October 25, 2014 / lasseathome

Setting up OpenVPN on a Tomato router with Tunnelblick as client

On many occasions I want to access my computers and servers behind my firewall, and the usual solution was to have only the SSH port open and then work on the command line with the machines inside. A better solution is to set up a VPN and connect to it, but for a long time I thought that it was too difficult, as the threshold seemed so high. I have now gone into that endeavor, it was not too hard, and this post documents my steps. My hardware is:

  • OpenVPN Server – An ASUS RT-N16 router with Tomato by Shibby, using K26-RT-N5x-AIO (all in one) image.
  • OpenVPN Client – Mac book where I have installed the Tunnelblick-Client and run the key generation scripts.

Starting up

Prerequisites are installing Tomato on the ASUS RT-N16 and downloading and installing the Tunnelblick client on the Mac. It is good to install the Tunnelblick client before the server is finished, since the keys can be generated with the easy-rsa utility included with it. I guess any other OpenVPN client also includes easy-rsa.

Setting up OpenVPN on the router

In VPN Tunneling > OpenVPN Server > Basic Tab

[Screenshot: OpenVPN-1]

In VPN Tunneling > OpenVPN Server > Advanced Tab

[Screenshot: OpenVPN-2]

Generating keys for the OpenVPN Keys tab

This is where we use the fact that we are on a Mac with Tunnelblick installed: since Tunnelblick brings easy-rsa in its package, we go to Tunnelblick’s easy-rsa folder and edit the configuration file called “vars”. We need to edit vars with sudo, since root is the owner of the directory. Reading the README and some Googling helped me understand what to write in the file. (After starting Tunnelblick I saw that in Tunnelblick’s Utilities tab one can open easy-rsa in a terminal directly.)

cd /Applications/Tunnelblick.app/Contents/Resources/easy-rsa-tunnelblick
sudo nano vars

Now we can start to generate some keys. I followed the order given in the last lines of the README. Start with a sudo bash, since all commands need to be run with root permissions in the directory.

sudo bash
source ./vars              # load the settings from vars into this shell (export ./vars does not work)
./clean-all                # wipe the keys directory and start from scratch
./build-dh                 # Diffie-Hellman parameters (dh1024.pem)
./pkitool --initca         # the CA: ca.key and ca.crt
./pkitool --server myserver   # server certificate signed by the CA: myserver.crt/.key
./build-key client         # client certificate signed by the CA: client.crt/.key

This gives the following files, placed in the subdirectory keys: dh1024.pem, ca.key, ca.crt, myserver.crt, myserver.csr, myserver.key, client.crt, client.csr, client.key, and some other files. The file ca.key is private and must be stored in a safe place. The contents of these files are entered into Tomato according to the following template:

[Screenshot: OpenVPN-3]

This was the most difficult thing to do, but it was not as difficult as I thought a few weeks ago.

Setting up the Client

The startup of Tunnelblick generated a directory with a sample config file for me, “config.ovpn”, which I edited, and then I added the ca.crt file and my client files client.crt and client.key to the same directory. After that I just double-clicked config.ovpn, which starts Tunnelblick and loads this configuration file as well as the other files. I selected to install this for my user only and not for all users on the machine.
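As an added example (not Tunnelblick’s sample file and not from the post), the script below writes a minimal client config.ovpn next to ca.crt, client.crt and client.key and checks it before it is handed to Tunnelblick: every file the config references must exist beside it, and the config must carry `remote-cert-tls server`, which makes the client refuse a certificate without the serverAuth usage so that another client certificate issued by the same CA cannot pose as the router. The router hostname and port are placeholders, and any cipher or compression lines from the router’s Advanced tab (not shown on this page) have to be added to match.

```shell
#!/bin/sh
# Added example (not part of the original post): minimal OpenVPN client config
# for the files produced above, plus a check of the directory before use.
set -eu

# Writes config.ovpn into directory $1 for router $2 on UDP port $3 (default 1194).
write_client_config() {
  d="$1"; host="$2"; port="${3:-1194}"
  cat > "$d/config.ovpn" <<EOF
client
dev tun
proto udp
remote $host $port
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
# Only accept a server certificate carrying the serverAuth extended key usage,
# so a client certificate from the same CA cannot impersonate the router.
remote-cert-tls server
verb 3
EOF
}

# Prints "ok" if every file the config references exists beside it and the
# server-identity check is present; otherwise names the first problem and returns 1.
check_client_config() {
  d="$1"; cfg="$d/config.ovpn"
  [ -f "$cfg" ] || { echo "missing config.ovpn"; return 1; }
  grep -q '^remote ' "$cfg" || { echo "config has no 'remote' line"; return 1; }
  for directive in ca cert key; do
    # first argument of the "ca", "cert" or "key" line, relative to the config dir
    f="$(awk -v k="$directive" '$1==k {print $2; exit}' "$cfg")"
    [ -n "$f" ] || { echo "config has no '$directive' line"; return 1; }
    [ -f "$d/$f" ] || { echo "$directive file $f not found next to config.ovpn"; return 1; }
  done
  grep -q '^remote-cert-tls server' "$cfg" \
    || { echo "remote-cert-tls server missing"; return 1; }
  echo ok
}
```

Usage: `write_client_config ~/openvpn-client vpn.example.invalid 1194 && check_client_config ~/openvpn-client` prints `ok` once the three key files are in place; if a file is missing the check names it instead of leaving Tunnelblick to fail at connect time.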

As a final comment, added after the main publication of the post, I can now confirm that it works well. I could sit in China and read and post on my Facebook account, and I could also Google on the Swedish and American servers, which was not possible without the VPN connection due to the net filters active in China.

References

The following places were the main sources for this setup procedure and installation.

  1. OpenVPN Documentation.
  2. The blog by Maciej Mensfield, with essentially the same information as here but with a different path for generating keys, among other differences.
  3. The README file in the directory for the easy-rsa included in the installation.

2 Comments

  1. kriznik / Dec 8 2015 8:17 pm

    Hello, strange that you were able to do that on the N16, because I have the same router but I’m not having enough free NVRAM to store certs and keys. What is your trick here?

  2. kriznik / Dec 8 2015 8:35 pm

    Never mind, I’ve figured that out 😉
