OpenVPN Server Setup guide

DD-WRT Forum Index -> Advanced Networking, page 8 of 12 (all times are GMT)
egc (DD-WRT Guru; Joined: 18 Mar 2014; Posts: 12837; Location: Netherlands)
Posted: Tue Oct 08, 2019 18:48
Ok we are getting there.

You are using an older build which does not have the new encryption ciphers.
On the server the encryption cipher is AES-128-CBC
So on the client (in the clientx.ovpn) also use:
Code:
cipher AES-128-CBC
and not the AES-128-GCM cipher.

This will get rid of the AEAD error and HMAC error and you should be able to connect and ping to your network.

But for the internet connection you need the second rule:
Quote:
WAN_IF="$(route -n | awk '/^0.0.0.0/{wif=$NF} END {print wif}')"
iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o $WAN_IF -j MASQUERADE


As far as I can tell you are using ADSL and have a PPPoE connection, and in recent builds the name of the VLAN interface is not updated. I was suspecting as much, but you have now confirmed it, thanks.

Regarding LZO compression: it is not safe and will be deprecated. Besides, although it seems a good thing that you can squeeze more through the pipe, it actually does not work: the compression/decompression takes away valuable CPU cycles, so the net result on these little routers is 0.

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
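Added example (not from the thread, not DD-WRT code): a shell check that a client .ovpn and the server agree on cipher, auth, protocol family and port before the first connection attempt, which is exactly the AEAD/HMAC situation above. The DD-WRT GUI stores its settings elsewhere, so the server side is written here as the OpenVPN directives the GUI fields correspond to; both configs and the hostname vpn.example.invalid are constructed for the example.

```sh
#!/bin/sh
# Added example, not code from the thread or from DD-WRT.
# Cross-check a server config fragment against a client .ovpn for the settings
# that must agree: cipher, auth, proto family and port. With ncp-disable on the
# server there is no cipher negotiation, so a GCM client against a CBC server
# gets the AEAD/HMAC errors discussed above instead of a tunnel.

# Server side, written as the OpenVPN directives the GUI fields map to (constructed)
SERVER_CONF='ncp-disable
server 10.8.0.0 255.255.255.0
port 1194
proto udp
cipher AES-128-CBC
auth SHA256
push "route 192.168.1.0 255.255.255.0 vpn_gateway"'

# Client profile with the mismatch from the thread: GCM against a CBC server (constructed)
CLIENT_OVPN='client
dev tun
proto udp4
remote vpn.example.invalid 1194
nobind
remote-cert-tls server
auth SHA256
cipher AES-128-GCM'

# conf_get CONFIG KEY -> value of the first line starting with KEY ("" if absent)
conf_get() {
    printf '%s\n' "$1" | awk -v k="$2" '$1 == k { print $2; exit }'
}

# proto_family NAME -> udp or tcp (client profiles often say udp4/udp6/tcp-client)
proto_family() {
    case "$1" in
        udp*) echo udp ;;
        tcp*) echo tcp ;;
        *)    echo "$1" ;;
    esac
}

# client_port CLIENT_OVPN -> port from the "remote host [port]" line, 1194 if omitted
client_port() {
    printf '%s\n' "$1" | awk '$1 == "remote" { print ($3 == "" ? 1194 : $3); exit }'
}

# check_pair SERVER_CONF CLIENT_OVPN -> prints one MISMATCH line per disagreement
# and returns 1, or prints OK and returns 0
check_pair() {
    srv="$1"; cli="$2"; bad=0
    for key in cipher auth; do
        s=$(conf_get "$srv" "$key"); c=$(conf_get "$cli" "$key")
        if [ "$s" != "$c" ]; then
            echo "MISMATCH $key: server=$s client=$c"; bad=$((bad + 1))
        fi
    done
    s=$(proto_family "$(conf_get "$srv" proto)")
    c=$(proto_family "$(conf_get "$cli" proto)")
    if [ "$s" != "$c" ]; then
        echo "MISMATCH proto: server=$s client=$c"; bad=$((bad + 1))
    fi
    s=$(conf_get "$srv" port); c=$(client_port "$cli")
    if [ "$s" != "$c" ]; then
        echo "MISMATCH port: server=$s client=$c"; bad=$((bad + 1))
    fi
    if [ "$bad" -eq 0 ]; then
        echo "OK: cipher, auth, proto and port agree"
        return 0
    fi
    return 1
}

# fix_client_cipher CLIENT_OVPN CIPHER -> the profile with its cipher line replaced
fix_client_cipher() {
    printf '%s\n' "$1" | sed "s/^cipher .*/cipher $2/"
}

# Stand-alone run: report the mismatch, then show the corrected profile passing
check_pair "$SERVER_CONF" "$CLIENT_OVPN" || echo "-> change the client to: cipher $(conf_get "$SERVER_CONF" cipher)"
check_pair "$SERVER_CONF" "$(fix_client_cipher "$CLIENT_OVPN" AES-128-CBC)"
```

Run it as a script: it prints the single cipher mismatch for the profiles above together with the line to change, then the OK result for the corrected profile. With ncp-disable on the server there is nothing to negotiate, so a client that asks for a different cipher never gets a working data channel, whatever the TLS handshake says.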

Zoot7 (DD-WRT Novice; Joined: 07 Oct 2019; Posts: 6)
Posted: Tue Oct 08, 2019 19:06
Okay, the addition of the 2nd rule in the firewall settings and changing the cipher in the client config seems to have worked.

I now have a working VPN connection on my phone on the cellular 4G network! I can talk to my server and the router GUI once again.

Thank you ever so much for your help. I'd have been lost without it.

Zoot7 (DD-WRT Novice; Joined: 07 Oct 2019; Posts: 6)
Posted: Thu Oct 10, 2019 7:29
Another issue I had up until last night, just in case it helps anyone else reading this thread.

I could connect to the server just fine from the Android client on the LAN and outside it.

However with clients running on Windows 10 if I put any other IP address in the client config file other than 192.168.0.1 (the ip of the router) such as 10.8.0.1 or the router WAN IP, it would fail to connect whereby it would just time-out each time.

The exact same thing happened to me when I was using the stock TP-Link firmware too.

After a bit of frustration, it turns out it was the Windows firewall blocking the OpenVPN client, even after setting the TAP adapter profile to Private.

I had to allow the OpenVPN daemon openvpn.exe through the firewall. My Windows 10 clients work fine now too.

Just in case anyone else has this issue.

testaaa (DD-WRT Novice; Joined: 17 Sep 2016; Posts: 4)
Posted: Tue Oct 15, 2019 4:15
Subject: Able to VPN to router, but cannot reach PC behind the router
Thank you for the guidelines on setting up the OpenVPN server on DD-WRT. I followed them and am able to connect to the VPN from another internet IP via the OpenVPN client, and get the VPN IP address (192.168.60.2). I can even ping the internal IP address of the router (192.168.1.1), but I cannot access or ping any computers (e.g. 192.168.1.10) belonging to the router. I can go on the internet when I am connected to the VPN.

I set up the VPN to enable me to get into services running on computers (192.168.1.XX) under the router. So please help advise what I have done wrong. At the beginning I just simply used push "redirect-gateway def1" but it doesn't work, so I further added more but it also doesn't work at all.

Please help. Thanks!!

==============================

Here are the details:

Router: TP Link Archer C9 v1
Firmware: DD-WRT v3.0-r40559 std (08/06/19)

Router IP: 192.168.1.1
Subnet Mask: 255.255.255.0
No local DNS is set at Router or DHCP side
Use DNSMasq for DNS - ticked
DHCP-Authoritative - ticked
IPV6 - Disable

VPN server:
Router(TUN)
Network: 192.168.60.0
Netmask: 255.255.255.0
Port: 443
Tunnel Protocol: TCP
Encryption Cipher: AES-256 CBC
Redirect default Gateway: Enable
Allow Client to Client: Enable
Allow duplicate cn: Enable
The rest of settings follow the instruction PDF file.

Additional Config:
ncp-disable
server 192.168.60.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0 vpn_gateway"
push "dhcp-option DNS 192.168.60.1"
client-to-client

Firewall commands:
WAN_IF="$(route -n | awk '/^0.0.0.0/{wif=$NF} END {print wif}')"
iptables -t nat -I POSTROUTING -s 192.168.60.0/24 -o $WAN_IF -j MASQUERADE
iptables -I INPUT 1 -p tcp --dport 443 -j ACCEPT
iptables -I FORWARD 1 --source 192.168.60.0/24 -j ACCEPT

iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT

Routing Table:
Destination LAN NET   Subnet Mask      Gateway       Flags   Metric   Interface
default               0.0.0.0          58.177.71.1   UG      0        WAN
58.177.71.0           255.255.255.0    *             U       0        WAN
192.168.1.0           255.255.255.0    *             U       0        LAN & WLAN
192.168.60.0          255.255.255.0    *             U       0        tun2

Client1.ovpn:
client
dev tun
proto tcp
remote EXTERNAL_IP 443
nobind
persist-key
persist-tun
remote-cert-tls server
auth-nocache
verb 4
float
tun-mtu 1500
auth SHA256
cipher AES-256-CBC
ca ca.crt
cert client1.crt
key client1.key

egc (DD-WRT Guru; Joined: 18 Mar 2014; Posts: 12837; Location: Netherlands)
Posted: Tue Oct 15, 2019 12:25
First a remark (which has nothing to do with your problem):
The last four firewall rules are not needed/wrong.

You only need the NAT rule (the first two lines); everything else is taken care of by DD-WRT, so lose them.

Now on to your problem: if you can connect and even have internet via the VPN (you can do a traceroute/tracert to see if traffic really flows via the VPN) and you can reach your router at 192.168.1.1, then you know that you have a successful connection and can have traffic via the VPN.

So the most logical explanation is that the other clients you want to reach have a firewall which is preventing traffic from the VPN; normally Windows clients only allow traffic from their own subnet.

So as a test, disable the firewall on the clients you want to reach.


ddwrt28143 (DD-WRT Novice; Joined: 23 Sep 2019; Posts: 1)
Posted: Tue Oct 22, 2019 9:25
This post describes the solution that worked for me to get a functional VPN when I got a TLS error.
Many thanks to egc for sending me input.

Presumed setup: the router's subnet (192.168.1.0), the OpenVPN subnet (10.8.0.0)
I got the following error:
Code:
Oct 20 18:41:56 DD-WRT daemon.err openvpn[1450]: xxx.xxx.xxx.xxx:65147 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)

which usually means a network connection error: the client cannot reach your server.

egc took a look at my OpenVPN configuration and it was OK.

Then we should look for something wrong in the network setup.
Things to check:
1. On the client side, if your PC is connected to your phone (used as a hotspot), do you have a normal internet connection?
2. Does your server have an internet connection? Can you ping your server from higher up?

To observe (anyway in my setup):
3. Don't set a port forward to 10.8.0.0:1194 in the router with OpenVPN (this can destroy the communication between subnet 10.8.0.0 and 192.168.1.0).
4. Even though the router uses interface tun2 for OpenVPN, the client config should NOT use "dev tun2". Right in the client config is "dev tun" (without the trailing 2).
5. A port forward is needed if the OVPN server is running on a secondary router, and of course the port forward has to be set on the primary router pointing to the router's address; but if you place your secondary router in the DMZ of the primary router then you do not need a port forward.
Ex. Main router subnet 192.168.0.0 with DMZ activated on IP 192.168.0.2
Second router with OpenVPN with WAN IP set to 192.168.0.2 and subnet 192.168.1.0 (according to no. 3 above). OpenVPN subnet set to 10.8.0.0
6. If error messages come concerning reading of the certificates, generate a new set of certificates.

Functional configs:
Client config file:
client
push "route 192.168.1.0 255.255.255.0"
push "block-outside-dns"
dev tun
proto udp4
remote xxx.xxx.xxx.xxx 1194
nobind
persist-key
persist-tun
remote-cert-tls server
resolv-retry infinite
verb 4
float
tun-mtu 1500
auth SHA256
cipher AES-128-GCM
ca ca.crt
cert my.crt
key my.key

Server Additional config (just 1 row)
ncp-disable

BretG57 (DD-WRT Novice; Joined: 07 Dec 2019; Posts: 24)
Posted: Mon Dec 23, 2019 20:25
Subject: local access problem
Thanks for the excellent guide egc. I was able to set this up without much difficulty but I have the following issue:

I cannot use Remote desktop or access all of the local network. I witness the following behaviour:

---status: away from home and connect to the vpn server----
1. I go to what's my ip address.com, it tells me that my ip address is the correct static ip assigned to my home network 162.something
2. I open up my network places on the win10 pc, it shows the smart tv that is installed on the remote network at 10.0.0.93.
3. I can for some reason access my synology diskstation on the home network at 192.168.50.115 but nothing else (local router ip 192.168.50.100).
4. I connect my iphone to the vpn using its cellular network I can see my laptop on the same network at 10.0.0.216, i.e. the clients can see each other.

I don't think the networks are bridged/forwarded properly for some reason but I'm an amateur and don't know how to set this up correctly.

I originally had the setting "Redirect default Gateway" enabled, but after reading some comments I changed this to disabled and added the following command **push "route 192.168.50.0 255.255.255.0 vpn_gateway"** into the additional config and then rebooted the router. This did not help. Also I have the following firewall rule:

WAN_IF="$(route -n | awk '/^0.0.0.0/{wif=$NF} END {print wif}')"
iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o $WAN_IF -j MASQUERADE

I'm using a new build, 41686 on a wrt1900AC v1.

Thanks for any help

-Bret

egc (DD-WRT Guru; Joined: 18 Mar 2014; Posts: 12837; Location: Netherlands)
Posted: Mon Dec 23, 2019 21:36
Most clients on your network have their own firewall and will not allow any clients from another network.
The VPN clients have the 10.8.0.0 subnet and the local clients have the 192.168.50.0 subnet.

The trick is to adapt the firewall of the local clients to allow incoming traffic from the 10.8.0.0 subnet.

As a test that this is the case just disable the firewall on one of the machines you have difficulty connecting to.

As an alternative you can SNAT the traffic from the OVPN on to the network with this firewall rule:
iptables -t nat -I POSTROUTING -o br0 -s 10.8.0.0/24 -j SNAT --to $(nvram get lan_ipaddr)

I have the instructions to tweak the Windows firewall here somewhere and can look them up if you need them (something like: set a new incoming rule, set scope to allow local IP access from the OVPN subnet)

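Added example (not from the thread, not DD-WRT code): the firewall lines above, built by functions so they can be reviewed off the router before being pasted into the Firewall commands box. wan_if is the thread's own awk run over `route -n`; nat_rules emits the MASQUERADE rule and, only when a LAN address is given, the SNAT alternative from this post. The two routing tables are constructed; the interface names vlan2, ppp0, br0 and tun2 and the address 203.0.113.1 are illustrative.

```sh
#!/bin/sh
# Added example, not code from the thread or from DD-WRT.
# Build (do not apply) the NAT rules discussed above: MASQUERADE out of the WAN
# for internet access, and the optional SNAT onto br0 that makes VPN traffic
# look like it comes from the router's own LAN address. The route tables are
# constructed; the first mirrors a router whose WAN is vlan2, the second a PPPoE
# line where the default route sits on ppp0.

ROUTE_VLAN='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         203.0.113.1     0.0.0.0         UG    0      0        0 vlan2
10.8.0.0        0.0.0.0         255.255.255.0   U     0      0        0 tun2
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
203.0.113.0     0.0.0.0         255.255.255.0   U     0      0        0 vlan2'

ROUTE_PPPOE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 ppp0
10.8.0.0        0.0.0.0         255.255.255.0   U     0      0        0 tun2
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
203.0.113.1     0.0.0.0         255.255.255.255 UH    0      0        0 ppp0'

# wan_if: `route -n` text on stdin -> interface of the last default route.
# This is the awk from the firewall snippet in the thread; on the router it is
# fed by `route -n` itself.
wan_if() {
    awk '/^0.0.0.0/ { wif = $NF } END { print wif }'
}

# nat_rules VPN_SUBNET WAN_IF [LAN_IP] -> the iptables commands as text.
# Refuses an empty WAN_IF: with no interface the rule does not load at boot
# and VPN clients silently end up without internet.
nat_rules() {
    vpn="$1"; wan="$2"; lan_ip="$3"
    if [ -z "$wan" ]; then
        echo "error: no default route found, cannot pick a WAN interface" >&2
        return 1
    fi
    printf 'iptables -t nat -I POSTROUTING -s %s -o %s -j MASQUERADE\n' "$vpn" "$wan"
    # SNAT onto the LAN only when asked for: it lets LAN hosts whose firewall
    # trusts only their own subnet answer, at the cost of hiding which VPN
    # client actually connected (their logs will show the router's address).
    if [ -n "$lan_ip" ]; then
        printf 'iptables -t nat -I POSTROUTING -s %s -o br0 -j SNAT --to %s\n' "$vpn" "$lan_ip"
    fi
}

# Stand-alone run against the constructed tables. On the router the same reads:
#   WAN_IF="$(route -n | wan_if)"
#   nat_rules 10.8.0.0/24 "$WAN_IF" "$(nvram get lan_ipaddr)" | sh
echo "WAN on a VLAN line:  $(printf '%s\n' "$ROUTE_VLAN" | wan_if)"
echo "WAN on a PPPoE line: $(printf '%s\n' "$ROUTE_PPPOE" | wan_if)"
nat_rules 10.8.0.0/24 "$(printf '%s\n' "$ROUTE_PPPOE" | wan_if)" 192.168.1.1
```

The PPPoE table shows why the interface is looked up rather than hard-coded: the MASQUERADE rule must name ppp0 there, not the VLAN the GUI may still display. The SNAT variant is convenient but it hides the real VPN client address from LAN hosts: their logs and any per-source rules see only the router, so per-client access control on the LAN is lost.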

k3067e3 (DD-WRT Novice; Joined: 18 Jul 2012; Posts: 15)
Posted: Tue Jan 21, 2020 10:49
Subject: Subnets & IPs
Hi,

sorry, I do not understand the thing with subnets and IP ranges.

I have the IP range 10.76.0.x for my clients in the LAN.
My router has IP 10.76.0.254.

OpenVPN connections work if I use 10.76.0.0 for the OpenVPN server network, and with the firewall command I have internet access from the OpenVPN client, but I cannot reach all clients in my LAN.

So I changed only the network in Services / VPN to 10.76.100.0; now I can reach all clients, but I have no internet access, which I can understand, since I have not adjusted the firewall rule.

Can you help me with the IP issue?

egc (DD-WRT Guru; Joined: 18 Mar 2014; Posts: 12837; Location: Netherlands)
Posted: Tue Jan 21, 2020 11:38
Subject: Re: Subnets & IPs
k3067e3 wrote: (question quoted in full above)

In order to work you have to have 3 different subnets: the router/server, the OpenVPN network and the router/client have to have different subnets.
(I am talking about a routed (TUN) setup; you can set up as a bridge (TAP) but that is a different chapter.)

When you have a connection and even internet access via the OpenVPN server (check with traceroute), and so assuming that you have Redirect Default Gateway enabled, there can be a couple of problems. On recent builds (and you have sinned by not telling us your router model and build number) the CVE 14899 patch is blocking this, so disable the patch (in the OpenVPN server GUI); if this is not the case then the client you want to reach has its own firewall and that prevents traffic from the OpenVPN subnet.
So on the client you want to reach, disable or adapt the firewall to allow traffic from the OpenVPN subnet.

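Added example (not from the thread, not DD-WRT code): a plan check for the three-subnet rule above, done in plain shell arithmetic so it runs anywhere, including on the router. The server LAN, the OpenVPN network and the LAN the client sits in are compared pairwise and any overlap is reported. All addresses are constructed; the client LAN 192.168.0.0/24 is an assumed typical home network.

```sh
#!/bin/sh
# Added example, not code from the thread or from DD-WRT.
# A routed (TUN) setup needs three distinct subnets: the server's LAN, the
# OpenVPN tunnel network, and the LAN the client is sitting in. These helpers
# do the mask arithmetic in plain shell and flag any pair that collides.
# All addresses below are constructed for the example.

# ip2int A.B.C.D -> the address as a 32-bit integer
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# mask2int MASK -> integer mask; MASK may be dotted (255.255.255.0) or a prefix
# length 1..32 (24)
mask2int() {
    case "$1" in
        *.*) ip2int "$1" ;;
        *)   echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF )) ;;
    esac
}

# overlap NET1 MASK1 NET2 MASK2 -> true (exit 0) when the networks share addresses.
# Two networks overlap exactly when they agree under the shorter of the two masks.
overlap() {
    n1=$(ip2int "$1"); m1=$(mask2int "$2")
    n2=$(ip2int "$3"); m2=$(mask2int "$4")
    m=$(( m1 & m2 ))
    [ $(( n1 & m )) -eq $(( n2 & m )) ]
}

# check_plan LAN_NET LAN_MASK VPN_NET VPN_MASK CLIENT_NET CLIENT_MASK
# Prints each colliding pair; returns 0 only when all three are distinct.
check_plan() {
    lan_n=$1; lan_m=$2; vpn_n=$3; vpn_m=$4; cli_n=$5; cli_m=$6; rc=0
    if overlap "$lan_n" "$lan_m" "$vpn_n" "$vpn_m"; then
        echo "COLLISION: server LAN $lan_n/$lan_m overlaps VPN network $vpn_n/$vpn_m"; rc=1
    fi
    if overlap "$vpn_n" "$vpn_m" "$cli_n" "$cli_m"; then
        echo "COLLISION: VPN network $vpn_n/$vpn_m overlaps client LAN $cli_n/$cli_m"; rc=1
    fi
    if overlap "$lan_n" "$lan_m" "$cli_n" "$cli_m"; then
        echo "COLLISION: server LAN $lan_n/$lan_m overlaps client LAN $cli_n/$cli_m"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: all three subnets are distinct"
    return $rc
}

# Stand-alone run. First the layout from this thread (server LAN 10.76.0.0/24,
# VPN 10.76.100.0/24) with the client on an assumed 192.168.0.0/24 home LAN.
check_plan 10.76.0.0 255.255.255.0 10.76.100.0 255.255.255.0 192.168.0.0 255.255.255.0
# Then the classic failure: server LAN and client LAN both 192.168.1.0/24, so the
# route the server pushes for 192.168.1.0/24 collides with the client's own subnet.
check_plan 192.168.1.0 255.255.255.0 10.8.0.0 255.255.255.0 192.168.1.0 255.255.255.0 || :
```

The mask may be given either as the dotted form the DD-WRT GUI uses or as a prefix length, so the same check works for a /16 LAN: 10.76.0.0/16 does overlap a 10.76.100.0/24 VPN network even though the /24 versions do not.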

k3067e3 (DD-WRT Novice; Joined: 18 Jul 2012; Posts: 15)
Posted: Tue Jan 21, 2020 23:09
Subject: Re: Subnets & IPs
egc wrote: (reply quoted in full above)

Thank you, it is working now.
Kept my build 41113 on a Netgear R9000.

I have router IP 10.76.0.254, subnet 255.255.255.0

OpenVPN server network is 10.76.100.0, subnet 255.255.255.0

Firewall rule: iptables -t nat -A POSTROUTING -s 10.76.100.0/24 -o $(get_wanface) -j MASQUERADE

With this config I can reach all necessary IPs in my LAN from my OpenVPN client, and I also have an internet connection.

denebe (DD-WRT Novice; Joined: 17 Sep 2008; Posts: 1)
Posted: Wed Jan 22, 2020 3:25
Hello,

I would like to make a try with OpenVPN. I am not sure if my router is modern enough.

It is a Linksys WRT610N v2.

I don't know how much memory the router has; where should I have a look?

Thank you for your help.

TetraHydro (DD-WRT Novice; Joined: 24 Oct 2012; Posts: 7)
Posted: Wed Jan 22, 2020 3:36
EGC,

I am a total noob when it comes to networking. I followed your guide to the letter and managed to get OpenVPN started on the router, but the OpenVPN client on my Android wouldn't connect to the router. My setup is ISP gateway -> dd-wrt. I tried DMZ mode on my ISP gateway to no avail. After a long research I had to manually add UDP port 1194 to the firewall. After that the client connected. Might be a good idea to mention this for other noobs who read the guide.

Instead of uploading certificates and keys to the client and referencing them in the config, I added them to the config file. It might be useful to some other noobs if you add this option to your manual. That way only one config file needs to be sent to the client side. Though I suppose it's not a big deal.

Code:
client
dev tun
proto udp4
remote mydns.domain 1194
nobind
persist-key
persist-tun
remote-cert-tls server
auth-nocache
verb 4
float
tun-mtu 1500
auth SHA256
cipher AES-128-GCM
<ca>
-----BEGIN CERTIFICATE-----
MIIEvTCCA6WgAwIBAgIJAKkRkVTxVEclMA0GCSqGSIb3DQEBCwUAMIGaMQswCQYD
VQQGE
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
MIIE+TCCA+GgAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBmjELMAkGA1UEBhM
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAo
-----END PRIVATE KEY-----
</key>


I would like to take a moment and recognize your input in to this difficult (to me and many others) task. I spent three days going through outdated guides, re-generating certificates, keys and such until I accidentally found your guide. I finally have a VPN tunnel. How exciting. Thank you a lot for this!

I also sent you a PM.
Cheers and thank you again!
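Added example (not from the thread, not DD-WRT code): a small shell tool that produces the single-file profile described above from a base config plus the ca.crt, client certificate and key files, so the <ca>, <cert> and <key> blocks are pasted by the script rather than by hand. The resulting file carries the client's private key, so it is created owner-readable only. The hostname vpn.example.invalid, the file names and the PEM contents written by make_demo_inputs are constructed placeholders, not real certificates or keys.

```sh
#!/bin/sh
# Added example, not code from the thread or from DD-WRT.
# Turn a "base config + ca.crt + client.crt + client.key" profile into one
# .ovpn with the PEM material inlined in <ca>, <cert> and <key> blocks, as in
# the post above. Because the result carries the client's private key it is
# created owner-readable only. The PEM files written by make_demo_inputs are
# placeholders, not real certificates or keys.

# inline_block TAG FILE -> <TAG> ... </TAG> around FILE's contents.
# Refuses anything that is not PEM so a wrong path is caught instead of inlined.
inline_block() {
    tag="$1"; file="$2"
    if ! grep -q -e '-----BEGIN' "$file"; then
        echo "error: $file does not look like a PEM file" >&2
        return 1
    fi
    printf '<%s>\n' "$tag"
    cat "$file"
    printf '</%s>\n' "$tag"
}

# build_inline_ovpn BASE_CONF CA CERT KEY OUT
# Any ca/cert/key path lines in BASE_CONF are dropped so the profile does not
# reference a file and carry an inline block for the same thing. On any error
# the partial output is removed and the function returns 1.
build_inline_ovpn() {
    base="$1"; ca="$2"; cert="$3"; key="$4"; out="$5"
    rm -f "$out"
    (
        umask 077                      # new file is 0600 from the moment it exists
        {
            # grep exits 1 when nothing matched, which is fine; 2 means a missing file
            { grep -Ev '^[[:space:]]*(ca|cert|key)[[:space:]]' "$base" || [ $? -eq 1 ]; } &&
            inline_block ca "$ca" &&
            inline_block cert "$cert" &&
            inline_block key "$key"
        } > "$out"
    ) || { rm -f "$out"; return 1; }
}

# make_demo_inputs DIR -> writes a constructed base config and placeholder PEMs
make_demo_inputs() {
    dir="$1"
    printf '%s\n' client 'dev tun' 'proto udp4' 'remote vpn.example.invalid 1194' \
        nobind 'remote-cert-tls server' 'auth SHA256' 'cipher AES-128-GCM' \
        'ca ca.crt' 'cert my.crt' 'key my.key' > "$dir/base.conf"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIB...placeholder-ca...' \
        '-----END CERTIFICATE-----' > "$dir/ca.crt"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIB...placeholder-cert...' \
        '-----END CERTIFICATE-----' > "$dir/my.crt"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'MIIE...placeholder-key...' \
        '-----END PRIVATE KEY-----' > "$dir/my.key"
}

# Stand-alone demo in a scratch directory
demo_dir=$(mktemp -d)
make_demo_inputs "$demo_dir"
build_inline_ovpn "$demo_dir/base.conf" "$demo_dir/ca.crt" "$demo_dir/my.crt" \
    "$demo_dir/my.key" "$demo_dir/client.ovpn"
cat "$demo_dir/client.ovpn"
ls -l "$demo_dir/client.ovpn"
rm -rf "$demo_dir"
```

Treat the finished .ovpn like the key file it now contains: send it over a channel you trust, and delete any copy left in mail or chat history once the client has imported it.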

egc (DD-WRT Guru; Joined: 18 Mar 2014; Posts: 12837; Location: Netherlands)
Posted: Wed Jan 22, 2020 9:13
I did not include that, as the keys/certs are generated individually, but it certainly is an option and I will make a note of it.

Thanks for bringing it up.

Cheers


fmuntean (DD-WRT Novice; Joined: 30 Jan 2020; Posts: 49)
Posted: Thu Jan 30, 2020 15:07
Subject: openVPN on DD-WRT v3.0-r41791 mega (12/24/19)
Can somebody confirm whether OpenVPN works or not on DD-WRT v3.0-r41791 mega (12/24/19)?
I have a WRT600N and it does not seem to work, whereas the same config works on another router using build r40559.
OpenVPN does not seem to even start on the new build, as I can't open the status page and no connection can be made.

If you know a newer build that works with OpenVPN, please let me know.