OpenVPN config docs for v24 SP1?

sefs
DD-WRT User


Joined: 01 Oct 2008
Posts: 130

Posted: Mon Sep 17, 2012 22:46
James2k wrote:
What's the log output on the client side?


Here it is...

Code:

Mon Sep 17 18:32:33 2012 OpenVPN 2.2.2 Win32-MSVC++ [SSL] [LZO2] [PKCS11] built on Dec 15 2011
Mon Sep 17 18:32:33 2012 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mon Sep 17 18:32:33 2012 NOTE: --script-security method='system' is deprecated due to the fact that passed parameters will be subject to shell expansion
Mon Sep 17 18:32:33 2012 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
Mon Sep 17 18:32:33 2012 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Sep 17 18:32:33 2012 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Sep 17 18:32:33 2012 LZO compression initialized
Mon Sep 17 18:32:33 2012 Control Channel MTU parms [ L:1590 D:166 EF:66 EB:0 ET:0 EL:0 ]
Mon Sep 17 18:32:33 2012 Socket Buffers: R=[8192->8192] S=[8192->8192]
Mon Sep 17 18:32:34 2012 Data Channel MTU parms [ L:1590 D:1450 EF:58 EB:135 ET:32 EL:0 AF:3/1 ]
Mon Sep 17 18:32:34 2012 Local Options hash (VER=V4): 'fb60370b'
Mon Sep 17 18:32:34 2012 Expected Remote Options hash (VER=V4): '5ecdb6ce'
Mon Sep 17 18:32:34 2012 UDPv4 link local: [undef]
Mon Sep 17 18:32:34 2012 UDPv4 link remote: 208.192.253.4:1194
Mon Sep 17 18:32:34 2012 TLS: Initial packet from 208.192.253.4:1194, sid=c8755a48 cb2e6c2f
Mon Sep 17 18:32:34 2012 VERIFY OK: depth=1, /C=AU/ST=St._ALS/L=GORBY/O=MINX/OU=MINX/CN=FSH/emailAddress=tipid@home.com
Mon Sep 17 18:32:34 2012 VERIFY OK: nsCertType=SERVER
Mon Sep 17 18:32:34 2012 VERIFY OK: depth=0, /C=AU/ST=St._ALS/L=GORBY/O=MINX/OU=MINX/CN=lucid/emailAddress=tipid@home.com
Mon Sep 17 18:32:35 2012 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Mon Sep 17 18:32:36 2012 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Sep 17 18:32:36 2012 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Mon Sep 17 18:32:36 2012 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Sep 17 18:32:36 2012 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Mon Sep 17 18:32:36 2012 [lucid] Peer Connection Initiated with 208.192.253.4:1194
Mon Sep 17 18:32:38 2012 SENT CONTROL [lucid]: 'PUSH_REQUEST' (status=1)
Mon Sep 17 18:32:38 2012 PUSH: Received control message: 'PUSH_REPLY,route 172.25.26.0 255.255.255.0,route 172.25.90.0 255.255.255.0,topology net30,ping 10,ping-restart 60,ifconfig 172.25.90.6 172.25.90.5'
Mon Sep 17 18:32:38 2012 OPTIONS IMPORT: timers and/or timeouts modified
Mon Sep 17 18:32:38 2012 OPTIONS IMPORT: --ifconfig/up options modified
Mon Sep 17 18:32:38 2012 OPTIONS IMPORT: route options modified
Mon Sep 17 18:32:38 2012 ROUTE default_gateway=172.25.25.1
Mon Sep 17 18:32:38 2012 TAP-WIN32 device [Local Area Connection 2] opened: \\.\Global\{4A70AADE-65B9-420F-8D33-45AEEC1BE350}.tap
Mon Sep 17 18:32:38 2012 TAP-Win32 Driver Version 9.9
Mon Sep 17 18:32:38 2012 TAP-Win32 MTU=1500
Mon Sep 17 18:32:38 2012 Notified TAP-Win32 driver to set a DHCP IP/netmask of 172.25.90.6/255.255.255.252 on interface {4A70AADE-65B9-420F-8D33-45AEEC1BE350} [DHCP-serv: 172.25.90.5, lease-time: 31536000]
Mon Sep 17 18:32:38 2012 Successful ARP Flush on interface [16] {4A70AADE-65B9-420F-8D33-45AEEC1BE350}
Mon Sep 17 18:32:43 2012 TEST ROUTES: 3/3 succeeded len=2 ret=1 a=0 u/d=up
Mon Sep 17 18:32:43 2012 C:\WINDOWS\system32\route.exe ADD 208.192.253.4 MASK 255.255.255.255 172.25.25.1
Mon Sep 17 18:32:43 2012 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=10 and dwForwardType=4
Mon Sep 17 18:32:44 2012 Route addition via IPAPI succeeded [adaptive]
Mon Sep 17 18:32:44 2012 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 172.25.90.5
Mon Sep 17 18:32:44 2012 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
Mon Sep 17 18:32:44 2012 Route addition via IPAPI succeeded [adaptive]
Mon Sep 17 18:32:44 2012 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 172.25.90.5
Mon Sep 17 18:32:44 2012 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
Mon Sep 17 18:32:44 2012 Route addition via IPAPI succeeded [adaptive]
Mon Sep 17 18:32:44 2012 C:\WINDOWS\system32\route.exe ADD 172.25.26.0 MASK 255.255.255.0 172.25.90.5
Mon Sep 17 18:32:44 2012 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
Mon Sep 17 18:32:44 2012 Route addition via IPAPI succeeded [adaptive]
Mon Sep 17 18:32:44 2012 C:\WINDOWS\system32\route.exe ADD 172.25.90.0 MASK 255.255.255.0 172.25.90.5
Mon Sep 17 18:32:44 2012 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
Mon Sep 17 18:32:44 2012 Route addition via IPAPI succeeded [adaptive]
Mon Sep 17 18:32:44 2012 Initialization Sequence Completed
James2k
DD-WRT Guru


Joined: 23 Oct 2011
Posts: 549

Posted: Tue Sep 18, 2012 7:48
So the client makes a successful connection.

I guess the only thing it could be is the verbosity setting of logging on the server side.

Adding a specific logging setting:

Code:
verb 3


Should work. The default is 1, which isn't much. 3-5 are usually good enough. Verb 6 and above is for debug purposes and outputs a lot of info.

_________________
James

Main router:

Netgear R7000 overclocked to 1.2GHz - DD-WRT v3.0-r35965M kongac

IPv6 6in4 (HE.net), OpenVPN (with PBR and split tunnelling), Entware, dnsmasq with ipset

Easy ipset support for the R7000

VPN speed: Download: 77.96 Mbps Upload: 5.00 Mbps (AES-128-CBC HMAC-SHA1)

Yes you can get 50 Mbps+ with OpenVPN on a R7000 if you configure it properly!

Previous routers:

ASUS RT-N66U - The Dark Knight
WNR2000v3 - Bought on the cheap for someone else, neutered crap
WNR3500Lv1 - First venture into the DD-WRT world
sefs
DD-WRT User


Joined: 01 Oct 2008
Posts: 130

Posted: Tue Sep 18, 2012 10:19
James2k wrote:
So the client makes a successful connection.

I guess the only thing it could be is the verbosity setting of logging on the server side.

Adding a specific logging setting:

Code:
verb 3


Should work. The default is 1, which isn't much. 3-5 are usually good enough. Verb 6 and above is for debug purposes and outputs a lot of info.


Yes, the VPN clients are able to access the internet and ping the LAN clients, and the LAN clients are able to ping the VPN clients and see each other's shares.

The verb clause is already set to 5.

I wonder if it is the version that I am using that simply does not have this feature. I was looking at another DD-WRT VPN server I have, and this is how it looks without a client connected. Can you see in the status area the headings just waiting there to receive information on connected clients, unlike the first one, which does not have those headings at all?

[Attachment: vpnwithworkingstatus.png]
James2k
DD-WRT Guru


Joined: 23 Oct 2011
Posts: 549

Posted: Tue Sep 18, 2012 11:20
Interesting. Now that you showed me this, I went and checked my own OpenVPN setup and found that I no longer have client logs in the status section either. My laptop is currently connected from my workplace, so it should be there.

I remember it being present on 14929 but haven't really noticed it disappearing. The server log, which is cut off, still lists connections with client keys, so it's fine really.

[Attachment: openvpn_status.jpg]
sefs
DD-WRT User


Joined: 01 Oct 2008
Posts: 130

Posted: Tue Sep 18, 2012 11:31
James2k wrote:
Interesting. Now that you showed me this, I went and checked my own OpenVPN setup and found that I no longer have client logs in the status section either. My laptop is currently connected from my workplace, so it should be there.

I remember it being present on 14929 but haven't really noticed it disappearing. The server log, which is cut off, still lists connections with client keys, so it's fine really.


Thanks. I was just pondering going back to 14929. What version are you currently running? I am on 17201. Can't remember why I had selected this version, but at the time it was important.

The one with the headings that I posted last dates back to before 14929. It is a v12548 NEWD from eko.
James2k
DD-WRT Guru


Joined: 23 Oct 2011
Posts: 549

Posted: Tue Sep 18, 2012 11:34
I'm running 18730; this is a special build for certain routers (Kong builds).

I found 14929 was very solid and worked great. The only downside for me was that UPnP didn't seem to work very well and QoS is broken, but apart from that everything else is golden.

14929 is the recommended build, so it might be a good idea. I don't exactly know what's happened with the logs, but I might investigate further when I'm back at home later.

sefs
DD-WRT User


Joined: 01 Oct 2008
Posts: 130

Posted: Tue Sep 18, 2012 18:54
James2k wrote:
I'm running 18730 this is special build for certain routers. (Kong Builds).


Just an informational update. I downgraded to 14929, and the client status that is missing from 17201 (and, it seems, from your build as well) is there in 14929, as you remembered. So someone tweaked it after 14929. My only remorse is that 17201 was running OpenVPN 2.2.0 while this is stuck on 2.1.1.

[Attachment: 14929.png]
sefs
DD-WRT User


Joined: 01 Oct 2008
Posts: 130

Posted: Sun Sep 23, 2012 19:30
Connection tracking (I hope I have the right term)

-m conntrack --ctstate and -m state --state are broken and will not work at all in 14929.

That's another thing that is not working in this build.
The up script for OpenVPN also forcibly injects an iptables rule for tun0 and leaves it wide open, which in my opinion does not make sense. It uses -I, so it overrides any INPUT rule you put in the firewall commands window, since OpenVPN starts after those rules have been added to iptables. The only way to get rid of it is to delete it in the startup window, where those commands seem to run only after all services have been started.
James2k
DD-WRT Guru


Joined: 23 Oct 2011
Posts: 549

Posted: Sun Sep 23, 2012 20:51
Maybe submit a ticket to trac:

svn.dd-wrt.com

OpenVPN is broken in the new builds, so might be able to get it addressed.

sefs
DD-WRT User


Joined: 01 Oct 2008
Posts: 130

Posted: Wed Sep 26, 2012 20:55
James2k wrote:
Interesting. Now that you showed me this, I went and checked my own OpenVPN setup and found that I no longer have client logs in the status section either.


James, you may be interested in this. I am mucking about in the filesystem to see where they are hard-coding the firewall and port for OpenVPN in earlier versions before 17201.

I came across this file:

/etc/openvpnlog.sh
Code:

#!/bin/sh
/bin/echo -e "Serverlog \n"
/bin/echo "log 500" | /usr/bin/nc 127.0.0.1 5002 | /bin/grep -v "^>" | /usr/bin/awk -F "," '{
   printf strftime("%Y%m%d %H:%M:%S ",$1);
   for (i=2;i<=NF;i++)
      printf $i" "
   printf "<br>\n";
   }'

/bin/echo -e "\n"
/bin/echo -e "\n"
/bin/echo -e "\n"

/bin/echo -e "Clientlog \n"
/bin/echo "log 500" | /usr/bin/nc 127.0.0.1 5001 | /bin/grep -v "^>" | /usr/bin/awk -F "," '{
   printf strftime("%Y%m%d %H:%M:%S ",$1);
   for (i=2;i<=NF;i++)
      printf $i" "
   printf "<br>\n";
   }'


That means that in your server.conf, if you want the server log, it would be:

Code:
management localhost 5002


That will bring back the proper server log when you go to Status -> OpenVPN.

Otherwise, if you are using DD-WRT as the client, then in the client.conf:

Code:
management localhost 5001
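As an added example (not part of the thread and not the firmware's script), here is a Python reader for the same management-interface query that /etc/openvpnlog.sh runs: send `log 500` to the management socket, drop the asynchronous `>` lines as the `grep -v "^>"` does, and split each history line on commas as the awk does. The sample reply, the host/port defaults and the message text are constructed assumptions.

```python
"""Reader for the OpenVPN management 'log' history (added example, not firmware code)."""
import socket
import time
from typing import List, Tuple

# Constructed sample reply, shaped like what 'log 500' returns: lines
# starting with '>' are asynchronous notifications (grep -v "^>" drops them),
# each history entry is 'unix_timestamp,flags,message', END terminates it.
SAMPLE_REPLY = (
    ">INFO:OpenVPN Management Interface Version 1 -- type 'help'\n"
    "1347897153,,OpenVPN 2.1.1 mipsel-linux [constructed banner]\n"
    "1347897153,I,TUN/TAP device tun0 opened\n"
    "1347897154,,client1/203.0.113.7:51234 Peer Connection Initiated\n"
    ">CLIENT:ESTABLISHED,0\n"
    "1347897155,,Initialization Sequence Completed\n"
    "END\n"
)

def parse_log_reply(reply: str) -> List[Tuple[int, str, str]]:
    """Return (timestamp, flags, message) entries, skipping '>' lines."""
    entries = []
    for line in reply.splitlines():
        if line == "END":            # end of the history dump
            break
        if not line or line.startswith(">"):
            continue
        # awk -F "," splits on every comma; split at most twice instead so
        # a message that itself contains commas stays intact.
        ts, flags, message = line.split(",", 2)
        entries.append((int(ts), flags, message))
    return entries

def format_entry(entry: Tuple[int, str, str]) -> str:
    """Render one entry like the awk printf/strftime does (UTC here)."""
    ts, flags, message = entry
    stamp = time.strftime("%Y%m%d %H:%M:%S", time.gmtime(ts))
    return " ".join(part for part in (stamp, flags, message) if part)

def fetch_log(host="127.0.0.1", port=5002, count=500, timeout=5.0) -> str:
    """Query a live management socket (host/port are assumptions)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(f"log {count}\n".encode())
        buf = b""
        while b"\nEND" not in buf:   # history lines never start with END
            chunk = sock.recv(4096)
            if not chunk:
                break
            buf += chunk
    return buf.decode(errors="replace")
```

The management interface accepts any command from whoever can reach the socket unless `management` is given a password file, which is why the `localhost` binding in the config lines above matters.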
James2k
DD-WRT Guru


Joined: 23 Oct 2011
Posts: 549

Posted: Wed Sep 26, 2012 22:21
Excellent catch! Just changed the port to 5002 in my server.conf and the status section came back again!

Great find! This should be noted on the OpenVPN Wiki, because I remember it working with management on 5001 before. While only a cosmetic issue, it's still noteworthy for anyone using newer builds.

newnews
DD-WRT User


Joined: 14 Feb 2010
Posts: 86

Posted: Thu Sep 27, 2012 0:18    Post subject: Enabling OpenVPN causes my 2.4 GHz WLAN to stop working
I am using 14929 on a WRT610N V2 router. Every time I apply OpenVPN, my 2.4 GHz wireless channel stops working. Simply disabling OpenVPN won't recover the 2.4 GHz wireless; I have to restore the previous backup settings (from before OpenVPN was enabled), but 5 GHz is OK. What should I do for troubleshooting? I also have the PPTP server enabled; can they co-exist?