DD-WRT multi VPN host?

egosumumbravir
DD-WRT User


Joined: 19 Jun 2020
Posts: 58

Posted: Mon Sep 12, 2022 2:27    Post subject: DD-WRT multi VPN host?
Greetings all.

A long while ago I bodged together a single site-to-site TUN between two DD-WRT routers using the OpenVPN GUI. It's been working fairly reliably, and with some tickling of DNS (BIND server on this side, Dnsmasq on the remote) we've been successful at accessing LAN resources in both directions over the VPN.

However, this was done with fairly old revisions of DD-WRT on both sides, and I'm feeling the urge to NOT be running a year-old internet-facing device, so I've started the updating process.

Firstly, I'm hoping for some feedback on my settings or any suggestions to make things better.

Secondly, I'd really like to add a second and third site-to-site, and ideally an additional link for remotely accessing my LAN from a phone/laptop on the road. Hoping for some advice and guidance as to whether this is possible and how it might be done!

For the site-to-sites, there's no need for the sites to interact with each other, nor need for anything other than accessing remote LAN resources (commonly SSH, RDP & SMB). All the sites have broadband connections and different subnets.

Router is a Netgear R9000 running DD-WRT v3.0-r50146 std (09/10/22). We're not pushing a ton of traffic, so hopefully it's beefy enough. Clients are R8000s and will be migrated to r50146 as this project progresses. Pretty sure they're r47822 or older currently.

Apologies in advance though, I have an ABI that's making these concepts pretty deep going. I'm attempting to crash the v25 OpenVPN guide into my cerebellum bit by bit.

cheers
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12812
Location: Netherlands

Posted: Mon Sep 12, 2022 6:56    Post subject:
You are not pushing any routes, is that what you want?

The OpenVPN server setup guide has a paragraph about site-to-site setup, but regarding all your other wishes, consider using WireGuard.

Docs are also a sticky in this forum.

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
egosumumbravir
DD-WRT User


Joined: 19 Jun 2020
Posts: 58

Posted: Mon Sep 12, 2022 12:05    Post subject:
egc wrote:
You are not pushing any routes, is that what you want?

Old build carryover - routes have been defined in the additional options:
Code:
#push a route to the client, which will send traffic destined for the Server's LAN over the VPN.
push "route 192.168.xx.yy 255.255.255.0 vpn_gateway"

#Define a local (serverside) route to remote client
route 192.168.aa.bb 255.255.255.0 vpn_gateway

I note the guide section where this should be deprecated now.

I've also got a statement in my startup script:
Code:
echo "iroute 192.168.aa.bb 255.255.255.0" > /tmp/openvpn/ccd/RemoteLAN

No idea quite where I got that from. Guess I'll have to try removing it and see what breaks...

While it's working, my understanding of why it's working and what is redundant or can be changed for the better is insufficient.

I should note that I'm doing split tunnelling here on the site2site. Only traffic destined for servers inside each LAN should be transiting the VPN. Everything else should be using the WAN port.

Conversely, ideally the roadwarrior VPN will carry all traffic.

Is it possible to run two instances of OpenVPN on different ports?

egc wrote:
WireGuard.

Cheers, will see how I go digesting that.

Slow going so far, but the testing router got updated to r50146 + entware installed today and seems to work OK (despite double NAT) through a 4G hotspot.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12812
Location: Netherlands

Posted: Mon Sep 12, 2022 14:37    Post subject:
Yes, iroute is necessary (and also route) for site-to-site (on the server side), but not the way you are doing it.

The guide should talk you through.

egosumumbravir
DD-WRT User


Joined: 19 Jun 2020
Posts: 58

Posted: Tue Sep 13, 2022 4:31    Post subject:
egc wrote:
The guide should talk you through

Thanks. Gonna back up current configs, wipe and start again fresh.
egosumumbravir
DD-WRT User


Joined: 19 Jun 2020
Posts: 58

Posted: Wed Sep 21, 2022 0:31    Post subject:
Is there an easy way to wipe just the OpenVPN config?

A little text file somewhere I can erase? I'd really prefer not having to reset the entire config; there are a lot of changes to remember to remake.
dale_gribble39
DD-WRT Guru


Joined: 11 Jun 2022
Posts: 1889

Posted: Wed Sep 21, 2022 1:29    Post subject:
It's a good idea to print all the router config pages to PDF and just do a hard reset so that any gremlins or old nvram variables are cleared out.
Code:
nvram erase && reboot

AND / OR
Code:
nvram clear && reboot

_________________
"The woods are lovely, dark and deep,
But I have promises to keep,
And miles to go before I sleep,
And miles to go before I sleep." - Robert Frost

"I am one of the noticeable ones - notice me" - Dale Frances McKenzie Bozzio

<fact>code knows no gender</fact>

This is me, knowing I've ruffled your feathers, and not giving a ****
Some people are still hard-headed.

--------------------------------------
Mac Pro (Mid 2012) - Two 2.4GHz 6-Core Intel Xeon E5645 processors 64GB 1333MHz DDR3 ECC SDRAM OpenSUSE Leap 15.5
egosumumbravir
DD-WRT User


Joined: 19 Jun 2020
Posts: 58

Posted: Wed Sep 21, 2022 1:34    Post subject:
dale_gribble39 wrote:
It's a good idea to print all the router config pages to PDF and just do a hard reset so that any gremlins or old nvram variables are cleared out.

I don't disagree. It's just a massive PITA to do all of this just because I want to reset and try a different VPN configuration.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12812
Location: Netherlands

Posted: Wed Sep 21, 2022 17:29    Post subject:
Yes, it is a PITA, but there is no solution to reset the OpenVPN server.

The client can be reset: importvpncl.sh /dev/null

300000
DD-WRT Novice


Joined: 18 Aug 2011
Posts: 20

Posted: Wed Sep 21, 2022 20:34    Post subject:
It is possible to run multiple instances of the OpenVPN server, so you can link multiple site-to-site connections. Did you try it out, or what error popped up, so we can help make it work for you? On my router I can run 6 instances of the OpenVPN server and it works very well.
egosumumbravir
DD-WRT User


Joined: 19 Jun 2020
Posts: 58

Posted: Wed Sep 21, 2022 23:01    Post subject:
egc wrote:
Yes, it is a PITA, but there is no solution to reset the OpenVPN server.

The client can be reset: importvpncl.sh /dev/null

Cheers egc. Memory note: save a config of everything else before VPN fiddling.

300000 wrote:
It is possible to run multi instance of openvpn server

Excellent. How did you do it?
300000
DD-WRT Novice


Joined: 18 Aug 2011
Posts: 20

Posted: Fri Sep 23, 2022 21:20    Post subject:
This is how I run multiple instances of the OpenVPN server.

You need to prepare a working OpenVPN config file (extension .conf) running on DD-WRT first, so we know it works before doing this.

Go to the Services/USB tab and enable all of them. Move to NAS and enable Samba so we create a file server. Make sure it is working; we will store all config files on that USB so they are easy to edit and change as we like. Now create a folder called openvpn and put all config files in that folder.

This is my config; you can use it and add your own certificates.
Code:
server 10.10.90.0 255.255.255.0
mute-replay-warnings
port 700
dev tun2
fast-io
reneg-sec 0
proto tcp4
tls-version-min 1.2
tls-version-max 1.2
txqueuelen 10000
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
tls-ciphersuites TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
tls-cipher TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256:TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256
script-security 4
tls-timeout 90
hand-window 900
engine dynamic
remap-usr1 SIGHUP
push "ping 190"
push "route-method exe"
push "socket-flags TCP_NODELAY"
remote-cert-eku "TLS Web Client Authentication"
remote-cert-tls client
topology subnet
mode server
hash-size 13552 15372
bcast-buffers 13070
tcp-queue-limit 4500
tls-server
tun-mtu 60000
mssfix 0
fragment 0
sndbuf 393216
rcvbuf 393216
push "sndbuf 393216"
push "rcvbuf 393216"
;push "route 192.168.20.0 255.255.255.0 vpn_gateway"
push "dhcp-option WINS xxx.xxx.xxx.xxx"
push "dhcp-option DNS xxx.xxx.xxx.xxx"
push "dhcp-option DNS xxx.xxx.xxx.xxx"
push "dhcp-option NBT 2"
push "dhcp-option DOMAIN-SEARCH xxx.xxx.xxx.xxx"
push "dhcp-option DOMAIN xxx.xxx.xxx.xxx"
push "persist-key"
push "persist-tun"
client-to-client
keepalive 3600 9000
persist-key
persist-tun
verb 2
mute 2
ecdh-curve secp521r1
;status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn.log
data-ciphers-fallback AES-256-CBC
auth SHA512
dh none
<ca>

</ca>
<cert>

</cert>
<key>

</key>
<tls-crypt-v2>

</tls-crypt-v2>

Please note the first port is 700, the IP range is 10.10.90.0 and the dev is tun2. These are what differ between configs. The second config is the same but only needs a different port, range and dev.

Code:
server 10.10.80.0 255.255.255.0
mute-replay-warnings
port 710
dev tun3
fast-io
reneg-sec 0
proto tcp4
tls-version-min 1.2
tls-version-max 1.2
txqueuelen 10000
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
tls-ciphersuites TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
tls-cipher TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256:TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256
script-security 4
tls-timeout 90
hand-window 900
engine dynamic
remap-usr1 SIGHUP
push "ping 190"
push "route-method exe"
push "socket-flags TCP_NODELAY"
remote-cert-eku "TLS Web Client Authentication"
remote-cert-tls client
topology subnet
mode server
hash-size 13552 15372
bcast-buffers 13070
tcp-queue-limit 4500
tls-server
tun-mtu 60000
mssfix 0
fragment 0
sndbuf 393216
rcvbuf 393216
push "sndbuf 393216"
push "rcvbuf 393216"
;push "route 192.168.20.0 255.255.255.0 vpn_gateway"
push "dhcp-option WINS xxx.xxx.xxx.xxx"
push "dhcp-option DNS xxx.xxx.xxx.xxx"
push "dhcp-option DNS xxx.xxx.xxx.xxx"
push "dhcp-option NBT 2"
push "dhcp-option DOMAIN-SEARCH xxx.xxx.xxx.xxx"
push "dhcp-option DOMAIN xxx.xxx.xxx.xxx"
push "persist-key"
push "persist-tun"
client-to-client
keepalive 3600 9000
persist-key
persist-tun
verb 2
mute 2
ecdh-curve secp521r1
;status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn.log
data-ciphers-fallback AES-256-CBC
auth SHA512
dh none
<ca>

</ca>
<cert>

</cert>
<key>

</key>
<tls-crypt-v2>

</tls-crypt-v2>

You can create as many config files as you like and store them on the USB. After that we need to create the virtual network cards: go to Administration/Commands, copy and paste into the edit box and save as startup.
The first commands create virtual network cards named tun0 to tun6.

The next commands start OpenVPN when the router reboots.

Code:
cd /tmp
openvpn --mktun --dev tun2
ifconfig tun2 0.0.0.0 promisc up
openvpn --mktun --dev tun3
ifconfig tun3 0.0.0.0 promisc up
openvpn --mktun --dev tun4
ifconfig tun4 0.0.0.0 promisc up
openvpn --mktun --dev tun5
ifconfig tun5 0.0.0.0 promisc up
openvpn --mktun --dev tun6
ifconfig tun6 0.0.0.0 promisc up

openvpn --config /mnt/sda1/openvpn/test.conf --daemon
openvpn --config /mnt/sda1/openvpn/test1.conf --daemon
openvpn --config /mnt/sda1/openvpn/test2.conf --daemon
openvpn --config /mnt/sda1/openvpn/test3.conf --daemon
openvpn --config /mnt/sda1/openvpn/test4.conf --daemon

Now OpenVPN can run, but it needs firewall rules to work correctly.
Code:
iptables -t nat -I POSTROUTING -s 10.10.50.0/24 -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`

The first command makes the NAT so clients can get out; the rest make it work.
Code:
iptables -I INPUT 2 -i tun2+ -j ACCEPT
iptables -I FORWARD 1 -i tun2+ -j ACCEPT

Code:
iptables -t nat -I POSTROUTING -s 10.10.90.0/24 -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`
iptables -t nat -I POSTROUTING -s 10.10.80.0/24 -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`
iptables -t nat -I POSTROUTING -s 10.10.70.0/24 -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`
iptables -t nat -I POSTROUTING -s 10.10.60.0/24 -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`
iptables -t nat -I POSTROUTING -s 10.10.50.0/24 -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`


iptables -I INPUT 2 -i tun6+ -j ACCEPT
iptables -I INPUT 2 -i tun2+ -j ACCEPT
iptables -I INPUT 2 -i tun3+ -j ACCEPT
iptables -I INPUT 2 -i tun4+ -j ACCEPT
iptables -I INPUT 2 -i tun5+ -j ACCEPT

iptables -I FORWARD 1 -i tun6+ -j ACCEPT
iptables -I FORWARD 1 -i tun5+ -j ACCEPT
iptables -I FORWARD 1 -i tun4+ -j ACCEPT
iptables -I FORWARD 1 -i tun3+ -j ACCEPT
iptables -I FORWARD 1 -i tun2+ -j ACCEPT

300000
DD-WRT Novice


Joined: 18 Aug 2011
Posts: 20

Posted: Fri Sep 23, 2022 21:38    Post subject:
You want to make site-to-site, so in the config you need this one:
Code:
client-config-dir /tmp/openvpn/ccd

Code:
mkdir -p /tmp/openvpn/ccd
echo "ifconfig-push xxx.xxx.xxx.xxx 255.255.255.0
iroute 192.168.xx.xx 255.255.255.0" > /tmp/openvpn/ccd/RemoteLAN

You need to have the correct remote LAN subnet to make it work. Copy all this into the startup so it will create a file named RemoteLAN containing the iroute and ifconfig statements.

engine dynamic will use hardware to speed up OpenVPN, and remap will restart OpenVPN in case it stops.
Code:
engine dynamic
remap-usr1 SIGHUP
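As an added example (not code from the thread or from DD-WRT), this POSIX sh generator ties the two posts above together: each OpenVPN server instance is declared once with its port, tunnel subnet and tun device, collisions between instances are rejected before any startup line is emitted, the per-instance mktun/daemon/iptables lines follow the shapes the post uses (bound to the exact device rather than a wildcard), and the site-to-site CCD body plus the server-side route that egc says must accompany the iroute are produced from one pair of values. The instance names, ports and subnets are constructed; the /mnt/sda1/openvpn path comes from the post.

```shell
# Added example, not code from the thread: declare each OpenVPN server
# instance once (name, port, tunnel subnet, tun device), check that no
# port/subnet/device repeats, then emit the per-instance startup and
# firewall lines the post writes out by hand. Assumes configs live at
# /mnt/sda1/openvpn/<name>.conf as in the post; the table is constructed.
INSTANCES="
site_a      700 10.10.90.0 tun2
site_b      710 10.10.80.0 tun3
roadwarrior 720 10.10.70.0 tun4
"
# Print "ok" when column $1 (2=port, 3=subnet, 4=dev) has no repeats.
check_unique() {
    dups=$(printf '%s\n' "$INSTANCES" | awk -v c="$1" 'NF { print $c }' | sort | uniq -d)
    if [ -z "$dups" ]; then echo ok; else echo "dup:$dups"; fi
}
# The only config lines that differ between instances (rest is shared).
instance_header() {  # port subnet dev
    printf 'server %s 255.255.255.0\nport %s\ndev %s\n' "$2" "$1" "$3"
}
# Startup for one instance: persistent tun, daemon, then the SNAT / INPUT /
# FORWARD rules from the post, bound to the exact device, not a wildcard.
instance_startup() {  # name port subnet dev
    cat <<EOF
openvpn --mktun --dev $4
ifconfig $4 0.0.0.0 promisc up
openvpn --config /mnt/sda1/openvpn/$1.conf --daemon
iptables -t nat -I POSTROUTING -s $3/24 -o \$(get_wanface) -j SNAT --to \$(nvram get wan_ipaddr)
iptables -I INPUT 2 -i $4 -j ACCEPT
iptables -I FORWARD 1 -i $4 -j ACCEPT
EOF
}
# Site-to-site peer: CCD file body (static tunnel IP plus iroute for the
# remote LAN) and the matching server-side route; the thread needs both.
ccd_entry() {  # peer_tunnel_ip remote_lan
    printf 'ifconfig-push %s 255.255.255.0\niroute %s 255.255.255.0\n' "$1" "$2"
}
server_route() {  # remote_lan
    printf 'route %s 255.255.255.0 vpn_gateway\n' "$1"
}
# Emit everything, or nothing at all if the table has a collision.
generate_startup() {
    for c in 2 3 4; do
        [ "$(check_unique "$c")" = ok ] || { echo "collision in column $c" >&2; return 1; }
    done
    printf '%s\n' "$INSTANCES" | while read -r name port net dev; do
        if [ -n "$name" ]; then instance_startup "$name" "$port" "$net" "$dev"; fi
    done
}
```

Run `generate_startup > startup.sh` on a workstation and paste the result into Administration/Commands; `ccd_entry` output goes into the peer's file under /tmp/openvpn/ccd and `server_route` output into that instance's .conf.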
egosumumbravir
DD-WRT User


Joined: 19 Jun 2020
Posts: 58

Posted: Mon Sep 26, 2022 6:00    Post subject:
300000 wrote:
This is how I run multiple instances of the OpenVPN server.

Thank you very much for this excellent guide. I look forward to testing it out.
egosumumbravir
DD-WRT User


Joined: 19 Jun 2020
Posts: 58

Posted: Wed Sep 28, 2022 10:50    Post subject:
Still puzzling my way through this. Currently trying to wrap my broken brain around WireGuard.

egc, it's probably my stupid brain, but it'd be a lot easier if your instruction lists actually corresponded with the order of fields in the DD-WRT GUI.

i.e. WG server setup guide v44 pg 4: CVE-2019-14899 is step 8, when it's field #3 in the GUI. Jumping around is doing my head in and makes it too easy to miss stuff.