securvark

[Solved with minor issue] OpenVPN on OpenWrt CC 15.05 and DD (trunk)

I upgraded my router to the latest nightly (see title), I'm coming from Chaos Calmer. I upgraded because I was having some other (non-vpn) related issues with CC builds.

I've configured my router with OpenVPN. I generated a config for routers, separate certs, resolve ticked. Copied to my router and renamed the AirVPN...ovpn to airvpn.ovpn.

The problem is, it takes AAAGES for something to load. It does eventually load, though. DNS resolving is quick, I can use dig or nslookup and response is instant. When I telnet to a website's IP address on port 80 it just takes minutes and finally connects. Browser sometimes simply stops loading because it's taking too long.

Not sure what's going on, can anyone help?

Here's the output:

root@myrouter:/etc/openvpn# openvpn --cd /etc/openvpn --config /etc/openvpn/airvpn.ovpn
Mon Jan 18 22:11:47 2016 OpenVPN 2.3.7 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6]
Mon Jan 18 22:11:47 2016 library versions: OpenSSL 1.0.2e 3 Dec 2015, LZO 2.08
Mon Jan 18 22:11:47 2016 WARNING: file 'user.key' is group or others accessible
Mon Jan 18 22:11:47 2016 WARNING: file 'ta.key' is group or others accessible
Mon Jan 18 22:11:47 2016 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
Mon Jan 18 22:11:47 2016 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Jan 18 22:11:47 2016 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Jan 18 22:11:47 2016 Socket Buffers: R=[163840->131072] S=[163840->131072]
Mon Jan 18 22:11:47 2016 UDPv4 link local: [undef]
Mon Jan 18 22:11:47 2016 UDPv4 link remote: [AF_INET]213.152.162.148:443
Mon Jan 18 22:11:47 2016 TLS: Initial packet from [AF_INET]213.152.162.148:443, sid=a579b56c daba3750
Mon Jan 18 22:11:47 2016 VERIFY OK: depth=1, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=airvpn.org CA, emailAddress=info@airvpn.org
Mon Jan 18 22:11:47 2016 Validating certificate key usage
Mon Jan 18 22:11:47 2016 ++ Certificate has key usage  00a0, expects 00a0
Mon Jan 18 22:11:47 2016 VERIFY KU OK
Mon Jan 18 22:11:47 2016 Validating certificate extended key usage
Mon Jan 18 22:11:47 2016 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Mon Jan 18 22:11:47 2016 VERIFY EKU OK
Mon Jan 18 22:11:47 2016 VERIFY OK: depth=0, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=server, emailAddress=info@airvpn.org
Mon Jan 18 22:11:54 2016 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Jan 18 22:11:54 2016 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Jan 18 22:11:54 2016 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Jan 18 22:11:54 2016 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Jan 18 22:11:54 2016 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Mon Jan 18 22:11:54 2016 [server] Peer Connection Initiated with [AF_INET]213.152.162.148:443
Mon Jan 18 22:11:56 2016 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Mon Jan 18 22:11:56 2016 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 10.4.0.1,comp-lzo no,route-gateway 10.4.0.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.4.21.34 255.255.0.0'
Mon Jan 18 22:11:56 2016 OPTIONS IMPORT: timers and/or timeouts modified
Mon Jan 18 22:11:56 2016 OPTIONS IMPORT: LZO parms modified
Mon Jan 18 22:11:56 2016 OPTIONS IMPORT: --ifconfig/up options modified
Mon Jan 18 22:11:56 2016 OPTIONS IMPORT: route options modified
Mon Jan 18 22:11:56 2016 OPTIONS IMPORT: route-related options modified
Mon Jan 18 22:11:56 2016 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Mon Jan 18 22:11:56 2016 TUN/TAP device tun0 opened
Mon Jan 18 22:11:56 2016 TUN/TAP TX queue length set to 100
Mon Jan 18 22:11:56 2016 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Mon Jan 18 22:11:56 2016 /sbin/ifconfig tun0 10.4.21.34 netmask 255.255.0.0 mtu 1500 broadcast 10.4.255.255
Mon Jan 18 22:12:01 2016 /sbin/route add -net 213.152.162.148 netmask 255.255.255.255 gw 83.84.6.1
Mon Jan 18 22:12:01 2016 /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.4.0.1
Mon Jan 18 22:12:01 2016 /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.4.0.1
Mon Jan 18 22:12:01 2016 Initialization Sequence Completed
^CMon Jan 18 22:14:42 2016 event_wait : Interrupted system call (code=4)
Mon Jan 18 22:14:42 2016 SIGTERM received, sending exit notification to peer
Mon Jan 18 22:14:47 2016 /sbin/route del -net 213.152.162.148 netmask 255.255.255.255
Mon Jan 18 22:14:47 2016 /sbin/route del -net 0.0.0.0 netmask 128.0.0.0
Mon Jan 18 22:14:47 2016 /sbin/route del -net 128.0.0.0 netmask 128.0.0.0
Mon Jan 18 22:14:47 2016 Closing TUN/TAP interface
Mon Jan 18 22:14:47 2016 /sbin/ifconfig tun0 0.0.0.0
Mon Jan 18 22:14:47 2016 SIGTERM[soft,exit-with-notification] received, process exiting

If you need anything else, let me know and I'll post it.

Link to post

Well, maybe it isn't even resolving, or maybe that changes after I disconnect/reconnect. Right now, it's not even resolving from an SSH session on the router itself.

I imported the profile on my PC (running Linux) and it works fine.

Should I downgrade to CC again?

Link to post

I downgraded to the stable CC 15.05, and I'm seeing the same problem.

Funny thing is, it worked the first time around but I screwed up the config. After a factory reset I am basically following the same procedure but it's not working anymore.

Link to post

Try to remove the "explicit-exit-notify" directive, it's not implemented in OpenWRT's OpenVPN.

What router is that? The general OpenVPN performance even on high end models is not very solid, especially if you use high-bandwidth applications.


Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.

Link to post

Thanks for the reply.

The router is a TP-Link TL-WDR4300 v1. When it did work a couple of days ago, the performance was around 7mbit. It was actually performing quite well. I could live with 7mbit, not with not working at all.

I do need to remove the explicit-exit-notify, it doesn't work without it. On DD however, with a newer version of OpenVPN that directive no longer throws an error message and I assume it works.

I'm back at DD trunk, it seems a solid build and I get no errors in my logs and everything works. I must be doing something wrong since I couldn't get airvpn to work after I downgraded to CC 15.05 but I have no idea what I'm doing wrong.

I'm following this guide and I get stuck on step 14.

Link to post

OK, now it works. Not sure what went wrong last time but oh well.

Just one problem. I would like to stop at step 14 from the guide I linked to. It allows me to start/stop the VPN on demand.

The problem is, I need to edit /etc/config/dhcp and add the dhcp_option and restart odhcpd:

config dhcp 'lan'
....
        list dhcp_option '6,10.26.13.23,10.4.0.1'

When I disconnect VPN, I need to remove it and do /etc/init.d/odhcpd restart again.

Is there any way around that, short of writing a custom script that takes care of that?

Link to post
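
One way to automate the manual edit described in the last post, as an added example that is not from the thread or from the guide it mentions: a hook script that OpenVPN runs on connect and disconnect, which adds or removes the DHCP option with `uci` and restarts odhcpd. The script path and function names are hypothetical; the option value and the init script are the ones quoted in the post.

```shell
#!/bin/sh
# Added example: hook for OpenVPN's `up` and `down` directives. Assumed
# additions to airvpn.ovpn (the path is hypothetical):
#   script-security 2
#   up   /etc/openvpn/dns-hook.sh
#   down /etc/openvpn/dns-hook.sh
# OpenVPN exports $script_type ("up" or "down") before running the script.

# DHCP option 6 (DNS servers) value, copied from the post above.
DNS_OPT="${DNS_OPT:-6,10.26.13.23,10.4.0.1}"
# Init script the post restarts; overridable so the hook can be dry-run.
DHCP_INIT="${DHCP_INIT:-/etc/init.d/odhcpd}"

# Remove our entry from dhcp.lan; succeeds even when it is absent.
dns_opt_clear() {
    uci -q del_list dhcp.lan.dhcp_option="$DNS_OPT" || true
}

# Hand the VPN resolvers to LAN clients. Clearing first keeps a reconnect
# from stacking duplicate entries in /etc/config/dhcp.
vpn_dns_up() {
    dns_opt_clear
    uci add_list dhcp.lan.dhcp_option="$DNS_OPT" &&
        uci commit dhcp &&
        "$DHCP_INIT" restart
}

# Return LAN clients to the router's default DNS when the tunnel goes down.
vpn_dns_down() {
    dns_opt_clear
    uci commit dhcp && "$DHCP_INIT" restart
}

# Do nothing unless OpenVPN invoked the script as an up or down hook.
case "${script_type:-}" in
    up)   vpn_dns_up ;;
    down) vpn_dns_down ;;
esac
```

Because `script-security 2` lets OpenVPN execute this file as root, keep it owned by root and not writable by group or others, the same permission hygiene the `user.key` and `ta.key` warnings in the log above ask for.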
