OpenVPN Bridge wont stay UP!

DD-WRT Forum Index -> Broadcom SoC based Hardware
pwhalley
DD-WRT User
Joined: 24 Oct 2006
Posts: 56
Posted: Sat Mar 24, 2007 16:36    Post subject: OpenVPN Bridge wont stay UP!
Greetings all:

I am working to get openvpn working in bridge mode according to http://www.dd-wrt.com/wiki/index.php/OpenVPN_-_Site-to-Site_Bridged_VPN_Between_Two_Routers. I have also studied the bridging info here http://openvpn.net/faq.html#bridge1.

I haven't been able to figure out how this works. The directions say to use the SAME DHCP IP range on both sides of the bridge! What happens when both WRTs hand out the same IP address? I also don't want to end up with inaccessible DNS server info being handed out, etc. Comments?

Thanks so much for any help offered.

I seem to have most of it working right, since I can get the remote router's internal (192.168.x.x) IP and a really dumb device connected to it to respond to pings over the web right after router startup. I have also been able to browse shares and transfer a few files (in both directions) when the bridge is up. If I keep pinging, the VPN bridge stays up. However, if I stop pinging, the connection eventually shuts down thusly:

<29>openvpn[557]: dd-wrt-22/75.88.129.19:1028 [dd-wrt-22] inactivity timeout (--ping-restart), restarting
<29>openvpn[557]: dd-wrt-22/75.88.129.19:1028 sigusr1[soft,ping-restart] received, client-instance restarting
The remote end of the bridge does not reconnect. A reboot of the router will restore the connection. The connection will also restart spontaneously on occasion. These spontaneous restarts are not caused by PCs on the remote net (there aren't any at that time). Perhaps a DNS update due to an IP address change? I am using dynamic DNS and it seems to be working fine. How do I fix this?

This is the only message I have found during startup that seems like it might indicate a problem.
<27>openvpn[557]: dd-wrt-22/75.88.129.19:1028 multi: no dynamic or static remote --ifconfig address is available for dd-wrt-22/75.88.129.19:1028
How do I fix this?

I assigned a different port for OpenVPN to use (an unused 22xxx port) but don't see that port in use in logs such as the segment shown above. If I understand it correctly, 1028 (a deprecated port number according to IANA) is being used. What gives here? Update: I changed the port to the default 1194 and now the logs show 1027 (also not in use)!!

Of course I have removed the "naughty bits" from the config files below.

Firewall config on home wrt:
/usr/sbin/iptables -I INPUT -p udp --dport 1194 -j ACCEPT

Startup config on home wrt:
cd /tmp
openvpn --mktun --dev tap0
brctl addif br0 tap0
ifconfig tap0 0.0.0.0 promisc up

echo "
# Tunnel options
mode server # Set OpenVPN major mode
proto udp # Setup the protocol (server)
port 1194 # TCP/UDP port number
dev tap0 # TUN/TAP virtual network device
keepalive 15 60 # Simplify the expression of --ping
daemon # Become a daemon after all initialization
verb 8 # Set output verbosity to n
comp-lzo # Use fast LZO compression

# OpenVPN server mode options
client-to-client # tells OpenVPN to internally route client-to-client traffic
#duplicate-cn # Allow multiple clients with the same common name

# TLS Mode Options
tls-server # Enable TLS and assume server role during TLS handshake
ca ca.crt # Certificate authority (CA) file
dh dh1024.pem # File containing Diffie Hellman parameters
cert server.crt # Local peer's signed certificate
key server.key # Local peer's private key
" > openvpn.conf

echo "
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
" > ca.crt
echo "
-----BEGIN RSA PRIVATE KEY-----
" > server.key
chmod 600 server.key
echo "
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
" > server.crt
echo "
-----BEGIN DH PARAMETERS-----
-----END DH PARAMETERS-----
" > dh1024.pem

sleep 5
ln -s /usr/sbin/openvpn /tmp/myvpn
/tmp/myvpn --config openvpn.conf

config on remote wrt:
cd /tmp
ln -s /usr/sbin/openvpn /tmp/myvpn
./myvpn --mktun --dev tap0
brctl addif br0 tap0
ifconfig tap0 0.0.0.0 promisc up
sleep 5

echo "
tls-client
dev tap0
proto udp
remote mydomainname.mooo.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
comp-lzo
verb 8
" > /tmp/client.conf

echo "
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
" > /tmp/ca.crt

echo "
-----BEGIN RSA PRIVATE KEY-----

-----END RSA PRIVATE KEY-----
" > /tmp/client.key
chmod 600 /tmp/client.key

echo "
Certificate:

-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
" > /tmp/client.crt

./myvpn --config client.conf
placebo
DD-WRT User
Joined: 15 Sep 2006
Posts: 200
Posted: Sat Mar 24, 2007 19:43
In your client configuration file, change the first line from "tls-client" to just "client".
pwhalley
DD-WRT User
Joined: 24 Oct 2006
Posts: 56
Posted: Tue Mar 27, 2007 2:13
Thanks!

This seems to have worked. Should some kind of remark be added to the wiki to deal with this? Perhaps the change is trivial, but I never would have figured it out on my own! I would like to save someone else the trouble of having to search/ask.

I am seeing some misbehavior regarding DHCP with the present config. Computers at home configured for DHCP are getting addresses issued from the remote router (they are showing up on the network status page of the remote router).

Placebo (or anyone else, of course), are you willing/able to suggest a proper DHCP config?

This is probably obvious, but I am hoping to have each router hand out DNS information allowing internet traffic 'directly' through the ISP's connection local to each router. I am using dynamic DNS on each end, if that matters. I do want to keep Samba share capability, etc.

Thanks again for the help.

Peter
placebo
DD-WRT User
Joined: 15 Sep 2006
Posts: 200
Posted: Tue Mar 27, 2007 6:11
I'm not clear on what problem you're having regarding IP addresses. Your system will typically have two IP addresses assigned to it, one from the local router and a second one on the TAP interface from the remote router running the VPN server. What network traffic goes through which interface depends on what routes you set up on your computer.
Cyberian
DD-WRT User
Joined: 07 Jun 2006
Posts: 198
Location: Oregon, US
Posted: Tue Mar 27, 2007 6:19
pwhalley wrote:
Placebo (or anyone else, of course), are you willing/able to suggest a proper DHCP config?

I think you need...
Code:
push "dhcp-option DNS local-nat-ip"
push "route-gateway router-ip"

...in your server config.

_________________
Michael
WRT54GS v1.1 with Eko JFFS + OpenVPN
placebo
DD-WRT User
Joined: 15 Sep 2006
Posts: 200
Posted: Tue Mar 27, 2007 11:21
Ignore my last post. I didn't read back earlier and see that you were connecting two routers. I guess your problem is that you want to make sure that the computers use the local internet connection when appropriate instead of routing all traffic through the VPN, which is what will happen when the remote router responds to a DHCP request. Is this correct? The assigned IP addresses shouldn't be a problem since everything's on the same network, but you'd want a different gateway depending on the location of a system.
pwhalley
DD-WRT User
Joined: 24 Oct 2006
Posts: 56
Posted: Wed Mar 28, 2007 2:10
You have it exactly (almost) placebo.

The only point of confusion here is that the directions (link in original post) say use same DHCP range on both routers! So what happens when the respective DHCP servers hand out the same address from the same range? This part is easy to fix. I just can't believe the directions say (and meant to say) that! I am more inclined to think I am missing something!

Assuming I need to set up separate ranges on each router, that leaves this message:
<27>openvpn[557]: dd-wrt-22/75.88.129.19:1028 multi: no dynamic or static remote --ifconfig address is available for dd-wrt-22/75.88.129.19:1028
How do I fix this? And there is the general question of optimum DNS settings for each router.

Do I understand correctly that in bridge mode, IP addresses for the VPN interfaces make no sense because the bridge is invisible and no routing per se takes place (all broadcast traffic is passed, as is any traffic for IPs on the other side)?

Thanks again to all.

Peter
placebo
DD-WRT User
Joined: 15 Sep 2006
Posts: 200
Posted: Wed Mar 28, 2007 8:22
pwhalley wrote:
The only point of confusion here is that the directions (link in original post) say use same DHCP range on both routers! So what happens when the respective DHCP servers hand out the same address from the same range? This part is easy to fix. I just can't believe the directions say (and meant to say) that! I am more inclined to think I am missing something!

I noticed that too. I'm fairly certain it's a mistake, but I could be wrong.

Anyway, here's the man page for dnsmasq. There are some options that might solve your problem.
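As an added example (not from the thread, DD-WRT or OpenVPN), a small POSIX shell lint that checks the three things this thread trips over: a client config using tls-client without pull (placebo's fix), a tap-mode server with no ifconfig-pool or server-bridge (my reading of what the "no dynamic or static remote --ifconfig address" line means, not something the thread states), and two routers' DHCP ranges overlapping on the bridged LAN. The sample configs, hostname and address ranges it creates are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: lint OpenVPN bridge configs for the pitfalls
# discussed above. Needs only busybox-style sh, grep and awk (what DD-WRT ships).
# Print "overlap" if two dhcp-range spans (start end start end) share an address,
# else "disjoint". Two routers bridged into one LAN must serve disjoint spans.
dhcp_ranges_overlap() {
    echo "$1 $2 $3 $4" | awk '
        function n(ip, p) { split(ip, p, "."); return ((p[1]*256 + p[2])*256 + p[3])*256 + p[4] }
        { r = (n($1) <= n($4) && n($3) <= n($2)) ? "overlap" : "disjoint"; print r }'
}
# Lint a client config file; one finding per line, nothing printed when clean.
lint_client() {
    if grep -q '^tls-client' "$1" && ! grep -Eq '^(client|pull)' "$1"; then
        # "client" is tls-client plus pull. Without pull the pushed keepalive, dhcp-option
        # and route-gateway are ignored, so the client has no keepalive and never restarts.
        echo "tls-client without pull: pushed options ignored (use 'client')"
    fi
    grep -Eq '^verb +([6-9]|1[01])( |#|$)' "$1" && echo "verb >= 6 is debug logging; 3 is normal"
    return 0
}
# Lint a tap-mode server config file.
lint_server() {
    if grep -q '^mode server' "$1" && ! grep -Eq '^(server-bridge|ifconfig-pool)' "$1"; then
        # No pool means no tunnel address to push: benign in a pure layer-2 bridge, and the
        # reason the log says "no dynamic or static remote --ifconfig address is available".
        echo "no ifconfig-pool/server-bridge: clients get no pushed tunnel address"
    fi
    grep -Eq '^verb +([6-9]|1[01])( |#|$)' "$1" && echo "verb >= 6 is debug logging; 3 is normal"
    return 0
}
# Constructed samples mirroring the thread's configs (keys and certificates omitted).
TMP=$(mktemp -d)
cat > "$TMP/client.conf" <<'EOF'
tls-client
dev tap0
remote vpn.example.invalid 1194
verb 8
EOF
cat > "$TMP/server.conf" <<'EOF'
mode server
dev tap0
keepalive 15 60
verb 8
tls-server
EOF
lint_client "$TMP/client.conf"
lint_server "$TMP/server.conf"
dhcp_ranges_overlap 192.168.1.100 192.168.1.149 192.168.1.150 192.168.1.199
```

Run it against the real /tmp/openvpn.conf and /tmp/client.conf on each router; a clean client config prints nothing, and two dnsmasq ranges on the same subnet should report "disjoint".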