How to set up a secure VPN Router for under $70.00 USD
Posted: 2007-07-05
Just finished this one and it took about two days to go from zip to a fully-functioning Linksys VPN router with a 2048-bit key. So I present this abridged version to you; it'll probably take about an hour and a lot less coffee and cursing.
Step 1: Set up your router.
First, you're going to need to set up the OpenVPN server. In this case, I used a Linksys WRT54GL ($62.99 on NewEgg); however, you can also use a WRT54G as long as the hardware version is before 5.0. To check the hardware version on the WRT54G box, refer to the methods here.
Once you've got your new router all shiny and new, it's time to flash it with third-party firmware. Firmware is software programmed into non-volatile memory. That means it sticks around even after a reboot. For my setup, I used DD-WRT version 23 sp2 with VPN (found here under the downloads, then stable sections). Follow the steps in the documentation to flash your router with that firmware.
Step 2: Generate a Static Key.
Now, here's where I had to enlist the help of my trusty Parallels-run Windows XP machine. If you have access to a Windows XP machine, download and install the OpenVPN client (found here), then click on the Start button, All Programs, OpenVPN, then Generate A Static OpenVPN Key. That will create a file in the "C:\Program Files\OpenVPN\config" folder named "key.txt". Copy that file (via USB or other secure method not involving a network connection) onto your computer. That file contains your key, which is what the server and client will use to authenticate. You wanna keep that safe for later.
Step 3: Customize and initialize OpenVPN Server
Now that you have your key, it's time to put it to good use. Copy the below text:

    openvpn --mktun --dev tap0
    brctl addif br0 tap0
    ifconfig tap0 0.0.0.0 promisc up
    echo "
    -----BEGIN OpenVPN Static key V1-----
    INSERT YOUR KEY HERE!
    -----END OpenVPN Static key V1-----
    " > /tmp/static.key
    ln -s /usr/sbin/openvpn /tmp/myvpn
    /tmp/myvpn --dev tap0 --secret /tmp/static.key --comp-lzo --port 1194 --proto tcp-server --verb 3 --daemon

into a blank Notepad or TextEdit file. Now, take note of the "INSERT YOUR KEY HERE!" field. Remember that key you generated? You get the idea. Open key.txt in Notepad and copy the key lines (the ones between the BEGIN and END lines) into the script in place of the "INSERT YOUR KEY HERE!" placeholder.
Now, copy and paste your brand spanking new startup script (what we did in the new notepad file) into the commands box in the DD-WRT firmware. This means you must be logged into your router firmware and in the DD-WRT interface. The commands box can be found under the Administration tab and the Commands subtab. Once it's pasted into the box, scroll down and click on the "Save Startup" button. This will save the script so it executes every time your router reboots. Now, copy this:

    iptables -I INPUT 1 -p tcp --dport 1194 -j ACCEPT

into the commands box once the page has reloaded and click the "Save Firewall" button. That sets up a rule in the firewall on your router so it'll let you connect from outside your network. Reboot your router.
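Pasting the key by hand in Step 3 is the easiest place to lose a line or pick up Windows line endings, so here is an added example (not from the original post or the DD-WRT wiki) that checks key.txt and prints the finished startup script, to be run on your own computer rather than on the router. The function names check_static_key, make_startup_script and sample_key are made up for this sketch, and it assumes the standard static key layout of 16 lines of 32 hex digits (2048 bits) between the BEGIN and END lines.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# check_static_key FILE: succeeds only if FILE holds one complete 2048-bit
# static key: BEGIN line, 16 lines of 32 hex digits, END line.
check_static_key() {
    awk '
        { sub(/\r$/, "") }                 # tolerate Windows (CRLF) line endings
        /^#/ || /^$/ { next }              # skip comment and blank lines
        /^-----BEGIN OpenVPN Static key V1-----$/ {
            if (inkey || closed) bad = 1; inkey = 1; next }
        /^-----END OpenVPN Static key V1-----$/ {
            if (!inkey) bad = 1; inkey = 0; closed = 1; next }
        inkey && /^[0-9a-fA-F]+$/ && length($0) == 32 { n++; next }
        { bad = 1 }                        # anything else means a mangled file
        END { exit !(closed && !inkey && !bad && n == 16) }
    ' "$1"
}

# make_startup_script FILE: prints the Step 3 startup script with the key from
# FILE embedded; prints an error and returns 1 if the key file is not valid.
make_startup_script() {
    check_static_key "$1" || { echo "invalid static key: $1" >&2; return 1; }
    key=$(tr -d '\r' < "$1" | grep -v -e '^#' -e '^$')
    cat <<EOF
openvpn --mktun --dev tap0
brctl addif br0 tap0
ifconfig tap0 0.0.0.0 promisc up
echo "
$key
" > /tmp/static.key
ln -s /usr/sbin/openvpn /tmp/myvpn
/tmp/myvpn --dev tap0 --secret /tmp/static.key --comp-lzo --port 1194 --proto tcp-server --verb 3 --daemon
EOF
}

# sample_key: prints a CONSTRUCTED, non-secret key file for trying the above.
sample_key() {
    printf '#\n# 2048 bit OpenVPN static key\n#\n'
    printf '%s\n' '-----BEGIN OpenVPN Static key V1-----'
    i=0
    while [ "$i" -lt 16 ]; do
        echo 00112233445566778899aabbccddeeff; i=$((i + 1))
    done
    printf '%s\n' '-----END OpenVPN Static key V1-----'
}
```

The printed script contains the key, so treat the output file with the same care as key.txt itself.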
Step 4: Configure your OpenVPN client
Now, this step is tricky. Basically, you want your client to use this config file:

    # Use the following for simple connections:
    remote XXXX.dyndns.org
    port 1194
    dev tap
    secret static.key
    proto tcp-client
    comp-lzo

Also, don't forget to rename that static key file to "static.key" and place it in the folder where your OpenVPN client looks for the static key. In my case, since I used TunnelBlick, I put it in the ~/Library/openvpn directory.
Step 5: Connect!
For this step, you'll need to get out of your house and off your network. The easiest way to do this (assuming you have a laptop of course), is to head to the nearest Starbucks or your favorite local coffee house and use their wifi (also, be nice and buy a cup of coffee. It helps pay for that wireless you're using). Open your VPN client and connect to your VPN. It should work the first time without any problems.
Congratulations! You just set up a secure VPN for only the cost of a router (if you didn't already have one) and about an hour of your time!
For more reading, and an admittedly longer and more in-depth setup guide, check out the OpenVPN setup Wiki, courtesy of DD-WRT at this link. (All script samples taken from the OpenVPN - WRT Wiki and available under the GNU Free Documentation License 1.2).