OpenVPN on OpenWRT - A little more detail

Posted
Comments: 24

Routing all remote traffic through OpenVPN

There’s a great guide on OpenWRT.org that covers most of what I wanted to do. However, I ran into a few snags and figured this might help someone else.

My goal was to do the following:

  1. Set up an OpenVPN running on my DD-WRT/OpenWRT compatible router
  2. Configure a Windows 7/8 laptop to connect to the tunnel for the following reasons:
    • Default route all traffic through the router in hopes of protecting traffic when on public networks
    • Access “local” resource while out on the road

DD-WRT vs. OpenWRT

I’ve tested OpenVPN on a Linksys E2000 running DD-WRT and had good luck with it. I also have a TPLink 4300 which runs DD-WRT, but I had trouble getting SSH to work (the option was greyed out) and ultimately could not get OpenVPN to run. So I decided to try OpenWRT instead. For my needs, I much preferred OpenWRT and the steps here are geared for OpenVPN running on OpenWRT.

OpenWRT

192.168.0.x and 192.168.1.x are very commonly used and could cause some problems when you are connecting to various routers and public networks.

Once you have OpenWRT installed on your router, I suggested that you change the default LAN IPs to be something other than 192.168.1.x. For this tutorial, I have changed the IPs to be 192.168.99.x. So when you see .99. then just replace it with whatever you configured the router to use.

OpenVPN Server Installation and Configurations

Turn on SSH

You may need to enable SSH access before you can log in. To do so go to System -> Administration

Open WRT -> System -> Administration

Then scroll down to the section that says SSH Access and make sure the settings are enabled:

Open WRT ---> SSH Acces

Install the OpenVPN and SFTP Packages

SSH into your router by going to 192.168.99.1 using the SSH Port that you set above. The default is 22. Sign in as root and use the password that you have set to sign into your OpenWRT admin website.

Once you are signed in, you can run the following commands. There is no need to change the directory/path that you are in.

This will run a command line update:

opkg update

This will install the OpenVPN and Easy RSA (for generating the keys):

opkg install openvpn openvpn-easy-rsa

This will install SFTP (FTP over SSH) which is useful when you want securely to copy the keys off the server and onto a client:

opkg install openssh-sftp-server

The OpenWRT guide suggested that you can install the GUI package (luci-app-openvpn), but this failed for me using the latest build of OpenWRT saying that the package could not be located. This package is not needed in order to get things working.

Building the Certificates/Keys

Changing defaults (optional)

When generating the keys, you will be prompted for a lot of settings. You can change some of these default values in order to make the prompts easier. That is, you can just press [enter] for the defaults.
So, to help make some of the prompts easier, you can edit this file. Towards the bottom are some of the defaults:

vi /etc/easy-rsa/vars

Get your server/keys ready:

Next run the following: 

clean-all

build-ca

build-dh

Next build the server keys:

build-key-server server

This will give you a lot of prompts. I tried to keep the answers here similar across the server and client keys, though you will need to keep the file names and common-names unique. That is you can’t have two client keys called “user1”

WRT --> SSH --> Build Server Keys

Note, when asked for a challenge password I put a randomly generated one in there. This did not seem to come up anywhere else or cause any problems.

Get your client keys ready:

I used the PCKS12 format. This format combines all the keys you need for the client to connect into one .p12 file. This would be the only file that you would need to ship to each client. 

build-key-pkcs12 user1

Note, make sure you keep the Common Name unique. I just left it as user1 to match the file names.

Also, you can put an export password on this .p12 key which means that the client would have to enter this password anytime they connect or use the key. This password is optional and you can choose to leave the export password blank.

WRT --> SSH --> Client Key

Copying the keys over

The keys that you are generating will be stored int he /etc/easy-rsa/keys folder. You will need to copy the server keys over to the /etc/openvpn/ folder for use with OpenVPN:

cd /etc/easy-rsa/keys

cp ca.crt ca.key dh1024.pem server.crt server.key /etc/openvpn/

OpenVPN Server configuration

Edit the OpenVPN Server configuration:

vi /etc/config/openvpn

Replace the server config with the following:

config 'openvpn' 'lan'
        option 'enable' '1'
        option 'port' '1194'
        option 'proto' 'udp'
        option 'dev' 'tap0'
        option 'ca' '/etc/openvpn/ca.crt'
        option 'cert' '/etc/openvpn/server.crt'
        option 'key' '/etc/openvpn/server.key'
        option 'dh' '/etc/openvpn/dh1024.pem'
        option 'ifconfig_pool_persist' '/tmp/ipp.txt'
        option 'keepalive' '10 120'
        option 'comp_lzo' '1'
        option 'persist_key' '1'
        option 'persist_tun' '1'
        option 'status' '/tmp/openvpn-status.log'
        option 'verb' '3'
        option 'server_bridge' '192.168.99.1 255.255.255.0 192.168.99.200 192.168.99.219'
        option 'push' 'redirect-gateway def1'
        list 'push' 'dhcp-option DNS 192.168.99.1'

Notes

  • option ‘push’ ‘redirect-gateway def1’ – will instruct the clients to push all traffic through the router. This is what I wanted as one of my goals was to “encrypt” traffic from the client when connected to public networks. If you leave this option off, your clients will still be connected to the network and have access to local resources, but their default gateway may still be their outside network.
  • list ‘push’ ‘dhcp-option DNS 192.168.99.1’ – will tell the router to push the DNS server (itself) down to the client. I ran into some trouble where the client could not resolve DNS without this command.

Start the server

Start server from Command line

/etc/init.d/openvpn start

If needed, you can also stop or restart the service:

/etc/init.d/openvpn stop

/etc/init.d/openvpn restart

Enable the OpenVPN server so that it automatically startup on boot. 

/etc/init.d/openvpn enable

This can also be done via the OpenWRT GUI through System —> Startup and then clicking Enable next to OpenVPN:

WRT --> System --> Startup ---> Enable

Router Network Configuration

Now that you have your server configured and started, the network/interface should show up and can be bridged. Using the OpenWRT web management, go to WRT —> Network —> Interfaces —> Edit LAN

WRT --> Network --> Interfaces ---> Edit

Then click on Physical Settings and check the box next to the tap0 interface in order to bridge that network. This essentially means that when someone connects to the tap0 (your OpenVPN network), they will have access to the other resources on the LAN, WLAN, etc.

WRT --> Network --> Interfaces --> Edit LAN --> Physical Settings

Firewall and DHCP

Back to the SSH console for the next changes.

Update the firewall to allow Port 1194 UDP traffic. 

vi /etc/config/firewall

Add the following to the bottom of this file:

config 'rule'
        option 'target' 'ACCEPT'
        option 'dest_port' '1194'
        option 'src' 'wan'
        option 'proto' 'tcpudp'
        option 'family' 'ipv4'

Restart the iptables based firewall: 

/etc/init.d/firewall restart

Next let’s update the DHCP ranges:

Initially I understood the DHCP changes incorrectly. The original configuration had 50 and 200 for the DHCP. I though it meant that the DHCP LAN should start at 50 and run through 200. However the second command limit means that the DHCP would be starting at 50 and run for 200 addresses thus ending at 250. If you remember from our OpenVPN configuration (above), we configured the OpenVPN clients to receive addresses from ~200-220. We don’t want this to overlap, so the settings must be changed to something like the above which says: Start at 50 and run for 150, giving a normal LAN DCHP range of 50-200. 

 vi /etc/config/dhcp

Change the LAN section to something like the following:

config 'dhcp' 'lan'
        option 'interface' 'lan'
        option 'ignore' '0'
        option 'start' '50'
        option 'limit' '150'

restart dnsmasq:

/etc/init.d/dnsmasq restart

To review:

  • 50-200: LAN/WLAN address lease range
  • 201-220: OpenVPN address lease range

Connect your clients:

Now that your server is up and running, let’s try connecting one of your clients. You need three things on the client to do this:

  1. Client must have OpenVPN client installed (Download here)
  2. The client configuration file must exist that matches the server and points to the right outside IP of your router
  3. The server key/certificate that we created above (we are using the .p12 format for this tutorial)

Client Config File (.ovpn)

Note, you may need to l launch notepad.exe with administrative privileges in order to write to the above folder. Alternately, you can create it somewhere else and then copy it in (where you will then need to grant admin privileges to copy).

Once you have the OpenVPN client installed, create a configuration file. On my Windows 7/8 instance, this file would exist in

C:\Program Files\OpenVPN\config\

In this path, use notepad.exe (or equivalent) to create a file called OpenWRT.ovpn

In this file put the following:

#Configuration
remote <your.server.address.here> 1194
client
tls-client
dev tap
proto udp
remote-cert-tls server
resolv-retry infinite
nobind
persist-tun
persist-key
pkcs12 user1.p12 
comp-lzo
verb 3

On line 1, make sure you update to your servers outside WAN IP address.

Validating the Server/Keys

WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.

remote-cert-tls server – this line is required or else you will receive a warning in the log about MITM attacks. This warning is telling you that if you don’t validate the servers authenticity somehow, then someone could hack/attack your “secure connection” using a man-in-the-middle attack. This line asks your client to authenticate/validate the server keys first and should remove that warning.

Client certificate/key

This is the file that you created back in the SSH session on the OpenWRT. For this tutorial we are using the PKCS12 format which means all the keys are combined into a single file. You’ll need to copy your user1.p12 file from the OpenWRT server to the same path as the client configuration file that we just created (C:\Program Files\OpenVPN\config\).

One of the first steps that we did was to install the SFTP server onto your OpenWRT router. This will allow you to securely login and copy the file out. I used a program called FileZilla to do this.

Once you have the file in the right place, you should be all set to connect.

Connecting for the first time

Run the OpenVPN GUI which will put a little icon into your taksbar that has two red-monitor screens. Right click on this and select “connect”

Note, if you have more than one connection, then you will see them listed here and you would select one of those first, then select connect.

WRT / Client / Connect

When you connect, a status screen will show up that will have a lot of log information. If you have an export password on your .p12 file, then you will see a prompt for that here.

OpenVPN Password

Once you successfully connect, the monitor lights will turn from red to yellow and finally to green and that should mean you are all set.

Testing 1…2…3…

You should be able to connect to the VPN even if you are connected behind the OpenWRT router. However, in order to properly test things out, you should really try connecting from an outside network (coffee shop, etc.).

Once you get the green light on the OpenVPN GUI, try some of the following tests.

Open WRT Management Web

Try to connect to http://192.168.99.1/ (or https://192.168.99.1/ if you have that turned) on. If you successfully see the login screen, then that means your VPN is working and you have access to your local resources. If you disconnect the VPN, you should not longer be able to access the management site.

tracert

First, let’s test this with the VPN connection off. So make sure the OpenVPN lights are red and you are disconnected.

In Windows, open up a command prompt (cmd) and type in:

tracert www.google.com

and then watch the results. You really only care about the first few lines.

You should now see a set of hops showing that you are routing through the network you are connected to (coffee shop, etc.).

Next, connect to your VPN. Once you have green lights and can get online, run the same command again. You want to see something like the following:

Notice that the first hop is your OpenWRT router at 192.168.99.1. The second hop should be whatever network your OpenWRT router uses to connect out. For testing, I had my OpenWRT router behind another network that ran off 192.168.1.254. Note: If you are running behind another router/firewall, you will need to open port 1194 on the “outside” firewall and point it to the OpenWRT’s LAN address on that network. This type of setup may be common for those plugging in behind an “all in one” Cable Modem/Router/Switch.

If you don’t see any difference in the tracert, but can successfully see local resources, that could mean that your VPN is connecting okay but not acting as the secure default route of all our traffic. Ensure that the setting: option ‘push’ ‘redirect-gateway def1’ is properly configured in the OpenVPN configuration file.

“What is my IP” test

As a final test. go to google and type in “what is my ip” and see what address it gives you. This should give you the outbound WAN address of whatever network your OpenWRT is connected. What this means is that when you visit websites, they are “seeing” you as though you are coming from the OpenWRT connected network and not the one you are directly connected to (coffee shop, etc.).

Comments?

Hope this guide sheds some additional light on configuring OpenVPN on an OpenWRT router. If you have any questions or suggestions, please leave them in the comments below.

Author
Categories ,

Comments

  1. MrC

    Thank you very much! I got this working with (OSX) Tunnelblick…

  2. JamesP

    Awesome guide. Followed it and everything is working perfectly :).

  3. ste (Author)

    @MrC, @JamesP

    Thank you for the comments. Glad this was of use to you. So far mine has been up and running without issue. Hopefully it will stay that way.

  4. Chris Nedman

    Thank you!!
    The guide on OpenWRT’s own site doesn’t work. But your guide works with latest stable version of OpenWRT. :)
    Works with current stable version of “Attitude Adjustment”.

    Big thanks!

  5. ste (Author)

    @Chris

    Glad this guide was a help to you. If you have any other tips or suggestions on the set up, feel free to post them.

  6. alli

    Thanks for the great tutorial. My question: how to get it work with dynamic IP? Tried using noip.org service (free), but no luck :(

  7. Ido

    Thank you for your tutorial!
    But I’m looking for the same goals (tunneling my connections on the road through my vpn) without using the OpenVPN software, just connect with username and password on the regular windows settings for VPN.
    Thanks!

  8. ste (Author)

    @alli

    You mean that your router is on a dynamic IP? A lot of home services are technically on a dynamic IP, but it rarely changes. Is your router IP changing regularly. Mine usually goes for several months/years before changing.

    Out of curiosity, is the issue that the connection fails anytime the IP changes (without re-doing configuration) or just that you don’t know the IP address?

  9. ste (Author)

    @Ido

    I think you can achieve this using different protocols (L2TP, IPSec, etc.) but the configuration and firmware may need to change.

    If you find a good method for this, please post it here.

  10. George

    Hello and thank you very much for this nice tutorial.
    I managed to setup successfuly my openvpn network.
    One problem I have though is that when I am connecting from a network and checking the IP and when connected to my vpn through that network and check again the IP,is the same..
    Shouldn’t return the IP of my router?
    Note that tracert is different when connecting to vpn and when just connecting to a network.
    Can I do sth about that?

    Thank you!

  11. twinclouds

    Hi, Good tutorial.
    Before I try it, I would like to know a little more about your set up. I think you said your 192.168.99.x network is behind the 192.168.1.x network. Is this true? If it is, which network connects to internet (wan)? is the .1.x network or .99.x network? If it is the 192.168.1.x network, how are you going to open the 1194 port? You need to open it on both firewall (.1.x and .99.x)? Please correct me if I didn’t understand correctly. Thanks.

  12. twinclouds

    Hi.
    I would like to know your system’s topology. Looks like you have two lans: 192.168.1.x/192.168.99.x. Does your internet come into your 192.168.1.x lan’s wan port and your 192.168.99.x lan’s wan port connects to one of the port of the 192.168.1.x lan? If that is the case, do you have open the 1194 port on both lans? If it is not can you explain how the networks is set-up? Thanks.
    (I submitted a similar question but didn’t see it posted. If you already seen the previous one, you can ignore one of these two.)

  13. twinclouds

    @Ido
    I found PPTP is very easy to set up. It is not as reliable as Openvpn but it may be sufficient for you. Please take a look of this: http://www.howtogeek.com/51237/setting-up-a-vpn-pptp-server-on-debian/.

  14. twinclouds

    @alli
    Using noip, dyndns or similar should work. I have set up an openvpn server on a linux arm box and everything work out just fine.

  15. ste (Author)

    @twinclouds

    Sorry for the delay in replying to your comment. Hope this helps answer your question. When I was testing, I had the OpenWRT router running behind a second router. This second router’s WAN was connected to the Internet and my OpenWRT router’s WAN was connected to the “second router”

    OpenWRT (192.168.99.x) <===> Second Router (192.168.1.x) <===> Internet

    On the second router (the “outside one”), you are correct that you would need to open up the port 1194 on the firewall and point it to the OpenWRT’s LAN address on the (192.168.1.x) network. This type of setup may be common for those plugging in behind an “all in one” Cable Modem/Router/Switch. Will update the post as well.

    Let me know if this helps

  16. twinclouds

    @ste:
    Thanks. I only need to have an OpenVPN server on my network but not necessary to have a second router. So eventually, I set the Openwrt router as a node of the router connected to wan. Thus, I forwarded the port 1194 of the outer router directly to 1194 port of the node. Everything seems working now. Thank you for your reply anyway. I will ask you further questions if I encounter any problems.

  17. twinclouds

    @ste
    It works but I have one problem. The computer with the VPN client can access the local net devices when connected. However, it lost internet connection. Any ideas how to fix this?

  18. ste (Author)

    @twinclouds

    Sorry for the delay in responding - was traveling a bit.

    I’ve seen this happen occasionally with VPNs, but have not had this trouble with OpenVPN when running through OpenWRT. Does it happen on every network that you connect from? Have you tried connecting from another test network (e.g. coffee-shop, etc.)?

    The command listed above for option ‘push’ ‘redirect-gateway def1’ is supposed to push all traffic through the VPN router.

    Let me know if you figure out the issue.

  19. Chan

    Thanks for the detailed instructions. I’ve tried various other forums and I’ve gotten the nearest to having this all setup with this blog. However, my WAN IP doesn’t change after a successful connection and I’m unable to hit any of my internal LAN IPs. I’d really appreciate if you can help me resolve this.

    Tunnelblick 3.3beta44 (build3276) – OpenVPN 2.3.1
    Set DNS/WINS to Set nameserver (3.0b10)

    Server Config for firewall
    config rule
    option ‘name’ ‘OpenVPN’
    option ‘target’ ‘ACCEPT
    option ‘dest_port’ ‘1194’
    option ‘src’ ‘wan’
    option ‘proto’ ‘tcpudp’
    option ‘family’ ‘ipv4’

    Server Config for OpenVPN
    root@<OpenWRT>:~# cat /etc/config/openvpn

    config ‘openvpn’ ‘lan’
    option ‘enable’ ‘1’
    option ‘dev’ ‘tap0’
    option ‘persist_tun’ ‘1’
    option ‘persist_key’ ‘1’
    option ‘proto’ ‘udp’
    option ‘comp_lzo’ ‘1’
    option ‘verb’ ‘3’
    option ‘log’ ‘/tmp/openvpn.log’
    option ‘status’ ‘/tmp/openvpn-status.log’
    option ‘ca’ ‘/etc/openvpn/ca.crt’
    option ‘cert’ ‘/etc/openvpn/server.crt’
    option ‘key’ ‘/etc/openvpn/server.key’
    option ‘server_bridge’ ’192.168.1.1 255.255.255.0 192.168.1.200 192.168.1.219’
    option ‘port’ ‘1194’
    option ‘ifconfig_pool_persist’ ‘/tmp/ipp.txt’
    option ‘keepalive’ ’10 120’
    option ‘dh’ ‘/etc/openvpn/dh1024.pem’
    option ‘push’ ‘redirect-gateway def1’
    list ‘push’ ‘dhcp-option DNS 192.168.1.1’

    Client Config (Tunnelblick)
    client
    tls-client
    dev tap
    proto udp
    remote <WAN IP> 1194
    remote-cert-tls server
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    pkcs12 user1.p12
    comp-lzo
    verb 3

    Client Logs:
    2014-07-13 10:21:00 *Tunnelblick: openvpnstart starting OpenVPN: * /Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.3.1/openvpn —cd /Library/Application Support/Tunnelblick/Users/<username>/Atmun1.tblk/Contents/Resources —daemon —management 127.0.0.1 1337 —config /Library/Application Support/Tunnelblick/Users/<username>/Atmun1.tblk/Contents/Resources/config.ovpn —log /Library/Application Support/Tunnelblick/Logs/-SUsers-S<username>-SLibrary-SApplication Support-STunnelblick-SConfigurations-SAtmun1.tblk-SContents-SResources-Sconfig.ovpn.9_0_1_1_882.1337.openvpn.log —management-query-passwords —management-hold —redirect-gateway def1 —script-security 2 —up /Applications/Tunnelblick.app/Contents/Resources/client.2.up.tunnelblick.sh -w -d -a -f -atADGNWradsgnw —down /Applications/Tunnelblick.app/Contents/Resources/client.2.down.tunnelblick.sh -w -d -a -f -atADGNWradsgnw —up-restart
    2014-07-13 10:21:01 *Tunnelblick: Established communication with OpenVPN
    2014-07-13 10:21:01 OpenVPN 2.3.1 i386-apple-darwin10.8.0 [SSL (OpenSSL)] [LZO] [PKCS11] [eurephia] [MH] [IPv6] built on Apr 8 2013
    2014-07-13 10:21:01 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:1337
    2014-07-13 10:21:01 Need hold release from management interface, waiting…
    2014-07-13 10:21:01 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:1337
    2014-07-13 10:21:01 MANAGEMENT: CMD ‘pid’
    2014-07-13 10:21:01 MANAGEMENT: CMD ‘state on’
    2014-07-13 10:21:01 MANAGEMENT: CMD ‘state’
    2014-07-13 10:21:01 MANAGEMENT: CMD ‘bytecount 1’
    2014-07-13 10:21:01 MANAGEMENT: CMD ‘hold release’
    2014-07-13 10:21:01 NOTE: the current —script-security setting may allow this configuration to call user-defined scripts
    2014-07-13 10:21:04 MANAGEMENT: CMD ‘password […]’
    2014-07-13 10:21:04 WARNING: this configuration may cache passwords in memory — use the auth-nocache option to prevent this
    2014-07-13 10:21:04 Socket Buffers: R=[196724->65536] S=[9216->65536]
    2014-07-13 10:21:04 UDPv4 link local: [undef]
    2014-07-13 10:21:04 UDPv4 link remote: [AF_INET]<WAN IP>:1194
    2014-07-13 10:21:04 MANAGEMENT: >STATE:1405272064,WAIT,,,
    2014-07-13 10:21:04 MANAGEMENT: >STATE:1405272064,AUTH,,,
    2014-07-13 10:21:04 TLS: Initial packet from [AF_INET]<WAN IP>:1194, sid=d69d5d33 0d40ac3e
    2014-07-13 10:21:04 VERIFY OK: depth=1, C=US, ST=CA, L=<l>, O=<o>, OU=<ou>, CN=user1, name=user1, emailAddress=<email>
    2014-07-13 10:21:04 Validating certificate key usage
    2014-07-13 10:21:04 ++ Certificate has key usage 00a0, expects 00a0
    2014-07-13 10:21:04 VERIFY KU OK
    2014-07-13 10:21:04 Validating certificate extended key usage
    2014-07-13 10:21:04 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
    2014-07-13 10:21:04 VERIFY EKU OK
    2014-07-13 10:21:04 VERIFY OK: depth=0, C=US, ST=CA, L=<l>, O=<o>, OU=<ou>, CN=server, name=server, emailAddress=<email>
    2014-07-13 10:21:05 Data Channel Encrypt: Cipher ‘BF-CBC’ initialized with 128 bit key
    2014-07-13 10:21:05 Data Channel Encrypt: Using 160 bit message hash ‘SHA1’ for HMAC authentication
    2014-07-13 10:21:05 Data Channel Decrypt: Cipher ‘BF-CBC’ initialized with 128 bit key
    2014-07-13 10:21:05 Data Channel Decrypt: Using 160 bit message hash ‘SHA1’ for HMAC authentication
    2014-07-13 10:21:05 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
    2014-07-13 10:21:05 [server] Peer Connection Initiated with [AF_INET]<WAN IP>:1194
    2014-07-13 10:21:06 MANAGEMENT: >STATE:1405272066,GET_CONFIG,,,
    2014-07-13 10:21:07 SENT CONTROL [server]: ‘PUSH_REQUEST’ (status=1)
    2014-07-13 10:21:07 PUSH: Received control message: ‘PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 192.168.1.1,route-gateway 192.168.1.1,ping 10,ping-restart 120,ifconfig 192.168.1.200 255.255.255.0’
    2014-07-13 10:21:07 OPTIONS IMPORT: timers and/or timeouts modified
    2014-07-13 10:21:07 OPTIONS IMPORT: —ifconfig/up options modified
    2014-07-13 10:21:07 OPTIONS IMPORT: route options modified
    2014-07-13 10:21:07 OPTIONS IMPORT: route-related options modified
    2014-07-13 10:21:07 OPTIONS IMPORT: —ip-win32 and/or —dhcp-option options modified
    2014-07-13 10:21:07 TUN/TAP device /dev/tap0 opened
    2014-07-13 10:21:07 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    2014-07-13 10:21:07 MANAGEMENT: >STATE:1405272067,ASSIGN_IP,,192.168.1.200,
    2014-07-13 10:21:07 /sbin/ifconfig tap0 delete ifconfig: ioctl (SIOCDIFADDR): Can’t assign requested address
    2014-07-13 10:21:07 NOTE: Tried to delete pre-existing tun/tap instance — No Problem if failure
    2014-07-13 10:21:07 /sbin/ifconfig tap0 192.168.1.200 netmask 255.255.255.0 mtu 1500 up
    2014-07-13 10:21:07 /Applications/Tunnelblick.app/Contents/Resources/client.2.up.tunnelblick.sh -w -d -a -f -atADGNWradsgnw tap0 1500 1574 192.168.1.200 255.255.255.0 init
    2014-07-13 10:21:08 /sbin/route add -net <WAN IP> 192.168.1.1 255.255.255.255 add net <WAN IP>: gateway 192.168.1.1
    2014-07-13 10:21:08 /sbin/route add -net 0.0.0.0 192.168.1.1 128.0.0.0 add net 0.0.0.0: gateway 192.168.1.1
    2014-07-13 10:21:08 /sbin/route add -net 128.0.0.0 192.168.1.1 128.0.0.0 add net 128.0.0.0: gateway 192.168.1.1
    2014-07-13 10:21:08 Initialization Sequence Completed
    2014-07-13 10:21:08 MANAGEMENT: >STATE:1405272068,CONNECTED,SUCCESS,192.168.1.200,<WAN IP>
    2014-07-13 10:21:14 *Tunnelblick: This computer’s apparent public IP address (<MiFi WAN IP>) was unchanged after the connection was made

    Server Logs
    root@<OpenWrt>:~# cat /tmp/openvpn.log
    Sun Jul 13 10:20:18 2014 MULTI: multi_create_instance called
    Sun Jul 13 10:20:18 2014 <MiFi WAN IP>:12650 Re-using SSL/TLS context
    Sun Jul 13 10:20:18 2014 <MiFi WAN IP>:12650 LZO compression initialized
    Sun Jul 13 10:20:18 2014 <MiFi WAN IP>:12650 Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Sun Jul 13 10:20:18 2014 <MiFi WAN IP>:12650 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
    Sun Jul 13 10:20:18 2014 <MiFi WAN IP>:12650 TLS: Initial packet from <MiFi WAN IP>:12650, sid=099f1afb 1c3d76f7
    Sun Jul 13 10:20:19 2014 <MiFi WAN IP>:12650 VERIFY OK: depth=1, /C=US/ST=CA/L=<l>/O=<o>/OU=<ou>/CN=user1/name=user1/emailAddress=<email>
    Sun Jul 13 10:20:19 2014 <MiFi WAN IP>:12650 VERIFY OK: depth=0, /C=US/ST=CA/L=<l>/O=<o>/OU=<ou>/CN=user1/emailAddress=<email>
    Sun Jul 13 10:20:19 2014 <MiFi WAN IP>:12650 Data Channel Encrypt: Cipher ‘BF-CBC’ initialized with 128 bit key
    Sun Jul 13 10:20:19 2014 <MiFi WAN IP>:12650 Data Channel Encrypt: Using 160 bit message hash ‘SHA1’ for HMAC authentication
    Sun Jul 13 10:20:19 2014 <MiFi WAN IP>:12650 Data Channel Decrypt: Cipher ‘BF-CBC’ initialized with 128 bit key
    Sun Jul 13 10:20:19 2014 <MiFi WAN IP>:12650 Data Channel Decrypt: Using 160 bit message hash ‘SHA1’ for HMAC authentication
    Sun Jul 13 10:20:19 2014 <MiFi WAN IP>:12650 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
    Sun Jul 13 10:20:19 2014 <MiFi WAN IP>:12650 [user1] Peer Connection Initiated with <MiFi WAN IP>:12650
    Sun Jul 13 10:20:19 2014 MULTI: new connection by client ‘user1’ will cause previous active sessions by this client to be dropped. Remember to use the —duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
    Sun Jul 13 10:20:22 2014 user1/<MiFi WAN IP>:12650 PUSH: Received control message: ‘PUSH_REQUEST’
    Sun Jul 13 10:20:22 2014 user1/<MiFi WAN IP>:12650 SENT CONTROL [user1]: ‘PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 192.168.1.1,route-gateway 192.168.1.1,ping 10,ping-restart 120,ifconfig 192.168.1.200 255.255.255.0’ (status=1)
    Sun Jul 13 10:20:22 2014 user1/<MiFi WAN IP>:12650 MULTI: Learn: <MAC ADDR> -> user1/<MiFi WAN IP>:12650

    root@<OpenWRT>:~# cat /tmp/openvpn-status.log
    OpenVPN CLIENT LIST
    Updated,Sun Jul 13 10:42:05 2014
    Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
    user1,<MiFi WAN IP>:12650,28411,80825,Sun Jul 13 10:20:18 2014
    ROUTING TABLE
    Virtual Address,Common Name,Real Address,Last Ref
    <MAC ADDR>,user1,<MiFi WAN IP>:12650,Sun Jul 13 10:20:33 2014
    GLOBAL STATS
    Max bcast/mcast queue length,1
    END

  20. RangerZ

    Hi
    I am trying to get OpenVPN running on OpenWRT. I had poor performance with DD-WRT on an Buffalo WZR-HP-G300NH, about 2MBps. not usable. Can you comment on your performance w/ DD-WRT

    I have a Primary Router that only acts as a router (DD-WRT). Only what needs to be there. I have a separate AP, 2 OpenVPN routers (TAP for windows, TUN for iPhone) behind the primary router with static IP in the primary routers subnet. Installing a PC-engines ALIX as it has HW encryption supported in Open-WRT, not in DD-WRT. Hoping to improve performance.

    Want to make sure I have the correct port forwards, firewall rules, etc on the right boxes. I think this is what you are basically doing with the two routers above. Just want to be sure. Not clear on why you have your main router at a different ip than the VPN router under TAP. I thought this was only needed under TUN. I just allocate a different IP range than my static and DHCP to the Open VPN (Static 20-99, DHCP 100-110, VPN 200-210)

    If possible I would like to condense my environment down to one TUN based router for both iPhone and Windows, but have not been able to get the TUN devices to see the LAN in DD-WRT Do you know if I will get the check box under the LAN adapter if I create a TUN interface?

    Thanks… RangerZ

  21. bobbybobby

    i get this error:
    Apr 3 01:35:05 OpenWrt daemon.notice openvpn(lan)1161: 192.168.1.124:51225 Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Apr 3 01:35:05 OpenWrt daemon.notice openvpn(lan)1161: 192.168.1.124:51225 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
    Apr 3 01:35:05 OpenWrt daemon.notice openvpn(lan)1161: 192.168.1.124:51225 TLS: Initial packet from 192.168.1.124:51225, sid=b6318bd6 e6f8011a
    Apr 3 01:36:05 OpenWrt daemon.err openvpn(lan)1161: 192.168.1.124:51225 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Apr 3 01:36:05 OpenWrt daemon.err openvpn(lan)1161: 192.168.1.124:51225 TLS Error: TLS handshake failed
    Apr 3 01:36:05 OpenWrt daemon.notice openvpn(lan)1161: 192.168.1.124:51225 SIGUSR1[soft,tls-error] received, client-instance restarting
    Apr 3 01:36:06 OpenWrt daemon.notice openvpn(lan)1161: MULTI: multi_create_instance called
    Apr 3 01:36:06 OpenWrt daemon.notice openvpn(lan)1161: 192.168.1.124:57965 Re-using SSL/TLS context
    Apr 3 01:36:06 OpenWrt daemon.notice openvpn(lan)1161: 192.168.1.124:57965 LZO compression initialized
    Apr 3 01:36:06 OpenWrt daemon.notice openvpn(lan)1161: 192.168.1.124:57965 Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Apr 3 01:36:06 OpenWrt daemon.notice openvpn(lan)1161: 192.168.1.124:57965 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
    Apr 3 01:36:06 OpenWrt daemon.notice openvpn(lan)1161: 192.168.1.124:57965 TLS: Initial packet from 192.168.1.124:57965, sid=d6ef804e b7ad21c0
    Apr 3 01:37:06 OpenWrt daemon.err openvpn(lan)1161: 192.168.1.124:57965 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Apr 3 01:37:06 OpenWrt daemon.err openvpn(lan)1161: 192.168.1.124:57965 TLS Error: TLS handshake failed
    Apr 3 01:37:06 OpenWrt daemon.notice openvpn(lan)1161: 192.168.1.124:57965 SIGUSR1[soft,tls-error] received, client-instance restarting
    Apr 3 01:37:09 OpenWrt daemon.notice openvpn(lan)1161: MULTI: multi_create_instance called
    Apr 3 01:37:09 OpenWrt daemon.notice openvpn(lan)1161: 192.168.1.124:57965 Re-using SSL/TLS context
    Apr 3 01:37:09 OpenWrt daemon.notice openvpn(lan)1161: 192.168.1.124:57965 LZO compression initialized
    Apr 3 01:37:09 OpenWrt daemon.notice openvpn(lan)1161: 192.168.1.124:57965 Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Apr 3 01:37:09 OpenWrt daemon.notice openvpn(lan)1161: 192.168.1.124:57965 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
    Apr 3 01:37:09 OpenWrt daemon.notice openvpn(lan)1161: 192.168.1.124:57965 TLS: Initial packet from 192.168.1.124:57965, sid=16aed019 ffc3d3d5
    Apr 3 01:38:09 OpenWrt daemon.err openvpn(lan)1161: 192.168.1.124:57965 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Apr 3 01:38:09 OpenWrt daemon.err openvpn(lan)1161: 192.168.1.124:57965 TLS Error: TLS handshake failed
    Apr 3 01:38:09 OpenWrt daemon.notice openvpn(lan)1161: 192.168.1.124:57965 SIGUSR1[soft,tls-error] received, client-instance restarting

    any help?????

  22. Gil

    It works for me, many thanks.
    However I would like to connect 2 routers via the tunnel.
    Can you help me further with the client config for an openwrt luci router. I think my firewall / routing rules need further configuring? thanks

  23. john

    Hi. nice tutorial. i am trying to follow the guide, but i cannot see anywhere in my config of interfaces the tap0. how do i create it, please?

  24. jone liu

    Thank you very much for writing such a good document. I now have a question to ask you. Now the client key is PCKS12 format, and this key format can limit the key from one client to another. Do you know that? Thank you

Comment

Enter your comment below. Fields marked * are required. You must preview your comment before submitting it.





Comments

← Older Newer →