This weekend, I put a Linksys WRT54G at my sister’s apartment to enable her(and her boyfriend) to share the internet connection. No big deal off course but I also thought it would be nice if the router could act as an OpenVPN client so my network and her network would be securely connected through the VPN. This enables her to pop mail from our mailserver in a secure manner and it enables me to give some remote support by VNC-ing to her computer.

So how to do this?

1. Upload DD-wrt’s latest ‘VPN’ firmware build for the WRT 54G
2. Generate certificates for the WRT router on the central server (a linux box at my home network in this case which hosts the PKI)
3. Add the following to the central server OpenVPN conf file: route 192.168.10.0 255.255.255.0
4. Create a ccd file with the same filename as the name you chose for the WRT during certificate setup and put the following in the file: iroute 192.168.10.0 255.255.255.0
5. Make sure the WRT syncs its time through NTP. Otherwise certs might be detected as invalid!
6. Paste these certs in the web interface of the DD-WRT and do the basic configuration through the webinterface.
7. Adapt openvpn.conf to my specific setup by enabling the following in the DD-WRT startupscript:

   sleep 20
   echo "auth SHA1" >> /tmp/openvpn/openvpn.conf
   echo "cipher AES-256-CBC" >> /tmp/openvpn/openvpn.conf
   killall openvpn
   openvpn --config /tmp/openvpn/openvpn.conf --route-up /tmp/openvpn/route-up.sh \\
   --down /tmp/openvpn/route-down.sh --daemon

8. Adapt the firewall script to disable natting and accept traffic for the OpenVPN interface on the WRT. Real firewalling will be done on the central linux box

   iptables -t filter -I FORWARD -i tun0 -j ACCEPT
   iptables -t filter -I FORWARD -o tun0 -j ACCEPT
   iptables -t filter -I INPUT -i tun0 -j ACCEPT
   iptables -t filter -I OUTPUT -o tun0 -j ACCEPT
   iptables -t nat -I POSTROUTING -o tun0 -j ACCEPT
   iptables -t nat -I PREROUTING -o tun0 -j ACCEPT

9. Done! Both networks are now interconnected!

It took me some time to get it up and running Saturday but I think that the little hangover I had from a fine party I attended Friday night in Leuven was to blame for that (damn you Cristal beer )