Continue to have openvpn cyberghost issues.

spikey1973
DD-WRT Novice


Joined: 20 Feb 2017
Posts: 29

PostPosted: Mon May 27, 2019 21:02    Post subject: Continue to have openvpn cyberghost issues.
to follow on my issues that i posted in thread:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1119381&sid=4be8d6b860097789898f41b3fc44ed37

currently running:
Firmware: DD-WRT v3.0-r39855 std (05/25/19)
on tp-link tl-wr1043nd v3.

manually configured the route following the posts in the thread mentioned above.

which now gave me the following outputs on these commands.

ping 8.8.8.8:

PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: seq=0 ttl=58 time=215.131 ms
64 bytes from 8.8.8.8: seq=1 ttl=58 time=82.224 ms
64 bytes from 8.8.8.8: seq=2 ttl=58 time=98.765 ms

--- 8.8.8.8 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 82.224/132.040/215.131 ms

ping cnn.com:

PING cnn.com (151.101.129.67): 56 data bytes
64 bytes from 151.101.129.67: seq=0 ttl=59 time=82.219 ms
64 bytes from 151.101.129.67: seq=1 ttl=59 time=81.780 ms
64 bytes from 151.101.129.67: seq=2 ttl=59 time=81.885 ms

--- cnn.com ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 81.780/81.961/82.219 ms

Route:

Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 10.252.204.69 128.0.0.0 UG 0 0 0 tun1
default 192.168.1.1 0.0.0.0 UG 0 0 0 eth0
10.252.204.1 10.252.204.69 255.255.255.255 UGH 0 0 0 tun1
10.252.204.69 * 255.255.255.255 UH 0 0 0 tun1
127.0.0.0 * 255.0.0.0 U 0 0 0 lo
128.0.0.0 10.252.204.69 128.0.0.0 UG 0 0 0 tun1
192.168.0.0 * 255.255.255.0 U 0 0 0 br0
192.168.1.0 * 255.255.255.0 U 0 0 0 eth0
193.148.18.148 192.168.1.1 255.255.255.255 UGH 0 0 0 eth0

Although this now seems to be functional to the layman's eye, internet is blocked when the openvpn is activated to all machines connected to the router by utp and wireless.

as 10.252.204.69 is not my ISP's IP address i feel like the vpn is indeed up and running but that something blocks the net to my attached machines.

i tried checking with iplocation.net but that only returns the ISP address even though i entered the 10.252.204.69 in the lookup box.

the policy based field is empty.

it seems like a major step forward though.

kind regards

Matt.

ps: syslog gives some security warnings. i have posted the log here below.


Last edited by spikey1973 on Mon May 27, 2019 21:50; edited 1 time in total
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8034

PostPosted: Mon May 27, 2019 21:45
You need to enable NAT.
_________________
DD-WRT: DNS Leak Detection w/ VPNs (updated 6/5/19)
NEW SCRIPT!: ddwrt-mount-usb-drives.sh
NEW SCRIPT!: ddwrt-blacklist-domains.sh
NEW SCRIPT!: ddwrt-ovpn-remote-access.sh
NEW SCRIPT!: ddwrt-pptp-policy-based-routing.sh
spikey1973
DD-WRT Novice


Joined: 20 Feb 2017
Posts: 29

PostPosted: Mon May 27, 2019 21:48
May 27 21:42:51 r39855 user.info : pptpd : daemon successfully stopped
May 27 21:42:52 r39855 user.info : openvpn : OpenVPN daemon (Client) starting/restarting...
May 27 21:42:52 r39855 daemon.warn openvpn[5286]: WARNING: Using --management on a TCP port WITHOUT passwords is STRONGLY discouraged and considered insecure
May 27 21:42:52 r39855 daemon.warn openvpn[5286]: WARNING: file '/tmp/openvpncl/client.key' is group or others accessible
May 27 21:42:52 r39855 daemon.warn openvpn[5286]: WARNING: file '/tmp/openvpncl/credentials' is group or others accessible
May 27 21:42:52 r39855 daemon.notice openvpn[5286]: OpenVPN 2.4.7 mips-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on May 25 2019
May 27 21:42:52 r39855 daemon.notice openvpn[5286]: library versions: OpenSSL 1.1.1b 26 Feb 2019, LZO 2.09
May 27 21:42:52 r39855 daemon.notice openvpn[5288]: MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:16
May 27 21:42:52 r39855 daemon.warn openvpn[5288]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
May 27 21:42:52 r39855 daemon.warn openvpn[5288]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May 27 21:42:52 r39855 daemon.notice openvpn[5288]: TCP/UDP: Preserving recently used remote address: [AF_INET]193.148.18.149:443
May 27 21:42:52 r39855 daemon.notice openvpn[5288]: Socket Buffers: R=[87380->87380] S=[16384->16384]
May 27 21:42:52 r39855 daemon.notice openvpn[5288]: Attempting to establish TCP connection with [AF_INET]193.148.18.149:443 [nonblock]
May 27 21:42:53 r39855 daemon.notice openvpn[5288]: TCP connection established with [AF_INET]193.148.18.149:443
May 27 21:42:53 r39855 daemon.notice openvpn[5288]: TCPv4_CLIENT link local: (not bound)
May 27 21:42:53 r39855 daemon.notice openvpn[5288]: TCPv4_CLIENT link remote: [AF_INET]193.148.18.149:443
May 27 21:42:53 r39855 daemon.notice openvpn[5288]: TLS: Initial packet from [AF_INET]193.148.18.149:443, sid=15df7d41 4703ad55
May 27 21:42:53 r39855 daemon.warn openvpn[5288]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
May 27 21:42:53 r39855 daemon.notice openvpn[5288]: VERIFY OK: depth=1, C=RO, L=Bucharest, O=CyberGhost S.A., CN=CyberGhost Root CA, emailAddress=info@cyberghost.ro
May 27 21:42:53 r39855 daemon.notice openvpn[5288]: VERIFY OK: depth=0, C=RO, L=Bucharest, O=CyberGhost S.A., CN=CyberGhost VPN Server Node newyork-s13, emailAddress=info@cyberghost.ro
May 27 21:42:54 r39855 daemon.notice openvpn[5288]: Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
May 27 21:42:54 r39855 daemon.notice openvpn[5288]: [CyberGhost VPN Server Node newyork-s13] Peer Connection Initiated with [AF_INET]193.148.18.149:443
May 27 21:42:55 r39855 daemon.notice openvpn[5288]: SENT CONTROL [CyberGhost VPN Server Node newyork-s13]: 'PUSH_REQUEST' (status=1)
May 27 21:42:56 r39855 daemon.notice openvpn[5288]: PUSH: Received control message: 'PUSH_REPLY,sndbuf 393216,rcvbuf 393216,comp-lzo no,redirect-gateway def1,dhcp-option DNS 38.132.106.139,dhcp-option DNS 194.187.251.67,dhcp-option DNS 185.93.180.131,route 10.251.204.1,to
May 27 21:42:56 r39855 daemon.notice openvpn[5288]: OPTIONS IMPORT: timers and/or timeouts modified
May 27 21:42:56 r39855 daemon.notice openvpn[5288]: NOTE: --mute triggered...
May 27 21:42:56 r39855 daemon.notice openvpn[5288]: 2 variation(s) on previous 3 message(s) suppressed by --mute
May 27 21:42:56 r39855 daemon.notice openvpn[5288]: Socket Buffers: R=[331520->344064] S=[45440->344064]
May 27 21:42:56 r39855 daemon.notice openvpn[5288]: OPTIONS IMPORT: --ifconfig/up options modified
May 27 21:42:56 r39855 daemon.notice openvpn[5288]: OPTIONS IMPORT: route options modified
May 27 21:42:56 r39855 daemon.notice openvpn[5288]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
May 27 21:42:56 r39855 daemon.notice openvpn[5288]: NOTE: --mute triggered...
May 27 21:42:56 r39855 daemon.notice openvpn[5288]: 3 variation(s) on previous 3 message(s) suppressed by --mute
May 27 21:42:56 r39855 daemon.notice openvpn[5288]: Data Channel: using negotiated cipher 'AES-256-GCM'
May 27 21:42:56 r39855 daemon.notice openvpn[5288]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
May 27 21:42:56 r39855 daemon.notice openvpn[5288]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
May 27 21:42:56 r39855 daemon.notice openvpn[5288]: TUN/TAP device tun1 opened
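The syslog above shows the tunnel coming up, but the WARNING lines are worth reading as a hardening checklist rather than noise. In particular, the two VERIFY OK lines only say that the server's certificate chains to the CyberGhost root CA; "No server certificate verification method has been enabled" means nothing checks that the presented certificate is a server certificate, which is what a remote-cert-tls server directive adds. As an added example (not part of the thread and not DD-WRT code), the POSIX shell below runs over log lines of this shape and maps each warning to the directive or permission change that addresses it. The sample log is a constructed excerpt shaped like the lines above, and the function names (audit_openvpn_log, finding_count) are the example's own.

```shell
#!/bin/sh
# Added example: classify the hardening WARNINGs an OpenVPN client logs at startup.
# On a DD-WRT router the same function can be fed:  audit_openvpn_log "$(logread | grep openvpn)"

# Constructed sample, shaped like the syslog lines in the post above (not a live capture).
SAMPLE_LOG=$(cat <<'EOF'
May 27 21:42:52 r39855 daemon.warn openvpn[5286]: WARNING: Using --management on a TCP port WITHOUT passwords is STRONGLY discouraged and considered insecure
May 27 21:42:52 r39855 daemon.warn openvpn[5286]: WARNING: file '/tmp/openvpncl/client.key' is group or others accessible
May 27 21:42:52 r39855 daemon.warn openvpn[5286]: WARNING: file '/tmp/openvpncl/credentials' is group or others accessible
May 27 21:42:52 r39855 daemon.notice openvpn[5288]: MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:16
May 27 21:42:52 r39855 daemon.warn openvpn[5288]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
May 27 21:42:53 r39855 daemon.warn openvpn[5288]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
May 27 21:42:56 r39855 daemon.notice openvpn[5288]: Data Channel: using negotiated cipher 'AES-256-GCM'
EOF
)

# audit_openvpn_log LOG: one finding per line, tab-separated as "<class> <affected item> <remedy>".
# Lines without "WARNING: " are ignored; unknown warnings are passed through as "unclassified".
audit_openvpn_log() {
    printf '%s\n' "$1" | awk -F'WARNING: ' '
        NF < 2 { next }                       # no "WARNING: " on this line, nothing to report
        {
            msg = $2
            if (msg ~ /--management .*WITHOUT passwords/) {
                cls = "management-auth"; item = "management interface"
                fix = "require a password (pw-file argument of --management) or bind it to a unix socket"
            } else if (msg ~ /is group or others accessible/) {
                split(msg, p, "\047")         # \047 is the apostrophe quoting the path
                cls = "file-permissions"; item = p[2]
                fix = "chmod 600 " p[2]
            } else if (msg ~ /No server certificate verification method/) {
                cls = "server-verification"; item = "client tls options"
                fix = "add remote-cert-tls server (or verify-x509-name) so only a server-typed certificate from the CA is accepted"
            } else if (msg ~ /may cache passwords in memory/) {
                cls = "password-cache"; item = "auth-user-pass"
                fix = "add auth-nocache"
            } else {
                cls = "unclassified"; item = "-"; fix = msg
            }
            printf "%s\t%s\t%s\n", cls, item, fix
        }'
}

# finding_count LOG: number of findings audit_openvpn_log would report.
finding_count() {
    audit_openvpn_log "$1" | awk 'END { print NR }'
}

audit_openvpn_log "$SAMPLE_LOG"
```

The file-permission findings deserve a caveat for DD-WRT specifically: the files live under /tmp/openvpncl, which (as assumed here from that location) the firmware rewrites each time the client starts, so a chmod there belongs in a startup script, not in a one-off shell session. The management warning is mitigated by the 127.0.0.1 bind visible in the log, but any local process on the router can still attach to it without a password.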
spikey1973
DD-WRT Novice


Joined: 20 Feb 2017
Posts: 29

PostPosted: Mon May 27, 2019 22:47
eibgrad wrote:
You need to enable NAT.


darn i should've seen that one, completely missed that... and working. :) thank you very much!

i really appreciate your help.

about that, you mentioned a script that would block network activity if the vpn connection would drop, how is that called? so i can search for it?

Kind greats, Matt
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8034

PostPosted: Mon May 27, 2019 23:12
Add the following to the firewall script.

Code:
# block all access to WAN by clients behind router
WAN_IF="$(ip route | awk '/^default/{print $NF}')"
iptables -I FORWARD -o $WAN_IF -j REJECT

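As an added example (not eibgrad's script and not DD-WRT's own code), the POSIX shell below derives the two rules this thread ended up needing from a captured ip route listing: a MASQUERADE rule on the tunnel interface (assumed here to be the effect of the NAT setting eibgrad pointed to) and the FORWARD REJECT on the WAN interface from the post above. It reads the interface after the "dev" keyword instead of taking the last field, so it still works when ip route appends "proto static" or a metric after the interface name, and it refuses to emit anything if the 0.0.0.0/1 route pushed by redirect-gateway def1 is absent, i.e. if the VPN is not actually up. The route listing is a constructed sample shaped like the routing table in the first post; the function names are the example's own.

```shell
#!/bin/sh
# Added example: build (and optionally apply) the NAT + kill-switch rules from "ip route".
# Without arguments it prints the rules for the constructed sample; "--apply" runs them
# against the live routing table.

# Constructed sample of "ip route" while the VPN is up: redirect-gateway def1 installs the
# two /1 routes via tun1, and the real WAN default route remains on eth0.
SAMPLE_ROUTES='0.0.0.0/1 via 10.252.204.69 dev tun1
default via 192.168.1.1 dev eth0
10.252.204.1 via 10.252.204.69 dev tun1
10.252.204.69 dev tun1 scope link
128.0.0.0/1 via 10.252.204.69 dev tun1
192.168.0.0/24 dev br0 scope link src 192.168.0.1
192.168.1.0/24 dev eth0 scope link src 192.168.1.10
193.148.18.148 via 192.168.1.1 dev eth0'

# dev_of ROUTES PREFIX: interface of the first route whose first field equals PREFIX.
dev_of() {
    printf '%s\n' "$1" | awk -v want="$2" '$1 == want {
        for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit }
    }'
}

# wan_if ROUTES: the interface of the real default route. The /1 routes start with
# "0.0.0.0/1", not "default", so they never match here.
wan_if() { dev_of "$1" default; }

# vpn_if ROUTES: the interface carrying the 0.0.0.0/1 half of the redirected default.
vpn_if() { dev_of "$1" 0.0.0.0/1; }

# killswitch_rules ROUTES: print the iptables commands, one per line, instead of running
# them, so they can be reviewed or tested. Fails if either interface cannot be found.
killswitch_rules() {
    w=$(wan_if "$1")
    v=$(vpn_if "$1")
    [ -n "$w" ] || { echo "no default route found" >&2; return 1; }
    [ -n "$v" ] || { echo "VPN route 0.0.0.0/1 not present; tunnel is down" >&2; return 1; }
    # NAT LAN clients onto the tunnel address (the NAT setting from the thread).
    printf 'iptables -t nat -I POSTROUTING -o %s -j MASQUERADE\n' "$v"
    # Kill switch: forwarded traffic may never leave via the WAN interface directly.
    # While the tunnel is up it uses tun1 and is unaffected; if tun1 disappears, the
    # clients' traffic falls back to eth0 and is rejected instead of leaking.
    printf 'iptables -I FORWARD -o %s -j REJECT\n' "$w"
}

if [ "${1:-}" = "--apply" ]; then
    killswitch_rules "$(ip route)" | sh
else
    killswitch_rules "$SAMPLE_ROUTES"
fi
```

Because the REJECT rule only names the WAN interface, it keeps working after the tunnel interface number changes; the MASQUERADE rule, by contrast, is tied to the tunnel interface present at the time it was generated.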
spikey1973
DD-WRT Novice


Joined: 20 Feb 2017
Posts: 29

PostPosted: Tue May 28, 2019 15:15
Thank you so much!

can i ask additionally if, to your knowledge, there is any way to store multiple vpn profiles in dd-wrt so one (me in this case, but i doubt that i would be the only one interested) could switch easily between the profiles?
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8034

PostPosted: Tue May 28, 2019 15:30
spikey1973 wrote:
can i ask additionally if, to your knowledge, there is any way to store multiple vpn profiles in dd-wrt so one (me in this case, but i doubt that i would be the only one interested) could switch easily between the profiles?


If you mean by profile an entire configuration, as in .ovpn file, no. dd-wrt only manages one config (.ovpn) file, its own, through the GUI. But you can specify multiple remote directives.

The following is what I have in my Additional Config field.

Code:
server-poll-timeout 10
remote 91.227.222.7 5353 # United Kingdom, Cambridge
remote 91.227.222.7 5000 # United Kingdom, Cambridge
remote 69.175.85.2 5353 # United States, Chicago
remote 69.175.85.2 5000 # United States, Chicago
remote 78.46.254.48 5353 # Germany, Nuremberg
remote 78.46.254.48 5000 # Germany, Nuremberg
remote 217.147.94.149 5353 # United Kingdom, Maidenhead
remote 217.147.94.149 5000 # United Kingdom, Maidenhead
remote 178.63.171.106 5353 # Germany, Nuremberg
remote 178.63.171.106 5000 # Germany, Nuremberg
remote 178.32.250.32 5353 # United Kingdom, London
remote 178.32.250.32 5000 # United Kingdom, London
remote 173.212.205.240 5353 # Germany, Munich
remote 173.212.205.240 5000 # Germany, Munich
remote 195.154.232.143 5353 # France, Paris
remote 195.154.232.143 5000 # France, Paris
remote 51.38.95.51 5353 # United Kingdom, Gosport
remote 51.38.95.51 5000 # United Kingdom, Gosport
remote 51.38.95.36 5353 # United Kingdom, Portsmouth
remote 51.38.95.36 5000 # United Kingdom, Portsmouth
#remote 23.19.73.147 5353 # United States, Los Angeles
remote 23.19.73.147 5000 # United States, Los Angeles


I use a free OpenVPN called SecurityKISS for testing purposes. This represents all the free public servers they make available. The one commented out is the one I have specified in the Server IP/Name field of the OpenVPN client GUI.

I also use the server-poll-timeout directive to limit how long I'm willing to wait for any given server to respond. If you don't, it could be a very slow process, as it could take up to a minute before each failed attempt times out.

Of course, if you want to manage the openvpn client on the command line via scripting rather than via the GUI, anything is possible, including using multiple configuration files (.ovpn).

spikey1973
DD-WRT Novice


Joined: 20 Feb 2017
Posts: 29

PostPosted: Tue May 28, 2019 16:08
okay i don't feel like i understand what you are saying completely. i will need to dive into the topic, but that will be for a later stage.

now it is exam time, all seems to be running thanks to you guys.

thank you again!

i will be back ;)

Matt
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8034

PostPosted: Tue May 28, 2019 16:47
The Server IP/Name field in the OpenVPN client GUI maps down to the OpenVPN "remote" directive in the config file. It defines the server you intend to access. It also takes the protocol and port as optional arguments.

When you configure the OpenVPN GUI, you obviously only get to define one remote directive (indirectly via the GUI). But you can (and probably should) have additional remote directives in the Additional Config field so you have more server options than the one and only defined in the GUI.

From the OpenVPN documentation:

Quote:
--remote host [port] [proto]
Remote host name or IP address. On the client, multiple --remote options may be specified for redundancy, each referring to a different OpenVPN server. Specifying multiple --remote options for this purpose is a special case of the more general connection-profile feature. See the <connection> documentation below.

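As an added example (not eibgrad's configuration and not a DD-WRT tool), the POSIX shell below checks an Additional Config fragment of the kind shown in the earlier post before it is pasted into the GUI: every remote line is validated against the "remote host [port] [proto]" form quoted from the documentation, comment-only lines such as the one eibgrad keeps for the GUI-defined server are skipped, the distinct hosts that will be tried are listed, and the presence of server-poll-timeout is reported, since without it each unreachable server can hold up the connection for up to a minute. The sample mixes lines from eibgrad's list with constructed bad ones; the function names (lint_remotes, remote_hosts, poll_timeout) are the example's own.

```shell
#!/bin/sh
# Added example: lint the "remote" directives of an OpenVPN Additional Config fragment.
# Usage on a router or PC:  lint_remotes "$(cat additional.conf)"

# Constructed sample: the first lines follow eibgrad's list, the ones marked
# "(constructed)" were added to exercise the error paths.
SAMPLE_CONFIG=$(cat <<'EOF'
server-poll-timeout 10
remote 91.227.222.7 5353 # United Kingdom, Cambridge
remote 91.227.222.7 5000 # United Kingdom, Cambridge
remote 69.175.85.2 5353 # United States, Chicago
remote 69.175.85.2 70000 # port out of range (constructed)
remote vpn.example.invalid 1194 tcp-client # hostname plus proto (constructed)
remote 23.19.73.147 5000 udp2 # unknown proto (constructed)
#remote 23.19.73.147 5353 # United States, Los Angeles
EOF
)

# lint_remotes CONFIG: one tab-separated line per remote directive:
#   "<ok|error> <config line no> <host> <port> <reason>"
# The port defaults to 1194 when omitted, as OpenVPN itself does.
lint_remotes() {
    printf '%s\n' "$1" | awk '
        { sub(/#.*/, "") }                    # strip comments; "#remote ..." lines become empty
        $1 != "remote" { next }
        {
            reason = "ok"
            if (NF < 2 || NF > 4)
                reason = "expected: remote host [port] [proto]"
            else if (NF >= 3 && ($3 !~ /^[0-9]+$/ || $3 < 1 || $3 > 65535))
                reason = "port out of range: " $3
            else if (NF == 4 && $4 !~ /^(udp|tcp|tcp-client|udp4|tcp4|tcp4-client|udp6|tcp6|tcp6-client)$/)
                reason = "unknown proto: " $4
            printf "%s\t%d\t%s\t%s\t%s\n", (reason == "ok" ? "ok" : "error"), NR, $2,
                   (NF >= 3 ? $3 : "1194"), reason
        }'
}

# remote_hosts CONFIG: distinct hosts among the valid remote directives.
remote_hosts() {
    lint_remotes "$1" | grep '^ok' | cut -f3 | sort -u
}

# poll_timeout CONFIG: the server-poll-timeout value, or "unset" if the directive is missing.
poll_timeout() {
    printf '%s\n' "$1" | awk '
        $1 == "server-poll-timeout" { print $2; found = 1; exit }
        END { if (!found) print "unset" }'
}

lint_remotes "$SAMPLE_CONFIG"
echo "distinct hosts: $(remote_hosts "$SAMPLE_CONFIG" | wc -l | tr -d ' ')"
echo "server-poll-timeout: $(poll_timeout "$SAMPLE_CONFIG")"
```

The proto list is the set OpenVPN 2.4 accepts on a client remote line; a bare tcp is treated as tcp-client there. The linter deliberately does not resolve hostnames or probe ports, so it runs offline and reports only what the text itself gets wrong.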