OpenVPN Bridge to Another Country

Certain content is only available to IP addresses in another country. To reach it, set up a Virtual Access Point on your DD-WRT router that is bridged to an OpenVPN server in the other country.

The focus here is configuring the client bridge on your router. I am assuming you already have the server portion configured and working, with IP masquerading (NAT) configured.

1. Use the easy-rsa scripts to generate a new client certificate on the OpenVPN server.

Edit the file 'vars' to set sane defaults, such as setting the expiry to 10 years rather than the default 1 year.

root@openvpn:/etc/openvpn/easy-rsa# ./build-key nexus.mrzesty.net
Generating a 1024 bit RSA private key
.................++++++
...................++++++
...
Certificate is to be certified until Mar 16 16:49:28 2020 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

2. Copy the resulting private key nexus.mrzesty.net.key, certificate nexus.mrzesty.net.crt and CA cert ca.crt from the keys/ directory to the client.

3. Create the new Virtual Interface on your local DD-WRT router. Go to http://192.168.1.1/Wireless_Basic.asp and add a new Virtual Interface wl0.1.

Configure WPA2 wireless security (http://192.168.1.1/WL_WPATable.asp) on your new Virtual wireless.

4. Create a new ethernet bridge on your router (http://192.168.1.1/Networking.asp) and assign the new Virtual Interface wl0.1 to the new bridge br1. Assign an IP of 192.168.x.2. 192.168.x.1 will be on the OpenVPN server, assigned to the tap0 interface there.

/etc/network/interfaces on Debian/Ubuntu:

auto tap0
iface tap0 inet static
        pre-up /usr/sbin/openvpn --mktun --dev tap0
        address 192.168.x.1
        netmask 255.255.255.0

5. Add an additional DHCP server on the Setup -> Networking page for the bridge br1.

6. Configure the DHCP server to hand out 192.168.x.1 as the gateway IP to clients (DHCP option 3 is the router/gateway; in the line below, x is 3).

http://192.168.1.1/Services.asp -> DNSmasq

dhcp-option=br1,3,192.168.3.1

7. Configure the OpenVPN client of the DD-WRT router at http://192.168.1.1/PPTP.asp

If you SSH to the router, the resulting configuration file should look like this:

root@DD-WRT:/tmp/openvpncl# cat openvpn.conf

client
dev tap
proto udp
remote 66.55.44.33 1194
resolv-retry infinite
nobind
persist-key
persist-tun
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
ca /tmp/openvpncl/ca.crt
cert /tmp/openvpncl/client.crt
ns-cert-type server
key /tmp/openvpncl/client.key
comp-lzo

8. Reboot the router and add the tap0 interface to the new bridge br1. I was not able to do this in the web interface, so I ran the following from the SSH shell instead:

root@DD-WRT:~# brctl addif br1 tap0

You will want this command to run whenever the router reboots, so add it to the nvram variable rc_startup. I use a 60-second delay so the OpenVPN tunnel has enough time to start.

nvram set rc_startup="
sleep 60
ip link set tap0 up
brctl addif br1 tap0
"
nvram commit

(You can also set the startup commands via the web interface at http://192.168.1.1/Diagnostics.asp)

Verify that the Current Bridging Table on the http://192.168.1.1/Networking.asp page is correct, so that tap0 is now bridged to your Virtual AP wl0.1.

Current Bridging Table
Bridge Name     STP enabled     Interfaces
br0    no    vlan1 eth1
br1    no    wl0.1 tap0
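
The same verification can be done from the SSH shell. The script below is an added example, not part of the original write-up: it parses `brctl show` output (assuming that command's usual column layout) and fails if tap0 or wl0.1 is missing from br1, or if either one is attached to br0. The sample tables and bridge ids in it are constructed.

```shell
#!/bin/sh
# Added example (not from the original article): verify the bridge layout.
# Assumes the usual `brctl show` columns: name, id, STP, first interface,
# with any further interfaces on continuation lines.

# Print the members of bridge $1, one per line; reads `brctl show` text on stdin.
bridge_members() {
    awk -v want="$1" '
        NR == 1 { next }                      # skip the header line
        NF >= 3 { cur = $1; if (NF >= 4 && cur == want) print $4; next }
        NF == 1 && cur == want { print $1 }   # continuation line
    '
}

# Succeed when interface $2 is a member of bridge $1 in the table text $3.
is_member() {
    printf '%s\n' "$3" | bridge_members "$1" | grep -qxF "$2"
}

# Return 0 only if tap0 and wl0.1 are both in br1 and neither is in br0.
check_vpn_bridge() {
    table=$1
    rc=0
    for ifc in tap0 wl0.1; do
        is_member br1 "$ifc" "$table" || { echo "FAIL: $ifc not in br1"; rc=1; }
        if is_member br0 "$ifc" "$table"; then
            echo "FAIL: $ifc is attached to br0"; rc=1
        fi
    done
    return $rc
}

# Constructed sample: the state after step 8 (bridge ids are made up).
SAMPLE_OK='bridge name     bridge id               STP enabled     interfaces
br0             8000.0011223344aa       no              vlan1
                                                        eth1
br1             8000.0011223344ab       no              wl0.1
                                                        tap0'

# Constructed sample: after a reboot, before tap0 has been added to br1.
SAMPLE_NO_TAP='bridge name     bridge id               STP enabled     interfaces
br0             8000.0011223344aa       no              vlan1
                                                        eth1
br1             8000.0011223344ab       no              wl0.1'

check_vpn_bridge "$SAMPLE_OK" && echo "sample 1: layout OK"
check_vpn_bridge "$SAMPLE_NO_TAP" || echo "sample 2: bridge not ready"
# On the router: check_vpn_bridge "$(brctl show)"
```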