Netgear R7000 VPN not working on DDWRT

Author Message
manchesterblack
DD-WRT User


Joined: 04 Mar 2021
Posts: 65
Location: Manchester

PostPosted: Tue Mar 16, 2021 14:08    Post subject: Netgear R7000 VPN not working on DDWRT
I have the Netgear R7000 flashed with DD-WRT v3.0-r45993 std (03/12/21). I have set up a VPN and my IP is shown when it is on. The stats show the VPN as connected and it should work, but it does not. I have tried two VPNs and the same issue occurred.
The DDWRT router is set up as an access point following the instructions here: https://wiki.dd-wrt.com/wiki/index.php/Wireless_Access_Point. It connects to the internet, but my real IP is shown.
I believe the reason my IP is exposed is because it is set up as an AP; however, I am not an expert and do not see why it should not work.
My VPN is PIA.

_________________
Netgear R7000
DD-WRT DD-WRT v3.0-r50595 std (10/23/22)
Manchester
Enable dnsmasq- Yes
Encrypt DNS- NO
DNSCrypt Resolver- No Using Smart DNS
Cache DNSSEC Data- Yes
Validate DNS Replies (DNSSEC)- NO
Check Unsigned DNS Replies- NO
No DNS Rebind- Enable
Query DNS in Strict Order- Enable
Add Requestor MAC to DNS Query- Disable
RFC4039 Rapid Commit Support- Enable
Maximum Cached Entries- 1500

Smart DNS - YES

server-https https://9.9.9.9/dns-query
server-tls 9.9.9.9:853 -host-name: dns.quad9.net
server-tls 5.2.75.75:853 -host-name: dot.nl.ahadns.net
server-https https://1.1.1.1/dns-query

Additional VPN Configuration-
pull-filter ignore "dhcp-option DNS6 "
pull-filter ignore "dhcp-option DNS "

Dnsmasq Additional Options

server=/pool.ntp.org/9.9.9.9
server=/pool.ntp.org/1.0.0.1
server=/adquard-dns.com/9.9.9.9


BrainSlayer wrote:
we just do it since we do not like any restrictions enforced by stupid cocaine snorting managers
blkt
DD-WRT Guru


Joined: 20 Jan 2019
Posts: 5700

PostPosted: Tue Mar 16, 2021 14:13
OpenVPN Private Internet Access client setup for NextGen by egc

OpenVPN 2.5 by egc

OpenVPN guides and documentation by egc

Advanced Networking and stickies
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12889
Location: Netherlands

PostPosted: Tue Mar 16, 2021 14:31
You did not show a screenshot of the OVPN/Status page (not more than 768 pixels width per forum rules!!). That can be helpful in troubleshooting.

@blkt already steered you in the right direction to setup for PIA.

That should get you a good connection to PIA.

But as you have set it up as a WAP, only clients which have that WAP as their gateway will use the VPN; alternatively, if you make an unbridged VAP (radio) on the WAP, that will use the VPN by default.
Other clients will just bypass the WAP and thus bypass the VPN.

Take note: setting up unbridged VAPs on a WAP needs some special settings.

I will move this thread to the Advanced Networking forum.

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087


Last edited by egc on Tue Mar 16, 2021 18:05; edited 1 time in total
manchesterblack
DD-WRT User


Joined: 04 Mar 2021
Posts: 65
Location: Manchester

PostPosted: Tue Mar 16, 2021 17:51
1. I tried the method by egc; I lost connection.
2. Logs are attached.
3. I did not quite understand this comment or what exactly to do: "But as you have setup on a WAP only clients which have that WAP as gateway will use the VPN or if you make an unbridged VAP (radio) on the WAP. That will use the VPN by default. Other clients will just bypass the WAP and thus bypass the VPN."

I am not an expert, so kindly give me clear direction on what to change so I can try.
I also do not understand why there are so many errors but the VPN is shown as connected.
Thank you.

egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12889
Location: Netherlands

PostPosted: Tue Mar 16, 2021 18:29
You said you tried my method; I am not sure what you mean by that, you have to elaborate on it :)

On first glance I see one ERROR that is about IPv6.
You do not have IPv6 running so you can discard that.
But if you use udp4 instead of udp under Tunnel protocol it should stop trying to connect with IPv6 (there can be still some warnings left).

The router is connected but your clients do not go through the router as it is a WAP (which is acting as a switch), so they are also not going through the VPN.
Your clients use your primary router and not the WAP.

Your clients have IP settings like their IP address, DNS server and gateway.
In your client, set the gateway pointing to the WAP instead of the primary router. Then your clients will start using the WAP and are pushed through the VPN.
Later, if that is working and your primary router supports DNSMasq, you can automate this process.

Also like I said if you make an unbridged VAP on the WAP that will also use the VPN by default.

If this sounds really complicated, then you might want to consider running the VPN on your primary router, or, instead of setting your router up as a WAP, just use it as a normal router, so daisy-chaining the two routers; then everything attached to that router will go through the router and thus through the VPN. Of course that has other drawbacks.

Unfortunately I am tied up at this moment so I hope someone can walk you through.



Last edited by egc on Wed Mar 17, 2021 11:12; edited 1 time in total
manchesterblack
DD-WRT User


Joined: 04 Mar 2021
Posts: 65
Location: Manchester

PostPosted: Wed Mar 17, 2021 17:33
I tried what egc recommended as well as the guides for PIA on here, but I could not get it to work. I have also posted the logs. I would be able to use this DDWRT router as the main router, but with the settings required as below I am not sure where to insert them. I would appreciate it if someone could help with getting the VPN working on this router as an AP, as well as with where I should insert the settings below. I can then buy a modem and use it directly:

Username We use automated network authentication so there is no need for a username. You can leave this blank.
Password We use automated network authentication so there is no need for a password. You can leave this blank.
Transfer Mode/Loop Encaps PTM
VLAN ID 101
MTU 1500
DNS Set as automatic (or similar)
Priority 0
Authentication DHCP/IPoE

manchesterblack
DD-WRT User


Joined: 04 Mar 2021
Posts: 65
Location: Manchester

PostPosted: Sat Apr 03, 2021 19:57
@egc, you are wrong. The gateway is set to the main router, which is 192.168.1.1.
The DDWRT router is 192.168.1.11.

eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 9157

PostPosted: Sun Apr 04, 2021 5:00
As @egc suggests, if you want all or some of your LAN clients to be routed through the OpenVPN client when the router is configured as a WAP, those same clients have to be configured to have the WAP as their default gateway.

Putting that aside for the moment, it's NOT clear if you even have the OpenVPN client working. The references to IPv6 are troubling. The router is only capable of dealing w/ IPv4 when it comes to OpenVPN. For those reasons, add the following directives to the Additional Config field.

Code:
proto udp4
pull-filter ignore "ifconfig-ipv6"
pull-filter ignore "route-ipv6"


Note, you only need the 'proto udp4' directive if that's otherwise not available in the Tunnel Protocol field of the GUI. I know some older builds only had udp/tcp.

Other than the above, I generally recommend you avoid any other directives in that field, since more often than not it's unnecessary and will either be benign if you're lucky, or will override some other directive already being managed by the router and cause a conflict if you're unlucky.

That said, there's always the possibility there's an exception. But in general, less is more. And only consider more when less doesn't work!

From the syslog, despite these IPv6 issues, it looks like the OpenVPN client got connected anyway, and the IPv4 routes were set correctly. So the above directives should at least get rid of the warning messages.

However, one problem I see is there is no traffic across the tunnel (TUN/TAP reads/writes are 0!). But I can't tell if that's because there's been no attempt to communicate across the tunnel, or there's an issue w/ compression.

A common problem is having the compression settings between the client and server mismatched; thus each is using a different language and they can't communicate. From the syslog, it appears the server is pushing 'comp-lzo no' (which disables compression), but you have it set to Adaptive on the client. Try changing the client to No as well.

If the router is connected to the OpenVPN server and functioning normally, you should be able to login into the router using a shell (telnet/ssh) and see the public IP of the VPN using the following command.

Code:
wget -qO - http://ipinfo.io/ip


ALL of these things need to be configured properly and tested *before* even considering whether you can get LAN clients to use that WAP as their default gateway.

_________________
ddwrt-ovpn-split-basic.sh (UPDATED!) * ddwrt-ovpn-split-advanced.sh (UPDATED!) * ddwrt-ovpn-client-killswitch.sh * ddwrt-ovpn-client-watchdog.sh * ddwrt-ovpn-remote-access.sh * ddwrt-ovpn-client-backup.sh * ddwrt-mount-usb-drives.sh * ddwrt-blacklist-domains.sh * ddwrt-wol-port-forward.sh * ddwrt-dns-monitor.sh (NEW!)
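As an added example (not code from the thread, from eibgrad or from DD-WRT), the checks eibgrad and egc describe above turned into small POSIX/busybox-sh functions run over constructed samples: an OpenVPN client status block with zero TUN/TAP counters, a syslog PUSH_REPLY line pushing 'comp-lzo no', and a client's 'ip route' output still pointing at the primary router. The 192.168.1.1/192.168.1.11 addresses are the ones manchesterblack posted; the tunnel addresses, DNS server and client IP in the samples are made up.

```shell
#!/bin/sh
# Added example (not code from the thread): POSIX/busybox-sh checks for the
# three conditions discussed above. All inputs are constructed samples.

# Constructed OpenVPN client status output (the counters DD-WRT's OVPN status
# page shows): control channel bytes flow, TUN/TAP bytes stay at zero.
SAMPLE_STATUS='OpenVPN STATISTICS
Updated,2021-04-04 05:00:00
TUN/TAP read bytes,0
TUN/TAP write bytes,0
TCP/UDP read bytes,5120
TCP/UDP write bytes,4096
END'

# Constructed syslog line carrying the options the server pushed.
SAMPLE_PUSH="openvpn[1234]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.0.0.243,comp-lzo no,ifconfig 10.1.2.5 255.255.255.0'"

# Constructed 'ip route' output of a LAN client whose default gateway is still
# the primary router (192.168.1.1) instead of the WAP (192.168.1.11).
SAMPLE_ROUTE='default via 192.168.1.1 dev eth0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50'

# Print one status counter by its label, e.g. "TUN/TAP read bytes".
counter() { printf '%s\n' "$2" | awk -F, -v k="$1" '$1 == k { print $2 }'; }

# 0 when bytes have crossed the tun interface, 1 when both counters are zero
# (connected, but nothing is using the tunnel).
tunnel_carries_traffic() {
    rx=$(counter "TUN/TAP read bytes" "$1"); tx=$(counter "TUN/TAP write bytes" "$1")
    [ "${rx:-0}" -gt 0 ] || [ "${tx:-0}" -gt 0 ]
}

# Compression mode the server pushed: "no", "yes", "adaptive" (a bare comp-lzo
# means adaptive) or "none" when comp-lzo was not pushed at all.
pushed_comp_lzo() {
    printf '%s\n' "$1" | sed -n 's/.*PUSH_REPLY,//p' | tr ',' '\n' |
        awk '$1 == "comp-lzo" { print ($2 == "" ? "adaptive" : $2); f = 1 }
             END { if (!f) print "none" }'
}

# 0 when the client-side setting ($1) agrees with the pushed mode ($2).
compression_matches() { [ "$2" = "none" ] || [ "$1" = "$2" ]; }

# 0 when the default route in the 'ip route' text ($1) points at the WAP ($2).
gateway_is_wap() {
    gw=$(printf '%s\n' "$1" | awk '$1 == "default" && $2 == "via" { print $3 }')
    [ "$gw" = "$2" ]
}

# Stand-alone report over the constructed samples; every line below warns.
tunnel_carries_traffic "$SAMPLE_STATUS" || echo "WARN: zero TUN/TAP bytes, tunnel is idle"
pushed=$(pushed_comp_lzo "$SAMPLE_PUSH")
compression_matches adaptive "$pushed" || echo "WARN: client is Adaptive, server pushed comp-lzo $pushed"
gateway_is_wap "$SAMPLE_ROUTE" 192.168.1.11 || echo "WARN: client gateway is not the WAP"
```

On a real router the status text comes from the file named by OpenVPN's --status directive and the route output from the LAN client itself; the functions take the text as arguments so the same checks work on captured output.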
SurprisedItWorks
DD-WRT Guru


Joined: 04 Aug 2018
Posts: 1447
Location: Appalachian mountains, USA

PostPosted: Sun Apr 04, 2021 15:08
eibgrad wrote:
If the router is connected to the OpenVPN server and functioning normally, you should be able to login into the router using a shell (telnet/ssh) and see the public IP of the VPN using the following command.

Code:
wget -qO - http://ipinfo.io/ip

Just a side note... Looks like ipinfo.io is blocked by my DNS-sinkhole adblocker, so someone out there in internetland -- I combine five block lists -- considers it a problem site. If that concerns you, here is an alternative:

wget -qO - https://airvpn.org/api/whatismyip/?format=text

Works with http also, if your wget doesn't speak https. The curl version is

curl -s https://airvpn.org/api/whatismyip/?format=text

This site gives several lines of output, of which the IP is one. (It doesn't seem to fly with http. No idea why.)

Edit: Quad9 DNS's malware filtering does not block ipinfo.io, and neither does Adguard DNS's ad-tech/malware filtering, so maybe one of my block-list sources is being a little overenthusiastic!

_________________
2x Netgear XR500 and 3x Linksys WRT1900ACSv2 on 53544: VLANs, VAPs, NAS, station mode, OpenVPN client (AirVPN), wireguard server (AirVPN port forward) and clients (AzireVPN, AirVPN, private), 3 DNSCrypt providers via VPN.
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6440
Location: UK, London, just across the river..

PostPosted: Sun Apr 04, 2021 18:57
I'm on PIA and it works flawlessly...
egc's settings work too... NextGen (lots of info there)

The PIA guide is a mess....

I can expose my settings, but you have to follow the rule set... I'm away from my router, but later or tomorrow I'll post my setup... if you are still in trouble...
Do notice I'm not running the VPN on a WAP...
Last thing... do update that R7000 to a newer build; 46259 is running fine, I'm on it at the moment...

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
manchesterblack
DD-WRT User


Joined: 04 Mar 2021
Posts: 65
Location: Manchester

PostPosted: Tue Apr 13, 2021 21:26
I managed to fix this issue. DHCP was off, and as soon as I turned it on, everything worked. I had of course to add the VPN settings, which I found on different forums and with support from the provider, and after a recent reboot of the router everything works fine. Cheers for the support.