Getting OpenVPN, Tunnelblick, OpenVPN for Android to Work

mache
DD-WRT User


Joined: 11 Apr 2010
Posts: 319
Location: San Francisco Bay Area

PostPosted: Mon Oct 15, 2018 0:35    Post subject: Getting OpenVPN, Tunnelblick, OpenVPN for Android to Work
I have a Netgear R7000 router running DD-WRT v3.0-r36527 std 08/09/18 and want to connect remotely to its OpenVPN server from my MacBook Pro running Tunnelblick. I want the remote MacBook Pro to be a first-class citizen on the DD-WRT local LAN and be able to make full use of its DNS to resolve public and private domain names when accessing LAN servers and printers. I have not been having good luck so far and to date am only able to access local LAN IPv4 addresses, like the router web configuration page, once the VPN tunnel is established. I cannot resolve any public or private (LAN) domains nor access any public website. I have been talking to the Tunnelblick forum and they have not been able to help. Perhaps someone here can help. Details and logs are listed below.

Thanks for any help.

============================

The local LAN on my Netgear R7000 DD-WRT router is 192.168.133.0, 255.255.255.0. The DNS is at 192.168.133.1. The OpenVPN server on DD-WRT is configured as: Start Type: WAN Up, Config: Server, Server Mode: Router (Tun), Network: 10.0.2.0, Netmask 255.255.255.0, Port 80, Tunnel Protocol: UDP, Encryption Cipher: AES-256 CBC, Hash Algorithm: SHA256, Advanced Options: Disabled. I have in place a Public Server Cert, CA Cert, Private Server Key, DH PEM, and a TLS Auth Key.

Additional Config:

Code:
proto udp
dev tun0
push "redirect-gateway def1"
push "route 192.168.133.0 255.255.255.0"
push "dhcp-option DNS 10.0.2.1"
keepalive 10 120
daemon
verb 5

Firewall:

Code:
# --dport only works together with a protocol match (-p tcp / -p udp)
iptables -I INPUT -i `get_wanface` -p tcp --dport 22 -j ACCEPT
# OUTPUT rules match the outgoing interface (-o), not an incoming one (-i)
iptables -I OUTPUT -o `get_wanface` -p udp --dport 53 -j ACCEPT
iptables -I FORWARD --source 192.168.133.1/24 -j ACCEPT
iptables -I INPUT -p udp --dport 80 -j ACCEPT
iptables -I INPUT -i tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o tun0 -j ACCEPT
iptables -I FORWARD 1 --source 10.0.2.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.0.2.0/24 -j MASQUERADE
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT

The client is a MacBook Pro running macOS 10.13.6 and Tunnelblick 3.7.8beta01 (build 5160), with "Set DNS/WINS" set to "Set Nameserver" and OpenVPN version 2.4.6 - OpenSSL v1.0.2p. Its config file is:

Code:
client
auth RSA-SHA256
auth-nocache

# Use the same setting as you are using on
# the server.
dev tun0

# Are we connecting to a TCP or
# UDP server?  Use the same setting as
# on the server.
proto udp

# The hostname/IP and port of the server.
remote XX.YY.XX 80

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server.  Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Try to preserve some state across restarts.
persist-key
persist-tun

# SSL/TLS parms.
ca ca.crt
cert bucky.crt
key bucky.key
tls-auth ta.key 1

# Verify server certificate by checking
# that the certificate has the nsCertType
# field set to "server".  This is an
# important precaution to protect against
# a potential attack discussed here:
#  http://openvpn.net/howto.html#mitm
# ns-cert-type server
remote-cert-tls server

# Enable compression on the VPN link.
# comp-lzo
compress lzo

# Allow me to change my IP address
# and/or port number (if I get a new
# local IP address at Starbucks).
float

Before I start Tunnelblick I connect to the Wi-Fi hotspot of my Verizon Wireless smartphone as the remote network. Here is the network information from the MacBook Pro:

Code:
Wi-Fi:

  Type:   AirPort
  Hardware:   AirPort
  BSD Device Name:   en0
  IPv4 Addresses:   192.168.43.117
  IPv4:
  AdditionalRoutes:
  DestinationAddress:   192.168.43.117
  SubnetMask:   255.255.255.255
  DestinationAddress:   169.254.0.0
  SubnetMask:   255.255.0.0
  Addresses:   192.168.43.117
  ARPResolvedHardwareAddress:   40:4e:36:1e:cf:7b
  ARPResolvedIPAddress:   192.168.43.143
  Configuration Method:   DHCP
  ConfirmedInterfaceName:   en0
  Interface Name:   en0
  Network Signature:   IPv4.Router=192.168.43.143;IPv4.RouterHardwareAddress=40:4e:36:1e:cf:7b
  Router:   192.168.43.143
  Subnet Masks:   255.255.255.0
  IPv6:
  Addresses:   2600:1010:b016:c49b:893:44a:dfe:9691, 2600:1010:b016:c49b:dc59:d7ba:59e9:1e43
  Configuration Method:   Automatic
  ConfirmedInterfaceName:   en0
  Interface Name:   en0
  Network Signature:   IPv6.Prefix=2600:1010:b016:c49b::/64;IPv6.RouterHardwareAddress=40:4e:36:1e:cf:7b
  Prefix Length:   64, 64
  Router:   fe80::424e:36ff:fe1e:cf7b
  DNS:
  Server Addresses:   192.168.43.143, 2600:1010:b016:c49b::64
  DHCP Server Responses:
  Domain Name Servers:   192.168.43.143
  Lease Duration (seconds):   0
  DHCP Message Type:   0x05
  Routers:   192.168.43.143
  Server Identifier:   192.168.43.143
  Subnet Mask:   255.255.255.0
  Ethernet:
  MAC Address:   8c:85:90:b4:3a:23
  Media Options:   
  Media Subtype:   Auto Select
  Proxies:
  Exceptions List:   *.local, 169.254/16
  FTP Passive Mode:   Yes
  Service Order:   1

Code:
$ scutil --dns
DNS configuration

resolver #1
  nameserver[0] : 2600:1010:b016:c49b::64
  nameserver[1] : 192.168.43.143
  if_index : 8 (en0)
  flags    : Request A records, Request AAAA records
  reach    : 0x00020002 (Reachable,Directly Reachable Address)

resolver #2
  domain   : local
  options  : mdns
  timeout  : 5
  flags    : Request A records, Request AAAA records
  reach    : 0x00000000 (Not Reachable)
  order    : 300000

resolver #3
  domain   : 254.169.in-addr.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records, Request AAAA records
  reach    : 0x00000000 (Not Reachable)
  order    : 300200

resolver #4
  domain   : 8.e.f.ip6.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records, Request AAAA records
  reach    : 0x00000000 (Not Reachable)
  order    : 300400

resolver #5
  domain   : 9.e.f.ip6.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records, Request AAAA records
  reach    : 0x00000000 (Not Reachable)
  order    : 300600

resolver #6
  domain   : a.e.f.ip6.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records, Request AAAA records
  reach    : 0x00000000 (Not Reachable)
  order    : 300800

resolver #7
  domain   : b.e.f.ip6.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records, Request AAAA records
  reach    : 0x00000000 (Not Reachable)
  order    : 301000

DNS configuration (for scoped queries)

resolver #1
  nameserver[0] : 2600:1010:b016:c49b::64
  nameserver[1] : 192.168.43.143
  if_index : 8 (en0)
  flags    : Scoped, Request A records, Request AAAA records
  reach    : 0x00020002 (Reachable,Directly Reachable Address)

When I run Tunnelblick and set up the OpenVPN tunnel, here is the network information from the MacBook Pro:

Code:
Wi-Fi:

Type:   AirPort
  Hardware:   AirPort
  BSD Device Name:   en0
  IPv4 Addresses:   192.168.43.117
  IPv4:
  AdditionalRoutes:
  DestinationAddress:   192.168.43.117
  SubnetMask:   255.255.255.255
  DestinationAddress:   169.254.0.0
  SubnetMask:   255.255.0.0
  Addresses:   192.168.43.117
  ARPResolvedHardwareAddress:   40:4e:36:1e:cf:7b
  ARPResolvedIPAddress:   192.168.43.143
  Configuration Method:   DHCP
  ConfirmedInterfaceName:   en0
  Interface Name:   en0
  Network Signature:   IPv4.Router=192.168.43.143;IPv4.RouterHardwareAddress=40:4e:36:1e:cf:7b
  Router:   192.168.43.143
  Subnet Masks:   255.255.255.0
  IPv6:
  Addresses:   2600:1010:b016:c49b:893:44a:dfe:9691, 2600:1010:b016:c49b:dc59:d7ba:59e9:1e43
  Configuration Method:   Automatic
  ConfirmedInterfaceName:   en0
  Interface Name:   en0
  Network Signature:   IPv6.Prefix=2600:1010:b016:c49b::/64;IPv6.RouterHardwareAddress=40:4e:36:1e:cf:7b
  Prefix Length:   64, 64
  Router:   fe80::424e:36ff:fe1e:cf7b
  DNS:
  Domain Name:   openvpn
  Search Domains:   openvpn
  Server Addresses:   10.0.2.1
  DHCP Server Responses:
  Domain Name Servers:   192.168.43.143
  Lease Duration (seconds):   0
  DHCP Message Type:   0x05
  Routers:   192.168.43.143
  Server Identifier:   192.168.43.143
  Subnet Mask:   255.255.255.0
  Ethernet:
  MAC Address:   8c:85:90:b4:3a:23
  Media Options:   
  Media Subtype:   Auto Select
  Proxies:
  Exceptions List:   *.local, 169.254/16
  FTP Passive Mode:   Yes
  Service Order:   1

Code:
$ scutil --dns
DNS configuration

resolver #1
  search domain[0] : openvpn
  nameserver[0] : 10.0.2.1
  flags    : Request A records, Request AAAA records
  reach    : 0x00000002 (Reachable)

resolver #2
  domain   : local
  options  : mdns
  timeout  : 5
  flags    : Request A records, Request AAAA records
  reach    : 0x00000000 (Not Reachable)
  order    : 300000

resolver #3
  domain   : 254.169.in-addr.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records, Request AAAA records
  reach    : 0x00000000 (Not Reachable)
  order    : 300200

resolver #4
  domain   : 8.e.f.ip6.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records, Request AAAA records
  reach    : 0x00000000 (Not Reachable)
  order    : 300400

resolver #5
  domain   : 9.e.f.ip6.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records, Request AAAA records
  reach    : 0x00000000 (Not Reachable)
  order    : 300600

resolver #6
  domain   : a.e.f.ip6.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records, Request AAAA records
  reach    : 0x00000000 (Not Reachable)
  order    : 300800

resolver #7
  domain   : b.e.f.ip6.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records, Request AAAA records
  reach    : 0x00000000 (Not Reachable)
  order    : 301000

DNS configuration (for scoped queries)

resolver #1
  search domain[0] : openvpn
  nameserver[0] : 10.0.2.1
  if_index : 8 (en0)
  flags    : Scoped, Request A records, Request AAAA records
  reach    : 0x00000002 (Reachable)

It's interesting that before the OpenVPN tunnel is established, the IPv4 address assigned to the MacBook Pro is 192.168.43.117 and the DNS is 192.168.43.143. After the OpenVPN tunnel is established, the IPv4 address of the Mac is unchanged and the DNS is 10.0.2.1. Neither the Mac nor the DNS is re-assigned to the 192.168.133.x LAN.

Here is the Tunnelblick log of the session.

Code:
*Tunnelblick: OS X 10.13.6; Tunnelblick 3.7.8beta01 (build 5160); prior version 3.7.7beta04 (build 5120); Admin user
git commit fc572c89d58d4ad4b515f37a14639c03b609bd35


Configuration Home

"Sanitized" condensed configuration file for /Users/xyz/Library/Application Support/Tunnelblick/Configurations/Home.tblk:

client
auth RSA-SHA256
auth-nocache
dev tun0
proto udp
remote XX.YY.ZZ 80
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert bucky.crt
key bucky.key
tls-auth ta.key 1
remote-cert-tls server
compress lzo
float


================================================================================

Non-Apple kexts that are loaded:

Index Refs Address            Size       Wired      Name (Version) UUID <Linked Against>
  156    3 0xffffff7f85cd6000 0x64000    0x64000    org.virtualbox.kext.VBoxDrv (5.2.18) 4B812769-A078-3E16-B9D1-DCAB645482E4 <7 5 4 3 1>
  162    0 0xffffff7f85d3a000 0x8000     0x8000     org.virtualbox.kext.VBoxUSB (5.2.18) 38AC00F1-4F4C-3101-B8E0-4F07161A728E <161 156 50 7 5 4 3 1>
  163    0 0xffffff7f85d42000 0x5000     0x5000     org.virtualbox.kext.VBoxNetFlt (5.2.18) 80DA38DE-39E0-3DE7-A207-73D55CF17079 <156 7 5 4 3 1>
  164    0 0xffffff7f85d47000 0x6000     0x6000     org.virtualbox.kext.VBoxNetAdp (5.2.18) CC938DAD-56D8-3616-B7B0-709D040CE41B <156 5 4 1>

================================================================================

Files in Home.tblk:
      Contents/Resources/ta.key
      Contents/Resources/buc….key
      Contents/Resources/ca.crt
      Contents/Resources/config.ovpn
      Contents/Resources/buc….crt

================================================================================

Configuration preferences:

autoConnect = 0
-onSystemStart = 0
useDNS = 1
-routeAllTrafficThroughVpn = 0
-runMtuTest = 0
-useRouteUpInsteadOfUp = 1
-openvpnVersion = 2.4.6-openssl-1.0.2p
-notOKToCheckThatIPAddressDidNotChangeAfterConnection = 1
-keepConnected = 1
-doNotDisableIpv6onTun = 1
-loggingLevel = 3
-allowChangesToManuallySetNetworkSettings = 1
-lastConnectionSucceeded = 1
-prependDomainNameToSearchDomains = 1

================================================================================

Wildcard preferences:

-notOKToCheckThatIPAddressDidNotChangeAfterConnection = 0

================================================================================

Program preferences:

launchAtNextLogin = 1
tunnelblickVersionHistory = (
    "3.7.8beta01 (build 5160)",
    "3.7.7beta04 (build 5120)",
    "3.7.7beta01 (build 5070)",
    "3.7.6beta04 (build 5050)",
    "3.7.6beta03 (build 5031)",
    "3.7.5a (build 5011)"
)
lastLaunchTime = 561232189.812816
showConnectedDurations = 1
lastLanguageAtLaunchWasRTL = 0
connectionWindowDisplayCriteria = showWhenConnecting
maxLogDisplaySize = 102400
lastConnectedDisplayName = Home
keyboardShortcutIndex = 1
updateCheckAutomatically = 1
updateCheckBetas = 1
NSWindow Frame SettingsSheetWindow = 228 0 829 524 0 0 1280 777
NSWindow Frame ConnectingWindow = 445 442 389 187 0 0 1280 777
NSWindow Frame SUUpdateAlert = 330 288 620 392 0 0 1280 777
NSWindow Frame ListingWindow = 374 138 500 422 0 0 1280 777
detailsWindowFrameVersion = 5160
detailsWindowFrame = {{360, 211}, {920, 468}}
detailsWindowLeftFrame = {{0, 0}, {165, 350}}
detailsWindowViewIndex = 0
detailsWindowConfigurationsTabIdentifier = settings
leftNavSelectedDisplayName = Home
AdvancedWindowTabIdentifier = connectingAndDisconnecting
haveDealtWithOldTunTapPreferences = 1
haveDealtWithOldLoginItem = 1
haveDealtWithAfterDisconnect = 1
SUEnableAutomaticChecks = 1
SUScheduledCheckInterval = 86400
SULastCheckTime = 2018-10-14 17:49:50 +0000
SUHasLaunchedBefore = 1
WebKitDefaultFontSize = 16
WebKitStandardFont = Times

================================================================================

Tunnelblick Log:

2018-10-14 17:12:42 *Tunnelblick: openvpnstart starting OpenVPN
*Tunnelblick: OS X 10.13.6; Tunnelblick 3.7.8beta01 (build 5160); prior version 3.7.7beta04 (build 5120)
2018-10-14 17:12:42 *Tunnelblick: Attempting connection with Home using shadow copy; Set nameserver = 769; monitoring connection
2018-10-14 17:12:42 *Tunnelblick: openvpnstart start Home.tblk 62782 769 0 1 0 115120 -ptADGNWradsgnw 2.4.6-openssl-1.0.2p
2018-10-14 17:12:43 *Tunnelblick: openvpnstart log:
     OpenVPN started successfully. Command used to start OpenVPN (one argument per displayed line):
     
          /Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.4.6-openssl-1.0.2p/openvpn
          --daemon
          --log
          /Library/Application Support/Tunnelblick/Logs/-SUsers-Sxyz-SLibrary-SApplication Support-STunnelblick-SConfigurations-SHome.tblk-SContents-SResources-Sconfig.ovpn.769_0_1_0_115120.62782.openvpn.log
          --cd
          /Library/Application Support/Tunnelblick/Users/xyz/Home.tblk/Contents/Resources
          --setenv
          IV_GUI_VER
          "net.tunnelblick.tunnelblick 5160 3.7.8beta01 (build 5160)"
          --verb
          3
          --config
          /Library/Application Support/Tunnelblick/Users/xyz/Home.tblk/Contents/Resources/config.ovpn
          --verb
          3
          --cd
          /Library/Application Support/Tunnelblick/Users/xyz/Home.tblk/Contents/Resources
          --management
          127.0.0.1
          62782
          /Library/Application Support/Tunnelblick/fappejolpgdhnojhdblhfggbkjfjedkjlcphkfkb.mip
          --management-query-passwords
          --management-hold
          --script-security
          2
          --route-up
          /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -d -f -m -o -p -w -ptADGNWradsgnw
          --down
          /Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -d -f -m -o -p -w -ptADGNWradsgnw

2018-10-14 17:12:42 OpenVPN 2.4.6 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] built on Sep 29 2018
2018-10-14 17:12:42 library versions: OpenSSL 1.0.2p  14 Aug 2018, LZO 2.10
2018-10-14 17:12:42 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:62782
2018-10-14 17:12:42 Need hold release from management interface, waiting...
2018-10-14 17:12:43 *Tunnelblick: Established communication with OpenVPN
2018-10-14 17:12:43 >INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info
2018-10-14 17:12:43 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:62782
2018-10-14 17:12:43 MANAGEMENT: CMD 'pid'
2018-10-14 17:12:43 MANAGEMENT: CMD 'auth-retry interact'
2018-10-14 17:12:43 MANAGEMENT: CMD 'state on'
2018-10-14 17:12:43 MANAGEMENT: CMD 'state'
2018-10-14 17:12:43 MANAGEMENT: CMD 'bytecount 1'
2018-10-14 17:12:43 MANAGEMENT: CMD 'hold release'
2018-10-14 17:12:43 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2018-10-14 17:12:43 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
2018-10-14 17:12:43 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
2018-10-14 17:12:43 MANAGEMENT: >STATE:1539562363,RESOLVE,,,,,,
2018-10-14 17:12:43 TCP/UDP: Preserving recently used remote address: [AF_INET]69.181.41.219:80
2018-10-14 17:12:43 Socket Buffers: R=[196724->196724] S=[9216->9216]
2018-10-14 17:12:43 UDP link local: (not bound)
2018-10-14 17:12:43 UDP link remote: [AF_INET]69.181.41.219:80
2018-10-14 17:12:43 MANAGEMENT: >STATE:1539562363,WAIT,,,,,,
2018-10-14 17:12:43 MANAGEMENT: >STATE:1539562363,AUTH,,,,,,
2018-10-14 17:12:43 TLS: Initial packet from [AF_INET]69.181.41.219:80, sid=1fa47464 45a394ee
2018-10-14 17:12:44 VERIFY OK: depth=1, CN=DD-WRT CA
2018-10-14 17:12:44 VERIFY KU OK
2018-10-14 17:12:44 Validating certificate extended key usage
2018-10-14 17:12:44 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2018-10-14 17:12:44 VERIFY EKU OK
2018-10-14 17:12:44 VERIFY OK: depth=0, CN=server
2018-10-14 17:12:44 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1554', remote='link-mtu 1570'
2018-10-14 17:12:44 WARNING: 'cipher' is used inconsistently, local='cipher BF-CBC', remote='cipher AES-256-CBC'
2018-10-14 17:12:44 WARNING: 'keysize' is used inconsistently, local='keysize 128', remote='keysize 256'
2018-10-14 17:12:44 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
2018-10-14 17:12:44 [server] Peer Connection Initiated with [AF_INET]69.181.41.219:80
2018-10-14 17:12:45 MANAGEMENT: >STATE:1539562365,GET_CONFIG,,,,,,
2018-10-14 17:12:45 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
2018-10-14 17:12:45 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,redirect-gateway def1,route 192.168.133.0 255.255.255.0,dhcp-option DNS 10.0.2.1,route-gateway 10.0.2.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.0.2.2 255.255.255.0,peer-id 1,cipher AES-256-GCM'
2018-10-14 17:12:45 OPTIONS IMPORT: timers and/or timeouts modified
2018-10-14 17:12:45 OPTIONS IMPORT: --ifconfig/up options modified
2018-10-14 17:12:45 OPTIONS IMPORT: route options modified
2018-10-14 17:12:45 OPTIONS IMPORT: route-related options modified
2018-10-14 17:12:45 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2018-10-14 17:12:45 OPTIONS IMPORT: peer-id set
2018-10-14 17:12:45 OPTIONS IMPORT: adjusting link_mtu to 1625
2018-10-14 17:12:45 OPTIONS IMPORT: data channel crypto options modified
2018-10-14 17:12:45 Data Channel: using negotiated cipher 'AES-256-GCM'
2018-10-14 17:12:45 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2018-10-14 17:12:45 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2018-10-14 17:12:45 Opening utun (connect(AF_SYS_CONTROL)): Resource busy (errno=16)
2018-10-14 17:12:45 Opened utun device utun1
2018-10-14 17:12:45 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
2018-10-14 17:12:45 MANAGEMENT: >STATE:1539562365,ASSIGN_IP,,10.0.2.2,,,,
2018-10-14 17:12:45 /sbin/ifconfig utun1 delete
                                        ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address
2018-10-14 17:12:45 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
2018-10-14 17:12:45 /sbin/ifconfig utun1 10.0.2.2 10.0.2.2 netmask 255.255.255.0 mtu 1500 up
2018-10-14 17:12:45 /sbin/route add -net 10.0.2.0 10.0.2.2 255.255.255.0
                                        add net 10.0.2.0: gateway 10.0.2.2
2018-10-14 17:12:45 /sbin/route add -net 69.181.41.219 192.168.43.143 255.255.255.255
                                        add net 69.181.41.219: gateway 192.168.43.143
2018-10-14 17:12:45 /sbin/route add -net 0.0.0.0 10.0.2.1 128.0.0.0
                                        add net 0.0.0.0: gateway 10.0.2.1
2018-10-14 17:12:45 /sbin/route add -net 128.0.0.0 10.0.2.1 128.0.0.0
                                        add net 128.0.0.0: gateway 10.0.2.1
2018-10-14 17:12:45 MANAGEMENT: >STATE:1539562365,ADD_ROUTES,,,,,,
2018-10-14 17:12:45 /sbin/route add -net 192.168.133.0 10.0.2.1 255.255.255.0
                                        add net 192.168.133.0: gateway 10.0.2.1
                                        **********************************************
                                        Start of output from client.up.tunnelblick.sh
                                        Retrieved from OpenVPN: name server(s) [ 10.0.2.1 ], search domain(s) [  ] and SMB server(s) [  ] and using default domain name [ openvpn ]
                                        Not aggregating ServerAddresses because running on OS X 10.6 or higher
                                        Prepending 'openvpn' to search domains '' because the search domains were not set manually (or are allowed to be changed) and 'Prepend domain name to search domains' was selected
                                        Saved the DNS and SMB configurations so they can be restored
                                        Changed DNS ServerAddresses setting from '2600:1010:b016:c49b::64 192.168.43.143' to '10.0.2.1'
                                        Changed DNS SearchDomains setting from '' to 'openvpn'
                                        Changed DNS DomainName setting from '' to 'openvpn'
                                        Did not change SMB NetBIOSName setting of ''
                                        Did not change SMB Workgroup setting of ''
                                        Did not change SMB WINSAddresses setting of ''
                                        DNS servers '10.0.2.1' will be used for DNS queries when the VPN is active
                                        NOTE: The DNS servers do not include any free public DNS servers known to Tunnelblick. This may cause DNS queries to fail or be intercepted or falsified even if they are directed through the VPN. Specify only known public DNS servers or DNS servers located on the VPN network to avoid such problems.
                                        Flushed the DNS cache via dscacheutil
                                        /usr/sbin/discoveryutil not present. Not flushing the DNS cache via discoveryutil
                                        Notified mDNSResponder that the DNS cache was flushed
                                        Setting up to monitor system configuration with process-network-changes
                                        End of output from client.up.tunnelblick.sh
                                        **********************************************
2018-10-14 17:12:49 *Tunnelblick: No 'connected.sh' script to execute
2018-10-14 17:12:49 Initialization Sequence Completed
2018-10-14 17:12:49 MANAGEMENT: >STATE:1539562369,CONNECTED,SUCCESS,10.0.2.2,69.181.41.219,80,,

================================================================================

"Sanitized" full configuration file

client
auth RSA-SHA256
auth-nocache

# Use the same setting as you are using on
# the server.
dev tun0

# Are we connecting to a TCP or
# UDP server?  Use the same setting as
# on the server.
proto udp

# The hostname/IP and port of the server.
remote XX.YY.ZZ 80

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server.  Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Try to preserve some state across restarts.
persist-key
persist-tun

# SSL/TLS parms.
ca ca.crt
cert bucky.crt
key bucky.key
tls-auth ta.key 1

# Verify server certificate by checking
# that the certicate has the nsCertType
# field set to "server".  This is an
# important precaution to protect against
# a potential attack discussed here:
#  http://openvpn.net/howto.html#mitm
# ns-cert-type server
remote-cert-tls server

# Enable compression on the VPN link.
# comp-lzo
compress lzo

# Allow me to change my IP address
# and/or port number (if I get a new
# local IP address at Starbucks).
float



================================================================================

ifconfig output:

lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
   options=1203<RXCSUM,TXCSUM,TXSTATUS,SW_TIMESTAMP>
   inet 127.0.0.1 netmask 0xff000000
   inet6 ::1 prefixlen 128
   inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
   nd6 options=201<PERFORMNUD,DAD>
gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
stf0: flags=0<> mtu 1280
XHC1: flags=0<> mtu 0
XHC20: flags=0<> mtu 0
XHC0: flags=0<> mtu 0
en5: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
   ether ac:de:48:00:11:22
   inet6 fe80::aede:48ff:fe00:1122%en5 prefixlen 64 scopeid 0x7
   nd6 options=201<PERFORMNUD,DAD>
   media: autoselect
   status: active
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
   ether 8c:85:90:b4:3a:23
   inet6 fe80::86e:782f:2796:ebb2%en0 prefixlen 64 secured scopeid 0x8
   inet6 2600:1010:b016:c49b:893:44a:dfe:9691 prefixlen 64 autoconf secured
   inet6 2600:1010:b016:c49b:dc59:d7ba:59e9:1e43 prefixlen 64 autoconf temporary
   inet 192.168.43.117 netmask 0xffffff00 broadcast 192.168.43.255
   nd6 options=201<PERFORMNUD,DAD>
   media: autoselect
   status: active
p2p0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 2304
   ether 0e:85:90:b4:3a:23
   media: autoselect
   status: inactive
awdl0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1484
   ether 52:95:b2:08:78:91
   inet6 fe80::5095:b2ff:fe08:7891%awdl0 prefixlen 64 scopeid 0xa
   nd6 options=201<PERFORMNUD,DAD>
   media: autoselect
   status: active
en3: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
   options=60<TSO4,TSO6>
   ether 76:00:54:d8:ae:05
   media: autoselect <full-duplex>
   status: inactive
en4: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
   options=60<TSO4,TSO6>
   ether 76:00:54:d8:ae:04
   media: autoselect <full-duplex>
   status: inactive
en1: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
   options=60<TSO4,TSO6>
   ether 76:00:54:d8:ae:01
   media: autoselect <full-duplex>
   status: inactive
en2: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
   options=60<TSO4,TSO6>
   ether 76:00:54:d8:ae:00
   media: autoselect <full-duplex>
   status: inactive
bridge0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
   options=63<RXCSUM,TXCSUM,TSO4,TSO6>
   ether 76:00:54:d8:ae:01
   Configuration:
      id 0:0:0:0:0:0 priority 0 hellotime 0 fwddelay 0
      maxage 0 holdcnt 0 proto stp maxaddr 100 timeout 1200
      root id 0:0:0:0:0:0 priority 0 ifcost 0 port 0
      ipfilter disabled flags 0x2
   member: en1 flags=3<LEARNING,DISCOVER>
           ifmaxaddr 0 port 13 priority 0 path cost 0
   member: en2 flags=3<LEARNING,DISCOVER>
           ifmaxaddr 0 port 14 priority 0 path cost 0
   member: en3 flags=3<LEARNING,DISCOVER>
           ifmaxaddr 0 port 11 priority 0 path cost 0
   member: en4 flags=3<LEARNING,DISCOVER>
           ifmaxaddr 0 port 12 priority 0 path cost 0
   nd6 options=201<PERFORMNUD,DAD>
   media: <unknown type>
   status: inactive
vboxnet0: flags=8842<BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
   ether 0a:00:27:00:00:00
utun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 2000
   inet6 fe80::3111:cf48:55b7:d286%utun0 prefixlen 64 scopeid 0x10
   nd6 options=201<PERFORMNUD,DAD>
utun1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
   inet 10.0.2.2 --> 10.0.2.2 netmask 0xffffff00

================================================================================

Console Log:

2018-10-14 11:27:50 Tunnelblick[75493] Set 'expect disconnect' flag
2018-10-14 11:34:37 Tunnelblick[75493] Set 'expect disconnect' flag
2018-10-14 11:37:57 Tunnelblick[75493] Set 'expect disconnect' flag
2018-10-14 11:39:03 Tunnelblick[75493] Cleared 'expect disconnect' flag
2018-10-14 11:39:53 Tunnelblick[75493] Set 'expect disconnect' flag
2018-10-14 11:46:11 Tunnelblick[75493] Set 'expect disconnect' flag
2018-10-14 11:46:39 Tunnelblick[75493] Set 'expect disconnect' flag
2018-10-14 11:48:55 Tunnelblick[75493] Set 'expect disconnect' flag
2018-10-14 13:26:01 Tunnelblick[75493] Set 'expect disconnect' flag
2018-10-14 13:28:06 Tunnelblick[75493] Set 'expect disconnect' flag
2018-10-14 13:35:58 Tunnelblick[75493] Set 'expect disconnect' flag
2018-10-14 16:19:49 ksinstall[79784] 2018-10-14 16:19:49.556 ksinstall[79784/0x7fffac2a1380] [lvl=2] -[KeystoneInstallTool main] Google Software Update installer started.
2018-10-14 16:19:49 ksinstall[79784] 2018-10-14 16:19:49.566 ksinstall[79784/0x7fffac2a1380] [lvl=2] -[KeystoneInstallTool main] Google Software Update installer starting Installation.
2018-10-14 16:19:49 ksinstall[79784] 2018-10-14 16:19:49.980 ksinstall[79784/0x7fffac2a1380] [lvl=2] -[KeystoneInstallTool main] Google Software Update installer ran successfully.
2018-10-14 16:54:46 Tunnelblick[75493] Set 'expect disconnect' flag
2018-10-14 17:10:00 Tunnelblick[75493] Set 'expect disconnect' flag


Last edited by mache on Wed Oct 24, 2018 14:11; edited 1 time in total
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12915
Location: Netherlands

PostPosted: Mon Oct 15, 2018 10:05    Post subject:
I agree with @jxm (he knows his stuff :) )

Some small additions:
The push route of:
Code:
 push "route 10.0.2.0 255.255.255.0"
is redundant in most cases as modern DDWRT/OpenVPN server setups do that for you.

The push route of:
Code:
push "route 192.168.133.0 255.255.255.0"
is not strictly necessary if you enable Redirect Default Gateway, but you could keep it anyway.

Regarding DNS when pushing your own router as DNS server then additional steps are necessary:

If you want to use your own router/OpenVPN server as DNS (my LAN domain is named "home"):
Code:
push "dhcp-option DNS 192.168.133.1"
push "dhcp-option DOMAIN HOME"

Here’s a breakdown of what’s going on:
The local DNS server at 192.168.1.1 is pushed to clients so they can make queries on the server’s network.
The domain is specified so hostnames will resolve without specification.

If you are using DD-WRT as a DNS server you'll need to tell DNSMasq to listen for requests on the interface your VPN clients will query on. To do this you'll need to figure out what interface that is.
To see the interface your VPN clients will query on, in the GUI click "Setup" > "Advanced Routing" > "Routing Table." In there you'll see a route that specifies the tun adapter you are using and the IP net (see below). For me it is tun2.

Take that piece of information and navigate to “Services” > “Services.” Scroll down to “Additional DNSMasq Options” and enter
Code:
interface=tun#

where # is the number you pulled from the routing table, in this case tun2.

Post your Status/OpenVPN tab in case of problems.

Remember this is a routed setup, so there is no network discovery; you have to use IP addresses or local DNS.

Good luck

_________________
Routers: Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3, XR300: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read): https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
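The reply above ties three server-side pieces together: what the server pushes to clients, which tun device dnsmasq must listen on, and whether tunnel traffic is NATed out of the WAN when the default gateway is redirected. The script below is an added example written for this thread (it is not code from DD-WRT, OpenVPN or any poster) that checks those three pieces offline from the texts an admin can copy out of the DD-WRT GUI: the OpenVPN "Additional Config", the routing table in `route -n` layout, the "Additional DNSMasq Options" and the firewall script. Assumptions: the router owns the .1 address on both the LAN and the tunnel subnet, and the GUI's "Redirect default Gateway" option is written out as the `push "redirect-gateway def1"` line it produces. The sample inputs at the bottom are constructed after the first post (broken) and the final how-to (fixed).

```python
"""Offline check of the DNS / dnsmasq / NAT plumbing of a DD-WRT OpenVPN server.

Added example for this thread, not code from DD-WRT, OpenVPN or any poster.
Inputs are the texts an admin copies out of the DD-WRT GUI; the samples at the
bottom are constructed after the first and last posts of the thread.
"""
import ipaddress
import shlex


def parse_directives(text):
    """Return (directive, args) pairs. A push line is unpacked so that
    push "dhcp-option DNS 10.0.2.1" -> ("push", ["dhcp-option", "DNS", "10.0.2.1"])."""
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, *args = shlex.split(line)
        if name == "push" and args:
            args = args[0].split()
        out.append((name, args))
    return out


def tun_for_subnet(subnet, route_n_output):
    """Return the tun device whose route covers the VPN subnet, or None.
    Rows: Destination Gateway Genmask Flags Metric Ref Use Iface."""
    want = ipaddress.ip_network(subnet, strict=False)
    for row in route_n_output.splitlines():
        cols = row.split()
        if len(cols) != 8 or not cols[7].startswith("tun"):
            continue
        try:
            if ipaddress.ip_network(f"{cols[0]}/{cols[2]}", strict=False) == want:
                return cols[7]
        except ValueError:  # header row or garbled line
            continue
    return None


def dnsmasq_binds(iface, dnsmasq_options):
    """True if the extra dnsmasq options tell it to listen on iface."""
    return any(l.strip() == f"interface={iface}" for l in dnsmasq_options.splitlines())


def has_wan_masquerade(firewall_script):
    """True if the firewall script adds a MASQUERADE rule in nat/POSTROUTING."""
    return any("-t nat" in l and "POSTROUTING" in l and "MASQUERADE" in l
               for l in firewall_script.splitlines())


def check_server(vpn_subnet, lan_subnet, additional_config, route_n_output,
                 dnsmasq_options, firewall_script):
    """Return a list of problems; empty means the pushed DNS server is reachable
    and, if redirect-gateway is pushed, tunnel traffic can leave via the WAN."""
    vpn = ipaddress.ip_network(vpn_subnet, strict=False)
    lan = ipaddress.ip_network(lan_subnet, strict=False)
    router_addrs = {vpn[1], lan[1]}  # assumption: the router is .1 on both subnets
    pushes = [a for name, a in parse_directives(additional_config) if name == "push" and a]
    redirect = any(a[0] == "redirect-gateway" for a in pushes)
    routed = [ipaddress.ip_network(f"{a[1]}/{a[2]}", strict=False)
              for a in pushes if len(a) == 3 and a[0] == "route"]
    dns = [a[2] for a in pushes
           if len(a) == 3 and a[0] == "dhcp-option" and a[1].upper() == "DNS"]

    problems = []
    tun = tun_for_subnet(vpn_subnet, route_n_output)
    if tun is None:
        problems.append(f"no route to {vpn} via a tun device: the OpenVPN server is not up")
    if not dns:
        problems.append("no dhcp-option DNS pushed: clients cannot resolve LAN names")
    for addr in dns:
        ip = ipaddress.ip_address(addr)
        if ip in router_addrs:
            # dnsmasq only answers on the tunnel if it is told to listen there
            if tun and not dnsmasq_binds(tun, dnsmasq_options):
                problems.append(f"DNS {addr} is the router, but dnsmasq has no 'interface={tun}' line")
        elif ip in lan and not (redirect or lan in routed):
            problems.append(f"DNS {addr} is on the LAN, but clients get no route to {lan}")
    if redirect and not has_wan_masquerade(firewall_script):
        problems.append("redirect-gateway is pushed, but no MASQUERADE rule NATs tunnel traffic out of the WAN")
    return problems


# Constructed samples (not captured output).
ROUTES = """\
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         203.0.113.1     0.0.0.0         UG    0      0        0 vlan2
10.0.2.0        0.0.0.0         255.255.255.0   U     0      0        0 tun2
192.168.133.0   0.0.0.0         255.255.255.0   U     0      0        0 br0
"""
BEFORE_CONFIG = 'push "redirect-gateway def1"\npush "route 192.168.133.0 255.255.255.0"\npush "dhcp-option DNS 10.0.2.1"\n'
BEFORE_FIREWALL = "iptables -I FORWARD --source 192.168.133.1/24 -j ACCEPT\n"
AFTER_CONFIG = BEFORE_CONFIG.replace("10.0.2.1", "192.168.133.1") + 'push "dhcp-option DOMAIN home"\n'
AFTER_DNSMASQ = "interface=tun2\n"
AFTER_FIREWALL = "iptables -t nat -A POSTROUTING -o `get_wanface` -j MASQUERADE\n"

if __name__ == "__main__":
    for label, cfg, dm, fw in (("before", BEFORE_CONFIG, "", BEFORE_FIREWALL),
                               ("after", AFTER_CONFIG, AFTER_DNSMASQ, AFTER_FIREWALL)):
        print(label, check_server("10.0.2.0/24", "192.168.133.0/24", cfg, ROUTES, dm, fw) or "ok")
```

Run against the "before" inputs it reports the two faults the thread ends up fixing (dnsmasq not bound to tun2, no MASQUERADE); against the "after" inputs it reports nothing. The check is deliberately conservative: it only flags a pushed DNS address as unreachable when it is the router's own address, since a separate DNS host on the LAN needs a route rather than a dnsmasq binding.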
mache
DD-WRT User


Joined: 11 Apr 2010
Posts: 319
Location: San Francisco Bay Area

PostPosted: Thu Oct 18, 2018 1:32    Post subject: Reply with quote
With help from egc, jxm and others I have a working configuration.

Here are the instructions:

*** Updated on October 24, 2018 *** - I included instructions for OpenVPN for Android as well.

=============================

Below are the steps I followed to get Tunnelblick 3.7.8beta01 (build 5160) on a MacBook Pro with macOS Mojave, 10.14 and/or OpenVPN for Android on Android 9 connecting to an OpenVPN server running DD-WRT v3.0-r36527 std 8/9/18 firmware on a Netgear R7000 router.

1. Create Certificates and Keys

Create OpenVPN certificates and keys by following the directions here - https://firxworx.com/blog/it-devops/sysadmin/creating-certificates-and-keys-for-openvpn-server-with-easyrsa-on-macos/

I would suggest that one generate 4096-bit keys rather than the default 2048-bit keys. This will require changes to the vars file prior to key generation.

This will generate an ~/EasyRSA-X.Y.Z directory.

2. Create ta.key

SSH or Telnet to the DD-WRT router command line.

Run the following commands

Code:
# openvpn --genkey --secret ta.key

# cat ta.key

Highlight the key contents and copy to TextEdit on the Mac.

Save the TextEdit ta.key file to the ~/EasyRSA-X.Y.Z/pki/private/ directory on the Mac.

Delete the ta.key file on the router's DD-WRT command line:

Code:
# rm ta.key

3. OpenVPN Server

On the Services, VPN area of the router's DD-WRT web configuration page add the following information.

OpenVPN Server/Daemon

OpenVPN: Enable

Start Type: System

Config as: Server

Server mode: Router (TUN)

Network: (local private network that is different from your primary LAN - My primary LAN is 192.168.x.0 and I put in 10.x.y.0)

Netmask: 255.255.255.0

Port: (default is 1194, I put in 80, others like 443)

Tunnel Protocol: UDP

Encryption Cipher: AES-256 CBC

Hash Algorithm: SHA256

Advanced Options: Enable

TLS Cipher: None

LZO Compression: Yes

Redirect default Gateway: Enable

Allow Client to Client: Enable

Allow duplicate cn: Disable

Tunnel MTU setting: 1500

Tunnel UDP Fragment: Leave blank

Tunnel UDP MSS-Fix: Disable

CCD-Dir DEFAULT file: Leave empty

Client connect script: Leave empty

Static Key: Leave empty

PKCS12 Key: Leave empty

Public Server Cert: Paste the contents of the ~/EasyRSA-X.Y.Z/pki/issued/server.crt file on the Mac. Make sure it only includes lines between and including -----BEGIN CERTIFICATE-----, -----END CERTIFICATE-----

CA cert: Paste the contents of ~/EasyRSA-X.Y.Z/pki/ca.crt file on the Mac. Make sure it only includes lines between and including -----BEGIN CERTIFICATE-----, -----END CERTIFICATE-----

Private Server Key: Paste the contents of the ~/EasyRSA-X.Y.Z/pki/private/server.key file found on the Mac. Make sure it only includes lines between and including -----BEGIN PRIVATE KEY-----, -----END PRIVATE KEY-----

DH PEM: Paste the contents of the ~/EasyRSA-X.Y.Z/pki/dh.pem file found on the Mac. Make sure it only includes lines between and including -----BEGIN DH PARAMETERS-----, -----END DH PARAMETERS-----

Additional Config:

Code:
push "route 192.168.x.0 255.255.255.0"
push "dhcp-option DNS 192.168.x.1"

TLS Auth Key: Paste the contents of the ~/EasyRSA-X.Y.Z/pki/private/ta.key file found on the Mac.

At the bottom of the web page, first click on Save, and when the page comes back, click on Apply Settings

Go to Services, Services web configuration page

Find the Additional DNSMasq Options window

Add the following statement.

Code:
interface=tun2

Click on Save, and after the page comes back click on Apply Settings

Go to Administration, Commands web page

Add the following command to the Firewall.

Code:
iptables -t nat -A POSTROUTING -o `get_wanface` -j MASQUERADE

Once you added this statement click on Save Firewall.

When the web page comes back, click on Administration, Management

At the bottom of the page click on the red Router Reboot button and reboot the router. Wait 3 minutes for the router to complete its reboot.

4. Tunnelblick on the Mac

Install Tunnelblick on the Mac

Launch Tunnelblick on the Mac.

Create a folder on your Desktop named <session_name>. I called mine Home.

Add the following statements to TextEdit.

Code:
client
# Must match the server's Hash Algorithm (SHA256); RSA-SHA256 is OpenSSL's alias for SHA256.
auth RSA-SHA256
# Must match the server's Encryption Cipher.
cipher AES-256-CBC
auth-nocache

# Use the same setting as you are using on the server.
dev tun2

# Are we connecting to a TCP or UDP server?  Use the same setting as on the server.
proto udp
tun-mtu 1500

# The hostname/IP and port of the server.
remote <internet domain of OpenVPN server> <port that was defined on the DD-WRT OpenVPN web configuration page>

resolv-retry infinite

# Most clients don't need to bind to a specific local port number.
nobind

# Try to preserve some state across restarts.
persist-key
persist-tun

# SSL/TLS parameters
ca ca.crt
cert <client_name1>.crt
key <client_name1>.key
# Key direction 1 on the client pairs with direction 0 on the server.
tls-auth ta.key 1

# Verify server certificate by checking
# that the certificate has the nsCertType
# field set to "server".  This is an
# important precaution to protect against
# a potential attack discussed here:
# http://openvpn.net/howto.html#mitm
# ns-cert-type server
remote-cert-tls server

# Enable compression on the VPN link (must match the server's LZO setting;
# OpenVPN 2.4+ warns that compression on a VPN link is insecure).
# comp-lzo
compress lzo

# Allow me to change my IP address and/or port number (if I get a new local IP address at Starbucks).
float

Save the file with the name <session_name>.conf to the <session_name> desktop folder

Copy to the Desktop <session_name> folder:

~/EasyRSA-X.Y.Z/pki/private/ta.key
~/EasyRSA-X.Y.Z/pki/private/<client_name1>.key
~/EasyRSA-X.Y.Z/pki/issued/<client_name1>.crt
~/EasyRSA-X.Y.Z/pki/ca.crt

Once all the files are in the folder rename the <session_name> folder to <session_name>.tblk

The folder will then convert itself to a file.

Click and drag that file to the Tunnelblick icon at the top of the screen. When you see a + show up, release the click.

Add the session to ALL users of the Mac

Delete the <session_name>.tblk file from the Desktop.

Click on the Tunnelblick icon at the top of the screen on the Mac and click on VPN Details.

Highlight the <session_name>.

In the VPN Details screen click on the gear icon at the bottom left of the window.

Scroll down and click on Make Configuration Private.

Type in the Mac password when requested.

Log into a WiFi link that is not on your local LAN. For testing I use my smartphone hotspot. Click on Tunnelblick icon and click on Connect to start up VPN.

5. OpenVPN for Android

Install OpenVPN for Android (OfA) from the Play Store

Copy the following files from your Mac laptop to a USB thumb drive.

~/EasyRSA-X.Y.Z/pki/private/ta.key
~/EasyRSA-X.Y.Z/pki/private/<client_name2>.key
~/EasyRSA-X.Y.Z/pki/issued/<client_name2>.crt
~/EasyRSA-X.Y.Z/pki/ca.crt

Transfer those files to the internal storage of the Android mobile device.

Open OfA

At the top portion of the screen tap on SETTINGS

Show log window: Checked

OpenVPN 3 Core: Checked

Connect on boot: Unchecked

Reconnect on network change: Checked

Pause VPN connection after screen off: Checked

At the top right portion of the screen tap the circle plus icon

Edit the profile by tapping the pencil icon to the right of its name

Go to the BASIC tab

Name the profile. I use Home

Check LZO Compression

For the CA Certificate select the path to the ca.crt file
For the Client Certificate select the path to the <client_name2>.crt file
For the Client Certificate Key select the path to the <client_name2>.key file

Go to the SERVER tab

Server Address: <internet domain of OpenVPN server>

Server Port: <port that was defined on the DD-WRT OpenVPN web configuration page>

Protocol: UDP

Proxy: None

Connect Timeout: 120

Custom Options: Unchecked

Go to the IP AND DNS tab

Pull Settings: Enabled

No local binding: Checked

Override DNS Settings by Server: Unchecked

Go to ROUTING Tab

Ignore pushed routes: Unchecked

Bypass VPN for local networks: Unchecked

IPv4

Use default Route: Checked

IPv6

Use default Route: Unchecked

Go to the AUTHENTICATION/ENCRYPTION tab

Expect TLS server certificate: Checked

Certificate Hostname Check: Checked

Remote certificate subject

RDN (common name)

-- Leave Blank --

X.509 Username Field

-- Leave Blank --

TLS Authentication/Encryption

Use TLS Authentication: Enabled

TLS Auth File: Select the path to the ta.key file

TLS Direction: 1

Encryption

Encryption Cipher: AES-256-CBC

Go to the ADVANCED tab

Client behavior

Persistent tun: Checked

Push Peer info: Unchecked

Random Host Prefix: Unchecked

Allow floating server: Checked

Payload options

Override MSS value of TCP payload: Unchecked

Tunnel MTU (tun-mtu): Using default (1500) MTU

Custom Options

Code:
persist-key
auth SHA256

Reconnection settings

Connection retries

Unlimited reconnection retries

Seconds between connections

2 s

Maximum time between connection attempts

300 s

To test, turn off WiFi on the phone.

Exit out of OfA edit mode to the main screen. Tap the profile name to connect to the OpenVPN server.


Last edited by mache on Tue Nov 06, 2018 17:40; edited 5 times in total
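The how-to above makes the same point in several places: the client's cipher, hash, protocol, port, compression and tls-auth direction must line up with what was chosen in the DD-WRT GUI, and `remote-cert-tls server` must be present so the client does not accept any certificate from the same CA as the server. The script below is an added example written for this thread (not code from Tunnelblick, OpenVPN for Android, DD-WRT or any poster) that parses a client .conf and reports those mismatches before you try to connect. Assumptions: the server's tls-auth key direction is 0 (which is why the clients above use 1), the server port is 1194, and `vpn.example.com`, `laptop.crt` and `laptop.key` are placeholders; the profile text at the bottom is a trimmed, constructed copy of the Tunnelblick configuration in the how-to.

```python
"""Consistency check of an OpenVPN client profile against the DD-WRT server.

Added example for this thread, not code from Tunnelblick, OpenVPN for Android,
DD-WRT or any poster. Assumes server tls-auth direction 0 and port 1194.
"""
import shlex

SERVER = {               # values chosen in Services > VPN on the router
    "proto": "udp",
    "port": "1194",      # assumption: the how-to lets you pick; 1194 is the default
    "cipher": "AES-256-CBC",
    "auth": "SHA256",
    "tls_auth_direction": "0",
    "compress": "lzo",   # LZO Compression: Yes
}


def parse_client_config(text):
    """Return {directive: [args]}; a later line overrides an earlier one."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        name, *args = shlex.split(line)
        conf[name] = args
    return conf


def check_client(text, server=SERVER):
    """Return (errors, warnings). Errors break the tunnel or its security;
    warnings are worth reviewing but do not stop the connection."""
    c = parse_client_config(text)
    errors, warnings = [], []

    remote = c.get("remote", [])
    if len(remote) < 2 or remote[1] != server["port"]:
        errors.append(f"remote {remote} does not name the server port {server['port']}")
    proto = (c.get("proto") or ["udp"])[0].rstrip("46")  # udp4/udp6 -> udp
    if proto != server["proto"]:
        errors.append(f"proto {proto} does not match the server proto {server['proto']}")

    cipher = (c.get("cipher") or [None])[0]
    if cipher != server["cipher"]:
        errors.append(f"cipher {cipher} does not match the server cipher {server['cipher']}")
    # OpenSSL accepts RSA-SHA256 as an alias for SHA256, so compare the bare digest name
    digest = (c.get("auth") or ["SHA1"])[0].upper().replace("RSA-", "", 1)
    if digest != server["auth"]:
        errors.append(f"auth {digest} does not match the server hash {server['auth']}")

    ta = c.get("tls-auth")
    expected_dir = "1" if server["tls_auth_direction"] == "0" else "0"
    if not ta:
        errors.append("no tls-auth line, but the server requires the TLS Auth Key")
    elif len(ta) < 2 or ta[1] != expected_dir:
        errors.append(f"tls-auth key direction must be {expected_dir}, the opposite of the server's")

    # Without this, any certificate issued by the same CA (e.g. another client's)
    # would be accepted as the server: the MITM case the config comment points at.
    if not {"remote-cert-tls", "verify-x509-name", "ns-cert-type"} & c.keys():
        errors.append("no remote-cert-tls server: the client does not check it is talking to the server")

    if "compress" in c:
        comp = c["compress"][0] if c["compress"] else "stub"
    else:
        comp = "lzo" if "comp-lzo" in c else None
    if comp != server["compress"]:
        errors.append(f"compression {comp} does not match the server setting {server['compress']}")
    if comp:
        warnings.append("compression is enabled on the link; OpenVPN 2.4+ warns it is insecure, turn it off on both ends if you can")
    return errors, warnings


# Constructed, trimmed copy of the Tunnelblick profile from the how-to.
CLIENT_CONF = """\
client
auth RSA-SHA256
cipher AES-256-CBC
auth-nocache
proto udp
remote vpn.example.com 1194
persist-key
ca ca.crt
cert laptop.crt
key laptop.key
tls-auth ta.key 1
remote-cert-tls server
compress lzo
"""

if __name__ == "__main__":
    errs, warns = check_client(CLIENT_CONF)
    print("errors:", errs or "none")
    print("warnings:", warns or "none")
```

The posted profile passes with only the compression warning; dropping `remote-cert-tls server` or flipping the tls-auth direction to 0 turns into errors, which is the point of running this before a first connection attempt rather than reading the failure out of the Tunnelblick log afterwards.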
mache
DD-WRT User


Joined: 11 Apr 2010
Posts: 319
Location: San Francisco Bay Area

PostPosted: Wed Oct 24, 2018 14:00    Post subject: Reply with quote
I updated / optimized my OpenVPN How To configuration guide for the DD-WRT OpenVPN server, the macOS Tunnelblick client, and the OpenVPN for Android client that was posted earlier in this thread.
All times are GMT