Some specific questions on OpenVPN setup

WannaTheater

Young grasshopper
Joined
Aug 18, 2018
Messages
48
Reaction score
19
Location
Florida
My first shot at setting up a VPN, and I feel like I have been spinning my wheels for the last day and a half.
I read the VPN primer (at least half of it :)), and have googled excessively, but can't seem to get the iPhone to connect. I think I am close.

Here is my situation:

1) I have a cable provider, with their provided Arris modem. It is configured as RoutedWithNAT. (Wireless is off). I do not have a static IP address, but I believe it rarely changes. For this initial test config, I have been using my WAN address from WhatIsMyIP.com. Once working I will go through DynDNS.

2) I have a TP-Link router, running DD-WRT, with OpenVPN installed. I installed OpenVPN on my BlueIris PC to generate the required CA, server and client keys, and client configuration (for an iPhone). I've transferred the required files to the iPhone through iTunes (ca.crt, client config, and client key and crt).
This was a PITA to configure, as many of the online guides are outdated, there are bugs in the firmware, etc. I finally got it running (although there are a few warnings in the router syslog).

At one point, I set the MODEM to BRIDGED, and was able to connect from the iPhone (VPN lights up). Everything worked as it should!!!.... but then I realized the iPhone had WIFI ON.... when I turned it off and connected through the cell provider, I could no longer connect. I even tried turning the firewall off on the MODEM.

Now, with the MODEM back to RoutedWithNAT and the firewall on:

On the client log, I am getting the following:
2018-09-24 10:55:06 Transport Error: TCP connect error on 'xx.xxx.xxx.xxx:1194' ([xx.xxx.xxx.xxx]:1194/TCP): SYSTEM/Connection refused
2018-09-24 10:55:06 Client terminated, restarting in 2000 ms...
2018-09-24 10:55:08 EVENT: RECONNECTING
2018-09-24 10:55:08 EVENT: RESOLVE
2018-09-24 10:55:08 Contacting [xx.xxx.xxx.xxx]:1194/TCP via TCP
2018-09-24 10:55:08 EVENT: WAIT

On the Router syslog (with warnings):
Sep 24 16:03:46 CypressRouter daemon.warn openvpn[1188]: NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes t
Sep 24 16:03:46 CypressRouter daemon.warn openvpn[1188]: NOTE: starting with OpenVPN 2.1, '--script-security 2' or higher is required to call user-defined scripts or executables
Sep 24 16:03:46 CypressRouter daemon.notice openvpn[1188]: TUN/TAP device tun0 opened
Sep 24 16:03:46 CypressRouter daemon.notice openvpn[1188]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Sep 24 16:03:46 CypressRouter daemon.notice openvpn[1188]: /sbin/ifconfig tun0 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
Sep 24 16:03:46 CypressRouter daemon.warn openvpn[1188]: WARNING: External program may not be called unless '--script-security 2' or higher is enabled. See --help text or man page for detailed info.
Sep 24 16:03:46 CypressRouter daemon.warn openvpn[1188]: WARNING: Failed running command (--route-up): external program fork failed
Sep 24 16:03:46 CypressRouter daemon.notice openvpn[1188]: Listening for incoming TCP connection on [AF_INET][undef]:1194
Sep 24 16:03:46 CypressRouter daemon.notice openvpn[1188]: TCPv4_SERVER link local (bound): [AF_INET][undef]:1194
Sep 24 16:03:46 CypressRouter daemon.notice openvpn[1188]: TCPv4_SERVER link remote: [AF_UNSPEC]
Sep 24 16:03:46 CypressRouter daemon.notice openvpn[1188]: Initialization Sequence Completed


Question:
1) With my setup, should the Modem be put into BRIDGED mode, or left running as RoutedWithNAT?
2) If in bridged mode, do I need to make changes to the MODEM firewall?
3) I have NTP set on Router, with Time Zone set as US/EASTERN. But Server IP/Name is blank.

Any other suggestions?

Thank you!
 

SouthernYankee

IPCT Contributor
Joined
Feb 15, 2018
Messages
5,170
Reaction score
5,320
Location
Houston Tx
Do not test the VPN using the phone and your cell provider. A lot of cell services have problems with the VPN. Start by connecting to the VPN from work or from a remote WiFi. Test the VPN using WiFi or a connected wired network.

I use Comcast as my Internet provider. I use an Arris router/modem with an Asus router. The Arris modem is in bridge mode.
 

WannaTheater

Switched back to bridged, and have the same issue. I can connect while on my own LAN, but not from a remote LAN.

Log from the iPhone while on remote WiFi:
2018-09-24 14:38:08 ----- OpenVPN Start ----- OpenVPN core 3.2 ios arm64 64-bit PT_PROXY built on Sep 4 2018 09:41:09
.....
2018-09-24 14:38:08 EVENT: RESOLVE
2018-09-24 14:38:08 Contacting [XX.XXX.XXX.XXX]:1194/TCP via TCP
2018-09-24 14:38:08 EVENT: WAIT
2018-09-24 14:38:19 Server poll timeout, trying next remote entry...

Part of me is thinking this is a problem with my router and DD-WRT, which is showing the following:
20180924 14:30:12 W WARNING: Failed running command (--route-up): external program fork failed
 

atmelton

Young grasshopper
Joined
Dec 17, 2014
Messages
45
Reaction score
7
@WannaTheater It sounds like your cable modem is blocking the incoming connection on the WAN. Try logging into it and see if there are any port forwarding rules. If so forward port 1194 to your VPN server.
 

WannaTheater

I tried to set up port forwarding, but the modem config is telling me "Invalid IP address." I tried to forward to the 192.x address of the router, and even the 10.x address (local address of the VPN server).

I guess I am confused on how bridging works:
1) The WAN side of the MODEM has an IP address assigned by my ISP. I can ping this from my iPhone when connected to the cellular network (... when I don't block PING in the modem config). I cannot disable DHCP, as the MODEM states I have to configure a static IP address first... and there is no place I can find to do this.
2) The WAN side of the ROUTER also has an IP address assigned by my ISP, which is different than the address in (1). This address is what is showing as my public IP address. I can ping this address also when connected to cellular (... when I don't block PING in the router config).

My OpenVPN config for the iPhone references the WAN address from #2.
 

SouthernYankee

The Arris modem is in bridge mode. It should not do any routing.
What is the Arris model number?
LAN setup: DHCP off
Enable DNS override: off
DNS relay: off
NAT mode: bridge
Enable UPnP: off

Wireless off for both 2.4 and 5 GHz

DynDNS should give you the public IP address of your network connection, which is provided by your internet provider.

It should be displayed on the WAN setup tab.

Provide screen shots of the Arris modem settings.
 

WannaTheater

Correct, I am looking to accomplish a bridged modem, connected to a single router running DD-WRT (and hosting OpenVPN).

Answers to questions:
The Arris modem is in bridge mode. It should not do any routing.
- Correct. Once in bridge mode, you cannot access the standard admin interface at 192.168.0.1... there is another address to get to it.

What is the Arris model number?
- Arris TG1682G

LAN setup: DHCP off
- Yes. On the WAN tab, I could NOT disable DHCP. But I could on the LAN tab. I left the LAN IP address setting at its default (192.168.0.1).

Enable DNS override: off
- Yes.

DNS relay: off
- Yes.

NAT mode: bridge
- Yes.

Enable UPnP: off
- It was NOT. But I just unchecked it, hence disabling UPnP.

Wireless off for both 2.4 and 5 GHz
- Correct. The router handles wireless.

DynDNS should give you the public IP address of your network connection, which is provided by your internet provider.
- I do not have DynDNS set up yet. For this test, I am using my public IP address (from several sources; my favorite is www.ipmonkey.com). This is the same as my ROUTER WAN IP address.

It should be displayed on the WAN setup tab.
- The IP address showing on the WAN tab on the MODEM is not the same as the IP address showing on the WAN tab on the ROUTER. The WAN tab on my MODEM shows me an IP address that is different than my public IP address.

Did you enable VPN Passthrough on the DD-WRT router?
- Yes.

Additional Questions:
Do any ports need to be opened up on the router?
When I use an Open Port Check Tool to check 1194 on my public IP address, the response is "Error: I could not see your service on xxx.xxx.xxx.xxx on port (1194)".

Thanks for helping.
 

SouthernYankee

Why do you have OpenVPN on the BI PC?
Is OpenVPN on the router?
Where is the client.ovpn file created?
 

WannaTheater

Why do you have OpenVPN on the BI PC?
- It is not running. I only installed it there to use the utilities to create the required certs/keys, etc., that need to be loaded into the router. I could have done this on any PC.

Is OpenVPN on the router?
- Yes.. Started and running. Here is what the log looks like:
Server log:
20180924 19:56:39 I OpenVPN 2.4.5 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Apr 6 2018
20180924 19:56:39 I library versions: OpenSSL 1.1.0h 27 Mar 2018 LZO 2.09
20180924 19:56:39 W NOTE: starting with OpenVPN 2.1 '--script-security 2' or higher is required to call user-defined scripts or executables
20180924 19:56:39 I TUN/TAP device tun0 opened
20180924 19:56:39 D do_ifconfig tt->did_ifconfig_ipv6_setup=0
20180924 19:56:39 I /sbin/ifconfig tun0 10.x.x.x pointopoint 10.x.x.x mtu 1500
20180924 19:56:39 W WARNING: External program may not be called unless '--script-security 2' or higher is enabled. See --help text or man page for detailed info.
20180924 19:56:39 W WARNING: Failed running command (--route-up): external program fork failed
20180924 19:56:39 I Listening for incoming TCP connection on [AF_INET][undef]:1194
20180924 19:56:39 I TCPv4_SERVER link local (bound): [AF_INET][undef]:1194
20180924 19:56:39 I TCPv4_SERVER link remote: [AF_UNSPEC]
20180924 19:56:39 I Initialization Sequence Completed
19691231 19:00:00


I am still trying to track down the meaning of this:
20180924 19:56:39 W WARNING: Failed running command (--route-up): external program fork failed

Where is the client.ovpn file created?
- It was created on the BlueIris machine (using the OpenVPN tools).

Here is what it looks like:
client
dev tun
proto tcp
remote <my_public_ip_address> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert gm-iphone.crt
key gm-iphone.key
ns-cert-type server
cipher AES-256-CBC
comp-lzo
verb 5

The client.ovpn, ca.crt, "my_iphone.key", and "my_iphone.crt" were then pushed over to the iPhone through iTunes. When I open the OpenVPN Connect app on the iPhone, I then import this profile.

I am pretty sure the VPN on the server and on the client is installed and running correctly (I can successfully connect when I am on my own LAN), and both the log files on the client and server report a successful connection, show appropriate in/out data, etc.

But once outside, when I try to connect to the public IP, the iPhone waits for a response and gets nothing. The OpenVPN server log doesn't even see the connection attempt.

Here is the iPhone client log:
2018-38-24 20:38:00 ----- OpenVPN Start ----- OpenVPN core 3.2 ios arm64 64-bit PT_PROXY built on Sep 4 2018 09:41:09
2018-38-24 20:38:00 Frame=512/2048/512 mssfix-ctrl=1250
2018-38-24 20:38:00 UNUSED OPTIONS
4 [resolv-retry] [infinite]
5 [nobind]
6 [persist-key]
7 [persist-tun]
14 [verb] [4]
2018-38-24 20:38:00 EVENT: RESOLVE
2018-38-24 20:38:00 Contacting [<my_public_ip_address>]:1194/TCP via TCP
2018-38-24 20:38:00 EVENT: WAIT
2018-38-24 20:38:11 Server poll timeout, trying next remote entry...
 

WannaTheater

SOLVED - Partially user error, partially varying degrees of DD-WRT and OpenVPN with some parts seeming to work and others not... or I just don't know enough about it.

SOLUTION:
1) Blindly following some pretty How-To guides, the server-side protocol in the configuration was set to TCP. Yet the guide directs the firewall to open up 1194 for UDP. Apparently port 1194 for OpenVPN is for UDP. So switching both the server and client config entries to "proto UDP4" works.
2) To compound matters, which is not documented well in OpenVPN, you can't just use "proto TCP" or "proto UDP" because it fails to start (something about IPv6 not being recognized). I am not sure if it is a problem with OpenVPN, DD-WRT, or both. Specifying UDP4 worked. (I also tried TCP4, which did allow the server daemon to at least start, although I could not get the client to connect.)

Spent all day on this.... Should have just purchased a VPN-capable router.

ALSO: I can connect through my iPhone on the mobile network (Verizon), with WiFi off.
 
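The mismatch that the SOLVED post describes (a server listening on TCP while the how-to's firewall rule admits only UDP/1194) and the two warnings quoted earlier in the thread (a route-up hook without script-security 2, and a client profile that verifies the server with ns-cert-type) are all things you can catch by reading the config files side by side before touching the router. The checker below is an added example, not code from the thread or from OpenVPN; the server config, client profile and iptables rule it inspects are constructed to reproduce the thread's situation, and 203.0.113.10 is a documentation address standing in for the poster's public IP. Note that 1194 is the registered OpenVPN port for both TCP and UDP; what has to agree is the transport the listener uses and the transport the firewall rule admits.

```python
"""Consistency check across an OpenVPN server config, the matching client
profile and the firewall rule that is supposed to admit the tunnel.

Added example, not code from the thread or from OpenVPN. The samples below
are constructed: 'proto tcp' on both ends with a UDP-only firewall rule, a
route-up hook without script-security 2, and ns-cert-type on the client.
"""
import re

# Constructed inputs (203.0.113.10 is a documentation address, not a real host).
SERVER_CONF_BROKEN = """\
port 1194
proto tcp
dev tun
server 10.8.0.0 255.255.255.0
route-up /tmp/openvpn/route-up.sh
"""
CLIENT_OVPN_BROKEN = """\
client
dev tun
proto tcp
remote 203.0.113.10 1194
ns-cert-type server
"""
FIREWALL_RULE = "iptables -I INPUT -p udp --dport 1194 -j ACCEPT"

# Corrected pair: explicit IPv4 UDP on both ends (the fix the thread landed on),
# script-security 2 for the route-up hook, remote-cert-tls instead of ns-cert-type.
SERVER_CONF_FIXED = SERVER_CONF_BROKEN.replace("proto tcp", "proto udp4") + "script-security 2\n"
CLIENT_OVPN_FIXED = (CLIENT_OVPN_BROKEN.replace("proto tcp", "proto udp4")
                     .replace("ns-cert-type server", "remote-cert-tls server"))

# Directives that make OpenVPN fork an external program.
HOOK_DIRECTIVES = ("up", "down", "route-up", "route-pre-down", "client-connect",
                   "client-disconnect", "learn-address", "auth-user-pass-verify", "tls-verify")


def parse_openvpn(text):
    """Map each directive to its argument list; the last occurrence wins."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # OpenVPN comment syntax
            continue
        name, *args = line.split()
        opts[name] = args
    return opts


def parse_iptables(rule):
    """Return (proto, dport) from an iptables rule such as '-p udp --dport 1194'."""
    m = re.search(r"-p\s+(tcp|udp)\b.*?--dport\s+(\d+)", rule)
    return (m.group(1), int(m.group(2))) if m else (None, None)


def transport(proto):
    """Collapse 'udp', 'udp4', 'tcp-server', 'tcp4-client', ... to 'tcp' or 'udp'."""
    return "tcp" if proto.startswith("tcp") else "udp"


def check(server_text, client_text, firewall_rule):
    """Return a list of findings; an empty list means the three pieces agree."""
    findings = []
    srv, cli = parse_openvpn(server_text), parse_openvpn(client_text)
    srv_proto = srv.get("proto", ["udp"])[0]
    srv_port = int(srv.get("port", ["1194"])[0])
    # On the client, 'remote host [port] [proto]' overrides 'port' and 'proto'.
    remote = cli.get("remote", [])
    cli_port = int(remote[1]) if len(remote) > 1 else int(cli.get("port", ["1194"])[0])
    cli_proto = remote[2] if len(remote) > 2 else cli.get("proto", ["udp"])[0]
    fw_proto, fw_port = parse_iptables(firewall_rule)

    if transport(srv_proto) != transport(cli_proto):
        findings.append(f"proto mismatch: server {srv_proto}, client {cli_proto}")
    if srv_port != cli_port:
        findings.append(f"port mismatch: server {srv_port}, client {cli_port}")
    if (fw_proto, fw_port) != (transport(srv_proto), srv_port):
        findings.append(f"firewall admits {fw_proto}/{fw_port} but the server listens on "
                        f"{transport(srv_proto)}/{srv_port}")
    if srv_proto in ("udp", "tcp", "tcp-server"):
        # OpenVPN 2.4 treats a bare udp/tcp as dual-stack; on a kernel or build
        # without IPv6 the bind fails, which matches the startup error in the thread.
        findings.append(f"server 'proto {srv_proto}' is dual-stack; pin "
                        f"{transport(srv_proto)}4 on a platform without IPv6")
    hooks = [d for d in HOOK_DIRECTIVES if d in srv]
    if hooks and int(srv.get("script-security", ["1"])[0]) < 2:
        findings.append(f"{', '.join(hooks)} configured but script-security < 2: "
                        "OpenVPN will refuse to run the script")
    if "remote-cert-tls" not in cli:
        if "ns-cert-type" in cli:
            findings.append("client relies on ns-cert-type (deprecated in 2.4, removed "
                            "in 2.5); use 'remote-cert-tls server'")
        else:
            findings.append("client never checks the server certificate's role; any "
                            "client cert from the same CA could impersonate the server")
    return findings


if __name__ == "__main__":
    for label, args in (("broken", (SERVER_CONF_BROKEN, CLIENT_OVPN_BROKEN, FIREWALL_RULE)),
                        ("fixed", (SERVER_CONF_FIXED, CLIENT_OVPN_FIXED, FIREWALL_RULE))):
        print(f"{label}: {check(*args) or ['ok']}")
```

Run it against the broken pair and it reports the UDP-versus-TCP firewall mismatch, the dual-stack proto, the unrunnable route-up hook and the deprecated ns-cert-type check; the corrected pair passes clean. The last check is the one worth keeping in mind for any OpenVPN client profile: without remote-cert-tls server (or the older ns-cert-type server) the client accepts any certificate signed by the CA, including another client's.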

SouthernYankee

I use an ASUS router. It took me less than 1 hour to get OpenVPN up and running for the BI Android app. I originally tested using WiFi (remote/not local) from my phone, then tested using the phone's AT&T cellular network. A lot of different people have been having problems with OpenVPN and cellular service.
 

WannaTheater

I use an ASUS router. It took me less than 1 hour to get OpenVPN up and running for the BI Android app.
That-a-way, throw some salt on the wound!!! Just kidding. I appreciate you trying to help.

I thought about buying a new router out of frustration, but just kept forging forth..... Even today, I found another thing that doesn't work as advertised.

At the end of the day, it was a learning experience. I am now pretty comfortable with OpenVPN and DD-WRT. I even got to refresh my Unix/Linux skills, which I've not needed in a while.

I've also learned that while DD-WRT is very powerful, I've spent a huge amount of time chasing my tail (not only on this OpenVPN issue) due to the many bugs, and dozens of builds, all with different degrees of completion/correct functionality.
 