Page 1 of 1

DD-WRT, Tunnelblick, OpenVPV for Android

Posted: Thu Oct 25, 2018 3:28 am
Below are the steps I followed to get Tunnelblick 3.7.8beta01 (build 5160) on a MacBook Pro with macOS Mojave, 10.14 and/or OpenVPN for Android on Android 9 connecting to an OpenVPN server running DD-WRT v3.0-r36527 std 8/9/18 firmware on a Netgear R7000 router.

1. Create Certificates and Keys

Create OpenVPN certificates and keys by following the directions here - ... -on-macos/

I would suggest that one generate 4096-bit keys rather than the default 2048-bit keys. This will require changes to the vars file prior to key generation.

This will generate an ~/EasyRSA-X.Y.Z directory.

2. Create ta.key

SSH or Telnet to the DD-WRT router command line.

Run the following commands

# openvpn –-genkey –-secret ta.key

# cat ta.key

Highlight the key contents and copy to TextEdit on the Mac.

Save TextEdit ta.key file to the ~/EasyRSA-X.Y.Z/pki/private/ directory on the Mac

Delete the ta.key file on router's DD-WRT command line

# rm ta.key

3. OpenVPN Server

On the Services, VPN area of the router's DD-WRT web configuration page add the following information.

OpenVPN Server/Daemon

OpenVPN: Enable

Start Type: System

Config as: Server

Server mode: Router (TUN)

Network: (local private network that is different from your primary LAN - My primary LAN is 192.168.x.0 and I put in 10.x.y.0)


Port: (default is 1194, I put in 80, others like 443)

Tunnel Protocol: UDP

Encryption Cipher: AES-256 CBC

Hash Algorithm: SHA256

Advanced Options: Enable

TLS Cipher: None

LZO Compression: Yes

Redirect default Gateway: Enable

Allow Client to Client: Enable

Allow duplicate cn: Disable

Tunnel MTU setting: 1500

Tunnel UDP Fragment: Leave blank

Tunnel UDP MSS-Fix: Disable

CCD-Dir DEFAULT file: Leave empty

Client connect script: Leave empty

Static Key: Leave empty

PKCS12 Key: Leave empty

Public Server Cert: Paste the contents of the ~/EasyRSA-X.Y.Z/pki/issued/server.crt file on the Mac. Make sure it only includes lines between and including -----BEGIN CERTIFICATE-----, -----END CERTIFICATE-----

CA cert: Paste the contents of ~/EasyRSA-X.Y.Z/pki/ca.crt file on the Mac. Make sure it only includes lines between and including -----BEGIN CERTIFICATE-----, -----END CERTIFICATE-----

Private Server Key: Paste the contents of the ~/EasyRSA-X.Y.Z/pki/private/server.key file found on the Mac. Make sure it only includes lines between and including -----BEGIN PRIVATE KEY-----, -----END PRIVATE KEY-----

DH PEM: Paste the contents of the ~/EasyRSA-X.Y.Z/pki/dh.pem file found on the Mac. Make sure it only includes lines between and including -----BEGIN DH PARAMETERS-----, -----END DH PARAMETERS-----

Additional Config:

push "route 192.168.x.0"
push "dhcp-option DNS 192.168.x.1"

TLS Auth Key: Paste the contents of the ~/EasyRSA-X.Y.Z/pki/private/ta.key file found on the Mac.

At the bottom of the web page, first click on Save, and when the page comes back, click on Apply Settings

Go to Services, Services web configuration page

Find the Additional DNSMasq Options window

Add the following statement.


Click on Save, and after the page comes back click on Apply Settings

Go to Administration, Commands web page

Add the following command to the Firewall.

iptables -t nat -A POSTROUTING -o `get_wanface` -j MASQUERADE

Once you added this statement click on Save Firewall.

When the web page comes back, click on Administration, Management

At the bottom of the page click on the red Router Reboot button and reboot the router. Wait 3 minutes for the router to complete its reboot.

4. Tunnelblick on the Mac

Install Tunnelblick on the Mac

Launch Tunnelblick on the Mac.

Create a folder on your Desktop with the <session_name>. I called mine Home.

Add the following statements to TextEdit.

auth RSA-SHA256
cipher AES-256-CBC

# Use the same setting as you are using on the server.
dev tun2

# Are we connecting to a TCP or UDP server? Use the same setting as on the server.
proto udp
tun-mtu 1500

# The hostname/IP and port of the server.
remote <internet domain of OpenVPN server> <port that was defined on the DD-WRT OpenVPN web configuration page>

resolv-retry infinite

# Most clients don't need to bind to a specific local port number.

# Try to preserve some state across restarts.

# SSL/TLS parmeters
ca ca.crt
cert <client_name1>.crt
key <client_name1>.key
tls-auth ta.key 1

# Verify server certificate by checking
# that the certicate has the nsCertType
# field set to "server". This is an
# important precaution to protect against
# a potential attack discussed here:
# ns-cert-type server
remote-cert-tls server

# Enable compression on the VPN link.
# comp-lzo
compress lzo

# Allow me to change my IP address and/or port number (if I get a new local IP address at Starbucks).

Save the file with the name <session_name>.conf to the <session_name> desktop folder

Copy to the Desktop <session_name> folder:


Once all the files are in the folder rename the <session_name> folder to <session_name>.tblk

The folder will then convert itself to a file.

Click and drag that file to the Tunnelblick icon at the top of the screen. When you see a + show up, release the click.

Add the session to ALL users of the Mac

Delete the <session_name>.tblk file from the Desktop.

Click on the Tunnelblick icon at the top of the screen on the Mac and click on VPN Details.

Highlight the <session_name>.

In the VPN Details screen click on the gear icon at the bottom left of the window.

Scroll down and click on Make Configuration Private.

Type in the Mac password when requested.

Log into a WiFi link that is not on your local LAN. For testing I use my smartphone hotspot. Click on Tunnelblick icon and click on Connect to start up VPN.

5. OpenVPN on Android

Install OpenVPN for Android (OfA) from the Play Store

Copy the following files from your Mac laptop to a USB thumb drive.


Transfer those files to the internal storage of the Android mobile device.

Open OfA

At the top portion of the screen tap on SETTINGS

Show log window: Checked

OpenVPN 3 Core: Checked

Connect on boot: Unchecked

Reconnect on network change: Checked

Pause VPN connection after screen off: Checked

At the top right portion of the screen tap the circle plus icon

Edit the profile by taping the pencil icon to the right of its name

Go to the BASIC tab

Name the profile. I use Home

Check LZO Compression

For the CA Certificate select the path to the ca.crt file
For the Client Certificate select the path to the <client_name2>.crt file
For the Client Certificate Key select the path to the <client_name2>.key file

Go to the SERVER tab

Server Address: <internet domain of OpenVPN server>

Server Port: <port that was defined on the DD-WRT OpenVPN web configuration page>

Protocol: UDP

Proxy: None

Connect Timeout: 120

Custom Options: Unchecked

Go to the IP AND DNS tab

Pull Settings: Enabled

No local binding: Checked

Override DNS Settings by Server: Unchecked


Ignore pushed routes: Unchecked

Bypass VPN for local networks: Unchecked


Use default Route: Checked


Use default Route: Unchecked


Expect TLS server certificate: Checked

Certificate Hostname Check: Checked

Remote certificate subject

RDN (common name)

-- Leave Blank --

X.509 Username Field

-- Leave Blank --

TLS Authentication/Encryption

Use TLS Authentication: Enabled

TLS Auth File: Select the path to the ta.key file

TLS Direction: 1


Encryption Cypher: AES-256-CBC

Go to the ADVANCED tab

Client behavior

Persistent tun: Checked

Push Peer info: Unchecked

Random Host Prefix: Unchecked

Allow floating server: Checked

Payload options

Override MSS value of TCP payload: Unchecked

Tunnel MTU (mtu-mtu): Using default (1500) MTU

Custom Options

auth SHA256

Reconnection settings

Connection retries

Unlimited reconnection retries

Seconds between connections

2 s

Maximum time between connection attempts

300 s

To test, turn off WiFi on phone

Exit out of OfA edit mode to main screen. Tap profile name to connect to OpenVPN server.