r7000 Kong Can't get VPN Server to work

DD-WRT Forum Index -> Advanced Networking
fatalhalt
DD-WRT Novice
Joined: 29 Oct 2015
Posts: 39

Posted: Thu Apr 27, 2017 4:54    Post subject: r7000 Kong Can't get VPN Server to work
Hello,

I cannot get an OpenVPN client to connect to the OpenVPN server on an r7000 with Kong v3.0-r31870M (04/16/17) firmware.

I'm new to the r7000 so I don't have a baseline. I don't know if it is the firmware or, most likely, an issue on my end. I read the r31870M thread and it appears that some people have their VPN server functioning normally.

I'm trying to set up a TAP (layer 2) VPN server so I could VPN into my place. The problem I have is that I get:
TLS Error: TLS handshake failed.

Here are my settings:

Code:
root@DD-WRT:~# cat /tmp/openvpn/openvpn.conf
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
keepalive 10 120
verb 3
mute 3
syslog
writepid /var/run/openvpnd.pid
management 127.0.0.1 14
management-log-cache 100
topology subnet
script-security 2
port 1194
proto udp
cipher aes-128-cbc
auth sha256
client-connect /tmp/openvpn/clcon.sh
client-disconnect /tmp/openvpn/cldiscon.sh
client-config-dir /jffs/etc/openvpn/ccd
comp-lzo adaptive
tls-server
ifconfig-pool-persist /tmp/openvpn/ip-pool 86400
client-to-client
fast-io
tun-mtu 1500
mtu-disc yes
server-bridge 192.168.1.1 255.255.255.0 192.168.1.50 192.168.1.59
dev tap2
push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS 192.168.1.1"
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
proto tcp4-server


Code:
root@DD-WRT:~# cat /var/log/messages
Apr 26 23:24:29 DD-WRT user.info : vpn modules : vpn modules successfully unloaded
Apr 26 23:24:29 DD-WRT user.info : vpn modules : nf_conntrack_proto_gre successfully loaded
Apr 26 23:24:29 DD-WRT user.info : vpn modules : nf_nat_proto_gre successfully loaded
Apr 26 23:24:29 DD-WRT user.info : vpn modules : nf_conntrack_pptp successfully loaded
Apr 26 23:24:29 DD-WRT user.info : vpn modules : nf_nat_pptp successfully loaded
Apr 26 23:24:29 DD-WRT user.info : openvpnserver : OpenVPN daemon (Server) successfully stopped
Apr 26 23:24:29 DD-WRT daemon.notice openvpn[1033]: /tmp/openvpn/route-down.sh tap2 1500 1656   init
Apr 26 23:24:29 DD-WRT user.info : syslogd : syslog daemon successfully stopped
Apr 26 23:24:29 DD-WRT syslog.info syslogd exiting
Apr 26 23:24:29 DD-WRT syslog.info syslogd started: BusyBox v1.26.2
Apr 26 23:24:29 DD-WRT daemon.notice openvpn[1033]: SIGTERM[hard,] received, process exiting
Apr 26 23:24:30 DD-WRT user.info : openvpn : OpenVPN daemon (Server) starting/restarting...
Apr 26 23:24:30 DD-WRT daemon.notice openvpn[3683]: OpenVPN 2.4.1 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Apr 16 2017
Apr 26 23:24:30 DD-WRT daemon.notice openvpn[3683]: library versions: OpenSSL 1.0.2k  26 Jan 2017, LZO 2.09
Apr 26 23:24:30 DD-WRT daemon.notice openvpn[3686]: MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:14
Apr 26 23:24:30 DD-WRT daemon.warn openvpn[3686]: NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to
Apr 26 23:24:30 DD-WRT daemon.warn openvpn[3686]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Apr 26 23:24:30 DD-WRT daemon.notice openvpn[3686]: NOTE: --fast-io is disabled since we are not using UDP
Apr 26 23:24:30 DD-WRT daemon.warn openvpn[3686]: Note: cannot open ipp.txt for READ/WRITE
Apr 26 23:24:30 DD-WRT daemon.notice openvpn[3686]: Diffie-Hellman initialized with 2048 bit key
Apr 26 23:24:30 DD-WRT daemon.notice openvpn[3686]: TUN/TAP device tap2 opened
Apr 26 23:24:30 DD-WRT daemon.notice openvpn[3686]: TUN/TAP TX queue length set to 100
Apr 26 23:24:30 DD-WRT daemon.notice openvpn[3686]: Socket Buffers: R=[87380->87380] S=[16384->16384]
Apr 26 23:24:30 DD-WRT daemon.notice openvpn[3686]: Listening for incoming TCP connection on [AF_INET][undef]:1194
Apr 26 23:24:30 DD-WRT daemon.notice openvpn[3686]: TCPv4_SERVER link local (bound): [AF_INET][undef]:1194
Apr 26 23:24:30 DD-WRT daemon.notice openvpn[3686]: TCPv4_SERVER link remote: [AF_UNSPEC]
Apr 26 23:24:30 DD-WRT daemon.notice openvpn[3686]: MULTI: multi_init called, r=256 v=256
Apr 26 23:24:30 DD-WRT daemon.notice openvpn[3686]: IFCONFIG POOL: base=192.168.1.50 size=10, ipv6=0
Apr 26 23:24:30 DD-WRT daemon.notice openvpn[3686]: IFCONFIG POOL LIST
Apr 26 23:24:30 DD-WRT daemon.notice openvpn[3686]: MULTI: TCP INIT maxclients=1024 max


Code:
root@DD-WRT:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         67.163.60.1     0.0.0.0         UG    0      0        0 vlan2
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 vlan7
67.163.60.0     0.0.0.0         255.255.252.0   U     0      0        0 vlan2
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 br0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
192.168.3.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1


OpenVPN client settings, trying with latest OpenVPN on Win7.
Code:

    client
    dev tap
    proto udp
    remote foo.bar 1194
    nobind
    persist-key
    persist-tun
    verb 4
    float
    ca 'C:\Program Files\OpenVPN\config\ca.crt'
    cert 'C:\Program Files\OpenVPN\config\kyle.crt'
    key 'C:\Program Files\OpenVPN\config\kyle.key'
    comp-lzo yes
    tun-mtu 1500
    auth SHA256
    cipher AES-128-CBC


Things I tried:
- made sure NTP is enabled and the time is synced, which it wasn't... but enabling it didn't fix the issue for me
- generated all keys/certs with the same Common Name (I googled and found a person who solved his TLS handshake issue once he used the same CN for his certs). Prior to that I had a 'server' CN for server.{key,crt}, 'user' for the client, etc. But either way it did not help.
- I have verified that I can telnet to my public IP on port 1194, so the issue does not appear to be firewall related.

I have been looking into this for the past 20 hours and I'm exhausted. Please help.
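One thing worth checking in the posted files: the server config sets `proto udp` and, further down, `proto tcp4-server`, and OpenVPN keeps the last occurrence of a directive, so the server ends up listening on TCP (the log above confirms "Listening for incoming TCP connection") while the client dials UDP. The same silent override hits the second `ifconfig-pool-persist ipp.txt` line, which is why the log shows "cannot open ipp.txt". The Python script below is an added example, not part of this thread and not DD-WRT or OpenVPN code: it parses a server and a client config, reports directives that are overridden by a later duplicate, and compares the effective values that have to agree between peers. The abridged configs embedded in it are copied from the post; the directive list, defaults and normalisation rules are the script's own assumptions.

```python
"""
Cross-check an OpenVPN server config against a client config for the
mismatches that surface only as "TLS Error: TLS handshake failed".

OpenVPN applies directives in file order, so a directive given twice is
silently replaced by its last occurrence.  The checker reports such
overrides and then compares the effective values on both sides.
"""

# Directives that must agree between the peers before TLS can complete
# (assumed list for this example).
PAIRED_DIRECTIVES = ("proto", "dev", "cipher", "auth", "comp-lzo",
                     "tls-auth", "tls-crypt")

# OpenVPN 2.4 defaults that apply when a directive is absent.
DEFAULTS = {"proto": "udp", "cipher": "BF-CBC", "auth": "SHA1"}


def parse_config(text):
    """Return (effective, overrides).

    effective maps directive -> last value given ("push" collects a list);
    overrides lists (directive, earlier_value, final_value) for duplicates.
    """
    effective, overrides = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # OpenVPN comment syntax
            continue
        parts = line.split(None, 1)
        name = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if name == "push":                     # push lines legitimately repeat
            effective.setdefault("push", []).append(value)
            continue
        if name in effective and effective[name] != value:
            overrides.append((name, effective[name], value))
        effective[name] = value
    return effective, overrides


def normalise(name, value):
    """Map a directive value to the form that has to match on both peers."""
    v = value.lower()
    if name == "proto":       # udp/udp6 vs tcp/tcp4-server/tcp-client ...
        return "udp" if v.startswith("udp") else "tcp"
    if name == "dev":         # tap2 on the server pairs with tap on the client
        return "tap" if v.startswith("tap") else "tun"
    if name == "comp-lzo":    # any comp-lzo mode enables the LZO framing
        return "lzo-framing"
    return v


def compare(server_text, client_text):
    """Return a list of human-readable findings (empty list == no mismatch)."""
    server, server_overrides = parse_config(server_text)
    client, client_overrides = parse_config(client_text)
    findings = []
    for side, overrides in (("server", server_overrides), ("client", client_overrides)):
        for name, old, new in overrides:
            findings.append(f"{side}: '{name}' given twice; '{old}' is overridden by '{new}'")
    for name in PAIRED_DIRECTIVES:
        s = server.get(name, DEFAULTS.get(name))
        c = client.get(name, DEFAULTS.get(name))
        if s is None and c is None:
            continue
        if s is None or c is None:
            findings.append(f"{name}: set on {'server' if s is not None else 'client'} only")
        elif normalise(name, s) != normalise(name, c):
            findings.append(f"{name}: server '{s}' vs client '{c}'")
    return findings


# Abridged from the configs posted in the thread (certificate paths omitted).
SERVER_CONF = """\
keepalive 10 120
topology subnet
port 1194
proto udp
cipher aes-128-cbc
auth sha256
comp-lzo adaptive
tls-server
ifconfig-pool-persist /tmp/openvpn/ip-pool 86400
server-bridge 192.168.1.1 255.255.255.0 192.168.1.50 192.168.1.59
dev tap2
push "route 192.168.1.0 255.255.255.0"
ifconfig-pool-persist ipp.txt
proto tcp4-server
"""

CLIENT_CONF = """\
client
dev tap
proto udp
remote foo.bar 1194
nobind
comp-lzo yes
auth SHA256
cipher AES-128-CBC
"""

if __name__ == "__main__":
    for finding in compare(SERVER_CONF, CLIENT_CONF):
        print(finding)
```

Run against the posted files it reports the two server-side overrides and one effective mismatch, `proto: server 'tcp4-server' vs client 'udp'`; removing the stray `proto tcp4-server` line (or switching the client to TCP, as was done later in the thread) clears the mismatch while the `ipp.txt` override still stands.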
LiskoFINAL
DD-WRT Novice
Joined: 03 Jul 2016
Posts: 16

Posted: Tue May 02, 2017 8:15
Hi, I have an r7000 and your build too. Also my VPN server setup is very similar to yours (except that I block DHCP across the tunnel and I use TCP), but for me it works great on all my devices, so maybe the problem is on the client side. I see a TLS handshake related error, but you shouldn't have any since TLS auth is disabled on the server. Try looking carefully at the client options...
fatalhalt
DD-WRT Novice
Joined: 29 Oct 2015
Posts: 39

Posted: Wed May 03, 2017 7:00
LiskoFINAL wrote:
    Hi, I have an r7000 and your build too. Also my VPN server setup is very similar to yours (except that I block DHCP across the tunnel and I use TCP), but for me it works great on all my devices, so maybe the problem is on the client side. I see a TLS handshake related error, but you shouldn't have any since TLS auth is disabled on the server. Try looking carefully at the client options...

Hello, I tried switching from UDP to TCP (both server & client) and it worked, however I would really like to use UDP due to better performance.
hubermania
DD-WRT User
Joined: 24 Aug 2012
Posts: 223

Posted: Wed May 03, 2017 18:19
LiskoFINAL wrote:
    I see a TLS handshake related error, but you shouldn't have any since TLS auth is disabled on the server.

There are two TLS (SSL) "things" used by OpenVPN. The first is an encrypted TLS connection between the client and server. The second is an optional TLS Authentication Key used to keytag each TLS packet, allowing the server to quickly drop unkeyed (DDoS) packets.

_________________
[Broadcom] Asus rt-ac66u r35531 ('66 should only be factory reset through the DD UI)
Fix RT-AC66U "wl1 [2.4 GHz TurboQAM]". DD-WRT failsafe UI @ http|https://169.254.255.1/
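To make the distinction in the reply above concrete: the TLS session protects the control channel itself, while --tls-auth adds an HMAC over every control packet using a pre-shared static key, so the receiver can discard any packet that carries no valid tag before handing it to the TLS stack, at the cost of one HMAC computation. The Python model below is an added illustration, not OpenVPN's code or wire format: the key split, the packet contents and the ControlChannel counter are constructed for the example (OpenVPN derives its per-direction HMAC keys from a 2048-bit static key file, but the exact slicing here is a simplification).

```python
"""
Simplified model of what --tls-auth adds to the OpenVPN control channel:
each control packet carries an HMAC computed with a pre-shared static key,
and the receiver verifies that tag before any TLS processing.  A packet with
a missing or wrong tag is dropped after one HMAC, so a sender without the
key never reaches the TLS state machine.  Illustration only, not OpenVPN's
wire format.
"""
import hashlib
import hmac
import secrets

TAG_LEN = hashlib.sha256().digest_size        # 32 bytes with --auth SHA256


def direction_keys(static_key):
    """Split a 256-byte static key into two HMAC keys, one per direction.
    The slicing is an assumption of this model, not OpenVPN's key layout."""
    if len(static_key) != 256:
        raise ValueError("static key must be 2048 bits")
    return static_key[:64], static_key[64:128]   # client->server, server->client


def tag_packet(key, control_packet):
    """Append HMAC-SHA256(key, packet) to an outgoing control packet."""
    return control_packet + hmac.new(key, control_packet, hashlib.sha256).digest()


def accept_packet(key, wire):
    """Return the control packet if its tag verifies, else None.
    Constant-time comparison so the check itself leaks nothing about the tag."""
    if len(wire) < TAG_LEN:
        return None
    body, tag = wire[:-TAG_LEN], wire[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return body


class ControlChannel:
    """Receiver side: counts how many packets reach the (expensive) TLS layer."""

    def __init__(self, recv_key):
        self.recv_key = recv_key
        self.tls_packets = 0
        self.dropped = 0

    def receive(self, wire):
        body = accept_packet(self.recv_key, wire)
        if body is None:
            self.dropped += 1        # discarded before any TLS work
            return False
        self.tls_packets += 1        # would now be handed to the TLS stack
        return True


def demo():
    """Constructed scenario: one keyed client and three unkeyed/misconfigured senders."""
    static_key = secrets.token_bytes(256)      # constructed; stands in for ta.key
    c2s, s2c = direction_keys(static_key)
    server = ControlChannel(recv_key=c2s)
    hello = b"P_CONTROL_HARD_RESET_CLIENT_V2 client-hello"   # placeholder payload
    return {
        "legit": server.receive(tag_packet(c2s, hello)),              # has the key
        "untagged": server.receive(hello),                            # no tls-auth at all
        "wrong_key": server.receive(tag_packet(secrets.token_bytes(64), hello)),
        "wrong_dir": server.receive(tag_packet(s2c, hello)),          # key-direction swapped
        "tls_packets": server.tls_packets,
        "dropped": server.dropped,
    }


if __name__ == "__main__":
    print(demo())
```

The "wrong_dir" case is the one that bites in practice: with tls-auth both peers hold the same key file, but the client must use the opposite key-direction to the server, or every control packet is rejected with the same symptom as a missing key.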