OpenVPN client on DD-WRT / Netgear WNDR 3800

Last updated July 22, 2019

This is a terse guide on how to install DD-WRT on your Netgear WNDR 3800 router / access point and set up its OpenVPN client.

It worked for me, but it's not guaranteed to work for you. Continue at your own risk.

Oh, and use a cable plugged into one of the LAN ports. It will make the process much simpler.

Do a hard reset on the router to restore factory defaults.

The router will be flashed, and all settings will be gone anyway. Starting from factory defaults gives a smaller chance of bricking the device.

Press the reset pinhole with a needle or some other thin object and keep it pressed for 5 seconds, until the power light starts blinking amber / orange.

Download the 1.0.0.16 firmware

Download the 1.0.0.16 firmware from Netgear. It’s the last known firmware allowing flashing with a non-signed image.

Download the latest DD-WRT version

Have a look at the folder in the betas section. Go to the latest year, and then the latest month. Locate netgear-wndr3800 in the list and download wndr3800-factory.img.

Install DD-WRT

Open the management interface of your router; it should be at 192.168.1.1. The default credentials are admin and password.

Open Administration -> Firmware Upgrade -> Choose file.

Select the downloaded image (wndr3800-factory.img), and install it.

After about 5 minutes the process should be completed. Do NOT power cycle the device. Doing so will probably brick it.

Configure DD-WRT

For some reason, DD-WRT defaults to starting the WiFi radio without any encryption. With the cable still connected to the LAN ports, open the management interface at 192.168.1.1. On the first screen, you can set the username and password you'll use to log on later. Do not forget either the username or the password. The only way to recover is to reset the device.

Under Wireless -> Basic Settings, set the access point names you’d like.

Under Wireless -> Wireless Security set the security options you prefer. WPA2 Personal with AES algorithm is a sufficient setup, until WPA3 becomes available during 2019-2020.

OpenVPN client

Usually the router will run the OpenVPN server, but in this case I was travelling and needed a safe connection. The advantage is that every device connecting through the WiFi router won’t have to have OpenVPN installed and configured. It’s only necessary to configure one client, the WiFi router.

OpenVPN client will run on the router, connecting to another OpenVPN server running on a Linux box elsewhere.

Add client to the server

For completeness, the instructions on how to add a new client to an existing OpenVPN server running on Gentoo Linux are as follows (for my system):

Service name

It is possible to run multiple OpenVPN services under Gentoo, and as such, they have their own names. To simplify, I’m using the variable $vpn for this.

$ export vpn="vpn"

Generate client certificates

$ cd /etc/openvpn/$vpn/easy-rsa
$ source vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/vpn/easy-rsa/keys
$ ./build-key routerclient

At this point, you’ll be filling out a certificate for your own use. Answer the questions.

Configure the router

Configuring OpenVPN on the router is pretty straightforward if you've configured any OpenVPN clients or servers before.

Most of the settings are self-explanatory. It's important that the client settings are identical to the server settings.

  • Server IP/hostname and port. Config options local and port.
  • Tunnel device (TUN or TAP). Config option dev.
  • Protocol. UDP is strongly recommended with OpenVPN. Config option proto.

If you’re using a static key file, most commonly called ta.key with configuration option tls-auth, the advanced settings have to be enabled and the contents of ta.key must be pasted into the field TLS Auth Key.

| Config option | Usual filename | DD-WRT OpenVPN GUI Option | Starts with |
|---|---|---|---|
| tls-auth | ta.key | TLS-Auth | -----BEGIN OpenVPN Static key V1----- |
| ca | ca.crt | CA Cert | -----BEGIN CERTIFICATE----- |
| cert | $vpn.crt | Public Client Cert | -----BEGIN CERTIFICATE----- |
| key | $vpn.key | Private Client Key | -----BEGIN PRIVATE KEY----- |
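
A pre-paste check for the four files in the table above, as an added example that is not part of the original guide. It drops any comment lines or certificate text dump that precede the armored block, then compares the block's first line with the expected header. The function names, the single-directory layout and the placeholder sample files are assumptions; routerclient is the client name from the build-key step.

```shell
#!/bin/sh
# Added example, not from the original guide. Expected first lines come from
# the table above; the function names and sample files are assumptions.

# Print only the armored block (BEGIN line through END line) of a file,
# dropping '#' comments or certificate text dumps that precede it.
pem_block() {
    awk '/^-----BEGIN /{p=1} p{print} p&&/^-----END /{exit}' "$1"
}

# Succeed only if the armored block in file $1 opens with header $2.
check_field() {
    [ "$(pem_block "$1" | head -n 1)" = "$2" ]
}

# Check the four files in directory $1 for client name $2.
# Prints one line per GUI field; returns the number of mismatches.
check_all() {
    dir=$1 name=$2 bad=0
    while IFS='|' read -r field file header; do
        if check_field "$dir/$file" "$header"; then
            echo "ok    $field <- $file"
        else
            echo "FAIL  $field <- $file (expected $header)"
            bad=$((bad + 1))
        fi
    done <<EOF
TLS Auth Key|ta.key|-----BEGIN OpenVPN Static key V1-----
CA Cert|ca.crt|-----BEGIN CERTIFICATE-----
Public Client Cert|$name.crt|-----BEGIN CERTIFICATE-----
Private Client Key|$name.key|-----BEGIN PRIVATE KEY-----
EOF
    return "$bad"
}

# Constructed placeholder files (no real key material) for a dry run.
make_samples() {
    printf '%s\n' '# 2048 bit OpenVPN static key' \
        '-----BEGIN OpenVPN Static key V1-----' 'PLACEHOLDER' \
        '-----END OpenVPN Static key V1-----' > "$1/ta.key"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER' \
        '-----END CERTIFICATE-----' > "$1/ca.crt"
    printf '%s\n' 'Certificate:' '    Data:' '-----BEGIN CERTIFICATE-----' \
        'PLACEHOLDER' '-----END CERTIFICATE-----' > "$1/routerclient.crt"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'PLACEHOLDER' \
        '-----END PRIVATE KEY-----' > "$1/routerclient.key"
}
```

Run check_all with the directory holding the four files and the client name; the output of pem_block for each file is the text that goes into the matching GUI field.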

If there are additional options not covered by the GUI, they go into Additional Config. Custom values for sndbuf and rcvbuf go there.

One final option: NAT must be enabled if you're going to connect to anything behind the VPN.

Start

Press Save, and then Apply. Hopefully it will connect to your OpenVPN server.