OpenVPN Server Setup guide

c0l0c0d0s
DD-WRT Novice


Joined: 10 Mar 2019
Posts: 28

PostPosted: Tue Mar 12, 2019 21:17
Going to try this now!

Quick question regarding DNSmasq: expressVPN had me set this already to
interface=tun1

Should I have this set to interface=tun2, which is my server TUN you helped me create?

Also this may help someone else, but I struggled a moment ago to add my expressVPN connection to my android app. I kept getting a "fragmentation not supported" error; I looked at the oVPN FAQ and this is not supported, so I removed it from the import file and bang, works perfect!
c0l0c0d0s
DD-WRT Novice


Joined: 10 Mar 2019
Posts: 28

PostPosted: Tue Mar 12, 2019 22:09
egc wrote:
You did not miss anything.
But when using an OVPN server and client on the same router you have to use Policy based routing on the OVPN client.
Otherwise traffic goes in through the WAN and is routed out through the vpn client, and the firewall will not do that.

For policy based routing, enter the ip addresses of the clients you want to route via the VPN client in the PBR field of the client; use CIDR notation and do not include the router itself.
The ddwrt PBR implementation has some flaws, if you run into that then see my signature for a better implementation.

If you have your android client connected to your OVPN server you can have it use your outbound vpn client by adding the IP's of the OVPN server to the PBR field,
i.e. add 10.8.0.2 to the PBR field.

In the next iteration of the guide I will dedicate a chapter to this kind of setup


Okay, tried that. In fact the IP you suggested was my "virtual IP", so I added this in the PBR of WRT-clientVPN, and brill, I can connect with both the client/server running together.

However I cannot hit my CCTV in the 192.168.49.x in this scenario.

So I tried adding that IP address as another separate line in PBR, no joy.

I tried /32 each one also to no avail.

I have had a read of your script again, and credit to you, it looks great, but I was struggling with it somewhat. I am sure it is what I want, as I have a push access controller here that also needs to go out and loop back via the WAN from Google's push servers, but that is another story. At the moment I am not sure what I am missing ref the issue above?
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12835
Location: Netherlands

PostPosted: Wed Mar 13, 2019 7:07
The problem with the PBR implementation of DDWRT is that clients in the PBR can not see other clients, so your virtual ip, when placed in the PBR, can not see your cctv.

Just to test, place another ip address in the PBR; it does not matter what, as long as it is not your virtual ip.
Now you should be able to contact/ping other clients.

I have written a better PBR implementation (see my signature), but it is still somewhat experimental.

Viewing streaming services via vpn can be somewhat of a challenge because it is udp traffic; we sometimes have to lower the MTU size.

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12835
Location: Netherlands

PostPosted: Wed Mar 13, 2019 10:39
Chapter about Running an OpenVPN server and OpenVPN client on the same router added to the guide using Policy Based Routing, now v1.31
c0l0c0d0s
DD-WRT Novice


Joined: 10 Mar 2019
Posts: 28

PostPosted: Wed Mar 13, 2019 17:44
egc wrote:
Chapter about Running an OpenVPN server and OpenVPN client on the same router added to the guide using Policy Based Routing, now v1.31


Nice update, thanks :)

Trying to keep mine simple still as you recommended ref PBR, not the script option.

Mine has to have an external virtual IP (mobile device) defined to allow a remote client & server to run together at once; to allow this I added the only two I use:-

10.8.0.2/32
10.8.0.3/32

ServerVPN only running results:- (from 4G mobile)
1. Can browse the internet etc.
2. IP resolved is the TRUE one my ISP provides me.
3. Can access local CCTV client 192.168.49.232

ServerVPN & ClientVPN running results:- (from 4G mobile)
1. Can browse the internet etc.
2. IP resolved is the FAKE one my expressVPN provides me.
3. CANNOT access local CCTV client 192.168.49.232

Amended PBR to:-

10.8.0.2/32
10.8.0.3/32
192.168.49.232 (and tried with 192.168.49.232/32)

But cannot access the LAN client, or any LAN client?
MLandi
DD-WRT Guru


Joined: 04 Dec 2007
Posts: 1008

PostPosted: Thu Mar 14, 2019 2:09
From egc's excellent instructions:

"The problem is that you access your OpenVPN server via the WAN, and if you also have an OpenVPN client running, the return traffic will go out via the VPN client and your firewall will not allow that."

I never thought about that when trying to set up both an OPVN client and server. Thank you.

_________________
Netgear R9000
DD-WRT v3.0-r55460 std (03/25/24)
Linux 4.9.337 #715 SMP Mon Mar 25 06:15:53 +07 2024 armv7l
Gateway, AP, DNSMasq, Clock 2000MHz
VAP on wlan1 for internet devices
IPv4 & IPv6 (Prefix Delegation)
Static Leases & DHCP
CloudFlare, no SFE, SmartDNS, no QoS
2.4GHz: Vanilla, Airtime Fairness, NG-Mixed, ACK Timing 3150, WPA2 w/AES & WPA3
5GHz: Vanilla, Airtime Fairness, AC/N Mixed, ACK Timing 3150, WPA2 w/AES & WPA3
2 Netgear AX1800 WiFi Mesh Extenders
Xfinity 1.2Gbps/35Mbps
MLandi
DD-WRT Guru


Joined: 04 Dec 2007
Posts: 1008

PostPosted: Thu Mar 14, 2019 2:17
Let me see if I have this right.

My network is 192.168.16.128/25. The router is 192.168.16.128, clients start at 129. I hope I am using the

My OPVN server is 10.8.0.0/24

Do I have this correct?

MLandi
DD-WRT Guru


Joined: 04 Dec 2007
Posts: 1008

PostPosted: Thu Mar 14, 2019 2:40
Well, I had that wrong (as I'm sure anyone who knows this new notation figured out. :))

A couple of hints to those reading this thread. First, make da*n sure you back up your configuration before messing with routing tables. My PBR sent DNS requests out the VPN and I lost the ability to contact the router! Reset the router, restored my backup and I'm back in business.

Second note, use a calculator like https://www.ipaddressguide.com/cidr. I plugged in the IP range of my network and it nicely spit out the table I needed.

Lesson learned, don't try this at home (meaning setting routing tables off the top of your head.) The pros make it look easy. It is not-so-easy. :)

My proper table is:
192.168.16.129/32
192.168.16.130/31
192.168.16.132/30
192.168.16.136/29
192.168.16.144/28
192.168.16.160/27
192.168.16.192/26

192.168.16.128 is my router and my local DNS! Oh well, learned something new.

Again thanks to egc for the great guide.

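As an added example (not part of the thread or of egc's guide), here is the arithmetic the CIDR calculator did for MLandi's 192.168.16.128/25 LAN, plus a check for the lockout egc describes further down: a PBR entry that covers the router's own address. The router address 192.168.49.1 in the second test is an assumption; the thread only gives the CCTV host 192.168.49.232.

```python
import ipaddress


def pbr_ranges(lan_cidr: str, router_ip: str) -> list[str]:
    """Cover every address of the LAN except the router with the fewest CIDR blocks.

    For 192.168.16.128/25 with the router at .128 this yields the seven blocks
    MLandi ended up with (.129/32, .130/31, .132/30, ... .192/26): the router
    (and local DNS) must stay out of the PBR field, because the alternate
    routing table has no local routes and putting the router there locks you out.
    """
    lan = ipaddress.ip_network(lan_cidr, strict=False)
    router = ipaddress.ip_network(router_ip + "/32")
    # address_exclude() yields the largest blocks that cover lan minus router.
    return [str(net) for net in sorted(lan.address_exclude(router))]


def entries_covering_router(pbr_entries: list[str], router_ip: str) -> list[str]:
    """Return the PBR entries that would route the router's own IP via the VPN client.

    Entries may be bare IPs (treated as /32, as in the thread) or CIDR blocks.
    A non-empty result means the PBR list would cause the lockout described above.
    """
    router = ipaddress.ip_address(router_ip)
    offending = []
    for entry in pbr_entries:
        net = ipaddress.ip_network(entry, strict=False)
        if router in net:
            offending.append(entry)
    return offending


if __name__ == "__main__":
    for cidr in pbr_ranges("192.168.16.128/25", "192.168.16.128"):
        print(cidr)
    # Constructed PBR list: c0l0c0d0s's two virtual IPs plus a whole-LAN block
    # that accidentally includes an assumed router address of 192.168.49.1.
    print(entries_covering_router(
        ["10.8.0.2/32", "10.8.0.3/32", "192.168.49.0/24"], "192.168.49.1"))
```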
slidermike
DD-WRT Guru


Joined: 11 Nov 2013
Posts: 1487
Location: USA

PostPosted: Thu Mar 14, 2019 4:31
lol,
glad you saw the error of your ways, man.
Yeah, I read your post and thought "that's not gonna work, he put the network where his first addressable host should be." Then I read your 2nd post.

It really isn't hard, but unless you know one of the shortcuts or have it down to memory I recommend a free calc for ease of use.

I still use a calc once in a while when dealing with subnets I don't typically address in my job.

_________________
Router currently owned:
Netgear R7800 - Router
Netgear R7000 - AP mode

R7000 specific Tips/Tricks.
http://www.dd-wrt.com/phpBB2/viewtopic.php?t=264152
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12835
Location: Netherlands

PostPosted: Thu Mar 14, 2019 7:45
Due to the flaws in the DDWRT PBR implementation you can not add your router's own IP to the PBR range, or you will lock yourself out, as you found out the hard way.

This is because the alternate routing table does not have any local routes, only the VPN clients route.

A warning is in the latest guide.

egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12835
Location: Netherlands

PostPosted: Thu Mar 14, 2019 7:54
c0l0c0d0s wrote:
egc wrote:
Chapter about Running an OpenVPN server and OpenVPN client on the same router added to the guide using Policy Based Routing, now v1.31


Nice update, thanks :)

Trying to keep mine simple still as you recommended ref PBR, not the script option.

Mine has to have an external virtual IP (mobile device) defined to allow a remote client & server to run together at once; to allow this I added the only two I use:-

10.8.0.2/32
10.8.0.3/32

ServerVPN only running results:- (from 4G mobile)
1. Can browse the internet etc.
2. IP resolved is the TRUE one my ISP provides me.
3. Can access local CCTV client 192.168.49.232

ServerVPN & ClientVPN running results:- (from 4G mobile)
1. Can browse the internet etc.
2. IP resolved is the FAKE one my expressVPN provides me.
3. CANNOT access local CCTV client 192.168.49.232

Amended PBR to:-

10.8.0.2/32
10.8.0.3/32
192.168.49.232 (and tried with 192.168.49.232/32)

But cannot access the LAN client, or any LAN client?


You have stumbled upon the flaws in the DDWRT PBR implementation: there are no local routes in the alternate routing table, so your PBR clients can not see other LAN clients.

You can either use my PBR implementation with the script (see my signature) or use a script from @Eibgrad which copies the local routes from the main routing table to the alternate routing table.
Both involve a script running as Startup. My PBR implementation of course also has local routes copied to the alternate routing table, and my implementation has some more benefits, but it is still somewhat experimental.
@Eibgrad's coding skills are far superior to mine.

slybin
DD-WRT Novice


Joined: 08 Jun 2011
Posts: 5

PostPosted: Tue Apr 16, 2019 12:15
Thanks for the guide, it helped me reconfigure openvpn after a firmware update.

I only have one issue left. I can't connect to my nas using http, but I can connect to it as a file server. I get a "Could not connect to the server" when I try http://192.168.1.35:8080

Router: Netgear R7000
Firmware: 37015M kongac

The configuration of openvpn is as in your document except for network, cipher and hash. I have the firewall rule to allow internet access.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12835
Location: Netherlands

PostPosted: Tue Apr 16, 2019 12:22
My guess is it is the firewall of the NAS.
It could be only allowing local traffic for http.
So disable the firewall of the NAS for testing.

slybin
DD-WRT Novice


Joined: 08 Jun 2011
Posts: 5

PostPosted: Tue Apr 16, 2019 12:49
Thanks for the quick answer.

I will have to talk to the synology people. I have a virtual DSM running on my NAS and it's on that system that I can't connect.

Sorry to have bothered you.
slybin
DD-WRT Novice


Joined: 08 Jun 2011
Posts: 5

PostPosted: Tue Apr 16, 2019 14:23
Is there any problem running OpenVPN in TCP instead of UDP?

I read about performance issues, but could there be any security issue?