OpenVPN server
This is a step-by-step guide on how to set up an OpenVPN server on your DD-WRT router. It is assumed that you have an OpenVPN build on your router.
This guide has been tested on three different routers:
- D-Link DIR-868L A1 (DD-WRT v3.0-r27506 (07/09/15) std)
- NETGEAR WNDR3700v3 (DD-WRT v3.0-r29440 mega (04/11/16))
- NETGEAR WNR3500Lv2 (DD-WRT v24-sp2 (03/25/13) vpn (SVN revision 21061))
This guide does not explain how to generate certificates and keys or how to set up an OpenVPN client. The setup is for a server using basic certificates for an Autologin profile only. A user/password and man-in-the-middle protection can be added later on, once you have a working server.
My router arrangement is as follows: cable modem bridged to my AirPort Extreme, which forwards port 45022 to my DD-WRT router (WAN IP: 10.0.1.222).
Before you start, you should back up your router, then Restore Factory Defaults to avoid unknown settings messing up your server configuration. Once you have a working server, you may restore your backup, configure it again and tweak it further to your needs.
With your clean DD-WRT router (Factory Defaults), do the following:
1) Log into your router and set a new Router Username and Router Password
2) Press <Save Password>
3) Refresh and log into your router using your new username and password
4) Go to Setup >> Basic Setup
5) Scroll down to Router IP and update Local IP Address and Local DNS. This will be your router’s IP address (e.g. 192.168.22.1).
6) <Save> settings
7) Go to Wireless >> Wireless Security
8) Set Security Mode (WPA2 Personal), then WPA Algorithms (AES) and add a suitable WPA Shared Key
9) <Save> settings
10) Go to Wireless >> Basic Settings
11) Update Wireless Network Name (SSID) and disable Wireless SSID Broadcast.
12) <Save> settings
13) Go to Services >> VPN
14) Scroll down to OpenVPN Server/Daemon
15) Enable OpenVPN
16) Configure the server as follows:
OpenVPN: Enable
Start Type: WAN Up
Config as: Server
Server mode: Router (TUN)
Network: 10.35.22.0
Netmask: 255.255.255.0
Port: 45022
Tunnel Protocol: UDP
Encryption Cipher: Blowfish CBC
Hash Algorithm: SHA256
Advanced Options: Enable
TLS Cipher: None
LZO Compression: Adaptive
Redirect default Gateway: Enable
Allow Client to Client: Enable
Allow duplicate cn: Enable
Tunnel MTU setting: 1500
Tunnel UDP Fragment:
Tunnel UDP MSS-Fix: Disable
CCD-Dir DEFAULT file:
Client connect script:
Static Key:
PKCS12 Key:
Public Server Cert: paste server.crt content from and including -----BEGIN CERTIFICATE-----
CA Cert: paste ca.crt content here
Private Server Key: paste server.key content here
DH PEM: paste dh2048.pem content here
Additional Config:
push "route 192.168.22.0 255.255.255.0"
push "dhcp-option DNS 192.168.22.1"
TLS Auth Key:
Certificate Revoke List:
17) <Save> settings
18) Press <Apply Settings>
19) Wait two minutes and restart your PC for a simple IP reset
20) Log into your router (192.168.22.1)
21) Go to Setup >> Advanced Routing
22) Press <Show Routing Table>
23) Find column Interface and look for tun# (e.g. tun2)
24) Press <Close>
25) Go To Services >> Services
26) Scroll down to DNSMasq and enable DNSMasq, Local DNS, No DNS Rebind and Query DNS in Strict Order
27) Add the following text under Additional DNSMasq Options:
interface=tun2
28) <Save> settings
29) Go to Administration >> Commands
30) Add the text below to the Commands textbox, press <Run Commands> and then <Save Firewall>
iptables -I INPUT 1 -p udp --dport 45022 -j ACCEPT
iptables -I FORWARD 1 --source 10.35.22.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.35.22.0/24 -j MASQUERADE
iptables -I FORWARD -i br0 -o tun2 -j ACCEPT
iptables -I FORWARD -i tun2 -o br0 -j ACCEPT
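As an added example that is not part of this guide: a small shell script that reads the tun interface name from the routing table (as you did by hand in step 23) and generates the step 30 rules for it, so the firewall rules and the DNSMasq interface= line in step 27 match whatever tun number the router actually assigned. It assumes the guide's values (port 45022, VPN subnet 10.35.22.0/24, LAN bridge br0); the routing table sample inside it is constructed.

```shell
#!/bin/sh
# Added example, not part of the guide: generate the step 30 firewall rules for
# the tun interface OpenVPN actually created (step 23) instead of hardcoding tun2.
# Assumed values are the guide's: port 45022, VPN subnet 10.35.22.0/24, LAN bridge br0.

VPN_PORT=45022
VPN_NET=10.35.22.0/24
LAN_IF=br0

# Pick the first tunN interface from `route -n` style output (interface is the
# last column). Prints nothing if no tunnel is up yet, so the caller can stop.
find_tun_if() {
    printf '%s\n' "$1" | awk '$NF ~ /^tun[0-9]+$/ { print $NF; exit }'
}

# Print the five rules from step 30 with the tunnel interface filled in.
# The INPUT/FORWARD rules are inserted at position 1 so they sit ahead of
# DD-WRT's own DROP rules; the NAT rule is appended.
vpn_firewall_rules() {
    tun="$1"
    cat <<EOF
iptables -I INPUT 1 -p udp --dport $VPN_PORT -j ACCEPT
iptables -I FORWARD 1 --source $VPN_NET -j ACCEPT
iptables -t nat -A POSTROUTING -s $VPN_NET -j MASQUERADE
iptables -I FORWARD -i $LAN_IF -o $tun -j ACCEPT
iptables -I FORWARD -i $tun -o $LAN_IF -j ACCEPT
EOF
}

# Constructed sample of `route -n` output as seen after step 23 (tunnel on tun2).
SAMPLE_ROUTES='Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.0.1.1        0.0.0.0         UG    0      0        0 vlan2
10.35.22.0      0.0.0.0         255.255.255.0   U     0      0        0 tun2
192.168.22.0    0.0.0.0         255.255.255.0   U     0      0        0 br0'

# Dry run by default (prints the rules). `apply` reads the live routing table
# and runs the rules on the router.
main() {
    if [ "$1" = apply ]; then routes=$(route -n); else routes=$SAMPLE_ROUTES; fi
    tun=$(find_tun_if "$routes")
    if [ -z "$tun" ]; then
        echo "no tun interface in routing table; is the OpenVPN server up?" >&2
        return 1
    fi
    if [ "$1" = apply ]; then vpn_firewall_rules "$tun" | sh; else vpn_firewall_rules "$tun"; fi
}
main "$@"
```

Run it without arguments first and compare its output with the rules above; only then run it with apply, followed by <Save Firewall> as in step 30.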
31) Go to Status >> OpenVPN
32) Scroll down to State. If it says “Server: CONNECTED: SUCCESS”, then you’ve made it!
Now that you have a working OpenVPN server, you just have to configure an OpenVPN client.