John's Musings

Yeah, Me Neither


Okay this is harder than it should have been. Tons of information on the internet, NONE of it in one place. Why, SpongeBob, why?

This is a tutorial done on a Linksys WRT3200ACM with BrainSlayer DD-WRT dated May 27, 2017. And I'm doing this from a Mac. If you are doing this from Windows or Linux you need to ask Mr. Google what to do.

First we need a program called Tunnelblick. Download and install it.

Now we need to make some encryption keys. Type the following in your Terminal program. And make sure you replace "john" with whatever your path name is.

$ cd /Users/john/Library/Application\ Support/Tunnelblick/easy-rsa

Or let me show you a cool Mac Trick. Go in Finder to the Library path above. Open Terminal and type cd and add a space. Then highlight and drag the easy-rsa folder into the terminal. It fills out that long complicated path for you.

We'll do some housework in the vars file by changing our locations and setting up a 2048 bit key.

Now type:

sudo nano vars

Now adjust the following parameters regarding your location and change the 1024 to 2048 as per the example below. Scroll down a bit until you find this section. Then change:

export KEY_SIZE=1024 to export KEY_SIZE=2048

A little further down where it says "These are the default values for fields" Fill in the information to match your key best. Make sure to uncomment the lines (if they are commented out) by removing the # in front of the word export.

Once that is done hit CTL +X and Y to save then run the following commands.

$ . vars
$ ./clean-all

This will create a directory called "keys" which will create server and client keys that you need to pull this off.

$ ./pkitool --initca

The command above will make your ca.crt and ca.key files

$ ./build-key-server server

This makes your server.crt and server.key files

$ ./build-dh

This makes your SSL/TLS parameters.

$ ./build-key john

This makes your client keys. You can name this anything you want. john, jane, phone, computer, mom, whatever.

The files circled are the ones you'll need for configuring DD-WRT OpenVPN. You won't have a "config" directory. I did that for convenience.

Now go to "Services > VPN > OpenVPN Server / Daemon and configure as below.

Add your keys by right clicking on them and Open With "Text Editor" and copy the contents between these two lines and make sure to include the Begin Certificate and End Certificate lines with all the dashes as well:


All the crap between these lines.


Paste these four fields in the corresponding boxes.

Public Server Cert = server.crt

CA Cert = ca.crt

Private Server Key = server.key

DH PEM = dh2048.pem

WHOOPS GOT THE CA Cert Field Copied Twice. Ignore please.

In Additional Conig add the following

dev tun0

keepalive 10 120

push "redirect-gateway def 1"

Now we need to set up our client certificate. Add the following by opening Text Edit. Make sure you are making a plain text doc and paste in the following. Make sure on the fifth line this points to your ddns server or static IP address (if your ISP gives you one). Make sure the three lines about the certs match the name of your certs as well. Mine are john.crt and john.key. Remember yours could be phone.crt or whatever. Also note that I have changed the VPN port from 1194 to 1195. It never hurts to take a service and move it to another port. Does that make you foolproof from hacking? No but it's another layer somebody has to punch through. Make it harder.

dev tun0
proto udp
remote 1195
remote-cert-tls server
tls-cipher TLS-RSA-WITH-AES-256-CBC-SHA256 
cipher aes-256-cbc
auth sha1
ca ca.crt
cert john.crt
key john.key
comp-lzo adaptive 
keepalive 15 60
resolv-retry infinite
redirect-gateway def1

Save this file and call it


and place it in a directory called HomeVPN with the following other files (or whatever you named your client keys)




Now rename the folder from HomeVPN to HomeVPN.tblk

That will place the 4 files into one container.

You can now double click this container file to import into Tunnelblick. After configuring your firewall you should be good to go with your OpenVPN server.

If you have an iPad or iPhone download the OpenVPN app, then connect your phone or iPad to iTunes to sync. Go to "Apps" and scroll down the Apps page to the "File Sharing" section and then click on the OpenVPN app. Drag those 4 files in and sync again.

Now when you open the OpenVPN app it will ask you if you want to import the connection. It'll be ready to roll after we complete the following steps.

Now set up the firewall:

Go to "Administration > Commands" and insert the following then click on "Save Firewall"

iptables -I INPUT 1 -p udp --dport 1195 -j ACCEPT
iptables -I INPUT 3 -i tun0 -j ACCEPT
iptables -I FORWARD 3 -i tun0 -o tun0 -j ACCEPT
iptables -I FORWARD 1 --source -j ACCEPT
iptables -t nat -A POSTROUTING -s -j MASQUERADE
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT

One final step. Let's set up DDNS. This allows you to be able to find your OpenVPN server even when your ISP changes your IP address. If your ISP assigns a static IP address you don't need to do this.

There are a multitude of free DDNS servers out there. In this instance I used Another favorite of mine is DuckDNS. With DD-WRT NoIP is in the drop down list which makes it a little easier to configure. Only bad thing about NoIP is that you have to confirm once a month that you are still using the DDNS. They send an email, and you update it. No biggie but a pain sometimes.

Once you create an account you can make a hostname, like, or or whatever. Now go to Server > DDNS and fill in your account name, password, and hostname. When you click Apply it should say it updated successfully.

You should now be able to connect to your OpenVPN instance from an outside network. Congrats.