
VPN build with Web GUI

Discussion in 'Tomato Firmware' started by SgtPepperKSU, Oct 10, 2008.

  1. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Well, those logs show the "Stop" code running to completion (including the SIGKILL call), so I'm not sure what's causing your issue. Though, since it appears to be specific to teddy_bear's build (as he said, there must be something different with the upgraded kernel or uClibc), I'm afraid I can't be of much more help.
     
  2. free2share

    free2share Networkin' Nut Member

    I just got an RT-N16 and flashed it with tomato-1.27-NDUSB-9044MIPSR2-beta07-vpn3.6. I'm able to stop and start the OpenVPN server without a problem. I think it's specific to the tomato-1.27-ND-9044MIPSR1-beta07-vpn3.6 firmware on the WRT54G-TM.

    Hope this helps.
     
  3. teddy_bear

    teddy_bear Network Guru Member

    Ok, I was able to reproduce the issue with MIPSR2 K26 builds as well. Here's what's happening...

    Immediately after start_vpnserver() is called from the web GUI, there are 2 vpnserverN processes in the list, one of them being zombie:
    Code:
      827 root         0 Z    [vpnserver1]
      828 root      3020 S    /etc/openvpn/vpnserver1 --cd /etc/openvpn/server1 --c
    
    Then, after stop_vpnserver() call, the normal vpnserver process dies but the zombie stays. The issue only affects vpn processes started from the web GUI (in httpd process context) - when server is started with WAN from init, no zombies appear. Killing and restarting httpd removes zombies.

    Changing the _eval() call to pass &pid parameter instead of NULL (indicating no wait) takes care of the first zombie - there's only one server process after using "Start Now" button from GUI. However, this process becomes zombie after trying to kill it via "Stop Now" button. Reaping zombies via waitpid() call after killing it takes care of that too.

    The situation with client is exactly the same.

    Attached is the proposed patch - it fixes the problem with K26 builds, and should have no negative effect on K24 builds either. In addition to the above tricks, it simplifies the stop_vpnserver/vpnclient methods a bit by using Tomato's killall_tk() function that calls killall() twice - with SIGTERM, and then with SIGKILL.

    SgtPepper, unless you tell me that there's something fundamentally wrong with this patch, I'm going to use it in my next build. Maybe you can apply some variation of it to your mainstream code, so I won't clash with your future changes.
     

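The zombie-and-reap behaviour described in the post above, as an added example that is not teddy_bear's patch or Tomato's code: a child daemon is started with fork()/exec and its pid kept (the equivalent of calling _eval() with &pid rather than NULL), stopped killall_tk-style with SIGTERM then SIGKILL, and finally reaped with waitpid(). The is_zombie() helper is hypothetical and reads /proc, so it is Linux-specific; `sleep 3600` stands in for /etc/openvpn/vpnserverN.

```c
/* Added example, not teddy_bear's patch or Tomato's code.
 * Shows the failure mode from the post: a child that is killed but never
 * waited for stays a zombie (state Z, "[vpnserver1]" in ps) until the
 * parent (httpd in Tomato's case) exits. Keeping the pid at start time and
 * calling waitpid() after the SIGTERM/SIGKILL pair removes it.
 * Assumptions: POSIX fork/exec; is_zombie() reads /proc, so it is Linux
 * specific; "sleep 3600" stands in for /etc/openvpn/vpnserverN. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

static void sleep_ms(int ms)
{
    struct timespec ts = { .tv_sec = ms / 1000,
                           .tv_nsec = (long)(ms % 1000) * 1000000L };
    nanosleep(&ts, NULL);
}

/* Start the long-running child and hand back its pid, the equivalent of
 * calling _eval() with &pid instead of NULL. Returns -1 on fork failure. */
pid_t start_server(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* child: stand-in for the VPN daemon */
        execlp("sleep", "sleep", "3600", (char *)NULL);
        _exit(127);                    /* exec failed: exit (and become a zombie) */
    }
    return pid;
}

/* Report whether pid currently exists as a zombie (state 'Z' in
 * /proc/<pid>/stat). 0 means running, already reaped, or not Linux. */
int is_zombie(pid_t pid)
{
    char path[64], line[512], state = '?';
    snprintf(path, sizeof path, "/proc/%d/stat", (int)pid);
    FILE *f = fopen(path, "r");
    if (!f)
        return 0;                      /* no /proc entry: reaped or never existed */
    if (fgets(line, sizeof line, f)) {
        /* "pid (comm) S ..." -- comm may contain spaces, so scan after the last ')' */
        char *p = strrchr(line, ')');
        if (!p || sscanf(p + 1, " %c", &state) != 1)
            state = '?';
    }
    fclose(f);
    return state == 'Z';
}

/* Poll for up to max_ms until pid turns into a zombie; 1 if it did. */
int wait_for_zombie(pid_t pid, int max_ms)
{
    for (int waited = 0; waited < max_ms; waited += 20) {
        if (is_zombie(pid))
            return 1;
        sleep_ms(20);
    }
    return is_zombie(pid);
}

/* killall_tk()-style stop (SIGTERM, grace period, SIGKILL) followed by the
 * step the original code lacked: waitpid() to reap the child. The kill()
 * calls alone leave a zombie behind; the reap is what clears it.
 * Returns 0 when the child has been reaped, -1 otherwise. */
int stop_server(pid_t pid)
{
    int status;
    pid_t r;
    if (kill(pid, SIGTERM) < 0 && errno != ESRCH)
        return -1;
    sleep_ms(200);
    if (kill(pid, 0) == 0)             /* still present (alive or zombie) */
        kill(pid, SIGKILL);            /* harmless on a zombie */
    do {
        r = waitpid(pid, &status, 0);  /* this is what removes the Z entry */
    } while (r < 0 && errno == EINTR);
    return r == pid ? 0 : -1;
}

int main(void)
{
    pid_t pid = start_server();
    if (pid < 0) {
        perror("fork");
        return 1;
    }
    printf("started child %d\n", (int)pid);
    kill(pid, SIGTERM);                /* what "Stop Now" did: kill, no wait */
    printf("after SIGTERM without waitpid: zombie=%d\n",
           wait_for_zombie(pid, 2000));
    printf("stop_server: %d, zombie now=%d\n",
           stop_server(pid), is_zombie(pid));
    return 0;
}
```

Run it and compare with `ps`: between the first kill and stop_server() the child shows as `[sleep]` in state Z, exactly the `[vpnserver1]` entry from the post, and is gone after waitpid().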

  4. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Looks good to me. I'll also incorporate your patch.

    Thanks!
     
  5. free2share

    free2share Networkin' Nut Member

    Great team work guys! As always you both do outstanding work!
     
  6. landa

    landa LI Guru Member

    I installed the latest version of Tomato + VPN and failed to configure it. At work I created a VPN server on a Windows XP machine. I want to connect my router via VPN to the server, so that my entire local network can access the network at my work. Authentication on the work server is via username and password. How do I configure the VPN client on Tomato?

    Please help me!
     
  7. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Just to be sure: the server you created is an OpenVPN server, correct?

    If so, please be more specific on where you're having trouble.
     
  8. landa

    landa LI Guru Member

    No, on Win XP it is a Windows VPN. Now I understand, I have to install an OpenVPN server on Win XP and try again.

    Thank you!
     
  9. landa

    landa LI Guru Member

    We managed to create the VPN connection, but the problem is that the router fails to access resources from work, through the VPN server.

    Here are the settings that I've done:

    Code:
    ;local 10.1.2.1 # This is the IP address of the real network interface on the server connected to the router
    port 1194 # This is the port OpenVPN is running on - make sure the router is port forwarding this port to the above IP
    proto udp # UDP tends to perform better than TCP for VPN
    mssfix 1400 # This setting fixed problems I was having with apps like Remote Desktop
    push "dhcp-option DNS 193.231.x.x"  # Replace the Xs with the IP address of the DNS for your home network (usually your ISP's DNS)
    push "dhcp-option DNS 193.231.x.x"  # A second DNS server if you have one
    dev tap
    #dev-node MyTAP  #If you renamed your TAP interface or have more than one TAP interface then remove the # at the beginning and change "MyTAP" to its name
    ca "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\ca.crt"
    cert "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\server.crt"
    key "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\server.key"  # This file should be kept secret
    dh "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\dh1024.pem"
    ;server 10.1.2.0 255.255.255.0  # This assigns the virtual IP address and subnet to the server's OpenVPN connection.  Make sure the Routing Table entry matches this.
    server-bridge 10.1.1.5 255.255.255.0 10.1.1.6 10.1.1.14
    ifconfig-pool-persist ipp.txt
    push "redirect-gateway def1"  # This will force the clients to use the home network's internet connection
    keepalive 10 120
    cipher BF-CBC        # Blowfish (default) encryption
    comp-lzo
    max-clients 100 # Assign the maximum number of clients here
    persist-key
    persist-tun
    status openvpn-status.log
    verb 1 # This sets how detailed the log file will be.  0 causes problems and higher numbers can give you more detail for troubleshooting

    # lines starting with # or ; will not be read by OpenVPN
    
    Please, help me with this!
     


  10. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Could you show what your router's routing table looks like when connected (Advanced->Routing)?
     
  11. FidgetyRat

    FidgetyRat LI Guru Member

    I'm having an issue I can't quite pinpoint.

    I recently updated to your mod from a .14 version of roadkills. (Clean update, redid all the settings etc). and everything worked out well. I adapted the OpenVPN settings and my machines all connect perfectly fine.

    What I've been experiencing is dropped VPN connections when there is a lot of activity on the line, such as downloading a large PDF file. My VPN client does a "ping timeout" and re-establishes the connection all over again.

    There are no errors client or server side to indicate why the link was dropped, and this only seems to happen when the line is stressed.

    The only change I can figure is that now (besides using this mod) the only setting I am doing differently is using the AES-128-CBC encryption.

    I have this strange feeling the CPU is being pegged, (maybe from the AES?) and the connection becomes unstable.


    Any suggestions? without any errors in the log this is hard to diagnose and it causes the link to drop several times a day.
     
  12. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I have saturated my tunnels without problems before, but I use the default BF-CBC encryption, not AES. You could try changing that just to narrow down where the problem is.
     
  13. FidgetyRat

    FidgetyRat LI Guru Member

    I'll definitely try that out tonight if my current idea fails. I think it *may* be related to the TLS renegotiation which is defaulted to 1 hour. I wonder if I notice the disconnects, but fail to realize they occur every hour.

    I just set the renegotiation time to 0 to disable it and I'll see if I still get disconnected or not.
     
  14. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    That could be. Note, though, that you have to disable that on both ends (either can trigger a renegotiation).
     
  15. FidgetyRat

    FidgetyRat LI Guru Member

    Just as an update, so far I haven't seen my disconnect issues since I turned off the renegotiation on the server.

    The log no longer has its "passive renegotiation" notices, but the key still expires every hour, but I don't seem to be getting disconnected anymore.

    I was actually under the impression that key negotiation was done transparently to the data line, but I guess maybe there is a bug in OpenVPN or an incompatibility with my client (Viscosity).

    I'll post again if I see any further issues, but for now I'm considering this one working.



    Edit: Also, thanks for working on this mod. I used to use Roadkill's but started getting turned off by the tons of unnecessary additions. It got to the point I didn't want to update because of all the effort, so I was really behind in tomato version.
     
  16. rhester72

    rhester72 Network Guru Member

    I renegotiate all the time in real-time (I think it's currently once every 5 minutes) on OpenVPN 2.1 and never see any effect on my actual connection - I suspect this may indeed be a client issue.

    Rodney
     
  17. FidgetyRat

    FidgetyRat LI Guru Member

    Well, I was wrong. It's still happening. This was my log:

    Apr 15 10:26:52 keralis daemon.notice openvpn[3727]: client1/20.137.216.64:37985 Control Channel: TLSv1, cipher TLSv1/SSLv3 EDH-RSA-DES-CBC3-SHA, 1024 bit RSA
    Apr 15 11:07:14 keralis daemon.notice openvpn[3727]: MULTI: multi_create_instance called
    Apr 15 11:07:14 keralis daemon.notice openvpn[3727]: Re-using SSL/TLS context
    Apr 15 11:07:14 keralis daemon.notice openvpn[3727]: LZO compression initialized

    As you can see, the last message is 10:26, and then at 11:07 it reconnects. So whatever happened around 11:07 to cause the line to totally drop and then re-establish a connection is beyond me. I see no errors in the server log. Must have something to do with the client.

    So in the end, passive renegotiation is not to blame at least.


    Edit: Looks like this is all I get from the client:
    Apr 15 11:07:07 ecr-dh-36 openvpn[902]: [server] Inactivity timeout (--ping-restart), restarting

    So something is causing the link to terminate. Who knows, could even have something to do with the network I'm on.. Just strange that I've never had it happen before, and only seems to happen when there's a lot of activity on the line like loading an image-heavy website, or downloading a file..
     
  18. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Have you tried it with the default encryption cipher, or are you still using AES?
    I definitely want to work with you to get to the bottom of this, as you're not the first to run into such issues.
     
  19. FidgetyRat

    FidgetyRat LI Guru Member

    Today I switched the ciphers back to BF-CBC. I won't know until after Monday if it was successful, so I'll post back then. Thanks for the concern. I'm hoping it's just something with AES.
     
  20. occamsrazor

    occamsrazor Network Guru Member

    Hi,

    I recently switched from Thors' mod to Teddybear's K26 with VPN mod. Somewhere along the line (actually it might have been before the switch), I've encountered a problem:

    I can remotely connect to my home LAN fine, and access LAN devices, but when I am connected this way I am unable to access the internet. Before, when I was remotely-connected it would tunnel internet traffic via my home router but this doesn't seem to be working. I'm using Viscosity on Mac OS X as remote client. Tomato server config is as follows:

    Start with WAN - Yes
    TAP
    UDP
    1194
    Firewall - Automatic
    Auth Mode TLS
    Extra HMAC - disabled
    Client address pool - DHCP

    Poll Interval - 0
    Direct clients to
    redirect Internet traffic YES
    Respond to DNS YES
    Advertise DNS to clients YES
    Encryption cipher DEFAULT
    Compression ADAPTIVE
    TLS Renegotiation Time -1
    Manage Client-Specific Options YES
    Allow Client<->Client YES
    Allow Only These Clients NO
    Custom Configuration - BLANK

    To be honest it has worked so solidly the last year or two I've forgotten how to set it up properly... Could it be something with "redirect-gateway" I seem to remember?

    Here is the log when a remote client connects:

    Code:
    Apr 25 15:33:08 Tomato daemon.notice openvpn[15989]: MULTI: multi_create_instance called
    Apr 25 15:33:08 Tomato daemon.notice openvpn[15989]: <IPADDRESS>:61961 Re-using SSL/TLS context
    Apr 25 15:33:08 Tomato daemon.notice openvpn[15989]: <IPADDRESS>:61961 LZO compression initialized
    Apr 25 15:33:08 Tomato daemon.notice openvpn[15989]: <IPADDRESS>:61961 Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Apr 25 15:33:08 Tomato daemon.notice openvpn[15989]: <IPADDRESS>:61961 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
    Apr 25 15:33:08 Tomato daemon.notice openvpn[15989]: <IPADDRESS>:61961 TLS: Initial packet from <IPADDRESS>:61961, sid=02589ac6 a4f8e3b9
    Apr 25 15:33:09 Tomato daemon.notice openvpn[15989]: <IPADDRESS>:61961 VERIFY OK: <REMOVED-CERTIFICATE-DETAILS>
    Apr 25 15:33:09 Tomato daemon.notice openvpn[15989]: <IPADDRESS>:61961 VERIFY OK: <REMOVED-CERTIFICATE-DETAILS>
    Apr 25 15:33:10 Tomato daemon.notice openvpn[15989]: <IPADDRESS>:61961 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Apr 25 15:33:10 Tomato daemon.notice openvpn[15989]: <IPADDRESS>:61961 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Apr 25 15:33:10 Tomato daemon.notice openvpn[15989]: <IPADDRESS>:61961 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Apr 25 15:33:10 Tomato daemon.notice openvpn[15989]: <IPADDRESS>:61961 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Apr 25 15:33:10 Tomato daemon.notice openvpn[15989]: <IPADDRESS>:61961 Control Channel: TLSv1, cipher TLSv1/SSLv3 EDH-RSA-DES-CBC3-SHA, 1024 bit RSA
    Apr 25 15:33:10 Tomato daemon.notice openvpn[15989]: <IPADDRESS>:61961 [laptop] Peer Connection Initiated with <IPADDRESS>:61961
    Apr 25 15:33:10 Tomato daemon.err openvpn[15989]: laptop/<IPADDRESS>:61961 MULTI: no dynamic or static remote --ifconfig address is available for laptop/<IPADDRESS>:61961
    Apr 25 15:33:12 Tomato daemon.notice openvpn[15989]: laptop/<IPADDRESS>:61961 PUSH: Received control message: 'PUSH_REQUEST'
    Apr 25 15:33:12 Tomato daemon.notice openvpn[15989]: laptop/<IPADDRESS>:61961 SENT CONTROL [laptop]: 'PUSH_REPLY,dhcp-option DOMAIN ben,dhcp-option DNS 192.168.0.1,route-gateway 192.168.0.1,redirect-gateway def1,route-gateway dhcp,ping 15,ping-restart 60' (status=1)
    Apr 25 15:33:13 Tomato daemon.notice openvpn[15989]: laptop/<IPADDRESS>:61961 MULTI: Learn: 6a:35:81:e2:f7:ce -> laptop/<IPADDRESS>:61961
    
    From what I can tell... here is the remote client config:

    Code:
    #viscosity startonopen false
    #viscosity dhcp true
    #viscosity dnssupport true
    #viscosity name HomeVPN
    route-gateway 192.168.0.1
    remote xxxxxxxxx.dyndns.org 1194
    pull
    tls-client
    persist-key
    ca ca.crt
    proto udp
    redirect-gateway def1
    nobind
    persist-tun
    cert cert.crt
    comp-lzo
    dev tap
    key key.key
    resolv-retry infinite
    
    When connected, I want ALL internet traffic (ideally including DNS) to get pushed via the tunnel to my home router, then out to the internet.
     
  21. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Please provide the routing table on the router and on your client when the tunnel is connected.
     
  22. occamsrazor

    occamsrazor Network Guru Member

    The Tomato routing looks like this before AND after the VPN connection is made:

    Code:
    Destination	Gateway	Subnet Mask	Metric	Interface
    163.121.170.154	*	255.255.255.255	0	ppp0
    163.121.128.135	163.121.170.154	255.255.255.255	0	ppp0
    163.121.128.134	163.121.170.154	255.255.255.255	0	ppp0
    192.168.1.0	*	255.255.255.252	0	vlan1 (WAN)
    192.168.0.0	*	255.255.255.0	0	br0 (LAN)
    127.0.0.0	*	255.0.0.0	0	lo
    default	163.121.170.154	0.0.0.0	0	ppp0
    
    ...i.e. it doesn't seem to change. Is there a system command that would give you better info? I'm just taking this from Menu > Advanced > Routing...

    Sorry I'm not sure how to show the table on the Mac OS X client running Viscosity...

    BTW the vlan1 is from this in the WAN script:

    Code:
    ## Hack to allow route to modem
    iptables -I POSTROUTING -t nat -o vlan1 -d 192.168.1.0/30 -j MASQUERADE
    ip addr add 192.168.1.2/30 dev vlan1 brd +
    
     
  23. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    For TAP, the client-side routing table is what is really the most interesting:
    Code:
    netstat -nr
     
  24. occamsrazor

    occamsrazor Network Guru Member

    SgtPepper - Have PM'd you client-side routing tables just in case they indicate something... though I am beginning to suspect the problem is caused by some kind of faulty client installation as I'm seeing the following in the client log, sometimes...

    Code:
    Mon Apr 26 10:04:24 2010: write to TUN/TAP : Input/output error (code=5)
    
    I'll take it up in the Viscosity forums too...
     
  25. occamsrazor

    occamsrazor Network Guru Member

    SgtPepper - ignore previous messages, I've fixed the problem. I don't really understand why, but it seems to have been solved by disabling "use alternate DNS support" in the Viscosity prefs, and adding "route-delay 20" to the client config. Whatever, it's all working now, sorry for the trouble....

    On another note, it's a testament to this great software that I've never had to delve into the technicalities of it for well over a year, it's just worked!
     
  26. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    No need to apologize; Glad you got it working!
     
  27. FidgetyRat

    FidgetyRat LI Guru Member

    Just wanted to update that I think my issues are unrelated to the VPN build. I lost internet access at work which is where I used the VPN the most so I haven't been able to test thoroughly, but I also noticed a side issue the other day where my cable modem is screwing up if I upload data quickly.

    If I were to upload a 20M zip file of pictures to an email, my modem hard-resets itself. That could explain the VPN delay since all my traffic then needed to go through the upload stream causing the modem to reset resulting in a 1-2 minute gap and a VPN disconnect.

    Comcast :mad:

    Thanks anyway for the concern. If I still see the issue after comcast attempts to fix the problem I'll let you know.
     
  28. i1135t

    i1135t Network Guru Member

    Reposting here since it would make more sense, hehe. :)

    Sorry to bring up an old thread, but SgtPepper and I tried working on a solution in the past by trying to set up an OpenVPN TUN connection through DNS port 53 (UDP) since that is ALWAYS open. The thread is located here. Now that I think about it, can IPTABLES be used to redirect outbound through port 53, since we could redirect inbound packets to a different port that the VPN server is running on, say 1194? It would look something like this:

    Incoming connection(53-UDP) ==> WAN-in (iptable PREROUTING for DNAT or REDIRECT to OpenVPN 1194-UDP) ==> OpenVPN handshake says TLS happens at port 1194 ==> WAN-out (iptable POSTROUTING for ?? redirecting outbound packets destined for 1194-UDP to redirect to port 53-UDP outbound) ==> Outbound handshake back to source at port 53-UDP

    Can this be done with a few iptable rules? I'd like to test this but unsure on how to create the iptable rules as I am no expert in it. The purpose of this was to try and bypass hotspot authentication, purely for educational purposes. Chime in if this makes any sense.
     
  29. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    That part's easy, as you're aware.
    That was speculation on my part, as it was the only way I could explain what was going on.
    But, the packets won't be destined for 1194. They'll be heading for a random port chosen by the client (the port that the client sent the request from). Now, that can be chosen by using lport in the openvpn config.
    However, if my previous assumption about the handshake is correct (I'm not fully convinced it is), the "use port 1194" is in the packet data itself and wouldn't be changeable with iptables.
    If the above is true, then this wouldn't be possible.

    However, I'm not convinced that my "handshake" assumption is correct. When we tried it before, did we just use a DNAT rule, or did we use both DNAT and SNAT?
     
  30. i1135t

    i1135t Network Guru Member

    It looks like we DNAT'd it only, see here. I didn't think down to the packet level, but if the packet is encoded with port 1194, then the client wouldn't be able to get back to the server since it would try to handshake at that port on the next sequence or drop it completely.

    Would it make a difference if we tried SNAT instead?
     
  31. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Exactly. Before, that's what I thought must've been happening.
    If anything we should try SNAT as well, not instead.

    Give the following a try:
    Code:
    iptables -t nat -I PREROUTING -p `nvram get vpn_server1_proto | sed 's/-.*$//'` -i `nvram get wan_ifname` --dport 53 -j DNAT --to-destination `nvram get lan_ipaddr`:`nvram get vpn_server1_port`
    iptables -t nat -I POSTROUTING -p `nvram get vpn_server1_proto | sed 's/-.*$//'` -o `nvram get wan_ifname`  --sport 1194 -j SNAT --to-source `nvram get wan_ipaddr`:53
    iptables -I INPUT -p udp --dport `nvram get vpn_server1_port` -j ACCEPT
    iptables -I INPUT -i `nvram get vpn_server1_if`21 -j ACCEPT
    iptables -I FORWARD -i `nvram get vpn_server1_if`21 -j ACCEPT
    
    Note, that's completely untested. You may want to try adding them from SSH/telnet first and check that they show up in the table as expected (to be sure I haven't made any typos).
     
  32. i1135t

    i1135t Network Guru Member

    Well, I entered the iptables rules and see that the DNAT packet count increases once per connection, but the SNAT packet count increases repeatedly, at about the rate of 1/sec., during that same connection. So it seems like it's trying to handshake, but then the OpenVPN client connection times out and ends the conversation. Funny though, I was monitoring through Wireshark on the client and didn't see any packets return from my server, so I'm not even sure if it's even getting back out to the client. Hmm...
     
  33. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Interesting. Try adding the following rules (need to be run after the other iptables commands, so it shows up before them in the table) to log what the packets look like:
    Code:
    iptables -t nat -I PREROUTING -p `nvram get vpn_server1_proto | sed 's/-.*$//'` -i `nvram get wan_ifname` --dport 53 -j LOG --log-prefix="DNAT: "
    iptables -t nat -I POSTROUTING -p `nvram get vpn_server1_proto | sed 's/-.*$//'` -o `nvram get wan_ifname`  --sport 1194 -j LOG --log-prefix="SNAT: "
    
     
  34. i1135t

    i1135t Network Guru Member

    This is what was logged:
    Code:
    Apr 30 16:37:26 T1 user.warn kernel: DNAT: IN=vlan1 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=173.xx.xx.xx DST=72.xxx.xxx.xxx LEN=70 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=UDP SPT=1194 DPT=53 LEN=50 
    Apr 30 16:37:26 T1 daemon.notice openvpn[346]: MULTI: multi_create_instance called
    Apr 30 16:37:26 T1 daemon.notice openvpn[346]: 173.xx.xx.xx:1194 Re-using SSL/TLS context
    Apr 30 16:37:26 T1 daemon.notice openvpn[346]: 173.xx.xx.xx:1194 LZO compression initialized
    Apr 30 16:37:26 T1 daemon.notice openvpn[346]: 173.xx.xx.xx:1194 Control Channel MTU parms [ L:1558 D:166 EF:66 EB:0 ET:0 EL:0 ]
    Apr 30 16:37:26 T1 daemon.notice openvpn[346]: 173.xx.xx.xx:1194 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
    Apr 30 16:37:26 T1 daemon.notice openvpn[346]: 173.xx.xx.xx:1194 TLS: Initial packet from 173.xx.xx.xx:1194, sid=b5c960be 7d4a2cf8
    Apr 30 16:37:26 T1 daemon.err openvpn[346]: 173.xx.xx.xx:1194 write UDPv4 []: Operation not permitted (code=1)
    Apr 30 16:37:26 T1 user.warn kernel: SNAT: IN= OUT=vlan1 SRC=72.xxx.xxx.xxx DST=173.xx.xx.xx LEN=82 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1194 DPT=1194 LEN=62 
    Apr 30 16:37:28 T1 daemon.err openvpn[346]: 173.xx.xx.xx:1194 write UDPv4 []: Operation not permitted (code=1)
    Apr 30 16:37:28 T1 user.warn kernel: SNAT: IN= OUT=vlan1 SRC=72.xxx.xxx.xxx DST=173.xx.xx.xx LEN=82 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1194 DPT=1194 LEN=62 
    Apr 30 16:37:30 T1 daemon.err openvpn[346]: 173.xx.xx.xx:1194 write UDPv4 []: Operation not permitted (code=1)
    Apr 30 16:37:30 T1 user.warn kernel: SNAT: IN= OUT=vlan1 SRC=72.xxx.xxx.xxx DST=173.xx.xx.xx LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1194 DPT=1194 LEN=50 
    Apr 30 16:37:31 T1 daemon.err openvpn[346]: 173.xx.xx.xx:1194 write UDPv4 []: Operation not permitted (code=1)
    Apr 30 16:37:31 T1 user.warn kernel: SNAT: IN= OUT=vlan1 SRC=72.xxx.xxx.xxx DST=173.xx.xx.xx LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1194 DPT=1194 LEN=58 
    Apr 30 16:37:32 T1 daemon.err openvpn[346]: 173.xx.xx.xx:1194 write UDPv4 []: Operation not permitted (code=1)
    Apr 30 16:37:32 T1 user.warn kernel: SNAT: IN= OUT=vlan1 SRC=72.xxx.xxx.xxx DST=173.xx.xx.xx LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1194 DPT=1194 LEN=50 
    Apr 30 16:37:33 T1 user.warn kernel: SNAT: IN= OUT=vlan1 SRC=72.xxx.xxx.xxx DST=173.xx.xx.xx LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1194 DPT=1194 LEN=58 
    Apr 30 16:37:33 T1 daemon.err openvpn[346]: 173.xx.xx.xx:1194 write UDPv4 []: Operation not permitted (code=1)
    Apr 30 16:37:34 T1 user.warn kernel: SNAT: IN= OUT=vlan1 SRC=72.xxx.xxx.xxx DST=173.xx.xx.xx LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1194 DPT=1194 LEN=50 
    Apr 30 16:37:34 T1 daemon.err openvpn[346]: 173.xx.xx.xx:1194 write UDPv4 []: Operation not permitted (code=1)
    Apr 30 16:37:35 T1 user.warn kernel: SNAT: IN= OUT=vlan1 SRC=72.xxx.xxx.xxx DST=173.xx.xx.xx LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1194 DPT=1194 LEN=58 
    Apr 30 16:37:35 T1 daemon.err openvpn[346]: 173.xx.xx.xx:1194 write UDPv4 []: Operation not permitted (code=1)
    Apr 30 16:37:36 T1 user.warn kernel: SNAT: IN= OUT=vlan1 SRC=72.xxx.xxx.xxx DST=173.xx.xx.xx LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1194 DPT=1194 LEN=50 
    Apr 30 16:37:36 T1 daemon.err openvpn[346]: 173.xx.xx.xx:1194 write UDPv4 []: Operation not permitted (code=1)
    Apr 30 16:37:37 T1 user.warn kernel: SNAT: IN= OUT=vlan1 SRC=72.xxx.xxx.xxx DST=173.xx.xx.xx LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1194 DPT=1194 LEN=58 
    Apr 30 16:37:37 T1 daemon.err openvpn[346]: 173.xx.xx.xx:1194 write UDPv4 []: Operation not permitted (code=1)
    Apr 30 16:37:38 T1 user.warn kernel: SNAT: IN= OUT=vlan1 SRC=72.xxx.xxx.xxx DST=173.xx.xx.xx LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1194 DPT=1194 LEN=50 
    Apr 30 16:37:38 T1 daemon.err openvpn[346]: 173.xx.xx.xx:1194 write UDPv4 []: Operation not permitted (code=1)
    Apr 30 16:37:40 T1 user.warn kernel: SNAT: IN= OUT=vlan1 SRC=72.xxx.xxx.xxx DST=173.xx.xx.xx LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1194 DPT=1194 LEN=50 
    Apr 30 16:37:40 T1 daemon.err openvpn[346]: 173.xx.xx.xx:1194 write UDPv4 []: Operation not permitted (code=1)
    Apr 30 16:37:40 T1 user.warn kernel: SNAT: IN= OUT=vlan1 SRC=72.xxx.xxx.xxx DST=173.xx.xx.xx LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1194 DPT=1194 LEN=58 
    Apr 30 16:37:40 T1 daemon.err openvpn[346]: 173.xx.xx.xx:1194 write UDPv4 []: Operation not permitted (code=1)
    Apr 30 16:37:43 T1 user.warn kernel: SNAT: IN= OUT=vlan1 SRC=72.xxx.xxx.xxx DST=173.xx.xx.xx LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1194 DPT=1194 LEN=50 
    Apr 30 16:37:43 T1 daemon.err openvpn[346]: 173.xx.xx.xx:1194 write UDPv4 []: Operation not permitted (code=1)
    Apr 30 16:37:43 T1 user.warn kernel: SNAT: IN= OUT=vlan1 SRC=72.xxx.xxx.xxx DST=173.xx.xx.xx LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1194 DPT=1194 LEN=58 
    Apr 30 16:37:43 T1 daemon.err openvpn[346]: 173.xx.xx.xx:1194 write UDPv4 []: Operation not permitted (code=1)
    Apr 30 16:37:45 T1 user.warn kernel: SNAT: IN= OUT=vlan1 SRC=72.xxx.xxx.xxx DST=173.xx.xx.xx LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1194 DPT=1194 LEN=50 
    Apr 30 16:37:45 T1 daemon.err openvpn[346]: 173.xx.xx.xx:1194 write UDPv4 []: Operation not permitted (code=1)
    Apr 30 16:37:45 T1 user.warn kernel: SNAT: IN= OUT=vlan1 SRC=72.xxx.xxx.xxx DST=173.xx.xx.xx LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1194 DPT=1194 LEN=58 
    Apr 30 16:37:45 T1 daemon.err openvpn[346]: 173.xx.xx.xx:1194 write UDPv4 []: Operation not permitted (code=1)
    Apr 30 16:37:47 T1 user.warn kernel: SNAT: IN= OUT=vlan1 SRC=72.xxx.xxx.xxx DST=173.xx.xx.xx LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1194 DPT=1194 LEN=50 
    Apr 30 16:37:47 T1 daemon.err openvpn[346]: 173.xx.xx.xx:1194 write UDPv4 []: Operation not permitted (code=1)
    Apr 30 16:37:48 T1 user.warn kernel: SNAT: IN= OUT=vlan1 SRC=72.xxx.xxx.xxx DST=173.xx.xx.xx LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1194 DPT=1194 LEN=58 
    Apr 30 16:37:48 T1 daemon.err openvpn[346]: 173.xx.xx.xx:1194 write UDPv4 []: Operation not permitted (code=1)
    Apr 30 16:37:49 T1 user.warn kernel: SNAT: IN= OUT=vlan1 SRC=72.xxx.xxx.xxx DST=173.xx.xx.xx LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1194 DPT=1194 LEN=50 
    Apr 30 16:37:49 T1 daemon.err openvpn[346]: 173.xx.xx.xx:1194 write UDPv4 []: Operation not permitted (code=1)
    Apr 30 16:37:50 T1 user.warn kernel: SNAT: IN= OUT=vlan1 SRC=72.xxx.xxx.xxx DST=173.xx.xx.xx LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1194 DPT=1194 LEN=58 
    Apr 30 16:37:50 T1 daemon.err openvpn[346]: 173.xx.xx.xx:1194 write UDPv4 []: Operation not permitted (code=1)
    Apr 30 16:37:52 T1 user.warn kernel: SNAT: IN= OUT=vlan1 SRC=72.xxx.xxx.xxx DST=173.xx.xx.xx LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1194 DPT=1194 LEN=50 
    Apr 30 16:37:52 T1 daemon.err openvpn[346]: 173.xx.xx.xx:1194 write UDPv4 []: Operation not permitted (code=1)
    Apr 30 16:37:53 T1 user.warn kernel: SNAT: IN= OUT=vlan1 SRC=72.xxx.xxx.xxx DST=173.xx.xx.xx LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1194 DPT=1194 LEN=58 
    Apr 30 16:37:53 T1 daemon.err openvpn[346]: 173.xx.xx.xx:1194 write UDPv4 []: Operation not permitted (code=1)
    Apr 30 16:37:54 T1 user.warn kernel: SNAT: IN= OUT=vlan1 SRC=72.xxx.xxx.xxx DST=173.xx.xx.xx LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1194 DPT=1194 LEN=50 
    Apr 30 16:37:54 T1 daemon.err openvpn[346]: 173.xx.xx.xx:1194 write UDPv4 []: Operation not permitted (code=1)
    Apr 30 16:37:55 T1 user.warn kernel: SNAT: IN= OUT=vlan1 SRC=72.xxx.xxx.xxx DST=173.xx.xx.xx LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1194 DPT=1194 LEN=58 
    Apr 30 16:37:55 T1 daemon.err openvpn[346]: 173.xx.xx.xx:1194 write UDPv4 []: Operation not permitted (code=1)
    Apr 30 16:37:56 T1 user.warn kernel: SNAT: IN= OUT=vlan1 SRC=72.xxx.xxx.xxx DST=173.xx.xx.xx LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1194 DPT=1194 LEN=50 
    Apr 30 16:37:56 T1 daemon.err openvpn[346]: 173.xx.xx.xx:1194 write UDPv4 []: Operation not permitted (code=1)
    Apr 30 16:37:58 T1 user.warn kernel: SNAT: IN= OUT=vlan1 SRC=72.xxx.xxx.xxx DST=173.xx.xx.xx LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1194 DPT=1194 LEN=50 
    Apr 30 16:37:58 T1 daemon.err openvpn[346]: 173.xx.xx.xx:1194 write UDPv4 []: Operation not permitted (code=1)
    Apr 30 16:37:59 T1 user.warn kernel: SNAT: IN= OUT=vlan1 SRC=72.xxx.xxx.xxx DST=173.xx.xx.xx LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1194 DPT=1194 LEN=58 
    Apr 30 16:37:59 T1 daemon.err openvpn[346]: 173.xx.xx.xx:1194 write UDPv4 []: Operation not permitted (code=1)
    Apr 30 16:38:00 T1 user.warn kernel: SNAT: IN= OUT=vlan1 SRC=72.xxx.xxx.xxx DST=173.xx.xx.xx LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1194 DPT=1194 LEN=50 
    Apr 30 16:38:00 T1 daemon.err openvpn[346]: 173.xx.xx.xx:1194 write UDPv4 []: Operation not permitted (code=1)
    Apr 30 16:38:02 T1 user.warn kernel: SNAT: IN= OUT=vlan1 SRC=72.xxx.xxx.xxx DST=173.xx.xx.xx LEN=82 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1194 DPT=1194 LEN=62 
    Apr 30 16:38:02 T1 daemon.err openvpn[346]: 173.xx.xx.xx:1194 write UDPv4 []: Operation not permitted (code=1)
    Apr 30 16:38:04 T1 user.warn kernel: SNAT: IN= OUT=vlan1 SRC=72.xxx.xxx.xxx DST=173.xx.xx.xx LEN=82 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1194 DPT=1194 LEN=62 
    Apr 30 16:38:04 T1 daemon.err openvpn[346]: 173.xx.xx.xx:1194 write UDPv4 []: Operation not permitted (code=1)
    Apr 30 16:38:06 T1 user.warn kernel: SNAT: IN= OUT=vlan1 SRC=72.xxx.xxx.xxx DST=173.xx.xx.xx LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1194 DPT=1194 LEN=50 
    Apr 30 16:38:06 T1 daemon.err openvpn[346]: 173.xx.xx.xx:1194 write UDPv4 []: Operation not permitted (code=1)
    Apr 30 16:38:07 T1 user.warn kernel: SNAT: IN= OUT=vlan1 SRC=72.xxx.xxx.xxx DST=173.xx.xx.xx LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1194 DPT=1194 LEN=58 
    Apr 30 16:38:07 T1 daemon.err openvpn[346]: 173.xx.xx.xx:1194 write UDPv4 []: Operation not permitted (code=1)
    Apr 30 16:38:08 T1 user.warn kernel: SNAT: IN= OUT=vlan1 SRC=72.xxx.xxx.xxx DST=173.xx.xx.xx LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1194 DPT=1194 LEN=50 
    Apr 30 16:38:08 T1 daemon.err openvpn[346]: 173.xx.xx.xx:1194 write UDPv4 []: Operation not permitted (code=1)
    Apr 30 16:38:09 T1 user.warn kernel: SNAT: IN= OUT=vlan1 SRC=72.xxx.xxx.xxx DST=173.xx.xx.xx LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1194 DPT=1194 LEN=58 
    Apr 30 16:38:09 T1 daemon.err openvpn[346]: 173.xx.xx.xx:1194 write UDPv4 []: Operation not permitted (code=1)
    Apr 30 16:38:10 T1 user.warn kernel: SNAT: IN= OUT=vlan1 SRC=72.xxx.xxx.xxx DST=173.xx.xx.xx LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1194 DPT=1194 LEN=50 
    Apr 30 16:38:10 T1 daemon.err openvpn[346]: 173.xx.xx.xx:1194 write UDPv4 []: Operation not permitted (code=1)
    Apr 30 16:38:11 T1 user.warn kernel: SNAT: IN= OUT=vlan1 SRC=72.xxx.xxx.xxx DST=173.xx.xx.xx LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1194 DPT=1194 LEN=58 
    Apr 30 16:38:11 T1 daemon.err openvpn[346]: 173.xx.xx.xx:1194 write UDPv4 []: Operation not permitted (code=1)
    Apr 30 16:38:12 T1 daemon.err openvpn[346]: 173.xx.xx.xx:1194 write UDPv4 []: Operation not permitted (code=1)
    Apr 30 16:38:12 T1 user.warn kernel: SNAT: IN= OUT=vlan1 SRC=72.xxx.xxx.xxx DST=173.xx.xx.xx LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1194 DPT=1194 LEN=50 
    Apr 30 16:38:13 T1 daemon.err openvpn[346]: 173.xx.xx.xx:1194 write UDPv4 []: Operation not permitted (code=1)
    Apr 30 16:38:13 T1 user.warn kernel: SNAT: IN= OUT=vlan1 SRC=72.xxx.xxx.xxx DST=173.xx.xx.xx LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1194 DPT=1194 LEN=58 
    Apr 30 16:38:14 T1 daemon.err openvpn[346]: 173.xx.xx.xx:1194 write UDPv4 []: Operation not permitted (code=1)
    Apr 30 16:38:14 T1 user.warn kernel: SNAT: IN= OUT=vlan1 SRC=72.xxx.xxx.xxx DST=173.xx.xx.xx LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1194 DPT=1194 LEN=50 
    Apr 30 16:38:16 T1 daemon.err openvpn[346]: 173.xx.xx.xx:1194 write UDPv4 []: Operation not permitted (code=1)
    Apr 30 16:38:16 T1 user.warn kernel: SNAT: IN= OUT=vlan1 SRC=72.xxx.xxx.xxx DST=173.xx.xx.xx LEN=82 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1194 DPT=1194 LEN=62 
    Apr 30 16:38:18 T1 daemon.err openvpn[346]: 173.xx.xx.xx:1194 write UDPv4 []: Operation not permitted (code=1)
    Apr 30 16:38:18 T1 user.warn kernel: SNAT: IN= OUT=vlan1 SRC=72.xxx.xxx.xxx DST=173.xx.xx.xx LEN=82 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1194 DPT=1194 LEN=62 
    Apr 30 16:38:20 T1 daemon.err openvpn[346]: 173.xx.xx.xx:1194 write UDPv4 []: Operation not permitted (code=1)
    Apr 30 16:38:20 T1 user.warn kernel: SNAT: IN= OUT=vlan1 SRC=72.xxx.xxx.xxx DST=173.xx.xx.xx LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1194 DPT=1194 LEN=50 
    Apr 30 16:38:20 T1 daemon.err openvpn[346]: 173.xx.xx.xx:1194 write UDPv4 []: Operation not permitted (code=1)
    Apr 30 16:38:20 T1 user.warn kernel: SNAT: IN= OUT=vlan1 SRC=72.xxx.xxx.xxx DST=173.xx.xx.xx LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1194 DPT=1194 LEN=58 
    Apr 30 16:38:22 T1 daemon.err openvpn[346]: 173.xx.xx.xx:1194 write UDPv4 []: Operation not permitted (code=1)
    Apr 30 16:38:22 T1 user.warn kernel: SNAT: IN= OUT=vlan1 SRC=72.xxx.xxx.xxx DST=173.xx.xx.xx LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1194 DPT=1194 LEN=50 
    Apr 30 16:38:24 T1 daemon.err openvpn[346]: 173.xx.xx.xx:1194 write UDPv4 []: Operation not permitted (code=1)
    Apr 30 16:38:24 T1 user.warn kernel: SNAT: IN= OUT=vlan1 SRC=72.xxx.xxx.xxx DST=173.xx.xx.xx LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1194 DPT=1194 LEN=50 
    Apr 30 16:38:25 T1 daemon.err openvpn[346]: 173.xx.xx.xx:1194 write UDPv4 []: Operation not permitted (code=1)
    Apr 30 16:38:25 T1 user.warn kernel: SNAT: IN= OUT=vlan1 SRC=72.xxx.xxx.xxx DST=173.xx.xx.xx LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1194 DPT=1194 LEN=58 
    Apr 30 16:38:26 T1 daemon.err openvpn[346]: 173.xx.xx.xx:1194 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Apr 30 16:38:26 T1 daemon.err openvpn[346]: 173.xx.xx.xx:1194 TLS Error: TLS handshake failed
    Apr 30 16:38:26 T1 daemon.notice openvpn[346]: 173.xx.xx.xx:1194 SIGUSR1[soft,tls-error] received, client-instance restarting
    
     
  35. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    A shot in the dark here, but try adding this to your server config:
    Code:
    local <your server router LAN IP>
     
  36. Aquafire

    Aquafire LI Guru Member

    Hello All,

    Trying to connect to my home router (WRTSL54GS) running this firmware through my office proxy server. The server and client are configured for static key access, without any cipher.

    First I tried without the proxy server (direct connection) and it was fine and able to connect on the default port 1194.

    But when I try going through the office proxy, I get the following messages in the log

    Looks like even the VPN access is blocked via the proxy server. Any ideas how to make it work and bypass it? After all, that was the whole objective of the exercise.

    Thanks in advance
     
  38. GavinP

    GavinP Network Guru Member

    Try setting up your VPN over tcp/443 which is https...
     
  39. i1135t

    i1135t Network Guru Member

    This is all I am getting on the client side:
    Code:
    Mon May 10 13:09:31 2010 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
    Mon May 10 13:09:33 2010 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
    Mon May 10 13:09:35 2010 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
    Mon May 10 13:09:37 2010 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
    Mon May 10 13:09:39 2010 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
    Mon May 10 13:09:41 2010 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
    Mon May 10 13:09:43 2010 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
    Mon May 10 13:09:45 2010 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
    Mon May 10 13:09:48 2010 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
    Mon May 10 13:09:50 2010 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
    Mon May 10 13:09:52 2010 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
    Mon May 10 13:09:54 2010 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
    Mon May 10 13:09:57 2010 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
    Mon May 10 13:09:59 2010 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
    Mon May 10 13:10:01 2010 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
    Mon May 10 13:10:04 2010 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
    Mon May 10 13:10:06 2010 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
    Mon May 10 13:10:08 2010 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
    Mon May 10 13:10:10 2010 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
    Mon May 10 13:10:12 2010 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
    Mon May 10 13:10:15 2010 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
    Mon May 10 13:10:16 2010 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
    Mon May 10 13:10:18 2010 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
    Mon May 10 13:10:20 2010 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
    Mon May 10 13:10:22 2010 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
    Mon May 10 13:10:24 2010 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
    Mon May 10 13:10:26 2010 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
    Mon May 10 13:10:28 2010 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
    Mon May 10 13:10:30 2010 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
    Mon May 10 13:10:31 2010 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Mon May 10 13:10:31 2010 TLS Error: TLS handshake failed
    Mon May 10 13:10:31 2010 SIGUSR1[soft,tls-error] received, process restarting
    and this only shows up once in the router log:
    Code:
    May 10 13:09:32 T1 user.warn kernel: DNAT: IN=vlan1 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=173.xx.xx.xx DST=72.xxx.xxx.xxx LEN=70 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=UDP SPT=1194 DPT=53 LEN=50
    and no packets hitting the POSTROUTING chain. Only one packet hit the PREROUTING chain, as before.
     
  40. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I guess when NATing it from the WAN IP to the LAN IP, it still looks as if it is coming from the WAN interface, so we can't get away with limiting it to the LAN interface.

    It sounds like the firewall is blocking the response packet for some reason. Try
    Code:
    service firewall restart
    <Attempt connection here>
    iptables -t mangle -nvL; iptables -t nat -nvL; iptables -t filter -nvL
    
    We'll hopefully see one of the DROP lines incrementing, so we'll know where the problem is.
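    Reading a dump this long by eye for the one counter that moved is error-prone, so here is an added example (not code from the thread or from Tomato) that parses two `iptables -nvL` snapshots in the layout posted below, pairs chains and rules between them, and reports every rule or chain policy whose packet counter increased, with DROP entries singled out. The two snapshots inside the block are constructed with made-up counts, not taken from the posts.

```python
"""Diff two `iptables -nvL` dumps and report rules whose packet counters moved,
with DROP rules and DROP chain policies singled out. Added example for the
restart/attempt/dump procedure in this thread; not code from the thread or from
Tomato. The snapshots at the bottom are constructed, not copied from the posts."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# "Chain INPUT (policy DROP 35 packets, 4042 bytes)" or "Chain upnp (1 references)"
CHAIN_RE = re.compile(
    r"^Chain (\S+) \((?:policy (\S+) (\S+) packets, \S+ bytes|\d+ references)\)")
PROTOS = {"all", "tcp", "udp", "udplite", "icmp", "esp", "ah", "sctp"}

def count(tok: str) -> int:
    """iptables -v abbreviates counters with 1000-based K/M/G suffixes."""
    mult = {"K": 10**3, "M": 10**6, "G": 10**9}
    return int(tok[:-1]) * mult[tok[-1]] if tok[-1] in mult else int(tok)

@dataclass
class Rule:
    pkts: int
    target: str   # "" when the target column is empty (e.g. a `recent: SET` rule)
    spec: str     # prot/opt/in/out/src/dst/match text, used to pair rules

@dataclass
class Chain:
    name: str
    policy: Optional[str] = None   # None for user-defined chains
    policy_pkts: int = 0           # packets that fell through to the policy
    rules: List[Rule] = field(default_factory=list)

def parse_nvl(text: str) -> List[Chain]:
    """Parse a dump. Tables may be concatenated with no separator (mangle, nat
    and filter all have PREROUTING/OUTPUT), so chains are kept in order."""
    chains: List[Chain] = []
    for line in text.splitlines():
        m = CHAIN_RE.match(line.strip())
        if m:
            chains.append(Chain(m.group(1), m.group(2), count(m.group(3)) if m.group(3) else 0))
            continue
        tok = line.split()
        if not chains or len(tok) < 8 or not tok[0][0].isdigit():
            continue          # column header, blank line or shell prompt
        if tok[2] in PROTOS or tok[2].isdigit():
            target, rest = "", tok[2:]        # empty target column
        else:
            target, rest = tok[2], tok[3:]
        chains[-1].rules.append(Rule(count(tok[0]), target, " ".join(rest)))
    return chains

@dataclass
class Delta:
    chain: str
    target: str    # rule target, or "policy DROP" etc. for the chain default
    spec: str
    delta: int

def diff_counters(before: str, after: str) -> List[Delta]:
    """Pair chains by position and rules by position plus text; report every
    counter that increased. Rules whose text changed in between are skipped."""
    out: List[Delta] = []
    for cb, ca in zip(parse_nvl(before), parse_nvl(after)):
        if cb.name != ca.name:
            continue          # rule set was reloaded; chains no longer line up
        if ca.policy and ca.policy_pkts > cb.policy_pkts:
            out.append(Delta(ca.name, f"policy {ca.policy}", "(no rule matched)",
                             ca.policy_pkts - cb.policy_pkts))
        for rb, ra in zip(cb.rules, ca.rules):
            if (rb.target, rb.spec) == (ra.target, ra.spec) and ra.pkts > rb.pkts:
                out.append(Delta(ca.name, ra.target, ra.spec, ra.pkts - rb.pkts))
    return out

def drops(deltas: List[Delta]) -> List[Delta]:
    """The lines to read first: explicit DROP rules and DROP chain policies."""
    return [d for d in deltas if d.target in ("DROP", "policy DROP")]

# Constructed filter-table snapshots in the layout shown in the thread (made-up counts).
BEFORE = """\
Chain INPUT (policy DROP 35 packets, 4042 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:1194
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
   28  4604 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED

Chain shlimit (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0           recent: SET name: shlimit side: source
"""
AFTER = """\
Chain INPUT (policy DROP 41 packets, 4790 bytes)
 pkts bytes target     prot opt in     out     source               destination
   12   840 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:1194
    3   210 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
   94 16873 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED

Chain shlimit (2 references)
 pkts bytes target     prot opt in     out     source               destination
    2   120            all  --  *      *       0.0.0.0/0            0.0.0.0/0           recent: SET name: shlimit side: source
"""
```

On a router, feed it the output of `iptables -t filter -nvL` captured before and after the connection attempt; the policy counter of a chain with `policy DROP` is the place a packet vanishes when no explicit rule matched it.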
     
  41. i1135t

    i1135t Network Guru Member

    Actually, when I set the "local MY ROUTER LAN IP" line in my server config, I put in my WAN IP. I misread it, so I retested with the same results of no POSTROUTING packet hits, but the error output shows more than a single line from the previous attempt:
    Code:
    May 10 16:01:41 T1 user.warn kernel: DNAT: IN=vlan1 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=173.xx.xx.xx DST=72.xxx.xxx.xxx LEN=70 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=UDP SPT=1194 DPT=53 LEN=50 
    May 10 16:01:41 T1 daemon.notice openvpn[15955]: MULTI: multi_create_instance called
    May 10 16:01:41 T1 daemon.notice openvpn[15955]: 173.xx.xx.xx:1194 Re-using SSL/TLS context
    May 10 16:01:41 T1 daemon.notice openvpn[15955]: 173.xx.xx.xx:1194 LZO compression initialized
    May 10 16:01:41 T1 daemon.notice openvpn[15955]: 173.xx.xx.xx:1194 Control Channel MTU parms [ L:1558 D:166 EF:66 EB:0 ET:0 EL:0 ]
    May 10 16:01:41 T1 daemon.notice openvpn[15955]: 173.xx.xx.xx:1194 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
    May 10 16:01:41 T1 daemon.notice openvpn[15955]: 173.xx.xx.xx:1194 TLS: Initial packet from 173.xx.xx.xx:1194, sid=e437d2be c27d53ec
    May 10 16:02:41 T1 daemon.err openvpn[15955]: 173.xx.xx.xx:1194 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    May 10 16:02:41 T1 daemon.err openvpn[15955]: 173.xx.xx.xx:1194 TLS Error: TLS handshake failed
    May 10 16:02:41 T1 daemon.notice openvpn[15955]: 173.xx.xx.xx:1194 SIGUSR1[soft,tls-error] received, client-instance restarting
    Here are the results after restarting the firewall service and then trying a connection attempt:
    Code:
    root@T1:/tmp/home/root# iptables -t mangle -nvL; iptables -t nat -nvL; iptables 
    -t filter -nvL
    Chain PREROUTING (policy ACCEPT 915 packets, 430K bytes)
     pkts bytes target     prot opt in     out     source               destination         
      468  331K CONNMARK   all  --  vlan1  *       0.0.0.0/0            0.0.0.0/0           CONNMARK restore mask 0xff
    
    Chain INPUT (policy ACCEPT 387K packets, 115M bytes)
     pkts bytes target     prot opt in     out     source               destination         
    
    Chain FORWARD (policy ACCEPT 16M packets, 9629M bytes)
     pkts bytes target     prot opt in     out     source               destination         
      352 67030 QOSO       all  --  *      vlan1   0.0.0.0/0            0.0.0.0/0           
    
    Chain OUTPUT (policy ACCEPT 46 packets, 9893 bytes)
     pkts bytes target     prot opt in     out     source               destination         
       25  3209 QOSO       all  --  *      vlan1   0.0.0.0/0            0.0.0.0/0           
    
    Chain POSTROUTING (policy ACCEPT 16M packets, 9662M bytes)
     pkts bytes target     prot opt in     out     source               destination         
    
    Chain QOSO (2 references)
     pkts bytes target     prot opt in     out     source               destination         
      377 70239 CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0           CONNMARK restore mask 0xff
      226 35415 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           CONNMARK match !0x0/0xff00 
       15   999 CONNMARK   udp  --  *      *       0.0.0.0/0            0.0.0.0/0           mport ports 53 CONNMARK set-return 0x101/0xff 
        1    76 CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0           MAC xx:xx:xx:xx:xx:xx CONNMARK set-return 0x106/0xff 
        1   309 CONNMARK   udp  --  *      *       0.0.0.0/0            0.0.0.0/0           mport ports 80,443,1194 CONNMARK set-return 0x102/0xff 
       18   864 CONNMARK   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           mport ports 80,443,1194 CONNMARK set-return 0x102/0xff 
        0     0 CONNMARK   udp  --  *      *       0.0.0.0/0            0.0.0.0/0           LAYER7 l7proto httpvideo CONNMARK set-return 0x102/0xff 
        0     0 CONNMARK   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           LAYER7 l7proto httpvideo CONNMARK set-return 0x102/0xff 
        0     0 CONNMARK   udp  --  *      *       0.0.0.0/0            0.0.0.0/0           mport ports 33333,28000:28100 CONNMARK set-return 0x7/0xff 
        0     0 CONNMARK   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           mport ports 33333,28000:28100 CONNMARK set-return 0x7/0xff 
        0     0 CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0           MAC xx:xx:xx:xx:xx:xx CONNMARK set-return 0x3/0xff 
      116 32576 CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0           CONNMARK set-return 0x9 
    Chain PREROUTING (policy ACCEPT 104 packets, 21373 bytes)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:443 
        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:1194 
        0     0 DROP       all  --  vlan1  *       0.0.0.0/0            10.1.1.0/24         
        0     0 DNAT       udp  --  *      *       10.1.1.0/24         !10.1.1.0/24         udp dpt:53 to:10.1.1.1 
        0     0 DNAT       icmp --  *      *       0.0.0.0/0            72.xxx.xxx.xxx      to:10.1.1.1 
        0     0 DNAT       tcp  --  *      *       0.0.0.0/0            72.xxx.xxx.xxx      tcp dpt:30000 to:10.1.1.5 
        0     0 DNAT       tcp  --  *      *       0.0.0.0/0            72.xxx.xxx.xxx      tcp dpt:33333 to:10.1.1.5 
        0     0 DNAT       tcp  --  *      *       0.0.0.0/0            72.xxx.xxx.xxx      tcp dpts:28000:28100 to:10.1.1.5 
      127 14959 upnp       all  --  *      *       0.0.0.0/0            72.xxx.xxx.xxx      
    
    Chain POSTROUTING (policy ACCEPT 101 packets, 13571 bytes)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 SNAT       tcp  --  *      *       10.1.1.0/24          10.1.1.5            tcp dpt:30000 to:72.xxx.xxx.xxx 
        0     0 SNAT       tcp  --  *      *       10.1.1.0/24          10.1.1.5            tcp dpt:33333 to:72.xxx.xxx.xxx 
        0     0 SNAT       tcp  --  *      *       10.1.1.0/24          10.1.1.5            tcp dpts:28000:28100 to:72.xxx.xxx.xxx 
       34  1939 MASQUERADE  all  --  *      vlan1   0.0.0.0/0            0.0.0.0/0           
    
    Chain OUTPUT (policy ACCEPT 17 packets, 1571 bytes)
     pkts bytes target     prot opt in     out     source               destination         
    
    Chain upnp (1 references)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:57474 to:10.1.1.6:57474 
        0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:57474 to:10.1.1.6:57474 
        0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:30000 to:10.1.1.5:30000 
       99 12999 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:30000 to:10.1.1.5:30000 
    Chain INPUT (policy DROP 35 packets, 4042 bytes)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 ACCEPT     all  --  tun21  *       0.0.0.0/0            0.0.0.0/0           
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:443 
        0     0 ACCEPT     all  --  tun22  *       0.0.0.0/0            0.0.0.0/0           
        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:1194 
        0     0 DROP       all  --  br0    *       0.0.0.0/0            72.xxx.xxx.xxx      
        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID 
       28  4604 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
        0     0 shlimit    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22 state NEW 
        0     0 shlimit    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:23 state NEW 
       95 32449 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0           
        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    
    Chain FORWARD (policy DROP 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 ACCEPT     all  --  tun21  *       0.0.0.0/0            0.0.0.0/0           
        0     0 ACCEPT     all  --  tun22  *       0.0.0.0/0            0.0.0.0/0           
        0     0 ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0/0           
        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID 
        0     0 TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x02 tcpmss match 1461:65535 TCPMSS set 1460 
      352 67030 restrict   all  --  *      vlan1   0.0.0.0/0            0.0.0.0/0           
      413  323K L7in       all  --  vlan1  *       0.0.0.0/0            0.0.0.0/0           
      647  376K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
       99 12999 wanin      all  --  vlan1  *       0.0.0.0/0            0.0.0.0/0           
       19   940 wanout     all  --  *      vlan1   0.0.0.0/0            0.0.0.0/0           
       19   940 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0           
       99 12999 upnp       all  --  vlan1  *       0.0.0.0/0            0.0.0.0/0           
    
    Chain OUTPUT (policy ACCEPT 63 packets, 16521 bytes)
     pkts bytes target     prot opt in     out     source               destination         
    
    Chain L7in (1 references)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           LAYER7 l7proto httpvideo 
    
    Chain rdev01 (0 references)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           MAC xx:xx:xx:xx:xx:xx 
    
    Chain rdev02 (1 references)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           MAC xx:xx:xx:xx:xx:xx 
    
    Chain rdev03 (0 references)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           MAC xx:xx:xx:xx:xx:xx
    
    Chain rdev04 (0 references)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           MAC xx:xx:xx:xx:xx:xx
    
    Chain restrict (1 references)
     pkts bytes target     prot opt in     out     source               destination         
      352 67030 rdev02     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    
    Chain shlimit (2 references)
     pkts bytes target     prot opt in     out     source               destination         
        0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0           recent: SET name: shlimit side: source 
        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           recent: UPDATE seconds: 60 hit_count: 3 name: shlimit side: source 
    
    Chain upnp (1 references)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.1.1.6            tcp dpt:57474 
        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            10.1.1.6            udp dpt:57474 
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.1.1.5            tcp dpt:30000 
       99 12999 ACCEPT     udp  --  *      *       0.0.0.0/0            10.1.1.5            udp dpt:30000 
    
    Chain wanin (1 references)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.1.1.5            tcp dpt:30000 
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.1.1.5            tcp dpt:33333 
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.1.1.5            tcp dpts:28000:28100 
    
    Chain wanout (1 references)
     pkts bytes target     prot opt in     out     source               destination 
    EDIT

    And here is the output with iptables in effect if needed, after connection attempt:
    Code:
    root@T1:/tmp/home/root# iptables -t mangle -nvL; iptables -t nat -nvL; iptables 
    -t filter -nvL
    Chain PREROUTING (policy ACCEPT 5151 packets, 4296K bytes)
     pkts bytes target     prot opt in     out     source               destination         
     3094 4070K CONNMARK   all  --  vlan1  *       0.0.0.0/0            0.0.0.0/0           CONNMARK restore mask 0xff
    
    Chain INPUT (policy ACCEPT 391K packets, 116M bytes)
     pkts bytes target     prot opt in     out     source               destination         
    
    Chain FORWARD (policy ACCEPT 16M packets, 9665M bytes)
     pkts bytes target     prot opt in     out     source               destination         
     1952  195K QOSO       all  --  *      vlan1   0.0.0.0/0            0.0.0.0/0           
    
    Chain OUTPUT (policy ACCEPT 169 packets, 24256 bytes)
     pkts bytes target     prot opt in     out     source               destination         
      142 16687 QOSO       all  --  *      vlan1   0.0.0.0/0            0.0.0.0/0           
    
    Chain POSTROUTING (policy ACCEPT 16M packets, 9699M bytes)
     pkts bytes target     prot opt in     out     source               destination         
    
    Chain QOSO (2 references)
     pkts bytes target     prot opt in     out     source               destination         
     2094  211K CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0           CONNMARK restore mask 0xff
     1900  175K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           CONNMARK match !0x0/0xff00 
       54  3456 CONNMARK   udp  --  *      *       0.0.0.0/0            0.0.0.0/0           mport ports 53 CONNMARK set-return 0x101/0xff 
        1    76 CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0           MAC xx:xx:xx:xx:xx:xx CONNMARK set-return 0x106/0xff 
        1    82 CONNMARK   udp  --  *      *       0.0.0.0/0            0.0.0.0/0           mport ports 80,443,1194 CONNMARK set-return 0x102/0xff 
       28  1344 CONNMARK   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           mport ports 80,443,1194 CONNMARK set-return 0x102/0xff 
        0     0 CONNMARK   udp  --  *      *       0.0.0.0/0            0.0.0.0/0           LAYER7 l7proto httpvideo CONNMARK set-return 0x102/0xff 
        0     0 CONNMARK   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           LAYER7 l7proto httpvideo CONNMARK set-return 0x102/0xff 
        0     0 CONNMARK   udp  --  *      *       0.0.0.0/0            0.0.0.0/0           mport ports 33333,28000:28100 CONNMARK set-return 0x7/0xff 
        0     0 CONNMARK   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           mport ports 33333,28000:28100 CONNMARK set-return 0x7/0xff 
        0     0 CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0           MAC xx:xx:xx:xx:xx:xx CONNMARK set-return 0x3/0xff 
      110 31213 CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0           CONNMARK set-return 0x9 
    Chain PREROUTING (policy ACCEPT 103 packets, 21773 bytes)
     pkts bytes target     prot opt in     out     source               destination         
        1    70 LOG        udp  --  vlan1  *       0.0.0.0/0            0.0.0.0/0           udp dpt:53 LOG flags 0 level 4 prefix `DNAT: ' 
        1    70 DNAT       udp  --  vlan1  *       0.0.0.0/0            0.0.0.0/0           udp dpt:53 to:10.1.1.1:1194 
        1    48 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:443 
        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:1194 
        0     0 DROP       all  --  vlan1  *       0.0.0.0/0            10.1.1.0/24         
        0     0 DNAT       udp  --  *      *       10.1.1.0/24         !10.1.1.0/24         udp dpt:53 to:10.1.1.1 
        0     0 DNAT       icmp --  *      *       0.0.0.0/0            72.xxx.xxx.xxx      to:10.1.1.1 
        0     0 DNAT       tcp  --  *      *       0.0.0.0/0            72.xxx.xxx.xxx      tcp dpt:30000 to:10.1.1.5 
        0     0 DNAT       tcp  --  *      *       0.0.0.0/0            72.xxx.xxx.xxx      tcp dpt:33333 to:10.1.1.5 
        0     0 DNAT       tcp  --  *      *       0.0.0.0/0            72.xxx.xxx.xxx      tcp dpts:28000:28100 to:10.1.1.5 
       86 11190 upnp       all  --  *      *       0.0.0.0/0            72.xxx.xxx.xxx      
    
    Chain POSTROUTING (policy ACCEPT 86 packets, 11345 bytes)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 LOG        udp  --  *      vlan1   0.0.0.0/0            0.0.0.0/0           udp spt:1194 LOG flags 0 level 4 prefix `SNAT: ' 
        0     0 SNAT       udp  --  *      vlan1   0.0.0.0/0            0.0.0.0/0           udp spt:1194 to:72.xxx.xxx.xxx:53 
        0     0 SNAT       tcp  --  *      *       10.1.1.0/24          10.1.1.5            tcp dpt:30000 to:72.xxx.xxx.xxx 
        0     0 SNAT       tcp  --  *      *       10.1.1.0/24          10.1.1.5            tcp dpt:33333 to:72.xxx.xxx.xxx 
        0     0 SNAT       tcp  --  *      *       10.1.1.0/24          10.1.1.5            tcp dpts:28000:28100 to:72.xxx.xxx.xxx 
       83  4876 MASQUERADE  all  --  *      vlan1   0.0.0.0/0            0.0.0.0/0           
    
    Chain OUTPUT (policy ACCEPT 55 packets, 3742 bytes)
     pkts bytes target     prot opt in     out     source               destination         
    
    Chain upnp (1 references)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:57474 to:10.1.1.6:57474 
        0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:57474 to:10.1.1.6:57474 
        0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:30000 to:10.1.1.5:30000 
       85 11059 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:30000 to:10.1.1.5:30000 
    Chain INPUT (policy DROP 12 packets, 3787 bytes)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 ACCEPT     all  --  tun21  *       0.0.0.0/0            0.0.0.0/0           
       28  1960 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:1194 
        0     0 ACCEPT     all  --  tun21  *       0.0.0.0/0            0.0.0.0/0           
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:443 
        0     0 ACCEPT     all  --  tun22  *       0.0.0.0/0            0.0.0.0/0           
        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:1194 
        0     0 DROP       all  --  br0    *       0.0.0.0/0            72.xxx.xxx.xxx      
        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID 
       94 16873 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
        0     0 shlimit    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22 state NEW 
        0     0 shlimit    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:23 state NEW 
      105 31753 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0           
        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    
    Chain FORWARD (policy DROP 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 ACCEPT     all  --  tun21  *       0.0.0.0/0            0.0.0.0/0           
        0     0 ACCEPT     all  --  tun21  *       0.0.0.0/0            0.0.0.0/0           
        0     0 ACCEPT     all  --  tun22  *       0.0.0.0/0            0.0.0.0/0           
        0     0 ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0/0           
        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID 
        0     0 TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x02 tcpmss match 1461:65535 TCPMSS set 1460 
     1953  195K restrict   all  --  *      vlan1   0.0.0.0/0            0.0.0.0/0           
     2977 4048K L7in       all  --  vlan1  *       0.0.0.0/0            0.0.0.0/0           
     4815 4230K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
       86 11188 wanin      all  --  vlan1  *       0.0.0.0/0            0.0.0.0/0           
       29  1420 wanout     all  --  *      vlan1   0.0.0.0/0            0.0.0.0/0           
       29  1420 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0           
       86 11188 upnp       all  --  vlan1  *       0.0.0.0/0            0.0.0.0/0           
    
    Chain OUTPUT (policy ACCEPT 188 packets, 33660 bytes)
     pkts bytes target     prot opt in     out     source               destination         
    
    Chain L7in (1 references)
     pkts bytes target     prot opt in     out     source               destination         
     2256 3368K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           LAYER7 l7proto httpvideo 
    
    Chain rdev01 (0 references)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           MAC xx:xx:xx:xx:xx:xx
    
    Chain rdev02 (1 references)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           MAC xx:xx:xx:xx:xx:xx
    
    Chain rdev03 (0 references)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           MAC xx:xx:xx:xx:xx:xx
    
    Chain rdev04 (0 references)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           MAC xx:xx:xx:xx:xx:xx
    
    Chain restrict (1 references)
     pkts bytes target     prot opt in     out     source               destination         
     1953  195K rdev02     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    
    Chain shlimit (2 references)
     pkts bytes target     prot opt in     out     source               destination         
        0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0           recent: SET name: shlimit side: source 
        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           recent: UPDATE seconds: 60 hit_count: 3 name: shlimit side: source 
    
    Chain upnp (1 references)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.1.1.6            tcp dpt:57474 
        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            10.1.1.6            udp dpt:57474 
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.1.1.5            tcp dpt:30000 
       86 11188 ACCEPT     udp  --  *      *       0.0.0.0/0            10.1.1.5            udp dpt:30000 
    
    Chain wanin (1 references)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.1.1.5            tcp dpt:30000 
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.1.1.5            tcp dpt:33333 
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.1.1.5            tcp dpts:28000:28100 
    
    Chain wanout (1 references)
     pkts bytes target     prot opt in     out     source               destination 
     
  42. i1135t

    i1135t Network Guru Member

    And here is the output with the setting of "local MY ROUTER LAN IP" in my server config removed:
    Code:
    root@T1:/tmp/home/root# service firewall restart
    ..
    Done.
    root@T1:/tmp/home/root# iptables -t mangle -nvL; iptables -t nat -nvL; iptables 
    -t filter -nvL
    Chain PREROUTING (policy ACCEPT 380 packets, 310K bytes)
     pkts bytes target     prot opt in     out     source               destination         
      234  299K CONNMARK   all  --  vlan1  *       0.0.0.0/0            0.0.0.0/0           CONNMARK restore mask 0xff
    
    Chain INPUT (policy ACCEPT 393K packets, 116M bytes)
     pkts bytes target     prot opt in     out     source               destination         
    
    Chain FORWARD (policy ACCEPT 16M packets, 9690M bytes)
     pkts bytes target     prot opt in     out     source               destination         
      146 11666 QOSO       all  --  *      vlan1   0.0.0.0/0            0.0.0.0/0           
    
    Chain OUTPUT (policy ACCEPT 7 packets, 1868 bytes)
     pkts bytes target     prot opt in     out     source               destination         
        7  1868 QOSO       all  --  *      vlan1   0.0.0.0/0            0.0.0.0/0           
    
    Chain POSTROUTING (policy ACCEPT 16M packets, 9725M bytes)
     pkts bytes target     prot opt in     out     source               destination         
    
    Chain QOSO (2 references)
     pkts bytes target     prot opt in     out     source               destination         
      153 13534 CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0           CONNMARK restore mask 0xff
      141 10587 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           CONNMARK match !0x0/0xff00 
        0     0 CONNMARK   udp  --  *      *       0.0.0.0/0            0.0.0.0/0           mport ports 53 CONNMARK set-return 0x101/0xff 
        0     0 CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0           MAC xx:xx:xx:xx:xx:xx CONNMARK set-return 0x106/0xff 
        0     0 CONNMARK   udp  --  *      *       0.0.0.0/0            0.0.0.0/0           mport ports 80,443,1194 CONNMARK set-return 0x102/0xff 
        2    96 CONNMARK   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           mport ports 80,443,1194 CONNMARK set-return 0x102/0xff 
        0     0 CONNMARK   udp  --  *      *       0.0.0.0/0            0.0.0.0/0           LAYER7 l7proto httpvideo CONNMARK set-return 0x102/0xff 
        0     0 CONNMARK   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           LAYER7 l7proto httpvideo CONNMARK set-return 0x102/0xff 
        0     0 CONNMARK   udp  --  *      *       0.0.0.0/0            0.0.0.0/0           mport ports 33333,28000:28100 CONNMARK set-return 0x7/0xff 
        0     0 CONNMARK   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           mport ports 33333,28000:28100 CONNMARK set-return 0x7/0xff 
        0     0 CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0           MAC xx:xx:xx:xx:xx:xx CONNMARK set-return 0x3/0xff 
       10  2851 CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0           CONNMARK set-return 0x9 
    Chain PREROUTING (policy ACCEPT 2 packets, 96 bytes)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:443 
        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:1194 
        0     0 DROP       all  --  vlan1  *       0.0.0.0/0            10.1.1.0/24         
        0     0 DNAT       udp  --  *      *       10.1.1.0/24         !10.1.1.0/24         udp dpt:53 to:10.1.1.1 
        0     0 DNAT       icmp --  *      *       0.0.0.0/0            72.xxx.xxx.xxx      to:10.1.1.1 
        0     0 DNAT       tcp  --  *      *       0.0.0.0/0            72.xxx.xxx.xxx      tcp dpt:30000 to:10.1.1.5 
        0     0 DNAT       tcp  --  *      *       0.0.0.0/0            72.xxx.xxx.xxx      tcp dpt:33333 to:10.1.1.5 
        0     0 DNAT       tcp  --  *      *       0.0.0.0/0            72.xxx.xxx.xxx      tcp dpts:28000:28100 to:10.1.1.5 
        3   389 upnp       all  --  *      *       0.0.0.0/0            72.xxx.xxx.xxx      
    
    Chain POSTROUTING (policy ACCEPT 3 packets, 389 bytes)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 SNAT       tcp  --  *      *       10.1.1.0/24          10.1.1.5            tcp dpt:30000 to:72.xxx.xxx.xxx 
        0     0 SNAT       tcp  --  *      *       10.1.1.0/24          10.1.1.5            tcp dpt:33333 to:72.xxx.xxx.xxx 
        0     0 SNAT       tcp  --  *      *       10.1.1.0/24          10.1.1.5            tcp dpts:28000:28100 to:72.xxx.xxx.xxx 
        2    96 MASQUERADE  all  --  *      vlan1   0.0.0.0/0            0.0.0.0/0           
    
    Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination         
    
    Chain upnp (1 references)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:57474 to:10.1.1.6:57474 
        0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:57474 to:10.1.1.6:57474 
        0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:30000 to:10.1.1.5:30000 
        3   389 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:30000 to:10.1.1.5:30000 
    Chain INPUT (policy DROP 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 ACCEPT     all  --  tun21  *       0.0.0.0/0            0.0.0.0/0           
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:443 
        0     0 ACCEPT     all  --  tun22  *       0.0.0.0/0            0.0.0.0/0           
        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:1194 
        0     0 DROP       all  --  br0    *       0.0.0.0/0            72.xxx.xxx.xxx      
        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID 
       21  1332 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
        0     0 shlimit    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22 state NEW 
        0     0 shlimit    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:23 state NEW 
        0     0 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0           
        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    
    Chain FORWARD (policy DROP 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 ACCEPT     all  --  tun21  *       0.0.0.0/0            0.0.0.0/0           
        0     0 ACCEPT     all  --  tun22  *       0.0.0.0/0            0.0.0.0/0           
        0     0 ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0/0           
        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID 
        0     0 TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x02 tcpmss match 1461:65535 TCPMSS set 1460 
      147 11706 restrict   all  --  *      vlan1   0.0.0.0/0            0.0.0.0/0           
      223  298K L7in       all  --  vlan1  *       0.0.0.0/0            0.0.0.0/0           
      365  309K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
        3   389 wanin      all  --  vlan1  *       0.0.0.0/0            0.0.0.0/0           
        2    96 wanout     all  --  *      vlan1   0.0.0.0/0            0.0.0.0/0           
        2    96 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0           
        3   389 upnp       all  --  vlan1  *       0.0.0.0/0            0.0.0.0/0           
    
    Chain OUTPUT (policy ACCEPT 21 packets, 9132 bytes)
     pkts bytes target     prot opt in     out     source               destination         
    
    Chain L7in (1 references)
     pkts bytes target     prot opt in     out     source               destination         
      180  269K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           LAYER7 l7proto httpvideo 
    
    Chain rdev01 (0 references)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           MAC xx:xx:xx:xx:xx:xx
    
    Chain rdev02 (1 references)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           MAC xx:xx:xx:xx:xx:xx
    
    Chain rdev03 (0 references)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           MAC xx:xx:xx:xx:xx:xx
    
    Chain rdev04 (0 references)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           MAC xx:xx:xx:xx:xx:xx
    
    Chain restrict (1 references)
     pkts bytes target     prot opt in     out     source               destination         
      146 11666 rdev02     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    
    Chain shlimit (2 references)
     pkts bytes target     prot opt in     out     source               destination         
        0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0           recent: SET name: shlimit side: source 
        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           recent: UPDATE seconds: 60 hit_count: 3 name: shlimit side: source 
    
    Chain upnp (1 references)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.1.1.6            tcp dpt:57474 
        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            10.1.1.6            udp dpt:57474 
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.1.1.5            tcp dpt:30000 
        3   389 ACCEPT     udp  --  *      *       0.0.0.0/0            10.1.1.5            udp dpt:30000 
    
    Chain wanin (1 references)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.1.1.5            tcp dpt:30000 
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.1.1.5            tcp dpt:33333 
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.1.1.5            tcp dpts:28000:28100 
    
    Chain wanout (1 references)
     pkts bytes target     prot opt in     out     source               destination         
    root@T1:/tmp/home/root# iptables -t nat -I PREROUTING -p `nvram get vpn_server2_proto | sed 's/-.*$//'` -i `nvram get wan_ifname` --dport 53 -j DNAT --to-destination `nvram get lan_ipaddr`:`nvram get vpn_server2_port`;
      iptables -t nat -I POSTROUTING -p `nvram get vpn_server2_proto | sed 's/-.*$//'` -o `nvram get wan_ifname`  --sport 1194 -j SNAT --to-source `nvram get wan_ipaddr`:53;
      iptables -I INPUT -p udp --dport `nvram get vpn_server2_port` -j ACCEPT;
      iptables -I INPUT -i `nvram get vpn_server2_if`21 -j ACCEPT;
      iptables -I FORWARD -i `nvram get vpn_server2_if`21 -j ACCEPT;
      iptables -t nat -I PREROUTING -p `nvram get vpn_server2_proto | sed 's/-.*$//'` -i `nvram get wan_ifname` --dport 53 -j LOG --log-prefix="DNAT: ";
      iptables -t nat -I POSTROUTING -p `nvram get vpn_server2_proto | sed 's/-.*$//'` -o `nvram get wan_ifname`  --sport 1194 -j LOG --log-prefix="SNAT: "
    
    RAN CONNECTION TEST HERE, THEN OUTPUTTED RESULTS
    
    root@T1:/tmp/home/root# iptables -t mangle -nvL; iptables -t nat -nvL; iptables 
    -t filter -nvL
    Chain PREROUTING (policy ACCEPT 5597 packets, 4703K bytes)
     pkts bytes target     prot opt in     out     source               destination         
     3392 4510K CONNMARK   all  --  vlan1  *       0.0.0.0/0            0.0.0.0/0           CONNMARK restore mask 0xff
    
    Chain INPUT (policy ACCEPT 393K packets, 116M bytes)
     pkts bytes target     prot opt in     out     source               destination         
    
    Chain FORWARD (policy ACCEPT 16M packets, 9694M bytes)
     pkts bytes target     prot opt in     out     source               destination         
     2139  170K QOSO       all  --  *      vlan1   0.0.0.0/0            0.0.0.0/0           
    
    Chain OUTPUT (policy ACCEPT 106 packets, 29518 bytes)
     pkts bytes target     prot opt in     out     source               destination         
       98 26772 QOSO       all  --  *      vlan1   0.0.0.0/0            0.0.0.0/0           
    
    Chain POSTROUTING (policy ACCEPT 16M packets, 9729M bytes)
     pkts bytes target     prot opt in     out     source               destination         
    
    Chain QOSO (2 references)
     pkts bytes target     prot opt in     out     source               destination         
     2237  197K CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0           CONNMARK restore mask 0xff
     2032  139K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           CONNMARK match !0x0/0xff00 
        0     0 CONNMARK   udp  --  *      *       0.0.0.0/0            0.0.0.0/0           mport ports 53 CONNMARK set-return 0x101/0xff 
        1    76 CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0           MAC xx:xx:xx:xx:xx:xx CONNMARK set-return 0x106/0xff 
       48  3612 CONNMARK   udp  --  *      *       0.0.0.0/0            0.0.0.0/0           mport ports 80,443,1194 CONNMARK set-return 0x102/0xff 
        3   144 CONNMARK   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           mport ports 80,443,1194 CONNMARK set-return 0x102/0xff 
        0     0 CONNMARK   udp  --  *      *       0.0.0.0/0            0.0.0.0/0           LAYER7 l7proto httpvideo CONNMARK set-return 0x102/0xff 
        0     0 CONNMARK   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           LAYER7 l7proto httpvideo CONNMARK set-return 0x102/0xff 
        0     0 CONNMARK   udp  --  *      *       0.0.0.0/0            0.0.0.0/0           mport ports 33333,28000:28100 CONNMARK set-return 0x7/0xff 
        0     0 CONNMARK   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           mport ports 33333,28000:28100 CONNMARK set-return 0x7/0xff 
        0     0 CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0           MAC xx:xx:xx:xx:xx:xx CONNMARK set-return 0x3/0xff 
      153 53915 CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0           CONNMARK set-return 0x9 
    Chain PREROUTING (policy ACCEPT 57 packets, 18161 bytes)
     pkts bytes target     prot opt in     out     source               destination         
        1    70 LOG        udp  --  vlan1  *       0.0.0.0/0            0.0.0.0/0           udp dpt:53 LOG flags 0 level 4 prefix `DNAT: ' 
        1    70 DNAT       udp  --  vlan1  *       0.0.0.0/0            0.0.0.0/0           udp dpt:53 to:10.1.1.1:1194 
        1    48 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:443 
        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:1194 
        0     0 DROP       all  --  vlan1  *       0.0.0.0/0            10.1.1.0/24         
        0     0 DNAT       udp  --  *      *       10.1.1.0/24         !10.1.1.0/24         udp dpt:53 to:10.1.1.1 
        0     0 DNAT       icmp --  *      *       0.0.0.0/0            72.xxx.xxx.xxx      to:10.1.1.1 
        0     0 DNAT       tcp  --  *      *       0.0.0.0/0            72.xxx.xxx.xxx      tcp dpt:30000 to:10.1.1.5 
        0     0 DNAT       tcp  --  *      *       0.0.0.0/0            72.xxx.xxx.xxx      tcp dpt:33333 to:10.1.1.5 
        0     0 DNAT       tcp  --  *      *       0.0.0.0/0            72.xxx.xxx.xxx      tcp dpts:28000:28100 to:10.1.1.5 
       99 12767 upnp       all  --  *      *       0.0.0.0/0            72.xxx.xxx.xxx      
    
    Chain POSTROUTING (policy ACCEPT 99 packets, 12990 bytes)
     pkts bytes target     prot opt in     out     source               destination         
       48  3612 LOG        udp  --  *      vlan1   0.0.0.0/0            0.0.0.0/0           udp spt:1194 LOG flags 0 level 4 prefix `SNAT: ' 
       48  3612 SNAT       udp  --  *      vlan1   0.0.0.0/0            0.0.0.0/0           udp spt:1194 to:72.xxx.xxx.xxx:53 
        0     0 SNAT       tcp  --  *      *       10.1.1.0/24          10.1.1.5            tcp dpt:30000 to:72.xxx.xxx.xxx 
        0     0 SNAT       tcp  --  *      *       10.1.1.0/24          10.1.1.5            tcp dpt:33333 to:72.xxx.xxx.xxx 
        0     0 SNAT       tcp  --  *      *       10.1.1.0/24          10.1.1.5            tcp dpts:28000:28100 to:72.xxx.xxx.xxx 
        4   220 MASQUERADE  all  --  *      vlan1   0.0.0.0/0            0.0.0.0/0           
    
    Chain OUTPUT (policy ACCEPT 49 packets, 3898 bytes)
     pkts bytes target     prot opt in     out     source               destination         
    
    Chain upnp (1 references)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:57474 to:10.1.1.6:57474 
        0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:57474 to:10.1.1.6:57474 
        0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:30000 to:10.1.1.5:30000 
       98 12704 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:30000 to:10.1.1.5:30000 
    Chain INPUT (policy DROP 21 packets, 6241 bytes)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 ACCEPT     all  --  tun21  *       0.0.0.0/0            0.0.0.0/0           
       27  1890 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:1194 
        0     0 ACCEPT     all  --  tun21  *       0.0.0.0/0            0.0.0.0/0           
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:443 
        0     0 ACCEPT     all  --  tun22  *       0.0.0.0/0            0.0.0.0/0           
        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:1194 
        0     0 DROP       all  --  br0    *       0.0.0.0/0            72.xxx.xxx.xxx      
        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID 
       67  4108 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
        0     0 shlimit    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22 state NEW 
        0     0 shlimit    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:23 state NEW 
       66 23496 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0           
        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    
    Chain FORWARD (policy DROP 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 ACCEPT     all  --  tun21  *       0.0.0.0/0            0.0.0.0/0           
        0     0 ACCEPT     all  --  tun21  *       0.0.0.0/0            0.0.0.0/0           
        0     0 ACCEPT     all  --  tun22  *       0.0.0.0/0            0.0.0.0/0           
        0     0 ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0/0           
        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID 
        0     0 TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x02 tcpmss match 1461:65535 TCPMSS set 1460 
     2144  170K restrict   all  --  *      vlan1   0.0.0.0/0            0.0.0.0/0           
     3302 4511K L7in       all  --  vlan1  *       0.0.0.0/0            0.0.0.0/0           
     5344 4668K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
       98 12704 wanin      all  --  vlan1  *       0.0.0.0/0            0.0.0.0/0           
        4   220 wanout     all  --  *      vlan1   0.0.0.0/0            0.0.0.0/0           
        4   220 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0           
       98 12704 upnp       all  --  vlan1  *       0.0.0.0/0            0.0.0.0/0           
    
    Chain OUTPUT (policy ACCEPT 126 packets, 38974 bytes)
     pkts bytes target     prot opt in     out     source               destination         
    
    Chain L7in (1 references)
     pkts bytes target     prot opt in     out     source               destination         
     2794 4181K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           LAYER7 l7proto httpvideo 
    
    Chain rdev01 (0 references)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           MAC xx:xx:xx:xx:xx:xx
    
    Chain rdev02 (1 references)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           MAC xx:xx:xx:xx:xx:xx
    
    Chain rdev03 (0 references)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           MAC xx:xx:xx:xx:xx:xx
    
    Chain rdev04 (0 references)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           MAC xx:xx:xx:xx:xx:xx
    
    Chain restrict (1 references)
     pkts bytes target     prot opt in     out     source               destination         
     2143  170K rdev02     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    
    Chain shlimit (2 references)
     pkts bytes target     prot opt in     out     source               destination         
        0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0           recent: SET name: shlimit side: source 
        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           recent: UPDATE seconds: 60 hit_count: 3 name: shlimit side: source 
    
    Chain upnp (1 references)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.1.1.6            tcp dpt:57474 
        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            10.1.1.6            udp dpt:57474 
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.1.1.5            tcp dpt:30000 
       98 12704 ACCEPT     udp  --  *      *       0.0.0.0/0            10.1.1.5            udp dpt:30000 
    
    Chain wanin (1 references)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.1.1.5            tcp dpt:30000 
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.1.1.5            tcp dpt:33333 
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.1.1.5            tcp dpts:28000:28100 
    
    Chain wanout (1 references)
     pkts bytes target     prot opt in     out     source               destination 
     
  43. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I'm afraid I'm out of ideas :frown:
     
  44. i1135t

    i1135t Network Guru Member

    OK, well, thanks for trying. I will keep at it and if I figure it out or have some questions, I will re-post it here. Thanks anyways.
     
  45. Guzel

    Guzel Network Guru Member

  46. kamatschka

    kamatschka Network Guru Member

    I want to connect 2 networks over OpenVPN through WAN.
    I have a WRT54GS and so does my buddy. We have OpenVPN builds.

    The scenario we want to set up:

    LocalNetwork-ME <-> Router (192.168.50.20 OVPN-Server) <-> (DynDNS) WAN (DynDNS) <-> (192.168.50.25 OVPN-Client) Router <-> LocalNetwork-BUDDY.

    We want to join our local networks together, but surfing and Internet need to stay as they are. So we don't want to surf through each other's Internet connection like a proxy, only browse shared folders and play LAN games together...

    Is it possible? And can someone give me a tutorial or hints on how to configure this? Do we need only one server and one client set up on the routers, or do we need to set up a server and a client on each router?
     
  47. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Very possible. Just don't select "Redirect Internet Traffic" (defaults to disabled).

    If your games give the option to enter an IP address, use TUN. If they only work by discovering via broadcast messages, use TAP (causes some other complications, so only use this if necessary).

    You only need one server and one client.

    If you have questions about specific options, go ahead and post them.
     
  48. kamatschka

    kamatschka Network Guru Member

    So you suggest using TUN instead of TAP?

    So I configured it to use a static key and TAP. I can connect locally to the OpenVPN server running on the WRT54.

    Now I changed it to TUN and two IP addresses are showing up (Local/remote endpoint addresses). What are they representing? Is this the address-range pool that OpenVPN is giving the client(s)? What do I need to put in these fields? Can I leave the fields how they are?

    Amd do I need to Enable or disable "Create NAT on tunnel" on the Client?

    Here a Pic of what I mean regarding the endpoint addresses:
    [​IMG]
     
  49. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Unless you need broadcast messages to go across the tunnel, I strongly suggest it.

    Those are the addresses of the VPN endpoints. They should be on a subnet different from both the server and client LAN (which should be different from each other). They should be in the opposite order on the client router than on the server router (since which is "local" and "remote" is swapped).

    Adding the NAT option will make it so the server doesn't need to know about the client LAN. However, it also means that, while the client LAN computers could initiate connections with the server LAN, it would not work in reverse. If you leave it unchecked, you need to "teach" each side about the other with directives in the "Custom Config" section.

    HOWEVER, you can avoid everything above (endpoint addresses, NAT, custom config), if you were to use TLS instead of static key. TLS takes a couple more minutes to generate keys, but it is immensely easier to set up and manage for site-to-site situations.
     
  50. kamatschka

    kamatschka Network Guru Member

    Okay... I will go with TLS.

    I didn't manage to get my buddy's client router to connect with the static key configuration to my router with the OpenVPN server...

    My WRT54GS is not directly hooked up to the Internet. It is connected through LAN to my WiFi router (Netgear WNDR3700), which is connected through its WAN port to the Internet. So my configuration actually looks like this:

    [screenshot]

    Is it possible to establish such an OpenVPN connection if my WRT54GS with the OpenVPN server isn't the gateway?

    Thank you for your help!

    I really appreciate it!
     
  51. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Good choice. :wink:

    Since you can connect locally, be sure you have ports forwarded correctly on your 192.168.50.1 router.

    Absolutely, you'll just need to add a route to your 192.168.50.1 router stating to use your VPN router as a gateway to the 192.168.1.0/24 subnet.

    By the way, since you're already using different subnets on each side, it's a no-brainer to use TUN. You would have gained nothing from using TAP (other than additional overhead).
     
  52. kamatschka

    kamatschka Network Guru Member

    Thank you very much for your help. I am a real noob regarding OpenVPN configs, and I am really glad that someone is helping me with my questions no matter how stupid they seem! :D

    First, to be sure: by the 192.168.50.1 router you mean the router connected directly to the WAN and not the Tomato OpenVPN server?!

    I've forwarded port 1094 to the router running the OpenVPN server and it didn't work with the static-key configs. I also tried it with DMZ configured for the Tomato router and it didn't work either. From Ubuntu, using the DDNS address to connect to the OpenVPN server, the connection can be established. So the port must be open to the WAN?

    Here is a little log after connecting "locally" with the DDNS address from my Ubuntu notebook to the Tomato OpenVPN server:
    Code:
    Wed May 12 23:57:09 2010: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Wed May 12 23:57:09 2010: /usr/sbin/openvpn-vulnkey -q static.key
    Wed May 12 23:57:09 2010: WARNING: file 'static.key' is group or others accessible
    Wed May 12 23:57:09 2010: LZO compression initialized
    Wed May 12 23:57:09 2010: TUN/TAP device tun0 opened
    Wed May 12 23:57:09 2010: UDPv4 link local (bound): [undef]
    Wed May 12 23:57:09 2010: UDPv4 link remote: [AF_INET]85.176.xxx.xxx:1194
    Wed May 12 23:57:24 2010: Peer Connection Initiated with [AF_INET]85.176.xxx.xxx:1194
    Wed May 12 23:57:25 2010: Initialization Sequence Completed

    So I have now generated the key and certificate files locally on my Ubuntu notebook.
    I got these files after following this "tutorial" from the OpenVPN site: http://openvpn.net/index.php/open-source/documentation/howto.html#pki

    Code:
    01.pem
    02.pem
    ca.crt
    ca.key
    client.crt
    client.csr
    client.key
    dh1024.pem
    index.txt
    index.txt.attr
    index.txt.attr.old
    index.txt.old
    serial
    serial.old
    server.crt
    server.csr
    server.key

    The OpenVPN GUI on Tomato offers 4 fields (server) and 3 fields (client) to be filled with the key and certificate contents from the following files?:

    Server:
    1. Certificate Authority: ca.key or ca.crt?
    2. Server Certificate: server.crt
    3. Server Key: server.key
    4. DH Parameters: dh1024.pem

    Client:
    1. Certificate Authority: ca.key or ca.crt?
    2. Client Certificate: client.crt
    3. Client Key: client.key

    I only don't know whether to choose ca.key or ca.crt for the "Certificate Authority" field. I think it's ca.crt!

    So after filling the fields with the contents of the files on the server and client, I only need to configure a route on the Netgear router to use the Tomato OpenVPN router as a gateway to my buddy's subnet (192.168.1.0)?!

    I would configure the static route like this (is this correct?):

    Destination IP Address: the subnet IP (192.168.1.0) of my buddy's network, or the router itself (192.168.1.1)?
    IP Subnet Mask: 255.255.255.0
    Gateway IP Address: 192.168.50.21 (IP of the Tomato router running OpenVPN)
    Metric: 2, because there are 2 routers in my LAN..
    [screenshot]

    Thank you very much and greetings from Germany :D
     
  53. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Yep.

    If it works from inside your WAN-facing router, but not from outside it, I would think the problem would be with that router. Does anything show up on your Tomato router when you try to connect from the WAN?

    You're correct.

    That will tell your LAN to use the VPN server to reach your buddy's LAN. You'll also need to tell the VPN server about that fact. However, with TLS, it's easy. Select "Manage client-specific options" and enter his LAN info into the table that pops up. Since you're using TLS, his LAN will automatically know about yours.

    Looks good. :smile:

    However, it's not because there are 2 routers on your LAN. It's because it takes 2 hops to get there.
     
  54. kamatschka

    kamatschka Network Guru Member

    Hi there... we managed to connect to each other's routers.

    We have issues pinging each other's local PCs. It doesn't work, and we cannot access each other's SMB shares.

    The configuration looks like this:

    VPN-Server-Basic (screenshot)

    VPN-Server-Advanced (screenshot)

    VPN-Server-Status (screenshot)

    Routing (I didn't configure it manually) (screenshot)

    Is there something configured wrong? So the main issue is that we cannot ping each other's local computers. I've enabled responding to WAN ping on both my routers. It doesn't work. And shares don't show up. We are in the same WORKGROUP! :D ...

    Thank you for your help getting my OpenVPN configuration this far... now I think it's only a minor configuration problem to get the remaining things (pinging and SMB shares) working. Manually accessing the shares through the local IP doesn't work either...

    Thank you in advance... I think I will write a "noob-proof" tutorial for router-to-router OpenVPN configuration.

    Greetings from cloudy Germany...

    kama
     
  55. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    You can get rid of the Custom Config entry. The "Client-specific options" table entry takes care of that.

    Other than that, everything there looks fine. The OpenVPN routing table even shows your buddy's computer (192.168.1.135).

    Can you ping 192.168.1.135 from the VPN server router?

    Because of the way windows file sharing works, being on different subnets means that your buddy's computers won't show up in "Network Neighborhood". However, once things are working, you should be able to connect to his shares via IP address.
     
  56. kamatschka

    kamatschka Network Guru Member

    So I can ping 192.168.1.1 from the router with the VPN server, but cannot ping it from my laptop (Win7 & Ubuntu). I cannot ping 192.168.1.135 from either the OpenVPN server router or my laptop.

    So the ping results look like this:

    Ping results from my network to my buddy's:
    PING OpenVPN-Server -> 192.168.1.1 (router from buddy): ca. 75-80 ms
    PING MY-LAPTOP -> 192.168.1.1 (router from buddy): ca. 75-80 ms
    PING OpenVPN-Server -> 192.168.1.135 (client PC from buddy): no response, packet loss 100%
    PING MY-LAPTOP -> 192.168.1.135 (client PC from buddy): no response, packet loss 100%

    Ping results from my buddy's PC to my network:
    PING CLIENT-BUDDY (192.168.1.135) -> 192.168.50.11 (my router connected to WAN): works with ca. 75-80 ms
    PING CLIENT-BUDDY (192.168.1.135) -> 192.168.50.12 (my router with OpenVPN server): works with ca. 75-80 ms
    PING CLIENT-BUDDY (192.168.1.135) -> 192.168.50.149 (my laptop): no response, packet loss 100%

    Ping results from my buddy's Tomato router (VPN client) to my network:
    PING Router(OVPN-Client)-BUDDY (192.168.1.1) -> 192.168.50.11 (my router connected to WAN): works with ca. 75-80 ms
    PING Router(OVPN-Client)-BUDDY (192.168.1.1) -> 192.168.50.12 (my router with OpenVPN server): works with ca. 75-80 ms
    PING Router(OVPN-Client)-BUDDY (192.168.1.1) -> 192.168.50.149 (my laptop): no response, packet loss 100%

    So the problem seems to be that no client behind the routers can be pinged, nor can shares be accessed. I have a hard disk plugged directly into my router which is connected to the WAN, and the SMB shares from the router itself can be accessed by my buddy. He can write to and read from the hard disk. It seems that all clients behind the routers cannot be accessed, but the content of an HDD plugged directly into my router can be accessed...

    Also gaming doesn't work. A hosted game doesn't show up on the other network...

    I think that's a routing problem... I think some entries need to be made in the routing table on both sides (on my network and on my buddy's network).

    Oh man... I am really glad that I got this far... now it's only an itsy-bitsy thing left... :D

    Greetings from Germany..
    ----------

    EDIT
    So I played with the static routes section of my Netgear router (192.168.50.11), which is connected directly to the WAN, and I put the following static route in. It is the second entry (Entry No. 2: openVPNstuff2) which made it possible to ping my clients (e.g. my laptop) behind the router.

    [screenshot]

    After my buddy said that he could ping me now, I was like "holy sh**" :D ...
    After some logical thinking I then told him to put the following in the static routes of his router, which is running the OpenVPN client:

    [screenshot]
    (Don't mind the 213.xxx.xxx.xxx IP. This is the DNS of his DSL provider. I don't know why it's in the routing table there.)

    This didn't work. Also with this entry I cannot ping his clients behind his router. What entry should he use on his router so I can ping his computers behind the router? Do I need to use 127.0.0.1 or the "normal" local IP 192.168.1.1 of his router?

    Thank you very much....

    ----------

    EDIT2

    Now I can ping all his clients connected to his router and he can ping my clients connected to my router.
    The main issue now is that we cannot access the shares on our computers, neither from Linux nor from Win7. What could be the problem here?
    I disabled the Windows firewall to see if this is the issue, but he still cannot map my network shares.
    Accessing the SMB shares on my router does indeed work, but not accessing the clients' network shares behind the router...

    ----------

    EDIT3

    I read that TUN doesn't use NetBIOS, so games where you aren't able to enter the server IP directly, or network shares, won't be possible. So I decided to use TAP instead of TUN, but when my buddy wants to save his client configuration the following error shows up:

    Invlid IP Address
    [screenshot]
    We tried it with the DNS address and with the direct IP which I got from the provider.

    I read that this issue has something to do with unfilled text fields in the Client 2 configuration. The save process also checks the fields of Client 2 instead of only checking the fields of Client 1...
    Do you know any solution to this?

    Thank you

    Greetings from Germany

    kama

    ----------

    EDIT4

    Oh damn... he also cannot save the TUN configurations anymore... I think he needs to do an NVRAM reset?!

    Greetz kama
     
  57. karog

    karog Networkin' Nut Member

    OpenVPN using port 53

    I had this same question a few months ago using DD-WRT on a WHR-HP-G54. I found the solution in their threads. Last week I got an ASUS RT-N16 and installed Teddy Bear's Tomato VPN mod. I tried the same solution and it works like a charm. I don't think it matters: I use bridged (TAP), but I don't see why TUN shouldn't be the same in this regard.

    It takes this single iptables rule added to Administration>Scripts>Firewall

    iptables -t nat -I PREROUTING -p udp -i vlan2 --dst myhost.dyndns.org --dport 53 -j REDIRECT --to-ports 1194

    assuming you set your VPN server to use port 1194. It will then respond to clients using either 1194 or 53.

    You need to check that the proper interface (-i arg) for your setup is vlan2, which should be the WAN interface. You can check by looking under Advanced>Routing in the Interface column of the Current Routing Table. If for some reason your WAN is on a different VLAN, adjust the rule accordingly. Or I suppose you could use an NVRAM lookup command.

    Also, the --dst arg should be adjusted to the host name you provide your DDNS for your router. This will be looked up and replaced with its current WAN IP address. Again, you might be able to use an NVRAM command to get this.

    I hope this works for you. - karog
     
  58. kamatschka

    kamatschka Network Guru Member

    The "Wrong IP Address" issue was NVRAM corruption... erasing the NVRAM solved this.

    So I managed to get my buddy connected to my VPN server using the TAP interface type.

    On my local LAN I am using the subnet 192.168.50.0, and my buddy 192.168.1.0.

    So this is how the configuration looks on the server:
    VPN SERVER BASIC: (screenshot)

    VPN SERVER ADVANCED: (screenshot)

    VPN SERVER STATUS: (screenshot)

    VPN SERVER ROUTING: (screenshot)

    And on the client it looks like this:

    VPN CLIENT BASIC: (screenshot)

    VPN CLIENT ADVANCED: (screenshot)

    VPN CLIENT STATUS: (screenshot)

    VPN CLIENT (screenshot)

    So my problem is that we cannot ping each other's local IPs, cannot access shares and cannot play games which do not use IP addresses for discovering game servers. And I've configured on the VPN server that the address range for the VPN clients comes from the DHCP server. Does the VPN server give the local PCs behind my buddy's VPN server an IP from my local DHCP IP address pool? I read SgtPepperKSU's first post in this thread where he describes the VPN options, and there he says that the DHCP on the VPN gives other addresses than the DHCP server which is configured for the LAN? But how can I determine which addresses are used for the PCs behind my buddy's VPN client?

    Thank you very much for your help. I learned a lot but I cannot determine the issue here. The server status shows that the VPN client is connected, and on the client side the status also shows some bytes sent and received..

    It would be nice if someone could give me a hint so I can solve this problem...

    Thank you very much SgtPepperKSU. Greetings from the sunny but cold Germany.

    kama
     
  59. i1135t

    i1135t Network Guru Member

    Thanks for the reply. I am running Tomato on K24 and it looks like the built-in iptables does not have a REDIRECT table and does not understand the --to-ports option.
     
  60. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    First, since you're using separate subnets on the server and client LANs, you gain nothing but inefficiency by using TAP. I suggest you use TUN. It is a much simpler mechanism.

    The DHCP mentioned there is for what addresses are given to the VPN clients' VPN interface. In your case, that is just the client router, not the computers behind it (it's still up to the client router to assign them addresses). Using TUN will make that irrelevant anyway, though (you'll notice the option go away completely). If you stick with TAP (I don't recommend it, unless you specifically need it), DHCP is fine.

    Since you filled out the "Client Specific Options" table, you can remove the "create NAT on tunnel" option on the client. That is only necessary if you need the client to look like a single computer. Since, by filling out that table, you taught it what the client LAN looks like, you don't need to do that any more.
     
  61. karog

    karog Networkin' Nut Member

    Well I am running K26. Can you upgrade?

    In the rule:

    iptables -t nat -I PREROUTING -p udp -i vlan2 --dst myhost.dyndns.org --dport 53 -j REDIRECT --to-ports 1194

    nat is the table, PREROUTING is the chain, REDIRECT is the target ie the action like ACCEPT or DROP, and --to-ports is a parameter of the REDIRECT so it just rewrites the destination port from 53 to 1194.

    Looking at iptables I find the following injected (my WAN IP obscured as the destination):
    Code:
    Chain PREROUTING (policy ACCEPT 38 packets, 4537 bytes)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 REDIRECT   udp  --  vlan2  *       0.0.0.0/0            xxx.xxx.xxx.xxx      udp dpt:53 redir ports 1194
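
    As an added example, not code from the thread or from the Tomato project, the shell below builds karog's rule from the WAN interface and address and checks an `iptables -t nat -L PREROUTING -vn` listing like the one above for it. It assumes Tomato's `nvram get wan_ifname` and `nvram get wan_ipaddr` for the NVRAM lookups karog mentions, and offers a DNAT form of the same port rewrite for builds where the REDIRECT target is missing (i1135t's K24 case); the sample listing and the 203.0.113.10 address in it are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from Tomato: build the NAT rule
# karog describes (accept OpenVPN on UDP/53 as well as 1194) and verify it
# against "iptables -t nat -L PREROUTING -vn" output. Assumptions, labelled:
#   - on Tomato, `nvram get wan_ifname` / `nvram get wan_ipaddr` give the WAN
#     interface and current WAN address (used only when no arguments are given);
#   - the REDIRECT target exists (karog's K26 build); for builds without it
#     (i1135t's K24 report) an equivalent DNAT rule can be emitted instead.

# Print the iptables command line without running it.
#   $1 WAN interface, $2 value for --dst (DDNS name or WAN IP),
#   $3 OpenVPN port, $4 "redirect" (default) or "dnat"
build_redirect_rule() {
    wanif=$1; dst=$2; port=$3; mode=${4:-redirect}
    if [ "$mode" = dnat ]; then
        # DNAT needs a literal address to rewrite to, so $2 must be the WAN IP here
        printf 'iptables -t nat -I PREROUTING -p udp -i %s --dst %s --dport 53 -j DNAT --to-destination %s:%s\n' \
            "$wanif" "$dst" "$dst" "$port"
    else
        printf 'iptables -t nat -I PREROUTING -p udp -i %s --dst %s --dport 53 -j REDIRECT --to-ports %s\n' \
            "$wanif" "$dst" "$port"
    fi
}

# Read "iptables -t nat -L PREROUTING -vn" output on stdin; return 0 when a
# rule that sends UDP/53 arriving on interface $1 to port $2 is present.
# Columns: pkts bytes target prot opt in out source destination [match info]
redirect_rule_present() {
    awk -v ifc="$1" -v port="$2" '
        $4 == "udp" && $6 == ifc && /udp dpt:53/ {
            if ($3 == "REDIRECT" && $12 == "redir" && $14 == port) found = 1
            if ($3 == "DNAT" && $NF ~ ("^to:.*:" port "$")) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Constructed listing in the shape karog posted (WAN address replaced by a
# TEST-NET-3 value).
SAMPLE_PREROUTING='Chain PREROUTING (policy ACCEPT 38 packets, 4537 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REDIRECT   udp  --  vlan2  *       0.0.0.0/0            203.0.113.10         udp dpt:53 redir ports 1194'

# What would go into Administration > Scripts > Firewall: take the WAN
# interface and address from NVRAM and insert the rule only if it is not
# already there (the firewall script re-runs on every WAN change, so guard
# against stacking duplicates). Does nothing where iptables/nvram are absent.
install_dns_port_rule() {
    port=${1:-1194}
    command -v iptables >/dev/null 2>&1 && command -v nvram >/dev/null 2>&1 || return 0
    wanif=$(nvram get wan_ifname); wanip=$(nvram get wan_ipaddr)
    if iptables -t nat -L PREROUTING -vn | redirect_rule_present "$wanif" "$port"; then
        echo "rule already present on $wanif"
        return 0
    fi
    rule=$(build_redirect_rule "$wanif" "$wanip" "$port")
    $rule   # every token is a plain word, so word-splitting runs it as typed
}
```

    The rule matches only UDP/53 that arrives on the WAN interface addressed to the router's own WAN address, so LAN clients talking to dnsmasq are untouched. A DDNS name given to --dst is resolved once, at insert time, which is why the Firewall script is the right place for it: Tomato re-runs that script when the WAN comes up, so the rule follows address changes.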
    
     
  62. i1135t

    i1135t Network Guru Member

    Sorry, no can do since it's compiled into the firmware. SgtPepper and I have tried other things with no luck. It feels like I am so close and can almost get it to work, but fall short at the end. I might throw in the towel until I move to the new Asus that supports the 2.6 kernel if that's the case.

    One last thing I cannot explain is why the built in dnsmasq binds to vlan1, even though I tell it not to in the config file. If I can get past that roadblock, then I can do further testing, but so far, no luck... I do appreciate everyone who has helped so far, unfortunately, I'm stuck for the moment.
     
  63. karog

    karog Networkin' Nut Member

    As SgtPepperKSU notes, TUN (routed) is more efficient than TAP (bridged).

    But notice that though you specified TAP, you actually got TUN anyway!

    If you look near the bottom of the VPN Client Configuration Basic, you will see a Warning in red next to the checkbox labeled "Server is on the same subnet" which is unchecked as it should be since the subnets are indeed different. It states: "Warning: Cannot bridge distinct subnets. Defaulting to routed mode." which means TUN.

    Also, if you look under Current Routing Table for VPN SERVER ROUTING, you will see 3 lines with the interface tun22. You will also notice that the VPN has the new subnet 10.8.0.0/24 with 10.8.0.1 assigned to the client and 10.8.0.2 assigned to the server.

    Packets on the server LAN subnet 192.168.50.0/24 destined for the client LAN subnet 192.168.1.0/24 are sent to 10.8.0.2, the server router, which is the gateway bound to the tun22 interface which forwards the packets over the VPN tun22 interface to the client.

    As previously noted, TUN is more efficient than TAP and should be used unless you need capabilities only TAP can provide like broadcast packets reaching all hosts on both LANs.

    You might be able to achieve TAP if one of the LANs is willing to adopt the subnet of the other and if the two LANs coordinate IPs so that there is no overlap. You might allocate hosts 1-127 to one LAN and 128-254 to the other in their respective DHCPs. The router in the latter group would have to have a host number in the proper range, i.e. not 1 but say 128. You would also need to check the checkbox mentioned above to note that the subnets are now the same. I believe you would also want to uncheck "Create NAT on tunnel" on the client Basic tab. I haven't tried this so it is just an educated guess.
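
    To make the routing in karog's post and the static-route question in posts 52/53 concrete, here is an added example (not code from the thread or from Tomato): a small POSIX shell routine that does longest-prefix lookup over a constructed routing table and checks that server LAN, client LAN and tunnel network are pairwise disjoint, the condition a routed tunnel needs and the reason the GUI refuses to bridge distinct subnets. The tables are built from addresses in the thread (192.168.50.11 WAN router, 192.168.50.12 VPN router, 10.8.0.2 on tun22); `br0` for the Tomato LAN bridge and the `lan` interface name on the Netgear are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from Tomato: longest-prefix route
# lookup and a subnet-overlap check for the three networks a routed (TUN)
# site-to-site tunnel must keep distinct. Addresses are constructed from the
# thread: server LAN 192.168.50.0/24 (WAN router .11, VPN router .12), client
# LAN 192.168.1.0/24, tunnel 10.8.0.0/24 with the server end 10.8.0.2 on tun22.
# br0 (Tomato LAN bridge) and "lan" (Netgear) are assumed interface names.

# Dotted quad -> unsigned 32-bit integer
ip2int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Prefix length (0..32) -> netmask as an integer
prefix2mask() {
    [ "$1" -eq 0 ] && { echo 0; return; }
    echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
}

# Return 0 when two CIDR networks share at least one address
subnets_overlap() {
    n1=${1%/*}; p1=${1#*/}; n2=${2%/*}; p2=${2#*/}
    # compare on the shorter prefix: if the leading bits agree, one contains the other
    if [ "$p1" -lt "$p2" ]; then p=$p1; else p=$p2; fi
    m=$(prefix2mask "$p")
    [ $(( $(ip2int "$n1") & m )) -eq $(( $(ip2int "$n2") & m )) ]
}

# Pairwise check of server LAN $1, client LAN $2 and tunnel network $3.
# Prints each overlapping pair; returns 1 if any overlap was found.
check_site_to_site() {
    s=$1; c=$2; t=$3; rc=0
    for pair in "$s $c" "$s $t" "$c $t"; do
        a=${pair% *}; b=${pair#* }
        if subnets_overlap "$a" "$b"; then
            echo "overlap: $a and $b"
            rc=1
        fi
    done
    return $rc
}

# Longest-prefix match: reads "network/prefix gateway interface" lines from
# stdin and prints "gateway interface" for destination $1 (empty if no route).
route_lookup() {
    dst=$(ip2int "$1"); best=-1; out=""
    while read -r net gw ifc; do
        case $net in ""|\#*) continue ;; esac
        n=${net%/*}; p=${net#*/}; m=$(prefix2mask "$p")
        if [ $(( dst & m )) -eq $(( $(ip2int "$n") & m )) ] && [ "$p" -gt "$best" ]; then
            best=$p; out="$gw $ifc"
        fi
    done
    echo "$out"
}

# Constructed table of the Tomato VPN server, following karog's reading of the
# "VPN SERVER ROUTING" screenshot. Gateway 0.0.0.0 = directly connected.
VPN_ROUTER_ROUTES='0.0.0.0/0 192.168.50.11 vlan2
192.168.50.0/24 0.0.0.0 br0
10.8.0.0/24 0.0.0.0 tun22
192.168.1.0/24 10.8.0.2 tun22'

# Constructed table of the WAN-facing Netgear after the static route from the
# thread is added: the buddy's LAN is reached via the VPN router (hop 1 of 2).
WAN_ROUTER_ROUTES='192.168.50.0/24 0.0.0.0 lan
192.168.1.0/24 192.168.50.12 lan'

# First hop from a LAN PC (its default gateway is the Netgear)
first_hop_from_lan() { printf '%s\n' "$WAN_ROUTER_ROUTES" | route_lookup "$1"; }

# Second hop, as the VPN router sees it
second_hop_from_vpn_router() { printf '%s\n' "$VPN_ROUTER_ROUTES" | route_lookup "$1"; }

if check_site_to_site 192.168.50.0/24 192.168.1.0/24 10.8.0.0/24; then
    echo "subnets distinct; 192.168.1.135 via $(first_hop_from_lan 192.168.1.135), then $(second_hop_from_vpn_router 192.168.1.135)"
fi
```

    The two-hop lookup is the "metric 2" SgtPepperKSU explains: a LAN PC hands the packet to the Netgear, whose static route points at the VPN router, whose own table sends it into tun22. The overlap check fails loudly on the configuration karog sketches for TAP (both sides on one subnet), which is exactly the case where only a bridge, not routing, can work.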
     
  64. rs232

    rs232 Network Guru Member

    SgtPepperKSU would you consider adding the wireless auto-channel function to your already excellent mod?
    That would really help, thanks!
     
  65. ehunt123

    ehunt123 Networkin' Nut Member

    Could a script be included in the web interface to check against your specific RSS feed for releases? It might be a handy thing for admins when you log in.
     
  66. snicker

    snicker Guest

    client-to-client mode in tomato.

    Hey! Trying to get OpenVPN's client-to-client mode working properly.

    If I add client-to-client to my custom configuration, OpenVPN complains about not having mode server, and then complains about tls-server. Then it says I can only have one of tls-server, secret, or tls-client in the config.

    How can I get this configured to have client-to-client mode?
     
  67. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Client to client mode is only possible in a TLS server config. Where are you trying to put it?
     
  68. colecaz

    colecaz Guest

    Many thanks for TomatoVPN

    Sgt Pepper, I can't say thanks enough. I've been fighting DD-WRT on three different routers for over two weeks trying to get either OpenVPN or PPTP to work and all I have had is problems... Documentation (?) that sucks big time... I even bought a second IP address from Cox cable for home to be able to test and troubleshoot. :mad:

    And today I found your edition of Tomato and within 30 minutes IT WORKS!!

    Fortunately I had previously set up an OpenVPN server and clients using forwarding to a pc on the net for VPN, so I had all the certificates and keys that were proven to work.

    I just copied the PC server keys into Tomato, used the previous configs on my laptop that worked with the PC server and off we go...

    I knew it didn't have to be so hard.

    Good work...

    Cole
    Retired Electrical/Software Engr :biggrin:
     
  69. kenyloveg

    kenyloveg LI Guru Member

    What about mixing DD-WRT and Tomato through OpenVPN tunneling?
     
  70. mclovin50

    mclovin50 Networkin' Nut Member

    With this firmware, do you still need another server to VPN into your home network? Or is the router now the VPN server?
     
  71. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    The router can work as either a VPN server or VPN client. You do not need another server on your home network.
     
  72. mclovin50

    mclovin50 Networkin' Nut Member

    Thanks

    Are there exact instructions how to configure the VPN server on the router? I have looked at the OpenVPN website, but it is a little confusing.

    There will be only one client connecting to the VPN.
     
  73. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    The default settings are probably sufficient, aside from generating certificates, for which the GUI provides a link to instructions.
     
  74. mclovin50

    mclovin50 Networkin' Nut Member

    I have generated the certs. How do I add the cert to the router? If possible, can you post example screenshots of what you have for your router?
     
  75. Frittenschmied

    Frittenschmied Addicted to LI Member

    Is it possible to add "IP/MAC Bandwidth Limiter" to your mod?
     
  76. mclovin50

    mclovin50 Networkin' Nut Member

    After being up all night lol, I managed to get the VPN going. Thanks
     
  77. mclovin50

    mclovin50 Networkin' Nut Member

    Instead of using certificates, is there a way to just use username/ passwords for authentication on the router/client?
     
  78. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Possible for someone to add it and make a release? Sure.

    Will I add it to my releases? Nope.
     
  79. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    It's currently not incorporated in the GUI (plan to add it for the next version), but it is possible. You'd have to add auth-user-pass-verify and client-cert-not-required (see the OpenVPN manpage) to the custom config and generate a password verification script in the Init script.
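
    As an added example, not code from the thread or from Tomato, this is the shape such a verification script can take in POSIX shell, suitable for being written out from the Init script. It follows OpenVPN's `via-file` convention (username on line 1, password on line 2 of the file passed as `$1`; exit status 0 accepts the login) and checks against a file of salted SHA-256 entries rather than plaintext passwords. `sha256sum`, `od` and the `/jffs/openvpn/users` path are assumptions; `script-security 2` is also needed in the custom config before OpenVPN will run an external script.

```shell
#!/bin/sh
# Added example, not code from the thread or from Tomato: a minimal
# password-verification script of the kind SgtPepperKSU refers to, used as
#     script-security 2
#     client-cert-not-required
#     auth-user-pass-verify /path/to/this-script.sh via-file
# With "via-file" OpenVPN writes the username on line 1 and the password on
# line 2 of a temporary file and passes its path as $1; exit 0 accepts, any
# other status rejects. Credentials are "user:salt:sha256(salt||password)"
# lines, so the file never holds a plaintext password. Assumptions (labelled):
# sha256sum and od exist (coreutils or busybox); the credentials path is
# hypothetical.

CREDS_DEFAULT=/jffs/openvpn/users   # hypothetical location on the router

# Hex SHA-256 of salt followed by password
hash_pw() {
    printf '%s%s' "$1" "$2" | sha256sum | cut -d' ' -f1
}

# Emit one credentials line for user $1 / password $2 with a fresh 8-byte salt
make_entry() {
    salt=$(head -c 8 /dev/urandom | od -An -tx1 | tr -d ' \n')
    printf '%s:%s:%s\n' "$1" "$salt" "$(hash_pw "$salt" "$2")"
}

# Return 0 when user $1 with password $2 matches a line in credentials file $3
check_credentials() {
    user=$1; pass=$2; file=$3
    [ -r "$file" ] || return 1
    entry=$(awk -F: -v u="$user" '$1 == u { print $2 ":" $3; exit }' "$file")
    [ -n "$entry" ] || return 1
    salt=${entry%%:*}; stored=${entry#*:}
    [ "$(hash_pw "$salt" "$pass")" = "$stored" ]
}

# Entry point OpenVPN invokes: $1 is the via-file, $2 (optional) overrides the
# credentials file. Empty fields and usernames containing the ':' separator
# are rejected so a crafted name cannot be read as a salt or hash.
verify_via_file() {
    f=$1; creds=${2:-$CREDS_DEFAULT}
    [ -r "$f" ] || return 1
    user=$(sed -n 1p "$f"); pass=$(sed -n 2p "$f")
    [ -n "$user" ] && [ -n "$pass" ] || return 1
    case $user in *:*) return 1 ;; esac
    check_credentials "$user" "$pass" "$creds"
}

# When executed by OpenVPN, judge the via-file and exit with the verdict.
if [ -n "$1" ] && [ -f "$1" ]; then
    verify_via_file "$1"
    exit $?
fi
```

    Entries are created with `make_entry alice 'pass phrase' >> /jffs/openvpn/users` and the file kept mode 600, since it is only read by the OpenVPN process. A single salted SHA-256 is what busybox tooling allows; on a full host the PAM plugin shipped with OpenVPN does the same job with a proper password store.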
     
  80. cgm8

    cgm8 Guest

    I am having same problem with TUN that will connect but unable to ping any pc on other side of the network. It works with TAP, so it seems something is not routing right with TUN.....



     
  81. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    What is your setup? Do you have a TomatoVPN router as the VPN server, the VPN client, or both? Can you ping from the VPN server to the client's VPN address? Vice versa? Can you ping to a "pc on other side of the network" from the VPN node (I don't know whether you're talking about the client or server here)?
     
  82. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Hmmm, I responded to this, but my post doesn't seem to be showing up in this thread. On the chance that it never does, and somehow this reply does... Here's the post:

    What is your setup? Do you have a TomatoVPN router as the VPN server, the VPN client, or both? Can you ping from the VPN server to the client's VPN address? Vice versa? Can you ping to a "pc on other side of the network" from the VPN node (I don't know whether you're talking about the client or server here)?
     
  83. ElZar

    ElZar Addicted to LI Member

    Bug?

    Hi SgtPepperKSU.

    I probably found a bug in your Tomato version. Or probably it's an original Tomato bug, and has nothing to do with your OVPN implementation.

    My WRT54GL with Tomato OpenVPN GUI Mod (newest version) is working in client mode. The subnet behind this client is also available for all machines in the server subnet (back route).
    If you now want to allow access to the Tomato client subnet to other VPN clients, you have to push the subnet behind the WRT router with the VPN server to all VPN clients (including the Tomato client).

    In this case, you are pushing its own subnet to the client, which leads to a freeze of the Tomato firmware. The firmware doesn't brick, but it hangs until you reboot.
     
  84. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Odd. It doesn't cause any such problem for me. Are you using the "Client-specific options" table to accomplish this or are you trying to do it yourself?
     
  85. ElZar

    ElZar Addicted to LI Member

    Yes, I'm using the client-specific options in the server config (for example the "ccd dir" option; the server is running on a real machine, not on a router) and the Client Config tab in the Tomato VPN GUI (if you meant that). On the client side you don't have to configure anything else (except the usual things). The router is now at our branch office, so I can't reproduce the error until our admin is there to restart the router. But as soon as I deleted the line "push [TomatoClient Subnet]" from the server config, Tomato didn't freeze anymore.
     
  86. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I meant using the Client-specific options table to push the clients' subnet to all the other clients (that's what the "Push" column does). Sounds like you're doing it manually in the custom configuration. I would recommend using the GUI option instead (you aren't by chance trying to use both at the same time, are you?).

    You say "push [TomatoClient Subnet]", but did you mean
    Code:
    push "route [TomatoClient Subnet]"
    ? The quotes and the "route" keyword are important.
     
  87. ElZar

    ElZar Addicted to LI Member

    Hehe, yes I used the proper command. But the push option is in the server config, not in the client config, because the client isn't able to push its subnet to other clients, I think.

    I followed This FAQ (Including multiple machines on the client side when using a routed VPN (dev tun)):
    http://www.openvpn.net/index.php/open-source/documentation/howto.html#scope

    *edit* this part didn't work:

    "Next, ask yourself if you would like to allow network traffic between client2's subnet (192.168.4.0/24) and other clients of the OpenVPN server. If so, add the following to the server config file.
    client-to-client
    push "route 192.168.4.0 255.255.255.0"

    This will cause the OpenVPN server to advertise client2's subnet to other connecting clients."
     
  88. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I missed before that your server is not running on a TomatoVPN router.

    This issue is in your server setup. When I use my TomatoVPN router as a server and have a TomatoVPN client setup to do what you want (push its route to everyone else), I see the following when that client connects:
    Code:
    Jun 11 13:39:10 router daemon.notice openvpn[14668]: <CommonName>/<IP>:1245 MULTI: Learn: 192.168.2.0/24 -> <CommonName>/<IP>:1245
    Jun 11 13:39:10 router daemon.notice openvpn[14668]: <CommonName>/<IP>:1245 REMOVE PUSH ROUTE: 'route 192.168.2.0 255.255.255.0'
    Jun 11 13:39:11 router daemon.notice openvpn[14668]: <CommonName>/<IP>:1245 PUSH: Received control message: 'PUSH_REQUEST'
    Notice the "REMOVE PUSH ROUTE". This happens because I've properly configured an iroute in the server config (well, in the client's ccd entry). Have you done this?
     
  89. ElZar

    ElZar Addicted to LI Member

    There was indeed a problem with the iroute file; the name of the client file in the CCD directory was wrong. It was client10.txt instead of Client10, but I don't think this was the reason for the Tomato crash, or was it?
     
  90. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Yes, that was the issue. The Tomato router didn't crash, it had just been given routing directions to send its LAN traffic over the tunnel (including return traffic to people trying to connect via the LAN).

    Without the iroute being associated correctly with that client, your server had no idea it shouldn't push the route to it.
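
    The iroute/push mismatch diagnosed above can be linted before a client ever connects. As an added example, not code from the thread or from Tomato, the shell below cross-checks a server config against its ccd directory: every pushed client LAN should be claimed by exactly one iroute, and a ccd file name must equal the client's certificate CN (a file like ElZar's client10.txt is never matched). The server.conf and ccd files it creates are constructed sample input with hypothetical names; that a bare iroute without a netmask means a single host is OpenVPN's documented default.

```shell
#!/bin/sh
# Added example, not code from the thread or from Tomato: a consistency check
# for the misconfiguration diagnosed above. When a routed server pushes a
# client's LAN to the other clients, the same network must be declared as an
# "iroute" in that client's ccd file (named exactly after the certificate CN).
# Otherwise the server never logs "REMOVE PUSH ROUTE" for that client and
# pushes its own LAN back to it. The server config and ccd files below are
# constructed sample input; all names in them are hypothetical.
# Assumption: an iroute without a netmask means one host (255.255.255.255).

# Print "network netmask" for each push "route ..." line in server config $1
pushed_routes() {
    awk '$1 == "push" {
        line = $0; sub(/^[^"]*"/, "", line); sub(/".*$/, "", line)
        n = split(line, w, /[ \t]+/)
        if (w[1] == "route" && n >= 3) print w[2], w[3]
    }' "$1"
}

# Print "network netmask ccd-name" for each iroute found under ccd dir $1
iroutes() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        awk -v owner="${f##*/}" \
            '$1 == "iroute" { print $2, ($3 == "" ? "255.255.255.255" : $3), owner }' "$f"
    done
}

# Cross-check server config $1 against ccd dir $2. Prints one line per finding
# and returns 1 if anything was found, 0 if the setup is consistent.
check_ccd() {
    conf=$1; ccd=$2
    ir=$(iroutes "$ccd")
    report=$(
        pushed_routes "$conf" | while read -r net mask; do
            n=$(printf '%s\n' "$ir" | awk -v n="$net" -v m="$mask" '$1 == n && $2 == m { c++ } END { print c + 0 }')
            if [ "$n" -eq 0 ]; then
                echo "NO IROUTE: $net $mask is pushed but no ccd entry claims it (its owner would receive its own LAN)"
            elif [ "$n" -gt 1 ]; then
                echo "DUPLICATE IROUTE: $net $mask is claimed by $n ccd entries"
            fi
        done
        # ccd entries are matched to the client CN by exact file name, so editor
        # or Windows-style suffixes (ElZar's client10.txt) are never matched
        for f in "$ccd"/*; do
            [ -f "$f" ] || continue
            case ${f##*/} in
                *.txt|*.conf|*.bak|*~) echo "SUSPECT NAME: ${f##*/} has a suffix; the ccd file name must equal the client CN" ;;
            esac
        done
    )
    [ -n "$report" ] && printf '%s\n' "$report"
    [ -z "$report" ]
}

# Constructed sample: three client LANs are pushed; one has a correctly named
# ccd entry, one a mis-named entry, one no entry at all.
setup_sample() {
    d=$(mktemp -d)
    mkdir "$d/ccd"
    cat > "$d/server.conf" <<'EOF'
dev tun
server 10.8.0.0 255.255.255.0
client-config-dir ccd
client-to-client
push "route 192.168.2.0 255.255.255.0"
push "route 192.168.3.0 255.255.255.0"
push "route 192.168.4.0 255.255.255.0"
EOF
    printf 'iroute 192.168.2.0 255.255.255.0\n' > "$d/ccd/Client2"
    printf 'iroute 192.168.4.0 255.255.255.0\n' > "$d/ccd/client10.txt"
    echo "$d"
}
```

    Run as `check_ccd /etc/openvpn/server.conf /etc/openvpn/ccd` on the server host. On the sample it reports the unclaimed 192.168.3.0 route and the suffixed ccd name; after renaming the file and adding the missing iroute it returns 0, and the server log on the next connect should then show the "REMOVE PUSH ROUTE" line for each client's own LAN.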
     
  91. ElZar

    ElZar Addicted to LI Member

    Hehe OK, sorry for any trouble, I'm stupid :)
    And THX for your good work on the Tomato-Firmware!
     
  92. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Don't worry about it. These types of issues can be hard to root cause. I only figured it out because I tried it on my working systems and noticed the "REMOVE PUSH ROUTE" that followed the "learn" for the client route.
     
  93. Guzel

    Guzel Network Guru Member

    Hi SgtPepperKSU
    I have a WNR3500L with beta16 VPN.
    I have a problem with my VPN client connection (TUN).
    I can connect to the VPN server with no problem, but I can't surf (80) HTTP and (443) HTTPS.
    I can access all other ports, 21, 23, 22 etc., through my (WNR3500L) VPN client.
    I think it is a firewall or DNS problem.
     
  94. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Well, first try to determine if it is a firewall or DNS problem. Can you connect to port 80 or 443 using IP addresses?
     
  95. Guzel

    Guzel Network Guru Member

    It doesn't work; I have tried that already, m8.
    I have tried adding it in Advanced Routing (the static routing table); it didn't work.
    Thanks
     
  96. pendetim

    pendetim Addicted to LI Member

    Restore CFG file to different router

    Hi,
    I have several Tomato 1.25 VPN enabled routers in the field and am about to deploy another one to a summer house.

    I thought I would be REALLY clever and restore a CFG file from one that is working to the new one, make a few tweaks and get on with things. So I installed Tomato 1.25 VPN (August 2009 release) and pointed the restore feature to the CFG file I had backed up from another WRT54. It said I could not restore a configuration file from a different router, goodbye, rebooting.....

    While I could rebuild the configuration from scratch, this could be a real pain if the router I have a backup from burns and I need to replace it.

    To Recap:
    1. I backed up a Linksys WRT54G/GS/GL VPN router with 14.2 MB memory running Tomato Firmware v1.25vpn3.4.4a8380cb to a CFG file.
    2. Flashed a brand new WRT54GL with the same firmware.
    3. Attempted to restore that config file to the new WRT54GL.
    4. Received an error message that it can't restore to a different router.

    Is there a workaround?

    Tim


    Am I doing something wrong?
     
  97. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Then it's probably a firewall problem on the VPN server. Do you have access to it?
     
  98. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Nope, that's not possible.
     
  99. Guzel

    Guzel Network Guru Member

    Hi SgtPepperKSU,
    No, I don't have access to the VPN server. They have sent me the config files
    for DD-WRT (TUN) and Linux (TAP).

    ddwrt.vpn.client (TUN)
    Code:
    sleep 30
    echo "USERNAME
    PASSWORD" > /tmp/openvpncl/user.conf
    sleep 10
    echo "client
    dev tun
    proto udp
    hand-window 30
    port 1195
    remote 95.xxx.xx.xx
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ns-cert-type server
    cipher BF-CBC
    comp-lzo
    verb 3
    reneg-sec 0
    ca /tmp/openvpncl/ca.crt
    auth-user-pass /tmp/openvpncl/user.conf" > /tmp/openvpncl/vpn.conf
    ( sleep 10 ; killall openvpn ; /usr/sbin/openvpn --config /tmp/openvpncl/vpn.conf --auth-user-pass /tmp/openvpncl/user.conf --route-up /tmp/openvpncl/route-up.sh --down /tmp/openvpncl/route-down.sh --daemon ) &

    Linux vpn.client (TAP)
    Code:
    float
    client
    dev tap
    proto udp

    ; Cert
    ca /etc/openvpn/keys/ca.crt
    ns-cert-type server
    cipher BF-CBC #Blowfish

    ;Vpn server

    remote-random
    remote mxxx.xxxx.xx 1194
    remote mxxx.xxxx.xx 10010
    remote mxxx.xxxx.xx 10020


    ;Auth
    auth-user-pass #passwd

    persist-key
    persist-tun

    ; Logging
    comp-lzo
    verb 1

    I haven't tried the TAP config in Tomato.
     
  100. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Seems like a pretty standard TUN config. If it's working for some ports and not others, then it is a firewall issue. Unless you've done something strange with firewall rules on your router, then it's an issue on the server side. I can't help you with that.

    One last test, though. Can you ssh/telnet to your router and run:
    Code:
    nc 74.125.67.106 80
    After running this (before it times out; during this time, it will not provide any output), enter a single '.' character and press enter. If you get a response, then you're talking to google just fine over port 80.
     