App Support.

We're here to help.



Setting up an OpenVPN server with DD-WRT and Viscosity

Virtual Private Networks (VPNs) can be utilized for a number of very useful applications. You can securely connect to any public WiFi hotspot. You can overcome geo-blocking restrictions on your favourite websites. And you can even connect to your home or office network from anywhere in the world, as if you were sitting right at your desk. This guide will walk you through the process of setting up your own OpenVPN server, and connecting to it with your copy of Viscosity.

Running your own OpenVPN server will allow you to encrypt everything you do on the internet, so that you can safely do your online banking on the free WiFi at your favourite cafe. Anything you send over the VPN connection will be encrypted from your device until it reaches your OpenVPN server at home. Setting up your OpenVPN server to access your home or office network gives you full access to all your files on your network.

This guide will walk you through the steps involved in setting up an OpenVPN server on an DD-WRT instance that allows you to securely access your home/office network from a remote location and optionally send all of your network traffic through it so you can access the internet securely as well.

Because DD-WRT is primarily used on router hardware, we will assume that the DD-WRT instance has a direct connection to the internet and its own IP address. Therefore we will not be considering any issues related to having your DD-WRT instance behind another router.

Preparation

For this guide, we assume:

  • You have already installed the appropriate version of DD-WRT for your router hardware
  • DD-WRT has been set up with at least a WAN interface and a LAN interface
  • You are connected with your client device to the DD-WRT server via its LAN interface during this guide
  • This installation of DD-WRT is a fresh install
  • You already have a copy of Viscosity installed on your client device

If you need to download and install a copy of DD-WRT, information can be found at http://www.dd-wrt.com/wiki/index.php/Installation. We won't be covering the details of setting up a DD-WRT instance, many guides can be found online. Regardless of the version of DD-WRT you are running, it's very likely that many or even all of the steps outlined in this guide will still apply. If you are looking to setup an OpenVPN server on a different operating system, please check out our other guides.

Your client device needs to be connected to the DD-WRT server via the LAN interface. This is necessary so that you can access the control panel to modify the DD-WRT configuration. The specifics of how you can achieve this depend on your particular network configuration.

If you don't have a copy of Viscosity already installed on your client, then please check out this setup guide for installing Viscosity (Mac | Windows).

Support

Unfortunately we cannot provide any direct support for setting up your own OpenVPN server. We provide this guide as a courtesy to help you get started with, and make the most of, your copy of Viscosity. We've thoroughly tested the steps in this guide to ensure that, if you follow the instructions detailed below, you should be well on your way to enjoying the benefits of running your own OpenVPN server.

For further information or help with DD-WRT, we recommend checking out https://dd-wrt.com/support/

Generating Certificates and Keys

The next step is to generate your configurations for the server and your clients as well as certificates to go with them. You can do this easily by following the Creating Certificates and Keys Guide. Generate everything on your PC or Mac and then take a note of the path to your server folder that is created, we will be using the files here later on.

If you use the default DNS Server (10.8.0.1), you will need to setup a DNS server yourself, instructions are at the end of this article. We recommend instead using an existing DNS server, a publically available DNS server like Google's (8.8.8.8 and 8.8.4.4) is the easiest.

Creating the OpenVPN Server

Now we can use the web-based control panel to setup the OpenVPN server on our DD-WRT instance. You need to log in to the control panel from your client device connected to the LAN interface of the DD-WRT server. Please note that "C:\path\to" and "path/to/" below should be replaced with the location where you created your certificate/keys.

  1. Open a browser on your client and navigate to the IP address of the LAN interface of your DD-WRT server (something like http://192.168.1.1). If this is the first time logging in to your DD-WRT control panel, it will prompt you to create new login credentials.



  2. Click on the Services tab and then the VPN tab.
  3. In the OpenVPN Daemon section, click Enable. This will expand the section and provide you areas to paste in the certificates we created above.
  4. Ensure that the Start Type parameter is set to WAN Up.
  5. On your client device, in the Terminal (Mac) or Command Prompt (Windows), read the contents of the ca.crt file by typing:
    Mac
    cat path/to/server/ca.crt
    Windows
    type "C:\path\to\server\ca.crt"
  6. Copy the output of this command (including the -----BEGIN CERTIFICATE----- and the -----END CERTIFICATE----- parts) and paste it into the DD-WRT control panel section labelled CA Cert.
  7. Copy the output from the following command and paste it into the Public Server Cert section of the DD-WRT control panel:
    Mac
    cat path/to/server/server.crt
    Windows
    type "C:\path\to\server\server.crt"
  8. Copy the output from the following command and paste it into the Private Server Key section of the DD-WRT control panel.
    Mac
    cat path/to/server/server.key
    Windows
    type "C:\path\to\server\server.key"
  9. Copy the Diffie Hellman parameters output by and paste it into the DH PEM section of the DD-WRT control panel:
    Mac
    cat path/to/server/dh.pem
    Windows
    type "C:\path\to\server\dh.pem"

Finally, we need to insert the server configuration. Paste the following into the OpenVPN Config section of the DD-WRT control panel:

# The credential files
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem

# Our VPN connection will be transported over UDP
proto udp

# The server needs to keep a record of client virtual IP addresses so that they
# can be reassigned if the server goes down
ifconfig-pool-persist /tmp/openvpn/ip-pool.txt

# To ensure that each side of the VPN knows if the connection has been severed,
# we want to ping each side every 10 seconds. If either side fails to recieve a
# ping within 2 minutes, then it will assume the other side is down
keepalive 10 120

# To avoid attempting to access resources that may no longer be accessible on
# restart
persist-key
persist-tun

# To write (and rewrite) a short summary of current VPN connections every minute
# to a file
status /tmp/openvpn/openvpn-status.log

# The verbosity of this connection logging (displayed in the Viscosity 'Details'
# window) can range from 0 (silent) to 9 extremely verbose. We will use the
# default of 3
verb 3

# To prevent more than 10 duplicates of the same log message in a row from
# flooding the Viscosity log
mute 10

# Provide GUI access over port 5002
management 127.0.0.1 5002

# This server will use the default OpenVPN port (1194)
port 1194

# We need the VPN to create a tun network interface through which we can route
# all our traffic
dev tun0

# The VPN requires a private IP subnet. We will use the default OpenVPN IP
# subnet
server 10.8.0.0 255.255.255.0

# We want VPN clients connected to this server to be able to access any hosts
# accessible on your home network. We are assuming that your local network
# subnet is 192.168.0.x/24. If it is something else, you will need to change the
# IP address in the command below
push "route 192.168.0.0 255.255.255.0"

# We want to allow hosts connected to the OpenVPN server to be able to see each
# other
client-to-client

Pay special attention to the IP address in the push "route 192.168.0.0 255.255.255.0". Ensure that this subnet matches your home/office LAN IP subnet. If you are not setting up this VPN server to access your home/office LAN, then you can comment out this line. When you are done, click the Apply Settings button at the bottom. This will cause the OpenVPN server to be started with these settings.

DNS Server Settings

If you are planning on encrypting all network traffic through your VPN server then it is recommended to enable your own DNS server.

  1. Click the Setup tab in the web control panel and scroll down to the Network Address Server Settings (DHCP) section.
  2. Ensure that all three of the following settings are checked:
    • Use DNSMasq for DHCP
    • Use DNSMasq for DNS
    • DHCP-Authoritative
  3. Click the Apply Settings button to save these changes.
  4. Click on the Services tab and then scroll down to the DNSMasq section.
  5. Ensure that both of the following settings are enabled:
    • DNSMasq
    • Local DNS
  6. Below these settings, you should see a box for Addidtional DNSMasq Options. Copy the following lines into that box:
    domain-needed
    bogus-priv

    interface=tun0
    listen-address=127.0.0.1

    server=8.8.8.8
    server=8.8.4.4
    where we are using the Google DNS servers (8.8.8.8 and 8.8.4.4). If you have another DNS service provider of choice, feel free to use their servers here.
  7. Click the Apply Settings button at the bottom of the page. This will restart the DNSMasq server with these settings.

Time Server

It's a good idea to set up the clock correctly on your DD-WRT router.

  1. Click the Setup tab and scroll down to the Time Settings section.
  2. Set your time settings as appropriate for your region. A Google search for your region's time server should provide you with an appropriate Server IP/Name (such as pool.ntp.org).



  3. Click the Apply Settings button at the bottom of the page.
  4. To confirm that the time settings have been applied, click the Administration tab and then click the Commands subtab.
  5. In the Commands box, type:
    date
    and press the Run Commands button. This should output the current date and time (most likely in the UTC timezone).

Firewall Settings

  1. Click on the Administration tab and then click the Commands subtab.
  2. Copy the following into the Commands box:
    iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE
    iptables -I FORWARD -p udp -s 10.8.0.0/24 -j ACCEPT
    iptables -I INPUT -p udp --dport=1194 -j ACCEPT
    iptables -I OUTPUT -p udp --sport=1194 -j ACCEPT

    iptables -I INPUT -p udp -i eth0 -j ACCEPT
    iptables -I FORWARD -i eth0 -o tun0 -j ACCEPT
    iptables -I FORWARD -i tun0 -o eth0 -j ACCEPT

    iptables -I INPUT -p udp -i br0 -j ACCEPT
    iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
    iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
  3. Click the Save Firewall button.

Setting Up Viscosity

The final step is to setup Viscosity. Thanks to openvpn-generate, this is as easy as importing and connecting.

Importing

Copy your *.visz file you created with openvpn-generate to your Mac or Windows machine with Viscosity installed and double click the file. You should see a prompt that the config was imported successfully.

Connecting and Using Your VPN Connection

You are now ready to connect. Click on the Viscosity icon in the macOS menu bar or Windows system tray to open the Viscosity Menu, select the connection you imported, and Viscosity will connect.

To check that the VPN is up and running, you can open the Details window from the Viscosity Menu. This will allow you to view connection details, traffic and the OpenVPN log.



 

That's it, you've set up your very own OpenVPN server. Congratulations, you are now free to enjoy the benefits of operating your own OpenVPN server!