Joined: 18 Mar 2014 Posts: 12839 Location: Netherlands
Posted: Thu Jan 30, 2020 15:33 Post subject:
I have not tried all builds but you should look in the build threads.
All recent builds work for me (Broadcom R6400 and Atheros R7800) but I do not have your router, so research the build threads.
Chances are you made a mistake in setup; if the OVPN does not start it is a serious mistake, so start with reviewing your keys/certs.
Otherwise open a new thread and post pictures of your settings.
what can be wrong when the same certificates were used on another router with no issues?
There are no errors in the logs either:
Code:
Jan 31 00:02:23 DD-WRT user.info syslog: openvpn : OpenVPN daemon (Server) starting/restarting...
Jan 31 00:02:23 DD-WRT daemon.warn openvpn[1510]: NOTE: debug verbosity (--verb 7) is enabled but this build lacks debug support.
Jan 31 00:02:23 DD-WRT daemon.warn openvpn[1510]: WARNING: Using --management on a TCP port WITHOUT passwords is STRONGLY discouraged and considered insecure
Jan 31 00:02:23 DD-WRT daemon.notice openvpn[1510]: Current Parameter Settings:
Jan 31 00:02:23 DD-WRT daemon.notice openvpn[1510]: config = '/tmp/openvpn/openvpn.conf'
Jan 31 00:02:23 DD-WRT daemon.notice openvpn[1510]: mode = 1
Jan 31 00:02:23 DD-WRT daemon.notice openvpn[1510]: NOTE: --mute triggered...
Jan 31 00:02:23 DD-WRT daemon.notice openvpn[1510]: 231 variation(s) on previous 3 message(s) suppressed by --mute
Jan 31 00:02:23 DD-WRT daemon.notice openvpn[1510]: OpenVPN 2.4.8 mipsel-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Dec 29 2019
Jan 31 00:02:23 DD-WRT daemon.notice openvpn[1510]: library versions: OpenSSL 1.1.1d 10 Sep 2019, LZO 2.09
Jan 31 00:02:23 DD-WRT daemon.notice openvpn[1515]: MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:14
Jan 31 00:02:23 DD-WRT daemon.warn openvpn[1515]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Posted: Sat Feb 01, 2020 23:32 Post subject: Madness in new build
Was having NAT loopback issues in my last Kong build, obviously couldn't update as he's retired, so I got fed up trying to get it to work, did a 30/30/30 reset and installed the BS build on my R7000
DD-WRT v3.0-r42174 std (01/30/20)
Reprogrammed everything from scratch, including making new certs after updating OVPN on the PC etc.
All worked perfectly regarding NAT loopback and I was happy until I tried the OVPN.
Read both your guides, VPN and troubleshooting; my iptables outputs are perfect like your descriptions, and compared to my old config (apart from new features) everything was the same.
Tried the original Firewall as before:
iptables -t nat -A POSTROUTING -o $(get_wanface) -j MASQUERADE
The above doesn't get me internet on any client so I'm using this instead which gets me it:
The only other setting I have is interface=tun2, but this is late on in your guide, after the part about if you DON'T use Redirect Default Gateway; I do, and client to client too.
So my issue (on clients) is I can only hit the router in terms of client to client, in other words I can hit only 192.168.49.254 (DDWRT) but not any other LAN devices.
Spent most of the day mucking around, killing Google!
What I found hence the subject name is if I go to Setup, advanced routing, I have op mode: gateway (correct), dynamic routing int: disable
My R7000 is behind ISP hub in "modem mode" plugged into R7000 WAN port so I don't believe I've ever used dynamic routing interface in any of the available modes, tell me if I am wrong there please.
So anyway, in trying anything/everything I switched it on, tried various different advanced routing options, and whenever I would touch it the OVPN clients all get internet and full LAN machine access.
However I discovered on a reboot, the full LAN machine access doesn't work again, just internet and router IP access.
So where I am at, I have dynamic routing int: disable.
To get full OVPN client internet & full LAN machine access (AFTER a ddwrt restart) I go to the advanced routing page, don't change a SINGLE thing, but click on Apply settings and bang my LAN clients are accessible!!!
Joined: 18 Mar 2014 Posts: 12839 Location: Netherlands
Posted: Sun Feb 02, 2020 7:35 Post subject:
First, 30/30/30 is not recommended on Broadcom ARM routers; to do a full reset, telnet to your router and do:
Code:
nvram erase && reboot
As you may have been tinkering with your router a lot trying to solve this, it might not hurt to do that reset and put settings in manually.
Not being able to connect to your clients on the VPN server is probably due to the CVE 14899 patch.
In the OVPN GUI disable "CVE-2019-14899 Mitigation" which is the second item.
Save/Apply and Reboot
Download the latest guide and read up on the subject
I am very interested why the POSTROUTING rule using get_wanface does not work for you, as it is supposed to work in all cases where you have a WAN interface (this in contrast to the formerly used nvram get wan_ifname or nvram get wan_iface).
Can you send me the output of the following commands:
nvram get wan_iface
nvram get wan_ifname
get_wanface
echo WAN_IF="$(route -n | awk '/^0.0.0.0/{wif=$NF} END {print wif}')"
I thought what I did was the 30/30/30 method as I followed a post about going from Kong to BS, what I actually did was from a SSH session issued one at a time:-
erase nvram
reboot
Then as router was factory defaulted it asked for first time PW, I then flashed the bin BS file with option to reset to default.
After that again enter new first time PW and started the set up again!
Okay, so to double check this morning I am doing your tests; here I have changed the FW cmd back to the following so you can see both tests:-
TEST ONE:
iptables -t nat -A POSTROUTING -o $(get_wanface) -j MASQUERADE
1. Rebooted.
2. Connected with Android OVPN client, NO internet, NO LAN IPs (except 192.168.49.254).
3. Hit apply settings in Advanced Routing (no changes made).
4. Disconnect Android OVPN client then reconnect, NO internet, ALL LAN IPs.
Outputs of TEST ONE:
A. nvram get wan_iface = vlan2
B. nvram get wan_ifname = vlan2
C. get_wanface = vlan2
D. echo WAN_IF="$(route -n | awk '/^0.0.0.0/{wif=$NF} END {print wif}')" = WAN_IF=vlan2
Quote:
Not being able to connect to your clients on the VPN server is probably due to the CVE 14899 patch.
In the OVPN GUI disable "CVE-2019-14899 Mitigation" which is the second item.
Save/Apply and Reboot
Just tried this and perfect there is no need for me to press the APPLY SETTING button in advanced routing!
Woohoo!
I know this was a patch to stop a security hole; is there another work-around or do you think something is broken in the build? Or is it one of those security issues that are so unlikely, like the SHA1 potential security hole that requires a supercomputer!!
I mentioned in the original post about the interface=tun2, do I need that still as I am not using any PBR and AM using Redirect Default Gateway?
Also interested to see other people's DNSMASQ radio buttons and basic page including DHCP settings, as I USED to include the router IP as the 1st DNS server, then 1.1.1.1, then 1.0.0.1 (cleaner than 8.8.8.), but I see advice that the whole section should be turned off!
I would like to take a moment and recognize your input in to this difficult (to me and many others) task. I spent three days going through outdated guides, re-generating certificates, keys and such until I accidentally found your guide. I finally have a VPN tunnel. How exciting. Thank you a lot for this!
Damn right EGC is a legend!
And thanks TetraHydro for your little tip ref tokens within OVPN files.
The command to reset has changed; it is: nvram erase and not erase nvram.
So really you should do: nvram erase && reboot
Both postrouting rules do the same as they MASQUERADE over vlan2 so there should be no difference between them.
Do not forget to disable the CVE 14899 mitigation patch or you will not be able to connect to your LAN clients.
Edit: BS has been tinkering with startup sequence so it is possible that startup is not in the right order and you have to Save/Apply on the OVPN page without changing anything, I will look into it
Okay it wasn't too old a thread that I copied, but anyway it must have erased the nvram as I said it prompted me for fresh PW and it was back to factory.
It works now with CVE 14899 disabled so I am reluctant to muck around with it for now!
I reckon pressing apply in advanced routing basically was reloading/starting a service and that was why it was working; however, without the CVE 14899 mitigation running I don't have to.
Quote:
Do not forget to disable the CVE 14899 mitigation patch or you will not be able to connect to your LAN clients.
don't make no nevermind on the EA8500 --- I have it enabled
just masquerade the ovpn server net
example: if 10.8.0.0/24 is the ovpn server network
firewall:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE
should also have interface=tun2 in 'Additional Dnsmasq Options' if you want to use local DNS while connected to the ovpn server
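To tie egc's WAN-interface check above (nvram get / get_wanface / the route -n one-liner) to the two MASQUERADE variants in this thread, here is a small offline checker. It is an added example, not code from the thread or from DD-WRT; the `route -n` and `iptables-save -t nat` text it parses is constructed (vlan2 and 192.168.49.0/24 as in the posts, 10.8.0.0/24 as in mrjcd's example, 203.0.113.1 as a placeholder gateway).

```shell
#!/bin/sh
# Added example (not from this thread or DD-WRT). Reads constructed text in the
# shape of `route -n` and `iptables-save -t nat` output and answers the two
# questions debated above: which interface is the WAN, and is there a
# MASQUERADE rule that lets OpenVPN clients reach the internet?

# Constructed sample of `route -n` on a DD-WRT router: default route via the
# ISP hub on vlan2, VPN net on tun2, LAN on br0. 203.0.113.1 is a placeholder.
ROUTE_SAMPLE='Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         203.0.113.1     0.0.0.0         UG    0      0        0 vlan2
10.8.0.0        0.0.0.0         255.255.255.0   U     0      0        0 tun2
192.168.49.0    0.0.0.0         255.255.255.0   U     0      0        0 br0'

# Constructed nat tables: one with both rules seen in the thread, one with only
# mrjcd's subnet rule.
NAT_BOTH='*nat
-A POSTROUTING -o vlan2 -j MASQUERADE
-A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE
COMMIT'
NAT_SUBNET_ONLY='*nat
-A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE
COMMIT'

# Same logic as egc's one-liner: interface of the last default (0.0.0.0) route.
wan_if_from_route() {
    printf '%s\n' "$1" | awk '/^0\.0\.0\.0/ {wif=$NF} END {print wif}'
}

# Count POSTROUTING MASQUERADE rules carrying the given match, e.g. "-o vlan2"
# or "-s 10.8.0.0/24". The trailing space keeps "vlan2" from matching "vlan20".
masq_rules_matching() {
    printf '%s\n' "$1" | grep '^-A POSTROUTING ' | grep -- '-j MASQUERADE' \
        | grep -c -F -- "$2 " || true
}

# Prints ok-wan (masquerade on WAN egress, the guide's rule), ok-subnet
# (masquerade of the VPN subnet, mrjcd's rule) or missing.
vpn_nat_status() {
    nat="$1"; wanif="$2"; subnet="$3"
    if [ "$(masq_rules_matching "$nat" "-o $wanif")" -gt 0 ]; then echo ok-wan
    elif [ "$(masq_rules_matching "$nat" "-s $subnet")" -gt 0 ]; then echo ok-subnet
    else echo missing
    fi
}

WAN_IF=$(wan_if_from_route "$ROUTE_SAMPLE")
echo "WAN_IF=$WAN_IF"
echo "nat with both rules: $(vpn_nat_status "$NAT_BOTH" "$WAN_IF" 10.8.0.0/24)"
echo "nat with subnet rule only: $(vpn_nat_status "$NAT_SUBNET_ONLY" "$WAN_IF" 10.8.0.0/24)"
```

On a real router you would feed it `route -n` and `iptables-save -t nat` output instead of the constructed samples.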
Hiya MrJCD
Are you suggesting trying that FW cmd (yes, that is my oVPN range) as an addition to my earlier FW cmds (currently using the 2 lines of EGC's recommendation, not the 1-liner)?
Is the suggestion as a work around with the CVE 14899 patch having to be "disabled" on my environment?
And yes I do indeed have interface=tun2 enabled in my DNSmasq options mate.
Joined: 18 Mar 2014 Posts: 12839 Location: Netherlands
Posted: Sun Feb 02, 2020 12:17 Post subject:
I edited my last post but it maybe crossed.
I just checked 42132 and that build had trouble starting the OVPN server on reboot, I had to Apply on the OVPN GUI page to start the server.
The latest build 42174 seems to start on reboot.
Regarding the CVE patch, that is why I wrote in my earlier post:
Quote:
Download the latest guide and read up on the subject
When the patch was first introduced there was no option to disable it, I have devised some workarounds (like the one @mrjcd is using) but those also can have drawbacks.
I personally have the patch disabled but I know @mrjcd does dangerous things and wants the utmost safety.
( Just kidding, he is a highly valued forum member )
I'll give these another read tomorrow as I'm off down the pub!
Anyway, I could probably recite most of the guides I originally referenced after a loooonnngg time double checking but RTFM and all that so I will double check gents.
Posted: Sun Feb 02, 2020 15:33 Post subject: OPENVPN Routing issue
I went through the OpenVPN server setup guide and when I applied all the settings none of my devices were able to browse the internet. I only want to use the VPN for when I am on a public WiFi and not for every home device. I had set up a VPN in the past using one of the referenced guides but they had the routes configured differently. What should my configuration look like? I am using Firmware: DD-WRT v3.0-r42132 std (01/28/20) on a Netgear WNDR4300 router.
Thank you.