Sending all traffic through the VPN?

Got a problem with Viscosity or need help? Ask here!

James

User avatar
Posts: 1898
Joined: Thu Sep 04, 2008 9:27 pm

Post by James » Fri Mar 06, 2009 7:23 pm
hmmm seems that enabling send all trafic over vpn connection doesn't work
If using a TUN interface DD-WRT needs to be configured to perform NAT on the interface (and firewall rules adjusted to allow the VPN traffic out and in). If using a TAP based interface, it would need to be bridged with the main LAN interface, and the firewall rules also adjusted.

I plan on setting up a DD-WRT box when I get the chance to take a look, however I'm afraid it has been flat out around here so far!

Regards,
James
James Bekkema
Viscosity Developer

Web: http://www.sparklabs.com
Support: http://www.sparklabs.com/support
Twitter: http://twitter.com/sparklabs

mutz

Posts: 9
Joined: Thu Mar 05, 2009 8:40 pm

Post by mutz » Fri Mar 06, 2009 10:00 pm
thanks for the reply :)
here are my settings

Firmware: DD-WRT v24-sp2 (01/29/09) vpn
All my machines have static IP's

DD-WRT server settings
Code: Select all
push "route 192.168.80.0 255.255.255.0" 
server 192.168.90.0 255.255.255.0 
verb 5
dev tun0 
proto udp 
keepalive 10 120 
dh /tmp/openvpn/dh.pem 
ca /tmp/openvpn/ca.crt 
cert /tmp/openvpn/cert.pem 
key /tmp/openvpn/key.pem
comp-lzo
dd-wrt firewall settings
Code: Select all
iptables -I INPUT 1 -p tcp --dport 1194 -j ACCEPT
iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT
iptables -I FORWARD 1 --source 192.168.90.0/24 -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
viscosity settings
Code: Select all
#-- Config Auto Generated By Viscosity --#

#viscosity startonopen false
#viscosity dhcp true
#viscosity dnssupport true
#viscosity name VPN
persist-key
tls-client
remote ****redacted**** 1194
proto udp
ca ca.crt
dev tun
persist-tun
cert cert.crt
comp-lzo
nobind
key key.key
pull
ns-cert-type server
output when viscosity is connecting
Code: Select all
Fri Mar  6 10:37:51 2009: IMPORTANT: OpenVPN's default port number is now 1194
Fri Mar  6 10:37:51 2009: LZO compression initialized
Fri Mar  6 10:37:52 2009: UDPv4 link local: [undef]
Fri Mar  6 10:37:52 2009: UDPv4 link remote: ***redacted***:1194
Fri Mar  6 10:37:53 2009: [server] Peer Connection Initiated with ***redacted***:1194
Fri Mar  6 10:37:54 2009: Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:3: topology (2.0.9)
Fri Mar  6 10:37:54 2009: gw 192.168.1.100
Fri Mar  6 10:37:54 2009: TUN/TAP device /dev/tun0 opened
Fri Mar  6 10:37:54 2009: /sbin/ifconfig tun0 delete
Fri Mar  6 10:37:54 2009: NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
Fri Mar  6 10:37:54 2009: /sbin/ifconfig tun0 192.168.90.10 192.168.90.9 mtu 1500 netmask 255.255.255.255 up
Fri Mar  6 10:37:54 2009: /Applications/Viscosity.app/Contents/Resources/dnsup.py tun0 1500 1542 192.168.90.10 192.168.90.9 init
Fri Mar  6 10:37:54 2009: Initialization Sequence Completed
Always get the "Options error: Unrecognized option or missing... "
If you want i can give you access to my router or i can try to use new configurations...

cheers
Lieven

If you want i can give you the output of the dd-wrt console when connecting.

mutz

Posts: 9
Joined: Thu Mar 05, 2009 8:40 pm

Post by mutz » Thu Mar 12, 2009 10:55 pm
Update!!!

Finally got it working
my new viscosity settings
Code: Select all
#-- Config Auto Generated By Viscosity --#

#viscosity startonopen false
#viscosity dhcp true
#viscosity dnssupport true
#viscosity name VPN_kerberos test ok
persist-key
tls-client
remote xxxredactedxxx 1194
proto udp
ca ca.crt
redirect-gateway def1
dev tun
persist-tun
cert cert.crt
comp-lzo
nobind
key key.key
pull
ns-cert-type server
The problem seemed to be a DNS server problem at my work we used isp (adsl) x dns-servers and at home i use opendns servers with Y isp (cable). You can't use the isp x dns-servers on isp y network. Switching to opendns did the trick

8-)

didn't try dhcp yet i'm always using static ips's... but so far so good

http://www.opendns.com/

super_kev

Posts: 17
Joined: Fri Nov 14, 2008 3:05 am

Post by super_kev » Wed Mar 25, 2009 7:27 am
mutz,
Can you explain
Code: Select all
push "route 192.168.80.0 255.255.255.0" 
server 192.168.90.0 255.255.255.0 
for me? I'm trying to connect to a router with a LAN of 192.168.1.1, handing out DHCP addresses starting at 192.168.1.100. I changed both the 80.0 & 90.0 to 1.1 (192.168.1.1), but I'm still getting: "TLS Error: TLS key negotiation failed to occur within 60 seconds... SIGUSR1[soft", etc. So that means I either have bad certificates (just generated them this morning using OpenVPN's easy-rsa tools) or I'm missing something in the config. I've copied your config and I'm using a slightly newer VPN build (3/19/09) but it should work....

mutz

Posts: 9
Joined: Thu Mar 05, 2009 8:40 pm

Post by mutz » Wed Mar 25, 2009 10:40 am
Code: Select all
push "route 192.168.80.0 255.255.255.0"
server 192.168.90.0 255.255.255.0 
the push is my 192.168.80.0 is my lan network at home
server 192.168.90.0 is the lan network that is created by openvpn on the tun interface... no need set that the same as your 'real' local network
At my work the where i use viscosity to connect to my router they have a 192.168.80.1 network.
I think openvpn doesn't work if both the lan at place x and then lan at home are the same range.

I had the tls error too i think something wrong with your keys

follow the steps from this thread http://www.dd-wrt.com/phpBB2/viewtopic. ... ht=openvpn

starting from
Paste in the Certificates

The certs (and keys) generated above, on your regular workstation computer, will located be in the new directory "keys". Paste those files into the DD-WRT web interface as follows:

For a DD-WRT OpenVPN Server:

Code:
Public Server Cert > ca.crt
Certificate Revoke List (CRL) > (blank)
Public Client Cert > server.crt
Private Client Key > server.key
DH PEM > dh1024.pem
OpenVPN Config > (see below)
OpenVPN TLS Auth > (blank)


NOTE: Only paste in the sections that appear between
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
in the text files, including the two ---BEGIN/END CERTIFICATE--- lines above. Do not paste all the descriptive stuff above that section
.

Also, set "Start OpenVPN: Enable" and "Start type: WAN Up". (Bug: 2008-07-31 setting "Start type: System" causes OpenVPN to die during the first connection attempt.)
to create your keys correctly look at http://openmaniak.com/openvpn_pki.php

Try to use http and not https to enter all the stuff into you router theres a bug in dd-wrt that cuts of a portion of pasted text when saving and as a result you get a partially stored key
Troubleshooting

Prerequisite: Running commands and watching logs.

Use telnet, SSH, or Administration > Commands to run commands.
The default username/password are user: "root", password: "admin".

To troubleshoot, you should turn on logging, and then watch the log file using this command:
Code:
tail -f /var/log/messages
Was helpful for me to get everything running

Sorry for all the cut and pasting cause it was alot of trying and rebooting of the router before everything was ok. :oops:

super_kev

Posts: 17
Joined: Fri Nov 14, 2008 3:05 am

Post by super_kev » Wed Mar 25, 2009 4:24 pm
This is my log... it looks like I have an invalid certificate, but it doesn't make sense, as I've generated all new keys/certs/etc. on a Windows machine twice (using OpenVPN's easy-rsa) and then on OS X 10.5 twice (using built-in OpenSSL & OpenVPN config files). Rebooted router, reset configs, etc.
Code: Select all
Mar 24 22:03:33 DD-WRT daemon.notice openvpn[15502]: xx.xxx.xxx.xxx:60432 Re-using SSL/TLS context
Mar 24 22:03:33 DD-WRT daemon.notice openvpn[15502]: xx.xxx.xxx.xxx:60432 LZO compression initialized
Mar 24 22:03:33 DD-WRT daemon.notice openvpn[15502]: xx.xxx.xxx.xxx:60432 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Mar 24 22:03:33 DD-WRT daemon.notice openvpn[15502]: xx.xxx.xxx.xxx:60432 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Mar 24 22:03:33 DD-WRT daemon.notice openvpn[15502]: xx.xxx.xxx.xxx:60432 TLS: Initial packet from xx.xxx.xxx.xxx:60432, sid=xxxxxxxxx xxxxxxxxx
Mar 24 22:03:39 DD-WRT daemon.err openvpn[15502]: xx.xxx.xxx.xxx:60432 VERIFY ERROR: depth=1, error=certificate is not yet valid: /C=US/ST=XX/L=TEST/O=TEST/CN=master-TEST/[email protected]
Mar 24 22:03:39 DD-WRT daemon.err openvpn[15502]: xx.xxx.xxx.xxx:60432 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:lib(20):func(137):reason(178)
Mar 24 22:03:39 DD-WRT daemon.err openvpn[15502]: xx.xxx.xxx.xxx:60432 TLS Error: TLS object -> incoming plaintext read error
Mar 24 22:03:39 DD-WRT daemon.err openvpn[15502]: xx.xxx.xxx.xxx:60432 TLS Error: TLS handshake failed
Mar 24 22:03:39 DD-WRT daemon.notice openvpn[15502]: xx.xxx.xxx.xxx:60432 SIGUSR1[soft,tls-error] received, client-instance restarting

mutz

Posts: 9
Joined: Thu Mar 05, 2009 8:40 pm

Post by mutz » Wed Mar 25, 2009 8:54 pm
Hi kev.
Code: Select all
60432 VERIFY ERROR: depth=1, error=certificate is not yet valid: /C=US/ST=XX/L=TEST/O=TEST/CN=master-TEST/[email protected]
First of all, is your system date/time of dd-wrt running okay? i would suggest you setup NTP on dd-wrt somewhere so you have a correct date/time do the same on your mac...

Not sure that's the problem but my experience with kerberos and open directory says your date/time have to be OK for all the certificate magic to work

another good info page
http://openvpn.net/index.php/documentation/howto.html

super_kev

Posts: 17
Joined: Fri Nov 14, 2008 3:05 am

Post by super_kev » Wed Mar 25, 2009 11:59 pm
Yep, time is working... even have it using time.apple.com (since the Macs use that).

mutz

Posts: 9
Joined: Thu Mar 05, 2009 8:40 pm

Post by mutz » Thu Mar 26, 2009 2:55 am
check out http://forum.openwrt.org/viewtopic.php?id=4925
remove the tls option and try again

Oh one more thing
DD-wrt uses openvpn 2.0.x i think i tried viscosity on 2.1 and it doesn't work (preferences -> advanced)

super_kev

Posts: 17
Joined: Fri Nov 14, 2008 3:05 am

Post by super_kev » Fri Mar 27, 2009 12:22 am
Well I'm not using the TLS option (should have mentioned that... the OpenVPN TLS Auth field is blank) and so I don't have tls-client or tls-server in my configs.
35 posts Page 3 of 4