OpenWrt Forum Archive

Topic: Optimized and feature rich trunk build for select routers

The content of this topic has been archived between 20 Aug 2014 and 5 May 2018. Unfortunately there are posts – most likely complete pages – missing.

Found the problem, try again now :)

ok that fixed the first now here is the next message

root@OpenWrt tmp# opkg install kmod-crypto-authenc
Installing kmod-crypto-authenc (3.10.36-1) to root...
Downloading http://enduser.subsignal.org/~trondah/r … r71xx.ipk.
Configuring kmod-crypto-authenc.
kmod: failed to insert /lib/modules/3.10.36/authenc.ko

Yeah, I noticed that. If you look at dmesg then you will see there is an unknown symbol crypto_aead_type, which means there is another module required. Maybe there's a dependency lacking for the kmod-crypto-authenc package. Try installing kmod-ipsec and modprobe it after.

(Last edited by arokh on 23 Jun 2014, 00:09)
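
The "unknown symbol" hint above is worth turning into a repeatable check. This is an added example, not code from the build or from OpenWrt: it reads the kernel's "Unknown symbol" lines, maps each symbol to the module that exports it through the modules.symbols file depmod writes (assumed to be present under /lib/modules/3.10.36/; a minimal image may not ship it), and walks modules.dep to produce the insmod order. The three file excerpts are constructed samples; that aead.ko is the exporter of crypto_aead_type is an assumption of the sample data, not something the thread establishes.

```python
"""Map 'Unknown symbol' failures from dmesg to the modules that export
those symbols, and derive the load order modules.dep implies.
Constructed sample data throughout; real files live under
/lib/modules/<kernel>/ and are written by depmod."""
import re

# Constructed sample of modules.dep: "<module>: <dep> <dep> ..."
MODULES_DEP = """\
kernel/crypto/authenc.ko: kernel/crypto/aead.ko
kernel/crypto/aead.ko:
kernel/net/xfrm/xfrm_algo.ko:
"""

# Constructed sample of modules.symbols: "alias symbol:<sym> <module>"
MODULES_SYMBOLS = """\
alias symbol:crypto_aead_type aead
alias symbol:crypto_givcipher_type aead
alias symbol:xfrm_aalg_get_byname xfrm_algo
"""

# Constructed dmesg excerpt in the form a 3.x kernel prints; the last
# symbol is made up so the unresolved case is exercised too.
DMESG = """\
[  120.123456] authenc: Unknown symbol crypto_aead_type (err 0)
[  120.123789] authenc: Unknown symbol crypto_givcipher_type (err 0)
[  121.000000] authenc: Unknown symbol some_symbol_nobody_exports (err 0)
"""

UNKNOWN_SYMBOL_RE = re.compile(r"\b(\w+): Unknown symbol (\w+)")


def module_name(path):
    """'kernel/crypto/aead.ko' -> 'aead' (the name dmesg and insmod use)."""
    name = path.rsplit("/", 1)[-1]
    return name[:-3] if name.endswith(".ko") else name


def parse_modules_dep(text):
    """modules.dep -> {module: [modules that must be inserted before it]}."""
    deps = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        mod, _, rest = line.partition(":")
        deps[module_name(mod.strip())] = [module_name(d) for d in rest.split()]
    return deps


def parse_modules_symbols(text):
    """modules.symbols -> {exported symbol: module providing it}."""
    providers = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "alias" and parts[1].startswith("symbol:"):
            providers[parts[1][len("symbol:"):]] = parts[2]
    return providers


def unknown_symbols(dmesg):
    """[(failing module, missing symbol), ...] from the kernel log."""
    return UNKNOWN_SYMBOL_RE.findall(dmesg)


def load_order(target, deps):
    """Dependencies first, target last: post-order DFS over modules.dep.
    insmod loads exactly the file it is given, so this is the order you
    would have to insmod by hand. A cycle (never produced by depmod, but
    possible in a hand-edited file) raises instead of looping."""
    order, state = [], {}

    def visit(mod):
        if state.get(mod) == "done":
            return
        if state.get(mod) == "visiting":
            raise ValueError("dependency cycle at " + mod)
        state[mod] = "visiting"
        for dep in deps.get(mod, []):
            visit(dep)
        state[mod] = "done"
        order.append(mod)

    visit(target)
    return order


def diagnose(dmesg, symbols_text, dep_text):
    """Per failing module: which modules export the symbols it lacked,
    which symbols nothing on disk exports, and the implied insmod order."""
    providers = parse_modules_symbols(symbols_text)
    deps = parse_modules_dep(dep_text)
    report = {}
    for failing, sym in unknown_symbols(dmesg):
        entry = report.setdefault(failing, {"needs": set(), "unresolved": set()})
        if sym in providers:
            entry["needs"].add(providers[sym])
        else:
            entry["unresolved"].add(sym)
    for failing, entry in report.items():
        entry["needs"] = sorted(entry["needs"])
        entry["unresolved"] = sorted(entry["unresolved"])
        entry["load_order"] = load_order(failing, deps)
    return report


if __name__ == "__main__":
    for mod, info in diagnose(DMESG, MODULES_SYMBOLS, MODULES_DEP).items():
        print(mod, info)
```

A symbol that lands in "unresolved" means no module on the device exports it at all, so no load order will help; that is the case where the kernel config or the package set itself is missing something, as opposed to the package merely lacking a dependency line.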

I'm back.

What in the world did you do to the IPs? I thought that you were going to change the OpenVPN IP to 10.1.1.1, not the router's IP... Also, 192.168.100.1 is the most common IP address for cable modems in the United States, so that was a bad choice for the OpenVPN server IP.

I am not sure how to use modprobe exactly. strongswan installs kmod-ipsec according to the opkg output.

As far as OpenVPN goes, the latest update seems to fix the problem, and now at home I get a green icon in Windows 8. I will try this away from home to see if it still works.

The idea was a simple address for the router and a distinct address for the VPN that will be easy to differentiate in a tcpdump, for instance. Didn't know 192.168.100 was used for cable modems, I'll pick something new for the next one then ;)

Please, leave the default router IP as 192.168.1.1. I think anyone who is smart enough to know how to flash this build is smart enough to remember the default IP for most routers. I'd just change the OpenVPN server IP to 10.1.1.1 and change the default router IP back to the old one.

Stop making sense :) You're right, anyone with half a brain can change the default. Didn't quite think that one through; people might get confused by the documentation on the wiki etc. I'll revert to the default and just use 10.1.1.x for the VPN then.

Rebuilding 41302 with sane defaults lol. Let's try and settle on this then :)

Did anyone try to use the VPN from a 192.168.1.x network? Wondering if that will work correctly. Not sure if the redirect gateway will override the local route and let you access servers on the remote 192.168.1.x network.

(Last edited by arokh on 23 Jun 2014, 08:10)

OK, so I have a slight issue. I am testing the VPN and can connect and ping some devices, but a device that has an IP of 192.168.2.248 cannot be pinged from the VPN connection. I can ping 192.168.2.1 and 192.168.2.131 just fine, and I can SSH into the router and the router can ping 192.168.2.248 just fine. What log can I look at to find out why it is not pinging?

One other thing about the web interface, and it is a slight issue: it does not work with a touchscreen system, since the menus only come down on hover and touchscreens do not hover. A click menu would work fine for the touchscreen devices that I use.

(Last edited by wesleyhey on 23 Jun 2014, 15:36)

I didn't quite understand your problem. My build is configured to use 192.168.2.1 for server and 192.168.2.1 for the client. The LAN is on 192.168.1.x. It should work out of the box, just copy the .ovpn to the client. If you made changes you are on your own.

About the web interface, create a ticket or something. I'm not a developer and do not code any of the stuff in this build.

(Last edited by arokh on 23 Jun 2014, 16:05)

alphasparc wrote:

I have a quick fix for the LuCI menu hyperlink behaviour.

Intro:
The menu hyperlink is useless. Why? Because it simply hyperlinks to the first child dropdown, which already has a hyperlink itself?!
On touchscreen devices this prevents you from accessing the child dropdown!
So I have 2 web fixes here.
In the Bootstrap header.htm
Change <a class="menu" href="<%=pcdata(href)%>"> to this: <a class="menu">
The href is the culprit.
However, if you do that the cursor changes to an ugly text pointer; we want the hand pointer back.
In Bootstrap we add this in cascade.css
In this element => a.menu:after, .dropdown-toggle:after
Add => cursor: pointer;

Solved! And now it doesn't do a redundant hyperlink, and at the same time it solved the cursor issue!
Also I'd like to take this opportunity to highlight this issue I have reported
http://luci.subsignal.org/trac/ticket/556
I already included the screenshot.
If you do a Ctrl+F5 in Firefox you notice that you can't see anything you type in the zonebadge.
I already included the solution (change the em value), so please commit. I hate to do manual patching every time I compile a build.

OK, hopefully this clears it up a little.
My home network IP range is 192.168.2.1-254.
The VPN IP is 192.168.100.1.
The problem is: if I VPN in to the home network I can ping 192.168.2.1 and 192.168.2.131 (both Linux OS), but when I ping a Windows machine from the computer that I am using remotely I cannot ping the Windows system, which is 192.168.2.248.

I CAN SSH into the router at 192.168.2.1 and ping 192.168.2.248 just fine.
I am not sure if this is a router firewall issue or something else, but this problem only occurs when I am using the VPN; it works fine when I get home.

(Last edited by wesleyhey on 23 Jun 2014, 17:58)

If you can ping .131 there is no reason you should not be able to ping .248. Windows firewall perhaps allowing the LAN but nothing else?

If that is the case then why would it ping from the router, and on the same system when at home? It only has a problem when I use the OpenVPN connection. When I tracert it, it shows 192.168.100.1 but then dies there. Are there some logs on the router that would show why it is blocked or if it is going through?

Also, can you make the change using the fix suggested above?

(Last edited by wesleyhey on 23 Jun 2014, 21:23)

Because the router is on its own network. I don't use Windows so I don't know how the firewall works, but it could be set up to put your home network in a trusted zone, I guess. Like I said, they're both on the same layer 2+3 network, right, so why would one answer and the other one not? Just do a tcpdump on br-lan to see if the traffic goes through, which I'm guessing it does.

That fix should end up in git soon enough, not pressing enough to start manually patching.

(Last edited by arokh on 23 Jun 2014, 21:52)

OK, here is an odd one: when using the VPN at home I can ping 192.168.2.1, but the tracert shows it is putting it through 192.168.2.1 for resolution and path; when on the VPN it is using 192.168.100.1 as the path and trying to resolve. I will try another network and will check my firewall settings, but is OpenVPN not being treated as a local connection? Why would it work at home but not outside the network?

OpenVPN does not redirect all the traffic over the VPN, so I cannot do a true test at home. What do I need to set to force it to send everything over the VPN connection, as I cannot do true testing at home? If I tcpdump vpn0 then I see no traffic while pinging at home. I will have to test tomorrow when I have another connection.


What in OpenVPN would make this machine look different on the system that I am pinging than it does at home?


EDIT
OK, I installed on another system. For some reason I see no ping traffic from the VPN on br-lan; I do see this on tun0:
17:19:46.829643 IP 192.168.100.2 > HOMEMC.lan: ICMP echo request, id 1, seq 53, length 40

I see no traffic across br-lan that matches this.

Here is the firewall startup; could one of these messages be an issue?

root@OpenWrt config# /etc/init.d/firewall restart
Warning: Unable to locate ipset utility, disabling ipset support
Warning: Option @forwarding[3].forward is unknown
* Flushing IPv4 filter table
* Flushing IPv4 nat table
* Flushing IPv4 mangle table
* Flushing IPv4 raw table
* Flushing IPv6 filter table
* Flushing IPv6 mangle table
* Flushing IPv6 raw table
* Flushing conntrack table ...
* Populating IPv4 filter table
   * Zone 'lan'
   * Zone 'vpn'
   * Zone 'wan'
   * Rule 'Allow-DHCP-Renew'
   * Rule 'Allow-Ping'
   * Rule 'Allow OpenVPN'
   * Rule #6
   * Redirect 'Redirect UDP port 443 to OpenVPN'
   * Forward 'lan' -> 'wan'
   * Forward 'vpn' -> 'wan'
   * Forward 'vpn' -> 'lan'
   * Forward 'lan' -> 'vpn'
* Populating IPv4 nat table
   * Zone 'lan'
   * Zone 'vpn'
   * Zone 'wan'
   * Redirect 'Redirect UDP port 443 to OpenVPN'
* Populating IPv4 mangle table
   * Zone 'lan'
   * Zone 'vpn'
   * Zone 'wan'
* Populating IPv4 raw table
   * Zone 'lan'
   * Zone 'vpn'
   * Zone 'wan'
* Populating IPv6 filter table
   * Zone 'lan'
   * Zone 'vpn'
   * Zone 'wan'
   * Rule 'Allow-DHCPv6'
   * Rule 'Allow-ICMPv6-Input'
   * Rule 'Allow-ICMPv6-Forward'
   * Rule 'Allow OpenVPN'
   * Rule #6
   * Forward 'lan' -> 'wan'
   * Forward 'vpn' -> 'wan'
   * Forward 'vpn' -> 'lan'
   * Forward 'lan' -> 'vpn'
* Populating IPv6 mangle table
   * Zone 'lan'
   * Zone 'vpn'
   * Zone 'wan'
* Populating IPv6 raw table
   * Zone 'lan'
   * Zone 'vpn'
   * Zone 'wan'
* Set tcp_ecn to off
* Set tcp_syncookies to on
* Set tcp_window_scaling to on
* Running script '/etc/firewall.user'
* Running script '/usr/share/miniupnpd/firewall.include'
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
ip6tables: No chain/target/match by that name.
   ! Failed with exit code 1

(Last edited by wesleyhey on 24 Jun 2014, 02:05)
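
The tcpdump comparison arokh suggested (tun0 versus br-lan) answers "where did the packet die?" only if the two captures are correlated request by request. The following is an added example, not part of the thread or of the build: it parses tcpdump's ICMP echo lines, matches requests and replies across the two interfaces by the (id, seq) pair, and names the point of loss. The two captures are constructed samples modelled on the line quoted in the post above (HOMEMC.lan and 192.168.2.248 are taken from the thread; the timestamps, the other sequence numbers and the DNS line are made up).

```python
"""Correlate ICMP echo requests seen on tun0 with what reaches br-lan,
to tell a router-side drop from a host-side one. Constructed captures;
on the router you would collect them with
    tcpdump -ni tun0 icmp   and   tcpdump -ni br-lan icmp
(-n keeps tcpdump from resolving names, but the parser accepts both forms)."""
import re

ICMP_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): ICMP echo (?P<kind>request|reply), "
    r"id (?P<id>\d+), seq (?P<seq>\d+), length (?P<len>\d+)"
)

# Constructed: what the tunnel interface saw during one ping run.
TUN0_CAPTURE = """\
17:19:46.829643 IP 192.168.100.2 > HOMEMC.lan: ICMP echo request, id 1, seq 53, length 40
17:19:47.831002 IP 192.168.100.2 > HOMEMC.lan: ICMP echo request, id 1, seq 54, length 40
17:19:48.832117 IP 192.168.100.2 > 192.168.2.131: ICMP echo request, id 1, seq 55, length 40
17:19:48.832901 IP 192.168.2.131 > 192.168.100.2: ICMP echo reply, id 1, seq 55, length 40
17:19:49.833250 IP 192.168.100.2 > 192.168.2.248: ICMP echo request, id 1, seq 57, length 40
17:19:49.833300 IP 192.168.100.2.49152 > 192.168.2.1.53: 12345+ A? example.lan. (29)
"""

# Constructed: what the LAN bridge saw in the same window.
BR_LAN_CAPTURE = """\
17:19:47.831150 IP 192.168.100.2 > HOMEMC.lan: ICMP echo request, id 1, seq 54, length 40
17:19:47.831600 IP HOMEMC.lan > 192.168.100.2: ICMP echo reply, id 1, seq 54, length 40
17:19:48.832260 IP 192.168.100.2 > 192.168.2.131: ICMP echo request, id 1, seq 55, length 40
17:19:48.832800 IP 192.168.2.131 > 192.168.100.2: ICMP echo reply, id 1, seq 55, length 40
17:19:49.833390 IP 192.168.100.2 > 192.168.2.248: ICMP echo request, id 1, seq 57, length 40
"""


def echoes(capture):
    """Set of ((id, seq), kind) for every ICMP echo line; other traffic is ignored."""
    seen = set()
    for line in capture.splitlines():
        m = ICMP_RE.match(line)
        if m:
            seen.add(((int(m["id"]), int(m["seq"])), m["kind"]))
    return seen


def classify(tun_capture, lan_capture):
    """Follow each request from tun0 through br-lan and back.

    dropped_by_router   request never appeared on br-lan: the router did not
                        forward it (firewall forward vpn->lan, or routing)
    no_reply_from_host  forwarded onto the LAN, target never answered
                        (host down or its own firewall ignored the probe)
    reply_not_returned  target answered on the LAN but the reply never made
                        it back onto tun0 (return route or NAT problem)
    ok                  request and reply seen on both sides
    """
    tun, lan = echoes(tun_capture), echoes(lan_capture)
    verdicts = {}
    for key, kind in sorted(tun):
        if kind != "request":
            continue
        if (key, "request") not in lan:
            verdicts[key] = "dropped_by_router"
        elif (key, "reply") not in lan:
            verdicts[key] = "no_reply_from_host"
        elif (key, "reply") not in tun:
            verdicts[key] = "reply_not_returned"
        else:
            verdicts[key] = "ok"
    return verdicts


if __name__ == "__main__":
    for (icmp_id, seq), verdict in classify(TUN0_CAPTURE, BR_LAN_CAPTURE).items():
        print(f"id {icmp_id} seq {seq}: {verdict}")
```

Two of the verdicts map directly onto the two explanations offered in the thread: "dropped_by_router" is the firewall-rule case, and "no_reply_from_host" is the Windows-firewall case. On the latter, the Windows inbound ICMPv4 echo rule for the Private profile is scoped to "Local subnet" by default, and a probe arriving from the VPN range is not in the target's subnet, which is why the same host answers the router but not the VPN client.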

OpenVPN does redirect everything through the VPN; that is what the redirect-gateway directive is for. Like I said, there is nothing in OpenVPN to differentiate IP addresses. If it stops at the router then I can only assume that you have some rule denying the traffic.

Reset the router and try again with default settings, it should work out of the box.

(Last edited by arokh on 24 Jun 2014, 08:23)
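
Both the redirect-gateway point above and the earlier question of whether the VPN works from a client that is itself on a 192.168.1.x network come down to one rule: the kernel picks the most specific matching route. This is an added example, not from the build or from OpenVPN: it reproduces the routing table an OpenVPN client is left with after `redirect-gateway def1` and runs longest-prefix match over it. The VPN range 10.1.1.0/24 matches the thread; the interface names, the client-side gateway and the server address 203.0.113.10 are assumptions.

```python
"""Longest-prefix match over an OpenVPN client's routes after
'redirect-gateway def1', showing why a remote LAN that shares the
client's own 192.168.1.0/24 is unreachable even though everything
else goes through the tunnel. Addresses are assumptions."""
import ipaddress

VPN_NET, VPN_GW, SERVER_IP = "10.1.1.0/24", "10.1.1.1", "203.0.113.10"  # assumed


def lookup(routes, dst):
    """Return (via, dev) for dst: the longest matching prefix wins, as in the
    Linux FIB; the metric only breaks ties between equally long prefixes."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, via, dev, metric in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net:
            rank = (net.prefixlen, -metric)
            if best is None or rank > best[0]:
                best = (rank, via, dev)
    return None if best is None else (best[1], best[2])


def client_routes(local_lan, local_gw, vpn_net, vpn_gw, server_ip):
    """Routes on a connected client. def1 does not replace the default route;
    it adds 0.0.0.0/1 and 128.0.0.0/1 via the tunnel, which beat the /0, plus
    a /32 to the VPN server so the tunnel's own UDP keeps using the uplink."""
    return [
        ("0.0.0.0/0",       local_gw, "eth0", 100),  # original default, untouched
        (local_lan,         None,     "eth0", 100),  # connected LAN, added by the kernel
        (server_ip + "/32", local_gw, "eth0", 0),    # VPN endpoint stays off-tunnel
        (vpn_net,           None,     "tun0", 0),    # tunnel subnet
        ("0.0.0.0/1",       vpn_gw,   "tun0", 0),    # def1: lower half of the Internet
        ("128.0.0.0/1",     vpn_gw,   "tun0", 0),    # def1: upper half
    ]


def goes_over_vpn(local_lan, local_gw, target):
    """True if traffic to target leaves through tun0 from a client on local_lan."""
    routes = client_routes(local_lan, local_gw, VPN_NET, VPN_GW, SERVER_IP)
    _via, dev = lookup(routes, target)
    return dev == "tun0"


if __name__ == "__main__":
    # Client on some other network: the remote LAN host is reachable.
    print(goes_over_vpn("192.168.0.0/24", "192.168.0.1", "192.168.1.50"))  # True
    # Client on a network that is also 192.168.1.0/24: its connected /24
    # (prefix length 24) beats the tunnel's /1 routes, so the packet
    # stays local and the remote host is never reached.
    print(goes_over_vpn("192.168.1.0/24", "192.168.1.1", "192.168.1.50"))  # False
```

The second case cannot be fixed by redirect-gateway, since that only adds /1 routes. A server-pushed host route (`push "route 192.168.1.50 255.255.255.255"`) would win against the client's /24 for that one address, but the robust fix is the one settled on earlier in the thread: keep the VPN on a range unlikely to collide with the networks clients connect from.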

Rebuilt 41302 with the proper miniupnpd fix. Also removed a couple of unnecessary forward rules and added support for /proc/config.gz.

Is there a reason why you use tun instead of tap with OpenVPN?

The local firewall of the system blocks the packet as it does not show up using what the machine would expect ping to come over.

According to OpenVPN, they recommend the tap tunnel for Windows-based systems and for file shares and media streaming on your systems; it looks like my issues stem from this being a tun issue.

(Last edited by wesleyhey on 25 Jun 2014, 01:34)

Sigh.... No, it is not a TUN issue. TUN is a layer 3 routed tunnel and TAP is layer 2 bridging. My build uses layer 3 routing because it is far more efficient. The reason TAP is recommended for file sharing and media streaming is that it also forwards broadcast and multicast. My build has a working smcroute setup that forwards multicast for you and makes media streaming (UPnP/DLNA) work over the tunnel, so you get the best of both worlds. TUN has absolutely nothing to do with your Windows machine accepting ICMP. If you are going to refuse instructions and ignore advice you are free to set up your own config and create a thread in the general section.

(Last edited by arokh on 25 Jun 2014, 07:01)

I downloaded the file in the link you provided.
I can't load it onto the router using the Netgear GUI, WinSCP or tftp2 either.

It is very frustrating; is there a trick to it?

Do I need a version of the factory firmware that is v1.0.0.12 or lower?
I can't find it on the Netgear site, does anyone have a link to it?

It's been a very long time since I tried flashing from the stock web interface, but I believe the factory image should work. Try downloading again.

http://enduser.subsignal.org/~trondah/r … actory.img

If it doesn't work, find instructions for flashing via TFTP on the wiki.

Like Arokh said (and the wiki says http://wiki.openwrt.org/toh/netgear/wnd … .to.device ), if you flash from the original Netgear GUI, you will need the "factory.img" version of the OpenWrt firmware image. (Similarly, the factory.img version is used with the TFTP mode for recovery.)

"sysupgrade.bin" is only for upgrading an existing and running OpenWrt system from inside it.

That is the problem. I have used your build multiple times, going back to a clean install using the sysupgrade -n command, which wipes all the settings. Then all I do is set my DDNS, change to 192.168.2.1 for the home network and set the wireless password. I make no other changes and it still is not pinging unless you completely turn off the firewall, and then it pings really slowly at 2000ms times, which is worse than going overseas and back.