OpenVPN And DD-WRT Part 2

We’re better than half way there. You’ve made arrangements with a DDNS provider and have your own URL that points to your DD-WRT router. You’ve downloaded and installed OpenVPN. You’ve used OpenVPN to create some certificates and keys that you’ll later copy to various places. And you’ve done it all without having to learn anything complicated about certificate authorities or web servers or SSL. Easy as pie.

This is the home stretch. First, you’ll go to your DD-WRT router and tell it you want to create an OpenVPN server. To do that, you’ll fill in a few fields, copy and paste four of the files created in the last lesson into well-marked text boxes, copy and paste some ‘additional configuration’ into another text box, then, finally, copy and paste some firewall settings into another text box on a different DD-WRT tab.

Afterward, you will return to OpenVPN, use Notepad to edit a configuration file, then copy three files into the same folder as the configuration file.

Done.

The Road So Far

In OpenVPN And DD-WRT Part 1, you read an overview of the full project. The introduction above summarized the article pretty well.

Now we’ll configure DD-WRT. Before starting, here are a few things you’ll encounter.

Four of the files you created in Part 1 will be imported into DD-WRT using Notepad and copy and paste. The files look similar to this …

qnapssl01b

Some will start with ‘-----BEGIN CERTIFICATE-----’ and end with ‘-----END CERTIFICATE-----’. Others will have different but similar verbiage. The server certificate will have a lot of content you can ignore. It stands out … you can’t miss it.

The text to copy and paste starts with ‘-----BEGIN CERTIFICATE-----’ and ends with ‘-----END CERTIFICATE-----’ (or similar verbiage) INCLUDING the BEGIN and END captions and ALL of the dashes (five plain hyphens on each side of the caption). Ignore the extra text on the server certificate and only copy the certificate part.
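As an added example that is not part of the original article, here is a small Python helper that pulls exactly that block out of a certificate file, dropping the text dump easy-rsa puts above a server certificate, so what lands in the DD-WRT text box is only the captions and the base64 body. The sample certificate text is constructed and is not a real certificate.

```python
import re

# One PEM block: dashed BEGIN caption, base64 body, dashed END caption with
# the same label. DD-WRT needs all of it, captions and dashes included.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----",
    re.DOTALL,
)


def extract_pem_blocks(text):
    """Return [(label, block)] for every PEM block in text, in file order.

    Anything outside the captions (easy-rsa writes a human-readable dump of
    the server certificate above the real block) is dropped, and the body is
    re-joined line by line so stray CR characters or trailing spaces from a
    Windows editor do not end up in the router's text box.
    """
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        label = m.group(1)
        body = "\n".join(ln.strip() for ln in m.group(2).splitlines() if ln.strip())
        blocks.append((label, "-----BEGIN %s-----\n%s\n-----END %s-----" % (label, body, label)))
    return blocks


def paste_text(text, label):
    """The exact text to paste into one DD-WRT box: the single block carrying
    the given label ("CERTIFICATE", "DH PARAMETERS", "PRIVATE KEY", ...).
    Raises if the file has none, or more than one, such block."""
    found = [blk for lbl, blk in extract_pem_blocks(text) if lbl == label]
    if len(found) != 1:
        raise ValueError("expected exactly one %s block, found %d" % (label, len(found)))
    return found[0]


# Constructed sample in the shape easy-rsa produces for a server certificate:
# a text dump first, then the block to copy. The base64 is a dummy, not a
# real certificate.
SAMPLE_SERVER_CRT = """Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=Home, CN=Home CA
        Subject: C=US, O=Home, CN=DDWRTrouter
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgU0FNUExFIC0gTk9UIEEgUkVBTCBDRVJUSUZJQ0FURQ==
Q09OU1RSVUNURUQgU0FNUExFIC0gTk9UIEEgUkVBTCBDRVJUSUZJQ0FURQ==
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    # Prints only the part that belongs in the "Public Server Cert" box.
    print(paste_text(SAMPLE_SERVER_CRT, "CERTIFICATE"))
```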

There will be more text to copy and paste into DD-WRT. It’s below. You may have to modify it a little depending on your network configuration. The text you copy is taken from my network configuration. Thus, I can say it works for me and, hopefully, it will work well for you.

A copy of my OpenVPN configuration file is also below. Use it for reference or use it as-is. You will have to add your URL in this file.

DD-WRT and OpenVPN Server

Go to the Services/VPN tab in DD-WRT and configure it as shown below. Explanations follow.

DDWRT-OpenVPN-20

DDWRT-OpenVPN-21a

Selected certificates and keys are copied and pasted into the following four text boxes, using the naming convention from Part 1:

  • Public Server Cert: DDWRTrouter.crt
  • CA Cert: ca.crt
  • Private Server Key: DDWRTrouter.key (the router’s private key; DD-WRT labels this box ‘Private Server Key’)
  • DH PEM: dh2048.pem

Additional Config (modify as needed, then copy and paste into DD-WRT. Do not change the certificate names below. Use plain ASCII double quotes; curly quotes substituted by a web page or word processor will not parse.)

push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS 8.8.8.8"
push "redirect-gateway def1"
server 10.1.1.0 255.255.255.0
dev tun0
proto tcp
keepalive 10 120
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem

Save and Apply Settings.

A couple of the tricky bits described in Part 1 are included in the Additional Configuration settings.

push "dhcp-option DNS 8.8.8.8" was included originally, but I didn’t know how important the DNS option was. OpenVPN via DD-WRT needs access to a DNS server; otherwise clients connected through it cannot resolve names and won’t load web pages. 8.8.8.8 is Google’s public DNS server. Use it or any other one you know you can reach. Don’t use one that you ‘just read about’. Under worst-case scenarios, a DNS request for Amazon.com could return an IP address for NotReallyAmazon.com. Taking control of the DNS server reduces the risk of DNS spoofing. If you have a preferred DNS server, use it instead. I had no success directing it to my local gateway. Originally, I believed that ignoring this option would direct you to the DNS server used by the public wi-fi, which may be a very bad idea.

push "redirect-gateway def1" was not included. The Advanced Options section has a radio button that states it will direct all traffic through the gateway when selected. That button adds this line. I just typed it in myself because, to me, it’s clearer. Unfortunately, this is not all you need. Just adding this directive will do nothing special. You need the DNS option mentioned above AND a specific firewall directive. Additionally, there are variations of this line in the documentation. I have no idea if they work. Most articles use this variation. OpenVPN documentation uses two versions of this directive interchangeably.

DDWRT-OpenVPN-43b

Altering the DD-WRT Firewall

Move to the Administration/Commands tab.

Copy and paste the following text into the open text box. Change as required. The 10.1.1.0/24 network below is your OpenVPN network (the one on the server line of the Additional Config), not your home LAN. The options are spelled with two plain hyphens (--dport, --source); a single dash character substituted by a web page will not be accepted by iptables.

iptables -I INPUT 1 -p tcp --dport 443 -j ACCEPT
iptables -I FORWARD 1 --source 10.1.1.0/24 -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.1.1.0/24 -j MASQUERADE

Save Firewall.

Reboot Router.

The last tricky bit is in the firewall directives. There are almost innumerable variations of the POSTROUTING line. The most common version is almost identical to the one above, except it is longer because it carries more detail. It didn’t work. This one is the only one that worked for me. Many references offer a set of several POSTROUTING lines, all of which you are asked to include. Other references state that more than one line is redundant. I never tried the multi-line versions, preferring to keep my configuration as simple as possible. I found this line in a forum reply somewhere and later figured out why it worked.

I suspect this line appended to the POSTROUTING chain worked because it tells iptables to alter the nat table for every packet from source 10.1.1.0/24 and MASQUERADE all of it, not just output on a specific interface. Specifying the wrong interface was the problem. Since 10.1.1.0/24 is the VPN subnet, dealing with all of its output seems OK. Anyway, it worked.
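An added check, not from the article, that covers both pasted blocks above: it replaces the curly quotes and en dashes a web page or word processor substitutes for the typed ASCII, then cross-checks that the Additional Config and the firewall script agree on the VPN subnet and tun device and that the DNS push, the redirect-gateway push and the MASQUERADE rule are all present. The embedded text is the article’s own config, reproduced with the substituted characters so the fix is visible.

```python
import re

# Look-alike characters WordPress substitutes for typed ASCII, mapped back to
# what OpenVPN and iptables actually parse. A typed "--" becomes an en dash
# and "---" an em dash, so an em dash followed by an en dash is what "-----"
# (a PEM caption) turns into.
SUBSTITUTIONS = {
    "\u201c": '"', "\u201d": '"', "\u2033": '"',  # curly double quotes, double prime
    "\u2018": "'", "\u2019": "'",                 # curly single quotes
    "\u2013": "--",                               # en dash
    "\u2014": "---",                              # em dash
    "\u00a0": " ",                                # non-breaking space
}


def normalize(text):
    """Return (clean_text, findings). findings lists (line_no, chars) for every
    line that held non-ASCII characters before cleaning, so you can see what
    the copy and paste mangled."""
    findings, out = [], []
    for n, line in enumerate(text.splitlines(), 1):
        bad = sorted({c for c in line if ord(c) > 127})
        if bad:
            findings.append((n, bad))
        for ch, repl in SUBSTITUTIONS.items():
            line = line.replace(ch, repl)
        out.append(line)
    return "\n".join(out), findings


def mask_to_prefix(mask):
    """Dotted netmask to prefix length: 255.255.255.0 -> 24."""
    return sum(bin(int(octet)).count("1") for octet in mask.split("."))


def check_consistency(additional_config, firewall):
    """Cross-check the Additional Config against the firewall script. Returns a
    list of problems; empty means the two agree on subnet and tun device and
    the article's 'tricky bits' are all present."""
    cfg, _ = normalize(additional_config)
    fw, _ = normalize(firewall)
    problems = []

    m = re.search(r"^server\s+(\S+)\s+(\S+)", cfg, re.M)
    if not m:
        problems.append("Additional Config has no 'server <network> <netmask>' line")
    else:
        cidr = "%s/%d" % (m.group(1), mask_to_prefix(m.group(2)))
        if not re.search(r"-s(?:ource)?\s+%s" % re.escape(cidr), fw):
            problems.append("firewall never references the VPN subnet %s" % cidr)
        if not re.search(r"POSTROUTING.*-s\s+%s.*-j\s+MASQUERADE" % re.escape(cidr), fw):
            problems.append("no 'POSTROUTING -s %s -j MASQUERADE' rule: tunnel traffic "
                            "would leave the WAN with a private source address" % cidr)

    d = re.search(r"^dev\s+(\S+)", cfg, re.M)
    if not d:
        problems.append("Additional Config has no 'dev' line; cannot check the tun name")
    else:
        for iface in sorted(set(re.findall(r"-[io]\s+(tun\d+)", fw))):
            if iface != d.group(1):
                problems.append("firewall uses %s but the server is on %s" % (iface, d.group(1)))

    for directive, why in (("dhcp-option DNS", "clients get no name resolution"),
                           ("redirect-gateway", "client traffic is not sent through the tunnel")):
        if not re.search(r'^push\s+"%s' % directive, cfg, re.M):
            problems.append('missing push "%s ...": %s' % (directive, why))
    return problems


# The article's two blocks as WordPress renders them, curly quotes and en
# dashes included (constructed here from the page text for this check).
ADDITIONAL_CONFIG = (
    "push \u201croute 192.168.1.0 255.255.255.0\u201d\n"
    "push \u201cdhcp-option DNS 8.8.8.8\u201d\n"
    "push \u201credirect-gateway def1\u201d\n"
    "server 10.1.1.0 255.255.255.0\n"
    "dev tun0\n"
    "proto tcp\n"
    "keepalive 10 120\n"
    "dh /tmp/openvpn/dh.pem\n"
    "ca /tmp/openvpn/ca.crt\n"
    "cert /tmp/openvpn/cert.pem\n"
    "key /tmp/openvpn/key.pem\n"
)
FIREWALL = (
    "iptables -I INPUT 1 -p tcp \u2013dport 443 -j ACCEPT\n"
    "iptables -I FORWARD 1 \u2013source 10.1.1.0/24 -j ACCEPT\n"
    "iptables -I FORWARD -i br0 -o tun0 -j ACCEPT\n"
    "iptables -I FORWARD -i tun0 -o br0 -j ACCEPT\n"
    "iptables -t nat -A POSTROUTING -s 10.1.1.0/24 -j MASQUERADE\n"
)

if __name__ == "__main__":
    clean, findings = normalize(FIREWALL)
    for n, chars in findings:
        print("firewall line %d had non-ASCII characters: %r" % (n, chars))
    print(clean)
    print(check_consistency(ADDITIONAL_CONFIG, FIREWALL) or "config and firewall agree")
```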

Saving your firewall changes in a live environment will knock your router out of commission while it digests the changes. Your wireless on the machine making the changes will act loopy for a while. It always cleared up in a few minutes, except once. I downloaded an application that was designed to help with client OpenVPN connections, just to see if any OpenVPN gateway to the router was possible. It appeared to pull a lot of configuration down to the client so that it would work even if the server configuration had issues. It proved OpenVPN was a good product, but I suspect having too many things messing with my laptop network connection fouled something up. The wireless never returned after one firewall alteration. Rather than waste time trying to figure it out, I restored the partition from a recent bare metal backup and picked up without the OpenVPN client helper app. The helper app also proved the client configuration file had no problems I needed to deal with. Its fixes were all behind the scenes on my laptop.

DDWRT-OpenVPN-22a

After rebooting the router, go to the Status/OpenVPN tab. You should see that the VPN is active on the router.

DDWRT-OpenVPN-23

Configuring OpenVPN on the Client PC

The hard work is done. Here’s what’s left:

  • Install OpenVPN on the client PC (assuming it’s a different one than the one you’ve been working on all along).
  • Copy three files from …\OpenVPN\easy-rsa\keys to ..\OpenVPN\config. Using the naming conventions from Part 1:
    1. ca.crt
    2. Laptop01.crt
    3. Laptop01.key
  • Navigate to ..\OpenVPN\config. Open Notepad with Administrator privileges and modify client.ovpn as pictured. As an alternative, you can copy and paste the provided text and change it to match your configuration.

DDWRT-OpenVPN-30

##############################################
# Sample client-side OpenVPN 2.0 config file #
# for connecting to multi-client server.     #
#                                            #
# This configuration can be used by multiple #
# clients, however each client should have   #
# its own cert and key files.                #
#                                            #
# On Windows, you might want to rename this  #
# file so it has a .ovpn extension           #
##############################################
# file for Laptop01
client
dev tun0
proto tcp

remote YOUR_URL.COM 443

resolv-retry infinite

nobind
persist-key
persist-tun

ca ca.crt
cert Laptop01.crt
key Laptop01.key

ns-cert-type server
comp-lzo
verb 3
float


The biggest gotcha with client.ovpn is Windows text editors. This is a text file and Windows may try to name it client.ovpn.txt. If this happens, OpenVPN GUI will just stare at you and offer nothing to connect to. Windows Explorer will probably be of no help discovering this problem, since it hides file extensions by default.

OpenVPN GUI will allow you to connect using any file with a .ovpn extension. If more than one is in the folder, it will offer a choice.

If OpenVPN offers a sample configuration file with a different extension than .ovpn, you should rename it to .ovpn if you use it.
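As an added example, not part of the article, a Python audit of the client config folder for the gotchas just described: a profile saved as .ovpn.txt, one of the three certificate files missing beside the profile, and remote still set to the YOUR_URL.COM placeholder. The folders and PEM contents it builds are constructed stand-ins, not real keys, and vpn.example.invalid is an assumed hostname.

```python
import os
import re
import shutil
import tempfile

PEM_CAPTION = re.compile(r"-----BEGIN [A-Z ]+-----")


def _read(path):
    with open(path, encoding="utf-8", errors="replace") as f:
        return f.read()


def _write(path, text):
    with open(path, "w", encoding="utf-8") as f:
        f.write(text)


def audit_client_folder(folder):
    """Audit an OpenVPN config folder for the article's client-side gotchas.
    Returns a list of (file, problem); an empty list means a profile and its
    three certificate files are in place and named consistently."""
    problems = []
    names = sorted(os.listdir(folder))
    for n in names:
        if n.lower().endswith(".ovpn.txt"):
            problems.append((n, "saved with a .txt suffix: OpenVPN GUI will not list it"))
    profiles = [n for n in names if n.lower().endswith(".ovpn")]
    if not profiles:
        problems.append(("", "no .ovpn profile in the folder"))
    for p in profiles:
        text = _read(os.path.join(folder, p))
        # Each of ca/cert/key must name a file sitting beside the profile
        # that actually contains a PEM block, not a Notepad-mangled copy.
        for key in ("ca", "cert", "key"):
            m = re.search(r"^%s\s+(\S+)\s*$" % key, text, re.M)
            if not m:
                problems.append((p, "no '%s' line" % key))
                continue
            path = os.path.join(folder, m.group(1))
            if not os.path.isfile(path):
                problems.append((p, "%s file %s is not beside the profile" % (key, m.group(1))))
            elif not PEM_CAPTION.search(_read(path)):
                problems.append((p, "%s file %s has no -----BEGIN ... ----- block" % (key, m.group(1))))
        if not re.search(r"^remote\s+\S+\s+\d+", text, re.M):
            problems.append((p, "no 'remote <host> <port>' line"))
        elif re.search(r"^remote\s+YOUR_URL\.COM\b", text, re.M):
            problems.append((p, "remote still points at the YOUR_URL.COM placeholder"))
    return problems


def run_demo():
    """Build two constructed config folders and audit both: 'good' follows the
    article; 'bad' has the .ovpn.txt trap, a missing key and the placeholder
    URL. Returns {"good": [...], "bad": [...]}."""
    # Dummy PEM-shaped content; not a real certificate or key.
    fake_pem = ("-----BEGIN CERTIFICATE-----\n"
                "Q09OU1RSVUNURUQgU0FNUExFIC0gTk9UIFJFQUw=\n"
                "-----END CERTIFICATE-----\n")
    profile = ("client\ndev tun0\nproto tcp\nremote %s 443\nresolv-retry infinite\n"
               "nobind\npersist-key\npersist-tun\nca ca.crt\ncert Laptop01.crt\n"
               "key Laptop01.key\nns-cert-type server\ncomp-lzo\nverb 3\nfloat\n")
    root = tempfile.mkdtemp()
    try:
        good, bad = os.path.join(root, "good"), os.path.join(root, "bad")
        os.mkdir(good)
        os.mkdir(bad)
        for name in ("ca.crt", "Laptop01.crt", "Laptop01.key"):
            _write(os.path.join(good, name), fake_pem)
        _write(os.path.join(good, "client.ovpn"), profile % "vpn.example.invalid")
        for name in ("ca.crt", "Laptop01.crt"):          # Laptop01.key left out
            _write(os.path.join(bad, name), fake_pem)
        _write(os.path.join(bad, "client.ovpn"), profile % "YOUR_URL.COM")
        _write(os.path.join(bad, "backup.ovpn.txt"), profile % "YOUR_URL.COM")
        return {"good": audit_client_folder(good), "bad": audit_client_folder(bad)}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for label, found in run_demo().items():
        print(label, found or "ready to connect")
```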

If successful, you should now be able to start OpenVPN. Double Click the OpenVPN icon. You will need to Run As Administrator. Find the OpenVPN icon at the bottom right of the taskbar. Right click on it. Select Connect. You will be prompted for a password if you asked for that option when building client certificates. If successful, a little bubble will appear above the icon and tell you that you are connected.

DDWRT-OpenVPN-33

OR

DDWRT-OpenVPN-34

After starting OpenVPN and connecting to your tunnel, open a command window and run ipconfig /all.

DDWRT-OpenVPN-45a

Next run tracert 8.8.8.8.

You should see your OpenVPN server at the top, followed by the route to your destination, the Google DNS server.

DDWRT-OpenVPN-46

Done.

Any browser windows open BEFORE you start OpenVPN will remain outside the tunnel. Make sure your browser is closed before starting OpenVPN client.

A visit to WhatIsMyIP.com will present your home IP address if the tunnel is active and functioning properly.

Assuming OpenVPN works as described, you will now be able to securely pass through your home internet connection from any public internet connection. SSL encryption will keep the session as private as if you were at home. (By inference, this also means that if your home connection is as loose as a goose, so will be your browsing session, except for the part from public wi-fi to your home internet.)


37 Comments on “OpenVPN And DD-WRT Part 2”

  1. tim says:

    I got it all set up and running on my home router running v24-sp2 (10/08/14) kongac – build 25100M , with the following issue. OpenVPN client on Windows 8.1 errors out. The client.ovpn has the following relevant file

    ca ca.crt
    cert Comp1.crt
    key Comp1.key

    Comp1.crt is copied into the openvpn\config directory along with Comp1.key and ca.crt but we get the following in the log file:

    Sun May 17 19:03:08 2015 OpenVPN 2.3.6 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Mar 19 2015
    Sun May 17 19:03:08 2015 library versions: OpenSSL 1.0.1m 19 Mar 2015, LZO 2.08
    Enter Management Password:
    Sun May 17 19:03:08 2015 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
    Sun May 17 19:03:08 2015 Need hold release from management interface, waiting…
    Sun May 17 19:03:08 2015 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
    Sun May 17 19:03:08 2015 MANAGEMENT: CMD ‘state on’
    Sun May 17 19:03:08 2015 MANAGEMENT: CMD ‘log all on’
    Sun May 17 19:03:08 2015 MANAGEMENT: CMD ‘hold off’
    Sun May 17 19:03:08 2015 MANAGEMENT: CMD ‘hold release’
    Sun May 17 19:03:08 2015 MANAGEMENT: Client disconnected
    Sun May 17 19:03:08 2015 Cannot load certificate file Comp1.crt: error:0906D06C:PEM routines:PEM_read_bio:no start line: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:PEM lib
    Sun May 17 19:03:08 2015 Exiting due to fatal error

    • Carl Rinker says:

      I’m very definitely not an OpenVPN expert. I can’t tell you where your mistake is. I can only tell you that this article documents my configuration, which has been very reliable. I remember all the effort was in my first attempt. Subsequent certificate builds or configuration changes were fast from scratch. Why not take a day off and try again from the beginning.

      Also, be sure you are trying to connect from a site that does not block OpenVPN. Even on port 443, some places deep scan and won’t allow you to get out on their internet. I was blocked once using the public wi-fi at a major university. I couldn’t even get out using Tor. Most places should give you no problems, however.

      There’s always the possibility that your currently installed version of DD-WRT has problems with OpenVPN. This should be considered as very low on the things to swap out. Occasionally, actually rarely, the DD-WRT Broadcom forum mentions issues with OpenVPN server.

      • tim says:

        Starting over, with a fresh laptop, fresh install of openvpn 64bit on Win8.1, and really paying attention, it looks like the easy-rsa part no longer is the same as when you ran it.

        When running the build-key-pass.bat file I consistently get

        -failed to update database
        -TXT_DB error number 2

        Even exactly following your example letter by letter.
        Making all the org parts unique helps and sometimes the first client works but the 2nd one errors out in the build-key-pass.bat every time.

        Easy-rsa ain't easy…..

      • Carl Rinker says:

        I recall a similar problem when I built keys a second time. I think I started from scratch and it worked. I surmised that a second pass conflicted with something built earlier. I’ll take a look at a rebuild later to see if there are any differences. Are you running it as administrator, not just signed on as an admin? The key build steps have been the same for years. If you look at other articles on this subject, you’ll see virtually identical instruction. My write up differs because of all the pictures at a higher level of detail and the tricky bits referred to that create the secure link.

  2. tim says:

    Your blog is stripping out the batch file name (build key pass) from my examples above.

  3. VietDzung says:

    I follow your guide, it can connect to VPN and show ip but not connect to Internet, “tracert google” not show any hop. My device is TP-LINK WR842ND V2 dd-wrt build 26947M.

  4. Thank You says:

    Great writeup – very clear and easy to follow. I have four questions/suggestions:

    1. When you give the examples of the build-key.bat and build-key-pass.bat scripts, you may want to make more clear that only one of the scripts should be run (depending on whether you want a password or not). I was confused and ran both scripts.

    2. You referenced “Public Server Key: DDWRTrouter.key” Is this the “Private” Server Key in dd-wrt?

    3. In your examples, the “–” was somehow changed to a special hyphen character and the quotation marks were changed to smart quotation marks. Cutting and pasting into dd-wrt ends up with strange characters. Here are the lines that have problems:

    iptables -I INPUT 1 -p tcp –dport 443 -j ACCEPT
    iptables -I FORWARD 1 –source 10.1.1.0/24 -j ACCEPT

    ***
    push “route 192.168.1.0 255.255.255.0″
    push “dhcp-option DNS 8.8.8.8″
    push “redirect-gateway def1″

    4. It was not clear what the “home network” is in the statement below. Is that referring to the VPN network?

    Copy and paste the following text into the open text box. Change as required. The network below is your home network.

    iptables -I INPUT 1 -p tcp –dport 443 -j ACCEPT
    iptables -I FORWARD 1 –source 10.1.1.0/24 -j ACCEPT
    iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
    iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
    iptables -t nat -A POSTROUTING -s 10.1.1.0/24 -j MASQUERADE

    Overall, it was a fantastic writeup and I greatly appreciate your efforts. I am still trying to get the router set up for VPN, but this explanation really helped me get started. Thank you!

    • Thank You says:

      Two more things I tried that got the server working:

      1. I read elsewhere that the keys are based on GMT time, and I needed to either wait 8 hours or set my timezone to GMT in the NTP settings. I set the timezone to GMT, and will change it back to Pacific time tomorrow.

      2. I read elsewhere that the server key needed to use the name “server.” I regenerated the keys using “server,” “client1,” “client2”, and “client3.”

      After applying these two fixes, the status showed Server: CONNECTED SUCCESS

      Thank you!

      • Carl Rinker says:

        I’ve heard nothing about time sensitive keys with DD-WRT. Kerberos is time sensitive but that has nothing to do with DD-WRT. I’m happy it worked for you eventually. I use mine every time I go out of town. My email provider gets upset if the ip-address I’m using to pull down email is not the one it’s used to seeing. The keys expire. Perhaps the first pass at key generation had a bad date which was automatically interpreted as expired the first time you used it? Just guessing.

        DD-WRT makes it a little difficult to set up OpenVPN. But, the upside is it’s free and you don’t have to pay an annual fee for safe browsing. I’ve heard some routers make it a little easier. I recently built an OpenVPN configuration using pfSense. It took a fraction of the time. pfSense uses a wizard to generate the set-up and keys. Other routers besides DD-WRT allow you to specifically name users and their passwords. Anyone who has gone through a DD-WRT application of OpenVPN would find the others anywhere from easier to quite easy in comparison.

    • Carl Rinker says:

      Yes, the password is optional. Verbiage has been tweaked to make this more obvious.

      This is where the keys go (assuming you used my naming convention): (taken from part 2)

      Public Server Cert: DDWRTrouter.crt
      CA Cert: ca.crt
      Public Server Key: DDWRTrouter.key
      DH PEM: dh2048.pem

      Sorry about the hyphen character. It worked for me as is. I’ve copied and pasted several times and had no problem.

      The network in iptables is the network defined in the openVPN configuration. I’ll tweak the verbiage.

      • Thank You says:

        Again, thank you so much for putting this guide together. It was extremely helpful.

        dd-wrt is looking for a “Private” server key, not a “Public” server key. I figured it out eventually, but your reference to a “Public” server key initially confused me.

        When I cut and paste the lines mentioned above, here is what the router sees:

        push &#-109;route 192.168.1.0 255.255.255.0″
        push &#-109;dhcp-option DNS 8.8.8.8″
        push &#-109;redirect-gateway def1″

        ***

        iptables -I INPUT 1 -p tcp &#-106;dport 443 -j ACCEPT
        iptables -I FORWARD 1 &#-106;source 10.1.1.0/24 -j ACCEPT

        I just copied the lines from your article into the “custom script” window to test the cut and paste again. I didn’t want to mess with the Firewall settings now that everything is working.

        Hopefully my post will help if someone else runs into this issue.

        Thanks again!

  5. Julian Hale says:

    OK, I finally got this working myself. WordPress replaces double quotes and double dashes, so you can’t just copy and paste from the example. Replace all double quotes under “additional config” with a plain ascii one, and on the iptables commands –dport is (dash)(dash)dport, and –source is (dash)(dash)source. Now it works.

  6. B. says:

    Hi,

    I manage to connect client but I have no internet connection. Even when I run tracert 8.8.8.8, I get:

    Tracing route to 8.8.8.8 over a maximum of 30 hops

    1 4 ms 3 ms 3 ms 20.1.1.1
    2 * * * Request timed out.
    3 * * * Request timed out.
    4 * * * Request timed out.
    5 * * * Request timed out.
    6 * * * Request timed out.

    Also, in system tray there are two networks, my home network with internet connection and unidentified network without internet connection.

    what could be the problem???

    Otherwise great explanation, and the only one that actually connected client to server!!

    Thanks

    • Carl Rinker says:

      Sorry, although I may look like an expert, I actually took the directions commonly offered by others and sorted through the little details that differed among them. This configuration works for me and I have used and re-used it several times. Try looking for some small differences between what I wrote and what you wrote.

  7. Alex Ivanov says:

    I also got an error.
    All seemed to be ok except
    Wed Aug 12 10:07:49 2015 Initialization Sequence Completed
    Wed Aug 12 10:07:55 2015 Authenticate/Decrypt packet error: packet HMAC authentication failed
    Wed Aug 12 10:07:55 2015 Fatal decryption error (process_incoming_link), restarting
    Wed Aug 12 10:07:55 2015 SIGUSR1[soft,decryption-error] received, process restarting
    Wed Aug 12 10:07:55 2015 Restart pause, 5 second(s)

    What is wrong?

  8. Alex Ivanov says:

    Finally cracked it:
    my problem was that i had these errors and connection resetted
    Wed Aug 12 11:01:41 2015 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1544', remote='link-mtu 1540'
    Wed Aug 12 11:01:41 2015 WARNING: 'auth' is used inconsistently, local='auth SHA1', remote='auth MD5'

    i added the following lines into the Laptop1 ovpn config on the client to match the ones in the router at the end:
    auth "md5"
    tun-mtu 1540

    md5 since the open VPN i created is on md5 (If you want SHA1 add SHA1 – must match the router’s settings) and the link-mtu as 1540, cause i don’t know where to change on the router, so i changed in the client 🙂
    Now i don’t have to buy a subscription 🙂

  9. daniel says:

    hi there
    i am wondering what I have to enter at the openvpn server which you have set to 10.1.1.0…. where do I set this resp where do I get that information?
    regards

    • Carl Rinker says:

      Have you installed OpenVPN on your PC, tablet, or phone? If not, you need to do that. Then you need to import the ovpn file into the proper folder along with the certificates. Then you start OpenVPN, and, after that, connect to the VPN. OpenVPN will tell you if it has connected. The subnet in the article is intended to be different from the subnet on your main network. It’s for a pass-through, not for file transfer with your main home network. The two subnets will never see each other.

      Linux is a little more difficult. I’m playing around with Mint as a possible Windows 10 alternative and have not yet been successful with my connection, although I’ve only tried a couple of times. Android almost configures itself.

      • daniel says:

        well, my problem starts at the dd-wrt router in the status openvpn section where the openvpn server should be shown up and running, which it is not…
        i have openvpn on my pc installed, including all certificates in the folders.
        so, i have my main network on 192.168.1.1. is my assumption right that i should just leave the openvpn server with 10.1.1.0?
        now the question is.. why is my router not running with openvpn…??

        and another question: how secure is pptp vpn? that is working on my router and pc..?

        regards
        daniel cabaco

      • Carl Rinker says:

        Very few home routers offer OpenVPN in their stock firmware. Many alternate router firmwares offer OpenVPN. Those that do require different, but similar configurations to work as intended. OpenVPN Server is required to be installed on the DD-WRT router described in the articles. Not all routers with DD-WRT support OpenVPN server. Some smaller routers are, well, too small, for it to be included in the firmware. Others who may provide forked versions of DD-WRT may or may not offer it. Your router firmware may or may not have DD-WRT server support.

        There is also the possibility that OpenVPN is blocked by whoever supports your internet connection. This is uncommon, but I have run across it while using public wi-fi at a major public university.

        I have no idea which routers or DD-WRT versions include it. I don’t offer advice on the proper version for anyone’s router or provide instructions about how to install DD-WRT. It’s too easy to mess up and ruin an otherwise perfectly good router.

        PPTP is no longer secure. The manual that comes with your router will tell you which features are supported in the stock firmware. DD-WRT, in general, supports PPTP. I have no idea which routers and DD-WRT versions allow it to be enabled.

  10. Scott Vick says:

    Thank you so much for this article!! I spent about three weeks in the weeds, getting increasingly frustrated, trying to use out of date tutorials. I then found your article here and finally got it working. Kudos good man.

  11. Ted says:

    Hi,

    I followed your tutorial step by step but I fail to get a connection with OpenVPN.

    The error is: (I substituted the IP addresses. They were valid and if I read the error text correctly, they don’t play any role anyways)

    20151123 21:38:11 X.X.X.X:9860 TLS: Initial packet from [AF_INET]X.X.X.X:9860 sid=3b03c1a6 cab63989
    20151123 21:38:11 N X.X.X.X:9860 TLS_ERROR: BIO read tls_read_plaintext error: error:1408A0C1:lib(20):func(138):reason(193)
    20151123 21:38:11 N X.X.X.X:9860 TLS Error: TLS object -> incoming plaintext read error
    20151123 21:38:11 N X.X.X.X:9860 TLS Error: TLS handshake failed
    20151123 21:38:11 N X.X.X.X:9860 Fatal TLS error (check_tls_errors_co) restarting
    20151123 21:38:11 X.X.X.X:9860 SIGUSR1[soft tls-error] received client-instance restarting
    20151123 21:38:17 I TCP connection established with [AF_INET]X.X.X.X:7553
    20151123 21:38:17 Socket flags: TCP_NODELAY=1 succeeded

    So, should there be a TLS Auth Key? You left that field blank and I don’t think there was any such key in the output of those batch scripts.
    The timestamp of the router and my client are the same.

    • Ted says:

      Update: It works on my Windows 7 Machine but not on my iPhone.

      • Carl Rinker says:

        I’ve connected on several android devices ok. Sometimes it’s a little touchy but persistence pays off. If it works on Windows then it’s a config problem on android. Also, some remote sites can effectively block OpenVPN, even on port 443 tcp. I used to think it took a sophisticated operations department to block OpenVPN on 443 tcp. Later, I was blocked on public unsecured wifi in a home for active elderly people. No problems in hotels or McDonald’s.

        tun works fine with Android or iphone. tap does not work with either, except via an app that is not free. This may be a problem?

  12. George says:

    Love your write up but I cannot connect.
    I am getting a TLS error and I cant make it go away.
    =======================
    Here is my client log
    error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
    Wed Dec 16 14:23:35 2015 TLS Error: TLS object -> incoming plaintext read error
    Wed Dec 16 14:23:35 2015 TLS Error: TLS handshake failed
    Wed Dec 16 14:23:35 2015 Fatal TLS error (check_tls_errors_co), restarting
    Wed Dec 16 14:23:35 2015 SIGUSR1[soft,tls-error] received, process restarting
    Wed Dec 16 14:23:35 2015 MANAGEMENT: >STATE:1450304615,RECONNECTING,tls-error,,

    • Carl Rinker says:

      The articles document my configuration. Sometimes you can’t connect from public wi-fi because it’s blocked. OpenVPN on port 443 tcp is easier to block than you might think. I was recently blocked by the free wi-fi in an old folks home. See if it works at Starbucks or McDonalds.

      I’m not an OpenVPN expert so I can’t translate your logs into troubleshooting. Although the Certificate error might mean you have a problem with your certificates. Not trying to be funny.

  13. Avneesh says:

    @B – I encountered same error, basically the firewall script is not using the right tunnel adaptor. I had to modify the scripts to change the tunnel adaptor from tun0 to tun2. See here:
    http://www.teksec.org/2013/openvpn-tutorial-dd-wrt-howto-configure-properly-part-2/

    In fact, my additional config is only
    push “route 192.168.1.0 255.255.255.0”
    push “redirect-gateway def1 bypass-dhcp”
    push “dhcp-option DNS 8.8.8.8”
    keepalive 10 120

    and my firewall script is
    iptables -I INPUT 1 -p tcp --dport 443 -j ACCEPT
    iptables -I FORWARD 1 --source 10.1.1.0/24 -j ACCEPT
    iptables -t nat -A POSTROUTING -s 10.1.1.0/24 -o br0 -j MASQUERADE
    iptables -t nat -A POSTROUTING -s 10.1.1.0/24 -j MASQUERADE
    iptables -I FORWARD -i br0 -o tun2 -j ACCEPT
    iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
    iptables -t nat -I POSTROUTING -o tun2 -j MASQUERADE

    • Carl Rinker says:

      I remember using that article as a reference when I originally decided to create my OpenVPN implementation. I used many many others besides this one. It gave me the idea about using port 443 TCP. At the time it was one of the few articles, possibly the only article, I found that suggested it.

      One issue I had was it looked like it connected well, but it didn’t route through my home router. In fact, I don’t know what I ended up with except that it made a connection that got me to the internet. Since it wasn’t going through my home router, it wasn’t secure. Hence the addendums in the article about the little bits that were needed. The hardest part was trying to figure out the iptables. It’s a fairly intuitive language if you have the aptitude for it. I, unfortunately, didn’t and it took several hours of trial and error combined with several drives to my neighborhood free wifi before seeing results I wanted to see. The ‘additional config’ also needed some rework, as I recall.

      I’m happy it worked for you.

  14. Monte says:

    Thank you for this writeup. My PPTP setup was very inconsistent when traveling. OpenVPN has worked very well. One thing I’ve noticed is that I can get just about everything to work except accessing my routers setup page when on VPN. (I can get network shares, internet and even access other routers on my network but I can’t access the main openvpn router running ddwrt. Is it just mine….makes me wonder if it’s a ddwrt Web Access setting.

  15. Charlie says:

    I setup everything as per the instructions outlined, but can’t seem to get anything on the Status -> VPN page. One thing I have noticed is that when I save my Save or Apply in the Services -> VPN page, my Netmask field always returns to 0.0.0.0 even though I am entering 255.255.255.0.

    Anyone have any idea what may be occurring?

  16. Hi. Wonderful post. Everything worked fine. Thanks a lot. Just one issue: When I connect from the internet I got a IP 10.x.x.x and, this way, I’m not able to reach any other computer from my home network (192.168.x.x). The stranger is that when I close the tunnel from inside my network, I still get a 10.x.x.x IP Address, but the servers from 192.168 become available. Some tips? Thanks!

  17. Carl Rinker says:

    This VPN documents a routed configuration, as opposed to a bridged configuration. Routed is for pass-through. It gives you the ability to browse securely over public wifi. The connection is encrypted from where you are to your home router. Then it’s just like browsing from home. You can’t access the local lan using a routed server.

    A bridged config allows you to connect to your home network securely over public wifi. Browsing is not secure, unless you’re using remote desktop over the local lan and browsing from that PC.

    These are two different configurations for two different purposes. DD-WRT supports only one OpenVPN server. Routed is the traditional one installed. I don’t know how to do a bridged config in DD-WRT. I think the Netgear routers with OpenVPN built into the stock firmware support both routed or bridged and are not too difficult to install. Check first, to be sure.

    If you need both simultaneously, pfSense can support multiple OpenVPN servers. I use pfSense now on a home made router and have both routed and bridged servers available. I use bridged to remote desktop over the local lan from afar and to also access my NAS. It’s much more secure than port forwarding since no ports are open, except those controlled by OpenVPN. For public wifi browsing, I use the routed server. There’s nothing wrong with DD-WRT. It just has fewer features. OpenVPN on pfSense is also about 10x easier to set up.

  18. Alex says:

    @Avneesh, you are right, changing the tun0 and applying the firewall script resolved all my issues, Note that you have a typo on the script:
    iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
    should be
    iptables -I FORWARD -i tun2 -o br0 -j ACCEPT

    Here the correct complete script

    iptables -I INPUT 1 -p tcp --dport 443 -j ACCEPT
    iptables -I FORWARD 1 --source 10.1.1.0/24 -j ACCEPT
    iptables -t nat -A POSTROUTING -s 10.1.1.0/24 -o br0 -j MASQUERADE
    iptables -t nat -A POSTROUTING -s 10.1.1.0/24 -j MASQUERADE
    iptables -I FORWARD -i br0 -o tun2 -j ACCEPT
    iptables -I FORWARD -i tun2 -o br0 -j ACCEPT
    iptables -t nat -I POSTROUTING -o tun2 -j MASQUERADE

    • Carl Rinker says:

      I’m happy you got it working. The examples I provided came from my configuration. Your persistence is to be commended because I know from experience that some things don’t work sometimes without extra work.

