OpenWrt Forum Archive

Topic: openVPN NAT Problem

The content of this topic has been archived on 13 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Dear all, I have tried numerous solutions mentioned on this forum and on the OpenVPN site, but none worked for my problem.

I have a server running OpenVPN 2 Beta (since I have some Vista clients). I already have other OSes (Windows and RedHat clients) connecting to it without problem. Since I have learned about these Busyboxes, I have tried to make the VPN work on these boxes with partial luck.

At first, I tried DD-WRT and the VPN worked smoothly as I expected. My only goal is to tunnel all internet traffic through the VPN. My problem with DD-WRT is that it is very limited to its built-in functions and there is not much customization available, unlike OpenWrt where there are numerous options, packages and memory space.

This is my SERVER configuration file, running on a Windows XP Pro system:

# Sample OpenVPN 2.0 config file for            #
# multi-client server.                          #
#                                               #
# Which local IP address should OpenVPN
# listen on? (optional)
;local a.b.c.d
port 1194
#proto tcp
proto udp
;dev tap
dev tun
;dev-node MyTap
ca C:\\keys\\ca.crt
cert C:\\keys\\server.crt
key C:\\keys\\server.key  # This file should be kept secret
dh C:\\ANA-3\\dh1024.pem
server 8.8.0.0 255.255.0.0
ifconfig-pool-persist ipp.txt
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"
client-config-dir ccd
push "redirect-gateway"
;client-to-client
;duplicate-cn
keepalive 10 120
;cipher BF-CBC        # Blowfish (default)
;cipher AES-128-CBC   # AES
;cipher DES-EDE3-CBC  # Triple-DES
#comp-lzo
max-clients 100
;user nobody
;group nobody
persist-key
persist-tun
status openvpn-status.log
;log         openvpn.log
;log-append  openvpn.log
verb 3
;mute 20

(I am using WhiteRussian 0.9)

On the OpenWrt box, I have OpenVPN installed already, but disabled it on the WebIf page. I tried to run it using SSH.

Going inside the box, I go to /etc/openvpn where the certificates are stored. I then issue the following command:


openvpn --client --dev tun0 --proto udp --remote myServerIP.com 1194 --resolv-retry infinite --nobind --persist-key --persist-tun --ca ca.crt --cert client.crt  --key client.key --verb 3 --ping-restart 15

(where myServerIP.com is replaced by the actual IP of the server)

The following is my connection log:

root@OpenWrtx:/etc/openvpn$ openvpn --client --dev tun0 --proto udp --remote myServerIP.com 1194 --resolv-retry infinite --nobind --persist-key --persist-tun --ca ca.crt --cert client.crt  --key client.key --verb 3 --ping-restart 15
Mon Oct 15 16:07:16 2007 OpenVPN 2.0.9 mipsel-linux [SSL] [LZO] [EPOLL] built on Feb 13 2007
Mon Oct 15 16:07:16 2007 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Mon Oct 15 16:07:16 2007 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Mon Oct 15 16:07:17 2007 Control Channel MTU parms [ L:1541 D:138 EF:38 EB:0 ET:0 EL:0 ]
Mon Oct 15 16:07:17 2007 Data Channel MTU parms [ L:1541 D:1450 EF:41 EB:4 ET:0 EL:0 ]
Mon Oct 15 16:07:17 2007 Local Options hash (VER=V4): '3514370b'
Mon Oct 15 16:07:17 2007 Expected Remote Options hash (VER=V4): '239669a8'
Mon Oct 15 16:07:17 2007 UDPv4 link local: [undef]
Mon Oct 15 16:07:17 2007 UDPv4 link remote: myServerIP.com:1194
Mon Oct 15 16:07:17 2007 TLS: Initial packet from myServerIP.com:1194, sid=78c37fa2 10466422
Mon Oct 15 16:07:18 2007 VERIFY OK: depth=1, /C=HK/ST=WANCHAI________/L=HongKong/O=ANA/CN=ANA-3/emailAddress=support@myServerIP.com
Mon Oct 15 16:07:18 2007 VERIFY OK: depth=0, /C=HK/ST=WANCHAI________/O=ANA/CN=ANA-3/emailAddress=support@myServerIP.com
Mon Oct 15 16:07:20 2007 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Oct 15 16:07:20 2007 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Oct 15 16:07:20 2007 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Oct 15 16:07:20 2007 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Oct 15 16:07:20 2007 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Mon Oct 15 16:07:20 2007 [ANA-3] Peer Connection Initiated with myServerIP.com:1194
Mon Oct 15 16:07:22 2007 SENT CONTROL [ANA-3]: 'PUSH_REQUEST' (status=1)
Mon Oct 15 16:07:27 2007 SENT CONTROL [ANA-3]: 'PUSH_REQUEST' (status=1)
Mon Oct 15 16:07:27 2007 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway,route 8.8.0.1,ping 10,ping-restart 120,ifconfig 8.8.0.6 8.8.0.5'
Mon Oct 15 16:07:27 2007 OPTIONS IMPORT: timers and/or timeouts modified
Mon Oct 15 16:07:27 2007 OPTIONS IMPORT: --ifconfig/up options modified
Mon Oct 15 16:07:27 2007 OPTIONS IMPORT: route options modified
Mon Oct 15 16:07:27 2007 TUN/TAP device tun0 opened
Mon Oct 15 16:07:27 2007 /sbin/ifconfig tun0 8.8.0.6 pointopoint 8.8.0.5 mtu 1500
Mon Oct 15 16:07:27 2007 /sbin/route add -net myServerIP.com netmask 255.255.255.255 gw 192.168.25.1
Mon Oct 15 16:07:28 2007 /sbin/route del -net 0.0.0.0 netmask 0.0.0.0
Mon Oct 15 16:07:28 2007 /sbin/route add -net 0.0.0.0 netmask 0.0.0.0 gw 8.8.0.5
Mon Oct 15 16:07:28 2007 /sbin/route add -net 8.8.0.1 netmask 255.255.255.255 gw 8.8.0.5
Mon Oct 15 16:07:28 2007 Initialization Sequence Completed
Mon Oct 15 16:11:16 2007 [ANA-3] Inactivity timeout (--ping-restart), restarting
Mon Oct 15 16:11:16 2007 TCP/UDP: Closing socket
Mon Oct 15 16:11:16 2007 SIGUSR1[soft,ping-restart] received, process restarting
Mon Oct 15 16:11:16 2007 Restart pause, 2 second(s)
Mon Oct 15 16:11:18 2007 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Mon Oct 15 16:11:18 2007 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Mon Oct 15 16:11:18 2007 Re-using SSL/TLS context
Mon Oct 15 16:11:18 2007 Control Channel MTU parms [ L:1541 D:138 EF:38 EB:0 ET:0 EL:0 ]

After the above connection has been made, starting another SSH session to the router gives me the following details:

root@OpenWrtx:/etc$ ifconfig
br0       Link encap:Ethernet  HWaddr 00:12:17:C9:3F:31 
          inet addr:192.168.6.1  Bcast:192.168.6.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:17157 errors:0 dropped:0 overruns:0 frame:0
          TX packets:14821 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1444893 (1.3 MiB)  TX bytes:2822081 (2.6 MiB)

eth0      Link encap:Ethernet  HWaddr 00:12:17:C9:3F:31 
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:28608 errors:0 dropped:0 overruns:0 frame:0
          TX packets:24691 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:4404625 (4.2 MiB)  TX bytes:4126332 (3.9 MiB)
          Interrupt:5

eth1      Link encap:Ethernet  HWaddr 00:12:17:C9:3F:33 
          UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:76168
          TX packets:149 errors:304 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:20253 (19.7 KiB)
          Interrupt:4 Base address:0x1000

lo        Link encap:Local Loopback 
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)


tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 
          inet addr:8.8.0.6  P-t-P:8.8.0.5  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:7 errors:0 dropped:0 overruns:0 frame:0
          TX packets:89 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:1015 (1015.0 B)  TX bytes:5507 (5.3 KiB)

vlan0     Link encap:Ethernet  HWaddr 00:12:17:C9:3F:31 
          UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:17446 errors:0 dropped:0 overruns:0 frame:0
          TX packets:14821 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1531787 (1.4 MiB)  TX bytes:2881365 (2.7 MiB)

vlan1     Link encap:Ethernet  HWaddr 00:12:17:C9:3F:31 
          inet addr:192.168.25.80  Bcast:192.168.25.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:11161 errors:0 dropped:0 overruns:0 frame:0
          TX packets:9867 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:2357966 (2.2 MiB)  TX bytes:1130749 (1.0 MiB)

It is now confirmed that the VPN is actually working by checking the traceroute:

root@OpenWrtx:/etc$ traceroute www.yahoo.com
traceroute to www.yahoo-ht3.akadns.net (87.248.113.14), 30 hops max, 38 byte packets
1  8.8.0.1 (8.8.0.1)  199.246 ms  195.206 ms  197.933 ms

All traffic originating from the box is actually using my VPN network. However, the problem is, if I ping or tracert from any PC connected to the LAN side of the router, I DO NOT HAVE INTERNET at all.

The routes have been handled by OpenVPN smoothly. My route on the OpenWrt box is:

root@OpenWrtx:/etc$ route   
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
8.8.0.5         *               255.255.255.255 UH    0      0        0 tun0
myServerIP.com     192.168.25.1    255.255.255.255 UGH   0      0        0 vlan1
8.8.0.1         8.8.0.5         255.255.255.255 UGH   0      0        0 tun0
192.168.6.0     *               255.255.255.0   U     0      0        0 br0
192.168.25.0    *               255.255.255.0   U     0      0        0 vlan1
default         8.8.0.5         0.0.0.0         UG    0      0        0 tun0
root@OpenWrtx:/etc$


I apologize if this has been tackled on the forum already, but I have been reading posts on this forum for 3 days already and I just can't make my box work. Going back to DD-WRT, there is a script launched after connecting, which is:

iptables -A POSTROUTING -t nat -o tun0 -j MASQUERADE

I have tried this but it did not work.

iptables -A forwarding_rule -i tun0 -o br0 -d 192.168.6.0/24 -j ACCEPT

also did not work.

I apologize if this has been answered, but I have spent the last 3 days reading posts on this site and have been unable to find the solution for my case. I will truly appreciate it if anyone can point me in the right direction or to any discussions that would lead me to the solution of my problem.

Many thanks!

(Last edited by vcgonzales on 15 Oct 2007, 10:47)
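As an added example, not code from the thread or from the OpenVPN project: a small shell audit of the server config and client command line posted above, for the points a reviewer would flag. SERVER_CONF and CLIENT_CMD are constructed copies of the posted lines; HARDENED_CONF, the 10.8.0.0/24 subnet, ta.key, dh2048.pem and the AES-128-CBC choice are assumptions. Two of the findings matter for security rather than connectivity: `server 8.8.0.0 255.255.0.0` hands out public address space (8.8.0.0/16 is not RFC 1918), so once `redirect-gateway` is pushed the client can no longer reach any real host in that block; and the client log's "No server certificate verification method has been enabled" warning means any certificate signed by the same CA, another client's included, would be accepted as the server. On OpenVPN 2.0 that is closed with `--ns-cert-type server` on the client (the server certificate must carry the nsCertType=server extension, which easy-rsa's build-key-server adds); 2.1 and later use `--remote-cert-tls server`.

```shell
#!/bin/sh
# Added example, not from the thread: audit an OpenVPN 2.0-era server config
# and client command line for the weak points visible in the post above.
# SERVER_CONF and CLIENT_CMD are constructed copies of the posted lines;
# HARDENED_CONF, ta.key, dh2048.pem and 10.8.0.0/24 are assumptions.

SERVER_CONF='port 1194
proto udp
dev tun
ca C:\\keys\\ca.crt
cert C:\\keys\\server.crt
key C:\\keys\\server.key
dh C:\\ANA-3\\dh1024.pem
server 8.8.0.0 255.255.0.0
push "redirect-gateway"
keepalive 10 120
persist-key
persist-tun
verb 3'

HARDENED_CONF='port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
tls-auth ta.key 0
cipher AES-128-CBC
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
keepalive 10 120
persist-key
persist-tun
verb 3'

CLIENT_CMD='openvpn --client --dev tun0 --proto udp --remote myServerIP.com 1194 --resolv-retry infinite --nobind --persist-key --persist-tun --ca ca.crt --cert client.crt --key client.key --verb 3 --ping-restart 15'

# is_private A.B.C.D: succeeds when the address is in RFC 1918 space.
is_private() {
    case "$1" in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

# conf_has CONF REGEX: succeeds when some line of CONF matches REGEX.
conf_has() {
    printf '%s\n' "$1" | grep -q -- "$2"
}

# audit_server_conf CONF: prints one finding per line (nothing when clean).
audit_server_conf() {
    conf="$1"
    net=$(printf '%s\n' "$conf" | awk '$1 == "server" { print $2 }')
    if [ -n "$net" ] && ! is_private "$net"; then
        echo "server: $net is public address space; with redirect-gateway, real hosts in that range become unreachable"
    fi
    if conf_has "$conf" '^push "redirect-gateway"$'; then
        echo "redirect-gateway: add def1 so the original default route is overridden, not deleted"
    fi
    if ! conf_has "$conf" '^tls-auth '; then
        echo "tls-auth: no HMAC key on the control channel; unauthenticated packets reach the TLS handshake"
    fi
    if conf_has "$conf" '^dh .*1024'; then
        echo "dh: 1024-bit DH parameters; generate 2048-bit or larger"
    fi
    if ! conf_has "$conf" '^cipher '; then
        echo "cipher: none set, so the default BF-CBC (64-bit block) is used; set AES-128-CBC"
    fi
}

# audit_client_cmd CMD: checks that the client verifies the server's certificate
# role and shares the control-channel HMAC key.
audit_client_cmd() {
    case "$1" in
        *"--ns-cert-type server"*|*"--remote-cert-tls server"*) ;;
        *) echo "client: no --ns-cert-type server (2.0) / --remote-cert-tls server (2.1+); any CA-signed client cert could pose as the server" ;;
    esac
    case "$1" in
        *--tls-auth*) ;;
        *) echo "client: no --tls-auth; must match the server's tls-auth key" ;;
    esac
}

echo "== posted server config =="
audit_server_conf "$SERVER_CONF"
echo "== hardened server config =="
audit_server_conf "$HARDENED_CONF"
echo "== posted client command =="
audit_client_cmd "$CLIENT_CMD"
```

The audit is deliberately line-oriented, since an OpenVPN config is one directive per line; run it against the real file with `audit_server_conf "$(cat server.ovpn)"`. The hardened config needs the matching client side (`--ns-cert-type server --tls-auth ta.key 1`), otherwise the tls-auth mismatch will make the handshake fail silently on the client.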

Have you seen this tutorial?

Thanks.

I have seen that documentation already. But it is designed for bridge mode operation.

I have also checked out http://wiki.openwrt.org/OpenVPNTunHowTo which is focused on ROUTE mode.
I have not modified the actual firewall file, but instead I issued the iptables commands after I had connected the VPN manually.
The same configuration I used is all working, and in fact the VPN is actually kicking in, except for the fact that the packets are not NATed to the LAN/WiFi networks.

Thanks to all, I finally got mine working.

iptables -A POSTROUTING -t nat -o tun+ -j MASQUERADE didn't work for me.

iptables -A POSTROUTING -t nat -o tun0 -j MASQUERADE did the job.
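The fix above, as an added example that is not part of the thread: the masquerade and forwarding rules that let LAN hosts behind the OpenWrt box use a routed tunnel as their default gateway, plus the two checks a practitioner would want before enabling them. Interface names and the LAN subnet (br0, tun0, 192.168.6.0/24) come from the original post and forwarding_rule is the WhiteRussian hook chain the post itself uses; 203.0.113.10 stands in for the VPN server address, and the routing table is a constructed copy of the one posted. The reason NAT is needed at all: the server only knows the client's tunnel address (8.8.0.6 in the log), not 192.168.6.0/24, so replies to LAN sources have nowhere to go unless the source is rewritten.

```shell
#!/bin/sh
# Added example, not from the thread: NAT and forwarding rules for sending a
# LAN through a routed OpenVPN tunnel on an OpenWrt box. br0/tun0/192.168.6.0/24
# are from the post; 203.0.113.10 is a placeholder for the VPN server.
# Set IPT=echo to print the rules instead of applying them.

IPT="${IPT:-iptables}"

# Constructed copy of the routing table from the post, in "route -n" form.
ROUTE_TABLE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
8.8.0.5         0.0.0.0         255.255.255.255 UH    0      0        0 tun0
203.0.113.10    192.168.25.1    255.255.255.255 UGH   0      0        0 vlan1
8.8.0.1         8.8.0.5         255.255.255.255 UGH   0      0        0 tun0
192.168.6.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
192.168.25.0    0.0.0.0         255.255.255.0   U     0      0        0 vlan1
0.0.0.0         8.8.0.5         0.0.0.0         UG    0      0        0 tun0'

# default_iface ROUTE_TEXT: prints the interface carrying the 0.0.0.0/0 route
# (empty if there is none).
default_iface() {
    printf '%s\n' "$1" | awk '$1 == "0.0.0.0" && $3 == "0.0.0.0" { print $NF; exit }'
}

# vpn_nat_up LAN_IF VPN_IF LAN_NET: masquerade LAN traffic leaving through the
# tunnel and allow it to be forwarded. Scoped to LAN_NET so nothing else on the
# box is rewritten.
vpn_nat_up() {
    lan_if="$1"; vpn_if="$2"; lan_net="$3"
    if [ -r /proc/sys/net/ipv4/ip_forward ] && [ "$(cat /proc/sys/net/ipv4/ip_forward)" = 0 ]; then
        echo "warning: ip_forward is 0; nothing will be forwarded" >&2
    fi
    $IPT -t nat -A POSTROUTING -s "$lan_net" -o "$vpn_if" -j MASQUERADE
    # New LAN->tunnel connections only; the return path is matched by the
    # firewall's RELATED,ESTABLISHED rule, so no tunnel->LAN accept is needed.
    $IPT -A forwarding_rule -i "$lan_if" -o "$vpn_if" -s "$lan_net" -j ACCEPT
}

# vpn_nat_down LAN_IF VPN_IF LAN_NET: remove exactly the rules added above.
# Run it when the tunnel goes down, and before re-running vpn_nat_up, since
# iptables -A appends a duplicate each time.
vpn_nat_down() {
    lan_if="$1"; vpn_if="$2"; lan_net="$3"
    $IPT -t nat -D POSTROUTING -s "$lan_net" -o "$vpn_if" -j MASQUERADE
    $IPT -D forwarding_rule -i "$lan_if" -o "$vpn_if" -s "$lan_net" -j ACCEPT
}

# Stand-alone demo: only enable NAT once the default route really goes via the
# tunnel; if it does not, LAN traffic is still leaving through the WAN
# unencrypted, which is the situation the rules are meant to end.
if [ "$(default_iface "$ROUTE_TABLE")" = "tun0" ]; then
    (IPT=echo; vpn_nat_up br0 tun0 192.168.6.0/24)
else
    echo "default route is not via tun0; not enabling NAT" >&2
fi
```

On the real box, `vpn_nat_up br0 tun0 192.168.6.0/24` belongs in /etc/firewall.user (or an OpenVPN `--up` script, with `vpn_nat_down` in `--down`) rather than typed after each connect. The NAT-free alternative, if the server admin cooperates, is to add `route 192.168.6.0 255.255.255.0` to the server config and `iroute 192.168.6.0 255.255.255.0` to the client's file under the `client-config-dir ccd` the posted server config already declares; then the server routes to the LAN directly and the MASQUERADE rule is not needed.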

Thanks vcgonzales. I want to let you know that I also used iptables -A POSTROUTING -t nat -o tun+ -j MASQUERADE
to set up a site-to-site OpenVPN tunnel between my Microsoft ISA 2006.

I still have a Microsoft ISA issue but I have an open thread at

http://forums.isaserver.org/m_200205616 … 2002056171

Hopefully I get some help and it gets resolved soon.

Thanks again

Cititechs,

Based on your requirements, I think using NAT or routed VPN is not the best choice.

My suggestion is to try switching to bridge mode instead of tunnel mode. These documents might help: http://openvpn.net/bridge.html and http://openvpn.net/faq.html#bridge1

Also, if you plan to bridge the entire LAN on the OpenWrt box, it may raise security issues on your networks behind the ISA. I have not tried this setup yet.

(Last edited by vcgonzales on 28 Oct 2007, 17:12)

The discussion might have continued from here.