OpenVPN server can't start, blocking in ebtables

DD-WRT Forum Index -> Advanced Networking
virtualprivatenotworking
DD-WRT Novice


Joined: 29 May 2017
Posts: 7

Posted: Mon May 29, 2017 20:16    Post subject: OpenVPN server can't start, blocking in ebtables
I'm running DD-WRT v3.0-r31924 std (05/02/17) on a TP-Link Archer C9.

I'm trying to set up the OpenVPN server on my router. However, the OpenVPN server does not even appear to be running:

Code:

root@DD-WRT:~# ps | grep openvpn
 1005 root      1148 S    {route-up.sh} /bin/sh /tmp/openvpn/route-up.sh


If I run `openvpn --config /tmp/openvpn/openvpn.cnf` it seems to start alright and I can at least use netcat to connect to the server from outside my network, even if I haven't tried using an OpenVPN client yet.

But I can't find any invocation of `startservice openvpn` etc. that would make the service run for me.



Here's the config file:

Code:

dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
keepalive 10 120
verb 3
mute 3
syslog
writepid /var/run/openvpnd.pid
management 127.0.0.1 14
management-log-cache 100
topology subnet
script-security 2
port 4911
proto tcp4-server
cipher aes-128-cbc
auth sha256
client-connect /tmp/openvpn/clcon.sh
client-disconnect /tmp/openvpn/cldiscon.sh
client-config-dir /tmp/openvpn/ccd
comp-lzo adaptive
tls-server
client-to-client
tcp-nodelay
tun-mtu 1500
mtu-disc yes
server-bridge nogw
dev tap2
push "route 10.0.1.0 255.255.255.0"
push "dhcp-option DNS 10.0.1.1"


Interestingly, trying to access the Status → OpenVPN page seems to hang httpd and require restarting that service.

Here's syslog after a reboot:

Code:

Jan 1 00:00:09 DD-WRT daemon.notice openvpn[925]: OpenVPN 2.4.1 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on May 2 2017
Jan 1 00:00:09 DD-WRT daemon.notice openvpn[925]: library versions: OpenSSL 1.0.2k 26 Jan 2017, LZO 2.09
Jan 1 00:00:09 DD-WRT daemon.notice openvpn[980]: MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:14
Jan 1 00:00:09 DD-WRT daemon.warn openvpn[980]: NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to
Jan 1 00:00:09 DD-WRT daemon.warn openvpn[980]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jan 1 00:00:09 DD-WRT daemon.notice openvpn[980]: Diffie-Hellman initialized with 2048 bit key
Jan 1 00:00:09 DD-WRT daemon.warn openvpn[980]: WARNING: Your certificate is not yet valid!
Jan 1 00:00:09 DD-WRT daemon.notice openvpn[980]: TUN/TAP device tap2 opened
Jan 1 00:00:09 DD-WRT daemon.notice openvpn[980]: TUN/TAP TX queue length set to 100


And here's the service running after reboot:

Code:

root@DD-WRT:~# ps | grep openvpn
  980 root      2996 S    /tmp/openvpnserver --config /tmp/openvpn/openvpn.con
  998 root      1148 S    {route-up.sh} /bin/sh /tmp/openvpn/route-up.sh
 1229 root      1148 S    sh -c /etc/openvpnstate.sh > /tmp/.temp
 1230 root      1152 S    {openvpnstate.sh} /bin/sh /etc/openvpnstate.sh
 1235 root      1152 S    {openvpnstate.sh} /bin/sh /etc/openvpnstate.sh
 1373 root      1148 S    grep openvpn


but it doesn't actually seem to be listening for inbound connections:

Code:

root@DD-WRT:~# netstat -l
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       
tcp        1      0 localhost:14            0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:www             0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:domain          0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:telnet          0.0.0.0:*               LISTEN     
netstat: /proc/net/tcp6: No such file or directory
udp        0      0 0.0.0.0:domain          0.0.0.0:*                           
udp        0      0 localhost:34954         0.0.0.0:*                           
netstat: /proc/net/udp6: No such file or directory
netstat: /proc/net/raw6: No such file or directory
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node Path


Last edited by virtualprivatenotworking on Mon May 29, 2017 20:56; edited 1 time in total
virtualprivatenotworking
DD-WRT Novice


Joined: 29 May 2017
Posts: 7

Posted: Mon May 29, 2017 20:52    Post subject:
OK, setting aside the fact that `openvpnserver` wasn't running at all before I rebooted, here's what I've determined.

The `openvpnserver` seems to be hanging during initialization. It does not respond at all on its management port. That explains why the Status → OpenVPN page was hanging, because it was waiting for it to respond on the management port. And it's probably hanging before it opens the VPN port.

But what it appears to be doing is executing the route-up.sh script:

Code:

root@DD-WRT:~# ps | grep openvpn
 2626 root      2996 S    /tmp/openvpnserver --config /tmp/openvpn/openvpn.conf --route-up /tmp/openvpn
 2628 root      1148 S    {route-up.sh} /bin/sh /tmp/openvpn/route-up.sh
 2643 root      1148 S    grep openvpn


And *that* script is what's hanging. We can see it just runs a handful of commands, so figuring out which one is stuck just involves grepping the process list a few times:

Code:

root@DD-WRT:~# ps | grep ebtables
 1016 root       768 R    ebtables -t nat -D POSTROUTING -o tap2 --pkttype-type multicast -j DROP
 2006 root       768 R    ebtables -t nat -D POSTROUTING -o tap2 --pkttype-type multicast -j DROP
 2171 root       768 R    ebtables -t nat -D POSTROUTING -o tap2 --pkttype-type multicast -j DROP
 2459 root      1148 S    sh -c /usr/sbin/ebtables -t nat -D POSTROUTING -o tap2 --pkttype-type multica
 2460 root       768 R    /usr/sbin/ebtables -t nat -D POSTROUTING -o tap2 --pkttype-type multicast -j
 2519 root       768 R    ebtables -t nat -D POSTROUTING -o tap2 --pkttype-type multicast -j DROP
 2637 root       768 R    ebtables -t nat -D POSTROUTING -o tap2 --pkttype-type multicast -j DROP
 2678 root      1148 S    grep ebtables


So that's what we're stuck on. And I can confirm by running that `ebtables -t nat -D POSTROUTING -o tap2 --pkttype-type multicast -j DROP` command myself that it doesn't exit, it just blocks.

The correct command to stop/start it is `stopservice openvpnserver`.
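The procedure the post above describes, sampling `ps` a few times and seeing which helper command never goes away, can be scripted so that the stuck child is reported automatically. The following is an added example written for this page; it is not code from the thread or from DD-WRT. The function names (`persistent_commands`, `sample_ps`, `demo_stuck`) and the three `ps` snapshots embedded in the script are constructed to mirror the output shown in the post. A command line that appears in every snapshot is reported together with the number of distinct PIDs it was seen under: the long-running daemon (`openvpnserver`) and the script waiting on it are expected to persist, while a one-shot helper such as `ebtables -D ...` that persists across samples, and keeps accumulating new PIDs, is the one that is blocking.

```shell
#!/bin/sh
# Added example (not from the thread): find the stuck child of a hung script by
# sampling the process list and keeping command lines present in every sample.

# persistent_commands: reads busybox-style "ps" snapshots from stdin, separated
# by a line containing only "---". Prints "<distinct PIDs>\t<command>" for each
# command line that appears in every snapshot, ignoring ps/grep helpers.
persistent_commands() {
    awk '
        BEGIN { snap = 1; nsnap = 0 }
        /^---$/ { snap++; next }                 # snapshot separator
        $1 == "PID" { next }                     # ps header line
        NF < 5 { next }                          # blank or malformed line
        $5 == "ps" || /grep/ { next }            # our own sampling helpers
        {
            if (snap > nsnap) nsnap = snap
            cmd = $5                             # fields 1-4: PID USER VSZ STAT
            for (i = 6; i <= NF; i++) cmd = cmd " " $i
            if (!((cmd, snap) in seen)) { seen[cmd, snap] = 1; count[cmd]++ }
            if (!((cmd, $1) in pidseen)) { pidseen[cmd, $1] = 1; pids[cmd]++ }
        }
        END {
            for (cmd in count)
                if (count[cmd] == nsnap) printf "%d\t%s\n", pids[cmd], cmd
        }
    ' | LC_ALL=C sort
}

# sample_ps COUNT SECONDS: take COUNT live "ps" snapshots, SECONDS apart,
# in the format persistent_commands expects (busybox ps prints PID USER VSZ STAT COMMAND).
sample_ps() {
    n=$1; i=0
    while [ "$i" -lt "$n" ]; do
        if [ "$i" -gt 0 ]; then echo '---'; fi
        ps
        i=$((i + 1))
        if [ "$i" -lt "$n" ]; then sleep "$2"; fi
    done
}

# Constructed snapshots modelled on the thread: the daemon and route-up.sh stay,
# one ebtables -D keeps blocking and a second one piles up behind it, while
# openvpnstate.sh and a sleep are transient.
SNAP1='  PID USER       VSZ STAT COMMAND
  980 root      2996 S    /tmp/openvpnserver --config /tmp/openvpn/openvpn.conf --route-up /tmp/openvpn
  998 root      1148 S    {route-up.sh} /bin/sh /tmp/openvpn/route-up.sh
 1016 root       768 R    ebtables -t nat -D POSTROUTING -o tap2 --pkttype-type multicast -j DROP
 1229 root      1148 S    sh -c /etc/openvpnstate.sh > /tmp/.temp
 1373 root      1148 S    grep openvpn'
SNAP2='  PID USER       VSZ STAT COMMAND
  980 root      2996 S    /tmp/openvpnserver --config /tmp/openvpn/openvpn.conf --route-up /tmp/openvpn
  998 root      1148 S    {route-up.sh} /bin/sh /tmp/openvpn/route-up.sh
 1016 root       768 R    ebtables -t nat -D POSTROUTING -o tap2 --pkttype-type multicast -j DROP
 2006 root       768 R    ebtables -t nat -D POSTROUTING -o tap2 --pkttype-type multicast -j DROP
 1400 root      1148 S    grep openvpn'
SNAP3='  PID USER       VSZ STAT COMMAND
  980 root      2996 S    /tmp/openvpnserver --config /tmp/openvpn/openvpn.conf --route-up /tmp/openvpn
  998 root      1148 S    {route-up.sh} /bin/sh /tmp/openvpn/route-up.sh
 1016 root       768 R    ebtables -t nat -D POSTROUTING -o tap2 --pkttype-type multicast -j DROP
 2006 root       768 R    ebtables -t nat -D POSTROUTING -o tap2 --pkttype-type multicast -j DROP
 1500 root      1148 S    sleep 1
 1450 root      1148 S    grep openvpn'

demo_input() {
    printf '%s\n---\n%s\n---\n%s\n' "$SNAP1" "$SNAP2" "$SNAP3"
}

# demo_stuck: run the analysis over the constructed snapshots.
# Expected: openvpnserver (1 PID), route-up.sh (1 PID) and ebtables -D (2 PIDs);
# openvpnstate.sh, sleep and grep are dropped.
demo_stuck() {
    demo_input | persistent_commands
}

case "${1:-}" in
    --live) sample_ps "${2:-5}" "${3:-1}" | persistent_commands ;;
    --demo) demo_stuck ;;
esac
```

Run it as `sh stuck.sh --demo` to see the constructed case, or `sh stuck.sh --live 5 1` on the router to take five real samples one second apart. Only the `--live` mode touches the running system; everything else works offline.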
virtualprivatenotworking
DD-WRT Novice


Joined: 29 May 2017
Posts: 7

Posted: Mon May 29, 2017 21:11    Post subject:
I found that by setting the `block_multicast` NVRAM variable to 1, I could get DD-WRT to not emit the ebtables commands, which sidestepped the problem.

I've written the block_multicast issue up in a bug here: http://svn.dd-wrt.com/ticket/5846#ticket

And I don't know how to diagnose the ebtables problem, but that's here: http://svn.dd-wrt.com/ticket/5847#ticket
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6867
Location: Romerike, Norway

Posted: Tue May 30, 2017 5:18    Post subject:
Why do you start OpenVPN Server before the WAN is up?
diabolo
DD-WRT Novice


Joined: 28 Feb 2015
Posts: 12

Posted: Tue May 30, 2017 8:03    Post subject:
Hello,

I have had the same problem with ebtables and OpenVPN since r30016 on an Asus RT-N18U:
http://svn.dd-wrt.com/ticket/5807

ebtables has been buggy since that version, whatever command you try to launch.

My solution was to build my own start-up script and not use the web GUI for the OpenVPN configuration.

If you want to keep the multicast drop rule, you should use an iptables command instead.
JohnS@
DD-WRT User


Joined: 10 Jun 2006
Posts: 311

Posted: Fri Nov 17, 2017 5:57    Post subject:
The issue has been narrowed down to an improperly compiled ebtables binary.

A temporary workaround is described in the following thread, including a jffs- and startup-script-based implementation that survives a reboot, two posts down in that thread.

Trac ticket 5807 has been updated accordingly.
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6867
Location: Romerike, Norway

Posted: Fri Nov 17, 2017 7:52    Post subject:
Multicast should be configured in the igmpproxy.conf file, not with filtering in ebtables.
All times are GMT