Posted: Tue Jul 02, 2019 3:04 Post subject: openVPN with static ip
I recently changed to a new-in-town fiber optic ISP. I bought a Netgear 7800 and flashed the appropriate dd-wrt (build 40065). I'm following the above guide attempting to provide secure access to my desktop from my laptop when on the road. My issue is that with this ISP the WAN IP address shown on the dd-wrt status page is different than the one I get from what's my ip or via my DDNS service. I'm told that to get OpenVPN working I have to get a static IP address from my ISP, which I've requested. My question is, once I get it, what changes do I have to make to the procedure described in your excellent guide to accomplish my objective?
Joined: 18 Mar 2014 Posts: 12881 Location: Netherlands
Posted: Tue Jul 02, 2019 15:49 Post subject:
I am not sure if the problem is static versus dynamic, because if you have a dynamic address that is what DDNS is for.
Could it be that your new router is in router mode so that you are double natted?
Your new router should be in bridged/modem mode or you should place your R7800 in the DMZ of the ISP router; in that case, enable "Use external IP check" on the DDNS page.
I suspect that you are correct about the "double natted" business. The WAN IP shown on the dd-wrt status page begins with 100, which my research tells me is "reserved for carrier NAT". Does this mean that there is NAT going on before the signal ever gets to my house? Additionally, there is a VoIP box between the ISP-provided modem and my R7800, which may or may not be functioning as an ISP router. Unfortunately I'm a networking newbie, and it is not apparent to me how to get my 7800 in the bridged/modem mode or place it in the DMZ of the ISP router. Following a guide I've found elsewhere in these forums, I've connected the ISP-provided modem directly to one of the computers on the network and run "ipconfig /all", and believe I've determined the router's IP address and the IP address provided to the client (both beginning with 100, and therefore not on the same network as the 7800 and my networked computers, whose addresses begin with 192). I have not yet figured out what to do with this information.
Posted: Wed Jul 03, 2019 0:46 Post subject: error:0B080074:x509
You've fixed my issue of it not showing anything in the OpenVPN tab of DD-WRT! But unfortunately, I got an error: error:0B080074:x509 (client side)
I got this error when right-clicking the .ovpn file and pressing "Start OpenVPN on this config file".
Tried it on two PCs and same error. Possibly I misconfigured something...
I've also tried importing it in the OpenVPN GUI but I get "exit code 1"
Joined: 18 Mar 2014 Posts: 12881 Location: Netherlands
Posted: Wed Jul 03, 2019 9:13 Post subject:
Joined: 18 Mar 2014 Posts: 12881 Location: Netherlands
Posted: Wed Jul 03, 2019 9:15 Post subject: Re: error:0B080074:x509
If your ISP router is behind a cg nat network (which indeed uses addresses starting with 100) you are in trouble. Ask your ISP about it and ask for a public IP address for your ISP router or for a solution where they do port forward to your router.
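Added example (not part of the original thread): a POSIX shell check for the situation discussed above. It classifies the WAN address shown on the router's status page and compares it with the address seen from the internet. The carrier-grade NAT range is 100.64.0.0/10 (RFC 6598), so not every address beginning with 100 is CGNAT. The function names and sample addresses are constructed for illustration.

```sh
#!/bin/sh
# Added example: classify an IPv4 address as cgnat, private, public or invalid.
classify_ipv4() {
    case $1 in
        ''|*[!0-9.]*) echo invalid; return ;;   # digits and dots only
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || { echo invalid; return; }
    for o in "$@"; do
        case $o in
            ''|0?*|????*) echo invalid; return ;;   # empty, leading zero, too long
        esac
        [ "$o" -le 255 ] || { echo invalid; return; }
    done
    if   [ "$1" -eq 100 ] && [ "$2" -ge 64 ] && [ "$2" -le 127 ]; then
        echo cgnat        # 100.64.0.0/10, shared address space (RFC 6598)
    elif [ "$1" -eq 10 ]; then
        echo private      # 10.0.0.0/8
    elif [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ]; then
        echo private      # 172.16.0.0/12
    elif [ "$1" -eq 192 ] && [ "$2" -eq 168 ]; then
        echo private      # 192.168.0.0/16
    else
        echo public
    fi
}

# diagnose_wan <WAN IP from router status page> <IP reported by an external check>
# Prints: cgnat | double-nat | direct | mismatch | invalid
diagnose_wan() {
    case $(classify_ipv4 "$1") in
        invalid) echo invalid ;;
        cgnat)   echo cgnat ;;        # ISP translates upstream; inbound VPN needs ISP help
        private) echo double-nat ;;   # another router in front: bridge it or use its DMZ
        public)  if [ "$1" = "$2" ]; then echo direct; else echo mismatch; fi ;;
    esac
}

# Constructed sample values (203.0.113.10 is a documentation address):
diagnose_wan 100.72.14.9 203.0.113.10    # cgnat
diagnose_wan 192.168.0.23 203.0.113.10   # double-nat
diagnose_wan 203.0.113.10 203.0.113.10   # direct
```

Only the "direct" result means an inbound OpenVPN connection can reach the router's WAN port without help from the upstream device or the ISP.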
I got a static IP address from my ISP and configured my router to use it. I'm still having issues with OpenVPN, however, getting the "TLS Negotiation failed etc." in the client's log. I'm seeing something strange in the router's OpenVPN status page (screenshot attached). The first several entries list the time and date as Dec 31, 1969, and include a message "Warning: your certificate is not yet valid". The certificates are valid 7/3/2019 to 6/30/2029. However, after the line "initialization sequence completed", the date and time on the subsequent lines are shown correctly. On the basic setup page, I have enabled the NTP client, selected the appropriate time zone (eastern US) and left the server/ip box empty. In your OpenVPN troubleshooting guide, the server log you show has the same recent date throughout, and the certificate not valid warning is absent, so I'm assuming that this is my OpenVPN problem. I just don't know how to solve it.
Posted: Wed Jul 10, 2019 20:55 Post subject: Never mind
Quote:
I'm still having issues with OpenVPN, however, getting the "TLS Negotiation failed etc." in the client's log
I had been trying to connect while at home and failing as above. I went down to the local public library and was able to connect successfully over their wifi connection. Problem solved!
I am trying to connect a dd-wrt router (A) behind a primary router (B) to another router (C) running dd-wrt openvpn. My goal is to access Internet through C's IP from A.
I followed the instruction exactly, setting
C: 192.168.1.1, VPN subnet: 10.8.0.0
B: 192.168.0.1
A: 192.168.2.1
I set "Redirect Default Gateway" to enable and first tried openvpn client by iphone. Using the firewall rule below won't get me to Internet.
iptables -t nat -A POSTROUTING -o $(nvram get wan_iface) -j MASQUERADE
I am able to go to Internet if I use:
WAN_IF="$(route -n | awk '/^0.0.0.0/{wif=$NF} END {print wif}')"
iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o $WAN_IF -j MASQUERADE
So I settled on the latter. Then I tried to set up router A. But the vpn won't work. After setting NAT to enable on the VPN page in A, I don't understand this paragraph in the instruction:
"Furthermore you have to NAT the clients traffic out of the WAN of the OVPN server if you want to have internet access, you already have a NAT rule to route the OVPN servers traffic but in this case you should use the general NAT rule"
Do I have to do anything? I will attach the log in a second post.
Joined: 18 Mar 2014 Posts: 12881 Location: Netherlands
Posted: Mon Aug 19, 2019 13:53 Post subject:
Both NAT rules should work in 99,9 % of setups.
So either there is a typo in the first rule or you have a "non-standard" setup.
So tell us a bit more about router C where you have the OVPN server running.
Router model, build, setup, i.e. is this router connected with its WAN port to the internet and in normal gateway setup, has the WAN port a public IP? etc.
Router C is Netgear R6400 v1 running DD-WRT v3.0-r40527 std (08/04/19).
It is normal gateway setup and connects to public internet via PPPOE login. I also setup the DDNS through No-ip.
I will post some logs once I get home.
Because OpenVPN did not work, I also played around with PPTP to achieve the same goal. But I could not find an instruction written as detailed as yours.
Thanks a lot for your help.
Joined: 18 Mar 2014 Posts: 12881 Location: Netherlands
Posted: Mon Aug 19, 2019 14:20 Post subject:
Even for PPPoE both rules should work, interesting.
Can you show the output on router C of:
Code:
nvram show | grep wan_ifname
ip route show
Regardless of this question, if the second rule works with your iPhone, it should normally work with your other ddwrt router set up as an OVPN client, if you follow the guide.
So post a picture of the setup page and status page (whole page) of OVPN server and OVPN client router (keeps you busy).
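Added example (not part of the original thread): a POSIX shell sketch of the check requested above. It reads the default-route interface from `ip route show` output and only emits the source-scoped MASQUERADE rule for the VPN subnet when the candidate interface name is non-empty and matches that route. The function names and the sample routing table are constructed for illustration; they are not output from the poster's router.

```sh
#!/bin/sh
# Added example. SAMPLE_ROUTES is constructed `ip route show` output for a
# PPPoE uplink; interface names and addresses are assumptions.
SAMPLE_ROUTES='default via 10.64.64.1 dev ppp0
10.8.0.0/24 dev tun2 proto kernel scope link src 10.8.0.1
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1'

# Print the device that carries the default route (route table on stdin).
default_route_iface() {
    awk '$1 == "default" {
        for (i = 2; i < NF; i++) if ($i == "dev") { print $(i + 1); exit }
    }'
}

# Accept only plausible Linux interface names (non-empty, at most 15 chars).
valid_iface() {
    case $1 in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}

# build_nat_rule <vpn-subnet> <candidate-iface> <route-table-text>
# Prints the source-scoped MASQUERADE rule only if the candidate interface
# is the one the default route actually uses; otherwise explains why not.
build_nat_rule() {
    case $1 in
        ''|*[!0-9./]*) echo "error: bad subnet '$1'" >&2; return 1 ;;
    esac
    route_if=$(printf '%s\n' "$3" | default_route_iface)
    if ! valid_iface "$route_if"; then
        echo "error: no default route found" >&2; return 1
    fi
    if ! valid_iface "$2"; then
        echo "error: interface name is empty or malformed" >&2; return 1
    fi
    if [ "$2" != "$route_if" ]; then
        echo "error: $2 is not the default-route interface ($route_if)" >&2
        return 1
    fi
    echo "iptables -t nat -I POSTROUTING -s $1 -o $2 -j MASQUERADE"
}

# On the router: build_nat_rule 10.8.0.0/24 "$(nvram get wan_iface)" "$(ip route show)"
```

Scoping the rule with `-s 10.8.0.0/24` limits masquerading to traffic from the VPN subnet, and the interface check catches an empty or mismatched nvram value before it ends up in a firewall rule.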
Aug 19 23:50:38 DD-WRT daemon.warn openvpn[951]: WARNING: Failed running command (--route-up): external program exited with error status: 2
Aug 19 23:50:38 DD-WRT daemon.warn openvpn[951]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
I read the troubleshooting guide and it seems to be due to k2.6 not being able to execute external scripts. Is there any workaround other than finding a k3 build? My router is F7D4301v1 and according to the router database, the latest is a k2.6 build.