openvpn
nvr258852, 2018-04-19 16:12:54

ASUS RT-N10U router with DD-WRT firmware, which is configured as an OpenVPN client, "disappears" after trying to get an IP. What is the problem?

Good day!
There are two ASUS RT-N10U routers with DD-WRT v24-sp2 (03/25/13) vpn firmware.
One is configured as a server, the other as a client. Everything is done as part of the training task, so everything is within the local network.
Server IP 192.168.2.1/24, client IP 192.168.2.2/24
VPN distributes IP from subnet 10.8.0.0/24
Server settings:
OpenVPN Server/Daemon
OpenVPN: Enable
Start Type: WAN Up
Config as: Daemon
Additional Config:

push "route 192.168.2.0 255.255.255.0"
push "route 192.168.2.1 255.255.255.255"

server 10.8.0.0 255.255.255.0

dev tun0
proto tcp
keepalive 10 120
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem

comp-lzo

management localhost 16

Administration - Commands - Firewall:
iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT
iptables -I FORWARD 1 --source 192.168.2.0/24 -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT

Client settings: [screenshot of the DD-WRT OpenVPN client page]

The client configuration looks like this:
client
dev tun
proto tcp
remote 192.168.2.1 1194
resolv-retry infinite
nobind
persist-key
persist-tun

ca /tmp/openvpncl/ca.crt
cert /tmp/openvpncl/client.crt
key /tmp/openvpncl/client.key
ns-cert-type server

comp-lzo
verb 4

When the client starts, it disappears (neither 192.168.2.2 nor 10.8.0.6 can be connected to). On the client, I manage to observe the following in Status - OpenVPN:
State
Server: : Local Address: Remote Address: Client: AUTH: Local Address: Remote Address:

Log
20180419 19:02:36 Current Parameter Settings: 
20180419 19:02:36 config = '/tmp/openvpncl/openvpn.conf' 
20180419 19:02:36 mode = 0 
20180419 19:02:36 NOTE: --mute triggered... 
20180419 19:02:36 270 variation(s) on previous 3 message(s) suppressed by --mute 
20180419 19:02:36 I OpenVPN 2.3.0 mipsel-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Mar 25 2013 
20180419 19:02:36 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:16 
20180419 19:02:36 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts 
20180419 19:02:37 W WARNING: file '/tmp/openvpncl/client.key' is group or others accessible 
20180419 19:02:37 LZO compression initialized 
20180419 19:02:37 Control Channel MTU parms [ L:1540 D:140 EF:40 EB:0 ET:0 EL:0 ] 
20180419 19:02:37 Socket Buffers: R=[87380->131072] S=[16384->131072] 
20180419 19:02:37 Data Channel MTU parms [ L:1540 D:1450 EF:40 EB:135 ET:0 EL:0 AF:3/1 ] 
20180419 19:02:37 Local Options String: 'V4 dev-type tun link-mtu 1540 tun-mtu 1500 proto TCPv4_CLIENT comp-lzo cipher BF-CBC auth MD5 keysize 128 key-method 2 tls-client' 
20180419 19:02:37 Expected Remote Options String: 'V4 dev-type tun link-mtu 1540 tun-mtu 1500 proto TCPv4_SERVER comp-lzo cipher BF-CBC auth MD5 keysize 128 key-method 2 tls-server' 
20180419 19:02:37 Local Options hash (VER=V4): 'a4a8100a' 
20180419 19:02:37 Expected Remote Options hash (VER=V4): 'f457ea0a' 
20180419 19:02:37 I Attempting to establish TCP connection with [AF_INET]192.168.2.1:1194 [nonblock] 
20180419 19:02:38 I TCP connection established with [AF_INET]192.168.2.1:1194 
20180419 19:02:38 I TCPv4_CLIENT link local: [undef] 
20180419 19:02:38 I TCPv4_CLIENT link remote: [AF_INET]192.168.2.1:1194 
20180419 19:02:38 TLS: Initial packet from [AF_INET]192.168.2.1:1194 sid=a8835141 01ca3bb0 
20180419 19:02:39 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16 
20180419 19:02:39 D MANAGEMENT: CMD 'state' 
20180419 19:02:39 MANAGEMENT: Client disconnected 
20180419 19:02:39 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16 
20180419 19:02:39 D MANAGEMENT: CMD 'state' 
20180419 19:02:39 MANAGEMENT: Client disconnected 
20180419 19:02:39 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16 
20180419 19:02:39 D MANAGEMENT: CMD 'state' 
20180419 19:02:39 MANAGEMENT: Client disconnected 
20180419 19:02:39 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16 
20180419 19:02:39 D MANAGEMENT: CMD 'log 500' 
19700101 00:00:00

after that access is lost
On the server:
State
Server: : Local Address: Remote Address: Client: CONNECTED: SUCCESS Local Address: 10.8.0.1 Remote Address:

Log
20180419 19:01:47 I OpenVPN 2.3.0 mipsel-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Mar 25 2013 
20180419 19:01:47 W NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables 
20180419 19:01:51 I TUN/TAP device tun0 opened 
20180419 19:01:51 I do_ifconfig tt->ipv6=0 tt->did_ifconfig_ipv6_setup=0 
20180419 19:01:51 I /sbin/ifconfig tun0 10.8.0.1 pointopoint 10.8.0.2 mtu 1500 
20180419 19:01:51 W WARNING: External program may not be called unless '--script-security 2' or higher is enabled. Use '--script-security 3 system' for backward compatibility with 2.1_rc8 and earlier. See --help text or man page for detailed info. 
20180419 19:01:51 W WARNING: Failed running command (--route-up): external program fork failed 
20180419 19:01:51 I Listening for incoming TCP connection on [undef] 
20180419 19:01:51 I TCPv4_SERVER link local (bound): [undef] 
20180419 19:01:51 I TCPv4_SERVER link remote: [undef] 
20180419 19:01:51 I Initialization Sequence Completed 
20180419 19:02:46 I TCP connection established with [AF_INET]192.168.2.2:32835 
20180419 19:02:59 W 192.168.2.2:32835 WARNING: 'link-mtu' is used inconsistently local='link-mtu 1544' remote='link-mtu 1540' 
20180419 19:02:59 W 192.168.2.2:32835 WARNING: 'auth' is used inconsistently local='auth SHA1' remote='auth MD5' 
20180419 19:02:59 I 192.168.2.2:32835 [client1] Peer Connection Initiated with [AF_INET]192.168.2.2:32835 
20180419 19:02:59 I client1/192.168.2.2:32835 MULTI_sva: pool returned IPv4=10.8.0.6 IPv6=(Not enabled) 
20180419 19:03:01 I client1/192.168.2.2:32835 send_push_reply(): safe_cap=940 
19700101 00:00:00

cat /tmp/var/log/messages on the server:
Apr 19 19:01:10 DD-WRT user.debug syslog: ttraff: data collection started
Apr 19 19:01:43 DD-WRT user.info syslog: klogd : kernel log daemon successfully stopped
Apr 19 19:01:43 DD-WRT user.info syslog: ttraff : traffic counter daemon successfully stopped
Apr 19 19:01:43 DD-WRT user.info syslog: dnsmasq : dnsmasq daemon successfully stopped
Apr 19 19:01:43 DD-WRT user.info syslog: telnetd : telnet daemon successfully stopped
Apr 19 19:01:43 DD-WRT kern.notice kernel: klogd: exiting
Apr 19 19:01:45 DD-WRT user.info syslog: klogd : kernel log daemon successfully stopped
Apr 19 19:01:45 DD-WRT user.info syslog: syslogd : syslog daemon successfully stopped
Apr 19 19:01:45 DD-WRT user.info syslog: ttraff : traffic counter daemon successfully started
Apr 19 19:01:45 DD-WRT user.info syslog: telnetd : telnet daemon successfully started
Apr 19 19:01:45 DD-WRT user.info syslog: openvpn : OpenVPN daemon (Server) starting/restarting...
Apr 19 19:01:45 DD-WRT syslog.info syslogd exiting
Apr 19 19:01:45 DD-WRT syslog.info syslogd started: BusyBox v1.21.0
Apr 19 19:01:45 DD-WRT syslog.info syslogd started: BusyBox v1.21.0
Apr 19 19:01:45 DD-WRT kern.notice kernel: klogd started: BusyBox v1.21.0 (2013-03-25 02:54:18 CET)
Apr 19 19:01:45 DD-WRT user.info syslog: klogd : klog daemon successfully started
Apr 19 19:01:45 DD-WRT kern.notice kernel: klogd started: BusyBox v1.21.0 (2013-03-25 02:54:18 CET)
Apr 19 19:01:45 DD-WRT user.info syslog: klogd : klog daemon successfully started
Apr 19 19:01:47 DD-WRT daemon.notice openvpn[1339]: OpenVPN 2.3.0 mipsel-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Mar 25 2013
Apr 19 19:01:47 DD-WRT daemon.warn openvpn[1339]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Apr 19 19:01:51 DD-WRT daemon.notice openvpn[1339]: TUN/TAP device tun0 opened
Apr 19 19:01:51 DD-WRT daemon.notice openvpn[1339]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Apr 19 19:01:51 DD-WRT daemon.notice openvpn[1339]: /sbin/ifconfig tun0 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
Apr 19 19:01:51 DD-WRT daemon.warn openvpn[1339]: WARNING: External program may not be called unless '--script-security 2' or higher is enabled.  Use '--script-security 3 system' for backward compatibility with 2.1_rc8 and earlier.  See --help text or man page for detailed info.
Apr 19 19:01:51 DD-WRT daemon.warn openvpn[1339]: WARNING: Failed running command (--route-up): external program fork failed
Apr 19 19:01:51 DD-WRT daemon.notice openvpn[1575]: Listening for incoming TCP connection on [undef]
Apr 19 19:01:51 DD-WRT daemon.notice openvpn[1575]: TCPv4_SERVER link local (bound): [undef]
Apr 19 19:01:51 DD-WRT daemon.notice openvpn[1575]: TCPv4_SERVER link remote: [undef]
Apr 19 19:01:51 DD-WRT daemon.notice openvpn[1575]: Initialization Sequence Completed
Apr 19 19:02:46 DD-WRT daemon.notice openvpn[1575]: TCP connection established with [AF_INET]192.168.2.2:32835
Apr 19 19:02:59 DD-WRT daemon.warn openvpn[1575]: 192.168.2.2:32835 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1544', remote='link-mtu 1540'
Apr 19 19:02:59 DD-WRT daemon.warn openvpn[1575]: 192.168.2.2:32835 WARNING: 'auth' is used inconsistently, local='auth SHA1', remote='auth MD5'
Apr 19 19:02:59 DD-WRT daemon.notice openvpn[1575]: 192.168.2.2:32835 [client1] Peer Connection Initiated with [AF_INET]192.168.2.2:32835
Apr 19 19:02:59 DD-WRT daemon.notice openvpn[1575]: client1/192.168.2.2:32835 MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)
Apr 19 19:03:01 DD-WRT daemon.notice openvpn[1575]: client1/192.168.2.2:32835 send_push_reply(): safe_cap=940

I tried setting both SHA1 and MD5 on the client; the client with the same certificates and the same configuration successfully receives an IP and pings the router (10.8.0.1).

1 answer(s)
mureevms, 2018-04-19

Judging by the server log, the client connects successfully. It looks like the client is overwriting the default gateway, which is why it doesn't respond after establishing a connection to the OVPN server. Although it is strange that this parameter is not in the server config. I have not dealt with DD-WRT, but I assume that there are other default settings. Google in that direction. I.e., you need to force the server not to push the default gateway to the client.
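As an added example (written for this page; it is not code from the question, the answer, DD-WRT or OpenVPN), the script below runs over the log lines, configs and firewall rule quoted in the question and reports the three things a defender would check first on a ticket like this: the 'auth' and 'link-mtu' "is used inconsistently" warnings the server logged (OpenVPN 2.3 does not negotiate the --auth digest, so when the two ends disagree each side computes the data-channel HMAC differently even though the TLS handshake succeeds), whether the server pushes redirect-gateway and whether the client would apply it (the answer's suspicion), and whether the firewall rule for port 1194 matches the configured proto (the question's rule opens UDP while both configs say TCP). The route-nopull and pull-filter directives it looks for are real OpenVPN client options (pull-filter only exists from 2.4, so it would not help on the 2.3.0 build here). All sample input is copied from the question and marked as constructed; no live router is read.

```python
import re

# Constructed sample input: copied from the question above, not captured live.
CLIENT_LOG = """\
20180419 19:02:37 Local Options String: 'V4 dev-type tun link-mtu 1540 tun-mtu 1500 proto TCPv4_CLIENT comp-lzo cipher BF-CBC auth MD5 keysize 128 key-method 2 tls-client'
20180419 19:02:37 Expected Remote Options String: 'V4 dev-type tun link-mtu 1540 tun-mtu 1500 proto TCPv4_SERVER comp-lzo cipher BF-CBC auth MD5 keysize 128 key-method 2 tls-server'
"""
SERVER_LOG = """\
20180419 19:02:59 W 192.168.2.2:32835 WARNING: 'link-mtu' is used inconsistently local='link-mtu 1544' remote='link-mtu 1540'
20180419 19:02:59 W 192.168.2.2:32835 WARNING: 'auth' is used inconsistently local='auth SHA1' remote='auth MD5'
20180419 19:03:01 I client1/192.168.2.2:32835 send_push_reply(): safe_cap=940
"""
SERVER_CONFIG = """\
push "route 192.168.2.0 255.255.255.0"
push "route 192.168.2.1 255.255.255.255"
server 10.8.0.0 255.255.255.0
dev tun0
proto tcp
"""
CLIENT_CONFIG = """\
client
dev tun
proto tcp
remote 192.168.2.1 1194
"""
FIREWALL_RULES = """\
iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT
iptables -I FORWARD 1 --source 192.168.2.0/24 -j ACCEPT
"""

# Options that carry a value inside the OpenVPN options string; every other
# token (V4, comp-lzo, tls-client, tls-server) is a bare flag.
KEYED = {"dev-type", "link-mtu", "tun-mtu", "proto", "cipher", "auth",
         "keysize", "key-method"}
OPTIONS_RE = re.compile(r"(Local|Expected Remote) Options String: '([^']*)'")
# Matches both the DD-WRT status page form (no commas) and the syslog form.
INCONSISTENT_RE = re.compile(
    r"WARNING: '(?P<opt>[^']+)' is used inconsistently,? "
    r"local='(?P<local>[^']*)',? remote='(?P<remote>[^']*)'")


def parse_options(option_string):
    """Turn an OpenVPN options string into {option: value or True}."""
    tokens, parsed, i = option_string.split(), {}, 0
    while i < len(tokens):
        if tokens[i] in KEYED and i + 1 < len(tokens):
            parsed[tokens[i]] = tokens[i + 1]
            i += 2
        else:
            parsed[tokens[i]] = True
            i += 1
    return parsed


def option_strings(log):
    """Return {'local': {...}, 'expected': {...}} parsed from a log excerpt."""
    found = {}
    for kind, value in OPTIONS_RE.findall(log):
        found["local" if kind == "Local" else "expected"] = parse_options(value)
    return found


def find_inconsistencies(log):
    """List (option, local, remote) for each 'is used inconsistently' warning."""
    return [(m["opt"], m["local"], m["remote"]) for m in INCONSISTENT_RE.finditer(log)]


def directives(config):
    """Return (directive, arguments) pairs from an OpenVPN config, ignoring comments."""
    out = []
    for line in config.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            name, _, args = line.partition(" ")
            out.append((name, args.strip().strip('"')))
    return out


def gateway_risk(server_config, client_config):
    """Does the server push a default gateway, and would the client accept it?"""
    pushes = any(n == "push" and a.startswith("redirect-gateway")
                 for n, a in directives(server_config))
    ignores = any(n == "route-nopull" or (n == "pull-filter" and "redirect-gateway" in a)
                  for n, a in directives(client_config))
    return {"pushes_default_gateway": pushes, "client_ignores_pushed_routes": ignores}


def firewall_matches_proto(config, rules, port="1194"):
    """True if every iptables rule opening the OpenVPN port uses the config's proto."""
    proto = next((a for n, a in directives(config) if n == "proto"), "udp").rstrip("46")
    for rule in rules.splitlines():
        if f"--dport {port}" in rule:
            m = re.search(r"(?:^|\s)-p\s+(\S+)", rule)
            if not m or m.group(1) != proto:
                return False
    return True


def diagnose(client_log, server_log, server_config, client_config, rules):
    """Collect the findings worth raising before touching the router."""
    findings = [f"option mismatch on {opt}: server {local!r}, client {remote!r}"
                for opt, local, remote in find_inconsistencies(server_log)]
    risk = gateway_risk(server_config, client_config)
    if risk["pushes_default_gateway"] and not risk["client_ignores_pushed_routes"]:
        findings.append("server pushes redirect-gateway and the client will apply it")
    if not firewall_matches_proto(server_config, rules):
        findings.append("firewall rule for port 1194 does not match the configured proto")
    return findings


if __name__ == "__main__":
    print("client expects server options:", option_strings(CLIENT_LOG)["expected"])
    for finding in diagnose(CLIENT_LOG, SERVER_LOG, SERVER_CONFIG, CLIENT_CONFIG, FIREWALL_RULES):
        print("-", finding)
```

On the question's input the script reports the link-mtu and auth mismatches and the UDP/TCP firewall discrepancy, and no redirect-gateway push, which matches the answer's remark that the directive is absent from the visible server config; if DD-WRT's GUI adds it behind the scenes, the same check run on the effective /tmp/openvpn/openvpn.conf would show it.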
