OpenVPN Server on DD-WRT with iOS 10 Client

October 9th, 2016

iOS 10 removed PPTP support. Sure, as a protocol it’s not secure and open to man-in-the-middle attacks so I get it. But I want a way to network back home.

So… if you have DD-WRT installed on your router and want VPN access to your home network then you’ve got to choose another option. DD-WRT supports OpenVPN. That can work with your iOS 10 devices with the OpenVPN Client from the App Store. I have it working on my Linksys 1900AC (Nighthawk running Firmware: DD-WRT v3.0-r29147 std (02/23/16)).

Here’s how:

Step 0: Check your free memory

All the settings from the Web GUI are stored permanently in NVRAM, so there must be enough free space there to hold the new OpenVPN configuration and certificates. Before you start, check how much NVRAM space is used and how much is left. You need about 6000 bytes available in NVRAM.

Telnet or ssh into your router and type:

nvram show | grep size


Step 1: Self-sign certificates and create keys

I followed this post on dd-wrt wiki. Read that post.

I used an Ubuntu box to create all the certificates so I’m not providing any Windows instructions for this section. To keep things simple I did not use TLS auth. This was my flow:

  1. sudo apt-get install easy-rsa
  2. make-cadir path
  3. cd path
  4. // edit the “vars” file as in the post – really easy: just use your location, organization, email, etc.
  5. // As “root” user
    source ./vars
    ./build-key-server server
    ./build-key client1

Now you have all the key and cert files you need in <path> on your Ubuntu box.

Step 2: Configure DD-WRT

This was a pain because the docs are out of date. In short you need to copy-paste:

Box                  File to insert
CA Cert              ca.crt
Public Server Cert   server.crt
Private Server Key   server.key
DH PEM               dh1024.pem
TLS Auth Key         (leave blank)
Additional Config    (the block below)

push "route"
push "dhcp-option DNS"
server tun0
proto udp
keepalive 10 120
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
# Only use crl-verify if you are using the revoke list – otherwise leave it commented out
# crl-verify /tmp/openvpn/ca.crl
# management parameter allows DD-WRT's OpenVPN Status web page to access the server's management port
# port must be 5001 for scripts embedded in firmware to work
management localhost 5001
script-security 2


And finally, the firewall rules. Go to the “Administration” tab then subtab “Commands” and paste:

iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT
iptables -I FORWARD 1 --source -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT

Click “Save Firewall”

Step 3: Configure iPhone / iPad with iOS 10

Install the OpenVPN client from the App store.

This app needs an “.ovpn” file and the certificates/keys from Step 1. The .ovpn file is just a text file whose settings must match the server config from Step 2. If you run into problems, carefully compare your server and client configurations line by line and make sure they match.

My .ovpn file which I called “home.ovpn”:

# Sample client-side OpenVPN 2.0 config file
# for connecting to multi-client server. 
# This configuration can be used by multiple 
# clients, however each client should have 
# its own cert and key files.

# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.

# Use the same setting as you are using on the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one. On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap

# Are we connecting to a TCP or
# UDP server? Use the same setting as
# on the server.
;proto tcp
proto udp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote 1194

# Choose a random host from the remote
# list for load-balancing. Otherwise
# try hosts in the order specified.

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server. Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.

# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nobody

# Try to preserve some state across restarts.

# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here. See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot
# of duplicate packets. Set this flag
# to silence duplicate packet warnings.

# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
ca ca.crt
cert client1.crt
key client1.key

# Verify server certificate by checking that the
# certificate has the correct key usage set.
# This is an important precaution to protect against
# a potential attack discussed here:
# To use this feature, you will need to generate
# your server certificates with the keyUsage set to
# digitalSignature, keyEncipherment
# and the extendedKeyUsage to
# serverAuth
# EasyRSA can do this for you.
remote-cert-tls server

# If a tls-auth key is used on the server
# then every client must also have the key.
# tls-auth ta.key 1

# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
# Note that 2.4 client/server will automatically
# negotiate AES-256-GCM in TLS mode.
# See also the ncp-cipher option in the manpage
;cipher AES-256-CBC
cipher bf-cbc

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.

# Set log file verbosity.
verb 3

# Silence repeating messages
;mute 20

The key thing in this file was to use “cipher bf-cbc”.
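The paragraph above says the client and server configurations must match but leaves the comparison to the reader. The script below is an added example (not the post's own code, and not part of DD-WRT or OpenVPN) that parses both files the way OpenVPN reads them, compares the settings that must agree (proto, port, device type, cipher, tls-auth) and flags the one setting this post depends on: cipher bf-cbc is Blowfish, a 64-bit block cipher, which is what the SWEET32 attack targets. The two configs embedded in the script are constructed to resemble the Step 2 "Additional Config" box and the Step 3 home.ovpn; the hostname vpn.example.invalid is a placeholder and the 'client' directive is assumed to be present in the real file.

```python
"""Check that an OpenVPN client .ovpn matches the server configuration.

Added example, not from the post. Both configs below are constructed to
resemble the DD-WRT "Additional Config" box and home.ovpn.
"""
import re

# 64-bit block ciphers: they work, but SWEET32 targets 64-bit blocks.
SIXTY_FOUR_BIT_BLOCK = {"bf-cbc", "des-cbc", "des-ede3-cbc", "cast5-cbc", "idea-cbc"}

SERVER_CONF = """\
# constructed: mirrors the DD-WRT "Additional Config" box
dev tun0
proto udp
port 1194
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem# a comment fused onto the directive, as in a sloppy paste
# crl-verify /tmp/openvpn/ca.crl
cipher bf-cbc
management localhost 5001
"""

CLIENT_CONF = """\
# constructed: mirrors home.ovpn ('client' directive assumed present)
client
dev tun
;proto tcp
proto udp
remote vpn.example.invalid 1194
ca ca.crt
cert client1.crt
key client1.key
remote-cert-tls server
# tls-auth ta.key 1
;cipher AES-256-CBC
cipher bf-cbc
"""


def parse_config(text):
    """Return {directive: [args]}: '#'/';' lines are comments, a trailing '# ...'
    is stripped, inline <ca>...</ca> blocks are recorded as present, and a
    repeated single-valued directive keeps its last occurrence (as OpenVPN does)."""
    conf, inline = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if inline:                                  # inside <tag> ... </tag>
            inline = None if line == f"</{inline}>" else inline
            continue
        m = re.fullmatch(r"<([\w-]+)>", line)
        if m:
            inline = m.group(1)
            conf[inline] = ["<inline>"]
            continue
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split()
        conf[parts[0]] = parts[1:]
    return conf


def dev_type(conf):
    """'dev tun0' on the server and 'dev tun' on the client are the same type."""
    return re.sub(r"\d+$", "", conf.get("dev", [""])[0])


def norm_proto(p):
    """udp/udp4/udp6 -> udp; tcp/tcp-server/tcp-client -> tcp."""
    return "tcp" if p.startswith("tcp") else "udp"


def check_pair(server, client):
    """Return a list of findings; an empty list means the two configs agree."""
    findings = []
    sproto, cproto = (norm_proto(c.get("proto", ["udp"])[0]) for c in (server, client))
    if sproto != cproto:
        findings.append(f"PROTO-MISMATCH: server {sproto}, client {cproto}")

    remote = client.get("remote", [])
    cport = remote[1] if len(remote) > 1 else client.get("port", ["1194"])[0]
    sport = server.get("port", ["1194"])[0]             # 1194 is OpenVPN's default
    if sport != cport:
        findings.append(f"PORT-MISMATCH: server port {sport}, client port {cport}")

    if dev_type(server) != dev_type(client):
        findings.append(f"DEV-MISMATCH: server {dev_type(server)}, client {dev_type(client)}")

    # bf-cbc was the default cipher before OpenVPN 2.4, hence the fallback
    scipher = server.get("cipher", ["bf-cbc"])[0].lower()
    ccipher = client.get("cipher", ["bf-cbc"])[0].lower()
    if scipher != ccipher:
        findings.append(f"CIPHER-MISMATCH: server {scipher}, client {ccipher}")
    elif scipher in SIXTY_FOUR_BIT_BLOCK:
        findings.append(f"WEAK-CIPHER: {scipher} has a 64-bit block size (SWEET32); "
                        "set 'cipher AES-256-CBC' on both sides when the router allows")

    if ("tls-auth" in server) != ("tls-auth" in client):
        findings.append("TLS-AUTH-MISMATCH: tls-auth must be set on both sides or neither")

    if "remote-cert-tls" not in client:
        findings.append("NO-REMOTE-CERT-TLS: client does not check the server cert's key usage")
    return findings


if __name__ == "__main__":
    for f in check_pair(parse_config(SERVER_CONF), parse_config(CLIENT_CONF)) or ["OK"]:
        print(f)
```

Run it against your own pasted "Additional Config" text and home.ovpn; the only finding for the configs above is WEAK-CIPHER, which is the trade-off this post makes to get the 2016 DD-WRT build and the iOS client talking. A second client that uses proto tcp or a different cipher produces PROTO-MISMATCH and CIPHER-MISMATCH findings, which are the usual reasons a connection attempt silently fails.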

Step 4: Upload the .ovpn and key/crt files to your iOS device

Plug your iPhone/iPad into your laptop. In iTunes Click on the iPhone and then “Apps”. Scroll down to “File Uploads” and click on OpenVPN client.

Add the files:

  • home.ovpn
  • ca.crt
  • client1.key
  • client1.crt

Step 5: Test it works

Turn off wifi and launch OpenVPN on your iPhone. Import the new profile and tap the slider to “connect”. You should be asked about allowing OpenVPN to manage VPN connections on your phone. Click OK then you’ll connect.

Reset Prius Maintenance Light

June 23rd, 2013

It’s probably in the manual somewhere but Google is so much faster. The Prius Chat forum had the answer:

  1. Press start (ignition) button
  2. Make sure your odometer displays “ODO” and not “TRIP”
  3. Press and hold the ODO trip reset button
  4. Press start button to turn car off
  5. Press start button (again) to start car
  6. Hold the ODO button in until all the flashing lines on the odometer go away and the mileage returns and the “maintenance” light stops flashing


Sync Google and iCloud contacts

October 6th, 2012

I was trying to get FaceTime on my macbook to load up all the contacts from my iPhone via iCloud. I enabled iCloud contact sync on my phone and logged in on the macbook but only a dozen-ish contacts appeared on laptop.

The problem was that  I sync all contacts via Google (Exchange) and my phone.

The fix:

“Synchronize your Gmail contacts to your Mac by enabling the “Synchronize with Google” option within your Mac Address Book using the ‘On My Mac’ database. This will create a local copy on your Mac of all of your Gmail contact”

Of course, I found this on the Google forums and not on the Apple ones. Read into that what you will.

iPhone 4S Storing Numbers in Wrong Format

October 26th, 2011

My new Verizon iPhone 4S was showing incoming SMS messages with different numbers than incoming calls. I save my contacts with +1 (NNN) NNN-NNNN format so that I can call when roaming abroad without adding the US country code prefix. But SMS messages were coming in (NNN) NNN-NNNN which the phone didn’t match to the +1 version I’ve stored and I noticed that when I stored new numbers they were an odd NNNNNNNNNN form.

Anyway, I found a post that explained how to force an update from Verizon on the Apple Forum. It says:

  1. Open the Phone and dial *228. This is a Verizon over-the-air programming number.
  2. When the system answer press 1 for “Program or activate your phone”
  3. Wait for the call to disconnect. You should get a prompt stating something like, “Settings updated.”
  4. Open the Task Manager and kill the Phone, Message, and Contacts Applications
  5. Wait a few minutes (I waited 3 just to be extra safe)
  6. Open the Message App to verify the fix.

This fixed it.

My old iPhone was AT&T and I set up my new 4S by restoring from the old data. I’m not sure if that caused this problem but I’m glad it went away.

Scumbag Windows 7 where is my disk space?

September 12th, 2011

I dual boot my laptop between Ubuntu and Win7. The Win7 partition began at 25GB whereas Ubuntu is 15GB. Win7 used up all its space so I increased the partition size. Then again and again. Now it has 40GB and just filled it up again.

I tried using disk cleanup and deleting all temporary files. That freed up about 15MB. Then I found an article explaining that hibernate in Win7 stores off a file called hiberfil.sys that can grow and grow in size. Here is how to get rid of it:

  1. run command prompt as Administrator (right-click on its icon)
  2. type in powercfg.exe -h off
  3. reboot
  4. boom! Have 7 GB back

My next laptop will be a Mac.

Easy jailbreak your iPhone

September 8th, 2010

With jailbreaking an iPhone suddenly became too easy not to do. I’ve jailbroken iPhones before with ultrasn0w but this is too simple. Just go to that site on your pre-4.0.1 iPhone, slide your finger across the screen and you’re done.

Simple! But what next?

Your new app installer is called “Cydia”. It’ll be on your home screen. Go play with Cydia and install some apps. Not all are free and none of them are approved by Apple. Now that you can install anything on your iPhone you need to be a little more cautious. It is no different from downloading apps from the web and installing them on your computer — the code is not vetted by any single governing body and you need to be thoughtful as to what you’re installing.

First thing is to fix the root password. iPhones have a default root password of alpine. So install “mobile terminal”, open it and type “passwd” to change your password. Alternatively, connect to your home wifi network, install openssh on your iPhone then go to Settings -> WiFi and take note of your IP address. Then from your laptop ssh into your iPhone and change your password with the passwd command. Also change the “mobile” account password with “passwd mobile”.

Next install the PDF Patch fix (since that security vulnerability let you jailbreak your iPhone via in the first place).

Now follow these simple steps to unlock your iPhone so you can use it on different networks.

Finally, go have fun. Change themes, message alert tones and customize to your heart’s content. When new versions of IOS come out be sure to download and jailbreak before you install them to your device. Don’t just click “install” in iTunes.

Shuffles & randoms

January 20th, 2010

I was asked a question about shuffling yesterday which got me thinking. How do you write an algorithm to truly shuffle a deck of cards without any bias?

There are a couple of well-known algorithms to do this, both popularized by Donald Knuth. At a very abstract high-level they are:

  1. generate a random number for each card in the deck then sort the cards by number. If two cards are assigned the same number then try again;
  2. go through the deck, taking each card in turn and swap it with some random position in the deck.

Clearly #1 could take a longer time to run since you’ve got to sort cards and deal with clashes. Although with only 52 cards in a deck you are probably not too worried about algorithmic complexity.

#2 looks good on the surface but there are a few gotchas to be aware of, and a little mathematical analysis shows why. The first is that if you swap each card with any position in the pack you will not get an even distribution of shuffles. This is because the algorithm has n^n execution paths while there are only n! permutations. Using the Wikipedia example, consider just 3 cards: the algorithm can produce 3^3 = 27 outcomes but there are only 3! = 6 permutations. 27 is not a multiple of 6, so some permutations must come out of the algorithm more often than others (see the pigeonhole principle).

The solution is to swap with the portion of the pack that has not yet been swapped with.

Wikipedia has a clear article on shuffling and implementations with further details on the impact of using the mod operator with random numbers (again, the space of randoms being generated then having mod applied is not an even distribution). A final note is that you need to seed your random number generator or it’ll be pseudo-random. Or better yet use
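The argument above (n^n paths versus n! permutations, and the uneven spread of a modulo-reduced random number) can be checked exactly rather than by sampling. The script below is an added example, not the post's code: it enumerates every execution path of both swap algorithms for a small deck, counts how many paths land on each permutation, shows the histogram of a byte reduced mod 6, and finishes with a Fisher-Yates shuffle that draws from a CSPRNG via a rejection-based helper instead of "%". The functions enumerate_outcomes, is_uniform, mod_bias and shuffle are my own names.

```python
"""Why "swap with any position" is biased and Fisher-Yates is not.

Added example, not from the post: every execution path of both swap
algorithms is enumerated for a small deck, so the bias shown is exact.
"""
import secrets
from collections import Counter
from itertools import product


def enumerate_outcomes(n, tail_only):
    """Run the swap algorithm over every possible sequence of random draws.

    tail_only=False: card i may swap with any j in [0, n)  -> n**n paths (biased)
    tail_only=True : card i may swap with j in [i, n) only -> n! paths (Fisher-Yates)
    Returns a Counter: permutation -> number of paths that produce it.
    """
    ranges = [range(i if tail_only else 0, n) for i in range(n)]
    counts = Counter()
    for choices in product(*ranges):
        deck = list(range(n))
        for i, j in enumerate(choices):
            deck[i], deck[j] = deck[j], deck[i]
        counts[tuple(deck)] += 1
    return counts


def is_uniform(counts):
    """True when every reachable permutation is produced by the same number of paths."""
    return len(set(counts.values())) == 1


def mod_bias(range_size, n):
    """Histogram of r % n for r uniform in [0, range_size).

    Uneven unless n divides range_size: the low residues get one extra hit each.
    """
    return Counter(r % n for r in range(range_size))


def shuffle(deck):
    """Fisher-Yates with a CSPRNG; secrets.randbelow() rejects out-of-range
    draws internally instead of reducing with '%', so there is no modulo bias."""
    deck = list(deck)
    for i in range(len(deck) - 1):
        j = i + secrets.randbelow(len(deck) - i)   # j uniform in [i, n)
        deck[i], deck[j] = deck[j], deck[i]
    return deck


if __name__ == "__main__":
    naive = enumerate_outcomes(3, tail_only=False)
    print("swap-with-any, 3 cards:", dict(naive))        # 27 paths over 6 permutations
    print("fisher-yates,  3 cards:", dict(enumerate_outcomes(3, tail_only=True)))
    print("byte % 6:", dict(mod_bias(256, 6)))
    print(shuffle(range(1, 53)))
```

For 3 cards the swap-with-any run spreads 27 paths over 6 permutations, so at least one permutation is hit 5 times and another 4; the Fisher-Yates run produces exactly 6 paths and each permutation once. The mod_bias histogram is the same effect at the random-number level: 256 bytes reduced mod 6 give residues 0 to 3 one more hit than 4 and 5.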

Location based services for mobiles

January 8th, 2010

Location based services have been around for a number of years in the research community. They were always fun to build and excellent research vehicles but needed something to change before hitting the streets. Well, now that we’re beginning to carry GPS enabled devices these services have hit the mainstream. I regularly use Yelp and Around Me on the iPhone to find local restaurants, gas stations, and coffee shops. The integration with the maps application is a fantastic coupling. Now Google have released their search services with the “Near me now” service (iPhone and Android in US only).

Location data for these applications is usually derived from GPS readings but it is not limited to that. You can use wifi spotting, video capture, parse user calendars or discover location by inference (I am near Alice and Alice knows where she is so I can find where I am). But in practice are these other inputs really required? Or are they all part of a larger model of the real world?

Location based services are a manifestation of pervasive computing in the real world. Next will come more complex context aware services with social aspects and recommendations. I’ve oft heard the question “who will pay for the infrastructure for pervasive computing?”. I think the answer is still “we will” but now you can add “and already are”.

Installing dd-wrt on a Linksys WRT160N-RM v.3

December 8th, 2009

So I cheaped out and bought a refurbished Linksys WRT160N from Amazon for $28. Great price for a 802.11n enabled router (most are in the $100 range) but it kept dropping wifi connections, slowing up and refusing to respond. Wired connections were fine so I suspected a dodgy radio. Linksys support couldn’t fix the wifi issues so I was about to send it back when I decided to wipe the Linksys firmware and flash dd-wrt to it. The router wasn’t doing much anyhow.

The latest version of dd-wrt supports the WRT160N v.3 router. It is easy to install via the router’s web admin interface and rather than repeat myself here I’ve updated the dd-wrt community wiki page with the step-by-step instructions.

Note: when you search the dd-wrt router database it’ll give you back three different bin files to choose from. You only need one of those to kick off: dd-wrt.v24-13309_NEWD-2_K2.6_mini_wrt160nv3.bin AKA “mini” is the basic dd-wrt firmware that I used. It has more than enough features to keep most users happy.

My router has been up and running with dd-wrt for the last 4h29m without any problems and it feels faster (not sure if that is psychological). The best part is that the nerd in me is now super excited to have a working, fully featured, Linux-based router in the office.

Construct at University of Colorado at Boulder

December 7th, 2009

I’ve been talking with faculty staff at CU CSCI about the kind of work they’re doing and to see if there are any projects that we might collaborate on. After a chat with Katie Siek we decided that the most efficient way to introduce my research from UCD and Glasgow was to drop by and give a presentation.

For the opening I talked a little about the data binding technologies we developed at Strathclyde. These “type projection” systems provide a safe and extremely efficient mechanism for computing over semistructured data sources (if you’ve ever used JAXB from Sun they’re kind of similar). I skipped pretty quickly over that, hopefully didn’t lose too many listeners, and jumped into Construct.

Construct is our open-source community platform for Pervasive Computing. It is a middleware that provides the plumbing for developers of Pervasive or Ubiquitous systems. Rather than spend time writing code for management of services and data flow across the network developers can concentrate on the problem domain for their specific project.

I was invited back to talk with Ric Han’s group early January.