OpenVPN config docs for v24 SP1?

DD-WRT Forum Index -> Broadcom SoC based Hardware
bmatthewshea
DD-WRT User


Joined: 31 Jul 2008
Posts: 53

Posted: Wed Aug 06, 2008 5:18
nemesisdb wrote:
I just wanted to thank everyone in this thread. The help has been great. Still, I have a few questions.

I recently upgraded to SP1 (10108M). I previously had my router acting as a bridged openVPN server.

I liked the GUI interface and thought I'd give that a shot. Unfortunately, all the instructions here seem to be for a routed server.

I adapted my Config for the new file names and pasted everything in. The good news is that the OpenVPN server is running and I CAN connect from remote. The bad news is that I'm not getting an IP address assigned and seem to lack other connectivity.

Is it possible to set up a bridged network using just the openVPN GUI settings? Do I still need a startup script?

This is my current config:

mode server
proto udp
port 1194
dev tun0
keepalive 15 60
daemon
verb 3
comp-lzo
cipher AES-256-CBC
client-to-client
tls-server
ca /tmp/openvpn/ca.crt
dh /tmp/openvpn/dh.pem
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
tls-auth /tmp/openvpn/ta.key 0


From OpenVPN site:
OpenVPN Site wrote:

Comment out the line which says dev tun and replace it instead with:

dev tap0

Comment out the line that begins with server and replace it with:

server-bridge 192.168.8.4 255.255.255.0 192.168.8.128 192.168.8.254

Now set up the Linux firewall to permit packets to flow freely over the newly created tap0 and br0 interfaces:

iptables -A INPUT -i tap0 -j ACCEPT
iptables -A INPUT -i br0 -j ACCEPT
iptables -A FORWARD -i br0 -j ACCEPT


Reference: Here.
You may have to use the tun0 IF, I don't know. Play with it and see what happens.
Vincs
DD-WRT Novice


Joined: 16 Jan 2007
Posts: 40

Posted: Wed Aug 06, 2008 9:04
Sorry I missed this topic!

Thanks for your help.
dereks
DD-WRT Novice


Joined: 30 Jul 2008
Posts: 14

Posted: Wed Aug 06, 2008 22:00    Post subject: Re: Syslog for ping requests
bmatthewshea wrote:
BTW the interface part was actually lifted from client config. (OpenVPN on wiki).


Please clarify: are you using those lines in your client config (client1.conf or client1.ovpn) or are you using them in your DD-WRT server config?

(I think you said they are in your server config, but then I still don't understand why you needed them, but I did not.)


bmatthewshea wrote:
Update:
I rebooted router with just those firewall lines, and seems to be running smoothly. I turned off logging of dropped/rejected packets in process. I will see how long it runs stable...


That makes sense, because logging uses a lot of CPU and memory. The firewall logging (of dropped/rejected packets) logs a TON of stuff, so that may have caused problems.
bmatthewshea
DD-WRT User


Joined: 31 Jul 2008
Posts: 53

Posted: Wed Aug 06, 2008 22:17    Post subject: Re: Syslog for ping requests
dereks wrote:
bmatthewshea wrote:
BTW the interface part was actually lifted from client config. (OpenVPN on wiki).


Please clarify: are you using those lines in your client config (client1.conf or client1.ovpn) or are you using them in your DD-WRT server config?


I meant the guy on wiki who wrote it. Well here...
Read:

Pete 14:29, 5 May 2007 (CEST) wrote:

After looking at some posts and WiKi, I have simplified the process of using openVPN as a client.

First, I enabled the openVPN client via the web interface and entered the 3 certificates/keys that are requested. Once I saved that, I disabled openVPN. This got the 3 certs/keys into nvram. I then ran the following 3 nvram commands in the command window at the same time:

nvram set openvpn_tls='
-----BEGIN OpenVPN Static key V1-----
...
-----END OpenVPN Static key V1-----
'
nvram set openvpn_cfg='
remote remote_server_ip_address
dev tun0
tun-mtu 1500
fragment 1300
mssfix
tls-client
ca /tmp/myvpn/ca.crt
cert /tmp/myvpn/client.crt
key /tmp/myvpn/client.key
ns-cert-type server
tls-auth /tmp/myvpn/tls.key
ping-restart 60
ping-timer-rem
persist-tun
persist-key
resolv-retry 86400
ping 10
comp-lzo
'
nvram commit

I then set the startup script to:

/usr/sbin/openvpn --mktun --dev tun0
ifconfig tun0 192.168.tunnel.2 netmask 255.255.255.252 promisc up
route add -net 192.168.rlan.0 netmask 255.255.255.0 gw 192.168.tunnel.1
sleep 20
mkdir /tmp/myvpn
nvram get openvpn_ca >/tmp/myvpn/ca.crt
nvram get openvpn_client >/tmp/myvpn/client.crt
nvram get openvpn_key >/tmp/myvpn/client.key
nvram get openvpn_tls >/tmp/myvpn/tls.key
nvram get openvpn_cfg >/tmp/myvpn/remote.ovpn
/usr/sbin/openvpn --daemon --config /tmp/myvpn/remote.ovpn

and firewall to:

iptables -I INPUT 2 -p udp --dport 1194 -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT


Explanations:
openvpn_tls is set to your TLS key.
remote_server_ip_address = IP address of remote openVPN running in server mode.
192.168.tunnel.2 = 192.168.x.x address of the local openVPN tunnel. Must be different subnet from remote and local LANs.
192.168.tunnel.1 = 192.168.x.x address of the remote end of the openVPN tunnel. Must be different subnet from remote and local LANs.
192.168.rlan.0 = IP address range of remote LAN
sleep 20 = wait period to ensure /tmp has been created.

This disables the firewall and NAT on the VPN, uses TLS authentication, etc. Hope this helps some. It is easy to change nvram and was much easier for me to review than trying to put it all in startup scripts.

This is working on a Buffalo WHR-G54S running 2.3 SP2.

--Pete 14:29, 5 May 2007 (CEST)
nothsa
DD-WRT Novice


Joined: 07 Aug 2008
Posts: 3

Posted: Thu Aug 07, 2008 18:53
I've followed the instructions for the GUI setup, but the files that are supposed to be in /tmp/openvpn are not created. In fact, there isn't even a /tmp/openvpn directory. I tried adding a 'mkdir /tmp/openvpn' to the Startup Script section in Commands, but the files were still not created in the directory.

Also, whenever I enter something in "Public Server Cert", save it, navigate somewhere else and then come back, the field is empty. The other certificate and key fields retain their values, but not that one, for some reason.

Info:
Router - WRT54GL v1.1
Firmware - v24 SP1 VPN (upgraded from v23 SP2 standard)

OpenVPN Settings:
OpenVPN Server - Enabled
Start Type - WAN Up

Does anyone have any ideas? I'm up for trying anything at this point.
bmatthewshea
DD-WRT User


Joined: 31 Jul 2008
Posts: 53

Posted: Thu Aug 07, 2008 22:28
nothsa wrote:
I've followed the instructions for the GUI setup, but the files that are supposed to be in /tmp/openvpn are not created. In fact, there isn't even a /tmp/openvpn directory. I tried adding a 'mkdir /tmp/openvpn' to the Startup Script section in Commands, but the files were still not created in the directory.


When you upgraded, did you reload your config from backup or recreate manually? Sometimes a backup will screw up the firmware if using on diff version. Better to re-create your data manually. (I know it sucks.) You should DEFINITELY have a /tmp dir. I would flash the firmware again (make sure you SET reset/reboot to default.) Then when it comes back up, set up your network/ssh and check again for /tmp (root dir).
nothsa
DD-WRT Novice


Joined: 07 Aug 2008
Posts: 3

Posted: Thu Aug 07, 2008 22:47
bmatthewshea wrote:
When you upgraded, did you reload your config from backup or recreate manually? Sometimes a backup will screw up the firmware if using on diff version. Better to re-create your data manually. (I know it sucks.) You should DEFINITELY have a /tmp dir. I would flash the firmware again (make sure you SET reset/reboot to default.) Then when it comes back up, set up your network/ssh and check again for /tmp (root dir).


I initially restored my backup config, but I also tried a fresh flash with the defaults. Same problem both times.

Sorry for the confusion, but I DO have a /tmp directory. What I don't have is the openvpn directory inside it (i.e. /tmp/openvpn). I also did a "find" for openvpn and all it found was the executable in /usr/sbin/openvpn.

Still not sure what else I can try =(
bmatthewshea
DD-WRT User


Joined: 31 Jul 2008
Posts: 53

Posted: Fri Aug 08, 2008 3:59    Post subject: no /tmp/openvpn/xxxx
nothsa wrote:

I initially restored my backup config, but I also tried a fresh flash with the defaults. Same problem both times.

Sorry for the confusion, but I DO have a /tmp directory. What I don't have is the openvpn directory inside it (i.e. /tmp/openvpn). I also did a "find" for openvpn and all it found was the executable in /usr/sbin/openvpn.

Still not sure what else I can try =(


Well, I think that is the bin/executable for the actual program. Sounds like you have the VPN version, at least. Not sure if the 'openvpn' dir is there before you actually SAVE your keys. Are you 'saving' (not applying...)? I got the keys to show up by placing them in the correct places in the web config (pg 1/post 1), and then saving.
So make sure you save first. Verify settings, then 'apply'. Sometimes it's simply better to reboot... Your SSH session will be killed either way. Also, make sure you have syslog running and check the log... especially right after you save and the keys aren't where they are supposed to be.
nothsa
DD-WRT Novice


Joined: 07 Aug 2008
Posts: 3

Posted: Fri Aug 08, 2008 22:02
Maybe that's the problem. I think I just kept hitting "apply" instead of saving first. I'll report back once I get home tonight and am able to run some tests.
bmatthewshea
DD-WRT User


Joined: 31 Jul 2008
Posts: 53

Posted: Mon Aug 11, 2008 3:03
I found out what was causing *some* web sites not to load (kotaku was one...) The thing that was causing it on my network was the line:

Code:
# Replace 192.168.66.0/24 with your OpenVPN server subnet:
iptables -I FORWARD 1 --source 192.168.66.0/24 -j ACCEPT


I had it removed, but added it before I went out of town. I got a call that some web sites weren't loading... so... I got on the VPN and checked, and sure enough, specific sites wouldn't load. On any computer in my net. I could load them here at the hotel. I played hit and miss for a while, then found out that was the offending line. Don't know why my router has such a problem with it, but it seems to be working fine now. (I was also logging dropped packets when this line was in effect.) I could VPN in, though. Seemed alright on my end, but my network at home suffered.
Not sure why it works with yours the way it is, or mine. Nothing special about my router. Hardly anything is activated in the firmware other than OpenVPN. My SPI FW:

Additional Filters
Filter Proxy [ ]
Filter Cookies [ ]
Filter Java Applets [ ]
Filter ActiveX [ ]

Block WAN Requests
Block Anonymous WAN Requests (ping) [X]
Filter Multicast [X]
Filter WAN NAT Redirection [ ]
Filter IDENT (Port 113) [X]

And my firewall openings:
Code:
iptables -I INPUT -p udp --dport 1194 -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT


Seems stable...I am still out of town, I will test some more when home.
switch
DD-WRT Guru


Joined: 30 Apr 2008
Posts: 967
Location: Romania

Posted: Mon Aug 11, 2008 7:07
Code:
iptables -I INPUT -p udp --dport 1194 -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT


That's all that's needed to allow access between LAN and VPN. Any additional stuff is likely to cause issues.

_________________
Q: How do I do ...? A: Read the tutorials or Search forums
nemesisdb
DD-WRT User


Joined: 10 Oct 2006
Posts: 197

Posted: Mon Aug 11, 2008 14:03
Sorry I had to leave for a few days ... I still can't get a bridged setup working. To repeat, I can connect to VPN from remote without issue. I cannot get a DHCP address though.

It was suggested that I try the server-bridge command below, but I don't think that's what I want. Prior to SP1, I had the router's DHCP server handing out VPN addresses. Server-bridge would seem to have openVPN do that.

Things work if I enter everything in as a command. Is there any way to get the exact same behavior via the GUI interface?

Saved firewall rules are:
/usr/sbin/iptables -I INPUT -p udp --dport 1194 -j ACCEPT
/usr/sbin/iptables -I FORWARD -i br0 -o tap0 -j ACCEPT
/usr/sbin/iptables -I FORWARD -i tap0 -o br0 -j ACCEPT

OpenVPN GUI Config:

mode server
proto udp
port 1194
dev tap0
keepalive 15 60
daemon
verb 3
comp-lzo
cipher AES-256-CBC
client-to-client
tls-server
ca /tmp/openvpn/ca.crt
dh /tmp/openvpn/dh.pem
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
tls-auth /tmp/openvpn/ta.key 0


To compare, entered as a command (with the single 1194 firewall rule), the following seems to do exactly what I want:

cd /tmp
openvpn --mktun --dev tap0
brctl addif br0 tap0
ifconfig tap0 0.0.0.0 promisc up

echo "
# Tunnel options
mode server # Set OpenVPN major mode
proto udp # Setup the protocol (server)
port 1194 # TCP/UDP port number
dev tap0 # TUN/TAP virtual network device
keepalive 15 60 # Simplify the expression of --ping
daemon # Become a daemon after all initialization
verb 3 # Set output verbosity to n
comp-lzo # Use fast LZO compression
cipher AES-256-CBC

# OpenVPN server mode options
client-to-client # tells OpenVPN to internally route client-to-client traffic

# TLS Mode Options
tls-server # Enable TLS and assume server role during TLS handshake
ca ca.crt # Certificate authority (CA) file
dh dh1024.pem # File containing Diffie Hellman parameters
cert server.crt # Local peer's signed certificate
key server.key # Local peer's private key
tls-auth ta.key 0
" > openvpn.conf

echo "
-----BEGIN CERTIFICATE-----
REDACTED
-----END CERTIFICATE-----
" > ca.crt
echo "
-----BEGIN RSA PRIVATE KEY-----
REDACTED
-----END RSA PRIVATE KEY-----
" > server.key
chmod 600 server.key
echo "

-----BEGIN CERTIFICATE-----
REDACTED
-----END CERTIFICATE-----
" > server.crt

echo "
-----BEGIN OpenVPN Static key V1-----
REDACTED
-----END OpenVPN Static key V1-----
" > ta.key
chmod 600 ta.key

echo "
-----BEGIN DH PARAMETERS-----
REDACTED
-----END DH PARAMETERS-----
" > dh1024.pem

sleep 5
ln -s /usr/sbin/openvpn /tmp/myvpn
/tmp/myvpn --config openvpn.conf
switch
DD-WRT Guru


Joined: 30 Apr 2008
Posts: 967
Location: Romania

Posted: Mon Aug 11, 2008 14:52
If you're using bridged mode then don't use firewall scripts like that! It's likely not to work.

You'll have to use brctl to add tap0 to the br0 bridging group. Also you'll have to manually bring up the tunnel using a 0.0.0.0 ip address.

_________________
Q: How do I do ...? A: Read the tutorials or Search forums
nemesisdb
DD-WRT User


Joined: 10 Oct 2006
Posts: 197

Posted: Mon Aug 11, 2008 15:05
switch wrote:
If you're using bridged mode then don't use firewall scripts like that! It's likely not to work.

You'll have to use brctl to add tap0 to the br0 bridging group. Also you'll have to manually bring up the tunnel using a 0.0.0.0 ip address.


I apologize if it sounds like I'm asking to have my hand held -- I'm just not that familiar with the commands I'm working with.

I tried those firewall rules because they were suggested and because nothing else I had tried worked. As you observed, they didn't work either.

My latest attempt (also a failure) is described below. Can you be more specific with what I need to change? I assume my startup script is not correct?

GUI Config (services | openvpn daemon)
mode server
proto udp
port 1194
dev tap0
keepalive 15 60
daemon
verb 3
comp-lzo
cipher AES-256-CBC
client-to-client
tls-server
ca /tmp/openvpn/ca.crt
dh /tmp/openvpn/dh.pem
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
tls-auth /tmp/openvpn/ta.key 0

The following is saved under command | firewall:
/usr/sbin/iptables -I INPUT -p udp --dport 1194 -j ACCEPT

The following is saved under command | startup
brctl addif br0 tap0
ifconfig tap0 0.0.0.0 promisc up
switch
DD-WRT Guru


Joined: 30 Apr 2008
Posts: 967
Location: Romania

Posted: Mon Aug 11, 2008 16:45
The startup is missing one command:

Code:
openvpn --mktun --dev tap0


The above code goes before any brctl or ifconfig commands on tap0.

Instead of looking for the GUI guides, check the older, reliable, startup script guides. You can easily figure out what's missing.

_________________
Q: How do I do ...? A: Read the tutorials or Search forums
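Putting the thread's pieces together: the following is an added example (it is not switch's, nemesisdb's or the DD-WRT project's own code) of the bridged-mode startup and firewall commands in the order switch's reply requires: create tap0 with --mktun first, then enslave it to br0 with brctl, then bring it up with address 0.0.0.0, and open only UDP 1194 in the firewall. The commands are the ones posted in the thread; the run/check_order helpers, the DRY_RUN switch and the VPN_DEV/BRIDGE/VPN_PORT variables are assumptions of the example so it can be checked on a machine without brctl, ifconfig or openvpn.

```shell
#!/bin/sh
# Added example, not from the thread: DD-WRT startup + firewall commands for a
# bridged (tap0) OpenVPN server. Ordering matters: the tap device must exist
# before brctl or ifconfig touch it. DRY_RUN=1 prints the commands instead of
# executing them (assumed convenience of this example, not a DD-WRT feature).

VPN_DEV="${VPN_DEV:-tap0}"     # tap device named by "dev tap0" in the GUI config
BRIDGE="${BRIDGE:-br0}"        # DD-WRT LAN bridge
VPN_PORT="${VPN_PORT:-1194}"   # UDP port named by "port 1194" in the GUI config

# Execute a command, or print it verbatim when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Startup script (Administration -> Commands -> Startup): create, bridge, bring up.
bridged_startup() {
    run /usr/sbin/openvpn --mktun --dev "$VPN_DEV"
    run brctl addif "$BRIDGE" "$VPN_DEV"
    run ifconfig "$VPN_DEV" 0.0.0.0 promisc up
}

# Firewall script (Administration -> Commands -> Firewall): only the server port.
# In bridged mode tap0 is a member of br0, so LAN<->VPN frames are switched
# inside the bridge and never hit the FORWARD chain; the tun0-style FORWARD
# rules from the routed guides are not needed here.
bridged_firewall() {
    run /usr/sbin/iptables -I INPUT -p udp --dport "$VPN_PORT" -j ACCEPT
}

# Check a generated startup script: succeeds (exit 0) only if the --mktun line
# comes before the first brctl/ifconfig line, i.e. the device exists when used.
check_order() {
    mktun_line=$(printf '%s\n' "$1" | grep -n -- '--mktun' | head -n1 | cut -d: -f1)
    first_use=$(printf '%s\n' "$1" | grep -n -E '^(brctl|ifconfig) ' | head -n1 | cut -d: -f1)
    [ -n "$mktun_line" ] && [ -n "$first_use" ] && [ "$mktun_line" -lt "$first_use" ]
}

# Usage: "sh this.sh apply" on the router, "sh this.sh dry-run" anywhere else.
case "${1:-}" in
    apply)
        bridged_startup
        bridged_firewall
        ;;
    dry-run)
        DRY_RUN=1
        script=$(bridged_startup)
        printf '%s\n' "$script"
        bridged_firewall
        check_order "$script" && echo "startup order ok"
        ;;
esac
```

On the router the two function bodies are what goes into the Startup and Firewall boxes respectively; the dry-run mode exists only to show and verify the command sequence before pasting it.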
Page 3 of 24
All times are GMT