OpenVPN Server Setup guide

egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

Posted: Thu Jan 30, 2020 15:33
I have not tried all builds but you should look in the build threads.
All recent builds work for me (Broadcom R6400 and Atheros R7800) but I do not have your router, so research the build threads.

Chances are you made a mistake in setup; if the OVPN does not start it is a serious mistake, start with reviewing your keys/certs.

Otherwise open a new thread and post pictures of your settings.

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
fmuntean
DD-WRT Novice


Joined: 30 Jan 2020
Posts: 49

Posted: Fri Jan 31, 2020 2:07
egc wrote:
I have not tried all builds but you should look in the build threads.
All recent builds work for me (Broadcom R6400 and Atheros R7800) but I do not have your router, so research the build threads.

Chances are you made a mistake in setup; if the OVPN does not start it is a serious mistake, start with reviewing your keys/certs.

Otherwise open a new thread and post pictures of your settings.


What can be wrong when the same certificates were used on another router with no issues?
There are no errors in the logs either:
Code:
Jan 31 00:02:23 DD-WRT user.info syslog: openvpn : OpenVPN daemon (Server) starting/restarting...
Jan 31 00:02:23 DD-WRT daemon.warn openvpn[1510]: NOTE: debug verbosity (--verb 7) is enabled but this build lacks debug support.
Jan 31 00:02:23 DD-WRT daemon.warn openvpn[1510]: WARNING: Using --management on a TCP port WITHOUT passwords is STRONGLY discouraged and considered insecure
Jan 31 00:02:23 DD-WRT daemon.notice openvpn[1510]: Current Parameter Settings:
Jan 31 00:02:23 DD-WRT daemon.notice openvpn[1510]: config = '/tmp/openvpn/openvpn.conf'
Jan 31 00:02:23 DD-WRT daemon.notice openvpn[1510]: mode = 1
Jan 31 00:02:23 DD-WRT daemon.notice openvpn[1510]: NOTE: --mute triggered...
Jan 31 00:02:23 DD-WRT daemon.notice openvpn[1510]: 231 variation(s) on previous 3 message(s) suppressed by --mute
Jan 31 00:02:23 DD-WRT daemon.notice openvpn[1510]: OpenVPN 2.4.8 mipsel-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Dec 29 2019
Jan 31 00:02:23 DD-WRT daemon.notice openvpn[1510]: library versions: OpenSSL 1.1.1d 10 Sep 2019, LZO 2.09
Jan 31 00:02:23 DD-WRT daemon.notice openvpn[1515]: MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:14
Jan 31 00:02:23 DD-WRT daemon.warn openvpn[1515]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
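Two things in the log excerpt above deserve a closer look than "no errors". The daemon itself warns that its management interface is reachable over TCP without a password; that is tolerable only because it is bound to 127.0.0.1, so anyone who can get a shell on the router can drive OpenVPN, but nobody on the LAN or WAN can. More importantly for the question asked, the excerpt never reaches "Initialization Sequence Completed", the line OpenVPN logs once the server is actually up; everything before it is option echo, and --mute has already hidden 231 repeated messages. The script below is an added example, not code from fmuntean's post or from DD-WRT, and its sample log is constructed to mirror the excerpt. It separates the daemon's own lines from the rest of syslog, counts its WARNING lines, extracts where the management socket listens and flags it if it is not loopback, and reports whether the log reached the ready line. Run the full syslog through it (or temporarily drop --mute) before concluding that the certificates are fine.

```shell
#!/bin/sh
# Added example, not code from the thread or from DD-WRT: first-pass triage of
# an OpenVPN server startup log as captured by DD-WRT's syslog.
# OVPN_LOG_SAMPLE is constructed to mirror the excerpt posted above.

OVPN_LOG_SAMPLE='Jan 31 00:02:23 DD-WRT user.info syslog: openvpn : OpenVPN daemon (Server) starting/restarting...
Jan 31 00:02:23 DD-WRT daemon.warn openvpn[1510]: NOTE: debug verbosity (--verb 7) is enabled but this build lacks debug support.
Jan 31 00:02:23 DD-WRT daemon.warn openvpn[1510]: WARNING: Using --management on a TCP port WITHOUT passwords is STRONGLY discouraged and considered insecure
Jan 31 00:02:23 DD-WRT daemon.notice openvpn[1510]: NOTE: --mute triggered...
Jan 31 00:02:23 DD-WRT daemon.notice openvpn[1510]: 231 variation(s) on previous 3 message(s) suppressed by --mute
Jan 31 00:02:23 DD-WRT daemon.notice openvpn[1510]: OpenVPN 2.4.8 mipsel-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Dec 29 2019
Jan 31 00:02:23 DD-WRT daemon.notice openvpn[1515]: MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:14
Jan 31 00:02:23 DD-WRT daemon.warn openvpn[1515]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts'

# Keep only lines the openvpn daemon itself logged (syslog tag "openvpn[<pid>]:").
ovpn_lines() {
    grep 'openvpn\[[0-9]*\]:'
}

# Number of WARNING lines from the daemon; prints 0 instead of failing when none.
ovpn_warning_count() {
    ovpn_lines | grep -c 'WARNING:' || true
}

# Address:port the management interface listens on, empty if none was logged.
ovpn_management_listen() {
    ovpn_lines \
      | sed -n 's/.*MANAGEMENT: TCP Socket listening on \[AF_INET\]\([0-9.]*:[0-9]*\).*/\1/p' \
      | head -n 1
}

# Exit 0 if the management socket is reachable off-box (bound to anything but
# loopback).  Together with the "WITHOUT passwords" warning that would let any
# host that can reach the port control the daemon.  The posted log binds it to
# 127.0.0.1, so this returns 1 for the sample.
ovpn_management_exposed() {
    addr=$(ovpn_management_listen)
    case "$addr" in
        ''|127.*) return 1 ;;
        *)        return 0 ;;
    esac
}

# Exit 0 only if OpenVPN reported that it finished starting up.
ovpn_reached_ready() {
    ovpn_lines | grep -q 'Initialization Sequence Completed'
}

# Demo on the constructed sample (on a router: logread | ovpn_... instead).
echo "daemon WARNING lines: $(printf '%s\n' "$OVPN_LOG_SAMPLE" | ovpn_warning_count)"
echo "management listens on: $(printf '%s\n' "$OVPN_LOG_SAMPLE" | ovpn_management_listen)"
if printf '%s\n' "$OVPN_LOG_SAMPLE" | ovpn_management_exposed; then
    echo "management socket is NOT loopback-only: fix this before anything else"
fi
if printf '%s\n' "$OVPN_LOG_SAMPLE" | ovpn_reached_ready; then
    echo "server reported ready"
else
    echo "no 'Initialization Sequence Completed' in this excerpt: the server has not (yet) come up"
fi
```

On the router the same functions can be fed from `logread` or `cat /var/log/messages`; the point of `ovpn_reached_ready` is that a log which ends in option echo and warnings tells you nothing about whether the certificates loaded.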
c0l0c0d0s
DD-WRT Novice


Joined: 10 Mar 2019
Posts: 28

Posted: Sat Feb 01, 2020 23:32    Subject: Madness in new build
Was having NAT loopback issues in my last Kong build, obviously couldn't update as he's retired, so I got fed up trying to get it to work, did a 30/30/30 reset and installed the BS build on my R7000:
DD-WRT v3.0-r42174 std (01/30/20)

Reprogrammed everything from scratch, including making new certs after updating OVPN on the PC etc.

All worked perfectly regarding NAT loopback and I was happy until I tried the OVPN.

Read both your guides, VPN and troubleshooting; my iptables outputs are perfect like your descriptions, and compared to my old config (apart from new features) everything was the same.

Tried the original firewall rule as before:
Code:
iptables -t nat -A POSTROUTING -o $(get_wanface)-j MASQUERADE


The above doesn't get me internet on any client, so I'm using this instead, which does:
Code:
WAN_IF="$(route -n | awk '/^0.0.0.0/{wif=$NF} END {print wif}')"
iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o $WAN_IF -j MASQUERADE


The only other setting I have is interface=tun2, but this is late in your guide, after "if you DON'T use Redirect default Gateway"; I do, and client-to-client too.

So my issue (on clients) is I can only hit the router in terms of client-to-client; in other words I can hit only 192.168.49.254 (DD-WRT) but not any other LAN devices.

Spent most of the day mucking around, killing Google!

What I found, hence the subject name, is if I go to Setup, Advanced Routing, I have Op mode: gateway (correct), Dynamic routing interface: disable.

My R7000 is behind the ISP hub in "modem mode", plugged into the R7000 WAN port, so I don't believe I've ever used the dynamic routing interface in any of the available modes; tell me if I am wrong there please.

So anyway, in trying anything/everything I switched it on, tried various different Advanced Routing options, and whenever I would touch it the OVPN clients all get Internet and full LAN machine access.

However I discovered that on a reboot the full LAN machine access doesn't work again, just internet and router IP access.

So where I am at: I have Dynamic routing interface: disable.

To get full OVPN client internet & full LAN machine access (AFTER a DD-WRT restart) I go to the Advanced Routing page, don't change a SINGLE thing, but click on Apply Settings and bang, my LAN clients are accessible!!!

Any clue mate!!!
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

Posted: Sun Feb 02, 2020 7:35
First, 30/30/30 is not recommended on Broadcom ARM routers. To do a full reset, telnet to your router and do:
Code:
nvram erase && reboot


As you may have been tinkering with your router a lot trying to solve this, it might not hurt to do that reset and put the settings in manually.

Not being able to connect to your clients on the VPN server is probably due to the CVE-2019-14899 patch.
In the OVPN GUI disable "CVE-2019-14899 Mitigation", which is the second item.
Save/Apply and reboot.

Download the latest guide and read up on the subject.

I am very interested why the POSTROUTING rule using get_wanface does not work for you, as it is supposed to work in all cases where you have a WAN interface (in contrast to the formerly used nvram get wan_ifname or nvram get wan_iface).

Can you send me the output of the following commands:
Code:
nvram get wan_iface
nvram get wan_ifname
get_wanface
echo WAN_IF="$(route -n | awk '/^0.0.0.0/{wif=$NF} END {print wif}')"

c0l0c0d0s
DD-WRT Novice


Joined: 10 Mar 2019
Posts: 28

Posted: Sun Feb 02, 2020 11:02
egc wrote:
First, 30/30/30 is not recommended on Broadcom ARM routers. To do a full reset, telnet to your router and do:
Code:
nvram erase && reboot


As you may have been tinkering with your router a lot trying to solve this, it might not hurt to do that reset and put the settings in manually.

Not being able to connect to your clients on the VPN server is probably due to the CVE-2019-14899 patch.
In the OVPN GUI disable "CVE-2019-14899 Mitigation", which is the second item.
Save/Apply and reboot.

Download the latest guide and read up on the subject.

I am very interested why the POSTROUTING rule using get_wanface does not work for you, as it is supposed to work in all cases where you have a WAN interface (in contrast to the formerly used nvram get wan_ifname or nvram get wan_iface).

Can you send me the output of the following commands:
Code:
nvram get wan_iface
nvram get wan_ifname
get_wanface
echo WAN_IF="$(route -n | awk '/^0.0.0.0/{wif=$NF} END {print wif}')"


I thought what I did was the 30/30/30 method as I followed a post about going from Kong to BS; what I actually did was, from an SSH session, issue one at a time:
Code:
erase nvram
reboot


Then, as the router was factory defaulted, it asked for a first-time PW; I then flashed the BS .bin file with the option to reset to default.

After that, again entered a new first-time PW and started the setup again!

Okay, so to double check this morning I am doing your tests. Here I have changed the FW cmd back so you can see both tests:

TEST ONE:
Code:
iptables -t nat -A POSTROUTING -o $(get_wanface)-j MASQUERADE


1. Rebooted.

2. Connected with Android OVPN client: NO internet, NO LAN IPs (except 192.168.49.254).

3. Hit Apply Settings in Advanced Routing (no changes made).

4. Disconnected Android OVPN client then reconnected: NO internet, ALL LAN IPs.

Outputs of TEST ONE:

A. nvram get wan_iface = vlan2

B. nvram get wan_ifname = vlan2

C. get_wanface = vlan2

D. echo WAN_IF="$(route -n | awk '/^0.0.0.0/{wif=$NF} END {print wif}')" = WAN_IF=vlan2


TEST TWO:
Code:
WAN_IF="$(route -n | awk '/^0.0.0.0/{wif=$NF} END {print wif}')"
iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o $WAN_IF -j MASQUERADE


1. Rebooted.

2. Connected with Android OVPN client: YES internet, NO LAN IPs (except 192.168.49.254).

3. Hit Apply Settings in Advanced Routing (no changes made).

4. Disconnected Android OVPN client then reconnected: YES internet, ALL LAN IPs.

Outputs of TEST TWO:

A. nvram get wan_iface = vlan2

B. nvram get wan_ifname = vlan2

C. get_wanface = vlan2

D. echo WAN_IF="$(route -n | awk '/^0.0.0.0/{wif=$NF} END {print wif}')" = WAN_IF=vlan2


So exactly the same mate.
c0l0c0d0s
DD-WRT Novice


Joined: 10 Mar 2019
Posts: 28

Posted: Sun Feb 02, 2020 11:23
egc wrote:

Not being able to connect to your clients on the VPN server is probably due to the CVE-2019-14899 patch.
In the OVPN GUI disable "CVE-2019-14899 Mitigation", which is the second item.
Save/Apply and reboot.


Just tried this and it's perfect; there is no need for me to press the Apply Settings button in Advanced Routing!

Woohoo!

I know this was a patch to stop a security hole; is there another workaround, or do you think something is broken in the build? Or is it one of those security issues that are so unlikely, like the SHA1 potential security hole that requires a supercomputer!!

I mentioned in the original post the interface=tun2; do I still need that, as I am not using any PBR and AM using Redirect Default Gateway?

Also interested to see other people's Dnsmasq radio buttons and Basic page including DHCP settings, as I USED to include the router IP as the 1st DNS server, then 1.1.1.1, then 1.0.0.1 (cleaner than 8.8.8.8), but I see advice that the whole section should be turned off!
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

Posted: Sun Feb 02, 2020 11:24
The command to reset has changed; it is: nvram erase
and not erase nvram.
So really you should do: nvram erase && reboot

Both POSTROUTING rules do the same, as they MASQUERADE over vlan2, so there should be no difference between them.

Do not forget to disable the CVE-2019-14899 mitigation patch or you will not be able to connect to your LAN clients.

Edit: BS has been tinkering with the startup sequence, so it is possible that startup is not in the right order and you have to Save/Apply on the OVPN page without changing anything; I will look into it.

Last edited by egc on Sun Feb 02, 2020 11:37; edited 1 time in total
c0l0c0d0s
DD-WRT Novice


Joined: 10 Mar 2019
Posts: 28

Posted: Sun Feb 02, 2020 11:34
TetraHydro wrote:

I would like to take a moment and recognize your input in to this difficult (to me and many others) task. I spent three days going through outdated guides, re-generating certificates, keys and such until I accidentally found your guide. I finally have a VPN tunnel. How exciting. Thank you a lot for this!


Damn right EGC is a legend!

And thanks TetraHydro for your little tip regarding tokens within OVPN files.
mrjcd
DD-WRT Guru


Joined: 31 Jan 2015
Posts: 6268
Location: Texas

Posted: Sun Feb 02, 2020 11:42
egc wrote:
Do not forget to disable the CVE-2019-14899 mitigation patch or you will not be able to connect to your LAN clients.

don't make no nevermind on the EA8500 --- I have it enabled

just masquerade the ovpn server net
example: if 10.8.0.0/24 is the ovpn server network

firewall:
Code:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE


should also have interface=tun2 in 'Additional Dnsmasq Options' if you want to use local DNS while connected to the ovpn server
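The three MASQUERADE rules that appear in this thread (the guide's `-o $(get_wanface)`, the two-line `-s 10.8.0.0/24 -o $WAN_IF` variant c0l0c0d0s fell back to, and mrjcd's `-s 10.8.0.0/24` with no `-o`) do not match the same traffic, and whether the rule you typed is actually installed is something to read from `iptables-save -t nat` (or `iptables -t nat -L POSTROUTING -v -n`), not from the firewall script text. Two points the posts above do not make. First, as transcribed here the guide rule reads `-o $(get_wanface)-j MASQUERADE` with no space before `-j`, so the shell hands iptables the interface name `vlan2-j` followed by a stray `MASQUERADE` argument and iptables rejects the whole command; if that is what was really typed it would explain why that rule "does nothing" while the two-line version works, with every diagnostic printing `vlan2` as expected. Second, a rule with `-s 10.8.0.0/24` and no `-o` also rewrites VPN-to-LAN traffic to the router's LAN address (192.168.49.254 here), which is presumably why egc counts it among the workarounds for the CVE-2019-14899 mitigation, but it also means LAN hosts and their logs see the router rather than the individual VPN client. The script below is an added example, not code from the guide or from any poster: it picks the WAN interface the way the awk one-liner above does, checks a nat-table dump for a rule covering the VPN subnet on a given outgoing interface, and labels each rule's reach. All sample output is constructed; 203.0.113.0/24 stands in for the ISP-side network, the interface names follow the thread.

```shell
#!/bin/sh
# Added example, not from the DD-WRT guide or from any post in this thread.
# Determine the WAN interface from `route -n` and check a dump of the nat
# table (the format `iptables-save -t nat` prints) for MASQUERADE coverage.
# All samples below are constructed; 203.0.113.0/24 is a documentation range.

ROUTE_SAMPLE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         203.0.113.1     0.0.0.0         UG    0      0        0 vlan2
10.8.0.0        0.0.0.0         255.255.255.0   U     0      0        0 tun2
192.168.49.0    0.0.0.0         255.255.255.0   U     0      0        0 br0
203.0.113.0     0.0.0.0         255.255.255.0   U     0      0        0 vlan2'

# The guide's rule as intended: every source leaving the WAN is masqueraded.
NAT_GUIDE='-A POSTROUTING -o vlan2 -j MASQUERADE'
# The two-line variant from the thread: VPN subnet only, WAN only.
NAT_VPN_WAN='-A POSTROUTING -s 10.8.0.0/24 -o vlan2 -j MASQUERADE'
# mrjcd's rule: VPN subnet, any outgoing interface (so br0 to the LAN too).
NAT_VPN_ANY='-A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE'
# What you get when "-o $(get_wanface)-j" (no space) is rejected by iptables:
# no POSTROUTING rule at all.
NAT_NONE=''

# Interface of the last default route in `route -n` output read from stdin
# (same awk as the one-liner posted in the thread).
wan_if_from_route() {
    awk '/^0\.0\.0\.0/ { wif = $NF } END { print wif }'
}

# Does any POSTROUTING MASQUERADE rule on stdin apply to packets from $1
# leaving interface $2?  No -s means every source; no -o means every
# outgoing interface.  Exit 0 = covered, 1 = not covered.
masq_covers() {
    awk -v src="$1" -v oif="$2" '
        /^-A POSTROUTING / && /-j MASQUERADE/ {
            s_ok = ($0 !~ /-s /) || index($0, "-s " src " ") > 0
            o_ok = ($0 !~ /-o /) || index($0, "-o " oif " ") > 0
            if (s_ok && o_ok) found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# One label per MASQUERADE rule on stdin describing how far it reaches.
# "one-source:all-ifaces" is the mrjcd shape: VPN->LAN packets get the
# router's LAN address as source, so LAN-side logs lose the client IP.
masq_scope() {
    awk '
        /^-A POSTROUTING / && /-j MASQUERADE/ {
            has_s = ($0 ~ /-s /); has_o = ($0 ~ /-o /)
            if (!has_s && has_o)      print "all-sources:one-iface"
            else if (has_s && has_o)  print "one-source:one-iface"
            else if (has_s && !has_o) print "one-source:all-ifaces"
            else                      print "all-sources:all-ifaces"
        }'
}

# Demo on the constructed samples.  On a router replace the printf with
# `route -n | wan_if_from_route` and `iptables-save -t nat | masq_covers ...`.
wif=$(printf '%s\n' "$ROUTE_SAMPLE" | wan_if_from_route)
echo "WAN interface: $wif"
for rules in "$NAT_GUIDE" "$NAT_VPN_WAN" "$NAT_VPN_ANY" "$NAT_NONE"; do
    scope=$(printf '%s\n' "$rules" | masq_scope)
    if printf '%s\n' "$rules" | masq_covers 10.8.0.0/24 "$wif"; then ok=yes; else ok=no; fi
    echo "[${rules:-<no rule>}] scope=${scope:-none} covers VPN->WAN: $ok"
done
```

`masq_covers` answers the question that matters for "no internet on VPN clients": is there a rule that masquerades 10.8.0.0/24 on the real WAN interface. Run it against `iptables-save -t nat` after a reboot and again after the Apply Settings click described above; if the answer changes, the firewall script is not what is racing the OpenVPN start.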
c0l0c0d0s
DD-WRT Novice


Joined: 10 Mar 2019
Posts: 28

Posted: Sun Feb 02, 2020 12:05
egc wrote:
The command to reset has changed; it is: nvram erase
and not erase nvram.
So really you should do: nvram erase && reboot

Both POSTROUTING rules do the same, as they MASQUERADE over vlan2, so there should be no difference between them.

Do not forget to disable the CVE-2019-14899 mitigation patch or you will not be able to connect to your LAN clients.

Edit: BS has been tinkering with the startup sequence, so it is possible that startup is not in the right order and you have to Save/Apply on the OVPN page without changing anything; I will look into it.


Okay, it wasn't too old a thread that I copied, but anyway it must have erased the nvram as, like I said, it prompted me for a fresh PW and it was back to factory.

It works now with CVE-2019-14899 disabled so I am reluctant to muck around with it for now!

I reckon pressing Apply in Advanced Routing was basically reloading/starting a service and that was why it was working; however, without the CVE-2019-14899 mitigation running I don't have to.
c0l0c0d0s
DD-WRT Novice


Joined: 10 Mar 2019
Posts: 28

Posted: Sun Feb 02, 2020 12:10
mrjcd wrote:
egc wrote:
Do not forget to disable the CVE-2019-14899 mitigation patch or you will not be able to connect to your LAN clients.

don't make no nevermind on the EA8500 --- I have it enabled

just masquerade the ovpn server net
example: if 10.8.0.0/24 is the ovpn server network

firewall:
Code:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE


should also have interface=tun2 in 'Additional Dnsmasq Options' if you want to use local DNS while connected to the ovpn server


Hiya MrJCD

Are you suggesting trying that FW cmd (yes, that is the OVPN range) as an addition to my earlier FW cmds (currently using the 2 lines of egc's recommendation, not the 1-liner)?

Is the suggestion a workaround for the CVE-2019-14899 patch having to be "disabled" in my environment?

And yes, I do indeed have interface=tun2 enabled in my Dnsmasq options mate.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

Posted: Sun Feb 02, 2020 12:17
I edited my last post but it maybe crossed.

I just checked 42132 and that build had trouble starting the OVPN server on reboot; I had to Apply on the OVPN GUI page to start the server.

The latest build 42174 seems to start on reboot.

Regarding the CVE patch, that is why I wrote in my earlier post:
Quote:
Download the latest guide and read up on the subject


When the patch was first introduced there was no option to disable it; I have devised some workarounds (like the one @mrjcd is using) but those can also have drawbacks.

I personally have the patch disabled, but I know @mrjcd does dangerous things and wants the utmost safety.
(Just kidding, he is a highly valued forum member.)

Anyway, it is all discussed in the guide.

Have fun

mrjcd
DD-WRT Guru


Joined: 31 Jan 2015
Posts: 6268
Location: Texas

Posted: Sun Feb 02, 2020 12:19
c0l0c0d0s wrote:
Are you suggesting trying that FW cmd (yes, that is the OVPN range) as an addition to my earlier FW cmds

NO, NOT as an addition

egc knows what he is talking about so his guide is prolly best for all.

I just mentioned what I use --- AND I have an ISP fiber connection ... so NO modem nonsense in front of me
c0l0c0d0s
DD-WRT Novice


Joined: 10 Mar 2019
Posts: 28

Posted: Sun Feb 02, 2020 14:17
I'll give these another read tomorrow as I'm off down the pub!

Anyway, I could probably recite most of the guides I originally referenced after a loooonnngg time double checking, but RTFM and all that, so I will double check, gents.

Thanks again to you both for helping.
univac1710
DD-WRT Novice


Joined: 02 Nov 2019
Posts: 12

Posted: Sun Feb 02, 2020 15:33    Subject: OPENVPN Routing issue
I went through the OpenVPN server setup guide and when I applied all the settings none of my devices were able to browse the internet. I only want to use the VPN when I am on public WiFi, not for every home device. I had set up a VPN in the past using one of the referenced guides but they had the routes configured differently. What should my configuration look like? I am using Firmware: DD-WRT v3.0-r42132 std (01/28/20) on a Netgear WNDR4300 router.
Thank you.