WRT router / OpenVPN Howto

This page describes my experience installing open source firmware (Tomato) on my router, and installing OpenVPN server and clients (on both Windows XP and Ubuntu 9.10 Karmic Koala).

First let me describe my hardware:

  • AT&T Uverse Residential Gateway
  • ASUS WL-500g Premium V2 Router
  • (Local) Windows XP laptop
  • (Local) Ubuntu laptop
  • (Remote) Windows XP desktop
  • (Remote) Ubuntu desktop

Why ASUS WL-500g Premium?

I chose this from among the supported routers on DD-WRT’s router database. In particular, both versions V1 and V2 have the same hardware specs and higher-than-average memory sizes (32MB RAM, 8MB flash).

Now let me describe my software choices:

Why OpenVPN?

At first, I wanted to use PPTP for my VPN due to its built-in support in Windows. However, it has been found to be very insecure, and it is not well supported in Linux. So I chose OpenVPN due to its better Linux support, better security, and community support.

Why Tomato?

Actually I decided on DD-WRT first but switched to Tomato due to its nicely done logging features.

Why TomatoVPN?

I chose the modified TomatoVPN due to its built-in OpenVPN support. It made installing the OpenVPN server quite easy.

A) Installing the router firmware

This method varies by router, and is well discussed on the internet and on the dd-wrt wiki. But with my WL-500gP, I took the following steps:

  1. Downloaded the most recent TomatoVPN firmware (ND version) here.
  2. Installed the ASUS software on my Windows XP desktop (it did not work from my Windows 7 machine).
  3. Connected my Windows XP computer to the router, and unplugged all other ports from the router, including WAN.
  4. Disabled my Windows XP firewall.
  5. Ran Rescue.exe from the ASUS utility pack, chose the TomatoVPN firmware, and let it go.
  6. Re-enabled my Windows XP firewall.

B) Setting up the UVerse router to work with my new Tomato

The UVerse router is not completely plug-and-play when using another router behind it. But getting them to play nicely is not too bad. The final result is that you want the Tomato router in the DMZ of the UVerse router.

  1. Plugged the WAN port of the Tomato router into one of the LAN ports on the UVerse router.
  2. Plugged my Windows XP computer into a LAN port on the UVerse router.
  3. Browsed to http://gateway.2wire.net or http://192.168.1.254/ to get to my UVerse admin site
  4. Clicked “Home Network” and disabled HomePNA, Wireless, and USB. (Note: If you’re using UVerse TV, you will probably want to keep HomePNA enabled).
  5. Found my Tomato router in the “Local Devices” list, and clicked “Edit Firewall Settings” for that device.
  6. Chose the “Allow all applications (DMZplus mode)” radio button and clicked “Done”. The Tomato was then assigned a new public IP address.

C) Configuring the Tomato

  1. Plugged my computer into a LAN port of my Tomato router.
  2. At the command prompt, typed:
    ipconfig /release
    ipconfig /renew

    (By this point, I had an internet connection. Try browsing to a website.)

  3. Browsed to http://192.168.1.1 to customize my settings.
  4. NOTE: Because of the UVerse router, I had to follow the instructions on this forum post to keep my connection from getting dropped every 10 minutes. This took me a LONG time to figure out. First I found the UVerse gateway IP address, by looking at Status->Overview->WAN->Gateway. Let’s say it’s 75.33.222.1. Then I entered this line on Administration->Scripts->Firewall:
    iptables -I INPUT -p UDP -i vlan1 --dport 68 --sport 67 --source 75.33.222.1 -j ACCEPT

    After that, I clicked save changes, and Reboot… to get the change to take effect.

D) Configuring OpenVPN server settings

Thanks to the TomatoVPN spinoff of Tomato, this part is not too bad at all.

You will need to generate several keys to use with the server: a Certificate Authority, a server public/private keypair, and Diffie-Hellman parameters. Then each client will also need its own public/private keypair. My suggestion is to generate all your keys on the same computer, and then transfer the public/private keypair to each individual client as needed.

So that means you first need to install OpenVPN on at least one of the client computers. The OpenVPN HOWTO is quite thorough.

Once the proper 4 files are generated, just copy and paste them into the textareas on the VPN Tunneling -> Server -> Server1 -> Keys page on your Tomato configuration site.
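Those four server-side files (ca.crt, server.crt, server.key, dh.pem) plus one client keypair, generated with plain openssl rather than the easy-rsa scripts the OpenVPN HOWTO uses, as an added example that is not from the original post: the function names, output file names, certificate CNs and the ext.cnf sections are my assumptions, and openssl is assumed to be on PATH. The second function is the check I would run before pasting anything into Tomato.

```shell
# Hypothetical helper, not from the original post: generates the CA, server
# keypair, DH parameters and one client keypair that the TomatoVPN Keys page
# asks for, using plain openssl instead of easy-rsa. Assumes openssl is on PATH.
# Usage: gen_vpn_pki <outdir> <client-name> [dh-bits]   (dh-bits defaults to 2048)
gen_vpn_pki() (
  out="$1"; client="$2"; dhbits="${3:-2048}"
  mkdir -p "$out" && cd "$out" || exit 1
  # Extended key usage sections so a client cert can never pose as the server
  cat > ext.cnf <<'EOF'
[server]
extendedKeyUsage = serverAuth
keyUsage = digitalSignature, keyEncipherment
[client]
extendedKeyUsage = clientAuth
keyUsage = digitalSignature
EOF
  # 1. Self-signed Certificate Authority; ca.key stays on the machine that signs
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=tomato-vpn-ca" -keyout ca.key -out ca.crt 2>/dev/null || exit 1
  # 2. Server keypair, signed by the CA with the [server] extensions
  openssl req -newkey rsa:2048 -nodes -subj "/CN=tomato-vpn-server" \
    -keyout server.key -out server.csr 2>/dev/null || exit 1
  openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 3650 -extfile ext.cnf -extensions server -out server.crt 2>/dev/null || exit 1
  # 3. Diffie-Hellman parameters (2048 bits takes a while; that is normal)
  openssl dhparam -out dh.pem "$dhbits" 2>/dev/null || exit 1
  # 4. Client keypair, signed by the CA with the [client] extensions
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$client" \
    -keyout "$client.key" -out "$client.csr" 2>/dev/null || exit 1
  openssl x509 -req -in "$client.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 3650 -extfile ext.cnf -extensions client -out "$client.crt" 2>/dev/null || exit 1
  rm -f server.csr "$client.csr"
)

# Check before pasting into Tomato: both certs must chain to ca.crt with the
# right purpose, and each private key must belong to its certificate.
check_vpn_pki() (
  cd "$1" || exit 1; client="$2"
  openssl verify -CAfile ca.crt -purpose sslserver server.crt >/dev/null 2>&1 || exit 1
  openssl verify -CAfile ca.crt -purpose sslclient "$client.crt" >/dev/null 2>&1 || exit 1
  for n in server "$client"; do
    [ "$(openssl x509 -noout -modulus -in "$n.crt")" = \
      "$(openssl rsa -noout -modulus -in "$n.key")" ] || exit 1
  done
)
```

Paste ca.crt, server.crt, server.key and dh.pem into the Tomato Keys page; the client gets ca.crt plus its own .crt and .key, and ca.key should never leave the signing machine.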