OpenVPN - Server or Daemon??

Seferex
DD-WRT Novice


Joined: 21 Apr 2017
Posts: 6

Posted: Fri Apr 21, 2017 16:43
Hello everybody and thank you all for all the tips you wrote.

I was able to connect my Android phone to my OpenVPN and I am able to surf the internet.

The problem is the speed...
I have a 100mbps net and when I connect my phone to the OpenVPN, the client (my phone) will have a super slow speed of even less than 1mbps...

I use a WZR-HP-AG300H (Buffalo's router) that has a 680 MHz CPU...

Am I missing something? I am attaching the screenshots of my config.

And this is my .ovpn file:

Code:
client
dev tun
proto tcp
remote myddnsip.org 1194
nobind
persist-key
persist-tun
verb 4
float
ca ca.crt
cert xxx.crt
key xxx.key
comp-lzo yes
tun-mtu 1400
auth SHA1
cipher AES-128-CBC


Please help me out :(


Last edited by Seferex on Sat Apr 22, 2017 0:35; edited 1 time in total
Seferex
DD-WRT Novice


Joined: 21 Apr 2017
Posts: 6

Posted: Sat Apr 22, 2017 1:09
Hello d0ug, thank you for the info you gave me.

I did exactly what you did (I just changed my gateway, as you see in the pics).

My local LAN: 192.168.1.1
VPN IP: 10.1.1.0
My .ovpn file:

client
proto udp
remote xxxxxxxxx.org 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert xxx.crt
key xxx.key
ns-cert-type server
cipher AES-256-CBC
comp-lzo
verb 3
float

But my phone starts with a message of "connecting", then gets stuck on it, and after a few seconds it says "waiting for server".

Did I miss something?
Seferex
DD-WRT Novice


Joined: 21 Apr 2017
Posts: 6

Posted: Sat Apr 22, 2017 2:53
UPDATE:

I did manage to fix my speed problem with my configuration....

All I had to do was update the firmware (I was using a 2013 build)...

So guys, if you have problems, try first to update your firmware to the latest version.

Thank you all guys
isquaredr
DD-WRT Novice


Joined: 16 Dec 2014
Posts: 3

Posted: Wed May 03, 2017 21:47    Post subject: HappyDaddy, you are AMAZING
Thank you thank you thank you!
I've been trying to get this working for days (getting just close enough that I couldn't give up completely) and you got me up and running in less than 5 minutes. Is it possible to add your guide to the Wiki? If we ever meet in the wild, drinks are on me. Thanks again!
cby016
DD-WRT Novice


Joined: 18 May 2017
Posts: 1

Posted: Sat May 20, 2017 23:13
stanleycup wrote:


After years trying to get OpenVPN to work, after following HappyDaddy's (Thank you!) guide, I finally got it to work with a few modifications to get it working on Android.

I kept start type at System
Server
TUN
TCP

For Network, it's the subnet that you want your OpenVPN clients to be in. For example, if you use the 192.168.1.0 subnet for your LAN, then you might choose something say 192.168.10.0. This should be different than your LAN subnet. The last octet should be a 0.

Netmask: 255.255.255.0

All other settings according to HappyDaddy's post. It worked for me with either the Additional Config filled in or empty.

At this point, I could connect, but have no internet access. I had to add the following under the Administration -> Command Tab and save it to the firewall. The IP should be the same as the subnet you entered for the Network setting.

iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -j MASQUERADE
iptables -I INPUT 1 -p tcp --dport 1194 -j ACCEPT
iptables -I FORWARD 1 --source 192.168.10.0/24 -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT

After adding this, I have full access to the LAN and WAN through the tunnel.


This information from stanleycup and the post from HappyDaddy is what helped me to finally get open vpn working on my router. Thanks guys!
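
A consistency check for the firewall rules quoted above, as an added example that is not part of the original posts: it verifies that the VPN subnet differs from the LAN, that the MASQUERADE source equals the Network setting, and that an INPUT rule accepts the server's protocol and port. The name `check_firewall`, its parameters and the sample values are assumptions, constructed for illustration.

```python
import ipaddress
import shlex

def _net(text):
    """Parse a CIDR string; None if it is not one (e.g. an unexpanded $VAR)."""
    try:
        return ipaddress.ip_network(text, strict=False)
    except ValueError:
        return None

def check_firewall(lan, vpn_network, vpn_netmask, proto, port, rules):
    """Compare pasted iptables rules with the OpenVPN server settings."""
    findings = []
    vpn = _net(f"{vpn_network}/{vpn_netmask}")
    if str(vpn.network_address) != vpn_network:
        findings.append(f"Network {vpn_network} has host bits set; use {vpn.network_address}")
    if vpn.overlaps(_net(lan)):
        findings.append(f"VPN subnet {vpn} overlaps LAN {lan}")
    nat_ok = port_ok = False
    for n, line in enumerate(rules.splitlines(), 1):
        if not line.isascii():
            # Dashes pasted from a web page are often typographic, not "--".
            findings.append(f"rule {n}: typographic dash or other non-ASCII character")
        args = shlex.split(line, comments=True)
        # Map each option to the token that follows it.
        opt = {k: v for k, v in zip(args, args[1:]) if k.startswith("-")}
        src = _net(opt.get("-s") or opt.get("--source") or "")
        if opt.get("-j") == "MASQUERADE" and src == vpn:
            nat_ok = True
        if (opt.get("-I") == "INPUT" and opt.get("-p") == proto
                and opt.get("--dport") == str(port) and opt.get("-j") == "ACCEPT"):
            port_ok = True
    if not nat_ok:
        findings.append(f"no MASQUERADE rule for VPN subnet {vpn}")
    if not port_ok:
        findings.append(f"no INPUT rule accepts {proto}/{port}")
    return findings

# Constructed sample: the NAT source and one dash are wrong on purpose.
SAMPLE_RULES = ("iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE\n"
                "iptables -I INPUT 1 -p udp -\u2013dport 1194 -j ACCEPT\n")

if __name__ == "__main__":
    for finding in check_firewall("192.168.0.0/24", "192.168.0.1",
                                  "255.255.255.0", "udp", 1194, SAMPLE_RULES):
        print(finding)
```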
ZARK
DD-WRT Novice


Joined: 19 Aug 2017
Posts: 1

Posted: Sun Aug 20, 2017 0:41
Thanks A Million ------> happy Daddy <----- finally got this working :D
Boogalooz
DD-WRT User


Joined: 13 Oct 2017
Posts: 52

Posted: Thu Oct 26, 2017 19:16
edited to delete duplicate... sorry.

Last edited by Boogalooz on Thu Oct 26, 2017 22:15; edited 1 time in total
sarumans
DD-WRT Novice


Joined: 01 Dec 2013
Posts: 18

Posted: Thu Oct 26, 2017 20:02    Post subject: wdr3600 openVPN
Hello, can somebody help me with the wdr3600? I'm trying everything but with no luck.
omega-3
DD-WRT Novice


Joined: 23 Feb 2009
Posts: 24

Posted: Thu Oct 26, 2017 20:06
@Boogalooz -- Answered in your other thread http://www.dd-wrt.com/phpBB2/viewtopic.php?p=1101243#1101243

Posting the same question in two forums fragments the replies and causes confusion.
Boogalooz
DD-WRT User


Joined: 13 Oct 2017
Posts: 52

Posted: Thu Oct 26, 2017 22:50
omega-3 wrote:
@Boogalooz -- Answered in your other thread http://www.dd-wrt.com/phpBB2/viewtopic.php?p=1101243#1101243

Posting the same question in two forums fragments the replies and causes confusion.


Copy that. I just deleted the post in this thread, and asked an additional question over in my thread.

In response to this thread, I did everything according to the quasi-guide listed here, and I can in fact now connect to the router through the tunnel, but I cannot connect to the internet from my client.

I have these exact settings in my Administration/Commands section:


iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -j MASQUERADE
iptables -I INPUT 1 -p tcp --dport 1194 -j ACCEPT
iptables -I FORWARD 1 --source 192.168.10.0/24 -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT

Still no internet access while the tunnel is active.
Boogalooz
DD-WRT User


Joined: 13 Oct 2017
Posts: 52

Posted: Sun Oct 29, 2017 3:23    Post subject: MAJOR UPDATE
I finally succeeded in making this work by following this guide and reading every post in it to find the tidbits necessary for a successful set up.

After many failed attempts, what I learned was that I needed to hard reset my router and set it back to DD-WRT defaults and start from zero. That was the best thing I did in this whole process.

I also deleted my entire OpenVPN folder and every .ovpn file I had created in previous attempts so that I could start fresh all across the board. That was the second best thing I did.

Next, I followed the process outlined by HappyDaddy (thank you) and used the firewall code supplied by StanleyCup (thank you) and started out to get one client up and running with internet and lan access.

The fresh start approach was the key and it worked like a charm.

My set up:

(1) Linksys WRT-1900AC (v2) running build r33555 10/20/17 (std).
Behind a FIOS router with 150/150 speed.
(2) Windows 7 client (same machine I built the certs/keys on).

The system has been up and running stable for the last 8 hours now, with zero issues.

My WRT-1900ACv2 has the same processor speed as a 1900ACS (1600 MHz). Speed test results indicate I am losing right around 40 Mbps through the VPN with 2048 level encryption set up. I am getting anywhere between 113 and 108 Mbps results, which is totally acceptable to me, considering that the PiVPN I was using could only chug out between 20-30 Mbps... The speed hit was enormous through the Pi.

I went back in and generated 5 more keys for the various devices in my LAN successfully, and as of this post, I have 5 devices connected to and routing traffic through the VPN. To say that I am ecstatic is the understatement of the year indeed.

I am using a slightly different process in my .ovpn files, in that I have the certs and key within each .ovpn file.

Here is an example:

Code:

client
dev tun
proto tcp
remote my.ip.myddns.org 11989
nobind
persist-key
persist-tun
remote-cert-tls server
auth-nocache
verb 4
float
comp-lzo yes
tun-mtu 1500
auth SHA256
cipher AES-256-CBC
<ca>
-----BEGIN CERTIFICATE-----
CA.CRT gobble-d-gook-here-----
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
CLIENT.CRT gobble-d-gook-here-----
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
CLIENT.KEY gobble-d-gook-here-----
-----END PRIVATE KEY-----
</key>


I also put the "auth-nocache" line in my client files because I have always hated the RED WARNING message that flashes by during connection, so I just added it, even though I know it is probably not an issue. Now the red warning message is no longer there...

Again, I did NOT have to put ANY additional "code" in the "Additional Config" section at all. My set up works perfectly without it.

I did however, use the following firewall settings provided by StanleyCup (modified the port # I am actually using):

iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -j MASQUERADE
iptables -I INPUT 1 -p tcp --dport 11989 -j ACCEPT
iptables -I FORWARD 1 --source 192.168.10.0/24 -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT

Prior to starting fresh with clean everything, I was able to connect via lan only. I could not get internet access until I placed StanleyCup's code in the firewall and saved the firewall. I did not have to reboot the router for that setting to take, although it did take a minute or 2 of refreshing web pages to finally get a connection, but it happened and it was a beautiful thing.

Not sure what else I can share with everyone that may be helpful, but if you can think of anything let me know and I will post it up.

P.S. 3 of the devices I have connected using this set up are Android.


Last edited by Boogalooz on Tue Oct 31, 2017 3:22; edited 1 time in total
sarumans
DD-WRT Novice


Joined: 01 Dec 2013
Posts: 18

Posted: Sun Oct 29, 2017 19:04
Hello,
if you can and if you want, can you help me please!!!!!!!!!!

I am so desperate.

I have a wdr3600 router and I have installed the r33555 DD-WRT firmware.
I have Windows 7 64-bit and try to create certificates with OpenVPN 2.1.4 and 2.2.2.

But I can't connect from my ANDROID phone; I get a lot of different errors.

19:54 library versions: OpenSSL 1.1.0f 25 May 2017, LZO 2.10

19:54 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.

19:54 MGMT: Got unrecognized command>FATAL:Cannot load inline certificate file

19:54 OpenSSL: error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak

19:54 OpenSSL reproted a certificate with a weak hash, please the in app FAQ about weak hashes

19:54 Cannot load inline certificate file

19:54 Exiting due to fatal error

19:54 Process exited with exit value 1

My router ip 192.168.0.1

Type WAN
as Server
(TUN)
192.168.0.1
255.255.255.0
1194
UDP
AES-128-CBC
SHA1
LZO
Redirect default Gateway Enable
Allow Client to Client Enable
Allow duplicate cn Disable
1400

Tunnel UDP MSS-Fix Enable




ADV OPT

push "route 192.168.0.1 255.255.255.0"
push "dhcp-option DNS 192.168.0.1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 208.67.222.222"
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"


FIREWALL

#!/bin/sh
OVPN_SERVER="10.8.0.0/24"
OVPN_DEV="tun0"
OVPN_DEV="tun2"
OVPN_PROTO="udp"
OVPN_PORT="1194"

WAN_IF="$(ip route | awk '/^default/{print $NF}')"

# open the OpenVPN server port
iptables -I INPUT -i $WAN_IF -p $OVPN_PROTO --dport $OVPN_PORT -j ACCEPT

# allow OpenVPN clients to access the OpenVPN server
iptables -I INPUT -i $OVPN_DEV -m state --state NEW -j ACCEPT

# allow OpenVPN clients to access ALL other devices on the LAN
iptables -I FORWARD -i $OVPN_DEV -o -m state --state NEW -j ACCEPT
# nat OpenVPN clients over the local internet gateway
iptables -t nat -A POSTROUTING -s $OVPN_SERVER -o $WAN_IF -j MASQUERADE

iptables -I INPUT -p udp --dport 443 -j ACCEPT
iptables -I INPUT -p udp --dport 1194 -j ACCEPT

iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT

iptables -I FORWARD -i br0 -o tun2 -j ACCEPT
iptables -I FORWARD -i tun2 -o br0 -j ACCEPT



PLEASE...help me!!!!!!!!!!!


IF IS POSSIBLE....a link to correctly set all ddwrt router
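
A profile check for the conditions named in the client log above, as an added example that is not part of the original post: it flags a missing server-certificate verification directive, an inline block that does not decode as a certificate, and a certificate signed with MD5, a digest OpenSSL 1.1.0 rejects with "md too weak". The function names and the sample profile are assumptions; the sample certificate is a constructed DER skeleton, not a real one.

```python
import base64
import re

SIG_OIDS = {bytes.fromhex("2a864886f70d010104"): "md5WithRSAEncryption",
            bytes.fromhex("2a864886f70d010105"): "sha1WithRSAEncryption",
            bytes.fromhex("2a864886f70d01010b"): "sha256WithRSAEncryption"}
WEAK = {"md5WithRSAEncryption"}   # OpenSSL 1.1.0 rejects this digest as "md too weak"
VERIFY = {"remote-cert-tls", "remote-cert-eku", "ns-cert-type",
          "verify-x509-name", "tls-verify"}   # treated here as server verification
CERT = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):
    """Return (value_start, value_end) of the DER element starting at pos."""
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:             # long form: the next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return pos, pos + length

def sig_algorithm(der):
    """Name (or hex OID) of Certificate.signatureAlgorithm."""
    start, _ = _tlv(der, 0)                # outer Certificate SEQUENCE
    _, tbs_end = _tlv(der, start)          # skip tbsCertificate
    alg_start, _ = _tlv(der, tbs_end)      # AlgorithmIdentifier SEQUENCE
    oid_start, oid_end = _tlv(der, alg_start)
    oid = der[oid_start:oid_end]
    return SIG_OIDS.get(oid, oid.hex())

def check_profile(text):
    """Findings for an .ovpn client profile with inline <ca>/<cert> blocks."""
    findings = []
    outside = re.sub(r"<(\w+)>.*?</\1>", "", text, flags=re.S)
    if not VERIFY & {l.split()[0] for l in outside.splitlines() if l.split()}:
        findings.append("no server certificate verification directive")
    for name, pem in re.findall(r"<(ca|cert)>(.*?)</\1>", text, re.S):
        try:
            b64 = "".join(CERT.search(pem).group(1).split())
            alg = sig_algorithm(base64.b64decode(b64, validate=True))
        except (AttributeError, ValueError, IndexError):
            findings.append(f"<{name}>: does not decode as a certificate")
            continue
        if alg in WEAK:
            findings.append(f"<{name}>: signed with {alg}")
    return findings

# Constructed sample (not a real certificate): DER skeleton with an MD5 signature OID.
_DER = bytes.fromhex("3014" "3000" "300d06092a864886f70d0101040500" "030100")
SAMPLE = ("client\nremote vpn.example.org 1194\n<ca>\n-----BEGIN CERTIFICATE-----\n"
          + base64.b64encode(_DER).decode() + "\n-----END CERTIFICATE-----\n</ca>\n")
```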
sarumans
DD-WRT Novice


Joined: 01 Dec 2013
Posts: 18

Posted: Tue Oct 31, 2017 17:27
Hello @Boogalooz, can you help me please??
I have been trying everything for months but no luck.

I have a wdr3600 router, LAN 192.168.0.1, and I am trying to connect with my Android phone.

Can you post your settings on the router? (An image, if possible.)

Which version of OpenVPN are you using?
I have Windows 7 64-bit. How do you generate the keys?
Boogalooz
DD-WRT User


Joined: 13 Oct 2017
Posts: 52

Posted: Wed Nov 01, 2017 0:15
sarumans wrote:
Hello @Boogalooz, can you help me please??
I have been trying everything for months but no luck.

I have a wdr3600 router, LAN 192.168.0.1, and I am trying to connect with my Android phone.

Can you post your settings on the router? (An image, if possible.)

Which version of OpenVPN are you using?
I have Windows 7 64-bit. How do you generate the keys?


I followed the instructions in post #2 on page 1 of this thread.

I strongly suggest you do the same, it is the ONLY thing that worked for me.

The other thing I STRONGLY suggest you do is throw out everything you have done so far, clean all of your files out, delete everything you have stored in any folder that relates to OpenVPN on your computer, and then re-install OpenVPN from scratch, and finally, do a MEDIUM reset on your router by holding the reset button down for 20 seconds, and then let it reboot, to set everything back to defaults in DD-WRT. Make sure you know what your basic settings for your router are before you do the MEDIUM reset, so you can put those back in place when you log in for the first time.

From there, you can actually start with a clean slate, follow the instructions precisely, and you should be able to make it work.

I cannot re-write everything in this thread, but I can tell you that everything you need to make it work is here.

That being said, I do NOT have the same router as you do. Mine is a Linksys WRT-1900AC(v2). But we are running the same firmware (r33555) so your setup should be the same as mine is, and everything I needed to know, was found here in this thread.

Just take your time, follow the steps outlined and you should be able to get it.

I used a Windows 7, 64bit computer to generate the keys.
sarumans
DD-WRT Novice


Joined: 01 Dec 2013
Posts: 18

Posted: Wed Nov 01, 2017 8:55
@Boogalooz OK, just some questions, if possible.

1. Do you use OpenVPN 2.2.2 or the latest release?

client
dev tun
proto tcp <---use this or udp?
remote my.ip.myddns.org 11989 <--or 1194?

2. On the server, do you use TCP or UDP?
I am testing my router ports but they are all closed.

3. My LAN is 192.168.0.1.
Can you tell me the correct value for the VPN?

4. Can you write the correct settings for:

OpenVPN Server/Daemon on ddwrt:

OpenVPN:
Start Type:
Config as:
Server modeRouter:
Network:
Netmask:
Port:
Tunnel Protocol:
Encryption Cipher
Hash Algorithm
Advanced Options:
TLS Cipher:
LZO Compression:
Redirect default Gateway:
Allow Client to Client:
Tunnel MTU setting:

Tunnel UDP Fragment:

Tunnel UDP MSS-Fix:

thanks so so much.