OpenVPN Server on DD-WRT with iOS 10 Client

October 9, 2016

iOS 10 removed PPTP support. Sure, as a protocol it’s not secure and open to man-in-the-middle attacks so I get it. But I want a way to network back home.

So… if you have DD-WRT installed on your router and want VPN access to your home network then you’ve got to choose another option. DD-WRT supports OpenVPN. That can work with your iOS 10 devices with the OpenVPN Client from the App Store. I have it working on my Linksys 1900AC (Nighthawk running Firmware: DD-WRT v3.0-r29147 std (02/23/16)).

Here’s how:

Step 0: Check your free memory

Everything you enter in the Web GUI is stored permanently in NVRAM, and the certificates and keys you will paste in during Step 2 are large for a router. You need about 6000 bytes of NVRAM free, so check how much is used and how much is left before you start.

Telnet or ssh into your router and type:

nvram show | grep size

The line you want looks like "size: 28371 bytes (37165 left)"; the number in parentheses is what is still free.

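A small check for this step, added here and not part of the original post: it parses the "size:" line that nvram show prints on DD-WRT and fails unless at least the given number of bytes is free. The sample output below is constructed; the format of the real line is "size: <used> bytes (<free> left)".

```sh
#!/bin/sh
# Added example (not from the original post): check free NVRAM before pasting
# certificates into the DD-WRT OpenVPN page.

# nvram_free_bytes < output-of-nvram-show : prints the free byte count,
# or nothing if no "size:" line is present
nvram_free_bytes() {
  sed -n 's/^size: *[0-9]* bytes (\([0-9]*\) left).*/\1/p' | head -n 1
}

# nvram_check NEED < output-of-nvram-show : exit 0 if at least NEED bytes
# are free, 1 if not, 2 if the size line could not be found
nvram_check() {
  need=${1:-6000}
  free=$(nvram_free_bytes)
  [ -n "$free" ] || { echo "could not find the NVRAM size line" >&2; return 2; }
  if [ "$free" -ge "$need" ]; then
    echo "NVRAM: $free bytes free (need $need): OK"
  else
    echo "NVRAM: only $free bytes free (need $need): free some space first" >&2
    return 1
  fi
}

# Constructed sample of what nvram show prints; on the router you would run
#   nvram show 2>&1 | nvram_check 6000
# (the 2>&1 is there in case your build prints the size line on stderr).
SAMPLE='wl0_ssid=home
size: 28371 bytes (37165 left)
openvpn_enable=1'

printf '%s\n' "$SAMPLE" | nvram_check 6000
```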

Step 1: Self-sign certificates and create keys

I followed this post on the dd-wrt wiki. Read that post.

I used an Ubuntu box to create all the certificates so I'm not providing any Windows instructions for this section. To keep things simple I did not use TLS auth. (Without tls-auth, anyone who can reach UDP 1194 can start a TLS handshake with the router; with it, packets that are not HMAC-signed with the shared ta.key are dropped before the handshake begins.) This was my flow:

  1. sudo apt-get install easy-rsa
  2. make-cadir path
  3. cd path
  4. Edit the "vars" file as in the post. It's really easy: just fill in your location, organization, email, etc. KEY_SIZE in that file also decides the name of the file that build-dh writes (dh1024.pem or dh2048.pem); use whichever you end up with when you fill in the DH PEM box in Step 2.
  5. As the "root" user:
     source ./vars
     ./clean-all
     ./build-ca
     ./build-key-server server
     ./build-key client1
     ./build-dh

Use build-key-server (not plain build-key) for the server: it is what marks server.crt for TLS server use (extendedKeyUsage serverAuth), and the client config in Step 3 checks for that with "remote-cert-tls server". Both build-key scripts write unencrypted private keys, which is what the router needs since nobody is there to type a passphrase at boot.

Now you have all the key and cert files you need in <path>/keys on your Ubuntu box.

Step 2: Configure DD-WRT

This was a pain because the docs are out of date. In short you need to copy-paste:

Box                  File or text to paste
CA Cert              ca.crt
Public Server Cert   server.crt
Private Server Key   server.key
DH PEM               dh1024.pem (or dh2048.pem, whichever build-dh produced)
TLS Auth Key         leave blank
Additional Config    the block below

Additional Config:

push "route 192.168.54.0 255.255.255.0"
push "dhcp-option DNS 192.168.66.1"
server 192.168.66.0 255.255.255.0
dev tun0
proto udp4
keepalive 10 120
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
# Only use crl-verify if you are using the revoke list - otherwise leave it commented out
# crl-verify /tmp/openvpn/ca.crl
# management parameter allows DD-WRT's OpenVPN Status web page to access the server's management port
# port must be 5001 for scripts embedded in firmware to work
management localhost 5001
script-security 2
comp-lzo

Note that the push lines need straight double quotes; curly quotes pasted from a web page will not parse. Also note that this block sets no "cipher" directive, so the server runs with OpenVPN's default cipher, and the client config in Step 3 has to match that.

 

And finally, the firewall rules, so that traffic to the OpenVPN port is accepted and packets can be forwarded between the tunnel and the LAN bridge. Go to the “Administration” tab, then the “Commands” subtab, and paste:

iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT
iptables -I FORWARD 1 --source 192.168.66.0/24 -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT

Click “Save Firewall”

Step 3: Configure iPhone / iPad with iOS 10

Install the OpenVPN client from the App store.

This app needs an “.ovpn” file plus the CA certificate and the client certificate and key from Step 1. The .ovpn file is just a text file, and its directives must match the server config from Step 2 (same protocol, same device type, same cipher, compression on both sides or neither). If you run into problems, carefully think through your server and client configurations and make sure they match.

My .ovpn file which I called “home.ovpn”:

##############################################
# Sample client-side OpenVPN 2.0 config file
# for connecting to multi-client server.
#
# This configuration can be used by multiple
# clients, however each client should have
# its own cert and key files.
##############################################

# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client

# Use the same setting as you are using on the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one. On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap

# Are we connecting to a TCP or
# UDP server? Use the same setting as
# on the server.
;proto tcp
proto udp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote MYDOMAIN.ddns.net 1194

# Choose a random host from the remote
# list for load-balancing. Otherwise
# try hosts in the order specified.
;remote-random

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server. Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nobody

# Try to preserve some state across restarts.
persist-key
persist-tun

# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here. See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot
# of duplicate packets. Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings

# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
ca ca.crt
cert client1.crt
key client1.key

# Verify server certificate by checking that the
# certificate has the correct key usage set.
# This is an important precaution to protect against
# a potential attack discussed here:
# http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the keyUsage set to
# digitalSignature, keyEncipherment
# and the extendedKeyUsage to
# serverAuth
# EasyRSA can do this for you.
remote-cert-tls server

# If a tls-auth key is used on the server
# then every client must also have the key.
# tls-auth ta.key 1

# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
# Note that 2.4 client/server will automatically
# negotiate AES-256-GCM in TLS mode.
# See also the ncp-cipher option in the manpage
;cipher AES-256-CBC
cipher bf-cbc

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo

# Set log file verbosity.
verb 3

# Silence repeating messages
;mute 20

The key thing in this file was to use “cipher bf-cbc”. It works because the server config in Step 2 sets no cipher and OpenVPN defaulted to BF-CBC when no cipher directive was given (2.4 added the AES-256-GCM negotiation the comment above mentions). Blowfish is a 64-bit block cipher and long-lived tunnels using it are exposed to the SWEET32 birthday attack, so the better fix is to add “cipher AES-256-CBC” to the server's Additional Config and use the commented-out AES-256-CBC line here instead of bf-cbc. Whichever you choose, it must be the same on both ends or the tunnel will come up and then pass no traffic.

Step 4: Upload the .ovpn and key/crt files to your iOS device

Plug your iPhone/iPad into your laptop. In iTunes, click on the iPhone and then “Apps”. Scroll down to “File Sharing” and click on OpenVPN.

Add the files (the names must match the ca, cert and key lines in home.ovpn):

  • home.ovpn
  • ca.crt
  • client1.key
  • client1.crt
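The following script is an added example, not code from the original post or from the dd-wrt wiki it follows. It does the work of Step 1 with plain openssl instead of easy-rsa (same three certificates, with the server cert carrying the keyUsage and extendedKeyUsage that the client's “remote-cert-tls server” line depends on), checks that only the server cert is marked for server use, and then builds the Step 4 profile as a single .ovpn with the CA, client cert and key inlined, so only one file has to be copied to the phone (the iOS OpenVPN client accepts inline profiles). Names such as home-vpn-ca, server, client1 and MYDOMAIN.ddns.net are placeholders; the cipher defaults to AES-256-CBC on the assumption that you add the same line to the server's Additional Config, so pass bf-cbc as the fourth argument if you keep the server as shown in Step 2. It needs OpenSSL 1.1 or later.

```sh
#!/bin/sh
# Added example (not from the original post): OpenVPN PKI with openssl, an
# extension check, and a single-file client profile. All names are placeholders.
set -eu

# Minimal openssl config. The extension sections mirror what easy-rsa 2.x
# build-key-server / build-key put on server and client certificates.
write_cnf() {
  cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ client_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# issue_cert DIR NAME EXT_SECTION : key + CSR, then sign with the CA in DIR
issue_cert() {
  dir=$1 name=$2 ext=$3
  openssl req -new -newkey rsa:2048 -nodes -config "$dir/openssl.cnf" \
    -subj "/CN=$name" -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
  openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 3650 -extfile "$dir/openssl.cnf" -extensions "$ext" \
    -out "$dir/$name.crt" 2>/dev/null
}

# gen_pki DIR : CA, server and client1; keys unencrypted, as the router needs
gen_pki() {
  dir=$1
  mkdir -p "$dir" && write_cnf "$dir/openssl.cnf"
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 -config "$dir/openssl.cnf" \
    -extensions ca_ext -subj "/CN=home-vpn-ca" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  issue_cert "$dir" server server_ext
  issue_cert "$dir" client1 client_ext
}

# gen_dh DIR BITS : slow; run once and paste the output into the DH PEM box
# (the post uses 1024 bits; 2048 is the sensible minimum today)
gen_dh() { openssl dhparam -out "$1/dh$2.pem" "$2" 2>/dev/null; }

# has_server_eku CERT : 0 if the cert carries extendedKeyUsage serverAuth
has_server_eku() {
  openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Server Authentication'
}

# check_pki DIR : both leaf certs chain to the CA and only server.crt may act as
# a server. If a client cert passed has_server_eku, any client could impersonate
# the router to the others, which is the MITM that remote-cert-tls rules out.
check_pki() {
  dir=$1
  openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null &&
  openssl verify -CAfile "$dir/ca.crt" "$dir/client1.crt" >/dev/null &&
  has_server_eku "$dir/server.crt" &&
  ! has_server_eku "$dir/client1.crt"
}

# make_profile DIR HOST PORT [CIPHER] > home.ovpn : the post's client directives
# with the three PEM files inlined, so one file goes to the phone
make_profile() {
  dir=$1 cipher=${4:-AES-256-CBC}
  printf 'client\ndev tun\nproto udp\nremote %s %s\nresolv-retry infinite\nnobind\n' "$2" "$3"
  printf 'persist-key\npersist-tun\nremote-cert-tls server\ncipher %s\ncomp-lzo\nverb 3\n' "$cipher"
  for f in ca:ca.crt cert:client1.crt key:client1.key; do
    tag=${f%%:*} file=${f#*:}
    printf '<%s>\n' "$tag"; cat "$dir/$file"; printf '</%s>\n' "$tag"
  done
}

work=$(mktemp -d)
gen_pki "$work"
check_pki "$work"
make_profile "$work" MYDOMAIN.ddns.net 1194 > "$work/home.ovpn"
echo "PKI verified; profile written to $work/home.ovpn (run: gen_dh $work 2048 for the DH PEM)"
```

Paste ca.crt, server.crt, server.key and the DH file into the Step 2 boxes as before; home.ovpn is the only file the phone needs. Running check_pki again after revoking or reissuing a cert is a cheap way to confirm the server cert is still the only one the client will accept as a server.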

Step 5: Test it works

Turn off Wi-Fi so the phone is on cellular and reaches the router through its public hostname from outside (from inside your own LAN the test proves nothing), then launch OpenVPN on your iPhone. Import the new profile and tap the slider to “connect”. You should be asked about allowing OpenVPN to manage VPN connections on your phone. Tap OK and you'll connect. If the tunnel does not come up, the app's log and the DD-WRT OpenVPN status page show which side rejected the handshake; a cipher or certificate mismatch between the two configs is the first thing to check.