Openvpn on Openwrt

How to customize and extend your OpenVPN installation.
Post Reply
Maverick923
OpenVpn Newbie
Posts: 1
Joined: Sun Sep 26, 2010 10:33 am

Openvpn on Openwrt

Post by Maverick923 » Sun Sep 26, 2010 10:36 am

I have a paid provider that I want to configure openvpn on the openwrt gargoyle buid.

The provider has given me a username and password along with a ca.cert.
openvpn seems connect when I use openvpn /etc/openvpn/openvpn.conf, but I would never know. because when I go to myipaddress.com, I can see my isp address.
I think I am having a routing issue. I have been searching for a way to get this going, but it seems that I am the only
one who wants my router to connect to a vpn provider. This worked in Windows. I really need help with this. Please some help me out.

Here are my files that I have created or modified

Code: Select all

client
dev tun
proto udp
remote 67.228.228.186 1194
keepalive 10 60
resolv-retry infinite
;persist-key
;persist-tun
ca /etc/easy-rsa/keys/ca.crt
auth-user-pass auth.cfg
;mute 20
comp-lzo
pull
verb 3
firewall.user

Code: Select all

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

#!/bin/sh
# Copyright (C) 2006 OpenWrt.org
 
iptables -F input_rule
iptables -F output_rule
iptables -F forwarding_rule
iptables -t nat -F prerouting_rule
iptables -t nat -F postrouting_rule
 
# The following chains are for traffic directed at the IP of the 
# WAN interface
 
iptables -F input_wan
iptables -F forwarding_wan
iptables -t nat -F prerouting_wan
 
### Open port to WAN
## -- This allows port 22 to be answered by (dropbear on) the router
iptables -t nat -A prerouting_wan -p tcp --dport 22 -j ACCEPT 
iptables        -A input_wan      -p tcp --dport 22 -j ACCEPT
## -- OpenVPN 1194
## -- This allows port 1194 to be answered by (OpenVPN on) the router
iptables -t nat -A prerouting_wan -p udp --dport 1194 -j ACCEPT
iptables        -A input_wan      -p udp --dport 1194 -j ACCEPT
 
### Port forwarding
## -- This forwards port 8080 on the WAN to port 80 on 192.168.1.2
# iptables -t nat -A prerouting_wan -p tcp --dport 8080 -j DNAT --to 192.168.1.2:80
# iptables        -A forwarding_wan -p tcp --dport 80 -d 192.168.1.2 -j ACCEPT
 
### DMZ
## -- Connections to ports not handled above will be forwarded to 192.168.1.2
# iptables -t nat -A prerouting_wan -j DNAT --to 192.168.1.2
# iptables        -A forwarding_wan -d 192.168.1.2 -j ACCEPT
 
### OpenVPN
## -- Routing between the tun and br0 interfaces is allowed
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A FORWARD -i br0 -o tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -o br0 -j ACCEPT
Here is my network

Code: Select all

config 'interface' 'loopback'
	option 'ifname' 'lo'
	option 'proto' 'static'
	option 'ipaddr' '127.0.0.1'
	option 'netmask' '255.0.0.0'

config 'interface' 'lan'
	option 'ifname' 'eth0'
	option 'type' 'bridge'
	option 'proto' 'static'
	option 'netmask' '255.255.255.0'
	option 'dns' '192.168.2.1'
	option 'ipaddr' '192.168.2.1'

config 'interface' 'wan'
	option 'ifname' 'eth1'
	option 'proto' 'dhcp'
	option 'mtu' '1400'

config 'switch'
	option 'name' 'rtl8366s'
	option 'reset' '1'
	option 'enable_vlan' '1'

config 'switch_vlan'
	option 'device' 'rtl8366s'
	option 'vlan' '1'
	option 'ports' '0 1 2 3 5'

config 'interface' 'vpn'
	option 'ifname' 'tun0'
	option 'proto' 'dhcp'
	option 'ipaddr' '10.10.0.0'
	option 'netmask' '255.255.255.0'
	option 'dns' '192.168.1.1'

config 'interface' 'tap'
	option 'ifname' 'tap0'
	option 'type' 'bridge'
	option 'proto' 'dhcp'
	option 'netmask' '255.255.255.0'
	option 'dns' '192.168.2.1'
	option 'ipaddr' '192.168.2.1'
My firewall

Code: Select all

config 'defaults'
	option 'syn_flood' '1'
	option 'input' 'ACCEPT'
	option 'output' 'ACCEPT'
	option 'forward' 'REJECT'

config 'zone'
	option 'name' 'lan'
	option 'input' 'ACCEPT'
	option 'output' 'ACCEPT'
	option 'forward' 'REJECT'

config 'zone'
	option 'name' 'wan'
	option 'input' 'REJECT'
	option 'output' 'ACCEPT'
	option 'forward' 'REJECT'
	option 'masq' '1'
	option 'mtu_fix' '1'

config 'forwarding'
	option 'src' 'lan'
	option 'dest' 'wan'

config 'rule'
	option 'src' 'wan'
	option 'proto' 'udp'
	option 'dest_port' '68'
	option 'target' 'ACCEPT'

config 'rule'
	option 'src' 'wan'
	option 'proto' 'icmp'
	option 'icmp_type' 'echo-request'
	option 'target' 'ACCEPT'

config 'include'
	option 'path' '/etc/firewall.user'

config 'include'
	option 'path' '/usr/lib/gargoyle_firewall_util/gargoyle_additions.firewall'
config zone
  	option name vpn
  	option input ACCEPT
  	option output ACCEPT
  	option forward REJECT
  	# if you use masquerading:
  	option masq 1

config forwarding
       option src lan
  	option dest vpn
This is what happens when I run openvpn

Code: Select all

root@Gargoyle:/etc/openvpn# openvpn /etc/openvpn/openvpn.conf
Sun Sep 26 15:50:56 2010 OpenVPN 2.1.1 mips-openwrt-linux [SSL] [LZO2] built on Aug  4 2010
Sun Sep 26 15:50:56 2010 WARNING: file 'auth.cfg' is group or others accessible
Sun Sep 26 15:50:56 2010 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Sun Sep 26 15:50:56 2010 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Sun Sep 26 15:50:56 2010 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Sun Sep 26 15:50:56 2010 LZO compression initialized
Sun Sep 26 15:50:56 2010 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Sun Sep 26 15:50:56 2010 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Sun Sep 26 15:50:56 2010 Local Options hash (VER=V4): '41690919'
Sun Sep 26 15:50:56 2010 Expected Remote Options hash (VER=V4): '530fdded'
Sun Sep 26 15:50:56 2010 Socket Buffers: R=[114688->131072] S=[114688->131072]
Sun Sep 26 15:50:56 2010 UDPv4 link local (bound): [undef]:1194
Sun Sep 26 15:50:56 2010 UDPv4 link remote: 67.228.228.186:1194
Sun Sep 26 15:50:56 2010 TLS: Initial packet from 67.228.228.186:1194, sid=6dcf370a 1ba02f33
Sun Sep 26 15:50:56 2010 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sun Sep 26 15:50:57 2010 VERIFY OK: depth=1, /C=NZ/ST=WLG/L=LowerHutt/O=yes_VPN/CN=yesvpn.net/name=yes_VPN/emailAddress=support_yesvpn.net
Sun Sep 26 15:50:57 2010 VERIFY OK: depth=0, /C=NZ/ST=WLG/L=LowerHutt/O=yes_VPN/CN=us1.yesvpn.net/name=yes_VPN_US1/emailAddress=support@yesvpn.net
Sun Sep 26 15:50:57 2010 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sun Sep 26 15:50:57 2010 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Sep 26 15:50:57 2010 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sun Sep 26 15:50:57 2010 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Sep 26 15:50:57 2010 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Sun Sep 26 15:50:57 2010 [us1.yesvpn.net] Peer Connection Initiated with 67.228.228.186:1194
Sun Sep 26 15:51:00 2010 SENT CONTROL [us1.yesvpn.net]: 'PUSH_REQUEST' (status=1)
Sun Sep 26 15:51:00 2010 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DOMAIN lan,dhcp-option DNS 8.8.8.8,route 10.10.0.0 255.255.255.0,topology net30,ping 10,ping-restart 60,ifconfig 10.10.0.14 10.10.0.13'
Sun Sep 26 15:51:00 2010 OPTIONS IMPORT: timers and/or timeouts modified
Sun Sep 26 15:51:00 2010 OPTIONS IMPORT: --ifconfig/up options modified
Sun Sep 26 15:51:00 2010 OPTIONS IMPORT: route options modified
Sun Sep 26 15:51:00 2010 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sun Sep 26 15:51:00 2010 TUN/TAP device tun0 opened
Sun Sep 26 15:51:00 2010 TUN/TAP TX queue length set to 100
Sun Sep 26 15:51:00 2010 /sbin/ifconfig tun0 10.10.0.14 pointopoint 10.10.0.13 mtu 1500
Sun Sep 26 15:51:00 2010 /sbin/route add -net 67.228.228.186 netmask 255.255.255.255 gw 192.168.1.1
Sun Sep 26 15:51:00 2010 /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.10.0.13
Sun Sep 26 15:51:00 2010 /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.10.0.13
Sun Sep 26 15:51:00 2010 /sbin/route add -net 10.10.0.0 netmask 255.255.255.0 gw 10.10.0.13
Sun Sep 26 15:51:00 2010 Initialization Sequence Completed
When I run route and ifconfig

Code: Select all

/etc/openvpn$ route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
67.228.228.186  192.168.1.1     255.255.255.255 UGH   0      0        0 eth1
192.168.2.0     *               255.255.255.0   U     0      0        0 br-lan
192.168.1.0     *               255.255.255.0   U     0      0        0 eth1
default         192.168.1.1     0.0.0.0         UG    0      0        0 eth1

/etc/openvpn$ route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
67.228.228.186  192.168.1.1     255.255.255.255 UGH   0      0        0 eth1
192.168.2.0     *               255.255.255.0   U     0      0        0 br-lan
192.168.1.0     *               255.255.255.0   U     0      0        0 eth1
default         192.168.1.1     0.0.0.0         UG    0      0        0 eth1
/etc/openvpn$ ifconfig
br-lan    Link encap:Ethernet  HWaddr 00:18:E7:F0:68:97  
          inet addr:192.168.2.1  Bcast:192.168.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:762 errors:0 dropped:0 overruns:0 frame:0
          TX packets:777 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:95636 (93.3 KiB)  TX bytes:98294 (95.9 KiB)

eth0      Link encap:Ethernet  HWaddr 00:18:E7:F0:68:99  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:769 errors:0 dropped:0 overruns:0 frame:0
          TX packets:778 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:107630 (105.1 KiB)  TX bytes:99337 (97.0 KiB)
          Interrupt:4 

eth1      Link encap:Ethernet  HWaddr 00:18:E7:F0:68:9A  
          inet addr:192.168.1.197  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1400  Metric:1
          RX packets:624 errors:0 dropped:0 overruns:0 frame:0
          TX packets:355 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:88831 (86.7 KiB)  TX bytes:35083 (34.2 KiB)
          Interrupt:5 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:66 errors:0 dropped:0 overruns:0 frame:0
          TX packets:66 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:5236 (5.1 KiB)  TX bytes:5236 (5.1 KiB)

mon.wlan0 Link encap:UNSPEC  HWaddr 00-18-E7-F0-68-97-00-00-00-00-00-00-00-00-00-00  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:39 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

wlan0     Link encap:Ethernet  HWaddr 00:18:E7:F0:68:97  
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:151 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:34388 (33.5 KiB)
Please help!!!

User avatar
krzee
Forum Team
Posts: 729
Joined: Fri Aug 29, 2008 5:42 pm

Re: Openvpn on Openwrt

Post by krzee » Tue Oct 05, 2010 1:22 am

it's real hard to help people with their vpn provider's setup. you should get help from them.
ps, try without filtering stuff on the firewall

Post Reply