Tomato Firmware OpenVPN Client (PIA) and Server Simultaneously, Firewall Issues and Wrong Certificate

kevroy314
OpenVpn Newbie
Posts: 7
Joined: Sat Feb 04, 2017 8:54 pm

Tomato Firmware OpenVPN Client (PIA) and Server Simultaneously, Firewall Issues and Wrong Certificate

Post by kevroy314 » Tue Apr 11, 2017 6:45 pm

Hello!

I've been working on getting an OpenVPN Client (via PIA) and Server set up on my Tomato Firmware with some firewall rules to allow certain domains/IPs to bypass the VPNs. The Client works great (as do the firewall rules), and the server worked up until I set up the firewall. The rules are meant to allow my Chromecasts and certain domains (such as Netflix and Plex) to bypass the client VPN. Both the client and server worked together up until I made the firewall changes to make Netflix/Plex work, so I'm pretty sure that's where the issue is. I didn't write the rules, but I put them together from a variety of sources (the main one linked in the script).

The problem appears to be that somehow the PIA certificate is ending up in the chain for the server. Below is the log file from a client attempting to connect, followed by the firewall rules (both have some IPs redacted):

Client Log

OpenVPN Client google release 2.15.21 (1021521)
OpenVPN 2.4.0 android-armeabi [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Mar 25 2017
library versions: OpenSSL 1.0.2k  26 Jan 2017, LZO 2.09
TCP/UDP: Preserving recently used remote address: [AF_INET]ser.ver.add.res:1194
Socket Buffers: R=[163840->163840] S=[163840->163840]
UDPv4 link local (bound): [AF_INET][undef]:1194
UDPv4 link remote: [AF_INET]ser.ver.add.res:1194
TLS: Initial packet from [AF_INET]ser.ver.add.res:1194, sid=709f4f19 a19c8367
VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: C=US, ST=OH, L=Columbus, O=Private Internet Access, CN=Private Internet Access CA, emailAddress=secure@privateinternetaccess.com
OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
TLS_ERROR: BIO read tls_read_plaintext error
TLS Error: TLS object -> incoming plaintext read error
TLS Error: TLS handshake failed
SIGUSR1[soft,tls-error] received, process restarting
Restart pause, 5 second(s)
TCP/UDP: Preserving recently used remote address: [AF_INET]ser.ver.add.res:1194
Socket Buffers: R=[163840->163840] S=[163840->163840]
UDPv4 link local (bound): [AF_INET][undef]:1194
UDPv4 link remote: [AF_INET]ser.ver.add.res:1194
TLS: Initial packet from [AF_INET]ser.ver.add.res:1194, sid=d0134e8d 88356341
VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: C=US, ST=OH, L=Columbus, O=Private Internet Access, CN=Private Internet Access CA, emailAddress=secure@privateinternetaccess.com
OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
TLS_ERROR: BIO read tls_read_plaintext error
TLS Error: TLS object -> incoming plaintext read error
TLS Error: TLS handshake failed
SIGUSR1[soft,tls-error] received, process restarting
Restart pause, 5 second(s)
SIGINT[soft,init_instance] received, process exiting

Firewall Rules

# http://www.linksysinfo.org/index.php?threads/routing-traffic-between-regular-isp-and-two-vpn-connections.72248/
# Put this in the Firewall portion of the script section in Administration

#!/bin/sh
set -x # uncomment/comment to enable/disable debug mode

(
TID="200"
FW_MARK="0x88"
IPSET="myipset"

# cleanup from prior execution
(
# stop split tunnel
ip rule del fwmark $FW_MARK table $TID

# delete firewall rules
iptables -t mangle -F

# delete ipset hash table
ipset -F $IPSET
ipset -X $IPSET

# delete alternate routing table
ip route flush table $TID

# force routing system to recognize our changes
ip route flush cache

# enable reverse path filtering
for i in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $i; done

sleep 3
) > /dev/null 2>&1

# quit if neither OpenVPN client is active
! ip route show | egrep -qm1 'tun1[1-2]' && exit

# copy main routing table (exclude all default gateway routes)
ip route show | egrep -v '^default|^0.0.0.0/1|^128.0.0.0/1' \
  | while read route; do
  ip route add $route table $TID
  done

# add WAN as default gateway
ip route add default via $(nvram get wan_gateway) table $TID

# force routing system to recognize our changes
ip route flush cache

# disable reverse path filtering
for i in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 0 > $i; done

# load required netfilter modules
(modprobe xt_set || modprobe ipt_set) 2> /dev/null

# create ipset hash table
insmod ip_set_hash_ip
ipset -N $IPSET iphash -q
ipset -F $IPSET

# add firewall rule
iptables -t mangle -A PREROUTING -p tcp -m multiport --sport 3000,8085,32400 -j MARK --set-mark $FW_MARK
iptables -t mangle -A PREROUTING -m set --match-set $IPSET dst -j MARK --set-mark $FW_MARK

# OUTPUT for Admin page of router (Set port for your setting)
# iptables -t mangle -A OUTPUT -p tcp -m multiport --sport 80 -j MARK --set-mark $FW_MARK

# start split tunnel
ip rule add fwmark $FW_MARK table $TID

) 2>&1 | logger -t "ovpn_split[$$]"

iptables -t mangle -I PREROUTING -i br0 -s 192.168.2.8 -j MARK --set-mark 1
iptables -t mangle -I PREROUTING -i br0 -s 192.168.2.9 -j MARK --set-mark 1
iptables -t mangle -I PREROUTING -i br0 -s 192.168.2.10 -j MARK --set-mark 1
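The log above is diagnostic on its own: the phone refused a chain whose CA is PIA's, which means the endpoint that answered the handshake is not the home server at all. The following added example (not from the original post or from Tomato/OpenVPN) parses VERIFY ERROR lines in this log format and compares the presented CA's CN against the CN the home server's CA is expected to have; the expected CN and the sample log lines are constructed for the example.

```python
"""Added example: spot an OpenVPN client TLS failure caused by the wrong peer
answering, rather than by a broken server certificate.  The sample log below
is constructed in the format of the post's client log (address redacted)."""
import re
from typing import Dict, List, Optional

SAMPLE_LOG = """\
TLS: Initial packet from [AF_INET]ser.ver.add.res:1194, sid=709f4f19 a19c8367
VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: C=US, ST=OH, L=Columbus, O=Private Internet Access, CN=Private Internet Access CA, emailAddress=secure@privateinternetaccess.com
OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
TLS Error: TLS handshake failed
"""

# depth, OpenSSL reason text, then the subject DN of the offending certificate
VERIFY_RE = re.compile(r"^VERIFY ERROR: depth=(\d+), error=(.*?): (.*)$")


def parse_dn(dn: str) -> Dict[str, str]:
    """Split 'C=US, ST=OH, CN=Foo' into {attr: value}. Assumes values contain
    no ', ' themselves, which holds for the DNs OpenVPN prints in this log."""
    fields: Dict[str, str] = {}
    for part in dn.split(", "):
        key, _, value = part.partition("=")
        if key and value:
            fields[key.strip()] = value.strip()
    return fields


def verify_errors(log: str) -> List[dict]:
    """One record per VERIFY ERROR line: chain depth, reason, parsed subject."""
    records = []
    for line in log.splitlines():
        m = VERIFY_RE.match(line)
        if m:
            records.append({"depth": int(m.group(1)),
                            "error": m.group(2),
                            "dn": parse_dn(m.group(3))})
    return records


def unexpected_ca(log: str, expected_cn: str) -> Optional[str]:
    """Return the CN of a CA in the failing chain that is not our own CA, or
    None.  A foreign CA means the handshake was answered by a different
    endpoint (here: the PIA tunnel), so the fix is routing, not certificates."""
    for rec in verify_errors(log):
        cn = rec["dn"].get("CN")
        if cn and cn != expected_cn:
            return cn
    return None


if __name__ == "__main__":
    # "Home Router CA" is a hypothetical CN standing in for the Tomato server's CA.
    print(unexpected_ca(SAMPLE_LOG, "Home Router CA"))
```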

kevroy314

Re: Tomato Firmware OpenVPN Client (PIA) and Server Simultaneously, Firewall Issues and Wrong Certificate

Post by kevroy314 » Tue Apr 11, 2017 6:54 pm

I've narrowed it down to what appears to be a big part of the problem. When the PIA client is on, the remote client (my phone) doesn't get the proper server IP. It's being automatically rerouted to PIA's servers. I think if I can get it to look at the proper IP, I might be in the right direction. The DNS lookup shows the right IP, so it has to do with how it's being routed I guess.

kevroy314

Re: Tomato Firmware OpenVPN Client (PIA) and Server Simultaneously, Firewall Issues and Wrong Certificate

Post by kevroy314 » Tue Apr 11, 2017 7:06 pm

Fixed the wrong IP issue by changing the settings in the client:

Not route the local network
and
Allow recursive routing

are now disabled.

Now the behavior is just that, when the PIA client is enabled, the phone client just hangs when trying to connect. When the PIA client is disabled, it connects fine.

So the question is, how do I make it so I can simultaneously run the client and server on the Tomato router and still get access to the server remotely?
