[number17]

Hi all,

Recently moved from a EA6500 to WDR4900v1, both running DD-WRT R30880.

It's a rather old release but I'm still running it cause I use OpenVPN server on the router, and it's one of the last releases where DD-WRT is not broken. (plus, it runs stable and is good enough for me)

However, since I moved to the new router, I just can't get OpenVPN server to work. The same OVPN server setting that worked fine on EA6500 don't seem to work on the new router.

Specifically, this is the strangest. Under Status -> OpenVPN ->

State
Server: CONNECTED SUCCESS
Local Address: 192.168.1.1
Remote Address:

The remote address is blank. The router itself is connected to WAN, it works perfectly fine for connectivity to WAN, but someone OpenVPN doesn't get remote address.

When I try to connect using remote client on laptop and Android phone, the client actually authenticates and connects fine to the VPN. However, I have no Internet access. When I try to ping local address (both local server and VPN server) the ping time is VERY long ... like over 1000ms ... but it pings.

Is this a bad release? Or bad config?

Here're my OVPN configs:

====

Services -> OpenVPN

OpenVPN : Enabled
Start Type: System
Config as : Server
Server mode : TUN
Network : 192.168.1.0
Mask : 255.255.255.0
Port : 443
Tun protocol : UDP
Encrypt Cipher : AES-256-CBC
Hash Algorithm : SHA1
TLS Cipher : None
LZO Comp : Adaptive
Redirect default Gateway : Enabled
Allow Client to Client : Enabled
Allow duplicate cn : Disabled
Tunnel MTU : 1500
Tunnel MDU MSS fix : Enabled

Additional Config:
push "route 192.168.0.0 255.255.255.0"
push "dhcp-option DNS 8.8.8.8"
push "redirect-gateway def1"
server 192.168.1.0 255.255.255.0

dev tun0

keepalive 10 120

=====

And Services -> Services

Additional DNSMasq Options:

domain-needed
bogus-priv

interface=tun0
listen-address=127.0.0.1

server=192.168.0.1
server=8.8.8.8

=====

Finally, firewall:

iptables -I INPUT 1 -p udp --dport 443 -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

=====

I won't post anything on the client side, because the client actually connects to the VPN server no problem. I get assigned an IP address in the 192.168.1.0/24 range, and i can also see my client connected from the router side.

I just can't access Internet (which makes sense, when I don't even get a remote IP address ... ? ) and the ping time to 192.168.1.1 and 192.168.0.1 is painfully long.


Any help is appreciated .... I can't figure out what went wrong, may be it's a release thing?

[egc]

It is a rather old build, I would research to upgrade.

For help with settings see: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318795

I would use another network for your OVPN server then 192.168.1.0, I would not use MSS fix (maybe necessary if you are using PPPoE)

I would not use dev tun0 and get rid of all the firewall rules except a NAT rule to NAT traffic out to the internet see the guide

When using a new build you probably have to redo your certificates. A lot has changed

[nufan1121]

Hi,

Hope you don't think i'm hijacking - i'm having the exact same issue on Firmware: DD-WRT v3.0-r37305 std (10/10/1. I work in I.T so i like to think i've got a fairly good grasp of what the settings should be (similar to yours other than i use a different virtual IP for openvpn).

I've followed multiple tutorials both on viscosity website and on here and i'm unable to progress any further.

Just registering my interest in this thread and happy to try and work this out with others who are impacted if it's a settings issue and not firmware related.

Cheers,

Leigh

[egc]

I am working on a troubleshooting guide but it will take some time.
OVPN server is one of the things which is not easy to setup.

One of the more common mistakes is following multiple sources and throwing everything at the router.

To get a basic OVPN configuration you do not need anything in the additional config (if you enable redirect default gateway in the GUI) and you do only need one firewall rule and this is only necessary if you want to have internet access, for connecting and browsing the local network that is not even necessary.

Of course firewall rules are necessary but DDWRT takes care of that (in recent builds). Less is more!

@nufan1121, your build is known to have issues not necessary with OVPN but consider upgrading, research the build threads.
Take a look at the guide I pointed to

[egc]

I am working on a troubleshooting guide but it will take some time.
OVPN server is one of the things which is not easy to setup.

One of the more common mistakes is following multiple sources and throwing everything at the router.

To get a basic OVPN configuration you do not need anything in the additional config (if you enable redirect default gateway in the GUI) and you do only need one firewall rule and this is only necessary if you want to have internet access, for connecting and browsing the local network that is not even necessary.

Of course firewall rules are necessary but DDWRT takes care of that (in recent builds). Less is more!

@nufan1121, your build is known to have issues not necessary with OVPN but consider upgrading, research the build threads.
Take a look at the guide I pointed to

[nufan1121]

Thank you egc, i will do just that and report back with any improvements!

Cheers,

Leigh

[nufan1121]

Thank you egc, i will do just that and report back with any improvements!

Cheers,

Leigh

[nufan1121]

Thanks egc, with your previous response tips of removing the additional config i've managed to get the remote address to show now

I'm not able to see your attachments on your other thread, are you able to provide me with a direct link to them please?

The current issue i'm facing right now is although i can connect from an external network now, there is no internet access once i'm connected, but that may be beyond the scope of this original request (which i don't wish to direct attention from.) I will continue searching the forum for my new issue.

Thanks again for your help.

[egc]

You have to log in to see the attachments but at the moment the forum seems not to work correctly, I will see If I can PM you.

In the mean time try the following firewall rule:

[nufan1121]

Hi ecg,

Still not working unfortunately, i will try to locate your PM'd guide.

In the mean time, i'm struggling to understand why port 1194 remains blocked on my router despite me opening it up. My guess is that it thinks there's no device listening on 1194 in order for the tests to resolve true, which makes me question which IP should i be forwarding to 1194, is it the router IP or the virtual IP of openvpn? I've tried a combination already and nothing works.

However, i can successfully connect on my laptop through my phones tethered Wifi to the openvpn server but without internet access - which is confusing me slightly. I assume i need to make the router aware of the openvpn clients request to access the internet but i'm unsure how to do this, have you any articles?

Cheers again.

[egc]

[number17]

Thanks, not that I don't try to use newer builds, but it seems like OpenVPN server (not client) is broken in most new releases?

If anyone has success in running OVPN server in any recent releases please let me know which one.

For most releases in 2017 or after I can't even get the OVPN server started, never mind client connection or authentication.

[egc]

I am running recent releases on a linksys E2000 and on a Netgear R6400 without a problem.
You have to regenerate your certificates when using a recent release.
If the OVPN server does not start it is mostly due to certificate problems

[Per Yngve Berg]

[nufan1121]

Thanks Per Yngve Berg, ecg,

I have finally got this working with internet access and all (and backed up the working config!). Your documents and statements were correct ecg in that you don't need additional openvpn config and minimal firewall rules. My persistant issue came from having LZO comp set to 'no' instead of 'disabled', once disabled it let my config connect with full internet access and the correct expected IP.

I eventually tested the connection with nmap rather than an external TCP test on port 1194 which helped me move forward with the troubleshooting and eventually identify the LZO comp issue.

Thanks again all.