Thursday, January 18, 2007

OpenVPN on your WRT54G

One of the coolest things to come out of the SOHO router market has been the ability to take a few of the Linux-based routers and significantly upgrade their capabilities using community-driven third-party firmware.  The most popular of these, of course, are the WRT54G(S) varieties, since they can be had for under $50 pretty easily.  Unfortunately, Linksys (or Cisco) decided that they didn't appreciate the competition, so newer WRT54G-based routers no longer have as much memory or even run Linux anymore, making them much more difficult to upgrade.  Instead, they now offer a more expensive WRT54GL (where L stands for Linux, I guess) model that is essentially what the older models were and is still easily upgradeable.  Of course, Asus and Buffalo make decent and affordable routers that can be upgraded as well, so you needn't worry too much if you can't find an affordable Linksys version.

I have previously mentioned OpenVPN on this blog and sung its praises as an extremely capable SSL VPN solution.  In the past, I was running a VPN server on my home computer and forwarding the port through the WRT54G such that my client laptop could connect from anywhere to my home network.  This is very useful when you are behind very restrictive firewall or web proxy policies you don't feel like obeying.

I use DD-WRT firmware on my WRT54GS router.  I initially looked at using Sveasoft, but found their business model to be a little disturbing and hypocritical.  The DD-WRT firmware is top-notch, well-maintained, and free, however.  The other day I was checking out what progress has been made on new features, and found that in addition to working as an OpenVPN client, the latest release of the DD-WRT firmware also allows the router to work as a server.  This is huge.  This means that I can now remove the VPN server from my home box and locate it on the router, which allows me to hit each and every computer on my network easily instead of just one.

Setting up everything appears intimidating, but it really isn't.  Here is how to perform this simple task and get your own SSL VPN.  Assuming you have a capable router, just follow these easy steps:


  1. Download the DD-WRT firmware from here.  Install the one with VPN support built into the image.  When I did this, it was v.23 SP2 VPN (dd-wrt.v23_vpn_wrt54gsv4.bin). However, you should read the Wiki to make sure you are installing the correct version for your model (mine was a v4 GS version).
  2. Download the OpenVPN GUI or OpenVPN Admin software and install it on your client.  For Vista users, first install the latest OpenVPN (version 2.0.9 or later) and then install one of the clients on top (GUI only).  Vista will choke on installing a new TAP adapter if you don't use a later release (I used version 2.1 RC1 with no problems).  Since the GUIs are usually packaged a bit behind the latest release of OpenVPN, you may not be able to download and use an all-in-one install on Vista.
  3. Follow the directions here on how to create SSL certificates for your server and for each client machine that will be connecting.  Note: I was unable to get OpenSSL to sign my certificate request from Vista (even running as an admin).  When I took the files to an XP machine, I had no problems, however.  Technically, you don't even need to use certs and can use a static key.  However, I like the idea of using certificates, as you can get even fancier later with your own CA authority and automatic enrollment if you would like.
  4. Use the script here in the section entitled "Server Mode with Certificates" to install the server certificates and startup script on your router.  You just need to cut and paste your information into the script.  Reboot your router.
  5. Create your client configuration file and start it!  This is very easy to do using OpenVPN Admin, and pretty easy to do using the sample config file from your OpenVPN installation if you used OpenVPN GUI.  You now have a secure VPN connection back to your home network and should find that you can ping any machine on your network as if you were sitting behind the router.  See the screenshots below using OpenVPN Admin for the config params.  Note: if you are at a place that has a web proxy, use the Proxy tab to tunnel right on through.

A couple of final notes:  If you are using a web proxy, you must be using TCP instead of UDP.  The server is already set up using TCP, so your client should be set up with that as well.  Additionally, you can use a TLS handshake initially for even more security.  I did not do this in my router install, but had it working on my home server installation.  I also modified the scripts in step #4 and in step #5 to use port 443 instead of the default 1194.  The reason is that certain locations typically block all ports except 80 and 443, so it is easiest to tunnel through this port.
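To make step 5 and the notes above concrete, here is a client configuration file that matches the server settings described in this post: TCP on port 443, certificates from step 3, the optional TLS handshake key, and a web proxy entry (what the Proxy tab in OpenVPN Admin fills in for you).  This is an added example, not the sample config shipped with OpenVPN, the DD-WRT wiki script, or anything from this post.  The hostname vpn.example.com, the proxy address proxy.example.com:8080, and the certificate file names are placeholders for your own values.

```conf
# client.ovpn -- added example client config; hostnames and file names are placeholders.
client
dev tun

# The router script from step 4 runs the server over TCP, and only TCP can be
# carried through an HTTP proxy, so the client must use TCP as well.
proto tcp-client

# Port 443 instead of the default 1194, because networks that filter outbound
# traffic usually still allow 80 and 443 (vpn.example.com = your router's public
# or dynamic-DNS name).
remote vpn.example.com 443
resolv-retry infinite
nobind
persist-key
persist-tun

# Certificates from step 3: the CA that signed both sides, plus this laptop's pair.
ca ca.crt
cert laptop.crt
key laptop.key

# Optional extra protection on the TLS handshake (the "TLS handshake" mentioned
# in the final notes): packets without a valid HMAC from ta.key are dropped
# before any TLS work is done. The same ta.key goes on the router with
# direction 0; the client uses direction 1.
tls-auth ta.key 1

# Refuse to finish the handshake unless the peer presents a *server* certificate,
# so another client's cert cannot be used to impersonate the router. This needs
# OpenVPN 2.1 or later and a server cert generated as a server cert (e.g. easy-rsa
# build-key-server); on 2.0.x use "ns-cert-type server" instead.
remote-cert-tls server

# Uncomment these two lines when sitting behind a web proxy.
# http-proxy proxy.example.com 8080
# http-proxy-retry

# Only enable compression if the router's server script enables it too;
# the setting must match on both sides.
# comp-lzo

verb 3
```

If the connection stalls at the handshake, the usual suspects are a direction mismatch on tls-auth (0 on the server, 1 on the client), a missing ta.key on one side, or a server certificate that was signed as a plain client cert, which remote-cert-tls will reject on purpose.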

So, with a couple of hours' effort (to initially read the Wiki) and a $30 hardware investment, I now have an extremely capable and resilient solution that allows me to securely access my home network from virtually any place that has an internet connection.