Site-to-Site OpenVPN Routers not connecting.

cfm56
DD-WRT Novice


Joined: 10 Apr 2018
Posts: 5

PostPosted: Tue Apr 10, 2018 19:02    Post subject: Site-to-Site OpenVPN Routers not connecting.
All,

I'm having trouble getting two identical DD-WRT routers connected together via OpenVPN. The web is awash with different guides, so I figured I'd ask for help from some of you experts out there. The guide I used to set up the routers is right below.

https://www.dd-wrt.com/phpBB2/viewtopic.php?t=284128&highlight=site+site

The EQUIPMENT:

(Server Side) Asus RT-AC68U running Firmware: DD-WRT v3.0-r35030M kongac (02/19/18)
(192.168.1.0)

(Client Side) Asus RT-AC68U running Firmware: DD-WRT v3.0-r35030M kongac (02/19/18)
(192.168.2.0)


______________________________

Server Side Settings:
OpenVPN Server/Daemon: Enable
Start Type: WAN Up
Config As: Daemon

Additional Config:

client-to-client
client-config-dir /tmp/openvpn/ccd
route 192.168.2.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
push "route 192.168.2.0 255.255.255.0"
server 192.168.66.0 255.255.255.0

dev tun0
proto udp
keepalive 10 120
comp-lzo
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
management localhost 5001
verb 5

Server Startup:

test -d /tmp/openvpn || mkdir /tmp/openvpn
test -d /tmp/openvpn/ccd || mkdir /tmp/openvpn/ccd
echo "iroute 192.168.2.0 255.255.255.0" >> /tmp/openvpn/ccd/DDWRTCLIENT
ln -s /tmp/var/log/messages /tmp/www/log.html


Client Firewall:
iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT
iptables -I FORWARD -i br0 -o tun1 -j ACCEPT
iptables -I FORWARD -i tun1 -o br0 -j ACCEPT




The goal is to set up the server side and client side to be able to use LAN resources on both sides. We have two offices and both sites need to see each other. For example, the client LAN has VOIP phones that need to see the VOIP server on the server side.

I used this guide to create the OpenVPN certs:
https://advancedhomeserver.com/dd-wrt-and-openvpn-part-1/

The client side is showing "RECONNECTING tls-error"

and logs like this:

Clientlog:
20180410 14:44:13 Restart pause 5 second(s)
20180410 14:44:18 W WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
20180410 14:44:18 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
20180410 14:44:18 I TCP/UDP: Preserving recently used remote address: [AF_INET]47.48.212.100:1194
20180410 14:44:18 Socket Buffers: R=[180224->180224] S=[180224->180224]
20180410 14:44:18 I UDPv4 link local: (not bound)
20180410 14:44:18 I UDPv4 link remote: [AF_INET]47.48.212.100:1194
20180410 14:44:46 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20180410 14:44:46 D MANAGEMENT: CMD 'state'
20180410 14:44:46 MANAGEMENT: Client disconnected
20180410 14:44:46 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20180410 14:44:46 D MANAGEMENT: CMD 'state'
20180410 14:44:46 MANAGEMENT: Client disconnected
20180410 14:44:46 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20180410 14:44:46 D MANAGEMENT: CMD 'state'
20180410 14:44:46 MANAGEMENT: Client disconnected
20180410 14:44:46 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20180410 14:44:46 D MANAGEMENT: CMD 'status 2'
20180410 14:44:46 MANAGEMENT: Client disconnected
20180410 14:44:46 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20180410 14:44:46 D MANAGEMENT: CMD 'log 500'
20180410 14:44:46 MANAGEMENT: Client disconnected
20180410 14:45:18 N TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
20180410 14:45:18 N TLS Error: TLS handshake failed
20180410 14:45:18 I SIGUSR1[soft tls-error] received process restarting
20180410 14:45:18 Restart pause 10 second(s)
20180410 14:45:28 W WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
20180410 14:45:28 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
20180410 14:45:28 I TCP/UDP: Preserving recently used remote address: [AF_INET]47.48.212.100:1194
20180410 14:45:28 Socket Buffers: R=[180224->180224] S=[180224->180224]
20180410 14:45:28 I UDPv4 link local: (not bound)
20180410 14:45:28 I UDPv4 link remote: [AF_INET]47.48.212.100:1194
20180410 14:46:28 N TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
20180410 14:46:28 N TLS Error: TLS handshake failed
20180410 14:46:28 I SIGUSR1[soft tls-error] received process restarting
20180410 14:46:28 Restart pause 20 second(s)
20180410 14:46:48 W WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
20180410 14:46:48 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
20180410 14:46:48 I TCP/UDP: Preserving recently used remote address: [AF_INET]47.48.212.100:1194
20180410 14:46:48 Socket Buffers: R=[180224->180224] S=[180224->180224]
20180410 14:46:48 I UDPv4 link local: (not bound)
20180410 14:46:48 I UDPv4 link remote: [AF_INET]47.48.212.100:1194
20180410 14:46:52 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20180410 14:46:52 D MANAGEMENT: CMD 'state'
20180410 14:46:52 MANAGEMENT: Client disconnected
20180410 14:46:52 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20180410 14:46:52 D MANAGEMENT: CMD 'state'
20180410 14:46:52 MANAGEMENT: Client disconnected
20180410 14:46:52 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20180410 14:46:52 D MANAGEMENT: CMD 'state'
20180410 14:46:52 MANAGEMENT: Client disconnected
20180410 14:46:52 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20180410 14:46:52 D MANAGEMENT: CMD 'status 2'
20180410 14:46:52 MANAGEMENT: Client disconnected
20180410 14:46:52 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20180410 14:46:52 D MANAGEMENT: CMD 'log 500'
20180410 14:46:52 MANAGEMENT: Client disconnected
20180410 14:46:54 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20180410 14:46:54 D MANAGEMENT: CMD 'state'
20180410 14:46:54 MANAGEMENT: Client disconnected
20180410 14:46:54 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20180410 14:46:54 D MANAGEMENT: CMD 'state'
20180410 14:46:54 MANAGEMENT: Client disconnected
20180410 14:46:54 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20180410 14:46:54 D MANAGEMENT: CMD 'state'
20180410 14:46:54 MANAGEMENT: Client disconnected
20180410 14:46:54 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20180410 14:46:54 D MANAGEMENT: CMD 'status 2'
20180410 14:46:54 MANAGEMENT: Client disconnected
20180410 14:46:54 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20180410 14:46:54 D MANAGEMENT: CMD 'log 500'
20180410 14:46:54 MANAGEMENT: Client disconnected
20180410 14:47:48 N TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
20180410 14:47:48 N TLS Error: TLS handshake failed
20180410 14:47:48 I SIGUSR1[soft tls-error] received process restarting
20180410 14:47:48 Restart pause 40 second(s)
20180410 14:48:28 W WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
20180410 14:48:28 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
20180410 14:48:28 I TCP/UDP: Preserving recently used remote address: [AF_INET]47.48.212.100:1194
20180410 14:48:28 Socket Buffers: R=[180224->180224] S=[180224->180224]
20180410 14:48:28 I UDPv4 link local: (not bound)
20180410 14:48:28 I UDPv4 link remote: [AF_INET]47.48.212.100:1194
20180410 14:49:28 N TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
20180410 14:49:28 N TLS Error: TLS handshake failed
20180410 14:49:28 I SIGUSR1[soft tls-error] received process restarting
20180410 14:49:28 Restart pause 80 second(s)
20180410 14:50:07 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20180410 14:50:07 D MANAGEMENT: CMD 'state'
20180410 14:50:07 MANAGEMENT: Client disconnected
20180410 14:50:07 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20180410 14:50:07 D MANAGEMENT: CMD 'state'
20180410 14:50:07 MANAGEMENT: Client disconnected
20180410 14:50:08 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20180410 14:50:08 D MANAGEMENT: CMD 'state'
20180410 14:50:08 MANAGEMENT: Client disconnected
20180410 14:50:08 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20180410 14:50:08 D MANAGEMENT: CMD 'status 2'
20180410 14:50:08 MANAGEMENT: Client disconnected
20180410 14:50:08 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20180410 14:50:08 D MANAGEMENT: CMD 'log 500'
19691231 19:00:00

________________________

The first guide I used didn't supply any TLS configuration options. So maybe that's part of this. The TLS section of my Server side is blank.

Any help or direction tremendously appreciated.
cfm56
DD-WRT Novice


Joined: 10 Apr 2018
Posts: 5

PostPosted: Thu Apr 12, 2018 13:17
Thanks eibgrad....

Sorry, just now saw your reply. Are you saying I should just use the OpenVPN windows client to connect to the server side first to get that part working, then work on the other router?
Thanks Shane
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12889
Location: Netherlands

PostPosted: Thu Apr 12, 2018 13:51
Consider using Server setup as @Eibgrad said and use the GUI to setup the server.
As you may want to have one big subnet, you should consider a bridged OpenVPN (aka TAP) instead of a tunnelled TUN OpenVPN setup?

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
cfm56
DD-WRT Novice


Joined: 10 Apr 2018
Posts: 5

PostPosted: Thu Apr 12, 2018 14:26
Thanks EGC, I had basically thought I might use routed instead of bridged, as I think I need to have the remote location using the internet connection over there and basically functioning as its own network there, and then reach through the VPN for various things (file server access, VOIP server). That's why I had thought routed might be best. Any thoughts on that?

Also, now I'm questioning whether this DDWRT build 3.0-r35030M works with OpenVPN on this RT-AC68U mostly because I've tried about 3 different guides and I'm still yet to get anything to connect even once.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12889
Location: Netherlands

PostPosted: Thu Apr 12, 2018 18:18
Your reasoning makes sense.

I am on 35550M (Kong's latest test file) and running a simple openVPN server for android and windows clients to connect and it is working well and is stable.
I am also running an OpenVPN client on the same router (R6400) for connecting to Private Internet Access and that also works very well.

Attached are my setup notes for a simple OpenVPN (TUN) server; maybe they are helpful.

As you want two-way traffic you need extra configuration,
e.g. client-to-client, and route and iroute commands.

cfm56
DD-WRT Novice


Joined: 10 Apr 2018
Posts: 5

PostPosted: Thu Apr 12, 2018 20:46
egc, this guide is EXCELLENT! Much thanks for that. Thinking if I do go with a TUN config this should get me close. Also great to know the Kong build we have works. That's a huge confidence booster.

I was reading @eibgrad post over here:

https://www.dd-wrt.com/phpBB2/viewtopic.php?t=288982&sid=f6a5061b24017b521b84b81998ef964b

He also makes the strong case that if a company were expanding to two locations (which we are), and if trust were on both sides (which we have), then bridged TAP was the way to go. I started thinking maybe I should do that instead?

I definitely need cross connectivity between sites (AD, VOIP, file server, for example), so maybe this is the way to go; I just didn't want to route all the internet traffic through site1, as I've got 100Mb\200Mb site1\site2 connections and I figured my 2 RT-AC68U (dual core 800Mhz) routers couldn't handle that.

I had however plowed forward with a TAP attempt anyway and did get things connected... but I still can't see things on both sides, no ping, shares, etc., so something is still amiss. See (serverstatus). Says my cert isn't valid yet, but everything was generated in UTC time.

Much obliged to both of you for your most generous assistance. Can either of you see where I'm going wrong? @egc have you a guide for the bridged config?

I've attached my setup screens here in a zip. Again thanks for the help

Thanks
Shane
cfm56
DD-WRT Novice


Joined: 10 Apr 2018
Posts: 5

PostPosted: Thu Apr 12, 2018 20:55
OK, so I generated the certs in Eastern Time, but the routers were in UTC. So I set the routers to Eastern time and now I don't think I'm getting the errors. Logs seem improved:
20180412 16:50:19 N 24.178.75.178:50076 write UDPv4: Network unreachable (code=101)
20180412 16:50:21 N 24.178.75.178:50076 write UDPv4: Network unreachable (code=101)
20180412 16:50:21 N 24.178.75.178:50076 write UDPv4: Network unreachable (code=101)
20180412 16:50:31 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20180412 16:50:31 D MANAGEMENT: CMD 'state'
20180412 16:50:31 MANAGEMENT: Client disconnected
20180412 16:50:31 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20180412 16:50:31 D MANAGEMENT: CMD 'state'
20180412 16:50:31 MANAGEMENT: Client disconnected
20180412 16:50:31 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20180412 16:50:31 MANAGEMENT: Client disconnected
20180412 16:50:31 NOTE: --mute triggered...
20180412 16:50:31 1 variation(s) on previous 3 message(s) suppressed by --mute
20180412 16:50:31 D MANAGEMENT: CMD 'status 2'
20180412 16:50:31 MANAGEMENT: Client disconnected
20180412 16:50:31 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20180412 16:50:31 D MANAGEMENT: CMD 'status 2'
20180412 16:50:31 MANAGEMENT: Client disconnected
20180412 16:50:31 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20180412 16:50:31 D MANAGEMENT: CMD 'log 500'
20180412 16:50:31 MANAGEMENT: Client disconnected
20180412 16:50:33 24.178.75.178:50076 VERIFY OK: depth=1 C=US ST=GA L=FloweryBranch O=Southeastern OU=Southeastern CN=Southeastern name=Southeastern emailAddress=info@southeastern.biz
20180412 16:50:33 24.178.75.178:50076 VERIFY OK: depth=0 C=US ST=GA L=FloweryBranch O=Southeastern OU=Southeastern CN=ddwrtclient name=ddwrtclient emailAddress=info@southeastern.biz
20180412 16:50:33 I 24.178.75.178:50076 peer info: IV_VER=2.4.4
20180412 16:50:33 I 24.178.75.178:50076 peer info: IV_PLAT=linux
20180412 16:50:33 I 24.178.75.178:50076 peer info: IV_PROTO=2
20180412 16:50:33 I 24.178.75.178:50076 peer info: IV_NCP=2
20180412 16:50:33 I 24.178.75.178:50076 peer info: IV_LZ4=1
20180412 16:50:33 I 24.178.75.178:50076 peer info: IV_LZ4v2=1
20180412 16:50:33 I 24.178.75.178:50076 peer info: IV_LZO=1
20180412 16:50:33 I 24.178.75.178:50076 peer info: IV_COMP_STUB=1
20180412 16:50:33 I 24.178.75.178:50076 peer info: IV_COMP_STUBv2=1
20180412 16:50:33 I 24.178.75.178:50076 peer info: IV_TCPNL=1
20180412 16:50:33 W 24.178.75.178:50076 WARNING: 'dev-type' is used inconsistently local='dev-type tap' remote='dev-type tun'
20180412 16:50:33 W 24.178.75.178:50076 WARNING: 'link-mtu' is used inconsistently local='link-mtu 1574' remote='link-mtu 1542'
20180412 16:50:33 W 24.178.75.178:50076 WARNING: 'tun-mtu' is used inconsistently local='tun-mtu 1532' remote='tun-mtu 1500'
20180412 16:50:33 24.178.75.178:50076 Control Channel: TLSv1.2 cipher SSLv3 DHE-RSA-AES128-SHA 2048 bit RSA
20180412 16:50:33 I 24.178.75.178:50076 [ddwrtclient] Peer Connection Initiated with [AF_INET]24.178.75.178:50076
20180412 16:50:33 I ddwrtclient/24.178.75.178:50076 MULTI_sva: pool returned IPv4=192.168.1.201 IPv6=(Not enabled)
20180412 16:50:33 ddwrtclient/24.178.75.178:50076 OPTIONS IMPORT: reading client specific options from: /tmp/openvpn_cc_2c466c3025d05771.tmp
20180412 16:50:34 ddwrtclient/24.178.75.178:50076 PUSH: Received control message: 'PUSH_REQUEST'
20180412 16:50:34 ddwrtclient/24.178.75.178:50076 SENT CONTROL [ddwrtclient]: 'PUSH_REPLY route-gateway 192.168.1.100 ping 5 ping-restart 30 ifconfig 192.168.1.201 255.255.255.0 peer-id 0 cipher AES-256-GCM' (status=1)
20180412 16:50:34 ddwrtclient/24.178.75.178:50076 Data Channel: using negotiated cipher 'AES-256-GCM'
20180412 16:50:34 ddwrtclient/24.178.75.178:50076 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
20180412 16:50:34 ddwrtclient/24.178.75.178:50076 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
20180412 16:51:34 I ddwrtclient/24.178.75.178:50076 [ddwrtclient] Inactivity timeout (--ping-restart) restarting
20180412 16:51:34 ddwrtclient/24.178.75.178:50076 SIGUSR1[soft ping-restart] received client-instance restarting
20180412 16:54:03 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20180412 16:54:03 D MANAGEMENT: CMD 'state'
20180412 16:54:03 MANAGEMENT: Client disconnected
20180412 16:54:03 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20180412 16:54:03 D MANAGEMENT: CMD 'state'
20180412 16:54:03 MANAGEMENT: Client disconnected
20180412 16:54:03 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20180412 16:54:03 MANAGEMENT: Client disconnected
20180412 16:54:03 NOTE: --mute triggered...
20180412 16:54:03 1 variation(s) on previous 3 message(s) suppressed by --mute
20180412 16:54:03 D MANAGEMENT: CMD 'status 2'
20180412 16:54:03 MANAGEMENT: Client disconnected
20180412 16:54:03 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20180412 16:54:03 D MANAGEMENT: CMD 'status 2'
20180412 16:54:03 MANAGEMENT: Client disconnected
20180412 16:54:03 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20180412 16:54:03 D MANAGEMENT: CMD 'log 500'
19691231 19:00:00
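As an added example (not from this thread, DD-WRT or OpenVPN), a small Python triage script that runs over the log lines posted above, reports how far each session got, and names the failure each warning points to. It also checks the ccd file name against the client CN: the startup script writes ccd/DDWRTCLIENT while the last log shows CN=ddwrtclient, and OpenVPN opens the ccd file by exact name. The VERIFY ERROR line and its explanations are my own constructed additions.

```python
import re

# Match strings are OpenVPN's own log wording; the explanation after each is mine.
SIGNATURES = [
    (re.compile(r"No server certificate verification method"),
     "no 'remote-cert-tls server' on the client: any CA-signed cert passes as the server"),
    (re.compile(r"TLS key negotiation failed to occur within \d+ seconds"),
     "handshake never completed: UDP 1194 not reaching the server, or the server rejected the client"),
    (re.compile(r"'dev-type' is used inconsistently"),
     "one peer is tap and the other tun: nothing will flow over the data channel"),
    (re.compile(r"Inactivity timeout \(--ping-restart\)"),
     "TLS is up but no data-channel traffic arrives: check dev-type, firewall and MTU"),
    (re.compile(r"write UDPv4: Network unreachable"),
     "no route to the peer when sending: WAN not up yet or wrong remote address"),
    (re.compile(r"VERIFY ERROR: .*certificate is not yet valid"),
     "clock skew: the cert's notBefore lies in this router's future (cert vs router time zone)"),
]
VERIFY_OK = re.compile(r"VERIFY OK: depth=0 .*?\bCN=(\S+)")

def triage(lines):
    """Return the client CN seen (if any), how far the session got, and matched signatures."""
    found, cn = {}, None
    tls_failed = peer_up = restarted = False
    for line in lines:
        for rx, meaning in SIGNATURES:
            if rx.search(line):
                found[meaning] = found.get(meaning, 0) + 1
        m = VERIFY_OK.search(line)
        if m:
            cn = m.group(1)
        tls_failed |= "TLS handshake failed" in line
        peer_up |= "Peer Connection Initiated" in line
        restarted |= "Inactivity timeout" in line
    if peer_up and not restarted:
        stage = "connected"
    elif peer_up:
        stage = "tls-ok-no-data"   # certs and TLS fine, data channel dead (tap/tun, MTU, firewall)
    elif tls_failed:
        stage = "no-handshake"     # never got past TLS (reachability, clock, cert)
    else:
        stage = "unknown"
    return {"cn": cn, "stage": stage, "findings": found}

def ccd_case_mismatch(cn, ccd_names):
    """OpenVPN opens the ccd file named exactly after the client CN (case-sensitive on Linux);
    return entries that differ from the CN only by case, since their iroute never applies."""
    return [n for n in ccd_names if n != cn and n.lower() == cn.lower()]

# Sample lines copied from the thread's logs (first and last post), plus one constructed
# VERIFY ERROR line of the kind a not-yet-valid client cert produces.
FIRST_POST = [
    "20180410 14:44:18 W WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.",
    "20180410 14:45:18 N TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)",
    "20180410 14:45:18 N TLS Error: TLS handshake failed",
]
LAST_POST = [
    "20180412 16:50:19 N 24.178.75.178:50076 write UDPv4: Network unreachable (code=101)",
    "20180412 16:50:33 24.178.75.178:50076 VERIFY OK: depth=0 C=US ST=GA L=FloweryBranch O=Southeastern OU=Southeastern CN=ddwrtclient name=ddwrtclient emailAddress=info@southeastern.biz",
    "20180412 16:50:33 W 24.178.75.178:50076 WARNING: 'dev-type' is used inconsistently local='dev-type tap' remote='dev-type tun'",
    "20180412 16:50:33 I 24.178.75.178:50076 [ddwrtclient] Peer Connection Initiated with [AF_INET]24.178.75.178:50076",
    "20180412 16:51:34 I ddwrtclient/24.178.75.178:50076 [ddwrtclient] Inactivity timeout (--ping-restart) restarting",
]
CONSTRUCTED_SKEW = ["20180412 12:00:00 N 24.178.75.178:50076 VERIFY ERROR: depth=0, error=certificate is not yet valid: CN=ddwrtclient"]
```

Run `triage(FIRST_POST)` to see the no-handshake stage of the first post and `triage(LAST_POST + CONSTRUCTED_SKEW)` for the later TAP attempt; `ccd_case_mismatch("ddwrtclient", ["DDWRTCLIENT"])` flags the ccd entry that never matches.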
All times are GMT