Below are the steps I followed to get Tunnelblick 3.7.8beta01 (build 5160) on a MacBook Pro with macOS Mojave, 10.14 and/or OpenVPN for Android on Android 9 connecting to an OpenVPN server running DD-WRT v3.0-r36527 std 8/9/18 firmware on a Netgear R7000 router.
1. Create Certificates and Keys
Create OpenVPN certificates and keys by following the directions here - https://firxworx.com/blog/it-devops/sys ... -on-macos/
I would suggest that one generate 4096-bit keys rather than the default 2048-bit keys. This will require changes to the vars file prior to key generation.
This will generate an ~/EasyRSA-X.Y.Z directory.
2. Create ta.key
SSH or Telnet to the DD-WRT router command line.
Run the following commands
# openvpn –-genkey –-secret ta.key
# cat ta.key
Highlight the key contents and copy to TextEdit on the Mac.
Save TextEdit ta.key file to the ~/EasyRSA-X.Y.Z/pki/private/ directory on the Mac
Delete the ta.key file on router's DD-WRT command line
# rm ta.key
3. OpenVPN Server
On the Services, VPN area of the router's DD-WRT web configuration page add the following information.
Start Type: System
Config as: Server
Server mode: Router (TUN)
Network: (local private network that is different from your primary LAN - My primary LAN is 192.168.x.0 and I put in 10.x.y.0)
Port: (default is 1194, I put in 80, others like 443)
Tunnel Protocol: UDP
Encryption Cipher: AES-256 CBC
Hash Algorithm: SHA256
Advanced Options: Enable
TLS Cipher: None
LZO Compression: Yes
Redirect default Gateway: Enable
Allow Client to Client: Enable
Allow duplicate cn: Disable
Tunnel MTU setting: 1500
Tunnel UDP Fragment: Leave blank
Tunnel UDP MSS-Fix: Disable
CCD-Dir DEFAULT file: Leave empty
Client connect script: Leave empty
Static Key: Leave empty
PKCS12 Key: Leave empty
Public Server Cert: Paste the contents of the ~/EasyRSA-X.Y.Z/pki/issued/server.crt file on the Mac. Make sure it only includes lines between and including -----BEGIN CERTIFICATE-----, -----END CERTIFICATE-----
CA cert: Paste the contents of ~/EasyRSA-X.Y.Z/pki/ca.crt file on the Mac. Make sure it only includes lines between and including -----BEGIN CERTIFICATE-----, -----END CERTIFICATE-----
Private Server Key: Paste the contents of the ~/EasyRSA-X.Y.Z/pki/private/server.key file found on the Mac. Make sure it only includes lines between and including -----BEGIN PRIVATE KEY-----, -----END PRIVATE KEY-----
DH PEM: Paste the contents of the ~/EasyRSA-X.Y.Z/pki/dh.pem file found on the Mac. Make sure it only includes lines between and including -----BEGIN DH PARAMETERS-----, -----END DH PARAMETERS-----
push "route 192.168.x.0 255.255.255.0"
push "dhcp-option DNS 192.168.x.1"
TLS Auth Key: Paste the contents of the ~/EasyRSA-X.Y.Z/pki/private/ta.key file found on the Mac.
At the bottom of the web page, first click on Save, and when the page comes back, click on Apply Settings
Go to Services, Services web configuration page
Find the Additional DNSMasq Options window
Add the following statement.
Click on Save, and after the page comes back click on Apply Settings
Go to Administration, Commands web page
Add the following command to the Firewall.
iptables -t nat -A POSTROUTING -o `get_wanface` -j MASQUERADE
Once you added this statement click on Save Firewall.
When the web page comes back, click on Administration, Management
At the bottom of the page click on the red Router Reboot button and reboot the router. Wait 3 minutes for the router to complete its reboot.
4. Tunnelblick on the Mac
Install Tunnelblick on the Mac
Launch Tunnelblick on the Mac.
Create a folder on your Desktop with the <session_name>. I called mine Home.
Add the following statements to TextEdit.
# Use the same setting as you are using on the server.
# Are we connecting to a TCP or UDP server? Use the same setting as on the server.
# The hostname/IP and port of the server.
remote <internet domain of OpenVPN server> <port that was defined on the DD-WRT OpenVPN web configuration page>
# Most clients don't need to bind to a specific local port number.
# Try to preserve some state across restarts.
# SSL/TLS parmeters
tls-auth ta.key 1
# Verify server certificate by checking
# that the certicate has the nsCertType
# field set to "server". This is an
# important precaution to protect against
# a potential attack discussed here:
# ns-cert-type server
# Enable compression on the VPN link.
# Allow me to change my IP address and/or port number (if I get a new local IP address at Starbucks).
Save the file with the name <session_name>.conf to the <session_name> desktop folder
Copy to the Desktop <session_name> folder:
Once all the files are in the folder rename the <session_name> folder to <session_name>.tblk
The folder will then convert itself to a file.
Click and drag that file to the Tunnelblick icon at the top of the screen. When you see a + show up, release the click.
Add the session to ALL users of the Mac
Delete the <session_name>.tblk file from the Desktop.
Click on the Tunnelblick icon at the top of the screen on the Mac and click on VPN Details.
Highlight the <session_name>.
In the VPN Details screen click on the gear icon at the bottom left of the window.
Scroll down and click on Make Configuration Private.
Type in the Mac password when requested.
Log into a WiFi link that is not on your local LAN. For testing I use my smartphone hotspot. Click on Tunnelblick icon and click on Connect to start up VPN.
5. OpenVPN on Android
Install OpenVPN for Android (OfA) from the Play Store
Copy the following files from your Mac laptop to a USB thumb drive.
Transfer those files to the internal storage of the Android mobile device.
At the top portion of the screen tap on SETTINGS
Show log window: Checked
OpenVPN 3 Core: Checked
Connect on boot: Unchecked
Reconnect on network change: Checked
Pause VPN connection after screen off: Checked
At the top right portion of the screen tap the circle plus icon
Edit the profile by taping the pencil icon to the right of its name
Go to the BASIC tab
Name the profile. I use Home
Check LZO Compression
For the CA Certificate select the path to the ca.crt file
For the Client Certificate select the path to the <client_name2>.crt file
For the Client Certificate Key select the path to the <client_name2>.key file
Go to the SERVER tab
Server Address: <internet domain of OpenVPN server>
Server Port: <port that was defined on the DD-WRT OpenVPN web configuration page>
Connect Timeout: 120
Custom Options: Unchecked
Go to the IP AND DNS tab
Pull Settings: Enabled
No local binding: Checked
Override DNS Settings by Server: Unchecked
Go to ROUTING Tab
Ignore pushed routes: Unchecked
Bypass VPN for local networks: Unchecked
Use default Route: Checked
Use default Route: Unchecked
Go to the AUTHENTICATION/ENCRYPTION tab
Expect TLS server certificate: Checked
Certificate Hostname Check: Checked
Remote certificate subject
RDN (common name)
-- Leave Blank --
X.509 Username Field
-- Leave Blank --
Use TLS Authentication: Enabled
TLS Auth File: Select the path to the ta.key file
TLS Direction: 1
Encryption Cypher: AES-256-CBC
Go to the ADVANCED tab
Persistent tun: Checked
Push Peer info: Unchecked
Random Host Prefix: Unchecked
Allow floating server: Checked
Override MSS value of TCP payload: Unchecked
Tunnel MTU (mtu-mtu): Using default (1500) MTU
Unlimited reconnection retries
Seconds between connections
Maximum time between connection attempts
To test, turn off WiFi on phone
Exit out of OfA edit mode to main screen. Tap profile name to connect to OpenVPN server.
Use this forum to share your network setup and what's been working for you.
1 post • Page 1 of 1