vpntunnel.se & DD-WRT v24-sp2 18024 OpenVPN client problem

chevychase
DD-WRT Novice


Joined: 04 Nov 2010
Posts: 2

PostPosted: Thu Feb 16, 2012 21:15    Post subject: vpntunnel.se & DD-WRT v24-sp2 18024 OpenVPN client problem
I have Netgear WNDR3700 router with DD-WRT v24-sp2 (18024) installed. It works just fine.

I would like to push all my outgoing traffic through vpntunnel.se openvpn service.

I have tried connecting there using their own howtos, but the howto covers a really old version of dd-wrt.

I managed to get some kind of connection from the command line with [openvpn --config /opt/openvpn.conf] and the following conf file, but it didn't transfer anything.
Code:
client
dev tap
proto udp
nobind
tls-client
ca /opt/ca.crt
ns-cert-type server
push "dhcp-option DNS 80.67.0.2"
push "dhcp-option DNS 91.213.246.2"
auth-user-pass /opt/passwd.txt
remote-random
remote melissa.vpntunnel.se 1194
remote melissa.vpntunnel.se 10010
remote melissa.vpntunnel.se 10020
persist-key
persist-tun
comp-lzo
verb 3


ca.crt and passwd.txt were properly set up so they weren't the problem.

    I would like to know how can I get the connection to work from dd-wrt gui?

    Can I use the OpenVPN Client option on the gui to get the connection to work?

    Do I have to do something with iptables as is mentioned in vpntunnel's howto?

Code:
iptables -I FORWARD -i br0 -o tap0 -j ACCEPT
iptables -I FORWARD -i tap0 -o br0 -j ACCEPT
iptables -I INPUT -i tap0 -j REJECT
iptables -t nat -A POSTROUTING -o tap0 -j MASQUERADE


I will gladly provide more information if necessary to solve my problem.

Thank you in advance!
chevychase
DD-WRT Novice


Joined: 04 Nov 2010
Posts: 2

PostPosted: Sun Feb 19, 2012 20:19
Is the lack of replies caused by the fact that this is a stupid question, or that no one knows how to help me?
pbgarcol
DD-WRT Novice


Joined: 20 Feb 2012
Posts: 27

PostPosted: Tue Feb 21, 2012 20:34
Hi,
I would say it is definitely not a stupid question at all. My guess is that there are not so many people who have both the time and the expertise to help you. I have more or less the same problems setting openvpn up and, being an absolute newbie to dd-wrt, I can't be very useful. It seems you first have to pay tribute to the gurus (in a purely symbolic way, of course...) before getting actual help.
Hope you get it working sooner or later.
jahuu
DD-WRT Novice


Joined: 21 Feb 2012
Posts: 6

PostPosted: Wed Feb 22, 2012 12:05    Post subject: WZR-HP-G300NH2 only works with TCP tunnel
UDP tunnel is not working, no idea why...
jeroen567
DD-WRT Novice


Joined: 24 Feb 2012
Posts: 2

PostPosted: Fri Feb 24, 2012 19:34    Post subject: DD-WRT v24-sp2 (12/08/11) big - build 17990M NEWD-2 K2.6 Eko
Here's my config, it should work.
I connect well to vpntunnel.se

--------
script-security 2
client
dev tap
proto udp
nobind
tls-client
ca /tmp/openvpn/ca.crt
ns-cert-type server
push "dhcp-option DNS 80.67.0.2"
push "dhcp-option DNS 91.213.246.2"
auth-user-pass /tmp/openvpn/passwd.txt
remote-random
remote melissa.vpntunnel.se 10010
remote melissa.vpntunnel.se 1194
remote melissa.vpntunnel.se 10020
remote 178.73.212.232 10020
persist-key
persist-tun
comp-lzo
verb 3
--------------
administration/commands/firewall

iptables -I FORWARD -i br0 -o tap0 -j ACCEPT
iptables -I FORWARD -i tap0 -o br0 -j ACCEPT
iptables -I INPUT -i tap0 -j REJECT
iptables -t nat -A POSTROUTING -o tap0 -j MASQUERADE
---------------

administration/commands/startup

echo "userxx" >> /tmp/openvpn/passwd.txt
echo "passwordxx" >> /tmp/openvpn/passwd.txt

-----------
Copy-paste the vpntunnel cert info in the admin website under Services/VPN/CA Cert.
Use PuTTY to connect to the router and log on as "root".
Check /tmp/openvpn/ for the cert and the passwd.txt.

All should work.
regards J.
jeroen567
DD-WRT Novice


Joined: 24 Feb 2012
Posts: 2

PostPosted: Fri Feb 24, 2012 19:42
Use "OpenVPN Server/Daemon", not the "OpenVPN Client".
antoniosk7
DD-WRT Novice


Joined: 28 Jun 2011
Posts: 8

PostPosted: Tue Feb 28, 2012 6:50
Doesn't work for me... any ideas?
Sash
DD-WRT Guru


Joined: 20 Sep 2006
Posts: 17442
Location: Hesse/Germany

PostPosted: Tue Feb 28, 2012 9:59
Their instructions should work. Enable logging and give us the logs.
antoniosk7
DD-WRT Novice


Joined: 28 Jun 2011
Posts: 8

PostPosted: Wed Feb 29, 2012 3:27
I noticed that the file passwd.txt is deleted from the system when the router restarts. Why does this happen?


Firmware: DD-WRT v24SP2-MULTI (05/27/11) std

Feb 28 21:19:30 nitdx user.info syslog: cron : cron daemon successfully stopped
Feb 28 21:19:31 nitdx daemon.debug process_monitor[1487]: Restarting cron (time sync change)
Feb 28 21:19:31 nitdx daemon.debug process_monitor[1487]: We need to re-update after 3600 seconds
Feb 28 21:19:31 nitdx cron.info cron[1502]: (CRON) STARTUP (fork ok)
Feb 28 21:19:31 nitdx cron.info cron[1502]: (crontabs) ORPHAN (no passwd entry)
Feb 28 21:19:31 nitdx user.info syslog: cron : cron daemon successfully started
Feb 28 21:19:35 nitdx user.info syslog: vpn modules : vpn modules successfully unloaded
Feb 28 21:19:36 nitdx user.info syslog: wland : WLAN daemon successfully stopped
Feb 28 21:19:36 nitdx user.info syslog: vpn modules : vpn modules successfully unloaded
Feb 28 21:19:36 nitdx user.info syslog: wland : WLAN daemon successfully started
Feb 28 21:19:36 nitdx user.info syslog: WAN is up. IP: 192.168.1.102
Feb 28 21:19:37 nitdx daemon.notice openvpn[1851]: OpenVPN 2.2.0 mips-linux [SSL] [LZO2] built on May 27 2011
Feb 28 21:19:37 nitdx daemon.warn openvpn[1851]: WARNING: cannot stat file '/tmp/openvpn/passwd.txt': No such file or directory (errno=2)
Feb 28 21:19:37 nitdx daemon.err openvpn[1851]: Error opening 'Auth' auth file: /tmp/www/passwd.txt: No such file or directory (errno=2)
Feb 28 21:19:37 nitdx daemon.notice openvpn[1851]: Exiting
Feb 28 21:19:40 nitdx user.debug syslog: ttraff: data collection started
Feb 28 21:19:43 nitdx authpriv.notice dropbear[1853]: password auth succeeded for 'root' from 192.168.11.52:52517
Feb 28 21:19:52 nitdx authpriv.notice dropbear[1856]: password auth succeeded for 'root' from 192.168.11.52:52518
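
The log above shows OpenVPN exiting at boot because /tmp/openvpn/passwd.txt is not there. On DD-WRT /tmp lives in RAM, so anything written there disappears at every reboot; the startup script has to recreate the file each time, and OpenVPN must not be started before it exists. The following script is an added example and not code from the thread or from DD-WRT: it writes the two-line auth-user-pass file with owner-only permissions, checks that it has the shape OpenVPN expects, and waits for it before the client is launched. The path /tmp/openvpn, the VPN_USER/VPN_PASS variables and the timeout are placeholders chosen for the example.

```sh
#!/bin/sh
# Added example, not from the thread: recreate OpenVPN's auth-user-pass file
# at every boot. DD-WRT keeps /tmp in RAM, so a file written there is gone
# after a reboot; the startup script must write it again each time, and
# OpenVPN must only be started once it exists.
# Paths and the VPN_USER/VPN_PASS variables are placeholders, not from the thread.

AUTH_DIR="${AUTH_DIR:-/tmp/openvpn}"
AUTH_FILE="$AUTH_DIR/passwd.txt"

# write_auth_file <file> <user> <pass>: line 1 username, line 2 password,
# readable by the owner only, written to a temp name and renamed so OpenVPN
# never sees a half-written file. '>' rather than '>>' so re-running the
# startup script cannot append a second copy of the credentials.
write_auth_file() {
    file=$1; user=$2; pass=$3
    mkdir -p "$(dirname "$file")" || return 1
    old_umask=$(umask)
    umask 077
    if ! printf '%s\n%s\n' "$user" "$pass" > "$file.tmp"; then
        umask "$old_umask"
        return 1
    fi
    umask "$old_umask"
    mv -f "$file.tmp" "$file"
}

# check_auth_file <file>: 0 if the file exists, has exactly two non-empty
# lines and is not readable by group or others; prints the reason otherwise.
check_auth_file() {
    file=$1
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    lines=$(wc -l < "$file" | tr -d ' ')
    [ "$lines" -eq 2 ] || { echo "$file: expected 2 lines, found $lines" >&2; return 1; }
    while read -r line; do
        [ -n "$line" ] || { echo "$file: empty line" >&2; return 1; }
    done < "$file"
    perms=$(ls -l "$file" | cut -c1-10)        # e.g. -rw-------
    case "$perms" in
        ????------) return 0 ;;
        *) echo "$file: mode $perms is readable by group or others" >&2; return 1 ;;
    esac
}

# wait_for_file <file> <seconds>: 0 once the file exists and is non-empty,
# 1 after the timeout. Start openvpn only after this returns 0.
wait_for_file() {
    n=$2
    while [ "$n" -gt 0 ]; do
        if [ -s "$1" ]; then return 0; fi
        sleep 1
        n=$((n - 1))
    done
    [ -s "$1" ]
}

# Startup use on the router: set VPN_USER and VPN_PASS (or hard-code them
# here, as the posts above do), then run this before starting openvpn.
if [ -n "${VPN_USER:-}" ]; then
    write_auth_file "$AUTH_FILE" "$VPN_USER" "${VPN_PASS:-}" || exit 1
    check_auth_file "$AUTH_FILE" || exit 1
fi
```

The 600 mode on the /tmp copy only matters against other local processes; whatever is put in the DD-WRT startup commands is itself stored in nvram in cleartext, so the password is recoverable by anyone with root on the router either way.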
antoniosk7
DD-WRT Novice


Joined: 28 Jun 2011
Posts: 8

PostPosted: Wed Feb 29, 2012 17:13
any idea?
heckheck
DD-WRT Novice


Joined: 07 Apr 2012
Posts: 5

PostPosted: Sat Apr 07, 2012 17:10
antoniosk7 wrote:
any idea?


Below is my working config for connecting to vpntunnel.se, tested using DD-WRT v24-sp2 (03/19/12) vpn-small - build 18777 on a Cisco M10 Valet router

This is all done as a startup script and does not use the GUI at all. I had problems getting the GUI to work properly.

Simply edit to add the necessary information for USERNAME, PASSWORD, CA_CRT. The script also allows the creation of iptables rules for setting up port forwarding to static ports from the tunnel. Simply set them up under PORT_FORWARDING (I left in some examples). I found it was necessary to do it this way, since port forwards added to the 'Nat / Qos' -> 'Port Forwarding' GUI were not applied to the correct interface to work over the VPN.

Paste the edited script in 'Administration'->'Commands' and press 'Save Startup' then reboot the router.

The script is set up to log to /tmp/vpntunnelse/log.txt, so if you have problems, ssh to the router and check there to see what might be happening.

This script can easily be applied to other VPN providers with some more editing (in fact I started from an example for another provider).


Code:

#!/bin/sh

USERNAME="YOUR_USERNAME"
PASSWORD="YOUR_PASSWORD" # Your USER_PASSWORD
PROTOCOL="udp" # udp / tcp MUST BE lower case

# Add - delete - edit servers
REMOTE_SERVERS="
remote melissa.vpntunnel.se 10010
remote melissa.vpntunnel.se 1194
remote melissa.vpntunnel.se 10020
"
# Static port forwarding rules
# protocol from_port local_ip:to_port
PORT_FORWARDING="
tcp 20000 10.1.1.100:20000
udp 20000 10.1.1.100:20000
tcp 30000 10.1.1.100:30000
tcp 30001 10.1.1.101:30001
"
CA_CRT='-----BEGIN CERTIFICATE-----
<SNIP -- get from your account paste here>
-----END CERTIFICATE-----'

#### DO NOT CHANGE below this line ####

CLIENT_CRT=''

CLIENT_KEY=''

VPN_BRIDGING="#!/bin/sh
iptables -I FORWARD -i br0 -o tap0 -j ACCEPT
iptables -I FORWARD -i tap0 -o br0 -j ACCEPT
iptables -I INPUT -i tap0 -j REJECT
iptables -t nat -A POSTROUTING -o tap0 -j MASQUERADE"

VPN_CONFIG="script-security 2
client
dev tap
proto $PROTOCOL
nobind
tls-client
ca /tmp/vpntunnelse/ca.crt
ns-cert-type server
push \"dhcp-option DNS 80.67.0.2\"
push \"dhcp-option DNS 91.213.246.2\"
auth-user-pass /tmp/vpntunnelse/userpass.conf
remote-random
$REMOTE_SERVERS
persist-key
persist-tun
comp-lzo
verb 3
log /tmp/vpntunnelse/log.txt"


OPVPNENABLE=`nvram get openvpncl_enable | awk '$1 == "0" {print $1}'`

if [ "$OPVPNENABLE" != 0 ]
then
    nvram set openvpncl_enable=0
    nvram commit
fi

sleep 10
mkdir /tmp/vpntunnelse; cd /tmp/vpntunnelse
echo -e "$USERNAME\n$PASSWORD" > userpass.conf
echo "$CA_CRT" > ca.crt; echo "$CLIENT_CRT" > client.crt
echo "$CLIENT_KEY" > client.key
echo -e "#!/bin/sh\nstartservice set_routes" > route-up.sh
echo -e "#!/bin/sh\nsleep 2" > route-down.sh
echo "$VPN_BRIDGING" > /tmp/vpntunnelse/firewall.sh
echo "$PORT_FORWARDING" | awk '{c=split($0, s); \
    if (c==3) print "iptables -t nat -A PREROUTING -i tap0 -p " \
    s[1] " --dport " s[2] " -j DNAT --to " s[3]}' \
    >> /tmp/vpntunnelse/firewall.sh
chmod 644 ca.crt client.crt
chmod 600 client.key userpass.conf
chmod 700 route-up.sh route-down.sh
chmod 700 /tmp/vpntunnelse/firewall.sh
(/tmp/vpntunnelse/firewall.sh) &
sleep 10
echo "$VPN_CONFIG" > openvpn.conf
(killall openvpn; openvpn --config /tmp/vpntunnelse/openvpn.conf \
    --route-up /tmp/vpntunnelse/route-up.sh \
    --down-pre /tmp/vpntunnelse/route-down.sh) &
exit 0
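
The firewall rules in jeroen567's post and the PORT_FORWARDING awk one-liner in the script above both use plain `iptables -I`/`-A`. DD-WRT re-runs the firewall script on every WAN event, so each run stacks another copy of every rule. The following is an added example, not code from the thread or from DD-WRT, that produces the same rule set in a form that can be re-run safely: the rules live in private chains that are flushed and refilled, and the single jump from each built-in chain is deleted before it is inserted again. It deliberately does not rely on `iptables -C`, which older DD-WRT builds do not have. The interface names br0/tap0, the chain names vpn_*, and the 10.1.1.x forwards are assumptions for the example. With no argument it prints the commands it would run; with `apply` it executes them.

```sh
#!/bin/sh
# Added example, not from the thread. Re-runnable version of the tap0 firewall
# rules posted above and of the PORT_FORWARDING awk one-liner: private chains
# are flushed and refilled, and the jump from each built-in chain is removed
# before it is re-inserted, so repeated runs never duplicate a rule. Works on
# any iptables version (no "-C" needed).
# Assumptions (not from the thread): LAN bridge br0, tunnel device tap0,
# chain names vpn_*; the 10.1.1.x forwards are constructed placeholders.

LAN_IF="${LAN_IF:-br0}"
VPN_IF="${VPN_IF:-tap0}"
IPTABLES="${IPTABLES:-iptables}"

# "proto port lan_ip:port", one per line, same shape as the thread's variable.
PORT_FORWARDING="
tcp 20000 10.1.1.100:20000
udp 20000 10.1.1.100:20000
"

# chain <table> <name>: create the chain if missing, then empty it.
chain() {
    echo "$IPTABLES -t $1 -N $2 2>/dev/null || true"
    echo "$IPTABLES -t $1 -F $2"
}

# hook <table> <parent> <name>: exactly one jump from the built-in chain to
# ours; any previous jump is deleted first so re-runs do not stack them.
hook() {
    echo "$IPTABLES -t $1 -D $2 -j $3 2>/dev/null || true"
    echo "$IPTABLES -t $1 -I $2 -j $3"
}

# forward_rules: turn PORT_FORWARDING into DNAT rules on the tunnel side,
# skipping blank lines and refusing anything that is not tcp/udp + numeric port.
forward_rules() {
    printf '%s\n' "$PORT_FORWARDING" | while read -r proto port target; do
        [ -n "$target" ] || continue
        case "$proto" in
            tcp|udp) ;;
            *) echo "# skipped bad protocol: $proto $port $target"; continue ;;
        esac
        case "$port" in
            ''|*[!0-9]*) echo "# skipped bad port: $proto $port $target"; continue ;;
        esac
        echo "$IPTABLES -t nat -A vpn_pre -i $VPN_IF -p $proto --dport $port -j DNAT --to $target"
    done
}

# vpn_firewall_rules: print the complete rule set, one command per line.
vpn_firewall_rules() {
    chain filter vpn_fwd                       # LAN <-> tunnel forwarding
    echo "$IPTABLES -A vpn_fwd -i $LAN_IF -o $VPN_IF -j ACCEPT"
    echo "$IPTABLES -A vpn_fwd -i $VPN_IF -o $LAN_IF -j ACCEPT"
    hook filter FORWARD vpn_fwd

    chain filter vpn_in                        # tunnel peers may not reach the router itself
    echo "$IPTABLES -A vpn_in -i $VPN_IF -j REJECT"
    hook filter INPUT vpn_in

    chain nat vpn_post                         # NAT LAN clients behind the tunnel address
    echo "$IPTABLES -t nat -A vpn_post -o $VPN_IF -j MASQUERADE"
    hook nat POSTROUTING vpn_post

    chain nat vpn_pre                          # static forwards arriving over the tunnel
    forward_rules
    hook nat PREROUTING vpn_pre
}

# No argument: print what would be run. "apply": run it.
if [ "${1:-}" = apply ]; then
    vpn_firewall_rules | sh
else
    vpn_firewall_rules
fi
```

Note what these rules do not do: nothing here stops LAN traffic from leaving through the WAN when the tunnel is down and the pushed default route disappears, so a router that must never send traffic outside the VPN needs an additional rule that rejects forwarding from br0 to the WAN interface.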

heckheck
DD-WRT Novice


Joined: 07 Apr 2012
Posts: 5

PostPosted: Sun May 13, 2012 18:26
My config stopped working. I was able to revive it by adding 'float' to the VPN_CONFIG options. This seems to be necessary now with vpntunnel.se, since some recent network changes. The 'float' option allows floating to a new address/port that passes authentication after establishing the connection using the remote commands in the script.

Edited script below.

heckheck wrote:


Code:

#!/bin/sh

USERNAME="YOUR_USERNAME"
PASSWORD="YOUR_PASSWORD" # Your USER_PASSWORD
PROTOCOL="udp" # udp / tcp MUST BE lower case

# Add - delete - edit servers
REMOTE_SERVERS="
remote melissa.vpntunnel.se 10010
remote melissa.vpntunnel.se 1194
remote melissa.vpntunnel.se 10020
"
# Static port forwarding rules
# protocol from_port local_ip:to_port
#
# EXAMPLE
#PORT_FORWARDING="
#tcp 20000 10.1.1.100:20000
#udp 20000 10.1.1.100:20000
#tcp 30000 10.1.1.100:30000
#tcp 30001 10.1.1.101:30001
#"
#
PORT_FORWARDING=""

CA_CRT='-----BEGIN CERTIFICATE-----
<SNIP -- get from your account paste here>
-----END CERTIFICATE-----'

#### DO NOT CHANGE below this line ####

CLIENT_CRT=''

CLIENT_KEY=''

VPN_BRIDGING="#!/bin/sh
iptables -I FORWARD -i br0 -o tap0 -j ACCEPT
iptables -I FORWARD -i tap0 -o br0 -j ACCEPT
iptables -I INPUT -i tap0 -j REJECT
iptables -t nat -A POSTROUTING -o tap0 -j MASQUERADE"

VPN_CONFIG="script-security 2
client
float
dev tap
proto $PROTOCOL
nobind
tls-client
ca /tmp/vpntunnelse/ca.crt
ns-cert-type server
push \"dhcp-option DNS 80.67.0.2\"
push \"dhcp-option DNS 91.213.246.2\"
auth-user-pass /tmp/vpntunnelse/userpass.conf
remote-random
$REMOTE_SERVERS
persist-key
persist-tun
comp-lzo
verb 3
log /tmp/vpntunnelse/log.txt"


OPVPNENABLE=`nvram get openvpncl_enable | awk '$1 == "0" {print $1}'`

if [ "$OPVPNENABLE" != 0 ]
then
    nvram set openvpncl_enable=0
    nvram commit
fi

sleep 10
mkdir /tmp/vpntunnelse; cd /tmp/vpntunnelse
echo -e "$USERNAME\n$PASSWORD" > userpass.conf
echo "$CA_CRT" > ca.crt; echo "$CLIENT_CRT" > client.crt
echo "$CLIENT_KEY" > client.key
echo -e "#!/bin/sh\nstartservice set_routes" > route-up.sh
echo -e "#!/bin/sh\nsleep 2" > route-down.sh
echo "$VPN_BRIDGING" > /tmp/vpntunnelse/firewall.sh
echo "$PORT_FORWARDING" | awk '{c=split($0, s); \
    if (c==3) print "iptables -t nat -A PREROUTING -i tap0 -p " \
    s[1] " --dport " s[2] " -j DNAT --to " s[3]}' \
    >> /tmp/vpntunnelse/firewall.sh
chmod 644 ca.crt client.crt
chmod 600 client.key userpass.conf
chmod 700 route-up.sh route-down.sh
chmod 700 /tmp/vpntunnelse/firewall.sh
(/tmp/vpntunnelse/firewall.sh) &
sleep 10
echo "$VPN_CONFIG" > openvpn.conf
(killall openvpn; openvpn --config /tmp/vpntunnelse/openvpn.conf \
    --route-up /tmp/vpntunnelse/route-up.sh \
    --down-pre /tmp/vpntunnelse/route-down.sh) &
exit 0

nucce
DD-WRT Novice


Joined: 13 May 2012
Posts: 3

PostPosted: Sun May 13, 2012 22:39
Hi, I have a problem with your script heckheck, do you know how to solve the following issue? I XXed out some of the numbers from the IPs on purpose, tell me if you need them.

Code:
Mon May 14 00:31:39 2012 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS XX.XX.XX.XX,dhcp-option DNS XX.XXX.XXX.X,redirect-gateway def1,route XX.XX.1.1,topology net30,ping 10,ping-restart 160,ifconfig XX.XX.1.190 XX.XX.1.189'
Mon May 14 00:31:39 2012 OPTIONS IMPORT: timers and/or timeouts modified
Mon May 14 00:31:39 2012 OPTIONS IMPORT: --ifconfig/up options modified
Mon May 14 00:31:39 2012 OPTIONS IMPORT: route options modified
Mon May 14 00:31:39 2012 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Mon May 14 00:31:39 2012 WARNING: Since you are using --dev tap, the second argument to --ifconfig must be a netmask, for example something like 255.255.255.0. (silence this warning with --ifconfig-nowarn)
Mon May 14 00:31:39 2012 OpenVPN ROUTE: OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options
Mon May 14 00:31:39 2012 OpenVPN ROUTE: failed to parse/resolve route for host/network: XX.XX.1.1
Mon May 14 00:31:39 2012 TUN/TAP device tap0 opened
Mon May 14 00:31:39 2012 TUN/TAP TX queue length set to 100
Mon May 14 00:31:39 2012 /sbin/ifconfig tap0 10.99.1.190 netmask XX.XX.1.189 mtu 1500 broadcast 255.255.255.254
Mon May 14 00:31:39 2012 Linux ifconfig failed: external program exited with error status: 1
Mon May 14 00:31:39 2012 Exiting
heckheck
DD-WRT Novice


Joined: 07 Apr 2012
Posts: 5

PostPosted: Mon May 14, 2012 0:15
Do you have the float option in the config?

My connection had been stable for weeks and then I had problems I noticed today. I was seeing very similar errors to the one you posted before I added the float earlier today. It could have been a coincidence that adding float fixed it. I can tell you that your problem is with the dhcp line being sent to you by the server:

control message: 'PUSH_REPLY,dhcp-option DNS XX.XX.XX.XX,dhcp-option DNS XX.XXX.XXX.X,redirect-gateway def1,route XX.XX.1.1,topology net30,ping 10,ping-restart 160,ifconfig XX.XX.1.190 XX.XX.1.189'

The first bolded portion above, for route, appears as 'route-gateway' (not 'route') followed by the gateway IP address in the dhcp line returned to me from vpntunnel.se. The route command is not succeeding and that's causing the script to fail.

There is another problem too, which doesn't cause the script to fail, but is just as serious. The second bolded portion above should read 255.255.255.0 (for a netmask) and not XX.XX.1.189. I just checked my successful log from earlier today and I see the netmask of 255.255.255.0 in my dhcp line from the server (previously I was seeing something similar to what you are seeing). It could be that some of the servers over at vpntunnel.se are messed up currently and returning bad DHCP commands. Perhaps I just got lucky on a given reconnection. I'd offer to test that theory, but I don't want to scuttle my current connection, sorry.

Try a few more times and see how you fare.
nucce
DD-WRT Novice


Joined: 13 May 2012
Posts: 3

PostPosted: Mon May 14, 2012 8:02
heckheck wrote:
Do you have the float option in the config?

Try a few more times and see how you fare.


Hi, yes I'm using float in my config file.

However, I got it working after all, but it's not smooth and it locks me into keeping an active PuTTY session.
What I did was log in to the router manually through SSH and just execute /usr/sbin/openvpn /tmp/vpntunnelse/openvpn.conf four or five times, and all of a sudden it was connected, and then I executed firewall.sh and route-up.sh.
I can see the PUSH_REPLY with DHCP option is different on the success try than the failure as you said before.
Success:
Code:
Mon May 14 09:45:08 2012 us=93651 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS XX.XX.0.2,dhcp-option DNS XX.XXX.246.2,redirect-gateway def1,route-gateway XXX.XX.XXX.X,ping 10,ping-restart 160'


Could we somehow add to the code that it retries connecting until it gets the proper reply for this dhcp-option, or are there better ideas?

EDIT: Perhaps we can somehow restart the initialization of the openvpn process when this issue appears: "external program exited with error status: 1"

Or trigger a start when the process is dead?

All ideas are welcome.
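
The two replies quoted in this exchange differ in exactly the ways heckheck describes: the failing one pushes `route X` with no `route-gateway`, and an `ifconfig` whose second argument is a peer address rather than the netmask a `dev tap` client needs, so the local ifconfig fails and OpenVPN exits. The following script is an added example, not code from the thread, from heckheck's script or from OpenVPN: `push_reply_ok` checks a PUSH_REPLY log line for those two defects, and `run_client` is the supervisor loop nucce asks for, restarting the client whenever it exits and logging why the last reply was unusable. The two sample lines are constructed with RFC 5737 documentation addresses to match the shape of the replies posted above; the paths follow heckheck's script and the retry interval is an arbitrary choice.

```sh
#!/bin/sh
# Added example, not from the thread. Two pieces for the failure described
# above:
#  - push_reply_ok: tells a usable PUSH_REPLY from the broken one (a "route"
#    with no "route-gateway", and an "ifconfig" whose second argument is a
#    peer address rather than a netmask, which "dev tap" requires);
#  - run_client: a supervisor loop that restarts OpenVPN whenever it exits
#    ("Linux ifconfig failed ... Exiting"), so a bad reply costs one retry.
# Sample lines are constructed with RFC 5737 addresses; paths follow the
# script posted earlier in the thread.

CONFIG="${CONFIG:-/tmp/vpntunnelse/openvpn.conf}"
LOG="${LOG:-/tmp/vpntunnelse/log.txt}"
RETRY_SECONDS="${RETRY_SECONDS:-10}"

# Constructed samples in the shape of the two replies quoted in the thread.
GOOD_REPLY="Mon May 14 09:45:08 2012 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 192.0.2.2,dhcp-option DNS 198.51.100.2,redirect-gateway def1,route-gateway 203.0.113.1,ping 10,ping-restart 160'"
BAD_REPLY="Mon May 14 00:31:39 2012 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 192.0.2.2,dhcp-option DNS 198.51.100.2,redirect-gateway def1,route 10.99.1.1,topology net30,ping 10,ping-restart 160,ifconfig 10.99.1.190 10.99.1.189'"

# is_netmask <a.b.c.d>: 0 if the value is a contiguous netmask such as
# 255.255.255.0 (its 32-bit complement must be of the form 2^k - 1).
is_netmask() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    m=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    inv=$(( 0xffffffff - m ))
    [ $(( inv & (inv + 1) )) -eq 0 ]
}

# push_reply_ok <log line>: 0 if the PUSH_REPLY in the line can be applied by
# a "dev tap" client; prints the reason and returns 1 otherwise.
push_reply_ok() {
    opts=$(printf '%s\n' "$1" | sed -n -e '/PUSH_REPLY,/!d' -e 's/.*PUSH_REPLY,//' -e "s/'.*//" -e p)
    [ -n "$opts" ] || { echo "no PUSH_REPLY in line" >&2; return 1; }
    need_gw=0; have_gw=0
    oldifs=$IFS; IFS=,; set -- $opts; IFS=$oldifs
    for opt in "$@"; do
        case "$opt" in
            "route-gateway "*) have_gw=1 ;;
            "route "*)         need_gw=1 ;;
            "ifconfig "*)
                mask=$(printf '%s\n' "$opt" | awk '{print $3}')
                if ! is_netmask "$mask"; then
                    echo "ifconfig second argument '$mask' is not a netmask (dev tap)" >&2
                    return 1
                fi ;;
        esac
    done
    if [ "$need_gw" -eq 1 ] && [ "$have_gw" -eq 0 ]; then
        echo "route pushed without route-gateway" >&2
        return 1
    fi
    return 0
}

# last_push_reply_ok: check the most recent PUSH_REPLY recorded in $LOG.
last_push_reply_ok() {
    line=$(grep 'PUSH_REPLY' "$LOG" 2>/dev/null | tail -n 1)
    push_reply_ok "$line"
}

# run_client: OpenVPN treats a failed ifconfig as fatal and exits, so the
# simplest retry is to run it in a loop. After each exit the last PUSH_REPLY
# is checked so the reason ends up in syslog.
run_client() {
    while :; do
        openvpn --config "$CONFIG"      # --route-up/--down-pre etc. belong in the config
        rc=$?
        last_push_reply_ok 2>&1 | logger -t vpn-watchdog
        logger -t vpn-watchdog "openvpn exited with status $rc; restarting in ${RETRY_SECONDS}s"
        sleep "$RETRY_SECONDS"
    done
}

# From the startup commands on the router:  sh /tmp/vpntunnelse/watchdog.sh run &
if [ "${1:-}" = run ]; then run_client; fi
```

Running the client under a loop like this replaces the `(killall openvpn; openvpn ...) &` line in the earlier script; the firewall rules are unaffected, since they are keyed on the tap0 interface and not on a particular OpenVPN process.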