[SOLVED]OpenVPN: Connecting but no traffic

dr.tech
DD-WRT Novice


Joined: 24 Oct 2011
Posts: 11

Posted: Sun Apr 27, 2025 15:11    Post subject: [SOLVED]OpenVPN: Connecting but no traffic
Apologies if posted in the wrong spot. I have a Netgear R7000 that I used a few years back to act as a VPN router with Windscribe. I recently tried to hook it up again by following the directions on the Windscribe site, but it fails to allow devices to pass through. One thing that is different this time around is that my cable provider only provided a modem with 1 Ethernet output and I am using an EERO device as the main router. So the Netgear R7000 is hooked to a hub that is connected to the EERO.

Looking to see if there is any tweak I am missing.

I have tried with NSCertType verification check on, and then with it unchecked and the remote-cert-tls server command added. Both with the same result. Also tried by adding firewall settings on the R7000 but that was even worse. I am not sure where the 10.112.82.37 is coming from, as the Eero is generating 192.168.4.x addresses and the R7000 is generating 192.168.0.x addresses.

Details on the DD-WRT setup are as follows:
Firmware: DD-WRT v3.0-r33675M kongac (11/03/17)
Time: 11:40:35 up 8:39, load average: 0.02, 0.03, 0.00
WAN IP: 192.168.4.59

The OpenVPN status is as follows:
State
Client: CONNECTED SUCCESS
Local Address: 10.112.82.37
Remote Address: 10.112.82.37

Status
VPN Client Stats
TUN/TAP read bytes 2078
TUN/TAP write bytes 0
TCP/UDP read bytes 5441
TCP/UDP write bytes 4586
Auth read bytes 0
pre-compress bytes 0
post-compress bytes 0
pre-decompress bytes 0
post-decompress bytes 0

Log
Clientlog:
20250427 11:38:00 W WARNING: file '/tmp/openvpncl/ta.key' is group or others accessible
20250427 11:38:00 W WARNING: file '/tmp/openvpncl/credentials' is group or others accessible
20250427 11:38:00 I OpenVPN 2.4.4 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Nov 3 2017
20250427 11:38:00 I library versions: OpenSSL 1.1.0f 25 May 2017 LZO 2.09
20250427 11:38:00 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:16
20250427 11:38:00 W WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
20250427 11:38:00 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
20250427 11:38:00 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
20250427 11:38:00 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
20250427 11:38:03 I TCP/UDP: Preserving recently used remote address: [AF_INET]185.232.22.194:1194
20250427 11:38:03 Socket Buffers: R=[180224->180224] S=[180224->180224]
20250427 11:38:03 I UDPv4 link local: (not bound)
20250427 11:38:03 I UDPv4 link remote: [AF_INET]185.232.22.194:1194
20250427 11:38:03 TLS: Initial packet from [AF_INET]185.232.22.194:1194 sid=ea255e67 18be1769
20250427 11:38:03 W WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
20250427 11:38:03 VERIFY OK: depth=2 C=CA ST=ON L=Toronto O=Windscribe Limited OU=Systems CN=Windscribe Node CA X1
20250427 11:38:03 VERIFY OK: depth=1 C=CA ST=ON L=Toronto O=Windscribe Limited OU=Systems CN=Windscribe Node CA X2
20250427 11:38:03 VERIFY OK: nsCertType=SERVER
20250427 11:38:03 NOTE: --mute triggered...
20250427 11:38:03 5 variation(s) on previous 3 message(s) suppressed by --mute
20250427 11:38:03 W WARNING: 'link-mtu' is used inconsistently local='link-mtu 1602' remote='link-mtu 1549'
20250427 11:38:03 W WARNING: 'comp-lzo' is present in local config but missing in remote config local='comp-lzo'
20250427 11:38:03 W WARNING: 'cipher' is used inconsistently local='cipher AES-256-CBC' remote='cipher AES-256-GCM'
20250427 11:38:03 W WARNING: 'auth' is used inconsistently local='auth SHA512' remote='auth [null-digest]'
20250427 11:38:03 Control Channel: TLSv1.2 cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 4096 bit RSA
20250427 11:38:03 I [jfk-106.windscribe.com] Peer Connection Initiated with [AF_INET]185.232.22.194:1194
20250427 11:38:04 SENT CONTROL [jfk-106.windscribe.com]: 'PUSH_REQUEST' (status=1)
20250427 11:38:04 PUSH: Received control message: 'PUSH_REPLY redirect-gateway def1 rcvbuf 512000 sndbuf 512000 route-gateway 10.112.82.1 topology subnet ping 25 ping-restart 120 dhcp-option DNS 10.255.255.3 ifconfig 10.112.82.37 255.255.254.0 peer-id 32 cipher AES-256-GCM'
20250427 11:38:04 OPTIONS IMPORT: timers and/or timeouts modified
20250427 11:38:04 NOTE: --mute triggered...
20250427 11:38:04 1 variation(s) on previous 3 message(s) suppressed by --mute
20250427 11:38:04 Socket Buffers: R=[180224->360448] S=[180224->360448]
20250427 11:38:04 OPTIONS IMPORT: --ifconfig/up options modified
20250427 11:38:04 OPTIONS IMPORT: route options modified
20250427 11:38:04 OPTIONS IMPORT: route-related options modified
20250427 11:38:04 NOTE: --mute triggered...
20250427 11:38:04 4 variation(s) on previous 3 message(s) suppressed by --mute
20250427 11:38:04 Data Channel: using negotiated cipher 'AES-256-GCM'
20250427 11:38:04 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
20250427 11:38:04 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
20250427 11:38:04 I TUN/TAP device tun1 opened
20250427 11:38:04 TUN/TAP TX queue length set to 100
20250427 11:38:04 D do_ifconfig tt->did_ifconfig_ipv6_setup=0
20250427 11:38:04 I /sbin/ifconfig tun1 10.112.82.37 netmask 255.255.254.0 mtu 1500 broadcast 10.112.83.255
20250427 11:38:04 /sbin/route add -net 185.232.22.194 netmask 255.255.255.255 gw 192.168.4.1
20250427 11:38:04 /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.112.82.1
20250427 11:38:04 /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.112.82.1
20250427 11:38:06 I Initialization Sequence Completed
20250427 11:38:10 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20250427 11:38:10 D MANAGEMENT: CMD 'state'
20250427 11:38:10 MANAGEMENT: Client disconnected
20250427 11:38:10 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20250427 11:38:10 D MANAGEMENT: CMD 'state'
20250427 11:38:10 MANAGEMENT: Client disconnected
20250427 11:38:10 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20250427 11:38:10 D MANAGEMENT: CMD 'state'
20250427 11:38:10 MANAGEMENT: Client disconnected
20250427 11:38:10 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20250427 11:38:10 D MANAGEMENT: CMD 'status 2'
20250427 11:38:10 MANAGEMENT: Client disconnected
20250427 11:38:10 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20250427 11:38:10 D MANAGEMENT: CMD 'log 500'
19691231 20:00:00



kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 16137
Location: Texas, USA

Posted: Sun Apr 27, 2025 17:33
Moved to Advanced Networking because, VPN. You will most likely need to upgrade your firmware due to changes in DD-WRT, vulnerabilities patched since 2017 and VPN providers' updates to VPN servers.

Sticky: OpenVPN guides and documentation

https://download1.dd-wrt.com/dd-wrtv2/downloads/betas/2025/

_________________
"Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Contribute To DD-WRT
Pogo - A minimal level of ability is expected and needed...
RSS feed for DD-WRT releases (2025)
RSS feed for DD-WRT releases (2024)
RSS feed for DD-WRT releases (2023)

----------------------
Linux User #377467 counter.li.org / linuxcounter.net
dr.tech
DD-WRT Novice


Joined: 24 Oct 2011
Posts: 11

Posted: Sun Apr 27, 2025 23:00
Thanks. Will try a firmware upgrade tomorrow using the latest update.
foz111
DD-WRT Guru


Joined: 01 Oct 2017
Posts: 766
Location: Earth

Posted: Mon Apr 28, 2025 9:34
Normally, if it's connecting and no traffic is moving, lower the MTU. Check out egc's PDF:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327398

_________________
Main Router: Dynalink WRX36, PPPoE, Gateway Mode, Network IPV4 - Isolated Vlan's. Unifi AC-Pro x 3 AP's, Router Wi-Fi Disabled. Paid Commercial Wireguard Client's & WG server, DNSMasq, Static Leases with Cloudflare SmartDNS, DNSMasq Adblocking via egc script.

No one can build you the bridge on which you, and only you, must cross the river of life!
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 13656
Location: Netherlands

Posted: Mon Apr 28, 2025 11:35
You really should upgrade to a recent build.

Reset to defaults after upgrade and rebuild from scratch. Do not restore from an old backup, so make screenshots of your settings beforehand.

You can simply import a Windscribe OpenVPN config; no need to set it up manually.

You do seem to be connected at this moment, though. When you have a connection but no traffic, compression and MTU can be the culprit.

Compression is deprecated as it is unsafe, so try with compression disabled and MTU 1400, but with your old build all bets are off.

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
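
The triage egc describes above, sketched as an added example (not part of the thread and not DD-WRT or OpenVPN code): it reads the option-mismatch warnings and status counters from the first post, drops the mismatches that cipher negotiation already settled, and leaves the ones still worth changing. The function names are hypothetical, and the sample input is constructed from lines quoted in that post.

```python
import re

# Constructed sample: lines taken from the client log and status in the first post.
SAMPLE_LOG = """\
20250427 11:38:03 W WARNING: 'link-mtu' is used inconsistently local='link-mtu 1602' remote='link-mtu 1549'
20250427 11:38:03 W WARNING: 'comp-lzo' is present in local config but missing in remote config local='comp-lzo'
20250427 11:38:03 W WARNING: 'cipher' is used inconsistently local='cipher AES-256-CBC' remote='cipher AES-256-GCM'
20250427 11:38:03 W WARNING: 'auth' is used inconsistently local='auth SHA512' remote='auth [null-digest]'
20250427 11:38:04 Data Channel: using negotiated cipher 'AES-256-GCM'
"""
SAMPLE_STATUS = "TUN/TAP read bytes 2078\nTUN/TAP write bytes 0\n"

# Commas are optional because log viewers differ in how they print these lines.
INCONSISTENT = re.compile(
    r"WARNING: '([^']+)' is used inconsistently,? local='([^']*)',? remote='([^']*)'")
ONE_SIDED = re.compile(
    r"WARNING: '([^']+)' is present in (local|remote) config but missing in "
    r"(?:local|remote) config,? (?:local|remote)='([^']*)'")
NEGOTIATED = re.compile(r"Data Channel: using negotiated cipher '([^']+)'")

def option_mismatches(log):
    """Return {option: (local, remote)}; None marks the side that lacks the option."""
    found = {}
    for m in INCONSISTENT.finditer(log):
        found[m.group(1)] = (m.group(2), m.group(3))
    for m in ONE_SIDED.finditer(log):
        value = m.group(3)
        found[m.group(1)] = (value, None) if m.group(2) == "local" else (None, value)
    return found

def unresolved(log):
    """Drop mismatches that negotiation already settled; return the rest, sorted."""
    mismatches = option_mismatches(log)
    neg = NEGOTIATED.search(log)
    if neg:
        cipher = neg.group(1)
        if mismatches.get("cipher", (None, None))[1] == "cipher " + cipher:
            del mismatches["cipher"]          # both ends now use the negotiated cipher
            if cipher.endswith("-GCM"):
                mismatches.pop("auth", None)  # AEAD data channel does not use the --auth digest
    return sorted(mismatches)

def tunnel_is_one_way(status):
    """True when packets are read from the tun device but none are written back to it."""
    counters = dict(re.findall(r"TUN/TAP (read|write) bytes (\d+)", status))
    return int(counters.get("read", 0)) > 0 and int(counters.get("write", 0)) == 0
```

On the posted log this leaves `comp-lzo` and `link-mtu` as the open mismatches, which lines up with the advice to disable compression and lower the MTU.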
dr.tech
DD-WRT Novice


Joined: 24 Oct 2011
Posts: 11

Posted: Mon Apr 28, 2025 15:00
Thanks for all the help. I did update the DD-WRT firmware to today's beta for the R7000. Then installed the WireGuard script for Windscribe. Slick as sn.t! Much easier than messing around with the old OpenVPN build that this 73 year old had!!