DD-WRT v24-sp2 VPN - GUI settings don't match setup guide

edited May 2015 in VPN Setup Support Posts: 6
Hello,

I'm running a WRT310N with v24-sp2 VPN version of DD-WRT, and as I started using the handy DD-WRT OpenVPN guide in client support, got to Step 9 and got stuck because there was no "Encryption Cipher" option. There was also no "Hash Algorithm" option, nor a NAT or Additional Config. I assume the instructions were written for a build of DD-WRT that has different features than mine, but I was hoping someone might have an older guide for getting my version to work. Failing that, what router can I purchase that will absolutely work as directed based on the instructions from the Client Support section? I am not looking to purchase one from FlashRouters because they cost roughly double what Amazon is charging for the same models.


EDIT: Including a screenshot of what my OpenVPN options are.

Comments

  • Posts: 4,013
    Download this and unzip it.
    https://www.privateinternetaccess.com/openvpn/openvpn.zip
    Open the ca.crt file in a text editor like notepad. Copy and paste the entire thing into the CA Cert field you see in your screenshot of your router.
  • Posts: 6
    Thanks Omni - I'm not actually at the point of adding the certs yet. I'm specifically asking about the following steps in the setup guide, which I do not appear to have settings for in DD-WRT build v24-sp2

    9. Set the Encryption Cipher to Blowfish CBC (Default).
    10. Set the Hash Algorithm to SHA1.
    12. Set the Advanced Options to Enabled.
    14. Set NAT to Enable.
    15. In the Additional Config enter the following

    I'm hoping that someone else has used v24-sp2 and can comment on how to proceed with a setup that is obviously outside of the guide provided in the client support area.
  • Posts: 4,013
    On a router you can only use SHA1, so you need not worry about that. And since you use port 1194, it will be Blowfish CBC anyway.

    As for the NAT, I see no option for that in your screenshot, but if you add the certificate, I bet it will start right up without any problem. Disregard the steps that seem different until something actually fails to work. Playing with it can often show you what was wrong much easier than finding instructions that perfectly match your exact model router and firmware.

    Do not hesitate to keep asking if something does not work. We can find a solution. And if not, the Asus AC68 series routers are the best for the price. You can flash Merlin firmware on them to make them even better and easier to use. Here is an old thread with loads of details on them, and other routers.
    https://www.privateinternetaccess.com/forum/discussion/2845/openvpn-router-speeds

    It is a big thread, but it has step by step guides for how to do many things.
  • Posts: 6
    Thanks, Omni.

    So I'm halfway to a solution; turns out that sure enough, the v24-sp2 GUI doesn't expose some of the advanced options even though they're supported. I SSH'ed into the device and the OpenVPN config had the following:

    client
    dev tun
    proto udp
    remote us-east.privateinternetaccess.com 1194
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    tun-mtu 1500
    tun-mtu-extra 32
    mssfix 1450
    ca /tmp/openvpncl/ca.crt
    cert /tmp/openvpncl/client.crt
    key /tmp/openvpncl/client.key
    comp-lzo

    So what would be extremely useful is if someone who has successfully followed the GUI setup in Client Support and is up and running could cat /tmp/openvpncl/openvpn.conf and then I can test with that. Assuming it works, I can just cat the differences between the one mine generates and what I need in the Administration>Startup command field so that my changes persist across device reboots.
  • edited May 2015 Posts: 6
    See post below
  • Posts: 6
    I finally got it to work after an afternoon of troubleshooting this. I really wish support had this information more handy. The following is what appears to be the "minimum" in the OpenVPN conf to make PIA work:

    client
    dev tun
    proto udp
    remote us-east.privateinternetaccess.com 1194
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    tun-mtu 1500
    tun-mtu-extra 32
    mssfix 1450
    ca /tmp/openvpncl/ca.crt
    comp-lzo
    auth-user-pass /tmp/password.txt
    persist-key
    persist-tun
    tls-client
    remote-cert-tls server

    Using this guide on adding scripts in DD-WRT, I have configured a script that will write this to the OpenVPN config in /tmp on wanup.
  • Posts: 4,013
    I am glad to hear it is working for you. And thank you for sharing the solution with the rest of us. I am sure it will help another with a similar problem.
  • Posts: 6
    UPDATE:

    For those of you who want a really braindead-simple solution and don't want to deal with big scripts in your startup, this holds a copy of a stable PIA config in NVRAM and will persist across reboots. Note that this will kill any customization you currently have in your startup, but if you just have the PIA stuff, this will properly replace it.

    Add your username/password where indicated in the script below, and then paste and save the following as a "Custom Script" (in Administration>Commands)

    #!/bin/sh
    # Unset the GUI's OpenVPN settings (every NVRAM variable whose "nvram show" line mentions openvpn)
    for i in `nvram show|grep openvpn|cut -d '=' -f1`; do nvram unset $i; done
    # rc_startup runs at every boot: rebuild /tmp/ovpn from the NVRAM copies, install the wanup hook, start OpenVPN
    nvram set rc_startup='mkdir /tmp/ovpn
    cd /tmp/ovpn
    nvram get ovpn_up>up
    nvram get ovpn_dn>dn
    chmod +x up dn
    nvram get ovpn_cfg>piavpn.conf
    mkdir -p /tmp/etc/config
    echo -e "#!/bin/sh\nkillall openvpn\nping -c4 localhost\nopenvpn --daemon --config /tmp/ovpn/piavpn.conf">/tmp/etc/config/ovpn.wanup
    chmod +x /tmp/etc/config/ovpn.wanup
    echo -e "PIA_USERNAME_GOES_HERE\nPIA_PASSWORD_GOES_HERE"> /tmp/ovpn/pass
    openvpn --daemon --config piavpn.conf'
    nvram set ovpn_cfg='client
    dev tun
    proto udp
    remote us-east.privateinternetaccess.com 1194
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    tun-mtu 1500
    tun-mtu-extra 32
    mssfix 1450
    comp-lzo
    auth-user-pass /tmp/ovpn/pass
    persist-key
    persist-tun
    tls-client
    remote-cert-tls server
    route-up "/tmp/ovpn/up"
    down "/tmp/ovpn/dn"

    <ca>
    -----BEGIN CERTIFICATE-----
    MIID2jCCA0OgAwIBAgIJAOtqMkR2JSXrMA0GCSqGSIb3DQEBBQUAMIGlMQswCQYD
    VQQGEwJVUzELMAkGA1UECBMCT0gxETAPBgNVBAcTCENvbHVtYnVzMSAwHgYDVQQK
    ExdQcml2YXRlIEludGVybmV0IEFjY2VzczEjMCEGA1UEAxMaUHJpdmF0ZSBJbnRl
    cm5ldCBBY2Nlc3MgQ0ExLzAtBgkqhkiG9w0BCQEWIHNlY3VyZUBwcml2YXRlaW50
    ZXJuZXRhY2Nlc3MuY29tMB4XDTEwMDgyMTE4MjU1NFoXDTIwMDgxODE4MjU1NFow
    gaUxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJPSDERMA8GA1UEBxMIQ29sdW1idXMx
    IDAeBgNVBAoTF1ByaXZhdGUgSW50ZXJuZXQgQWNjZXNzMSMwIQYDVQQDExpQcml2
    YXRlIEludGVybmV0IEFjY2VzcyBDQTEvMC0GCSqGSIb3DQEJARYgc2VjdXJlQHBy
    aXZhdGVpbnRlcm5ldGFjY2Vzcy5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
    AoGBAOlVlkHcxfN5HAswpryG7AN9CvcvVzcXvSEo91qAl/IE8H0knKZkIAhe/z3m
    hz0t91dBHh5yfqwrXlGiyilplVB9tfZohvcikGF3G6FFC9j40GKP0/d22JfR2vJt
    4/5JKRBlQc9wllswHZGmPVidQbU0YgoZl00bAySvkX/u1005AgMBAAGjggEOMIIB
    CjAdBgNVHQ4EFgQUl8qwY2t+GN0pa/wfq+YODsxgVQkwgdoGA1UdIwSB0jCBz4AU
    l8qwY2t+GN0pa/wfq+YODsxgVQmhgaukgagwgaUxCzAJBgNVBAYTAlVTMQswCQYD
    VQQIEwJPSDERMA8GA1UEBxMIQ29sdW1idXMxIDAeBgNVBAoTF1ByaXZhdGUgSW50
    ZXJuZXQgQWNjZXNzMSMwIQYDVQQDExpQcml2YXRlIEludGVybmV0IEFjY2VzcyBD
    QTEvMC0GCSqGSIb3DQEJARYgc2VjdXJlQHByaXZhdGVpbnRlcm5ldGFjY2Vzcy5j
    b22CCQDrajJEdiUl6zAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBAByH
    atXgZzjFO6qctQWwV31P4qLelZzYndoZ7olY8ANPxl7jlP3YmbE1RzSnWtID9Gge
    fsKHi1jAS9tNP2E+DCZiWcM/5Y7/XKS/6KvrPQT90nM5klK9LfNvS+kFabMmMBe2
    llQlzAzFiIfabACTQn84QLeLOActKhK8hFJy2Gy6
    -----END CERTIFICATE-----
    </ca>
    '
    nvram set ovpn_up='iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
    '
    nvram set ovpn_dn='iptables -t nat -D POSTROUTING -o tun0 -j MASQUERADE
    '
    nvram commit

    Once saved, then paste the following and click "Run Commands"
    sh /tmp/custom.sh

    What this is doing is creating a custom script that sets a couple of values in NVRAM (Non-volatile, meaning it persists across router reboots). The first value is "rc_startup" which is the system startup commands that you can see in the Administration>Commands dialog. The next is "ovpn_cfg" and represents the config file OpenVPN should use. The last two are ovpn_up and ovpn_down, and are commands that OpenVPN uses when it starts and stops - in our case, just making a change to iptables to ensure that traffic properly flows through your OpenVPN connection when it starts, and works as a normal router when you turn off OpenVPN. You will need to have about 2,000 bytes free in NVRAM to store this, but all of my devices had enough space and are 4+ years old.

    Reboot your router and OpenVPN should be connected to PrivateInternetAccess in about 2 minutes.
  • Posts: 1
    Hello all.

    Let me start by saying I'm a total noob with regard to OpenVPN and *nix based systems in general so please be patient with me.

    I've followed Deadbeef's directions on my DD-WRT (Kong 22000M VPN version) and enabled the OpenVPN client selection on the Services/VPN tab but I am still not seeing the OpenVPN connection. I'm not seeing any information on the Status/OpenVPN tab which should give me something if this is properly configured and connected, yes?

    Thanks for any help/suggestions you may have.

    Duke
  • DEADBEEF,

    I used your script today on my WRT310N. Worked great! Thanks!

    Starting with the default settings, plus some basic setting to get it working on my network I needed to use the telnet connection to create the script and run it.

    Just an FYI to others using it. You will not see any of the settings on the WebUI side, so don't really trust that for confirmation, but after waiting 2 minutes the VPN connection becomes active - I could see that I was VPNd by confirming it with other websites and services.

    Thanks again!
  • CTA
    edited May 2016 Posts: 1
    DEADBEEF said:
    UPDATE:

    For those of you who want a really braindead-simple solution and don't want to deal with big scripts in your startup, this holds a copy of a stable PIA config in NVRAM and will persist across reboots. Note that this will kill any customization you currently have in your startup, but if you just have the PIA stuff, this will properly replace it.

    Thanks for posting this. Unfortunately, it didn't work for me. Waiting two minutes or longer resulted in the inability to get any WAN traffic whatsoever.

    Here's what I'm using:
    Router Model: Netgear WNDR4300
    Firmware Version: DD-WRT v24-sp2 (03/25/13) std - build 21061


    After pasting in the script with my username and password, saving it, and running the command with sh /tmp/custom.sh, the dialog prints:
    "size: 29048 bytes (36488 left)"
    I can see that a startup script has been created.

    Upon rebooting the router, I simply cannot communicate over the WAN.
  • Posts: 8
    Hey DEADBEEF, sorry if this is a stupid question but when you say "turn it on or turn it off" are you just talking about turning off OpenVPN Client in the DD-WRT control panel?

    I'm just curious if leaving that custom script will be fine if you disable OpenVPN.  
  • Hi DEADBEEF, after a few mods for my particular IPVanish circumstances this script is running really well, so thank you.

    Being a bit of a newbie, and similar to the last poster, I was just wondering how one takes the VPN down (and brings it back up) manually. Are there shell commands that can be run? 
    Thanks

  • Just copied and pasted the script into my router using the dd-wrt openvpn edition and it works flawlessly. Just wanted to say thank you for this information and helpful post on this topic!