OpenVPN Server using port 443

DD-WRT Forum Index -> Advanced Networking
scorpio_oz
DD-WRT Novice


Joined: 30 Oct 2014
Posts: 2

Posted: Thu Oct 30, 2014 22:14    Post subject: OpenVPN Server using port 443
I am having difficulty getting OpenVPN Server going on my ASUS Nighthawk router running DD-WRT v24 sp2 Kong build when using port 443. OpenVPN is running as a daemon using port 1194 just fine. But as soon as I change it to tcp 443 the OpenVPN client logs show that the connection is refused.

Thu Oct 30 22:09:58 2014 us=442688 TCP: connect to [AF_INET]X.X.X.X:443 failed, will try again in 5 seconds: Connection refused (WSAECONNREFUSED)
Thu Oct 30 22:10:03 2014 us=456299 MANAGEMENT: >STATE:1414667403,RESOLVE,,,
Thu Oct 30 22:10:03 2014 us=456299 MANAGEMENT: >STATE:1414667403,TCP_CONNECT,,,
Thu Oct 30 22:10:04 2014 us=581859 TCP: connect to [AF_INET]X.X.X.X:443 failed, will try again in 5 seconds: Connection refused (WSAECONNREFUSED)
Thu Oct 30 22:10:09 2014 us=629940 MANAGEMENT: >STATE:1414667409,RESOLVE,,,

I have added in the additional iptables rule into the commands tab under administration. Confirmed input rule is in place using iptables -vnL. Confirmed OpenVPN is listening on tcp 443 by running netstat. I see https listening for tcp traffic. DD-WRT web admin is only using port 80, no port 443 either.

Anyone have any ideas?
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6856
Location: Romerike, Norway

Posted: Sat Nov 01, 2014 13:47
Use UDP for OpenVPN, not TCP. You will have reduced throughput due to double end to end control.
scorpio_oz
DD-WRT Novice


Joined: 30 Oct 2014
Posts: 2

Posted: Sun Nov 02, 2014 2:41
So I changed to udp as suggested and immediately the client connected to the server. I understood the overhead but didn't think to try udp. I figured it was an iptables issue. Thanks for the suggestion! Often the simple things that fix problems eh.
A340
DD-WRT Novice


Joined: 23 Oct 2007
Posts: 41

Posted: Mon Jan 26, 2015 8:52    Post subject: DD-WRT Kong built OpenVPN server
Hi, also need help setting this up. I use an E1200 with Kong 22000++ build but cannot get it to run for life.

Made all the certificates and keys, in setup as UDP, main open VPN Port on ISP main router, set it as server not daemon.
I am not sure if under Network I put the VPN IP address it will hand out to the clients, or another IP address.

And I made the iptables but not able to get it going. Any help I would appreciate, thanks.
A340
DD-WRT Novice


Joined: 23 Oct 2007
Posts: 41

Posted: Thu Feb 05, 2015 10:38
Well after one week racking my head still cannot get the VPN Server to give internet.

I can connect to the server fine, when I am on 3G or at a cafe getting some drop out and time out happening.

But the server is not giving any internet.

Here are the settings:

Under "additional config"

#OpenVPN Server conf

keepalive 10 60
push "dhcp-option DOMAIN fair.homeip.net"
push "route 10.107.237.1 255.255.255.0"
max-clients 100
persist-tun
persist-key
verb 3

This is what is happening when I connect with the client:


Thu Feb 05 14:12:28 2015 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Thu Feb 05 14:12:28 2015 Local Options hash (VER=V4): '41690919'
Thu Feb 05 14:12:28 2015 Expected Remote Options hash (VER=V4): '530fdded'
Thu Feb 05 14:12:28 2015 Socket Buffers: R=[8192->8192] S=[64512->64512]
Thu Feb 05 14:12:28 2015 UDPv4 link local: [undef]
Thu Feb 05 14:12:28 2015 UDPv4 link remote: 180.44.181.133:1194
Thu Feb 05 14:12:28 2015 TLS: Initial packet from 180.44.181.133:1194, sid=c02c77b5 9225c357
Thu Feb 05 14:12:29 2015 VERIFY OK: depth=1, /C=US/ST=NY/L=NY/O=NY/OU=NY/CN=NY_VPN/emailAddress=jp@gmail.com
Thu Feb 05 14:12:29 2015 VERIFY OK: nsCertType=SERVER
Thu Feb 05 14:12:29 2015 VERIFY OK: depth=0, /C=US/ST=NY/O=NY/OU=NY/CN=server/emailAddress=jp@gmail.com
Thu Feb 05 14:12:31 2015 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1542', remote='link-mtu 1558'
Thu Feb 05 14:12:31 2015 WARNING: 'cipher' is used inconsistently, local='cipher BF-CBC', remote='cipher AES-256-CBC'
Thu Feb 05 14:12:31 2015 WARNING: 'keysize' is used inconsistently, local='keysize 128', remote='keysize 256'
Thu Feb 05 14:12:31 2015 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Feb 05 14:12:31 2015 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Feb 05 14:12:31 2015 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Feb 05 14:12:31 2015 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Feb 05 14:12:31 2015 Control Channel: TLSv1, cipher TLSv1/SSLv3 AES128-SHA, 1024 bit RSA
Thu Feb 05 14:12:31 2015 [server] Peer Connection Initiated with 180.44.181.133:1194
Thu Feb 05 14:12:34 2015 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Thu Feb 05 14:12:34 2015 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DOMAIN fair.home.net,route 10.107.237.1 255.255.255.0,route-gateway 10.107.237.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.107.237.2 255.255.255.0'
Thu Feb 05 14:12:34 2015 OPTIONS IMPORT: timers and/or timeouts modified
Thu Feb 05 14:12:34 2015 OPTIONS IMPORT: --ifconfig/up options modified
Thu Feb 05 14:12:34 2015 OPTIONS IMPORT: route options modified
Thu Feb 05 14:12:34 2015 OPTIONS IMPORT: route-related options modified
Thu Feb 05 14:12:34 2015 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Thu Feb 05 14:12:34 2015 ROUTE default_gateway=192.168.2.1
Thu Feb 05 14:12:34 2015 TAP-WIN32 device [Local Area Connection 12] opened: \\.\Global\{4231C476-3FA6-4A42-9C39-D2E98D1BFDDF}.tap
Thu Feb 05 14:12:34 2015 TAP-Win32 Driver Version 9.6
Thu Feb 05 14:12:34 2015 TAP-Win32 MTU=1500
Thu Feb 05 14:12:34 2015 Set TAP-Win32 TUN subnet mode network/local/netmask = 10.107.237.0/10.107.237.2/255.255.255.0 [SUCCEEDED]
Thu Feb 05 14:12:34 2015 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.107.237.2/255.255.255.0 on interface {4231C476-3FA6-4A42-9C39-D2E98D1BFDDF} [DHCP-serv: 10.107.237.254, lease-time: 31536000]
Thu Feb 05 14:12:34 2015 Successful ARP Flush on interface [5] {4231C476-3FA6-4A42-9C39-D2E98D1BFDDF}
Thu Feb 05 14:12:39 2015 TEST ROUTES: 2/2 succeeded len=1 ret=1 a=0 u/d=up
Thu Feb 05 14:12:39 2015 C:\WINDOWS\system32\route.exe ADD 180.44.181.133 MASK 255.255.255.255 192.168.2.1
Thu Feb 05 14:12:39 2015 Route addition via IPAPI succeeded [adaptive]
Thu Feb 05 14:12:39 2015 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.107.237.1
Thu Feb 05 14:12:39 2015 Route addition via IPAPI succeeded [adaptive]
Thu Feb 05 14:12:39 2015 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.107.237.1
Thu Feb 05 14:12:39 2015 Route addition via IPAPI succeeded [adaptive]
Thu Feb 05 14:12:39 2015 C:\WINDOWS\system32\route.exe ADD 10.107.237.1 MASK 255.255.255.0 10.107.237.1
Thu Feb 05 14:12:39 2015 Warning: address 10.107.237.1 is not a network address in relation to netmask 255.255.255.0
Thu Feb 05 14:12:39 2015 ROUTE: route addition failed using CreateIpForwardEntry: The parameter is incorrect. [status=87 if_index=5]
Thu Feb 05 14:12:39 2015 Route addition via IPAPI failed [adaptive]
Thu Feb 05 14:12:39 2015 Route addition fallback to route.exe
Thu Feb 05 14:12:39 2015 Initialization Sequence Completed
Thu Feb 05 14:12:44 2015 Authenticate/Decrypt packet error: cipher final failed
Thu Feb 05 14:12:54 2015 Authenticate/Decrypt packet error: cipher final failed
Thu Feb 05 14:13:04 2015 Authenticate/Decrypt packet error: cipher final failed
Thu Feb 05 14:13:14 2015 Authenticate/Decrypt packet error: cipher final failed
Thu Feb 05 14:13:24 2015 Authenticate/Decrypt packet error: cipher final failed
Thu Feb 05 14:13:33 2015 Authenticate/Decrypt packet error: cipher final failed
Thu Feb 05 14:13:34 2015 [server] Inactivity timeout (--ping-restart), restarting
Thu Feb 05 14:13:34 2015 TCP/UDP: Closing socket
Thu Feb 05 14:13:34 2015 C:\WINDOWS\system32\route.exe DELETE 10.107.237.1 MASK 255.255.255.0 10.107.237.1
Thu Feb 05 14:13:34 2015 ROUTE: route deletion failed using DeleteIpForwardEntry: The parameter is incorrect.
Thu Feb 05 14:13:34 2015 Route deletion via IPAPI failed [adaptive]
Thu Feb 05 14:13:34 2015 Route deletion fallback to route.exe
Thu Feb 05 14:13:34 2015 C:\WINDOWS\system32\route.exe DELETE 180.44.181.133 MASK 255.255.255.255 192.168.2.1
Thu Feb 05 14:13:34 2015 Route deletion via IPAPI succeeded [adaptive]
Thu Feb 05 14:13:34 2015 C:\WINDOWS\system32\route.exe DELETE 0.0.0.0 MASK 128.0.0.0 10.107.237.1
Thu Feb 05 14:13:34 2015 Route deletion via IPAPI succeeded [adaptive]
Thu Feb 05 14:13:34 2015 C:\WINDOWS\system32\route.exe DELETE 128.0.0.0 MASK 128.0.0.0 10.107.237.1
Thu Feb 05 14:13:34 2015 Route deletion via IPAPI succeeded [adaptive]
Thu Feb 05 14:13:34 2015 Closing TUN/TAP interface
Thu Feb 05 14:13:51 2015 Authenticate/Decrypt packet error: cipher final failed


eibgrad

Hope you can assist with getting this running. I have no iptable rule set. Thanks
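
Added example, not part of the thread and not DD-WRT or OpenVPN code: a small Python audit of an OpenVPN client log like the one posted above. It collects the "used inconsistently" option warnings, checks pushed routes for host bits set in the address, and counts the "Authenticate/Decrypt packet error" lines that follow. The function name, report keys and abridged sample lines are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: abridged lines in the format of the client log quoted above.
SAMPLE_LOG = """\
Thu Feb 05 14:12:31 2015 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1542', remote='link-mtu 1558'
Thu Feb 05 14:12:31 2015 WARNING: 'cipher' is used inconsistently, local='cipher BF-CBC', remote='cipher AES-256-CBC'
Thu Feb 05 14:12:31 2015 WARNING: 'keysize' is used inconsistently, local='keysize 128', remote='keysize 256'
Thu Feb 05 14:12:34 2015 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,route 10.107.237.1 255.255.255.0,route-gateway 10.107.237.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.107.237.2 255.255.255.0'
Thu Feb 05 14:12:44 2015 Authenticate/Decrypt packet error: cipher final failed
Thu Feb 05 14:12:54 2015 Authenticate/Decrypt packet error: cipher final failed
"""

# Option name is captured once and must repeat inside local='...' and remote='...'.
MISMATCH = re.compile(r"WARNING: '([\w-]+)' is used inconsistently, "
                      r"local='\1 ([^']*)', remote='\1 ([^']*)'")
# Matches "route <addr> <mask>" but not "route-gateway <addr>".
PUSHED_ROUTE = re.compile(r"[',]route (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)")


def audit_client_log(text):
    """Return option mismatches, malformed pushed routes and decrypt-error count."""
    report = {"mismatches": {}, "bad_routes": [], "decrypt_errors": 0}
    for line in text.splitlines():
        m = MISMATCH.search(line)
        if m:
            report["mismatches"][m.group(1)] = (m.group(2), m.group(3))
        if "PUSH_REPLY" in line:
            for addr, mask in PUSHED_ROUTE.findall(line):
                try:
                    ipaddress.ip_network(f"{addr}/{mask}", strict=True)
                except ValueError:
                    # Host bits are set; record the network address that fits the mask.
                    fixed = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
                    report["bad_routes"].append((f"{addr} {mask}", str(fixed)))
        if "Authenticate/Decrypt packet error" in line:
            report["decrypt_errors"] += 1
    # Decrypt failures after a cipher/keysize mismatch point at the
    # data-channel settings rather than at routing or iptables.
    report["cipher_mismatch_likely"] = (
        report["decrypt_errors"] > 0
        and bool({"cipher", "keysize"} & report["mismatches"].keys()))
    return report


if __name__ == "__main__":
    for key, value in audit_client_log(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the sample it reports the BF-CBC versus AES-256-CBC mismatch alongside the decrypt errors, and flags the pushed route "10.107.237.1 255.255.255.0", for which the matching network address is 10.107.237.0/24.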
A340
DD-WRT Novice


Joined: 23 Oct 2007
Posts: 41

Posted: Thu Feb 05, 2015 20:40    Post subject: Server Page settings
Here are the server page settings
A340
DD-WRT Novice


Joined: 23 Oct 2007
Posts: 41

Posted: Thu Feb 05, 2015 23:45
Yes, that is correct, I used easy-rsa to generate the certificates and keys.