VPN build with Web GUI


VPN failed?

I was using WRT54GL with TomatoVPN GUI for quite a long time without any problem.

Then today I got my new Asus RT-N16 installed. I loaded Teddy_Bear's MOD:
Tomato Firmware v1.27.9047 MIPSR2-beta16 K26 USB vpn3.6

On the OpenVPN Client config, I just copied and pasted all the settings from my WRT54GL to the new RT-N16. Everything is exactly the same, at least I believe.

Then I saw that OpenVPN connected to my office OpenVPN server. I can ping any IP on the remote side. BUT I just can't browse our internal web site using HTTP. The Samba connection also failed.

Here is the log from Tomato:
Code:
Jul 10 15:31:13 TeddyBear user.info kernel: tun: Universal TUN/TAP device driver, 1.6
Jul 10 15:31:13 TeddyBear user.info kernel: tun: (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>
Jul 10 15:31:13 TeddyBear daemon.notice openvpn[1161]: OpenVPN 2.1.1 mipsel-unknown-linux-gnu [SSL] [LZO2] [EPOLL] built on Jun 11 2010
Jul 10 15:31:13 TeddyBear daemon.warn openvpn[1161]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Jul 10 15:31:13 TeddyBear daemon.warn openvpn[1161]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Jul 10 15:31:13 TeddyBear daemon.notice openvpn[1161]: LZO compression initialized
Jul 10 15:31:13 TeddyBear daemon.notice openvpn[1161]: Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Jul 10 15:31:13 TeddyBear daemon.notice openvpn[1161]: Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Jul 10 15:31:13 TeddyBear daemon.notice openvpn[1165]: Socket Buffers: R=[112640->131072] S=[112640->131072]
Jul 10 15:31:13 TeddyBear daemon.notice openvpn[1165]: UDPv4 link local: [undef]
Jul 10 15:31:13 TeddyBear daemon.notice openvpn[1165]: UDPv4 link remote: 24.xxx.xxx.xxx:1194
Jul 10 15:31:13 TeddyBear daemon.notice openvpn[1165]: TLS: Initial packet from 24.xxx.xx.xxx:1194, sid=92a72082 07a3e54f
Jul 10 15:31:13 TeddyBear daemon.notice openvpn[1165]: VERIFY OK: depth=1, /C=CA/ST=BC/L=DELTA/O=XXXXXXXXX/CN=openvpn-gateway2/Email=admin@XXXXXXXX.com
Jul 10 15:31:14 TeddyBear daemon.notice openvpn[1165]: VERIFY OK: depth=0, /C=CA/ST=BC/O=XXXXXXXXXXXXXX/CN=openvpn-gateway2/Email=admin@XXXXXXXXXX.com
Jul 10 15:31:16 TeddyBear daemon.notice openvpn[1165]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Jul 10 15:31:16 TeddyBear daemon.notice openvpn[1165]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jul 10 15:31:16 TeddyBear daemon.notice openvpn[1165]: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Jul 10 15:31:16 TeddyBear daemon.notice openvpn[1165]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jul 10 15:31:16 TeddyBear daemon.notice openvpn[1165]: Control Channel: TLSv1, cipher TLSv1/SSLv3 EDH-RSA-DES-CBC3-SHA, 2048 bit RSA
Jul 10 15:31:16 TeddyBear daemon.notice openvpn[1165]: [openvpn-gateway2] Peer Connection Initiated with 24.xxx.xxx.xxx:1194
Jul 10 15:31:18 TeddyBear daemon.notice openvpn[1165]: SENT CONTROL [openvpn-gateway2]: 'PUSH_REQUEST' (status=1)
Jul 10 15:31:18 TeddyBear daemon.notice openvpn[1165]: PUSH: Received control message: 'PUSH_REPLY,dhcp-option WINS 192.168.123.30,route 192.168.123.0 255.255.255.0,route 192.168.25.0 255.255.255.0,route 10.66.77.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.66.77.6 10.66.77.5'
Jul 10 15:31:18 TeddyBear daemon.notice openvpn[1165]: OPTIONS IMPORT: timers and/or timeouts modified
Jul 10 15:31:18 TeddyBear daemon.notice openvpn[1165]: OPTIONS IMPORT: --ifconfig/up options modified
Jul 10 15:31:18 TeddyBear daemon.notice openvpn[1165]: OPTIONS IMPORT: route options modified
Jul 10 15:31:18 TeddyBear daemon.notice openvpn[1165]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Jul 10 15:31:18 TeddyBear daemon.notice openvpn[1165]: TUN/TAP device tun11 opened
Jul 10 15:31:18 TeddyBear daemon.notice openvpn[1165]: TUN/TAP TX queue length set to 100
Jul 10 15:31:18 TeddyBear daemon.notice openvpn[1165]: /sbin/ifconfig tun11 10.66.77.6 pointopoint 10.66.77.5 mtu 1500
Jul 10 15:31:18 TeddyBear daemon.notice openvpn[1165]: /sbin/route add -net 192.168.123.0 netmask 255.255.255.0 gw 10.66.77.5
Jul 10 15:31:18 TeddyBear daemon.notice openvpn[1165]: /sbin/route add -net 192.168.25.0 netmask 255.255.255.0 gw 10.66.77.5
Jul 10 15:31:18 TeddyBear daemon.notice openvpn[1165]: /sbin/route add -net 10.66.77.0 netmask 255.255.255.0 gw 10.66.77.5
Jul 10 15:31:18 TeddyBear daemon.notice openvpn[1165]: Initialization Sequence Completed

How can I troubleshoot this problem? I tried SSHing into the router and found the crt and key files, but I didn't find the client configuration file.

Please help. Thanks a lot!
 
Just to double check: can you ping the server(s) that run the website and Samba server?

The client config file is at /etc/openvpn/client1/config.ovpn. You could compare that to the one on the old router to see if there are any differences.

Can you telnet to port 80 on the webserver? If you connect to the router and run
Code:
iptables -t filter -nvL; iptables -t nat -nvL; iptables -t mangle -nvL
, what does it show?
 
Thank you SgtPepperKSU for help.

I did those tests following your instructions:
1. Yes, I can ping the HTTP/Samba server. But telnet failed to connect.
Code:
telnet 192.168.123.39 80

2. Compared the config.ovpn files and found they are the same except for one line:
Old WRT54GL
Code:
dev tun12

RT-N16
Code:
dev tun11

3. iptables -t filter -nvL; iptables -t nat -nvL; iptables -t mangle -nvL
Code:
root@TeddyBear:/tmp/home/root# iptables -t filter -nvL; iptables -t nat -nvL; iptables -t mangle -nvL
Chain INPUT (policy DROP 222 packets, 115K bytes)
 pkts bytes target     prot opt in     out     source               destination
    1    52 ACCEPT     all  --  tun11  *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  br0    *       0.0.0.0/0            206.116.xxx.xxx
    1    44 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
 1492  315K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
  333 35276 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0
    1    60 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:33434:33534
   37  1184 ACCEPT     2    --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  tun11  *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
   21  1096 TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x02 TCPMSS clamp to PMTU
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 wanin      all  --  vlan2  *       0.0.0.0/0            0.0.0.0/0
   29  3094 wanout     all  --  *      vlan2   0.0.0.0/0            0.0.0.0/0
  255 98303 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0
    0     0 upnp       all  --  vlan2  *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 2166 packets, 1133K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain upnp (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain wanin (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            224.0.0.0/4         udp

Chain wanout (1 references)
 pkts bytes target     prot opt in     out     source               destination
Chain PREROUTING (policy ACCEPT 538 packets, 137K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  vlan2  *       0.0.0.0/0            10.11.22.0/24
    0     0 DNAT       icmp --  *      *       0.0.0.0/0            206.116.xxx.xxx     to:10.11.22.1
  222  115K upnp       all  --  *      *       0.0.0.0/0            206.116.xxx.xxx

Chain POSTROUTING (policy ACCEPT 15 packets, 3335 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      tun11   10.11.22.0/24        0.0.0.0/0
   63  4055 MASQUERADE  all  --  *      vlan2   0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 56 packets, 5888 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain upnp (1 references)
 pkts bytes target     prot opt in     out     source               destination
Chain PREROUTING (policy ACCEPT 2407 packets, 572K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 2114 packets, 470K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 255 packets, 98303 bytes)
 pkts bytes target     prot opt in     out     source               destination
   29  3094 QOSO       all  --  *      vlan2   0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 2168 packets, 1135K bytes)
 pkts bytes target     prot opt in     out     source               destination
  512  127K QOSO       all  --  *      vlan2   0.0.0.0/0            0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 2473 packets, 1238K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain QOSO (2 references)
 pkts bytes target     prot opt in     out     source               destination
  541  130K BCOUNT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
  541  130K CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0           CONNMARK restore mask 0xff
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           CONNMARK match !0x0/0xff00
   23  1203 CONNMARK   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           mport dports 80,443 bcount --range 0:524287 CONNMARK set-return 0x2/0xff
    0     0 CONNMARK   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           mport dports 80,443 bcount --range 524288+ CONNMARK set-return 0x4/0xff
   37  2351 CONNMARK   udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:53 bcount --range 0:2047 CONNMARK set-return 0x1/0xff
    0     0 CONNMARK   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:53 bcount --range 0:2047 CONNMARK set-return 0x1/0xff
    0     0 CONNMARK   udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:53 bcount --range 2048+ CONNMARK set-return 0x5/0xff
    0     0 CONNMARK   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:53 bcount --range 2048+ CONNMARK set-return 0x5/0xff
  463  123K CONNMARK   udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:1024:65535 CONNMARK set-return 0x5/0xff
    0     0 CONNMARK   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpts:1024:65535 CONNMARK set-return 0x5/0xff
   18  4008 CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0           CONNMARK set-return 0x4
 
Hmmm, I don't see anything there that would cause your problem. Can you try the port 80 telnet from the router itself?
Note: when you connect it won't give any output until you type a command, such as
Code:
GET /index.html
 
I just did an NVRAM clean again and re-configured the OpenVPN client. It's still the same.

I tried telnet again from the router:
Code:
root@TeddyBear:/tmp/home/root# telnet 192.168.123.39 80
GET /index
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /index was not found on this server.</p>
<hr>
<address>Apache/2.2.6 (Fedora) Server at 192.168.123.39 Port 80</address>
</body></html>
Connection closed by foreign host

I got this 404, which means telnet to port 80 on our web server connected. But browsing from IE/Firefox still times out.
 
update:

It's Monday; I came to the office, checked our OpenVPN server log and found lots of this:
Code:
Mon Jul 12 11:45:48 2010 us=575558 openvpn-sgi/206.116.xxx.xxx:42052 MULTI: bad source address from client [206.116.xxx.xxx], packet dropped

Last night I flashed the Non-USB MOD (K26 build 47) from TeddyBear and OpenVPN is still not working.


update @ 1:10PM PST
Here is the log from the OpenVPN server when my router at home tries to connect:
Code:
Mon Jul 12 13:05:31 2010 us=326899 MULTI: multi_create_instance called
Mon Jul 12 13:05:31 2010 us=326958 206.116.xxx.xxx:15688 Re-using SSL/TLS context
Mon Jul 12 13:05:31 2010 us=326977 206.116.xxx.xxx:15688 LZO compression initialized
Mon Jul 12 13:05:31 2010 us=327055 206.116.xxx.xxx:15688 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Mon Jul 12 13:05:31 2010 us=327074 206.116.xxx.xxx:15688 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Mon Jul 12 13:05:31 2010 us=327114 206.116.xxx.xxx:15688 Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Mon Jul 12 13:05:31 2010 us=327128 206.116.xxx.xxx:15688 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Mon Jul 12 13:05:31 2010 us=327151 206.116.xxx.xxx:15688 Local Options hash (VER=V4): '530fdded'
Mon Jul 12 13:05:31 2010 us=327172 206.116.xxx.xxx:15688 Expected Remote Options hash (VER=V4): '41690919'
Mon Jul 12 13:05:31 2010 us=327236 206.116.xxx.xxx:15688 TLS: Initial packet from 206.116.xxx.xxx:15688, sid=93e2756d 19f5a1bf
Mon Jul 12 13:05:34 2010 us=98730 206.116.xxx.xxx:15688 CRL CHECK OK: /C=CA/ST=BC/L=DELTA/O=mycompany/CN=openvpn-gateway/emailAddress=admin@mycompany.com
Mon Jul 12 13:05:34 2010 us=98782 206.116.xxx.xxx:15688 VERIFY OK: depth=1, /C=CA/ST=BC/L=DELTA/O=mycompany/CN=openvpn-gateway2/emailAddress=admin@mycompany.com
Mon Jul 12 13:05:34 2010 us=99187 206.116.xxx.xxx:15688 CRL CHECK OK: /C=CA/ST=BC/O=mycompany/CN=openvpn-sgi/emailAddress=admin@mycompany.com
Mon Jul 12 13:05:34 2010 us=99227 206.116.xxx.xxx:15688 VERIFY OK: depth=0, /C=CA/ST=BC/O=mycompany/CN=openvpn-sgi/emailAddress=admin@mycompany.com
Mon Jul 12 13:05:34 2010 us=193195 206.116.xxx.xxx:15688 NOTE: Options consistency check may be skewed by version differences
Mon Jul 12 13:05:34 2010 us=193222 206.116.xxx.xxx:15688 WARNING: 'version' is used inconsistently, local='version V4', remote='version V0 UNDEF'
Mon Jul 12 13:05:34 2010 us=193241 206.116.xxx.xxx:15688 WARNING: 'dev-type' is present in local config but missing in remote config, local='dev-type tun'
Mon Jul 12 13:05:34 2010 us=193258 206.116.xxx.xxx:15688 WARNING: 'link-mtu' is present in local config but missing in remote config, local='link-mtu 1542'
Mon Jul 12 13:05:34 2010 us=193275 206.116.xxx.xxx:15688 WARNING: 'tun-mtu' is present in local config but missing in remote config, local='tun-mtu 1500'
Mon Jul 12 13:05:34 2010 us=193291 206.116.xxx.xxx:15688 WARNING: 'proto' is present in local config but missing in remote config, local='proto UDPv4'
Mon Jul 12 13:05:34 2010 us=193308 206.116.xxx.xxx:15688 WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
Mon Jul 12 13:05:34 2010 us=193324 206.116.xxx.xxx:15688 WARNING: 'cipher' is present in local config but missing in remote config, local='cipher BF-CBC'
Mon Jul 12 13:05:34 2010 us=193340 206.116.xxx.xxx:15688 WARNING: 'auth' is present in local config but missing in remote config, local='auth SHA1'
Mon Jul 12 13:05:34 2010 us=193356 206.116.xxx.xxx:15688 WARNING: 'keysize' is present in local config but missing in remote config, local='keysize 128'
Mon Jul 12 13:05:34 2010 us=193373 206.116.xxx.xxx:15688 WARNING: 'key-method' is present in local config but missing in remote config, local='key-method 2'
Mon Jul 12 13:05:34 2010 us=193389 206.116.xxx.xxx:15688 WARNING: 'tls-client' is present in local config but missing in remote config, local='tls-client'
Mon Jul 12 13:05:34 2010 us=193622 206.116.xxx.xxx:15688 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Jul 12 13:05:34 2010 us=193641 206.116.xxx.xxx:15688 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Jul 12 13:05:34 2010 us=193725 206.116.xxx.xxx:15688 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Jul 12 13:05:34 2010 us=193741 206.116.xxx.xxx:15688 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Jul 12 13:05:34 2010 us=225900 206.116.xxx.xxx:15688 Control Channel: TLSv1, cipher TLSv1/SSLv3 EDH-RSA-DES-CBC3-SHA, 2048 bit RSA
Mon Jul 12 13:05:34 2010 us=225930 206.116.xxx.xxx:15688 [openvpn-sgi] Peer Connection Initiated with 206.116.xxx.xxx:15688
Mon Jul 12 13:05:34 2010 us=226014 openvpn-sgi/206.116.xxx.xxx:15688 MULTI: Learn: 10.66.77.6 -> openvpn-sgi/206.116.xxx.xxx:15688
Mon Jul 12 13:05:34 2010 us=226033 openvpn-sgi/206.116.xxx.xxx:15688 MULTI: primary virtual IP for openvpn-sgi/206.116.xxx.xxx:15688: 10.66.77.6
Mon Jul 12 13:05:36 2010 us=270038 openvpn-sgi/206.116.xxx.xxx:15688 PUSH: Received control message: 'PUSH_REQUEST'
Mon Jul 12 13:05:36 2010 us=270109 openvpn-sgi/206.116.xxx.xxx:15688 SENT CONTROL [openvpn-sgi]: 'PUSH_REPLY,dhcp-option WINS 192.168.123.30,route 192.168.123.0 255.255.255.0,route 192.168.25.0 255.255.255.0,route 10.66.77.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.66.77.6 10.66.77.5' (status=1)
Mon Jul 12 13:05:36 2010 us=562332 openvpn-sgi/206.116.xxx.xxx:15688 MULTI: bad source address from client [10.11.22.92], packet dropped
Mon Jul 12 13:05:36 2010 us=710416 openvpn-sgi/206.116.xxx.xxx:15688 MULTI: bad source address from client [10.11.22.92], packet dropped
Mon Jul 12 13:05:40 2010 us=710702 openvpn-sgi/206.116.xxx.xxx:15688 MULTI: bad source address from client [10.11.22.92], packet dropped
 
Your client is incorrectly using its LAN address instead of its VPN address as the source of the packets. The VPN server doesn't know anything about their LAN, so things fail.

I'm guessing it was a Windows client, as I've seen people report this bug before. If you know what the LAN looks like where this client connects from, you can fill out the client-specific options table for them. Otherwise, you'll need to find a solution to this Windows bug (not even a Windows OpenVPN bug, as far as I can tell), and I don't know what that is.
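An added example, not from this thread, Tomato or OpenVPN: a Python script that parses the server-log lines quoted above (embedded as a constructed sample, external address left masked), records the VPN address the server pushed to the client, and classifies each "bad source address" drop against it, naming the two defensible fixes (NAT the LAN behind the client router to its VPN address before it enters the tunnel, or declare that LAN server-side with an iroute for this client); it also reads the nat POSTROUTING counters from the client router's iptables output posted earlier to show whether the MASQUERADE rule for tun11 saw any traffic. Assumptions: the /24 size of the client LAN is taken from the 10.11.22.0/24 rule in that output, and the function names are chosen here.

```python
"""Correlate OpenVPN 'bad source address' drops with the VPN address pushed to the client."""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample: server-log lines quoted in this thread (the external
# address stays masked as 206.116.xxx.xxx, exactly as the post shows it).
SAMPLE_LOG = """\
Mon Jul 12 13:05:34 2010 us=226014 openvpn-sgi/206.116.xxx.xxx:15688 MULTI: Learn: 10.66.77.6 -> openvpn-sgi/206.116.xxx.xxx:15688
Mon Jul 12 13:05:36 2010 us=270109 openvpn-sgi/206.116.xxx.xxx:15688 SENT CONTROL [openvpn-sgi]: 'PUSH_REPLY,dhcp-option WINS 192.168.123.30,route 192.168.123.0 255.255.255.0,route 192.168.25.0 255.255.255.0,route 10.66.77.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.66.77.6 10.66.77.5' (status=1)
Mon Jul 12 13:05:36 2010 us=562332 openvpn-sgi/206.116.xxx.xxx:15688 MULTI: bad source address from client [10.11.22.92], packet dropped
Mon Jul 12 13:05:36 2010 us=710416 openvpn-sgi/206.116.xxx.xxx:15688 MULTI: bad source address from client [10.11.22.92], packet dropped
Mon Jul 12 13:05:40 2010 us=710702 openvpn-sgi/206.116.xxx.xxx:15688 MULTI: bad source address from client [10.11.22.92], packet dropped
"""

# Constructed sample: the nat POSTROUTING chain from the client router's
# 'iptables -t nat -nvL' output posted earlier in the thread.
SAMPLE_NAT_POSTROUTING = """\
Chain POSTROUTING (policy ACCEPT 15 packets, 3335 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      tun11   10.11.22.0/24        0.0.0.0/0
   63  4055 MASQUERADE  all  --  *      vlan2   0.0.0.0/0            0.0.0.0/0
"""

LEARN_RE = re.compile(r" (?P<client>\S+)/\S+:\d+ MULTI: Learn: (?P<ip>[\d.]+) -> ")
PUSH_RE = re.compile(r"SENT CONTROL \[(?P<client>[^\]]+)\]: 'PUSH_REPLY,(?P<opts>[^']*)'")
BAD_RE = re.compile(r" (?P<client>\S+)/\S+:\d+ MULTI: bad source address from client \[(?P<ip>[\d.]+)\]")

def parse_server_log(text):
    """Per client CN: the VPN address the server assigned, the routes it pushed,
    and a count of every source address it refused to accept from that client."""
    clients = defaultdict(lambda: {"vpn_ip": None, "pushed_routes": [],
                                   "bad_sources": defaultdict(int)})
    for line in text.splitlines():
        if m := LEARN_RE.search(line):
            clients[m["client"]]["vpn_ip"] = m["ip"]
        elif m := PUSH_RE.search(line):
            entry = clients[m["client"]]
            for opt in m["opts"].split(","):
                words = opt.split()
                if words[:1] == ["ifconfig"]:   # 'ifconfig <client-ip> <peer-ip>'
                    entry["vpn_ip"] = words[1]
                elif words[:1] == ["route"]:    # 'route <network> <netmask>'
                    entry["pushed_routes"].append(str(ip_network(f"{words[1]}/{words[2]}")))
        elif m := BAD_RE.search(line):
            clients[m["client"]]["bad_sources"][m["ip"]] += 1
    return clients

def classify(clients, known_iroutes=(), lan_prefixlen=24):
    """One (client, source, count, verdict, fix) tuple per dropped source address.
    lan_prefixlen is an assumption: this thread's iptables output shows the
    client LAN as 10.11.22.0/24."""
    iroutes = [ip_network(n) for n in known_iroutes]
    findings = []
    for client, entry in clients.items():
        vpn_ip = ip_address(entry["vpn_ip"]) if entry["vpn_ip"] else None
        for src, count in entry["bad_sources"].items():
            src_ip = ip_address(src)
            if vpn_ip is not None and src_ip == vpn_ip:
                verdict = "source is the client's own VPN address"
                fix = "unexpected; look for a second session using the same certificate"
            elif any(src_ip in net for net in iroutes):
                verdict = "source is inside a subnet already declared with iroute"
                fix = f"server already expects it from {client}; check the ccd entry is loaded"
            else:
                lan = ip_network(f"{src}/{lan_prefixlen}", strict=False)
                target = vpn_ip or "the client's VPN address"
                verdict = "source is a LAN host behind the client, not the client's VPN address"
                fix = (f"either NAT LAN traffic to {target} before it enters the tunnel "
                       f"(the MASQUERADE-to-tun11 rule on the client router), or declare the LAN "
                       f"server-side: 'iroute {lan.network_address} {lan.netmask}' in ccd/{client} "
                       f"plus 'route {lan.network_address} {lan.netmask}' in the server config")
            findings.append((client, src, count, verdict, fix))
    return findings

def _counter(token):
    """iptables -v abbreviates large counters with K/M/G (x1000 steps)."""
    scale = {"K": 1_000, "M": 1_000_000, "G": 1_000_000_000}
    return int(token[:-1]) * scale[token[-1]] if token[-1] in scale else int(token)

def masquerade_packets(iptables_text, out_iface):
    """Packet counter of the MASQUERADE rule whose 'out' interface is out_iface,
    or None if no such rule exists. Zero on the tun11 rule means no LAN-sourced
    connection was translated to the VPN address on its way into the tunnel."""
    for line in iptables_text.splitlines():
        f = line.split()
        if len(f) >= 7 and f[2] == "MASQUERADE" and f[6] == out_iface:
            return _counter(f[0])
    return None

if __name__ == "__main__":
    for client, src, count, verdict, fix in classify(parse_server_log(SAMPLE_LOG)):
        print(f"{client}: {count} packets from {src}: {verdict}\n  fix: {fix}")
    print("tun11 MASQUERADE packets:", masquerade_packets(SAMPLE_NAT_POSTROUTING, "tun11"))
```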
 
Hmmmm, there's definitely a firewall problem, but I'm not seeing what it is. To help track it down, you can run the following on the router:
Code:
service firewall restart
then try to telnet from the PC to the web server. Then run the following on the router:
Code:
iptables -t mangle -nvL; iptables -t nat -nvL; iptables -t filter -nvL

The counters should give us some idea of what rules are getting invoked.
 
Here is the result:

Code:
root@TeddyBear:/tmp/home/root# iptables -t mangle -nvL; iptables -t nat -nvL; iptables -t filter -nvL
Chain PREROUTING (policy ACCEPT 157 packets, 27459 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 160 packets, 23575 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 21 packets, 9399 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 122 packets, 15491 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 178 packets, 29269 bytes)
 pkts bytes target     prot opt in     out     source               destination         
Chain PREROUTING (policy ACCEPT 19 packets, 1702 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  vlan2  *       0.0.0.0/0            10.11.22.0/24       
    0     0 DNAT       icmp --  *      *       0.0.0.0/0            206.116.xxx.xxx     to:10.11.22.1 
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            206.116.xxx.xxx     tcp dpt:8080 to:10.11.22.1:80 
    2   160 DNAT       tcp  --  *      *       0.0.0.0/0            206.116.xxx.xxx     tcp dpt:2222 to:10.11.22.1:22 
    1    81 DNAT       udp  --  *      *       0.0.0.0/0            206.116.xxx.xxx     udp dpts:10000:20000 to:10.11.22.77 
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            206.116.xxx.xxx     udp dpt:5060 to:10.11.22.77 
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            206.116.xxx.xxx     tcp dpt:24700 to:10.11.22.77:22 
   11   462 upnp       all  --  *      *       0.0.0.0/0            206.116.xxx.xxx     

Chain POSTROUTING (policy ACCEPT 6 packets, 526 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MASQUERADE  all  --  *      tun11   10.11.22.0/24        0.0.0.0/0           
    0     0 SNAT       udp  --  *      *       10.11.22.0/24        10.11.22.77         udp dpts:10000:20000 to:206.116.xxx.xxx 
    0     0 SNAT       udp  --  *      *       10.11.22.0/24        10.11.22.77         udp dpt:5060 to:206.116.xxx.xxx 
    0     0 SNAT       tcp  --  *      *       10.11.22.0/24        10.11.22.77         tcp dpt:22 to:206.116.xxx.xxx 
    7  1318 MASQUERADE  all  --  *      vlan2   0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 10 packets, 744 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain upnp (1 references)
 pkts bytes target     prot opt in     out     source               destination         
Chain INPUT (policy DROP 20 packets, 5196 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  tun11  *       0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  br0    *       0.0.0.0/0            206.116.xxx.xxx     
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID 
  103 12791 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    7   253 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0           
    1    60 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:33434:33534 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.11.22.1          tcp dpt:80 
    2   160 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.11.22.1          tcp dpt:22 
    2    64 ACCEPT     2    --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  tun11  *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID 
    0     0 TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x02 TCPMSS clamp to PMTU 
   10  4955 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    1    81 wanin      all  --  vlan2  *       0.0.0.0/0            0.0.0.0/0           
    5  2399 wanout     all  --  *      vlan2   0.0.0.0/0            0.0.0.0/0           
    9  3855 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0           
    0     0 upnp       all  --  vlan2  *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 126 packets, 18819 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain upnp (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain wanin (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            224.0.0.0/4         udp 
    1    81 ACCEPT     udp  --  *      *       0.0.0.0/0            10.11.22.77         udp dpts:10000:20000 
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            10.11.22.77         udp dpt:5060 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.11.22.77         tcp dpt:22 

Chain wanout (1 references)
 pkts bytes target     prot opt in     out     source               destination         
root@TeddyBear:/tmp/home/root#
 
Your client is incorrectly using its LAN address instead of its VPN address as the source of the packets. The VPN server doesn't know anything about their LAN, so things fail.

I'm guessing it was a Windows client, as I've seen people report this bug before. If you know what the LAN looks like where this client connects from, you can fill out the client-specific options table for them. Otherwise, you'll need to find a solution to this Windows bug (not even a Windows OpenVPN bug, as far as I can tell), and I don't know what that is.

Well, that client you saw in the log file, IP 10.11.22.92, is a Linksys SPA941 VoIP phone. It keeps sending registration requests via the OpenVPN tunnel to our office (we have an Asterisk server in the office subnet). So it's not a Windows client.

Anyway, I see your point about that "client is incorrectly using its LAN address instead of its VPN address as the source of the packets". But I don't know what went wrong. All I did was put the same configuration on the RT-N16 router. Also, why does the ping work? -- ICMP packets seem to go through all the routes and come back correctly.
 
I just noticed something. In your logs, there is mention of dev type tun, but things appear as though the VPN subnet and the local subnet are the same.

Are you using TUN or TAP? If you're using TUN, are all segments (local, remote, and VPN) on unique subnets?
 

I am using TUN.
My home network is 10.11.22.0/24
Office Subnet: 192.168.123.0/24
VPN Subnet: 10.66.77.0/24

There is nothing changed. My WRT54GL running your OpenVPN GUI MOD works fine. We also have clients running on different OSes (WinXP, Vista, Win7, Ubuntu, Mac OS X, DD-WRT). If the TeddyBear MOD just includes your VPN part then it should work.
 
I had looked at the iptables output wrong earlier. I'm really not seeing what's wrong. However, if things were working, the following counter should have been incrementing
Code:
Chain INPUT (policy DROP 20 packets, 5196 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  tun11  *       0.0.0.0/0            0.0.0.0/0

The only other thing I can think to try is to place logging rules in the iptables tables to see where things go awry. You can do this by adding the following to the firewall script (replacing <dstaddr> with the IP address of the server you're trying to reach).
Code:
iptables -t mangle -I PREROUTING -d <dstaddr> -j LOG --prefix=MPI
iptables -t mangle -A PREROUTING -d <dstaddr> -j LOG --prefix=MPA
iptables -t nat -I PREROUTING -d <dstaddr> -j LOG --prefix=NPI
iptables -t nat -A PREROUTING -d <dstaddr> -j LOG --prefix=NPA
iptables -t filter -I FORWARD -d <dstaddr> -j LOG --prefix=FFI
iptables -t filter -I FORWARD -d <dstaddr> -j LOG --prefix=FFA
iptables -t nat -I POSTROUTING -d <dstaddr> -j LOG --prefix=NOI
iptables -t nat -A POSTROUTING -d <dstaddr> -j LOG --prefix=NOA
iptables -t mangle -I POSTROUTING -d <dstaddr> -j LOG --prefix=MOI
iptables -t mangle -A POSTROUTING -d <dstaddr> -j LOG --prefix=MOA

This will place messages in the router's log at the beginning and end of each of the tables that we'd expect the packets to traverse.
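Reading the counters SgtPepperKSU asks for above, and spotting the tun11 counter that stayed at zero, can be scripted. The following is an added example, not code from this thread or from Tomato: it parses a concatenated `iptables -t mangle -nvL; iptables -t nat -nvL; iptables -t filter -nvL` dump like the one posted (a trimmed, constructed copy is embedded), reconstructs the table boundaries, and lists rules that fired, rules naming tun11 that never matched, and DROP policies that discarded packets. It assumes the three tables were printed in that order and a 2.6-era nat table without an INPUT chain.

```python
import re
# Tables in the order the command on the page prints them; -nvL output carries
# no table names, so the split is reconstructed from the builtin chain names.
TABLE_ORDER = ["mangle", "nat", "filter"]
BUILTIN = {  # builtin chains per table on a 2.6-era router (no nat INPUT chain)
    "mangle": {"PREROUTING", "INPUT", "FORWARD", "OUTPUT", "POSTROUTING"},
    "nat": {"PREROUTING", "OUTPUT", "POSTROUTING"},
    "filter": {"INPUT", "FORWARD", "OUTPUT"},
}
CHAIN_RE = re.compile(r"^Chain (?P<chain>\S+) \((?:policy (?P<policy>\S+) (?P<ppkts>\d+) packets|\d+ references)")
RULE_RE = re.compile(
    r"^\s*(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+(?P<target>\S+)\s+(?P<prot>\S+)\s+(?P<opt>\S+)\s+"
    r"(?P<in>\S+)\s+(?P<out>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s*(?P<extra>.*?)\s*$")

# Constructed sample: a trimmed copy of the dump posted above (mangle, nat, filter).
SAMPLE_DUMP = """\
Chain PREROUTING (policy ACCEPT 157 packets, 27459 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain PREROUTING (policy ACCEPT 19 packets, 1702 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  vlan2  *       0.0.0.0/0            10.11.22.0/24
   11   462 upnp       all  --  *      *       0.0.0.0/0            206.116.xxx.xxx
Chain POSTROUTING (policy ACCEPT 6 packets, 526 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      tun11   10.11.22.0/24        0.0.0.0/0
    7  1318 MASQUERADE  all  --  *      vlan2   0.0.0.0/0            0.0.0.0/0
Chain INPUT (policy DROP 20 packets, 5196 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  tun11  *       0.0.0.0/0            0.0.0.0/0
  103 12791 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  tun11  *       0.0.0.0/0            0.0.0.0/0
   10  4955 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
"""

def parse_iptables_dump(text, table_order=TABLE_ORDER):
    """Split a concatenated -nvL dump into chains; a builtin chain that repeats or is foreign to the current table starts the next table."""
    chains, ti, cur = [], 0, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            name = m.group("chain")
            seen = {c["chain"] for c in chains if c["table"] == table_order[ti]}
            if any(name in b for b in BUILTIN.values()) and (
                    name in seen or name not in BUILTIN[table_order[ti]]):
                ti += 1
            cur = {"table": table_order[ti], "chain": name, "policy": m.group("policy"),
                   "policy_pkts": int(m.group("ppkts") or 0), "rules": []}
            chains.append(cur)
        elif cur is not None and (r := RULE_RE.match(line)):
            cur["rules"].append({k: int(v) if k in ("pkts", "bytes") else v
                                 for k, v in r.groupdict().items()})
    return chains

def rules_with_hits(chains):
    """Every rule whose packet counter moved during the test."""
    return [(c["table"], c["chain"], r["target"], r["in"], r["out"], r["pkts"])
            for c in chains for r in c["rules"] if r["pkts"] > 0]

def idle_interface_rules(chains, iface):
    """Rules naming iface that never matched; with VPN traffic flowing, the tun11 rules should not all read zero."""
    return [(c["table"], c["chain"], r["target"]) for c in chains
            for r in c["rules"] if iface in (r["in"], r["out"]) and r["pkts"] == 0]

def policy_drops(chains):
    """Chains whose DROP policy actually discarded packets."""
    return [(c["table"], c["chain"], c["policy_pkts"])
            for c in chains if c["policy"] == "DROP" and c["policy_pkts"] > 0]
```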
 
Just reporting back that I tried to log the iptables with the above instructions, replaced <dstaddr> with 192.168.123.39 -- a web server in our office subnet, then after the VPN connected, I started a browser to access http://192.168.123.39. The router rebooted instantly!

I repeated the above test with a fresh installation of the new firmware and openvpn. Same result.
 
Terribly sorry. I mistyped. They should be
--log-prefix label
not
--prefix=label
 
I took my RT-N16 with me to the office and tested it again. Something must be wrong!

Here is the setup:
Code:
notebook (WinXP) <--->RT-N16(TeddyBearVPN)<--->SonicWall Router<--->INTERNET<--->WRT54GL(TomatoVPN GUI, VPN Server)<--->SPA941 Phone (IP 10.11.22.92, web server on port 80)

IP address:
notebook: 192.168.1.138
RT-N16 LAN: 192.168.1.1
RT-N16 WAN: 192.168.123.186
SonicWall LAN:192.168.123.254
SonicWall WAN:24.207.xxx.xxx
WRT54GL WAN: 206.116.xxx.xxx
WRT54GL LAN: 10.11.22.1
SPA941: 10.11.22.92

Some observations:
1. OpenVPN connected. I can see that from RT-N16 tomato log.

2. From my notebook (XP), ping 10.11.22.92 works.

3. From my notebook (XP), tracert 10.11.22.92 shows:
Code:
Tracing route to 10.11.22.92 over a maximum of 30 hops
  1    <1 ms    <1 ms    <1 ms  unknown [192.168.1.1]
  2    39 ms    38 ms    38 ms  10.88.0.1
  3    42 ms    43 ms    42 ms  10.11.22.92
Trace complete.

4. From my notebook (XP), use IE/Firefox to access http://10.11.22.92; in about 10 seconds, router RT-N16 rebooted! The PWR LED went off for about 1 sec and turned on again. The tomato log shows it just restarted.

5. I put the following in the firewall script:
Code:
iptables -t mangle -I PREROUTING -d 10.11.22.92 -j LOG --log-prefix MPI
iptables -t mangle -A PREROUTING -d 10.11.22.92 -j LOG --log-prefix MPA
iptables -t nat -I PREROUTING -d 10.11.22.92 -j LOG --log-prefix NPI
iptables -t nat -A PREROUTING -d 10.11.22.92 -j LOG --log-prefix NPA
iptables -t filter -I FORWARD -d 10.11.22.92 -j LOG --log-prefix FFI
iptables -t filter -I FORWARD -d 10.11.22.92 -j LOG --log-prefix FFA
iptables -t nat -I POSTROUTING -d 10.11.22.92 -j LOG --log-prefix NOI
iptables -t nat -A POSTROUTING -d 10.11.22.92 -j LOG --log-prefix NOA
iptables -t mangle -I POSTROUTING -d 10.11.22.92 -j LOG --log-prefix MOI
iptables -t mangle -A POSTROUTING -d 10.11.22.92 -j LOG --log-prefix MOA

When I ping 10.11.22.92, the log shows:
Code:
Jul 13 14:00:23 unknown user.warn kernel: MPIIN=br0 OUT= MAC=48:5b:39:39:cd:b9:e0:cb:4e:87:10:cc:08:00 SRC=192.168.1.138 DST=10.11.22.92 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=4602 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=28416 
Jul 13 14:00:23 unknown user.warn kernel: MPAIN=br0 OUT= MAC=48:5b:39:39:cd:b9:e0:cb:4e:87:10:cc:08:00 SRC=192.168.1.138 DST=10.11.22.92 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=4602 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=28416 
Jul 13 14:00:23 unknown user.warn kernel: NPIIN=br0 OUT= MAC=48:5b:39:39:cd:b9:e0:cb:4e:87:10:cc:08:00 SRC=192.168.1.138 DST=10.11.22.92 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=4602 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=28416 
Jul 13 14:00:23 unknown user.warn kernel: NPAIN=br0 OUT= MAC=48:5b:39:39:cd:b9:e0:cb:4e:87:10:cc:08:00 SRC=192.168.1.138 DST=10.11.22.92 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=4602 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=28416 
Jul 13 14:00:23 unknown user.warn kernel: FFAIN=br0 OUT=tun11 SRC=192.168.1.138 DST=10.11.22.92 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=4602 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=28416 
Jul 13 14:00:23 unknown user.warn kernel: FFIIN=br0 OUT=tun11 SRC=192.168.1.138 DST=10.11.22.92 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=4602 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=28416 
Jul 13 14:00:23 unknown user.warn kernel: MOIIN= OUT=tun11 SRC=192.168.1.138 DST=10.11.22.92 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=4602 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=28416 
Jul 13 14:00:23 unknown user.warn kernel: MOAIN= OUT=tun11 SRC=192.168.1.138 DST=10.11.22.92 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=4602 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=28416 
Jul 13 14:00:24 unknown user.warn kernel: MPIIN=br0 OUT= MAC=48:5b:39:39:cd:b9:e0:cb:4e:87:10:cc:08:00 SRC=192.168.1.138 DST=10.11.22.92 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=4603 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=28672 
Jul 13 14:00:24 unknown user.warn kernel: MPAIN=br0 OUT= MAC=48:5b:39:39:cd:b9:e0:cb:4e:87:10:cc:08:00 SRC=192.168.1.138 DST=10.11.22.92 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=4603 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=28672 
Jul 13 14:00:24 unknown user.warn kernel: NPIIN=br0 OUT= MAC=48:5b:39:39:cd:b9:e0:cb:4e:87:10:cc:08:00 SRC=192.168.1.138 DST=10.11.22.92 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=4603 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=28672 
Jul 13 14:00:24 unknown user.warn kernel: NPAIN=br0 OUT= MAC=48:5b:39:39:cd:b9:e0:cb:4e:87:10:cc:08:00 SRC=192.168.1.138 DST=10.11.22.92 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=4603 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=28672 
Jul 13 14:00:24 unknown user.warn kernel: FFAIN=br0 OUT=tun11 SRC=192.168.1.138 DST=10.11.22.92 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=4603 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=28672 
Jul 13 14:00:24 unknown user.warn kernel: FFIIN=br0 OUT=tun11 SRC=192.168.1.138 DST=10.11.22.92 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=4603 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=28672 
Jul 13 14:00:24 unknown user.warn kernel: MOIIN= OUT=tun11 SRC=192.168.1.138 DST=10.11.22.92 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=4603 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=28672 
Jul 13 14:00:24 unknown user.warn kernel: MOAIN= OUT=tun11 SRC=192.168.1.138 DST=10.11.22.92 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=4603 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=28672 
Jul 13 14:00:25 unknown user.warn kernel: MPIIN=br0 OUT= MAC=48:5b:39:39:cd:b9:e0:cb:4e:87:10:cc:08:00 SRC=192.168.1.138 DST=10.11.22.92 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=4604 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=28928 
Jul 13 14:00:25 unknown user.warn kernel: MPAIN=br0 OUT= MAC=48:5b:39:39:cd:b9:e0:cb:4e:87:10:cc:08:00 SRC=192.168.1.138 DST=10.11.22.92 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=4604 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=28928 
Jul 13 14:00:25 unknown user.warn kernel: NPIIN=br0 OUT= MAC=48:5b:39:39:cd:b9:e0:cb:4e:87:10:cc:08:00 SRC=192.168.1.138 DST=10.11.22.92 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=4604 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=28928 
Jul 13 14:00:25 unknown user.warn kernel: NPAIN=br0 OUT= MAC=48:5b:39:39:cd:b9:e0:cb:4e:87:10:cc:08:00 SRC=192.168.1.138 DST=10.11.22.92 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=4604 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=28928 
Jul 13 14:00:25 unknown user.warn kernel: FFAIN=br0 OUT=tun11 SRC=192.168.1.138 DST=10.11.22.92 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=4604 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=28928 
Jul 13 14:00:25 unknown user.warn kernel: FFIIN=br0 OUT=tun11 SRC=192.168.1.138 DST=10.11.22.92 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=4604 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=28928 
Jul 13 14:00:25 unknown user.warn kernel: MOIIN= OUT=tun11 SRC=192.168.1.138 DST=10.11.22.92 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=4604 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=28928 
Jul 13 14:00:25 unknown user.warn kernel: MOAIN= OUT=tun11 SRC=192.168.1.138 DST=10.11.22.92 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=4604 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=28928 
Jul 13 14:00:26 unknown user.warn kernel: MPIIN=br0 OUT= MAC=48:5b:39:39:cd:b9:e0:cb:4e:87:10:cc:08:00 SRC=192.168.1.138 DST=10.11.22.92 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=4605 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=29184 
Jul 13 14:00:26 unknown user.warn kernel: MPAIN=br0 OUT= MAC=48:5b:39:39:cd:b9:e0:cb:4e:87:10:cc:08:00 SRC=192.168.1.138 DST=10.11.22.92 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=4605 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=29184 
Jul 13 14:00:26 unknown user.warn kernel: NPIIN=br0 OUT= MAC=48:5b:39:39:cd:b9:e0:cb:4e:87:10:cc:08:00 SRC=192.168.1.138 DST=10.11.22.92 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=4605 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=29184 
Jul 13 14:00:26 unknown user.warn kernel: NPAIN=br0 OUT= MAC=48:5b:39:39:cd:b9:e0:cb:4e:87:10:cc:08:00 SRC=192.168.1.138 DST=10.11.22.92 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=4605 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=29184 
Jul 13 14:00:26 unknown user.warn kernel: FFAIN=br0 OUT=tun11 SRC=192.168.1.138 DST=10.11.22.92 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=4605 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=29184 
Jul 13 14:00:26 unknown user.warn kernel: FFIIN=br0 OUT=tun11 SRC=192.168.1.138 DST=10.11.22.92 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=4605 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=29184 
Jul 13 14:00:26 unknown user.warn kernel: MOIIN= OUT=tun11 SRC=192.168.1.138 DST=10.11.22.92 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=4605 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=29184 
Jul 13 14:00:26 unknown user.warn kernel: MOAIN= OUT=tun11 SRC=192.168.1.138 DST=10.11.22.92 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=4605 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=29184

I cannot get the log for the http request since the router keeps rebooting.

With the same setup, using my desktop PC (Ubuntu) connected to our office LAN directly (no RT-N16) and firing up the OpenVPN client to connect back to my home, everything works.

I am not sure whether this is an OpenVPN/firewall problem or a firmware problem. I didn't notice the automatic reboot until last night. In my previous post I reported it as "timed out" but actually it was the router rebooting.

SgtPepperKSU, thanks for all the help. If you need me to test further, I'll do it and report back. (BTW, am I the only one reporting this kind of problem?)

I may try to set up DD-WRT VPN on this to see how it works. But I really LIKED tomato!
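The kernel LOG lines the rules above produce can be reassembled into a per-packet trace. The following is an added example, not code from the thread: a parser for those lines, fed with a constructed sample made of the eight hits for one echo request copied from the log above plus two trimmed lines for a second packet. It reconstructs each packet's path through the tables, reports which expected labels are missing, and catches the FFA rule having been inserted above FFI (both FORWARD rules in the post use -I).

```python
import re
from collections import defaultdict

# Labels the posted LOG rules use: ...I inserted at the top of a chain, ...A appended at the bottom.
STAGES = ["MPI", "MPA", "NPI", "NPA", "FFI", "FFA", "NOI", "NOA", "MOI", "MOA"]
# nat chains are consulted only for the first packet of a conntrack flow, so their
# labels are legitimately absent from later packets of a ping.
NAT_STAGES = {"NPI", "NPA", "NOI", "NOA"}
# --log-prefix was given without a trailing space, so the label runs straight into "IN=".
LOG_RE = re.compile(
    r"kernel: (?P<label>[A-Z]{3})IN=(?P<in>\S*) OUT=(?P<out>\S*) .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?\bID=(?P<ipid>\d+) PROTO=(?P<proto>\S+)")

# Constructed sample: the eight hits of one echo request (IP ID 4602) copied from the
# log posted above, plus two trimmed lines for a second packet (IP ID 4603).
SAMPLE_LOG = """\
Jul 13 14:00:23 unknown user.warn kernel: MPIIN=br0 OUT= MAC=48:5b:39:39:cd:b9:e0:cb:4e:87:10:cc:08:00 SRC=192.168.1.138 DST=10.11.22.92 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=4602 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=28416
Jul 13 14:00:23 unknown user.warn kernel: MPAIN=br0 OUT= MAC=48:5b:39:39:cd:b9:e0:cb:4e:87:10:cc:08:00 SRC=192.168.1.138 DST=10.11.22.92 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=4602 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=28416
Jul 13 14:00:23 unknown user.warn kernel: NPIIN=br0 OUT= MAC=48:5b:39:39:cd:b9:e0:cb:4e:87:10:cc:08:00 SRC=192.168.1.138 DST=10.11.22.92 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=4602 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=28416
Jul 13 14:00:23 unknown user.warn kernel: NPAIN=br0 OUT= MAC=48:5b:39:39:cd:b9:e0:cb:4e:87:10:cc:08:00 SRC=192.168.1.138 DST=10.11.22.92 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=4602 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=28416
Jul 13 14:00:23 unknown user.warn kernel: FFAIN=br0 OUT=tun11 SRC=192.168.1.138 DST=10.11.22.92 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=4602 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=28416
Jul 13 14:00:23 unknown user.warn kernel: FFIIN=br0 OUT=tun11 SRC=192.168.1.138 DST=10.11.22.92 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=4602 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=28416
Jul 13 14:00:23 unknown user.warn kernel: MOIIN= OUT=tun11 SRC=192.168.1.138 DST=10.11.22.92 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=4602 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=28416
Jul 13 14:00:23 unknown user.warn kernel: MOAIN= OUT=tun11 SRC=192.168.1.138 DST=10.11.22.92 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=4602 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=28416
Jul 13 14:00:24 unknown user.warn kernel: MPIIN=br0 OUT= SRC=192.168.1.138 DST=10.11.22.92 LEN=60 TTL=128 ID=4603 PROTO=ICMP
Jul 13 14:00:24 unknown user.warn kernel: MOAIN= OUT=tun11 SRC=192.168.1.138 DST=10.11.22.92 LEN=60 TTL=127 ID=4603 PROTO=ICMP
"""

def parse_log_line(line):
    """Fields of one kernel LOG line, or None for any other log line."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None

def trace_packets(log_text):
    """Group hits by (IP ID, proto, dst): one packet's path through the tables, in log order."""
    traces = defaultdict(list)
    for line in log_text.splitlines():
        hit = parse_log_line(line)
        if hit:
            traces[(hit["ipid"], hit["proto"], hit["dst"])].append(hit)
    return dict(traces)

def stage_path(trace):
    """[(label, in, out, src), ...]. Note the mangle POSTROUTING hits (MOI/MOA) fire
    before nat SNAT/MASQUERADE runs, so the SRC they show is the pre-NAT address."""
    return [(h["label"], h["in"], h["out"], h["src"]) for h in trace]

def missing_stages(trace, ignore_nat=True):
    """Expected labels the packet never produced."""
    seen = {h["label"] for h in trace}
    return [s for s in STAGES if s not in seen and not (ignore_nat and s in NAT_STAGES)]

def misordered_pairs(trace):
    """(I, A) label pairs where the appended rule logged before the inserted one.
    Used as intended, -I puts the I rule above the A rule; the reverse order means
    both were inserted, which is what the FFI/FFA rules posted above do."""
    order = [h["label"] for h in trace]
    bad = []
    for i_label in (s for s in STAGES if s.endswith("I")):
        a_label = i_label[:-1] + "A"
        if i_label in order and a_label in order and order.index(a_label) < order.index(i_label):
            bad.append((i_label, a_label))
    return bad
```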
 
Quick update:

Don't get me wrong, I like Tomato. But this time I flashed DD-WRT (DD-WRT v24-sp2 (04/23/10) mega - build 14311) and it seems to be working fine, including VPN.

I'll test it further when I get home to see if my router can connect back to my office.

So I'll watch closely and wait for TeddyBear to release the next version.
 
Very strange! The reboots definitely put a different spin on it. I really have no idea what would be causing that. No wonder I couldn't see anything wrong with the firewall rules. I haven't heard of any other reports of such a thing. You might mention it in one of the teddy_bear threads, though, to see if anyone else has heard of it. It's likely specific to the K26 builds.
 
I am using DD-WRT for now. Hope we can see a new release of TB soon.

And I just found someone already reported the bug:
http://tomatousb.org/forum/t-249586/openvpn-chrashes-router

Thank you SgtPepperKSU for all your great work and help. Cheers!
 
I've recently set up a VPN with 2 ASUS RT-N16 routers that connects 2 offices together from city to city. The goal was simply to get them all on the same workgroup for easy file sharing and such between both offices as if they were local. The VPN is set up as TAP over UDP, nothing too special for configuration - basically followed a simple guide on a blog (http://blog.johnso.org/2009/08/how-to-setup-openvpn-in-tomato.html)

There's a configuration problem somewhere though; ever since I've put in the 2 routers with the VPN setup, both offices' internet connections bog down to a snail's pace intermittently. Judging by speed tests on the remote VPN client out of town, it seems that sometimes (but not always?) the VPN client might actually be using the VPN server as an internet gateway - sometimes the upload and download bandwidth speed test results for the client router are almost identical to the VPN server's upload bandwidth. It doesn't seem to ALWAYS happen though, as in I can sometimes get full speed on the VPN client side without any performance issues.

It's my second time setting up a VPN with Tomato, the first site-to-site with 2 routers, so I've probably missed a crucial setting somewhere that's utterly facepalm-worthy.

Any tips?
 