OpenVPN configuration

Mojave83
DD-WRT Novice


Joined: 07 Jul 2019
Posts: 3

Posted: Tue Sep 03, 2019 13:49    Post subject: OpenVPN configuration
Hi All,

Trying to set up the OpenVPN client on my 1900acs v2 with build 40559.

It goes to CONNECTED SUCCESS but no internet access at all.

Please help!


ovpn config file
Code:

dev tun
persist-tun
persist-key
cipher AES-256-CBC
auth SHA512
tls-client
client
resolv-retry infinite
remote 185.56.89.176 2022 udp
setenv opt block-outside-dns
auth-user-pass
remote-cert-tls server
compress lzo

<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
setenv CLIENT_CERT 0
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-auth>


Output
Code:

State
Client: CONNECTED SUCCESS
Local Address: 10.2.0.18
Remote Address: 10.2.0.17

Status
VPN Client Stats
TUN/TAP read bytes   243848
TUN/TAP write bytes   74904
TCP/UDP read bytes   97365
TCP/UDP write bytes   343853
Auth read bytes   78440
pre-compress bytes   12517
post-compress bytes   12652
pre-decompress bytes   19431
post-decompress bytes   22473

Log
Clientlog:
20190903 16:49:56 W WARNING: Using --management on a TCP port WITHOUT passwords is STRONGLY discouraged and considered insecure
20190903 16:49:56 W WARNING: file '/tmp/openvpncl/ta.key' is group or others accessible
20190903 16:49:56 W WARNING: file '/tmp/openvpncl/credentials' is group or others accessible
20190903 16:49:56 I OpenVPN 2.4.7 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Aug 6 2019
20190903 16:49:56 I library versions: OpenSSL 1.1.1c 28 May 2019 LZO 2.09
20190903 16:49:56 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:16
20190903 16:49:56 W WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
20190903 16:49:56 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
20190903 16:49:56 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
20190903 16:49:56 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
20190903 16:49:56 I TCP/UDP: Preserving recently used remote address: [AF_INET]185.56.89.176:2022
20190903 16:49:56 Socket Buffers: R=[180224->180224] S=[180224->180224]
20190903 16:49:56 I UDPv4 link local: (not bound)
20190903 16:49:56 I UDPv4 link remote: [AF_INET]185.56.89.176:2022
20190903 16:49:56 TLS: Initial packet from [AF_INET]185.56.89.176:2022 sid=c9452ed5 920d78f0
20190903 16:49:56 W WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
20190903 16:49:56 VERIFY OK: depth=1 CN=ChangeMe
20190903 16:49:56 VERIFY OK: nsCertType=SERVER
20190903 16:49:56 VERIFY OK: depth=0 CN=ChangeMe
20190903 16:49:56 NOTE: --mute triggered...
20190903 16:49:56 1 variation(s) on previous 3 message(s) suppressed by --mute
20190903 16:49:56 I [ChangeMe] Peer Connection Initiated with [AF_INET]185.56.89.176:2022
20190903 16:49:57 SENT CONTROL [ChangeMe]: 'PUSH_REQUEST' (status=1)
20190903 16:49:57 PUSH: Received control message: 'PUSH_REPLY redirect-gateway def1 dhcp-option DNS 1.1.1.1 dhcp-option DNS 1.0.0.1 route 10.2.0.1 topology net30 ping 10 ping-restart 120 ifconfig 10.2.0.18 10.2.0.17 peer-id 1 cipher AES-256-GCM'
20190903 16:49:57 OPTIONS IMPORT: timers and/or timeouts modified
20190903 16:49:57 NOTE: --mute triggered...
20190903 16:49:57 6 variation(s) on previous 3 message(s) suppressed by --mute
20190903 16:49:57 Data Channel: using negotiated cipher 'AES-256-GCM'
20190903 16:49:57 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
20190903 16:49:57 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
20190903 16:49:57 I TUN/TAP device tun1 opened
20190903 16:49:57 TUN/TAP TX queue length set to 100
20190903 16:49:57 I /sbin/ifconfig tun1 10.2.0.18 pointopoint 10.2.0.17 mtu 1500
20190903 16:49:57 /sbin/route add -net 185.56.89.176 netmask 255.255.255.255 gw 192.168.1.1
20190903 16:49:57 /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.2.0.17
20190903 16:49:57 /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.2.0.17
20190903 16:49:57 /sbin/route add -net 10.2.0.1 netmask 255.255.255.255 gw 10.2.0.17
20190903 16:49:57 W WARNING: Failed running command (--route-up): could not execute external program
20190903 16:49:57 I Initialization Sequence Completed
20190903 16:50:28 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20190903 16:50:28 D MANAGEMENT: CMD 'state'
20190903 16:50:28 MANAGEMENT: Client disconnected
20190903 16:50:28 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20190903 16:50:28 D MANAGEMENT: CMD 'state'
20190903 16:50:28 MANAGEMENT: Client disconnected
20190903 16:50:28 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20190903 16:50:28 D MANAGEMENT: CMD 'state'
20190903 16:50:28 MANAGEMENT: Client disconnected
20190903 16:50:28 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20190903 16:50:28 D MANAGEMENT: CMD 'status 2'
20190903 16:50:28 MANAGEMENT: Client disconnected
20190903 16:50:28 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20190903 16:50:28 D MANAGEMENT: CMD 'log 500'
20190903 16:50:28 MANAGEMENT: Client disconnected


settings



Monza
DD-WRT User


Joined: 01 Jul 2018
Posts: 94

Posted: Tue Sep 03, 2019 15:24
If you disable the OpenVPN client do you have internet access?

If yes then I would re-enter ALL of your OpenVPN setup, certs and all. Save and Apply Settings again.

I noticed that your setup does not have inputs in Public Client Cert or Private Client Key? May not be required by your vpn service? If so disregard this observation.

If no internet connection with the vpn enabled or disabled try rebooting both the modem and router.

If you have any apps like NoScript in your browser make sure you have your router IP "trusted" in those apps.

All I can think of at the moment. =)
Mojave83
DD-WRT Novice


Joined: 07 Jul 2019
Posts: 3

Posted: Wed Sep 04, 2019 8:40
Monza wrote:
If you disable the OpenVPN client do you have internet access?

If yes then I would re-enter ALL of your OpenVPN setup, certs and all. Save and Apply Settings again.

I noticed that your setup does not have inputs in Public Client Cert or Private Client Key? May not be required by your vpn service? If so disregard this observation.

If no internet connection with the vpn enabled or disabled try rebooting both the modem and router.

If you have any apps like NoScript in your browser make sure you have your router IP "trusted" in those apps.

All I can think of at the moment. =)


Thanks Monza!

Yep without the vpn enabled, internet runs fine.

Will try a reconfig!
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 3972
Location: Netherlands

Posted: Thu Sep 05, 2019 12:05
Enable NAT on the client.

You do have a strange error in your log about not being able to execute route up.

That is seen on older k2.6 builds.

Might try latest build

_________________
Routers: Netgear R7800, Netgear R6400v1, Netgear R6400v2, Linksys EA6900 (XvortexCFE), Linksys E2000 (converted WRT320N), WRT54GS v1.
Install guide Linksys EA6900: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=291230
OpenVPN Policy Based Routing guide: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=321686
Install guide R6400v2: http://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
OpenVPN Server Setup: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318795
Install guide R7800: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
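
Added example (not part of the thread and not DD-WRT code): a small Python triage of the client log from the first post, showing why egc's reply points at NAT and the route-up failure, and surfacing the secret-handling warnings in the same log. The function names are illustrative; the sample lines are copied from that log with timestamps trimmed and the PUSH_REPLY abridged.

```python
import re

# Lines copied (PUSH_REPLY abridged, timestamps trimmed) from the client log in the first post.
SAMPLE_LOG = """\
W WARNING: Using --management on a TCP port WITHOUT passwords is STRONGLY discouraged and considered insecure
W WARNING: file '/tmp/openvpncl/ta.key' is group or others accessible
W WARNING: file '/tmp/openvpncl/credentials' is group or others accessible
PUSH: Received control message: 'PUSH_REPLY redirect-gateway def1 dhcp-option DNS 1.1.1.1 route 10.2.0.1 ifconfig 10.2.0.18 10.2.0.17'
I TUN/TAP device tun1 opened
/sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.2.0.17
/sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.2.0.17
W WARNING: Failed running command (--route-up): could not execute external program
I Initialization Sequence Completed
""".splitlines()

def triage(lines):
    """Collect the facts in an OpenVPN client log that bear on 'connected, no traffic'."""
    r = {"tun": None, "redirect_gateway": False, "half_routes": set(),
         "route_up_failed": False, "exposed_files": [], "mgmt_no_password": False}
    for line in lines:
        if "PUSH_REPLY" in line and "redirect-gateway" in line:
            r["redirect_gateway"] = True
        elif m := re.search(r"TUN/TAP device (\S+) opened", line):
            r["tun"] = m.group(1)
        elif m := re.search(r"route add -net (\S+) netmask 128\.0\.0\.0 gw", line):
            r["half_routes"].add(m.group(1))  # the two /1 routes installed by def1
        elif "Failed running command (--route-up)" in line:
            r["route_up_failed"] = True
        elif m := re.search(r"file '([^']+)' is group or others accessible", line):
            r["exposed_files"].append(m.group(1))
        elif "--management" in line and "WITHOUT passwords" in line:
            r["mgmt_no_password"] = True
    return r

def findings(r):
    """Short findings: routing first, then secret-handling hygiene."""
    out = []
    if r["redirect_gateway"] and r["half_routes"] == {"0.0.0.0", "128.0.0.0"}:
        out.append(f"default route now points into {r['tun']}: forwarded LAN "
                   f"traffic needs source NAT on {r['tun']}")
    if r["route_up_failed"]:
        out.append("route-up hook did not run: whatever it sets up is missing")
    out += [f"readable by group/others: {p}" for p in r["exposed_files"]]
    if r["mgmt_no_password"]:
        out.append("management interface has no password")
    return out

if __name__ == "__main__":
    print("\n".join(findings(triage(SAMPLE_LOG))))
```

On the router itself, the matching check is whether a MASQUERADE rule for tun1 exists in the nat table's POSTROUTING chain.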