1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Tomato 1.21 + OpenVPN connection problems

Discussion in 'Tomato Firmware' started by SplendiD, Oct 17, 2008.

  1. SplendiD

    SplendiD Addicted to LI Member

    I have some trouble connecting to my home router from work via VPN. I have tried lots of different combinations and used DD-WRT firmware as well as Tomato vith different OpenVPN mods, but I still get the same problem. Now I use the firmware with OpenVPN web GUI interface by SgtPepperKSU (Build 1.21vpn0087), but i made this new thread because I don´t think its related to the firmware.

    I tried the VPN at home on the local 192.168.1.1 adress and it works fine, so it's not related to the certificates or the configuration files on neither the client nor the server.

    I can connect to the router by SSH, so the home IP is accessible from my work IP -- and I tried lots of different ports too.

    The firewall script just contains the line "iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT" but i don't know if its working since the line "service start vpnserver1" in the init script doesn't automatically start the VPN server when the router reboots..

    When i set the verbosity level to 5 or 6 i get the following error from the client side of OpenVPN "UDPv4 WRITE [14] to xxx.xxx.xxx.xxx:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0"

    Anyone had a similar problem and know what to do next? :help:
     
  2. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Have you tried putting a delay before the "service start vpnserver1" in your init script (eg, sleep 5)? What happens if you try to start the server manually when the router is already up?
     
  3. SplendiD

    SplendiD Addicted to LI Member

    The server seem to start fine when I start it manually, but I still get the same error when i'm tying to connect. Putting sleep in the init script didn't help.
     
  4. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    First, I just noticed you mentioned "service start vpnserver1". It should be "service vpnserver1 start". That was a typo in the post in my thread. Sorry about that. That explains it not starting up automatically.

    But since, as you say, everything connects from the LAN side, there must be something blocking it along the way. With the iptables entry you mentioned, I assume you are using UDP on port 1194. If not, then there's your problem. If so, then perhaps your ISP or Work is blocking port 1194. You may try a different, non-standard port (updating the iptables command as well).
     
  5. SplendiD

    SplendiD Addicted to LI Member

    More testing

    I now got SSH working on a randomly generated port above 1024 and got remote desktop working over SSH-2 RSA encryption without any trouble, but I still want to get the VPN working too..

    I tried changing the port number from 1194 to another randomly generated port above 1024 and changed the firewall script accordingly. I got this working locally (to 192.168.1.1), but I get the same error when trying to connect from remote.

    Now I tried two remote locations, from a friends home network (with a dedicated IP-adress) and from my workplace. SSH is working from both these locations but not VPN. I can't figure out what I'm doing wrong here..

    I checked with 'iptables -L' that the firewall part of the script is working and accepts udp from aywhere to anywhere on the port I specified.

    I can also see (with the 'ps' command) that that the process is running;
    My current server configuration is the default;

    and the client configuration is;

    Can you see anything out of the ordinary?
     
  6. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Only the "tap21" in the client config. Unless you explicitly created your tap device as such, the chances of it having that name are pretty small. On a normal PC client config, I think it's normal to just put "tap". But, since you got it connect on a local machine, that probably isn't the problem.

    I've done another round of searching for this error, and it seems it is more indicative of authorization failure than a firewall problem. Could you check and re-check the ca, cert, and key files on both ends?
     
  7. SplendiD

    SplendiD Addicted to LI Member

    Ok, I can try to recreate them one more time. But shouldn't that be a problem when connecting locally too?
     
  8. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Unless something was copied incorrectly at some point, I would think so. But, the rest looks fine at first glance and web searches point to an authorization problem. However, since I'm getting that second-hand, it could be way off.

    Does anything at all show up on the server logs when you try to connect?
     
  9. sunjon

    sunjon Network Guru Member

    re: The VPN server not starting automatically. It's failing to start using the init scripts for me too.

    On a reboot on the router, once the VPN server has failed to start, I SHH into the router and try starting the service:
    Code:
    # service vpnserver1 start
    ***********************
    
    Service never starts, /etc/openvpn/ directory does not exist at this point.
    Starting the service through the GUI creates this directory and starts the service.
     
  10. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    That is odd. The '*'s mean that it is waiting for another service action to complete before running this one (they would be '.'s if this service was running). If you could run
    Code:
    nvram get action_service
    before running the vpnserver1 service command, we could figure out what is holding things up.

    EDIT: Also, try putting a larger delay before the command in the init script. I just added it to mine. Five seconds didn't work, but 20 did. Probably doesn't need to be that high, though.
     
  11. SplendiD

    SplendiD Addicted to LI Member

    I have now tried to recreate and recopy all the keys with the same result. I also tried using the static key mode and get a different result, but it's not working either. So I don't think the keys is the problem.

    How do I check the server log? I'm quite new to unix in general and completely new to ash.

    I'm really thankful for all the help! I could just give up since I got the SSH working, but I'm quite stubborn :) Learning by doing I guess.
     
  12. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Okay, it was worth checking, though. Beats spending endless time banging our heads on a wall due to something silly.
    No need for unix knowledge. In the tomato GUI, goto Status->Logs. The relevant lines will contain "openvpn".
    I'm the same way. Even if I find something that works, if there is a more "elegant" solution that should work, my brain won't rest until I understand why it isn't.
     
  13. SplendiD

    SplendiD Addicted to LI Member

    The only thing written in the log is the startup of the VPN service

    There is nothing written in the log when im trying to connect. Changing the verbosity level on the server to "verb 6" didn't help.. Still nothing.

    I renamed the VPN network interface in windows from "Local area connecction ##" to "VPN" but i guess that can't have anything to do with this?
     
  14. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    If there's nothing in the server logs, I have to think it's probably a firewall problem.
    II usually do the same, so renaming the interface isn't a problem. However, you mentioned before that you had tap21 in the client config. You have tried just saying "dev tap", right?

    Since I'm don't know what could cause that HARD_RESET error to show up, you may try asking in the OpenVPN IRC channel, #openvpn on freenode. They seem to be nice, helpful folks. I'm afraid I'm out of ideas, but be sure to let me know how things go getting help there.
     
  15. SplendiD

    SplendiD Addicted to LI Member

    Yeah I've triad alot of combinations "dev tap" and even "dev VPN" but same result. Actuallt the "dev tap21" was just a desperate attempt to try the same setting as the server side.

    I will try the IRC channel you mentioned and post my findings here. I'm also thinking it might be a firewall issue.. Thanks for all the help!
     
  16. baldrickturnip

    baldrickturnip LI Guru Member

    I think I am having a similar issue here

    I have a 54GL running 1.23vpn2.0005 and it was working without an issue before when I had the WAN port connected to a linksys ADSL modem running in bridge mode and the 54GL handling the PPPoE connection.

    now I have changed to a Huawei e960 HSDPA modem which I cannot put in bridge mode so I have connected the WAN port to the LAN on the e960 and given the 54GL a static IP and then forwarded 1194 to the static IP of the 54GL WAN.

    in the open VPN client logs it seems to show me that the request to connect has made it to the WAN of the 54GL - 192.168.222.10 is the static IP of the WAN
    Code:
    Mon Jan 05 08:34:15 2009 UDPv4 link remote: 192.168.222.10:1194
    and iptables shows it should accept the request
    Code:
    # iptables -L
    Chain INPUT (policy DROP)
    target     prot opt source               destination
    ACCEPT     udp  --  anywhere             anywhere            udp dpt:1194
    but it just times out ?

    I even tried to forward 1194 in the 54GL to the LAN address of the 54GL but that did not work either.

    edit:
    I configured a openvpn client machine on the LAN side of the e960 modem/router and successfully connected to the VPN server on the 54GL with its WAN address.
    Do modems require a VPN "pass though" as well as the 1194 port forwarded - I thought I have seen in the specs of some modems something about VPN "pass through".

    edit:
    tried placing the 54GL WAN IP in the modem DMZ , but no joy.
    time to trawl through the Huawei forms :)


    any ideas ?
    thanks

    edit:
    ok I know I am going to look very silly :D , but it might help somebody down the line :D

    my problem was the DDNS , it was still on on the 54GL and faithfully reporting its WAN address which was now static :D
    so I moved the DDNS to the e960 ( though I may move it back to the 54GL and disable the e960 DDNS ) and now everything works fine

    I was looking for a complex problem to account for my own stupidity - I have done it before and I will probably do it again :D , just hopefully not as often :D
     

Share This Page