vpntunnel.se & DD-WRT v24-sp2 18024 Openvpn client probl

heckheck
DD-WRT Novice


Joined: 07 Apr 2012
Posts: 5

Posted: Mon May 14, 2012 11:44
Quote:
However, I got it working after all, but it's not smooth and locks me up with an active PuTTY.

I can see the PUSH_REPLY with the DHCP option is different on the successful try than on the failed one, as you said before.


I had rebooted my router dozens of times over the last few months and yesterday was the first time I ran into the bad DHCP line. I think they have some misconfiguration on some servers. I think I'll send an e-mail to support.

Quote:
Could we somehow add to the code that it retries connecting until it gets the proper reply on this dhcp-option, or some better ideas?


It should be fairly straightforward to parse the output of the call to openvpn in the subshell and retry from within the script. This would be a good addition, as you say, to get the connection up the first time. The script is not, however, designed to monitor (it exits).

Quote:
Or trigger on when process is dead start it?

This is harder since what is needed here is a keepalive process monitor. I'm not sure if DD-WRT has such a facility currently. Actually I'm not sure the openvpn process even dies when the connection dies (I've never bothered to check), so it could be harder still. This is arguably much more valuable, since the connection does go down occasionally and nothing is there to restart it. This leaves you open to establishing connections that are not in the VPN (something most people want to avoid). I get around that problem by using MAC based access restrictions on the traffic from this secondary router that is behind my main router (allowing only VPN traffic out from the VPN router's MAC), but I still have to restart the VPN router to get the tunnel back up and working.
nucce
DD-WRT Novice


Joined: 13 May 2012
Posts: 3

Posted: Sun May 27, 2012 11:32
Hi, now there are no longer any issues connecting to the VPN, but as soon as OpenVPN is established with the server I can't browse the web anymore, so now it seems to be a problem with my routing table and I don't know how to tweak it to get it fixed.

Just to be clear, I've got these lines in my firewall config.
Code:
iptables -I FORWARD -i br0 -o tap0 -j ACCEPT
iptables -I FORWARD -i tap0 -o br0 -j ACCEPT
iptables -I INPUT -i tap0 -j REJECT
iptables -t nat -A POSTROUTING -o tap0 -j MASQUERADE


This is from my log.txt file with a successful connection to the server:
Code:
Sun May 27 13:04:08 2012 us=57669 [server] Peer Connection Initiated with 178.73.212.230:1194
Sun May 27 13:04:10 2012 us=542056 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Sun May 27 13:04:10 2012 us=554597 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 80.67.0.2,dhcp-option DNS 91.213.246.2,redirect-gateway def1,route 10.99.0.1,topology net30,ping 10,ping-restart 160,ifconfig 10.99.0.162 10.99.0.161'
Sun May 27 13:04:10 2012 us=555081 OPTIONS IMPORT: timers and/or timeouts modified
Sun May 27 13:04:10 2012 us=555162 OPTIONS IMPORT: --ifconfig/up options modified
Sun May 27 13:04:10 2012 us=555212 OPTIONS IMPORT: route options modified
Sun May 27 13:04:10 2012 us=555263 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sun May 27 13:04:10 2012 us=556822 TUN/TAP device tun0 opened
Sun May 27 13:04:10 2012 us=556965 TUN/TAP TX queue length set to 100
Sun May 27 13:04:10 2012 us=557187 /sbin/ifconfig tun0 10.99.0.162 pointopoint 10.99.0.161 mtu 1500
Sun May 27 13:04:10 2012 us=563435 /sbin/route add -net 178.73.212.230 netmask 255.255.255.255 gw 46.59.34.1
Sun May 27 13:04:10 2012 us=571427 /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.99.0.161
Sun May 27 13:04:10 2012 us=582158 /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.99.0.161
Sun May 27 13:04:10 2012 us=586253 /sbin/route add -net 10.99.0.1 netmask 255.255.255.255 gw 10.99.0.161
Sun May 27 13:04:10 2012 us=589627 Initialization Sequence Completed


And here is a print of my routing table:
Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         10.99.0.161     128.0.0.0       UG    0      0        0 tun0
default         gw7.a236.priv.b 0.0.0.0         UG    0      0        0 eth1
10.99.0.1       10.99.0.161     255.255.255.255 UGH   0      0        0 tun0
10.99.0.161     *               255.255.255.255 UH    0      0        0 tun0
46.59.34.0      *               255.255.254.0   U     0      0        0 eth1
46.59.34.1      *               255.255.255.255 UH    0      0        0 eth1
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
128.0.0.0       10.99.0.161     128.0.0.0       UG    0      0        0 tun0
169.254.0.0     *               255.255.0.0     U     0      0        0 br0
178.73.212.230  gw7.a236.priv.b 255.255.255.255 UGH   0      0        0 eth1
192.168.0.0     *               255.255.255.0   U     0      0        0 br0



Can someone see what my issue is?

Full regards.
chrono280
DD-WRT Novice


Joined: 17 Jan 2013
Posts: 2

Posted: Thu Jan 17, 2013 13:19
Having the same issue as above. I am able to connect to vpntunnel.se using my USER/PASS/CERT and going to a slightly different server than the script:

Code:
#!/bin/sh

USERNAME="YOUR_USERNAME"
PASSWORD="YOUR_PASSWORD" # Your USER_PASSWORD
PROTOCOL="udp" # udp / tcp MUST BE lower case

# Add - delete - edit servers
REMOTE_SERVERS="
remote melissa.vpntunnel.se 10010
remote melissa.vpntunnel.se 1194
remote melissa.vpntunnel.se 10020
"
# Static port forwarding rules
# protocol from_port local_ip:to_port
#
# EXAMPLE
#PORT_FORWARDING="
#tcp 20000 10.1.1.100:20000
#udp 20000 10.1.1.100:20000
#tcp 30000 10.1.1.100:30000
#tcp 30001 10.1.1.101:30001
#"
#
PORT_FORWARDING=""

CA_CRT='-----BEGIN CERTIFICATE-----
<SNIP -- get from your account paste here>
-----END CERTIFICATE-----'

#### DO NOT CHANGE below this line ####

CLIENT_CRT=''

CLIENT_KEY=''

VPN_BRIDGING="#!/bin/sh
iptables -I FORWARD -i br0 -o tap0 -j ACCEPT
iptables -I FORWARD -i tap0 -o br0 -j ACCEPT
iptables -I INPUT -i tap0 -j REJECT
iptables -t nat -A POSTROUTING -o tap0 -j MASQUERADE"

VPN_CONFIG="script-security 2
client
float
dev tap
proto $PROTOCOL
nobind
tls-client
ca /tmp/vpntunnelse/ca.crt
ns-cert-type server
push \"dhcp-option DNS 80.67.0.2\"
push \"dhcp-option DNS 91.213.246.2\"
auth-user-pass /tmp/vpntunnelse/userpass.conf
remote-random
$REMOTE_SERVERS
persist-key
persist-tun
comp-lzo
verb 3
log /tmp/vpntunnelse/log.txt"


OPVPNENABLE=`nvram get openvpncl_enable | awk '$1 == "0" {print $1}'`

if [ "$OPVPNENABLE" != 0 ]
then
    nvram set openvpncl_enable=0
    nvram commit
fi

sleep 10
mkdir /tmp/vpntunnelse; cd /tmp/vpntunnelse
echo -e "$USERNAME\n$PASSWORD" > userpass.conf
echo "$CA_CRT" > ca.crt; echo "$CLIENT_CRT" > client.crt
echo "$CLIENT_KEY" > client.key
echo -e "#!/bin/sh\nstartservice set_routes" > route-up.sh
echo -e "#!/bin/sh\nsleep 2" > route-down.sh
echo "$VPN_BRIDGING" > /tmp/vpntunnelse/firewall.sh
echo "$PORT_FORWARDING" | awk '{c=split($0, s); \
    if (c==3) print "iptables -t nat -A PREROUTING -i tap0 -p " \
    s[1] " --dport " s[2] " -j DNAT --to " s[3]}' \
    >> /tmp/vpntunnelse/firewall.sh
chmod 644 ca.crt client.crt
chmod 600 client.key userpass.conf
chmod 700 route-up.sh route-down.sh
chmod 700 /tmp/vpntunnelse/firewall.sh
(/tmp/vpntunnelse/firewall.sh) &
sleep 10
echo "$VPN_CONFIG" > openvpn.conf
(killall openvpn; openvpn --config /tmp/vpntunnelse/openvpn.conf \
    --route-up /tmp/vpntunnelse/route-up.sh \
    --down-pre /tmp/vpntunnelse/route-down.sh) &
exit 0

I get the Initialization Sequence Completed message but I cannot browse at all.

Is it a problem with the routing table / firewall script? I'm a DDWRT noob and am new to routing table jargon as well.

Thanks in advance.
tkaub
DD-WRT Novice


Joined: 22 Mar 2013
Posts: 1

Posted: Fri Mar 22, 2013 9:59
Hi Guys,
I'm having the same problem, I'm using the same code posted above (with the "float") and have no web activity. Did it work with anyone else?
Kind Regards
T.
frahir
DD-WRT Novice


Joined: 08 Apr 2013
Posts: 1

Posted: Tue Apr 09, 2013 0:12
Hi guys,
If it can help someone:


I had the same problem (VPN was connected but couldn't browse the web), now resolved with these settings by changing tap to tun:

VPN_CONFIG :

"dev tun"

FIREWALL_CONFIG
Code:
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
iptables -I INPUT -i tun0 -j REJECT
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

Immediately after changing these settings, the network worked very well!

Regards,
frahir
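An added check, not code from anyone in this thread, that reads the kind of log lines nucce quoted together with the posted iptables rules and reports the tap0-versus-tun0 mismatch that frahir's change resolves; it also tests heckheck's retry condition (did the PUSH_REPLY carry a dhcp-option DNS?). The sample log and rules are constructed copies of the lines above; the path /tmp/vpntunnelse is the thread's own.

```shell
#!/bin/sh
# Added example: compare the interface OpenVPN really opened with the interface
# the firewall rules were written for. Sample data constructed from this thread.
# Constructed excerpt of /tmp/vpntunnelse/log.txt: DNS is pushed, tun0 is opened.
SAMPLE_LOG=$(cat <<'EOF'
Sun May 27 13:04:10 2012 us=554597 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 80.67.0.2,dhcp-option DNS 91.213.246.2,redirect-gateway def1,route 10.99.0.1,topology net30,ping 10,ping-restart 160,ifconfig 10.99.0.162 10.99.0.161'
Sun May 27 13:04:10 2012 us=556822 TUN/TAP device tun0 opened
Sun May 27 13:04:10 2012 us=589627 Initialization Sequence Completed
EOF
)
# The firewall rules as posted, which are written for tap0.
SAMPLE_RULES=$(cat <<'EOF'
iptables -I FORWARD -i br0 -o tap0 -j ACCEPT
iptables -I FORWARD -i tap0 -o br0 -j ACCEPT
iptables -I INPUT -i tap0 -j REJECT
iptables -t nat -A POSTROUTING -o tap0 -j MASQUERADE
EOF
)
# frahir's fix: the same rules using the interface OpenVPN actually creates.
FIXED_RULES=$(printf '%s\n' "$SAMPLE_RULES" | sed 's/tap0/tun0/g')

# Interface OpenVPN opened, from the last "TUN/TAP device X opened" line.
log_device() {
    printf '%s\n' "$1" | sed -n 's/.*TUN\/TAP device \([A-Za-z0-9]*\) opened.*/\1/p' | tail -n 1
}
# True when the PUSH_REPLY carried at least one "dhcp-option DNS"
# (heckheck's suggested condition for retrying the connection).
push_has_dns() {
    printf '%s\n' "$1" | grep -q 'PUSH_REPLY.*dhcp-option DNS'
}
# Every tun/tap interface the rules name after -i or -o, deduplicated.
rule_vpn_ifaces() {
    printf '%s\n' "$1" \
        | awk '{ for (i = 1; i < NF; i++) if ($i == "-i" || $i == "-o") print $(i + 1) }' \
        | grep -E '^(tun|tap)[0-9]+$' | sort -u
}
# 0: rules name exactly the opened device. 1: they name another tun/tap
# interface (this thread's tap0 vs tun0, so MASQUERADE and the FORWARD accepts
# never match and nothing behind the router can browse). 2: no device in log.
rules_match_log() {
    dev=$(log_device "$1")
    [ -n "$dev" ] || return 2
    for iface in $(rule_vpn_ifaces "$2"); do
        [ "$iface" = "$dev" ] || return 1
    done
    return 0
}

if rules_match_log "$SAMPLE_LOG" "$SAMPLE_RULES"; then
    echo "OK: rules use $(log_device "$SAMPLE_LOG")"
else
    echo "MISMATCH: OpenVPN opened $(log_device "$SAMPLE_LOG"), rules use $(rule_vpn_ifaces "$SAMPLE_RULES" | tr '\n' ' ')"
fi
```

On the router the same functions can be fed `cat /tmp/vpntunnelse/log.txt` and `cat /tmp/vpntunnelse/firewall.sh` instead of the constructed samples.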