Posted: Sat Jan 29, 2011 11:54 Post subject: open vpn server with dd-wrt firmware on cascaded router
I'm convinced to set up a VPN server in my home with OpenVPN built into my Linksys WRT54GL router with dd-wrt v24-sp2 firmware.
I use BSNL's Dataone DSL with a dynamic IP.
Their router (RTR1) terminates the DSL line and the WRT54GL (RTR2) is connected to the DSL router. DHCP is off on RTR1 and nothing will connect to it except RTR2.
I have the DDNS updater in RTR2 updating the dynamic IP so the host name resolves.
I have 3 options here:
Setup-1: Bridged
- RTR1 is bridged and its LAN is fed to RTR2's WAN. RTR2 dials the internet through PPPoE and its WAN picks up the public IP
- RTR2 is set in gateway mode and DHCP is active on it
- RTR2 LAN IP is set to 192.168.54.1
- RTR2 LAN IP is set as DMZ in RTR2 so that all the packets from RTR2 WAN will flow to RTR2 LAN
Setup-2: Routed
- RTR1 connects to the ISP through PPPoE and its LAN is fed to RTR2's WAN
- RTR1 LAN IP is 192.168.1.1
- RTR2 WAN is set to static IP 192.168.1.2
- RTR2 WAN IP is set as DMZ in RTR1 so all the traffic is routed to RTR2
- RTR2 is set in gateway mode and DHCP is active on it
- RTR2 LAN IP is set to 192.168.54.1
- RTR2 LAN IP is set as DMZ in RTR2 so that all the packets from WAN will flow to LAN within RTR2
Setup-3: Switched
- RTR1 connects to the ISP through PPPoE and its LAN is fed to RTR2's LAN
- RTR1 LAN IP is 192.168.1.1
- RTR2 WAN is disabled
- RTR2 LAN IP is set to 192.168.1.2
- RTR2 is set in gateway mode and DHCP is active on it
- RTR2 LAN IP is set as DMZ in RTR1 so all the traffic is routed to RTR2
- NAT or DMZ is not specified in RTR2 because WAN is disabled
Copied and pasted the ca.crt, server.crt, server.key and dh1024.pem and created the configuration parameters in RTR2's VPN configuration page.
Added the necessary iptables commands to the firewall.
Created the client certificates.
But I'm not getting a connection from client to server in any of the above 3 setups and I'm unable to find the problem.
I've turned off the SPI firewall in RTR2 and allowed UDP 1194 through the Windows firewall on the client machines.
I am able to reach RTR2 from outside the LAN (using a laptop and internet from my phone). SSH on port 22 of RTR2 is working. Why not port 1194?
Is port 1194 blocked on BSNL Dataone? Should I switch to some other port like 443?
How do I check if 1194 is blocked by my ISP? I don't know how to use a port scanner.
VPN status is showing as Connected and Success on the RTR2 status page. It is taking an IP from the VPN subnet (192.168.66.1 in my case).
Getting the following error when I try to connect from client outside LAN
(Error Msg-1)
Code:
Fri Jan 28 15:01:38 2011 OpenVPN 2.2-beta5 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Nov 30 2010
Fri Jan 28 15:01:38 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Fri Jan 28 15:01:38 2011 UDPv4 link local: [undef]
Fri Jan 28 15:01:38 2011 UDPv4 link remote: 117.197.213.99:1194
Fri Jan 28 15:02:39 2011 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Jan 28 15:02:39 2011 TLS Error: TLS handshake failed
Fri Jan 28 15:02:39 2011 SIGUSR1[soft,tls-error] received, process restarting
Getting the following error when I try to connect from client within the LAN
(Error Msg-2)
Code:
Fri Jan 28 15:07:25 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Fri Jan 28 15:07:25 2011 Re-using SSL/TLS context
Fri Jan 28 15:07:25 2011 UDPv4 link local: [undef]
Fri Jan 28 15:07:25 2011 UDPv4 link remote: 192.168.54.1:1194
Fri Jan 28 15:07:25 2011 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Fri Jan 28 15:07:25 2011 TLS Error: TLS object -> incoming plaintext read error
Fri Jan 28 15:07:25 2011 TLS Error: TLS handshake failed
Fri Jan 28 15:07:25 2011 SIGUSR1[soft,tls-error] received, process restarting
These two error messages correspond to 2 different problems, I guess.
The 1st error message says inbound packets are not reaching the OpenVPN server.
The 2nd error message says communication with the server occurred but certificate verification failed.
If so, how come the same error message is also showing on the server log page when I try to connect a client from outside the LAN? Does that mean the client is talking to the server?
I know my case is more about networking than dd-wrt but I can't find a more suitable place to seek help.
Also I've noticed SSH is too slow and inconsistent when using setup-2 compared to setup-1. Is this because RTR1 is slow in forwarding packets to RTR2 and it is better to leave it bridged?
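As an added example (not from this thread, and not DD-WRT's or OpenVPN's own tooling), here is a small POSIX shell script that tells the two client-log signatures quoted above apart and reports which endpoint the client was actually trying. The two samples embedded in it are the log excerpts from the post, trimmed to the lines that matter; the verdict names and the script itself are assumptions of this example. It runs on any box with sh, grep and awk, including the router's busybox shell.

```shell
#!/bin/sh
# Added example, not code from the thread or from DD-WRT: classify an OpenVPN
# client log by the failure signature it contains. Reads the log on stdin and
# prints exactly one verdict on stdout. Works in busybox ash as well as bash.
#
#   CONNECTED         handshake completed ("Initialization Sequence Completed")
#   CERT_VERIFY_FAIL  the server did answer, but its certificate does not chain
#                     to the ca.crt the client has (wrong or mismatched CA)
#   NO_SERVER_REPLY   no TLS packet came back in the 60 s window: the client's
#                     packets never reached the server, or the replies never
#                     made it back (port forward/DMZ, firewall, wrong IP/port)
#   TLS_OTHER         a TLS failure that is neither of the above
#   UNKNOWN           no recognisable OpenVPN status line in the input

classify_openvpn_log() {
    log=$(cat)
    if printf '%s\n' "$log" | grep -q 'Initialization Sequence Completed'; then
        echo CONNECTED
    elif printf '%s\n' "$log" | grep -q 'certificate verify failed'; then
        echo CERT_VERIFY_FAIL
    elif printf '%s\n' "$log" | grep -q 'TLS key negotiation failed to occur within'; then
        echo NO_SERVER_REPLY
    elif printf '%s\n' "$log" | grep -q 'TLS handshake failed'; then
        echo TLS_OTHER
    else
        echo UNKNOWN
    fi
}

# Print the last "link remote" endpoint the client tried, so you can confirm
# the log belongs to an attempt against the public address (outside the LAN)
# rather than the router's LAN address.
remote_endpoint() {
    awk '/link remote:/ { ep = $NF } END { print ep }'
}

# Sample input: the two logs quoted in the post, trimmed to the relevant lines.
SAMPLE_OUTSIDE=$(cat <<'EOF'
Fri Jan 28 15:01:38 2011 UDPv4 link local: [undef]
Fri Jan 28 15:01:38 2011 UDPv4 link remote: 117.197.213.99:1194
Fri Jan 28 15:02:39 2011 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Jan 28 15:02:39 2011 TLS Error: TLS handshake failed
EOF
)
SAMPLE_INSIDE=$(cat <<'EOF'
Fri Jan 28 15:07:25 2011 UDPv4 link local: [undef]
Fri Jan 28 15:07:25 2011 UDPv4 link remote: 192.168.54.1:1194
Fri Jan 28 15:07:25 2011 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Fri Jan 28 15:07:25 2011 TLS Error: TLS handshake failed
EOF
)

# Usage: sh classify.sh openvpn-client.log    (no argument: run the samples)
if [ -n "${1:-}" ]; then
    classify_openvpn_log < "$1"
else
    printf 'outside LAN: %s (remote %s)\n' \
        "$(printf '%s\n' "$SAMPLE_OUTSIDE" | classify_openvpn_log)" \
        "$(printf '%s\n' "$SAMPLE_OUTSIDE" | remote_endpoint)"
    printf 'inside LAN:  %s (remote %s)\n' \
        "$(printf '%s\n' "$SAMPLE_INSIDE" | classify_openvpn_log)" \
        "$(printf '%s\n' "$SAMPLE_INSIDE" | remote_endpoint)"
fi
```

The check order matters: "certificate verify failed" is tested before the 60-second timeout because it proves a reply came back from the server, whereas the timeout only proves nothing did. For the outside-LAN sample the verdict is NO_SERVER_REPLY, for the inside-LAN sample CERT_VERIFY_FAIL, which matches the split the post makes between the two messages.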
The steps outlined here work very well. Depending on the work that you have done, you 'might' have to reset to default settings and start afresh.
Starting with a clean slate would be my recommendation.
On the second page of the article above, there is a point (while setting up the firewall scripts and startup commands) where the code and the instructions are blended together. Watch out for that section.
If you go through this process, you will have a BRIDGED setup. Setting up a ROUTED configuration can be a little more challenging. I would suggest getting a BRIDGED config going first and then 'graduating' to a ROUTED config.
Keep us posted with the progress.
_________________
===================================
1 * DIR-866L - 29193 Mega (Main Gateway)
1 * EA4200 - 29193 Mega (Main Gateway)
1 * EA6500 - 29193 Mega (Repeater Bridge)
1 * EA6500v2 - 29193 Mega (Repeater Bridge)
1 * WRT610N - 29193 Mega (Repeater Bridge)
===================================
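To make the bridged-versus-routed difference in the reply concrete, here is an added example (not the thread's script and not the DD-WRT wiki's own) that generates the firewall rules a DD-WRT OpenVPN server needs in each mode. The port (1194) and VPN subnet (192.168.66.0/24) are the post's values; br0, tun0 and tap0 are the usual DD-WRT interface names; the script layout, the DRY_RUN switch and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the thread's or the DD-WRT wiki's own script: the
# iptables rules a DD-WRT OpenVPN server needs, generated for either a ROUTED
# (dev tun0, separate VPN subnet) or a BRIDGED (dev tap0 joined to br0) server.
# Port 1194 and 192.168.66.0/24 are the post's values; br0/tun0/tap0 are the
# usual DD-WRT interface names. With DRY_RUN set, the commands are printed
# instead of executed, so the rule set can be reviewed before it is saved
# under Administration -> Commands -> Save Firewall on the router.

VPN_PORT=${VPN_PORT:-1194}
VPN_SUBNET=${VPN_SUBNET:-192.168.66.0/24}
LAN_IF=${LAN_IF:-br0}

# Execute a command, or just print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Both modes: admit the OpenVPN listener's port on the router itself. With
# the DD-WRT firewall enabled, unsolicited UDP to the router is dropped
# unless a rule like this admits it. If this router's WAN sits behind
# another router (the post's setup-2), that router must also forward or
# DMZ UDP/$VPN_PORT to this router's WAN IP.
firewall_common() {
    run iptables -I INPUT 1 -p udp --dport "$VPN_PORT" -j ACCEPT
}

# ROUTED (tun0): the VPN is its own subnet, so packets must be allowed to be
# forwarded between tun0 and the LAN bridge in both directions. MASQUERADE
# hides VPN clients behind the router's LAN address so LAN hosts need no
# return route to $VPN_SUBNET; drop that line if you add the route instead.
firewall_routed() {
    firewall_common
    run iptables -I FORWARD 1 -s "$VPN_SUBNET" -j ACCEPT
    run iptables -I FORWARD -i "$LAN_IF" -o tun0 -j ACCEPT
    run iptables -I FORWARD -i tun0 -o "$LAN_IF" -j ACCEPT
    run iptables -t nat -A POSTROUTING -s "$VPN_SUBNET" -o "$LAN_IF" -j MASQUERADE
}

# BRIDGED (tap0): tap0 becomes a member of the LAN bridge (this part belongs
# in the startup script), so VPN clients sit on the LAN segment itself and
# no FORWARD or NAT rules are needed, only the listener rule.
startup_bridged() {
    run openvpn --mktun --dev tap0
    run brctl addif "$LAN_IF" tap0
    run ifconfig tap0 0.0.0.0 promisc up
}
firewall_bridged() {
    firewall_common
}

# Usage: sh vpn-fw.sh routed|bridged [apply]   (without "apply": preview only)
case "${1:-}" in
    routed)  [ "${2:-}" = apply ] || DRY_RUN=1; firewall_routed ;;
    bridged) [ "${2:-}" = apply ] || DRY_RUN=1; startup_bridged; firewall_bridged ;;
esac
```

Previewing with `sh vpn-fw.sh routed` prints five rules; `sh vpn-fw.sh bridged` prints the three tap0 setup commands and the single INPUT rule. The routed set is the one that carries the extra FORWARD and NAT state the reply calls "more challenging"; the bridged set is the smaller one to get working first.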