[johnnyboyq]

Firmware: DD-WRT v3.0-r31870M kongac (04/16/17)
Time: 00:05:56 up 26 min, load average: 0.00, 0.01, 0.00
HW:netgear r8000, ver 2.4.38 running openvpn with ipvanish

1.Is there a way to force dd-wrt to logout?
2.When logging in, the login box says the connection is not secure. What is that about?
3.I have the below entries in my syslog and don't know what they mean. I'd appreciate any explanation of them.

Apr 24 23:39:43 r8000 daemon.warn openvpn[1428]: WARNING: file '/tmp/openvpncl/credentials' is group or others accessible

Apr 24 23:39:43 r8000 daemon.warn openvpn[1430]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts

Apr 24 23:40:48 r8000 daemon.warn openvpn[1430]: Option 'explicit-exit-notify' in [PUSH-OPTIONS]:5 is ignored by previous blocks

Apr 24 23:48:45 r8000 daemon.warn dnsmasq[1687]: possible DNS-rebind attack detected: using.svc.opendns.com

thanks for any help...

[hubermania]

Sounds like you have two or three isues in play:
1. In DD-WRT UI you should have HTTPS and not HTTP checkmarked on the Administration tab. This forces a secure SSL login at e.g. https://192.168.1.1/ . There is no Logout option, though it will eventually timeout.
2. In DD-WRT UI you should have no remote access allowed on the Administration tab.
3. dnsmasq might be detecting a client using its own DNS. Setup->Basic should have DNS 1-3 set to 1) VPN provider's LAN-side DNS typically a 10.x.x.x, 2) VPN provider's public side DNS, 3) non-ISP DNS server like OpenDNS. There are also some forced dnsmasq options on Setup->Basic and Services->Services that I don't recall offhand. (Edit: Forced DNS Redirection on Basic, No DNS Rebind on Services.)

[jwh7]

[johnnyboyq]

hello and thanks to you both for your replies and advice! I seem to be having some difficulty entering the basic command of changing from http to https settings and I don't know why. I have my syslog attached as a pdf along with the admin tab diagram. When I set the https setting and reboot the router, I get the msg that therouter refuses the connection and I then have to manually reboot the router. On my 1st attempt, I followed all your instructions and set to https, the allow any remote IP is defaulted to enable, then disabling it comes up with allowed remote IP range which I set to my static dhcp addresses and got the refusal. I figured out later that the http to https setting is causing the problem by itself. Does anything in my logs stand out to you as a problem??? thanks much!!

[johnnyboyq]

Oh, additionally, the SSH Management Enable selection is grayed out and unavailable, but the Telnet can be enabled. I have Putty installed and trying to come up to speed on using that program. Does SSH Mgmt need to be enabled to connect to the router??
Thanks!

[hubermania]

When you checkmark HTTPS, uncheck HTTP, and hit Apply, remember to switch the browser prefix to https:// . The whole point is to block the plain text http:// URL that you've been using to set up the router. I usually have the opposite problem and try to use https:// after a factory reset.

Once the web UI is set to HTTPS, I think it unlocks the ssh options.

[hubermania]

There is a whole wiki page devoted to Putty and other clients, and another wiki page discussing ssh key creation

[johnnyboyq]

hello, you were of course correct, I had not changed the url address to https. But a new issue popped up, still a not secure message but a different one. Please see my attachment showing the url message and my updated syslog... And thx for the wiki webpage info on SSH.
thanks much!

[hubermania]

The triangle /!\ in the corner of the browser address is because the DD-WRT UI certificate is not for that specific host. The browser will pop up an untrusted cert message after a flash of a new DD-WRT version, for which you will add a permanent exception. BTW your ssh client will also pop up a warning after a flash.

The red highlighted syslog line about resolving the VPN host is more curious. Says it couldn't resolve a remote address like blah.vpn.net:443 . Services->VPN should have just the VPN host like blah.vpn.net, and the port set to 443 or whatever the VPN said.

[johnnyboyq]

Hello, I have tried a number of different ipnvanish authorized vpn sites and can't get rid of the "can't resolve" error msg. I followed the V3 openvpn instructions available on ipvanish website. I noticed that I have always had this error previously but wasn't sure what the cause was.

The exception that you mentioned regarding the not secure error msg; were you saying that I needed to reflash my dd-wrt config in order to setup an exception? I poked around the msg itself and I get options to change some of the permissions for the website but I can't find anywhere to actually submit an exception.

Logs in pdf and thanks!!!

the ipvanish v3 router setup guide is located here:
https://support.ipvanish.com/customer/portal/articles/2762802

[johnnyboyq]

Hi,
attaching the openvpn log as pdf.
thanks!

[hubermania]

You're stuck with the Not Secure warning in the address bar. My point about flashing a new version is, afterward your router will have a different cert that still isn't for your specific host, so the browser will popup a fresh untrusted cert warning and prompt you to allow/add a permanent exception for it.

The remote server definitely resolves to an IP, so it must be something wonky in your setup. It could be as simple as your ISP blocking that host name! On the Setup->Basic tab, switch the #1 and #2 DNS to OpenDNS at 208.67.222.222 and 208.67.220.220.

[johnnyboyq]

Hey hubermania, I changed out the and still show the "can't resolve" error...weird! I'm sending my logs over to ipvanish support and maybe they can take a look at them and see where the error is. I followed their setup instructions so hopefully they can add some other eyes. I sure do appreciate your assistance though. My current logs are in pdf...
thanks!

[hubermania]

I took a look at my own syslog this evening after powering up my router and cable modem. Guess what I found. Unresolved hostname for my VPN provider! It turns out that OpenVPN gets two WAN up events during power up. One is the cable modem powering up and giving the router an offline 192.168.100.x address from its internal DHCP. That's where my VPN hostname lookup fails, since the modem is still offline. The second WAN up is when the cable modem goes online and the router gets a public IP from the ISP DHCP.

From your syslog, it looks like OpenVPN succeeds in setting up the tunnel at 13:09:37 where it says "TUN/TAP device tun1 opened". As long as your VPN tunnel connects and works, you can probably ignore that one earlier unresolved VPN host mesage.

[johnnyboyq]

Hey hubermania,thank you for following up and verifying that the error msg was in fact not applicable due to the time that it was generated. I am very new at this and had trouble initially getting openvpn setup so of course my 1st reaction was that something had to be wrong. I am at ease now and interested in learning more about this whole process. Again, your efforts are majorly appreciated!!