Setting up OpenVPN on Tomato firmware for the WRT54GL and configuring it for the Tunnelblick client

Setting up OpenVPN on a Tomato based router (e.g. WRT54GL) is actually pretty easy once you know the steps involved in generating the required server and client certificates. First, let’s download easy-rsa from GitHub, which makes generating the required artefacts a lot easier, and start with the server setup. Once the server is running we will set up the client configuration to be used by Tunnelblick.

Server setup

Once you’ve downloaded and extracted easy-rsa we first need to set some required parameters. Do so by copying the existing vars.example file to vars:

cd ./easy-rsa-master/
cd ./easyrsa3/
cp vars.example vars

You should now have the following files inside easyrsa3:

MBP:easyrsa3 mak$ ls -alh
-rwxr-xr-x@  1 mak  staff    33K 14 Sep 09:50 vars
-rwxr-xr-x@  1 mak  staff   4,5K 14 Sep 09:50 openssl-1.0.cnf
-rwxr-xr-x@  1 mak  staff   7,9K 14 Sep 09:50 vars.example
drwxr-xr-x@  6 mak  staff   204B 14 Sep 09:50 x509-types

Vars file

Let’s edit the vars file:

Note: These parameters must match your OpenVPN server’s configuration, especially options like EASYRSA_ALGO in case you changed the default settings in Tomato.

I’ve extracted only the lines you are required to edit, feel free to adjust the other options too but make sure you know what you are doing 😉

set_var EASYRSA_REQ_COUNTRY   "AT"
set_var EASYRSA_REQ_PROVINCE  "Steiermark"
set_var EASYRSA_REQ_CITY      "Graz"
set_var EASYRSA_REQ_ORG       "Your company"
set_var EASYRSA_REQ_EMAIL     "you@your-company.com"
set_var EASYRSA_REQ_OU        "Some OU"

set_var EASYRSA_KEY_SIZE      4096

Public Key Infrastructure (PKI)

Now that we’ve set up easy-rsa it’s time to initialize the public key infrastructure (PKI):

MBP:easyrsa3 mak$ ./easyrsa init-pki

Note: using Easy-RSA configuration from: ./vars

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /Users/mak/easy-rsa-master/easyrsa3/pki

Certificate Authority (CA)

Then build the certificate authority (CA):

MBP:easyrsa3 mak$ ./easyrsa build-ca

Note: using Easy-RSA configuration from: ./vars
Generating a 4096 bit RSA private key
....................................++
....................................
writing new private key to '/Users/mak/easy-rsa-master/easyrsa3/pki/private/ca.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:YOURSERVER

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/Users/mak/easy-rsa-master/easyrsa3/pki/ca.crt

Server key

Now it’s time to build the server key:

MBP:easyrsa3 mak$ ./easyrsa build-server-full YOURSERVER

Note: using Easy-RSA configuration from: ./vars
Generating a 4096 bit RSA private key
............................................................++
......................................................++
writing new private key to '/Users/mak/easy-rsa-master/easyrsa3/pki/private/YOURSERVER.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
Using configuration from /Users/mak/easy-rsa-master/easyrsa3/openssl-1.0.cnf
Enter pass phrase for /Users/mak/easy-rsa-master/easyrsa3/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'YOURSERVER'
Certificate is to be certified until Dec  6 07:38:24 2024 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

For Tomato to be able to use your key we need to remove its passphrase; otherwise OpenVPN on the router will fail to start, since there is no way to enter the passphrase interactively:

MBP:easyrsa3 mak$ cd pki/private
MBP:private mak$ openssl rsa -in YOURSERVER.key -out YOURSERVER_NO_PASS.key 
Enter pass phrase for YOURSERVER.key:
writing RSA key

Diffie-Hellman prime number

For OpenVPN to work we also need Diffie-Hellman parameters; generating a 4096 bit safe prime will take a long time:

MBP:easyrsa3 mak$ ./easyrsa gen-dh

Note: using Easy-RSA configuration from: ./vars
Generating DH parameters, 4096 bit long safe prime, generator 2
This is going to take a long time
.................................................+.

Enter artefacts into Tomato

Finally, set the generated artefacts in the OpenVPN server configuration in the Tomato admin backend.

[Screenshots: Tomato OpenVPN server configuration pages (openvpn-config, openvpn-config-2, openvpn-config-3, openvpn-config-4)]

For the keys section you need the content of the following artefacts:

  • ca.crt
  • YOURSERVER.crt
  • YOURSERVER_NO_PASS.key
  • dh.pem

Client setup

Now that the server is set up properly it’s time to generate client certificates.

Client certificate

Note: You should always generate separate certificates for your clients!

MBP:easyrsa3 mak$ ./easyrsa build-client-full some_user

Note: using Easy-RSA configuration from: ./vars
Generating a 4096 bit RSA private key
..++
....................................++
writing new private key to '/Users/mak/easy-rsa-master/easyrsa3/pki/private/some_user.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
Using configuration from /Users/mak/easy-rsa-master/easyrsa3/openssl-1.0.cnf
Enter pass phrase for /Users/mak/easy-rsa-master/easyrsa3/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'some_user'
Certificate is to be certified until Dec  7 07:38:55 2024 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

Now we simply remove the passphrase from the client key like we did with the server key:

openssl rsa -in some_user.key -out some_user_NO_PASS.key 

OpenVPN configuration file

Next, we need to create a .ovpn configuration file based on the settings in Tomato from earlier, e.g. some_user.ovpn:

##############################################
# Sample client-side OpenVPN 2.0 config file #
# for connecting to multi-client server.     #
#                                            #
# This configuration can be used by multiple #
# clients, however each client should have   #
# its own cert and key files.                #
#                                            #
# On Windows, you might want to rename this  #
# file so it has a .ovpn extension           #
##############################################

# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client

# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tun
dev tap

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one.  On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap

# Are we connecting to a TCP or
# UDP server?  Use the same setting as
# on the server.
proto udp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote YOURSERVER 1194

# Choose a random host from the remote
# list for load-balancing.  Otherwise
# try hosts in the order specified.
;remote-random

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server.  Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nobody

# Try to preserve some state across restarts.
persist-key
persist-tun

# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here.  See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot
# of duplicate packets.  Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings

# SSL/TLS parms.
# See the server config file for more
# description.  It's best to use
# a separate .crt/.key file pair
# for each client.  A single ca
# file can be used for all clients.
ca ca.crt
cert client.crt
key client.key

# Verify server certificate by checking
# that the certificate has the nsCertType
# field set to "server".  This is an
# important precaution to protect against
# a potential attack discussed here:
#  http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server".  The build-key-server
# script in the easy-rsa folder will do this.
# Note: easy-rsa 3 (build-server-full, as used above) sets the
# extendedKeyUsage serverAuth extension instead of nsCertType, and
# current OpenVPN versions check that with "remote-cert-tls server".
;ns-cert-type server

# If a tls-auth key is used on the server
# then every client must also have the key.
;tls-auth ta.key 1

# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
;cipher x

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo

# Set log file verbosity.
verb 3

# Silence repeating messages
;mute 20

As you can see this configuration file references several other files:

  • ca.crt
  • client.crt
  • client.key

Of course you need to use the actual user files (e.g. some_user_NO_PASS.key) here. It’s best to keep the artefact filenames generic, so simply copy some_user_NO_PASS.key to client.key. To make things even easier, create a folder that holds all of a user’s configuration files, e.g. some_user:

[Screenshot: OpenVPN client configuration folder some_user]

Set up Tunnelblick on a Mac

To distribute your client configuration folder, rename it so that it ends in .tblk, which is the bundle format used by Tunnelblick for Mac:

[Screenshot: the renamed .tblk configuration bundle for Tunnelblick]

In order to install the client configuration for Tunnelblick simply double-click the .tblk file and you are all set!
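The client ends up with a folder of loose files that the .ovpn references by name, and a key whose passphrase must already have been stripped. As an added example (not part of the original post, and not easy-rsa, Tomato or Tunnelblick code), this Python script rewrites the ca, cert and key directives of such a config into OpenVPN's inline <ca>, <cert> and <key> blocks, yielding one self-contained .ovpn, and reports a key that is still passphrase-protected (the Proc-Type: 4,ENCRYPTED or BEGIN ENCRYPTED PRIVATE KEY marker) before it can be shipped. The config file name client.ovpn is an assumption; everything else follows the post's file names.

```python
import re
from pathlib import Path

# PEM types acceptable for each OpenVPN directive (the text after "-----BEGIN ")
PEM_TYPES = {
    "ca":   {"CERTIFICATE"},
    "cert": {"CERTIFICATE"},
    "key":  {"PRIVATE KEY", "RSA PRIVATE KEY", "ENCRYPTED PRIVATE KEY"},
}
# Either marker means the key still has a passphrase, which OpenVPN on Tomato cannot prompt for
ENCRYPTED_MARKERS = ("Proc-Type: 4,ENCRYPTED", "BEGIN ENCRYPTED PRIVATE KEY")
# Only uncommented ca/cert/key directives match; lines starting with # or ; are left alone
DIRECTIVE_RE = re.compile(r"^\s*(ca|cert|key)\s+(\S+)\s*$")

def check_pem(directive, pem):
    """Return a list of problems with one PEM blob; an empty list means it looks usable."""
    problems = []
    m = re.search(r"-----BEGIN ([A-Z ]+)-----", pem)
    if not m or m.group(1) not in PEM_TYPES[directive]:
        problems.append(f"{directive}: expected a {'/'.join(sorted(PEM_TYPES[directive]))} PEM")
    if directive == "key" and any(mk in pem for mk in ENCRYPTED_MARKERS):
        problems.append("key: still passphrase-protected; strip it with 'openssl rsa' first")
    return problems

def inline_config(config_text, read_file):
    """Replace 'ca X', 'cert X', 'key X' with inline <ca>...</ca> blocks; read_file(name) gives
    the PEM text of a referenced file or None if missing. Returns (new_config, problems)."""
    out, problems = [], []
    for line in config_text.splitlines():
        m = DIRECTIVE_RE.match(line)
        if not m:
            out.append(line)
            continue
        directive, name = m.groups()
        pem = read_file(name)
        if pem is None:
            problems.append(f"{directive}: referenced file {name} not found")
            out.append(line)
            continue
        pem = pem.strip()
        problems += check_pem(directive, pem)
        out.append(f"<{directive}>\n{pem}\n</{directive}>")
    return "\n".join(out) + "\n", problems

def bundle_from_dir(folder, config_name="client.ovpn"):
    """Bundle a folder such as the post's some_user/ directory; config_name is an assumption."""
    folder = Path(folder)
    read = lambda n: (folder / n).read_text() if (folder / n).is_file() else None
    return inline_config((folder / config_name).read_text(), read)
```

Do not write the bundle out while the returned problem list is non-empty; a single inline .ovpn (or .tblk containing it) is what you distribute to the user.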
