KeepSolid OpenVPN Working Config

securedparty
DD-WRT Novice


Joined: 07 Dec 2017
Posts: 17

Posted: Mon Mar 30, 2020 15:22    Post subject: KeepSolid OpenVPN Working Config
Attached image showing a working configuration (as of Mar/2020) of KeepSolid VPN (aka VPN Unlimited) under DDWRT using OpenVPN.



I am sharing this for three reasons:
[1] I had to relearn the working configuration after updating a router.
[2] I have found KeepSolid's DDWRT Guide to be flawed and technically incorrect, seeing as how it does NOT work.
[3] For anyone else who may be attempting to get this VPN to work in their router.

Server IP/Name: FILL
Port: 1194
Tunnel Device: TUN
Tunnel Protocol: UDP
Encryption Cipher: AES-256-CBC
Hash Algorithm: SHA512
TLS Cipher: NONE
LZO Adaptive
nsCertType verification CHECKED FOR ON

Additional config
#cipher AES-256-CBC
reneg-sec 0
persist-tun
persist-key
ping 5
ping-exit 30
nobind
remote-random
remote-cert-tls server
route-metric 1
#auth-nocache
verb 2
mute 20

TLS Auth Key: Unused/EMPTY
PKCS12 Key: Unused/EMPTY
Static Key: Unused/EMPTY
CA Cert: FILL
Public Client Cert: FILL
Private Client Key: FILL


I hope this can be as useful for others as this will be for me, again, in the future, possibly-maybe.


Last edited by securedparty on Sat Apr 04, 2020 21:42; edited 1 time in total
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 10099
Location: Netherlands

Posted: Mon Mar 30, 2020 16:14
Thanks for sharing.

One remark: I would not recommend using auth-nocache. DDWRT uses the cache on reconnect, so it might get you into trouble when there is a disconnect (you are trying to keep the tunnel open with ping but that is not always successful :( )

_________________
Routers:Netgear R7800, R6400v1, R6400v2, Linksys EA8500, EA6900 (XvortexCFE), E2000 (converted WRT320N), WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
saadbashir
DD-WRT Novice


Joined: 20 May 2020
Posts: 6

Posted: Wed May 20, 2020 11:23
I am trying to configure VPNUNLIMITED on DDWRT flashed on LinkSys E1200V2.

I am following configurations stated on https://www.vpnunlimitedapp.com/help/manuals/dd-wrt-open-vpn-configuration-guide but found this post here.

Thank you for this post. I am trying to follow your instructions but am getting the following error:

Code:

Clientlog:
19691231 19:00:21 W WARNING: Using --management on a TCP port WITHOUT passwords is STRONGLY discouraged and considered insecure
19691231 19:00:21 W WARNING: file '/tmp/openvpncl/client.key' is group or others accessible
19691231 19:00:21 I OpenVPN 2.4.9 mipsel-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on May 19 2020
19691231 19:00:21 I library versions: OpenSSL 1.1.1g 21 Apr 2020 LZO 2.09
19691231 19:00:48 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
19691231 19:00:48 W WARNING: Your certificate is not yet valid!
19691231 19:00:53 N RESOLVE: Cannot resolve host address: us-la.vpnunlimitedapp.com:1194 (Try again)
19691231 19:00:58 N RESOLVE: Cannot resolve host address: us-la.vpnunlimitedapp.com:1194 (Try again)
19691231 19:00:58 W Could not determine IPv4/IPv6 protocol
19691231 19:00:58 I SIGUSR1[soft init_instance] received process restarting
19691231 19:01:03 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
19691231 19:01:03 I TCP/UDP: Preserving recently used remote address: [AF_INET]64.31.33.154:1194
19691231 19:01:03 I UDPv4 link local: (not bound)
19691231 19:01:03 I UDPv4 link remote: [AF_INET]64.31.33.154:1194
19691231 19:01:04 N VERIFY ERROR: depth=1 error=certificate is not yet valid: C=US ST=NY L=New York O=Simplex Solutions Inc. OU=Vpn Unlimited CN=server.vpnunlimitedapp.com name=server.vpnunlimitedapp.com emailAddress=support@simplexsolutionsinc.com
19691231 19:01:04 N OpenSSL: error:1416F086:lib(20):func(367):reason(134)
19691231 19:01:04 N TLS_ERROR: BIO read tls_read_plaintext error
19691231 19:01:04 N TLS Error: TLS object -> incoming plaintext read error
19691231 19:01:04 N TLS Error: TLS handshake failed
19691231 19:01:04 I SIGUSR1[soft tls-error] received process restarting
19691231 19:01:09 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
19691231 19:01:09 I TCP/UDP: Preserving recently used remote address: [AF_INET]23.83.37.209:1194
19691231 19:01:09 I UDPv4 link local: (not bound)
19691231 19:01:09 I UDPv4 link remote: [AF_INET]23.83.37.209:1194
19691231 19:01:09 N VERIFY ERROR: depth=1 error=certificate is not yet valid: C=US ST=NY L=New York O=Simplex Solutions Inc. OU=Vpn Unlimited CN=server.vpnunlimitedapp.com name=server.vpnunlimitedapp.com emailAddress=support@simplexsolutionsinc.com
19691231 19:01:09 N OpenSSL: error:1416F086:lib(20):func(367):reason(134)
19691231 19:01:09 N TLS_ERROR: BIO read tls_read_plaintext error
19691231 19:01:09 N TLS Error: TLS object -> incoming plaintext read error
19691231 19:01:09 N TLS Error: TLS handshake failed
19691231 19:01:09 I SIGUSR1[soft tls-error] received process restarting
19691231 19:00:00


Settings
Code:
#cipher AES-256-CBC
reneg-sec 0
persist-tun
persist-key
ping 5
ping-exit 30
nobind
remote-random
remote-cert-tls server
route-metric 1
#auth-nocache
verb 2
mute 20


[img]https://postimg.cc/yDm07Vqj[/img]
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 10099
Location: Netherlands

Posted: Wed May 20, 2020 11:50
I have not looked in detail but I noticed a couple of things.

You do not have the right time on your router and thus your certificate is not valid.

NAT is disabled; for almost all VPN providers I know you have to enable NAT (this might be an exception).

You can most probably remove all settings in the Additional config save: remote-random and reneg-sec 0 (this one is to make your connection stay up but it is less safe).

I use KeepSolid but only for WireGuard.

saadbashir
DD-WRT Novice


Joined: 20 May 2020
Posts: 6

Posted: Wed May 20, 2020 12:35
Thank you for your kind response.

Fixed the time. Thank you for pointing it out.

Secondly I enabled NAT because I was following the guidelines in this post. I have disabled NAT and removed all additional settings except the two mentioned by you. But unfortunately still didn't work.

Following is the current log:

Code:

Clientlog:
19700101 05:00:21 W WARNING: Using --management on a TCP port WITHOUT passwords is STRONGLY discouraged and considered insecure
19700101 05:00:21 W WARNING: file '/tmp/openvpncl/client.key' is group or others accessible
19700101 05:00:21 I OpenVPN 2.4.9 mipsel-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on May 19 2020
19700101 05:00:21 I library versions: OpenSSL 1.1.1g 21 Apr 2020 LZO 2.09
19700101 05:00:21 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:16
19700101 05:00:49 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
19700101 05:00:49 W WARNING: Your certificate is not yet valid!
19700101 05:00:54 N RESOLVE: Cannot resolve host address: us-la.vpnunlimitedapp.com:1194 (Try again)
19700101 05:00:59 N RESOLVE: Cannot resolve host address: us-la.vpnunlimitedapp.com:1194 (Try again)
19700101 05:00:59 W Could not determine IPv4/IPv6 protocol
19700101 05:00:59 I SIGUSR1[soft init_instance] received process restarting
19700101 05:00:59 Restart pause 5 second(s)
19700101 05:00:59 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
19700101 05:00:59 D MANAGEMENT: CMD 'state'
19700101 05:00:59 MANAGEMENT: Client disconnected
19700101 05:00:59 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
19700101 05:00:59 D MANAGEMENT: CMD 'state'
19700101 05:00:59 MANAGEMENT: Client disconnected
19700101 05:00:59 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
19700101 05:00:59 D MANAGEMENT: CMD 'state'
19700101 05:00:59 MANAGEMENT: Client disconnected
19700101 05:01:04 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
19700101 05:01:09 N RESOLVE: Cannot resolve host address: us-la.vpnunlimitedapp.com:1194 (Try again)
19700101 05:01:09 Socket Buffers: R=[172032->172032] S=[172032->172032]
19700101 05:01:09 I UDPv4 link local: (not bound)
19700101 05:01:09 I UDPv4 link remote: [AF_INET]23.83.37.213:1194
19700101 05:01:09 TLS: Initial packet from [AF_INET]23.83.37.213:1194 sid=1f8e7654 d47630c3
19700101 05:01:10 N VERIFY ERROR: depth=1 error=certificate is not yet valid: C=US ST=NY L=New York O=Simplex Solutions Inc. OU=Vpn Unlimited CN=server.vpnunlimitedapp.com name=server.vpnunlimitedapp.com emailAddress=support@simplexsolutionsinc.com
19700101 05:01:10 N OpenSSL: error:1416F086:lib(20):func(367):reason(134)
19700101 05:01:10 N TLS_ERROR: BIO read tls_read_plaintext error
19700101 05:01:10 NOTE: --mute triggered...
19700101 05:01:10 2 variation(s) on previous 3 message(s) suppressed by --mute
19700101 05:01:10 I SIGUSR1[soft tls-error] received process restarting
19700101 05:01:10 Restart pause 5 second(s)
19700101 05:01:12 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
19700101 05:01:12 D MANAGEMENT: CMD 'state'
19700101 05:01:12 MANAGEMENT: Client disconnected
19700101 05:01:12 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
19700101 05:01:12 D MANAGEMENT: CMD 'state'
19700101 05:01:12 MANAGEMENT: Client disconnected
19700101 05:01:12 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
19700101 05:01:12 D MANAGEMENT: CMD 'state'
19700101 05:01:12 MANAGEMENT: Client disconnected
19700101 05:01:12 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
19700101 05:01:12 D MANAGEMENT: CMD 'status 2'
19700101 05:01:12 MANAGEMENT: Client disconnected
19700101 05:01:13 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
19700101 05:01:13 D MANAGEMENT: CMD 'log 500'
19700101 05:00:00


Please suggest what I should do.


Last edited by saadbashir on Wed May 20, 2020 12:46; edited 1 time in total
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 10099
Location: Netherlands

Posted: Wed May 20, 2020 12:46
Time is not fixed; your date shows 01 01 1970:
19700101 05:01:10 N TLS_ERROR: BIO read tls_read_plaintext error

VPN cannot operate without correct date and time.
That should go automatically so there is something wrong with your settings.
Do not enter anything in the time server field, just keep it blank.

To be clear, NAT should be enabled (normally).

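The clock check egc applies to the two logs above, written out as an added example that is not part of any post in this thread: it compares the log's own date stamps with the "built on" date in the OpenVPN banner, since the real date cannot be earlier than the day the binary was compiled. The function names, the verdict labels and the sample log (host and CN are placeholders) are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread): classify a DD-WRT OpenVPN client log
# for the "router clock not set" failure discussed above.
# Usage: ovpn_clock_triage saved-client.log   (or pipe the log on stdin)
# Prints: VERDICT last=<stamp> build=<date> verify_errors=<n> dns_errors=<n>
ovpn_clock_triage() {
    awk '
    BEGIN {
        n = split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", name, " ")
        for (i = 1; i <= n; i++) mon[name[i]] = i
    }
    # Every log line starts with a YYYYMMDD stamp taken from the router clock.
    $1 ~ /^[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]$/ {
        if (first == "") first = $1
        last = $1
    }
    # Version banner ends in "built on May 19 2020": the real date cannot be
    # earlier than the day the running binary was compiled.
    / built on [A-Z][a-z][a-z] +[0-9]+ [0-9][0-9][0-9][0-9]/ {
        for (i = 1; i <= NF - 4; i++)
            if ($i == "built" && $(i + 1) == "on" && ($(i + 2) in mon))
                build = sprintf("%04d%02d%02d", $(i + 4), mon[$(i + 2)], $(i + 3))
    }
    /VERIFY ERROR/ && /certificate is not yet valid/ { verify++ }
    /RESOLVE: Cannot resolve host address/          { dns++ }
    END {
        if (last == "")                                    verdict = "NO_LOG_LINES"
        else if (build != "" && (last + 0) < (build + 0))  verdict = "CLOCK_NOT_SET"
        else if (build != "" && (first + 0) < (build + 0)) verdict = "CLOCK_SET_LATE"
        else if (verify > 0)                               verdict = "CERT_NOT_YET_VALID"
        else                                               verdict = "NO_CLOCK_FAULT"
        printf "%s last=%s build=%s verify_errors=%d dns_errors=%d\n",
               verdict, last, build, verify + 0, dns + 0
    }' "$@"
}

# Constructed sample in the thread's log format; host and CN are placeholders.
sample_log() {
    cat <<'EOF'
19700101 05:00:21 I OpenVPN 2.4.9 mipsel-unknown-linux-gnu [SSL (OpenSSL)] [LZO] built on May 19 2020
19700101 05:00:49 W WARNING: Your certificate is not yet valid!
19700101 05:00:54 N RESOLVE: Cannot resolve host address: vpn.example.net:1194 (Try again)
19700101 05:01:10 N VERIFY ERROR: depth=1 error=certificate is not yet valid: CN=server.example.net
19700101 05:01:10 I SIGUSR1[soft tls-error] received process restarting
EOF
}

sample_log | ovpn_clock_triage
```

CLOCK_SET_LATE means the first stamps predate the build date but the last ones do not, i.e. the clock was corrected while the client was already retrying.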
saadbashir
DD-WRT Novice


Joined: 20 May 2020
Posts: 6

Posted: Wed May 20, 2020 13:17
egc thank you for your assistance.

I tried removing the NTP server and pressed Apply Settings, and now suddenly my router has stopped responding. All its lights are continuously on. They aren't flashing or anything. I have unplugged it and the lights are still on. Any idea what I can do to fix this?
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 10099
Location: Netherlands

Posted: Wed May 20, 2020 13:35
If turning it off and on does not help a reset is the next step.

But bricking your router by removing an entry in the NTP time server field (time works best when left blank) is hard to understand; it indicates that there is something else going on, either wrong settings or hardware failure.

BTW you did not even tell us your router model and build number (it is recent as you are using OpenVPN 2.4.9).
Latest build 43192 appears to work well.

So if you have to reset, research updating to this latest build.

saadbashir
DD-WRT Novice


Joined: 20 May 2020
Posts: 6

Posted: Wed May 20, 2020 13:39
Thank you for your kind reply.

It is odd. I don't know what happened there. This was a very old router Linksys E1200 V2. Didn't want to risk going out because of all this corona. So since this was compatible I thought I will give it a try.

I have tried reset, 30:30:30 reset but nothing seems to work. Those lights are here to stay!

Is there any other trick up your sleeve? If not, can you recommend a new router in low-mid budget which might work well? Any feedback on Linksys E900? I only need it for VPN Client mode. Thanks
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 10099
Location: Netherlands

Posted: Wed May 20, 2020 14:59
This is the wiki: https://wiki.dd-wrt.com/wiki/index.php/Linksys_E1200v2

There is a link to recovery instructions.

These old routers will not get you more than a few MB/s for OpenVPN and maybe 10 for WireGuard?

For reasonable OpenVPN performance (30 MB/s) you need something like a dual core Arm 800 MHz CPU

SurprisedItWorks
DD-WRT Guru


Joined: 04 Aug 2018
Posts: 1350
Location: Appalachian mountains, USA

Posted: Wed May 20, 2020 15:35
Just to add a little to egc's comments...

The inexpensive router most recommended in the forums is the Netgear R7800 (see egc's sig for link to setup), which definitely has the CPU power to handle VPN well. The R7000 (older, cheaper) is also mentioned often, and the (newer, pricey) R9000 is mentioned occasionally. The R7000 and R7800 are often available used for good prices. Part of what's going on with the Netgear models is that you want to stick to those with Qualcomm/Atheros wifi hardware, which is far less troublesome than the Broadcom wifi hardware of some models.

If you want to stick with Linksys, you want the EA8500 or the WRT1900ACSv2 (specifically the ACS and specifically the v2), which also have Atheros wifi. Stay away from the more popular WRT3200ACM (especially) and WRT32X models, as their wifi drivers have issues that drive people nuts. If you go with the WRT1900ACSv2, which I use, note you should add a USB fan. Also, the "v2" is never advertised in commercial listings for that router, but it can be verified by looking at the upper-right corner of the blue label on the bottom of the router. The earlier AC (particularly its v1) and ACSv1 (not marked at all with a version number on the blue label) have been tricky for people. Setup for the WRT1900ACSv2 is per the "Cliff Notes" sticky at the beginning of the Marvell forum. (I'm not familiar enough with the EA8500 to point you at setup info.)

If you are bargain hunting for another router, the right way to go is going to depend on what you can locate at a decent price, but this little list should get you started.

Use the new-build threads in the appropriate (for the particular router) forum to pick a build. Never depend on the router database, which is obsolete and often recommends disastrous build choices.

_________________
4 Linksys WRT1900ACSv2 routers on 49081, 2 on 48141: VLANs, VAPs, NAS, client mode, OpenVPN client (AirVPN), DDNS, wireguard servers and clients (AzireVPN), three DNSCrypt DNS providers (incl Quad9) via VPN clients.
saadbashir
DD-WRT Novice


Joined: 20 May 2020
Posts: 6

Posted: Wed May 20, 2020 17:48
Hey guys thank you for your kind responses.

Egc I have tried simple reset, 30:30:30 reset and even plugging the router into LAN port of computer directly to see if I can access the http page but to no avail. I guess it is time to throw the router in the bin. It has all lights on dim. I have also changed 3 power sources to see if that might be the issue.

Actually I just need VPN because for some odd reason my SMA solar inverter is using the SIP protocol to share production data and SIP has been blocked by government. Now I need a VPN to bypass and get the data feed from my inverter. So there won't be a lot of data transfer and I am not even sure if it would work, so I don't want to spend a lot of money.

In my junk I found some more linksys routers
1) WRT54G2 V1.5
2) E1000 v2.1
3) E1000 v1

Guys, I am thinking of flashing E1000 v2.1 to try my luck tomorrow. As you suggested that the wiki is outdated, from where can I get the latest firmware which might work with this router? In the forum I could only find a mini.bin. Will mini firmware have support for VPN client?
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 10099
Location: Netherlands

Posted: Wed May 20, 2020 17:53
See the forum guidelines about what and where to download:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087

Almost no routers with 4 MB flash have OpenVPN, I think

kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 12866
Location: Texas, USA

Posted: Wed May 20, 2020 18:33
4MB flash devices will not have openvpn, and probably won't have wireguard. I think the only option they have is pptp.
_________________
"Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Pogo - A minimal level of ability is expected and needed...
At some point, people just get plain tired of this place.

----------------------
Linux User #377467 counter.li.org / linuxcounter.net