OpenVPN - Server or Daemon??

DD-WRT Forum Index -> Marvell MVEBU based Hardware (WRT1900AC etc.)
jakesweldingllc
DD-WRT Novice


Joined: 21 Jan 2017
Posts: 1

PostPosted: Sun Jan 22, 2017 23:58    Post subject:
I have tried to follow the happydaddy wiki posted above twice or more. I cannot connect to my OpenVPN! Can someone help? Total newb at this, thanks in advance.
b-man
DD-WRT User


Joined: 09 May 2010
Posts: 107

PostPosted: Wed Jan 25, 2017 11:37    Post subject:
Hi, I have tried setting it up but it's not working from my Android phone to the router.

Firmware: DD-WRT v3.0-r30534 std

I changed the client stuff from tap to tun and tcp to udp, as that's what the router defaulted to, and it seems others had done that too.

I set up the OpenVPN server settings as follows:

WAN Up
server
router (tun)

I'm assuming I put my dynamic DNS address in the Network spot in the router's OpenVPN server settings?

I have changed the netmask to 255.255.255.0 from 0.0.0.0 and it still doesn't work.

Encryption is set the same on both sides (AES-128-CBC).

I have nothing filled out in
Additional Config, TLS Auth Key or Certificate Revoke List.

I have forwarded port 1194 back to the router IP.

The log file on Android OpenVPN shows:

Code:
EVENT:RESOLVE
Contacting (my wanip) via UDP
EVENT:WAIT
Connecting to [my ddns]:1194(my wanip) via UDP4
Server poll timeout, Trying next remote entry
EVENT:RECONNECTING

and that repeats until it eventually stops trying.

I can ping the DDNS fine and forwarding other things through works, so I'm guessing it's a setting I have stuffed up for OVPN.
stanleycup
DD-WRT Novice


Joined: 07 Oct 2012
Posts: 4

PostPosted: Thu Jan 26, 2017 6:45    Post subject:
b-man wrote:
Hi, I have tried setting it up but it's not working from my Android phone to the router. [...]

After years of trying to get OpenVPN to work, and after following HappyDaddy's guide (thank you!), I finally got it working with a few modifications for Android.

I kept start type at System
Server
TUN
TCP

For Network, it's the subnet that you want your OpenVPN clients to be in. For example, if you use the 192.168.1.0 subnet for your LAN, then you might choose something like 192.168.10.0. This should be different from your LAN subnet. The last octet should be a 0.

Netmask: 255.255.255.0

All other settings according to HappyDaddy's post. It worked for me with either the Additional Config filled in or empty.

At this point, I could connect, but had no internet access. I had to add the following under the Administration -> Command tab and save it to the firewall. The IP should be the same as the subnet you entered for the Network setting.

iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -j MASQUERADE
iptables -I INPUT 1 -p tcp --dport 1194 -j ACCEPT
iptables -I FORWARD 1 --source 192.168.10.0/24 -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT

After adding this, I have full access to the LAN and WAN through the tunnel.
b-man
DD-WRT User


Joined: 09 May 2010
Posts: 107

PostPosted: Fri Jan 27, 2017 0:31    Post subject:
Ah, makes sense. I got caught up in putting the host name in, since that's what I was having to do with the PPTP setup I was trying to get going that just wouldn't work.

I'll see if that works now.

edit: stanleycup, you are a legend. I overlooked something so simple; I changed Network to my subnet and it connected a treat. I left it at UDP as the ovpn file on the phone was already UDP. If it had failed I was going to change to TCP, but it all works.

edit2:
OK, so it works when I'm connected to my wifi, but when I turn that off and try to connect from outside the router it won't connect via mobile data.
What am I missing?
I have the port forward in the router to the router, but using port checking the port is not open.
So that probably explains it, as in the local network it's already going to the router, where the port is not open; on the internet side it's not going to work.

When I'm forwarding ports I'm trying 192.168.10.0 (server) and 192.168.10.1 (router) with port 1194,
but checking if the ports are open shows they are closed.
All other port forwards I have going atm are working fine and show open.
Hopefully with this going I only need 1 port open so I can connect to the others locally through the OVPN.

Also, what do I need to do to set it up so the OpenVPN connects to a range 192.168.0.190-199 so:
1. I know which connections are through the VPN
2. They are on the same subnet without interfering with the DHCP clients.
3. I can then access all other computers, be it my Pis or HTPC etc.
stanleycup
DD-WRT Novice


Joined: 07 Oct 2012
Posts: 4

PostPosted: Fri Jan 27, 2017 2:52    Post subject:
In your client config, are you trying to connect to your LAN address (192.168.0.1) or your WAN address (assigned by ISP)? You should try to connect through the WAN address.

I didn't have to port forward. The router that I have OpenVPN on connects directly to the ISP, so it doesn't need to go through any other routers. In the case that you do need to port forward, you should port forward to your router's address (192.168.0.1) rather than your OpenVPN server address, because you want to connect to the router itself. At least that's how it worked when I ran OpenVPN on my Raspberry Pi.

Even though I have my OpenVPN server running on a different subnet, I can still access all my computers and Pi.
b-man
DD-WRT User


Joined: 09 May 2010
Posts: 107

PostPosted: Fri Jan 27, 2017 5:57    Post subject:
Trying to connect to my WAN address.

My router connects directly to the ISP.

I do have it set up to port forward to my router's address. I tried none, the VPN server and the router's address, but none work. I have set it back to the router.

Tried different ports, TCP, UDP, and none work.

Do you have some firewall rules or something that link the subnets?

Is there some sort of rule or iptables entry I need to add to get it to connect?

Without the forwarding rule to the router IP I can't even connect on the home network (wifi).

I have changed subnets to 10.0.0.0 and it still connects to the OVPN on wifi, but still not from WAN.
stanleycup
DD-WRT Novice


Joined: 07 Oct 2012
Posts: 4

PostPosted: Fri Jan 27, 2017 7:57    Post subject:
It sure sounds like your setup is the same as mine. Really not sure why it's not working.

The only firewall rules I have are the ones I listed in my first post.

That's so weird you can connect on wifi but not from WAN. It worked for me with both from the start. Once I was able to get a connection, my only issue was with getting internet access, and that was fixed through the firewall rules.
b-man
DD-WRT User


Joined: 09 May 2010
Posts: 107

PostPosted: Fri Jan 27, 2017 12:19    Post subject:
OK, so after a reboot of the router and phone I can connect, but now I'm getting a HMAC_ERROR.

EDIT: removed stuff as I worked out the issue.
A reboot was required for the port to be opened for access from WAN.

My HMAC issue was because I copied the client info from this thread and didn't change auth SHA1 to suit my router setup of auth SHA256.

I fixed the cipher but didn't realise the SHA1 was different.

Before
Quote:
client
dev tap
proto udp
remote yourddns.com_or_ip_address 1194
nobind
persist-key
persist-tun
verb 4
float
ca ca.crt
cert client1.crt
key client1.key
comp-lzo yes
tun-mtu 1400
auth SHA1
cipher AES-128-CBC


After
Quote:
client
dev tun
proto tcp
remote yourddns.com_or_ip_address 1194
nobind
persist-key
persist-tun
verb 4
float
ca ca.crt
cert client1.crt
key client1.key
comp-lzo yes
tun-mtu 1400
auth SHA256
cipher AES-128-CBC (changed router to match this)



I also copied these firewall settings from stanleycup, with my VPN subnet instead of his.

Quote:
iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -j MASQUERADE
iptables -I INPUT 1 -p tcp --dport 1194 -j ACCEPT
iptables -I FORWARD 1 --source 192.168.10.0/24 -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT


So it connects... but
I can't connect to my LAN, and it seems it's not using the VPN for internet even though it shows it's connected.

I ran a speed test from my phone and it's not running through my VPN, as my phone speed is 3 times faster than my home internet and it was definitely a lot faster than what my home internet can do. Also the OpenVPN client on the Android phone wasn't showing any data being transferred.

So what rules or settings do I need to implement to get it to direct traffic through my VPN?

Or do I need to bind my subnet and VPN subnet together somehow?

All I'm looking at doing is having a secure connection to my home network if I want to check how some things are running, remote desktop in if I need, be able to SSH into my Pis, and remotely add torrents when connected to the VPN.
b-man
DD-WRT User


Joined: 09 May 2010
Posts: 107

PostPosted: Sat Jan 28, 2017 6:41    Post subject:
When the Android phone connects to my OpenVPN server on the router
I can see its IP on the status tab.
I can't ping the router from my phone.
I can't ping the VPN server from my phone.
I can't ping the PC from my phone.

I can't ping the phone from my PC.

Here's the log from the router.


And another one where I removed all my firewall iptables rules and rebooted.

I noticed it talks about tun2... is there anything with that?
Also "WARNING: Your certificate is not yet valid".
I'm not sure what that is. I created my certificates a few days ago and never saw that error before.

Code:
Serverlog:
19700101 10:30:17 I OpenVPN 2.3.12 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Sep 1 2016
19700101 10:30:17 I library versions: OpenSSL 1.0.2h 3 May 2016 LZO 2.09
19700101 10:30:17 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:14
19700101 10:30:17 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
19700101 10:30:17 Diffie-Hellman initialized with 1024 bit key
19700101 10:30:17 W WARNING: Your certificate is not yet valid!
19700101 10:30:17 Socket Buffers: R=[87380->87380] S=[16384->16384]
19700101 10:30:17 I TUN/TAP device tun2 opened
19700101 10:30:17 TUN/TAP TX queue length set to 100
19700101 10:30:17 I do_ifconfig tt->ipv6=1 tt->did_ifconfig_ipv6_setup=0
19700101 10:30:17 I /sbin/ifconfig tun2 (VPNSERVER IP) netmask 255.255.255.0 mtu 1500 broadcast 192.168.10.255
19700101 10:30:17 I Listening for incoming TCP connection on [undef]
19700101 10:30:17 I TCPv4_SERVER link local (bound): [undef]
19700101 10:30:17 I TCPv4_SERVER link remote: [undef]
19700101 10:30:17 MULTI: multi_init called r=256 v=256
19700101 10:30:17 IFCONFIG POOL: base=(VPNCLIENT IP) size=252 ipv6=0
19700101 10:30:17 IFCONFIG POOL LIST
19700101 10:30:17 MULTI: TCP INIT maxclients=1024 maxevents=1028
19700101 10:30:17 I Initialization Sequence Completed
20170128 17:29:53 I TCP connection established with [AF_INET]1.125.48.54:9233
20170128 17:29:53 1.125.48.54:9233 TLS: Initial packet from [AF_INET]1.125.48.54:9233 sid=165e2005 601a7e24
20170128 17:29:54 1.125.48.54:9233 VERIFY OK: depth=1 C=AU ST=SA L=(MY LOCATION) O=(MY O) OU=(MY OU) CN=Server name=(MY NAME) emailAddress=(MY EMAIL)
20170128 17:29:54 1.125.48.54:9233 VERIFY OK: depth=0 C=AU ST=SA L=(MY LOCATION) O=(MY O) OU=(MY OU) CN=Client1 name=(MY NAME) emailAddress=(MY EMAIL)
20170128 17:29:54 1.125.48.54:9233 NOTE: --mute triggered...
20170128 17:29:54 1.125.48.54:9233 5 variation(s) on previous 3 message(s) suppressed by --mute
20170128 17:29:54 I 1.125.48.54:9233 [Client1] Peer Connection Initiated with [AF_INET]1.125.48.54:9233
20170128 17:29:54 I Client1/1.125.48.54:9233 MULTI_sva: pool returned IPv4=(VPNCLIENT IP) IPv6=(Not enabled)
20170128 17:29:54 Client1/1.125.48.54:9233 OPTIONS IMPORT: reading client specific options from: /tmp/openvpn_cc_9a6084419cf7164a405212f64f8b083b.tmp
20170128 17:29:54 Client1/1.125.48.54:9233 MULTI: Learn: (VPNCLIENT IP) -> Client1/1.125.48.54:9233
20170128 17:29:54 Client1/1.125.48.54:9233 MULTI: primary virtual IP for Client1/1.125.48.54:9233: (VPNCLIENT IP)
20170128 17:29:54 Client1/1.125.48.54:9233 PUSH: Received control message: 'PUSH_REQUEST'
20170128 17:29:54 I Client1/1.125.48.54:9233 send_push_reply(): safe_cap=940
20170128 17:29:54 Client1/1.125.48.54:9233 SENT CONTROL [Client1]: 'PUSH_REPLY route-gateway (VPNSERVER IP) topology subnet ping 10 ping-restart 120 socket-flags TCP_NODELAY ifconfig (VPNCLIENT IP) 255.255.255.0' (status=1)
20170128 17:30:04 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20170128 17:30:04 D MANAGEMENT: CMD 'state'
20170128 17:30:04 MANAGEMENT: Client disconnected
20170128 17:30:04 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20170128 17:30:04 D MANAGEMENT: CMD 'state'
20170128 17:30:04 MANAGEMENT: Client disconnected
20170128 17:30:04 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20170128 17:30:04 D MANAGEMENT: CMD 'state'
20170128 17:30:04 MANAGEMENT: Client disconnected
20170128 17:30:04 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20170128 17:30:04 MANAGEMENT: Client disconnected
20170128 17:30:04 NOTE: --mute triggered...
20170128 17:30:04 1 variation(s) on previous 3 message(s) suppressed by --mute
20170128 17:30:04 D MANAGEMENT: CMD 'status 2'
20170128 17:30:04 MANAGEMENT: Client disconnected
20170128 17:30:04 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20170128 17:30:04 D MANAGEMENT: CMD 'status 2'
20170128 17:30:04 MANAGEMENT: Client disconnected
20170128 17:30:04 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20170128 17:30:04 D MANAGEMENT: CMD 'log 500'
20170128 17:30:04 MANAGEMENT: Client disconnected
20170128 17:31:25 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20170128 17:31:25 D MANAGEMENT: CMD 'state'
20170128 17:31:25 MANAGEMENT: Client disconnected
20170128 17:31:25 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20170128 17:31:25 D MANAGEMENT: CMD 'state'
20170128 17:31:25 MANAGEMENT: Client disconnected
20170128 17:31:25 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20170128 17:31:25 D MANAGEMENT: CMD 'state'
20170128 17:31:25 MANAGEMENT: Client disconnected
20170128 17:31:25 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20170128 17:31:25 MANAGEMENT: Client disconnected
20170128 17:31:25 NOTE: --mute triggered...
20170128 17:31:25 1 variation(s) on previous 3 message(s) suppressed by --mute
20170128 17:31:25 D MANAGEMENT: CMD 'status 2'
20170128 17:31:25 MANAGEMENT: Client disconnected
20170128 17:31:25 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20170128 17:31:25 D MANAGEMENT: CMD 'status 2'
20170128 17:31:25 MANAGEMENT: Client disconnected
20170128 17:31:25 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20170128 17:31:25 D MANAGEMENT: CMD 'log 500'
20170128 17:31:25 MANAGEMENT: Client disconnected
20170128 17:31:36 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20170128 17:31:36 D MANAGEMENT: CMD 'state'
20170128 17:31:36 MANAGEMENT: Client disconnected
20170128 17:31:36 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20170128 17:31:36 D MANAGEMENT: CMD 'state'
20170128 17:31:36 MANAGEMENT: Client disconnected
20170128 17:31:36 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20170128 17:31:36 D MANAGEMENT: CMD 'state'
20170128 17:31:36 MANAGEMENT: Client disconnected
20170128 17:31:36 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20170128 17:31:36 MANAGEMENT: Client disconnected
20170128 17:31:36 NOTE: --mute triggered...
20170128 17:31:36 1 variation(s) on previous 3 message(s) suppressed by --mute
20170128 17:31:36 D MANAGEMENT: CMD 'status 2'
20170128 17:31:36 MANAGEMENT: Client disconnected
20170128 17:31:36 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20170128 17:31:36 D MANAGEMENT: CMD 'status 2'
20170128 17:31:36 MANAGEMENT: Client disconnected
20170128 17:31:36 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20170128 17:31:36 D MANAGEMENT: CMD 'log 500'
19700101 10:30:00

dh /tmp/openvpn/dh.pem ca /tmp/openvpn/ca.crt cert /tmp/openvpn/cert.pem key /tmp/openvpn/key.pem keepalive 10 120 verb 3 mute 3 syslog writepid /var/run/openvpnd.pid management 127.0.0.1 14 management-log-cache 100 topology subnet script-security 2 port 1194 proto tcp-server cipher aes-128-cbc auth sha256 client-connect /tmp/openvpn/clcon.sh client-disconnect /tmp/openvpn/cldiscon.sh client-config-dir /tmp/openvpn/ccd comp-lzo adaptive tls-server ifconfig-pool-persist /tmp/openvpn/ip-pool 86400 client-to-client tcp-nodelay tun-mtu 1500 mtu-disc yes server (MY VPN ADDRESS) 255.255.255.0 dev tun2 tun-ipv6
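The HMAC_ERROR above came from a client profile that did not match the server's options, and the posted iptables rules name tun0 while this log shows the server on tun2. The following is an added example (not code from the thread or from DD-WRT) that compares the thread's "Before" client profile against a server config constructed from the options in the startup log, and derives firewall rules from that same server config; the LAN bridge name br0 is taken from the rules posted in the thread.

```python
import ipaddress

# Constructed from the options in the server log, one per line as DD-WRT writes them.
SERVER_CONF = """\
port 1194
proto tcp-server
dev tun2
cipher aes-128-cbc
auth sha256
server 192.168.10.0 255.255.255.0
"""
# The thread's 'Before' client profile, the one that produced HMAC_ERROR.
CLIENT_BEFORE = """\
client
dev tap
proto udp
auth SHA1
cipher AES-128-CBC
"""

def parse(conf):
    """Map each option name to its argument list; comments and blanks skipped."""
    opts = {}
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            name, *args = line.split()
            opts[name] = args
    return opts

def _norm(name, args):
    """Normalise values that legitimately differ between client and server."""
    val = (args[0] if args else "").lower()
    if name == "proto":
        return val.split("-")[0]         # tcp-server / tcp-client -> tcp
    if name == "dev":
        return val.rstrip("0123456789")  # tun2 -> tun, tap0 -> tap
    return val                           # auth / cipher: case-insensitive

def mismatches(client, server):
    """{option: (client, server)} where they differ: auth -> HMAC_ERROR,
    proto -> server poll timeout, dev tap vs tun -> tunnel up but no traffic."""
    c, s = parse(client), parse(server)
    bad = {}
    for name in ("auth", "cipher", "proto", "dev"):
        cv, sv = _norm(name, c.get(name, [])), _norm(name, s.get(name, []))
        if cv != sv:
            bad[name] = (cv, sv)
    return bad

def firewall_rules(server, lan_if="br0"):
    """iptables lines derived from the server config, so port, protocol, subnet
    and tun device (tun2 here, not the tun0 in the posted rules) all match."""
    s = parse(server)
    net = ipaddress.ip_network(f"{s['server'][0]}/{s['server'][1]}")
    return [
        f"iptables -I INPUT 1 -p {_norm('proto', s['proto'])} --dport {s['port'][0]} -j ACCEPT",
        f"iptables -I FORWARD 1 -i {lan_if} -o {s['dev'][0]} -j ACCEPT",
        f"iptables -I FORWARD 1 -i {s['dev'][0]} -o {lan_if} -j ACCEPT",
        f"iptables -t nat -A POSTROUTING -s {net} -j MASQUERADE",
    ]

if __name__ == "__main__":
    print(mismatches(CLIENT_BEFORE, SERVER_CONF))
    print("\n".join(firewall_rules(SERVER_CONF)))
```

Run against the thread's "After" profile (dev tun, proto tcp, auth SHA256) the mismatch list is empty, which is the state in which the connection started working.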
philddwrt
DD-WRT Novice


Joined: 30 Jan 2017
Posts: 2

PostPosted: Mon Jan 30, 2017 16:34    Post subject:
b-man wrote:

I noticed it talks about tun2... is there anything with that?

As someone who just went through this process, here is my .02... I wasn't able to ping other systems in my router subnet using a tunneled connection. Once I switched to bridged (tap), everything worked great. I suspect with tunneling, you need to set up the appropriate routes/forwarding in order to get from the VPN subnet to the router subnet.

Also, if you do decide to use a bridged connection, make sure to modify your client config to use "dev tap".
b-man
DD-WRT User


Joined: 09 May 2010
Posts: 107

PostPosted: Tue Jan 31, 2017 6:52    Post subject:
Thanks for the input. I solved it.... sort of.

I still can't actually ping some devices, but I can ping my router now and can connect to the other devices.

I can't run tap, as Android doesn't work with it.

I added these to the server Additional Config,
but trying to get all data through the VPN doesn't work; nothing on the internet loads, so I gave up.

Quote:

# joins VPN to LAN
push "route 192.168.1.0 255.255.255.0"

#All Data Through VPN
#push "redirect-gateway def1"
#push "dhcp-option DNS 8.8.4.4" #needs work????

Then I had to add some firewall rules. I don't know if I need all of them, but it works so I'm happy.

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A INPUT -i tap+ -j ACCEPT
iptables -A FORWARD -i tap+ -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -o eth0 -j MASQUERADE
iptables -I INPUT 1 -p tcp --dport 1194 -j ACCEPT
iptables -I FORWARD 1 --source 192.168.10.0/24 -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
ghiglie
DD-WRT Novice


Joined: 12 Apr 2016
Posts: 9
Location: Italy

PostPosted: Mon Feb 13, 2017 14:16    Post subject:
I must thank you all - I finally got my OpenVPN server working with clear commands.
Now it's time to make DNSmasq serve DNS...!
suniltg
DD-WRT Novice


Joined: 11 Dec 2015
Posts: 22

PostPosted: Mon Feb 13, 2017 17:42    Post subject:
HappyDaddy wrote:
Hi,

I just finished this same setup earlier today for the first time so hopefully I can save you some time and much frustration.....


Thanks a ton for this extremely useful post. This is probably the one and only guide to OpenVPN on dd-wrt that just works on the very first attempt.

You're a star.
nat123
DD-WRT Novice


Joined: 18 Apr 2017
Posts: 1

PostPosted: Tue Apr 18, 2017 2:33    Post subject: openvpn help
Please post all the screenshots of how you have configured OpenVPN with the DD-WRT router.

I am having a hard time figuring this out.

Thanks
whatsashell
DD-WRT Novice


Joined: 26 Mar 2017
Posts: 38

PostPosted: Tue Apr 18, 2017 2:46    Post subject:
This is good, but you can use the latest OpenVPN version for Windows to generate certs and keys. Just check "install key generation scripts" or something like that during the install and it will install easy-rsa for you.

Also, don't generate a password for your certs, or you will get TLS errors.
Page 2 of 4
All times are GMT