Page tree

Welcome to FreeSoftwareServers Confluence Wiki

Skip to end of metadata
Go to start of metadata

# Config DD-WRT for OpenVPN

[NOTE]This is a WIP. Currently things like remote desktop accross lan, ssh and other things work. But browsing router WebUI/Network Shares do not. But I can remote desktop and then view remote shares.

- I will remove this when this is 100% working, please comment if you figure it out.

I need help improving this line for IPTABLES.

iptables -t nat -A POSTROUTING -j MASQUERADE


  1. Gather all required Keys/Files
    * ca.crt
    * server.crt
    * server.key
    * dh*.pem
  2. Configure Time Zone
  3. Configure DDNS
  4. Configure Firewall (IPTABLES)
  5. Configure OpenVPN Daemon
  6. Test-Connect & Profit

4) Administration >> Commands


iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT
iptables -I FORWARD 1 --source -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
iptables -t nat -A POSTROUTING -j MASQUERADE



Save Firewall Rules It should look like this after! [Note I had trouble pasting, might have to type it out!]


5) Copy the text from these files into corresponding boxes in DD-WRT web UI.



Only paste the sections of text starting with (and including):

and ending with (and including):

in the text files. That is, include the two ---BEGIN/END CERTIFICATE--- lines. Do not paste all the descriptive stuff above that section.

Note: To be able to "see" the rest of the network you must use additional configs >> push "route".


OpenVPN >> Enable

Start Type >> System

Config As >> Daemon

CA Cert >> ca.crt
Public Server Cert >> server.crt
Private Server Key >> server.key
DH PEM >> dh2048.pem
Additional Config >>

dev tun0
proto udp
keepalive 10 120
push "route"
push "dhcp-option DNS"
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem



TLS Auth Key >> Blank
Certificate Revoke List >> Blank

It should look like this! Apply Settings :)




In reply to Arne Kleijn.

I think the biggest changes you made are Config options as Server and WAN UP, also you made your MASQUERADE statement more specific which is what I needed. My biggest issue is my router is behind a wireless repeater bridge, so that makes things even more complicated!

Unapprove | Reply | Quick Edit | Edit | History | Spam | Trash
In reply to Arne Kleijn.

Also note, I prefer to use DNS options of instead of google servers, because I have domain names that resolve to private IP’s set in my gateway router on the far end of the VPN, and push “redirect-gateway def1” redirect ALL traffic over VPN, which may be what you want, but in my case, I only want the traffic destined for the remote VPN to go over the VPN and regular internet traffic can just go out to the internet without going over the VPN. Depends on your situation, are you trying to mask your browsing at a coffee shop, or just get remote access to a LAN.

Unapprove | Reply | Quick Edit | Edit | History | Spam | Trash
In reply to Arne Kleijn.

I will test this ASAP! And thank you!!! I hate projects I don’t complete successfully, and this was one of the very few I just couldn’t get to work. I wonder why tun2 vs tun0, but alas, this computers, and if it works, I will accept that!

Unapprove | Reply | Quick Edit | Edit | History | Spam | Trash
Arne Kleijn

I got this working on this specific router model here is how:
follow this tutorial with these differences
* Start Type >> WAN Up
* Config as >> Server

Additional Config >>

push “route”
push “redirect-gateway def1”
push “dhcp-option DNS”
dev tun2
proto udp
keepalive 10 120
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem

*Note “dev tun2” must be “tun2” not “tun0” and first line change to your ip range..

Goto. tab Services and the first tab is also Services
Goto. DNSMasq and Enable: “DNSMasq”, “Local DNS” and “No DNS Rebind”
put this in the “Additional DNSMasq Options:” >> dhcp-option=6,,

*Note i’am note sure if the “Additional DNSMasq Options” are a must

Last but not least the firewall rules:

iptables -I INPUT 1 -p udp –dport 1194 -j ACCEPT
iptables -I FORWARD 1 –source -j ACCEPT
iptables -I FORWARD -i br0 -o tun2 -j ACCEPT
iptables -I FORWARD -i tun2 -o br0 -j ACCEPT
iptables -t nat -A POSTROUTING -s -j MASQUERADE

*Note “tun2″not “tun0”

In my case this is working as it is supposed to on a Linksys EA6500v1

  • No labels