE-2019-14899 Mitigation = Disable
• Start Type = WAN up
• Inbound Firewall on TUN = Unchecked
• Config as = Text (Daemon in older builds)

In the Additional config add:

verb 5
script-security 2
dev tun2
port 1194
proto tcp4-server
keepalive 10 120
ifconfig 10.8.0.1 10.8.0.2
syslog
writepid /var/run/openvpnd.pid
cipher AES-128-CBC
auth SHA256
tun-mtu 1500
mtu-disc yes
route [lan-address-client] 255.255.255.0 vpn_gateway

For the Client:

verb 5
remote [ip-address-server]
port 1194
proto tcp4-client
dev tun (if used for ddwrt use dev tun1)
ifconfig 10.8.0.2 10.8.0.1
cipher AES-128-CBC
auth SHA256
keepalive 10 120
resolv-retry infinite
nobind
float
route [lan-address-server] 255.255.255.0 vpn_gateway
<secret>
Last edited on 28-2-2021 16:12 by egc page 23
-----BEGIN OpenVPN Static key V1-----
{{your static key goes here}}
-----END OpenVPN Static key V1-----
</secret>

In the client, of course, change your route to be your local subnet.

Also change port and protocol as you like (protocol can be proto udp4 for both server and client if you want udp).

Reference:
https://wiki.dd-wrt.com/wiki/index.php/OpenVPN_Remote_Access_by_Static_Key_(The_Simple_Way)
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327231

Running an OpenVPN server and OpenVPN client on the same router (Policy Based Routing)
If you want to run an OpenVPN server to get secure access to your home network and you want to run an OpenVPN
client to a commercial VPN provider (like Nord, Express, Private internet access etc.) for secure access to the
internet, you have to take special measures to make that work.
The problem is that you access your OpenVPN server via the WAN, and if you also have an OpenVPN client running,
the return traffic will go out via the VPN client and your firewall will not allow that.
One way to get this running is using Policy Based Routing (PBR) of the OpenVPN client.
Policy Based Routing will leave the normal default route out via the WAN intact but will instead create an alternate
routing table with a default route via the VPN client.
You specify the IP addresses which you want to use the VPN client in the Policy Based Routing Field of the OpenVPN
client.
You have to use CIDR notation (https://www.ipaddressguide.com/cidr )
In my example I have a client .89 and my whole DHCP range (100 – 150) routed via the VPN.
In the Policy Based Routing field I have:
192.168.5.89/32
192.168.5.100/30
192.168.5.104/29
192.168.5.112/28
192.168.5.128/28
192.168.5.144/30
192.168.5.148/31
192.168.5.150/32
(and now you know why some forum members are using an DHCP range from 64 – 127 ☺ )

When connected to the OVPN server from the outside you will normally be routed out via the WAN for your internet
access.
It is possible to route out via the VPN client so that you have a secured internet access. Therefore you have to add
the address you get from the OVPN server to the PBR range.
Usually you will get an IP address of 10.8.0.2 or 10.8.0.3 (you can see it in the OVPN status page) so enter in the PBR
field: 10.8.0.2/31.
It is even possible to set the whole subnet of the OVPN server to use the OVPN client : 10.8.0.1/24 .

It is possible to have the OpenVPN server hand out a static lease see the next section: Client-specific configuration –
CCD files

Note: for the OpenVPN server to function your default route has to be the WAN.

But there are also other advanced solutions available see: https://forum.dd-
wrt.com/phpBB2/viewtopic.php?p=1129398

Last edited on 28-2-2021 16:12 by egc page 24

References:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=315526&highlight=
https://wiki.dd-wrt.com/wiki/index.php/Policy_Based_Routing

Client-specific configuration – CCD files

In a setup where a single server can handle many clients, it is sometimes necessary to set per-client options that
overrule the global options, or to add extra options to a particular client. The option client-config-dir is very useful
for this. It allows the VPN administrator to assign a specific IP address to a client, in order to push specific options
such as a DNS server to a particular client or to temporarily disable a client altogether. This option is also vital if you
want to route a subnet from the client side to the server side, as we will see later on.

A client-config-dir or CCD file can contain the following options:

push: This is useful for pushing DNS and WINS servers, routes, and so on
push-reset: This is useful to overrule global push options
iroute: This is useful for routing IPv4 client subnets to the server
iroute-ipv6: This is useful for routing IPv6 client subnets to the server
ifconfig-push: This is useful for assigning a specific static lease

you have to tell the OVPN server where it can find these files, so in the Additional config of the OVPN server add:
client-config-dir /jffs/ccd
This tells the server to find the CCD files in the directory /jffs/ccd

Thus you must have permanent /jffs storage (USB or JFFS2) and make a directory on that: /ccd where the CCD files
are placed.

Make a text file in the /jffs/ccd directory with the common name of your client in my example client1
Open client1 with a text editor and add the following line:
ifconfig-push 10.8.0.9 255.255.255.0
to push an ip address of 10.8.0.9 (assuming the OVPN servers subnet is 10.8.0.0)

Alternatively, if you do not have permanent storage, just use the default directory (/tmp/openvpn/ccd) so do not set
client-config-dir and make the CCD files every time at startup:
echo "ifconfig-push 10.8.0.4 255.255.255.0" > /tmp/openvpn/ccd/client1
Place this in Administration/Commands, Save as Startup

You can add extra lines to this file with:

echo "iroute 192.168.6.0 255.255.255.0" >> /tmp/openvpn/ccd/client1

There is also a special DEFAULT file (/tmp/openvpn/ccd/DEFAULT) that contains settings in case there is no
configuration file for a certain client.
If you only have one client you can use this default file and you can enter content in that file via the GUI option:
CCD-Dir DEFAULT file

When you are done, reboot the OpenVPN server.

Reference
https://openvpn.net/community-resources/configuring-client-specific-rules-and-access-policies/

Last edited on 28-2-2021 16:12 by egc page 25

OpenVPN communication both ways (site to site communication).
Two way communication (from site to site) is easier to do with a bridged TAP setup but this chapter is for when you
are using a routed TUN setup and want to have two way communication.

Prerequisites and assumptions:

You have set up an OVPN server snd client on a DDWRT
You have a connection between OVPN server and OVPN client
Server side LAN 192.168.5.0
OVPN subnet: 10.8.0.0
Client side LAN 192.168.6.0
Client attached uses the common name client1

If you have not already done so:

Push server side LAN route to clients by adding redirect default gateway or push "route 192.168.5.0 255.255.255.0
vpn_gateway"

Instruct server to add a route to the client-side LAN for all local server side clients
In additional config of server add:
route 192.168.6.0 255.255.255.0 vpn_gateway
This will add a route in the server side routing table to route traffic for 192.168.6.0 to the OVPN server.

On the OVPN server disable the setting: Allow duplicate cn.

The next thing is to tell the OVPN server to which client it must send this traffic, that is where the iroute command
comes into play.
This command has to be placed in the CCD file of that respective client, in my case client1
So in the client1 CCD file add the following line:
iroute 192.168.6.0 255.255.255.0

Reboot server, Reboot client

CVE-2019-14899 patch
You can leave this enabled on the client side and do not need any workarounds, traffic from the servers subnet is not
NAT'ted so does not have a source address of 10.8.0.x and is therefore not blocked when accessing local client side
LAN clients.
The other way around from client side to server side LAN, the connection is blocked by the server side CVE-2019-
14899 patch, you can choose to disable the patch on the server side, or use the mitigation rule described earlier or
and that is actually the best option, disable NAT on the client side VPN (in the OVPN client side GUI set NAT Disable).
As we already have the necessary static routing in place where traffic destined for the client side LAN (192.168.6.x) is
routed via the VPN, the only thing to do is to add a firewall rule to the OpenVPN server to NAT the client side LAN
traffic out via the WAN (so add this on the server side):
iptables -t nat -A POSTROUTING -s 192.168.6.0/24 -o $(get_wanface) -j MASQUERADE

Site-to-Site reverse DNS setup (this needs confirmation)

When doing a reverse DNS lookup for site-to-site i.e. lookup for local lan from server to local clients add the tun
interface of the client (usually tun1 )to the clients DNSMasq.
On the server side specify a server for lookup of local lan clients of the client i.e. the local LAN domain of the client
and the IP address of the Clients router(which is the DNS server)

Additional DNSMasq Options of client (192.168.6.1, home6):

interface=tun1
local=/home6/
expand-hosts
server=/home5/192.168.5.1 (only when not pushed, see "Pushing Routes to the client (including pushing DNS servers") )
Last edited on 28-2-2021 16:12 by egc page 26
In Additional DNMasq options of the server (192.168.5.1, home5):
server=/home6/192.168.6.1 (local Lan Domain of the client and the clients DNS server (router))
rebind-domain-ok=home6 (clients local LAN Domain)

Take note, your local LAN clients usually have their own firewall only allowing traffic from their own subnet.
So to connect to a client from another subnet you often have to tweak the local clients firewall, i.e. clients on the
servers subnet (192.168.5.0) must allow traffic from the clients subnet (192.168.6.0) and the other way around.
A quick an dirty workaround is to NAT traffic:
On the server:
iptables -t nat -I POSTROUTING -o br0 -s 192.168.6.0/24 -j SNAT --to $(nvram get lan_ipaddr)
iptables -t nat -I POSTROUTING -o br0 -s $(nvram get openvpn_net)/$(nvram get openvpn_tunmask) -j MASQUERADE

On the client:
iptables -t nat -I POSTROUTING -o br0 -s 192.168.5.0/24 -j SNAT --to $(nvram get lan_ipaddr)

Local DNS setup : https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1208854#1208854

https://openvpn.net/community-resources/how-to/#scope
https://www.ossramblings.com/openvpn_route_both_ways
https://community.openvpn.net/openvpn/wiki/RoutedLans
https://forums.openvpn.net/viewtopic.php?t=26839
https://backreference.org/2009/11/15/openvpn-and-iroute/

OpenVPN and IPv6

(this section is under development)
https://community.openvpn.net/openvpn/wiki/IPv6

OpenVPN 2.5 should fully support IPv6 only tunnels

If host is a DNS name which resolves to multiple IP addresses, OpenVPN will try them in the order that the system
getaddrinfo() presents them, so priorization and DNS randomization is done by the system library. Unless an IP
version is forced by the protocol specification (proto) (4/6 suffix), OpenVPN will try both IPv4 and IPv6 addresses, in
the order getaddrinfo() returns them.

proto indicates the protocol to use when connecting with the remote, and may be “tcp” or “udp”.
For forcing IPv4 or IPv6 connection suffix tcp or udp with 4/6 like udp4/udp6/tcp4/tcp6.

Bottom line if you do not use the IP suffix OpenVPN might try IPv6 and can easily fail if that is not implemented so if
you have IPv6 enabled and only want IPv4 for OpenVPN use proto udp4 or tcp4

The GUI will be updated so that you can choose various protocol and IP suffixes

If you want your client to stop pulling unsolicited IPv6 options add to the client:
pull-filter ignore "route-ipv6"
pull-filter ignore "ifconfig-ipv6"
block-ipv6

Last edited on 28-2-2021 16:12 by egc page 27

Set up as TAP (bridged)

The normal VPN setup is routed (TUN) alternatively you can setup the VPN as bridged (TAP)

TUN is compatible with almost all operating systems, TAP is not compatible with iOS and Android ( a paid version of
the following Android client should support TAP: https://appgrooves.com/android/it.colucciweb.openvpn/openvpn-
client/colucci-webit).

Besides it will generate more traffic/overhead via the bridge and it opens up your whole network so security wise it
is worse.

However it has a big advantage: seamless access.

So if you use the VPN to connect let's say 2 family homes where you want to have seamless access/media streaming
etc. then TAP is a valid option.

It can also be used on a Windows client to get seamless access and thus you can have DLNA/streaming across the
VPN bridge

Setting up DDWRT OVPN server and DDWRT OVPN client

Basically use the guide to setup, with the following differences

DDWRT Server:
• Tunnel Device = TAP
• DHCP-Proxy = Disable
• Pool start IP = 192.168.6.200
• Pool end IP = 192.168.6.220
• Gateway = 192.168.6.1
• Netmask = 255.255.255.0
• Block DHCP across the tunnel = Disable

In the above, I'm assuming the Router’s network is using 192.168.6.0/24.

Once the OpenVPN server is up and running, it will automatically bridge the tunnel's network interface (usually tap2)
to the default bridge (br0).
You can even see this by issuing the following command from a telnet/ssh session: brctl show

Last edited on 28-2-2021 16:12 by egc page 28

Pool start in same subnet as router but outside DHCP scope, Gateway is Router

If you want to route all your traffic through the VPN server then you have to enable Redirect default Gateway.

CVE mitigation can be left turned on as this will not hamper local LAN access when using TAP mode

Last edited on 28-2-2021 16:12 by egc page 29

DDWRT Client:
The DDWRT client router needs to be configured as a standard router (i.e., its WAN connected to a LAN port on the
primary router). Give it an IP address that's different from the Router/server (e.g., if the primary is 192.168.5.1,
perhaps make it 192.168.6.1). And disable its DHCP server, that's important!
Now configure the OpenVPN client to connect to the OpenVPN server. Once again, most of the options are standard
fare, but pay special attention to the following:
• Tunnel Device = TAP
• NAT = Disable
• Bridge TAP to br0 = Enable
Once the OpenVPN client is connected to the OpenVPN server, the OpenVPN client's network interface (usually
tap0) will be bridged to the default network (br0). And once again, you can see this by issuing the following
command from a telnet/ssh session: brctl show

Any device that now connects to the OVPN client router (wire or wireless) will make its DHCP request across the
tunnel and get configured on the PH's local network.

If you want the OVPN client router to distribute its own DHCP then set the OVPN client routers IP on the same
subnet i.e. 192.168.5.254. Set the DHCP scope outside the DHCP scope of the OVPN router (100-150) and outside the
OVPN server (200-220) so use 151 -199 (48)
Then on the Server you can set: Block DHCP across the tunnel = Enable

Fill in Ca Cert box with ca.crt, Public Client Cert box with client.cert and Private Client Key box with client.key

Last edited on 28-2-2021 16:12 by egc page 30

Windows Client configuration:
For setting up a Windows client use the guide with the following settings:

client
dev tap
#proto udp4
proto tcp4-client
remote your.domain.ddns.net 1194
nobind
persist-key
persist-tun
remote-cert-tls server
auth-nocache
verb 4
float
tun-mtu 1500
auth SHA256
cipher AES-256-CBC
data-ciphers CHACHA20-POLY1305:AES-256-GCM:AES-128-GCM:AES-256-CBC
ca ca.crt
cert client1.crt
key client1.key

The TAP Network Adapter (which is also used for TUN connections) will have a Public Network profile and thus will
be firewalled.
Disable the firewall or set the TAP adapter on a private profile.

How to set the TAP adapter on a private profile:

Run cmd as administrator and do:
powershell.exe -ExecutionPolicy Bypass
to get the name of the TAP adapter: Get-NetConnectionProfile
Set-NetConnectionProfile -Name "[Name of TAP adapter]" -NetworkCategory Private

The default name is Unidentified Network in that case use:

Set-NetConnectionProfile -Name "Unidentified Network" -NetworkCategory Private

Check with Get-NetConnectionProfile to see if the Network Adapter is changed from Public to Private

For trouble shooting just disable the Windows Firewall.

Last edited on 28-2-2021 16:12 by egc page 31

Troubleshooting

See the third post: https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1157344

Or download the Troubleshooting guide

Reference for OpenVPN 2.5: https://build.openvpn.net/man/openvpn-2.5/openvpn.8.html

Last edited on 28-2-2021 16:12 by egc page 32

Last edited on 28-2-2021 16:12 by egc page 33