No access to GUI after upgrading to openVPN 2.5

DD-WRT Forum Index -> Advanced Networking
Author Message
safet
DD-WRT Novice


Joined: 07 Nov 2022
Posts: 2

Posted: Tue Nov 08, 2022 2:38    Post subject: No access to GUI after upgrading to openVPN 2.5
Hello
This is my first post.
I have been using DD-WRT for over 10 years and until now managed to find answers to any problems by reading the forums and guides.

I have a main router running 2 instances of OpenVPN server, one is for connecting to a client router at a remote location and another for my iPhone.
It has been up and running for a couple of years now with OpenVPN 2.4.
Until last week I had both routers running WRT r43266 and found out that this build has some bugs.
First I upgraded the client router to r50551 and the upgrade went smoothly. The client connected to the server right away (server OpenVPN still at 2.4).
The following day I upgraded the main router to r50551 and did not notice any issues other than the warnings about adding data-ciphers to the config.
Data-ciphers have been added to the config (see below).
After the upgrades the VPN is working and I can see all remote devices, but I can't access the remote router GUI even when directly connected on a LAN port.
I have tried downgrading back to 43266 and the original backup but still the same: as soon as the VPN starts I lose the GUI. At this point I did not try to revert to r43266 on the main router/server.
As you can see I added ncp-disable but it didn't help.
Any input or suggestion would be greatly appreciated.
Safet

Here is the current setup:


main router
Linksys WRT1900ACS
DD-WRT v3.0-r50551 std (10/19/22)

server 1 openvpn.conf (for remote router):
dh /jffs/etc/openvpn/dh2048.pem
ca /jffs/etc/openvpn/ca.crt
cert /jffs/etc/openvpn/server.crt
key /jffs/etc/openvpn/server.key
keepalive 10 120
verb 3
mute 3
syslog
topology subnet
script-security 2
port 1194
proto udp4
cipher aes-256-cbc
# deprecated in OpenVPN 2.5 and removed in 2.6; with it set, cipher negotiation is switched off
ncp-disable
auth sha1
data-ciphers aes-256-cbc:aes-192-cbc:aes-128-cbc
data-ciphers-fallback aes-256-cbc
client-connect /jffs/etc/openvpn/clcon1.sh
client-disconnect /jffs/etc/openvpn/cldiscon1.sh
client-config-dir /jffs/etc/openvpn/ccd
tls-server
ifconfig-pool-persist /tmp/openvpn/ip-pool1 86400
client-to-client
fast-io
tun-mtu 1500
mtu-disc yes
server-bridge 10.166.50.1 255.255.255.0 10.166.50.151 10.166.50.219
dev tap2
auth-user-pass-verify /jffs/scripts/verify.sh via-file
up route1-up.sh
down route1-down.sh

server 2 openvpn.conf (for iPhone connection):
dh /jffs/etc/openvpn/dh2048.pem
ca /jffs/etc/openvpn/ca.crt
cert /jffs/etc/openvpn/server.crt
key /jffs/etc/openvpn/server.key
keepalive 10 120
verb 3
mute 3
syslog
topology subnet
script-security 2
port 1195
proto udp4
# BF-CBC is a 64-bit block cipher; OpenVPN 2.5 warns that it is insecure (SWEET32) and deprecated
cipher bf-cbc
auth sha1
client-connect /jffs/etc/openvpn/clcon2.sh
client-disconnect /jffs/etc/openvpn/cldiscon2.sh
client-config-dir /jffs/etc/openvpn/ccd
# compression is deprecated in OpenVPN 2.5 (compression-oracle attacks such as VORACLE)
comp-lzo yes
tls-server
ifconfig-pool-persist /tmp/openvpn/ip-pool2 86400
client-to-client
fast-io
tun-mtu 1500
mtu-disc yes
server 10.8.0.0 255.255.255.0
dev tun2
auth-user-pass-verify /jffs/scripts/verify.sh via-file
push "route 10.166.50.0 255.255.255.0"
#push "dhcp-option DNS 10.166.50.1"
route 10.166.50.230 255.255.255.0 10.8.0.2

firewall script:
iptables -I INPUT 2 -p udp --dport 1194 -j ACCEPT
iptables -I INPUT 2 -p udp --dport 1195 -j ACCEPT
iptables -I FORWARD 1 --source 10.166.50.0/24 -j ACCEPT
iptables -I FORWARD -i br0 -o tun2 -j ACCEPT
iptables -I FORWARD -i tun2 -o br0 -j ACCEPT
# no -o restriction: masquerades every forwarded flow, not only traffic leaving on the WAN
iptables -t nat -A POSTROUTING -j MASQUERADE

Remote router/client
Netgear R7000P
WRT r43266

openVPN config:

ca /tmp/openvpncl/ca.crt
cert /tmp/openvpncl/client.crt
key /tmp/openvpncl/client.key
management 127.0.0.1 16
management-log-cache 100
verb 3
mute 3
syslog
writepid /var/run/openvpncl.pid
resolv-retry infinite
script-security 2
nobind
client
dev tap1
proto udp
cipher aes-256-cbc
auth sha1
auth-user-pass /tmp/openvpncl/credentials
remote xxxxx.com 1194
tun-mtu 1500
mtu-disc yes
fast-io
route-up /tmp/openvpncl/route-up.sh
route-pre-down /tmp/openvpncl/route-down.sh
keepalive 10 120
push "dhcp-option DNS 10.166.50.1"
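The data-ciphers warnings mentioned in this post come from the way OpenVPN 2.5 changed cipher selection. What follows is an added example, not code from the post or from OpenVPN: a simplified Python model of the 2.5 server-side rules (the default list is AES-256-GCM:AES-128-GCM; a --cipher missing from --data-ciphers triggers the DEPRECATED OPTION warning, is appended to the list and serves as the fallback; --data-ciphers-fallback sets the fallback explicitly; the server walks its own list in order and takes the first entry the client announced through IV_CIPHERS or IV_NCP=2, or that equals the client's own --cipher as seen in its OCC options string; --ncp-disable switches negotiation off). It is run against the two posted server configs and against a 2.4 client like the R7000P. Two points are this model's simplifications rather than statements about every 2.5 code path: the fallback is applied only to clients that announce nothing, and a client whose --cipher differs from the fallback is treated as failing. The iPhone client's IV_CIPHERS list is made up for the example.

```python
"""Simplified model of OpenVPN 2.5 server-side data-channel cipher selection.

Added example for the forum thread; not OpenVPN's code and not from the post.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

DEFAULT_DATA_CIPHERS = "AES-256-GCM:AES-128-GCM"   # 2.5 default for --data-ciphers
IV_NCP2_CIPHERS = "AES-256-GCM:AES-128-GCM"        # what a bare IV_NCP=2 (2.4 client) implies
SMALL_BLOCK = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC"}  # 64-bit block ciphers


def _norm(name: str) -> str:
    return name.strip().upper()          # OpenVPN compares cipher names case-insensitively


def _split(lst: str) -> List[str]:
    return [_norm(c) for c in lst.split(":") if c.strip()]


@dataclass
class Server:
    cipher: Optional[str] = None             # legacy --cipher
    data_ciphers: Optional[str] = None       # --data-ciphers (alias --ncp-ciphers)
    data_ciphers_fallback: Optional[str] = None
    ncp_disable: bool = False

    def effective(self) -> Tuple[List[str], Optional[str], List[str]]:
        """Return (negotiation list, fallback cipher, warnings) as 2.5 derives them."""
        warnings: List[str] = []
        lst = _split(self.data_ciphers or DEFAULT_DATA_CIPHERS)
        fallback = _norm(self.data_ciphers_fallback) if self.data_ciphers_fallback else None
        if self.cipher:
            c = _norm(self.cipher)
            if fallback is None and c not in lst:
                # 2.5 keeps the old --cipher working: appended to the list and used as fallback
                warnings.append(f"DEPRECATED OPTION: --cipher '{c}' missing in --data-ciphers "
                                f"({':'.join(lst)}); appended and used as fallback")
                lst.append(c)
                fallback = c
            if c in SMALL_BLOCK:
                warnings.append(f"INSECURE cipher {c}: 64-bit block size allows SWEET32-style attacks")
        if self.ncp_disable:
            warnings.append("DEPRECATED OPTION: --ncp-disable (removed in 2.6) turns negotiation "
                            "off; every client must use the server's --cipher")
        return lst, fallback, warnings


@dataclass
class Client:
    cipher: Optional[str] = None      # --cipher; the server sees it in the OCC options string
    iv_ciphers: Optional[str] = None  # IV_CIPHERS: a 2.5+ client's own --data-ciphers
    iv_ncp2: bool = False             # IV_NCP=2: a 2.4 client that can take AES-*-GCM

    def announced(self) -> List[str]:
        if self.iv_ciphers is not None:
            return _split(self.iv_ciphers)
        return _split(IV_NCP2_CIPHERS) if self.iv_ncp2 else []


def negotiate(server: Server, client: Client) -> Optional[str]:
    """Cipher the server settles on, or None if the connection would fail."""
    lst, fallback, _ = server.effective()
    occ = _norm(client.cipher) if client.cipher else None
    peer = client.announced()
    if server.ncp_disable:
        # Negotiation off: the server insists on its --cipher (2.5 still defaults it to BF-CBC).
        # The client goes along if that is its own --cipher or, poor man's NCP, if the cipher
        # is in the client's own list.
        want = _norm(server.cipher or "BF-CBC")
        return want if (occ == want or want in peer) else None
    for c in lst:                       # server preference order decides
        if c in peer or c == occ:
            return c
    if not peer and fallback is not None and (occ is None or occ == fallback):
        return fallback                 # client negotiates nothing: fallback cipher
    return None


if __name__ == "__main__":
    srv1 = Server(cipher="aes-256-cbc", data_ciphers="aes-256-cbc:aes-192-cbc:aes-128-cbc",
                  data_ciphers_fallback="aes-256-cbc", ncp_disable=True)   # posted server 1
    srv2 = Server(cipher="bf-cbc")                                          # posted server 2
    r7000 = Client(cipher="aes-256-cbc", iv_ncp2=True)                      # 2.4 client router
    phone = Client(iv_ciphers="AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305")  # made-up 2.5 client
    for name, srv, cli in (("server1/R7000P", srv1, r7000), ("server2/iPhone", srv2, phone)):
        print(name, "->", negotiate(srv, cli))
        for w in srv.effective()[2]:
            print("   ", w)
```

Run as a script it prints the negotiated cipher for each pairing and the warnings 2.5 would raise; the same functions can be fed any other server/client combination to see which side has to change before the negotiation list is tightened to AEAD ciphers only.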
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6411
Location: UK, London, just across the river..

Posted: Tue Nov 08, 2022 7:37    Post subject:
I'm not a VPN expert, nor would I expose something like the GUI via VPN, but...

I guess something simple like this:
iptables -I INPUT -i tun2 -j ACCEPT

Or you can be more specific and specify client IPs, MACs or ports, and change the state of this rule too...

But overall it's not very safe, unless this is a local router-to-router VPN and it's not exposed...!!

You can also tunnel via PuTTY and forward the GUI port... but I don't do this either... I prefer to tweak things over SSH and use the GUI only for a few things, and that's it...

You'd better have a good read and look here, as those guides are updated...
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327398

Last thing: the latest builds have important security updates (OpenSSL, for example), so better use those; 50814 is the current (latest).

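An added example, not from the reply above or from DD-WRT, of the "be more specific" version of the suggested rule: it parses the firewall script from the first post plus the suggested tun2 rule, flags the rules that accept or rewrite more than they need to, and emits a tun2 INPUT rule set limited to the VPN pool, a few TCP ports and connection state. The pool 10.8.0.0/24 is taken from the posted `server 10.8.0.0 255.255.255.0` line; the GUI on 80/443 and SSH on 22 are assumed DD-WRT defaults; the WAN interface name in the MASQUERADE finding is left as a placeholder.

```python
"""Audit a DD-WRT firewall script for over-broad iptables rules and emit a
scoped replacement for 'iptables -I INPUT -i tun2 -j ACCEPT'.

Added example for the forum thread; not code from the post or from DD-WRT.
Assumed: tun2 pool 10.8.0.0/24 (from the posted 'server' line), GUI on 80/443, SSH on 22.
"""
import shlex
from typing import Dict, List, Optional, Tuple

# Constructed sample: the firewall script from the first post plus the rule suggested in the reply.
SAMPLE_SCRIPT = """\
iptables -I INPUT 2 -p udp --dport 1194 -j ACCEPT
iptables -I INPUT 2 -p udp --dport 1195 -j ACCEPT
iptables -I FORWARD 1 --source 10.166.50.0/24 -j ACCEPT
iptables -I FORWARD -i br0 -o tun2 -j ACCEPT
iptables -I FORWARD -i tun2 -o br0 -j ACCEPT
iptables -t nat -A POSTROUTING -j MASQUERADE
iptables -I INPUT -i tun2 -j ACCEPT
"""

ALIASES = {"--source": "-s", "--destination": "-d", "--in-interface": "-i",
           "--out-interface": "-o", "--protocol": "-p", "--jump": "-j",
           "--table": "-t", "--insert": "-I", "--append": "-A", "--match": "-m"}
TUNNEL_PREFIXES = ("tun", "tap")


def parse_rule(line: str) -> Dict[str, str]:
    """Map one iptables command to {option: value}; '-m' modules are collected under 'matches'."""
    toks = shlex.split(line)
    if not toks or toks[0] != "iptables":
        raise ValueError(f"not an iptables command: {line!r}")
    rule: Dict[str, str] = {"-t": "filter", "matches": ""}
    i = 1
    while i < len(toks):
        opt = ALIASES.get(toks[i], toks[i])
        val = toks[i + 1] if i + 1 < len(toks) and not toks[i + 1].startswith("-") else ""
        i += 2 if val else 1
        if opt in ("-I", "-A"):
            rule["chain"] = val
            if opt == "-I" and i < len(toks) and toks[i].isdigit():   # '-I CHAIN N' position
                rule["pos"] = toks[i]
                i += 1
        elif opt == "-m":
            rule["matches"] = (rule["matches"] + " " + val).strip()
        else:
            rule[opt] = val
    return rule


def audit_rule(rule: Dict[str, str]) -> Optional[str]:
    """Return a finding for an over-broad rule, or None if it is scoped."""
    chain, target = rule.get("chain"), rule.get("-j")
    if rule["-t"] == "nat" and target == "MASQUERADE" and "-o" not in rule:
        return ("MASQUERADE without -o rewrites the source of every forwarded flow, VPN<->LAN "
                "included, so hosts see the router instead of the real client; pin it to the WAN "
                "interface with -o <wan_iface>")
    if target != "ACCEPT":
        return None
    if chain == "INPUT" and rule.get("-i", "").startswith(TUNNEL_PREFIXES):
        states = rule.get("--ctstate", rule.get("--state", ""))
        if states and "NEW" not in states.upper():
            return None                                   # reply traffic only: fine
        if not all(k in rule for k in ("-s", "-p")) or not any(k in rule for k in ("--dport", "--dports")):
            return (f"INPUT ACCEPT on {rule['-i']} without -s/-p/--dport exposes every router "
                    "service (GUI, SSH, DNS, telnet if enabled) to every VPN client")
    if chain == "FORWARD" and "-i" not in rule and "-o" not in rule and "-s" in rule:
        return (f"FORWARD ACCEPT keyed only on -s {rule['-s']} trusts the claimed source on any "
                "interface; add -i so spoofed packets arriving elsewhere are not matched")
    return None


def audit_script(script: str) -> List[Tuple[str, str]]:
    """(rule, finding) for every flagged rule, in script order."""
    findings = []
    for line in script.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            finding = audit_rule(parse_rule(line))
            if finding:
                findings.append((line, finding))
    return findings


def gui_over_vpn_rules(iface: str = "tun2", pool: str = "10.8.0.0/24",
                       tcp_ports: Tuple[int, ...] = (22, 80, 443)) -> List[str]:
    """Commands in the order to run them. Each -I lands at the top of INPUT, so the final
    chain order is: scoped ACCEPT, reply-traffic ACCEPT, catch-all DROP for the tunnel."""
    ports = ",".join(str(p) for p in tcp_ports)
    return [
        f"iptables -I INPUT -i {iface} -j DROP",
        f"iptables -I INPUT -i {iface} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        f"iptables -I INPUT -i {iface} -s {pool} -p tcp -m multiport --dports {ports} "
        f"-m conntrack --ctstate NEW -j ACCEPT",
    ]


if __name__ == "__main__":
    for rule, finding in audit_script(SAMPLE_SCRIPT):
        print(f"{rule}\n    -> {finding}")
    print("\nScoped replacement for the tun2 INPUT rule:")
    print("\n".join(gui_over_vpn_rules()))
```

The replacement rules only narrow what reaches the router itself; the FORWARD and MASQUERADE findings still need the `-i`/`-o` pinning the audit describes, and the scoped rules pass the same audit with no findings.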
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12839
Location: Netherlands

Posted: Tue Nov 08, 2022 8:07    Post subject:
It is possible but not very easy, as you have to set up one tunnel manually.

Instructions to run two VPN servers are available; see the OpenVPN documentation, which is a sticky in this forum and which @Alozaros already linked.

Use the GUI to make the tap server.

But I would make it easy for yourself and, instead of the second tun server, set up a WireGuard server, also a sticky in this forum.
Very fast, very easy to set up, and it generates a QR code for your iPhone :)

the-joker
DD-WRT Developer/Maintainer


Joined: 31 Jul 2021
Posts: 2146
Location: All over YOUR webs

Posted: Tue Nov 08, 2022 12:07    Post subject:
OpenVPN was updated to 2.5.8 in https://svn.dd-wrt.com/changeset/50816/7 so keep an eye out for those newer builds.
safet
DD-WRT Novice


Joined: 07 Nov 2022
Posts: 2

Posted: Wed Nov 09, 2022 1:38    Post subject:
Thanks for the replies.
The current VPN setup is a couple of years old. At the time it was the only way to get 2 servers running, based on my abilities at the time. But it worked until now.
When I try to access the router that runs the VPN client, I am connected to it on its LAN and for whatever reason it is not responding; I can't ping its IP or get any response from it.
But the VPN tunnel is running and I have access to both sides of the bridge, and from both sides of the tunnel. The only problem is the client router IP is not accessible.

Here are the steps I tried so far:
Factory reset, but loading the NVRAM backup leads to automatic start-up and lock-up.

Factory reset and recreate all settings but leave the VPN client disabled.
Everything works.
Enable the VPN client with a wrong remote address: the VPN client starts with an error about the remote, but I have access to the router GUI.
When I fix the VPN remote address and reboot, the VPN and the entire network work, but the router GUI disappears and I start all over again.
All this time I am connected to the client router directly over LAN.
This is the same for r43266 and r50551 on the client side.

I will follow your suggestion and use the GUI for the first server and drop the second one for now to see if this fixes the client router locking up, and add WireGuard for the iPhone access.
Also I will continue reading the guides.
This will take some time since I go to the second location only on weekends.
Thank you all again.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12839
Location: Netherlands

Posted: Wed Nov 09, 2022 10:19    Post subject:
The Server setup guide has a paragraph about bridged/TAP setup.

Maybe first set up as Routed/TUN, as that is easier.
