OpenVPN server setup guide by egc

Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Advanced Networking
Goto page Previous  1, 2, 3, 4, 5, 6  Next
Author Message
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 3781
Location: Netherlands

PostPosted: Tue Aug 20, 2019 7:32    Post subject: Reply with quote
Regarding the NAT rule of router C (your OVPN server), only the second NAT rule works on your router, which is strange, either something in this build or in your particular setup, but not important for now.
I will make a note of it for future reference

Your diagnosis of the problem of your OVPN client is spot on
Recent K2.6 builds are broken Sad

One of our esteemed forum members @KP69 not long ago revived a ticket, I will try to push also to correct this problem but it has been a long time already so not very high hopes.
(see: https://svn.dd-wrt.com/ticket/6373)

In the mean time try to find a K3.x build or go back to an earlier build in the ticket there is mentioning of 35531 so try that build

_________________
Routers:Netgear R7800, Netgear R6400v1, Netgear R6400v2, Linksys EA6900 (XvortexCFE), Linksys E2000 (converted WRT320N), WRT54GS v1.
Install guide Linksys EA6900: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=291230
Simple PBR (Policy Based Routing) script: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318662
Install guide R6400v2:http://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
OpenVPN server setup guide:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318795
Install guide R7800: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Sponsor
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 1913
Location: Texas, USA

PostPosted: Tue Aug 20, 2019 8:29    Post subject: Reply with quote
wcnngt wrote:
I read the troubleshooting guide and it seems to be due to k2.6 not being able to execute external scripts. Is there any workaround other than finding a k3 build. My router is F7D4301v1 and according to the router database, the latest is a k2.6 build.


egc wrote:

Your diagnosis of the problem of your OVPN client is spot on
Recent K2.6 builds are broken Sad

One of our esteemed forum members @KP69 not long ago revived a ticket, I will try to push also to correct this problem but it has been a long time already so not very high hopes.
(see: https://svn.dd-wrt.com/ticket/6373)

In the mean time try to find a K3.x build or go back to an earlier build in the ticket there is mentioning of 35531 so try that build


First off, thanks for the back-up and support on that ticket, egc. I don't consider myself anyone special, but I try to do what I can to help, thank you for the kind words Smile

Unfortunately, there are no (trailed) K3.x builds for his device that I could find, so rolling back as far as at least 35531 is worth a try. One thing to keep in mind, is another ticket referenced in my ticket ( https://svn.dd-wrt.com/ticket/5784 ) about the invalid argument message in the shell via CLI. I never had issues with startup scripts in 35531 K2.6 build that I recall, but just something to keep in mind. My secondary choices to roll back to would probably be 33772 or as far back as 30880 for a K2.6 build.

Also, I found this thread: Belkin Play Max F7D4301v1 now partially supported .... so, this leads me to wonder, was FULL support ever really achieved to the point of configuring and compiling a (trailed or non-trailed) K3.x build? Somehow, I think that may have slipped through the cracks. I didn't read that thread in entirety, so NOT knowing off the top of my head whether the device is an nv60k or nv64k kinda leaves me with no logical suggestion on 'what to try' to flash up to K3.x, so, unless there is a means to de-brick, I wouldn't suggest trying a k3.x non-trailed mega build, but that is an option if someone feels like it's worth trying -- but ONLY if you have means to recover from a brick. You can read through that thread to see if there is any information that may be relevant. FWIW, there is NO wiki for that device, so someone needs to probably undertake writing one. Just thought I would chime in on this Smile
wcnngt
DD-WRT Novice


Joined: 06 Dec 2011
Posts: 13

PostPosted: Tue Aug 20, 2019 20:14    Post subject: Reply with quote
I flashed the 35531 build and it worked. But the speed is at about 2-3Mbps. This is less than half of the speed if I connect by iPhone. I know that OpenVPN is cpu intensive and my client router is an old one. If I don’t care about security and just want to use the server ip to access the internet, are there any parameters I can tweak to speed up? Thanks a lot for all the helps.
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 1913
Location: Texas, USA

PostPosted: Tue Aug 20, 2019 23:32    Post subject: Reply with quote
wcnngt wrote:
I flashed the 35531 build and it worked. But the speed is at about 2-3Mbps. This is less than half of the speed if I connect by iPhone. I know that OpenVPN is cpu intensive and my client router is an old one. If I don’t care about security and just want to use the server ip to access the internet, are there any parameters I can tweak to speed up? Thanks a lot for all the helps.


Depends on if you can overclock the CPU. From what it looks like on WikiDevi, there aren't any heatsinks, so that might require some modification to even think about it. Wikidevi doesn't state CPU speed, what does it say it is in the webUI? I do know there are some parameters that you can tweak via startup script and stuff, but it usually depends on how the defaults compare to the recommended tweaks. One thing to note is, the next public beta should fix shell scripts and openvpn in the k2.6 builds.
wcnngt
DD-WRT Novice


Joined: 06 Dec 2011
Posts: 13

PostPosted: Wed Aug 21, 2019 12:34    Post subject: Reply with quote
Physical alteration is beyond my reach. I was thinking of using less demanding encryption or switching to PPTP. Any thought?

kernel-panic69 wrote:
wcnngt wrote:
I flashed the 35531 build and it worked. But the speed is at about 2-3Mbps. This is less than half of the speed if I connect by iPhone. I know that OpenVPN is cpu intensive and my client router is an old one. If I don’t care about security and just want to use the server ip to access the internet, are there any parameters I can tweak to speed up? Thanks a lot for all the helps.


Depends on if you can overclock the CPU. From what it looks like on WikiDevi, there aren't any heatsinks, so that might require some modification to even think about it. Wikidevi doesn't state CPU speed, what does it say it is in the webUI? I do know there are some parameters that you can tweak via startup script and stuff, but it usually depends on how the defaults compare to the recommended tweaks. One thing to note is, the next public beta should fix shell scripts and openvpn in the k2.6 builds.
wcnngt
DD-WRT Novice


Joined: 06 Dec 2011
Posts: 13

PostPosted: Fri Sep 06, 2019 3:17    Post subject: Reply with quote
The vpn won’t stay connected for long. I put the log at:
https://drive.google.com/drive/folders/1-0rvzH6yr_Ps_ElZh7Zk-Zq7Ed86v9Dg
Could someone help me? Thanks a lot.

wcnngt wrote:
I flashed the 35531 build and it worked. But the speed is at about 2-3Mbps. This is less than half of the speed if I connect by iPhone. I know that OpenVPN is cpu intensive and my client router is an old one. If I don’t care about security and just want to use the server ip to access the internet, are there any parameters I can tweak to speed up? Thanks a lot for all the helps.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 3781
Location: Netherlands

PostPosted: Fri Sep 06, 2019 10:13    Post subject: Reply with quote
Not much to work with.

I see a log of a DDWRT OVPN client which can not reach the server, this ususally indciates a network error.

Can you reach the server with other clients like your phone?

Show picture of the OVPN Status page of the server (whole page)

_________________
Routers:Netgear R7800, Netgear R6400v1, Netgear R6400v2, Linksys EA6900 (XvortexCFE), Linksys E2000 (converted WRT320N), WRT54GS v1.
Install guide Linksys EA6900: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=291230
Simple PBR (Policy Based Routing) script: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318662
Install guide R6400v2:http://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
OpenVPN server setup guide:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318795
Install guide R7800: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
wcnngt
DD-WRT Novice


Joined: 06 Dec 2011
Posts: 13

PostPosted: Fri Sep 06, 2019 14:08    Post subject: Reply with quote
Rebooting the client router will reconnect. But connection gets dropped after a while.
Here is the server OpenVPN log:
https://drive.google.com/a/alumni.upenn.edu/file/d/1X6uD2QuHsTq3ujHs6QnTia7hc3p3FtMM/view?usp=drivesdk



egc wrote:
Not much to work with.

I see a log of a DDWRT OVPN client which can not reach the server, this ususally indciates a network error.

Can you reach the server with other clients like your phone?

Show picture of the OVPN Status page of the server (whole page)
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 3781
Location: Netherlands

PostPosted: Fri Sep 06, 2019 15:04    Post subject: Reply with quote
Can not see anything wrong with this, the management interface connecting and disconnecting is normal

After how long do you have a disconnection?

Is it only if the connection is idle?

_________________
Routers:Netgear R7800, Netgear R6400v1, Netgear R6400v2, Linksys EA6900 (XvortexCFE), Linksys E2000 (converted WRT320N), WRT54GS v1.
Install guide Linksys EA6900: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=291230
Simple PBR (Policy Based Routing) script: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318662
Install guide R6400v2:http://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
OpenVPN server setup guide:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318795
Install guide R7800: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
wcnngt
DD-WRT Novice


Joined: 06 Dec 2011
Posts: 13

PostPosted: Sat Sep 07, 2019 1:10    Post subject: Reply with quote
Here is the new log from client router
https://drive.google.com/a/alumni.upenn.edu/file/d/1gmG_FUjVU_7HH2C3c0DSlPLS_2M8DK8S/view?usp=drivesdk

I used the vpn to connect a smart speaker which has country ip limit. Right after rebooting the router it worked. Then it might have timed out. I am not sure exactly when but Sep 5 23:44:31 looks suspicious.

Thanks.

egc wrote:
Can not see anything wrong with this, the management interface connecting and disconnecting is normal

After how long do you have a disconnection?

Is it only if the connection is idle?
blonde
DD-WRT Novice


Joined: 06 Sep 2019
Posts: 4

PostPosted: Sat Sep 07, 2019 6:50    Post subject: Is this for installing Openvpn latest release on the VPS? Reply with quote
Hiya,


I briefly look at your thread but I couldn't understand what kind of Openvpn installation is it? Is this Openvpn automatic installation on the VPS with manual settings that will be asked during the installation progress?

Tnx
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 3781
Location: Netherlands

PostPosted: Sat Sep 07, 2019 9:25    Post subject: Reply with quote
wcnngt wrote:
Here is the new log from client router
https://drive.google.com/a/alumni.upenn.edu/file/d/1gmG_FUjVU_7HH2C3c0DSlPLS_2M8DK8S/view?usp=drivesdk

I used the vpn to connect a smart speaker which has country ip limit. Right after rebooting the router it worked. Then it might have timed out. I am not sure exactly when but Sep 5 23:44:31 looks suspicious.

Thanks.

egc wrote:
Can not see anything wrong with this, the management interface connecting and disconnecting is normal

After how long do you have a disconnection?

Is it only if the connection is idle?


The entry you noticed at 23:44:31 has nothing to do with OpenVPN it is you logging in to the router, you can disregard this.

But one other thing I noticed, there seem to be two remote addresses into play:

Sep 6 06:34:27 DD-WRT daemon.notice openvpn[998]: TCP/UDP: Preserving recently used remote address: [AF_INET]116.3.240.96:1194


Sep 6 06:35:32 DD-WRT daemon.notice openvpn[998]: TCP/UDP: Preserving recently used remote address: [AF_INET]175.171.153.122:1194

This last address is not reachable.

One other thing I noticed: you have some AEAD decrypt error which sometimes can be seen because of MTU problems most of the time you can ignore this but if it is frequent use TCP instead of UDP (alternatively enable "Tunnel UDP MSS-Fix" sometimes helps)

_________________
Routers:Netgear R7800, Netgear R6400v1, Netgear R6400v2, Linksys EA6900 (XvortexCFE), Linksys E2000 (converted WRT320N), WRT54GS v1.
Install guide Linksys EA6900: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=291230
Simple PBR (Policy Based Routing) script: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318662
Install guide R6400v2:http://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
OpenVPN server setup guide:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318795
Install guide R7800: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
wcnngt
DD-WRT Novice


Joined: 06 Dec 2011
Posts: 13

PostPosted: Sat Sep 14, 2019 2:14    Post subject: Reply with quote
I have been testing according to you recommendations. Changing it to TCP doesn’t work. The 2 IPs came from server DDNS didn’t update correctly. After I checked the “check external ip”, it works now.

Now the last connection lasted 2 days. It was broken again today. I took the server and client vpnlog below. It will reconnect after I reboot the client router. Any idea?
https://drive.google.com/drive/folders/1t5zkCVX05vA4mxLhw9_-1ugY6BHS9339

egc wrote:
wcnngt wrote:
Here is the new log from client router
https://drive.google.com/a/alumni.upenn.edu/file/d/1gmG_FUjVU_7HH2C3c0DSlPLS_2M8DK8S/view?usp=drivesdk

I used the vpn to connect a smart speaker which has country ip limit. Right after rebooting the router it worked. Then it might have timed out. I am not sure exactly when but Sep 5 23:44:31 looks suspicious.

Thanks.

egc wrote:
Can not see anything wrong with this, the management interface connecting and disconnecting is normal

After how long do you have a disconnection?

Is it only if the connection is idle?


The entry you noticed at 23:44:31 has nothing to do with OpenVPN it is you logging in to the router, you can disregard this.

But one other thing I noticed, there seem to be two remote addresses into play:

Sep 6 06:34:27 DD-WRT daemon.notice openvpn[998]: TCP/UDP: Preserving recently used remote address: [AF_INET]116.3.240.96:1194


Sep 6 06:35:32 DD-WRT daemon.notice openvpn[998]: TCP/UDP: Preserving recently used remote address: [AF_INET]175.171.153.122:1194

This last address is not reachable.

One other thing I noticed: you have some AEAD decrypt error which sometimes can be seen because of MTU problems most of the time you can ignore this but if it is frequent use TCP instead of UDP (alternatively enable "Tunnel UDP MSS-Fix" sometimes helps)
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 3781
Location: Netherlands

PostPosted: Sun Sep 15, 2019 9:20    Post subject: Reply with quote
The one that stands out is:

Code:
20190913 21:23:10 N TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
20190913 21:23:10 N TLS Error: TLS handshake failed


Usually meaning a network error so the server or client cannot reach each other over the network so check if you have intrnet access without the VPN and also:

TLS Error: TLS key negotiation failed to occur within 60 seconds
Server is not reachable:
• Check server address/DDNS
• Check DDNS,
• Check port,
• Check Port Forward if server is not on the primary router.
• Check /disable firewall
• Sometimes an ISP blocks often used ports, Check with your ISP and/or use TCP port 443, this is not blocked.

_________________
Routers:Netgear R7800, Netgear R6400v1, Netgear R6400v2, Linksys EA6900 (XvortexCFE), Linksys E2000 (converted WRT320N), WRT54GS v1.
Install guide Linksys EA6900: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=291230
Simple PBR (Policy Based Routing) script: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318662
Install guide R6400v2:http://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
OpenVPN server setup guide:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318795
Install guide R7800: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
wcnngt
DD-WRT Novice


Joined: 06 Dec 2011
Posts: 13

PostPosted: Sun Sep 15, 2019 10:54    Post subject: Reply with quote
The client router keeps trying but won’t connect. Why rebooting the client router helps it to connect immediately?


egc wrote:
The one that stands out is:

Code:
20190913 21:23:10 N TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
20190913 21:23:10 N TLS Error: TLS handshake failed


Usually meaning a network error so the server or client cannot reach each other over the network so check if you have intrnet access without the VPN and also:

TLS Error: TLS key negotiation failed to occur within 60 seconds
Server is not reachable:
• Check server address/DDNS
• Check DDNS,
• Check port,
• Check Port Forward if server is not on the primary router.
• Check /disable firewall
• Sometimes an ISP blocks often used ports, Check with your ISP and/or use TCP port 443, this is not blocked.
Goto page Previous  1, 2, 3, 4, 5, 6  Next Display posts from previous:    Page 5 of 6
Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Advanced Networking All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You cannot download files in this forum