Setting up OpenVPN Server

Author Message
apomarinov
DD-WRT Novice


Joined: 26 Oct 2018
Posts: 6

PostPosted: Fri Jan 18, 2019 15:56    Post subject: Setting up OpenVPN Server
Hi, I've been trying to set up an OpenVPN server on my router so I can access the DD-WRT NAS from the internet, using the official tutorial.
This is my setup:

Config:
Code:
push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS 192.168.66.1"
server 192.168.66.0 255.255.255.0

dev tun0
proto udp4
keepalive 10 120
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem

# Only use crl-verify if you are using the revoke list - otherwise leave it commented out
# crl-verify /tmp/openvpn/ca.crl

# management parameter allows DD-WRT's OpenVPN Status web page to access the server's management port
# port must be 5001 for scripts embedded in firmware to work
management localhost 5001

verb 5


Firewall Script:
Code:

iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT

iptables -I FORWARD 1 --source 192.168.66.0/24 -j ACCEPT

# These next two lines may or may not be necessary.
# I (dereks) did not need them, but bmatthewshea did.
# Thus, we include them so that this works for more people:
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT


Client .ovpn:
Code:

remote my-routers-static-ip 1194

client
remote-cert-tls server
dev tun0
proto udp4
resolv-retry infinite
nobind
persist-key
persist-tun
float

#If the pushed routes appear not to be added on windows hosts, add the following:
route-delay 30

ca ca.crt
cert client.crt
key client.key


OpenVPN startup log:

    Jan 18 15:43:22 DD-WRT user.info : openvpn : OpenVPN daemon (Server) starting/restarting...
    Jan 18 15:43:22 DD-WRT daemon.warn openvpn[2754]: WARNING: Using --management on a TCP port WITHOUT passwords is STRONGLY discouraged and considered insecure
    Jan 18 15:43:22 DD-WRT daemon.notice openvpn[2754]: Current Parameter Settings:
    Jan 18 15:43:22 DD-WRT daemon.notice openvpn[2754]: config = '/tmp/openvpn/openvpn.conf'
    Jan 18 15:43:22 DD-WRT daemon.notice openvpn[2754]: mode = 1
    Jan 18 15:43:22 DD-WRT daemon.notice openvpn[2754]: NOTE: --mute triggered...
    Jan 18 15:43:22 DD-WRT daemon.notice openvpn[2754]: 232 variation(s) on previous 3 message(s) suppressed by --mute
    Jan 18 15:43:22 DD-WRT daemon.notice openvpn[2754]: OpenVPN 2.4.6 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Oct 19 2018
    Jan 18 15:43:22 DD-WRT daemon.notice openvpn[2754]: library versions: OpenSSL 1.1.1 11 Sep 2018, LZO 2.09
    Jan 18 15:43:22 DD-WRT daemon.notice openvpn[2756]: MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:5001
    Jan 18 15:43:22 DD-WRT daemon.warn openvpn[2756]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Jan 18 15:43:22 DD-WRT daemon.notice openvpn[2756]: Diffie-Hellman initialized with 2048 bit key
    Jan 18 15:43:22 DD-WRT daemon.notice openvpn[2756]: TLS-Auth MTU parms [ L:1622 D:1212 EF:38 EB:0 ET:0 EL:3 ]
    Jan 18 15:43:22 DD-WRT daemon.notice openvpn[2756]: TUN/TAP device tun0 opened
    Jan 18 15:43:22 DD-WRT daemon.notice openvpn[2756]: TUN/TAP TX queue length set to 100
    Jan 18 15:43:22 DD-WRT daemon.notice openvpn[2756]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
    Jan 18 15:43:22 DD-WRT daemon.notice openvpn[2756]: /sbin/ifconfig tun0 192.168.66.1 netmask 255.255.255.0 mtu 1500 broadcast 192.168.66.255
    Jan 18 15:43:23 DD-WRT daemon.notice openvpn[2756]: Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
    Jan 18 15:43:23 DD-WRT daemon.notice openvpn[2756]: Socket Buffers: R=[180224->180224] S=[180224->180224]
    Jan 18 15:43:23 DD-WRT daemon.notice openvpn[2756]: UDPv4 link local (bound): [AF_INET][undef]:1194
    Jan 18 15:43:23 DD-WRT daemon.notice openvpn[2756]: UDPv4 link remote: [AF_UNSPEC]
    Jan 18 15:43:23 DD-WRT daemon.notice openvpn[2756]: MULTI: multi_init called, r=256 v=256
    Jan 18 15:43:23 DD-WRT daemon.notice openvpn[2756]: IFCONFIG POOL: base=192.168.66.2 size=252, ipv6=0
    Jan 18 15:43:23 DD-WRT daemon.notice openvpn[2756]: ifconfig_pool_read(), in='client,192.168.66.2', TODO: IPv6
    Jan 18 15:43:23 DD-WRT daemon.notice openvpn[2756]: succeeded -> ifconfig_pool_set()
    Jan 18 15:43:23 DD-WRT daemon.notice openvpn[2756]: IFCONFIG POOL LIST
    Jan 18 15:43:23 DD-WRT daemon.notice openvpn[2756]: client,192.168.66.2
    Jan 18 15:43:23 DD-WRT daemon.notice openvpn[2756]: Initialization Sequence Completed


Log after I connect with the client:

    Jan 18 15:47:18 DD-WRT daemon.notice openvpn[2756]: MULTI: multi_create_instance called
    Jan 18 15:47:18 DD-WRT daemon.notice openvpn[2756]: client-ip:10407 Re-using SSL/TLS context
    Jan 18 15:47:18 DD-WRT daemon.notice openvpn[2756]: client-ip:10407 LZO compression initializing
    Jan 18 15:47:18 DD-WRT daemon.notice openvpn[2756]: client-ip:10407 Control Channel MTU parms [ L:1622 D:1212 EF:38 EB:0 ET:0 EL:3 ]
    Jan 18 15:47:18 DD-WRT daemon.notice openvpn[2756]: client-ip:10407 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
    Jan 18 15:47:18 DD-WRT daemon.notice openvpn[2756]: client-ip:10407 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1570,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-server'
    Jan 18 15:47:18 DD-WRT daemon.notice openvpn[2756]: client-ip:10407 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1570,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-client'
    Jan 18 15:47:18 DD-WRT daemon.notice openvpn[2756]: client-ip:10407 TLS: Initial packet from [AF_INET]client-ip:10407, sid=26fe6615 d3e3e458
    Jan 18 15:47:18 DD-WRT daemon.notice openvpn[2756]: client-ip:10407 VERIFY OK: depth=1, CN=server
    Jan 18 15:47:18 DD-WRT daemon.notice openvpn[2756]: client-ip:10407 VERIFY OK: depth=0, CN=client
    Jan 18 15:47:18 DD-WRT daemon.notice openvpn[2756]: client-ip:10407 peer info: IV_VER=3.2
    Jan 18 15:47:18 DD-WRT daemon.notice openvpn[2756]: client-ip:10407 peer info: IV_PLAT=ios
    Jan 18 15:47:18 DD-WRT daemon.notice openvpn[2756]: client-ip:10407 peer info: IV_NCP=2
    Jan 18 15:47:18 DD-WRT daemon.notice openvpn[2756]: client-ip:10407 peer info: IV_TCPNL=1
    Jan 18 15:47:18 DD-WRT daemon.notice openvpn[2756]: client-ip:10407 peer info: IV_PROTO=2
    Jan 18 15:47:18 DD-WRT daemon.notice openvpn[2756]: client-ip:10407 peer info: IV_AUTO_SESS=1
    Jan 18 15:47:18 DD-WRT daemon.notice openvpn[2756]: client-ip:10407 peer info: IV_BS64DL=1
    Jan 18 15:47:18 DD-WRT daemon.warn openvpn[2756]: client-ip:10407 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1570', remote='link-mtu 1541'
    Jan 18 15:47:18 DD-WRT daemon.warn openvpn[2756]: client-ip:10407 WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
    Jan 18 15:47:18 DD-WRT daemon.warn openvpn[2756]: client-ip:10407 WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher BF-CBC'
    Jan 18 15:47:18 DD-WRT daemon.warn openvpn[2756]: client-ip:10407 WARNING: 'auth' is used inconsistently, local='auth SHA256', remote='auth SHA1'
    Jan 18 15:47:18 DD-WRT daemon.warn openvpn[2756]: client-ip:10407 WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
    Jan 18 15:47:18 DD-WRT daemon.notice openvpn[2756]: client-ip:10407 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
    Jan 18 15:47:18 DD-WRT daemon.notice openvpn[2756]: client-ip:10407 [client] Peer Connection Initiated with [AF_INET]client-ip:10407
    Jan 18 15:47:18 DD-WRT daemon.notice openvpn[2756]: client/client-ip:10407 MULTI_sva: pool returned IPv4=192.168.66.2, IPv6=(Not enabled)
    Jan 18 15:47:18 DD-WRT daemon.notice openvpn[2756]: client/client-ip:10407 OPTIONS IMPORT: reading client specific options from: /tmp/openvpn_cc_6991bbc720e3d700.tmp
    Jan 18 15:47:18 DD-WRT daemon.notice openvpn[2756]: client/client-ip:10407 MULTI: Learn: 192.168.66.2 -> client/client-ip:10407
    Jan 18 15:47:18 DD-WRT daemon.notice openvpn[2756]: client/client-ip:10407 MULTI: primary virtual IP for client/client-ip:10407: 192.168.66.2
    Jan 18 15:47:18 DD-WRT daemon.notice openvpn[2756]: client/client-ip:10407 PUSH: Received control message: 'PUSH_REQUEST'
    Jan 18 15:47:18 DD-WRT daemon.notice openvpn[2756]: client/client-ip:10407 SENT CONTROL [client]: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0,dhcp-option DNS 192.168.66.1,route-gateway 192.168.66.1,topology subnet,ping 10,ping-restart 120,ifconfig 192.168.66.2 255.2
    Jan 18 15:47:18 DD-WRT daemon.notice openvpn[2756]: client/client-ip:10407 Data Channel: using negotiated cipher 'AES-256-GCM'
    Jan 18 15:47:18 DD-WRT daemon.notice openvpn[2756]: client/client-ip:10407 Data Channel MTU parms [ L:1550 D:1450 EF:50 EB:406 ET:0 EL:3 ]
    Jan 18 15:47:18 DD-WRT daemon.notice openvpn[2756]: client/client-ip:10407 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
    Jan 18 15:47:18 DD-WRT daemon.notice openvpn[2756]: client/client-ip:10407 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key


The time in the logs is 2 hours behind my PC even though I've set the correct location and added the NTP pool URL for my country, but on the router info page the time is correct.

Even with the firewall disabled, I connect to the VPN successfully, but the app that has the NAS drive saved doesn't connect to it and I can't open the router web page at 192.168.1.1. Any ideas?
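The server log above contains several "used inconsistently" warnings (cipher, auth, keysize, link-mtu) between the server config and the client's defaults, plus the management-port warning at startup. The following triage script is an added example, not part of the post or of DD-WRT; it parses those warning lines (a few constructed sample lines copied from the log) and derives the directives a client config should pin so that both sides agree.

```python
import re

# Constructed sample input: a few lines taken from the server log in the post.
SAMPLE_LOG = """\
Jan 18 15:43:22 DD-WRT daemon.warn openvpn[2754]: WARNING: Using --management on a TCP port WITHOUT passwords is STRONGLY discouraged and considered insecure
Jan 18 15:47:18 DD-WRT daemon.warn openvpn[2756]: client-ip:10407 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1570', remote='link-mtu 1541'
Jan 18 15:47:18 DD-WRT daemon.warn openvpn[2756]: client-ip:10407 WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
Jan 18 15:47:18 DD-WRT daemon.warn openvpn[2756]: client-ip:10407 WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher BF-CBC'
Jan 18 15:47:18 DD-WRT daemon.warn openvpn[2756]: client-ip:10407 WARNING: 'auth' is used inconsistently, local='auth SHA256', remote='auth SHA1'
Jan 18 15:47:18 DD-WRT daemon.notice openvpn[2756]: client/client-ip:10407 Data Channel: using negotiated cipher 'AES-256-GCM'
"""

# "WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher BF-CBC'"
INCONSISTENT = re.compile(
    r"WARNING: '(?P<opt>[\w-]+)' is used inconsistently, "
    r"local='(?P<local>[^']*)', remote='(?P<remote>[^']*)'")
# "WARNING: 'comp-lzo' is present in local config but missing in remote config"
MISSING = re.compile(r"WARNING: '(?P<opt>[\w-]+)' is present in local config but missing in remote config")
NEGOTIATED = re.compile(r"using negotiated cipher '(?P<cipher>[^']+)'")
MGMT_NOPASS = "Using --management on a TCP port WITHOUT passwords"


def triage(log_text):
    """Collect option mismatches, options missing on the client, the negotiated
    data-channel cipher and security notes from OpenVPN server log lines."""
    report = {"mismatch": {}, "missing": [], "negotiated_cipher": None, "notes": []}
    for line in log_text.splitlines():
        if m := INCONSISTENT.search(line):
            # local/remote carry "<option> <value>"; keep only the value part
            report["mismatch"][m["opt"]] = (m["local"].split(" ", 1)[1],
                                            m["remote"].split(" ", 1)[1])
        elif m := MISSING.search(line):
            report["missing"].append(m["opt"])
        elif m := NEGOTIATED.search(line):
            report["negotiated_cipher"] = m["cipher"]
        elif MGMT_NOPASS in line:
            report["notes"].append("management interface without password: keep it bound to localhost only")
    return report


def client_directives(report):
    """Directives to pin in the client .ovpn so that cipher and auth match the server."""
    return [f"{opt} {local}" for opt, (local, _remote) in report["mismatch"].items()
            if opt in ("cipher", "auth")]


if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    print(r)
    print("\n".join(client_directives(r)))
```

With OpenVPN 2.4 the data channel was still negotiated to AES-256-GCM (the last line) despite the client's BF-CBC default, but pinning `cipher` and `auth` removes the warnings and keeps behaviour identical on clients without negotiation.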
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12834
Location: Netherlands

PostPosted: Sat Jan 19, 2019 12:07    Post subject:
Attached are my notes; maybe they are helpful.

The most common mistakes are the use of unnecessary firewall rules (you do not need any for a basic setup with the GUI on modern builds, unless you want internet access, in which case you need one rule to NAT the VPN traffic) and the use of unnecessary settings in the additional config of the OpenVPN server (you do not need any when enabling direct default gateway).

So start by deleting all firewall rules and anything in the additional config, enable advanced options in the GUI and tick Redirect default Gateway Enabled.

Your client files are also missing some parameters.

See my notes; there is also a chapter on client settings.

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
apomarinov
DD-WRT Novice


Joined: 26 Oct 2018
Posts: 6

PostPosted: Sat Jan 19, 2019 18:16    Post subject:
Thanks! I followed your guide as closely as I could, but I still got nothing; the client isn't even connecting.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12834
Location: Netherlands

PostPosted: Sat Jan 19, 2019 20:39    Post subject:
Can you post a picture of your OVPN server settings and a picture of your OVPN server status page with the log and stats?
apomarinov
DD-WRT Novice


Joined: 26 Oct 2018
Posts: 6

PostPosted: Sun Jan 20, 2019 8:06    Post subject:
Sure, here they are:
https://ibb.co/ZcSggp5
https://ibb.co/LpLLbD9
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12834
Location: Netherlands

PostPosted: Sun Jan 20, 2019 9:26    Post subject:
I do not see anything obviously wrong with the server setup.
How are you testing? You can only test from outside of your network, i.e. with a phone on cellular or from a friend's, but the IP subnets of client, server and VPN all have to be different.

What does the log of the client show?
What are the settings of the client?

Is your router connected to the internet or behind another router? If so, did you port forward?

Does your client have the right public IP of your router?


It can be that your ISP is blocking port 1194; in that case use 443 TCP as port and protocol.

apomarinov
DD-WRT Novice


Joined: 26 Oct 2018
Posts: 6

PostPosted: Sun Jan 20, 2019 14:25    Post subject:
This is my client .ovpn following your doc:
Code:

client
dev tun
proto tcp
remote router-static-ip 443
nobind
persist-key
persist-tun
remote-cert-tls server
auth-nocache
verb 4
float
comp-lzo no
tun-mtu 1500
auth SHA256
cipher AES-256-CBC
ca ca.crt
cert client.crt
key client.key


This is the log when trying to connect:
Code:

Jan 20 14:10:12 DD-WRT daemon.notice openvpn[7335]: MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
Jan 20 14:10:12 DD-WRT daemon.notice openvpn[7335]: MANAGEMENT: CMD 'state'
Jan 20 14:10:12 DD-WRT daemon.notice openvpn[7335]: MANAGEMENT: Client disconnected
Jan 20 14:10:12 DD-WRT daemon.notice openvpn[7335]: MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
Jan 20 14:10:12 DD-WRT daemon.notice openvpn[7335]: MANAGEMENT: CMD 'state'
Jan 20 14:10:12 DD-WRT daemon.notice openvpn[7335]: MANAGEMENT: Client disconnected
Jan 20 14:10:12 DD-WRT daemon.notice openvpn[7335]: MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
Jan 20 14:10:12 DD-WRT daemon.notice openvpn[7335]: MANAGEMENT: CMD 'state'
Jan 20 14:10:12 DD-WRT daemon.notice openvpn[7335]: MANAGEMENT: Client disconnected
Jan 20 14:10:12 DD-WRT daemon.notice openvpn[7335]: MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
Jan 20 14:10:12 DD-WRT daemon.notice openvpn[7335]: MANAGEMENT: Client disconnected
Jan 20 14:10:12 DD-WRT daemon.notice openvpn[7335]: NOTE: --mute triggered...
Jan 20 14:10:12 DD-WRT daemon.notice openvpn[7335]: 1 variation(s) on previous 3 message(s) suppressed by --mute
Jan 20 14:10:12 DD-WRT daemon.notice openvpn[7335]: MANAGEMENT: CMD 'status 2'
Jan 20 14:10:12 DD-WRT daemon.notice openvpn[7335]: MANAGEMENT: Client disconnected
Jan 20 14:10:12 DD-WRT daemon.notice openvpn[7335]: MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
Jan 20 14:10:12 DD-WRT daemon.notice openvpn[7335]: MANAGEMENT: CMD 'status 2'
Jan 20 14:10:12 DD-WRT daemon.notice openvpn[7335]: MANAGEMENT: Client disconnected
Jan 20 14:10:12 DD-WRT daemon.notice openvpn[7335]: MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
Jan 20 14:10:12 DD-WRT daemon.notice openvpn[7335]: MANAGEMENT: CMD 'log 500'
Jan 20 14:10:12 DD-WRT daemon.notice openvpn[7335]: MANAGEMENT: Client disconnected


I'm attempting to connect using OpenVPN from my iPhone on the mobile network. The router is directly connected to the internet.

I'm not really sure about the "IP subnet of client, server and VPN has to be all different", but this is my setup:
WAN:
Static IP
Subnet 255.255.255.0

Router:
IP: 192.168.49.1
Subnet 255.255.255.0

VPN:
IP: 10.8.0.0
Subnet 255.255.255.0

I have accessed a server on my PC through my static IP, so that definitely works.
Dr_K
DD-WRT User


Joined: 23 Mar 2018
Posts: 445

PostPosted: Mon Jan 21, 2019 0:05    Post subject:
@egc asked to see the client's log.

You just showed the server log... without even showing anything about your attempted connection... like in your first post.

What he means by subnet... I'll try to explain untechnically...

IPv4 addresses have 4 octets (or octives?) separated by periods.

So if 192.168.0.0 is one subnet, then (usually) at a minimum another would be 192.168.1.0 or 192.168.7.0.

255.255.255.0 is a subnet mask which dictates how many IP addresses that particular subnet can contain.

Or say if it was 255.255.0.0, it can have enough addresses to use the last two octets, instead of just the last one in the first example.

That all said... all your networks look to be on different subnets.

In that post with links to the site that doesn't like it when you zoom in on a picture:

One pic shows your server log with 4 lines about TLS errors.

The other pic shows the GUI with the TLS Auth key box blank.

Your client config contains the line:

remote-cert-tls server

I'm not sure that will all work... Though I have never personally set up a server without a TLS key... or its cipher.

_________________
Location 1
R7800- DD-WRT v3.0-r53562 (10/03/23) Gateway
WNDR3400v1 DD-WRT v3.0-r35531_mega-nv64k (03/26/18 ) Access Point
WRT160Nv3 DD-WRT ?v3?.0-r35531 mini (03/26/18 ) Access Point
WRT54GSv5 DD-WRT v24-r33555_micro_generic (10/20/17) Repeater
Location 2
R7800- DD-WRT v3.0-r51855 (02/25/23) Gateway
R6300v2- DD-WRT v3.0-r50671 (10-26-22) Access Point
WNDR3700v2 DD-WRT v3.0-r35531 std (03/26/18 ) Access Point
E1200 v2 DD-WRT v3.0-r35531 mega-nv64k (03/26/18 ) Gateway(for trivial reasons)
RBWAPG-5HACT2HND-BE RouterOS-v6.46.4 (2/21/20) Outdoor Access Point
2x RBSXTG-5HPACD RouterOS-v6.46.4 (2/21/20) PTP Bridge 866.6Mbps-1GbpsLAN
Location 3
2x R7000- DD-WRT v3.0-r50671 (10/26/22) Access Points
2x RBWAPG-60AD RouterOS-v6.45.9 (04/30/20) PTP Bridge 2.3Gbps-1GbpsLAN
2x RBSXTsqG-5acD RouterOS-v6.49.7 (10/14/22) PTP Bridge 866.6Mbps-1GbpsLAN

Thank You BrainSlayer for ALL that you do & have done, also to "most" everyone here that shares their knowledge
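The overlap rule egc stated ("the IP subnets of client, server and VPN all have to be different") and Dr_K's explanation of what a mask such as 255.255.255.0 or 255.255.0.0 allows can be checked mechanically. The script below is an added example, not part of either post; it uses the thread's router LAN (192.168.49.0/24) and VPN pool (10.8.0.0/24) and assumes 192.168.1.0/24 as the remote client's LAN, which is a constructed value.

```python
import ipaddress
from itertools import combinations

# Networks from the thread; the client-side LAN is an assumption for the example.
NETWORKS = {
    "router LAN": "192.168.49.0/24",
    "VPN pool": "10.8.0.0/24",
    "client LAN (assumed)": "192.168.1.0/24",
}


def usable_hosts(mask):
    """Usable host addresses a dotted mask allows (network and broadcast excluded)."""
    net = ipaddress.IPv4Network(("0.0.0.0", mask))
    return net.num_addresses - 2


def overlaps(networks):
    """Pairs of names whose subnets overlap; an empty list means the rule holds."""
    parsed = {name: ipaddress.ip_network(cidr, strict=False)
              for name, cidr in networks.items()}
    return [(a, b) for a, b in combinations(parsed, 2)
            if parsed[a].overlaps(parsed[b])]


def check_setup(networks):
    """Summarise the overlap check: ok is True only when no two subnets clash."""
    clashes = overlaps(networks)
    return {"ok": not clashes, "clashes": clashes}


if __name__ == "__main__":
    print("255.255.255.0 allows", usable_hosts("255.255.255.0"), "hosts")
    print("255.255.0.0 allows", usable_hosts("255.255.0.0"), "hosts")
    print(check_setup(NETWORKS))
    # A phone tethered to a LAN that reuses the router's subnet would be
    # unroutable through the tunnel; this shows how the check reports it.
    clashing = dict(NETWORKS, **{"client LAN (assumed)": "192.168.49.0/24"})
    print(check_setup(clashing))
```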
apomarinov
DD-WRT Novice


Joined: 26 Oct 2018
Posts: 6

PostPosted: Mon Jan 21, 2019 8:10    Post subject:
Oh thanks, that clears some things up.

I wasn't aware there were dedicated client logs; where are they located?

I guess I'll try removing the "remote-cert-tls server", or setting up TLS on the server.