OpenVPN Server on DD-WRT - Client doesn't have internet

partisanentity
OpenVpn Newbie
Posts: 5
Joined: Mon Mar 10, 2014 8:22 pm

OpenVPN Server on DD-WRT - Client doesn't have internet

Post by partisanentity » Mon Mar 10, 2014 9:01 pm

Hi all,

I have a WRT54GL (v 1.1).
Firmware is: DD-WRT v24-sp2 (10/10/09) vpn

I have setup the OpenVPN server on the router as per these instructions: http://www.dd-wrt.com/wiki/index.php/VP ... %29_v24%2B

I installed "OpenVPN Connect" on my Nexus 4 running Android 4.3.1

I can connect to my OpenVPN Server on my DD-WRT router.

But:

a) I cannot ping any other machine from my Android client on my network
b) I have no internet on my Android client

The config for openvpn server on the router:

push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS 192.168.66.1"
server 192.168.66.0 255.255.255.0

dev tun0
proto udp
keepalive 10 120
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem

The firewall settings on the router:

iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT

iptables -I FORWARD 1 --source 192.168.66.0/24 -j ACCEPT

# These next two lines may or may not be necessary.
# I (dereks) did not need them, but bmatthewshea did.
# Thus, we include them so that this works for more people:
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT

The client config:

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote xx.xxx.xx.xxx 1194


# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client


# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun0


# Are we connecting to a TCP or
# UDP server?  Use the same setting as
# on the server.
;proto tcp
proto udp


# Keep trying indefinitely to resolve the
# host name of the OpenVPN server.  Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite


# Most clients don't need to bind to
# a specific local port number.
nobind


# Try to preserve some state across restarts.
persist-key
persist-tun


# SSL/TLS parms.
# See the server config file for more
# description.  It's best to use
# a separate .crt/.key file pair
# for each client.  A single ca
# file can be used for all clients.
ca ca.crt
cert client1.crt
key client1.key


# To avoid a possible Man-in-the-Middle attack 
# where an authorized client tries to connect 
# to another client by impersonating the server, 
# make sure to enforce some kind of server 
# certificate verification by clients.
#
# You can build your server certificates with 
# the build-key-server script (see the easy-rsa 
# documentation for more info). This will designate 
# the certificate as a server-only certificate 
# by setting the right attributes. Now add the 
# following line to your client configuration:
remote-cert-tls server


# Delay n seconds (default=0) after connection 
# establishment, before adding routes. If n is 0, 
# routes will be added immediately upon connection 
# establishment. If --route-delay is omitted, routes 
# will be added immediately after TUN/TAP device open 
# and --up script execution, before any --user or 
# --group privilege downgrade (or --chroot execution.)
#
# This option is designed to be useful in scenarios 
# where DHCP is used to set tap adapter 
# addresses. The delay will give the DHCP handshake 
# time to complete before routes are added. 
# 
# (Also if the pushed routes appear not to be added 
# on windows hosts, add the following:)
route-delay 30


# Allow remote peer to change its IP address 
# and/or port number, such as due to DHCP 
# (this is the default if --remote is not used). 
# --float when specified with --remote allows an 
# OpenVPN session to initially connect to a peer 
# at a known address, however if packets arrive 
# from a new address and pass all authentication 
# tests, the new address will take control of the 
# session. This is useful when you are connecting 
# to a peer which holds a dynamic address such 
# as a dial-in user or DHCP client.
#
# Essentially, --float tells OpenVPN to accept 
# authenticated packets from any address, 
# not only the address which was specified 
# in the --remote option.
float

I am a total newbie when it comes to networking in general, and also VPN.

I would really appreciate any help.

partisanentity
OpenVpn Newbie
Posts: 5
Joined: Mon Mar 10, 2014 8:22 pm

Re: OpenVPN Server on DD-WRT - Client doesn't have internet

Post by partisanentity » Tue Mar 11, 2014 8:54 pm

Here is the log output:

20140311 21:41:22 I OpenVPN 2.1_rc20 mipsel-unknown-linux-gnu [SSL] [LZO1] [EPOLL] built on Oct 10 2009
20140311 21:41:22 W IMPORTANT: OpenVPN's default port number is now 1194 based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
20140311 21:41:31 W WARNING: file '/tmp/openvpn/key.pem' is group or others accessible
20140311 21:41:31 I TUN/TAP device tun0 opened
20140311 21:41:31 I /sbin/ifconfig tun0 192.168.66.1 pointopoint 192.168.66.2 mtu 1500
20140311 21:41:31 I UDPv4 link local (bound): [undef]:1194
20140311 21:41:31 I UDPv4 link remote: [undef]
20140311 21:41:31 I Initialization Sequence Completed
20140311 21:43:19 I xx3.162.68.29:59xxx Re-using SSL/TLS context
20140311 21:43:25 I xx3.162.68.29:59xxx [client1] Peer Connection Initiated with xx3.162.68.29:59xxx
19700101 00:00:00

If anyone can help, it would be greatly appreciated, I am at the end of my knowledge :(

partisanentity
OpenVpn Newbie
Posts: 5
Joined: Mon Mar 10, 2014 8:22 pm

Re: OpenVPN Server on DD-WRT - Client doesn't have internet

Post by partisanentity » Tue Mar 11, 2014 9:40 pm

Thanks very much.

After I went through both HOWTOs and added the rule to NAT the outgoing traffic I still was not able to obtain internet access on the client.

However, on my DD-WRT router I decided to go to Status > WAN and I copied the IP listed under DNS 1.

I then added this IP in the openvpn config as:

push "dhcp-option DNS xxx.xx.xxx.xx"

Now I am able to access the internet on my client.

Originally I had the IP of the OpenVPN server as the dhcp-option for DNS, but that did not work for some reason. I was under the impression, based on what I have been reading, that any IP address that the VPN client can ping can serve as a DNS IP?

Also, thanks to the other HOWTO you mentioned I am now able to ping all the machines behind the router from the client and vice-versa.
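An added checker, not code from the thread or from DD-WRT, that audits the server config and firewall rules from the first post for the two things this thread ended up changing: no NAT rule for the VPN subnet, and a pushed DNS address that sits on the tunnel itself. The rule patterns, finding codes and the "port 53 over tun" explanation are my own assumptions about why the first DNS attempt failed.

```python
import ipaddress
import re

# Constructed inputs: the server config and firewall rules posted in the first post.
SERVER_CONF = '''push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS 192.168.66.1"
server 192.168.66.0 255.255.255.0
dev tun0
proto udp
'''
FIREWALL = '''iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT
iptables -I FORWARD 1 --source 192.168.66.0/24 -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
'''

def parse_server(conf):
    """Collect the directives the audit needs; 'port' is not parsed, so 1194 is assumed."""
    info = {"subnet": None, "proto": "udp", "port": 1194, "dns": []}
    for raw in conf.splitlines():
        p = raw.strip().replace('"', "").split()
        if not p or p[0][0] in "#;":
            continue
        if p[0] == "server":
            info["subnet"] = ipaddress.ip_network(f"{p[1]}/{p[2]}")
        elif p[0] == "proto":
            info["proto"] = p[1]
        elif p[0] == "push" and p[1:3] == ["dhcp-option", "DNS"]:
            info["dns"].append(ipaddress.ip_address(p[3]))
    return info

def audit(conf, fw):
    """Return (code, message) findings for reasons VPN clients may lack LAN/internet access."""
    info, findings = parse_server(conf), []
    rules = [l.strip() for l in fw.splitlines() if l.strip().startswith("iptables")]
    have = lambda pat: any(re.search(pat, r) for r in rules)
    net = re.escape(str(info["subnet"]))
    if not have(rf"INPUT.*-p {info['proto']}.*--dport {info['port']}\b.*-j ACCEPT"):
        findings.append(("no-input", "server port is not accepted on INPUT"))
    if not have(rf"FORWARD.*(-s|--source) {net}.*-j ACCEPT"):
        findings.append(("no-forward", "traffic from the VPN subnet is not forwarded"))
    if not have(rf"-t nat.*POSTROUTING.*{net}.*-j (MASQUERADE|SNAT)"):
        findings.append(("no-nat", "VPN subnet is not NATed; upstream cannot route replies back"))
    for dns in info["dns"]:
        if dns in info["subnet"]:  # the OP's first attempt: DNS = router's tun address
            findings.append(("dns-on-tun", f"DNS {dns} is on the tunnel; needs a resolver "
                             "listening on tun and an INPUT rule allowing port 53 from the VPN"))
    return findings
```

Running audit(SERVER_CONF, FIREWALL) reports only no-nat and dns-on-tun; adding a POSTROUTING MASQUERADE rule for 192.168.66.0/24 and pushing an off-tunnel resolver clears both.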

partisanentity
OpenVpn Newbie
Posts: 5
Joined: Mon Mar 10, 2014 8:22 pm

Re: OpenVPN Server on DD-WRT - Client doesn't have internet

Post by partisanentity » Wed Mar 12, 2014 10:19 am

Thanks again for your help.

At the moment, I have the ISP-assigned DNS Server IP included in my server config.

Is that a problem? I assume by doing this I am leaking data to my ISP?

I guess what I am trying to ask is, does it make sense to set up my own DNS server on my router? What are the drawbacks of doing this? Is it worth it? Or can I keep using my ISPs DNS Server?

partisanentity
OpenVpn Newbie
Posts: 5
Joined: Mon Mar 10, 2014 8:22 pm

Re: OpenVPN Server on DD-WRT - Client doesn't have internet

Post by partisanentity » Wed Mar 12, 2014 1:23 pm

I have done some more reading since my previous post, and I think my question stemmed from a misunderstanding.

The articles I was reading were talking about a local DNS server that could possibly be set up on the router.

I falsely assumed that they were talking about external DNS.

So now I have a new question :)

Should I stay with the DNS servers of my ISP or should I use something like a public DNS from Google?

Any drawbacks to using my ISP DNS servers and pushing those to my vpn clients?

bhuggins
OpenVpn Newbie
Posts: 1
Joined: Fri Nov 06, 2015 12:09 am

Re: OpenVPN Server on DD-WRT - Client doesn't have internet

Post by bhuggins » Fri Nov 06, 2015 1:21 am

I realize this is over a year old but hopefully someone will see it bumped...

I thought I had found a solution to my problem as well, but after reading the op's posts there was apparently another user's comments deleted from the thread...

What exactly did you end up correcting to communicate to your client ip's on the router side (other side of firewall from the VPN server)?

I can connect to my DD-WRT OpenVPN server but cannot get through to the other subnet. My setup is similar to yours in the first post. I have my VPN network as 192.168.2.xxx (of course I'm not using x's :P) 255.255.255.0 and my network connected to the router is 192.168.1.xxx 255.255.255.0

iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT
iptables -I FORWARD 1 --source 192.168.2.0/24 -j ACCEPT
iptables -I FORWARD -i br0 -o tun2 -j ACCEPT
iptables -I FORWARD -i tun2 -o br0 -j ACCEPT

In case you're wondering about the tun adapter: I entered tun2 because, looking into the routing tables under Advanced Routing in the DD-WRT router, it is creating the adapter with the name tun2 instead of tun0 by default for some reason.

Thanks!

Brian

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: OpenVPN Server on DD-WRT - Client doesn't have internet

Post by Traffic » Mon Nov 23, 2015 3:31 pm

bhuggins wrote: "DD-WRT router it is creating the adapter with the tun2 name instead of tun0"

With Linux you can specify the tun device with --dev tunX (X = number).
