-
Notifications
You must be signed in to change notification settings - Fork 0
/
0017.html
220 lines (204 loc) · 10.6 KB
/
0017.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
<!DOCTYPE html>
<html lang="en" xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Setting Up DD-WRT OpenVPN Server and Certificate Creation</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta charset="UTF-8">
<meta name="keywords" content="DD-WRT OpenVPN Server,VPN To Your Home Network,Self-Hosted VPN Server,DD-WRT,OpenVPN,Network,Install Guide,Self-Signed SSL,IT Security,Public Key Infrastructure,Self-Signed,Certificate Authority,XCA,DD-WRT Setup,X Certificate Key Manager,Self-Signed PKI,Networking,Router,Home Lab,Self-Signed Certificate,Self-Hosted,Home Networking,Personal VPN,PKI,Certificates,Self-Hosted VPN,How To,Tutorial,i12bretro">
<meta name="author" content="i12bretro">
<meta name="description" content="Setting Up DD-WRT OpenVPN Server and Certificate Creation">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="revised" content="10/24/2022 09:58:15 AM" />
<link rel="icon" type="image/x-icon" href="includes/favicon.ico">
<script type="text/javascript" src="https://code.jquery.com/jquery-3.5.1.min.js"></script>
<script type="text/javascript" src="includes/js/steps.js"></script>
<link href="css/steps.css" rel="stylesheet" type="text/css" />
</head>
<body>
<div id="gridContainer">
<div class="topMargin"></div>
<div id="listName" class="topMargin">
<h1>Setting Up DD-WRT OpenVPN Server and Certificate Creation</h1>
</div>
<div></div>
<div id="content">
<p>This is part five of a series of creating your own self-signed PKI and some ways to utilize the PKI to setup SSL for your web server or create your own OpenVPN server.</p>
<p>Disclaimer: I am not a security expert. This is just demonstrating an easy way to get OpenVPN up and running to allow access to a remote network from anywhere in the world.</p>
<p>For increased security, use a non-standard TCP or UDP port for your OpenVPN server, making sure to update the client "remote" line with the matching port number.</p>
<p>In this tutorial I am running DD-WRT in a VirtualBox VM. Learn how at <a href="https://youtu.be/BRLukj4dZxk" target="_blank">https://youtu.be/BRLukj4dZxk</a></p>
<h2>Prerequisites</h2>
<ul>
<li class="noCheckbox">A XCA PKI database <a href="https://youtu.be/ezzj3x207lQ" target="_blank">https://youtu.be/ezzj3x207lQ</a></li>
</ul>
<h2>Create Required Certificates</h2>
<ol>
<li>Launch XCA</li>
<li>Open the PKI database if it is not already (File > Open DataBase), enter password</li>
<li>Click on the Certificates tab, right click on your Intermediate CA certificate</li>
<li>Select New</li>
<li>On the Source tab, make sure Use this Certificate for signing is selected</li>
<li>Verify your Intermediate CA certificate is selected from the drop down</li>
<li>Click the Subject tab</li>
<li>Complete the Distinguished Name section
<p>internalName: OpenVPN Server<br />
countryName: US<br />
stateOrProvinceName: Virginia<br />
localityName: Northern<br />
organizationName: i12bretro<br />
organizationUnitName: i12bretro Certificate Authority<br />
commonName: vpn.i12bretro.local</p>
</li>
<li>Click the Generate a New Key button</li>
<li>Enter a name and set the key size to at least 2048</li>
<li>Click Create</li>
<li>Click on the Extensions tab</li>
<li>Set the Type dropdown to End Endity</li>
<li>Check the box next to Subject Key Identifier</li>
<li>Update the validity dates to fit your needs</li>
<li>Click the Key Usage tab</li>
<li>Under Key Usage select Digital Signature and Key Encipherment</li>
<li>Under Extended Key Usage select TLS Web Server Authentication</li>
<li>Click the Netscape tab</li>
<li>Deselect all options and clear the Netscape Comment field</li>
<li>Click OK to create the certificate</li>
<li>Click on the Certificates tab, right click on your Intermediate CA certificate again</li>
<li>Select New</li>
<li>On the Source tab, make sure Use this Certificate for signing is selected</li>
<li>Verify your Intermediate CA certificate is selected from the drop down</li>
<li>Click the Subject tab</li>
<li>Complete the Distinguished Name section
<p>internalName: OpenVPN Client #1<br />
countryName: US<br />
stateOrProvinceName: Virginia<br />
localityName: Northern<br />
organizationName: i12bretro<br />
organizationUnitName: i12bretro Certificate Authority<br />
commonName: VPN Client 1</p>
</li>
<li>Click the Generate a New Key button</li>
<li>Enter a name and set the key size to at least 2048</li>
<li>Click Create</li>
<li>Click on the Extensions tab</li>
<li>Set the Type dropdown to End Endity</li>
<li>Check the box next to Subject Key Identifier</li>
<li>Update the validity dates to fit your needs</li>
<li>Click the Key Usage tab</li>
<li>Under Key Usage select Digital Signature, Key Agreement</li>
<li>Under Extended Key Usage select TLS Web Client Authentication</li>
<li>Click the Netscape tab</li>
<li>Deselect all options and clear the Netscape Comment field</li>
<li>Click OK to create the certificate</li>
<li>On the Certificates tab, click the OpenVPN Server certificate</li>
<li>Select Extra > Generate DH Parameter</li>
<li>Type 2048 for DH parameter bits</li>
<li>Click OK</li>
<li>Select a location for dh2048.pem and click Save</li>
</ol>
<h2>Exporting Required Files for OpenVPN</h2>
<ol>
<li>In XCA, click on the Certificates tab</li>
<li>Right click the Intermediate CA certificate > Export > File</li>
<li>Set the file name with a .pem extension and verify the export format is PEM chain (*.pem)</li>
<li>Click OK</li>
<li>Right click the OpenVPN Server certificate > Export > File</li>
<li>Set the file name with a .crt extension and verify the export format is PEM (*.crt)</li>
<li>Click OK</li>
<li>Right click the OpenVPN Client #1 certificate > Export > File</li>
<li>Set the file name with a .crt extension and verify the export format is PEM (*.crt)</li>
<li>Click OK</li>
<li>Click on the Private Keys tab</li>
<li>Right click the OpenVPN Server key > Export > File</li>
<li>Set the file name with a .pk8 extension and verify the export format is PKCS #8 (*.pk8)</li>
<li>Click OK</li>
<li>Right click the OpenVPN Client #1 key> Export > File</li>
<li>Set the file name with a .pk8 extension and verify the export format is PKCS #8 (*.pk8)</li>
<li>Click OK</li>
</ol>
<h2>Setting Up OpenVPN Server in DD-WRT</h2>
<ol>
<li>Open a web browser and navigate to your DD-WRT IP address</li>
<li>Login when prompted</li>
<li>Select the Administration tab</li>
<li>Select the Backup sub tab</li>
<li>Click Backup at the very bottom</li>
<li>Save the nvrambak file somewhere safe</li>
<li>Select the Services tab</li>
<li>Select the VPN sub tab</li>
<li>Scroll down and select enable next to OpenVPN under the OpenVPN Server/Daemon header</li>
<li>Set the OpenVPN Settings as the following:
<ol start="1" style="list-style-type: lower-alpha;">
<li>Start Type: System</li>
<li>Config as: Server</li>
<li>Server mode: Router (TUN)</li>
<li>Network: 10.10.28.0</li>
<li>Netmask: 255.255.255.0</li>
<li>Port: 1194</li>
<li>Tunnel Protocol: TCP</li>
<li>Encyption Cipher: AES-256 GCM</li>
<li>Hash Algorithm: SHA256</li>
<li>Advanced Options: Enable</li>
<li>TLS Cipher: TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384</li>
<li>Compression: Compress lz4-v2</li>
<li>Redirect default Gateway: Disable</li>
<li>Allow Client to Client: Enable</li>
<li>Allow duplicate CN: Disable</li>
<li>Tunnel MT setting: 1500</li>
<li>Tunnel UDP MSS-Fix: Disable</li>
</ol>
</li>
<li>Paste the contents of OpenVPN_Server.crt into the Public Server Cert field</li>
<li>Paste the contents of CA_Chain.pem into the CA Cert field</li>
<li>Paste the contents of OpenVPN_Server.pem into the Private Server Key field</li>
<li>Paste the contents of dh2048.pem into the DH PEM field</li>
<li>Paste the following into the Additional Config field:
<p>push "route-gateway 10.10.27.27"<br />
push "route 10.10.27.0 255.255.255.0"<br />
push "dhcp-option DNS 10.10.27.1"<br />
push "dhcp-option DNS 208.67.222.222"</p>
</li>
<li>Note in the above:<br />
route-gateway is the IP address of the internet gateway on your local network<br />
route is the subnet of your local network<br />
dhcp-option DNS sets DNS servers, in my case my domain controller and an OpenDNS server</li>
<li>Click Save at the bottom</li>
<li>Click Apply Settings</li>
<li>Click the Administration tab</li>
<li>Click the Command sub tab</li>
<li>Paste the following into the Commands field
<p>iptables -t nat -I PREROUTING -p udp --dport 1194 -j ACCEPT<br />
iptables -I INPUT -p udp --dport 1194 -j ACCEPT<br />
iptables -t nat -I PREROUTING -p tcp --dport 1194 -j ACCEPT<br />
iptables -I INPUT -p tcp --dport 1194 -j ACCEPT<br />
iptables -I INPUT -i tun2 -j ACCEPT<br />
iptables -I FORWARD -i tun2 -j ACCEPT<br />
iptables -I FORWARD -o tun2 -j ACCEPT<br />
iptables -t nat -A POSTROUTING -s 10.10.28.0/24 -o eth0 -j MASQUERADE</p>
</li>
<li>Click Save Firewall at the bottom</li>
<li>Click the Management sub tab</li>
<li>Click Reboot Router at the very bottom</li>
</ol>
<h2>Installing OpenVPN Client Software and Testing</h2>
<ol>
<li>Download the OpenVPN software <a href="https://openvpn.net/community-downloads/" target="_blank">Download</a></li>
<li>Run the installer with all the default values</li>
<li>Click the Start button and search OpenVPN GUI</li>
<li>Select OpenVPN GUI from the results to start the application</li>
</ol>
<h2>Creating the OpenVPN Client Profile</h2>
<ol>
<li>Download the OVPN template <a href="https://drive.google.com/open?id=1cwgQfCoQmDOMbY1kW7JK4q07ijHdl37y" target="_blank">Download</a></li>
<li>Rename the .ovpn template something meaningful</li>
<li>Edit the .ovpn template replacing the following:
<p><#replace with dynamic dns#> with a dynamic DNS or external IP address to your server<br />
<#replace with CA chain#> with the contents of CA_Chain.pem<br />
<#replace with client 1 cert #> with the contents of OpenVPN_Client #1.crt<br />
<#replace with client 1 key #> with the contents of OpenVPN_Client #1.pk8</p>
</li>
<li>Save your changes</li>
<li>Copy the .ovpn template to OpenVPN install directory/config</li>
<li>Right click OpenVPN GUI in the system tray > Connect</li>
</ol> </div>
</div>
</body>
</html>