For the last several days, I have been trying to set up OpenVPN on my Netgear R7000 router running DD WRT. From my Android phone, I can connect to the VPN, but internet access doesn't work. Please give me your suggestions.
The current setup is as follows:
There are two routers - one provided by ISP and my Netgear.
- ISP one has IP 10.0.0.1. Netgear connected to ISP router has IP 10.0.0.17.
- All my devices connect to Netgear. I access Netgear setup using 192.168.1.1. All the devices get IP in the 192.168.1.x range.
In Services->VPN->Additional Config:
push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
server 192.168.66.0 255.255.255.0
dev tun0
proto udp
keepalive 10 120
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
management localhost 16
verb 5
In Administration->Commands, I used the following firewall commands.
iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT
iptables -I FORWARD 1 --source 192.168.66.0/24 -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
After searching on the Internet, I have also tried
iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT
iptables -I INPUT 1 -p tcp --dport 1194 -j ACCEPT
iptables -I FORWARD 1 --source 192.168.66.0/24 -j ACCEPT
iptables -I FORWARD 1 --source 192.168.1.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.66.0/24 -o br0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.66.0/24 -j MASQUERADE
iptables -I POSTROUTING -t nat -o tun0 -j RETURN
For testing, I connect my phone (skyrocket) to the ISP router. Phone gets the IP 10.0.0.5. OpenVPN log on DD WRT during one of the connection attempts is given below:
Serverlog
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
key /tmp/openvpn/key.pem
push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
server 192.168.66.0 255.255.255.0
dev tun0
proto udp
keepalive 10 120
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
management localhost 16
verb 5
Clientlog
19700101 00:00:06 use_iv = ENABLED
19700101 00:00:06 test_crypto = DISABLED
19700101 00:00:06 tls_server = ENABLED
19700101 00:00:06 tls_client = DISABLED
19700101 00:00:06 key_method = 2
19700101 00:00:06 ca_file = '/tmp/openvpn/ca.crt'
19700101 00:00:06 ca_path = '[UNDEF]'
19700101 00:00:06 dh_file = '/tmp/openvpn/dh.pem'
19700101 00:00:06 cert_file = '/tmp/openvpn/cert.pem'
19700101 00:00:06 priv_key_file = '/tmp/openvpn/key.pem'
19700101 00:00:06 pkcs12_file = '[UNDEF]'
19700101 00:00:06 cipher_list = '[UNDEF]'
19700101 00:00:06 tls_verify = '[UNDEF]'
19700101 00:00:06 tls_export_cert = '[UNDEF]'
19700101 00:00:06 verify_x509_type = 0
19700101 00:00:06 verify_x509_name = '[UNDEF]'
19700101 00:00:06 crl_file = '[UNDEF]'
19700101 00:00:06 ns_cert_type = 0
19700101 00:00:06 remote_cert_ku = 0
19700101 00:00:06 remote_cert_ku = 0
19700101 00:00:06 remote_cert_ku = 0
19700101 00:00:06 remote_cert_ku = 0
19700101 00:00:06 remote_cert_ku = 0
19700101 00:00:06 remote_cert_ku = 0
19700101 00:00:06 remote_cert_ku = 0
19700101 00:00:06 remote_cert_ku = 0
19700101 00:00:06 remote_cert_ku = 0
19700101 00:00:06 remote_cert_ku = 0
19700101 00:00:06 remote_cert_ku = 0
19700101 00:00:06 remote_cert_ku = 0
19700101 00:00:06 remote_cert_ku = 0
19700101 00:00:06 remote_cert_ku = 0
19700101 00:00:06 remote_cert_ku = 0
19700101 00:00:06 remote_cert_ku = 0
19700101 00:00:06 remote_cert_eku = '[UNDEF]'
19700101 00:00:06 ssl_flags = 0
19700101 00:00:06 tls_timeout = 2
19700101 00:00:06 renegotiate_bytes = 0
19700101 00:00:06 renegotiate_packets = 0
19700101 00:00:06 renegotiate_seconds = 3600
19700101 00:00:06 handshake_window = 60
19700101 00:00:06 transition_window = 3600
19700101 00:00:06 single_session = DISABLED
19700101 00:00:06 push_peer_info = DISABLED
19700101 00:00:06 tls_exit = DISABLED
19700101 00:00:06 tls_auth_file = '[UNDEF]'
19700101 00:00:06 server_network = 192.168.66.0
19700101 00:00:06 server_netmask = 255.255.255.0
19700101 00:00:06 server_network_ipv6 = ::
19700101 00:00:06 server_netbits_ipv6 = 0
19700101 00:00:06 server_bridge_ip = 0.0.0.0
19700101 00:00:06 server_bridge_netmask = 0.0.0.0
19700101 00:00:06 server_bridge_pool_start = 0.0.0.0
19700101 00:00:06 server_bridge_pool_end = 0.0.0.0
19700101 00:00:06 push_entry = 'route 192.168.1.0 255.255.255.0'
19700101 00:00:06 push_entry = 'dhcp-option DNS 8.8.8.8'
19700101 00:00:06 push_entry = 'dhcp-option DNS 8.8.4.4'
19700101 00:00:06 push_entry = 'route 192.168.66.1'
19700101 00:00:06 push_entry = 'topology net30'
19700101 00:00:06 push_entry = 'ping 10'
19700101 00:00:06 push_entry = 'ping-restart 120'
19700101 00:00:06 ifconfig_pool_defined = ENABLED
19700101 00:00:06 ifconfig_pool_start = 192.168.66.4
19700101 00:00:06 ifconfig_pool_end = 192.168.66.251
19700101 00:00:06 ifconfig_pool_netmask = 0.0.0.0
19700101 00:00:06 ifconfig_pool_persist_filename = '[UNDEF]'
19700101 00:00:06 ifconfig_pool_persist_refresh_freq = 600
19700101 00:00:06 ifconfig_ipv6_pool_defined = DISABLED
19700101 00:00:06 ifconfig_ipv6_pool_base = ::
19700101 00:00:06 ifconfig_ipv6_pool_netbits = 0
19700101 00:00:06 n_bcast_buf = 256
19700101 00:00:06 tcp_queue_limit = 64
19700101 00:00:06 real_hash_size = 256
19700101 00:00:06 virtual_hash_size = 256
19700101 00:00:06 client_connect_script = '[UNDEF]'
19700101 00:00:06 learn_address_script = '[UNDEF]'
19700101 00:00:06 client_disconnect_script = '[UNDEF]'
19700101 00:00:06 client_config_dir = '[UNDEF]'
19700101 00:00:06 ccd_exclusive = DISABLED
19700101 00:00:06 tmp_dir = '/tmp'
19700101 00:00:06 push_ifconfig_defined = DISABLED
19700101 00:00:06 push_ifconfig_local = 0.0.0.0
19700101 00:00:06 push_ifconfig_remote_netmask = 0.0.0.0
19700101 00:00:06 push_ifconfig_ipv6_defined = DISABLED
19700101 00:00:06 push_ifconfig_ipv6_local = ::/0
19700101 00:00:06 push_ifconfig_ipv6_remote = ::
19700101 00:00:06 enable_c2c = DISABLED
19700101 00:00:06 duplicate_cn = DISABLED
19700101 00:00:06 cf_max = 0
19700101 00:00:06 cf_per = 0
19700101 00:00:06 max_clients = 1024
19700101 00:00:06 max_routes_per_client = 256
19700101 00:00:06 auth_user_pass_verify_script = '[UNDEF]'
19700101 00:00:06 auth_user_pass_verify_script_via_file = DISABLED
19700101 00:00:06 port_share_host = '[UNDEF]'
19700101 00:00:06 port_share_port = 0
19700101 00:00:06 client = DISABLED
19700101 00:00:06 pull = DISABLED
19700101 00:00:06 auth_user_pass_file = '[UNDEF]'
19700101 00:00:06 I OpenVPN 2.3.2 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Apr 2 2014
19700101 00:00:06 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:16
19700101 00:00:06 W NOTE: starting with OpenVPN 2.1 '--script-security 2' or higher is required to call user-defined scripts or executables
19700101 00:00:06 Diffie-Hellman initialized with 1024 bit key
19700101 00:00:06 TLS-Auth MTU parms [ L:1541 D:138 EF:38 EB:0 ET:0 EL:0 ]
19700101 00:00:06 Socket Buffers: R=[180224->131072] S=[180224->131072]
19700101 00:00:06 ROUTE_GATEWAY 10.0.0.1/255.255.255.0 IFACE=vlan2 HWADDR=04:a1:51:d3:8c:13
19700101 00:00:06 I TUN/TAP device tun0 opened
19700101 00:00:06 TUN/TAP TX queue length set to 100
19700101 00:00:06 I do_ifconfig tt->ipv6=0 tt->did_ifconfig_ipv6_setup=0
19700101 00:00:06 I /sbin/ifconfig tun0 192.168.66.1 pointopoint 192.168.66.2 mtu 1500
19700101 00:00:06 /sbin/route add -net 192.168.66.0 netmask 255.255.255.0 gw 192.168.66.2
19700101 00:00:06 W WARNING: External program may not be called unless '--script-security 2' or higher is enabled. See --help text or man page for detailed info.
19700101 00:00:06 W WARNING: Failed running command (--route-up): external program fork failed
19700101 00:00:06 Data Channel MTU parms [ L:1541 D:1450 EF:41 EB:4 ET:0 EL:0 ]
19700101 00:00:06 I UDPv4 link local (bound): [undef]
19700101 00:00:06 I UDPv4 link remote: [undef]
19700101 00:00:06 MULTI: multi_init called r=256 v=256
19700101 00:00:06 IFCONFIG POOL: base=192.168.66.4 size=62 ipv6=0
19700101 00:00:06 I Initialization Sequence Completed
20140406 13:06:19 MULTI: multi_create_instance called
20140406 13:06:19 10.0.0.5:1194 Re-using SSL/TLS context
20140406 13:06:20 10.0.0.5:1194 Control Channel MTU parms [ L:1541 D:138 EF:38 EB:0 ET:0 EL:0 ]
20140406 13:06:20 10.0.0.5:1194 Data Channel MTU parms [ L:1541 D:1450 EF:41 EB:4 ET:0 EL:0 ]
20140406 13:06:20 10.0.0.5:1194 Local Options String: 'V4 dev-type tun link-mtu 1541 tun-mtu 1500 proto UDPv4 cipher BF-CBC auth SHA1 keysize 128 key-method 2 tls-server'
20140406 13:06:20 10.0.0.5:1194 Expected Remote Options String: 'V4 dev-type tun link-mtu 1541 tun-mtu 1500 proto UDPv4 cipher BF-CBC auth SHA1 keysize 128 key-method 2 tls-client'
20140406 13:06:20 10.0.0.5:1194 Local Options hash (VER=V4): '239669a8'
20140406 13:06:20 10.0.0.5:1194 Expected Remote Options hash (VER=V4): '3514370b'
20140406 13:06:20 10.0.0.5:1194 TLS: Initial packet from [AF_INET]10.0.0.5:1194 sid=31f5df11 3d7637eb
20140406 13:06:20 10.0.0.5:1194 VERIFY OK: depth=1 C=US ST=IL L=Peoria O=DGI OU=changeme CN=server name=changeme emailAddress=user@gmail.com
20140406 13:06:20 10.0.0.5:1194 VERIFY OK: depth=0 C=US ST=IL L=Peoria O=DGI OU=changeme CN=skyrocket name=changeme emailAddress=user@gmail.com
20140406 13:06:20 W 10.0.0.5:1194 WARNING: 'link-mtu' is used inconsistently local='link-mtu 1541' remote='link-mtu 1542'
20140406 13:06:20 W 10.0.0.5:1194 WARNING: 'comp-lzo' is present in remote config but missing in local config remote='comp-lzo'
20140406 13:06:20 10.0.0.5:1194 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
20140406 13:06:20 10.0.0.5:1194 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
20140406 13:06:20 10.0.0.5:1194 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
20140406 13:06:20 10.0.0.5:1194 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
20140406 13:06:20 10.0.0.5:1194 Control Channel: TLSv1 cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA 1024 bit RSA
20140406 13:06:20 I 10.0.0.5:1194 [skyrocket] Peer Connection Initiated with [AF_INET]10.0.0.5:1194
20140406 13:06:20 I skyrocket/10.0.0.5:1194 MULTI_sva: pool returned IPv4=192.168.66.6 IPv6=(Not enabled)
20140406 13:06:20 skyrocket/10.0.0.5:1194 MULTI: Learn: 192.168.66.6 -> skyrocket/10.0.0.5:1194
20140406 13:06:20 skyrocket/10.0.0.5:1194 MULTI: primary virtual IP for skyrocket/10.0.0.5:1194: 192.168.66.6
20140406 13:06:22 skyrocket/10.0.0.5:1194 PUSH: Received control message: 'PUSH_REQUEST'
20140406 13:06:22 I skyrocket/10.0.0.5:1194 send_push_reply(): safe_cap=940
20140406 13:06:22 skyrocket/10.0.0.5:1194 SENT CONTROL [skyrocket]: 'PUSH_REPLY route 192.168.1.0 255.255.255.0 dhcp-option DNS 8.8.8.8 dhcp-option DNS 8.8.4.4 route 192.168.66.1 topology net30 ping 10 ping-restart 120 ifconfig 192.168.66.6 192.168.66.5' (status=1)
20140406 13:06:32 W skyrocket/10.0.0.5:1194 IP packet with unknown IP version=15 seen
20140406 13:06:32 W skyrocket/10.0.0.5:1194 IP packet with unknown IP version=15 seen
20140406 13:06:34 W skyrocket/10.0.0.5:1194 IP packet with unknown IP version=15 seen
20140406 13:06:34 W skyrocket/10.0.0.5:1194 IP packet with unknown IP version=15 seen
20140406 13:06:37 W skyrocket/10.0.0.5:1194 IP packet with unknown IP version=15 seen
20140406 13:06:37 W skyrocket/10.0.0.5:1194 IP packet with unknown IP version=15 seen
20140406 13:06:39 W skyrocket/10.0.0.5:1194 IP packet with unknown IP version=15 seen
20140406 13:06:39 W skyrocket/10.0.0.5:1194 IP packet with unknown IP version=15 seen
20140406 13:06:42 W skyrocket/10.0.0.5:1194 IP packet with unknown IP version=15 seen
20140406 13:06:42 W skyrocket/10.0.0.5:1194 IP packet with unknown IP version=15 seen
20140406 13:06:44 W skyrocket/10.0.0.5:1194 IP packet with unknown IP version=15 seen
20140406 13:06:44 W skyrocket/10.0.0.5:1194 IP packet with unknown IP version=15 seen
20140406 13:06:47 W skyrocket/10.0.0.5:1194 IP packet with unknown IP version=15 seen
20140406 13:06:47 W skyrocket/10.0.0.5:1194 IP packet with unknown IP version=15 seen
20140406 13:06:49 W skyrocket/10.0.0.5:1194 IP packet with unknown IP version=15 seen
20140406 13:06:49 W skyrocket/10.0.0.5:1194 IP packet with unknown IP version=15 seen
20140406 13:06:52 W skyrocket/10.0.0.5:1194 IP packet with unknown IP version=15 seen
20140406 13:06:52 W skyrocket/10.0.0.5:1194 IP packet with unknown IP version=15 seen
20140406 13:06:52 W skyrocket/10.0.0.5:1194 IP packet with unknown IP version=15 seen
20140406 13:06:53 W skyrocket/10.0.0.5:1194 IP packet with unknown IP version=15 seen
20140406 13:06:54 W skyrocket/10.0.0.5:1194 IP packet with unknown IP version=15 seen
20140406 13:06:54 W skyrocket/10.0.0.5:1194 IP packet with unknown IP version=15 seen
20140406 13:06:57 W skyrocket/10.0.0.5:1194 IP packet with unknown IP version=15 seen
20140406 13:06:57 W skyrocket/10.0.0.5:1194 IP packet with unknown IP version=15 seen
20140406 13:06:57 W skyrocket/10.0.0.5:1194 IP packet with unknown IP version=15 seen
20140406 13:06:58 W skyrocket/10.0.0.5:1194 IP packet with unknown IP version=15 seen
20140406 13:06:59 W skyrocket/10.0.0.5:1194 IP packet with unknown IP version=15 seen
20140406 13:06:59 W skyrocket/10.0.0.5:1194 IP packet with unknown IP version=15 seen
20140406 13:07:02 W skyrocket/10.0.0.5:1194 IP packet with unknown IP version=15 seen
20140406 13:07:02 W skyrocket/10.0.0.5:1194 IP packet with unknown IP version=15 seen
20140406 13:07:02 W skyrocket/10.0.0.5:1194 IP packet with unknown IP version=15 seen
20140406 13:07:03 W skyrocket/10.0.0.5:1194 IP packet with unknown IP version=15 seen
20140406 13:07:03 W skyrocket/10.0.0.5:1194 IP packet with unknown IP version=15 seen
20140406 13:07:04 W skyrocket/10.0.0.5:1194 IP packet with unknown IP version=15 seen
20140406 13:07:04 W skyrocket/10.0.0.5:1194 IP packet with unknown IP version=15 seen
20140406 13:11:04 I skyrocket/10.0.0.5:1194 [skyrocket] Inactivity timeout (--ping-restart) restarting
20140406 13:11:04 skyrocket/10.0.0.5:1194 SIGUSR1[soft ping-restart] received client-instance restarting
20140406 13:23:50 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20140406 13:23:50 D MANAGEMENT: CMD 'state'
20140406 13:23:50 MANAGEMENT: Client disconnected
20140406 13:23:50 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20140406 13:23:50 D MANAGEMENT: CMD 'state'
20140406 13:23:50 MANAGEMENT: Client disconnected
20140406 13:23:50 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20140406 13:23:50 D MANAGEMENT: CMD 'state'
20140406 13:23:50 MANAGEMENT: Client disconnected
20140406 13:23:50 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20140406 13:23:50 D MANAGEMENT: CMD 'log 500'
19700101 00:00:00
Note that the line
20140406 13:06:49 W skyrocket/10.0.0.5:1194 IP packet with unknown IP version=15 seen
usually appears whenever I try to browse some web page on the phone.

On the phone OpenVPN client, when I try to access any webpage, it shows the message
Bad LZO decompression header byte: 42
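As an added example, not part of the post above and not DD-WRT or OpenVPN code: a small Python triage script that runs over log lines copied from the server log in the post and ties the symptoms together (the comp-lzo mismatch warning, the "unknown IP version=15" lines, the client's "header byte: 42"), and also flags the settings a security reviewer would note in the same log (BF-CBC, 1024-bit DH, no tls-auth, the route-up script not running). It assumes two values from the OpenVPN 2.3.x source: the one-byte LZO "no compression" prefix 0xFA and the first byte 0x2A of the 16-byte keepalive ping magic. The function names, rule table and SAMPLE_LOG are this example's own.

```python
"""Triage an OpenVPN 2.3 server log for the symptoms in the post above.

Added example; SAMPLE_LOG lines are copied from the post, everything else
(function names, rule table, byte constants) is this example's assumption.
"""
import re
from typing import Dict, List

# Assumed from OpenVPN's lzo.h and ping.c (2.3.x): the prefix byte comp-lzo
# puts on a packet it chose not to compress, and the first byte of the
# keepalive ping magic string (42 decimal, the value the client reported).
LZO_NO_COMPRESS_BYTE = 0xFA
PING_MAGIC_FIRST_BYTE = 0x2A


def ip_version(first_byte: int) -> int:
    """IPv4 and IPv6 keep the version number in the top nibble of byte 0."""
    return (first_byte >> 4) & 0xF


def explain_bad_lzo_header(byte_value: int) -> str:
    """Explain a client-side 'Bad LZO decompression header byte: N'.

    The client raises this when it expects an LZO prefix but the server
    sent an unframed packet; the byte value tells us what that packet was.
    """
    if byte_value == PING_MAGIC_FIRST_BYTE:
        return "unframed keepalive ping from a server without comp-lzo"
    if ip_version(byte_value) in (4, 6):
        return "unframed IPv%d packet from a server without comp-lzo" % ip_version(byte_value)
    return "unrecognised first byte 0x%02x" % byte_value


# (regex, finding kind, default severity), one entry per symptom to flag.
RULES = [
    (re.compile(r"'comp-lzo' is present in remote config but missing in local config"),
     "compression-mismatch", "error"),
    (re.compile(r"IP packet with unknown IP version=(\d+) seen"), "bad-ip-version", "error"),
    (re.compile(r"Failed running command \(--route-up\)"), "route-up-not-run", "warning"),
    (re.compile(r"cipher BF-CBC"), "weak-cipher", "warning"),
    (re.compile(r"Diffie-Hellman initialized with (\d+) bit key"), "dh-size", "info"),
    (re.compile(r"tls_auth_file = '\[UNDEF\]'"), "no-tls-auth", "warning"),
]


def analyze(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per distinct symptom, each with a short diagnosis."""
    findings: Dict[str, Dict[str, str]] = {}
    for line in lines:
        for pattern, kind, severity in RULES:
            m = pattern.search(line)
            if not m or kind in findings:
                continue
            if kind == "compression-mismatch":
                detail = ("client has comp-lzo, server does not: put 'comp-lzo' in the "
                          "server config (or drop it from the client) so both sides "
                          "frame data packets the same way")
            elif kind == "bad-ip-version":
                version = int(m.group(1))
                if version == ip_version(LZO_NO_COMPRESS_BYTE):
                    detail = ("version 15 is the top nibble of 0x%02x, the LZO "
                              "'no compression' prefix: the server is reading an "
                              "LZO-framed packet as a raw IP header" % LZO_NO_COMPRESS_BYTE)
                else:
                    detail = "unexpected IP version %d" % version
            elif kind == "dh-size":
                bits = int(m.group(1))
                severity = "warning" if bits < 2048 else "info"
                detail = "%d-bit DH parameters; 2048 or more is the usual minimum" % bits
            elif kind == "weak-cipher":
                detail = "BF-CBC is a 64-bit block cipher; prefer AES-256-CBC (AES-GCM from 2.4)"
            elif kind == "no-tls-auth":
                detail = "tls-auth adds an HMAC so the UDP listener drops unsigned packets"
            else:  # route-up-not-run
                detail = "set 'script-security 2' if the route-up script is actually needed"
            findings[kind] = {"kind": kind, "severity": severity, "detail": detail}
    return list(findings.values())


# Constructed sample: lines copied from the server log in the post above.
SAMPLE_LOG = [
    "19700101 00:00:06 tls_auth_file = '[UNDEF]'",
    "19700101 00:00:06 Diffie-Hellman initialized with 1024 bit key",
    "19700101 00:00:06 W WARNING: Failed running command (--route-up): external program fork failed",
    "20140406 13:06:20 10.0.0.5:1194 Local Options String: 'V4 dev-type tun link-mtu 1541 "
    "tun-mtu 1500 proto UDPv4 cipher BF-CBC auth SHA1 keysize 128 key-method 2 tls-server'",
    "20140406 13:06:20 W 10.0.0.5:1194 WARNING: 'comp-lzo' is present in remote config "
    "but missing in local config remote='comp-lzo'",
    "20140406 13:06:32 W skyrocket/10.0.0.5:1194 IP packet with unknown IP version=15 seen",
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print("[%s] %s: %s" % (f["severity"], f["kind"], f["detail"]))
    print("client 'header byte: 42' ->", explain_bad_lzo_header(42))
```

The two symptoms are mirror images of one mismatch: the phone's client has comp-lzo and prefixes every data packet with an LZO header byte, so the server (no comp-lzo) reads 0xFA as an IP header and logs version 15; in the other direction the server sends raw packets and the client, expecting an LZO prefix, rejects them, and 42 (0x2A) is the first byte of the keepalive ping the server pushes with "ping 10". Either add comp-lzo on the server or remove it on the client; the firewall rules are not what the log is complaining about.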