Okay, this was harder than it should have been. Tons of information on the internet, NONE of it in one place. Why, SpongeBob, why?
This is a tutorial done on a Linksys WRT3200ACM with BrainSlayer DD-WRT dated May 27, 2017, and I'm doing this from a Mac. If you are doing this from Windows or Linux you need to ask Mr. Google what to do.
First we need a program called Tunnelblick. Download and install it.
Now we need to make some encryption keys. Type the following in your Terminal program, and make sure you replace "john" with your own macOS username.
$ cd /Users/john/Library/Application\ Support/Tunnelblick/easy-rsa
Or let me show you a cool Mac trick. Go in Finder to the Library path above. Open Terminal, type cd and add a space, then highlight and drag the easy-rsa folder into the Terminal window. It fills out that long complicated path for you.
We'll do some housework in the vars file by changing our location details and setting up a 2048-bit key.
$ sudo nano vars
Scroll down a bit until you find the key size setting and change the 1024 to 2048:
export KEY_SIZE=1024
becomes
export KEY_SIZE=2048
A little further down, where it says "These are the default values for fields", fill in the location and organization information to match your certificate. Make sure the lines are uncommented (if they are commented out) by removing the # in front of the word export.
Once that is done hit CTRL+X and then Y to save, then run the following commands.
$ . vars
$ ./clean-all
This will create (and empty) a directory called "keys", which is where the server and client keys you need to pull this off will end up.
$ ./pkitool --initca
The command above will make your ca.crt and ca.key files.
$ ./build-key-server server
This makes your server.crt and server.key files.
$ ./build-dh
This makes your Diffie-Hellman parameters (dh2048.pem, since we set KEY_SIZE to 2048), which OpenVPN uses for the TLS handshake.
$ ./build-key john
This makes your client keys. You can name this anything you want: john, jane, phone, computer, mom, whatever.
The files shown in the keys directory are the ones you'll need for configuring DD-WRT OpenVPN. You won't have a "config" directory; I made that for convenience.
Now go to "Services > VPN > OpenVPN Server / Daemon" and configure as below.
Add your keys by right clicking on each file, choosing Open With "Text Editor", and copying everything between the Begin Certificate and End Certificate lines, including those two lines with all the dashes. The .crt files from easy-rsa also contain a human-readable dump above the Begin Certificate line; leave that part out.
Paste these four fields in the corresponding boxes.
Public Server Cert = server.crt
CA Cert = ca.crt
Private Server Key = server.key
DH PEM = dh2048.pem
In Additional Config add the following:
keepalive 10 120
push "redirect-gateway def1"
Now we need to set up our client configuration. Open TextEdit, make sure you are making a plain text document, and paste in the following. Make sure the fifth line (remote) points to your DDNS hostname or your static IP address (if your ISP gives you one). Make sure the three lines about the certs match the names of your certs as well. Mine are john.crt and john.key; yours could be phone.crt or whatever. Also note that I have changed the VPN port from 1194 to 1195. It never hurts to take a service and move it to another port. Does that make you foolproof from hacking? No, but it's another layer somebody has to punch through. Make it harder.
client
dev tun0
proto udp
float
remote yourddnswebsite.com 1195
remote-cert-tls server
tls-cipher TLS-RSA-WITH-AES-256-CBC-SHA256
cipher aes-256-cbc
auth sha1
ca ca.crt
cert john.crt
key john.key
comp-lzo adaptive
keepalive 15 60
resolv-retry infinite
nobind
redirect-gateway def1
Save this file and call it
and place it in a directory called HomeVPN with the following other files (or whatever you named your client keys)
Now rename the folder from HomeVPN to HomeVPN.tblk.
That will place the 4 files into one container.
You can now double click this container file to import it into Tunnelblick. After configuring your firewall (next) you should be good to go with your OpenVPN server.
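Two of the steps above are fiddly by hand: pulling just the Begin/End Certificate block out of each easy-rsa file for the DD-WRT boxes, and assembling the client config with the right hostname, port and cert names. Here is an added Python example (not from the original post) that does both; it goes one step beyond the post by inlining the three PEM blocks into a single .ovpn using OpenVPN's <ca>/<cert>/<key> tags, which Tunnelblick and the OpenVPN iOS app both accept. The sample certificate and key text is constructed, not real key material.

```python
"""Assemble an OpenVPN client profile from easy-rsa output (added example)."""
import re
# One PEM block with its BEGIN/END lines. easy-rsa .crt files also carry a
# human-readable dump above the block, which must NOT be pasted into DD-WRT.
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n.*?-----END \1-----", re.DOTALL)

# Constructed stand-ins for john.crt / ca.crt and john.key: the base64 bodies
# are placeholders, not real key material.
SAMPLE_CRT = """Certificate:
        Subject: C=US, CN=john
-----BEGIN CERTIFICATE-----
MIIC...constructed-placeholder...
-----END CERTIFICATE-----
"""
SAMPLE_KEY = "-----BEGIN RSA PRIVATE KEY-----\nMIIE...placeholder...\n-----END RSA PRIVATE KEY-----\n"

# The client options from the post; the file-based ca/cert/key lines are
# replaced by inline <ca>/<cert>/<key> blocks appended by build_profile().
CLIENT_TEMPLATE = """client
dev tun0
proto udp
float
remote {remote} {port}
remote-cert-tls server
tls-cipher TLS-RSA-WITH-AES-256-CBC-SHA256
cipher aes-256-cbc
auth sha1
comp-lzo adaptive
keepalive 15 60
resolv-retry infinite
nobind
redirect-gateway def1
"""

def extract_pem(text: str, kind: str = "CERTIFICATE") -> str:
    """First PEM block whose label contains `kind`, BEGIN/END lines included."""
    for m in PEM_RE.finditer(text):
        if kind in m.group(1):
            return m.group(0).replace("\r\n", "\n")
    raise ValueError(f"no {kind} block found")  # e.g. a .key passed as a cert

def build_profile(remote: str, port: int, ca: str, cert: str, key: str) -> str:
    """One .ovpn with the three PEM blocks inlined instead of four files."""
    if not 1 <= port <= 65535 or not remote or " " in remote:
        raise ValueError("bad remote/port")
    cfg = CLIENT_TEMPLATE.format(remote=remote, port=port)
    for tag, pem in (("ca", ca), ("cert", cert), ("key", key)):
        cfg += f"<{tag}>\n{pem}\n</{tag}>\n"
    return cfg
```

Call build_profile("yourddnswebsite.com", 1195, extract_pem(ca_text), extract_pem(client_crt_text), extract_pem(client_key_text, "PRIVATE KEY")) with the contents of your real files and write the result to a .ovpn; the private key is inside it, so treat that file like the .key itself.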
If you have an iPad or iPhone, download the OpenVPN app, then connect your phone or iPad to iTunes to sync. Go to "Apps", scroll down the Apps page to the "File Sharing" section, and click on the OpenVPN app. Drag those 4 files in and sync again.
Now when you open the OpenVPN app it will ask you if you want to import the connection. It'll be ready to roll after we complete the following steps.
Now set up the firewall:
Go to "Administration > Commands", insert the following, then click on "Save Firewall". The --dport here must match the port you set on the OpenVPN server page (1195 in this guide).
iptables -I INPUT 1 -p udp --dport 1195 -j ACCEPT
iptables -I INPUT 3 -i tun0 -j ACCEPT
iptables -I FORWARD 3 -i tun0 -o tun0 -j ACCEPT
iptables -I FORWARD 1 --source 10.8.0.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
One final step: let's set up DDNS. This lets you find your OpenVPN server even when your ISP changes your IP address. If your ISP assigns you a static IP address you don't need to do this.
There are a multitude of free DDNS services out there. In this instance I used NoIP.com; another favorite of mine is DuckDNS. With DD-WRT, NoIP is in the drop-down list, which makes it a little easier to configure. The only bad thing about NoIP is that you have to confirm once a month that you are still using the hostname. They send an email, and you update it. No biggie, but a pain sometimes.
Once you create an account you can make a hostname, like yourlastname.ddns.net, or bigpoodleinthesky.ddns.net, or whatever. Now go to "Setup > DDNS" (the DDNS page) and fill in your account name, password, and hostname. When you click Apply it should say it updated successfully.
You should now be able to connect to your OpenVPN instance from an outside network. Congrats.