Know-How: OpenVPN on a dd-wrt Router

Loreas

Junior Member
Introduction
Please use this link ftp://ftp.dd-wrt.com/betas/ to check if there is a newer dd-wrt version for your router.
Don't use the dd-wrt router database or the wiki, because they aren't up to date.

1. OpenVPN setup
2. Policy based routing
3. Additional notes + buying guide

1. OpenVPN setup:

1. Download the config files for Android/iOS
2. Everything we need is in the .ovpn file. Choose your server.

3. Go to the dd-wrt web interface:

Setup
Basic Setup

WAN-Connection Type
Automatic Setup - DHCP

Router IP

Local IP: 192.168.1.1
Network Mask: 255.255.255.0
Gateway: 0.0.0.0
Local DNS: 0.0.0.0

Network Address Server Settings (DHCP)

DHCP Type: DHCP Server
DHCP Server: activate
For Static DNS 1/2/3 choose one of the DNS servers provided by OpenNIC https://www.opennicproject.org/
and put them into Static DNS 1, 2 & 3.
Not recommended, but it can also be a Google DNS: 8.8.8.8 & 8.8.4.4

untick Use DNSMasq for DHCP
untick Use DNSMasq for DNS
untick DHCP-Authoritative

Clock Setup
NTP-Client: activate
Time Zone: "your time zone"
Server-IP/Name: de.pool.ntp.org
and Save
Setup
IPv6

IPv6-Support
IPv6: enable
Radvd: enable
and Save
Services
VPN

OpenVPN-Client:

Start OpenVPN -> Enable
Server IP/Name: xxx.perfect-privacy.com
Port: 1149 (UDP)
Tunnel Device: TUN
Tunnel Protocol: UDP
Encryption Cipher: AES-256 CBC
Hash Algorithm: SHA512
User Pass Authentication -> Enable
Username: your username
Password: your password
Advanced Options -> Enable
TLS Cipher: None (will be edited in "Additional Config")
LZO Compression: Adaptive
NAT -> enable
MTU: 1500
UDP Fragment: 1300
Tunnel UDP MSS-Fix: Disable
nsCertType verification: enable
Open the .ovpn file with a text editor and copy the content:

TLS Auth Key (in the .ovpn file: <tls-auth>)

#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
Additional Config:
Code:
redirect-gateway def1
reneg-sec 86400
mssfix
float
persist-remote-ip
route-method exe
tls-cipher DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-AES128-SHA
route-delay 2
tls-timeout 5
hand-window 120
inactive 604800
ping 5
ping-restart 90
replay-window 512 60
mute-replay-warnings

CA Cert (in the .ovpn file: <ca>)

copy from .ovpn file
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Public Client Cert (in the .ovpn file: <cert>)

copy from .ovpn file
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Private Client Key (in the .ovpn file: <key>)

copy from .ovpn file
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
Save Settings

Go to
Administration
Commands
First of all, run this command in the shell:
Code:
ifconfig
If you have tun0, you have to edit the firewall commands below accordingly.
In my case I have tun1.

Paste this into your Command Shell:
Code:
# -I inserts at the top of the chain, so the rule pasted last is matched first
iptables -P FORWARD DROP                              # default policy: forward nothing
iptables -I FORWARD -i br0 -o tun1 -j ACCEPT          # LAN (br0) -> VPN tunnel
iptables -I FORWARD -i tun1 -o br0 -j ACCEPT          # VPN tunnel -> LAN
iptables -I FORWARD -i br0 -o vlan2 -j DROP           # kill switch: LAN never leaves via the WAN port (vlan2) directly
iptables -I INPUT -i tun1 -j DROP                     # nothing arriving from the tunnel may reach the router itself
iptables -t nat -A POSTROUTING -o tun1 -j MASQUERADE  # NAT the LAN addresses onto the tunnel

and press the "Save Firewall" button.

Paste this into your Command Shell:
Code:
#!/bin/sh
/usr/sbin/openvpn --config /tmp/openvpncl/openvpn.conf --route-up /tmp/openvpncl/route-up.sh --down-pre /tmp/openvpncl/route-down.sh --daemon

and press the "Save Startup Script" button.
Finally go to:
Administration
Management
and press the "Reboot Router" button.
Finished...

2. Policy based Routing:

Under "Additional config" on the web interface there is a field "Policy Based Routing"


Here you have to put in the internal IP addresses you want to pass through (one IP per line)

Then you have to redo your firewall settings and put in those internal IPs again.

Code:
iptables -P FORWARD DROP
iptables -I FORWARD -i br0 -o tun1 -j ACCEPT
iptables -I FORWARD -i tun1 -o br0 -j ACCEPT
iptables -I FORWARD -i br0 -o vlan2 -j DROP
iptables -I FORWARD -i br0 -s 192.168.1.xyz -j ACCEPT   # inserted above the kill-switch DROP: this LAN host may bypass the tunnel
iptables -I FORWARD -o br0 -d 192.168.1.xyz -j ACCEPT   # ... and receive its replies (one pair of rules per IP from the list)
iptables -I INPUT -i tun1 -j DROP
iptables -t nat -A POSTROUTING -o tun1 -j MASQUERADE

3. Additional notes:

Don't forget to keep your router up to date!
Here you'll get the updated firmware:

ftp://ftp.dd-wrt.com/betas/

If you want to buy a new router for this, keep in mind that OpenVPN needs a lot of CPU power. The faster the CPU, the faster your connection. A dual-core 1 GHz router like the Netgear R7000 or the Asus RT-AC87U does its work at 20-24 MBit/s.
 
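An added example, not part of the tutorial: a small Python parser that pulls the pieces the dd-wrt client page asks for (remote host and port, proto, cipher, auth, and the <tls-auth>, <ca>, <cert> and <key> blocks) out of an .ovpn profile, keeping only the BEGIN/END part of each block so that comment lines and any text printed before a certificate are not pasted by mistake. The profile inside the code is constructed, with placeholder PEM bodies and the tutorial's xxx.perfect-privacy.com placeholder as server name.

```python
# Added example, not from the tutorial: pull the pieces the dd-wrt OpenVPN
# client page asks for out of an .ovpn profile. The profile is constructed;
# the PEM bodies are placeholders, not real key material.
import re

SAMPLE_OVPN = """\
proto udp
remote xxx.perfect-privacy.com 1149
cipher AES-256-CBC
auth SHA512
<tls-auth>
# 2048 bit OpenVPN static key
-----BEGIN OpenVPN Static key V1-----
00112233445566778899aabbccddeeff
-----END OpenVPN Static key V1-----
</tls-auth>
<ca>
-----BEGIN CERTIFICATE-----
MIIBcaPLACEHOLDER
-----END CERTIFICATE-----
</ca>
<cert>
Subject: CN=client-1234
-----BEGIN CERTIFICATE-----
MIIBcertPLACEHOLDER
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
MIIEkeyPLACEHOLDER
-----END RSA PRIVATE KEY-----
</key>
"""

BLOCK_RE = re.compile(r"<([\w-]+)>\n(.*?)\n</\1>", re.S)
PEM_RE = re.compile(r"-----BEGIN [^\n]+-----\n.*?\n-----END [^\n]+-----", re.S)

def parse_ovpn(text):
    """Return {directive: [args]} merged with {inline tag: armored text}.
    An inline block keeps only BEGIN..END: the '#' comment lines of the static
    key and any text before a certificate are dropped, as the dd-wrt fields need."""
    parsed = {}
    for tag, body in BLOCK_RE.findall(text):
        pem = PEM_RE.search(body)
        parsed[tag] = pem.group(0) if pem else body.strip()
    for line in BLOCK_RE.sub("", text).splitlines():
        if line.strip() and not line.lstrip().startswith(("#", ";")):
            name, *args = line.split()
            parsed[name] = args  # a repeated directive keeps its last value
    return parsed
```

Run `parse_ovpn(open("client.ovpn").read())` on your own profile; "remote" gives Server IP/Name and Port, "proto" the Tunnel Protocol, "cipher" and "auth" the Encryption Cipher and Hash Algorithm, and the tag entries are what goes into TLS Auth Key, CA Cert, Public Client Cert and Private Client Key.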

orkoz

Junior Member
Hi guys, I followed the tutorial to the letter but it doesn't seem to be working for me.

I have no experience in wrt and very basic knowledge of vpn. My setup is Internet < - > Fibre Optic Router < - > Netgear R8000(dd-wrt)

After following the tutorial, there is no tun0 / tun1. I would appreciate if you could help me.
 

henrikvp

Junior Member
Hi Loreas, I am new to all this.

Your tutorial made my newly bought Netgear R7000 from Flashrouters work with the server in Zurich. The included tutorial from Flashrouters did not work... :)

Just one more thing: I am not getting IPV6 connection, only IPV4 (according to PP's check IP). I have done the setup exactly as you wrote with tun+ and all.

Any ideas on getting IPV6?
 

tambo

Junior Member
I've followed this to connect on my Netgear R7000 which is freshly flashed with DD-WRT. I've replaced tun1 with tun+ in the instructions. However I can't get a connection to work. DNS lookups work fine, but everything else times out. I've been trying to troubleshoot this for 3 days now. I'm trying to connect to the Zurich server, which means I had to change the port to 1152 instead of 1149. Any help would be extremely gratefully received.
 

tambo

Junior Member
Thanks again for the tutorial. I got it working eventually. I believe my problem was in copying the contents of the <cert> tag, not just the PGP ASCII-armoured part. And just to confirm, the correct port is 1149, as stated, not what it says in the ovpn file.
 

helhound

New Member
I followed this connect guide on my Netgear R7800 with a freshly flashed DD-WRT firmware with everything at default values. I finally got it to work, however the speeds have gone from 200mb down and 20mb up to 7mb down and 3mb up. The R7800 has plenty of processing power to handle a VPN. Please give some advice to get the speeds back up. I am in Okinawa and chose the Tokyo, Japan server. The ping is under 100, as low as in the 40s.
 

privacy

Active Member
Test the same VPN server with your PC or laptop; maybe your routing to the server is bad.

R7800 should get 70 Mbit/s (people say that on the dd-wrt board)
 

helhound

New Member
I have tested it with my desktop connected by LAN, laptop connected by LAN, laptop on wireless, and cell phone on wireless. All of which are around 6.6Mbps down and 3-4Mbps up. I even switched VPN from Japan to Chicago. I get the same speeds, just a higher ping. The ping makes sense being farther away. However, the speeds do not.

This is the firmware I am using...
DD-WRT v3.0-r31980M kongat (5/11/17)
 

privacy

Active Member
I mean install OpenVPN on your PC and test the Tokyo server, to see whether you get better speed or the same slow speed
 

helhound

New Member
Thank you for your help so far. I tried it using the VPN Manager on my desktop and laptop, both wired in. Still getting the same speeds. Both the Tokyo and Chicago server. Any other suggestions would help.
 

privacy

Active Member
Looks like your routing to the server is bad, or maybe your ISP throttles VPN?

If I remember correctly the PP manager has a stealth VPN obfuscation3 setting or so in its settings; you could try that

Or test different locations (Netherlands, Canada, France..)
 

helhound

New Member
Thank you again for the suggestions. I tried all the stealth vpn options with Chicago, Tokyo, Paris, and Oslo. Same results as before.
 

ianfraser

New Member
Hello,

I want to use PP with "128 bit" on my Netgear R7000 DD-WRT router. It's working so far. The only problem I have is that it looks like PP is used with "256 bit".

Here are some lines from the log file:

20180803 17:54:42 VERIFY OK: depth=1 C=CH ST=Zug L=Zug O=Perfect Privacy CN=Perfect Privacy emailAddress=admin@perfect-privacy.com
20180803 17:54:42 VERIFY OK: nsCertType=SERVER
20180803 17:54:42 VERIFY OK: depth=0 C=CH ST=Zug O=Perfect Privacy CN=Server_zurich.perfect-privacy.com emailAddress=admin@perfect-privacy.com
20180803 17:54:44 W WARNING: 'cipher' is used inconsistently local='cipher AES-128-CBC' remote='cipher AES-256-CBC'
20180803 17:54:44 W WARNING: 'keysize' is used inconsistently local='keysize 128' remote='keysize 256'
20180803 17:54:44 Control Channel: TLSv1.2 cipher TLSv1.2 DHE-RSA-AES256-SHA256 4096 bit RSA
20180803 17:54:44 I [Server_zurich.perfect-privacy.com] Peer Connection Initiated with [AF_INET]80.255.7.82:1149
20180803 17:54:45 SENT CONTROL [Server_zurich.perfect-privacy.com]: 'PUSH_REQUEST' (status=1)
20180803 17:54:45 PUSH: Received control message: 'PUSH_REPLY topology subnet redirect-gateway def1 sndbuf 131072 rcvbuf 131072 comp-lzo adaptive route-gateway 10.4.144.1 redirect-gateway ipv6 route-ipv6 2000::/3 ping 10 ping-restart 60 dhcp-option DNS 80.255.7.94 dhcp-option DNS 92.222.210.119 ifconfig-ipv6 fdbf:1d37:bbe0:0:73::1246/112 fdbf:1d37:bbe0:0:73::1 ifconfig 10.4.144.246 255.255.255.0 peer-id 6 cipher AES-256-GCM'
20180803 17:54:45 OPTIONS IMPORT: timers and/or timeouts modified
20180803 17:54:45 NOTE: --mute triggered...
20180803 17:54:45 2 variation(s) on previous 3 message(s) suppressed by --mute
20180803 17:54:45 Socket Buffers: R=[180224->262144] S=[180224->262144]
20180803 17:54:45 OPTIONS IMPORT: --ifconfig/up options modified
20180803 17:54:45 OPTIONS IMPORT: route options modified
20180803 17:54:45 OPTIONS IMPORT: route-related options modified
20180803 17:54:45 NOTE: --mute triggered...
20180803 17:54:45 4 variation(s) on previous 3 message(s) suppressed by --mute
20180803 17:54:45 Data Channel: using negotiated cipher 'AES-256-GCM'
20180803 17:54:45 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
20180803 17:54:45 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
20180803 17:54:45 GDG6: remote_host_ipv6=n/a
20180803 17:54:45 I TUN/TAP device tun1 opened

Could someone here help me, or tell me what I have to do to use PP with 128 bit?

thx
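An added example, not from the thread: a Python check that reads client log lines in the format posted above and reports which cipher the data channel actually negotiated, together with the "used inconsistently" warnings and the cipher the server pushed in PUSH_REPLY. The sample lines are constructed in that format (the DNS address is a placeholder).

```python
# Added example, not from the thread: parse an OpenVPN client log in the format
# posted above and report what the data channel really negotiated. The lines
# below are constructed in that format; the DNS address is a placeholder.
import re

SAMPLE_LOG = """\
20180803 17:54:42 VERIFY OK: nsCertType=SERVER
20180803 17:54:44 W WARNING: 'cipher' is used inconsistently local='cipher AES-128-CBC' remote='cipher AES-256-CBC'
20180803 17:54:44 W WARNING: 'keysize' is used inconsistently local='keysize 128' remote='keysize 256'
20180803 17:54:44 Control Channel: TLSv1.2 cipher TLSv1.2 DHE-RSA-AES256-SHA256 4096 bit RSA
20180803 17:54:45 PUSH: Received control message: 'PUSH_REPLY topology subnet redirect-gateway def1 dhcp-option DNS 192.0.2.53 cipher AES-256-GCM'
20180803 17:54:45 Data Channel: using negotiated cipher 'AES-256-GCM'
20180803 17:54:45 I TUN/TAP device tun1 opened
"""

PATTERNS = {  # one regex per fact worth pulling out of the log
    "mismatch": re.compile(r"'(\S+)' is used inconsistently local='\S+ ([^']*)' remote='\S+ ([^']*)'"),
    "pushed": re.compile(r"'PUSH_REPLY .*\bcipher ([^\s']+)"),   # the server's cipher choice
    "control": re.compile(r"Control Channel: (\S+) cipher \S+ (\S+)"),
    "data": re.compile(r"using negotiated cipher '([^']+)'"),
    "tun": re.compile(r"TUN/TAP device (\S+) opened"),
}

def summarize_log(text):
    """Return the negotiation facts; 'mismatches' maps option -> (local, remote)."""
    s = {"mismatches": {}, "pushed": None, "control": None, "data": None, "tun": None}
    for line in text.splitlines():
        for key, rx in PATTERNS.items():
            m = rx.search(line)
            if not m:
                continue
            if key == "mismatch":
                s["mismatches"][m.group(1)] = (m.group(2), m.group(3))
            elif key == "control":
                s["control"] = m.groups()      # (TLS version, control-channel suite)
            else:
                s[key] = m.group(1)
    return s

def findings(s):
    """Plain-language checks; an empty list means the log holds no surprises."""
    out = []
    local = s["mismatches"].get("cipher", (None, None))[0]
    if s["data"] and local and s["data"] != local:
        out.append("data channel uses %s, not the configured %s: server pushed 'cipher %s'"
                   % (s["data"], local, s["pushed"]))
    if not s["tun"]:
        out.append("no TUN device was opened, so the tun firewall rules match nothing")
    return out
```

On the log above this reports that the data channel runs AES-256-GCM because the server pushed that cipher, regardless of the AES-128-CBC configured locally; a missing tun line is flagged because the iptables rules in the tutorial bind to it.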
 