Setting up an OpenVPN server with DD-WRT and Viscosity
Virtual Private Networks (VPNs) can be utilized for a number of very useful applications. You can securely connect to any public WiFi hotspot. You can overcome geo-blocking restrictions on your favourite websites. And you can even connect to your home or office network from anywhere in the world, as if you were sitting right at your desk. This guide will walk you through the process of setting up your own OpenVPN server, and connecting to it with your copy of Viscosity.
Running your own OpenVPN server will allow you to encrypt everything you do on the internet, so that you can safely do your online banking on the free WiFi at your favourite cafe. Anything you send over the VPN connection will be encrypted from your device until it reaches your OpenVPN server at home. Setting up your OpenVPN server to access your home or office network gives you full access to all your files on your network.
This guide will walk you through the steps involved in setting up an OpenVPN server on a DD-WRT instance that allows you to securely access your home/office network from a remote location and optionally send all of your network traffic through it so you can access the internet securely as well.
Because DD-WRT is primarily used on router hardware, we will assume that the DD-WRT instance has a direct connection to the internet and its own IP address. Therefore we will not be considering any issues related to having your DD-WRT instance behind another router.
Preparation
For this guide, we assume:
- You have already installed the appropriate version of DD-WRT for your router hardware
- DD-WRT has been set up with at least a WAN interface and a LAN interface
- You are connected with your client device to the DD-WRT server via its LAN interface during this guide
- This installation of DD-WRT is a fresh install
- You already have a copy of Viscosity installed on your client device
If you need to download and install a copy of DD-WRT, information can be found at http://www.dd-wrt.com/wiki/index.php/Installation. We won't be covering the details of setting up a DD-WRT instance; many guides can be found online. Regardless of the version of DD-WRT you are running, it's very likely that many or even all of the steps outlined in this guide will still apply. If you are looking to set up an OpenVPN server on a different operating system, please check out our other guides.
Your client device needs to be connected to the DD-WRT server via the LAN interface. This is necessary so that you can access the control panel to modify the DD-WRT configuration. The specifics of how you can achieve this depend on your particular network configuration.
If you don't have a copy of Viscosity already installed on your client, then please check out this setup guide for installing Viscosity (Mac | Windows).
Support
Unfortunately we cannot provide any direct support for setting up your own OpenVPN server. We provide this guide as a courtesy to help you get started with, and make the most of, your copy of Viscosity. We've thoroughly tested the steps in this guide to ensure that, if you follow the instructions detailed below, you should be well on your way to enjoying the benefits of running your own OpenVPN server.
For further information or help with DD-WRT, we recommend checking out https://dd-wrt.com/support/
Generating Certificates and Keys
The next step is to generate your configurations for the server and your clients, as well as the certificates to go with them. You can do this easily by following the Creating Certificates and Keys Guide. Generate everything on your PC or Mac and then take note of the path to the server folder that is created; we will be using the files in it later on.
If you use the default DNS Server (10.8.0.1), you will need to set up a DNS server yourself; instructions are in the DNS Server Settings section below. We recommend instead using an existing DNS server; a publicly available DNS server like Google's (8.8.8.8 and 8.8.4.4) is the easiest.
Creating the OpenVPN Server
Now we can use the web-based control panel to set up the OpenVPN server on our DD-WRT instance. You need to log in to the control panel from your client device connected to the LAN interface of the DD-WRT server. Please note that "C:\path\to" and "path/to/" below should be replaced with the location where you created your certificate/keys.
- Open a browser on your client and navigate to the IP address of the LAN interface of your DD-WRT server (something like http://192.168.1.1). If this is the first time logging in to your DD-WRT control panel, it will prompt you to create new login credentials.
- Click on the Services tab and then the VPN tab.
- In the OpenVPN Daemon section, click Enable. This will expand the section and provide you areas to paste in the certificates we created above.
- Ensure that the Start Type parameter is set to WAN Up.
- On your client device, in the Terminal (Mac) or Command Prompt (Windows), read the contents of the ca.crt file by typing:
  - Mac
    cat path/to/server/ca.crt
  - Windows
    type "C:\path\to\server\ca.crt"
- Copy the output of this command (including the -----BEGIN CERTIFICATE----- and the -----END CERTIFICATE----- parts) and paste it into the DD-WRT control panel section labelled CA Cert.
- Copy the output from the following command and paste it into the Public Server Cert section of the DD-WRT control panel:
  - Mac
    cat path/to/server/server.crt
  - Windows
    type "C:\path\to\server\server.crt"
- Copy the output from the following command and paste it into the Private Server Key section of the DD-WRT control panel.
  - Mac
    cat path/to/server/server.key
  - Windows
    type "C:\path\to\server\server.key"
- Copy the Diffie Hellman parameters output by the following command and paste them into the DH PEM section of the DD-WRT control panel:
  - Mac
    cat path/to/server/dh.pem
  - Windows
    type "C:\path\to\server\dh.pem"
Finally, we need to insert the server configuration. Paste the following into the OpenVPN Config section of the DD-WRT control panel:
# The credential files
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem

# Our VPN connection will be transported over UDP
proto udp

# The server needs to keep a record of client virtual IP addresses so that they
# can be reassigned if the server goes down
ifconfig-pool-persist /tmp/openvpn/ip-pool.txt

# To ensure that each side of the VPN knows if the connection has been severed,
# we want to ping each side every 10 seconds. If either side fails to receive a
# ping within 2 minutes, then it will assume the other side is down
keepalive 10 120

# To avoid attempting to access resources that may no longer be accessible on
# restart
persist-key
persist-tun

# To write (and rewrite) a short summary of current VPN connections every minute
# to a file
status /tmp/openvpn/openvpn-status.log

# The verbosity of this connection logging (displayed in the Viscosity 'Details'
# window) can range from 0 (silent) to 9 (extremely verbose). We will use the
# default of 3
verb 3

# To prevent more than 10 duplicates of the same log message in a row from
# flooding the Viscosity log
mute 10

# Provide GUI access over port 5002
management 127.0.0.1 5002

# This server will use the default OpenVPN port (1194)
port 1194

# We need the VPN to create a tun network interface through which we can route
# all our traffic
dev tun0

# The VPN requires a private IP subnet. We will use the default OpenVPN IP
# subnet
server 10.8.0.0 255.255.255.0

# We want VPN clients connected to this server to be able to access any hosts
# accessible on your home network. We are assuming that your local network
# subnet is 192.168.0.x/24. If it is something else, you will need to change the
# IP address in the command below
push "route 192.168.0.0 255.255.255.0"

# We want to allow hosts connected to the OpenVPN server to be able to see each
# other
client-to-client
Pay special attention to the IP address in the push "route 192.168.0.0 255.255.255.0" line. Ensure that this subnet matches your home/office LAN IP subnet. If you are not setting up this VPN server to access your home/office LAN, then you can comment out this line. When you are done, click the Apply Settings button at the bottom. This will cause the OpenVPN server to be started with these settings.
DNS Server Settings
If you are planning on encrypting all network traffic through your VPN server then it is recommended to enable your own DNS server.
- Click the Setup tab in the web control panel and scroll down to the Network Address Server Settings (DHCP) section.
- Ensure that all three of the following settings are checked:
  - Use DNSMasq for DHCP
  - Use DNSMasq for DNS
  - DHCP-Authoritative
- Click the Apply Settings button to save these changes.
- Click on the Services tab and then scroll down to the DNSMasq section.
- Ensure that both of the following settings are enabled:
  - DNSMasq
  - Local DNS
- Below these settings, you should see a box for Additional DNSMasq Options. Copy the following lines into that box:
  domain-needed
  bogus-priv
  interface=tun0
  listen-address=127.0.0.1
  server=8.8.8.8
  server=8.8.4.4
  Here we are using the Google DNS servers (8.8.8.8 and 8.8.4.4). If you have another DNS service provider of choice, feel free to use their servers here.
- Click the Apply Settings button at the bottom of the page. This will restart the DNSMasq server with these settings.
Time Server
It's a good idea to set up the clock correctly on your DD-WRT router.
- Click the Setup tab and scroll down to the Time Settings section.
- Set your time settings as appropriate for your region. A Google search for your region's time server should provide you with an appropriate Server IP/Name (such as pool.ntp.org).
- Click the Apply Settings button at the bottom of the page.
- To confirm that the time settings have been applied, click the Administration tab and then click the Commands subtab.
- In the Commands box, type:
  date
  and press the Run Commands button. This should output the current date and time (most likely in the UTC timezone).
Firewall Settings
- Click on the Administration tab and then click the Commands subtab.
- Copy the following into the Commands box:
  iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE
  iptables -I FORWARD -p udp -s 10.8.0.0/24 -j ACCEPT
  iptables -I INPUT -p udp --dport=1194 -j ACCEPT
  iptables -I OUTPUT -p udp --sport=1194 -j ACCEPT
  iptables -I INPUT -p udp -i eth0 -j ACCEPT
  iptables -I FORWARD -i eth0 -o tun0 -j ACCEPT
  iptables -I FORWARD -i tun0 -o eth0 -j ACCEPT
  iptables -I INPUT -p udp -i br0 -j ACCEPT
  iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
  iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
- Click the Save Firewall button.
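The OpenVPN config and the firewall commands have to agree with each other (VPN subnet, port, tun device), and the pushed route has to be your real LAN subnet. The Python check below is an added example, not part of the original guide or of DD-WRT; the function names and the lan_cidr parameter are assumptions made for illustration, and the sample input is a constructed excerpt of the config and firewall commands above.

```python
import shlex
from ipaddress import ip_network

OPENVPN_CONF = """
proto udp
port 1194
dev tun0
server 10.8.0.0 255.255.255.0
push "route 192.168.0.0 255.255.255.0"
"""  # constructed sample: the directives of the guide's server config that matter here
FIREWALL = """
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE
iptables -I INPUT -p udp --dport=1194 -j ACCEPT
iptables -I INPUT -p udp -i eth0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
"""  # constructed sample: four of the guide's firewall commands

def net(addr, mask):
    # OpenVPN directives give networks as an address/netmask pair
    return ip_network(f"{addr}/{mask}", strict=False)

def parse_conf(text):
    """Collect the port, tun device, VPN subnet and pushed routes."""
    conf = {"routes": []}
    for tok in (shlex.split(line, comments=True) for line in text.splitlines()):
        if tok[:1] == ["push"] and tok[1].startswith("route "):
            conf["routes"].append(net(*tok[1].split()[1:3]))
        elif tok[:1] == ["server"]:
            conf["vpn"] = net(*tok[1:3])
        elif tok[:1] in (["port"], ["dev"]):
            conf[tok[0]] = tok[1]
    return conf

def check(conf_text, fw_text, lan_cidr):
    """Return findings where the pasted sections disagree with each other or the LAN."""
    conf, lan = parse_conf(conf_text), ip_network(lan_cidr)
    out = [f"pushed route {r} is not the LAN subnet {lan}" for r in conf["routes"] if r != lan]
    for rule in filter(None, map(str.strip, fw_text.splitlines())):
        opt = rule.replace("=", " ").split()  # accept --dport=1194 and --dport 1194
        arg = {o: opt[i + 1] for i, o in enumerate(opt[:-1]) if o.startswith("-")}
        if "-s" in arg and ip_network(arg["-s"]) != conf["vpn"]:
            out.append(f"source {arg['-s']} is not the VPN subnet: {rule}")
        if arg.get("--dport", conf["port"]) != conf["port"]:
            out.append(f"--dport differs from port {conf['port']}: {rule}")
        for dev in (arg.get("-i", ""), arg.get("-o", "")):
            if dev.startswith("tun") and dev != conf["dev"]:
                out.append(f"{dev} is not the configured {conf['dev']}: {rule}")
        if arg.get("-I") == "INPUT" and "-p" in arg and "--dport" not in arg:
            out.append(f"accepts every {arg['-p']} port on {arg.get('-i', 'any')}: {rule}")
    return out
```

Calling check(OPENVPN_CONF, FIREWALL, "192.168.1.0/24"), the subnet of the http://192.168.1.1 address used as an example earlier, reports that the pushed 192.168.0.0/24 route does not match. It also lists INPUT rules that accept UDP on an interface without naming a port, so you can decide whether you want them that broad.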
Setting Up Viscosity
The final step is to set up Viscosity. Thanks to openvpn-generate, this is as easy as importing and connecting.
Importing
Copy the *.visz file you created with openvpn-generate to your Mac or Windows machine with Viscosity installed and double-click the file. You should see a prompt that the config was imported successfully.
Connecting and Using Your VPN Connection
You are now ready to connect. Click on the Viscosity icon in the macOS menu bar or Windows system tray to open the Viscosity Menu, select the connection you imported, and Viscosity will connect.
To check that the VPN is up and running, you can open the Details window from the Viscosity Menu. This will allow you to view connection details, traffic and the OpenVPN log.
That's it, you've set up your very own OpenVPN server. Congratulations, you are now free to enjoy the benefits of operating your own OpenVPN server!