MessyNick 0 Posted ...

Hi, I'm trying to set up my dd-wrt router so that all traffic goes through VPN. I've followed the AirVPN instructions, but after doing from scratch 3 times I can't get it to work. Any tips / guidance / help very gratefully received.

Log Serverlog Clientlog

20121204 17:18:43 I SIGUSR1[soft tls-error] received process restarting
20121204 17:18:43 Restart pause 2 second(s)
20121204 17:18:45 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
20121204 17:18:45 I Re-using SSL/TLS context
20121204 17:18:45 I LZO compression initialized
20121204 17:18:45 Control Channel MTU parms [ L:1558 D:138 EF:38 EB:0 ET:0 EL:0 ]
20121204 17:18:45 Socket Buffers: R=[114688->131072] S=[114688->131072]
20121204 17:18:45 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
20121204 17:18:45 Local Options String: 'V4 dev-type tun link-mtu 1558 tun-mtu 1500 proto UDPv4 comp-lzo cipher AES-256-CBC auth SHA1 keysize 256 key-method 2 tls-client'
20121204 17:18:45 Expected Remote Options String: 'V4 dev-type tun link-mtu 1558 tun-mtu 1500 proto UDPv4 comp-lzo cipher AES-256-CBC auth SHA1 keysize 256 key-method 2 tls-server'
20121204 17:18:45 Local Options hash (VER=V4): '22188c5b'
20121204 17:18:45 Expected Remote Options hash (VER=V4): 'a8f55717'
20121204 17:18:45 I UDPv4 link local: [undef]
20121204 17:18:45 I UDPv4 link remote: 31.193.12.74:443
20121204 17:18:45 TLS: Initial packet from 31.193.12.74:443 sid=1501dc1e 9cc2659c
20121204 17:18:45 VERIFY OK: depth=1 /C=IT/ST=IT/L=Perugia/O=airvpn.org/CN=airvpn.org_CA/emailAddress=info@airvpn.org
20121204 17:18:45 VERIFY OK: nsCertType=SERVER
20121204 17:18:45 VERIFY OK: depth=0 /C=IT/ST=IT/L=Perugia/O=airvpn.org/CN=server/emailAddress=info@airvpn.org
20121204 17:19:45 N TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
20121204 17:19:45 N TLS Error: TLS handshake failed
20121204 17:19:45 TCP/UDP: Closing socket
20121204 17:19:45 I SIGUSR1[soft tls-error] received process restarting
20121204 17:19:45 Restart pause 2 second(s)
20121204 17:19:47 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
20121204 17:19:47 I Re-using SSL/TLS context
20121204 17:19:47 I LZO compression initialized
20121204 17:19:47 Control Channel MTU parms [ L:1558 D:138 EF:38 EB:0 ET:0 EL:0 ]
20121204 17:19:47 Socket Buffers: R=[114688->131072] S=[114688->131072]
20121204 17:19:47 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
20121204 17:19:47 Local Options String: 'V4 dev-type tun link-mtu 1558 tun-mtu 1500 proto UDPv4 comp-lzo cipher AES-256-CBC auth SHA1 keysize 256 key-method 2 tls-client'
20121204 17:19:47 Expected Remote Options String: 'V4 dev-type tun link-mtu 1558 tun-mtu 1500 proto UDPv4 comp-lzo cipher AES-256-CBC auth SHA1 keysize 256 key-method 2 tls-server'
20121204 17:19:47 Local Options hash (VER=V4): '22188c5b'
20121204 17:19:47 Expected Remote Options hash (VER=V4): 'a8f55717'
20121204 17:19:47 I UDPv4 link local: [undef]
20121204 17:19:47 I UDPv4 link remote: 31.193.12.74:443
20121204 17:19:47 TLS: Initial packet from 31.193.12.74:443 sid=6376028a e17a23ad
20121204 17:19:47 VERIFY OK: depth=1 /C=IT/ST=IT/L=Perugia/O=airvpn.org/CN=airvpn.org_CA/emailAddress=info@airvpn.org
20121204 17:19:47 VERIFY OK: nsCertType=SERVER
20121204 17:19:47 VERIFY OK: depth=0 /C=IT/ST=IT/L=Perugia/O=airvpn.org/CN=server/emailAddress=info@airvpn.org
20121204 17:20:06 MANAGEMENT: Client connected from 127.0.0.1:5001
20121204 17:20:06 D MANAGEMENT: CMD 'state'
20121204 17:20:06 MANAGEMENT: Client disconnected
20121204 17:20:06 MANAGEMENT: Client connected from 127.0.0.1:5001
20121204 17:20:06 D MANAGEMENT: CMD 'state'
20121204 17:20:06 MANAGEMENT: Client disconnected
20121204 17:20:06 MANAGEMENT: Client connected from 127.0.0.1:5001
20121204 17:20:06 D MANAGEMENT: CMD 'state'
20121204 17:20:06 MANAGEMENT: Client disconnected
20121204 17:20:06 MANAGEMENT: Client connected from 127.0.0.1:5001
20121204 17:20:06 D MANAGEMENT: CMD 'log 500'
19700101 00:00:00
Staff 9972 Posted ...

Hello!

From the logs, it appears that you have one of the bugged DD-WRT OpenVPN firmwares. A re-flash of a different firmware version should solve the problem. What is your router model?

Kind regards
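The pattern visible in the client log above (the server certificate chain verifies, then "TLS key negotiation failed to occur within 60 seconds", then a soft restart) can be picked out of a DD-WRT OpenVPN client log mechanically. The Python below is an added example, not part of the original thread; the sample lines are constructed in the same format with a documentation address, and the function names are hypothetical.

```python
import re
from datetime import datetime

# Constructed sample in the DD-WRT client-log format from the first post:
# timestamp, optional one-letter level, message. 192.0.2.10 is a documentation address.
SAMPLE_LOG = """\
20121204 17:18:45 I UDPv4 link remote: 192.0.2.10:443
20121204 17:18:45 TLS: Initial packet from 192.0.2.10:443 sid=00000000 00000000
20121204 17:18:45 VERIFY OK: depth=1 /O=example/CN=example_CA
20121204 17:18:45 VERIFY OK: depth=0 /O=example/CN=server
20121204 17:19:45 N TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
20121204 17:19:45 N TLS Error: TLS handshake failed
20121204 17:19:45 I SIGUSR1[soft tls-error] received process restarting
20121204 17:19:47 I UDPv4 link remote: 192.0.2.10:443
20121204 17:19:47 TLS: Initial packet from 192.0.2.10:443 sid=11111111 11111111
20121204 17:19:47 VERIFY OK: depth=0 /O=example/CN=server
"""

LINE = re.compile(r"^(\d{8} \d{2}:\d{2}:\d{2}) (?:([A-Z]) )?(.*)$")

def parse(log):
    """Yield (datetime, level or None, message) for each well-formed line."""
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if m and m.group(3):
            yield datetime.strptime(m.group(1), "%Y%m%d %H:%M:%S"), m.group(2), m.group(3)

def attempts(log):
    """Split the log into connection attempts, one per 'link remote' line."""
    out = []
    for ts, _level, msg in parse(log):
        if "link remote:" in msg:
            out.append({"start": ts, "remote": msg.split("link remote: ")[1],
                        "cert_ok": False, "outcome": "in progress"})
        elif out:
            a = out[-1]
            if msg.startswith("VERIFY OK: depth=0"):
                a["cert_ok"] = True          # leaf (server) certificate accepted
            elif "TLS key negotiation failed" in msg:
                a["outcome"] = "handshake timeout"
                a["stalled_s"] = int((ts - a["start"]).total_seconds())
            elif "Initialization Sequence Completed" in msg:
                a["outcome"] = "connected"
    return out

def stalled_after_verify(log):
    """Attempts where the server certificate verified, yet the TLS handshake timed out."""
    return [a for a in attempts(log) if a["cert_ok"] and a["outcome"] == "handshake timeout"]
```

An attempt returned by stalled_after_verify got as far as certificate verification before timing out, which is the sequence the log in this thread repeats on every restart.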
MessyNick 0 Posted ...

Ahh, this is running on a Linksys e3200. I'm happy to try another version, but if you know a non-bugged version I'd be very grateful.

Cheers
Staff 9972 Posted ...

Hello!

dd-wrt.v24-18774_NEWD-2_K2.6_openvpn.bin is reported as working. Before re-flashing, please check your iptables rules (just in case...).

You might also like to read this thread: https://airvpn.org/index.php?option=com_kunena&func=view&catid=3&id=3948&limit=6&limitstart=12&Itemid=142#4002

Kind regards
MessyNick 0 Posted ...

Many thanks for the guidance so far... However, I'm in a little over my head! My ip table looks like this:

192.168.1.0 * 255.255.255.0 U 0 0 0 br0
81.102.244.0 * 255.255.252.0 U 0 0 0 vlan2
169.254.0.0 * 255.255.0.0 U 0 0 0 br0
127.0.0.0 * 255.0.0.0 U 0 0 0 lo
default cpc1-brig16-2-0 0.0.0.0 UG 0 0 0 vlan2

Would I be correct in thinking that the vlan is causing a problem? I tried substituting tun0 with vlan2 in the firewall rules, but that killed my connection. I've never come across vlan before and don't have any use for it so am happy to turn it off if this is the problem.
Staff 9972 Posted ...

Hello!

Wait, the admin meant the iptables rules for your DD-WRT router, according to the instructions.

Kind regards
MessyNick 0 Posted ...

I posted what I thought was the iptable from the wrt router (telnet in and netstat -r). Below is the routing table from the router GUI:

192.168.1.0 255.255.255.0 0.0.0.0 LAN & WLAN
81.102.244.0 255.255.252.0 0.0.0.0 WAN
169.254.0.0 255.255.0.0 0.0.0.0 LAN & WLAN
0.0.0.0 0.0.0.0 81.102.244.1 WAN

Can you please let me know if neither of these were what was asked about.

Also, in the post that you pointed me towards he mentioned changing LZO compression to adaptive. I've done this and no change.

I'm happy to try the firmware build suggested to rule out a bugged version. I'll let you know how this goes later tonight.

Many thanks for your time so far, it's much appreciated.
MessyNick 0 Posted ...

I've just got the following from the iptables

root@DD-WRT:~# iptables -t filter -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
REJECT 0 -- anywhere anywhere reject-with icmp-port-unreachable
ACCEPT 0 -- anywhere anywhere state RELATED,ESTABLISHED
DROP udp -- anywhere anywhere udp dpt:route
DROP udp -- anywhere anywhere udp dpt:route
ACCEPT udp -- anywhere anywhere udp dpt:route
DROP icmp -- anywhere anywhere
DROP igmp -- anywhere anywhere
ACCEPT 0 -- anywhere anywhere state NEW
ACCEPT 0 -- anywhere anywhere state NEW
DROP 0 -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT 0 -- anywhere anywhere
ACCEPT 0 -- anywhere anywhere
ACCEPT gre -- 192.168.1.0/24 anywhere
ACCEPT tcp -- 192.168.1.0/24 anywhere tcp dpt:1723
ACCEPT 0 -- anywhere anywhere
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
lan2wan 0 -- anywhere anywhere
ACCEPT 0 -- anywhere anywhere state RELATED,ESTABLISHED
TRIGGER 0 -- anywhere anywhere TRIGGER type:in match:0 relate:0
trigger_out 0 -- anywhere anywhere
ACCEPT 0 -- anywhere anywhere state NEW
DROP 0 -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain advgrp_1 (0 references)
target prot opt source destination

Chain advgrp_10 (0 references)
target prot opt source destination

Chain advgrp_2 (0 references)
target prot opt source destination

Chain advgrp_3 (0 references)
target prot opt source destination

Chain advgrp_4 (0 references)
target prot opt source destination

Chain advgrp_5 (0 references)
target prot opt source destination

Chain advgrp_6 (0 references)
target prot opt source destination

Chain advgrp_7 (0 references)
target prot opt source destination

Chain advgrp_8 (0 references)
target prot opt source destination

Chain advgrp_9 (0 references)
target prot opt source destination

Chain grp_1 (0 references)
target prot opt source destination

Chain grp_10 (0 references)
target prot opt source destination

Chain grp_2 (0 references)
target prot opt source destination

Chain grp_3 (0 references)
target prot opt source destination

Chain grp_4 (0 references)
target prot opt source destination

Chain grp_5 (0 references)
target prot opt source destination

Chain grp_6 (0 references)
target prot opt source destination

Chain grp_7 (0 references)
target prot opt source destination

Chain grp_8 (0 references)
target prot opt source destination

Chain grp_9 (0 references)
target prot opt source destination

Chain lan2wan (1 references)
target prot opt source destination

Chain logaccept (0 references)
target prot opt source destination
ACCEPT 0 -- anywhere anywhere

Chain logdrop (0 references)
target prot opt source destination
DROP 0 -- anywhere anywhere

Chain logreject (0 references)
target prot opt source destination
REJECT tcp -- anywhere anywhere reject-with tcp-reset

Chain trigger_out (1 references)
target prot opt source destination

root@DD-WRT:~# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT icmp -- anywhere cpc1-brig16-2-0-cust59.3-3.cable.virginmedia.com to:192.168.1.1
TRIGGER 0 -- anywhere cpc1-brig16-2-0-cust59.3-3.cable.virginmedia.com TRIGGER type:dnat match:0 relate:0

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT 0 -- 192.168.1.0/24 anywhere to:81.102.244.60
RETURN 0 -- anywhere anywhere PKTTYPE = broadcast
MASQUERADE 0 -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Staff 9972 Posted ...

Hello!

Please make sure that you have inserted the iptables rules reported in the "DD-WRT firewall rules" section in https://airvpn.org/ddwrt so that they are inserted when the tun+ interface comes up with the OpenVPN client.

After that, if the router still fails connection and the logs are the same then please proceed to re-flash the firmware.

Kind regards
MessyNick 0 Posted ...

Very happy to say that updated to the recommended firmware and worked on first boot. Many thanks for your help and patience.

Cheers, have a good one.

Nick
Staff 9972 Posted ...

Hello!

That's great, thank you for the information!

Kind regards
airfyh 0 Posted ...

I also have an E3200 with DD-WRT, and can verify that the later DD-WRT firmware versions do not work to connect with OpenVPN. I started with 19432 and worked backwards through the firmware versions, finally found that the latest "big" version of the firmware that works is 17990, that is working good for me.