univac1710, You probably should update that router to r42174.
If it still doesn't work you should post more about your configs.
Thanks. I will have to wait until this weekend to update the firmware. What I am trying to do is only use the VPN so I can use my home internet connection while I am using a public Wi-Fi. I had a VPN working on the previous builds but I see there are newer options. I have my VPN configured as a Server in Router mode. I also have Redirect default Gateway, Allow Client to Client and Allow duplicate on as Enable. I also have the following rule:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o $(get_wanface) -j MASQUERADE
When this configuration was in place no one on the network could get to the internet. I am thinking that I have a routing issue because I had used the following rules in the past.
I do have OVPN client and server and watch dog successfully up and running.
My DD-WRT router is a second router behind the internet router. The DD-WRT router is in WAP mode and I configured the WAN port as a LAN port (can't remember why).
Now I do have trouble with DHCP, which is served by the internet router, and I would like to move DHCP to my DD-WRT router.
Of course I don't want to risk my working configuration because it cost me (and egc :)) a lot of time to get the current config up and running.
Questions:
Can I just reset the WAN port as a WAN port and connect it to the internet router, switch on DHCP and all is good, or is there a bit more I have to consider?
I also think I need to assign fixed-IP devices to the new gateway, right?
Joined: 18 Mar 2014 Posts: 12882 Location: Netherlands
Posted: Mon Feb 03, 2020 15:50 Post subject:
univac1710 wrote:
mrjcd wrote:
univac1710, You probably should update that router to r42174.
If it still doesn't work you should post more about your configs.
Thanks. I will have to wait until this weekend to update the firmware. What I am trying to do is only use the VPN so I can use my home internet connection while I am using a public Wi-Fi. I had a VPN working on the previous builds but I see there are newer options. I have my VPN configured as a Server in Router mode. I also have Redirect default Gateway, Allow Client to Client and Allow duplicate on as Enable. I also have the following rule:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o $(get_wanface) -j MASQUERADE
When this configuration was in place no one on the network could get to the internet. I am thinking that I have a routing issue because I had used the following rules in the past.
What do I need to change in my configuration to use the VPN only for external connections?
Thanks again.
Without knowing all the details I am doing some estimated guessing.
All those firewall rules should be deleted (read the guide).
If you have your router in router mode instead of gateway mode it will not do SNAT; you should leave the router in gateway mode.
If this is a secondary router configured as a WAP you might need the following rule:
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to $(nvram get lan_ipaddr)
_________________
Routers: Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3, XR300: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read): https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
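An added example, not egc's rule and not DD-WRT's own firewall code, that turns the gateway/WAP distinction above into a script for the router's firewall script: in gateway mode it adds nothing (the built-in WAN masquerade already covers the tunnel, which is why egc says to drop the extra rules), in WAP mode it adds the SNAT rule, narrowed to the tunnel subnet, and it only inserts a rule that is not already present so re-running the script does not stack duplicates. Assumptions not in the thread: tunnel subnet 10.8.0.0/24 and bridge br0 as defaults, an iptables with -C support (1.4.11 or newer), the --to-source long form of egc's --to, and an IPTABLES variable so the logic can be exercised off the router.

```shell
#!/bin/sh
# Added example, not egc's rule and not DD-WRT's own firewall code: pick the
# OpenVPN NAT rule by the router's role and insert it idempotently. Meant for
# the router's firewall script. Assumptions not in the thread: tunnel subnet
# 10.8.0.0/24 and bridge br0 as defaults, iptables with -C (1.4.11+), and an
# IPTABLES variable so the logic can be dry-run off the router.

IPTABLES="${IPTABLES:-iptables}"
VPN_NET="${VPN_NET:-10.8.0.0/24}"
LAN_IF="${LAN_IF:-br0}"

# On the router, take the LAN address from NVRAM as egc's rule does; off the
# router LAN_IP has to be supplied.
if [ -z "${LAN_IP:-}" ] && command -v nvram >/dev/null 2>&1; then
    LAN_IP=$(nvram get lan_ipaddr)
fi

# Print the POSTROUTING rule a role needs, or nothing:
#   gateway  DD-WRT owns the WAN and already masquerades traffic leaving it,
#            tunnel traffic included, which is egc's point: add no extra rule.
#   wap      DD-WRT is a secondary router. LAN hosts use the other router as
#            gateway and would send replies for 10.8.0.0/24 there, where they
#            are dropped; SNAT to DD-WRT's own LAN address makes replies come
#            back through it. The -s match restricts the rewrite to tunnel
#            sources (a narrowing added here; egc's rule has no -s).
nat_rule_for_role() {
    case "$1" in
        gateway) ;;
        wap) echo "POSTROUTING -o $LAN_IF -s $VPN_NET -j SNAT --to-source $2" ;;
        *) echo "unknown role: $1" >&2; return 1 ;;
    esac
}

# Insert a rule only if an identical one is absent, so re-running the firewall
# script (DD-WRT runs it on every WAN restart) does not stack duplicates the
# way a plain -A or -I does.
ensure_rule() {
    chain="$1"; shift
    if "$IPTABLES" -t nat -C "$chain" "$@" 2>/dev/null; then
        echo "present: $chain $*"
    else
        "$IPTABLES" -t nat -I "$chain" "$@" && echo "added: $chain $*"
    fi
}

# Apply the rule for a role; returns 1 on an unknown role.
apply_role() {
    rule=$(nat_rule_for_role "$1" "$2") || return 1
    if [ -z "$rule" ]; then
        echo "gateway mode: built-in WAN masquerade covers the tunnel; nothing to add"
        return 0
    fi
    # shellcheck disable=SC2086  # the rule string is meant to be word-split
    ensure_rule $rule
}

# Stand-alone use: ROLE=wap LAN_IP=192.168.1.2 sh nat-by-role.sh
if [ -n "${ROLE:-}" ]; then
    apply_role "$ROLE" "$LAN_IP"
fi
```

On the router the functions go into Administration > Commands > Firewall with ROLE set; if the build's iptables predates -C, replace the check in ensure_rule with `iptables -t nat -S POSTROUTING | grep -F -- "$*"`. Keeping the check in the script is what makes it safe to save and re-run.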
Posted: Mon Feb 03, 2020 15:54 Post subject:
boris03 wrote:
I do have OVPN client and server and watch dog successfully up and running.
My DD-WRT router is a second router behind the internet router. The DD-WRT router is in WAP mode and I configured the WAN port as a LAN port (can't remember why).
Now I do have trouble with DHCP, which is served by the internet router, and I would like to move DHCP to my DD-WRT router.
Of course I don't want to risk my working configuration because it cost me (and egc :)) a lot of time to get the current config up and running.
Questions:
Can I just reset the WAN port as a WAN port and connect it to the internet router, switch on DHCP and all is good, or is there a bit more I have to consider?
I also think I need to assign fixed-IP devices to the new gateway, right?
That will need considerable tweaking.
Consider using the DHCP server of the DD-WRT router; although it is a WAP, you should be able to use its DHCP server for your whole subnet.
Posted: Fri Feb 07, 2020 6:05 Post subject: How to block outside DNS in the OpenVPN Client+Server?
Hiya egc and all DD-WRT gurus:
How can I block outside DNS in the OpenVPN? I mean, my OS and the browser running in that OS should only be connecting to the DNS that is defined in the OpenVPN client profile and its server counterpart?
Shall I write this question in a new topic if you find it appropriate?
Tnx and best of luck
_________________
---//signature I'm a brave journalist, I support human rights <3
Posted: Fri Feb 07, 2020 10:55 Post subject: Re: How to block outside DNS in the OpenVPN Client+Server?
blonde wrote:
Hiya egc and all DD-WRT gurus:
How can I block outside DNS in the OpenVPN? I mean, my OS and the browser running in that OS should only be connecting to the DNS that is defined in the OpenVPN client profile and its server counterpart?
Shall I write this question in a new topic if you find it appropriate?
Tnx and best of luck
Yes, please create a new thread; this is outside the scope of OpenVPN setup.
Sorry it took so long to reply back. I upgraded to the latest firmware yesterday and configured both the router and my client. I made the firewall changes and I can connect via my iPad, but I am getting TLS handshake errors. Both config files look okay but I am not sure. Here are both my router and client config files; can you please take a look at them? Thank you.
Client config:
client
dev tun
proto udp
remote x.x.x.x 1194
nobind
persist-key
persist-tun
remote-cert-tls server
auth-nocache
verb 4
float
tun-mtu 1500
auth SHA256
cipher AES-128-GCM
ca ca.crt
cert client1.crt
key client1.key
I was able to connect using an outside connection but now I cannot access the internet from my client. I added the push "dhcp-option DNS" line to my router config. Should I add a push route command as well? Thanks.
Posted: Sat Feb 08, 2020 16:23 Post subject:
A TLS error is usually caused by a network connection error; see the troubleshooting document in the third post of this thread.
That said, there are some inconsistencies in your setup.
You have set Compression to Adaptive but there is no compression set in the client.
As compression is somewhat of a safety concern, I have it disabled by default.
Furthermore, most newer clients use: proto udp4
Actually the server config should also show that, so I am not sure what is going on.
But as said, see the troubleshooting document for the TLS error (and/or to check for other problems).
If you still cannot solve it, show the output of the OVPN status page (whole page), a picture of the settings page and the logs of the client.
Thanks. I made the changes you said to make along with modifying the iptables to the below and I was able to connect to the internet.
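An added example, not code from the thread or from DD-WRT, that checks a client profile for the points egc raises above (compression on only one end, the proto form) and for the hardening directives a client should carry; it takes univac1710's posted profile as its sample input, embedded below. Directive names are real OpenVPN options; the WARN/INFO severities are this script's own choices.

```shell
#!/bin/sh
# Added example (not from the thread or from DD-WRT): audit an OpenVPN client
# profile for the inconsistencies egc lists (compression, proto) and for the
# hardening directives a client should carry. Directive names are real
# OpenVPN options; the WARN/INFO severities are this script's own choices.

# Print the argument(s) of directive $2 in profile $1; exit 1 if it is absent.
ovpn_directive() {
    awk -v d="$2" '$1 == d { $1 = ""; sub(/^ /, ""); print; found = 1 }
                   END { exit !found }' "$1"
}

# Audit one profile: one finding per line (WARN/INFO/OK) and a SUMMARY line.
# Returns 0 when there are no WARN findings, 1 otherwise.
audit_ovpn_client() {
    f="$1"
    warns=0

    # 1. Compression. egc keeps it disabled server-side: compressing
    #    attacker-influenced plaintext leaks data (VORACLE-class attacks), and
    #    a mismatch between the ends breaks the tunnel. "comp-lzo no" still
    #    keeps the compression framing, so any such directive counts.
    if grep -Eq '^[[:space:]]*(comp-lzo|compress)([[:space:]]|$)' "$f"; then
        echo "WARN compression directive present; disable it on both ends"
        warns=$((warns + 1))
    else
        echo "OK   no compression directive (server Compression must be Disabled too)"
    fi

    # 2. Address family. Newer clients write udp4/tcp4-client explicitly;
    #    whichever form is used, client and server must agree.
    proto=$(ovpn_directive "$f" proto) || proto="udp"
    case "$proto" in
        udp4|tcp4-client) echo "OK   proto $proto" ;;
        *) echo "INFO proto $proto: newer clients use udp4; the server must match" ;;
    esac

    # 3. Server role check. Without it, any holder of a client certificate
    #    from the same CA could pose as the server.
    if [ "$(ovpn_directive "$f" remote-cert-tls)" = "server" ]; then
        echo "OK   remote-cert-tls server"
    else
        echo "WARN remote-cert-tls server missing"
        warns=$((warns + 1))
    fi

    # 4. Control-channel key. A server with a TLS Auth key set rejects
    #    handshakes that lack the matching HMAC (one source of "TLS Error"),
    #    and the key shields the handshake from unauthenticated peers.
    if grep -Eq '^[[:space:]]*(tls-auth|tls-crypt|tls-crypt-v2)([[:space:]]|$)' "$f"; then
        echo "OK   control channel keyed (tls-auth/tls-crypt)"
    else
        echo "WARN no tls-auth/tls-crypt; add the line and the server's key"
        warns=$((warns + 1))
    fi

    # 5. Data-channel cipher: AEAD preferred, CBC tolerated, legacy 64-bit
    #    block ciphers and "none" rejected. OpenVPN 2.5+ clients may list
    #    ciphers under data-ciphers instead of cipher.
    cipher=$(ovpn_directive "$f" cipher) || cipher=$(ovpn_directive "$f" data-ciphers) || cipher="(none)"
    case "$cipher" in
        AES-*-GCM*|CHACHA20-POLY1305*) echo "OK   cipher $cipher" ;;
        AES-*-CBC*) echo "INFO cipher $cipher works; AES-GCM is preferred" ;;
        *) echo "WARN cipher $cipher; use AES-128-GCM/AES-256-GCM or CHACHA20-POLY1305"
           warns=$((warns + 1)) ;;
    esac

    echo "SUMMARY warnings=$warns"
    [ "$warns" -eq 0 ]
}

# Sample input: the client profile univac1710 posted above, verbatim.
thread_client_profile() {
    cat <<'EOF'
client
dev tun
proto udp
remote x.x.x.x 1194
nobind
persist-key
persist-tun
remote-cert-tls server
auth-nocache
verb 4
float
tun-mtu 1500
auth SHA256
cipher AES-128-GCM
ca ca.crt
cert client1.crt
key client1.key
EOF
}

# Stand-alone use: sh ovpn-client-audit.sh [profile.ovpn]; with no argument
# the posted profile is audited.
if [ "$#" -gt 0 ]; then
    audit_ovpn_client "$1" || :
else
    tmp=$(mktemp)
    thread_client_profile > "$tmp"
    audit_ovpn_client "$tmp" || :
    rm -f "$tmp"
fi
```

Run against the posted profile it reports no compression (consistent with egc's server-side default), flags `proto udp` as informational, and raises one warning: there is no tls-auth/tls-crypt line, which is worth checking against the server's TLS Auth setting when TLS handshake errors show up.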
Posted: Sun Feb 09, 2020 9:38 Post subject:
univac1710 wrote:
egc wrote:
A TLS error is usually caused by a network connection error; see the troubleshooting document in the third post of this thread.
That said, there are some inconsistencies in your setup.
You have set Compression to Adaptive but there is no compression set in the client.
As compression is somewhat of a safety concern, I have it disabled by default.
Furthermore, most newer clients use: proto udp4
Actually the server config should also show that, so I am not sure what is going on.
But as said, see the troubleshooting document for the TLS error (and/or to check for other problems).
If you still cannot solve it, show the output of the OVPN status page (whole page), a picture of the settings page and the logs of the client.
Thanks. I made the changes you said to make along with modifying the iptables to the below and I was able to connect to the internet.