DPurnell Posted ...

Hi, any help getting connected appreciated please. I have 2 routers on my network. They do not run in bridged mode; router B has DD-WRT on it, is connected to router A and is addressed as a DMZ client device from router A. I think the issue that I am having is DNS, though I am unsure. I have had OpenVPN running using TorGuard from router B successfully in the past.

WEB -> ROUTER A (192.168.1.1) -> DMZ to WAN IP ADDRESS ROUTER B (192.168.1.100) -> ROUTER B LOCAL IP ADDRESS 192.168.2.1

I've telnetted router B and here is the conf for OpenVPN.

ca /tmp/openvpncl/ca.crt
cert /tmp/openvpncl/client.crt
key /tmp/openvpncl/client.key
management 127.0.0.1 5001
management-log-cache 50
verb 4
mute 5
log-append /var/log/openvpncl
writepid /var/run/openvpncl.pid
client
resolv-retry infinite
nobind
persist-key
persist-tun
script-security 2
mtu-disc yes
dev tun1
proto udp
cipher aes-256-cbc
auth sha1
remote 31.193.12.74 443
tls-client
tun-mtu 1500
comp-lzo yes
ns-cert-type server
fast-io
auth-user-pass /tmp/password.txt
persist-key
persist-tun
tls-client
remote-cert-tls server
Staff Posted ...

Hello! Is router B trying to connect to AirVPN? If so, the OpenVPN configuration has several mistakes (wrong authentication type with username/password, wrong tls-client directive; beware, it's repeated twice). Please revert to the configuration provided by our configuration generator.

Kind regards
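The two problems the reply points at (a directive repeated, and username/password authentication mixed into a certificate profile) are easy to catch mechanically before the profile is pasted into DD-WRT. The script below is an added example, not code from the thread, from AirVPN or from DD-WRT; the profile it lints is a constructed copy of the one posted above, and the labels it prints (`cert`, `userpass`, `cert+userpass`) are its own naming.

```shell
#!/bin/sh
# Added example, not code from the thread or from AirVPN/DD-WRT: a small
# lint for an OpenVPN client profile that reports repeated directives and a
# username/password directive mixed into a certificate-authenticated profile.

# Constructed copy of the profile posted above, one directive per line.
SAMPLE_CONF=$(cat <<'EOF'
ca /tmp/openvpncl/ca.crt
cert /tmp/openvpncl/client.crt
key /tmp/openvpncl/client.key
management 127.0.0.1 5001
management-log-cache 50
verb 4
mute 5
log-append /var/log/openvpncl
writepid /var/run/openvpncl.pid
client
resolv-retry infinite
nobind
persist-key
persist-tun
script-security 2
mtu-disc yes
dev tun1
proto udp
cipher aes-256-cbc
auth sha1
remote 31.193.12.74 443
tls-client
tun-mtu 1500
comp-lzo yes
ns-cert-type server
fast-io
auth-user-pass /tmp/password.txt
persist-key
persist-tun
tls-client
remote-cert-tls server
EOF
)

# directives CONF: the first word of every non-comment, non-empty line
directives() {
    printf '%s\n' "$1" | grep -v -E '^[[:space:]]*(#|;|$)' | awk '{ print $1 }'
}

# duplicate_directives CONF: directive names that occur more than once
duplicate_directives() {
    directives "$1" | sort | uniq -d
}

# has_directive CONF NAME: succeeds if NAME appears as a directive
has_directive() {
    directives "$1" | grep -q -x -F -- "$2"
}

# auth_mode CONF: how the profile authenticates to the server (labels are
# this script's own):
#   cert           cert + key only
#   userpass       auth-user-pass only
#   cert+userpass  both, the mix flagged in the reply above
#   none           neither
auth_mode() {
    mode=none
    if has_directive "$1" cert && has_directive "$1" key; then
        mode=cert
    fi
    if has_directive "$1" auth-user-pass; then
        if [ "$mode" = cert ]; then mode=cert+userpass; else mode=userpass; fi
    fi
    printf '%s\n' "$mode"
}

# lint CONF: one finding per line; empty output means nothing to report
lint() {
    for d in $(duplicate_directives "$1"); do
        printf 'duplicate directive: %s\n' "$d"
    done
    if [ "$(auth_mode "$1")" = cert+userpass ]; then
        printf 'auth-user-pass present alongside cert/key\n'
    fi
}

lint "$SAMPLE_CONF"
```

Run it against the profile DD-WRT actually writes (the thread later notes the GUI regenerates it), not against the file you edited by hand.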
DPurnell Posted ...

Hi, thanks for the help on this. I was able to verify the settings by checking the OpenVPN log in DD-WRT and also by generating the connection log, which I included as a value in the OpenVPN conf:

log-append /var/log/openvpncl

(for anyone else looking for help on this) I used WinSCP instead of SSH for ease on this.

I now get a connection to your service which is great, however, it appears that my connection loads as tun1 and not tun0, is this usual? Do I change your firewall setup to reflect this?

I am having issues now with port forwarding. From what I have read I need to disable the NAT rules I have set up on my router pre-AirVPN and if I want to forward a port from the tunnel to a machine on my network I use the following command and save it in the DD-WRT startup (remote desktop to machine 192.168.2.102 on my LAN):

iptables -t nat -I PREROUTING -i tun1 -p tcp --dport 3389 -j DNAT --to-destination 192.168.2.102

I am no expert as you have by now guessed but I was wondering if this is correct, or do the firewall rules you have for DD-WRT just map to the existing NAT on my router?

iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
iptables -I INPUT -i tun0 -j REJECT
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

Thanks again for the help!
Staff Posted ...

> I now get a connection to your service which is great, however, it appears that my connection loads as tun1 and not tun0, is this usual?

Hello! Yes, that's normal.

> Do I change your firewall setup to reflect this?

Yes, it is mandatory: replace tun0 with tun1.

> I am having issues now with port forwarding. From what I have read I need to disable the NAT rules I have set up on my router pre-AirVPN and if I want to forward a port from the tunnel to a machine on my network I use the following command and save it in the DD-WRT startup (remote desktop to machine 192.168.2.102 on my LAN):
>
> iptables -t nat -I PREROUTING -i tun1 -p tcp --dport 3389 -j DNAT --to-destination 192.168.2.102
>
> I am no expert as you have by now guessed but I was wondering if this is correct, or do the firewall rules you have for DD-WRT just map to the existing NAT on my router?

It appears correct, assuming that the network card of the device you wish to forward port 3389 TCP to is 192.168.2.102. Of course do not forget to remotely forward port(s) on our system (menu "Member Area" -> "Forwarded ports").

Kind regards
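"Replace tun0 with tun1" is the kind of change that is easy to apply to some rules and miss in others, and the tunnel device OpenVPN picks is recorded in its own log. The script below is an added example, not code from the thread or from DD-WRT: it reads the device name out of an OpenVPN log, audits an `iptables-save` style dump for rules still matching on a different tunN, lists DNAT forwards on the management port, and prints the rule set rewritten to the right device. The rule dump and the log line are constructed samples modelled on what is posted in this thread (the rules here deliberately still say tun0 where the forwards already say tun1).

```shell
#!/bin/sh
# Added example, not code from the thread or from DD-WRT: check a saved
# iptables rule set against the tun device OpenVPN actually opened, so a
# rule set written for tun0 is caught after the client came up on tun1.

# Constructed sample of an `iptables-save` dump: the rules from the thread,
# with tun0 still in the FORWARD/INPUT/MASQUERADE rules while the port
# forwards already say tun1.
SAMPLE_RULES=$(cat <<'EOF'
*nat
-A PREROUTING -i tun1 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.2.102
-A PREROUTING -i tun1 -p tcp -m tcp --dport 5001 -j DNAT --to-destination 192.168.2.101
-A POSTROUTING -o tun0 -j MASQUERADE
COMMIT
*filter
-A INPUT -i tun0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i br0 -o tun0 -j ACCEPT
-A FORWARD -i tun0 -o br0 -j ACCEPT
COMMIT
EOF
)

# Constructed excerpt of the OpenVPN client log (the real line appears in
# the success log posted later in the thread).
SAMPLE_LOG='Thu Dec 20 05:52:13 2012 us=151102 TUN/TAP device tun1 opened'

# vpn_dev LOG: the device named in the last "TUN/TAP device ... opened" line
vpn_dev() {
    printf '%s\n' "$1" | sed -n 's/.*TUN\/TAP device \([a-z0-9]*\) opened.*/\1/p' | tail -n 1
}

# wrong_iface_rules RULES DEV: rules that match on a tunN other than DEV
wrong_iface_rules() {
    printf '%s\n' "$1" | grep -E -- '-[io] tun[0-9]+' | grep -v -E -- "-[io] $2([[:space:]]|\$)"
}

# mgmt_port_forwards RULES PORT: DNAT rules whose --dport is PORT. The
# management interface is bound to 127.0.0.1, so a forward arriving on the
# tunnel does not reach it, but a rule on that port deserves a second look.
mgmt_port_forwards() {
    printf '%s\n' "$1" | grep -E -- "--dport $2 .*-j DNAT"
}

# fix_iface RULES DEV: the same rule set rewritten to match on DEV, ready to
# be reviewed and pasted back into the DD-WRT firewall script
fix_iface() {
    printf '%s\n' "$1" | sed -E "s/(-[io]) tun[0-9]+/\1 $2/g"
}

# audit RULES DEV: one finding per line
audit() {
    wrong_iface_rules "$1" "$2" | while IFS= read -r rule; do
        printf 'wrong interface for %s: %s\n' "$2" "$rule"
    done
    mgmt_port_forwards "$1" 5001 | while IFS= read -r rule; do
        printf 'forward on management port: %s\n' "$rule"
    done
}

audit "$SAMPLE_RULES" "$(vpn_dev "$SAMPLE_LOG")"
```

On the router itself the inputs would be `iptables-save` and the file named by `log-append`; the device name is taken from the log rather than hard-coded precisely because DD-WRT assigned tun1 here where the documented rules assume tun0.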
DPurnell Posted ...

Hi, thanks again for your help. I am almost on the cusp of being properly set up and need some more advice please. I have had the tunnel working with port forwarding on and off. When left idle for some time and trying to connect to the web I was having no success. Looking at the OpenVPN log I could see the following:

Thu Dec 20 05:09:02 2012 us=940767 MANAGEMENT: Client connected from 127.0.0.1:5001
Thu Dec 20 05:09:02 2012 us=945820 MANAGEMENT: CMD 'state'
Thu Dec 20 05:09:02 2012 us=946874 MANAGEMENT: Client disconnected

My config:

ca /tmp/openvpncl/ca.crt
cert /tmp/openvpncl/client.crt
key /tmp/openvpncl/client.key
management 127.0.0.1 5001
management-log-cache 50
verb 4
mute 5
log-append /var/log/openvpncl
writepid /var/run/openvpncl.pid
client
resolv-retry infinite
nobind
persist-key
persist-tun
script-security 2
mtu-disc yes
dev tun1
proto udp
cipher aes-256-cbc
auth sha1
remote 31.193.12.74 443
tls-client
tun-mtu 1500
comp-lzo yes
ns-cert-type server
fast-io
tls-cipher AES256-SHA

DD-WRT will always overwrite the OpenVPN config with whatever it reads from the DD-WRT GUI settings. The line 127.0.0.1:5001 does appear in the conf, which I can't figure out how to remove, so I commented my own iptables rule that used port 5001 too, as I assumed a conflict, and did a reboot.

(commented...)
#iptables -t nat -I PREROUTING -i tun1 -p tcp --dport 5001 -j DNAT --to-destination 192.168.2.101

I then rebooted and OpenVPN would not connect to your service, but this time with an auth error. Checked the certs and all good, nothing changed.

(Sorry about the log paste, add file not working for me)

Thu Jan 1 00:00:13 1970 us=527089 OpenVPN 2.2.1 mips-linux [SSL] [LZO2] built on Jul 20 2012
Thu Jan 1 00:00:13 1970 us=527761 MANAGEMENT: TCP Socket listening on 127.0.0.1:5001
Thu Jan 1 00:00:13 1970 us=528390 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Thu Jan 1 00:00:13 1970 us=554571 WARNING: file '/tmp/openvpncl/client.key' is group or others accessible
Thu Jan 1 00:00:13 1970 us=582399 LZO compression initialized
Thu Jan 1 00:00:13 1970 us=583311 Control Channel MTU parms [ L:1558 D:138 EF:38 EB:0 ET:0 EL:0 ]
Thu Jan 1 00:00:13 1970 us=583656 Socket Buffers: R=[163840->131072] S=[163840->131072]
Thu Jan 1 00:00:13 1970 us=583889 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
Thu Jan 1 00:00:13 1970 us=584217 Local Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-client'
Thu Jan 1 00:00:13 1970 us=584348 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-server'
Thu Jan 1 00:00:13 1970 us=584653 Local Options hash (VER=V4): '22188c5b'
Thu Jan 1 00:00:13 1970 us=584925 Expected Remote Options hash (VER=V4): 'a8f55717'
Thu Jan 1 00:00:13 1970 us=589172 UDPv4 link local: [undef]
Thu Jan 1 00:00:13 1970 us=589400 UDPv4 link remote: 31.193.12.74:443
Thu Jan 1 00:00:15 1970 us=872151 TLS: Initial packet from 31.193.12.74:443, sid=68498825 b6a6e5f2
Thu Jan 1 00:00:16 1970 us=239415 VERIFY ERROR: depth=1, error=certificate is not yet valid: /C=IT/ST=IT/L=Perugia/O=airvpn.org/CN=airvpn.org_CA/emailAddress=info@airvpn.org
Thu Jan 1 00:00:16 1970 us=240504 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:lib(20):func(144):reason(134)
Thu Jan 1 00:00:16 1970 us=240660 TLS Error: TLS object -> incoming plaintext read error
Thu Jan 1 00:00:16 1970 us=240784 TLS Error: TLS handshake failed
Thu Jan 1 00:00:16 1970 us=241758 TCP/UDP: Closing socket
Thu Jan 1 00:00:16 1970 us=242031 SIGUSR1[soft,tls-error] received, process restarting
Thu Jan 1 00:00:16 1970 us=242202 Restart pause, 2 second(s)
Thu Jan 1 00:00:18 1970 us=268691 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Thu Jan 1 00:00:18 1970 us=268947 Re-using SSL/TLS context
Thu Jan 1 00:00:18 1970 us=269097 LZO compression initialized
Thu Jan 1 00:00:18 1970 us=269616 Control Channel MTU parms [ L:1558 D:138 EF:38 EB:0 ET:0 EL:0 ]
Thu Jan 1 00:00:18 1970 us=269861 Socket Buffers: R=[163840->131072] S=[163840->131072]
Thu Jan 1 00:00:18 1970 us=270102 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
Thu Jan 1 00:00:18 1970 us=270450 Local Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-client'
Thu Jan 1 00:00:18 1970 us=270579 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-server'
Thu Jan 1 00:00:18 1970 us=270860 Local Options hash (VER=V4): '22188c5b'
Thu Jan 1 00:00:18 1970 us=271127 Expected Remote Options hash (VER=V4): 'a8f55717'
Thu Jan 1 00:00:18 1970 us=271295 UDPv4 link local: [undef]
Thu Jan 1 00:00:18 1970 us=271456 UDPv4 link remote: 31.193.12.74:443
Thu Jan 1 00:00:18 1970 us=300932 TLS: Initial packet from 31.193.12.74:443, sid=9fe9566a 6aed5b8a
Thu Jan 1 00:00:18 1970 us=638163 VERIFY ERROR: depth=1, error=certificate is not yet valid: /C=IT/ST=IT/L=Perugia/O=airvpn.org/CN=airvpn.org_CA/emailAddress=info@airvpn.org
Thu Jan 1 00:00:18 1970 us=639277 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:lib(20):func(144):reason(134)
Thu Jan 1 00:00:18 1970 us=639444 TLS Error: TLS object -> incoming plaintext read error
Thu Jan 1 00:00:18 1970 us=639568 TLS Error: TLS handshake failed
Thu Jan 1 00:00:18 1970 us=640382 TCP/UDP: Closing socket
Thu Jan 1 00:00:18 1970 us=640639 SIGUSR1[soft,tls-error] received, process restarting
Thu Jan 1 00:00:18 1970 us=640834 Restart pause, 2 second(s)
Thu Jan 1 00:00:20 1970 us=668678 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Thu Jan 1 00:00:20 1970 us=668918 Re-using SSL/TLS context
Thu Jan 1 00:00:20 1970 us=669060 LZO compression initialized
Thu Jan 1 00:00:20 1970 us=669575 Control Channel MTU parms [ L:1558 D:138 EF:38 EB:0 ET:0 EL:0 ]
Thu Jan 1 00:00:20 1970 us=669805 Socket Buffers: R=[163840->131072] S=[163840->131072]
Thu Jan 1 00:00:20 1970 us=670032 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
Thu Jan 1 00:00:20 1970 us=670355 Local Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-client'
Thu Jan 1 00:00:20 1970 us=670483 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-server'
Thu Jan 1 00:00:20 1970 us=670763 Local Options hash (VER=V4): '22188c5b'
Thu Jan 1 00:00:20 1970 us=671097 Expected Remote Options hash (VER=V4): 'a8f55717'
Thu Jan 1 00:00:20 1970 us=671281 UDPv4 link local: [undef]
Thu Jan 1 00:00:20 1970 us=671446 UDPv4 link remote: 31.193.12.74:443
Thu Jan 1 00:00:20 1970 us=700967 TLS: Initial packet from 31.193.12.74:443, sid=0178a35e a39bea59
Thu Dec 20 05:39:41 2012 us=531070 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu Dec 20 05:39:41 2012 us=531262 TLS Error: TLS handshake failed
Thu Dec 20 05:39:41 2012 us=532203 TCP/UDP: Closing socket
Thu Dec 20 05:39:41 2012 us=532460 SIGUSR1[soft,tls-error] received, process restarting
Thu Dec 20 05:39:41 2012 us=532627 Restart pause, 2 second(s)
Thu Dec 20 05:39:43 2012 us=549065 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Thu Dec 20 05:39:43 2012 us=549306 Re-using SSL/TLS context
Thu Dec 20 05:39:43 2012 us=549447 LZO compression initialized
Thu Dec 20 05:39:43 2012 us=549957 Control Channel MTU parms [ L:1558 D:138 EF:38 EB:0 ET:0 EL:0 ]
Thu Dec 20 05:39:43 2012 us=550211 Socket Buffers: R=[163840->131072] S=[163840->131072]
Thu Dec 20 05:39:43 2012 us=550443 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
Thu Dec 20 05:39:43 2012 us=550764 Local Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-client'
Thu Dec 20 05:39:43 2012 us=550891 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-server'
Thu Dec 20 05:39:43 2012 us=551168 Local Options hash (VER=V4): '22188c5b'
Thu Dec 20 05:39:43 2012 us=551434 Expected Remote Options hash (VER=V4): 'a8f55717'
Thu Dec 20 05:39:43 2012 us=551603 UDPv4 link local: [undef]
Thu Dec 20 05:39:43 2012 us=551765 UDPv4 link remote: 31.193.12.74:443
Thu Dec 20 05:39:43 2012 us=581529 TLS: Initial packet from 31.193.12.74:443, sid=0c12b7a4 5d1599ad
Thu Dec 20 05:39:46 2012 us=659963 event_wait : Interrupted system call (code=4)
Thu Dec 20 05:39:46 2012 us=661391 TCP/UDP: Closing socket
Thu Dec 20 05:39:46 2012 us=661634 SIGTERM[hard,] received, process exiting
Thu Dec 20 05:39:50 2012 us=711295 OpenVPN 2.2.1 mips-linux [SSL] [LZO2] built on Jul 20 2012
Thu Dec 20 05:39:50 2012 us=711948 MANAGEMENT: TCP Socket listening on 127.0.0.1:5001
Thu Dec 20 05:39:50 2012 us=712572 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Thu Dec 20 05:39:50 2012 us=718767 WARNING: file '/tmp/openvpncl/client.key' is group or others accessible
Thu Dec 20 05:39:50 2012 us=726512 LZO compression initialized
Thu Dec 20 05:39:50 2012 us=727407 Control Channel MTU parms [ L:1558 D:138 EF:38 EB:0 ET:0 EL:0 ]
Thu Dec 20 05:39:50 2012 us=727760 Socket Buffers: R=[163840->131072] S=[163840->131072]
Thu Dec 20 05:39:50 2012 us=727994 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
Thu Dec 20 05:39:50 2012 us=728348 Local Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-client'
Thu Dec 20 05:39:50 2012 us=728482 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-server'
Thu Dec 20 05:39:50 2012 us=728787 Local Options hash (VER=V4): '22188c5b'
Thu Dec 20 05:39:50 2012 us=729865 Expected Remote Options hash (VER=V4): 'a8f55717'
Thu Dec 20 05:39:50 2012 us=739432 UDPv4 link local: [undef]
Thu Dec 20 05:39:50 2012 us=739659 UDPv4 link remote: 31.193.12.74:443
Thu Dec 20 05:39:50 2012 us=782207 TLS: Initial packet from 31.193.12.74:443, sid=8fc3bef3 9c7cf4eb
Thu Dec 20 05:39:51 2012 us=160043 VERIFY OK: depth=1, /C=IT/ST=IT/L=Perugia/O=airvpn.org/CN=airvpn.org_CA/emailAddress=info@airvpn.org
Thu Dec 20 05:39:51 2012 us=168327 VERIFY OK: nsCertType=SERVER
Thu Dec 20 05:39:51 2012 us=168516 VERIFY OK: depth=0, /C=IT/ST=IT/L=Perugia/O=airvpn.org/CN=server/emailAddress=info@airvpn.org
Thu Dec 20 05:40:50 2012 us=608987 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu Dec 20 05:40:50 2012 us=609181 TLS Error: TLS handshake failed
Thu Dec 20 05:40:50 2012 us=611113 TCP/UDP: Closing socket
Thu Dec 20 05:40:50 2012 us=611402 SIGUSR1[soft,tls-error] received, process restarting
Thu Dec 20 05:40:50 2012 us=611573 Restart pause, 2 second(s)
Thu Dec 20 05:40:52 2012 us=628945 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Thu Dec 20 05:40:52 2012 us=629200 Re-using SSL/TLS context
Thu Dec 20 05:40:52 2012 us=629353 LZO compression initialized
Thu Dec 20 05:40:52 2012 us=629877 Control Channel MTU parms [ L:1558 D:138 EF:38 EB:0 ET:0 EL:0 ]
Thu Dec 20 05:40:52 2012 us=630123 Socket Buffers: R=[163840->131072] S=[163840->131072]
Thu Dec 20 05:40:52 2012 us=630363 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
Thu Dec 20 05:40:52 2012 us=630707 Local Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-client'
Thu Dec 20 05:40:52 2012 us=630834 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-server'
Thu Dec 20 05:40:52 2012 us=631113 Local Options hash (VER=V4): '22188c5b'
Thu Dec 20 05:40:52 2012 us=631377 Expected Remote Options hash (VER=V4): 'a8f55717'
Thu Dec 20 05:40:52 2012 us=631547 UDPv4 link local: [undef]
Thu Dec 20 05:40:52 2012 us=631707 UDPv4 link remote: 31.193.12.74:443
Thu Dec 20 05:40:52 2012 us=692789 TLS: Initial packet from 31.193.12.74:443, sid=f4398aab 95b3af4e
Thu Dec 20 05:40:53 2012 us=57845 VERIFY OK: depth=1, /C=IT/ST=IT/L=Perugia/O=airvpn.org/CN=airvpn.org_CA/emailAddress=info@airvpn.org
Thu Dec 20 05:40:53 2012 us=65399 VERIFY OK: nsCertType=SERVER
Thu Dec 20 05:40:53 2012 us=65583 VERIFY OK: depth=0, /C=IT/ST=IT/L=Perugia/O=airvpn.org/CN=server/emailAddress=info@airvpn.org
Thu Dec 20 05:40:53 2012 us=940763 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Thu Dec 20 05:40:53 2012 us=940996 NOTE: --mute triggered...
Thu Dec 20 05:40:53 2012 us=941646 4 variation(s) on previous 5 message(s) suppressed by --mute
Thu Dec 20 05:40:53 2012 us=941811 [server] Peer Connection Initiated with 31.193.12.74:443
Thu Dec 20 05:40:56 2012 us=149336 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Thu Dec 20 05:40:56 2012 us=178318 AUTH: Received AUTH_FAILED control message
Thu Dec 20 05:40:56 2012 us=181076 TCP/UDP: Closing socket
Thu Dec 20 05:40:56 2012 us=181365 SIGTERM[soft,auth-failure] received, process exiting

Again I thought this may be my iptables rules, so I commented everything that wasn't for the moment vital, rebooted the router again and the tunnel started running. Full startup script:

arp -i br0 -s 192.168.2.102 BC:5F:F4:3B:61:23
arp -i br0 -s 192.168.2.101 00:11:32:14:4b:31
iptables -t nat -I PREROUTING -i tun1 -p tcp --dport 3389 -j DNAT --to-destination 192.168.2.102
#iptables -t nat -I PREROUTING -i tun1 -p tcp --dport 5000 -j DNAT --to-destination 192.168.2.101
#iptables -t nat -I PREROUTING -i tun1 -p tcp --dport 5001 -j DNAT --to-destination 192.168.2.101
#iptables -t nat -I PREROUTING -i tun1 -p tcp --dport 7000 -j DNAT --to-destination 192.168.2.101
#iptables -t nat -I PREROUTING -i tun1 -p tcp --dport 7001 -j DNAT --to-destination 192.168.2.101
#iptables -t nat -I PREROUTING -i tun1 -p tcp --dport 5005 -j DNAT --to-destination 192.168.2.101
#iptables -t nat -I PREROUTING -i tun1 -p tcp --dport 5006 -j DNAT --to-destination 192.168.2.101
#iptables -t nat -I PREROUTING -i tun1 -p tcp --dport 15222 -j DNAT --to-destination 192.168.2.101
ln -s /tmp/var/log/messages /tmp/www/log.html
ln -s /tmp/var/log/openvpncl /tmp/www/vpnlog.html

I do need the hashed ports running. Can you tell me what I am doing wrong please? Have attached the config and OpenVPN logs in their various states.
(Success log)

Thu Jan 1 00:00:13 1970 us=920163 OpenVPN 2.2.1 mips-linux [SSL] [LZO2] built on Jul 20 2012
Thu Jan 1 00:00:13 1970 us=920833 MANAGEMENT: TCP Socket listening on 127.0.0.1:5001
Thu Jan 1 00:00:13 1970 us=921458 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Thu Jan 1 00:00:13 1970 us=937680 WARNING: file '/tmp/openvpncl/client.key' is group or others accessible
Thu Jan 1 00:00:13 1970 us=955799 LZO compression initialized
Thu Jan 1 00:00:13 1970 us=956664 Control Channel MTU parms [ L:1558 D:138 EF:38 EB:0 ET:0 EL:0 ]
Thu Jan 1 00:00:13 1970 us=957052 Socket Buffers: R=[163840->131072] S=[163840->131072]
Thu Jan 1 00:00:13 1970 us=957292 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
Thu Jan 1 00:00:13 1970 us=957619 Local Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-client'
Thu Jan 1 00:00:13 1970 us=957746 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-server'
Thu Jan 1 00:00:13 1970 us=958049 Local Options hash (VER=V4): '22188c5b'
Thu Jan 1 00:00:13 1970 us=958319 Expected Remote Options hash (VER=V4): 'a8f55717'
Thu Jan 1 00:00:13 1970 us=964213 UDPv4 link local: [undef]
Thu Jan 1 00:00:13 1970 us=964443 UDPv4 link remote: 31.193.12.74:443
Thu Dec 20 05:51:45 2012 us=620902 [UNDEF] Inactivity timeout (--ping-restart), restarting
Thu Dec 20 05:51:45 2012 us=621614 TCP/UDP: Closing socket
Thu Dec 20 05:51:45 2012 us=621838 SIGUSR1[soft,ping-restart] received, process restarting
Thu Dec 20 05:51:45 2012 us=622004 Restart pause, 2 second(s)
Thu Dec 20 05:51:47 2012 us=650786 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Thu Dec 20 05:51:47 2012 us=651037 Re-using SSL/TLS context
Thu Dec 20 05:51:47 2012 us=651196 LZO compression initialized
Thu Dec 20 05:51:47 2012 us=651748 Control Channel MTU parms [ L:1558 D:138 EF:38 EB:0 ET:0 EL:0 ]
Thu Dec 20 05:51:47 2012 us=651983 Socket Buffers: R=[163840->131072] S=[163840->131072]
Thu Dec 20 05:51:47 2012 us=652228 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
Thu Dec 20 05:51:47 2012 us=652584 Local Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-client'
Thu Dec 20 05:51:47 2012 us=652714 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-server'
Thu Dec 20 05:51:47 2012 us=653004 Local Options hash (VER=V4): '22188c5b'
Thu Dec 20 05:51:47 2012 us=653271 Expected Remote Options hash (VER=V4): 'a8f55717'
Thu Dec 20 05:51:47 2012 us=653438 UDPv4 link local: [undef]
Thu Dec 20 05:51:47 2012 us=653617 UDPv4 link remote: 31.193.12.74:443
Thu Dec 20 05:51:47 2012 us=705853 TLS: Initial packet from 31.193.12.74:443, sid=cbedf4ad 9e8d7acc
Thu Dec 20 05:51:48 2012 us=74035 VERIFY OK: depth=1, /C=IT/ST=IT/L=Perugia/O=airvpn.org/CN=airvpn.org_CA/emailAddress=info@airvpn.org
Thu Dec 20 05:51:48 2012 us=82291 VERIFY OK: nsCertType=SERVER
Thu Dec 20 05:51:48 2012 us=82482 VERIFY OK: depth=0, /C=IT/ST=IT/L=Perugia/O=airvpn.org/CN=server/emailAddress=info@airvpn.org
Thu Dec 20 05:51:49 2012 us=85741 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Thu Dec 20 05:51:49 2012 us=85967 NOTE: --mute triggered...
Thu Dec 20 05:51:49 2012 us=86612 4 variation(s) on previous 5 message(s) suppressed by --mute
Thu Dec 20 05:51:49 2012 us=86777 [server] Peer Connection Initiated with 31.193.12.74:443
Thu Dec 20 05:51:51 2012 us=341155 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Thu Dec 20 05:51:51 2012 us=426882 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.4.0.1,comp-lzo no,route 10.4.0.1,topology net30,ping 10,ping-restart 60,ifconfig 10.4.24.114 10.4.24.113'
Thu Dec 20 05:51:51 2012 us=427574 OPTIONS IMPORT: timers and/or timeouts modified
Thu Dec 20 05:51:51 2012 us=427747 OPTIONS IMPORT: LZO parms modified
Thu Dec 20 05:51:51 2012 us=427859 OPTIONS IMPORT: --ifconfig/up options modified
Thu Dec 20 05:51:51 2012 us=427967 NOTE: --mute triggered...
Thu Dec 20 05:51:51 2012 us=430334 2 variation(s) on previous 5 message(s) suppressed by --mute
Thu Dec 20 05:51:51 2012 us=430509 TUN/TAP device tun1 opened
Thu Dec 20 05:51:51 2012 us=430670 TUN/TAP TX queue length set to 100
Thu Dec 20 05:51:51 2012 us=447633 /sbin/ifconfig tun1 10.4.24.114 pointopoint 10.4.24.113 mtu 1500
Thu Dec 20 05:51:51 2012 us=464009 /sbin/route add -net 31.193.12.74 netmask 255.255.255.255 gw 192.168.1.1
Thu Dec 20 05:51:51 2012 us=469229 /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.4.24.113
Thu Dec 20 05:51:51 2012 us=479181 /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.4.24.113
Thu Dec 20 05:51:51 2012 us=485222 /sbin/route add -net 10.4.0.1 netmask 255.255.255.255 gw 10.4.24.113
Thu Dec 20 05:51:51 2012 us=538288 Initialization Sequence Completed
Thu Dec 20 05:51:55 2012 us=933129 event_wait : Interrupted system call (code=4)
Thu Dec 20 05:51:55 2012 us=935948 TCP/UDP: Closing socket
Thu Dec 20 05:51:55 2012 us=936350 /sbin/route del -net 10.4.0.1 netmask 255.255.255.255
Thu Dec 20 05:51:55 2012 us=945426 /sbin/route del -net 31.193.12.74 netmask 255.255.255.255
Thu Dec 20 05:51:55 2012 us=950633 /sbin/route del -net 0.0.0.0 netmask 128.0.0.0
Thu Dec 20 05:51:55 2012 us=955816 /sbin/route del -net 128.0.0.0 netmask 128.0.0.0
Thu Dec 20 05:51:55 2012 us=963689 Closing TUN/TAP interface
Thu Dec 20 05:51:55 2012 us=963975 /sbin/ifconfig tun1 0.0.0.0
Thu Dec 20 05:51:55 2012 us=971129 SIGTERM[hard,] received, process exiting
Thu Dec 20 05:51:59 2012 us=995594 OpenVPN 2.2.1 mips-linux [SSL] [LZO2] built on Jul 20 2012
Thu Dec 20 05:51:59 2012 us=996254 MANAGEMENT: TCP Socket listening on 127.0.0.1:5001
Thu Dec 20 05:51:59 2012 us=996886 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Thu Dec 20 05:52:00 2012 us=3400 WARNING: file '/tmp/openvpncl/client.key' is group or others accessible
Thu Dec 20 05:52:00 2012 us=11012 LZO compression initialized
Thu Dec 20 05:52:00 2012 us=11879 Control Channel MTU parms [ L:1558 D:138 EF:38 EB:0 ET:0 EL:0 ]
Thu Dec 20 05:52:00 2012 us=12234 Socket Buffers: R=[163840->131072] S=[163840->131072]
Thu Dec 20 05:52:00 2012 us=12479 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
Thu Dec 20 05:52:00 2012 us=12807 Local Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-client'
Thu Dec 20 05:52:00 2012 us=12940 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-server'
Thu Dec 20 05:52:00 2012 us=13242 Local Options hash (VER=V4): '22188c5b'
Thu Dec 20 05:52:00 2012 us=13519 Expected Remote Options hash (VER=V4): 'a8f55717'
Thu Dec 20 05:52:00 2012 us=21313 UDPv4 link local: [undef]
Thu Dec 20 05:52:00 2012 us=21544 UDPv4 link remote: 31.193.12.74:443
Thu Dec 20 05:52:00 2012 us=66301 TLS: Initial packet from 31.193.12.74:443, sid=c7065ddc 002636df
Thu Dec 20 05:52:00 2012 us=454813 VERIFY OK: depth=1, /C=IT/ST=IT/L=Perugia/O=airvpn.org/CN=airvpn.org_CA/emailAddress=info@airvpn.org
Thu Dec 20 05:52:00 2012 us=473110 VERIFY OK: nsCertType=SERVER
Thu Dec 20 05:52:00 2012 us=473298 VERIFY OK: depth=0, /C=IT/ST=IT/L=Perugia/O=airvpn.org/CN=server/emailAddress=info@airvpn.org
Thu Dec 20 05:52:10 2012 us=941365 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Thu Dec 20 05:52:10 2012 us=941590 NOTE: --mute triggered...
Thu Dec 20 05:52:10 2012 us=942256 4 variation(s) on previous 5 message(s) suppressed by --mute
Thu Dec 20 05:52:10 2012 us=942424 [server] Peer Connection Initiated with 31.193.12.74:443
Thu Dec 20 05:52:13 2012 us=101167 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Thu Dec 20 05:52:13 2012 us=146846 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.4.0.1,comp-lzo no,route 10.4.0.1,topology net30,ping 10,ping-restart 60,ifconfig 10.4.24.114 10.4.24.113'
Thu Dec 20 05:52:13 2012 us=147576 OPTIONS IMPORT: timers and/or timeouts modified
Thu Dec 20 05:52:13 2012 us=147725 OPTIONS IMPORT: LZO parms modified
Thu Dec 20 05:52:13 2012 us=147839 OPTIONS IMPORT: --ifconfig/up options modified
Thu Dec 20 05:52:13 2012 us=147948 NOTE: --mute triggered...
Thu Dec 20 05:52:13 2012 us=150921 2 variation(s) on previous 5 message(s) suppressed by --mute
Thu Dec 20 05:52:13 2012 us=151102 TUN/TAP device tun1 opened
Thu Dec 20 05:52:13 2012 us=151267 TUN/TAP TX queue length set to 100
Thu Dec 20 05:52:13 2012 us=151648 /sbin/ifconfig tun1 10.4.24.114 pointopoint 10.4.24.113 mtu 1500
Thu Dec 20 05:52:13 2012 us=157939 /sbin/route add -net 31.193.12.74 netmask 255.255.255.255 gw 192.168.1.1
Thu Dec 20 05:52:13 2012 us=173244 /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.4.24.113
Thu Dec 20 05:52:13 2012 us=178462 /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.4.24.113
Thu Dec 20 05:52:13 2012 us=194562 /sbin/route add -net 10.4.0.1 netmask 255.255.255.255 gw 10.4.24.113
Thu Dec 20 05:52:13 2012 us=252467 Initialization Sequence Completed
Thu Dec 20 05:52:57 2012 us=338765 Replay-window backtrack occurred [1]
Thu Dec 20 05:56:41 2012 us=856203 Replay-window backtrack occurred [2]
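The logs above contain several distinct failure modes run together: a certificate rejected as "not yet valid" while the timestamps still read 1 Jan 1970 (the router's clock had not been set when OpenVPN started, so the CA certificate's notBefore lay in its future), a TLS handshake that timed out, an AUTH_FAILED after a good handshake, a ping-restart after idle time, and replay-window backtracks once the tunnel was up. The script below is an added example, not code from the thread or from OpenVPN: it sorts the lines of an OpenVPN 2.2 client log into those categories so each can be looked at on its own. The sample log is a constructed excerpt of lines copied from this thread, thinned so every category appears at least once; the category names are the script's own.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenVPN: classify the
# failure modes that show up in an OpenVPN 2.2 client log like the ones
# pasted above. Each classifier takes the log text as $1 and prints the
# matching lines; summary prints "<label> <count>" for each label that hit.

# Constructed excerpt: lines copied from the logs posted in the thread,
# thinned out so each event type appears at least once.
SAMPLE_LOG=$(cat <<'EOF'
Thu Jan 1 00:00:13 1970 us=527089 OpenVPN 2.2.1 mips-linux [SSL] [LZO2] built on Jul 20 2012
Thu Jan 1 00:00:13 1970 us=554571 WARNING: file '/tmp/openvpncl/client.key' is group or others accessible
Thu Jan 1 00:00:16 1970 us=239415 VERIFY ERROR: depth=1, error=certificate is not yet valid: /C=IT/ST=IT/L=Perugia/O=airvpn.org/CN=airvpn.org_CA/emailAddress=info@airvpn.org
Thu Jan 1 00:00:16 1970 us=240784 TLS Error: TLS handshake failed
Thu Dec 20 05:39:41 2012 us=531070 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu Dec 20 05:39:41 2012 us=531262 TLS Error: TLS handshake failed
Thu Dec 20 05:40:56 2012 us=178318 AUTH: Received AUTH_FAILED control message
Thu Dec 20 05:51:45 2012 us=620902 [UNDEF] Inactivity timeout (--ping-restart), restarting
Thu Dec 20 05:52:13 2012 us=252467 Initialization Sequence Completed
Thu Dec 20 05:52:57 2012 us=338765 Replay-window backtrack occurred [1]
Thu Dec 20 05:56:41 2012 us=856203 Replay-window backtrack occurred [2]
EOF
)

# clock_not_set LOG: certificate rejected as "not yet valid" while the
# system clock still read 1970, i.e. OpenVPN started before the router had
# set its time (the usual meaning of that pairing on a device with no RTC).
clock_not_set() {
    printf '%s\n' "$1" | grep -E '^[A-Za-z]{3} [A-Za-z]{3} +[0-9]+ [0-9:]+ 1970 .*certificate is not yet valid'
}

# key_perms LOG: private key readable by group/others (fix: chmod 600)
key_perms() {
    printf '%s\n' "$1" | grep -F 'is group or others accessible'
}

# tls_timeout LOG: handshake started but no usable reply within 60 s, so the
# UDP path to the server was lossy or blocked
tls_timeout() {
    printf '%s\n' "$1" | grep -F 'TLS key negotiation failed to occur within'
}

# auth_failed LOG: TLS succeeded, then the server rejected the credentials
auth_failed() {
    printf '%s\n' "$1" | grep -F 'AUTH_FAILED'
}

# ping_restart LOG: tunnel was up, then nothing arrived for ping-restart seconds
ping_restart() {
    printf '%s\n' "$1" | grep -F -- '--ping-restart'
}

# replay_backtrack LOG: packets arriving out of order or lost on the path
replay_backtrack() {
    printf '%s\n' "$1" | grep -F 'Replay-window backtrack'
}

# connected LOG: the client finished bringing the tunnel up
connected() {
    printf '%s\n' "$1" | grep -F 'Initialization Sequence Completed'
}

# summary LOG: "<label> <count>" for each classifier with at least one hit
summary() {
    for f in clock_not_set key_perms tls_timeout auth_failed ping_restart replay_backtrack connected; do
        n=$("$f" "$1" | grep -c . || true)
        [ "$n" -gt 0 ] && printf '%s %s\n' "$f" "$n"
    done
    return 0
}

summary "$SAMPLE_LOG"
```

On the router, feed it the file named by `log-append`; a `clock_not_set` hit means the TLS failure is about time, not about the certificates or the server, and goes away once the clock is set (NTP on DD-WRT) and OpenVPN restarts.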
Staff Posted ...

Hello! Before proceeding with further troubleshooting, please try a connection to 443 TCP and 80 TCP. The logs show some replay-window backtracks which suggest packet loss (or a replay attack; very unlikely, but if you live in some very human-rights-hostile country it's an option that must be taken into consideration). Try to change VPN server as well. Finally, please attach a screenshot of the DD-WRT web interface OpenVPN configuration.

Kind regards
DPurnell Posted ...

Hi, I am connecting on 443, not in a hostile country, and without Air running I can access these ports fine. I've done some homework and there are suggestions on chmod 600 on the cert files and also maybe running as a daemon, which I assume is set up via the server/daemon option in DD-WRT. Do I need to have 443 open on my firewall? It appears to me the OpenVPN port is auto-selected and I do not need to open the firewall. Where is the screenshot? Thanks again....
Staff Posted ...

> I am connecting on 443, not in a hostile country, and without Air running I can access these ports fine. I've done some homework and there are suggestions on chmod 600 on the cert files and also maybe running as a daemon, which I assume is set up via the server/daemon option in DD-WRT. Do I need to have 443 open on my firewall? It appears to me the OpenVPN port is auto-selected and I do not need to open the firewall.
>
> Where is the screenshot?

Hello! About your firewall, you just need to make sure that outbound port 443 is not "blocked", but surely it is fine, because you reach without problems OpenVPN servers listening on port 443.

You should be able to access the OpenVPN configuration panel through the web access to your DD-WRT router. Once you're there, please take a snapshot of the screen.

Kind regards
DPurnell Posted ...

Hi, I think it was me being very dull. The subnet was not set in the OpenVPN client section of the router config. Seems to be working fine now. Thanks for the help.