OpenVPN config docs for v24 SP1?

McKayCR
DD-WRT Novice


Joined: 05 Sep 2009
Posts: 36
Location: Maryland

PostPosted: Tue Nov 30, 2010 11:57    Post subject:
Quote:
The above will set "read/write/no execute" access for the owner ("600"), and "no access whatsoever" for group members ("600") or anyone else ("600"). This will prevent additional warnings from hitting your logs.

I can't help with your other question because my OpenVPN config is done purely from the CLI, not the DD-WRT GUI.


Thanks for the input.

How will these permissions affect the three client users I have using the VPN?

I tried setting up the VPN through the CLI, but it was too much data, and my WRT300N didn't have enough memory to save it.

_________________
WRT54G v3
WRT300N v1
McKayCR
DD-WRT Novice


Joined: 05 Sep 2009
Posts: 36
Location: Maryland

PostPosted: Tue Nov 30, 2010 12:05    Post subject:
Quote:
Running DD-WRT v24-sp2 (11/21/10) std - build 15778 myself on a Dlink DIR-825 and trying to get things working using the "new Style" option. Any guide for that? It seems everything fails.

I'm not familiar with OpenVPN on DD-WRT so any help would be appreciated.


bl@d3runn3r, I'm not familiar with the "new Style" option.

You said you are running DD-WRT v24-sp2 (11/21/10) std. It doesn't look like DD-WRT has a flash that supports openVPN for your router. Not sure I can help you.

_________________
WRT54G v3
WRT300N v1
bl@d3runn3r
DD-WRT User


Joined: 10 Jan 2010
Posts: 210

PostPosted: Wed Dec 01, 2010 9:01    Post subject:
McKayCR wrote:
Quote:
Running DD-WRT v24-sp2 (11/21/10) std - build 15778 myself on a Dlink DIR-825 and trying to get things working using the "new Style" option. Any guide for that? It seems everything fails.

I'm not familiar with OpenVPN on DD-WRT so any help would be appreciated.


bl@d3runn3r, I'm not familiar with the "new Style" option.

You said you are running DD-WRT v24-sp2 (11/21/10) std. It doesn't look like DD-WRT has a flash that supports openVPN for your router. Not sure I can help you.
It seems I got it partially working with the old style method (can't get it to work now). I was able to connect and take over the desktop, so I guess it worked; I only couldn't see anything in the Status/OpenVPN tab (empty). Now I wanted to try out new style, which almost worked: I could see some info and users connected in the Status/OpenVPN tab, but it was not possible to take over the desktop (some route missing?).
Anyway, I'm going to check it again. Thanks for your reply.

Update:
I got it working again using the old Style method, but still no information on the OpenVPN information page (which worked in the new style method) and performance problems which I hoped would be gone in the new Style method.

Any ideas on how to get that part working?

Code:
State
Server: : SUCCESS Local Address: Remote Address: Client: CONNECTED: SUCCESS Local Address: Remote Address:

Status

Log
Serverlog Clientlog 20101201 10:09:23

The above is the info I see when I'm connected.
McKayCR
DD-WRT Novice


Joined: 05 Sep 2009
Posts: 36
Location: Maryland

PostPosted: Wed Dec 01, 2010 11:35    Post subject:
Quote:

Update:
I got it working again using the old Style method, but still no information on the OpenVPN information page (which worked in the new style method) and performance problems which I hoped would be gone in the new Style method.

Any ideas on how to get that part working?


You need to add the following to your server config to get your status page working:

Code:
management localhost 5001

_________________
WRT54G v3
WRT300N v1
star
DD-WRT Novice


Joined: 05 Mar 2007
Posts: 34

PostPosted: Wed Dec 01, 2010 17:02    Post subject:
McKayCR wrote:
Quote:
The above will set "read/write/no execute" access for the owner ("600"), and "no access whatsoever" for group members ("600") or anyone else ("600"). This will prevent additional warnings from hitting your logs.

I can't help with your other question because my OpenVPN config is done purely from the CLI, not the DD-WRT GUI.


Thanks for the input.

How will these permissions affect the three client users I have using the VPN?

They will be 100% unaffected. The warning is for filesystem permissions which affect local user account access on the OpenVPN host (i.e. your router), not external clients. The idea is that an unprivileged user account directly on the router should not have access to the contents of those sensitive files.

Quote:
I tried setting up the VPN through the CLI, but it was too much data, and my WRT300N didn't have enough memory to save it.

I ran into the same space issue too. In my experience the easiest way I could get CLI working on 4mb flash routers (self-contained, without depending on external storage like USB or CIFS mounts) was to use the Eko build "openvpn-jffs-small" then carve out a jffs2 partition, and store a script there which creates the openvpn config files, key/cert files, etc. on the fly at startup. I can go into further detail if you are interested, but be aware that it will require a reflash if you aren't using a build with both vpn and jffs support.

In my opinion, the benefit in CLI vs GUI is that OpenVPN is OpenVPN is OpenVPN, regardless of the host platform... there's really nothing "DD-WRT specific" about how to get the config to work (some weirdness about starting the actual binary aside). The router is just a Linux host, with the same requirements for route additions, iptables exceptions, etc. as any other. So as a result, I feel like my understanding of it has become much greater than if I had been abstracted by the "fill-in-the-blank" GUI. It's certainly not for everyone, though, so there's definitely value in the GUI method. I probably would have never delved deep if the GUI worked for me the first time I tried it :lol:

(sorry, edited out from underneath your reply)


Last edited by star on Wed Dec 01, 2010 17:12; edited 2 times in total
McKayCR
DD-WRT Novice


Joined: 05 Sep 2009
Posts: 36
Location: Maryland

PostPosted: Wed Dec 01, 2010 17:09    Post subject:
Quote:
They will be 100% unaffected. The warning is for filesystem permissions which affect local user account access on the OpenVPN host (i.e. your router), not external clients. The idea is that an unprivileged user account directly on the router should not have access to the contents of those sensitive files.

In my experience the easiest way I could get CLI working on 4mb flash routers (self-contained, without depending on external storage like USB or CIFS mounts) was to use the Eko build "openvpn-jffs-small" then carve out a jffs2 partition, and store a script there which creates the openvpn config files, key/cert files, etc. on the fly at startup. I can go into further detail if you are interested, but be aware that it will require a reflash if you aren't using a build with both vpn and jffs support.


Thanks for the info on the permissions, and the CLI VPN stuff. No need for details on the VPN. I really like the idea of doing it through CLI but since it's already up and running through the GUI, and I've already bricked one router by playing too much, I'll stick with what I have.

Thanks though, it's good to know that it does actually work.

_________________
WRT54G v3
WRT300N v1
McKayCR
DD-WRT Novice


Joined: 05 Sep 2009
Posts: 36
Location: Maryland

PostPosted: Wed Dec 01, 2010 22:53    Post subject:
So I added:

Code:
chmod 600 /tmp/openvpn/ta.key
chmod 600 /tmp/openvpn/pem.key


to my startup scripts, but it didn't resolve the issue. So I added it to the server configs, but openVPN wouldn't start after that.

_________________
WRT54G v3
WRT300N v1
McKayCR
DD-WRT Novice


Joined: 05 Sep 2009
Posts: 36
Location: Maryland

PostPosted: Fri Dec 31, 2010 20:08    Post subject: Almost there
OK, I almost have success on running a VPN from router to router. The client router is successfully connected to the server router. From the CLI of each router I can ping the internal IP addresses assigned by the server router.

Now I need to figure out how to get the clients behind the client router to talk to the clients behind the server router. I know it's a simple route I need to input, but I can't figure it out.


Server Configs are:

Code:

mode server
tls-server
port 1194
proto udp
#proto tcp-server
dev tap0
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
dh /tmp/openvpn/dh.pem
server-bridge 192.168.1.1 255.255.255.0 192.168.1.200 192.168.1.250
#push "redirect-gateway def1"
push "dhcp-option DOMAIN me.dyndns.net"
push "dhcp-option DNS 208.67.220.220"
push "dhcp-option DNS 208.67.222.222"
client-to-client
daemon
keepalive 10 120
tls-auth /tmp/openvpn/ta.key 0
cipher AES-256-CBC
comp-lzo
persist-key
persist-tun
management localhost 5001
verb 0


Server Startup Commands:

Code:

openvpn --mktun --dev tap0
brctl addif br0 tap0
ifconfig tap0 0.0.0.0 promisc up


Server Firewall Commands:

Code:

iptables -A INPUT -i tap0 -j ACCEPT
iptables -A INPUT -i br0 -j ACCEPT
iptables -A FORWARD -i br0 -j ACCEPT
iptables -I INPUT -p tcp --dport 1194 -j ACCEPT
iptables -I INPUT -p udp --dport 1194 -j ACCEPT
iptables -I INPUT 3 -i tap0 -p icmp -j ACCEPT


For the Client,

I enabled OpenVPN Client, loaded the three certs, saved, applied, and then disabled OpenVPN Client, to get the certs loaded into the NVRAM.

Then I wrote a startup command that writes the TA key, writes the openVPN.conf, and then restarts OpenVPN. The openVPN.conf looks like:

Code:

client
proto udp
#proto tcp-client
dev tap0

remote me.dyndns.net 1194
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
tls-client
ca /tmp/openvpncl/ca.crt
cert /tmp/openvpncl/client.crt
key /tmp/openvpncl/client.key
ns-cert-type server
tls-auth /tmp/openvpncl/ta.key 1

cipher AES-256-CBC
comp-lzo
verb 4

route-gateway 192.168.1.1 # optional
redirect-gateway # optional
management localhost 5001
#up /etc/openvpn/update-resolv-conf
#down /etc/openvpn/update-resolv-conf



Again, both routers confirm a good connection, both through the status page, and through pings using the CLI

But none of the clients behind each router can talk.

By the way, the LAN subnet behind the client router is different from the server LAN.

Server LAN: 192.168.1.0
Client LAN: 192.168.2.1

It's gotta be a simple command line for adding a route; I'm just too much of a newb to get the right command.

UPDATE:

I added some routes through the gui on both the server router and the client router. Now computers behind the server can ping the internal 192.168.2.1 of the client router, but they still can't ping any computers connected to it. However, everyone connected to the client router was able to fully communicate to computers behind the server router.

So close...

_________________
WRT54G v3
WRT300N v1
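The startup-script approach star describes (create the config and key files on the fly at boot) and the chmod 600 fix tried two posts up, as an added example that is not code from this thread or from DD-WRT: a POSIX sh script that writes a server config modelled on the one above, locks down the private files that config actually references, and checks the two things the thread is chasing (owner-only key permissions, and a management line for the Status/OpenVPN page). The directory, the placeholder key contents and the 644 starting permissions are constructed assumptions; launching the openvpn binary itself is left out.

```shell
#!/bin/sh
# Added example, not from the thread. Paths and key contents are placeholders.
OVPN_DIR="${OVPN_DIR:-/tmp/ovpn-example}"   # DD-WRT GUI builds use /tmp/openvpn
# Write a server config modelled on the thread's; the management line is what
# the DD-WRT Status/OpenVPN page talks to.
write_config() {
    mkdir -p "$OVPN_DIR"
    cat > "$OVPN_DIR/openvpn.conf" <<EOF
mode server
tls-server
port 1194
proto udp
dev tap0
ca $OVPN_DIR/ca.crt
cert $OVPN_DIR/cert.pem
key $OVPN_DIR/key.pem
dh $OVPN_DIR/dh.pem
tls-auth $OVPN_DIR/ta.key 0
management localhost 5001
EOF
}
# Placeholder key material, deliberately left 644 to mimic files the GUI
# drops into /tmp (on a real router these would come from NVRAM).
write_keys() {
    for f in ca.crt cert.pem key.pem dh.pem ta.key; do
        echo "PLACEHOLDER $f" > "$OVPN_DIR/$f"
        chmod 644 "$OVPN_DIR/$f"
    done
}
# The private files OpenVPN warns about (key and tls-auth), read from the
# config itself so the chmod hits the names OpenVPN really opens.
private_files() {
    awk '$1 == "key" || $1 == "tls-auth" { print $2 }' "$OVPN_DIR/openvpn.conf"
}
# Owner-only access silences the "group or others accessible" log warning;
# VPN clients are unaffected, this only concerns local users on the router.
lock_down_keys() {
    private_files | while read -r path; do chmod 600 "$path"; done
}
# Permission string that works with GNU and BusyBox ls, e.g. -rw-------
perm_string() { ls -l "$1" | cut -c1-10; }
# Returns 0 only if the management line is present and every private file
# is 600; any non-zero status means something above still needs fixing.
check_setup() {
    grep -q '^management ' "$OVPN_DIR/openvpn.conf" || return 1
    private_files | while read -r path; do
        [ "$(perm_string "$path")" = "-rw-------" ] || exit 1
    done
}
```

On the router this would run from the startup script as `write_config && write_keys && lock_down_keys && check_setup` before the openvpn daemon is started.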
khael
DD-WRT User


Joined: 13 Mar 2008
Posts: 101

PostPosted: Mon Jan 24, 2011 0:25    Post subject:
Thanks for your guide :)

I used a part of it to configure my router :)
Thank you!
McKayCR
DD-WRT Novice


Joined: 05 Sep 2009
Posts: 36
Location: Maryland

PostPosted: Mon Jan 24, 2011 11:10    Post subject:
khael wrote:
Thanks for your guide :)

I used a part of it to configure my router :)
Thank you!


If you aren't having the route issues I'm having, I sure would like a peek at your configs to compare notes.

_________________
WRT54G v3
WRT300N v1
bl@d3runn3r
DD-WRT User


Joined: 10 Jan 2010
Posts: 210

PostPosted: Mon Jan 24, 2011 11:24    Post subject:
McKayCR wrote:
Quote:

Update:
I got it working again using the old Style method, but still no information on the OpenVPN information page (which worked in the new style method) and performance problems which I hoped would be gone in the new Style method.

Any ideas on how to get that part working?


You need to add the following to your server config to get your status page working:

Code:
management localhost 5001
Has no effect, besides that I can connect but am unable to generate traffic over the tunnel or ping the end point, so I'll stick to the old style method.
McKayCR
DD-WRT Novice


Joined: 05 Sep 2009
Posts: 36
Location: Maryland

PostPosted: Mon Jan 24, 2011 11:26    Post subject:
I'm confused on the new style versus the old style method. Do you have any links to these methods?
_________________
WRT54G v3
WRT300N v1
bl@d3runn3r
DD-WRT User


Joined: 10 Jan 2010
Posts: 210

PostPosted: Mon Jan 24, 2011 11:34    Post subject:
McKayCR wrote:
I'm confused on the new style versus the old style method. Do you have any links to these methods?


Old style (screenshot of the OpenVPN GUI page)

New style (screenshot of the OpenVPN GUI page)

As you can see, new style is just selecting stuff and you should be done (if it worked)
McKayCR
DD-WRT Novice


Joined: 05 Sep 2009
Posts: 36
Location: Maryland

PostPosted: Mon Jan 24, 2011 11:38    Post subject:
I don't have either of those methods available on my routers. What version Firmware are you running?
_________________
WRT54G v3
WRT300N v1
bl@d3runn3r
DD-WRT User


Joined: 10 Jan 2010
Posts: 210

PostPosted: Mon Jan 24, 2011 11:59    Post subject:
McKayCR wrote:
I don't have either of those methods available on my routers. What version Firmware are you running?

D-Link DIR-825 DD-WRT v24-sp2 (12/24/10) std
(SVN revision 15962)

I thought most of DD-WRT compatible routers would have this GUI.