I have a standard default config openvpn running on a Google Debian instance which works as expected on my PC, Mac, and phone (Android).
I have DD-WRT (build 33555) on a Netgear WNDR4300 (atheros 1s) with entware.
I configured the DD-WRT VPN client using parameters from the working ovpn file that is used successfully on the other three "devices".
However the only thing I can ping or access is the VPN server itself. DNS resolves, but I can't get to anything else.
Example:
C:\Users\barte>ping www.google.com
Pinging www.google.com [172.217.6.4] with 32 bytes of data:
Request timed out.
Ping statistics for 172.217.6.4:
Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),
Control-C
^C
C:\Users\barte>ping 35.232.0.68
Pinging 35.232.0.68 with 32 bytes of data:
Reply from 35.232.0.68: bytes=32 time=20ms TTL=58
Reply from 35.232.0.68: bytes=32 time=19ms TTL=58
Ping statistics for 35.232.0.68:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 19ms, Maximum = 20ms, Average = 19ms
Control-C
^C
C:\Users\barte>
I set the keys from the ovpn file for these:
TLS Auth Key
CA Cert
Public client Cert
Private Client Key
Log appears as follows:
Jan 14 23:15:03 snowstorm user.info : pptpd : pptp daemon successfully stopped
Jan 14 23:15:03 snowstorm user.info : openvpn : OpenVPN daemon (Client) starting/restarting...
Jan 14 23:15:03 snowstorm daemon.warn openvpn[22478]: WARNING: file '/tmp/openvpncl/client.key' is group or others accessible
Jan 14 23:15:03 snowstorm daemon.warn openvpn[22478]: WARNING: file '/tmp/openvpncl/ta.key' is group or others accessible
Jan 14 23:15:03 snowstorm daemon.notice openvpn[22478]: OpenVPN 2.4.4 mips-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Oct 20 2017
Jan 14 23:15:03 snowstorm daemon.notice openvpn[22478]: library versions: OpenSSL 1.1.0f 25 May 2017, LZO 2.09
Jan 14 23:15:03 snowstorm daemon.notice openvpn[22480]: MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:16
Jan 14 23:15:03 snowstorm daemon.warn openvpn[22480]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Jan 14 23:15:03 snowstorm daemon.warn openvpn[22480]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jan 14 23:15:03 snowstorm daemon.notice openvpn[22480]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Jan 14 23:15:03 snowstorm daemon.notice openvpn[22480]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Jan 14 23:15:03 snowstorm daemon.notice openvpn[22480]: TCP/UDP: Preserving recently used remote address: [AF_INET]35.232.0.68:1194
Jan 14 23:15:03 snowstorm daemon.notice openvpn[22480]: Socket Buffers: R=[172032->172032] S=[172032->172032]
Jan 14 23:15:03 snowstorm daemon.notice openvpn[22480]: UDPv4 link local: (not bound)
Jan 14 23:15:03 snowstorm daemon.notice openvpn[22480]: UDPv4 link remote: [AF_INET]35.232.0.68:1194
Jan 14 23:15:03 snowstorm daemon.notice openvpn[22480]: TLS: Initial packet from [AF_INET]35.232.0.68:1194, sid=5163d961 62c51d36
Jan 14 23:15:03 snowstorm daemon.notice openvpn[22480]: VERIFY OK: depth=1, CN=ChangeMe
Jan 14 23:15:03 snowstorm daemon.notice openvpn[22480]: VERIFY OK: depth=0, CN=server
Jan 14 23:15:04 snowstorm daemon.warn openvpn[22480]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1602', remote='link-mtu 1601'
Jan 14 23:15:04 snowstorm daemon.warn openvpn[22480]: WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
Jan 14 23:15:04 snowstorm daemon.notice openvpn[22480]: Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Jan 14 23:15:04 snowstorm daemon.notice openvpn[22480]: [server] Peer Connection Initiated with [AF_INET]35.232.0.68:1194
Jan 14 23:15:05 snowstorm daemon.notice openvpn[22480]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Jan 14 23:15:05 snowstorm daemon.notice openvpn[22480]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 35.232.0.68,dhcp-option DNS 8.8.8.8,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255
Jan 14 23:15:05 snowstorm daemon.notice openvpn[22480]: OPTIONS IMPORT: timers and/or timeouts modified
Jan 14 23:15:05 snowstorm daemon.notice openvpn[22480]: NOTE: --mute triggered...
Jan 14 23:15:05 snowstorm daemon.notice openvpn[22480]: 7 variation(s) on previous 3 message(s) suppressed by --mute
Jan 14 23:15:05 snowstorm daemon.notice openvpn[22480]: Data Channel: using negotiated cipher 'AES-256-GCM'
Jan 14 23:15:05 snowstorm daemon.notice openvpn[22480]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Jan 14 23:15:05 snowstorm daemon.notice openvpn[22480]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Jan 14 23:15:05 snowstorm daemon.notice openvpn[22480]: TUN/TAP device tun1 opened
Jan 14 23:15:05 snowstorm daemon.notice openvpn[22480]: TUN/TAP TX queue length set to 100
Jan 14 23:15:05 snowstorm daemon.notice openvpn[22480]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Jan 14 23:15:05 snowstorm daemon.notice openvpn[22480]: /sbin/ifconfig tun1 10.8.0.2 netmask 255.255.255.0 mtu 1500 broadcast 10.8.0.255
Jan 14 23:15:05 snowstorm daemon.notice openvpn[22480]: /sbin/route add -net 35.232.0.68 netmask 255.255.255.255 gw 192.168.1.1
Jan 14 23:15:05 snowstorm daemon.warn openvpn[22480]: ERROR: Linux route add command failed: external program exited with error status: 255
Jan 14 23:15:05 snowstorm daemon.notice openvpn[22480]: /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.8.0.1
Jan 14 23:15:05 snowstorm daemon.notice openvpn[22480]: /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.8.0.1
Jan 14 23:15:05 snowstorm daemon.warn openvpn[22480]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Jan 14 23:15:05 snowstorm daemon.notice openvpn[22480]: Initialization Sequence Completed
^C
root@snowstorm:/tmp/var/log# ping www.google.com
PING www.google.com (172.217.4.228): 56 data bytes
^C
--- www.google.com ping statistics ---
2 packets transmitted, 0 packets received, 100% packet loss
root@snowstorm:/tmp/var/log# ping 35.232.0.68
PING 35.232.0.68 (35.232.0.68): 56 data bytes
64 bytes from 35.232.0.68: seq=0 ttl=59 time=20.138 ms
64 bytes from 35.232.0.68: seq=1 ttl=59 time=20.014 ms
^C
I see one error; every time I looked this error up I found status code 2, not 255, and it was a simple server configuration issue, which I don't think mine is given that it works fine with 3 other clients.
Jan 15 01:06:50 snowstorm daemon.notice openvpn[24938]: /sbin/route add -net 35.232.0.68 netmask 255.255.255.255 gw 192.168.1.1
Jan 15 01:06:50 snowstorm daemon.warn openvpn[24938]: ERROR: Linux route add command failed: external program exited with error status: 255
Note that running that route add -net command from the command line works fine.
This also looks odd to me, like we are missing a 255.0???
Jan 15 01:06:50 snowstorm daemon.notice openvpn[24938]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 35.232.0.68,dhcp-option DNS 8.8.8.8,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255
Thoughts?
server.conf is as follows:
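As an added example, not part of the original post and not the server.conf it refers to: a POSIX shell script (busybox awk/grep/sed are enough) that scans an OpenVPN client log like the one above for route-add failures and for the security warnings it contains, and checks a `route -n` listing for the three routes that `redirect-gateway def1` depends on. The sample log is built from lines copied from the post; the routing table, interface names (tun1, vlan2) and file paths are constructed assumptions for illustration. Two of the warnings in the log are worth fixing regardless of the routing problem: "No server certificate verification method has been enabled" means the client accepts any certificate issued by the same CA (a client certificate included) as the server, which `remote-cert-tls server` in the client config prevents, and the "group or others accessible" warnings mean the key files should be chmod 600.

```shell
#!/bin/sh
# Added example (not from the original post): sanity checks for an OpenVPN client
# log and routing table on a DD-WRT router. Works with busybox awk/grep/sed.

TMP=${TMPDIR:-/tmp}
SAMPLE_LOG="$TMP/openvpncl-sample-$$.log"
SAMPLE_ROUTES="$TMP/route-n-sample-$$.txt"
SAMPLE_ROUTES_FIXED="$TMP/route-n-fixed-$$.txt"

# Constructed sample log: the relevant lines copied from the post above.
cat > "$SAMPLE_LOG" <<'EOF'
Jan 14 23:15:03 snowstorm daemon.warn openvpn[22478]: WARNING: file '/tmp/openvpncl/client.key' is group or others accessible
Jan 14 23:15:03 snowstorm daemon.warn openvpn[22478]: WARNING: file '/tmp/openvpncl/ta.key' is group or others accessible
Jan 14 23:15:03 snowstorm daemon.warn openvpn[22480]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Jan 14 23:15:05 snowstorm daemon.notice openvpn[22480]: /sbin/route add -net 35.232.0.68 netmask 255.255.255.255 gw 192.168.1.1
Jan 14 23:15:05 snowstorm daemon.warn openvpn[22480]: ERROR: Linux route add command failed: external program exited with error status: 255
Jan 14 23:15:05 snowstorm daemon.notice openvpn[22480]: /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.8.0.1
Jan 14 23:15:05 snowstorm daemon.notice openvpn[22480]: /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.8.0.1
Jan 14 23:15:05 snowstorm daemon.notice openvpn[22480]: Initialization Sequence Completed
EOF

# Constructed `route -n` output for the state the log implies: both def1 halves
# installed via the tunnel, but no /32 host route to the VPN server. Interface
# names (tun1, vlan2) are assumptions.
cat > "$SAMPLE_ROUTES" <<'EOF'
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.8.0.1        128.0.0.0       UG    0      0        0 tun1
128.0.0.0       10.8.0.1        128.0.0.0       UG    0      0        0 tun1
10.8.0.0        0.0.0.0         255.255.255.0   U     0      0        0 tun1
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 vlan2
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 vlan2
EOF

# Same table once the host route that OpenVPN failed to add is present.
{ cat "$SAMPLE_ROUTES"
  printf '%-16s%-16s%-16sUGH   0      0        0 vlan2\n' 35.232.0.68 192.168.1.1 255.255.255.255
} > "$SAMPLE_ROUTES_FIXED"

# Print every "/sbin/route add ..." command whose next openvpn line reports a failure.
failed_route_adds() {
    awk '/\/sbin\/route add / { cmd = $0; next }
         /ERROR: Linux route add command failed/ && cmd != "" {
             sub(/.*openvpn\[[0-9]+\]: /, "", cmd); print cmd }
         { cmd = "" }' "$1"
}

# Count warnings to fix before trusting the tunnel: no server-certificate
# verification (add "remote-cert-tls server" to the client config) and key files
# readable by other users (chmod 600 them).
security_warnings() {
    grep -c -E 'No server certificate verification method|is group or others accessible' "$1"
}

# True only if the handshake finished and every route add succeeded.
tunnel_healthy() {
    grep -q 'Initialization Sequence Completed' "$1" || return 1
    [ -z "$(failed_route_adds "$1")" ]
}

esc() { printf '%s' "$1" | sed 's/\./\\./g'; }

# Given a `route -n` listing, verify the three routes redirect-gateway def1 relies on:
# 0.0.0.0/1 and 128.0.0.0/1 via the tunnel gateway, plus a /32 to the VPN server via
# the pre-VPN gateway so the encrypted UDP packets themselves stay off the tunnel.
# Usage: def1_routes_present FILE VPN_GW SERVER_IP WAN_GW
def1_routes_present() {
    f=$1; vpn=$(esc "$2"); srv=$(esc "$3"); wan=$(esc "$4")
    grep -qE "^0\.0\.0\.0 +$vpn +128\.0\.0\.0 " "$f" &&
    grep -qE "^128\.0\.0\.0 +$vpn +128\.0\.0\.0 " "$f" &&
    grep -qE "^$srv +$wan +255\.255\.255\.255 " "$f"
}

# Human-readable summary. On a live router (paths are assumptions):
#   route -n > /tmp/routes.txt; report /tmp/var/log/messages /tmp/routes.txt
report() {
    log=$1; routes=$2
    printf 'failed route adds:\n%s\n' "$(failed_route_adds "$log")"
    printf 'security warnings: %s\n' "$(security_warnings "$log")"
    if tunnel_healthy "$log"; then echo "tunnel: healthy"; else echo "tunnel: NOT healthy"; fi
    if def1_routes_present "$routes" 10.8.0.1 35.232.0.68 192.168.1.1; then
        echo "def1 routes: complete"
    else
        echo "def1 routes: incomplete (check the /32 host route to the server)"
    fi
}

report "$SAMPLE_LOG" "$SAMPLE_ROUTES"
```

The two `def1` half-routes steer all traffic into the tunnel; without the /32 host route to the server via the original gateway, the script reports the def1 set as incomplete, which is the condition a practitioner should verify on the router before looking anywhere else.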