Lean MES Open Source Manufacturing Execution System
Walkthrough: basic bridged OpenVPN tunnel on an ASUS RT-N12B1
router running the OpenVPN daemon build of DD-WRT firmware.
Configured through the GUI; no configuration scripts/commands required.

Objective: Enable remote, secure OpenVPN communication with a small private network,
without deploying a dedicated computer running OpenVPN server software.
The OpenVPN server/daemon is hosted on a DD-WRT compatible
network appliance (router) connected to the Internet using a DHCP-assigned address.

 

Mode: Ethernet Bridge (remote users appear to be part of the small physical private network).

 

Limitations: 1-5 concurrent remote users.

Note! 2 concurrent users simultaneously uploading or downloading
at 1 MB/sec will max out the CPU (tested). In reality, a typical ISP limits the upload
speed to 124KB/sec, so potentially 10 concurrent remote users may be handled.

 

Protocol: UDP - preferred over TCP due to higher efficiency. 

 

Network Appliances Tested:

1. Model ASUS RT-N12B1
   CPU: BCM5357 chip rev.2 (300MHz)
   RAM: 32MB DDR
   FLASH: 8MB
   http://www.broadcom.com/products/Wireless-LAN/802.11-Wireless-LAN-Solutions/BCM5357

and variant:

2. Model ASUS RT-N12B1
   CPU: BCMD144 chip rev.1 (300MHz)
   RAM: 32MB DDR
   FLASH: 8MB


Important! The B1 revision of RT-N12 is the key information here. Other
revisions are not compatible with the firmware versions indicated below.

 

Where to get the firmware:
  http://dd-wrt.com/site/support/other-downloads
then go > others > eko > BrainSlayer-V24-preSP2 > 2012 > 03-19-12-r18777 > broadcom_K26
download: dd-wrt.v24-18777_NEWD-2_K2.6_mini_RT-N12B1.trx
and dd-wrt.v24-18777_NEWD-2_K2.6_openvpn_small.bin

 

*************************************************************************************************************************************

PHASE 1, Preparing device, upgrading to the required level of firmware:

 

 1.1 Set the device to "Router" mode (switch located on the back),
then hard reset (power up while holding the "WPS" button).
Connect LAN1 to the computer and power-cycle again.

 

 1.2 Wait for DHCP to assign an address; the default network is 192.168.1.0/24.
Using the Safari or Internet Explorer 7 browser, access:
http://192.168.1.1 - same address for the original and DD-WRT firmwares
Default http login: user=admin, password=admin

 

 1.3 Upgrade the firmware with the special image for initial flashing:
Advanced Settings>Administration>Firmware Upgrade>
Choose File =dd-wrt.v24-18777_NEWD-2_K2.6_mini_RT-N12B1.trx
 [Update] - will take several minutes

 

 1.4 Update the DD-WRT router username & password:
Router Username=root, password=admin

 

 1.5 Upgrade the device with the target firmware:
Administration>Firmware Upgrade>After flashing, reset to =Reset to Default settings
Choose File =dd-wrt.v24-18777_NEWD-2_K2.6_openvpn_small.bin
 [Update] - will take several minutes.

 

 1.6 Update the DD-WRT router username & password:
Router Username=root, password=admin
Confirm that the top right corner reads the following:

  Firmware: DD-WRT v24-sp2 (03/19/12) vpn-small
  Time: 00:02:19 up 2 min, load average: 0.18, 0.11, 0.04
  WAN IP: <ipaddress>

while the GUI http page name = DD-WRT (build 18777)

 

 1.7 Telnet to the device and check the NVRAM size:
telnet 192.168.1.1
user=root, password=admin

DD-WRT v24-sp2 vpn (c) 2012 NewMedia-NET GmbH
Release: 03/19/12 (SVN revision: 18777)

DD-WRT login: root
Password:
==========================================================

 ____  ___    __        ______ _____         ____  _  _
 | _ \| _ \   \ \      / /  _ \_   _| __   _|___ \| || |
 || | || ||____\ \ /\ / /| |_) || |   \ \ / / __) | || |_
 ||_| ||_||_____\ V  V / |  _ < | |    \ V / / __/|__   _|
 |___/|___/      \_/\_/  |_| \_\|_|     \_/ |_____|  |_|

                       DD-WRT v24-sp2
                   http://www.dd-wrt.com

==========================================================
BusyBox v1.19.4 (2012-03-19 05:36:16 CET) built-in shell (ash)
Enter 'help' for a list of built-in commands.
root@DD-WRT:~# nvram show | grep size
qos_dfragment_size=0
size: 30840 bytes (1928 left)
root@DD-WRT:~#

 

 1.8 Erase NVRAM:
root@DD-WRT:~# erase nvram
erase[65536]
root@DD-WRT:~# reboot
Connection closed by foreign host.

 

 1.9 Telnet to the device again and check the NVRAM free space:
root@DD-WRT:~# nvram show | grep size
size: 17651 bytes (15117 left)
root@DD-WRT:~# exit
Connection closed by foreign host.

Important! The free ("left") size must be > 5200 bytes! Otherwise there is a risk of "bricking" the device.
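To make the "> 5200 bytes" rule mechanical, the following is an added example (not part of the original walkthrough) that parses the `size: ... (N left)` summary line printed by `nvram show | grep size` in steps 1.7 and 1.9 and reports whether it is safe to paste the certificates. The two sample outputs are copied from the telnet sessions above; the 5200-byte floor is the walkthrough's own threshold.

```shell
#!/bin/sh
# Added example, not from the original walkthrough: check DD-WRT NVRAM free
# space against the walkthrough's 5200-byte floor before storing OpenVPN
# certificates in NVRAM.

NVRAM_MIN_FREE=5200

# Extract the "(N left)" figure from the summary line of `nvram show`.
# $1 = captured output of `nvram show | grep size`.
# Prints the number of free bytes, or nothing if no summary line is present.
nvram_free_bytes() {
    printf '%s\n' "$1" | sed -n 's/^size: [0-9]* bytes (\([0-9]*\) left).*/\1/p'
}

# Returns 0 (safe to proceed) only when a summary line was found and the
# free space is strictly greater than NVRAM_MIN_FREE, 1 otherwise.
nvram_ok_for_openvpn() {
    free=$(nvram_free_bytes "$1")
    if [ -n "$free" ] && [ "$free" -gt "$NVRAM_MIN_FREE" ]; then
        return 0
    fi
    return 1
}

# Sample outputs copied from steps 1.7 (before erase) and 1.9 (after erase).
BEFORE_ERASE='qos_dfragment_size=0
size: 30840 bytes (1928 left)'
AFTER_ERASE='size: 17651 bytes (15117 left)'

# Usage on the router itself would be:
#   nvram_ok_for_openvpn "$(nvram show 2>&1 | grep size)"
for sample in "$BEFORE_ERASE" "$AFTER_ERASE"; do
    if nvram_ok_for_openvpn "$sample"; then
        echo "free=$(nvram_free_bytes "$sample"): OK, more than $NVRAM_MIN_FREE bytes left"
    else
        echo "free=$(nvram_free_bytes "$sample"): NOT OK, erase NVRAM first (step 1.8)"
    fi
done
```

The functions use only `sed` and `test`, which the BusyBox shell on the router provides; if the summary line does not appear in the captured text, it was most likely written to stderr, so capture with `nvram show 2>&1 | grep size` as in the usage comment (an assumption of this example, not something the walkthrough states).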

 

 1.10 Log in to the device with the http GUI and update the DD-WRT router username & password:
Router Username=root, password=admin

Setup>Time Settings (Example):
Enable =true
Time Zone =UTC-06:00  (US, Dallas, TX)
Summer Time(DST) =2nd Sun Mar - first Sun Nov
Server IP/Name =us.pool.ntp.org
[Apply Settings]
[Save]

 

*************************************************************************************************************************************

PHASE 2, Building PKI (Public Key Infrastructure)

 

TIP: Set the clock of the computer running easy-rsa back by 1 day (-24 hrs) before
generating the certificates; otherwise, because the router's and the computer's clocks differ,
the certificates may only become valid the next day.

 

 2.1 Download openvpn-2.1.4-install.exe (bundled with Easy-RSA)
and perform a default install to C:\Program Files (x86)\OpenVPN\ .

  

 2.2 Preparing to create certificates using Easy-RSA on Windows 7:
C:\Program Files (x86)\OpenVPN\easy-rsa>init-config
C:\Program Files (x86)\OpenVPN\easy-rsa>copy vars.bat.sample vars.bat
        1 file(s) copied.
C:\Program Files (x86)\OpenVPN\easy-rsa>copy openssl.cnf.sample openssl.cnf
        1 file(s) copied.
C:\Program Files (x86)\OpenVPN\easy-rsa>vars
C:\Program Files (x86)\OpenVPN\easy-rsa>clean-all
The system cannot find the path specified.
        1 file(s) copied.
        1 file(s) copied.

 

 2.3 Creating the certificate authority:
C:\Program Files (x86)\OpenVPN\easy-rsa>build-ca
The system cannot find the path specified.
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
..................++++++
........................++++++
unable to write 'random state'
writing new private key to 'keys\ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:TX
Locality Name (eg, city) [SanFrancisco]:Frisco
Organization Name (eg, company) [OpenVPN]:AAT
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:AAT-CA
Email Address [mail@host.domain]:user@host.domain

 

 2.4 Creating the server certificate:
C:\Program Files (x86)\OpenVPN\easy-rsa>vars
C:\Program Files (x86)\OpenVPN\easy-rsa>build-key-server server
The system cannot find the path specified.
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
........++++++
...............................++++++
unable to write 'random state'
writing new private key to 'keys\server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:TX
Locality Name (eg, city) [SanFrancisco]:Frisco
Organization Name (eg, company) [OpenVPN]:AAT
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:server
Email Address [mail@host.domain]:user@host.domain
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from openssl.cnf
Loading 'screen' into random state - done
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'TX'
localityName          :PRINTABLE:'Frisco'
organizationName      :PRINTABLE:'AAT'
organizationalUnitName:PRINTABLE:'IT'
commonName            :PRINTABLE:'server'
emailAddress          :IA5STRING:'user@host.domain'
Certificate is to be certified until Dec 27 01:56:26 2022 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
unable to write 'random state'

 

 2.5 Creating the client certificate. If necessary, repeat this step with the arguments clientB, clientC, etc. in order to create
the required number of client certificates.
C:\Program Files (x86)\OpenVPN\easy-rsa>vars
C:\Program Files (x86)\OpenVPN\easy-rsa>build-key clientA
The system cannot find the path specified.
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
.......................................................++++++
......................................................++++++
unable to write 'random state'
writing new private key to 'keys\clientA.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:TX
Locality Name (eg, city) [SanFrancisco]:Frisco
Organization Name (eg, company) [OpenVPN]:AAT
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:clientA
Email Address [mail@host.domain]:user@host.domain
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from openssl.cnf
Loading 'screen' into random state - done
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'TX'
localityName          :PRINTABLE:'Frisco'
organizationName      :PRINTABLE:'AAT'
organizationalUnitName:PRINTABLE:'IT'
commonName            :PRINTABLE:'clientA'
emailAddress          :IA5STRING:'user@host.domain'
Certificate is to be certified until Dec 27 01:58:31 2022 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
unable to write 'random state'

 

 2.6 Creating the Diffie-Hellman parameters (build-dh creates .\keys\dh1024.pem):
C:\Program Files (x86)\OpenVPN\easy-rsa>vars
C:\Program Files (x86)\OpenVPN\easy-rsa>build-dh
The system cannot find the path specified.
Loading 'screen' into random state - done
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
.+............................+..................+.............
......................+.........+...........................+..
...............................................................
................................+..............................
............................................................+..
...............................................................
......+............................................+...........
unable to write 'random state'

  

 2.7 Checking the PKI files created:
C:\Program Files (x86)\OpenVPN\easy-rsa>cd keys
C:\Program Files (x86)\OpenVPN\easy-rsa\keys>dir

 Directory of C:\Program Files (x86)\OpenVPN\easy-rsa\keys

12/28/2012  08:00 PM    <DIR>          .
12/28/2012  08:00 PM    <DIR>          ..
12/28/2012  07:56 PM             3,667 01.pem
12/28/2012  07:58 PM             3,564 02.pem
12/28/2012  07:54 PM             1,253 ca.crt       - used in both server & client
12/28/2012  07:54 PM               887 ca.key
12/28/2012  07:58 PM             3,564 clientA.crt  - used in client
12/28/2012  07:58 PM               688 clientA.csr
12/28/2012  07:58 PM               887 clientA.key  - used in client
12/28/2012  08:00 PM               245 dh1024.pem   - used in server
12/28/2012  07:58 PM               205 index.txt
12/28/2012  07:58 PM                21 index.txt.attr
12/28/2012  07:58 PM                 3 serial
12/28/2012  07:56 PM             3,667 server.crt   - used in server
12/28/2012  07:56 PM               688 server.csr
12/28/2012  07:56 PM               887 server.key   - used in server
              14 File(s)         20,226 bytes

Note: ca.key is the CA's private key. It stays on the PKI computer only and is never pasted into the router or copied to a client; anyone holding it can issue certificates that the server will accept.


*************************************************************************************************************************************
PHASE 3, Configuring OpenVPN daemon to accept clients
 

 3.1 Setting up the gateway.
In the Web Interface of the DD-WRT router, go to:
Services>VPN>OpenVPN Server/Daemon>
OpenVPN Server........ =Enable
Start Type..................... =WAN Up
Config via..................... =GUI
Server mode................ =Bridge(TAP)
DHCP-proxy mode..... =Enable
Port................................ =1194
Tunnel Protocol........... =UDP
Encryption Cipher....... =Blowfish CBC
Hash Algorithm........... =SHA1
Advanced Options...... =Enable
TLS Cipher................... =none
LZO Compression...... =Adaptive
Redirect Gateway....... =Disable
Allow Client to Client.. =Enable
Allow duplicate cn...... =Disable
TUN MTU Setting....... =1500

 3.2 Paste the contents of the certificate files (open them with Notepad++):
Public Server Cert...... =server.crt
CA Cert........................ =ca.crt
Private Server Key..... =server.key
DH PEM....................... =dh1024.pem
[Apply Settings]
[Save]

 Fig.1 DD-WRT VPN Server configuration page example.

 3.3 Enable WAN ping reply:
In the Web Interface of the DD-WRT router, go to:
Security>Firewall>Block WAN Requests>Block Anonymous WAN Requests (ping) =false
[Apply Settings]
[Save]

  

*********************************************************************************************************************************

PHASE 4, Configure DDNS (assuming the device is actively connected to the Internet)

 4.1 In the Web Interface of the DD-WRT router, go to:
Setup>DDNS
DDNS Service......... =DynDNS.org (or whatever service is preferred)
User Name.............. =<userid>
Password................ =<password>
Host Name.............. =myhost.dyndns.biz
The rest of the settings are default.
[Apply Settings]
[Save]


 4.2 Check the DDNS Status; it must indicate a successful update.

 4.3 Testing the DDNS service:
PING myhost.dyndns.biz (76.185.84.246): 56 data bytes
64 bytes from 76.185.84.246: icmp_seq=0 ttl=64 time=0.542 ms
64 bytes from 76.185.84.246: icmp_seq=1 ttl=64 time=0.552 ms
64 bytes from 76.185.84.246: icmp_seq=2 ttl=64 time=0.623 ms
64 bytes from 76.185.84.246: icmp_seq=3 ttl=64 time=0.530 ms

--- myhost.dyndns.biz ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.530/0.562/0.623/0.036 ms

 

*********************************************************************************************************************************

PHASE 5, Configuring the OpenVPN client on the remote user's computer.
(Assuming the computer has an Internet connection different from
 the device's connection. In this scenario an iPhone hotspot was used.
 Both the device and the iPhone have their upload speed limited to 128 KB/s by their ISPs.
 Download speed is limited to 1.5 MB/s for the device and 300-400 KB/s for the iPhone.
 Alternatively it is possible to test in isolation with static IP addresses.)


 5.1 Configure the OpenVPN client, in this case Viscosity for OSX
(also available for x86)  http://www.sparklabs.com/viscosity/
Alternatively, the free OpenVPN or Tunnelblick (tested) clients are available.

For the Viscosity client:

General:
Name.................... =TestConnection
Address................ =myhost.dyndns.biz
Port....................... =1194
Protocol................ =UDP
Device.................. =tap
Enable DHCP..... =checked

Authentication:
SSL/TLS
Type...................... =SSL/TLS Client
Use Username.... =false
CA......................... =ca.crt
Cert....................... =clientA.crt
Key........................ =clientA.key

Options: (default, except)
LZO Compression............. =On(Adaptive)

The rest of the settings are default.

[Save]

Fig. 2 Viscosity preferences, General tab configuration.
Fig.3 Viscosity preferences, Authentication tab configuration.
Fig.4 Viscosity preferences, Options tab configuration.
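For the free OpenVPN or Tunnelblick clients mentioned in step 5.1, the same Viscosity settings can be expressed as a plain OpenVPN client configuration file. The following is an added example, not part of the original walkthrough: the host name, port, cipher, hash and PKI file names are the ones used in this document, and the `remote-cert-tls server` line is an addition that answers the "No server certificate verification method has been enabled" warning visible in the client log of step 5.2 (it relies on the server certificate having been made with build-key-server as in step 2.4, and on OpenVPN 2.1 or later on the client).

```conf
# clientA.ovpn - added example, not from the original walkthrough.
# Mirrors the Viscosity settings of step 5.1 (bridged TAP, UDP 1194,
# certificate authentication, adaptive LZO) for the plain OpenVPN client.
client
dev tap
proto udp
remote myhost.dyndns.biz 1194
nobind
persist-key
persist-tun

# PKI files from step 2.7, placed next to this file
ca ca.crt
cert clientA.crt
key clientA.key

# Added hardening: accept only a server certificate that carries the
# server extended key usage which build-key-server sets. This removes the
# "No server certificate verification method has been enabled" warning of
# step 5.2 and prevents another client certificate issued by the same CA
# from being accepted as the server.
remote-cert-tls server

# Must match the server settings of step 3.1 exactly
cipher BF-CBC
auth SHA1
comp-lzo adaptive

# Enable after the MTU test in the Tune-Up section, with the value found there
#fragment 1200
#mssfix

verb 3
```

BF-CBC and SHA1 are kept here only because they must match the DD-WRT page in step 3.1; where both the router build and the client offer it, AES-128-CBC or AES-256-CBC is the stronger cipher choice, again set identically on both ends.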
 5.2 Establishing the OpenVPN tunnel:
Viscosity >Details >Display Log
Viscosity>Connect TestConnection

Dec 29 23:25:10: Viscosity Mac 1.4.2 (1092)
Dec 29 23:25:10: Viscosity OpenVPN Engine Started
Dec 29 23:25:10: Running on Mac OS X 10.6.8
Dec 29 23:25:10: ---------
Dec 29 23:25:10: Checking reachability status of connection...
Dec 29 23:25:11: Connection is reachable. Starting connection attempt.
Dec 29 23:25:13: OpenVPN 2.2.1 x86_64-apple-darwin10.8.0 [SSL] [LZO2] [PKCS11] [eurephia] built on Aug  1 2011
Dec 29 23:25:13: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Dec 29 23:25:13: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Dec 29 23:25:13: LZO compression initialized
Dec 29 23:25:13: UDPv4 link local: [undef]
Dec 29 23:25:13: UDPv4 link remote: 76.185.84.246:1194
Dec 29 23:25:15: [server] Peer Connection Initiated with 76.185.84.246:1194
Dec 29 23:25:19: DHCP enabled on tap interface tap0
Dec 29 23:25:17: TUN/TAP device /dev/tap0 opened
Dec 29 23:25:17: Initialization Sequence Completed


 5.3 OpenVPN DD-WRT device server log:
Serverlog 20121229 23:23:29 I OpenVPN 2.2.1 mipsel-linux [SSL] [LZO2] built on Mar 19 2012
20121229 23:23:29 W NOTE: when bridging your LAN adapter with the TAP adapter note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to
20121229 23:23:29 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
20121229 23:23:29 Diffie-Hellman initialized with 1024 bit key
20121229 23:23:29 W WARNING: file '/tmp/openvpn/key.pem' is group or others accessible
20121229 23:23:29 TLS-Auth MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
20121229 23:23:29 Socket Buffers: R=[114688->131072] S=[114688->131072]
20121229 23:23:29 I TUN/TAP device tap0 opened
20121229 23:23:29 TUN/TAP TX queue length set to 100
20121229 23:23:32 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
20121229 23:23:33 I UDPv4 link local (bound): [undef]:1194
20121229 23:23:33 I UDPv4 link remote: [undef]
20121229 23:23:33 MULTI: multi_init called r=256 v=256
20121229 23:23:33 I Initialization Sequence Completed
.
.
.
20121229 23:25:13 MULTI: multi_create_instance called
20121229 23:25:13 I 166.137.122.84:33224 Re-using SSL/TLS context
20121229 23:25:13 I 166.137.122.84:33224 LZO compression initialized
20121229 23:25:13 166.137.122.84:33224 Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
20121229 23:25:13 166.137.122.84:33224 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
20121229 23:25:13 166.137.122.84:33224 Local Options String: 'V4 dev-type tap link-mtu 1574 tun-mtu 1532 proto UDPv4 comp-lzo cipher BF-CBC auth SHA1 keysize 128 key-method 2 tls-server'
20121229 23:25:13 166.137.122.84:33224 Expected Remote Options String: 'V4 dev-type tap link-mtu 1574 tun-mtu 1532 proto UDPv4 comp-lzo cipher BF-CBC auth SHA1 keysize 128 key-method 2 tls-client'
20121229 23:25:13 166.137.122.84:33224 Local Options hash (VER=V4): 'f7df56b8'
20121229 23:25:13 166.137.122.84:33224 Expected Remote Options hash (VER=V4): 'd79ca330'
20121229 23:25:13 166.137.122.84:33224 TLS: Initial packet from 166.137.122.84:33224 sid=6558b6ae 860a5b37
20121229 23:25:15 166.137.122.84:33224 VERIFY OK: depth=1 /C=US/ST=TX/L=Frisco/O=AAT/OU=IT/CN=AAT-CA/emailAddress=user@host.domain
20121229 23:25:15 166.137.122.84:33224 VERIFY OK: depth=0 /C=US/ST=TX/O=AAT/OU=IT/CN=clientA/emailAddress=peter.tiagunov@leanmes.net
20121229 23:25:15 166.137.122.84:33224 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
20121229 23:25:15 166.137.122.84:33224 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
20121229 23:25:15 166.137.122.84:33224 NOTE: --mute triggered...
20121229 23:25:15 166.137.122.84:33224 3 variation(s) on previous 5 message(s) suppressed by --mute
20121229 23:25:15 I 166.137.122.84:33224 [clientA] Peer Connection Initiated with 166.137.122.84:33224
20121229 23:25:15 N clientA/166.137.122.84:33224 MULTI: no dynamic or static remote --ifconfig address is available for clientA/166.137.122.84:33224
20121229 23:25:17 clientA/166.137.122.84:33224 PUSH: Received control message: 'PUSH_REQUEST'
20121229 23:25:17 clientA/166.137.122.84:33224 SENT CONTROL [clientA]: 'PUSH_REPLY ping 10 ping-restart 120' (status=1)
20121229 23:25:19 clientA/166.137.122.84:33224 MULTI: Learn: b6:57:9c:50:da:e9 -> clientA/166.137.122.84:33224



Fig.5 Viscosity client connection log.

 5.4 Ping a host located on the home physical network from the connected OpenVPN client computer:
PING 192.168.1.13 (192.168.1.13): 56 data bytes
64 bytes from 192.168.1.13: icmp_seq=0 ttl=64 time=572.409 ms
64 bytes from 192.168.1.13: icmp_seq=1 ttl=64 time=540.135 ms
64 bytes from 192.168.1.13: icmp_seq=2 ttl=64 time=541.507 ms
64 bytes from 192.168.1.13: icmp_seq=3 ttl=64 time=570.463 ms
64 bytes from 192.168.1.13: icmp_seq=4 ttl=64 time=580.553 ms
64 bytes from 192.168.1.13: icmp_seq=5 ttl=64 time=555.860 ms
64 bytes from 192.168.1.13: icmp_seq=6 ttl=64 time=560.594 ms
64 bytes from 192.168.1.13: icmp_seq=7 ttl=64 time=630.441 ms
64 bytes from 192.168.1.13: icmp_seq=8 ttl=64 time=579.038 ms
64 bytes from 192.168.1.13: icmp_seq=9 ttl=64 time=570.613 ms

--- 192.168.1.13 ping statistics ---
10 packets transmitted, 10 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 540.135/570.161/630.441/24.175 ms


 5.5 Ping the connected OpenVPN client computer from a host located on the home network:
PING 192.168.1.128 (192.168.1.128): 56 data bytes
64 bytes from 192.168.1.128: icmp_seq=0 ttl=64 time=580.635 ms
64 bytes from 192.168.1.128: icmp_seq=1 ttl=64 time=619.437 ms
64 bytes from 192.168.1.128: icmp_seq=2 ttl=64 time=575.240 ms
64 bytes from 192.168.1.128: icmp_seq=3 ttl=64 time=701.715 ms
64 bytes from 192.168.1.128: icmp_seq=4 ttl=64 time=607.847 ms
64 bytes from 192.168.1.128: icmp_seq=5 ttl=64 time=596.239 ms
64 bytes from 192.168.1.128: icmp_seq=6 ttl=64 time=684.345 ms
64 bytes from 192.168.1.128: icmp_seq=7 ttl=64 time=730.680 ms
64 bytes from 192.168.1.128: icmp_seq=8 ttl=64 time=583.770 ms
64 bytes from 192.168.1.128: icmp_seq=9 ttl=64 time=544.142 ms

--- 192.168.1.128 ping statistics ---
10 packets transmitted, 10 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 544.142/622.405/730.680/58.603 ms


Important! Only the client's outgoing traffic destined for the 192.168.1.0/24 network enters the tunnel; all other traffic bypasses it. If needed, the client can be configured to send all of its traffic through the tunnel (not covered in this document).
Fig.6 Viscosity chart, upload and download 1MB file to and from the host located on the home physical network.

 5.7 Wrapping up. Do not forget to apply the critical settings applicable to your individual scenario, e.g.
Wi-Fi security, mode and tuning of the output TX power if necessary. It is recommended to change the default username and password for DD-WRT device GUI administration access. Once OpenVPN has been tested successfully, the reply to ping on WAN (step 3.3) may be disabled again.


Sources used to write this walkthrough:


Tune-Up. Fragmentation.

When communicating over wireless providers, delays and lags in communication were observed.
The root cause was identified as packet fragmentation: while the default MTU is 1500 bytes,
the wireless provider may reduce the usable size for UDP to 1200-1400 bytes.

A simple MTU test was performed to verify the MTU settings.
Fig.7 mtu-test command in Advanced tab of Viscosity OpenVPN client.

Open the Viscosity preferences window, select the connection and add the mtu-test command (Fig.7).
Open the Viscosity Details window and select the log for the target connection.
Initiate the connection. Among other entries, the log will contain the following information:

 Jan 2 09:06:49: NOTE: Beginning empirical MTU test -- results should be available in 3 to 4 minutes.
...
Jan 2 09:09:49: NOTE: Empirical MTU test completed [Tried,Actual] local->remote=[1573,1573] remote->local=[1429,1277]
Jan 2 09:09:49: NOTE: This connection is unable to accomodate a UDP packet size of 1573. Consider using --fragment or --mssfix options as a workaround.


The "1277" value is the clue (assuming the default fragmentation values were in use on both server and client before the test).
Set the client fragment size to a number slightly lower than "1277", e.g. "1200" (Fig.8).
Fig.8 OpenVPN client fragmentation settings.

Set the server fragment size likewise (Fig.9, which shows part of the VPN server configuration interface depicted in Fig.1).
Fig.9 DD-WRT OpenVPN fragmentation settings.

Once both configurations (server and client) were updated and mtu-test was disabled in the client configuration, connectivity showed no more issues, demonstrating excellent integrity and stability.
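Reading the MTU test result can be automated. The following is an added example (not part of the original walkthrough) that extracts both "Actual" values from the "Empirical MTU test completed" line, takes the smaller one and rounds it down to the next lower multiple of 100, which reproduces the 1277 to 1200 choice made above. The rounding rule is an assumption of this example, not something the document prescribes; the sample log lines are the three shown in this section.

```shell
#!/bin/sh
# Added example, not from the original walkthrough: turn the result line of
# OpenVPN's --mtu-test into a --fragment value to set on client and server.

# Print the smaller of the two "Actual" figures, e.g. 1277 for
# "local->remote=[1573,1573] remote->local=[1429,1277]".
# Prints nothing if the line is not an "Empirical MTU test completed" result.
mtu_test_min_actual() {
    printf '%s\n' "$1" |
    sed -n 's/.*local->remote=\[[0-9]*,\([0-9]*\)\] remote->local=\[[0-9]*,\([0-9]*\)\].*/\1 \2/p' |
    awk '{ m = $1; if ($2 + 0 < m + 0) m = $2; print m }'
}

# Assumed policy: round the smaller Actual value down to the next lower
# multiple of 100, giving a fragment size "slightly lower" than the measured
# limit (1277 -> 1200, 1300 -> 1200). Returns 1 when no result line was given.
recommend_fragment() {
    actual=$(mtu_test_min_actual "$1")
    if [ -z "$actual" ]; then
        return 1
    fi
    echo $(( (actual - 1) / 100 * 100 ))
}

# Scan a whole client log for the first result line and recommend from it.
recommend_fragment_from_log() {
    line=$(printf '%s\n' "$1" | grep 'Empirical MTU test completed' | head -n 1)
    recommend_fragment "$line"
}

# Constructed sample: the three log lines shown in the Tune-Up section.
MTU_LOG='Jan 2 09:06:49: NOTE: Beginning empirical MTU test -- results should be available in 3 to 4 minutes.
Jan 2 09:09:49: NOTE: Empirical MTU test completed [Tried,Actual] local->remote=[1573,1573] remote->local=[1429,1277]
Jan 2 09:09:49: NOTE: This connection is unable to accomodate a UDP packet size of 1573. Consider using --fragment or --mssfix options as a workaround.'

# Usage: feed the saved Viscosity/OpenVPN client log, e.g.
#   recommend_fragment_from_log "$(cat client.log)"
if frag=$(recommend_fragment_from_log "$MTU_LOG"); then
    echo "set 'fragment $frag' (plus mssfix) on both the client and the DD-WRT server"
else
    echo "no MTU test result found in the log"
fi
```

Both directions are considered because either side may sit behind the more restrictive provider; the walkthrough's own case is the remote-to-local direction, which is why 1277 rather than 1573 drives the recommendation.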

Thank you!
Copyright (C) 2012 Agile Automation Technology LLC