When using tls-auth, you need to do one of the following:
#1) In both the client and server, use "tls-auth <file>"
#2) At one of the endpoints, use "tls-auth <file> 0", and at the other endpoint, use "tls-auth <file> 1". Traditionally, the server is 0 and the client is 1, but this is arbitrary.
You can't make one bi-directional and the other directional. #2 is a bit more secure.
Getting DNS to work through VPN is painful if the client isn't Windoze. You need to add
Code:
push "dhcp-option DNS <your router's IP>"
push "dhcp-option DOMAIN <your home domain>"
to your server's configuration, and you also need some magic configurations in your client. Searching "OpenVPN linux DNS" should give you the information you need.
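An added example, not from the thread or from the mod, that checks a server/client config pair against the two tls-auth rules above (both sides bidirectional, or one side 0 and the other 1) and counts the DNS options the server pushes. The configs are constructed samples written to a temp directory; the key file name ta.key, the router address 192.168.1.1 and the domain home.example are placeholders.

```shell
#!/bin/sh
# Lint an OpenVPN server/client config pair for tls-auth key direction and
# pushed DNS options. Sample configs below are constructed for the demo.

WORK=$(mktemp -d)

# Constructed server config: direction 0 plus the two DNS push lines.
cat > "$WORK/server.conf" <<'EOF'
port 1194
proto udp
dev tun
tls-auth ta.key 0
push "dhcp-option DNS 192.168.1.1"
push "dhcp-option DOMAIN home.example"
EOF

# Constructed client config that matches the server (direction 1).
cat > "$WORK/client.conf" <<'EOF'
client
dev tun
remote vpn.example.invalid 1194
tls-auth ta.key 1
EOF

# Constructed client config that breaks the rule: bidirectional key on one
# side only, which will not pair with a server using direction 0.
cat > "$WORK/client-bad.conf" <<'EOF'
client
dev tun
tls-auth ta.key
EOF

# Print the tls-auth direction a config uses: none, bidir, 0, 1 or invalid.
tls_auth_dir() {
    line=$(grep -E '^[[:space:]]*tls-auth[[:space:]]' "$1" | head -n 1)
    if [ -z "$line" ]; then echo none; return 0; fi
    set -- $line              # $1=tls-auth $2=key file $3=direction (may be empty)
    case "${3:-}" in
        0|1) echo "$3" ;;
        "")  echo bidir ;;
        *)   echo invalid ;;
    esac
}

# Return 0 when the pair follows rule #1 (both bidirectional) or rule #2
# (one side 0, the other 1); return 1 for any other combination.
check_tls_auth_pair() {
    s=$(tls_auth_dir "$1")
    c=$(tls_auth_dir "$2")
    case "$s:$c" in
        bidir:bidir|0:1|1:0) return 0 ;;
        *) echo "tls-auth mismatch: server=$s client=$c" >&2; return 1 ;;
    esac
}

# Count the DNS/DOMAIN dhcp-options a server config pushes to clients.
count_dns_push() {
    grep -cE '^[[:space:]]*push[[:space:]]+"dhcp-option[[:space:]]+(DNS|DOMAIN)[[:space:]]' "$1" || true
}

check_tls_auth_pair "$WORK/server.conf" "$WORK/client.conf" \
    && echo "server.conf / client.conf: tls-auth directions are consistent"
check_tls_auth_pair "$WORK/server.conf" "$WORK/client-bad.conf" \
    || echo "client-bad.conf needs 'tls-auth ta.key 1' to pair with this server"
echo "server.conf pushes $(count_dns_push "$WORK/server.conf") DNS-related option(s)"
```

Run it against the real files by replacing the constructed paths with the server's and client's config paths; a "mismatch" line means the HMAC firewall will reject every control-channel packet, which shows up in the logs as a TLS handshake that never completes.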
HI :>
#1) There still seems to be a problem (from the log):
Sun Jan 11 20:18:02 2009 us=861024 Initialization Sequence Completed
Sun Jan 11 20:19:03 2009 us=30076 [server] Inactivity timeout (--ping-restart), restarting
Sun Jan 11 20:19:03 2009 us=30452 TCP/UDP: Closing socket
This happens every minute. Is the connection timing out, or is this just some ignorable log output?
*edit* A friend of mine tested the connection from outside. He can establish the connection and he is able to ping my Windows PC and the router. He is also able to connect to my network shares on my Windows PC. On the other side, I am only able to ping his PC (if he is connected), but not to connect to his shares.
#2) tls-auth is working, thx.
ok I worked it out. everything is fine now. testing a vpn from the local LAN is not really a good idea. THX 4 your help :>
SgtPeppers, great work! I installed this on my Linksys router and it works great! Thanks for this. I have two questions though, as I am new to OpenVPN. Can I set up a client and a server at the same time on the router? If the router is set up as a client and is accessing the internet through another OpenVPN server, is it possible to connect to the server on the router from another client on some arbitrary network? Again, thanks!
Okay, I'm back from vacation now, so I'll try to answer any outstanding questions. If I miss any, or if there was a separate thread (I don't see any relevant ones), let me know. And, thanks to fyellin and others who answered questions while I was gone.
Actually, you can have up to two servers and two clients all running on the router, though I wouldn't recommend that due to limited resources. You'll have to try to see if your router can handle your typical load with one client and one server, but I bet it will be fine. I haven't tried a situation where all internet traffic is being routed through a router-to-router connection (the redirect-gateway directive, probably), but there is no reason why it shouldn't work. And, chaining the two tunnels like you suggest shouldn't be a problem, either.
and don't forget, the tls-auth key is named "server1-static.key" if you paste the tls-auth key to "static key" :>
True, but unless you are just manually reading the files from the shell, you shouldn't need to care what the file names are.
More specifically, I need a client config since I've already generated the keys. All I did was plug them into the router.
Here is the OpenVPN how-to for the config files. Just start with the example client config and change as appropriate (there are lots of comments in the file explaining each option).
Witopia Setting - Help
I am attempting to set up this VPN firmware (client) with the Witopia VPN server. I have purchased the MAC package as recommended by Witopia to run on Linux, and I have set up these settings as per the following file on the VPN build client.
archive.pax:
dev tun
proto udp
remote 1194
resolve-retry infinite
nobind
persist-key
ns-cert-type server
cipher bf-cbc
comp=lzo
verb 3
mute 20
Tomato Setting:
Interface Type= TUN
Protocol=UDP
Server address/Port= 38.119.98.200 1194
Auth Mode=TLS
Extra HMAC= Disabled
Create NAT= check
Encryption cipher = BF-CBC
Compression=Enabled
Connection Retry=20
I have entered the keys included in the file and saved / started with no success. Any correction and/or suggestions would be appreciated, thank you. Client starts but no connection; am I missing something?
This: ns-cert-type server should be in the client config (not in the server config), and you have to choose "server" for the Common Name while creating the server certificate. And I think this: persist-key should also be in the client config if you are using it in the server config. Besides this, you should look in the Tomato firmware and the server log for any hints about what's wrong with your config.
First, am I correct in assuming that the file you list is the client config they tell you to use, and the settings you list are your attempt to match that in the GUI? Please check the router logs to see what OpenVPN errors occur. This could give a clue as to what is going wrong.
I'm wondering whether these are the complete configurations, or if there are more items being elided. For example, I note that he is using TLS mode, but the archive.pax config doesn't mention the keys.
Yes the file does give the keys as stated "I have entered the keys included in the file" but I am not going to include them in my post for obvious reasons. But thanks for the suggestion to a solution.
Yes, this is part of the file they gave me and I am trying to match it to the GUI to start the VPN client to connect to Witopia's VPN server. Hope I am on the right track? The error log shows a bad handshake; I will recheck keys / settings and try again.
Sorry. I was interpreting your "I have entered the keys" as referring to the Tomato side, not to the archive.pax side. There are a few things that look suspicious:
#1) "ns-cert-type server". This says "verify that the other side's certificate has the "server flag" set". Yet in your configuration, it's archive.pax that is the server. You should probably just leave this line out until everything else is fixed.
#2) "remote 1194" looks totally broken. This says I'm talking to the remote host named "1194", which probably fails. I think you want "port 1194".
#3) You probably want a "server ...." line on the server
I think there's still a misinterpretation. The archive.pax is a client config, not a server config (unless I'm the one misinterpreting) provided to 1001010 that the GUI needs to be compatible with. So, I don't think the .pax is being used at all. Yes, please do recheck the keys. That is the most likely culprit. If problems continue, please post the relevant portions of your router log.
In the original email, he's had under "Tomato Setting" the server's address and port. I think that's only available in the client tab. There seems to be some confusion (either me or him, I'm not sure) about which side is the server and which is the client. (Or perhaps he's using it P2P). I'd be happier if he showed us the complete configuration files for both machines--all the secret information is stored outside the configuration file--and the logs of both machines. That way we don't have to guess at what's being elided.
Exactly. Both the .pax and the tomato VPN settings are for client. The .pax is what is "supposed" to be used, and the tomato settings are an attempt to do that. I think the server belongs to a third party. That's why the given client config needs to be matched.
Hello, I am new to the world of Tomato / custom WRT firmware. I have been playing with a few WRT54GL devices and I really, really love the functionality of Tomato. This OpenVPN mod is exactly what I needed, so SgtPepperKSU, thank you very much. Anyway, I have a little issue. I have one WRT running as an OpenVPN server (tap) and it works lovely. I can connect with my Windows 7, Vista & XP, obtaining a DHCP address. But I can't configure another WRT as a client and obtain a DHCP address like I can on Windows clients. If I use ifconfig to set a static IP, the VLAN is reachable and I can connect to the devices in my VLAN behind the remote WRT using my local clients behind the local WRT. I just want my local WRT's tap client to get a DHCP address instead of a static one. Any guesses what I am doing wrong? Do I need an up script? If I try the udhcpc client with -i tap11 it isn't working. I once saw the remote DHCP service broadcasting a lease for my local tap device's MAC address, but it didn't pick it up :s. Both devices are connected to an ISP which blocks all ports under 1024, but I guess that is not applicable if the VPN connection is connected. Thanks a lot for your time!
I designed it specifically not to change the IP address of the VPN client router. I would think that would cause problems for the LAN machines behind that router, and that a router's LAN IP address should not change (unless restructuring a network). What is it you are hoping to gain by doing this? Do both ends of the tunnel share a subnet? If I understood a use case where changing the LAN IP based on DHCP-over-VPN would be useful, I may consider offering it as an option.
I just want a point-to-point VPN connection where my client tap device on the router gets an IP by DHCP and all traffic from the local network can access the servers / services on the other side of the connection. It works perfectly if I use ifconfig 192.168.10.x 255.255.255.0 in the custom settings textarea. So I want the tap device (tap11) to get an IP from the DHCP server over the VPN connection. That's not possible? It should be, I guess, since my Windows clients get IPs from the remote VPN server.
You shouldn't need to have an ifconfig line at all. If you want the two LANs to share a subnet, just assign the two routers IP addresses on the same subnet and click the "share a subnet" box in the VPN client config. If you want the two LANs to be on different subnets, just assign the two routers IP addresses on different subnets and don't click that box. Either way, you should end up with a site-to-site connection. It sounds like you have the routers assigned IP addresses on different subnets (or identical addresses), and you want the VPN to "force" the client LAN onto the server LAN's subnet. This seems messy to me, and it could seriously confuse devices that are connected to the client LAN already. If I wanted to accomplish what I am assuming is your end desire, I would assign the server router an IP address of 192.168.0.1 and the client router an IP address of 192.168.0.2. Then I would select the "share a subnet" option and the site-to-site should be seamless.
Client Not Working
I have set up the server on my router and it has been working for quite some time. When I try to set up a client on the router (at the same time), I get an error ("invalid IP address" - even though the IP is correct). And it won't let me save the configuration. When I go back to the client setup screen, some of the fields have mysteriously changed. The port field is yellow and empty, and the encryption cipher changed back to "default". If I were to manually create the config file along with the keys and certificates (in the init script, for instance), how do I run the VPN service using this config file? Thanks for all the work!
I switched from roadkill's mod and am currently using the GUI to set up the server (tun, tcp). While it works well initially, after some time (2-3 days) the server stops responding and has to be restarted. I will try to set it up using scripts later on and see if anything changes.
It sounds like the GUI thinks that what you are entering isn't a valid IP address (saying nothing about it being the *right* IP - but that it isn't an IP address at all). Try changing the authentication to Static Key mode and see if the local or remote addresses are invalid (even though they aren't being used, they are checked for validity). It sounds like your NVRAM settings have been corrupted (the GUI shouldn't have been able to save any bad values).
/usr/sbin/openvpn --config <config file>
Interesting. There seems to be a couple of issues with the version of OpenVPN included in the last version of this mod (the keepalive restarts and this). It has been two months since 2.1rc15 came out, and I keep thinking that 2.1 final or 2.1rc16 should be out any minute, and that I'd just wait and use that instead of downgrading. However, I may need to just bite the bullet and do it. I don't remember hearing about these issues with previous versions. If it is possible, you should use UDP rather than TCP. It is much more efficient, and I don't think TCP gets as much attention from the OpenVPN developers. You *should* be able to use TCP, but whatever bug you're running into may be TCP-specific.
Hi, thanks for the info. Both devices are on the same subnet now, 192.168.10.254 for the remote server and 192.168.10.250.
Jan 19 23:07:59 ? daemon.notice openvpn[830]: VERIFY OK: depth=0, /C=BE/ST=WV/O=xxxxxxxxxxxxxxxxxxxxxt/Email=info@tokiogroup.com
Jan 19 23:08:02 ? daemon.notice openvpn[830]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Jan 19 23:08:02 ? daemon.notice openvpn[830]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jan 19 23:08:02 ? daemon.notice openvpn[830]: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Jan 19 23:08:02 ? daemon.notice openvpn[830]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jan 19 23:08:02 ? daemon.notice openvpn[830]: Control Channel: xxxxxxxxxxxxxxxxxxxxxxxxxxxxx, 1024 bit RSA
Jan 19 23:08:02 ? daemon.notice openvpn[830]: [xxxxxxxxxxxxxxxxx] Peer Connection Initiated with xxxxxxxx:1195
Jan 19 23:08:03 ? daemon.notice openvpn[830]: TUN/TAP device tap11 opened
Jan 19 23:08:03 ? daemon.notice openvpn[830]: Initialization Sequence Completed
However, I can't ping devices on the remote network (or access them). Am I missing something?
This is my ifconfig and route -n. I notice there is no tap11 under ifconfig. Thx for your time Sgt.
# ifconfig
br0       Link encap:Ethernet  HWaddr 00:22:6B:81:3E:87
          inet addr:192.168.2.250  Bcast:192.168.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:118758 errors:0 dropped:0 overruns:0 frame:0
          TX packets:115218 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:11118523 (10.6 MiB)  TX bytes:42857688 (40.8 MiB)

eth0      Link encap:Ethernet  HWaddr 00:22:6B:81:3E:87
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:226938 errors:1 dropped:0 overruns:1 frame:1
          TX packets:214844 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:60086619 (57.3 MiB)  TX bytes:30936798 (29.5 MiB)
          Interrupt:4 Base address:0x1000

eth1      Link encap:Ethernet  HWaddr 00:22:6B:81:3E:89
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:56213 errors:0 dropped:0 overruns:0 frame:16841
          TX packets:75920 errors:34 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:7451138 (7.1 MiB)  TX bytes:36924718 (35.2 MiB)
          Interrupt:2 Base address:0x5000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING MULTICAST  MTU:16436  Metric:1
          RX packets:67 errors:0 dropped:0 overruns:0 frame:0
          TX packets:67 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:15287 (14.9 KiB)  TX bytes:15287 (14.9 KiB)

vlan0     Link encap:Ethernet  HWaddr 00:22:6B:81:3E:87
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:62229 errors:0 dropped:0 overruns:0 frame:0
          TX packets:66517 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:4677533 (4.4 MiB)  TX bytes:14097751 (13.4 MiB)

vlan1     Link encap:Ethernet  HWaddr 00:22:6B:81:3E:88
          inet addr:78.20.191.39  Bcast:78.20.191.255  Mask:255.255.224.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:123126 errors:0 dropped:0 overruns:0 frame:0
          TX packets:107287 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:40160855 (38.2 MiB)  TX bytes:9860749 (9.4 MiB)

# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
78.20.160.0     0.0.0.0         255.255.224.0   U     0      0        0 vlan1
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         78.20.160.1     0.0.0.0         UG    0      0        0 vlan1
That is odd. Are you sure that the VPN is connected at the time you collected these? It shouldn't be able to connect without a tap/tun device, and if the device exists it should be listed under ifconfig...
Yeah, I thought so. Yes, the VPN is connected; anyhow, with the ifconfig line the device gets "up" and the VPN connection works.
I've upgraded my WRT54GS v1 to 1.23vpn2.0005 (then cleared NVRAM and made settings manually) with the same VPN configuration as 2.0004. And then it fails to log on remotely and just stands at "UDPv4 link remote: xxx.xxx.xxx.xxx" after I replug the power to reboot the router. But it works fine after clicking Reboot... in IE. Whether I replug power or click Reboot... in IE, VPN Tunneling in IE shows "Stop Now" normally. I've changed the scripts to "sleep 20" in IE but still the same condition. :frown:
Are you using the router as a client? Is the problem that it works after rebooting from the Tomato GUI, but not on a cold boot (unplugging/replugging power)? What do you have in your init script?
As an OpenVPN server. It doesn't work after a cold boot but works fine after rebooting from the Tomato GUI. The previous version, vpn2.0004, works fine with both a cold boot and a GUI reboot. My init script is copied from your readme file.
Could you try moving the
Code:
sleep 10
/tmp/vpnup.sh server1
to the WAN up script (and trying higher sleep values if needed)?
If you use TLS, then you should only see the Static Key field if you have chosen "Additional HMAC authentication (tls-auth)". If you do not know what that is, you should probably uncheck that box and not have anything in the Static Key field.
hey Sgt, i managed to get it working using an up script "ifconfig tap11 up" then both server and client create the bridge and i can connect to all devices behind both routers . Can you give me an easy setup to add a route to route all internet traffic over the correct wan? and if i enable dhcp servers on both devices will that give issues? Oh and where do i save my up script and route scripts so that they wont be deleted after reset
That's really strange. My code performs that command automatically... Internet traffic should already be going over the local WAN (it takes extra setup to make internet-bound traffic go over the tunnel - or is that what you meant by "correct" WAN?). I think you may need to do a little extra iptables work to block the DHCP requests from crossing the tunnel. I haven't done this myself, so you may have better luck just googling it. You could try adding a
Code:
up /tmp/up.sh
line to the Custom Configuration section and generate a /tmp/up.sh in your init script that will be called whenever the connection is made.
Yeah, it really needs the up script or my tap device won't get listed under ifconfig and the tunnel won't work. Anyway, I have both DHCP servers enabled and I will do some tests, but I think it will always accept the nearest DHCP server, thus setting the correct gateway. Because of this I don't need to change the route table, of course. When I run into a situation where a device gets an IP from the remote DHCP server, I will look into blocking DHCP from the remote server with iptables. Thanks for your help and nice mod.
It appears that devices behind the routers do get DHCP traffic from the other routers. And setting up some iptables rules seems to be a huge issue on this matter. I googled a bit but only found other people with the same issue. Apparently the only easy method is using ebtables, which has been removed from Tomato :x
Can you maybe specify how to configure the client (iptables) to make all internet-bound traffic pass through the server? Thanks and great job.
Again, that's a configuration I've never desired, so I can't give you steps with certainty. However, the (experimental) redirect-gateway directive appears to do all of the legwork for that. The OpenVPN Manual has some specifics, but a search or the OpenVPN how-to (same site) might give you a step-by-step tutorial.
Roadkill to this Mod
Hi, I posted this a couple weeks ago but never got a reply... Wanting to switch from Roadkill mod v1.19.1464 on my Buffalo WHR-G54s to the latest SgtPepper VPN with Web GUI build, as it seems this is being more actively developed. A couple questions before I do...
1. Is this straightforward? Do I need to do anything in particular before switching (clear NVRAM?)
2. Will all my router settings be carried over?
3. Will I need to reconfigure my VPN settings? I'm currently using static-key VPN with these scripts:
Firewall:
iptables -I INPUT 1 -p udp --dport 444 -j ACCEPT
WAN UP:
cd /tmp
openvpn --mktun --dev tap0
brctl addif br0 tap0
ifconfig tap0 0.0.0.0 promisc up
echo "
-----BEGIN OpenVPN Static key V1-----
<deleted for forum post>
-----END OpenVPN Static key V1-----
" > /tmp/static.key
sleep 5
ln -s /usr/sbin/openvpn /tmp/myvpn
/tmp/myvpn --dev tap0 --secret /tmp/static.key --comp-lzo --port 444 --cipher BF-CBC --proto udp --keepalive 10 300 --verb 3 --daemon
Client config:
dev tap0
secret static.key
proto udp
remote <my ip address> 444
keepalive 10 60
resolv-retry infinite
nobind
persist-key
persist-tun
cipher BF-CBC
comp-lzo
verb 3
float
It was so long ago I set it all up that I've forgotten what it all does! Thanks in advance for any help you can give... Ben
You probably should clear NVRAM after the update, but it is not strictly required. You run a chance of having bizarre and hard to diagnose problem if you don't (this seems to be true of all Tomato-based upgrades). You should be able to continue to use those same scripts if you'd like. Or, you can use the GUI, and it will do virtually the same thing for you.
If I clear NVRAM that will wipe ALL my router settings right? Hmmm... that's a lot of work restoring. Is there any point to backup the config, erase NVRAM, then restore settings... or does that defeat the point of clearing NVRAM? Thanks for your help... Ben
Yah, unfortunately, that does defeat the point. You can, however, try running without clearing NVRAM. It's just that if you start running into bizarre problems, it's the first thing you should try to fix it.
Well, I took the plunge without clearing NVRAM and all seems fine. A couple questions though:
1. I deleted the WAN UP script I had from the roadkill mod. I assume this is unnecessary now (it seems to work fine without). Correct?
2. My old firewall script "iptables -I INPUT 1 -p udp --dport 444 -j ACCEPT" - can I delete this also? Is it dynamically created?
3. How can I add the option (I presume to the client config, or can it be pushed?) to force ALL traffic from the client computer, including normal internet traffic, over the VPN?
4. How can I force DNS requests from the client computer to be sent to the Internal Caching DNS Forwarder of the Tomato router?
5. Finally, I'm seeing this in the router's logs every minute or so....
Jan 27 03:24:34 Tomato daemon.warn openvpn[521]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Jan 27 03:24:34 Tomato daemon.notice openvpn[521]: Static Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Jan 27 03:24:34 Tomato daemon.notice openvpn[521]: Static Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jan 27 03:24:34 Tomato daemon.notice openvpn[521]: Static Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Jan 27 03:24:34 Tomato daemon.notice openvpn[521]: Static Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jan 27 03:24:34 Tomato daemon.notice openvpn[521]: LZO compression initialized
Jan 27 03:24:34 Tomato daemon.notice openvpn[521]: TUN/TAP device tap21 opened
Jan 27 03:24:34 Tomato daemon.notice openvpn[521]: TUN/TAP TX queue length set to 100
Jan 27 03:24:34 Tomato daemon.notice openvpn[521]: Data Channel MTU parms [ L:1577 D:1450 EF:45 EB:135 ET:32 EL:0 AF:3/1 ]
Jan 27 03:24:34 Tomato daemon.notice openvpn[521]: Socket Buffers: R=[32767->65534] S=[32767->65534]
Jan 27 03:24:34 Tomato daemon.notice openvpn[521]: UDPv4 link local (bound): [undef]:444
Jan 27 03:24:34 Tomato daemon.notice openvpn[521]: UDPv4 link remote: [undef]
Jan 27 03:25:34 Tomato daemon.notice openvpn[521]: Inactivity timeout (--ping-restart), restarting
Jan 27 03:25:34 Tomato daemon.notice openvpn[521]: TCP/UDP: Closing socket
Jan 27 03:25:34 Tomato daemon.notice openvpn[521]: Closing TUN/TAP interface
Jan 27 03:25:34 Tomato daemon.notice openvpn[521]: SIGUSR1[soft,ping-restart] received, process restarting
Jan 27 03:25:34 Tomato daemon.notice openvpn[521]: Restart pause, 2 second(s)
Any idea what this means? Is it normal? Thanks, Ben
Glad to hear it :smile: Keep a NVRAM clear in mind, though, in case weird stuff starts to happen. If you are using the GUI, then yes, you shouldn't need anything in any of the scripts. See above. I think this was answered in the post immediately before your first in this exchange. In short, I've never done it, but you should look into the redirect-gateway OpenVPN directive for your Custom Config (or the client config, I'm not sure). Can't help you there. It may come along with the redirect-gateway, though. Once you're establishing a connection, there is nothing unique to the router setup. You may have more luck with these types of questions on the OpenVPN IRC channel. It is normal in that several people are seeing it, but not normal in that it should be happening. It seems to have shown up after I upgraded the firmware from OpenVPN 2.1rc13 to 2.1rc15. I keep meaning to make a new release downgrading it back to 2.1rc13, but just know that as soon as I do, 2.1rc16 will come out and fix it... On the plus side, it only seems to happen if the tunnel is inactive, and it reconnects automatically, so it should mostly go unnoticed aside from the log entries. I am sick at the moment, but if a new OpenVPN version doesn't come out soon, I will release a new version with a downgraded openvpn.
Super... thanks for all your helpful answers. It's a really nice mod. Hope you feel better soon. Regards, Ben
I found the answer to my own question on this page: http://manoftoday.wordpress.com/2006/12/03/openvpn-20-howto/
It suggests a way to push this from the server, which I haven't tried yet. I prefer to set it from the client so I can choose whether to do this or not on a case-by-case basis. I just created one OpenVPN client config with it, and one without. That way I can connect with all traffic over VPN, or not, by simply choosing the different config files. This is using this OpenVPN client: http://openvpn.se/
The key is to add this line to the client config:
redirect-gateway def1
I checked (well, as far as I can tell) and all traffic, and DNS, is being routed over the VPN when I have this line in the config. If you did want to push this to all clients from the server, you'd add this to the custom config on the server:
push "redirect-gateway def1"
Hope this helps. Let me know if I've got anything about this wrong. Ben
I went about it the same way you did: create 2 client config files. However, I'm using different commands, route-gateway x.x.x.x and redirect-gateway, x.x.x.x being the IP address of the router. I haven't tried redirect-gateway def1, but from the looks of it, it does the same thing...
My client config file:
client
dev tap
ifconfig 172.25.25.6 255.255.255.248
ca ca.crt
cert client1.crt
key client1.key
proto udp
route-gateway 172.25.25.1
remote x.x.x.x 60250
keepalive 10 60
resolv-retry infinite
nobind
persist-key
persist-tun
ns-cert-type server
cipher BF-CBC
comp-lzo
verb 3
float
redirect-gateway
You could run Wireshark to sniff the traffic and see where your DNS requests are going to...
There's an option to push DNS to clients, although from reading the description of what it does, I don't think it's necessary. When redirect-gateway is used, OpenVPN clients will route DNS queries through the VPN, and the VPN server will need to handle them.
push "dhcp-option DNS 10.8.0.1"
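The two posts above differ on "redirect-gateway" versus "redirect-gateway def1". The def1 flag does not delete the client's existing default route; it adds two half-routes (0.0.0.0/1 and 128.0.0.0/1) via the VPN gateway, which win over 0.0.0.0/0 by being more specific, plus a host route to the VPN server via the original gateway so the tunnel itself does not get routed into the tunnel. The following check is an added example, not code from either poster or from the mod: it parses "route -n" output and reports whether the redirect is in effect. The routing tables are constructed samples (VPN gateway 192.168.0.1, ISP gateway 10.0.0.1, VPN server placeholder 203.0.113.10).

```shell
#!/bin/sh
# Verify from a "route -n" listing that redirect-gateway def1 took effect.
# Both listings below are constructed samples, not captured from a router.

# Client routing table after connecting with "redirect-gateway def1".
ROUTES_AFTER='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.0.1     128.0.0.0       UG    0      0        0 tap0
128.0.0.0       192.168.0.1     128.0.0.0       UG    0      0        0 tap0
203.0.113.10    10.0.0.1        255.255.255.255 UGH   0      0        0 eth0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 tap0
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         10.0.0.1        0.0.0.0         UG    0      0        0 eth0'

# Same client before the tunnel is up: only the ISP default route.
ROUTES_BEFORE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         10.0.0.1        0.0.0.0         UG    0      0        0 eth0'

# has_route LISTING DEST GENMASK GATEWAY -> 0 when such a route line exists.
has_route() {
    printf '%s\n' "$1" | awk -v d="$2" -v m="$3" -v g="$4" \
        '$1 == d && $3 == m && $2 == g { found = 1 } END { exit found ? 0 : 1 }'
}

# redirected_via LISTING VPN_GW -> 0 when both def1 half-routes point at VPN_GW.
# Together 0.0.0.0/1 and 128.0.0.0/1 cover every destination, so all traffic
# not matched by a more specific route goes to the tunnel.
redirected_via() {
    has_route "$1" 0.0.0.0 128.0.0.0 "$2" && has_route "$1" 128.0.0.0 128.0.0.0 "$2"
}

# server_excluded LISTING SERVER_IP ISP_GW -> 0 when the host route keeping the
# VPN server reachable through the ISP gateway is present.
server_excluded() {
    has_route "$1" "$2" 255.255.255.255 "$3"
}

# default_iface LISTING -> prints the interface of the untouched 0.0.0.0/0 route.
default_iface() {
    printf '%s\n' "$1" | awk '$1 == "0.0.0.0" && $3 == "0.0.0.0" { print $8; exit }'
}

if redirected_via "$ROUTES_AFTER" 192.168.0.1; then
    echo "def1 half-routes present: all traffic leaves via the tunnel"
fi
if server_excluded "$ROUTES_AFTER" 203.0.113.10 10.0.0.1; then
    echo "VPN server is still reached directly via 10.0.0.1"
fi
echo "original default route remains on $(default_iface "$ROUTES_AFTER")"
```

On a real client, feed it `route -n` output with the VPN gateway from the ifconfig/route-gateway line of the client config; if the half-routes are missing while the tunnel is up, traffic is still leaving via the ISP.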
Anyone know how to add username/password authentication with the GUI version? I sort of read up on it at the OpenVPN website, but with the GUI, I'm not sure where to begin. I'm still a Linux noob.
If you're really a linux noob, you probably don't want to get into this. The basic instructions can be found here. You have to write your own script (on the router!) to decide if a username/password combination is legitimate or not. What security problem are you worried about?
Well, I leave my work laptop at work sometimes for night backups. I am allowed to have OpenVPN. I'm just worried some IT guy might snoop around and, with two clicks, he has access to my network. Just figured a password on top of the security key would help with that. Thanks
If you use TLS, one of the ways you can build client credentials is with "build-key-pass". This command creates an encrypted private key. Openvpn will ask you for a password each time it is run. This might solve part of your problem.
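The reply two posts up says you have to write your own script on the router to decide whether a username/password pair is legitimate. The script below is an added example of that step, not code from the mod or from anyone in the thread. It targets OpenVPN's auth-user-pass-verify directive in via-file mode, where OpenVPN hands the script a temporary file with the username on line 1 and the password on line 2 and treats exit status 0 as acceptance. The directive lines in the comment, the /tmp/checkpw.sh path, the users file location and the "alice" account are assumptions constructed for the demo; the users file stores salted SHA-256 hashes so the router never holds cleartext passwords.

```shell
#!/bin/sh
# auth-user-pass-verify script (via-file mode). Assumed server config lines:
#   script-security 2
#   auth-user-pass-verify /tmp/checkpw.sh via-file
# Users file format, one entry per line: name:salt:sha256hex(salt + password)

CRED_DB="${CRED_DB:-$(mktemp)}"      # demo location; on the router use a file your init script writes

# SHA-256 hex digest of stdin; falls back to shasum where sha256sum is absent.
sha256_hex() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum | cut -d' ' -f1
    else
        shasum -a 256 | cut -d' ' -f1
    fi
}

# add_user NAME PASSWORD: append an entry with a fresh random salt.
add_user() {
    salt=$(head -c 8 /dev/urandom | od -An -tx1 | tr -d ' \n')
    hash=$(printf '%s%s' "$salt" "$2" | sha256_hex)
    printf '%s:%s:%s\n' "$1" "$salt" "$hash" >> "$CRED_DB"
}

# verify_user NAME PASSWORD -> 0 on match, 1 on unknown user or wrong password.
verify_user() {
    case "$1" in ""|*[!A-Za-z0-9_.-]*) return 1 ;; esac   # reject odd user names outright
    entry=$(awk -F: -v u="$1" '$1 == u { print; exit }' "$CRED_DB")
    [ -z "$entry" ] && return 1
    salt=$(printf '%s' "$entry" | cut -d: -f2)
    stored=$(printf '%s' "$entry" | cut -d: -f3)
    given=$(printf '%s%s' "$salt" "$2" | sha256_hex)
    [ "$given" = "$stored" ]
}

# verify_file PATH: the via-file entry point; PATH is the temp file OpenVPN writes.
verify_file() {
    user=$(sed -n 1p "$1")
    pass=$(sed -n 2p "$1")
    verify_user "$user" "$pass"
}

# Demo with a constructed account and a constructed via-file, not real data.
add_user alice 'correct horse battery staple'
TMPF=$(mktemp)
printf 'alice\ncorrect horse battery staple\n' > "$TMPF"
if verify_file "$TMPF"; then echo "alice: accepted"; else echo "alice: rejected"; fi
```

When installed as the real script, the demo lines at the bottom are replaced by a single `verify_file "$1"` so the function's exit status becomes the script's; the accept/reject decision then shows up in the OpenVPN log as the usual AUTH_FAILED or a completed handshake. Note that the script's directory must be writable by your init script only, since anything that can edit it can authenticate anyone.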
SgtPepperKSU since roadkill is not interested to develop his version of mods can u integrate all the features together with your mods maybe as another line of firmware mods especially if your webui vpn mod based on Victeks modified firmware it will be one hell of a superb combo for sure
My VPN server failed to connect again after PPPoE to WAN reconnected, even if I moved the entire INIT script to the WAN Up script. :frown: VPN tunneling in the GUI displays "Stop Now" normally, and there was no such problem with the previous vpn2.0004. Cold reboot or reboot in the Tomato GUI is OK.
How about this: Put the normal script back in the INIT script, but in the WAN UP script put
Code:
sleep 20
service vpnclient1 restart
(replace vpnclient1 as appropriate, and try different sleep values if it doesn't work). This will kill the running vpn instance upon WAN up and start it fresh.
I made a stupid mistake :redface: that I got a wrong dport number in firewall. Now everything is OK except for why cold reboot or reboot in GUI is OK previously. Anyway, THX a lot.
It seems that I've found the explanation for the whole strange phenomenon with my WRT54GS v1. That is, reboot in GUI or starting vpnserver in the WAN Up script on a cold reboot will bypass the Firewall script, and reconnecting PPPoE to WAN will dismiss this bypass. This bypass can be observed in the iptables chains as follows:
Code:
Chain FORWARD (policy DROP)
target     prot opt source               destination
...
ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0
That is why reboot in GUI or starting vpnserver in the WAN Up script on a cold reboot is OK even with a wrong dport number in the Firewall script. And after reconnecting PPPoE, the wrong dport number prevents me from remote VPN logon. Now I've put the vpnserver starting command line in the Init script, and then avoid reboot in GUI as far as possible.
Thanks! Finally and Vegas AND OpenVPN Mod combined! The ND version is also a bonus. Keep up the work, very, very nice!
VPN on this build has stopped working for me, as the server doesn't seem to be giving DHCP addresses to the client, so it is often stuck using "automatic private address". Is DHCP something I need to manually push? I'm using this in the init script:
Code:
sleep 20
service vpnserver1 start
## Start VPN init script
#Generate vpnup.sh
echo "#!/bin/sh
killall -0 vpn\$1 2> /dev/null
if [ \$? != 0 ]
then
logger \"\$0: Starting vpn\$1\"
service vpn\$1 start
else
logger \"\$0: vpn\$1 already running: \$(pidof vpn\$1)\"
fi
" > /tmp/vpnup.sh
# Make vpnup.sh executable
chmod +x /tmp/vpnup.sh
# Schedule vpnup.sh to run every 30 minutes
cru a CheckVPNServer "*/30 * * * * /tmp/vpnup.sh server1"
# Wait 10 seconds and run vpnup.sh once
sleep 10
/tmp/vpnup.sh server1
## End VPN init script
This as the client config:
Code:
dev tap
proto udp
remote <myusername>.dyndns.org 444
resolv-retry infinite
nobind
persist-key
persist-tun
secret static.key
comp-lzo
verb 3
float
and these settings in the VPN tunneling config: TAP, UDP, Port 444, Static key, Default encryption, Adaptive compression.
I'm also using this hack for access to modem bridges in the Firewall script:
Code:
iptables -I POSTROUTING -t nat -o vlan1 -d 192.168.1.0/30 -j MASQUERADE
ip addr add 192.168.1.2/30 dev vlan1 brd +
Any ideas? Thanks...
Could you log into the router with ssh/telnet while the tunnel is running, and post the contents of /etc/openvpn/server1.ovpn?
I'm back at home now, and when I initiate the tunnel from within my local network, it seems I do get a DHCP address properly. I guess this situation probably doesn't help you much, but here are the server1.ovpn contents when in this state:

Code:
# cat /etc/openvpn/server1.ovpn
# Automatically generated configuration
daemon
proto udp
port 444
dev tap21
comp-lzo adaptive
keepalive 15 60
verb 3
secret server1-static.key
status-version 2
status server1.status
So, when you are connecting from within your network, you end up with two IP DHCP addresses (one for your ethernet/wireless device, one for the tunnel device), but when you connect from outside of your network, you don't have any (your ethernet/wireless device of course keeps its original address, and the tunnel device can't get one). Is that correct? I've used the same setup before and gotten an IP address fine. Have you tried it without your modem bridges "hack"?
It seems that

Code:
service vpnserver1 start

is not necessary in the Init script, because

Code:
/tmp/vpnup.sh server1

has the same function.
Please replace the Firewall script as follows and try it again.

Code:
iptables -I INPUT 1 -p udp --dport 444 -j ACCEPT

I've encountered a similar problem to yours when I tried to define a client IP in my client config file. Maybe it will also fail in the Firewall script. There are some config samples in the following thread http://www.linksysinfo.org/forums/showthread.php?t=53233 and I removed the client IP definition line, like

Code:
ifconfig 192.168.0.102 255.255.255.0
Yes, exactly. Me too, it worked before.... I'll try playing around with taking various stuff out, including the hack, and get back to you...
Good news, it's working again. Seems you do have to have this entered manually in the firewall config:

Code:
iptables -I INPUT 1 -p udp --dport 444 -j ACCEPT

Also, I seem to have the "force all traffic + DNS over the vpn" hack working better, using this in the client config, instead of just the second line:

Code:
route-gateway 192.168.0.1
redirect-gateway def1

...which seems to have the added benefit of now allowing the hack for access to modem bridges to work remotely over the VPN as well! Fingers crossed it stays this way ... Thanks for your help
So did you replace your "hack" with this, or is it in addition to it? Without either, does the DHCP not work or just not accessing your modem bridges? Perhaps I'm showing my ignorance, but I just don't know what port 444 is being used for here. If it is needed to allow DHCP to work across the tunnel, then I need to add it as an option. Yah, I guess I only looked into doing that for TLS, which the firmware-generated server config automatically pushes out the "route-gateway" to all the clients. Out of curiosity, when you say it is working "better", what changed by adding the first line (ie what didn't work right without it)? Glad to hear everything is working for you :smile:
I wasn't very clear. I'm using Port 444 instead of the standard 1194 for OpenVPN, for whatever reason. So it's just a standard line to open the VPN port. As for the force-hack working better - well, before (using only the redirect-gateway command) I could never get the modem-bridge hack to work remotely, whereas now it does. I'm sorry my testing isn't being very scientific, as there are many variables involved. It's hard to test from one state to another as I'm never sure if I need to fully reboot the router to effect a change in e.g. the firewall script etc. Also when playing with the OpenVPN force-hack, it seems some remnants of a session get left over and you need to close your browser, repair the connection (flush DNS caches etc), if you want to try it properly in the new state... I always seem to end up changing multiple variables at once.
This is the log with both the route-gateway and redirect-gateway commands:

Code:
Tue Feb 03 19:49:47 2009 OpenVPN 2.1_rc7 Win32-MinGW [SSL] [LZO2] [PKCS11] built on Jan 29 2008
Tue Feb 03 19:49:47 2009 Static Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Feb 03 19:49:47 2009 Static Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Feb 03 19:49:47 2009 Static Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Feb 03 19:49:47 2009 Static Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Feb 03 19:49:47 2009 LZO compression initialized
Tue Feb 03 19:49:48 2009 TAP-WIN32 device [OpenVPN] opened: \\.\Global\{3122330E-EDEE-4609-B387-A4F6E33F8BF5}.tap
Tue Feb 03 19:49:48 2009 TAP-Win32 Driver Version 9.4
Tue Feb 03 19:49:48 2009 TAP-Win32 MTU=1500
Tue Feb 03 19:49:48 2009 Successful ARP Flush on interface [2] {3122330E-EDEE-4609-B387-A4F6E33F8BF5}
Tue Feb 03 19:49:48 2009 Data Channel MTU parms [ L:1577 D:1450 EF:45 EB:135 ET:32 EL:0 AF:3/1 ]
Tue Feb 03 19:49:48 2009 Local Options hash (VER=V4): '83c3b015'
Tue Feb 03 19:49:48 2009 Expected Remote Options hash (VER=V4): '83c3b015'
Tue Feb 03 19:49:48 2009 Socket Buffers: R=[8192->8192] S=[8192->8192]
Tue Feb 03 19:49:48 2009 UDPv4 link local: [undef]
Tue Feb 03 19:49:48 2009 UDPv4 link remote: <mypublicipaddress>:444
Tue Feb 03 19:49:58 2009 Peer Connection Initiated with <mypublicipaddress>:444
Tue Feb 03 19:50:04 2009 TEST ROUTES: 1/1 succeeded len=0 ret=1 a=0 u/d=up
Tue Feb 03 19:50:04 2009 route ADD <mypublicipaddress> MASK 255.255.255.255 10.11.55.1
Tue Feb 03 19:50:04 2009 Route addition via IPAPI succeeded [adaptive]
Tue Feb 03 19:50:04 2009 route ADD 0.0.0.0 MASK 128.0.0.0 192.168.0.1
Tue Feb 03 19:50:04 2009 Route addition via IPAPI succeeded [adaptive]
Tue Feb 03 19:50:04 2009 route ADD 128.0.0.0 MASK 128.0.0.0 192.168.0.1
Tue Feb 03 19:50:04 2009 Route addition via IPAPI succeeded [adaptive]
Tue Feb 03 19:50:04 2009 Initialization Sequence Completed
And this is with just the redirect-gateway command:

Code:
Tue Feb 03 20:00:44 2009 OpenVPN 2.1_rc7 Win32-MinGW [SSL] [LZO2] [PKCS11] built on Jan 29 2008
Tue Feb 03 20:00:44 2009 Static Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Feb 03 20:00:44 2009 Static Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Feb 03 20:00:44 2009 Static Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Feb 03 20:00:44 2009 Static Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Feb 03 20:00:44 2009 LZO compression initialized
Tue Feb 03 20:00:44 2009 TAP-WIN32 device [OpenVPN] opened: \\.\Global\{3122330E-EDEE-4609-B387-A4F6E33F8BF5}.tap
Tue Feb 03 20:00:44 2009 TAP-Win32 Driver Version 9.4
Tue Feb 03 20:00:44 2009 TAP-Win32 MTU=1500
Tue Feb 03 20:00:44 2009 Successful ARP Flush on interface [2] {3122330E-EDEE-4609-B387-A4F6E33F8BF5}
Tue Feb 03 20:00:44 2009 Data Channel MTU parms [ L:1577 D:1450 EF:45 EB:135 ET:32 EL:0 AF:3/1 ]
Tue Feb 03 20:00:44 2009 Local Options hash (VER=V4): '83c3b015'
Tue Feb 03 20:00:44 2009 Expected Remote Options hash (VER=V4): '83c3b015'
Tue Feb 03 20:00:44 2009 Socket Buffers: R=[8192->8192] S=[8192->8192]
Tue Feb 03 20:00:44 2009 UDPv4 link local: [undef]
Tue Feb 03 20:00:44 2009 UDPv4 link remote: <mypublicipaddress>:444
Tue Feb 03 20:00:54 2009 Peer Connection Initiated with <mypublicipaddress>:444
Tue Feb 03 20:01:00 2009 TEST ROUTES: 0/0 succeeded len=0 ret=1 a=0 u/d=up
Tue Feb 03 20:01:00 2009 NOTE: unable to redirect default gateway -- VPN gateway parameter (--route-gateway or --ifconfig) is missing
Tue Feb 03 20:01:00 2009 Initialization Sequence Completed

Note the error in the second last line.... ...though frankly this is all starting to get a bit above me
No, you were fine. I should have noticed you were using port 444 for the VPN from your config. Now, that iptables command should be automatically added without having to put anything in the firewall script. If you're having to add it manually, there is a bug. Could you post the result of

Code:
iptables -L

with the server running both with and without the line in the firewall script? (or at least post what the differences, however small, there are)? And, also could you post the contents of /etc/openvpn/server1-fw.sh (with the server running)? Thanks!
The problem I have is that remotely I can only use my Win XP laptop, and I don't know how to ssh into the router and/or execute these commands via a terminal in XP. At home I have a Mac OS X desktop and know how to ssh in and use the terminal, but vpn'ing only across my home LAN isn't going to give you an accurate answer I think...
SgtPepper... I VPN'd remotely with the XP laptop over a cell connection and then ssh'd into the router with the Mac. The "iptables -L" output was quite long but I could not tell any difference at all between using the two-line client config hack and the one-line hack. It's a bit too long to post here so I will PM the two logs to you. Regarding the output of /etc/openvpn/server1-fw.sh, it was also the same with both setups, and also with no force-hack lines in the client config:

Code:
iptables -I INPUT -p udp --dport 444 -j ACCEPT
iptables -A INPUT -i tap21 -j ACCEPT
iptables -A FORWARD -i tap21 -j ACCEPT

I then removed the (manual) firewall script line:

Code:
iptables -I INPUT 1 -p udp --dport 444 -j ACCEPT

rebooted the router, vpned in with the two line setup, which again resulted in me not getting a DHCP address for the OpenVPN client, only an "automatic private address" of 169.254.58.189.... and the /etc/openvpn/server1-fw.sh output was the same. However when I ran iptables -L again, there was a difference, this line was missing from the "CHAIN input":

Code:
ACCEPT udp -- anywhere anywhere udp dpt:snpp

I hope this all means something to you! Regards, Ben
Yes, it means that either a) server1-fw.sh isn't being run or b) the rule isn't taking when it is run. That line that was different should have been there either way. Sorry to run you through so many hoops, but could you try (with the line removed from the firewall script) running /etc/openvpn/server1-fw.sh after the server is started (but before a client connects) via telnet/ssh. And, btw, telnet is built in to Windows (run from the command line) and PuTTY is a good free Windows ssh client you can download.
No need to be sorry, your help is much appreciated. I just hope there's not some weird setting I have somewhere that's causing this and wasting your time... (Not sure if you remember but it was me who didn't flash the NVRAM when I upgraded from roadkill mod, I hope it's nothing to do with that). I ran it as you suggested above, it's the same output as before... I'd forgotten about telnet in XP, thanks.... and maybe will re-install PuTTY, I had it on before...
Wow, so you ran /etc/openvpn/server1.ovpn (with the server running), and a subsequent iptables -L didn't show that line? Very strange. What if you run

Code:
iptables -I INPUT -p udp --dport 444 -j ACCEPT

directly?
Is this related to what I posted in #368 & #369? I found

Code:
iptables -I INPUT 1 -p udp --dport ???? -j ACCEPT

essential for me too if I put the vpnserver start command in the Init script. Otherwise an error occurred.

Code:
Wed Feb 04 20:11:35 2009 UDPv4 link remote: *.*.*.*:????
Wed Feb 04 20:11:35 2009 MANAGEMENT: >STATE:1233749495,WAIT,,,
Wed Feb 04 20:12:36 2009 [UNDEF] Inactivity timeout (--ping-restart), restarting

If I reboot in the GUI, or put it in the WAN Up script and then cold reboot,

Code:
Chain FORWARD (policy DROP)
target prot opt source destination
. . .
ACCEPT 0 -- 0.0.0.0/0 0.0.0.0/0

the last line will be automatically added in the iptables chains (observed via telnet/ssh); that seems to be the automatic iptables command you mentioned. And it will disappear automatically when PPPoE to WAN is reconnected, or when I put the vpnserver start command back into the Init script and then cold reboot. And also I found the automatic iptables command will bypass the other iptables commands entered manually in the Firewall script. That should be the reason why a reboot in the GUI, or starting vpnserver in the Init script after a cold reboot, is OK on my router even if I got a wrong dport number in the Firewall script, and why Occamsrazor found the force-hack working better after

Code:
iptables -I INPUT 1 -p udp --dport 444 -j ACCEPT

was added manually. So it should work too (except for the force-hack working better) if he reboots in the GUI, or puts the vpnserver start command in the WAN Up script and then cold reboots, even with the above iptables command removed from the Firewall script. I've encountered a similar problem to Occamsrazor's when I tried a sample of "Configuring client-specific rules and access policies" in the HOWTO. These access policies will be invalid when rebooting in the GUI or starting vpnserver in the WAN Up script within a cold reboot, and furthermore, the router will Respond To ICMP Ping from my vpnclient in router mode even if it is unchecked in Advanced>Firewall of the GUI.
Now I have to put vpnserver start command in Init script, and then avoid reboot in GUI as far as possible. In one word, the automatic iptables command seems to be available only when reboot in GUI or start vpnserver in WAN Up script within cold reboot, and seems to bypass the Firewall script and the other Firewall setting in GUI.
I just read quinezhu's post... I should add that as per his earlier advice I'd removed the "start vpnserver ...." command from the init script - this was the case for all my above testing after post #376. My init script for all that testing reads:

Code:
sleep 10
## Start VPN init script
#Generate vpnup.sh
echo "#!/bin/sh
killall -0 vpn\$1 2> /dev/null
if [ \$? != 0 ]
then
logger \"\$0: Starting vpn\$1\"
service vpn\$1 start
else
logger \"\$0: vpn\$1 already running: \$(pidof vpn\$1)\"
fi
" > /tmp/vpnup.sh
# Make vpnup.sh executable
chmod +x /tmp/vpnup.sh
# Schedule vpnup.sh to run every 30 minutes
cru a CheckVPNServer "*/30 * * * * /tmp/vpnup.sh server1"
# Wait 10 seconds and run vpnup.sh once
sleep 10
/tmp/vpnup.sh server1
## End VPN init script

Hmm... I might have to check that again (can't do right now, will have to wait until later), when I said in post #386 that the output was again the same, I meant the output of "/etc/openvpn/server1-fw.sh", not "iptables -L". Although it seems that quinezhu understands this all better than me and may be of more help to you....
Yes, that command should be necessary as a nearly identical one (it leaves out the "1", but that is the default value when none is given) is run every time a server is started. Further, any time the firewall script is run, it should reapply it. Obviously, there is something wrong. That would be one of them. Three rules are added each time (and can be seen in /etc/openvpn/server1-fw.sh). Could you try putting that command in WAN up instead (just the start command, if you are generating a script, that part needs to be done in init). I think that is a better place for it, and may fix things. Could you expound on that a little? What do you mean by bypassing the other commands? Could you try running

Code:
nvram set vpn_debug="1"
nvram commit

Then trying the different scenarios that you've described (both that work properly and those that need the extra iptables command)? Could you check the router logs after each and see if you find any "Running firewall script:" VPN debug messages? Obviously, there is a problem in getting the proper firewall rules in place automatically, but I'm not sure where the problem is.
Yeah, I found them, and these three rules seem not to work when the vpnserver start command is in the Init script within a cold reboot.

Code:
#!/bin/sh
iptables -I INPUT -p udp --dport ???? -j ACCEPT
iptables -A INPUT -i tun21 -j ACCEPT
iptables -A FORWARD -i tun21 -j ACCEPT

and furthermore, how do I get the last two lines removed? They should be the reason why my own Firewall script is bypassed on my router. I only moved the following lines to the WAN Up script, and then did the test in post #388.

Code:
# Wait 10 seconds and run vpnup.sh once
sleep 10
/tmp/vpnup.sh server1

Sorry, English is not my mother tongue so I don't know how to make a clear explanation of it. :redface: Bypass means the command lines entered manually in the Firewall script don't apply, and an unchecked "Respond To ICMP" in Advanced>Firewall of the GUI doesn't apply either. My vpnclients in router mode can access my private network without any access policies. As long as I put the vpnserver start command in the Init script and avoid rebooting in the GUI, both my own Firewall script and the unchecked "Respond To ICMP" work fine.
What were the results? Did it fix the problem (aside from the access restrictions, see below)? Oh, I see now. I have those rules specifically to give access to the network for the VPN clients. It didn't occur to me that someone would want to do differently. I guess I can make those lines an option in the next release. Yes.
Yes, vpnclient can logon remotely, and it works too after a reboot in the GUI, aside from my own access restrictions. Looking forward to it. And is it possible to make those lines apply too when the vpnserver start command is in the Init script within a cold reboot, or when PPPoE to WAN is reconnected? thx. and then run the following to restore it after the test?

Code:
nvram set vpn_debug="0"
nvram commit
Okay, I know what is going on. Thanks for your help tracking it down. Once I make a change to make those last two lines optional, you will want to put the start command (actually, you should use the vpnup script, instead) in the WAN Up script, and it will work as you want. Yes, that would undo it, but I don't think you need to do any more testing. The problem was that I didn't understand at first what you were saying didn't work. Once I got that, I realized there were two "problems":

1) Starting the VPN server in the init script was troublesome because it happened before the router's firewall stuff is run. The fix for this is for people to start the server in the WAN Up script (after the router's firewall initialization). This also means the vpnup.sh script in the README is more appropriate. (occamsrazor, this should fix your problem)

2) I didn't account for the fact that people might want to set up themselves the firewall rules that allow the tunnel access to the LAN. I will add an option to set this up manually.
I see. And I don't know why reconnecting PPPoE to WAN in GUI seems to make the default three firewall rules in server1-fw.sh invalid too even if I've moved vpnserver start command (only this command) into the WAN Up script, just like starting the VPN server in the Init script.
In that case, could you set that debug flag, try your reconnect, and check the router log for debug messages?
My router log after a cold reboot and then reconnecting PPPoE to WAN with the debug flag set:

Code:
Feb 5 23:14:17 unknown user.notice root: /tmp/vpnup.sh: Starting vpnserver1
Feb 5 23:14:18 unknown user.info kernel: Universal TUN/TAP device driver 1.5 (C)1999-2002 Maxim Krasnyansky
Feb 5 23:14:19 unknown user.info kernel: device tun21 entered promiscuous mode
Feb 5 23:14:20 unknown daemon.notice openvpn[471]: OpenVPN 2.1_rc15 mipsel-unknown-linux-gnu [SSL] [LZO2] built on Dec 14 2008
Feb 5 23:14:20 unknown daemon.warn openvpn[471]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Feb 5 23:14:21 unknown daemon.notice openvpn[471]: Diffie-Hellman initialized with 1024 bit key
Feb 5 23:14:21 unknown daemon.notice openvpn[471]: TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Feb 5 23:14:21 unknown daemon.notice openvpn[471]: TUN/TAP device tun21 opened
Feb 5 23:14:21 unknown daemon.notice openvpn[471]: TUN/TAP TX queue length set to 100
Feb 5 23:14:21 unknown daemon.notice openvpn[471]: /sbin/ifconfig tun21 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
Feb 5 23:14:21 unknown daemon.notice openvpn[471]: /sbin/route add -net 10.8.1.0 netmask 255.255.255.0 gw 10.8.0.2
Feb 5 23:14:21 unknown daemon.notice openvpn[471]: /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2
Feb 5 23:14:21 unknown daemon.notice openvpn[471]: Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Feb 5 23:14:21 unknown daemon.notice openvpn[478]: Socket Buffers: R=[65535->131070] S=[65535->131070]
Feb 5 23:14:21 unknown daemon.notice openvpn[478]: UDPv4 link local (bound): [undef]:3329
Feb 5 23:14:21 unknown daemon.notice openvpn[478]: UDPv4 link remote: [undef]
Feb 5 23:14:21 unknown daemon.notice openvpn[478]: MULTI: multi_init called, r=256 v=256
Feb 5 23:14:21 unknown daemon.notice openvpn[478]: IFCONFIG POOL: base=10.8.0.4 size=62
Feb 5 23:14:21 unknown daemon.notice openvpn[478]: IFCONFIG POOL LIST
Feb 5 23:14:21 unknown daemon.notice openvpn[478]: Initialization Sequence Completed
Feb 5 23:14:48 unknown cron.err crond[130]: time disparity of 20564112 minutes detected
Feb 5 23:16:24 unknown daemon.info dnsmasq[177]: exiting on receipt of SIGTERM
Feb 5 23:16:24 unknown daemon.notice pppoe[167]: Disconnected.
Feb 5 23:16:24 unknown daemon.notice pppoe[167]: Connect time 2.6 minutes.
Feb 5 23:16:24 unknown daemon.notice pppoe[167]: Sent 2547495 bytes, received 149626 bytes.
Feb 5 23:16:26 unknown daemon.info dnsmasq[547]: started, version 2.46 cachesize 150
Feb 5 23:16:26 unknown daemon.info dnsmasq[547]: compile time options: no-IPv6 GNU-getopt no-RTC no-DBus no-I18N no-TFTP
Feb 5 23:16:26 unknown daemon.info dnsmasq[547]: DHCP, IP range 192.168.9.7 -- 192.168.9.15, lease time 1d
Feb 5 23:16:26 unknown daemon.warn dnsmasq[547]: no servers found in /etc/resolv.dnsmasq, will retry
Feb 5 23:16:26 unknown daemon.info dnsmasq[547]: read /etc/hosts - 0 addresses
Feb 5 23:16:26 unknown daemon.info dnsmasq[547]: read /etc/hosts.dnsmasq - 7 addresses
Feb 5 23:16:32 unknown daemon.info dnsmasq[547]: exiting on receipt of SIGTERM
Feb 5 23:16:32 unknown daemon.info dnsmasq[554]: started, version 2.46 cachesize 150
Feb 5 23:16:32 unknown daemon.info dnsmasq[554]: compile time options: no-IPv6 GNU-getopt no-RTC no-DBus no-I18N no-TFTP
Feb 5 23:16:32 unknown daemon.info dnsmasq[554]: DHCP, IP range 192.168.9.7 -- 192.168.9.15, lease time 1d
Feb 5 23:16:32 unknown daemon.warn dnsmasq[554]: no servers found in /etc/resolv.dnsmasq, will retry
Feb 5 23:16:32 unknown daemon.info dnsmasq[554]: read /etc/hosts - 0 addresses
Feb 5 23:16:32 unknown daemon.info dnsmasq[554]: read /etc/hosts.dnsmasq - 7 addresses
Feb 5 23:16:32 unknown user.info redial[556]: Started. Time: 30
Feb 5 23:16:35 unknown daemon.notice pppoe[557]: Connected.
Feb 5 23:16:35 unknown daemon.notice pppoe[557]: IP Address: *.*.*.*
Feb 5 23:16:35 unknown daemon.notice pppoe[557]: DNS Address: 202.109.15.135, 202.96.209.6
Feb 5 23:16:35 unknown daemon.info dnsmasq[554]: exiting on receipt of SIGTERM
Feb 5 23:16:35 unknown daemon.info dnsmasq[565]: started, version 2.46 cachesize 150
Feb 5 23:16:35 unknown daemon.info dnsmasq[565]: compile time options: no-IPv6 GNU-getopt no-RTC no-DBus no-I18N no-TFTP
Feb 5 23:16:35 unknown daemon.info dnsmasq[565]: DHCP, IP range 192.168.9.7 -- 192.168.9.15, lease time 1d
Feb 5 23:16:35 unknown daemon.info dnsmasq[565]: reading /etc/resolv.dnsmasq
Feb 5 23:16:35 unknown daemon.info dnsmasq[565]: using nameserver 208.67.220.220#53
Feb 5 23:16:35 unknown daemon.info dnsmasq[565]: using nameserver 208.67.222.222#53
Feb 5 23:16:35 unknown daemon.info dnsmasq[565]: read /etc/hosts - 0 addresses
Feb 5 23:16:35 unknown daemon.info dnsmasq[565]: read /etc/hosts.dnsmasq - 7 addresses
Feb 5 23:16:39 unknown user.info ip-up[562]: VPN DEBUG: 595: Running firewall script:
Feb 5 23:16:39 unknown user.info ip-up[562]: VPN DEBUG: 596: server1-fw.sh
Feb 5 23:16:57 unknown user.notice root: /tmp/vpnup.sh: vpnserver1 already running: 478

After the cold reboot the default firewall rules in server1-fw.sh were in place:

Code:
:/root # iptables -L -n
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:????
DROP 0 -- 0.0.0.0/0 *.*.*.*
DROP 0 -- 0.0.0.0/0 0.0.0.0/0 state INVALID
ACCEPT 0 -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT 0 -- 0.0.0.0/0 0.0.0.0/0
ACCEPT 0 -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 192.168.9.1 tcp dpt:22
ACCEPT 0 -- 0.0.0.0/0 0.0.0.0/0
. . .
Chain FORWARD (policy DROP)
target prot opt source destination
. . .
ACCEPT 0 -- 0.0.0.0/0 0.0.0.0/0

But after PPPoE to WAN was reconnected, they disappeared.
Very odd, as it clearly shows that the server1-fw.sh file is being run upon reconnect. And, at that point (when the rules are not in place), if you run /etc/openvpn/server1-fw.sh manually, those rules don't show back up? What about if you run the iptables commands manually?

Code:
iptables -I INPUT -p udp --dport ???? -j ACCEPT
iptables -A INPUT -i tun21 -j ACCEPT
iptables -A FORWARD -i tun21 -j ACCEPT

Of course, replacing your port number.
After I run /etc/openvpn/server1-fw.sh manually or run the iptables commands manually, those rules show back up. But they will still be killed if I reconnect PPPoE to WAN in GUI again. :frown: Maybe sleep command line is needed before server1-fw.sh loaded automatically during reconnecting PPPoE to WAN.
Okay, then it seems the server1-fw.sh script isn't actually being run when the debug statements show that it is at least attempting to run it. As I was typing that I took another look at the code, and I think I see why it's not actually being run. I will correct it in the next release. Sorry for the trouble.
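As an added example (not code from this thread or from the Tomato OpenVPN mod), here is a POSIX sh audit for the situation debugged above: it checks `iptables -L -n -v` output for the three rules server1-fw.sh installs, runs here against two constructed samples (rules present after a cold start, rules gone after a PPPoE reconnect), and prints a least-privilege alternative for a routed (tun) server whose clients should reach only the LAN. Port 444, tap21/tun21 and 192.168.9.0/24 are assumed values taken from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Tomato OpenVPN mod.
# Audits `iptables -L -n -v` output for the three rules that server1-fw.sh
# installs. "-v" is needed because plain `iptables -L` hides the in-interface
# (which is why the tap21 rules looked like bare "ACCEPT 0 -- 0.0.0.0/0
# 0.0.0.0/0" lines in the thread) and "-n" stops port 444 being shown as
# "dpt:snpp". Port 444, tap21/tun21 and 192.168.9.0/24 are assumed values.

# has_rule CHAIN TARGET PROT IN_IFACE [DPORT]  (reads iptables -L -n -v on stdin)
# Exit 0 if a matching rule exists. PROT "all" also matches the "0" that older
# iptables builds print for "any protocol".
has_rule() {
    awk -v c="$1" -v t="$2" -v pr="$3" -v i="$4" -v dp="$5" '
        /^Chain / { chain = $2; next }
        chain == c && $3 == t && $6 == i && ($4 == pr || (pr == "all" && $4 == "0")) {
            if (dp == "" || $NF == "dpt:" dp) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# audit_vpn_rules PORT IFACE  (reads iptables -L -n -v on stdin)
# Prints one "missing: ..." line per absent rule; exit 0 only if all three exist.
audit_vpn_rules() {
    rules=$(cat); rc=0
    printf '%s\n' "$rules" | has_rule INPUT ACCEPT udp '*' "$1" \
        || { echo "missing: INPUT -p udp --dport $1 -j ACCEPT"; rc=1; }
    printf '%s\n' "$rules" | has_rule INPUT ACCEPT all "$2" \
        || { echo "missing: INPUT -i $2 -j ACCEPT"; rc=1; }
    printf '%s\n' "$rules" | has_rule FORWARD ACCEPT all "$2" \
        || { echo "missing: FORWARD -i $2 -j ACCEPT"; rc=1; }
    return $rc
}

# Least-privilege replacement for the two blanket "-i tun21 -j ACCEPT" rules,
# for a routed (tun) server whose clients should reach only the LAN: the
# router itself only answers established flows from the tunnel (so an
# unchecked "Respond To ICMP" is honoured) and forwarding is limited to LAN_NET.
# Add explicit ACCEPT lines for any router service (e.g. DNS) clients must use.
restricted_vpn_rules() {   # restricted_vpn_rules PORT IFACE LAN_NET -> prints commands
    cat <<EOF
iptables -I INPUT -p udp --dport $1 -j ACCEPT
iptables -A INPUT -i $2 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i $2 -j DROP
iptables -A FORWARD -i $2 -d $3 -j ACCEPT
iptables -A FORWARD -i $2 -j DROP
EOF
}

# Constructed sample: chains right after `service vpnserver1 start` (all present).
SAMPLE_OK='Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   12  3456 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:444
    0     0 DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
  900 81000 ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    3   180 ACCEPT     tcp  --  br0    *       0.0.0.0/0            192.168.9.1         tcp dpt:22
    0     0 ACCEPT     0    --  tap21  *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  500 40000 ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     0    --  tap21  *       0.0.0.0/0            0.0.0.0/0'

# Constructed sample: the same router after a PPPoE reconnect rebuilt the
# chains without re-running server1-fw.sh; all three VPN rules are gone.
SAMPLE_AFTER_RECONNECT='Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
  900 81000 ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    3   180 ACCEPT     tcp  --  br0    *       0.0.0.0/0            192.168.9.1         tcp dpt:22

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  500 40000 ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED'

# Stand-alone run: on the router, replace the sample with `iptables -L -n -v`.
if ! printf '%s\n' "$SAMPLE_AFTER_RECONNECT" | audit_vpn_rules 444 tap21; then
    echo "VPN firewall rules lost; re-run /etc/openvpn/server1-fw.sh from the WAN Up script"
fi
```

On the router the same audit can be run from the cru job alongside vpnup.sh, so a reconnect that silently drops the rules is logged instead of discovered when the next remote logon fails.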