Posted: Sat Apr 06, 2013 16:52 Post subject: OpenVPN and DHCP issue
Dear fellows,
I'm using Linksys WRT54GL router with DD WRT SVN revision 14929.
I would like to use my router's DHCP server for my OpenVPN clients, but now when I connect to the OpenVPN server, I can't receive any IP and my Windows 7 network manager says "Identifying" and after a while "Unidentified Network", and there is no IP for the OpenVPN client.
As a result my OpenVPN client has no network address.
My final goal is to reach the internal router network and route all my client's traffic through my router network.
My server config is:
local "my external router IP"
mode server
tls-server
auth-user-pass-verify /tmp/custom.sh via-file
script-security 3
tmp-dir /tmp
server-bridge
dev tap0
proto udp
port 1194
persist-key
persist-tun
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
tls-auth /tmp/openvpn/ta.key
tls-cipher DHE-RSA-AES256-SHA
cipher BF-CBC
auth MD5
keepalive 10 120
comp-lzo
client-to-client
verb 6
mute 20
management localhost 5001
push "redirect-gateway def1"
push "dhcp-option DNS (my router IP)"
My Client Configuration is:
client
dev tap0
proto udp
tls-client
remote (router's external IP) 1194
nobind
persist-key
persist-tun
auth-user-pass
ca "C:\\path\\ca.crt"
cert "C:\\path\\client1.crt"
key "C:\\path\\client1.key"
tls-auth "C:\\path\\ta.key"
tls-cipher DHE-RSA-AES256-SHA
cipher BF-CBC
auth MD5
pull "redirect-gateway def1"
pull "dhcp-option DNS (my router internal IP)"
comp-lzo
ns-cert-type server
verb 6
mute 20
P.S. Does the order of commands in the conf file matter?
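A check a reader might run over configs like the two above before deploying them. This is an added example, not code from the thread, from DD-WRT or from OpenVPN; the embedded configs are constructed from the directives the posts show, with 203.0.113.10 (a documentation address) and 192.168.1.1 standing in for the redacted router addresses. It flags the 64-bit-block cipher and MD5 HMAC, `reneg-sec 0`, the deprecated `ns-cert-type`, `pull` written with arguments (the directive takes none, so the quoted text is never applied), and `script-security 3` where `via-file` only needs level 2. A hardened client config is included to show the linter passing.

```python
"""Lint an OpenVPN 2.x config for the weak or mistaken settings shown in the
configs above.  Added example, not code from the thread, DD-WRT or OpenVPN.
The embedded configs are constructed from the posted directives; 203.0.113.10
(a documentation address) and 192.168.1.1 stand in for the redacted ones."""
import shlex

# 64-bit-block ciphers (Blowfish, DES, 3DES, CAST5) are exposed to birthday
# attacks on long-lived tunnels; RC4 and 'none' give no confidentiality.
WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC", "RC4", "NONE"}
WEAK_AUTH = {"MD5", "SHA1", "NONE"}

MESSAGES = {
    "weak-cipher": "64-bit block or null cipher; use AES-256-GCM (2.4+) or AES-256-CBC",
    "weak-hmac": "weak HMAC digest for the data channel and tls-auth; use SHA256",
    "no-rekey": "reneg-sec 0 never refreshes the data-channel key; keep the default and "
                "avoid the re-prompt with 'auth-user-pass <file>' or auth-gen-token (2.4+ server)",
    "deprecated": "ns-cert-type is deprecated; use 'remote-cert-tls server'",
    "pull-args": "pull takes no arguments; the quoted text is not applied as a directive. "
                 "Put it on its own line or let the server push it",
    "excess-priv": "script-security 3 is only needed for via-env; via-file works with "
                   "level 2, which keeps passwords out of script environments",
    "no-server-cert-check": "client never checks the server certificate's purpose; "
                            "add 'remote-cert-tls server'",
}


def parse(text):
    """Yield (directive, args, original line).  Only whole-line comments
    ('#' or ';' in column one) are skipped; shlex handles quoted push/pull
    payloads and quoted Windows paths."""
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#;":
            tokens = shlex.split(line)
            yield tokens[0], tokens[1:], line


def lint(text):
    """Return [(code, offending line)] findings for one config."""
    entries = list(parse(text))
    names = {name for name, _, _ in entries}
    last = {name: args for name, args, _ in entries}  # single-valued options
    found = []
    for name, args, line in entries:
        if name == "cipher" and args and args[0].upper() in WEAK_CIPHERS:
            found.append(("weak-cipher", line))
        elif name == "auth" and args and args[0].upper() in WEAK_AUTH:
            found.append(("weak-hmac", line))
        elif name == "reneg-sec" and args == ["0"]:
            found.append(("no-rekey", line))
        elif name == "ns-cert-type":
            found.append(("deprecated", line))
        elif name == "pull" and args:
            found.append(("pull-args", line))
    verify = last.get("auth-user-pass-verify", [])
    if last.get("script-security") == ["3"] and verify[-1:] == ["via-file"]:
        found.append(("excess-priv", "script-security 3"))
    if names & {"client", "tls-client"} and not names & {"remote-cert-tls", "ns-cert-type"}:
        found.append(("no-server-cert-check", "(missing remote-cert-tls)"))
    return found


def finding_codes(text):
    """Sorted, de-duplicated codes, handy for a pass/fail check."""
    return sorted({code for code, _ in lint(text)})


SERVER_CFG = r"""
# constructed sample modelled on the server config posted above
local 203.0.113.10
mode server
tls-server
auth-user-pass-verify /tmp/custom.sh via-file
script-security 3
server-bridge
dev tap0
proto udp
port 1194
tls-cipher DHE-RSA-AES256-SHA
cipher BF-CBC
auth MD5
push "redirect-gateway def1"
push "dhcp-option DNS 192.168.1.1"
reneg-sec 0
"""

CLIENT_CFG = r"""
# constructed sample modelled on the client config posted above
client
dev tap0
proto udp
remote 203.0.113.10 1194
auth-user-pass
ca "C:\\ca.crt"
cert "C:\\client1.crt"
key "C:\\client1.key"
tls-auth "C:\\ta.key"
cipher BF-CBC
auth MD5
pull "redirect-gateway def1"
pull "dhcp-option DNS 192.168.1.1"
ns-cert-type server
reneg-sec 0
"""

HARDENED_CLIENT_CFG = r"""
# constructed: the same client with the findings addressed
client
dev tap0
proto udp
remote 203.0.113.10 1194
auth-user-pass
ca "C:\\ca.crt"
cert "C:\\client1.crt"
key "C:\\client1.key"
tls-auth "C:\\ta.key"
cipher AES-256-CBC
auth SHA256
redirect-gateway def1
remote-cert-tls server
"""

if __name__ == "__main__":
    for label, cfg in (("server", SERVER_CFG), ("client", CLIENT_CFG),
                       ("hardened client", HARDENED_CLIENT_CFG)):
        print(f"== {label}: {len(lint(cfg))} finding(s)")
        for code, line in lint(cfg):
            print(f"  [{code}] {line}: {MESSAGES[code]}")
```

The username and password sent by `auth-user-pass` travel inside the TLS control channel, so the strength of that exchange is decided by the TLS settings (`tls-cipher`, `tls-auth`, certificate checks), not by `cipher`/`auth`, which protect the data channel; the linter therefore treats the certificate-purpose check as the client-side finding that matters most for credential safety.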
Posted: Sat Apr 06, 2013 19:49 Post subject: Problem Solved
Hi fellows,
I lost two weeks trying to get my OpenVPN on dd wrt to perform one simple function, to route all my traffic through my home IP.
Finally I managed to do it.
From my experience, I would like to share the following information:
1. I tried several DD-WRT builds: 14929, 15962 and 17990.
Build 17990 has a great GUI, but big problems with TLS encryption. I couldn't manage to make it work.
Build 15962 was OK, except for the problem with custom script running.
Still the best build is 14929. OpenVPN works great.
2. Here is my experience:
Regarding my problem in the previous post: I couldn't get an IP from my router's DHCP pool, because I was missing the bridging rule at start-up between my tap interface and the rest of the network. Therefore I added the following commands under Administration Tab/Command as start-up commands:
brctl addif br0 tap0 # creates bridge between my virtual interface and my ethernet interface
ifconfig tap0 0.0.0.0 promisc up # all packets will be received by tap0 interface
Those commands connected my OpenVPN server with my DHCP server.
3. I had problems accessing my OpenVPN server from outside. I mean, when I have a local IP received from my Linksys router, I'm able to connect to my OpenVPN server, but when I have an external IP, I cannot connect to my OpenVPN server.
The problem was that UDP port 1194 was not forwarded and all incoming packets for UDP 1194 were unable to reach my OpenVPN server. I added the following command in the firewall rules:
iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT
In general that's my experience so far with OpenVPN. I hope this will give some answers to people who have similar issues.
Today I tested my new configuration and I found that when the redirect-gateway function in my client config file has the following syntax:
pull "redirect-gateway def1"
my client does not have any routing. My IP address is the IP of the network which I'm using for the VPN connection, not my router's IP as I expected.
When I put the following syntax:
redirect-gateway def1
without any pull command, my IP becomes my router's IP, just like I want.
Unfortunately I'm still unable to redirect all packets to go out of my home router. When I print something from my workplace while I'm connected to my home VPN, I shouldn't be able to print, because I use a network printer, but the situation is different. Even when I'm connected to my VPN, I can still print through my work network. That gives me the impression that not all of my traffic is routed through my VPN.
The question is why?
In my server config file I have the following commands:
push "redirect-gateway def1"
push "dhcp-option DNS [my external IP]"
Posted: Tue Apr 09, 2013 16:31 Post subject: Username and Password
I have a feeling that I'm talking to myself. However, another thing came to my mind. Do you have any idea regarding the authentication method with username and password in OpenVPN: is it encrypted? I mean, when I enter the password in my OpenVPN client on my laptop, the user and pass are transferred to my router for verification, but are they encrypted during the transfer?
I know that my router script for pass verification uses encryption, but does my OpenVPN client use encryption during the initial transfer?
Just a quick update. For the last two days my OpenVPN network has behaved quite stably. I managed to solve a problem with connection drops. It used to happen every hour or so, asking me to type the username and password again. Then I realized that this is a default advanced security function in OpenVPN.
I solved this problem by adding the following command in the server configuration file and client configuration file:
reneg-sec 0 # where 0 means that the OpenVPN server or client will never ask for the username and password to be retyped again
Instead of "0" you can put the number of seconds after which you would like to re-enter the username and password, for example:
reneg-sec 3600 # means that after an hour you will be asked to enter the username and password again
Regarding my case with the routing: every TCP request is routed through my default OpenVPN gateway, but when I try to ping a local IP of my office network it just bypasses the default gateway and connects straight to the local IP which I'm pinging. Also when I allow network discovery, everything within my office network is visible, which also means that this traffic is not routed through my OpenVPN network, but through my office one.
However the VPN channel looks stable and later I'll post my configuration.
Posted: Mon Apr 22, 2013 11:55 Post subject: Stable Configuration
Hi fellows,
After two weeks of testing I would like to post my stable VPN configuration with username and password authentication and TLS as well. This configuration is still applicable to the DD-WRT Brainslayer 14929 build.
Server Configuration:
local [Router's external IP address]
mode server
tls-server
auth-user-pass-verify /tmp/custom.sh via-file
script-security 3
tmp-dir /tmp
server-bridge
dev tap0
proto udp
port 1194
persist-key
persist-tun
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
tls-auth /tmp/openvpn/ta.key
tls-cipher DHE-RSA-AES256-SHA
cipher BF-CBC
auth MD5
keepalive 10 120
comp-lzo
client-to-client
verb 6
mute 20
management localhost 5001
push "redirect-gateway def1"
push "dhcp-option DNS [Router's local IP address]"
reneg-sec 0
Client:
client
dev tap0
proto udp
tls-client
remote [Router's IP address] 1194
nobind
persist-key
persist-tun
dev-node OpenVPN
auth-user-pass
ca "C:\\ca.crt"
cert "C:\\client1.crt"
key "C:\\client1.key"
tls-auth "C:\\ta.key"
tls-cipher DHE-RSA-AES256-SHA
cipher BF-CBC
pull "redirect-gateway def1"
pull "dhcp-option DNS [Router's local IP address]"
auth MD5
comp-lzo
ns-cert-type server
resolv-retry infinite
keepalive 10 120
verb 6
mute 20
reneg-sec 0
This configuration is working on Windows XP without any problems, but Windows 7 can't get an IP. I believe that there is a problem with the rights in Windows 7, because I checked the routing table, and the client log says that it cannot modify the routing table.
I couldn't solve the problem.
However one more thing is problematic for me.
On my Windows XP, after connecting to my router via VPN, everything is fine, the default gateway is my VPN gateway, but still I'm able to see all computers on my work network (the one that I'm using for the VPN connection). Is that normal? As far as I know, when I use UDP tunnelling, everything has to be routed through the VPN, am I right?
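The behaviour asked about in the three posts above (default gateway is the VPN, yet office hosts and the network printer remain reachable directly) follows from how `redirect-gateway def1` works together with longest-prefix-match routing. The following is an added example, not code from the thread or from OpenVPN: it builds the routing table such a client ends up with and looks destinations up the way the host's kernel does. All addresses are constructed: 192.168.10.0/24 stands for the office LAN, 192.168.1.0/24 for the home LAN reached through the bridged tap, and 203.0.113.10 (documentation range) for the router's WAN address.

```python
"""Why hosts on the office LAN stay reachable while 'redirect-gateway def1'
is active: a longest-prefix-match walk over the routing table such a client
ends up with.  Added example, not code from the thread or OpenVPN.  All
addresses are constructed: 192.168.10.0/24 is the office LAN, 192.168.1.0/24
the home LAN behind the bridged tap, 203.0.113.10 the router's WAN address."""
import ipaddress


def make_table(office_lan, office_gw, vpn_server, vpn_gw, home_lan):
    """Client routing table after 'redirect-gateway def1' on a bridged tap.
    def1 does not delete the original default route; it adds 0.0.0.0/1 and
    128.0.0.0/1 via the VPN gateway, which win by being more specific, plus
    a host route so the encrypted packets themselves still reach the server."""
    net = ipaddress.ip_network
    return [
        (net("0.0.0.0/0"), office_gw, "eth0"),         # original default, left in place
        (net(office_lan), None, "eth0"),               # office LAN is directly connected
        (net(vpn_server + "/32"), office_gw, "eth0"),  # tunnel endpoint via the office gateway
        (net("0.0.0.0/1"), vpn_gw, "tap0"),            # def1: lower half of IPv4 space
        (net("128.0.0.0/1"), vpn_gw, "tap0"),          # def1: upper half of IPv4 space
        (net(home_lan), None, "tap0"),                 # home LAN, on-link via the bridged tap
    ]


def lookup(table, dst):
    """Longest-prefix match, as the host's kernel does it.
    Returns (interface, gateway); gateway None means 'deliver on-link'."""
    addr = ipaddress.ip_address(dst)
    matches = (entry for entry in table if addr in entry[0])
    _, gw, iface = max(matches, key=lambda entry: entry[0].prefixlen)
    return iface, gw


def classify(table, dst):
    """'vpn' if the packet enters the tunnel, 'direct' if it leaves on eth0."""
    iface, _ = lookup(table, dst)
    return "vpn" if iface == "tap0" else "direct"


# Constructed scenario matching the thread: laptop on an office /24, home
# router 192.168.1.1 acting as VPN gateway through the bridged tap.
TABLE = make_table("192.168.10.0/24", "192.168.10.1",
                   "203.0.113.10", "192.168.1.1", "192.168.1.0/24")

# Constructed destinations: office printer, a public host, the VPN server, a home host.
DESTINATIONS = ["192.168.10.50", "198.51.100.7", "203.0.113.10", "192.168.1.20"]

if __name__ == "__main__":
    for dst in DESTINATIONS:
        iface, gw = lookup(TABLE, dst)
        print(f"{dst:>15} -> {iface} via {gw or 'on-link'} ({classify(TABLE, dst)})")
```

The office printer at 192.168.10.50 matches the directly connected /24, which is longer than either /1 route, so it never enters the tunnel; only destinations with no more specific route (the public host here) take the def1 routes. That is the intended design of `def1`, since the client must keep the physical LAN to reach its own gateway. Newer OpenVPN releases add a `block-local` flag to `redirect-gateway` that routes the local LAN (except the gateway) into the tunnel; check the manual of the version in use before relying on it.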