Patch: Fix for Iran and China users
Moderators: TinCanTech
-
- OpenVpn Newbie
- Posts: 15
- Joined: Tue Dec 20, 2011 8:04 pm
Re: Patch: Fix for Iran and China users
Just to inform you all, the latest release of DD-WRT now includes this patch with OpenVPN. This offers, potentially, a much more elegant solution, running the VPN at the gateway wifi router, rather than on the user's device.
http://www.dd-wrt.com/phpBB2/viewtopic.php?t=261380
http://svn.dd-wrt.com/changeset/24106
The patch has been fixed and updated for the current OpenVPN release (2.3.4)
Bitcoin donations welcome: 1KLuGeTyyffB4F5bv6bi4hYm16PfmMuS8X
-
- OpenVpn Newbie
- Posts: 1
- Joined: Wed May 28, 2014 9:55 am
Re: Patch: Fix for Iran and China users
rainbow6 wrote:You should know that the Chinese Firewall works at random. You may get a connection now and lose the connection again 3 hours later. No matter which obfuscation you use, once it detects you are running on a different port or unknown protocol, it will block you temporarily.
Hello Rainbow,
I can confirm the connection to China works at random. At our company we had a lot of trouble with that.
We tried to create an openvpn tool for remote access to all our machinery. We couldn't get it to work.
For 1 year we have been using the Ixrouter from Ixon, which works stably in China and where we do not have to open any ports on the customer network.
On their website www.ixon.net I couldn't find how they made it work in China but now we are able to get access to all our machines again, so I guess it should also work in Iran.
-
- OpenVpn Newbie
- Posts: 2
- Joined: Mon Dec 13, 2010 4:23 am
Re: Patch: Fix for Iran and China users
cstrife wrote:Anyone have any ideas on how to get the patch into an Android client? Are there instructions on building openvpn for android (I see for ics-openvpn, but prob. not the same thing?)?
I have yet to find a way to get onto fb/youtube on my phone in China. SSH tunnels don't work because of DNS poisoning. Standard openvpn is blocked. Ideas?
Thanks
Hey, we have done this.
Although this is a paid VPN, the app is free for everyone to use (and works outside our service) since it is merely a modified version of Arne Schwabe's client with haggismn's patch in (thanks

https://www.bolehvpn.net/blog/2014/05/b ... r-android/
-
- OpenVpn Newbie
- Posts: 4
- Joined: Sun Feb 23, 2014 3:19 pm
Re: Patch: Fix for Iran and China users
haggismn wrote:Just to inform you all, the latest release of DD-WRT now includes this patch with OpenVPN. This offers, potentially, a much more elegant solution, running the VPN at the gateway wifi router, rather than on the user's device.
http://www.dd-wrt.com/phpBB2/viewtopic.php?t=261380
http://svn.dd-wrt.com/changeset/24106
The patch has been fixed and updated for the current OpenVPN release (2.3.4)
So, all the previous patched binaries/versions in this thread prior to this are broken?
-
- OpenVpn Newbie
- Posts: 15
- Joined: Tue Dec 20, 2011 8:04 pm
Re: Patch: Fix for Iran and China users
cstrife wrote:So, all the previous patched binaries/versions in this thread prior to this are broken?
haggismn wrote:Just to inform you all, the latest release of DD-WRT now includes this patch with OpenVPN. This offers, potentially, a much more elegant solution, running the VPN at the gateway wifi router, rather than on the user's device.
http://www.dd-wrt.com/phpBB2/viewtopic.php?t=261380
http://svn.dd-wrt.com/changeset/24106
The patch has been fixed and updated for the current OpenVPN release (2.3.4)
Of course not. The patch has merely been altered so that it will apply to the latest source code. The options and functionality haven't been changed.
Bitcoin donations welcome: 1KLuGeTyyffB4F5bv6bi4hYm16PfmMuS8X
-
- OpenVpn Newbie
- Posts: 4
- Joined: Sun Feb 23, 2014 3:19 pm
Re: Patch: Fix for Iran and China users
Thanks!
Everything works. I'm using bolevpn on Android and seems to be ok. Thanks to everyone.
-
- OpenVpn Newbie
- Posts: 13
- Joined: Tue May 13, 2014 4:24 am
Re: Patch: Fix for Iran and China users
cstrife wrote:So, all the previous patched binaries/versions in this thread prior to this are broken?
haggismn wrote:Just to inform you all, the latest release of DD-WRT now includes this patch with OpenVPN. This offers, potentially, a much more elegant solution, running the VPN at the gateway wifi router, rather than on the user's device.
http://www.dd-wrt.com/phpBB2/viewtopic.php?t=261380
http://svn.dd-wrt.com/changeset/24106
The patch has been fixed and updated for the current OpenVPN release (2.3.4)
Hi, I've flashed this firmware to my AC66U router, and I use bolehVPN on my mobile phone. After adding "scramble reverse" both in the server config and the client config, I could connect to OpenVPN, but I didn't have any internet access. It works fine when I delete "scramble reverse" on both server and client config and use the OpenVPN app on Android. Does anyone know the solution?
BTW, I'm using the OpenVPN 2.3.4 client on WIN7. Which file should I patch if I want to use "scramble reverse" on the WIN7 client? Can anyone give me a step-by-step guide?
I much appreciate your help!
-
- OpenVPN Power User
- Posts: 54
- Joined: Mon Aug 29, 2011 1:01 pm
Re: Patch: Fix for Iran and China users
You should not be using DD-WRT on the ac66u; bolehvpn recommends using asusmerlin with the patch from the bolehvpn site for asus models.
However, if you need to use some of the advanced dd-wrt features, check that you have entered the dns correctly in the dd-wrt settings. DD-WRT does not support push dns from openvpn.
-
- OpenVpn Newbie
- Posts: 13
- Joined: Tue May 13, 2014 4:24 am
Re: Patch: Fix for Iran and China users
rainbow6 wrote:You should not be using DD-WRT on ac66u, bolehvpn recommends using the asusmerlin with the patch from bolehvpn site for asus models.
However, if you need to use some of the advanced dd-wrt feature, check that you have entered the dns correctly in dd-wrt setting. DD-WRT does not support push dns from openvpn.
Hi rainbow6, thanks for your quick response!
I found this guideline on the bolehvpn website, is it correct? https://bolehvpn.net/serv_bolehvpn_asuswrt-01.php
It seems that the inline configuration file is for the openvpn client; does it also work for the openvpn server?
But if I use asusmerlin on my router, which client should I use for my WIN7 laptop?
I much appreciate your help!
-
- OpenVpn Newbie
- Posts: 4
- Joined: Sat Jun 08, 2013 9:00 am
Re: Patch: Fix for Iran and China users
haggismn wrote:Just to inform you all, the latest release of DD-WRT now includes this patch with OpenVPN. This offers, potentially, a much more elegant solution, running the VPN at the gateway wifi router, rather than on the user's device.
http://www.dd-wrt.com/phpBB2/viewtopic.php?t=261380
http://svn.dd-wrt.com/changeset/24106
The patch has been fixed and updated for the current OpenVPN release (2.3.4)
I've tried this patch with the latest openwrt trunk with openvpn 2.3.4.
Without traffic obfuscation, everything is ok. But if I enable the scramble option like: scramble 'obfuscate hellokitty', clients can connect to the server and there is no error in the logs, but clients just can't ping the server, and in the arp tables of the clients the server arp is empty (all zero).
-
- OpenVPN Power User
- Posts: 54
- Joined: Mon Aug 29, 2011 1:01 pm
Re: Patch: Fix for Iran and China users
If you can post the log and config files for both server and client it would be helpful.
-
- OpenVpn Newbie
- Posts: 4
- Joined: Sat Jun 08, 2013 9:00 am
Re: Patch: Fix for Iran and China users
rainbow6 wrote:If you can post the log and config files for both server and client it would be helpful.
site server, an openwrt box: /etc/config/openvpn
config openvpn 'site_server'
option local 'myserver.ddns.domain 5556'
option proto 'udp'
option dev 'tap'
option ca '/etc/openvpn/ca.crt'
option cert '/etc/openvpn/server.crt'
option key '/etc/openvpn/server.key'
option dh '/etc/openvpn/dh2048.pem'
option ifconfig_pool_persist '/tmp/ipp-site.txt'
#option keepalive '5 30'
option comp_lzo '1'
option persist_key '1'
option persist_tun '1'
option status '/tmp/openvpn-status-site.log'
option verb '3'
option server_bridge '192.168.1.1 255.255.255.0 192.168.1.220 192.168.1.229'
option port '5556'
option enabled '1'
option client_to_client '0'
option push 'dhcp-option DNS 8.8.8.8'
option scramble 'obfuscate hellokitty'
site client, openwrt box
config openvpn 'site_client'
option client '1'
option dev 'tap'
option proto 'udp'
list remote 'myserver.ddns.domain 5556'
option nobind '1'
option persist_key '1'
option persist_tun '1'
option ca '/etc/openvpn/ca.crt'
option cert '/etc/openvpn/Client2.crt'
option key '/etc/openvpn/Client2.key'
option comp_lzo '1'
option verb '3'
option scramble 'obfuscate hellokitty'
option enabled '1'
server process:
/usr/sbin/openvpn --syslog openvpn(site_server) --writepid /var/run/openvpn-site_server.pid --comp-lzo --persist-key --persist-tun --ca /etc/openvpn/ca.crt --cert /etc/openvpn/server.crt --dev tap --dh /etc/openvpn/dh2048.pem --ifconfig-pool-persist /tmp/ipp-site.txt --key /etc/openvpn/server.key --local myserver.ddns.domain --port 5556 --proto udp --server-bridge 192.168.1.1 255.255.255.0 192.168.1.220 192.168.1.229 --status /tmp/openvpn-status-site.log --verb 3 --push dhcp-option DNS 8.8.8.8 --scramble obfuscate hellokitty
client logread:
Wed Jul 16 06:24:12 2014 daemon.notice openvpn(site_client)[8066]: OpenVPN 2.3.4 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Jul 15 2014
Wed Jul 16 06:24:12 2014 daemon.notice openvpn(site_client)[8066]: library versions: OpenSSL 1.0.1h 5 Jun 2014, LZO 2.06
Wed Jul 16 06:24:12 2014 daemon.warn openvpn(site_client)[8066]: WARNING: No server certificate verification method has been enabled. See
http://openvpn.net/howto.html#mitm for more info.
Wed Jul 16 06:24:12 2014 daemon.warn openvpn(site_client)[8066]: WARNING: file '/etc/openvpn/Client2.key' is group or others accessible
Wed Jul 16 06:24:12 2014 daemon.notice openvpn(site_client)[8066]: Socket Buffers: R=[163840->131072] S=[163840->131072]
Wed Jul 16 06:24:12 2014 daemon.notice openvpn(site_client)[8066]: UDPv4 link local: [undef]
Wed Jul 16 06:24:12 2014 daemon.notice openvpn(site_client)[8066]: UDPv4 link remote: [AF_INET]1.2.3.4:5556
Wed Jul 16 06:24:12 2014 daemon.notice openvpn(site_client)[8066]: TLS: Initial packet from [AF_INET]1.2.3.4:5556, sid=e34df2c7 ffc85605
Wed Jul 16 06:24:13 2014 daemon.notice openvpn(site_client)[8066]: VERIFY OK: depth=1, C=US, ST=CA, L=Los Angeles, O=Paradise, OU=Master, CN=Gate, name=2014,
emailAddress=admin@mail.domain
Wed Jul 16 06:24:13 2014 daemon.notice openvpn(site_client)[8066]: VERIFY OK: depth=0, C=US, ST=CA, L=Los Angeles, O=Paradise, OU=Master, CN=Gate, name=2014,
emailAddress=admin@mail.domain
Wed Jul 16 06:24:15 2014 daemon.notice openvpn(site_client)[8066]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Jul 16 06:24:15 2014 daemon.notice openvpn(site_client)[8066]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jul 16 06:24:15 2014 daemon.notice openvpn(site_client)[8066]: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Jul 16 06:24:15 2014 daemon.notice openvpn(site_client)[8066]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jul 16 06:24:15 2014 daemon.notice openvpn(site_client)[8066]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Wed Jul 16 06:24:15 2014 daemon.notice openvpn(site_client)[8066]: [Gate] Peer Connection Initiated with [AF_INET]1.2.3.4:5556
Wed Jul 16 06:24:17 2014 daemon.notice openvpn(site_client)[8066]: SENT CONTROL [Gate]: 'PUSH_REQUEST' (status=1)
Wed Jul 16 06:24:17 2014 daemon.notice openvpn(site_client)[8066]: PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 8.8.8.8,route-gateway
192.168.1.1,ifconfig 192.168.1.221 255.255.255.0'
Wed Jul 16 06:24:17 2014 daemon.notice openvpn(site_client)[8066]: OPTIONS IMPORT: --ifconfig/up options modified
Wed Jul 16 06:24:17 2014 daemon.notice openvpn(site_client)[8066]: OPTIONS IMPORT: route-related options modified
Wed Jul 16 06:24:17 2014 daemon.notice openvpn(site_client)[8066]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Wed Jul 16 06:24:17 2014 daemon.notice openvpn(site_client)[8066]: TUN/TAP device tap0 opened
Wed Jul 16 06:24:17 2014 daemon.notice openvpn(site_client)[8066]: TUN/TAP TX queue length set to 100
Wed Jul 16 06:24:17 2014 daemon.notice openvpn(site_client)[8066]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Wed Jul 16 06:24:17 2014 daemon.notice openvpn(site_client)[8066]: /sbin/ifconfig tap0 192.168.1.221 netmask 255.255.255.0 mtu 1500 broadcast 192.168.1.255
Wed Jul 16 06:24:17 2014 daemon.notice openvpn(site_client)[8066]: Initialization Sequence Completed
server logread:
Jul 16 14:24:12 OpenWrt daemon.notice openvpn(site_server)[13411]: 5.6.7.8:59562 TLS: Initial packet from [AF_INET]5.6.7.8:59562, sid=a96cb00f eb629ee8
Jul 16 14:24:14 OpenWrt daemon.notice openvpn(site_server)[13411]: 5.6.7.8:59562 VERIFY OK: depth=1, C=US, ST=CA, L=Los Angeles, O=Paradise, OU=Master, CN=Gate,
name=2014, emailAddress=admin@mail.domain
Jul 16 14:24:14 OpenWrt daemon.notice openvpn(site_server)[13411]: 5.6.7.8:59562 VERIFY OK: depth=0, C=US, ST=CA, L=Los Angeles, O=Paradise, OU=Master,
CN=Client2, name=2014, emailAddress=admin@mail.domain
Jul 16 14:24:15 OpenWrt daemon.notice openvpn(site_server)[13411]: 5.6.7.8:59562 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Jul 16 14:24:15 OpenWrt daemon.notice openvpn(site_server)[13411]: 5.6.7.8:59562 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jul 16 14:24:15 OpenWrt daemon.notice openvpn(site_server)[13411]: 5.6.7.8:59562 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Jul 16 14:24:15 OpenWrt daemon.notice openvpn(site_server)[13411]: 5.6.7.8:59562 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jul 16 14:24:15 OpenWrt daemon.notice openvpn(site_server)[13411]: 5.6.7.8:59562 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Jul 16 14:24:15 OpenWrt daemon.notice openvpn(site_server)[13411]: 5.6.7.8:59562 [Client2] Peer Connection Initiated with [AF_INET]5.6.7.8:59562
Jul 16 14:24:15 OpenWrt daemon.notice openvpn(site_server)[13411]: Client2/5.6.7.8:59562 MULTI_sva: pool returned IPv4=192.168.1.221, IPv6=(Not enabled)
Jul 16 14:24:17 OpenWrt daemon.notice openvpn(site_server)[13411]: Client2/5.6.7.8:59562 PUSH: Received control message: 'PUSH_REQUEST'
Jul 16 14:24:17 OpenWrt daemon.notice openvpn(site_server)[13411]: Client2/5.6.7.8:59562 send_push_reply(): safe_cap=940
Jul 16 14:24:17 OpenWrt daemon.notice openvpn(site_server)[13411]: Client2/5.6.7.8:59562 SENT CONTROL [Client2]: 'PUSH_REPLY,dhcp-option DNS
114.114.114.114,route-gateway 192.168.1.1,ifconfig 192.168.1.221 255.255.255.0' (status=1)
Jul 16 14:24:17 OpenWrt daemon.notice openvpn(site_server)[13411]: Client2/5.6.7.8:59562 MULTI: Learn: 2a:b7:0a:cf:f0:99 -> Client2/5.6.7.8:59562
ifconfig on client:
tap0 Link encap:Ethernet HWaddr 2A:B7:0A:CF:F0:99
inet addr:192.168.1.221 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::28b7:aff:fecf:f099/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:46 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 B) TX bytes:2172 (2.1 KiB)
try to ping the server from the client shell, it just gets stuck there
root@OpenWrt:~# ping 192.168.1.1
PING 192.168.1.1 (192.168.1.1): 56 data bytes
and in arp table the server arp is empty , all are zero:
root@OpenWrt:~# arp
IP address HW type Flags HW address Mask Device
192.168.1.1 0x1 0x0 00:00:00:00:00:00 * tap0
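Added example, not part of the original post or of the patch: a Python check over the two UCI sections posted above that compares the options both peers have to agree on and flags a client with no server-certificate verification, the condition behind the WARNING in the client log. The `MUST_MATCH` and `SERVER_VERIFY` lists are assumptions of this example; in particular it assumes `scramble` must be identical on both ends, as the posters in this thread configure it.

```python
import re

# Constructed sample input: trimmed copies of the two UCI sections posted above.
SERVER_UCI = """
config openvpn 'site_server'
    option proto 'udp'
    option dev 'tap'
    #option keepalive '5 30'
    option comp_lzo '1'
    option port '5556'
    option scramble 'obfuscate hellokitty'
"""
CLIENT_UCI = """
config openvpn 'site_client'
    option client '1'
    option dev 'tap'
    option proto 'udp'
    list remote 'myserver.ddns.domain 5556'
    option comp_lzo '1'
    option scramble 'obfuscate hellokitty'
"""

# Options both peers must agree on. 'scramble' is assumed to need an identical
# value on both ends, as the posters in this thread configure it.
MUST_MATCH = ("proto", "dev", "comp_lzo", "scramble")
# UCI spellings of OpenVPN options that make a client verify the server cert.
SERVER_VERIFY = ("remote_cert_tls", "ns_cert_type", "verify_x509_name",
                 "tls_verify", "tls_remote")

LINE = re.compile(r"^\s*(option|list)\s+(\w+)\s+'([^']*)'\s*$")

def parse_uci(text):
    """Return {option: [values]} for one UCI section; commented lines are skipped."""
    opts = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            opts.setdefault(m.group(2), []).append(m.group(3))
    return opts

def audit(server_text, client_text):
    """Return a list of findings; an empty list means nothing was flagged."""
    srv, cli = parse_uci(server_text), parse_uci(client_text)
    findings = []
    for key in MUST_MATCH:
        if srv.get(key) != cli.get(key):
            findings.append(f"mismatch {key}: server={srv.get(key)} client={cli.get(key)}")
    port = srv.get("port", ["1194"])[0]  # 1194 is OpenVPN's default port
    for remote in cli.get("remote", []):
        parts = remote.split()
        if len(parts) > 1 and parts[1] != port:
            findings.append(f"remote port {parts[1]} != server port {port}")
    if not any(k in cli for k in SERVER_VERIFY):
        findings.append("client has no server certificate verification option")
    return findings

if __name__ == "__main__":
    for finding in audit(SERVER_UCI, CLIENT_UCI):
        print(finding)
```

On the posted configs the link options agree, so the only finding is the missing server certificate check; adding `option remote_cert_tls 'server'` to the client section clears it, provided the server certificate carries the matching key usage.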
-
- OpenVPN Power User
- Posts: 54
- Joined: Mon Aug 29, 2011 1:01 pm
Re: Patch: Fix for Iran and China users
This has nothing to do with the patch. It's more to do with the openvpn configuration in bridging mode.
Can you check what is your IP address given by the server? Your VPN IP address on your tap.
-
- OpenVpn Newbie
- Posts: 4
- Joined: Sat Jun 08, 2013 9:00 am
Re: Patch: Fix for Iran and China users
rainbow6 wrote:This has nothing to do with the patch. It's more to do with the openvpn configuration in bridging mode.
Can you check what is your IP address given by the server? Your VPN IP address on your tap.
OK, thanks for your reply. I confirm this issue is not related to this patch.
It seems to be an issue related to creating multiple tap interfaces on openwrt. Maybe it's an openwrt issue,
as I'm running two openvpn server instances on the router box, both of them using tap mode.
the first one is:
dev 'tap0'
and the second is
dev 'tap1'
So I see from the logs that the servers are up, but the system only created one tap0 device; no tap1 was created, so the second server never works.
-
- OpenVpn Newbie
- Posts: 3
- Joined: Thu Dec 19, 2013 2:26 am
Re: Patch: Fix for Iran and China users
Has anyone been able to patch or know where to find Windows Openvpn 2.3.4 with this patched? Thank you.
-
- OpenVpn Newbie
- Posts: 15
- Joined: Tue Dec 20, 2011 8:04 pm
Re: Patch: Fix for Iran and China users
bashywash wrote:Has anyone been able to patch or know where to find Windows Openvpn 2.3.4 with this patched? Thank you.
Here
Bitcoin donations welcome: 1KLuGeTyyffB4F5bv6bi4hYm16PfmMuS8X
-
- OpenVpn Newbie
- Posts: 3
- Joined: Thu Dec 19, 2013 2:26 am
Re: Patch: Fix for Iran and China users
Thank you so much
-
- OpenVpn Newbie
- Posts: 1
- Joined: Thu Jul 31, 2014 6:48 am
Re: Patch: Fix for Iran and China users
I've patched the openvpn source code and compiled both the openvpn server for linux and the openvpn client for windows.
Then I tried to test it out so I added "scramble obfuscate lol" to /etc/openvpn/openvpn.conf and on windows I added the same line to the C:\Program Files\OpenVPN\config\openvpn.ovpn
When trying to connect using the client it fails and the status box that is normally full of information is empty.
_________________________
* Moderated: Advertising removed *
-
- OpenVpn Newbie
- Posts: 4
- Joined: Sun Feb 23, 2014 3:19 pm
Re: Patch: Fix for Iran and China users
haggismn wrote:Here
bashywash wrote:Has anyone been able to patch or know where to find Windows Openvpn 2.3.4 with this patched? Thank you.
Do you know if the 2.3.4 compiled exes on that page are the l003 or l603 versions?
- neomarket
- OpenVpn Newbie
- Posts: 2
- Joined: Mon Jan 12, 2015 5:25 pm
- Location: Tehran, Iran
- Contact:
Re: Patch: Fix for Iran and China users
Hi, the available OpenVPN servers in Iran belong to the government and are too expensive. Are there any free/cheap servers that the community might offer for Iranians? We are stuck! Most free tools are very very slow... and they can hardly open a facebook page.
I guess they have blocked SSH protocols again.
----
NeoMarket
Website design