Hi,
This is my first post on the forum and whilst I thought I had a tiny bit of knowledge of networking and VPN tunnels I find myself a bit lost with OpenVPN.
A bit of background to how I got to where I am now.
I am a home user in the UK, my internet provider is Virgin Media and I use their Superhub2 .. For explanation purposes I will say that my external WAN address is 78.102.6.128 (obviously not my real address). On the LAN side my gateway IP address is 192.168.7.1 with subnet 255.255.255.0
The subnet has lots of devices assigned mainly via DHCP beginning at 192.168.7.100 and above.
I have recently gone to my attic and found an old Linksys WRT54GS v4 router and installed DD-WRT firmware v24 with built in VPN.
I initially set this Linksys up on my home network a bit like a cabled client bridge in that the WAN side of the Linksys was assigned a static IP address 192.168.7.7 and the LAN side was set to 192.168.7.11 ... However I have now changed the setup and removed the WAN cable and now use the wireless setup as a client-bridge.
So the Linksys router is accessible and simply located on my home network at IP address 192.168.7.11 and is effectively connected to my home LAN subnet via a wireless connection.
I initially set up a simple PPTP VPN server on the Linksys dd-wrt interface and had this working just fine and was able to remotely connect to my home network using my iPad and the iOS built in VPN client. So no problems with that.
Anyhow I decided to switch things over to OpenVPN and downloaded the necessary software to my PC and generated the 'usual' certificates and keys using the easy-rsa commands.
I generated the following:
ca certificate and key
Server certificate and key
dh1024 pem
And 3 client certificates and keys
Cutting a long story short, I pasted the necessary certificates in the DD-WRT server interface and a config file that says the following:
push "route 192.168.7.0 255.255.255.0"
push "dhcp-option DNS 192.168.66.1"
server 192.168.66.0 255.255.255.0
dev tun0
proto udp
keepalive 10 120
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
Obviously I forwarded UDP port 1194 on my Virgin Media Superhub2 to direct it to 192.168.7.11
I downloaded the OpenVPN client for iOS and installed that on my iPad and my final step was to create and import the .ovpn file... Here are the contents of that file but obviously with my client certificate and key details removed:
dev tun0
proto udp
remote 78.102.6.128 1194
cipher bf-cbc
auth md5
resolv-retry infinite
nobind
persist-key
persist-tun
client
comp-lzo
remote-cert-tls server
verb 3
float
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
</key>
Obviously (once again) I have changed my external WAN IP address in the .ovpn above to protect things.
Anyhow at the moment using my iPad App (VPN client) and this imported .ovpn file the iPad does connect to the DD-WRT VPN server from a remote location... Yippee! .. But obviously the iPad client is being assigned an IPv4 IP address in the 192.168.66.0 subnet ... In fact it is usually 192.168.66.6 for some reason?
The problem...
Clearly the configuration above is absolutely of no use to me, as I need an IP address in the 192.168.7.0 home subnet ... In fact I would like it to assign my iPad client an IP address between 192.168.7.15 and 192.168.7.20
Despite all my efforts so far, I cannot make this work for me ... I tried changing the following line in the server config file:
server 192.168.66.0 255.255.255.0
To read as follows;
server 192.168.7.0 255.255.255.0
But this then stops the client connecting and appears to occasionally lock up the Linksys server... Change it back and it all works again.
One more thing I forgot to say is the firewall on the Linksys DD-WRT interface has been completely disabled as I don't need that.
I think that either my server config file is incorrect or something is wrong in my .ovpn file or possibly I need to somehow bridge the subnet 192.168.66.0 with the 192.168.7.0 subnet.
I am quite a new user of the DD-WRT software too... I have now spent a week or so learning and configuring the above to get it connected and have started to lose the will to live ... I'm sure the answer must be simple and others here have hopefully encountered and overcome this issue.
I apologise if I have missed something obvious .. I will mention that I did have a tap adapter setup with a Windows PC client initially and had that working, but when I switched to my iPad I then discovered that iOS does not support tap and I therefore had to switch to dev tun and play around with the config file etc.
So clearly all my certificates and keys are okay ... It's just the config files and the IP subnet issue that I need to resolve
Anyhow .. Any help or advice is appreciated ... I have pulled all my hair out and I am nearly bald anyway.
Sorry for quite a lengthy first post ... and hello to everyone here.
Kind regards...
Ken Griffiths
DD-WRT OpenVPN and iOS Client
-
- OpenVpn Newbie
- Posts: 2
- Joined: Sun Jul 10, 2016 1:20 pm
-
- OpenVPN Protagonist
- Posts: 11139
- Joined: Fri Jun 03, 2016 1:17 pm
Re: DD-WRT OpenVPN and iOS Client
Ken_Griffiths wrote: "In fact it is usually 192.168.66.6 for some reason?"
See --topology net30 in The Manual v23x
Ken_Griffiths wrote: "The problem...
Clearly the configuration above is absolutely of no use to me, as I need an IP address in the 192.168.7.0 home subnet ... In fact I would like it to assign my iPad client an IP address between 192.168.7.15 and 192.168.7.20"
This can only be done with --dev tap and --server-bridge ..
See: Note: You may not be able to use --dev tap with your client device .. some devices do not support TAP mode.
I recommend you start here:
HOWTO: For OpenVPN Community Edition
Read it carefully

Re: DD-WRT OpenVPN and iOS Client
Firstly TinCanTech, I would like to say 'thank you very much' for reading and taking the time to respond to my post.
I think from quickly reading through the links that you sent me, that in normal circumstances, I could replace the following two lines in my config file like this:
server 192.168.66.0 255.255.255.0 ...(replace with)... server-bridge 192.168.7.11 255.255.0.0 192.168.7.15 192.168.7.20
dev tun0 ...(replace with) ... dev tap0
However it is clear that tap and tun cannot be mixed and I am pretty certain that iOS does not support tap at this moment in time. So it seems what I am trying to do therefore, is not possible... Well not whilst I have the Linksys router bridged to my home network and using the same subnet.
So (if I am honest) I am now stuck ... It seems I have to start over again and setup the Linksys router in some other way possibly on its own subnet and then route the two subnets so that they see each other. I'm not sure I know how to do that at the moment, so it looks like I have some more reading and 'hair pulling' to do.
However....
Before I press the Linksys router's reset button and start again ... I was just wondering if anyone here on this forum, has ever setup OpenVPN on a router, that is NOT their main router in their network... and managed to get an iOS client (iPad/iPhone) connected from a remote location and could perhaps kindly give me a brief outline of what I may need to do next, to resolve the issue.
I should add that the Linksys router and its DD-WRT firmware are really just me having a 'play' with OpenVPN and trying to understand it a little better, rather than this being anything serious ... So it matters not if I 'balls things up' and have to start over again and again. I do have a tiny bit of hair left to play with, for a few days at least.
But any help and advice from anyone who may have done this before, is very much appreciated.
Kind Regards...
Ken Griffiths
Re: DD-WRT OpenVPN and iOS Client
Ken_Griffiths wrote: "I am pretty certain that iOS does not support tap"
That is what I thought ..
Ken_Griffiths wrote: "It seems I have to start over again and setup the Linksys router in some other way"
Yes .. the normal routed way ..
The HOWTO above explains .. see the section: Expanding the scope of the VPN to include additional machines
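Added example, not part of any post in this thread: a short Python sketch of the two points raised in the replies, using the thread's placeholder addresses. It shows why `--topology net30` hands the first client 192.168.66.6, and what the routed (tun) setup needs when the OpenVPN box is not the LAN gateway. The function names are hypothetical, and it assumes the LAN gateway allows a static route to be added, which the thread does not confirm for the Superhub2.

```python
import ipaddress

def net30_pairs(vpn_net):
    """Yield the two usable hosts of each /30 carved out of the VPN pool."""
    for block in ipaddress.ip_network(vpn_net).subnets(new_prefix=30):
        first, second = block.hosts()
        yield first, second

def first_client_ip(vpn_net):
    """Under net30 the server keeps the first /30 (.1/.2); the first
    client gets the second host of the next /30."""
    pairs = net30_pairs(vpn_net)
    next(pairs)                    # 192.168.66.1 / .2 are the server's
    _peer, client = next(pairs)    # .5 is the virtual peer, .6 the client
    return client

def routed_plan(lan_net, vpn_net, vpn_server_lan_ip):
    """Return the server push line and the static route the LAN gateway
    needs so replies to VPN clients go back via the OpenVPN box."""
    lan = ipaddress.ip_network(lan_net)
    vpn = ipaddress.ip_network(vpn_net)
    if lan.overlaps(vpn):
        # This is the 'server 192.168.7.0 255.255.255.0' attempt: a routed
        # tun pool cannot reuse the subnet the LAN already occupies.
        raise ValueError(f"VPN pool {vpn} overlaps LAN {lan}; use a separate subnet")
    if ipaddress.ip_address(vpn_server_lan_ip) not in lan:
        raise ValueError("OpenVPN box must have an address on the LAN")
    return {
        "server_push": f'push "route {lan.network_address} {lan.netmask}"',
        "gateway_route": f"{vpn.network_address} {vpn.netmask} via {vpn_server_lan_ip}",
    }

if __name__ == "__main__":
    # Constructed inputs taken from the thread's placeholder addressing.
    print("first client:", first_client_ip("192.168.66.0/24"))
    plan = routed_plan("192.168.7.0/24", "192.168.66.0/24", "192.168.7.11")
    for name, line in plan.items():
        print(f"{name}: {line}")
    try:
        routed_plan("192.168.7.0/24", "192.168.7.0/24", "192.168.7.11")
    except ValueError as err:
        print("rejected:", err)
```

The `gateway_route` line is the entry to add on the LAN gateway (192.168.7.1 in the thread); the OpenVPN box also has to forward packets between tun0 and its LAN interface.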