Open VPN Client headache.

Discussion in 'Tomato Firmware' started by Denarius, Dec 24, 2017.

  1. Denarius

    Denarius New Member Member

    Hi there,

    Really sorry as I'm sure this is completely obvious to somebody more knowledgeable on the subject than I, but I'm having trouble setting up a connection with my VPN provider MyExpatNetwork.

    They provided an automated .ovpn file that I seem to have got working, as when I click Start the tunnel starts up successfully. My problem from there is that nothing actually seems to go through the tunnel from any of the client machines.

    [screenshots]

    Finally, I tried ping and traceroute both from the router itself via SSH and from my client computer.

    Code:
    Tomato v1.28.0000 MIPSR2-132 K26 USB VPN
     ========================================================
     Welcome to the Netgear WNR3500L v2 [TomatoUSB]
     Uptime:  12:27:07 up 2 days,  9:25
     Load average: 0.08, 0.03, 0.00
     Mem usage: 9.1% (used 11.27 of 123.93 MB)
     WAN : 192.168.1.20/24 @ 9C:3D:CF:7E:E0:77
     LAN : 192.168.2.1/24 @ DHCP: 192.168.2.10 - 192.168.2.51
     WL0 : Payten-VPN @ channel: FR10 @ 9C:3D:CF:7E:E0:78
     ========================================================
    
    root@unknown:/tmp/home/root# ping -c 1 8.8.8.8
    PING 8.8.8.8 (8.8.8.8): 56 data bytes
    
    --- 8.8.8.8 ping statistics ---
    1 packets transmitted, 0 packets received, 100% packet loss
    
    root@unknown:/tmp/home/root# traceroute 8.8.8.8
    traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 38 byte packets
     1  10.9.0.1 (10.9.0.1)  30.858 ms  29.703 ms  29.688 ms
     2  *  *  *
     3
    root@unknown:/tmp/home/root# quit
    -sh: quit: not found
    root@unknown:/tmp/home/root# exit
    Connection to 192.168.2.1 closed.
    adams-macbook-pro-3:~ adam$ ping -c 1 www.google.co.uk
    PING www.google.co.uk (216.58.204.227): 56 data bytes
    ^C
    --- www.google.co.uk ping statistics ---
    1 packets transmitted, 0 packets received, 100.0% packet loss
    adams-macbook-pro-3:~ adam$ traceroute www.google.co.uk
    traceroute to www.google.co.uk (216.58.204.227), 64 hops max, 52 byte packets
     1  unknown (192.168.2.1)  15.202 ms  1.077 ms  0.961 ms
     2  * * *
     3  *^C
    adams-macbook-pro-3:~ adam$
    
    I also have the log from the router which will be following shortly.

    The IP address of the router is 192.168.2.1, and it's connected to another router; I've added the Tomato router to the DMZ of the main router.

    Thanks in advance for your thoughts on this.
     
  2. Denarius

    Denarius New Member Member

    Also a chunk of the log from the router as the VPN was being started.

    Code:
    Dec 24 12:18:31 unknown daemon.notice openvpn[6285]:   config = 'config.ovpn'
    
    Dec 24 12:18:31 unknown daemon.notice openvpn[6285]:   tls_auth_file = '[UNDEF]'
    Dec 24 12:18:31 unknown daemon.notice openvpn[6285]:   server_network = 0.0.0.0
    Dec 24 12:18:31 unknown daemon.notice openvpn[6285]:   server_netmask = 0.0.0.0
    Dec 24 12:18:31 unknown daemon.notice openvpn[6285]:   server_network_ipv6 = ::
    Dec 24 12:18:31 unknown daemon.notice openvpn[6285]:   server_netbits_ipv6 = 0
    Dec 24 12:18:31 unknown daemon.notice openvpn[6285]:   server_bridge_ip = 0.0.0.0
    Dec 24 12:18:31 unknown daemon.notice openvpn[6285]:   server_bridge_netmask = 0.0.0.0
    Dec 24 12:18:31 unknown daemon.notice openvpn[6285]:   server_bridge_pool_start = 0.0.0.0
    Dec 24 12:18:31 unknown daemon.notice openvpn[6285]:   server_bridge_pool_end = 0.0.0.0
    Dec 24 12:18:31 unknown daemon.notice openvpn[6285]:   ifconfig_pool_defined = DISABLED
    Dec 24 12:18:31 unknown daemon.notice openvpn[6285]:   ifconfig_pool_start = 0.0.0.0
    Dec 24 12:18:31 unknown daemon.notice openvpn[6285]:   ifconfig_pool_end = 0.0.0.0
    Dec 24 12:18:31 unknown daemon.notice openvpn[6285]:   ifconfig_pool_netmask = 0.0.0.0
    Dec 24 12:18:31 unknown daemon.notice openvpn[6285]:   ifconfig_pool_persist_filename = '[UNDEF]'
    Dec 24 12:18:31 unknown daemon.notice openvpn[6285]:   ifconfig_pool_persist_refresh_freq = 600
    Dec 24 12:18:31 unknown daemon.notice openvpn[6285]:   ifconfig_ipv6_pool_defined = DISABLED
    Dec 24 12:18:31 unknown daemon.notice openvpn[6285]:   ifconfig_ipv6_pool_base = ::
    Dec 24 12:18:31 unknown daemon.notice openvpn[6285]:   ifconfig_ipv6_pool_netbits = 0
    Dec 24 12:18:31 unknown daemon.notice openvpn[6285]:   n_bcast_buf = 256
    Dec 24 12:18:31 unknown daemon.notice openvpn[6285]:   tcp_queue_limit = 64
    Dec 24 12:18:31 unknown daemon.notice openvpn[6285]:   real_hash_size = 256
    Dec 24 12:18:31 unknown daemon.notice openvpn[6285]:   virtual_hash_size = 256
    Dec 24 12:18:31 unknown daemon.notice openvpn[6285]:   client_connect_script = '[UNDEF]'
    Dec 24 12:18:31 unknown daemon.notice openvpn[6285]:   learn_address_script = '[UNDEF]'
    Dec 24 12:18:31 unknown daemon.notice openvpn[6285]:   client_disconnect_script = '[UNDEF]'
    Dec 24 12:18:31 unknown daemon.notice openvpn[6285]:   client_config_dir = '[UNDEF]'
    Dec 24 12:18:31 unknown daemon.notice openvpn[6285]:   ccd_exclusive = DISABLED
    Dec 24 12:18:31 unknown daemon.notice openvpn[6285]:   tmp_dir = '/tmp'
    Dec 24 12:18:31 unknown daemon.notice openvpn[6285]:   push_ifconfig_defined = DISABLED
    Dec 24 12:18:31 unknown daemon.notice openvpn[6285]:   push_ifconfig_local = 0.0.0.0
    Dec 24 12:18:31 unknown daemon.notice openvpn[6285]:   push_ifconfig_remote_netmask = 0.0.0.0
    Dec 24 12:18:31 unknown daemon.notice openvpn[6285]:   push_ifconfig_ipv6_defined = DISABLED
    Dec 24 12:18:31 unknown daemon.notice openvpn[6285]:   push_ifconfig_ipv6_local = ::/0
    Dec 24 12:18:31 unknown daemon.notice openvpn[6285]:   push_ifconfig_ipv6_remote = ::
    Dec 24 12:18:31 unknown daemon.notice openvpn[6285]:   enable_c2c = DISABLED
    Dec 24 12:18:31 unknown daemon.notice openvpn[6285]:   duplicate_cn = DISABLED
    Dec 24 12:18:31 unknown daemon.notice openvpn[6285]:   cf_max = 0
    Dec 24 12:18:31 unknown daemon.notice openvpn[6285]:   cf_per = 0
    Dec 24 12:18:31 unknown daemon.notice openvpn[6285]:   max_clients = 1024
    Dec 24 12:18:31 unknown daemon.notice openvpn[6285]:   max_routes_per_client = 256
    Dec 24 12:18:31 unknown daemon.notice openvpn[6285]:   auth_user_pass_verify_script = '[UNDEF]'
    Dec 24 12:18:31 unknown daemon.notice openvpn[6285]:   auth_user_pass_verify_script_via_file = DISABLED
    Dec 24 12:18:31 unknown daemon.notice openvpn[6285]:   port_share_host = '[UNDEF]'
    Dec 24 12:18:31 unknown daemon.notice openvpn[6285]:   port_share_port = 0
    Dec 24 12:18:31 unknown daemon.notice openvpn[6285]:   client = ENABLED
    Dec 24 12:18:31 unknown daemon.notice openvpn[6285]:   pull = ENABLED
    Dec 24 12:18:31 unknown daemon.notice openvpn[6285]:   auth_user_pass_file = 'up'
    Dec 24 12:18:31 unknown daemon.notice openvpn[6285]: OpenVPN 2.3.7 mipsel-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Oct  9 2015
    Dec 24 12:18:31 unknown daemon.notice openvpn[6285]: library versions: OpenSSL 1.0.2d 9 Jul 2015, LZO 2.09
    Dec 24 12:18:31 unknown daemon.warn openvpn[6294]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Dec 24 12:18:31 unknown daemon.notice openvpn[6294]: LZO compression initialized
    Dec 24 12:18:31 unknown daemon.notice openvpn[6294]: Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:3 ]
    Dec 24 12:18:31 unknown daemon.notice openvpn[6294]: Socket Buffers: R=[112640->131072] S=[112640->131072]
    Dec 24 12:18:31 unknown daemon.notice openvpn[6294]: Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:143 ET:0 EL:3 AF:3/1 ]
    Dec 24 12:18:31 unknown daemon.notice openvpn[6294]: Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 56,key-method 2,tls-client'
    Dec 24 12:18:31 unknown daemon.notice openvpn[6294]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 56,key-method 2,tls-server'
    Dec 24 12:18:31 unknown daemon.notice openvpn[6294]: Local Options hash (VER=V4): '60fb92ce'
    Dec 24 12:18:31 unknown daemon.notice openvpn[6294]: Expected Remote Options hash (VER=V4): '4d2ea920'
    Dec 24 12:18:31 unknown daemon.notice openvpn[6294]: UDPv4 link local: [undef]
    Dec 24 12:18:31 unknown daemon.notice openvpn[6294]: UDPv4 link remote: [AF_INET]88.150.177.24:1194
    Dec 24 12:18:31 unknown daemon.notice openvpn[6294]: TLS: Initial packet from [AF_INET]88.150.177.24:1194, sid=acefcd2c 2eed9362
    Dec 24 12:18:31 unknown daemon.warn openvpn[6294]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Dec 24 12:18:31 unknown daemon.notice openvpn[6294]: VERIFY OK: depth=1, C=GB, ST=LN, L=LONDON, O=m7VPN, CN=m7VPN-CA, emailAddress=info@m7sys.com
    Dec 24 12:18:31 unknown daemon.notice openvpn[6294]: VERIFY OK: nsCertType=SERVER
    Dec 24 12:18:31 unknown daemon.notice openvpn[6294]: VERIFY OK: depth=0, C=GB, ST=LN, O=m7VPN, CN=server, emailAddress=info@m7sys.com
    Dec 24 12:18:32 unknown daemon.notice openvpn[6294]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 56 bit key
    Dec 24 12:18:32 unknown daemon.notice openvpn[6294]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Dec 24 12:18:32 unknown daemon.notice openvpn[6294]: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 56 bit key
    Dec 24 12:18:32 unknown daemon.notice openvpn[6294]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Dec 24 12:18:32 unknown daemon.notice openvpn[6294]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 1024 bit RSA
    Dec 24 12:18:32 unknown daemon.notice openvpn[6294]: [server] Peer Connection Initiated with [AF_INET]88.150.177.24:1194
    Dec 24 12:18:32 unknown user.notice root: vpnrouting: clean-up
    Dec 24 12:18:34 unknown daemon.notice openvpn[6294]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
    Dec 24 12:18:34 unknown daemon.notice openvpn[6294]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway,dhcp-option DNS 109.74.196.47,dhcp-option DNS 109.74.193.49,block-outside-dns,route 10.9.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.9.0.22 10.9.0.21'
    Dec 24 12:18:34 unknown daemon.err openvpn[6294]: Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:4: block-outside-dns (2.3.7)
    Dec 24 12:18:34 unknown daemon.notice openvpn[6294]: OPTIONS IMPORT: timers and/or timeouts modified
    Dec 24 12:18:34 unknown daemon.notice openvpn[6294]: OPTIONS IMPORT: --ifconfig/up options modified
    Dec 24 12:18:34 unknown daemon.notice openvpn[6294]: OPTIONS IMPORT: route options modified
    Dec 24 12:18:34 unknown daemon.notice openvpn[6294]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
    Dec 24 12:18:34 unknown daemon.notice openvpn[6294]: TUN/TAP device tun0 opened
    Dec 24 12:18:34 unknown daemon.notice openvpn[6294]: TUN/TAP TX queue length set to 100
    Dec 24 12:18:34 unknown daemon.notice openvpn[6294]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    Dec 24 12:18:34 unknown daemon.notice openvpn[6294]: /sbin/ifconfig tun0 10.9.0.22 pointopoint 10.9.0.21 mtu 1500
    Dec 24 12:18:34 unknown daemon.notice openvpn[6294]: updown.sh tun0 1500 1542 10.9.0.22 10.9.0.21 init
    Dec 24 12:18:34 unknown daemon.info dnsmasq[5864]: exiting on receipt of SIGTERM
    Dec 24 12:18:34 unknown user.debug init[1]: 182: pptp peerdns disabled
    Dec 24 12:18:34 unknown daemon.info dnsmasq[6411]: started, version 2.73 cachesize 1500
    Dec 24 12:18:34 unknown daemon.info dnsmasq[6411]: compile time options: IPv6 GNU-getopt no-RTC no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset Tomato-helper auth no-DNSSEC loop-detect no-inotify
    Dec 24 12:18:34 unknown daemon.info dnsmasq[6411]: asynchronous logging enabled, queue limit is 5 messages
    Dec 24 12:18:34 unknown daemon.info dnsmasq-dhcp[6411]: DHCP, IP range 192.168.2.10 -- 192.168.2.51, lease time 1d
    Dec 24 12:18:34 unknown daemon.info dnsmasq[6411]: reading /etc/resolv.dnsmasq
    Dec 24 12:18:34 unknown daemon.info dnsmasq[6411]: using nameserver 192.168.1.1#53
    Dec 24 12:18:34 unknown daemon.info dnsmasq[6411]: read /etc/hosts - 2 addresses
    Dec 24 12:18:34 unknown daemon.info dnsmasq[6411]: read /etc/dnsmasq/hosts/hosts - 3 addresses
    Dec 24 12:18:34 unknown daemon.info dnsmasq-dhcp[6411]: read /etc/dnsmasq/dhcp/dhcp-hosts
    Dec 24 12:18:34 unknown daemon.notice openvpn[6294]: /sbin/route add -net 88.150.177.24 netmask 255.255.255.255 gw 192.168.1.1
    Dec 24 12:18:34 unknown daemon.notice openvpn[6294]: /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.9.0.21
    Dec 24 12:18:34 unknown daemon.notice openvpn[6294]: /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.9.0.21
    Dec 24 12:18:34 unknown daemon.notice openvpn[6294]: /sbin/route add -net 10.9.0.1 netmask 255.255.255.255 gw 10.9.0.21
    Dec 24 12:18:34 unknown daemon.notice openvpn[6294]: Initialization Sequence Completed
    Dec 24 12:18:35 unknown daemon.err openvpn[6294]: event_wait : Interrupted system call (code=4)
    Dec 24 12:18:35 unknown daemon.notice openvpn[6294]: OpenVPN STATISTICS
    Dec 24 12:18:35 unknown daemon.notice openvpn[6294]: Updated,Sun Dec 24 12:18:35 2017
    Dec 24 12:18:35 unknown daemon.notice openvpn[6294]: TUN/TAP read bytes,0
    Dec 24 12:18:35 unknown daemon.notice openvpn[6294]: TUN/TAP write bytes,0
    Dec 24 12:18:35 unknown daemon.notice openvpn[6294]: TCP/UDP read bytes,3458
    Dec 24 12:18:35 unknown daemon.notice openvpn[6294]: TCP/UDP write bytes,2922
    Dec 24 12:18:35 unknown daemon.notice openvpn[6294]: Auth read bytes,0
    Dec 24 12:18:35 unknown daemon.notice openvpn[6294]: pre-compress bytes,0
    Dec 24 12:18:35 unknown daemon.notice openvpn[6294]: post-compress bytes,0
    Dec 24 12:18:35 unknown daemon.notice openvpn[6294]: pre-decompress bytes,0
    Dec 24 12:18:35 unknown daemon.notice openvpn[6294]: post-decompress bytes,0
    Dec 24 12:18:35 unknown daemon.notice openvpn[6294]: END
    Dec 24 12:19:44 unknown daemon.err openvpn[6294]: event_wait : Interrupted system call (code=4)
    Dec 24 12:19:44 unknown daemon.notice openvpn[6294]: OpenVPN STATISTICS
    Dec 24 12:19:44 unknown daemon.notice openvpn[6294]: Updated,Sun Dec 24 12:19:44 2017
    Dec 24 12:19:44 unknown daemon.notice openvpn[6294]: TUN/TAP read bytes,7648
    Dec 24 12:19:44 unknown daemon.notice openvpn[6294]: TUN/TAP write bytes,0
    Dec 24 12:19:44 unknown daemon.notice openvpn[6294]: TCP/UDP read bytes,3776
    Dec 24 12:19:44 unknown daemon.notice openvpn[6294]: TCP/UDP write bytes,11419
    Dec 24 12:19:44 unknown daemon.notice openvpn[6294]: Auth read bytes,96
    Dec 24 12:19:44 unknown daemon.notice openvpn[6294]: pre-compress bytes,5481
    Dec 24 12:19:44 unknown daemon.notice openvpn[6294]: post-compress bytes,5541
    
     
  3. Sean B.

    Sean B. LI Guru Member

    That part is asking for issues. Describe your situation for using this configuration? If we label the router you're using the OpenVPN client on, which has IP 192.168.2.1, as Router#2, and label the router it's connected to, which has IP 192.168.1.1, as Router#1, how are they connected? I.e. LAN port of Router#1 to WAN port of Router#2? Or Router#1 LAN to Router#2 LAN, etc.?
     
  4. Denarius

    Denarius New Member Member

    Hi there,

    Thank you for replying! The ADSL modem that this router is connected to has IP address 192.168.1.1.

    The Tomato router that I've connected behind it has WAN IP 192.168.1.20 and LAN IP 192.168.1.1 (connected to the modem via the WAN port, not the LAN ports). 192.168.1.20 is specified as DMZ in the modem that is giving the internet connection.

    Essentially the reason for doing that was so that I'd have two separate subnets that could be accessed separately, one for VPN and one the normal ISP router/modem for normal traffic.
     
  5. Denarius

    Denarius New Member Member

    [screenshot]

    From the Tomato router's overview page. As I said, if the VPN tunnel is down, you can access the internet through the router connected this way with no issues.
     
  6. Denarius

    Denarius New Member Member

    And this is where I've set this router as DMZ in the router from the ISP.

    [screenshot]
     
  7. eibgrad

    eibgrad Network Guru Member

    One of the potential problems here is that you're mixing the GUI and what it publishes to the underlying config file w/ whatever you added to the Custom Configuration section. And given how much you added, there's a good chance that you've effectively overridden the GUI w/ some items it's already providing by default.

    For example, there's no need to specify the following in Custom Configuration:

    Code:
    dev tun
    By having filled out the Interface Type field w/ TUN, the GUI has already generated that directive *and* given it a name.

    Code:
    dev tun11
    That name (tun11) is used w/ the automatically generated firewall rules. But when you specify "dev tun" (with no #), that tells OpenVPN to generate a random name (e.g., tun1). And now the firewall rules don't work anymore!

    That's why you don't want to add any directives the GUI is already specifying. Those act as overrides, and then things get out of sync.

    If you want to see what the GUI is already generating, leave the Custom Config field empty, and once the OpenVPN client attempts to connect, go to Tools->System Commands and execute the following:

    Code:
    cat /tmp/etc/openvpn/client1/config.ovpn
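    A quick way to catch exactly this kind of collision before it bites, as an added example (not Tomato's own tooling): the script below compares a pasted Custom Configuration block against the GUI-generated config.ovpn and lists every directive that appears in both. The generated sample is constructed; only `dev tun11` comes from the thread, the rest are assumed typical client directives.

```python
"""Flag directives in a Tomato OpenVPN 'Custom Configuration' block that duplicate
what the GUI already writes into config.ovpn (added example, not Tomato code).
Duplicates act as overrides: 'dev tun' replaces the GUI's 'dev tun11', so the
firewall rules generated for tun11 no longer match the interface."""

def parse_directives(text):
    """Yield (directive, args) for each active line of an OpenVPN config.
    Comment lines ('#' or ';') are ignored and inline key/cert blocks such as
    <ca>...</ca> are skipped, since their contents are not directives."""
    in_block = None
    for raw in text.splitlines():
        line = raw.strip()
        if in_block:
            if line == "</%s>" % in_block:
                in_block = None
            continue
        if not line or line[0] in "#;":
            continue
        if line.startswith("<") and line.endswith(">") and not line.startswith("</"):
            in_block = line[1:-1]
            continue
        parts = line.split(None, 1)
        yield parts[0], parts[1] if len(parts) > 1 else ""

def find_overrides(generated, custom):
    """Return [(directive, gui_args, custom_args)] for every custom directive
    whose name the GUI-generated config already contains."""
    gui = {}
    for name, args in parse_directives(generated):
        gui.setdefault(name, args)  # first occurrence is what the GUI emitted
    return [(name, gui[name], args)
            for name, args in parse_directives(custom) if name in gui]

# Constructed sample of what the GUI writes (only 'dev tun11' is from the thread;
# the other lines are assumed typical client directives, hostname is a placeholder).
GENERATED_CONFIG = """\
client
dev tun11
proto udp
remote vpn.example.net 1194
comp-lzo
<ca>
dev tun99  # constructed: inside a cert block, must not be read as a directive
</ca>
"""

# Constructed custom block with two duplicates and one harmless addition.
CUSTOM_CONFIG = """\
# extra options pasted from the provider's .ovpn
dev tun
comp-lzo
persist-key
"""

if __name__ == "__main__":
    for name, gui_args, custom_args in find_overrides(GENERATED_CONFIG, CUSTOM_CONFIG):
        print("override: %-10s GUI='%s'  custom='%s'" % (name, gui_args, custom_args))
```

    On the router itself you would feed it the real file from `cat /tmp/etc/openvpn/client1/config.ovpn` and the text of the Custom Configuration box; every line it reports is one to delete from the custom block.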
     
  8. Sean B.

    Sean B. LI Guru Member

    While segregating subnets/VLANs + VPN can be done on the Tomato router alone, your current configuration should work, but I must say I'd be eyeballing it if random connection drops or weird issues pop up. I believe @eibgrad is going the right direction. If you just dump in a bunch of custom config options, for any services the router runs, without knowing/understanding what's already been set by the system you're bound to cause conflicts. Backing down your additions and setting only what's needed would be a good start for diagnostics.
     
    Last edited: Dec 25, 2017
  9. Denarius

    Denarius New Member Member

    eibgrad, you absolutely nailed it. Initially I removed all of the custom rules and it didn't establish the tunnel. I put them all back with the exception of 'dev tun' and it's working a treat. Thank you ever so much and merry Christmas. :)

    Update: I've now actually removed all the duplicate commands in the custom that are already generated by the GUI.

    Incidentally, is there any difference between comp-lzo and comp-lzo adaptive?
     
    Last edited: Dec 25, 2017