Ξ welcome to cryptostorm's member forums ~ you don't have to be a cryptostorm member to post here Ξ
Ξ any OpenVPN configs found on the forum are likely outdated. For the latest, visit here or GitHub Ξ
Ξ If you're looking for tutorials/guides, check out the new https://cryptostorm.is/#section6 Ξ

OpenWrt TLS problem

Topic Author
Tealc
ForumHelper
Posts: 238
Joined: Tue Jan 28, 2014 12:38 am

OpenWrt TLS problem

Post by Tealc » Fri Oct 17, 2014 10:00 pm

Hi there community!

So I've started doing some work to get my WDR3600 with OpenWrt Attitude Adjustment 12.09 to behave like normal routers :-D and have one dedicated wifi (radio1) to access the CS VPN while the rest of the network keeps the normal connection (eth0 to eth5 & radio0).
Currently I'm running a separate router with DD-WRT connected to CS to give out a wifi signal just for that, but this isn't a good option since with this I have 3 routers running: cable provider, WDR3600 and the TPLink.

I've read this topic viewtopic.php?f=37&t=4480 and I figured out that the method there isn't good anymore (it actually bricked my router), so I Googled it, found some bits here and there and started compiling a new HOWTO to give out to the community. The most difficult part, or so I thought, was to correctly install the openvpn luci app since it's deprecated and no longer maintained by the makers, but that's ok, I now have a new "folder" in the Luci interface with "services" and "openvpn".

But I came across a problem that I just can't seem to bypass:
Oct 16 22:10:53 WDR3600 daemon.err openvpn(cryptostorm)[9611]: Authenticate/Decrypt packet error: packet HMAC authentication failed
Oct 16 22:13:42 WDR3600 daemon.err openvpn(cryptostorm)[9611]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Oct 16 22:13:42 WDR3600 daemon.err openvpn(cryptostorm)[9611]: TLS Error: TLS handshake failed
Oct 16 22:20:19 WDR3600 daemon.err openvpn(cryptostorm)[15861]: Problem with cipher list: TLS-DHE-RSA-WITH-AES-256-CBC-SHA: error:1410D0B9:lib(20):func(269):reason(185)
Oct 16 22:20:28 WDR3600 daemon.err openvpn(cryptostorm)[15867]: Problem with cipher list: TLS-DHE-RSA-WITH-AES-256-CBC-SHA: error:1410D0B9:lib(20):func(269):reason(185)
Oct 16 22:24:46 WDR3600 daemon.err openvpn(cryptostorm)[15955]: Authenticate/Decrypt packet error: packet HMAC authentication failed
Oct 16 22:24:56 WDR3600 daemon.err openvpn(cryptostorm)[15955]: read UDPv4 [EHOSTUNREACH|EHOSTUNREACH|EHOSTUNREACH|EHOSTUNREACH|EHOSTUNREACH
This problem has to do with the vpn config file, since I can't add the cipher that CS uses, or maybe I'm wrong?

VPN Conf file:
config openvpn 'cryptostorm'
	option dev 'tun'
	option proto 'udp'
	option dev_type 'tun'
	option nobind '1'
	option persist_key '1'
	option float '1'
	option client '1'
	option reneg_sec '0'
	option comp_lzo '1'
	option remote '94.46.8.228'
	option persist_tun '1'
	option port '443'
	# added the latest CA
	option ca '/etc/openvpn/TrustedRoot.pem'
	# chmod 600
	list auth_user_pass '/etc/openvpn/client.dat'
	option cipher 'AES-256-CBC'
	option verb '11'
	option tls_client '1'
As everyone can see I didn't add the "tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA" command because that crashes the openvpn app and it doesn't even boot the luci interface, and when I do it from the command line and force it to start it gives out "Problem with cipher list: TLS-DHE-RSA-WITH-AES-256-CBC-SHA: error:1410D0B9:lib(20):func(269):reason(185)". I've searched for this and it seems it's not a problem per se (https://community.openvpn.net/openvpn/ticket/304) but I can't find a solution.

So I'm asking the almighty openvpn gods to tell me what the hell I'm doing wrong?

Thank you

df
Site Admin
Posts: 387
Joined: Thu Jan 01, 1970 5:00 am

Re: OpenWrt TLS problem

Post by df » Sat Oct 18, 2014 11:56 am

Yeah, you need the tls-cipher bit and it has to be set to the correct ciphers in order to connect.

Try doing the command `openssl ciphers -v DHE-RSA-AES256-SHA` to see if that cipher is even supported. Pretty sure that 1410D0B9 error code means it's not. If that's the case, you'll have to find a way to upgrade openssl.
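
As an added example (my own script, not code from the thread, cryptostorm or OpenVPN): the check above, done for a whole `tls-cipher` list at once, in the POSIX sh that BusyBox on OpenWrt provides. OpenVPN accepts suite names in IANA spelling (`TLS-DHE-RSA-WITH-AES-256-CBC-SHA`) and hands OpenSSL its own spelling (`DHE-RSA-AES256-SHA`); "Problem with cipher list ... error:1410D0B9" is OpenSSL's SSL_R_NO_CIPHER_MATCH, meaning none of the translated names matched a compiled-in suite. The sed translation table is my approximation of OpenVPN's rewrite and covers the usual RSA/DHE/ECDHE suites only; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the thread, cryptostorm or OpenVPN): check every entry
# of an OpenVPN tls-cipher list against the OpenSSL that is actually installed.
# OpenVPN takes IANA-style names (TLS-DHE-RSA-WITH-AES-256-CBC-SHA) and hands
# OpenSSL its own spelling (DHE-RSA-AES256-SHA); "Problem with cipher list ...
# error:1410D0B9" (SSL_R_NO_CIPHER_MATCH) means OpenSSL matched none of them.

# Translate one IANA/OpenVPN suite name to OpenSSL's spelling. The sed table is
# my approximation of the rewrite OpenVPN applies; it covers the common
# RSA/DHE/ECDHE suites, not every suite OpenSSL knows.
iana_to_openssl() {
    printf '%s\n' "$1" | sed \
        -e 's/^TLS-//' \
        -e 's/-WITH-/-/' \
        -e 's/^RSA-//' \
        -e 's/AES-128-CBC/AES128/' \
        -e 's/AES-256-CBC/AES256/' \
        -e 's/AES-128-GCM/AES128-GCM/' \
        -e 's/AES-256-GCM/AES256-GCM/' \
        -e 's/CAMELLIA-128-CBC/CAMELLIA128/' \
        -e 's/CAMELLIA-256-CBC/CAMELLIA256/' \
        -e 's/3DES-EDE-CBC/DES-CBC3/' \
        -e 's/CHACHA20-POLY1305-SHA256/CHACHA20-POLY1305/'
}

# Does the local OpenSSL know this (OpenSSL-spelled) suite? `openssl ciphers`
# exits non-zero with "Error in cipher list" when it does not. This is the
# per-name version of `openssl ciphers -v DHE-RSA-AES256-SHA`.
openssl_has_cipher() {
    openssl ciphers "$1" >/dev/null 2>&1
}

# Check a colon-separated tls-cipher list. Prints one line per suite and
# returns 1 if any suite is missing, which is the condition under which
# OpenVPN refuses to start with that list.
check_tls_cipher_list() {
    rc=0
    old_ifs=$IFS
    IFS=:
    for iana in $1; do
        IFS=$old_ifs
        ossl=$(iana_to_openssl "$iana")
        if openssl_has_cipher "$ossl"; then
            printf 'ok       %-40s -> %s\n' "$iana" "$ossl"
        else
            printf 'MISSING  %-40s -> %s\n' "$iana" "$ossl"
            rc=1
        fi
    done
    IFS=$old_ifs
    return $rc
}

# Usage: sh check_tls_cipher.sh 'TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA'
# If every line says ok, the tls-cipher line is not what breaks the handshake;
# look at the HMAC / "TLS handshake failed" messages instead.
if [ -n "${1:-}" ]; then
    check_tls_cipher_list "$1"
fi
```

Run it on the router itself, not on a desktop: the point is that the OpenSSL the `openvpn` binary links against (check with `ldd`) is the one answering, so if `which openssl` resolves to a different build the result can be misleading.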

Topic Author
Tealc
ForumHelper
Posts: 238
Joined: Tue Jan 28, 2014 12:38 am

Re: OpenWrt TLS problem

Post by Tealc » Sat Oct 18, 2014 12:33 pm

root@WDR3600:~# openssl ciphers -v DHE-RSA-AES256-SHA
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1

df
Site Admin
Posts: 387
Joined: Thu Jan 01, 1970 5:00 am

Re: OpenWrt TLS problem

Post by df » Sat Oct 18, 2014 12:34 pm

Well wtf. `openssl version`? `openvpn --version` too while you're at it.

Topic Author
Tealc
ForumHelper
Posts: 238
Joined: Tue Jan 28, 2014 12:38 am

Re: OpenWrt TLS problem

Post by Tealc » Sat Oct 18, 2014 12:57 pm

OpenSSL 1.0.1e 11 Feb 2013 (Library: OpenSSL 1.0.1h 5 Jun 2014)

Yeah, it's outdated, but it should work, no?

df
Site Admin
Posts: 387
Joined: Thu Jan 01, 1970 5:00 am

Re: OpenWrt TLS problem

Post by df » Sat Oct 18, 2014 1:10 pm

Not sure if it's causing this, but having different openssl versions on one system has always caused problems with anything to do with ssl. Since OpenVPN is probably using shared libraries, see if you can upgrade openssl.

Do:
ldd `which openssl`|grep crypto.so
ldd `which openvpn`|grep crypto.so

To see what directory the libcrypto.so.* libraries are. If you can compile openssl, try fiddling with --prefix to get those libs in the same dir that openvpn is looking for them in.
That or recompile openvpn and point it to a newer openssl install.

For use with openvpn, I usually use these configure args to compile openssl:
./config --prefix=/usr -fPIC no-gost shared zlib


Also, maybe throw in an "option log '/tmp/somelog'" in your vpn conf too since you already have verb set to 11 (that is, if it's not already in there and you just omitted it when you pasted your conf above).

marzametal
Posts: 430
Joined: Mon Aug 05, 2013 11:39 am

Re: OpenWrt TLS problem

Post by marzametal » Sat Oct 18, 2014 1:25 pm

I love you hardcore nerds... I am severely tempted to get drunk, hop on a train from one side of the country to another... and read these forum posts out loud.

df
Site Admin
Posts: 387
Joined: Thu Jan 01, 1970 5:00 am

Re: OpenWrt TLS problem

Post by df » Sat Oct 18, 2014 1:28 pm

:geek:

Topic Author
Tealc
ForumHelper
Posts: 238
Joined: Tue Jan 28, 2014 12:38 am

Re: OpenWrt TLS problem

Post by Tealc » Sat Oct 18, 2014 1:29 pm

~# ldd `which openssl`|grep crypto.so
libcrypto.so.1.0.0 => /usr/lib/libcrypto.so.1.0.0 (0x777e7000)
~# ldd `which openvpn`|grep crypto.so
libcrypto.so.1.0.0 => /usr/lib/libcrypto.so.1.0.0 (0x76fcb000)

And the log is on, that's how I got the errors logged, but it seems I did a bad copy-paste and forgot about that.

Topic Author
Tealc
ForumHelper
Posts: 238
Joined: Tue Jan 28, 2014 12:38 am

Re: OpenWrt TLS problem

Post by Tealc » Sat Oct 18, 2014 1:31 pm

And since we're talking about this, I have another problem: when I get this to work ALL connections will go through the VPN, but I want only radio1 (wlan1) to do that. Do you think this is something we can do with iptables? If so, do you know where I can get some help with this?

df
Site Admin
Posts: 387
Joined: Thu Jan 01, 1970 5:00 am

Re: OpenWrt TLS problem

Post by df » Sat Oct 18, 2014 1:52 pm

That's odd. That says they're both using the same libs. Maybe the $PATH environment variable is set with /usr/local/bin before /usr/bin or something else different, so the `which` command isn't being accurate.
Do `whereis openssl;whereis openvpn`. If there's more than one openssl, do `ldd` against it again and see if those libcrypto.so's are different.

But even if they are, I'm still leaning towards compiling openvpn and openssl from source to fix this problem.

As for the other thing, google found me this (and I just changed a tiny bit)

ip route add default table 100 via [Your ISP's Gateway]
ip rule add fwmark 1 table 100
ip route flush cache
iptables -t mangle -I PREROUTING -p tcp -s [The IP address of the interface you DONT want to go through the VPN] -j MARK --set-mark 1
or do the reverse:

ip route add default table 100 via [Cryptostorm's gateway. It'll look like 10.44.0.1, just gotta login to that instance from another system to see if it's 10.44 or 10.33 or 10.88 or whatever, as long as it ends in .0.1]
ip rule add fwmark 1 table 100
ip route flush cache
iptables -t mangle -I PREROUTING -p tcp -s [The IP address of the interface you DO want to go through the VPN] -j MARK --set-mark 1
Something like that would work, maybe mod it a bit to not just work with tcp. By interface name maybe?
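
As an added example that is not from the thread, cryptostorm's docs or any linked guide: a POSIX sh script (BusyBox-compatible) that turns the "reverse" variant above into something you can review before running on an OpenWrt box. It marks by ingress interface instead of by source address and `-p tcp`, so every protocol from the VPN wifi takes the tunnel, and it adds a reject rule so those clients cannot fall back to the ISP if tun0 disappears. The interface names, the `10.44.0.1` tunnel gateway, table 100, the mark and the `192.168.0.0/16` "keep local" range are assumptions modelled on Tealc's layout. It also assumes the OpenVPN client is started with `route-nopull` (in UCI, `option route_nopull '1'`) so the pushed redirect-gateway does not replace the ISP default route in the main table; without that, every client still ends up in the tunnel.

```shell
#!/bin/sh
# Added example, not code from the thread or from cryptostorm: route only the
# clients of one interface (the "VPN wifi") through the OpenVPN tunnel on
# OpenWrt, keeping the ISP as the default route for everything else. Assumes
# OpenVPN runs with route-nopull so the main table's default route stays on the
# ISP. Every value below is an assumption for Tealc's layout; override via env.

VPN_IF="${VPN_IF:-wlan1}"            # clients arriving here must use the VPN
TUN_IF="${TUN_IF:-tun0}"             # OpenVPN tunnel device
TUN_GW="${TUN_GW:-10.44.0.1}"        # gateway inside the tunnel (see: ip route show dev tun0)
LAN_NET="${LAN_NET:-192.168.0.0/16}" # private range that must stay local, not enter the tunnel
TABLE="${TABLE:-100}"                # id of the extra routing table
MARK="${MARK:-0x1}"                  # fwmark that selects that table

# Print the commands instead of running them, so they can be read (or checked
# by a script) before they touch a live router.
policy_commands() {
    cat <<EOF
ip route replace default via $TUN_GW dev $TUN_IF table $TABLE
ip rule add to $LAN_NET lookup main priority 90
ip rule add fwmark $MARK lookup $TABLE priority 100
ip route flush cache
sysctl -w net.ipv4.conf.$TUN_IF.rp_filter=2
iptables -t mangle -A PREROUTING -i $VPN_IF -j MARK --set-mark $MARK
iptables -t nat -A POSTROUTING -o $TUN_IF -j MASQUERADE
iptables -I FORWARD -i $VPN_IF ! -o $TUN_IF ! -d $LAN_NET -j REJECT
EOF
}
# Why each line:
#  - table 100 holds only a default route via the tunnel;
#  - rule prio 90 keeps traffic for the local subnets on the main table, so
#    VPN-wifi clients still reach the router and the normal LAN;
#  - rule prio 100 sends everything else that carries the mark to table 100;
#  - rp_filter=2 (loose) on tun0: replies arrive on tun0 for sources that the
#    main table would route via the ISP, which strict rp_filter (1) drops;
#    the kernel uses max(all, interface), so this wins over a global 1;
#  - the mangle rule marks every packet that enters on the VPN wifi;
#  - MASQUERADE on tun0: the tunnel only knows the router's own tunnel address;
#  - the FORWARD reject is the leak guard: VPN-wifi traffic that is not local
#    and not leaving via tun0 (tunnel down, route gone) is refused, not sent
#    to the ISP.

# The same rules removed again, in reverse order.
undo_commands() {
    cat <<EOF
iptables -D FORWARD -i $VPN_IF ! -o $TUN_IF ! -d $LAN_NET -j REJECT
iptables -t nat -D POSTROUTING -o $TUN_IF -j MASQUERADE
iptables -t mangle -D PREROUTING -i $VPN_IF -j MARK --set-mark $MARK
ip rule del fwmark $MARK lookup $TABLE priority 100
ip rule del to $LAN_NET lookup main priority 90
ip route flush table $TABLE
EOF
}

# Execute a command list line by line, echoing each and stopping on the first
# failure so a half-applied policy is visible rather than silent.
run_commands() {
    "$1" | while IFS= read -r cmd; do
        printf '+ %s\n' "$cmd"
        $cmd || { printf 'failed: %s\n' "$cmd" >&2; exit 1; }
    done
}

# Usage: sh vpn-wifi-policy.sh show | apply | undo   (no argument = show)
case "${1:-show}" in
    show)  policy_commands ;;
    apply) run_commands policy_commands ;;
    undo)  run_commands undo_commands ;;
    *)     echo "usage: $0 show|apply|undo" >&2; exit 2 ;;
esac
```

Two caveats that are outside the script: the rules do not survive a reboot or an OpenVPN reconnect on their own, so on OpenWrt the usual place is an OpenVPN `up`/`down` script or `/etc/firewall.user`; and DNS is not covered, since VPN-wifi clients asking the router's dnsmasq will have their queries forwarded over the ISP path unless dnsmasq is told to use a resolver reachable through the tunnel for that interface.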

Topic Author
Tealc
ForumHelper
Posts: 238
Joined: Tue Jan 28, 2014 12:38 am

Re: OpenWrt TLS problem

Post by Tealc » Sat Oct 18, 2014 2:07 pm

sudo ip rule add fwmark 1 table 100​
Error: argument "100​" is wrong: invalid table ID

df
Site Admin
Posts: 387
Joined: Thu Jan 01, 1970 5:00 am

Re: OpenWrt TLS problem

Post by df » Sat Oct 18, 2014 2:10 pm

Works fine on centos and ubuntu. Oh well, get back to getting openvpn/openssl compiling on there first, then worry about iptables :-P

As for me, I'm going to bed. Have fun!

Topic Author
Tealc
ForumHelper
Posts: 238
Joined: Tue Jan 28, 2014 12:38 am

Re: OpenWrt TLS problem

Post by Tealc » Sun Oct 19, 2014 5:21 pm

Just a small update: I've done all the upgrading of openvpn and openssl, and it wasn't easy.

I can now connect to CS with openvpn, but it forces my router to send all traffic through the vpn, and that's not what I'm seeking.
Currently I run OpenWRT on a WDR6000 (dual wifi antennas) and I would like one wifi & lan to go to my cable provider and the other to the VPN.

My network it's like this:

Cable Provider ISP - Modem 192.168.0.1

WDR6000 interfaces:
WAN 192.168.0.11
LAN & RADIO0 192.168.1.1
RADIO1 & TUN0 192.168.2.1

I do know that we can edit the default routes to do what I need, but I can't seem to do it. Does anyone have some idea how I can do this?


Some screenshots of the work in progress (attachments): 1.jpg, 2.jpg, 3.jpg, 4.jpg

Topic Author
Tealc
ForumHelper
Posts: 238
Joined: Tue Jan 28, 2014 12:38 am

Re: OpenWrt TLS problem

Post by Tealc » Thu Nov 13, 2014 10:45 pm

Hi there ppl, just to close this already-lost-in-the-wild post and give some tips for someone who would like to do the same as I did: have one WiFi separate from the LAN and the other WiFi to access CS, routing everyone that connects to that special WiFi to CS.
After putting on the new BB 14.07 that comes out with ipv6 :-D I found this awesome post and it worked like a charm.

Leaving the URL here for newcomers: http://www.loganmarchione.com/2014/10/o ... tl-mr3020/
