Quick Links

A few weeks ago we covered installing Tomato, an open-source router firmware, on your Linksys WRT54GL. Today we'll be going over how to install OpenVPN alongside Tomato, and setting it up to access your home network from anywhere in the world!

What is OpenVPN?

A virtual private network (VPN) is a trusted, secure connection between one local area network (LAN) and another. Think of your router as the middle man between the networks that you're connecting to. Both your computer and the OpenVPN server (your router in this case) "shake hands" using certificates that validate each other. Upon validation, both the client and server agree to trust each other and the client is then allowed access on the server's network.

Typically, VPN software and hardware cost a lot of money to implement. If you haven't guessed it already, OpenVPN is an open-source VPN solution that is (drum roll) free. Tomato, alongside OpenVPN, is a perfect solution for those who want a secured connection between two networks without having to open their wallet. Of course, OpenVPN won't work right out of the box. It takes a little bit of tweaking and configuring to get it just right. Not to worry though; we're here to make that process easier for you, so grab yourself a warm cup of coffee and let's get started.

For more information about OpenVPN, visit the official What Is OpenVPN? page.

Prerequisites

This guide assumes that you are currently running Windows 7 on your PC and that you're using an administrative account. If you're a Mac or Linux user, this guide will give you an idea of how things work, however, you may have to do a little more research on your own to get things perfect. Also, we will be installing a special version of Tomato called TomatoUSB VPN on a Linksys WRT54GL version 1.1 router. To find out if your router is compatible with TomatoUSB check out their Build Types page.

The beginning of this guide assumes you have either:

  1. the original Linksys firmware installed on your router or
  2. the Tomato firmware we described in our last article

Take note of the text above certain steps indicating whether it's for Linksys firmware or Tomato firmware.

Installing TomatoUSB

In a previous article we discussed how to install the original Tomato v1.28 firmware from PolarCloud's website. Unfortunately, that version of Tomato didn't come with OpenVPN support, so we'll be installing a newer version called TomatoUSB VPN.

The first thing you'll want to do is head over to the TomatoUSB homepage and click the Download Tomato USB link.

Download VPN under the Kernel 2.4 (stable) section. Save the .rar file to your computer.

You'll need a program to extract the .rar file. We suggest using WinRAR since it's free to try and easy to use. You can download yourself a copy of the free version on their website. After installing WinRAR, right click on the file you downloaded and click Extract Here. You should then see two files called CHANGELOG and tomato-NDUSB-1.28.8754-vpn3.6.trx.

If you're running Linksys firmware...

Open up your browser and enter in your router's IP address (default is 192.168.1.1). You'll be prompted for a username and password. The defaults for a Linksys WRT54GL are "admin" and "admin".

Click the Administration tab at the top. Next, click Firmware Upgrade as seen below.

tomato2

Click the Browse button and navigate to the extracted TomatoUSB VPN files. Select the tomato-NDUSB-1.28.8754-vpn3.6.trx file, and click the Upgrade button in the web interface. Your router will start installing TomatoUSB VPN, and should take less than a minute to complete. After about a minute, open up a command prompt and type ipconfig --release to determine your router's new IP address. Then type ipconfig --renew. The IP address to the right of Default Gateway... is your router's IP address.

tomatoovpn11

Note: After installing Tomato go to Administration > Configuration and select "Erase all NVRAM...".

If you're running Tomato firmware...

Open up your browser and enter in your router's IP address. We assume that if you installed Tomato, you know the IP address of your router. If you're not sure, then it's probably set to the default of 192.168.1.1. After, type in your username and password.

Although it's not required, you may want to backup your current Tomato configuration before upgrading to TomatoUSB VPN, just in case. To save your configuration, navigate to Administration > Configuration and click the Backup button. This will prompt you to save the .cfg file to your computer.

Now it's time to upgrade Tomato to TomatoUSB VPN. Click Upgrade in the left column and click the Choose File button. Navigate to the files we extracted earlier and choose the tomato-NDUSB-1.28.8754-vpn3.6.trx file. Then click the upgrade button.

You'll be asked to confirm the upgrade; just click OK.

Your router will begin uploading the new firmware and will restart within a minute.

It may have the same or a different IP address after it restarts. In our case, the router configuration was still the same therefore our IP address was still the same. To determine your router's new IP address, open up a command prompt and type ipconfig --release. Then type ipconfig --renew. The IP address to the right of Default Gateway... is your router's address. If your configuration is set back to the defaults, go back to the Configuration page (Administration > Configuration) and click the Choose File button under Restore Configuration. Browse for the .cfg file you saved to your computer earlier and click the Restore button.

Configuring OpenVPN

Whether you had Linksys firmware or Tomato firmware installed, you should now have the new TomatoUSB VPN installed on your router. You'll notice a few new menus in the left column including Web Usage, USB and NAS, and VPN Tunneling. For this guide, we're only concerned with the VPN Tunneling menu so go ahead and click VPN Tunneling. Keep this browser window open; We'll be coming back to it shortly.

Now let's head over to OpenVPN's Downloads page and download the OpenVPN Windows Installer. In this guide, we'll be using the second latest version of OpenVPN called 2.1.4. The latest version (2.2.0) has a bug in it that would make this process even more complicated. The file we're downloading will install the OpenVPN program that allows you to connect to your VPN network, so be sure to install this program on any other computers that you want to act as clients (as we'll be seeing how to do that later). Save the openvpn-2.1.4-install .exe file to your computer.

tomatoovpn17

Navigate to the OpenVPN file we just downloaded and double click it. This will begin the installation of OpenVPN on your computer. Run through the installer with all the defaults checked. During the installation, a dialog box will pop up asking to install a new virtual network adapter called TAP-Win32. Click the Install button.

tomatoovpn18

Now that you have OpenVPN installed on your computer, we have to start creating the certificates and keys to authenticate devices.

Creating the Certificates and Keys

Click the Windows Start button and navigate under Accessories. You'll see the Command Prompt program. Right click on it and click Run as administrator.

tomatoovpn12

In the command prompt, type cd c:\Program Files (x86)\OpenVPN\easy-rsa if you're running 64-bit Windows 7 as seen below. Type cd c:\Program Files\OpenVPN\easy-rsa if you're running 32-bit Windows 7. Then hit Enter.

tomatoovpn13

Now type init-config and hit Enter to copy two files called vars.bat and openssl.cnf into the easy-rsa folder. Keep your command prompt up as we'll be coming back to it shortly.

tomatoovpn14

Navigate to C:\Program Files (x86)\OpenVPN\easy-rsa (or C:\Program Files\OpenVPN\easy-rsa on 32-bit Windows 7) and right click on the file called vars.bat. Click Edit to open it up in Notepad. Alternatively, we recommend opening this file with Notepad++ as it formats the text in the file much better. You can download Notepad++ from their homepage.

tomatoovpn15

The bottom portion of the file is what we are concerned with. Starting at line 31, change the KEY_COUNTRY value, KEY_PROVINCE value, etc. to your country, province, etc. For example, we changed our province to "IL", city to "Chicago", org to "HowToGeek", and email to our own email address. Also, if you're running Windows 7 64-bit, change the HOME value in line 6 to %ProgramFiles (x86)%\OpenVPN\easy-rsa. Do not change this value if you're running 32-bit Windows 7. Your file should look similar to ours below (with your respective values, of course). Save the file by overwriting it once you're done editing.

tomatoovpn16

Go back to your command prompt and type vars and hit Enter. Then type clean-all and hit Enter. Finally, type build-ca and hit Enter.

tomatoovpn19

After executing the build-ca command, you will be prompted to enter in your Country Name, State, Locality, etc. Since we already set up these parameters in our vars.bat file, we can skip past these options by hitting Enter, but! Before you start slamming away at the Enter key, watch out for the Common Name parameter. You can enter anything in this parameter (i.e. your name). Just make sure you enter something. This command will output two files (a Root CA certificate and a Root CA key) in the easy-rsa/keys folder.

tomatoovpn20

Now we're going to build a key for a client. In the same command prompt type build-key client1. You can change "client1" to anything you'd like (i.e. Acer-Laptop). Just be sure to enter the same name as the Common Name when prompted. For example, when you run the command build-key Acer-Laptop, your Common Name should be "Acer-Laptop". Run through all the defaults like the last step we did (except for Common Name, of course). However, at the end you will be asked to sign the certificate and to commit. Type "y" for both and click Enter.

Also, don't worry if you received the "unable to write 'random state'" error. I've noticed that your certificates still get made without a problem. This command will output two files (a Client1 Key and a Client1 Certificate) in the easy-rsa/keys folder. If you want to create another key for another client, repeat the previous step, but be sure to change the Common Name.

tomatoovpn21

The last certificate we'll be generating is the server key. In the same command prompt, type build-key-server server. You can replace "server" at the end of the command with anything you'd like (i.e. HowToGeek-Server). As always, be sure to enter the same name as the Common Name when prompted. For example, when you run the command build-key-server HowToGeek-Server, your Common Name should be "HowToGeek-Server". Hit Enter and run through all the defaults except Common Name. At the end, type "y" to sign the certificate and commit. This command will output two files (a Server Key and a Server Certificate) in the easy-rsa/keys folder.

tomatoovpn22

Now we have to generate the Diffie Hellman parameters. The Diffie Hellman protocol "allows two users to exchange a secret key over an insecure medium without any prior secrets". You can read more about Diffie Hellman on RSA's website.

In the same command prompt type build-dh. This command will output one file (dh1024.pem) in the easy-rsa/keys folder.

tomatoovpn23

Creating the Configuration Files for the Client

Before we edit any configuration files, we should set up a dynamic DNS service. Use this service if your ISP issues you a dynamic external IP address every so often. If you have a static external IP address, skip down to the next step.

We suggest using DynDNS.com, a service that allows you to point a hostname (i.e. howtogeek.dyndns.org) to a dynamic IP address. It's important for OpenVPN to always know your network's public IP address, and by using DynDNS, OpenVPN will always know how to locate your network no matter what your public IP address is. Sign up for a hostname and point it to your public IP address. Once you've signed up for the service, don't forget to set up the auto-update service in Tomato under Basic > DDNS.

Now back to configuring OpenVPN. In Windows Explorer, navigate to C:\Program Files (x86)\OpenVPN\sample-config if you're running 64-bit Windows 7 or C:\Program Files\OpenVPN\sample-config if you're running 32-bit Windows 7. In this folder you will find three sample configuration files; we're only concerned with the client.ovpn file.

tomatoovpn24

Right click on client.ovpn and open it with Notepad or Notepad++. You'll notice your file will look like the picture below:

tomatoovpn26

However, we want our client.ovpn file to look similar to this picture below. Be sure to change the DynDNS hostname to your hostname in line 4 (or change it to your public IP address if you have a static one). Leave the port number to 1194 as it is the standard OpenVPN port. Also, be sure to change lines 11 and 12 to reflect the name of your client's certificate file and key file. Save this as new file .ovpn file in the OpenVPN/config folder.

tomatoovpn25

Configuring Tomato's VPN Tunneling

The basic idea now is to copy the server certificates and keys we made earlier and paste them into the Tomato VPN server menus. Then we will check a few settings in Tomato, test the VPN connection, and then we'll be able to wash our hands and call it a day!

Open up a browser and navigate to your router. Click the VPN Tunneling menu in the left sidebar. Make sure Server1 and Basic are selected, too. Set up your settings exactly as they appear below. Click Save.

Update: The default mode is TUN, or tunnel, but you probably want to change it to TAP, which bridges the network instead.  The tunnel mode will put your external clients on a different network than the internal network. So definitely change Interface Type to TAP instead.

tomatoovpn27

Next, click the Advanced tab next to Basic. Just like before, make sure your settings are exactly as they appear below. Click Save.

tomatoovpn28

Our last step is pasting the keys and certificates we originally created. Open up the Keys tab next to Advanced. In Windows Explorer, navigate to C:\Program Files (x86)\OpenVPN\easy-rsa\keys on 64-bit Windows 7 (or C:\Program Files\OpenVPN\easy-rsa\keys on 32-bit Windows 7). Open each corresponding file below (ca.crt, server.crt, server.key, and dh1024.pem) with Notepad or Notepad++ and copy the contents. Paste the contents in the corresponding boxes as seen below. I should note that you only need to paste everything below -----BEGIN CERTIFICATE----- in the server.crt. OpenVPN will still work properly if you paste the entire file, but it's more "clean" only pasting the actual certificate info. Click Save and then click Start Now.

tomatoovpn29

Before we test our VPN connection, there's one more thing we have to check inside of Tomato. Click Basic in the left hand column and then Time. Be sure that the Router Time is correct and Time Zone displays your current time zone. Set the NTP Time Server to your country.

tomatoovpn30

Setting Up an OpenVPN Client

In this example we will be using a Windows 7 laptop as our client. The first thing you'll want to do is install OpenVPN on your client like we did above in the first steps under Configuring OpenVPN. Then navigate to C:\Program Files\OpenVPN\config which is where we'll be pasting our files.

Now we have to go back on our original computer and collect a total of four files to copy over to our client laptop. Navigate to C:\Program Files (x86)\OpenVPN\easy-rsa\keys again and copy ca.crt, client1.crt, and client1.key. Paste these files in the client's config folder.

tomatoovpn31

Finally, we need to copy one more file over. Navigate to C:\Program Files (x86)\OpenVPN\config and copy over the new client.ovpn file we created earlier. Paste this file in the client's config folder also.

Testing the OpenVPN Client

On the client laptop, click the Windows Start button and navigate to All Programs > OpenVPN. Right click on the OpenVPN GUI file and click Run as administrator. Note that you must always run OpenVPN as an administrator in order for it to work properly. To permanently set the file to always run as administrator, right click the file and click Properties. Under the Compatibility tab check Run this program as an administrator.

tomatoovpn32

The OpenVPN GUI icon will appear next to the clock in the taskbar. Right click the icon and click Connect. Since we only have one .ovpn file in our config folder, OpenVPN will connect to that network by default.

tomatoovpn33

A dialog box will pop up displaying a connection log.

tomatoovpn34

Once you're connected to the VPN, the OpenVPN icon in the taskbar will turn green and will display your virtual IP address.

tomatoovpn35

And that's it! You now have a secured connection between your server and client's network using OpenVPN and TomatoUSB. To further test the connection, try opening a browser on the client laptop and navigating to your Tomato router on the server's network.

Image by The Ewan