By Wi-Fi Planet Staff
May 31, 2010
Virtual Private Networks (VPNs) aren’t just for corporate networks. You can set up your own VPN server in your home or small office using a wireless router and the free, open-source DD-WRT firmware. Use it to securely connect to your network when away to get access to your network shares and computers. You might also find it useful when on public networks or Wi-Fi hotspots, to secure your traffic from local eavesdroppers.
One way to quickly set up a simple VPN server is to load DD-WRT onto your router, if it’s compatible. DD-WRT is a firmware replacement. It replaces the factory brains of your router, giving it a new control panel with more features, such as a VPN server. You can check your router’s compatibility in the DD-WRT Router Database.
In this article, we’ll go through the process of setting up the Point-to-Point Tunneling Protocol (PPTP) VPN feature of DD-WRT. It’s no secret that PPTP has vulnerabilities, like many other computing protocols; however, sometimes taking some risks is acceptable. In addition to being easier to configure and manage, PPTP is already supported in Windows.
However, if you’re dealing with customer data or other highly sensitive info, you might want to go with a more secure VPN implementation. Maybe later in another tutorial we’ll discuss how to set up OpenVPN in DD-WRT, which is more secure but a bit more complicated to set up. Plus, users must download and configure a client utility in order to connect.
Flash the Router
A good place to start is the Router Database. Type in your vendor or model number and hopefully it will spit out a list of compatible firmware versions and variants. So you don’t “brick” your router (render it useless), be sure to follow all the installation instructions carefully.
The most current stable release of DD-WRT at the time of this writing is v24 SP1 (Build 10020), which is what we’re using for this tutorial. These directions should also work with v24 SP2 as we tested against the Beta 13064 build.
Remember, you don’t have to use the VPN variant if you just want to use the PPTP VPN server or client; they are included in all variants except Mini. The special VPN variant gives you the more secure OpenVPN server and client, so use it if you plan to try that later.
Enable the PPTP VPN Server
To get started, log in to the Web-based control panel. Type the default IP address of 192.168.1.1 into a web browser. The first time you access the router, you’ll be prompted to create a username and password.
Click the Services tab and choose the PPTP sub-tab. In the PPTP Server area, select Enable. Then input the IP address of the router (192.168.1.1) for the Server IP.
For the Client IP(s), input a single address if you’re the only user. If there’s more than one user, you can specify a range. You should choose an address or range that doesn’t conflict with the router’s IP and client IPs (192.168.1.100 – 192.168.1.149). An acceptable range could be 192.168.1.2-99 (which is 192.168.1.2 – 192.168.1.99) or even 192.168.1.200-249 (which is 192.168.1.200 – 192.168.1.249). Make sure you specify ranges with the shorter format; don’t include the whole address for the ending IP.
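A way to check a Client IP(s) value before entering it, as an added example that is not part of the original article or of DD-WRT: it expands the short range format and reports conflicts with the router IP and the DHCP pool. The function names are hypothetical, and a 255.255.255.0 netmask is assumed.

```python
import ipaddress

def parse_short_range(spec):
    """Expand '192.168.1.200-249' (or a single address) into IPv4Address objects."""
    start_text, sep, end_text = (part.strip() for part in spec.partition("-"))
    start = ipaddress.IPv4Address(start_text)
    if not sep:
        return [start]
    if not end_text.isdigit():
        # The full-address form '...200-192.168.1.249' is what the article warns against.
        raise ValueError("range end must be the last octet only, e.g. 200-249")
    first, last = int(start) & 0xFF, int(end_text)
    if not first <= last <= 254:
        raise ValueError("range end must lie between the start octet and 254")
    return [start + offset for offset in range(last - first + 1)]

def check_client_range(spec, router_ip, dhcp_first, dhcp_last, netmask="255.255.255.0"):
    """Return a list of problems; an empty list means the range is safe to enter."""
    lan = ipaddress.IPv4Network(f"{router_ip}/{netmask}", strict=False)
    router = ipaddress.IPv4Address(router_ip)
    lo, hi = ipaddress.IPv4Address(dhcp_first), ipaddress.IPv4Address(dhcp_last)
    try:
        clients = parse_short_range(spec)
    except ValueError as exc:  # also covers malformed addresses
        return [f"bad format: {exc}"]
    problems = []
    if any(ip not in lan for ip in clients):
        problems.append(f"outside LAN {lan}")
    if router in clients:
        problems.append(f"contains router IP {router}")
    clash = [ip for ip in clients if lo <= ip <= hi]
    if clash:
        problems.append(f"overlaps DHCP pool at {clash[0]}-{clash[-1]}")
    if lan.network_address in clients or lan.broadcast_address in clients:
        problems.append("contains network or broadcast address")
    return problems

if __name__ == "__main__":
    # The first two candidates are the article's; the rest are constructed.
    for spec in ("192.168.1.2-99", "192.168.1.200-249",
                 "192.168.1.200-192.168.1.249", "192.168.1.90-120", "192.168.1.1-50"):
        result = check_client_range(spec, "192.168.1.1", "192.168.1.100", "192.168.1.149")
        print(spec, "->", result or "ok")
```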
The CHAP-Secrets textbox is where you specify the usernames and passwords. Be sure to input them in the special format: username, space, asterisk, space, password, space, and asterisk. Here’s an example:
joe * joespassword *
jane * janespassword *
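A format and password-hygiene check for the CHAP-Secrets text, as an added example that is not part of the original article or of DD-WRT. The function name, the sample entries other than joe and jane, and the 12-character minimum are assumptions made for illustration.

```python
# Constructed sample: the first two lines are the article's examples, the rest are invented.
SAMPLE = """joe * joespassword *
jane * janespassword *
bob * hunter2
carol * k7#Vtq9!mZp2w *
carol * another-long-secret-1 *
dave x correct-horse-battery *
"""

def audit_chap_secrets(text, min_password_len=12):
    """Return (accepted_usernames, problems); problems are (line_number, message) pairs.

    Layout follows pppd's chap-secrets file: client, server, secret, allowed
    addresses. The two asterisks mean "any server" and "any client address".
    Messages never echo the password itself.
    """
    users, problems = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split()
        if len(fields) != 4:
            # Also triggers when a password contains a space and splits in two.
            problems.append((lineno, "expected 4 fields: username * password *"))
            continue
        user, server, secret, addrs = fields
        if server != "*" or addrs != "*":
            problems.append((lineno, "fields 2 and 4 must be '*'"))
            continue
        if user in users:
            problems.append((lineno, f"duplicate username {user!r}"))
            continue
        users.append(user)
        if len(secret) < min_password_len:
            problems.append((lineno, f"password for {user!r} is shorter than {min_password_len}"))
        elif user.lower() in secret.lower():
            problems.append((lineno, f"password for {user!r} contains the username"))
    return users, problems

if __name__ == "__main__":
    accepted, issues = audit_chap_secrets(SAMPLE)
    print("accepted:", accepted)
    for lineno, message in issues:
        print(f"line {lineno}: {message}")
```

Since PPTP logins rest on these passwords, the article's placeholder passwords are flagged here for containing the username; replace them with long random ones.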
If you’re running a RADIUS/AAA server, you can optionally authenticate VPN users against it by enabling RADIUS and inputting your server details.
When you’re all done, click Apply Settings, which will save and then apply the changes.
Test It Out
Now you should have a working VPN server, so let’s test it out on the local network first:
In Windows XP, click Start > Connect to > Show all connections. Then on the window, double-click New Connection Wizard. On the wizard, click Next. Click Connect to the network at my workplace and hit Next. Select Virtual Private Network connection and click Next. Type in some name for the Company Name and click Next. Enter the router’s local IP (192.168.1.1), click Next, and then click Finish. The login dialog should appear where you can enter a username and password you created on the server. Then click Connect and it should work.
In Windows 7, bring up the Network and Sharing Center and click Set up a new connection or network. On the Wizard, select Connect to a workplace and click Next. Click Use my Internet connection (VPN). On the next page, enter the router’s local IP (192.168.1.1) for the Internet address, type in a destination name, and then click Next. You should be prompted for your username and password. Enter one that you defined earlier when configuring the server and click Connect. Give it a minute, and if all is successful, it should say You are connected.
Create a Hostname for Your Dynamic IP
If the DD-WRT router is connected to an Internet connection that has a dynamic or changing IP address, you’ll probably want to set up a hostname (sub-domain). This gives you an Internet address (for instance, myhomenet.getmyip.com) that always points to your router’s current Internet IP. This lets you connect to your VPN server when away without worrying about the IP changing. Otherwise, if it did change, someone would have to physically check the router and give you the new IP.
No-IP and Afraid.org are two free dynamic DNS services that you may consider. Once you sign up for a service, you’ll have a host name, account name, and password. Bring up the DD-WRT control panel, click Setup > DDNS and input these pieces of information. Then your router will keep the service and hostname up-to-date with your current IP.
Now don’t forget to use your hostname instead of your Internet IP when configuring your VPN client settings.
Configure It for Remote Access
To connect to your VPN server from the Internet when away, Windows must be configured with your Internet IP address (or hostname, if you created one), not the local IP (192.168.1.1). If you followed the directions earlier and already created a connection from within the local network, you can simply change the IP:
In Windows XP, click Start > Connect to > Show all connections. Then right-click the VPN connection and select Properties.
In Windows 7, click the network icon, right-click the VPN connection from the list, and select Properties.
Now you should have everything ready to go. Next time you need to access your network when away or secure your traffic on a public network, you can use your own VPN server. Just remember that the remote router and network must also allow VPN connections. However, this usually isn’t a problem.
Eric Geier is the Founder and CEO of NoWiresSecurity, which helps businesses easily protect their Wi-Fi with enterprise-level encryption by offering an outsourced RADIUS/802.1X authentication service. He is also the author of many networking and computing books, for brands such as For Dummies and Cisco Press.