Upgraded device OpenVPN no longer working

dirge
DD-WRT Novice


Joined: 06 Aug 2019
Posts: 3

Posted: Tue Aug 06, 2019 20:48    Post subject: Upgraded device OpenVPN no longer working
I’m having trouble getting OpenVPN to work on a device that previously had it running.

First, I inherited this box after the nontechnical owners upgraded the firmware to the latest version to address an FTP issue. However, the VPN that was working before the upgrade has now stopped working. I've recreated all of the certificates for both sides already using easy-RSA as I understood that was a possible issue.

The error I am seeing is around TLS authentication, and I’ve looked and tried a bunch of stuff I’ve found in various places in this forum and elsewhere to no avail. I’ve seen that TLS is not necessarily required and I am happy to kill it as it was not configured before my starting to troubleshoot it.

The current client configuration is from egc’s document here: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318795 although I’ve added the ta.key to it to shut up other errors. I’ve included the original client config file as well as the server Additional Config settings that I have not played with as removing any of them throws new errors into the Syslog when the settings get applied.

The details I have are as follows:

Router Model: Asus RT-N66U
Firmware Version: DD-WRT v3.0-r40189 mega (07/04/19)


Server side log message:
=============================================
TLS Error: reading acknowledgement record from packet
=============================================

Client side log messages:
=============================================
Tue Aug 06 16:19:32 2019 us=596181 MANAGEMENT: >STATE:1565122772,AUTH,,,,,,
Tue Aug 06 16:19:32 2019 us=596181 TLS: Initial packet from [AF_INET]142.X.X.X:1194, sid=2007078b c93b5ff3
Tue Aug 06 16:19:32 2019 us=596181 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]142.X.X.X:1194
=============================================


Client Config (current):
=============================================
client
dev tun
proto udp
remote warp.SERVERNAME.ca 1194
nobind
persist-key
persist-tun
remote-cert-tls server
auth-nocache
verb 4
float
comp-lzo no
tun-mtu 1500
auth SHA256
cipher AES-256-CBC
ca ca.crt
cert ivan.crt
key ivan.key
tls-auth ta.key
=============================================


Client Config (original):
=============================================
client
dev tap0
proto udp
remote warp.SERVERNAME.ca 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert ivan.crt
key ivan.key
remote-cert-tls server
ns-cert-type server
=============================================


Server Additional Config:
=============================================
mode server
push "dhcp-option DNS 10.22.0.1"
proto udp4
port 1194
dev tap0
server-bridge 10.22.0.1 255.255.0.0 10.22.0.150 10.22.0.200
keepalive 10 120
daemon
client-to-client
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
cipher AES-256-CBC
=============================================
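
An added example, not part of the thread and not DD-WRT or OpenVPN code: a small Python check that compares the directives both OpenVPN peers have to agree on, run over excerpts of the client (current) and server configs posted above. It assumes the posted Additional Config is the whole server configuration, which the post does not confirm because the DD-WRT GUI settings are not shown; the function names are illustrative.

```python
import re

# Constructed excerpts of the posted configs (only the directives compared here).
CLIENT = """client
dev tun
proto udp
auth SHA256
cipher AES-256-CBC
tls-auth ta.key
"""
SERVER = """mode server
proto udp4
dev tap0
cipher AES-256-CBC
"""

# Directives both peers must agree on, with the normalisation applied first.
NORMALISE = {
    "dev": lambda v: re.sub(r"\d+$", "", v),     # tap0 -> tap (device type)
    "proto": lambda v: re.sub(r"[46]$", "", v),  # udp4 -> udp
    "cipher": str.upper,
    "auth": str.upper,
    "tls-auth": lambda v: "enabled",             # key file path differs per host
}

def parse(text):
    """Return {directive: argument string}, skipping blanks and comments."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#;":
            name, _, args = line.partition(" ")
            out[name] = args.strip()
    return out

def mismatches(client_text, server_text):
    """List (directive, client value, server value) where the peers disagree."""
    c, s = parse(client_text), parse(server_text)
    found = []
    for name, norm in NORMALISE.items():
        cv = norm(c[name]) if name in c else None
        sv = norm(s[name]) if name in s else None
        if cv != sv:
            found.append((name, cv, sv))
    return found

if __name__ == "__main__":
    for name, cv, sv in mismatches(CLIENT, SERVER):
        print(f"{name}: client={cv or '(not set)'} server={sv or '(not set)'}")
```

On these excerpts it reports `dev`, `auth` and `tls-auth`; `tls-auth` configured on the client only is the condition under which an OpenVPN client logs `cannot locate HMAC in incoming packet`.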
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

Posted: Wed Aug 07, 2019 8:55
Are you setting up an OpenVPN server on the DDWRT router?

If so what client are you using to connect to it?

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
dirge
DD-WRT Novice


Joined: 06 Aug 2019
Posts: 3

Posted: Wed Aug 07, 2019 12:15
Yes, I'm trying to set up (or get working again) an OpenVPN server on the DDWRT router, and I am using the OpenVPN client to connect to it; or at least trying to.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

Posted: Wed Aug 07, 2019 13:19
OK you can only connect from outside so from another subnet. The DDWRT client and the DDWRT server have to be on different subnets.

The guide you are referring to is a good starting point.

With the settings you show it can never work, too much to mention.

So my advice: start over, reset the routers to default.

You can use the certificates if you have recently created them; be sure that key length was set to 2048.

dirge
DD-WRT Novice


Joined: 06 Aug 2019
Posts: 3

Posted: Wed Aug 07, 2019 15:40
Thanks for the response,

I managed to figure this out. The issue was that ultimately the original settings I was fighting with had been configured as Daemon mode instead of Server mode. I found another post with similar issues that posited that was the issue and ultimately was the solution there and for me. I was unable to reset the router to default as there was other business traffic in play and configurations in place that I couldn't disrupt.

The setup Word doc was a great help, but did not identify how those settings were to be set one way or the other, so I had incorrectly assumed that they were unimportant, or set correctly :( If it was to be updated, I'd humbly suggest a screenshot of what the default looks like might be of use to anyone else that ends up in my situation down the road.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

Posted: Wed Aug 07, 2019 15:52
The picture of the server settings shows you have to Config as "Server", is that not what you mean?