Configuring OpenVPN server on RTN66U

The router firmware Tomato, see previous post RT-N66u with Tomato by Shibby firmware, can act as an OpenVPN server.

Using open Wi-Fi access points can be very useful and necessary, but it is inherently insecure. Using the router as an OpenVPN server can increase your privacy and security when you are on the go. By creating an encrypted VPN connection back home to the router, you don't only get protection from nosy eavesdroppers but you get access to all your equipment behind the router at home as well.

For OpenVPN to work we need to create our own CA for signing both server, the router, and optionally client certificates. This notes will only show how to create a server certificate and configure the router with user name and password authentication.

Preparations, create CA

Install necessary software. Although haveged, is not required, see Better entropy with haveged.

sudo apt-get install easy-rsa haveged

Create a work directory for OpenVPN. Take care to protect this directory and the files under it.

make-cadir «yourdomain»

Enter your CA directory.

cd «yourdomain»

Edit the vars file and change the following variables to something more sensible for you.

export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Funston-Fort"
export KEY_EMAIL="me@myhost.mydomain"

Source the variables into current bash session.

source ./vars

Do a initial clean.

./clean-all 

Create your CA public and private key.

./build-ca

Generate your Diffie–Hellman parameters.

./build-dh

Create your routers public and private key.

./build-key-server «yourrouter»

Listing of folder keys should look something like this now.

ca.crt  dh2048.pem  serial            «yourrouter».csr
ca.key  index.txt   «yourrouter».crt  «yourrouter».key

Now we are ready for configureing the OpenVPN server in the router running Tomato by Shibby.

Configuring OpenVPN in Tomato

  1. Log into the rouers admin interface.
  2. Go to the menu VPN Tunneling → OpenVPN Server.
  3. Select Server 1.
  4. Leave the Basic tab with the defaults.
  5. In the Advanced tab.
    1. Check Allow User/Pass Auth
    2. Check Allow Only User/Pass(Without cert)
    3. Create users and set corresponding passwords.
  6. Go to the Key tab.
    1. Paste content of ca.crt into Certificate Authority.
    2. Paste content of «yourrouter».crt into Server Certificate.
    3. Paste content of «yourrouter».key into Server Key.
    4. Paste content of dh2048.pem into Diffie Hellman parameters-
  7. Scroll to bottom of page and Save.
  8. Press Start Now.

That's it. Change listening port under Basic as needed. If you use port 80 or 443 and protocol TCP you will be able to connect through the most restrictive open access points. Be aware that some home ISPs tend to block common port as 80.

Clients

Network Manager

Now you can configure OpenVPN on your computer. Remember to install the correct plugin, network-manager-openvpn.

sudo apt-get install network-manager-openvpn

Android

Easy to use OpenVPN client for Android is OpenVPN for Android.

Comments