LJ's Blog

DD-WRT OpenVPN Configuration Script

DD-WRT A Linux based Firmware

With client software available for iOS, Android, Windows, Linux, OS X and most SOHO routers and NAS devices, OpenVPN has gained quite some popularity in the home/SOHO network domain. The problem is that most home/SOHO network devices have a not so decent CPU while OpenVPN, being crypto software, needs decent processing power in order to perform properly. I will keep this article simple and clean and not bother you with lots of details or irrelevant information. I will not elaborate on the problem of low-end CPU’s in this article. Basically I will provide you with a script to setup an OpenVPN client using the dd-wrt firmware. The reason for not providing a script for setting up OpenVPN on the tomato firmware is because I think that the GUI on the tomato provides enough options as such that reverting back to the command line is not needed.

##########################################################################
#
#       I Know - dd-wrt is not that much user friendly.
#
#       If you want an all GUI solution providing advanced options
#       then I really advise you to use the tomato firmware instead.
#
#       It looks funny that we are doing this in the /tmp partition
#       but that is because only the /tmp and /jffs partitions are
#       writable.
#       One more thing, just realize that your Linksys or whatever
#       comsumer network device you might be using might not have
#       the adequate processing power to drive OpenVPN decently.
#       For instance, on a Linksys E1200 I get like 6 Mbit/s down.
#       With a faster client device on the same line, same config
#       and same server, I get about 80 Mbit/s down.
#       So the advice here is; don't waste your time trying to figure out
#       how to get faster download speeds if you have a low-end network
#       client device.
#
##########################################################################

OPVPNENABLE=`nvram get openvpncl_enable | awk '$1 == "0" {print $1}'`

if [ "$OPVPNENABLE" != 0 ]; then
  nvram set openvpncl_enable=0
  nvram commit
fi

sleep 10

mkdir /tmp/2u2

cat > /tmp/2u2/openvpn.conf << CLIENTCONF
client
dev tun
proto udp
sndbuf 393216
rcvbuf 393216
remote 11.11.111.111 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
comp-lzo no
cipher BF-CBC
fast-io
tun-mtu 1500
mssfix 1460
verb 1
status vpn-status
CLIENTCONF

cat > /tmp/2u2/ca.crt << CACERT
-----BEGIN CERTIFICATE-----
MIIDKzCCAhOgAwIBAgIJAP+yPIj7vwFaMA0GCSqGSIb3DQEBCwUAMBMxETAPBgNV
BAMTCENoYW5nZU1lMB4XDTE1MTIyNzA1MDEyN1oXDTI1MTIyNDA1MDEyN1owEzER
MA8GA1UEAxMIQ2hhbmdlTWUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
AQDN5zetviG4P4z2qPJwTWpcYyJSx68Shf+CE+81LhnZlvxXeBXAXXtH1ZadoSdi
WC4065zAfzF3zP5Slg4snLMACf7MFwXL4CVhpg+NcziduTsp11mL9cv+LmuZ0Ozz
AKOQQDUo3alkzBdOmtoIyO40hr5OMRM2Gwa0RIZfjqau8L067Qwk06J8oHyzhNHI
7odK2HHDZebVzz9fUkkwHhBxAgMBAAGjgYEwfzAdBgNVHQ4EFgQUEswCtBUWyRRC
6R0OcIjU4Z8UwKcwQwYDVR0jBDwwOoAUEswCtBUWyRRC6R0OcIjU4Z8UwKehF6QV
BgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQELBQADggEBAFnxhbvgcRrieRJVvf979l5c
lGQERVB5cIR9kAI/V08lvJ/i/4vJntR1l7o5qo1uCS/glsntG/4DWC0MINA4XFWp
g4jmV2aLMiij4ohQwkzZMlIsZ2ICrtm4XkPJ2nNmetZraxV5qLcFDQRw6VV+zY+0
oVumDBLKrfM5V8teN6VRgSAtSTh45TqfMDxXqzcM6MZRwrDv545UpDc1fx8Tf2gK
9A6PrGcSWIXnwP989ZR4V01ZwgRNly7GdtoqFbmu0LOoB/gOnjMxNMVH2hyW/fYB
bVIdDVrWjze9OuZLdbEX/xPeyzPxxj8g91UkhsKF63mE/SKBRoV+gAU2WsyNvkA=
fTnFcXmJ4ELBFhcvZNlPQ8wT
-----END CERTIFICATE-----
CACERT

cat > /tmp/2u2/client1.crt << CLIENTCERT
-----BEGIN CERTIFICATE-----
MIIDOjCCAiKgAwIBAgIBCzANBgkqhkiG9w0BAQsFADATMREwDwYDVQQDEwhDaGFu
Z2VNZTAeFw0xNTEyMjcwNjAwNTJaFw0yNTEyMjQwNjAwNTJaMBcxFTATBgNVBAMT
DHBjcmF0c3otaG9tZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALJn
TgTyovXAP+fyOMlKIERu879Cmze52K6RKQOMRpRopOcWK4X1qD9Z/hsj5nbyiKYN
xfXtBxXl1ch5m7fwHVy49IcBi/8TTkVxE0JNNRdwx3wrHbI7/O3hZY45i8UXsxeb
T/b9DksLEaADZo4ssNPKk8frfFJTSga4pHv/ZEK7/LGWG0vNk1jYXP1fPzeX0p9g
n6cng6030PaELNc7EOcCAwEAAaOBlDCBkTAJBgNVHRMEAjAAMB0GA1UdDgQWBBQv
nxTAp6EXpBUwEzERMA8GA1UEAxMIQ2hhbmdlTWWCCQD/sjyI+78BWjATBgNVHSUE
DDAKBggrBgEFBQcDAjALBgNVHQ8EBAMCB4AwDQYJKoZIhvcNAQELBQADggEBALy2
Xp2+gdhBMW0IaS/TddQGW1un+7koEmWnO3SwnbtCGK+UArkOPmg9nViZmo08UnKE
aubzPxsJJWuq0ZmvHh6ikKJvE9MafwHUS18vAcB2QEATkUyn1w3gdgfjFOPsvgBr
RwK+frh9ulgbuqSxPjJpj3Sbj/eOHc1PXJMMyqCOzyHmMOb7bN9bFJXJ3ow42gPj
MX5fw76XnOqlmv7NIyH+4G3k1aXiFce4+CaGtDqjCidhw8XdtNT8vO+f0onqPzxc
c3G0pcwiL1FPSQMBQ+NH5lAMvVC3MaZgqtWFYi69epr+C/m33Zc3/PHeDT+9En/L
2u2mdEl+DUdd7hYOlFg=
-----END CERTIFICATE-----
CLIENTCERT

cat > /tmp/2u2/client1.key << PRIVATEKEY
-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCyZ04E8qL1wD/n
8jjJSiBEbvO/Qps3udiukSkDjEaUaKTnFiuF9ag/Wf4bI+Z28oimDcX17QcV5dXI
eZu38B1cuPSHAYv/E05FcRNCTTUXcMd8Kx2yO/zt4WWOOYvFF7MXm0/2/Q5LCxGg
z/MxpAbgqto53rqa2r2OpmAIxw+kGomAly8YktUO9oorxZOR/CIjLhLRPRA7C2/S
kFwRUezjgThGOx0+omMyyohF5CIsxwmT9g9nnKWYx5YbEqwoCxL1AE54Ao8hJAdf
RuXCQA7LcAPn84jMnT1xi0NvlIsqlOjNg92m8cSHXyjNTSnebbsb7TQjXCM1cuVa
8072+8zxJgFkXLgoUAwfEdSSqOYzoRnwjdWI335G1L4cT8/XAcV4737jQH8a225y
Mlt/9STg+82z/KpAvBzm1ATiQdpkRPcp8CdplNovZOf/+pUiy2BSfsAQgPCWVfBn
gcLAK3CaiwKBgEaZA25cL1wzZmslNCoy/ONPda45WfcVMkwnQw5EizqRRjtB9owM
6pVZuhmLI98OEBGn5iKf02pVVy8Ef3yypSY+MEFCZYXMtHKunAPEyfKpTwNSZ6aP
PNMckzGNcNJPvRFwDuCfFnEqNNDdajpJt+w2YbSpnKiRA8D4tSQ6FFc1AoGBALI/
8bs3FGM8erYsdm62nMNzgVuIeUyThqlUEtCMlEG3KJ/KjNSfxn+3ZoMnDb5Xfrtr
uw1pFJn1STXcW9r7l4dgat/TdZhe1pNZuZOtFqjd22KIP1yqY6+XXxutxDuzkVNe
TIVcmL9n5JUWwmXIumo00rFeLYEXJD/cM7lJoOlBAoGBAIQVRLTJ7bQbPFYU9ESJ
7v8RDP4CX9Ivkdti7Z8GYewrX3yKgN5Ibp+yB/WszDBLg/z8HlSBFkwGR0JtqiQl
+1EIP6c1mTTwGpgDehWBzrBAP7j9juZgm3/hQKPulXF/suf0UrXaark5p8bULTR2
fTnFcRmJ4ELDWhcvZNlLU8wT
-----END PRIVATE KEY-----
PRIVATEKEY

cat > /tmp/2u2/rc.openvpn << STARTUPSCRIPT
#!/bin/sh
while :
do
        date >> /tmp/2u2/vpn.log
        sleep 60
        NOPROCS=\`ps w | grep openvpn | grep -v grep | wc -l\`
        if [ \$NOPROCS -eq 0 ]
        then
                echo "openvpn not running, starting again" >> /tmp/2u2/vpn.log
                openvpn --config openvpn.conf --daemon --route-up /tmp/2u2/route-up.sh --down /tmp/2u2.nu/route-down.sh
        else
                echo "openvpn running, going back to sleep" >> /tmp/2u2/vpn.log
        fi
done
STARTUPSCRIPT

cat > /tmp/2u2/rc.firewall << FIREWALL
#!/bin/sh
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
iptables -I INPUT -i tun0 -j REJECT
FIREWALL

cat > /tmp/2u2/route-up.sh << ENABLENAT
#!/bin/sh
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
ENABLENAT

cat > /tmp/2u2/route-down.sh << DISABLENAT
#!/bin/sh
iptables -t nat -D POSTROUTING -o tun0 -j MASQUERADE
DISABLENAT

chmod a+x /tmp/2u2/rc.openvpn
chmod a+x /tmp/2u2/rc.firewall
chmod a+x /tmp/2u2/route-up.sh
chmod a+x /tmp/2u2/route-down.sh

cd /tmp/2u2

sleep 5
ln -s -f /tmp/2u2/vpn.log /tmp/vpn.log
ln -s -f /tmp/2u2/vpn-status /tmp/vpn-status

sleep 2
/tmp/2u2/rc.firewall

sleep 5
/tmp/2u2/rc.openvpn &

exit 0

##########################################################################
#       The End
##########################################################################
Comments

So what do you think? Did I miss something? Is any part unclear? Leave your comment below.

comments powered by Disqus

Published

Category

Networking

Tags

Contact

Email Subscription