OpenVPN - Server or Daemon??

DD-WRT Forum Index -> Marvell MVEBU based Hardware (WRT1900AC etc.)
Seferex
DD-WRT Novice


Joined: 21 Apr 2017
Posts: 6

Posted: Fri Apr 21, 2017 16:43
Hello everybody and thank you all for all the tips you wrote.

I was able to connect my Android phone to my OpenVPN server and I am able to surf the internet.

The problem is the speed...
I have a 100 Mbps connection and when I connect my phone to the OpenVPN, the client (my phone) gets a super slow speed of even less than 1 Mbps...

I use a WZR-HP-AG300H (Buffalo's router) that has a 680 MHz CPU...

Am I missing something? I attach the screenshots of my config..

And this is my .ovpn file

Code:
client
dev tun
proto tcp
remote myddnsip.org 1194
nobind
persist-key
persist-tun
verb 4
float
ca ca.crt
cert xxx.crt
key xxx.key
comp-lzo yes
tun-mtu 1400
auth SHA1
cipher AES-128-CBC


Please help me out :(


Last edited by Seferex on Sat Apr 22, 2017 0:35; edited 1 time in total
d0ug
DD-WRT User


Joined: 31 Jul 2015
Posts: 403

Posted: Fri Apr 21, 2017 17:53
js1662 wrote:
You shouldn't ask people for the .ovpn file for security reasons. The .ovpn file is like a key. Would you share your key with strangers? If you are using a VPN service provider, the service provider will provide you with the .ovpn file. If you are using your own OpenVPN server, you should generate your own .ovpn file. Anyway, .ovpn files are not for sharing!


It all depends on how the user has set up their .ovpn file.

If the keys/certs are in separate files linked from the .ovpn, it is relatively benign to share, though you may want to X out your server IP/host and port.

If you have your keys/certs in the .ovpn file itself then you should surely not share the full contents of the file.
d0ug
DD-WRT User


Joined: 31 Jul 2015
Posts: 403

Posted: Fri Apr 21, 2017 18:32
This is the config I ended up with after about a week of fussing with openvpn and giving up several times to come back with a fresh mind.

This is running on

DD-WRT v3.0-r31722 std (03/21/17) on a WRT1200AC

To explain some of it

10.10.10.x is my local lan ip range
10.10.11.x is a guest wifi network
10.10.12.x as my vpn ip range

Under additional config, this is my understanding of the options I have put

push "dhcp-option DNS 10.10.10.1" /////forces the VPN clients to use my router's DNS server
push "redirect-gateway def1" /////forces the VPN clients to route all traffic over the VPN
reneg-bytes 64000000 ///// forces the client/server to renegotiate the encryption keys after every 64MB of data transfer for extra security

For the firewall commands.

iptables -I FORWARD 1 --source 10.10.2.0/24 -j ACCEPT /////allows the VPN clients to communicate with the LAN clients
iptables -t nat -A POSTROUTING -s 10.10.12.0/24 -j MASQUERADE ///// allows the VPN clients to obtain an internet connection through the router.

I know for a fact that these firewall rules are required, without the 1st one I was unable to connect to local LAN clients and without the 2nd one I could not get internet connectivity once I was on the VPN.

For my .ovpn file I have the following:

client
proto udp
remote xxxx.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert cert.crt
key key.key
ns-cert-type server
cipher AES-256-CBC
comp-lzo
verb 3
float

This is working great on my phone running Android 7.1.2 with the latest OpenVPN client from the Play Store.

I see that some people in here have chosen to go with AES-128-CBC. You might as well bump it up to 256-bit for some extra security; I cannot find any performance difference between 128 and 256 on my WRT1200AC, which is in the lower end of this hardware series.
Seferex
DD-WRT Novice


Joined: 21 Apr 2017
Posts: 6

Posted: Sat Apr 22, 2017 1:09
Hello d0ug, thank you for the info you gave me.

I did exactly what you did (I just changed my gateway as you see in the pics)

My local LAN: 192.168.1.1
VPN IP: 10.1.1.0
My .ovpn file:

client
proto udp
remote xxxxxxxxx.org 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert xxx.crt
key xxx.key
ns-cert-type server
cipher AES-256-CBC
comp-lzo
verb 3
float

But my phone starts with a message of "connecting", then gets stuck on it and after a few seconds it says "waiting for server".

Did I miss something?
Seferex
DD-WRT Novice


Joined: 21 Apr 2017
Posts: 6

Posted: Sat Apr 22, 2017 2:53
UPDATE:

I did manage to fix the speed problem with my configuration....

All I had to do was update the firmware (I was using a 2013 build)...

So guys, if you have problems, first try updating your firmware to the latest version.

Thank you all guys
isquaredr
DD-WRT Novice


Joined: 16 Dec 2014
Posts: 3

Posted: Wed May 03, 2017 21:47    Post subject: HappyDaddy, you are AMAZING
Thank you thank you thank you!
I've been trying to get this working for days (getting just close enough that I couldn't give up completely) and you got me up and running in less than 5 minutes. Is it possible to add your guide to the Wiki? If we ever meet in the wild, drinks are on me. Thanks again!
cby016
DD-WRT Novice


Joined: 18 May 2017
Posts: 1

Posted: Sat May 20, 2017 23:13
stanleycup wrote:


After years of trying to get OpenVPN to work, after following HappyDaddy's (Thank you!) guide, I finally got it to work with a few modifications to get it working on Android.

I kept start type at System
Server
TUN
TCP

For Network, it's the subnet that you want your OpenVPN clients to be in. For example, if you use the 192.168.1.0 subnet for your LAN, then you might choose something say 192.168.10.0. This should be different than your LAN subnet. The last octet should be a 0.

Netmask: 255.255.255.0

All other settings according to HappyDaddy's post. It worked for me with either the Additional Config filled in or empty.

At this point, I could connect, but have no internet access. I had to add the following under the Administration -> Command Tab and save it to the firewall. The IP should be the same as the subnet you entered for the Network setting.

iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -j MASQUERADE
iptables -I INPUT 1 -p tcp --dport 1194 -j ACCEPT
iptables -I FORWARD 1 --source 192.168.10.0/24 -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT

After adding this, I have full access to the LAN and WAN through the tunnel.


This information from stanleycup and the post from HappyDaddy is what helped me to finally get OpenVPN working on my router. Thanks guys!
ZARK
DD-WRT Novice


Joined: 19 Aug 2017
Posts: 1

Posted: Sun Aug 20, 2017 0:41
Thanks A Million ------> HappyDaddy <----- finally got this working :)
Boogalooz
DD-WRT Novice


Joined: 13 Oct 2017
Posts: 38

Posted: Thu Oct 26, 2017 19:16
edited to delete duplicate... sorry.

Last edited by Boogalooz on Thu Oct 26, 2017 22:15; edited 1 time in total
sarumans
DD-WRT Novice


Joined: 01 Dec 2013
Posts: 18

Posted: Thu Oct 26, 2017 20:02    Post subject: wdr3600 openVPN
Hello, can somebody help me with a WDR3600? I'm trying everything but nothing works.
omega-3
DD-WRT Novice


Joined: 23 Feb 2009
Posts: 24

Posted: Thu Oct 26, 2017 20:06
@Boogalooz -- Answered in your other thread http://www.dd-wrt.com/phpBB2/viewtopic.php?p=1101243#1101243

Posting the same question in two forums fragments the replies and causes confusion.
Boogalooz
DD-WRT Novice


Joined: 13 Oct 2017
Posts: 38

Posted: Thu Oct 26, 2017 22:50
omega-3 wrote:
@Boogalooz -- Answered in your other thread http://www.dd-wrt.com/phpBB2/viewtopic.php?p=1101243#1101243

Posting the same question in two forums fragments the replies and causes confusion.


Copy that. I just deleted the post in this thread, and asked an additional question over in my thread.

In response to this thread, I did everything according to the quasi-guide listed here, and I can in fact now connect to the router through the tunnel, but I cannot connect to the internet from my client.

I have these exact settings in my Administration/Commands section:


iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -j MASQUERADE
iptables -I INPUT 1 -p tcp --dport 1194 -j ACCEPT
iptables -I FORWARD 1 --source 192.168.10.0/24 -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT

Still no internet access while the tunnel is active.
Boogalooz
DD-WRT Novice


Joined: 13 Oct 2017
Posts: 38

Posted: Sun Oct 29, 2017 3:23    Post subject: MAJOR UPDATE
I finally succeeded in making this work by following this guide and reading every post in it to find the tidbits necessary for a successful set up.

After many failed attempts, what I learned was that I needed to hard reset my router and set it back to DD-WRT defaults and start from zero. That was the best thing I did in this whole process.

I also deleted my entire OpenVPN folder and every .ovpn file I had created in previous attempts so that I could start fresh all across the board. That was the second best thing I did.

Next, I followed the process outlined by HappyDaddy (thank you) and used the firewall code supplied by StanleyCup (thank you) and started out to get one client up and running with internet and lan access.

The fresh start approach was the key and it worked like a charm.

My set up:

(1) Linksys WRT-1900AC (v2) running build r33555 10/20/17 (std).
Behind a FIOS router with 150/150 speed.
(2) Windows 7 client (same machine I built the certs/keys on).

The system has been up and running stable for the last 8 hours now, with zero issues.

My WRT-1900ACv2 has the same processor speed as a 1900ACS (1600 MHz). Speed test results indicate I am losing right around 40 Mbps through the VPN with 2048-level encryption set up. I am getting anywhere between 108 and 113 Mbps, which is totally acceptable to me, considering that the PiVPN I was using could only chug out between 20-30 Mbps... The speed hit was enormous through the Pi.

I went back in and generated 5 more keys for the various devices in my LAN successfully, and as of this post, I have 5 devices connected to and routing traffic through the VPN. To say that I am ecstatic is the understatement of the year indeed.

I am using a slightly different process in my .ovpn files, in that I have the certs and key within each .ovpn file.

Here is an example:

Code:

client
dev tun
proto tcp
remote my.ip.myddns.org 11989
nobind
persist-key
persist-tun
remote-cert-tls server
auth-nocache
verb 4
float
comp-lzo yes
tun-mtu 1500
auth SHA256
cipher AES-256-CBC
<ca>
-----BEGIN CERTIFICATE-----
CA.CRT gobble-d-gook-here-----
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
CLIENT.CRT gobble-d-gook-here-----
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
CLIENT.KEY gobble-d-gook-here-----
-----END PRIVATE KEY-----
</key>


I also put the "auth-nocache" line in my client files because I have always hated the RED WARNING message that flashes by during connection, so I just added it, even though I know it is probably not an issue. Now the red warning message is no longer there...

Again, I did NOT have to put ANY additional "code" in the "Additional Config" section at all. My set up works perfectly without it.

I did however, use the following firewall settings provided by StanleyCup (modified the port # I am actually using):

iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -j MASQUERADE
iptables -I INPUT 1 -p tcp --dport 11989 -j ACCEPT
iptables -I FORWARD 1 --source 192.168.10.0/24 -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT

Prior to starting fresh with clean everything, I was able to connect via lan only. I could not get internet access until I placed StanleyCup's code in the firewall and saved the firewall. I did not have to reboot the router for that setting to take, although it did take a minute or 2 of refreshing web pages to finally get a connection, but it happened and it was a beautiful thing.

Not sure what else I can share with everyone that may be helpful, but if you can think of anything let me know and I will post it up.

P.S. 3 of the devices I have connected using this set up are Android.


Last edited by Boogalooz on Tue Oct 31, 2017 3:22; edited 1 time in total
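As an added example (not code from this thread, from DD-WRT or from OpenVPN), a small Python linter for client profiles like the ones posted above. It parses the directives and the inline <key>-style blocks, then flags the points this thread keeps running into: secret key material embedded in a file someone might post, no server certificate check at all (the "No server certificate verification method has been enabled" warning), the deprecated ns-cert-type, the SHA1 HMAC default, and compression. The sample profile and its placeholder PEM body are constructed.

```python
import re

# Constructed sample profile in the style of this thread's inline-cert .ovpn (placeholder PEM, no real key)
SAMPLE_OVPN = """\
client
proto udp
remote vpn.example.org 1194
ns-cert-type server
auth SHA1
cipher AES-256-CBC
comp-lzo yes
<key>
-----BEGIN PRIVATE KEY-----
placeholder-key
-----END PRIVATE KEY-----
</key>
"""

def parse_ovpn(text):
    """Split a profile into {directive: [args, ...]} plus the set of inline <tag> blocks."""
    directives, inline, block = {}, set(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        tag = re.fullmatch(r"<(/?)([a-z0-9-]+)>", line)
        if tag:                       # <key> opens an inline block, </key> closes it
            block = None if tag.group(1) else tag.group(2)
            if block: inline.add(block)
            continue
        if block is None:             # lines inside a block are PEM data, not directives
            name, *args = line.split()
            directives.setdefault(name, []).append(" ".join(args))
    return directives, inline

def lint_ovpn(text):
    """Return {finding: advice} for the settings this thread keeps tripping over."""
    d, inline = parse_ovpn(text)
    out = {}
    if inline & {"key", "tls-auth", "tls-crypt"}:
        out["inline-secret"] = "profile embeds secret key material; do not post or share it"
    if not {"remote-cert-tls", "ns-cert-type", "verify-x509-name"} & set(d):
        out["no-server-check"] = "add 'remote-cert-tls server' so a rogue server cannot pose as yours"
    elif "ns-cert-type" in d:
        out["ns-cert-type"] = "deprecated; replace with 'remote-cert-tls server'"
    if d.get("auth", ["SHA1"])[0].upper() in ("SHA1", "MD5"):
        out["weak-auth"] = "HMAC is SHA1 (OpenVPN's default); set 'auth SHA256' on server and clients"
    if "comp-lzo" in d or "compress" in d:
        out["compression"] = "compression enabled; disable it unless required, it can leak tunnel plaintext"
    return out
```

Run `lint_ovpn(open("client.ovpn").read())` against a real profile before posting it anywhere; the "inline-secret" finding is the one d0ug's reply above is about.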
sarumans
DD-WRT Novice


Joined: 01 Dec 2013
Posts: 18

Posted: Sun Oct 29, 2017 19:04
Hello,
if you can and if you want, can you help me please!

I am so desperate.

I have a WDR3600 router and I have installed the r33555 DD-WRT firmware.
I have Windows 7 64-bit and tried to create certificates with OpenVPN 2.1.4 and 2.2.2.

But I can't connect from my Android phone; I get a lot of different errors.

19:54 library versions: OpenSSL 1.1.0f 25 May 2017, LZO 2.10

19:54 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.

19:54 MGMT: Got unrecognized command>FATAL:Cannot load inline certificate file

19:54 OpenSSL: error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak

19:54 OpenSSL reproted a certificate with a weak hash, please the in app FAQ about weak hashes

19:54 Cannot load inline certificate file

19:54 Exiting due to fatal error

19:54 Process exited with exit value 1

My router IP: 192.168.0.1

Start Type: WAN
Config as: Server
Server mode: TUN
Network: 192.168.0.1
Netmask: 255.255.255.0
Port: 1194
Protocol: UDP
Cipher: AES-128-CBC
Hash: SHA1
Compression: LZO
Redirect default Gateway: Enable
Allow Client to Client: Enable
Allow duplicate cn: Disable
MTU: 1400
Tunnel UDP MSS-Fix: Enable

Advanced options:

push "route 192.168.0.1 255.255.255.0"
push "dhcp-option DNS 192.168.0.1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 208.67.222.222"
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"


Firewall:

#!/bin/sh
OVPN_SERVER="10.8.0.0/24"
OVPN_DEV="tun0"
OVPN_DEV="tun2"
OVPN_PROTO="udp"
OVPN_PORT="1194"

WAN_IF="$(ip route | awk '/^default/{print $NF}')"

# open the OpenVPN server port
iptables -I INPUT -i $WAN_IF -p $OVPN_PROTO --dport $OVPN_PORT -j ACCEPT

# allow OpenVPN clients to access the OpenVPN server
iptables -I INPUT -i $OVPN_DEV -m state --state NEW -j ACCEPT

# allow OpenVPN clients to access ALL other devices on the LAN
iptables -I FORWARD -i $OVPN_DEV -o -m state --state NEW -j ACCEPT
# nat OpenVPN clients over the local internet gateway
iptables -t nat -A POSTROUTING -s $OVPN_SERVER -o $WAN_IF -j MASQUERADE

iptables -I INPUT -p udp --dport 443 -j ACCEPT
iptables -I INPUT -p udp --dport 1194 -j ACCEPT

iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT

iptables -I FORWARD -i br0 -o tun2 -j ACCEPT
iptables -I FORWARD -i tun2 -o br0 -j ACCEPT



Please... help me!

If possible, a link to correctly set up a DD-WRT router.
sarumans
DD-WRT Novice


Joined: 01 Dec 2013
Posts: 18

Posted: Tue Oct 31, 2017 17:27
Hello @Boogalooz, can you help me please?
I have been trying everything for months but no way.

I have a WDR3600 router with LAN 192.168.0.1 and I am trying to connect with my Android phone.

Can you post your settings on the router? (an image if possible)

Which version of OpenVPN are you using?
I have Windows 7 64-bit. How do you generate the keys?
Page 3 of 4