My Profile Photo

chris.heald.me


My personal blog. Software, devops, security, music, and general nerditry.


Mobile and secure - setting up OpenVPN with DD-WRT and Android

So, with all the hubbub about Firesheep lately, and the fact that I’m becoming more mobile in my computing, I figured that it was time for me to get a VPN set up. I didn’t want to pay for one, and hey, it turns out that I have all the tools I need to manage my own.

Like any good geek, I’m running a WRT54G with the aftermarket DD-WRT firmware. This is handy, since DD-WRT supports OpenVPN right out of the box, so to speak.

I have two targets I’d like to secure: My laptop (running Windows 7) and my Nexus One (running Cyanogen Mod 6.1).

Setting up OpenVPN on the router

This is straightforward and easily culled from online resources. Assuming you’re running DD-WRTv24, it’s dead simple to get up and running. I’ll be using a Fedora 11 box for certificate and key generation.

Install OpenVPN

yum install openvpn

Set up the key generation environment and generate a Certificate Authority cert

cd /usr/share/openvpn/easy-rsa/2.0
source ./vars
./clean-all
./build-dh
./build-ca

Provide whatever information you’d like for the cert, but set the Common Name to something usable, like “OpenVPN CA”.

Generate a certificate and key for your OpenVPN server (DD-WRT, in this case)

./build-key-server server

Provide whatever information you’d like for the cert, but set the Common Name to something usable, like “OpenVPN Server”.

Install the certificates and keys to the OpenVPN server

  1. In your DD-WRT install, go to Services -> VPN
  2. Set OpenVPN Daemon -> Start OpenVPN to “enable”
  3. Set Start Type to “WAN Up”
  4. Copy the contents of your ca.crt into “Public Server Cert”
  5. Copy the key bits of your server.crt into Public Client Cert. It looks something like this:

     -----BEGIN CERTIFICATE-----
     MIIDnjCCAwegAwIBAgIBATANBgkqhkiG9w0BAQUFADB0MQswCQYDVQQGEwJVUzEL
     MAkGA1UECBMCQVoxEDAOBgNVBAcTB1Bob2VuaXgxEDAOBgNVBAoTB09wZW5WUE4x
     ...
     i1fFhoNuFxC2z3D+Otg1SuBvA6v/zENRMTPduAr163G105brjN2BiAyEcTjxsqfl
     c6H57iwLaoyxxiJZVYx2WBYX0+13qf/jPoCd/IkCDnOv64R+8z4stgQlAUmNlNLU
     J/8BjCn+3FmA7uosamYi3bsW
     -----END CERTIFICATE-----
    

Be sure to include the BEGIN and END lines.

  1. Copy the contents of server.key into “Private Client Key”
  2. Copy the contents of dh1024.pem into “DH PEM”
  3. Copy something like the following into “OpenVPN config”:

     push "route 192.168.1.0 255.255.255.0"
     server 192.168.66.0 255.255.255.0
    
     dev tun0
     proto udp
     keepalive 10 120
     dh /tmp/openvpn/dh.pem
     ca /tmp/openvpn/ca.crt
     cert /tmp/openvpn/cert.pem
     key /tmp/openvpn/key.pem
     management localhost 5001
    

The “push” line should be the subnet of your local network (“192.168.1.0 255.255.255.0” means “all addresses between 192.168.1.1 and 192.168.1.255), and the “server” line should be the subnet of your new virtual network. In most cases, these defaults should work just fine.

  1. Click “Save”
  2. Go to Administration -> Commands
  3. Enter the following:

     iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT
     iptables -I FORWARD 1 --source 192.168.66.0/24 -j ACCEPT
    
     iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
     iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
    
  4. Click Save Firewall
  5. Go to Administration -> Management, then click Reboot Router

Now, it’s time to configure our clients.

Generate certificates for the laptop and phone

./build-key laptop
./build-key phone

Package relevant certificates into a .p12 file for the phone

Android can import .p12 files, which consist of a root certificate, client certificate, and client key. We already have those three, so we just need to package them up.

cd /usr/share/openvpn/easy-rsa/2.0/keys
openssl pkcs12 -export -in phone.crt -inkey phone.key -certfile ca.crt -name "Phone VPN" -out phone.p12

Once that’s done, copy the .p12 file to the root of your phone’s SD card. To install it, you’re going to go to Settings -> Location and Security -> Install from SD Card. Just follow the steps - the import should find your .p12 file and import your certificates. You’ll be asked to create a certificate storage password if you haven’t imported any certificates before. Do so.

Configure the phone VPN

  1. Go to Settings -> Wireless & Networks -> VPN Settings
  2. Click Add VPN
  3. Select Add OpenVPN VPN
  4. Set a name for your network (I chose “home”)
  5. Under Set VPN Server you need to set your router’s WAN address. The easiest way to do this is to use something like DynDNS to get a host name to map to your IP address, but this is a topic for another post.
  6. Set the CA and user certificates to the certificates you just imported
  7. Hit the back button and connect! Your phone should now be using your VPN, and you can connect to public wifi with it with impunity.

Configuring the Windows VPN

  1. Grab the client download from openvpn.net and install it.
  2. Once installed, open a text editor. We have to create our VPN config file manually, but it’s not much of an issue to do so.
  3. Create a file in C:\Program Files (X86)\OpenVPN\config (or equivalent) called home.ovpn. In it, paste the following:

     remote xxx.homedns.org 1194
     client
     remote-cert-tls server
     dev tun0
     proto udp
     resolv-retry infinite
     nobind
     persist-key
     persist-tun
     float
     route-delay 30
     ca ca.crt
     cert laptop.crt
     key laptop.key
    

Save it. Be sure to replace the hostname in the first line with your home hostname or IP.

  1. You probably noticed the certificate key references in the config file. Copy the laptop.crt, laptop.key, and ca.crt files you generated earlier into the same directory as the home.ovpn file
  2. Start the OpenVPN GUI. I had to run it as an administrator to get it to work properly.
  3. Double-click the tray icon and hit Connect. After a few seconds, your machine should be connected to your VPN, and the systray will notify you of your new virtual IP.

Congrats, that’s all there is to it! You can now route all your mobile traffic securely through your home connection, and rest assured that it’s safe from prying eyes. In my case, I get some extra benefits like being able to access my development servers and Samba shares without any extra hassle - definitely a nice perk!

Enjoy, and be secure!

comments powered by Disqus