OpenVPN Server on R40559 not working

BarryBennett
DD-WRT Novice


Joined: 26 May 2020
Posts: 8

PostPosted: Fri Jun 26, 2020 0:26    Post subject: OpenVPN Server on R40559 not working
Summary Of The Problem:
Trying to get OpenVPN server to run on my Linksys WRTSL54GS router running R40559 with very little progress after many weeks of effort. I have read lots of posts and documents that seem to suggest that doing so should not be too difficult, but I must be missing something. I am using the instructions shared by user "egc" for configuring the OpenVPN server on the router and I feel like they make sense and that I am doing everything correctly. Unfortunately, once I reboot I am pretty sure the OpenVPN server is not up and running properly. The fact that I use the words "pretty sure" is part of the problem, which I will explain in the following paragraphs. I have tried to provide the information that I think will be helpful up front and I have grouped my questions near the end of the post.

Screenshots:
I am including screenshots for the following items in this post so please refer to them as needed:
1. GUI Status-OpenVPN-State screen
2. Network diagram showing my basic configuration

Test Setup:
For the client side I am using the latest client available for Windows (V11.15.0.0). I generated the keys and certificates as described in the setup guide. I verified the keys and certificates appear to be okay by using two Windows 10 PCs as a server and client with these same keys and they appear to work okay. My test configuration is basically a Windows 10 PC (which I call the remote PC) attached to the WAN side of the VPN router. On the LAN side of this router I have another Windows 10 PC (which I call the Desktop PC). When I start the VPN client on the remote PC and try to establish the connection to the VPN server on the router I eventually get a timeout condition with the error message "TLS Error: TLS key negotiation failed." I am trying to establish the connection using the router's WAN IP address and port 1194. In my specific test configuration I do not believe there is a need to forward port 1194 on the server router given where my remote PC is located.

Here is the config used by the Windows client side:
*******************************
client
dev tun
proto udp4
remote 192.168.0.128 1194
nobind
persist-key
persist-tun
remote-cert-tls server
auth-nocache
verb 4
float
tun-mtu 1500
auth SHA256
cipher AES-128-CBC
ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\client1.crt"
key "C:\\Program Files\\OpenVPN\\config\\client1.key"
*******************************

Server Configuration Deviations:
The deviations that I had to make in the server and client settings due to my router's firmware version not having a feature as shown in the document are:
1. CVE-2019-14899 Mitigation not available as an option.

2. Encryption Cipher setting of AES-128 CBC not available as an option.

3. Additional Config directives "dh none" and "ecdh-curve secp384r1" not included because it was not clear if my version supported the requirements to remove these. I therefore added the DH PEM data from the dh2048.pem file that I generated.

4. Additional Config directive "management 127.0.0.1 16" was added to get around what I think is a bug in my version that incorrectly specifies port 14 for the OpenVPN management interface. (I comment more on this later on.)

Here is a dump of the server configuration file:
*******************************
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
keepalive 10 120
verb 3
mute 3
syslog
writepid /var/run/openvpnd.pid
management 127.0.0.1 14
management-log-cache 100
topology subnet
script-security 2
port 1194
proto udp4
cipher aes-128-cbc
auth sha256
client-connect /tmp/openvpn/clcon.sh
client-disconnect /tmp/openvpn/cldiscon.sh
client-config-dir /tmp/openvpn/ccd
tls-server
duplicate-cn
client-to-client
push "redirect-gateway def1"
fast-io
tun-mtu 1500
mtu-disc yes
server 10.8.0.0 255.255.255.0
dev tun2
ncp-disable
management 127.0.0.1 16
*******************************


Here is a dump of the syslog information:
*******************************
Dec 31 19:00:05 DD-WRT syslog.info syslogd started: BusyBox v1.31.0
Dec 31 19:00:05 DD-WRT user.info syslog: resetbutton : resetbutton daemon successfully started
Dec 31 19:00:08 DD-WRT user.info syslog: bridge : bridge br0 successfully added
Dec 31 19:00:08 DD-WRT user.info syslog: bridge : interface eth0 successfully added to bridge br0
Dec 31 19:00:09 DD-WRT user.info syslog: bridge : interface eth2 successfully deleted from bridge br0
Dec 31 19:00:09 DD-WRT user.info syslog: syslogd : syslog daemon successfully stopped
Dec 31 19:00:09 DD-WRT syslog.info syslogd exiting
Dec 31 19:00:09 DD-WRT syslog.info syslogd started: BusyBox v1.31.0
Dec 31 19:00:09 DD-WRT user.info syslog: wland : daemon successfully started
Dec 31 19:00:10 DD-WRT user.info syslog: dnsmasq : daemon successfully started
Dec 31 19:00:13 DD-WRT daemon.info httpd[235]: httpd : httpd server started at port 80
Dec 31 19:00:15 DD-WRT user.info syslog: nas : wait for network init
Dec 31 19:00:15 DD-WRT user.info syslog: dnsmasq : daemon successfully stopped
Dec 31 19:00:15 DD-WRT user.info syslog: dnsmasq : daemon successfully started
Dec 31 19:00:15 DD-WRT user.info syslog: wland : daemon successfully stopped
Dec 31 19:00:15 DD-WRT user.info syslog: wland : daemon successfully started
Dec 31 19:00:15 DD-WRT user.info syslog: wan : WAN is up. IP: 192.168.0.128
Dec 31 19:00:15 DD-WRT user.info syslog: openvpn : OpenVPN daemon (Server) starting/restarting...
Dec 31 19:00:17 DD-WRT daemon.warn openvpn[308]: WARNING: Using --management on a TCP port WITHOUT passwords is STRONGLY discouraged and considered insecure
Dec 31 19:00:17 DD-WRT daemon.notice openvpn[308]: OpenVPN 2.4.7 mipsel-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Aug 6 2019
Dec 31 19:00:17 DD-WRT daemon.notice openvpn[308]: library versions: OpenSSL 1.1.1c 28 May 2019, LZO 2.09
Dec 31 19:00:17 DD-WRT user.info syslog: process_monitor : successfully started
Dec 31 19:00:17 DD-WRT daemon.notice openvpn[311]: MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:16
Dec 31 19:00:17 DD-WRT daemon.warn openvpn[311]: WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want
Dec 31 19:00:17 DD-WRT daemon.warn openvpn[311]: NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes th
Dec 31 19:00:17 DD-WRT daemon.warn openvpn[311]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Dec 31 19:00:18 DD-WRT daemon.debug ntpclient[314]: Connecting to time-a.nist.gov [129.6.15.28] ...
Jun 25 19:55:33 DD-WRT daemon.info ntpclient[314]: Time set from time-a.nist.gov [129.6.15.28].
Jun 25 19:55:33 DD-WRT daemon.info process_monitor[310]: cyclic NTP Update success (servers time-a.nist.gov)
Jun 25 19:55:37 DD-WRT daemon.debug process_monitor[310]: Restarting cron (time sync change)
Jun 25 19:55:37 DD-WRT user.info syslog: cron : daemon successfully stopped
Jun 25 19:55:37 DD-WRT user.info syslog: vpn modules : vpn modules successfully unloaded
Jun 25 19:55:37 DD-WRT user.info syslog: process_monitor : daemon successfully stopped
Jun 25 19:55:37 DD-WRT user.info syslog: vpn modules : nf_conntrack_proto_gre successfully loaded
Jun 25 19:55:37 DD-WRT user.info syslog: vpn modules : nf_nat_proto_gre successfully loaded
Jun 25 19:55:37 DD-WRT user.info syslog: cron : daemon successfully started
Jun 25 19:55:37 DD-WRT cron.info cron[398]: (CRON) STARTUP (fork ok)
Jun 25 19:55:37 DD-WRT user.info syslog: vpn modules : nf_conntrack_pptp successfully loaded
Jun 25 19:55:38 DD-WRT user.info syslog: vpn modules : nf_nat_pptp successfully loaded
Jun 25 19:55:38 DD-WRT user.info syslog: process_monitor : successfully started
Jun 25 19:55:39 DD-WRT daemon.debug process_monitor[425]: We need to re-update after 3600 seconds
Jun 25 19:55:39 DD-WRT daemon.info process_monitor[425]: process_monitor : set timer: 3600 seconds, callback: ntp_main()
Jun 25 19:55:39 DD-WRT user.info syslog: dnsmasq : daemon successfully stopped
Jun 25 19:55:40 DD-WRT user.info syslog: httpd : daemon successfully stopped
Jun 25 19:55:40 DD-WRT daemon.info httpd[257]: httpd : httpd server shutdown
Jun 25 19:55:40 DD-WRT daemon.info httpd[444]: httpd : httpd server started at port 80
Jun 25 19:55:40 DD-WRT user.info syslog: resetbutton : daemon successfully stopped
Jun 25 19:55:40 DD-WRT user.info syslog: resetbutton : resetbutton daemon successfully started
Jun 25 19:55:42 DD-WRT user.info syslog: dnsmasq : daemon hanging, send SIGKILL
Jun 25 19:55:42 DD-WRT user.info syslog: wland : daemon successfully stopped
Jun 25 19:55:42 DD-WRT user.info syslog: wland : daemon successfully started
Jun 25 19:55:42 DD-WRT user.info syslog: wan : WAN is up. IP: 192.168.0.128
Jun 25 19:55:42 DD-WRT user.info syslog: openvpnserver : OpenVPN daemon (Server) successfully stopped
Jun 25 19:55:44 DD-WRT user.debug syslog: ttraff: data collection started
Jun 25 19:55:45 DD-WRT user.info syslog: openvpnserver : OpenVPN daemon (Server) hanging, send SIGKILL
Jun 25 19:55:45 DD-WRT user.info syslog: openvpn : OpenVPN daemon (Server) starting/restarting...
Jun 25 19:55:46 DD-WRT daemon.warn openvpn[577]: WARNING: Using --management on a TCP port WITHOUT passwords is STRONGLY discouraged and considered insecure
Jun 25 19:55:46 DD-WRT daemon.notice openvpn[577]: OpenVPN 2.4.7 mipsel-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Aug 6 2019
Jun 25 19:55:46 DD-WRT daemon.notice openvpn[577]: library versions: OpenSSL 1.1.1c 28 May 2019, LZO 2.09
Jun 25 19:55:46 DD-WRT user.info syslog: process_monitor : daemon successfully stopped
Jun 25 19:55:46 DD-WRT daemon.notice openvpn[581]: MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:16
Jun 25 19:55:46 DD-WRT daemon.warn openvpn[581]: WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want
Jun 25 19:55:46 DD-WRT daemon.warn openvpn[581]: NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes th
Jun 25 19:55:46 DD-WRT daemon.warn openvpn[581]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jun 25 19:55:46 DD-WRT user.info syslog: process_monitor : successfully started
Jun 25 19:55:46 DD-WRT daemon.debug ntpclient[594]: Connecting to time-a.nist.gov [129.6.15.28] ...
Jun 25 19:55:46 DD-WRT daemon.info ntpclient[594]: Time set from time-a.nist.gov [129.6.15.28].
Jun 25 19:55:46 DD-WRT daemon.info process_monitor[584]: cyclic NTP Update success (servers time-a.nist.gov)
Jun 25 19:55:46 DD-WRT daemon.debug process_monitor[584]: We need to re-update after 3600 seconds
Jun 25 19:55:46 DD-WRT daemon.info process_monitor[584]: process_monitor : set timer: 3600 seconds, callback: ntp_main()
Jun 25 19:55:49 DD-WRT user.info syslog: vpn modules : vpn modules successfully unloaded
Jun 25 19:55:49 DD-WRT user.info syslog: vpn modules : nf_conntrack_proto_gre successfully loaded
Jun 25 19:55:49 DD-WRT user.info syslog: vpn modules : nf_nat_proto_gre successfully loaded
Jun 25 19:55:49 DD-WRT user.info syslog: vpn modules : nf_conntrack_pptp successfully loaded
Jun 25 19:55:49 DD-WRT user.info syslog: vpn modules : nf_nat_pptp successfully loaded
*******************************

Here is a list of processes running:
*******************************
PID USER VSZ STAT COMMAND
1 root 1840 S /sbin/init noinitrd
2 root 0 SW [keventd]
3 root 0 RWN [ksoftirqd_CPU0]
4 root 0 SW [kswapd]
5 root 0 SW [bdflush]
6 root 0 SW [kupdated]
11 root 0 SW [mtdblockd]
15 root 2620 S watchdog
187 root 2628 S telnetd
188 root 2624 S syslogd -Z -L
278 root 2624 S ttraff
398 root 1028 S cron
422 root 2636 S udhcpc -i eth1 -p /var/run/udhcpc.pid -s /tmp/udhcpc
451 root 6172 S httpd -p 80
452 root 2356 S resetbutton
488 root 1420 S dnsmasq -u root -g root --conf-file=/tmp/dnsmasq.con
499 root 2556 S wland
581 root 5504 S /tmp/openvpnserver --config /tmp/openvpn/openvpn.con
584 root 2632 S process_monitor
703 root 6172 S httpd -p 80
753 root 2648 S -sh
820 root 2632 R ps
*******************************

Question #1:
I see lots of posts that say "do not use the database" to determine what version to use, but I am at a loss on what that really means. I see lots of later versions that are available for download, but it is not clear to me how to know if these later versions will work on my device. I am asking this question in this forum because perhaps my OpenVPN problem is just that it does not work in R40559? I have read through various posts that suggest that might be the case, but others indicate having success with this version, so there is very conflicting information with no definitive conclusion. The question comes down to: how does one determine if a major feature such as the OpenVPN server works in a specific version, and how does one determine what other versions to safely load onto a device if not using the database?

Question #2:
The Status-OpenVPN-State screen is very uninformative, which makes me think something is very wrong. Note that the screenshot provided is after adding the configuration directive to use port 16 instead of port 14. Without this configuration change the State screen is completely blank. I assume what I am seeing here is a sign of a problem?

Question #3:
The log files seem to indicate that OpenVPN is hanging early on, but then it seems to restart okay. Later on there is an entry showing OpenVPN modules were unloaded, but then additional entries indicate they were successfully loaded. Bottom line is I am not sure what is good or bad here, but some of the entries look suspicious or concerning. Using the "ps" command I see an entry for something related to OpenVPN, but again I am not sure what it should look like. Can someone tell me if the log files are indicating a problem or if this is normal behavior?


Question #4:
Can someone tell me what I am doing wrong and how to get past this?
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14129
Location: Texas, USA

PostPosted: Fri Jun 26, 2020 0:49    Post subject:
You wasted a rather detailed post over a bad build.
https://dd-wrt.com/support/router-database/ wrote:
DISCLAIMER
This database may not have up-to-date information and may even recommend a build which might cause issues. As such, you should check the device specific forum (Broadcom, Atheros, MediaTek, etc.) first before flashing any build recommended in this database. There you will find build specific topics that discuss any issues with a particular build/release. For more up-to-date firmware files, please visit the firmware faq.

YOU HAVE BEEN GIVEN FRIENDLY AND FAIR NOTICE

Firmware FAQ

Where Do I Download Firmware?

Please consider upgrading to a more recent build, like today's: https://download1.dd-wrt.com/dd-wrtv2/downloads/betas/2020/06-25-2020-r43516/broadcom/

https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=325537

https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324541

_________________
"Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Contribute To DD-WRT
Pogo - A minimal level of ability is expected and needed...
DD-WRT Releases 2023 (PolitePol)
DD-WRT Releases 2023 (RSS Everything)

----------------------
Linux User #377467 counter.li.org / linuxcounter.net
BarryBennett
DD-WRT Novice


Joined: 26 May 2020
Posts: 8

PostPosted: Fri Jun 26, 2020 3:21    Post subject:
I have looked through these newer releases before, but I have struggled to figure out which folder to use and I would not have selected the Broadcom one over one that had Linksys in the name. In the folder you referenced there is one file that has my router's model number in it, but it is a "mini" build which I doubt includes the VPN features. (And yes, I did read through the information you suggested before responding here.) My point is I am not sure which of the files in the referenced folder I should use at this point. I am thinking the model-specific file I mentioned is for an initial OEM to DD-WRT upgrade, but since I am already running DD-WRT I can probably go straight to the "mega_generic" version. Greatly appreciate the quick response here and eager to upgrade once I know for sure which file to go with.
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14129
Location: Texas, USA

PostPosted: Fri Jun 26, 2020 3:53    Post subject:
Well, I would've posted the wiki, but it looks like it is completely ancient as far as anything of useful information:
https://wiki.dd-wrt.com/wiki/index.php/Linksys_WRTSL54GS

But, going by one of the "new" wikidevi pages: https://wikidevi.wi-cat.ru/Linksys_WRTSL54GS

You *should* be able to use the mega_generic.bin file, which *should* include VPN. That's my best semi-educated guess.

egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12840
Location: Netherlands

PostPosted: Fri Jun 26, 2020 8:01    Post subject:
As @kp69 already told you, you should get a better = recent build.

Then you can use the modern setup options; besides that, the build you are using is really crap.

If the OpenVPN status page is still blank after upgrading you have made a major configuration error.
Start then with checking your certificates.

If the server starts you see a lot of information (it says "CONNECTED SUCCESS" that does not mean it has a connection but that it started and you have connected to the management interface).

The TLS key error you got means that you cannot reach the server, so we interpret that as a network connection error, but in your case you cannot reach the server because there is none (as it is not started).

So upgrade, use the modern options and check the configuration.

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
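As an added example (not from this thread or from DD-WRT), here is a short Python triage of the lines the OpenVPN daemon writes to syslog. egc's point above is that a "TLS key negotiation failed" error means the client never reached a running server, and the quickest confirmation from the router's own log is whether the daemon ever reported "Initialization Sequence Completed" after the management-socket line. The sample log text below is constructed to match the excerpts posted in this thread, with a healthy continuation and a failing continuation built from OpenVPN's standard log messages; the "management without passwords" warning is also surfaced as a hardening finding, since a management socket that anything on the router can reach without a password is worth knowing about.

```python
import re

# Constructed sample lines modelled on the syslog excerpt posted in this thread:
# the daemon logs its banner and opens the management socket, then nothing more.
STALLED_LOG = """\
Dec 31 19:00:15 DD-WRT user.info syslog: openvpn : OpenVPN daemon (Server) starting/restarting...
Dec 31 19:00:16 DD-WRT daemon.warn openvpn[236]: WARNING: Using --management on a TCP port WITHOUT passwords is STRONGLY discouraged and considered insecure
Dec 31 19:00:16 DD-WRT daemon.notice openvpn[236]: OpenVPN 2.4.9 mipsel-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [MH/PKTINFO] [AEAD] built on Jun 25 2020
Dec 31 19:00:16 DD-WRT daemon.notice openvpn[237]: MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:14
Dec 31 19:00:16 DD-WRT daemon.warn openvpn[237]: WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want
"""

# Constructed: what a healthy start adds after the lines above (standard OpenVPN messages).
HEALTHY_LOG = STALLED_LOG + """\
Dec 31 19:00:17 DD-WRT daemon.notice openvpn[237]: TUN/TAP device tun2 opened
Dec 31 19:00:17 DD-WRT daemon.notice openvpn[237]: Initialization Sequence Completed
"""

# Constructed: a start that dies on an unreadable certificate (standard OpenVPN messages).
FAILED_LOG = STALLED_LOG + """\
Dec 31 19:00:17 DD-WRT daemon.err openvpn[237]: Cannot load certificate file /tmp/openvpn/cert.pem
Dec 31 19:00:17 DD-WRT daemon.err openvpn[237]: Exiting due to fatal error
"""

# BusyBox syslog layout seen in the thread: "<timestamp> <host> <facility.level> openvpn[<pid>]: <msg>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ (?P<prio>[\w.]+) openvpn\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)


def parse_openvpn_events(log_text):
    """Keep only lines written by the openvpn daemon itself (syslog tag 'openvpn[<pid>]')."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"pid": int(m["pid"]), "prio": m["prio"], "msg": m["msg"]})
    return events


def triage(log_text):
    """Summarise the daemon's startup: did it finish, and what did it warn about or die on?"""
    result = {"daemon_seen": False, "tun_opened": False, "initialized": False,
              "warnings": [], "errors": []}
    for ev in parse_openvpn_events(log_text):
        result["daemon_seen"] = True
        msg = ev["msg"]
        if "Initialization Sequence Completed" in msg:
            result["initialized"] = True
        elif msg.startswith("TUN/TAP device"):
            result["tun_opened"] = True
        elif msg.startswith(("WARNING:", "NOTE:")):
            result["warnings"].append(msg)
        elif ev["prio"].endswith(".err") or "fatal error" in msg.lower():
            result["errors"].append(msg)
    return result


def verdict(result):
    """One-line reading of a triage() result, in the order a practitioner would check it."""
    if not result["daemon_seen"]:
        return "no-daemon: openvpn never logged anything; check that the server is enabled"
    if result["initialized"]:
        return "running: Initialization Sequence Completed was logged"
    if result["errors"]:
        return "failed: " + result["errors"][0]
    return ("stalled: banner and management socket logged but no tunnel device and no "
            "Initialization Sequence Completed; raise verb and re-check certs/keys")


def insecure_management(result):
    """True when the management socket is reachable without a password (a hardening finding)."""
    return any("--management" in w and "WITHOUT passwords" in w for w in result["warnings"])


if __name__ == "__main__":
    for name, log in (("stalled", STALLED_LOG), ("healthy", HEALTHY_LOG), ("failed", FAILED_LOG)):
        r = triage(log)
        print(f"{name}: {verdict(r)} | insecure management: {insecure_management(r)}")
```

To use it on a real router, capture `grep -i openvpn /var/log/messages` from the CLI (the command egc asks for later in the thread) and pass the text to triage(); the "stalled" verdict is the pattern in this thread's excerpts, where the daemon reports its management socket but never the tunnel device or the completion line.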
BarryBennett
DD-WRT Novice


Joined: 26 May 2020
Posts: 8

PostPosted: Fri Jun 26, 2020 20:26    Post subject:
I installed the R43516 firmware on the router with no issues. I did a factory reset of the configuration both before and after the upgrade. I set up the VPN settings once again following the setup guide exactly. With this new firmware version there was no need to deviate from any setting. I of course rebooted the router once all settings were in place.

The differences from what I observed/posted before are minimal. The OpenVPN status page does populate now without having to change the management port, but it is still basically blank, just as my original post showed. The startup log looks cleaner, but there are still a few warnings from OpenVPN, exactly the same as I posted before. I am not seeing any signs of the OpenVPN process hanging and having to restart, so that seems to be a positive change. The "ps" command still shows the OpenVPN process is active, just like my original post. Even though the OpenVPN status was blank (probably not a good sign) I tried connecting from the Windows client and got the same timeout error, just like my original post. I checked the server configuration file on the router and it looks correct as far as matching what the GUI settings are set to. The key/certificate files are present and match what I copied over from my Windows machine when I generated them. (FYI: these files were verified to be correct using a Windows OpenVPN server configuration, as previously mentioned.)

To summarize, I see almost no difference with this latest build as compared to the earlier 40559 release. The startup log is a little cleaner and the status page is not completely blank, but it is still not right. Please advise on what information I can provide to help with diagnosing the issue. I must be doing something wrong, but I am at a loss as to what.
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14129
Location: Texas, USA

PostPosted: Fri Jun 26, 2020 21:17    Post subject:
I forget. Is the Windows 10 default VPN client PPTP or actually VPN? Or are you using a 3rd-party client?
BarryBennett
DD-WRT Novice


Joined: 26 May 2020
Posts: 8

PostPosted: Fri Jun 26, 2020 22:51    Post subject:
On the Windows side I am using the OpenVPN client that I downloaded from the OpenVPN.net site, so to answer your question, I believe this is using the OpenVPN protocol in a true VPN connection and not PPTP.

The one thing I realized after reviewing the setup documentation again is that I am using a 4096-bit key and not a 2048-bit key as is recommended in the setup guide. When I created the current keys I was following an OpenVPN guide for the Windows clients which is nearly identical to the DD-WRT guide's instructions for key creation. In reading a little further in the DD-WRT instructions it seems as if, as long as I am using at least a 2048-bit key and not exceeding the NVRAM limitations, the 4096-bit key should be okay. My NVRAM space is about 90% filled, but I still have 3KB left, so I believe I am okay here. It is a slight difference though, so is it possible that the DD-WRT implementation does not handle 4096-bit keys? I will say that several weeks ago I had been using a 2048-bit key (albeit with release R40559) and it made no difference in the outcome.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12840
Location: Netherlands

PostPosted: Sat Jun 27, 2020 6:23    Post subject:
The syslog is mostly not very helpful (the information is also on the status page), but send the output (from the CLI (telnet/putty)) of:
grep -i openvpn /var/log/messages

Send:
screenshot of OpenVPN settings page (whole page)
screenshot of OpenVPN status page (whole page)

width no more than 760 pixels

BarryBennett
DD-WRT Novice


Joined: 26 May 2020
Posts: 8

PostPosted: Sat Jun 27, 2020 13:47    Post subject:
Here are the log messages you requested:
********************************************
Dec 31 19:00:15 DD-WRT user.info syslog: openvpn : OpenVPN daemon (Server) starting/restarting...
Dec 31 19:00:16 DD-WRT daemon.warn openvpn[236]: WARNING: Using --management on a TCP port WITHOUT passwords is STRONGLY discouraged and considered insecure
Dec 31 19:00:16 DD-WRT daemon.notice openvpn[236]: OpenVPN 2.4.9 mipsel-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [MH/PKTINFO] [AEAD] built on Jun 25 2020
Dec 31 19:00:16 DD-WRT daemon.notice openvpn[236]: library versions: OpenSSL 1.1.1g 21 Apr 2020, LZO 2.09
Dec 31 19:00:16 DD-WRT daemon.notice openvpn[237]: MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:14
Dec 31 19:00:16 DD-WRT daemon.warn openvpn[237]: WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want
Dec 31 19:00:16 DD-WRT daemon.warn openvpn[237]: NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes th
Dec 31 19:00:16 DD-WRT daemon.warn openvpn[237]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
********************************************

I am attaching screenshots of the GUI settings, but given the limited resolution I think they are hard to read. They match the setup guide exactly. For any part of the settings screen that I did not include there is nothing filled in, just as the setup guide shows. I am including a dump of the configuration file, which of course mimics these settings:
********************************************
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
keepalive 10 120
verb 3
mute 3
syslog
writepid /var/run/openvpnd.pid
management 127.0.0.1 14
management-log-cache 100
topology subnet
script-security 2
port 1194
proto udp4
cipher aes-128-gcm
auth sha256
client-connect /tmp/openvpn/clcon.sh
client-disconnect /tmp/openvpn/cldiscon.sh
client-config-dir /tmp/openvpn/ccd
tls-server
duplicate-cn
client-to-client
push "redirect-gateway def1"
fast-io
tun-mtu 1500
mtu-disc yes
server 10.8.0.0 255.255.255.0
dev tun2
route-up /tmp/openvpn/route-up.sh
route-pre-down /tmp/openvpn/route-down.sh
ncp-disable
dh none
ecdh-curve secp384r1
********************************************

The OpenVPN Status page is exactly as I initially posted. There are some field labels shown but no values. Since it is identical to my original posting I did not include it again.

I verified that the keys and certificates stored as files on the router do contain the data they are supposed to. By that I mean they match the original data that was placed into the GUI boxes for each item.

I also tried modifying the configuration to use the dh2048 information instead of the built-in elliptic curve, but the result was the same.

I have not tried generating 2048-bit private keys in lieu of the 4096-bit keys I am using, but as I commented in a previous post, I had done this several weeks ago with the R40559 release and got the same non-working results. If you think it is worth trying 2048-bit keys I can certainly do it.
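As an added example (not from this thread or from DD-WRT), the following Python check parses an OpenVPN client config and a server config and reports the settings that must agree on both ends before a tunnel can pass traffic. The sample inputs are constructed from this thread: the client config posted at the top, and the server config posted just above after the upgrade, with file paths and script hooks omitted. The thread does not say whether the client config was changed after the server switched to aes-128-gcm, so the cipher finding the check produces is something to verify rather than a diagnosis; a data-channel cipher mismatch would not cause the "TLS key negotiation failed" error (that happens before the data channel is used) but would break traffic once a tunnel does come up.

```python
import shlex

# Constructed from the client config posted at the start of this thread (ca/cert/key paths omitted).
CLIENT_CONF = """\
client
dev tun
proto udp4
remote 192.168.0.128 1194
nobind
persist-key
persist-tun
remote-cert-tls server
auth-nocache
verb 4
float
tun-mtu 1500
auth SHA256
cipher AES-128-CBC
"""

# Constructed from the server config posted after the upgrade to r43516 (paths and script hooks omitted).
SERVER_CONF = """\
topology subnet
port 1194
proto udp4
cipher aes-128-gcm
auth sha256
tls-server
duplicate-cn
client-to-client
push "redirect-gateway def1"
tun-mtu 1500
server 10.8.0.0 255.255.255.0
dev tun2
ncp-disable
dh none
ecdh-curve secp384r1
"""


def parse_conf(text):
    """Map each directive to the list of argument lists it was given (directives such as push repeat)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        parts = shlex.split(line)
        conf.setdefault(parts[0], []).append(parts[1:])
    return conf


def first(conf, key, default):
    """Arguments of the first occurrence of a directive, or the given default."""
    return conf[key][0] if key in conf else default


def check_compat(client, server):
    """Return human-readable mismatches between a parsed client and server config."""
    findings = []
    remote = first(client, "remote", [])
    # 'remote host [port] [proto]' overrides the client's own port/proto directives
    cport = remote[1] if len(remote) > 1 else first(client, "port", ["1194"])[0]
    sport = first(server, "port", ["1194"])[0]
    if cport != sport:
        findings.append(f"port mismatch: client {cport}, server {sport}")
    cproto = remote[2] if len(remote) > 2 else first(client, "proto", ["udp"])[0]
    sproto = first(server, "proto", ["udp"])[0]
    if cproto[:3] != sproto[:3]:  # udp4/udp6 -> udp, tcp-client/tcp-server -> tcp
        findings.append(f"proto mismatch: client {cproto}, server {sproto}")
    cdev = first(client, "dev", ["tun"])[0].rstrip("0123456789")
    sdev = first(server, "dev", ["tun"])[0].rstrip("0123456789")
    if cdev != sdev:
        findings.append(f"dev type mismatch: client {cdev}, server {sdev}")
    # data channel: with NCP disabled on either side the static 'cipher' must agree
    ccipher = first(client, "cipher", ["BF-CBC"])[0].upper()  # BF-CBC is the OpenVPN 2.4 default
    scipher = first(server, "cipher", ["BF-CBC"])[0].upper()
    if ("ncp-disable" in client or "ncp-disable" in server) and ccipher != scipher:
        findings.append(f"cipher mismatch with NCP disabled: client {ccipher}, server {scipher}")
    cauth = first(client, "auth", ["SHA1"])[0].upper()
    sauth = first(server, "auth", ["SHA1"])[0].upper()
    if cauth != sauth:
        findings.append(f"auth (HMAC) mismatch: client {cauth}, server {sauth}")
    # control-channel protection must be configured on both ends or on neither
    for directive in ("tls-auth", "tls-crypt"):
        if (directive in client) != (directive in server):
            findings.append(f"{directive} present on only one side")
    cmtu = first(client, "tun-mtu", ["1500"])[0]
    smtu = first(server, "tun-mtu", ["1500"])[0]
    if cmtu != smtu:
        findings.append(f"tun-mtu mismatch: client {cmtu}, server {smtu}")
    return findings


def check_thread_configs():
    """Run the check over the two configs constructed from this thread."""
    return check_compat(parse_conf(CLIENT_CONF), parse_conf(SERVER_CONF))


if __name__ == "__main__":
    for finding in check_thread_configs() or ["no mismatches found"]:
        print(finding)
```

Run against the two constructed configs it reports only the cipher difference (AES-128-CBC on the client, AES-128-GCM on a server with ncp-disable); port, protocol, device type, HMAC and MTU all agree. Swapping either side's cipher to match the other clears the finding.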
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12840
Location: Netherlands

PostPosted: Sat Jun 27, 2020 14:15    Post subject:
Cannot see any obvious mistakes in setup.

Using a 4096-bit key length is usually a bad idea.
On a lot of routers the keys do not fit in nvram.
As your OpenVPN server does not start, and that is usually a key problem, generate the keys again with 2048-bit keys.

It can be that on this old router using an old kernel OpenVPN is simply broken.

These old routers are seldom used for OpenVPN any more, as you do not get more than a few Mb/s of bandwidth.

when the server starts you should see this on the status page:

BarryBennett
DD-WRT Novice


Joined: 26 May 2020
Posts: 8

PostPosted: Sat Jun 27, 2020 15:09    Post subject:
Regenerated keys with a 2048-bit length as requested.
Absolutely no change in the results.
Status page still not populating.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12840
Location: Netherlands

PostPosted: Sat Jun 27, 2020 16:42    Post subject:
Well, that means the server does not start (well, technically it starts but shuts down because of an error).

As you are sure the keys and certs are OK and the setup looks OK, the logical conclusion is that OpenVPN is broken on K2.4.

Normally I would advise using Wireguard, but Wireguard is only for K3.10 and higher.

I have a WRT54GS, but it is in the summer house (as a spare router) so I cannot test at the moment.

So nothing I can think of at this moment.
