Posted: Fri May 25, 2012 12:46 Post subject: OpenVPN tunnel not working :(
Hi,
I'm trying to get the OpenVPN tunnel system working as explained here in the wiki: http://www.dd-wrt.com/wiki/index.php/OpenVPN_-_Site-to-Site_Bridged_VPN_Between_Two_Routers I use a WRT-54GL as explained in the wiki, but it doesn't work: no connection.
I noticed that if I try to telnet from outside to port 1194 of my server router, nothing answers. Is that normal?
I don't know how to diagnose the problem.
If you are running a UDP VPN, you won't be able to telnet to it, as telnet uses TCP. Have a google on the difference; it's useful to know.
If you telnet to your router's console, you can tail -f /var/log/openvpn (server) and /var/log/openvpncl (client), which will tell you what's going on with the OpenVPN services in real time.
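The point above (a TCP telnet tells you nothing about a UDP listener) is worth turning into a real check. OpenVPN's UDP server does answer the first packet a client sends, a P_CONTROL_HARD_RESET_CLIENT_V2, with a P_CONTROL_HARD_RESET_SERVER_V2 that acknowledges the client's session id, so a single datagram is enough to tell "listening and reachable" from "filtered, wrong protocol, or not running". The script below is an added example and not part of this thread or of DD-WRT; it builds that probe, parses the reply, and treats silence as "no answer" rather than "down". The wire layout it assumes is the control-channel header without tls-auth (opcode/key_id byte, 8-byte session id, ack-array length, optional ack ids and remote session id, 4-byte packet id); a server running tls-auth will silently drop an unkeyed probe, which the code cannot distinguish from a firewall.

```python
import os
import socket
import struct
from typing import List, Optional

# OpenVPN control-channel opcodes live in the top 5 bits of the first byte;
# the low 3 bits carry the key_id (0 for a fresh session).
P_CONTROL_HARD_RESET_CLIENT_V2 = 7
P_CONTROL_HARD_RESET_SERVER_V2 = 8


def build_hard_reset_probe(session_id: bytes) -> bytes:
    """Build the first packet an OpenVPN client sends (no tls-auth assumed).

    Layout: opcode/key_id (1) | session id (8) | ack array length (1, here 0)
            | packet id (4, here 0 because it is our first control packet).
    """
    if len(session_id) != 8:
        raise ValueError("OpenVPN session ids are 8 bytes")
    opcode_byte = (P_CONTROL_HARD_RESET_CLIENT_V2 << 3) | 0
    return bytes([opcode_byte]) + session_id + b"\x00" + struct.pack("!I", 0)


def parse_server_reply(data: bytes, our_session_id: bytes) -> dict:
    """Decode a candidate reply and say whether it is a server hard reset
    that acknowledges the session id we sent (i.e. a real OpenVPN server)."""
    if len(data) < 14:
        raise ValueError("too short for an OpenVPN control packet")
    opcode = data[0] >> 3
    key_id = data[0] & 0x07
    server_sid = data[1:9]
    ack_len = data[9]
    pos = 10
    acked: List[int] = []
    remote_sid: Optional[bytes] = None
    if ack_len:
        # When acks are present they are followed by the peer's view of OUR session id.
        need = 4 * ack_len + 8
        if len(data) < pos + need + 4:
            raise ValueError("truncated ack array")
        acked = list(struct.unpack("!%dI" % ack_len, data[pos:pos + 4 * ack_len]))
        pos += 4 * ack_len
        remote_sid = data[pos:pos + 8]
        pos += 8
    packet_id = struct.unpack("!I", data[pos:pos + 4])[0]
    return {
        "opcode": opcode,
        "key_id": key_id,
        "server_session_id": server_sid,
        "acked_packet_ids": acked,
        "remote_session_id": remote_sid,
        "packet_id": packet_id,
        "is_server_hard_reset": (
            opcode == P_CONTROL_HARD_RESET_SERVER_V2 and remote_sid == our_session_id
        ),
    }


def probe_openvpn_udp(host: str, port: int = 1194, timeout: float = 3.0) -> Optional[dict]:
    """Send one probe over UDP and return the parsed reply, or None on silence.

    None means one of: nothing listening, port filtered, server is TCP-only,
    or tls-auth is enabled (unkeyed probes are dropped). Only a dict with
    is_server_hard_reset=True proves an OpenVPN server answered.
    """
    sid = os.urandom(8)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_hard_reset_probe(sid), (host, port))
        try:
            data, _ = s.recvfrom(2048)
        except socket.timeout:
            return None
    return parse_server_reply(data, sid)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(probe_openvpn_udp(target))
```

Run it from outside your network against the server's public address; a parsed reply with is_server_hard_reset set means the port forward, the UDP listener and the daemon are all in place, and any remaining failure is in the TLS or key material rather than in reachability. If the server is configured with tls-auth you will get None even when it is healthy, so check the server config before trusting a negative.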
MrFidget wrote:
If you are running a UDP VPN, you won't be able to telnet to it, as telnet uses TCP. Have a google on the difference; it's useful to know.
Oops, I didn't realise a VPN might be over UDP; I thought it was only TCP.
MrFidget wrote:
If you telnet to your router's console, you can tail -f /var/log/openvpn (server) and /var/log/openvpncl (client), which will tell you what's going on with the OpenVPN services in real time.
There is no openvpn log file anywhere on the router, either in /var/log or /tmp/var/log. I tried to run all the steps of the script by hand in the terminal and they all run silently without any errors, so I'm completely lost here. The only thing that looks strange to my eyes is that openvpn is supposed to run as a daemon, but if I do a ps, no openvpn process is listed.
What version are you using? 14929, 15962, 18024 etc. You'll see this in the title bar.
I use v15962 broadcom K26 on Cisco E3000 routers and have commercial deployments of OpenVPN. I found that particular version is stable and reliable for OpenVPN.
If you are running an earlier release of DD, upgrade to 15962. It's pretty reliable.
By the sounds of things you don't have syslog turned on. It's on the first page of the services tab, somewhere towards the bottom.
Make sure that's on and try the tail command.
BTW, you are best to run your VPN over UDP, as you will be running TCP across the tunnel and you don't want double handling of error retransmissions.
MrFidget wrote:
What version are you using? 14929, 15962, 18024 etc. You'll see this in the title bar.
Build 13064 (V24-sp2), which is supposed to be the most recent stable build for my router! There is a 14896 build, but it's marked beta.
MrFidget wrote:
I use v15962 broadcom K26 on Cisco E3000 routers and have commercial deployments of OpenVPN. I found that particular version is stable and reliable for OpenVPN.
The most recent I can find for my Linksys WRT54GL is 14896! Isn't it too old?
MrFidget wrote:
By the sounds of things you don't have syslog turned on. It's on the first page of the services tab, somewhere towards the bottom.
Make sure that's on and try the tail command.
Got it, thanks, and found these errors in the log:
Code:
May 26 09:57:56 grenoble daemon.notice openvpn[1678]: OpenVPN 2.1_rc20 mipsel-unknown-linux-gnu [SSL] [LZO1] [EPOLL] built on Oct 10 2009
May 26 09:57:57 grenoble daemon.notice openvpn[1678]: Diffie-Hellman initialized with 1024 bit key
May 26 09:57:57 grenoble daemon.warn openvpn[1678]: Cannot load private key file server.key: error:0D0680A8:lib(13):func(104):reason(168): error:0D06C03A:lib(13):func(108):reason(58): error:0D08303A:lib(13):func(131):reason(58): error:0D09A00D:lib(13):func(154):reason(13)
May 26 09:57:57 grenoble daemon.err openvpn[1678]: Error: private key password verification failed
What is that password it's talking about?
MrFidget wrote:
BTW, you are best to run your VPN over UDP, as you will be running TCP across the tunnel and you don't want double handling of error retransmissions.
Thanks for the explanation, I understand better now the use of UDP in that specific case.
Anything else I can check? I'm just thinking that when I created the key files, openvpn asked me for a password. Should I have entered an empty password instead of a text string?
An update about the problem: I created a complete new set of keys just in case, but I still have the same issue. I'm thinking it might be something I do wrong when I create the keys???
Thanks,
Vincèn
Code:
May 28 09:43:39 grenoble daemon.notice openvpn[553]: OpenVPN 2.1_rc20 mipsel-unknown-linux-gnu [SSL] [LZO1] [EPOLL] built on Oct 10 2009
May 28 09:43:40 grenoble daemon.notice openvpn[553]: Diffie-Hellman initialized with 1024 bit key
May 28 09:43:40 grenoble daemon.warn openvpn[553]: Cannot load private key file server.key: error:0D0680A8:lib(13):func(104):reason(168): error:0D06C03A:lib(13):func(108):reason(58): error:0D08303A:lib(13):func(131):reason(58): error:0D09A00D:lib(13):func(154):reason(13):
May 28 09:43:40 grenoble daemon.err openvpn[553]: Error: private key password verification failed
May 28 09:43:40 grenoble daemon.notice openvpn[553]: Exiting
Hmm, found a solution but it's weird! Until now I created the keys with OpenVPN on Linux; now I tried with OpenVPN on Windows and it accepts them, very strange... I just need to update the keys in the remote Linksys now and check if the link comes up.
I'm trying to create an OpenVPN link between two WRT54GL/DD-WRT and this topic seems to be pretty close to my need.
At this time I get a successful connection between OpenVPN GUI on Windows 7 and my WRT54GL configured as a server (build 13064).
Here is the config file of the server:
Quote:
push "route 192.168.2.1 255.255.255.0"
server 192.168.66.0 255.255.255.0
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
dev tun0
port 1194
proto udp
comp-lzo
keepalive 10 120
reneg-sec 0
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
# Only use crl-verify if you are using the revoke list - otherwise leave it commented out
# crl-verify /tmp/openvpn/ca.crl
# management parameter allows DD-WRT's OpenVPN Status web page to access the server's management port
# port must be 5001 for scripts embedded in firmware to work
management localhost 5001
and here is the config file used with OpenVPN GUI:
Quote:
client
dev tun0
port 1194
proto udp
remote xxxx.dyndns.org 1194
resolv-retry infinite
nobind
persist-key
persist-tun
float
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
cipher BF-CBC
ping-restart 0
comp-lzo
verb 4
redirect-gateway def1 bypass-dhcp
My goal is now to replace the OpenVPN GUI with my second WRT54GL, acting as a client.
At the beginning I was using build 13064 on both WRT54GLs, but I figured out that it was a build to avoid; I had no log at all with OpenVPN configured as a client (not even a /var/log/openvpncl directory).
So I followed the advice in this topic and switched to build 15962, and in fact the command "tail -f /var/log/openvpn" gives me something:
Quote:
sid=e11443f4 76149d89
Tue May 29 23:00:45 2012 us=201648 VERIFY OK: depth=1, /C=US/ST=CA/L=SanFrancisco/O=OpenVPN/CN=ddwrt/emailAddress=mail@host.domain
Tue May 29 23:00:45 2012 us=210210 VERIFY OK: depth=0, /C=US/ST=CA/O=OpenVPN/CN=ddwrt/emailAddress=mail@host.domain
Tue May 29 23:00:46 2012 us=622511 Connection reset, restarting [0]
Tue May 29 23:00:46 2012 us=626068 TCP/UDP: Closing socket
Tue May 29 23:00:46 2012 us=627177 SIGUSR1[soft,connection-reset] received, process restarting
Tue May 29 23:00:46 2012 us=627768 Restart pause, 5 second(s)
Tue May 29 23:00:51 2012 us=676323 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Tue May 29 23:00:51 2012 us=676898 Re-using SSL/TLS context
Tue May 29 23:00:51 2012 us=677413 LZO compression initialized
Tue May 29 23:00:51 2012 us=679043 Control Channel MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
Tue May 29 23:00:51 2012 us=679762 Socket Buffers: R=[43689->65534] S=[16384->65534]
Tue May 29 23:00:51 2012 us=682583 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
Tue May 29 23:00:51 2012 us=683155 Attempting to establish TCP connection with xx.xx.xx.xx:1194 [nonblock]
Tue May 29 23:00:52 2012 us=686414 TCP connection established with xx.xx.xx.xx:1194
Tue May 29 23:00:52 2012 us=686948 TCPv4_CLIENT link local: [undef]
Tue May 29 23:00:52 2012 us=687470 TCPv4_CLIENT link remote: xx.xx.xx.xx:1194
Tue May 29 23:00:52 2012 us=741130 TLS: Initial packet from xx.xx.xx.xx:1194, sid=4848b481 0da9f9e0
Tue May 29 23:00:54 2012 us=2520 VERIFY OK: depth=1, /C=US/ST=CA/L=SanFrancisco/O=OpenVPN/CN=ddwrt/emailAddress=mail@host.domain
Tue May 29 23:00:54 2012 us=11068 VERIFY OK: depth=0, /C=US/ST=CA/O=OpenVPN/CN=ddwrt/emailAddress=mail@host.domain
Tue May 29 23:00:55 2012 us=602367 Connection reset, restarting [0]
Tue May 29 23:00:55 2012 us=605845 TCP/UDP: Closing socket
Tue May 29 23:00:55 2012 us=606869 SIGUSR1[soft,connection-reset] received, process restarting
Tue May 29 23:00:55 2012 us=607626 Restart pause, 5 second(s)
Tue May 29 23:01:00 2012 us=656304 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Tue May 29 23:01:00 2012 us=656877 Re-using SSL/TLS context
Tue May 29 23:01:00 2012 us=657392 LZO compression initialized
Tue May 29 23:01:00 2012 us=659016 Control Channel MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
Tue May 29 23:01:00 2012 us=659737 Socket Buffers: R=[43689->65534] S=[16384->65534]
Tue May 29 23:01:00 2012 us=662547 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
Tue May 29 23:01:00 2012 us=663118 Attempting to establish TCP connection with xx.xx.xx.xx:1194 [nonblock]
Tue May 29 23:01:01 2012 us=666425 TCP connection established with xx.xx.xx.xx:1194
Tue May 29 23:01:01 2012 us=666970 TCPv4_CLIENT link local: [undef]
Tue May 29 23:01:01 2012 us=667485 TCPv4_CLIENT link remote: xx.xx.xx.xx:1194
Tue May 29 23:01:01 2012 us=720484 TLS: Initial packet from xx.xx.xx.xx:1194, sid=a4d68d0e 492a11a1
Tue May 29 23:01:02 2012 us=776172 VERIFY OK: depth=1, /C=US/ST=CA/L=SanFrancisco/O=OpenVPN/CN=ddwrt/emailAddress=mail@host.domain
Tue May 29 23:01:02 2012 us=784610 VERIFY OK: depth=0, /C=US/ST=CA/O=OpenVPN/CN=ddwrt/emailAddress=mail@host.domain
Tue May 29 23:01:04 2012 us=328923 Connection reset, restarting [0]
Tue May 29 23:01:04 2012 us=332242 TCP/UDP: Closing socket
Tue May 29 23:01:04 2012 us=333205 SIGUSR1[soft,connection-reset] received, process restarting
Tue May 29 23:01:04 2012 us=333810 Restart pause, 5 second(s)
Tue May 29 23:01:09 2012 us=376306 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Tue May 29 23:01:09 2012 us=376987 Re-using SSL/TLS context
Tue May 29 23:01:09 2012 us=377523 LZO compression initialized
Tue May 29 23:01:09 2012 us=379139 Control Channel MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
Tue May 29 23:01:09 2012 us=379864 Socket Buffers: R=[43689->65534] S=[16384->65534]
Tue May 29 23:01:09 2012 us=382864 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
Tue May 29 23:01:09 2012 us=383433 Attempting to establish TCP connection with xx.xx.xx.xx:1194 [nonblock]
Tue May 29 23:01:10 2012 us=386436 TCP connection established with xx.xx.xx.xx:1194
Tue May 29 23:01:10 2012 us=386979 TCPv4_CLIENT link local: [undef]
Tue May 29 23:01:10 2012 us=387505 TCPv4_CLIENT link remote: xx.xx.xx.xx:1194
Tue May 29 23:01:10 2012 us=440645 TLS: Initial packet from xx.xx.xx.xx:1194, sid=6810f2f4 450741a8
Tue May 29 23:01:11 2012 us=600525 VERIFY OK: depth=1, /C=US/ST=CA/L=SanFrancisco/O=OpenVPN/CN=ddwrt/emailAddress=mail@host.domain
Tue May 29 23:01:11 2012 us=609424 VERIFY OK: depth=0, /C=US/ST=CA/O=OpenVPN/CN=ddwrt/emailAddress=mail@host.domain
Tue May 29 23:01:13 2012 us=192290 Connection reset, restarting [0]
Tue May 29 23:01:13 2012 us=195607 TCP/UDP: Closing socket
Tue May 29 23:01:13 2012 us=196616 SIGUSR1[soft,connection-reset] received, process restarting
Tue May 29 23:01:13 2012 us=197203 Restart pause, 5 second(s)
And I also have logs in the Web GUI status:
Quote:
20120530 00:09:26 MANAGEMENT: Client disconnected
20120530 00:09:26 MANAGEMENT: Client connected from 127.0.0.1:5001
20120530 00:09:26 D MANAGEMENT: CMD 'state'
20120530 00:09:26 MANAGEMENT: Client disconnected
20120530 00:09:27 MANAGEMENT: Client connected from 127.0.0.1:5001
20120530 00:09:27 D MANAGEMENT: CMD 'state'
20120530 00:09:27 MANAGEMENT: Client disconnected
20120530 00:09:27 MANAGEMENT: Client connected from 127.0.0.1:5001
20120530 00:09:27 D MANAGEMENT: CMD 'state'
20120530 00:09:27 MANAGEMENT: Client disconnected
20120530 00:09:27 MANAGEMENT: Client connected from 127.0.0.1:5001
20120530 00:09:27 D MANAGEMENT: CMD 'state'
20120530 00:09:27 MANAGEMENT: Client disconnected
20120530 00:09:27 MANAGEMENT: Client connected from 127.0.0.1:5001
20120530 00:09:27 D MANAGEMENT: CMD 'log 500'
20120530 00:09:27 MANAGEMENT: Client disconnected
20120530 00:09:52 N TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
20120530 00:09:52 N TLS Error: TLS handshake failed
20120530 00:09:52 TCP/UDP: Closing socket
20120530 00:09:52 I SIGUSR1[soft tls-error] received process restarting
20120530 00:09:52 Restart pause 2 second(s)
20120530 00:09:54 I Re-using SSL/TLS context
20120530 00:09:54 I LZO compression initialized
20120530 00:09:54 Control Channel MTU parms [ L:1546 D:138 EF:38 EB:0 ET:0 EL:0 ]
20120530 00:09:54 Socket Buffers: R=[32767->65534] S=[32767->65534]
20120530 00:09:54 Data Channel MTU parms [ L:1546 D:1450 EF:46 EB:135 ET:0 EL:0 AF:3/1 ]
20120530 00:09:54 Fragmentation MTU parms [ L:1546 D:1450 EF:45 EB:135 ET:1 EL:0 AF:3/1 ]
20120530 00:09:54 I UDPv4 link local: [undef]
20120530 00:09:54 I UDPv4 link remote: xx.xx.xx.xx:1194
20120530 00:09:54 TLS: Initial packet from xx.xx.xx.xx:1194 sid=8ea2664d 727f9914
20120530 00:09:54 VERIFY OK: depth=1 /C=US/ST=CA/L=SanFrancisco/O=OpenVPN/CN=ddwrt/emailAddress=mail@host.domain
20120530 00:09:54 VERIFY OK: nsCertType=SERVER
20120530 00:09:54 VERIFY OK: depth=0 /C=US/ST=CA/O=OpenVPN/CN=ddwrt/emailAddress=mail@host.domain
20120530 00:10:43 MANAGEMENT: Client connected from 127.0.0.1:5001
20120530 00:10:43 D MANAGEMENT: CMD 'state'
20120530 00:10:43 MANAGEMENT: Client disconnected
20120530 00:10:43 MANAGEMENT: Client connected from 127.0.0.1:5001
20120530 00:10:43 D MANAGEMENT: CMD 'state'
20120530 00:10:43 MANAGEMENT: Client disconnected
20120530 00:10:44 MANAGEMENT: Client connected from 127.0.0.1:5001
20120530 00:10:44 D MANAGEMENT: CMD 'state'
20120530 00:10:44 MANAGEMENT: Client disconnected
20120530 00:10:44 MANAGEMENT: Client connected from 127.0.0.1:5001
20120530 00:10:44 D MANAGEMENT: CMD 'state'
20120530 00:10:44 MANAGEMENT: Client disconnected
20120530 00:10:44 MANAGEMENT: Client connected from 127.0.0.1:5001
20120530 00:10:44 D MANAGEMENT: CMD 'state'
20120530 00:10:44 MANAGEMENT: Client disconnected
20120530 00:10:44 MANAGEMENT: Client connected from 127.0.0.1:5001
20120530 00:10:44 D MANAGEMENT: CMD 'log 500'
In red are the lines which appear to be in error, but after hours of googling I found no solution... All I know is that port 5001 is used to populate the OpenVPN status in the Web GUI, but it's working since I have logs...
You will find attached my WRT54GL client configuration.
I think that I'm close, but at this stage I really don't know what to do...
For now, I would like to stick with build 15962, which appears to be a good one for VPN.
I will go with the tutorial you gave only if I can't find a solution for my current issue; I guess it's only a matter of a missing parameter somewhere...?
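The logs posted in this thread, from the first "private key password verification failed" on the server through the client's "No server certificate verification method has been enabled" and "TLS key negotiation failed to occur within 60 seconds", are each a known OpenVPN failure signature with a specific next thing to check. The script below is an added example, not part of the thread or of DD-WRT: it runs a small table of signatures over a log and returns the matching lines with the check a practitioner would do next. The signature-to-hint mapping and the 2048-bit DH threshold are my choices; the sample log is constructed from the message texts quoted above, not a capture, and the hints are general OpenVPN guidance rather than a diagnosis of either poster's setup.

```python
import re
from typing import Dict, List, Tuple

Finding = Tuple[int, str, str]  # (line number, signature name, what to check next)

# (name, regex, hint). Hints are the editor's own guidance, not DD-WRT documentation.
SIGNATURES = [
    ("encrypted_key",
     re.compile(r"private key password verification failed|Cannot load private key file"),
     "Key file is passphrase-protected (it contains 'Proc-Type: 4,ENCRYPTED' or "
     "'BEGIN ENCRYPTED PRIVATE KEY'); a headless router cannot prompt for it. "
     "Regenerate the key without a passphrase, or strip it: openssl rsa -in key.pem -out key.pem"),
    ("tls_timeout",
     re.compile(r"TLS key negotiation failed to occur within \d+ seconds"),
     "No control-channel reply at all: confirm 'proto' matches on both ends (udp vs tcp), "
     "that 1194 is forwarded/allowed on the server side, and that the daemon is running "
     "(ps | grep openvpn)"),
    ("no_server_cert_check",
     re.compile(r"No server certificate verification method has been enabled"),
     "Client config lacks 'ns-cert-type server' (or 'remote-cert-tls server'): any holder "
     "of a client certificate from the same CA could impersonate the server"),
    ("weak_dh",
     re.compile(r"Diffie-Hellman initialized with (\d+) bit key"),
     "DH parameters shorter than 2048 bits are considered weak; regenerate with: "
     "openssl dhparam -out dh.pem 2048"),
    ("conn_reset",
     re.compile(r"Connection reset, restarting|SIGUSR1\[soft,connection-reset\]"),
     "The peer dropped the link after the TLS verify lines; the reason is logged on the "
     "OTHER side (rejected certificate, cipher or comp-lzo mismatch), so read that log"),
]

MIN_DH_BITS = 2048  # editor's threshold, not an OpenVPN default


def triage(lines: List[str]) -> List[Finding]:
    """Return every (line_no, signature, hint) that fires on the given log lines."""
    findings: List[Finding] = []
    for n, line in enumerate(lines, 1):
        for name, rx, hint in SIGNATURES:
            m = rx.search(line)
            if not m:
                continue
            if name == "weak_dh" and int(m.group(1)) >= MIN_DH_BITS:
                continue  # DH size is fine; do not flag it
            findings.append((n, name, hint))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Collapse repeated matches (a client in a restart loop repeats them every few seconds)."""
    counts: Dict[str, int] = {}
    for _, name, _ in findings:
        counts[name] = counts.get(name, 0) + 1
    return counts


# Constructed sample, modelled on the messages quoted in this thread (not a real capture).
SAMPLE_LOG = [
    "May 28 09:43:40 grenoble daemon.notice openvpn[553]: Diffie-Hellman initialized with 1024 bit key",
    "May 28 09:43:40 grenoble daemon.warn openvpn[553]: Cannot load private key file server.key: error:0D0680A8:lib(13):func(104):reason(168)",
    "May 28 09:43:40 grenoble daemon.err openvpn[553]: Error: private key password verification failed",
    "Tue May 29 23:00:51 2012 us=676323 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.",
    "Tue May 29 23:00:55 2012 us=602367 Connection reset, restarting [0]",
    "20120530 00:09:52 N TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)",
    "20120530 00:09:54 VERIFY OK: nsCertType=SERVER",
]


if __name__ == "__main__":
    for line_no, name, hint in triage(SAMPLE_LOG):
        print("line %d [%s]: %s" % (line_no, name, hint))
    print(summarize(triage(SAMPLE_LOG)))
```

Feed it the output of tail /var/log/openvpn or /var/log/openvpncl and read the summary first: the signature with the highest count is usually the loop you are stuck in. Two things the table deliberately does not flag because they appear only in the configs, not the logs: the client's explicit "cipher BF-CBC" selects a 64-bit block cipher, which is worth replacing with an AES cipher on both ends once the tunnel is up, and "VERIFY OK: nsCertType=SERVER" in the Web GUI log is the line you want to see, since it means the ns-cert-type check is active on that client.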
I will go with the tutorial you gave only if I can't find a solution for my current issue; I guess it's only a matter of a missing parameter somewhere...?
I won't be able to help you with your solution, as it's a different way to set it up. Hopefully someone will be able to help you.