Joined: 18 Mar 2014 Posts: 12922 Location: Netherlands
Posted: Tue Oct 08, 2019 18:48 Post subject:
Ok we are getting there.
You are using an older build which does not have the new encryption ciphers.
On the server the encryption cipher is AES-128-CBC
So on the client (in the clientx.ovpn) also use:
Code:
cipher AES-128-CBC
and not the AES-128-GCM cipher.
This will get rid of the AEAD error and HMAC error and you should be able to connect and ping to your network.
But for the internet connection you need the second rule:
As far as I can tell you are using ADSL and have a PPPoE connection, and in recent builds the name of the VLAN interface is not updated. I was suspecting as much but you have now confirmed it, thanks.
Regarding LZO compression, it is not safe and will be deprecated. Besides, although it seems a good thing that you can squeeze more through the pipe, it actually does not work: the compression/decompression takes away valuable CPU cycles, so the net result on these little routers is 0. _________________ Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3, XR300: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399 Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614 Forum Guide Lines (important read): https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
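The cipher mismatch above (server on AES-128-CBC with ncp-disable, client asking for AES-128-GCM) is easy to catch before connecting. The script below is an added example, not from this thread or from DD-WRT: it pulls the cipher directive out of a server config and a client .ovpn and reports whether they agree. The three sample configs it writes to a temporary directory are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread or from DD-WRT): check that a client
# .ovpn names the same data-channel cipher as the server config. With
# "ncp-disable" on the server there is no cipher negotiation, so a mismatch
# (AES-128-GCM on the client, AES-128-CBC on the server) shows up as
# AEAD/HMAC errors in the log instead of a working tunnel.

# Print the first value of a directive, ignoring comments ('#' or ';') and
# blank lines. $1 = directive name, $2 = config file.
ovpn_directive() {
    sed -e 's/[#;].*$//' "$2" | awk -v d="$1" '$1 == d { print $2; exit }'
}

# Return 0 when server and client agree on "cipher", 1 otherwise.
# $1 = server config, $2 = client config.
check_cipher_match() {
    server_cipher=$(ovpn_directive cipher "$1")
    client_cipher=$(ovpn_directive cipher "$2")
    if [ -z "$server_cipher" ] || [ -z "$client_cipher" ]; then
        echo "cipher directive missing (server='$server_cipher' client='$client_cipher')"
        return 1
    fi
    if [ "$server_cipher" != "$client_cipher" ]; then
        echo "mismatch: server uses $server_cipher, client uses $client_cipher"
        return 1
    fi
    echo "ok: both sides use $server_cipher"
}

# Constructed sample configs (placeholders, not a real deployment).
DEMO=$(mktemp -d)
cat > "$DEMO/server.conf" <<'EOF'
# DD-WRT server additional config, as in the thread
ncp-disable
cipher AES-128-CBC
server 10.8.0.0 255.255.255.0
EOF
cat > "$DEMO/client-bad.ovpn" <<'EOF'
client
dev tun
cipher AES-128-GCM   ; the server does not offer GCM
EOF
cat > "$DEMO/client-good.ovpn" <<'EOF'
client
dev tun
cipher AES-128-CBC
EOF

# Stand-alone demonstration: the first call reports a mismatch, the second is ok.
check_cipher_match "$DEMO/server.conf" "$DEMO/client-bad.ovpn" || :
check_cipher_match "$DEMO/server.conf" "$DEMO/client-good.ovpn"
```

Run it against your own files with `check_cipher_match /tmp/openvpn/openvpn.conf clientx.ovpn` after sourcing the script; the function only reads the files and changes nothing.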
Another issue I had up until last night, just in case it helps anyone else reading this thread.
I could connect to the server just fine from the Android client on the LAN and outside it.
However with clients running on Windows 10 if I put any other IP address in the client config file other than 192.168.0.1 (the ip of the router) such as 10.8.0.1 or the router WAN IP, it would fail to connect whereby it would just time-out each time.
The exact same thing happened to me when I was using the stock TP-Link firmware too.
After a bit of frustration, it turns out it was the Windows firewall blocking the OpenVPN client, even after setting the TAP adapter profile to Private.
I had to allow the OpenVPN daemon openvpn.exe through the firewall. My Windows 10 clients work fine now too.
Posted: Tue Oct 15, 2019 4:15 Post subject: Able to VPN to router, but cannot reach PC behind the router
Thank you for the guidelines for setting up the OpenVPN server on DD-WRT. I followed them and was able to connect to the VPN from another Internet IP via the OpenVPN client, and got the VPN IP address (192.168.60.2). I can even ping the internal IP address of the router (192.168.1.1), but I cannot access or ping any of the computers (e.g. 192.168.1.10) behind the router. I can go on the Internet when I am connected to the VPN.
I set up the VPN to let me get into services running on computers (192.168.1.XX) behind the router. So please help advise what I have done wrong. At the beginning I simply used push "redirect-gateway def1" but it didn't work, so I added more, but that doesn't work at all either.
Router IP: 192.168.1.1
Subnet Mask: 255.255.255.0
No local DNS is set at Router or DHCP side
Use DNSMasq for DNS - ticked
DHCP-Authoritative - ticked
IPV6 - Disable
VPN server:
Router(TUN)
Network: 192.168.60.0
Netmask: 255.255.255.0
Port: 443
Tunnel Protocol: TCP
Encryption Cipher: AES-256 CBC
Redirect default Gateway: Enable
Allow Client to Client: Enable
Allow duplicate cn: Enable
The rest of settings follow the instruction PDF file.
Additional Config:
ncp-disable
server 192.168.60.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0 vpn_gateway"
push "dhcp-option DNS 192.168.60.1"
client-to-client
Routing Table:
Destination LAN NET   Subnet Mask       Gateway       Flags   Metric   Interface
default               0.0.0.0           58.177.71.1   UG      0        WAN
58.177.71.0           255.255.255.0     *             U       0        WAN
192.168.1.0           255.255.255.0     *             U       0        LAN & WLAN
192.168.60.0          255.255.255.0     *             U       0        tun2
Client1.ovpn:
client
dev tun
proto tcp
remote EXTERNAL_IP 443
nobind
persist-key
persist-tun
remote-cert-tls server
auth-nocache
verb 4
float
tun-mtu 1500
auth SHA256
cipher AES-256-CBC
ca ca.crt
cert client1.crt
key client1.key
Joined: 18 Mar 2014 Posts: 12922 Location: Netherlands
Posted: Tue Oct 15, 2019 12:25 Post subject:
First a remark (which has nothing to do with your problem):
The last four firewall rules are not needed/wrong.
You only need the NAT rule (the first two lines); everything else is taken care of by DD-WRT, so lose them.
Now on to your problem: if you can connect and even have internet via the VPN (you can do a traceroute/tracert to see if traffic really flows via the VPN) and you can reach your router at 192.168.1.1, then you know that you have a successful connection and can have traffic via the VPN.
So the most logical explanation is that other clients you want to reach have a firewall which is preventing traffic from the VPN, normally windows clients only allow traffic from their own subnet.
This post describes the solution that worked for me to get a functional VPN when I got a TLS Error.
Many thanks to egc for sending me input.
Presumed setup: router's subnet (192.168.1.0), the OpenVPN subnet (10.8.0.0)
I have got the following error:
Code:
Oct 20 18:41:56 DD-WRT daemon.err openvpn[1450]: xxx.xxx.xxx.xxx:65147 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Which usually means a network connection error: the client cannot reach your server.
egc took a look at my OpenVPN configuration and it was OK.
Then we should look for something wrong in the network setup.
Things to check:
1. On the client side if your PC is connected to your phone (using as hotspot) do you have normal internet connection?
2. Does your server have an internet connection? Can you ping your server from higher up?
To observe (anyway in my set up):
3. Don't set port forward to 10.8.0.0:1194 in the router with openvpn (this can destroy the communication between subnet 10.8.0.0 to 192.168.1.0).
4. Even though the router uses interface tun2 for OpenVPN, the client config should NOT use "dev tun2". Correct in the client config is "dev tun" (without the trailing 2).
5. A port forward is needed if the OVPN server is running on a secondary router, and of course the port FORWARD has to be set on the primary router pointing to the router's address; but if you place your secondary router in the DMZ of the primary router then you do not need a port forward.
Ex. Main router subnet 192.168.0.0 with DMZ activated on IP 192.168.0.2
Second router with OpenVPN with WAN IP set to 192.168.0.2 and subnet 192.168.1.0 (according to no. 3 above). OpenVPN subnet set to 10.8.0.0
6. If error messages come up concerning reading of the certificates, generate a new set of certificates.
Functional configs:
Client config file:
client
push "route 192.168.1.0 255.255.255.0"
push "block-outside-dns"
dev tun
proto udp4
remote xxx.xxx.xxx.xxx 1194
nobind
persist-key
persist-tun
remote-cert-tls server
resolv-retry infinite
verb 4
float
tun-mtu 1500
auth SHA256
cipher AES-128-GCM
ca ca.crt
cert my.crt
key my.key
Posted: Mon Dec 23, 2019 20:25 Post subject: local access problem
Thanks for the excellent guide egc. I was able to set this up without much difficulty but I have the following issue:
I cannot use Remote desktop or access all of the local network. I witness the following behaviour:
---status: away from home and connect to the vpn server----
1. I go to what's my ip address.com, it tells me that my ip address is the correct static ip assigned to my home network 162.something
2. I open up my network places on the win10 pc, it shows the smart tv that is installed on the remote network at 10.0.0.93.
3. I can for some reason access my synology diskstation on the home network at 192.168.50.115 but nothing else (local router ip 192.168.50.100).
4. I connect my iphone to the vpn using its cellular network I can see my laptop on the same network at 10.0.0.216, i.e. the clients can see each other.
I don't think the networks are bridged/forwarded properly for some reason but I'm an amateur and don't know how to set this up correctly.
I originally had the setting "Redirect default Gateway" enabled, but after reading some comments I changed this to disabled and added the following command **push "route 192.168.50.0 255.255.255.0 vpn_gateway"** into the additional config and then rebooted the router. This did not help. Also I have the following firewall rule:
Joined: 18 Mar 2014 Posts: 12922 Location: Netherlands
Posted: Mon Dec 23, 2019 21:36 Post subject:
Most clients on your network have their own firewall and will not allow any clients from another network.
The VPN clients have the 10.8.0.0 subnet and the local clients have the 192.168.50.0 subnet.
The trick is to adapt the firewall of the local clients to allow incoming traffic from the 10.8.0.0 subnet.
As a test that this is the case just disable the firewall on one of the machines you have difficulty connecting to.
As an alternative you can SNAT the traffic from the OVPN on to the network with this firewall rule:
iptables -t nat -I POSTROUTING -o br0 -s 10.8.0.0/24 -j SNAT --to $(nvram get lan_ipaddr)
Posted: Tue Jan 21, 2020 10:49 Post subject: Subnets & IPs
Hi,
sorry, I do not understand the thing with subnets and IP ranges.
I have the IP range 10.76.0.x for my clients in the LAN.
My router has IP 10.76.0.254.
OpenVPN connections work: if I use 10.8.0.0 for the OpenVPN Server Network and the firewall command, I have Internet access from the OpenVPN client, but I cannot reach all clients in my LAN.
So I changed only the network in Services / VPN to 10.76.100.0; now I can reach all clients, but I have no Internet access, which I can understand, since I have not adjusted the firewall rule.
Joined: 18 Mar 2014 Posts: 12922 Location: Netherlands
Posted: Tue Jan 21, 2020 11:38 Post subject: Re: Subnets & IPs
k3067e3 wrote:
Hi,
sorry, I do not understand the thing with subnets and IP ranges.
I have the IP range 10.76.0.x for my clients in the LAN.
My router has IP 10.76.0.254.
OpenVPN connections work: if I use 10.8.0.0 for the OpenVPN Server Network and the firewall command, I have Internet access from the OpenVPN client, but I cannot reach all clients in my LAN.
So I changed only the network in Services / VPN to 10.76.100.0; now I can reach all clients, but I have no Internet access, which I can understand, since I have not adjusted the firewall rule.
Can you help me with IP issue?
In order to work you have to have 3 different subnets: the router/server, the OpenVPN network and the router/client have to have different subnets.
(I am talking about a routed (TUN) setup; you can set up a bridge (TAP) but that is a different chapter.)
When you have a connection and even internet access via the OpenVPN server (check with traceroute), and so assuming that you have Redirect Default Gateway enabled, there can be a couple of problems. On recent builds (and you have sinned by not telling us your router model and build number) the CVE 14899 patch is blocking this, so disable the patch (in the OpenVPN server GUI); if this is not the case then the client you want to reach has its own firewall and that prevents traffic from the OpenVPN subnet.
So on the client you want to reach, disable or adapt the firewall to allow traffic from the OpenVPN subnet.
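The three-subnet rule above is the kind of thing worth checking mechanically before changing anything on the router. The script below is an added example, not from this thread or from DD-WRT: it does the CIDR arithmetic in plain POSIX sh and reports which pair of subnets collides. It goes a little beyond the thread by handling any prefix length, not just /24; the remote client LAN (192.168.1.0/24) used in the demonstration is an assumption, since the poster never gave it.

```shell
#!/bin/sh
# Added example (not from the thread or from DD-WRT): verify that the three
# subnets of a routed (TUN) OpenVPN setup are pairwise disjoint: the
# server-side LAN, the OpenVPN tunnel network, and the LAN the client sits
# in. If two of them overlap, the client typically keeps a local route for
# that prefix next to the pushed one, and traffic for the remote LAN never
# enters the tunnel.

# Convert a dotted-quad address to a 32-bit integer.
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Return 0 when two CIDR networks (e.g. 10.76.0.0/24 10.8.0.0/24) overlap,
# 1 when they are disjoint.
subnets_overlap() {
    n1=$(ip2int "${1%/*}"); p1=${1#*/}
    n2=$(ip2int "${2%/*}"); p2=${2#*/}
    # Compare both addresses under the shorter of the two prefixes: the
    # larger network contains the smaller one if they agree there.
    p=$p1
    if [ "$p2" -lt "$p" ]; then p=$p2; fi
    if [ "$p" -eq 0 ]; then
        mask=0
    else
        # 4294967295 is 0xFFFFFFFF; the trailing AND keeps it to 32 bits.
        mask=$(( (4294967295 << (32 - p)) & 4294967295 ))
    fi
    [ $(( n1 & mask )) -eq $(( n2 & mask )) ]
}

# Return 0 when router LAN, OpenVPN network and client-side LAN are
# pairwise disjoint; otherwise name each colliding pair and return 1.
# $1 = router LAN, $2 = OpenVPN network, $3 = client-side LAN.
check_vpn_subnets() {
    bad=0
    if subnets_overlap "$1" "$2"; then echo "router LAN $1 overlaps VPN $2"; bad=1; fi
    if subnets_overlap "$1" "$3"; then echo "router LAN $1 overlaps client LAN $3"; bad=1; fi
    if subnets_overlap "$2" "$3"; then echo "VPN $2 overlaps client LAN $3"; bad=1; fi
    if [ "$bad" -eq 0 ]; then echo "all three subnets are distinct"; fi
    return "$bad"
}

# Stand-alone demonstration with the thread's addresses (client LAN assumed).
check_vpn_subnets 10.76.0.0/24 10.76.100.0/24 192.168.1.0/24        # distinct
check_vpn_subnets 10.76.0.0/16 10.76.100.0/24 192.168.1.0/24 || :   # a /16 LAN swallows the VPN
```

The second call shows why the poster's choice works only because the LAN mask is 255.255.255.0: with a /16 LAN the 10.76.100.0 tunnel network would be inside it.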
Posted: Tue Jan 21, 2020 23:09 Post subject: Re: Subnets & IPs
egc wrote:
In order to work you have to have 3 different subnets: the router/server, the OpenVPN network and the router/client have to have different subnets.
(I am talking about a routed (TUN) setup; you can set up a bridge (TAP) but that is a different chapter.)
When you have a connection and even internet access via the OpenVPN server (check with traceroute), and so assuming that you have Redirect Default Gateway enabled, there can be a couple of problems. On recent builds (and you have sinned by not telling us your router model and build number) the CVE 14899 patch is blocking this, so disable the patch (in the OpenVPN server GUI); if this is not the case then the client you want to reach has its own firewall and that prevents traffic from the OpenVPN subnet.
So on the client you want to reach, disable or adapt the firewall to allow traffic from the OpenVPN subnet.
Thank you, it is working now.
Kept my build 41113 on Netgear R9000.
I have router IP 10.76.0.254, subnet 255.255.255.0.
OpenVPN Server Network is 10.76.100.0, subnet 255.255.255.0.
I am a total noob when it comes to networking. I followed your guide to the letter and managed to get OpenVPN started on the router, but the OpenVPN client on my Android wouldn't connect to the router. My setup is ISP gateway -> DD-WRT. I tried DMZ mode on my ISP gateway to no avail. After a long research I had to manually add UDP port 1194 to the firewall. After that the client connected. Might be a good idea to mention this for other noobs who read the guide.
Instead of uploading certificates and keys to the client and referencing them in the config, I added them to the config file. It might be useful to some other noobs if you add this option to your manual. That way only one config file needs to be sent to the client side. Though I suppose it's not a big deal.
I would like to take a moment and recognize your input into this difficult (to me and many others) task. I spent three days going through outdated guides, re-generating certificates, keys and such until I accidentally found your guide. I finally have a VPN tunnel. How exciting. Thank you a lot for this!
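Embedding the certificates and key in the .ovpn, as the poster describes, is done with OpenVPN's inline `<ca>`, `<cert>` and `<key>` blocks. The script below is an added example, not from this thread or from DD-WRT: it takes a client config that references ca.crt, client.crt and client.key as files and writes one self-contained .ovpn. The base config and the PEM files it creates in a temporary directory are constructed placeholders, not real certificates.

```shell
#!/bin/sh
# Added example (not from the thread or from DD-WRT): build a single client
# .ovpn that carries the CA certificate, client certificate and private key
# inline instead of referencing them as separate files. Assumes the base
# config uses the "ca", "cert" and "key" directives.

# Emit one inline block, e.g. <ca> ... </ca>, from a PEM file.
# $1 = tag name (ca, cert or key), $2 = PEM file.
inline_block() {
    printf '<%s>\n' "$1"
    cat "$2"
    printf '</%s>\n' "$1"
}

# Write a unified .ovpn to stdout: every line of the base config except the
# three file references, followed by the inline blocks.
# $1 = base .ovpn, $2 = ca.crt, $3 = client.crt, $4 = client.key.
make_inline_ovpn() {
    # Anchored at line start and followed by whitespace, so directives such
    # as remote-cert-tls or key-direction are left untouched.
    grep -Ev '^[[:space:]]*(ca|cert|key)[[:space:]]' "$1"
    inline_block ca "$2"
    inline_block cert "$3"
    inline_block key "$4"
}

# Constructed sample input (placeholder PEM text, not real key material).
DEMO=$(mktemp -d)
cat > "$DEMO/client.ovpn" <<'EOF'
client
dev tun
proto udp
remote EXTERNAL_IP 1194
remote-cert-tls server
cipher AES-128-CBC
ca ca.crt
cert client.crt
key client.key
EOF
for f in ca.crt client.crt client.key; do
    printf -- '-----BEGIN PLACEHOLDER-----\nCONSTRUCTED %s\n-----END PLACEHOLDER-----\n' "$f" > "$DEMO/$f"
done

# Produce the unified config for the constructed sample.
demo_inline_ovpn() {
    make_inline_ovpn "$DEMO/client.ovpn" "$DEMO/ca.crt" "$DEMO/client.crt" "$DEMO/client.key"
}

# Stand-alone run: write the result with owner-only permissions, since the
# file now contains the private key.
umask 077
demo_inline_ovpn > "$DEMO/client-inline.ovpn"
cat "$DEMO/client-inline.ovpn"
```

The resulting file is the only thing that has to reach the client, but it is also the client's private key, so transfer it over a channel you trust and delete copies you no longer need.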
Posted: Thu Jan 30, 2020 15:07 Post subject: openVPN on DD-WRT v3.0-r41791 mega (12/24/19)
Can somebody confirm whether OpenVPN works or not on DD-WRT v3.0-r41791 mega (12/24/19)?
I have a WRT600N and it does not seem to work, whereas the same config works on another router using build r40559.
OpenVPN does not even seem to start on the new build, as I can't open the status page and no connection can be made.
If you know a newer build that works with openVPN also please let me know.