[DIY] Configure OpenVPN on newer releases DD-WRT (GUI Style)

Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Broadcom SoC based Hardware
Goto page Previous  1, 2, 3
Author Message
can't flash

Joined: 14 Jan 2010
Posts: 70
Location: Michigan, USA

PostPosted: Mon Aug 19, 2013 21:19    Post subject: dd-wrt openvpn not resolving remote DNS [updated] Reply with quote
UPDATE: Seem to have found success by adding the following rule to iptables with the address changed to match my vpn subnet settings
iptables -t nat -A POSTROUTING -s -j MASQUERADE

Sorry for jumping the gun on a forum post w/o first exhausting options. As I mention below though, this command was not necessary with my previous EKO build (17084) and I'm not savy enough to see what may have changed in how dd-wrt handles firewall commands.

I recently upgraded to a kongmod with VPN. After restoring my settings, I am running into an old error whereby DNS queries from VPN clients will not resolve through the VPN server. Before I simply had the following in my dnsmasq options:

Now it seems that newer firmware is using tun2; however, when changing the above code to reflect that, I am still not able to resolve resolve DNS queries. Has anyone run into this problem? What changed between newer and older firmware that would cause resolution issue to crop up again? Several forum postings suggest adding rules to iptables but this was never necessary for me...only the dnsmasq option listed above. Any suggestions here?
Linksys E3000
DD-WRT v3.0-r31277 mega
Release: 02/17/2017 (SVN revision: 31277)

Netgear R7000
DD-WRT v3.0-r29300M kongac
Release: 03/30/2016 (SVN revision: 29300)
DD-WRT Novice

Joined: 19 Nov 2014
Posts: 2

PostPosted: Wed Nov 19, 2014 17:37    Post subject: Reply with quote
Hi. First time poster and pretty new to dd-wrt, and I was hoping I could get a bit of a hand with OpenVPN. I got dd-wrt onto my router just fine, and tried all sorts of different configurations with my OpenVPN and firewall settings. I narrowed down the problem to that my port (1194) seems to be blocked.

The router is a Netgear AC1450 running a DD-WRT v24-sp2 (10/08/14) kongac.

I'm trying to set this up as a bridge, per the guide. My router is, and it assigns addresses .2 to .50 to ethernet and WiFi users.

My Firewall is saved with:
iptables -A INPUT -i tap0 -j ACCEPT
iptables -I INPUT -p udp --dport 1194 -j ACCEPT

My Additional config reads:
mode server
proto udp
port 1194
dev tap0
 # Gateway (VPN Server)   Subnetmask   Start-IP   End-IP
keepalive 10 120
verb 5
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem

So after I OpenVPN would fail without giving me any info, I tried a telnet test and it failed. I tried other ports (such as the one forwarded for SSH) and that succeeded just fine. I considered the possibility that my ISP blocked 1194 and tried a different port, but that failed all the same (and, when I forwarded 1194 to the SSH server, that succeeded). So it's not the ISP and it's definitely something in the router configuration for that specific port.

I'd appreciate any help that someone can lend me, because with those lines, I can't think of anything else that might cause telnet to just miss the port.

(Obviously, if I can provide any info that might help solve the problem, I'd be glad to do so.)

Joined: 28 Oct 2012
Posts: 132

PostPosted: Fri Nov 21, 2014 14:35    Post subject: Reply with quote
Hi idv, this is what I have configured on mine (Buffalo WZR-D1800H) and it works great. See screenshots.

This is my config file (client):

remote-cert-tls server
remote "<your hostname/ip here>" 443
dev tun2
proto tcp
resolv-retry infinite
verb 3
ca ca.crt
cert client.crt
key client.key
cipher AES-256-CBC

 Filesize:  34.85 KB
 Viewed:  3310 Time(s)


 Filesize:  62.81 KB
 Viewed:  3310 Time(s)


DD-WRT Novice

Joined: 19 Nov 2014
Posts: 2

PostPosted: Wed Dec 03, 2014 12:38    Post subject: Reply with quote

That solution worked almost perfectly. Immediately after inputting this (with my own keys, of course), I could resolve a connection and got an address in the 192.168.44.x range and was considered in-network for most purposes. Unfortunately, I couldn't connect to the internet at this point, but all I had to do after was change the server mode from "TUN" to "TAP" and the config line from "dev tun2" to "dev tap 2" and everything worked.

Thank you very much. This ended a lot of frustration.

Now my only issue is with my rather lackluster "broadband" speeds.
Goto page Previous  1, 2, 3 Display posts from previous:    Page 3 of 3
Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Broadcom SoC based Hardware All times are GMT


Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum