Thursday, September 11, 2008

OpenVPN - Site-to-Site Bridged VPN Between Two Routers

Procedure Summary

  1. Obtain a Linksys WRT54GL router
  2. Install the OpenVPN version of DD-WRT on both routers. NOTE: Use v23 sp3 or greater if you want to connect multiple clients to one server simultaneously. Single client to server works fine with sp2.
  3. Generate the necessary keys for public key authentication
  4. Configure a router as the server
  5. Configure the other router as the client
  6. Test the VPN

Obtain a Linksys WRT54GL Router

The author has used two Linksys WRT54GL routers to establish a site-to-site VPN and has experienced flawless performance from them. Other routers will likely work equally well, but if you use WRT54GL routers you can be confident that this procedure will succeed.

Install DD-WRT onto Your Routers

  1. Download the latest stable release of the OpenVPN version of DD-WRT from DD-WRT. At the time this was written, the file you need to download is dd-wrt.v23_vpn_generic.bin; I use dd-wrt.v23_vpn_wrt54g.bin, which is sp3.

Generate Keys for Authentication

  1. Download OpenVPN onto the computer that you are going to use to communicate with (i.e., configure) the routers.
  2. Follow these instructions to install OpenVPN onto your computer.
  3. Follow these instructions to generate keys for authentication. (Note: when generating the client key, create only one key and name it client, rather than client1.)

Configure the Server Router

Basic Setup

  1. Log onto the first router, which will be our server router, using the GUI.
  2. Go to Setup > Basic Setup.
  3. Set the Local IP Address of the first router to 192.168.1.1 with a Subnet Mask of 255.255.255.0. (Of course, you are not required to use the network address 192.168.1.0. You can use any network address you like, but this tutorial will assume you are using this network.)
  4. Make sure DHCP server is enabled.
  5. Set the Start IP Address to 100.
  6. Set Maximum DHCP Users to 50.
  7. Set the Time Zone. (The time zone you select is not important to the success of this tutorial, but setting the same time zone on both routers is important.)
  8. Click Save Settings.

Startup Script

  1. Go to Administration > Commands
  2. Paste the following into the Command Shell box:
cd /tmp
openvpn --mktun --dev tap0
brctl addif br0 tap0
ifconfig tap0 0.0.0.0 promisc up

echo "
# Tunnel options
mode server # Set OpenVPN major mode
proto udp # Setup the protocol (server)
port 1194 # TCP/UDP port number
dev tap0 # TUN/TAP virtual network device
keepalive 15 60 # Simplify the expression of --ping
daemon # Become a daemon after all initialization
verb 3 # Set output verbosity to n
comp-lzo # Use fast LZO compression

# OpenVPN server mode options
client-to-client # tells OpenVPN to internally route client-to-client traffic
duplicate-cn # Allow multiple clients with the same common name

# TLS Mode Options
tls-server # Enable TLS and assume server role during TLS handshake
ca ca.crt # Certificate authority (CA) file
dh dh1024.pem # File containing Diffie Hellman parameters
cert server.crt # Local peer's signed certificate
key server.key # Local peer's private key
" > openvpn.conf

echo "
-----BEGIN CERTIFICATE-----
INSERT YOUR ca.crt HERE
-----END CERTIFICATE-----
" > ca.crt
echo "
-----BEGIN RSA PRIVATE KEY-----
INSERT YOUR server.key HERE
-----END RSA PRIVATE KEY-----
" > server.key
chmod 600 server.key
echo "
-----BEGIN CERTIFICATE-----
INSERT YOUR server.crt HERE
-----END CERTIFICATE-----
" > server.crt
echo "
-----BEGIN DH PARAMETERS-----
INSERT YOUR dh1024.pem HERE
-----END DH PARAMETERS-----
" > dh1024.pem

sleep 5
ln -s /usr/sbin/openvpn /tmp/myvpn
/tmp/myvpn --config openvpn.conf

route add -net 192.168.1.0/24 dev br0
  3. Replace the "INSERT YOUR [FILE] HERE" text with the appropriate text from the .crt or .key files you generated during the Generate Keys for Authentication step.
  4. Click Save Startup
  5. Paste the following into the Command Shell box:
/usr/sbin/iptables -I INPUT -p udp --dport 1194 -j ACCEPT
  6. Click Save Firewall
  7. Reboot the router

Configure the Client Router

Basic Setup

  1. Log onto the second router, which will be our client router, using the GUI.
  2. Go to Setup > Basic Setup.
  3. Set the Local IP Address of the second router to 192.168.1.254 with a Subnet Mask of 255.255.255.0. (Of course, if you used a different network address and subnet mask when setting up the server router, use that same address and mask for this router.)
  4. Make sure DHCP server is enabled.
  5. Set the Start IP Address to 50. NOTE: Because the bridge joins both LANs into one network (here 192.168.1.x), every IP address on the client LAN and the server LAN must be unique. You cannot have 192.168.1.100 on the client LAN and 192.168.1.100 on the server LAN. The two router addresses must also differ from each other while staying in 192.168.1.x. If several routers act as simultaneous clients, every client LAN must be unique in the same way. Make sure your DHCP ranges cannot hand out duplicate addresses.
  6. Set Maximum DHCP Users to 50.
  7. Set the Time Zone to the same time zone you set on the first (server) router.
  8. Click Save Settings.
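As an added check that is not part of the original post, this Python script applies the uniqueness rule above to the tutorial's addressing plan: it expands each router's DHCP pool from its Start IP Address and Maximum DHCP Users and reports overlapping pools, a pool that contains a router address, or a pool that runs off the end of the subnet. The address values are the tutorial's; the function names are mine.

```python
import ipaddress

# Constructed plan mirroring the tutorial: both sites share one bridged /24.
# Per site: router LAN address, DHCP "Start IP Address" (last octet), "Maximum DHCP Users".
TUTORIAL_PLAN = {
    "server": {"router": "192.168.1.1", "start": 100, "max_users": 50},
    "client": {"router": "192.168.1.254", "start": 50, "max_users": 50},
}


def dhcp_pool(network, start, max_users):
    """Addresses DD-WRT hands out: start .. start+max_users-1 (clipped at the end of the subnet)."""
    hosts = list(ipaddress.ip_network(network).hosts())  # .1 .. .254 for a /24
    return set(hosts[start - 1:start - 1 + max_users])


def check_bridged_lan(plan, network="192.168.1.0/24"):
    """Return a list of conflicts; an empty list means every address on the bridged LAN is unique."""
    net = ipaddress.ip_network(network)
    conflicts, routers, pools = [], {}, {}
    for site, cfg in plan.items():
        router = ipaddress.ip_address(cfg["router"])
        if router not in net:
            conflicts.append(f"{site}: router {router} is outside {net}")
        if router in routers.values():
            conflicts.append(f"{site}: router address {router} is already used by another site")
        routers[site] = router
        pools[site] = dhcp_pool(network, cfg["start"], cfg["max_users"])
        if len(pools[site]) < cfg["max_users"]:
            conflicts.append(f"{site}: DHCP pool runs past the end of {net}")
    sites = list(plan)
    for i, a in enumerate(sites):
        for b in sites:  # a pool must not contain any router address, its own included
            if routers[b] in pools[a]:
                conflicts.append(f"{a}: DHCP pool contains router {routers[b]} ({b})")
        for b in sites[i + 1:]:  # pairwise pool overlap
            overlap = pools[a] & pools[b]
            if overlap:
                conflicts.append(f"{a}/{b}: DHCP pools overlap on {len(overlap)} addresses, e.g. {min(overlap)}")
    return conflicts
```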

Startup Script

  1. Go to Administration > Commands
  2. Paste the following into the Command Shell box:
cd /tmp
ln -s /usr/sbin/openvpn /tmp/myvpn
./myvpn --mktun --dev tap0
brctl addif br0 tap0
ifconfig tap0 0.0.0.0 promisc up
sleep 5

echo "
client
daemon
dev tap0
proto udp
remote xxx.xxx.xxx.xxx 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
comp-lzo
verb 3
" > /tmp/client.conf

echo "
-----BEGIN CERTIFICATE-----
INSERT YOUR ca.crt HERE
-----END CERTIFICATE-----
" > /tmp/ca.crt

echo "
-----BEGIN RSA PRIVATE KEY-----
INSERT YOUR client.key HERE
-----END RSA PRIVATE KEY-----
" > /tmp/client.key
chmod 600 /tmp/client.key

echo "
-----BEGIN CERTIFICATE-----
INSERT YOUR client.crt HERE
-----END CERTIFICATE-----
" > /tmp/client.crt

./myvpn --config client.conf

route add -net 192.168.1.0/24 dev br0

UPD from hryamzik: This script didn't work for me. I've composed the following:

cd /tmp
ln -s /usr/sbin/openvpn /tmp/myvpn
./myvpn --mktun --dev tap0
brctl addif br0 tap0
ifconfig tap0 promisc

# Write the "up" script OpenVPN runs once the tunnel is established (heredoc)
cat > /tmp/up.sh << EOF
/sbin/ifconfig tap0 0.0.0.0
EOF

chmod +x /tmp/up.sh

echo "
daemon # Become a daemon after all initialization
client
dev tap0
proto udp
remote domain.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
comp-lzo
verb 3
mssfix 1200
up \"/tmp/up.sh\"
" > client.conf

echo "
-----BEGIN CERTIFICATE-----
INSERT YOUR ca.crt HERE
-----END CERTIFICATE-----
" > ca.crt
echo "
-----BEGIN RSA PRIVATE KEY-----
INSERT YOUR client.key HERE
-----END RSA PRIVATE KEY-----
" > /tmp/client.key
chmod 600 /tmp/client.key

echo "
-----BEGIN CERTIFICATE-----
INSERT YOUR client.crt HERE
-----END CERTIFICATE-----
" > /tmp/client.crt

./myvpn --config client.conf

route add -net 192.168.1.0/24 dev br0

Be careful with "route add"; I had some problems with it when I used wrong values. I did not update iptables.

End of upd by hryamzik.

  3. Replace the "INSERT YOUR [FILE] HERE" text with the appropriate text from the .crt or .key files you generated during the Generate Keys for Authentication step.
  4. Replace the xxx.xxx.xxx.xxx text with the public IP address (or DNS name) of your first (server) router. (Note: if your Internet Service Provider gives your routers dynamic IP addresses (and they probably do), you might want to look into Dynamic DNS services such as DynDNS or No-IP.com. You can start to learn more about dynamic DNS by looking at this page.)
  5. Click Save Startup
  6. Reboot the router (i.e., in the GUI, click Administration > Management and click Reboot Router at the bottom)

Test the VPN

If all is well, and a VPN has been established between your two routers, you should be able to ping hosts behind either router.
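When the ping test fails, the usual cause is a setting that differs between the two startup scripts. As an added example (my code, not the tutorial's), this Python script parses OpenVPN config text the way the daemon reads it, comments and all, and reports the mismatches that break a bridged tunnel: proto, port versus the client's remote port, tap versus tun, comp-lzo on only one side, and the server/client roles. The config strings are abridged from the scripts above.

```python
import shlex

# Abridged copies of the server and client configs from the startup scripts above
# (only the directives the check looks at); constructed test input, not a live config.
SERVER_CONF = """
mode server
proto udp # Setup the protocol (server)
port 1194
dev tap0
comp-lzo
tls-server
"""

CLIENT_CONF = """
client
dev tap0
proto udp
remote xxx.xxx.xxx.xxx 1194
ns-cert-type server
comp-lzo
"""


def parse_openvpn_conf(text):
    """Map each directive to its argument list; '#' comments and blank lines are skipped."""
    conf = {}
    for line in text.splitlines():
        words = shlex.split(line, comments=True)
        if words:
            conf[words[0]] = words[1:]
    return conf


def check_pair(server_text, client_text):
    """Return the settings on which the two ends of the bridged tunnel disagree."""
    s, c = parse_openvpn_conf(server_text), parse_openvpn_conf(client_text)
    problems = []
    if s.get("proto", ["udp"]) != c.get("proto", ["udp"]):
        problems.append("proto differs between server and client")
    remote = c.get("remote", [])
    server_port = s.get("port", ["1194"])[0]  # 1194 is OpenVPN's default port
    client_port = remote[1] if len(remote) > 1 else "1194"
    if server_port != client_port:
        problems.append(f"server listens on {server_port} but client connects to {client_port}")
    if not all(d.get("dev", [""])[0].startswith("tap") for d in (s, c)):
        problems.append("a bridged VPN needs a tap device on both ends")
    if ("comp-lzo" in s) != ("comp-lzo" in c):
        problems.append("comp-lzo must be set on both ends or on neither")
    if "tls-server" not in s or "client" not in c:
        problems.append("server needs tls-server and client needs client")
    return problems
```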
