OpenVPN server setup guide by egc

egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 4203
Location: Netherlands

PostPosted: Sun Sep 15, 2019 11:07    Post subject: Reply with quote
I can only advise you about the OVPN settings, and those seem OK as your router can connect.
Why the router misbehaves I cannot tell, maybe your build or maybe other settings; sometimes a router which has had a disconnection needs a reboot to connect again.

You can always use a VPN watchdog script to reboot the router when the VPN is down.
See: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=311060&sid=9fb368b859347d2f2421a494a8776c71

_________________
Routers:Netgear R7800, Netgear R6400v1, Netgear R6400v2, Linksys EA6900 (XvortexCFE), Linksys E2000 (converted WRT320N), WRT54GS v1.
Install guide Linksys EA6900: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=291230
OpenVPN Policy Based Routing guide: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=321686
Install guide R6400v2:http://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
OpenVPN Server Setup:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318795
Install guide R7800: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
tayshun123
DD-WRT Novice


Joined: 05 Sep 2019
Posts: 2

PostPosted: Wed Sep 18, 2019 23:14    Post subject: ca cert deletes after restart Reply with quote
hello all,

Does anybody have an issue where the end of ca.crt deletes the --end certificate-- after a reboot? I save and apply settings, then restart, and openvpn does not start. Log says "Options error: error parsing --server parameters", presumably because the end of my ca cert is missing.

Running on a Linksys EA6700
Firmware Version: DD-WRT v3.0-r40559 std (08/06/19)

Kernel Version: Linux 4.4.187 #650 SMP PREEMPT Tue Aug 6 11:38:46 +04 2019 armv7l

Thank you in advance for your help!
mrjcd
DD-WRT Guru


Joined: 31 Jan 2015
Posts: 4833
Location: Texas

PostPosted: Wed Sep 18, 2019 23:51    Post subject: Re: ca cert deletes after restart Reply with quote
tayshun123 wrote:
hello all,

Does anybody have an issue where the end of ca.crt deletes the --end certificate-- after a reboot? I save and apply settings, then restart, and openvpn does not start. Log says "Options error: error parsing --server parameters", presumably because the end of my ca cert is missing.

Running on a Linksys EA6700
Firmware Version: DD-WRT v3.0-r40559 std (08/06/19)

Kernel Version: Linux 4.4.187 #650 SMP PREEMPT Tue Aug 6 11:38:46 +04 2019 armv7l

Thank you in advance for your help!


Might check its webif page ..Status_Router.asp and see what nvram is being used.
Usually when things refuse to go like you describe it is because you run outta nvram.
Then again, I wouldn't think that's the problem with that router unless you have a bunch of other stuff setup and/or maybe using some really bigass cert/keys.

Have you tried with another build?
or
reset & reconfig to see what happens?
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 2316
Location: Texas, USA

PostPosted: Thu Sep 19, 2019 1:38    Post subject: Re: ca cert deletes after restart Reply with quote
mrjcd wrote:
tayshun123 wrote:
hello all,

Does anybody have an issue where the end of ca.crt deletes the --end certificate-- after a reboot? I save and apply settings, then restart, and openvpn does not start. Log says "Options error: error parsing --server parameters", presumably because the end of my ca cert is missing.

Running on a Linksys EA6700
Firmware Version: DD-WRT v3.0-r40559 std (08/06/19)

Kernel Version: Linux 4.4.187 #650 SMP PREEMPT Tue Aug 6 11:38:46 +04 2019 armv7l

Thank you in advance for your help!


Might check its webif page ..Status_Router.asp and see what nvram is being used.
Usually when things refuse to go like you describe it is because you run outta nvram.
Then again, I wouldn't think that's the problem with that router unless you have a bunch of other stuff setup and/or maybe using some really bigass cert/keys.

Have you tried with another build?
or
reset & reconfig to see what happens?



Isn't this one of the routers that has the 32k nvram bug?
mrjcd
DD-WRT Guru


Joined: 31 Jan 2015
Posts: 4833
Location: Texas

PostPosted: Thu Sep 19, 2019 1:48    Post subject: Re: ca cert deletes after restart Reply with quote
kernel-panic69 wrote:
Isn't this one of the routers that has the 32k nvram bug?

Might be probably and that would explain the outta nvram issue, if that is what is happening.
Maybe egc will be thru directly and he would likely know and besides he knows all 'bout ovpn stuff anyways, in case it's another problem he has seen.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 4203
Location: Netherlands

PostPosted: Thu Sep 19, 2019 7:10    Post subject: Re: ca cert deletes after restart Reply with quote
tayshun123 wrote:
hello all,

Does anybody have an issue where the end of ca.crt deletes the --end certificate-- after a reboot? I save and apply settings, then restart, and openvpn does not start. Log says "Options error: error parsing --server parameters", presumably because the end of my ca cert is missing.

Running on a Linksys EA6700
Firmware Version: DD-WRT v3.0-r40559 std (08/06/19)

Kernel Version: Linux 4.4.187 #650 SMP PREEMPT Tue Aug 6 11:38:46 +04 2019 armv7l

Thank you in advance for your help!


Like my fellow forum members already noted, this can be the 32k NVRAM bug, so check your NVRAM at the Status/Router page.
If this is your problem, see my signature at the bottom of this page for the EA6900 setup guide with some tricks to lower your used NVRAM.

If this is not the case then start a new thread stating your problem, router model, build, network setup, and pictures of your OVPN settings page and OVPN Status page.

tayshun123
DD-WRT Novice


Joined: 05 Sep 2019
Posts: 2

PostPosted: Fri Sep 20, 2019 15:40    Post subject: Re: ca cert deletes after restart Reply with quote
egc wrote:
tayshun123 wrote:
hello all,

Does anybody have an issue where the end of ca.crt deletes the --end certificate-- after a reboot? I save and apply settings, then restart, and openvpn does not start. Log says "Options error: error parsing --server parameters", presumably because the end of my ca cert is missing.

Running on a Linksys EA6700
Firmware Version: DD-WRT v3.0-r40559 std (08/06/19)

Kernel Version: Linux 4.4.187 #650 SMP PREEMPT Tue Aug 6 11:38:46 +04 2019 armv7l

Thank you in advance for your help!


Like my fellow forum members already noted, this can be the 32k NVRAM bug, so check your NVRAM at the Status/Router page.
If this is your problem, see my signature at the bottom of this page for the EA6900 setup guide with some tricks to lower your used NVRAM.

If this is not the case then start a new thread stating your problem, router model, build, network setup, and pictures of your OVPN settings page and OVPN Status page.


I figured it had something to do with the NVRAM. I have 25kb in use. I'll try the tricks in your guide. If it doesn't work I have a Kong build that I will try to install. If all else fails I found a cheap EA8500 on sale that I'll have to buy and hope for the best!

Thanks for your responses everyone! and thank you egc for your great tutorial !!
deadeye09
DD-WRT Novice


Joined: 23 Jul 2018
Posts: 15

PostPosted: Thu Sep 26, 2019 16:48    Post subject: Firewall rule disconnected my router? Reply with quote
Hi,
I was working through this guide (as an absolute newbie, so forgive me if I misinterpreted something obvious) and I got to Step 8 which says:

<SNIP>
Step- 8a Setting up the Firewall
A lot of guides have redundant firewall rules; in the case of firewall rules, less is more.
Actually you do not need any rules to make a connection, but if you want to have an outside/internet connection for your client when "Redirect Default Gateway" is enabled then you have to add the rule described below.

iptables -t nat -A POSTROUTING -o $(nvram get wan_ifname) -j MASQUERADE

Click on the "Administration" tab in the DD-WRT GUI, and then on the "Commands" tab. Copy the following code, and paste the contents into the "Commands" window.

Then click "Save Firewall".

(If you want to make this rule more specific then use:
WAN_IF="$(route -n | awk '/^0.0.0.0/{wif=$NF} END {print wif}')"
iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o $WAN_IF -j MASQUERADE)
</SNIP>

It mentions "Copy the following code" but is it referring to the previous rule:
iptables -t nat -A POSTROUTING -o $(nvram get wan_ifname) -j MASQUERADE

or was there another rule that was supposed to be included in there? I thought it was the previous rule, so I added it to my firewall and it seemed to cut traffic to my router (I'm trying to set up the router remotely from work through a system at home using RDP, and it booted me off and I can no longer connect), so I'm really not sure what that rule did or how it killed my connection. I did enable "Redirect Default Gateway" only because I saw it in the following screenshot, so I assume that I would need that rule. Did I mess something up or is there a missing rule that I was supposed to use?
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 4203
Location: Netherlands

PostPosted: Thu Sep 26, 2019 17:06    Post subject: Re: Firewall rule disconnected my router? Reply with quote
deadeye09 wrote:
Hi,
I was working through this guide (as an absolute newbie, so forgive me if I misinterpreted something obvious) and I got to Step 8 which says:

<SNIP>
Step- 8a Setting up the Firewall
A lot of guides have redundant firewall rules; in the case of firewall rules, less is more.
Actually you do not need any rules to make a connection, but if you want to have an outside/internet connection for your client when "Redirect Default Gateway" is enabled then you have to add the rule described below.

iptables -t nat -A POSTROUTING -o $(nvram get wan_ifname) -j MASQUERADE

Click on the "Administration" tab in the DD-WRT GUI, and then on the "Commands" tab. Copy the following code, and paste the contents into the "Commands" window.

Then click "Save Firewall".

(If you want to make this rule more specific then use:
WAN_IF="$(route -n | awk '/^0.0.0.0/{wif=$NF} END {print wif}')"
iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o $WAN_IF -j MASQUERADE)
</SNIP>

It mentions "Copy the following code" but is it referring to the previous rule:
iptables -t nat -A POSTROUTING -o $(nvram get wan_ifname) -j MASQUERADE

or was there another rule that was supposed to be included in there? I thought it was the previous rule, so I added it to my firewall and it seemed to cut traffic to my router (I'm trying to set up the router remotely from work through a system at home using RDP, and it booted me off and I can no longer connect), so I'm really not sure what that rule did or how it killed my connection. I did enable "Redirect Default Gateway" only because I saw it in the following screenshot, so I assume that I would need that rule. Did I mess something up or is there a missing rule that I was supposed to use?


Thanks for pointing this out, it should be "copy the above code".

The rule is just for routing traffic out via the WAN coming from the VPN and should not hinder any normal traffic (unless you have a really strange setup).

If you have contact to the router again can you show the output (telnet/putty) of the four following commands?
Code:
nvram get wan_ifname
nvram get wan_iface
echo "$(get_wanface)"
echo "$(route -n | awk '/^0.0.0.0/{wif=$NF} END {print wif}')"

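The four commands egc asks for all identify the WAN interface, and the guide's narrowed MASQUERADE rule is only correct if that name is right. The script below is an added example, not code from the guide or from DD-WRT: it runs the guide's own awk on a constructed route -n sample, checks that the candidate names agree (the nvram values are constructed here, since the script runs off the router), and assembles the rule as text for review instead of applying it.

```shell
#!/bin/sh
# Added example (not from egc's guide): reproduce the guide's WAN interface
# detection on a constructed `route -n` sample and build the narrowed
# MASQUERADE rule as text, so it can be checked before being applied.

# Constructed sample of `route -n` on a DD-WRT router whose WAN is vlan2 and
# whose OpenVPN server sits on tun2 (the default mentioned in the thread).
ROUTE_SAMPLE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         203.0.113.1     0.0.0.0         UG    0      0        0 vlan2
10.8.0.0        0.0.0.0         255.255.255.0   U     0      0        0 tun2
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
203.0.113.0     0.0.0.0         255.255.255.0   U     0      0        0 vlan2'

# Same awk as the guide: the Iface column of the last default (0.0.0.0) route.
# Takes the table as $1 so it can run offline; on the router pipe `route -n` in.
wan_from_route() {
    printf '%s\n' "$1" | awk '/^0.0.0.0/{wif=$NF} END {print wif}'
}

# The thread's sanity check: the routing-table interface should match what
# NVRAM reports. On DD-WRT wan_ifname is normally the physical port and
# wan_iface the logical interface; on PPPoE the logical one (ppp0) is the
# one the default route uses, so a disagreement is worth understanding.
# Returns 0 when all non-empty candidates agree, 1 otherwise.
wan_candidates_agree() {
    first=""
    for cand in "$@"; do
        [ -n "$cand" ] || continue
        if [ -z "$first" ]; then first="$cand"
        elif [ "$cand" != "$first" ]; then return 1
        fi
    done
    [ -n "$first" ]
}

# Assemble the narrowed rule: only traffic sourced from the VPN subnet
# (10.8.0.0/24 in the guide) is masqueraded out of the WAN interface.
# An empty interface is refused: unquoted, it would leave `-o` without an
# argument and iptables would reject the rule when the firewall is rebuilt.
masquerade_rule() {
    wan_if="$1"; vpn_net="$2"
    [ -n "$wan_if" ] || { echo "no default route found" >&2; return 1; }
    printf 'iptables -t nat -I POSTROUTING -s %s -o %s -j MASQUERADE\n' "$vpn_net" "$wan_if"
}

WAN_IF="$(wan_from_route "$ROUTE_SAMPLE")"
# Constructed stand-ins for `nvram get wan_ifname` and `nvram get wan_iface`.
wan_candidates_agree "$WAN_IF" vlan2 vlan2 \
    || echo "WAN interface candidates disagree; check PPPoE/VLAN setup" >&2
masquerade_rule "$WAN_IF" 10.8.0.0/24
```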
deadeye09
DD-WRT Novice


Joined: 23 Jul 2018
Posts: 15

PostPosted: Fri Sep 27, 2019 1:28    Post subject: Reply with quote
Interesting, it looks like my router was locked up. I've seen that happen a couple of times now since I flashed DDWRT. Whenever I save a change, it just dies.

Anyway, the output for all three of those commands was vlan2.
Is that correct? I don't think I have a very strange setup. I don't have that much experience when it comes to networking (hence why I was using your guide) so if I have something odd in my setup, it's purely unintentional.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 4203
Location: Netherlands

PostPosted: Fri Sep 27, 2019 7:09    Post subject: Reply with quote
deadeye09 wrote:
Interesting, it looks like my router was locked up. I've seen that happen a couple of times now since I flashed DDWRT. Whenever I save a change, it just dies.

Anyway, the output for all three of those commands was vlan2
Is that correct? I don't think I have a very strange setup. I don't have that much experience when it comes to networking (hence why I was using your guide) so if I have something odd in my setup, it's purely unintentional.


VLAN2 is OK for a normal setup, so that is not the problem.
When you save changes (depending on what) the router rebuilds things like firewall and routing, so yes, it "dies" momentarily; that is normal behaviour.
For some things (OpenVPN among them) and on some routers you have to apply twice (probably a timing issue).
If you are connected locally it is not a problem (you do not need the routing function to connect locally when you are already connected), but if you are setting up a router from remote, then that can get you into trouble.

deadeye09
DD-WRT Novice


Joined: 23 Jul 2018
Posts: 15

PostPosted: Fri Sep 27, 2019 15:32    Post subject: Reply with quote
Oh, when I said it "died", it was dead. Not just momentarily. I had to go home and power-cycle it hours later to get it back up. The wife was not impressed not having WiFi for the day.

I've tried re-applying several times and rebooting as well, and I'm still stuck at the "TLS Error: TLS key negotiation failed to occur within 60 seconds" error. I got to this step using another guide I found online that was somewhat similar to yours, but I'm still stumped on this step, and everything I read online says it's my router (firewall or some setting blocking traffic), but I don't think I have anything that would be doing that. The other guide had different firewall rules than you recommended (shown here), but they didn't seem to make any difference for me:

iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT
iptables -I FORWARD 1 --source 192.168.1.0/24 -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT

Here are some screenshots of my VPN settings on my router:
https://www.dropbox.com/s/3leztlubmaxbqrp/OpenVpnSettings1.png?dl=0
https://www.dropbox.com/s/i2ncgzv3y74ui1d/OpenVpnSettings2.png?dl=0
and my current firewall settings:
https://www.dropbox.com/s/eacc9f8alfg4iwk/Firewall.png?dl=0

I've GOT to be missing something simple, but I just can't figure it out.
deadeye09
DD-WRT Novice


Joined: 23 Jul 2018
Posts: 15

PostPosted: Fri Sep 27, 2019 15:54    Post subject: Reply with quote
Just out of curiosity (thinking that maybe my IT department at my work was blocking VPN traffic), I tried to connect using my phone going over the cellular network and it still failed.

So the issue is definitely with the router blocking VPN traffic. I just have no idea how.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 4203
Location: Netherlands

PostPosted: Fri Sep 27, 2019 16:33    Post subject: Reply with quote
The OpenVPN server is by default on tun2, and takes care of the necessary firewall rules, so the rules from the other guide will not be helping.
(From the guide: "A lot of existing guides are obsolete or wrong" (but this guide is also not perfect)).

From your firewall rules I get the impression that you are also running a VPN client; when you are using Policy Based Routing (which you probably are, seeing your rules) that is not a problem.
But you can not use a VPN server and client on the same router without PBR.

The TLS error you are seeing indicates you have a network problem: your phone/client cannot reach your server.

Be sure to do a reboot and if you still have the error check if you can reach your network.

From the troubleshooting document:
Quote:
Make sure to reboot the router after changing!

TLS Error: TLS key negotiation failed to occur within 60 seconds
Server is not reachable:
• Check server address/DDNS
• Check DDNS,
• Check port,
• Check Port Forward if server is not on the primary router.
• Check/disable firewall
• Sometimes an ISP blocks often used ports. Check with your ISP and/or use TCP port 443, which is not blocked.
• Older DD-WRT versions block UDP ports when SFE is enabled


Normally I would ask to post a picture of the OVPN/Status page (whole page), but in this case it should show the server running (Status Connected) and no further messages.

deadeye09
DD-WRT Novice


Joined: 23 Jul 2018
Posts: 15

PostPosted: Fri Sep 27, 2019 20:08    Post subject: Reply with quote
No, I haven't set up a VPN client on this router, but I was planning on it (to obfuscate my traffic from my ISP) in the future. I didn't know that I couldn't run OpenVPN server on this router AND connect to a third-party VPN service and run a client as well. That's good to know. What is PBR, so that I could investigate a way to do it (as I would like to go down that path, but getting a remote VPN connection to my home is the more important task for me right now)?

Which rules indicate that I was running a VPN client/policy based routing? I have the rule that you recommended in the guide, two rules to block my Hikvision cameras from sending any data to the internet (don't want anything going back to China that shouldn't) and one that drops all traffic from an IP that kept hammering my router trying to find a vulnerability.

So, I turned on logging and checked out the messages log and tried to connect again and got this:

Dec 31 21:25:04 <SERVER_NAME> daemon.notice openvpn[7233]: <CLIENT_WAN_IP>:60766 TLS: Initial packet from [AF_INET]<CLIENT_WAN_IP>:60766, sid=30cd9bd2 8243b63c
Dec 31 21:25:04 <SERVER_NAME> daemon.err openvpn[7233]: <CLIENT_WAN_IP>:60766 VERIFY ERROR: depth=1, error=certificate is not yet valid: C=CA, ST=<MYPROVINCE>, L=<MYCITY>, O=REMOTECorp, OU=REMOTENet, CN=REMOTEVPNCA, name=REMOTEVPN, emailAddress=<MY_EMAIL@ADDRESS.COM>
Dec 31 21:25:04 <SERVER_NAME> daemon.err openvpn[7233]: <CLIENT_WAN_IP>:60766 OpenSSL: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
Dec 31 21:25:04 <SERVER_NAME> daemon.err openvpn[7233]: <CLIENT_WAN_IP>:60766 TLS_ERROR: BIO read tls_read_plaintext error
Dec 31 21:25:04 <SERVER_NAME> daemon.notice openvpn[7233]: <CLIENT_WAN_IP>:60766 NOTE: --mute triggered...
Dec 31 21:25:04 <SERVER_NAME> daemon.notice openvpn[7233]: <CLIENT_WAN_IP>:60766 2 variation(s) on previous 3 message(s) suppressed by --mute
Dec 31 21:25:04 <SERVER_NAME> daemon.notice openvpn[7233]: <CLIENT_WAN_IP>:60766 SIGUSR1[soft,tls-error] received, client-instance restarting

I removed any identifying data, but it looks like it's able to connect to the router, but has an issue with the certificate? I'm also not sure why the date is showing December as I updated my NTP settings. Could the incorrect date be why it may not think the certificate is YET valid?
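The log above shows the handshake reaching the server ("TLS: Initial packet") and then failing on a validity-window check at depth=1, the CA certificate, which is what a system clock set before the certificate's issue date produces. The script below is an added example, not part of the thread: it triages OpenVPN syslog lines of this shape and separates a clock problem from a real certificate problem and from an unreachable server. The sample lines are constructed, with a placeholder host name, a documentation client address and a shortened certificate subject.

```shell
#!/bin/sh
# Added example (not from the thread): triage OpenVPN server log lines.
# Constructed sample in the shape deadeye09 posted; 198.51.100.7 is a
# documentation address and "router" a placeholder host name.
LOG_SAMPLE='Dec 31 21:25:04 router daemon.notice openvpn[7233]: 198.51.100.7:60766 TLS: Initial packet from [AF_INET]198.51.100.7:60766, sid=30cd9bd2 8243b63c
Dec 31 21:25:04 router daemon.err openvpn[7233]: 198.51.100.7:60766 VERIFY ERROR: depth=1, error=certificate is not yet valid: C=CA, O=REMOTECorp, CN=REMOTEVPNCA
Dec 31 21:25:04 router daemon.err openvpn[7233]: 198.51.100.7:60766 OpenSSL: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
Dec 31 21:25:04 router daemon.err openvpn[7233]: 198.51.100.7:60766 TLS_ERROR: BIO read tls_read_plaintext error'

# First VERIFY ERROR reason in the log, e.g. "certificate is not yet valid".
verify_error_reason() {
    printf '%s\n' "$1" \
      | sed -n 's/.*VERIFY ERROR: depth=[0-9]*, error=\([^:]*\):.*/\1/p' | head -n 1
}

# Depth of the failing certificate: 0 is the peer's own cert, 1 its issuing CA.
verify_error_depth() {
    printf '%s\n' "$1" | sed -n 's/.*VERIFY ERROR: depth=\([0-9]*\),.*/\1/p' | head -n 1
}

# Month and day stamped on the first log line, syslog's day padding collapsed.
log_date() {
    printf '%s\n' "$1" | head -n 1 | awk '{print $1, $2}'
}

# Classify the failure. $2 is today's date as "Mon D"; live, pass
# "$(date '+%b %e' | tr -s ' ')" so the comparison uses the same format.
#   clock     - validity-window error and the log date disagrees with today:
#               the router's clock is unsynced, so fix NTP before touching certs
#   cert      - any other verify failure, or a validity error with a sane clock
#   reachable - handshake packets arrive, so it is not a port/firewall problem
#   none      - nothing relevant in the log
diagnose() {
    log="$1"; today="$2"
    reason="$(verify_error_reason "$log")"
    case "$reason" in
        "certificate is not yet valid"|"certificate has expired")
            if [ "$(log_date "$log")" != "$today" ]; then echo "clock"
            else echo "cert"
            fi ;;
        "")
            if printf '%s\n' "$log" | grep -q 'TLS: Initial packet'; then echo "reachable"
            else echo "none"
            fi ;;
        *)  echo "cert" ;;
    esac
}

diagnose "$LOG_SAMPLE" "$(date '+%b %e' | tr -s ' ')"
```

Run against the real /var/log/messages the same way, replacing LOG_SAMPLE with the output of `grep openvpn /var/log/messages`.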