Connection Refused can't connect to OpenVPN dd-wrt

Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Advanced Networking
okashira
DD-WRT Novice


Joined: 17 Jan 2010
Posts: 23

Posted: Mon May 19, 2014 3:27    Post subject: Connection Refused can't connect to OpenVPN dd-wrt
I set up OpenVPN per this guide:
http://www.dslreports.com/shownews/OpenVPN-on-DDWRT-A-Secure-Connection-To-Home-Networks-128133

I followed it to a "T" and am trying to connect via the Android client.
I used a TLS Auth key and have it in the server config and in the phone config.


My issue is that I get this error (per the log):

Code:
 
 Transport Error: TCP connect error on 'xxxxx.duckdns.org:1194' (xxx.xxx.xxx.xxx:1194): Connection refused
 
Here are my firewall commands:
https://www.dropbox.com/s/j5lr6pt7hwveadc/222.PNG
And my OpenVPN config on the router:
https://www.dropbox.com/s/eyww3eva0wbl879/111.PNG
And the .ovpn profile used to import to android client:
Code:
 
client
dev tun0
proto tcp
remote xxxxxx.duckdns.org 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert ClientCert1.crt
key ClientCert1.key
ns-cert-type server
tls-auth ta.key 1
comp-lzo
verb 5
 
And finally the OpenVPN Additional config on the router:
Code:
 
push "route 192.168.1.0 255.255.255.0"
server 10.8.0.0 255.255.255.0
dev tun0
proto tcp
keepalive 10 120
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
tls-auth ta.key 0
# Only use crl-verify if you are using the revoke list - otherwise leave it commented out
# crl-verify /tmp/openvpn/ca.crl
# management parameter allows DD-WRT's OpenVPN Status web page to access the server's management port
# port must be 5001 for scripts embedded in firmware to work
management localhost 16
 
I think the issue must be in my routing or subnet settings... but I am clueless in this area. My router IP is 192.168.1.1. I get the connection refused error immediately, and it happens whether I'm on Wi-Fi on the same network or on cellular data.

I am also concerned about the extra commands in the server config and the firewall. Do I really need those last three lines in the firewall commands? How about the "push" command and the "server" command in the OpenVPN additional config? Isn't that taken care of in the settings boxes already there in DD-WRT?

Thanks!!!!!
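Before touching routing, the two configs posted above can be checked mechanically for the things that stop a TCP listener from ever accepting a connection. The checker below is an added example (not the guide's or DD-WRT's code) over a constructed copy of the posted server and client directives; it flags a lone relative file path (OpenVPN resolves it against its working directory and refuses to start if the file cannot be opened), a proto or port mismatch, and tls-auth present on one side only or with the wrong key directions.

```python
# Constructed from the server "Additional config" and client .ovpn posted above; not the guide's code.
SERVER_CONF = """\
proto tcp
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
tls-auth ta.key 0
"""
CLIENT_CONF = """\
proto tcp
remote xxxxxx.duckdns.org 1194
ca ca.crt
cert ClientCert1.crt
key ClientCert1.key
tls-auth ta.key 1
"""
FILE_DIRECTIVES = ("ca", "cert", "key", "dh", "tls-auth", "crl-verify")

def parse(conf):
    """Return [(directive, [args...])] for every non-comment, non-empty line."""
    out = []
    for line in conf.splitlines():
        parts = line.split("#", 1)[0].split()
        if parts:
            out.append((parts[0], parts[1:]))
    return out

def first(directives, name, default):
    # Arguments of the first occurrence of a directive, or default.
    return next((args for d, args in directives if d == name), default)

def check(server_conf, client_conf):
    """Return findings worth verifying before suspecting routing or subnets."""
    s, c = parse(server_conf), parse(client_conf)
    findings = []
    # 1. A lone relative path: resolved against the daemon's working directory; if the
    #    file cannot be opened the daemon does not start, so nothing listens (refused).
    paths = [(d, a[0]) for d, a in s if d in FILE_DIRECTIVES and a]
    rel = [d for d, p in paths if not p.startswith("/")]
    if rel and len(rel) < len(paths):
        findings.append(f"server: relative path for {rel} while the other files are absolute")
    # 2. Transport and port must agree or the client never reaches the listener.
    if first(s, "proto", ["udp"])[0] != first(c, "proto", ["udp"])[0]:
        findings.append("proto differs between server and client")
    remote = first(c, "remote", [])
    if first(s, "port", ["1194"])[0] != (remote[1] if len(remote) > 1 else "1194"):
        findings.append("port differs between server and client")
    # 3. tls-auth must be on both ends, with key-direction 0 (server) / 1 (client).
    st, ct = first(s, "tls-auth", None), first(c, "tls-auth", None)
    if (st is None) != (ct is None):
        findings.append("tls-auth on one side only: that side drops every packet lacking the HMAC")
    elif st and ct and (st[1:] or ct[1:]) and sorted(st[1:2] + ct[1:2]) != ["0", "1"]:
        findings.append("tls-auth key-direction must be 0 on the server and 1 on the client")
    return findings
```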
okashira
DD-WRT Novice


Joined: 17 Jan 2010
Posts: 23

Posted: Wed May 21, 2014 4:01    Post subject:
I removed the TLS Auth key and have gotten past the connection refused issue.
However, I'm still not getting a useful connection.

I can't connect to my router IP (192.168.1.1) or mount SMB shares.

I have tried every combination I can on the router and server commands, but I am just doing trial and error at this point.

I even removed ALL firewall commands, even the one opening UDP 1194, and the connection is occurring just fine according to the Android client. lol

Here is where I am at now:

Server additional config:
Code:
server 10.0.10.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
route 192.168.2.0 255.255.255.0 10.0.10.2
dev tun
proto udp
keepalive 10 120
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
#tls-auth ta.key 0
# Only use crl-verify if you are using the revoke list - otherwise leave it commented out
# crl-verify /tmp/openvpn/ca.crl
# management parameter allows DD-WRT's OpenVPN Status web page to access the server's management port
# port must be 5001 for scripts embedded in firmware to work
management localhost 16
Firewall commands:
Code:
iptables -I INPUT 1 -p tcp --dport 1194 -j ACCEPT
iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT
iptables -I FORWARD 1 --source 192.168.2.0/24 -j ACCEPT
iptables -I INPUT -i tun+ -j ACCEPT
iptables -I FORWARD -i tun+ -j ACCEPT
iptables -I OUTPUT -o tun+ -j ACCEPT
iptables -I FORWARD -o tun+ -j ACCEPT
iptables -I FORWARD -i br0 -o tun -j ACCEPT
iptables -I FORWARD -i tun -o br0 -j ACCEPT
iptables -I FORWARD 1 --source 10.0.10.0/24 -j ACCEPT
Recent representative server log (pulled from the DD-WRT status page):
Code:
20140520 22:33:43 W 107.107.188.191:8017 WARNING: normally if you use --mssfix and/or --fragment you should also set --tun-mtu 1500 (currently it is 1400)
 20140520 22:33:43 107.107.188.191:8017 TLS: Initial packet from [AF_INET]107.107.188.191:8017 sid=18d874b7 da7e4b5d
 20140520 22:33:44 107.107.188.191:8017 VERIFY OK: depth=1 C=US ST=XX L=MYCITY O=OpenVPN OU=OU1 CN=xxxxxxxxxxx name=JON emailAddress=MYEMAIL@EMAIL
 20140520 22:33:44 107.107.188.191:8017 VERIFY OK: depth=0 C=US ST=XX L=MYCITY O=OpenVPN OU=OU1 CN=xxxxxxxxxxx name=JON emailAddress=MYEMAIL@EMAIL
 20140520 22:33:44 W 107.107.188.191:8017 WARNING: 'link-mtu' is used inconsistently local='link-mtu 1470' remote='link-mtu 1542'
 20140520 22:33:44 W 107.107.188.191:8017 WARNING: 'tun-mtu' is used inconsistently local='tun-mtu 1400' remote='tun-mtu 1500'
 20140520 22:33:44 W 107.107.188.191:8017 WARNING: 'cipher' is used inconsistently local='cipher AES-192-CBC' remote='cipher BF-CBC'
 20140520 22:33:44 W 107.107.188.191:8017 WARNING: 'auth' is used inconsistently local='auth SHA256' remote='auth SHA1'
 20140520 22:33:44 W 107.107.188.191:8017 WARNING: 'keysize' is used inconsistently local='keysize 192' remote='keysize 128'
 20140520 22:33:44 107.107.188.191:8017 Data Channel Encrypt: Cipher 'AES-192-CBC' initialized with 192 bit key
 20140520 22:33:44 107.107.188.191:8017 Data Channel Encrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
 20140520 22:33:44 107.107.188.191:8017 Data Channel Decrypt: Cipher 'AES-192-CBC' initialized with 192 bit key
 20140520 22:33:44 107.107.188.191:8017 NOTE: --mute triggered...
 20140520 22:33:44 107.107.188.191:8017 2 variation(s) on previous 3 message(s) suppressed by --mute
 20140520 22:33:44 I 107.107.188.191:8017 [xxxxxxxxxxx] Peer Connection Initiated with [AF_INET]107.107.188.191:8017
 20140520 22:33:44 MULTI: new connection by client 'xxxxxxxxxxx' will cause previous active sessions by this client to be dropped. Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
 20140520 22:33:44 I MULTI_sva: pool returned IPv4=10.0.10.2 IPv6=(Not enabled)
 20140520 22:33:44 MULTI: Learn: 10.0.10.2 -> xxxxxxxxxxx/107.107.188.191:8017
 20140520 22:33:44 MULTI: primary virtual IP for xxxxxxxxxxx/107.107.188.191:8017: 10.0.10.2
 20140520 22:33:45 xxxxxxxxxxx/107.107.188.191:8017 PUSH: Received control message: 'PUSH_REQUEST'
 20140520 22:33:45 I xxxxxxxxxxx/107.107.188.191:8017 send_push_reply(): safe_cap=940
 20140520 22:33:45 xxxxxxxxxxx/107.107.188.191:8017 SENT CONTROL [xxxxxxxxxxx]: 'PUSH_REPLY route 192.168.1.0 255.255.255.0 route-gateway 10.0.10.1 topology subnet ping 10 ping-restart 120 ifconfig 10.0.10.2 255.255.255.0' (status=1)
 20140520 22:33:46 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
 20140520 22:33:46 D MANAGEMENT: CMD 'state'
 20140520 22:33:46 MANAGEMENT: Client disconnected
 20140520 22:33:46 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
 20140520 22:33:46 D MANAGEMENT: CMD 'state'
 20140520 22:33:46 MANAGEMENT: Client disconnected
 20140520 22:33:46 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
 20140520 22:33:46 D MANAGEMENT: CMD 'state'
 20140520 22:33:46 MANAGEMENT: Client disconnected
 20140520 22:33:46 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
 20140520 22:33:46 D MANAGEMENT: CMD 'log 500'
 20140520 22:33:46 MANAGEMENT: Client disconnected
 20140520 22:33:55 N xxxxxxxxxxx/107.107.188.191:8017 Authenticate/Decrypt packet error: packet HMAC authentication failed
 20140520 22:34:05 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
 20140520 22:34:05 D MANAGEMENT: CMD 'state'
 20140520 22:34:05 MANAGEMENT: Client disconnected
 20140520 22:34:05 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
 20140520 22:34:05 D MANAGEMENT: CMD 'state'
 20140520 22:34:05 MANAGEMENT: Client disconnected
 20140520 22:34:05 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
 20140520 22:34:05 D MANAGEMENT: CMD 'state'
 20140520 22:34:05 MANAGEMENT: Client disconnected
 20140520 22:34:05 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
 20140520 22:34:05 D MANAGEMENT: CMD 'log 500'
 19700101 00:00:00
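The log above shows the TLS handshake succeed and the tunnel come up, followed by "packet HMAC authentication failed" on the data channel. The triage script below is an added example (not the poster's, DD-WRT's or OpenVPN's code) that runs over a constructed excerpt of those log lines, collects the "is used inconsistently" warnings, and derives the client-profile directives that would make the two ends agree; it assumes OpenVPN 2.3-era behaviour, where cipher and auth are not negotiated and must be set identically on both sides.

```python
import re

# Constructed excerpt of the server log posted above (same client address as posted);
# added here for illustration, not DD-WRT or OpenVPN project code.
LOG = """\
20140520 22:33:44 W 107.107.188.191:8017 WARNING: 'tun-mtu' is used inconsistently local='tun-mtu 1400' remote='tun-mtu 1500'
20140520 22:33:44 W 107.107.188.191:8017 WARNING: 'cipher' is used inconsistently local='cipher AES-192-CBC' remote='cipher BF-CBC'
20140520 22:33:44 W 107.107.188.191:8017 WARNING: 'auth' is used inconsistently local='auth SHA256' remote='auth SHA1'
20140520 22:33:44 W 107.107.188.191:8017 WARNING: 'keysize' is used inconsistently local='keysize 192' remote='keysize 128'
20140520 22:33:44 MULTI: new connection by client 'xxxxxxxxxxx' will cause previous active sessions by this client to be dropped. Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
20140520 22:33:55 N xxxxxxxxxxx/107.107.188.191:8017 Authenticate/Decrypt packet error: packet HMAC authentication failed
"""

INCONSISTENT = re.compile(r"WARNING: '(\S+)' is used inconsistently local='\S+ (\S+)' remote='\S+ (\S+)'")
# OpenVPN 2.3 does not negotiate the data channel: cipher and auth must be set identically
# on both ends. keysize follows from the cipher for AES, so it is not a separate fix.
MUST_MATCH = ("cipher", "auth")

def triage(log):
    """Summarise mismatch warnings and data-channel failures from server log lines."""
    mismatches, hmac_failures, duplicate_cn = {}, 0, False
    for line in log.splitlines():
        m = INCONSISTENT.search(line)
        if m:
            mismatches[m.group(1)] = (m.group(2), m.group(3))  # (server, client)
        elif "packet HMAC authentication failed" in line:
            hmac_failures += 1
        elif "--duplicate-cn" in line:
            duplicate_cn = True
    # Directives the client profile would need so that "remote" matches "local".
    client_fix = [f"{k} {mismatches[k][0]}" for k in MUST_MATCH if k in mismatches]
    return {"mismatches": mismatches, "client_fix": client_fix,
            "hmac_failures": hmac_failures, "duplicate_cn": duplicate_cn}

def verdict(summary):
    """One-line diagnosis in the order a defender would check it."""
    if summary["hmac_failures"] and summary["client_fix"]:
        return ("tunnel is up but payload fails HMAC: data-channel cipher/auth mismatch; "
                "add to the client profile: " + "; ".join(summary["client_fix"]))
    if summary["hmac_failures"]:
        return "HMAC failures without a logged mismatch: check keys and tls-auth direction"
    return "no data-channel failures in this excerpt"
```

The MTU warnings are reported too but left out of the fix list: they degrade throughput rather than authentication, and the cipher/auth lines are what the HMAC failure points at.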