
Tux&Cía. Technical Log, Santa Cruz de la Sierra, BO

Wednesday, November 7, 2012

Install and configure OpenVPN on your DD-WRT Router

First: (READ: install and configure OpenVPN, create the certificates, transfer them to the DD-WRT router)
Does anybody know which iptables rule(s), if any, I need to add/remove in order to allow my OpenVPN clients to use my LAN's local DNS server as well?
Some key info:
-DD-WRT v24-sp2 (12/20/11) vpn-small (SVN revision 18024)
-Router: Linksys WRT160Nv3
-Local-Gateway / Local-DNS :
-"No DNS Rebind" option is Disabled
-Redirect Gateway is enabled, so that all traffic is routed through the VPN.
-I did add push "dhcp-option DNS" on the OpenVPN server.
-Local DNS works fine on LAN
-I can ping from LAN to OpenVPN-LAN and vice versa. Yes, ping to local-DNS ( also works.
I'm currently able to access the Internet over the VPN, but only if I either use an external (public) DNS or use plain IP addresses (no DNS at all). That is, the VPN clients fail to resolve with the local DNS. I suspect either DNS requests or DNS replies are being dropped by iptables (?)
Can anybody shed some light?

OK, actually I found a solution for what I wanted. So I thought I'd post it here as a potential future reference for others...
Note: I won't write much details, I'll assume some technical expertise... also, please do realize the previous post has all the key info to follow this one.
1 Granting your OpenVPN clients Internet access:
You need to NAT the OpenVPN traffic properly with the following iptables rule; just save it as Firewall under the Administration - Commands tab.
iptables -t nat -A POSTROUTING -s -o vlan2 -j SNAT --to-source $(nvram get wan_ipaddr)
2 Getting DNSMasq to resolve for your OpenVPN clients:
You need to tell DNSMasq to also listen on your virtual (OpenVPN) LAN by adding this flag in "Additional DNSMasq Options" under your Services - Services tab.
I recently happened to upgrade to a WRT160NL router [firmware: DD-WRT v24-sp2 (07/20/12) std]. In this router the interfaces bear different names. So, in order to maintain the same scenario as described above, you need to update the instructions in my first post as follows:
In 1/: replace vlan2 by ethx, where ethx = your WAN interface (in my case: eth1), i.e. your public IP
In 2/: replace tun0 by tunx, where tunx = your local OpenVPN interface (in my case: tun2), i.e.
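Putting the three posts together, here is a complete DD-WRT Firewall script. It is an added example, not code from the original posts. It keeps the SNAT rule from step 1 but reads the WAN interface from `nvram get wan_ifname` instead of hardcoding vlan2 or eth1, so the same script survives the firmware change described in the last post; it adds INPUT rules so DNS queries arriving on the tun interface are not dropped before they reach dnsmasq (step 2 still needs the standard dnsmasq directive `interface=tun0`, or your tunx, in Additional DNSMasq Options); and it refuses to build a rule when the WAN address is empty. The VPN subnet 10.8.0.0/24, the fallback values used when nvram is absent, and the ppp0 remark are assumptions of this example, not facts from the page.

```sh
#!/bin/sh
# Added example (not code from the original posts): a DD-WRT "Firewall" script
# implementing steps 1 and 2 above. The WAN interface name comes from nvram, so
# the script works on a build that calls the WAN port vlan2 and on one that
# calls it eth1.
#
# Assumptions, none of which come from the page:
#   VPN_NET  OpenVPN server subnet; 10.8.0.0/24 is OpenVPN's documented default
#   VPN_IF   tun interface of the OpenVPN server (tun0, or tun2 on the WRT160NL build)
#   WAN_IF / WAN_IP  fallbacks used only when nvram is absent, i.e. when the
#            script is dry-run on a workstation instead of the router

VPN_NET="${VPN_NET:-10.8.0.0/24}"
VPN_IF="${VPN_IF:-tun0}"

# WAN interface and address: read from nvram on DD-WRT, otherwise use the
# fallbacks. On a PPPoE WAN traffic leaves ppp0 rather than wan_ifname, so
# override with WAN_IF=ppp0 in that case.
wan_if() {
    if command -v nvram >/dev/null 2>&1; then
        nvram get wan_ifname
    else
        printf '%s\n' "${WAN_IF:-vlan2}"
    fi
}

wan_ip() {
    if command -v nvram >/dev/null 2>&1; then
        nvram get wan_ipaddr
    else
        printf '%s\n' "${WAN_IP:-203.0.113.10}"   # RFC 5737 documentation address
    fi
}

# Print the iptables commands, one per line, without running them. Keeping
# generation separate from execution lets you review the rules before they go
# on the router and check them in a test.
vpn_rules() {
    wif=$(wan_if)
    wip=$(wan_ip)
    if [ -z "$wif" ] || [ -z "$wip" ]; then
        echo "wan_ifname or wan_ipaddr is empty (WAN not up?); no rules built" >&2
        return 1
    fi
    # Step 1: source-NAT VPN client traffic leaving the WAN interface to the public IP.
    printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j SNAT --to-source %s\n' \
        "$VPN_NET" "$wif" "$wip"
    # Step 2: accept DNS from VPN clients on the tun interface only, so that once
    # dnsmasq listens there (interface=tun0) the queries are not dropped by the
    # INPUT chain. Matching on -i $VPN_IF keeps port 53 closed towards the WAN.
    printf 'iptables -I INPUT -i %s -p udp --dport 53 -j ACCEPT\n' "$VPN_IF"
    printf 'iptables -I INPUT -i %s -p tcp --dport 53 -j ACCEPT\n' "$VPN_IF"
    # Let VPN clients reach the LAN and the Internet, and let replies come back.
    printf 'iptables -I FORWARD -i %s -j ACCEPT\n' "$VPN_IF"
    printf 'iptables -I FORWARD -o %s -m state --state RELATED,ESTABLISHED -j ACCEPT\n' "$VPN_IF"
}

# Execute the generated rules; this is what happens when the script is saved
# as Firewall under Administration > Commands and DD-WRT runs it.
apply_vpn_rules() {
    vpn_rules | while IFS= read -r rule; do
        eval "$rule"
    done
}

# With no argument the script applies the rules when run on the router (nvram
# present) and only prints them elsewhere; "print" forces a dry run anywhere.
if [ "${1:-}" != "print" ] && command -v nvram >/dev/null 2>&1; then
    apply_vpn_rules
else
    vpn_rules
fi
```

Run it with `print` on the router first to see the exact rules before saving it as the Firewall script. SNAT to a fixed `--to-source` is what the original post used; if your WAN address changes (DHCP or PPPoE), `-j MASQUERADE` on the same match avoids a stale source address should the script not be re-run after a reconnect.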

1 comment:

Tomás said...
Sorry to disturb you.
Is it possible to share your wrt160nl config file?

I just can't set the WAN port to work since I upgraded
the firmware. It gets an IP on the GUI page, but I can't access the internet using the other 4 ports.
And it never worked fine with v24 sp2 stable either.

Any suggestion is welcome too.

Thank you