Setting up an OpenVPN server with DD-WRT and Viscosity
Virtual Private Networks (VPNs) can be utilized for a number of very useful applications. You can securely connect to any public WiFi hotspot. You can overcome geo-blocking restrictions on your favourite websites. And you can even connect to your home or office network from anywhere in the world, as if you were sitting right at your desk. This guide will walk you through the process of setting up your own OpenVPN server, and connecting to it with your copy of Viscosity.
Running your own OpenVPN server will allow you to encrypt everything you do on the internet, so that you can safely do your online banking on the free WiFi at your favourite cafe. Anything you send over the VPN connection will be encrypted from your device until it reaches your OpenVPN server at home. Setting up your OpenVPN server to access your home or office network gives you full access to all your files on your network.
This guide will walk you through the steps involved in setting up an OpenVPN server on an DD-WRT instance that allows you to securely access your home/office network from a remote location and optionally send all of your network traffic through it so you can access the internet securely as well.
Because DD-WRT is primarily used on router hardware, we will assume that the DD-WRT instance has a direct connection to the internet and its own IP address. Therefore we will not be considering any issues related to having your DD-WRT instance behind another router.
For this guide, we assume:
- You have already installed the appropriate version of DD-WRT for your router hardware
- DD-WRT has been set up with at least a WAN interface and a LAN interface
- You are connected with your client device to the DD-WRT server via its LAN interface during this guide
- This installation of DD-WRT is a fresh install
- You already have a copy of Viscosity installed on your client device
If you need to download and install a copy of DD-WRT, information can be found at http://www.dd-wrt.com/wiki/index.php/Installation. We won't be covering the details of setting up a DD-WRT instance, many guides can be found online. Regardless of the version of DD-WRT you are running, it's very likely that many or even all of the steps outlined in this guide will still apply. If you are looking to setup an OpenVPN server on a different operating system, please check out our other guides.
Your client device needs to be connected to the DD-WRT server via the LAN interface. This is necessary so that you can access the control panel to modify the DD-WRT configuration. The specifics of how you can achieve this depend on your particular network configuration.
Unfortunately we cannot provide any direct support for setting up your own OpenVPN server. We provide this guide as a courtesy to help you get started with, and make the most of, your copy of Viscosity. We've thoroughly tested the steps in this guide to ensure that, if you follow the instructions detailed below, you should be well on your way to enjoying the benefits of running your own OpenVPN server.
For further information or help with DD-WRT, we recommend checking out https://dd-wrt.com/support/
Generating Certificates and Keys
The next step is to generate your configurations for the server and your clients as well as certificates to go with them. You can do this easily by following the Creating Certificates and Keys Guide. Generate everything on your PC or Mac and then take a note of the path to your server folder that is created, we will be using the files here later on.
If you use the default DNS Server (10.8.0.1), you will need to setup a DNS server yourself, instructions are at the end of this article. We recommend instead using an existing DNS server, a publically available DNS server like Google's (220.127.116.11 and 18.104.22.168) is the easiest.
Creating the OpenVPN Server
Now we can use the web-based control panel to setup the OpenVPN server on our DD-WRT instance. You need to log in to the control panel from your client device connected to the LAN interface of the DD-WRT server.
- Open a browser on your client and navigate to the IP address of the LAN interface of your DD-WRT server (something like
http://192.168.1.1). If this is the first time logging in to your DD-WRT control panel, it will prompt you to create new login credentials.
- Click on the
Servicestab and then the
- In the OpenVPN Daemon section, click Enable. This will expand the section and provide you areas to paste in the certificates we created above.
- Ensure that the Start Type parameter is set to WAN Up.
- On your client device, in the Terminal (Mac) or Command Prompt (Windows), read the contents of the ca.crt file by typing:
- Copy the output of this command (including the -----BEGIN CERTIFICATE----- and the -----END CERTIFICATE----- parts) and paste it into the DD-WRT control panel section labelled CA Cert.
- Copy the output from the following command and paste it into the Public Server Cert section of the DD-WRT control panel:
- Copy the output from the following command and paste it into the Private Server Key section of the DD-WRT control panel.
- Copy the Diffie Hellman parameters output by and paste it into the DH PEM section of the DD-WRT control panel:
Finally, we need to insert the server configuration. Paste the following into the OpenVPN Config section of the DD-WRT control panel:
# The credential files dh /tmp/openvpn/dh.pem ca /tmp/openvpn/ca.crt cert /tmp/openvpn/cert.pem key /tmp/openvpn/key.pem # Our VPN connection will be transported over UDP proto udp # The server needs to keep a record of client virtual IP addresses so that they # can be reassigned if the server goes down ifconfig-pool-persist /tmp/openvpn/ip-pool.txt # To ensure that each side of the VPN knows if the connection has been severed, # we want to ping each side every 10 seconds. If either side fails to recieve a # ping within 2 minutes, then it will assume the other side is down keepalive 10 120 # To avoid attempting to access resources that may no longer be accessible on # restart persist-key persist-tun # To write (and rewrite) a short summary of current VPN connections every minute # to a file status /tmp/openvpn/openvpn-status.log # The verbosity of this connection logging (displayed in the Viscosity 'Details' # window) can range from 0 (silent) to 9 extremely verbose. We will use the # default of 3 verb 3 # To prevent more than 10 duplicates of the same log message in a row from # flooding the Viscosity log mute 10 # Provide GUI access over port 5002 management 127.0.0.1 5002 # This server will use the default OpenVPN port (1194) port 1194 # We need the VPN to create a tun network interface through which we can route # all our traffic dev tun0 # The VPN requires a private IP subnet. We will use the default OpenVPN IP # subnet server 10.8.0.0 255.255.255.0 # We want VPN clients connected to this server to be able to access any hosts # accessible on your home network. We are assuming that your local network # subnet is 192.168.0.x/24. If it is something else, you will need to change the # IP address in the command below push "route 192.168.0.0 255.255.255.0" # We want to allow hosts connected to the OpenVPN server to be able to see each # other client-to-client
Pay special attention to the IP address in the
push "route 192.168.0.0 255.255.255.0". Ensure that this subnet matches your home/office LAN IP subnet. If you are not setting up this VPN server to access your home/office LAN, then you can comment out this line. When you are done, click the
Apply Settings button at the bottom. This will cause the OpenVPN server to be started with these settings.
DNS Server Settings
If you are planning on encrypting all network traffic through your VPN server then it is recommended to enable your own DNS server.
- Click the
Setuptab in the web control panel and scroll down to the Network Address Server Settings (DHCP) section.
- Ensure that all three of the following settings are checked:
- Use DNSMasq for DHCP
- Use DNSMasq for DNS
- Click the
Apply Settingsbutton to save these changes.
- Click on the Services tab and then scroll down to the DNSMasq section.
- Ensure that both of the following settings are enabled:
- Local DNS
- Below these settings, you should see a box for Addidtional DNSMasq Options. Copy the following lines into that box:
- where we are using the Google DNS servers (22.214.171.124 and 126.96.36.199). If you have another DNS service provider of choice, feel free to use their servers here.
- Click the
Apply Settingsbutton at the bottom of the page. This will restart the DNSMasq server with these settings.
It's a good idea to set up the clock correctly on your DD-WRT router.
- Click the
Setuptab and scroll down to the Time Settings section.
- Set your time settings as appropriate for your region. A Google search for your region's time server should provide you with an appropriate Server IP/Name (such as pool.ntp.org).
- Click the
Apply Settingsbutton at the bottom of the page.
- To confirm that the time settings have been applied, click the
Administrationtab and then click the
- In the Commands box, type:
- and press the
Run Commandsbutton. This should output the current date and time (most likely in the UTC timezone).
- Click on the
Administrationtab and then click the
- Copy the following into the Commands box:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE
iptables -I FORWARD -p udp -s 10.8.0.0/24 -j ACCEPT
iptables -I INPUT -p udp --dport=1194 -j ACCEPT
iptables -I OUTPUT -p udp --sport=1194 -j ACCEPT
iptables -I INPUT -p udp -i eth0 -j ACCEPT
iptables -I FORWARD -i eth0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o eth0 -j ACCEPT
iptables -I INPUT -p udp -i br0 -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
- Click the
Setting Up Viscosity
The final step is to setup Viscosity. Thanks to openvpn-generate, this is as easy as importing and connecting.
Copy your *.visz file you created with openvpn-generate to your Mac or Windows machine with Viscosity installed and double click the file. You should see a prompt that the config was imported successfully.
Connecting and Using Your VPN Connection
You are now ready to connect. Click on the Viscosity icon in the menu bar (Windows: system tray) and select 'Connect DemoConnection'. That's it, you should see a notification that you're now connected!
To check that the VPN is up and running, you can use the Viscosity details window. Click the Viscosity menu bar (Windows: system tray) icon and select 'Details...'. This will bring up the details window.
This window will show you the traffic passing through the VPN connection.
That's it, you've set up your very own OpenVPN server. Congratulations, you are now free to enjoy the benefits of operating your own OpenVPN server!