====== OpenVPN Bridge to Another Country ======

Some content is only available to IP addresses in another country. Set up a Virtual Access Point on your DD-WRT router that is bridged to an OpenVPN server in the other country. The focus here is on configuring the client bridge on your router. I am assuming you already have the server portion working, with IP masquerading (NAT) configured.
1. Use easy-rsa scripts to generate a new client certificate on the OpenVPN server.
Edit the file 'vars' to set sane defaults like setting the expiry to 10 years rather than the default 1 year.
root@openvpn:/etc/openvpn/easy-rsa# ./build-key nexus.mrzesty.net
Generating a 1024 bit RSA private key
.................++++++
...................++++++
...
Certificate is to be certified until Mar 16 16:49:28 2020 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Copy the resulting private key nexus.mrzesty.net.key, certificate nexus.mrzesty.net.crt and CA cert ca.crt from the keys/ directory to the client.
3. Create the new Virtual Interface on your local DD-WRT router. Go to Configure WPA2 wireless security
4. Create a new ethernet bridge on your router
/etc/network/interfaces on Debian/Ubuntu:
auto tap0
iface tap0 inet static
pre-up /usr/sbin/openvpn --mktun --dev tap0
address 192.168.x.1
netmask 255.255.255.0
5. Add an additional DHCP server on the Setup -> Networking page for the bridge br1.
6. Configure the DHCP server to hand out 192.168.x.1 as the gateway IP to clients.
dhcp-option=br1,3,192.168.3.1
7. Configure the OpenVPN client of the DD-WRT router
root@DD-WRT:/tmp/openvpncl# cat openvpn.conf
client
dev tap
proto udp
remote 66.55.44.33 1194
resolv-retry infinite
nobind
persist-key
persist-tun
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
ca /tmp/openvpncl/ca.crt
cert /tmp/openvpncl/client.crt
ns-cert-type server
key /tmp/openvpncl/client.key
comp-lzo
8. Reboot the router and add the tap0 interface to the new bridge br1. I was not able to do this in the web interface, so I ran the following from the SSH shell instead:
root@DD-WRT:~# brctl addif br1 tap0
You will want this command to run when the router reboots, so add it to the nvram variable rc_startup. I use 60 seconds so the OpenVPN tunnel has enough time to start.
nvram set rc_startup="
sleep 60
ip link set tap0 up
brctl addif br1 tap0
"
nvram commit
(You can also set the startup via the web interface on
Current Bridging Table
^ Bridge Name ^ STP enabled ^ Interfaces ^
| br0 | no | vlan1 eth1 |
| br1 | no | wl0.1 tap0 |
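
The client config from step 7 uses two directives that later OpenVPN releases deprecate (ns-cert-type and comp-lzo) and has no tls-auth key. The script below is an added example, not part of the original page: the function name audit_ovpn_client, the finding texts and the temporary file path are assumptions, and the sample input is constructed from the directives shown in step 7.

```shell
#!/bin/sh
# Added example (not from the original page): flag client settings to review.
# Prints one "LEVEL directive: reason" line per finding; prints nothing if clean.
audit_ovpn_client() {
    awk '
        NF == 0 || $1 ~ /^[#;]/ { next }      # skip blank lines and comments
        { seen[$1] = 1; arg[$1] = $2 }        # remember directive and first argument
        END {
            if (seen["ns-cert-type"])
                print "WARN ns-cert-type: deprecated, use remote-cert-tls server"
            else if (!seen["remote-cert-tls"])
                print "FAIL remote-cert-tls: peer certificate type is not checked"
            if (seen["comp-lzo"] && arg["comp-lzo"] != "no")
                print "WARN comp-lzo: compression enabled (deprecated, VORACLE-style leaks)"
            if (!seen["tls-auth"] && !seen["tls-crypt"])
                print "INFO tls-auth: control channel has no extra HMAC key"
        }
    ' "$1"
}

# Constructed sample: the directives of the client config shown in step 7.
sample_conf() {
    cat <<'EOF'
client
dev tap
proto udp
remote 66.55.44.33 1194
ca /tmp/openvpncl/ca.crt
cert /tmp/openvpncl/client.crt
ns-cert-type server
key /tmp/openvpncl/client.key
comp-lzo
EOF
}

# Hypothetical scratch path; on the router, pass /tmp/openvpncl/openvpn.conf instead.
tmp="${TMPDIR:-/tmp}/ovpn-audit.$$"
sample_conf > "$tmp"
audit_ovpn_client "$tmp"
rm -f "$tmp"
```

Any change to compression or tls-auth has to be made on the server as well, since both ends must agree on these settings.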