OPENVPN 用 certificate 設定分享 : DD-WRT server,DD-WRT client, Windows, Android

tomlee0101

爬了無數文章和做了無數試驗,成功研究到將DD-WRT client router, Android client, Windows client連到DD-WRT server router做破網翻墻,設定和大家分享..

PPTP非常容易設定,但在大陸用PPTP破網翻墻,非常容易被官方 block,好快無用,可能已經無用..

現在用OpenVPN (用cert), 除了可以支援 Multi-clients同時連線 ,亦不容易被反破網反翻墻,因為可以設定用其他不會被官方 block 的 Port number

Create OpenVPN certiciates and keys
http://openvpn.net/index.php/ope ... tion/howto.html#pki
1. cd to \Program Files\OpenVPN\easy-rsa
2. Run the following batch file to copy configuration files into place (this will overwrite any preexisting vars.bat and openssl.cnf files):
     init-config
3. Now edit the vars file (called vars.bat on Windows) and set the KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, and KEY_EMAIL parameters. Don't leave any of these parameters blank.
4. On Windows:
     vars
     clean-all
     build-ca
   The final command (build-ca) will build the certificate authority (CA) certificate and key by invoking the interactive openssl command.
   The only parameter which must be explicitly entered is the Common Name. In the example above, I used "OpenVPN-CA".
5. Generate certificate & key for server
   On Windows:
     build-key-server server
     As in the previous step, most parameters can be defaulted. When the Common Name is queried, enter "server". Two other queries require positive responses, "Sign the certificate? [y/n]" and "1 out of 1 certificate requests certified, commit? [y/n]".

     build-key client1
     build-key client2
     build-key client3
     Remember that for each client, make sure to type the appropriate Common Name when prompted, i.e. "client1", "client2", or "client3". Always use a unique common name for each client.
6. Generate Diffie Hellman parameters
   On Windows:
     build-dh
7. Now we will find our newly-generated keys and certificates in the keys subdirectory.
     ca.crt
     ca.key
     dh{n}.pem
     server.crt
     server.key
     client1.crt
     client1.key
     client2.crt
     client2.key
     client3.crt
     client3.key

Remark :
If you want to implement TLS  authentication, which may be helpful (not proved/tested yet) to resolve the issue "Great Firewall 升咗呢，全面封殺 OpenVPN"
http://www.telecom-cafe.com/forum/viewthread.php?tid=5150
https://forums.openvpn.net/topic11688.html
https://www.facebook.com/notes/% ... 7/10150993099683078

Click on "Start > Programs ->OpenVPN ->Utility-> Generate a static OpenVPN key"
Note: this will create a c:\Program Files\OpenVPN\config\static.key file, you will can rename it as ta.key which is to be used in the later configuration steps.

Both server(DD-WRT) and clients ( Windows/Android/DD-WRT) need to do the corresponding configuration with this ta.key file to make connection.

tomlee0101

Configure DD-WRT as OPENVPN server  ( e.g. Hong Kong Side as OpenVPN server  that you can freely surf )

Tested with DD-WRT v24-sp2 (05/17/11) vpn-small - build 17084M NEWD Eko

1. IMPORTANT : Need to synchronize the DD-WRT router's clock by proper configuration at Setup > BasicSetup > Time Settings
2. GUI > Service > VPN
3. Enable OpenVPN Daemon >
   OpenVPN = "Enable" ; Startup Type = "Wan Up"
   Config via - GUI
   Server mode - Router(Tun) or Bridge (TAP) , I used Router(Tun)
   Network - 192.168.60.0
   Netmask - 255.255.255.0
   port    - 1194 or 用其他不會被官方 block 的 Port number
   Tunnel Protocol - TCP or UDP, I used TCP
   Encryption Cipher - Blowfish CBC
   Hash Algorithm - SHA1
   Advanced Options - Enable
   Use LZO Compression - Enable
   Redirect default Gateway - Enable
   Allow Client to Client - Enable
   Allow duplicate cn - Enable
   Additional Config - push "dhcp-option DNS <Your DNS server IP>"
                             push "dhcp-option DNS 8.8.8.8"   


   CA Cert = ca.crt
   Certificate Revoke List = blank
   Public Server Cert = server.crt
   Private Server Key = server.key
   DH PEM = dh1024/2048.pem
  
4. GUI > Administration > Commands

   iptables -I INPUT -p tcp --dport 1194 -j ACCEPT
   iptables -I INPUT -p udp --dport 1194 -j ACCEPT

   iptables -I FORWARD 1 --source 192.168.60.0/24 -j ACCEPT

   # These next two lines may or may not be necessary.
   # Thus, we include them so that this works for more people:
   iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
   iptables -I FORWARD -i tun0 -o br0 -j ACCEPT

   >>Save Firewall

Attention : 1194 is Port number, must match with OPENVPN server config


5. Reboot router and see status at Status > OpenVPN
   If VPN server is up properly, GUI>Status > OpenVPN, State will show message "Server: CONNECTED: Local Address:Remote Address 192.168.60.1".


Remark :
1) If your server's IP from ISP is dynamic, you can use DDNS to resolve. See other articles for DDNS setup in DD-WRT.
2) dd-wrt.v24-18946_NEWD_openvpn__jffs_small.bin (07-Apr-2012) tested to be fail in OpenVPN. Even after successful connection with OpenVPN server, the client's request could not be routed to WAN/internet.
3) dd-wrt.v24-17990_NEWD_openvpn_jffs_small.bin (08-Dec-2011) tested to be fail in OpenVPN. Even after successful connection with OpenVPN server, the client's request could not be routed to WAN/internet.
4) Therefore, dd-wrt.v24-17084_NEWD_openvpn_jffs_small.bin (17-May-2011) is the most-updated firmware that tested to be fully working in OpenVPN and general AP/Router functions for me .
5) Remark 2), 3) and 4) were tested/verified again on 27-28/Nov 2012 on the same router.
6) If TLS authentication is to be implemented, populate the content of ta.key(generated in step #1 remark) to the field "TLS Auth Key "
Begin from "-----BEGIN OpenVPN Static key V1-----" to "-----END OpenVPN Static key V1-----" inclusive.

tomlee0101

Configure DD-WRT as OPENVPN client ( e.g. China side router as openvpn client where you need to 破網翻墻 )

成功 Tested with DD-WRT OPENVPN client with firmware DD-WRT v24-sp2 (05/17/11) vpn-small - build 17084M NEWD Eko connection with DD-WRT  OPENVPN server with firmware DD-WRT v24-sp2 (05/17/11) vpn-small - build 17084M NEWD Eko

This is OpenVPN site-to-site connection, router-to-router connection.

IMPORTANT :

- Need to synchronize the DD-WRT OpenVPN client router's clock to the same time zone of OpenVPN server by proper configuration at Setup > BasicSetup > Time Settings

- Need to use different subnets for DD-WRT client router and DD-WRT server router
e.g. If DD-WRT server router uses 192.168.10.x,  then DD-WRT client router can use 192.168.20.x

1. Services > VPN
   Start OpenVPN Client - Enable
   Server IP/Name                         - <OpenVPN server URL name or IP address>
   Port                                   - OpenVPN connection port number, default 1194, must match with OpenVPN server config, or 用其他不會被官方 block 的 Port number
   Tunnel Protocol                        - UDP or TCP, I used TCP, must match with OpenVPN server config
   Tunnel Device                          - TUN or TAP, I used TUN, must match with OpenVPN server config
   Encryption Cipher                      - Blowfish CBC, must match with OpenVPN server config
   Hash Algorithm                         - SHA1, must match with  OpenVPN server config
   nsCerttype verification                - Checked, must match with  OpenVPN server config
   Advanced Options                       - Enable
   Use LZO Compression                    - Enable
   Enable NAT                             - Enable
   Local IP Address                       - Leave blank
   TUN MTU Setting                        - Leave blank
   MSS-Fix/Fragment across the tunnel     - Leave blank
   TLS Cipher                             - OFF
   TLS Auth Key                           - Leave blank
   CA Cert                                - ca.crt
   Public Client Cert                     - client1.crt
   Public Client Key                      - client1.key

If TLS authentication is implemented on DD-WRT OpenVPN server, populate the content of ta.key(generated in step #1 remark) to the field "TLS Auth Key ".
Begin from "-----BEGIN OpenVPN Static key V1-----" to "-----END OpenVPN Static key V1-----" inclusive.

2. Setup > Basic Setup
   Network Setup > Local DNS     8.8.8.8                                       <= Optional, use 8.8.8.8 in case the connected client cannot retrieve properly DNS, otherwise, use default value 0.0.0.0
   Network Address Server Setting(DHCP) > Use DNSMasq for DNS    uncheck box       <= Important, for proper DNS lookup

3. Make sure clock is properly synchronized
   either by proper configuration at Setup > BasicSetup > Time Settings
   or set the time manually at Administration > Commands
        date MMDDHHMMYYYY

3. Reboot DD-WRT OpenVPN client router and test
   - Make sure clock is properly synchronized
   - At Status > OpenVPN, it should show DD-WRT openVPN client router's connection virtual IP address, e.g. 192.168.60.2
   - Use a PC to connect to DD-WRT openVPN client router, the PC should be able to ping the DD-WRT OpenVPN server's virtual IP address, e.g. 192.168.60.1

After the DD-WRT OpenVPN client router (China side) has successfully called/connected to the DD-WRT OpenVPN server router (Hong Kong side),  for any PC, Android, i-phone (China side) connected to DD-WRT openVPN client router (China side) via LAN port or WIFI afterwards, the traffic will be routed to DD-WRT OpenVPN server router (Hong Kong side) as gateway to access the internet. The PC, Android, i-phone (China side) does NOT need to install any software or do any special configuration. The DD-WRT OpenVPN client router (China side) will handle the 破網翻墻 job for the PC, Android, i-phone (China side) connected.

tomlee0101

Configure Windows OPENVPN client configuration (e.g. China side PC as openvpn client where you need to 破網翻墻)

成功 Tested with Windows OPENVPN client connection with DD-WRT OpenVPN server with firmware DD-WRT v24-sp2 (05/17/11) vpn-small - build 17084M NEWD Eko

IMPORTANT : Need to synchronize the Windows workstation to the same time zone of  OpenVPN server

1) Edit  c:\program files\OpenVPN\config\client.ovpn

         remote <OpenVPN server IP> 1194  ( or 用其他不會被官方 block 的 Port number, must match with OPENVPN server config)
         client
         dev tun0
         proto tcp-client                              
         resolv-retry infinite
         nobind
         persist-key
         persist-tun
         ca ca.crt
         cert client1.crt
         key client1.key
         ns-cert-type server
         comp-lzo

2) Copy ca.crt, client1.crt and client1.key to c:\program files\OpenVPN\config\

If TLS authentication is implemented on DD-WRT OpenVPN server, copy the file ta.key(generated in step #1 remark) to the  c:\program files\OpenVPN\config\ and add the statement

tls-auth   ta.key   1

to the file c:\program files\OpenVPN\config\client.ovpn

tomlee0101

Configure Android client ( e.g. China side Android client where you need to 破網翻墻 )

成功Tested with CM 7.2 內置openvpn client connection with DD-WRT OPENVPN server with firmware DD-WRT v24-sp2 (05/17/11) vpn-small - build 17084M NEWD Eko

IMPORTANT : Need to synchronize the Android's clock to the same time zone of the OpenVPN server.

1) you have to merge three files into a .p12 file for certification.
Use a terminal on Linux or command window on Windows to merge these files. Just type "openssl pkcs12 -export -in client1.crt -inkey client1.key -certfile ca.crt -out client1.p12"

2) copy the file client1.p12 to sdcard in your phone, put client1.p12 in root folder

3) install certification on Android. Settings>>Location&security>>Install from SD card
Select client1.p12 and it will prompt for name (e.g. give it VPNDDWRT)

4) setup your Openvpn. Settings>>Wireless&networks>>VPN settings>>Add VPN>>Add OpenVPN VPN

5) VPN name: as you wish
Set VPN server : IP of your OpenVPN server, without port.
User authentication: No
Set CA certificate: your ca installed in step3. (i.e. VPNDDWRT)
Set user certificate: your ca installed in step3. (i.e. VPNDDWRT)
DNS search domains: For me, leave it blank. For some situation you can use 8.8.8.8, google's free server.

Then tap "menu" and go to "Advanced".
Server port: this is the port you specified in your openvpn server, must match with server setup or 用其他不會被官方 block 的 Port number
Protocol to use: tcp or udp, I used tcp, this is the protocol you set in your openvpn server, must match with server setup
Device to use: tun or tap, I used tun, must match with server setup
LZO compression: Yes, must match with server setup
Redirect gateway: Yes
Remote Sets Addresses: Yes
Cipher algorithm:default
Size of cipher key:default

If TLS authentication is implemented on DD-WRT OpenVPN server, copy the file ta.key ( generated in step #1 remark) to root directory of SD card  and do the corresponding configuration
TLS-Auth: <- Check this box
TA key file location: /mnt/sdcard/ta.key
Tls-Auth key direction:1(Client default)

lcs9000

請問可否於大陸的一邊 router 後加一隻 dd-wrt router 行 site to site openvpn 呢？

lttliang

請問可否於大陸的一邊 router 後加一隻 dd-wrt router 行 site to site openvpn 呢？
lcs9000 發表於 2012-12-27 14:54

    完全可行，我就是这样，不过我用的是tomato

lcs9000

是否如上設定後把 dd-wrt router 接到大陸的 router 後就已經可以？

角色

回復 1# tomlee0101

谢谢CHing的无私地奉献！其实我以前用DD-WRT都只能回用static key，而CHing你能把DD-WRT的OpenVPN发挥的淋漓尽致！

tomlee0101

回復  tomlee0101

谢谢CHing的无私地奉献！其实我以前用DD-WRT都只能回用static key，而CHing你能把DD-WR ...
角色 發表於 2012-12-27 19:22

Hope my sharing can really help those working in China..

I do not have Iphone. Hope someone can share the experience/skill of using OpenVPN client on Iphone later as well.

tomlee0101

回復 8# lcs9000

大陸的一邊 router 後加一隻 dd-wrt router, remember the router and 後加的一隻 DD-WRT router should use different LAN segments.

e.g. if router uses LAN segment 192.168.1.x then 後加的一隻 DD-WRT router cannot use LAN segment 192.168.1.x. The 後加的一隻 DD-WRT router should use LAN segment e.g. 192.168.2.x.

亞星

回復 5# tomlee0101
師兄, 如果在無 root 機情況下應該如何設定 OPENVPN for android 呢?

tomlee0101

回復 12# 亞星

Factory Android does not provide built-in OpenVPN client and therefore you need to install third-party OpenVPN client.

If you do not root the phone, many such third-party OpenVPN client cannot work or even cannot be installed.

It appears to me that many users reported functionality and stability problem for these third-party client and therefore I did not even care to try it out at all.

lcs9000

回復 2# tomlee0101
師兄你個 DD-WRT v24-sp2 (05/17/11) vpn-small - build 17084M NEWD Eko 0向邊度 download? TPLink 1043nd 用唔用到?

tomlee0101

回復 14# lcs9000

Follows :
www.dd-wrt.com
>Router database
>Other downloads
>Others
>eko
>V24_TNG
>svn17084

Select the firmware file with 'openvpn' as a part of filename and fits with your router's hardware

All my dd-wrt routers are broadcom chipset based and therefore can safely use the appropriate EKO versions.

TP-link 1043nd uses AR9132 chipset and I am also asking/finding if EKO versions can be used on non-broadcom chipset based router.