dd-wrt and openvpn cert authentication

techguy34
DD-WRT Novice


Joined: 28 Sep 2010
Posts: 2

PostPosted: Tue Sep 28, 2010 20:38    Post subject: dd-wrt and openvpn cert authentication
Hi,

I have been trying to get certificate based authentication working on my openvpn server for quite a while now. I was finally able to generate the 3 certificates I need. I have been trying to get my test client to access the vpn but so far I have no luck. What I need is for 3 clients to access the vpn at the same time. Each client will have a static IP so there is no need for DHCP. There is no need for a WINS server as the clients will access 1 server via IP.

My test setup is my windows 7 64bit PC with an IP of 10.100.159.10 trying to vpn into 10.100.159.9 public (192.168.1.1 private) and access a server 192.168.1.55 on the vpn segment. The firewall is setup to allow port 1194 in.

The router is a Linksys WRT300N running dd-wrt build 13525 as that seems to be the recommended firmware version per http://www.dd-wrt.com/phpBB2/viewtopic.php?t=52043

What am I doing wrong?

This is the client config
client
dev tun
proto udp
remote 10.100.159.9 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server
verb 3
ifconfig 192.168.1.2 192.168.1.1

This is the server config
mode server
proto udp
port 1194
dev tun0
keepalive 10 120
verb 3
tls-server
ifconfig 192.168.1.1 192.168.1.2
ca /tmp/ca.crt
cert /tmp/cert.pem
key /tmp/key.pem
dh /tmp/dh1024.pem

This is from when the client connects to the server:
Thu Sep 23 10:53:25 2010 OpenVPN 2.1.3 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Aug 20 2010
Thu Sep 23 10:53:25 2010 WARNING: using --pull/--client and --ifconfig together is probably not what you want
Thu Sep 23 10:53:25 2010 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Thu Sep 23 10:53:26 2010 Control Channel MTU parms [ L:1541 D:138 EF:38 EB:0 ET:0 EL:0 ]
Thu Sep 23 10:53:26 2010 Socket Buffers: R=[8192->8192] S=[8192->8192]
Thu Sep 23 10:53:26 2010 Data Channel MTU parms [ L:1541 D:1450 EF:41 EB:4 ET:0 EL:0 ]
Thu Sep 23 10:53:26 2010 Local Options hash (VER=V4): '3514370b'
Thu Sep 23 10:53:26 2010 Expected Remote Options hash (VER=V4): '239669a8'
Thu Sep 23 10:53:26 2010 UDPv4 link local: [undef]
Thu Sep 23 10:53:26 2010 UDPv4 link remote: 10.100.159.9:1194
Thu Sep 23 10:53:26 2010 TLS: Initial packet from 10.100.159.9:1194, sid=ee5ac20d 37e78461
Thu Sep 23 10:53:26 2010 VERIFY OK: depth=1, cert info removed
Thu Sep 23 10:53:26 2010 VERIFY OK: nsCertType=SERVER
Thu Sep 23 10:53:26 2010 VERIFY OK: depth=0, cert info removed
Thu Sep 23 10:53:26 2010 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Sep 23 10:53:26 2010 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Sep 23 10:53:26 2010 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Sep 23 10:53:26 2010 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Sep 23 10:53:26 2010 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Thu Sep 23 10:53:26 2010 [server] Peer Connection Initiated with 10.100.159.9:1194
Thu Sep 23 10:53:28 2010 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Thu Sep 23 10:53:28 2010 PUSH: Received control message: 'PUSH_REPLY,ping 10,ping-restart 120'
Thu Sep 23 10:53:28 2010 OPTIONS IMPORT: timers and/or timeouts modified
Thu Sep 23 10:53:28 2010 TAP-WIN32 device [Local Area Connection 2] opened: \\.\Global\{526052F7-972B-4E3F-9929-6D12839B40B9}.tap
Thu Sep 23 10:53:28 2010 TAP-Win32 Driver Version 9.7
Thu Sep 23 10:53:29 2010 TAP-Win32 MTU=1500
Thu Sep 23 10:53:29 2010 Notified TAP-Win32 driver to set a DHCP IP/netmask of 192.168.1.2/255.255.255.252 on interface {526052F7-972B-4E3F-9929-6D12839B40B9} [DHCP-serv: 192.168.1.1, lease-time: 31536000]
Thu Sep 23 10:53:29 2010 Successful ARP Flush on interface [16] {526052F7-972B-4E3F-9929-6D12839B40B9}
Thu Sep 23 10:53:34 2010 TEST ROUTES: 0/0 succeeded len=-1 ret=1 a=0 u/d=up
Thu Sep 23 10:53:34 2010 Initialization Sequence Completed


From the server's log:
Sep 23 10:38:41 dd-wrt daemon.notice openvpn[6006]: MULTI: multi_create_instance called
Sep 23 10:38:41 dd-wrt daemon.notice openvpn[6006]: 10.100.159.10:51538 Re-using SSL/TLS context
Sep 23 10:38:41 dd-wrt daemon.notice openvpn[6006]: 10.100.159.10:51538 Control Channel MTU parms [ L:1541 D:138 EF:38 EB:0 ET:0 EL:0 ]
Sep 23 10:38:41 dd-wrt daemon.notice openvpn[6006]: 10.100.159.10:51538 Data Channel MTU parms [ L:1541 D:1450 EF:41 EB:4 ET:0 EL:0 ]
Sep 23 10:38:41 dd-wrt daemon.notice openvpn[6006]: 10.100.159.10:51538 TLS: Initial packet from 10.100.159.10:51538, sid=767b5896 850803e7
Sep 23 10:38:41 dd-wrt daemon.notice openvpn[6006]: 10.100.159.10:51538 VERIFY OK: depth=1, cert info removed
Sep 23 10:38:41 dd-wrt daemon.notice openvpn[6006]: 10.100.159.10:51538 VERIFY OK: depth=0, cert info removed
Sep 23 10:38:42 dd-wrt daemon.notice openvpn[6006]: 10.100.159.10:51538 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sep 23 10:38:42 dd-wrt daemon.notice openvpn[6006]: 10.100.159.10:51538 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sep 23 10:38:42 dd-wrt daemon.notice openvpn[6006]: 10.100.159.10:51538 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sep 23 10:38:42 dd-wrt daemon.notice openvpn[6006]: 10.100.159.10:51538 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sep 23 10:38:42 dd-wrt daemon.notice openvpn[6006]: 10.100.159.10:51538 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Sep 23 10:38:42 dd-wrt daemon.notice openvpn[6006]: 10.100.159.10:51538 [test-pc1] Peer Connection Initiated with 10.100.159.10:51538
Sep 23 10:38:42 dd-wrt daemon.err openvpn[6006]: test-pc1/10.100.159.10:51538 MULTI: no dynamic or static remote --ifconfig address is available for test-pc1/10.100.159.10:51538
Sep 23 10:38:44 dd-wrt daemon.notice openvpn[6006]: test-pc1/10.100.159.10:51538 PUSH: Received control message: 'PUSH_REQUEST'
Sep 23 10:38:44 dd-wrt daemon.notice openvpn[6006]: test-pc1/10.100.159.10:51538 SENT CONTROL [test-pc1]: 'PUSH_REPLY,ping 10,ping-restart 120' (status=1)
Sash
DD-WRT Guru


Joined: 20 Sep 2006
Posts: 17619
Location: Hesse/Germany

PostPosted: Wed Sep 29, 2010 12:46    Post subject:
Have you checked the open.net FAQ/handbook?
_________________
Forum Guidelines...How to get help & Forum Rules & RTFM/STFW & Throw some buzzwords into the WIKI search
I'm NOT rude, just offer pure facts!
Atheros (TP-Link & Clones, etc ) debrick service in EU
Guide on HowTo be Safe, Secure and Protect Your Online Anonymity!
techguy34
DD-WRT Novice


Joined: 28 Sep 2010
Posts: 2

PostPosted: Fri Oct 01, 2010 1:21    Post subject:
Sash wrote:
have u checked the open.net faq/handbook?


If you mean http://openvpn.net/index.php/open-source/faq then yes I have. It was how I was able to get so far.

Thanks,
vpritiskovic
DD-WRT User


Joined: 28 Aug 2009
Posts: 248
Location: Dalmatia, Croatia

PostPosted: Fri Oct 01, 2010 18:11    Post subject:
Try this!

SERVER:
*****************************************
*****************************************
port 1194
proto udp
dev tun
ca /tmp/ca.crt
cert /tmp/server.crt
key /tmp/server.key
dh /tmp/dh1024.pem
server 10.10.10.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
client-to-client
keepalive 10 120
management localhost 5001
*****************************************
*****************************************

CLIENT:
*****************************************
*****************************************
client
dev tun
proto udp
remote myvpn.server.domain 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
***********************************
*****************************************

_________________
DD-WRT v24-sp2 (01/21/12) std - build 18613 @SX763
DD-WRT v24-sp2 (10/12/12) std - build 20119 @WZR-HP-G300NH (b0 b0)
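As an added example (not code from the thread, from DD-WRT or from the OpenVPN project), here is a small Python linter that catches what the two logs in the first post are reporting. The original server config has `tls-server`/`mode server` and a point-to-point `ifconfig` but no address pool, which is why the router logs `MULTI: no dynamic or static remote --ifconfig address is available`; the original client combines `client` with a static `ifconfig`, which OpenVPN itself warns about. Run against vpritiskovic's suggested configs, the pool check passes and two other things a reviewer would want flagged show up: `management localhost 5001` has no password file, and the suggested client config dropped `ns-cert-type server`, so nothing ties the peer certificate to the server role. The lint rules, and `remote-cert-tls` as the newer spelling of that check, are this example's own assumptions; the sample configs are abridged from the posts above.

```python
"""Lint the OpenVPN configs from this thread for the address-assignment
mistake behind the 'no ... --ifconfig address' error, plus two hardening
gaps. Added example, not code from the thread, DD-WRT or OpenVPN; sample
configs are abridged from the posts, lint rules are this example's own."""
import shlex
from typing import List, Tuple

Directive = Tuple[str, List[str]]
Finding = Tuple[str, str]  # (level, message)


def parse_config(text: str) -> List[Directive]:
    """(directive, args) per line; '#'/';' comments skipped; shlex keeps a
    quoted argument like push "route ..." as one token, as OpenVPN does."""
    out: List[Directive] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#;":
            parts = shlex.split(line)
            out.append((parts[0], parts[1:]))
    return out


def _has(d: List[Directive], name: str) -> bool:
    return any(n == name for n, _ in d)


def lint_server(text: str) -> List[Finding]:
    d = parse_config(text)
    out: List[Finding] = []
    multi = _has(d, "server") or _has(d, "tls-server") or ("mode", ["server"]) in d
    pool = _has(d, "server") or _has(d, "ifconfig-pool") or _has(d, "server-bridge")
    if multi and not pool:
        # The original server config: tls-server plus a point-to-point
        # ifconfig, but nothing to hand out to connecting clients.
        out.append(("error", "no address pool: add 'server <net> <mask>' (or "
                    "ifconfig-pool / per-client ifconfig-push), else every client "
                    "gets 'MULTI: no dynamic or static remote --ifconfig address'"))
    for name, args in d:
        if name == "management":
            # Syntax: management IP port [pw-file]. Without the password file,
            # anything that reaches the socket can drive the daemon.
            if len(args) < 3:
                out.append(("warn", "management interface has no password file"))
            if args and args[0] not in ("127.0.0.1", "localhost"):
                out.append(("warn", f"management bound to {args[0]}, not loopback"))
    return out


def lint_client(text: str) -> List[Finding]:
    d = parse_config(text)
    out: List[Finding] = []
    if (_has(d, "client") or _has(d, "pull")) and _has(d, "ifconfig"):
        # Matches OpenVPN's own warning in the client log above.
        out.append(("warn", "'client' pulls its address from the server; a "
                    "static 'ifconfig' here conflicts with the pushed one"))
    if not (_has(d, "remote-cert-tls") or _has(d, "ns-cert-type")):
        # Without this, any cert the CA signed (another client's, say)
        # would be accepted as the server's.
        out.append(("warn", "no 'remote-cert-tls server' / 'ns-cert-type "
                    "server': server cert not distinguished from client certs"))
    return out


# Abridged from the thread (certificate/key paths omitted, they do not
# affect these checks). ORIGINAL_* are the first post, FIXED_* the reply.
ORIGINAL_SERVER = """
mode server
dev tun0
tls-server
ifconfig 192.168.1.1 192.168.1.2
"""
ORIGINAL_CLIENT = """
client
remote 10.100.159.9 1194
ns-cert-type server
ifconfig 192.168.1.2 192.168.1.1
"""
FIXED_SERVER = """
dev tun
server 10.10.10.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
client-to-client
management localhost 5001
"""
FIXED_CLIENT = """
client
remote myvpn.server.domain 1194
"""

if __name__ == "__main__":  # lint all four configs posted in the thread
    for label, fn, cfg in (("original server", lint_server, ORIGINAL_SERVER),
                           ("original client", lint_client, ORIGINAL_CLIENT),
                           ("suggested server", lint_server, FIXED_SERVER),
                           ("suggested client", lint_client, FIXED_CLIENT)):
        print(label, fn(cfg) or "clean")
```

Because the first post wants each of the three clients on a fixed address, note that `server 10.10.10.0 255.255.255.0` alone hands out dynamic pool addresses; fixed per-client addresses are normally done with `client-config-dir` and an `ifconfig-push` line in each client's file, which the pool check above also accepts.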