kansaiuser DD-WRT Novice Joined: 08 May 2012 Posts: 11
Posted: Tue Jun 05, 2012 7:28 Post subject: OpenVPN - no internet access (r18777)
I'm trying to set up the OpenVPN server via the web GUI and route all traffic (including internet) from the client through the VPN. Here's the generated config file:
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
keepalive 10 120
verb 4
mute 5
log-append /var/log/openvpn
writepid /var/log/openvpnd.pid
management 127.0.0.1 5002
management-log-cache 50
mtu-disc yes
topology subnet
client-config-dir /tmp/openvpn/ccd
script-security 2
port 8152
proto tcp-server
cipher bf-cbc
auth sha1
tls-server
ifconfig-pool-persist /tmp/openvpn/ip-pool 86400
comp-lzo adaptive
client-to-client
push "redirect-gateway def1"
tls-cipher AES256-SHA
tcp-nodelay
tun-mtu 1500
server 10.10.10.0 255.255.255.0
dev tun0
passtos
and the client config:
client
dev tun
proto tcp
remote my-vpn-server-site 8152
resolv-retry 1
nobind
persist-key
persist-tun
route-method exe
route-delay 2
#redirect-gateway def1
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server
tls-cipher AES256-SHA
comp-lzo
verb 3
I can connect without a problem. Browsing the shared drive is not a problem either. Pinging other clients is OK as well. The only issue I have is no internet access. What am I doing wrong? I'm under the impression that in this version I don't have to touch the firewall settings or add startup scripts. Am I wrong, or did I miss something? Thank you in advance for the help!
Sash DD-WRT Guru Joined: 20 Sep 2006 Posts: 17619 Location: Hesse/Germany
kansaiuser DD-WRT Novice Joined: 08 May 2012 Posts: 11
Posted: Tue Jun 05, 2012 13:07 Post subject:
Code:
client
dev tun
proto tcp
remote my-vpn-server-site 8152
resolv-retry 1
nobind
persist-key
persist-tun
route-method exe
route-delay 2
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server
tls-cipher AES256-SHA
comp-lzo
verb 3
Thank you Sash for the input. However, I'm still getting the same result; I still can't access the internet. Here's the client log:
Code:
Tue Jun 05 20:53:39 2012 OpenVPN 2.2.2 Win32-MSVC++ [SSL] [LZO2] [PKCS11] built on Dec 15 2011
Tue Jun 05 20:53:39 2012 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Tue Jun 05 20:53:40 2012 LZO compression initialized
Tue Jun 05 20:53:40 2012 Control Channel MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
Tue Jun 05 20:53:40 2012 Socket Buffers: R=[8192->8192] S=[8192->8192]
Tue Jun 05 20:53:40 2012 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
Tue Jun 05 20:53:40 2012 Local Options hash (VER=V4): '69109d17'
Tue Jun 05 20:53:40 2012 Expected Remote Options hash (VER=V4): 'c0103fa8'
Tue Jun 05 20:53:40 2012 Attempting to establish TCP connection with my-vpn-server-site:8152
Tue Jun 05 20:53:40 2012 TCP connection established with my-vpn-server-site:8152
Tue Jun 05 20:53:40 2012 TCPv4_CLIENT link local: [undef]
Tue Jun 05 20:53:40 2012 TCPv4_CLIENT link remote: my-vpn-server-site:8152
Tue Jun 05 20:53:41 2012 TLS: Initial packet from my-vpn-server-site:8152, sid=25e1aca4 8bfbd408
Tue Jun 05 20:53:41 2012 VERIFY OK: depth=1, /C=PH/ST=Laguna/L=Binan/O=comCom/OU=orgOrg/CN=bahay/name=name_name/emailAddress=myemailadd@gmail.com
Tue Jun 05 20:53:41 2012 VERIFY OK: nsCertType=SERVER
Tue Jun 05 20:53:41 2012 VERIFY OK: depth=0, /C=PH/ST=Laguna/L=Binan/O=comCom/OU=orgOrg/CN=server/name=name_name/emailAddress=myemailadd@gmail.com
Tue Jun 05 20:53:41 2012 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Jun 05 20:53:41 2012 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jun 05 20:53:41 2012 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Jun 05 20:53:41 2012 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jun 05 20:53:41 2012 Control Channel: TLSv1, cipher TLSv1/SSLv3 AES256-SHA, 1024 bit RSA
Tue Jun 05 20:53:41 2012 [server] Peer Connection Initiated with my-vpn-server-site:8152
Tue Jun 05 20:53:44 2012 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Tue Jun 05 20:53:44 2012 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,route-gateway 10.10.10.1,topology subnet,ping 10,ping-restart 120,socket-flags TCP_NODELAY,ifconfig 10.10.10.2 255.255.255.0'
Tue Jun 05 20:53:44 2012 OPTIONS IMPORT: timers and/or timeouts modified
Tue Jun 05 20:53:44 2012 OPTIONS IMPORT: --socket-flags option modified
Tue Jun 05 20:53:44 2012 Socket flags: TCP_NODELAY=1 succeeded
Tue Jun 05 20:53:44 2012 OPTIONS IMPORT: --ifconfig/up options modified
Tue Jun 05 20:53:44 2012 OPTIONS IMPORT: route options modified
Tue Jun 05 20:53:44 2012 OPTIONS IMPORT: route-related options modified
Tue Jun 05 20:53:44 2012 ROUTE default_gateway=192.168.1.254
Tue Jun 05 20:53:44 2012 TAP-WIN32 device [Local Area Connection 2] opened: \\.\Global\{EE4A5993-8F99-4119-B143-775DC671B6B1}.tap
Tue Jun 05 20:53:44 2012 TAP-Win32 Driver Version 9.9
Tue Jun 05 20:53:44 2012 TAP-Win32 MTU=1500
Tue Jun 05 20:53:44 2012 Set TAP-Win32 TUN subnet mode network/local/netmask = 10.10.10.0/10.10.10.2/255.255.255.0 [SUCCEEDED]
Tue Jun 05 20:53:44 2012 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.10.10.2/255.255.255.0 on interface {EE4A5993-8F99-4119-B143-775DC671B6B1} [DHCP-serv: 10.10.10.254, lease-time: 31536000]
Tue Jun 05 20:53:44 2012 Successful ARP Flush on interface [23] {EE4A5993-8F99-4119-B143-775DC671B6B1}
Tue Jun 05 20:53:46 2012 TEST ROUTES: 1/1 succeeded len=0 ret=1 a=0 u/d=up
Tue Jun 05 20:53:46 2012 C:\WINDOWS\system32\route.exe ADD my-vpn-server-site MASK 255.255.255.255 192.168.1.254
OK!
Tue Jun 05 20:53:46 2012 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.10.10.1
OK!
Tue Jun 05 20:53:46 2012 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.10.10.1
OK!
Tue Jun 05 20:53:46 2012 Initialization Sequence Completed
Tue Jun 05 20:54:23 2012 TCP/UDP: Closing socket
Tue Jun 05 20:54:23 2012 C:\WINDOWS\system32\route.exe DELETE my-vpn-server-site MASK 255.255.255.255 192.168.1.254
OK!
Tue Jun 05 20:54:23 2012 C:\WINDOWS\system32\route.exe DELETE 0.0.0.0 MASK 128.0.0.0 10.10.10.1
OK!
Tue Jun 05 20:54:23 2012 C:\WINDOWS\system32\route.exe DELETE 128.0.0.0 MASK 128.0.0.0 10.10.10.1
OK!
Tue Jun 05 20:54:24 2012 Closing TUN/TAP interface
Tue Jun 05 20:54:24 2012 SIGTERM[hard,] received, process exiting
Appreciate anyone's help.
Sash DD-WRT Guru Joined: 20 Sep 2006 Posts: 17619 Location: Hesse/Germany
bigsteve101 DD-WRT Novice Joined: 15 Nov 2012 Posts: 4
Posted: Thu Nov 15, 2012 22:01 Post subject:
Try this; change the IPs to suit your network. Hope it works.
Code:
# chain names are case-sensitive: INPUT / FORWARD / POSTROUTING
# accept the OpenVPN listener on the router itself
iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT
# let the LAN subnet be forwarded
iptables -I FORWARD 1 --source 192.168.11.0/24 -j ACCEPT
# forward between the LAN bridge and the VPN tunnel in both directions
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
# NAT the VPN subnet and the LAN subnet out of the WAN interface (ppp0)
iptables -t nat -A POSTROUTING -s 10.108.0.0/24 -o ppp0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o ppp0 -s 192.168.11.0/24 -j MASQUERADE
# allow new connections from VPN clients out to the WAN
iptables -I FORWARD -i tun0 -o ppp0 -s 10.108.0.0/24 -m conntrack --ctstate NEW -j ACCEPT
kansaiuser DD-WRT Novice Joined: 08 May 2012 Posts: 11
Posted: Thu Nov 15, 2012 23:23 Post subject:
Thanks for that Steve!
But before I try that, just a couple of questions:
1. How do I undo those iptables changes?
2. Do I put that in the firewall script in the GUI (Administration -> Commands -> Save Firewall)?
3. In the command that you posted, which IP do I change?
4. Do I need to change the ports in the command too? If so, what port should I put in?
Thanks in advance!
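Added example, not code from any post in this thread: a DD-WRT firewall script built around the values the server config above actually uses (dev tun0, server 10.10.10.0/24, proto tcp on port 8152) rather than the UDP 1194 and 10.108.0.0/24 in Steve's rules. The WAN interface name (ppp0, as in Steve's post) and the LAN bridge name (br0) are assumptions; the same rule list is rendered as `apply` commands for Save Firewall and as `undo` commands to remove them again.

```shell
#!/bin/sh
# Added example, not from this thread. Values from the server config above:
# tun0, 10.10.10.0/24, TCP 8152. WAN_IF and LAN_IF are assumptions: ppp0 is the
# PPPoE WAN as in Steve's post (check `route -n` for the interface carrying the
# default route); br0 is the DD-WRT LAN bridge.
VPN_IF="tun0"
VPN_NET="10.10.10.0/24"
VPN_PORT="8152"
VPN_PROTO="tcp"
WAN_IF="${WAN_IF:-ppp0}"
LAN_IF="${LAN_IF:-br0}"

# One rule per line as "<table> <chain> <match and target>", so the same list
# can be applied (-I at position 1, ahead of DD-WRT's own rules) and undone (-D).
# The nat POSTROUTING line is the one the OP's setup is missing: without it the
# router never translates 10.10.10.0/24 to its WAN address.
vpn_rules() {
  cat <<EOF
filter INPUT -i $WAN_IF -p $VPN_PROTO --dport $VPN_PORT -j ACCEPT
filter FORWARD -i $VPN_IF -o $WAN_IF -s $VPN_NET -j ACCEPT
filter FORWARD -i $WAN_IF -o $VPN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
filter FORWARD -i $VPN_IF -o $LAN_IF -s $VPN_NET -j ACCEPT
filter FORWARD -i $LAN_IF -o $VPN_IF -j ACCEPT
nat POSTROUTING -s $VPN_NET -o $WAN_IF -j MASQUERADE
EOF
}

# Render full iptables commands for "apply" or "undo"; nothing is executed here,
# so the output can be reviewed before it touches the router.
vpn_commands() {
  vpn_rules | while read -r table chain spec; do
    case "$1" in
      apply) echo "iptables -t $table -I $chain 1 $spec" ;;
      undo)  echo "iptables -t $table -D $chain $spec" ;;
    esac
  done
}

# "apply" is what goes into Administration -> Commands -> Save Firewall;
# "undo" deletes exactly the same rules again; no argument just prints them.
case "${1:-show}" in
  apply|undo) vpn_commands "$1" | while read -r cmd; do eval "$cmd"; done ;;
  show)       vpn_commands apply ;;
esac
```

Running the script with no argument prints the rules it would add, which is the safe way to check interface names before pasting the `apply` form into Save Firewall.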