Be on my home network when I’m away from home via OpenVPN


Vinh Nguyen


November 10, 2010

In my previous employments, I remember co-workers having to use VPN when they work from home. They can access everything at the company as if they were physically on-site. I haven't tried configuring it on my home network since if I ever needed anything, I ssh'd into my home NAS, and grabbed stuff from there. I guess VPN can be useful in that everything I do on the remote machine will seem like I'm at home, meaning all my mounted access to different directories on the NAS, access to the router, etc, are available while I'm away.

Been wanting to play around with VPN for a while since I know both DD-WRT and Tomato routers has OpenVPN bundled in them.

Instructions are clearly documented at the USB Tomato wiki (look here to get the easy rsa files in newer versions (14.04) of Ubuntu). Note that when pasting stuff into the web browser, include the BEGIN and END lines. Also note that in order to generate the files, you have to do so as root; sudo doesn't cut it. On Ubuntu, do sudo -i to imitate su.

Keep the generated files in a safe place. The files that I keep on my laptop (client) to VPN into my home network are ca.crt, Client1.crt, and Client1.key. Then create this Client1 file:

# ______ __
# /_ __/___ ____ ___ ____ _/ /_____
# / / / __ / __ `__ / __ `/ __/ __ 
# / / / /_/ / / / / / / /_/ / /_/ /_/ /
# /_/ ____/_/ /_/ /_/__,_/__/____/
# The hostname/IP and port of the server. You can have multiple remote entries to load balance between the servers.
remote 1194
# Specify that we are a client and that we will be pulling certain config file directives from the server.
ns-cert-type server
# On most systems, the VPN will not function unless you partially or fully disable the firewall for the TUN/TAP interface.
dev tun21
# Are we connecting to a TCP or UDP server?
proto udp
# Keep trying indefinitely to resolve the host name of the OpenVPN server. Useful for machines which are not permanently connected to the internet such as laptops.
resolv-retry infinite
# Most clients don't need to bind to a specific local port number.
# The persist options will try to avoid accessing certain resources on restart that may no longer be accessible because of the privilege downgrade.
# SSL/TLS parms.
ca ca.crt
cert Client1.crt
key Client1.key
# Enable compression on the VPN link.
# Silence repeating messages
;verb 3
# Silence repeating messages
mute 20

When I need to VPN, just do

sudo openvpn Client1 ## do this in directory where the 3 files are stored

Thank you open source community!

Update (12/14/2010): Password-protect OpenVPN

I wanted to add a password feature to my VPN since I'm afraid someone might get access to my key files. I asked how to do so on the Tomato forum, and was referred to this post. It is quite easy to implement. 10/25/2014: Did more research to see if it's better to implement a passphrase for the key instead of what I implemented before, but this post confirms that the auth-user-pass-verify method is indeed the recommended way to implement authentication.

In the tomato web config, add the following:

init script (under Administration):

echo '#!/bin/sh
test "$user1" = "${username}" && test "$pass1" = "${password}" && exit 0
exit 1' > /tmp/
chmod 755 /tmp/

Restart the router or, better yet, execute the above code on the "System" page under "Tools".

Under the "Advanced" tab on the VPN Server page, enter the following under "Custom Configuration":

script-security 3
auth-user-pass-verify /tmp/ via-env

Now, on my Client1 file above, add the line auth-user-pass somewhere (I placed it after comp-lzo).

Now when I vpn to the network, I have to enter a username and password. This is awesome.

UPDATE 1/1/2011: Issue with PeerGuardian/MoBlock

I have issues connecting to a computer on the local network through OpenVPN. See this post for more details. To connect to it, just turn off PeerGuardian (sudo pglcmd stop).

UPDATE 10/6/2011: Channel all internet traffic through VPN

The above method allows me to access computers on my home network. To direct all internet traffic from my current device to the VPN network (so that the IP the world would see is the VPN's network), check the Direct clients to redirect Internet traffic checkbox in the Advanced Tab when setting up VPN in Tomato (according to this post). That way, I can use the internet securely when on a public network. I will only turn this feature on when I truly need it.

Unfortunately, there DNS names doesn't resolve (only IP addresses will work). I seeked help here obtained a solution there and here. To fix the DNS issue, I added the following three lines to the end of the config we created earlier:

script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

and added

push "dhcp-option DNS"

to the "custom configuration" field under the "Advance" tab of the VPN server page on Tomato. The latter just says to use Google's DNS server.

UPDATE 10/25/2014: Use on Android

I can VPN on Android via the OpenVPN app. It should work after I copy all my files (Client1.ovpn, Client1.key, Client1.crt, and ca.crt) into a single directory on Android, and import Client1.ovpn in the app. However, I don't want to leave my keys on my phone like that for security reasons, so the Help file in the OpenVPN app suggests creating a pkcs12 file and adding that to the Android keychain. To do so, first remove the 3 lines referencing in Client1.key, Client1.crt, and ca.crt in Client1.ovpn file. Import this ovpn file instead. On Linux, do

openssl pkcs12 -export -in Client1.crt -inkey Client1.key -certfile ca.crt -out Client1.p12

to generate Client1.p12. Enter an extracting password (will be asked when importing into Android keychain). Transfer to phone and import it via the OpenVPN app (so only Client1.ovpn and Client1.p12 files needed); enter the extracting password. Now one should be able to connect to the VPN after entering the username and password from the auth-user-pass-verify method. This is cool!