Please help with connection issue dd-wrt OpenVPN

okashira

I set up OpenVPN per this guide:
http://www.dslreports.com/shownews/OpenVPN-on-DDWRT-A-Secure-Connection-To-Home-Networks-128133

I followed it to a "T" and am trying to connect via the Android client.
I used a TLS auth key and have it in the server config and in the phone config.


My issue is that I get this error (per the log):

Code:
Transport Error: TCP connect error on 'xxxxx.duckdns.org:1194' (xxx.xxx.xxx.xxx:1194): Connection refused
Here are my firewall commands:
https://www.dropbox.com/s/j5lr6pt7hwveadc/222.PNG
And my OpenVPN config on the router:
https://www.dropbox.com/s/eyww3eva0wbl879/111.PNG
And the .ovpn profile used to import to android client:
Code:
client
dev tun0
proto tcp
remote xxxxxx.duckdns.org 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert ClientCert1.crt
key ClientCert1.key
ns-cert-type server
tls-auth ta.key 1
comp-lzo
verb 5
And finally the OpenVPN Additional config on the router:
Code:
push "route 192.168.1.0 255.255.255.0"
server 10.8.0.0 255.255.255.0
dev tun0
proto udp
keepalive 10 120
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
tls-auth ta.key 0
# Only use crl-verify if you are using the revoke list - otherwise leave it commented out
# crl-verify /tmp/openvpn/ca.crl
# management parameter allows DD-WRT's OpenVPN Status web page to access the server's management port
# port must be 5001 for scripts embedded in firmware to work
management localhost 16
I think the issue must be in my routing or subnet settings, but I am clueless in this area. My router IP is 192.168.1.1. I get the "connection refused" error immediately, and it happens whether I'm on Wi-Fi on the same network and also when I'm on cellular data.
 
At first glance I can see you have the client configured to use TCP ("proto tcp") and the server configured to use UDP ("proto udp"). You need both ends to match their protocol.
 
Thanks for having a look. I did notice that, and I must have copied the wrong profile file when I posted the thread.

I have tried several combinations of port and protocol. I have tried both UDP and TCP on 1194, 10999 and 64379, and all give the "connection refused" error.

Any ideas? :-(
 
http://hardforum.com/showpost.php?p=1040195601&postcount=2

Rules (OpenWRT)

iptables -I INPUT -i tun+ -j ACCEPT
iptables -I FORWARD -i tun+ -j ACCEPT
iptables -I OUTPUT -o tun+ -j ACCEPT
iptables -I FORWARD -o tun+ -j ACCEPT

..and open up port X on your server

//Danne

Thanks , I will look over that thread and add those commands.

For some reason, mine is set to "tun0" and not "tun" in some areas. I don't know the difference.

I am also confused by the duplicate information in the DD-WRT interface. For example, you can set the protocol to UDP via a radio button, but then in "additional configuration" you can set "proto udp/tcp". Why set it in two places?

I also don't understand this:
You say in your example you use 19.1.168.1 and 192.168.2 for network and VPN,
but then there's this command; what is the 10.0.10.0?!?!?
server 10.0.10.0 255.255.255.0
 
Those commands are pretty different from those suggested in the dslreports guide.

If I add those, I'll have a total of 9 iptables commands........
 
I added your firewall commands, and I also changed my "server" and route commands to match what you had in your post.
I also changed everything to UDP (server additional config, DD-WRT toggle and client config).

No dice. It says "server poll timeout, trying next remote entry" and keeps trying to connect over and over.
 
Open up UDP port X on your server,
X being whatever you set in the OpenVPN server conf.
//Danne
 
Here are my firewall commands:
https://www.dropbox.com/s/j5lr6pt7hwveadc/222.PNG
(before I added your commands)


Last night, I tried someone else's suggestion to remove the TLS auth key and all references to it. After I did that I got a connection for the first time ever.
Now there is some kind of network problem. I couldn't access anything. I'll look into it some more.
 
I am getting connects since removing the tls-auth key, but I am not getting any useful connection. I can't connect to my router IP (192.168.1.1) or mount SMB shares.

I have tried every combination possible I can on the router and server commands, but I am just doing trial and error at this point.

I even removed ALL firewall commands, even the one opening UDP 1194, and the connection is occurring just fine according to the Android client. lol

Here is where I am at now:

Server addl config:
Code:
server 10.0.10.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
route 192.168.2.0 255.255.255.0 10.0.10.2
dev tun
proto udp
keepalive 10 120
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
#tls-auth ta.key 0
# Only use crl-verify if you are using the revoke list - otherwise leave it commented out
# crl-verify /tmp/openvpn/ca.crl
# management parameter allows DD-WRT's OpenVPN Status web page to access the server's management port
# port must be 5001 for scripts embedded in firmware to work
management localhost 16
Firewall commands:
Code:
iptables -I INPUT 1 -p tcp --dport 1194 -j ACCEPT
iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT
iptables -I FORWARD 1 --source 192.168.2.0/24 -j ACCEPT
iptables -I INPUT -i tun+ -j ACCEPT
iptables -I FORWARD -i tun+ -j ACCEPT
iptables -I OUTPUT -o tun+ -j ACCEPT
iptables -I FORWARD -o tun+ -j ACCEPT
iptables -I FORWARD -i br0 -o tun -j ACCEPT
iptables -I FORWARD -i tun -o br0 -j ACCEPT
iptables -I FORWARD 1 --source 10.0.10.0/24 -j ACCEPT
Recent representative server log (pulled from the DD-WRT status interface):
Code:
20140520 22:33:43 W 107.107.188.191:8017 WARNING: normally if you use --mssfix and/or --fragment you should also set --tun-mtu 1500 (currently it is 1400)
20140520 22:33:43 107.107.188.191:8017 TLS: Initial packet from [AF_INET]107.107.188.191:8017 sid=18d874b7 da7e4b5d
20140520 22:33:44 107.107.188.191:8017 VERIFY OK: depth=1 C=US ST=XX L=MYCITY O=OpenVPN OU=OU1 CN=xxxxxxxxxxx name=JON emailAddress=MYEMAIL@EMAIL
20140520 22:33:44 107.107.188.191:8017 VERIFY OK: depth=0 C=US ST=XX L=MYCITY O=OpenVPN OU=OU1 CN=xxxxxxxxxxx name=JON emailAddress=MYEMAIL@EMAIL
20140520 22:33:44 W 107.107.188.191:8017 WARNING: 'link-mtu' is used inconsistently local='link-mtu 1470' remote='link-mtu 1542'
20140520 22:33:44 W 107.107.188.191:8017 WARNING: 'tun-mtu' is used inconsistently local='tun-mtu 1400' remote='tun-mtu 1500'
20140520 22:33:44 W 107.107.188.191:8017 WARNING: 'cipher' is used inconsistently local='cipher AES-192-CBC' remote='cipher BF-CBC'
20140520 22:33:44 W 107.107.188.191:8017 WARNING: 'auth' is used inconsistently local='auth SHA256' remote='auth SHA1'
20140520 22:33:44 W 107.107.188.191:8017 WARNING: 'keysize' is used inconsistently local='keysize 192' remote='keysize 128'
20140520 22:33:44 107.107.188.191:8017 Data Channel Encrypt: Cipher 'AES-192-CBC' initialized with 192 bit key
20140520 22:33:44 107.107.188.191:8017 Data Channel Encrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
20140520 22:33:44 107.107.188.191:8017 Data Channel Decrypt: Cipher 'AES-192-CBC' initialized with 192 bit key
20140520 22:33:44 107.107.188.191:8017 NOTE: --mute triggered...
20140520 22:33:44 107.107.188.191:8017 2 variation(s) on previous 3 message(s) suppressed by --mute
20140520 22:33:44 I 107.107.188.191:8017 [xxxxxxxxxxx] Peer Connection Initiated with [AF_INET]107.107.188.191:8017
20140520 22:33:44 MULTI: new connection by client 'xxxxxxxxxxx' will cause previous active sessions by this client to be dropped. Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
20140520 22:33:44 I MULTI_sva: pool returned IPv4=10.0.10.2 IPv6=(Not enabled)
20140520 22:33:44 MULTI: Learn: 10.0.10.2 -> xxxxxxxxxxx/107.107.188.191:8017
20140520 22:33:44 MULTI: primary virtual IP for xxxxxxxxxxx/107.107.188.191:8017: 10.0.10.2
20140520 22:33:45 xxxxxxxxxxx/107.107.188.191:8017 PUSH: Received control message: 'PUSH_REQUEST'
20140520 22:33:45 I xxxxxxxxxxx/107.107.188.191:8017 send_push_reply(): safe_cap=940
20140520 22:33:45 xxxxxxxxxxx/107.107.188.191:8017 SENT CONTROL [xxxxxxxxxxx]: 'PUSH_REPLY route 192.168.1.0 255.255.255.0 route-gateway 10.0.10.1 topology subnet ping 10 ping-restart 120 ifconfig 10.0.10.2 255.255.255.0' (status=1)
20140520 22:33:46 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20140520 22:33:46 D MANAGEMENT: CMD 'state'
20140520 22:33:46 MANAGEMENT: Client disconnected
20140520 22:33:46 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20140520 22:33:46 D MANAGEMENT: CMD 'state'
20140520 22:33:46 MANAGEMENT: Client disconnected
20140520 22:33:46 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20140520 22:33:46 D MANAGEMENT: CMD 'state'
20140520 22:33:46 MANAGEMENT: Client disconnected
20140520 22:33:46 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20140520 22:33:46 D MANAGEMENT: CMD 'log 500'
20140520 22:33:46 MANAGEMENT: Client disconnected
20140520 22:33:55 N xxxxxxxxxxx/107.107.188.191:8017 Authenticate/Decrypt packet error: packet HMAC authentication failed
20140520 22:34:05 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20140520 22:34:05 D MANAGEMENT: CMD 'state'
20140520 22:34:05 MANAGEMENT: Client disconnected
20140520 22:34:05 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20140520 22:34:05 D MANAGEMENT: CMD 'state'
20140520 22:34:05 MANAGEMENT: Client disconnected
20140520 22:34:05 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20140520 22:34:05 D MANAGEMENT: CMD 'state'
20140520 22:34:05 MANAGEMENT: Client disconnected
20140520 22:34:05 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20140520 22:34:05 D MANAGEMENT: CMD 'log 500'
19700101 00:00:00
 
OK, I'm not doing anything, and the OpenVPN server log always spams this (I'm not trying to connect):

Code:
20140520 22:52:09 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16 
20140520 22:52:09 D MANAGEMENT: CMD 'state' 
20140520 22:52:09 MANAGEMENT: Client disconnected 
20140520 22:52:09 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16 
20140520 22:52:09 D MANAGEMENT: CMD 'state' 
20140520 22:52:09 MANAGEMENT: Client disconnected 
20140520 22:52:09 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16 
20140520 22:52:09 D MANAGEMENT: CMD 'state' 
20140520 22:52:09 MANAGEMENT: Client disconnected 
20140520 22:52:09 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16 
20140520 22:52:09 D MANAGEMENT: CMD 'log 500' 
20140520 22:52:09 MANAGEMENT: Client disconnected 
20140520 22:52:28 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16 
20140520 22:52:28 D MANAGEMENT: CMD 'state' 
20140520 22:52:28 MANAGEMENT: Client disconnected 
20140520 22:52:28 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16 
20140520 22:52:28 D MANAGEMENT: CMD 'state' 
20140520 22:52:28 MANAGEMENT: Client disconnected 
20140520 22:52:28 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16 
20140520 22:52:28 D MANAGEMENT: CMD 'state' 
20140520 22:52:28 MANAGEMENT: Client disconnected 
20140520 22:52:28 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16 
20140520 22:52:28 D MANAGEMENT: CMD 'log 500' 
20140520 22:52:28 MANAGEMENT: Client disconnected 
20140520 22:52:32 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16 
20140520 22:52:32 D MANAGEMENT: CMD 'state' 
20140520 22:52:32 MANAGEMENT: Client disconnected 
20140520 22:52:32 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16 
20140520 22:52:32 D MANAGEMENT: CMD 'state' 
20140520 22:52:32 MANAGEMENT: Client disconnected 
20140520 22:52:32 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16 
20140520 22:52:32 D MANAGEMENT: CMD 'state' 
20140520 22:52:32 MANAGEMENT: Client disconnected 
20140520 22:52:32 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16 
20140520 22:52:32 D MANAGEMENT: CMD 'log 500' 
20140520 22:52:32 MANAGEMENT: Client disconnected 
20140520 22:52:34 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16 
20140520 22:52:34 D MANAGEMENT: CMD 'state' 
20140520 22:52:34 MANAGEMENT: Client disconnected 
20140520 22:52:34 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16 
20140520 22:52:34 D MANAGEMENT: CMD 'state' 
20140520 22:52:34 MANAGEMENT: Client disconnected 
20140520 22:52:34 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16 
20140520 22:52:34 D MANAGEMENT: CMD 'state' 
20140520 22:52:34 MANAGEMENT: Client disconnected 
20140520 22:52:34 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16 
20140520 22:52:34 D MANAGEMENT: CMD 'log 500' 
20140520 22:52:34 MANAGEMENT: Client disconnected 
20140520 22:52:36 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16 
20140520 22:52:36 D MANAGEMENT: CMD 'state' 
20140520 22:52:36 MANAGEMENT: Client disconnected 
20140520 22:52:36 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16 
20140520 22:52:36 D MANAGEMENT: CMD 'state' 
20140520 22:52:36 MANAGEMENT: Client disconnected 
20140520 22:52:36 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16 
20140520 22:52:36 D MANAGEMENT: CMD 'state' 
20140520 22:52:36 MANAGEMENT: Client disconnected 
20140520 22:52:36 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16 
20140520 22:52:36 D MANAGEMENT: CMD 'log 500' 
19700101 00:00:00
 
It looks very odd that it connects to localhost. I have no idea how DD-WRT is configured with OpenVPN, but that certainly looks broken.
//Danne
 
Well, despite a number of configuration mismatches, you're actually getting the tunnel to establish. The problem is that the HMAC authentication is failing, as indicated towards the end of your log file. This is probably because you disabled the tls-auth on the server but not on the client.

If it were me, I would switch everything to TCP since you're going to be using OpenVPN over a myriad of unreliable networks with varying requirements for MTU. TCP will be more reliable in this situation, albeit at the cost of some performance.
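The diagnosis in the reply above (option mismatch warnings plus a post-handshake HMAC failure) can be pulled out of a DD-WRT log mechanically. The following Python is an added example written for this page; it is not code from the thread, from DD-WRT or from OpenVPN. The log lines embedded in it are constructed to mirror the ones posted earlier, with a placeholder address (203.0.113.5) and client name (client1):

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in DD-WRT's "YYYYMMDD HH:MM:SS [flag] peer message" layout,
# modelled on the log posted in this thread; address and CN are placeholders.
SAMPLE_LOG = """\
20140520 22:33:44 W 203.0.113.5:8017 WARNING: 'link-mtu' is used inconsistently local='link-mtu 1470' remote='link-mtu 1542'
20140520 22:33:44 W 203.0.113.5:8017 WARNING: 'tun-mtu' is used inconsistently local='tun-mtu 1400' remote='tun-mtu 1500'
20140520 22:33:44 W 203.0.113.5:8017 WARNING: 'cipher' is used inconsistently local='cipher AES-192-CBC' remote='cipher BF-CBC'
20140520 22:33:44 W 203.0.113.5:8017 WARNING: 'auth' is used inconsistently local='auth SHA256' remote='auth SHA1'
20140520 22:33:44 I 203.0.113.5:8017 [client1] Peer Connection Initiated with [AF_INET]203.0.113.5:8017
20140520 22:33:55 N client1/203.0.113.5:8017 Authenticate/Decrypt packet error: packet HMAC authentication failed
20140520 22:34:05 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
"""

INCONSISTENT_RE = re.compile(
    r"WARNING: '(?P<opt>[\w-]+)' is used inconsistently "
    r"local='(?P<local>[^']*)' remote='(?P<remote>[^']*)'"
)
HMAC_RE = re.compile(r"packet HMAC authentication failed")
CONNECTED_RE = re.compile(r"Peer Connection Initiated")

# Options both ends must agree on for data packets to decrypt and
# authenticate at all; the MTU ones only cost throughput (fragmentation).
FATAL_OPTS = {"cipher", "auth", "keysize", "comp-lzo", "proto"}


def parse_mismatches(log: str) -> Dict[str, Tuple[str, str]]:
    """Return {option: (local_value, remote_value)} for every
    "is used inconsistently" warning in the log."""
    found: Dict[str, Tuple[str, str]] = {}
    for line in log.splitlines():
        m = INCONSISTENT_RE.search(line)
        if m:
            # OpenVPN repeats the option name inside the quoted value
            # ("cipher AES-192-CBC"); keep only the value part.
            local = m.group("local").split(" ", 1)[-1]
            remote = m.group("remote").split(" ", 1)[-1]
            found[m.group("opt")] = (local, remote)
    return found


def triage(log: str) -> List[str]:
    """Summarise the log as a list of findings, most serious first."""
    lines = log.splitlines()
    findings: List[str] = []
    connected = any(CONNECTED_RE.search(line) for line in lines)
    hmac_failed = any(HMAC_RE.search(line) for line in lines)
    if connected and hmac_failed:
        findings.append(
            "TLS handshake completed but data packets fail HMAC: the two ends "
            "disagree on the data-channel digest or key (an 'auth' mismatch "
            "does exactly this; also confirm tls-auth is set the same way on both ends)."
        )
    elif hmac_failed:
        findings.append("HMAC failures with no session established: check that "
                        "tls-auth is present on both ends with key-direction 0/1.")
    for opt, (local, remote) in parse_mismatches(log).items():
        severity = "FATAL" if opt in FATAL_OPTS else "warn"
        findings.append(f"{severity}: '{opt}' local={local} remote={remote}; "
                        "set it explicitly on both ends.")
    if not findings:
        findings.append("No option mismatches or HMAC failures found.")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Feed it the "log 500" output from the DD-WRT status page (or /tmp/openvpn/openvpn.log) instead of the constructed sample; the MANAGEMENT chatter from 127.0.0.1 is ignored, which is what makes the real findings easy to see in a log that is otherwise mostly status polling.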
 
Thanks for the post.
I'm going to generate new certs and profiles again, switch to TCP and give it another go. I'll post again.
To disable TLS, I can just comment out the line in the .ovpn client file, right?
Once I get my new setup again, I'll make a meticulous post showing all of my configs, and it would be very helpful if you pointed out any mismatches. :)
 
Yes, quite possibly you could just comment out the tls-auth line in the client config and it would work as it is.

The mismatches are enumerated in your log file that you posted:
Code:
20140520 22:33:44 W 107.107.188.191:8017 WARNING: 'link-mtu' is used inconsistently local='link-mtu 1470' remote='link-mtu 1542'
20140520 22:33:44 W 107.107.188.191:8017 WARNING: 'tun-mtu' is used inconsistently local='tun-mtu 1400' remote='tun-mtu 1500'
20140520 22:33:44 W 107.107.188.191:8017 WARNING: 'cipher' is used inconsistently local='cipher AES-192-CBC' remote='cipher BF-CBC'
20140520 22:33:44 W 107.107.188.191:8017 WARNING: 'auth' is used inconsistently local='auth SHA256' remote='auth SHA1'
20140520 22:33:44 W 107.107.188.191:8017 WARNING: 'keysize' is used inconsistently local='keysize 192' remote='keysize 128'
20140520 22:33:44 107.107.188.191:8017 Data Channel Encrypt: Cipher 'AES-192-CBC' initialized with 192 bit key

This arises because you have not specified these parameters explicitly and the defaults appear to be different on your server/client.
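Every mismatch raised in this thread (the proto mismatch from the first reply, and the cipher/auth defaults from this one) is visible by comparing the two config files before ever connecting. The following Python is an added example written for this page, not code from the thread, from DD-WRT or from OpenVPN. The two config pairs inside it are reconstructed from the server "additional config" and the .ovpn posted at the top of the thread (the hostname is a placeholder), plus a corrected version of the same pair; it checks proto, port, tun/tap type, tls-auth presence and key direction, comp-lzo, and whether cipher and auth are pinned on both ends:

```python
from typing import Dict, List, Optional

# Reconstructed from the configs posted at the top of this thread
# (hostname is a placeholder); the first pair is as posted.
SERVER_AS_POSTED = """\
push "route 192.168.1.0 255.255.255.0"
server 10.8.0.0 255.255.255.0
dev tun0
proto udp
keepalive 10 120
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
tls-auth ta.key 0
# crl-verify /tmp/openvpn/ca.crl
"""
CLIENT_AS_POSTED = """\
client
dev tun0
proto tcp
remote vpn.example.invalid 1194
ca ca.crt
cert ClientCert1.crt
key ClientCert1.key
ns-cert-type server
tls-auth ta.key 1
comp-lzo
"""
# Same pair with proto, compression and the data channel pinned on both ends.
SERVER_FIXED = SERVER_AS_POSTED + "comp-lzo\ncipher AES-256-CBC\nauth SHA256\n"
CLIENT_FIXED = CLIENT_AS_POSTED.replace("proto tcp", "proto udp") + "cipher AES-256-CBC\nauth SHA256\n"


def parse_config(text: str) -> Dict[str, List[str]]:
    """Map each directive to its argument list, dropping comments and blank lines.
    Only the first occurrence of a directive is kept; quoted arguments such as
    push "route ..." are left as raw tokens because they are not compared here."""
    opts: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            opts.setdefault(parts[0], parts[1:])
    return opts


def _proto(opts: Dict[str, List[str]]) -> str:
    """Normalise proto so tcp-server / tcp-client compare equal to tcp."""
    proto = opts.get("proto", ["udp"])[0].lower()
    return proto.replace("-server", "").replace("-client", "")


def check(server_text: str, client_text: str) -> List[str]:
    """Return the mismatches between a server config and a client .ovpn;
    an empty list means both ends agree on everything checked."""
    s, c = parse_config(server_text), parse_config(client_text)
    issues: List[str] = []
    # 1. Transport: a TCP client against a UDP server gets "connection refused".
    if _proto(s) != _proto(c):
        issues.append(f"proto: server={_proto(s)} client={_proto(c)}")
    # 2. Server 'port N' (default 1194) versus the client's 'remote host N'.
    server_port = s.get("port", ["1194"])[0]
    remote = c.get("remote", [])
    client_port = remote[1] if len(remote) > 1 else "1194"
    if server_port != client_port:
        issues.append(f"port: server listens on {server_port}, client targets {client_port}")
    # 3. 'tun0' and 'tun' are the same device type; tun versus tap is not.
    if s.get("dev", ["tun"])[0][:3] != c.get("dev", ["tun"])[0][:3]:
        issues.append("dev: tun/tap type differs between server and client")
    # 4. tls-auth on both ends or neither, with key direction 0 (server) / 1 (client)
    #    or no direction on either.
    s_ta, c_ta = s.get("tls-auth"), c.get("tls-auth")
    if (s_ta is None) != (c_ta is None):
        issues.append("tls-auth: configured on one end only")
    elif s_ta is not None and c_ta is not None:
        s_dir: Optional[str] = s_ta[1] if len(s_ta) > 1 else None
        c_dir: Optional[str] = c_ta[1] if len(c_ta) > 1 else None
        if {s_dir, c_dir} not in ({"0", "1"}, {None}):
            issues.append(f"tls-auth key-direction: server={s_dir} client={c_dir}; "
                          "use 0 on the server and 1 on the client")
    # 5. Compression on both ends or neither.
    if ("comp-lzo" in s) != ("comp-lzo" in c):
        issues.append("comp-lzo: enabled on one end only")
    # 6. Pin cipher and auth explicitly; build defaults differ (the log in this
    #    thread shows AES-192-CBC/SHA256 on one end and BF-CBC/SHA1 on the other).
    for opt in ("cipher", "auth"):
        s_val, c_val = s.get(opt), c.get(opt)
        if s_val is None or c_val is None:
            issues.append(f"{opt}: not set explicitly on both ends")
        elif s_val[0].upper() != c_val[0].upper():
            issues.append(f"{opt}: server={s_val[0]} client={c_val[0]}")
    return issues


if __name__ == "__main__":
    for issue in check(SERVER_AS_POSTED, CLIENT_AS_POSTED):
        print(issue)
    print("corrected pair:", check(SERVER_FIXED, CLIENT_FIXED) or "no mismatches")
```

On DD-WRT the "additional config" box is only part of the effective server config (the radio buttons for protocol and port are rendered into the same file), so paste the generated file from /tmp/openvpn/openvpn.conf rather than the box contents when you run the check; a directive that appears both in the GUI and in the box is exactly the duplication asked about earlier in the thread, and the first occurrence is the one this parser keeps.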
 