Posted: Tue Jan 15, 2019 19:24 Post subject: OpenVPN server setup on WRT1200AC [solved]
Hi,
I hate to create a new thread since this topic already has several similar threads actively running, but I'm unable to make my configuration work, and could use help finding what I've done wrong.
I have a home LAN that I'd like to be able to access remotely. Right now I use forwarded ports, which is messy to maintain in the GUI and doesn't model my usage well (my home services are exposed to the internet, but only I use them). So I'd like to set up a VPN; I've used openvpn as a client previously, and it was recommended over PPTP, so it became my choice for a server. And since I already have a relatively powerful WRT1200AC, I decided to try hosting the VPN from there.
The first step was to update dd-wrt. The router is now at version v3.0-r38155 std (12/31/18).
After following the easyrsa instructions I had a ca.crt, ca.key, server.cert, server.key, client.cert, client.key, dh.pem, and made a ta.key in the course of troubleshooting.
I used the dd-wrt gui to set up openvpn server, with this resulting config file (copied over ssh):
Code:
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
keepalive 10 120
verb 3
mute 3
syslog
writepid /var/run/openvpnd.pid
management 127.0.0.1 14
management-log-cache 100
topology subnet
script-security 2
port 1194
proto udp4
cipher aes-256-cbc
auth sha256
client-connect /tmp/openvpn/clcon.sh
client-disconnect /tmp/openvpn/cldiscon.sh
client-config-dir /tmp/openvpn/ccd
comp-lzo no
tls-server
ifconfig-pool-persist /tmp/openvpn/ip-pool 86400
client-to-client
fast-io
tun-mtu 1500
mtu-disc yes
server 10.10.31.0 255.255.255.0
dev tun2
openvpn runs successfully, and I can see it with `ps`.
Server log:
Code:
20190115 12:33:34 W WARNING: Using --management on a TCP port WITHOUT passwords is STRONGLY discouraged and considered insecure
20190115 12:33:34 I OpenVPN 2.4.6 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Dec 31 2018
20190115 12:33:34 I library versions: OpenSSL 1.1.1a 20 Nov 2018 LZO 2.09
20190115 12:33:34 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:14
20190115 12:33:34 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
20190115 12:33:34 Diffie-Hellman initialized with 2048 bit key
20190115 12:33:34 I TUN/TAP device tun2 opened
20190115 12:33:34 TUN/TAP TX queue length set to 100
20190115 12:33:34 D do_ifconfig tt->did_ifconfig_ipv6_setup=0
20190115 12:33:34 I /sbin/ifconfig tun2 10.10.31.1 netmask 255.255.255.0 mtu 1500 broadcast 10.10.31.255
20190115 12:33:34 Socket Buffers: R=[180224->180224] S=[180224->180224]
20190115 12:33:34 I UDPv4 link local (bound): [AF_INET][undef]:1194
20190115 12:33:34 I UDPv4 link remote: [AF_UNSPEC]
20190115 12:33:34 MULTI: multi_init called r=256 v=256
20190115 12:33:34 IFCONFIG POOL: base=10.10.31.2 size=252 ipv6=0
20190115 12:33:34 IFCONFIG POOL LIST
20190115 12:33:34 I Initialization Sequence Completed
20190115 12:39:20 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20190115 12:39:20 D MANAGEMENT: CMD 'state'
20190115 12:39:20 MANAGEMENT: Client disconnected
20190115 12:39:20 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20190115 12:39:20 D MANAGEMENT: CMD 'state'
20190115 12:39:20 MANAGEMENT: Client disconnected
20190115 12:39:20 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20190115 12:39:20 D MANAGEMENT: CMD 'state'
20190115 12:39:20 MANAGEMENT: Client disconnected
20190115 12:39:20 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20190115 12:39:20 MANAGEMENT: Client disconnected
20190115 12:39:20 NOTE: --mute triggered...
20190115 12:39:20 1 variation(s) on previous 3 message(s) suppressed by --mute
20190115 12:39:20 D MANAGEMENT: CMD 'status 2'
20190115 12:39:20 MANAGEMENT: Client disconnected
20190115 12:39:20 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20190115 12:39:20 D MANAGEMENT: CMD 'status 2'
20190115 12:39:20 MANAGEMENT: Client disconnected
20190115 12:39:20 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20190115 12:39:20 D MANAGEMENT: CMD 'log 500'
20190115 12:39:20 MANAGEMENT: Client disconnected
20190115 13:14:21 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20190115 13:14:21 D MANAGEMENT: CMD 'state'
20190115 13:14:21 MANAGEMENT: Client disconnected
20190115 13:14:21 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20190115 13:14:21 D MANAGEMENT: CMD 'state'
20190115 13:14:21 MANAGEMENT: Client disconnected
20190115 13:14:21 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20190115 13:14:21 D MANAGEMENT: CMD 'state'
20190115 13:14:21 MANAGEMENT: Client disconnected
20190115 13:14:21 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20190115 13:14:21 MANAGEMENT: Client disconnected
20190115 13:14:21 NOTE: --mute triggered...
20190115 13:14:21 1 variation(s) on previous 3 message(s) suppressed by --mute
20190115 13:14:21 D MANAGEMENT: CMD 'status 2'
20190115 13:14:21 MANAGEMENT: Client disconnected
20190115 13:14:21 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20190115 13:14:21 D MANAGEMENT: CMD 'status 2'
20190115 13:14:21 MANAGEMENT: Client disconnected
20190115 13:14:21 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20190115 13:14:21 D MANAGEMENT: CMD 'log 500'
I have this client configuration:
Code:
$ cat ovpn.conf
client
verb 6
mute 3
float
remote 'me.com' 1194
ca '/etc/openvpn/client/ca.crt'
cert '/etc/openvpn/client/client.crt'
key '/etc/openvpn/client/client.key'
cipher AES-256-CBC
;comp-lzo adaptive
comp-lzo no
tun-mtu 1500
dev tun
proto udp4
auth sha256
remote-cert-tls server
;tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
;tls-auth '/etc/openvpn/client/ta.key' 1
;tls-client
nobind
auth-nocache
;script-security 2
persist-key
persist-tun
When I try to connect, I get TLS errors:
Code:
Tue Jan 15 12:34:00 2019 us=873613 WARNING: file '/etc/openvpn/client/client.key' is group or others accessible
Tue Jan 15 12:34:00 2019 us=873686 Current Parameter Settings:
Tue Jan 15 12:34:00 2019 us=873700 config = 'ovpn.conf'
Tue Jan 15 12:34:00 2019 us=873709 mode = 0
Tue Jan 15 12:34:00 2019 us=873718 NOTE: --mute triggered...
Tue Jan 15 12:34:00 2019 us=873742 278 variation(s) on previous 3 message(s) suppressed by --mute
Tue Jan 15 12:34:00 2019 us=873754 OpenVPN 2.4.6 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 24 2018
Tue Jan 15 12:34:00 2019 us=873777 library versions: OpenSSL 1.1.1a 20 Nov 2018, LZO 2.10
Enter Private Key Password: ****************
Tue Jan 15 12:34:04 2019 us=351922 Control Channel MTU parms [ L:1622 D:1212 EF:38 EB:0 ET:0 EL:3 ]
Tue Jan 15 12:34:04 2019 us=632228 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Tue Jan 15 12:34:04 2019 us=632351 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1570,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-client'
Tue Jan 15 12:34:04 2019 us=632379 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1570,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-server'
Tue Jan 15 12:34:04 2019 us=632412 TCP/UDP: Preserving recently used remote address: [AF_INET][ip]:1194
Tue Jan 15 12:34:04 2019 us=632467 Socket Buffers: R=[212992->212992] S=[212992->212992]
Tue Jan 15 12:34:04 2019 us=632490 UDPv4 link local: (not bound)
Tue Jan 15 12:34:04 2019 us=632511 UDPv4 link remote: [AF_INET][ip]:1194
Tue Jan 15 12:34:04 2019 us=632590 UDPv4 WRITE [14] to [AF_INET][ip]:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Tue Jan 15 12:34:06 2019 us=795918 UDPv4 WRITE [14] to [AF_INET][ip]:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Tue Jan 15 12:34:10 2019 us=38958 UDPv4 WRITE [14] to [AF_INET][ip]:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Tue Jan 15 12:34:19 2019 us=34576 NOTE: --mute triggered...
Tue Jan 15 12:35:04 2019 us=816469 2 variation(s) on previous 3 message(s) suppressed by --mute
Tue Jan 15 12:35:04 2019 us=816553 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Jan 15 12:35:04 2019 us=816577 TLS Error: TLS handshake failed
Tue Jan 15 12:35:04 2019 us=816787 TCP/UDP: Closing socket
Tue Jan 15 12:35:04 2019 us=816872 SIGUSR1[soft,tls-error] received, process restarting
Tue Jan 15 12:35:04 2019 us=816933 Restart pause, 5 second(s)
The TLS error seems to indicate I cannot reach the router. I know that the URL resolves to the correct IP, because I am able to reach the forwarded ports. And I've read that the iptables rules in the wiki are outdated, but that's the only thing I could think of that would keep the client from reaching the server.
I'd appreciate any help troubleshooting this. Please let me know if I've left pertinent information out.
Last edited by Szellem on Fri May 17, 2019 21:42; edited 1 time in total
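The client log above is the key diagnostic: at verb 6 every packet on the link is logged, and the only link lines present are `UDPv4 WRITE` retransmits of the client hard reset, with no `UDPv4 READ` before the 60-second timeout. That pattern means the server never answered, so certificates, ciphers and MTU are not yet in play. The script below is an added example (not from the thread, and not part of OpenVPN) that applies that reading mechanically to a client log and separates "nothing came back" from the two other common handshake failures. The sample log lines are constructed to resemble the post's output; `203.0.113.10` is a placeholder address, and the message strings matched are the ones OpenVPN 2.4 emits.

```python
import re

# Constructed sample shaped like the client log in the post (verb 6):
# three hard-reset retransmits, nothing ever read back, then the 60 s timeout.
SAMPLE_NO_REPLY = """\
Tue Jan 15 12:34:04 2019 us=632590 UDPv4 WRITE [14] to [AF_INET]203.0.113.10:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Tue Jan 15 12:34:06 2019 us=795918 UDPv4 WRITE [14] to [AF_INET]203.0.113.10:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Tue Jan 15 12:34:10 2019 us=38958 UDPv4 WRITE [14] to [AF_INET]203.0.113.10:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Tue Jan 15 12:35:04 2019 us=816553 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Jan 15 12:35:04 2019 us=816577 TLS Error: TLS handshake failed
"""

# Constructed sample of a different failure: packets do come back, but this
# side has tls-auth configured and the peer's packets carry no matching HMAC.
SAMPLE_HMAC = """\
Tue Jan 15 12:40:01 2019 us=1 UDPv4 WRITE [14] to [AF_INET]203.0.113.10:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Tue Jan 15 12:40:01 2019 us=2 UDPv4 READ [26] from [AF_INET]203.0.113.10:1194: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 [ ] pid=0 DATA len=0
Tue Jan 15 12:40:01 2019 us=3 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]203.0.113.10:1194
"""

# Link-level lines are only logged at verb >= 4; the peer field is lazy so the
# trailing ': P_...' opcode is not swallowed into the address.
LINK_RE = re.compile(r"UDPv4 (WRITE|READ) \[\d+\] (?:to|from) (\S+?): (P_\w+)")


def triage(log_text):
    """Classify a failed OpenVPN client handshake from its log text."""
    writes = reads = 0
    peers = set()
    initial_packet = hmac_error = verify_error = timeout = completed = False
    for line in log_text.splitlines():
        m = LINK_RE.search(line)
        if m:
            direction, peer, _opcode = m.groups()
            peers.add(peer)
            if direction == "WRITE":
                writes += 1
            else:
                reads += 1
        # At verb 3 there are no READ lines; this message is the first sign
        # that a server packet arrived at all.
        if "TLS: Initial packet from" in line:
            initial_packet = True
        if "cannot locate HMAC in incoming packet" in line:
            hmac_error = True
        if "VERIFY ERROR" in line:
            verify_error = True
        if "TLS key negotiation failed to occur within" in line:
            timeout = True
        if "Initialization Sequence Completed" in line:
            completed = True

    if completed:
        verdict = "ok"
    elif hmac_error:
        verdict = "hmac_mismatch"
    elif verify_error:
        verdict = "cert_verify"
    elif writes and not reads and not initial_packet and timeout:
        verdict = "no_reply"
    else:
        verdict = "unknown"
    return {"verdict": verdict, "writes": writes, "reads": reads,
            "peers": sorted(peers)}


# Suggested next step per verdict (the author's own checklist, not OpenVPN's).
ADVICE = {
    "no_reply": "No packet came back: check that the name resolves to the WAN "
                "address, that the router accepts udp/1194 on the WAN "
                "interface, and that openvpn is bound there. Certificates "
                "are not involved yet.",
    "hmac_mismatch": "Packets arrive but fail the control-channel HMAC: "
                     "tls-auth with the same ta.key and opposite key "
                     "directions on both sides, or on neither.",
    "cert_verify": "The peer certificate failed validation: check ca.crt and "
                   "the certificate's key usage.",
    "ok": "Tunnel came up.",
    "unknown": "No recognised signature; re-run the client with verb 4 or higher.",
}


if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NO_REPLY
    result = triage(text)
    print(result)
    print(ADVICE[result["verdict"]])
```

Run it as `openvpn --config ovpn.conf 2>&1 | python3 triage.py` (or feed a saved log on stdin); with no stdin it triages the built-in sample. For the log in the post it reports `no_reply`, which is the reachability question the poster already suspected, and which the server log confirms independently: nothing from the client's address ever appears there.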
Thanks, I gave that a shot but it didn't seem to work.
Changed "Tunnel MTU setting" on the dd-wrt gui to 1400, and hit save, then 'apply' to restart the service (is that right?). Then changed tun-mtu to 1400 on my client config.
Code:
$ sudo openvpn --config ovpn.conf
[sudo] password for user:
Tue Jan 15 14:27:38 2019 us=227267 WARNING: file '/etc/openvpn/client/client.key' is group or others accessible
Tue Jan 15 14:27:38 2019 us=227576 Current Parameter Settings:
Tue Jan 15 14:27:38 2019 us=227597 config = 'ovpn.conf'
Tue Jan 15 14:27:38 2019 us=227614 mode = 0
Tue Jan 15 14:27:38 2019 us=227634 NOTE: --mute triggered...
Tue Jan 15 14:27:38 2019 us=227665 278 variation(s) on previous 3 message(s) suppressed by --mute
Tue Jan 15 14:27:38 2019 us=227682 OpenVPN 2.4.6 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 24 2018
Tue Jan 15 14:27:38 2019 us=227709 library versions: OpenSSL 1.1.1a 20 Nov 2018, LZO 2.10
Enter Private Key Password: ****************
Tue Jan 15 14:27:42 2019 us=368924 WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 1400)
Tue Jan 15 14:27:42 2019 us=369070 Control Channel MTU parms [ L:1522 D:1212 EF:38 EB:0 ET:0 EL:3 ]
Tue Jan 15 14:27:42 2019 us=460034 Data Channel MTU parms [ L:1522 D:1450 EF:122 EB:389 ET:0 EL:3 ]
Tue Jan 15 14:27:42 2019 us=460169 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1470,tun-mtu 1400,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-client'
Tue Jan 15 14:27:42 2019 us=460196 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1470,tun-mtu 1400,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-server'
Tue Jan 15 14:27:42 2019 us=460226 TCP/UDP: Preserving recently used remote address: [AF_INET]:1194
Tue Jan 15 14:27:42 2019 us=460283 Socket Buffers: R=[212992->212992] S=[212992->212992]
Tue Jan 15 14:27:42 2019 us=460305 UDPv4 link local: (not bound)
Tue Jan 15 14:27:42 2019 us=460326 UDPv4 link remote: [AF_INET]:1194
Tue Jan 15 14:27:42 2019 us=460409 UDPv4 WRITE [14] to [AF_INET]:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Tue Jan 15 14:27:44 2019 us=567746 UDPv4 WRITE [14] to [AF_INET]:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Tue Jan 15 14:27:48 2019 us=784306 UDPv4 WRITE [14] to [AF_INET]:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Tue Jan 15 14:27:56 2019 us=389265 NOTE: --mute triggered...
Tue Jan 15 14:28:42 2019 us=803284 2 variation(s) on previous 3 message(s) suppressed by --mute
Tue Jan 15 14:28:42 2019 us=803368 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Jan 15 14:28:42 2019 us=803392 TLS Error: TLS handshake failed
Tue Jan 15 14:28:42 2019 us=803553 TCP/UDP: Closing socket
Tue Jan 15 14:28:42 2019 us=803618 SIGUSR1[soft,tls-error] received, process restarting
Tue Jan 15 14:28:42 2019 us=803668 Restart pause, 5 second(s)
^CTue Jan 15 14:28:44 2019 us=372177 SIGINT[hard,init_instance] received, process exiting
I don't quite know what you mean by 1400 being wrong. Should I change back to 1500?
And thanks for the heads up about compression. That thread doesn't seem to have a clear resolution though. I just checked and both my systems are using version 2.4.6, so that would mean I should use "--compress lz4"? The dd-wrt config's "--comp-lzo" was generated by the GUI, is there a way for me to change that?
Once you do get this to work, may I suggest using a more obscure port that will be less likely to be targeted by "script-kiddies".
Thanks, I'll have to go back through and refresh on the iptables situation.
eibgrad wrote:
JMTC.
Make sure whenever you're establishing an OpenVPN configuration that you use the *simplest* config possible. Don't add things that are optional (e.g., tls-auth), because it just creates another point of failure. KEEP IT SIMPLE! Once you have a working connection, THEN you can fuss and tweak it all you like.
One thing I've noticed about these connection failures from the OpenVPN client is that we never see the OpenVPN server logs! At the very least, we can tell if the OpenVPN client is reaching the OpenVPN server (even if it ultimately fails). And hopefully it will tell us more.
On the OpenVPN server side, all you need beyond the basic GUI elements is to push the local network on which the OpenVPN server is running over to the OpenVPN client, by adding the following directive in Additional Config.
Code:
push "route 192.168.1.0 255.255.255.0"
Of course, I'm just using 192.168.1.x as an example. Use whatever network is on the server side.
If you're doing anything more than that, you're making a mistake. Less is more! Time and again I see people get into trouble because they *over* configure the OpenVPN server and/or client.
Also, when it comes to compression, if the two sides are mismatched, they usually get connected, but no traffic can cross the tunnel. But from the perspective of the OpenVPN client logs, it doesn't seem to be getting connected at all.
Thanks for the suggestions! What you said about the simplest config makes sense, so I gave that a try and was able to make a connection! It's with the static key though, so I still need to go back and do the PKI stuff again.
The configs provided on that page did not work for me, so I adjusted them:
Server:
Code:
# cat static.conf
dev tun
ifconfig 10.8.0.1 10.8.0.2
secret static.key
proto udp4
verb 3
Client:
Code:
$ cat static.conf
remote my.url
dev tun
ifconfig 10.8.0.2 10.8.0.1
secret static.key
proto udp4
float
And I can ping:
Code:
$ ping 10.8.0.1
PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
64 bytes from 10.8.0.1: icmp_seq=1 ttl=64 time=292 ms
64 bytes from 10.8.0.1: icmp_seq=2 ttl=64 time=237 ms
64 bytes from 10.8.0.1: icmp_seq=3 ttl=64 time=244 ms
^C
--- 10.8.0.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 5ms
rtt min/avg/max/mdev = 236.894/257.685/292.153/24.551 ms
But the server still shows some errors while the connection is ongoing:
Code:
# openvpn --config static.conf
Fri May 17 08:51:21 2019 disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
Fri May 17 08:51:21 2019 OpenVPN 2.4.6 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Dec 31 2018
Fri May 17 08:51:21 2019 library versions: OpenSSL 1.1.1a 20 Nov 2018, LZO 2.09
Fri May 17 08:51:21 2019 Outgoing Static Key Encryption: Cipher 'BF-CBC' initialized with 128 bit key
Fri May 17 08:51:21 2019 WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Fri May 17 08:51:21 2019 Outgoing Static Key Encryption: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri May 17 08:51:21 2019 Incoming Static Key Encryption: Cipher 'BF-CBC' initialized with 128 bit key
Fri May 17 08:51:21 2019 WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Fri May 17 08:51:21 2019 Incoming Static Key Encryption: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri May 17 08:51:21 2019 TUN/TAP device tun0 opened
Fri May 17 08:51:21 2019 TUN/TAP TX queue length set to 100
Fri May 17 08:51:21 2019 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Fri May 17 08:51:21 2019 /sbin/ifconfig tun0 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
Fri May 17 08:51:21 2019 Socket Buffers: R=[180224->180224] S=[180224->180224]
Fri May 17 08:51:21 2019 UDPv4 link local (bound): [AF_INET][undef]:1194
Fri May 17 08:51:21 2019 UDPv4 link remote: [AF_UNSPEC]
Fri May 17 08:51:24 2019 Peer Connection Initiated with [AF_INET]ip:55116
Fri May 17 08:51:24 2019 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Fri May 17 08:51:24 2019 Initialization Sequence Completed
Fri May 17 08:54:04 2019 Authenticate/Decrypt packet error: packet HMAC authentication failed
Fri May 17 08:54:06 2019 Authenticate/Decrypt packet error: packet HMAC authentication failed
Fri May 17 08:54:07 2019 Authenticate/Decrypt packet error: packet HMAC authentication failed
Fri May 17 08:54:08 2019 Authenticate/Decrypt packet error: packet HMAC authentication failed
Fri May 17 08:54:14 2019 Authenticate/Decrypt packet error: packet HMAC authentication failed
Fri May 17 08:54:18 2019 Authenticate/Decrypt packet error: packet HMAC authentication failed
Fri May 17 08:54:19 2019 Authenticate/Decrypt packet error: packet HMAC authentication failed
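The static-key pair above works, but the server log shows why it should not be left as is: with no `cipher` or `auth` line, OpenVPN 2.4 falls back to BF-CBC and SHA1, and the "disabling NCP mode" line means nothing is negotiated in `--secret` mode, so both ends have to be told the same algorithms explicitly. The two files below are an added example (not from the thread or the dd-wrt wiki) that keeps the poster's addresses, `static.key` and `my.url` and adds only what the warnings ask for, plus the LAN route eibgrad's post describes; in static-key mode there is no `push`, so the route is set on the client. `192.168.1.0/24` is an assumed LAN, as in eibgrad's example. One thing the example also makes visible: an `auth` mismatch between the two files produces exactly the "packet HMAC authentication failed" lines seen at the end of the server log, so that error does not by itself mean the key file is wrong.

```conf
# --- static.conf on the router (server side) ---
dev tun
ifconfig 10.8.0.1 10.8.0.2
secret static.key
proto udp4
port 1194
# Replace the BF-CBC/SHA1 defaults that triggered the SWEET32 warning.
# There is no negotiation in --secret mode: both files must agree exactly.
cipher AES-256-CBC
auth SHA256
# Keep the NAT mapping alive and survive restarts without re-reading the key.
keepalive 10 120
persist-key
persist-tun
verb 3

# --- static.conf on the client ---
remote my.url 1194
dev tun
ifconfig 10.8.0.2 10.8.0.1
secret static.key
proto udp4
float
nobind
cipher AES-256-CBC
auth SHA256
keepalive 10 120
persist-key
persist-tun
# Static mode cannot push routes, so the server-side LAN (assumed
# 192.168.1.0/24 here) is routed through the tunnel from the client side.
route 192.168.1.0 255.255.255.0
verb 3
```

Before starting either side, make `static.key` readable only by its owner (`chmod 600 static.key`); the client log earlier in the thread already warned about a key that was group or world readable. For traffic to reach the LAN behind the router, the router also has to forward and masquerade for `tun0`, which is the iptables part the thread has not yet settled.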