Some specific questions on OpenVPN setup

W

WannaTheater

Young grasshopper
Aug 18, 2018
48
19
Florida
My first shot at setting up a VPN, and feel like I have been spinning my wheels for the last day and a half-
I read the VPN primer (at least half of it :)), and have googled excessively, but can't seem to get iphone to connect. I think I am close.

Here is my situation:

1) I have a cable provider, with their provided Arris modem. It is configured as RoutedWithNAT. (Wireless is off). I do not have a static IP address, but I believe it rarely changes. For this initial test config, I have been using my WAN address from What Is My IP? Shows your real IP - IPv4 - IPv6 - WhatIsMyIP.com®. Once working I will go through DynDNS.

2) I have a TP-Link router, running DD-WRT, with OpenVPN installed. I installed OpenVPN on my BlueIris PC to generate the required CA, server and client keys, and client configuration (for an iphone). I've transferred the required files to the iphone though iTunes (ca.crt, client config, and client key and crt)
This was a PITA to configure, as many of the online quides are outdated, bugs in the firmware, etc. I finally got it running (although there are a few warnings in router syslog).

At one point, I set MODEM to BRIDGED, and was able to conect from iPhone (VPN lights up). Everything worked as it should!!!.... but then I realized iphone had WIFI ON.... when I turned it off and connected through cell provide, I could no longer connect. I even tried turning firewall off on MODEM.

Now, with MODEM back to RoutedWithNAT and firewall on:

On the client log, I am getting the following:
2018-09-24 10:55:06 Transport Error: TCP connect error on 'xx.xxx.xxx.xxx:1194' ([xx.xxx.xxx.xxx]:1194/TCP): SYSTEM/Connection refused
2018-09-24 10:55:06 Client terminated, restarting in 2000 ms...
2018-09-24 10:55:08 EVENT: RECONNECTING
2018-09-24 10:55:08 EVENT: RESOLVE
2018-09-24 10:55:08 Contacting [xx.xxx.xxx.xxx]:1194/TCP via TCP
2018-09-24 10:55:08 EVENT: WAIT

On the Router syslog (with warnings):
Sep 24 16:03:46 CypressRouter daemon.warn openvpn[1188]: NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes t
Sep 24 16:03:46 CypressRouter daemon.warn openvpn[1188]: NOTE: starting with OpenVPN 2.1, '--script-security 2' or higher is required to call user-defined scripts or executables
Sep 24 16:03:46 CypressRouter daemon.notice openvpn[1188]: TUN/TAP device tun0 opened
Sep 24 16:03:46 CypressRouter daemon.notice openvpn[1188]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Sep 24 16:03:46 CypressRouter daemon.notice openvpn[1188]: /sbin/ifconfig tun0 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
Sep 24 16:03:46 CypressRouter daemon.warn openvpn[1188]: WARNING: External program may not be called unless '--script-security 2' or higher is enabled. See --help text or man page for detailed info.
Sep 24 16:03:46 CypressRouter daemon.warn openvpn[1188]: WARNING: Failed running command (--route-up): external program fork failed
Sep 24 16:03:46 CypressRouter daemon.notice openvpn[1188]: Listening for incoming TCP connection on [AF_INET][undef]:1194
Sep 24 16:03:46 CypressRouter daemon.notice openvpn[1188]: TCPv4_SERVER link local (bound): [AF_INET][undef]:1194
Sep 24 16:03:46 CypressRouter daemon.notice openvpn[1188]: TCPv4_SERVER link remote: [AF_UNSPEC]
Sep 24 16:03:46 CypressRouter daemon.notice openvpn[1188]: Initialization Sequence Completed


Question:
1) With my setup, should the Modem be put into BRIDGED mode? Or running as RoutedWithNAT
2) If in bridged mode, do I need to make changes to the MODEM firewall?
3) I have NTP set on Router, with Time Zone set as US/EASTERN. But Server IP/Name is blank.

Any other suggestions?

Thank you!
 
Do not test the VPN using the phone and your cell provider. A lot of cell services have problems with the VPN. Start by connecting to the VPN from work or from a remote WiFi. Test the VPN using WiFi or a connected wired network.

I use Comcast as my Internet provider. I use Arris router/modem with a Asus router. The Arris modem is in bridge mode.
 
Last edited:
Switched back to bridged, and have the same issue. I can connect while on my own LAN, but not from a remote LAN.

Log from iphone while on remote WIFI:
2018-09-24 14:38:08 ----- OpenVPN Start ----- OpenVPN core 3.2 ios arm64 64-bit PT_PROXY built on Sep 4 2018 09:41:09
.....
2018-09-24 14:38:08 EVENT: RESOLVE
2018-09-24 14:38:08 Contacting [XX.XXX.XXX.XXX]:1194/TCP via TCP
2018-09-24 14:38:08 EVENT: WAIT
2018-09-24 14:38:19 Server poll timeout, trying next remote entry...

Part of me is thinking this is a problem with my router and DD_WRT, which is showing the following:
20180924 14:30:12 W WARNING: Failed running command (--route-up): external program fork failed
 
@WannaTheater It sounds like your cable modem is blocking the incoming connection on the WAN. Try logging into it and see if there are any port forwarding rules. If so forward port 1194 to your VPN server.
 
I tried to set up port forwarding, but the modem config it is telling me "Invalid IP address." I tried to forward to the 192.x address of the router, and even the 10.x (local address of the VPN server)

I guess I am confused on how bridging works-
1) The WAN side of the MODEM has an IP address assigned by my ISP. I can ping this from my iphone when connected to cellular network (... when I don't block PING in the modem config). I cannot disable DHCP, as the MODEM states I have to configure a static IP address first... and there is not place I can find to do this.
2) The WAN side of the ROUTER also has an IP address assigned by my ISP, which is different than the address in (1). This address address is what is showing as my public IP address. I can ping this address also when connected to cellular (...when I don't block PING in the router config).

My OpenVPN config for the iphone references the WAN address from #2.
 
The Arris modem is in bridge mode. It should not do any routing.
What is the Arris model number.
Lan setup DHCP off
Enable DNS override off
DNS relay off
Natt mode bridge
Enable upnp off.

Wireless off for both 2.4 and 5 ghz

DynDNS should give you the IP the public address of your network connection, that is provided by your internet provider.

It should be displayed on the wan setup tab.

Provide screen shots of the Arris moden setting .
 
Last edited:
Atmelton... I do not think they want a two router system. There objective is a modem and a router.
 
  • Like
Reactions: looney2ns
Correct, I am looking to accomplish a bridged modem, connected to a single router running DD-WRT (and hosting OpenVPN).

Answers to questions:
The Arris modem is in bridge mode. It should not do any routing.
- Correct. Once in bridge mode, you can not access the standard admin interface at 192.168.0.1... there is another address to get to it.

What is the Arris model number.
-Arris TG1682G

Lan setup DHCP off
-Yes. On the WAN tab, I could NOT disable DHCP. But I could on the LAN tab. I left the LAN IP address setting at its default (192.168.0.1)

Enable DNS override off
-Yes.

DNS relay off
-Yes

Natt mode bridge
-Yes

Enable upnp off.
-It was NOT. But I just unchecked it, hence disabling upnp.

Wireless off for both 2.4 and 5 ghz
-Correct. Router handles wireless.

DynDNS should give you the IP the public address of your network connection, that is provided by your internet provider.
-I do not have DynDNS setup yet. For this test, I am using my public IP address (from several sources- my favorite is www.ipmonkey.com). This is the same as my ROUTER WAN IP address.

It should be displayed on the wan setup tab.
- The IP address showing on the WAN tab on the MODEM is not the same as the IP address showing on the WAN tab on the ROUTER. The WAN tab on my MODEM shows me an IP address that is different than my public IP address.

Did you enable VPN Passthrough on the DDWRT router?
-Yes

Additional Questions:
Do any ports need to be opened up on the router?
When I use Open Port Check Tool to check 1194 on my public IP address, the response is "Error: I could not see your service on xxx.xxx.xxx.xxx on port (1194)

Thank for helping-
 
Why do you have openVPN on the BI PC?
Is the openVPN on the router ?
Where is the client.ovpn file created ?
 
Why do you have openVPN on the BI PC?
- It is not running. I only installed it there to use the utilities to create the required certs/keys, etc, that need to be loaded into the router. I could have done this on any PC-

Is the openVPN on the router ?
- Yes.. Started and running. Here is what the log looks like:
Serverlog:
20180924 19:56:39 I OpenVPN 2.4.5 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Apr 6 2018
20180924 19:56:39 I library versions: OpenSSL 1.1.0h 27 Mar 2018 LZO 2.09
20180924 19:56:39 W NOTE: starting with OpenVPN 2.1 '--script-security 2' or higher is required to call user-defined scripts or executables
20180924 19:56:39 I TUN/TAP device tun0 opened
20180924 19:56:39 D do_ifconfig tt->did_ifconfig_ipv6_setup=0
20180924 19:56:39 I /sbin/ifconfig tun0 10.x.x.x pointopoint 10.x.x.x mtu 1500
20180924 19:56:39 W WARNING: External program may not be called unless '--script-security 2' or higher is enabled. See --help text or man page for detailed info.
20180924 19:56:39 W WARNING: Failed running command (--route-up): external program fork failed
20180924 19:56:39 I Listening for incoming TCP connection on [AF_INET][undef]:1194
20180924 19:56:39 I TCPv4_SERVER link local (bound): [AF_INET][undef]:1194
20180924 19:56:39 I TCPv4_SERVER link remote: [AF_UNSPEC]
20180924 19:56:39 I Initialization Sequence Completed
19691231 19:00:00

I am still trying to track down the meaning of this:
20180924 19:56:39 W WARNING: Failed running command (--route-up): external program fork failed
Where is the client.ovpn file created ?
- It was created on the BlueIris machine (using the openVPN tools).

Here is what it looks like:
client
dev tun
proto tcp
remote <my_public_ip_address> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert gm-iphone.crt
key gm-iphone.key
ns-cert-type server
cipher AES-256-CBC
comp-lzo
verb 5

The client.ovpn, ca.crt, "my_iphone.key", and "my_iphone.crt" then pushed over to the iphone through iTunes. When I open the OpenVPN connect app on the iphone, I then import this profile.

I am pretty sure VPN on server and on client are installed and running correctly (I can successfully connect when I am on my own LAN), and both the log files on client and server report successful connection, show appropriate in/out data, etc.

But once outside, when I try to connect to the public IP, the iphone waits for a response and gets nothing. The OpenVPN server log log doesn't even see the connection attempt.

Here is the iphone client log:
2018-38-24 20:38:00 ----- OpenVPN Start ----- OpenVPN core 3.2 ios arm64 64-bit PT_PROXY built on Sep 4 2018 09:41:09
2018-38-24 20:38:00 Frame=512/2048/512 mssfix-ctrl=1250
2018-38-24 20:38:00 UNUSED OPTIONS
4 [resolv-retry] [infinite]
5 [nobind]
6 [persist-key]
7 [persist-tun]
14 [verb] [4]
2018-38-24 20:38:00 EVENT: RESOLVE
2018-38-24 20:38:00 Contacting [<my_public_ip_address>]:1194/TCP via TCP
2018-38-24 20:38:00 EVENT: WAIT
2018-38-24 20:38:11 Server poll timeout, trying next remote entry...
 
SOLVED - Partially user error, partially varying degrees of DD-WRT and OpenVPN with some parts seeming to work, others don't... or I just don't know enough about it.

SOLUTION:
1) Blindly following some pretty How-To guides, the server side protocol in the configuration was set to TCP. Yet the guide directs the firewall to open up 1194 for UDP. Apparently port 1194 for OpenVPN is for UDP. So switching both the server and client config entries to "proto UDP4" works.
2) To compound matters, which is not documented well in OpenVPN, you can't just use "proto TCP" or "proto UDP" because it fails to start (something about IPv6 not being recognized). I am not sure if it is a problem with OpenVPN, DD_WRT, or both. Specifying UDP4 worked. (I also tried TCP4, which did allow the server daemon to at least start, although I could not get the client to connect)

Spent all day on this.... Should have just purchased a VPN-capable router.

ALSO: I can connect through my iPhone on mobile network (Verizon), with Wifi Off.
 
  • Like
Reactions: SouthernYankee and 58chev
I use a ASUS router. It took me less than 1 hour to get openVPN up and running for the BI Android app. I originally tested use WIFI (remote/not local) from by phone, Then tested use the phones ATT cellular network. A lot of different people have been having problems with openVPN and cellular service
 
I use a ASUS router. It took me less than 1 hour to get openVPN up and running for the BI Android app.
Click to expand...
That-a-way, throw some salt on the wound!!! Just kidding. I appreciate you trying to help.

I thought about buying a new router out of frustration, but just kept forging forth..... Even today, I found another thing that doesn't work as advertised.

At the end of the day, it was a learning experience. I am now pretty comfortable with OpenVPN and DD-WRT. I even got to refresh my unix/linux skills which I've not needed in awhile-

I've also learned that while DD-WRT is very powerful, I've spent a huge amount of time chasing my tail (not only on this OpenVPN issue) due to the many bugs, and dozens of builds, all with different degrees of completion/correct functionality.
 
You must log in or register to reply here.
Top Bottom