Problem with getting an OpenVPN to work - help needed

DD-WRT Forum Index -> Broadcom SoC based Hardware
telemach
DD-WRT Novice


Joined: 02 Feb 2007
Posts: 31

PostPosted: Sun Feb 04, 2007 22:02    Post subject: Problem with getting an OpenVPN to work - help needed
My configuration :
WRT54GS v.1 with DD-WRT v24 Beta (01/27/07) vpn

I've followed the instructions in the Wiki HOWTO; however, entering commands using the web method does not seem to work, so I've logged in by SSH and started entering commands manually.
I've also copied the keys and the openvpn.conf file to /tmp/openvpn.

I don't know what more can be done; the service is not working, port 1194 is not open and the openvpn client reports that the connection is 'reset by peer'.

Can you tell me what I should see after typing this command?

Code:
ps | grep openvpn


This is what it gives me:

Code:
860 root        380 S   grep openvpn
placebo
DD-WRT User


Joined: 15 Sep 2006
Posts: 200

PostPosted: Mon Feb 05, 2007 13:46    Post subject: Re: Problem with getting an OpenVPN to work - help needed
telemach wrote:
I don't know what more can be done; the service is not working, port 1194 is not open and the openvpn client reports that the connection is 'reset by peer'.

If port 1194 isn't open, how are you establishing a connection that eventually gets reset by the router?

Quote:
Can you tell me what I should see after typing this command?

Code:
ps | grep openvpn

This is what it gives me:

Code:
860 root        380 S   grep openvpn

Not only that. You should see a line with something like "openvpn --config openvpn.conf".
iduff
DD-WRT Novice


Joined: 23 Jan 2007
Posts: 7

PostPosted: Mon Feb 05, 2007 13:59    Post subject:
I had similar problems on v23 SP2 vpn; careful checking allowed me to realize I had a typo in my startup script.

Stating the obvious, and what probably only applies to me <grin>, check what you are entering via SSH carefully to ensure no fatfingers/braincramps.

HTH,

-Ian Duff.
telemach
DD-WRT Novice


Joined: 02 Feb 2007
Posts: 31

PostPosted: Mon Feb 05, 2007 18:33    Post subject:
I've followed the instructions in the Wiki but whatever I do, the port is not open.
OK, let's start from the top:

While out, I want to have access to the computers on my LAN and use my home broadband connection.

I have all the necessary certificates and keys.

As I understand it, I need to create an example.startup file and a server.conf file.

Shall the content look like this?

example.startup
Code:

#!/bin/sh
# Open the OpenVPN port on the router's INPUT chain before the daemon starts
/usr/sbin/iptables -I INPUT -p udp --dport 1194 -j ACCEPT
# Run the binary through a symlink in /jffs/tmp; the symlink (myvpn) is the only
# openvpn binary in that directory, so it is used for both commands below
ln -s /usr/sbin/openvpn /jffs/tmp/myvpn
cd /jffs/tmp
# Create the persistent tap0 device, bridge it to the LAN and bring it up
./myvpn --mktun --dev tap0
brctl addif br0 tap0
ifconfig tap0 0.0.0.0 promisc up
sleep 5
./myvpn --config server.conf --daemon



server.conf
Code:

mode server
tls-server
port 1194
proto udp-server
dev tap0                          # bridged tap device created by the startup script

# Certificates and keys (relative to the directory openvpn is started from)
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem

#These IP addresses need to be changed to be *your* ddwrt LAN addresses ...
push "route-gateway 192.168.3.1"
push "dhcp-option DNS 192.168.3.1"

client-to-client                  # allow connected clients to reach each other

keepalive 15 60                   # ping every 15 s, restart after 60 s of silence

comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3

daemon
duplicate-cn                      # allow several clients with the same certificate



Now I need to create a folder /jffs/tmp and copy all these files there?

In the Wiki I've found that a *.startup file placed in any of these locations will be run at startup:

* /etc/config
* /mmc/etc/config
* /jffs/etc/config

So can I copy my example.startup to the /etc/config or /jffs/etc/config folder, reboot and have OpenVPN working and the port open?

When I type the commands manually, this is what I get:

Code:

~ # openvpn --mktun --dev tap0
Mon Feb  5 19:29:42 2007 TUN/TAP device tap0 opened
Mon Feb  5 19:29:42 2007 Persist state set to: ON
~ # brctl addif br0 tap0
device tap0 is already a member of a bridge; can't enslave it to bridge br0.


I don't use the 'web method' because there is some sort of limitation on how much code you can insert, so it creates .rc_startup in the /tmp folder which ends in the middle of my dh file, making this file incorrect. I'm also unable to delete this code from the file because clicking edit only allows you to delete something; you can't delete everything nor add anything more. I can copy an .rc_startup file to the router but after a reboot it will be replaced with the trash stored by the 'web method'. This is why I avoid the web method. I have a WRT54GS so I want to have my VPN on JFFS, not in RAM.

I'm thinking about reflashing to v23 SP2 or SP3.


Last edited by telemach on Mon Feb 05, 2007 19:57; edited 2 times in total
cyberde
DD-WRT Guru


Joined: 07 Jun 2006
Posts: 1488
Location: the Netherlands

PostPosted: Mon Feb 05, 2007 19:40    Post subject:
Looks like your script is executing since it says tap0 is already bridged.

Here's my config. I don't use certificates, just one connection (although I'm planning to change my config so it allows simultaneous connections).

openvpn.conf:
Code:
proto tcp-server                     # Setup the protocol (server)
port 443                             # TCP/UDP port number
dev tap0                             # TUN/TAP virtual network device
keepalive 15 60                      # Simplify the expression of --ping
daemon                               # Become a daemon after all initialization
verb 3                               # Set output verbosity to n
comp-lzo                             # Use fast LZO compression
secret /mmc/etc/config/openvpn.key   # OpenVPN static key


My OpenVPN server is stored on an SD card so I also need to load the libraries needed by OpenVPN.

openvpn.startup (located in /mmc/etc/config/):
Code:
#!/bin/sh
# Create the persistent tap0 device with the OpenVPN binary on the SD card,
# bridge it to the LAN and bring it up
/mmc/usr/sbin/openvpn --mktun --dev tap0
brctl addif br0 tap0
ifconfig tap0 0.0.0.0 promisc up
# Run the daemon through a symlink in /tmp
ln -s /mmc/usr/sbin/openvpn /tmp/myvpn
# The crypto, LZO and SSL libraries also live on the SD card, so preload them
# for this one command only
export LD_PRELOAD='/mmc/usr/lib/libcrypto.so.0.9.8:/mmc/usr/lib/liblzo2.so.2:/mmc/usr/lib/libssl.so.0.9.8'
/tmp/myvpn --config /mmc/etc/config/openvpn.conf
unset LD_PRELOAD


Maybe this helps :)

Also, your certificates need to be exactly as they were generated, including line breaks etc.
Also be sure you don't have extra line breaks in comments etc.

[edit]
Another thing I noticed: try the full path to the config file as the parameter; that could be the problem too.

_________________
Firmware: DD-WRT v24-sp2 (latest available) mega
WRT320N

Donater
placebo
DD-WRT User


Joined: 15 Sep 2006
Posts: 200

PostPosted: Mon Feb 05, 2007 23:08    Post subject:
telemach wrote:
server.conf
Code:

mode server
tls-server
port 1194
proto udp-server
dev tap0

I think "proto udp-server" should be just "proto udp".

Quote:
I don't use the 'web method' because there is some sort of limitation on how much code you can insert, so it creates .rc_startup in the /tmp folder which ends in the middle of my dh file, making this file incorrect.

That could also be a browser issue, or maybe you're running out of NVRAM.

Quote:
I'm also unable to delete this code from file because clicking edit allows you only to delete something; you can't delete everything nor add something more.

I don't understand what you mean. Why can't you delete everything?

Try to ssh in and issue the command nvram unset rc_startup to get rid of the unwanted script.
telemach
DD-WRT Novice


Joined: 02 Feb 2007
Posts: 31

PostPosted: Mon Feb 05, 2007 23:35    Post subject:
placebo wrote:
maybe you're running out of NVRAM.


How do I check that?


placebo wrote:

I don't understand what you mean. Why can't you delete everything?


That's irrelevant right now as I solved this problem.

Quote:
I think "proto udp-server" should be just "proto udp".


Changed, but it didn't help.

I think the real problem is this:

Code:
device tap0 is already a member of a bridge; can't enslave it to bridge br0.


The script probably stops at this point and openvpn is not running.
placebo
DD-WRT User


Joined: 15 Sep 2006
Posts: 200

PostPosted: Tue Feb 06, 2007 7:17    Post subject:
telemach wrote:
placebo wrote:
maybe you're running out of NVRAM.

How do I check that?

Use the command nvram show. At the end, it will tell you how much space is left.

Quote:
I think the real problem is this:

Code:
device tap0 is already a member of a bridge; can't enslave it to bridge br0.

The script probably stops at this point and openvpn is not running.

Scripts typically don't just stop in the middle because a step fails.
telemach
DD-WRT Novice


Joined: 02 Feb 2007
Posts: 31

PostPosted: Mon Feb 12, 2007 18:08    Post subject:
cyberde wrote:

Another thing I noticed: try the full path to the config file as the parameter; that could be the problem too.


Thanks, this was also a part of the problem. There is some mess in the Wiki; reading up on openvpn is crucial. Now I have everything working smoothly and installed in jffs; no rc_startup or rc_firewall is needed.

One hint for people having problems with openvpn:

Add this to your server.conf:

Code:

log-append openvpn.log
verb 5


This will create an openvpn.log file with detailed information on why openvpn is not working or exiting; by analyzing this file I was able to detect and fix my problems.
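The three things the thread settled on (an invalid proto value, relative paths that break when the daemon is started from a startup script, and no log to read when it exits) can be checked before rebooting. The following is an added example, not code from this thread, the DD-WRT wiki or OpenVPN; the /jffs/openvpn directory and the ps lines are assumptions constructed for the example, and the server.conf sample is a trimmed copy of the one posted above.

```python
VALID_PROTO = {"udp", "tcp", "tcp-server", "tcp-client"}
FILE_OPTIONS = {"ca", "cert", "key", "dh", "secret", "log", "log-append", "status"}

def parse_conf(text):
    """Yield (option, args) pairs; '#' and ';' start comments, blank lines are skipped."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            name, *args = line.split()
            yield name, args

def lint_conf(text):
    """Return human-readable findings for the thread's pitfalls (empty list = nothing to fix)."""
    findings, seen = [], set()
    for name, args in parse_conf(text):
        seen.add(name)
        value = args[0] if args else ""
        if name == "proto" and value not in VALID_PROTO:
            findings.append(f"proto '{value}' is not valid; use 'proto udp' or 'proto tcp-server'")
        elif name in FILE_OPTIONS and value and not value.startswith("/"):
            findings.append(f"{name} '{value}' is relative; a startup script may not run "
                            "from the config directory, so give the absolute path")
    if not seen & {"log", "log-append"}:
        findings.append("no log/log-append: add 'log-append /path/openvpn.log' and 'verb 5'")
    return findings

def openvpn_running(ps_output, names=("openvpn", "myvpn")):
    """True only if BusyBox ps shows a daemon process other than the 'grep openvpn' line itself."""
    for line in ps_output.splitlines():
        fields = line.split()          # PID USER VSZ STAT COMMAND...
        if len(fields) > 4 and "grep" not in fields and any(n in fields[4] for n in names):
            return True
    return False

# Constructed inputs: the server.conf from the thread (trimmed) and a corrected version.
POSTED_CONF = """mode server
port 1194
proto udp-server
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
status openvpn-status.log
verb 3
"""
FIXED_CONF = "mode server\nport 1194\nproto udp\nverb 5\ndaemon\n" + "".join(
    f"{opt} /jffs/openvpn/{name}\n" for opt, name in [("ca", "ca.crt"), ("cert", "server.crt"),
    ("key", "server.key"), ("dh", "dh1024.pem"), ("status", "status.log"), ("log-append", "openvpn.log")])
PS_GREP_ONLY = "  860 root        380 S   grep openvpn\n"   # constructed, as seen in the thread
PS_RUNNING = "  812 root       1240 S   ./myvpn --config /jffs/openvpn/server.conf\n" + PS_GREP_ONLY
```

On the posted config the linter reports the udp-server value, five relative paths and the missing log line; on the corrected one it reports nothing.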