Posted: Sun Oct 08, 2017 22:01 Post subject: DDWRT Open VPN No Internet - Willing to pay tutor
So I have certs and everything handshaking correctly, but I cannot for the life of me get internet to pass through to the VPN or access to my DDWRT GUI.
client
dev tun
proto udp
remote [MYEXTERNALIP] 1194
nobind
persist-key
persist-tun
verb 4
float
tun-mtu 1500
auth SHA1
cipher AES-128-CBC
I was trying to follow multiple forum posts but nothing is working. Some even suggested that I should not need to edit iptables, that the new openvpn in ddwrt does it automatically.
I am honestly unsure what to do at the moment.
If someone can help me understand what is going on and where my mistake is in addition to helping fix it, I would definitely be willing to pay something.
I generally catch on pretty quickly, there is just so much conflicting information based on build changes that I have spent over 100 hours off and on trying to get this to work.
Last edited by ngkrich on Mon Oct 09, 2017 0:28; edited 2 times in total
Joined: 05 Apr 2017 Posts: 981 Location: Louisiana, USA
Posted: Sun Oct 08, 2017 22:41 Post subject:
I don’t have too much experience with OpenVPN Server so I probably wouldn’t be much help, however, there are plenty of Forum Members who I’m sure can & will help you.
I would encourage you not to offer money though. This Forum is a great place to get help and to pass on knowledge, but the second money gets involved - I’m afraid it would all go to $hit.
FIRMWARE:OpenWrt SNAPSHOT r8217-2cc821e / LuCI Master (git-18.276.41146-280dd33) MODEM:ARRIS SURFBoard SB8200 ROUTER:Linksys WRT32X USB NAS:Western Digital BLACK 1 TB Hardrive + Startech USB 3.0 External SATA III Enclosure
Joined: 05 Apr 2017 Posts: 981 Location: Louisiana, USA
Posted: Sun Oct 08, 2017 23:00 Post subject:
ngkrich wrote:
Previously I haven't been able to get anyone to reply, trying to give the incentive somehow.
That’s what I figured! Sorry you haven’t been able to get help yet.
Setting up OpenVPN Server is one of those things that has been on my 'to do' list for awhile. The best I can offer is all the relevant info I’ve saved for when I finally get to it.
I don't have a Marvell device but I'll assume the ovpn server should work .... I know lots that run the ovpn client on them.
Be helpful to know what build you are running.
Also be much to your advantage if using, at least as recent, dd-wrt build of last few months.
If using build newer than r33006 openSSL was updated and no longer supports key certs made using md5.
All certs must be made using RSA security.
Does this router have a public WAN connection?
If NO --- is the 1194 port opened to this device from whatever device holds public WAN?
If this device is setup as a WAP with WAN disabled --- need to know that. Still work but some things are different.
From your pic I see you do not have Recursive DNS Resolving enabled ... that's good. Is just a little bit different if using that.
So I'm going to make suggestions by what your pics show.
It is possible 1194 is blocked by your ISP.
You can try using something else if you want ... I'm partial to using UDP ports up higher than 40,000.
But then again they could be blocked -
You can set the ovpn server to use TCP 443, which should get you around anything being blocked.
Should have in correct place:
Public Server Cert only information between and including BEGIN CERTIFICATE & END CERTIFICATE example:
-----BEGIN CERTIFICATE-----
0pSNvZAvcf/dMLxUEeQI6kFQtalh16Evc0hYW0u2/GK9feposT/iCOhTsPDZLlx8
DPXgVn0h2LECAwEAAaOCAWgwggFkMAkGA1UdEwQCMAAwEQYJYIZIAYb4QgEBBAQD
this is my cert and obviously left a bunch out
BIHEMIHBgBSKf3EYatvOtmTpCkXQP8nFyIp9yaGBnaSBmjCBlzELMAkGA1UEBhMC
gAI65eM9ZiM6AxCfcEbaq47zZGC1ypxsINwBF48wL8UlqQDJ8xiLMeZshs44
-----END CERTIFICATE-----
Same for:
CA Cert
Private Server Key
DH PEM
Recommend using: (these will be common on whatever client you want to use)
Encryption Cipher = AES-256-CBC
don't use AES-512-CBC --- it don't work w/dd-wrt since new openSSL ... yea it shouldn't even show
Hash Algorithm = SHA256
Redirect default Gateway = Enabled
Tunnel UDP MSS-Fix = Enabled
In below suggestions I'm using info from pics in your first post
ovpn server page in Additional Config:
push "route 10.217.64.0 255.255.255.0"
push "dhcp-option DNS 10.217.64.186"
----
Is the ovpn server running? ..meaning does it even start?
In ...Status/OpenVPN top of page should say:
State
Server: CONNECTED SUCCESS
Local Address: 10.217.16.1
Remote Address: 10.217.16.1
If not running the log below that should give reason why.
using a recent build should not need all that mess in the firewall.
Only need:
iptables -t nat -A POSTROUTING -s 10.217.16.0/24 -j MASQUERADE
Services page in Additional DNSMasq Options need to put:
interface=tun2
This is so DNSMasq will recognize the new interface and it can be routed...(added to the routing table)
If server is running and all looks correct --
Another concern is what type client you are using to connect with?
Are you outside of your network trying to connect?
Are you using the router's WAN IP or is DDNS configured and working?
Are you using another router as an ovpn client?
Actually routers in general are very odd birds to use as ovpn clients ... nothing like a single client device
I am using Firmware: DD-WRT v3.0-r33413 std (09/27/17)
I think I figured it out, LZO compression was disabled, which caused a strange log when the user connected to the server. Even with LZO not being mentioned in the client. So I set it to no instead and now things seem to be working!
Any tips for NAS? No matter what I do I cannot get read/write access. It refuses to let me have permission no matter how many times I edit the NAS settings or reset firmware fresh.
Edit: Apologies mrjcd I realized I PM'd you my NAS issue after replying here. It for some reason didn't click in my head.
Copy of the message here in case anyone else has the same issue.
Have you run into this NAS issue? I am on Firmware: DD-WRT v3.0-r33413 std (09/27/17).
Samba
USB
Permission
It is driving me absolutely mad. I have tried factory resetting multiple times, starting from scratch.
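The compression mismatch described in this post is one of several directives that both OpenVPN peers must agree on. The sketch below is an added example, not code from the thread or from DD-WRT: it compares the client settings from the first post against a constructed server config built from the values recommended earlier in the thread. The function names, `SERVER_CONF` and the 2.4-era defaults are assumptions.

```python
import re
# Directives both OpenVPN peers must agree on; defaults are the 2.4-era ones (assumption).
MUST_MATCH = ("dev", "proto", "cipher", "auth", "tun-mtu", "comp-lzo")
DEFAULTS = {"proto": "udp", "cipher": "BF-CBC", "auth": "SHA1", "tun-mtu": "1500"}

# Client settings from the first post (directives irrelevant to the check omitted).
CLIENT_CONF = """dev tun
proto udp
tun-mtu 1500
auth SHA1
cipher AES-128-CBC
"""
# Constructed server side: the values recommended in the thread, written as directives.
SERVER_CONF = """dev tun2
proto udp
cipher AES-256-CBC
auth SHA256
comp-lzo adaptive   # compression left on adaptive
tun-mtu 1500
"""

def parse(text):
    # Return {directive: argument string}; comments and blank lines are dropped.
    opts = {}
    for line in text.splitlines():
        line = re.split(r"[#;]", line, maxsplit=1)[0].strip()
        if line:
            key, _, rest = line.partition(" ")
            opts[key] = rest.strip()
    return opts

def normalise(key, value):
    if value is None:
        return "absent"
    if key == "dev":
        return value.rstrip("0123456789")   # tun2 -> tun: only the device type must match
    if key == "proto":
        return value[:3].lower()            # tcp-server / tcp-client -> tcp
    if key == "comp-lzo":
        return "present"                    # framing is on whenever the directive exists
    return value.upper()

def mismatches(client_text, server_text):
    c, s = parse(client_text), parse(server_text)
    pairs = ((k, normalise(k, c.get(k, DEFAULTS.get(k))),
                 normalise(k, s.get(k, DEFAULTS.get(k)))) for k in MUST_MATCH)
    return [(k, cv, sv) for k, cv, sv in pairs if cv != sv]

if __name__ == "__main__":
    print(mismatches(CLIENT_CONF, SERVER_CONF))
```

Each tuple is (directive, client value, server value); an empty list means the two sides agree on every checked directive.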
compression should usually always be left on adaptive
An attached drive on router shouldn't be a problem. If you can access it locally should be able to across the TUN.
I've never had any issue connecting to USB drive across tunnel...same as I would locally.
This does not mean seeing windows shares....that doesn't work same.
But yea you can access windows shared directory or drives by IP or name if using local DNS and a good client.
If you want to connect thru the routed tunnel to .... example - a windows device you will have to put the ovpn server's network in the windows firewall to allow its access.
10.217.16.0/24 would have to be allowed access
Ok just now seen your pics.
No I never had a problem with that build on the EA8500.
ovpn server and SAMBA share all very good.... only difference I see I'm using FAT32 and you look like NTFS.....but that shouldn't be an issue.
All my ovpn clients are Android phones or tablet using various client apps.
Looks like you're on a winders client .... probably something in the FW. You'll have to dig for the answers probably.
My workgroup is all same on my windows devices and all routers share devices .... and NO it ain't the default winders workgroup
Edit: before you get frustrated reboot the client computer
I'm not a big winders user and don't know how to tell you more....but yea you can access the NAS across a TUN.
Needs to be regular SMB connection. I do it all time with the android Total Commander app w/LAN plugin.
To clarify, I cannot get NAS and SMB to work locally. It won't mount the drive R/W. The default linksys firmware works with it just fine if I reboot to the original firmware.
I realize I should be able to see it through OVPN, sorry for the confusion I should have clarified this better.
The partitions seem to be the master boot record as windows does not display them. It is worth noting the drive is GPT. I reformatted it just in case by deleting the partition and remaking it.
Last edited by ngkrich on Mon Oct 09, 2017 13:29; edited 1 time in total
There were some USB issues with some routers concerning auto mount in last couple builds.
Not sure that applied to you.
Have to check your routers forum new build thread for more info on that.
Brainslayer said it should work, and others have reported NAS working in this build. I tried re-flashing DDWRT as well with no luck. Past validating that my settings seemed right Brainslayer was busy/moved on.
Edit: For some reason it works now after the reformat. I am super happy but unsatisfied lol. It seems more random issue than something I can learn from.