Posted: Thu Feb 16, 2012 21:15 Post subject: vpntunnel.se & DD-WRT v24-sp2 18024 Openvpn client probl
I have Netgear WNDR3700 router with DD-WRT v24-sp2 (18024) installed. It works just fine.
I would like to push all my outgoing traffic through vpntunnel.se openvpn service.
I have tried connecting there using their own howtos but the howto has a really old version of dd-wrt on it.
I managed to get some kind of connection from the command line [openvpn --config /opt/openvpn.conf] with the following conf file, but it didn't transfer anything.
Code:
client
dev tap
proto udp
nobind
tls-client
ca /opt/ca.crt
ns-cert-type server
push "dhcp-option DNS 80.67.0.2"
push "dhcp-option DNS 91.213.246.2"
auth-user-pass /opt/passwd.txt
remote-random
remote melissa.vpntunnel.se 1194
remote melissa.vpntunnel.se 10010
remote melissa.vpntunnel.se 10020
persist-key
persist-tun
comp-lzo
verb 3
ca.crt and passwd.txt were properly set up so they weren't the problem.
I would like to know how I can get the connection to work from the dd-wrt GUI?
Can I use the OpenVPN Client option on the gui to get the connection to work?
Do I have to do something with iptables as is mentioned in vpntunnel's howto?
Hi,
I would say it is definitely not a stupid question at all. My guess is that there are not so many people who have both the time and the expertise to help you. I have more or less the same problems setting openvpn up and, being an absolute newbie to dd-wrt, I can't be very useful. It seems you first have to pay tribute to the gurus (in a purely symbolic way of course... ) before getting actual help.
I hope you get it working sooner or later.
-----------
copy-paste the vpntunnel cert info in the admin website under services/vpn/ca cert
use putty to connect to the router and log on as "root"
Check /tmp/openvpn/ for the cert and the passwd.txt
Below is my working config for connecting to vpntunnel.se, tested using DD-WRT v24-sp2 (03/19/12) vpn-small - build 18777 on a Cisco M10 Valet router
This is all done as a startup script and does not use the GUI at all. I had problems getting the GUI to work properly.
Simply edit to add the necessary information for USERNAME, PASSWORD, CA_CRT. The script also allows the creation of iptables rules for setting up port forwarding to static ports from the tunnel. Simply set them up under PORT_FORWARDING (I left in some examples). I found it was necessary to do it this way, since port forwards added in the 'Nat / Qos' -> 'Port Forwarding' GUI were not applied to the correct interface to work over the VPN.
Paste the edited script in 'Administration'->'Commands' and press 'Save Startup' then reboot the router.
The script is set up to log to /tmp/vpntunnelse/log.txt, so if you have problems, ssh to the router and check there to see what might be happening.
This script can easily be applied to other VPN providers with some more editing (in fact I started from an example for another provider).
Code:
#!/bin/sh
USERNAME="YOUR_USERNAME"
PASSWORD="YOUR_PASSWORD" # Your USER_PASSWORD
PROTOCOL="udp" # udp / tcp MUST BE lower case
VPN_CONFIG="script-security 2
client
dev tap
proto $PROTOCOL
nobind
tls-client
ca /tmp/vpntunnelse/ca.crt
ns-cert-type server
push \"dhcp-option DNS 80.67.0.2\"
push \"dhcp-option DNS 91.213.246.2\"
auth-user-pass /tmp/vpntunnelse/userpass.conf
remote-random
$REMOTE_SERVERS
persist-key
persist-tun
comp-lzo
verb 3
log /tmp/vpntunnelse/log.txt"
OPVPNENABLE=`nvram get openvpncl_enable | awk '$1 == "0" {print $1}'`
if [ "$OPVPNENABLE" != 0 ]
then
nvram set openvpncl_enable=0
nvram commit
fi
My config stopped working. I was able to revive it by adding 'float' to the VPN_CONFIG options. This seems to be necessary now with vpntunnel.se, since some recent network changes. The 'float' option allows floating to a new address/port that passes authentication after establishing the connection using the remote commands in the script.
Edited script below.
heckheck wrote:
Code:
#!/bin/sh
USERNAME="YOUR_USERNAME"
PASSWORD="YOUR_PASSWORD" # Your USER_PASSWORD
PROTOCOL="udp" # udp / tcp MUST BE lower case
VPN_CONFIG="script-security 2
client
float
dev tap
proto $PROTOCOL
nobind
tls-client
ca /tmp/vpntunnelse/ca.crt
ns-cert-type server
push \"dhcp-option DNS 80.67.0.2\"
push \"dhcp-option DNS 91.213.246.2\"
auth-user-pass /tmp/vpntunnelse/userpass.conf
remote-random
$REMOTE_SERVERS
persist-key
persist-tun
comp-lzo
verb 3
log /tmp/vpntunnelse/log.txt"
OPVPNENABLE=`nvram get openvpncl_enable | awk '$1 == "0" {print $1}'`
if [ "$OPVPNENABLE" != 0 ]
then
nvram set openvpncl_enable=0
nvram commit
fi
Hi, I have a problem with your script heckheck, do you know how to solve the following issue? I replaced some of the numbers in the IPs with XX on purpose, tell me if you need them.
Code:
Mon May 14 00:31:39 2012 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS XX.XX.XX.XX,dhcp-option DNS XX.XXX.XXX.X,redirect-gateway def1,route XX.XX.1.1,topology net30,ping 10,ping-restart 160,ifconfig XX.XX.1.190 XX.XX.1.189'
Mon May 14 00:31:39 2012 OPTIONS IMPORT: timers and/or timeouts modified
Mon May 14 00:31:39 2012 OPTIONS IMPORT: --ifconfig/up options modified
Mon May 14 00:31:39 2012 OPTIONS IMPORT: route options modified
Mon May 14 00:31:39 2012 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Mon May 14 00:31:39 2012 WARNING: Since you are using --dev tap, the second argument to --ifconfig must be a netmask, for example something like 255.255.255.0. (silence this warning with --ifconfig-nowarn)
Mon May 14 00:31:39 2012 OpenVPN ROUTE: OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options
Mon May 14 00:31:39 2012 OpenVPN ROUTE: failed to parse/resolve route for host/network: XX.XX.1.1
Mon May 14 00:31:39 2012 TUN/TAP device tap0 opened
Mon May 14 00:31:39 2012 TUN/TAP TX queue length set to 100
Mon May 14 00:31:39 2012 /sbin/ifconfig tap0 10.99.1.190 netmask XX.XX.1.189 mtu 1500 broadcast 255.255.255.254
Mon May 14 00:31:39 2012 Linux ifconfig failed: external program exited with error status: 1
Mon May 14 00:31:39 2012 Exiting
My connection had been stable for weeks and then I had problems I noticed today. I was seeing very similar errors to the one you posted before I added the float earlier today. It could have been a coincidence that adding float fixed it. I can tell you that your problem is with the dhcp line being sent to you by the server:
control message: 'PUSH_REPLY,dhcp-option DNS XX.XX.XX.XX,dhcp-option DNS XX.XXX.XXX.X,redirect-gateway def1,route XX.XX.1.1,topology net30,ping 10,ping-restart 160,ifconfig XX.XX.1.190 XX.XX.1.189'
The first bolded portion above (route) appears as 'route-gateway' rather than 'route', followed by the gateway IP address, in the dhcp line returned to me from vpntunnel.se. The route command is not succeeding and that's causing the script to fail.
There is another problem too, which doesn't cause the script to fail, but is just as serious. The second bolded portion above should read 255.255.255.0 (a netmask) and not XX.XX.1.189. I just checked my successful log from earlier today and I see the netmask of 255.255.255.0 in my dhcp line from the server (previously I was seeing something similar to what you are seeing). It could be that some of the servers over at vpntunnel.se are messed up currently and returning bad DHCP commands. Perhaps I just got lucky on a given reconnection. I'd offer to test that theory, but I don't want to scuttle my current connection, sorry.
Try a few more times and see how you fare.
Hi, yes I'm using float in my config file.
However, I got it working after all, but it's not smooth and it locks me up with an active PuTTY session.
What I did was log in to the router manually through SSH and just execute /usr/sbin/openvpn /tmp/vpntunnelse/openvpn.conf four or five times, and all of a sudden it was just connected and I executed firewall.sh and route-up.sh.
I can see the PUSH_REPLY with the DHCP option is different on the successful try than on the failure, as you said before.
Success:
Code:
Mon May 14 09:45:08 2012 us=93651 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS XX.XX.0.2,dhcp-option DNS XX.XXX.246.2,redirect-gateway def1,route-gateway XXX.XX.XXX.X,ping 10,ping-restart 160'
Could we somehow add into the code that it retries connecting until it gets this proper reply on the dhcp-option, or does anyone have a better idea?
EDIT: Perhaps we can somehow restart the initialization of the openvpn process when this issue appears: "external program exited with error status: 1"
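As an added example for the "retry until we get a proper reply" idea (this is not code from the thread and not heckheck's script), the sh functions below inspect the PUSH_REPLY line that OpenVPN logs and reject the two conditions visible in the failing log above: a pushed "route" with no "route-gateway" to go with it, and a pushed "ifconfig" whose second argument is a peer address instead of a netmask, which is what the "--dev tap" warning and the failing /sbin/ifconfig call are complaining about. The function names, the placeholder addresses and the sample log lines are constructed for this example; the sample lines are shaped like the two replies quoted in this thread.

```shell
#!/bin/sh
# Added example, not part of the original thread or of heckheck's startup
# script. Assumes a "dev tap" client, as in the configs posted above.

# push_reply_ok LOGLINE
# Exit 0 when the options pushed in a PUSH_REPLY log line are usable for a
# tap client:
#   - a bare "route X" is only accepted when a route-gateway is pushed too
#     (otherwise OpenVPN logs "needs a gateway parameter for a --route option")
#   - the second argument of a pushed "ifconfig" must be a netmask (255.x.x.x),
#     not the net30 peer address that /sbin/ifconfig then refuses
push_reply_ok() {
    reply="$1"
    case "$reply" in
        *PUSH_REPLY,*) ;;
        *) return 1 ;;                     # not a PUSH_REPLY line at all
    esac
    q="'"
    opts="${reply#*PUSH_REPLY,}"           # drop everything before the option list
    opts="${opts%$q*}"                     # drop the closing quote of the log line

    has_route=0
    has_gateway=0
    ifconfig_ok=1
    old_ifs="$IFS"
    IFS=','                                # options are comma separated
    for opt in $opts; do
        case "$opt" in
            "route-gateway "*) has_gateway=1 ;;
            "route "*)         has_route=1 ;;
            "ifconfig "*)
                mask="${opt##* }"          # last word of "ifconfig ADDR MASK"
                case "$mask" in
                    255.*) ;;              # looks like a netmask
                    *) ifconfig_ok=0 ;;    # peer address, ifconfig will fail
                esac
                ;;
        esac
    done
    IFS="$old_ifs"

    if [ "$has_route" -eq 1 ] && [ "$has_gateway" -eq 0 ]; then
        return 1
    fi
    [ "$ifconfig_ok" -eq 1 ]
}

# log_push_ok LOGFILE
# Same check against the most recent PUSH_REPLY in an OpenVPN log file,
# e.g. the /tmp/vpntunnelse/log.txt written by the script above.
log_push_ok() {
    line=$(grep 'PUSH_REPLY' "$1" | tail -n 1)
    push_reply_ok "$line"
}

# Constructed sample lines shaped like the two replies quoted in this thread;
# the XX addresses are placeholders exactly as in the original posts.
BAD_REPLY="Mon May 14 00:31:39 2012 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS XX.XX.XX.XX,dhcp-option DNS XX.XXX.XXX.X,redirect-gateway def1,route XX.XX.1.1,topology net30,ping 10,ping-restart 160,ifconfig XX.XX.1.190 XX.XX.1.189'"
GOOD_REPLY="Mon May 14 09:45:08 2012 us=93651 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS XX.XX.0.2,dhcp-option DNS XX.XXX.246.2,redirect-gateway def1,route-gateway XXX.XX.XXX.X,ping 10,ping-restart 160'"

# Print one verdict per sample so the script does something when run directly.
demo() {
    for sample in "$BAD_REPLY" "$GOOD_REPLY"; do
        if push_reply_ok "$sample"; then
            echo "usable:   ${sample#*message: }"
        else
            echo "rejected: ${sample#*message: }"
        fi
    done
}
demo
```

In a startup script you would call log_push_ok /tmp/vpntunnelse/log.txt a few seconds after starting openvpn, and kill and restart the client when it returns non-zero, which is a scripted version of what the poster did by hand four or five times. The check is deliberately narrow: it only looks at the two option types that broke the tap setup in the log above, so it does not reject replies that merely differ in DNS servers or timers.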