The above will set "read/write/no execute" access for the owner ("600"), and "no access whatsoever" for group members ("600") or anyone else ("600"). This will prevent additional warnings from hitting your logs.
I can't help with your other question because my OpenVPN config is done purely from the CLI, not the DD-WRT GUI.
Thanks for the input.
How will these permissions affect the three client users I have using the VPN?
I tried setting up the VPN through the CLI, but it was too much data, and my WRT300N didn't have enough memory to save it.
_________________
WRT54G v3
WRT300N v1
Running DD-WRT v24-sp2 (11/21/10) std - build 15778 myself on a Dlink DIR-825 and trying to get things working using the "new Style" option. Any guide for that? It seems everything fails.
I'm not familiar with OpenVPN on DD-WRT so any help would be appreciated.
bl@d3runn3r, I'm not familiar with the "new Style" option.
You said you are running DD-WRT v24-sp2 (11/21/10) std. It doesn't look like DD-WRT has a flash that supports openVPN for your router. Not sure I can help you.
It seems I got it partially working with the old style method (can't get it to work now). I was able to connect and take over the desktop, so I guess it worked; I only couldn't see anything in the status/openvpn tab (empty). Now I wanted to try out new style, which almost worked: I could see some info and users connected in the status/openvpn tab, but it was not possible to take over the desktop (some route missing?).
Anyway, I'm going to check it again. Thanks for your reply.
:update:
I got it working again using the old Style method, but there is still no information on the OpenVPN information page (which worked in the new style method), and there are performance problems which I hoped would be gone in the new Style method.
Any ideas on how to get that part working?
Code:
State
Server: : SUCCESS Local Address: Remote Address: Client: CONNECTED: SUCCESS Local Address: Remote Address:
You need to add the following to your server config to get your status page working:
They will be 100% unaffected. The warning is for filesystem permissions which affect local user account access on the OpenVPN host (i.e. your router), not external clients. The idea is that an unprivileged user account directly on the router should not have access to the contents of those sensitive files.
Quote:
I tried setting up the VPN through the CLI, but it was too much data, and my WRT300N didn't have enough memory to save it.
I ran into the same space issue too. In my experience the easiest way I could get CLI working on 4mb flash routers (self-contained, without depending on external storage like USB or CIFS mounts) was to use the Eko build "openvpn-jffs-small" then carve out a jffs2 partition, and store a script there which creates the openvpn config files, key/cert files, etc. on the fly at startup. I can go into further detail if you are interested, but be aware that it will require a reflash if you aren't using a build with both vpn and jffs support.
In my opinion, the benefit in CLI vs GUI is that OpenVPN is OpenVPN is OpenVPN, regardless of the host platform... there's really nothing "DD-WRT specific" about how to get the config to work (some weirdness about starting the actual binary aside). The router is just a Linux host, with the same requirements for route additions, iptables exceptions, etc. as any other. So as a result, I feel like my understanding of it has become much greater than if I had been abstracted by the "fill-in-the-blank" GUI. It's certainly not for everyone, though, so there's definitely value in the GUI method. I probably would have never delved deep if the GUI worked for me the first time I tried it :lol:
(sorry, edited out from underneath your reply)
Last edited by star on Wed Dec 01, 2010 17:12; edited 2 times in total
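An added example, not part of star's post or anyone else's in this thread: a shell sketch of the permission fix discussed above, combined with the idea of a startup script that writes key material on the fly. The directory `/tmp/openvpn` and the file names `key.pem` and `ta.key` are taken from the server config quoted later in the thread; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical;
# key.pem and ta.key are the secret files named in the server config
# posted later on this page (the CA cert and DH params are not secret).

# Print the group/other permission bits as ls shows them, e.g. "r--r--".
group_other_bits() {
    ls -ld "$1" | cut -c5-10
}

# Return 0 only if nobody but the owner has any access to the file.
is_private() {
    [ "$(group_other_bits "$1")" = "------" ]
}

# Tighten each secret found in the directory to 600.
# Prints how many files had to be changed.
lock_down_secrets() {
    dir=$1
    fixed=0
    for name in key.pem ta.key; do
        f="$dir/$name"
        [ -f "$f" ] || continue
        if ! is_private "$f"; then
            chmod 600 "$f" && fixed=$((fixed + 1))
        fi
    done
    echo "$fixed"
}

# Write stdin to a file that is owner-only from the moment it exists.
# umask covers newly created files; chmod covers a file that was
# already there with looser permissions.
write_secret() {
    ( umask 077; cat > "$1" && chmod 600 "$1" )
}

# Usage from a startup script (path assumed from the thread's config):
#   write_secret /tmp/openvpn/key.pem < /jffs/key.pem
#   lock_down_secrets /tmp/openvpn
```

Creating the file under `umask 077` matters for a script that generates keys at boot, because a plain redirect followed by `chmod` leaves the key readable by other local accounts for a short window.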
Thanks for the info on the permissions, and the CLI VPN stuff. No need for details on the VPN. I really like the idea of doing it through CLI but since it's already up and running through the GUI, and I've already bricked one router by playing too much, I'll stick with what I have.
Thanks though, it's good to know that it does actually work.
to my startup scripts, but it didn't resolve the issue. So I added it to the server configs, but openVPN wouldn't start after that.
Posted: Fri Dec 31, 2010 20:08 Post subject: Almost there
Ok, I almost have success on running a VPN from router to router. The client router is successfully connected to the server router. From the CLI of each router I can ping the internal IP addresses assigned by the Server router.
Now I need to figure out how to get the clients behind the client router to talk to the clients behind the server router. I know it's a simple route I need to input, but I can't figure it out.
Server Configs are:
Code:
mode server
tls-server
port 1194
proto udp
#proto tcp-server
dev tap0
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
dh /tmp/openvpn/dh.pem
server-bridge 192.168.1.1 255.255.255.0 192.168.1.200 192.168.1.250
#push "redirect-gateway def1"
push "dhcp-option DOMAIN me.dyndns.net"
push "dhcp-option DNS 208.67.220.220"
push "dhcp-option DNS 208.67.222.222"
client-to-client
daemon
keepalive 10 120
tls-auth /tmp/openvpn/ta.key 0
cipher AES-256-CBC
comp-lzo
persist-key
persist-tun
management localhost 5001
verb 0
Again, both routers confirm a good connection, both through the status page and through pings using the CLI.
But none of the clients behind each router can talk.
By the way, the LAN subnet behind the client router is different from the server LAN:
Server LAN: 192.168.1.0
Client LAN: 192.168.2.1
It's gotta be a simple command line for adding a route; I'm just too much of a newb to get the right command.
UPDATE:
I added some routes through the gui on both the server router and the client router. Now computers behind the server can ping the internal 192.168.2.1 of the client router, but they still can't ping any computers connected to it. However, everyone connected to the client router was able to fully communicate to computers behind the server router.
So close...
You need to add the following to your server config to get your status page working:
Code:
management localhost 5001
Has no effect, besides that I can connect but am unable to generate traffic over the tunnel or ping the end point, so I'll stick to the old style method.