Category: Standards

    Setting up OpenVPN on Tomato firmware for WRT54GL and configure for Tunnelblick client

    Setting up OpenVPN on a Tomato-based router (e.g. WRT54GL) is actually pretty easy once you know the steps involved in generating the required server and client certificates. First, let’s download easy-rsa from Github, which makes generating the required artefacts a lot easier, and start with the server setup. Once we have the server running we will set up the client configuration to be used by Tunnelblick.

    Server setup

    Once you’ve downloaded and extracted easy-rsa we first need to set some required parameters. Do so by copying the existing vars.example file to vars:

    cd ./easy-rsa-master/
    cd ./easyrsa3/
    cp vars.example vars
    

    You now should have the following files inside easyrsa3:

    MBP:easyrsa3 mak$ ls -alh
    -rwxr-xr-x@  1 mak  staff    33K 14 Sep 09:50 vars
    -rwxr-xr-x@  1 mak  staff   4,5K 14 Sep 09:50 openssl-1.0.cnf
    -rwxr-xr-x@  1 mak  staff   7,9K 14 Sep 09:50 vars.example
    drwxr-xr-x@  6 mak  staff   204B 14 Sep 09:50 x509-types
    

    Vars file

    Let’s edit the vars file:

    Note: These parameters must match your OpenVPN server’s configuration, especially options like EASYRSA_ALGO in case you changed the default settings in Tomato.

    I’ve extracted only the lines you are required to edit, feel free to adjust the other options too but make sure you know what you are doing 😉

    set_var EASYRSA_REQ_COUNTRY   "AT"
    set_var EASYRSA_REQ_PROVINCE  "Steiermark"
    set_var EASYRSA_REQ_CITY      "Graz"
    set_var EASYRSA_REQ_ORG       "Your company"
    set_var EASYRSA_REQ_EMAIL     "you@your-company.com"
    set_var EASYRSA_REQ_OU        "Some OU"
    
    set_var EASYRSA_KEY_SIZE      4096
    

    Public Key Infrastructure (PKI)

    Now that we’ve set up easy-rsa it’s time to initialize the public key infrastructure (PKI) directory:

    MBP:easyrsa3 mak$ ./easyrsa init-pki
    
    Note: using Easy-RSA configuration from: ./vars
    
    init-pki complete; you may now create a CA or requests.
    Your newly created PKI dir is: /Users/mak/easy-rsa-master/easyrsa3/pki
    

    Certificate Authority (CA)

    Then build the certificate authority (CA). You will be asked for a passphrase for the CA key: choose a strong one and keep it, because this key signs every server and client certificate. The CA key stays on your workstation and is never copied to the router; only ca.crt is:

    MBP:easyrsa3 mak$ ./easyrsa build-ca
    
    Note: using Easy-RSA configuration from: ./vars
    Generating a 4096 bit RSA private key
    ....................................++
    ....................................
    writing new private key to '/Users/mak/easy-rsa-master/easyrsa3/pki/private/ca.key'
    Enter PEM pass phrase:
    Verifying - Enter PEM pass phrase:
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Common Name (eg: your user, host, or server name) [Easy-RSA CA]:YOURSERVER
    
    CA creation complete and you may now import and sign cert requests.
    Your new CA certificate file for publishing is at:
    /Users/mak/easy-rsa-master/easyrsa3/pki/ca.crt
    

    Server key

    Now it’s time to build the server key and certificate. build-server-full generates the key, creates the certificate request and signs it with the CA in one step, which is why it asks for the CA passphrase as well:

    MBP:easyrsa3 mak$ ./easyrsa build-server-full YOURSERVER
    
    Note: using Easy-RSA configuration from: ./vars
    Generating a 4096 bit RSA private key
    ............................................................++
    ......................................................++
    writing new private key to '/Users/mak/easy-rsa-master/easyrsa3/pki/private/YOURSERVER.key'
    Enter PEM pass phrase:
    Verifying - Enter PEM pass phrase:
    -----
    Using configuration from /Users/mak/easy-rsa-master/easyrsa3/openssl-1.0.cnf
    Enter pass phrase for /Users/mak/easy-rsa-master/easyrsa3/pki/private/ca.key:
    Check that the request matches the signature
    Signature ok
    The Subject's Distinguished Name is as follows
    commonName            :ASN.1 12:'YOURSERVER'
    Certificate is to be certified until Dec  6 07:38:24 2024 GMT (3650 days)
    
    Write out database with 1 new entries
    Data Base Updated
    

    In order for Tomato to be able to use your key we need to remove the passphrase. Tomato starts OpenVPN non-interactively and offers no way to enter a passphrase, so OpenVPN would fail to start. Be aware that the key then sits unencrypted in the router’s configuration, readable by anyone with admin access to the router, so protect that login accordingly:

    MBP:easyrsa3 mak$ cd pki/private
    MBP:private mak$ openssl rsa -in YOURSERVER.key -out YOURSERVER_NO_PASS.key 
    Enter pass phrase for YOURSERVER.key:
    writing RSA key
    

    Diffie-Hellman parameters

    For OpenVPN to work we also need Diffie-Hellman (DH) parameters. gen-dh uses the size set in EASYRSA_KEY_SIZE, so with 4096 bits the safe-prime generation will take a long time (expect hours rather than minutes on a laptop), and the router has to perform a 4096-bit DH exchange on every handshake, which is noticeably slow on hardware of the WRT54GL’s class:

    MBP:easyrsa3 mak$ ./easyrsa gen-dh
    
    Note: using Easy-RSA configuration from: ./vars
    Generating DH parameters, 4096 bit long safe prime, generator 2
    This is going to take a long time
    .................................................+.
    

    Enter artefacts into Tomato

    Finally, paste the generated artefacts into the OpenVPN server configuration in the Tomato admin backend. Note the interface type (TUN/TAP), protocol, port, cipher and compression settings you choose here; the client configuration later has to mirror them.

    [Screenshots: openvpn-config, openvpn-config-2, openvpn-config-3, openvpn-config-4]

    For the keys section you need the content of the following artefacts (all found below easyrsa3/pki):

    • ca.crt (pki/ca.crt)
    • YOURSERVER.crt (pki/issued/YOURSERVER.crt)
    • YOURSERVER_NO_PASS.key (pki/private/YOURSERVER_NO_PASS.key)
    • dh.pem (pki/dh.pem)
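    Before pasting the files into Tomato it pays to check them. The script below is an added example and not part of the original post: it verifies that a certificate chains to ca.crt, that the key really has had its passphrase removed, that key and certificate belong together, and that a server certificate carries the serverAuth extended key usage which easy-rsa’s build-server-full sets (and which a client using remote-cert-tls server will demand). It assumes a POSIX sh and the openssl command line tool. make_demo_pki is constructed sample input: it builds a throwaway CA, a server certificate and a client certificate with plain openssl so the check can be exercised without the real PKI; its 2048-bit keys are only for speed, not a recommendation.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes POSIX sh + openssl.

# Print a failure reason on stderr; callers return 1 right after.
fail() { echo "FAIL: $*" >&2; return 1; }

# verify_vpn_artifacts CA_CRT CERT KEY [server|client]
# Returns 0 only if CERT chains to CA_CRT, KEY is not passphrase-protected
# (Tomato cannot prompt for one), KEY belongs to CERT and, for role server,
# CERT carries the serverAuth EKU that `remote-cert-tls server` checks.
verify_vpn_artifacts() {
  ca=$1; crt=$2; key=$3; role=${4:-server}

  openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 \
    || { fail "$crt does not chain to $ca"; return 1; }

  # Both traditional ("Proc-Type: 4,ENCRYPTED") and PKCS#8
  # ("BEGIN ENCRYPTED PRIVATE KEY") encrypted keys contain this word.
  if grep -q 'ENCRYPTED' "$key"; then
    fail "$key is still passphrase-protected; strip it with: openssl rsa -in $key -out ..."
    return 1
  fi

  # The RSA modulus is the cheapest way to prove a key/cert pair matches.
  crt_mod=$(openssl x509 -noout -modulus -in "$crt" 2>/dev/null)
  key_mod=$(openssl rsa -noout -modulus -in "$key" 2>/dev/null)
  [ -n "$crt_mod" ] && [ "$crt_mod" = "$key_mod" ] \
    || { fail "$key does not match $crt"; return 1; }

  if [ "$role" = server ]; then
    openssl x509 -noout -text -in "$crt" | grep -q 'TLS Web Server Authentication' \
      || { fail "$crt lacks the serverAuth EKU; create server certs with build-server-full"; return 1; }
  fi
  echo "OK: $crt / $key"
}

# make_demo_pki DIR: constructed sample input. A throwaway CA plus a server
# cert (serverAuth, as easy-rsa's server type sets) and a client cert
# (clientAuth only), all with passphrase-less keys.
make_demo_pki() {
  d=$1; mkdir -p "$d"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo CA" \
    -keyout "$d/ca.key" -out "$d/ca.crt" >/dev/null 2>&1
  for who in server client; do
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$who" \
      -keyout "$d/$who.key" -out "$d/$who.csr" >/dev/null 2>&1
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=%sAuth\n' \
      "$who" > "$d/$who.ext"
    openssl x509 -req -days 30 -in "$d/$who.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
      -CAcreateserial -extfile "$d/$who.ext" -out "$d/$who.crt" >/dev/null 2>&1
  done
}

# Usage against the real easy-rsa output (paths from the post):
#   verify_vpn_artifacts pki/ca.crt pki/issued/YOURSERVER.crt pki/private/YOURSERVER_NO_PASS.key server
#   verify_vpn_artifacts pki/ca.crt pki/issued/some_user.crt pki/private/some_user_NO_PASS.key client
```

    Run the server check on the three files you are about to paste into Tomato and the client check on every user bundle you hand out; a swapped key or a client certificate accidentally used as the server certificate is caught before the first connection attempt.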

    Client setup

    Now that we have the server set up properly it’s time to generate client certificates.

    Client certificate

    Note: You should always generate a separate certificate for each client, so that a single device can be replaced individually and the server can tell clients apart (by default OpenVPN refuses a second simultaneous connection presenting the same certificate CN).

    MBP:easyrsa3 mak$ ./easyrsa build-client-full some_user
    
    Note: using Easy-RSA configuration from: ./vars
    Generating a 4096 bit RSA private key
    ..++
    ....................................++
    writing new private key to '/Users/mak/easy-rsa-master/easyrsa3/pki/private/some_user.key'
    Enter PEM pass phrase:
    Verifying - Enter PEM pass phrase:
    -----
    Using configuration from /Users/mak/easy-rsa-master/easyrsa3/openssl-1.0.cnf
    Enter pass phrase for /Users/mak/easy-rsa-master/easyrsa3/pki/private/ca.key:
    Check that the request matches the signature
    Signature ok
    The Subject's Distinguished Name is as follows
    commonName            :ASN.1 12:'some_user'
    Certificate is to be certified until Dec  7 07:38:55 2024 GMT (3650 days)
    
    Write out database with 1 new entries
    Data Base Updated
    

    Now we simply remove the passphrase from the client key like we did with the server key (again from inside pki/private):

    MBP:private mak$ openssl rsa -in some_user.key -out some_user_NO_PASS.key
    

    OpenVPN configuration file

    Next, we need to create a .ovpn configuration file, e.g. some_user.ovpn, that mirrors the settings chosen in Tomato earlier (interface type, protocol, port, cipher and compression):

    ##############################################
    # Sample client-side OpenVPN 2.0 config file #
    # for connecting to multi-client server.     #
    #                                            #
    # This configuration can be used by multiple #
    # clients, however each client should have   #
    # its own cert and key files.                #
    #                                            #
    # On Windows, you might want to rename this  #
    # file so it has a .ovpn extension           #
    ##############################################
    
    # Specify that we are a client and that we
    # will be pulling certain config file directives
    # from the server.
    client
    
    # Use the same interface type (TUN or TAP) as
    # selected in the Tomato server settings; this
    # post uses TAP.
    # On most systems, the VPN will not function
    # unless you partially or fully disable
    # the firewall for the TUN/TAP interface.
    ;dev tun
    dev tap
    
    # Windows needs the TAP-Win32 adapter name
    # from the Network Connections panel
    # if you have more than one.  On XP SP2,
    # you may need to disable the firewall
    # for the TAP adapter.
    ;dev-node MyTap
    
    # Are we connecting to a TCP or
    # UDP server?  Use the same setting as
    # on the server.
    proto udp
    
    # The public hostname/IP of the router (e.g. its
    # DDNS name) and the port configured in Tomato.
    # You can have multiple remote entries
    # to load balance between the servers.
    remote YOURSERVER 1194
    
    # Choose a random host from the remote
    # list for load-balancing.  Otherwise
    # try hosts in the order specified.
    ;remote-random
    
    # Keep trying indefinitely to resolve the
    # host name of the OpenVPN server.  Very useful
    # on machines which are not permanently connected
    # to the internet such as laptops.
    resolv-retry infinite
    
    # Most clients don't need to bind to
    # a specific local port number.
    nobind
    
    # Downgrade privileges after initialization (non-Windows only)
    ;user nobody
    ;group nobody
    
    # Try to preserve some state across restarts.
    persist-key
    persist-tun
    
    # If you are connecting through an
    # HTTP proxy to reach the actual OpenVPN
    # server, put the proxy server/IP and
    # port number here.  See the man page
    # if your proxy server requires
    # authentication.
    ;http-proxy-retry # retry on connection failures
    ;http-proxy [proxy server] [proxy port #]
    
    # Wireless networks often produce a lot
    # of duplicate packets.  Set this flag
    # to silence duplicate packet warnings.
    ;mute-replay-warnings
    
    # SSL/TLS parms.
    # See the server config file for more
    # description.  It's best to use
    # a separate .crt/.key file pair
    # for each client.  A single ca
    # file can be used for all clients.
    ca ca.crt
    cert client.crt
    key client.key
    
    # Verify that the certificate presented by the
    # server was issued for server use (extended key
    # usage serverAuth, which easy-rsa's
    # build-server-full sets).  Without this check
    # any holder of a client certificate signed by
    # the same CA could impersonate the server; see
    #  http://openvpn.net/howto.html#mitm
    # (ns-cert-type is the legacy form of the same
    # check and is not needed with easy-rsa 3 certs.)
    remote-cert-tls server
    
    # If the extra HMAC authorization (tls-auth)
    # option is enabled on the Tomato server, copy
    # its static key into ta.key and uncomment this.
    # The second argument is the key direction and
    # must be the opposite of the server's (1 when
    # the server uses 0).
    ;tls-auth ta.key 1
    
    # Select a cryptographic cipher.
    # This must match the cipher selected in the
    # Tomato server settings; leave it commented
    # only if Tomato uses the default.
    ;cipher x
    
    # Enable compression on the VPN link.
    # Don't enable this unless it is also
    # enabled in the Tomato server settings.
    comp-lzo
    
    # Set log file verbosity.
    verb 3
    
    # Silence repeating messages
    ;mute 20
    

    As you can see, this configuration file references several other files by generic names:

    • ca.crt
    • client.crt
    • client.key

    Of course you need to use the actual user files here: copy pki/ca.crt to ca.crt, pki/issued/some_user.crt to client.crt and pki/private/some_user_NO_PASS.key to client.key. Keeping the file names inside the configuration generic means the same .ovpn works for every user. To make things even easier, create one folder per user, e.g. some_user, that holds the .ovpn file together with these three files:

    [Screenshot: OpenVPN client configuration folder]

    Set up Tunnelblick on Mac

    To distribute a client configuration folder, rename it so that it ends in .tblk; Tunnelblick for Mac recognises such a folder as a configuration bundle:

    [Screenshot: OpenVPN client configuration .tblk in Tunnelblick]

    To install the configuration, double-click the .tblk file and you are all set. Keep in mind that the bundle contains the user’s private key without a passphrase, so hand it over through a secure channel and treat it like a password. If you would rather keep a passphrase on the client key, skip the openssl rsa step for that user: unlike Tomato, Tunnelblick can prompt for the passphrase when connecting.
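    The copying, renaming and packaging described in the last two sections can be scripted so that every user bundle is built the same way. The function below is an added example and not part of the original post. It assumes a POSIX sh and easy-rsa 3’s pki layout (pki/ca.crt, pki/issued/<user>.crt, pki/private/<user>_NO_PASS.key), writes a minimal .ovpn with the directives from the sample above that actually matter for Tomato, and refuses to bundle a key that still carries a passphrase. The remote host, port, interface type and compression flag are parameters you must set to whatever Tomato is configured with; the hostname vpn.example.org in the usage line is a placeholder.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes POSIX sh and the
# easy-rsa 3 pki directory layout used throughout the post.

# build_tblk PKI_DIR USER REMOTE_HOST [PORT] [tun|tap] [yes|no]
#   PORT, interface type and the comp-lzo flag default to the values used in
#   the post (1194, tap, compression on) and must match the Tomato server.
# Creates USER.tblk in the current directory and prints its path.
# Returns 1 if an artefact is missing or the key is still encrypted.
build_tblk() {
  pki=$1; user=$2; remote=$3; port=${4:-1194}; dev=${5:-tap}; lzo=${6:-yes}
  ca="$pki/ca.crt"
  crt="$pki/issued/$user.crt"
  key="$pki/private/${user}_NO_PASS.key"

  for f in "$ca" "$crt" "$key"; do
    [ -r "$f" ] || { echo "missing artefact: $f" >&2; return 1; }
  done
  # A passphrase-protected key would only work if the user types it in;
  # the post removes it, so refuse anything that still looks encrypted.
  if grep -q 'ENCRYPTED' "$key"; then
    echo "$key is still passphrase-protected" >&2
    return 1
  fi

  out="$user.tblk"
  rm -rf "$out"
  mkdir "$out"
  # Generic names inside the bundle, as in the post, so one .ovpn fits all users.
  cp "$ca"  "$out/ca.crt"
  cp "$crt" "$out/client.crt"
  cp "$key" "$out/client.key"
  chmod 600 "$out/client.key"

  {
    echo "client"
    echo "dev $dev"
    echo "proto udp"
    echo "remote $remote $port"
    echo "resolv-retry infinite"
    echo "nobind"
    echo "persist-key"
    echo "persist-tun"
    echo "ca ca.crt"
    echo "cert client.crt"
    echo "key client.key"
    # Reject any certificate that was not issued for server use.
    echo "remote-cert-tls server"
    if [ "$lzo" = yes ]; then echo "comp-lzo"; fi
    echo "verb 3"
  } > "$out/$user.ovpn"

  echo "$out"
}

# Usage (vpn.example.org is a placeholder for the router's DDNS name):
#   build_tblk ./pki some_user vpn.example.org 1194 tap yes
```

    If the extra HMAC authorization (tls-auth) option is enabled in Tomato, copy the static key into the bundle as ta.key and add a tls-auth line with the matching direction; the script deliberately leaves that out because it cannot know the server setting.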