DD-WRT: OpenVPN Server Using Certificates

Posted by on Mon, October 14, 2013

GUI confuses me sometimes, so I prefer to make configurations in text files. For DD-WRT, the OpenVPN server is available in the OpenVPN, OpenVPN Small, Big, Mega, and Giga builds (see K2.6 Build Features). Since I have never used a router with USB storage, I can’t be sure, but I think OpenVPN can be installed using ipkg as well.

For this post I am going to assume you’re an OS X user, but Windows procedures shouldn’t be too different.

1. Generating certificates and keys

  1. Get Easy-RSA. You can either clone the git repository or download the package as a zip. Navigate to the folder where you downloaded or cloned Easy-RSA and change into the directory easy-rsa/2.0.
  2. Edit the file vars. I’m showing only the variables that you might want to change. Take note of the KEY_SIZE variable. If you’re paranoid like me, leave it at 2048. Generating the DH parameters takes longer with a larger key size, but not that long.
    # Increase this to 2048 if you
    # are paranoid.  This will slow
    # down TLS negotiation performance
    # as well as the one-time DH parms
    # generation process.
    export KEY_SIZE=2048
     
    # In how many days should the root CA key expire?
    export CA_EXPIRE=3650
     
    # In how many days should certificates expire?
    export KEY_EXPIRE=3650
     
    # These are the default values for fields
    # which will be placed in the certificate.
    # Don't leave any of these fields blank.
    export KEY_COUNTRY="MY"
    export KEY_PROVINCE="SELANGOR"
    export KEY_CITY="Puchong"
    export KEY_ORG="AdyRomantika"
    export KEY_EMAIL="[email protected]"
    export KEY_OU="RomantikaName"
     
    # X509 Subject Field
    export KEY_NAME="MYKEY1"
  3. Import the variables into the current shell:
    $ source vars
  4. Clean existing keys, if any (WARNING: this deletes all existing certificates and keys):
    $ ./clean-all
  5. Generate the certificate authority (CA) certificate and key, which will sign the server and client certificates. The script will still ask for the parameters you entered in vars, so just press ENTER if you’re satisfied with them.
    • This will produce 2 files: ca.key and ca.crt
    $ ./build-ca
  6. Generate Diffie Hellman parameters
    • This will produce the file: dh{n}.pem where {n} is the key size specified in the vars file.
    $ ./build-dh
  7. Generate the key and certificate for the server.
    • When asked for a password, just press ENTER; otherwise you will be prompted for the key password each time the service is brought up.
    • When asked whether to sign the certificate, say Yes.
    • This will produce 3 files: server.crt, server.csr, server.key
    $ ./build-key-server server1
  8. Generate a key and certificate for each client. This step can be repeated in the future for more clients as needed.
    • When asked for a password, you can enter one so that the key password is requested whenever the client connects to the service. I recommend this to make it more secure.
    • When asked whether to sign the certificate, say Yes.
    • This will produce 3 files: client1.crt, client1.csr, client1.key
    $ ./build-key client1
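The Easy-RSA scripts above are thin wrappers around openssl. As an added example (not code from the original post or from Easy-RSA), the following POSIX shell script reproduces the CA, server and client steps with plain openssl and then checks each certificate the way you should before copying it to the router: it must chain to ca.crt for the right purpose, carry the KEY_SIZE chosen in vars, and not be expired. The function names and the placeholder subject values are mine; it assumes openssl is installed.

```shell
#!/bin/sh
# Added example: what build-ca / build-key-server / build-key do, with plain openssl,
# followed by the checks worth running before the files go on the router.
# Assumes openssl is installed. Subject values mirror the vars file (placeholders).
set -eu
SUBJ_BASE="/C=MY/ST=SELANGOR/L=Puchong/O=AdyRomantika/OU=RomantikaName"
KEY_SIZE=2048      # same as KEY_SIZE in vars
DAYS=3650          # same as CA_EXPIRE / KEY_EXPIRE in vars

# gen_ca DIR: self-signed CA (ca.key, ca.crt), the equivalent of ./build-ca
gen_ca() {
  openssl req -x509 -newkey "rsa:$KEY_SIZE" -nodes -days "$DAYS" \
    -keyout "$1/ca.key" -out "$1/ca.crt" -subj "$SUBJ_BASE/CN=AdyRomantika CA" 2>/dev/null
}

# gen_cert DIR NAME KIND: key + CSR + CA-signed cert (NAME.key, NAME.csr, NAME.crt).
# KIND=server mirrors build-key-server (serverAuth), KIND=client mirrors build-key.
# -nodes leaves the key unencrypted; for a client key you want protected by a
# password, replace it with -aes256.
gen_cert() {
  dir=$1; name=$2; kind=$3
  case $kind in
    server) eku=serverAuth ;;
    client) eku=clientAuth ;;
    *) echo "kind must be server or client" >&2; return 1 ;;
  esac
  openssl req -new -newkey "rsa:$KEY_SIZE" -nodes -keyout "$dir/$name.key" \
    -out "$dir/$name.csr" -subj "$SUBJ_BASE/CN=$name" 2>/dev/null
  printf 'extendedKeyUsage=%s\nkeyUsage=digitalSignature,keyEncipherment\n' "$eku" \
    > "$dir/$name.ext"
  openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days "$DAYS" -extfile "$dir/$name.ext" -out "$dir/$name.crt" 2>/dev/null
}

# check_cert DIR NAME KIND: non-zero if the cert does not chain to ca.crt for the
# given purpose, was not issued with a KEY_SIZE-bit RSA key, or has already expired.
# A client cert checked as KIND=server fails, which is the point of the EKU.
check_cert() {
  dir=$1; name=$2; kind=$3
  case $kind in server) purpose=sslserver ;; client) purpose=sslclient ;; *) return 1 ;; esac
  openssl verify -purpose "$purpose" -CAfile "$dir/ca.crt" "$dir/$name.crt" >/dev/null 2>&1 || return 1
  bits=$(openssl x509 -in "$dir/$name.crt" -noout -text \
    | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
  [ "$bits" = "$KEY_SIZE" ] || return 1
  openssl x509 -in "$dir/$name.crt" -noout -checkend 0 >/dev/null 2>&1
}
```

Source the script and call gen_ca, gen_cert and check_cert on the directory that will hold the files; the same check_cert calls also work on the server1 and client1 certificates produced by the Easy-RSA scripts.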
