Routing all traffic through VPN - No internet access

DD-WRT Forum Index -> Advanced Networking
squidmata
DD-WRT Novice


Joined: 05 Feb 2010
Posts: 22
Location: UK

PostPosted: Mon Mar 18, 2013 9:32
Monday bump..
_________________
Linksys WRT610n v1

DD-WRT v24-sp2 (02/11/13) mega
(SVN revision 20675)
BasCom
DD-WRT Guru


Joined: 29 Jul 2009
Posts: 1378
Location: Germany

PostPosted: Mon Mar 18, 2013 10:00
On the client, all is looking fine, except for

C:\Windows\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.8.0.1

Maybe that's the fault.

It should be 0.0.0.0 10.8.0.1

And, of course, if you want to reach your 192.168.x.x home network (whatever x is now, after your cleanup), you need to set these routes, too.

On your remote Nexus client it should be

192.168.x.x mask 255.255.255.0 gw 10.8.0.1. If you want to use your home internet connection from remote, you have to do some MASQUERADING. In your first post, you wrote that you did. But why on eth0? The main interface on DD-WRT is br0.

_________________
RT-N66U @ Build 25697M K3.10.63
TL-WR842ND v1 @ BS-build 23919 WDS AP
TL-WR841ND @ BS-build 23919 WDS Client
TL-WR841ND @ BS-build 23919 Client Bridge ( Routed )
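The `route ADD 0.0.0.0 MASK 128.0.0.0 10.8.0.1` line quoted above is not a malformed default route: it is the first of the two /1 routes OpenVPN installs when a client receives `redirect-gateway def1` (the option pushed by the server config posted later in this thread). The added example below is not from the thread or from DD-WRT; it models a client's route table before and after those routes are applied and resolves destinations with a longest-prefix match, which is why the two /1 routes take over from 0.0.0.0/0 without deleting it. The tunnel gateway 10.8.0.1 comes from the thread; the LAN gateway 192.168.1.1, the client LAN and the VPN server's public address 203.0.113.10 (RFC 5737 documentation range) are constructed.

```python
import ipaddress

# Added example (not from the thread): a VPN client's route table after OpenVPN
# applies `redirect-gateway def1`. def1 does not replace the default route; it
# adds 0.0.0.0/1 and 128.0.0.0/1, which together cover all of IPv4 and win the
# longest-prefix match against 0.0.0.0/0, so the original default stays in place.
# The Windows command "route ADD 0.0.0.0 MASK 128.0.0.0 10.8.0.1" seen on the
# client is the first of those two routes.
# 10.8.0.1 is the tunnel gateway from the thread; LAN_GW, the client LAN and
# VPN_SERVER (RFC 5737 documentation address) are constructed.

LAN_GW = "192.168.1.1"
VPN_GW = "10.8.0.1"
VPN_SERVER = "203.0.113.10"


def base_table():
    """Route table of the client before the tunnel comes up."""
    return [
        ("0.0.0.0/0", LAN_GW),     # default route via the local router
        ("192.168.1.0/24", None),  # on-link LAN
    ]


def with_def1(table):
    """Routes OpenVPN adds for `redirect-gateway def1`, plus the tunnel subnet."""
    return table + [
        (VPN_SERVER + "/32", LAN_GW),  # host route: the tunnel's own packets still exit via the LAN
        ("0.0.0.0/1", VPN_GW),         # lower half of IPv4 -> tunnel
        ("128.0.0.0/1", VPN_GW),       # upper half of IPv4 -> tunnel
        ("10.8.0.0/24", None),         # on-link tunnel subnet
    ]


def next_hop(table, dst):
    """Longest-prefix match: return the gateway, 'on-link' for a connected route, None if unroutable."""
    addr = ipaddress.ip_address(dst)
    best_net, best_gw = None, None
    for prefix, gw in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_gw = net, gw
    if best_net is None:
        return None
    return best_gw if best_gw is not None else "on-link"


if __name__ == "__main__":
    before, after = base_table(), with_def1(base_table())
    for dst in ("8.8.8.8", "198.51.100.7", VPN_SERVER, "192.168.1.20", "10.8.0.1"):
        print(f"{dst:16} before: {next_hop(before, dst):14} after def1: {next_hop(after, dst)}")
```

The host route to the VPN server's public address is the other half of what def1 does: without it, the encapsulated tunnel packets would themselves be routed into the tunnel. If a client still reaches the internet via its local gateway after connecting, checking for the two /1 routes and that /32 is the quickest way to tell whether the pushed `redirect-gateway` was applied at all.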
squidmata
DD-WRT Novice


Joined: 05 Feb 2010
Posts: 22
Location: UK

PostPosted: Mon Mar 18, 2013 21:31
Bascom,

Thanks for your reply.

I'm a little confused (again), as I thought the routes were pulled from the server side, and as I've used the gui to configure I haven't entered any routing information. Is the wrong routing information being pushed by dd-wrt?

FYI, the connections between local and VPN subnets are working fine, it's just the internet access that's not.

in terms of the masquerading, I used the following command - "iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o br0 -j MASQUERADE" but it does not have any effect.

I'm lost.

_________________
Linksys WRT610n v1

DD-WRT v24-sp2 (02/11/13) mega
(SVN revision 20675)
BasCom
DD-WRT Guru


Joined: 29 Jul 2009
Posts: 1378
Location: Germany

PostPosted: Mon Mar 18, 2013 22:37
I have no idea; I do not use my default gateway through the VPN. But you can set your route manually. However, I am only using Linux. But: the default gw always looks like this: net: 0.0.0.0 mask 0.0.0.0 <gateway>
In my first posts I told ya, the GUI sucks

Once OpenVPN is up and running, you can use the --route-up / --route-down options on the client side to set your route manually in a script. Maybe that's better than getting it from the OVPN server. Better do all config manually.

You may also go to your client config dir on the VPN server side and set an iroute for the Nexus device:

If you wish, generate the 3 necessary cert files for me and send them over, then I may have a look. Mostly it's better than guessing.

Code:

iroute 0.0.0.0 0.0.0.0

_________________
RT-N66U @ Build 25697M K3.10.63
TL-WR842ND v1 @ BS-build 23919 WDS AP
TL-WR841ND @ BS-build 23919 WDS Client
TL-WR841ND @ BS-build 23919 Client Bridge ( Routed )
squidmata
DD-WRT Novice


Joined: 05 Feb 2010
Posts: 22
Location: UK

PostPosted: Tue Mar 19, 2013 19:27
Bascom,

PM sent..

_________________
Linksys WRT610n v1

DD-WRT v24-sp2 (02/11/13) mega
(SVN revision 20675)
squidmata
DD-WRT Novice


Joined: 05 Feb 2010
Posts: 22
Location: UK

PostPosted: Wed Mar 20, 2013 14:40    Post subject: BasCom is a legend
FIXED

For those who are interested, the fix turned out to be the addition of the following masquerading rule:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE

_________________
Linksys WRT610n v1

DD-WRT v24-sp2 (02/11/13) mega
(SVN revision 20675)
j-c.m
DD-WRT Novice


Joined: 12 Jan 2013
Posts: 1

PostPosted: Fri Apr 05, 2013 16:44    Post subject: Thanks for sharing
squidmata wrote:
FIXED

For those who are interested, the fix turned out to be the addition of the following masquerading rule:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE


Thanks for sharing your findings.

I think I have the same problem as I cannot access the internet once connected via VPN to my DD-WRT.

Were did you add that rule that you mentioned? Is it in the DD-WRT VPN settings? Could you please let me know?
Does it allow to access the Internet thru DD-WRT from a client connected from outside?
squidmata
DD-WRT Novice


Joined: 05 Feb 2010
Posts: 22
Location: UK

PostPosted: Fri Apr 05, 2013 16:55
I'll be honest, I don't understand why it works, but it does. After adding this firewall rule, vpn clients can connect to the internet through the vpn server.

On the web interface, go to 'administration', 'commands' and then paste the rule into the 'commands' box and then click 'save firewall'. If it saved ok, you'll see it in a text box labelled 'firewall' below. Don't forget to adjust the text if your vpn subnet is different.

Good luck, let us know how it goes..

_________________
Linksys WRT610n v1

DD-WRT v24-sp2 (02/11/13) mega
(SVN revision 20675)
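Why the rule works once `-o br0` is dropped: on DD-WRT, br0 is the LAN bridge, so a POSTROUTING rule restricted to `-o br0` only touches VPN-client traffic headed into the LAN. Internet-bound traffic leaves through the WAN interface, where that rule never matched, so packets left the router with a 10.8.0.x source that the ISP cannot route back. The added example below is not from the thread or from DD-WRT; it is a minimal model of how the two rules posted in this thread are evaluated for a packet, covering only the `-s`, `-o` and `-j` matches they use. The interface names and addresses are constructed: br0 and tun0 as in the thread, and "vlan2" standing in for whatever the WAN interface is called on a given router.

```python
import ipaddress
import shlex

# Added example (not from the thread): a minimal model of the nat POSTROUTING
# chain for the two MASQUERADE rules discussed in this thread. Only -s CIDR,
# -o IFACE and -j TARGET are modelled; the first matching MASQUERADE rule
# rewrites the source to the outgoing interface's own address.

RULE_WITH_BR0 = "iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o br0 -j MASQUERADE"  # first attempt in the thread
RULE_FIXED = "iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE"             # the rule that fixed it

# Constructed router: interface -> (own address, connected network).
# "vlan2" is a stand-in for the WAN interface; 203.0.113.10 is an RFC 5737 documentation address.
IFACES = {
    "br0": ("192.168.1.1", "192.168.1.0/24"),   # LAN bridge
    "tun0": ("10.8.0.1", "10.8.0.0/24"),        # OpenVPN server end of the tunnel
    "vlan2": ("203.0.113.10", "203.0.113.0/24"),
}
DEFAULT_IFACE = "vlan2"  # anything not on a connected network leaves via the WAN


def parse_rule(cmd):
    """Pick the -s / -o / -j options out of an iptables command line."""
    tokens = shlex.split(cmd)
    rule = {"src": None, "out": None, "target": None}
    i = 0
    while i < len(tokens):
        if tokens[i] in ("-s", "--source"):
            rule["src"] = ipaddress.ip_network(tokens[i + 1], strict=False)
            i += 2
        elif tokens[i] in ("-o", "--out-interface"):
            rule["out"] = tokens[i + 1]
            i += 2
        elif tokens[i] == "-j":
            rule["target"] = tokens[i + 1]
            i += 2
        else:
            i += 1  # iptables, -t nat, -A POSTROUTING: not part of the match
    return rule


def out_iface(dst):
    """Routing decision on the router: a connected network if any, else the WAN."""
    addr = ipaddress.ip_address(dst)
    for name, (_, net) in IFACES.items():
        if addr in ipaddress.ip_network(net):
            return name
    return DEFAULT_IFACE


def postrouting(rules, src, dst):
    """Return (outgoing interface, source address the packet leaves with)."""
    oif = out_iface(dst)
    for rule in map(parse_rule, rules):
        if rule["src"] is not None and ipaddress.ip_address(src) not in rule["src"]:
            continue
        if rule["out"] is not None and rule["out"] != oif:
            continue
        if rule["target"] == "MASQUERADE":
            return oif, IFACES[oif][0]
    return oif, src  # no rule matched: the source address is left as it was


if __name__ == "__main__":
    client = "10.8.0.6"  # constructed VPN client address from the server's pool
    for rules in ([RULE_WITH_BR0], [RULE_FIXED]):
        print(rules[0])
        for dst in ("8.8.8.8", "192.168.1.20"):
            print("   ", dst, "->", postrouting(rules, client, dst))
```

With the `-o br0` rule, the packet to 8.8.8.8 leaves vlan2 still sourced from 10.8.0.6, which is what the thread observed as "no internet". The fixed rule also masquerades VPN clients toward the LAN, so hosts on br0 see the router's address rather than the client's in their logs; a rule scoped with `-o` to the WAN interface name fixes internet access while keeping LAN-side traffic attributable to the individual client.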
Antonio Vivaldi
DD-WRT Novice


Joined: 06 Jul 2009
Posts: 10

PostPosted: Fri Apr 12, 2013 16:57
I'm needing a little help too as I'm really hoping for the HTTP proxy redirect. I have a good connection from an outside 4g network to my server and authentication is working fine (via the OpenVPN Android app), I just want that extra web traffic being pushed through the VPN.

@squidmata, after adding your rule, I'm still getting packets dropped, 1 eg: (out of many from the server log)
Code:
20130412 10:34:19 client2/x.x.x.x:52138 MULTI: bad source address from client [x.x.x.x] packet dropped


Here's my current rules (tried various combinations already):
Code:
iptables -I INPUT 1 -p udp --dport 50116 -j ACCEPT
iptables -I FORWARD 1 --source 192.168.66.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.66.0/24 -o br0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.66.0/24 -j MASQUERADE
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT


Here's my server config file:
Code:
push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS 192.168.66.1"
push "redirect-gateway def1"
server 192.168.66.0 255.255.255.0
dev tun0
port 50116
proto udp
keepalive 10 120
tls-auth /tmp/openvpn/ta.key 0
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
# Only use crl-verify if you are using the revoke list - otherwise leave it commented
# crl-verify /tmp/openvpn/ca.crl
# management parameter allows DD-WRT's OpenVPN Status web page to access the server's
# port must be 5001 for scripts embedded in firmware to work
management localhost 5001
cipher AES-256-CBC
script-security 2
verb 4
comp-lzo


Here's my client config file:
Code:
remote x.x.x.x 50116
client
remote-cert-tls server
dev tun0
proto udp
resolv-retry infinite
nobind
persist-key
persist-tun
float
#If the pushed routes appear not to be added on windows hosts, add the following:
route-delay 30
ca ca.crt
cert client2.crt
key client2.key
tls-auth ta.key 1
cipher AES-256-CBC
comp-lzo


Here's the initialization log, take a look at the highlighted line and see if that's an issue:

20130412 11:14:41 I OpenVPN 2.1_rc18 mipsel-unknown-linux-gnu [SSL] [LZO1] [EPOLL] built on Jul 21 2009
20130412 11:14:41 MANAGEMENT: TCP Socket listening on 127.0.0.1:5001
20130412 11:14:41 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
20130412 11:14:41 Diffie-Hellman initialized with 1024 bit key
20130412 11:14:41 W WARNING: file '/tmp/openvpn/key.pem' is group or others accessible
20130412 11:14:41 W WARNING: file '/tmp/openvpn/ta.key' is group or others accessible
20130412 11:14:41 I Control Channel Authentication: using '/tmp/openvpn/ta.key' as a OpenVPN static key file
20130412 11:14:41 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
20130412 11:14:41 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
20130412 11:14:41 TLS-Auth MTU parms [ x ]
20130412 11:14:41 I TUN/TAP device tun0 opened
20130412 11:14:41 TUN/TAP TX queue length set to 100
20130412 11:14:41 I /sbin/ifconfig tun0 192.168.66.1 pointopoint 192.168.66.2 mtu 1500
20130412 11:14:41 /sbin/route add -net 192.168.66.0 netmask 255.255.255.0 gw 192.168.66.2
20130412 11:14:41 W Route script failed: could not execute external program
20130412 11:14:41 Data Channel MTU parms [ x ]
20130412 11:14:41 Socket Buffers: R=[32767->65534] S=[32767->65534]
20130412 11:14:41 I UDPv4 link local (bound): [undef]:50116
20130412 11:14:41 I UDPv4 link remote: [undef]
20130412 11:14:41 MULTI: multi_init called r=256 v=256
20130412 11:14:41 IFCONFIG POOL: base=192.168.66.4 size=62
20130412 11:14:41 I Initialization Sequence Completed

Here's a screenie of my DHCP settings (I have some static leases in order to not have to manage local static IPs on the network):



Here are a few things missing to keep in mind after reading the somewhat-dated VPN (the easy way) v24+ guide:
1. If you want to change the default port 1194 to something else, be sure to include your custom port in the server config file. The format is:
Code:
port [number]
2. The text fields in the OpenVPN Daemon section to enter your certificates and keys will not like tab whitespace. Only use single spaces.
3. You can implement additional security/efficiency options. For security, these are outlined in the OpenVPN HOWTO. The TLS Auth static key is shared by all clients and the server and may mitigate DoS attacks and remote port sniffing. A stronger cipher of 256-bit AES is also available. LZO compression is available as well.

Don't know what else to try. Any ideas?
I'm running 12533 -- it's stable, I like it, and I'm used to it. Plus the "recommended" build for my router is only 12548. Should I just start ALL over again with 14929?
Antonio Vivaldi
DD-WRT Novice


Joined: 06 Jul 2009
Posts: 10

PostPosted: Wed Apr 24, 2013 6:26
I have a feeling many anonymous eyes are following this thread since what I'm asking will effectively turn my router into a functional, secure HTTP proxy, albeit with a high amount of configuration. If you have the answer and it's relatively simple -- that I only need to include 1 or 2 lines, feel free to PM me since this will be for personal use only.
squidmata
DD-WRT Novice


Joined: 05 Feb 2010
Posts: 22
Location: UK

PostPosted: Wed Apr 24, 2013 6:39
AV,

Unless I've misunderstood, that's what I have now. There really wasn't a great deal of config, apart from the firewall rule that BasCom helped me with. Have you set your Android app to use default route in settings under 'Routing'?

Btw, as far as I can tell, the "MULTI: packets dropped" message doesn't affect VPN performance in any way, but of course YMMV..

Are you configuring the VPN server with the gui or config file method?

I'm nothing other than a googling amateur but I'm happy to help if I can

_________________
Linksys WRT610n v1

DD-WRT v24-sp2 (02/11/13) mega
(SVN revision 20675)
etc6849
DD-WRT Novice


Joined: 01 Aug 2010
Posts: 24

PostPosted: Sat Jun 01, 2013 0:42
Any chance you could post your final settings that worked? (server config, firewall gui additions needed, client config)

This would help me a lot! Thanks.

squidmata wrote:
AV,

Unless I've misunderstood, that's what I have now. There really wasn't a great deal of config, apart from the firewall rule that BasCom helped me with. Have you set your Android app to use default route in settings under 'Routing'?

Btw, as far as I can tell, the "MULTI: packets dropped" message doesn't affect VPN performance in any way, but of course YMMV..

Are you configuring the VPN server with the gui or config file method?

I'm nothing other than a googling amateur but I'm happy to help if I can
squidmata
DD-WRT Novice


Joined: 05 Feb 2010
Posts: 22
Location: UK

PostPosted: Mon Jun 03, 2013 17:27
I'll be honest, I've since changed routers and jumped ship to Merlin's builds for Asus, but I've attached a text file of my settings, most of which were default. As you'll see from the thread it was the firewall rule which fixed it for me in the end. Hope it's of some use..
_________________
Linksys WRT610n v1

DD-WRT v24-sp2 (02/11/13) mega
(SVN revision 20675)