Installing OpenVPN
Now head over to OpenVPN’s Downloads page and download the OpenVPN Windows Installer. In this guide we’ll be using 2.1.4, the release just before the current one; the latest version (2.2.0) has a bug that would make this process even more complicated. The installer puts the OpenVPN program that connects to your VPN on the machine, so you will also install it on any other computers you want to act as clients (we’ll see how to do that later). Save the openvpn-2.1.4-install.exe file to your computer. Because this installer adds a network driver and will be handling your private keys, download it only from openvpn.net and check it against the signature or hash published on the downloads page before running it.
Creating the Certificates and Keys
Now that you have OpenVPN installed on your computer, we have to start creating the certificates and keys to authenticate devices. Click the Windows Start button and navigate under Accessories. You’ll see the Command Prompt program. Right click on it and click Run as administrator.
In the command prompt, type cd c:\Program Files (x86)\OpenVPN\easy-rsa if you’re running 64-bit Windows 7 as seen below. Type cd c:\Program Files\OpenVPN\easy-rsa if you’re running 32-bit Windows 7. Then hit Enter.
Now type init-config and hit Enter to copy two files called vars.bat and openssl.cnf into the easy-rsa folder. Keep your command prompt up as we’ll be coming back to it shortly.
Navigate to C:\Program Files (x86)\OpenVPN\easy-rsa (or C:\Program Files\OpenVPN\easy-rsa on 32-bit Windows 7) and right click on the file called vars.bat. Click Edit to open it up in Notepad. Alternatively, we recommend opening this file with Notepad++ as it formats the text in the file much better. You can download Notepad++ from their homepage.
The bottom portion of the file is what we are concerned with. Starting at line 31, change the KEY_COUNTRY value, KEY_PROVINCE value, etc. to your country, province, etc. For example, we changed our province to “IL”, city to “Chicago”, org to “HowToGeek”, and email to our own email address. Also, if you’re running Windows 7 64-bit, change the HOME value in line 6 to %ProgramFiles(x86)%\OpenVPN\easy-rsa (the variable name has no space in it). Do not change this value if you’re running 32-bit Windows 7. Your file should look similar to ours below (with your respective values, of course). Save the file, overwriting the original, once you’re done editing.
Go back to your command prompt and type vars and hit Enter. Then type clean-all and hit Enter. Finally, type build-ca and hit Enter.
After executing the build-ca command, you will be prompted to enter your Country Name, State, Locality, etc. Since we already set these parameters in vars.bat, we can accept each default by hitting Enter, but watch out for the Common Name parameter before you start slamming the Enter key. You can enter anything here (e.g. your name); just make sure you enter something, and use a name you will not reuse for the server or a client. This command writes two files to the easy-rsa/keys folder: the root CA certificate (ca.crt) and the root CA private key (ca.key). The CA key is what signs every other certificate, so it never leaves this computer; it is not copied to the router or to any client.
Now we’re going to build a key for a client. In the same command prompt type build-key client1. You can change “client1” to anything you’d like (e.g. Acer-Laptop); just be sure to enter the same name as the Common Name when prompted. Run through all the defaults as in the last step (except for Common Name, of course). At the end you will be asked to sign the certificate and to commit; type “y” for both and press Enter. Note that build-key produces a private key with no passphrase, so anyone who copies client1.key can connect as that client. If the laptop can be lost or shared, use build-key-pass client1 instead, which prompts for a passphrase that OpenVPN will ask for on every connection.
Also, don’t worry if you see the “unable to write ‘random state’” error; the certificates are still created. This command outputs two files (client1.key and client1.crt) in the easy-rsa/keys folder. To create a key for another client, repeat the step with a different name and Common Name; each device should get its own certificate rather than sharing one, so that a single device can later be revoked without cutting off the others.
The last certificate we’ll be generating is the server certificate. In the same command prompt, type build-key-server server. You can replace “server” at the end of the command with anything you’d like (e.g. HowToGeek-Server); as always, enter the same name as the Common Name when prompted. Run through all the defaults except Common Name, and at the end type “y” to sign the certificate and commit. Unlike build-key, this command marks the certificate as a server certificate, which is what lets clients tell the real server apart from another client presenting its own certificate. It outputs two files (server.key and server.crt) in the easy-rsa/keys folder.
Now we have to generate the Diffie Hellman parameters. The Diffie Hellman protocol “allows two users to exchange a secret key over an insecure medium without any prior secrets”; OpenVPN uses these parameters during the TLS handshake to agree on the session keys, so they are public values, not a secret. You can read more about Diffie Hellman on RSA’s website.
In the same command prompt type build-dh. This takes a while and outputs one file (dh1024.pem) in the easy-rsa/keys folder. The size comes from the KEY_SIZE line in vars.bat, which defaults to 1024 bits; that size is no longer considered strong, so if you are willing to wait longer, set KEY_SIZE to 2048 in vars.bat before running vars, clean-all and the build steps above, and you will get 2048-bit RSA keys and a dh2048.pem instead.
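Before moving any of these files around, it is worth checking what easy-rsa actually produced. The batch file below is an added example, not part of the original guide: it uses the openssl.exe that the OpenVPN installer places in OpenVPN\bin to confirm that both certificates chain to your CA, that only the server certificate carries the server flag, that each private key belongs to its certificate, and how large the DH group is. It assumes the 64-bit paths and the names server and client1 used in this guide.

```batch
@echo off
rem Added example, not from the original guide: sanity-check the PKI easy-rsa just built.
rem Assumes 64-bit Windows paths; on 32-bit Windows remove " (x86)" from OVPN below.
setlocal
set "OVPN=%ProgramFiles(x86)%\OpenVPN"
set "KEYS=%OVPN%\easy-rsa\keys"
set "OPENSSL=%OVPN%\bin\openssl.exe"
rem Point openssl.exe at the config init-config copied, which silences its "can't open config file" warning.
set "OPENSSL_CONF=%OVPN%\easy-rsa\openssl.cnf"

rem 1. Both leaf certificates must chain to our own CA (prints "<file>: OK" for each).
"%OPENSSL%" verify -CAfile "%KEYS%\ca.crt" "%KEYS%\server.crt" "%KEYS%\client1.crt"

rem 2. The server certificate must carry the server flag that build-key-server sets;
rem    the client's ns-cert-type server check depends on it.
"%OPENSSL%" x509 -in "%KEYS%\server.crt" -noout -text | findstr /C:"SSL Server" >nul
if errorlevel 1 (echo server.crt is NOT flagged as a server certificate - rebuild it with build-key-server) else (echo server.crt: server flag OK)

rem 3. A client certificate must not carry the server flag, or that client could impersonate the server.
"%OPENSSL%" x509 -in "%KEYS%\client1.crt" -noout -text | findstr /C:"SSL Server" >nul
if not errorlevel 1 (echo WARNING: client1.crt is flagged as a server certificate) else (echo client1.crt: client-only OK)

rem 4. Subject, validity window and fingerprint of each certificate.
rem    The router's clock must fall inside these dates or every handshake will fail.
for %%F in (ca server client1) do (
    echo %%F.crt:
    "%OPENSSL%" x509 -in "%KEYS%\%%F.crt" -noout -subject -dates -fingerprint -sha1
)

rem 5. Each private key must belong to its certificate: the RSA modulus is the same in both.
for %%F in (server client1) do (
    "%OPENSSL%" x509 -in "%KEYS%\%%F.crt" -noout -modulus > "%TEMP%\%%F.crt.mod"
    "%OPENSSL%" rsa -in "%KEYS%\%%F.key" -noout -modulus > "%TEMP%\%%F.key.mod"
    fc "%TEMP%\%%F.crt.mod" "%TEMP%\%%F.key.mod" >nul && echo %%F.key matches %%F.crt || echo MISMATCH: %%F.key does not belong to %%F.crt
    del "%TEMP%\%%F.crt.mod" "%TEMP%\%%F.key.mod"
)

rem 6. Size of the Diffie Hellman group; 1024 bits is this guide's default and is weak by current standards.
"%OPENSSL%" dhparam -in "%KEYS%\dh1024.pem" -noout -text | findstr /C:"DH Parameters"
endlocal
```

Save it as check-pki.bat anywhere, run it from an administrator command prompt, and fix anything it flags before the certificates go onto the router or a laptop. If you raised KEY_SIZE to 2048, change dh1024.pem in the last step to dh2048.pem.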
Creating the Configuration Files for the Client
Before we edit any configuration files, we should set up a dynamic DNS service. Use this service if your ISP issues you a dynamic external IP address every so often. If you have a static external IP address, skip down to the next step.
We suggest using DynDNS.com, a service that allows you to point a hostname (i.e. howtogeek.dyndns.org) to a dynamic IP address. It’s important for OpenVPN to always know your network’s public IP address, and by using DynDNS, OpenVPN will always know how to locate your network no matter what your public IP address is. Sign up for a free hostname and point it to your public IP address.
Now back to configuring OpenVPN. In Windows Explorer, navigate to C:\Program Files (x86)\OpenVPN\sample-config if you’re running 64-bit Windows 7 or C:\Program Files\OpenVPN\sample-config if you’re running 32-bit Windows 7. In this folder you will find three sample configuration files; we’re only concerned with the client.ovpn file.
Right click on client.ovpn and open it with Notepad or Notepad++. You’ll notice your file will look like the picture below:
However, we want our client.ovpn file to look similar to the picture below. Be sure to change the DynDNS hostname in line 4 to your hostname (or to your public IP address if you have a static one). Leave the port number at 1194, the standard OpenVPN port, and leave the protocol as it is; the client’s proto line must match the proto line in the server configuration we set up on the router later. Also, change lines 11 and 12 to the names of your client’s certificate file and key file. Finally, find the commented-out ns-cert-type server line and remove the leading semicolon: with it enabled, the client refuses to connect to anything that does not present a certificate made with build-key-server, so a stolen client certificate cannot be used to impersonate your router. Save the result as a new .ovpn file in the OpenVPN/config folder.
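The screenshot of the finished client.ovpn is not reproduced on this page, so here is an added example of what the edited file contains; it is not the original author’s file. It assumes the DynDNS hostname howtogeek.dyndns.org used as the example above, the certificate name client1, and a server listening on UDP port 1194.

```conf
# client.ovpn - added example, not the original article's file.
# Assumes hostname howtogeek.dyndns.org and certificate name client1.
client
dev tun
# Must match the proto line in the DD-WRT server config and the firewall rule.
proto udp
# Your DynDNS hostname or static public IP, and the server port.
remote howtogeek.dyndns.org 1194
resolv-retry infinite
nobind
persist-key
persist-tun
# These three files are copied from easy-rsa\keys into OpenVPN\config on the client.
ca ca.crt
cert client1.crt
key client1.key
# Only accept a server whose certificate was made with build-key-server;
# a client certificate presented by an impostor is rejected.
ns-cert-type server
verb 3
```

There is no comp-lzo line because the server configuration used later in this guide does not enable compression; the two sides must agree on that setting as well as on proto and port.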
Configuring DD-WRT’s OpenVPN Daemon
The basic idea now is to copy the server certificates and keys we made earlier and paste them into the DD-WRT OpenVPN Daemon menus. Open up your browser again and navigate to your router, preferably from a computer on the LAN (or over HTTPS if you have enabled it in DD-WRT), since you are about to paste a private key into the page. You should now have the DD-WRT VPN edition installed on your router, and you will notice a new sub-tab under the Services tab called VPN. Click the Enable radio button under OpenVPN Daemon.
First, be sure to change Start type to “Wan Up” instead of the default “System”. Now we need the server keys and certificates we created earlier. In Windows Explorer, navigate to C:\Program Files (x86)\OpenVPN\easy-rsa\keys on 64-bit Windows 7 (or C:\Program Files\OpenVPN\easy-rsa\keys on 32-bit Windows 7). Open each of ca.crt, server.crt, server.key and dh1024.pem (dh2048.pem if you raised KEY_SIZE) with Notepad or Notepad++, copy the contents, and paste them into the corresponding boxes as seen below. Only these four files go to the router: ca.key stays on this computer, and the client files stay out of the router entirely.
For the OpenVPN Config field, we will need to create a custom configuration. These settings will differ depending on how your LAN is set up. Open a separate browser window and type in your router’s IP address. Click the Setup tab and take note of the address configured under Router IP > Local IP Address. The default, which is what we are using in this example, is 192.168.1.1, which makes the LAN network 192.168.1.0 with mask 255.255.255.0. Put your own LAN network (the router’s address with the last number set to 0, for example 192.168.2.0 if your router is 192.168.2.1) right after “route” in the first line. Copy the following into the OpenVPN Config box and click Save.
push "route 192.168.1.0 255.255.255.0"
server 10.8.0.0 255.255.255.0
dev tun0
# proto must match the client.ovpn proto line and the firewall rule below
proto udp
keepalive 10 120
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
# Only use crl-verify if you are using the revoke list - otherwise leave it commented out
# crl-verify /tmp/openvpn/ca.crl
# management parameter allows DD-WRT's OpenVPN Status web page to access the server's management port
# port must be 5001 for scripts embedded in firmware to work
management localhost 5001
Now we must configure the firewall to allow clients to connect to our OpenVPN server on port 1194. The first rule below opens UDP; whatever protocol you set in the server configuration’s proto line must be the one opened here (use -p tcp instead if you chose proto tcp), and the same protocol must appear in client.ovpn, otherwise clients on the Internet will never reach the daemon. Go to the Administration tab and click the Commands sub-tab. In the Commands text box paste the following:
iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT
iptables -I FORWARD 1 --source 192.168.1.0/24 -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
Be sure to change your LAN IP in the second line if it is different than the default. Then click the Save Firewall button below.
Finally, be sure to check your Time Settings under the Setup tab, otherwise the OpenVPN daemon will reject every client. The router has no battery-backed clock, so until it syncs with an NTP server it believes the date is in 1970, and every certificate we just made appears “not yet valid” to it. We suggest going to TimeAndDate.com and searching for your city under Current Time; that page gives you the time zone information to fill in under Time Settings, just like we did below. Also, check out the NTP Pool Project’s website for public NTP servers to use as the Server IP/Name.
Setting Up an OpenVPN Client
In this example we will be using a Windows 7 laptop as our client on a separate network; its LAN must use a different subnet from the one at home (for example not 192.168.1.0/24 on both ends), or the pushed route will conflict with the laptop’s local network. The first thing to do is install OpenVPN on the client as we did in the first steps under Installing OpenVPN. Then navigate to the config folder, C:\Program Files (x86)\OpenVPN\config on 64-bit Windows 7 or C:\Program Files\OpenVPN\config on 32-bit, which is where we’ll be pasting our files.
Now go back to the original computer and collect a total of four files to copy over to the client laptop. Navigate to C:\Program Files (x86)\OpenVPN\easy-rsa\keys again and copy ca.crt, client1.crt and client1.key. Paste these three files into the client’s config folder. Move them on a USB stick or another channel you trust rather than by email: client1.key is that laptop’s identity on your VPN. Do not copy ca.key, server.crt or server.key to any client; the client needs only the CA certificate and its own pair.
Finally, we need one more file. Navigate to C:\Program Files (x86)\OpenVPN\config and copy the new client.ovpn file we created earlier. Paste it into the client’s config folder as well.
Testing the OpenVPN Client
On the client laptop, click the Windows Start button and navigate to All Programs > OpenVPN. Right click on the OpenVPN GUI file and click Run as administrator. Note that you must always run OpenVPN as an administrator in order for it to work properly. To permanently set the file to always run as administrator, right click the file and click Properties. Under the Compatibility tab check Run this program as an administrator.
The OpenVPN GUI icon will appear next to the clock in the taskbar. Right click the icon and click Connect. Since we only have one .ovpn file in our config folder, OpenVPN will connect to that network by default.
A dialog box will pop up displaying a connection log.
Once you’re connected to the VPN, the OpenVPN icon in the taskbar will turn green and will display your virtual IP address.
And that’s it! You now have an encrypted, certificate-authenticated connection between your client and the network behind your DD-WRT router. To further test the connection, open a browser on the client laptop and navigate to your router’s LAN address (192.168.1.1 in this example); if the page loads while you are away from home, traffic is flowing through the tunnel. If it does not, the connection log is the place to look: a certificate or time error points back to the Time Settings step, while a timeout usually means the proto or port in client.ovpn does not match the server configuration and firewall rule.