
VPN build with Web GUI

Discussion in 'Tomato Firmware' started by SgtPepperKSU, Oct 10, 2008.

  1. fyellin

    fyellin LI Guru Member

    When using tls-auth, you need to do one of the following:

    #1) In both the client and server, use "tls-auth <file>"

    #2) At one of the endpoints, use "tls-auth <file> 0", and at the other end point, use "tls-auth <file> 1". Traditionally, the server is 0 and the client is 1, but this is arbitrary.

    You can't make one bi-directional, and the other directional. #2 is a bit more secure.

    Getting DNS to work through VPN is painful if the client isn't Windoze. You need to add

    Code:
    push "dhcp-option DNS <your router's IP>"
    push "dhcp-option DOMAIN <your home domain>"
    
    to your server's configuration, and you also need some magic configurations in your client. Searching "OpenVPN linux DNS" should give you the information you need.
     
  2. ElZar

    ElZar Addicted to LI Member

    HI :>

    #1) There still seems to be a problem (from the log):

    Sun Jan 11 20:18:02 2009 us=861024 Initialization Sequence Completed
    Sun Jan 11 20:19:03 2009 us=30076 [server] Inactivity timeout (--ping-restart), restarting
    Sun Jan 11 20:19:03 2009 us=30452 TCP/UDP: Closing socket

    This happens every minute. Is the connection timing out, or is this just some ignorable log output?

    *edit* A friend of mine tested the connection from outside. He can establish the connection and he is able to ping my Windows PC and the router. He is also able to connect to my network shares on my Windows PC.
    On the other side, I am only able to ping his PC (if he is connected), but not to connect to his shares.

    #2) tls-auth is working, thx.
     
  3. ElZar

    ElZar Addicted to LI Member

    OK, I worked it out. Everything is fine now.
    Testing a VPN from the local LAN is not really a good idea.

    THX 4 your help :>
     
  4. gatorade

    gatorade Addicted to LI Member

    SgtPeppers, great work! I installed this on my Linksys router and it works great! Thanks for this. I have two questions though, as I am new to OpenVPN. Can I set up a client and a server at the same time on the router? If the router is set up as a client and is accessing the internet through another OpenVPN server, is it possible to connect to the server on the router from another client on some arbitrary network? Again, thanks!
     
  5. dvd-guy

    dvd-guy Guest

    Anyone with a simple TLS tutorial?
     
  6. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Okay, I'm back from vacation now, so I'll try to answer any outstanding questions. If I miss any, or if there was a separate thread (I don't see any relevant ones), let me know.

    And, thanks to fyellin and others who answered questions while I was gone.
     
  7. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Actually, you can have up to two servers and two clients all running on the router, though I wouldn't recommend that due to limited resources. You'll have to try to see if your router can handle your typical load with one client and one server, but I bet it will be fine.

    I haven't tried a situation where all internet traffic is being routed through a router-to-router connection (the redirect-gateway directive, probably), but there is no reason why it shouldn't work. And, chaining the two tunnels like you suggest shouldn't be a problem, either.
     
  8. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Here is the OpenVPN how-to on generating TLS keys.
     
  9. ElZar

    ElZar Addicted to LI Member

    And don't forget, the tls-auth key is named "server1-static.key" if you paste the tls-auth key into "static key" :>
     
  10. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    True, but unless you are just manually reading the files from the shell, you shouldn't need to care what the file names are.
     
  11. dvd-guy

    dvd-guy Guest

    More specifically, I need a client config since I've already generated the keys. All I did was plug them into the router.
     
  12. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Here is the OpenVPN how-to for the config files. Just start with the example client config and change as appropriate (there are lots of comments in the file explaining each option).
     
  13. 1001010

    1001010 Addicted to LI Member

    Witopia Setting - Help

    I am attempting to set up this VPN firmware (client) with the Witopia VPN server. I have purchased the Mac package, as recommended by Witopia, to run on Linux, and I have set up these settings as per the following file on the VPN build client.

    archive.pax

    dev tun
    proto udp
    remote 1194
    resolve-retry infinite
    nobind
    persist-key
    ns-cert-type server
    cipher bf-cbc
    comp=lzo
    verb 3
    mute 20

    Tomato Setting

    Interface Type= TUN
    Protocol=UDP
    Server address/Port= 38.119.98.200 1194
    Auth Mode=TLS
    Extra HMAC= Disabled
    Create NAT= check
    Encryption cipher = BF-CBC
    Compression=Enabled
    Connection Retry=20

    I have entered the keys included in the file and saved / started with no success. Any correction and or suggestions would be appreciated, thank you.

    The client starts but there is no connection. Am I missing something?
     
  14. ElZar

    ElZar Addicted to LI Member

    This: ns-cert-type server
    should be in the client config (not in the server config), and you have to choose "server" for the Common Name while creating the server certificate.
    And I think this: persist-key
    should also be in the client config if you are using it in the server config.

    Besides this, you should look in the Tomato firmware and the server log for any hints about what's wrong with your config.
     
  15. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    First, am I correct in assuming that the file you list is the client config they tell you to use, and the settings you list are your attempt to match that in the GUI?

    Please check the router logs to see what OpenVPN errors occur. This could give a clue as to what is going wrong.
     
  16. fyellin

    fyellin LI Guru Member

    I'm wondering whether these are the complete configurations, or if there are more items being elided.

    For example, I note that he is using TLS mode, but the archive.pax config doesn't mention the keys.
     
  17. 1001010

    1001010 Addicted to LI Member

    Yes, the file does give the keys, as stated ("I have entered the keys included in the file"), but I am not going to include them in my post for obvious reasons.

    But thanks for the suggestion to a solution.
     
  18. 1001010

    1001010 Addicted to LI Member

    Yes, this is part of the file they gave me and I am trying to match it to the GUI to start the VPN client to connect to Witopia's VPN server. Hope I am on the right track?

    The error log shows a bad handshake; I will recheck keys/settings and try again.
     
  19. fyellin

    fyellin LI Guru Member

    Sorry. I was interpreting your "I have entered the keys" as referring to the tomato side, not to the archive.pax side.

    There are a few things that look suspicious:

    #1) "ns-cert-type server". This says "verify that the other side's certificate has the 'server flag' set". Yet in your configuration, it's archive.pax that is the server. You should probably just leave this line out until everything else is fixed.

    #2) "remote 1194" looks totally broken. This says I'm talking to the remote host named "1194", which probably fails. I think you want "port 1194".

    #3) You probably want a "server ...." line on the server
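    A small consistency check, added here as an example and not code from the mod or from OpenVPN itself, that catches the mistakes discussed in this exchange: a `remote` line whose "host" is really a port number, a `tls-auth` pairing that breaks the rule from the first post (both ends bidirectional, or one 0 and the other 1), `ns-cert-type server` on the server side, and proto/cipher/comp-lzo values that differ between the ends. The two configs are constructed; the client one mirrors the shape of the posted file, including its `comp=lzo` and `resolve-retry` spellings, which the check reports as unknown directives.

```python
"""Sanity checks for an OpenVPN server/client config pair (constructed example).
KNOWN lists only the directives used in this thread, not OpenVPN's full table."""
import shlex
from typing import List, Optional, Tuple

Config = List[Tuple[str, List[str]]]

KNOWN = {
    "client", "dev", "proto", "remote", "port", "resolv-retry", "nobind",
    "persist-key", "persist-tun", "ns-cert-type", "cipher", "comp-lzo", "verb",
    "mute", "tls-auth", "ca", "cert", "key", "dh", "server", "push", "keepalive",
    "float", "secret", "ifconfig", "redirect-gateway", "route-gateway", "up",
}

def parse(text: str) -> Config:
    """Split a config into (directive, args); lines starting with # or ; are comments."""
    out: Config = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line, comments=True)  # keeps push "..." as one argument
        if parts:
            out.append((parts[0], parts[1:]))
    return out

def first_arg(cfg: Config, name: str) -> Optional[str]:
    """First argument of a directive, '' if it has none, None if it is absent."""
    for directive, args in cfg:
        if directive == name:
            return args[0] if args else ""
    return None

def tls_auth_direction(cfg: Config) -> str:
    """'absent', 'bidir' (no direction argument), '0' or '1'."""
    for directive, args in cfg:
        if directive == "tls-auth":
            return args[1] if len(args) > 1 else "bidir"
    return "absent"

def lint_one(cfg: Config, role: str) -> List[str]:
    """Checks that need only one side; role is 'client' or 'server'."""
    findings = []
    for directive, args in cfg:
        if directive not in KNOWN:
            findings.append(f"unknown directive '{directive}' (typo?)")
        if directive == "remote" and args and args[0].isdigit():
            findings.append(f"'remote {args[0]}' treats {args[0]} as a hostname; "
                            f"use 'remote <host> {args[0]}' or 'port {args[0]}'")
        if directive == "ns-cert-type" and role == "server":
            findings.append("'ns-cert-type server' belongs on the client side")
    if role == "server" and first_arg(cfg, "server") is None:
        findings.append("server config has no 'server' line")
    return findings

def lint_pair(server: Config, client: Config) -> List[str]:
    """Checks that compare the two ends of the tunnel."""
    findings = []
    s, c = tls_auth_direction(server), tls_auth_direction(client)
    # Valid: both bidirectional (no direction), or one end 0 and the other 1.
    if (s, c) not in {("absent", "absent"), ("bidir", "bidir"), ("0", "1"), ("1", "0")}:
        findings.append(f"tls-auth direction mismatch: server={s}, client={c}")
    for name in ("proto", "cipher", "comp-lzo"):
        sv, cv = first_arg(server, name), first_arg(client, name)
        if (sv is None) != (cv is None) or (sv or "").lower() != (cv or "").lower():
            findings.append(f"'{name}' differs: server={sv!r}, client={cv!r}")
    return findings

# Constructed configs; the client mirrors the shape of the one posted above.
CLIENT = """\
dev tun
proto udp
remote 1194
resolve-retry infinite
nobind
persist-key
ns-cert-type server
cipher bf-cbc
comp=lzo
verb 3
"""

SERVER = """\
dev tun
proto udp
port 1194
server 10.8.0.0 255.255.255.0
dh dh.pem
tls-auth ta.key 0
cipher BF-CBC
comp-lzo
push "dhcp-option DNS 192.168.1.1"
"""
```

    Running `lint_one(parse(CLIENT), "client")` together with `lint_pair(parse(SERVER), parse(CLIENT))` lists the five problems; fix them on the client side and the pair check comes back empty.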
     
  20. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I think there's still a misinterpretation. The archive.pax is a client config, not a server config (unless I'm the one misinterpreting) provided to 1001010 that the GUI needs to be compatible with. So, I don't think the .pax is being used at all.
    Yes, please do recheck the keys. That is the most likely culprit. If problems continue, please post the relevant portions of your router log.
     
  21. fyellin

    fyellin LI Guru Member

    In the original email, he had, under "Tomato Setting", the server's address and port. I think that's only available in the client tab.

    There seems to be some confusion (either me or him, I'm not sure) about which side is the server and which is the client. (Or perhaps he's using it P2P). I'd be happier if he showed us the complete configuration files for both machines--all the secret information is stored outside the configuration file--and the logs of both machines. That way we don't have to guess at what's being elided.
     
  22. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Exactly. Both the .pax and the tomato VPN settings are for client. The .pax is what is "supposed" to be used, and the tomato settings are an attempt to do that.
    I think the server belongs to a third party. That's why the given client config needs to be matched.
     
  23. necromanx

    necromanx Addicted to LI Member

    Hello, I am new to the world of Tomato / custom WRT firmware.
    I have been playing with a few WRT54GL devices and I really, really love the functionality of Tomato. This OpenVPN mod is exactly what I needed, so SgtPepperKSU, thank you very much :p
    Anyway, I have a little issue. I have one WRT running as an OpenVPN server (tap) and it works lovely. I can connect with my Windows 7, Vista & XP, obtaining a DHCP address.
    But I can't configure another WRT as a client and obtain a DHCP address like I can on Windows clients.
    If I use ifconfig to set a static IP, the VLAN is reachable and I can connect to the devices in my VLAN behind the remote WRT using my local clients behind the local WRT.
    I just want my local WRT's tap client to get a DHCP address instead of a static one.

    Any guesses what I am doing wrong? Do I need an up script? If I try the udhcpc client with -i tap11 it isn't working. I once saw the remote DHCP service broadcasting a lease for my local tap device's MAC address! But it didn't pick it up :s.
    Both devices are connected to an ISP which blocks all ports under 1024, but I guess that is not appropriate once the VPN connection is connected.

    Thanks a lot for your time!
     
  24. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I designed it specifically not to change the IP address of the VPN client router. I would think that would cause problems for the LAN machines behind that router, and that a router's LAN IP address should not change (unless restructuring a network).
    What is it you are hoping to gain by doing this? Do both ends of the tunnel share a subnet? If I understood a use case where changing the LAN IP based on DHCP-over-VPN would be useful, I may consider offering it as an option.
     
  25. necromanx

    necromanx Addicted to LI Member

    I just want a point-to-point VPN connection where my client tap device on the router gets an IP by DHCP and all traffic from the local network can access the servers/services on the other side of the connection.
    It works perfectly if I use ifconfig 192.168.10.x 255.255.255.0 in the custom settings textarea :). So I want the tap device (tap11) to get an IP from the DHCP server over the VPN connection? That's not possible? It should be, I guess, since my Windows clients get IPs from the remote VPN server.
     
  26. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    You shouldn't need to have an ifconfig line at all. If you want the two LANs to share a subnet, just assign the two routers IP addresses on the same subnet and click the "share a subnet" box in the VPN client config. If you want the two LANs to be on different subnets, just assign the two routers IP addresses on different subnets and don't click that box. Either way, you should end up with a site-to-site connection.

    It sounds like you have the routers assigned IP addresses on different subnets (or identical addresses), and you want the VPN to "force" the client LAN onto the server LAN's subnet. This seems messy to me, and it could seriously confuse devices that are connected to the client LAN already.

    If I wanted to accomplish what I am assuming is your end desire, I would assign the server router an IP address of 192.168.0.1 and the client router an IP address of 192.168.0.2. Then I would select the "share a subnet" option and the site-to-site should be seamless.
     
  27. quinezhu

    quinezhu Addicted to LI Member

    Hi, is a WRT54G V1.1 (Flash 4M, RAM 16M, CPU 125MHz) OK to run this mod?
     
  28. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Yes.
     
  29. gatorade

    gatorade Addicted to LI Member

    Client Not Working

    I have set up the server on my router and it has been working for quite some time. When I try to set up a client on the router (at the same time), I get an error ("invalid IP address" - even though the IP is correct), and it won't let me save the configuration. When I go back to the client setup screen, some of the fields have mysteriously changed. The port field is yellow and empty, and the encryption cipher changed back to "default".

    If I were to manually create the config file along with the keys and certificates (in the init script, for instance), how do I run the VPN service using this config file?

    Thanks for all the work!
     
  30. kulmegil

    kulmegil Network Guru Member

    I switched from roadkill's mod and am currently using the GUI to set up a server (tun, tcp). While it works well initially, after some time (2-3 days) the server stops responding and has to be restarted.

    I will try to set up using scripts later on and see if anything changes.
     
  31. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    It sounds like the GUI thinks that what you are entering isn't a valid IP address (saying nothing about it being the *right* IP - but that it isn't an IP address at all). Try changing the authentication to Static Key mode and see if the local or remote addresses are invalid (even though they aren't being used, they are checked for validity). It sounds like your NVRAM settings have been corrupted (The GUI shouldn't have been able to save any bad values).

    /usr/sbin/openvpn --config <config file>
     
  32. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Interesting. There seem to be a couple of issues with the version of OpenVPN included in the last version of this mod (the keepalive restarts and this). It has been two months since 2.1rc15 came out, and I keep thinking that 2.1 final or 2.1rc16 should be out any minute, and that I'd just wait and use that instead of downgrading. However, I may need to just bite the bullet and do it. I don't remember hearing about these issues with previous versions.

    If it is possible, you should use UDP rather than TCP. It is much more efficient, and I don't think TCP gets as much attention from the OpenVPN developers. You *should* be able to use TCP, but whatever bug you're running into may be TCP-specific.
     
  33. necromanx

    necromanx Addicted to LI Member

    Hi, thanks for the info. Both devices are on the same subnet now, 192.168.10.254 for the remote server and 192.168.10.250.

    Jan 19 23:07:59 ? daemon.notice openvpn[830]: VERIFY OK: depth=0, /C=BE/ST=WV/O=xxxxxxxxxxxxxxxxxxxxxt/Email=info@tokiogroup.com
    Jan 19 23:08:02 ? daemon.notice openvpn[830]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Jan 19 23:08:02 ? daemon.notice openvpn[830]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Jan 19 23:08:02 ? daemon.notice openvpn[830]: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Jan 19 23:08:02 ? daemon.notice openvpn[830]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Jan 19 23:08:02 ? daemon.notice openvpn[830]: Control Channel: xxxxxxxxxxxxxxxxxxxxxxxxxxxxx, 1024 bit RSA
    Jan 19 23:08:02 ? daemon.notice openvpn[830]: [xxxxxxxxxxxxxxxxx] Peer Connection Initiated with xxxxxxxx:1195
    Jan 19 23:08:03 ? daemon.notice openvpn[830]: TUN/TAP device tap11 opened
    Jan 19 23:08:03 ? daemon.notice openvpn[830]: Initialization Sequence Completed

    However, I can't ping devices on the remote network (or access them). Am I missing something?
     
  34. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Could you provide the output of
    Code:
    ifconfig
    route -n
    ?
     
  35. necromanx

    necromanx Addicted to LI Member

    This is my ifconfig and route -n.
    I notice there is no tap11 under ifconfig.
    Thx for your time, Sgt.

    # ifconfig
    br0 Link encap:Ethernet HWaddr 00:22:6B:81:3E:87
    inet addr:192.168.2.250 Bcast:192.168.2.255 Mask:255.255.255.0
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:118758 errors:0 dropped:0 overruns:0 frame:0
    TX packets:115218 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:11118523 (10.6 MiB) TX bytes:42857688 (40.8 MiB)

    eth0 Link encap:Ethernet HWaddr 00:22:6B:81:3E:87
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:226938 errors:1 dropped:0 overruns:1 frame:1
    TX packets:214844 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:100
    RX bytes:60086619 (57.3 MiB) TX bytes:30936798 (29.5 MiB)
    Interrupt:4 Base address:0x1000

    eth1 Link encap:Ethernet HWaddr 00:22:6B:81:3E:89
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:56213 errors:0 dropped:0 overruns:0 frame:16841
    TX packets:75920 errors:34 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:100
    RX bytes:7451138 (7.1 MiB) TX bytes:36924718 (35.2 MiB)
    Interrupt:2 Base address:0x5000

    lo Link encap:Local Loopback
    inet addr:127.0.0.1 Mask:255.0.0.0
    UP LOOPBACK RUNNING MULTICAST MTU:16436 Metric:1
    RX packets:67 errors:0 dropped:0 overruns:0 frame:0
    TX packets:67 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:15287 (14.9 KiB) TX bytes:15287 (14.9 KiB)

    vlan0 Link encap:Ethernet HWaddr 00:22:6B:81:3E:87
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:62229 errors:0 dropped:0 overruns:0 frame:0
    TX packets:66517 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:4677533 (4.4 MiB) TX bytes:14097751 (13.4 MiB)

    vlan1 Link encap:Ethernet HWaddr 00:22:6B:81:3E:88
    inet addr:78.20.191.39 Bcast:78.20.191.255 Mask:255.255.224.0
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:123126 errors:0 dropped:0 overruns:0 frame:0
    TX packets:107287 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:40160855 (38.2 MiB) TX bytes:9860749 (9.4 MiB)

    # route -n
    Kernel IP routing table
    Destination Gateway Genmask Flags Metric Ref Use Iface
    192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 br0
    78.20.160.0 0.0.0.0 255.255.224.0 U 0 0 0 vlan1
    127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
    0.0.0.0 78.20.160.1 0.0.0.0 UG 0 0 0 vlan1
     
  36. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    That is odd. Are you sure that the VPN is connected at the time you collected these? It shouldn't be able to connect without a tap/tun device, and if the device exists it should be listed under ifconfig...
     
  37. necromanx

    necromanx Addicted to LI Member

    Yeah, I thought so :D. Yes, the VPN is connected.
    Anyhow, with the ifconfig line the device gets "up" and the VPN connection works.
     
  38. quinezhu

    quinezhu Addicted to LI Member

    I've upgraded my WRT54GS v1 to 1.23vpn2.0005 (then cleared NVRAM and made the settings manually) with the same VPN configuration as 2.0004. And then it fails to log on remotely and just stands at "UDPv4 link remote: xxx.xxx.xxx.xxx" after I replug the power to reboot the router. But it works fine after clicking Reboot... in IE. :confused: Whether I replug the power or click Reboot... in IE, VPN Tunneling in IE shows "Stop Now" normally. I've changed the scripts to "sleep 20" in IE but still the same condition. :frown:
     
  39. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Are you using the router as a client? Is the problem that it works after rebooting from the Tomato GUI, but not on a cold boot (unplugging/replugging power)? What do you have in your init script?
     
  40. quinezhu

    quinezhu Addicted to LI Member

    As an OpenVPN server.

    It doesn't work after a cold boot but works fine after rebooting from the Tomato GUI. The previous version, vpn2.0004, works fine with both a cold boot and a GUI reboot.

    My init script is copied from your readme file.
     
  41. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Could you try moving the
    Code:
    sleep 10
    /tmp/vpnup.sh server1
    to the WAN up script (and trying higher sleep values if needed)?
     
  42. quinezhu

    quinezhu Addicted to LI Member

    wow, it works, many thx :)
     
  43. nickgallis

    nickgallis Guest

    With a WRT used as a client, what do I put in Static Key if I use a TLS system ... the dh.pem?
     
  44. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    If you use TLS, then you should only see the Static Key field if you have chosen the "Additional HMAC authentication (tls-auth)" option. If you do not know what that is, you should probably uncheck that box and not have anything in the Static Key field.
     
  45. necromanx

    necromanx Addicted to LI Member

    Hey Sgt, I managed to get it working using an up script "ifconfig tap11 up".
    Then both server and client create the bridge and I can connect to all devices behind both routers :). Can you give me an easy setup to add a route to route all internet traffic over the correct WAN? And if I enable DHCP servers on both devices, will that give issues? Oh, and where do I save my up script and route scripts so that they won't be deleted after reset :p
     
  46. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    That's really strange. My code performs that command automatically...
    Internet traffic should already be going over the local WAN (it takes extra setup to make internet-bound traffic go over the tunnel - or is that what you meant by "correct" WAN?).
    I think you may need to do a little extra iptables work to block the DHCP requests from crossing the tunnel. I haven't done this myself, so you may have better luck just googling it.
    You could try adding a
    Code:
    up /tmp/up.sh
    line to the Custom Configuration section and generate a /tmp/up.sh in your init script that will be called whenever the connection is made.
     
  47. necromanx

    necromanx Addicted to LI Member

    Yeah, it really needs the up script or my tap device won't get listed under ifconfig and the tunnel won't work.
    Anyway, I have both DHCP servers enabled and I will do some tests, but I think it will always accept the nearest DHCP server, thus setting the correct gateway. Because of this I don't need to change the route table, of course :).
    When I run into a situation where a device gets an IP from the remote DHCP server, I will look into blocking DHCP from the remote server with iptables.

    Thanks for your help and nice mod :)
     
  48. necromanx

    necromanx Addicted to LI Member

    It appears that devices behind the routers do get DHCP traffic from the other routers. And setting up some iptables rules seems to be a huge issue on this matter. I googled a bit but only found other people with the same issue. Apparently the only easy method is using ebtables, which has been removed from Tomato :x
     
  49. jvro

    jvro Addicted to LI Member

    Can you maybe specify how to configure the client (iptables) to make all internet-bound traffic pass through the server?

    Thanks and great job.
     
  50. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Again, that's a configuration I've never desired, so I can't give you steps with certainty. However, the (experimental) redirect-gateway directive appears to do all of the legwork for that. The OpenVPN Manual has some specifics, but a search or the OpenVPN how-to (same site) might give you a step-by-step tutorial.
     
  51. occamsrazor

    occamsrazor Network Guru Member

    Roadkill to this Mod

    Hi,

    I posted this a couple weeks ago but never got a reply... Wanting to switch from Roadkill mod v1.19.1464 on my Buffalo WHR-G54s, to the latest SgtPepper VPN with Web GUI build, as it seems this is being more actively developed. A couple questions before I do...

    1. Is this straightforward? Do I need to do anything in particular before switching (clear NVRAM?)
    2. Will all my router settings be carried over?
    3. Will I need to reconfigure my VPN settings?

    I'm currently using static-key VPN with these scripts:

    Firewall:

    iptables -I INPUT 1 -p udp --dport 444 -j ACCEPT

    WAN UP:

    cd /tmp
    openvpn --mktun --dev tap0
    brctl addif br0 tap0
    ifconfig tap0 0.0.0.0 promisc up
    echo "
    -----BEGIN OpenVPN Static key V1-----

    <deleted for forum post>

    -----END OpenVPN Static key V1-----

    " > /tmp/static.key

    sleep 5
    ln -s /usr/sbin/openvpn /tmp/myvpn
    /tmp/myvpn --dev tap0 --secret /tmp/static.key --comp-lzo --port 444 --cipher BF-CBC --proto udp --keepalive 10 300 --verb 3 --daemon

    Client config:

    dev tap0
    secret static.key
    proto udp
    remote <my ip address> 444
    keepalive 10 60
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    cipher BF-CBC
    comp-lzo
    verb 3
    float

    It was so long ago I set it all up that I've forgotten what it all does! Thanks in advance for any help you can give...

    Ben
     
  52. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    You probably should clear NVRAM after the update, but it is not strictly required. You run a chance of having bizarre and hard-to-diagnose problems if you don't (this seems to be true of all Tomato-based upgrades).

    You should be able to continue to use those same scripts if you'd like. Or, you can use the GUI, and it will do virtually the same thing for you.
     
  53. occamsrazor

    occamsrazor Network Guru Member

    If I clear NVRAM, that will wipe ALL my router settings, right? Hmmm... that's a lot of work restoring.
    Is there any point to backing up the config, erasing NVRAM, then restoring settings... or does that defeat the point of clearing NVRAM?
    Thanks for your help... Ben
     
  54. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Yah, unfortunately, that does defeat the point. You can, however, try running without clearing NVRAM. It's just that if you start running into bizarre problems, it's the first thing you should try to fix it.
     
  55. occamsrazor

    occamsrazor Network Guru Member

    Well, I took the plunge without clearing NVRAM and all seems fine :)

    A couple questions though:

    1. I deleted the WAN UP script I had from the roadkill mod, I assume this is unnecessary now (it seems to work fine without). Correct?

    2. My old firewall script "iptables -I INPUT 1 -p udp --dport 444 -j ACCEPT" - can I delete this also, is it dynamically created?

    3. How can I add the option (I presume to client config, or can it be pushed?) to force ALL traffic from the client computer including normal internet traffic over the VPN?

    4. How can I force DNS requests from the client computer to be sent to the Internal Caching DNS Forwarder of the Tomato router?

    5. Finally, I'm seeing this in the router's logs every minute or so....

    Jan 27 03:24:34 Tomato daemon.warn openvpn[521]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Jan 27 03:24:34 Tomato daemon.notice openvpn[521]: Static Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Jan 27 03:24:34 Tomato daemon.notice openvpn[521]: Static Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Jan 27 03:24:34 Tomato daemon.notice openvpn[521]: Static Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Jan 27 03:24:34 Tomato daemon.notice openvpn[521]: Static Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Jan 27 03:24:34 Tomato daemon.notice openvpn[521]: LZO compression initialized
    Jan 27 03:24:34 Tomato daemon.notice openvpn[521]: TUN/TAP device tap21 opened
    Jan 27 03:24:34 Tomato daemon.notice openvpn[521]: TUN/TAP TX queue length set to 100
    Jan 27 03:24:34 Tomato daemon.notice openvpn[521]: Data Channel MTU parms [ L:1577 D:1450 EF:45 EB:135 ET:32 EL:0 AF:3/1 ]
    Jan 27 03:24:34 Tomato daemon.notice openvpn[521]: Socket Buffers: R=[32767->65534] S=[32767->65534]
    Jan 27 03:24:34 Tomato daemon.notice openvpn[521]: UDPv4 link local (bound): [undef]:444
    Jan 27 03:24:34 Tomato daemon.notice openvpn[521]: UDPv4 link remote: [undef]
    Jan 27 03:25:34 Tomato daemon.notice openvpn[521]: Inactivity timeout (--ping-restart), restarting
    Jan 27 03:25:34 Tomato daemon.notice openvpn[521]: TCP/UDP: Closing socket
    Jan 27 03:25:34 Tomato daemon.notice openvpn[521]: Closing TUN/TAP interface
    Jan 27 03:25:34 Tomato daemon.notice openvpn[521]: SIGUSR1[soft,ping-restart] received, process restarting
    Jan 27 03:25:34 Tomato daemon.notice openvpn[521]: Restart pause, 2 second(s)


    Any idea what this means, is it normal?

    Thanks,

    Ben
     
  56. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Glad to hear it :smile: Keep an NVRAM clear in mind, though, in case weird stuff starts to happen.
    If you are using the GUI, then yes, you shouldn't need anything in any of the scripts.
    See above.
    I think this was answered in the post immediately before your first in this exchange. In short, I've never done it, but you should look into the redirect-gateway OpenVPN directive for your Custom Config (or the client config, I'm not sure).
    Can't help you there. It may come along with the redirect-gateway, though. Once you're establishing a connection, there is nothing unique to the router setup. You may have more luck with these types of questions on the OpenVPN IRC channel.
    It is normal in that several people are seeing it, but not normal in that it should be happening. It seems to have shown up after I upgraded the firmware from OpenVPN 2.1rc13 to 2.1rc15. I keep meaning to make a new release downgrading it back to 2.1rc13, but just know that as soon as I do, 2.1rc16 will come out and fix it...
    On the plus side, it only seems to happen if the tunnel is inactive, and it reconnects automatically, so it should mostly go unnoticed aside from the log entries.
    I am sick at the moment, but if a new OpenVPN version doesn't come out soon, I will release a new version with a downgraded openvpn.
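    A log triage helper, added here as an example and not part of the mod: it parses the two timestamp formats that appear in this thread (router syslog lines and OpenVPN's own client log), counts `--ping-restart` events and their spacing, and separates the once-a-minute restart loop described above from a one-off inactivity timeout. The sample lines are constructed to match the shape of the posted excerpts.

```python
"""Spot OpenVPN restart loops in router logs (constructed example)."""
import re
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Two timestamp shapes appear in the thread: syslog on the router
# ("Jan 27 03:24:34 Tomato daemon.notice openvpn[521]: ...") and OpenVPN's own
# log format on a client ("Sun Jan 11 20:19:03 2009 us=30076 [server] ...").
SYSLOG = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"\S+ \S+ openvpn\[\d+\]: (?P<msg>.*)$")
OVPNLOG = re.compile(
    r"^[A-Z][a-z]{2} (?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<year>\d{4}) us=\d+ (?:\[\S+\] )?(?P<msg>.*)$")

RESTART = "Inactivity timeout (--ping-restart)"
SCRIPT_NOTE = "requires '--script-security 2'"


def parse_line(line: str, default_year: int = 2009) -> Optional[Tuple[datetime, str]]:
    """Return (timestamp, message) for a recognised line, else None.
    Syslog lines carry no year, so default_year is assumed for them."""
    m = SYSLOG.match(line) or OVPNLOG.match(line)
    if not m:
        return None
    year = int(m.groupdict().get("year") or default_year)
    stamp = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return stamp, m["msg"]


def analyze(lines: List[str], loop_gap_s: int = 120) -> Dict[str, object]:
    """Count ping-restarts and decide whether they form a loop."""
    restarts: List[datetime] = []
    completed = 0
    script_note = False
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        stamp, msg = parsed
        if RESTART in msg:
            restarts.append(stamp)
        elif msg.endswith("Initialization Sequence Completed"):
            completed += 1
        elif SCRIPT_NOTE in msg:
            script_note = True
    gaps = [(b - a).total_seconds() for a, b in zip(restarts, restarts[1:])]
    return {
        "ping_restarts": len(restarts),
        "completed": completed,
        "min_gap_s": min(gaps) if gaps else None,
        # Heuristic: three or more ping-restarts, never more than loop_gap_s apart.
        "restart_loop": len(restarts) >= 3 and max(gaps) <= loop_gap_s,
        # The mod's log also shows this note; it matters once an 'up' script is used.
        "script_security_note": script_note,
    }


# Constructed sample modelled on the excerpt posted above (not the real log).
SAMPLE = """\
Jan 27 03:24:34 Tomato daemon.warn openvpn[521]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Jan 27 03:24:34 Tomato daemon.notice openvpn[521]: UDPv4 link remote: [undef]
Jan 27 03:24:35 Tomato daemon.notice openvpn[521]: Initialization Sequence Completed
Jan 27 03:25:34 Tomato daemon.notice openvpn[521]: Inactivity timeout (--ping-restart), restarting
Jan 27 03:25:34 Tomato daemon.notice openvpn[521]: SIGUSR1[soft,ping-restart] received, process restarting
Jan 27 03:26:36 Tomato daemon.notice openvpn[521]: Inactivity timeout (--ping-restart), restarting
Jan 27 03:27:38 Tomato daemon.notice openvpn[521]: Inactivity timeout (--ping-restart), restarting
""".splitlines()

if __name__ == "__main__":
    print(analyze(SAMPLE))
```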
     
  57. occamsrazor

    occamsrazor Network Guru Member

    Super... thanks for all your helpful answers. It's a really nice mod.
    Hope you feel better soon.
    Regards, Ben
     
  58. occamsrazor

    occamsrazor Network Guru Member

    I found the answer to my own question on this page:

    http://manoftoday.wordpress.com/2006/12/03/openvpn-20-howto/

    It suggests a way to push this from the server, which I haven't tried yet. I prefer to set it from the client so I can choose whether to do this or not on a case by case basis. I just created one OpenVPN client config with it, and one without. That way I can connect with all traffic over VPN, or not, by simply choosing the different config files. This is using this OpenVPN client:

    http://openvpn.se/

    The key is to add this line to the client config:

    redirect-gateway def1

    I checked (well, as far as I can tell) and all traffic, and DNS, is being routed over the VPN when I have this line in the config. If you did want to push this to all clients from the server, you'd add this to the custom config on the server:

    push "redirect-gateway def1"

    Hope this helps. Let me know if I've got anything about this wrong.

    Ben
     
  59. jza80

    jza80 Network Guru Member

    I went about it the same way you did. Create 2 client config files.

    However I'm using different commands, route-gateway x.x.x.x and redirect-gateway, x.x.x.x being the IP address of the router.

    I haven't tried redirect-gateway def1, but from the looks of it, it does the same thing.

    My client config file:
    Code:
    client
    dev tap

    ifconfig 172.25.25.6 255.255.255.248

    ca ca.crt
    cert client1.crt
    key client1.key

    proto udp
    route-gateway 172.25.25.1
    remote x.x.x.x 60250
    keepalive 10 60
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ns-cert-type server
    cipher BF-CBC
    comp-lzo
    verb 3
    float
    redirect-gateway

    You could run wireshark to sniff the traffic and see where your DNS requests are going to.


    There's an option to push DNS to clients, although from reading the description of what it does, I don't think it's necessary.

    When redirect-gateway is used, OpenVPN clients will route DNS queries through the VPN, and the VPN server will need to handle them.

    push "dhcp-option DNS 10.8.0.1"
     
  60. gregg098

    gregg098 LI Guru Member

    Anyone know how to add username/password authentication with the GUI version? I sort of read up on it at the OpenVPN website, but with the GUI, I'm not sure where to begin. I'm still a Linux noob.
     
  61. fyellin

    fyellin LI Guru Member

    If you're really a linux noob, you probably don't want to get into this. The basic instructions can be found here. You have to write your own script (on the router!) to decide if a username/password combination is legitimate or not.

    What security problem are you worried about?
     
  62. gregg098

    gregg098 LI Guru Member

    Well, I leave my work laptop at work sometimes for night backups. I am allowed to have OpenVPN. I'm just worried some IT guy might snoop around and, with two clicks, he has access to my network. Just figured a password on top of the security key would help with that.


    Thanks
     
  63. fyellin

    fyellin LI Guru Member

    If you use TLS, one of the ways you can build client credentials is with "build-key-pass". This command creates an encrypted private key. Openvpn will ask you for a password each time it is run. This might solve part of your problem.
     
  64. jaya_pc87

    jaya_pc87 Guest

    SgtPepperKSU, since roadkill is not interested in developing his version of the mods,
    can you integrate all the features together with your mods, maybe as another line of firmware mods?

    Especially if your web UI VPN mod is based on Victek's modified firmware, it will be one hell of a superb combo for sure.
     
  65. quinezhu

    quinezhu Addicted to LI Member

    My VPN server failed to connect again after PPPoE to WAN reconnected, even if I moved the entire INIT script to the WAN Up script. :frown: VPN tunneling in the GUI displays "Stop Now" normally, and there was no such problem with the previous vpn2.0004.

    Cold reboot or reboot in Tomato GUI is OK.
     
  66. gregg098

    gregg098 LI Guru Member

    I got this to work. Thanks. Does just what I need.
     
  67. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    How about this: Put the normal script back to the INIT script, but in the WAN UP script put
    Code:
    sleep 20
    service vpnclient1 restart
    (replace vpnclient1 as appropriate, and try different sleep values if it doesn't work).

    This will kill the running vpn instance upon WAN up and start it fresh.
     
  68. quinezhu

    quinezhu Addicted to LI Member

    I made a stupid mistake :redface: in that I got a wrong dport number in the firewall. Now everything is OK, except for why a cold reboot or a reboot in the GUI was OK previously. :confused:

    Anyway, THX a lot.
     
  69. quinezhu

    quinezhu Addicted to LI Member

    It seems that I've found the explanation for the whole strange phenomenon with my WRT54GS v1. That is, a reboot in the GUI, or starting vpnserver in the WAN Up script after a cold reboot, will bypass the Firewall script, and reconnecting PPPoE to WAN will dismiss this bypass.

    This bypass can be observed in iptables chains as follows:
    Code:
    Chain FORWARD (policy DROP)
    target     prot opt source               destination
    ...
    ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0
    That is why a reboot in the GUI, or starting vpnserver in the WAN Up script after a cold reboot, is OK even with a wrong dport number in the Firewall script. And after reconnecting PPPoE, the wrong dport number prevents me from remote VPN logon.

    Now I've put the vpnserver starting command line in the Init script, and then avoid rebooting in the GUI as far as possible.
     
  70. matthiaz

    matthiaz Network Guru Member

    Thanks! Finally and Vegas AND OpenVPN Mod combined! :) The ND version is also a bonus. Keep up the work, very, very nice!
     
  71. occamsrazor

    occamsrazor Network Guru Member

    VPN on this build has stopped working for me, as the server doesn't seem to be giving DHCP addresses to the client, so it is often stuck using "automatic private address". Is DHCP something I need to manually push?

    I'm using this in the init script:

    Code:
    sleep 20
    service vpnserver1 start
    
    ## Start VPN init script
    #Generate vpnup.sh
    echo "#!/bin/sh
    killall -0 vpn\$1 2> /dev/null
    if [ \$? != 0 ]
    then
    logger \"\$0: Starting vpn\$1\"
    service vpn\$1 start
    else
    logger \"\$0: vpn\$1 already running: \$(pidof vpn\$1)\"
    fi
    " > /tmp/vpnup.sh
    # Make vpnup.sh executable
    chmod +x /tmp/vpnup.sh
    # Schedule vpnup.sh to run every 30 minutes
    cru a CheckVPNServer "*/30 * * * * /tmp/vpnup.sh server1"
    # Wait 10 seconds and run vpnup.sh once
    sleep 10
    /tmp/vpnup.sh server1
    ## End VPN init script
    
    This as the client config:

    Code:
    dev tap
    proto udp
    remote <myusername>.dyndns.org 444
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    secret static.key
    comp-lzo
    verb 3
    float
    
    and these settings in the VPN tunneling config:

    TAP
    UDP
    Port 444
    Static key
    Default encryption
    Adaptive compression

    I'm also using this hack for access to modem bridges in the Firewall script:

    Code:
    iptables -I POSTROUTING -t nat -o vlan1 -d 192.168.1.0/30 -j MASQUERADE
    ip addr add 192.168.1.2/30 dev vlan1 brd +
    
    Any ideas? Thanks...
     
  72. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Could you log into the router with ssh/telnet while the tunnel is running, and post the contents of /etc/openvpn/server1.ovpn?
     
  73. occamsrazor

    occamsrazor Network Guru Member

    I'm back at home now, and when I initiate the tunnel from within my local network, it seems I do get a DHCP address properly. I guess this situation probably doesn't help you much, but here are the server1.ovpn contents when in this state:

    Code:
    # cat /etc/openvpn/server1.ovpn
    # Automatically generated configuration
    daemon
    proto udp
    port 444
    dev tap21
    comp-lzo adaptive
    keepalive 15 60
    verb 3
    secret server1-static.key
    status-version 2
    status server1.status
    
     
  74. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    So, when you are connecting from within your network, you end up with two IP DHCP addresses (one for your ethernet/wireless device, one for the tunnel device), but when you connect from outside of your network, you don't have any (your ethernet/wireless device of course keeps its original address, and the tunnel device can't get one). Is that correct?

    I've used the same setup before and gotten an IP address fine. Have you tried it without your modem bridges "hack"?
     
  75. quinezhu

    quinezhu Addicted to LI Member

    It seems that
    Code:
    service vpnserver1 start
    is not necessary in the Init script, because
    Code:
    /tmp/vpnup.sh server1
    has the same function.
     
  76. quinezhu

    quinezhu Addicted to LI Member

    Please replace the Firewall script as follows and try it again.
    Code:
    iptables -I INPUT 1 -p udp --dport 444 -j ACCEPT
    I've encountered a similar problem to yours when I tried to define a client IP in my client config file. Maybe it will also fail in the Firewall script.

    Some config samples are in the following thread
    http://www.linksysinfo.org/forums/showthread.php?t=53233
    and I removed the client IP definition line like
    Code:
    ifconfig 192.168.0.102 255.255.255.0
    
     
  77. occamsrazor

    occamsrazor Network Guru Member

    Yes, exactly.

    Me too, it worked before.... I'll try playing around with taking various stuff out, including the hack, and get back to you...
     
  78. occamsrazor

    occamsrazor Network Guru Member

    Good news, it's working again. Seems you do have to have this entered manually in the firewall config:

    Code:
    iptables -I INPUT 1 -p udp --dport 444 -j ACCEPT
    
    Also, I seem to have the "force all traffic + DNS over the vpn" hack working better, using this in the client config, instead of just the second line:

    Code:
    route-gateway 192.168.0.1
    redirect-gateway def1
    ...which seems to have the added benefit of now allowing the hack for access to modem bridges, to work remotely over the VPN as well!

    Fingers crossed it stays this way ... Thanks for your help
     
  79. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    So did you replace your "hack" with this, or is it in addition to it? Without either, does the DHCP not work or just not accessing your modem bridges? Perhaps I'm showing my ignorance, but I just don't know what port 444 is being used for here. If it is needed to allow DHCP to work across the tunnel, then I need to add it as an option.
    Yah, I guess I only looked into doing that for TLS, which the firmware-generated server config automatically pushes out the "route-gateway" to all the clients. Out of curiosity, when you say it is working "better", what changed by adding the first line (ie what didn't work right without it)?

    Glad to hear everything is working for you :smile:
     
  80. occamsrazor

    occamsrazor Network Guru Member

    I wasn't very clear. I'm using Port 444 instead of the standard 1194 for OpenVPN, for whatever reason. So it's just a standard line to Open the VPN Port.

    As for the force-hack working better - well before (using only the redirect-gateway command) I could never get the modem-bridge hack to work remotely, whereas now it does.

    I'm sorry my testing isn't being very scientific, as there are many variables involved. It's hard to test from one state to another as I'm never sure if I need to fully reboot the router to effect a change in e.g. the firewall script etc. Also when playing with the OpenVPN force-hack, it seems some remnants of a session get left over and you need to close your browser, repair the connection (flush DNS caches etc), if you want to try it properly in the new state... I always seem to end up changing multiple variables at once :)
     
  81. occamsrazor

    occamsrazor Network Guru Member

    This is the log with both the route-gateway and redirect-gateway commands:

    Code:
    Tue Feb 03 19:49:47 2009 OpenVPN 2.1_rc7 Win32-MinGW [SSL] [LZO2] [PKCS11] built on Jan 29 2008
    Tue Feb 03 19:49:47 2009 Static Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Tue Feb 03 19:49:47 2009 Static Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Tue Feb 03 19:49:47 2009 Static Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Tue Feb 03 19:49:47 2009 Static Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Tue Feb 03 19:49:47 2009 LZO compression initialized
    Tue Feb 03 19:49:48 2009 TAP-WIN32 device [OpenVPN] opened: \\.\Global\{3122330E-EDEE-4609-B387-A4F6E33F8BF5}.tap
    Tue Feb 03 19:49:48 2009 TAP-Win32 Driver Version 9.4 
    Tue Feb 03 19:49:48 2009 TAP-Win32 MTU=1500
    Tue Feb 03 19:49:48 2009 Successful ARP Flush on interface [2] {3122330E-EDEE-4609-B387-A4F6E33F8BF5}
    Tue Feb 03 19:49:48 2009 Data Channel MTU parms [ L:1577 D:1450 EF:45 EB:135 ET:32 EL:0 AF:3/1 ]
    Tue Feb 03 19:49:48 2009 Local Options hash (VER=V4): '83c3b015'
    Tue Feb 03 19:49:48 2009 Expected Remote Options hash (VER=V4): '83c3b015'
    Tue Feb 03 19:49:48 2009 Socket Buffers: R=[8192->8192] S=[8192->8192]
    Tue Feb 03 19:49:48 2009 UDPv4 link local: [undef]
    Tue Feb 03 19:49:48 2009 UDPv4 link remote: <mypublicipaddress>:444
    Tue Feb 03 19:49:58 2009 Peer Connection Initiated with <mypublicipaddress>:444
    Tue Feb 03 19:50:04 2009 TEST ROUTES: 1/1 succeeded len=0 ret=1 a=0 u/d=up
    Tue Feb 03 19:50:04 2009 route ADD <mypublicipaddress> MASK 255.255.255.255 10.11.55.1
    Tue Feb 03 19:50:04 2009 Route addition via IPAPI succeeded [adaptive]
    Tue Feb 03 19:50:04 2009 route ADD 0.0.0.0 MASK 128.0.0.0 192.168.0.1
    Tue Feb 03 19:50:04 2009 Route addition via IPAPI succeeded [adaptive]
    Tue Feb 03 19:50:04 2009 route ADD 128.0.0.0 MASK 128.0.0.0 192.168.0.1
    Tue Feb 03 19:50:04 2009 Route addition via IPAPI succeeded [adaptive]
    Tue Feb 03 19:50:04 2009 Initialization Sequence Completed
    And this is with just the redirect-gateway command:

    Code:
    Tue Feb 03 20:00:44 2009 OpenVPN 2.1_rc7 Win32-MinGW [SSL] [LZO2] [PKCS11] built on Jan 29 2008
    Tue Feb 03 20:00:44 2009 Static Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Tue Feb 03 20:00:44 2009 Static Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Tue Feb 03 20:00:44 2009 Static Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Tue Feb 03 20:00:44 2009 Static Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Tue Feb 03 20:00:44 2009 LZO compression initialized
    Tue Feb 03 20:00:44 2009 TAP-WIN32 device [OpenVPN] opened: \\.\Global\{3122330E-EDEE-4609-B387-A4F6E33F8BF5}.tap
    Tue Feb 03 20:00:44 2009 TAP-Win32 Driver Version 9.4 
    Tue Feb 03 20:00:44 2009 TAP-Win32 MTU=1500
    Tue Feb 03 20:00:44 2009 Successful ARP Flush on interface [2] {3122330E-EDEE-4609-B387-A4F6E33F8BF5}
    Tue Feb 03 20:00:44 2009 Data Channel MTU parms [ L:1577 D:1450 EF:45 EB:135 ET:32 EL:0 AF:3/1 ]
    Tue Feb 03 20:00:44 2009 Local Options hash (VER=V4): '83c3b015'
    Tue Feb 03 20:00:44 2009 Expected Remote Options hash (VER=V4): '83c3b015'
    Tue Feb 03 20:00:44 2009 Socket Buffers: R=[8192->8192] S=[8192->8192]
    Tue Feb 03 20:00:44 2009 UDPv4 link local: [undef]
    Tue Feb 03 20:00:44 2009 UDPv4 link remote: <mypublicipaddress>:444
    Tue Feb 03 20:00:54 2009 Peer Connection Initiated with <mypublicipaddress>:444
    Tue Feb 03 20:01:00 2009 TEST ROUTES: 0/0 succeeded len=0 ret=1 a=0 u/d=up
    Tue Feb 03 20:01:00 2009 NOTE: unable to redirect default gateway -- VPN gateway parameter (--route-gateway or --ifconfig) is missing
    Tue Feb 03 20:01:00 2009 Initialization Sequence Completed
    Note the error in the second-to-last line....

    ...though frankly this is all starting to get a bit above me :)
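    The two client logs above differ only in whether route-gateway is present: without it, OpenVPN has no gateway address to point the redirected default route at. As an added example (not code from this thread, from the Tomato build or from OpenVPN itself), here is a small Python linter that encodes that rule and also cross-checks the settings a client and server config must agree on (dev type, proto, port, static key vs TLS, comp-lzo). The configs embedded in it are constructed, modelled on the ones posted in this thread; the dyndns hostname and the 192.168.0.1 gateway are placeholders.

```python
"""Cross-check an OpenVPN client config against its server config.

Added example, not code from this thread or from the Tomato/OpenVPN projects.
It encodes the failure seen in the second log above (redirect-gateway with no
route-gateway/ifconfig) plus the settings that must agree on both ends of a
tunnel.  The configs at the bottom are constructed, modelled on the thread.
"""
import shlex


def parse_ovpn(text):
    """Return [(directive, [args]), ...]; comments, blank lines and the
    contents of inline <ca>...</ca> style blocks are skipped."""
    entries, block = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if block is not None:                  # inside an inline key/cert block
            if line == "</%s>" % block:
                block = None
            continue
        if not line or line[0] in "#;":
            continue
        if line.startswith("<") and line.endswith(">"):
            block = line[1:-1]
            entries.append((block, ["<inline>"]))
            continue
        parts = shlex.split(line)              # respects push "..." quoting
        entries.append((parts[0], parts[1:]))
    return entries


def first(entries, name, default):
    """Arguments of the first occurrence of a directive, or default."""
    return next((args for d, args in entries if d == name), default)


def lint(client_text, server_text=None):
    """Return a list of findings (an empty list means nothing to report)."""
    c = parse_ovpn(client_text)
    cnames = {d for d, _ in c}
    findings = []

    rg = first(c, "redirect-gateway", None)
    if rg is not None:
        if not ({"route-gateway", "ifconfig"} & cnames):
            # What OpenVPN logs as "unable to redirect default gateway -- VPN
            # gateway parameter (--route-gateway or --ifconfig) is missing".
            findings.append("redirect-gateway: add route-gateway <vpn gateway ip> "
                            "(or ifconfig) so the client knows where to send traffic")
        if "def1" not in rg:
            findings.append("redirect-gateway: use def1 so the original default "
                            "route is overridden by two /1 routes instead of deleted")
    if server_text is None:
        return findings

    s = parse_ovpn(server_text)
    snames = {d for d, _ in s}
    # "dev tap21" and "dev tap" are the same device type; strip the unit number.
    cdev = first(c, "dev", ["?"])[0].rstrip("0123456789")
    sdev = first(s, "dev", ["?"])[0].rstrip("0123456789")
    if cdev != sdev:
        findings.append("dev mismatch: client %s, server %s" % (cdev, sdev))
    # OpenVPN defaults: proto udp, port 1194.
    cproto = first(c, "proto", ["udp"])[0].rstrip("46")
    sproto = first(s, "proto", ["udp"])[0].rstrip("46")
    if cproto != sproto:
        findings.append("proto mismatch: client %s, server %s" % (cproto, sproto))
    remote = first(c, "remote", [])
    cport = remote[1] if len(remote) > 1 else first(c, "port", ["1194"])[0]
    sport = first(s, "port", ["1194"])[0]
    if cport != sport:
        findings.append("port mismatch: client connects to %s, server listens on %s"
                        % (cport, sport))
    cmode = "static key" if "secret" in cnames else "TLS"
    smode = "static key" if "secret" in snames else "TLS"
    if cmode != smode:
        findings.append("auth mode mismatch: client %s, server %s" % (cmode, smode))
    if ("comp-lzo" in cnames) != ("comp-lzo" in snames):
        findings.append("comp-lzo set on only one side; both ends must agree")
    return findings


# Constructed samples, modelled on the configs posted in the thread.
SERVER = """\
# Automatically generated configuration
daemon
proto udp
port 444
dev tap21
comp-lzo adaptive
keepalive 15 60
secret server1-static.key
"""

CLIENT_REDIRECT_ONLY = """\
dev tap
proto udp
remote <myusername>.dyndns.org 444
secret static.key
comp-lzo
redirect-gateway
"""

# The working variant from the thread: route-gateway plus def1 (placeholder gateway).
CLIENT_FIXED = CLIENT_REDIRECT_ONLY.replace(
    "redirect-gateway", "route-gateway 192.168.0.1\nredirect-gateway def1")

if __name__ == "__main__":
    for name, cfg in (("redirect only", CLIENT_REDIRECT_ONLY), ("fixed", CLIENT_FIXED)):
        print(name, lint(cfg, SERVER) or ["ok"])
```

    Run it with both client variants and the one that reproduces the second log gets two findings; the variant with route-gateway and def1 gets none. Because the client only knows its side, the script needs the server's .ovpn (cat /etc/openvpn/server1.ovpn on the router, as requested earlier in the thread) to check the cross-side settings.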
     
  82. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    No, you were fine. I should have noticed you were using port 444 for the VPN from your config. Now, that iptables command should be automatically added without having to put anything in the firewall script. If you're having to add it manually, there is a bug.

    Could you post the result of
    Code:
    iptables -L
    with the server running both with and without the line in the firewall script? (or at least post what the differences, however small, there are)? And, also could you post the contents of /etc/openvpn/server1-fw.sh (with the server running)?

    Thanks!
     
  83. occamsrazor

    occamsrazor Network Guru Member

    The problem I have is that remotely I can only use my Win XP laptop, and I don't know how to ssh into the router and/or execute these commands via a terminal in XP.

    At home I have a Mac OS X desktop and know how to ssh in and use the terminal, but vpn'ing only across my home LAN isn't going to give you an accurate answer I think...
     
  84. occamsrazor

    occamsrazor Network Guru Member

    SgtPepper...

    I VPN'd remotely with the XP laptop over a cell connection and then ssh'd into the router with the Mac. The "iptables -L" output was quite long, but I could not tell any difference at all between using the two-line client config hack and the one-line hack. It's a bit too long to post here, so I will PM the two logs to you.

    Regarding the output of /etc/openvpn/server1-fw.sh, it was also the same with both setups, and also with no force-hack lines in the client config:

    Code:
    iptables -I INPUT -p udp --dport 444 -j ACCEPT
    iptables -A INPUT -i tap21 -j ACCEPT
    iptables -A FORWARD -i tap21 -j ACCEPT 
    I then removed the (manual) firewall script line:

    Code:
    iptables -I INPUT 1 -p udp --dport 444 -j ACCEPT 
    rebooted the router, VPN'd in with the two-line setup, which again resulted in me not getting a DHCP address for the OpenVPN client, only an "automatic private address" of 169.254.58.189.... and the /etc/openvpn/server1-fw.sh output was the same. However, when I ran iptables -L again, there was a difference: this line was missing from the "CHAIN input":

    Code:
    ACCEPT     udp  --  anywhere             anywhere            udp dpt:snpp 
    I hope this all means something to you! Regards, Ben
     
  85. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Yes, it means that either a) server1-fw.sh isn't being run or b) the rule isn't taking when it is run. That line that was different should have been there either way.

    Sorry to run you through so many hoops, but could you try (with the line removed from the firewall script) running /etc/openvpn/server1-fw.sh after the server is started (but before a client connects) via telnet/ssh.

    And, btw, telnet is built in to Windows (run from the command line) and PuTTY is a good free Windows ssh client you can download.
     
  86. occamsrazor

    occamsrazor Network Guru Member

    No need to be sorry, your help is much appreciated. I just hope there's not some weird setting I have somewhere that's causing this and wasting your time... (Not sure if you remember but it was me who didn't flash the NVRAM when I upgraded from roadkill mod, I hope it's nothing to do with that).

    I ran it as you suggested above, it's the same output as before...

    I'd forgotten about telnet in XP, thanks.... and maybe will re-install PuTTY, I had it on before...
     
  87. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Wow, so you ran /etc/openvpn/server1.ovpn (with the server running), and a subsequent iptables -L didn't show that line? Very strange. What if you run
    Code:
    iptables -I INPUT -p udp --dport 444 -j ACCEPT
    directly?
     
  88. quinezhu

    quinezhu Addicted to LI Member

    Is this related to what I posted in #368 & #369? I found
    Code:
    iptables -I INPUT 1 -p udp --dport ???? -j ACCEPT
    essential for me too if I put the vpnserver start command in the Init script. Otherwise an error occurred.
    Code:
    Wed Feb 04 20:11:35 2009 UDPv4 link remote: *.*.*.*:????
    Wed Feb 04 20:11:35 2009 MANAGEMENT: >STATE:1233749495,WAIT,,,
    Wed Feb 04 20:12:36 2009 [UNDEF] Inactivity timeout (--ping-restart), restarting
    If I reboot in the GUI, or put it in the WAN Up script and then cold reboot,
    Code:
    Chain FORWARD (policy DROP)
    target     prot opt source               destination
    . . .
    ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0
    the last line will be automatically added to the iptables chains (observed via telnet/ssh); that seems to be the automatic iptables command you mentioned. And it will disappear automatically when PPPoE to WAN is reconnected, or if I put the vpnserver start command back in the Init script and then cold reboot.

    And also I found the automatic iptables command will bypass the other iptables commands entered manually in the Firewall script. That should be the reason why a reboot in the GUI, or starting vpnserver in the Init script after a cold reboot, is OK on my router even if I got a wrong dport number in the Firewall script, and why Occamsrazor found the force-hack working better after
    Code:
    iptables -I INPUT 1 -p udp --dport 444 -j ACCEPT
    was added manually. So it should work too (except for the force-hack working better) if he reboots in the GUI, or puts the vpnserver start command in the WAN Up script and then cold reboots, even if the above iptables command is removed from the Firewall script.

    I've encountered a similar problem to Occamsrazor's when I tried a sample of "Configuring client-specific rules and access policies" in the HOWTO. These access policies become invalid after a reboot in the GUI, or when vpnserver is started in the WAN Up script after a cold reboot; furthermore, the router will then Respond To ICMP Ping from my VPN client in router mode even if that is unchecked in Advanced>Firewall of the GUI.

    Now I have to put the vpnserver start command in the Init script, and then avoid rebooting in the GUI as far as possible.

    In a word, the automatic iptables command seems to be applied only after a reboot in the GUI or when vpnserver is started in the WAN Up script after a cold reboot, and it seems to bypass the Firewall script and the other Firewall settings in the GUI.
     
  89. occamsrazor

    occamsrazor Network Guru Member

    I just read quinezhu's post... I should add that as per his earlier advice I'd removed the "start vpnserver ...." command from the init script - this was the case for all my above testing after post #376. My init script for all that testing reads:

    Code:
    sleep 10
    
    ## Start VPN init script
    #Generate vpnup.sh
    echo "#!/bin/sh
    killall -0 vpn\$1 2> /dev/null
    if [ \$? != 0 ]
    then
    logger \"\$0: Starting vpn\$1\"
    service vpn\$1 start
    else
    logger \"\$0: vpn\$1 already running: \$(pidof vpn\$1)\"
    fi
    " > /tmp/vpnup.sh
    # Make vpnup.sh executable
    chmod +x /tmp/vpnup.sh
    # Schedule vpnup.sh to run every 30 minutes
    cru a CheckVPNServer "*/30 * * * * /tmp/vpnup.sh server1"
    # Wait 10 seconds and run vpnup.sh once
    sleep 10
    /tmp/vpnup.sh server1
    ## End VPN init script
    
    Hmm... I might have to check that again (can't do right now, will have to wait until later), when I said in post #386 that the output was again the same, I meant the output of "/etc/openvpn/server1-fw.sh", not "iptables -L"

    Although it seems that quinezhu understands this all better than me and may be of more help to you....
     
  90. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Yes, that command should be necessary, as a nearly identical one (it leaves out the "1", but that is the default value when none is given) is run every time a server is started. Further, any time the firewall script is run, it should reapply it. Obviously, there is something wrong.
    That would be one of them. Three rules are added each time (and can be seen in /etc/openvpn/server1-fw.sh).

    Could you try putting that command in WAN up instead (just the start command, if you are generating a script, that part needs to be done in init). I think that is a better place for it, and may fix things.

    Could you expound on that a little? What do you mean by bypassing the other commands?
    Could you try running
    Code:
    nvram set vpn_debug="1"
    nvram commit
    Then trying the different scenarios that you've described (both that work properly and those that need the extra iptables command)? Could you check the router logs after each and see if you find any "Running firewall script:" VPN debug messages?

    Obviously, there is a problem in getting the proper firewall rules in place automatically, but I'm not sure where the problem is.
     
  91. quinezhu

    quinezhu Addicted to LI Member

    Yeah, I found them, and these three rules seem not to work when the vpnserver start command is in the Init script after a cold reboot.
    Code:
    #!/bin/sh
    iptables -I INPUT -p udp --dport ???? -j ACCEPT
    iptables -A INPUT -i tun21 -j ACCEPT
    iptables -A FORWARD -i tun21 -j ACCEPT
    and furthermore, how do I get the last two lines removed? They should be the reason why my own Firewall script is bypassed on my router.


    I only moved the following lines to WAN Up script, and then did the test in post #388.
    Code:
    # Wait 10 seconds and run vpnup.sh once
    sleep 10
    /tmp/vpnup.sh server1

    Sorry english is not my mother tongue so I don't know how to make a clear explanation on it. :redface:

    Bypass means the command lines entered manually in the Firewall script don't apply, and an unchecked "Respond To ICMP" in Advanced>Firewall of the GUI doesn't apply either. My VPN clients in router mode can access my private network without any access policies.

    As long as I put the vpnserver start command in the Init script and avoid rebooting in the GUI, both my own Firewall script and the unchecked "Respond To ICMP" work fine.


     
  92. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    What were the results? Did it fix the problem (aside from the access restrictions, see below)?
    Oh, I see now. I have those rules specifically to give access to the network for the VPN clients. It didn't occur to me that someone would want to do differently. I guess I can make those lines an option in the next release.
    Yes.
     
  93. quinezhu

    quinezhu Addicted to LI Member

    Yes, the VPN client can log on remotely, and it works too after a reboot in the GUI, aside from my own access restrictions.


    Looking forward to it. And is it possible to make those lines apply too when the vpnserver start command is in the Init script after a cold reboot, or when PPPoE to WAN is reconnected?


    thx. And then run the following to restore it after the test?
    Code:
    nvram set vpn_debug="0"
    nvram commit
     
  94. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Okay, I know what is going on. Thanks for your help tracking it down.
    Once I make a change to make those last two lines optional, you will want to put the start command (actually, you should use the vpnup script, instead) in the WAN Up script, and it will work as you want.
    Yes, that would undo it, but I don't think you need to do anymore testing. The problem was that I didn't understand at first what you were saying didn't work. Once I got that, I realized there were two "problems":
    • Starting the VPN server in the init script was troublesome because it happened before the router's firewall stuff is run.
      • The fix for this is for people to start the server in the WAN Up script (after the router's firewall initialization). This also means the vpnup.sh script in the README is more appropriate. (occamsrazor, this should fix your problem)
    • I didn't account for the fact that people might want to set up themselves the firewall rules that allow the tunnel access to the LAN.
      • I will add an option to set up this manually
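    Reading iptables -L output by eye, as was done several times above, is error-prone, and plain iptables -L -n hides the in/out interface columns, so the "-i tun21" rule from server1-fw.sh shows up as a bare ACCEPT from anywhere to anywhere. As an added example (not code from this thread or from the Tomato firmware), here is a Python audit of a saved iptables listing that checks that the ACCEPT for the VPN's UDP port is present in INPUT and not shadowed by an earlier catch-all DROP, and reports the interface-bound ACCEPTs that give VPN clients unrestricted access to the router and the LAN (the two rules quinezhu wants to be optional). The listings embedded in it are constructed, modelled on the output posted in this thread, with port 444 and tun21 as above.

```python
"""Audit an iptables listing for the OpenVPN rules discussed in this thread.

Added example, not code from the thread or from the Tomato firmware.  It
parses the text of `iptables -L -n -v` (or plain `iptables -L -n`, which
hides the in/out interface columns) and reports:
  * whether the ACCEPT for the VPN's UDP port is present in INPUT and not
    shadowed by an earlier catch-all DROP;
  * ACCEPT rules bound to a tun/tap interface, i.e. VPN clients reaching the
    router (INPUT) or every LAN host (FORWARD) with no further policy;
  * catch-all ACCEPTs whose interface cannot be seen because -v was omitted.
The listings at the bottom are constructed, modelled on the thread's output.
"""

VERBOSE_COLS = ["pkts", "bytes", "target", "prot", "opt", "in", "out", "src", "dst"]
PLAIN_COLS = ["target", "prot", "opt", "src", "dst"]


def parse_listing(text):
    """Return {chain: [rule, ...]}; each rule is a dict of the column values
    plus 'match' (the trailing match text such as 'udp dpt:444')."""
    chains, chain, cols = {}, None, None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("Chain "):
            chain = stripped.split()[1]
            chains[chain] = []
        elif stripped.startswith("pkts") or stripped.startswith("target"):
            cols = VERBOSE_COLS if stripped.startswith("pkts") else PLAIN_COLS
        elif stripped and chain is not None and cols is not None:
            parts = stripped.split(None, len(cols))
            if len(parts) < len(cols):
                continue
            rule = dict(zip(cols, parts[:len(cols)]))
            rule["match"] = parts[len(cols)] if len(parts) > len(cols) else ""
            rule.setdefault("in", "?")     # unknown when -v was not used
            rule.setdefault("out", "?")
            chains[chain].append(rule)
    return chains


def is_catch_all(rule):
    """Any source, any destination, no extra match (port, state, ...)."""
    return rule["src"] == "0.0.0.0/0" and rule["dst"] == "0.0.0.0/0" and not rule["match"]


def is_vpn_if(name):
    return name.startswith(("tun", "tap"))


def audit(text, vpn_port):
    """Return a list of findings for the listing; empty means nothing to report."""
    chains = parse_listing(text)
    findings = []
    want = "dpt:%s" % vpn_port
    inp = chains.get("INPUT", [])
    idx = next((i for i, r in enumerate(inp)
                if r["target"] == "ACCEPT" and r["prot"] == "udp" and want in r["match"]),
               None)
    if idx is None:
        findings.append("INPUT: missing ACCEPT for udp %s; remote clients will time out "
                        "(--ping-restart)" % want)
    elif any(r["target"] == "DROP" and is_catch_all(r) for r in inp[:idx]):
        findings.append("INPUT: ACCEPT for udp %s is shadowed by an earlier catch-all DROP"
                        % want)
    for chain in ("INPUT", "FORWARD"):
        for r in chains.get(chain, []):
            if r["target"] != "ACCEPT" or not is_catch_all(r):
                continue
            if is_vpn_if(r["in"]):
                what = "router services" if chain == "INPUT" else "every LAN host"
                findings.append("%s: ACCEPT all from %s; VPN clients reach %s with no "
                                "further policy" % (chain, r["in"], what))
            elif r["in"] == "?":
                findings.append("%s: catch-all ACCEPT with interface hidden; rerun "
                                "iptables -L -n -v" % chain)
            elif r["in"] == "*" and r["out"] == "*":
                findings.append("%s: blanket ACCEPT with no interface; chain policy DROP "
                                "is ineffective" % chain)
    return findings


# Constructed listing in `iptables -L -n -v` form, modelled on the thread's output.
SAMPLE_VERBOSE = """\
Chain INPUT (policy DROP 12 packets, 600 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:444
   10   500 DROP       0    --  *      *       0.0.0.0/0            203.0.113.7
    0     0 DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
  100  8000 ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     0    --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     0    --  br0    *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.9.1         tcp dpt:22
    0     0 ACCEPT     0    --  tun21  *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     0    --  br0    br0     0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     0    --  tun21  *       0.0.0.0/0            0.0.0.0/0
"""

# The same rules as plain `iptables -L -n` shows them: the interface is invisible.
SAMPLE_PLAIN = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:444
DROP       0    --  0.0.0.0/0            0.0.0.0/0           state INVALID
ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            192.168.9.1         tcp dpt:22
ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_VERBOSE, 444):
        print(finding)
```

    Feed it the listing captured over ssh (for example `ssh root@router iptables -L -n -v > rules.txt` and then `audit(open("rules.txt").read(), 444)`). On the verbose sample it reports the two tun21 accepts, which is exactly what you want to see if you rely on server1-fw.sh and exactly what you want flagged if you maintain your own access policies; on the plain sample it only says that the interface is hidden, which is the ambiguity the thread ran into.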
     
  95. quinezhu

    quinezhu Addicted to LI Member

    I see. And I don't know why reconnecting PPPoE to WAN in the GUI seems to make the default three firewall rules in server1-fw.sh invalid too, even if I've moved the vpnserver start command (only this command) into the WAN Up script, just like starting the VPN server in the Init script. :confused:
     
  96. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    In that case, could you set that debug flag, try your reconnect, and check the router log for debug messages?
     
  97. quinezhu

    quinezhu Addicted to LI Member

    My router log after a cold reboot and then reconnecting PPPoE to WAN, with the debug flag set.
    Code:
    Feb  5 23:14:17 unknown user.notice root: /tmp/vpnup.sh: Starting vpnserver1
    Feb  5 23:14:18 unknown user.info kernel: Universal TUN/TAP device driver 1.5 (C)1999-2002 Maxim Krasnyansky
    Feb  5 23:14:19 unknown user.info kernel: device tun21 entered promiscuous mode
    Feb  5 23:14:20 unknown daemon.notice openvpn[471]: OpenVPN 2.1_rc15 mipsel-unknown-linux-gnu [SSL] [LZO2] built on Dec 14 2008
    Feb  5 23:14:20 unknown daemon.warn openvpn[471]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Feb  5 23:14:21 unknown daemon.notice openvpn[471]: Diffie-Hellman initialized with 1024 bit key
    Feb  5 23:14:21 unknown daemon.notice openvpn[471]: TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Feb  5 23:14:21 unknown daemon.notice openvpn[471]: TUN/TAP device tun21 opened
    Feb  5 23:14:21 unknown daemon.notice openvpn[471]: TUN/TAP TX queue length set to 100
    Feb  5 23:14:21 unknown daemon.notice openvpn[471]: /sbin/ifconfig tun21 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
    Feb  5 23:14:21 unknown daemon.notice openvpn[471]: /sbin/route add -net 10.8.1.0 netmask 255.255.255.0 gw 10.8.0.2
    Feb  5 23:14:21 unknown daemon.notice openvpn[471]: /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2
    Feb  5 23:14:21 unknown daemon.notice openvpn[471]: Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
    Feb  5 23:14:21 unknown daemon.notice openvpn[478]: Socket Buffers: R=[65535->131070] S=[65535->131070]
    Feb  5 23:14:21 unknown daemon.notice openvpn[478]: UDPv4 link local (bound): [undef]:3329
    Feb  5 23:14:21 unknown daemon.notice openvpn[478]: UDPv4 link remote: [undef]
    Feb  5 23:14:21 unknown daemon.notice openvpn[478]: MULTI: multi_init called, r=256 v=256
    Feb  5 23:14:21 unknown daemon.notice openvpn[478]: IFCONFIG POOL: base=10.8.0.4 size=62
    Feb  5 23:14:21 unknown daemon.notice openvpn[478]: IFCONFIG POOL LIST
    Feb  5 23:14:21 unknown daemon.notice openvpn[478]: Initialization Sequence Completed
    Feb  5 23:14:48 unknown cron.err crond[130]: time disparity of 20564112 minutes detected
    Feb  5 23:16:24 unknown daemon.info dnsmasq[177]: exiting on receipt of SIGTERM
    Feb  5 23:16:24 unknown daemon.notice pppoe[167]: Disconnected.
    Feb  5 23:16:24 unknown daemon.notice pppoe[167]: Connect time 2.6 minutes.
    Feb  5 23:16:24 unknown daemon.notice pppoe[167]: Sent 2547495 bytes, received 149626 bytes.
    Feb  5 23:16:26 unknown daemon.info dnsmasq[547]: started, version 2.46 cachesize 150
    Feb  5 23:16:26 unknown daemon.info dnsmasq[547]: compile time options: no-IPv6 GNU-getopt no-RTC no-DBus no-I18N no-TFTP
    Feb  5 23:16:26 unknown daemon.info dnsmasq[547]: DHCP, IP range 192.168.9.7 -- 192.168.9.15, lease time 1d
    Feb  5 23:16:26 unknown daemon.warn dnsmasq[547]: no servers found in /etc/resolv.dnsmasq, will retry
    Feb  5 23:16:26 unknown daemon.info dnsmasq[547]: read /etc/hosts - 0 addresses
    Feb  5 23:16:26 unknown daemon.info dnsmasq[547]: read /etc/hosts.dnsmasq - 7 addresses
    Feb  5 23:16:32 unknown daemon.info dnsmasq[547]: exiting on receipt of SIGTERM
    Feb  5 23:16:32 unknown daemon.info dnsmasq[554]: started, version 2.46 cachesize 150
    Feb  5 23:16:32 unknown daemon.info dnsmasq[554]: compile time options: no-IPv6 GNU-getopt no-RTC no-DBus no-I18N no-TFTP
    Feb  5 23:16:32 unknown daemon.info dnsmasq[554]: DHCP, IP range 192.168.9.7 -- 192.168.9.15, lease time 1d
    Feb  5 23:16:32 unknown daemon.warn dnsmasq[554]: no servers found in /etc/resolv.dnsmasq, will retry
    Feb  5 23:16:32 unknown daemon.info dnsmasq[554]: read /etc/hosts - 0 addresses
    Feb  5 23:16:32 unknown daemon.info dnsmasq[554]: read /etc/hosts.dnsmasq - 7 addresses
    Feb  5 23:16:32 unknown user.info redial[556]: Started. Time: 30
    Feb  5 23:16:35 unknown daemon.notice pppoe[557]: Connected.
    Feb  5 23:16:35 unknown daemon.notice pppoe[557]: IP Address: *.*.*.*
    Feb  5 23:16:35 unknown daemon.notice pppoe[557]: DNS Address: 202.109.15.135, 202.96.209.6
    Feb  5 23:16:35 unknown daemon.info dnsmasq[554]: exiting on receipt of SIGTERM
    Feb  5 23:16:35 unknown daemon.info dnsmasq[565]: started, version 2.46 cachesize 150
    Feb  5 23:16:35 unknown daemon.info dnsmasq[565]: compile time options: no-IPv6 GNU-getopt no-RTC no-DBus no-I18N no-TFTP
    Feb  5 23:16:35 unknown daemon.info dnsmasq[565]: DHCP, IP range 192.168.9.7 -- 192.168.9.15, lease time 1d
    Feb  5 23:16:35 unknown daemon.info dnsmasq[565]: reading /etc/resolv.dnsmasq
    Feb  5 23:16:35 unknown daemon.info dnsmasq[565]: using nameserver 208.67.220.220#53
    Feb  5 23:16:35 unknown daemon.info dnsmasq[565]: using nameserver 208.67.222.222#53
    Feb  5 23:16:35 unknown daemon.info dnsmasq[565]: read /etc/hosts - 0 addresses
    Feb  5 23:16:35 unknown daemon.info dnsmasq[565]: read /etc/hosts.dnsmasq - 7 addresses
    Feb  5 23:16:39 unknown user.info ip-up[562]: VPN DEBUG: 595: Running firewall script:
    Feb  5 23:16:39 unknown user.info ip-up[562]: VPN DEBUG: 596: server1-fw.sh
    Feb  5 23:16:57 unknown user.notice root: /tmp/vpnup.sh: vpnserver1 already running: 478
    

    After a cold reboot, the default firewall rules from server1-fw.sh were in place:
    Code:
    :/root # iptables -L -n
    Chain INPUT (policy DROP)
    target     prot opt source               destination
    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:????
    DROP       0    --  0.0.0.0/0            *.*.*.*
    DROP       0    --  0.0.0.0/0            0.0.0.0/0           state INVALID
    ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0
    ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0
    ACCEPT     tcp  --  0.0.0.0/0            192.168.9.1         tcp dpt:22
    ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0
    . . .
    
    Chain FORWARD (policy DROP)
    target     prot opt source               destination
    . . .
    ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0
    
    But after the PPPoE WAN connection was re-established, they disappeared.
     
  98. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Very odd, as it clearly shows that the server1-fw.sh file is being run upon reconnect. And, at that point (when the rules are not in place), if you run /etc/openvpn/server1-fw.sh manually, those rules don't show back up? What about if you run the iptables commands manually?
    Code:
    iptables -I INPUT -p udp --dport ???? -j ACCEPT
    iptables -A INPUT -i tun21 -j ACCEPT
    iptables -A FORWARD -i tun21 -j ACCEPT
    Of course, replacing your port number.
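Since the thread shows server1-fw.sh being re-run on every PPPoE reconnect, the script needs to be safe to run repeatedly: it should restore the rules when the firewall has been rebuilt without them, and not stack duplicates when they are still there. The following is an added example, not code from the thread or from the Tomato VPN build; it uses the delete-then-insert idiom (which works on old iptables builds that lack -C), and tun21 and port 1194 are placeholders for the interface and the thread's ???? port.

```shell
#!/bin/sh
# Added example (not the project's server1-fw.sh): idempotent application
# of the three OpenVPN server rules from the thread. Each rule is deleted
# until iptables -D reports it is gone, then inserted once, so running the
# script from the WAN-up / firewall hook after every PPPoE reconnect gives
# exactly one copy of each rule. IPT can be overridden for testing.
IPT="${IPT:-iptables}"
VPN_IF="${VPN_IF:-tun21}"      # assumption: the OpenVPN server interface
VPN_PORT="${VPN_PORT:-1194}"   # placeholder for the thread's ???? port

# ensure_rule FLAG CHAIN RULE...  (FLAG is -I to prepend or -A to append)
ensure_rule() {
    flag="$1"; chain="$2"; shift 2
    # strip every existing copy; -D fails once none remain
    while "$IPT" -D "$chain" "$@" 2>/dev/null; do :; done
    "$IPT" "$flag" "$chain" "$@"
}

# apply_vpn_rules: accept the tunnel port on INPUT (ahead of the DROP
# policy) and traffic from the tunnel interface on INPUT and FORWARD.
apply_vpn_rules() {
    ensure_rule -I INPUT   -p udp --dport "$VPN_PORT" -j ACCEPT &&
    ensure_rule -A INPUT   -i "$VPN_IF" -j ACCEPT &&
    ensure_rule -A FORWARD -i "$VPN_IF" -j ACCEPT
}

# When invoked as "server1-fw.sh apply" (e.g. from the hook), apply them.
case "${1:-}" in apply) apply_vpn_rules ;; esac
```

Checking with `iptables -vnL INPUT` afterwards (the -v shows the in-interface column that the thread's `-L -n` output omits) confirms a single rule per line regardless of how many times the hook fired.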
     
  99. quinezhu

    quinezhu Addicted to LI Member

    After I run /etc/openvpn/server1-fw.sh manually or run the iptables commands manually, those rules show back up. But they will still be killed if I reconnect PPPoE to the WAN in the GUI again. :frown:

    Maybe a sleep command is needed before server1-fw.sh is loaded automatically during the PPPoE-to-WAN reconnect.
     
  100. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Okay, then it seems the server1-fw.sh script isn't actually being run when the debug statements show that it is at least attempting to run it.

    As I was typing that I took another look at the code, and I think I see why it's not actually being run. I will correct it in the next release. Sorry for the trouble.
     