OpenVPN Site to Site Connection Using DD-WRT Capable Routers
Posted: Sun Aug 29, 2010 2:53 pm
http://www.dd-wrt.com/phpBB2/viewtopic. ... ht=#391635
Basically lifted from the above link over at the DD-WRT forums, but this OpenVPN bridged (tap) connection between physically separated DD-WRT capable routers continues to work very well, and clients on either end all act like they are on the same local LAN!
FWIW: WRT320N located at my daughter's dorm configured as an OpenVPN client bridge back to the OpenVPN server located at home (WRT310N)... works 100%!
Under Administration/Commands Tab
Startup:
openvpn --mktun --dev tap0
brctl addif br0 tap0
ifconfig tap0 0.0.0.0 promisc up
Firewall:
...nothing required since configured as client...
Under Services/VPN/OpenVPN Daemon
OpenVPN Daemon: Enable
Start OpenVPN: Wan Up
CA Cert: ca.crt
Certificate Revoke List: *blank*
Public Client Cert: client1.crt
Private Client Key: client1.key
DH PEM: *blank*
OpenVPN Config:
management localhost 5001
verb 0
up-delay
client
dev tap0
proto udp
remote your.dyndns.ipaddress 1194
ns-cert-type server
cipher BF-CBC
comp-lzo
nobind
float
mute-replay-warnings
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
OpenVPN TLS Auth: *blank*
Notice: configured as a client using the settings under 'OpenVPN Daemon', NOT 'OpenVPN Client', under the Services/VPN GUI tab of DD-WRT!
WRT310N configured as OpenVPN server:
Under Administration/Commands Tab
Startup:
openvpn --mktun --dev tap0
brctl addif br0 tap0
ifconfig tap0 0.0.0.0 promisc up
Firewall:
iptables -I INPUT -p udp --dport 1194 -j ACCEPT
(currently my WRT310N's WAN is disabled, with a static 192.168.1.120 LAN IP & gateway set to 192.168.1.1, since it is behind a WRT600N gateway router with port 1194 forwarded to the WRT310N, so the firewall on the WRT310N is actually blank!)
Under Services/VPN/OpenVPN Daemon
OpenVPN Daemon: Enable
Start OpenVPN: Wan Up
CA Cert: ca.crt
Certificate Revoke List: *blank*
Public Client Cert: server.crt
Private Client Key: server.key
DH PEM: dh1024.pem
OpenVPN Config:
server-bridge 192.168.1.1 255.255.255.0 192.168.1.225 192.168.1.234
management localhost 5001
verb 0
comp-lzo
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
push "persist-tun"
push "persist-key"
port 1194
cipher BF-CBC
dev tap0
proto udp
keepalive 10 60
max-clients 8
client-to-client
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
OpenVPN TLS Auth: *blank*
You may have to adjust the values highlighted in bold above depending on your network!
BTW: the SPI Firewall is still enabled on both routers since this does not affect the OpenVPN bridge, and the 'management localhost 5001' config line set in each router allows populating the OpenVPN tab under Status in each router's DD-WRT GUI: http://www.dd-wrt.com/phpBB2/viewtopic. ... ht=#393084
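Added example (not from the forum post or from DD-WRT): a small Python auditor that parses an OpenVPN config in the format shown above and flags the settings a defender would want to revisit in these configs (cipher BF-CBC, comp-lzo, the blank TLS Auth field, verb 0, ns-cert-type on the client), and checks that the server-bridge pool lies inside the bridged subnet and is large enough for max-clients. The finding names and the embedded sample config are this example's own.

```python
import ipaddress

# Constructed sample: the server-side directives from the post above.
SERVER_CONF = """\
server-bridge 192.168.1.1 255.255.255.0 192.168.1.225 192.168.1.234
verb 0
comp-lzo
cipher BF-CBC
dev tap0
max-clients 8
client-to-client
"""

def parse(conf):
    """Split a config into (directive, args) pairs, skipping blanks and comments."""
    out = []
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            out.append((parts[0], parts[1:]))
    return out

def audit(conf):
    """Return sorted finding codes (names are this example's own, not OpenVPN's)."""
    directives = parse(conf)
    names = {name for name, _ in directives}
    args = dict(directives)  # last occurrence wins; fine for single-use directives
    findings = set()
    if (args.get("cipher") or [""])[0].upper() == "BF-CBC":
        findings.add("weak-cipher-bf-cbc")          # 64-bit block cipher
    if "comp-lzo" in names or "compress" in names:
        findings.add("compression-enabled")         # compression leaks data length
    if not names & {"tls-auth", "tls-crypt"}:
        findings.add("no-tls-auth")                 # control channel not HMAC-wrapped
    if "ns-cert-type" in names:
        findings.add("deprecated-ns-cert-type")     # prefer remote-cert-tls
    if (args.get("verb") or ["1"])[0] == "0":
        findings.add("logging-disabled")            # nothing to investigate later
    if "server-bridge" in names and len(args["server-bridge"]) == 4:
        gw, mask, lo, hi = args["server-bridge"]
        net = ipaddress.IPv4Network(f"{gw}/{mask}", strict=False)
        lo_a, hi_a = ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi)
        if not (lo_a in net and hi_a in net and lo_a <= hi_a):
            findings.add("bridge-pool-outside-subnet")
        elif int(hi_a) - int(lo_a) + 1 < int((args.get("max-clients") or ["1"])[0]):
            findings.add("bridge-pool-smaller-than-max-clients")
    return sorted(findings)
```

Run `audit(SERVER_CONF)` against the post's server config, or paste the client config into a string to see the ns-cert-type finding as well.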