OpenVPN server setup guide by egc

DD-WRT Forum -> Advanced Networking
mrjcd
DD-WRT Guru


Joined: 31 Jan 2015
Posts: 5100
Location: Texas

PostPosted: Sun Feb 02, 2020 15:40
univac1710, You probably should update that router to r42174.
If it still doesn't work you should post more about your configs.
univac1710
DD-WRT Novice


Joined: 02 Nov 2019
Posts: 9

PostPosted: Mon Feb 03, 2020 14:58
mrjcd wrote:
univac1710, You probably should update that router to r42174.
If it still doesn't work you should post more about your configs.


Thanks. I will have to wait until this weekend to update the firmware. What I am trying to do is only use the VPN so I can use my home internet connection while I am using a public Wifi. I had a VPN working on the previous builds but I see there are newer options. I have my VPN configured as a Server in Router mode. I also have Redirect default Gateway, Allow Client to Client and Allow duplicate on as Enable. I also have the following rule,
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o $(get_wanface) -j MASQUERADE

When this configuration was in place no one on the network could get to the internet. I am thinking that I have a routing issue because I had used the following rules in the past.

iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT
iptables -I FORWARD 1 --source [VPN tunnel ip] -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT

What do I need to change in my configuration to use the VPN only for external connections?
Thanks again.
boris03
DD-WRT User


Joined: 17 Jan 2019
Posts: 139

PostPosted: Mon Feb 03, 2020 15:28
I do have OVPN client and server and watch dog successfully up and running.
My DD-WRT router is second router behind the internet router. DD-WRT router is in WAP mode and I configured the WAN port as LAN port (Can't remember why).

Now I do have trouble with DHCP which is served by the internet router and I would like to move DHCP to my DD-WRT router.
Of course I don't want to risk my working configuration because it cost me (and egc:) a lot of time to set the current config up and running.
Questions:
Can I just reset WAN port as WAN port and connect this to the internet router, switch on DHCP and all is good or is there a bit more I have to consider?
I also think I do need to assign fixed IP devices to the new gateway right?
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 5131
Location: Netherlands

PostPosted: Mon Feb 03, 2020 15:50
univac1710 wrote:
mrjcd wrote:
univac1710, You probably should update that router to r42174.
If it still doesn't work you should post more about your configs.


Thanks. I will have to wait until this weekend to update the firmware. What I am trying to do is only use the VPN so I can use my home internet connection while I am using a public Wifi. I had a VPN working on the previous builds but I see there are newer options. I have my VPN configured as a Server in Router mode. I also have Redirect default Gateway, Allow Client to Client and Allow duplicate on as Enable. I also have the following rule,
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o $(get_wanface) -j MASQUERADE

When this configuration was in place no one on the network could get to the internet. I am thinking that I have a routing issue because I had used the following rules in the past.

iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT
iptables -I FORWARD 1 --source [VPN tunnel ip] -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT

What do I need to change in my configuration to use the VPN only for external connections?
Thanks again.


Without knowing all the details I am doing some estimated guessing.
All those firewall rules should be deleted (read the guide).
If you have your router in router mode instead of gateway mode it will not do SNAT; you should leave the router in gateway mode.
If this is a secondary router configured as a WAP you might need the following rule:
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to $(nvram get lan_ipaddr)

_________________
Routers:Netgear R7800, Netgear R6400v1, Netgear R6400v2, Linksys EA6900 (XvortexCFE), Linksys E2000 (converted WRT320N), WRT54GS v1.
Install guide Linksys EA6900: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=291230
OpenVPN Policy Based Routing guide: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=321686
Install guide R6400v2:http://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
OpenVPN Server Setup:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318795
Install guide R7800: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Wireguard Setup guide:https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1183135
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 5131
Location: Netherlands

PostPosted: Mon Feb 03, 2020 15:54
boris03 wrote:
I do have OVPN client and server and watch dog successfully up and running.
My DD-WRT router is second router behind the internet router. DD-WRT router is in WAP mode and I configured the WAN port as LAN port (Can't remember why).

Now I do have trouble with DHCP which is served by the internet router and I would like to move DHCP to my DD-WRT router.
Of course I don't want to risk my working configuration because it cost me (and egc:) a lot of time to set the current config up and running.
Questions:
Can I just reset WAN port as WAN port and connect this to the internet router, switch on DHCP and all is good or is there a bit more I have to consider?
I also think I do need to assign fixed IP devices to the new gateway right?


That will need considerable tweaking.

Consider using the DHCP server from the DDWRT router, although this is a WAP you should be able to use its DHCP server for your whole subnet.

Start a new thread asking for help about this subject.

boris03
DD-WRT User


Joined: 17 Jan 2019
Posts: 139

PostPosted: Mon Feb 03, 2020 22:51
Ok I will create a new thread
blonde
DD-WRT User


Joined: 06 Sep 2019
Posts: 70

PostPosted: Fri Feb 07, 2020 6:05    Post subject: How to block outside DNS in the OpenVPN Client+Server?
Hiya egc and all DD-WRT Gurus:

How can I block outside DNS in the OpenVPN? I mean my OS and the browser running in it should only be connecting to the DNS that is defined in the OpenVPN Client profile + Server counterpart?

Shall I write this question in a new topic if you find it appropriate?


Tnx and best of luck

_________________
---//signature
I'm a brave journalist, I support human rights <3
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 5131
Location: Netherlands

PostPosted: Fri Feb 07, 2020 10:55    Post subject: Re: How to block outside DNS in the OpenVPN Client+Server?
blonde wrote:
Hiya egc and all DD-WRT Gurus:

How can I block outside DNS in the OpenVPN? I mean my OS and the browser running in it should only be connecting to the DNS that is defined in the OpenVPN Client profile + Server counterpart?

Shall I write this question in a new topic if you find it appropriate?


Tnx and best of luck


Yes, please create a new thread; this is outside the scope of OpenVPN setup.

You should research Forced DNS redirection (there is even a GUI setting to force all DNS queries via the router).

univac1710
DD-WRT Novice


Joined: 02 Nov 2019
Posts: 9

PostPosted: Sat Feb 08, 2020 14:53
egc wrote:
univac1710 wrote:
mrjcd wrote:
univac1710, You probably should update that router to r42174.
If it still doesn't work you should post more about your configs.


Thanks. I will have to wait until this weekend to update the firmware. What I am trying to do is only use the VPN so I can use my home internet connection while I am using a public Wifi. I had a VPN working on the previous builds but I see there are newer options. I have my VPN configured as a Server in Router mode. I also have Redirect default Gateway, Allow Client to Client and Allow duplicate on as Enable. I also have the following rule,
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o $(get_wanface) -j MASQUERADE

When this configuration was in place no one on the network could get to the internet. I am thinking that I have a routing issue because I had used the following rules in the past.

iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT
iptables -I FORWARD 1 --source [VPN tunnel ip] -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT

What do I need to change in my configuration to use the VPN only for external connections?
Thanks again.


Without knowing all the details I am doing some estimated guessing.
All those firewall rules should be deleted (read the guide).
If you have your router in router mode instead of gateway mode it will not do SNAT; you should leave the router in gateway mode.
If this is a secondary router configured as a WAP you might need the following rule:
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to $(nvram get lan_ipaddr)


Sorry it took so long to reply back. I upgraded to the latest firmware yesterday and configured both the router and my client. I made the firewall changes and I can connect via my iPad, but I am getting TLS handshake errors. Both config files look okay but I am not sure. Here are both my router and client config files; can you please take a look at them? Thank you.

Router config:
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
keepalive 10 120
verb 3
mute 3
syslog
writepid /var/run/openvpnd.pid
management 127.0.0.1 14
management-log-cache 100
topology subnet
script-security 2
port 1194
proto udp
cipher aes-128-gcm
auth sha256
client-connect /tmp/openvpn/clcon.sh
client-disconnect /tmp/openvpn/cldiscon.sh
client-config-dir /tmp/openvpn/ccd
comp-lzo adaptive
tls-server
duplicate-cn
push "redirect-gateway def1"
fast-io
tun-mtu 1500
mtu-disc yes
server 10.8.0.0 255.255.255.0
dev tun2

Client config:
client
dev tun
proto udp
remote x.x.x.x 1194
nobind
persist-key
persist-tun
remote-cert-tls server
auth-nocache
verb 4
float
tun-mtu 1500
auth SHA256
cipher AES-128-GCM
ca ca.crt
cert client1.crt
key client1.key

I was able to connect using an outside connection but now I cannot access the internet from my client. I added the push "dhcp-option" DNS line to my router config. Should I add a push route command as well? Thanks
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 5131
Location: Netherlands

PostPosted: Sat Feb 08, 2020 16:23
TLS error is usually caused by a network connection error, see the troubleshooting document in the third post of this thread.

That said there are some inconsistencies in your setup.

You have set Compression to Adaptive but there is no compression set in the client.
As compression is somewhat of a safety concern I have it default disabled.

Furthermore most newer clients use: proto udp4
Actually the server config should also show that so not sure what is going on.

But as said see the troubleshooting document for the TLS error (and/or to check for other problems).

If you still can not solve it, show the output of the OVPN status page (whole page) and picture of settings page and logs of the client.

univac1710
DD-WRT Novice


Joined: 02 Nov 2019
Posts: 9

PostPosted: Sat Feb 08, 2020 22:55
egc wrote:
TLS error is usually caused by a network connection error, see the troubleshooting document in the third post of this thread.

That said there are some inconsistencies in your setup.

You have set Compression to Adaptive but there is no compression set in the client.
As compression is somewhat of a safety concern I have it default disabled.

Furthermore most newer clients use: proto udp4
Actually the server config should also show that so not sure what is going on.

But as said see the troubleshooting document for the TLS error (and/or to check for other problems).

If you still can not solve it, show the output of the OVPN status page (whole page) and picture of settings page and logs of the client.


Thanks. I made the changes you said to make along with modifying the iptables to the below and I was able to connect to the internet.

WAN_IF="$(route -n |awk '/^0.0.0.0/{wif=$NF} END {print wif}')"
iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o $WAN_IF -j MASQUERADE

Where does the first line that has WAN_IF get put? Is it part of the Startup Command field or does it go into the Firewall Command field?
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 5131
Location: Netherlands

PostPosted: Sun Feb 09, 2020 9:38
univac1710 wrote:
egc wrote:
TLS error is usually caused by a network connection error, see the troubleshooting document in the third post of this thread.

That said there are some inconsistencies in your setup.

You have set Compression to Adaptive but there is no compression set in the client.
As compression is somewhat of a safety concern I have it default disabled.

Furthermore most newer clients use: proto udp4
Actually the server config should also show that so not sure what is going on.

But as said see the troubleshooting document for the TLS error (and/or to check for other problems).

If you still can not solve it, show the output of the OVPN status page (whole page) and picture of settings page and logs of the client.


Thanks. I made the changes you said to make along with modifying the iptables to the below and I was able to connect to the internet.

WAN_IF="$(route -n |awk '/^0.0.0.0/{wif=$NF} END {print wif}')"
iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o $WAN_IF -j MASQUERADE

Where does the first line that has WAN_IF get put? Is it part of the Startup Command field or does it go into the Firewall Command field?


Great work.

The WAN_IF= .. belongs to the iptables rule and both (in that order) should be put in the firewall startup.

The simpler rule:
Code:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o $(get_wanface) -j MASQUERADE
should also work, if not, please send the output of the four following commands (telnet/putty):
Code:
nvram get wan_iface
nvram get wan_ifname
get_wanface
echo WAN_IF="$(route -n | awk '/^0.0.0.0/{wif=$NF} END {print wif}')"

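As an added example, not code from the thread or from DD-WRT, a firewall-startup script in the shape egc describes above (the WAN_IF detection followed by the MASQUERADE rule, in that order), with a guard against an empty interface name and an insert that does not duplicate the rule when the script runs again. The `route -n` output it tests itself against is constructed; `get_wanface` and `nvram get wan_iface` are the helpers shown in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: the WAN_IF detection and MASQUERADE rule
# egc says belong together in the firewall startup, plus three defensive
# additions: fall back to get_wanface / nvram when no default route is up yet,
# refuse an empty interface name (an empty -o makes iptables reject the rule,
# so VPN clients silently lose internet), and insert the rule only once.

VPN_NET=10.8.0.0/24   # OpenVPN server subnet used in the thread

# Interface of the last default route in `route -n` text read from stdin
# (the thread's awk expression, with the dots escaped).
wan_from_route_table() {
    awk '/^0\.0\.0\.0/ { wif = $NF } END { print wif }'
}

# WAN interface: routing table first, then the DD-WRT helpers. Prints nothing
# if none of them know it.
detect_wan_if() {
    wif=$(route -n 2>/dev/null | wan_from_route_table)
    [ -n "$wif" ] || wif=$(get_wanface 2>/dev/null)
    [ -n "$wif" ] || wif=$(nvram get wan_iface 2>/dev/null)
    echo "$wif"
}

# Add the rule once: -C tests for an existing identical rule (firewall
# scripts may run more than once), -I inserts at the top of POSTROUTING.
# On an iptables too old for -C the check fails and the rule is simply
# inserted, which is what the thread's one-liner does anyway.
# Returns 1 and adds nothing when the interface name is empty.
add_vpn_masquerade() {
    net=$1; wif=$2
    if [ -z "$wif" ]; then
        echo "add_vpn_masquerade: WAN interface unknown, rule not added" >&2
        return 1
    fi
    rule="POSTROUTING -s $net -o $wif -j MASQUERADE"
    iptables -t nat -C $rule 2>/dev/null || iptables -t nat -I $rule
}

# Constructed `route -n` output for a self-test: the default route leaves via
# vlan2, as in the output univac1710 posted (WAN_IF=vlan2).
SAMPLE_ROUTES='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         203.0.113.1     0.0.0.0         UG    0      0        0 vlan2
10.8.0.0        0.0.0.0         255.255.255.0   U     0      0        0 tun2
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
203.0.113.0     0.0.0.0         255.255.255.0   U     0      0        0 vlan2'

sample_wan_if() { printf '%s\n' "$SAMPLE_ROUTES" | wan_from_route_table; }

# Apply for real only on a DD-WRT router (where nvram exists).
if command -v nvram >/dev/null 2>&1; then
    add_vpn_masquerade "$VPN_NET" "$(detect_wan_if)"
fi
```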
univac1710
DD-WRT Novice


Joined: 02 Nov 2019
Posts: 9

PostPosted: Sun Feb 09, 2020 14:05
egc wrote:
univac1710 wrote:
egc wrote:
TLS error is usually caused by a network connection error, see the troubleshooting document in the third post of this thread.

That said there are some inconsistencies in your setup.

You have set Compression to Adaptive but there is no compression set in the client.
As compression is somewhat of a safety concern I have it default disabled.

Furthermore most newer clients use: proto udp4
Actually the server config should also show that so not sure what is going on.

But as said see the troubleshooting document for the TLS error (and/or to check for other problems).

If you still can not solve it, show the output of the OVPN status page (whole page) and picture of settings page and logs of the client.


Thanks. I made the changes you said to make along with modifying the iptables to the below and I was able to connect to the internet.

WAN_IF="$(route -n |awk '/^0.0.0.0/{wif=$NF} END {print wif}')"
iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o $WAN_IF -j MASQUERADE

Where does the first line that has WAN_IF get put? Is it part of the Startup Command field or does it go into the Firewall Command field?


Great work.

The WAN_IF= .. belongs to the iptables rule and both (in that order) should be put in the firewall startup.

The simpler rule:
Code:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o $(get_wanface) -j MASQUERADE
should also work, if not, please send the output of the four following commands (telnet/putty):
Code:
nvram get wan_iface
nvram get wan_ifname
get_wanface
echo WAN_IF="$(route -n | awk '/^0.0.0.0/{wif=$NF} END {print wif}')"


Thanks. Here is the output.
BusyBox v1.31.1 (2020-02-06 07:25:05 +04) built-in shell (ash)

root@LINKSYS:~# nvram get wan_iface
vlan2
root@LINKSYS:~# nvram get wan_ifname
vlan2
root@LINKSYS:~# get_wanface
vlan2
root@LINKSYS:~#
root@LINKSYS:~# echo WAN_IF="$(route -n | awk '/^0.0.0.0/{wif=$NF} END {print wif}')"
WAN_IF=vlan2
root@LINKSYS:~#
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 5131
Location: Netherlands

PostPosted: Sun Feb 09, 2020 14:21
Thanks,

Yes, according to this the simpler rule should work, but just leave it as it is; the rule you are now using is also excellent.

univac1710
DD-WRT Novice


Joined: 02 Nov 2019
Posts: 9

PostPosted: Sun Feb 09, 2020 15:03
egc wrote:
Thanks,

Yes, according to this the simpler rule should work, but just leave it as it is; the rule you are now using is also excellent.


I just made the changes in my setup. Many thanks.....
Page 10 of 12. All times are GMT.