Posted: Fri Oct 11, 2024 7:45 Post subject: Netgear R7000 OpenVPN connecting, but not working
I have a Netgear R7000 that I'm wanting to use as a VPN router for devices that can't use a VPN, or that I don't want to bother with installing a VPN on. I have Windscribe, and originally I wanted to use WireGuard, but DD-WRT doesn't have the option I guess, and FreshTomato WireGuard doesn't work, so I'm now trying OpenVPN.
My setup is a bit weird: I'm going from the ISP modem to a WRT1900ACv2, then to the R7000. Mostly because I don't have a long enough cable, and due to some of the devices being wired, I also can't move it much. I also don't feel like buying whatever expensive long cable I'd need for this. The only way I've found to make this configuration work is to disable the WAN stuff and configure both routers as DHCP Forwarders. Not sure if this has anything to do with the issue.
I did most of the configuration by importing the .ovpn file, but I made a few changes to better match their DD-WRT setup guide. I get Client: CONNECTED SUCCESS when looking at OpenVPN Status, so I can only assume it works. However, I still see my IP when checking. I've attached a screenshot of my settings to the post. I'm not sure what all I should keep private or not, but I figured I would censor part of the Server IP URL in case someone is able to trace the specific server I'm connected to or something, idk. Also all of my username/password, because of course.
Here's the Client Log as well:
Code:
20241011 02:29:19 I Note: Treating option '--ncp-ciphers' as '--data-ciphers' (renamed in OpenVPN 2.5).
20241011 02:29:19 Note: cipher 'AES-256-CBC' in --data-ciphers is not supported by ovpn-dco disabling data channel offload.
20241011 02:29:19 W WARNING: Using --management on a TCP port WITHOUT passwords is STRONGLY discouraged and considered insecure
20241011 02:29:19 W WARNING: file '/tmp/openvpncl/ta.key' is group or others accessible
20241011 02:29:19 W WARNING: file '/tmp/openvpncl/credentials' is group or others accessible
20241011 02:29:19 I OpenVPN 2.6.12 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH/PKTINFO] [AEAD] [DCO]
20241011 02:29:19 I library versions: OpenSSL 1.1.1w 11 Sep 2023 LZO 2.10
20241011 02:29:19 I DCO version: N/A
20241011 02:29:19 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:16
20241011 02:29:19 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
20241011 02:29:19 I TCP/UDP: Preserving recently used remote address: [AF_INET]104.129.18.131:443
20241011 02:29:19 Socket Buffers: R=[262144->262144] S=[262144->262144]
20241011 02:29:19 I UDPv4 link local: (not bound)
20241011 02:29:19 I UDPv4 link remote: [AF_INET]104.129.18.131:443
20241011 02:29:19 TLS: Initial packet from [AF_INET]104.129.18.131:443 sid=503b6b7a 462a2684
20241011 02:29:19 W WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
20241011 02:29:19 VERIFY OK: depth=2 C=CA ST=ON L=Toronto O=Windscribe Limited OU=Systems CN=Windscribe Node CA X1
20241011 02:29:19 NOTE: --mute triggered...
20241011 02:29:19 8 variation(s) on previous 3 message(s) suppressed by --mute
20241011 02:29:19 I [atl-109.windscribe.com] Peer Connection Initiated with [AF_INET]104.129.18.131:443
20241011 02:29:19 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
20241011 02:29:19 NOTE: --mute triggered...
20241011 02:29:20 1 variation(s) on previous 3 message(s) suppressed by --mute
20241011 02:29:20 SENT CONTROL [atl-109.windscribe.com]: 'PUSH_REQUEST' (status=1)
20241011 02:29:20 NOTE: --mute triggered...
20241011 02:29:20 2 variation(s) on previous 3 message(s) suppressed by --mute
20241011 02:29:20 Socket Buffers: R=[262144->512000] S=[262144->512000]
20241011 02:29:20 OPTIONS IMPORT: --ifconfig/up options modified
20241011 02:29:20 NOTE: --mute triggered...
20241011 02:29:20 3 variation(s) on previous 3 message(s) suppressed by --mute
20241011 02:29:20 net_route_v4_best_gw query: dst 0.0.0.0
20241011 02:29:20 net_route_v4_best_gw result: via 192.168.0.1 dev br0
20241011 02:29:20 I TUN/TAP device tun1 opened
20241011 02:29:20 I net_iface_mtu_set: mtu 1500 for tun1
20241011 02:29:20 I net_iface_up: set tun1 up
20241011 02:29:20 I net_addr_v4_add: 10.114.206.46/23 dev tun1
20241011 02:29:20 net_route_v4_add: 104.129.18.131/32 via 192.168.0.1 dev [NULL] table 0 metric -1
20241011 02:29:20 net_route_v4_add: 0.0.0.0/1 via 10.114.206.1 dev [NULL] table 0 metric -1
20241011 02:29:20 net_route_v4_add: 128.0.0.0/1 via 10.114.206.1 dev [NULL] table 0 metric -1
20241011 02:29:20 I Initialization Sequence Completed
20241011 02:29:20 Data Channel: cipher 'AES-256-GCM' peer-id: 34
20241011 02:29:20 NOTE: --mute triggered...
20241011 02:32:30 1 variation(s) on previous 3 message(s) suppressed by --mute
20241011 02:32:30 N AEAD Decrypt error: cipher final failed
20241011 02:37:16 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:40588
20241011 02:37:16 D MANAGEMENT: CMD 'state'
20241011 02:37:16 MANAGEMENT: Client disconnected
20241011 02:37:16 NOTE: --mute triggered...
20241011 02:37:16 1 variation(s) on previous 3 message(s) suppressed by --mute
20241011 02:37:16 D MANAGEMENT: CMD 'state'
20241011 02:37:16 MANAGEMENT: Client disconnected
20241011 02:37:16 NOTE: --mute triggered...
20241011 02:37:16 1 variation(s) on previous 3 message(s) suppressed by --mute
20241011 02:37:16 D MANAGEMENT: CMD 'state'
20241011 02:37:16 MANAGEMENT: Client disconnected
20241011 02:37:16 NOTE: --mute triggered...
20241011 02:37:16 1 variation(s) on previous 3 message(s) suppressed by --mute
20241011 02:37:16 D MANAGEMENT: CMD 'status 2'
20241011 02:37:16 MANAGEMENT: Client disconnected
20241011 02:37:16 NOTE: --mute triggered...
20241011 02:37:16 1 variation(s) on previous 3 message(s) suppressed by --mute
20241011 02:37:16 D MANAGEMENT: CMD 'log 500'
20241011 02:37:16 MANAGEMENT: Client disconnected
20241011 02:39:29 NOTE: --mute triggered...
20241011 02:39:29 1 variation(s) on previous 3 message(s) suppressed by --mute
20241011 02:39:29 D MANAGEMENT: CMD 'state'
20241011 02:39:29 MANAGEMENT: Client disconnected
20241011 02:39:29 NOTE: --mute triggered...
20241011 02:39:29 1 variation(s) on previous 3 message(s) suppressed by --mute
20241011 02:39:29 D MANAGEMENT: CMD 'state'
20241011 02:39:29 MANAGEMENT: Client disconnected
20241011 02:39:29 NOTE: --mute triggered...
20241011 02:39:29 1 variation(s) on previous 3 message(s) suppressed by --mute
20241011 02:39:29 D MANAGEMENT: CMD 'state'
20241011 02:39:29 MANAGEMENT: Client disconnected
20241011 02:39:29 NOTE: --mute triggered...
20241011 02:39:29 1 variation(s) on previous 3 message(s) suppressed by --mute
20241011 02:39:29 D MANAGEMENT: CMD 'status 2'
20241011 02:39:29 MANAGEMENT: Client disconnected
20241011 02:39:29 NOTE: --mute triggered...
20241011 02:39:29 1 variation(s) on previous 3 message(s) suppressed by --mute
20241011 02:39:29 D MANAGEMENT: CMD 'log 500'
I did try looking this up, and the only relevant thing I could find was someone fixing it by adding redirect-gateway def1 to Additional Configuration. This did nothing for me, even after rebooting the router.
Joined: 18 Mar 2014 Posts: 13446 Location: Netherlands
Posted: Fri Oct 11, 2024 9:25 Post subject:
Please start with sharing your build number (it looks like a recent build, so that should not be a problem).
Of course DD-WRT had WireGuard a long time before FT even heard of it.
It is under the Tunnels tab.
WireGuard Guides (and OpenVPN) are stickies in the Advanced Networking forum to which I will transfer this thread
However your OpenVPN seems to function.
It seems you have set up your routers as Wireless Access Points connected LAN<>LAN on the same subnet, although not correctly, as you should never use DHCP Forwarder.
If you set up a VPN client on a WAP, then your clients' traffic will just bypass the VPN.
Only when you set up a guest wifi on the WAP (VAP on a WAP) will that use the VPN. Alternatively, you can point your LAN client to the R7000 as gateway.
As stated, OpenVPN and WG Client setup guides are stickies in the Advanced Forum.
For basic setup you need the Client setup guide.
For using WireGuard on a WAP, see the WG Advanced setup guide.
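The reply's point (the tunnel is up on the R7000, but LAN clients whose default gateway is the other router never hand it their packets) can be checked against the log in the first post rather than guessed at. The script below is an added example, not code from the thread or from DD-WRT: it parses lines in the shape of the DD-WRT OpenVPN client log, rebuilds the R7000's routing table from the `net_route_v4_best_gw` / `net_addr_v4_add` / `net_route_v4_add` lines, does a longest-prefix lookup the way the kernel does, and then shows which path a LAN client's packet actually takes depending on which router it uses as gateway. The sample lines are constructed from the post's own log (same addresses and messages); the R7000's own LAN address is not stated in the thread, so `R7000_LAN_IP` is an assumed placeholder. It also surfaces the hardening warnings OpenVPN printed (management port without a password, world-readable key and credential files) and the later `AEAD Decrypt error`, which is worth watching separately from the routing question.

```python
"""Triage a DD-WRT OpenVPN client log and model why LAN clients can bypass the tunnel.

Added example, not from the forum thread or DD-WRT. SAMPLE_LOG is constructed
from the lines in the post; R7000_LAN_IP is an assumption (not given in the post).
"""
import re
from ipaddress import ip_address, ip_network

# Constructed sample in the shape of the DD-WRT OpenVPN client log (addresses from the post).
SAMPLE_LOG = """\
20241011 02:29:19 W WARNING: Using --management on a TCP port WITHOUT passwords is STRONGLY discouraged and considered insecure
20241011 02:29:19 W WARNING: file '/tmp/openvpncl/ta.key' is group or others accessible
20241011 02:29:20 net_route_v4_best_gw result: via 192.168.0.1 dev br0
20241011 02:29:20 I net_addr_v4_add: 10.114.206.46/23 dev tun1
20241011 02:29:20 net_route_v4_add: 104.129.18.131/32 via 192.168.0.1 dev [NULL] table 0 metric -1
20241011 02:29:20 net_route_v4_add: 0.0.0.0/1 via 10.114.206.1 dev [NULL] table 0 metric -1
20241011 02:29:20 net_route_v4_add: 128.0.0.0/1 via 10.114.206.1 dev [NULL] table 0 metric -1
20241011 02:29:20 I Initialization Sequence Completed
20241011 02:32:30 N AEAD Decrypt error: cipher final failed
"""

R7000_LAN_IP = "192.168.0.2"  # ASSUMED: the thread never states the R7000's LAN address

# date, time, optional one-letter OpenVPN level (I/W/D/N/E), message
LINE_RE = re.compile(r"^(\d{8}) (\d{2}:\d{2}:\d{2}) (?:([IWDNE]) )?(.*)$")
GW_RE = re.compile(r"net_route_v4_best_gw result: via (\S+) dev (\S+)")
TUN_RE = re.compile(r"net_addr_v4_add: (\S+) dev (\S+)")
ROUTE_RE = re.compile(r"net_route_v4_add: (\S+) via (\S+) dev")


def parse_log(text):
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            date, time, level, msg = m.groups()
            entries.append({"date": date, "time": time, "level": level, "msg": msg})
    return entries


def hardening_warnings(entries):
    """Lines OpenVPN itself flags as insecure configuration (management port, file modes...)."""
    return [e["msg"] for e in entries if e["msg"].startswith("WARNING:")]


def data_channel_errors(entries):
    """Decrypt failures after the tunnel came up; these are not a routing problem."""
    return [e["msg"] for e in entries if "Decrypt error" in e["msg"]]


def initialized(entries):
    return any(e["msg"] == "Initialization Sequence Completed" for e in entries)


def routing_table(entries):
    """Rebuild the R7000's table: the pre-existing default route (best_gw result)
    plus every route OpenVPN added. The log prints 'dev [NULL]', so the device is
    inferred from the next hop: inside the tunnel subnet means tun1, else the LAN device."""
    table, tun_net, tun_dev, lan_dev = [], None, None, None
    for e in entries:
        msg = e["msg"]
        gw = GW_RE.search(msg)
        tun = TUN_RE.search(msg)
        rt = ROUTE_RE.search(msg)
        if gw:
            lan_dev = gw.group(2)
            table.append((ip_network("0.0.0.0/0"), gw.group(1), lan_dev))
        elif tun:
            tun_net, tun_dev = ip_network(tun.group(1), strict=False), tun.group(2)
        elif rt:
            net, via = ip_network(rt.group(1)), rt.group(2)
            dev = tun_dev if tun_net and ip_address(via) in tun_net else lan_dev
            table.append((net, via, dev))
    return table


def lookup(dst, table):
    """Longest-prefix match (all routes here share one metric). The two /1 routes
    pushed by redirect-gateway def1 beat the /0 default; the /32 to the VPN server
    beats both so the encrypted packets themselves still leave via the LAN."""
    dst, best = ip_address(dst), None
    for net, via, dev in table:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via, dev)
    return best


def lan_client_egress(client_gateway, dst, table):
    """A LAN client hands its packet to its own default gateway; the R7000's table
    (and with it tun1) is only ever consulted if that gateway is the R7000."""
    if ip_address(client_gateway) != ip_address(R7000_LAN_IP):
        return "cleartext via %s (R7000 never sees the packet)" % client_gateway
    return "R7000 forwards via %s" % lookup(dst, table)[2]


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print("tunnel initialized:", initialized(entries))
    print("hardening warnings:", *hardening_warnings(entries), sep="\n  ")
    print("data channel errors:", data_channel_errors(entries))
    table = routing_table(entries)
    for net, via, dev in table:
        print("  %-18s via %-15s dev %s" % (net, via, dev))
    for gw in ("192.168.0.1", R7000_LAN_IP):
        print("client using gateway %s -> %s" % (gw, lan_client_egress(gw, "8.8.8.8", table)))
```

Run as-is it reports the tunnel as initialized with tun1 carrying both halves of the address space on the R7000, yet a client whose gateway is 192.168.0.1 still exits in cleartext, which is exactly the "CONNECTED SUCCESS but I still see my IP" symptom. Swap the client's gateway to the R7000 (or give it the guest VAP the reply describes) and the same lookup lands on tun1.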