Joined: 18 Mar 2014 Posts: 12917 Location: Netherlands
Posted: Sun Sep 15, 2019 11:07 Post subject:
I can only advise you about the OVPN settings, and those seem OK as your router can connect.
Why the router misbehaves I cannot tell; maybe your build or maybe other settings. Sometimes a router which has had a disconnection needs a reboot to connect again.
Posted: Wed Sep 18, 2019 23:14 Post subject: ca cert deletes after restart
hello all,
Does anybody have an issue where the end of ca.crt (the --end certificate-- line) gets deleted after a reboot? I save and apply settings, then restart, and OpenVPN does not start. Log says "Options error: error parsing --server parameters", presumably because the end of my CA cert is missing.
Running on a Linksys EA6700
Firmware Version: DD-WRT v3.0-r40559 std (08/06/19)
Kernel Version: Linux 4.4.187 #650 SMP PREEMPT Tue Aug 6 11:38:46 +04 2019 armv7l
Posted: Wed Sep 18, 2019 23:51 Post subject: Re: ca cert deletes after restart
tayshun123 wrote:
hello all,
Does anybody have an issue where the end of ca.crt (the --end certificate-- line) gets deleted after a reboot? I save and apply settings, then restart, and OpenVPN does not start. Log says "Options error: error parsing --server parameters", presumably because the end of my CA cert is missing.
Running on a Linksys EA6700
Firmware Version: DD-WRT v3.0-r40559 std (08/06/19)
Kernel Version: Linux 4.4.187 #650 SMP PREEMPT Tue Aug 6 11:38:46 +04 2019 armv7l
Thank you in advance for your help!
Might check its webif page (Status_Router.asp) and see what NVRAM is being used.
Usually when things refuse to go like you describe it is because you ran outta NVRAM.
Then again, I wouldn't think that's the problem with that router unless you have a bunch of other stuff set up and/or maybe are using some really bigass certs/keys.
Have you tried with another build?
or
reset & reconfig to see what happens?
Joined: 08 May 2018 Posts: 14246 Location: Texas, USA
Posted: Thu Sep 19, 2019 1:38 Post subject: Re: ca cert deletes after restart
mrjcd wrote:
tayshun123 wrote:
hello all,
Does anybody have an issue where the end of ca.crt (the --end certificate-- line) gets deleted after a reboot? I save and apply settings, then restart, and OpenVPN does not start. Log says "Options error: error parsing --server parameters", presumably because the end of my CA cert is missing.
Running on a Linksys EA6700
Firmware Version: DD-WRT v3.0-r40559 std (08/06/19)
Kernel Version: Linux 4.4.187 #650 SMP PREEMPT Tue Aug 6 11:38:46 +04 2019 armv7l
Thank you in advance for your help!
Might check its webif page (Status_Router.asp) and see what NVRAM is being used.
Usually when things refuse to go like you describe it is because you ran outta NVRAM.
Then again, I wouldn't think that's the problem with that router unless you have a bunch of other stuff set up and/or maybe are using some really bigass certs/keys.
Have you tried with another build?
or
reset & reconfig to see what happens?
Isn't this one of the routers that has the 32k nvram bug?
Posted: Thu Sep 19, 2019 1:48 Post subject: Re: ca cert deletes after restart
kernel-panic69 wrote:
Isn't this one of the routers that has the 32k nvram bug?
Might be, probably, and that would explain the outta NVRAM issue, if that is what is happening.
Maybe egc will be through directly; he would likely know, and besides he knows all 'bout OVPN stuff anyways, in case it's another problem he has seen.
Joined: 18 Mar 2014 Posts: 12917 Location: Netherlands
Posted: Thu Sep 19, 2019 7:10 Post subject: Re: ca cert deletes after restart
tayshun123 wrote:
hello all,
Does anybody have an issue where the end of ca.crt (the --end certificate-- line) gets deleted after a reboot? I save and apply settings, then restart, and OpenVPN does not start. Log says "Options error: error parsing --server parameters", presumably because the end of my CA cert is missing.
Running on a Linksys EA6700
Firmware Version: DD-WRT v3.0-r40559 std (08/06/19)
Kernel Version: Linux 4.4.187 #650 SMP PREEMPT Tue Aug 6 11:38:46 +04 2019 armv7l
Thank you in advance for your help!
Like my fellow forum members already noted, this can be the 32k NVRAM bug, so check your NVRAM on the Status/Router page.
If this is your problem, see my signature at the bottom of this page for the EA6900 setup guide with some tricks to lower your used NVRAM.
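Added example (mine, not from this thread, egc's guide or DD-WRT): a small shell check for the symptom in the first post. A CA cert that was cut short because NVRAM ran full loses its trailing "-----END CERTIFICATE-----" line, which is exactly what makes OpenVPN refuse to start, so the check verifies that every BEGIN has a matching END and that the last marker is an END line, and adds up how many bytes the PEM files cost. The PEM body below is a constructed dummy, not a real certificate, and the NVRAM variable name `openvpn_ca` in the last function is an assumption on my part (it is the one I have seen hold the server CA on DD-WRT builds); that function only does anything on a box that actually has the `nvram` binary.

```shell
#!/bin/sh
# Added example, not from this thread or DD-WRT. Checks that a PEM bundle is
# intact: a CA cert truncated by a full NVRAM loses its trailing
# "-----END CERTIFICATE-----" line, and OpenVPN then fails at option parsing.
pem_intact() {
    # $1: file holding one or more PEM blocks. Prints "ok" or "truncated".
    begins=$(grep -c -- '-----BEGIN ' "$1" || true)
    ends=$(grep -c -- '-----END ' "$1" || true)
    last=$(grep -- '^-----' "$1" | tail -n 1)   # last marker line in the file
    if [ "$begins" -gt 0 ] && [ "$begins" -eq "$ends" ] \
        && [ "${last#-----END }" != "$last" ]; then
        echo ok
    else
        echo truncated
    fi
}

pem_bytes() {
    # Total bytes of all given files: roughly what they cost in NVRAM,
    # which on the affected routers is only 32 KiB in total.
    cat "$@" | wc -c | tr -d ' '
}

nvram_pem_intact() {
    # $1: NVRAM variable to inspect (openvpn_ca is an assumed name).
    # Only runs on the router itself; elsewhere it reports and returns 2.
    command -v nvram >/dev/null 2>&1 || { echo "no nvram binary"; return 2; }
    tmp=$(mktemp) || return 2
    nvram get "$1" > "$tmp"
    pem_intact "$tmp"
    rm -f "$tmp"
}

# Constructed sample: a fake PEM body (not a real certificate) and a copy with
# the END line missing, as a full NVRAM would leave it.
TMPD=$(mktemp -d)
GOOD="$TMPD/ca.crt"
BAD="$TMPD/ca-truncated.crt"
printf '%s\n' '-----BEGIN CERTIFICATE-----' \
    'MIIBdummyCertBodyLineOne' 'MIIBdummyCertBodyLineTwo' \
    '-----END CERTIFICATE-----' > "$GOOD"
sed '$d' "$GOOD" > "$BAD"   # drop the last (END) line

echo "good: $(pem_intact "$GOOD"), truncated: $(pem_intact "$BAD"), bytes: $(pem_bytes "$GOOD")"
```

On the router, run `nvram_pem_intact openvpn_ca` after a reboot; if it says truncated while the Status/Router page shows usage near the 32k limit, the NVRAM-saving tricks from the guide (or a smaller CA chain) are the fix, not the OpenVPN settings.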
Posted: Fri Sep 20, 2019 15:40 Post subject: Re: ca cert deletes after restart
egc wrote:
tayshun123 wrote:
hello all,
Does anybody have an issue where the end of ca.crt (the --end certificate-- line) gets deleted after a reboot? I save and apply settings, then restart, and OpenVPN does not start. Log says "Options error: error parsing --server parameters", presumably because the end of my CA cert is missing.
Running on a Linksys EA6700
Firmware Version: DD-WRT v3.0-r40559 std (08/06/19)
Kernel Version: Linux 4.4.187 #650 SMP PREEMPT Tue Aug 6 11:38:46 +04 2019 armv7l
Thank you in advance for your help!
Like my fellow forum members already noted, this can be the 32k NVRAM bug, so check your NVRAM on the Status/Router page.
If this is your problem, see my signature at the bottom of this page for the EA6900 setup guide with some tricks to lower your used NVRAM.
If this is not the case then start a new thread stating your problem, router model, build, network setup, and pictures of your OVPN settings page and OVPN Status page.
I figured it had something to do with the NVRAM. I have 25 kB in use. I'll try the tricks in your guide. If it doesn't work I have a Kong build that I will try to install. If all else fails I found a cheap EA8500 on sale that I'll have to buy and hope for the best!
Thanks for your responses, everyone! And thank you egc for your great tutorial!!
Posted: Thu Sep 26, 2019 16:48 Post subject: Firewall rule disconnected my router?
Hi,
I was working through this guide (as an absolute newbie, so forgive me if I misinterpreted something obvious) and I got to Step 8 which says:
<SNIP>
Step- 8a Setting up the Firewall
A lot of guides have redundant firewall rules; in the case of firewall rules, less is more.
Actually you do not need any rules to make a connection, but if you want your client to have an outside/internet connection when "Redirect Default Gateway" is enabled, then you have to add the rule described below.
iptables -t nat -A POSTROUTING -o $(nvram get wan_ifname) -j MASQUERADE
Click on the "Administration" tab in the DD-WRT GUI, and then on the "Commands" tab. Copy the following code, and paste the contents into the "Commands" window.
Then click "Save Firewall".
(If you want to make this rule more specific then use:
WAN_IF="$(route -n | awk '/^0.0.0.0/{wif=$NF} END {print wif}')"
iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o $WAN_IF -j MASQUERADE)
</SNIP>
It mentions "Copy the following code" but is it referring to the previous rule:
iptables -t nat -A POSTROUTING -o $(nvram get wan_ifname) -j MASQUERADE
or was there another rule that was supposed to be included in there? I thought it was the previous rule, so I added it to my firewall and it seemed to cut traffic to my router (I'm trying to set up the router remotely from work through a system at home using RDP, and it booted me off and I can no longer connect), so I'm really not sure what that rule did or how it killed my connection. I did enable "Redirect Default Gateway" only because I saw it in the following screenshot, so I assume that I would need that rule. Did I mess something up or is there a missing rule that I was supposed to use?
Joined: 18 Mar 2014 Posts: 12917 Location: Netherlands
Posted: Thu Sep 26, 2019 17:06 Post subject: Re: Firewall rule disconnected my router?
deadeye09 wrote:
Hi,
I was working through this guide (as an absolute newbie, so forgive me if I misinterpreted something obvious) and I got to Step 8 which says:
<SNIP>
Step- 8a Setting up the Firewall
A lot of guides have redundant firewall rules; in the case of firewall rules, less is more.
Actually you do not need any rules to make a connection, but if you want your client to have an outside/internet connection when "Redirect Default Gateway" is enabled, then you have to add the rule described below.
iptables -t nat -A POSTROUTING -o $(nvram get wan_ifname) -j MASQUERADE
Click on the "Administration" tab in the DD-WRT GUI, and then on the "Commands" tab. Copy the following code, and paste the contents into the "Commands" window.
Then click "Save Firewall".
(If you want to make this rule more specific then use:
WAN_IF="$(route -n | awk '/^0.0.0.0/{wif=$NF} END {print wif}')"
iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o $WAN_IF -j MASQUERADE)
</SNIP>
It mentions "Copy the following code" but is it referring to the previous rule:
iptables -t nat -A POSTROUTING -o $(nvram get wan_ifname) -j MASQUERADE
or was there another rule that was supposed to be included in there? I thought it was the previous rule, so I added it to my firewall and it seemed to cut traffic to my router (I'm trying to set up the router remotely from work through a system at home using RDP, and it booted me off and I can no longer connect), so I'm really not sure what that rule did or how it killed my connection. I did enable "Redirect Default Gateway" only because I saw it in the following screenshot, so I assume that I would need that rule. Did I mess something up or is there a missing rule that I was supposed to use?
Thanks for pointing this out; it should be "copy the above code".
The rule is just for routing traffic coming from the VPN out via the WAN and should not hinder any normal traffic (unless you have a really strange setup).
If you can reach the router again, can you show the output (telnet/PuTTY) of the four following commands?
Code:
nvram get wan_ifname
nvram get wan_iface
echo "$(get_wanface)"
echo "$(route -n | awk '/^0.0.0.0/{wif=$NF} END {print wif}')"
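Since the question was what that rule actually does, here is an added shell example (mine, not from egc's guide or DD-WRT) that works out the WAN interface the same way the guide's awk one-liner does, run over a constructed `route -n` table, and then emits the more specific MASQUERADE rule in a form that can be re-run safely. The rule only NATs packets whose source is the VPN client subnet and that leave through the WAN interface; it never touches LAN-to-router traffic, which is why it cannot by itself cut off a local or RDP session. The interface name `vlan2`, the 10.8.0.0/24 subnet and the route table are assumptions/constructed sample data. One caveat: the `iptables -C` pre-check needs iptables 1.4.11 or newer; if the build's iptables rejects `-C`, drop that part and use the guide's plain `-I` line.

```shell
#!/bin/sh
# Added example, not from egc's guide or DD-WRT. Shows what the Step 8a
# firewall rule does: NAT traffic arriving from the VPN tunnel that leaves
# through the WAN interface, so VPN clients get internet access when
# "Redirect Default Gateway" is on. LAN and router-admin traffic is untouched.

wan_if_from_route() {
    # stdin: output of `route -n`. The default route (destination 0.0.0.0)
    # names the WAN interface in its last column; keep the last such line.
    awk '/^0\.0\.0\.0[ \t]/ {wif=$NF} END {print wif}'
}

masq_rule() {
    # $1: VPN client subnet, $2: WAN interface. The -C check asks whether the
    # rule is already present so that re-running the firewall script after
    # another "Apply" does not stack a duplicate copy of it.
    printf 'iptables -t nat -C POSTROUTING -s %s -o %s -j MASQUERADE 2>/dev/null || ' "$1" "$2"
    printf 'iptables -t nat -I POSTROUTING -s %s -o %s -j MASQUERADE\n' "$1" "$2"
}

# Constructed `route -n` output (not a capture) for a router whose WAN is
# vlan2 and whose OpenVPN server sits on tun2, as in this thread.
ROUTE_SAMPLE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         203.0.113.1     0.0.0.0         UG    0      0        0 vlan2
10.8.0.0        0.0.0.0         255.255.255.0   U     0      0        0 tun2
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
203.0.113.0     0.0.0.0         255.255.255.0   U     0      0        0 vlan2'

WAN_IF=$(printf '%s\n' "$ROUTE_SAMPLE" | wan_if_from_route)
RULE=$(masq_rule 10.8.0.0/24 "$WAN_IF")
echo "WAN interface: $WAN_IF"
echo "$RULE"
# On the router the printed line is what goes into the Commands box before
# "Save Firewall"; to apply it on the spot instead:
#   eval "$(masq_rule 10.8.0.0/24 "$(nvram get wan_ifname)")"
```

If `nvram get wan_ifname`, `get_wanface` and the route lookup all agree (vlan2 here), the generic `-o $(nvram get wan_ifname)` form and the `-s 10.8.0.0/24` form pick the same interface; the latter is simply the tighter rule because it will not NAT anything that did not come from the VPN subnet.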
Interesting, it looks like my router was locked up. I've seen that happen a couple of times now since I flashed DDWRT. Whenever I save a change, it just dies.
Anyway, the output for all three of those commands was vlan2
Is that correct? I don't think I have a very strange setup. I don't have that much experience when it comes to networking (hence why I was using your guide) so if I have something odd in my setup, it's purely unintentional.
Joined: 18 Mar 2014 Posts: 12917 Location: Netherlands
Posted: Fri Sep 27, 2019 7:09 Post subject:
deadeye09 wrote:
Interesting, it looks like my router was locked up. I've seen that happen a couple of times now since I flashed DDWRT. Whenever I save a change, it just dies.
Anyway, the output for all three of those commands was vlan2
Is that correct? I don't think I have a very strange setup. I don't have that much experience when it comes to networking (hence why I was using your guide) so if I have something odd in my setup, it's purely unintentional.
VLAN2 is OK for a normal setup, so that is not the problem.
When you save changes (depending on what) the router rebuilds things like firewall and routing, so yes, it "dies" momentarily; that is normal behaviour.
For some things (OpenVPN among them) and on some routers you have to apply twice (probably a timing issue).
If you are connected locally it is not a problem (you do not need the routing function to connect locally when you are already connected), but if you are setting up a router from remote, then that can get you into trouble.
_________________
Routers: Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3, XR300: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read): https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
Oh, when I meant it "died" it was dead. Not just momentarily. I had to go home and power-cycle it hours later to get it back up. The wife was not impressed not having WiFi for the day.
I've tried re-applying several times and rebooting as well and I'm still stuck at the "TLS Error: TLS key negotiation failed to occur within 60 seconds" error. I got to this step using another guide I found online that was somewhat similar to yours, but I'm still stumped on this step and everything I read online says it's my router (firewall or some setting blocking traffic) but I don't think I have anything that would be doing that. The other guide had different firewall rules than you recommended (shown here), but they didn't seem to make any difference for me:
Just out of curiosity (thinking that maybe my IT department at my work was blocking VPN traffic), I tried to connect using my phone going over the cellular network and it still failed.
So the issue is definitely with the router blocking VPN traffic. I just have no idea how.
Joined: 18 Mar 2014 Posts: 12917 Location: Netherlands
Posted: Fri Sep 27, 2019 16:33 Post subject:
The OpenVPN server is by default on tun2 and takes care of the necessary firewall rules, so the rules from the other guide will not be helping.
(From the guide: "A lot of existing guides are obsolete or wrong" (but this guide is also not perfect).)
From your firewall rules I get the impression that you are also running a VPN client; when you are using Policy Based Routing (which you probably are, seeing your rules) that is not a problem.
But you can not use a VPN server and client on the same router without PBR.
The TLS error you are seeing indicates you have a network problem: your phone/client can not reach your server.
Be sure to do a reboot and if you still have the error check if you can reach your network.
From the troubleshooting document:
Quote:
Make sure to reboot the router after changing!
TLS Error: TLS key negotiation failed to occur within 60 seconds
Server is not reachable:
• Check server address/DDNS
• Check DDNS,
• Check port,
• Check Port Forward if server is not on the primary router.
• Check /disable firewall
• Sometimes an ISP blocks often-used ports; check with your ISP and/or use TCP port 443, which is not blocked.
• Older DD-WRT versions block UDP ports when SFE is enabled
No, I haven't set up a VPN client on this router, but I was planning on it (to obfuscate my traffic from my ISP) in the future. I didn't know that I couldn't run OpenVPN server on this router AND connect to a third-party VPN service and run a client as well. That's good to know. What is PBR, so that I could investigate a way to do it (as I would like to go down that path, but getting a remote VPN connection to my home is the more important task for me right now)?
Which rules indicate that I was running a VPN client/policy-based routing? I have the rule that you recommended in the guide, two rules to block my Hikvision cameras from sending any data to the internet (don't want anything going back to China that shouldn't) and one that drops all traffic from an IP that kept hammering my router trying to find a vulnerability.
So, I turned on logging and checked out the messages log and tried to connect again and got this:
Dec 31 21:25:04 <SERVER_NAME> daemon.notice openvpn[7233]: <CLIENT_WAN_IP>:60766 TLS: Initial packet from [AF_INET]<CLIENT_WAN_IP>:60766, sid=30cd9bd2 8243b63c
Dec 31 21:25:04 <SERVER_NAME> daemon.err openvpn[7233]: <CLIENT_WAN_IP>:60766 VERIFY ERROR: depth=1, error=certificate is not yet valid: C=CA, ST=<MYPROVINCE>, L=<MYCITY>, O=REMOTECorp, OU=REMOTENet, CN=REMOTEVPNCA, name=REMOTEVPN, emailAddress=<MY_EMAIL@ADDRESS.COM>
Dec 31 21:25:04 <SERVER_NAME> daemon.err openvpn[7233]: <CLIENT_WAN_IP>:60766 OpenSSL: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
Dec 31 21:25:04 <SERVER_NAME> daemon.err openvpn[7233]: <CLIENT_WAN_IP>:60766 TLS_ERROR: BIO read tls_read_plaintext error
Dec 31 21:25:04 <SERVER_NAME> daemon.notice openvpn[7233]: <CLIENT_WAN_IP>:60766 NOTE: --mute triggered...
Dec 31 21:25:04 <SERVER_NAME> daemon.notice openvpn[7233]: <CLIENT_WAN_IP>:60766 2 variation(s) on previous 3 message(s) suppressed by --mute
Dec 31 21:25:04 <SERVER_NAME> daemon.notice openvpn[7233]: <CLIENT_WAN_IP>:60766 SIGUSR1[soft,tls-error] received, client-instance restarting
I removed any identifying data, but it looks like it's able to connect to the router, but has an issue with the certificate? I'm also not sure why the date is showing December as I updated my NTP settings. Could the incorrect date be why it may not think the certificate is YET valid?
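Added example (mine, not from the thread or from OpenVPN): a small triage over the server log lines posted above. Two things in that log are worth separating. "TLS: Initial packet from ..." means the client's packet did arrive, so the "server unreachable" checklist no longer applies; and "VERIFY ERROR: depth=1, error=certificate is not yet valid" means the certificate at depth 1, i.e. the issuing CA rather than the client cert itself, has a notBefore date later than the router's current time. A syslog timestamp of "Dec 31" with no year is consistent with a clock that never synced and is still sitting near the Unix epoch (1970-01-01 00:00 UTC is the evening of Dec 31 1969 in North American time zones), which is the usual reason a freshly made CA is "not yet valid". The script classifies each line and also checks whether the clock where it runs is at least past the firmware build date quoted in the first post (2019-08-06); the sample lines are the ones from the post with the placeholders kept as posted.

```shell
#!/bin/sh
# Added example, not from this thread or OpenVPN. Triage of OpenVPN server
# log lines: tells "server unreachable" apart from "client reached the server
# but its certificate was rejected", and flags the clock cause behind
# "certificate is not yet valid".

triage_openvpn_log() {
    # stdin: syslog lines from the openvpn server; prints one finding per
    # line that matters, nothing for lines it does not recognise.
    while IFS= read -r line; do
        case "$line" in
            *"VERIFY ERROR"*"certificate is not yet valid"*)
                echo "clock: server time is earlier than the certificate's notBefore; check date/NTP" ;;
            *"VERIFY ERROR"*"certificate has expired"*)
                echo "clock-or-cert: certificate expired, or the server clock is far ahead" ;;
            *"VERIFY ERROR"*)
                echo "cert: ${line#*VERIFY ERROR: }" ;;
            *"TLS key negotiation failed to occur"*)
                echo "reach: no handshake at all; check DDNS, port, forwarding, ISP blocking" ;;
            *"TLS: Initial packet from"*)
                echo "reach: ok, client packet arrived from ${line#*from }" ;;
        esac
    done
}

clock_plausible() {
    # Returns 0 when the system clock is later than the firmware build date
    # given in the first post (2019-08-06 00:00 UTC = 1565049600). A router
    # whose NTP sync failed sits near the Unix epoch and fails this check.
    [ "$(date +%s)" -ge 1565049600 ]
}

# Sample lines taken from the post above (placeholders kept as posted).
LOG_SAMPLE='Dec 31 21:25:04 <SERVER_NAME> daemon.notice openvpn[7233]: <CLIENT_WAN_IP>:60766 TLS: Initial packet from [AF_INET]<CLIENT_WAN_IP>:60766, sid=30cd9bd2 8243b63c
Dec 31 21:25:04 <SERVER_NAME> daemon.err openvpn[7233]: <CLIENT_WAN_IP>:60766 VERIFY ERROR: depth=1, error=certificate is not yet valid: C=CA, ST=<MYPROVINCE>, L=<MYCITY>, O=REMOTECorp, OU=REMOTENet, CN=REMOTEVPNCA, name=REMOTEVPN, emailAddress=<MY_EMAIL@ADDRESS.COM>
Dec 31 21:25:04 <SERVER_NAME> daemon.err openvpn[7233]: <CLIENT_WAN_IP>:60766 OpenSSL: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed'

printf '%s\n' "$LOG_SAMPLE" | triage_openvpn_log
if clock_plausible; then
    echo "clock: plausible (after the build date)"
else
    echo "clock: not set (before the build date); fix NTP before touching the certs"
fi
```

Run on the router over `/var/log/messages` (or the syslog target you enabled), a "reach: ok" line followed by a "clock:" line says the network path is fine and the remaining problem is time, so the order of fixes is: get `date` right (NTP server reachable, or set it by hand once), reboot, then retry the client before regenerating any certificate.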