Trouble configuring OpenVPN client on DD-WRT router

avpez
OpenVpn Newbie
Posts: 2
Joined: Tue Dec 16, 2014 6:30 am

Trouble configuring OpenVPN client on DD-WRT router

Post by avpez » Tue Dec 16, 2014 6:55 am

My setup contains a main gateway router (this is NOT where DD-WRT / OpenVPN client runs) with a secondary wifi router configured on the main router's subnet 192.168.0.x.

Main router is running the gateway to the WAN connection through DSL modem, as well as firewall and DHCP server, etc.

The secondary router is running DD-WRT with its WAN connection disabled and the OpenVPN client connecting to the PrivateInternetAccess service. It is configured on the same subnet as the main.

The routing through this setup works fine except
a) I cannot get any traffic routing through the VPN tunnel - what I mean by this is that all traffic bypasses the VPN tunnel
b) The password file I have created in the /tmp/openvpncl directory gets deleted every time the router is rebooted

The command line used in the linux based router to launch the client is as follows:

Code:

/usr/sbin/openvpn --config /tmp/openvpncl/openvpn.conf --route-up /tmp/openvpncl/route-up.sh --down-pre /tmp/openvpncl/route-down.sh --daemon
The configuration file is as follows:

Code:

ca /tmp/openvpncl/ca.crt
management 127.0.0.1 16
management-log-cache 100
verb 3
mute 3
syslog
writepid /var/run/openvpncl.pid
client
resolv-retry infinite
nobind
persist-key
persist-tun
script-security 2
dev tun1
proto udp
cipher bf-cbc
auth sha1
remote us-midwest.privateinternetaccess.com 1194
comp-lzo yes
tls-client
tun-mtu 1500
mtu-disc yes
fast-io
tun-ipv6
auth-user-pass /tmp/openvpncl/password.txt
persist-key
persist-tun
tls-client
remote-cert-tls server
log /tmp/var/log/log.openvpn
The log file is as follows:

Code:

20141216 00:59:01 I OpenVPN 2.3.0 mipsel-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Mar 25 2013
20141216 00:59:01 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:16 
20141216 00:59:01 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts 
20141216 00:59:01 Socket Buffers: R=[114688->131072] S=[114688->131072] 
20141216 00:59:01 I UDPv4 link local: [undef] 
20141216 00:59:01 I UDPv4 link remote: [AF_INET]108.61.101.142:1194 
20141216 00:59:01 TLS: Initial packet from [AF_INET]108.61.101.142:1194 sid=ae237020 b3693215 
20141216 00:59:01 W WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this 
20141216 00:59:02 VERIFY OK: depth=1 C=US ST=OH L=Columbus O=Private Internet Access CN=Private Internet Access CA emailAddress=secure@privateinternetaccess.com 
20141216 00:59:02 Validating certificate key usage 
20141216 00:59:02 ++ Certificate has key usage 00a0 expects 00a0 
20141216 00:59:02 NOTE: --mute triggered... 
20141216 00:59:05 5 variation(s) on previous 3 message(s) suppressed by --mute 
20141216 00:59:05 W WARNING: 'link-mtu' is used inconsistently local='link-mtu 1542' remote='link-mtu 1570' 
20141216 00:59:05 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key 
20141216 00:59:05 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication 
20141216 00:59:05 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key 
20141216 00:59:05 NOTE: --mute triggered... 
20141216 00:59:05 2 variation(s) on previous 3 message(s) suppressed by --mute 
20141216 00:59:05 I [Private Internet Access] Peer Connection Initiated with [AF_INET]108.61.101.142:1194 
20141216 00:59:07 SENT CONTROL [Private Internet Access]: 'PUSH_REQUEST' (status=1) 
20141216 00:59:07 PUSH: Received control message: 'PUSH_REPLY redirect-gateway def1 dhcp-option DNS 209.222.18.222 dhcp-option DNS 209.222.18.218 ping 10 route 10.166.1.1 topology net30 ifconfig 10.166.1.6 10.166.1.5' 
20141216 00:59:07 OPTIONS IMPORT: timers and/or timeouts modified 
20141216 00:59:07 NOTE: --mute triggered... 
20141216 00:59:07 3 variation(s) on previous 3 message(s) suppressed by --mute 
20141216 00:59:07 ROUTE_GATEWAY 192.168.0.1/255.255.255.0 IFACE=br0 HWADDR=58:6d:8f:31:d5:46 
20141216 00:59:07 I TUN/TAP device tun1 opened 
20141216 00:59:07 TUN/TAP TX queue length set to 100 
20141216 00:59:07 I do_ifconfig tt->ipv6=1 tt->did_ifconfig_ipv6_setup=0 
20141216 00:59:07 I /sbin/ifconfig tun1 10.166.1.6 pointopoint 10.166.1.5 mtu 1500 
20141216 00:59:07 /sbin/route add -net 108.61.101.142 netmask 255.255.255.255 gw 192.168.0.1 
20141216 00:59:07 /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.166.1.5 
20141216 00:59:07 /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.166.1.5 
20141216 00:59:07 /sbin/route add -net 10.166.1.1 netmask 255.255.255.255 gw 10.166.1.5 
20141216 00:59:07 I Initialization Sequence Completed 
The routing table that results from this configuration seems odd to me (see the additions in the log file above) but the problem persists even if I manually adjust it (as follows) through the route command.

Code:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
108.61.101.142  192.168.0.1     255.255.255.255 UGH   0      0        0 br0
10.166.1.1      10.166.1.5      255.255.255.255 UGH   0      0        0 tun1
10.166.1.5      *               255.255.255.255 UH    0      0        0 tun1
192.168.0.0     *               255.255.255.0   U     0      0        0 br0
169.254.0.0     *               255.255.0.0     U     0      0        0 br0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         10.166.1.5      0.0.0.0         UG    0      0        0 tun1
I am certainly no routing, VPN, DD-WRT or Linux expert, but this problem is baffling me.

Any assistance in resolving this would be greatly appreciated!

Bill

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Trouble configuring OpenVPN client on DD-WRT router

Post by maikcat » Tue Dec 16, 2014 9:46 am

a) I cannot get any traffic routing through the VPN tunnel - what I mean by this is that all traffic bypasses the VPN tunnel

your logs show that routes that redirect internet traffic ARE added

Code:

20141216 00:59:07 /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.166.1.5
20141216 00:59:07 /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.166.1.5 
also DNS entries pushed

Code:

20141216 00:59:07 PUSH: Received control message: 'PUSH_REPLY redirect-gateway def1 dhcp-option DNS 209.222.18.222 dhcp-option DNS 209.222.18.218 ping 10 route 10.166.1.1 topology net30 ifconfig 10.166.1.6 10.166.1.5' 
but the problem persists even if I manually adjust it (as follows) through the route command.
adjust it? :mrgreen:
please leave it as is...

can you please post the output of tracert 8.8.8.8?
b) The password file I have created in the /tmp/openvpncl directory gets deleted every time the router is rebooted
if /tmp is emptied on reboot, that's why you are losing your file...
Can't you place it somewhere else?

Michael.

avpez
OpenVpn Newbie
Posts: 2
Joined: Tue Dec 16, 2014 6:30 am

Re: Trouble configuring OpenVPN client on DD-WRT router

Post by avpez » Wed Dec 17, 2014 6:17 am

Thanks so much for your reply.

Following is the output requested:

Code:

root@E2500-59397:~# traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 38 byte packets
 1  10.166.1.1 (10.166.1.1)  33.081 ms  32.070 ms  32.253 ms
 2  *  *  *
 3  184-75-214-65.amanah.com (184.75.214.65)  45.724 ms  dpaall.webexpressmail.net (162.219.179.65)  44.167 ms  184-75-211-129.amanah.com (184.75.211.129)  47.055 ms
 4  80.94.66.77 (80.94.66.77)  54.330 ms  38.88.240.133 (38.88.240.133)  59.908 ms  te0-7-0-9.221.ccr22.yyz02.atlas.cogentco.com (38.122.69.121)  45.014 ms
 5  xe-0-2-1.chi11.ip4.gtt.net (89.149.187.78)  54.730 ms  be2080.ccr42.ord01.atlas.cogentco.com (154.54.42.5)  61.509 ms  xe-0-2-1.chi11.ip4.gtt.net (89.149.187.78)  54.243 ms
 6  eth2-1.r1.ash1.us.as5580.net (78.152.34.117)  102.252 ms  be2003.ccr21.ord03.atlas.cogentco.com (154.54.29.22)  155.898 ms  eth2-1.r1.ash1.us.as5580.net (78.152.34.117)  81.851 ms
 7  209.85.246.107 (209.85.246.107)  54.565 ms  38.88.204.78 (38.88.204.78)  68.414 ms  63.699 ms
 8  ae2-69.cr1.ord1.ip4.gtt.net (173.241.130.78)  57.232 ms  53.303 ms  209.85.245.135 (209.85.245.135)  72.609 ms
 9  google-public-dns-a.google.com (8.8.8.8)  63.440 ms  61.345 ms  54.091 ms
looks like the route chosen does traverse the vpn tunnel...

My claim that it didn't was based on the result of pointing my browser to www.whatismyip.com, which reports my static IP address as assigned to my gateway by my DSL provider. Am I missing something?

WRT where to put my password.txt file ... there seems to be no other read-write filesystem than /tmp ... The /tmp/openvpncl directory contains the openvpn.conf, ca.crt, route-up.sh and route-down.sh files, which I assume are written after boot up by some script. Perhaps I need to recreate the password.txt file at the same time? Which script would that be? Or is there another approach for this?

Finally, wrt to the routing table "adjustments" that I made, these were to remove the following two routes (that were at the bottom of the table) which made no sense to me:

Code:

128.0.0.0       10.166.1.5               255.0.0.0       UG     0      0        0 tun1
default          192.168.0.1              255.0.0.0       UG     0      0        0 br0
I also changed the netmask from 128.0.0.0 to 0.0.0.0 for the last (default) entry to arrive at the routing table as reported previously. Were my "adjustments" incorrect? Can you explain why the entries I adjusted should have been left as they were? On the other hand, if my adjustments were correct, then what should I do to ensure that the routing table comes out correctly (what can I put in the "policy based routing" text box of the dd-wrt configuration page for OpenVPN)?

much appreciated ...

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Trouble configuring OpenVPN client on DD-WRT router

Post by maikcat » Thu Dec 18, 2014 5:20 pm

My claim that it didn't was based on the result of pointing my browser to www.whatismyip.com, which reports my static IP address as assigned to my gateway by my DSL provider. Am I missing something?
To be honest, I can't think of anything.. did you open www.whatismyip.com right before starting openvpn?
If yes, then maybe a stale route for it..? :?
WRT where to put my password.txt files ... there seem to be no other read write filesystem than the /tmp ... The /tmp/openvpncl directory contains the openvpn.conf, ca.crt, route-up.sh and route-down.sh files, which I assume are written after boot up by some script. Perhaps I need to recreate the password.txt file at the same time? Which script would that be? Or is there another approach for this?
Unfortunately I haven't got much experience with ddwrt or openwrt...
but if they use ext3 maybe you can make this file "immune" by using chattr +i, if of course chattr exists..
Finally, wrt to the routing table "adjustments" that I made, these were to remove the following two routes (that were at the bottom of the table) which made no sense to me:

Code:

128.0.0.0       10.166.1.5               255.0.0.0       UG     0      0        0 tun1
default          192.168.0.1              255.0.0.0       UG     0      0        0 br0
I also changed the netmask from 128.0.0.0 to 0.0.0.0 for the last (default) entry to arrive at the routing table as reported previously
Please read how the redirect-gateway def1 statement works in the openvpn manual..

Michael.
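The point behind redirect-gateway def1, shown as an added example that is not part of the thread: instead of replacing the default route, OpenVPN adds two /1 routes (0.0.0.0/1 and 128.0.0.0/1) that are more specific than the existing 0.0.0.0/0 default, so longest-prefix matching sends everything through tun1 while the original default stays in place and can be restored cleanly on disconnect. The host route for the VPN server via the LAN gateway must stay on br0, otherwise the tunnel would try to carry its own encrypted packets. The table below is constructed from the routes in the posted log; the lookup function is a hypothetical re-implementation of the kernel's longest-prefix match.

```python
import ipaddress

# Routing table as built by the log above (constructed from the posted log):
# (destination network, gateway or None when directly connected, interface)
ROUTES_WITH_DEF1 = [
    ("108.61.101.142/32", "192.168.0.1", "br0"),   # host route to the VPN server, stays on the LAN
    ("0.0.0.0/1",         "10.166.1.5",  "tun1"),  # redirect-gateway def1, lower half of IPv4
    ("128.0.0.0/1",       "10.166.1.5",  "tun1"),  # redirect-gateway def1, upper half of IPv4
    ("10.166.1.1/32",     "10.166.1.5",  "tun1"),  # pushed 'route 10.166.1.1'
    ("10.166.1.5/32",     None,          "tun1"),  # point-to-point peer
    ("192.168.0.0/24",    None,          "br0"),   # local LAN
    ("0.0.0.0/0",         "192.168.0.1", "br0"),   # original default, left untouched by def1
]


def lookup(routes, dst):
    """Longest-prefix match, as the kernel does it. Returns (gateway, iface)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw, iface in routes:
        network = ipaddress.ip_network(net)
        if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, gw, iface)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1], best[2]


def without_def1(routes):
    """The same table with the two /1 routes deleted, i.e. without redirect-gateway def1."""
    return [r for r in routes if r[0] not in ("0.0.0.0/1", "128.0.0.0/1")]


if __name__ == "__main__":
    # 200.0.0.1 is a constructed address in the upper half; the others come from the thread.
    for dst in ("8.8.8.8", "200.0.0.1", "108.61.101.142", "192.168.0.50"):
        print(dst, "def1:", lookup(ROUTES_WITH_DEF1, dst),
              "no def1:", lookup(without_def1(ROUTES_WITH_DEF1), dst))
```

With def1 both halves of the Internet resolve to tun1 and only the VPN server and the LAN stay on br0; drop the /1 routes and the untouched default sends Internet traffic back out via 192.168.0.1.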
