Problem with Site-to-Site routed VPN

Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Advanced Networking
Author Message
jamesb0nd
DD-WRT Novice


Joined: 22 Nov 2009
Posts: 6

PostPosted: Tue Oct 25, 2011 19:22    Post subject: Problem with Site-to-Site routed VPN Reply with quote
I used this link: http://www.dd-wrt.com/wiki/index.php/OpenVPN_-_Site-to-Site_routed_VPN_between_two_routers

These are the errors i got from the log dumps:

10-23-2011 13:47:50 Daemon.Notice 192.168.123.1 Oct 23 20:47:51 openvpn[693]: UDPv4 link remote: [undef]
10-23-2011 13:47:50 Daemon.Notice 192.168.123.1 Oct 23 20:47:51 openvpn[693]: UDPv4 link local (bound): [undef]:2000
10-23-2011 13:47:50 Daemon.Notice 192.168.123.1 Oct 23 20:47:51 openvpn[693]: Expected Remote Options hash (VER=V4): '62cf4b05'
10-23-2011 13:47:50 Daemon.Notice 192.168.123.1 Oct 23 20:47:51 openvpn[693]: Local Options hash (VER=V4): '62cf4b05'
10-23-2011 13:47:50 Daemon.Notice 192.168.123.1 Oct 23 20:47:51 openvpn[693]: Data Channel MTU parms [ L:1545 D:1450 EF:45 EB:135 ET:0 EL:0 AF:3/1 ]
10-23-2011 13:47:50 Daemon.Notice 192.168.123.1 Oct 23 20:47:51 openvpn[693]: TUN/TAP TX queue length set to 100
10-23-2011 13:47:50 Daemon.Notice 192.168.123.1 Oct 23 20:47:51 openvpn[693]: TUN/TAP device tun0 opened
10-23-2011 13:47:50 Daemon.Notice 192.168.123.1 Oct 23 20:47:51 openvpn[693]: Socket Buffers: R=[109568->131072] S=[109568->131072]
10-23-2011 13:47:50 Daemon.Notice 192.168.123.1 Oct 23 20:47:51 openvpn[693]: LZO compression initialized
10-23-2011 13:47:50 Daemon.Notice 192.168.123.1 Oct 23 20:47:51 openvpn[693]: Static Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
10-23-2011 13:47:50 Daemon.Notice 192.168.123.1 Oct 23 20:47:51 openvpn[693]: Static Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
10-23-2011 13:47:50 Daemon.Notice 192.168.123.1 Oct 23 20:47:51 openvpn[693]: Static Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
10-23-2011 13:47:50 Daemon.Notice 192.168.123.1 Oct 23 20:47:51 openvpn[693]: Static Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
10-23-2011 13:47:50 Daemon.Warning 192.168.123.1 Oct 23 20:47:51 openvpn[693]: WARNING: file '/tmp/static.key' is group or others accessible
10-23-2011 13:47:50 Daemon.Warning 192.168.123.1 Oct 23 20:47:51 openvpn[693]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
10-23-2011 13:47:48 Daemon.Notice 192.168.123.1 Oct 23 20:47:49 openvpn[693]: Restart pause, 2 second(s)
10-23-2011 13:47:48 Daemon.Notice 192.168.123.1 Oct 23 20:47:49 openvpn[693]: SIGUSR1[soft,ping-restart] received, process restarting
10-23-2011 13:47:48 Daemon.Notice 192.168.123.1 Oct 23 20:47:49 openvpn[693]: Closing TUN/TAP interface
10-23-2011 13:47:48 Daemon.Notice 192.168.123.1 Oct 23 20:47:49 openvpn[693]: TCP/UDP: Closing socket
10-23-2011 13:47:48 Daemon.Notice 192.168.123.1 Oct 23 20:47:49 openvpn[693]: Inactivity timeout (--ping-restart), restarting
10-23-2011 13:46:48 Daemon.Notice 192.168.123.1 Oct 23 20:46:48 openvpn[693]: UDPv4 link remote: [undef]
10-23-2011 13:46:48 Daemon.Notice 192.168.123.1 Oct 23 20:46:48 openvpn[693]: UDPv4 link local (bound): [undef]:2000
10-23-2011 13:46:48 Daemon.Notice 192.168.123.1 Oct 23 20:46:48 openvpn[693]: Expected Remote Options hash (VER=V4): '62cf4b05'
10-23-2011 13:46:48 Daemon.Notice 192.168.123.1 Oct 23 20:46:48 openvpn[693]: Local Options hash (VER=V4): '62cf4b05'
10-23-2011 13:46:48 Daemon.Notice 192.168.123.1 Oct 23 20:46:48 openvpn[693]: Data Channel MTU parms [ L:1545 D:1450 EF:45 EB:135 ET:0 EL:0 AF:3/1 ]
10-23-2011 13:46:48 Daemon.Notice 192.168.123.1 Oct 23 20:46:48 openvpn[693]: TUN/TAP TX queue length set to 100
10-23-2011 13:46:48 Daemon.Notice 192.168.123.1 Oct 23 20:46:48 openvpn[693]: TUN/TAP device tun0 opened
10-23-2011 13:46:48 Daemon.Notice 192.168.123.1 Oct 23 20:46:48 openvpn[693]: Socket Buffers: R=[109568->131072] S=[109568->131072]
10-23-2011 13:46:48 Daemon.Notice 192.168.123.1 Oct 23 20:46:48 openvpn[693]: LZO compression initialized
10-23-2011 13:46:48 Daemon.Notice 192.168.123.1 Oct 23 20:46:48 openvpn[693]: Static Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
10-23-2011 13:46:48 Daemon.Notice 192.168.123.1 Oct 23 20:46:48 openvpn[693]: Static Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
10-23-2011 13:46:48 Daemon.Notice 192.168.123.1 Oct 23 20:46:48 openvpn[693]: Static Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
10-23-2011 13:46:48 Daemon.Notice 192.168.123.1 Oct 23 20:46:48 openvpn[693]: Static Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
10-23-2011 13:46:48 Daemon.Warning 192.168.123.1 Oct 23 20:46:48 openvpn[693]: WARNING: file '/tmp/static.key' is group or others accessible
10-23-2011 13:46:48 Daemon.Warning 192.168.123.1 Oct 23 20:46:48 openvpn[693]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
10-23-2011 13:46:46 Daemon.Notice 192.168.123.1 Oct 23 20:46:46 openvpn[693]: Restart pause, 2 second(s)
10-23-2011 13:46:46 Daemon.Notice 192.168.123.1 Oct 23 20:46:46 openvpn[693]: SIGUSR1[soft,ping-restart] received, process restarting
10-23-2011 13:46:46 Daemon.Notice 192.168.123.1 Oct 23 20:46:46 openvpn[693]: Closing TUN/TAP interface
10-23-2011 13:46:46 Daemon.Notice 192.168.123.1 Oct 23 20:46:46 openvpn[693]: TCP/UDP: Closing socket
10-23-2011 13:46:46 Daemon.Notice 192.168.123.1 Oct 23 20:46:46 openvpn[693]: Inactivity timeout (--ping-restart), restarting


Here are the 2 configs:

Startup
# Move to writable directory and create scripts
cd /tmp
ln -s /usr/sbin/openvpn /tmp/myvpn

# Config for Site-to-Site SiteA-SiteB
echo "
proto udp
port 2000
dev tun0
secret /tmp/static.key
verb 3
comp-lzo
keepalive 15 60
daemon
" > SiteA-SiteB.conf

# Config for Static Key
echo "
-----BEGIN OpenVPN Static key V1-----
{cert}
-----END OpenVPN Static key V1-----
" > static.key

# Create interfaces
/tmp/myvpn --mktun --dev tun0
ifconfig tun0 10.0.0.1 netmask 255.255.255.0 promisc up

# Create routes
route add -net 192.168.1.0 netmask 255.255.255.0 gw 10.0.0.2

# Initiate the tunnel
sleep 5
/tmp/myvpn --config SiteA-SiteB.conf


Firewall
# Open firewall holes
iptables -I INPUT 2 -p udp --dport 2000 -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT



2nd Site:

# Move to writable directory and create scripts
cd /tmp
ln -s /usr/sbin/openvpn /tmp/myvpn

# Config for Site-to-Site SiteA-SiteB
echo "
remote bcs.serveftp.com
proto udp
port 2000
dev tun0
secret /tmp/static.key
verb 3
comp-lzo
keepalive 15 60
daemon
" > SiteA-SiteB.conf

# Config for Static Key
echo "
-----BEGIN OpenVPN Static key V1-----
{cert}
-----END OpenVPN Static key V1-----
" > static.key

# Create interfaces
/tmp/myvpn --mktun --dev tun0
ifconfig tun0 10.0.0.2 netmask 255.255.255.0 promisc up

# Create routes
route add -net 192.168.123.0 netmask 255.255.255.0 gw 10.0.0.1

# Initiate the tunnel
sleep 5
/tmp/myvpn --config SiteA-SiteB.conf
Sponsor
jamesb0nd
DD-WRT Novice


Joined: 22 Nov 2009
Posts: 6

PostPosted: Tue Oct 25, 2011 19:24    Post subject: Firmware Reply with quote
the main is running:

Firmware Version
DD-WRT v24-sp2 (05/17/11) mega - build 17084M NEWD Eko

The other side is running buffalo's image from 3 months ago.
jamesb0nd
DD-WRT Novice


Joined: 22 Nov 2009
Posts: 6

PostPosted: Wed Nov 09, 2011 17:41    Post subject: Reply with quote
Bump?!?
donphillipe
DD-WRT User


Joined: 18 Jun 2008
Posts: 166

PostPosted: Sun Dec 04, 2011 18:32    Post subject: No help Reply with quote
Unfortunately I don't have an answer for you but I do have issues myself trying to get my setup working. I have been playing with OpenVPN and dd-wrt for years trying to get it to work for my road warrior activity but always end up giving up and using alternate but more tedious methods to communicate back home.

With the V24 sp2 iteration of OpenVPN and with the link below I finally got a server running and was able to VPN in from a remote laptop with no errors. Hooray!! I do have to run the server with the SPI firewall off but that is another issue for another long session of read, try to figure out what the hell they are talking about and attempt another guess to fix the problem.

I am confused on the instructions in the link you posted here and wonder first why the static.key creation is being called in the logon script if there is room for keys to be input on the web gui now itself? Again, I don't know much about this.

Regardless, here is the link that I used to finally get my first remote laptop to dd-wrt OpenVPN daemon setup working. It is a step by step process and worked for me:

http://www.howtogeek.com/64433/how-to-install-and-configure-openvpn-on-your-dd-wrt-router/

My current frustration is trying to now set up another client, this time a dd-wrt client instead of a Vista laptop running OpenVPN, to link into this working configuration.

====== EDIT:
One problem I see with the OpenVPN Client piece of dd-wrt is there is no input area for a client profile - you have to trust one being created from the tic marks you select above the encryption key entry fields. As "finicky" as the server is, it seems like one needs this control (well obviously, actually). I am going to see if I can figure out how to write over the client.cfg (?) file from the startup script and try to match the same configuration options from my windows OpenVPN profile that works in that environment. Maybe that will supply the changes needed to allow it to work in unison as well as it does from Windows OpenVPN.
donphillipe
DD-WRT User


Joined: 18 Jun 2008
Posts: 166

PostPosted: Sun Dec 04, 2011 18:59    Post subject: Tracing OpenVPN messages Reply with quote
Just a side note to other non Linux gurus out there, some info I found in another wiki about how one can fairly easily debug OpenVPN errors. Simply turn on syslogd with no need to specify a syslog server. Then ensure that ssh is enabled (with the password setting or if you desire then do the more complicated secure key access - if you can get the secure key to work). I then use the Windows program WinSCP to go into SCP mode on port 22 with the IP address of the dd-wrt machine and user of root, password of the web interface to look at the directory structure on the dd-wrt server. Once logged in with WinSCP, you have to click the up directory tic several times to show the whole directory file structure, then navigate to /var/log/messages. This will show you your OpenVPN errors.
donphillipe
DD-WRT User


Joined: 18 Jun 2008
Posts: 166

PostPosted: Sun Dec 04, 2011 19:58    Post subject: It works! Reply with quote
I guess I just needed to talk myself through this process because I looked at the logs again and saw error messages but it said "initialized"!!!!

All I did was with the same setup, go into Administration, commands and first run and then add permanently a startup script:

route add -net 192.168.158.0 netmask 255.255.255.0 gw 10.0.1.1

Above, 192.168.158.0 is the submet of the LAN side of the dd-wrt box I am VPNing into. I can now go to url 192.168.158.1 and get the password prompt to access the VPN server router. Fantastic!!!

Here is my console. Not sure what the warnings mean but for now it works. I am not sure where the gw 10.0.1.1 came from put I am doing a lot of copy and paste programming it seems.

Code:

Dec  4 13:12:02 DD-WRT daemon.notice openvpn[850]: OpenVPN 2.1_rc20 mipsel-unknown-linux-gnu [SSL] [LZO1] [EPOLL] built on Nov  2 2009
Dec  4 13:12:02 DD-WRT daemon.warn openvpn[850]: WARNING: file '/tmp/openvpncl/client.key' is group or others accessible
Dec  4 13:12:02 DD-WRT daemon.notice openvpn[850]: LZO compression initialized
Dec  4 13:12:02 DD-WRT daemon.notice openvpn[886]: UDPv4 link local: [undef]
Dec  4 13:12:02 DD-WRT daemon.notice openvpn[886]: UDPv4 link remote: 192.168.2.197:1194
Dec  4 13:12:04 DD-WRT daemon.notice openvpn[886]: [server] Peer Connection Initiated with 192.168.2.197:1194
Dec  4 13:12:06 DD-WRT daemon.notice openvpn[886]: TUN/TAP device tun0 opened
Dec  4 13:12:06 DD-WRT daemon.notice openvpn[886]: /sbin/ifconfig tun0 10.8.0.6 pointopoint 10.8.0.5 mtu 1500
Dec  4 13:12:07 DD-WRT daemon.notice openvpn[886]: Initialization Sequence Completed


Again what I did to configure a dd-wrt OpenVPN server initially with a single windows client was go here:
1 - set up a dd-wrt OpenVPN server and a windows OpenVPN client as per this guide:
http://www.howtogeek.com/64433/how-to-install-and-configure-openvpn-on-your-dd-wrt-router/
(note: be sure to create enough extra unique client keys to address future needs)
2 - pay attention to the comments at the end of the post and change your profiles to adjust for mistakes in the original article
3 - debug by using the syslogd and view via WinSCP as I pointed out before
4 - to set up now a dd-wrt client, refer to this wiki for client code under topic "Client Configuration - DD-WRT"
http://www.dd-wrt.com/wiki/index.php/VPN_%28the_easy_way%29_v24%2B
5 - use one of the extra client(x) series of client key files that you created in your initial key creation exercise. Copy them and paste them in the respective web gui for OpenVPN Client option.
6 - check the /var/log/messages file using WinSCP on the dd-wrt client OpenVPN router to see if you get a successful link as in my example above
7 - add the route statement with the OpenVPN servers subnet named to the login script of the dd-wrt OpenVPN client
8 - use run command from Admin first to see if it works, then if it does, then add permanently
9 - now ping addresses on the dd-wrt OpenVPN server subnet
10 - edit note: the dd-wrt OpenVPN server has to have the SPI firewall set off in order for this configuration to work. I am still looking for something to put in the firewall script on the server that will allow it to be turned back on. Will update if I find it.

Again cut and paste programming at it's absolute best!
Display posts from previous:    Page 1 of 1
Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Advanced Networking All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You cannot download files in this forum