We wanted to connect two small business offices with a VPN. Our existing firewalls were Linksys WRT54Gs. We chose to run the DD-WRT VPN firmware and use OpenVPN to meet that need. (These instructions should also work on the DD-WRT supported models like the Allnet ALL0277, Buffalo WHR-G54S, Buffalo WHR-HP-G54S, ASUS WL500G-Deluxe, Motorola WR850G, Siemens Gigaset SE505, Ravo W54-R, and Askey RT210W.)
OpenVPN can be run in two modes: routed and bridged. The steps below set up a bridged VPN where both sites are on the same subnet. If you are looking for routed VPN instructions click here. One of the WRTs should be the VPN server and the other should be the VPN client. This scenario works well when one site has a static internet IP address and a valid DNS entry while the other site is set up with DHCP. If both sites are set up with DHCP internet addresses, the VPN server should have a Dynamic DNS entry at a provider like www.dyndns.com. DynDNS.com is a free service and there is a client built into DD-WRT.
These instructions are written assuming that you will configure the VPN server WRT first and the client WRT second.
2) Log on to the web management interface in DD-WRT. Select the Administration tab. Scroll down until you find the JFFS2 Support information. JFFS2 must be enabled. If you have never enabled JFFS2 before, you will also need to select the Clean JFFS2 enable button to initialize the file system. Scroll to the bottom and select Save Settings.
3) Select the Administration tab and then the Services subtab. Scroll down to the OpenVPN client section and make sure that Start OpenVPN is set to Disable. If you had to disable it, make sure you scroll to the bottom and click Save Settings. You have to leave this disabled because the OpenVPN configuration in the DD-WRT web interface is designed to act as a client to a VPN server running on a full-blown Linux or other host.
4) Telnet to your router and enter the username of root and your administrative password.
5a) If this is your second WRT (the VPN client DD-WRT) skip to step 5b. If this is the VPN server WRT, type in openvpn --genkey --secret /jffs/static.key and hit <enter>. This will generate the static key we will use for our VPN. Once the command is complete the WRT will return to the bash prompt. Now type cat /jffs/static.key and hit <enter>. Copy and paste the output into notepad or wordpad. You will need the key information for the next router. Now you can skip to step 6.
Below is a static key example. DO NOT USE THIS KEY YOUR VPN WILL NOT BE SECURE.
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
(the key body, 16 lines of 32 hexadecimal characters, is omitted here)
-----END OpenVPN Static key V1-----
5b) At the prompt type vi /jffs/static.key and hit <enter>. Hit i to enter insert mode and then paste in the static key information you copied into notepad when working on your VPN server WRT. After you are done pasting, hit escape, then type :wq and hit <enter>.
6) At the prompt type chmod 700 /jffs/static.key and hit <enter>.
7a) If you are working on the VPN client WRT skip to step 7b. On the VPN server WRT copy the following script and paste it on the command line. (Check the script for comments on the few items that need to be updated to match your environment.)
------------------- Copy starting below this line. -------------------
nvram set rc_firewall='
# /tmp/myvpn is the OpenVPN binary these scripts run (the guide assumes it is already present on the router)
/tmp/myvpn --mktun --dev tap0
# attach the tap interface to the LAN bridge so both sites share one subnet
brctl addif br0 tap0
# server side: listen on UDP port 1194 using the shared static key; change --port only if you need a different port
/tmp/myvpn --dev tap0 --secret /jffs/static.key --comp-lzo --port 1194 --proto udp --verb 3 --daemon --ping 30 --ping-restart 120
'
--------------- Stop here when selecting text to copy --------------------------
7b) On the VPN client WRT copy the following script and paste it on the command line. (Check the script for comments on the few items that need to be updated to match your environment.)
------------------- Copy starting below this line. -------------------
nvram set rc_firewall='
# /tmp/myvpn is the OpenVPN binary these scripts run (the guide assumes it is already present on the router)
/tmp/myvpn --mktun --dev tap0
# attach the tap interface to the LAN bridge so both sites share one subnet
brctl addif br0 tap0
ifconfig tap0 0.0.0.0 promisc up
# client side: replace VPNSERVER.dnsalias.com with the static IP or Dynamic DNS name of your VPN server WRT; the port must match the server
/tmp/myvpn --dev tap0 --secret /jffs/static.key --comp-lzo --port 1194 --proto udp --verb 3 --daemon --remote VPNSERVER.dnsalias.com --ping 30 --ping-restart 120
'
--------------- Stop here when selecting text to copy --------------------------
8) Type nvram commit and hit <enter>.
9) Now reboot your routers and attempt to ping hosts across the VPN tunnel. (You will not be able to ping the WRTs' own addresses. You have to ping a host on the network other than the WRT.)
10) Remember that both sites need the same internal IP subnets.
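As an added check for this guide (not code from DD-WRT or the original page), the POSIX shell script below validates the /jffs/static.key file from steps 5a/5b and 6 before you rely on it: both V1 markers present, exactly 16 lines of 32 hex characters, and no group/other permission bits. make_sample_key writes a constructed placeholder key purely so the checker can be tested; it is not a usable key.

```sh
#!/bin/sh
# Added check for this guide (not DD-WRT code): validate an OpenVPN static
# key file before trusting it. Static key mode shares one secret between
# both routers, so a truncated paste or a world-readable file breaks or
# weakens the whole tunnel.
check_static_key() {
    f=$1
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    # columns 5-10 of 'ls -l' are the group/other permission bits;
    # after step 6 (chmod 700) they must all be '-'
    others=$(ls -l "$f" | cut -c5-10)
    [ "$others" = "------" ] || { echo "$f: readable by others ($others)"; return 1; }
    # body must be exactly 16 lines of 32 lowercase hex chars (2048 bits)
    # between the V1 BEGIN/END markers; '#' header lines are ignored
    awk '
        /^-----BEGIN OpenVPN Static key V1-----$/ { inkey=1; begin++; next }
        /^-----END OpenVPN Static key V1-----$/   { inkey=0; end++; next }
        inkey { if (length($0) != 32 || $0 !~ /^[0-9a-f]+$/) bad++; else lines++ }
        END { exit !(begin == 1 && end == 1 && lines == 16 && bad == 0) }
    ' "$f" || { echo "$f: malformed key body"; return 1; }
    echo "$f: ok"
}

# Write a CONSTRUCTED placeholder in the V1 layout for testing the checker.
# The repeating pattern makes it obviously not a real key; real keys come
# only from: openvpn --genkey --secret /jffs/static.key
make_sample_key() {
    out=$1
    {
        echo "#"
        echo "# 2048 bit OpenVPN static key"
        echo "#"
        echo "-----BEGIN OpenVPN Static key V1-----"
        i=0
        while [ "$i" -lt 16 ]; do
            printf '%02x0123456789abcdef0123456789abcd\n' "$i"
            i=$((i + 1))
        done
        echo "-----END OpenVPN Static key V1-----"
    } > "$out"
    chmod 700 "$out"
}
```

Run check_static_key /jffs/static.key on each router after step 6; a non-zero exit means the pasted key or its permissions need fixing before step 7.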
That should be it and good luck!
Source : geek-pages.com