This may seem like a long post but it’s mostly screenshots, sprinkled with some ‘how-to’ stuff. I know how you guys like pictures. 🙂
In this section, we’re going to setup a secure VPN tunnel using TLS (Transport Layer Security). Unlike the Static key method which uses the same pre-shared key, this type of VPN uses certificates to validate peers and then establish an encrypted connection between them. As a result, the connection between your Tomato Router, and the OpenVPN client will be secure –even if you are connected to an insecure public WiFi hotspot.
This post assumes that you:
- Are running a version of Tomato that supports VPN.
- You have setup Dynamic DNS on your router
- You have downloaded and installed OpenVPN software onto your client computer.
Before we proceed, I want to touch base on something. Just because you use a VPN, doesn’t mean that everything you do online is secure. Yes, your VPN connection is secure. But your Internet browsing activities are not. After you setup your VPN, you might consider using a VPN proxy to shield your browsing activities too.
When we installed OpenVPN, it installed some programming scripts to help us out. These scripts were installed so that we can quickly and easily build the necessary certificates and keys directly from the command prompt. We’ll start by generating certificates. Then, we’ll configure the VPN server settings within the router, copy the certs and keys and ‘Start’ the VPN.
Run as Admin
Click Start > Accessories > Command Prompt >
Right-click on ‘Run as Administrator’.
CMD prompt
- Type: cd c:\Program Files\OpenVPN\easy-rsa and hit Enter.
- Type: ‘init-config’ and hit ‘Enter’
This will copy the vars.bat file to the \easy-rsa directory. The vars.bat file is a variable file that OpenVPN uses to build the certificates and keys. We must edit some of these variables using a text editor. You can use Microsoft NotePad, but I prefer Notepad++.
Minimize your command prompt window but don’t close it because we’ll need it again after we edit the vars.bat file.
Now, open your notepad editor of choice and run it as administrator. If you do not select ‘Run as administrator’, you may not be able to save the file after editing it. Or, it will ask you to save it in a different location (which is inconvenient).
Text Editor
Navigate to: c:\Program Files\OpenVPN\easy-rsa
Easy RSA Folder
Using your text editor, open the vars.bat file.
vars .bat file
Edit the following variables: Country, Province, City, Org, and Email. You can leave the rest of the variables alone. We’ll fill them in momentarily via the command prompt. When you’re finished, click ‘Save’.
Go back to your command prompt:
CMD: build-ca
- Type vars and hit Enter.
- Type clean-all and hit Enter.
- Type build-ca and hit Enter.
The ‘build-ca’ command will output two very important files; a CA certificate and key. These files can be found in the following directory: c:\Program Files\OpenVPN\easy-rsa\keys.
SSL Certificate
Upon running the ‘build-ca’ command, you’ll be prompted to enter some variables (Country, State, etc). These variables are pulled from the ‘vars.bat’ file we just edited so they should look familiar. Since we just edited some of them, simply hit ‘Enter’ for the majority of them. However, be absolutely certain to fill in the ‘Common Name’ parameter. I used ‘TomatoVPN’ for my Common Name. This can be anything, just don’t leave it blank!
Now we must build a key for our client device.
Client Key
Type: build-key client
You can replace ‘client’ with something more applicable such as Laptop1, Laptop2, etc. Whatever label you choose, you must also enter it for the Common Name parameter as well. Therefore, the command ‘build-key laptop1’ would require that you enter laptop1 for the Common Name. Just like the last command (with the exception of the common Name), fill out the variables or choose ‘Enter’ for the default parameters. This time, you’ll be asked two questions; (1) to sign the certificate and, (2) to commit. Select “y” for yes regarding both of them. Be sure to hit ‘Enter’. Repeat this process for each VPN client.
The last certificate we’ll be generating is the server key.
VPN Server Key
This command will output two files; a Server Certificate and key. Again, these files can be found in the following directory: c:\Program Files\OpenVPN\easy-rsa\keys.
Type: build-key-server server
Again, you can replace ‘server’ with a more suitable label. The important thing to remember is that you use the same label for the Common Name. Upon completing the variables, you must again choose “y” to sign and commit.
Now we must generate the Diffie Hellman parameters.
Build-dh
Type: build-dh
This process generates the Diffie Hellman parameters. Diffie Hellman is a protocol used to exchange cryptographic keys. Basically, it allows two devices with no prior relationship to establish trust by establishing a shared secret key over an unsecured connection.
We must now copy three of the files we created into the ‘config’ directory. Navigate to: C:\Program Files\OpenVPN\easy-rsa\keys
OpenVPN RSA Keys
Press the ‘Ctrl’ key on your keyboard while using your mouse to select and copy the following files:
- ca.crt
- client.crt
- client.key
Navigate to: C:\Program Files\OpenVPN\config
OpenVPN Config Directory
Paste the files into the ‘config’ directory
Now, we must create the client configuration profile. This is a simple text file used by OpenVPN to determine how and where to connect, encryption type, protocol type, etc.
Create Client Config File
Open your text editor. Be sure to select ‘Run as administrator’.
Text Editor
With your text editor opened, choose File > Open and navigate to: C:\Program Files\OpenVPN\sample-config
OpenVPN client
The file you open will look similar to the image below.
Sample Config
Each line with a “#” mark is commented out of the file (ignored); therefore, it’s not necessary and makes it challenging to find the variables you need to modify. The easiest way to clear the file is to hit ‘Ctrl + A’ on your keyboard to select everything in the file. Then, hit ‘Delete’. Now, you can start from scratch, entering your variables as shown in the image below.
Client config file
Enter the parameters exactly as seen in the image above.
Go to: File > Save As.
Save Config
- Select ‘All types’ next to ‘Save as type’.
- Name the file ‘Home VPN.ovpn’ and click ‘Save’.
Be sure to give the file the extension .ovpn and select ‘All types’ or the file will not save correctly. After saving this file, copy it to the ‘config’ directory: C:\Program Files\OpenVPN\config.
Configure the Tomato VPN Server
Navigate to: VPN Tunneling > OpenVPN Server
Tomato VPN Server Config (basic)
- Ensure that the ‘Server 1’, and ‘Basic’ tabs are selected.
- Set your settings as seen in the image above.
- Click ‘Save’.
Go to the ‘Advanced’ tab.
Tomato VPN Server Config (advanced)
Configure your settings exactly as shown in the image above. Click ‘Save’ and navigate to the ‘Keys’ tab.
Tomato VPN (keys)
Navigate to: C:\Program Files\OpenVPN\easy-rsa\keys.
- Open each key file, copy and paste the key into the text area. Click ‘Save’ to save the key.
- Click ‘Start’ to start the OpenVPN server.
Start the OpenVPN client (Run as Admin).
Run OpenVPN Client
Navigate to: Start > All Programs > OpenVPN
- Right-click on ‘OpenVPN GUI’ and choose ‘Run as Administrator’.
- Connect to the VPN
OpenVPN Connection
Right-click the OpenVPN icon in your system tray. Choose connect. The status window will open and notify you that the Initialization Sequence has completed. Upon a successful connection, the icon in the task bar will run green.
