安装Setting Up DD-WRT OpenVPN Server and Certificate Creation

This is part five of a series of creating your own self-signed PKI and some ways to utilize the PKI to setup SSL for your web server or create your own OpenVPN server.

Disclaimer: I am not a security expert. This is just demonstrating an easy way to get OpenVPN up and running to allow access to a remote network from anywhere in the world.

For increased security, use a non-standard TCP or UDP port for your OpenVPN server, making sure to update the client "remote" line with the matching port number.

In this tutorial I am running DD-WRT in a VirtualBox VM. Learn how at https://youtu.be/BRLukj4dZxk

Prerequisites

• A XCA PKI database https://youtu.be/ezzj3x207lQ

Create Required Certificates

1. Launch XCA
2. Open the PKI database if it is not already (File > Open DataBase), enter password
3. Click on the Certificates tab, right click on your Intermediate CA certificate
4. Select New
5. On the Source tab, make sure Use this Certificate for signing is selected
6. Verify your Intermediate CA certificate is selected from the drop down
7. Click the Subject tab
8. Complete the Distinguished Name section

   internalName: OpenVPN Server
   countryName: US
   stateOrProvinceName: Virginia
   localityName: Northern
   organizationName: i12bretro
   organizationUnitName: i12bretro Certificate Authority
   commonName: vpn.i12bretro.local

9. Click the Generate a New Key button
10. Enter a name and set the key size to at least 2048
11. Click Create
12. Click on the Extensions tab
13. Set the Type dropdown to End Endity
14. Check the box next to Subject Key Identifier
15. Update the validity dates to fit your needs
16. Click the Key Usage tab
17. Under Key Usage select Digital Signature and Key Encipherment
18. Under Extended Key Usage select TLS Web Server Authentication
19. Click the Netscape tab
20. Deselect all options and clear the Netscape Comment field
21. Click OK to create the certificate
22. Click on the Certificates tab, right click on your Intermediate CA certificate again
23. Select New
24. On the Source tab, make sure Use this Certificate for signing is selected
25. Verify your Intermediate CA certificate is selected from the drop down
26. Click the Subject tab
27. Complete the Distinguished Name section

    internalName: OpenVPN Client #1
    countryName: US
    stateOrProvinceName: Virginia
    localityName: Northern
    organizationName: i12bretro
    organizationUnitName: i12bretro Certificate Authority
    commonName: VPN Client 1

28. Click the Generate a New Key button
29. Enter a name and set the key size to at least 2048
30. Click Create
31. Click on the Extensions tab
32. Set the Type dropdown to End Endity
33. Check the box next to Subject Key Identifier
34. Update the validity dates to fit your needs
35. Click the Key Usage tab
36. Under Key Usage select Digital Signature, Key Agreement
37. Under Extended Key Usage select TLS Web Client Authentication
38. Click the Netscape tab
39. Deselect all options and clear the Netscape Comment field
40. Click OK to create the certificate
41. On the Certificates tab, click the OpenVPN Server certificate
42. Select Extra > Generate DH Parameter
43. Type 2048 for DH parameter bits
44. Click OK
45. Select a location for dh2048.pem and click Save

Exporting Required Files for OpenVPN

1. In XCA, click on the Certificates tab
2. Right click the Intermediate CA certificate > Export > File
3. Set the file name with a .pem extension and verify the export format is PEM chain (*.pem)
4. Click OK
5. Right click the OpenVPN Server certificate > Export > File
6. Set the file name with a .crt extension and verify the export format is PEM (*.crt)
7. Click OK
8. Right click the OpenVPN Client #1 certificate > Export > File
9. Set the file name with a .crt extension and verify the export format is PEM (*.crt)
10. Click OK
11. Click on the Private Keys tab
12. Right click the OpenVPN Server key > Export > File
13. Set the file name with a .pk8 extension and verify the export format is PKCS #8 (*.pk8)
14. Click OK
15. Right click the OpenVPN Client #1 key> Export > File
16. Set the file name with a .pk8 extension and verify the export format is PKCS #8 (*.pk8)
17. Click OK

Setting Up OpenVPN Server in DD-WRT

1. Open a web browser and navigate to your DD-WRT IP address
2. Login when prompted
3. Select the Administration tab
4. Select the Backup sub tab
5. Click Backup at the very bottom
6. Save the nvrambak file somewhere safe
7. Select the Services tab
8. Select the VPN sub tab
9. Scroll down and select enable next to OpenVPN under the OpenVPN Server/Daemon header
10. Set the OpenVPN Settings as the following:
    1. Start Type: System
    2. Config as: Server
    3. Server mode: Router (TUN)
    4. Network: 10.10.28.0
    5. Netmask: 255.255.255.0
    6. Port: 1194
    7. Tunnel Protocol: TCP
    8. Encyption Cipher: AES-256 GCM
    9. Hash Algorithm: SHA256
    10. Advanced Options: Enable
    11. TLS Cipher: TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
    12. Compression: Compress lz4-v2
    13. Redirect default Gateway: Disable
    14. Allow Client to Client: Enable
    15. Allow duplicate CN: Disable
    16. Tunnel MT setting: 1500
    17. Tunnel UDP MSS-Fix: Disable
11. Paste the contents of OpenVPN_Server.crt into the Public Server Cert field
12. Paste the contents of CA_Chain.pem into the CA Cert field
13. Paste the contents of OpenVPN_Server.pem into the Private Server Key field
14. Paste the contents of dh2048.pem into the DH PEM field
15. Paste the following into the Additional Config field:

    push "route-gateway 10.10.27.27"
    push "route 10.10.27.0 255.255.255.0"
    push "dhcp-option DNS 10.10.27.1"
    push "dhcp-option DNS 208.67.222.222"

16. Note in the above:
    route-gateway is the IP address of the internet gateway on your local network
    route is the subnet of your local network
    dhcp-option DNS sets DNS servers, in my case my domain controller and an OpenDNS server
17. Click Save at the bottom
18. Click Apply Settings
19. Click the Administration tab
20. Click the Command sub tab
21. Paste the following into the Commands field

    iptables -t nat -I PREROUTING -p udp --dport 1194 -j ACCEPT
    iptables -I INPUT -p udp --dport 1194 -j ACCEPT
    iptables -t nat -I PREROUTING -p tcp --dport 1194 -j ACCEPT
    iptables -I INPUT -p tcp --dport 1194 -j ACCEPT
    iptables -I INPUT -i tun2 -j ACCEPT
    iptables -I FORWARD -i tun2 -j ACCEPT
    iptables -I FORWARD -o tun2 -j ACCEPT
    iptables -t nat -A POSTROUTING -s 10.10.28.0/24 -o eth0 -j MASQUERADE

22. Click Save Firewall at the bottom
23. Click the Management sub tab
24. Click Reboot Router at the very bottom

Installing OpenVPN Client Software and Testing

1. Download the OpenVPN software Download
2. Run the installer with all the default values
3. Click the Start button and search OpenVPN GUI
4. Select OpenVPN GUI from the results to start the application

Creating the OpenVPN Client Profile

1. Download the OVPN template Download
2. Rename the .ovpn template something meaningful
3. Edit the .ovpn template replacing the following:

   <#replace with dynamic dns#> with a dynamic DNS or external IP address to your server
   <#replace with CA chain#> with the contents of CA_Chain.pem
   <#replace with client 1 cert #> with the contents of OpenVPN_Client #1.crt
   <#replace with client 1 key #> with the contents of OpenVPN_Client #1.pk8

4. Save your changes
5. Copy the .ovpn template to OpenVPN install directory/config
6. Right click OpenVPN GUI in the system tray > Connect