Redirecting Client traffic access through Server (Asus + DLink)

Pseudomax
OpenVpn Newbie
Posts: 12
Joined: Mon Nov 20, 2017 11:23 pm

Redirecting Client traffic access through Server (Asus + DLink)

Post by Pseudomax » Fri Dec 08, 2017 1:20 am

Hi

I would be extremely grateful for some help here! I have spent literally days trying to get this right!!

My setup is:
- I have an Asus Router with Merlin Firmware that is running the OpenVPN Server (local subnet is 192.168.1.0 and VPN subnet pushed is 192.168.10.0)
- D-Link Router flashed with DD-WRT to run the client OpenVPN to connect (permanently) to the Asus Router (client subnet is 192.168.0.0). This router will ultimately be at a place of work for me that is outside the country of the Asus router. This router is also set up as a Repeater Bridge to connect to a local wireless network that is secure (I pay the subscription costs) but is not managed by myself.
- Client WAN: 94.11.xx.xx
- Server WAN: 79.69.xx.xx

What I am trying to set up is the opportunity to securely access my home network and at the same time on occasions choose to stream some of my entertainment from services that geolocate to where my home (and Asus router) are located. Let me also state that I am aware that the subnets used are common, but I have no plans to use the server beyond this single connection, so I am not expecting public hotspots to complicate my setup.

So after a lot of trial & error (more error) I have successfully connected the client to the server but regardless of settings used I seem unable to get the client to redirect all internet traffic. I realise the screenshot below shows this option unselected, but I have tried with it selected and only unselected it more latterly as I added the additional config below (specifically push "redirect-gateway def1"). Let me add that I have tried all sorts of variations on this theme. I also would appreciate some help getting tls up and running but my main issue is the traffic (so I can continue 'learning' if this is outside the scope of my post here!). Let me also add that my current configuration does not seem to allow me to see my local (server side) computers ... but a previous attempt to bridge using TAP rather than TUN was not successful either!!

So any help gratefully received!

I have attached (redacted):
- the DD-WRT OpenVPN (Client) settings
- the DD-WRT OpenVPN Log
- the Asus exported settings file (.ovpn file)
- the Asus OpenVPN settings
- the Asus OpenVPN Server Status

I may well have missed something so please ask for any other details needed. (I can't state enough ... any help very appreciated!!)

Code:

client
dev tun
proto udp
remote xx.xx.xx.xx:xxxx
float
cipher AES-256-CBC
comp-lzo yes
keepalive 15 60
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
</key>
resolv-retry infinite
nobind

Pseudomax
OpenVpn Newbie
Posts: 12
Joined: Mon Nov 20, 2017 11:23 pm

Re: Redirecting Client traffic access through Server (Asus + DLink)

Post by Pseudomax » Sat Dec 09, 2017 3:34 pm

Hi, anyone willing to give me any support?

Pseudomax
OpenVpn Newbie
Posts: 12
Joined: Mon Nov 20, 2017 11:23 pm

Re: Redirecting Client traffic access through Server (Asus + DLink)

Post by Pseudomax » Sat Dec 09, 2017 5:13 pm

I was thinking as well ... would it be better to only forward all DNS traffic if the geolocated streaming requirement only needs DNS location?

TinCanTech
OpenVPN Protagonist
Posts: 11139
Joined: Fri Jun 03, 2016 1:17 pm

Re: Redirecting Client traffic access through Server (Asus + DLink)

Post by TinCanTech » Sat Dec 09, 2017 6:27 pm

Post your client log at --verb 4 and your server log if you can ..

Pseudomax
OpenVpn Newbie
Posts: 12
Joined: Mon Nov 20, 2017 11:23 pm

Re: Redirecting Client traffic access through Server (Asus + DLink)

Post by Pseudomax » Sun Dec 10, 2017 11:16 am

Thank you TinCanTech ... I think I have given what you need ...

Server Log:

Code:

Dec 10 10:02:36 openvpn[1153]: client/94.11.xxx.xxx Authenticate/Decrypt packet error: packet HMAC authentication failed
Dec 10 10:02:52 openvpn[1153]: client/94.11.xxx.xxx Authenticate/Decrypt packet error: packet HMAC authentication failed
Dec 10 10:03:06 openvpn[1153]: client/94.11.xxx.xxx Authenticate/Decrypt packet error: packet HMAC authentication failed
Dec 10 10:03:17 openvpn[1153]: client/94.11.xxx.xxx [client] Inactivity timeout (--ping-restart), restarting
Dec 10 10:03:17 openvpn[1153]: client/94.11.xxx.xxx SIGUSR1[soft,ping-restart] received, client-instance restarting
Dec 10 10:03:23 openvpn[1153]: 94.11.xxx.xxx TLS: Initial packet from [AF_INET6]::ffff:94.11.xxx.xxx:zzzzz, sid=eef27557 e8b614c0
Dec 10 10:03:23 openvpn[1153]: 94.11.xxx.xxx VERIFY OK: depth=1, C=TW, ST=TW, L=Taipei, O=ASUS, CN=RT-AC87U, emailAddress=me@myhost.mydomain
Dec 10 10:03:23 openvpn[1153]: 94.11.xxx.xxx VERIFY OK: depth=0, C=TW, ST=TW, L=Taipei, O=ASUS, CN=client, emailAddress=me@myhost.mydomain
Dec 10 10:03:23 openvpn[1153]: 94.11.xxx.xxx peer info: IV_VER=2.3.10
Dec 10 10:03:23 openvpn[1153]: 94.11.xxx.xxx peer info: IV_PLAT=linux
Dec 10 10:03:23 openvpn[1153]: 94.11.xxx.xxx peer info: IV_PROTO=2
Dec 10 10:03:23 openvpn[1153]: 94.11.xxx.xxx WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1558', remote='link-mtu 1570'
Dec 10 10:03:23 openvpn[1153]: 94.11.xxx.xxx WARNING: 'auth' is used inconsistently, local='auth SHA1', remote='auth SHA256'
Dec 10 10:03:23 openvpn[1153]: 94.11.xxx.xxx Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Dec 10 10:03:23 openvpn[1153]: 94.11.xxx.xxx Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Dec 10 10:03:23 openvpn[1153]: 94.11.xxx.xxx Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Dec 10 10:03:23 openvpn[1153]: 94.11.xxx.xxx Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Dec 10 10:03:23 openvpn[1153]: 94.11.xxx.xxx Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 1024 bit RSA
Dec 10 10:03:23 openvpn[1153]: 94.11.xxx.xxx [client] Peer Connection Initiated with [AF_INET6]::ffff:94.11.xxx.xxx:zzzzz
Dec 10 10:03:23 openvpn[1153]: client/94.11.xxx.xxx MULTI_sva: pool returned IPv4=192.168.10.2, IPv6=(Not enabled)
Dec 10 10:03:23 openvpn[1153]: client/94.11.xxx.xxx MULTI: Learn: 192.168.10.2 -> client/94.11.xxx.xxx
Dec 10 10:03:23 openvpn[1153]: client/94.11.xxx.xxx MULTI: primary virtual IP for client/94.11.xxx.xxx: 192.168.10.2
Dec 10 10:03:26 openvpn[1153]: client/94.11.xxx.xxx PUSH: Received control message: 'PUSH_REQUEST'
Dec 10 10:03:26 openvpn[1153]: client/94.11.xxx.xxx SENT CONTROL [client]: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0 vpn_gateway 500,dhcp-option DNS 192.168.1.1,redirect-gateway def1,dhcp-option DNS 192.168.1.1,route-gateway 192.168.10.1,topology subnet,ping 15,ping-restart 60,ifconfig 192.168.10.2 255.255.255.0,peer-id 0' (status=1)
Dec 10 10:03:38 rc_service: httpd 502:notify_rc restart_chpass;restart_vpnserver1
Dec 10 10:03:38 openvpn[1153]: event_wait : Interrupted system call (code=4)
Dec 10 10:03:38 openvpn[1153]: Closing TUN/TAP interface
Dec 10 10:03:38 openvpn[1153]: /usr/sbin/ip addr del dev tun21 192.168.10.1/24
Dec 10 10:03:38 openvpn[1153]: SIGTERM[hard,] received, process exiting
Dec 10 10:03:41 openvpn[23306]: Current Parameter Settings:
Dec 10 10:03:41 openvpn[23306]:   config = 'config.ovpn'
Dec 10 10:03:41 openvpn[23306]:   mode = 1
Dec 10 10:03:41 openvpn[23306]:   persist_config = DISABLED
Dec 10 10:03:41 openvpn[23306]:   persist_mode = 1
Dec 10 10:03:41 openvpn[23306]:   show_ciphers = DISABLED
Dec 10 10:03:41 openvpn[23306]:   show_digests = DISABLED
Dec 10 10:03:41 openvpn[23306]:   show_engines = DISABLED
Dec 10 10:03:41 openvpn[23306]:   genkey = DISABLED
Dec 10 10:03:41 openvpn[23306]:   key_pass_file = '[UNDEF]'
Dec 10 10:03:41 openvpn[23306]:   show_tls_ciphers = DISABLED
Dec 10 10:03:41 openvpn[23306]:   connect_retry_max = 0
Dec 10 10:03:41 openvpn[23306]: Connection profiles [0]:
Dec 10 10:03:41 openvpn[23306]:   proto = udp
Dec 10 10:03:41 openvpn[23306]:   local = '[UNDEF]'
Dec 10 10:03:41 openvpn[23306]:   local_port = 'yyyy'
Dec 10 10:03:41 openvpn[23306]:   remote = '[UNDEF]'
Dec 10 10:03:41 openvpn[23306]:   remote_port = 'yyyy'
Dec 10 10:03:41 openvpn[23306]:   remote_float = DISABLED
Dec 10 10:03:41 openvpn[23306]:   bind_defined = DISABLED
Dec 10 10:03:41 openvpn[23306]:   bind_local = ENABLED
Dec 10 10:03:41 openvpn[23306]:   bind_ipv6_only = DISABLED
Dec 10 10:03:41 openvpn[23306]:   connect_retry_seconds = 5
Dec 10 10:03:41 openvpn[23306]:   connect_timeout = 120
Dec 10 10:03:41 openvpn[23306]:   socks_proxy_server = '[UNDEF]'
Dec 10 10:03:41 openvpn[23306]:   socks_proxy_port = '[UNDEF]'
Dec 10 10:03:41 openvpn[23306]:   tun_mtu = 1500
Dec 10 10:03:41 openvpn[23306]:   tun_mtu_defined = ENABLED
Dec 10 10:03:41 openvpn[23306]:   link_mtu = 1500
Dec 10 10:03:41 openvpn[23306]:   link_mtu_defined = DISABLED
Dec 10 10:03:41 openvpn[23306]:   tun_mtu_extra = 0
Dec 10 10:03:41 openvpn[23306]:   tun_mtu_extra_defined = DISABLED
Dec 10 10:03:41 openvpn[23306]:   mtu_discover_type = -1
Dec 10 10:03:41 openvpn[23306]:   fragment = 0
Dec 10 10:03:41 openvpn[23306]:   mssfix = 1450
Dec 10 10:03:41 openvpn[23306]:   explicit_exit_notification = 0
Dec 10 10:03:41 openvpn[23306]: Connection profiles END
Dec 10 10:03:41 openvpn[23306]:   remote_random = DISABLED
Dec 10 10:03:41 openvpn[23306]:   ipchange = '[UNDEF]'
Dec 10 10:03:41 openvpn[23306]:   dev = 'tun21'
Dec 10 10:03:41 openvpn[23306]:   dev_type = '[UNDEF]'
Dec 10 10:03:41 openvpn[23306]:   dev_node = '[UNDEF]'
Dec 10 10:03:41 openvpn[23306]:   lladdr = '[UNDEF]'
Dec 10 10:03:41 openvpn[23306]:   topology = 3
Dec 10 10:03:41 openvpn[23306]:   ifconfig_local = '192.168.10.1'
Dec 10 10:03:41 openvpn[23306]:   ifconfig_remote_netmask = '255.255.255.0'
Dec 10 10:03:41 openvpn[23306]:   ifconfig_noexec = DISABLED
Dec 10 10:03:41 openvpn[23306]:   ifconfig_nowarn = DISABLED
Dec 10 10:03:41 openvpn[23306]:   ifconfig_ipv6_local = '[UNDEF]'
Dec 10 10:03:41 openvpn[23306]:   ifconfig_ipv6_netbits = 0
Dec 10 10:03:41 openvpn[23306]:   ifconfig_ipv6_remote = '[UNDEF]'
Dec 10 10:03:41 openvpn[23306]:   shaper = 0
Dec 10 10:03:41 openvpn[23306]:   mtu_test = 0
Dec 10 10:03:41 openvpn[23306]:   mlock = DISABLED
Dec 10 10:03:41 openvpn[23306]:   keepalive_ping = 15
Dec 10 10:03:41 openvpn[23306]:   keepalive_timeout = 60
Dec 10 10:03:41 openvpn[23306]:   inactivity_timeout = 0
Dec 10 10:03:41 openvpn[23306]:   ping_send_timeout = 15
Dec 10 10:03:41 openvpn[23306]:   ping_rec_timeout = 120
Dec 10 10:03:41 openvpn[23306]:   ping_rec_timeout_action = 2
Dec 10 10:03:41 openvpn[23306]:   ping_timer_remote = DISABLED
Dec 10 10:03:41 openvpn[23306]:   remap_sigusr1 = 0
Dec 10 10:03:41 openvpn[23306]:   persist_tun = DISABLED
Dec 10 10:03:41 openvpn[23306]:   persist_local_ip = DISABLED
Dec 10 10:03:41 openvpn[23306]:   persist_remote_ip = DISABLED
Dec 10 10:03:41 openvpn[23306]:   persist_key = DISABLED
Dec 10 10:03:41 openvpn[23306]:   passtos = DISABLED
Dec 10 10:03:41 openvpn[23306]:   resolve_retry_seconds = 1000000000
Dec 10 10:03:41 openvpn[23306]:   resolve_in_advance = DISABLED
Dec 10 10:03:41 openvpn[23306]:   username = '[UNDEF]'
Dec 10 10:03:41 openvpn[23306]:   groupname = '[UNDEF]'
Dec 10 10:03:41 openvpn[23306]:   chroot_dir = '[UNDEF]'
Dec 10 10:03:41 openvpn[23306]:   cd_dir = '/etc/openvpn/server1'
Dec 10 10:03:41 openvpn[23306]:   writepid = '[UNDEF]'
Dec 10 10:03:41 openvpn[23306]:   up_script = '[UNDEF]'
Dec 10 10:03:41 openvpn[23306]:   down_script = '[UNDEF]'
Dec 10 10:03:41 openvpn[23306]:   down_pre = DISABLED
Dec 10 10:03:41 openvpn[23306]:   up_restart = DISABLED
Dec 10 10:03:41 openvpn[23306]:   up_delay = DISABLED
Dec 10 10:03:41 openvpn[23306]:   daemon = ENABLED
Dec 10 10:03:41 openvpn[23306]:   inetd = 0
Dec 10 10:03:41 openvpn[23306]:   log = DISABLED
Dec 10 10:03:41 openvpn[23306]:   suppress_timestamps = DISABLED
Dec 10 10:03:41 openvpn[23306]:   machine_readable_output = DISABLED
Dec 10 10:03:41 openvpn[23306]:   nice = 0
Dec 10 10:03:41 openvpn[23306]:   verbosity = 4
Dec 10 10:03:41 openvpn[23306]:   mute = 0
Dec 10 10:03:41 openvpn[23306]:   status_file = 'status'
Dec 10 10:03:41 openvpn[23306]:   status_file_version = 2
Dec 10 10:03:41 openvpn[23306]:   status_file_update_freq = 5
Dec 10 10:03:41 openvpn[23306]:   occ = ENABLED
Dec 10 10:03:41 openvpn[23306]:   rcvbuf = 0
Dec 10 10:03:41 openvpn[23306]:   sndbuf = 0
Dec 10 10:03:41 openvpn[23306]:   mark = 0
Dec 10 10:03:41 openvpn[23306]:   sockflags = 0
Dec 10 10:03:41 openvpn[23306]:   fast_io = DISABLED
Dec 10 10:03:41 openvpn[23306]:   comp.alg = 2
Dec 10 10:03:41 openvpn[23306]:   comp.flags = 0
Dec 10 10:03:41 openvpn[23306]:   route_script = '[UNDEF]'
Dec 10 10:03:41 openvpn[23306]:   route_default_gateway = '192.168.10.2'
Dec 10 10:03:41 openvpn[23306]:   route_default_metric = 0
Dec 10 10:03:41 openvpn[23306]:   route_noexec = DISABLED
Dec 10 10:03:41 openvpn[23306]:   route_delay = 0
Dec 10 10:03:41 openvpn[23306]:   route_delay_window = 30
Dec 10 10:03:41 openvpn[23306]:   route_delay_defined = DISABLED
Dec 10 10:03:41 openvpn[23306]:   route_nopull = DISABLED
Dec 10 10:03:41 openvpn[23306]:   route_gateway_via_dhcp = DISABLED
Dec 10 10:03:41 openvpn[23306]:   allow_pull_fqdn = DISABLED
Dec 10 10:03:41 openvpn[23306]:   management_addr = '[UNDEF]'
Dec 10 10:03:41 openvpn[23306]:   management_port = '[UNDEF]'
Dec 10 10:03:41 openvpn[23306]:   management_user_pass = '[UNDEF]'
Dec 10 10:03:41 openvpn[23306]:   management_log_history_cache = 250
Dec 10 10:03:41 openvpn[23306]:   management_echo_buffer_size = 100
Dec 10 10:03:41 openvpn[23306]:   management_write_peer_info_file = '[UNDEF]'
Dec 10 10:03:41 openvpn[23306]:   management_client_user = '[UNDEF]'
Dec 10 10:03:41 openvpn[23306]:   management_client_group = '[UNDEF]'
Dec 10 10:03:41 openvpn[23306]:   management_flags = 0
Dec 10 10:03:41 openvpn[23306]:   shared_secret_file = '[UNDEF]'
Dec 10 10:03:41 openvpn[23306]:   key_direction = 0
Dec 10 10:03:41 openvpn[23306]:   ciphername = 'AES-256-CBC'
Dec 10 10:03:41 openvpn[23306]:   ncp_enabled = DISABLED
Dec 10 10:03:41 openvpn[23306]:   ncp_ciphers = 'AES-256-GCM:AES-128-GCM'
Dec 10 10:03:41 openvpn[23306]:   authname = 'SHA1'
Dec 10 10:03:41 openvpn[23306]:   prng_hash = 'SHA1'
Dec 10 10:03:41 openvpn[23306]:   prng_nonce_secret_len = 16
Dec 10 10:03:41 openvpn[23306]:   keysize = 0
Dec 10 10:03:41 openvpn[23306]:   engine = DISABLED
Dec 10 10:03:41 openvpn[23306]:   replay = ENABLED
Dec 10 10:03:41 openvpn[23306]:   mute_replay_warnings = DISABLED
Dec 10 10:03:41 openvpn[23306]:   replay_window = 64
Dec 10 10:03:41 openvpn[23306]:   replay_time = 15
Dec 10 10:03:41 openvpn[23306]:   packet_id_file = '[UNDEF]'
Dec 10 10:03:41 openvpn[23306]:   use_iv = ENABLED
Dec 10 10:03:41 openvpn[23306]:   test_crypto = DISABLED
Dec 10 10:03:41 openvpn[23306]:   tls_server = ENABLED
Dec 10 10:03:41 openvpn[23306]:   tls_client = DISABLED
Dec 10 10:03:41 openvpn[23306]:   key_method = 2
Dec 10 10:03:41 openvpn[23306]:   ca_file = 'ca.crt'
Dec 10 10:03:41 openvpn[23306]:   ca_path = '[UNDEF]'
Dec 10 10:03:41 openvpn[23306]:   dh_file = 'dh.pem'
Dec 10 10:03:41 openvpn[23306]:   cert_file = 'server.crt'
Dec 10 10:03:41 openvpn[23306]:   extra_certs_file = '[UNDEF]'
Dec 10 10:03:41 openvpn[23306]:   priv_key_file = 'server.key'
Dec 10 10:03:41 openvpn[23306]:   pkcs12_file = '[UNDEF]'
Dec 10 10:03:41 openvpn[23306]:   cipher_list = '[UNDEF]'
Dec 10 10:03:41 openvpn[23306]:   tls_verify = '[UNDEF]'
Dec 10 10:03:41 openvpn[23306]:   tls_export_cert = '[UNDEF]'
Dec 10 10:03:41 openvpn[23306]:   verify_x509_type = 0
Dec 10 10:03:41 openvpn[23306]:   verify_x509_name = '[UNDEF]'
Dec 10 10:03:41 openvpn[23306]:   crl_file = '[UNDEF]'
Dec 10 10:03:41 openvpn[23306]:   ns_cert_type = 0
Dec 10 10:03:41 openvpn[23306]:   remote_cert_ku[i] = 0
Dec 10 10:03:41 openvpn[23306]:   remote_cert_ku[i] = 0
Dec 10 10:03:41 openvpn[23306]:   remote_cert_ku[i] = 0
Dec 10 10:03:41 openvpn[23306]:   remote_cert_ku[i] = 0
Dec 10 10:03:41 openvpn[23306]:   remote_cert_ku[i] = 0
Dec 10 10:03:41 openvpn[23306]:   remote_cert_ku[i] = 0
Dec 10 10:03:41 openvpn[23306]:   remote_cert_ku[i] = 0
Dec 10 10:03:41 openvpn[23306]:   remote_cert_ku[i] = 0
Dec 10 10:03:41 openvpn[23306]:   remote_cert_ku[i] = 0
Dec 10 10:03:41 openvpn[23306]:   remote_cert_ku[i] = 0
Dec 10 10:03:41 openvpn[23306]:   remote_cert_ku[i] = 0
Dec 10 10:03:41 openvpn[23306]:   remote_cert_ku[i] = 0
Dec 10 10:03:41 openvpn[23306]:   remote_cert_ku[i] = 0
Dec 10 10:03:41 openvpn[23306]:   remote_cert_ku[i] = 0
Dec 10 10:03:41 openvpn[23306]:   remote_cert_ku[i] = 0
Dec 10 10:03:41 openvpn[23306]:   remote_cert_ku[i] = 0
Dec 10 10:03:41 openvpn[23306]:   remote_cert_eku = '[UNDEF]'
Dec 10 10:03:41 openvpn[23306]:   ssl_flags = 0
Dec 10 10:03:41 openvpn[23306]:   tls_timeout = 2
Dec 10 10:03:41 openvpn[23306]:   renegotiate_bytes = -1
Dec 10 10:03:41 openvpn[23306]:   renegotiate_packets = 0
Dec 10 10:03:41 openvpn[23306]:   renegotiate_seconds = 3600
Dec 10 10:03:41 openvpn[23306]:   handshake_window = 60
Dec 10 10:03:41 openvpn[23306]:   transition_window = 3600
Dec 10 10:03:41 openvpn[23306]:   single_session = DISABLED
Dec 10 10:03:41 openvpn[23306]:   push_peer_info = DISABLED
Dec 10 10:03:41 openvpn[23306]:   tls_exit = DISABLED
Dec 10 10:03:41 openvpn[23306]:   tls_auth_file = '[UNDEF]'
Dec 10 10:03:41 openvpn[23306]:   tls_crypt_file = '[UNDEF]'
Dec 10 10:03:41 openvpn[23306]:   server_network = 192.168.10.0
Dec 10 10:03:41 openvpn[23306]:   server_netmask = 255.255.255.0
Dec 10 10:03:41 openvpn[23306]:   server_network_ipv6 = ::
Dec 10 10:03:41 openvpn[23306]:   server_netbits_ipv6 = 0
Dec 10 10:03:41 openvpn[23306]:   server_bridge_ip = 0.0.0.0
Dec 10 10:03:41 openvpn[23306]:   server_bridge_netmask = 0.0.0.0
Dec 10 10:03:41 openvpn[23306]:   server_bridge_pool_start = 0.0.0.0
Dec 10 10:03:41 openvpn[23306]:   server_bridge_pool_end = 0.0.0.0
Dec 10 10:03:41 openvpn[23306]:   push_entry = 'route 192.168.1.0 255.255.255.0 vpn_gateway 500'
Dec 10 10:03:41 openvpn[23306]:   push_entry = 'dhcp-option DNS 192.168.1.1'
Dec 10 10:03:41 openvpn[23306]:   push_entry = 'redirect-gateway def1'
Dec 10 10:03:41 openvpn[23306]:   push_entry = 'dhcp-option DNS 192.168.1.1'
Dec 10 10:03:41 openvpn[23306]:   push_entry = 'route-gateway 192.168.10.1'
Dec 10 10:03:41 openvpn[23306]:   push_entry = 'topology subnet'
Dec 10 10:03:41 openvpn[23306]:   push_entry = 'ping 15'
Dec 10 10:03:41 openvpn[23306]:   push_entry = 'ping-restart 60'
Dec 10 10:03:41 openvpn[23306]:   ifconfig_pool_defined = ENABLED
Dec 10 10:03:41 openvpn[23306]:   ifconfig_pool_start = 192.168.10.2
Dec 10 10:03:41 openvpn[23306]:   ifconfig_pool_end = 192.168.10.253
Dec 10 10:03:41 openvpn[23306]:   ifconfig_pool_netmask = 255.255.255.0
Dec 10 10:03:41 openvpn[23306]:   ifconfig_pool_persist_filename = '[UNDEF]'
Dec 10 10:03:41 openvpn[23306]:   ifconfig_pool_persist_refresh_freq = 600
Dec 10 10:03:41 openvpn[23306]:   ifconfig_ipv6_pool_defined = DISABLED
Dec 10 10:03:41 openvpn[23306]:   ifconfig_ipv6_pool_base = ::
Dec 10 10:03:41 openvpn[23306]:   ifconfig_ipv6_pool_netbits = 0
Dec 10 10:03:41 openvpn[23306]:   n_bcast_buf = 256
Dec 10 10:03:41 openvpn[23306]:   tcp_queue_limit = 64
Dec 10 10:03:41 openvpn[23306]:   real_hash_size = 256
Dec 10 10:03:41 openvpn[23306]:   virtual_hash_size = 256
Dec 10 10:03:41 openvpn[23306]:   client_connect_script = '[UNDEF]'
Dec 10 10:03:41 openvpn[23306]:   learn_address_script = '[UNDEF]'
Dec 10 10:03:41 openvpn[23306]:   client_disconnect_script = '[UNDEF]'
Dec 10 10:03:41 openvpn[23306]:   client_config_dir = 'ccd'
Dec 10 10:03:41 openvpn[23306]:   ccd_exclusive = DISABLED
Dec 10 10:03:41 openvpn[23306]:   tmp_dir = '/tmp'
Dec 10 10:03:41 openvpn[23306]:   push_ifconfig_defined = DISABLED
Dec 10 10:03:41 openvpn[23306]:   push_ifconfig_local = 0.0.0.0
Dec 10 10:03:41 openvpn[23306]:   push_ifconfig_remote_netmask = 0.0.0.0
Dec 10 10:03:41 openvpn[23306]:   push_ifconfig_ipv6_defined = DISABLED
Dec 10 10:03:41 openvpn[23307]: TLS-Auth MTU parms [ L:1622 D:1212 EF:38 EB:0 ET:0 EL:3 ]
Dec 10 10:03:41 openvpn[23307]: TUN/TAP device tun21 opened
Dec 10 10:03:41 openvpn[23307]: TUN/TAP TX queue length set to 100
Dec 10 10:03:41 openvpn[23307]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Dec 10 10:03:41 openvpn[23307]: /usr/sbin/ip link set dev tun21 up mtu 1500
Dec 10 10:03:41 openvpn[23307]: /usr/sbin/ip addr add dev tun21 192.168.10.1/24 broadcast 192.168.10.255
Dec 10 10:03:41 openvpn[23307]: Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Dec 10 10:03:41 openvpn[23307]: Could not determine IPv4/IPv6 protocol. Using AF_INET6
Dec 10 10:03:41 openvpn[23307]: Socket Buffers: R=[122880->122880] S=[122880->122880]
Dec 10 10:03:41 openvpn[23307]: setsockopt(IPV6_V6ONLY=0)
Dec 10 10:03:41 openvpn[23307]: UDPv6 link local (bound): [AF_INET6][undef]:yyyy
Dec 10 10:03:41 openvpn[23307]: UDPv6 link remote: [AF_UNSPEC]
Dec 10 10:03:41 openvpn[23307]: MULTI: multi_init called, r=256 v=256
Dec 10 10:03:41 openvpn[23307]: IFCONFIG POOL: base=192.168.10.2 size=252, ipv6=0
Dec 10 10:03:41 openvpn[23307]: Initialization Sequence Completed
Dec 10 10:04:19 openvpn[23307]: MULTI: multi_create_instance called
Dec 10 10:04:19 openvpn[23307]: 94.11.xxx.xxx Re-using SSL/TLS context
Dec 10 10:04:19 openvpn[23307]: 94.11.xxx.xxx LZO compression initializing
Dec 10 10:04:19 openvpn[23307]: 94.11.xxx.xxx Control Channel MTU parms [ L:1622 D:1212 EF:38 EB:0 ET:0 EL:3 ]
Dec 10 10:04:19 openvpn[23307]: 94.11.xxx.xxx Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Dec 10 10:04:19 openvpn[23307]: 94.11.xxx.xxx Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-server'
Dec 10 10:04:19 openvpn[23307]: 94.11.xxx.xxx Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-client'
Dec 10 10:04:19 openvpn[23307]: 94.11.xxx.xxx TLS: Initial packet from [AF_INET6]::ffff:94.11.xxx.xxx:56681, sid=ac0f0091 9a24c051
Dec 10 10:04:19 openvpn[23307]: 94.11.xxx.xxx VERIFY OK: depth=1, C=TW, ST=TW, L=Taipei, O=ASUS, CN=RT-AC87U, emailAddress=me@myhost.mydomain
Dec 10 10:04:19 openvpn[23307]: 94.11.xxx.xxx VERIFY OK: depth=0, C=TW, ST=TW, L=Taipei, O=ASUS, CN=client, emailAddress=me@myhost.mydomain
Dec 10 10:04:19 openvpn[23307]: 94.11.xxx.xxx peer info: IV_VER=2.3.10
Dec 10 10:04:19 openvpn[23307]: 94.11.xxx.xxx peer info: IV_PLAT=linux
Dec 10 10:04:19 openvpn[23307]: 94.11.xxx.xxx peer info: IV_PROTO=2
Dec 10 10:04:19 openvpn[23307]: 94.11.xxx.xxx WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1558', remote='link-mtu 1570'
Dec 10 10:04:19 openvpn[23307]: 94.11.xxx.xxx WARNING: 'auth' is used inconsistently, local='auth SHA1', remote='auth SHA256'
Dec 10 10:04:19 openvpn[23307]: 94.11.xxx.xxx Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Dec 10 10:04:19 openvpn[23307]: 94.11.xxx.xxx Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Dec 10 10:04:19 openvpn[23307]: 94.11.xxx.xxx Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Dec 10 10:04:19 openvpn[23307]: 94.11.xxx.xxx Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Dec 10 10:04:19 openvpn[23307]: 94.11.xxx.xxx Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 1024 bit RSA
Dec 10 10:04:19 openvpn[23307]: 94.11.xxx.xxx [client] Peer Connection Initiated with [AF_INET6]::ffff:94.11.xxx.xxx:56681
Dec 10 10:04:19 openvpn[23307]: client/94.11.xxx.xxx MULTI_sva: pool returned IPv4=192.168.10.2, IPv6=(Not enabled)
Dec 10 10:04:19 openvpn[23307]: client/94.11.xxx.xxx MULTI: Learn: 192.168.10.2 -> client/94.11.xxx.xxx
Dec 10 10:04:19 openvpn[23307]: client/94.11.xxx.xxx MULTI: primary virtual IP for client/94.11.xxx.xxx: 192.168.10.2
Dec 10 10:04:22 openvpn[23307]: client/94.11.xxx.xxx PUSH: Received control message: 'PUSH_REQUEST'
Dec 10 10:04:22 openvpn[23307]: client/94.11.xxx.xxx SENT CONTROL [client]: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0 vpn_gateway 500,dhcp-option DNS 192.168.1.1,redirect-gateway def1,dhcp-option DNS 192.168.1.1,route-gateway 192.168.10.1,topology subnet,ping 15,ping-restart 60,ifconfig 192.168.10.2 255.255.255.0,peer-id 0' (status=1)

Client Log:

Code:

Clientlog: 
20171210 10:14:35 Current Parameter Settings: 
20171210 10:14:35 config = '/tmp/openvpncl/openvpn.conf' 
20171210 10:14:35 mode = 0 
20171210 10:14:35 NOTE: --mute triggered... 
20171210 10:14:35 224 variation(s) on previous 3 message(s) suppressed by --mute 
20171210 10:14:35 I OpenVPN 2.3.10 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Apr 25 2016 
20171210 10:14:35 I library versions: OpenSSL 1.0.2g 1 Mar 2016 LZO 2.09 
20171210 10:14:35 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:16 
20171210 10:14:35 W WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info. 
20171210 10:14:35 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts 
20171210 10:14:35 W WARNING: file '/tmp/openvpncl/client.key' is group or others accessible 
20171210 10:14:35 LZO compression initialized 
20171210 10:14:35 Control Channel MTU parms [ L:1570 D:1212 EF:38 EB:0 ET:0 EL:3 ] 
20171210 10:14:35 Socket Buffers: R=[180224->180224] S=[180224->180224] 
20171210 10:14:36 Data Channel MTU parms [ L:1570 D:1450 EF:70 EB:143 ET:0 EL:3 AF:3/1 ] 
20171210 10:14:36 Local Options String: 'V4 dev-type tun link-mtu 1570 tun-mtu 1500 proto UDPv4 comp-lzo cipher AES-256-CBC auth SHA256 keysize 256 key-method 2 tls-client' 
20171210 10:14:36 Expected Remote Options String: 'V4 dev-type tun link-mtu 1570 tun-mtu 1500 proto UDPv4 comp-lzo cipher AES-256-CBC auth SHA256 keysize 256 key-method 2 tls-server' 
20171210 10:14:36 Local Options hash (VER=V4): 'fc8ba345' 
20171210 10:14:36 Expected Remote Options hash (VER=V4): '79a26cd9' 
20171210 10:14:36 I UDPv4 link local: [undef] 
20171210 10:14:36 I UDPv4 link remote: [AF_INET]79.69.xxx.xxx:yyyy 
20171210 10:14:36 TLS: Initial packet from [AF_INET]79.69.xxx.xxx:yyyyy sid=130ea42d 8d752deb 
20171210 10:14:36 VERIFY OK: depth=1 C=TW ST=TW L=Taipei O=ASUS CN=RT-AC87U emailAddress=me@myhost.mydomain 
20171210 10:14:36 VERIFY OK: depth=0 C=TW ST=TW L=Taipei O=ASUS CN=RT-AC87U emailAddress=me@myhost.mydomain 
20171210 10:14:36 W WARNING: 'link-mtu' is used inconsistently local='link-mtu 1570' remote='link-mtu 1558' 
20171210 10:14:36 W WARNING: 'auth' is used inconsistently local='auth SHA256' remote='auth SHA1' 
20171210 10:14:36 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key 
20171210 10:14:36 Data Channel Encrypt: Using 256 bit message hash 'SHA256' for HMAC authentication 
20171210 10:14:36 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key 
20171210 10:14:36 NOTE: --mute triggered... 
20171210 10:14:36 2 variation(s) on previous 3 message(s) suppressed by --mute 
20171210 10:14:36 I [RT-AC87U] Peer Connection Initiated with [AF_INET]79.69.xxx.xxx:yyyy 
20171210 10:14:37 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16 
20171210 10:14:37 D MANAGEMENT: CMD 'state' 
20171210 10:14:37 MANAGEMENT: Client disconnected 
20171210 10:14:38 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16 
20171210 10:14:38 SENT CONTROL [RT-AC87U]: 'PUSH_REQUEST' (status=1) 
20171210 10:14:38 D MANAGEMENT: CMD 'state' 
20171210 10:14:38 MANAGEMENT: Client disconnected 
20171210 10:14:38 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16 
20171210 10:14:38 D MANAGEMENT: CMD 'state' 
20171210 10:14:38 MANAGEMENT: Client disconnected 
20171210 10:14:38 PUSH: Received control message: 'PUSH_REPLY route 192.168.1.0 255.255.255.0 vpn_gateway 500 dhcp-option DNS 192.168.1.1 redirect-gateway def1 dhcp-option DNS 192.168.1.1 route-gateway 192.168.10.1 topology subnet ping 15 ping-restart 60 ifconfig 192.168.10.2 255.255.255.0 peer-id 0' 
20171210 10:14:38 OPTIONS IMPORT: timers and/or timeouts modified 
20171210 10:14:38 OPTIONS IMPORT: --ifconfig/up options modified 
20171210 10:14:38 NOTE: --mute triggered... 
20171210 10:14:38 5 variation(s) on previous 3 message(s) suppressed by --mute 
20171210 10:14:38 I TUN/TAP device tun1 opened 
20171210 10:14:38 TUN/TAP TX queue length set to 100 
20171210 10:14:38 I do_ifconfig tt->ipv6=1 tt->did_ifconfig_ipv6_setup=0 
20171210 10:14:38 I /sbin/ifconfig tun1 192.168.10.2 netmask 255.255.255.0 mtu 1500 broadcast 192.168.10.255 
20171210 10:14:38 /sbin/route add -net 79.69.xxx.xxx netmask 255.255.255.255 gw 192.168.0.1 
20171210 10:14:38 /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 192.168.10.1 
20171210 10:14:38 /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 192.168.10.1 
20171210 10:14:38 /sbin/route add -net 192.168.1.0 netmask 255.255.255.0 metric 500 gw 192.168.10.1 
20171210 10:14:38 I Initialization Sequence Completed 
20171210 10:14:38 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16 
20171210 10:14:38 D MANAGEMENT: CMD 'status 2' 
20171210 10:14:38 MANAGEMENT: Client disconnected 
20171210 10:14:38 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16 
20171210 10:14:38 D MANAGEMENT: CMD 'log 500' 
20171210 10:14:38 MANAGEMENT: Client disconnected 
20171210 10:14:53 N Authenticate/Decrypt packet error: packet HMAC authentication failed 
20171210 10:14:57 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16 
20171210 10:14:57 D MANAGEMENT: CMD 'state' 
20171210 10:14:57 MANAGEMENT: Client disconnected 
20171210 10:14:57 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16 
20171210 10:14:57 D MANAGEMENT: CMD 'state' 
20171210 10:14:57 MANAGEMENT: Client disconnected 
20171210 10:14:57 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16 
20171210 10:14:57 D MANAGEMENT: CMD 'state' 
20171210 10:14:57 MANAGEMENT: Client disconnected 
20171210 10:14:57 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16 
20171210 10:14:57 D MANAGEMENT: CMD 'status 2' 
20171210 10:14:57 MANAGEMENT: Client disconnected 
20171210 10:14:57 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16 
20171210 10:14:57 D MANAGEMENT: CMD 'log 500' 
19700101 00:00:00 

ca /tmp/openvpncl/ca.crt
cert /tmp/openvpncl/client.crt
key /tmp/openvpncl/client.key
management 127.0.0.1 16
management-log-cache 100
verb 3
mute 3
syslog
writepid /var/run/openvpncl.pid
client
resolv-retry infinite
nobind
persist-key
persist-tun
script-security 2
dev tun1
proto udp
cipher aes-256-cbc
auth sha256
remote ddns.asuscomm.com yyyy
comp-lzo adaptive
tun-mtu 1500
mtu-disc yes
fast-io
tun-ipv6
resolv-retry infinite
float
nobind
verb 4
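
An added example, not part of the original posts and not OpenVPN's own code: a small Python checker run over constructed excerpts of the two logs above. It pairs the `'auth' is used inconsistently` warnings with the `packet HMAC authentication failed` errors, tests whether the `link-mtu` difference is only the difference in HMAC tag length (32 bytes for SHA256, 20 for SHA1), and surfaces the client's certificate and key-file warnings; the function names are illustrative.

```python
import re

# HMAC output size in bytes for digests commonly used with OpenVPN's --auth.
DIGEST_BYTES = {"MD5": 16, "SHA1": 20, "SHA256": 32, "SHA512": 64}

# Matches both spellings seen in the thread: the server log separates the
# fields with commas, the DD-WRT client log does not.
MISMATCH_RE = re.compile(
    r"WARNING: '([\w-]+)' is used inconsistently,? "
    r"local='([^']+)',? remote='([^']+)'"
)
KEY_PERMS_RE = re.compile(r"WARNING: file '([^']+)' is group or others accessible")
HMAC_FAIL = "packet HMAC authentication failed"
NO_VERIFY = "No server certificate verification method has been enabled"

# Constructed samples: a few lines shortened from the two logs posted above.
SAMPLE_CLIENT_LOG = """\
20171210 10:14:35 W WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
20171210 10:14:35 W WARNING: file '/tmp/openvpncl/client.key' is group or others accessible
20171210 10:14:36 W WARNING: 'link-mtu' is used inconsistently local='link-mtu 1570' remote='link-mtu 1558'
20171210 10:14:36 W WARNING: 'auth' is used inconsistently local='auth SHA256' remote='auth SHA1'
20171210 10:14:38 I Initialization Sequence Completed
20171210 10:14:53 N Authenticate/Decrypt packet error: packet HMAC authentication failed
"""
SAMPLE_SERVER_LOG = """\
Dec 10 10:02:36 openvpn[1153]: client/94.11.xxx.xxx Authenticate/Decrypt packet error: packet HMAC authentication failed
Dec 10 10:02:52 openvpn[1153]: client/94.11.xxx.xxx Authenticate/Decrypt packet error: packet HMAC authentication failed
Dec 10 10:03:06 openvpn[1153]: client/94.11.xxx.xxx Authenticate/Decrypt packet error: packet HMAC authentication failed
Dec 10 10:03:23 openvpn[1153]: 94.11.xxx.xxx WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1558', remote='link-mtu 1570'
Dec 10 10:03:23 openvpn[1153]: 94.11.xxx.xxx WARNING: 'auth' is used inconsistently, local='auth SHA1', remote='auth SHA256'
"""


def parse_mismatches(log):
    """Return {option: (local_value, remote_value)} from the consistency warnings."""
    found = {}
    for option, local, remote in MISMATCH_RE.findall(log):
        # Values are logged as e.g. 'auth SHA256'; keep only the last word.
        found[option] = (local.split()[-1], remote.split()[-1])
    return found


def diagnose(log):
    """Return a list of (code, message) findings for one side's log."""
    findings = []
    mismatches = parse_mismatches(log)
    hmac_failures = log.count(HMAC_FAIL)
    explained = set()

    if "auth" in mismatches:
        local, remote = mismatches["auth"]
        findings.append((
            "auth-mismatch",
            f"--auth differs (local {local}, remote {remote}); "
            f"{hmac_failures} packet(s) rejected by the HMAC check",
        ))
        explained.add("auth")
        # link-mtu includes the HMAC tag, so a digest mismatch shifts it by the
        # difference in tag length. If the numbers agree, the link-mtu warning
        # is a side effect of the auth mismatch, not a second misconfiguration.
        sizes = (DIGEST_BYTES.get(local.upper()), DIGEST_BYTES.get(remote.upper()))
        if "link-mtu" in mismatches and None not in sizes:
            l_mtu, r_mtu = (int(v) for v in mismatches["link-mtu"])
            if l_mtu - r_mtu == sizes[0] - sizes[1]:
                explained.add("link-mtu")
    elif hmac_failures:
        findings.append((
            "hmac-failure",
            f"{hmac_failures} packet(s) failed HMAC with no auth warning logged",
        ))

    # Anything the auth mismatch does not account for is reported separately.
    for option in sorted(set(mismatches) - explained):
        local, remote = mismatches[option]
        findings.append(("option-mismatch", f"{option}: local {local}, remote {remote}"))

    if NO_VERIFY in log:
        findings.append((
            "no-server-cert-check",
            "no server certificate verification method enabled; the exported "
            "profile in the first post sets 'remote-cert-tls server'",
        ))
    for path in KEY_PERMS_RE.findall(log):
        findings.append(("key-permissions", f"{path} is readable by group or others"))
    return findings


if __name__ == "__main__":
    for name, log in (("client", SAMPLE_CLIENT_LOG), ("server", SAMPLE_SERVER_LOG)):
        for code, message in diagnose(log):
            print(f"[{name}] {code}: {message}")
```
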

TinCanTech
OpenVPN Protagonist
Posts: 11139
Joined: Fri Jun 03, 2016 1:17 pm

Re: Redirecting Client traffic access through Server (Asus + DLink)

Post by TinCanTech » Sun Dec 10, 2017 1:17 pm

If all you want is access to your home LAN then you only need to push the route for that network .. see:
HOWTO: Expanding the scope of the VPN to include additional machines

If you do want all your traffic to go via the tunnel then that is what you have done .. see:
HOWTO: Routing all client traffic (including web-traffic) through the VPN

As for what problem you have .. I have no idea without proper documentation.

Pseudomax
OpenVpn Newbie
Posts: 12
Joined: Mon Nov 20, 2017 11:23 pm

Re: Redirecting Client traffic access through Server (Asus + DLink)

Post by Pseudomax » Sun Dec 10, 2017 2:06 pm

Hi

Yes I have read (already) the two links you provided! It is the second scenario I am trying to set up. Yet when I link a machine to the client router I am provided a WAN address of the client's local gateway not the Server's gateway?! I assume this is incorrect as I want the client network to use the server's gateway ...

What additional documentation do you need? The images in the first post are screenshots of all the configurations ...

TinCanTech
OpenVPN Protagonist
Posts: 11139
Joined: Fri Jun 03, 2016 1:17 pm

Re: Redirecting Client traffic access through Server (Asus + DLink)

Post by TinCanTech » Sun Dec 10, 2017 4:27 pm

Pseudomax wrote:
Sun Dec 10, 2017 2:06 pm
when I link a machine to the client router I am provided a WAN address of the client's local gateway not the Server's gateway?!
This is the essence of your problem ... How are you testing this idea ?

Pseudomax
OpenVpn Newbie
Posts: 12
Joined: Mon Nov 20, 2017 11:23 pm

Re: Redirecting Client traffic access through Server (Asus + DLink)

Post by Pseudomax » Sun Dec 10, 2017 5:37 pm

I am using: https://www.whatismyip.com/

Pseudomax
OpenVpn Newbie
Posts: 12
Joined: Mon Nov 20, 2017 11:23 pm

Re: Redirecting Client traffic access through Server (Asus + DLink)

Post by Pseudomax » Wed Dec 13, 2017 1:11 am

By the way, am I able to generate my certificates on a Windows machine and then transfer them to the routers I will be using as server and client? I am sure this is a very basic question but it's not obvious to me as a very new OpenVPN user!

Thank you again ...

TinCanTech
OpenVPN Protagonist
Posts: 11139
Joined: Fri Jun 03, 2016 1:17 pm

Re: Redirecting Client traffic access through Server (Asus + DLink)

Post by TinCanTech » Wed Dec 13, 2017 2:10 am

Yes you can transfer certificates and keys as you describe .. just NOT over the internet.
