x53sv DD-WRT Novice Joined: 26 May 2018 Posts: 20
Posted: Sat Aug 28, 2021 7:26 Post subject: v3.0-r47206 OpenVPN DD-WRT - cannot ping self/anything
DD-WRT v3.0-r47206 std (08/19/21)
ASUS R7000
Ok. OpenVPN Client or Server setup.
I have an OpenVPN server in the cloud. I can configure DD-WRT to connect to this server. After much trial and error, I had to remove the TA.KEY section.
But once connected, I cannot ping my own IP address while I am logged into the router via SSH to the router.
So I figured I would try server mode instead.
I setup my DD-WRT as an OpenVPN Server on the router. When done and the OpenVPN server is running on the router, I cannot ping the IP of the OpenVPN server while I am logged into the router via SSH.
So let's only look at the simplest option first. The OpenVPN server is running on the router but the router cannot ping the OpenVPN IP address. It can ping its primary address. It can ping its alternate addresses from the guest network. But not the OpenVPN gateway address. No other routers are involved.
I *would* like to point out that while the router is restarting the tunnel, the ping succeeds once or twice. But then as it finishes, the pings stop working. I had the same results in client mode as well.
Any assistance in solving this would be great. I used to be able to use OpenVPN readily on routers before, a few years ago. Not sure what has changed.
Config
Code:
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
keepalive 10 120
verb 3
mute 3
syslog
writepid /var/run/openvpnd.pid
management 127.0.0.1 14
management-log-cache 100
topology subnet
script-security 2
port 8443
proto tcp-server
auth sha256
cipher CHACHA20-POLY1305
data-ciphers AES-128-GCM:AES-256-GCM:AES-256-CBC
client-connect /tmp/openvpn/clcon.sh
client-disconnect /tmp/openvpn/cldiscon.sh
client-config-dir /jffs/etc/openvpn/ccd
comp-lzo no
tls-server
duplicate-cn
client-to-client
tcp-nodelay
tun-mtu 1500
mtu-disc yes
server 10.60.60.0 255.255.255.0
dev tun2
dh none
ecdh-curve secp384r1
route-up /tmp/openvpn/route-up.sh
route-pre-down /tmp/openvpn/route-down.sh
iptables:
Code:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1341 216K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT udp -- vlan2 * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
0 0 ACCEPT tcp -- vlan2 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8443
0 0 ACCEPT all -- tun2 * 0.0.0.0/0 0.0.0.0/0
329 23793 ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0
0 0 logbrute tcp -- vlan2 * 0.0.0.0/0 192.168.1.1 tcp dpt:22
0 0 ACCEPT tcp -- vlan2 * 0.0.0.0/0 192.168.1.1 tcp dpt:22
0 0 ACCEPT icmp -- vlan2 * 0.0.0.0/0 0.0.0.0/0
10 320 logdrop 2 -- vlan2 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 ACCEPT udp -- wl0.1 * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
0 0 ACCEPT udp -- wl0.1 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- wl0.1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
0 0 logdrop all -- wl0.1 * 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 ACCEPT all -- wl0.1 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT udp -- wl1.1 * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
0 0 ACCEPT udp -- wl1.1 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- wl1.1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
0 0 logdrop all -- wl1.1 * 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 ACCEPT all -- wl1.1 * 0.0.0.0/0 0.0.0.0/0
484 89422 logdrop all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- tun2 * 0.0.0.0/0 0.0.0.0/0
0 0 logdrop all -- wl0.1 * 0.0.0.0/0 192.168.1.0/24 state NEW
0 0 logdrop all -- wl1.1 * 0.0.0.0/0 192.168.1.0/24 state NEW
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 upnp all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 lan2wan all -- wl0.1 * 0.0.0.0/0 0.0.0.0/0
0 0 lan2wan all -- wl1.1 * 0.0.0.0/0 0.0.0.0/0
0 0 lan2wan all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- br0 br0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- br0 vlan2 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * vlan2 192.168.1.0/24 0.0.0.0/0 tcp dpt:1723
0 0 ACCEPT 47 -- * vlan2 192.168.1.0/24 0.0.0.0/0
0 0 TRIGGER all -- vlan2 br0 0.0.0.0/0 0.0.0.0/0 TRIGGER type:in match:0 relate:0
0 0 trigger_out all -- br0 * 0.0.0.0/0 0.0.0.0/0
0 0 TRIGGER all -- vlan2 eth0 0.0.0.0/0 0.0.0.0/0 TRIGGER type:in match:0 relate:0
0 0 trigger_out all -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 TRIGGER all -- vlan2 eth1 0.0.0.0/0 0.0.0.0/0 TRIGGER type:in match:0 relate:0
0 0 trigger_out all -- eth1 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- eth1 * 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 TRIGGER all -- vlan2 eth2 0.0.0.0/0 0.0.0.0/0 TRIGGER type:in match:0 relate:0
0 0 trigger_out all -- eth2 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- eth2 * 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 TRIGGER all -- vlan2 vlan1 0.0.0.0/0 0.0.0.0/0 TRIGGER type:in match:0 relate:0
0 0 trigger_out all -- vlan1 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- vlan1 * 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 logdrop all -- br0 wl0.1 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 TRIGGER all -- vlan2 wl0.1 0.0.0.0/0 0.0.0.0/0 TRIGGER type:in match:0 relate:0
0 0 trigger_out all -- wl0.1 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- wl0.1 * 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 logdrop all -- br0 wl1.1 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 TRIGGER all -- vlan2 wl1.1 0.0.0.0/0 0.0.0.0/0 TRIGGER type:in match:0 relate:0
0 0 trigger_out all -- wl1.1 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- wl1.1 * 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 logdrop all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 3 packets, 252 bytes)
pkts bytes target prot opt in out source destination
1442 448K ACCEPT all -- * br0 0.0.0.0/0 0.0.0.0/0
Chain advgrp_1 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_10 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_11 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_12 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_13 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_14 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_15 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_16 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_17 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_18 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_19 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_2 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_20 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_3 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_4 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_5 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_6 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_7 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_8 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_9 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_1 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_10 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_11 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_12 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_13 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_14 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_15 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_16 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_17 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_18 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_19 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_2 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_20 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_3 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_4 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_5 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_6 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_7 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_8 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_9 (0 references)
pkts bytes target prot opt in out source destination
Chain lan2wan (3 references)
pkts bytes target prot opt in out source destination
Chain logaccept (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain logbrute (1 references)
pkts bytes target prot opt in out source destination
0 0 all -- * * 0.0.0.0/0 0.0.0.0/0 recent: SET name: BRUTEFORCE side: source mask: 255.255.255.255
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ! recent: UPDATE seconds: 60 hit_count: 4 name: BRUTEFORCE side: source mask: 255.255.255.255
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 1/min burst 1
0 0 logdrop all -- * * 0.0.0.0/0 0.0.0.0/0
Chain logdrop (10 references)
pkts bytes target prot opt in out source destination
494 89742 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain logreject (0 references)
pkts bytes target prot opt in out source destination
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
Chain trigger_out (7 references)
pkts bytes target prot opt in out source destination
Chain upnp (1 references)
pkts bytes target prot opt in out source destination
NAT table
Code:
Chain PREROUTING (policy ACCEPT 2368 packets, 576K bytes)
pkts bytes target prot opt in out source destination
0 0 DNAT udp -- wl0.1 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 to:8.8.8.8
0 0 DNAT tcp -- wl0.1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 to:8.8.8.8
0 0 DNAT udp -- wl1.1 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 to:8.8.8.8
0 0 DNAT tcp -- wl1.1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 to:8.8.8.8
0 0 DNAT tcp -- * * 0.0.0.0/0 192.168.10.192 tcp dpt:22 to:192.168.1.1:22
0 0 DNAT icmp -- * * 0.0.0.0/0 192.168.10.192 to:192.168.1.1
0 0 TRIGGER all -- * * 0.0.0.0/0 192.168.10.192 TRIGGER type:dnat match:0 relate:0
Chain INPUT (policy ACCEPT 375 packets, 27093 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 1 packets, 84 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 1 packets, 84 bytes)
pkts bytes target prot opt in out source destination
0 0 SNAT all -- * vlan2 192.168.1.0/24 0.0.0.0/0 to:192.168.10.192
0 0 SNAT all -- * vlan2 10.60.6.0/24 0.0.0.0/0 to:192.168.10.192
0 0 SNAT all -- * vlan2 10.60.7.0/24 0.0.0.0/0 to:192.168.10.192
0 0 RETURN all -- * br0 0.0.0.0/0 0.0.0.0/0 PKTTYPE = broadcast
0 0 MASQUERADE all -- * br0 192.168.1.0/24 192.168.1.0/24
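The filter listing in the post can be read mechanically. The block below is an added example, not code from the thread or from DD-WRT: a small first-match simulator that parses `iptables -L -v -n` output (including the blank-target form of the `recent` rule in logbrute) and walks a packet through the INPUT chain the way the kernel does, entering user-defined chains and honouring RETURN. Run against an excerpt of the chains posted above, a ping from the router to its own 10.60.60.1 address (a locally addressed packet enters INPUT on lo) is accepted by the `lo ... state NEW` rule, a client connecting to tcp/8443 on vlan2 is accepted, and unsolicited WAN traffic falls to the final logdrop rule. Only match text that occurs in the posted output is modelled; when a rule relies on anything else (the `recent:` and `limit:` matches in logbrute, for instance) the walk stops with UNDECIDED instead of guessing. The function names, the constructed packets and the WAN source 203.0.113.5 are this example's own assumptions; the OUTPUT chain, the nat/mangle/raw tables, routing and rp_filter are outside its scope, so a clean ACCEPT here only says that the posted INPUT rules are not what drops the ping.

```python
# Added example (not from the thread or from DD-WRT): a first-match simulator for
# the `iptables -L -v -n` listing posted above. It models only the match text that
# occurs in that output; anything else (recent:, limit:, PKTTYPE ...) ends the walk UNDECIDED.
import ipaddress
import re

PROTO_NUMBERS = {"1": "icmp", "2": "igmp", "6": "tcp", "17": "udp", "47": "gre"}

# Constructed sample input: an excerpt of the posted INPUT, logbrute and logdrop
# chains (INPUT shortened to the rules the packets in the tests can touch).
SAMPLE = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1341 216K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- vlan2 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8443
0 0 ACCEPT all -- tun2 * 0.0.0.0/0 0.0.0.0/0
0 0 logbrute tcp -- vlan2 * 0.0.0.0/0 192.168.1.1 tcp dpt:22
0 0 ACCEPT tcp -- vlan2 * 0.0.0.0/0 192.168.1.1 tcp dpt:22
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 state NEW
484 89422 logdrop all -- * * 0.0.0.0/0 0.0.0.0/0
Chain logbrute (1 references)
pkts bytes target prot opt in out source destination
0 0 all -- * * 0.0.0.0/0 0.0.0.0/0 recent: SET name: BRUTEFORCE side: source mask: 255.255.255.255
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ! recent: UPDATE seconds: 60 hit_count: 4 name: BRUTEFORCE side: source mask: 255.255.255.255
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 1/min burst 1
0 0 logdrop all -- * * 0.0.0.0/0 0.0.0.0/0
Chain logdrop (10 references)
pkts bytes target prot opt in out source destination
494 89742 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
"""


def parse_listing(text):
    """Parse `iptables -L -v -n` output into {chain: {"policy": ..., "rules": [...]}}."""
    chains, cur = {}, None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+) \((?:policy (\S+)|\d+ references)", line)
        if m:
            cur = chains.setdefault(m.group(1), {"policy": m.group(2), "rules": []})
            continue
        tok = line.split()
        if cur is None or not tok or tok[0] == "pkts":
            continue
        if len(tok) > 4 and tok[4] == "--":   # pkts bytes target prot opt in out src dst ...
            target, proto, i = tok[2], tok[3], 5
        else:                                 # rule without -j: the target column is blank
            target, proto, i = "", tok[2], 4
        cur["rules"].append({"target": target, "proto": PROTO_NUMBERS.get(proto, proto),
                             "in": tok[i], "out": tok[i + 1],
                             "src": ipaddress.ip_network(tok[i + 2]),
                             "dst": ipaddress.ip_network(tok[i + 3]),
                             "extra": " ".join(tok[i + 4:])})
    return chains


def match_extra(extra, pkt):
    """True/False for modelled match text; None when the rule needs an unmodelled match."""
    m = re.match(r"state (\S+)\s*", extra)
    if m:
        if pkt["state"] not in m.group(1).split(","):
            return False
        extra = extra[m.end():]
    m = re.match(r"(?:tcp|udp)(?: spt:(\d+))?(?: dpt:(\d+))?\s*", extra)
    if m:
        sport, dport = m.group(1), m.group(2)
        if (sport and sport != str(pkt["sport"])) or (dport and dport != str(pkt["dport"])):
            return False
        extra = extra[m.end():]
    return True if not extra else None


def match_rule(rule, pkt):
    if (rule["in"] not in ("*", pkt["in"]) or rule["out"] not in ("*", pkt["out"])
            or rule["proto"] not in ("all", pkt["proto"])
            or pkt["src"] not in rule["src"] or pkt["dst"] not in rule["dst"]):
        return False
    return match_extra(rule["extra"], pkt)


def walk(chains, name, pkt, trace=None):
    """First-match walk; returns (verdict, trace). Verdict is ACCEPT/DROP/REJECT,
    RETURN (a user chain fell through) or UNDECIDED (an unmodelled match was reached)."""
    trace = [] if trace is None else trace
    for rule in chains[name]["rules"]:
        hit = match_rule(rule, pkt)
        if hit is None:
            trace.append(f"{name}: cannot evaluate '{rule['extra']}'")
            return "UNDECIDED", trace
        if not hit:
            continue
        trace.append(f"{name}: {rule['target'] or '(no target)'} in={rule['in']} {rule['proto']} {rule['extra']}".rstrip())
        if rule["target"] in ("ACCEPT", "DROP", "REJECT", "RETURN"):
            return rule["target"], trace
        if rule["target"] in chains:          # user-defined chain: descend; RETURN resumes here
            verdict, trace = walk(chains, rule["target"], pkt, trace)
            if verdict != "RETURN":
                return verdict, trace
        # a rule with no -j (side effect only), an unknown target, or a returned sub-chain
    policy = chains[name]["policy"] or "RETURN"   # built-in chains end in their policy
    trace.append(f"{name}: end of chain -> {policy}")
    return policy, trace


def packet(in_if, proto, src, dst, state="NEW", dport=None, sport=None):
    """Constructed packet as seen by the INPUT chain (out is always '*' there)."""
    return {"in": in_if, "out": "*", "proto": proto, "state": state, "dport": dport,
            "sport": sport, "src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst)}


CHAINS = parse_listing(SAMPLE)
```

Call `walk(CHAINS, "INPUT", packet("lo", "icmp", "10.60.60.1", "10.60.60.1"))` and print the returned trace to see which rule decided; the intended use is to replace SAMPLE with a fresh `iptables -L -v -n` capture from the router and compare the verdict with what the packet counters show.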
egc DD-WRT Guru Joined: 18 Mar 2014 Posts: 12917 Location: Netherlands
x53sv DD-WRT Novice Joined: 26 May 2018 Posts: 20
Posted: Sat Aug 28, 2021 7:42 Post subject: Let's try to simplify.
I have followed the tutorial on how to set up OpenVPN.
I am not lost on OpenVPN but I am lost on why the networking is not working via the GUI. Been working with OpenVPN since v1. But this is unprecedented. I have the same OpenVPN configuration working on a DigitalOcean server.
I've been working with DD-WRT since the WRT54G but this behavior is new. In the past, setting up the OpenVPN server via GUI worked easily.
Steps to repeat what I'm trying to do. (I've included my config from /tmp/openvpn/openvpn.conf)
Router IP address: 192.168.1.1
OpenVPN subnet: 10.60.60.0/255.255.255.0
OpenVPN gateway address on Router: 10.60.60.1
Configure and run OpenVPN server.
SSH to router (192.168.1.1)
Ping 10.60.60.1
Failure. (no packets except 1 or 2 when OpenVPN restarts)
This is where I am.
Thank you for the link. Could you point me to the most helpful section? There's a lot there and I feel like my problem is almost very basic, even though I followed the tutorial.
egc DD-WRT Guru Joined: 18 Mar 2014 Posts: 12917 Location: Netherlands
x53sv DD-WRT Novice Joined: 26 May 2018 Posts: 20
Posted: Sat Aug 28, 2021 20:26 Post subject: CVE setting worked - but why?
Ok. Turning off CVE worked for the r47206. (where is that setting in the config anyway - or is it on the command line?).
When I turned this off on the OpenVPN client on the r47206, everything works again to connect to the cloud OpenVPN 2.5.3.
Figured out my other problem. I had an unnecessary forward for OpenVPN.
Still wondering where the CVE setting is used.
Fixed.
egc DD-WRT Guru Joined: 18 Mar 2014 Posts: 12917 Location: Netherlands
x53sv DD-WRT Novice Joined: 26 May 2018 Posts: 20