Posted: Mon Nov 12, 2018 16:34 Post subject: Help configuring and troubleshooting OpenVPN server
Hello,
I am trying to configure OpenVPN server on my DDWRT router for my specific goal. If you look at the diagrams below, you can see I have installed DDWRT (Buffalo) with OpenVPN Server running a separate router connected to my 'regular' home router. On the other diagram, you can see my OpenVPN server settings (however, it is probably not configured properly).
Per the network diagram, I am trying to allow a certain number of devices (maximum of 5) to remotely connect to the OpenVPN server. I believe I have created the keys correctly using other sites I have found online, but I have a feeling something is not configured correctly on the OpenVPN Server since I am unable to connect to the server and there is nothing in the server logs that shows any kind of attempt, etc. At the end of the day, I want each of the devices to appear to be coming from inside my home (when surfing the internet, they should have the same public facing IP as the TP-Link and the same DNS as the TP-Link).
Can anyone guide me on the right track and see if I have anything configured incorrectly?
Joined: 18 Mar 2014 Posts: 12884 Location: Netherlands
Posted: Mon Nov 12, 2018 17:11 Post subject:
Attached my notes, however they deal with setting up a TUN server.
There is a section dealing with setting up on a Wireless Access Point (WAP) (LAN<>LAN connected), like the one you have.
If the OpenVPN status is empty this usually means you have misconfigured something; certificate errors are the most likely culprit. If the configuration is done right the status page should show: "Server: CONNECTED SUCCES" (even if there are no connections).
You should enable Advanced Options and enable Redirect default Gateway.
You should also port forward from your main router.
As I said, no experience with TAP, but maybe my notes can be helpful in checking your certificates.
Thank you for this! I will go through this and get back to you with any questions I might have. It is currently configured as Bridge (TAP) only because of another post where I set something up (that has been working great btw), but of course I am totally open to changing it to Router (TUN) as you have in the document.
I just wanted to update everyone and let them know that I have this solution working! Thank you to 'egc' for his guide and assistance getting this working. My VPN is configured using Router (TUN) per his guide.
After testing, there is one final housekeeping item that I'm wondering if someone can help me with? When I connect to the VPN and go to ipchicken.com, my public IP address on the local PC that I'm using to test is from the remote location (this is perfect and is expected); however, when I run a DNS leak test (www.dnsleaktest.com), it says I am using the DNS servers from my local ISP (Comcast). When I connect to the VPN, what do I need to change in my config (either on the DDWRT VPN server or my config.ovpn file) so that I am using the remote location's DNS servers when connected?
According to dnsleaktest.com, if I add 'block-outside-dns' to my config.ovpn file this should fix my issue. Unfortunately when I add this to my config.ovpn file, I can connect to the VPN with no issues, but I can't surf the internet.
Posted: Thu Nov 22, 2018 20:33 Post subject:
You can push your DNS server to the clients:
If you want to resolve DNS names over the VPN you will need to add the below lines to “Additional Config.”
If you want to use a public DNS server (e.g. Google's):
Code:
push "dhcp-option DNS 8.8.8.8"
If you want to use your own router/OpenVPN server (my lan Domain is named "home"):
Code:
push "dhcp-option DNS 192.168.1.1"
push "dhcp-option DOMAIN HOME"
Here’s a breakdown of what’s going on:
The local DNS server at 192.168.1.1 is pushed to clients so they can make queries on the server’s network.
The domain is specified so hostnames will resolve without specification.
If you are using DD-WRT as a DNS server you’ll need to tell DNSMasq to listen for requests on the interface your VPN clients will query on. To do this you’ll need to figure out what interface that is.
To see the interface your VPN clients will query on, you can find this in the GUI by clicking “Setup” > “Advanced Routing” > “Routing Table.” In there you’ll see a route that specifies the tun adapter you are using and the IP net; see below. For me it is tun2.
Erratum: you use 192.168.0.1 as main router on your network, so you should use 192.168.0.1 instead of 192.168.1.1
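A small checker for the push lines and dnsmasq binding described in this post, added here as an example and not part of egc's guide or DD-WRT itself; it assumes the 'Additional Config' text, the tun interface name (e.g. tun2) and the 'Additional DNSMasq Options' text are passed in as plain strings, and it treats a pushed private DNS address as the router's own dnsmasq.

```python
import ipaddress
import shlex

SMART_QUOTES = "\u201c\u201d\u2018\u2019"  # curly quotes; OpenVPN only quotes with straight " and '


def audit_push_dns(server_config, tun_iface, dnsmasq_options):
    """Audit DD-WRT OpenVPN 'Additional Config' push lines plus 'Additional DNSMasq
    Options'. Returns pushed DNS/domain, gateway and dnsmasq state, and problems."""
    r = {"dns": [], "domain": None, "redirect_gateway": False,
         "dnsmasq_listens_on_tun": False, "problems": []}
    for n, raw in enumerate(server_config.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":  # OpenVPN comment syntax
            continue
        if any(q in line for q in SMART_QUOTES):
            r["problems"].append(f"line {n}: curly quotes; use straight quotes")
            line = line.translate(str.maketrans(SMART_QUOTES, "\"\"''"))  # assume intent
        try:
            tokens = shlex.split(line)
        except ValueError as exc:
            r["problems"].append(f"line {n}: unbalanced quotes ({exc})")
            continue
        if not tokens or tokens[0] != "push":
            continue
        if len(tokens) != 2:  # push takes exactly one quoted option
            r["problems"].append(f"line {n}: push needs one quoted option, got {len(tokens) - 1}")
            continue
        opt = tokens[1].split()
        if opt[:2] == ["dhcp-option", "DNS"] and len(opt) == 3:
            try:
                r["dns"].append(str(ipaddress.ip_address(opt[2])))
            except ValueError:
                r["problems"].append(f"line {n}: {opt[2]!r} is not an IP address")
        elif opt[:2] == ["dhcp-option", "DOMAIN"] and len(opt) == 3:
            r["domain"] = opt[2]
        elif opt[0] == "redirect-gateway":
            r["redirect_gateway"] = True
    # dnsmasq must be bound to the tun interface if clients are to query the router itself
    bound = set()
    for raw in dnsmasq_options.splitlines():
        key, _, val = raw.strip().partition("=")
        if key == "interface":
            bound.update(i.strip() for i in val.split(","))
    r["dnsmasq_listens_on_tun"] = tun_iface in bound
    for ip in r["dns"]:  # private address: assumed to be the router's own dnsmasq
        if ipaddress.ip_address(ip).is_private and not r["dnsmasq_listens_on_tun"]:
            r["problems"].append(f"router DNS {ip} pushed but dnsmasq has no interface={tun_iface}")
    if not r["redirect_gateway"]:
        r["problems"].append("no redirect-gateway pushed; clients keep their local default route")
    return r
```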
Thank you for the info 'egc'. Yes, you are correct - I will need to use 192.168.0.1 (as opposed to 192.168.1.1)
So just to recap, since I want each of the connected VPN clients to use the DNS from the OpenVPN server location, I will need to:
- Go into 'Services', 'Services', then under 'DHCP Server'
- Used Domain = LAN & WLAN
- LAN Domain = test
- Then under 'Services', 'VPN', 'OpenVPN Server / Daemon' under 'Additional Config'
- push "dhcp-option DNS 192.168.0.1"
- push "dhcp-option DOMAIN TEST"
Quick update on this: in order to get local DNS working, I did the following 3 steps. Once I did step 2, I'm unable to connect to the VPN with a client. I'm not sure if the problem is related to the case (upper in one section vs lower in another)?
1. Go into 'Services', 'Services', then under 'DHCP Server' set the following:
Used Domain = LAN & WLAN
LAN Domain = test
2. Then under 'Services', 'VPN', 'OpenVPN Server / Daemon' under 'Additional Config' add the following:
push "dhcp-option DNS 192.168.0.1"
push "dhcp-option DOMAIN TEST"
3. Under 'Services', 'Services', scroll down to 'Additional DNSMasq Options' (I'm using tun2 as well, from the routing table):
interface=tun2
It did not matter whether I tried them in order (steps 1, 2, and 3) or tried step 1, 3, then 2. There is something about the 'push' commands that stopped the VPN client from connecting.
I checked the VPN client logs but didn't really see anything that would point to the issue; maybe the logs weren't verbose enough.
Hello all, I would like to revisit the pushing of the DNS server to the clients for my network.
First of all, from looking at the network diagram, I assume the config is 'all' done on the OpenVPN server (Primary Home router2) and not on the Primary Home (router1)?
Assuming the OpenVPN server (PH router2) is the correct device, I am confused by what needs to be done when comparing the update on this thread from Nov 22, 2018 and onwards vs the DDWRT OpenVPN Server Setup Public v1.98.pdf guide on page 19.
At the end of the day, I want any device (whether a Windows 10 PC that directly connects to my OpenVPN server from a coffee shop, or any client connected to the Vacation Home router2) to not only pull an IP from PH router2 (which works great), but to also use the DNS from inside the Primary Home. I think it is easiest if I just focus on a Windows 10 PC (with OpenVPN GUI) pulling the DNS from the Primary Home.