Posted: Mon Aug 31, 2015 0:23 Post subject: OpenVPN client looks like it connects but then internet dies
I'm connecting to a friend's VPN server, and he gave me a config.ovpn file and ca.crt and {myname}.crt and {myname}.key files. When I connect through an OpenVPN client on my PC or Android phone and import the .ovpn file, it works fine. There doesn't seem to be a way to import the .ovpn file into DD-WRT, so I copied the entire contents of the two .crt and one .key files into the text fields in the VPN tab under services. When I applied it and checked the OpenVPN tab under status, it looked like it connected. I get the following message:
Server: : Local Address: Remote Address: Client: GET_CONFIG: SUCCESS Local Address: 10.8.0.5 Remote Address: 10.8.0.5
However, my internet then stops working, so the VPN is basically useless. I'm guessing something is wrong. The log in the OpenVPN status tab is here: http://pastebin.com/Cqmd2VuX. I didn't see anything glaring in there, but then again I don't really know what to look for. I see a bunch of connect/disconnect messages, but the last one was connect, so I'm guessing that means it was still connected and should work.
Also, one thing to note is that NTP doesn't seem to be working properly, and the router's time is 4 hours ahead of the actual time in my time zone. Not sure if that makes a difference or not.
My router is a Linksys E2000, and I'm using this firmware version (which seems to be stable according to the wiki): DD-WRT v24-sp2 (06/23/14) mega - build 24461
Thanks for the reply. I actually tried pasting just the text from "-----BEGIN CERTIFICATE-----", but for some reason that didn't work. It only gave the "success" message after I pasted the entire contents of the file. It has some info about encryption type (RSA) and public key etc. before that, and I didn't see any other way of inputting that info, so I'm guessing that's why it needed that extra text?
As for the NAT, it's disabled by default in the advanced settings. Why would I need to enable NAT? I don't want it to go to a specific device. I want it to work with any device connected to the router.
I see. My only experience with NAT has been port forwarding to a specific machine in the network for a specific application. I assigned the machine a static internal IP and routed traffic on a specific incoming port to that machine. I guess it's clear that I'm not a network expert.
I'm a bit confused on how to do it for VPN access though. I suppose I could assign static IPs to the machines that would be making use of the VPN, but I wouldn't want internet access to be cut off for everything else on the network. When I had it working through the OpenVPN software on my PC, I didn't have to do any NATing. The one machine's traffic went through the VPN and everything else stayed as normal.
I didn't see much about NAT on the guide for OpenVPN on the wiki, just that it was disabled by default, which makes me wonder why it's disabled if it's needed to get the client to work. In any case, I enabled advanced features in the dd-wrt OpenVPN config and turned on NAT, but that by itself didn't fix things. In fact, that actually disabled OpenVPN client access. Do I then need to go to the NAT port and set up port forwarding for every machine on the network? If so, which port would I need to do it on?
OK, you've convinced me. I'm totally on board with NATing and understand why I need it. I just don't know how to do it in the OpenVPN context since it wasn't covered in the wiki.
When I enabled NAT in the advanced settings, it resulted in a failed connection. Looking at the log from when it successfully connected before, I took a shot and filled in the ip address and subnet mask fields with the values I saw in the log, and also selected a TLS Cipher setting (left other advanced settings fields as-is), and it then "successfully" connected again. I put that in quotes because even though on the status page it gives me a "success" message, it's still not working. Internet traffic still doesn't get through.
I did that. It still says that it successfully connected in the OpenVPN log, but it still doesn't work (no internet access).
The log is a bit longer now, and I noticed a message in there about HMAC authentication failing that wasn't there before I entered those firewall commands. It's here in case you want to take a look (I replaced the previous log).
sleep 45;  # give the OpenVPN client time to bring the tunnel up before we look for it
tun_name=$(ifconfig | sed -n 's/.*\(tun[^ ]*\).*/\1/p');  # name of the tunnel interface, e.g. tun1
tun_addr=$(ifconfig $tun_name | sed -nr 's/.*P-t-P:([^ ]+) .*/\1/p');  # peer address of the tunnel (the VPN-side gateway)
ip rule add from 192.168.1.0/24 table 200;  # LAN subnet whose traffic should use the VPN routing table
ip route add default via $tun_addr dev $tun_name table 200;  # default route for that table goes through the tunnel
ip route flush cache;
If you use a different subnet, change the 5th line. Save startup. If you have other startup commands, put this last. Reboot, wait a minute or two, then try.
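As an added example (not the script posted above, and not DD-WRT's own code), here is a more defensive version of the same policy-based routing setup. It polls for the tun interface instead of sleeping a fixed 45 s, reads the P-t-P peer address the same way, installs the rule and route so that re-running on a reconnect does not stack duplicates, and adds the MASQUERADE rule that LAN clients normally need so their traffic is NATed behind the tunnel address. The LAN subnet 192.168.1.0/24, routing table 200, the interface name tun1 in the sample output, and the iptables rule are all assumptions; the thread does not show the firewall commands that were suggested. It is written for the busybox ash shell DD-WRT ships.

```sh
#!/bin/sh
# Policy-based routing for a DD-WRT OpenVPN client: send the LAN subnet
# through the tun interface instead of the WAN default route.
# Added example, not the thread's script. Assumed values (hypothetical):
# LAN 192.168.1.0/24, routing table 200, OpenVPN bringing up tun1.

LAN_SUBNET="${LAN_SUBNET:-192.168.1.0/24}"
TABLE="${TABLE:-200}"
WAIT_SECS="${WAIT_SECS:-120}"
DRY_RUN="${DRY_RUN:-0}"

# Run a command, or just print it when DRY_RUN=1 so the logic can be
# checked on a machine with no root and no tunnel.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# First tunN interface name in ifconfig-style output read from stdin.
# Anchored at line start so a stray "tun" elsewhere in the output is ignored.
parse_tun_name() {
    sed -n 's/^\(tun[0-9]*\)[[:space:]].*/\1/p' | head -n 1
}

# Point-to-point peer address of the tunnel; this is the VPN-side gateway.
parse_ptp_addr() {
    sed -n 's/.*P-t-P:\([0-9.]*\).*/\1/p' | head -n 1
}

# Wait until a tun interface exists, polling once a second up to WAIT_SECS.
wait_for_tun() {
    i=0
    while [ "$i" -lt "$WAIT_SECS" ]; do
        name=$(ifconfig 2>/dev/null | parse_tun_name)
        if [ -n "$name" ]; then
            printf '%s\n' "$name"
            return 0
        fi
        i=$((i + 1))
        sleep 1
    done
    return 1
}

# Install the policy rule, the table default route and the NAT rule.
# Delete-then-add keeps the rule set free of duplicates on reconnects.
apply_policy_route() {
    tun="$1"; gw="$2"
    run ip rule del from "$LAN_SUBNET" table "$TABLE" 2>/dev/null
    run ip rule add from "$LAN_SUBNET" table "$TABLE"
    run ip route replace default via "$gw" dev "$tun" table "$TABLE"
    # Masquerade LAN sources behind the tunnel address (assumed rule; the
    # thread does not show the firewall commands that were suggested).
    run iptables -t nat -D POSTROUTING -o "$tun" -j MASQUERADE 2>/dev/null
    run iptables -t nat -A POSTROUTING -o "$tun" -j MASQUERADE
    run ip route flush cache
}

main() {
    tun=$(wait_for_tun) || { echo "no tun interface within ${WAIT_SECS}s" >&2; exit 1; }
    gw=$(ifconfig "$tun" | parse_ptp_addr)
    [ -n "$gw" ] || { echo "could not read P-t-P address of $tun" >&2; exit 1; }
    apply_policy_route "$tun" "$gw"
}

# Only touch the routing table when invoked with --apply, e.g. from the
# DD-WRT Startup box as: sh /tmp/vpn-route.sh --apply
if [ "${1:-}" = "--apply" ]; then
    main
fi
```

After it runs, `ip rule show` should list `from 192.168.1.0/24 lookup 200` and `ip route show table 200` should show the default via the tunnel peer; with `DRY_RUN=1` the script only prints the commands it would run. Because the rule keys on the source subnet, a second bridge or VLAN with a different subnet stays on the WAN, which is what the SSID-per-route setup mentioned later in the thread relies on.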
Your VPN doesn't automatically run at startup? The startup command only works if the VPN is already up. That is why it waits 45s, to give the VPN a chance to connect.
If you want the option to switch, add a new bridge. On it, you can put a vlan and/or a VAP. I did this last month for a friend. He has one SSID for his regular connection, and another for his VPN. All he has to do is switch WiFi networks.
Well when it was enabled it would try to connect at startup, so those startup commands would have a chance to work after rebooting. But it would never really "work" even though it said it was connecting successfully. The connection to the internet would just go down whenever I enabled the OpenVPN client.
This was with the firewall and startup commands you suggested both enabled.
I'm quite confused by what you're saying here. You mention that "it" (I'm assuming you mean the openVPN client on the router) is enabled at startup, but then you mention enabling the openVPN client. The only openVPN client is the router, but according to what you said, you're enabling something that is already enabled.
If the openVPN client is connecting, but no devices are being routed through it, it's because the network is still using the WAN as its interface. The startup command I shared will take care of this, but only if the VPN client is already connected. It has to be present for the command to add it in the appropriate routing table.
OK I can see how that could have been confusing. What I meant was, when the OpenVPN service was enabled and the startup commands were present.
I put in the startup (and firewall) commands you suggested, saved, enabled the OpenVPN service, rebooted and waited but still nothing. I hope that's clearer.