OpenVPN Server Setup guide

mrjcd
DD-WRT Guru


Joined: 31 Jan 2015
Posts: 6268
Location: Texas

Posted: Sat Mar 07, 2020 10:49
egc wrote:
on Atheros it is eth0


ummm.... just to jump in --- (Atheros) Netgear WNDR3700v4 WAN is vlan2
AND
(more or less Atheros) QCA IPQ8064 Linksys EA8500 WAN has always been vlan2 ...not sure about others
Code:
mrjcd@Will-Be-Was:~$ ssh root@citadel-station-homeworld.mrjcd.com
DD-WRT v3.0-r42634 std (c) 2020 NewMedia-NET GmbH
Release: 03/07/20
Board: Linksys EA8500
==========================================================
 
     ___  ___     _      _____  ______       ____  ___
    / _ \/ _ \___| | /| / / _ \/_  __/ _  __|_  / / _ \
   / // / // /___/ |/ |/ / , _/ / /   | |/ //_ <_/ // /
  /____/____/    |__/|__/_/|_| /_/    |___/____(_)___/
                                                     
                       DD-WRT v3.0
                   http://www.dd-wrt.com
 
==========================================================


BusyBox v1.31.1 (2020-03-07 01:05:19 +03) built-in shell (ash)

root@Citadel-Station-Homeworld:~# echo WAN_IF="$(route -n | awk '/^0.0.0.0/{wif=$NF} END {print wif}')"
WAN_IF=vlan2
root@Citadel-Station-Homeworld:~# nvram get wan_ifname
vlan2
root@Citadel-Station-Homeworld:~# get_wanface
vlan2
root@Citadel-Station-Homeworld:~#

alright then ...carry on
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

Posted: Sat Mar 07, 2020 11:06
Amazing, the EA8500 is not that different from the R7800 but that one has eth0 as WAN interface.
_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
mrjcd
DD-WRT Guru


Joined: 31 Jan 2015
Posts: 6268
Location: Texas

Posted: Sat Mar 07, 2020 11:21
egc wrote:
Amazing, the EA8500 is not that different from the R7800 but that one has eth0 as WAN interface.

Yea, that is also one reason why it was much easier to create VLANs on it a few years back that were understandable to most everyone.
I think most have the R7800 figured out now though.
AND your rule
Code:
WAN_IF="$(route -n | awk '/^0.0.0.0/{wif=$NF} END {print wif}')"
iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o $WAN_IF -j MASQUERADE
should take care of them all anyways ....good job
ChrisRex
DD-WRT Novice


Joined: 23 Dec 2015
Posts: 16

Posted: Sat Mar 28, 2020 18:44    Post subject: Re: OpenVPN server setup guide by egc
egc wrote:
OpenVPN Server Setup guide


Your remarks and corrections are more than welcome.
.....


Thanks for the great guide!
While I had the OpenVPN Server working before finding your guide, it has helped me a great deal in understanding things and making things more secure.

With regard to later builds and the CVE-2019-14899 patch -
I think this patch adds a DROP for the VPN subnet in iptables PREROUTING; and your guide's 2nd option

Code:
iptables -t raw -I PREROUTING -i br0 -d $(nvram get openvpn_net)/$(nvram get openvpn_tunmask) -j ACCEPT


inserts above the DROP an ACCEPT with the same parameters?
Does this effectively disable the mitigation? Is it doing the same thing as ticking 'disable' in the web GUI in builds that have that option? Or is keeping the CVE mitigation enabled doing more than the PREROUTING DROP rule?

Thanks again EGC for your guide and all your help!!
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

Posted: Sat Mar 28, 2020 19:48    Post subject: Re: OpenVPN server setup guide by egc
ChrisRex wrote:
egc wrote:
OpenVPN Server Setup guide


Your remarks and corrections are more than welcome.
.....


Thanks for the great guide!
While I had the OpenVPN Server working before finding your guide, it has helped me a great deal in understanding things and making things more secure.

With regard to later builds and the CVE-2019-14899 patch -
I think this patch adds a DROP for the VPN subnet in iptables PREROUTING; and your guide's 2nd option

Code:
iptables -t raw -I PREROUTING -i br0 -d $(nvram get openvpn_net)/$(nvram get openvpn_tunmask) -j ACCEPT


inserts above the DROP an ACCEPT with the same parameters?
Does this effectively disable the mitigation? Is it doing the same thing as ticking 'disable' in the web GUI in builds that have that option? Or is keeping the CVE mitigation enabled doing more than the PREROUTING DROP rule?

Thanks again EGC for your guide and all your help!!


OK, good question and I will try to explain.

Yes, that rule has to come above the DROP rule, so it has to be inserted after the DROP rule is in place, and that is precisely the problem.
It takes some time before OVPN runs and the DROP rule is added. You can of course manually add that rule after boot-up and it will work, but if anything changes and the firewall or VPN restarts it will not work again, so you actually need a script running that takes care of this, and I have not gotten around to making that.

Another possibility is adding the rule to the route-up script, but you cannot override the route-up script; I have made a patch to do this but that was not accepted by our main developer.

To answer your question: this rule does not do the same as disabling the patch.
You can be attacked only from a source which is directly connected to your router, so from your LAN side or directly from your WAN, e.g. if your ISP modem/router or the patch panel in the street is hacked.

This rule opens up an attack vector on your LAN side, but on the WAN side it still stays closed.
So if you have a tight grip on your LAN (like separating IoT on a different subnet etc.) the risk is minimal.

That said, the risk is very small. I have the CVE 14899 patch disabled, but I live in a free country and I am a law-abiding citizen; my hacking days are over, although I still have Kali Linux running.

Hope that answers your question.

ChrisRex
DD-WRT Novice


Joined: 23 Dec 2015
Posts: 16

Posted: Sun Mar 29, 2020 1:13    Post subject: Re: OpenVPN server setup guide by egc
Thank you for taking the time to explain!
I really, really appreciate it.

I had to set up another router today, and was pulling my hair out as something was not right and I was bug-eyed trying to find out what I was doing wrong.

Well, on some of my (Windows network) setups, I use a machine that's always on running VisualSyslog Server 1.6.4 to get the router's syslog output (and have it set up so it emails every time there's an attempt, whether successful or not, to log on to the VPN). After a few unsuccessful hours of trying to figure out what I was doing wrong, I decided to put a notebook that I have running VisualSyslog on the router, and it didn't take more than a few minutes to realize the dumb mistake(s) I was making - the VPN server was never running (Status/VPN) - and the first thing I was doing wrong was I had put a bad address in for the Network (I had like 10.8.0.1 instead of ending in .0)! Anyway, maybe someone else will get the idea of the VisualSyslog - which is open source but orphaned I think - it would be nice if it got some more development, as it never has the report with the right (local) time - maybe it's GMT, but never my time zone...
Here's the link:
https://maxbelkov.github.io/visualsyslog/


egc wrote:

OK, good question and I will try to explain.

Yes, that rule has to come above the DROP rule, so it has to be inserted after the DROP rule is in place, and that is precisely the problem.
It takes some time before OVPN runs and the DROP rule is added. You can of course manually add that rule after boot-up and it will work, but if anything changes and the firewall or VPN restarts it will not work again, so you actually need a script running that takes care of this, and I have not gotten around to making that.

Another possibility is adding the rule to the route-up script, but you cannot override the route-up script; I have made a patch to do this but that was not accepted by our main developer.

To answer your question: this rule does not do the same as disabling the patch.
You can be attacked only from a source which is directly connected to your router, so from your LAN side or directly from your WAN, e.g. if your ISP modem/router or the patch panel in the street is hacked.

This rule opens up an attack vector on your LAN side, but on the WAN side it still stays closed.
So if you have a tight grip on your LAN (like separating IoT on a different subnet etc.) the risk is minimal.

That said, the risk is very small. I have the CVE 14899 patch disabled, but I live in a free country and I am a law-abiding citizen; my hacking days are over, although I still have Kali Linux running.

Hope that answers your question.
Alkap
DD-WRT Novice


Joined: 04 Mar 2020
Posts: 9

Posted: Tue Mar 31, 2020 8:31
@egc, I'm not sure I understand exactly how to reach my LAN securely over OpenVPN. Probably my English is lacking.

I disabled the mitigation patch and added your rule into the firewall. Now my firewall looks like this:
Code:
### Nat OpenVPN subnet with lan subnet (Version 2) ###
WAN_IF="$(route -n | awk '/^0.0.0.0/{wif=$NF} END {print wif}')"

iptables -t nat -I POSTROUTING -s 192.168.2.0/24 -o $WAN_IF -j MASQUERADE

iptables -t nat -I POSTROUTING -o br0 -s $(nvram get openvpn_net)/$(nvram get openvpn_tunmask) -j MASQUERADE


But now, with this additional rule, all my LAN is exposed on the web (ports 53, 22 etc...).

Did I miss something?
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

Posted: Tue Mar 31, 2020 8:56
Alkap wrote:
@egc, I'm not sure I understand exactly how to reach my LAN securely over OpenVPN. Probably my English is lacking.

I disabled the mitigation patch and added your rule into the firewall. Now my firewall looks like this:
Code:
### Nat OpenVPN subnet with lan subnet (Version 2) ###
WAN_IF="$(route -n | awk '/^0.0.0.0/{wif=$NF} END {print wif}')"

iptables -t nat -I POSTROUTING -s 192.168.2.0/24 -o $WAN_IF -j MASQUERADE

iptables -t nat -I POSTROUTING -o br0 -s $(nvram get openvpn_net)/$(nvram get openvpn_tunmask) -j MASQUERADE


But now, with this additional rule, all my LAN is exposed on the web (ports 53, 22 etc...).

Did I miss something?


If you disable the CVE mitigation patch in the GUI (which I also do as the risk is not that great), you do not need the second rule with -o br0.

However, this should not have anything to do with exposing your LAN.

Alkap
DD-WRT Novice


Joined: 04 Mar 2020
Posts: 9

Posted: Tue Mar 31, 2020 9:16
egc wrote:
If you disable the CVE mitigation patch in the GUI (which I also do as the risk is not that great), you do not need the second rule with -o br0.

However, this should not have anything to do with exposing your LAN.
Okay, now it's clearer, I understood it the other way around.

I did a test with one machine and couldn't access it over VPN, but following your reply, with more investigation, it's because of its firewall issue. Other machines are reachable, I apologize.

I did other tests with and without this rule and I confirm all the LAN is exposed over the web with mitigation unchecked and this rule in the DD-WRT firewall. Think about adding a warning about it in your fantastic PDF (?)

Without this line, my LAN is protected.

Again, many thanks
avalx
DD-WRT Novice


Joined: 23 Nov 2017
Posts: 5

Posted: Sat Apr 11, 2020 16:42
I'm trying to make OpenVPN work on my network but until now I haven't succeeded completely.

I have a Netgear R7000 with DD-WRT v3.0-r42819 std (03/30/20), my local LAN network is 10.55.66.0 and my local domain is 'lan'. I'm trying to connect from my phone over the mobile network with the OpenVPN for Android client.

So here are some different configurations and results. I always have CVE-2019-14899 Mitigation disabled and the firewall rule is as per the instructions in the guide. Also the Additional Config is:
ncp-disable
dh none
ecdh-curve secp384r1

1. Redirect default Gateway is set to Enabled
Results:
- client connected OK
- I cannot access anything, neither the Internet nor the local LAN (either by name or IP)
- in the OpenVPN log on the client there is a warning about "No DNS servers being used", so this might mean something

2. Redirect default Gateway is set to Disabled and I put some push commands in Additional Config:

push "route 10.55.66.0 255.255.255.0 vpn_gateway"
push "dhcp-option DNS 10.55.66.1"
push "dhcp-option DOMAIN lan"

Also I added interface tun2 to the Dnsmasq Options

Results:
- client connected OK
- access to Internet OK
- access to the local LAN with a browser not working (neither by name nor by IP address); also some other programs accessing local resources are not working.
- BUT: I can ping local hosts via name and IP address and I can connect to my Linux server via ssh (ConnectBot)

Does anybody have any idea what might be wrong with my configuration?
foz111
DD-WRT Guru


Joined: 01 Oct 2017
Posts: 704
Location: Earth

Posted: Wed Feb 17, 2021 17:32
VPN server working great for a long time now, THANKS EGC, but I wanted to try adding some users and passwords so had some spare time to try this today.
I followed the v1.93 guide but for some reason the server fails to start, any ideas? I didn't understand what the "via-env" bit was for but it didn't work with or without it, but I may be missing something; is this why it's not starting the server?
Should I have a separate file with just user and pass on separate lines?

added to ovpn server config:
client-cert-not-required
auth-user-pass-verify /tmp/vpn_user.sh via-env
script-security 3
username-as-common-name

then copied the vpn_user.sh into startup and rebooted (I left the script as is for now rather than change the user and password) but the server never starts.

I assume I have missed something with the server not starting; I have not gotten as far as adding the client directive: auth-user-pass xxx

Thanks for any input

_________________
Netgear R7800 PPPoE Main Router
Network IPV4 - Isolated Vlan's with IoT Devices. Unifi AC-Pro x 3 AP's, Router Wi-Fi Disabled. OVPN Server With Paid Commercial Wireguard Client's. Gateway Mode, DNSMasq, Static Leases & DHCP, Pi-Hole DNS & Running Unbound.

No one can build you the bridge on which you, and only you, must cross the river of life!
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

Posted: Wed Feb 17, 2021 17:55
When the server does not start you have wrong settings or keys/certs.

It might be due to:
client-cert-not-required was already deprecated in 2.4.
I think it is removed in 2.5.

Remove it and then try again.

foz111
DD-WRT Guru


Joined: 01 Oct 2017
Posts: 704
Location: Earth

Posted: Wed Feb 17, 2021 19:08
Yes, that starts now egc, as always you D man!
I have added the:
auth-user-pass login.conf to the client with user and password and it connects.
How do I add a 2nd or 3rd user to the server side?
Like this?
#=======BEGIN vpn_user.sh for setting username and password=========
SCRIPT="/tmp/vpn_user.sh"
cat << "EOF" > $SCRIPT
#!/bin/sh
(
#!/bin/bash
#vpn_user.sh
ALLOWED_USER="user1"
ALLOWED_PASS="password1"
#
ALLOWED_USER="user2"
ALLOWED_PASS="password2"
#
echo "$username"
echo "$password"
echo $ALLOWED_USER
echo $ALLOWED_PASS
if [[ "$username" == "$ALLOWED_USER" && "$password" = "$ALLOWED_PASS" ]]
then
exit 0
else
exit 1
fi
)2>&1 | logger -t $(basename $0)[$$]
EOF
chmod +x $SCRIPT
nohup $SCRIPT > /dev/null 2>&1 &
#=======END vpn_user.sh=========
Cheers egc

egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

Posted: Thu Feb 18, 2021 8:36
Using multiple users/passwords is outside the scope of this guide; it involves professional setups with the PAM plugin and RADIUS etc.

Not that it is impossible in this way; you need to do multiple passes comparing your user/password with the ones presented.
I would use a file as input with username and password on one line and use this file as input.

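One way to implement what egc suggests above (a file with one username and password per line, checked by the auth-user-pass-verify script in via-env mode), as an added example that is not from the guide or from anyone in this thread; the credentials file format, the /tmp/vpn_users.txt path and the function names are assumptions:

```shell
#!/bin/sh
# Added example (not from the guide): auth-user-pass-verify script in via-env mode.
# OpenVPN exports $username and $password into the environment (this needs
# script-security 3) and admits the client only if this script exits 0.
# Assumed credentials file format: one "username password" per line,
# blank lines and lines starting with # are ignored, no spaces inside fields.

CREDS_FILE="${CREDS_FILE:-/tmp/vpn_users.txt}"   # assumed path

log() {
    # Log to syslog when logger exists (as on DD-WRT), otherwise to stderr.
    if command -v logger >/dev/null 2>&1; then logger -t vpn_user "$*"; else echo "vpn_user: $*" >&2; fi
}

# check_credentials USER PASS -> returns 0 on an exact match, 1 otherwise.
# The whole file is always read (no early break), so the response time
# does not reveal whether a given username exists in the file.
check_credentials() {
    u="$1"; p="$2"; ok=1
    if [ -z "$u" ] || [ -z "$p" ] || [ ! -r "$CREDS_FILE" ]; then
        return 1
    fi
    while IFS=' ' read -r fu fp rest; do
        case "$fu" in ''|'#'*) continue ;; esac   # skip blank and comment lines
        # "$rest" must be empty: "user pass extra" is malformed and never matches
        if [ "$fu" = "$u" ] && [ "$fp" = "$p" ] && [ -z "$rest" ]; then
            ok=0
        fi
    done < "$CREDS_FILE"
    return $ok
}

# make_sample_creds writes a constructed credentials file so the example runs
# stand-alone; on the router you would create /tmp/vpn_users.txt from your
# startup script instead (mode 600, since it holds plaintext passwords).
make_sample_creds() {
    CREDS_FILE="$(mktemp)"
    chmod 600 "$CREDS_FILE"
    printf '%s\n' '# constructed sample users' 'user1 password1' '' 'user2 password2' > "$CREDS_FILE"
}

# Entry point when OpenVPN runs this script: $username is set only then, so
# sourcing the file for testing does not trigger it. The password is never logged.
if [ -n "${username:-}" ]; then
    if check_credentials "$username" "$password"; then
        log "accepted login for user '$username' from ${untrusted_ip:-?}"
        exit 0
    fi
    log "rejected login for user '$username' from ${untrusted_ip:-?}"
    exit 1
fi
```

On the router this script would take the place of /tmp/vpn_user.sh, used with the auth-user-pass-verify /tmp/vpn_user.sh via-env and script-security 3 lines from the post above, and the syslog line tells you which user logged in.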
foz111
DD-WRT Guru


Joined: 01 Oct 2017
Posts: 704
Location: Earth

Posted: Thu Feb 18, 2021 10:03
egc wrote:
Using multiple users/passwords is outside the scope of this guide; it involves professional setups with the PAM plugin and RADIUS etc.

Not that it is impossible in this way; you need to do multiple passes comparing your user/password with the ones presented.
I would use a file as input with username and password on one line and use this file as input.


Thanks egc, I just wanted to make it easy to see in the logs who had logged in, but that's fine mate. I got the wrong end of the stick, thought that would have helped; I was thinking of it being like a commercial server.
It's only family and they only have access to the relevant shares on the NAS and Plex content.
