moving from Build 21061 to latest 35531. OpenVPN Trouble.

Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Advanced Networking
Author Message
DD-WRT Novice

Joined: 16 Jun 2009
Posts: 23

PostPosted: Sun Apr 01, 2018 4:02    Post subject: moving from Build 21061 to latest 35531. OpenVPN Trouble. Reply with quote
So I want to move to a later Build I have OpenVPN up and running on the older build.

I know that there are updated configurations but not sure where to put some of the new commands. Any thoughts?


Cisco E3000 Mega Build 21061

30-30-30 and loaded Mega Build 35531 and retyped the setup did not just reload a saved config.

The Following OpenVPN configuration works on the 21061 but not on the 35531.

The one thing I don't know is where to put mtu-disc yes.

I know Certs are fine. I am running in Daemon and not server GUI. It is pretty much the sample server and client config for OpenVPN 2.0 I did update UDP to UDP4 in both server and client config and Firewall config to confirm working on older build.

Router Server Info.

Additional Config:

push "route"
push "dhcp-option DNS"

dev tun0
proto udp4
keepalive 10 120
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem

# Only use crl-verify if you are using the revoke list - otherwise leave it commented out
# crl-verify /tmp/openvpn/ca.crl

# management parameter allows DD-WRT\s OpenVPN Status web page to access the server\s management port
# port must be 5001 for scripts embedded in firmware to work
management localhost 5001


iptables -I INPUT 1 -p udp4 --dport 1194 -j ACCEPT

iptables -I FORWARD 1 --source -j ACCEPT

Computer Client Info:

Installed Openvpn 2.4.4-1601

Config file:


dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one. On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap

# Are we connecting to a TCP or
# UDP server? Use the same setting as
# on the server.
;proto tcp
proto udp4

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote xx.xx.xx.xx 1194

# Choose a random host from the remote
# list for load-balancing. Otherwise
# try hosts in the order specified.

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server. Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.

# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nobody

# Try to preserve some state across restarts.

# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here. See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot
# of duplicate packets. Set this flag
# to silence duplicate packet warnings.

# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
ca ca.crt
cert client2.crt
key client2.key

# Verify server certificate by checking
# that the certicate has the nsCertType
# field set to "server". This is an
# important precaution to protect against
# a potential attack discussed here:
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server". The build-key-server
# script in the easy-rsa folder will do this.
ns-cert-type server

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.

# Set log file verbosity.
verb 5

# Silence repeating messages
mute 100

WRT600n BS Mega r15962 --Broadband Router
WRT600n BS Mega r15962 --Repeater Bridge
WRT54G-TM BS Mega r15962 --Broadband Router and OpenVPN Server
WRT54G-TM BS Mega r15962 --Broadband Router
WRT54G v2.0 EKO Std r15943_VINT --Idle
WRT54G v1.1 --Idle
WRT54GS V6.0 BS VPN r15962 --Idle

Joined: 18 Mar 2014
Posts: 7463
Location: Netherlands

PostPosted: Sun Apr 01, 2018 9:59    Post subject: Reply with quote
Proto and MTU Disc are handled correctly by recent builds so you do not need to specify this.

The only firewall rule really needed (to give the VPN clients access to your network/internet) is the following:
iptables -t nat -A POSTROUTING -j MASQUERADE

You are using tun0 that could be a problem as DDWRT in most builds uses tun2 by default and thus inserts the necessary firewall rules for tun2.
You might try to delete tun0 and let DDWRT handle this.

For recent versions you have to regenerate your certificates

Attached my notes for setting up a VPN server hope it will help

Routers:Netgear R7800, R6400v1, R6400v2, Linksys EA8500, EA6900 (XvortexCFE), E2000 (converted WRT320N), WRT54GS v1.
WireGuard Documents & Guides:
OpenVPN Documents & Guides:
Install guide R6400v2:
Install guide R7800:
Forum Guide Lines (important read):
Display posts from previous:    Page 1 of 1
Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Advanced Networking All times are GMT


Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You cannot download files in this forum