Unable to redirect gateway with OpenVPN GUI

Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Advanced Networking
Author Message
Chunger
DD-WRT Novice


Joined: 17 Aug 2012
Posts: 4

PostPosted: Fri Aug 17, 2012 17:01    Post subject: Unable to redirect gateway with OpenVPN GUI Reply with quote
Hello I've been wrestling with this for awhile now, and after doing some searching on the boards, I haven't been able to find a solution for my problem, so I'm hoping the gurus here can help.

I'm trying to setup a site to site sever/client OpenVPN setup where client gets DHCP and tunnels all traffic through the server side.

Both the server and client are running on the cisco/linksys E3200 running dd-wrt.v24-17201_NEWD-2_K2.6_openvpn-nv60k.bin

The Server is using the OpenVPN Server GUI configuration and the Client is using the OpenVPN Client GUI configuration.

Currently the client connects to the server successfully, and I'm able to ping/access all the machines connected on the server LAN, but the client side remains on its own IP range and subnet instead of getting DHCP from server, and traffic is not routed through the server. I configured through the GUI and here is the .conf files DD-WRT created:

This is my server config...
Quote:

dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
keepalive 10 120
verb 4
mute 5
log-append /var/log/openvpn
tls-server
management 127.0.0.1 5002
management-log-cache 50
mtu-disc yes
topology subnet
client-config-dir /tmp/openvpn/peers
script-security 2
port 1194
proto udp
cipher bf-cbc
auth sha1
comp-lzo yes
client-to-client
push "redirect-gateway def1"
fast-io
tun-mtu 1500
server-bridge
dev tap0


And my Client config:

Quote:
ca /tmp/openvpncl/ca.crt
cert /tmp/openvpncl/client.crt
key /tmp/openvpncl/client.key
management 127.0.0.1 5001
management-log-cache 50
verb 4
mute 5
log-append /var/log/openvpncl
client
tls-client
resolv-retry infinite
nobind
persist-key
persist-tun
script-security 2
mtu-disc yes
dev tap1
proto udp
cipher bf-cbc
auth sha1
RemoteServerIP 1194
tun-mtu 1500
comp-lzo adaptive
fast-io


This is the log outputs I receive with personal info edited out.

Server :

Quote:

20120817 09:19:24 CLIENT/"client wan IP":32770 TLS: new session incoming connection from "client wan IP":32770
20120817 09:19:25 CLIENT/"client wan IP":32770 VERIFY OK: depth=1 /C=XX/ST=XX/L=XXXX/O=x/OU=xx/CN=xxxx/name=XxXx/emailAddress=xxx@gmail.com
20120817 09:19:25 CLIENT/"client wan IP":32770 VERIFY OK: depth=0 /C=XX/ST=XX/L=XXXX/O=x/OU=xx/CN=xxxx/name=XxXx/emailAddress=xxx@gmail.com
20120817 09:19:25 CLIENT/"client wan IP":32770 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
20120817 09:19:25 CLIENT/"client wan IP":32770 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
20120817 09:19:25 CLIENT/"client wan IP":32770 NOTE: --mute triggered...
20120817 09:19:28 CLIENT/"client wan IP":32770 5 variation(s) on previous 5 message(s) suppressed by --mute
20120817 09:19:28 CLIENT/"client wan IP":32770 PUSH: Received control message: 'PUSH_REQUEST'
20120817 09:19:28 CLIENT/"client wan IP":32770 SENT CONTROL [CLIENT]: 'PUSH_REPLY redirect-gateway def1 route-gateway dhcp ping 10 ping-restart 120' (status=1)
20120817 09:19:28 CLIENT/"client wan IP":32770 MULTI: Learn: 00:ff:80:8c:b2:65 -> CLIENT/"client wan IP":32770


Client:

Quote:

Serverlog Clientlog 20120817 09:19:23 Socket Buffers: R=[114688->131072] S=[114688->131072]
20120817 09:19:23 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
20120817 09:19:23 Local Options String: 'V4 dev-type tap link-mtu 1574 tun-mtu 1532 proto UDPv4 comp-lzo cipher BF-CBC auth SHA1 keysize 128 key-method 2 tls-client'
20120817 09:19:23 Expected Remote Options String: 'V4 dev-type tap link-mtu 1574 tun-mtu 1532 proto UDPv4 comp-lzo cipher BF-CBC auth SHA1 keysize 128 key-method 2 tls-server'
20120817 09:19:23 Local Options hash (VER=V4): 'd79ca330'
20120817 09:19:23 Expected Remote Options hash (VER=V4): 'f7df56b8'
20120817 09:19:23 I UDPv4 link local: [undef]
20120817 09:19:23 I UDPv4 link remote: "Server WAN IP":1194
20120817 09:19:23 TLS: Initial packet from "Server WAN IP":1194 sid=e7da6984 5d1f0ba4
20120817 09:19:23 N TLS Error: local/remote TLS keys are out of sync: "Server WAN IP":1194 [0]
20120817 09:19:23 N TLS Error: local/remote TLS keys are out of sync: "Server WAN IP":1194 [0]
20120817 09:19:23 N TLS Error: local/remote TLS keys are out of sync: "Server WAN IP":1194 [0]
20120817 09:19:23 N TLS Error: local/remote TLS keys are out of sync: "Server WAN IP":1194 [0]
20120817 09:19:23 N TLS Error: local/remote TLS keys are out of sync: "Server WAN IP":1194 [0]
20120817 09:19:23 NOTE: --mute triggered...
20120817 09:19:23 1 variation(s) on previous 5 message(s) suppressed by --mute
20120817 09:19:23 VERIFY OK: depth=1 /C=XX/ST=XX/L=XXXX/O=x/OU=xx/CN=xxxx/name=XxXx/emailAddress=xxx@gmail.com
20120817 09:19:23 VERIFY OK: depth=0 /C=US/ST=XX/L=XXXX/O=x/OU=xx/CN=xxxx/name=XxXx/emailAddress=xxx@gmail.com
20120817 09:19:24 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
20120817 09:19:24 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
20120817 09:19:24 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
20120817 09:19:24 NOTE: --mute triggered...
20120817 09:19:24 2 variation(s) on previous 5 message(s) suppressed by --mute
20120817 09:19:24 I [CLIENT] Peer Connection Initiated with "Server WAN IP":1194
20120817 09:19:26 SENT CONTROL [CLIENT]: 'PUSH_REQUEST' (status=1)
20120817 09:19:26 PUSH: Received control message: 'PUSH_REPLY redirect-gateway def1 route-gateway dhcp ping 10 ping-restart 120'
20120817 09:19:26 OPTIONS IMPORT: timers and/or timeouts modified
20120817 09:19:26 OPTIONS IMPORT: route options modified
20120817 09:19:26 OPTIONS IMPORT: route-related options modified
20120817 09:19:26 I TUN/TAP device tap1 opened
20120817 09:19:26 TUN/TAP TX queue length set to 100
20120817 09:19:26 W NOTE: unable to redirect default gateway -- VPN gateway parameter (--route-gateway or --ifconfig) is missing
20120817 09:19:26 I Initialization Sequence Completed


I see in the client log that the "unable to redirect default gateway" error, but I can't seem to resolve it.

The TLS error 20120817 09:19:23 N TLS Error: local/remote TLS keys are out of sync: "Server WAN IP":1194 [0] is usually not there.

Here is my firewall startup script:
Quote:

iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT
iptables -I FORWARD 1 --source "ServerLANGateway"/24 -j ACCEPT
iptables -I FORWARD -i br0 -o tap1 -j ACCEPT
iptables -I FORWARD -i tap1 -o br0 -j ACCEPT


I hope someone has some insight and can help.

Thanks in advance!
Sponsor
Sash
DD-WRT Guru


Joined: 20 Sep 2006
Posts: 17619
Location: Hesse/Germany

PostPosted: Sun Aug 19, 2012 17:09    Post subject: Reply with quote
upgrade 1st.
and use the gui

_________________
Forum Guidelines...How to get help
&
Forum Rules
&
RTFM/STFW
&
Throw some buzzwords into the WIKI search Exclamation
_________________
I'm NOT rude, just offer pure facts!
_________________
Atheros (TP-Link & Clones, etc ) debrick service in EU
_________________
Guide on HowTo be Safe, Secure and Protect Your Online Anonymity!
Chunger
DD-WRT Novice


Joined: 17 Aug 2012
Posts: 4

PostPosted: Mon Aug 20, 2012 18:26    Post subject: Reply with quote
Thanks for the info. I'll try upgrading... I guess the redirect gateway in the GUI for build 17201 doesn't work. I'll try the latest 19519 build.

I'll post my results once I get the routers upgraded.

Thanks!
Sash
DD-WRT Guru


Joined: 20 Sep 2006
Posts: 17619
Location: Hesse/Germany

PostPosted: Mon Aug 20, 2012 22:35    Post subject: Reply with quote
http://svn.dd-wrt.com/ticket/2536
_________________
Forum Guidelines...How to get help
&
Forum Rules
&
RTFM/STFW
&
Throw some buzzwords into the WIKI search Exclamation
_________________
I'm NOT rude, just offer pure facts!
_________________
Atheros (TP-Link & Clones, etc ) debrick service in EU
_________________
Guide on HowTo be Safe, Secure and Protect Your Online Anonymity!
Chunger
DD-WRT Novice


Joined: 17 Aug 2012
Posts: 4

PostPosted: Tue Aug 21, 2012 4:06    Post subject: Reply with quote
Thanks for the quick reply, but yeah I read your post a little too late... I ran into the plaintext read error.

I'll try rolling back to the last good release mentioned in the bug report; build 18730. Or I guess build 18740 for the E3200's that I have.

I'll post my outcome of that as well.
Chunger
DD-WRT Novice


Joined: 17 Aug 2012
Posts: 4

PostPosted: Tue Aug 21, 2012 17:01    Post subject: Reply with quote
Back to square one with build 18740. Both routers (Server/Client using GUI mode are on same build). I'm able to see the network on the server side, but still getting the unable to redirect gateway error just like with build 17201.

Any ideas?
pwei
DD-WRT Novice


Joined: 06 Sep 2012
Posts: 2

PostPosted: Thu Sep 06, 2012 21:58    Post subject: Reply with quote
You need to push a dhcp command. In the server config you would have something like:

push "dhcp-option DNS <VPN ip address of the server>"

You will also need to route the traffic that comes through the vpn:
iptables -t nat -A POSTROUTING -s <VPN subnet>/24 -o eth0 -j MASQUERADE

I managed to get things setup so that a desktop client connects to the server fully routed; however, I did not manage to get this setup to work for the DD-WRT OpenVPN client -- the gateway-redirect command causes the client router to become inaccessible to the LAN sitting behind it.
Display posts from previous:    Page 1 of 1
Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Advanced Networking All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You cannot download files in this forum