Posted: Mon Nov 05, 2012 21:47 Post subject: OpenVPN server trouble
I am running build 20119 on a Netgear WNDR3700v1 and am trying to set up an OpenVPN server to connect to my network from my Android phone (Galaxy Nexus running stock android 4.1.2 un-rooted).
On my LAN the router is 192.168.2.1 and the normal clients are in the range 192.168.2.100-140.
I have set up the OpenVPN server following the various tutorial posts and reading the various pages on the wiki. Using the GUI I have set up the OpenVPN server in TUN mode with the network set as 192.168.10.0 with netmask 255.255.255.0 and UDP on port 1194. I have generated certificates and keys (Server, CA) and DH PEM parameters.
From my phone I am using OpenVPN for Android. I can connect to my OpenVPN server which tells me that all the certificates and keys are set up correctly.
My problem is that apparently I cannot get any traffic to flow through the VPN. In OpenVPN for Android I also get a warning that no DNS servers are pushed through the VPN.
So I am thinking that the SPI firewall is blocking my traffic or that the traffic is not routed correctly, but all my attempts to set up the rc_firewall parameters have not solved my problem.
# Log window is better readable this way
suppress-timestamps
client
verb 2
connect-retry-max 5
resolv-retry 5
dev tun
remote XX.XX.XX 1194 udp
ca /storage/sdcard0/ca.crt
key /storage/sdcard0/client1.key
cert /storage/sdcard0/client1.crt
comp-lzo
route-ipv6 ::/0
route 0.0.0.0 0.0.0.0
nobind
persist-tun
# persist-tun also sets persist-remote-ip to avoid DNS resolve problem
persist-remote-ip
Log:
Running on Galaxy Nexus (tuna) google, Android API 16
Building configuration…
P:OpenVPN 2.3_beta1 android-14-armeabi-v7a [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Oct 10 2012
Network Status: CONNECTED to WIFI
P:WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
P:WARNING: file '/storage/sdcard0/client1.key' is group or others accessible
P:Protecting socket fd 4
P:UDPv4 link local: [undef]
P:UDPv4 link remote: [AF_INET]XX.XX.XX.XX:1194
P:VERIFY OK: depth=1, C=XX, ST=XX, L=XX, O=OpenVPN, OU=MyUnit, CN=OpenVPN-CA, name=XX, emailAddress=xx@xx.xx
P:VERIFY OK: depth=0, C=XX, ST=XX, L=XX, O=OpenVPN, OU=MyUnit, CN=server, name=XX, emailAddress=xx@xx.xx
P:WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1542', remote='link-mtu 1554'
P:WARNING: 'auth' is used inconsistently, local='auth SHA1', remote='auth SHA256'
P:Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
P:Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
P:Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
P:Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
P:Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
P:[server] Peer Connection Initiated with [AF_INET]XX.XX.XX.XX:1194
P:OpenVPN ROUTE6: OpenVPN needs a gateway parameter for a --route-ipv6 option and no default was specified by either --route-ipv6-gateway or --ifconfig-ipv6 options
P:OpenVPN ROUTE: failed to parse/resolve route for host/network: ::/0
P:do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
No DNS servers being used. Name resolution may not work. Consider setting custom DNS Servers
P:Initialization Sequence Completed
If you need log-files from the server (dd-wrt) please tell me which ones and where to find them.
I am now running dd-wrt build 19519 (downgraded from 20119-testing because the PPTP server did not work in 20119).
# Log window is better readable this way
suppress-timestamps
client
verb 2
connect-retry-max 5
resolv-retry 5
dev tun
remote XX.XX.XX 1194 udp
ca /storage/sdcard0/ca.crt
key /storage/sdcard0/client1.key
cert /storage/sdcard0/client1.crt
comp-lzo
route-ipv6 ::/0
route 0.0.0.0 0.0.0.0
nobind
persist-tun
# persist-tun also sets persist-remote-ip to avoid DNS resolve problem
persist-remote-ip
# Custom configuration options
# You are on your own here :)
auth SHA256
Client Log:
Running on Galaxy Nexus (tuna) google, Android API 16
Log cleared.
Building configuration…
P:OpenVPN 2.3_beta1 android-14-armeabi-v7a [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Oct 10 2012
Network Status: CONNECTED to WIFI
P:WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
P:WARNING: file '/storage/sdcard0/client1.key' is group or others accessible
P:Protecting socket fd 4
P:UDPv4 link local: [undef]
P:UDPv4 link remote: [AF_INET]XX.XX.XX.XX:1194
P:VERIFY OK: depth=1, C=XX, ST=XX, L=XX, O=OpenVPN, OU=MyUnit, CN=OpenVPN-CA, name=XX, emailAddress=XX@XX.XX
P:VERIFY OK: depth=0, C=XX, ST=XX, L=XX, O=OpenVPN, OU=MyUnit, CN=server, name=XX, emailAddress=XX@XX.XX2
P:Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
P:Data Channel Encrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
P:Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
P:Data Channel Decrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
P:Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
P:[server] Peer Connection Initiated with [AF_INET]XX.XX.XX.XX:1194
P:OpenVPN ROUTE6: OpenVPN needs a gateway parameter for a --route-ipv6 option and no default was specified by either --route-ipv6-gateway or --ifconfig-ipv6 options
P:OpenVPN ROUTE: failed to parse/resolve route for host/network: ::/0
P:do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
No DNS servers being used. Name resolution may not work. Consider setting custom DNS Servers
P:Initialization Sequence Completed
I can fix the DNS issue by adding DNS to the client or by pushing DNS.
I can access my router interface (on 192.168.2.1), but I cannot access the internet (I tried by IP address, since I forgot to add DNS).
The OpenVPN subnet is 192.168.10.0/24.
So what am I missing to be able to access the internet through the OpenVPN connection? Some route statement(s) or some firewall rule(s), or??
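The symptom above (router reachable over the tunnel, internet not) is what you get when the router forwards tunnel packets to the LAN but never NATs them out the WAN. The following is an added example for the DD-WRT rc_firewall (Administration -> Commands -> Save Firewall), not anything from the original post or from DD-WRT itself; it assumes the tunnel subnet 192.168.10.0/24 from the post, the tunnel interface tun0, the LAN bridge br0, and that the WAN interface name can be read from the nvram key wan_ifname (eth0 is used when that is unavailable). It emits the iptables commands for review and only applies them when APPLY=1.

```shell
#!/bin/sh
# Added example: firewall/NAT rules for an OpenVPN TUN server on DD-WRT.
# Assumptions (not from the post): tun0 is the server's tunnel interface,
# br0 is the LAN bridge, wan_ifname is the nvram key holding the WAN interface.
VPN_NET="192.168.10.0/24"   # OpenVPN subnet from the post
VPN_IF="tun0"
LAN_IF="br0"

# Read the WAN interface from nvram; fall back to eth0 if nvram is not present
# (e.g. when this script is reviewed on a PC rather than on the router).
WAN_IF="${WAN_IF:-$(nvram get wan_ifname 2>/dev/null || true)}"
[ -n "$WAN_IF" ] || WAN_IF="eth0"

# Print the rules instead of running them, so they can be checked first.
# -I inserts at the top of each chain so the rules precede DD-WRT's own
# DROP rules; the nat POSTROUTING MASQUERADE is what makes internet access
# work, since 192.168.10.0/24 must be hidden behind the router's WAN address.
vpn_fw_rules() {
    wan="$1"
    cat <<EOF
iptables -I FORWARD -i $VPN_IF -o $LAN_IF -s $VPN_NET -j ACCEPT
iptables -I FORWARD -i $VPN_IF -o $wan -s $VPN_NET -j ACCEPT
iptables -I FORWARD -o $VPN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -I POSTROUTING -s $VPN_NET -o $wan -j MASQUERADE
EOF
}

if [ "${APPLY:-0}" = "1" ]; then
    vpn_fw_rules "$WAN_IF" | sh      # apply on the router
else
    vpn_fw_rules "$WAN_IF"           # dry run: just show the commands
fi
```

With these in place, pushing a resolver (for example `push "dhcp-option DNS 192.168.2.1"` in the server's additional config) clears the "No DNS servers" warning, and the client's existing `route 0.0.0.0 0.0.0.0` sends all traffic through the tunnel.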