OpenVPN Server: no bytes received

DD-WRT Forum Index -> Broadcom SoC based Hardware
maxe
DD-WRT Novice


Joined: 30 May 2018
Posts: 7

Posted: Wed May 30, 2018 10:01    Post subject: OpenVPN Server: no bytes received
Hi everyone!

I have been at this problem two times already, starting completely anew each time.

Basically I followed the DD-WRT OpenVPN guide on how to enable and configure the OpenVPN Server on my Netgear R7000 with the most current Kong DD-WRT build from the 24th of May. [https://wiki.dd-wrt.com/wiki/index.php/OpenVPN]

I actually got pretty far: certificates, keys etc. are all set up. OpenVPN runs fine in DD-WRT's status page and my phone can successfully establish a connection to the server. But that is it. I cannot access any webpages on my phone from that moment on. I did try that connection via mobile internet, not the same wifi the router is on.

I tried to put the VPN net on different subnets, added firewall exceptions so that the VPN subnet may communicate with the rest of the subnet, and told the VPN client to route all traffic through the tunnel.

Still nothing seems to work. I feel myself slowly going mad.

Anybody got any ideas?

EDIT:

Server log added + DD-WRT status webpage

Code:

Server log:
20180530 12:06:33 W WARNING: Using --management on a TCP port WITHOUT passwords is STRONGLY discouraged and considered insecure
20180530 12:06:33 W WARNING: file '/tmp/openvpn/ta.key' is group or others accessible
20180530 12:06:33 I OpenVPN 2.4.6 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on May 24 2018
20180530 12:06:33 I library versions: OpenSSL 1.1.0h 27 Mar 2018 LZO 2.09
20180530 12:06:33 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:14
20180530 12:06:33 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
20180530 12:06:33 Diffie-Hellman initialized with 2048 bit key
20180530 12:06:33 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
20180530 12:06:33 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
20180530 12:06:33 W WARNING: normally if you use --mssfix and/or --fragment you should also set --tun-mtu 1500 (currently it is 1380)
20180530 12:06:33 I TUN/TAP device tun2 opened
20180530 12:06:33 TUN/TAP TX queue length set to 100
20180530 12:06:33 D do_ifconfig tt->did_ifconfig_ipv6_setup=0
20180530 12:06:33 I /sbin/ifconfig tun2 6.6.6.1 netmask 255.255.255.0 mtu 1380 broadcast 6.6.6.255
20180530 12:06:33 Socket Buffers: R=[180224->180224] S=[180224->180224]
20180530 12:06:33 I UDPv4 link local (bound): [AF_INET][undef]:1194
20180530 12:06:33 I UDPv4 link remote: [AF_UNSPEC]
20180530 12:06:33 MULTI: multi_init called r=256 v=256
20180530 12:06:33 IFCONFIG POOL: base=6.6.6.2 size=252 ipv6=0
20180530 12:06:33 I ifconfig_pool_read() in='mobile1 6.6.6.2' TODO: IPv6
20180530 12:06:33 I succeeded -> ifconfig_pool_set()
20180530 12:06:33 IFCONFIG POOL LIST
20180530 12:06:33 mobile1 6.6.6.2
20180530 12:06:33 I Initialization Sequence Completed
20180530 12:06:39 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20180530 12:06:39 D MANAGEMENT: CMD 'state'
20180530 12:06:39 MANAGEMENT: Client disconnected
20180530 12:06:39 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20180530 12:06:39 D MANAGEMENT: CMD 'state'
20180530 12:06:39 MANAGEMENT: Client disconnected
20180530 12:06:39 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20180530 12:06:39 D MANAGEMENT: CMD 'state'
20180530 12:06:39 MANAGEMENT: Client disconnected
20180530 12:06:39 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20180530 12:06:39 MANAGEMENT: Client disconnected
20180530 12:06:39 NOTE: --mute triggered...
20180530 12:06:39 1 variation(s) on previous 3 message(s) suppressed by --mute
20180530 12:06:39 D MANAGEMENT: CMD 'status 2'
20180530 12:06:39 MANAGEMENT: Client disconnected
20180530 12:06:40 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20180530 12:06:40 D MANAGEMENT: CMD 'status 2'
20180530 12:06:40 MANAGEMENT: Client disconnected
20180530 12:06:40 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20180530 12:06:40 D MANAGEMENT: CMD 'log 500'
20180530 12:06:40 MANAGEMENT: Client disconnected
20180530 12:46:00 W XXX:29633 WARNING: normally if you use --mssfix and/or --fragment you should also set --tun-mtu 1500 (currently it is 1380)
20180530 12:46:00 XXX:29633 TLS: Initial packet from [AF_INET]XXX:29633 sid=2db1206b b1c130cf
20180530 12:46:01 XXX:29633 VERIFY OK: depth=1 CN=XXX
20180530 12:46:01 XXX:29633 VERIFY OK: depth=0 CN=mobile1
20180530 12:46:01 I XXX:29633 peer info: IV_GUI_VER=de.blinkt.openvpn_0.7.5
20180530 12:46:01 I XXX:29633 peer info: IV_VER=3.git:master
20180530 12:46:01 I XXX:29633 peer info: IV_PLAT=android
20180530 12:46:01 I XXX:29633 peer info: IV_NCP=2
20180530 12:46:01 I XXX:29633 peer info: IV_TCPNL=1
20180530 12:46:01 I XXX:29633 peer info: IV_PROTO=2
20180530 12:46:01 I XXX:29633 peer info: IV_LZO=1
20180530 12:46:01 I XXX:29633 peer info: IV_AUTO_SESS=1
20180530 12:46:01 W XXX:29633 WARNING: 'link-mtu' is used inconsistently local='link-mtu 1450' remote='link-mtu 1570'
20180530 12:46:01 W XXX:29633 WARNING: 'tun-mtu' is used inconsistently local='tun-mtu 1380' remote='tun-mtu 1500'
20180530 12:46:02 XXX:29633 Control Channel: TLSv1.2 cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 2048 bit RSA
20180530 12:46:02 I XXX:29633 [mobile1] Peer Connection Initiated with [AF_INET]XXX:29633
20180530 12:46:02 I mobile1/XXX:29633 MULTI_sva: pool returned IPv4=6.6.6.2 IPv6=(Not enabled)
20180530 12:46:02 mobile1/XXX:29633 OPTIONS IMPORT: reading client specific options from: /tmp/openvpn_cc_7def1b5d6db0de84.tmp
20180530 12:46:02 mobile1/XXX:29633 MULTI: Learn: 6.6.6.2 -> mobile1/XXX:29633
20180530 12:46:02 mobile1/XXX:29633 MULTI: primary virtual IP for mobile1/XXX:29633: 6.6.6.2
20180530 12:46:02 mobile1/XXX:29633 PUSH: Received control message: 'PUSH_REQUEST'
20180530 12:46:02 mobile1/XXX:29633 SENT CONTROL [mobile1]: 'PUSH_REPLY route 9.9.9.0 255.255.255.0 dhcp-option DNS 6.6.6.1 route-gateway 6.6.6.1 topology subnet ping 10 ping-restart 120 ifconfig 6.6.6.2 255.255.255.0 peer-id 0 cipher AES-256-GCM' (status=1)
20180530 12:46:02 mobile1/XXX:29633 Data Channel: using negotiated cipher 'AES-256-GCM'
20180530 12:46:02 mobile1/XXX:29633 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
20180530 12:46:02 mobile1/XXX:29633 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
20180530 12:46:06 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20180530 12:46:06 D MANAGEMENT: CMD 'state'
20180530 12:46:06 MANAGEMENT: Client disconnected
20180530 12:46:06 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20180530 12:46:06 D MANAGEMENT: CMD 'state'
20180530 12:46:06 MANAGEMENT: Client disconnected
20180530 12:46:06 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20180530 12:46:06 D MANAGEMENT: CMD 'state'
20180530 12:46:06 MANAGEMENT: Client disconnected
20180530 12:46:06 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20180530 12:46:06 MANAGEMENT: Client disconnected
20180530 12:46:06 NOTE: --mute triggered...
20180530 12:46:06 1 variation(s) on previous 3 message(s) suppressed by --mute
20180530 12:46:06 D MANAGEMENT: CMD 'status 2'
20180530 12:46:06 MANAGEMENT: Client disconnected
20180530 12:46:06 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20180530 12:46:06 D MANAGEMENT: CMD 'status 2'
20180530 12:46:06 MANAGEMENT: Client disconnected
20180530 12:46:06 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20180530 12:46:06 D MANAGEMENT: CMD 'log 500'
19700101 01:00:00




Attachment: Screenshot from 2018-05-30 12-52-37_censored.png (DD-WRT OpenVPN status page, 26.14 KB)
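An added example, not from the original post and not DD-WRT code: a small Python triage of the server log above. It picks out the two hardening warnings OpenVPN printed at startup (the management interface on a TCP port with no password, and a ta.key readable by group/others), the tun-mtu mismatch, whether the tunnel sits in public address space, and what the PUSH_REPLY actually handed the client, which is what decides whether the phone gets a route back into the LAN at all. The sample lines are copied from the posted log with the poster's XXX redactions kept; the LAN subnet 192.168.1.0/24 is an assumption, since the thread never states it. OpenVPN normally separates pushed options with commas while the DD-WRT log viewer shows them space-separated, so the parser accepts both forms.

```python
"""Triage an OpenVPN 2.4 server log for the problems discussed in this thread.

Added example (not from the original post, not DD-WRT code). SAMPLE_LOG is
copied from the log posted above, with the poster's XXX redactions kept.
"""
import ipaddress
import re

SAMPLE_LOG = """\
20180530 12:06:33 W WARNING: Using --management on a TCP port WITHOUT passwords is STRONGLY discouraged and considered insecure
20180530 12:06:33 W WARNING: file '/tmp/openvpn/ta.key' is group or others accessible
20180530 12:06:33 I /sbin/ifconfig tun2 6.6.6.1 netmask 255.255.255.0 mtu 1380 broadcast 6.6.6.255
20180530 12:46:01 W XXX:29633 WARNING: 'tun-mtu' is used inconsistently local='tun-mtu 1380' remote='tun-mtu 1500'
20180530 12:46:02 mobile1/XXX:29633 SENT CONTROL [mobile1]: 'PUSH_REPLY route 9.9.9.0 255.255.255.0 dhcp-option DNS 6.6.6.1 route-gateway 6.6.6.1 topology subnet ping 10 ping-restart 120 ifconfig 6.6.6.2 255.255.255.0 peer-id 0 cipher AES-256-GCM' (status=1)
"""

# Each pattern is a genuine OpenVPN log message; the key is our finding name.
WARNING_PATTERNS = {
    "management-no-password": r"--management on a TCP port WITHOUT passwords",
    "ta-key-permissions": r"file '[^']+' is group or others accessible",
    "mtu-mismatch": r"'(tun-mtu|link-mtu)' is used inconsistently",
}
IFCONFIG_RE = re.compile(r"/sbin/ifconfig (\S+) (\S+) netmask (\S+)")
PUSH_REPLY_RE = re.compile(r"PUSH_REPLY[ ,](.*?)' \(status=")

# Option names that can appear in a PUSH_REPLY; used to split the option string.
KNOWN_OPTIONS = {
    "route", "route-ipv6", "dhcp-option", "route-gateway", "topology", "ping",
    "ping-restart", "ifconfig", "ifconfig-ipv6", "peer-id", "cipher",
    "redirect-gateway", "comp-lzo", "compress", "block-outside-dns",
}


def parse_push_reply(option_string):
    """Return [(option, [args...]), ...] from a PUSH_REPLY option string.

    OpenVPN separates pushed options with commas; the DD-WRT log viewer in the
    post shows them space-separated, so split on known option names instead
    and accept either form."""
    options = []
    for tok in option_string.replace(",", " ").split():
        if tok in KNOWN_OPTIONS:
            options.append([tok])
        elif options:            # argument of the current option
            options[-1].append(tok)
    return [(o[0], o[1:]) for o in options]


def triage(log_text, lan_subnet):
    """Summarise one server log. lan_subnet is the LAN behind the server."""
    lan = ipaddress.ip_network(lan_subnet)
    f = {"warnings": [], "tunnel": None, "public_tunnel_subnet": False,
         "pushed_routes": [], "dns": [], "redirect_gateway": False,
         "lan_route_pushed": False}
    for line in log_text.splitlines():
        for name, pat in WARNING_PATTERNS.items():
            if re.search(pat, line):
                f["warnings"].append(name)
        m = IFCONFIG_RE.search(line)
        if m:
            dev, addr, mask = m.groups()
            net = ipaddress.ip_interface(f"{addr}/{mask}").network
            f["tunnel"] = (dev, str(net))
            f["public_tunnel_subnet"] = not net.is_private   # 6.6.6.0/24 is not RFC 1918
        m = PUSH_REPLY_RE.search(line)
        if m:
            for opt, args in parse_push_reply(m.group(1)):
                if opt == "route" and len(args) >= 2:
                    net = ipaddress.ip_network(f"{args[0]}/{args[1]}")
                    f["pushed_routes"].append(str(net))
                    f["lan_route_pushed"] |= net == lan
                elif opt == "dhcp-option" and args[:1] == ["DNS"]:
                    f["dns"].extend(args[1:])
                elif opt == "redirect-gateway":
                    f["redirect_gateway"] = True
    return f


if __name__ == "__main__":
    # The LAN subnet is an assumption; the thread never states it.
    for key, value in triage(SAMPLE_LOG, "192.168.1.0/24").items():
        print(f"{key:22} {value}")
```

Run against the posted log it reports no redirect-gateway and no route for the server's LAN, only 9.9.9.0/24, which is consistent with a client that connects fine and then has nowhere to send LAN traffic. The two startup warnings are worth acting on regardless of the routing problem: the management socket is bound to 127.0.0.1 here, but anything running on the router can drive it, and ta.key should be readable only by the OpenVPN process.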


clueo8
DD-WRT Novice


Joined: 17 Oct 2016
Posts: 20

Posted: Wed May 30, 2018 12:21
What's your openvpn config look like in ddwrt?

I have the same router and just upgraded to the same kong firmware and my openvpn is working... I did have to change my proto udp to proto udp4 after doing this.

This could be a dns issue; I see you have dhcp-option DNS 6.6.6.1... Try changing that to something like google's 8.8.8.8 or cloudflare's 1.1.1.1 to see if that does it... I've never been able to get my openvpn clients to resolve my local hostnames...
maxe
DD-WRT Novice


Joined: 30 May 2018
Posts: 7

Posted: Wed May 30, 2018 12:49
clueo8 wrote:
What's your openvpn config look like in ddwrt?

I have the same router and just upgraded to the same kong firmware and my openvpn is working... I did have to change my proto udp to proto udp4 after doing this.

This could be a dns issue; I see you have dhcp-option DNS 6.6.6.1... Try changing that to something like google's 8.8.8.8 or cloudflare's 1.1.1.1 to see if that does it... I've never been able to get my openvpn clients to resolve my local hostnames...


Well, tbh I was hoping to establish a connection so that my device (PC or smartphone) would act as if it was part of the local network, as in that I could access the router or transfer data from my Samba server.

I tried to push 1.1.1.1 as a DNS option but it still does not work. Current config is attached.

Advanced config:

Code:


push "route 9.9.9.0 255.255.255.0"
push "route 6.6.6.0 255.255.255.0"
push "route 2.2.2.0 255.255.255.0"
push "dhcp-option DNS 1.1.1.1"



Apparently the problem is that no data can be routed back to the OpenVPN client. I think there is no route for the flowback. Any clue how I can try to address that?

6.6.6.X is a valid subnet btw. Does OpenVPN need its own unused subnet?



Attachment: Screenshot from 2018-05-30 14-51-47.png (OpenVPN server config page, 52.64 KB)


clueo8
DD-WRT Novice


Joined: 17 Oct 2016
Posts: 20

Posted: Wed May 30, 2018 15:07
Which guide did you follow? (url?)

There are also firewall rules you need to add which are outside of the openvpn configuration page.

Also, I've had better luck with config as daemon and adding the additional configs manually instead of the server mode you're using...
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12923
Location: Netherlands

Posted: Wed May 30, 2018 22:15
As you did not enable Redirect Default Gateway, you should push the route of your local network.
From my notes :) :

If you do want to connect to the OpenVPN servers local subnet (which is often done) then you have to push that route to your client e.g.:
push "route 192.168.1.0 255.255.255.0 vpn_gateway"

That is assuming 192.168.1.0 is your local subnet from the router where the OpenVPN server resides.

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
maxe
DD-WRT Novice


Joined: 30 May 2018
Posts: 7

Posted: Fri Jun 01, 2018 7:24
eibgrad wrote:
I don't recommend daemon mode. That's the equivalent of expert mode. Use server mode.

The reason most ppl get into trouble w/ the OpenVPN server config is that they *over* configure it, and that's usually because they're relying on outdated information from tutorials and even dd-wrt wikis. Just fill out the basic GUI elements. Keep it simple! You can always tweak it later.

When it comes to the Additional Config field, all you typically need are push directives (e.g., the local IP network behind the OpenVPN server, and perhaps a DNS server). If you find yourself adding anything else, DON'T. Less is more!

You also don't need any firewall rules, except for one case. If you want your OpenVPN clients to use your OpenVPN server as a gateway for internet access, you need to NAT the tunnel's network over the WAN.

Code:
WAN_IF="$(ip route | awk '/^default/{print $NF}')"
iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o $WAN_IF -j MASQUERADE


The above goes in the firewall script.

Notice I used 10.8.0.0/24 rather than your 6.6.6.0/24. There's no good reason to use anything other than a private network (192.168.x.x, 10.x.x.x, 172.16.x.x) for the tunnel. I always use 10.8.0.0/24 because it's private, and used in the OpenVPN documentation by convention.


So if I do not NAT the tunnel's network over the WAN, the client will keep using its own internet connection? Is that a similar option to "redirect default gateway"?


egc wrote:
As you did not enable Redirect Default Gateway, you should push the route of your local network.
From my notes Smile :

If you do want to connect to the OpenVPN servers local subnet (which is often done) then you have to push that route to your client e.g.:
push "route 192.168.1.0 255.255.255.0 vpn_gateway"

That is assuming 192.168.1.0 is your local subnet from the router where the OpenVPN server resides.


Is there a preferred setting if one compares the push command and the "redirect default gateway" option, or are they both the same?

EDIT: If I try to execute the firewall commands:

Code:

WAN_IF="$(ip route | awk '/^default/{print $NF}')"
iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o $WAN_IF -j MASQUERADE

It replies with " Bad argument `MASQUERADE' "

EDIT2:

Is it normal that the OpenVPN client is not shown as a device that is part of the local network?
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12923
Location: Netherlands

Posted: Fri Jun 01, 2018 9:28
Enabling "redirect default gateway" actually adds:
Code:
push "redirect-gateway def1"
to the config file; this is equivalent to:
Code:
push "route 0.0.0.0 128.0.0.0 vpn_gateway"
push "route 128.0.0.0 128.0.0.0 vpn_gateway"


This will result in all traffic from the client using the VPN, also when the client wants to use the internet. But for that you have to use the NAT rule, otherwise the traffic from the VPN tunnel destined for the internet will not reach it.

If you do not want to use the internet via the VPN tunnel then only push the local route per my instructions. You can then reach the local subnet of the VPN server, but as you do not use the VPN for the internet, the NAT rule is not necessary.

Why the NAT rule throws an error is eluding me. MASQUERADE is like SNATting to the IP of the out interface.
Is this router in default gateway mode and attached to the internet?

@Eibgrad will probably know the answer, he is our leading expert :)

I have attached my notes for setting up an OpenVPN server, maybe they can be of some use.



Attachment: DDWRT OpenVPN Server Setup Public.doc (471.5 KB)


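A worked example, added here and not part of egc's post or of OpenVPN itself: a longest-prefix-match lookup over a constructed client routing table shows why the two /1 routes that "redirect-gateway def1" expands to override the ISP default route without deleting it, why the client also pins a /32 host route to the server's public address via the original gateway, and why internet-bound packets then enter the tunnel with a 10.8.0.x source (which is what the MASQUERADE rule on the server is for). All addresses are assumptions: client LAN 192.168.178.0/24 behind 192.168.178.1 on wlan0, tunnel 10.8.0.0/24 with server-side gateway 10.8.0.1 on tun0, server LAN 192.168.1.0/24, server public address 203.0.113.10 (RFC 5737 documentation range).

```python
"""What "push redirect-gateway def1" does to a client's routing table.

Added example, not part of egc's post or OpenVPN itself: a longest-prefix-match
lookup over a constructed client routing table. Addresses are assumptions:
client LAN 192.168.178.0/24 behind 192.168.178.1 on wlan0, tunnel 10.8.0.0/24
with server-side gateway 10.8.0.1 on tun0, server LAN 192.168.1.0/24, server
public address 203.0.113.10 (RFC 5737 documentation range).
"""
import ipaddress


def add_route(table, prefix, gateway, dev, metric=0):
    """Append (network, gateway, device, metric); gateway None = directly attached."""
    table.append((ipaddress.ip_network(prefix), gateway, dev, metric))


def lookup(table, dst):
    """Kernel-style selection: longest prefix wins, lower metric breaks ties."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw, dev, metric in table:
        if addr in net:
            key = (net.prefixlen, -metric)
            if best is None or key > best[0]:
                best = (key, gw, dev)
    return None if best is None else (best[1], best[2])


def def1_routes():
    """The two /1 prefixes def1 pushes; together they cover all of IPv4."""
    return [str(n) for n in
            ipaddress.ip_network("0.0.0.0/0").subnets(prefixlen_diff=1)]


def client_table_before():
    """The client's table on its home wifi, before the tunnel comes up."""
    t = []
    add_route(t, "0.0.0.0/0", "192.168.178.1", "wlan0")
    add_route(t, "192.168.178.0/24", None, "wlan0")
    return t


def apply_push(table, server_public_ip, vpn_gateway, pushed):
    """Mimic how an OpenVPN client installs the pushed options."""
    for name, *args in pushed:
        if name == "redirect-gateway" and "def1" in args:
            # Host route to the server via the ORIGINAL gateway, so the tunnel's
            # own UDP packets are not swallowed by the tunnel.
            orig_gw, orig_dev = lookup(table, server_public_ip)
            add_route(table, f"{server_public_ip}/32", orig_gw, orig_dev)
            # def1: two /1 routes beat 0.0.0.0/0 on prefix length, so the ISP
            # default is overridden without being deleted (egc's equivalence).
            for prefix in def1_routes():
                add_route(table, prefix, vpn_gateway, "tun0")
        elif name == "route":
            # "route <net> <mask> vpn_gateway" -> via the tunnel
            add_route(table, f"{args[0]}/{args[1]}", vpn_gateway, "tun0")
    return table


def demo():
    t = client_table_before()
    add_route(t, "10.8.0.0/24", None, "tun0")      # the tun interface itself
    apply_push(t, "203.0.113.10", "10.8.0.1", [
        ("redirect-gateway", "def1"),
        ("route", "192.168.1.0", "255.255.255.0", "vpn_gateway"),
    ])
    return {dst: lookup(t, dst) for dst in (
        "8.8.8.8",        # internet: now enters tun0 -> needs MASQUERADE on the server
        "192.168.1.20",   # server LAN: pushed /24 via the tunnel
        "203.0.113.10",   # the server itself: pinned /32 via the original gateway
        "192.168.178.5",  # client's own LAN: still local
        "10.8.0.1",       # tunnel peer: directly attached
    )}


if __name__ == "__main__":
    for dst, (gw, dev) in demo().items():
        print(f"{dst:15} -> {dev} via {gw or 'link'}")
```

Without the def1 routes, only destinations covered by an explicitly pushed route (here 192.168.1.0/24) go through tun0 and everything else keeps using the client's own internet connection, which is the "push the local route only" case egc describes; the NAT rule is only needed once internet-bound traffic arrives on the server's tun interface.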
maxe
DD-WRT Novice


Joined: 30 May 2018
Posts: 7

Posted: Fri Jun 01, 2018 11:51
egc wrote:
Enabling "redirect default gateway" actually adds:
Code:
push "redirect-gateway def1"
to the config file; this is equivalent to:
Code:
push "route 0.0.0.0 128.0.0.0 vpn_gateway"
push "route 128.0.0.0 128.0.0.0 vpn_gateway"


This will result in all traffic from the client using the VPN, also when the client wants to use the internet. But for that you have to use the NAT rule, otherwise the traffic from the VPN tunnel destined for the internet will not reach it.

If you do not want to use the internet via the VPN tunnel then only push the local route per my instructions. You can then reach the local subnet of the VPN server, but as you do not use the VPN for the internet, the NAT rule is not necessary.

Why the NAT rule throws an error is eluding me. MASQUERADE is like SNATting to the IP of the out interface.
Is this router in default gateway mode and attached to the internet?

@Eibgrad will probably know the answer, he is our leading expert :)

I have attached my notes for setting up an OpenVPN server, maybe they can be of some use.


First, thank you very much for that document. I was unable to find anything as current as this one and it did feel like a lot of the guides out there were not up to date.

Now, I already had a look at the advanced part of the guide and noticed that, as I am using my DD-WRT router as a DNS server, I would need to tell DNSMasq to listen on the OpenVPN interface. Just that ... there is none? In your guide it states that it should be listed under "Setup" > "Advanced Routing" > "Routing Table". But the Routing Table simply does not exist for me? Any clue why that is?

And yes, I wanted to use the VPN for internet as well, even though I want to leave the choice to the client at some point. At least in the Android client you can select to use the VPN's internet.

The command was not wrong, but instead of "MASQUERADE" one has to type "MASQ". Now it is working.

EDIT:

One internal website of another router actually loaded via VPN, the rest still runs either insanely slow or doesn't load at all. Especially external websites fail to load completely.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12923
Location: Netherlands

Posted: Fri Jun 01, 2018 14:49
About the MASQUERADE / MASQ: you have to place the rules in the Firewall, you can not run them from Administration/Commands/Run Commands (yes, you can run them from telnet but not from Administration/Commands); the problem is you have to escape the special characters.

So just go to Administration/Commands and save to firewall (or edit if you already have something there).

If you only want to push a public DNS server (e.g. Google's):
Code:
push "dhcp-option DNS 8.8.8.8"


If you are pushing your own router (the OpenVPN server) then you have to tell DNSMasq to listen on the OpenVPN interface. To see that interface (usually tun2) you have to display the routing table: the router's GUI has a Setup tab; under this tab are Basic Setup (where you place the IP address etc.) but also a tab Advanced Routing, where there is a button "Show Routing Table". Just click on it and you will see your routing table.
Alternatively, telnet to your router and do: route -n


If you know your interface then head over to the Services/Services tab of your router's GUI and add the interface under "Additional DNSMasq Options": interface=tun2

egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12923
Location: Netherlands

Posted: Fri Jun 01, 2018 14:53
One more thing: I would use "WAN up" and not "System" as start up; your router is connected to a WAN interface so it seems prudent to wait till it is up.
maxe
DD-WRT Novice


Joined: 30 May 2018
Posts: 7

Posted: Sat Jun 02, 2018 10:19
egc wrote:
About the MASQUERADE / MASQ: you have to place the rules in the Firewall, you can not run them from Administration/Commands/Run Commands (yes, you can run them from telnet but not from Administration/Commands); the problem is you have to escape the special characters.

So just go to Administration/Commands and save to firewall (or edit if you already have something there).

If you only want to push a public DNS server (e.g. Google's):
Code:
push "dhcp-option DNS 8.8.8.8"


If you are pushing your own router (the OpenVPN server) then you have to tell DNSMasq to listen on the OpenVPN interface. To see that interface (usually tun2) you have to display the routing table: the router's GUI has a Setup tab; under this tab are Basic Setup (where you place the IP address etc.) but also a tab Advanced Routing, where there is a button "Show Routing Table". Just click on it and you will see your routing table.
Alternatively, telnet to your router and do: route -n


If you know your interface then head over to the Services/Services tab of your router's GUI and add the interface under "Additional DNSMasq Options": interface=tun2


So, everything is set up now. I am using the 10.8.0.0 subnet for OpenVPN, set it to redirect the default gateway, pushed the routes, told DNSMasq to listen on the tun2 interface and set the firewall commands. It seems to be kind of working, just insanely slow. Like, it only loads very very small websites and the rest just seems to never finish. Once I disconnect the VPN, Firefox just shows what it was able to load in the meantime. I am able to access my Samba share by now. Just insanely slow.
The OpenVPN status page of DD-WRT still states the following:

Code:

VPN Server Stats: nclients=1, bytesin=249372, bytesout=1305606
Client   Remote IP:Port   Bytes Received   Bytes Sent   Connected Since
pc1   XXX:16851   0   249372   1305606

VPN Server Routing Table
Client   Virtual Address   Real Address   Last Ref
pc1   10.8.0.3   XXX:16851   Sat Jun 2 12:10:47 2018


where XXX is the censored IP of my devices. As you can see, the client still seems to not receive any bytes. Why, I wonder, because it is somewhat working.

I tried it with a Windows VPN client now as well and it has the exact same symptoms as the Android client.

Could it be that the compression or encryption slows down the traffic that much? I am just surprised that it is *that* slow.

EDIT1:

After I found the "verb 4" command I found out that the packets of my Android phone were sent to the OpenVPN server via the internal IP address of the phone. OpenVPN then complained that it did not know where to route them. After I added the specific address as an "iroute" in the CCD field of the OpenVPN DD-WRT setup page it did work. I also had to set "UDP Fragment 1400" and "Tunnel UDP MSS-Fix" to yes and "mssfix 1400", because it then complained about the LZO compression header byte being faulty. I can now flawlessly access the internal devices. Just that I still cannot access any external internet websites.
A friend of mine who has been setting up OpenVPN on Linux machines independent of DD-WRT routers asked me if I had bridged or passed the traffic on from the tun2 adapter to the WAN adapter. Is that what needs to be done?

Also, does one really need to always tell the server what internal address any client that connects to the OpenVPN server is using? Does that not make it impossible to let anyone unknown connect to a public VPN server?
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12923
Location: Netherlands

Posted: Sun Jun 03, 2018 14:56
For a VPN to work there have to be 3 different subnets:
the local subnet of the router/server, the VPN subnet (i.e. 10.8.0.0) and the subnet/IP address of the client.
If your client is on the same subnet as the router it will not work (unless adding specific routes). So that is your problem.

Therefore test the VPN with your phone when using cellular; you can not test it when connected to your local network.

Also it is advised to use a local subnet for your router/server different from 192.168.0.0 and 192.168.1.0 as these are often used :)

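An added example, not egc's code and not from DD-WRT: a check with Python's ipaddress module of the three ranges egc lists, which also covers eibgrad's earlier point that the tunnel should sit in RFC 1918 space rather than 6.6.6.0/24 (a publicly routable block, so a client that has it in its table will send replies for real 6.6.6.x hosts into the tunnel). The first call in demo() uses the thread's own tunnel with an assumed server LAN of 192.168.1.0/24 and the phone on that same wifi; the second is a constructed clean layout with a cellular client on a made-up 100.64.12.0/24 range. The client's own range is only checked for overlap, not for being private, since a cellular client gets whatever its carrier hands out.

```python
"""Sanity-check the three address ranges a road-warrior OpenVPN setup keeps apart.

Added example, not egc's code. Inputs in demo() are constructed; see lead-in.
"""
import ipaddress

# The two ranges egc singles out as too common to use for the server's LAN.
COMMON_DEFAULT_LANS = {ipaddress.ip_network("192.168.0.0/24"),
                       ipaddress.ip_network("192.168.1.0/24")}


def check_plan(server_lan, tunnel, client_lan):
    """Return a list of problems; an empty list means the plan is sound.

    server_lan: LAN behind the DD-WRT OpenVPN server
    tunnel:     the server's tunnel network (DD-WRT's 'Network' field)
    client_lan: the network the client is on when it connects
    """
    nets = {"server_lan": ipaddress.ip_network(server_lan),
            "tunnel": ipaddress.ip_network(tunnel),
            "client_lan": ipaddress.ip_network(client_lan)}
    problems = []
    names = list(nets)
    # Any overlap means return traffic has an ambiguous route (egc's point).
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")
    # The ranges you control should be RFC 1918 space (eibgrad's point);
    # the client's range is whatever its carrier or hotspot hands out.
    for name in ("server_lan", "tunnel"):
        if not nets[name].is_private:
            problems.append(f"{name} {nets[name]} is not private (RFC 1918) space")
    if nets["server_lan"] in COMMON_DEFAULT_LANS:
        problems.append(f"server_lan {nets['server_lan']} is a common default; "
                        "remote clients may sit on the same range")
    return problems


def demo():
    """The thread's original layout versus a clean one (both constructed)."""
    return {
        # 6.6.6.0/24 tunnel from the first post; phone tested on the home wifi.
        "original": check_plan("192.168.1.0/24", "6.6.6.0/24", "192.168.1.0/24"),
        # 10.8.0.0/24 tunnel as eibgrad suggested, phone on a cellular range.
        "clean": check_plan("192.168.50.0/24", "10.8.0.0/24", "100.64.12.0/24"),
    }


if __name__ == "__main__":
    for label, problems in demo().items():
        print(label, "->", problems or "OK")
```

The "original" layout fails on all three counts (client and server on the same /24, a public tunnel range, and a server LAN on the most common default), which matches the symptoms in the thread: a tunnel that comes up, a client that sends, and no bytes coming back.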
maxe
DD-WRT Novice


Joined: 30 May 2018
Posts: 7

Posted: Sun Jun 03, 2018 16:43
I finally got it working. And the error was on my end.

I said before that

Code:

WAN_IF="$(ip route | awk '/^default/{print $NF}')"
iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o $WAN_IF -j MASQUERADE


was not working for me because of the "MASQUERADE". Well, I was a fool, because of course I checked the commands by letting them execute as commands and not just saving them to the firewall commands.

Now that I took these commands and saved them "as is", everything is working!

Thanks again everyone for your help! :D