Whatever you do DON'T add a password to your certificates. I have retried this tutorial multiple times with and without passwords and every time I add a password it spits out "TLS key negotiation failed" in OpenVPN. It's not worth it to have a password on them. You just have to take extra good care of your certificates and don't share them or expose them to anyone.
Thanks for this, I'm going to pin this comment :)
But I want to add username and password because winbox will not allow you to do so. I came from OpenWrt but I can't figure out how to set up openvpn with username, so I am seeking another way, DD-WRT maybe.
@@DevbaseMedia how to do it by the way? Thanks!
@@rexsovelllejes9383 What you are talking about is a completely different thing. You can't put a username on certificates, you can only put passwords on them as far as I know. The whole point of certificates is that the certificate IS your "username". If you wanna authenticate using usernames and passwords there wouldn't really be any reason to use certificates... well, except maybe a server certificate.
@@iTzStick I didn't mean to put username on certificate. I just wanted to use auth-user-pass so that I can use username and password to client side.
The best video ever. Forget all other 'tutorials'. I now have OpenVPN working like a charm. Thank you.
This is such a well done guide, easy to follow, worked on first try, well explained. I have been trying to configure it with no luck for so long it feels like cheating using your instructions. Thank you!
Man, I've been looking for this almost since 4 years, but nowhere was as detailed as here. Awesome, and it works! I love it! Finally!
Glad I could help!
THANK YOU! That Firewall code was the last piece of the puzzle I needed! I had an OpenVPN setup on a basic Netgear firmware, but upgraded to DD-WRT since it supported more DDNS capabilities, but I got hung up on trying to configure this thing.
Awesome tutorial bud. Was a breeze to setup my openvpn server. The only issue I had was that I am behind my service provider's router and they would not give me access to it, but they did put my personal dd-wrt router in a DMZ. Later on I found out through nmap that all UDP ports are blocked on my internet service so I had to switch to the TCP protocol instead which then worked like a charm.
Clear, concise and works! I'm using it on an Ubuntu server, so the router part didn't apply, but you made sense out of my setup. I created a PowerShell script to add clients, after. Great tutorial!
Fantastic tutorial, straightforward with very good narration. As it goes for DH parameters and ciphers.. ARMv8 based devices have the AES-NI instructions within the CPU, so one can make use of the -GCM ciphers, for the ARMv7 based devices, CHACHA-POLY1305 brings some optimizations which can go hand in hand with the elliptic curve cryptography.
Then you do not need to generate Diffie-Hellman at all, and leave it empty within the gui, but add following entries within the custom config:
dh none
ecdh-curve secp384r1
It seems to apply starting OpenVPN 2.4 and it should bring the TLS 1.3 along with more throughput over your tunnel, and optimizations towards the mobile devices.
cheers!
I've been trying to get my non-compatible router to connect to the internet for months and finally a video that helped, thank you so much
This tutorial is FANTASTIC!
What a great video! Easy to follow, concise and superb narration.
Thank you kindly!
Great tutorial. Thank you. Newer builds have "Allow Clients WAN access (internet)" option which might allow you to skip the firewall config iptables command.
Thanks for this clear and concise tutorial!
Even over a year later this guide has made this process incredibly easy! ONE QUESTION: How would I go about allowing traffic between my OpenVPN clients and LAN? I'm trying to access one of my local servers, but can't.
Ivz actually answered this in another comment. Thank you very much!! "In dd wrt change the server mode to bridge (tap)"
Hi, this is a great tutorial. I have followed it exactly, and I have successfully connected the OpenVPN server running on my DD-WRT router. But I cannot ping or access anything on the 192.168.1.x network or 10.8.0.x either. Am I missing something? I'm seeing error code 122 in OpenVPN GUI logs.
Great tutorial. Got me up and running. Many thanks!
Odd... my DDWRT router just reset itself back to factory settings after I applied that firewall rule... not fun...
nice tutorial and it works great for windows... but how do you add the ovpn config files to a mac and android.... is there a way to include the cert and key in the ovpn file ?
Yes you can use inline directives. If you copy the .ovpn file template from the description just delete the last 3 lines:
"ca ca.crt
cert laptop-client1.crt
key laptop-client1.key"
Instead of those three lines you can do this:
COPY CA TEXT IN HERE
COPY CERT TEXT IN HERE
COPY KEY TEXT IN HERE
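The inline layout this reply describes, as an added example that is not part of the original comments or the video's template: OpenVPN reads each pasted file from between `<ca>`, `<cert>` and `<key>` tags inside the profile. The function names are hypothetical; the file names are the ones quoted above.

```shell
#!/bin/sh
# Added example: build a single-file OpenVPN client profile with the CA,
# client certificate and private key inlined. Names here are hypothetical.

# Print only the PEM block(s) of a file. Easy-RSA .crt files carry a
# human-readable dump before "-----BEGIN CERTIFICATE-----" that is not needed.
pem_only() {
    sed -n '/^-----BEGIN /,/^-----END /p' "$1"
}

# make_inline_ovpn TEMPLATE CA CERT KEY OUT
make_inline_ovpn() {
    template=$1 ca=$2 cert=$3 key=$4 out=$5

    for f in "$template" "$ca" "$cert" "$key"; do
        [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
    done
    # Catch swapped arguments: the key file must really hold a private key.
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$key" ||
        { echo "$key holds no private key" >&2; return 1; }

    (
        # The profile embeds the private key: create it owner-readable only.
        umask 077
        rm -f "$out"
        {
            # Drop the file-based ca/cert/key directives from the template;
            # options such as key-direction or tls-auth are left untouched.
            grep -Ev '^[[:space:]]*(ca|cert|key)[[:space:]]' "$template" || true
            printf '<ca>\n';   pem_only "$ca";   printf '</ca>\n'
            printf '<cert>\n'; pem_only "$cert"; printf '</cert>\n'
            printf '<key>\n';  pem_only "$key";  printf '</key>\n'
        } > "$out"
    )
}

# Stand-alone use:
#   sh make_inline.sh client.ovpn ca.crt laptop-client1.crt laptop-client1.key phone.ovpn
if [ "$#" -eq 5 ]; then
    make_inline_ovpn "$@"
fi
```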
Awesome stuff. Great tutorial. Thank you very much.
there's a lot of tutorials out there to create openVpn server/daemon but how would I setup a Start OpenVPN Client? I've got a VPS that hosts openVpn so I want to connect through it. Most guides I find online are not very helpful.
Can you show us how to have both a server and client service running on the router at the same time and being able to VPN into your home router while on the road, for some reason I need to turn off my router (PIA) VPN client in order for me to connect to my home server VPN.
great tutorial dude!, really thanks for that!
My dd-wrt router has the latest firmware but it doesn't have advanced options in OpenVPN server/daemon settings. Any idea what is wrong?
I would like to know if you can create on a repeater (my router is an Asus RT-AC68u) a VPN using DD-WRT that I can then add to my network, my main router is a TP-Link TL-WR840N?
Hello, great tuto, thank you, only connects over LAN, I think something wrong in my dd-wrt firewall, any idea ?
Great video!! Thank you.
Quick question: Can I setup a VPN Server on a router at my home (Canada), and connect to that VPN server using another router (VPN Client) from USA? My office laptop uses "Cisco AnyConnect" to connect to the company VPN, I want my network to "appear" like I am working from Canada!! Is it possible? ( I hate these new rules).
I second this
@@jdnoble8961 It worked, I was working from “home” (India) for 4 months 😂
Awesome Tutorial, Thanks 👌
I can't find the open vpn option on my ddwrt router, there's only PPTP Server and PPTP Client options
Excellent! Thank you!
I got this working, but I can't connect to it from outside when OpenVPN client is enabled on dd wrt router, as it connects to commercial VPN service. As soon as I disable client, boom, remote connection works from outside of home network. Any ideas how get those two together?
Thank you so much for this
Excellent tutorial!
Thank you!
Awesome, thank you
Can you demonstrate this setup via Windows instead of linux?
Hey quick question, let's say I have an asus router or this linksys router (Both with the OpenVPN capability), would I be able to connect the first to the second and vice versa, while in different countries. It may be a silly question, but I just want to be safe before I buy a second router.
Yes
Great video! We have been using VPN with DDWRT for a year now. Can you please list the steps to revoke a client .crt in EASYRSA, since an employee left the company and I don't want to regenerate the entire key authority and generate new certificates. Also please indicate how to add revoked .crt to the Certificate Revocation List in DD-WRT. These added instructions will complete your tutorial for a fully functional VPN certificate Authority for DD-WRT!
So I found the solution to revoking certificates as follows:
$ ./easyrsa revoke
$ ./easyrsa gen-crl
Type yes when prompted.
Copy the contents of the generated crl.pem file in the PKI directory (including BEGIN and END lines) to the DD_WRT->Services->VPN Certificate Revocation List and Apply Settings and Save.
Done!
I got stuck on the make-cadir step... on macos
awesome thanks man..
Great Video and I have it working on almost all my devices now so thank you.
Has anyone had any luck getting this to work on an iphone? Mine is asking me to share the cert / key files along with the config file simultaneously, however when I do that OpenVpn is not an option to share the files to. Maybe I just need to switch back to android.😄
I followed this to the T but my server refuses to start.
The newest version of openvpn on ddwrt does not have dh.pem. And it has a static key, which isn't the pem. Any ideas what to do?
It does have it. Just above the public certificate text box there is an option to enable Advanced Settings. After you enable that there is another option at the bottom of the list that says "Use ECHD Instead of DH.PEM". Disable that option and the DH PEM field will show.
Thanks for the great video!
I would appreciate if you could explain how to create an .ovpn out of the client .crt and .key for Android phone or if I could take a different path to use those 2 files in OpenVpn app on my android phone. Probably a video tutorial would be GREAT! Thanks!
I want to only access VPN LAN and not WAN, how do I set the VPN to only work with LAN traffic?
set to bridge instead of tap
Hi! Anybody used this with WRT54GL router? I used this a new router and works fine then broke down. I did it with this old router and it doesn't work
How do you put a certificate like that one to an iphone?
I found out, but I am having an error : TLS Error: TLS handshake failed
hi thanks for video ... but there is one problem why facebook not working after using openvpn -
use this in commands and save it as firewall: iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o $(get_wanface) -j MASQUERADE
Do I need to set iptables every time I reboot the router?
my router command window has a "save firewall" option
Thank you Thank you Thank you! I wish I found your tutorial 8 hours ago before I started the trainwreck of blindly trying to set this up on my router. When is Canada going to start commencing world domination? It would be a better place.
Great video thanks a lot!!! Kudos for this guy!
[Any idea?] :-P
Glad you liked it. I'm honestly not quite sure, and just now realized I likely have the same issue since I have a few hardcoded names in my router's DNS config. The first place I'd look is at my connection parameters for my wifi or ethernet (on my laptop) - possibly set your dns server to your router address (assuming DNS is running on your router). Would only work once you are connected to the VPN of course
@@DevbaseMedia No running pi-hole on a raspberry 3 and OMV with docker on RASP 4 with adguard (dhcp). So I did find a code somewhere to add to additional blabla of the VPN on DDWRT though my internet wasn't working via VPN anymore (LAN did)
I think but though not sure got a little tired after 10 hrs
"serverfault.com/questions/318563/how-to-push-my-own-dns-server-to-openvpn"
Can you advise if I want the vpn client to be able to reach devices on the lan behind the vpn server, but not use the vpn for its default internet traffic?
In dd wrt change the server mode to bridge (tap)
@@iTzStick THANK YOU!!
It’s easier on fresh tomato
this seems like such a complicated process for like no reason lol...
I hate this, this is for masochists. There should be a Download .ovpn File button like the stock firmware has.