Jump to content
Not connected, Your IP: 3.82.58.213
tedreddy

Can not get connection to work with latest DD wrt

Recommended Posts

I successfully set up three cascaded routers a few years ago using SurprisedItWorks DD WRT guide (thank you for the work you did).  I found a Netgear R6250 for a few dollars and am trying to set up latest version of DD WRT but can not get it to work.

Internet -- Router1  ----- Router2-VPN
                            | ----- Router3 - No  VPN

Router 1 is a plain, basic-setup router like grandparents use.

On router 2 on the Setup-Basic Setup page I have duplicated my previous settings (making small adjustments of IP addresses so they don't conflict).  

Router 2 has DHCP enabled, has IP addresses on a different subnet (ie 192.168.50.1), gateway and local DNS are 0.0.0.0, static DNS 1 is 10.4.0.1,  and 142.4.204.111 for DNS2.
------
on Setup - Basic setup page

Wan connection - Automatic Configuration DHCP
Ignore WAN DNS - checked off
local IP address NNN.NNN.XXX.1   XXX is my working VPN router's value + 20
Gateway and Local DNS - 0.0.0.0
DHCP type - DHCP server
DHCP server - Enable
Start IP address - NNN.NNN.XXX.100

Static DNS 1 10.4.0.1
DNS2 - 142.4.204.111


Use dnsmasq for DNS - On
DHCP-Authoritative - On
Recursive DNS Resolving (Unbound) - OFF
Forced DNS Redirection - OFF
Forced DNS Redirection DoT _ OFF


I tried using SurprisedItWorks settings, but no luck.

I downloaded a config file, and imported it but no success.

Here are my current settings

------
on Services - VPN page
Enable Client - Enable
CVE-2019-14899 Mitigation - Enable

Server IP / Name : Port  193.37.254.2:443

Set Multiple Servers - NO

Tunnel Device-TUN
Tunnel Protocol -UDP4
Encryption Cipher-AES-256-CBC
Hash Algorithm -SHA512
First Data Cipher -CHaCHA20-Polly1305
Second Data Cipher -AES-256-GCM
Third Data Cipher -AES-256-CBC
User Pass Authentication - Disable
Advanced Options -Enable
TLS Cipher - none
Compression NO
NAT Enabke
Inbound Firewall on TUN - On
Killswitch - ON
Watchdog - Disable
Source Routing (PBR) - Route all sources via VPN
Tunnel MTU Setting - 1400
Tunnel UDP Fragment - Blank
Tunnel UDP MSS Fix - Diable
Verify Server Certificate - On

Additional Configuration
pull-filter ignore ifconfig-ipv6
pull-filter ignore route-ipv6


TLS / Static Key  - TLS Auth (this is from the config file I downloaded)
certs and keys are loaded in their data fields.

PKCS12 Key - Disable



LOG

TUN/TAP read bytes    0
TUN/TAP write bytes    0
TCP/UDP read bytes    0
TCP/UDP write bytes    172
Auth read bytes    0
pre-compress bytes    0
post-compress bytes    0
pre-decompress bytes    0
post-decompress bytes    0


Client Log:
19691231 16:00:22 W WARNING: Using --management on a TCP port WITHOUT passwords is STRONGLY discouraged and considered insecure
19691231 16:00:22 W WARNING: file '/tmp/openvpncl/ta.key' is group or others accessible
19691231 16:00:22 I OpenVPN 2.5.8 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Nov 8 2022
19691231 16:00:22 I library versions: OpenSSL 1.1.1s 1 Nov 2022 LZO 2.10
19691231 16:00:22 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:16
19691231 16:00:22 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
19691231 16:00:22 W WARNING: Your certificate is not yet valid!
19691231 16:00:22 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
19691231 16:00:22 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
19691231 16:00:22 W WARNING: normally if you use --mssfix and/or --fragment you should also set --tun-mtu 1500 (currently it is 1400)
19691231 16:00:22 I TCP/UDP: Preserving recently used remote address: [AF_INET]193.37.254.2:443
19691231 16:00:22 Socket Buffers: R=[262144->262144] S=[262144->262144]
19691231 16:00:22 I UDPv4 link local: (not bound)
19691231 16:00:22 I UDPv4 link remote: [AF_INET]193.37.254.2:443
19691231 16:00:24 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
19691231 16:00:24 D MANAGEMENT: CMD 'state'
19691231 16:00:24 MANAGEMENT: Client disconnected
19691231 16:00:24 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
19691231 16:00:24 D MANAGEMENT: CMD 'state'
19691231 16:00:24 MANAGEMENT: Client disconnected
19691231 16:00:24 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
19691231 16:00:24 D MANAGEMENT: CMD 'state'
19691231 16:00:24 MANAGEMENT: Client disconnected
19691231 16:00:24 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
19691231 16:00:24 D MANAGEMENT: CMD 'status 2'
19691231 16:00:24 MANAGEMENT: Client disconnected
19691231 16:00:24 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
19691231 16:00:24 D MANAGEMENT: CMD 'log 500'

Any ideas what to adjust to get the connection working?

Thanks

 

Share this post


Link to post

You can't get a connection until you have acquired network time via the ntp client. The clue that this has not happened yet is the 1969 dates on all your log entries!

I've never set up a router to run everything through the VPN. I prefer (source) policy-based routing (PBR) for many reasons, one of which, relevant here I'm guessing, is that I want to be able to see that the nonVPN parts of the router are working well before I get into the VPN setup.

Have to admit I'm surprised by your decision to use TLS-auth. Is TLS-crypt not available for the particular router you are using?

I'll have a closer look at your setup in another dozen hours or so. Won't be near a proper computer (to compare to my settings) again before that.

Meanwhile, if you haven't already checked it out, do read through @egc's OpenVPN client-setup guide posted in a Sticky at the top of the Advanced Networking forum at https://forum.dd-wrt.com, as that's where you'll find the details to do with how things have changed since I wrote my AirVPN setup guide for dd-wrt so many moons ago. 

Share this post


Link to post

< You can't get a connection until you have acquired network time via the ntp client > that makes sense.

< Have to admit I'm surprised by your decision to use TLS-auth. >  that was from the OpenVPN config generator - I'll update once I get the VPN connection working.

After I had my routers set up a few years ago, I just left them working. PBR is new to me,  so I went with what I know.  I'll adjust the  PBR entry and  try again.  ( I have gone  over the  DD  WRT  forums many times, trying  to understand the black magick of networkeing - you sorcerers have my admiration )

Thanks for ;your comments.


 

Share this post


Link to post

Re PBR: no need to try.  Just temporarily disable the OpenVPN client in the GUI (it won't lose your settings), save and apply, and reboot.  If it starts up fine with everything working, you should be fine to re-enable it.

Looking more carefully at your settings, I don't see any obvious problems other than NTP time.  So in dd-wrt Settings/BasicSetup, be sure you are setting your time zone but leaving the ServerIP/Name following it empty so that it defaults.  To verify that time is up and not stuck in 1969, either do "date" in the CLI or in the GUI look at Current Time in Status/Router in the GUI.  Once it is up, OpenVPN should untangle itself within a few minutes unless the process has died.  Give it at least 5m, as its retry intervals get longer and longer and will definitely reach that level.  Re process death, in the CLI do "ps | grep [o]penvpn" and look for the command that started the process.  If the process has died, you'll instead get nothing.  (You can likely tell at GUI/Services/VPN as well, but I forget the details.)  If the process has died, you should be able to restart it by going to dd-wrt Services/VPN page and clicking Apply Settings.  If it always dies too soon - I've seen this with some routers - you can try the watchdog, and if even that fails, we can hand code a super-simple custom watchdog for Startup.  I have used the latter approach for years with one router, and it seems fine.  (I've never tried the standard watchdog, as I was using my own before it existed.)

Other, lesser suggestions... Settings/BasicSetup: Ignore WAN DNS on, to avoid DNS leaks.  Shortcut Forwarding Engine off, just because SFE is often mysteriously troublesome.  MTU to Auto.  Re TLS-auth vs TLS-crypt: You clearly are on top of this, but for others... On the Air configurator page, check the advanced box near the top to get the much longer list of protocol/port choices, and scan down to the first entry showing tls-crypt in the rightmost column.  That line should still show port 443.  Select that line (and expect the last octet of your server IP to change slightly, to reflect Entry 3 instead of Entry 1).  I'm not big on actually importing a config from Air's configurator, as there are details in what dd-wrt needs that differ slightly (at least in the PBR case, and I haven't checked your case).

That's what I can think of at the moment.  Your dd-wrt build and openvpn versions are slightly newer than mine (50474 and 2.5.7), so its conceivable that you have met quirks that I have not.  I haven't had problems for many months when changing builds though, so that feels unlikely.

 

Share this post


Link to post

Surprised - thanks for your help, the time comment was the key  - I set the PBR to Route Selected as you suggested and now I'm connected though VPN.

I  reset the router and generated a new open vpn config with TLS crypt..


[  For other new users - pay attention to the small Advanced checkbox in the upper right of the generate configurations page, this will give you access to a larger selection of config files, and scroll down to find the TLS crypt one.  Otherwise you will get the older type of TLS config file.  ]


I'm still unclear about PBR and what is and is not passed through.  I copied your example and so far my computer is routed through the VPN.  I had searched for info on PBR when DD WRT first implented it, buy didn't find anything clear for a non-networking person.

Although the  router is connecting through the VPN, the log shows the router is connecting and disconnecting again and again.  Any ideas what is causing this?

20221124 07:55:43 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20221124 07:55:43 D MANAGEMENT: CMD 'log 500'
20221124 07:55:43 MANAGEMENT: Client disconnected
20221124 07:55:45 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20221124 07:55:45 D MANAGEMENT: CMD 'state'
20221124 07:55:45 MANAGEMENT: Client disconnected
20221124 07:55:45 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20221124 07:55:45 D MANAGEMENT: CMD 'state'
20221124 07:55:45 MANAGEMENT: Client disconnected

=======================================================================================================
For anyone else trying to get your router working here is the link to SurprisedItWork's DD WRT post on setting up a router for AirVPN.
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=321856

Share this post


Link to post

Glad to hear you got it going!

Re PBR, to make it easy, change your DHCP settings to start/max of 128/64 rather than the default 100/50. Then if your router is at (for example) 192.168.1.1 with netmask 255.255.255.0, the CIDR notation to represent DHCP range 192.168.1.128 through 192.168.1.191 is 192.168.1.128/26, and that is all you need in the PBR window to specify the IPs. Easy to add other IPs or ranges outside of the DHCP range as well if you have some fixed/static addresses.  Just add each spec on a separate line.  (Stay away from IPs ending in .0 and .1 and .255 unless you are really sure you know what you are doing.) Lots of brief online tutorials out there on CIDR notation if that would help.

Share this post


Link to post

You can ignore the MANAGEMENT lines.  That is not the main data connection through the VPN.  Instead it's a separate low-speed connection through which the dd-wrt GUI communicates with the openvpn process.  No problem at all.

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Security Check
    Play CAPTCHA Audio
    Refresh Image

×
×
  • Create New...