WNDR4300 with DD-WRT and OpenVPN client

bartelsjoshuac@...
I have a standard default config openvpn running on a Google Debian instance which works as expected on my PC, Mac, and phone (Android). 
 
I have DD-WRT (build 33555) on a Netgear WNDR4300 (atheros 1s) with entware. 
 
I configured the DD-WRT VPN client using parameters from the working ovpn file that is used successfully on the other three "devices".
 
However, the only thing I can ping or access is the VPN server itself. DNS resolves, but I can't get to anything else.
 
Example: 
C:\Users\barte>ping www.google.com 
 
Pinging www.google.com [172.217.6.4] with 32 bytes of data: 
Request timed out. 
 
Ping statistics for 172.217.6.4: 
Packets: Sent = 1, Received = 0, Lost = 1 (100% loss), 
Control-C 
^C 
C:\Users\barte>ping 35.232.0.68 
 
Pinging 35.232.0.68 with 32 bytes of data: 
Reply from 35.232.0.68: bytes=32 time=20ms TTL=58 
Reply from 35.232.0.68: bytes=32 time=19ms TTL=58 
 
Ping statistics for 35.232.0.68: 
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss), 
Approximate round trip times in milli-seconds: 
Minimum = 19ms, Maximum = 20ms, Average = 19ms 
Control-C 
^C 
C:\Users\barte> 
 
I set the keys from the ovpn file for these:
TLS Auth Key 
CA Cert 
Public client Cert 
Private Client Key 
 
Log appears as follows:
Jan 14 23:15:03 snowstorm user.info : pptpd : pptp daemon successfully stopped
Jan 14 23:15:03 snowstorm user.info : openvpn : OpenVPN daemon (Client) starting/restarting...
Jan 14 23:15:03 snowstorm daemon.warn openvpn[22478]: WARNING: file '/tmp/openvpncl/client.key' is group or others accessible
Jan 14 23:15:03 snowstorm daemon.warn openvpn[22478]: WARNING: file '/tmp/openvpncl/ta.key' is group or others accessible
Jan 14 23:15:03 snowstorm daemon.notice openvpn[22478]: OpenVPN 2.4.4 mips-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Oct 20 2017
Jan 14 23:15:03 snowstorm daemon.notice openvpn[22478]: library versions: OpenSSL 1.1.0f  25 May 2017, LZO 2.09
Jan 14 23:15:03 snowstorm daemon.notice openvpn[22480]: MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:16
Jan 14 23:15:03 snowstorm daemon.warn openvpn[22480]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Jan 14 23:15:03 snowstorm daemon.warn openvpn[22480]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jan 14 23:15:03 snowstorm daemon.notice openvpn[22480]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Jan 14 23:15:03 snowstorm daemon.notice openvpn[22480]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Jan 14 23:15:03 snowstorm daemon.notice openvpn[22480]: TCP/UDP: Preserving recently used remote address: [AF_INET]35.232.0.68:1194
Jan 14 23:15:03 snowstorm daemon.notice openvpn[22480]: Socket Buffers: R=[172032->172032] S=[172032->172032]
Jan 14 23:15:03 snowstorm daemon.notice openvpn[22480]: UDPv4 link local: (not bound)
Jan 14 23:15:03 snowstorm daemon.notice openvpn[22480]: UDPv4 link remote: [AF_INET]35.232.0.68:1194
Jan 14 23:15:03 snowstorm daemon.notice openvpn[22480]: TLS: Initial packet from [AF_INET]35.232.0.68:1194, sid=5163d961 62c51d36
Jan 14 23:15:03 snowstorm daemon.notice openvpn[22480]: VERIFY OK: depth=1, CN=ChangeMe
Jan 14 23:15:03 snowstorm daemon.notice openvpn[22480]: VERIFY OK: depth=0, CN=server
Jan 14 23:15:04 snowstorm daemon.warn openvpn[22480]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1602', remote='link-mtu 1601'
Jan 14 23:15:04 snowstorm daemon.warn openvpn[22480]: WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
Jan 14 23:15:04 snowstorm daemon.notice openvpn[22480]: Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Jan 14 23:15:04 snowstorm daemon.notice openvpn[22480]: [server] Peer Connection Initiated with [AF_INET]35.232.0.68:1194
Jan 14 23:15:05 snowstorm daemon.notice openvpn[22480]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Jan 14 23:15:05 snowstorm daemon.notice openvpn[22480]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 35.232.0.68,dhcp-option DNS 8.8.8.8,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255
Jan 14 23:15:05 snowstorm daemon.notice openvpn[22480]: OPTIONS IMPORT: timers and/or timeouts modified
Jan 14 23:15:05 snowstorm daemon.notice openvpn[22480]: NOTE: --mute triggered...
Jan 14 23:15:05 snowstorm daemon.notice openvpn[22480]: 7 variation(s) on previous 3 message(s) suppressed by --mute
Jan 14 23:15:05 snowstorm daemon.notice openvpn[22480]: Data Channel: using negotiated cipher 'AES-256-GCM'
Jan 14 23:15:05 snowstorm daemon.notice openvpn[22480]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Jan 14 23:15:05 snowstorm daemon.notice openvpn[22480]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Jan 14 23:15:05 snowstorm daemon.notice openvpn[22480]: TUN/TAP device tun1 opened
Jan 14 23:15:05 snowstorm daemon.notice openvpn[22480]: TUN/TAP TX queue length set to 100
Jan 14 23:15:05 snowstorm daemon.notice openvpn[22480]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Jan 14 23:15:05 snowstorm daemon.notice openvpn[22480]: /sbin/ifconfig tun1 10.8.0.2 netmask 255.255.255.0 mtu 1500 broadcast 10.8.0.255
Jan 14 23:15:05 snowstorm daemon.notice openvpn[22480]: /sbin/route add -net 35.232.0.68 netmask 255.255.255.255 gw 192.168.1.1
Jan 14 23:15:05 snowstorm daemon.warn openvpn[22480]: ERROR: Linux route add command failed: external program exited with error status: 255
Jan 14 23:15:05 snowstorm daemon.notice openvpn[22480]: /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.8.0.1
Jan 14 23:15:05 snowstorm daemon.notice openvpn[22480]: /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.8.0.1
Jan 14 23:15:05 snowstorm daemon.warn openvpn[22480]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Jan 14 23:15:05 snowstorm daemon.notice openvpn[22480]: Initialization Sequence Completed
^C
root@snowstorm:/tmp/var/log# ping www.google.com
PING www.google.com (172.217.4.228): 56 data bytes
^C
--- www.google.com ping statistics ---
2 packets transmitted, 0 packets received, 100% packet loss
root@snowstorm:/tmp/var/log# ping 35.232.0.68
PING 35.232.0.68 (35.232.0.68): 56 data bytes
64 bytes from 35.232.0.68: seq=0 ttl=59 time=20.138 ms
64 bytes from 35.232.0.68: seq=1 ttl=59 time=20.014 ms
^C
 
I see one error; every time I looked this error up I found status code 2, not 255, and it was down to simple server configuration issues, which I don't think mine is, given that it works fine with 3 other clients.
Jan 15 01:06:50 snowstorm daemon.notice openvpn[24938]: /sbin/route add -net 35.232.0.68 netmask 255.255.255.255 gw 192.168.1.1
Jan 15 01:06:50 snowstorm daemon.warn openvpn[24938]: ERROR: Linux route add command failed: external program exited with error status: 255
 
Note that running that route add -net command from the command line works fine.
This also looks odd to me, like we are missing a 255.0???
Jan 15 01:06:50 snowstorm daemon.notice openvpn[24938]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 35.232.0.68,dhcp-option DNS 8.8.8.8,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255
 
Thoughts?
 
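As an added example (not from the original post, nor DD-WRT or OpenVPN code), here is a small Python checker that reads syslog lines like the ones quoted above and pulls out what a reviewer would want from that log: the key-file permission and missing server certificate verification warnings, the options the server pushed (including redirect-gateway, which is why all of the router's traffic is meant to go through the tunnel), and the route add command that failed with exit status 255. The sample lines are constructed copies of the post's log, with the PUSH_REPLY line shortened.

```python
import re

# Constructed sample, shaped like the DD-WRT syslog lines quoted in the post above.
SAMPLE_LOG = """\
Jan 14 23:15:03 snowstorm daemon.warn openvpn[22478]: WARNING: file '/tmp/openvpncl/client.key' is group or others accessible
Jan 14 23:15:03 snowstorm daemon.warn openvpn[22480]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Jan 14 23:15:04 snowstorm daemon.warn openvpn[22480]: WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
Jan 14 23:15:05 snowstorm daemon.notice openvpn[22480]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 35.232.0.68,dhcp-option DNS 8.8.8.8,route-gateway 10.8.0.1,topology subnet'
Jan 14 23:15:05 snowstorm daemon.notice openvpn[22480]: /sbin/route add -net 35.232.0.68 netmask 255.255.255.255 gw 192.168.1.1
Jan 14 23:15:05 snowstorm daemon.warn openvpn[22480]: ERROR: Linux route add command failed: external program exited with error status: 255
Jan 14 23:15:05 snowstorm daemon.notice openvpn[22480]: Initialization Sequence Completed
"""

SYSLOG_RE = re.compile(r"^\S+ +\d+ [\d:]+ \S+ \S+ openvpn\[\d+\]: (?P<msg>.*)$")
KEYPERM_RE = re.compile(r"WARNING: file '([^']+)' is group or others accessible")
PUSH_RE = re.compile(r"PUSH: Received control message: '(PUSH_REPLY[^']*)")  # tolerates a truncated line
ROUTE_ERR_RE = re.compile(r"route add command failed: .*error status: (\d+)")

def analyse_openvpn_log(text):
    """Summarise hardening gaps and routing outcome from an OpenVPN client syslog."""
    report = {"findings": [], "pushed": [], "failed_routes": [], "connected": False}
    last_route_cmd = None
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # not an openvpn line (e.g. the pptpd line in the post)
        msg = m.group("msg")
        if k := KEYPERM_RE.search(msg):
            # Private key or tls-auth key is readable by other users on the router.
            report["findings"].append(("key-file-permissions", k.group(1)))
        elif "No server certificate verification method" in msg:
            # The client accepts any certificate signed by the CA as the server;
            # 'remote-cert-tls server' in the client config closes this gap.
            report["findings"].append(("no-server-cert-verification", "remote-cert-tls server"))
        elif p := PUSH_RE.search(msg):
            report["pushed"] = [o.strip() for o in p.group(1).split(",")[1:] if o.strip()]
        elif msg.startswith("/sbin/route add"):
            last_route_cmd = msg  # remember the command the next ERROR line refers to
        elif r := ROUTE_ERR_RE.search(msg):
            report["failed_routes"].append((last_route_cmd, int(r.group(1))))
        elif msg == "Initialization Sequence Completed":
            report["connected"] = True
    # redirect-gateway means all of the router's traffic is meant to go through the tunnel
    report["full_tunnel"] = any(o.startswith("redirect-gateway") for o in report["pushed"])
    return report

if __name__ == "__main__":
    for key, value in analyse_openvpn_log(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```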
bartelsjoshuac@...
server.conf is as follows:

root@pihole-free:/etc/openvpn# more server.conf
port 1194
proto udp
dev tun
sndbuf 0
rcvbuf 0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-auth ta.key 0
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 35.232.0.68"
push "dhcp-option DNS 8.8.8.8"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
crl-verify crl.pem
 
 
On the Mac, PC, and Android, I can access the internet and the VPN server, http://35.232.0.68. But when the DD-WRT is the client, the DD-WRT cannot access anything, nor can any connected clients.