OpenVPN tunnel not working :(

DD-WRT Forum Index -> Advanced Networking, page 2 of 3
Worthatry
DD-WRT Novice


Joined: 06 Jan 2012
Posts: 29

PostPosted: Sun Jun 03, 2012 13:47
Finally, I upgraded my WRT54GL acting as a router to build 15962, and I'm now able to establish a successful connection :)

By the way, the log file on the server displays this when the connection is established:

Quote:
20120603 15:41:58 WRTT54GL/xx.xx.xx.xx:2048 MULTI: bad source address from client [192.168.0.1] packet dropped
20120603 15:42:00 WRTT54GL/xx.xx.xx.xx:2048 MULTI: bad source address from client [192.168.0.1] packet dropped
20120603 15:42:00 WRTT54GL/xx.xx.xx.xx:2048 MULTI: bad source address from client [192.168.0.1] packet dropped
20120603 15:42:01 WRTT54GL/xx.xx.xx.xx:2048 MULTI: bad source address from client [192.168.0.1] packet dropped
20120603 15:42:01 WRTT54GL/xx.xx.xx.xx:2048 MULTI: bad source address from client [192.168.0.1] packet dropped
20120603 15:42:07 WRTT54GL/xx.xx.xx.xx:2048 NOTE: --mute triggered...
20120603 15:43:56 23 variation(s) on previous 5 message(s) suppressed by --mute


This error happens approximately every minute, even if I'm not using the VPN tunnel.

I tried a lot of things to understand what is going on, but with no success...

Can someone help me?

Thanks
Sash
DD-WRT Guru


Joined: 20 Sep 2006
Posts: 17619
Location: Hesse/Germany

PostPosted: Sun Jun 03, 2012 16:39
upgrade
_________________
Forum Guidelines...How to get help
&
Forum Rules
&
RTFM/STFW
&
Throw some buzzwords into the WIKI search!
_________________
I'm NOT rude, just offer pure facts!
_________________
Atheros (TP-Link & Clones, etc ) debrick service in EU
_________________
Guide on HowTo be Safe, Secure and Protect Your Online Anonymity!
Worthatry
DD-WRT Novice


Joined: 06 Jan 2012
Posts: 29

PostPosted: Sun Jun 03, 2012 17:06
You mean it's a known bug in build 15962...? :?

And what build would you recommend for a stable OpenVPN?
MrFidget
DD-WRT User


Joined: 15 Jul 2010
Posts: 378

PostPosted: Mon Jun 04, 2012 2:03
iroute files

As per a previous post somewhere else.....

Re the iroute files:
These tell the server the routes for the client routers

In your openvpn.conf put the following line
Code:

client-config-dir /tmp/openvpn/clients


This sets the directory for the iroute files.

In your startup script under Administration -> Commands put the following
Code:

#
# OpenVPN internal routes
#
mkdir -p /tmp/openvpn/
mkdir -p /tmp/openvpn/clients
# Brisbane
echo "iroute 192.168.2.0 255.255.255.0" > /tmp/openvpn/clients/brisbane

For each client, name the file after the common name you used when you created its certificate, and put in the appropriate IP range. You can also append (>>) a second line if you have more than one subnet at the remote location. For example:

Code:

#
# OpenVPN internal routes
#
mkdir -p /tmp/openvpn/
mkdir -p /tmp/openvpn/clients
# Brisbane
# Data VLAN
echo "iroute 192.168.2.0 255.255.255.0" > /tmp/openvpn/clients/brisbane
# Voice VLAN
echo "iroute 192.168.22.0 255.255.255.0" >> /tmp/openvpn/clients/brisbane


These files allow the server network to see the clients. It also means that client Internet traffic does not travel through the server's connection.

#'s are comments and ignored by the parser.

More info here
http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing (first page on searching "OpenVPN iroute" in Google)

Hope this helps

/C
Worthatry
DD-WRT Novice


Joined: 06 Jan 2012
Posts: 29

PostPosted: Mon Jun 04, 2012 9:28
Hi,

I already tried iroute, but thanks to your post I just realized I made a mistake when using it; for the client name I didn't pay attention to the common name used when creating the certificate...

I will try it again, it should work better :)

MrFidget wrote:

These files allow the server network to see the clients. Also means that client Internet traffic does not travel through the server's connection.


My goal is to redirect the client's Internet traffic through the VPN; so am I going to have a new issue, even if I keep using the "redirect-gateway" option?

Thank you !

Baptiste
Worthatry
DD-WRT Novice


Joined: 06 Jan 2012
Posts: 29

PostPosted: Mon Jun 04, 2012 19:38
I added an iroute, with no success...

Startup script on the server:

Quote:

# OpenVPN internal routes
#
mkdir -p /tmp/openvpn/
mkdir -p /tmp/openvpn/clients

echo "iroute 192.168.3.0 255.255.255.0" > /tmp/openvpn/clients/my_common_name


My client router local IP address is 192.168.3.1

And I added this line in the OpenVPN server conf:

client-config-dir /tmp/openvpn/clients

I really can't see what I'm doing wrong... :(
MrFidget
DD-WRT User


Joined: 15 Jul 2010
Posts: 378

PostPosted: Mon Jun 04, 2012 21:11
Look at your openvpn.conf files

This is what I have for one customer's client and server

root@bris-tpg1:~# cat /tmp/openvpn/openvpn.conf
Code:

dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
keepalive 10 120
verb 4
mute 5
log-append /var/log/openvpn
tls-server
port 11195
proto udp
cipher bf-cbc
auth sha256
management 127.0.0.1 5002
management-log-cache 50
mtu-disc yes
topology subnet
ifconfig-pool-persist /tmp/openvpn/ip-pool 86400
comp-lzo yes
client-to-client
tls-cipher AES128-SHA
fast-io
tun-mtu 1500
mssfix 1450
fragment 1450
server 172.22.66.64 255.255.255.192
dev tun0
# OpenVPN.conf Routes
# Brisbane Routing Table
client-config-dir /tmp/openvpn/clients
# Internal LAN Subnet
push "route 172.17.2.0 255.255.255.0"
push "route 10.0.2.0 255.255.255.0"
push "route 172.17.102.0 255.255.255.0"
#
# Client Routes
#
# Sunshine Coast
push "route 172.17.7.0 255.255.255.0  172.22.66.65 1"
route 172.17.7.0 255.255.255.0 172.22.66.65 1
# Gold Coast
push "route 172.17.3.0 255.255.255.0  172.22.66.65 1"
route 172.17.3.0 255.255.255.0 172.22.66.65 1


root@sun-tel:~# cat /tmp/openvpncl/openvpn.conf
Code:

ca /tmp/openvpncl/ca.crt
cert /tmp/openvpncl/client.crt
key /tmp/openvpncl/client.key
management 127.0.0.1 5001
management-log-cache 50
verb 4
mute 5
log-append /var/log/openvpncl
client
tls-client
dev tun1
proto udp
cipher bf-cbc
auth sha256
resolv-retry infinite
nobind
persist-key
persist-tun
mtu-disc yes
remote vpn.server.company.net 11195
tun-mtu 1500
mssfix 1450
fragment 1450
ns-cert-type server
comp-lzo yes
fast-io
tls-cipher AES128-SHA
management 127.0.0.1 5002
management-log-cache 50
script-security 3


The server network has 3 VLANs: Voice, Data and a Guest VLAN which has no access outside of 172.17.102.0/24. The other networks can see resources, such as printers, in this subnet.

The client site has a single VLAN with 2 phones, 2 PCs and a printer or two. No need to split.

Each site has local Internet; however, I am sending Windows AD DNS queries to the server network's Windows servers. Split DNS.

Have a look through these and compare them with what you have

Good luck and report back
/C
Worthatry
DD-WRT Novice


Joined: 06 Jan 2012
Posts: 29

PostPosted: Mon Jun 04, 2012 21:57
Thank you for your help, very much appreciated here...

So, my client file is nearly identical:

Quote:

root@DD-WRT:~# cat /tmp/openvpncl/openvpn.conf
ca /tmp/openvpncl/ca.crt
cert /tmp/openvpncl/client.crt
key /tmp/openvpncl/client.key
management 127.0.0.1 5001
management-log-cache 50
verb 4
mute 5
log-append /var/log/openvpncl
client
tls-client
dev tun1
proto udp
cipher bf-cbc
auth sha1
resolv-retry infinite
nobind
persist-key
persist-tun
mtu-disc yes
remote mydomain.dyndns.org 1194
ns-cert-type server
comp-lzo yes
fast-io


The only missing parameters are the UDP ones (tun-mtu, mssfix, fragment) and these:

tls-cipher AES128-SHA
management 127.0.0.1 5002
management-log-cache 50
script-security 3

Since my TLS cipher is OFF, my config file is only missing "management 127.0.0.1 5002" -> it could explain these errors in my logs (both on server and client side):

Quote:

20120604 23:41:22 MANAGEMENT: Client connected from 127.0.0.1:5001
20120604 23:41:22 D MANAGEMENT: CMD 'state'
20120604 23:41:22 MANAGEMENT: Client disconnected
20120604 23:41:22 MANAGEMENT: Client connected from 127.0.0.1:5001
20120604 23:41:22 D MANAGEMENT: CMD 'log 500'


Ok, now my server config:

Quote:

root@DD-WRT:~# cat /tmp/openvpn/openvpn.conf
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
keepalive 10 120
verb 4
mute 5
log-append /var/log/openvpn
tls-server
port 1194
proto udp
cipher bf-cbc
auth sha1
management 127.0.0.1 5002
management-log-cache 50
mtu-disc yes
topology subnet
ifconfig-pool-persist /tmp/openvpn/ip-pool 86400
comp-lzo yes
client-to-client
push "redirect-gateway def1"
fast-io
server 192.168.66.0 255.255.255.0
dev tun0
push "route 192.168.66.0 255.255.255.0"
push "route 192.168.2.0 255.255.255.0"

client-config-dir /tmp/openvpn/clients

route 192.168.3.0 255.255.255.0

# push "dhcp-option DNS 208.67.222.222"
# push "dhcp-option DNS 208.67.220.220"

keepalive 1 5
persist-tun
persist-key
push "persist-key"
push "persist-tun"


There are a lot of differences and the logic seems to be different on some points. What I do is:

- Pushing routes for the server local LAN and the server VPN LAN:

push "route 192.168.66.0 255.255.255.0" (VPN LAN)
push "route 192.168.2.0 255.255.255.0" (Server local LAN)

- Create a route for the client LAN:
route 192.168.3.0 255.255.255.0

I hope it will help to find what is going on...

Baptiste
Worthatry
DD-WRT Novice


Joined: 06 Jan 2012
Posts: 29

PostPosted: Mon Jun 04, 2012 22:25
One more thing:

If I reboot my VPN server, the client is unable to reconnect:

N RESOLVE: Cannot resolve host address: mydomain.dyndns.org: [HOST_NOT_FOUND] The specified host is unknown.

:?
Worthatry
DD-WRT Novice


Joined: 06 Jan 2012
Posts: 29

PostPosted: Wed Jun 06, 2012 11:58
Worthatry wrote:
One more thing:

If I reboot my VPN server, the client is unable to reconnect:

N RESOLVE: Cannot resolve host address: myserverdomain.dyndns.org: [HOST_NOT_FOUND] The specified host is unknown.

:?


It's very strange: if I put the IP address of the server instead of the domain name, the error doesn't occur anymore... Apparently, I'm not the only one to have this issue... is it a bug?


I have another strange behavior; if I disable OpenVPN on the client router I can connect to the web GUI from anywhere (using the client domain name, port 8080), but once OpenVPN is set up and connected it doesn't work anymore (even with telnet); after a few minutes I get this error in my browser:

Quote:

The system cannot communicate with the external server ( myclientdomain.dyndns.org ). The Internet server may be busy, may be permanently down, or may be unreachable because of network problems.

Please check the spelling of the Internet address entered. If it is correct, try this request later.

If you have questions, or feel this is an error, please contact your corporate network administrator and provide the codes shown below.
Notification codes: (1, GATEWAY_TIMEOUT, myclientdomain.dyndns.org)


And this behavior only happens on the client side... The OpenVPN server remains accessible from anywhere at any time...
Worthatry
DD-WRT Novice


Joined: 06 Jan 2012
Posts: 29

PostPosted: Fri Jun 08, 2012 10:22
mayday, mayday, mayday...
MrFidget
DD-WRT User


Joined: 15 Jul 2010
Posts: 378

PostPosted: Mon Jun 11, 2012 2:09
Quote:
mayday, mayday, mayday...

But it's June.

:o
/C
MrFidget
DD-WRT User


Joined: 15 Jul 2010
Posts: 378

PostPosted: Mon Jun 11, 2012 2:16
Seriously though,

I got caught with a misspelled common name in the client certificate. Did sort of what you are describing, killed LAN access. Had me screwed. Some sleep and I made it work. Maybe the same for you ;) ?

There is / has been an issue with DynDNS.

If you are stuck with dynamic DNS, it makes life a little harder. All of my deployments are static.

I've been flat out at the moment on an Asterisk, OpenVPN & SER (milkfish maybe or even a compiled Kamailio) project to connect a commercial IP PBX system securely to a public SIP switch.
I'll have a closer look when I get a moment, but I am on a deadline and working during a public holiday here in AU.
:'(

Keep the faith, you'll get there

Cheers
Chris
Worthatry
DD-WRT Novice


Joined: 06 Jan 2012
Posts: 29

PostPosted: Wed Jun 13, 2012 9:35
Thanks for your support :) I tried to sleep, and sleep again, and again, but no results. Maybe the way to go is to try mushrooms. I *have to* be able to see in the matrix.

Good luck on your side !

Bests

Baptiste
kennsington
DD-WRT Novice


Joined: 08 Jun 2012
Posts: 11
Location: Fayetteville, TN

PostPosted: Wed Jun 13, 2012 15:11
First, it isn't necessary to push the route of the vpn subnet. OpenVPN will create that route automatically.

You posted:
Quote:
20120603 15:41:58 WRTT54GL/xx.xx.xx.xx:2048 MULTI: bad source address from client [192.168.0.1] packet dropped
20120603 15:42:00 WRTT54GL/xx.xx.xx.xx:2048 MULTI: bad source address from client [192.168.0.1] packet dropped
20120603 15:42:00 WRTT54GL/xx.xx.xx.xx:2048 MULTI: bad source address from client [192.168.0.1] packet dropped
20120603 15:42:01 WRTT54GL/xx.xx.xx.xx:2048 MULTI: bad source address from client [192.168.0.1] packet dropped
20120603 15:42:01 WRTT54GL/xx.xx.xx.xx:2048 MULTI: bad source address from client [192.168.0.1] packet dropped
20120603 15:42:07 WRTT54GL/xx.xx.xx.xx:2048 NOTE: --mute triggered...
20120603 15:43:56 23 variation(s) on previous 5 message(s) suppressed by --mute


which is saying that something is coming from 192.168.0.1; however, you stated later:
Quote:
My client router local IP address is 192.168.3.1


Which is it?

I had the same issue with losing all connection to the client after connecting to the VPN server. This was an iroute issue for me. Once I added the correct iroute it worked.

Make sure you are using the exact same common-name for the filename in /tmp/openvpn/clients/ as your client's common name.
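The two things this thread keeps coming back to, the client sourcing packets from an address no iroute covers and the ccd file name not matching the certificate's common name, can be checked mechanically instead of by staring at configs. The script below is an added example written for this page, not code from the thread, from DD-WRT or from OpenVPN. It parses "MULTI: bad source address" lines from the server log, the iroute entries in the client-config-dir files (MrFidget's /tmp/openvpn/clients layout), and the plain `route` lines of the server config, and reports the mismatches. It goes one step beyond the thread by also checking the rule from the OpenVPN manual that every iroute needs a matching kernel `route` on the server. The log lines, ccd contents and config fragment are constructed from the values posted above (the redacted peer address is kept as xx.xx.xx.xx), so it runs offline.

```python
"""Cross-check an OpenVPN server's "bad source address" log lines against its
client-config-dir (ccd) iroute files and its own `route` lines.

Added example for this thread, not code from the thread or from OpenVPN.
All sample input below is constructed from values posted in the thread."""
import ipaddress
import re

# Matches the server log format seen in the thread:
#   20120603 15:41:58 <CN>/<peer-ip>:<port> MULTI: bad source address from client [<ip>] packet dropped
BAD_SRC_RE = re.compile(
    r"^\S+ \S+ (?P<cn>[^/\s]+)/\S+ MULTI: bad source address from client "
    r"\[(?P<src>[0-9.]+)\] packet dropped"
)


def parse_bad_source_lines(log_text):
    """Return {common_name: {offending source IP, ...}} from server log text."""
    hits = {}
    for line in log_text.splitlines():
        m = BAD_SRC_RE.match(line.strip())
        if m:
            hits.setdefault(m["cn"], set()).add(m["src"])
    return hits


def _net(addr, mask):
    # OpenVPN writes "network netmask"; ipaddress wants "network/mask"
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_iroutes(ccd_files):
    """ccd_files: {file name (must equal the client cert CN): file contents}.
    Returns {cn: [networks the client is allowed to source traffic from]}."""
    routes = {}
    for cn, text in ccd_files.items():
        nets = routes.setdefault(cn, [])
        for line in text.splitlines():
            parts = line.split("#", 1)[0].split()  # '#' starts a comment
            if len(parts) == 3 and parts[0] == "iroute":
                nets.append(_net(parts[1], parts[2]))
    return routes


def parse_server_routes(conf_text):
    """Kernel routes the server config itself adds (plain `route`), not `push "route"`."""
    nets = []
    for line in conf_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 3 and parts[0] == "route":
            nets.append(_net(parts[1], parts[2]))
    return nets


def diagnose(log_text, ccd_files, server_conf):
    """Return a list of human-readable findings; an empty list means nothing to fix."""
    findings = []
    iroutes = parse_iroutes(ccd_files)
    kernel_routes = parse_server_routes(server_conf)

    for cn, srcs in parse_bad_source_lines(log_text).items():
        if cn not in iroutes:
            # The ccd file name must match the certificate CN exactly, or OpenVPN never reads it.
            findings.append(
                f"{cn}: no ccd file named exactly '{cn}' (have: {sorted(iroutes) or 'none'})"
            )
            continue
        for src in sorted(srcs):
            if not any(ipaddress.ip_address(src) in n for n in iroutes[cn]):
                findings.append(
                    f"{cn}: source {src} not covered by its iroute(s) "
                    f"{[str(n) for n in iroutes[cn]]}"
                )

    # iroute only tells OpenVPN which client owns a subnet; the server kernel still needs
    # a matching `route` line, or traffic for that subnet never reaches the tun interface.
    for cn, nets in iroutes.items():
        for n in nets:
            if not any(n.subnet_of(k) for k in kernel_routes):
                findings.append(f"{cn}: iroute {n} has no matching 'route' line in the server config")
    return findings


# Constructed sample input, built from the values posted in this thread.
SAMPLE_LOG = """\
20120603 15:41:58 WRTT54GL/xx.xx.xx.xx:2048 MULTI: bad source address from client [192.168.0.1] packet dropped
20120603 15:42:00 WRTT54GL/xx.xx.xx.xx:2048 MULTI: bad source address from client [192.168.0.1] packet dropped
20120603 15:42:07 WRTT54GL/xx.xx.xx.xx:2048 NOTE: --mute triggered...
"""
SAMPLE_CCD = {"my_common_name": "iroute 192.168.3.0 255.255.255.0\n"}  # file name != CN in the log
SAMPLE_CONF = "server 192.168.66.0 255.255.255.0\nroute 192.168.3.0 255.255.255.0\n"

if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG, SAMPLE_CCD, SAMPLE_CONF):
        print(finding)
```

Run as-is it reports that the log's common name WRTT54GL has no ccd file of that exact name. On a real router you would feed it the contents of /var/log/openvpn, the files under /tmp/openvpn/clients and /tmp/openvpn/openvpn.conf; the check that a source address falls inside the client's iroute is exactly what OpenVPN does before logging "bad source address", and the filename check is the mistake both Worthatry and MrFidget describe.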