I just wanted to thank everyone in this thread. The help has been great. Still, I have a few questions.
I recently upgraded to SP1 (10108M). I previously had my router acting as a bridged openVPN server.
I liked the GUI interface and thought I'd give that a shot. Unfortunately, all the instructions here seem to be for a routed server.
I adapted my Config for the new file names and pasted everything in. The good news is that the OpenVPN server is running and I CAN connect from remote. The bad news is that I'm not getting an IP address assigned and seem to lack other connectivity.
Is it possible to set up a bridged network using just the openVPN GUI settings? Do I still need a startup script?
This is my current config:
mode server
proto udp
port 1194
dev tun0
keepalive 15 60
daemon
verb 3
comp-lzo
cipher AES-256-CBC
client-to-client
tls-server
ca /tmp/openvpn/ca.crt
dh /tmp/openvpn/dh.pem
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
tls-auth /tmp/openvpn/ta.key 0
From OpenVPN site:
OpenVPN Site wrote:
Comment out the line which says dev tun and replace it instead with:
dev tap0
Comment out the line that begins with server and replace it with:
Posted: Wed Aug 06, 2008 22:00 Post subject: Re: Syslog for ping requests
bmatthewshea wrote:
BTW the interface part was actually lifted from client config. (OpenVPN on wiki).
Please clarify: are you using those lines in your client config (client1.conf or client1.ovpn) or are you using them in your DD-WRT server config?
(I think you said they are in your server config, but then I still don't understand why you needed them, but I did not.)
bmatthewshea wrote:
Update:
I rebooted router with just those firewall lines, and seems to be running smoothly. I turned off logging of dropped/rejected packets in process. I will see how long it runs stable...
That makes sense, because logging uses a lot of CPU and memory. The firewall logging (of dropped/rejected packets) logs a TON of stuff, so that may have caused problems.
Posted: Wed Aug 06, 2008 22:17 Post subject: Re: Syslog for ping requests
dereks wrote:
bmatthewshea wrote:
BTW the interface part was actually lifted from client config. (OpenVPN on wiki).
Please clarify: are you using those lines in your client config (client1.conf or client1.ovpn) or are you using them in your DD-WRT server config?
I meant the guy on wiki who wrote it. Well here...
Read:
Pete 14:29, 5 May 2007 (CEST) wrote:
After looking at some posts and WiKi, I have simplified the process of using openVPN as a client.
First, I enabled the openVPN client via the web interface and entered the 3 certificates/keys that are requested. Once I saved that, I disabled openVPN. This got the 3 certs/keys into nvram. I then ran the following 3 nvram commands in the command window at the same time:
nvram set openvpn_tls='
-----BEGIN OpenVPN Static key V1-----
...
-----END OpenVPN Static key V1-----
'
nvram set openvpn_cfg='
remote remote_server_ip_address
dev tun0
tun-mtu 1500
fragment 1300
mssfix
tls-client
ca /tmp/myvpn/ca.crt
cert /tmp/myvpn/client.crt
key /tmp/myvpn/client.key
ns-cert-type server
tls-auth /tmp/myvpn/tls.key
ping-restart 60
ping-timer-rem
persist-tun
persist-key
resolv-retry 86400
ping 10
comp-lzo
'
nvram commit
I then set the startup script to:
/usr/sbin/openvpn --mktun --dev tun0
ifconfig tun0 192.168.tunnel.2 netmask 255.255.255.252 promisc up
route add -net 192.168.rlan.0 netmask 255.255.255.0 gw 192.168.tunnel.1
sleep 20
mkdir /tmp/myvpn
nvram get openvpn_ca >/tmp/myvpn/ca.crt
nvram get openvpn_client >/tmp/myvpn/client.crt
nvram get openvpn_key >/tmp/myvpn/client.key
nvram get openvpn_tls >/tmp/myvpn/tls.key
nvram get openvpn_cfg >/tmp/myvpn/remote.ovpn
/usr/sbin/openvpn --daemon --config /tmp/myvpn/remote.ovpn
Explanations:
openvpn_tls is set to your TLS key.
remote_server_ip_address = IP address of remote openVPN running in server mode.
192.168.tunnel.2 = 192.168.x.x address of the local openVPN tunnel. Must be different subnet from remote and local LANs.
192.168.tunnel.1 = 192.168.x.x address of the remote end of the openVPN tunnel. Must be different subnet from remote and local LANs.
192.168.rlan.0 = IP address range of remote LAN
sleep 20 = wait period to ensure /tmp has been created.
This disables the firewall and NAT on the VPN, uses TLS authentication, etc. Hope this helps some. It is easy to change nvram and was much easier for me to review than trying to put it all in startup scripts.
This is working on a Buffalo WHR-G54S running 2.3 SP2.
I've followed the instructions for the GUI setup, but the files that are supposed to be in /tmp/openvpn are not created. In fact, there isn't even a /tmp/openvpn directory. I tried adding a 'mkdir /tmp/openvpn' to the Startup Script section in Commands, but the files were still not created in the directory.
Also, whenever I enter something in "Public Server Cert", save it, navigate somewhere else and then come back, the field is empty. The other certificate and key fields retain their values, but not that one, for some reason.
When you upgraded, did you reload your config from backup or recreate manually? Sometimes a backup will screw up the firmware if using on diff version. Better to re-create your data manually. (I know it sucks.) You should DEFINITELY have a /tmp dir. I would flash the firmware again (make sure you SET reset/reboot to default.) Then when it comes back up, set up your network/ssh and check again for /tmp (root dir).
I initially restored my backup config, but I also tried a fresh flash with the defaults. Same problem both times.
Sorry for the confusion, but I DO have a /tmp directory. What I don't have is the openvpn directory inside it (i.e. /tmp/openvpn). I also did a "find" for openvpn and all it found was the executable in /usr/sbin/openvpn.
Posted: Fri Aug 08, 2008 3:59 Post subject: no /tmp/openvpn/xxxx
nothsa wrote:
Still not sure what else I can try =(
Well, I think that is the bin/executable for the actual program. Sounds like you have the VPN version, at least. Not sure if 'openvpn' dir is there before you actually SAVE your keys. Are you 'saving' (not applying...)? I got the keys to show up by placing them in correct places in web config (pg 1/post 1), and then saving.
So make sure you save first. Verify settings then 'apply'. Sometimes it's simply better to reboot... Your SSH session will be killed either way. Also, make sure you have syslog running and check log... especially right after you save and keys aren't where they are supposed to be.
Maybe that's the problem. I think I just kept hitting "apply" instead of saving first. I'll report back once I get home tonight and am able to run some tests.
I found out what was causing *some* web sites not to load (kotaku was one...) The thing that was causing it on my network was the line:
Code:
# Replace 192.168.66.0/24 with your OpenVPN server subnet:
iptables -I FORWARD 1 --source 192.168.66.0/24 -j ACCEPT
I had it removed, but added it before I went out of town. I got a call some web sites weren't loading.. so... I got on the VPN and checked, sure enough... specific sites wouldn't load. On any computer in my net. Could load them here at hotel. I played hit and miss for awhile, then found out that was the offending line. Don't know why my router has such a problem with it, but it seems to be working fine now. (I was also logging dropped packets when this line was in effect.) I could vpn in, though. Seemed alright on my end, but my network at home suffered.
Not sure why it works with yours the way it is, or mine. Nothing special about my router. Hardly anything is activated in firmware other than OpenVPN. My SPI FW:
That's all that's needed to allow access between LAN and VPN. Any additional stuff is likely to cause issues. _________________ Q: How do I do ...? A: Read the tutorials or Search forums
Sorry I had to leave for a few days ... I still can't get a bridged setup working. To repeat, I can connect to VPN from remote without issue. I cannot get a DHCP address though.
It was suggested that I try the server-bridge command below, but I don't think that's what I want. Prior to SP1, I had the router's DHCP server handing out VPN addresses. Server-bridge would seem to have openVPN do that.
Things work if I enter everything in as a command. Is there any way to get the exact same behavior via the GUI interface?
mode server
proto udp
port 1194
dev tap0
keepalive 15 60
daemon
verb 3
comp-lzo
cipher AES-256-CBC
client-to-client
tls-server
ca /tmp/openvpn/ca.crt
dh /tmp/openvpn/dh.pem
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
tls-auth /tmp/openvpn/ta.key 0
To compare, entered as a command (with the single 1194 firewall rule), the following seems to do exactly what I want:
cd /tmp
openvpn --mktun --dev tap0
brctl addif br0 tap0
ifconfig tap0 0.0.0.0 promisc up
echo "
# Tunnel options
mode server # Set OpenVPN major mode
proto udp # Setup the protocol (server)
port 1194 # TCP/UDP port number
dev tap0 # TUN/TAP virtual network device
keepalive 15 60 # Simplify the expression of --ping
daemon # Become a daemon after all initialization
verb 3 # Set output verbosity to n
comp-lzo # Use fast LZO compression
cipher AES-256-CBC
# OpenVPN server mode options
client-to-client # tells OpenVPN to internally route client-to-client traffic
# TLS Mode Options
tls-server # Enable TLS and assume server role during TLS handshake
ca ca.crt # Certificate authority (CA) file
dh dh1024.pem # File containing Diffie Hellman parameters
cert server.crt # Local peer's signed certificate
key server.key # Local peer's private key
tls-auth ta.key 0
" > openvpn.conf
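As an added example (not code from this thread or from DD-WRT), here is a POSIX sh script that does what the command version above does, but checks its inputs first: it writes the bridged server config, refuses the two configs that give the "connects fine but gets no address" symptom (a tun device, or a server / server-bridge-with-pool / ifconfig-pool line that makes OpenVPN hand out addresses instead of the router's DHCP), checks that the files the GUI is supposed to drop under /tmp/openvpn are real PEM files (the blank "Public Server Cert" field earlier in the thread would produce an empty one) and that the private key and ta.key are not group/world readable, and only then does the mktun / brctl / ifconfig bring-up in that order. The function names and the lint rules are my own; the directives, paths and file names match the configs posted in this thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from DD-WRT: build the bridged
# server config, sanity-check it and the key material under /tmp/openvpn,
# and only then do the tap0/br0 bring-up. Function names and lint rules are
# my own; the paths and directives match the configs posted above.

# Emit a bridged server config. $1 = directory holding ca.crt dh.pem
# cert.pem key.pem ta.key (the names the DD-WRT GUI uses).
make_bridged_config() {
    dir="$1"
    cat <<EOF
mode server
proto udp
port 1194
# tap, not tun: Ethernet frames are bridged into br0 and the LAN's
# DHCP server answers the client, so no server/server-bridge line here.
dev tap0
keepalive 15 60
daemon
verb 3
comp-lzo
cipher AES-256-CBC
client-to-client
tls-server
ca $dir/ca.crt
dh $dir/dh.pem
cert $dir/cert.pem
key $dir/key.pem
# direction 0 on the server; every client must use 1
tls-auth $dir/ta.key 0
EOF
}

# Catch the configs that "connect fine but get no address" in bridged mode:
# a tun device, or a directive that makes OpenVPN itself assign addresses
# instead of the router's DHCP. Returns 0 when the config looks sane.
lint_bridged_config() {
    f="$1"
    if grep -Eq '^[[:space:]]*dev[[:space:]]+tun' "$f"; then
        echo "lint: dev tun cannot be bridged, use dev tap0" >&2; return 1
    fi
    if ! grep -Eq '^[[:space:]]*dev[[:space:]]+tap' "$f"; then
        echo "lint: no dev tap line" >&2; return 1
    fi
    if grep -Eq '^[[:space:]]*(server[[:space:]]+|server-bridge[[:space:]]+[0-9]|ifconfig-pool)' "$f"; then
        echo "lint: OpenVPN, not the router's DHCP, would assign addresses" >&2; return 1
    fi
    if ! grep -Eq '^[[:space:]]*tls-auth[[:space:]]+[^[:space:]]+[[:space:]]+0([[:space:]]|$)' "$f"; then
        echo "lint: server needs 'tls-auth <key> 0'" >&2; return 1
    fi
    return 0
}

# An empty or truncated file (the blank "Public Server Cert" field earlier in
# the thread) must stop the start instead of producing a vague TLS error.
check_pem() {
    f="$1"
    [ -s "$f" ] || { echo "check_pem: $f missing or empty" >&2; return 1; }
    grep -q '^-----BEGIN ' "$f" && grep -q '^-----END ' "$f" ||
        { echo "check_pem: $f has no PEM markers" >&2; return 1; }
}

# The private key and the tls-auth key must not be group/world readable.
check_key_perms() {
    for k in "$1/key.pem" "$1/ta.key"; do
        [ -f "$k" ] || { echo "perms: $k missing" >&2; return 1; }
        case "$(ls -l "$k" | cut -c5-10)" in
            ------) ;;
            *) echo "perms: $k is readable by group/others, chmod 600 it" >&2; return 1 ;;
        esac
    done
}

# Bring-up in the order the thread settled on: create tap0, add it to br0,
# bring it up with no address of its own, then start the daemon.
bringup_tap_bridge() {
    dir="$1"; cfg="$dir/openvpn.conf"
    make_bridged_config "$dir" > "$cfg"
    lint_bridged_config "$cfg" || return 1
    for f in ca.crt dh.pem cert.pem key.pem ta.key; do
        check_pem "$dir/$f" || return 1
    done
    check_key_perms "$dir" || return 1
    openvpn --mktun --dev tap0
    brctl addif br0 tap0
    ifconfig tap0 0.0.0.0 promisc up
    openvpn --config "$cfg"    # 'daemon' in the config backgrounds it
}
```

Run it from the startup script as `bringup_tap_bridge /tmp/openvpn` once the GUI has written the key files; a bare `server-bridge` line (DHCP-proxy mode, no address arguments) passes the lint, a `server-bridge` with a pool or a routed `server` line does not.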
If you're using bridged mode then don't use firewall scripts like that! It's likely not to work.
You'll have to use brctl to add tap0 to the br0 bridging group. Also you'll have to manually bring up the tunnel using a 0.0.0.0 ip address. _________________ Q: How do I do ...? A: Read the tutorials or Search forums
The above code goes before any brctl or ifconfig commands on tap0.
Instead of looking for the GUI guides, check the older, reliable, startup script guides. You can easily figure out what's missing. _________________ Q: How do I do ...? A: Read the tutorials or Search forums