invisible OpenVPN client setup

hilavitkutin
DD-WRT Novice


Joined: 27 Sep 2024
Posts: 2

PostPosted: Fri Sep 27, 2024 19:11    Post subject: invisible OpenVPN client setup
I have a temporary setup on my Asus RT-AC68U C1, running DD-WRT v3.0-r55779 std (04/12/24), where I share an iPhone tethered network. My brother is running a second router (Netgear) running an OpenVPN server. Our Netflix Household is tied to that Netgear router. I managed to get the ASUS router connected through the VPN and get the correct public IP address, but there appear to be some additional checks other than the public IP. Possibly the MAC is checked against the MAC of the NETGEAR router.

What would be the correct setup for this scenario? I think I would like the TV to think it is speaking directly to the Netgear router, unaware that there is a VPN connection happening. I have managed to get it working with TAP mode, but would it be better to use TUN mode? I was able to get it working with ASUS Merlin a while back, but I switched to DD-WRT to get the iPhone tethering support. I remember having some problems then too, but got it working in the end.

One problem I have is that both routers are serving 192.168.1.0/24 networks. 192.168.1.1 is the Netgear router and 192.168.1.2 is the ASUS router. One problem is that I cannot connect to the ASUS management web UI (192.168.1.2) while the VPN connection is up, but I can access the Netgear management web UI (192.168.1.1). Additionally, it would be nice to dedicate a single LAN port that would use the VPN only.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 13423
Location: Netherlands

PostPosted: Fri Sep 27, 2024 20:00    Post subject:
OpenVPN guides are a sticky in this forum.

Consider reading those.

Or use WireGuard, also a sticky in this forum.

Make sure you do not have a DNS leak.

_________________
Routers: Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3, XR300: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read): https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
hilavitkutin
DD-WRT Novice


Joined: 27 Sep 2024
Posts: 2

PostPosted: Fri Sep 27, 2024 20:53    Post subject:
Thank you for your reply. I have read at least most of the OpenVPN guides. What I missed was some information about the other settings I should configure when setting up the VPN. For example, should I use gateway or router mode? I guess I should use different IP ranges for both of the devices, but I only managed to get it working when setting the ASUS router in the same IP range.

The VPN server is a Netgear (don't remember the model) running stock firmware, so running WireGuard is probably not an option.

Thank you for the hint about DNS. Should "block-outside-dns" be enough? Is there some easy way to verify it is working?
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 13423
Location: Netherlands

PostPosted: Sat Sep 28, 2024 5:31    Post subject:
This forum is about DD-WRT; for Netgear, better ask at their forum.

Note that bridged TAP is completely different from routed TUN setup.

eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 9353

PostPosted: Sun Sep 29, 2024 0:53    Post subject:
hilavitkutin wrote:
Additionally it would be nice to dedicate a single LAN port that would use the VPN only.


I also have the ASUS RT-AC68U and know the following will work.

1. Reset the router to factory defaults (do NOT simply try to reconfigure from the current state).

2. Setup->Basic Setup: Configure the default/local IP network (br0) to something other than that used by the remote IP network of the OpenVPN server (e.g., 10.0.0.1/24). This is important in order to avoid routing issues!

Hit Save.

Wireless->Wireless Security: Configure your wireless security settings.

Hit Save, then Administration->Reboot

3. Setup->Switch Config: Enable VLANs.

Hit Save, then Administration->Reboot

4. Setup->Switch Config: Configure a new VLAN (e.g., vlan3) and move port #4 (or more ports if you want) from the default VLAN (vlan1) over to the new VLAN.

Hit Save, then Administration->Reboot

Note: Upon reboot, do NOT configure the new VLAN any further on the Setup->Networking page; leave it at Default (bridged).

5. (Optional) Wireless->Basic Settings: If you'd like to include wireless support, then you can add one or more VAPs (e.g., wl0.1, wl1.1) to the configuration.

Hit Save.

Wireless->Wireless Security: Configure your wireless security settings.

Hit Save, then Administration->Reboot

Note: Upon reboot, do NOT configure the new VAP(s) any further on the Setup->Networking page; leave them at Default (bridged).

6. Setup->Networking: Create a new bridge (e.g., br1).

Hit Save, then Administration->Reboot

7. Setup->Networking: Disable ALL features on br1. Do NOT configure IP on the new bridge either.

Hit Save, then Administration->Reboot

8. Setup->Networking: Assign the new VLAN and any VAPs to the new bridge (by default, they've probably been assigned to br0).

Hit Save, then Administration->Reboot

9. Configure the OpenVPN client. Under Advanced Options, do NOT "Bridge TAP to br0".

When you establish the bridged OpenVPN client connection, you'll want the tunnel (tap1) assigned to the new bridge (br1). You can use a route-up script for that purpose.

Code:
SCRIPT_DIR='/jffs'
SCRIPT="$SCRIPT_DIR/route-up.sh"

# write the route-up script; the quoted 'EOF' keeps $dev etc. unexpanded
# until OpenVPN runs the script with its own environment
cat << 'EOF' > "$SCRIPT"
#!/bin/sh
#DEBUG=; set -x # uncomment/comment to enable/disable debug mode
{
# run the GUI-generated route-up script first, if there is one
[ -f /tmp/openvpncl/route-up.sh ] && /tmp/openvpncl/route-up.sh
#ifconfig $dev 0.0.0.0
# $dev is set by OpenVPN (e.g. tap1); enslave it to the VPN-only bridge
brctl addif br1 $dev
ip route flush cache
echo "info: openvpn network interface ($dev) assigned to bridge (br1)"
exit 0
} 2>&1 | logger -t "$(basename $0 | grep -Eo '^.{0,23}')[$$]"   # all output to syslog
EOF
chmod +x "$SCRIPT"


Enable JFFS and copy/paste the above into the terminal window of an SSH session on the router. It will create the necessary route-up.sh script for the OpenVPN client. You'll need to add the following to the Additional Config field as well.

Code:
script-security 2
route-up /jffs/route-up.sh


Hit Save, then Administration->Reboot

Upon reboot, and assuming the OpenVPN client connects successfully, you'll now have two separate IP networks, br0 and br1. You access the remote IP network of the VPN over the port(s) you assigned to vlan3 and the VAPs (if applicable). You can bypass the VPN and manage the router from the br0 network on ports #1 thru #3 (or whatever you did NOT move to vlan3) and the APs. Beware, devices on br0 and br1 have total network isolation from each other. Even the router itself can only manage br1. It can't access its IP network for routing purposes.

Why all the Save and Reboots? Because DD-WRT can be very finicky and error-prone when it comes to dealing w/ VLANs, VAPs, bridges, etc. The router will automatically reboot itself w/ certain changes when using Apply Settings. I purposely avoid that option and only use Save. Time and again I've seen the router mess up these kinds of configurations unless you reboot after *every* change! And I'd rather control exactly when the reboot occurs by using Save rather than Apply Settings. You'll avoid a LOT of frustration if you do the same.

Even then, don't be surprised if it refuses to boot at least once during a complex configuration such as this (if so, do a hard reset), esp. if you make too many changes all at once. Just happened to me when I enabled the VLANs page and failed to Save and Reboot before continuing w/ the new VLAN configuration!

_________________
ddwrt-bind-static-routes-to-wan.sh (UPDATED! 11/12/24) * ddwrt-blacklist-domains.sh * ddwrt-dns-monitor.sh * ddwrt-ovpn-client-backup.sh * ddwrt-ovpn-client-killswitch.sh * ddwrt-ovpn-client-watchdog.sh * ddwrt-ovpn-server-watchdog.sh * ddwrt-ovpn-split-advanced.sh * ddwrt-ovpn-split-basic.sh * ddwrt-mount-usb-drives.sh * ddwrt-wol-port-forward.sh
Sp1derman
DD-WRT User


Joined: 16 Jun 2006
Posts: 221
Location: Germany, BW

PostPosted: Sun Sep 29, 2024 12:23    Post subject:
I also use an OpenVPN site-to-site bridge (TAP).
My purpose is to share DLNA, but all other services like Prime or Netflix are also working, though that is not needed as my kids have their own.

@egc did a very good OVPN server guide with a TAP part at the end.

I have a different config to keep it simple and to put all TVs and other stuff (IoT) in a separate subnet.
At all sites I have my own Internet router (also providing the "normal" subnet), and after that the DD-WRT box with the IoT subnet.
The main reason to separate TVs and some other stuff into their own subnet is that especially Samsung TVs are scanning the network and searching for other Samsung stuff.
You can see that under Active IP Connections: each Samsung TV sends dozens of requests on port 15600; you can search for that on the Internet. I blocked that with
iptables -I INPUT -p udp --match multiport --dport 15600,33969 -j DROP
but about 2 seconds later the TV uses another port, and after the seventh port I gave up. The list of blocked ports would become longer than the Chinese wall, I think.


1. You MUST use TAP mode, otherwise Netflix and Co. see you using a VPN. You need to have all non-IP-related communication like broadcasts, Bonjour-blabla and so on on both sides.

2. The networks on both sides MUST be the same subnet in TAP mode (otherwise the config is screwed). The goal is to appear as one network.

3. Disable Compression.

4. I disabled DHCP on the client side (read @egc's guide).

5. On the server side I activated "Default Gateway" and removed the " route-Gateway.." line from the server-side Additional Config.

6. On the server side, use "disable-dco" in Additional Config.
OVPN does not support DCO for TAP mode. Normally OVPN disables DCO by itself when TAP is used, but there was at least one DD-WRT build where this wasn't the case and my VPN was blocked.

7. I disabled SFE.

I remember doing some OVPN posts, maybe you can find some helpful info there.

It would be helpful if you could provide the server settings too.


Last edited by Sp1derman on Sun Sep 29, 2024 13:00; edited 1 time in total
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 13423
Location: Netherlands

PostPosted: Sun Sep 29, 2024 12:45    Post subject:
Sp1derman wrote:

1. You MUST use TAP mode, otherwise Netflix and Co. see you using VPN. You need to have all non IP-related communication like Broadcasts, Bonjour-blabla and so on on both sides.


I do not think that is necessary for Netflix.
The Netflix app is running on the client, and what Netflix checks is the public IP address and DNS origin (they might check more, like WebRTC etc.).

I can perfectly well use American Netflix (much more content) when connected via WireGuard to my American-based VPS from the Netherlands.

So I think for Netflix a routed TUN setup will be fine.
Note that if you use PBR you have to use Split DNS as outlined in the guide.

You do need a bridged setup (either OpenVPN TAP or using an EoIP or VXLAN layer 2 tunnel over WireGuard) when you need network discovery, e.g. SSDP and/or mDNS, but that should not be necessary for Netflix.

Sp1derman
DD-WRT User


Joined: 16 Jun 2006
Posts: 221
Location: Germany, BW

PostPosted: Sun Sep 29, 2024 13:40    Post subject:
egc wrote:
I do not think that is necessary for Netflix.
The Netflix app is running on the client and what Netflix checks is the Public IP address and DNS origin (they might check more like webRTC etc)

I can perfectly fine use American Netflix (much more content) when connected via WireGuard with my American based VPS from the Netherlands.

Netflix allows you to use VPN (--> Netflix VPN <--) but they don't allow you to share your account over different locations.

I'm not an expert in this, but I think that e.g. a simple traceroute should look the same from all VPN sites, and AFAIK with TUN it's not the same, while with TAP it is.

A short Internet search shows me that folks trying account sharing via TUN get a note on the TV to activate something like "Guest Account".

But I'm not 100% sure (99%, though) as I haven't tried this.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 13423
Location: Netherlands

PostPosted: Sun Sep 29, 2024 14:13    Post subject:
Sp1derman wrote:

Netflix allows you to use VPN (--> Netflix VPN <--) but they don't allow you to share your account over different locations.


Exactly and that is why they need the VPN so that all Netflix clients come from the same location.
Household A has the Netflix subscription and household B connects with the VPN to household A.
But you do not need a bridged VPN to do this.

eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 9353

PostPosted: Sun Sep 29, 2024 17:42    Post subject:
FYI.

I found a way to permit routing from the default IP network (br0) to the new bridge (br1). This is completely optional.

1. Disable the CVE-2019-14899 Mitigation on the OpenVPN client GUI.

2. Replace the directives I gave you previously for Additional Config w/ the following.

Code:
script-security 2
route-up /jffs/route-updn.sh
route-pre-down /jffs/route-updn.sh


3. Add the following to the firewall script.

Code:
iptables -t nat -A POSTROUTING -o br1 -j MASQUERADE


4. Use this new OpenVPN script (/jffs/route-updn.sh) instead of the prior script. As before, just copy/paste it into an SSH terminal window on the router to create and install it.

Code:
SCRIPT_DIR='/jffs'
SCRIPT="$SCRIPT_DIR/route-updn.sh"

# write the combined route-up/route-pre-down script; the quoted 'EOF' keeps the
# OpenVPN environment variables ($dev, $ifconfig_local, ...) unexpanded here
cat << 'EOF' > "$SCRIPT"
#!/bin/sh
DEBUG=; set -x # uncomment/comment to enable/disable debug mode
{
args="$@"

# route-up: move the tunnel's IP from the tap device onto br1, then enslave the tap
up() {
    [ -f /tmp/openvpncl/route-up.sh ] && /tmp/openvpncl/route-up.sh $args
    ifconfig $dev 0.0.0.0
    ifconfig br1 $ifconfig_local netmask $ifconfig_netmask
    brctl addif br1 $dev
    ip route flush cache
    echo "info: openvpn network interface ($dev) added to bridge (br1)"
}

# route-pre-down: undo the above so OpenVPN can tear the tap device down cleanly
down() {
    [ -f /tmp/openvpncl/route-down.sh ] && /tmp/openvpncl/route-down.sh $args
    brctl delif br1 $dev
    ifconfig br1 0.0.0.0
    ifconfig $dev $ifconfig_local netmask $ifconfig_netmask
    ip route flush cache
    echo "info: openvpn network interface ($dev) removed from bridge (br1)"
}

# OpenVPN sets $script_type to the name of the hook that invoked the script
case "$script_type" in
          route-up) up;;
    route-pre-down) down;;
                 *) echo "warning: unexpected invocation: $script_type";;
esac

exit 0
} 2>&1 | logger -t "$(basename $0 | grep -Eo '^.{0,23}')[$$]"
EOF
chmod +x "$SCRIPT"


I left the script w/ debug mode enabled in case any problems pop up, but for the long haul, that can be disabled once it's working satisfactorily.

5. Beware, you can NOT use the Watchdog option on the OpenVPN client GUI when using a bridged tunnel if that tunnel is assigned to one of the router's bridges (e.g., br1)! That's because the built-in watchdog pings the tunnel's network interface (tap1). But when that gets assigned to (in my example) br1, you LOSE access to that network interface! You can only access tap1 indirectly, via br1.

I'm presently working on a solution for this situation w/ my own OpenVPN client watchdog script on PasteBin. It will either involve detecting the bridge assignment of tap1 and moving the ping check to the bridge (br1), or else abandoning ping checks entirely (which can be done today) and only checking for failure/stoppage of the OpenVPN client (my script does BOTH types of checks). See my signature for the link.

Yes, this is a bit of a bug in the GUI, at least if you assign the tunnel's network interface to one of the router's own bridges, which I suspect is very common. I'm less sure how common it is to need a watchdog in that situation anyway.

In summary ...

This makes it particularly convenient for administrative purposes, but it may also prove useful simply for the ability to route to the remote network as if you had configured an OpenVPN routed (TUN) tunnel.

All of this was accomplished using a T-Mobile TM-AC1900 (aka ASUS RT-AC68U) router. Since it involves VLANs, and VLANs have always been tricky w/ DD-WRT using the GUI, I can't speak to other routers.

BTW, I know the OP might NOT have any interest in these changes, but I'm using this opportunity to demonstrate how to fully exploit a bridged OpenVPN client on DD-WRT. I've done this many times before w/ FreshTomato, but the GUI in that case makes it significantly easier. I just wanted to prove (if only to myself!) it could be done w/ DD-WRT too, even if it's a bit more of a struggle to bring it all together.



Last edited by eibgrad on Fri Oct 04, 2024 7:10; edited 1 time in total
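Added example, not from the thread or from eibgrad's scripts: a small POSIX shell helper that parses `brctl show` output to confirm the tap device ended up in br1 rather than br0 (the outcome the route-up script is meant to produce) and to pick the interface a ping-based watchdog should use once tap1 is enslaved to the bridge (the watchdog problem in step 5). The `brctl show` sample below is constructed; on a router, set `BRCTL_SHOW="$(brctl show)"` before calling the functions.

```shell
#!/bin/sh
# Added example (not from the thread). Helpers that read `brctl show` output:
#   bridge_of IFACE         : which bridge (if any) holds IFACE
#   check_tunnel_bridge DEV : did the OpenVPN tap device land in br1 (not br0)?
#   watchdog_iface DEV      : interface a ping watchdog should use once DEV is bridged
# Assumption: bridge-utils/busybox `brctl show` layout, i.e. the bridge name only
# on the first line of each bridge block and further ports on indented lines.

# Constructed sample of `brctl show` after route-up ran (not real router output).
SAMPLE_BRCTL='bridge name      bridge id               STP enabled     interfaces
br0             8000.aabbccddeeff       no              vlan1
                                                        eth1
                                                        eth2
br1             8000.aabbccddeef0       no              vlan3
                                                        wl0.1
                                                        tap1'
BRCTL_SHOW="${BRCTL_SHOW:-$SAMPLE_BRCTL}"

# Print the bridge containing $1, or nothing if it is not enslaved anywhere.
bridge_of() {
    [ -n "$1" ] || return 1
    printf '%s\n' "$BRCTL_SHOW" | awk -v want="$1" '
        NR == 1 { next }                    # header line
        NF >= 4 { br = $1; iface = $4 }     # first line of a bridge block
        NF == 3 { br = $1; iface = "" }     # bridge with no ports
        NF == 1 { iface = $1 }              # continuation line: port only
        iface == want { print br; exit }
    '
}

# Verify the route-up outcome: DEV must sit in br1 and must not have been
# bridged into the LAN (br0) or left out of every bridge.
check_tunnel_bridge() {
    dev=$1
    br=$(bridge_of "$dev")
    case "$br" in
        br1) echo "ok: $dev is enslaved to br1"; return 0 ;;
        br0) echo "fail: $dev is in br0, the tunnel is bridged to the LAN"; return 1 ;;
        "")  echo "fail: $dev is not in any bridge (route-up did not run?)"; return 1 ;;
        *)   echo "fail: $dev is in unexpected bridge $br"; return 1 ;;
    esac
}

# A bridged tap carries no address of its own, so pinging through tap1 cannot
# work; a watchdog should ping via the bridge that holds it instead.
watchdog_iface() {
    br=$(bridge_of "$1")
    if [ -n "$br" ]; then printf '%s\n' "$br"; else printf '%s\n' "$1"; fi
}

# Stand-alone run against the constructed sample.
check_tunnel_bridge tap1
echo "watchdog should ping via: $(watchdog_iface tap1)"
```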
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 13423
Location: Netherlands

PostPosted: Sun Sep 29, 2024 19:39    Post subject:
Nice work, thanks for sharing!