Success with iOS and OpenVPN running on DD-WRT router
I have successfully configured OpenVPN to run on a DD-WRT router to provide access for my iOS devices. Details of the configuration/hardware can be found here:
http://www.dd-wrt.com/phpBB2/viewtopic.php?t=168295
Re: Success with iOS and OpenVPN running on DD-WRT router
Hi, don't you run into the tun route error issue?
Could you please post your logs?
Please see also:
topic12098.html
Thanks,
LtsGH
Re: Success with iOS and OpenVPN running on DD-WRT router
Hi all,
Just wanted to chime in that I also got the iOS OpenVPN client to work with an ancient WRT-54G v2 (using one of the regular versions of DD-WRT with OpenVPN rolled into it). Using it with a 4th-gen iPad. Took some gyrations to get it working, but I'm now able to connect to my home network over Wifi/LTE and use a webcam to spy on my near-motionless cat napping for hours on end. Amazing stuff. Heh.
Anyway, I wanted to post this as another voice of confirmation that the iOS OpenVPN client *can* work with a DD-WRT implemented headend. If anyone has specific questions or wants to see my configs, just ask -- however, one caveat is that I'm neither heavily into DD-WRT nor OpenVPN specifically (I'm a network guy by trade, but only dabble with these two projects).
Other:
- Running in split-tunnel mode only
- Only using IP-based addressing at this point (i.e. haven't tried to set up local DNS)
- Using 2048-bit key. Tested with Blowfish and AES128 ciphers. Decided to stick with BF after a few ad-hoc perf. tests and the fact that this is just a home network.
- Moved default connection params to TCP/443 to better allow use on Wifi networks with restrictive egress policies.
- Next projects: See if there is a way to set up a separate (client) config for a full-tunnel and try to test connect-on-demand.
Thanks,
Lagranger
Re: Success with iOS and OpenVPN running on DD-WRT router
Since at least one person did ask about my config, I thought I'd post the details here for the benefit of others.
To start, I should mention that I largely followed these instructions:
http://www.howtogeek.com/64433/how-to-i ... rt-router/
...although not verbatim. There were some differences in my resulting config, but the above article got me close enough to figure things out.
I'm using:
- OpenVPN 2.0.0 client on iPad 4. Works fine w/ WiFi and LTE.
- A Linksys WRT-54G v2 w/ firmware: DD-WRT v24-sp2 (11/02/09) vpn.
Router scripts
On the router, I'm not using any custom startup/shutdown scripts, except for the following firewall script:
Code:
# Accept inbound OpenVPN connections on tcp/443 (inserted at the top of INPUT)
iptables -I INPUT 1 -p tcp --dport 443 -j ACCEPT
# Allow forwarding of traffic originating from the internal LAN subnet
iptables -I FORWARD 1 --source 192.168.4.0/24 -j ACCEPT
# Allow forwarding between the LAN bridge (br0) and the VPN tunnel (tun0) in both directions
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
Notes:
- 192.168.4.0/24 is my internal subnet
- I'm using port tcp/443 because some locations I use my iPad at have super-aggressive egress policies (i.e., they don't allow anything but outbound http/s traffic on 80/443). Naturally, this could cause problems if you're running an SSL-based web server on your external IP. (I'm not).
- You do not have to open port 443 under DD-WRT's NAT->Port Forwarding in order for this to all work -- the iptables cmds take care of it.
OpenVPN Daemon settings (DD-WRT)
Start OpenVPN: Enabled (duh)
Start Type: Wan Up
[Upload all the required certs/keys per instructions elsewhere]
OpenVPN Config
Code:
# Push a route for the internal LAN to every client (split tunnel)
push "route 192.168.4.0 255.255.255.0"
# Address pool handed out to VPN clients
server 10.8.1.0 255.255.255.0
dev tun0
# TCP on 443 to get through restrictive egress filtering
proto tcp
port 443
keepalive 10 120
comp-lzo
# Certificates/keys as uploaded through the DD-WRT web UI
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
verb 5
cipher bf-cbc
# Management interface on localhost, TCP 5001 (no password file given)
management localhost 5001
Notes:
- Again, 192.168.4.0/24 is my internal LAN subnet
- 10.8.1.0/24 is the IP range that your VPN clients will live in. Pretty much arbitrary.
- I chose 'cipher bf-cbc' for performance reasons. If you're extremely security-conscious, 'cipher AES-128-CBC' may be a better choice.
- Probably can lower the verbosity (verb 5) level. Had it set high during troubleshooting.
Lastly, here's the OpenVPN .ovpn client config itself:
OpenVPN Client .ovpn config
Notes:
- I chose to upload my keys and certs as separate files, but the unified (inline) method works fine as well.
- If you're on residential broadband (that uses dynamic IPs), make your life easier and sign up with a dynamic DNS service. (I'm using myhost.dyndns.org as an example in client config below)
Code:
##############################################
# Sample client-side OpenVPN 2.0 config file #
# for connecting to multi-client server. #
# #
# This configuration can be used by multiple #
# clients, however each client should have #
# its own cert and key files. #
# #
# On Windows, you might want to rename this #
# file so it has a .ovpn extension #
##############################################
# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client
# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun
# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one. On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap
# Are we connecting to a TCP or
# UDP server? Use the same setting as
# on the server.
proto tcp
#proto udp
# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote myhost.dyndns.org 443
pull
# Choose a random host from the remote
# list for load-balancing. Otherwise
# try hosts in the order specified.
;remote-random
# Keep trying indefinitely to resolve the
# host name of the OpenVPN server. Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite
# Most clients don't need to bind to
# a specific local port number.
nobind
# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nobody
# Try to preserve some state across restarts.
persist-key
persist-tun
# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here. See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
# Wireless networks often produce a lot
# of duplicate packets. Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings
# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
ca ca.crt
cert ipad4.crt
key ipad4.key
# Verify server certificate by checking
# that the certificate has the nsCertType
# field set to "server". This is an
# important precaution to protect against
# a potential attack discussed here:
# http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server". The build-key-server
# script in the easy-rsa folder will do this.
ns-cert-type server
# If a tls-auth key is used on the server
# then every client must also have the key.
;tls-auth ta.key 1
# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
#cipher AES-128-CBC
cipher bf-cbc
# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo
# Set log file verbosity.
verb 5
# Silence repeating messages
;mute 20
# --float tells OpenVPN to accept authenticated packets from any address, not only the address which was specified in the --remote option.
# Useful if you're using round-robin DNS. Also useful if your server has a dynamic IP address which the ISP could change.
# I use float so I can connect from inside AND outside my router.
float
Closing comments
- There are likely a number of spurious/unnecessary settings in my conf files from early troubleshooting attempts. At first I thought of cleaning them up before posting here, then realized that it would be better to show exact copies of a known-working config (albeit a bit messy).
- This is a standard split-tunnel config. I've been messing around trying to get a full-tunnel working but admittedly, it's not a high priority for me.
- I hope this helps others. Because of other obligations, I don't frequent these forums that often, but if you have any questions about my config -- just ask here and I'll try to respond when I can.
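As an added example (not code from this thread, from OpenVPN or from DD-WRT), here is a small Python reviewer that reads the two configs posted above and lists the settings a security reviewer would want a second look at: Blowfish's 64-bit block size, compression on a tunnel that carries secrets, a management interface configured without a password file, the client's commented-out tls-auth line (the server config has no tls-auth either), and ns-cert-type, which later OpenVPN releases deprecated in favour of remote-cert-tls. The finding names, the threshold for "verbose", and the cipher list are this example's own choices; the sample configs are constructed copies of the poster's directives.

```python
"""Review OpenVPN server/client configs for settings a defender would question.

Added example, not code from the thread, from OpenVPN or from DD-WRT. It reads
OpenVPN's one-directive-per-line format and returns finding codes; the finding
names and thresholds are this example's own choices.
"""
import re

# Constructed sample: the server config posted above, directives verbatim.
SERVER_CONF = """\
push "route 192.168.4.0 255.255.255.0"
server 10.8.1.0 255.255.255.0
dev tun0
proto tcp
port 443
keepalive 10 120
comp-lzo
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
verb 5
cipher bf-cbc
management localhost 5001
"""

# Constructed sample: the active lines of the client .ovpn posted above
# (tls-auth is commented out there with ';', exactly as in the post).
CLIENT_CONF = """\
client
dev tun
proto tcp
remote myhost.dyndns.org 443
pull
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert ipad4.crt
key ipad4.key
ns-cert-type server
;tls-auth ta.key 1
cipher bf-cbc
comp-lzo
verb 5
float
"""

# Ciphers with a 64-bit block: acceptable for a short session, weak on a
# tunnel that moves many gigabytes under one key.
SMALL_BLOCK_CIPHERS = {"bf-cbc", "des-cbc", "des-ede3-cbc", "cast5-cbc", "rc2-cbc"}
# Directives that let a client verify the peer presents a *server* certificate.
SERVER_ROLE_CHECKS = {"ns-cert-type", "remote-cert-tls", "remote-cert-eku"}


def parse(text):
    """Return [(directive, [args])] for active lines; '#' and ';' start comments."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = re.findall(r'"[^"]*"|\S+', line)
        out.append((parts[0].lower(), [p.strip('"') for p in parts[1:]]))
    return out


def review(text):
    """Return the sorted list of finding codes for one config."""
    directives = parse(text)
    names = {d for d, _ in directives}
    findings = set()
    for name, args in directives:
        if name == "cipher" and args and args[0].lower() in SMALL_BLOCK_CIPHERS:
            findings.add("cipher-64bit-block")
        if name == "comp-lzo" or (name == "compress" and args):
            findings.add("compression-enabled")  # compression oracles apply to VPN payloads too
        if name == "management" and len(args) < 3:
            findings.add("management-no-password")  # form: management host port [pw-file]
        if name == "verb" and args and args[0].isdigit() and int(args[0]) >= 5:
            findings.add("verbose-logging")
        if name == "ns-cert-type":
            findings.add("ns-cert-type-deprecated")  # superseded by remote-cert-tls
    if "client" in names and not (SERVER_ROLE_CHECKS & names):
        findings.add("no-server-role-check")
    if not ({"tls-auth", "tls-crypt"} & names):
        findings.add("no-tls-auth")
    return sorted(findings)


if __name__ == "__main__":
    for label, conf in (("server", SERVER_CONF), ("client", CLIENT_CONF)):
        print(label, review(conf))
```

Run as a script it prints the findings for both configs. None of them contradicts the poster's result that the tunnel works; they are the items you would tighten afterwards: an AES cipher on both ends, compression off on both ends, a tls-auth (or tls-crypt) key on both ends so unauthenticated packets are dropped before the TLS handshake, a password file as the third argument of the management directive (or dropping that line if nothing uses it), and remote-cert-tls server in place of ns-cert-type once the client supports it.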
Re: Success with iOS and OpenVPN running on DD-WRT router
My DD-WRT firmware (20548) already configures the firewall, adding the forwards and inputs as needed,
but it fails to configure the SNAT for the tun connections, so they can reach the internet.
The default firmware firewall rule only SNATs connections from the local LAN subnet (10.0.0.0/24 in my case),
so I had to add another SNAT rule for connections from tun, like this:
iptables -A POSTROUTING -t nat -s 10.10.10.0/24 -j SNAT --to [wan IP]
where 10.10.10.0 is my OpenVPN network.
The mangle table:
Code:
Chain PREROUTING (policy ACCEPT 549K packets, 336M bytes)
pkts bytes target prot opt in out source destination
12 528 MARK 0 -- !ppp0 * 0.0.0.0/0 [wan IP] MARK or 0x80000000
549K 336M CONNMARK 0 -- * * 0.0.0.0/0 0.0.0.0/0 CONNMARK save
Chain INPUT (policy ACCEPT 1622K packets, 211M bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 396M packets, 309G bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 177K packets, 158M bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 398M packets, 310G bytes)
pkts bytes target prot opt in out source destination
The nat table:
Code:
Chain PREROUTING (policy ACCEPT 16805 packets, 1304K bytes)
pkts bytes target prot opt in out source destination
12 1008 DNAT udp -- * * 0.0.0.0/0 [wan ip] udp dpt:60820 to:10.0.0.110:60820
2 56 DNAT icmp -- * * 0.0.0.0/0 [wan ip] to:10.0.0.150
320 31843 TRIGGER 0 -- * * 0.0.0.0/0 [wan ip] TRIGGER type:dnat match:0 relate:0
Chain INPUT (policy ACCEPT 191K packets, 13M bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 3567 packets, 314K bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 7655 packets, 824K bytes)
pkts bytes target prot opt in out source destination
1292 79958 SNAT 0 -- * ppp0 10.0.0.0/24 0.0.0.0/0 to:[wan ip]
0 0 MASQUERADE 0 -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x80000000/0x80000000
5514 291K SNAT 0 -- * * 10.10.10.0/24 0.0.0.0/0 to:[wan ip]
The default table:
Code:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
125K 17M logaccept 0 -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 logbrute tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1723
0 0 logaccept tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1723
0 0 logaccept 47 -- * * 0.0.0.0/0 0.0.0.0/0
35 1825 logaccept udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1194
162 8424 ACCEPT 0 -- tun2 * 0.0.0.0/0 0.0.0.0/0
0 0 logdrop udp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:520
0 0 logdrop udp -- br0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:520
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:520
136 7672 logdrop icmp -- ppp0 * 0.0.0.0/0 0.0.0.0/0
0 0 logdrop 2 -- * * 0.0.0.0/0 0.0.0.0/0
37 2163 ACCEPT 0 -- lo * 0.0.0.0/0 0.0.0.0/0 state NEW
11985 1838K logaccept 0 -- br0 * 0.0.0.0/0 0.0.0.0/0 state NEW
605 104K logdrop 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 logaccept 47 -- * ppp0 10.0.0.0/24 0.0.0.0/0
0 0 logaccept tcp -- * ppp0 10.0.0.0/24 0.0.0.0/0 tcp dpt:1723
82649 7389K ACCEPT 0 -- tun2 * 0.0.0.0/0 0.0.0.0/0
115K 129M ACCEPT 0 -- * tun2 0.0.0.0/0 0.0.0.0/0
0 0 logaccept 0 -- br0 br0 0.0.0.0/0 0.0.0.0/0
2952 174K TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
214K 180M lan2wan 0 -- * * 0.0.0.0/0 0.0.0.0/0
208K 179M logaccept 0 -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
12 1008 TRIGGER 0 -- ppp0 br0 0.0.0.0/0 0.0.0.0/0 TRIGGER type:in match:0 relate:0
1758 105K trigger_out 0 -- br0 * 0.0.0.0/0 0.0.0.0/0
1322 82986 logaccept 0 -- br0 * 0.0.0.0/0 0.0.0.0/0 state NEW
448 23165 logdrop 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 177K packets, 158M bytes)
pkts bytes target prot opt in out source destination
Chain advgrp_1 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_10 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_2 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_3 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_4 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_5 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_6 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_7 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_8 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_9 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_1 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_10 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_2 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_3 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_4 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_5 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_6 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_7 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_8 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_9 (0 references)
pkts bytes target prot opt in out source destination
Chain lan2wan (1 references)
pkts bytes target prot opt in out source destination
Chain logaccept (32 references)
pkts bytes target prot opt in out source destination
351K 200M ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain logbrute (1 references)
pkts bytes target prot opt in out source destination
0 0 0 -- * * 0.0.0.0/0 0.0.0.0/0 recent: SET name: BRUTEFORCE side: source
0 0 RETURN 0 -- * * 0.0.0.0/0 0.0.0.0/0 !recent: UPDATE seconds: 60 hit_count: 4 name: BRUTEFORCE side: source
0 0 RETURN 0 -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 1/min burst 1
0 0 logdrop 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain logdrop (7 references)
pkts bytes target prot opt in out source destination
1189 135K DROP 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain logreject (0 references)
pkts bytes target prot opt in out source destination
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
Chain trigger_out (1 references)
pkts bytes target prot opt in out source destination
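The SNAT gap described in this post is easy to miss by eye in a long listing, so here is an added example (not code from the thread or from DD-WRT) that parses an `iptables -t nat -L -v -n` style listing and reports which POSTROUTING rules would unconditionally translate traffic from a given source network leaving through the WAN interface. The sample table is constructed from the nat table posted above with the poster's `[wan ip]` placeholder kept; the interface name ppp0 and the chain names come from that listing, and the suggested command is this example's own wording of the poster's rule.

```python
"""Check whether the nat POSTROUTING chain translates a VPN subnet.

Added example, not code from the thread or from DD-WRT. It parses the
'iptables -t nat -L -v -n' style listing the poster shows; nothing is read
from a live system.
"""
import ipaddress

# Constructed sample modelled on the nat table posted above; the
# placeholder [wan ip] is kept exactly as the poster wrote it.
NAT_TABLE = """\
Chain PREROUTING (policy ACCEPT 16805 packets, 1304K bytes)
 pkts bytes target prot opt in out source destination
   12  1008 DNAT udp -- * * 0.0.0.0/0 [wan ip] udp dpt:60820 to:10.0.0.110:60820
Chain POSTROUTING (policy ACCEPT 7655 packets, 824K bytes)
 pkts bytes target prot opt in out source destination
 1292 79958 SNAT 0 -- * ppp0 10.0.0.0/24 0.0.0.0/0 to:[wan ip]
    0     0 MASQUERADE 0 -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x80000000/0x80000000
 5514 291K SNAT 0 -- * * 10.10.10.0/24 0.0.0.0/0 to:[wan ip]
"""
# The same table without the rule the poster added: the 'before' state.
NAT_TABLE_BEFORE = "\n".join(l for l in NAT_TABLE.splitlines() if "10.10.10.0/24" not in l) + "\n"


def parse_chain(listing, chain):
    """Return the rules of one chain as dicts (target, in, out, source, extra, ...)."""
    rules, current = [], None
    for line in listing.splitlines():
        if line.startswith("Chain "):
            current = line.split()[1]
            continue
        f = line.split()
        if current != chain or not f or f[0] == "pkts":
            continue
        # columns: pkts bytes target prot opt in out source destination [extra ...]
        rules.append({"target": f[2], "prot": f[3], "in": f[5], "out": f[6],
                      "source": f[7], "dest": f[8], "extra": " ".join(f[9:])})
    return rules


def nat_rules_for(listing, src_net, wan_if):
    """Targets of POSTROUTING rules that unconditionally translate traffic from
    src_net leaving via wan_if. A rule restricted by a packet mark (the
    MASQUERADE rule in this listing) only matches marked packets, so it is
    not counted as coverage."""
    net = ipaddress.ip_network(src_net)
    hits = []
    for r in parse_chain(listing, "POSTROUTING"):
        if r["target"] not in ("SNAT", "MASQUERADE"):
            continue
        if r["out"] not in ("*", wan_if):
            continue
        if not net.subnet_of(ipaddress.ip_network(r["source"])):
            continue
        if "mark match" in r["extra"]:
            continue
        hits.append(r["target"])
    return hits


def suggested_rule(listing, vpn_net, wan_if):
    """Return the iptables command to add when vpn_net is not translated, else None.
    The WAN address stays a placeholder, as in the post."""
    if nat_rules_for(listing, vpn_net, wan_if):
        return None
    return (f"iptables -t nat -A POSTROUTING -s {vpn_net} -o {wan_if} "
            f"-j SNAT --to-source [wan IP]")


if __name__ == "__main__":
    print(nat_rules_for(NAT_TABLE_BEFORE, "10.10.10.0/24", "ppp0"))  # []
    print(suggested_rule(NAT_TABLE_BEFORE, "10.10.10.0/24", "ppp0"))
    print(nat_rules_for(NAT_TABLE, "10.10.10.0/24", "ppp0"))         # ['SNAT']
```

Against the 'before' table the VPN subnet matches no unconditional SNAT rule and the command is suggested; against the posted table it is covered. The suggested command differs from the poster's in one detail: it adds `-o ppp0`, so only packets leaving through the WAN link are rewritten. Without that, traffic from the VPN subnet to the LAN is also translated to the WAN address, and LAN hosts (and their logs) no longer see the real 10.10.10.x client address.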