Connecting to OpenVPN on DD-WRT from a Windows client

Scripts to manage certificates or generate config files

Fractalogic
OpenVpn Newbie
Posts: 6
Joined: Sat Jan 19, 2019 3:14 pm

Post by Fractalogic » Sun Jan 20, 2019 3:19 pm

Hi everyone!

I have been trying to set up an OpenVPN server on my DD-WRT router for several months, on and off. I would read a number of tutorials and forum posts, try a few things and then give up, discouraged by the complexity of it all. My intention was to access my home LAN from a remote location over the Internet in a secure way.

I finally made it work yesterday! :D

So I thought I would share some of my findings here. Hopefully it can be useful to others.

Easy RSA Certificates and Keys
I installed OpenVPN 2.4.6 on my main PC at home. I used the following Easy RSA scripts/commands that are included with OpenVPN. In order of execution...

init-config
vars
clean-all
build-ca
build-key client1
build-key-server server
build-dh

I currently have the following files in the keys folder. You will find this folder in C:\Program Files\OpenVPN\easy-rsa

01.pem
02.pem
ca.crt
ca.key
client1.crt
client1.csr
client1.key
dh2048.pem
index.txt
index.txt.attr
serial
server.crt
server.csr
server.key

Server Configuration
Since I wanted OpenVPN on my router to function as my VPN server, I used its web GUI to set the following options under Services - VPN.
OpenVPN: Enable
Start Type: WAN up
Config as: Server
Server mode: Bridge (TAP)
DHCP-Proxy mode: Enable
Port: 1194
Tunnel Protocol: UDP
Encryption Cipher: AES-128 CBC
Hash Algorithm: SHA1
Advanced Options: Enable
TLS Cipher: None
LZO Compression: Adaptive
Redirect default Gateway: Disable
Allow Client to Client: Enable
Allow duplicate cn: Disable
Tunnel MTU setting: 1500
Tunnel UDP Fragment: _blank_
Tunnel UDP MSS-Fix: Disable
CCD-Dir DEFAULT file: _blank_
Client connect script: _blank_
Static Key: _blank_
PKCS12 Key: _blank_
Public Server Cert: cert from server.crt
CA Cert: cert from ca.crt
Private Server Key: key from server.key
DH PEM: dh key from dh2048.pem
Additional Config: _blank_
TLS Auth Key: _blank_
Certificate Revoke List: _blank_

Note!
I did not do any manual port forwarding or make any special routing rules. Your router should do this for you, as long as you select Server as the mode of operation for OpenVPN. You will only have the "Daemon" option if your DD-WRT version is too old. In that case you would have to do all of this manually.

Client Configuration
I installed OpenVPN 2.4.6 on my laptop PC, without Easy RSA (since I already generated certificates and keys).

I copied the ca.crt, ca.key, client1.crt and client1.key files from the main PC to the laptop PC using a USB drive. I copied these files to the config folder.

I then created a blank client.ovpn file on the laptop and entered the following lines in it.

client
dev tap
proto udp
remote MY.IP.GOES.HERE 1194 udp
nobind
persist-key
persist-tun
verb 4
float
ca ca.crt
cert client1.crt
key client1.key
comp-lzo yes
tun-mtu 1500
auth SHA1
cipher AES-128-CBC

Connection Problems
When I tried to connect to the server from a remote location, the icon in OpenVPN GUI would turn yellow and I would get a number of messages in the "OpenVPN Connection (client)" status window. The main problem appeared to be related to TLS. I also got a warning about MITM attacks.

I have stripped out the IP number, but here is the rest of the log.
Sat Jan 19 15:43:49 2019 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Jan 19 15:43:49 2019 TLS Error: TLS handshake failed
Sat Jan 19 15:43:49 2019 TCP/UDP: Closing socket
Sat Jan 19 15:43:49 2019 SIGUSR1[soft,tls-error] received, process restarting
Sat Jan 19 15:43:49 2019 MANAGEMENT: >STATE:1547909029,RECONNECTING,tls-error,,,,,
Sat Jan 19 15:43:49 2019 Restart pause, 10 second(s)
Sat Jan 19 15:43:59 2019 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Sat Jan 19 15:43:59 2019 Re-using SSL/TLS context
Sat Jan 19 15:43:59 2019 LZO compression initializing
Sat Jan 19 15:43:59 2019 Control Channel MTU parms [ L:1654 D:1212 EF:38 EB:0 ET:0 EL:3 ]
Sat Jan 19 15:43:59 2019 Data Channel MTU parms [ L:1654 D:1450 EF:122 EB:411 ET:32 EL:3 ]
Sat Jan 19 15:43:59 2019 Local Options String (VER=V4): 'V4,dev-type tap,link-mtu 1590,tun-mtu 1532,proto UDPv4,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Sat Jan 19 15:43:59 2019 Expected Remote Options String (VER=V4): 'V4,dev-type tap,link-mtu 1590,tun-mtu 1532,proto UDPv4,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Sat Jan 19 15:43:59 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]MY.IP.GOES.HERE
Sat Jan 19 15:43:59 2019 Socket Buffers: R=[65536->65536] S=[65536->65536]
Sat Jan 19 15:43:59 2019 UDP link local: (not bound)
Sat Jan 19 15:43:59 2019 UDP link remote: [AF_INET]MY.IP.GOES.HERE
Sat Jan 19 15:43:59 2019 MANAGEMENT: >STATE:1547909039,WAIT,,,,,,
Sat Jan 19 15:44:59 2019 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Jan 19 15:44:59 2019 TLS Error: TLS handshake failed
Sat Jan 19 15:44:59 2019 TCP/UDP: Closing socket
Sat Jan 19 15:44:59 2019 SIGUSR1[soft,tls-error] received, process restarting
Sat Jan 19 15:44:59 2019 MANAGEMENT: >STATE:1547909099,RECONNECTING,tls-error,,,,,
Sat Jan 19 15:44:59 2019 Restart pause, 20 second(s)
Sat Jan 19 15:45:19 2019 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Sat Jan 19 15:45:19 2019 Re-using SSL/TLS context
Sat Jan 19 15:45:19 2019 LZO compression initializing
Sat Jan 19 15:45:19 2019 Control Channel MTU parms [ L:1654 D:1212 EF:38 EB:0 ET:0 EL:3 ]
Sat Jan 19 15:45:19 2019 Data Channel MTU parms [ L:1654 D:1450 EF:122 EB:411 ET:32 EL:3 ]
Sat Jan 19 15:45:19 2019 Local Options String (VER=V4): 'V4,dev-type tap,link-mtu 1590,tun-mtu 1532,proto UDPv4,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Sat Jan 19 15:45:19 2019 Expected Remote Options String (VER=V4): 'V4,dev-type tap,link-mtu 1590,tun-mtu 1532,proto UDPv4,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Sat Jan 19 15:45:19 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]MY.IP.GOES.HERE
Sat Jan 19 15:45:19 2019 Socket Buffers: R=[65536->65536] S=[65536->65536]
Sat Jan 19 15:45:19 2019 UDP link local: (not bound)
Sat Jan 19 15:45:19 2019 UDP link remote: [AF_INET]MY.IP.GOES.HERE
Sat Jan 19 15:45:19 2019 MANAGEMENT: >STATE:1547909119,WAIT,,,,,,
Sat Jan 19 15:46:19 2019 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Jan 19 15:46:19 2019 TLS Error: TLS handshake failed
Sat Jan 19 15:46:19 2019 TCP/UDP: Closing socket
Sat Jan 19 15:46:19 2019 SIGUSR1[soft,tls-error] received, process restarting
Sat Jan 19 15:46:19 2019 MANAGEMENT: >STATE:1547909179,RECONNECTING,tls-error,,,,,
Sat Jan 19 15:46:19 2019 Restart pause, 40 second(s)
Sat Jan 19 15:46:59 2019 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Sat Jan 19 15:46:59 2019 Re-using SSL/TLS context
Sat Jan 19 15:46:59 2019 LZO compression initializing
Sat Jan 19 15:46:59 2019 Control Channel MTU parms [ L:1654 D:1212 EF:38 EB:0 ET:0 EL:3 ]
Sat Jan 19 15:46:59 2019 Data Channel MTU parms [ L:1654 D:1450 EF:122 EB:411 ET:32 EL:3 ]
Sat Jan 19 15:46:59 2019 Local Options String (VER=V4): 'V4,dev-type tap,link-mtu 1590,tun-mtu 1532,proto UDPv4,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Sat Jan 19 15:46:59 2019 Expected Remote Options String (VER=V4): 'V4,dev-type tap,link-mtu 1590,tun-mtu 1532,proto UDPv4,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Sat Jan 19 15:46:59 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]MY.IP.GOES.HERE
Sat Jan 19 15:46:59 2019 Socket Buffers: R=[65536->65536] S=[65536->65536]
Sat Jan 19 15:46:59 2019 UDP link local: (not bound)
Sat Jan 19 15:46:59 2019 UDP link remote: [AF_INET]MY.IP.GOES.HERE
Sat Jan 19 15:46:59 2019 MANAGEMENT: >STATE:1547909219,WAIT,,,,,,
Sat Jan 19 15:47:59 2019 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Jan 19 15:47:59 2019 TLS Error: TLS handshake failed
Sat Jan 19 15:47:59 2019 TCP/UDP: Closing socket
Sat Jan 19 15:47:59 2019 SIGUSR1[soft,tls-error] received, process restarting
Sat Jan 19 15:47:59 2019 MANAGEMENT: >STATE:1547909279,RECONNECTING,tls-error,,,,,
Sat Jan 19 15:47:59 2019 Restart pause, 80 second(s)
Sat Jan 19 15:49:19 2019 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Sat Jan 19 15:49:19 2019 Re-using SSL/TLS context
Sat Jan 19 15:49:19 2019 LZO compression initializing
Sat Jan 19 15:49:19 2019 Control Channel MTU parms [ L:1654 D:1212 EF:38 EB:0 ET:0 EL:3 ]
Sat Jan 19 15:49:19 2019 Data Channel MTU parms [ L:1654 D:1450 EF:122 EB:411 ET:32 EL:3 ]
Sat Jan 19 15:49:19 2019 Local Options String (VER=V4): 'V4,dev-type tap,link-mtu 1590,tun-mtu 1532,proto UDPv4,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Sat Jan 19 15:49:19 2019 Expected Remote Options String (VER=V4): 'V4,dev-type tap,link-mtu 1590,tun-mtu 1532,proto UDPv4,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Sat Jan 19 15:49:19 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]MY.IP.GOES.HERE
Sat Jan 19 15:49:19 2019 Socket Buffers: R=[65536->65536] S=[65536->65536]
Sat Jan 19 15:49:19 2019 UDP link local: (not bound)
Sat Jan 19 15:49:19 2019 UDP link remote: [AF_INET]MY.IP.GOES.HERE
Sat Jan 19 15:49:19 2019 MANAGEMENT: >STATE:1547909359,WAIT,,,,,,
Sat Jan 19 15:50:19 2019 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Jan 19 15:50:19 2019 TLS Error: TLS handshake failed
Sat Jan 19 15:50:19 2019 TCP/UDP: Closing socket
Sat Jan 19 15:50:19 2019 SIGUSR1[soft,tls-error] received, process restarting
Sat Jan 19 15:50:19 2019 MANAGEMENT: >STATE:1547909419,RECONNECTING,tls-error,,,,,
Sat Jan 19 15:50:19 2019 Restart pause, 160 second(s)
Sat Jan 19 15:52:59 2019 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Sat Jan 19 15:52:59 2019 Re-using SSL/TLS context
Sat Jan 19 15:52:59 2019 LZO compression initializing
Sat Jan 19 15:52:59 2019 Control Channel MTU parms [ L:1654 D:1212 EF:38 EB:0 ET:0 EL:3 ]
Sat Jan 19 15:52:59 2019 Data Channel MTU parms [ L:1654 D:1450 EF:122 EB:411 ET:32 EL:3 ]
Sat Jan 19 15:52:59 2019 Local Options String (VER=V4): 'V4,dev-type tap,link-mtu 1590,tun-mtu 1532,proto UDPv4,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Sat Jan 19 15:52:59 2019 Expected Remote Options String (VER=V4): 'V4,dev-type tap,link-mtu 1590,tun-mtu 1532,proto UDPv4,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Sat Jan 19 15:52:59 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]MY.IP.GOES.HERE
Sat Jan 19 15:52:59 2019 Socket Buffers: R=[65536->65536] S=[65536->65536]
Sat Jan 19 15:52:59 2019 UDP link local: (not bound)
Sat Jan 19 15:52:59 2019 UDP link remote: [AF_INET]MY.IP.GOES.HERE
Sat Jan 19 15:52:59 2019 MANAGEMENT: >STATE:1547909579,WAIT,,,,,,
Sat Jan 19 15:53:59 2019 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Jan 19 15:53:59 2019 TLS Error: TLS handshake failed
Sat Jan 19 15:53:59 2019 TCP/UDP: Closing socket
Sat Jan 19 15:53:59 2019 SIGUSR1[soft,tls-error] received, process restarting
Sat Jan 19 15:53:59 2019 MANAGEMENT: >STATE:1547909639,RECONNECTING,tls-error,,,,,
Sat Jan 19 15:53:59 2019 Restart pause, 300 second(s)

Note that TLS key negotiation kept failing.
Sat Jan 19 15:43:49 2019 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Jan 19 15:44:59 2019 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Jan 19 15:46:19 2019 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Jan 19 15:47:59 2019 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Jan 19 15:50:19 2019 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Jan 19 15:53:59 2019 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)

I resolved this by rebooting the router. It seems that each time I change the VPN port number on the router I have to reboot it.

This is interesting...
Restart pause, 10 second(s)
Restart pause, 20 second(s)
Restart pause, 40 second(s)
Restart pause, 80 second(s)
Restart pause, 160 second(s)
Restart pause, 300 second(s)

Why does the "restart pause" become longer and longer for each turn? It appears to double each time. Weird!

By inserting the following line in the client.ovpn file, you can also resolve the MITM warning message.

remote-cert-tls server

This is recommended.

If anyone has any questions or suggestions, speak up now please.

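As an added example (not part of the post above, and not OpenVPN's own tooling), here is a small Python parser for the client log shown in the post: it pulls out the TLS handshake timeouts, checks that the "Restart pause" values follow OpenVPN's reconnect back-off (the delay doubles after each failed attempt and is capped at 300 seconds by default, which is the "weird" doubling the poster saw), and flags the "No server certificate verification" warning that `remote-cert-tls server` clears. The sample log is a constructed subset of lines copied from the post, and all function and constant names are my own.

```python
import re

# Constructed sample: a subset of lines copied from the client log in the post (IP already stripped).
SAMPLE_LOG = """\
Sat Jan 19 15:43:59 2019 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Sat Jan 19 15:46:19 2019 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Jan 19 15:46:19 2019 Restart pause, 40 second(s)
Sat Jan 19 15:47:59 2019 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Jan 19 15:47:59 2019 Restart pause, 80 second(s)
Sat Jan 19 15:50:19 2019 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Jan 19 15:50:19 2019 Restart pause, 160 second(s)
Sat Jan 19 15:53:59 2019 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Jan 19 15:53:59 2019 Restart pause, 300 second(s)
"""

# OpenVPN log line: "Sat Jan 19 15:43:49 2019 <message>"
LINE_RE = re.compile(r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) (?P<msg>.*)$")
PAUSE_RE = re.compile(r"Restart pause, (\d+) second\(s\)")

def parse(log):
    # Returns (timestamps of TLS timeouts, list of restart pauses in seconds, MITM warning seen?)
    failures, pauses, mitm = [], [], False
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        pause = PAUSE_RE.match(msg)
        if msg.startswith("TLS Error: TLS key negotiation failed"):
            failures.append(m.group("ts"))
        elif pause:
            pauses.append(int(pause.group(1)))
        elif "No server certificate verification method" in msg:
            mitm = True
    return failures, pauses, mitm

def backoff_is_exponential(pauses, cap=300):
    # True if every pause is double the previous one, saturating at the cap.
    return all(b == min(a * 2, cap) for a, b in zip(pauses, pauses[1:]))

def diagnose(log):
    # Map the parsed signals to the conclusions the post arrived at.
    failures, pauses, mitm = parse(log)
    findings = []
    if failures:
        findings.append("tls-timeout")      # server not answering on the port (poster fixed it by rebooting)
    if pauses and backoff_is_exponential(pauses):
        findings.append("backoff-capped")   # normal reconnect back-off, not a fault
    if mitm:
        findings.append("add remote-cert-tls server")  # client is not checking the server cert type
    return findings
```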