Knowledgebase: OpenVPN Setup
How to Setup with a DD-WRT router?
Posted by Max Biggavelli on 10 November 2014 17:10

We have two different versions of tutorials, one being a video and other being a text version, both made from our member, therefore it is important to say we can not give much ticket support in relation to the DD-WRT setup, anything related to the setup is a client task and we can not help with (much) it.

Video version: here

Text version: 

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>><<<<<<<<<<<<<<<<<<<<<<<<<<<<<

Note: this was tested on build 27413 with a netgear 6300v2.

As the VPN speed depends on how much work the router has to do, think about putting 5GhZ Wifi one core 2. As an alternative disable it, as i did.

O/C, the 6300V2 is still able to be overclocked via webui to 1200 Mhz. At the end you are able to get DL speeds between 35-40 mbit (6300V2). It depends as well on the machine you are using.

I use the router,because of the performance advantages vs other routers.
I tested a TP Link1043nd before, but this gives me only 5-6Mbits on an 11Mbit DSL connection. 
For best DD-WRT Routers have a look at: http://rooftopbazaar.com/routerfirmware It should still work fine with any build that has OpenVPN compatibility, however.

I use my DD-WRT netgear Router behind a fritzbox (router) via lan to lan connection. My wan is disabled / used as switch.
If you want to use you're wan port to connect your DD-WRT to your modem/router, you have to use another ip settings on the DD-WRT, in my case via lan 2 lan it is necessary to use the same ip range.

I want to mention, that this is only ONE possible way of many ways to get nVPN working!

Router 1: Fritzbox 7170 for ISP connection, used in Router mode
LAN IP: 192.168.178.1
DNS: use secure DNS servers here
DHCP off
exposed host / DMZ 192.168.178.8

Router 2 (VPN Router): Netgear 6300V2 build DD-WRT v24-sp2 (09/13/14) kongac SVN revision 27413, 
LAN port: connected to Router 1
LAN IP 192.168.178.8
Gateway and DNS 192.168.178.1
DHCP ON (100-120)
Firewall open Port 12345 an Client 192.168.178.98

Client: Win7 client per LAN connected to Router 2
Gateway 192.168.178.8
IP 192.168.178.98
Running a torrent client on port 12345

All Clients with Gateway 192.168.178.8 using VPN, all clients (static IP) with Gateway 192.168.178.1 are running with ISP IP.

On the nVpn Homepage go to your account to „port forwarding“ and open Port 12345

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>><<<<<<<<<<<<<<<<<<<<<<<<<<<<<


So here we are to get the OPENVPN started! I used the „old“ nVpn forum tutorial, but it was necessary to change some things to get it started.

1) Log in to your DD-WRT control panel at 192.168.1.1 (unless you changed your DHCP settings - if so, you know where to go) in my case i use 192.168.178.8

2) Make sure OpenVPN is disabled, if it isn't already: Go to services tab, then the VPN sub-tab. All options should be disabled here.

3) Go to the Administration tab at the top, then to the commands sub-tab.

4) Into the box, copy & paste the following:

mkdir /tmp/nvpn
echo "the nVPN certificate - see below on how to obtain (do NOT paste just this!)" > /tmp/nvpn/nvpn.crt
echo "#!/bin/sh
iptables -A POSTROUTING -t nat -o tun0 -j MASQUERADE"> /tmp/nvpn/route-up.sh
chmod +x /tmp/nvpn/route-up.sh
echo "#!/bin/sh
iptables -D POSTROUTING -t nat -o tun0 -j MASQUERADE"> /tmp/nvpn/route-down.sh
chmod +x /tmp/nvpn/route-down.sh
echo "YourUsernameGoesHere
YourPasswordGoesHere" > /tmp/nvpn/auth.txt
chmod 600 /tmp/nvpn/auth.txt
echo "client
dev tun
auth-user-pass /tmp/nvpn/auth.txt
proto your protocol ("udp" if on 1194 and "tcp" if on 443 (you find in your account settings)
remote your hostname your port (so for example uXXXXXX.nvpn.so 1194)
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
auth SHA512 (it depends on your config file, have a look there)
cipher AES-256-CBC (it depends on your config file, have a look there)
verb 3
reneg-sec 0
tun-mtu 1500
script-security 3
fragment 1400 (it depends on your config file, have a look there - if on tcp/443 then remove this)
massfix (it depends on your config file, have a look there - if on tcp/443 then remove this)
ca /tmp/nvpn/nvpn.crt" > /tmp/nvpn/nvpn.conf
sleep 60
openvpn --cd /tmp/nvpn --config nvpn.conf --route-up /tmp/nvpn/route-up.sh --down /tmp/nvpn/route-down.sh --daemon
 

5) Replace your certificate, your username, your password, your protocol, your hostname and your port with your relevant information. Make sure the username and password are on separate lines!

5.1) You can also compare the config at the 'echo "client ' part with the one located in your config folder at C:\Program Files\OpenVPN\config (C:\Program Files (x86)\OpenVPN\config on 64 bit systems) to be sure it's correct.
To get the nVPN certificate, open up the "nVPN.crt" file (it's in the same directory as the config listed above) in notepad and copy the content. Make sure there are line breaks in the cert and that it includes the ----BEGIN---- and ----END---- tags.

6) After you have replaced the information with your own, click the "Save Startup" button.

7) Copy and paste the following into the commands box:

iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
iptables -I INPUT -i tun0 -j REJECT
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

8) Click the "Save Firewall" button.

9) Copy and paste the following into the commands box:

killall openvpn
openvpn --cd /tmp/nvpn --config nvpn.conf --route-up /tmp/nvpn/route-up.sh --down /tmp/nvpn/route-down.sh --daemon

10) Click the "Save Custom Script" button.

11) Finally, copy and paste the following into the commands box: 

sh /tmp/custom.sh

12) Click the "Run Commands" button.

13) Check your IP changed at http://check.nvpn.net

Additional two important informations:

1) If you want to be secured against potential IP leaks, you have to make sure that your whole traffic is only routed via the VPN tunnel. Means, if the VPN connection drops, your connection should drop at the same second too!
To get this working, i use the part below in the firewall settings to prevent being unsecured:

iptables -I FORWARD ! -o tun0 -s 192.168.178.0/24 -j DROP

All traffic in my network range is forced to use tun0 (pls be sure to use tun0), otherwise (without VPN tun0) traffic drops. You can test it by killing the VPN daemon via the console.

2) If you are running torrent (or other appliations..) the client should be connectable, you have to put it in the iptables and the DD-WRT web in (NAT settings) too … :
a) Bind the incoming port 12345 to port 12345 (or other ports of your choice) via port forwarding.
b) 

iptables -t nat -I PREROUTING -i tun0 -p tcp --dport 12345 -j DNAT --to-destination 192.168.178.98
iptables -t nat -I PREROUTING -i tun0 -p udp --dport 12345 -j DNAT --to-destination 192.168.178.98 

If your VPN daemon is running (pls think of the 60 seconds sleep command) and your connection is not secure at all:

killall openvpn 

Get some output from OpenVPN by either using the run commands button, or by SSHing into your router and manually running the following:

openvpn --cd /tmp/nvpn --config nvpn.conf --route-up /tmp/nvpn/route-up.sh --down /tmp/nvpn/route-down.sh --verb 3

This shows the openvpn log, allowing easier debugging to trace where the problem is!

Thanks to our member netguru for the text tutorial!

(14 vote(s))
Helpful
Not helpful