[SOLVED] OpenVPN client, connected but no internet (2)

Post new topic   Reply to topic    DD-WRT Forum Index -> Advanced Networking
Author Message
urasic
DD-WRT Novice


Joined: 01 May 2022
Posts: 8

PostPosted: Mon May 02, 2022 14:39    Post subject: [SOLVED] OpenVPN client, connected but no internet (2) Reply with quote
Recently there was a similar topic, but that solution did not help me, I beg you to help. For a very long time I have not been able to set up my openvpn server and DDWRT router.

Problem:
I set up my openvpn server using the script from https://github.com/angristan/openvpn-install
The server works - when you install the configuration file, for example, in a smartphone on the same network as the router - OpenVPN works as it should.

But as soon as I set up a router on the same network, it shows CONNECTED SUCCESS, but there is no Internet on the internal network.

I have tried every possible suggestion from the troubleshooting file from EGC - nothing helped.
what i tried to do
- I changed mtu
- added mssfix
- installed udp fragment
- switched to tcp protocol

When configured on the same router on the same network, public services (for example, ExpressVPN) - everything works.

my settings and configurations:
Asus RT-AC68U C1
DD-WRT v3.0-r47528 std (10/10/21)
Kernel VersionLinux 4.4.287 #4177 SMP Sun Oct 10 04:06:45 +07 2021 armv7l


OVPN log:
Code:

May  2 16:32:04 DD-WRT user.info : [openvpn] : OpenVPN daemon (Client) starting/restarting...
May  2 16:32:04 DD-WRT user.info : [openvpn] : General Killswitch for OpenVPN enabled from OpenVPN
May  2 16:32:04 DD-WRT daemon.warn openvpn[29696]: WARNING: Using --management on a TCP port WITHOUT passwords is STRONGLY discouraged and considered insecure
May  2 16:32:04 DD-WRT daemon.warn openvpn[29696]: WARNING: file '/tmp/openvpncl/client.key' is group or others accessible
May  2 16:32:04 DD-WRT daemon.notice openvpn[29696]: OpenVPN 2.5.3 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Oct 10 2021
May  2 16:32:04 DD-WRT daemon.notice openvpn[29696]: library versions: OpenSSL 1.1.1l  24 Aug 2021, LZO 2.09
May  2 16:32:04 DD-WRT daemon.notice openvpn[29698]: MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:16
May  2 16:32:04 DD-WRT daemon.warn openvpn[29698]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May  2 16:32:04 DD-WRT daemon.notice openvpn[29698]: Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
May  2 16:32:04 DD-WRT daemon.notice openvpn[29698]: Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
May  2 16:32:04 DD-WRT daemon.notice openvpn[29698]: Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
May  2 16:32:04 DD-WRT daemon.notice openvpn[29698]: NOTE: --mute triggered...
May  2 16:32:04 DD-WRT daemon.notice openvpn[29698]: 1 variation(s) on previous 3 message(s) suppressed by --mute
May  2 16:32:04 DD-WRT daemon.notice openvpn[29698]: TCP/UDP: Preserving recently used remote address: [AF_INET]185.161.210.67:443
May  2 16:32:04 DD-WRT daemon.notice openvpn[29698]: Socket Buffers: R=[131072->131072] S=[131072->131072]
May  2 16:32:04 DD-WRT daemon.notice openvpn[29698]: Attempting to establish TCP connection with [AF_INET]185.161.210.67:443 [nonblock]
May  2 16:32:04 DD-WRT daemon.notice openvpn[29698]: TCP connection established with [AF_INET]185.161.210.67:443
May  2 16:32:04 DD-WRT daemon.warn openvpn[29698]: --mtu-disc is not supported on this OS
May  2 16:32:04 DD-WRT daemon.notice openvpn[29698]: TCP_CLIENT link local: (not bound)
May  2 16:32:04 DD-WRT daemon.notice openvpn[29698]: TCP_CLIENT link remote: [AF_INET]185.161.210.67:443
May  2 16:32:05 DD-WRT daemon.notice openvpn[29698]: TLS: Initial packet from [AF_INET]185.161.210.67:443, sid=f0b567d5 53b0a44d
May  2 16:32:05 DD-WRT daemon.notice openvpn[29698]: VERIFY OK: depth=1, CN=cn_YDWiPcaTj3aTKXJZ
May  2 16:32:05 DD-WRT daemon.notice openvpn[29698]: VERIFY KU OK
May  2 16:32:05 DD-WRT daemon.notice openvpn[29698]: NOTE: --mute triggered...
May  2 16:32:05 DD-WRT daemon.notice openvpn[29698]: 4 variation(s) on previous 3 message(s) suppressed by --mute
May  2 16:32:05 DD-WRT daemon.warn openvpn[29698]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1552', remote='link-mtu 1551'
May  2 16:32:05 DD-WRT daemon.warn openvpn[29698]: WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
May  2 16:32:05 DD-WRT daemon.notice openvpn[29698]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 256 bit EC, curve prime256v1, signature: ecdsa-with-SHA256
May  2 16:32:05 DD-WRT daemon.notice openvpn[29698]: [server_p0zbZREyttHvkltj] Peer Connection Initiated with [AF_INET]185.161.210.67:443
May  2 16:32:06 DD-WRT daemon.notice openvpn[29698]: SENT CONTROL [server_p0zbZREyttHvkltj]: 'PUSH_REQUEST' (status=1)
May  2 16:32:06 DD-WRT daemon.notice openvpn[29698]: PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,redirect-gateway def1 bypass-dhcp,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0
May  2 16:32:06 DD-WRT daemon.notice openvpn[29698]: OPTIONS IMPORT: timers and/or timeouts modified
May  2 16:32:06 DD-WRT daemon.notice openvpn[29698]: NOTE: --mute triggered...
May  2 16:32:06 DD-WRT daemon.notice openvpn[29698]: 6 variation(s) on previous 3 message(s) suppressed by --mute
May  2 16:32:06 DD-WRT daemon.notice openvpn[29698]: Using peer cipher 'AES-256-GCM'
May  2 16:32:06 DD-WRT daemon.notice openvpn[29698]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
May  2 16:32:06 DD-WRT daemon.notice openvpn[29698]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
May  2 16:32:06 DD-WRT daemon.notice openvpn[29698]: net_route_v4_best_gw query: dst 0.0.0.0
May  2 16:32:06 DD-WRT daemon.notice openvpn[29698]: net_route_v4_best_gw result: via 192.168.100.1 dev vlan2
May  2 16:32:06 DD-WRT daemon.notice openvpn[29698]: TUN/TAP device tun1 opened
May  2 16:32:06 DD-WRT daemon.notice openvpn[29698]: net_iface_mtu_set: mtu 1500 for tun1
May  2 16:32:06 DD-WRT daemon.notice openvpn[29698]: net_iface_up: set tun1 up
May  2 16:32:06 DD-WRT daemon.notice openvpn[29698]: net_addr_v4_add: 10.8.0.2/24 dev tun1
May  2 16:32:06 DD-WRT daemon.notice openvpn[29698]: net_route_v4_add: 185.161.210.67/32 via 192.168.100.1 dev [NULL] table 0 metric -1
May  2 16:32:06 DD-WRT daemon.notice openvpn[29698]: net_route_v4_add: 0.0.0.0/1 via 10.8.0.1 dev [NULL] table 0 metric -1
May  2 16:32:06 DD-WRT daemon.notice openvpn[29698]: net_route_v4_add: 128.0.0.0/1 via 10.8.0.1 dev [NULL] table 0 metric -1
May  2 16:32:06 DD-WRT daemon.warn openvpn[29698]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
May  2 16:32:06 DD-WRT daemon.notice openvpn[29698]: Initialization Sequence Completed



OVPN configuration file on the server (server.conf):
Code:

port 443
proto tcp
dev tun
user nobody
group nogroup
persist-key
persist-tun
keepalive 10 120
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
push "redirect-gateway def1 bypass-dhcp"
dh none
ecdh-curve prime256v1
tls-crypt tls-crypt.key
crl-verify crl.pem
ca ca.crt
cert server_p0zbZREyttHvkltj.crt
key server_p0zbZREyttHvkltj.key
auth SHA256
cipher AES-256-GCM
ncp-ciphers AES-256-GCM
tls-server
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
client-config-dir /etc/openvpn/ccd
status /var/log/openvpn/status.log
verb 3


Last edited by urasic on Tue May 03, 2022 14:02; edited 1 time in total
Sponsor
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 10318
Location: Netherlands

PostPosted: Mon May 02, 2022 15:17    Post subject: Reply with quote
Try
Compression: Disabled

_________________
Routers:Netgear R7800, R7000, R6400v1, R6400v2, Linksys EA8500, EA6900 (XvortexCFE), E2000 (converted WRT320N), WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
urasic
DD-WRT Novice


Joined: 01 May 2022
Posts: 8

PostPosted: Mon May 02, 2022 17:50    Post subject: Reply with quote
egc wrote:
Try
Compression: Disabled


Brilliant! Works! Thanks a lot!
How long have I been looking for this simple solution Smile

For me, the difference between "no" and "disabled" is not obvious, unfortunately.


Please advise
, for reliable communication and maximum speed, which is better to use the TCP or UDP protocol?

And still use compression or better not?
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 10318
Location: Netherlands

PostPosted: Mon May 02, 2022 18:32    Post subject: Reply with quote
Great to hear that it works Smile

Compression is a bit of a mess in OpenVPN there are two kinds the older LZO and the newer Compress (which also has two kinds) which are not very well compatible and compression is not very safe to use and as it does not give you extra throughput on soho routers it should always be Disabled in my opinion.

About the other settings on both sides:
Protocol UDP4
First data cipher: Chacha-Poly (this is the fastest)
Second data cipher: AES-128-GCM (for fall-back)
third data cipher: AES-128-GCM (for fall-back)

See picture with settings from my own server

Encryption cipher is deprecated and only for compatibility reasons but when using OpenVPN 2.5 on both sides it should not be necessary.

Newer ciphers like AES and Chacha-Poly have the message hash (SHA) for HMAC incorporated so it is not necessary to set it either

Note use "Not Set" and not "None" (None means no security)

Verify Server Cert.: Checked

Set MTU size on both sides to: 1400

In additional config only add this:
keepalive 10 120
resolv-retry infinite

Lots of information see:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327398

You are not running the latest build not that you should but you are missing out on some goodies see the changelog in the link above (bottom of that page)

_________________
Routers:Netgear R7800, R7000, R6400v1, R6400v2, Linksys EA8500, EA6900 (XvortexCFE), E2000 (converted WRT320N), WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
urasic
DD-WRT Novice


Joined: 01 May 2022
Posts: 8

PostPosted: Tue May 03, 2022 0:21    Post subject: Reply with quote
egc wrote:
You are not running the latest build not that you should but you are missing out on some goodies see the changelog in the link above (bottom of that page)


updated to latest build.

Do you write goodies there? I think it's just SUPER goodies! Smile
and multi server and Watchdog...
everything I previously did with scripts

You are doing a very useful Work!

But there is a small question, what is the minimum level for a watching dog so that the router does not go into a loop?

For my work, I need the router to switch to a different server as quickly as possible.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 10318
Location: Netherlands

PostPosted: Tue May 03, 2022 12:59    Post subject: Reply with quote
Glad you like it, DDWRT is constantly evolving Smile

I actually have set the minium to 10 sec.

But when the watchdog starts (e.g. after a reboot or after a restart of the tunnel) there is a wait time of 120 sec to prevent looping as the router/tunnel needs time to start.

The minimum time is the time the GUI forces upon you, manually you should be able to go lower then 10 sec.
(if you want to try it let me know and I will tell you how to set the time out lower than 10 sec)

Probably use a Domain name as ping address as outlined in the guide to use multiple IP addresses so that you are not blacklisted and have redundancy

_________________
Routers:Netgear R7800, R7000, R6400v1, R6400v2, Linksys EA8500, EA6900 (XvortexCFE), E2000 (converted WRT320N), WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
Display posts from previous:    Page 1 of 1
Post new topic   Reply to topic    DD-WRT Forum Index -> Advanced Networking All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You cannot download files in this forum