Posted: Wed Feb 13, 2019 2:36 Post subject: OpenVPN client on dd-wrt 2nd router
I am trying to get a router to act as an OpenVPN client.
It is a Linksys E2500 running DD-WRT v3.0-r33772 mega (11/16/17). I have a Raspberry Pi running PIVPN server at a remote location with a dyndns.org domain. It took forever to get the OpenVPN client to connect, but thanks to other posts here, I finally accomplished that (using an older firmware). In the pivpn server, I see the dd-wrt router connection reported as connected. I use the same pivpn server to connect to other android and PC clients, all functioning perfectly, with great speed and functionality.
My network configuration is as listed below:
1. ISP modem
2. Main Router running DD-WRT, 192.168.99.0/24
3. Cable from a LAN port on the main router to the WAN port of the VPN Router
3. VPN Router with subnet of 192.168.101.0/24
4. VPN Router has a fixed IP for the WAN of 99.3, and the main router has a DMZ assigned to that IP.
This configuration worked perfectly when I used a commercial VPN for several years. Although, I never paid much attention to the commands or configuration that was used in the commercial setup. The WAN IP always showed the remote IP in the top right corner and the Status page, WAN tab.
Everything works fine in both subnets without the VPN. When I finally got the VPN connected, I have no internet availability in the VPN subnet. It won't communicate via domain names or IP addresses. Now, after the new VPN connects, I still see the local WAN IP displayed.
The NAT is enabled on the OpenVPN client configuration page.
I've switched between router or a gateway in the Setup, Advanced Routing tab, Operating Mode, no effect it seems.
Here's the top of the openvpn config file.
verify-x509-name server_blahblahblah name
Status, VPN tab reports connected, but no remote address. The status section shows plenty of read and write bytes. The local address shown below is the IP range for devices connected to PIVPN.
Client: CONNECTED SUCCESS
Local Address: 10.8.0.9
19691231 19:00:11 I OpenVPN 2.4.4 mipsel-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Nov 16 2017
19691231 19:00:11 I library versions: OpenSSL 1.1.0g 2 Nov 2017 LZO 2.09
19691231 19:00:11 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:16
19691231 19:00:11 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
20190212 20:58:32 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
20190212 20:58:32 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
20190212 20:58:32 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
20190212 20:58:32 NOTE: --mute triggered...
20190212 20:58:32 1 variation(s) on previous 3 message(s) suppressed by --mute
20190212 20:58:32 I TCP/UDP: Preserving recently used remote address: [AF_INET]<resolvedIP-port>
20190212 20:58:32 Socket Buffers: R=[163840->163840] S=[163840->163840]
20190212 20:58:32 W --mtu-disc is not supported on this OS
20190212 20:58:32 I UDP link local: (not bound)
20190212 20:58:32 I UDP link remote: [AF_INET]<resolvedIP-port>
20190212 20:58:32 TLS: Initial packet from [AF_INET]<resolvedIP-port> sid=b63cbca6 21e84d7c
20190212 20:58:32 VERIFY OK: depth=1 CN=ChangeMe
20190212 20:58:32 VERIFY KU OK
20190212 20:58:32 NOTE: --mute triggered...
20190212 20:58:33 5 variation(s) on previous 3 message(s) suppressed by --mute
20190212 20:58:33 W WARNING: 'link-mtu' is used inconsistently local='link-mtu 1570' remote='link-mtu 1569'
20190212 20:58:33 W WARNING: 'comp-lzo' is present in local config but missing in remote config local='comp-lzo'
20190212 20:58:33 Control Channel: TLSv1.2 cipher TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384 256 bit EC curve: prime256v1
20190212 20:58:33 I [server_J8LYl58uzalUDqUZ] Peer Connection Initiated with [AF_INET]<resolvedIP-port>
20190212 20:58:34 SENT CONTROL [server_J8LYl58uzalUDqUZ]: 'PUSH_REQUEST' (status=1)
20190212 20:58:34 PUSH: Received control message: 'PUSH_REPLY dhcp-option DNS 188.8.131.52 dhcp-option DNS 184.108.40.206 block-outside-dns redirect-gateway def1 route-gateway 10.8.0.1 topology subnet ping 1800 ping-restart 3600 ifconfig 10.8.0.9 255.255.255.0 peer-id 0 cipher AES-256-GCM'
20190212 20:58:34 N Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:3: block-outside-dns (2.4.4)
20190212 20:58:34 OPTIONS IMPORT: timers and/or timeouts modified
20190212 20:58:34 OPTIONS IMPORT: --ifconfig/up options modified
20190212 20:58:34 OPTIONS IMPORT: route options modified
20190212 20:58:34 NOTE: --mute triggered...
20190212 20:58:34 5 variation(s) on previous 3 message(s) suppressed by --mute
20190212 20:58:34 Data Channel: using negotiated cipher 'AES-256-GCM'
20190212 20:58:34 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
20190212 20:58:34 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
20190212 20:58:34 I TUN/TAP device tun0 opened
20190212 20:58:34 TUN/TAP TX queue length set to 100
20190212 20:58:34 D do_ifconfig tt->did_ifconfig_ipv6_setup=0
20190212 20:58:34 I /sbin/ifconfig tun0 10.8.0.9 netmask 255.255.255.0 mtu 1500 broadcast 10.8.0.255
20190212 20:58:34 /sbin/route add -net <resolvedremoteIP> netmask 255.255.255.255 gw 192.168.99.1
20190212 20:58:34 /sbin/route add -net 0.0.0.0 netmask 220.127.116.11 gw 10.8.0.1
20190212 20:58:34 /sbin/route add -net 18.104.22.168 netmask 22.214.171.124 gw 10.8.0.1
20190212 20:58:34 I Initialization Sequence Completed
I assume this is some routing issue, hopefully simple but I am very weak in such things. I appreciate any direction.
Joined: 18 Mar 2014 Posts: 6228 Location: Netherlands
Posted: Wed Feb 13, 2019 18:53 Post subject:
If I understand it correctly you have two routers daisy chained (LAN<>WAN), on the second router you have a VPN client to an external VPN server.
If so the secondary router has to be setup as default gateway mode.
Important is that the secondary router, the OpenVPN subnet and the OVPN servers subnet are all different, you have to have 3 different subnets.
I tried to remove the dev tun line from the additional config field, as well as the Firewall commands, but it was unsuccessful, same problem as before, no web pages opened. I didn't do any troubleshooting, just restored the previous config and I'm good.
fwiw... the openvpn client in this case is severely over configured, in the sense that the only way I could get the thing to connect at all was to paste the entirety of the openvpn config file generated by the pivpn into the Additional Config field, including all the certs.