OpenVPN server setup guide by egc

egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 3921
Location: Netherlands

Posted: Tue Apr 16, 2019 15:38
There is no security issue, but indeed TCP has more overhead and is somewhat slower.
_________________
Routers:Netgear R7800, Netgear R6400v1, Netgear R6400v2, Linksys EA6900 (XvortexCFE), Linksys E2000 (converted WRT320N), WRT54GS v1.
Install guide Linksys EA6900: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=291230
Simple PBR (Policy Based Routing) script: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318662
Install guide R6400v2:http://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
OpenVPN Server Setup:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318795
Install guide R7800: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
ivar.ubuntu@gmail.com
DD-WRT Novice


Joined: 17 Apr 2019
Posts: 2

Posted: Sat Apr 20, 2019 18:50    Post subject: Tap bridge setup Windows firewall
Thx for a nice guide :D
When using the tap bridge setup, remember to add OpenVPNGUI.exe on the client to the firewall.
I spent a lot of time trying to connect from LAN to client.
Client to VPN (PC and router) was working fine.
The only thing you have to do is add a firewall rule in Windows on the client PC.

Firmware: DD-WRT v3.0-r36698 vpn ( 08/22/18 )
Linksys WRT54GL v.1.1
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 3921
Location: Netherlands

Posted: Sat Apr 20, 2019 19:09
Ivar, thanks for your comment; you will have firewall problems when using the TAP setup.
One way to mitigate this is setting the profile on the TAP adapter. From the guide:

Quote:
The TAP Network Adapter will have a Public Network profile and thus will be firewalled.
Disable the firewall or set the TAP adapter on a private profile:

Run cmd as administrator and do:
powershell.exe -ExecutionPolicy Bypass
To get the name of the TAP adapter:
Get-NetConnectionProfile
Set-NetConnectionProfile -Name "[Name of TAP adapter]" -NetworkCategory Private

The default name is Unidentified Network; in that case use:
Set-NetConnectionProfile -Name "Unidentified Network" -NetworkCategory Private

Check with Get-NetConnectionProfile to see if the Network Adapter is changed from Public to Private.


Have you tried this and is it not working?

But of course setting a firewall rule to allow OpenVPNGUI.exe should also work, perhaps I should add this to the guide?

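The profile change from the quoted guide text, as an added PowerShell example (not from the guide or from egc's post): it selects the TAP adapter by interface index rather than by profile name, and adds one scoped allow rule instead of switching the firewall off. The `TAP-Windows*` description match, the 192.168.1.0/24 server LAN and the rule name are assumptions.

```powershell
# Added example (not from the guide). Run in an elevated PowerShell session on the
# Windows client while the VPN is connected.
# Assumptions: the TAP driver's InterfaceDescription starts with "TAP-Windows";
# 192.168.1.0/24 is the OVPN server's LAN (the guide's example network);
# the rule name is made up for this example.
$ServerLan = '192.168.1.0/24'
$RuleBase  = 'Example allow OVPN server LAN on'

$tap = Get-NetAdapter |
    Where-Object { $_.InterfaceDescription -like 'TAP-Windows*' -and $_.Status -eq 'Up' }
if (-not $tap) { throw 'No connected TAP adapter found; connect the VPN first.' }

foreach ($adapter in $tap) {
    # Select the profile by interface index, so the Ethernet/Wi-Fi profile and any
    # other "Unidentified network" entries are left alone.
    $before = Get-NetConnectionProfile -InterfaceIndex $adapter.ifIndex
    if ($before.NetworkCategory -eq 'Public') {
        Set-NetConnectionProfile -InterfaceIndex $adapter.ifIndex -NetworkCategory Private
    }
    $after = Get-NetConnectionProfile -InterfaceIndex $adapter.ifIndex
    '{0}: {1} -> {2}' -f $adapter.Name, $before.NetworkCategory, $after.NetworkCategory

    # Instead of disabling the firewall, allow inbound traffic only from the server's
    # LAN, only on the TAP interface, and only while that interface is Private.
    $ruleName = "$RuleBase $($adapter.Name)"
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Action Allow `
            -InterfaceAlias $adapter.Name -RemoteAddress $ServerLan -Profile Private |
            Out-Null
    }
}

# The firewall itself should still be enabled on every profile.
Get-NetFirewallProfile | Select-Object Name, Enabled
```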
ivar.ubuntu@gmail.com
DD-WRT Novice


Joined: 17 Apr 2019
Posts: 2

Posted: Sun Apr 21, 2019 10:24    Post subject: Firewall
Changing from Public to Private network did not help me. In W10 you can do this by right-clicking the network icon (bottom right corner). I then disabled the firewall and everything worked. I think you should add to the guide a recommendation to disable the Windows firewall for troubleshooting.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 3921
Location: Netherlands

Posted: Mon Apr 22, 2019 6:51
OK, I can see where you possibly went wrong.
By right-clicking on the adapter you can change the Connection Profile of the Ethernet or Wi-Fi adapter, but you have to change the Connection Profile of the TAP adapter.

You have to use the PowerShell scripts I provided to do this.

Disabling the Windows Firewall is in the text, I have highlighted it in the next version.

ronajon
DD-WRT Novice


Joined: 20 Mar 2019
Posts: 5

Posted: Thu May 02, 2019 7:33
Thx for the guide, it's very helpful.
In my client.ovpn file I needed to add 'comp-lzo no'.
Without that line I got error messages upon connecting:

Code:

WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1571', remote='link-mtu 1572'
WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'


I checked the /tmp/openvpn/openvpn.conf on the router and that had the same line in it.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 3921
Location: Netherlands

Posted: Thu May 02, 2019 7:39
Thanks for your comment and glad you got it working.

Because of the VORACLE bug it is better to not use LZO compression.
You should leave it out on the client and set the server as Disabled for LZO-compression.
According to your log the server is set as adaptive.

From the guide (latest version):
Quote:
comp-lzo is removed; be sure to disable it also in the OVPN server.

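A check for the situation in the two posts above, as an added PowerShell example (not from the guide or from either poster): it reads the `comp-lzo` setting from a server and a client config, reports when the directive is present on only one end, and flags an end that still has LZO compression switched on. Only `comp-lzo` is handled; the function names and both sample configs are constructed for illustration.

```powershell
# Added example, limited to the comp-lzo directive. Sample configs are constructed.
function Get-CompLzo {
    param([string]$ConfigText)
    $setting = 'absent'
    foreach ($line in ($ConfigText -split "`r?`n")) {
        $t = ($line -replace '[#;].*$', '').Trim()        # strip comments
        if ($t -match '^comp-lzo(?:\s+(\S+))?$') {
            # A bare "comp-lzo" defaults to adaptive mode.
            $setting = if ($Matches[1]) { $Matches[1] } else { 'adaptive' }
        }
    }
    $setting
}

function Compare-CompLzo {
    param([string]$ServerConfig, [string]$ClientConfig)
    $s = Get-CompLzo $ServerConfig
    $c = Get-CompLzo $ClientConfig
    # The directive must be on both ends or on neither; "comp-lzo no" counts as present.
    if (($s -eq 'absent') -ne ($c -eq 'absent')) {
        "MISMATCH: server comp-lzo=$s, client comp-lzo=$c"
    }
    foreach ($end in @(@('server', $s), @('client', $c))) {
        if ($end[1] -in 'yes', 'adaptive') {
            "COMPRESSION ON at $($end[0]) (comp-lzo $($end[1])): remove it because of VORACLE"
        }
    }
}

# Constructed sample: server still on adaptive, client without the directive.
$serverAdaptive = "port 1194`nproto udp`ndev tun`ncomp-lzo   # adaptive by default"
$serverDisabled = "port 1194`nproto udp`ndev tun"
$clientBare     = "client`ndev tun`nproto udp`nremote vpn.example.net 1194"

'--- server adaptive, client without comp-lzo ---'
Compare-CompLzo $serverAdaptive $clientBare
'--- comp-lzo removed on both ends ---'
$findings = @(Compare-CompLzo $serverDisabled $clientBare)
if ($findings) { $findings } else { 'OK: comp-lzo absent on both ends' }
```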
ronajon
DD-WRT Novice


Joined: 20 Mar 2019
Posts: 5

Posted: Fri May 03, 2019 8:46
egc wrote:
Thanks for your comment and glad you got it working.

Because of the VORACLE bug it is better to not use LZO compression.
You should leave it out on the client and set the server as Disabled for LZO-compression.
According to your log the server is set as adaptive.

From the guide (latest version):
Quote:
comp-lzo is removed; be sure to disable it also in the OVPN server.


Thx, I had it set to 'no' before, but with Disabled I also removed the line from my client ovpn file.
griphook
DD-WRT Novice


Joined: 26 May 2019
Posts: 1

Posted: Sun May 26, 2019 21:15
Thanks for an awesome guide on this! I have a question. I don't have access to a Windows machine, only Linux. How can I use this guide using Linux?
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 3921
Location: Netherlands

Posted: Mon May 27, 2019 11:58
griphook wrote:
Thanks for an awesome guide on this! I have a question. I don't have access to a Windows machine, only Linux. How can I use this guide using Linux?


Actually it is not much different: Windows (Easy-RSA 2) uses batch files to invoke openssl with its parameters, and on Linux you are actually doing the same, although a batch file is called a script :)

See: https://openvpn.net/community-resources/how-to/#setting-up-your-own-certificate-authority-ca-and-generating-certificates-and-keys-for-an-openvpn-server-and-multiple-clients

rgrichar45
DD-WRT Novice


Joined: 29 May 2019
Posts: 4

Posted: Wed May 29, 2019 18:35    Post subject: OpenVPN problems/changes with recent dd-wrt builds
Router Model TP-Link ARCHER-C7 v4
Firmware Version DD-WRT v3.0-r39866 std (05/27/19)
Kernel Version Linux 3.18.140 #41832 Mon May 27 04:52:15 CEST 2019 mips

I had complete success setting up OpenVPN server on build r37305 (many thanks for the guide!!) but build problems prevented the wifi from working with any security.

Trying newer and most recent builds (38159 39866, plus others) I could get at least one (2.4) radio to work with some security, but OpenVPN tab is different. No VPN network info (address and subnet mask) or button for Advanced Options to set Redirect Default Gateway: Enable

Has something changed in the OpenVPN config, or are these loads just broken or not working with my router?

I did ask same question on the r39866 thread but thought you may be aware of the OpenVPN specific issue with these newer loads.
rgrichar45
DD-WRT Novice


Joined: 29 May 2019
Posts: 4

Posted: Wed May 29, 2019 18:53    Post subject: OpenVPN problems/changes with recent dd-wrt builds
Nevermind - not a problem, but seems something changed as I don't recall having to toggle the OpenVPN server network info on.

Config as: Server or Daemon - select Server to reveal the config I was looking for.
veekay
DD-WRT Novice


Joined: 09 Mar 2009
Posts: 38

Posted: Thu Jun 13, 2019 2:42
So I have things working great, but had a question. With OpenVPN is there a way to route only certain local traffic through versus all internet?

My ultimate goal is using this for remote desktop so ideally I'd like only that traffic to use the vpn, versus having to route *everything*.

Example - say I'm on 192.168.0.1 and the vpn network is 10.0.0.1 - can I have it only allow access to 10.0.0.x items when on the vpn?
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 3921
Location: Netherlands

Posted: Thu Jun 13, 2019 8:04
veekay wrote:
So I have things working great, but had a question. With OpenVPN is there a way to route only certain local traffic through versus all internet?

My ultimate goal is using this for remote desktop so ideally I'd like only that traffic to use the vpn, versus having to route *everything*.

Example - say I'm on 192.168.0.1 and the vpn network is 10.0.0.1 - can I have it only allow access to 10.0.0.x items when on the vpn?


If you only want to access your OVPN server's network, then disable "Redirect default Gateway" in the OVPN server's GUI.

Instead you have to push a route to the OVPN server's network. Assuming your OVPN server sits on a router with 192.168.1.1 as its IP (as is used in the example in the guide), you add the following in the Additional Config:
Code:
push "route 192.168.1.0 255.255.255.0 vpn_gateway"


Now your client knows to route all IP addresses in 192.168.1.1 - 254 through the VPN.

As always, your OVPN router, the OVPN server's network and the client's network must be different.

This is described in the Advanced section.

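The "networks must be different" condition from the post above, as an added PowerShell example (not from the guide or from egc's post): it checks the server LAN, the VPN subnet and the client's LAN for overlap and prints the matching `push "route ..."` line only when they are distinct. The function names, the 10.8.0.0/24 VPN subnet and the two client LANs are constructed sample values.

```powershell
# Added example. All addresses below are constructed sample values.
function Get-CidrRange {
    param([string]$Name, [string]$Cidr)
    $ip, $len = $Cidr -split '/'
    [uint64]$addr = 0
    foreach ($b in [System.Net.IPAddress]::Parse($ip).GetAddressBytes()) {
        $addr = $addr * 256 + $b
    }
    [uint64]$size  = [math]::Pow(2, 32 - [int]$len)
    [uint64]$start = $addr - ($addr % $size)
    [pscustomobject]@{ Name = $Name; Network = $ip; Length = [int]$len
                       Start = $start; End = [uint64]($start + $size - 1) }
}

function ConvertTo-Netmask {
    param([int]$Length)
    [uint64]$mask = [math]::Pow(2, 32) - [math]::Pow(2, 32 - $Length)
    (3..0 | ForEach-Object { [math]::Floor($mask / [math]::Pow(256, $_)) % 256 }) -join '.'
}

function Find-SubnetOverlap {
    param([object[]]$Ranges)
    for ($i = 0; $i -lt $Ranges.Count; $i++) {
        for ($j = $i + 1; $j -lt $Ranges.Count; $j++) {
            $a = $Ranges[$i]; $b = $Ranges[$j]
            # Two ranges overlap when each one starts before the other ends.
            if ($a.Start -le $b.End -and $b.Start -le $a.End) {
                "OVERLAP: $($a.Name) $($a.Network)/$($a.Length) and " +
                "$($b.Name) $($b.Network)/$($b.Length)"
            }
        }
    }
}

$serverLan = Get-CidrRange 'server LAN' '192.168.1.0/24'   # network from the guide's example
$vpnSubnet = Get-CidrRange 'VPN subnet' '10.8.0.0/24'      # assumed tunnel subnet
foreach ($clientCidr in '192.168.0.0/24', '192.168.1.0/24') {
    $client = Get-CidrRange 'client LAN' $clientCidr
    $hits = @(Find-SubnetOverlap @($serverLan, $vpnSubnet, $client))
    if ($hits) { $hits }
    else { 'push "route {0} {1} vpn_gateway"' -f $serverLan.Network, (ConvertTo-Netmask $serverLan.Length) }
}
```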
veekay
DD-WRT Novice


Joined: 09 Mar 2009
Posts: 38

Posted: Thu Jun 13, 2019 14:35
egc wrote:

If you only want to access your OVPN servers network then Disable "Redirect default Gateway" in the OVPN servers GUI.


Thanks - eventually got it working. I'm using tap, so only two networks. I had to disable dhcp proxy mode, redirect and add that code and everything seems to be working perfectly.
All times are GMT