Posted: Sun Apr 01, 2018 4:02 Post subject: moving from Build 21061 to latest 35531. OpenVPN Trouble.
So I want to move to a later build. I have OpenVPN up and running on the older build.
I know that there are updated configurations but not sure where to put some of the new commands. Any thoughts?
Setup:
Cisco E3000 Mega Build 21061
Did a 30-30-30 reset, loaded Mega Build 35531 and retyped the setup; I did not just reload a saved config.
The Following OpenVPN configuration works on the 21061 but not on the 35531.
The one thing I don't know is where to put mtu-disc yes.
I know the certs are fine. I am running in daemon mode, not the server GUI. It is pretty much the sample server and client config for OpenVPN 2.0. I did update UDP to UDP4 in both the server and client config, and in the firewall config, to confirm it works on the older build.
Router Server Info.
Additional Config:
push "route 192.168.10.0 255.255.255.0"
push "dhcp-option DNS 192.168.20.1"
server 192.168.20.0 255.255.255.0
dev tun0
proto udp4
keepalive 10 120
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
# Only use crl-verify if you are using the revoke list - otherwise leave it commented out
# crl-verify /tmp/openvpn/ca.crl
# management parameter allows DD-WRT's OpenVPN Status web page to access the server's management port
# port must be 5001 for scripts embedded in firmware to work
management localhost 5001
# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one. On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap
# Are we connecting to a TCP or
# UDP server? Use the same setting as
# on the server.
;proto tcp
proto udp4
# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote xx.xx.xx.xx 1194
# Choose a random host from the remote
# list for load-balancing. Otherwise
# try hosts in the order specified.
;remote-random
# Keep trying indefinitely to resolve the
# host name of the OpenVPN server. Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite
# Most clients don't need to bind to
# a specific local port number.
nobind
# Try to preserve some state across restarts.
persist-key
persist-tun
# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here. See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
# Wireless networks often produce a lot
# of duplicate packets. Set this flag
# to silence duplicate packet warnings.
mute-replay-warnings
# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
ca ca.crt
cert client2.crt
key client2.key
# Verify server certificate by checking
# that the certificate has the nsCertType
# field set to "server". This is an
# important precaution to protect against
# a potential attack discussed here:
# http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server". The build-key-server
# script in the easy-rsa folder will do this.
ns-cert-type server
# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
;comp-lzo
# Set log file verbosity.
verb 5
# Silence repeating messages
mute 100
Configuration:
WRT600n BS Mega r15962 --Broadband Router
WRT600n BS Mega r15962 --Repeater Bridge
WRT54G-TM BS Mega r15962 --Broadband Router and OpenVPN Server
WRT54G-TM BS Mega r15962 --Broadband Router
WRT54G v2.0 EKO Std r15943_VINT --Idle
WRT54G v1.1 --Idle
WRT54GS V6.0 BS VPN r15962 --Idle
Joined: 18 Mar 2014 Posts: 12917 Location: Netherlands
Posted: Sun Apr 01, 2018 9:59 Post subject:
Proto and MTU Disc are handled correctly by recent builds so you do not need to specify this.
The only firewall rule really needed (to give the VPN clients access to your network/internet) is the following:
Code:
iptables -t nat -A POSTROUTING -j MASQUERADE
You are using tun0; that could be a problem, as DD-WRT in most builds uses tun2 by default and thus inserts the necessary firewall rules for tun2.
You might try to delete tun0 and let DDWRT handle this.
For recent versions you have to regenerate your certificates.
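A small config linter, added here as an example and not code from either poster or from DD-WRT, that checks an OpenVPN "Additional Config" and firewall script against the points made in the reply above: tun2 as the interface the build writes its firewall rules for, proto and mtu-disc as build-managed directives, port 5001 for the management interface, and the single MASQUERADE rule. The sample config text is constructed from the post, with the mtu-disc line the poster asked about added in.

```python
import shlex

# Constructed sample input: the server-side Additional Config from the post,
# plus the 'mtu-disc yes' line the poster was unsure where to put.
SAMPLE_SERVER_CFG = """\
push "route 192.168.10.0 255.255.255.0"
push "dhcp-option DNS 192.168.20.1"
server 192.168.20.0 255.255.255.0
dev tun0
proto udp4
mtu-disc yes
keepalive 10 120
# crl-verify /tmp/openvpn/ca.crl
management localhost 5001
"""

# Constructed sample firewall script holding the one rule the reply says is needed.
SAMPLE_FIREWALL = "iptables -t nat -A POSTROUTING -j MASQUERADE\n"

BUILD_MANAGED = {"proto", "mtu-disc"}  # set by recent builds themselves, per the reply
EXPECTED_DEV = "tun2"                  # interface DD-WRT writes its firewall rules for

def parse_directives(text):
    """Yield (directive, args) per line, skipping blanks and '#'/';' comment lines."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line)  # keeps a quoted push argument as one token
        yield parts[0], parts[1:]

def lint_server_config(text):
    """Return (code, message) findings for directives that clash with the reply's advice."""
    findings = []
    for name, args in parse_directives(text):
        if name == "dev" and args and args[0] != EXPECTED_DEV:
            findings.append(("DEV_MISMATCH", f"dev {args[0]}: build rules target {EXPECTED_DEV}; drop the line"))
        elif name in BUILD_MANAGED:
            findings.append(("REDUNDANT", f"{name}: handled by recent builds, remove"))
        elif name == "management" and args[1:] != ["5001"]:
            findings.append(("MGMT_PORT", "management port must be 5001 for the status page"))
    return findings

def has_masquerade(firewall_text):
    """True if a nat-table POSTROUTING MASQUERADE rule is present in the firewall script."""
    for name, args in parse_directives(firewall_text):
        if name == "iptables" and {"-t", "nat", "POSTROUTING", "MASQUERADE"} <= set(args):
            return True
    return False

if __name__ == "__main__":
    for code, msg in lint_server_config(SAMPLE_SERVER_CFG):
        print(code, msg)
    print("masquerade rule present:", has_masquerade(SAMPLE_FIREWALL))
```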