Cannot make openvpn peer-to-peer work

hoegge
DD-WRT Novice


Joined: 26 Mar 2020
Posts: 24

PostPosted: Thu Mar 26, 2020 7:24    Post subject: Cannot make openvpn peer-to-peer work
I run Firmware: DD-WRT v3.0-r40559 std (08/06/19) on Linksys wrt1900AC.

I have now tried over and over again to make peer-to-peer OpenVPN work with my other router running pfSense. I have set it up with a preshared key on the pfSense router, and it works fine connecting to it using the OpenVPN client on my Windows machine.

I have used the GUI on the DD-WRT box to set the parameters. This did not work at all, and it did not even try to connect, until I found out from the syslog that the GUI puts a wrong item in the config file when using a preshared key. It adds both the secret and the client item, which is not allowed (bug). So I deleted the client option manually (which means whenever I use the UI again the profile becomes corrupt again) and have this config on the DD-WRT router:

secret /tmp/openvpncl/static.key
management 127.0.0.1 16
management-log-cache 100
verb 3
mute 3
syslog
writepid /var/run/openvpncl.pid
resolv-retry infinite
nobind
persist-key
persist-tun
script-security 2
dev tun1
proto udp4
cipher aes-128-cbc
auth sha256
remote 87.104.5.4 1194
comp-lzo adaptive
tun-mtu 1500
mtu-disc yes
fast-io

I have also tried to push a route from the pfSense server configuration, which does not help at all:
push "route 192.168.0.0 255.255.255.0"

Now it connects, but no data goes through the tunnel in either direction. I believe that pfSense figures it out fine, since two pfSense routers connect just fine using a preshared key peer-to-peer, but it seems like DD-WRT routing and interfaces are not set up by the GUI (if so, what is the GUI worth?).

PF-sense network: 192.168.0.0/24
DD-wrt network: 192.168.112.0/24
Tunnel network: 10.10.8.0/24

I have searched this forum and the internet for months on how to set up a peer-to-peer connection between DD-WRT and pfSense and have not figured it out, although I have read a lot of (very different) explanations that never really seem to work, since they only tell half the story and do a lot of manual configuration. Is the GUI not working at all for this, and if not, why is it there?

When the router starts OpenVPN it also seems to run two scripts that I guess should take care of routing:
route-down.sh route-up.sh
but the routes on the DD-WRT box are not updated when connecting, as they are e.g. on my Windows machine using the OpenVPN client to the same tunnel on pfSense.

Any help is highly appreciated

Thanx
Hoegge
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12877
Location: Netherlands

PostPosted: Thu Mar 26, 2020 8:35
Right, running a site-to-site OpenVPN (if that is what you mean by peer-to-peer) needs some more than just a connection.

You are using an old build and lots of things have changed, so research updating. The latest build is 42803 as of today.

A link to the OpenVPN setup guide, also for setting up site-to-site OpenVPN, is in my signature (bottom of this post).
It is of course not for pfSense but might put you on the right track.
If you use the GUI to set up, OpenVPN should run normally with all its routes set up properly (I cannot vouch for your build; that was a particularly bad one).

Thousands of users are using the GUI to set up a VPN to VPN providers, to their own VPS server in the cloud, or to other DD-WRT OVPN servers.

I never run OVPN with a static key only, but will look into the matter; I do not exclude a user misconfiguration.

Oh, and the route-up and route-down scripts do not make the routing; they are executed on route-up and route-pre-down, and the scripts do make the necessary firewall rules, among other things.

Below some pointers which might help to get the best out of DDWRT and out of the forum:
1. Research your router, start with the supported devices wiki:
https://wiki.dd-wrt.com/wiki/index.php/Supported_Devices .
2. In the supported devices wiki you can see if your router is supported and what architecture your router has and if you are lucky also an install guide/wiki.
3. Post in the right forum, from the former step you can see if your router is Broadcom, Qualcomm/Atheros, Marvell or other, use that forum to post router specific questions, for networking questions post in the Advanced Networking forum and for other things in the General Questions forum.
4. When posting always state router model, build number and when applicable the Kernel version.
Describe your problem and how you think it can be solved.
Give as much detail as you can also provide your network setup if applicable.
If you followed a wiki or manual let us know which one(s).
For your Network setup, state what wiki you have used: https://wiki.dd-wrt.com/wiki/index.php/Linking_Routers
5. When posting pictures make sure the maximum width is not more than 600 pixels.
6. Do not hijack a thread, meaning do not post your own problem in someone else's thread. Just start your own thread. This so that it can be searched and found by others.
7. If your post is answered and your problem solved, mark your thread with [SOLVED] (the header of your first post).
8. Do NOT use the router database, builds can be found at:
https://dd-wrt.com/support/other-downloads/?path=betas%2F2020%2F
All builds are beta including those from the router database.
9. Before uploading a new build to your router, research the build by looking in the build threads.
This is an example of a build thread for build 42617 for Broadcom routers:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=323436
Search build threads with the search function and search on build number.
10. Use the build threads from the former step to report success or problems.
11. For older Broadcom routers (Linksys WRT54 and E series) read the peacock thread although some of it is outdated: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=51486
Builds can be found in the Broadcom directory for Linux kernel 2.4, in Broadcom_K26 for Linux K2.6 and in Broadcom_K3X for Linux K3.X.
12. If you are sure you have discovered a bug, after asking and querying the forum, you can report a real bug in the bug tracker: https://svn.dd-wrt.com/
This is also the place where the commits/changes to the source are administrated.
13. Recommended reading:
https://forum.dd-wrt.com/wiki/index.php/Main_Page
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=54845
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=54959
14. If you are happy with DDWRT and want it to live on then donate:
https://dd-wrt.com/donations/

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
hoegge
DD-WRT Novice


Joined: 26 Mar 2020
Posts: 24

PostPosted: Thu Mar 26, 2020 9:28
Thanks for quick answer

Concerning the build, I just installed the newest build I could find for my router (in the router database), but saw, buried in some text on the link you gave, that you cannot trust the router database. How would people know?

Well, I have installed that 42803 now, and same thing.

The config produced from GUI using static key is:

secret /tmp/openvpncl/static.key
management 127.0.0.1 16
management-log-cache 100
verb 3
mute 3
syslog
writepid /var/run/openvpncl.pid
client
resolv-retry infinite
nobind
persist-key
persist-tun
script-security 2
dev tun1
proto udp4
cipher aes-128-cbc
auth sha256
remote x.x.x.x 1194
comp-lzo adaptive
tun-mtu 1500
mtu-disc yes
fast-io


which includes client, and OpenVPN then complains:

Mar 26 10:13:59 WRT1900AC daemon.err openvpn[1788]: Options error: specify only one of --tls-server, --tls-client, or --secret


As soon as I remove the client word it connects (after restarting the OpenVPN daemon).

So in that sense it works when using the workaround for the bug that adds client when running with a static preshared key.

Sorry, I could not find your site-to-site guide in your signature, and I tried to look at them all.

The guides I've seen all involve a lot of manual configuration. So do you say that using the GUI should normally work also for site-to-site using a preshared key, without any need to manually set up any routing afterwards? When you create the server side for site-to-site in pfSense, you also specify the remote subnet and tunnel network, and it produces the file below for an OpenVPN client, which works fine on my PC:

dev tun
persist-tun
persist-key
cipher AES-128-CBC
auth SHA256
redirect-gateway def1
resolv-retry infinite
proto udp
remote <server public IP> 1194
route 192.168.0.0 255.255.255.0
ifconfig 10.0.8.2 10.0.8.1
keepalive 10 60
ping-timer-rem
<secret>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
<key>
-----END OpenVPN Static key V1-----
</secret>
comp-lzo adaptive

best
Hoegge
hoegge
DD-WRT Novice


Joined: 26 Mar 2020
Posts: 24

PostPosted: Thu Mar 26, 2020 9:41
Found the guide - PDF in post, right?
Will take a look, but still puzzled, if
1) there isn't a bug creating the configs from the GUI using a preshared key
2) it is impossible to set up site-to-site without command line / manual config in addition to the UI

best
Hoegge
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12877
Location: Netherlands

PostPosted: Thu Mar 26, 2020 10:02
Yeah, read the guide, it is in PDF; the GUI should work,
although I never used it with a static key.

Enable advanced options, enable NAT.

Post a picture of your settings page, a picture of your OVPN status page and the .conf file you get from pfSense, to see what settings are necessary.

I will have a look at them when I come back later

hoegge
DD-WRT Novice


Joined: 26 Mar 2020
Posts: 24

PostPosted: Thu Mar 26, 2020 11:10
Thanks. Here are my settings in the client (DD-WRT); I can only attach a few in one post.
hoegge
DD-WRT Novice


Joined: 26 Mar 2020
Posts: 24

PostPosted: Thu Mar 26, 2020 11:13
and then the result

If I manually add the ifconfig and route to the client file I can get to the server subnet, but not the other way around.

Is anything blocking at the client dd-wrt end to enter the subnet here?
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12877
Location: Netherlands

PostPosted: Thu Mar 26, 2020 12:10
for site-to-site
Enable "Firewall Protection"
Disable the CVE patch

Extra routes are normally pushed from the server, because the client does not (normally) know the server's own subnet.

So if there is no route it is a fault in the server setup: it either pushes its own route, or it pushes redirect default gateway to route all traffic from the client to the server.

ifconfig should not be necessary; that should be handled by the server. It could be another misconfiguration on the server side: the server hands out the interface, otherwise you could have duplicates.

You can always add extra routes on the client side if you misconfigured your server, as it appears in your case; just add in the Additional config of the GUI:
Code:
route 192.168.0.0/24 vpn_gateway


On the server side you have to do the same add:
Code:
route 192.168.112.0/24 vpn_gateway


So it appears you have not configured your server correctly and have to mitigate that with manual settings on the client side, where you can add extra settings in the Additional Config.

hoegge
DD-WRT Novice


Joined: 26 Mar 2020
Posts: 24

PostPosted: Thu Mar 26, 2020 13:40
Thanks again

Firstly, when you write "vpn_gateway" as in the PDF manual, what does that mean? Is that the tunnel network IP, or?

Why should NAT be enabled? I tried with and now disabled it again. Makes no difference.

I believe it is set up correctly on the server side, but I don't think that the ifconfig can be pushed. The Win10 OpenVPN client does not get that pushed either, but responds, if it is not in the config file:

Options error: On Windows, --ifconfig is required when --dev tun is used

But maybe that is only on windows. Is there any way to see what the client "gets" from the server?

The configs are now like below, and now I have contact in both directions, but a very slow file copy in the direction from server to client:

Client dd-wrt

secret /tmp/openvpncl/static.key
management 127.0.0.1 16
management-log-cache 100
verb 3
mute 3
syslog
writepid /var/run/openvpncl.pid
resolv-retry infinite
nobind
persist-key
persist-tun
script-security 2
dev tun1
proto udp4
cipher aes-128-cbc
auth sha256
remote <my_server_public_IP> 1194
comp-lzo adaptive
tun-mtu 1500
mtu-disc yes
fast-io
ifconfig 10.0.8.2 10.0.8.1
route 192.168.0.0 255.255.255.0


Server - pf-sense
dev ovpns1
verb 9
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp4
cipher AES-128-CBC
auth SHA256
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local <my_server_public_ip>
ifconfig 10.0.8.1 10.0.8.2
lport 1194
management /var/etc/openvpn/server1.sock unix
max-clients 1
route 192.168.112.0 255.255.255.0
secret /var/etc/openvpn/server1.secret
comp-lzo adaptive
fast-io
push "ifconfig 10.0.8.2 10.0.8.1"

The last line does not make a difference. It works both with and without.

Also I turned the firewall on in the OpenVPN client setting with NAT on; makes no difference. Also whether NAT is on or not makes no difference.

So the bug that puts a client together with secret slowed me down for weeks, since nothing worked. I'll report that, since it is still quite annoying that you have to stop and restart OpenVPN every time you use the UI. The UI also produces some CTRL+M line feeds (Windows) in the conf files; not sure if they matter or not.

Now I just need to get the speed up from server to client; it is super slow and maybe has something to do with MTU / Windows, not sure.

Hoegge
hoegge
DD-WRT Novice


Joined: 26 Mar 2020
Posts: 24

PostPosted: Thu Mar 26, 2020 14:04
No, I was wrong about NAT and firewall. It worked because I forgot to turn off my SW OpenVPN client in Windows. So NAT has to be on for it to work, but why? Is there any translation going on? And does the firewall mean "enable firewall rule" instead of "enable firewall"?

best
Hoegge
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12877
Location: Netherlands

PostPosted: Thu Mar 26, 2020 14:20
Regarding NAT, you can use it, but if you get your routing right it is not necessary; it is explained in the guide.

"Firewall Protection" Enabled actually disables it, so that you can also have traffic from both directions. If you already have a connection made from the client side the firewall is opened, but after some time it can close and you can have difficulty starting a connection from the server side (some clients keep the connection open).

The server setup seems to be missing:
--server network netmask
Code:
--server network netmask ['nopool']
    A helper directive designed to simplify the configuration of OpenVPN's server mode. This directive will set up an OpenVPN server which will allocate addresses to clients out of the given network/netmask. The server itself will take the ".1" address of the given network for use as the server-side endpoint of the local TUN/TAP interface. For example, --server 10.8.0.0 255.255.255.0 expands as follows:

     mode server
     tls-server
     push "topology [topology]"

     if dev tun AND (topology == net30 OR topology == p2p):
       ifconfig 10.8.0.1 10.8.0.2
       if !nopool:
         ifconfig-pool 10.8.0.4 10.8.0.251
       route 10.8.0.0 255.255.255.0
       if client-to-client:
         push "route 10.8.0.0 255.255.255.0"
       else if topology == net30:
         push "route 10.8.0.1"

     if dev tap OR (dev tun AND topology == subnet):
       ifconfig 10.8.0.1 255.255.255.0
       if !nopool:
         ifconfig-pool 10.8.0.2 10.8.0.253 255.255.255.0
       push "route-gateway 10.8.0.1"
       if route-gateway unset:
         route-gateway 10.8.0.2

    Don't use --server if you are ethernet bridging. Use --server-bridge instead.


Then you do not need ifconfig, because the server should handle this.
Of course you can set it up manually, but if you manually ifconfig you easily get duplicates and of course have to manually configure all the clients. In this case you also have to push the VPN's subnet or add it in the client with the route directive.

You are also not pushing routes from the server. You should either push redirect default gateway or push the server's local subnet; and yes, you can set it also on the client with the route directive in the Additional config. The route directive will add routes either via the VPN (vpn_gateway, which is the default) or via the WAN (net_gateway).

So with a proper server setup DD-WRT should just work with the GUI. The only thing I do not understand is what you mean with the key: if you just copy the static key into the static key box (copy everything from -----BEGIN until the last -----), then the key should be put in a file which is referenced in the openvpn.conf file.

Is that not the case? If so I will check and will correct this bug.

Do not worry about the CR/LF, those are handled.

So instead of struggling for so long you should ask the forum, that is what we are here for.

hoegge
DD-WRT Novice


Joined: 26 Mar 2020
Posts: 24

PostPosted: Thu Mar 26, 2020 14:31
Well, I thought I did just not understand the whole thing.

I only need to connect two subnets, so there will only be one client (the DD-WRT router) and one server (the pfSense box), and all devices on 192.168.0.0 should be able to see all on 192.168.112.0 and vice versa, so it works like one network. And the tunnel should be kept open all the time.

So I then also assume there do not need to be any IP addresses assigned to any devices. But then the main reason to turn NAT on is to be able to turn Firewall off?

Concerning the bug:
If you (as I did) just copy the static key then that is referenced in the config files as:
secret /path/to/key.key

But OpenVPN does not allow having both the "secret" item and the "client" item in the same config file. It can only have either the server, client, or secret option (according to the error message that prevents OpenVPN from starting if you use a preshared key in the client setting in the GUI).

And then the quick question: when you write "vpn_gateway" as in the PDF manual, what does that mean? Is that the tunnel network IP, or?

/Hoegge
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12877
Location: Netherlands

PostPosted: Thu Mar 26, 2020 15:21
hoegge wrote:
Well, I thought I did just not understand the whole thing.

I only need to connect two subnets, so there will only be one client (the DD-WRT router) and one server (the pfSense box), and all devices on 192.168.0.0 should be able to see all on 192.168.112.0 and vice versa, so it works like one network. And the tunnel should be kept open all the time.

So I then also assume there do not need to be any IP addresses assigned to any devices. But then the main reason to turn NAT on is to be able to turn Firewall off?

Concerning the bug:
If you (as I did) just copy the static key then that is referenced in the config files as:
secret /path/to/key.key

But OpenVPN does not allow having both the "secret" item and the "client" item in the same config file. It can only have either the server, client, or secret option (according to the error message that prevents OpenVPN from starting if you use a preshared key in the client setting in the GUI).

And then the quick question: when you write "vpn_gateway" as in the PDF manual, what does that mean? Is that the tunnel network IP, or?

/Hoegge


vpn_gateway is the VPN tunnel, so if you add in the Additional config of the client:
Code:
route 192.168.0.0/24 vpn_gateway
then traffic for that subnet will be routed via the VPN.

Regarding the secret key, I now understand what you are saying. I think that is a "limitation" of OpenVPN: with a static key there is no client and no server, it is just a point-to-point connection, so you can only have one appliance to another appliance.
It is rarely used, so it never came up, but I will make a note of it.

You had better set up as client-server.

Regarding NAT, that is not for the firewall. The firewall on the client side is open if "Enable Firewall Protection" is ticked (which might give you the opposite impression), and of course do not tick Inbound Firewall on TUN.
In the guide is a picture of client setting just follow that.

NAT is just to make it easy for routing; if you persist with this setup you also have to route the VPN subnet through the tunnel, and each other's subnet.
If you have done that you can disable NAT.

Anyway, I would just make a proper setup with a server and a client.

Also one other thing: if you have NAT enabled on the pfSense you should disable the CVE patch on your DD-WRT router.

But as said, I will put static key on my list to add a chapter in the setup guide.

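An added example (not code from this thread, DD-WRT or pfSense): a small Python linter for the two configuration problems raised above, the secret + client conflict that stops OpenVPN from starting with "specify only one of --tls-server, --tls-client, or --secret", and a malformed route network such as 192.168.112/24. It also checks that a static-key configuration names its tunnel endpoints (ifconfig) and a route, since nothing is pushed in that mode, and applies the workaround from the thread (dropping client when secret is present). The sample config and the 203.0.113.10 address are constructed.

```python
import ipaddress
import re

# Directives that fix the peer mode; 'client' expands to tls-client and
# 'server' to tls-server, so either one clashes with 'secret'.
MODE_OF = {"secret": "secret", "client": "tls-client",
           "tls-client": "tls-client", "server": "tls-server",
           "tls-server": "tls-server"}


def parse_config(text):
    """Return [(directive, [args])].  Inline <tag>...</tag> blocks become
    one entry whose single arg is the block body; CRLF line endings (the
    CTRL+M the GUI writes) and '#'/';' comment lines are tolerated."""
    entries, block, body = [], None, []
    for raw in text.replace("\r", "").split("\n"):
        line = raw.strip()
        if block is not None:              # inside <secret> etc.
            if line == "</%s>" % block:
                entries.append((block, ["\n".join(body)]))
                block, body = None, []
            else:
                body.append(line)
            continue
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"<([a-z-]+)>", line)
        if m:
            block = m.group(1)
            continue
        parts = line.split()
        entries.append((parts[0], parts[1:]))
    return entries


def lint(text):
    """Return a list of findings (empty when the config looks sane)."""
    entries = parse_config(text)
    findings, modes = [], {}
    for directive, _ in entries:
        if directive in MODE_OF:
            modes.setdefault(MODE_OF[directive], directive)
    if len(modes) > 1:   # the "specify only one of ..." startup error
        findings.append("mode conflict: %s (OpenVPN allows only one of "
                        "--tls-server, --tls-client, or --secret)"
                        % ", ".join(sorted(modes.values())))
    routes = [args for d, args in entries if d == "route"]
    for args in routes:  # catches typos such as 192.168.112/24
        net = args[0] if args else ""
        try:
            ipaddress.ip_network(net if "/" in net else net + "/32", False)
        except ValueError:
            findings.append("malformed route network: %r" % net)
    if modes == {"secret": "secret"}:
        # static-key p2p: nothing is pushed, so this end must name the
        # tunnel endpoints and the remote subnet itself
        if not any(d == "ifconfig" for d, _ in entries):
            findings.append("static key mode without ifconfig")
        if not routes:
            findings.append("static key mode without route to remote subnet")
    return findings


def drop_client_when_secret(text):
    """The thread's workaround: remove 'client' when 'secret' is set."""
    if not any(d == "secret" for d, _ in parse_config(text)):
        return text
    return "\n".join(l for l in text.replace("\r", "").split("\n")
                     if l.strip() != "client")


# Constructed sample resembling the GUI-generated config in the thread;
# 203.0.113.10 is a documentation address, not a real server.
GUI_CONF = ("secret /tmp/openvpncl/static.key\r\nclient\r\ndev tun1\r\n"
            "remote 203.0.113.10 1194\r\nroute 192.168.0.0 255.255.255.0\r\n")

if __name__ == "__main__":
    print(lint(GUI_CONF))                           # mode conflict
    print(lint(drop_client_when_secret(GUI_CONF)))  # missing ifconfig
```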
hoegge
DD-WRT Novice


Joined: 26 Mar 2020
Posts: 24

PostPosted: Sat Mar 28, 2020 8:42
Thanks a lot again.

I'll consider trying the client-server part again then; I never could make it work, never found a good tutorial describing what all the certificates, keys, etc. are, though I searched quite a bit. Why should that be better than a point-to-point connection?

I still don't understand the vpn_gateway part. Does it mean that I should replace it with the IP of the vpn_gateway, whatever that is, or is it a magic variable that gets replaced in some way? Is it standard OpenVPN client stuff or special to DD-WRT?

Best
Hoegge
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12877
Location: Netherlands

PostPosted: Sat Mar 28, 2020 9:11
hoegge wrote:
Thanks a lot again.

I'll consider trying the client-server part again then; I never could make it work, never found a good tutorial describing what all the certificates, keys, etc. are, though I searched quite a bit. Why should that be better than a point-to-point connection?

I still don't understand the vpn_gateway part. Does it mean that I should replace it with the IP of the vpn_gateway, whatever that is, or is it a magic variable that gets replaced in some way? Is it standard OpenVPN client stuff or special to DD-WRT?

Best
Hoegge


With my tutorial you should be able to generate keys and certs and set up a client/server; thousands of users have done this with this guide and were successful.

It gives you a lot more possibilities.

vpn_gateway (and its counterpart net_gateway) is just standard OpenVPN. If you add it in the OpenVPN additional config (which is actually just adding it to the .conf file), it routes via the tunnel (vpn_gateway) or via the WAN (net_gateway).
So if you add to the additional OpenVPN config:
route 8.8.8.8 vpn_gateway
all traffic for 8.8.8.8 is routed via the VPN.

Have a look at the OVPN Policy Based Routing guide (see signature) for destination based routing.

Have fun and stay well
