Tomato router OpenVPN setup

Got inspired this morning and set up OpenVPN on my router so I can proxy my traffic through it when I’m traveling. I think I got it working.

My goal here is mostly to get a working network environment when on hostile hotel wifi. I don’t really care about encryption security, although that’d be nice, and I explicitly don’t want to bridge my network so it looks like I’m inside my house LAN. Purely a tunnel for working around badly configured public networks. I may still be better off just buying VPN tunneling via Cloak or something similar with a simple client and reliable servers, but I wanted to try it myself.

For my server, the Tomato firmware on my router has an OpenVPN server built in, under the “VPN Tunneling” tab. It’s just like all the other Linksys-derived open router firmwares, but is poorly documented. So I followed this DD-WRT guide for the basic outline of what to do and an article about Tomato for some specifics of what’s in the Tomato GUI. The OpenVPN docs look quite good too, but I didn’t use them.

Key configuration options I altered:

  • Basic: Start with WAN, TUN interface, TCP protocol. VPN subnet; I think this can be most any private use network but you want it to not conflict with whatever public network you might be on.
  • Advanced: do not push LAN to clients. Do direct clients to redirect Internet traffic. Respond to DNS and advertise it.

I’m not positive that TCP is the right thing. I did that because on a badly configured network TCP is more likely to work than UDP. But UDP is probably the right protocol to be using for tunnel traffic. It’s a shame you can’t easily just do both in the server config.

Generating keys is harder, you’re quickly in the morass of X.509 certs and OpenSSL. Fortunately the easy-rsa package automates most of this for you, creating your own certificate authority and keys and certificates for both server and clients (a big pile of .crt and .key files) Don’t forget to build-dh to set the crypto up, too, building dh2048.pem. Should build a key for each client, with an easily remembered name. ./build-key name

For the MacOS client I’m using TunnelBlick. It seems surprisingly good and usable for open source software, I’m curious why folks prefer the commercial Viscosity. Installation was mostly straightforward. The wrinkle is you need a .ovpn file to configure the client. Happily, TunnelBlick will generate a template for you; just alter a few parameters like the VPN server name. You also need to copy a client key over, one of the ones you generated with easy-rsa.

For the iOS client I’m trying OpenVPN Connect, which I think is the only realistic option. It seems to work. The process of configuring the client and keys is pretty ugly, the only one that really would work for me was using iTunes file sync to copy stuff to the client.

It all seems to work. It’s a bit hard to test since I’m inside the network I’m then tunneling through, but I could verify that the clients connected and were given addresses in the VPN network block. I need to go to another network to verify it’s really tunneling traffic right.

Shame the usability on this stuff isn’t better. It suffers from crypto-nerd security-over-usability disease. OpenSSH nailed the whole “generate crypto automatically” thing years ago, since these certs are only self-signed all the authentication and naming stuff should be ignorable. Would also be nice if the OVPN file contained the key material as well so you just had a single file to install. Even a zip file would be better.