DD-WRT Config confusion WRT3200ACM

DD-WRT Forum Index -> Advanced Networking
sue
DD-WRT Novice


Joined: 07 Apr 2021
Posts: 15

PostPosted: Wed Apr 07, 2021 22:04    Post subject: DD-WRT Config confusion WRT3200ACM
Dear DD-WRT people, please help me. I have spent weeks trying to get the DD-WRT config settings correct, yet to no avail.
I bought a Linksys WRT3200ACM: https://www.linksys.com/us/support-product?pid=01t340000046sOsAAI

I then downloaded factory-to-ddwrt.bin from here: https://download1.dd-wrt.com/dd-wrtv2/downloads/betas/2021/04-03-2021-r46259/linksys-wrt3200acm/

I followed the idiot's guide from DD-WRT and the download was perfectly executed, which I was most pleased about.
I followed ExpressVPN's instructions on their website for all VPN settings etc., yet their instructions did not 100% match reality, as my DD-WRT settings had things which ExpressVPN seemed unaware of, such as CVE-2019-14899 Mitigation (in the on position), for example. Anyway, from here: https://www.expressvpn.tv/no/support/vpn-setup/manual-config-for-dd-wrt-router-with-openvpn/
I think all that went well; however, I have got lost and confused with many settings, and after countless days searching on here and online I just don't seem to be able to get the answers I need.

The issue is that the VPN/OpenVPN doesn't work, and it's down to me not understanding basic stuff or the firmware settings and how they should be, etc.

1. Is there any full and complete idiot's guide showing each setting, what it's for and whether I should apply said setting or not? I would love to understand all the settings on DD-WRT and whether I should use them or not.

2. If no for the above, then would someone be kind enough to help me figure out how to get out of this mess I'm in and get up and running, please.

I jacked in via wire direct to the VPN router, then the VPN router connected direct to the ISP router via CAT6a, and ISP internet works, so I found a script online and inserted it into DD-WRT to act as a kill switch and it worked, so now I'm jacked into the DD-WRT GUI page yet with no internet.

I seem to be confused especially with the bridged or unbridged option. I did select unbridged, as I have tried to set up a guest as WLAN1.1, which I intend to keep isolated from WLAN1, as I intend to use WLAN1.1 for all my wifi CCTV stuff and WLAN1 for all my more sensitive computer stuff, yet I'm not sure whether any of that would cause me to not have any VPN action.

P.S. I know less than nothing about DNS, DDNS, IP etc., so I feel it could be something there missing. I did follow YT guides in all the videos I could find and copied accordingly, yet still I'm confused.

VPN = Linksys Router = 192.168.1.1
I did also manually input a Gateway somewhere of 255.255.255.0
I have no idea if I should be inserting any of my existing ISP fibre IP, DNS, DDNS or indeed anything from them, as I only intend to use the said VPN router with ExpressVPN; thus I want my existing ISP router to just be in bridge mode, which I intend to do once I get DD-WRT set up correctly.

P.P.S. I have had a Netgear VPN router for some years on Tomato and now the ExpressVPN app firmware, so I do know the odd thing, but I am a newbie.

_________________
Thanks, Sue
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 9157

PostPosted: Wed Apr 07, 2021 23:05
You know what I see here? Someone trying to do TOO MUCH all at once! Esp. if you're a newb to dd-wrt. Solve *one* problem at a time! Do NOT proceed further until something works as expected. And once it does work, make a backup before proceeding w/ any additional changes. Put aside trivial matters like DDNS, kill switches, etc. Otherwise you will remain overwhelmed.

For the time being, all you should do is reset the dd-wrt router to factory defaults, daisy-chain it behind the primary router (worry about bridging the existing primary router for later) WAN to LAN respectively, using a different IP network (e.g., if the primary is 192.168.1.1/24, perhaps make it 192.168.2.1/24), and just verify it all works. Forget about all the rest for now.

_________________
ddwrt-ovpn-split-basic.sh (UPDATED!) * ddwrt-ovpn-split-advanced.sh (UPDATED!) * ddwrt-ovpn-client-killswitch.sh * ddwrt-ovpn-client-watchdog.sh * ddwrt-ovpn-remote-access.sh * ddwrt-ovpn-client-backup.sh * ddwrt-mount-usb-drives.sh * ddwrt-blacklist-domains.sh * ddwrt-wol-port-forward.sh * ddwrt-dns-monitor.sh (NEW!)
sue
DD-WRT Novice


Joined: 07 Apr 2021
Posts: 15

PostPosted: Thu Apr 08, 2021 13:47
Thanks for your kind reply; resetting, however, still presents the same issues and questions I initially raised, as I still can't figure it out.
In any event I made a list of my settings for easy reading, as I'm sure I'm just getting IP, Gateway, DNS, DDNS etc. all wrong, as I know that I don't know what to put where for sure, which I hope helps.

I think that my existing Nighthawk VPN router IP is the same as my new Linksys VPN router, yet when the new Linksys router has been fully set up then I unplug the existing one, or do I need to resolve it now to set up the new one due to a conflict or something? For now I have been disconnecting one router to try the new router, as I don't know if or where or how to change the new VPN router's IP, mainly.

Here is a log of how my DD-WRT looks on a page where I'm sure the settings will be wrong; hopefully someone can easily see how I messed up.

WAN SETUP
Connection Type = Auto Config DHCP
Ignore WAN DNS = UNCHECKED
Use VLAN Priority = UNCHECKED
--------------------------------------------------------------------
OPTIONAL SETTINGS
Router Name = DD-WRT
Hostname = EMPTY
Domain Name = EMPTY
MTU = AUTO 1500
Shortcut Forwarding Engine = DISABLED
STP = DISABLED
--------------------------------------------------------------------
NETWORK SETUP
Local IP Address = 192.168.1.1 (this is the IP of the Linksys VPN router hub where I access it from a browser)
Gateway = 255.255.255.0 (this was a guess)
Local DNS = 0.0.0.0 (I don't know if I should be using ExpressVPN or ISP DNS here or nothing) (I checked online for what DNS the ISP uses and it's 194.168.400 apparently, but I'm confused, as I want VPN only, and if I insert ISP DNS then does that not cancel out the VPN tunnel with ExpressVPN, I'm thinking.)
--------------------------------------------------------------------
NETWORK ADDRESS SERVER SETTINGS (DHCP)
DHCP Type = DHCP Server
DHCP Server = Enabled

egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12877
Location: Netherlands

PostPosted: Thu Apr 08, 2021 14:08
Usually it works if you follow the advice of @eibgrad :)

Your local IP address should be different from your primary router e.g. 192.168.2.1

That is the only thing you must change after you have done a reset, all things you have changed are wrong.

So to recap:
Reset to defaults
change local IP address from 192.168.1.1 to 192.168.2.1

That is basically all

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
sue
DD-WRT Novice


Joined: 07 Apr 2021
Posts: 15

PostPosted: Thu Apr 08, 2021 14:27
How do I soft reset all settings to default, and do I need to know any ISP details at all for the DD-WRT router, such as its gateway or suchlike?
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 9157

PostPosted: Thu Apr 08, 2021 15:02
sue wrote:
how do i soft reset all settings to default


Administration->Factory Defaults

Quote:
do i need to know any ISP details at all for the DD-WRT Router such as its gateway or such like?


No. Do exactly as @egc suggested in his last post. Resist the temptation to overthink it.

sue
DD-WRT Novice


Joined: 07 Apr 2021
Posts: 15

PostPosted: Thu Apr 08, 2021 20:26    Post subject: I feel stupid and dumb
Well, firstly, can I start by giving a massive thanks for all the help here. I am so glad you stuck with me and further persisted in directly forcing me to serve the objective, as I presented a mess, then started to get lost and confused, and even with my long story I didn't take anyone off at a tangent here, as you were correct, and you were more so correct to frankly speak out, as my ego seemed to be holding me back from following your extremely simple instructions. However, when I did manage to set aside my ego and blindly follow your basic instructions of simply starting all over and not playing around etc., well, it all fired up good. Thanks is too undervalued for me to show you my appreciation, but thank you.

However, even though I am up and running and have checked for leaks and all is good, I must say that I have come across a few concerning settings and am confused about what to do here.

SERVICES - VPN - CVE-2019-14899 Mitigation = is on but i think it should be off for best safety?

TLS Key choice = TLS Crypt or TLS Auth ?

SETUP - BASIC SET UP - Optional Settings =
Shortcut Forwarding Engine = Enable or Disable?
STP = Enable or Disable?

Network Address Server Settings (DHCP) =
Use DNSMasq for DNS ?
DHCP-Authoritative ?
Recursive DNS Resolving (Unbound) ?
Forced DNS Redirection ?

802.1x = Enable or Disable ?

VPN Passthrough = Enable or Disable ?
IPSec Passthrough = Enable or Disable ?
PPTP Passthrough = Enable or Disable ?
L2TP Passthrough = Enable or Disable ?

WIRELESS - BASIC SETTINGS
TurboQAM (QAM256) support = Enable or Disable ?
Allow Channel Overlapping = Enable OR Disable ?
Multicast To Unicast = Enable or Disable ?
Network Configuration = Unbridged or Bridged ?

Radio Time Restrictions =
Radio Scheduling = Enable or Disable ?

My next move, as you kindly suggested, is to set up only one SSID (2.4 GHz) broadcast on WLAN1,
and then set up WLAN1.1 (2.4 GHz) as a guest, isolated completely from the WLAN1 SSID broadcast,

and add a kill switch.

eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 9157

PostPosted: Thu Apr 08, 2021 21:52
Most of the time, the default settings are what they are for a good reason, since they represent what will work best for most ppl under most situations. That doesn't mean there won't be exceptions. But for the most part, leave well enough alone until you run into a problem which can only be resolved by making a change to those defaults. Once everything is up and running, then you can consider changing some of those defaults for the purposes of "fine tuning".

Personally, I tend to turn off the mitigations since most are protections against rather obscure and difficult-to-exploit vulnerabilities. At the very least, do NOT enable them during initial configuration because they often tend to break things (if they didn't, they wouldn't be exposed in the GUI in the first place; they'd simply be implemented under the covers). They're usually enabled by default because the router is trying to err on the side of caution, no matter how unlikely it is the vulnerability can be exploited. But once things are working, if you then decide to enable them, and something breaks, then at least you know what broke it!

As of the moment, if the router is providing basic connectivity, I suggest you create a backup, then get the OpenVPN client working, if for no other reason than I also use ExpressVPN and I can tell you exactly what is needed to configure it.

eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 9157

PostPosted: Thu Apr 08, 2021 22:16
P.S. Here's my personal dd-wrt OpenVPN config w/ ExpressVPN. Obviously I've obscured the username/password. And I'm using the Salt Lake City server, but use whatever you prefer.

https://imgur.com/a/QkNl9be

Btw, AFAIK, ExpressVPN does NOT support TCP tunnels w/ the router, only UDP. TCP is only supported w/ their own OpenVPN client apps.

eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 9157

PostPosted: Thu Apr 08, 2021 23:13
Once the OpenVPN client is working, create another backup, and then you can implement the kill switch (which goes in the firewall script).

Code:
# Pick the WAN interface off the default route
WAN_IF="$(ip route | awk '/^default/{print $NF}')"
# Refuse to forward LAN (br0) traffic straight out of the WAN; the tunnel stays the only exit
iptables -I FORWARD -i br0 -o "$WAN_IF" -j REJECT


I've also created a script for these same purposes (see my signature). It has the advantage of working both w/ and w/o PBR (policy based routing) in the OpenVPN client. But for the simple case of having everything routed over the VPN, the two line script above is sufficient.

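Sue asks further down whether the br0 kill switch still covers an unbridged guest AP such as WLAN1.1, and the two-line script above only names br0. The following is an added example written for this thread (it is not eibgrad's script and not part of DD-WRT) that extends the same idea: one REJECT rule per LAN-side interface, plus a guest-to-LAN block. The interface names br0, wlan1.1 and the `ip route` output format are assumptions for a WRT3200ACM; confirm yours with `ip link` and `ip route` on the router before pasting anything into Administration -> Commands -> Firewall.

```shell
#!/bin/sh
# Added example (not eibgrad's script, not DD-WRT code): a kill switch that
# covers more than one LAN-side interface, plus guest isolation for an
# unbridged guest AP. br0 (private LAN bridge) and wlan1.1 (guest AP) are
# assumed names; check `ip link` on your router.

# Print the interface of the default route from an `ip route` listing on
# stdin. It looks for the word after "dev" instead of taking the last field,
# so trailing attributes such as "proto static metric 10" do not break it.
wan_if_from_routes() {
    awk '/^default/ { for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Emit one REJECT rule per LAN interface so forwarded traffic can never leave
# through the WAN directly; the only remaining way out is the VPN tunnel.
# Rules are printed rather than applied so they can be reviewed first
# (or piped straight into sh on the router).
killswitch_rules() {
    wan="$1"; shift
    for lan in "$@"; do
        printf 'iptables -I FORWARD -i %s -o %s -j REJECT\n' "$lan" "$wan"
    done
}

# Keep the guest interface and the private LAN apart in both directions.
# An unbridged guest AP sits on its own subnet, but the router would still
# route between the two subnets without these rules.
guest_isolation_rules() {
    guest="$1"; lan="$2"
    printf 'iptables -I FORWARD -i %s -o %s -j REJECT\n' "$guest" "$lan"
    printf 'iptables -I FORWARD -i %s -o %s -j REJECT\n' "$lan" "$guest"
}

# Apply everything when run on the router as `sh killswitch.sh apply`;
# without the argument only the functions are defined.
if [ "${1:-}" = "apply" ]; then
    WAN_IF="$(ip route | wan_if_from_routes)"
    [ -n "$WAN_IF" ] || { echo "no default route found" >&2; exit 1; }
    killswitch_rules "$WAN_IF" br0 wlan1.1 | sh
    guest_isolation_rules wlan1.1 br0 | sh
fi
```

Two caveats worth knowing before relying on this. First, both scripts read the WAN interface off the `default` route, which is only correct while the OpenVPN client uses the split "def1" style redirect (two /1 routes over the tunnel, WAN default left in place); if the client replaces the default route outright, WAN_IF would come back as the tunnel interface and the rule would block the VPN instead of the WAN. Second, these are FORWARD rules: they stop LAN clients from bypassing the tunnel but do nothing about traffic the router itself originates, so dnsmasq's upstream DNS queries still go wherever the router's WAN DNS points unless you also handle that.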
sue
DD-WRT Novice


Joined: 07 Apr 2021
Posts: 15

PostPosted: Fri Apr 09, 2021 12:37
eibgrad wrote:
P.S. Here's my personal dd-wrt OpenVPN config w/ ExpressVPN.

https://imgur.com/a/QkNl9be

Thanks for that screenshot; very interesting, as if you go onto the ExpressVPN website and follow their instructions for installing ExpressVPN on DD-WRT, they state one should use certain settings, and your screenshots don't match their instructions. Is this because you know better than them or missed the video? I don't understand.
Here is the said video: https://www.expressvpn.com/support/vpn-setup/manual-config-for-dd-wrt-router-with-openvpn/

My published settings as posted above directly follow ExpressVPN, for your quick reference.
In particular, regarding your settings, I'm pointing out:
first, second and third data cipher: ExpressVPN don't cover that, and my DD-WRT came pre-configured on those 3 points as
First = 128 CBC
Second = 256-GCM
Third = 128-CBC
As these 3 were like this I left them, but in yours the second and third boxes look empty, which confuses me; maybe all three should be empty. I really don't get that section, nor why your config is different from mine when we are both on ExpressVPN.

Tunnel UDP Fragment in your settings is not as ExpressVPN state it should be, as it should be 1450, so does that mean that your network is in some way now more vulnerable, as you don't have what they state you should have, or can we just put anything in there? Again, I don't get it.
Same thing regarding your Tunnel UDP MSS-Fix setting.

In any event, I am fully up and running as said above with VPN, but I still need to set up the VPS correctly isolated and understand those above-listed settings I posted, to know if I need to readjust any.

sue
DD-WRT Novice


Joined: 07 Apr 2021
Posts: 15

PostPosted: Fri Apr 09, 2021 12:43
eibgrad wrote:
Once the OpenVPN client is working, create another backup, and then you can implement the kill switch (which goes in the firewall script).

Code:
WAN_IF="$(ip route | awk '/^default/{print $NF}')"
iptables -I FORWARD -i br0 -o $WAN_IF -j REJECT


I've also created a script for these same purposes (see my signature). It has the advantage of working both w/ and w/o PBR (policy based routing) in the OpenVPN client. But for the simple case of having everything routed over the VPN, the two line script above is sufficient.

Would it not make more sense to save the backup only after the script has been inserted, so that said script is saved if there is an issue later?

Also, I notice br0 talk in the script, yet I was planning to set up a VPS, i.e. a guest, and isolate said guest from the non-guest network (I think it's called unbridging or something), so I thought one may need to do that pre-kill-switch command, as br0 for me may well end up being WLAN1.1 from what I see, or have I thought wrong on that?

Lastly, and regardless of the chronologically necessary approach being achieved, would it also not be best to set up the guest, kill switch etc. and then back up? If not, why?

sue
DD-WRT Novice


Joined: 07 Apr 2021
Posts: 15

PostPosted: Fri Apr 09, 2021 12:48
eibgrad wrote:
Most of the time, the default settings are what they are for a good reason, since they represent what will work best for most ppl under most situations. That doesn't mean there won't be exceptions. But for the most part, leave well enough alone until you run into a problem which can only be resolved by making a change to those defaults. Once everything is up and running, then you can consider changing some of those defaults for the purposes of "fine tuning".

Personally, I tend to turn off the mitigations since most are protections against rather obscure and difficult to exploit vulnerabilities. At the very least, do NOT enable them during initial configuration because they often tend to break things (if they didn't, they wouldn't be exposed in the GUI in the first place, they'd simply be implemented under the covers). They're usually enabled by default because the router is trying to error on the side of caution, no matter how unlikely it is the vulnerability can be exploited. But once things are working, if you then decide to enable them, and something breaks, then at least you know what broke it!

As of the moment, if the router is providing basic connectivity, I suggest you create a backup, then get the OpenVPN client working, if for no other reason than I also use ExpressVPN and I can tell you exactly what is needed to configure it.

How does one learn every setting on DD-WRT? I mean, is there not a specific key reference idiot's guide where it states the option, explains what the option is for and further lists situations when one should use it and why, etc.?

sue
DD-WRT Novice


Joined: 07 Apr 2021
Posts: 15

PostPosted: Fri Apr 09, 2021 12:56
I have updated my current settings here to how they currently are; everything is working, VPN included, and checked:

WAN SETUP
Connection Type = Auto Config DHCP
Ignore WAN DNS = UNCHECKED
Use VLAN Priority = UNCHECKED
-----------------------------------------------------
OPTIONAL SETTINGS
Router Name = DD-WRT
Hostname = EMPTY
Domain Name = EMPTY
MTU = AUTO 1500
Shortcut Forwarding Engine = ENABLED
STP = DISABLED
-----------------------------------------------------
NETWORK SETUP
Local IP Address = 192.168.2.1/24 (this is the IP of the LinksysVPN Router Hub where i access it from a browser)
Gateway = 0.0.0.0
Local DNS = 0.0.0.0
-----------------------------------------------------
NETWORK ADDRESS SERVER SETTINGS (DHCP)
DHCP Type = DHCP Server
DHCP Server = Enabled
Start Ip Address = 192.168.2.100
Use DNSMasq for DNS = ON
DHCP-Authoritative = ON
Recursive DNS Resolving (Unbound) = OFF
Forced DNS Redirection = OFF
NTP Client = ON

Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6435
Location: UK, London, just across the river..

PostPosted: Fri Apr 09, 2021 13:47
sue wrote:
How does one learn every setting on DD-WRT, i mean, is there not a specific key reference idiots guide where it states the option, explains what the option is for and further lists situations when one should use it and why etc?


Hmmm, I learned them the hard way, bit by bit, one bit at a time: Google, forums, self-education...
In my case there was no "pour all da juice in ma brain at once" situation; it takes patience, time and understanding... plus effort.

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55779 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913

