OpenVPN client on dd-wrt 2nd router

Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Advanced Networking
Author Message
YadiMolina
DD-WRT Novice


Joined: 18 Dec 2018
Posts: 8

PostPosted: Wed Feb 13, 2019 2:36    Post subject: OpenVPN client on dd-wrt 2nd router Reply with quote
Greetings,
I am trying to get a router to act as an OpenVPN client.

It is a Linksys E2500 running DD-WRT v3.0-r33772 mega (11/16/17). I have a Raspberry Pi running PIVPN server at a remote location with a dyndns.org domain. It took forever to get the OpenVPN client to connect, but thanks to other posts here, I finally accomplished that (using an older firmware). In the pivpn server, I see the dd-wrt router connection reported as connected. I use the same pivpn server to connect to other android and PC clients, all functioning perfectly, with great speed and functionality.

My network configuration is as listed below:

1. ISP modem
2. Main Router running DD-WRT, 192.168.99.0/24
3. Cable from a LAN port on the main router to the WAN port of the VPN Router
3. VPN Router with subnet of 192.168.101.0/24
4. VPN Router has a fixed IP for the WAN of 99.3, and the main router has a DMZ assigned to that IP.


This configuration worked perfectly when I used a commercial VPN for several years. Although, I never paid much attention to the commands or configuration that was used in the commercial setup. The WAN IP always showed the remote IP in the top right corner and the Status page, WAN tab.

Everything works fine in both subnets without the VPN. When I finally got the VPN connected, I have no internet availability in the VPN subnet. It won't communicate via domain names or IP addresses. Now, after the new VPN connects, I still see the local WAN IP displayed.

The NAT is enabled on the OpenVPN client configuration page.

I've switched between router or a gateway in the Setup, Advanced Routing tab, Operating Mode, no effect it seems.

Here's the top of the openvpn config file.

client
dev tun
proto udp
remote <dynamicdns+port>
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
tls-version-min 1.2
verify-x509-name server_blahblahblah name
cipher AES-256-CBC
auth SHA256
auth-nocache
verb 3



Status, VPN tab reports connected, but no remote address. The status section shows plenty of read and write bytes. The local address shown below is the IP range for devices connected to PIVPN.

Client: CONNECTED SUCCESS

Local Address: 10.8.0.9
Remote Address:


19691231 19:00:11 I OpenVPN 2.4.4 mipsel-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Nov 16 2017
19691231 19:00:11 I library versions: OpenSSL 1.1.0g 2 Nov 2017 LZO 2.09
19691231 19:00:11 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:16
19691231 19:00:11 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
20190212 20:58:32 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
20190212 20:58:32 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
20190212 20:58:32 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
20190212 20:58:32 NOTE: --mute triggered...
20190212 20:58:32 1 variation(s) on previous 3 message(s) suppressed by --mute
20190212 20:58:32 I TCP/UDP: Preserving recently used remote address: [AF_INET]<resolvedIP-port>
20190212 20:58:32 Socket Buffers: R=[163840->163840] S=[163840->163840]
20190212 20:58:32 W --mtu-disc is not supported on this OS
20190212 20:58:32 I UDP link local: (not bound)
20190212 20:58:32 I UDP link remote: [AF_INET]<resolvedIP-port>
20190212 20:58:32 TLS: Initial packet from [AF_INET]<resolvedIP-port> sid=b63cbca6 21e84d7c
20190212 20:58:32 VERIFY OK: depth=1 CN=ChangeMe
20190212 20:58:32 VERIFY KU OK
20190212 20:58:32 NOTE: --mute triggered...
20190212 20:58:33 5 variation(s) on previous 3 message(s) suppressed by --mute
20190212 20:58:33 W WARNING: 'link-mtu' is used inconsistently local='link-mtu 1570' remote='link-mtu 1569'
20190212 20:58:33 W WARNING: 'comp-lzo' is present in local config but missing in remote config local='comp-lzo'
20190212 20:58:33 Control Channel: TLSv1.2 cipher TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384 256 bit EC curve: prime256v1
20190212 20:58:33 I [server_J8LYl58uzalUDqUZ] Peer Connection Initiated with [AF_INET]<resolvedIP-port>
20190212 20:58:34 SENT CONTROL [server_J8LYl58uzalUDqUZ]: 'PUSH_REQUEST' (status=1)
20190212 20:58:34 PUSH: Received control message: 'PUSH_REPLY dhcp-option DNS 8.8.8.8 dhcp-option DNS 8.8.4.4 block-outside-dns redirect-gateway def1 route-gateway 10.8.0.1 topology subnet ping 1800 ping-restart 3600 ifconfig 10.8.0.9 255.255.255.0 peer-id 0 cipher AES-256-GCM'
20190212 20:58:34 N Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:3: block-outside-dns (2.4.4)
20190212 20:58:34 OPTIONS IMPORT: timers and/or timeouts modified
20190212 20:58:34 OPTIONS IMPORT: --ifconfig/up options modified
20190212 20:58:34 OPTIONS IMPORT: route options modified
20190212 20:58:34 NOTE: --mute triggered...
20190212 20:58:34 5 variation(s) on previous 3 message(s) suppressed by --mute
20190212 20:58:34 Data Channel: using negotiated cipher 'AES-256-GCM'
20190212 20:58:34 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
20190212 20:58:34 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
20190212 20:58:34 I TUN/TAP device tun0 opened
20190212 20:58:34 TUN/TAP TX queue length set to 100
20190212 20:58:34 D do_ifconfig tt->did_ifconfig_ipv6_setup=0
20190212 20:58:34 I /sbin/ifconfig tun0 10.8.0.9 netmask 255.255.255.0 mtu 1500 broadcast 10.8.0.255
20190212 20:58:34 /sbin/route add -net <resolvedremoteIP> netmask 255.255.255.255 gw 192.168.99.1
20190212 20:58:34 /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.8.0.1
20190212 20:58:34 /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.8.0.1
20190212 20:58:34 I Initialization Sequence Completed


I assume this is some routing issue, hopefully simple but I am very weak in such things. I appreciate any direction.
Sponsor
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 5785
Location: Netherlands

PostPosted: Wed Feb 13, 2019 11:46    Post subject: Reply with quote
Can you ping your VPN server: ping 10.8.0.1
_________________
Routers:Netgear R7800, Netgear R6400v1, Netgear R6400v2, Linksys EA6900 (XvortexCFE), Linksys E2000 (converted WRT320N), WRT54GS v1.
OpenVPN Policy Based Routing guide: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=321686
Install guide R6400v2:http://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
OpenVPN Server Setup:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318795
Install guide R7800: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Wireguard server setup guide:https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1183135
Wireguard client setup guide:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324624
Wireguard Advanced setup guide:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324787
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
YadiMolina
DD-WRT Novice


Joined: 18 Dec 2018
Posts: 8

PostPosted: Wed Feb 13, 2019 13:29    Post subject: Reply with quote
I cannot ping the VPN server behind the VPN router.

I can ping the VPN server from a pc using the client.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 5785
Location: Netherlands

PostPosted: Wed Feb 13, 2019 18:53    Post subject: Reply with quote
If I understand it correctly you have two routers daisy chained (LAN<>WAN), on the second router you have a VPN client to an external VPN server.

If so the secondary router has to be setup as default gateway mode.
Important is that the secondary router, the OpenVPN subnet and the OVPN servers subnet are all different, you have to have 3 different subnets.

You do have an error:
20190212 20:58:34 N Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:3: block-outside-dns (2.4.4)

_________________
Routers:Netgear R7800, Netgear R6400v1, Netgear R6400v2, Linksys EA6900 (XvortexCFE), Linksys E2000 (converted WRT320N), WRT54GS v1.
OpenVPN Policy Based Routing guide: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=321686
Install guide R6400v2:http://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
OpenVPN Server Setup:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318795
Install guide R7800: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Wireguard server setup guide:https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1183135
Wireguard client setup guide:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324624
Wireguard Advanced setup guide:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324787
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
YadiMolina
DD-WRT Novice


Joined: 18 Dec 2018
Posts: 8

PostPosted: Wed Feb 13, 2019 23:01    Post subject: Reply with quote
Thanks for your responses. Yes, the routers are daisy-chained. The VPN router is set as Gateway. I am curious if Setup, Advanced Routing, Dynamic Routing should be enabled.

I noticed the DNS error. I tried various sites via IP instead of names, no luck.

Yes, 3 subnets. Looking at the routing table.
YadiMolina
DD-WRT Novice


Joined: 18 Dec 2018
Posts: 8

PostPosted: Sun May 05, 2019 17:23    Post subject: Reply with quote
After much googling and just blind trial-and-error, I finally got my system to work by adding this to Administration, Commands, Firewall:

iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
iptables -I INPUT -i tun0 -j REJECT
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE


The WAN IP status on the top right still shows the local WAN IP, but that doesn't seem affect anything. Everything behind the VPN router shows as the remote public IP.
YadiMolina
DD-WRT Novice


Joined: 18 Dec 2018
Posts: 8

PostPosted: Sun May 05, 2019 20:49    Post subject: Reply with quote
I appreciate your kind and detailed response.

I tried to remove the dev tun line from the additional config field, as well as the Firewall commands, but it was unsuccessful, same problem as before, no web pages opened. I didn't do any troubleshooting, just restored the previous config and I'm good.


fwiw... the openvpn client in this case is severely over configured, in the sense that the only way I could get the thing to connect at all was to paste the entirety of the openvpn config file generated by the pivpn into the Additional Config field, including all the certs.
Display posts from previous:    Page 1 of 1
Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Advanced Networking All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You cannot download files in this forum