OpenVPN and DHCP issue

Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Advanced Networking
Author Message
nikolay.zhelev
DD-WRT Novice


Joined: 02 Apr 2013
Posts: 20

PostPosted: Sat Apr 06, 2013 16:52    Post subject: OpenVPN and DHCP issue Reply with quote
Dear fellows,

I'm using Linksys WRT54GL router with DD WRT SVN revision 14929.

I would like to use my router's DHCP server for my OpenVPN clients, but now when I connect to the OpenVPN server, I can't receive any IP and my windows 7 network manager says "Identifying" and after while "Unidentified Network" and no IP for OpenVPN Client.

As a result my OpenVPN client has no network address.

My final goal is to reach the internal router network and route all my client's traffic through my router network.

My server config is:

local "my external router IP"
mode server
tls-server
auth-user-pass-verify /tmp/custom.sh via-file
script-security 3
tmp-dir /tmp
server-bridge
dev tap0
proto udp
port 1194
persist-key
persist-tun
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
tls-auth /tmp/openvpn/ta.key
tls-cipher DHE-RSA-AES256-SHA
cipher BF-CBC
auth MD5
keepalive 10 120
comp-lzo
client-to-client
verb 6
mute 20
management localhost 5001
push "default-gateway def1"
push "dhcp-option DNS (my router IP)"

My Client Configuration is:

client
dev tap0
proto udp
tls-client
remote (router's external IP) 1194
nobind
persist-key
persist-tun
auth-user-pass
ca "C:\\path\\ca.crt"
cert "C:\\path\\client1.crt"
key "C:\\path\\client1.key"
tls-auth "C:\\path\\ta.key"
tls-cipher DHE-RSA-AES256-SHA
cipher BF-CBC
auth MD5
pull "redirect-gateway def1"
pull "dhcp-option DNS (my router internal IP)"
comp-lzo
ns-cert-type server
verb 6
mute 20


P.S. Does the order of commands in the conf file matters?

I'm looking forward to hearing you fellows!

---
Kind Regards,
Zhelev
Sponsor
nikolay.zhelev
DD-WRT Novice


Joined: 02 Apr 2013
Posts: 20

PostPosted: Sat Apr 06, 2013 19:49    Post subject: Problem Solved Reply with quote
Hi fellows,

I lost two weeks trying to get my OpenVPN on dd wrt to perform one simple function, to route all my traffic through my home IP.

Finally I managed to do it.

From my experience, I would like to share the following information:

1. I tried several dd wrt build: 14929, 15962 and 17990.
Build 17990 has great GUI, but big problems with TLS encryption. I couldn't manage to make it work.
Build 15962 was OK, except the problem with custom script running.
Still the best build is 14929. OpenVPN works great.

2. Here is my experience:
Regarding my problem in the previous post I couldn't get IP from my router's DHCP pool, because I was missing the bridging rule at start-up between my tap interface and the rest of the network, therefore I added the following command under Administration Tab/Command as start-up command:

brctl addif br0 tap0 # creates bridge between my virtual interface and my ethernet interface
ifconfig tap0 0.0.0.0 promisc up # all packets will be received by tap0 interface

Those commands connected my OpenVPN server with my DHCP server.

3. I had problems accessing my OpenVPN server from outside. I mean, when I have local IP received from my Linksys router, I'm able to connect to my OpenVPN server, but when I have an external IP, I cannot connect to my OpenVPN server.

The problem was, that udp port 1194 was not forwarded and all incoming packets for udp 1194 were unable to reach my OpenVPN server. I added the following command in the firewall rules:

iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT

In general that's my experience to the moment with OpenVPN. I hope this will give some answers to people have similar issues.

---
Kind Regards,
Zhelev
nikolay.zhelev
DD-WRT Novice


Joined: 02 Apr 2013
Posts: 20

PostPosted: Mon Apr 08, 2013 19:01    Post subject: Reply with quote
Dear fellows,

Today I tested my new configuration and I found that when in my client config file the function redirect-gateway stays with the following syntax:

pull "redirect-gateway def1"

my client does not have any routing. My IP address is the IP of the network which I'm using for VPN connection, not my router's IP as I expected.

When I put the following syntax:

redirect-gateway def1

without any pull command, my IP becomes my router IP, just like I want.

Unfortunately I'm still unable to redirect all packages to go out of my home router. When I print something from my workplace, while I'm connected to my home VPN, I shouldn't be able to print, because I use network printer, but the situation is different. Even when I'm connected to my VPN, I still can print, through my work network. That gives me the impression, that not all of my traffic is routed through my VPN.

The question is why?

In my server config file I have the following commands:

push "redirect-gateway def1"
push "dhcp-option DNS [my external IP]"

I'm looking forward to hearing from you!

---
Kind Regards,
Zhelev
nikolay.zhelev
DD-WRT Novice


Joined: 02 Apr 2013
Posts: 20

PostPosted: Tue Apr 09, 2013 8:06    Post subject: Reply with quote
Hi fellows,

A quick update to my case. I found the after and hour or two, my router drops me down from the VPN network, asking for username and password again.

Any ideas, why this is happening?

DD WRT Build 14929.

---
Kind Regards,
Zhelev
nikolay.zhelev
DD-WRT Novice


Joined: 02 Apr 2013
Posts: 20

PostPosted: Tue Apr 09, 2013 16:31    Post subject: Username and Password Reply with quote
I have a feeling, that I'm talking to myself Smile However, another thing came on my mind. Do you have idea regarding the authentication method with username and password in OpenVPN, is it encrypted? I mean, when I enter the password in my OpenVPN client on my laptop, the user and pass is transferred to my router for verification, but is it encrypted during the transfer?
I know, that my router script for pass verification uses encryption, but does my OpenVPN client uses encryption during the initial transfer?

---
Regards,
Zhelev
nikolay.zhelev
DD-WRT Novice


Joined: 02 Apr 2013
Posts: 20

PostPosted: Tue Apr 09, 2013 18:18    Post subject: Reply with quote
Dear eibgrad,

I't always good to see some activity on my topic Smile

Thank you for your reply! That makes perfect sense. I forgot to check in the OpenVPN official page.

---
Kind Regards,
Zhelev
lori_2001
DD-WRT Novice


Joined: 01 Mar 2013
Posts: 8

PostPosted: Tue Apr 09, 2013 21:15    Post subject: Reply with quote
Well, we are waiting for a final and working solution, with the needed settings.
Sash
DD-WRT Guru


Joined: 20 Sep 2006
Posts: 17619
Location: Hesse/Germany

PostPosted: Tue Apr 09, 2013 22:09    Post subject: Reply with quote
at nikolay.zhelev

use a current beta!

_________________
Forum Guidelines...How to get help
&
Forum Rules
&
RTFM/STFW
&
Throw some buzzwords into the WIKI search Exclamation
_________________
I'm NOT rude, just offer pure facts!
_________________
Atheros (TP-Link & Clones, etc ) debrick service in EU
_________________
Guide on HowTo be Safe, Secure and Protect Your Online Anonymity!
nikolay.zhelev
DD-WRT Novice


Joined: 02 Apr 2013
Posts: 20

PostPosted: Wed Apr 10, 2013 9:32    Post subject: Reply with quote
Hi Sash,

Yesterday I saw on the official DD WRT page that there is a new firmware release for my router [Linksys WRT54GL].

Router Database now reccomends: "v24 preSP2 [BETA] Build 13064"

Is that what you mean?

I'm asking you, because the Peacock Thread in the forum still refer to Brainslayer 14929 Build.
---
Kind Regards,
Zhelev
nikolay.zhelev
DD-WRT Novice


Joined: 02 Apr 2013
Posts: 20

PostPosted: Fri Apr 12, 2013 10:59    Post subject: Reply with quote
Hi fellows,

Just a quick update. For the last two days my OpenVPN network behaves quite stable. I managed to solve a problem with connection drop. It used to happen every hour or so, asking to type username and password again. Then I realize that this is default advanced security function in OpenVPN.
I solve this problem by adding in the server configuration file and client configuration file the following command:

reneg-sec 0 // where 0 means that OpenVPN server or client will never ask for username and password retyping again.

You can put instead of “0” the number of seconds after you would like to re-enter the username and password for example:

reneg-sec 3600 //means that after an hour you will be asked to enter the username and password again

Regarding my case with the routing, every TCP request is routed through my default OpenVPN gateway, but when I try to ping a local IP of my office network it just bypasses the default gateway and connects straight to the local IP, which I’m pinging. Also when I allow network discovery everything within my office network is visible, which also means, that this traffic is not routed through my OpenVPN network, but through my office one.

However the VPN channel looks stable and later I’ll post my configuration.

---
Kind Regards,
Zhelev
nikolay.zhelev
DD-WRT Novice


Joined: 02 Apr 2013
Posts: 20

PostPosted: Mon Apr 22, 2013 11:55    Post subject: Stable Configuration Reply with quote
Hi fellows,

After two week testing I would like to post my stable VPN configuration with username and password authentication and TLS as well. Still this configuration is applicable for DD WRT Brainslayer 14929 Build.

Server Configuration:

local [Router's external IP address"
mode server
tls-server
auth-user-pass-verify /tmp/custom.sh via-file
script-security 3
tmp-dir /tmp
server-bridge
dev tap0
proto udp
port 1194
persist-key
persist-tun
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
tls-auth /tmp/openvpn/ta.key
tls-cipher DHE-RSA-AES256-SHA
cipher BF-CBC
auth MD5
keepalive 10 120
comp-lzo
client-to-client
verb 6
mute 20
management localhost 5001
push "redirect-gateway def1"
push "dhcp-option DNS [Router's local IP address]"
reneg-sec 0

Client:

client
dev tap0
proto udp
tls-client
remote [Router's IP address] 1194
nobind
persist-key
persist-tun
dev-node OpenVPN
auth-user-pass
ca "C:\\ca.crt"
cert "C:\\client1.crt"
key "C:\\client1.key"
tls-auth "C:\\ta.key"
tls-cipher DHE-RSA-AES256-SHA
cipher BF-CBC
pull "redirect-gateway def1"
pull "dhcp-option DNS [Router's local IP address]"
auth MD5
comp-lzo
ns-cert-type server
resolv-retry infinite
keepalive 10 120
verb 6
mute 20
reneg-sec 0

This configuration is working on Windows XP without any problems, but Windows 7 can't get an IP. I believe that there is a problem with the rights in windows 7, because I checked the routing table, and the client log says, that it cannot modify the routing table.
I couldn't solve the problem.

However one more thing is problematic for me.
On my windows XP, after connection to my router via VPN, everything is fine, the default gateway is my VPN gateway, but still I'm able to see all computers on my work network (the one that I'm using for VPN connection). Is that normal? As far as I know, when I use udp tunnelling, everything has to be routed through the VPN, am I right?

Looking forward to hearing from you guys!

--
Kind Regards,
Zhelev
laggyluk
DD-WRT Novice


Joined: 21 Apr 2013
Posts: 7

PostPosted: Mon Apr 22, 2013 16:48    Post subject: Reply with quote
thanks dude, those two lines saved me few hours of life Wink
brctl addif br0 tap0
ifconfig tap0 0.0.0.0 promisc up
Display posts from previous:    Page 1 of 1
Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Advanced Networking All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You cannot download files in this forum