Tutorial: Connect to Access Server With a Connection Profile on DD-WRT
You can connect a network to Access Server using DD-WRT and a connection profile (.ovpn file).
Overview
Many users have expressed interest in using DD-WRT or related routers to connect to the Access Server. While router processing power and memory may limit this method, it could be useful in cases where convenience is required over high throughput.
Note
Consider this tutorial educational and informational. We are not responsible for any damages you incur using these instructions. For technical support, you should contact the router supplier or the appropriate community forums.
An installed Access Server.
A router with DD-WRT installed.
The latest firmware installed on the router (recommended).
Admin Web UI access.
Sign in to the Admin Web UI.
Click User Management > User Permissions.
Create a new user account by entering a New Username.
Set the password by clicking More Settings and entering it in the password field.
Tip
If you don't have a password field, check your authentication method. Local authentication provides password management in the Admin Web UI. If you're using LDAP, RADIUS, or SAML, you must create a user with your identity provider.
Sign in to the Client Web UI with your new user account.
Download an auto-login connection profile based on your Access Server version.
A .ovpn file downloads.
Open the file with an editor, such as Notepad. You'll copy the CA Cert, Public Client Cert, and Private Client Key from the connection profile and paste them into your DD-WRT configuration in step 5.
Open your router configuration.
Click the Setup tab.
Under Time Settings, set NTP Client to Enable.
Ensure the Server IP / Name is set with the proper time server.
Tip
If you don't know your time server, enter time.nist.gov in the text box.
Click the Services tab.
Click the VPN tab.
Under the Start OpenVPN Client section, select the Enable radio button.
Important
If you don't see this section, your DD-WRT build may not be OpenVPN enabled. Consult the proper DD-WRT documentation for more information on the various DD-WRT builds.
Once enabled, also check the Enable option under Advanced Options to allow defining options required for the VPN connection to work.
The OpenVPN Client configuration screen displays. The following configuration options likely display:
Start OpenVPN Client: Turn on the OpenVPN client connections.
Server IP/Name: The hostname of the VPN server you're trying to connect to. Refer to your .ovpn file for entries starting with "remote". For example, the entry remote vpn.yourbusiness.com 1194 udp indicates that the hostname is vpn.yourbusiness.com.
Port: The port number the VPN server is listening on. If you don't know what this is, look for the port number in remote (the previous example shows the udp port, 1194), or it may display using the port directive. UDP is preferable over TCP for better reliability.
Tunnel Device: Select TUN.
Tunnel Protocol: Select UDP.
Encryption Cipher: Find this value from the cipher line in the profile. Example: AES-256-CBC.
Hash Algorithm: Access Server uses sha256.
nsCertType verification: Checks to see if the remote server is using a valid certificate type meant for OpenVPN connections. Leave this enabled for security.
Advanced Options: Keep this enabled to set the required options for a successful VPN connection.
LZO Compression: Enables compression over VPN. This option should be disabled.
NAT: This function creates a NAT layer over the VPN tunnel. You should enable this if you plan to send all your clients' traffic over the VPN tunnel with the Access Server's IP address. If you switch from NAT to routing in the Admin Web UI, you'll disable this and work with routing tables on the router.
Local IP Address: Specify an IP address that your OpenVPN tunnel should use. This field is usually not applicable, as Access Server automatically assigns an IP address upon successful connection.
TUN MTU Setting: The maximum transmission unit (MTU) used over the VPN tunnel. This is set in the Admin Web UI on the Advanced VPN page. The default is 1500.
MSS-Fix/Fragment across the tunnel: Unless directed otherwise by support staff or a network professional, leave this field blank.
TLS Cipher: The encryption algorithm OpenVPN should use for encrypting its control channel. Selecting None will allow DD-WRT to auto-negotiate the strongest available cipher.
TLS Auth Key: The static key OpenVPN should use for generating HMAC send/receive keys. In the profile, this key may be surrounded by <tls-auth>, <tls-crypt>, or <tls-crypt-v2> tags. Copy the contents from your profile, starting with BEGIN. For example, with TLS Crypt, copy the key between the -----BEGIN OpenVPN Static key V1----- and -----END OpenVPN Static key V1----- lines.
Additional Config: Any additional configurations you want to define for the VPN connection.
Policy based Routing: Leave this field blank.
PKCS12 Key: Leave this field blank.
Static Key: Leave this field blank.
CA Cert: The CA certificate used by the VPN server, found between the <ca>…</ca> tags inside the connection profile. Start copying from -----BEGIN CERTIFICATE----- until you hit the first -----END CERTIFICATE-----.
Public Client Cert: The CA certificate used by the VPN client, found between the <cert>...</cert> tags inside the connection profile. Start copying from -----BEGIN CERTIFICATE----- until the next -----END CERTIFICATE-----.
Private Client Key: The private key used by the VPN client, found between the <key>...</key> tags inside the connection profile. Start copying from -----BEGIN PRIVATE KEY----- until -----END PRIVATE KEY-----.
After entering all configuration settings, click Apply Settings.
To view the status of the VPN connection, open the Status tab and click the OpenVPN tab.
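The manual copy steps above can be cross-checked by parsing the connection profile and listing the value each DD-WRT field should receive. This Python sketch is an added example, not part of the original tutorial or of OpenVPN's tooling; the function name ddwrt_fields and the sample profile with placeholder key material are constructed for illustration. It goes slightly beyond the walkthrough by falling back to the port and proto directives (and OpenVPN's defaults of 1194 and udp) when the remote entry omits them.

```python
import re

# Constructed sample profile; the BEGIN/END bodies are placeholders, not real keys.
SAMPLE_PROFILE = """\
remote vpn.yourbusiness.com 1194 udp
cipher AES-256-CBC
auth SHA256
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CA
-----END CERTIFICATE-----
</ca>
<tls-crypt>
# 2048 bit OpenVPN static key (Server Agent)
-----BEGIN OpenVPN Static key V1-----
PLACEHOLDER-STATIC-KEY
-----END OpenVPN Static key V1-----
</tls-crypt>
"""

# Inline block tag -> DD-WRT field name used in the tutorial.
BLOCKS = {"ca": "CA Cert", "cert": "Public Client Cert", "key": "Private Client Key"}
BLOCKS.update(dict.fromkeys(("tls-auth", "tls-crypt", "tls-crypt-v2"), "TLS Auth Key"))
PEM = re.compile(r"-----BEGIN ([^\n]+?)-----.*?-----END \1-----", re.S)

def ddwrt_fields(profile):
    """Map a connection profile to the DD-WRT OpenVPN Client fields it fills."""
    fields = {}
    for tag, label in BLOCKS.items():
        block = re.search(rf"<{tag}>(.*?)</{tag}>", profile, re.S)
        if block:
            pem = PEM.search(block.group(1))
            if pem is None:
                raise ValueError(f"<{tag}> has no BEGIN/END markers")
            fields[label] = pem.group(0)  # BEGIN..END only; comment lines dropped
    plain = re.sub(r"<([\w-]+)>.*?</\1>", "", profile, flags=re.S)  # directives only
    opts = {}
    for line in plain.splitlines():
        words = line.split()
        if words and words[0][0] not in "#;":
            opts.setdefault(words[0], words[1:])  # first occurrence wins
    remote = opts["remote"]  # KeyError if the profile has no remote entry
    fields["Server IP/Name"] = remote[0]
    fields["Port"] = remote[1] if len(remote) > 1 else opts.get("port", ["1194"])[0]
    proto = remote[2] if len(remote) > 2 else opts.get("proto", ["udp"])[0]
    fields["Tunnel Protocol"] = proto.upper()
    fields["Encryption Cipher"] = opts.get("cipher", [""])[0]
    fields["Hash Algorithm"] = opts.get("auth", [""])[0]
    return fields
```

Because an auto-login profile carries the client's private key, the returned dictionary is as sensitive as the .ovpn file itself.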