Posted: Tue Nov 08, 2022 2:38 Post subject: No access to GUI after upgrading to openVPN 2.5
Hello
This is my first post
I have been using DD-WRT for over 10 years and until now managed to find answers to any problems by reading the forums and guides.
I have main router running 2 instances of openVPN server, one is for connecting to client router on remote location and another for my iPhone.
It has been up and running for a couple of years now with OpenVPN 2.4.
Until last week I had both routers running DD-WRT r43266 and found out that this build has some bugs.
First I upgraded the client router to r50551 and the upgrade went smoothly. The client connected to the server right away (server OpenVPN still at 2.4).
The following day I upgraded the main router to r50551 and did not notice any issues other than the warnings about adding data-ciphers to the config.
Data-ciphers have been added to the config (see below).
After the upgrades the VPN is working and I can see all remote devices, but I can't access the remote router GUI even when directly connected on LAN port.
I have tried downgrading back to 43266 and original backup but still the same, as soon as the VPN starts I lose the GUI. At this point I did not try to revert to r43266 on the main router/server.
As you can see I added the ncp-disable but it didn't help.
Any input or suggestion would be greatly appreciated.
Safet
Here is the current setup:
main router
Linksys WRT1900ACS
DD-WRT v3.0-r50551 std (10/19/22)
server 1 openvpn.conf (for remote router):
dh /jffs/etc/openvpn/dh2048.pem
ca /jffs/etc/openvpn/ca.crt
cert /jffs/etc/openvpn/server.crt
key /jffs/etc/openvpn/server.key
keepalive 10 120
verb 3
mute 3
syslog
topology subnet
script-security 2
port 1194
proto udp4
cipher aes-256-cbc
ncp-disable
auth sha1
data-ciphers aes-256-cbc:aes-192-cbc:aes-128-cbc
data-ciphers-fallback aes-256-cbc
client-connect /jffs/etc/openvpn/clcon1.sh
client-disconnect /jffs/etc/openvpn/cldiscon1.sh
client-config-dir /jffs/etc/openvpn/ccd
tls-server
ifconfig-pool-persist /tmp/openvpn/ip-pool1 86400
client-to-client
fast-io
tun-mtu 1500
mtu-disc yes
server-bridge 10.166.50.1 255.255.255.0 10.166.50.151 10.166.50.219
dev tap2
auth-user-pass-verify /jffs/scripts/verify.sh via-file
up route1-up.sh
down route1-down.sh
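A quick way to check a config like the one above against what OpenVPN 2.5 expects, and to check that a firewall rule names the right interface (the server uses dev tap2, so a rule written for tun2 would not match). This is an added example, not code from the thread or from DD-WRT; the config embedded in it is an abridged copy of the one posted above.

```python
import re

# Abridged copy of the server config posted in this thread (constructed sample).
SERVER_CONF = """\
dh /jffs/etc/openvpn/dh2048.pem
script-security 2
proto udp4
cipher aes-256-cbc
ncp-disable
auth sha1
data-ciphers aes-256-cbc:aes-192-cbc:aes-128-cbc
data-ciphers-fallback aes-256-cbc
server-bridge 10.166.50.1 255.255.255.0 10.166.50.151 10.166.50.219
dev tap2
up route1-up.sh
down route1-down.sh
"""

def parse_conf(text):
    """Return {option: value} for an OpenVPN config; later lines override earlier ones."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if line:
            key, _, value = line.partition(" ")
            opts[key] = value.strip()
    return opts

def lint_25(opts):
    """Findings that matter when this config is run under OpenVPN 2.5."""
    findings = []
    if "ncp-disable" in opts:
        findings.append("ncp-disable is deprecated since OpenVPN 2.5")
    ciphers = opts.get("data-ciphers", "").split(":")
    if opts.get("cipher") and opts["cipher"] not in ciphers:
        findings.append("cipher %s is not listed in data-ciphers" % opts["cipher"])
    if "server-bridge" in opts and not opts.get("dev", "").startswith("tap"):
        findings.append("server-bridge requires a tap device")
    if ("up" in opts or "down" in opts) and int(opts.get("script-security", "1")) < 2:
        findings.append("up/down scripts need script-security 2")
    return findings

def rule_iface_matches(rule, opts):
    """True when an iptables rule's '-i <iface>' names the interface from 'dev'."""
    m = re.search(r"-i\s+(\S+)", rule)
    return bool(m) and m.group(1) == opts.get("dev")
```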
Joined: 16 Nov 2015 Posts: 6411 Location: UK, London, just across the river..
Posted: Tue Nov 08, 2022 7:37 Post subject:
I'm not a VPN expert, nor would I expose something like the GUI via VPN, but...
I guess something simple like this:
iptables -I INPUT -i tun2 -j ACCEPT
or you can be more specific and specify the clients' IPs, MACs or ports and change the state of this rule too...
But overall, it's not very safe, unless this is a local VPN router to router... and it's not exposed...!!
You can also tunnel via PuTTY and forward the GUI port... but I don't do this either... I prefer to tweak things over SSH and use the GUI only for a few things, and that's it...
Last thing: the latest builds have important security updates (OpenSSL for example), so better use those; 50814 is the current (latest) one.
Thanks for the replies.
The current VPN setup is a couple of years old. At the time it was the only way to get 2 servers running based on my abilities at the time. But it worked until now.
When I try to access the router that runs the VPN client, I am connected to it on its LAN and for whatever reason it is not responding; I can't ping its IP or get any response from it.
But the VPN tunnel is running and I have access to both sides of the bridge, and from both sides of the tunnel. The only problem is that the client router IP is not accessible.
Here are the steps I tried so far:
Factory reset, but loading NVRAM backup leads to automatic start-up and lock-up.
Factory reset and recreate all settings but leave VPN client disabled.
Everything works.
Enable VPN client with wrong remote address: the VPN client starts with an error about the remote, but I have access to the router GUI.
When I fix the VPN remote address and reboot, the VPN and the entire network works but the router GUI disappears and I start all over again.
All this time I am connected to the client router directly over LAN.
This is the same for r43266 and r50551 on the client side.
I will follow your suggestion and use GUI for the first server and drop the second one for now to see if this fixes the client router locking up, and add WireGuard for the iPhone access.
Also I will continue reading the guides.
This will take some time since I go to second location only on the weekends.
Thank you all again.