Posted: Fri Jan 18, 2019 15:56 Post subject: Setting up OpenVPN Server
Hi, I've been trying to set up an OpenVPN server on my router so I can access the dd-wrt NAS from the internet, by using the official tutorial.
This is my setup:
Config:
Code:
push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS 192.168.66.1"
server 192.168.66.0 255.255.255.0
dev tun0
proto udp4
keepalive 10 120
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
# Only use crl-verify if you are using the revoke list - otherwise leave it commented out
# crl-verify /tmp/openvpn/ca.crl
# management parameter allows DD-WRT's OpenVPN Status web page to access the server's management port
# port must be 5001 for scripts embedded in firmware to work
management localhost 5001
# These next two lines may or may not be necessary.
# I (dereks) did not need them, but bmatthewshea did.
# Thus, we include them so that this works for more people:
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
Client .ovpn:
Code:
remote my-routers-static-ip 1194
client
remote-cert-tls server
dev tun0
proto udp4
resolv-retry infinite
nobind
persist-key
persist-tun
float
#If the pushed routes appear not to be added on windows hosts, add the following:
route-delay 30
ca ca.crt
cert client.crt
key client.key
OpenVPN startup log:
Jan 18 15:43:22 DD-WRT user.info : openvpn : OpenVPN daemon (Server) starting/restarting...
Jan 18 15:43:22 DD-WRT daemon.warn openvpn[2754]: WARNING: Using --management on a TCP port WITHOUT passwords is STRONGLY discouraged and considered insecure
Jan 18 15:43:22 DD-WRT daemon.notice openvpn[2754]: Current Parameter Settings:
Jan 18 15:43:22 DD-WRT daemon.notice openvpn[2754]: config = '/tmp/openvpn/openvpn.conf'
Jan 18 15:43:22 DD-WRT daemon.notice openvpn[2754]: mode = 1
Jan 18 15:43:22 DD-WRT daemon.notice openvpn[2754]: NOTE: --mute triggered...
Jan 18 15:43:22 DD-WRT daemon.notice openvpn[2754]: 232 variation(s) on previous 3 message(s) suppressed by --mute
Jan 18 15:43:22 DD-WRT daemon.notice openvpn[2754]: OpenVPN 2.4.6 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Oct 19 2018
Jan 18 15:43:22 DD-WRT daemon.notice openvpn[2754]: library versions: OpenSSL 1.1.1 11 Sep 2018, LZO 2.09
Jan 18 15:43:22 DD-WRT daemon.notice openvpn[2756]: MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:5001
Jan 18 15:43:22 DD-WRT daemon.warn openvpn[2756]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jan 18 15:43:22 DD-WRT daemon.notice openvpn[2756]: Diffie-Hellman initialized with 2048 bit key
Jan 18 15:43:22 DD-WRT daemon.notice openvpn[2756]: TLS-Auth MTU parms [ L:1622 D:1212 EF:38 EB:0 ET:0 EL:3 ]
Jan 18 15:43:22 DD-WRT daemon.notice openvpn[2756]: TUN/TAP device tun0 opened
Jan 18 15:43:22 DD-WRT daemon.notice openvpn[2756]: TUN/TAP TX queue length set to 100
Jan 18 15:43:22 DD-WRT daemon.notice openvpn[2756]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Jan 18 15:43:22 DD-WRT daemon.notice openvpn[2756]: /sbin/ifconfig tun0 192.168.66.1 netmask 255.255.255.0 mtu 1500 broadcast 192.168.66.255
Jan 18 15:43:23 DD-WRT daemon.notice openvpn[2756]: Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Jan 18 15:43:23 DD-WRT daemon.notice openvpn[2756]: Socket Buffers: R=[180224->180224] S=[180224->180224]
Jan 18 15:43:23 DD-WRT daemon.notice openvpn[2756]: UDPv4 link local (bound): [AF_INET][undef]:1194
Jan 18 15:43:23 DD-WRT daemon.notice openvpn[2756]: UDPv4 link remote: [AF_UNSPEC]
Jan 18 15:43:23 DD-WRT daemon.notice openvpn[2756]: MULTI: multi_init called, r=256 v=256
Jan 18 15:43:23 DD-WRT daemon.notice openvpn[2756]: IFCONFIG POOL: base=192.168.66.2 size=252, ipv6=0
Jan 18 15:43:23 DD-WRT daemon.notice openvpn[2756]: ifconfig_pool_read(), in='client,192.168.66.2', TODO: IPv6
Jan 18 15:43:23 DD-WRT daemon.notice openvpn[2756]: succeeded -> ifconfig_pool_set()
Jan 18 15:43:23 DD-WRT daemon.notice openvpn[2756]: IFCONFIG POOL LIST
Jan 18 15:43:23 DD-WRT daemon.notice openvpn[2756]: client,192.168.66.2
Jan 18 15:43:23 DD-WRT daemon.notice openvpn[2756]: Initialization Sequence Completed
Log after I connect with the client:
Jan 18 15:47:18 DD-WRT daemon.notice openvpn[2756]: MULTI: multi_create_instance called
Jan 18 15:47:18 DD-WRT daemon.notice openvpn[2756]: client-ip:10407 Re-using SSL/TLS context
Jan 18 15:47:18 DD-WRT daemon.notice openvpn[2756]: client-ip:10407 LZO compression initializing
Jan 18 15:47:18 DD-WRT daemon.notice openvpn[2756]: client-ip:10407 Control Channel MTU parms [ L:1622 D:1212 EF:38 EB:0 ET:0 EL:3 ]
Jan 18 15:47:18 DD-WRT daemon.notice openvpn[2756]: client-ip:10407 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Jan 18 15:47:18 DD-WRT daemon.notice openvpn[2756]: client-ip:10407 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1570,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-server'
Jan 18 15:47:18 DD-WRT daemon.notice openvpn[2756]: client-ip:10407 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1570,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-client'
Jan 18 15:47:18 DD-WRT daemon.notice openvpn[2756]: client-ip:10407 TLS: Initial packet from [AF_INET]client-ip:10407, sid=26fe6615 d3e3e458
Jan 18 15:47:18 DD-WRT daemon.notice openvpn[2756]: client-ip:10407 VERIFY OK: depth=1, CN=server
Jan 18 15:47:18 DD-WRT daemon.notice openvpn[2756]: client-ip:10407 VERIFY OK: depth=0, CN=client
Jan 18 15:47:18 DD-WRT daemon.notice openvpn[2756]: client-ip:10407 peer info: IV_VER=3.2
Jan 18 15:47:18 DD-WRT daemon.notice openvpn[2756]: client-ip:10407 peer info: IV_PLAT=ios
Jan 18 15:47:18 DD-WRT daemon.notice openvpn[2756]: client-ip:10407 peer info: IV_NCP=2
Jan 18 15:47:18 DD-WRT daemon.notice openvpn[2756]: client-ip:10407 peer info: IV_TCPNL=1
Jan 18 15:47:18 DD-WRT daemon.notice openvpn[2756]: client-ip:10407 peer info: IV_PROTO=2
Jan 18 15:47:18 DD-WRT daemon.notice openvpn[2756]: client-ip:10407 peer info: IV_AUTO_SESS=1
Jan 18 15:47:18 DD-WRT daemon.notice openvpn[2756]: client-ip:10407 peer info: IV_BS64DL=1
Jan 18 15:47:18 DD-WRT daemon.warn openvpn[2756]: client-ip:10407 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1570', remote='link-mtu 1541'
Jan 18 15:47:18 DD-WRT daemon.warn openvpn[2756]: client-ip:10407 WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
Jan 18 15:47:18 DD-WRT daemon.warn openvpn[2756]: client-ip:10407 WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher BF-CBC'
Jan 18 15:47:18 DD-WRT daemon.warn openvpn[2756]: client-ip:10407 WARNING: 'auth' is used inconsistently, local='auth SHA256', remote='auth SHA1'
Jan 18 15:47:18 DD-WRT daemon.warn openvpn[2756]: client-ip:10407 WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
Jan 18 15:47:18 DD-WRT daemon.notice openvpn[2756]: client-ip:10407 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Jan 18 15:47:18 DD-WRT daemon.notice openvpn[2756]: client-ip:10407 [client] Peer Connection Initiated with [AF_INET]client-ip:10407
Jan 18 15:47:18 DD-WRT daemon.notice openvpn[2756]: client/client-ip:10407 MULTI_sva: pool returned IPv4=192.168.66.2, IPv6=(Not enabled)
Jan 18 15:47:18 DD-WRT daemon.notice openvpn[2756]: client/client-ip:10407 OPTIONS IMPORT: reading client specific options from: /tmp/openvpn_cc_6991bbc720e3d700.tmp
Jan 18 15:47:18 DD-WRT daemon.notice openvpn[2756]: client/client-ip:10407 MULTI: Learn: 192.168.66.2 -> client/client-ip:10407
Jan 18 15:47:18 DD-WRT daemon.notice openvpn[2756]: client/client-ip:10407 MULTI: primary virtual IP for client/client-ip:10407: 192.168.66.2
Jan 18 15:47:18 DD-WRT daemon.notice openvpn[2756]: client/client-ip:10407 PUSH: Received control message: 'PUSH_REQUEST'
Jan 18 15:47:18 DD-WRT daemon.notice openvpn[2756]: client/client-ip:10407 SENT CONTROL [client]: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0,dhcp-option DNS 192.168.66.1,route-gateway 192.168.66.1,topology subnet,ping 10,ping-restart 120,ifconfig 192.168.66.2 255.2
Jan 18 15:47:18 DD-WRT daemon.notice openvpn[2756]: client/client-ip:10407 Data Channel: using negotiated cipher 'AES-256-GCM'
Jan 18 15:47:18 DD-WRT daemon.notice openvpn[2756]: client/client-ip:10407 Data Channel MTU parms [ L:1550 D:1450 EF:50 EB:406 ET:0 EL:3 ]
Jan 18 15:47:18 DD-WRT daemon.notice openvpn[2756]: client/client-ip:10407 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Jan 18 15:47:18 DD-WRT daemon.notice openvpn[2756]: client/client-ip:10407 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
The time in the logs is 2 hours behind my PC even though I've set the correct location and added the NTP pool URL for my country, but in the router info page the time is correct.
Even with the firewall disabled, I connect to the VPN successfully but the app that has the NAS drive saved doesn't connect to it and I can't open the router web page 192.168.1.1. Any ideas?
Joined: 18 Mar 2014 Posts: 12834 Location: Netherlands
Posted: Sat Jan 19, 2019 12:07 Post subject:
Attached my notes, maybe they are helpful.
The most common mistakes are the use of unnecessary firewall rules (you do not need any for a basic setup with the GUI on modern builds unless you want internet access, then you need one rule to NAT the VPN traffic) and the use of unnecessary settings in the additional config of the OpenVPN server (you do not need any when enabling direct default gateway).
So start with deleting all firewall rules and deleting anything in the additional config, enable advanced options in the GUI and tick Redirect default Gateway Enabled.
Your client files are also missing some parameters.
Joined: 18 Mar 2014 Posts: 12834 Location: Netherlands
Posted: Sun Jan 20, 2019 9:26 Post subject:
I do not see anything obviously wrong with the server setup.
How are you testing? You can only test from the outside of your network, i.e. with a phone on cellular or from a friend, but the IP subnets of client, server and VPN all have to be different.
What does the log of the client show?
What are the settings of the client?
Is your router connected to the internet or behind another router? If so, did you port forward?
Has your client the right Public IP from your router?
You just showed the server log...without even showing anything about your attempted connection...like in your first post
What he means by subnet....I'll try to explain untechnically...
IPv4 addresses have 4 octets..(or octaves?) separated by periods
So if 192.168.0.0 is one subnet then (usually) at a minimum another would be 192.168.1.0 or 192.168.7.0
255.255.255.0 is a subnet mask which dictates how many IP addresses that particular subnet can contain..
Or say if it was 255.255.0.0 it can have enough addresses to use the last two octets, instead of just the last one in the first example
That all said.....all your networks look to be on different subnets
In that post with links to the site that doesn't like when you zoom in to a picture
One pic shows your server log with 4 lines about TLS errors
The other pic shows the GUI with the TLS Auth key box blank
Your client config contains the line
remote-cert-tls server
I'm not sure that will all work....Though I have never personally set up a server without a TLS key....or its cipher
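The subnet rule both replies above rely on (client LAN, router LAN and VPN pool must not overlap) is easy to get wrong by eye. Here is an added example, not from the thread or from DD-WRT, that parses the `server` and `push "route ..."` lines of the posted config and reports any overlap with the LAN the client is sitting on; the client LAN values are constructed for the demonstration.

```python
import ipaddress
import re

# Constructed sample: the server-side lines taken from the thread's config.
SERVER_CONF = """
push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS 192.168.66.1"
server 192.168.66.0 255.255.255.0
dev tun0
"""


def subnets_from_config(conf):
    """Return {label: IPv4Network} for the VPN pool and every pushed route."""
    nets = {}
    for line in conf.splitlines():
        m = re.match(r'^\s*server\s+(\S+)\s+(\S+)', line)
        if m:
            # 'server <net> <mask>' defines the tunnel address pool.
            nets['vpn pool'] = ipaddress.ip_network(f'{m[1]}/{m[2]}', strict=False)
            continue
        m = re.match(r'^\s*push\s+"route\s+(\S+)\s+(\S+)"', line)
        if m:
            # Each pushed route is a LAN behind the server the client must reach.
            nets[f'pushed route {m[1]}'] = ipaddress.ip_network(f'{m[1]}/{m[2]}', strict=False)
    return nets


def find_overlaps(nets):
    """Return every pair of labels whose networks share at least one address."""
    labels = sorted(nets)
    return [(a, b) for i, a in enumerate(labels) for b in labels[i + 1:]
            if nets[a].overlaps(nets[b])]


def check(conf, client_lan):
    """Combine the config's subnets with the client's LAN (net/mask or CIDR)."""
    nets = subnets_from_config(conf)
    nets['client LAN'] = ipaddress.ip_network(client_lan, strict=False)
    return find_overlaps(nets)


if __name__ == '__main__':
    # Hypothetical client LANs: a distinct one and two that collide.
    for lan in ('10.0.0.0/24', '192.168.1.0/255.255.255.0', '192.168.0.0/255.255.0.0'):
        print(lan, '->', check(SERVER_CONF, lan) or 'no overlap')
```

A client on a 192.168.1.0/24 LAN of its own would have its traffic for the router's LAN stay local, which is exactly the "I connect but cannot open 192.168.1.1" symptom from the first post.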