Turn Router with DD-WRT into Remote Proxy?
You have a few options:
- DD-WRT supports a PPTP VPN server in most builds.
- If you have control of an SSH server you can use its built-in SOCKS proxy.
- The Tor Network can provide you with anonymity.
If your primary goal is to avoid the watchful eyes of a country that censors and/or monitors Internet traffic, you should be very careful; encrypted traffic is a huge red flag for authorities. It is best to hide among the noise using something like Tor and then additionally ensure that you are using some kind of end-to-end encryption if you are transferring sensitive information.
Additional info for those looking to get this done:
PPTP
This is the easy, insecure way, if you're just trying to do something simple like what I'm trying to do here. These instructions cover it:
http://www.howtogeek.com/51772/how-to-setup-a-vpn-server-using-a-dd-wrt-router/
Additional info: http://www.dd-wrt.com/wiki/index.php/VPN
But I found I had to reboot my router in order for the settings to take. Once I did, connecting from Windows 7 was simple. I was able to test the connection while still sitting behind the router.
OpenVPN
This is not easy. I began with these instructions: http://www.dd-wrt.com/wiki/index.php/VPN_(the_easy_way)_v24%2B
They're for an older version of DD-WRT unfortunately. Some addenda to the instructions there:
Every time it says "Common Name," you need to name the certificate/keypair the same thing as the Common Name. So for example when generating server keys, if you plan to end up with ddwrt.crt and ddwrt.key, you need to use the command:
build-key-server ddwrt
Then when it asks for Common Name, again enter ddwrt.
The newer version of DD-WRT has "GUI" and "config file" options. Use the GUI option.
That interface has changed to have two fields: Public Server Cert and CA Cert. This eliminates the confusion about what to place in each. Obviously you copy/paste your ca.crt into CA Cert, and your server.crt (or ddwrt.crt or whatever you named it) into the Public Server Cert, and only the portions between BEGIN and END.
Where they describe a server config file, they're referring to the field Additional Config. Here's what I used:
# Push the router's LAN to clients. A route needs the network address (host bits zero):
# the router itself is 192.168.9.1, so the network is 192.168.9.0/24.
push "route 192.168.9.0 255.255.255.0"
# Address pool handed to VPN clients; must not overlap any network already in use
server 192.168.8.0 255.255.255.0
dev tun0
# TCP here means the firewall rule must open TCP 1194, not UDP
proto tcp
keepalive 10 120
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
# Only use crl-verify if you are using the revoke list; otherwise leave it commented out
# crl-verify /tmp/openvpn/ca.crl
# management parameter allows DD-WRT's OpenVPN Status web page to access the server's management port
# port must be 5001 for scripts embedded in firmware to work
management localhost 5001
In my case, 192.168.9.1 is the local IP of my router I've set up elsewhere in the DD-WRT interface. 192.168.8.0 refers to a new network specifically for OpenVPN, not in use anywhere else. It's the starting IP for the network; you'll have to enter this same IP in the new field "Network," and then enter the standard netmask in Netmask (255.255.255.0).
I used TCP, AES-128-CBC, and SHA1.
The firewall step had text that, if copy/pasted directly, caused crazy HTML entities to appear in the firewall commands that screwed everything up, so here they are without the problematic formatting (like emdashes):
iptables -I INPUT 1 -p tcp --dport 1194 -j ACCEPT   # proto tcp in the server config; use -p udp only for a UDP server
iptables -I FORWARD 1 --source 192.168.8.0/24 -j ACCEPT   # the OpenVPN client pool from the "server" line
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT   # LAN bridge (br0) to tunnel (tun0)
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT   # tunnel back to the LAN bridge
Notice that I'm using the OpenVPN network IP - 192.168.8.0 - in the second line. Remember to click Save Firewall after filling this in, not Run Commands.
And again, after saving everything, I had to reboot for the settings to take.
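The two text boxes above (Additional Config and the firewall script) are edited separately and nothing on the router warns when they disagree. As an added check, not part of the original post and not DD-WRT or OpenVPN code, the following Python script cross-checks an OpenVPN server config against its iptables lines for the mistakes that are easy to make here: an INPUT rule for the wrong protocol or port, a push "route" or server line whose address has host bits set, a client pool that overlaps the LAN, and a FORWARD --source rule that names the wrong network. The embedded sample texts are constructed: a copy of the configuration from the post with a UDP firewall rule for a TCP server and the router's host address in the pushed route, plus a corrected variant. The LAN prefix 192.168.9.0/24 is an assumption derived from the router address 192.168.9.1 given above.

```python
"""Cross-check a DD-WRT OpenVPN "Additional Config" text against the firewall script.

Added example; it does not implement any OpenVPN logic, it only parses both
texts and reports inconsistencies between them.
"""
import ipaddress
import shlex

# Constructed sample: the post's config with two mistakes (host address in the
# pushed route, and a UDP firewall rule although the server speaks TCP).
ORIGINAL_CONFIG = """\
push "route 192.168.9.1 255.255.255.0"
server 192.168.8.0 255.255.255.0
dev tun0
proto tcp
keepalive 10 120
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
management localhost 5001
"""
ORIGINAL_FIREWALL = """\
iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT
iptables -I FORWARD 1 --source 192.168.8.0/24 -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
"""
# Constructed corrected variant of the same two texts.
CORRECTED_CONFIG = ORIGINAL_CONFIG.replace("route 192.168.9.1", "route 192.168.9.0")
CORRECTED_FIREWALL = ORIGINAL_FIREWALL.replace("-p udp", "-p tcp")

# iptables flags we care about, mapped to field names.
FLAGS = {"-p": "proto", "--protocol": "proto", "--dport": "dport",
         "--destination-port": "dport", "-s": "source", "--source": "source",
         "-i": "in", "-o": "out", "-j": "target"}


def parse_openvpn(text):
    """Return {directive: [args, ...]}; a quoted push argument stays one string."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            parts = shlex.split(line)
            conf.setdefault(parts[0], []).append(parts[1:])
    return conf


def parse_iptables(text):
    """Return one dict per iptables line with chain, proto, dport, source, in, out, target."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line.startswith("iptables"):
            continue
        argv = shlex.split(line)[1:]
        rule = {"chain": None, "proto": None, "dport": None, "source": None,
                "in": None, "out": None, "target": None}
        i = 0
        while i < len(argv):
            if argv[i] in ("-I", "-A"):
                rule["chain"] = argv[i + 1]
                i += 2
                if i < len(argv) and argv[i].isdigit():  # optional rule number after -I
                    i += 1
            elif argv[i] in FLAGS:
                rule[FLAGS[argv[i]]] = argv[i + 1]
                i += 2
            else:
                i += 1
        rules.append(rule)
    return rules


def _network(addr, mask):
    """Strict parse: raises ValueError if addr has host bits set for mask."""
    return ipaddress.IPv4Network(f"{addr}/{mask}")


def check(config_text, firewall_text, lan_cidr="192.168.9.0/24"):
    """Return a list of findings; an empty list means the two texts agree."""
    findings = []
    conf = parse_openvpn(config_text)
    rules = parse_iptables(firewall_text)

    # 1. "server" and each pushed route must be network addresses, not host addresses.
    vpn_net = None
    for args in conf.get("server", []):
        try:
            vpn_net = _network(args[0], args[1])
        except ValueError as e:
            findings.append(f"server: {e}")
    for args in conf.get("push", []):
        words = args[0].split()
        if words[:1] == ["route"] and len(words) >= 3:
            try:
                _network(words[1], words[2])
            except ValueError as e:
                findings.append(f'push "route": {e}')

    # 2. The client pool must not overlap the LAN that is routed to clients.
    lan = ipaddress.IPv4Network(lan_cidr)
    if vpn_net is not None and vpn_net.overlaps(lan):
        findings.append(f"server pool {vpn_net} overlaps LAN {lan}")

    # 3. Some INPUT ACCEPT rule must match the protocol/port OpenVPN listens on.
    proto = conf.get("proto", [["udp"]])[0][0].replace("-server", "")  # OpenVPN default: udp
    port = conf.get("port", [["1194"]])[0][0]
    inputs = [r for r in rules if r["chain"] == "INPUT" and r["target"] == "ACCEPT"]
    if not any(r["proto"] == proto and r["dport"] == port for r in inputs):
        got = ", ".join(f"{r['proto']}/{r['dport']}" for r in inputs) or "none"
        findings.append(f"no INPUT ACCEPT for {proto}/{port} (found: {got})")

    # 4. The FORWARD --source rule must name the client pool, not another network.
    if vpn_net is not None:
        srcs = [r["source"] for r in rules if r["chain"] == "FORWARD" and r["source"]]
        if not any(ipaddress.IPv4Network(s) == vpn_net for s in srcs):
            findings.append(f"no FORWARD rule with --source {vpn_net}")
    return findings


if __name__ == "__main__":
    for name, c, f in (("original", ORIGINAL_CONFIG, ORIGINAL_FIREWALL),
                       ("corrected", CORRECTED_CONFIG, CORRECTED_FIREWALL)):
        print(name, check(c, f) or "OK")
```

The strict mode of ipaddress.IPv4Network is what catches the host-bits mistake; it is the same rule the client operating system applies when OpenVPN pushes the route, so a config that passes this check will not fail at route installation time on the client.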