Astaro Site to Site VPN with DD-WRT
So – I received my Astaro Security Gateway 220 last week and this morning I decided to get it hooked up and configured. The most important configuration being linking it to my second site. Soon I'll have two Astaros, but right now the other site still has a Linksys router with DD-WRT v24 installed. First things first – DD-WRT does NOT support IPsec, so forget about it. In this post I'll show you how to configure the Astaro as an OpenVPN server and the DD-WRT as a client.
Step 1
Log into the Astaro and click on Site-to-site VPN.
Choose SSL from the drop down. You will be presented with the connections tab. Click New SSL connection.
Connection Type: Server
Connection Name: Site B
Local Networks: Internal (Network)
Click the plus sign next to Remote Networks and fill it in according to your remote network.
Save that and then make sure you leave Automatic packet filter rules checked. Then click Save.
Next, click Settings. Your settings should look like this:
Save any changes and then click Advanced
Now I’m sure the encryption and authentication can be changed – but for the sake of this article this is how I’m going to configure it.
I've enabled debug mode for now so we can see what's going on. Apply those settings and then click back on Connections.
Now you want to download the configuration file – unencrypted – and open it in notepad++ or something similar.
Inside that file you should see 2 certificates and 1 RSA private key. The first cert in the file is the public client cert, the second is the CA cert, and the RSA private key at the end is the private client key.
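Splitting the downloaded file by hand works, but it is easy to paste the CA cert where the client cert belongs. The function below is an added example (not code from the post, Astaro or DD-WRT): it walks the unencrypted asg.apc once and writes client.crt, ca.crt and client.key using the ordering the post describes, refusing any file that does not contain exactly two certificates and one RSA key. The write_sample_apc helper and its placeholder PEM bodies are constructed for demonstration; the config lines around the PEM blocks in a real asg.apc are an assumption.

```shell
#!/bin/sh
# Added example, not from the post: split the unencrypted Astaro SSL client
# config (asg.apc) into the three files the DD-WRT OpenVPN client wants, using
# the ordering the post describes: first certificate = client cert, second
# certificate = CA cert, RSA private key = client key. Needs only sh and awk,
# so it runs on a workstation or on the DD-WRT box itself.
# Usage: split_apc asg.apc /tmp/openvpncl

split_apc() {
    apc="$1"
    out="$2"
    [ -r "$apc" ] || { echo "cannot read $apc" >&2; return 1; }
    # Refuse layouts other than the one the post describes (2 certs, 1 key)
    # rather than silently mapping a block to the wrong file.
    ncert=$(grep -c '^-----BEGIN CERTIFICATE-----' "$apc" || true)
    nkey=$(grep -c '^-----BEGIN RSA PRIVATE KEY-----' "$apc" || true)
    if [ "$ncert" -ne 2 ] || [ "$nkey" -ne 1 ]; then
        echo "expected 2 certificates and 1 RSA key, found $ncert/$nkey" >&2
        return 1
    fi
    mkdir -p "$out" || return 1
    # One pass over the file; every line of a PEM block goes to its destination.
    awk -v out="$out" '
        /^-----BEGIN CERTIFICATE-----/ {
            n++; dest = (n == 1) ? out "/client.crt" : out "/ca.crt"; inblk = 1
        }
        /^-----BEGIN RSA PRIVATE KEY-----/ { dest = out "/client.key"; inblk = 1 }
        inblk { print > dest }
        /^-----END (CERTIFICATE|RSA PRIVATE KEY)-----/ { inblk = 0; close(dest) }
    ' "$apc" || return 1
    # The private key is the client identity; keep it owner-readable only.
    chmod 600 "$out/client.key" || return 1
    for f in client.crt ca.crt client.key; do
        [ -s "$out/$f" ] || { echo "missing or empty: $out/$f" >&2; return 1; }
    done
    return 0
}

# Constructed sample in the layout described above (placeholder PEM bodies,
# not real key material), so the function can be tried without a real asg.apc.
write_sample_apc() {
    cat > "$1" <<'EOF'
client
dev tun
-----BEGIN CERTIFICATE-----
CONSTRUCTED-CLIENT-CERT-BODY
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
CONSTRUCTED-CA-CERT-BODY
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
CONSTRUCTED-PRIVATE-KEY-BODY
-----END RSA PRIVATE KEY-----
EOF
}
```

The three output files are exactly what the DD-WRT OpenVPN Client page asks for, so they can be pasted into the GUI or copied straight into /tmp/openvpncl.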
Open up your dd-wrt router (hopefully at this point you have remote access to a computer on the remote network)
You should copy and paste those values into the correct inputs in the DD-WRT (under Services, VPN, OpenVPN Client) and save and apply.
Next, inside the asg.apc file you downloaded, at the very end you should see something like this:
The first highlighted value is the username – the second is the password. We need to use these in a configuration startup script. On the DD-WRT click administration and then commands.
# username on line 1, password on line 2 (replace with your own values)
echo "REF_uClaMWVnny
REF_VMHOQOXAGW0000ref_vmhoqoxagw" > /tmp/openvpncl/user.conf
sleep 10
# client config; replace REMOTE SERVER with the Astaro gateway address
echo "client
dev tun
proto udp
hand-window 30
port 1195
remote REMOTE SERVER
resolv-retry infinite
nobind
persist-key
persist-tun
ca /tmp/openvpncl/ca.crt
cert /tmp/openvpncl/client.crt
key /tmp/openvpncl/client.key
cipher BF-CBC
auth SHA1
comp-lzo
route-delay 4
verb 3
reneg-sec 0
auth-user-pass /tmp/openvpncl/user.conf" > /tmp/openvpncl/vpn.conf
# restart openvpn with the config written above
( sleep 10 ; killall openvpn ; /usr/sbin/openvpn --config /tmp/openvpncl/vpn.conf --auth-user-pass /tmp/openvpncl/user.conf --route-up /tmp/openvpncl/route-up.sh --down /tmp/openvpncl/route-down.sh --daemon ) &
Make sure you use YOUR username and password – also replace REMOTE SERVER on the remote line with the Astaro gateway IP.
Reboot the DD-WRT and you should be good to go.
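Before rebooting, it is worth checking what the startup script actually wrote, because a leftover placeholder or a quote mangled by copy and paste gives you a tunnel that silently never comes up. The check below is an added example, not part of the post; it assumes the directory and file names the startup script uses (/tmp/openvpncl with ca.crt, client.crt, client.key, user.conf and vpn.conf) and that the remote line carries the gateway address. The write_sample_openvpncl helper writes a constructed, known-good set of files for trying it out.

```shell
#!/bin/sh
# Added example, not from the post: pre-flight check of the files the startup
# script writes under /tmp/openvpncl. Catches the REMOTE placeholder left in
# vpn.conf, typographic quotes or dashes introduced by copy and paste, a
# user.conf without exactly two lines, files that are not PEM, and a key or
# credential file readable by others. Exit 0 means the set looks sane.
# Usage: check_openvpncl /tmp/openvpncl

check_openvpncl() {
    dir="${1:-/tmp/openvpncl}"
    rc=0
    for f in ca.crt client.crt client.key user.conf vpn.conf; do
        [ -s "$dir/$f" ] || { echo "FAIL: $dir/$f missing or empty" >&2; rc=1; }
    done
    [ "$rc" -eq 0 ] || return "$rc"

    # Copy and paste from a web page often turns '"' and '--' into typographic
    # characters; any byte outside printable ASCII in these files is suspicious.
    for f in user.conf vpn.conf; do
        if LC_ALL=C grep -q '[^[:print:][:space:]]' "$dir/$f"; then
            echo "FAIL: non-ASCII character in $dir/$f (smart quote or dash?)" >&2
            rc=1
        fi
    done

    # The remote line must name a real host, not the placeholder from the post.
    remote=$(awk '$1 == "remote" { print $2; exit }' "$dir/vpn.conf")
    case "$remote" in
        ""|REMOTE*) echo "FAIL: remote in vpn.conf is unset or still a placeholder" >&2; rc=1 ;;
    esac

    # auth-user-pass reads the username from line 1 and the password from line 2.
    lines=$(wc -l < "$dir/user.conf" | tr -d ' ')
    [ "$lines" -eq 2 ] || { echo "FAIL: user.conf has $lines line(s), expected 2" >&2; rc=1; }

    # Each PEM file must start with the header of the right object type.
    grep -q '^-----BEGIN CERTIFICATE-----' "$dir/ca.crt"     || { echo "FAIL: ca.crt is not a PEM certificate" >&2; rc=1; }
    grep -q '^-----BEGIN CERTIFICATE-----' "$dir/client.crt" || { echo "FAIL: client.crt is not a PEM certificate" >&2; rc=1; }
    grep -q 'PRIVATE KEY-----' "$dir/client.key"             || { echo "FAIL: client.key is not a PEM private key" >&2; rc=1; }

    # Private key and credentials must not be readable by group or others.
    for f in client.key user.conf; do
        if [ -n "$(find "$dir/$f" -perm -004 -o -perm -040 2>/dev/null)" ]; then
            echo "FAIL: $dir/$f is readable by group/others (chmod 600 it)" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Constructed known-good set of files (placeholder PEM bodies, documentation
# address 203.0.113.10) so the check can be exercised off the router.
write_sample_openvpncl() {
    mkdir -p "$1" || return 1
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'CONSTRUCTED' '-----END CERTIFICATE-----' > "$1/ca.crt"
    cp "$1/ca.crt" "$1/client.crt"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'CONSTRUCTED' '-----END RSA PRIVATE KEY-----' > "$1/client.key"
    printf '%s\n' 'REF_user' 'REF_pass' > "$1/user.conf"
    printf '%s\n' 'client' 'dev tun' 'remote 203.0.113.10' 'port 1195' > "$1/vpn.conf"
    chmod 600 "$1/client.key" "$1/user.conf"
}
```

Run it from the DD-WRT shell after the startup script has had its sleep; every FAIL line names the file to fix, and a clean exit is the point at which rebooting is worth the wait.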
How do you do it if you want the ddwrt as a client vs site to site?
Thanks in advance!
Well done and many thanks.
But be patient with copy and paste, it doesn't work. It breaks the quotes and double dashes.
Check your pasted configs for the " " and the — in the last line.
First, Will, thanks so much for this. Excellent job. My biggest headaches were on the DD-WRT side, and not even directly related to OpenVPN. The good news is that this works, even going to Astaro v7 (I have not yet upgraded that particular client to v8).
Some tweaks/updates:
Your startup script is actually adding auth-user-pass as a config parameter *and* passing it on the command line. You should only need one *or* the other.
With SVN revision 18946M NEWD-2 K2.6 Eko (just flashed into a Cisco E1000 v2.1), after enabling OpenVPN in the web GUI, I was unable to get the DD-WRT-powered router to successfully pass the credentials to the Astaro. I found that it would work successfully, though, when I stopped the OpenVPN daemon and ran the command from a terminal.
So… I verified that all of the files specified in the config were getting written to /tmp (so I knew that the startup script was being processed to that point). Turning off OpenVPN in the web GUI yielded me a non-starting daemon, so apparently, the daemon instance configured in the web GUI was overriding the auth-user-pass parameter.
Finally, I enabled advanced settings for the OpenVPN setup in the web GUI, and added:
auth-user-pass /tmp/openvpncl/user.conf
in the "Additional Config" box.
That did the trick.
Also, I can confirm that the DD-WRT-to-ASG setup works with AES-128/MD5 on a non-standard port over TCP (vs UDP).