OpenVPN config docs for v24 SP1?

DD-WRT Forum Index -> Broadcom SoC based Hardware
McKayCR
DD-WRT Novice


Joined: 05 Sep 2009
Posts: 36
Location: Maryland

PostPosted: Mon Jan 24, 2011 12:03
I have the latest firmware (DD-WRT v24-sp2 (08/07/10) vpn - build 14896) running as well, and I have a similar GUI, but yours clearly has more options than mine. I have to compensate by adding the commands to my server configs.
_________________
WRT54G v3
WRT300N v1


Last edited by McKayCR on Mon Jan 24, 2011 22:08; edited 1 time in total
khael
DD-WRT User


Joined: 13 Mar 2008
Posts: 101

PostPosted: Mon Jan 24, 2011 12:03
McKayCR wrote:
khael wrote:
thanks for your guide :)

I used a part of it to configure my router :)
thank you!


If you aren't having the route issues I'm having, I sure would like a peek at your configs, to compare notes.

i used this on startup:
Code:
cd /tmp
openvpn --mktun --dev tap0
brctl addif br0 tap0
ifconfig tap0 0.0.0.0 promisc up


this is my server conf:
Code:
port 1194
proto udp
dev tap0
mode server
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
client-to-client
keepalive 10 120
tls-server
tls-auth /tmp/openvpn/ta.key 0
comp-lzo
persist-key
persist-tun
verb 3

I use tap, not tun.
gynel
DD-WRT Novice


Joined: 28 Jan 2010
Posts: 7

PostPosted: Thu Jan 27, 2011 5:18
Finally got it working!!
This is the configuration:

Server:

mode server
dev tap0
tls-server
tls-auth /tmp/openvpn/ta.key 0
server-bridge 192.168.2.2 255.255.255.0 192.168.2.200 192.168.2.201
max-clients 2
proto udp
port 1194
daemon
keepalive 10 120
verb 3
client-to-client
comp-lzo
cipher AES-256-CBC
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
management localhost 5001

Client:

client
tls-client
tls-auth ta.key 1
ns-cert-type server
dev tap
proto udp
remote xxxx.dyndns.org 1194
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
cipher AES-256-CBC
verb 3
float
ca ca.crt
cert Work.crt
key Work.key

Startup script

openvpn --mktun --dev tap0          # create a persistent tap0 that survives OpenVPN restarts
brctl addif br0 tap0                # attach it to the LAN bridge
ifconfig tap0 0.0.0.0 promisc up    # no address on tap0 itself; br0 carries the LAN address

Firewall script

iptables -A INPUT -i tap0 -j ACCEPT              # accept traffic arriving on the tap interface
iptables -I INPUT -p udp --dport 1194 -j ACCEPT  # accept the OpenVPN handshake on UDP 1194


Security/Firewall - enabled
Security/VPN passthrough - all disabled
NAT/QoS/DMZ - disabled (it started to work immediately after I disabled DMZ)

Thank you all for help, info.

P.S. I use a converted 610Nv2 to E3000 with dd-wrt.v24-14929_NEWD-2_K2.6_big-e3000
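As an added example (not code from this thread, from DD-WRT or from OpenVPN), the following Python script takes the bridged server and client configs posted above and checks the things that have to agree on both sides before any route debugging makes sense: the tls-auth key direction (0 on the server, 1 on the client), tap versus tun, proto and port, cipher and comp-lzo, and that the server-bridge pool lies inside the bridge subnet. The function names, the BF-CBC default-cipher assumption for OpenVPN 2.x builds of that era, and the exact set of checks are this example's own.

```python
"""
Consistency checks for an OpenVPN server/client config pair.

Added example for this thread, not code from the forum posts or from the
DD-WRT or OpenVPN projects. SERVER_CONF and CLIENT_CONF are the bridged
(tap) configs posted above, trimmed to the directives compared here; the
check function and its rules are this example's own assumptions about
what to verify before going after routing problems.
"""
import ipaddress

SERVER_CONF = """\
mode server
dev tap0
tls-server
tls-auth /tmp/openvpn/ta.key 0
server-bridge 192.168.2.2 255.255.255.0 192.168.2.200 192.168.2.201
proto udp
port 1194
comp-lzo
cipher AES-256-CBC
"""

CLIENT_CONF = """\
client
tls-client
tls-auth ta.key 1
ns-cert-type server
dev tap
proto udp
remote xxxx.dyndns.org 1194
comp-lzo
cipher AES-256-CBC
"""

# Assumption: OpenVPN 2.x default when no 'cipher' line is given (no cipher
# negotiation existed before 2.4, so both sides must state the same one)
DEFAULT_CIPHER = ["BF-CBC"]


def parse(conf):
    """Map each directive to its argument list. Lines starting with '#' or ';'
    are comments; a directive given twice keeps its last occurrence, which is
    enough for the single-valued directives compared below."""
    out = {}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        name, *args = line.split()
        out[name] = args
    return out


def check_pair(server_conf, client_conf):
    """Return a list of mismatches between the two sides; [] means consistent."""
    s, c = parse(server_conf), parse(client_conf)
    problems = []

    # tls-auth: both sides, same shared key, opposite directions (server 0, client 1)
    if ("tls-auth" in s) != ("tls-auth" in c):
        problems.append("tls-auth is configured on only one side")
    elif "tls-auth" in s:
        dirs = ((s["tls-auth"][1:2] or [None])[0], (c["tls-auth"][1:2] or [None])[0])
        if dirs != ("0", "1"):
            problems.append(f"tls-auth directions must be server 0 / client 1, got {dirs}")

    # dev: 'tap0' on the server and 'tap' on the client are the same type; tun vs tap is not
    sdev, cdev = (x.get("dev", ["?"])[0].rstrip("0123456789") for x in (s, c))
    if sdev != cdev:
        problems.append(f"dev type mismatch: server {sdev}, client {cdev}")

    # transport and port: the client's 'remote host [port]' must hit the server's proto/port
    if s.get("proto", ["udp"]) != c.get("proto", ["udp"]):
        problems.append(f"proto mismatch: {s.get('proto')} vs {c.get('proto')}")
    sport = s.get("port", ["1194"])[0]
    cport = (c.get("remote", [])[1:2] or ["1194"])[0]
    if sport != cport:
        problems.append(f"port mismatch: server {sport}, client remote {cport}")

    # data channel: cipher and comp-lzo must agree exactly on both sides
    if s.get("cipher", DEFAULT_CIPHER) != c.get("cipher", DEFAULT_CIPHER):
        problems.append(f"cipher mismatch: {s.get('cipher')} vs {c.get('cipher')}")
    if ("comp-lzo" in s) != ("comp-lzo" in c):
        problems.append("comp-lzo set on only one side")

    # server-bridge GATEWAY MASK POOL-START POOL-END: the pool must sit inside the subnet
    if len(s.get("server-bridge", [])) == 4:
        gw, mask, lo, hi = s["server-bridge"]
        net = ipaddress.ip_network(f"{gw}/{mask}", strict=False)
        lo_a, hi_a = ipaddress.ip_address(lo), ipaddress.ip_address(hi)
        if lo_a not in net or hi_a not in net:
            problems.append(f"server-bridge pool {lo}-{hi} is outside {net}")
        elif lo_a > hi_a:
            problems.append("server-bridge pool start is above pool end")
    return problems


if __name__ == "__main__":
    print(check_pair(SERVER_CONF, CLIENT_CONF) or "configs are consistent")
```

One thing this script cannot check from the config alone is the client's `ns-cert-type server` line: it is a check on the server certificate, and it only passes if that certificate carries the nsCertType=server extension (easy-rsa's build-key-server issues it that way; a server certificate made with plain build-key is refused by the client).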
McKayCR
DD-WRT Novice


Joined: 05 Sep 2009
Posts: 36
Location: Maryland

PostPosted: Sun Mar 06, 2011 23:15
Quote:
UPDATE:

I added some routes through the gui on both the server router and the client router. Now computers behind the server can ping the internal 192.168.2.1 of the client router, but they still can't ping any computers connected to it. However, everyone connected to the client router was able to fully communicate to computers behind the server router.

So close...


Still no changes, I have been stumped by this.. any input would be awesome

_________________
WRT54G v3
WRT300N v1
Gektor
DD-WRT Novice


Joined: 10 Mar 2011
Posts: 6

PostPosted: Thu Mar 10, 2011 21:16
Hi all
Some questions here
Have 1 local LAN (something like 192.168.1.0)
And started:
PPTP Server (192.168.0.0)
OpenVPN Server (192.168.100.0)
Some clients connect to PPTP server and some clients connect to OpenVPN server.
How can I allow clients on the server-side local LAN (192.168.1.0) to access clients on the client LANs (OpenVPN - 192.168.100.0 and PPTP - 192.168.0.0), and allow PPTP clients to access OpenVPN clients? Router: ASUS RT-N16, DD-WRT ver. 14929.
Any ideas?
donphillipe
DD-WRT User


Joined: 18 Jun 2008
Posts: 166

PostPosted: Fri Nov 04, 2011 16:31    Post subject: OpenVPN works unless SPI Firewall enabled
I have been working on this for years, always giving up trying to get OpenVPN working and never being successful. I know just enough to be dangerous, so I finally bought a used Asus 500gp v2 that supports the DD-WRT mega version and decided to try again. The good news is that after 3 days I got it working via TCP and all was OK, then changed it to UDP and all was OK. Then, as a final step, I switched my SPI Firewall back "ON" and it now no longer works.

The documentation in the wiki OpenVPN the easy way http://www.dd-wrt.com/wiki/index.php/VPN_%28the_easy_way%29_v24%2B says to debug this by using the command
iptables -L -v -n --line-numbers

Code:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            63.251.179.13       
2        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            8.15.7.117         
3      899 85624 ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
4        0     0 invalid    0    --  vlan1  *       0.0.0.0/0            0.0.0.0/0           state INVALID
5        0     0 ACCEPT     0    --  lo     *       0.0.0.0/0            0.0.0.0/0           
6        0     0 DROP       udp  --  br0    *       0.0.0.0/0            0.0.0.0/0           udp dpt:520
7      120  6804 ACCEPT     0    --  br0    *       0.0.0.0/0            0.0.0.0/0           
8        0     0 DROP       udp  --  vlan1  *       0.0.0.0/0            0.0.0.0/0           udp dpt:520
9        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:520
10       0     0 logdrop    icmp --  vlan1  *       0.0.0.0/0            0.0.0.0/0           
11       0     0 logdrop    2    --  *      *       0.0.0.0/0            0.0.0.0/0           
12       0     0 ACCEPT     udp  --  vlan1  *       0.0.0.0/0            0.0.0.0/0           udp dpt:5060
13       0     0 DROP       udp  --  vlan1  *       0.0.0.0/0            239.255.255.0/24    udp dpt:1900
14      38  7483 logdrop    0    --  *      *       0.0.0.0/0            0.0.0.0/0           
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1       32  1656 TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x02 TCPMSS clamp to PMTU
2     1359  320K ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
3        0     0 invalid    0    --  vlan1  *       0.0.0.0/0            0.0.0.0/0           state INVALID
4        0     0 ACCEPT     0    --  br0    br0     0.0.0.0/0            0.0.0.0/0           
5        0     0 ACCEPT     0    --  tun0   br0     0.0.0.0/0            0.0.0.0/0           
6        0     0 ACCEPT     0    --  br0    tun0    0.0.0.0/0            0.0.0.0/0           
7        0     0 ACCEPT     47   --  *      vlan1   192.168.158.0/24     0.0.0.0/0           
8        0     0 ACCEPT     tcp  --  *      vlan1   192.168.158.0/24     0.0.0.0/0           tcp dpt:1723
9       17   977 ACCEPT     0    --  br0    *       0.0.0.0/0            0.0.0.0/0           
10       0     0 logdrop    0    --  *      *       0.0.0.0/0            0.0.0.0/0   

<<<<<<< continues >>>>>>>>>>


I have no idea what to look for here, nor what to make of the info I see from logging in to the router at /var/log/messages. Any ideas? I hate to paste the long system log files here, consuming this site's resources.

Any ideas where to start?

dd-wrt router firewall script:
Code:
iptables -I INPUT 1 -p udp –dport 1194 -j ACCEPT
iptables -I FORWARD 1 –source 192.168.158.0/24 -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT


Notes:
*removed line iptables -I FORWARD 1 –source 192.168.158.0/24 -j ACCEPT which did not help
*router ip address is 192.168.158.1

Client config:
Code:
client
dev tun
proto udp
remote 192.168.0.160 1194
resolv-retry infinite
nobind
persist-key
persist-tun

ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server

comp-lzo
verb 4


Server config:
Code:
push "route 192.168.158.0 255.255.255.0"
server 10.8.0.0 255.255.255.0

dev tun0
proto udp
keepalive 10 120

comp-lzo

dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem

verb 5

management localhost 5001


Again, this setup works fine with the SPI firewall off. What would I do to debug to allow to turn the SPI firewall back on and continue to use OpenVPN?
James2k
DD-WRT Guru


Joined: 23 Oct 2011
Posts: 549

PostPosted: Fri Nov 04, 2011 18:35
I'm no expert, but I've been playing around with OpenVPN the past few days and finally managed to get it working.

My only suggestion would be the firewall rule. Here's a snippet of my OpenVPN firewall stuff.

Code:

iptables -I INPUT 1 -p tcp --dport 1194 -j ACCEPT
iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT
iptables -I FORWARD 1 --source 192.168.66.0/24 -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT


I have my OpenVPN server running over TCP because UDP is really unstable at my workplace, but that shouldn't be any issue in regards to your situation. My config is:

192.168.1.0 (Private Network I want to VPN to)
192.168.66.0 (OpenVPN Clients Network)

Code:

push "route 192.168.1.0 255.255.255.0"
server 192.168.66.0 255.255.255.0


Also, with your firewall rules, make sure the dport and source bits have a double dash, i.e. --, before them (see my iptables entry above). I noticed a few websites with tutorials regarding OpenVPN often turned the double dash into one dash (due to the CMS or a bad copy-and-paste job), which isn't the correct syntax.
Apart from that your server and config files look fine.

Good luck!
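The two posts above are about the same thing from two sides: the SPI firewall dropping the OpenVPN handshake, and a firewall script whose dashes may not be what iptables expects. As an added example (not code from this thread or from DD-WRT), the following Python script parses the `iptables -L -v -n --line-numbers` listing posted above and reports whether an ACCEPT for UDP 1194 exists in INPUT ahead of the terminal logdrop and whether FORWARD passes tun0 and br0 traffic both ways; it then rewrites the posted firewall script, replacing en or em dashes in front of option names with the `--` iptables needs. The listing is trimmed to the rules that matter, the script's dashes are written as escapes so they are visible, and the function names and checks are this example's own.

```python
"""
Two checks for the firewall side of an OpenVPN server on DD-WRT.

Added example for this thread, not code from the forum posts or from
DD-WRT. IPTABLES_DUMP is the `iptables -L -v -n --line-numbers` listing
posted above, trimmed to the rules that matter here (rule numbers kept);
FIREWALL_SCRIPT is the firewall script posted with it, with its dash
characters written as \\u escapes. Function names and the exact checks
are this example's own assumptions.
"""
import re

IPTABLES_DUMP = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
3      899 85624 ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
5        0     0 ACCEPT     0    --  lo     *       0.0.0.0/0            0.0.0.0/0
7      120  6804 ACCEPT     0    --  br0    *       0.0.0.0/0            0.0.0.0/0
14      38  7483 logdrop    0    --  *      *       0.0.0.0/0            0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
2     1359  320K ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
5        0     0 ACCEPT     0    --  tun0   br0     0.0.0.0/0            0.0.0.0/0
6        0     0 ACCEPT     0    --  br0    tun0    0.0.0.0/0            0.0.0.0/0
10       0     0 logdrop    0    --  *      *       0.0.0.0/0            0.0.0.0/0
"""

FIREWALL_SCRIPT = (
    "iptables -I INPUT 1 -p udp \u2013dport 1194 -j ACCEPT\n"
    "iptables -I FORWARD 1 \u2013source 192.168.158.0/24 -j ACCEPT\n"
    "iptables -I FORWARD -i br0 -o tun0 -j ACCEPT\n"
    "iptables -I FORWARD -i tun0 -o br0 -j ACCEPT\n"
)

FIELDS = ("num", "pkts", "bytes", "target", "prot", "opt", "in", "out", "src", "dst")


def parse_iptables(text):
    """Return {chain: [rule, ...]}; each rule is a dict of the listing's columns
    plus 'extra' (match text such as 'udp dpt:1194' or 'state ...')."""
    chains, current = {}, None
    for line in text.splitlines():
        if line.startswith("Chain "):
            current = line.split()[1]
            chains[current] = []
            continue
        fields = line.split(None, 10)
        if current is None or len(fields) < 10 or not fields[0].isdigit():
            continue  # header row or blank line
        rule = dict(zip(FIELDS, fields[:10]))
        rule["extra"] = fields[10].strip() if len(fields) > 10 else ""
        chains[current].append(rule)
    return chains


def is_catch_all_drop(r):
    """A drop/log-drop matching every packet: an unmatched VPN handshake ends
    here, so the ACCEPT for it has to be listed earlier in the chain."""
    return (r["target"] in ("DROP", "REJECT", "logdrop") and r["prot"] in ("0", "all")
            and r["in"] == "*" and r["src"] == "0.0.0.0/0" and r["dst"] == "0.0.0.0/0"
            and r["extra"] == "")


def check_openvpn_rules(chains, proto="udp", port="1194", tun="tun0", lan="br0"):
    """List what is missing for an OpenVPN server on tun0 behind the SPI firewall."""
    problems = []
    inp = chains.get("INPUT", [])
    accept = next((i for i, r in enumerate(inp)
                   if r["target"] == "ACCEPT" and r["prot"] == proto
                   and f"dpt:{port}" in r["extra"]), None)
    drop = next((i for i, r in enumerate(inp) if is_catch_all_drop(r)), None)
    if accept is None:
        problems.append(f"INPUT: no ACCEPT for {proto} dpt:{port}")
    elif drop is not None and accept > drop:
        problems.append(f"INPUT: ACCEPT for {proto} dpt:{port} (rule {inp[accept]['num']}) "
                        f"comes after catch-all {inp[drop]['target']} (rule {inp[drop]['num']})")
    fwd = chains.get("FORWARD", [])
    for i_if, o_if in ((tun, lan), (lan, tun)):
        if not any(r["target"] == "ACCEPT" and r["in"] == i_if and r["out"] == o_if for r in fwd):
            problems.append(f"FORWARD: no ACCEPT {i_if} -> {o_if}")
    return problems


# an en dash, em dash or minus sign at the start of a token, directly before a word
BAD_DASH = re.compile(r"(?<!\S)[\u2013\u2014\u2212](?=\w)")


def fix_dashes(script):
    """Replace dashes that a CMS or copy-paste turned '--dport' into; iptables
    rejects such a line, so the rule never gets inserted. Returns the
    corrected script and the 1-based line numbers that changed."""
    fixed, changed = [], []
    for n, line in enumerate(script.splitlines(), 1):
        new = BAD_DASH.sub("--", line)
        if new != line:
            changed.append(n)
        fixed.append(new)
    return "\n".join(fixed) + "\n", changed


if __name__ == "__main__":
    for p in check_openvpn_rules(parse_iptables(IPTABLES_DUMP)):
        print("missing:", p)
    script, lines = fix_dashes(FIREWALL_SCRIPT)
    print("lines with bad dashes:", lines)
    print(script)
```

Run on the posted listing, the FORWARD checks pass (rules 5 and 6 already pass tun0 and br0 both ways) and the only finding is that INPUT has no ACCEPT for udp dpt:1194 at all, which is consistent with the two firewall-script lines that carry an en dash having been rejected by iptables rather than inserted.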
bmatthewshea
DD-WRT User


Joined: 31 Jul 2008
Posts: 53

PostPosted: Sun Nov 06, 2011 18:13    Post subject: Re: OpenVPN works unless SPI Firewall enabled
donphillipe wrote:
I have been working on this for years, always giving up trying to get OpenVPN working and never being successful. I know just enough to be dangerous, so I finally bought a used Asus 500gp v2 that supports the dd-wrt mega version and decided to try again. Good news is after 3 days I got it working via TCP ...


Yes, this is always something to keep in mind (getting a 'bigger' router). I tended to find the Linksys/Broadcom models with limited RAM (4 MB models) to be very unstable, and they sometimes ran out of space when running OpenVPN (default location), even when running a limited build.

I run a mega build on an Asus RT-N16 now, but I still put all OpenVPN files on jffs area even then. Pretty stable now. If you have limited nvram (especially if running something more than just OpenVPN) use /jffs. There is plenty of documentation on how to create jffs area and your router nvram will thank you.


Last edited by bmatthewshea on Mon Nov 07, 2011 14:04; edited 2 times in total
James2k
DD-WRT Guru


Joined: 23 Oct 2011
Posts: 549

PostPosted: Sun Nov 06, 2011 18:47
I run OpenVPN on a WNR3500L running the big build and have just over 3000 bytes of NVRAM left after all the certificates and such (via GUI) which isn't too bad.
bmatthewshea
DD-WRT User


Joined: 31 Jul 2008
Posts: 53

PostPosted: Mon Nov 07, 2011 13:59
James2k wrote:
I run OpenVPN on a WNR3500L running the big build and have just over 3000 bytes of NVRAM left after all the certificates and such (via GUI) which isn't too bad.


I should have noted I wasn't writing that directly at you, but you brought up a good point (and yes, you have plenty of breathing room re: nvram) ;).

My point was that even if you get firewall rules and ovpn configs correct, if you don't have enough nvram, ovpn will not work (or at very least router will be very unstable). Just something to keep in mind for all users of openvpn.
sefs
DD-WRT User


Joined: 01 Oct 2008
Posts: 130

PostPosted: Mon Sep 17, 2012 13:44
I have two questions about unnecessary commands in the setup of bridged openvpn.

1/
openvpn --mktun --dev tap0 (in start up script)

2/
iptables -A INPUT -i tap0 -j ACCEPT (in firewall)

Are the above two commands actually necessary? I noticed that if I remove them, the bridged OpenVPN seems to work as expected.

What functionality do these two commands add to getting bridged openvpn working?


EDIT: I just realized I posted this to the wrong thread. It was meant for the related howto for bridged openvpn.


Last edited by sefs on Mon Sep 17, 2012 15:47; edited 1 time in total
James2k
DD-WRT Guru


Joined: 23 Oct 2011
Posts: 549

PostPosted: Mon Sep 17, 2012 13:49
They are both necessary depending on the way you configure OpenVPN.

1. mktun is for persistence; see the OpenVPN man page:

http://openvpn.net/index.php/open-source/documentation/manuals/65-openvpn-20x-manpage.html

2. This firewall rule allows traffic on the tap0 interface through.

For newer builds you can use the GUI config method which does remove the need for these commands.

For the config file method they are required.

_________________
James

Main router:

Netgear R7000 overclocked to 1.2GHz - DD-WRT v3.0-r35965M kongac

IPv6 6in4 (HE.net), OpenVPN (with PBR and split tunnelling), Entware, dnsmasq with ipset

Easy ipset support for the R7000

VPN speed: Download: 77.96 Mbps Upload: 5.00 Mbps (AES-128-CBC HMAC-SHA1)

Yes you can get 50 Mbps+ with OpenVPN on a R7000 if you configure it properly!

Previous routers:

ASUS RT-N66U - The Dark Knight
WNR2000v3 - Bought on the cheap for someone else, neutered crap
WNR3500Lv1 - First venture into the DD-WRT world
sefs
DD-WRT User


Joined: 01 Oct 2008
Posts: 130

PostPosted: Mon Sep 17, 2012 14:59
James2k wrote:
They are both necessary depending on the way you configure OpenVPN.

1. mktun is for persistence; see the OpenVPN man page:

http://openvpn.net/index.php/open-source/documentation/manuals/65-openvpn-20x-manpage.html

2. This firewall rule allows traffic on the tap0 interface through.

For newer builds you can use the GUI config method which does remove the need for these commands.

For the config file method they are required.


Thanks James. Makes sense now.


Last edited by sefs on Mon Sep 17, 2012 22:01; edited 2 times in total
sefs
DD-WRT User


Joined: 01 Oct 2008
Posts: 130

PostPosted: Mon Sep 17, 2012 21:58    Post subject: No status info of connected client on openvpn status tab
Hi there,

So I set this thing up and enabled the:
management localhost 5001

When I check the tab with a client connected,

I only see
1/
State info

2/
Log info

...but no status info for the client....

See attached image....



[attachment: nostatus1.png]

James2k
DD-WRT Guru


Joined: 23 Oct 2011
Posts: 549

PostPosted: Mon Sep 17, 2012 22:05
What's the log output on the client side?
Page 23 of 24. All times are GMT.