Unable to connect to OpenVPN Server which is running DD-WRT

caledume
DD-WRT Novice


Joined: 14 Oct 2019
Posts: 3

Posted: Mon Oct 14, 2019 16:02    Post subject: Unable to connect to OpenVPN Server which is running DD-WRT
I am trying to connect to the OpenVPN server on a netgear-r6400v2. Below are the server.conf and client.conf along with the firewall config on dd-wrt. When I try to connect to the VPN server I get the error message "Bad LZO decompression header byte: 0".
As suggested on older threads, I have configured comp-lzo yes on both the server and client config; however, the error still persists. Kindly let me know how to fix this issue.

Internal Network 192.168.2.0/24
VPN Network 192.168.4.0/24

server.conf
Code:
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
keepalive 10 120
verb 5
mute 3
syslog
writepid /var/run/openvpnd.pid
management 127.0.0.1 14
management-log-cache 100
topology subnet
script-security 2
port 1194
proto udp4
cipher aes-256-cbc
auth sha256
client-connect /tmp/openvpn/clcon.sh
client-disconnect /tmp/openvpn/cldiscon.sh
client-config-dir /tmp/openvpn/ccd
comp-lzo yes
tls-server
duplicate-cn
client-to-client
fast-io
tun-mtu 1500
fragment 1390
mssfix
server 192.168.4.0 255.255.255.0
dev tun2
tls-auth /tmp/openvpn/ta.key 0
mode server
push "redirect-gateway def1"
mtu-disc yes
max-clients 25
float

client.ovpn
Code:
client
key-direction 1
remote-cert-tls server
dev tun0
tun-mtu 1500
proto udp
resolv-retry infinite
persist-key
persist-tun
float
remote xxx.xxx.xxx.xxx 1194
verb 5
keepalive 10 120
cipher aes-256-cbc
auth sha256
comp-lzo yes
auth-nocache
script-security 2
dhcp-option DNS 8.8.8.8
dhcp-option DNS 9.9.9.9
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
<ca>--CA--</ca>
<cert>--CERT--</cert>
<key>--KEY--</key>
<tls-auth>--TLS--AUTH--</tls-auth>


And I connect using the below method
sudo openvpn --config client.ovpn

This is the error message I receive
us=303466 Bad LZO decompression header byte: 0

Below is the log message on the client.
https://pastebin.com/dJC9xrUi
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 5780
Location: Netherlands

Posted: Mon Oct 14, 2019 16:56
I would not use LZO compression, disable it on the server and remove the line comp-lzo yes in the client.conf

Other things to try:

Start without using tls-auth key

Use TCP instead of UDP

See my signature at the bottom of this post for a link to an OVPN server setup guide.

Edit: Update your linux client to 2.4.7

_________________
Routers:Netgear R7800, Netgear R6400v1, Netgear R6400v2, Linksys EA6900 (XvortexCFE), Linksys E2000 (converted WRT320N), WRT54GS v1.
OpenVPN Policy Based Routing guide: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=321686
Install guide R6400v2:http://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
OpenVPN Server Setup:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318795
Install guide R7800: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Wireguard server setup guide:https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1183135
Wireguard client setup guide:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324624
Wireguard Advanced setup guide:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324787
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
caledume
DD-WRT Novice


Joined: 14 Oct 2019
Posts: 3

Posted: Tue Oct 15, 2019 6:51
egc wrote:
I would not use LZO compression, disable it on the server and remove the line comp-lzo yes in the client.conf

Other things to try:

Start without using tls-auth key

Use TCP instead of UDP

See my signature at the bottom of this post for a link to an OVPN server setup guide.

Edit: Update your linux client to 2.4.7


Thank You very much.
The link from your signature helped a lot. I am able to connect now.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 5780
Location: Netherlands

Posted: Tue Oct 15, 2019 7:10
caledume wrote:
egc wrote:
I would not use LZO compression, disable it on the server and remove the line comp-lzo yes in the client.conf

Other things to try:

Start without using tls-auth key

Use TCP instead of UDP

See my signature at the bottom of this post for a link to an OVPN server setup guide.

Edit: Update your linux client to 2.4.7


Thank You very much.
The link from your signature helped a lot. I am able to connect now.


Can you share what caused your problem?

caledume
DD-WRT Novice


Joined: 14 Oct 2019
Posts: 3

Posted: Tue Oct 15, 2019 10:24
Additional config needed to be changed, different from what has been suggested on the DD-WRT wiki link.
LZO compression is set to 'adaptive' on the server and, on the client side, just 'comp-lzo'.

Below is the config of the server
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
keepalive 10 120
verb 3
mute 3
syslog
writepid /var/run/openvpnd.pid
management 127.0.0.1 14
management-log-cache 100
topology subnet
script-security 2
port 1194
proto udp4
cipher aes-256-cbc
auth sha256
client-connect /tmp/openvpn/clcon.sh
client-disconnect /tmp/openvpn/cldiscon.sh
client-config-dir /tmp/openvpn/ccd
comp-lzo adaptive
tls-server
duplicate-cn
client-to-client
push "redirect-gateway def1"
tls-cipher TLS-RSA-WITH-AES-256-GCM-SHA384
fast-io
tun-mtu 1500
mtu-disc yes
server 192.168.4.0 255.255.255.0
dev tun2
tls-auth /tmp/openvpn/ta.key 0
ncp-disable
script-security 2
push "route 192.168.1.0 255.255.255.0 vpn_gateway"
push "dhcp-option DNS 192.168.1.15"


Below is the config of the client
client
key-direction 1
dev tun
proto udp
remote xx.xx.xx.xx 1194
nobind
persist-key
persist-tun
remote-cert-tls server
auth-nocache
verb 4
float
tun-mtu 1500
auth SHA256
cipher AES-256-CBC
comp-lzo
resolv-retry infinite
<ca></ca>
<cert></cert>
<key></key>
<tls-auth></tls-auth>


Firewall config
WAN_IF="$(route -n | awk '/^0.0.0.0/{wif=$NF} END {print wif}')"
iptables -t nat -I POSTROUTING -s 192.168.1.0/24 -o $WAN_IF -j MASQUERADE
iptables -t nat -I POSTROUTING -s 192.168.4.0/24 -o $WAN_IF -j MASQUERADE
iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT
iptables -I FORWARD 1 --source 192.168.1.0/24 -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT

Additional Dnsmasq Options
interface=tun2

With above config, I am able to connect to LAN and WAN over VPN.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 5780
Location: Netherlands

Posted: Tue Oct 15, 2019 12:16
Thanks for sharing.

For posterity some remarks:

The last four firewall rules are pointless/false

You only need the NAT rule, everything else is taken care of by DDWRT.

Compression is compromised (VORACLE crack); besides, I have done some testing and although in theory you should get a higher throughput, that seems not to hold true for our SOHO routers. OpenVPN is CPU constrained and the compression/decompression steals away valuable CPU cycles so that the net result was 0, at least with my limited testing.

LZO Compression is on the list to be deprecated (but there is discussion about this).

So I would not use compression, but that is just my opinion.

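An added example, not part of any post in this thread: a small Python check that compares a server/client OpenVPN config pair for directives that alter the data-channel packet format, and lists any compression directive still enabled. The names `parse`, `audit` and `MUST_MATCH` are hypothetical, the directive list is a deliberately short assumption, and the sample strings are excerpts of the configs posted above.

```python
# Directives that change the data-channel packet format and so must agree on
# both peers. Assumption of this example: a short list, not OpenVPN's full set.
# A directive set on only one side is reported even if it equals the default.
MUST_MATCH = ("fragment", "cipher", "auth")
COMPRESSION = ("comp-lzo", "compress")

def parse(conf):
    """Map directive -> lower-cased argument string; skip comments and inline <blocks>."""
    opts, in_block = {}, False
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("<"):
            # <ca>...</ca> material, single-line or multi-line, is never a directive
            in_block = not (line.startswith("</") or "</" in line)
            continue
        if in_block:
            continue
        name, *rest = line.split(None, 1)
        opts[name] = rest[0].lower() if rest else ""
    return opts

def audit(server_conf, client_conf):
    """Return (mismatches, compression) for a server/client config pair."""
    srv, cli = parse(server_conf), parse(client_conf)
    mismatches = {d: (srv.get(d), cli.get(d))
                  for d in MUST_MATCH if srv.get(d) != cli.get(d)}
    # Compression framing must be enabled on both sides or on neither;
    # the mode (yes / adaptive / bare) is not compared here.
    for d in COMPRESSION:
        if (d in srv) != (d in cli):
            mismatches[d] = (srv.get(d), cli.get(d))
    compression = sorted(d for d in COMPRESSION if d in srv or d in cli)
    return mismatches, compression

# Excerpts of the configs posted in the thread: first post, then the working pair.
SERVER_1 = "proto udp4\ncipher aes-256-cbc\nauth sha256\ncomp-lzo yes\nfragment 1390\nmssfix\n"
CLIENT_1 = "proto udp\ncipher aes-256-cbc\nauth sha256\ncomp-lzo yes\n<ca>--CA--</ca>\n"
SERVER_2 = "cipher aes-256-cbc\nauth sha256\ncomp-lzo adaptive\nncp-disable\n"
CLIENT_2 = "auth SHA256\ncipher AES-256-CBC\ncomp-lzo\n<ca></ca>\n"

if __name__ == "__main__":
    for label, s, c in (("first post", SERVER_1, CLIENT_1),
                        ("working pair", SERVER_2, CLIENT_2)):
        mism, comp = audit(s, c)
        print(label, "| mismatched:", mism, "| compression enabled:", comp)
```

On the first post's excerpts it reports `fragment` set only on the server; on both pairs it still lists `comp-lzo` as enabled.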