
Using DD-WRT with OpenVPN Access Server

Last modified: 29 November 2013

Introduction

Many of our users have expressed interest in using DD-WRT or related routers to connect to VPN servers hosted behind Access Server.
While using OpenVPN in this manner may not yield the best performance, due to the limited processing power and memory of the router, it could be useful in the cases where convenience, rather than high throughput, is required.
Please note that the information provided here is for EDUCATIONAL and INFORMATIONAL purposes only. We are not responsible for any damages you incur as a result of using these instructions. For technical support relating to the DD-WRT firmware, please visit the DD-WRT community forums.

In order to configure DD-WRT for use in OpenVPN Access Server environments, you will first need to create and download the autologin profile from your server. Instructions for doing this are provided below.

Creating and Downloading the Autologin Profile

To create and download the autologin profile for your DD-WRT router, visit the User Permissions area, create an appropriate username for the DD-WRT OpenVPN client, and then check the Allow Auto-login checkbox. Click the Update Running Server button to make sure the changes take effect.

Now, log in to the Client Web Server (CWS) and, when prompted, select Login from the dropdown.

Download the autologin profile that is offered to you in the CWS.

Once the profile has been downloaded, open it in your favorite text editor. Please note that if you are using the Windows operating system, you will need a text editor that understands the Unix line-ending (EOL) convention; text editors such as Notepad will not display the file correctly. In this case, use a text editor such as Notepad++, WordPad, or Microsoft Word.

To verify that your profile is indeed an autologin profile, you should see the OVPN_ACCESS_SERVER_AUTOLOGIN=1 notation in the profile you just opened in your text editor. If this notation does not exist, it is possible that the profile you acquired was not an autologin profile, and thus will not work correctly with your DD-WRT router.

** NOTE: The instructions below will only work on more recent versions of DD-WRT. In other words, if you are running the stock version of DD-WRT provided on the main website, these instructions will probably NOT work for you. To update to the latest version, visit ftp://ftp.dd-wrt.com/others/eko/BrainSlayer-V24-preSP2/. Make sure that you follow all flashing instructions for your particular device, otherwise your device could be rendered inoperable. We will not be responsible for any devices that are unusable due to incompatible or bad flashes. As with any third party firmware or customizations, FLASH AT YOUR OWN RISK!

Before you begin, make sure your router is properly configured for an NTP server. OpenVPN checks the validity dates of the server certificate during the TLS handshake, so a router with the wrong time will fail to connect. This setting can be found under the Setup tab in your router configuration. Under Time settings, make sure the NTP Client is set to Enable and the Server IP / Name is populated with a proper time server. If you do not know what your time server is, please fill in time.nist.gov in the text box as indicated.

Afterwards, visit the Services tab, then the VPN tab. Under the section Start OpenVPN Client, click the Enable radio button. If you do not see this section, it is possible that your DD-WRT build is not OpenVPN enabled. Please consult the DD-WRT documentation for more information on the various DD-WRT builds.

Once you have selected that option, also check the Enable option under Advanced Options. This allows you to define the options required by Access Server for the VPN connection to work.

The following screen should then be displayed, as depicted below:

Configuration Descriptions:

Start OpenVPN Client: Enables/Disables the OpenVPN client connection.

Server IP/Name: The hostname of the VPN server you are trying to connect to. If you do not know what this is, look inside your profile for entries starting with remote. For example, the entry remote us.shieldexchange.com 1194 udp indicates that the hostname is us.shieldexchange.com.

Port: The port number the VPN server is listening on. If you do not know what this is, look for the port number in the remote entries, such as the one shown in the previous example, where the port is 1194. If your server is only using a single port, you may instead see the port number specified using the port directive (e.g. port 1194). It is preferable that you choose UDP ports over TCP, as UDP provides better reliability for your VPN sessions.

Tunnel Device: The operating mode your Access Server is using. In most cases, this will be TUN (layer 3); the mode is specified in the profile by the dev and dev-type directives (e.g. dev-type tun).

Tunnel Protocol: The tunneling protocol your VPN is configured to use. Access Server is often set to use a combination of both TCP and UDP ports, as conveyed by the remote entries or by the proto directive (e.g. proto udp). If your server has both TCP and UDP entries, it is preferable that you select the UDP pair, as it will provide better reliability for your VPN sessions.

Encryption Cipher: The encryption algorithm OpenVPN will use to connect to the remote server. This must match what is currently used on the server. By default, Access Server uses the Blowfish CBC mechanism for encrypting the data channel. You cannot select other algorithms here, unless you also change what is being used on the server. For information on changing the cipher in Access Server, please visit the article here: https://docs.openvpn.net/frequently-asked-questions/cipher-use-in-openvpn-as/.

Hash Algorithm: SHA1 is the hash algorithm used by Access Server, so you should select this here.

nsCertType verification: Checks to see if the remote server is using a valid type of certificate meant for OpenVPN connections. As this is a security feature of OpenVPN, it should be left enabled.

Advanced Options: As described previously, this option must be Enabled for you to set the required options necessary for a successful VPN connection.

LZO Compression: Enables compression over VPN. This option is turned on by default by Access Server, although support for this can be turned off on the client side.

NAT: Creates a NAT layer over the VPN tunnel. This should be Enabled if you plan to have all of your clients' traffic sent over the VPN tunnel under the shared IP address assigned by the VPN server. If you want to send traffic from your clients directly over the tunnel without any address modification (e.g. if you are using Advanced Routing), then this option should be Disabled. It is highly recommended that you turn this option on, unless you know what you are doing.

Local IP Address: Specify an IP address that your OpenVPN tunnel should use. This field is usually not applicable, since Access Server automatically assigns an address upon a successful connection.

TUN MTU Setting: The maximum transmission unit (MTU) used over the VPN tunnel. Leave this at 1500, unless otherwise directed by support staff or a network professional.

MSS-Fix/Fragment across the tunnel: Unless directed otherwise by support staff or a network professional, leave this field blank.

TLS Cipher: The encryption algorithm OpenVPN should use for its control channel. AES-128 SHA and AES-256 SHA are good choices here. On newer versions of DD-WRT that do not have these options, please select an option that ends with SHA1, or select None.

TLS Auth Key: The static key OpenVPN should use for generating HMAC send/receive keys. You may find this key surrounded by the <tls-auth> brackets. Copy the contents from your profile, starting from -----BEGIN OpenVPN Static key V1----- until you reach -----END OpenVPN Static key V1-----.

Additional Config: Any additional configurations you want to define for the VPN connection. If you would like to run a split tunnel over the VPN, you can use the directive syntax below:

route-nopull
route <VPN server hostname or IP here> 255.255.255.255 net_gateway
route <hostname or IP of subnet here> <subnet mask here> vpn_gateway
route <hostname 2 or IP of subnet 2 here> <subnet mask 2 here> vpn_gateway

For example, to redirect only secretnet.exampletronix.com and the 192.168.1.0/24 subnet over the vpn.exampletronix.com VPN server, use the following directives:

route-nopull
route vpn.exampletronix.com 255.255.255.255 net_gateway
route secretnet.exampletronix.com 255.255.255.255 vpn_gateway
route 192.168.1.0 255.255.255.0 vpn_gateway
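The example above is written out by hand. The following helper, added here and not part of the original article or of DD-WRT, generates the same Additional Config text from a list of destinations given as hostnames, single IPs or CIDR networks, converting CIDR prefixes to the dotted netmask form that the route directive expects. The function name and its inputs are this example's own.

```python
import ipaddress


def split_tunnel_config(vpn_server, destinations):
    """Build the 'Additional Config' lines for a split tunnel.

    vpn_server:   hostname or IP of the Access Server. It is pinned to the
                  normal gateway (net_gateway) so the tunnel's own transport
                  is never sent into the tunnel.
    destinations: hostnames, single IPv4 addresses, or IPv4 CIDR networks
                  that should be reached through the tunnel (vpn_gateway).
    Returns the directive text, one directive per line.
    """
    lines = [
        "route-nopull",  # ignore the routes pushed by the server
        f"route {vpn_server} 255.255.255.255 net_gateway",
    ]
    for dest in destinations:
        try:
            # strict=False lets "192.168.1.5/24" mean the whole /24 rather
            # than being rejected for host bits set in the address.
            net = ipaddress.ip_network(dest, strict=False)
        except ValueError:
            # Not an IP or network, so treat it as a hostname. OpenVPN
            # resolves it when the client starts; a single host gets a /32.
            lines.append(f"route {dest} 255.255.255.255 vpn_gateway")
            continue
        if net.version != 4:
            # The route directive shown in this article is IPv4-only;
            # IPv6 destinations need the separate route-ipv6 directive.
            raise ValueError(f"IPv6 destination not supported here: {dest}")
        lines.append(f"route {net.network_address} {net.netmask} vpn_gateway")
    return "\n".join(lines)


if __name__ == "__main__":
    # Reproduces the exampletronix example from the article.
    print(split_tunnel_config(
        "vpn.exampletronix.com",
        ["secretnet.exampletronix.com", "192.168.1.0/24"],
    ))
```

Paste the returned text into the Additional Config field as-is. Each destination line is an ordinary OpenVPN route directive, so anything the DD-WRT OpenVPN client would reject (for example a hostname it cannot resolve at startup) shows up in the OpenVPN status log described at the end of this article.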

Policy based Routing: This field should be left blank.

CA Cert: The CA certificate used by the VPN server, found between the <ca> brackets inside the profile. Start copying from -----BEGIN CERTIFICATE----- until you hit -----END CERTIFICATE-----.

Public Client Cert: The certificate used by the VPN client, found between the <cert> brackets inside the profile. Start copying from -----BEGIN CERTIFICATE----- until you hit -----END CERTIFICATE-----.

Private Client Key: The client's private key used by the VPN client, found between the <key> brackets inside the profile. Start copying from -----BEGIN RSA PRIVATE KEY----- until you hit -----END RSA PRIVATE KEY-----.
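Copying the blocks above out of the profile by hand is error-prone (a stray comment line inside <tls-auth>, or a PEM delimiter left off). The following script, added here and not part of the original article or of Access Server, performs the checks described on this page in one pass: it confirms the OVPN_ACCESS_SERVER_AUTOLOGIN=1 marker is present, picks the UDP remote entry when both are offered, reads the dev-type, cipher, auth and comp-lzo directives, and extracts the <ca>, <cert>, <key> and <tls-auth> blocks trimmed to their BEGIN/END lines. The sample profile is constructed for this example; its hostnames and key bodies are placeholders, not real material.

```python
import re

# Constructed sample profile. Real profiles carry actual PEM data here.
SAMPLE_PROFILE = """\
# OVPN_ACCESS_SERVER_AUTOLOGIN=1
client
dev tun
dev-type tun
remote vpn.example.com 443 tcp
remote vpn.example.com 1194 udp
cipher BF-CBC
auth SHA1
comp-lzo
<ca>
-----BEGIN CERTIFICATE-----
CONSTRUCTED-CA-CERT-BODY
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
CONSTRUCTED-CLIENT-CERT-BODY
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
CONSTRUCTED-CLIENT-KEY-BODY
-----END RSA PRIVATE KEY-----
</key>
<tls-auth>
# 2048 bit OpenVPN static key (comment lines like this are dropped)
-----BEGIN OpenVPN Static key V1-----
CONSTRUCTED-TLS-AUTH-KEY-BODY
-----END OpenVPN Static key V1-----
</tls-auth>
key-direction 1
"""

# PEM delimiters named by the article for each inline block.
PEM_MARKERS = {
    "ca": ("-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"),
    "cert": ("-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"),
    "key": ("-----BEGIN RSA PRIVATE KEY-----", "-----END RSA PRIVATE KEY-----"),
    "tls-auth": ("-----BEGIN OpenVPN Static key V1-----",
                 "-----END OpenVPN Static key V1-----"),
}


def parse_profile(text):
    """Split an .ovpn profile into directives, remote entries and inline blocks."""
    profile = {
        # The marker lives in a comment line, so search the raw text.
        "autologin": "OVPN_ACCESS_SERVER_AUTOLOGIN=1" in text,
        "remotes": [], "directives": {}, "inline": {},
    }
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line[0] in "#;":
            continue
        tag = re.fullmatch(r"<([a-z-]+)>", line)
        if tag:  # collect everything up to the matching </tag>
            name, body = tag.group(1), []
            while i < len(lines) and lines[i].strip() != f"</{name}>":
                body.append(lines[i].rstrip())
                i += 1
            if i >= len(lines):
                raise ValueError(f"unterminated <{name}> block")
            i += 1
            profile["inline"][name] = "\n".join(body)
            continue
        parts = line.split()
        if parts[0] == "remote":  # remote <host> [port] [proto]
            host = parts[1]
            port = int(parts[2]) if len(parts) > 2 else 1194
            proto = parts[3].lower() if len(parts) > 3 else None
            profile["remotes"].append((host, port, proto))
        else:
            profile["directives"][parts[0]] = " ".join(parts[1:])
    return profile


def pem_block(profile, tag):
    """Return the block trimmed to BEGIN..END, checking the delimiters."""
    body = profile["inline"].get(tag)
    if body is None:
        raise ValueError(f"profile has no <{tag}> block")
    begin, end = PEM_MARKERS[tag]
    lines = [l for l in body.strip().splitlines() if not l.startswith("#")]
    if not lines or lines[0] != begin or lines[-1] != end:
        raise ValueError(f"<{tag}> block is not delimited by {begin} / {end}")
    return "\n".join(lines)


def ddwrt_fields(profile):
    """Map the parsed profile onto the fields of the DD-WRT OpenVPN client page."""
    if not profile["autologin"]:
        raise ValueError("not an autologin profile: OVPN_ACCESS_SERVER_AUTOLOGIN=1 missing")
    d = profile["directives"]
    default_proto = "udp" if d.get("proto", "udp").lower().startswith("udp") else "tcp"
    remotes = [(h, p, pr or default_proto) for h, p, pr in profile["remotes"]]
    if not remotes:
        raise ValueError("profile has no remote entry")
    # The article recommends the UDP entry when the server offers both.
    host, port, proto = next((r for r in remotes if r[2] == "udp"), remotes[0])
    dev = d.get("dev-type") or d.get("dev", "tun")
    return {
        "Server IP/Name": host,
        "Port": port,
        "Tunnel Device": "TAP" if dev.startswith("tap") else "TUN",
        "Tunnel Protocol": proto.upper(),
        "Encryption Cipher": d.get("cipher", "BF-CBC"),
        "Hash Algorithm": d.get("auth", "SHA1"),
        "LZO Compression": "comp-lzo" in d,
        "TLS Auth Key": pem_block(profile, "tls-auth"),
        "CA Cert": pem_block(profile, "ca"),
        "Public Client Cert": pem_block(profile, "cert"),
        "Private Client Key": pem_block(profile, "key"),
    }


if __name__ == "__main__":
    for field, value in ddwrt_fields(parse_profile(SAMPLE_PROFILE)).items():
        print(f"{field}: {value.splitlines()[0] if isinstance(value, str) else value}")
```

Run it against a real downloaded profile by reading the file into parse_profile instead of SAMPLE_PROFILE. A ValueError from ddwrt_fields means the profile is not the autologin kind or one of the inline blocks is missing or mis-delimited, which are exactly the cases this article says will not work on the router. Treat the printed private key with the same care as the profile file itself.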

To start the VPN connection, click the Apply Settings button towards the bottom of the page. You may view the status of your VPN connection by visiting the Status tab, and then the OpenVPN tab.