[shutech]

So I want to move to a later Build I have OpenVPN up and running on the older build.

I know that there are updated configurations but not sure where to put some of the new commands. Any thoughts?

Setup:

Cisco E3000 Mega Build 21061

30-30-30 and loaded Mega Build 35531 and retyped the setup did not just reload a saved config.

The Following OpenVPN configuration works on the 21061 but not on the 35531.

The one thing I don't know is where to put mtu-disc yes.


I know Certs are fine. I am running in Daemon and not server GUI. It is pretty much the sample server and client config for OpenVPN 2.0 I did update UDP to UDP4 in both server and client config and Firewall config to confirm working on older build.

Router Server Info.

Additional Config:

push "route 192.168.10.0 255.255.255.0"
push "dhcp-option DNS 192.168.20.1"
server 192.168.20.0 255.255.255.0

dev tun0
proto udp4
keepalive 10 120
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem

# Only use crl-verify if you are using the revoke list - otherwise leave it commented out
# crl-verify /tmp/openvpn/ca.crl

# management parameter allows DD-WRT\s OpenVPN Status web page to access the server\s management port
# port must be 5001 for scripts embedded in firmware to work
management localhost 5001

Firewall:

iptables -I INPUT 1 -p udp4 --dport 1194 -j ACCEPT

iptables -I FORWARD 1 --source 192.168.20.0/24 -j ACCEPT


Computer Client Info:

Installed Openvpn 2.4.4-1601


Config file:

client

dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one. On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap

# Are we connecting to a TCP or
# UDP server? Use the same setting as
# on the server.
;proto tcp
proto udp4


# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote xx.xx.xx.xx 1194



# Choose a random host from the remote
# list for load-balancing. Otherwise
# try hosts in the order specified.
;remote-random

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server. Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nobody

# Try to preserve some state across restarts.
persist-key
persist-tun

# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here. See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot
# of duplicate packets. Set this flag
# to silence duplicate packet warnings.
mute-replay-warnings


# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
ca ca.crt
cert client2.crt
key client2.key

# Verify server certificate by checking
# that the certicate has the nsCertType
# field set to "server". This is an
# important precaution to protect against
# a potential attack discussed here:
# http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server". The build-key-server
# script in the easy-rsa folder will do this.
ns-cert-type server


# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
;comp-lzo

# Set log file verbosity.
verb 5

# Silence repeating messages
mute 100
Configuration:

[egc]

Proto and MTU Disc are handled correctly by recent builds so you do not need to specify this.

The only firewall rule really needed (to give the VPN clients access to your network/internet) is the following: