OpenVPN client on dd-wrt 2nd router

Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Advanced Networking
Author Message
YadiMolina
DD-WRT Novice


Joined: 18 Dec 2018
Posts: 8

PostPosted: Wed Feb 13, 2019 2:36    Post subject: OpenVPN client on dd-wrt 2nd router Reply with quote
Greetings,
I am trying to get a router to act as an OpenVPN client.

It is a Linksys E2500 running DD-WRT v3.0-r33772 mega (11/16/17). I have a Raspberry Pi running PIVPN server at a remote location with a dyndns.org domain. It took forever to get the OpenVPN client to connect, but thanks to other posts here, I finally accomplished that (using an older firmware). In the pivpn server, I see the dd-wrt router connection reported as connected. I use the same pivpn server to connect to other android and PC clients, all functioning perfectly, with great speed and functionality.

My network configuration is as listed below:

1. ISP modem
2. Main Router running DD-WRT, 192.168.99.0/24
3. Cable from a LAN port on the main router to the WAN port of the VPN Router
3. VPN Router with subnet of 192.168.101.0/24
4. VPN Router has a fixed IP for the WAN of 99.3, and the main router has a DMZ assigned to that IP.


This configuration worked perfectly when I used a commercial VPN for several years. Although, I never paid much attention to the commands or configuration that was used in the commercial setup. The WAN IP always showed the remote IP in the top right corner and the Status page, WAN tab.

Everything works fine in both subnets without the VPN. When I finally got the VPN connected, I have no internet availability in the VPN subnet. It won't communicate via domain names or IP addresses. Now, after the new VPN connects, I still see the local WAN IP displayed.

The NAT is enabled on the OpenVPN client configuration page.

I've switched between router or a gateway in the Setup, Advanced Routing tab, Operating Mode, no effect it seems.

Here's the top of the openvpn config file.

client
dev tun
proto udp
remote <dynamicdns+port>
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
tls-version-min 1.2
verify-x509-name server_blahblahblah name
cipher AES-256-CBC
auth SHA256
auth-nocache
verb 3



Status, VPN tab reports connected, but no remote address. The status section shows plenty of read and write bytes. The local address shown below is the IP range for devices connected to PIVPN.

Client: CONNECTED SUCCESS

Local Address: 10.8.0.9
Remote Address:


19691231 19:00:11 I OpenVPN 2.4.4 mipsel-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Nov 16 2017
19691231 19:00:11 I library versions: OpenSSL 1.1.0g 2 Nov 2017 LZO 2.09
19691231 19:00:11 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:16
19691231 19:00:11 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
20190212 20:58:32 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
20190212 20:58:32 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
20190212 20:58:32 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
20190212 20:58:32 NOTE: --mute triggered...
20190212 20:58:32 1 variation(s) on previous 3 message(s) suppressed by --mute
20190212 20:58:32 I TCP/UDP: Preserving recently used remote address: [AF_INET]<resolvedIP-port>
20190212 20:58:32 Socket Buffers: R=[163840->163840] S=[163840->163840]
20190212 20:58:32 W --mtu-disc is not supported on this OS
20190212 20:58:32 I UDP link local: (not bound)
20190212 20:58:32 I UDP link remote: [AF_INET]<resolvedIP-port>
20190212 20:58:32 TLS: Initial packet from [AF_INET]<resolvedIP-port> sid=b63cbca6 21e84d7c
20190212 20:58:32 VERIFY OK: depth=1 CN=ChangeMe
20190212 20:58:32 VERIFY KU OK
20190212 20:58:32 NOTE: --mute triggered...
20190212 20:58:33 5 variation(s) on previous 3 message(s) suppressed by --mute
20190212 20:58:33 W WARNING: 'link-mtu' is used inconsistently local='link-mtu 1570' remote='link-mtu 1569'
20190212 20:58:33 W WARNING: 'comp-lzo' is present in local config but missing in remote config local='comp-lzo'
20190212 20:58:33 Control Channel: TLSv1.2 cipher TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384 256 bit EC curve: prime256v1
20190212 20:58:33 I [server_J8LYl58uzalUDqUZ] Peer Connection Initiated with [AF_INET]<resolvedIP-port>
20190212 20:58:34 SENT CONTROL [server_J8LYl58uzalUDqUZ]: 'PUSH_REQUEST' (status=1)
20190212 20:58:34 PUSH: Received control message: 'PUSH_REPLY dhcp-option DNS 8.8.8.8 dhcp-option DNS 8.8.4.4 block-outside-dns redirect-gateway def1 route-gateway 10.8.0.1 topology subnet ping 1800 ping-restart 3600 ifconfig 10.8.0.9 255.255.255.0 peer-id 0 cipher AES-256-GCM'
20190212 20:58:34 N Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:3: block-outside-dns (2.4.4)
20190212 20:58:34 OPTIONS IMPORT: timers and/or timeouts modified
20190212 20:58:34 OPTIONS IMPORT: --ifconfig/up options modified
20190212 20:58:34 OPTIONS IMPORT: route options modified
20190212 20:58:34 NOTE: --mute triggered...
20190212 20:58:34 5 variation(s) on previous 3 message(s) suppressed by --mute
20190212 20:58:34 Data Channel: using negotiated cipher 'AES-256-GCM'
20190212 20:58:34 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
20190212 20:58:34 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
20190212 20:58:34 I TUN/TAP device tun0 opened
20190212 20:58:34 TUN/TAP TX queue length set to 100
20190212 20:58:34 D do_ifconfig tt->did_ifconfig_ipv6_setup=0
20190212 20:58:34 I /sbin/ifconfig tun0 10.8.0.9 netmask 255.255.255.0 mtu 1500 broadcast 10.8.0.255
20190212 20:58:34 /sbin/route add -net <resolvedremoteIP> netmask 255.255.255.255 gw 192.168.99.1
20190212 20:58:34 /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.8.0.1
20190212 20:58:34 /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.8.0.1
20190212 20:58:34 I Initialization Sequence Completed


I assume this is some routing issue, hopefully simple but I am very weak in such things. I appreciate any direction.
Sponsor
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 4362
Location: Netherlands

PostPosted: Wed Feb 13, 2019 11:46    Post subject: Reply with quote
Can you ping your VPN server: ping 10.8.0.1
_________________
Routers:Netgear R7800, Netgear R6400v1, Netgear R6400v2, Linksys EA6900 (XvortexCFE), Linksys E2000 (converted WRT320N), WRT54GS v1.
Install guide Linksys EA6900: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=291230
OpenVPN Policy Based Routing guide: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=321686
Install guide R6400v2:http://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
OpenVPN Server Setup:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318795
Install guide R7800: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Wireguard Setup guide:https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1183135
YadiMolina
DD-WRT Novice


Joined: 18 Dec 2018
Posts: 8

PostPosted: Wed Feb 13, 2019 13:29    Post subject: Reply with quote
I cannot ping the VPN server behind the VPN router.

I can ping the VPN server from a pc using the client.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 4362
Location: Netherlands

PostPosted: Wed Feb 13, 2019 18:53    Post subject: Reply with quote
If I understand it correctly you have two routers daisy chained (LAN<>WAN), on the second router you have a VPN client to an external VPN server.

If so the secondary router has to be setup as default gateway mode.
Important is that the secondary router, the OpenVPN subnet and the OVPN servers subnet are all different, you have to have 3 different subnets.

You do have an error:
20190212 20:58:34 N Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:3: block-outside-dns (2.4.4)

_________________
Routers:Netgear R7800, Netgear R6400v1, Netgear R6400v2, Linksys EA6900 (XvortexCFE), Linksys E2000 (converted WRT320N), WRT54GS v1.
Install guide Linksys EA6900: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=291230
OpenVPN Policy Based Routing guide: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=321686
Install guide R6400v2:http://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
OpenVPN Server Setup:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318795
Install guide R7800: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Wireguard Setup guide:https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1183135
YadiMolina
DD-WRT Novice


Joined: 18 Dec 2018
Posts: 8

PostPosted: Wed Feb 13, 2019 23:01    Post subject: Reply with quote
Thanks for your responses. Yes, the routers are daisy-chained. The VPN router is set as Gateway. I am curious if Setup, Advanced Routing, Dynamic Routing should be enabled.

I noticed the DNS error. I tried various sites via IP instead of names, no luck.

Yes, 3 subnets. Looking at the routing table.
YadiMolina
DD-WRT Novice


Joined: 18 Dec 2018
Posts: 8

PostPosted: Sun May 05, 2019 17:23    Post subject: Reply with quote
After much googling and just blind trial-and-error, I finally got my system to work by adding this to Administration, Commands, Firewall:

iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
iptables -I INPUT -i tun0 -j REJECT
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE


The WAN IP status on the top right still shows the local WAN IP, but that doesn't seem affect anything. Everything behind the VPN router shows as the remote public IP.
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8034

PostPosted: Sun May 05, 2019 17:55    Post subject: Reply with quote
The following is probably the source of all your problems.

Code:
dev tun


That one little innocent looking line you added to Additional Config is a VPN wrecker. What that directive does is tell OpenVPN to select an arbitrary network interface name based on the prefix "tun". So it did. It used tun0. But here's the problem.

The dd-wrt OpenVPN client doesn't need that directive. It automatically uses tun1 as its network interface name. And all the firewall rules and routing assume the use of tun1. So by using the dev directive, you basically overrode the network interface name from tun1 to tun0 and broke it. None of the auto-generated firewall rules will work because they refer to tun1, NOT tun0. In the end, you fixed what you broke by adding firewall rules based on tun0.

This is why we tell ppl all the time, including egc's openvpn guides, do NOT over configure the OpenVPN client or server. 9 times out of 10, what you add to the Additional Config field is completely unnecessary. Sometimes you luck out and it's redundant or harmless. But sometimes it breaks things. And the use of the dev directive is a major no-no.

P.S. The dd-wrt developers are partially to blame here. They *should* have used the OpenVPN $dev variable in their firewall script so they picked up the correct network interface name, rather than just hardcoding tun1 into the OpenVPN client. If they had done so, then it wouldn't matter if the user had overridden the network interface name for some reason. The OpenVPN client would still have worked. The use of a hardcode network interface name is just bad design because it creates the opportunity for someone to break the OpenVPN client.

I'll probably report this as a bug (not sure it will ever get addressed though).
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8034

PostPosted: Sun May 05, 2019 18:55    Post subject: Reply with quote
Bug reported created.

https://svn.dd-wrt.com/ticket/6638
YadiMolina
DD-WRT Novice


Joined: 18 Dec 2018
Posts: 8

PostPosted: Sun May 05, 2019 20:49    Post subject: Reply with quote
I appreciate your kind and detailed response.

I tried to remove the dev tun line from the additional config field, as well as the Firewall commands, but it was unsuccessful, same problem as before, no web pages opened. I didn't do any troubleshooting, just restored the previous config and I'm good.


fwiw... the openvpn client in this case is severely over configured, in the sense that the only way I could get the thing to connect at all was to paste the entirety of the openvpn config file generated by the pivpn into the Additional Config field, including all the certs.
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8034

PostPosted: Sun May 05, 2019 21:40    Post subject: Reply with quote
If you're happy w/ the current results, so am I. All I'm saying is that overriding things w/ the Additional Config field is one of the most common mistakes we see. And in all the YEARS I've been working w/ OpenVPN, and on the dd-wrt platform in particular, I've *never* seen a case where the OpenVPN client couldn't be configured normally (by which I mean, NOT dumping the VPN provider's config file into Additional Config). And unless I was configuring the OpenVPN client myself w/ that VPN provider, I can't diagnose what the specific problem/issue may be that's preventing normal usage.

If it ever came to be that I couldn't get it to work normally, I'd probably be more inclined to simply run the OpenVPN client from the command line, w/ my own scripting, and bypass the GUI entirely. After all, if you end up dumping everything into the Additional Config field and build all your own firewall rules, what's the real benefit of use the GUI anyway?!

P.S. Here's another example of where the developers could have done better. Just like Merlin's firmware, they could have provided the option to let the user provide their own OpenVPN config file! IOW, the GUI would do NONE of the configuration except perhaps for the firewall rules. But of course that would have require fixing the bug report I just filed.

Bottom line, the dd-wrt OpenVPN client and server (particularly the former) have some serious problems that need to be addressed.
Display posts from previous:    Page 1 of 1
Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Advanced Networking All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You cannot download files in this forum