
VPN build with Web GUI

Discussion in 'Tomato Firmware' started by SgtPepperKSU, Oct 10, 2008.

  1. Thux

    Thux Addicted to LI Member

    I've just tried to connect from internet to the webserver and I notice that the packets are dropped according to the router's log:

    Feb 11 19:35:02 router user.warn kernel: DROP IN=ppp0 OUT= MAC= SRC=217.64.166.3 DST=10.30.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=25879 DF PROTO=TCP SPT=52188 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A6573D16B0000000001030302)
    Feb 11 19:35:05 router user.warn kernel: DROP IN=ppp0 OUT= MAC= SRC=217.64.166.3 DST=10.30.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=25881 DF PROTO=TCP SPT=52188 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A6573DD230000000001030302)
    Feb 11 19:35:11 router user.warn kernel: DROP IN=ppp0 OUT= MAC= SRC=217.64.166.3 DST=10.30.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=25883 DF PROTO=TCP SPT=52188 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A6573F4930000000001030302)

    As you can see, I've forwarded port 80 to 10.30.0.1, which is the VPN server.
    Could I be more specific and forward it directly to the webserver which is connected through the VPN (10.30.0.6)?
     
  2. pendetim

    pendetim Addicted to LI Member

    Please ignore. I tried it again with static key from server 1 into TLS server 2 and TLS client and NOW it seems to work. ????

    Thanks Tim
     
  3. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Yes, you must forward it to the webserver. Otherwise, it has no idea where you want it to go. Right now you're forwarding it from the router to itself (that's where the VPN server is after all).
     
  4. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Sorry, I missed your earlier reply. Weird behavior like that is often caused by corrupt NVRAM. It is recommended to clear (thorough) the NVRAM after any Tomato upgrade.
     
  5. Thux

    Thux Addicted to LI Member

    Well, I've finally achieved what I have wanted! Thank you once again for your quick answers and patience! Keep up the good work with this VPN build for Tomato! :thumbups:
     
  6. jabberwock

    jabberwock Addicted to LI Member

  7. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    You can't edit any files in Tomato and expect them to stay that way. If you want custom firewall entries, you'll need to either place them in the firewall script (Administration->Scripts) or create an up script. If you want the rules on all the time, use the former. If you want the rules to only be in effect when your tunnel is connected, use the latter (add them with an up script, remove them with a down script - see the OpenVPN documentation for specifics on how to write those).
     
  8. jabberwock

    jabberwock Addicted to LI Member

    SgtPepperKSU,

    Thanks again for your inputs.
    That makes sense. I assumed everyone on this thread connects via ssh to configure their router.

    /r
    -Jackson
     
  9. Ruzzian

    Ruzzian Addicted to LI Member

    I just wanted to thank SgtPepper for all the work you have put into this. I have a friend who needed a simple VPN between 2 offices and this worked out perfectly. It was easy to set up and has been working great. So far I have only had to reconnect it once and I believe you posted a script to do that automatically in this thread.

    Again great job!

    Scott
     
  10. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Actually, in the latest release, it's built into the GUI. You can specify any interval for checking that the client/server is up.
     
  11. gawd0wns

    gawd0wns LI Guru Member

    Jabberwock, while you cannot make changes to files via SSH, you CAN access the router GUI via SSH. The trick is to create an SSH proxy and connect with Firefox (with the Multiproxy Switch plugin).

    You can do this with OpenSSH and Putty. I have a public/private key setup to access my server, from a usb key, so keep that in mind when reading the following. I will keep the following explanation basic, so you can add whatever options you like later on.

    You can connect to the server and create a tunnel with the following syntax:

    ssh -i pubkey -D 443 -o GlobalKnownHostsFile=hosts -o UserKnownHostsFile=uhosts root@ipaddress-of-ssh-host -p 35000

    -i pubkey: points to the location of the public keyfile on my usb drive

    -D 443: opens port 443 on your local computer and forwards all connections from here to the router over the SSH tunnel

    -o GlobalKnownHostsFile=: a file to be used for the global host key database

    -o UserKnownHostsFile=: a file to use for the user host key database

    root@ipaddress -p 35000: the username@ipaddress of your router, -p 35000 is the remote port of my ssh server

    Ok, so now you have connected via ssh and you have firefox open. Type about:config in the address bar and hit enter. Type in network.proxy.socks_remote_dns and double click on it so the value goes to true.

    You don't need the Multiproxy Switch plugin, though it makes switching between proxy settings easy. Install the Multiproxy Switch plugin and place it somewhere convenient in your browser, and create an SSH profile. In my case it looks like the attached images.

    Now you are all set, just type in your router's LAN ip address in the address bar. The connection request and DNS request will go through the SSH tunnel, and you will be greeted with your router's login screen.

    EDIT: You can also use this configuration as a secure proxy for remote web-browsing and the like.
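To make the about:config step concrete, here is an added example (not code from the post, from Tomato or from OpenSSH) of the SOCKS5 bytes a browser hands to an ssh -D listener, with and without remote DNS; the hostname router.lan, the addresses and the ports are constructed sample values.

```python
# Added example, not from the thread or the Tomato/TomatoVPN project: the SOCKS5
# messages Firefox sends through an "ssh -D" listener, and why the
# network.proxy.socks_remote_dns toggle from the post matters. Hostnames, IPs and
# ports below are constructed sample values.
import ipaddress
import struct

SOCKS_VERSION = 5
CMD_CONNECT = 1
ATYP_IPV4 = 1
ATYP_DOMAIN = 3
REPLY_TEXT = {0: "succeeded", 1: "general failure", 2: "not allowed by ruleset",
              3: "network unreachable", 4: "host unreachable", 5: "connection refused"}


class LocalResolutionError(RuntimeError):
    """Raised when the browser would resolve the name itself instead of in the tunnel."""


def socks5_greeting() -> bytes:
    # VER=5, one method offered: 0x00 (no authentication), which is all an
    # "ssh -D" local listener supports.
    return bytes([SOCKS_VERSION, 1, 0])


def socks5_connect_request(host: str, port: int, remote_dns: bool) -> bytes:
    """Build the CONNECT request for host:port as the browser would send it.

    An IPv4 literal (the router's LAN address from the post) is sent as ATYP 0x01.
    A hostname is sent verbatim as ATYP 0x03 only when remote DNS is on; the ssh
    process on the far side then resolves it. With remote DNS off the browser
    would first query the local resolver, which is the leak the about:config
    change prevents, so this function refuses rather than guessing.
    """
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    header = bytes([SOCKS_VERSION, CMD_CONNECT, 0])  # VER, CMD, RSV
    try:
        ip = ipaddress.IPv4Address(host)
    except ipaddress.AddressValueError:
        ip = None
    if ip is not None:
        return header + bytes([ATYP_IPV4]) + ip.packed + struct.pack("!H", port)
    if not remote_dns:
        raise LocalResolutionError(
            f"{host!r} would be resolved locally; enable socks_remote_dns")
    name = host.encode("idna")
    if len(name) > 255:
        raise ValueError("hostname too long for SOCKS5")
    return header + bytes([ATYP_DOMAIN, len(name)]) + name + struct.pack("!H", port)


def parse_socks5_reply(data: bytes) -> dict:
    """Decode the server's reply; REP=0 means ssh opened the TCP connection."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply")
    rep, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        if len(data) != 10:
            raise ValueError("truncated IPv4 reply")
        bound_host = str(ipaddress.IPv4Address(data[4:8]))
        port_off = 8
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        if len(data) != 5 + n + 2:
            raise ValueError("truncated domain reply")
        bound_host = data[5:5 + n].decode("idna")
        port_off = 5 + n
    else:
        raise ValueError(f"unsupported ATYP {atyp}")
    bound_port = struct.unpack("!H", data[port_off:port_off + 2])[0]
    return {"ok": rep == 0, "status": REPLY_TEXT.get(rep, f"code {rep}"),
            "bound": f"{bound_host}:{bound_port}"}
```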
     

  12. Paul

    Paul Addicted to LI Member

    Re Username/Passwords


    I noticed the interest on the blog which is why I reposted it and I remember you telling me about the "--" - I removed them, although actually it worked anyway. I think the security script line was necessary to get it working or at least to get rid of an error.

    The interest is probably due to those of us who use VPN services which always require a username/password. That part of it worked for me - it was TLS authentication I had trouble with. We are probably the ones also interested in being sure privacy isn't blown when the server drops a connection and then allows everything to go out in the clear.

    One of the wrt's bricked my linksys (I've tried everything except jtag) so I have to decide whether to gamble on buying another to see if the latest TomatoVPN release works with perfect-privacy - or else, if anyone on this thread has had any success with public vpn services, I'd like to know.
     
  13. sknnyftn

    sknnyftn Addicted to LI Member

    How do I set route for client 1

    Here is part of my server logs. I can connect to the VPN and ping the computers on my home network and the router, and Windows recognizes that I am on my home network, but I cannot ping the client computer from anything on my home network including the router, or actually share files on the network. I think this line in the log is the problem, but I'm not sure how to fix it. I have tried figuring it out on my own reading this thread, but after two days of reading I am more confused than when I started. So now I am giving up and begging for any help anyone can give.



    Feb 19 20:44:11 deena-wsncvkn8a daemon.notice openvpn[10989]: 71.52.92.208:24286 [client1] Peer Connection Initiated with 71.52.92.208:24286
    Feb 19 20:44:11 deena-wsncvkn8a daemon.notice openvpn[10989]: MULTI: new connection by client 'client1' will cause previous active sessions by this client to be dropped. Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username
    Feb 19 20:44:11 deena-wsncvkn8a daemon.err openvpn[10989]: MULTI: no dynamic or static remote --ifconfig address is available for client1/71.52.92.208:24286
    Feb 19 20:44:13 deena-wsncvkn8a daemon.notice openvpn[10989]: client1/71.52.92.208:24286 PUSH: Received control message: 'PUSH_REQUEST'
    Feb 19 20:44:13 deena-wsncvkn8a daemon.notice openvpn[10989]: client1/71.52.92.208:24286 SENT CONTROL [client1]: 'PUSH_REPLY,route-gateway 10.69.21.1,redirect-gateway def1,route-gateway dhcp,ping 15,ping-restart 60' (status=1)
    Feb 19 20:44:13 deena-wsncvkn8a daemon.notice openvpn[10989]: client1/71.52.92.208:24286 MULTI: Learn: 00:ff:3e:d0:dd:e5 -> client1/71.52.92.208:24286
    Feb 19 20:44:13 deena-wsncvkn8a daemon.info dnsmasq-dhcp[94]: DHCPREQUEST(br0) 10.69.21.125 00:ff:3e:d0:dd:e5
    Feb 19 20:44:13 deena-wsncvkn8a daemon.info dnsmasq-dhcp[94]: DHCPACK(br0) 10.69.21.125 00:ff:3e:d0:dd:e5 deena-PC
    Feb 19 20:44:47 deena-wsncvkn8a daemon.info dnsmasq-dhcp[94]: DHCPINFORM(br0) 10.69.21.125 00:ff:3e:d0:dd:e5
    Feb 19 20:44:47 deena-wsncvkn8a daemon.info dnsmasq-dhcp[94]: DHCPACK(br0) 10.69.21.125 00:ff:3e:d0:dd:e5 deena-PC
     
  14. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Have you tried this?
    http://tomatovpn.keithmoyer.com/2009/03/client-specific-options.html
     
  15. sknnyftn

    sknnyftn Addicted to LI Member

  16. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Are you trying to ping the VPN address of the client or the LAN address of the client? Using TAP or TUN? What does the routing table of your server look like (Advanced->Routing)?
     
  17. dougisfunny

    dougisfunny LI Guru Member

    I know when I've set up the client specific configurations, I had issues a few times because I put in the full router address, 192.168.10.1, and the 255.255.255.0 subnet mask, where 192.168.10.0 would be required. That got me recently, because I switched one of my routers to a 255.255.0.0 subnet mask, but forgot to truncate the subnet address. Perhaps he set his up the same way.
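An added example (not from the thread or the TomatoVPN project) that checks client-specific subnet entries for exactly this mistake before they go into the GUI; the client names, subnets and the reserved 10.8.0.0/24 VPN range used in it are constructed sample values.

```python
# Added example, not from the thread or TomatoVPN: sanity-check the subnet
# entries used for client-specific routes. OpenVPN route/iroute lines want the
# network address (192.168.10.0), not the router's own address (192.168.10.1);
# widening the mask to 255.255.0.0 while leaving 192.168.10.0 in place is the
# same mistake. All entries in this file are constructed sample values.
import ipaddress
from typing import Dict, List, Tuple


def normalize_client_subnet(address: str, netmask: str) -> Tuple[bool, str]:
    """Return (was_valid, "network netmask").

    was_valid is False when host bits were set in the address; the returned
    string is then the corrected network address the GUI actually needs.
    An invalid netmask (e.g. 255.255.255.1) raises ValueError.
    """
    try:
        net = ipaddress.IPv4Network(f"{address}/{netmask}", strict=True)
        return True, f"{net.network_address} {net.netmask}"
    except ValueError:
        # strict=False clears the host bits; a bad netmask still raises here
        net = ipaddress.IPv4Network(f"{address}/{netmask}", strict=False)
        return False, f"{net.network_address} {net.netmask}"


def audit_client_subnets(entries: Dict[str, Tuple[str, str]],
                         reserved: List[str]) -> List[str]:
    """Report problems in a set of client-specific subnet entries.

    entries maps a client common name to (address, netmask) as typed into the GUI;
    reserved lists networks already in use (server LAN, VPN subnet) in CIDR form.
    Overlaps are reported too, since a client subnet that collides with the server
    LAN or with another client's subnet cannot be routed unambiguously.
    """
    problems: List[str] = []
    reserved_nets = [ipaddress.IPv4Network(r) for r in reserved]
    seen: Dict[str, ipaddress.IPv4Network] = {}
    for cn, (addr, mask) in entries.items():
        ok, fixed = normalize_client_subnet(addr, mask)
        if not ok:
            problems.append(f"{cn}: {addr} {mask} has host bits set; use {fixed}")
        net = ipaddress.IPv4Network(fixed.replace(" ", "/"))
        for r in reserved_nets:
            if net.overlaps(r):
                problems.append(f"{cn}: {net} overlaps reserved {r}")
        for other_cn, other in seen.items():
            if net.overlaps(other):
                problems.append(f"{cn}: {net} overlaps {other_cn}'s {other}")
        seen[cn] = net
    return problems
```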
     
  18. MiBz

    MiBz Network Guru Member

    Just upgraded to 1.27 today... I think I was on 1.23 before this :)

    Noticed some new GUI settings and check boxes

    1. Poll Interval (in minutes, 0 to disable):

    2. Push LAN to clients

    3. Direct clients to
    redirect Internet traffic

    4. Respond to DNS

    Is it possible to know a brief explanation of what each setting does?

    Also, previously in my Init script I had:
    cru a CheckVPNServer "*/30 * * * * service vpnserver1 start"

    I'm not sure, but is it a safe guess that I don't need this anymore? If I set the value of #1 above to 30, does it accomplish the same?

    Last point, I guess I also won't need anything more in the Shutdown, Firewall & WanUp scripts either when using the latest v1.27?

    SgtPepper, thanks again for your great work on this!
     
  19. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    1. At periodic intervals, it will check that the service is running and start it if it isn't.
    2. This pushes a route to the clients that will allow them to contact the computers on the server LAN (there were requests from people who only use VPN for internet access and don't want the server LAN route advertised).
    3. This pushes commands to the clients to send all their internet-bound traffic over the VPN (the similar setting on the client does the same thing, but just for that client).
    4. This configures dnsmasq to respond to DNS requests from the VPN interface. If you select this, another option will appear to advertise the DNS server to the clients. A typical VPN client would accept this and start using the server router as their DNS.

    Yes, exactly.

    Most likely you won't need anything. If you have your WAN disabled and you want the service to start with the router, you'll need to do so in the Init script. This is due to a not fully thought out change that I made in the last version (the option changed from "Start with router" to "Start with WAN"). It's a lot better for those that have the WAN enabled, but never auto-starts for those that don't. This is already fixed in my code and will be in the next release.
     
  20. MiBz

    MiBz Network Guru Member

    Keith, as usual, incredibly helpful reply.
    Thank you again both for your support to all of us here and for your hard work on the VPN GUI.

    Is there a client or server side option I can set so that all the local LAN and local servers/clients appear in the network browser of connected clients? Or is this not possible over a routed TUN connection?
     
  21. darv

    darv Addicted to LI Member

    Need help with firewall settings (and routing?)

    Hi,

    I've been trying to get openvpn working and have made progress but am currently stuck. I'm using the Tomato_RAF_1.25.8515 ND USB .8_snmp_vpn_v3.trx (thor mod) on my home router (as tls server). I have made tls certificates and gotten a connection with my computer at work where I have a static IP address that is not behind a firewall (running ubuntu hardy).

    I think that I have the routing mostly sorted out (using resolveconf) and have a dynDNS address for the router. One thing that I don't understand is that I seem to get two tunnels, the router's routing table has a tunnel from 10.8.1.1 to 10.8.1.2, the routing table for the box at work has a tunnel from 10.8.1.6 to 10.8.1.5. Why don't they have the same numbers? Is it normal to get two tunnels like this?

    ip r (work box)
    10.8.1.5 dev tun21 proto kernel scope link src 10.8.1.6
    10.8.1.1 via 10.8.1.5 dev tun21
    192.168.1.0/24 via 10.8.1.5 dev tun21
    12.8.0.0/13 dev eth0 proto kernel scope link src x.x.x.x
    default via x.x.x.x dev eth0 (last two lines are routing table with tunnel off)

    ip r (home router)
    10.8.1.2 dev tun21 proto kernel scope link src 10.8.1.1
    192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1
    10.8.1.0/24 via 10.8.1.2 dev tun21
    98.250.176.0/21 dev vlan1 proto kernel scope link src 98.250.x.x (changed routers ip to x's)
    127.0.0.0/8 dev lo scope link
    default via 98.250.176.1 dev vlan1

    Earlier today I was able to ping from the work computer to 10.8.1.6 (fast ping times = work computer) and 10.8.1.1 (slower = router). I was also able to do the same from the router (with the times switched, faster for 10.8.1.1). I was also able to ping from work to the boxes on my lan behind the home router. The problem is that is all that I could do. I was not able to ssh through the tunnel in either direction.

    Later in the day I messed up the routing somewhere and rebooted the router to try to start over. Now when I ping in either direction I get "ping: sendmsg: Operation not permitted". I've been playing with different firewall settings but don't have a good understanding of what I'm doing, I think that before I rebooted the router I somehow had things configured to allow the pings to go through but now I don't remember what the settings were.

    Should I flash with your tomatovpn-ND-1.27vpn3.6? Or can I stick with the thor mod? Are there additional firewall settings needed beyond the automatic settings?

    /tmp/etc/openvpn/fw# cat server1-fw.sh
    iptables -t nat -I PREROUTING -p udp --dport 1194 -j ACCEPT
    iptables -I INPUT -p udp --dport 1194 -j ACCEPT
    iptables -I INPUT -i tun21 -j ACCEPT
    iptables -I FORWARD -i tun21 -j ACCEPT

    Thank you kindly,

    Dennis
     
  22. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    You shouldn't need anything else on the router. What does your client config look like?
     
  23. ific

    ific Addicted to LI Member

    Hi guys,
    I'm trying to start the OpenVPN server on Tomato 1.27 with TLS and I get this message:

    Mar 4 16:02:46 unknown daemon.warn openvpn[21900]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Mar 4 16:02:46 unknown daemon.notice openvpn[21900]: Diffie-Hellman initialized with 1024 bit key
    Mar 4 16:02:46 unknown daemon.err openvpn[21900]: Cannot load CA certificate file ca.crt path (null) (SSL_CTX_load_verify_locations) (OpenSSL)
    Mar 4 16:02:46 unknown daemon.notice openvpn[21900]: Exiting
    Mar 4 16:02:46 unknown user.info init[1]: VPN_LOG_ERROR: 822: Starting VPN instance failed...

    I've been stuck on this for days and I can't figure out what is wrong with my ca.key.

    Anyone?
     
  24. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    The CA needs to start with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----. Does it?
     
  25. darv

    darv Addicted to LI Member

    You shouldn't need anything else on the router. What does your client config look like?

    client
    dev tun21
    proto udp
    remote [dynDNSname.ath.cx] 1194
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca /etc/openvpn/ca.crt
    cert /etc/openvpn/bongo.crt
    key /etc/openvpn/[client_common_name].key
    ns-cert-type server
    tls-auth /etc/openvpn/ta.key 1
    comp-lzo
    verb 3
    up /etc/openvpn/update-resolv-conf
    down /etc/openvpn/update-resolv-conf
     
  26. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Assuming everything else matches (incoming tls-auth selected on server), the only thing I see there is that the comp-lzo line may not match. If you have "Disabled" selected on the server, remove the line from your client config. If you have "None" selected on the server, change it to "comp-lzo no" on the client. If you have "Enabled" selected on the server, change it to "comp-lzo yes" on the client. If you have "Adaptive" selected on the server, change it to "comp-lzo adaptive" on the client. I believe "comp-lzo" by itself is equivalent to "adaptive", but it's best to be explicit.
     
  27. ific

    ific Addicted to LI Member

    Yes I did.
    Server was starting fine with static key.
    Is there a way to get a more detailed debugging log?
     
  28. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I don't think there's a need for a more detailed log. OpenVPN is already telling you that it can't find or parse your certificate authority file. I'd try recreating your certificates and ensuring that all the certificate data, including the start and end lines, is pasted into the certificate authority box.
     
  29. rseiler

    rseiler LI Guru Member

    With an Asus WL-520GU already on DD-WRT, is it OK to use tomato.trx? I ask, because the original Tomato mentions using tomato-ND.trx with this model, and it's not included in the VPN zip.
     
  30. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    TomatoVPN supports everything Tomato does. If you want the ND binaries, download the ND archive (tomatovpn-ND-1.27vpn3.6.7z).
     
  31. rseiler

    rseiler LI Guru Member

    Ah yes, thanks, inexplicably I missed that separate link. ND apparently stands for "new driver," as in new wireless driver, I'm assuming. For whatever reason, this is what Tomato mainline recommends for this model, so I'll do the same with TomatoVPN.
     
  32. WrtFan

    WrtFan Addicted to LI Member

    MAC changes on VPN server start on Kernel 2.6

    On every start of the VPN server, the LAN MAC of the router changes to a random value, so Vista and Win7 clients detect a new network location.
    I searched for the reason and found this:
    On creation, the VPN adapter tap21 gets this random MAC; when it is added to the bridge br0, the bridge gets this MAC.

    This seems to be a problem with kernel 2.6.
    I have tested it with kernel 2.4. On adding the tap adapter to the bridge with brctl, the old MAC remains; with kernel 2.6 it changes.
    I have also found a workaround for that problem:
    Before I start the service vpnserver1, I create the tap adapter tap21 and change its MAC address (ifconfig tap21 hw ether xx:xx:xx:xx:xx:xx). So I always have the same MAC, because I start the VPN on startup of the router.
    It would be nice if this functionality were added to this mod.

    I already reported this issue in the Tomato ND USB Mod with kernel 2.6 thread, but teddy_bear told me to report this to SgtPepperKSU in this thread.
    Thanks
     
  33. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Thank you very much for the report, especially for including a potential fix. I've never seen this because I don't use a 2.6 kernel, but the change necessary would be harmless for the 2.4 kernel, so I will implement it in the next release.
     
  34. azertyx

    azertyx Addicted to LI Member

    openvpn and routing

    Hi, for my first post on this forum, even though I have used Tomato for years now, I have a problem with OpenVPN and the routing, I think.
    I'm using a private VPN service provider for privacy purposes to tunnel all my web traffic; my router is connected to my ISP box through DHCP.
    When the VPN is connected, I can ping the computers on my local network, but none have access to the net. I can ping 80.254.79.87 as well.
    That's why I think it is a routing problem.
    I've been struggling with it for a while now and can't figure out what to do.
    If you guys have any ideas as to where I'm wrong, I would really appreciate it.


    before vpn connection
    Code:
    # route -n
    
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    78.229.8.0      0.0.0.0         255.255.255.0   U     0      0        0 vlan1
    192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
    127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
    0.0.0.0         78.229.8.254    0.0.0.0         UG    0      0        0 vlan1
    
    after vpn connection
    Code:
    # route -n
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    80.254.79.87    78.229.8.254    255.255.255.255 UGH   0      0        0 vlan1
    80.254.76.128   0.0.0.0         255.255.255.128 U     0      0        0 tun11
    78.229.8.0      0.0.0.0         255.255.255.0   U     0      0        0 vlan1
    192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
    127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
    0.0.0.0         80.254.76.129   128.0.0.0       UG    0      0        0 tun11
    128.0.0.0       80.254.76.129   128.0.0.0       UG    0      0        0 tun11
    0.0.0.0         78.229.8.254    0.0.0.0         UG    0      0        0 vlan1
    
    my config
    WAN
    Code:
    WAN
    MAC Address	00:14:BF:26:76:AA
    Connection Type	DHCP
    IP Address	78.229.8.62
    Subnet Mask	255.255.255.0
    Gateway	78.229.8.254
    DNS	212.27.40.241:53, 212.27.40.240:53
    MTU	1500
     
    LAN
    Code:
    LAN
    Router MAC Address	00:14:BF:26:76:A9
    Router IP Address	192.168.0.1
    Subnet Mask	255.255.255.0
    DHCP	192.168.0.2 - 192.168.0.149
     
  35. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Do you have the "NAT" option selected on the client? Can you ping 80.254.76.129 from the router? From a LAN computer?
     
  36. azertyx

    azertyx Addicted to LI Member

    Yes, I have the NAT option enabled. I can't ping 80.254.76.129 from the router nor from LAN computers.
     
  37. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I just took another look back at your logs, and they do not at all match what you provided for the routing table. Were these really collected on the same connection?
    • Routing table:
      • VPN server = 80.254.79.87
      • tunnel subnet = 80.254.76.128/25
      • tunnel gateway = 80.254.76.129
    • logs:
      • VPN server = 80.254.79.101
      • tunnel subnet = 93.94.245.0/25
      • tunnel gateway = 93.94.245.1

    Assuming those came from two different attempts at connecting to two different servers with different setups, the routing table by itself looks good. It's probably a firewall-type problem. Do you have the firewall setting set to automatic?

    If those really do come from the same connection attempt, then I'm at a loss as to what is going on. That'd just be bizarre.
     
  38. azertyx

    azertyx Addicted to LI Member

    That's true, the logs were from a previous connection; those were just posted to show the connection with the VPN provider was working.
    I'll get a new set of fresh data.
     
  39. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    No need. I did a lookup on the IP to determine the VPN provider you are using, and downloaded their recommended client config.

    It does not use LZO compression. You have your router configured to do so. You need to change the compression option to Disabled.

    That would fully account for what we're seeing in your logs (everything connects fine and sets up the tunnel without any trouble, but nothing works going across the tunnel).
     
  40. azertyx

    azertyx Addicted to LI Member

    WAN
    Code:
    MAC Address	00:14:BF:26:76:AA
    Connection Type	DHCP
    IP Address	78.229.8.62
    Subnet Mask	255.255.255.0
    Gateway	78.229.8.254
    DNS	212.27.40.241:53, 212.27.40.240:53
    MTU	1500
     
    Status	Connected
    Connection Uptime	0 days, 05:22:20
    Remaining Lease Time	6 days, 18:37:40
     
    LAN
    Code:
    Router MAC Address	00:14:BF:26:76:A9
    Router IP Address	192.168.0.1
    Subnet Mask	255.255.255.0
    DHCP	192.168.0.2 - 192.168.0.149
    before vpn
    Code:
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    78.229.8.0      0.0.0.0         255.255.255.0   U     0      0        0 vlan1
    192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
    127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
    0.0.0.0         78.229.8.254    0.0.0.0         UG    0      0        0 vlan1
    
    
    after vpn
    Code:
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    80.254.79.101   78.229.8.254    255.255.255.255 UGH   0      0        0 vlan1
    93.94.245.0     0.0.0.0         255.255.255.128 U     0      0        0 tun11
    78.229.8.0      0.0.0.0         255.255.255.0   U     0      0        0 vlan1
    192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
    127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
    0.0.0.0         93.94.245.1     128.0.0.0       UG    0      0        0 tun11
    128.0.0.0       93.94.245.1     128.0.0.0       UG    0      0        0 tun11
    0.0.0.0         78.229.8.254    0.0.0.0         UG    0      0        0 vlan1
    
    logs from same connection
    Code:
    Mar 10 00:58:33 unknown user.info kernel: Universal TUN/TAP device driver 1.5 (C)1999-2002 Maxim Krasnyansky
    Mar 10 00:58:34 unknown daemon.notice openvpn[656]: OpenVPN 2.1.1 mipsel-unknown-linux-gnu [SSL] [LZO2] built on Feb  1 2010
    Mar 10 00:58:34 unknown daemon.warn openvpn[656]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Mar 10 00:58:34 unknown daemon.notice openvpn[656]: LZO compression initialized
    Mar 10 00:58:34 unknown daemon.notice openvpn[656]: Control Channel MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
    Mar 10 00:58:34 unknown daemon.err openvpn[656]: RESOLVE: NOTE: connect-openvpn.swissvpn.net resolves to 2 addresses, choosing one by random
    Mar 10 00:58:34 unknown daemon.notice openvpn[656]: Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
    Mar 10 00:58:34 unknown daemon.notice openvpn[660]: Attempting to establish TCP connection with 80.254.79.101:443 [nonblock]
    Mar 10 00:58:38 unknown daemon.notice openvpn[660]: TCP connection established with 80.254.79.101:443
    Mar 10 00:58:38 unknown daemon.notice openvpn[660]: Socket Buffers: R=[43689->65534] S=[16384->65534]
    Mar 10 00:58:38 unknown daemon.notice openvpn[660]: TCPv4_CLIENT link local: [undef]
    Mar 10 00:58:38 unknown daemon.notice openvpn[660]: TCPv4_CLIENT link remote: 80.254.79.101:443
    Mar 10 00:58:38 unknown daemon.notice openvpn[660]: TLS: Initial packet from 80.254.79.101:443, sid=87a48199 b2edd8e2
    Mar 10 00:58:38 unknown daemon.warn openvpn[660]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Mar 10 00:58:40 unknown daemon.notice openvpn[660]: VERIFY OK: depth=1, /C=CH/ST=ZH/L=Regensdorf/O=Monzoon_Networks_AG/OU=OpenVPN_CA/CN=OpenVPN-CA/Email=operations@monzoon.net
    Mar 10 00:58:40 unknown daemon.notice openvpn[660]: VERIFY OK: nsCertType=SERVER
    Mar 10 00:58:40 unknown daemon.notice openvpn[660]: VERIFY OK: depth=0, /C=CH/ST=ZH/O=Monzoon_Networks_AG/OU=OpenVPN_server/CN=server/Email=operations@monzoon.net
    Mar 10 00:58:43 unknown daemon.notice openvpn[660]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Mar 10 00:58:43 unknown daemon.notice openvpn[660]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Mar 10 00:58:43 unknown daemon.notice openvpn[660]: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Mar 10 00:58:43 unknown daemon.notice openvpn[660]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Mar 10 00:58:43 unknown daemon.notice openvpn[660]: Control Channel: TLSv1, cipher TLSv1/SSLv3 EDH-RSA-DES-CBC3-SHA, 1024 bit RSA
    Mar 10 00:58:43 unknown daemon.notice openvpn[660]: [server] Peer Connection Initiated with 80.254.79.101:443
    Mar 10 00:58:45 unknown daemon.notice openvpn[660]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
    Mar 10 00:58:45 unknown daemon.notice openvpn[660]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 80.254.79.157,dhcp-option DNS 80.254.77.39,route-gateway 93.94.245.1,topology subnet,ping 10,ping-restart 60,socket-flags TCP_N
    Mar 10 00:58:45 unknown daemon.notice openvpn[660]: OPTIONS IMPORT: timers and/or timeouts modified
    Mar 10 00:58:45 unknown daemon.notice openvpn[660]: OPTIONS IMPORT: --socket-flags option modified
    Mar 10 00:58:45 unknown daemon.notice openvpn[660]: OPTIONS IMPORT: --ifconfig/up options modified
    Mar 10 00:58:45 unknown daemon.notice openvpn[660]: OPTIONS IMPORT: route options modified
    Mar 10 00:58:45 unknown daemon.notice openvpn[660]: OPTIONS IMPORT: route-related options modified
    Mar 10 00:58:45 unknown daemon.notice openvpn[660]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
    Mar 10 00:58:45 unknown daemon.notice openvpn[660]: TUN/TAP device tun11 opened
    Mar 10 00:58:45 unknown daemon.notice openvpn[660]: TUN/TAP TX queue length set to 100
    Mar 10 00:58:45 unknown daemon.notice openvpn[660]: /sbin/ifconfig tun11 93.94.245.20 netmask 255.255.255.128 mtu 1500 broadcast 93.94.245.127
    Mar 10 00:58:45 unknown daemon.notice openvpn[660]: updown.sh tun11 1500 1544 93.94.245.20 255.255.255.128 init
    Mar 10 00:58:46 unknown daemon.info dnsmasq[100]: exiting on receipt of SIGTERM
    Mar 10 00:58:47 unknown daemon.info dnsmasq[727]: started, version 2.51 cachesize 150
    Mar 10 00:58:47 unknown daemon.info dnsmasq[727]: compile time options: no-IPv6 GNU-getopt no-RTC no-DBus no-I18N DHCP no-scripts no-TFTP
    Mar 10 00:58:47 unknown daemon.info dnsmasq-dhcp[727]: DHCP, IP range 192.168.0.2 -- 192.168.0.149, lease time 1d
    Mar 10 00:58:47 unknown daemon.info dnsmasq[727]: reading /etc/resolv.dnsmasq
    Mar 10 00:58:47 unknown daemon.info dnsmasq[727]: using nameserver 212.27.40.240#53
    Mar 10 00:58:47 unknown daemon.info dnsmasq[727]: using nameserver 212.27.40.241#53
    Mar 10 00:58:47 unknown daemon.info dnsmasq[727]: using nameserver 80.254.77.39#53
    Mar 10 00:58:47 unknown daemon.info dnsmasq[727]: using nameserver 80.254.79.157#53
    Mar 10 00:58:47 unknown daemon.info dnsmasq[727]: read /etc/hosts - 0 addresses
    Mar 10 00:58:47 unknown daemon.info dnsmasq[727]: read /etc/hosts.dnsmasq - 9 addresses
    Mar 10 00:58:48 unknown daemon.notice openvpn[660]: /sbin/route add -net 80.254.79.101 netmask 255.255.255.255 gw 78.229.8.254
    Mar 10 00:58:48 unknown daemon.notice openvpn[660]: /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 93.94.245.1
    Mar 10 00:58:48 unknown daemon.notice openvpn[660]: /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 93.94.245.1
    Mar 10 00:58:48 unknown daemon.notice openvpn[660]: Initialization Sequence Completed
     
  41. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Just in case you're expecting a reply after your last post, be sure to see my last reply.

    Code:
    Mar 10 00:58:34 unknown daemon.notice openvpn[656]: LZO compression initialized
    shows that you have the router configured to use compression. However, the server is not configured that way. I think your fix is as simple as changing this one option. :smile:
     
  42. azertyx

    azertyx Addicted to LI Member

    Thank you very very much!
    works like a charm now!!
    :thumbup:
     
  43. mferrigno

    mferrigno LI Guru Member

    VPN Client Connection drops

    I recently changed my Tomato openVPN from TAP to TUN and have noticed that my client openVPN after a period of time will drop. The connection starts up fine and I can web browse, search folders on the remote network etc. If I leave the connection and come back later I notice that the connection is no longer active (the toolbar openVPN icon goes from green to yellow) and I need to reconnect. Below is a summary of my configuration. Is there a way to prevent my connection from dropping?

    thank you

    Running Tomato Version 1.27
    VPN GUI mod

    Server settings
    Start with WAN: enabled
    Interface Type: TUN
    Protocol: UDP
    Port: 1194
    Firewall: Automatic
    Auth Model: TLS
    Extra HMAC: disabled
    VPN subnet 10.8.0.0 255.255.255.0
    Poll Interval: 3
    Push Lan: enabled
    Direct clients to redirect Int traffic: enabled
    Respond to DNS: disable
    Encryption: use default
    compression: Adaptive
    TLS Renegotiation Time: -1


    Client
    dev tun
    proto udp
    remote xxx.net 1194
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca ca.crt
    cert client.crt
    key client.key
    ns-cert-type server
    comp-lzo
    verb 3
    mute 20
     
  44. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Try changing the renegotiation time to 0 to disable that (in GUI on server, reneg-sec 0 in client config).
     
  45. mferrigno

    mferrigno LI Guru Member

    Changes were applied.

    On Server changed
    TLS Renegotiation Time: 0

    On Client added
    reneg-sec 0

    Timeouts still occurred. Included below is the client log. @13:26 connected, @13:50 timeout occurs and never reconnects unless I do a manual disconnect/connect.

    Thu Mar 11 13:26:37 2010 C:\WINDOWS\system32\route.exe ADD 10.8.0.1 MASK 255.255.255.255 10.8.0.5
    Thu Mar 11 13:26:37 2010 Route addition via IPAPI succeeded [adaptive]
    Thu Mar 11 13:26:37 2010 Initialization Sequence Completed
    Thu Mar 11 13:50:25 2010 [server] Inactivity timeout (--ping-restart), restarting
    Thu Mar 11 13:50:25 2010 TCP/UDP: Closing socket
    Thu Mar 11 13:50:25 2010 SIGUSR1[soft,ping-restart] received, process restarting
    Thu Mar 11 13:50:25 2010 Restart pause, 2 second(s)
    Thu Mar 11 13:50:27 2010 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Thu Mar 11 13:50:27 2010 Re-using SSL/TLS context
    Thu Mar 11 13:50:27 2010 LZO compression initialized
    Thu Mar 11 13:50:27 2010 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Thu Mar 11 13:50:27 2010 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
    Thu Mar 11 13:50:27 2010 Local Options hash (VER=V4): '41690919'
    Thu Mar 11 13:50:27 2010 Expected Remote Options hash (VER=V4): '530fdded'
    Thu Mar 11 13:50:27 2010 Socket Buffers: R=[8192->8192] S=[8192->8192]
    Thu Mar 11 13:50:27 2010 UDPv4 link local: [undef]
    Thu Mar 11 13:50:27 2010 UDPv4 link remote: xxxxxxxx:1194
    Thu Mar 11 13:51:27 2010 [UNDEF] Inactivity timeout (--ping-restart), restarting
    Thu Mar 11 13:51:27 2010 TCP/UDP: Closing socket
    Thu Mar 11 13:51:27 2010 SIGUSR1[soft,ping-restart] received, process restarting
    Thu Mar 11 13:51:27 2010 Restart pause, 2 second(s)
     
  46. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Okay, I didn't realize you were seeing inactivity timeouts. That is usually caused by a flaky connection between the client and server. Try adding
    Code:
    keepalive 10 600
    to the server config to make it more tolerant of this.
     
  47. mferrigno

    mferrigno LI Guru Member

    Unfortunately the keepalive 10 600 had no impact.
    After about 15 minutes I get the Inactivity timeout.
     
  48. mferrigno

    mferrigno LI Guru Member

    Another piece of info, I run a series of pings from the client to my local network (local to the VPN server) so to keep activity going and I still get the timeout/disconnect.
     
  49. mferrigno

    mferrigno LI Guru Member

    I rolled back some of the default settings and it seems to be working better, been connected for 90 minutes. The settings that I rolled back are:

    Server
    Poll Interval: from 3 to 0
    Direct clients to redirect Int traffic: from enabled to disabled
    TLS Renegotiation Time: From 0 to -1

    Client
    removed reneg-sec 0

    thanks for the support.
     
  50. ific

    ific Addicted to LI Member

    Yes you were right. There was something wrong with my certificates! Now the server starts fine, but I'm still not able to establish a connection. Client log:

    Fri Mar 12 18:43:04 2010 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct 1 2006
    Fri Mar 12 18:43:04 2010 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
    Fri Mar 12 18:43:04 2010 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    Fri Mar 12 18:43:04 2010 LZO compression initialized
    Fri Mar 12 18:43:04 2010 TAP-WIN32 device [Local Area Connection 3] opened: \\.\Global\{D0522806-3FE8-4440-B224-AC2A7DE08CEB}.tap
    Fri Mar 12 18:43:04 2010 Successful ARP Flush on interface [4] {D0522806-3FE8-4440-B224-AC2A7DE08CEB}
    Fri Mar 12 18:43:04 2010 UDPv4 link local (bound): [undef]:1194
    Fri Mar 12 18:43:04 2010 UDPv4 link remote: 194.249.198.87:1194
    Fri Mar 12 18:43:05 2010 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: /C=SI/ST=LJ/L=Ljubljana/O=Induktio/CN=Induktio_CA/emailAddress=info@induktio.si
    Fri Mar 12 18:43:05 2010 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
    Fri Mar 12 18:43:05 2010 TLS Error: TLS object -> incoming plaintext read error
    Fri Mar 12 18:43:05 2010 TLS Error: TLS handshake failed
    Fri Mar 12 18:43:05 2010 SIGUSR1[soft,tls-error] received, process restarting
    Fri Mar 12 18:43:07 2010 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
    Fri Mar 12 18:43:07 2010 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    Fri Mar 12 18:43:07 2010 LZO compression initialized
    Fri Mar 12 18:43:07 2010 TAP-WIN32 device [Local Area Connection 3] opened: \\.\Global\{D0522806-3FE8-4440-B224-AC2A7DE08CEB}.tap
    Fri Mar 12 18:43:07 2010 Successful ARP Flush on interface [4] {D0522806-3FE8-4440-B224-AC2A7DE08CEB}
    Fri Mar 12 18:43:07 2010 UDPv4 link local (bound): [undef]:1194
    Fri Mar 12 18:43:07 2010 UDPv4 link remote: 194.249.198.87:1194
    Fri Mar 12 18:43:07 2010 TLS Error: Unroutable control packet received from 194.249.198.87:1194 (si=3 op=P_CONTROL_V1)
     
  51. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    There is still a problem with your certificates. When you recreated your server certificates, did you recreate your client certificates as well using the same CA?
     
  52. mferrigno

    mferrigno LI Guru Member

    Now that my OpenVPN connection is solid I went back and enabled some of the selections that I changed. The setting that is causing my VPN connection to drop is the following.

    server
    Direct clients to redirect Int traffic:

    Whenever I enable this the connection drops within 15 minutes.

    Is something required in my client config to support this?

    I am running the latest 1.27, v1.27vpn3.6.4b664ba6

    thanks

    client
    dev tun
    proto udp
    remote xxxxx 1194
    keepalive 10 600
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca ca.crt
    cert client1.crt
    key client1.key
    ns-cert-type server
    comp-lzo
    verb 3
    mute 20
     
  53. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I suspected that might be the option that made the problem go away. The only thing needed in the client config to support that is "client". Whatever the problem may be, it is certainly on the client-side, so I'm afraid I can't offer much assistance.
    What version of OpenVPN are you using as your client? If it isn't 2.1.1, you should upgrade and try it again.
     
  54. TheParadox

    TheParadox Addicted to LI Member

    The website is down :( Where can I find a download link for the ND version?
     
  55. zurk

    zurk Addicted to LI Member

    How do I set this up?
    Office OpenVPN server running on 1.1.1.1 with 192.68.0.x as the subnet using TAP (tested with standalone client, works fine)
    My network: TomatoVPN running the TomatoVPN server on 2.2.2.2 with 192.168.100.x as the subnet using TAP (tested with standalone client, works fine)

    I would like to set up my TomatoVPN as a client as well, connected to the office, allowing me to browse the office subnet but NOT allowing the machines on the office subnet to connect to my machines on my subnet.

    If I just set up a client with the same config I use for the standalone I get:
    Jan 1 14:33:01 test daemon.notice openvpn[458]: /sbin/route add -net xx.xx.xx.xx netmask 255.255.255.255 gw xxx.xxx.xxx.xxx
    Jan 1 14:33:01 test daemon.notice openvpn[458]: /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 192.168.0.1
    Jan 1 14:33:01 test daemon.warn openvpn[458]: ERROR: Linux route add command failed: external program exited with error status: 1
    Jan 1 14:33:01 test daemon.notice openvpn[458]: /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 192.168.0.1
    Jan 1 14:33:01 test daemon.warn openvpn[458]: ERROR: Linux route add command failed: external program exited with error status: 1
    Jan 1 14:33:01 test daemon.notice openvpn[458]: Initialization Sequence Completed
    Jan 1 14:35:42 test daemon.notice openvpn[458]: TCP/UDP: Closing socket
    Jan 1 14:35:42 test daemon.notice openvpn[458]: /sbin/route del -net xx.xx.xx.xx netmask 255.255.255.255
    Jan 1 14:35:42 test daemon.notice openvpn[458]: /sbin/route del -net 0.0.0.0 netmask 128.0.0.0
    Jan 1 14:35:42 test daemon.warn openvpn[458]: ERROR: Linux route delete command failed: external program exited with error status: 1
    Jan 1 14:35:42 test daemon.notice openvpn[458]: /sbin/route del -net 128.0.0.0 netmask 128.0.0.0
    Jan 1 14:35:42 test daemon.warn openvpn[458]: ERROR: Linux route delete command failed: external program exited with error status: 1
    Jan 1 14:35:42 test daemon.notice openvpn[458]: Closing TUN/TAP interface
    Jan 1 14:35:42 test daemon.notice openvpn[458]: SIGTERM[hard,] received, process exiting
    Jan 1 14:35:42 test user.info kernel: br0: port 4(tap11) entering disabled state
    Jan 1 14:35:42 test user.info kernel: br0: port 4(tap11) entering disabled state
     
  56. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Just checked the site, and everything seems okay. Try it again.
     
  57. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    The key to keeping your work subnet from contacting your home subnet is to have the NAT option selected on the TomatoVPN client.

    Are you using TLS or Static key? Could you clarify somewhat what the LAN subnets and VPN subnets look like? Do you get those errors if the client is the only VPN running on the router, or if the server is also running?
     
  58. kulmegil

    kulmegil Network Guru Member

    help

    Please help.
    I want to connect from my work to my home HTPC/server. Since (as usual) there are some restrictions on outgoing traffic in my office, I chose to run the server on 443 (default HTTPS port) and use the TCP proto.
    Tomato's VPN server goes down after some time and I must log in to the router to manually restart the VPN service :/

    HARD&SOFT
    Tomato Firmware v1.27vpn3.6.4b6645f6(ND) running on WRT54GL 1.1

    SERVER CONFIG
    CLIENT CONFIG


    SERVER LOG
    CLIENT LOG
     
  59. kulmegil

    kulmegil Network Guru Member

    help

    double post :/
     
  60. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    It looks like, for some reason, your connection is being blocked when it tries to reconnect. Try setting the "TLS Renegotiation Time" to zero in the server config (and add "reneg-sec 0" to your client config) to eliminate the reconnection altogether.
     
  61. ific

    ific Addicted to LI Member

    Yes you were right again! I probably forgot to change the CA.

    Many thanks
     
  62. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Just to clarify, you need to use the same CA when generating server and client certificates. That's how they authenticate each other.
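As an added example (not code from this thread, nor part of Tomato or OpenVPN): a small triage script for the kind of server-side log lines quoted in this thread. It groups failed TLS handshakes by peer IP and maps the VERIFY ERROR text to its usual cause, including the "same CA" case just explained. The log lines inside it are constructed in the style of the router's syslog output (addresses, ports and subject DNs are made up), and the cause mapping is an assumption drawn from the cases in the thread, not something OpenVPN reports itself.

```python
"""Triage of OpenVPN server log lines for failed TLS handshakes.

Added example, not code from this thread or from the Tomato firmware.  It
groups failures by peer IP and maps the VERIFY ERROR text to its usual cause.
The log lines below are constructed in the style of the router's syslog output
(addresses, ports and subject DNs are made up); the cause mapping is an
assumption based on the cases in the thread, not something OpenVPN reports.
"""
import re
from collections import defaultdict

# syslog prefix as written by the router, then "ip:port msg" for per-peer lines
LINE_RE = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ \S+ openvpn\[\d+\]: "
    r"(?P<ip>\d+\.\d+\.\d+\.\d+):\d+ (?P<msg>.*)$"
)

# VERIFY ERROR substring -> likely cause (assumptions, see module docstring)
REASONS = [
    ("self signed certificate in certificate chain",
     "peer cert chains to a CA other than the one in the CA field; server and "
     "client certs must be issued by the same CA"),
    ("certificate is not yet valid",
     "a clock is behind the cert's notBefore; a router logging 'Jan 1' "
     "timestamps has probably not synced its clock yet"),
    ("certificate has expired",
     "cert past its notAfter, or a clock far ahead"),
]


def triage(lines):
    """Return {peer_ip: {"verify": [cause, ...], "handshake_failed": count}}.

    Lines that do not carry a peer address (startup, route, dnsmasq lines) are
    ignored, so the whole syslog can be fed in unfiltered.
    """
    report = defaultdict(lambda: {"verify": [], "handshake_failed": 0})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, msg = m.group("ip"), m.group("msg")
        if msg.startswith("VERIFY ERROR"):
            cause = next((why for key, why in REASONS if key in msg),
                         "unclassified: " + msg)
            report[ip]["verify"].append(cause)
        elif "TLS handshake failed" in msg:
            report[ip]["handshake_failed"] += 1
    return dict(report)


def noisy_peers(report, threshold=3):
    """Peers with at least `threshold` failed handshakes and no verify error at
    all: they never presented a certificate, so they are more likely scanners
    than one of your own misconfigured clients."""
    return sorted(ip for ip, r in report.items()
                  if r["handshake_failed"] >= threshold and not r["verify"])


# Constructed sample log (not the thread's own lines).
SAMPLE_LOG = """\
Jan  1 01:01:35 unknown daemon.notice openvpn[134]: 192.168.1.136:1431 TLS: Initial packet from 192.168.1.136:1431, sid=a21a9b16 3583880d
Jan  1 01:01:36 unknown daemon.err openvpn[134]: 192.168.1.136:1431 VERIFY ERROR: depth=1, error=certificate is not yet valid: /C=NL/O=example/CN=example
Jan  1 01:01:36 unknown daemon.err openvpn[134]: 192.168.1.136:1431 TLS Error: TLS handshake failed
Jan  1 01:02:10 unknown daemon.err openvpn[134]: 198.51.100.7:40001 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: /C=SI/O=example/CN=Example_CA
Jan  1 01:02:10 unknown daemon.err openvpn[134]: 198.51.100.7:40001 TLS Error: TLS handshake failed
Jan  1 01:05:00 unknown daemon.err openvpn[134]: 203.0.113.9:55555 TLS Error: TLS handshake failed
Jan  1 01:06:00 unknown daemon.err openvpn[134]: 203.0.113.9:55556 TLS Error: TLS handshake failed
Jan  1 01:07:00 unknown daemon.err openvpn[134]: 203.0.113.9:55557 TLS Error: TLS handshake failed
Jan  1 01:08:00 unknown daemon.info dnsmasq[100]: using nameserver 192.0.2.1#53
""".splitlines()

if __name__ == "__main__":
    for ip, r in triage(SAMPLE_LOG).items():
        print(ip, r)
    print("noisy:", noisy_peers(triage(SAMPLE_LOG)))
```

Feed it the router's syslog (Status > Logs, or `cat /var/log/messages` over telnet) and the first thing to look at is whether a failing peer has a VERIFY ERROR at all: with one, the fix is on the certificate side (same CA, valid dates, correct clock); without one, the peer never got as far as presenting a certificate.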
     
  63. WrtFan

    WrtFan Addicted to LI Member

    MAC changes on bridging

    Now I have determined that the MAC only changes if the randomly generated MAC of the tap adapter is LOWER than the current MAC of the LAN adapter.

    If the MAC of the tap can be defined in a future version, then the MAC of the router doesn't change if you choose a MAC higher than the current one.
     
  64. kulmegil

    kulmegil Network Guru Member

    Here are some observations:
    - when no client is connected server is running fine
    - server went down after (almost exactly) 6h runtime since I connected this morning (8:20 ~ 14:20)
    - Yes, client is periodically disconnected after 1h of activity .. probably that's how things work in the office. I'm automatically reconnected at around ~9:20, ~10.20, ~11.20, ~12.20, ~13.20 and finally fails around ~14:20...
    - I'm 99% sure all http(s) traffic is routed through corporate proxy (in the past I had to type it manually to connect anywhere). I'm only allowed to connect to servers on ports 80 and 443.
    - as much as I wanted to post entire, interesting log from 8:00 but I'm unable because of post length req. :)
    - yep, there is some moron/bot/whatever (188.105.27.151) trying to connect to server (fortunately fails) at 10:38 and that's why I included this part in the log. But could it have anything to do with crashing it at ~14:20?


    Unfortunately tips didn't help.
    Why does the server go down anyway.. Yes I'm periodically disconnected but it's not a strong reason for the openvpn daemon to crash, is it?
    SERVER LOG
    CLIENT LOG
     
  65. gijs73

    gijs73 LI Guru Member

    Hello. I am using 2 remote routers set-up in bridge mode via internet. Both of them are DHCP servers since I use them at home. Problem is that when I connect to one router sometimes the default gateway assigned to my computer is the gateway of the Remote Router.

    Does anyone know a way on how to prevent this within the Web GUI so that only the local router will be the gateway. It does slow down my internet since it routes traffic to the other router.
     
  66. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    My guess is that the work firewall/proxy is preventing you from reconnecting this last time somehow. If possible, try connecting from a non-proxied location to confirm if it has a problem then or not. If it doesn't have a problem elsewhere you can try either decreasing the renegotiation time (could make it look more like normal SSL traffic if there are more, shorter-lived connections) or increasing/eliminating the renegotiation time (don't know what's triggering your firewall, so I can't say for sure if this would do any good).
     
  67. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    This is a problem inherent in using TAP. DHCP requests are broadcast messages, which are forwarded with TAP, so it's just a matter of which server responds first.

    You have two options:
    1. Add firewall rules that block broadcast traffic over the tunnel (or, I suppose the response).
      • I don't know what those rules would be off-hand
    2. Use TUN instead of TAP (and have the two routers configured with different subnets).
     
  68. darv

    darv Addicted to LI Member

    Hello again,

    I had lots of trouble getting openvpn working. The tunnel seemed to be created. When I pinged from the server (the tomato thor router) I could see the pings on the clients openvpn output:
    Thu Mar 11 18:02:38 2010 us=305837 UDPv4 READ [125] from tomato.router:1194: P_DATA_V1 kid=0 DATA len=124
    Thu Mar 11 18:02:38 2010 us=306009 TUN WRITE [84]

    but there was no ping response to the server:
    7 packets transmitted, 0 packets received, 100% packet loss

    When I pinged from the client to the server I got
    ping: sendmsg: Operation not permitted

    This is from the client logfile
    Options consistency check may be skewed by version differences
    WARNING: 'version' is used inconsistently, local='version V4', remote='version V0 UNDEF'
    WARNING: 'dev-type' is present in local config but missing in remote config, local='dev-type tun'
    WARNING: 'link-mtu' is present in local config but missing in remote config, local='link-mtu 1542'
    WARNING: 'tun-mtu' is present in local config but missing in remote config, local='tun-mtu 1500'
    WARNING: 'proto' is present in local config but missing in remote config, local='proto UDPv4'
    WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
    WARNING: 'keydir' is present in local config but missing in remote config, local='keydir 0'
    WARNING: 'cipher' is present in local config but missing in remote config, local='cipher BF-CBC'
    WARNING: 'auth' is present in local config but missing in remote config, local='auth SHA1'
    WARNING: 'keysize' is present in local config but missing in remote config, local='keysize 128'
    WARNING: 'tls-auth' is present in local config but missing in remote config, local='tls-auth'
    WARNING: 'key-method' is present in local config but missing in remote config, local='key-method 2'
    WARNING: 'tls-server' is present in local config but missing in remote config, local='tls-server'

    OpenVPN 2.1_rc7 i486-pc-linux-gnu [SSL] [LZO2] [EPOLL] built on May 8 2009
    Thu Mar 11 16:55:05 2010 us=764387 /usr/bin/openssl-vulnkey -q -b 1024 -m <modulus omitted>

    Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
    Thu Mar 11 16:55:06 2010 us=222632 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'

    Initialization Sequence Completed
    Thu Mar 11 16:55:10 2010 us=333465 UDPv4 WRITE [50] to tomato.router:1194: P_ACK_V1 kid=0 pid=[ #57 ] [ 30 ]


    This is from the server logfile
    Control Channel: TLSv1, cipher TLSv1/SSLv3 EDH-RSA-DES-CBC3-SHA, 1024 bit RSA
    Peer Connection Initiated with work.computer:56024

    This is the openvpn version on the tomato thor router
    #openvpn --version
    OpenVPN 2.1_rc15 mipsel-unknown-linux-gnu [SSL] [LZO2] built on Jul 28 2009
    Developed by James Yonan

    Hardy Heron is using 2.1_rc7 with EPOLL.

    I was worried that the versions were not compatible. But they must be, as I have it working now.
    I am using WDS along with openvpn and wondered if this could be a problem. Again, as it is now working, it was OK.

    I thought that firewalls would not affect pings directly across the tunnel. But that was not the case. I am using Firestarter on my work computer and it was causing the trouble. It is explained here.

    http://www.fs-security.com/docs/vpn.php

    I got it working by editing the client's firewall:
    iptables -I INPUT -p udp --dport 1194 -s router.external.address -j ACCEPT

    iptables -A INPUT -i tun+ -j ACCEPT

    iptables -I OUTPUT -o tun+ -j ACCEPT

    Hope this helps someone else.

    Dennis
     
  69. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Yes, you definitely can't have a firewall actively blocking the communication for it to work.

    For what it's worth, only the last two should be needed. The first is only needed for the server (and my firmware does it automatically).
     
  70. sander815

    sander815 Network Guru Member

    Is there a fairly simple how-to to get started with OpenVPN in this firmware?
     
  71. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Follow the link on the "Keys" tab for instructions on generating keys and certificates (must be done on a separate computer with OpenVPN installed). After that, you just need to enter those certificates in the GUI and put the server's address in the client configuration.

    That should be enough to get started. Of course, there are more settings that can be changed, but the defaults are as close to a working solution as possible.
     
  72. Letschi

    Letschi LI Guru Member

    hi!

    I have a Linux PC with an OpenVPN server running. If several clients (WRT54GL with this OpenVPN software) are connecting to this server, must each client router have a different subnet?

    Server: VPN-Adress: 10.8.0.1 / 24
    LAN-Adress: 10.10.10.10 /24


    Client1: VPN-Adress: 10.8.0.2 / 24
    LAN-Subnet: 192.168.1.0 /24

    Client2: VPN-Adress: 10.8.0.3 / 24
    LAN-Subnet: 192.168.1.0 /24

    Client3: VPN-Adress: 10.8.0.4 / 24
    LAN-Subnet: 192.168.1.0 /24

    Would this make a problem? The clients can't "see" each other: "client-to-client" in the server configuration file is commented out.

    thanks!
     
  73. sander815

    sander815 Network Guru Member

    OK, I have done that, and generated the correct keys I hope:
    3.695 01.pem
    3.592 02.pem
    1.269 ca.crt
    887 ca.key
    3.592 client1.crt
    692 client1.csr
    887 client1.key
    245 dh1024.pem
    212 index.txt
    21 index.txt.attr
    3 serial
    3.695 server.crt
    692 server.csr
    887 server.key

    I want the Linksys as server, and a PC on another WAN as client.
    On the router, what keys do I need for:
    -Certificate Authority -> ca.key or ca.cert?
    -Server Certificate -> server.crt, server.csr?
    -Server key -> server.key
    Diffie Hellman parameters: -> dh1024.pem I assume?

    What do I need for the client PC?
    Where do I get the config file from?
     
  74. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I don't think it would be necessary to have the LANs on different subnets as long as you have the NAT option selected on the clients. If you want the server subnet to be able to reach individual computers on the client subnets, then it will be necessary to have them on separate subnets so that OpenVPN will know which client is desired when an IP address is provided.
     
  75. Letschi

    Letschi LI Guru Member

    thanks! i will try it! :)
     
  76. sander815

    sander815 Network Guru Member

    After a little trying I think I got some results, but I get a handshake error:
    Code:
    Jan  1 01:01:35 unknown daemon.notice openvpn[134]: MULTI: multi_create_instance called
    Jan  1 01:01:35 unknown daemon.notice openvpn[134]: 192.168.1.136:1431 Re-using SSL/TLS context
    Jan  1 01:01:35 unknown daemon.notice openvpn[134]: 192.168.1.136:1431 LZO compression initialized
    Jan  1 01:01:35 unknown daemon.notice openvpn[134]: 192.168.1.136:1431 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Jan  1 01:01:35 unknown daemon.notice openvpn[134]: 192.168.1.136:1431 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
    Jan  1 01:01:35 unknown daemon.notice openvpn[134]: 192.168.1.136:1431 TLS: Initial packet from 192.168.1.136:1431, sid=a21a9b16 3583880d
    Jan  1 01:01:36 unknown daemon.err openvpn[134]: 192.168.1.136:1431 VERIFY ERROR: depth=1, error=certificate is not yet valid: /C=NL/ST=xx/L=xx/O=xx/OU=xx/CN=xx/Email=xx@xxx.com
    Jan  1 01:01:36 unknown daemon.err openvpn[134]: 192.168.1.136:1431 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
    Jan  1 01:01:36 unknown daemon.err openvpn[134]: 192.168.1.136:1431 TLS Error: TLS object -> incoming plaintext read error
    Jan  1 01:01:36 unknown daemon.err openvpn[134]: 192.168.1.136:1431 TLS Error: TLS handshake failed
    Jan  1 01:01:36 unknown daemon.notice openvpn[134]: 192.168.1.136:1431 SIGUSR1[soft,tls-error] received, client-instance restarting
    What am I doing wrong here?
     
  77. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    What does your setup look like? Are you controlling both the client and server? Or just the client and connecting to a VPN service?

    All certificate and key fields need to be filled and should include "----BEGIN...---" and "----END...---" lines. Also, they need to be compatible with the certificates on the server, so that brings me back to my first questions.
     
  78. sander815

    sander815 Network Guru Member

    I run OpenVPN as server on the WRT54GS, and OpenVPN as client on a Windows PC at my office.
    How do I know I put the right key in the right boxes on the WRT54GS?

    I now have this on the WRT, but there's something wrong, as the server doesn't start
    Code:
    certificate authority: -----BEGIN CERTIFICATE-----
    MIIDezCCAuSgAwIBAgIJA
    
    Server Certificate
    -----BEGIN CERTIFICATE REQUEST-----
    MIIBxzCCATACAQAwgYYxC
    
    server key: -----BEGIN RSA PRIVATE KEY-----
    MIICXAIBAAKBgQClS
    
    Diffie Hellman parameters:-----BEGIN DH PARAMETERS-----
    MIGHAoGBAJsMTrZC4TnN
    
    
     
  79. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    First, I'll assume you cut off those keys/certs for privacy. If that's the entirety of what you entered, then you need to go back and put the whole thing in.

    However, the problem appears to be that you put a "CERTIFICATE REQUEST" in the server certificate field rather than a certificate. Try it again using the contents of the crt file, not the csr file.
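An added example (not part of the firmware and not code from this thread) that checks what was pasted into each of the server GUI fields named in the posts above: it classifies every PEM object by its BEGIN/END label and flags the two mistakes discussed, a CERTIFICATE REQUEST (the .csr) in a certificate field and a paste that stops before its END line. The field names and the expected object types follow the answers in this thread; the sample pastes are constructed, and the tiny DER blob inside them is a placeholder rather than a real key or certificate.

```python
"""Sanity check of what was pasted into the Tomato VPN server's key/cert fields.

Added example, not part of the firmware or of this thread.  It classifies each
pasted PEM object by its BEGIN/END label and flags a CERTIFICATE REQUEST in a
certificate field and a paste that was cut off before its END line.  The field
names and expected object types are taken from the thread (assumption); the
sample pastes are constructed and the DER blob inside them is a placeholder.
"""
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----\s*(?P<body>.*?)-----END (?P=label)-----",
    re.S,
)

# GUI field -> acceptable PEM labels (assumption based on the answers above)
EXPECTED = {
    "Certificate Authority": {"CERTIFICATE"},
    "Server Certificate": {"CERTIFICATE"},
    "Server Key": {"RSA PRIVATE KEY", "PRIVATE KEY"},
    "Diffie Hellman parameters": {"DH PARAMETERS"},
}


def pem_blocks(text):
    """Return [(label, der_bytes), ...] for every complete PEM block in text.

    Raises ValueError when a BEGIN line has no matching END line (a truncated
    paste) or when the body is not base64 that decodes to a DER SEQUENCE.
    """
    blocks = []
    for m in PEM_RE.finditer(text):
        body = "".join(m.group("body").split())
        der = base64.b64decode(body, validate=True)   # binascii.Error is a ValueError
        if not der or der[0] != 0x30:   # certs, keys and DH params are all DER SEQUENCEs
            raise ValueError("%s does not decode to a DER SEQUENCE" % m.group("label"))
        blocks.append((m.group("label"), der))
    if text.count("-----BEGIN ") != len(blocks):
        raise ValueError("BEGIN line without a matching END line (paste cut off?)")
    return blocks


def check_fields(fields):
    """fields: {gui_field_name: pasted_text}.  Returns a list of problem strings;
    an empty list means every field holds exactly one object of the right type."""
    problems = []
    for name, want in EXPECTED.items():
        try:
            blocks = pem_blocks(fields.get(name, ""))
        except ValueError as err:
            problems.append("%s: %s" % (name, err))
            continue
        if len(blocks) != 1:
            problems.append("%s: expected one PEM object, found %d" % (name, len(blocks)))
            continue
        label = blocks[0][0]
        if label not in want:
            problems.append("%s: got %s, expected %s"
                            % (name, label, " or ".join(sorted(want))))
    return problems


def fake_pem(label, der=b"\x30\x03\x02\x01\x00"):
    """Wrap a placeholder DER SEQUENCE as a PEM block (constructed test data)."""
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (
        label, base64.b64encode(der).decode(), label)


# Constructed reproduction of the mistakes in the paste above: a CSR in the
# certificate field and a private key cut off after its first line.
BAD_PASTE = {
    "Certificate Authority": fake_pem("CERTIFICATE"),
    "Server Certificate": fake_pem("CERTIFICATE REQUEST"),
    "Server Key": "-----BEGIN RSA PRIVATE KEY-----\nMIICXAIBAAKBgQClS\n",
    "Diffie Hellman parameters": fake_pem("DH PARAMETERS"),
}

GOOD_PASTE = {
    "Certificate Authority": fake_pem("CERTIFICATE"),
    "Server Certificate": fake_pem("CERTIFICATE"),
    "Server Key": fake_pem("RSA PRIVATE KEY"),
    "Diffie Hellman parameters": fake_pem("DH PARAMETERS"),
}

if __name__ == "__main__":
    for problem in check_fields(BAD_PASTE):
        print(problem)
```

The label check is deliberately strict: easy-rsa writes the certificate to the .crt file and the signing request to the .csr file, and only the former carries the CA's signature that the other side verifies, so a CSR in the Server Certificate field can never produce a working server even though it looks like a valid PEM block.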
     
  80. Letschi

    Letschi LI Guru Member

    Is it possible to make a script which turns on the LED in the "SecureEasySetup-Button" when the VPN-connection is established? The router (WRT54GL) works as VPN-Client.

    Thanks!
     
  81. GavinP

    GavinP Network Guru Member

    Hi

    I have setup the latest version of TomatoVPN on a dedicated Buffalo WHR-G54S to be used solely as a VPN server to get around geographical IP limitations when accessing some video streaming Internet sites from another country.

    The link would be established from the clients on an "ad hoc" basis only when needed to access specific sites (the rest of the time, web access would be direct from their local internet connection) and would serve a maximum of two concurrent clients.

    I have setup the server with TUN using CA certificates and used push "redirect-gateway local def1" to divert all traffic down the VPN when connected.

    It is all working, I have reduced the maximum sessions to 1024 and turned the wireless off.

    A few questions if anyone can help:

    1. Is it possible to make the connected VPN client perform all DNS lookups locally without sending the request over the VPN ? I am using a combination of Google and OpenDNS at both ends so it would be more efficient to send the DNS requests direct.

    2. Are there any tips for maximising the performance of this type of setup ?

    3. Which combination of encryption has the lightest load on the server ? Static vs CA ? Blowfish vs AES ?

    4. Does TLS-Auth add a large overhead ?

    Thanks

    Gavin
     
  82. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Were you aware of the option in the GUI to accomplish this? Also, I don't think "local" is appropriate in your setup.

    You'll need to create a static route on the clients for the DNS servers to tell it to not use the tunnel.

    If performance is a major consideration, I would recommend using an OpenVPN server separate from the router. However, if you just want to get the best performance you can out of the router (even if that isn't very good), I'm afraid your best bet is trial and error. Please post your findings, though!

    Static key versus TLS will have no effect. That is only used in establishing the connection, not in the encryption of the data once connected. Blowfish is more efficient than AES (at the cost of slightly less security) for that.

    tls-auth is also only used in establishing the connection. If you think you'll be getting a fair number of rogue devices trying to connect to your VPN server, then tls-auth will decrease the amount of work for the router (it can tell they are fake before doing anything that takes much work).
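The two `/sbin/route add -net ... netmask 128.0.0.0` lines in the logs near the top of this section (and the failing ones in post 55) and the "static route on the clients for the DNS servers" advice just above are both consequences of longest-prefix-match routing. As an added example (not code from this thread, Tomato or OpenVPN), the following simulates a client's routing table before and after `redirect-gateway def1` and shows why a /32 route wins over the tunnel's /1 routes. All addresses in it are constructed, not taken from anyone's logs.

```python
"""Why ``redirect-gateway def1`` adds the routes seen in the logs above, and how
a /32 route keeps DNS (or the VPN server itself) out of the tunnel.

Added example, not code from this thread, Tomato or OpenVPN.  It is a
longest-prefix-match lookup over a toy routing table; the addresses below are
constructed, not taken from anyone's logs.
"""
import ipaddress

# Constructed sample addresses (assumptions)
LAN_GW = "192.168.0.1"        # the client's original default gateway
VPN_SERVER = "203.0.113.10"   # public address of the OpenVPN server
VPN_GW = "10.8.0.1"           # gateway pushed by the server inside the tunnel
DNS_SERVER = "8.8.8.8"        # resolver the client should keep reaching directly


def lookup(table, dst):
    """Most specific matching route for dst, as (prefix, gateway), or None.

    Real kernels do exactly this: a longer prefix wins over a shorter one,
    regardless of the order the routes were added.
    """
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, gw in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return None if best is None else (str(best[0]), best[1])


def base_table():
    """The client before OpenVPN starts: a LAN and a default route."""
    return [("0.0.0.0/0", LAN_GW), ("192.168.0.0/24", "link")]


def def1_table(bypass_dns=False):
    """What ``redirect-gateway def1`` turns the table into.

    1. a /32 host route to the VPN server via the old gateway, so the tunnel's
       own UDP packets are not sent into the tunnel (that would loop);
    2. 0.0.0.0/1 and 128.0.0.0/1 via the tunnel gateway.  Together they cover
       every address and are one bit more specific than 0.0.0.0/0, so they win
       without the original default route ever being deleted.  These are the
       two ``route add -net ... netmask 128.0.0.0`` lines in the logs.
    With bypass_dns, a /32 for the resolver via the old gateway is added; being
    longer than /1 it wins, which is the "static route on the clients" advice.
    """
    table = base_table()
    table.append((VPN_SERVER + "/32", LAN_GW))
    table.append(("0.0.0.0/1", VPN_GW))
    table.append(("128.0.0.0/1", VPN_GW))
    if bypass_dns:
        table.append((DNS_SERVER + "/32", LAN_GW))
    return table


def tunnel_loops(table):
    """True if packets addressed to the VPN server itself would be routed into
    the tunnel, i.e. the host route from step 1 is missing."""
    hit = lookup(table, VPN_SERVER)
    return hit is not None and hit[1] == VPN_GW


if __name__ == "__main__":
    for dst in ("1.2.3.4", "200.1.1.1", DNS_SERVER, VPN_SERVER, "192.168.0.5"):
        print(dst, "->", lookup(def1_table(bypass_dns=True), dst))
```

One caveat when bypassing DNS this way: a /32 to the resolver via the local gateway sends those queries in the clear over the local network, which is exactly what the tunnel would otherwise hide; that is the right trade for a geo-unblocking setup like the one described, and the wrong one if the VPN is there to keep the local network from seeing what you resolve.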
     
  83. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Interesting idea. Probably the simplest way would be to, in a loop, ping the VPN server and set the LED according to the result. You could probably also do it by refreshing and parsing the status file, but that'd probably be more work than it is worth to avoid a few pings.
     
  84. rhester72

    rhester72 Network Guru Member

    Would it be very difficult to allow the "nogw" parameter to be passed in server-bridge mode (a checkbox in the GUI, I assume)? It's basically a must for me on a corporate network with a VPN connection into my home network.

    Rodney
     
  85. thegewp

    thegewp Guest

    would like to run more than 2 servers

    I don't know much about how this stuff works, but I would love to have more servers available. I'm trying to convert from OpenWRT where I have 5 servers running for 5 different family members and I would love to be able to use Tomato instead. Would it be possible to store the configs in the jffs2 partition instead of nvram?
     
  86. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Yes, but not using the GUI. I made the decision a bit back not to rely on the fact that the user has configured JFFS.

    Do you really need 5 servers? Have you considered just using one server and TLS?
     
  87. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I should be able to add that.

    Could you explain the necessity of it in your situation? I'm curious as I would think the gateway info would still be necessary in that situation (unless there are other factors I'm not imagining).
     
  88. rhester72

    rhester72 Network Guru Member

    On a Windows client, the route is built automatically - the gateway as advertised actually ends up becoming the _default_ gateway, which is a bit problematic when doing a tap bridge and expecting a valid DHCP reply on the local tap without disrupting the local network. ;)

    Rodney
     
  89. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    That would, indeed, be problematic! The problem there is the client incorrectly setting the default gateway, but I'll put in this option so you can work around it.
     
  90. TheGIZ

    TheGIZ Network Guru Member

    I just tried updating to 1.27 from 1.23 again. And once again, my VPN is not working. I have confirmed that I have the new version on OpenVPN.

    When I put my config in the scripts I get nothing.

    When I check the status of the VPN in the GUI it reads
    Server is not running or status could not be read.

    If I just leave my old config in scripts I get Connection reset by Peer


    Here is what my config looked like in Scripts by tabs...

    If someone could tell me how to add this to the gui I would be very happy.

    ___________________________________
    TAB INIT:
    sleep 5
    insmod tun.o

    TAB FIREWALL:
    iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT

    TAB WAN UP:
    insmod tun.o
    cd /tmp
    openvpn --mktun --dev tap0
    brctl addif br0 tap0
    ifconfig tap0 0.0.0.0 promisc up

    echo "
    # Tunnel options
    mode server
    proto udp
    port 1194
    dev tap0
    keepalive 15 60
    daemon
    verb 3
    comp-lzo
    # OpenVPN server mode options
    client-to-client
    # TLS Mode Options
    tls-server
    ca ca.crt
    dh dh1024.pem
    cert server.crt
    key server.key
    " > openvpn.conf

    echo "
    -----BEGIN CERTIFICATE-----
    (Removed)
    -----END CERTIFICATE-----

    " > ca.crt
    echo "
    -----BEGIN RSA PRIVATE KEY-----
    (Removed)
    -----END RSA PRIVATE KEY-----

    " > server.key
    chmod 600 server.key
    echo "

    -----BEGIN CERTIFICATE-----
    (Removed)
    -----END CERTIFICATE-----

    " > server.crt
    echo "
    -----BEGIN DH PARAMETERS-----
    (Removed)
    -----END DH PARAMETERS-----

    " > dh1024.pem

    sleep 5
    ln -s /usr/sbin/openvpn /tmp/myvpn
    /tmp/myvpn --config openvpn.conf
    ___________________________________
     
  91. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Select TAP, enter your certs/keys, and select "Allow Client<->Client". That should be it.
     
  92. TheGIZ

    TheGIZ Network Guru Member

    Where is Allow Client<->Client?

    And should I take it out of the Scripts section?
     
  93. free2share

    free2share Networkin' Nut Member

    SgtPepperKSU Great work on the VPN mod!

    Flashed WRT54G-TM with tomato-1.27-ND-9044MIPSR1-beta07-vpn3.6.rar. I have 2 questions.

    1. Under GUI of OpenVPN Server1, after clicking "Stop Now", the button does not refresh and remains "Stop Now". Can't start Server1 from GUI once stopped. Possible bug?

    2. What kind of throughput is everyone getting over OpenVPN? I'm only able to get 300-400KB/s. My download source is 10Mb/s Metro ethernet (from work). Home is 16/3Mb cable. I'm able to get 6-8Mb/s downloading without vpn, but I only see 3-4Mb/s at most over vpn. Any thoughts? QoS turned off/on, but didn't make any difference.
     
  94. teddy_bear

    teddy_bear Network Guru Member

    Does it actually stop the server? What does "ps" command show after you use "Stop Now" button?
     
  95. GavinP

    GavinP Network Guru Member

    Thanks for the feedback. I have done some experimentation and I am now using a Buffalo WHR-G54S as a dedicated VPN server (only uses 3 watts of power when on) with the following settings:

    AES-128-CBC encryption
    LZO Compression off
    wireless and any other unused services switched off

    push "redirect-gateway def1 bypass-dhcp bypass-dns"
    group nobody
    user nobody
    mssfix 1300
    persist-tun
    persist-key
    script-security 2
    keepalive 60 600
    fast-io
    mlock
    duplicate-cn
    chroot /tmp

    I used version 1.25vpn3.4 in the end as there seemed to be some issues with the VPN server task starting on the later versions (with just the WAN port connected). I have used the script supplied to run a scheduled task to check the VPN server is running every 30 minutes and it seems to be working fine.

    Thanks

    Gavin
     
  96. free2share

    free2share Networkin' Nut Member

    I'm new to this and do not know all the commands, but the vpn does not work as soon as I click on it. I assume that it stopped.

    I ssh in and type in ps and I see this.
    658 root 0 Z [vpnserver1]
     
  97. teddy_bear

    teddy_bear Network Guru Member

    That is the reason - the zombie process is still there. Probably because something works differently with kernel 2.6 and newer uClibc... I'll need to take a look. SgtPepper - do you have any idea about this?
     
  98. free2share

    free2share Networkin' Nut Member

    If I reboot the router, the openvpn server comes back.
    What command would I be able to issue to get the openvpn server running again without a reboot?
     
  99. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Hmmmm, not really. The backend calls
    Code:
    killall(&buffer[0], SIGTERM);
    and for good measure also later calls
    Code:
    killall(&buffer[0], SIGKILL);
    when the stop button is hit, so I'm not sure how it's sticking around.

    free2share,

    Could you ssh/telnet to the router and run
    Code:
    nvram set vpn_debug=2
    and try it again? Then could you post the router logs from that time period?
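    The "Z" in the ps output above and the SIGTERM/SIGKILL discussion are worth seeing side by side. The following is an added illustration (not Tomato's VPN backend code and not anything posted in this thread) of what a zombie entry means: a process marked Z has already exited, so sending it SIGTERM or SIGKILL succeeds (kill() returns 0, the pid still exists) but removes nothing, because there is no running code left to terminate. The only thing that clears the entry is the parent collecting the exit status with wait()/waitpid(). The demo is Linux-only (it reads /proc/<pid>/stat); the function names and the 5-second polling limit are this example's own choices.

```c
/* zombie_demo.c - why SIGTERM/SIGKILL cannot remove a process shown as 'Z'.
 * Added illustration, not the Tomato VPN backend. Linux-only: reads /proc. */
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Return the one-letter state from /proc/<pid>/stat ('Z' = zombie, 'S' = sleeping,
 * 'R' = running ...), or '?' if no such entry exists (already reaped or never existed). */
char proc_state(pid_t pid)
{
    char path[64], buf[512];
    snprintf(path, sizeof path, "/proc/%d/stat", (int)pid);
    FILE *f = fopen(path, "r");
    if (!f)
        return '?';
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    /* The state field follows the ')' that closes the comm field, which may contain spaces. */
    char *p = strrchr(buf, ')');
    if (!p || p[1] != ' ')
        return '?';
    return p[2];
}

/* Fork a child that exits at once. The parent deliberately does not wait(),
 * so the child lingers as a zombie: a dead process whose exit status nobody collected.
 * Returns the zombie's pid, or -1 on fork failure or if 'Z' never appears (~5 s). */
pid_t spawn_zombie(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0)
        _exit(0);                       /* child: exit immediately */
    for (int i = 0; i < 500; i++) {     /* parent: poll until the kernel marks it 'Z' */
        if (proc_state(pid) == 'Z')
            return pid;
        usleep(10000);
    }
    return -1;
}

/* Signal the zombie the way a stop routine would: SIGTERM, then SIGKILL for good measure.
 * Both calls report success (0) because the pid exists, yet the state stays 'Z'. */
int signal_zombie(pid_t pid)
{
    if (kill(pid, SIGTERM) != 0)
        return -1;
    return kill(pid, SIGKILL);
}

/* The only operation that removes a zombie: its parent collecting the exit status.
 * Returns 1 when the entry was reaped, 0 otherwise. */
int reap_zombie(pid_t pid)
{
    int status;
    return waitpid(pid, &status, 0) == pid ? 1 : 0;
}

int main(void)
{
    pid_t z = spawn_zombie();
    if (z < 0) {
        fprintf(stderr, "could not create a zombie child\n");
        return 1;
    }
    printf("pid %d state after exit:    %c\n", (int)z, proc_state(z));
    signal_zombie(z);
    usleep(50000);
    printf("pid %d state after SIGKILL: %c\n", (int)z, proc_state(z));
    reap_zombie(z);
    printf("pid %d state after waitpid: %c\n", (int)z, proc_state(z));
    return 0;
}
```

    Read against the thread: a vpnserver1 entry that is still Z after the stop button has sent both signals is not a process that refused to die; it is one that died and was never reaped by whatever process forked it. The diagnostic question is therefore which parent owns it (the PPID column of ps), not which signal to send.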
     
  100. free2share

    free2share Networkin' Nut Member

    From the start the GUI Stop Now and Start Now work, but later it doesn't.

    Server Running
    Code:
      827 root         0 Z    [vpnserver1]
      828 root      3020 S    /etc/openvpn/vpnserver1 --cd /etc/openvpn/server1 --c
    
    Code:
    Mar 30 15:26:05 OpenVPN1 user.info init[1]: VPN_LOG_INFO: 891: VPN GUI server backend complete.
    Mar 30 15:26:13 OpenVPN1 user.info init[1]: VPN_LOG_INFO: 900: Stopping VPN GUI server backend.
    Mar 30 15:26:13 OpenVPN1 user.info init[1]: VPN_LOG_EXTRA: 903: Removing cron job
    Mar 30 15:26:13 OpenVPN1 user.info init[1]: VPN_LOG_EXTRA: 910: Done removing cron job
    Mar 30 15:26:13 OpenVPN1 user.info init[1]: VPN_LOG_EXTRA: 913: Removing firewall rules.
    Mar 30 15:26:13 OpenVPN1 user.info init[1]: VPN_LOG_EXTRA: 926: Done removing firewall rules.
    Mar 30 15:26:13 OpenVPN1 user.info init[1]: VPN_LOG_EXTRA: 929: Stopping OpenVPN server.
    Mar 30 15:26:13 OpenVPN1 daemon.notice openvpn[771]: TCP/UDP: Closing socket
    Mar 30 15:26:13 OpenVPN1 daemon.notice openvpn[771]: /sbin/route del -net 10.8.1.0 netmask 255.255.255.0
    Mar 30 15:26:13 OpenVPN1 daemon.notice openvpn[771]: /sbin/route del -net 192.168.10.0 netmask 255.255.255.0
    Mar 30 15:26:13 OpenVPN1 daemon.notice openvpn[771]: /sbin/route del -net 192.168.5.0 netmask 255.255.255.0
    Mar 30 15:26:13 OpenVPN1 daemon.notice openvpn[771]: Closing TUN/TAP interface
    Mar 30 15:26:13 OpenVPN1 daemon.notice openvpn[771]: /sbin/ifconfig tun21 0.0.0.0
    Mar 30 15:26:13 OpenVPN1 daemon.notice openvpn[771]: SIGTERM[hard,] received, process exiting
    Mar 30 15:26:13 OpenVPN1 user.info init[1]: VPN_LOG_EXTRA: 932: OpenVPN server stopped.
    Mar 30 15:26:13 OpenVPN1 user.info init[1]: VPN_LOG_EXTRA: 935: Removing VPN device.
    Mar 30 15:26:14 OpenVPN1 user.info init[1]: VPN_LOG_EXTRA: 943: VPN device removed.
    Mar 30 15:26:14 OpenVPN1 user.info init[1]: VPN_LOG_EXTRA: 949: Removing generated files.
    Mar 30 15:26:14 OpenVPN1 user.info init[1]: VPN_LOG_EXTRA: 958: Done removing generated files.
    Mar 30 15:26:14 OpenVPN1 user.info init[1]: VPN_LOG_EXTRA: 964: Killing OpenVPN client.
    Mar 30 15:26:14 OpenVPN1 user.info init[1]: VPN_LOG_EXTRA: 967: OpenVPN server killed.
    Mar 30 15:26:14 OpenVPN1 user.info init[1]: VPN_LOG_INFO: 969: VPN GUI server backend stopped.
    Mar 30 15:26:21 OpenVPN1 user.info init[1]: VPN_LOG_INFO: 463: VPN GUI server backend starting...
    Mar 30 15:26:21 OpenVPN1 user.info kernel: tun: Universal TUN/TAP device driver, 1.6
    Mar 30 15:26:21 OpenVPN1 user.info kernel: tun: (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>
    Mar 30 15:26:21 OpenVPN1 user.info kernel: device tun21 entered promiscuous mode
    Mar 30 15:26:21 OpenVPN1 user.info init[1]: VPN_LOG_EXTRA: 558: Writing config file
    Mar 30 15:26:21 OpenVPN1 user.info init[1]: VPN_LOG_EXTRA: 651: CCD: enabled: 1
    Mar 30 15:26:21 OpenVPN1 user.info init[1]: VPN_LOG_EXTRA: 662: CCD: Common name: VPN-01
    Mar 30 15:26:21 OpenVPN1 user.info init[1]: VPN_LOG_EXTRA: 674: CCD: Route: 192.168.5.0 255.255.255.0
    Mar 30 15:26:21 OpenVPN1 user.info init[1]: VPN_LOG_EXTRA: 689: CCD: Push: 1
    Mar 30 15:26:21 OpenVPN1 user.info init[1]: VPN_LOG_EXTRA: 697: CCD leftover: 0
    Mar 30 15:26:21 OpenVPN1 user.info init[1]: VPN_LOG_EXTRA: 651: CCD: enabled: 1
    Mar 30 15:26:21 OpenVPN1 user.info init[1]: VPN_LOG_EXTRA: 662: CCD: Common name: VPN-02
    Mar 30 15:26:21 OpenVPN1 user.info init[1]: VPN_LOG_EXTRA: 674: CCD: Route: 192.168.10.0 255.255.255.0
    Mar 30 15:26:21 OpenVPN1 user.info init[1]: VPN_LOG_EXTRA: 689: CCD: Push: 1
    Mar 30 15:26:21 OpenVPN1 user.info init[1]: VPN_LOG_EXTRA: 697: CCD leftover: 0
    Mar 30 15:26:21 OpenVPN1 user.info init[1]: VPN_LOG_EXTRA: 702: CCD processing complete
    Mar 30 15:26:21 OpenVPN1 user.info init[1]: VPN_LOG_EXTRA: 759: Done writing config file
    Mar 30 15:26:21 OpenVPN1 user.info init[1]: VPN_LOG_EXTRA: 762: Writing certs/keys
    Mar 30 15:26:21 OpenVPN1 user.info init[1]: VPN_LOG_EXTRA: 823: Done writing certs/keys
    Mar 30 15:26:21 OpenVPN1 user.info init[1]: VPN_LOG_INFO: 826: Starting OpenVPN: /etc/openvpn/vpnserver1 --cd /etc/openvpn/server1 --config config.ovpn
    Mar 30 15:26:21 OpenVPN1 daemon.notice openvpn[822]: OpenVPN 2.1.1 mipsel-unknown-linux-gnu [SSL] [LZO2] built on Mar  3 2010
    Mar 30 15:26:21 OpenVPN1 daemon.warn openvpn[822]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Mar 30 15:26:22 OpenVPN1 daemon.notice openvpn[822]: Diffie-Hellman initialized with 1024 bit key
    Mar 30 15:26:22 OpenVPN1 daemon.notice openvpn[822]: TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Mar 30 15:26:22 OpenVPN1 daemon.notice openvpn[822]: TUN/TAP device tun21 opened
    Mar 30 15:26:22 OpenVPN1 daemon.notice openvpn[822]: TUN/TAP TX queue length set to 100
    Mar 30 15:26:22 OpenVPN1 daemon.notice openvpn[822]: /sbin/ifconfig tun21 10.8.1.1 pointopoint 10.8.1.2 mtu 1500
    Mar 30 15:26:22 OpenVPN1 daemon.notice openvpn[822]: /sbin/route add -net 192.168.5.0 netmask 255.255.255.0 gw 10.8.1.2
    Mar 30 15:26:22 OpenVPN1 daemon.notice openvpn[822]: /sbin/route add -net 192.168.10.0 netmask 255.255.255.0 gw 10.8.1.2
    Mar 30 15:26:22 OpenVPN1 daemon.notice openvpn[822]: /sbin/route add -net 10.8.1.0 netmask 255.255.255.0 gw 10.8.1.2
    Mar 30 15:26:22 OpenVPN1 daemon.notice openvpn[822]: Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
    Mar 30 15:26:22 OpenVPN1 daemon.notice openvpn[828]: Socket Buffers: R=[110592->131072] S=[110592->131072]
    Mar 30 15:26:22 OpenVPN1 daemon.notice openvpn[828]: UDPv4 link local (bound): [undef]:1194
    Mar 30 15:26:22 OpenVPN1 daemon.notice openvpn[828]: UDPv4 link remote: [undef]
    Mar 30 15:26:22 OpenVPN1 daemon.notice openvpn[828]: MULTI: multi_init called, r=256 v=256
    Mar 30 15:26:22 OpenVPN1 user.info init[1]: VPN_LOG_EXTRA: 834: Done starting openvpn
    Mar 30 15:26:22 OpenVPN1 user.info init[1]: VPN_LOG_EXTRA: 841: Creating firewall rules
    Mar 30 15:26:22 OpenVPN1 user.info init[1]: VPN_LOG_EXTRA: 864: Done creating firewall rules
    Mar 30 15:26:22 OpenVPN1 user.info init[1]: VPN_LOG_EXTRA: 867: Running firewall rules
    Mar 30 15:26:22 OpenVPN1 daemon.notice openvpn[828]: IFCONFIG POOL: base=10.8.1.4 size=62
    Mar 30 15:26:22 OpenVPN1 daemon.notice openvpn[828]: IFCONFIG POOL LIST
    Mar 30 15:26:22 OpenVPN1 daemon.notice openvpn[828]: Initialization Sequence Completed
    Mar 30 15:26:22 OpenVPN1 user.info init[1]: VPN_LOG_EXTRA: 872: Done running firewall rules
    Mar 30 15:26:22 OpenVPN1 user.info init[1]: VPN_LOG_INFO: 891: VPN GUI server backend complete.
    Mar 30 15:26:43 OpenVPN1 daemon.notice openvpn[828]: MULTI: multi_create_instance called
    Mar 30 15:26:43 OpenVPN1 daemon.notice openvpn[828]: 66.104.x.xxx:14003 Re-using SSL/TLS context
    Mar 30 15:26:43 OpenVPN1 daemon.notice openvpn[828]: 66.104.x.xxx:14003 LZO compression initialized
    Mar 30 15:26:43 OpenVPN1 daemon.notice openvpn[828]: 66.104.x.xxx:14003 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Mar 30 15:26:43 OpenVPN1 daemon.notice openvpn[828]: 66.104.x.xxx:14003 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
    Mar 30 15:26:43 OpenVPN1 daemon.notice openvpn[828]: 66.104.x.xxx:14003 TLS: Initial packet from 66.104.x.xxx:14003, sid=1ee3cf28 ecd16e9f
    Mar 30 15:26:43 OpenVPN1 daemon.notice openvpn[828]: MULTI: multi_create_instance called
    Mar 30 15:26:43 OpenVPN1 daemon.notice openvpn[828]: 65.78.xx.xxx:1255 Re-using SSL/TLS context
    Mar 30 15:26:43 OpenVPN1 daemon.notice openvpn[828]: 65.78.xx.xxx:1255 LZO compression initialized
    Mar 30 15:26:43 OpenVPN1 daemon.notice openvpn[828]: 65.78.xx.xxx:1255 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Mar 30 15:26:43 OpenVPN1 daemon.notice openvpn[828]: 65.78.xx.xxx:1255 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
    Mar 30 15:26:43 OpenVPN1 daemon.notice openvpn[828]: 65.78.xx.xxx:1255 TLS: Initial packet from 65.78.xx.xxx:1255, sid=9568f6ea 6c172d5c
    Mar 30 15:26:44 OpenVPN1 daemon.notice openvpn[828]: MULTI: multi_create_instance called
    Mar 30 15:26:44 OpenVPN1 daemon.notice openvpn[828]: 98.141.190.198:1046 Re-using SSL/TLS context
    Mar 30 15:26:44 OpenVPN1 daemon.notice openvpn[828]: 98.141.190.198:1046 LZO compression initialized
    Mar 30 15:26:44 OpenVPN1 daemon.notice openvpn[828]: 98.141.190.198:1046 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Mar 30 15:26:44 OpenVPN1 daemon.notice openvpn[828]: 98.141.190.198:1046 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
    Mar 30 15:26:44 OpenVPN1 daemon.notice openvpn[828]: 98.141.190.198:1046 TLS: Initial packet from 98.141.190.198:1046, sid=0b65b08a efed81e0
    Mar 30 15:26:44 OpenVPN1 daemon.notice openvpn[828]: 66.104.x.xxx:14003 VERIFY OK: depth=1, /C=US/ST=PA/L=phl/O=MOFOs/CN=Administrator/Email=xxx@gmail.com
    Mar 30 15:26:44 OpenVPN1 daemon.notice openvpn[828]: 66.104.x.xxx:14003 VERIFY OK: depth=0, /C=US/ST=PA/O=MOFOs/CN=VPN-03/Email=xxx@gmail.com
    Mar 30 15:26:46 OpenVPN1 daemon.notice openvpn[828]: 66.104.x.xxx:14003 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Mar 30 15:26:46 OpenVPN1 daemon.notice openvpn[828]: 66.104.x.xxx:14003 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Mar 30 15:26:46 OpenVPN1 daemon.notice openvpn[828]: 66.104.x.xxx:14003 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Mar 30 15:26:46 OpenVPN1 daemon.notice openvpn[828]: 66.104.x.xxx:14003 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Mar 30 15:26:46 OpenVPN1 daemon.notice openvpn[828]: 66.104.x.xxx:14003 Control Channel: TLSv1, cipher TLSv1/SSLv3 EDH-RSA-DES-CBC3-SHA, 1024 bit RSA
    Mar 30 15:26:46 OpenVPN1 daemon.notice openvpn[828]: 66.104.x.xxx:14003 [VPN-03] Peer Connection Initiated with 66.104.x.xxx:14003
    Mar 30 15:26:46 OpenVPN1 daemon.notice openvpn[828]: VPN-03/66.104.x.xxx:14003 MULTI: Learn: 10.8.1.6 -> VPN-03/66.104.x.xxx:14003
    Mar 30 15:26:46 OpenVPN1 daemon.notice openvpn[828]: VPN-03/66.104.x.xxx:14003 MULTI: primary virtual IP for VPN-03/66.104.x.xxx:14003: 10.8.1.6
    Mar 30 15:26:46 OpenVPN1 daemon.notice openvpn[828]: 65.78.xx.xxx:1255 VERIFY OK: depth=1, /C=US/ST=PA/L=phl/O=MOFOs/CN=Administrator/Email=xxx@gmail.com
    Mar 30 15:26:46 OpenVPN1 daemon.notice openvpn[828]: 65.78.xx.xxx:1255 VERIFY OK: depth=0, /C=US/ST=PA/O=MOFOs/CN=VPN-01/Email=xxx@gmail.com
    Mar 30 15:26:46 OpenVPN1 daemon.notice openvpn[828]: 65.78.xx.xxx:1255 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Mar 30 15:26:46 OpenVPN1 daemon.notice openvpn[828]: 65.78.xx.xxx:1255 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Mar 30 15:26:46 OpenVPN1 daemon.notice openvpn[828]: 65.78.xx.xxx:1255 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Mar 30 15:26:46 OpenVPN1 daemon.notice openvpn[828]: 65.78.xx.xxx:1255 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    After about 10 mins GUI button doesn't work

    Code:
      827 root         0 Z    [vpnserver1]
      828 root         0 Z    [vpnserver1]
    
    Code:
    Mar 30 15:26:22 OpenVPN1 daemon.notice openvpn[822]: /sbin/route add -net 192.168.5.0 netmask 255.255.255.0 gw 10.8.1.2
    Mar 30 15:26:22 OpenVPN1 daemon.notice openvpn[822]: /sbin/route add -net 192.168.10.0 netmask 255.255.255.0 gw 10.8.1.2
    Mar 30 15:26:22 OpenVPN1 daemon.notice openvpn[822]: /sbin/route add -net 10.8.1.0 netmask 255.255.255.0 gw 10.8.1.2
    Mar 30 15:26:22 OpenVPN1 daemon.notice openvpn[822]: Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
    Mar 30 15:26:22 OpenVPN1 daemon.notice openvpn[828]: Socket Buffers: R=[110592->131072] S=[110592->131072]
    Mar 30 15:26:22 OpenVPN1 daemon.notice openvpn[828]: UDPv4 link local (bound): [undef]:1194
    Mar 30 15:26:22 OpenVPN1 daemon.notice openvpn[828]: UDPv4 link remote: [undef]
    Mar 30 15:26:22 OpenVPN1 daemon.notice openvpn[828]: MULTI: multi_init called, r=256 v=256
    Mar 30 15:26:22 OpenVPN1 user.info init[1]: VPN_LOG_EXTRA: 834: Done starting openvpn
    Mar 30 15:26:22 OpenVPN1 user.info init[1]: VPN_LOG_EXTRA: 841: Creating firewall rules
    Mar 30 15:26:22 OpenVPN1 user.info init[1]: VPN_LOG_EXTRA: 864: Done creating firewall rules
    Mar 30 15:26:22 OpenVPN1 user.info init[1]: VPN_LOG_EXTRA: 867: Running firewall rules
    Mar 30 15:26:22 OpenVPN1 daemon.notice openvpn[828]: IFCONFIG POOL: base=10.8.1.4 size=62
    Mar 30 15:26:22 OpenVPN1 daemon.notice openvpn[828]: IFCONFIG POOL LIST
    Mar 30 15:26:22 OpenVPN1 daemon.notice openvpn[828]: Initialization Sequence Completed
    Mar 30 15:26:22 OpenVPN1 user.info init[1]: VPN_LOG_EXTRA: 872: Done running firewall rules
    Mar 30 15:26:22 OpenVPN1 user.info init[1]: VPN_LOG_INFO: 891: VPN GUI server backend complete.
    Mar 30 15:26:43 OpenVPN1 daemon.notice openvpn[828]: MULTI: multi_create_instance called
    Mar 30 15:26:43 OpenVPN1 daemon.notice openvpn[828]: 66.104.x.xxx:14003 Re-using SSL/TLS context
    Mar 30 15:26:43 OpenVPN1 daemon.notice openvpn[828]: 66.104.x.xxx:14003 LZO compression initialized
    Mar 30 15:26:43 OpenVPN1 daemon.notice openvpn[828]: 66.104.x.xxx:14003 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Mar 30 15:26:43 OpenVPN1 daemon.notice openvpn[828]: 66.104.x.xxx:14003 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
    Mar 30 15:26:43 OpenVPN1 daemon.notice openvpn[828]: 66.104.x.xxx:14003 TLS: Initial packet from 66.104.x.xxx:14003, sid=1ee3cf28 ecd16e9f
    Mar 30 15:26:43 OpenVPN1 daemon.notice openvpn[828]: MULTI: multi_create_instance called
    Mar 30 15:26:43 OpenVPN1 daemon.notice openvpn[828]: 65.78.xx.xxx:1255 Re-using SSL/TLS context
    Mar 30 15:26:43 OpenVPN1 daemon.notice openvpn[828]: 65.78.xx.xxx:1255 LZO compression initialized
    Mar 30 15:26:43 OpenVPN1 daemon.notice openvpn[828]: 65.78.xx.xxx:1255 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Mar 30 15:26:43 OpenVPN1 daemon.notice openvpn[828]: 65.78.xx.xxx:1255 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
    Mar 30 15:26:43 OpenVPN1 daemon.notice openvpn[828]: 65.78.xx.xxx:1255 TLS: Initial packet from 65.78.xx.xxx:1255, sid=9568f6ea 6c172d5c
    Mar 30 15:26:44 OpenVPN1 daemon.notice openvpn[828]: MULTI: multi_create_instance called
    Mar 30 15:26:44 OpenVPN1 daemon.notice openvpn[828]: 98.141.xxx.xxx:1046 Re-using SSL/TLS context
    Mar 30 15:26:44 OpenVPN1 daemon.notice openvpn[828]: 98.141.xxx.xxx:1046 LZO compression initialized
    Mar 30 15:26:44 OpenVPN1 daemon.notice openvpn[828]: 98.141.xxx.xxx:1046 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Mar 30 15:26:44 OpenVPN1 daemon.notice openvpn[828]: 98.141.xxx.xxx:1046 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
    Mar 30 15:26:44 OpenVPN1 daemon.notice openvpn[828]: 98.141.xxx.xxx:1046 TLS: Initial packet from 98.141.xxx.xxx:1046, sid=0b65b08a efed81e0
    Mar 30 15:26:44 OpenVPN1 daemon.notice openvpn[828]: 66.104.x.xxx:14003 VERIFY OK: depth=1, /C=US/ST=PA/L=Philadelphia/O=MOFOs/CN=Administrator/Email=xxx@gmail.com
    Mar 30 15:26:44 OpenVPN1 daemon.notice openvpn[828]: 66.104.x.xxx:14003 VERIFY OK: depth=0, /C=US/ST=PA/O=MOFOs/CN=VPN-03/Email=xxx@gmail.com
    Mar 30 15:26:46 OpenVPN1 daemon.notice openvpn[828]: 66.104.x.xxx:14003 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Mar 30 15:26:46 OpenVPN1 daemon.notice openvpn[828]: 66.104.x.xxx:14003 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Mar 30 15:26:46 OpenVPN1 daemon.notice openvpn[828]: 66.104.x.xxx:14003 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Mar 30 15:26:46 OpenVPN1 daemon.notice openvpn[828]: 66.104.x.xxx:14003 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Mar 30 15:26:46 OpenVPN1 daemon.notice openvpn[828]: 66.104.x.xxx:14003 Control Channel: TLSv1, cipher TLSv1/SSLv3 EDH-RSA-DES-CBC3-SHA, 1024 bit RSA
    Mar 30 15:26:46 OpenVPN1 daemon.notice openvpn[828]: 66.104.x.xxx:14003 [VPN-03] Peer Connection Initiated with 66.104.x.xxx:14003
    Mar 30 15:26:46 OpenVPN1 daemon.notice openvpn[828]: VPN-03/66.104.x.xxx:14003 MULTI: Learn: 10.8.1.6 -> VPN-03/66.104.x.xxx:14003
    Mar 30 15:26:46 OpenVPN1 daemon.notice openvpn[828]: VPN-03/66.104.x.xxx:14003 MULTI: primary virtual IP for VPN-03/66.104.x.xxx:14003: 10.8.1.6
    Mar 30 15:26:46 OpenVPN1 daemon.notice openvpn[828]: 65.78.xx.xxx:1255 VERIFY OK: depth=1, /C=US/ST=PA/L=Philadelphia/O=MOFOs/CN=Administrator/Email=xxx@gmail.com
    Mar 30 15:26:46 OpenVPN1 daemon.notice openvpn[828]: 65.78.xx.xxx:1255 VERIFY OK: depth=0, /C=US/ST=PA/O=MOFOs/CN=VPN-01/Email=xxx@gmail.com
    Mar 30 15:26:46 OpenVPN1 daemon.notice openvpn[828]: 65.78.xx.xxx:1255 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Mar 30 15:26:46 OpenVPN1 daemon.notice openvpn[828]: 65.78.xx.xxx:1255 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Mar 30 15:26:46 OpenVPN1 daemon.notice openvpn[828]: 65.78.xx.xxx:1255 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Mar 30 15:26:46 OpenVPN1 daemon.notice openvpn[828]: 65.78.xx.xxx:1255 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Mar 30 15:26:46 OpenVPN1 daemon.notice openvpn[828]: 65.78.xx.xxx:1255 Control Channel: TLSv1, cipher TLSv1/SSLv3 EDH-RSA-DES-CBC3-SHA, 1024 bit RSA
    Mar 30 15:26:46 OpenVPN1 daemon.notice openvpn[828]: 65.78.xx.xxx:1255 [VPN-01] Peer Connection Initiated with 65.78.xx.xxx:1255
    Mar 30 15:26:46 OpenVPN1 daemon.notice openvpn[828]: VPN-01/65.78.xx.xxx:1255 OPTIONS IMPORT: reading client specific options from: ccd/VPN-01
    Mar 30 15:26:46 OpenVPN1 daemon.notice openvpn[828]: VPN-01/65.78.xx.xxx:1255 MULTI: Learn: 10.8.1.10 -> VPN-01/65.78.xx.xxx:1255
    Mar 30 15:26:46 OpenVPN1 daemon.notice openvpn[828]: VPN-01/65.78.xx.xxx:1255 MULTI: primary virtual IP for VPN-01/65.78.xx.xxx:1255: 10.8.1.10
    Mar 30 15:26:46 OpenVPN1 daemon.notice openvpn[828]: VPN-01/65.78.xx.xxx:1255 MULTI: internal route 192.168.5.0/24 -> VPN-01/65.78.xx.xxx:1255
    Mar 30 15:26:46 OpenVPN1 daemon.notice openvpn[828]: VPN-01/65.78.xx.xxx:1255 MULTI: Learn: 192.168.5.0/24 -> VPN-01/65.78.xx.xxx:1255
    Mar 30 15:26:46 OpenVPN1 daemon.notice openvpn[828]: VPN-01/65.78.xx.xxx:1255 REMOVE PUSH ROUTE: 'route 192.168.5.0 255.255.255.0'
    Mar 30 15:26:47 OpenVPN1 daemon.notice openvpn[828]: VPN-03/66.104.x.xxx:14003 PUSH: Received control message: 'PUSH_REQUEST'
    Mar 30 15:26:47 OpenVPN1 daemon.notice openvpn[828]: VPN-03/66.104.x.xxx:14003 SENT CONTROL [VPN-03]: 'PUSH_REPLY,route 10.10.10.0 255.255.255.0,route 192.168.5.0 255.255.255.0,route 192.168.10.0 255.255.255.0,route 10.8.1.0 255.255.255.0,topology net30,ping 15,ping
    Mar 30 15:26:49 OpenVPN1 daemon.notice openvpn[828]: 98.141.xxx.xxx:1046 VERIFY OK: depth=1, /C=US/ST=PA/L=Phil/O=MOFOs/CN=Administrator/Email=xxx@gmail.com
    Mar 30 15:26:49 OpenVPN1 daemon.notice openvpn[828]: 98.141.xxx.xxx:1046 VERIFY OK: depth=0, /C=US/ST=PA/O=MOFOs/CN=VPN-02/Email=xxx@gmail.com
    Mar 30 15:26:49 OpenVPN1 daemon.notice openvpn[828]: VPN-01/65.78.xx.xxx:1255 PUSH: Received control message: 'PUSH_REQUEST'
    Mar 30 15:26:49 OpenVPN1 daemon.notice openvpn[828]: VPN-01/65.78.xx.xxx:1255 SENT CONTROL [VPN-01]: 'PUSH_REPLY,route 10.10.10.0 255.255.255.0,route 192.168.10.0 255.255.255.0,route 10.8.1.0 255.255.255.0,topology net30,ping 15,ping-restart 60,ifconfig 10.8.1.10 10.8.1
    Mar 30 15:26:49 OpenVPN1 daemon.notice openvpn[828]: 98.141.xxx.xxx:1046 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Mar 30 15:26:49 OpenVPN1 daemon.notice openvpn[828]: 98.141.xxx.xxx:1046 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Mar 30 15:26:49 OpenVPN1 daemon.notice openvpn[828]: 98.141.xxx.xxx:1046 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Mar 30 15:26:49 OpenVPN1 daemon.notice openvpn[828]: 98.141.xxx.xxx:1046 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Mar 30 15:26:49 OpenVPN1 daemon.notice openvpn[828]: 98.141.xxx.xxx:1046 Control Channel: TLSv1, cipher TLSv1/SSLv3 EDH-RSA-DES-CBC3-SHA, 1024 bit RSA
    Mar 30 15:26:49 OpenVPN1 daemon.notice openvpn[828]: 98.141.xxx.xxx:1046 [VPN-02] Peer Connection Initiated with 98.141.xxx.xxx:1046
    Mar 30 15:26:49 OpenVPN1 daemon.notice openvpn[828]: VPN-02/98.141.xxx.xxx:1046 OPTIONS IMPORT: reading client specific options from: ccd/VPN-02
    Mar 30 15:26:49 OpenVPN1 daemon.notice openvpn[828]: VPN-02/98.141.xxx.xxx:1046 MULTI: Learn: 10.8.1.14 -> VPN-02/98.141.xxx.xxx:1046
    Mar 30 15:26:49 OpenVPN1 daemon.notice openvpn[828]: VPN-02/98.141.xxx.xxx:1046 MULTI: primary virtual IP for VPN-02/98.141.xxx.xxx:1046: 10.8.1.14
    Mar 30 15:26:49 OpenVPN1 daemon.notice openvpn[828]: VPN-02/98.141.xxx.xxx:1046 MULTI: internal route 192.168.10.0/24 -> VPN-02/98.141.xxx.xxx:1046
    Mar 30 15:26:49 OpenVPN1 daemon.notice openvpn[828]: VPN-02/98.141.xxx.xxx:1046 MULTI: Learn: 192.168.10.0/24 -> VPN-02/98.141.xxx.xxx:1046
    Mar 30 15:26:49 OpenVPN1 daemon.notice openvpn[828]: VPN-02/98.141.xxx.xxx:1046 REMOVE PUSH ROUTE: 'route 192.168.10.0 255.255.255.0'
    Mar 30 15:26:52 OpenVPN1 daemon.notice openvpn[828]: VPN-02/98.141.xxx.xxx:1046 PUSH: Received control message: 'PUSH_REQUEST'
    Mar 30 15:26:52 OpenVPN1 daemon.notice openvpn[828]: VPN-02/98.141.xxx.xxx:1046 SENT CONTROL [VPN-02]: 'PUSH_REPLY,route 10.10.10.0 255.255.255.0,route 192.168.5.0 255.255.255.0,route 10.8.1.0 255.255.255.0,topology net30,ping 15,ping-restart 60,ifconfig 10.8.1.14 10.8.1.
    Mar 30 15:39:05 OpenVPN1 user.info init[1]: VPN_LOG_INFO: 900: Stopping VPN GUI server backend.
    Mar 30 15:39:05 OpenVPN1 user.info init[1]: VPN_LOG_EXTRA: 903: Removing cron job
    Mar 30 15:39:06 OpenVPN1 user.info init[1]: VPN_LOG_EXTRA: 910: Done removing cron job
    Mar 30 15:39:06 OpenVPN1 user.info init[1]: VPN_LOG_EXTRA: 913: Removing firewall rules.
    Mar 30 15:39:06 OpenVPN1 user.info init[1]: VPN_LOG_EXTRA: 926: Done removing firewall rules.
    Mar 30 15:39:06 OpenVPN1 user.info init[1]: VPN_LOG_EXTRA: 929: Stopping OpenVPN server.
    Mar 30 15:39:06 OpenVPN1 daemon.notice openvpn[828]: TCP/UDP: Closing socket
    Mar 30 15:39:06 OpenVPN1 daemon.notice openvpn[828]: /sbin/route del -net 10.8.1.0 netmask 255.255.255.0
    Mar 30 15:39:06 OpenVPN1 daemon.notice openvpn[828]: /sbin/route del -net 192.168.10.0 netmask 255.255.255.0
    Mar 30 15:39:06 OpenVPN1 daemon.notice openvpn[828]: /sbin/route del -net 192.168.5.0 netmask 255.255.255.0
    Mar 30 15:39:06 OpenVPN1 user.info init[1]: VPN_LOG_EXTRA: 932: OpenVPN server stopped.
    Mar 30 15:39:06 OpenVPN1 user.info init[1]: VPN_LOG_EXTRA: 935: Removing VPN device.
    Mar 30 15:39:06 OpenVPN1 daemon.notice openvpn[828]: Closing TUN/TAP interface
    Mar 30 15:39:06 OpenVPN1 daemon.notice openvpn[828]: /sbin/ifconfig tun21 0.0.0.0
    Mar 30 15:39:06 OpenVPN1 daemon.notice openvpn[828]: SIGTERM[hard,] received, process exiting
    Mar 30 15:39:06 OpenVPN1 user.info init[1]: VPN_LOG_EXTRA: 943: VPN device removed.
    Mar 30 15:39:06 OpenVPN1 user.info init[1]: VPN_LOG_EXTRA: 949: Removing generated files.
    Mar 30 15:39:06 OpenVPN1 user.info init[1]: VPN_LOG_EXTRA: 958: Done removing generated files.
    Mar 30 15:39:06 OpenVPN1 user.info init[1]: VPN_LOG_EXTRA: 964: Killing OpenVPN client.
    Mar 30 15:39:06 OpenVPN1 user.info init[1]: VPN_LOG_EXTRA: 967: OpenVPN server killed.
    Mar 30 15:39:06 OpenVPN1 user.info init[1]: VPN_LOG_INFO: 969: VPN GUI server backend stopped.
    
     
