DD-Wrt and Cyberghost

mattygg
DD-WRT Novice


Joined: 02 Jan 2011
Posts: 8

Posted: Sat Feb 24, 2018 23:18    Post subject: DD-Wrt and Cyberghost
Good Evening All,

I was wondering whether anyone can help me, I have been trying all evening to get this working, but to no avail.

I currently have a Linksys E900 router running build 21061, which is the latest build for my router. The router works fine at the moment with no VPN added, so I know that my network is running fine. I am trying to install Cyberghost onto the router via the OpenVPN settings, however I cannot seem to do it. I have followed the guide on their website, which didn't work, and after looking through some forums I found that it appears to be quite old. I cannot even seem to get any information appearing on the "status" tab, so I can't even find any error codes to try and "google".

https://support.cyberghostvpn.com/hc/en ... RT-routers

I have also changed the DNS servers on the front page to the current google ones, as that was advised on a forum.

Due to this being an older build I have added the line "auth-user-pass /tmp/key.txt" and then added the username and password given from the website (not my login details).

I'm hoping that someone here has it working and could send me through their config.

Any help, guidance or things to try would be greatly appreciated.

Thanks Matt
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8034

Posted: Sun Feb 25, 2018 1:09    Post subject:
Just another case of the VPN provider providing outdated instructions.

You don't need any additional firewall rules. In fact, the following one in particular makes no sense. It's actually blocking replies back from the VPN server and into the router.

Code:
iptables -I INPUT -i tun1 -j REJECT


Just get rid of it all.

Also, you don't need anything at all in the Additional Config field. Everything you need should be available via the GUI fields. That includes specifying sha256 for the Hash Algorithm (at least if that's what the specific config file they give you demands; Hash Algorithm in the GUI = OpenVPN auth directive).

There's also an option to specify the User Auth on the GUI, at least if you're using a relatively recent build, thus eliminating the need for the auth-user-pass directive and username/password file. But if your build doesn't have it, then that's the one exception where you'll need to use that directive in the Additional Config field and provide the file via the startup script.

Finally, you *must* enable the NAT option on the GUI.
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8034

Posted: Sun Feb 25, 2018 1:43    Post subject:
Might also want to look into updating that firmware. I believe this is the right one from BS (Brainslayer) builds.

ftp://ftp.dd-wrt.com/betas/2018/02-17-2018-r35034/broadcom_K26/dd-wrt.v24-35034_NEWD-2_K2.6_mega-nv64k.bin

At least the naming seems consistent when compared to the 21061 files listed in the dd-wrt database. Perhaps someone else would like to confirm my findings, just in case I'm missing something.

I bring it up for two reasons. A number of serious bugs have since been fixed (most notably KRACK), and that 21061 build is notorious for having numerous SSH issues.

But as always, it's your call, and you do so at your own risk. :)
mattygg
DD-WRT Novice


Joined: 02 Jan 2011
Posts: 8

Posted: Sun Feb 25, 2018 21:15    Post subject: Nearly There
Thanks very much for the reply. I think I am nearly there, I'm hoping it's just one box that I need to tick.

I have managed to update my firmware to the latest one and I have put all of my details into the Service>OpenVPN page. I also ticked the NAT box. I also port forwarded port 1194 on my main router too.

I'm not sure whether this is correct or not but when I download my config files from the website I get 4 files, ca.crt (copied into CA Cert box), client.crt (copied into Public Client Cert box) and client.key (copied into Private Client Key box).

When I go to Status>OpenVPN I now have lots of writing which I didn't have before, however I think I have a TLS error. I was wondering whether you could help, I cannot seem to find any TLS config files to input.

I have also copied the log from the file for you to see:

20180225 21:07:57 I [UNDEF] Inactivity timeout (--ping-restart) restarting
20180225 21:07:57 I SIGUSR1[soft ping-restart] received process restarting
20180225 21:07:57 Restart pause 5 second(s)
20180225 21:08:02 W WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
20180225 21:08:02 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
20180225 21:08:02 I TCP/UDP: Preserving recently used remote address: [AF_INET]217.151.98.47:1194
20180225 21:08:02 Socket Buffers: R=[114688->114688] S=[114688->114688]
20180225 21:08:02 I UDPv4 link local: (not bound)
20180225 21:08:02 I UDPv4 link remote: [AF_INET]217.151.98.47:1194
20180225 21:09:02 N TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
20180225 21:09:02 N TLS Error: TLS handshake failed
20180225 21:09:02 I SIGUSR1[soft tls-error] received process restarting
20180225 21:09:02 Restart pause 5 second(s)
20180225 21:09:07 W WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
20180225 21:09:07 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
20180225 21:09:07 I TCP/UDP: Preserving recently used remote address: [AF_INET]89.238.139.199:1194
20180225 21:09:07 Socket Buffers: R=[114688->114688] S=[114688->114688]
20180225 21:09:07 I UDPv4 link local: (not bound)
20180225 21:09:07 I UDPv4 link remote: [AF_INET]89.238.139.199:1194
20180225 21:09:32 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20180225 21:09:32 D MANAGEMENT: CMD 'state'
20180225 21:09:32 MANAGEMENT: Client disconnected
20180225 21:09:32 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20180225 21:09:32 D MANAGEMENT: CMD 'state'
20180225 21:09:32 MANAGEMENT: Client disconnected
20180225 21:09:32 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20180225 21:09:32 D MANAGEMENT: CMD 'state'
20180225 21:09:32 MANAGEMENT: Client disconnected
20180225 21:09:32 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20180225 21:09:32 D MANAGEMENT: CMD 'status 2'
20180225 21:09:32 MANAGEMENT: Client disconnected
20180225 21:09:32 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20180225 21:09:32 D MANAGEMENT: CMD 'log 500'
20180225 21:09:32 MANAGEMENT: Client disconnected
20180225 21:10:07 N TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
20180225 21:10:07 N TLS Error: TLS handshake failed
20180225 21:10:07 I SIGUSR1[soft tls-error] received process restarting
20180225 21:10:07 Restart pause 5 second(s)
20180225 21:10:12 W WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.

Thanks again for your help
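
A way to read the log above one connection attempt at a time, as an added example that is not part of the original post: it records which server each attempt targeted, how the attempt ended, and whether OpenVPN reported that the server certificate is not being verified. The function names are illustrative; the sample lines are copied from the log above.

```python
import re

# Lines copied from the log posted above (two connection attempts).
SAMPLE_LOG = """\
20180225 21:08:02 W WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
20180225 21:08:02 I UDPv4 link remote: [AF_INET]217.151.98.47:1194
20180225 21:09:02 N TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
20180225 21:09:02 N TLS Error: TLS handshake failed
20180225 21:09:07 W WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
20180225 21:09:07 I UDPv4 link remote: [AF_INET]89.238.139.199:1194
20180225 21:09:32 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20180225 21:10:07 N TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
20180225 21:10:07 N TLS Error: TLS handshake failed
"""

# "link remote" marks the start of an attempt; MANAGEMENT lines do not match.
REMOTE = re.compile(r"link remote: \[AF_INET\]([\d.]+):(\d+)")

def triage(log_text):
    """Split the log into connection attempts and record how each one ended."""
    attempts, current, unverified = [], None, False
    for line in log_text.splitlines():
        if "No server certificate verification method" in line:
            unverified = True  # the client is not checking the server's identity
        m = REMOTE.search(line)
        if m:
            current = {"remote": m.group(1), "port": int(m.group(2)), "result": "pending"}
            attempts.append(current)
        elif current and "TLS key negotiation failed" in line:
            current["result"] = "handshake-timeout"
        elif current and "Initialization Sequence Completed" in line:
            current["result"] = "connected"
    return {"attempts": attempts, "server_cert_unverified": unverified}

def summary(report):
    """Turn the triage result into short hints for the person debugging."""
    notes = []
    if {a["result"] for a in report["attempts"]} == {"handshake-timeout"}:
        notes.append("no server answered: compare port/proto with the provider config")
    if report["server_cert_unverified"]:
        notes.append("server certificate is not verified (see remote-cert-tls)")
    return notes

if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for attempt in report["attempts"]:
        print(attempt)
    print(summary(report))
```
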
mattygg
DD-WRT Novice


Joined: 02 Jan 2011
Posts: 8

Posted: Sun Feb 25, 2018 21:21    Post subject:
Also, I'm not sure which Encryption cipher I need to use. The default was blowfish CBC, however I'm wondering whether I need AES-256 so it matches the hashing algorithm.

Cheers again
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8034

Posted: Sun Feb 25, 2018 22:12    Post subject:
You need to examine the openvpn config file for that specific server and see what it uses for cipher and auth (unless the VPN provider uses the same settings for all their servers, which sometimes happens).

In the GUI, Encryption Cipher = cipher, and Hash Algorithm = auth.

Since you've port forwarded to this router, I assume its WAN is connected to a LAN port on the primary router? And it's configured w/ Gateway as its Operating Mode?
mattygg
DD-WRT Novice


Joined: 02 Jan 2011
Posts: 8

Posted: Sun Feb 25, 2018 23:39    Post subject:
I have looked in the config file and I have seen that it's AES-256 and SHA256 for both values.

I have also checked and it is showing as gateway for operating mode.

I am still however getting tls-error messages.

Yes the router is using the LAN to WAN connection
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8034

Posted: Sun Feb 25, 2018 23:42    Post subject:
Duh, what am I saying. I was thinking for a second this was an OpenVPN server when you mentioned port forwarding. For the OpenVPN client, port forwarding is irrelevant. Remove any such port forwarding from all routers.
mattygg
DD-WRT Novice


Joined: 02 Jan 2011
Posts: 8

Posted: Sun Feb 25, 2018 23:44    Post subject:
Also in the config file it says 443. I'm not sure whether this is the port number or not.

However when I change it within the settings from 1194 to 443 I seem to lose connection.

Not sure if that helps or not
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8034

Posted: Mon Feb 26, 2018 0:12    Post subject:
Port 443 is another common port used by VPN providers. It's for ppl whose firewall may only be open (outbound) on ports 80 and/or 443. Something you might encounter at the workplace, for example. But dd-wrt, by default, doesn't block any outbound ports. And I have no reason to suspect your ISP and his modem+router would either.

Again, port forwarding is totally irrelevant wrt the OpenVPN client.

All I can suggest at this point is letting us see the VPN provider's config file (don't need to see keys, certs, etc., just the basic config) and your OpenVPN client setup page. Maybe it's an obvious error once seen.

Also, double check you have the correct certs and keys in the correct fields. It's oh so easy to mess this up!
mattygg
DD-WRT Novice


Joined: 02 Jan 2011
Posts: 8

Posted: Mon Feb 26, 2018 0:16    Post subject:
Hiya,

This is the config file from the website:

client
remote 1-gb.cg-dialup.net 443
dev tun
proto udp
auth-user-pass


resolv-retry infinite
redirect-gateway def1
persist-key
persist-tun
nobind
cipher AES-256-CBC
auth SHA256
ping 5
ping-exit 60
ping-timer-rem
explicit-exit-notify 2
script-security 2
remote-cert-tls server
route-delay 5
tun-mtu 1500
fragment 1300
mssfix 1300
verb 4
comp-lzo


ca ca.crt

cert client.crt

key client.key


I hope that helps
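
A sketch of checking the provider config above against what the router is actually using, as an added example that is not part of the original post. The `ROUTER` dictionary is a constructed stand-in for the GUI state described in this thread (port 1194 and UDP from the posted log, fragment disabled by default, no server certificate verification per the log warning); the compression value is an assumption, and the key and function names are illustrative.

```python
# Provider config as posted above (certificate and key file lines left out).
PROVIDER_CONF = """\
client
remote 1-gb.cg-dialup.net 443
dev tun
proto udp
auth-user-pass
cipher AES-256-CBC
auth SHA256
remote-cert-tls server
tun-mtu 1500
fragment 1300
mssfix 1300
comp-lzo
"""

# Directives that must agree with the server, or that protect the handshake.
CHECKED = ("remote_port", "proto", "cipher", "auth",
           "fragment", "comp-lzo", "remote-cert-tls")

def parse_ovpn(text):
    """Parse OpenVPN directives into a dict; flag-only directives map to 'yes'."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):   # ';' also starts a comment
            continue
        key, *args = line.split()
        if key == "remote":
            conf["remote_host"] = args[0]
            conf["remote_port"] = args[1] if len(args) > 1 else "1194"
        else:
            conf[key] = " ".join(args) if args else "yes"
    return conf

def mismatches(provider, router):
    """Return {directive: (provider_value, router_value)} for every difference."""
    return {k: (provider.get(k), router.get(k))
            for k in CHECKED if provider.get(k) != router.get(k)}

# Constructed router state; None means the option is off or left at "disabled".
ROUTER = {"remote_port": "1194", "proto": "udp", "cipher": "AES-256-CBC",
          "auth": "SHA256", "fragment": None, "comp-lzo": "yes",
          "remote-cert-tls": None}

if __name__ == "__main__":
    for key, (want, have) in mismatches(parse_ovpn(PROVIDER_CONF), ROUTER).items():
        print(f"{key}: provider={want} router={have}")
```
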
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8034

Posted: Mon Feb 26, 2018 0:35    Post subject:
When I do an nslookup for that domain name, I get the following.

Code:
C:\Users\Owner>nslookup 1-gb.cg-dialup.net
Server:  router
Address:  192.168.61.1

Non-authoritative answer:
Name:    1-gb.cg-dialup.net
Addresses:  217.151.98.43
          81.92.203.79
          89.238.183.229
          89.238.183.231
          81.92.203.247
          89.238.136.151
          89.238.139.199
          217.151.98.47
          89.238.139.198
          81.92.203.84



IOW, there are multiple servers associated w/ that domain name. Try using other explicit IPs from that list, or try some other domain name. Maybe it's just a problem w/ that server. Sometimes they just aren't up and running!
mattygg
DD-WRT Novice


Joined: 02 Jan 2011
Posts: 8

Posted: Mon Feb 26, 2018 12:03    Post subject:
Thanks very much for your help.

I have managed to get it working. I'm not sure why, but the UK servers don't seem to like the OpenVPN; however, I have changed to the US servers and it seems to be working ok.

The only other thing I did was looking on the config file: it shows the "tunnel udp fragment" disabled as a default, however it looks as though I have the value of 1300 in my config file. I have changed it to 1300 also and it seems to be ok.

Thanks again for your help
spikey1973
DD-WRT Novice


Joined: 20 Feb 2017
Posts: 29

Posted: Fri May 24, 2019 23:00    Post subject:
Hello Matt, Matt here ;)

Unfortunately we do not only have the same name but also the same issue. Unlike you I still can't seem to get it solved.

May I ask you to do for me what you asked for?
And send me a copy of your setup (without username and password and other identifier markers).

You would seriously help me out there!

kind regards in advance!

Matt
spikey1973
DD-WRT Novice


Joined: 20 Feb 2017
Posts: 29

Posted: Fri May 24, 2019 23:37    Post subject:
I will add two screenshots of my settings.