Posted: Thu Jan 06, 2011 17:19 Post subject: WNDR3700 build issue? OpenVPN disconnecting
Hello team,
I have been working with dd-wrt for over two years, with different routers, always Linksys: WRT320N mainly, some WRT160s, etc. I normally use BIG or MEGA, or custom builds for OpenVPN when RAM is 4 meg. Never had any issues. Have my own OpenVPN servers running on different locations (colocated servers).
WNDR3700 is a new animal for me. I decided to make the shift when I found that it had the new Atheros 680 MHz processor. Speed is an issue for a client of mine, so due to the CPU usage in encryption, 680 MHz gives me a much higher throughput (ca. 11 Mbps), versus the WRT320N with 354 MHz, ca. 7 Mbps.
Anyway, the point:
For some strange reason, the WNDR3700 severs the connection (it completely stops routing traffic) when an upload occurs. I noticed this during the upload tests on various pages such as speedtest.net / speakeasy.net/speedtest / and some text and Java versions as well.
Otherwise, the tunnel is stable. Whenever an upload occurs, everything stops routing. As soon as I kill the OpenVPN process through the terminal, everything resumes promptly.
I have NEVER had this happen to me on any of the other routers, and the config for OpenVPN is the same. I have another E2000, E3000, and WRT320N, and they don't have this issue. It's only the WNDR3700.
Syslog does not show anything (/var/log/messages). I tried to check if it was an iptables issue; I flushed the NAT, and routed traffic again normally, as well as through tun0. Nothing.
I can still access 192.168.1.1, however, when this happens.
I have no idea why this is. I've upgraded to new firmware (the new 01/03/2011 .6.98 stock), then gone to dd-wrt, webflashed, a whole number of things, and no joy.
Is this a quirk? I have been googling for the better part of three days and haven't found anything similar.
It ONLY happens with OpenVPN active. Without OpenVPN, everything works peachy keen. Upload through speedtest, and everything.
I tried to reproduce the error with any other things that would hang the router up, and the only thing that did so was my trying to access the internal IPs through the tun0 IP from another location.
Example:
tun0 established with IP 10.8.5.10. I go to another location and access http://10.8.5.10 (on all my other routers it works just fine, by forwarding port 80 and/or disabling the firewall), and with this one, it hangs.
The weird part is that the connection REMAINS ACTIVE to the OpenVPN server. Just no traffic whatsoever.
Posted: Thu Jan 06, 2011 17:40 Post subject: Configs
I'll include a few configs that I use; they work perfectly with all other builds I've ever used on dd-wrt: WRT320Ns, WRT160Ns, WRT54G, even some x86 custom boxes.
This one is the only quirky one I've ever come across, and it ONLY happens when doing an upload through speedtest. I've tried modifying QoS. Bit stumped, really :(
This is my basic SH script so I can avoid the pesky "easy way" and all that that turns out not to be easy at all. It works perfectly for all dd-wrt builds I have ever built.
Code:
#!/bin/sh
# Clear any openvpn* variables left behind by the web GUI's "easy way" so they cannot interfere.
for i in `nvram show|grep openvpn|cut -d '=' -f1`; do nvram unset $i; done
# Startup script: unpack the config and the up/down helpers from nvram into /tmp/ovpn
# and install a wanup hook that (re)starts openvpn once the WAN link comes up.
nvram set rc_startup='mkdir /tmp/ovpn
cd /tmp/ovpn
nvram get ovpn_up>up
nvram get ovpn_dn>dn
chmod +x up dn
nvram get ovpn_cfg>ovpn.conf
mkdir -p /tmp/etc/config
echo -e "#!/bin/sh\nkillall openvpn\nping -c10 localhost\nkillall openvpn\nopenvpn --daemon --config /tmp/ovpn/ovpn.conf">/tmp/etc/config/ovpn.wanup
chmod +x /tmp/etc/config/ovpn.wanup'
nvram set ovpn_cfg='remote IP_ADDRESS PORT
proto udp
tls-auth ta.key 1
client
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
verb 2
mute 20
cipher BF-CBC
keepalive 10 120
route-up "/tmp/ovpn/up"
down "/tmp/ovpn/dn"
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
*cut for security purposes*
-----END OpenVPN Static key V1-----
</tls-auth>
<ca>
-----BEGIN CERTIFICATE-----
*cut*
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
*CUT*
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
*cut*
-----END RSA PRIVATE KEY-----
</key>
<dh>
-----BEGIN DH PARAMETERS-----
*cut*
-----END DH PARAMETERS-----
</dh>
'
# route-up script: masquerade LAN traffic out of the tunnel and switch the resolver
# files to the DNS servers pushed by the server (OpenVPN exports them as foreign_option_N).
nvram set ovpn_up='#!/bin/sh
iptables -t nat -A POSTROUTING -o $dev -j MASQUERADE
for R in /tmp/resolv.conf /tmp/resolv.dnsmasq; do
  mv $R $R~
  for O in "$foreign_option_1" "$foreign_option_2"; do
    P="$O"
    p1=$(echo "$P" | cut -d " " -f1)
    if [ "$p1" = "dhcp-option" ]; then
      p2=$(echo "$P" | cut -d " " -f2)
      p3=$(echo "$P" | cut -d " " -f3)
      if [ "$p2" = "DNS" ] ; then
        echo "nameserver $p3">>$R
      fi
    fi
  done
done
'
# down script: undo the NAT rule, put the original resolver files back and reload dnsmasq.
nvram set ovpn_dn='#!/bin/sh
iptables -t nat -D POSTROUTING -o $dev -j MASQUERADE
for R in /tmp/resolv.conf /tmp/resolv.dnsmasq; do
  mv $R~ $R
done
killall -HUP dnsmasq'
nvram commit
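As an added example (not the thread's own script), here is a POSIX sh version of the DNS part of the up/down scripts above that walks every foreign_option_N OpenVPN exports instead of only the first two, and ignores pushed values that are not plain digits-and-dots addresses, since they come from the remote server and are word-split into shell commands; the function names pushed_nameservers, install_resolv and restore_resolv are chosen here.

```shell
#!/bin/sh
# Added example, not the script from the thread. OpenVPN exports each option the
# server pushed as foreign_option_1, foreign_option_2, ... to its up/route-up
# scripts. This walks all of them (the thread's script reads only the first two),
# keeps only "dhcp-option DNS <addr>" entries whose address is digits and dots,
# and swaps the resolver file in and out the way the thread's up/dn scripts do.

# Print "nameserver <addr>" for every DNS server the OpenVPN server pushed.
pushed_nameservers() {
    n=1
    while :; do
        eval "opt=\${foreign_option_$n:-}"
        [ -n "$opt" ] || break          # options are numbered without gaps
        set -f                          # no globbing: the value came from the server
        set -- $opt                     # split into keyword / key / value
        set +f
        if [ "$1" = "dhcp-option" ] && [ "$2" = "DNS" ]; then
            case "$3" in
                "" | *[!0-9.]*) ;;      # not a plain address: ignore it
                *) printf 'nameserver %s\n' "$3" ;;
            esac
        fi
        n=$((n + 1))
    done
}

# Replace resolver file $1 with the pushed servers, saving the old one as $1~.
# Leaves the file alone when nothing usable was pushed.
install_resolv() {
    servers=$(pushed_nameservers)
    [ -n "$servers" ] || return 0
    [ -f "$1" ] && mv "$1" "$1~"
    printf '%s\n' "$servers" > "$1"
}

# Put the saved resolver file back (the down-script side).
restore_resolv() {
    [ -f "$1~" ] && mv "$1~" "$1"
    return 0
}
```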
Posted: Thu Jan 06, 2011 17:44 Post subject: /var/log/messages and Build
Hey, so just a bit more data:
Code:
Warning: Permanently added '10.8.0.86' (RSA) to the list of known hosts.
DD-WRT v24-sp2 std (c) 2010 NewMedia-NET GmbH
BUILD 15962 (12/24/2010)
Code:
Jan 6 09:53:55 TRONIXWRTIX daemon.notice openvpn[1884]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Jan 6 09:53:55 TRONIXWRTIX daemon.notice openvpn[1884]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jan 6 09:53:55 TRONIXWRTIX daemon.notice openvpn[1884]: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Jan 6 09:53:55 TRONIXWRTIX daemon.notice openvpn[1884]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jan 6 09:53:55 TRONIXWRTIX daemon.notice openvpn[1884]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Jan 6 09:53:55 TRONIXWRTIX daemon.notice openvpn[1884]: [server] Peer Connection Initiated with ******
Jan 6 09:53:57 TRONIXWRTIX daemon.notice openvpn[1884]: TUN/TAP device tun0 opened
Jan 6 09:53:57 TRONIXWRTIX daemon.notice openvpn[1884]: /sbin/ifconfig tun0 10.8.0.86 pointopoint 10.8.0.85 mtu 1500
Jan 6 09:53:57 TRONIXWRTIX daemon.notice openvpn[1884]: Initialization Sequence Completed
Thanks, I actually tried going mssfix 1200, 1300, 1100 (various settings), all the way down to 1000, to no avail.
MTU is set at the default 1500 (haven't specified an option), and I don't use fragment.
No other routers have issues, so I don't know why this one would, through the same ISP, same line, same everything.
Is it possible that this one would?
I wouldn't like to touch mtu and fragment on the server because I have to fix all the others connected to it remotely, and they are working fine...
Many thanks for your input. Thoughts?
My thoughts on this would be: is it possible that because this one has a 680 MHz processor and thus routes traffic faster, it is more saturated than the 354 MHz Broadcom on the WRT320N? That one routes 7 Mbps no problem...
But this one, which gets all the way up to 12, does have issues. Would that even have anything to do with it?
Also, by the way, connected via software (the openvpn-network-manager package in Ubuntu) it routes my full speed with no issue, same config (Core i3, so obviously it wouldn't be). But if it were MTU, wouldn't the disconnect also happen on software?
Been fooling around with tun-mtu, mssfix and fragment for the better part of the afternoon and evening. Lowered tun-mtu to 1450, to 1400, fragment and mssfix always lower of course, sometimes only tun-mtu, etcetera etcetera. No luck.
Same issue. Router goes kaput with upload (it doesn't even start to upload).
Weird thing is though, I can still ping the OpenVPN server. That's the only route still active once it goes kaput.
Is there another WNDR that you can test with ...? Answer is probably 'no', but I wanted to ask.
_________________
1 * DIR-866L - 29193 Mega (Main Gateway)
1 * EA4200 - 29193 Mega (Main Gateway)
1 * EA6500 - 29193 Mega (Repeater Bridge)
1 * EA6500v2 - 29193 Mega (Repeater Bridge)
1 * WRT610N - 29193 Mega (Repeater Bridge)
===================================
SOLVED!! Oh how I do enjoy solving these. Three sleepless nights and a few headaches later, it turned out that after I tried all tun-mtu, mssfix and fragment settings KNOWN TO MAN to no avail, I decided to enable LZO compression, even though on my other routers I never have.
As soon as I added
comp-lzo
it worked like a CHARM. No disconnects, no nothing.
Leaving this so that anyone who comes across this in the future can benefit.
Sadly, I thought it had been fixed (it doesn't disconnect automatically at upload with comp-lzo on), and now it selectively stops routing traffic; 4 or 5 minutes pass and it starts up again through the VPN. Very frustrated with this.
I have absolutely no issue with 11 deployed Linksys WRT320Ns, all connecting to the same OpenVPN server.
This pos is the only one I can't seem to get to work properly.
Could this be a build issue? I've tried reflashing to almost all the revisions, going back to stock first. No joy.
Could be a hardware problem too... make sure you have sufficient ventilation and airflow.
See if you can get your hands on another WNDR, or better, since you have good experience with Linksys, stick with it, get another one.
I have three WNDR3700 routers. Two are v2, one is v1. If I understand correctly, you'd like to set up a WNDR3700 as an OpenVPN server? Either way, server or client, PM me and maybe I can squeeze in some time over the weekend to help you. I haven't bothered with OpenVPN (currently using PPTP), because I ended up temp bricking my WNR3500L when the certs overflowed the nvram config space. I'm willing to give it a try again, though. GMT-8