Set up an OpenVPN Server on a FreshTomato Router

David B
5 min readMay 23, 2021

At the time of writing I am about to go on a trip, and I thought I should finally do a task I had been putting off for years: setting up a VPN server on my home network.

There are many things you can do with such a service, but I only wanted two: to reach my NAS from elsewhere, and to protect my traffic whenever I was on a public or hotel Wi-Fi network. Sounds like a simple enough task, right?

Well, the 20-minute videos and five-page tutorials full of CLI commands had my head spinning a bit, and I’m the technical one in my family. The Point-to-Point Tunneling Protocol (PPTP) would have been a much simpler setup, but its authentication (MS-CHAPv2) and encryption (RC4-based MPPE) are broken, which is why Apple removed it from macOS Sierra and iOS 10.

It wasn’t until I decided to just poke around in my router’s GUI that I realized the custom firmware I had installed (FreshTomato) actually made the task I wanted to complete a LOT easier.

Since no other tutorial covered this specific use-case, I figured I’d share the information I have with you.

Prerequisites:

  • You have 7-zip and an OpenVPN client installed on your computer/device
  • You have a router with FreshTomato installed
  • You have configured upstream DNS servers for the router under Basic > Network > WAN Settings (I’d recommend 8.8.8.8 and 1.1.1.1); the router’s own resolver will be answering your VPN clients’ DNS queries, so it needs working upstreams
  • You have set up a dynamic DNS service such as duckdns, updated automatically by the router, so that you have a hostname that keeps pointing at your router when your public IP address changes

Server Configuration

Under VPN Tunneling, click OpenVPN Server

Navigate to your router’s GUI, which should be at 192.168.1.1 or 192.168.0.1 (if neither works, the address is the default gateway shown by ipconfig on Windows or by ip route on Linux). Log in, then look in the sidebar for a tab titled “VPN Tunneling”. Click that, and then click on OpenVPN Server.

Start on the Basic tab. If you would like the server to start automatically when the router boots, check “Start with WAN”. Most of the other options can be left as they are, although I would recommend moving the port from the default 1194 to a high one in the 40,000+ range. Note that this only cuts down on noise from scanners that probe the default port; it is not a security control, and the client certificate (plus the password, below) is what actually keeps people out.

Then press “Save” at the bottom.

Next, under Advanced, there are a few options to change. The first few, regarding “Push LAN …”, can be left as they are. If you want all of your traffic while away from home to go through your router (for example, so that Netflix sees your home IP address), check “Direct clients to redirect Internet traffic”. Next, tick “Respond to DNS” and “Advertise DNS to clients” so that your router answers DNS requests over the VPN (and your ad blocking, if enabled, keeps working); without this, a full-tunnel client would still send its DNS queries to whatever resolver the hotel Wi-Fi handed out, leaking every site name you visit. Disable compression: compressing data before encrypting it lets an attacker who can inject content into your traffic recover secrets such as session cookies (the VORACLE attack against OpenVPN), and OpenVPN has since deprecated it.

Finally, I would recommend (although it is not strictly necessary) enabling User/Pass Auth, so that an attacker needs both a valid certificate and a username/password combination to get into your network. Create one entry per user: click Enable, type a username and a password, and then click Add (make sure you click Add, otherwise the entry is not actually saved). Use a different, strong password for each user; these credentials live on the router.

Then press “Save” at the bottom.

Now on to the tab titled “Keys”. This is the part where FreshTomato makes things so much easier than the CLI tutorials: three buttons do the certificate and key generation that those tutorials script by hand.

To complete this step, press “Generate keys” and wait for it to finish, then press “Generate DH Params” and wait for it to finish (generating Diffie-Hellman parameters can take several minutes on router hardware), and then save. After saving, press “Generate client config”, which downloads a .tgz file named “ClientConfig” containing the client’s certificate and key material together with a connection.ovpn profile.

Client Configuration


First, extract the .tgz file using 7-zip.
Next, look for a file with an extension of “.ovpn” (it should be labeled connection.ovpn). You will need to open this using a text editor such as Notepad.


Look for a line starting with the word remote. Next to it should be a dotted IP address (something like 203.0.113.10, not those exact numbers), followed by the port we chose earlier. That address is your current public IP address: replace it with your duckdns hostname.

Most home internet connections get an IP address from the provider that can change, and if we left the configuration as it is, it would stop working as soon as that happens (it would point at the wrong address). A duckdns hostname keeps the configuration working for as long as your router updates it regularly with your current public IP address. The line should therefore read “remote example.duckdns.org 51234” (replace 51234 with your port number).

Now take all four files (including your updated connection.ovpn) and put them on your target device in the same folder, since the profile expects the certificate and key files next to it. Treat that folder like a password: anyone who copies it can connect to your network as you. Then import the files into your OpenVPN client.
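To take the guesswork out of the edit above, here is a small script, added as an example for this article and not part of FreshTomato or the original post, that rewrites every remote line in a connection.ovpn to your DDNS hostname and reports settings that contradict the recommendations made earlier (an IP literal in remote, compression enabled, no auth-user-pass). The SAMPLE_OVPN text is constructed to resemble a generated profile; the exact contents of FreshTomato’s export may differ. The remote-cert-tls check goes beyond the article’s own steps: it is a standard OpenVPN client directive that makes the client reject a peer that presents anything other than a server certificate.

```python
"""Rewrite the 'remote' directive of a connection.ovpn and lint the profile.

Added example for this article; not FreshTomato's code.  Assumes the
profile is plain text with one OpenVPN directive per line.
"""
import ipaddress
import re

# Constructed sample resembling a generated client profile (not a real export).
SAMPLE_OVPN = """\
client
dev tun
proto udp
remote 203.0.113.10 51234
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
auth-user-pass
"""

# DNS hostname: dotted labels, TLD starting with a letter (so an IP literal fails).
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z][a-z0-9-]{1,62}$",
    re.I,
)


def parse_directives(profile):
    """Map directive name -> list of argument lists, skipping comments and blanks."""
    directives = {}
    for line in profile.splitlines():
        parts = line.split()
        if not parts or parts[0][0] in "#;":
            continue
        directives.setdefault(parts[0], []).append(parts[1:])
    return directives


def rewrite_remote(profile, hostname, port=None):
    """Return the profile with the host of every 'remote' line replaced.

    The existing port (and any trailing protocol argument such as 'udp') is
    kept unless a new port is given.  Raises ValueError if hostname is an IP
    literal or malformed, or if the profile has no 'remote' directive.
    """
    try:
        ipaddress.ip_address(hostname)
        raise ValueError("use your DDNS hostname, not an IP literal")
    except ValueError as err:
        if "DDNS" in str(err):
            raise
    if not HOSTNAME_RE.match(hostname):
        raise ValueError(f"not a valid DNS hostname: {hostname!r}")
    out, found = [], False
    for line in profile.splitlines():
        parts = line.split()
        if parts and parts[0] == "remote" and len(parts) >= 2:
            found = True
            new = ["remote", hostname]
            if port is not None:
                new.append(str(port))
            elif len(parts) >= 3:
                new.append(parts[2])
            new.extend(parts[3:])
            line = " ".join(new)
        out.append(line)
    if not found:
        raise ValueError("profile has no 'remote' directive")
    return "\n".join(out) + "\n"


def check_profile(profile, expect_user_pass=True):
    """Return a list of warnings for settings that contradict the article's advice."""
    d = parse_directives(profile)
    warnings = []
    for args in d.get("remote", []):
        try:
            ipaddress.ip_address(args[0])
        except ValueError:
            continue  # a hostname: fine
        warnings.append(f"remote {args[0]} is an IP literal; use your DDNS hostname")
    # 'comp-lzo' (bare, yes, adaptive) and 'compress <alg>' enable compression;
    # 'comp-lzo no', bare 'compress' and 'compress stub' do not.
    for args in d.get("comp-lzo", []):
        if not args or args[0] in ("yes", "adaptive"):
            warnings.append("compression enabled via comp-lzo; disable it (VORACLE)")
    for args in d.get("compress", []):
        if args and args[0] not in ("stub", "stub-v2"):
            warnings.append(f"compression enabled via compress {args[0]}; disable it (VORACLE)")
    if expect_user_pass and "auth-user-pass" not in d:
        warnings.append("server expects a username/password but profile lacks auth-user-pass")
    if "remote-cert-tls" not in d:
        warnings.append("consider adding 'remote-cert-tls server' so only a server certificate is accepted")
    return warnings


if __name__ == "__main__":
    fixed = rewrite_remote(SAMPLE_OVPN, "example.duckdns.org")
    print(fixed)
    for w in check_profile(fixed):
        print("WARNING:", w)
```

Run it against the extracted connection.ovpn before copying the folder to a device; any remaining warning is something to fix either in the profile or back in the router’s Advanced tab.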

On Windows, copy the four files into a new folder under “C:\Users\YOUR_NAME_HERE\OpenVPN\config”.
Click the hidden icons in the lower right (the system tray), right-click the OpenVPN GUI icon, and click Connect.
Enter your username and password if you enabled that option.

For each additional device that you want connected at the same time, go back to the Keys page on the router, press “Generate client config” again, extract the bundle and edit its connection.ovpn as shown above. Check that each bundle actually carries a different client certificate: by default an OpenVPN server disconnects the existing session when a second client connects with the same certificate common name, unless the server is configured with duplicate-cn.

David B

Computer Science graduate at the University of Texas at Dallas