OpenVPN - no internet access (r18777)

Post new topic   Reply to topic    DD-WRT Forum Index -> Atheros WiSOC based Hardware
Author Message
kansaiuser
DD-WRT Novice


Joined: 08 May 2012
Posts: 11

PostPosted: Tue Jun 05, 2012 7:28    Post subject: OpenVPN - no internet access (r18777) Reply with quote
I'm trying to setup openvpn server via web gui and course all traffic (including internet) from client to vpn. Here's the generated config file:

dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
keepalive 10 120
verb 4
mute 5
log-append /var/log/openvpn
writepid /var/log/openvpnd.pid
management 127.0.0.1 5002
management-log-cache 50
mtu-disc yes
topology subnet
client-config-dir /tmp/openvpn/ccd
script-security 2
port 8152
proto tcp-server
cipher bf-cbc
auth sha1
tls-server
ifconfig-pool-persist /tmp/openvpn/ip-pool 86400
comp-lzo adaptive
client-to-client
push "redirect-gateway def1"
tls-cipher AES256-SHA
tcp-nodelay
tun-mtu 1500
server 10.10.10.0 255.255.255.0
dev tun0
passtos

and the client config:
client
dev tun
proto tcp
remote my-vpn-server-site 8152
resolv-retry 1
nobind
persist-key
persist-tun
route-method exe
route-delay 2
#redirect-gateway def1
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server
tls-cipher AES256-SHA
comp-lzo
verb 3

I can connect without a problem. browsing shared drive is not a problem too. Pinging other clients is ok as well. the only issue I have is no internet access. what am I doing wrong? I'm under the impression that in this version I don't have to touch firewall settings and do startup scripts. Am I wrong or I missed something? thank you in advance for the help!
Sponsor
Sash
DD-WRT Guru


Joined: 20 Sep 2006
Posts: 17619
Location: Hesse/Germany

PostPosted: Tue Jun 05, 2012 11:04    Post subject: Reply with quote
Code:
#redirect-gateway def1


is the problem

_________________
Forum Guidelines...How to get help
&
Forum Rules
&
RTFM/STFW
&
Throw some buzzwords into the WIKI search Exclamation
_________________
I'm NOT rude, just offer pure facts!
_________________
Atheros (TP-Link & Clones, etc ) debrick service in EU
_________________
Guide on HowTo be Safe, Secure and Protect Your Online Anonymity!
kansaiuser
DD-WRT Novice


Joined: 08 May 2012
Posts: 11

PostPosted: Tue Jun 05, 2012 13:07    Post subject: Reply with quote
Code:
client
dev tun
proto tcp
remote my-vpn-server-site 8152
resolv-retry 1
nobind
persist-key
persist-tun
route-method exe
route-delay 2
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server
tls-cipher AES256-SHA
comp-lzo
verb 3


thank you Sash for the input. however, I'm still getting the same, I still couldn't access the internet. Here's the client log:

Code:
Tue Jun 05 20:53:39 2012 OpenVPN 2.2.2 Win32-MSVC++ [SSL] [LZO2] [PKCS11] built on Dec 15 2011
Tue Jun 05 20:53:39 2012 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Tue Jun 05 20:53:40 2012 LZO compression initialized
Tue Jun 05 20:53:40 2012 Control Channel MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
Tue Jun 05 20:53:40 2012 Socket Buffers: R=[8192->8192] S=[8192->8192]
Tue Jun 05 20:53:40 2012 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
Tue Jun 05 20:53:40 2012 Local Options hash (VER=V4): '69109d17'
Tue Jun 05 20:53:40 2012 Expected Remote Options hash (VER=V4): 'c0103fa8'
Tue Jun 05 20:53:40 2012 Attempting to establish TCP connection with my-vpn-server-site:8152
Tue Jun 05 20:53:40 2012 TCP connection established with my-vpn-server-site:8152
Tue Jun 05 20:53:40 2012 TCPv4_CLIENT link local: [undef]
Tue Jun 05 20:53:40 2012 TCPv4_CLIENT link remote: my-vpn-server-site:8152
Tue Jun 05 20:53:41 2012 TLS: Initial packet from my-vpn-server-site:8152, sid=25e1aca4 8bfbd408
Tue Jun 05 20:53:41 2012 VERIFY OK: depth=1, /C=PH/ST=Laguna/L=Binan/O=comCom/OU=orgOrg/CN=bahay/name=name_name/emailAddress=myemailadd@gmail.com
Tue Jun 05 20:53:41 2012 VERIFY OK: nsCertType=SERVER
Tue Jun 05 20:53:41 2012 VERIFY OK: depth=0, /C=PH/ST=Laguna/L=Binan/O=comCom/OU=orgOrg/CN=server/name=name_name/emailAddress=myemailadd@gmail.com
Tue Jun 05 20:53:41 2012 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Jun 05 20:53:41 2012 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jun 05 20:53:41 2012 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Jun 05 20:53:41 2012 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jun 05 20:53:41 2012 Control Channel: TLSv1, cipher TLSv1/SSLv3 AES256-SHA, 1024 bit RSA
Tue Jun 05 20:53:41 2012 [server] Peer Connection Initiated with my-vpn-server-site:8152
Tue Jun 05 20:53:44 2012 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Tue Jun 05 20:53:44 2012 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,route-gateway 10.10.10.1,topology subnet,ping 10,ping-restart 120,socket-flags TCP_NODELAY,ifconfig 10.10.10.2 255.255.255.0'
Tue Jun 05 20:53:44 2012 OPTIONS IMPORT: timers and/or timeouts modified
Tue Jun 05 20:53:44 2012 OPTIONS IMPORT: --socket-flags option modified
Tue Jun 05 20:53:44 2012 Socket flags: TCP_NODELAY=1 succeeded
Tue Jun 05 20:53:44 2012 OPTIONS IMPORT: --ifconfig/up options modified
Tue Jun 05 20:53:44 2012 OPTIONS IMPORT: route options modified
Tue Jun 05 20:53:44 2012 OPTIONS IMPORT: route-related options modified
Tue Jun 05 20:53:44 2012 ROUTE default_gateway=192.168.1.254
Tue Jun 05 20:53:44 2012 TAP-WIN32 device [Local Area Connection 2] opened: \\.\Global\{EE4A5993-8F99-4119-B143-775DC671B6B1}.tap
Tue Jun 05 20:53:44 2012 TAP-Win32 Driver Version 9.9
Tue Jun 05 20:53:44 2012 TAP-Win32 MTU=1500
Tue Jun 05 20:53:44 2012 Set TAP-Win32 TUN subnet mode network/local/netmask = 10.10.10.0/10.10.10.2/255.255.255.0 [SUCCEEDED]
Tue Jun 05 20:53:44 2012 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.10.10.2/255.255.255.0 on interface {EE4A5993-8F99-4119-B143-775DC671B6B1} [DHCP-serv: 10.10.10.254, lease-time: 31536000]
Tue Jun 05 20:53:44 2012 Successful ARP Flush on interface [23] {EE4A5993-8F99-4119-B143-775DC671B6B1}
Tue Jun 05 20:53:46 2012 TEST ROUTES: 1/1 succeeded len=0 ret=1 a=0 u/d=up
Tue Jun 05 20:53:46 2012 C:\WINDOWS\system32\route.exe ADD my-vpn-server-site MASK 255.255.255.255 192.168.1.254
 OK!
Tue Jun 05 20:53:46 2012 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.10.10.1
 OK!
Tue Jun 05 20:53:46 2012 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.10.10.1
 OK!
Tue Jun 05 20:53:46 2012 Initialization Sequence Completed
Tue Jun 05 20:54:23 2012 TCP/UDP: Closing socket
Tue Jun 05 20:54:23 2012 C:\WINDOWS\system32\route.exe DELETE my-vpn-server-site MASK 255.255.255.255 192.168.1.254
 OK!
Tue Jun 05 20:54:23 2012 C:\WINDOWS\system32\route.exe DELETE 0.0.0.0 MASK 128.0.0.0 10.10.10.1
 OK!
Tue Jun 05 20:54:23 2012 C:\WINDOWS\system32\route.exe DELETE 128.0.0.0 MASK 128.0.0.0 10.10.10.1
 OK!
Tue Jun 05 20:54:24 2012 Closing TUN/TAP interface
Tue Jun 05 20:54:24 2012 SIGTERM[hard,] received, process exiting


appreciate anyone's help
Sash
DD-WRT Guru


Joined: 20 Sep 2006
Posts: 17619
Location: Hesse/Germany

PostPosted: Tue Jun 05, 2012 19:02    Post subject: Reply with quote
its a default route problem so check this.
_________________
Forum Guidelines...How to get help
&
Forum Rules
&
RTFM/STFW
&
Throw some buzzwords into the WIKI search Exclamation
_________________
I'm NOT rude, just offer pure facts!
_________________
Atheros (TP-Link & Clones, etc ) debrick service in EU
_________________
Guide on HowTo be Safe, Secure and Protect Your Online Anonymity!
bigsteve101
DD-WRT Novice


Joined: 15 Nov 2012
Posts: 4

PostPosted: Thu Nov 15, 2012 22:01    Post subject: Reply with quote
try this change ip's to suit your network hope it works..

iptables -I input 1 -p udp --dport 1194 -j ACCEPT
iptables -I FORWARD 1 --source 192.168.11.0/24 -j ACCEPT
iptables -I FORWARD br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.108.0.0/24 -o ppp0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o ppp0 -s 192.168.11.0/24 -j MASQUERADE
iptables -i FORWARD -i tun0 -o ppp0 -s 10.108.0.0/24 -m conntrack --ctstate NEW -j ACCEPT
kansaiuser
DD-WRT Novice


Joined: 08 May 2012
Posts: 11

PostPosted: Thu Nov 15, 2012 23:23    Post subject: Reply with quote
Thanks for that Steve!

but before I try that, just a couple of questions:

1. how do I undo those IP table changes?
2. do I put that in firewall script in gui (Administration -> Commands, -> Save Firewall)?
3. On the command that you posted, which IP do I change?
4. Do I need to change the ports in the command too? If so, what port should I put in?

Thanks in advance!
Display posts from previous:    Page 1 of 1
Post new topic   Reply to topic    DD-WRT Forum Index -> Atheros WiSOC based Hardware All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You cannot download files in this forum