OpenVPN server setup on WRT1200AC [solved]

Szellem
DD-WRT Novice


Joined: 14 Sep 2012
Posts: 16

PostPosted: Tue Jan 15, 2019 19:24    Post subject: OpenVPN server setup on WRT1200AC [solved]
Hi,

I hate to create a new thread since this topic already has several similar threads actively running, but I'm unable to make my configuration work, and could use help finding what I've done wrong.

I have a home LAN that I'd like to be able to access remotely. Right now I use forwarded ports, which is messy to maintain in the GUI and doesn't model my usage well (my home services are exposed to the internet, but only I use them). So I'd like to set up a VPN; I've used openvpn as a client previously, and it was recommended over PPTP, so it became my choice for a server. And since I already have a relatively powerful WRT1200AC, I decided to try hosting the VPN from there.

The first step was to update dd-wrt. The router is now at version v3.0-r38155 std (12/31/18).

I'm following two initial guides:

https://wiki.dd-wrt.com/wiki/index.php/VPN_(the_easy_way)_v24+

https://wiki.dd-wrt.com/wiki/index.php/OpenVPN#GUI:_Server_Configuration

I also just read over egc's setup guide.

But I found that my Linux distribution packages easy-rsa version 3. So I created the keys and certs with: https://github.com/OpenVPN/easy-rsa/blob/v3.0.6/README.quickstart.md

After following the easyrsa instructions I had a ca.crt, ca.key, server.cert, server.key, client.cert, client.key, dh.pem, and made a ta.key in the course of troubleshooting.

I used the dd-wrt gui to set up openvpn server, with this resulting config file (copied over ssh):

Code:
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
keepalive 10 120
verb 3
mute 3
syslog
writepid /var/run/openvpnd.pid
management 127.0.0.1 14
management-log-cache 100
topology subnet
script-security 2
port 1194
proto udp4
cipher aes-256-cbc
auth sha256
client-connect /tmp/openvpn/clcon.sh
client-disconnect /tmp/openvpn/cldiscon.sh
client-config-dir /tmp/openvpn/ccd
comp-lzo no
tls-server
ifconfig-pool-persist /tmp/openvpn/ip-pool 86400
client-to-client
fast-io
tun-mtu 1500
mtu-disc yes
server 10.10.31.0 255.255.255.0
dev tun2


openvpn runs successfully, and I can see it with `ps`.

Code:

Serverlog:
20190115 12:33:34 W WARNING: Using --management on a TCP port WITHOUT passwords is STRONGLY discouraged and considered insecure
20190115 12:33:34 I OpenVPN 2.4.6 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Dec 31 2018
20190115 12:33:34 I library versions: OpenSSL 1.1.1a 20 Nov 2018 LZO 2.09
20190115 12:33:34 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:14
20190115 12:33:34 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
20190115 12:33:34 Diffie-Hellman initialized with 2048 bit key
20190115 12:33:34 I TUN/TAP device tun2 opened
20190115 12:33:34 TUN/TAP TX queue length set to 100
20190115 12:33:34 D do_ifconfig tt->did_ifconfig_ipv6_setup=0
20190115 12:33:34 I /sbin/ifconfig tun2 10.10.31.1 netmask 255.255.255.0 mtu 1500 broadcast 10.10.31.255
20190115 12:33:34 Socket Buffers: R=[180224->180224] S=[180224->180224]
20190115 12:33:34 I UDPv4 link local (bound): [AF_INET][undef]:1194
20190115 12:33:34 I UDPv4 link remote: [AF_UNSPEC]
20190115 12:33:34 MULTI: multi_init called r=256 v=256
20190115 12:33:34 IFCONFIG POOL: base=10.10.31.2 size=252 ipv6=0
20190115 12:33:34 IFCONFIG POOL LIST
20190115 12:33:34 I Initialization Sequence Completed
20190115 12:39:20 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20190115 12:39:20 D MANAGEMENT: CMD 'state'
20190115 12:39:20 MANAGEMENT: Client disconnected
20190115 12:39:20 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20190115 12:39:20 D MANAGEMENT: CMD 'state'
20190115 12:39:20 MANAGEMENT: Client disconnected
20190115 12:39:20 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20190115 12:39:20 D MANAGEMENT: CMD 'state'
20190115 12:39:20 MANAGEMENT: Client disconnected
20190115 12:39:20 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20190115 12:39:20 MANAGEMENT: Client disconnected
20190115 12:39:20 NOTE: --mute triggered...
20190115 12:39:20 1 variation(s) on previous 3 message(s) suppressed by --mute
20190115 12:39:20 D MANAGEMENT: CMD 'status 2'
20190115 12:39:20 MANAGEMENT: Client disconnected
20190115 12:39:20 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20190115 12:39:20 D MANAGEMENT: CMD 'status 2'
20190115 12:39:20 MANAGEMENT: Client disconnected
20190115 12:39:20 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20190115 12:39:20 D MANAGEMENT: CMD 'log 500'
20190115 12:39:20 MANAGEMENT: Client disconnected
20190115 13:14:21 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20190115 13:14:21 D MANAGEMENT: CMD 'state'
20190115 13:14:21 MANAGEMENT: Client disconnected
20190115 13:14:21 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20190115 13:14:21 D MANAGEMENT: CMD 'state'
20190115 13:14:21 MANAGEMENT: Client disconnected
20190115 13:14:21 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20190115 13:14:21 D MANAGEMENT: CMD 'state'
20190115 13:14:21 MANAGEMENT: Client disconnected
20190115 13:14:21 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20190115 13:14:21 MANAGEMENT: Client disconnected
20190115 13:14:21 NOTE: --mute triggered...
20190115 13:14:21 1 variation(s) on previous 3 message(s) suppressed by --mute
20190115 13:14:21 D MANAGEMENT: CMD 'status 2'
20190115 13:14:21 MANAGEMENT: Client disconnected
20190115 13:14:21 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20190115 13:14:21 D MANAGEMENT: CMD 'status 2'
20190115 13:14:21 MANAGEMENT: Client disconnected
20190115 13:14:21 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20190115 13:14:21 D MANAGEMENT: CMD 'log 500'


I have this client configuration:

Code:

$ cat ovpn.conf
client
verb 6
mute 3
float
remote 'me.com' 1194
ca '/etc/openvpn/client/ca.crt'
cert '/etc/openvpn/client/client.crt'
key '/etc/openvpn/client/client.key'
cipher AES-256-CBC
;comp-lzo adaptive
comp-lzo no
tun-mtu 1500
dev tun
proto udp4
auth sha256
remote-cert-tls server
;tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
;tls-auth '/etc/openvpn/client/ta.key' 1
;tls-client
nobind
auth-nocache
;script-security 2
persist-key
persist-tun


When I try to connect, I get TLS errors:

Code:

Tue Jan 15 12:34:00 2019 us=873613 WARNING: file '/etc/openvpn/client/client.key' is group or others accessible
Tue Jan 15 12:34:00 2019 us=873686 Current Parameter Settings:
Tue Jan 15 12:34:00 2019 us=873700   config = 'ovpn.conf'
Tue Jan 15 12:34:00 2019 us=873709   mode = 0
Tue Jan 15 12:34:00 2019 us=873718 NOTE: --mute triggered...
Tue Jan 15 12:34:00 2019 us=873742 278 variation(s) on previous 3 message(s) suppressed by --mute
Tue Jan 15 12:34:00 2019 us=873754 OpenVPN 2.4.6 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 24 2018
Tue Jan 15 12:34:00 2019 us=873777 library versions: OpenSSL 1.1.1a  20 Nov 2018, LZO 2.10
Enter Private Key Password: ****************
Tue Jan 15 12:34:04 2019 us=351922 Control Channel MTU parms [ L:1622 D:1212 EF:38 EB:0 ET:0 EL:3 ]
Tue Jan 15 12:34:04 2019 us=632228 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Tue Jan 15 12:34:04 2019 us=632351 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1570,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-client'
Tue Jan 15 12:34:04 2019 us=632379 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1570,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-server'
Tue Jan 15 12:34:04 2019 us=632412 TCP/UDP: Preserving recently used remote address: [AF_INET][ip]:1194
Tue Jan 15 12:34:04 2019 us=632467 Socket Buffers: R=[212992->212992] S=[212992->212992]
Tue Jan 15 12:34:04 2019 us=632490 UDPv4 link local: (not bound)
Tue Jan 15 12:34:04 2019 us=632511 UDPv4 link remote: [AF_INET][ip]:1194
Tue Jan 15 12:34:04 2019 us=632590 UDPv4 WRITE [14] to [AF_INET][ip]:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Tue Jan 15 12:34:06 2019 us=795918 UDPv4 WRITE [14] to [AF_INET][ip]:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Tue Jan 15 12:34:10 2019 us=38958 UDPv4 WRITE [14] to [AF_INET][ip]:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Tue Jan 15 12:34:19 2019 us=34576 NOTE: --mute triggered...
Tue Jan 15 12:35:04 2019 us=816469 2 variation(s) on previous 3 message(s) suppressed by --mute
Tue Jan 15 12:35:04 2019 us=816553 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Jan 15 12:35:04 2019 us=816577 TLS Error: TLS handshake failed
Tue Jan 15 12:35:04 2019 us=816787 TCP/UDP: Closing socket
Tue Jan 15 12:35:04 2019 us=816872 SIGUSR1[soft,tls-error] received, process restarting
Tue Jan 15 12:35:04 2019 us=816933 Restart pause, 5 second(s)


The TLS error seems to indicate I cannot reach the router. I know that the URL resolves to the correct IP, because I am able to reach the forwarded ports. And I've read that the iptables rules in the wiki are outdated, but that's the only thing I could think of that would keep the client from reaching the server.

I'd appreciate any help troubleshooting this. Please let me know if I've left pertinent information out.


Last edited by Szellem on Fri May 17, 2019 21:42; edited 1 time in total
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6856
Location: Romerike, Norway

PostPosted: Tue Jan 15, 2019 20:22    Post subject:
Try with "tun-mtu 1400"
Szellem
DD-WRT Novice


Joined: 14 Sep 2012
Posts: 16

PostPosted: Tue Jan 15, 2019 20:31    Post subject:
Thanks, I gave that a shot but it didn't seem to work.

Changed "Tunnel MTU setting" on the dd-wrt gui to 1400, and hit save, then 'apply' to restart the service (is that right?). Then changed tun-mtu to 1400 on my client config.

Code:

$ sudo openvpn --config ovpn.conf
[sudo] password for user:
Tue Jan 15 14:27:38 2019 us=227267 WARNING: file '/etc/openvpn/client/client.key' is group or others accessible
Tue Jan 15 14:27:38 2019 us=227576 Current Parameter Settings:
Tue Jan 15 14:27:38 2019 us=227597   config = 'ovpn.conf'
Tue Jan 15 14:27:38 2019 us=227614   mode = 0
Tue Jan 15 14:27:38 2019 us=227634 NOTE: --mute triggered...
Tue Jan 15 14:27:38 2019 us=227665 278 variation(s) on previous 3 message(s) suppressed by --mute
Tue Jan 15 14:27:38 2019 us=227682 OpenVPN 2.4.6 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 24 2018
Tue Jan 15 14:27:38 2019 us=227709 library versions: OpenSSL 1.1.1a  20 Nov 2018, LZO 2.10
Enter Private Key Password: ****************
Tue Jan 15 14:27:42 2019 us=368924 WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 1400)
Tue Jan 15 14:27:42 2019 us=369070 Control Channel MTU parms [ L:1522 D:1212 EF:38 EB:0 ET:0 EL:3 ]
Tue Jan 15 14:27:42 2019 us=460034 Data Channel MTU parms [ L:1522 D:1450 EF:122 EB:389 ET:0 EL:3 ]
Tue Jan 15 14:27:42 2019 us=460169 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1470,tun-mtu 1400,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-client'
Tue Jan 15 14:27:42 2019 us=460196 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1470,tun-mtu 1400,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-server'
Tue Jan 15 14:27:42 2019 us=460226 TCP/UDP: Preserving recently used remote address: [AF_INET]:1194
Tue Jan 15 14:27:42 2019 us=460283 Socket Buffers: R=[212992->212992] S=[212992->212992]
Tue Jan 15 14:27:42 2019 us=460305 UDPv4 link local: (not bound)
Tue Jan 15 14:27:42 2019 us=460326 UDPv4 link remote: [AF_INET]:1194
Tue Jan 15 14:27:42 2019 us=460409 UDPv4 WRITE [14] to [AF_INET]:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Tue Jan 15 14:27:44 2019 us=567746 UDPv4 WRITE [14] to [AF_INET]:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Tue Jan 15 14:27:48 2019 us=784306 UDPv4 WRITE [14] to [AF_INET]:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Tue Jan 15 14:27:56 2019 us=389265 NOTE: --mute triggered...
Tue Jan 15 14:28:42 2019 us=803284 2 variation(s) on previous 3 message(s) suppressed by --mute
Tue Jan 15 14:28:42 2019 us=803368 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Jan 15 14:28:42 2019 us=803392 TLS Error: TLS handshake failed
Tue Jan 15 14:28:42 2019 us=803553 TCP/UDP: Closing socket
Tue Jan 15 14:28:42 2019 us=803618 SIGUSR1[soft,tls-error] received, process restarting
Tue Jan 15 14:28:42 2019 us=803668 Restart pause, 5 second(s)
^CTue Jan 15 14:28:44 2019 us=372177 SIGINT[hard,init_instance] received, process exiting
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6856
Location: Romerike, Norway

PostPosted: Tue Jan 15, 2019 22:14    Post subject:
The MTU 1400 is clearly wrong.

Another thing that can prevent the handshake is compression mismatch.

comp-lzo is no longer a valid option in OpenVPN 2.4.

https://forums.openvpn.net/viewtopic.php?t=25000
Szellem
DD-WRT Novice


Joined: 14 Sep 2012
Posts: 16

PostPosted: Wed Jan 16, 2019 16:50    Post subject:
Per Yngve Berg wrote:
The MTU 1400 is clearly wrong.

Another thing that can prevent the handshake is compression mismatch.

comp-lzo is no longer a valid option in OpenVPN 2.4.

https://forums.openvpn.net/viewtopic.php?t=25000


Thanks Per Yngve Berg.

I don't quite know what you mean by 1400 being wrong. Should I change back to 1500?

And thanks for the heads up about compression. That thread doesn't seem to have a clear resolution though. I just checked and both my systems are using version 2.4.6, so that would mean I should use "--compress lz4"? The dd-wrt config's "--comp-lzo" was generated by the GUI, is there a way for me to change that?
Dr_K
DD-WRT User


Joined: 23 Mar 2018
Posts: 445

PostPosted: Wed Jan 16, 2019 18:11    Post subject:
Try adding "key-direction 1" to your client config and uncommenting the "tls-auth..." line, assuming it points to where it is located

My client config has "comp-lzo". While dd-wrt's gui has it set to "adaptive"

Also my MTU is set to 1500 on the server......while it is NOT specified in my client config

Hope any of this helps

_________________
Location 1
R7800- DD-WRT v3.0-r53562 (10/03/23) Gateway
WNDR3400v1 DD-WRT v3.0-r35531_mega-nv64k (03/26/18 ) Access Point
WRT160Nv3 DD-WRT ?v3?.0-r35531 mini (03/26/18 ) Access Point
WRT54GSv5 DD-WRT v24-r33555_micro_generic (10/20/17) Repeater
Location 2
R7800- DD-WRT v3.0-r51855 (02/25/23) Gateway
R6300v2- DD-WRT v3.0-r50671 (10-26-22) Access Point
WNDR3700v2 DD-WRT v3.0-r35531 std (03/26/18 ) Access Point
E1200 v2 DD-WRT v3.0-r35531 mega-nv64k (03/26/18 ) Gateway(for trivial reasons)
RBWAPG-5HACT2HND-BE RouterOS-v6.46.4 (2/21/20) Outdoor Access Point
2x RBSXTG-5HPACD RouterOS-v6.46.4 (2/21/20) PTP Bridge 866.6Mbps-1GbpsLAN
Location 3
2x R7000- DD-WRT v3.0-r50671 (10/26/22) Access Points
2x RBWAPG-60AD RouterOS-v6.45.9 (04/30/20) PTP Bridge 2.3Gbps-1GbpsLAN
2x RBSXTsqG-5acD RouterOS-v6.49.7 (10/14/22) PTP Bridge 866.6Mbps-1GbpsLAN

Thank You BrainSlayer for ALL that you do & have done, also to "most" everyone here that shares their knowledge
Szellem
DD-WRT Novice


Joined: 14 Sep 2012
Posts: 16

PostPosted: Thu Jan 17, 2019 17:26    Post subject:
Thanks Dr_K. I've updated the configuration as shown below, but it still does not connect with the same symptoms.

Code:

# cat /tmp/openvpn/openvpn.conf
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
keepalive 10 120
verb 3
mute 3
syslog
writepid /var/run/openvpnd.pid
management 127.0.0.1 14
management-log-cache 100
topology subnet
script-security 2
port 1194
proto udp4
cipher aes-256-cbc
auth sha256
client-connect /tmp/openvpn/clcon.sh
client-disconnect /tmp/openvpn/cldiscon.sh
client-config-dir /tmp/openvpn/ccd
comp-lzo adaptive
tls-server
ifconfig-pool-persist /tmp/openvpn/ip-pool 86400
client-to-client
fast-io
tun-mtu 1500
mtu-disc yes
server 10.10.13.0 255.255.255.0
dev tun2
tls-auth /tmp/openvpn/ta.key 0


Client:
Code:

$ cat ovpn.conf
client
verb 6
mute 3
float
remote '' 1194
ca '/etc/openvpn/client/ca.crt'
cert '/etc/openvpn/client/client.crt'
key '/etc/openvpn/client/client.key'
cipher AES-256-CBC
;comp-lzo adaptive
comp-lzo no
tun-mtu 1400
dev tun
proto udp4
auth sha256
remote-cert-tls server
;tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
tls-auth '/etc/openvpn/client/ta.key'
key-direction 1
;tls-client
nobind
auth-nocache
;script-security 2
persist-key
persist-tun


Run:
Code:

$ sudo openvpn --config ovpn.conf
[sudo] password for :
Thu Jan 17 11:23:42 2019 us=864762 WARNING: file '/etc/openvpn/client/client.key' is group or others accessible
Thu Jan 17 11:23:42 2019 us=864866 WARNING: file '/etc/openvpn/client/ta.key' is group or others accessible
Thu Jan 17 11:23:42 2019 us=864900 Current Parameter Settings:
Thu Jan 17 11:23:42 2019 us=864925   config = 'ovpn.conf'
Thu Jan 17 11:23:42 2019 us=864948   mode = 0
Thu Jan 17 11:23:42 2019 us=864969 NOTE: --mute triggered...
Thu Jan 17 11:23:42 2019 us=865007 278 variation(s) on previous 3 message(s) suppressed by --mute
Thu Jan 17 11:23:42 2019 us=865026 OpenVPN 2.4.6 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 24 2018
Thu Jan 17 11:23:42 2019 us=865064 library versions: OpenSSL 1.1.1a  20 Nov 2018, LZO 2.10
Enter Private Key Password: ****************
Thu Jan 17 11:23:52 2019 us=668919 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Thu Jan 17 11:23:52 2019 us=668985 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Thu Jan 17 11:23:52 2019 us=669027 WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 1400)
Thu Jan 17 11:23:52 2019 us=669201 Control Channel MTU parms [ L:1522 D:1172 EF:78 EB:0 ET:0 EL:3 ]
Thu Jan 17 11:23:52 2019 us=732491 Data Channel MTU parms [ L:1522 D:1450 EF:122 EB:389 ET:0 EL:3 ]
Thu Jan 17 11:23:52 2019 us=732645 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1470,tun-mtu 1400,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-client'
Thu Jan 17 11:23:52 2019 us=732696 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1470,tun-mtu 1400,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-server'
Thu Jan 17 11:23:52 2019 us=732738 TCP/UDP: Preserving recently used remote address: [AF_INET]:1194
Thu Jan 17 11:23:52 2019 us=732812 Socket Buffers: R=[212992->212992] S=[212992->212992]
Thu Jan 17 11:23:52 2019 us=732847 UDPv4 link local: (not bound)
Thu Jan 17 11:23:52 2019 us=732880 UDPv4 link remote: [AF_INET]:1194
Thu Jan 17 11:23:52 2019 us=733000 UDPv4 WRITE [54] to [AF_INET]:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #1 ] [ ] pid=0 DATA len=0
Thu Jan 17 11:23:54 2019 us=882401 UDPv4 WRITE [54] to [AF_INET]:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #2 ] [ ] pid=0 DATA len=0
Thu Jan 17 11:23:58 2019 us=104267 UDPv4 WRITE [54] to [AF_INET]:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #3 ] [ ] pid=0 DATA len=0
Thu Jan 17 11:24:07 2019 us=185227 NOTE: --mute triggered...


Last edited by Szellem on Wed Jan 23, 2019 0:17; edited 1 time in total
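The settings this thread keeps circling (compression mode, tun-mtu, tls-auth key direction, cipher and auth) all have to agree on both ends, and that can be checked offline before spending another 60-second handshake timeout on it. The following is an added example, not code from the thread or from DD-WRT: it parses both config files and reports every setting that would not match, with the two sample configs constructed from the server and client configs posted above (the remote host name is a placeholder).

```python
import shlex

# Sample configs constructed from the server and client configs posted in the
# thread above; the remote host name is a placeholder.
SERVER_CONF = """\
proto udp4
cipher aes-256-cbc
auth sha256
comp-lzo adaptive
tls-server
tun-mtu 1500
dev tun2
tls-auth /tmp/openvpn/ta.key 0
"""

CLIENT_CONF = """\
client
remote 'vpn.example' 1194
ca '/etc/openvpn/client/ca.crt'
cipher AES-256-CBC
;comp-lzo adaptive
comp-lzo no
tun-mtu 1400
dev tun
proto udp4
auth sha256
tls-auth '/etc/openvpn/client/ta.key'
key-direction 1
"""

def parse_config(text):
    """Parse OpenVPN config text into {directive: [args]}: '#'/';' lines are
    comments, arguments may be quoted, a repeated directive keeps its last value."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line)
        opts[parts[0]] = parts[1:]
    return opts

def compression(opts):
    """Reduce the compression directives to one comparable label."""
    if "compress" in opts:
        return "compress " + (opts["compress"][0].lower() if opts["compress"] else "stub")
    if "comp-lzo" in opts:
        return "comp-lzo " + (opts["comp-lzo"][0].lower() if opts["comp-lzo"] else "adaptive")
    return "none"

def tls_auth_direction(opts):
    """Return (uses_tls_auth, direction); direction None means a bidirectional key."""
    if "tls-auth" not in opts:
        return False, None
    args = opts["tls-auth"]
    if len(args) >= 2:
        return True, args[1]
    return True, opts["key-direction"][0] if "key-direction" in opts else None

def proto_family(opts):
    """udp/udp4/udp6 and tcp-server/tcp-client pair up within one family."""
    return opts.get("proto", ["udp"])[0].lower().split("-")[0].rstrip("46")

def compare(server, client):
    """Return the settings that would not agree between the two ends."""
    problems = []
    # Must be identical (case-insensitively); defaults are OpenVPN 2.4's.
    for name, default in (("cipher", "bf-cbc"), ("auth", "sha1"), ("tun-mtu", "1500")):
        s, c = server.get(name, [default])[0].lower(), client.get(name, [default])[0].lower()
        if s != c:
            problems.append(f"{name}: server {s} vs client {c}")
    if proto_family(server) != proto_family(client):
        problems.append(f"proto: server {proto_family(server)} vs client {proto_family(client)}")
    if compression(server) != compression(client):
        problems.append(f"compression: server '{compression(server)}' vs client '{compression(client)}'")
    s_on, s_dir = tls_auth_direction(server)
    c_on, c_dir = tls_auth_direction(client)
    if s_on != c_on:
        problems.append("tls-auth: configured on only one side")
    elif s_on and {s_dir, c_dir} not in ({None}, {"0", "1"}):
        problems.append(f"tls-auth direction: server {s_dir} vs client {c_dir} (need 0/1, or none on both)")
    return problems

def check_thread_configs():
    """Compare the configs as posted, then with the client brought in line."""
    server = parse_config(SERVER_CONF)
    fixed = CLIENT_CONF.replace("comp-lzo no", "comp-lzo adaptive").replace("tun-mtu 1400", "tun-mtu 1500")
    return compare(server, parse_config(CLIENT_CONF)), compare(server, parse_config(fixed))

if __name__ == "__main__":
    posted, fixed = check_thread_configs()
    print("as posted:", *posted, sep="\n  ")
    print("after fix:", fixed or "no mismatches")
```

On the configs above it reports the tun-mtu and compression differences and accepts the tls-auth pair (server direction 0, client key-direction 1), which matches what the posted logs show as inconsistent and consistent respectively.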
Dr_K
DD-WRT User


Joined: 23 Mar 2018
Posts: 445

PostPosted: Thu Jan 17, 2019 20:09    Post subject:
3 things to try, 1 at a time... all in client config

1: get rid of or comment out "tun-mtu 1400"

2: change "tls-auth '/etc/openvpn/client/ta.key'" to "tls-auth '/etc/openvpn/client/ta.key' 1"

3: change "dev tun" to "dev tun0" or another number that better reflects your setup

All without the quotes of course

Good luck

Dr_K
DD-WRT User


Joined: 23 Mar 2018
Posts: 445

PostPosted: Thu Jan 17, 2019 20:36    Post subject:
Looking again....in client config

You have "remote '' 1194" ???

Should be

"remote XXX.IpAddressOfServer.XXX 1194"

"port 1194"

Again no quotes...or XXX's


Once you do get this to work, may I suggest using a more obscure port that will be less likely targeted by "script-kiddies"

Szellem
DD-WRT Novice


Joined: 14 Sep 2012
Posts: 16

PostPosted: Wed Jan 23, 2019 0:16    Post subject:
Thanks Dr_K

I gave your edits a shot, one at a time, and couldn't get any further, resulting in the config below.

The missing IP is because I'm trying to edit it out after copying the config and logs into this thread. Sorry about that.

client.conf
Code:

client
verb 6
mute 3
float
remote 'ip' 1194
port 1194
ca '/etc/openvpn/client/ca.crt'
cert '/etc/openvpn/client/client.crt'
key '/etc/openvpn/client/client.key'
cipher AES-256-CBC
;comp-lzo adaptive
comp-lzo no
;tun-mtu 1400
dev tun0
proto udp4
auth sha256
remote-cert-tls server
;tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
tls-auth '/etc/openvpn/client/ta.key' 1
;key-direction 1
;tls-client
nobind
auth-nocache
;script-security 2
persist-key
persist-tun
Nightbridge
DD-WRT User


Joined: 09 Jan 2017
Posts: 76
Location: Dublin

PostPosted: Wed Jan 23, 2019 9:56    Post subject:
Hi Szellem, I have the same router as you, with the OpenVPN server running.

Here is my setup from UI:

Start Type: WAN Up
Config as: Server
Server mode: Router (TUN)
Network: choose a different subnet from your main one. In my case 192.168.2.0
Netmask: 255.255.255.0
Port: 1194
Tunnel Protocol: UDP
Encryption Cipher: Blowfish CBC
Hash Algorithm: SHA1
Advanced Options: Enabled
TLS Cipher: None
LZO Compression: Adaptive
Redirect Default Gateway: Enabled
Allow client to client: Enabled
Allow duplicate cn: Disable
Tunnel MTU setting: 1500
Tunnel UDP Fragment: Blank
Tunnel UDP MSS-Fix: Disabled

Add then your:
- Public Server Cert
- CA Cert
- Public Server Key
- DH PEM

Save.

Now open Administration -> Commands.

Add the following as Firewall:

iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -j MASQUERADE

The IP address must match the one you used before; again, this is the one I used.

I would recommend a reset in order to clean previous changes.
Szellem
DD-WRT Novice


Joined: 14 Sep 2012
Posts: 16

PostPosted: Thu Feb 21, 2019 20:06    Post subject:
Thank you for sharing that config with me Nightbridge, but I haven't been able to get it to work either.

dd-wrt config:
[img]https://imgur.com/4dxQWYG[/img]
[img]https://imgur.com/WQdCFuX[/img]

client config:
Code:

$ cat ovpn.conf
client
verb 6
mute 3
float
remote 'ip-addr' 1194
port 1194
;secret '/home/user/static.key'
ca '/etc/openvpn/client/ca.crt'
cert '/etc/openvpn/client/user.crt'
key '/etc/openvpn/client/user.key'
;cipher AES-256-CBC
cipher BF-CBC
comp-lzo adaptive
;comp-lzo no
;compress lz4
;tun-mtu 1400
dev tun0
proto udp4
;auth sha256
auth sha1
remote-cert-tls server
;tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
;tls-auth '/etc/openvpn/client/ta.key' 1
;key-direction 1
;tls-client
nobind
auth-nocache
;script-security 2
persist-key
persist-tun


The output:
Code:
$ sudo openvpn --config ovpn.conf
[sudo] password for user:
Thu Feb 21 13:54:02 2019 us=126447 WARNING: file '/etc/openvpn/client/user.key' is group or others accessible
Thu Feb 21 13:54:02 2019 us=126503 Current Parameter Settings:
Thu Feb 21 13:54:02 2019 us=126515   config = 'ovpn.conf'
Thu Feb 21 13:54:02 2019 us=126525   mode = 0
Thu Feb 21 13:54:02 2019 us=126533 NOTE: --mute triggered...
Thu Feb 21 13:54:02 2019 us=126552 278 variation(s) on previous 3 message(s) suppressed by --mute
Thu Feb 21 13:54:02 2019 us=126562 OpenVPN 2.4.6 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 24 2018
Thu Feb 21 13:54:02 2019 us=126578 library versions: OpenSSL 1.1.1a  20 Nov 2018, LZO 2.10
Enter Private Key Password: ****************
Thu Feb 21 13:54:04 2019 us=858172 LZO compression initializing
Thu Feb 21 13:54:04 2019 us=858386 Control Channel MTU parms [ L:1622 D:1212 EF:38 EB:0 ET:0 EL:3 ]
Thu Feb 21 13:54:04 2019 us=903851 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Thu Feb 21 13:54:04 2019 us=903997 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Thu Feb 21 13:54:04 2019 us=904055 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Thu Feb 21 13:54:04 2019 us=904113 TCP/UDP: Preserving recently used remote address: [AF_INET]ip-address:1194
Thu Feb 21 13:54:04 2019 us=904181 Socket Buffers: R=[212992->212992] S=[212992->212992]
Thu Feb 21 13:54:04 2019 us=904234 UDPv4 link local: (not bound)
Thu Feb 21 13:54:04 2019 us=904289 UDPv4 link remote: [AF_INET]ip-addr:1194
Thu Feb 21 13:54:04 2019 us=904398 UDPv4 WRITE [14] to [AF_INET]ip-addr:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Thu Feb 21 13:54:07 2019 us=76745 UDPv4 WRITE [14] to [AF_INET]ip-addr:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
^CThu Feb 21 13:54:11 2019 us=319635 event_wait : Interrupted system call (code=4)
Nightbridge
DD-WRT User


Joined: 09 Jan 2017
Posts: 76
Location: Dublin

PostPosted: Thu Apr 04, 2019 13:39    Post subject:
No problem, sorry for the late reply.

That's very strange, to me it works like a charm. Have you tried resetting the router with the 30-30-30 method and applying those changes from the GUI?

Are you using IPv4 or IPv6 on both sides? I had problems in the past with IPv6 with this.
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6856
Location: Romerike, Norway

PostPosted: Thu Apr 04, 2019 14:58    Post subject:
With NAT, always state the output interface.

iptables -t nat -I POSTROUTING -o tun0 -j MASQUERADE

Check if the interface is tun0 or tun1.

The comp-lzo must also match on both sides.
Szellem
DD-WRT Novice


Joined: 14 Sep 2012
Posts: 16

PostPosted: Fri May 17, 2019 14:02    Post subject:
Nightbridge wrote:
No problem, sorry for the late reply.

That's very strange, to me it works like a charm. Have you tried resetting the router with the 30-30-30 method and applying those changes from the GUI?

Are you using IPv4 or IPv6 on both sides? I had problems in the past with IPv6 with this.


I haven't tried resetting, will keep that in mind! IPv4 on both sides, which I think I'm telling openvpn about with 'proto udp4'.

Per Yngve Berg wrote:
With NAT, always state the output interface.

iptables -t nat -I POSTROUTING -o tun0 -j MASQUERADE

Check if the interface is tun0 or tun1.

The comp-lzo must also match on both sides.


Thanks, I'll have to go back through and refresh on the iptables situation.

eibgrad wrote:
JMTC.

Make sure whenever you're establishing an OpenVPN configuration that you use the *simplest* config possible. Don't add things that are optional (e.g., tls-auth), because it just creates another point of failure. KEEP IT SIMPLE! Once you have a working connection, THEN you can fuss and tweak it all you like.

One thing I've noticed about these connection failures from the OpenVPN client is that we never see the OpenVPN server logs! At the very least, we can tell if the OpenVPN client is reaching the OpenVPN server (even if it ultimately fails). And hopefully it will tell us more.

On the OpenVPN server side, all you need beyond the basic GUI elements is to push the local network on which the OpenVPN server is running over to the OpenVPN client, by adding the following directive in Additional Config.

Code:
push "route 192.168.1.0 255.255.255.0"


Of course, I'm just using 192.168.1.x as an example. Use whatever network is on the server side.

If you're doing anything more than that, you're making a mistake. Less is more! Time and again I see ppl get into trouble because they *over* configure the OpenVPN server and/or client.

Also, when it comes to compression, if the two sides are mismatched, they usually get connected, but no traffic can cross the tunnel. But from the perspective of the OpenVPN client logs, it doesn't seem to be getting connected at all.


Thanks for the suggestions! What you said about the simplest config makes sense, so I gave that a try and was able to make a connection! It's with the static key though, so I still need to go back and do the PKI stuff again.

I followed directions from: https://openvpn.net/community-resources/static-key-mini-howto/

The configs provided in that page did not work for me, so I adjusted them:

Server:
Code:

# cat static.conf
dev tun
ifconfig 10.8.0.1 10.8.0.2
secret static.key
proto udp4
verb 3


Client:
Code:

$ cat static.conf
remote my.url
dev tun
ifconfig 10.8.0.2 10.8.0.1
secret static.key
proto udp4
float


And I can ping:
Code:

$ ping 10.8.0.1
PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
64 bytes from 10.8.0.1: icmp_seq=1 ttl=64 time=292 ms
64 bytes from 10.8.0.1: icmp_seq=2 ttl=64 time=237 ms
64 bytes from 10.8.0.1: icmp_seq=3 ttl=64 time=244 ms
^C
--- 10.8.0.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 5ms
rtt min/avg/max/mdev = 236.894/257.685/292.153/24.551 ms


But the server still shows some errors while the connection is ongoing:
Code:

# openvpn --config static.conf
Fri May 17 08:51:21 2019 disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
Fri May 17 08:51:21 2019 OpenVPN 2.4.6 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Dec 31 2018
Fri May 17 08:51:21 2019 library versions: OpenSSL 1.1.1a  20 Nov 2018, LZO 2.09
Fri May 17 08:51:21 2019 Outgoing Static Key Encryption: Cipher 'BF-CBC' initialized with 128 bit key
Fri May 17 08:51:21 2019 WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Fri May 17 08:51:21 2019 Outgoing Static Key Encryption: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri May 17 08:51:21 2019 Incoming Static Key Encryption: Cipher 'BF-CBC' initialized with 128 bit key
Fri May 17 08:51:21 2019 WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Fri May 17 08:51:21 2019 Incoming Static Key Encryption: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri May 17 08:51:21 2019 TUN/TAP device tun0 opened
Fri May 17 08:51:21 2019 TUN/TAP TX queue length set to 100
Fri May 17 08:51:21 2019 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Fri May 17 08:51:21 2019 /sbin/ifconfig tun0 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
Fri May 17 08:51:21 2019 Socket Buffers: R=[180224->180224] S=[180224->180224]
Fri May 17 08:51:21 2019 UDPv4 link local (bound): [AF_INET][undef]:1194
Fri May 17 08:51:21 2019 UDPv4 link remote: [AF_UNSPEC]
Fri May 17 08:51:24 2019 Peer Connection Initiated with [AF_INET]ip:55116
Fri May 17 08:51:24 2019 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Fri May 17 08:51:24 2019 Initialization Sequence Completed
Fri May 17 08:54:04 2019 Authenticate/Decrypt packet error: packet HMAC authentication failed
Fri May 17 08:54:06 2019 Authenticate/Decrypt packet error: packet HMAC authentication failed
Fri May 17 08:54:07 2019 Authenticate/Decrypt packet error: packet HMAC authentication failed
Fri May 17 08:54:08 2019 Authenticate/Decrypt packet error: packet HMAC authentication failed
Fri May 17 08:54:14 2019 Authenticate/Decrypt packet error: packet HMAC authentication failed
Fri May 17 08:54:18 2019 Authenticate/Decrypt packet error: packet HMAC authentication failed
Fri May 17 08:54:19 2019 Authenticate/Decrypt packet error: packet HMAC authentication failed
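eibgrad's point in the quoted reply, that the client's retries say nothing until the server log is read alongside them, can be done mechanically. The following is an added example, not code from the thread or from DD-WRT: it reads the log shapes that appear in this thread, counts the client's unanswered hard-resets, and pulls out the warnings and errors that call for a fix. The remedies are the ones the messages themselves name, plus two of my own (key file permissions and the management password file); the excerpts are constructed from the logs posted above, with addresses as placeholders.

```python
import re

# One regex covers the three line shapes in the thread: the client run
# ("Tue Jan 15 12:34:00 2019 us=873613 msg"), openvpn run by hand on the router
# ("Fri May 17 08:51:21 2019 msg") and the router's syslog-style server log
# ("20190115 12:33:34 W msg", where the one-letter level is optional).
LINE = re.compile(
    r"^(?:\w{3} \w{3} +\d+ [\d:]+ \d{4} (?:us=\d+ )?|\d{8} [\d:]+ (?:[A-Z] )?)(?P<msg>.*)$"
)

# Messages worth acting on, with the fix each one points to.
FINDINGS = (
    ("warning", r"Using --management on a TCP port WITHOUT passwords",
     "management listener has no password: use the pw-file argument of --management (assumed advice)"),
    ("warning", r"file '[^']+' is group or others accessible",
     "private key readable by others: chmod 600 the file (assumed advice)"),
    ("warning", r"INSECURE cipher with block size less than 128 bit",
     "64-bit block cipher (SWEET32): set cipher AES-256-CBC on both ends, as the message says"),
    ("warning", r"may cache passwords in memory",
     "add auth-nocache, as the message says"),
    ("error", r"TLS key negotiation failed to occur within 60 seconds",
     "no handshake reply: check reachability, port forwarding and the server log"),
    ("error", r"packet HMAC authentication failed",
     "receiver cannot authenticate packets: key, auth digest or key direction differ"),
)

# Excerpts constructed from the client run posted in the first post.
CLIENT_LOG = """\
Tue Jan 15 12:34:00 2019 us=873613 WARNING: file '/etc/openvpn/client/client.key' is group or others accessible
Tue Jan 15 12:34:04 2019 us=632590 UDPv4 WRITE [14] to [AF_INET][ip]:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Tue Jan 15 12:34:06 2019 us=795918 UDPv4 WRITE [14] to [AF_INET][ip]:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Tue Jan 15 12:34:10 2019 us=38958 UDPv4 WRITE [14] to [AF_INET][ip]:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Tue Jan 15 12:35:04 2019 us=816553 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Jan 15 12:35:04 2019 us=816577 TLS Error: TLS handshake failed
"""

# Excerpts constructed from the two server logs in the thread (syslog-style
# from the first post, plain from the static-key run in the last post).
SERVER_LOG = """\
20190115 12:33:34 W WARNING: Using --management on a TCP port WITHOUT passwords is STRONGLY discouraged and considered insecure
20190115 12:33:34 I Initialization Sequence Completed
Fri May 17 08:51:21 2019 WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Fri May 17 08:51:24 2019 Peer Connection Initiated with [AF_INET]ip:55116
Fri May 17 08:51:24 2019 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Fri May 17 08:54:04 2019 Authenticate/Decrypt packet error: packet HMAC authentication failed
Fri May 17 08:54:06 2019 Authenticate/Decrypt packet error: packet HMAC authentication failed
"""

def triage(log_text):
    """Summarise one OpenVPN log: findings, hard-resets sent, whether a peer connected."""
    summary = {"warnings": [], "errors": [], "hard_resets_sent": 0, "peer_connected": False}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # prompts, ^C echoes and other non-log lines
        msg = m.group("msg")
        if "P_CONTROL_HARD_RESET_CLIENT_V2" in msg:
            summary["hard_resets_sent"] += 1
        if "Peer Connection Initiated" in msg:
            summary["peer_connected"] = True
        for severity, pattern, remedy in FINDINGS:
            if re.search(pattern, msg):
                summary[severity + "s"].append((msg, remedy))
    # Retries with no peer ever seen: the server log must show whether they arrived.
    if summary["hard_resets_sent"] and not summary["peer_connected"]:
        summary["errors"].append(("no reply to %d client hard-reset(s)" % summary["hard_resets_sent"],
                                  "look for this client's address in the server log"))
    return summary

if __name__ == "__main__":
    for name, log in (("client", CLIENT_LOG), ("server", SERVER_LOG)):
        s = triage(log)
        print(f"{name}: {s['hard_resets_sent']} hard-resets, peer_connected={s['peer_connected']}")
        for kind in ("warnings", "errors"):
            for msg, remedy in s[kind]:
                print(f"  [{kind[:-1]}] {msg[:60]}... -> {remedy}")
```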