OpenVPN server on the Keenetic 1810

persona
OpenVpn Newbie
Posts: 4
Joined: Sun Apr 19, 2020 8:44 am

OpenVPN server on the Keenetic 1810

Post by persona » Sun Apr 19, 2020 9:01 am

Hello, I am configuring the OpenVPN server on the Keenetic 1810 modem. This is my first experience. The goal is to connect from the phone to the server and get a local network IP, to use the local network at home. We would like to ask you to check the correctness of the settings. At this stage the configs are as follows:

Server config

mode server
proto tcp-server
port 1194
dev tun
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
server 192.168.0.0 255.255.255.0
keepalive 10 120
cipher AES-128-CBC
auth SHA1
comp-lzo
persist-tun
persist-key
verb 3
route 192.168.0.1 255.255.255.0
route 10.1.1.1 255.0.0.0
client-to-client
push "redirect-gateway def1"
push "route 10.1.1.0 255.0.0.0"
tls-server
tls-auth 0
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
***
-----END OpenVPN Static key V1-----
</tls-auth>
<ca>
-----BEGIN CERTIFICATE-----
***
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
***
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
***
-----END PRIVATE KEY-----
</key>
<dh>
-----BEGIN DH PARAMETERS-----
***
-----END DH PARAMETERS-----
</dh>


Client config

client
proto tcp-client
remote ***.***.***.***
port 1194
dev tun
resolv-retry infinite
nobind
ns-cert-type server
remote-cert-tls server
auth SHA1
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
cipher AES-128-CBC
comp-lzo
persist-tun
persist-key
verb 3
tls-client
tls-auth 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
***
-----END OpenVPN Static key V1-----
</tls-auth>
<ca>
-----BEGIN CERTIFICATE-----
***
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
***
-----END CERTIFICATE-----
</cert>
<key>
----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,***********************************
***
-----END RSA PRIVATE KEY-----
</key>


Server seems to be working but there are problems, and the client is a problem

problem client
WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
ROUTE: route addition failed using service: Параметр задан неверно. [status=87 if_index=43]
WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this

log server

[I] Apr 19 14:04:39 ndm: Core::Syslog: the system log has been cleared.
[I] Apr 19 14:04:43 ndm: Network::Interface::Base: "OpenVPN0": interface is up.
[I] Apr 19 14:04:43 ndm: Core::ConfigurationSaver: saving configuration...
[I] Apr 19 14:04:46 OpenVPN0: OpenVPN 2.4.6 [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [AEAD]
[I] Apr 19 14:04:46 OpenVPN0: library versions: OpenSSL 1.1.1d  10 Sep 2019, LZO 2.10
[I] Apr 19 14:04:46 OpenVPN0: Diffie-Hellman initialized with 2048 bit key
[I] Apr 19 14:04:46 OpenVPN0: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
[I] Apr 19 14:04:46 OpenVPN0: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
[I] Apr 19 14:04:46 OpenVPN0: TUN/TAP device tun0 opened
[I] Apr 19 14:04:46 OpenVPN0: TUN/TAP TX queue length set to 100
[I] Apr 19 14:04:46 OpenVPN0: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
[I] Apr 19 14:04:46 ndm: Network::Interface::Ip: "OpenVPN0": IP address is 192.168.0.1/32.
[I] Apr 19 14:04:46 ndm: Network::Interface::OpenVpn: "OpenVPN0": TUN peer address is 192.168.0.2.
[I] Apr 19 14:04:46 ndm: Network::Interface::OpenVpn: "OpenVPN0": added host route to peer 192.168.0.2 via 192.168.0.1.
[E] Apr 19 14:04:46 ndm: Network::RoutingTable: invalid destination prefix: 192.168.0.1/24.
[C] Apr 19 14:04:46 ndm: Network::Interface::OpenVpn: "OpenVPN0": system failed [0xcffd093a].
[E] Apr 19 14:04:46 ndm: Network::RoutingTable: invalid destination prefix: 10.1.1.1/8.
[C] Apr 19 14:04:46 ndm: Network::Interface::OpenVpn: "OpenVPN0": system failed [0xcffd093a].
[I] Apr 19 14:04:46 ndm: Network::Interface::OpenVpn: "OpenVPN0": install accepted route to 192.168.0.0/255.255.255.0 via 192.168.0.1.
[W] Apr 19 14:04:47 OpenVPN0: Could not determine IPv4/IPv6 protocol. Using AF_INET6
[I] Apr 19 14:04:47 OpenVPN0: Socket Buffers: R=[87380->87380] S=[16384->16384]
[I] Apr 19 14:04:47 OpenVPN0: setsockopt(IPV6_V6ONLY=0)
[I] Apr 19 14:04:47 OpenVPN0: Listening for incoming TCP connection on [AF_INET6][undef]:1194
[I] Apr 19 14:04:47 OpenVPN0: TCPv6_SERVER link local (bound): [AF_INET6][undef]:1194
[I] Apr 19 14:04:47 OpenVPN0: TCPv6_SERVER link remote: [AF_UNSPEC]
[I] Apr 19 14:04:47 OpenVPN0: GID set to nobody
[I] Apr 19 14:04:47 OpenVPN0: UID set to nobody
[I] Apr 19 14:04:47 OpenVPN0: MULTI: multi_init called, r=256 v=256
[I] Apr 19 14:04:47 OpenVPN0: IFCONFIG POOL: base=192.168.0.4 size=62, ipv6=0
[I] Apr 19 14:04:47 OpenVPN0: MULTI: TCP INIT maxclients=1024 maxevents=1028
[I] Apr 19 14:04:47 OpenVPN0: Initialization Sequence Completed
[I] Apr 19 14:04:47 ndm: Http::Nginx: loaded SSL certificate for "**********.keenetic.io".
[I] Apr 19 14:04:47 ndm: Core::Server: started Session /var/run/ndm.core.socket.
[I] Apr 19 14:04:47 ndm: Core::Session: client disconnected.
[I] Apr 19 14:04:47 ndm: Http::Manager: updated configuration.
[I] Apr 19 14:04:47 ndm: Core::Server: started Session /var/run/ndm.core.socket.
[I] Apr 19 14:04:47 ndm: Core::ConfigurationSaver: configuration saved.
[I] Apr 19 14:04:47 ndm: Core::Session: client disconnected.

[I] Apr 19 14:12:10 OpenVPN0: TCP connection established with [AF_INET6]::ffff:***.***.***.***:*****
[I] Apr 19 14:12:11 OpenVPN0: ***.***.***.*** TLS: Initial packet from [AF_INET6]::ffff:***.***.***.***:*****, sid=4d039adf 26076655
[I] Apr 19 14:12:12 OpenVPN0: ***.***.***.*** VERIFY SCRIPT OK: depth=1, C=., ST=., L=., O=., CN=server
[I] Apr 19 14:12:12 OpenVPN0: ***.***.***.*** VERIFY OK: depth=1, C=., ST=., L=., O=., CN=server
[I] Apr 19 14:12:12 OpenVPN0: ***.***.***.*** VERIFY SCRIPT OK: depth=0, C=., ST=., L=., O=., CN=., name=client1
[I] Apr 19 14:12:12 OpenVPN0: ***.***.***.*** VERIFY OK: depth=0, C=., ST=., L=., O=., CN=., name=client1
[I] Apr 19 14:12:12 OpenVPN0: ***.***.***.*** peer info: IV_VER=2.4.8
[I] Apr 19 14:12:12 OpenVPN0: ***.***.***.*** peer info: IV_PLAT=win
[I] Apr 19 14:12:12 OpenVPN0: ***.***.***.*** peer info: IV_PROTO=2
[I] Apr 19 14:12:12 OpenVPN0: ***.***.***.*** peer info: IV_NCP=2
[I] Apr 19 14:12:12 OpenVPN0: ***.***.***.*** peer info: IV_LZ4=1
[I] Apr 19 14:12:12 OpenVPN0: ***.***.***.*** peer info: IV_LZ4v2=1
[I] Apr 19 14:12:12 OpenVPN0: ***.***.***.*** peer info: IV_LZO=1
[I] Apr 19 14:12:12 OpenVPN0: ***.***.***.*** peer info: IV_COMP_STUB=1
[I] Apr 19 14:12:12 OpenVPN0: ***.***.***.*** peer info: IV_COMP_STUBv2=1
[I] Apr 19 14:12:12 OpenVPN0: ***.***.***.*** peer info: IV_TCPNL=1
[I] Apr 19 14:12:12 OpenVPN0: ***.***.***.*** peer info: IV_GUI_VER=OpenVPN_GUI_11
[I] Apr 19 14:12:12 OpenVPN0: ***.***.***.*** Control Channel: TLSv1.2, cipher TLSv1.2 ***-***-****-***-***, 4096 bit RSA
[I] Apr 19 14:12:12 OpenVPN0: ***.***.***.*** [client1] Peer Connection Initiated with [AF_INET6]::ffff:***.***.***.***:*****
[I] Apr 19 14:12:12 ndm: Network::Interface::OpenVpn: "OpenVPN0": connecting via ISP (GigabitEthernet1).
[I] Apr 19 14:12:12 ndm: Network::Interface::OpenVpn: "OpenVPN0": added host route to remote endpoint ***.***.***.***:***** via ***.***.***.***:*****
[I] Apr 19 14:12:12 OpenVPN0: client1/***.***.***.***:***** MULTI_sva: pool returned IPv4=192.168.0.6, IPv6=(Not enabled)
[I] Apr 19 14:12:12 ndm: Network::Interface::OpenVpn: "OpenVPN0": initialize routing table for client "client1" (***.***.***.***:*****).
[I] Apr 19 14:12:12 OpenVPN0: client1/***.***.***.***:***** OPTIONS IMPORT: reading client specific options from: /tmp/openvpn_cc_3858af7c776785a6.tmp
[I] Apr 19 14:12:12 OpenVPN0: client1/***.***.***.***:***** MULTI: Learn: 192.168.0.6 -> client1/***.***.***.***
[I] Apr 19 14:12:12 OpenVPN0: client1/***.***.***.***:***** MULTI: primary virtual IP for client1/***.***.***.***: 192.168.0.6
[I] Apr 19 14:12:13 OpenVPN0: client1/***.***.***.***:***** PUSH: Received control message: 'PUSH_REQUEST'
[I] Apr 19 14:12:13 OpenVPN0: client1/***.***.***.***:***** SENT CONTROL [client1]: 'PUSH_REPLY,redirect-gateway def1,route 10.1.1.0 255.0.0.0,route 192.168.0.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 192.168.0.6 192.168.0.5,peer-id 0,cipher AES-256-GCM' (status=1)
[I] Apr 19 14:12:13 OpenVPN0: client1/***.***.***.***:***** Data Channel: using negotiated cipher 'AES-256-GCM'
[I] Apr 19 14:12:13 OpenVPN0: client1/***.***.***.***:***** Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
[I] Apr 19 14:12:13 OpenVPN0: client1/***.***.***.***:***** Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
[E] Apr 19 14:12:19 ndnproxy: unable to extract domain from request.
[E] Apr 19 14:12:22 ndnproxy: Core::Syslog: last message repeated 7 times.
[E] Apr 19 14:12:45 OpenVPN0: client1/***.***.***.***:***** Connection reset, restarting [-1]
[I] Apr 19 14:12:45 OpenVPN0: client1/***.***.***.***:***** SIGTERM[soft,connection-reset] received, client-instance exiting
[I] Apr 19 14:12:46 ndm: Network::Interface::OpenVpn: "OpenVPN0": clear routing table for client "client1" (***.***.***.***).
[I] Apr 19 14:12:53 wmond: WifiMaster0/AccessPoint0: (MT7615) STA(**:**:**:**:**:**) had associated successfully.
[I] Apr 19 14:12:53 wmond: WifiMaster0/AccessPoint0: (MT7615) STA(**:**:**:**:**:**) set key done in WPA2/WPA2PSK.
[I] Apr 19 14:12:53 wmond: WifiMaster0/AccessPoint0: (MT7615) STA(**:**:**:**:**:**) had disassociated by STA (reason: STA is leaving or has left BSS).
[I] Apr 19 14:12:56 wmond: WifiMaster0/AccessPoint0: (MT7615) STA(**:**:**:**:**:**) had associated successfully.
[I] Apr 19 14:12:56 wmond: WifiMaster0/AccessPoint0: (MT7615) STA(**:**:**:**:**:**) set key done in WPA2/WPA2PSK.
[I] Apr 19 14:12:56 ndhcps: DHCPREQUEST received (STATE_INIT) for 10.1.1.42 from **:**:**:**:**:**.
[I] Apr 19 14:12:56 ndhcps: sending ACK of 10.1.1.42 to **:**:**:**:**:**.
[E] Apr 19 14:12:56 ndnproxy: unable to extract domain from request.
[E] Apr 19 14:13:10 ndnproxy: Core::Syslog: last message repeated 36 times.
log client

[I] Apr 19 14:04:39 ndm: Core::Syslog: the system log has been cleared.
[I] Apr 19 14:04:43 ndm: Network::Interface::Base: "OpenVPN0": interface is up.
[I] Apr 19 14:04:43 ndm: Core::ConfigurationSaver: saving configuration...
[I] Apr 19 14:04:46 OpenVPN0: OpenVPN 2.4.6 [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [AEAD]
[I] Apr 19 14:04:46 OpenVPN0: library versions: OpenSSL 1.1.1d  10 Sep 2019, LZO 2.10
[I] Apr 19 14:04:46 OpenVPN0: Diffie-Hellman initialized with 2048 bit key
[I] Apr 19 14:04:46 OpenVPN0: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
[I] Apr 19 14:04:46 OpenVPN0: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
[I] Apr 19 14:04:46 OpenVPN0: TUN/TAP device tun0 opened
[I] Apr 19 14:04:46 OpenVPN0: TUN/TAP TX queue length set to 100
[I] Apr 19 14:04:46 OpenVPN0: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
[I] Apr 19 14:04:46 ndm: Network::Interface::Ip: "OpenVPN0": IP address is 192.168.0.1/32.
[I] Apr 19 14:04:46 ndm: Network::Interface::OpenVpn: "OpenVPN0": TUN peer address is 192.168.0.2.
[I] Apr 19 14:04:46 ndm: Network::Interface::OpenVpn: "OpenVPN0": added host route to peer 192.168.0.2 via 192.168.0.1.
[E] Apr 19 14:04:46 ndm: Network::RoutingTable: invalid destination prefix: 192.168.0.1/24.
[C] Apr 19 14:04:46 ndm: Network::Interface::OpenVpn: "OpenVPN0": system failed [0xcffd093a].
[E] Apr 19 14:04:46 ndm: Network::RoutingTable: invalid destination prefix: 10.1.1.1/8.
[C] Apr 19 14:04:46 ndm: Network::Interface::OpenVpn: "OpenVPN0": system failed [0xcffd093a].
[I] Apr 19 14:04:46 ndm: Network::Interface::OpenVpn: "OpenVPN0": install accepted route to 192.168.0.0/255.255.255.0 via 192.168.0.1.
[W] Apr 19 14:04:47 OpenVPN0: Could not determine IPv4/IPv6 protocol. Using AF_INET6
[I] Apr 19 14:04:47 OpenVPN0: Socket Buffers: R=[87380->87380] S=[16384->16384]
[I] Apr 19 14:04:47 OpenVPN0: setsockopt(IPV6_V6ONLY=0)
[I] Apr 19 14:04:47 OpenVPN0: Listening for incoming TCP connection on [AF_INET6][undef]:1194
[I] Apr 19 14:04:47 OpenVPN0: TCPv6_SERVER link local (bound): [AF_INET6][undef]:1194
[I] Apr 19 14:04:47 OpenVPN0: TCPv6_SERVER link remote: [AF_UNSPEC]
[I] Apr 19 14:04:47 OpenVPN0: GID set to nobody
[I] Apr 19 14:04:47 OpenVPN0: UID set to nobody
[I] Apr 19 14:04:47 OpenVPN0: MULTI: multi_init called, r=256 v=256
[I] Apr 19 14:04:47 OpenVPN0: IFCONFIG POOL: base=192.168.0.4 size=62, ipv6=0
[I] Apr 19 14:04:47 OpenVPN0: MULTI: TCP INIT maxclients=1024 maxevents=1028
[I] Apr 19 14:04:47 OpenVPN0: Initialization Sequence Completed
[I] Apr 19 14:04:47 ndm: Http::Nginx: loaded SSL certificate for "*******.keenetic.io".
[I] Apr 19 14:04:47 ndm: Core::Server: started Session /var/run/ndm.core.socket.
[I] Apr 19 14:04:47 ndm: Core::Session: client disconnected.
[I] Apr 19 14:04:47 ndm: Http::Manager: updated configuration.
[I] Apr 19 14:04:47 ndm: Core::Server: started Session /var/run/ndm.core.socket.
[I] Apr 19 14:04:47 ndm: Core::ConfigurationSaver: configuration saved.
[I] Apr 19 14:04:47 ndm: Core::Session: client disconnected.
local ip network 10.1.1.1 255.0.0.0
Last edited by persona on Sun Apr 19, 2020 12:00 pm, edited 2 times in total.

persona
OpenVpn Newbie
Posts: 4
Joined: Sun Apr 19, 2020 8:44 am

Re: OpenVPN server on the Keenetic 1810

Post by persona » Sun Apr 19, 2020 11:59 am

the client configuration is not added to openvpn connect (ios) until I remove it from the configuration

tls-client
tls-auth 1
<tls-auth> 
***
</tls-auth>
why?

TinCanTech
OpenVPN Protagonist
Posts: 11139
Joined: Fri Jun 03, 2016 1:17 pm

Re: OpenVPN server on the Keenetic 1810

Post by TinCanTech » Sun Apr 19, 2020 12:36 pm

These items are wrong:

Server:
  • tls-auth 0

    This should be:

    key-direction 0

    and what you have now should cause openvpn to crash and burn, so you probably listed it incorrectly, please double check and let me know.
  • server 192.168.0.0 255.255.255.0

    This is almost certainly incorrect because that subnet will conflict with your home network. Use this instead:

    server 10.8.0.0 255.255.255.0
Client:

persona
OpenVpn Newbie
Posts: 4
Joined: Sun Apr 19, 2020 8:44 am

Re: OpenVPN server on the Keenetic 1810

Post by persona » Sun Apr 19, 2020 1:54 pm

well, I'll deal with this, but what do you say about the first letter?
my home network has an ip of 10.1.1.1, so I am using vpn 192.168.0.1
and how to achieve that when connecting via vpn to get into the home network, and get a home ip?

TinCanTech
OpenVPN Protagonist
Posts: 11139
Joined: Fri Jun 03, 2016 1:17 pm

Re: OpenVPN server on the Keenetic 1810

Post by TinCanTech » Sun Apr 19, 2020 2:06 pm

persona wrote:
Sun Apr 19, 2020 1:54 pm
my home network has an ip of 10.1.1.1, so I am using vpn 192.168.0.1
Using 192.168.0.0/24 for anything is a bad idea .. don't use it.

persona wrote:
Sun Apr 19, 2020 1:54 pm
what do you say about the first letter?
I'll take a stab in the dark here ..

persona wrote:
Sun Apr 19, 2020 9:01 am
problem client
WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
Do what it says.

persona wrote:
Sun Apr 19, 2020 9:01 am
ROUTE: route addition failed using service: Параметр задан неверно. [status=87 if_index=43]
Probably 192.168.0.0 .. don't use it.

persona wrote:
Sun Apr 19, 2020 9:01 am
WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Just ignore it.

persona wrote:
Sun Apr 19, 2020 1:54 pm
how to achieve that when connecting via vpn to get into the home network,
Explained here: https://community.openvpn.net/openvpn/wiki/HOWTO

persona wrote:
Sun Apr 19, 2020 1:54 pm
and get a home ip?
You get a VPN IP not a home IP but the principle is the same.
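
The points raised in the two answers above (an inline <tls-auth> key needs key-direction, 192.168.0.0/24 should not be the VPN pool, ns-cert-type is deprecated) and the "invalid destination prefix" errors in the server log can be checked mechanically before a config is loaded. The following Python check is an added example, not part of the thread or of OpenVPN; lint_openvpn, AVOID_NET and the finding codes are names chosen here, and the sample lines are copied from the first post's configs.

```python
import ipaddress
import re

# The subnet the answers in this thread say not to use for the VPN pool.
AVOID_NET = ipaddress.ip_network("192.168.0.0/24")

# Constructed sample: lines copied from the first post's two configs, keys elided.
SAMPLE = """\
server 192.168.0.0 255.255.255.0
route 192.168.0.1 255.255.255.0
route 10.1.1.1 255.0.0.0
push "redirect-gateway def1"
push "route 10.1.1.0 255.0.0.0"
tls-auth 0
<tls-auth>
***
</tls-auth>
ns-cert-type server
remote-cert-tls server
"""

def lint_openvpn(text):
    """Return (line_no, code, message) findings for an OpenVPN config."""
    findings = []
    inline_key = "<tls-auth>" in text
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        pushed = re.fullmatch(r'push\s+"(.*)"', line)  # check pushed options too
        words = (pushed.group(1) if pushed else line).split()
        if not words:
            continue
        opt, args = words[0], words[1:]
        if opt == "tls-auth" and inline_key and args in (["0"], ["1"]):
            findings.append((no, "key-direction",
                             f"inline key: use 'key-direction {args[0]}'"))
        elif opt == "ns-cert-type":
            findings.append((no, "deprecated", "use 'remote-cert-tls' only"))
        elif opt in ("route", "server") and len(args) >= 2:
            try:
                net = ipaddress.ip_interface(f"{args[0]}/{args[1]}")
            except ValueError:
                continue  # keyword or hostname target, not checked here
            if net.ip != net.network.network_address:
                findings.append((no, "host-bits",
                                 f"{args[0]} has host bits set for mask "
                                 f"{args[1]}; that mask gives {net.network}"))
            if opt == "server" and net.network.overlaps(AVOID_NET):
                findings.append((no, "subnet", f"{net.network} pool: pick "
                                 "another private range, e.g. 10.8.0.0/24"))
    return findings

if __name__ == "__main__":
    for no, code, msg in lint_openvpn(SAMPLE):
        print(f"line {no}: [{code}] {msg}")
```

The host-bits findings correspond to the router's "invalid destination prefix: 192.168.0.1/24" and "10.1.1.1/8" log lines: the address given to route is a host inside the network that the mask describes.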

persona
OpenVpn Newbie
Posts: 4
Joined: Sun Apr 19, 2020 8:44 am

Re: OpenVPN server on the Keenetic 1810

Post by persona » Wed Apr 22, 2020 4:05 pm

thank you, the VPN has earned, the connection is there.
I can't figure out why the IP(176.16.....) of the tunnel is assigned, and not the IP (10.1.....) of the home network.
And there is no access to the home network.
tell me what's wrong with the configuration?

mode server
proto udp
port 1194
dev tun
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
server 172.16.1.0 255.255.255.0
keepalive 10 120
cipher AES-128-CBC
auth SHA1
comp-lzo
persist-tun
persist-key
verb 0
route 172.16.1.1 255.255.255.0
route 10.1.1.1 255.255.255.0
client-to-client
push "redirect-gateway def1"
push "route 172.16.1.0 255.255.255.0"
push "route 10.1.1.0 255.255.255.0"
tls-server
key-direction 0
I try to ping the network from a PC (ip 10.1.*****) on a smartphone (172.16.******) connected via a VPN to the network passes.
but there is no access to the device on the network from a smartphone

TinCanTech
OpenVPN Protagonist
Posts: 11139
Joined: Fri Jun 03, 2016 1:17 pm

Re: OpenVPN server on the Keenetic 1810

Post by TinCanTech » Wed Apr 22, 2020 5:06 pm

persona wrote:
Wed Apr 22, 2020 4:05 pm
I can't figure out why the IP(176.16.....) of the tunnel is assigned, and not the IP (10.1.....) of the home network
Because that is how it is supposed to work.

persona wrote:
Wed Apr 22, 2020 4:05 pm
there is no access to the home network.
See the Howto link above - Section "Expanding the scope of the VPN"

mariusz84
OpenVpn Newbie
Posts: 1
Joined: Thu Mar 02, 2023 12:36 pm

Re: OpenVPN server on the Keenetic 1810

Post by mariusz84 » Thu Mar 02, 2023 12:38 pm

Good morning, may I please ask someone to paste the server and client configurations on the KEENETIC router, adding comments in the place of the XXXX certificates? It would be a very helpful solution.
