
OpenVPN And DD-WRT Part 2

We’re more than halfway there. You’ve made arrangements with a DDNS provider and have your own URL that points to your DD-WRT router. You’ve downloaded and installed OpenVPN. You’ve used OpenVPN to create some certificates and keys that you’ll later copy to various places. And you’ve done it all without having to learn anything complicated about certificate authorities or web servers or SSL. Easy as pie.

This is the home stretch. First, you’ll go to your DD-WRT router and tell it you want to create an OpenVPN server. To do that, you’ll fill in a few fields, copy and paste four of the files created in the last lesson into well-marked text boxes, copy and paste some ‘additional configuration’ into another text box, then, finally, copy and paste some firewall settings into a text box on a different DD-WRT tab.

Afterward, you will return to OpenVPN, use Notepad to edit a configuration file, then copy three files into the same folder as the configuration file.

Done.

The Road So Far

In OpenVPN And DD-WRT Part 1, you read an overview of the full project. The introduction above summarized the article pretty well.

Now we’ll configure DD-WRT. Before starting, here are a few things you’ll encounter.

Four of the files you created in Part 1 will be imported into DD-WRT using Notepad and copy and paste. The files look similar to this …


Some will start with ‘-----BEGIN CERTIFICATE-----’ and end with ‘-----END CERTIFICATE-----’. Others will have different but similar wording (for a key or the DH file). The server certificate file also contains a long human-readable dump ahead of the certificate itself, which you can ignore. It stands out; you can’t miss it.

The text to copy and paste starts with ‘-----BEGIN CERTIFICATE-----’ and ends with ‘-----END CERTIFICATE-----’ (or the equivalent wording), INCLUDING the BEGIN and END lines and ALL of the dashes. Ignore the extra text in the server certificate and copy only the certificate block.

There will be more text to copy and paste into DD-WRT. It’s below. You may have to modify it a little depending on your network configuration. The text you copy is taken from my network configuration. Thus, I can say it works for me and, hopefully, it will work well for you.

A copy of my OpenVPN configuration file is also below. Use it for reference or use it as-is. You will have to add your URL in this file.

DD-WRT and OpenVPN Server

Go to the Services/VPN tab in DD-WRT and configure it as described below.


Selected certificates and keys are copied and pasted into the following four text boxes. Using the naming convention from Part 1:

  • Public Server Cert: DDWRTrouter.crt
  • CA Cert: ca.crt
  • Private Server Key: DDWRTrouter.key (DD-WRT labels this box ‘Private Server Key’; it holds the router’s private key, which belongs nowhere else)
  • DH PEM: dh2048.pem

Additional Config (modify as needed, then copy and paste into DD-WRT. The certificate and key paths at the bottom are where DD-WRT stores what you pasted into the boxes above, so do not change them.)

# the LAN behind the router, pushed to the client as a route
push "route 192.168.1.0 255.255.255.0"
# DNS server the client uses while connected (see the explanation below)
push "dhcp-option DNS 8.8.8.8"
# send all of the client's traffic through the tunnel
push "redirect-gateway def1"
# the VPN's own subnet; the server itself takes 10.1.1.1
server 10.1.1.0 255.255.255.0
dev tun0
proto tcp
keepalive 10 120
# DD-WRT's own paths for the pasted certificates and keys; leave as-is
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem

Save and Apply Settings.

A couple of the tricky bits described in Part 1 are included in the Additional Configuration settings.

push "dhcp-option DNS 8.8.8.8" was included originally, but I didn’t know how important the DNS option was. OpenVPN via DD-WRT needs access to a DNS server; otherwise it won’t serve web pages. 8.8.8.8 is Google’s public DNS server. Use it or any other one you know you can reach. Don’t use one that you ‘just read about’. In the worst case, a DNS request for Amazon.com could return an IP address for NotReallyAmazon.com. Taking control of the DNS server reduces the risk of DNS spoofing. If you have a preferred DNS server, use it instead. I had no success directing it to my local gateway. Originally, I believed that leaving this option out would direct you to the DNS server used by the public wi-fi, which may be a very bad idea.

push "redirect-gateway def1" was not included originally. The Advanced Options section has a radio button that, when selected, directs all traffic through the gateway; that button adds this line. I just typed it in myself because, to me, it’s clearer. Unfortunately, this is not all you need. Adding this directive on its own will do nothing special. You need the DNS option mentioned above AND a specific firewall directive. Additionally, there are variations of this line in the documentation. I have no idea if they work. Most articles use this variation. The OpenVPN documentation uses two versions of this directive interchangeably.
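Two of the steps above are copy-and-paste steps, and both have a trap: the certificate files carry extra text in front of the block you need, and text that passes through a browser or blog page tends to arrive with curly quotes and dashes that OpenVPN and iptables will not accept (several readers hit this in the comments). The following helpers are an added example, not part of the article or of DD-WRT; they assume a POSIX sh with tr, sed and awk (BusyBox on the router, or any Linux, macOS or WSL shell) and illustrative file names.

```shell
#!/bin/sh
# Added example, not from the article: three small helpers for preparing the
# text you paste into the DD-WRT boxes. Assumes a POSIX sh with tr, sed and awk
# (BusyBox on the router, or any Linux/macOS/WSL shell, is enough).

# ascii_punct: filter stdin to stdout. Blog and word-processing software turns
# "--" into an en dash, "---" into an em dash and straight quotes into curly
# ones; OpenVPN and iptables reject all of those. Windows CR line endings are
# dropped as well. The UTF-8 byte sequences are spelled out in octal so the
# script itself stays pure ASCII.
ascii_punct() {
    lq=$(printf '\342\200\234') rq=$(printf '\342\200\235')   # left / right double quote
    lsq=$(printf '\342\200\230') rsq=$(printf '\342\200\231') # left / right single quote
    en=$(printf '\342\200\223') em=$(printf '\342\200\224')   # en dash / em dash
    tr -d '\r' | sed -e "s/$lq/\"/g" -e "s/$rq/\"/g" \
                     -e "s/$lsq/'/g" -e "s/$rsq/'/g" \
                     -e "s/$em/---/g" -e "s/$en/--/g"
}

# nonascii_lines: print "line:text" for every input line that still contains a
# byte outside printable ASCII. Exit status 0 means something is still wrong;
# 1 (grep's "no match") means the text is safe to paste.
nonascii_lines() {
    LC_ALL=C grep -n '[^[:print:][:space:]]'
}

# pem_block [FILE]: print only the -----BEGIN ...----- to -----END ...----- part,
# which is what the article says to paste. The human-readable dump that
# OpenSSL writes in front of a signed certificate is skipped.
pem_block() {
    awk '/^-----BEGIN /{p=1} p{print} /^-----END /{p=0}' "$@"
}

# Typical use on the files from Part 1 (file names are examples):
#   ascii_punct < additional-config.txt > additional-config.clean.txt
#   nonascii_lines < additional-config.clean.txt   # should print nothing
#   pem_block DDWRTrouter.crt                       # goes into Public Server Cert
```

Run `ascii_punct` over the Additional Config and the firewall lines before pasting, then `nonascii_lines` as a check; `pem_block` gives you exactly the block the text above tells you to select by hand.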


Altering the DD-WRT Firewall

Move to the Administration/Commands tab.

Copy and paste the following text into the open text box. Change as required. The 10.1.1.0/24 network below is your OpenVPN network, the one from the server line of the Additional Config.

# accept the OpenVPN connection on TCP 443
iptables -I INPUT 1 -p tcp --dport 443 -j ACCEPT
# allow forwarding for anything coming from the VPN subnet
iptables -I FORWARD 1 --source 10.1.1.0/24 -j ACCEPT
# LAN bridge and tunnel may talk to each other in both directions
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
# NAT everything from the VPN subnet behind the router's own address
iptables -t nat -A POSTROUTING -s 10.1.1.0/24 -j MASQUERADE

Save Firewall.

Reboot Router.

The last tricky bit is in the firewall directives. There are almost innumerable variations of the POSTROUTING line. The most common version is almost identical to the one above except that it is longer, having more detail. It didn’t work. This one is the only one that worked for me. Many references offer a set of several POSTROUTING lines, all of which you are asked to include. Other references state that more than one line is redundant. I never tried the multi-line versions, preferring to keep my configuration as simple as possible. I found this line in a forum reply somewhere and later figured out why it worked.

I suspect this line appended to the POSTROUTING chain worked because I told iptables to alter the nat table from source 10.1.1.0/24 and MASQUERADE everything, not just output for a specific interface. Specifying the wrong interface was the problem. Since 10.1.1.0/24 is the VPN subnet, dealing with all output seems OK. Anyway, it worked.
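The five lines above are what you paste, but two practical points are worth building in: DD-WRT re-runs the saved firewall script whenever the firewall restarts (a WAN reconnect, for instance), so plain -I/-A lines pile up duplicates over time, and the interface names differ between builds (a reader in the comments needed tun2 rather than tun0). The script below is an added example, not the article’s own script; it produces the same rules, parameterised and safe to re-run. It assumes the router shell is BusyBox ash and that its iptables understands -C (the rule-check option); if yours does not, drop the -C test and run the script once.

```shell
#!/bin/sh
# Added example, not the article's own script: the same five firewall rules as
# a parameterised script for the DD-WRT Administration/Commands box that can be
# run more than once without piling up duplicate rules. Assumptions: BusyBox ash
# and an iptables that understands -C. Interface names are the article's (br0
# for the LAN bridge, tun0 for the VPN); some builds use tun2 for the server.

VPN_NET="${VPN_NET:-10.1.1.0/24}"   # the 'server' subnet from Additional Config
LAN_IF="${LAN_IF:-br0}"             # LAN bridge on the router
TUN_IF="${TUN_IF:-tun0}"            # OpenVPN server interface (tun2 on some builds)
PORT="${PORT:-443}"                 # port from the Services/VPN tab
DRY_RUN="${DRY_RUN:-0}"             # 1 = print the commands instead of running them

ipt() {
    if [ "$DRY_RUN" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

# add_rule TABLE MODE CHAIN RULE...  MODE is "top" (insert at position 1, as the
# article does for INPUT and FORWARD so no earlier rule can drop the packet) or
# "end" (append, as for POSTROUTING). An already-present rule is left alone:
# DD-WRT re-runs this script whenever the firewall restarts.
add_rule() {
    t=$1 mode=$2 c=$3
    shift 3
    if [ "$DRY_RUN" != 1 ] && iptables -t "$t" -C "$c" "$@" 2>/dev/null; then
        return 0
    fi
    case $mode in
        top) ipt -t "$t" -I "$c" 1 "$@" ;;
        end) ipt -t "$t" -A "$c" "$@" ;;
        *)   echo "add_rule: bad mode $mode" >&2; return 1 ;;
    esac
}

apply_firewall() {
    # accept the OpenVPN connection itself
    add_rule filter top INPUT -p tcp --dport "$PORT" -j ACCEPT
    # let packets from VPN clients be forwarded at all (--source in the article)
    add_rule filter top FORWARD -s "$VPN_NET" -j ACCEPT
    # LAN <-> tunnel in both directions
    add_rule filter top FORWARD -i "$LAN_IF" -o "$TUN_IF" -j ACCEPT
    add_rule filter top FORWARD -i "$TUN_IF" -o "$LAN_IF" -j ACCEPT
    # NAT only what comes from the VPN subnet, on every outgoing interface,
    # which is the form that worked for the article's author
    add_rule nat end POSTROUTING -s "$VPN_NET" -j MASQUERADE
}

# The Commands box runs the saved script with no arguments, so the last line
# applies the rules. It does nothing in a dry run or on a box without iptables.
if [ "$DRY_RUN" != 1 ] && command -v iptables >/dev/null 2>&1; then
    apply_firewall
fi
```

Before saving it into the Commands box, run it with DRY_RUN=1 on any machine to see exactly which iptables commands it will issue; set TUN_IF=tun2 if your Status/OpenVPN page shows the server on that interface.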

Saving your firewall changes in a live environment will knock your router out of commission while it digests the changes. Your wireless on the machine making the changes will act loopy for a while. It always cleared up in a few minutes, except once. I downloaded an application that was designed to help with client OpenVPN connections, just to see if any OpenVPN gateway to the router was possible. It appeared to pull a lot of configuration down to the client so that it would work even if the server configuration had issues. It proved OpenVPN was a good product, but I suspect having too many things messing with my laptop network connection fouled something up. The wireless never returned after one firewall alteration. Rather than waste time trying to figure it out, I restored the partition from a recent bare-metal backup and picked up without the OpenVPN client helper app. The helper app also proved the client configuration file had no problems I needed to deal with. Its fixes were all behind the scenes on my laptop.


After rebooting the router, go to the Status/OpenVPN tab. You should see that the VPN is active on the router.

Configuring OpenVPN on the Client PC

The hard work is done. Here’s what’s left:

  • Install OpenVPN on the client PC (assuming it’s a different one than the one you’ve been working on all along.)
  • Copy three files from …\OpenVPN\easy-rsa\keys to ..\OpenVPN\config. Using the naming conventions from Part 1:
    1. ca.crt
    2. Laptop01.crt
    3. Laptop01.key
  • Navigate to ..\OpenVPN\config. Open Notepad with Administrator privileges and edit client.ovpn to match the sample below. As an alternative, you can copy and paste the sample text and change it to match your configuration.

##############################################
# Sample client-side OpenVPN 2.0 config file #
# for connecting to multi-client server.     #
#                                            #
# This configuration can be used by multiple #
# clients, however each client should have   #
# its own cert and key files.                #
#                                            #
# On Windows, you might want to rename this  #
# file so it has a .ovpn extension           #
##############################################
# file for Laptop01
client
dev tun0
proto tcp

# your DDNS name and the port the router listens on
remote YOUR_URL.COM 443

# keep retrying the DNS lookup of the name above
resolv-retry infinite

nobind
persist-key
persist-tun

# the CA certificate and this client's own certificate and key,
# all in the same folder as this file
ca ca.crt
cert Laptop01.crt
key Laptop01.key

# only accept a certificate that is marked as a server certificate
ns-cert-type server
comp-lzo
verb 3
float


The biggest gotcha with client.ovpn is Windows text editors. This is a text file and Windows may try to name it client.ovpn.txt. If this happens, OpenVPN GUI will just stare at you and offer nothing to connect to. Windows Explorer will probably be of no help discovering this problem, since it hides file extensions by default.

OpenVPN GUI will let you connect using any file with a .ovpn extension. If more than one is in the folder, it will offer a choice.

If OpenVPN offers a sample configuration file with a different extension than .ovpn, you should rename it to .ovpn if you use it.

If successful, you should now be able to start OpenVPN. Double-click the OpenVPN icon; you will need to Run As Administrator. Find the OpenVPN icon at the bottom right of the taskbar, right-click it and select Connect. You will be prompted for a password if you asked for that option when building the client certificates. If successful, a little bubble will appear above the icon and tell you that you are connected.

After starting OpenVPN and connecting to your tunnel, open a command window and run ipconfig /all.


Next run tracert 8.8.8.8.

You should see your OpenVPN server at the top, followed by the route to your destination, the Google DNS server.


Done.

Any browser windows open BEFORE you start OpenVPN will remain outside the tunnel. Make sure your browser is closed before starting OpenVPN client.

A visit to WhatIsMyIP.com will present your home IP address if the tunnel is active and functioning properly.
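The tracert check above is the decisive one, and it can fail in two distinct ways: the first hop is not the VPN server at all (the client is not sending traffic into the tunnel), or the first hop is the VPN server but every later hop times out (the router accepted the tunnel but is not forwarding or NATing the VPN subnet; a reader in the comments shows exactly that output). The script below is an added example, not from the article; it reads a saved Windows tracert listing (tracert 8.8.8.8 > trace.txt is an assumed file name) from any POSIX sh with awk, such as WSL or the router itself, and tells you which of the three cases you are in. IPv4 only.

```shell
#!/bin/sh
# Added example, not from the article: check a saved tracert listing to see
# whether traffic really goes through the tunnel. Assumptions: Windows tracert
# output, checked from a POSIX sh with awk (WSL, Git Bash or the router); IPv4.

# in_subnet IP CIDR: exit 0 if IP lies inside CIDR. awk has no 32-bit bitwise
# operators, so the prefix is compared by dividing out the host bits.
in_subnet() {
    awk -v ip="$1" -v cidr="$2" '
    function toint(a,  p) { split(a, p, "."); return ((p[1]*256 + p[2])*256 + p[3])*256 + p[4] }
    BEGIN {
        split(cidr, c, "/")
        bits = (c[2] == "") ? 32 : c[2] + 0
        host = 2 ^ (32 - bits)
        exit (int(toint(ip) / host) == int(toint(c[1]) / host)) ? 0 : 1
    }'
}

# trace_verdict VPN_CIDR: reads tracert output on stdin and prints a verdict.
# Exit 0: hop 1 is the VPN server and later hops answer (tunnel works).
# Exit 1: hop 1 is not inside the VPN subnet (traffic is not entering the
#         tunnel, so redirect-gateway did not take effect on the client).
# Exit 2: hop 1 is the VPN server but nothing beyond it answers (the router is
#         not forwarding or NATing the VPN subnet: check the FORWARD and
#         POSTROUTING rules and the tun interface name).
trace_verdict() {
    cidr=$1
    set -- $(awk '
        $1 ~ /^[0-9]+$/ {
            ip = $NF; gsub(/\[|\]/, "", ip)          # "host [1.2.3.4]" -> 1.2.3.4
            if (ip ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) {
                if ($1 == 1) first = ip
                replied++
            }
        }
        END { print (first == "" ? "none" : first), replied + 0 }')
    first=$1 replied=$2
    if [ "$first" = none ] || ! in_subnet "$first" "$cidr"; then
        echo "not-tunnelled: first hop $first is not in $cidr"
        return 1
    fi
    if [ "$replied" -lt 2 ]; then
        echo "no-forwarding: first hop $first is the VPN server but nothing beyond it answered"
        return 2
    fi
    echo "ok: first hop $first is inside $cidr and $replied hops answered"
    return 0
}

# Usage: trace_verdict 10.1.1.0/24 < trace.txt
```

With the article’s settings the first hop should be 10.1.1.1, the address the server line hands to the router end of the tunnel; pass a different subnet if you changed that line.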

Assuming OpenVPN works as described, you will now be able to securely pass through your home internet connection from any public internet connection. SSL encryption will keep the session as private as if you were at home. (By inference, this also means that if your home connection is as loose as a goose, so will be your browsing session, except for the part from public wi-fi to your home internet.)


67 Comments on “OpenVPN And DD-WRT Part 2”

  1. tim says:

    I got it all set up and running on my home router running v24-sp2 (10/08/14) kongac – build 25100M , with the following issue. OpenVPN client on Windows 8.1 errors out. The client.ovpn has the following relevant file

    ca ca.crt
    cert Comp1.crt
    key Comp1.key

    Comp1.crt is copied into the openvpn\config directory along with Comp1.key and ca.crt but we get the following in the log file:

    Sun May 17 19:03:08 2015 OpenVPN 2.3.6 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Mar 19 2015
    Sun May 17 19:03:08 2015 library versions: OpenSSL 1.0.1m 19 Mar 2015, LZO 2.08
    Enter Management Password:
    Sun May 17 19:03:08 2015 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
    Sun May 17 19:03:08 2015 Need hold release from management interface, waiting…
    Sun May 17 19:03:08 2015 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
    Sun May 17 19:03:08 2015 MANAGEMENT: CMD ‘state on’
    Sun May 17 19:03:08 2015 MANAGEMENT: CMD ‘log all on’
    Sun May 17 19:03:08 2015 MANAGEMENT: CMD ‘hold off’
    Sun May 17 19:03:08 2015 MANAGEMENT: CMD ‘hold release’
    Sun May 17 19:03:08 2015 MANAGEMENT: Client disconnected
    Sun May 17 19:03:08 2015 Cannot load certificate file Comp1.crt: error:0906D06C:PEM routines:PEM_read_bio:no start line: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:PEM lib
    Sun May 17 19:03:08 2015 Exiting due to fatal error

    • Carl Rinker says:

      I’m very definitely not an OpenVPN expert. I can’t tell you where your mistake is. I can only tell you that this article documents my configuration, which has been very reliable. I remember all the effort was in my first attempt. Subsequent certificate builds or configuration changes were fast from scratch. Why not take a day off and try again from the beginning.

      Also, be sure you are trying to connect from a site that does not block OpenVPN. Even on port 443, some places deep scan and won’t allow you to get out on their internet. I was blocked once using the public wi-fi at a major university. I couldn’t even get out using Tor. Most places should give you no problems, however.

      There’s always the possibility that your currently installed version of DD-WRT has problems with OpenVPN. This should be considered as very low on the things to swap out. Occasionally, actually rarely, the DD-WRT Broadcom forum mentions issues with OpenVPN server.

      • tim says:

        Starting over, with a fresh laptop, fresh install of openvpn 64bit on Win8.1, and really paying attention, it looks like the easy-rsa part no longer is the same as when you ran it.

        When running the build-key-pass.bat file I consistently get

        -failed to update database
        -TXT_DB error number 2

        Even exactly following your example letter by letter.
        Making all the org parts unique helps and sometimes the first client works but the 2nd one errors out in the build-key-pass.bat every time.

        Easy-rsa aint easy…..

      • Carl Rinker says:

        I recall a similar problem when I built keys a second time. I think I started from scratch and it worked. I surmised that a second pass conflicted with something built earlier. I’ll take a look at a rebuild later to see if there are any differences. Are you running it as administrator, not just signed on as an admin? The key build steps have been the same for years. If you look at other articles on this subject, you’ll see virtually identical instruction. My write up differs because of all the pictures at a higher level of detail and the tricky bits referred to that create the secure link.

  2. tim says:

    Your blog is stripping out the batch file name (build key pass) from my examples above.

  3. VietDzung says:

    I follow your guide, it can connect to VPN and show ip but not connect to Internet, “tracert google” not show any hop. My device is TP-LINK WR842ND V2 dd-wrt build 26947M.

  4. Thank You says:

    Great writeup – very clear and easy to follow. I have four questions/suggestions:

    1. When you give the examples of the build-key.bat and build-key-pass.bat scripts, you may want to make more clear that only one of the scripts should be run (depending on whether you want a password or not). I was confused and ran both scripts.

    2. You referenced “Public Server Key: DDWRTrouter.key” Is this the “Private” Server Key in dd-wrt?

    3. In your examples, the “–” was somehow changed to a special hyphen character and the quotation marks were changed to smart quotation marks. Cutting and pasting into dd-wrt ends up with strange characters. Here are the lines that have problems:

    iptables -I INPUT 1 -p tcp –dport 443 -j ACCEPT
    iptables -I FORWARD 1 –source 10.1.1.0/24 -j ACCEPT

    ***
    push “route 192.168.1.0 255.255.255.0″
    push “dhcp-option DNS 8.8.8.8″
    push “redirect-gateway def1″

    4. It was not clear what the “home network” is in the statement below. Is that referring to the VPN network?

    Copy and paste the following text into the open text box. Change as required. The network below is your home network.

    iptables -I INPUT 1 -p tcp –dport 443 -j ACCEPT
    iptables -I FORWARD 1 –source 10.1.1.0/24 -j ACCEPT
    iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
    iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
    iptables -t nat -A POSTROUTING -s 10.1.1.0/24 -j MASQUERADE

    Overall, it was a fantastic writeup and I greatly appreciate your efforts. I am still trying to get the router set up for VPN, but this explanation really helped me get started. Thank you!

    • Thank You says:

      Two more things I tried that got the server working:

      1. I read elsewhere that the keys are based on GMT time, and I needed to either wait 8 hours or set my timezone to GMT in the NTP settings. I set the timezone to GMT, and will change it back to Pacific time tomorrow.

      2. I read elsewhere that the server key needed to use the name “server.” I regenerated the keys using “server,” “client1,” “client2”, and “client3.”

      After applying these two fixes, the status showed Server: CONNECTED SUCCESS

      Thank you!

      • Carl Rinker says:

        I’ve heard nothing about time sensitive keys with DD-WRT. Kerberos is time sensitive but that has nothing to do with DD-WRT. I’m happy it worked for you eventually. I use mine every time I go out of town. My email provider gets upset if the ip-address I’m using to pull down email is not the one it’s used to seeing. The keys expire. Perhaps the first pass at key generation had a bad date which was automatically interpreted as expired the first time you used it? Just guessing.

        DD-WRT makes it a little difficult to set up OpenVPN. But, the upside is it’s free and you don’t have to pay an annual fee for safe browsing. I’ve heard some routers make it a little easier. I recently built an OpenVPN configuration using pfSense. It took a fraction of the time. pfSense uses a wizard to generate the set-up and keys. Other routers besides DD-WRT allow you to specifically name users and their passwords. Anyone who has gone through a DD-WRT application of OpenVPN would find the others anywhere from easier to quite easy in comparison.

    • Carl Rinker says:

      Yes, the password is optional. Verbiage has been tweaked to make this more obvious.

      This is where the keys go (assuming you used my naming convention): (taken from part 2)

      Public Server Cert: DDWRTrouter.crt
      CA Cert: ca.crt
      Public Server Key: DDWRTrouter.key
      DH PEM: dh2048.pem

      Sorry about the hyphen character. It worked for me as is. I’ve copied and pasted several times and had no problem.

      The network in iptables is the network defined in the openVPN configuration. I’ll tweak the verbiage.

      • Thank You says:

        Again, thank you so much for putting this guide together. It was extremely helpful.

        dd-wrt is looking for a “Private” server key, not a “Public” server key. I figured it out eventually, but your reference to a “Public” server key initially confused me.

        When I cut and paste the lines mentioned above, here is what the router sees:

        push &#-109;route 192.168.1.0 255.255.255.0″
        push &#-109;dhcp-option DNS 8.8.8.8″
        push &#-109;redirect-gateway def1″

        ***

        iptables -I INPUT 1 -p tcp &#-106;dport 443 -j ACCEPT
        iptables -I FORWARD 1 &#-106;source 10.1.1.0/24 -j ACCEPT

        I just copied the lines from your article into the “custom script” window to test the cut and paste again. I didn’t want to mess with the Firewall settings now that everything is working.

        Hopefully my post will help if someone else runs into this issue.

        Thanks again!

  5. Julian Hale says:

    OK, I finally got this working myself. WordPress replaces double quotes and double dashes, so you can’t just copy and paste from the example. Replace all double quotes under “additional config” with a plain ascii one, and on the iptables commands –dport is (dash)(dash)dport, and –source is (dash)(dash)source. Now it works.

  6. B. says:

    Hi,

    I manage to connect client but I have no internet connection. Even when I run tracert 8.8.8.8, I get:

    Tracing route to 8.8.8.8 over a maximum of 30 hops

    1 4 ms 3 ms 3 ms 20.1.1.1
    2 * * * Request timed out.
    3 * * * Request timed out.
    4 * * * Request timed out.
    5 * * * Request timed out.
    6 * * * Request timed out.

    Also, in system tray there are two networks, my home network with internet connection and unidentified network without internet connection.

    what could be the problem???

    Otherwise great explanation, and the only one that actually connected client to server!!

    Thanks

    • Carl Rinker says:

      Sorry, although I may look like an expert, I actually took the directions commonly offered by others and sorted through the little details that differed among them. This configuration works for me and I have used and re-used it several times. Try looking for some small differences between what I wrote and what you wrote.

  7. Alex Ivanov says:

    I also got an error.
    All seemed to be ok except
    Wed Aug 12 10:07:49 2015 Initialization Sequence Completed
    Wed Aug 12 10:07:55 2015 Authenticate/Decrypt packet error: packet HMAC authentication failed
    Wed Aug 12 10:07:55 2015 Fatal decryption error (process_incoming_link), restarting
    Wed Aug 12 10:07:55 2015 SIGUSR1[soft,decryption-error] received, process restarting
    Wed Aug 12 10:07:55 2015 Restart pause, 5 second(s)

    What is wrong?

  8. Alex Ivanov says:

    Finally cracked it:
    my problem was that i had these errors and the connection reset
    Wed Aug 12 11:01:41 2015 WARNING: ‘link-mtu’ is used inconsistently, local=’link-mtu 1544′, remote=’link-mtu 1540′
    Wed Aug 12 11:01:41 2015 WARNING: ‘auth’ is used inconsistently, local=’auth SHA1′, remote=’auth MD5′

    i added the following lines into the Laptop1 ovpn config on the client to match the ones in the router at the end:
    auth “md5”
    tun-mtu 1540

    md5 since the open VPN i created is on md5 (If you want SHA1 add SHA1 – must match the router’s settings) and the link-mtu as 1540, cause i don’t know where to change on the router, so i changed in the client 🙂
    Now i don’t have to buy a subscription 🙂

    • dirtbikedude118 says:

      I had the same issue, thanks for posting! I also made sure to change the double quotes and dashes. OpenVPN works flawlessly routing all traffic (WRT1900ac router).

  9. daniel says:

    hi there
    i am wondering what I have to enter at the openvpn server which you have set to 10.1.1.0…. where do I set this resp where do I get that information?
    regards

    • Carl Rinker says:

      Have you installed OpenVPN on your PC, tablet, or phone? If not, you need to do that. Then you need to import the ovpn file into the proper folder along with the certificates. Then you start OpenVPN, and, after that, connect to the VPN. OpenVPN will tell you if it has connected. The subnet in the article is intended to be different from the subnet on your main network. It’s for a pass-through, not for file transfer with your main home network. The two subnets will never see each other.

      Linux is a little more difficult. I’m playing around with Mint as a possible Windows 10 alternative and have not yet been successful with my connection, although I’ve only tried a couple of times. Android almost configures itself.

      • daniel says:

        well, my problem starts at the dd-wrt router in the status openvpn section where the openvpn server should be shown up and running, which it is not…
        i have openvpn on my pc installed, including all certificates in the folders.
        so, i have my main network on 192.168.1.1. is my assumption right that i should just leave the openvpn server with 10.1.1.0?
        now the question is.. why is my router not running with openvpn…??

        and another question: how secure is pptp vpn? that is working on my router and pc..?

        regards
        daniel cabaco

      • Carl Rinker says:

        Very few home routers offer OpenVPN in their stock firmware. Many alternate router firmwares offer OpenVPN. Those that do require different, but similar configurations to work as intended. OpenVPN Server is required to be installed on the DD-WRT router described in the articles. Not all routers with DD-WRT support OpenVPN server. Some smaller routers are, well, too small, for it to be included in the firmware. Others who may provide forked versions of DD-WRT may or may not offer it. Your router firmware may or may not have DD-WRT server support.

        There is also the possibility that OpenVPN is blocked by whoever supports your internet connection. This is uncommon, but I have run across it while using public wi-fi at a major public university.

        I have no idea which routers or DD-WRT versions include it. I don’t offer advice on the proper version for anyone’s router or provide instructions about how to install DD-WRT. It’s too easy to mess up and ruin an otherwise perfectly good router.

        PPTP is no longer secure. The manual that comes with your router will tell you which features are supported in the stock firmware. DD-WRT, in general, supports PPTP. I have no idea which routers and DD-WRT versions allow it to be enabled.

  10. Scott Vick says:

    Thank you so much for this article!! I spent about three weeks in the weeds, getting increasingly frustrated, trying to use out of date tutorials. I then found your article here and finally got it working. Kudos good man.

  11. Ted says:

    Hi,

    I followed your tutorial step by step but I fail to get a connection with OpenVPN.

    The error is: (I substituted the IP addresses. They were valid and if I read the error text correctly, they don’t play any role anyways)

    20151123 21:38:11 X.X.X.X:9860 TLS: Initial packet from [AF_INET]X.X.X.X:9860 sid=3b03c1a6 cab63989
    20151123 21:38:11 N X.X.X.X:9860 TLS_ERROR: BIO read tls_read_plaintext error: error:1408A0C1:lib(20):func(138):reason(193)
    20151123 21:38:11 N X.X.X.X:9860 TLS Error: TLS object -> incoming plaintext read error
    20151123 21:38:11 N X.X.X.X:9860 TLS Error: TLS handshake failed
    20151123 21:38:11 N X.X.X.X:9860 Fatal TLS error (check_tls_errors_co) restarting
    20151123 21:38:11 X.X.X.X:9860 SIGUSR1[soft tls-error] received client-instance restarting
    20151123 21:38:17 I TCP connection established with [AF_INET]X.X.X.X:7553
    20151123 21:38:17 Socket flags: TCP_NODELAY=1 succeeded

    So, should there be a TLS Auth Key? You left that field blank and I don’t think there was any such key in the output of those batch scripts.
    The timestamp of the router and my client are the same.

    • Ted says:

      Update: It works on my Windows 7 Machine but not on my iPhone.

      • Carl Rinker says:

        I’ve connected on several android devices ok. Sometimes it’s a little touchy but persistence pays off. If it works on Windows then it’s a config problem on android. Also, some remote sites can effectively block OpenVPN, even on port 443 tcp. I used to think it took a sophisticated operations department to block OpenVPN on 443 tcp. Later, I was blocked on public unsecured wifi in a home for active elderly people. No problems in hotels or McDonald’s.

        tun works fine with Android or iphone. tap does not work with either, except via an app that is not free. This may be a problem?

  12. George says:

    Love your write up but I cannot connect.
    I am getting a TLS error and I cant make it go away.
    =======================
    Here is my client log
    error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
    Wed Dec 16 14:23:35 2015 TLS Error: TLS object -> incoming plaintext read error
    Wed Dec 16 14:23:35 2015 TLS Error: TLS handshake failed
    Wed Dec 16 14:23:35 2015 Fatal TLS error (check_tls_errors_co), restarting
    Wed Dec 16 14:23:35 2015 SIGUSR1[soft,tls-error] received, process restarting
    Wed Dec 16 14:23:35 2015 MANAGEMENT: >STATE:1450304615,RECONNECTING,tls-error,,

    • Carl Rinker says:

      The articles document my configuration. Sometimes you can’t connect from public wi-fi because it’s blocked. OpenVPN on port 443 tcp is easier to block than you might think. I was recently blocked by the free wi-fi in an old folks home. See if it works at Starbucks or McDonalds.

      I’m not an OpenVPN expert so I can’t translate your logs into troubleshooting. Although the Certificate error might mean you have a problem with your certificates. Not trying to be funny.

  13. Avneesh says:

    @B – I encountered same error, basically the firewall script is not using the right tunnel adaptor. I had to modify the scripts to change the tunnel adaptor from tun0 to tun2. See here:
    http://www.teksec.org/2013/openvpn-tutorial-dd-wrt-howto-configure-properly-part-2/

    In fact, my additional config is only
    push "route 192.168.1.0 255.255.255.0"
    push "redirect-gateway def1 bypass-dhcp"
    push "dhcp-option DNS 8.8.8.8"
    keepalive 10 120

    and my firewall script is
    iptables -I INPUT 1 -p tcp --dport 443 -j ACCEPT
    iptables -I FORWARD 1 --source 10.1.1.0/24 -j ACCEPT
    iptables -t nat -A POSTROUTING -s 10.1.1.0/24 -j -o br0 MASQUERADE
    iptables -t nat -A POSTROUTING -s 10.1.1.0/24 -j MASQUERADE
    iptables -I FORWARD -i br0 -o tun2 -j ACCEPT
    iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
    iptables -t nat -I POSTROUTING -o tun2 -j MASQUERADE

    • Carl Rinker says:

      I remember using that article as a reference when I originally decided to create my OpenVPN implementation. I used many many others besides this one. It gave me the idea about using port 443 TCP. At the time it was one of the few articles, possibly the only article, I found that suggested it.

      One issue I had was it looked like it connected well, but it didn’t route through my home router. In fact, I don’t know what I ended up with except that it made a connection that got me to the internet. Since it wasn’t going through my home router, it wasn’t secure. Hence the addendums in the article about the little bits that were needed. The hardest part was trying to figure out the iptables. It’s a fairly intuitive language if you have the aptitude for it. I, unfortunately, didn’t and it took several hours of trial and error combined with several drives to my neighborhood free wifi before seeing results I wanted to see. The ‘additional config’ also needed some rework, as I recall.

      I’m happy it worked for you.

  14. Monte says:

    Thank you for this writeup. My PPTP setup was very inconsistent when traveling. OpenVPN has worked very well. One thing I’ve noticed is that I can get just about everything to work except accessing my router’s setup page when on VPN. (I can get network shares, internet and even access other routers on my network but I can’t access the main openvpn router running ddwrt.) Is it just mine....makes me wonder if it’s a ddwrt Web Access setting.

  15. Charlie says:

    I setup everything as per the instructions outlined, but can’t seem to get anything on the Status -> VPN page. One thing I have noticed is that when I save my Save or Apply in the Services -> VPN page, my Netmask field always returns to 0.0.0.0 even though I am entering 255.255.255.0.

    Anyone have any idea what may be occurring?

  16. Hi. Wonderful post. Everything worked fine. Thanks a lot. Just one issue: When I connect from the internet I got a IP 10.x.x.x and, this way, I’m not able to reach any other computer from my home network (192.168.x.x). The stranger is that when I close the tunnel from inside my network, I still get a 10.x.x.x IP Address, but the servers from 192.168 become available. Some tips? Thanks!

  17. Carl Rinker says:

    This VPN documents a routed configuration, as opposed to a bridged configuration. Routed is for pass-through. It gives you the ability to browse securely over public wifi. The connection is encrypted from where you are to your home router. Then it’s just like browsing from home. You can’t access the local lan using a routed server.

    A bridged config allows you to connect to your home network securely over public wifi. Browsing is not secure, unless you’re using remote desktop over the local lan and browsing from that PC.

    These are two different configurations for two different purposes. DD-WRT supports only one OpenVPN server. Routed is the traditional one installed. I don’t know how to do a bridged config in DD-WRT. I think the Netgear routers with OpenVPN built into the stock firmware support both routed or bridged and are not too difficult to install. Check first, to be sure.

    If you need both simultaneously, pfSense can support multiple OpenVPN servers. I use pfSense now on a home-made router and have both routed and bridged servers available. I use bridged to remote desktop over the local LAN from afar and also to access my NAS. It’s much more secure than port forwarding since no ports are open, except those controlled by OpenVPN. For public wifi browsing, I use the routed server. There’s nothing wrong with DD-WRT. It just has fewer features. OpenVPN on pfSense is also about 10x easier to set up.

  18. Alex says:

    @Avneesh, you are right, changing the tun0 and applying the firewall script resolved all my issues. Note that you have a typo in the script:
    iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
    should be
    iptables -I FORWARD -i tun2 -o br0 -j ACCEPT

    Here is the correct complete script

    iptables -I INPUT 1 -p tcp --dport 443 -j ACCEPT
    iptables -I FORWARD 1 --source 10.1.1.0/24 -j ACCEPT
    iptables -t nat -A POSTROUTING -s 10.1.1.0/24 -o br0 -j MASQUERADE
    iptables -t nat -A POSTROUTING -s 10.1.1.0/24 -j MASQUERADE
    iptables -I FORWARD -i br0 -o tun2 -j ACCEPT
    iptables -I FORWARD -i tun2 -o br0 -j ACCEPT
    iptables -t nat -I POSTROUTING -o tun2 -j MASQUERADE

    • Carl Rinker says:

      I’m happy you got it working. The examples I provided came from my configuration. Your persistence is to be commended because I know from experience that some things don’t work sometimes without extra work.

  19. ats says:

    I have two different IPs, both of which are static:
    1. WAN IP which is reflected in my router
    2. Public IP which is shown when I google “what’s my IP”

    The OpenVPN setup which is shown above works fine for me when I am on the same network as my ISP, i.e. connecting to OpenVPN via port 443 when connected via wifi to the same DD-WRT router which the OpenVPN server is running on.

    Then when I try this setup from some other network which is different from my ISP, I am not able to connect to OpenVPN via either the WAN or the public IP, while modifying the openvpn.config for the same.
    I ran an online open-port scan on the public IP and it seems that only ports 21, 22, 23 & 80 are open from my ISP.

    Tried to connect openvpn via these open ports and Public ip but this is the error:

    Mon Feb 06 20:57:16 2017 Restart pause, 2 second(s)
    Mon Feb 06 20:57:18 2017 MANAGEMENT: >STATE:1486394838,RESOLVE,,,,,,
    Mon Feb 06 20:57:18 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]45.124.140.122:80
    Mon Feb 06 20:57:18 2017 Socket Buffers: R=[65536->65536] S=[65536->65536]
    Mon Feb 06 20:57:18 2017 Attempting to establish TCP connection with [AF_INET]45.124.140.122:80 [nonblock]
    Mon Feb 06 20:57:18 2017 MANAGEMENT: >STATE:1486394838,TCP_CONNECT,,,,,,
    Mon Feb 06 20:57:19 2017 TCP connection established with [AF_INET]45.000.000.122:80
    Mon Feb 06 20:57:19 2017 TCP_CLIENT link local: (not bound)
    Mon Feb 06 20:57:19 2017 TCP_CLIENT link remote: [AF_INET]45.000.000.122:80
    Mon Feb 06 20:57:19 2017 MANAGEMENT: >STATE:1486394839,WAIT,,,,,,
    Mon Feb 06 20:57:22 2017 SIGTERM[hard,] received, process exiting
    Mon Feb 06 20:57:22 2017 MANAGEMENT: >STATE:1486394842,EXITING,SIGTERM,,,,,

    Also, as soon as I change to any other port apart from 443 the server state remains blank in dd-wrt—status—openvpn

    any help will be deeply appreciated

    • Carl Rinker says:

      You have a lot of issues.

      If your WAN IP is different from your ‘what is my IP’ address, you might be double NATted. Are you using two routers with OpenVPN on the inside network? This won’t work if you do, without lots of misc adjustments.

      Otherwise, the web posts are exact representations of my DD-WRT / OpenVPN configuration. Try again. BTW, port 443 is not sacrosanct. You can use any port you like. Currently, I’m using pfSense, not DD-WRT. However, if I ever returned to DD-WRT I would use this configuration again.

      • ats says:

        Yep… it seems like the ISP is giving me a connection from a router at their end which comes directly to my router….

        Will asking the ISP to open port 443 on my public IP work for me?

        If the ISP declines, is there any workaround, or any reference to articles that you can point me to in order to perform the misc adjustments that you were talking about?

        Thanks

      • Carl Rinker says:

        If you are double NATted, I would suggest you put OpenVPN on the outside network, the one connected to the outside world. Then I would suggest you redo the configuration from scratch, assuming the outside router uses DD-WRT. As the saying goes – “It worked for me.” If you are double NATted, your ISP has nothing to do with the ports on the inside router.

        Re double NATting: Read This. Most people use double NATting to isolate the inside and outside networks from each other.

  20. John Wiemeyer says:

    Hi Carl,
    Wanted to thank you for the detailed write-up. I was able to get my VPN server running this afternoon. The main problem I had was that pasting text from the website often came with extra characters. I made plenty of mistakes as well, but going back through the article helped me understand what I was doing wrong and correct the mistakes. Once I cleaned up what I pasted and corrected my other mistakes the server showed “CONNECTED SUCCESS”. Next I will try to connect a client.

  21. Joeke says:

    Hi peeps,

    Carl, it’s a great and very easy guide to follow.. many thanks for that!

    But… In my config, the VPN client connects, validates the certificates, but after that it immediately closes the connection. And I can’t figure out what is going wrong.

    My DD-WRT router is only doing VPN… My other router passes through all VPN.

    Can anyone point me in the right direction of what perhaps is going wrong?

    The Openvpn client log:
    Sat Feb 24 11:39:59 2018 TCP connection established with [AF_INET]xxx.xxx.xxx.xxx:1194
    Sat Feb 24 11:39:59 2018 TCP_CLIENT link local: (not bound)
    Sat Feb 24 11:39:59 2018 TCP_CLIENT link remote: [AF_INET]xxx.xxx.xxx.xxx:1194
    Sat Feb 24 11:39:59 2018 MANAGEMENT: >STATE:1519468799,WAIT,,,,,,
    Sat Feb 24 11:39:59 2018 MANAGEMENT: >STATE:1519468799,AUTH,,,,,,
    Sat Feb 24 11:39:59 2018 TLS: Initial packet from [AF_INET]xxx.xxx.xxx.xxx:1194, sid=73bf68bc 8f2bceb9
    Sat Feb 24 11:40:00 2018 VERIFY OK: depth=1, C=NL, ST=GR, L=NUIS, O=DOOM, OU=DOOM, CN=DOOM, name=DOOM, emailAddress=xxx.xxx.xxx.xxx
    Sat Feb 24 11:40:00 2018 VERIFY OK: nsCertType=SERVER
    Sat Feb 24 11:40:00 2018 VERIFY OK: depth=0, C=NL, ST=GR, L=NUIS, O=DOOM, OU=DOOM, CN=VPNrouter, name=VPNrouter, emailAddress=xxx.xxx.xxx.xxx
    Sat Feb 24 11:40:00 2018 Connection reset, restarting [0]
    Sat Feb 24 11:40:00 2018 TCP/UDP: Closing socket
    Sat Feb 24 11:40:00 2018 SIGUSR1[soft,connection-reset] received, process restarting
    Sat Feb 24 11:40:00 2018 MANAGEMENT: >STATE:1519468800,RECONNECTING,connection-reset,,,,,
    Sat Feb 24 11:40:00 2018 Restart pause, 5 second(s)

    My client ovpn file config:
    client
    dev tun0
    proto tcp

    remote xxx.xxx.xxx.xxx 1194

    resolv-retry infinite

    nobind
    persist-key
    persist-tun

    ca ca.crt
    cert Laptop.crt
    key Laptop.key

    ns-cert-type server
    comp-lzo
    verb 5
    float

    My DD-WRT router config:
    push "route 192.168.0.0 255.255.255.0"
    push "dhcp-option DNS 8.8.8.8"
    push "redirect-gateway def1 bypass-dhcp"
    server 10.1.1.0 255.255.255.0
    dev tun0
    proto tcp
    keepalive 10 120
    dh /tmp/openvpn/dh.pem
    ca /tmp/openvpn/ca.crt
    cert /tmp/openvpn/cert.pem
    key /tmp/openvpn/key.pem

    • Carl Rinker says:

      Overall, I can only suggest starting from the beginning and trying again.

      The connection messages remind me of log entries from hackers who tried to break into my OpenVPN server but never connected. I suspect they could not connect because they didn’t have the correct login info and/or certificates.

      By the way, everyone who has an OpenVPN server has people try this daily. Everyone with a router receives probably several hundred scans and hack attempts daily. In general, NAT and SPI do a great job of protection. Open ports are the weak spot. Any port left open should be protected by a device with great security, such as OpenVPN. I moved my OpenVPN ports to some really non-standard ones – I now use pfSense and it supports multiple servers simultaneously – and I have never seen an attempted OpenVPN hack since then.

      • Joeke says:

        Hi Carl, thanks for your quick reply…
        Unfortunately, this was already the 3rd time I’ve reinstalled everything from scratch.. 😦

        I’m probably going to ask a friend if he wants to check my whole config… Hopefully he will see a flaw in my configuration after some testing and will correct it.

        For now, I’ve set up a PPTP server which works fine, but the most convenient solution will be OpenVPN.. 🙂

      • Joeke says:

        OK… I finally found out what the problem was in my environment.
        DD-WRT doesn’t really know what time or date it is, and mine had the date 1st of Jan 1970…… *sigh*

        So the certificates were valid (logging says Verify – OK), but weren’t valid yet…. lol..

        In the webinterface of DD-WRT you can run a command “Date” which shows the date and time of the router.
        give it the command: Date YYYYMMDDHHMM to set it to the current date and time.

        After that it could connect… 🙂

  22. Andre says:

    Got OpenVPN working with some extra info from the comments section, but one thing I can’t get working:

    when I connect to my home network with OpenVPN it is connected, but I can’t open any internal devices (internal IPs),
    like let’s say my switch, router or an IP camera, and I can’t find the reason why.

    Anyone?

    • Joeke says:

      Hey Andre,

      What is your router VPN range and what is your home network ip range?
      This has to be a different range…!

      A colleague of mine had the same problem, but this was caused by his router VPN range being the same as his home network.

      • Andre says:

        Hmmm OK
        My VPN range: I think you mean the IP that is filled in at “Network” and the DNS mask; that is 192.168.2.0, the DNS mask is 255.255.255.0

        The IP range of my router is 192.168.2.1 (DHCP from the .3)

        Andre

      • Joeke says:

        It looks like you have the same range.

        When your home network has a range of 192.168.2.0, try a different range.
        For example use: 192.168.178.0 (on your VPN router and in the OVPN client).

      • Andre says:

        I will try that, but must I also change the firewall settings? See below.

        This is it right now:
        iptables -I INPUT 1 -p tcp --dport 443 -j ACCEPT
        iptables -I FORWARD 1 --source 192.168.2.0/24 -j ACCEPT
        iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -o br0 -j MASQUERADE
        iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -j MASQUERADE
        iptables -I FORWARD -i br0 -o tun2 -j ACCEPT
        iptables -I FORWARD -i tun2 -o br0 -j ACCEPT
        iptables -t nat -I POSTROUTING -o tun2 -j MASQUERADE

        The 192.168.2.0 must be 192.168.178.0, for example?

        Andre

      • Joeke says:

        Yep.. 🙂

        Every line, where you setup the 192.168.2.0 range, you have to change to the new one.

      • Andre says:

        OK, changed it, but still the same 😦 I see now on my client app that I have IP 192.168.178.2, so that’s correct. I have changed the firewall settings to

        iptables -I INPUT 1 -p tcp --dport 443 -j ACCEPT
        iptables -I FORWARD 1 --source 192.168.178.0/24 -j ACCEPT
        iptables -t nat -A POSTROUTING -s 192.168.178.0/24 -o br0 -j MASQUERADE
        iptables -t nat -A POSTROUTING -s 192.168.178.0/24 -j MASQUERADE
        iptables -I FORWARD -i br0 -o tun2 -j ACCEPT
        iptables -I FORWARD -i tun2 -o br0 -j ACCEPT
        iptables -t nat -I POSTROUTING -o tun2 -j MASQUERADE

        Still I can’t connect to a local IP in the 192.168.2.X, and the strange thing is when I look on the site http://www.watismijnip.nl (a Dutch site that shows your ISP IP) I see the IP address from my mobile provider ISP. I would expect to see the IP of my ISP.

        Andre

    • Carl Rinker says:

      Hi Andre,

      I don’t think this configuration will allow you to access the home network. It’s only for pass-through. If anyone contradicts me on this, I will believe them. If anyone can help you, I say ‘Thank You’ in advance.

      I’m now using pfSense on a home built router. It allows multiple simultaneous OpenVPN servers. I use one for browsing pass-through only and one for browsing and remote LAN access. Both have different users, certificates, and passwords. The pass-through VPN uses auto-logon and is used to provide secure browsing on public wifi. To lock the pass-through VPN out from the LAN, I had to create a firewall rule that prevented LAN access to the LAN created by that VPN instance, 10.1.1.0/24 in that case. I’m assuming for DD-WRT you need to do the inverse to gain access to your LAN. I have no idea how to do it in DD-WRT.

      Also, try using the device IP address in your browser or this notation \\xxx.xxx.xxx.xxx in file explorer. If the device has a name, try it like this \\devicename in file explorer.

      Edit:

      OK. You figured it out, according to later comments. Great job.

  23. Joeke says:

    You’re right that you have to see your ISP address and not your mobile provider.

    When you right-click on your OVPN client and check the log… Does it give you any error messages?

    I’m not sure what’s going wrong… Maybe someone else knows?

    • Andre says:

      Joeke,

      I have the log of the client; it’s of course no problem to place it here, but maybe it’s not the intention of this site?
      Is it possible to mail you? I think that will be better. If not, I will place it here of course.

      Andre

      • Joeke says:

        Andre,

        I’m not a VPN expert, so not sure if I can help you.. 😉

        I’d rather not put my email here, because it’s publicly readable in these comments.

        Look me up on twitter Joeke van der Velde.

      • Andre says:

        Hi Joeke,
        found you on Twitter, but I don’t use Twitter, but OK, no problem. The log of my client:
        also Dutch I see, and in the same line of work as me haha.. But OK, the log of my client; I don’t see any errors?

        14:25:39.384 -- ----- OpenVPN Start -----

        14:25:39.385 -- EVENT: CORE_THREAD_ACTIVE

        14:25:39.392 -- Frame=512/2048/512 mssfix-ctrl=1250

        14:25:39.392 -- UNUSED OPTIONS
        5 [resolv-retry] [infinite]
        6 [nobind]
        7 [persist-key]
        8 [persist-tun]
        11 [verb] [3]

        14:25:39.393 -- EVENT: RESOLVE

        14:25:39.402 -- Contacting 94.ISP.xx.144:443 via TCP

        14:25:39.402 -- EVENT: WAIT

        14:25:39.466 -- Connecting to [94.ISP.xx.144]:443 (94.ISP.xx.144) via TCPv4

        14:25:39.514 -- EVENT: CONNECTING

        14:25:39.517 -- Tunnel Options:V4,dev-type tun,link-mtu 1560,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-client

        14:25:39.518 -- Creds: UsernameEmpty/PasswordEmpty

        14:25:39.519 -- Peer Info:
        IV_GUI_VER=OC30Android
        IV_VER=3.2
        IV_PLAT=android
        IV_NCP=2
        IV_TCPNL=1
        IV_PROTO=2
        IV_LZO=1
        IV_AUTO_SESS=1

        14:25:39.820 -- VERIFY OK : depth=1
        cert. version : 3
        serial number : F9:64:C2:AB:38:88:C7:4E
        issuer name : C=NL, ST=OV, L=XXXXX, O=OpenVPN, OU=changeme, CN=openXXXXXX, ??=changeme, emailAddress=XXXXXX@gmail.com
        subject name : C=NL, ST=OV, L=XXXXX, O=OpenVPN, OU=changeme, CN=openXXXXXX, ??=changeme, emailAddress=XXXXXX@gmail.com
        issued on : 2018-04-06 06:26:39
        expires on : 2028-04-03 06:26:39
        signed using : RSA with SHA-256
        RSA key size : 4096 bits
        basic constraints : CA=true

        14:25:39.822 -- VERIFY OK : depth=0
        cert. version : 3
        serial number : 01
        issuer name : C=NL, ST=OV, L=XXXXX, O=OpenVPN, OU=changeme, CN=openXXXXXX, ??=changeme, emailAddress=XXXXXX@gmail.com
        subject name : C=NL, ST=OV, L=XXXXX, O=OpenVPN, OU=changeme, CN=server1, ??=changeme, emailAddress=XXXXXX@gmail.com
        issued on : 2018-04-06 06:27:52
        expires on : 2028-04-03 06:27:52
        signed using : RSA with SHA-256
        RSA key size : 4096 bits
        basic constraints : CA=false
        cert. type : SSL Server
        key usage : Digital Signature, Key Encipherment
        ext key usage : TLS Web Server Authentication

        14:25:40.234 -- SSL Handshake: TLSv1.2/TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384

        14:25:40.238 -- Session is ACTIVE

        14:25:40.240 -- EVENT: GET_CONFIG

        14:25:40.249 -- Sending PUSH_REQUEST to server...

        14:25:40.293 -- OPTIONS:
        0 [route-gateway] [192.168.178.1]
        1 [topology] [subnet]
        2 [ping] [10]
        3 [ping-restart] [120]
        4 [socket-flags] [TCP_NODELAY]
        5 [ifconfig] [192.168.178.2] [255.255.255.0]
        6 [peer-id] [0]
        7 [cipher] [AES-256-GCM]

        14:25:40.295 -- PROTOCOL OPTIONS:
        cipher: AES-256-GCM
        digest: SHA1
        compress: LZO
        peer ID: 0

        14:25:40.297 -- EVENT: ASSIGN_IP

        14:25:40.427 -- Connected via tun

        14:25:40.428 -- LZO-ASYM init swap=0 asym=0

        14:25:40.428 -- EVENT: CONNECTED info='@94.ISP.xx.144:443 (94.ISP.xx.144) via /TCPv4 on tun/192.168.178.2/ gw=[192.168.178.1/]' trans=TO_CONNECTED

  24. Joeke says:

    Haha.. Yeah, I already thought you were Dutch, because probably your spellchecker corrects words to Dutch words.. 😉

    I would set verbose mode (verb) to 5 in your client.ovpn… Gives you more detail in logging. Maybe this will give you an error.

    I also see you’re using another cipher than me… Not sure if this has anything to do with the problem, but I use “cipher BF-CBC”

    • Andre says:

      Joeke,
      I changed the verb to 5, but still no error.. I think the VPN is correct but it’s something with the iptables??
      --------------
      15:12:34.896 -- ----- OpenVPN Start -----

      15:12:34.896 -- EVENT: CORE_THREAD_ACTIVE

      15:12:34.907 -- Frame=512/2048/512 mssfix-ctrl=1250

      15:12:34.918 -- UNUSED OPTIONS
      5 [resolv-retry] [infinite]
      6 [nobind]
      7 [persist-key]
      8 [persist-tun]
      11 [verb] [5]

      15:12:34.918 -- EVENT: RESOLVE

      15:12:34.922 -- Contacting 94.SIP.xx.144:443 via TCP

      15:12:34.922 -- EVENT: WAIT

      15:12:34.974 -- Connecting to [94.SIP.xx.144]:443 (94.SIP.xx.144) via TCPv4

      15:12:35.014 -- EVENT: CONNECTING

      15:12:35.017 -- Tunnel Options:V4,dev-type tun,link-mtu 1560,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-client

      15:12:35.019 -- Creds: UsernameEmpty/PasswordEmpty

      15:12:35.020 -- Peer Info:
      IV_GUI_VER=OC30Android
      IV_VER=3.2
      IV_PLAT=android
      IV_NCP=2
      IV_TCPNL=1
      IV_PROTO=2
      IV_LZO=1
      IV_AUTO_SESS=1

      15:12:35.338 -- VERIFY OK : depth=1
      cert. version : 3
      serial number : F9:64:C2:AB:38:88:C7:4E
      issuer name : C=NL, ST=OV, L=XXXXX, O=OpeXXXX, OU=changeme, CN=OpenVPN-OV, ??=changeme, emailAddress=XXXXX@gmail.com
      subject name : C=NL, ST=OV, L=XXXXX, O=OpeXXXX, OU=changeme, CN=OpenVPN-OV, ??=changeme, emailAddress=XXXXX@gmail.com
      issued on : 2018-04-06 06:26:39
      expires on : 2028-04-03 06:26:39
      signed using : RSA with SHA-256
      RSA key size : 4096 bits
      basic constraints : CA=true

      15:12:35.340 -- VERIFY OK : depth=0
      cert. version : 3
      serial number : 01
      issuer name : C=NL, ST=OV, L=XXXXX, O=OpeXXXX, OU=changeme, CN=OpXXXXX, ??=changeme, emailAddress=XXXXX@gmail.com
      subject name : C=NL, ST=OV, L=XXXXX, O=OpenXXX, OU=changeme, CN=XXXX, ??=changeme, emailAddress=XXXXXX@gmail.com
      issued on : 2018-04-06 06:27:52
      expires on : 2028-04-03 06:27:52
      signed using : RSA with SHA-256
      RSA key size : 4096 bits
      basic constraints : CA=false
      cert. type : SSL Server
      key usage : Digital Signature, Key Encipherment
      ext key usage : TLS Web Server Authentication

      15:12:35.748 -- SSL Handshake: TLSv1.2/TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384

      15:12:35.754 -- Session is ACTIVE

      15:12:35.756 -- EVENT: GET_CONFIG

      15:12:35.759 -- Sending PUSH_REQUEST to server...

      15:12:35.793 -- OPTIONS:
      0 [route-gateway] [192.168.178.1]
      1 [topology] [subnet]
      2 [ping] [10]
      3 [ping-restart] [120]
      4 [socket-flags] [TCP_NODELAY]
      5 [ifconfig] [192.168.178.2] [255.255.255.0]
      6 [peer-id] [0]
      7 [cipher] [AES-256-GCM]

      15:12:35.795 -- PROTOCOL OPTIONS:
      cipher: AES-256-GCM
      digest: SHA1
      compress: LZO
      peer ID: 0

      15:12:35.796 -- EVENT: ASSIGN_IP

      15:12:35.900 -- Connected via tun

      15:12:35.901 -- LZO-ASYM init swap=0 asym=0

      15:12:35.901 -- EVENT: CONNECTED info='@94.SIP.xx.144:443 (94.SIP.xx.144) via /TCPv4 on tun/192.168.178.2/ gw=[192.168.178.1/]' trans=TO_CONNECTED

      15:13:22.788 -- EVENT: DISCONNECTED trans=TO_DISCONNECTED

      15:13:22.799 -- EVENT: CORE_THREAD_INACTIVE

      15:13:22.799 -- Tunnel bytes per CPU second: 0

      15:13:22.800 -- ----- OpenVPN Stop -----
      ___________________

      • Joeke says:

        Andre,

        I’m a bit clueless why you can’t connect to any internal devices…

        Maybe you know someone who is a bit more into VPNs?
        To me it all looks OK.

      • Andre says:

        Joeke,

        FOUND IT!!!

        I put some rules in “Additional Config” and now I can reach my internal IPs.
        Joeke, thanks for your time and for thinking along with me.

        The rules are:
        push "route 192.168.2.0 255.255.255.0"
        server 192.168.178.0 255.255.255.0
        push "redirect-gateway def1"

        Andre

      • Joeke says:

        Oh, those are the extra rules in your router config!

        Haha, nice you found it yourself… 🙂
        And no problem. Glad it works now.

        Joeke
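As an added example (not code from the article or from any commenter), here is a small Python checker for the three things that went wrong in the thread above: Joeke's rule that the VPN range must differ from the LAN range, Andre's fix of pushing a route to the LAN in "Additional Config", and Alex's catch of a mis-ordered -j in the firewall script. The sample config and firewall text are constructed from the thread, and `dev tun2` plus the helper names are assumptions.

```python
"""Sanity-check a DD-WRT OpenVPN server: 'Additional Config' text, firewall
script and home LAN range must agree (hypothetical helper, not the article's)."""
import ipaddress
import re
import shlex

# iptables targets a rule may jump to; any other token right after -j is a typo.
TARGETS = {"ACCEPT", "DROP", "REJECT", "RETURN", "LOG", "MASQUERADE", "SNAT", "DNAT"}

def parse_additional_config(text):
    """Return (vpn_subnet, tun_device, pushed_routes) from server config lines."""
    vpn, dev, routes = None, None, []
    for raw in text.splitlines():
        parts = shlex.split(raw, comments=True)  # drops the quotes around push args
        if not parts:
            continue
        if parts[0] == "server" and len(parts) >= 3:
            vpn = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
        elif parts[0] == "dev" and len(parts) == 2:
            dev = parts[1]
        elif parts[0] == "push" and len(parts) == 2:
            words = parts[1].split()  # e.g. ['route', '192.168.2.0', '255.255.255.0']
            if len(words) >= 3 and words[0] == "route":
                routes.append(ipaddress.ip_network(f"{words[1]}/{words[2]}", strict=False))
    return vpn, dev, routes

def check_firewall(text, vpn, dev):
    """Lint iptables lines against the VPN subnet and the server's tun device."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("iptables"):
            continue
        tokens = line.split()
        if "-j" in tokens:  # the token after -j must be a target, not another option
            after = tokens[tokens.index("-j") + 1:][:1]
            if not after or after[0] not in TARGETS:
                findings.append(f"'-j' is not followed by a target: {line}")
        for cidr in re.findall(r"\d+\.\d+\.\d+\.\d+/\d+", line):
            if ipaddress.ip_network(cidr, strict=False) != vpn:
                findings.append(f"uses {cidr} but 'server' is {vpn}: {line}")
        for iface in re.findall(r"\btun\d+\b", line):
            if dev and iface != dev:
                findings.append(f"uses {iface} but config says 'dev {dev}': {line}")
    return findings

def check_setup(config_text, firewall_text, lan_cidr):
    """Return every finding; an empty list means the three pieces agree."""
    lan = ipaddress.ip_network(lan_cidr, strict=False)
    vpn, dev, routes = parse_additional_config(config_text)
    if vpn is None:
        return ["no 'server' line, so clients get no VPN address at all"]
    findings = []
    if vpn.overlaps(lan):  # Joeke's point: VPN and LAN ranges must differ
        findings.append(f"VPN subnet {vpn} overlaps the LAN {lan}: pick another range")
    if not any(lan.subnet_of(r) for r in routes):  # Andre's fix: push a route to the LAN
        findings.append(f'no push "route" covering {lan}: clients get pass-through only')
    findings.extend(check_firewall(firewall_text, vpn, dev))
    return findings

# Constructed samples modelled on the thread. 'dev tun2' is an assumption: whatever
# interface DD-WRT gives the server is the one the firewall script must name.
BAD_CONFIG = 'server 192.168.2.0 255.255.255.0\ndev tun2\npush "redirect-gateway def1"\n'
BAD_FIREWALL = ("iptables -I INPUT 1 -p tcp --dport 443 -j ACCEPT\n"
                "iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -j -o br0 MASQUERADE\n"
                "iptables -I FORWARD -i tun0 -o br0 -j ACCEPT\n")
GOOD_CONFIG = ('push "route 192.168.2.0 255.255.255.0"\nserver 192.168.178.0 255.255.255.0\n'
               'dev tun2\npush "redirect-gateway def1"\n')
GOOD_FIREWALL = ("iptables -I INPUT 1 -p tcp --dport 443 -j ACCEPT\n"
                 "iptables -I FORWARD 1 --source 192.168.178.0/24 -j ACCEPT\n"
                 "iptables -t nat -A POSTROUTING -s 192.168.178.0/24 -o br0 -j MASQUERADE\n"
                 "iptables -I FORWARD -i br0 -o tun2 -j ACCEPT\n"
                 "iptables -I FORWARD -i tun2 -o br0 -j ACCEPT\n"
                 "iptables -t nat -I POSTROUTING -o tun2 -j MASQUERADE\n")

if __name__ == "__main__":
    for name, cfg, fw in (("bad", BAD_CONFIG, BAD_FIREWALL), ("good", GOOD_CONFIG, GOOD_FIREWALL)):
        print(name, check_setup(cfg, fw, "192.168.2.0/24") or ["OK"])
```

Run against the constructed "bad" inputs it reports four findings (overlapping range, missing pushed route, the mis-ordered -j, and tun0 versus tun2); the "good" inputs produce none.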
