Thread: OpenVPN on Asus WL-500gP

  1. #1
    Quote Originally Posted by mateysz View Post
    My question is therefore if it is possible to make OpenVPN start BEFORE drives are mounted?
    Well with some work maybe
    If you are using the firmware from googlecode it would be the easiest since you'd have a proper crosscompiler with the right uclibc.

    You see, the firmware and optware both use a different version of uclibc. So if you use the optware version of openvpn there might be compatibility issues when there is no optware uclibc library...

    So pretty much you need to compile openvpn yourself, place it somewhere in flash and start it. It seems to be small enough.

    I don't know if you have ever compiled something?
    If you have Linux (something like Ubuntu) you can follow this how-to:
    http://code.google.com/p/wl500g/wiki...CustomFirmware
    just install the crosscompiler:
    mkdir -p /opt/brcm
    tar -C /opt/brcm -jxvf hndtools-mipsel-uclibc-4.2.4.tar.bz2
    ln -sf /opt/brcm/hndtools-mipsel-uclibc-4.2.4 /opt/brcm/hndtools-mipsel-uclibc
    export PATH=$PATH:/opt/brcm/hndtools-mipsel-uclibc/bin
    after that you can configure the sources by:
    ./configure --prefix=/somewhere/to/save --host=mipsel-linux

  2. #2
    To get access to router's GUI from WAN try:

    Code:
    iptables -I INPUT -p tcp --dport 1024 -j ACCEPT
    If it does not work, execute

    Code:
    iptables -L INPUT -n -v
    and paste the result here.

    Regarding the dependencies you are having with OpenVPN and the mounting of drives, it sounds to me OpenVPN is configured to run something on one of the drives to mount, e.g. OpenVPN log. Try to configure OpenVPN so it is not depending on any drive to mount.

  3. #3

    client Openvpn in tap mode

    Hello,
    I am trying to set up openvpn (tap mode) on an Asus wl500gPv2.
    The implementation of the server does not pose a problem.
    But on the clients (4), when I run openvpn, the connection falls. No ping, and no SSH ...
    I tried creating the tap both manually and automatically, the classical way:
    openvpn --mktun --dev tap0
    bridge addif br-lan tap0
    ifconfig tap0 0.0.0.0 promisc up
    This procedure works, but when I run openvpn, nothing?? The network is down.

    NB: there is a problem of time but I installed ntpdate and I will update the time regularly.

    System: Backfire OpenWrt 10.03
    Thanks a lot.

    News:
    it works
    but I have to start openvpn without using the init script provided, by running openvpn --config myconf
    And only on clients? If someone knows why
    Last edited by totom17; 19-10-2010 at 15:33. Reason: new test

  4. #4
    I've openvpn running, and I'm not sure what you're saying
    btw, for dd-wrt it would be probably better to post in their forums, since we don't have many dd-wrt experts here.

    I still give it a shot tho

    I have additional firewall rules in oleg to make things work:
    #allow tun
    iptables -I INPUT -i tun0 -j ACCEPT
    iptables -I FORWARD -i tun0 -j ACCEPT
    iptables -I FORWARD -o tun0 -j ACCEPT
    iptables -I OUTPUT -o tun0 -j ACCEPT
    makes sure you can ping and everything

    and... openvpn clients should be tested outside your router, not in the LAN, otherwise it usually doesn't work because it messes with the routing

    for clients config (windows vista and above) you need 2 extra lines of config btw.. don't have them here atm

  5. #5

    Routing traffic with OpenVPN

    At my office I have a server running OpenVPN. At home I have a WL500gP with Open VPN as a client. I can connect to my office server and ping the network.
    At home I want to use the WL500 as a router to my office's network but the traffic isn't going there... I inserted 2 rules on the firewall to allow forwarding of the traffic from and to tun0.
    My question is: do I need masquerading? I just want a plain router...

    247 166K ACCEPT all -- * tun0 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- tun0 * 0.0.0.0/0 0.0.0.0/0

  6. #6
    You have to use "route", not "iptables"

  7. #7
    This is my route table:

    Destination Gateway Genmask Flags Metric Ref Use Iface
    10.64.64.64 * 255.255.255.255 UH 0 0 0 ppp0
    192.168.3.13 * 255.255.255.255 UH 0 0 0 tun0
    192.168.3.0 192.168.3.13 255.255.255.0 UG 0 0 0 tun0
    192.168.2.0 * 255.255.255.0 U 0 0 0 br0
    127.0.0.0 * 255.0.0.0 U 0 0 0 lo
    default 10.64.64.64 0.0.0.0 UG 0 0 0 ppp0

    My WL500 pings 192.168.3.0 network but the clients that connect to WL500 through the br0 interface can't. I think that the problem is that tun0 is a WAN interface so it's blocked. How can I change this to a LAN interface?

  8. #8
    Quote Originally Posted by AlexSantos View Post
    This is my route table:

    Destination Gateway Genmask Flags Metric Ref Use Iface
    10.64.64.64 * 255.255.255.255 UH 0 0 0 ppp0
    192.168.3.13 * 255.255.255.255 UH 0 0 0 tun0
    192.168.3.0 192.168.3.13 255.255.255.0 UG 0 0 0 tun0
    192.168.2.0 * 255.255.255.0 U 0 0 0 br0
    127.0.0.0 * 255.0.0.0 U 0 0 0 lo
    default 10.64.64.64 0.0.0.0 UG 0 0 0 ppp0

    My WL500 pings 192.168.3.0 network but the clients that connect to WL500 through the br0 interface can't. I think that the problem is that tun0 is a WAN interface so it's blocked. How can I change this to a LAN interface?
    Can you ping 192.168.3.13?

  9. #9
    No.
    From my Ubuntu PC at home I can ping 192.168.3.14 (which is the IP of the WL500) but I cannot ping 192.168.3.13 (which is the IP of the OpenVPN ppp server)

  10. #10

    OpenVPN client (router) freezes

    Hello,

    before I submit any configurations etc., I would like to know from anyone's
    previous experience why an OpenVPN client (router) freezes suddenly after
    the 1st ping is replied, at 3 seconds of running? It's non-responsive (requests
    time out, cannot access it through ssh, GUI etc.), so I have to re-plug the
    power cord.

    I just saw in the GUI how the router's CPU is loaded, then it freezes.
    The certificates are OK, the configurations look fine; Router#1 (server)
    accepts and serves very well the other OpenVPN PC clients from WAN
    (internet/intermediary upstream lan).

    Thank you


    I can provide both logs (client & server) with 3(default) and 9 verbose levels.
    Both routers have 2.1.4-2 OpenVPN packages installed.

    The scheme is like:

    ...........................Router#3's lan[10.10.10.0/24](cisco)
    .........................../.................................................\
    [Router#1-OpenVPN-Server]>[tunnel 10.8.0.0]<[Router#2-OpenVPN-Client]
    (wl-500gp v1)............................................(wl-500gp v2)
    ......(both LAN: 192.168.0.0/24, both WAN: 10.10.10.0/24)

  11. #11

    solved

    I left 1st router on 192.168.0.0/24 network and 2nd router on 192.168.1.0/24.

    Not freezing anymore.

  12. #12

    OpenVPN 2.1.4 Site-to-Site routed configuration question

    Hello,

    I am using a vpn routed configuration (see below)
    and I am trying to connect two lans.
    At this moment I am able to ping:

    1) from pc's from asus-vpn-server's lan (192.168.0.1):
    - ping 10.8.0.1 OK
    - ping 10.8.0.4 OK
    - ping 192.168.1.222 Request timed out.
    - ping 192.168.1.1 Request timed out.

    2) from asus-vpn-server (192.168.0.111):
    - ping 10.8.0.4 OK
    - ping 192.168.1.222 Request timed out.
    - ping 192.168.1.1 Request timed out.

    3) from asus-vpn-client (192.168.1.222):
    - ping 10.8.0.1 OK
    - ping 192.168.0.111 OK
    - ping 192.168.0.1 OK

    4) from pc's from asus-vpn-client's lan (192.168.1.1):
    - ping 10.8.0.1 Request timed out.
    - ping 10.8.0.4 OK
    - ping 192.168.0.111 Request timed out.
    - ping 192.168.0.1 Request timed out.

    I already added a route to asus-vpn-client (192.168.1.222),
    but without success (can't ping remote pc's from server's lan):
    route add -net 10.8.0.0 netmask 255.255.255.0 gw 192.168.1.222

    I need a hint, I am out of resources, I searched and read a lot...
    Thank you very much

    -------------------------------------------------
    --------------Configuration----------------------
    -------------------------------------------------

    WL-500gP1 (OpenVPN Server)
    ---------
    LAN: 192.168.0.111 255.255.255.0
    WAN: 10.10.10.10 255.255.255.0 (GW: 10.10.10.1)
    VPN: 10.8.0.1 255.255.255.0

    WL-500gP2 (OpenVPN Client)
    ---------
    LAN: 192.168.1.222 255.255.255.0
    WAN: 10.10.10.11 255.255.255.0 (GW: 10.10.10.1)
    VPN: 10.8.0.4 255.255.255.0

    ----------
    1. Server:
    ----------

    /usr/local/sbin/post-firewall
    =============================
    iptables -I OUTPUT -o tun+ -j ACCEPT
    iptables -I FORWARD -o tun+ -j ACCEPT
    iptables -I FORWARD -i tun+ -j ACCEPT
    iptables -I INPUT -i tun+ -j ACCEPT
    iptables -I INPUT -m udp -p udp --dport 1194 -j ACCEPT

    /opt/etc/init.d/S50openvpn
    ==========================
    # start
    # ...
    insmod tun.o
    echo 1 > /proc/sys/net/ipv4/ip_forward
    /opt/sbin/openvpn --cd /opt/etc/openvpn --daemon --config /opt/etc/openvpn/server.conf

    # stop
    # ...
    killall openvpn 2> /dev/null
    echo 0 > /proc/sys/net/ipv4/ip_forward
    rmmod tun

    /opt/etc/openvpn/server.conf
    ============================
    port 1194
    proto udp
    dev tun
    server 10.8.0.0 255.255.255.0
    ifconfig 10.8.0.1 10.8.0.2
    ifconfig-pool-persist /opt/etc/openvpn/ipp.txt
    ### content of ipp.txt:
    ### Client,10.8.0.4
    ca /opt/etc/openvpn/easy-rsa/keys/ca.crt
    cert /opt/etc/openvpn/easy-rsa/keys/server.crt
    key /opt/etc/openvpn/easy-rsa/keys/server.key
    dh /opt/etc/openvpn/easy-rsa/keys/dh1024.pem
    tls-auth /opt/etc/openvpn/easy-rsa/keys/ta.key 0
    cipher BF-CBC
    push "route 192.168.0.0 255.255.255.0"
    topology subnet
    log-append /opt/var/log/openvpn.log
    verb 3
    script-security 2
    up /opt/etc/openvpn/openvpn.up
    ### content of openvpn.up:
    ### #!/bin/sh
    ### route add -net 10.8.0.0 netmask 255.255.255.0 gw 192.168.0.111
    down /opt/etc/openvpn/openvpn.down
    user nobody
    group nobody
    comp-lzo
    persist-tun
    persist-key
    keepalive 10 60

    ----------
    2. Client:
    ----------

    /opt/etc/init.d/S50openvpn
    ==========================
    # start
    # ...
    insmod tun.o
    echo 1 > /proc/sys/net/ipv4/ip_forward
    /opt/sbin/openvpn --cd /opt/etc/openvpn --daemon --config /opt/etc/openvpn/client.conf

    # stop
    # ...
    killall openvpn 2> /dev/null
    echo 0 > /proc/sys/net/ipv4/ip_forward
    rmmod tun

    /usr/local/sbin/post-firewall
    =============================
    iptables -I OUTPUT -o tun+ -j ACCEPT
    iptables -I FORWARD -o tun+ -j ACCEPT
    iptables -I FORWARD -i tun+ -j ACCEPT
    iptables -I INPUT -i tun+ -j ACCEPT
    iptables -I INPUT -m udp -p udp --dport 1194 -j ACCEPT

    /opt/etc/openvpn/client.conf
    ============================
    client
    remote 10.10.10.10 1194
    proto udp
    dev tun
    resolv-retry infinite
    nobind
    ca /opt/etc/openvpn/easy-rsa/keys/ca.crt
    cert /opt/etc/openvpn/easy-rsa/keys/client.crt
    key /opt/etc/openvpn/easy-rsa/keys/client.key
    tls-auth /opt/etc/openvpn/easy-rsa/keys/ta.key 1
    cipher BF-CBC
    ns-cert-type server
    log-append /opt/var/log/openvpn.log
    verb 3
    script-security 2
    comp-lzo
    persist-tun
    persist-key
    user nobody
    group nobody
    keepalive 10 60
    Last edited by fukushimaku; 05-05-2011 at 15:19. Reason: Request timed out (instead of no response, my mistake)

  13. #13

    solved 1/2

    I am able to ping from 192.168.1.0/24 hosts the hosts from 192.168.0.0/24

    I added the following line in client's configuration (client.conf):

    up /opt/etc/openvpn/openvpn.up

    ### content of openvpn.up:
    #!/bin/sh
    iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o tun+ -j MASQUERADE

  14. #14

    Solved 100%

    According to OpenVPN's documentation,
    http://openvpn.net/index.php/open-so...wto.html#scope
    I added:

    1. two other lines in server's configuration (../server.conf):
    ---
    client-config-dir /opt/etc/openvpn/ccd
    route 192.168.1.0 255.255.255.0 10.8.0.1
    ---

    2. also, in the above directory (../ccd) created a file named "ABCD",
    where ABCD is the content of "CN" field from the certificate-file
    /opt/etc/openvpn/easy-rsa/keys/client.crt

    This file contains:
    ---
    iroute 192.168.1.0 255.255.255.0
    ---

    The results are:

    - can ping the client's pcs from the server
    - cannot ping the client's pcs from the server's lan
    - cannot ping anymore the server's pcs from the client's lan
    - cannot ping anymore the server's pcs from the client

    Throwing my eyes on net, I have read:
    https://community.openvpn.net/openvpn/ticket/90

    and finally add:

    1. to client's file /opt/etc/openvpn/openvpn.up
    ---
    route add -net 192.168.0.0 netmask 255.255.255.0 gw 10.8.0.5
    ---

    2. to server's file /opt/etc/openvpn/server.conf
    ---
    ## this line, erased >> topology subnet
    ## this line, erased too >> route 192.168.1.0 255.255.255.0 10.8.0.1
    ## add new line, below:
    route 192.168.1.0 255.255.255.0
    ---

    3. to server's file /opt/etc/openvpn/openvpn.up
    ---
    iptables -t nat -A POSTROUTING -s 10.8.0.1/24 -o br0 -j MASQUERADE
    ---

    Now I can ping everything. Happy Happy Joy Joy !!!

    Hope it helps any other people who crush his/her
    head with site-to-site routed OpenVPN on Asus/etc
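
Added example, not part of the original posts: the site-to-site setup in post #14 depends on every `route` line in server.conf having a matching `iroute` line in a file under the client-config-dir. The script below cross-checks the two on a constructed sample that mirrors the thread's addressing; the function names and the extra subnet 192.168.5.0 are assumptions made for illustration.

```shell
#!/bin/sh
# Cross-check server.conf "route" lines against ccd "iroute" lines.
# Prints one line per route: "<net> <mask> <ccd file>" or "<net> <mask> MISSING".
check_iroutes() {
    conf=$1
    ccd=$2
    # "route NET MASK [GW]" installs the kernel route on the server side.
    # Lines starting with "push" or "#" have a different first field and are skipped.
    awk '$1 == "route" { print $2, $3 }' "$conf" |
    while read -r net mask; do
        owner=""
        for f in "$ccd"/*; do
            [ -f "$f" ] || continue
            # "iroute NET MASK" tells OpenVPN which client owns that subnet.
            if awk -v n="$net" -v m="$mask" \
                '$1 == "iroute" && $2 == n && $3 == m { found = 1 }
                 END { exit !found }' "$f"
            then
                owner=$(basename "$f")
                break
            fi
        done
        echo "$net $mask ${owner:-MISSING}"
    done
}

# Constructed sample: "ABCD" is the post's stand-in for the client certificate CN;
# the 192.168.5.0 route is invented here to show the failure case.
make_sample() {
    dir=$(mktemp -d)
    mkdir "$dir/ccd"
    cat > "$dir/server.conf" <<'EOF'
server 10.8.0.0 255.255.255.0
client-config-dir /opt/etc/openvpn/ccd
route 192.168.1.0 255.255.255.0
route 192.168.5.0 255.255.255.0
push "route 192.168.0.0 255.255.255.0"
EOF
    echo "iroute 192.168.1.0 255.255.255.0" > "$dir/ccd/ABCD"
    echo "$dir"
}

sample=$(make_sample)
check_iroutes "$sample/server.conf" "$sample/ccd"
rm -rf "$sample"
```

A route reported as MISSING reaches the server's kernel routing table, but OpenVPN has no client to hand the packets to, which matches the one-way ping results described in the thread.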
