Set up an OpenVPN Server on your DD-WRT Router

Captions
Hey everyone, it's Chris again. Today I'm going to talk about setting up an OpenVPN server on your DD-WRT router. Why would you want to do this? Hey, it's really nice to be able to connect to your home network from some remote location, and I regard the OpenVPN server as the cornerstone of a decent lab setup in your home. So if you've got a lot of services running on your home network, you don't want to expose them out to the real internet, but you do want to use them when you're out and about. Well, a good way to do that is to set up an OpenVPN server on your router so that you can tunnel into your home network as if you were home.

Now really I'm just following, more or less, the guide that is in the DD-WRT forum, and I'm going to post the link to this guide in the description below. I would recommend you go over to this forum location if you have any issues; it's very excellent. The people who've maintained this guide have put a lot of work into it. And if you can't see it, it's because you can only see the download if you are logged in, so you will need to join the forum and log in.

So I'm going to do most of this tutorial from Linux, but if you are in Windows you can go and download the easy-rsa package from GitHub; I put the link in the video description below. Here I'm on easy-rsa 3.0.8. You're going to want to grab the win64 package most likely; if you still are running a 32-bit machine, I think you'll probably know that. So once it's downloaded we're going to go have a look at it, and I'm just going to extract it right here in my Downloads directory. OK, I have a look inside here. So the first thing I'll have you do is copy that vars.example file, and then I'm going to rename it; we're just going to rename that copy to vars. And then just run EasyRSA-Start, and this opens up a window in which you can execute easy-rsa commands. Now the rest of this video, as I mentioned, is going to be in Linux. The same kinds of commands that I'm going to show you in Linux you can execute here in this Windows shell; the only differences are that in Linux I'm going to use vi for file editing, and in Windows you're going to want to edit the vars file, probably with Notepad++. So I'm going to show this part from Linux. It's going to be really similar if you're in Windows; you're just using a different set of tools. If you're in macOS it's going to be really, really similar to what I'm doing in Linux.

If you are using Ubuntu like I am, you can always do a sudo apt install to install easy-rsa and openvpn. I already have them installed so I don't need to do that, but that'll get you what you need. And what we're going to do is create our own certificate authority, and we're going to use that certificate authority to issue certificates for our OpenVPN server, so for our router, and also for a client, so in my case a laptop. And once you've created the certificate authority, we will be able to use it in the future to create more client certificates if you have more clients in the future.

So on Linux there is a command we can run, and you won't have this on other platforms, but make-cadir will create a certificate authority directory for us. I'm going to call it ddwrt certificate authority. OK, so now if I go into ddwrt certificate authority there's a few things in here. I've got a nice convenient link here for the easyrsa command that I can use for certificate authority creation. Now before I begin anything, what I want to do is actually set up a public key infrastructure in here, and that really just means "go create me a bunch of files", but what you do is you run easyrsa init-pki. OK, so now if I look at my directory again, I now have a pki subdirectory, and that's the beginning of my certificate authority. OK, now you don't want to run init-pki in here again, because that will blow away what you've done, so you want to keep your certificate authority. Now before we start to create certificates I need to edit this vars file, because this tells easy-rsa a few things about how to create the certificates.

OK, now I'm in Linux; I'm going to use vi to edit this. If you're in Windows you probably want to use Notepad++, a good text editor like Notepad++, because it can edit Unix-style files. So here I am in vi. If you're not used to vi, you can navigate this kind of easily. I'm at the top of the file right now; if I hit Shift-G that will put me at the bottom of the file, and I need to add two lines at the bottom of the file. So if I just type i, that puts me in insert mode. I can say set_var EASYRSA_KEY_SIZE 2048, so my keys are going to be 2048 bytes. The other one is set_var EASYRSA_CERT_EXPIRE, and this is going to be the number of days before your certificates expire. So you could do 3650; that's 10 years roughly. I'm not sure, I think the default is 1080. Choose whatever you like; just be aware that whatever you choose, the certificates that you issue will expire after this many days. So once you're done editing you can hit Escape, and I'm going to say :x, that's exit and write the file. So my two lines were added to the vars file, and now I'm able to start creating some keys.

The first thing I need to do is build my certificate authority keys, and so what we do is we say easyrsa build-ca nopass. I'm saying nopass; I'm not putting a password on my certificate authority. You could choose differently. And it's going to prompt me for a certificate authority name; I'm going to call it ddwrt certificate authority, and there we go. So it says that it's created this for us: in the pki directory there's a ca.crt, and that ca.crt is the public certificate for our certificate authority. There's also a private one in there. If we want to go look in pki, so there's my public certificate for the whole certificate authority, and if I go into private there is a ca.key, and that's the private key. These always come in pairs: there's always one that you give out to the public, and there's always a private one you keep for yourself, and the private one is for encrypting and decrypting messages. OK, so that's the certificate authority, but we also need to create a key for our server, our actual router, and once we've created the keys for our router we're going to use the certificate authority to say "yes, those keys are good"; we're going to sign the keys with the certificate authority.

All right, so what we're going to do is say easyrsa gen-req, and we're going to create a ddwrt-server, and say nopass. It's going to ask me for a name; I'll just say ddwrt-server is good, I'll hit Enter, and it creates my public/private key pair. So there's the ddwrt-server; that's the public one, and the private one is here. Now this request, this one isn't really what we're going to use, because this really needs to be signed by our certificate authority for it to be usable. So we can do that pretty easily: we've got this request, this unsigned request, and we can say easyrsa sign-req, and it's a server we're signing, and we're going to sign ddwrt-server. It just says "do you really want to do this?" In fact I do, and so what we ended up with was a certificate, a signed certificate, created at pki/issued/ddwrt-server. So this is another public one; it's a public certificate. So just to recap, we created three files for our server: we created that request, the private key, and now this signed certificate. We really only need the signed certificate and the private key. So that's the certificate.

We also need a key pair for our client, in my case for my laptop. So we just do another easyrsa gen-req, and we're going to call this one laptop-client. We'll say nopass again. OK, and it created a pair, and then of course we need to sign it, so we just do easyrsa sign-req; this time it's a client that we're signing, and then we just say laptop-client. Am I sure? Yes I am. So there you see it went into the issued directory as laptop-client.crt. So we have a signed key pair for the server, and we have a signed key pair for the client.

There's one more file that we need; it's a Diffie-Hellman parameter. I think it's for authentication and for encryption; I'm not totally sure, but we're going to make it. It's easyrsa gen-dh, and I love this command, it looks so cool and computery. Watch this: it's going to take a long time, but meantime we get a nice little show. All right, that was pretty awesome, and we now have our dh.pem file in pki.

So we've got everything we need, but let's go look at that pki directory. It is crazy; there is too much to see here, there's too much to know, so we need to make it a little more straightforward. I am going to back up a directory and I'll create a directory called ddwrt. I'm going to only put in the things that we need in ddwrt. OK, so we are going to need from pki the CA certificate, so I'll copy that over to ddwrt; that's the public certificate for the certificate authority. I'm going to copy the public and private keys for the server, so let's go private first: we'll go to private and we will copy ddwrt-server to ddwrt, and then we'll copy the public one, which is under issued. And then we'll do the same for the client certificates, so remember those were called laptop: so pki/private/laptop-client to ddwrt, copy pki/issued/ddwr... no, no, it's laptop, to ddwrt. And we need our awesome Diffie-Hellman file; we will copy that to ddwrt. All right, now go into ddwrt and I have six files. So we've got the public certificate authority cert, we've got the public server cert and the private server key, we've got our Diffie-Hellman guy, we've got the public laptop certificate and we've got the private laptop key, so the client and server. So you should have six files.

Now we're going to move on to the router configuration for all of this, but please keep your certificate authority directory around, and the reason I say that is because you're probably going to want to sign a certificate for another client in the future. In this case I did a laptop; maybe I'm going to want to do another one for an iPhone or something. So keep your certificate authority directory around, because you need to use it in order to generate new certificates.

OK, so now that we have our certificates, we're going to go into the router itself. So here I'm in my DD-WRT interface and I've gone to the Services tab and VPN, and that's really where we're going to start. You just want to scroll down to OpenVPN Server, and we're going to enable that. We'll review some of these settings in a moment, but I want to focus on the certificate sections. So it's asking for a CA cert. What I'll do is I will put my window docked over here, and we'll look at the terminal docked like that. So that CA cert is going to be that ca.crt file that we generated. I'm just going to cat it out; you could open it in a text editor or whatever you want, we just need to copy and paste some stuff. So I'm going to get from the start where it says BEGIN CERTIFICATE, I'm going to highlight everything to the end, and I'm going to copy it, and we're going to paste it right into CA Cert. OK, next up is the private server key. If we look in here again, here I'll change these windows a little bit. So for the private server key we're looking for one of these two server files, and it actually is the one with the .key extension, so let's cat that out and I will copy and paste this as well. DH PEM is pretty easy; that's going to be the dh.pem file. And we also need to do this public server cert, so that one is the server .crt. This one has some extra stuff in it; you only need the stuff from BEGIN CERTIFICATE to END CERTIFICATE. OK, so that's all the server certificates. Scroll to the bottom and hit Apply Settings.

OK, and here's where we're going to configure the rest of this. So I'm just going to go down through the options and you'll just have to set them to the same settings. So I'm turning off this CVE mitigation; this is safe to do because I'm on a newer version of the firmware. I'm going to start with... well, you can either start with the system or the WAN; it's up to you. I'm going to start with the WAN, so as soon as we get internet connectivity it's going to start. This network here, this is the subnet that clients connected to OpenVPN are going to connect as, so we'll do 10.8.0.0 and the netmask will be 255.255.255.0. So everybody connecting will be 10.8.0.1, 2, 3, 4; they'll connect with those addresses. We'll leave the port alone, and UDP is the protocol. We'll change the cipher to this AES-256-CBC, and we have an opportunity for advanced options, so we're going to enable that. Under compression we want to disable it entirely. We're going to enable redirect default gateway, and we are going to allow duplicate clients; you can choose to allow that or disallow that. We'll see later on when we provide the client key. And that's everything you need, so I'm going to go to the bottom and apply settings.

Now one thing you need to be sure about is your router's date should be actually accurate. So if I go to Administration, I'm going to go to Commands, and I'm just going to run the date command. So you see my router thinks that it's January 1st, 1970. That's a little bit of a problem, and the reason that's a problem is because our certificates are all time-based. You know, I only issued the certificate today in 2021, so the certificates are going to appear to be not valid if the router thinks it's 1970. So we need to make sure that we have the correct time. In my case it's because I haven't plugged this test router into the internet yet; you'll notice my WAN IP is 0.0.0.0. If I go over to Setup, I just plugged in the cable and so I've got something now, but you want to go down and you want to enable the NTP client so it will go get the time automatically. And I'm not in Europe; I'll just change this to Canada Atlantic, apply my settings, and I can be sure that it worked by going back to Administration, Commands, and I'll just run that date command again. That's good news.

So right now the router is theoretically set up to accept clients, and in fact if we look at Status and go to OpenVPN you'll actually see some logging here related to the OpenVPN server. Now I have nothing in the client list so far because no clients have connected. There is one more thing you may want to do; it's under the Administration tab and Commands again. You may want to, and I'll paste this in the video description, you may want to add this iptables command. What this is going to do is allow clients that are running in our subnet, in our 10.8.0 subnet, to connect up to the WAN interface. In other words, if I connect to the OpenVPN server from a hotel somewhere, I'm going to run as if I'm really on the home network, even when I'm connecting to the internet. So I'm going to Save Firewall. And since we did a lot of new things to this router, I'm going to go to the Administration tab and Management, and at the bottom is Reboot Router, so we're going to reboot it. OK, the router started back up. I'm just going to double-check in Status and OpenVPN. OK, and I do have OpenVPN logging, so the server is up.

So now you're going to want to set up your laptop to be able to connect to this OpenVPN server. To do that we are going to need to use our client key pair, and we're going to show how to do that in Linux and also in Windows. All right, with my OpenVPN server set up I can actually test it, and I'm going to test it first here in Linux. If you're in Linux it's actually very, very easy to test this, but first I'm going to show you conceptually how I'm going to test this. It's a little bit tricky. You know, we're used to testing things inside our local networks, and this is really for getting into your local network from outside. So how would you properly test that? Well, first of all I'd like to point out that here's my WAN IP for this router, and you know, this is just a test router that I set up for this video, and I actually have it connected in behind my real router, so this address was actually handed out by my main or primary router. So I'm just going to show a little diagram here; this is kind of my setup at the moment. My primary router is connected to the internet, and my OpenVPN server is connected via its LAN port to something on my main router. I've got the wrong address here, but conceptually, if you think about it, if I connect directly to my main router I am external to this subnet, so this router would see any traffic coming in by its LAN port as if it's external. I'm going to connect to my main router and I'm going to attempt to connect to the OpenVPN server through the IP address that my main router has assigned the secondary router. So it's an easy way to do a local test.

Now ultimately we're going to want to expose this to the real internet, and so really you'd want to be running your OpenVPN server on your primary router, and you would need a way to test it. So you can hop onto a friend's Wi-Fi maybe and test it that way, but I find the easiest thing to do is, you know, we all have cell phones that have external connections to the internet: turn on your personal hotspot on your cell phone, connect your laptop to the personal hotspot, then you are really on the real internet, and if you can connect to your OpenVPN server from that personal hotspot then you know that it really does work. Of course there's lots of other configurations. The OpenVPN server runs on UDP port 1194. If you are stuck with a router behind another router, you at least need to port forward 1194, so if a connection does come in through the internet you do have a way to tunnel through.

So I'm just going to pull out the Ethernet cable from my laptop to that router, and I will no longer be on this network; I'll fall back to being connected to my main network via Wi-Fi. And to prove that I really am disconnected, what I can do is ping 192.168.1.1, which of course is the address of the router that I've been setting up, and it's not working. I'll just leave that running in the background. So I'm going to connect to that address, 192.168.5.204. I'm going to go under my network configuration and go to VPN Connections, and I'm going to go to Configure VPN. So I'm running Ubuntu Xfce; under this VPN section I'm just going to click plus, and I will choose an OpenVPN connection, Create. So gateway 192.168.5.204. CA certificate: click on this, so I'm going to select the ca.crt file that we set aside. User certificate: this is one of the client certificates, so that will be laptop-client.crt. So the user private key, of course, is the private key associated with this laptop certificate, and there it is, laptop-client.key. And you know, if you had set a password on your key you could fill it out here, but I didn't do that. So I'll save that, and now if I just select VPN Connection 1, I'll watch this up here, and I did get logged into a VPN. I'll go back over to my terminal, and all of a sudden I'm getting replies from my router, which means I'm on the 192.168.1 network. So that's definitely working. So if we go to Status, OpenVPN... so that's nice.

But you know, if I was connecting from the internet I wouldn't want to use an IP address to connect; I wouldn't necessarily know the IP address in my home network. And so a good thing to do is to go to Setup and DDNS, and what you can do is set up one of these services. Now I like to use noip.com. So if you get an account on noip.com, what it does is it gives you an address that is always updated with your external IP address, your public IP address. So your host name might be something like myhost.noip.com; that's what you would use in the VPN configuration. So rather than having that IP address, you would put myhost.noip.com in there. So that's connection from Linux, and it works really, really well.

So now I'm going to show you how to connect to your OpenVPN server using Windows, and here I've got the guide open that I had mentioned in the beginning of the video, and it has some information about connecting via the Windows client. So what Windows client are we talking about? Well, we're talking about downloading this OpenVPN community client. If you're on Windows, it's likely you need the 64-bit installer, so I downloaded that and I installed it. Now once I had installed it, I ended up having a Program Files\OpenVPN directory on my C drive, and under that is a config directory, and what you need to do is copy in the CA cert and the client cert and the client key that you're going to use. Now I've got these named a little bit differently than what I showed earlier in the video, because this is a different configuration, but previously I'd put aside all of the certificates and keys that we had generated using easy-rsa, and so I need the certificate authority and I need the key pair associated with the client. So you copy those over into the config directory, and you need to be administrator in order to do that, because it's Windows. And you'll also need to add a text file; in this case it's called client1.ovpn. It's a little tricky to create this file. What I did was I actually copied and pasted the README, and it prompts me for administrator; I just say go ahead, and then I hit F2 to rename this thing, and I rename it even with the extension; it just needs to have an .ovpn extension. Another administrator prompt, and then you're going to want to open it and edit it using Notepad++.

So you need to fill in a configuration here. I've already got one right here which I will copy in, and I'll provide access to this in the video description. There's just a few key things that you need to set up. So first is the remote address you're going to connect to; I covered that in the Linux setup, so you can choose whatever makes sense, either a noip.com address or perhaps it's an IP address. And you need to provide the file name of the CA cert and the certificate for the client and the key for the client, which hopefully you've copied into that directory. If you try to save this, the first time you save it you're likely going to be prompted to restart Notepad++ in administrator mode, so you would go ahead and do that. So I'm actually just going to delete that file, because I already have a client file in here. Once you have the client file and the required keys, if you go down to this icon right here, which is the OpenVPN GUI, and right-click on it, you should be able to say Connect, and it's going to use the settings associated with that client to connect. If all was well it should tell you you got connected, and you should see a little green icon in your taskbar; it could be hidden of course in here, and it's a nice little green icon. So I'm now connected. So that's connection using Windows.

So that's all I wanted to show you today. I hope that was really informative. If you liked it, give it a like, and I hope to see you next time. Thank you.
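The certificate workflow from the captions, scripted as an added example (this is not the video's or the DD-WRT forum guide's own script): the two vars lines, the easy-rsa commands run unattended, the six files gathered into a flat directory, and then the two checks a practitioner wants before pasting anything into the router UI, namely that all six files are present and that only the BEGIN/END block is taken from a .crt that easy-rsa prefixes with a human-readable dump. It ends by writing a minimal client .ovpn; the video's own client file lives in its description, so the directives here are standard OpenVPN 2.x options chosen by us. Assumed: an `easyrsa` 3.x binary on PATH (on Ubuntu it is the link that make-cadir places in the CA directory); the names ddwrt-server and laptop-client are the video's, the directory names and myhost.noip.com are placeholders.

```shell
#!/bin/sh
# Added example, not the video's or the forum guide's own script: the easy-rsa
# steps described above run unattended, the six files collected, two checks run
# before anything is pasted into the router, and a client .ovpn written.
# Assumptions: an `easyrsa` (3.x) binary on PATH; the names ddwrt-server and
# laptop-client come from the video, everything else below is ours.
set -eu

SERVER=ddwrt-server
CLIENT=laptop-client

# The two lines added to the vars file in the video.
write_vars() {                       # $1 = CA directory
    cat > "$1/vars" <<'EOF'
set_var EASYRSA_KEY_SIZE    2048
set_var EASYRSA_CERT_EXPIRE 3650
EOF
}

# The easy-rsa commands from the video. --batch answers the "are you sure"
# prompts, --req-cn supplies the name the interactive run asks for.
build_pki() {                        # $1 = CA directory (must hold the vars file)
    ( cd "$1"
      easyrsa --batch init-pki
      easyrsa --batch --req-cn="ddwrt certificate authority" build-ca nopass
      easyrsa --batch --req-cn="$SERVER" gen-req "$SERVER" nopass
      easyrsa --batch sign-req server "$SERVER"
      easyrsa --batch --req-cn="$CLIENT" gen-req "$CLIENT" nopass
      easyrsa --batch sign-req client "$CLIENT"
      easyrsa gen-dh )
}

# The six files the router and the laptop need, one per line.
required_files() {
    printf '%s\n' ca.crt "$SERVER.crt" "$SERVER.key" dh.pem "$CLIENT.crt" "$CLIENT.key"
}

# Copy exactly those six out of the crowded pki/ tree into a flat directory.
collect() {                          # $1 = CA directory, $2 = output directory
    mkdir -p "$2"
    cp "$1/pki/ca.crt" "$1/pki/dh.pem" "$2/"
    for n in "$SERVER" "$CLIENT"; do
        cp "$1/pki/issued/$n.crt" "$1/pki/private/$n.key" "$2/"
    done
}

# Check 1: all six files present and non-empty; names the missing ones on
# stderr and returns 1 otherwise.
check_bundle() {                     # $1 = output directory
    missing=0
    for f in $(required_files); do
        [ -s "$1/$f" ] || { echo "missing: $f" >&2; missing=1; }
    done
    return $missing
}

# Check 2: a .crt issued by easy-rsa starts with a human-readable dump; the
# router field only wants the BEGIN ... END block, which this prints.
pem_block() {                        # $1 = .crt or .key file
    sed -n '/^-----BEGIN /,/^-----END /p' "$1"
}

# Client side: a minimal .ovpn naming the remote and the three client files.
# Directives are standard OpenVPN 2.x options (the video's own file is in its
# description, not shown here); remote-cert-tls makes the client refuse a peer
# whose certificate was not signed with "sign-req server".
write_ovpn() {                       # $1 = remote host (IP or noip.com name), $2 = output file
    cat > "$2" <<EOF
client
dev tun
proto udp
remote $1 1194
ca ca.crt
cert $CLIENT.crt
key $CLIENT.key
remote-cert-tls server
cipher AES-256-CBC
verb 3
EOF
}

# Usage: sh this.sh ./ddwrt-ca ./ddwrt   (runs only where easy-rsa is installed)
if [ "$#" -eq 2 ] && command -v easyrsa >/dev/null 2>&1; then
    mkdir -p "$1"; write_vars "$1"; build_pki "$1"; collect "$1" "$2"
    check_bundle "$2"
    write_ovpn myhost.noip.com "$2/client1.ovpn"
    echo "bundle ready in $2"
fi
```

Running `pem_block ddwrt/ddwrt-server.crt` prints exactly what goes into the router's Public Server Cert field, and `check_bundle ddwrt` failing loudly is the cheap way to catch the "copied issued/ but forgot private/" mistake before it shows up as a TLS handshake error in the router's OpenVPN status page. The `remote-cert-tls server` line matters because the server certificate was signed as a server type: a client that omits it would also accept a client certificate presented by a peer, which is the check that distinguishes the router from another holder of a certificate issued by the same CA.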
Info
Channel: DevbaseMedia
Views: 10,494
Keywords: dd-wrt, tutorial, openvpn, open vpn, home vpn, how to, router, firewall, security, openvpn server, ddwrt, home lab, windows openvpn client, linux openvpn client
Id: dwrR18_xO_Q
Length: 24min 33sec (1473 seconds)
Published: Mon Feb 15 2021