VyprVPN + OpenVPN + dd-wrt

Kosta
DD-WRT Novice
Joined: 02 Apr 2012
Posts: 11

PostPosted: Tue Apr 03, 2012 22:30    Post subject: VyprVPN + OpenVPN + dd-wrt
Hello,

So, my first post got deleted, and with good grounds. I didn't read the sticky. Oh well :(

Now, I *hope* someone here can help me.

First and foremost what I'm attempting here is way ahead of me and my knowledge, but I would still like to resolve it, because it's quite an important issue, not only for fun or the sake of doing it.

I have a Linksys WRT320N router with latest firmware:
DD-WRT v24-sp2 (12/08/11) big - build 17990M NEWD-2 K2.6 Eko

I have a Giganews account, which is giving me access to OpenVPN (I tried PPTP, but it's abysmally slow compared to OpenVPN).

I tried setting it up in Windows, which works flawlessly, but I have 4 devices at home, of which some are also mobile devices, and I need everything under the VPN connection (security reasons).

There is no official support from Giganews, but I don't believe it's impossible to set up.

According to this thread, it should be working, but it doesn't for me under these conditions:
http://www.dd-wrt.com/phpBB2/viewtopic.php?t=142424&highlight=vyprvpn
scroll down to the post explaining the setup.

Now, since I've been trying this helplessly for the last 2 days, I learned one thing or another, but still not quite enough to set it up correctly.

I would really appreciate it if someone could explain to me how I could set it up, or talk me through it - I ain't stupid, but I don't know networking all that well.

If this helps, this is the log in Windows, when OpenVPN connects:

Wed Apr 04 00:18:22 2012 OpenVPN 2.2.2 Win32-MSVC++ [SSL] [LZO2] [PKCS11] built on Dec 15 2011
Wed Apr 04 00:18:22 2012 WARNING: Make sure you understand the semantics of --tls-remote before using it (see the man page).
Wed Apr 04 00:18:22 2012 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Wed Apr 04 00:18:22 2012 LZO compression initialized
Wed Apr 04 00:18:22 2012 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Wed Apr 04 00:18:22 2012 Socket Buffers: R=[8192->8192] S=[64512->64512]
Wed Apr 04 00:18:22 2012 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Wed Apr 04 00:18:22 2012 Local Options hash (VER=V4): '41690919'
Wed Apr 04 00:18:22 2012 Expected Remote Options hash (VER=V4): '530fdded'
Wed Apr 04 00:18:22 2012 UDPv4 link local: [undef]
Wed Apr 04 00:18:22 2012 UDPv4 link remote: 138.199.67.147:1194
Wed Apr 04 00:18:22 2012 TLS: Initial packet from 138.199.67.147:1194, sid=efe25aba e3916111
Wed Apr 04 00:18:22 2012 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Wed Apr 04 00:18:22 2012 VERIFY OK: depth=1, /C=KY/ST=GrandCayman/L=GeorgeTown/O=GoldenFrog-Inc/CN=GoldenFrog-Inc_CA/emailAddress=admin@goldenfrog.com
Wed Apr 04 00:18:22 2012 VERIFY X509NAME OK: /C=KY/ST=GrandCayman/L=GeorgeTown/O=GoldenFrog-Inc/CN=de1.vpn.giganews.com/emailAddress=admin@goldenfrog.com
Wed Apr 04 00:18:22 2012 VERIFY OK: depth=0, /C=KY/ST=GrandCayman/L=GeorgeTown/O=GoldenFrog-Inc/CN=de1.vpn.giganews.com/emailAddress=admin@goldenfrog.com
Wed Apr 04 00:18:23 2012 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Apr 04 00:18:23 2012 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Apr 04 00:18:23 2012 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Apr 04 00:18:23 2012 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Apr 04 00:18:23 2012 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Wed Apr 04 00:18:23 2012 [de1.vpn.giganews.com] Peer Connection Initiated with 138.199.67.147:1194
Wed Apr 04 00:18:26 2012 SENT CONTROL [de1.vpn.giganews.com]: 'PUSH_REQUEST' (status=1)
Wed Apr 04 00:18:26 2012 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,explicit-exit-notify 5,rcvbuf 262144,route-gateway 10.25.0.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.25.0.24 255.255.0.0'
Wed Apr 04 00:18:26 2012 OPTIONS IMPORT: timers and/or timeouts modified
Wed Apr 04 00:18:26 2012 OPTIONS IMPORT: explicit notify parm(s) modified
Wed Apr 04 00:18:26 2012 OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
Wed Apr 04 00:18:26 2012 Socket Buffers: R=[8192->262144] S=[64512->64512]
Wed Apr 04 00:18:26 2012 OPTIONS IMPORT: --ifconfig/up options modified
Wed Apr 04 00:18:26 2012 OPTIONS IMPORT: route options modified
Wed Apr 04 00:18:26 2012 OPTIONS IMPORT: route-related options modified
Wed Apr 04 00:18:26 2012 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Wed Apr 04 00:18:26 2012 ROUTE default_gateway=192.168.1.1
Wed Apr 04 00:18:26 2012 TAP-WIN32 device [Local Area Connection 3] opened: \\.\Global\{8EB876C6-A4CE-41DF-9809-D75BF74511F3}.tap
Wed Apr 04 00:18:26 2012 TAP-Win32 Driver Version 9.9
Wed Apr 04 00:18:26 2012 TAP-Win32 MTU=1500
Wed Apr 04 00:18:26 2012 Set TAP-Win32 TUN subnet mode network/local/netmask = 10.25.0.0/10.25.0.24/255.255.0.0 [SUCCEEDED]
Wed Apr 04 00:18:26 2012 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.25.0.24/255.255.0.0 on interface {8EB876C6-A4CE-41DF-9809-D75BF74511F3} [DHCP-serv: 10.25.255.254, lease-time: 31536000]
Wed Apr 04 00:18:26 2012 Successful ARP Flush on interface [19] {8EB876C6-A4CE-41DF-9809-D75BF74511F3}
Wed Apr 04 00:18:31 2012 TEST ROUTES: 1/1 succeeded len=0 ret=1 a=0 u/d=up
Wed Apr 04 00:18:31 2012 C:\WINDOWS\system32\route.exe ADD 138.199.67.147 MASK 255.255.255.255 192.168.1.1
Wed Apr 04 00:18:31 2012 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=10 and dwForwardType=4
Wed Apr 04 00:18:31 2012 Route addition via IPAPI succeeded [adaptive]
Wed Apr 04 00:18:31 2012 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.25.0.1
Wed Apr 04 00:18:31 2012 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
Wed Apr 04 00:18:31 2012 Route addition via IPAPI succeeded [adaptive]
Wed Apr 04 00:18:31 2012 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.25.0.1
Wed Apr 04 00:18:31 2012 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
Wed Apr 04 00:18:31 2012 Route addition via IPAPI succeeded [adaptive]
Wed Apr 04 00:18:31 2012 Initialization Sequence Completed


And this is the resulting log when I set up the router to connect to VyprVPN:

State
Server: Local Address: Remote Address:
Client: CONNECTED: SUCCESS Local Address: 10.25.0.19 Remote Address:

Clientlog:
20120404 00:28:11 MANAGEMENT: Client connected from 127.0.0.1:5001
20120404 00:28:11 D MANAGEMENT: CMD 'state'
20120404 00:28:11 VERIFY OK: depth=1 /C=KY/ST=GrandCayman/L=GeorgeTown/O=GoldenFrog-Inc/CN=GoldenFrog-Inc_CA/emailAddress=admin@goldenfrog.com
20120404 00:28:11 VERIFY OK: nsCertType=SERVER
20120404 00:28:11 VERIFY OK: depth=0 /C=KY/ST=GrandCayman/L=GeorgeTown/O=GoldenFrog-Inc/CN=de1.vpn.giganews.com/emailAddress=admin@goldenfrog.com
20120404 00:28:11 MANAGEMENT: Client disconnected
20120404 00:28:11 MANAGEMENT: Client connected from 127.0.0.1:5001
20120404 00:28:11 D MANAGEMENT: CMD 'state'
20120404 00:28:11 MANAGEMENT: Client disconnected
20120404 00:28:11 MANAGEMENT: Client connected from 127.0.0.1:5001
20120404 00:28:11 D MANAGEMENT: CMD 'state'
20120404 00:28:11 MANAGEMENT: Client disconnected
20120404 00:28:11 MANAGEMENT: Client connected from 127.0.0.1:5001
20120404 00:28:11 D MANAGEMENT: CMD 'log 500'
20120404 00:28:11 MANAGEMENT: Client disconnected
20120404 00:28:11 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
20120404 00:28:11 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
20120404 00:28:11 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
20120404 00:28:11 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
20120404 00:28:11 Control Channel: TLSv1 cipher TLSv1/SSLv3 AES256-SHA 2048 bit RSA
20120404 00:28:11 I [de1.vpn.giganews.com] Peer Connection Initiated with 138.199.67.147:1194
20120404 00:28:13 MANAGEMENT: Client connected from 127.0.0.1:5001
20120404 00:28:13 SENT CONTROL [de1.vpn.giganews.com]: 'PUSH_REQUEST' (status=1)
20120404 00:28:13 D MANAGEMENT: CMD 'state'
20120404 00:28:13 MANAGEMENT: Client disconnected
20120404 00:28:13 MANAGEMENT: Client connected from 127.0.0.1:5001
20120404 00:28:13 D MANAGEMENT: CMD 'state'
20120404 00:28:13 PUSH: Received control message: 'PUSH_REPLY redirect-gateway def1 bypass-dhcp dhcp-option DNS 208.67.222.222 dhcp-option DNS 208.67.220.220 explicit-exit-notify 5 rcvbuf 262144 route-gateway 10.25.0.1 topology subnet ping 10 ping-restart 60 ifconfig 10.25.0.19 255.255.0.0'
20120404 00:28:13 OPTIONS IMPORT: timers and/or timeouts modified
20120404 00:28:13 OPTIONS IMPORT: explicit notify parm(s) modified
20120404 00:28:13 OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
20120404 00:28:13 Socket Buffers: R=[131072->229376] S=[131072->131072]
20120404 00:28:13 OPTIONS IMPORT: --ifconfig/up options modified
20120404 00:28:13 OPTIONS IMPORT: route options modified
20120404 00:28:13 OPTIONS IMPORT: route-related options modified
20120404 00:28:13 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
20120404 00:28:13 I TUN/TAP device tun1 opened
20120404 00:28:13 TUN/TAP TX queue length set to 100
20120404 00:28:13 I /sbin/ifconfig tun1 10.25.0.19 netmask 255.255.0.0 mtu 1500 broadcast 10.25.255.255
20120404 00:28:13 /sbin/route add -net 138.199.67.147 netmask 255.255.255.255 gw 213.47.72.1
20120404 00:28:13 W ERROR: Linux route add command failed: external program exited with error status: 255
20120404 00:28:13 /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.25.0.1
20120404 00:28:13 /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.25.0.1
20120404 00:28:13 I Initialization Sequence Completed
20120404 00:28:13 MANAGEMENT: Client disconnected
20120404 00:28:13 MANAGEMENT: Client connected from 127.0.0.1:5001
20120404 00:28:13 D MANAGEMENT: CMD 'state'
20120404 00:28:13 MANAGEMENT: Client disconnected
20120404 00:28:13 MANAGEMENT: Client connected from 127.0.0.1:5001
20120404 00:28:13 D MANAGEMENT: CMD 'log 500'
19700101 00:00:00
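An added example, not part of the post above and not DD-WRT's or OpenVPN's own code: a small POSIX shell script that pulls the facts worth checking out of a client log in the router's "Clientlog" format ("YYYYMMDD HH:MM:SS [level] message"), the same shape as the log just posted. The lines it runs on are a constructed sample in that format, not a capture. Besides naming the negotiated data-channel cipher and HMAC and the DNS servers the server pushed, it pairs each `/sbin/route add` with the error line that follows it. That pairing matters because `redirect-gateway def1` works by first installing a /32 host route to the VPN endpoint via the original gateway and then two half-default routes (0.0.0.0/1 and 128.0.0.0/1) via the tunnel; if the host route fails to install, the encapsulated packets to the endpoint itself match the half-default routes and are sent into the tunnel.

```shell
#!/bin/sh
# Added example, not from the thread: audit a DD-WRT OpenVPN client log
# ("YYYYMMDD HH:MM:SS [level] message" lines) for the facts that matter
# when a router-side tunnel misbehaves.

# Constructed sample in the shape of the router log above (not a real capture).
SAMPLE_LOG="${TMPDIR:-/tmp}/ovpn-audit-sample.$$"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
20120404 00:28:11 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
20120404 00:28:11 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
20120404 00:28:11 Control Channel: TLSv1 cipher TLSv1/SSLv3 AES256-SHA 2048 bit RSA
20120404 00:28:13 PUSH: Received control message: 'PUSH_REPLY redirect-gateway def1 bypass-dhcp dhcp-option DNS 208.67.222.222 dhcp-option DNS 208.67.220.220 route-gateway 10.25.0.1 ifconfig 10.25.0.19 255.255.0.0'
20120404 00:28:13 /sbin/route add -net 138.199.67.147 netmask 255.255.255.255 gw 213.47.72.1
20120404 00:28:13 W ERROR: Linux route add command failed: external program exited with error status: 255
20120404 00:28:13 /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.25.0.1
20120404 00:28:13 /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.25.0.1
20120404 00:28:13 I Initialization Sequence Completed
EOF

# Negotiated data-channel cipher name, e.g. BF-CBC.
ovpn_cipher() {
    sed -n "s/.*Data Channel Encrypt: Cipher '\([^']*\)'.*/\1/p" "$1" | head -n 1
}

# Data-channel HMAC hash, e.g. SHA1.
ovpn_hmac() {
    sed -n "s/.*Data Channel Encrypt: Using [0-9]* bit message hash '\([^']*\)'.*/\1/p" "$1" | head -n 1
}

# DNS servers pushed by the server ("dhcp-option DNS a.b.c.d"), space separated.
ovpn_pushed_dns() {
    awk '/PUSH_REPLY/ {
            for (i = 1; i < NF; i++)
                if ($i == "DNS") printf "%s%s", (n++ ? " " : ""), $(i + 1)
            printf "\n"; exit
        }' "$1"
}

# Arguments of every "route add" that is immediately followed by a failure line.
ovpn_failed_routes() {
    awk '/\/sbin\/route add/ { pending = $0; next }
         /route add command failed/ && pending != "" {
             sub(/.*\/sbin\/route add /, "", pending); print pending
         }
         { pending = "" }' "$1"
}

# Summary plus the two warnings a practitioner wants to see.
ovpn_audit() {
    log=$1
    cipher=$(ovpn_cipher "$log")
    printf 'data channel : %s with HMAC-%s\n' "$cipher" "$(ovpn_hmac "$log")"
    printf 'pushed DNS   : %s\n' "$(ovpn_pushed_dns "$log")"
    failed=$(ovpn_failed_routes "$log")
    [ -z "$failed" ] || printf 'FAILED route : %s\n' "$failed"
    # Blowfish has a 64-bit block; current OpenVPN releases default to AES-GCM.
    [ "$cipher" != "BF-CBC" ] || echo 'WARN: 64-bit block cipher (BF-CBC) on the data channel'
    # redirect-gateway def1 relies on the /32 host route to the VPN endpoint via the
    # original gateway; without it the endpoint's own packets match the new
    # 0.0.0.0/1 and 128.0.0.0/1 routes and are sent into the tunnel.
    if grep -q 'redirect-gateway def1' "$log" && printf '%s\n' "$failed" | grep -q 'netmask 255.255.255.255'; then
        echo 'WARN: host route to the VPN endpoint did not install under redirect-gateway def1'
    fi
}

# On the router, save the Clientlog shown on Status_OpenVPN.asp to a file and pass its path.
ovpn_audit "$SAMPLE_LOG"
```

On the sample above this reports BF-CBC with HMAC-SHA1, the two pushed resolvers, the failed /32 route to 138.199.67.147, and both warnings.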
Kosta
DD-WRT Novice

PostPosted: Tue Apr 03, 2012 23:22    Post subject:
Hmmm, seems to be working now. The connection at least. The problem was with the DNS of my provider. I set it to use Google DNS.

Speed is abysmal though. I have about 3800kb/s, but only getting 800kb/s.

Any ideas?


And also, I don't understand why the log is continuously showing:
20120404 01:20:22 MANAGEMENT: Client connected from 127.0.0.1:5001
20120404 01:20:22 D MANAGEMENT: CMD 'state'
20120404 01:20:22 MANAGEMENT: Client disconnected
20120404 01:20:22 MANAGEMENT: Client connected from 127.0.0.1:5001
20120404 01:20:23 D MANAGEMENT: CMD 'state'
20120404 01:20:23 MANAGEMENT: Client disconnected
20120404 01:20:23 MANAGEMENT: Client connected from 127.0.0.1:5001
20120404 01:20:23 D MANAGEMENT: CMD 'log 500'
20120404 01:20:23 MANAGEMENT: Client disconnected
20120404 01:20:23 MANAGEMENT: Client connected from 127.0.0.1:5001
20120404 01:20:23 D MANAGEMENT: CMD 'state'
20120404 01:20:23 MANAGEMENT: Client disconnected


Who is connecting, and why? 127.0.0.1 is localhost. So why is the router doing that? Any way to stop it?

So problems persist: speed and logging.

Anyone ideas?
James2k
DD-WRT Guru
Joined: 23 Oct 2011
Posts: 549

PostPosted: Wed Apr 04, 2012 6:26    Post subject:
Code:
MANAGEMENT: Client connected from 127.0.0.1:5001


Management is the OpenVPN Status Page within your DD-WRT menu. e.g. <your router ip>/Status_OpenVPN.asp.

It's due to having this "management localhost 5001" in your OpenVPN config. It's harmless, leave it enabled.

Regarding your speed, try switching to UDP if you're not using it already.

_________________
James

Main router:

Netgear R7000 overclocked to 1.2GHz - DD-WRT v3.0-r35965M kongac

IPv6 6in4 (HE.net), OpenVPN (with PBR and split tunnelling), Entware, dnsmasq with ipset

Easy ipset support for the R7000

VPN speed: Download: 77.96 Mbps Upload: 5.00 Mbps (AES-128-CBC HMAC-SHA1)

Yes you can get 50 Mbps+ with OpenVPN on a R7000 if you configure it properly!

Previous routers:

ASUS RT-N66U - The Dark Knight
WNR2000v3 - Bought on the cheap for someone else, neutered crap
WNR3500Lv1 - First venture into the DD-WRT world
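What those loopback connections are, shown as an added example (not the page's, DD-WRT's or OpenVPN's own code): the status page opens the management socket, sends one command, reads the reply and closes the connection, which is exactly the connected / CMD / disconnected triplet in the log. The first function reproduces that exchange with busybox `nc`; the second turns a `state` reply into a one-line summary. The reply is a constructed sample in OpenVPN's documented `state` format, and the wording of the summary line is assumed rather than copied from the firmware. One caveat behind the "any way to stop it?" question: the management interface accepts control commands such as `signal SIGTERM` from anyone who can open the socket and has no password unless `management` is given a password-file argument, so binding it to 127.0.0.1, as the poster's config does, is what makes it harmless.

```shell
#!/bin/sh
# Added example, not from the thread or from DD-WRT: what the status page
# does when it polls the OpenVPN management interface, and how to read the
# "state" reply.  Assumes "management 127.0.0.1 5001" in the config.

MGMT_HOST=127.0.0.1
MGMT_PORT=5001

# Send one management command ("state", "log 500", "status", ...) and print
# the reply.  busybox nc is enough; the trailing "quit" closes the session,
# which is the "Client disconnected" line in the router log.
ovpn_mgmt() {
    printf '%s\nquit\n' "$1" | nc "$MGMT_HOST" "$MGMT_PORT"
}

# Constructed sample of a "state" reply: greeting, then
# <unix time>,<state>,<description>,<tunnel ip>,<remote ip>, then END.
SAMPLE_STATE=">INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info
1333495693,CONNECTED,SUCCESS,10.25.0.19,138.199.67.147
END"

# Reduce a "state" reply to one line (wording assumed, modelled on the status page):
# "Client: <state>: <desc> Local Address: <ip> Remote Address: <ip>"
ovpn_state_summary() {
    printf '%s\n' "$1" | awk -F, '
        /^[0-9]+,/ {
            printf "Client: %s: %s Local Address: %s Remote Address: %s\n", $2, $3, $4, $5
            exit
        }'
}

# On the router:  ovpn_state_summary "$(ovpn_mgmt state)"
ovpn_state_summary "$SAMPLE_STATE"
```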
LOM
DD-WRT Guru
Joined: 28 Dec 2008
Posts: 7647

PostPosted: Wed Apr 04, 2012 6:39    Post subject:
Kosta wrote:
    Speed is abysmal though. I have about 3800kb/s, but only getting 800kb/s.
    Any ideas?
That is about what you can get with your hardware; you need a powerful CPU when doing software ciphering, or a CPU with a built-in crypto accelerator.

20120404 00:28:11 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
20120404 00:28:11 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
20120404 00:28:11 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
20120404 00:28:11 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
20120404 00:28:11 Control Channel: TLSv1 cipher TLSv1/SSLv3 AES256-SHA 2048 bit RSA

_________________
Kernel panic: Aiee, killing interrupt handler!
Kosta
DD-WRT Novice

PostPosted: Wed Apr 04, 2012 8:06    Post subject:
So basically no way to get higher speeds on my router?

Any recommendations on which one would work well?
JuiciPackets
DD-WRT User
Joined: 26 Jan 2011
Posts: 60

PostPosted: Wed Apr 04, 2012 8:56    Post subject:
I'm a big fan of the Asus RT-N16 - for sheer amount of memory and CPU power (amongst routers, that is).
It will handle your OpenVPN no problem.
Kosta
DD-WRT Novice

PostPosted: Wed Apr 04, 2012 9:07    Post subject:
So mine has a CPU of 354 MHz, the Asus has 480 MHz, and that should make all the difference? And RAM 32 MB vs 128 MB?
JuiciPackets
DD-WRT User

PostPosted: Wed Apr 04, 2012 9:15    Post subject:
Well, why don't you check?
Start a sustained transfer through the tunnel and do a cat /proc/loadavg. If the first numbers are close to or above 1 chances are you are CPU bound.
Kosta
DD-WRT Novice

PostPosted: Wed Apr 04, 2012 9:20    Post subject:
OK, I get it.
1.02, 0.75, 0.39

The first number is 1 minute period. Meaning, CPU is at 100%.
So how can I now know what CPU speed I need to handle the OpenVPN? I guess order the Asus and see what it's capable of?
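The check JuiciPackets describes and the loadavg reading above, as an added example that is not part of either post: on a one-core SoC a one-minute load average near 1 says the CPU is saturated, but not by what, and it does not tie the saturation to the tunnel. The script below takes two snapshots of /proc/stat and /proc/net/dev a few seconds apart during a sustained download and reports CPU busy percentage next to tun1 throughput over the same interval; busy near 100 while tun1 carries far less than the WAN line rate is the signature of cipher-bound forwarding. It runs here on constructed snapshots (the numbers are invented to mirror the poster's roughly 850 kB/s); on the router, call `measure_live` instead. The interface name tun1 is taken from the log earlier in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: is the tunnel CPU-bound?  Compare CPU
# busy% with tun1 throughput over the same interval, from two snapshots of
# /proc/stat and /proc/net/dev.

# "<total> <idle>" jiffies from the aggregate "cpu" line of a /proc/stat
# snapshot.  Fields 2-9: user nice system idle iowait irq softirq steal.
# Guest times (fields 10-11) are already counted in user, so they are skipped.
cpu_jiffies() {
    awk '$1 == "cpu" {
            total = 0; for (i = 2; i <= 9; i++) total += $i
            print total, $5 + $6; exit
        }' "$1"
}

# Integer CPU busy percentage between two /proc/stat snapshots (idle + iowait count as idle).
cpu_busy_pct() {
    set -- $(cpu_jiffies "$1") $(cpu_jiffies "$2")   # total0 idle0 total1 idle1
    dt=$(( $3 - $1 )); di=$(( $4 - $2 ))
    [ "$dt" -gt 0 ] || { echo 0; return; }
    echo $(( (dt - di) * 100 / dt ))
}

# Received bytes for interface $2 from a /proc/net/dev snapshot $1.
iface_rx_bytes() {
    awk -v ifc="$2" '{
            n = index($0, ":"); if (n == 0) next          # header lines have no ":"
            name = substr($0, 1, n - 1); gsub(/ /, "", name)
            if (name == ifc) { split(substr($0, n + 1), f, " "); print f[1]; exit }
        }' "$1"
}

# kbit/s received on interface $4 between snapshots $1 and $2 taken $3 seconds apart.
iface_rx_kbps() {
    b0=$(iface_rx_bytes "$1" "$4"); b1=$(iface_rx_bytes "$2" "$4")
    echo $(( (b1 - b0) * 8 / 1000 / $3 ))
}

# Live measurement on the router: run while a download is in flight.
measure_live() {
    iface=${1:-tun1}; secs=${2:-10}; d=${TMPDIR:-/tmp}
    cat /proc/stat >"$d/stat.0"; cat /proc/net/dev >"$d/dev.0"
    sleep "$secs"
    cat /proc/stat >"$d/stat.1"; cat /proc/net/dev >"$d/dev.1"
    printf 'cpu busy: %s%%   %s rx: %s kbit/s over %ss\n' \
        "$(cpu_busy_pct "$d/stat.0" "$d/stat.1")" "$iface" \
        "$(iface_rx_kbps "$d/dev.0" "$d/dev.1" "$secs" "$iface")" "$secs"
}

# Constructed snapshots (invented numbers, 10 s apart, /proc/net/dev headers
# omitted): one core about 95% busy while tun1 receives 8.5 MB, i.e. about
# 6.8 Mbit/s or 850 kB/s, although eth0 moved 9 MB in the same window.
D="${TMPDIR:-/tmp}/tunload.$$"; mkdir -p "$D"; trap 'rm -rf "$D"' EXIT
printf 'cpu  1000 0 500 8000 100 0 50 0 0 0\ncpu0 1000 0 500 8000 100 0 50 0 0 0\n' >"$D/stat.0"
printf 'cpu  1500 0 900 8050 105 0 120 0 0 0\ncpu0 1500 0 900 8050 105 0 120 0 0 0\n' >"$D/stat.1"
printf '  eth0: 12000000 9000 0 0 0 0 0 0 1500000 3000 0 0 0 0 0 0\n  tun1: 1000000 800 0 0 0 0 0 0 200000 400 0 0 0 0 0 0\n' >"$D/dev.0"
printf '  eth0: 21000000 16500 0 0 0 0 0 0 1900000 3800 0 0 0 0 0 0\n  tun1: 9500000 7000 0 0 0 0 0 0 400000 800 0 0 0 0 0 0\n' >"$D/dev.1"

printf 'cpu busy: %s%%   tun1 rx: %s kbit/s\n' \
    "$(cpu_busy_pct "$D/stat.0" "$D/stat.1")" "$(iface_rx_kbps "$D/dev.0" "$D/dev.1" 10 tun1)"
# prints: cpu busy: 94%   tun1 rx: 6800 kbit/s
```

Run `measure_live tun1 10` on the router during a large download; if the busy figure sits near 100 while the tun1 rate stays well under the WAN rate, the cipher and HMAC work is the ceiling, and the only remedies are a lighter data-channel cipher (where the provider allows it) or a faster CPU.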
JuiciPackets
DD-WRT User

PostPosted: Wed Apr 04, 2012 10:23    Post subject:
Mine goes around 40-45% CPU usage when I stream HD video through the tunnel (~6 Mbps). The load depends on the cipher and hash algorithms you're using, but I think you'll be fine too, for (more than) decent loads.
Kosta
DD-WRT Novice

PostPosted: Wed Apr 04, 2012 10:56    Post subject:
I can push 6mbps without a problem through the tunnel. 6mbps is around 750kbps, and I push with 100% around 850kbps.
But my giganews server is pushing without encryption around 3800kbps through my cable modem, and when connected through openvpn on the computer, I get around 3700-3800kbps, fluctuating.
And CPU is also being used quite a lot, around 15% on the task manager.
Calculating from that, I think it's safe to assume there is no router in the normal price class that can push 3800kbps through the tunnel on the OpenVPN protocol? My CPU being a 2600K @ 4.8 GHz.
JuiciPackets
DD-WRT User

PostPosted: Wed Apr 04, 2012 15:35    Post subject:
Oh, I thought you were talking about kilo *bits* per second when you said "I have about 3800kb/s, but only getting 800kb/s". I'm not sure if you can get 3,800 kilo *BYTES* per second through OpenVPN on a consumer-grade wireless router. I'd be interested to test that for you on my router, but my internet connection has a mere 8mbps bandwidth (that's mega bits)... and that's "best effort"! Typically it runs between 2 and 4 mbps, so I can't possibly test that kind of load for you. If you need the tunnel just for the routing and you don't need confidentiality part you may want to turn off encryption altogether. Or choose the "lightest" encryption possible. Have a go with it, just to see if it is able to cope.

No way you can compare the performance of a multi-core 2600K @ 4.8 GHz with the single-core wimpy wireless router's CPU at 300-400 MHz, using a different architecture.

Cheers
Kosta
DD-WRT Novice

PostPosted: Wed Apr 04, 2012 15:41    Post subject:
Yes, I might have been completely unclear on that. I was talking about bytes, not bits. My max speed is 35 Mbit/s.
It's just that authorities here decided to log all connections as of Monday, and I'm totally against my data being freely accessible to any kind of authority, thus VPN tunnel.
Encryption is not so important though, only lite maybe, but even if that.
How would I go about turning off encryption, just to test?

EDIT: tried cipher none in both windows-app and in dd-wrt, after that, there is no connection.
JuiciPackets
DD-WRT User

PostPosted: Wed Apr 04, 2012 16:15    Post subject:
Quote:
    "I have a Giganews account, which is giving me access to OpenVPN (I tried PPTP, but it's abysmally slow compared to OpenVPN)."
Does Giganews allow cipher none?
Check your OpenVPN log
Kosta
DD-WRT Novice

PostPosted: Wed Apr 04, 2012 16:34    Post subject:
I guess not?

Wed Apr 04 18:32:59 2012 Replay-window backtrack occurred [1438368324]
Wed Apr 04 18:32:59 2012 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #2085995984 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning wi