Ξ welcome to cryptostorm's member forums ~ you don't have to be a cryptostorm member to post here Ξ
Ξ any OpenVPN configs found on the forum are likely outdated. For the latest, visit here or GitHub Ξ
Ξ If you're looking for tutorials/guides, check out the new https://cryptostorm.is/#section6 Ξ

dd-wrt configuration, can't connect

Looking for assistance with a cryptostorm connection issue? Post here & we'll help out. Also: if you're not sure where to post, do so here & we'll move things around as needed. Also: for quickest support, email our oddly calm & easygoing support reps at support@cryptostorm.is :)

Topic Author
dexter
Posts: 24
Joined: Thu Dec 21, 2017 3:34 am

dd-wrt configuration, can't connect

Postby dexter » Thu Dec 21, 2017 3:41 am

Hi, I can't connect to to the vpn using dd-wrt router. Below are screen shots of my settings.
(I have purchased the token for 1 week)
Image
Image
Image
Image


AnonAsPossible
Posts: 16
Joined: Fri Feb 10, 2017 3:49 am

Re: dd-wrt configuration, can't connect

Postby AnonAsPossible » Thu Dec 21, 2017 7:16 am

Try the main dd-wrt thread viewtopic.php?t=4298

just a quick look & I notice you've entered the 'User Pass Authentication' wrong & you left all of the 'Additional Configuration' empty.

go through the thread & follow the info there


Topic Author
dexter
Posts: 24
Joined: Thu Dec 21, 2017 3:34 am

Re: dd-wrt configuration, can't connect

Postby dexter » Thu Dec 21, 2017 9:07 am

Hi, so I tried fixing it

Ifconfig shows me this:

Code: Select all

ifconfig

ath0      Link encap:Ethernet  HWaddr ***************   
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
ath0.1    Link encap:Ethernet  HWaddr *************** 
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:791 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1462 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:138109 (134.8 KiB)  TX bytes:651219 (635.9 KiB)
ath1      Link encap:Ethernet  HWaddr ***************
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
br0       Link encap:Ethernet  HWaddr *************** 
          inet addr:192.168.77.1  Bcast:192.168.77.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:7792 errors:0 dropped:156 overruns:0 frame:0
          TX packets:10960 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1885019 (1.7 MiB)  TX bytes:6899109 (6.5 MiB)
br0:0     Link encap:Ethernet  HWaddr *************** 
          inet addr:169.254.255.1  Bcast:169.254.255.255  Mask:255.255.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
eth0      Link encap:Ethernet  HWaddr ***************
          inet addr:192.168.1.2  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:9239 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6023 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:5616255 (5.3 MiB)  TX bytes:1716796 (1.6 MiB)
          Interrupt:36
eth1      Link encap:Ethernet  HWaddr ***************   
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:7529 errors:0 dropped:0 overruns:0 frame:0
          TX packets:10794 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:532
          RX bytes:1995576 (1.9 MiB)  TX bytes:6575996 (6.2 MiB)
          Interrupt:37
g0        Link encap:Ethernet  HWaddr *************** 
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
imq0      Link encap:UNSPEC  HWaddr   
          UP RUNNING NOARP  MTU:1500  Metric:1
          RX packets:14469 errors:0 dropped:0 overruns:0 frame:0
          TX packets:14469 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:30
          RX bytes:6797458 (6.4 MiB)  TX bytes:6797458 (6.4 MiB)
imq1      Link encap:UNSPEC  HWaddr   
          UP RUNNING NOARP  MTU:1500  Metric:1
          RX packets:318 errors:0 dropped:0 overruns:0 frame:0
          TX packets:318 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:30
          RX bytes:68517 (66.9 KiB)  TX bytes:68517 (66.9 KiB)
lo        Link encap:Local Loopback 
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING MULTICAST  MTU:65536  Metric:1
          RX packets:39 errors:0 dropped:0 overruns:0 frame:0
          TX packets:39 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:2942 (2.8 KiB)  TX bytes:2942 (2.8 KiB)


Startup I have

Code: Select all

echo "****-****-****-**** " > /tmp/user.conf
echo 93b66e7059176bbfa418061c5cba87dd >> /tmp/user.conf
chmod 600 /tmp/user.conf


Firewall

Code: Select all

iptables -I INPUT -p udp --dport 68 -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
iptables -I FORWARD -i br0 -o vlan2 -j DROP
iptables -I INPUT -i tun0 -j REJECT
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

services fixes

User Pass Authentication : Disable

IP Address : deleted it


additional conf:

Code: Select all

       
resolv-retry infinite

nobind

float

sndbufsize 1655368

rcvbuf size 1655368

down-pre

allow-pull-fqdn

explicit-exit-notify 3

hand-window 37

auth-user-pass /tmp/user.conf

replay-windows 128 30

tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA

tls-client

key-method 2

auth-retry nointeract


 ! Message from: parityboy
Added code tags


AnonAsPossible
Posts: 16
Joined: Fri Feb 10, 2017 3:49 am

Re: dd-wrt configuration, can't connect

Postby AnonAsPossible » Fri Dec 22, 2017 2:50 am

.. looks like you didn't 'hash' your token, before you can use your token you must calculate the sha512 hash of it, don't use the 'token' as your user name.

Go to https://cryptostorm.is/ and near the bottom of the page there's a 'sha512 calculator' or use your own, then try again.


Topic Author
dexter
Posts: 24
Joined: Thu Dec 21, 2017 3:34 am

Re: dd-wrt configuration, can't connect

Postby dexter » Fri Dec 22, 2017 3:41 am

AnonAsPossible wrote:.. looks like you didn't 'hash' your token, before you can use your token you must calculate the sha512 hash of it, don't use the 'token' as your user name.

Go to https://cryptostorm.is/ and near the bottom of the page there's a 'sha512 calculator' or use your own, then try again.

I did it once, but I didn't know I should put it, because it was too long to fit, so I should put it here "echo "****-****-****-**** " > /tmp/user.conf"?

Does this Startup command looking ok?
Image


AnonAsPossible
Posts: 16
Joined: Fri Feb 10, 2017 3:49 am

Re: dd-wrt configuration, can't connect

Postby AnonAsPossible » Fri Dec 22, 2017 5:55 am

remove the " ", only your 'hased' token number, like the following;
echo 12345678901234567890123456789012345678901234567890 > /tmp/user.conf
echo 93b66e7059176bbfa418061c5cba87dd >> /tmp/user.conf
chmod 600 /tmp/user.conf

For the 'Server IP/Name' = 5.101.137.252 (the # ip for london)


Topic Author
dexter
Posts: 24
Joined: Thu Dec 21, 2017 3:34 am

Re: dd-wrt configuration, can't connect

Postby dexter » Fri Dec 22, 2017 6:36 am

Thanks for the info, did everything, but still not connecting at all.

Image

Should I put something in static DNS? on the setup tab?


AnonAsPossible
Posts: 16
Joined: Fri Feb 10, 2017 3:49 am

Re: dd-wrt configuration, can't connect

Postby AnonAsPossible » Fri Dec 22, 2017 6:45 am

Just for a test put a DNS server like 37.235.49.61

Don't forget the 'spaces' are important too, so recheck everything.
SO: echo'space'"your hashed #"'space'> /tmp/user.conf

If you still can't connect, try removing all the Firewall rules for now, just to see if you can connect, remember to reboot after each change, just to be sure the changes are properly applied.


Topic Author
dexter
Posts: 24
Joined: Thu Dec 21, 2017 3:34 am

Re: dd-wrt configuration, can't connect

Postby dexter » Fri Dec 22, 2017 7:00 am

I have no idea what I'm doing wrong, but I do something wrong...

So turned off firewall command, rebooted, double checked the startup command and it is exactly like this except I changed the hash key to "*" to cenzor it on the forums here
And also did put the DNS you gave.

Code: Select all

echo ****************************************** >/tmp/user.conf
echo 93b66e7059176bbfa418061c5cba87dd >> /tmp/user.conf
chmod 600 /tmp/user.conf



 ! Message from: parityboy
Edited for better formatting.


AnonAsPossible
Posts: 16
Joined: Fri Feb 10, 2017 3:49 am

Re: dd-wrt configuration, can't connect

Postby AnonAsPossible » Fri Dec 22, 2017 7:17 am

I don't know which time zone you're in,try their new ca.crt which is required starting 22 Dec;

Code: Select all

-----BEGIN CERTIFICATE-----
MIIFIDCCBAigAwIBAgIJAKekpGXxXvhbMA0GCSqGSIb3DQEBCwUAMIG6MQswCQYD
VQQGEwJDQTELMAkGA1UECBMCUUMxETAPBgNVBAcTCE1vbnRyZWFsMTYwNAYDVQQK
FC1LYXRhbmEgSG9sZGluZ3MgTGltaXRlIC8gIGNyeXB0b3N0b3JtX2RhcmtuZXQx
ETAPBgNVBAsTCFRlY2ggT3BzMRcwFQYDVQQDFA5jcnlwdG9zdG9ybV9pczEnMCUG
CSqGSIb3DQEJARYYY2VydGFkbWluQGNyeXB0b3N0b3JtLmlzMCAXDTE3MTIxNjA3
NTk0MloYDzIwNjcxMjE2MDc1OTQyWjCBujELMAkGA1UEBhMCQ0ExCzAJBgNVBAgT
AlFDMREwDwYDVQQHEwhNb250cmVhbDE2MDQGA1UEChQtS2F0YW5hIEhvbGRpbmdz
IExpbWl0ZSAvICBjcnlwdG9zdG9ybV9kYXJrbmV0MREwDwYDVQQLEwhUZWNoIE9w
czEXMBUGA1UEAxQOY3J5cHRvc3Rvcm1faXMxJzAlBgkqhkiG9w0BCQEWGGNlcnRh
ZG1pbkBjcnlwdG9zdG9ybS5pczCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
ggEBAMlo5Jghf+yb7j86QKDIA9gH9U+MOj1gFz7POcobF3UXx8CR6py4+kY0LEwE
s66YuwF3Et1Haymkrxy72RjHqD58FRC1KGg6PzhDr6foXgOpuOweUvBTLS6WR5Ba
TW+8oqSkFWIZUWxnk4N1npxonZRjYLjU4AJNB1uUKpp5uwtC+n9UYpNZ2H1SwZDc
tpJNzG3Q+ySqkaJYRR44YbeYoTQpbK/G3o7H2Kz1BsNck5h2SVBo9f3JS4gjTcaP
fGb6+Lqra/MPlXKY55MzKTLsZ5q1t3ZTjn0vDO7+D7xXoRCXyq9atcRJf9ldm80b
xABw5dTiS00E6hm3CzpPOSelAXcCAwEAAaOCASMwggEfMAwGA1UdEwQFMAMBAf8w
HQYDVR0OBBYEFDhY4fdfMy+L0fMdat75Kep6cFElMIHvBgNVHSMEgecwgeSAFDhY
4fdfMy+L0fMdat75Kep6cFEloYHApIG9MIG6MQswCQYDVQQGEwJDQTELMAkGA1UE
CBMCUUMxETAPBgNVBAcTCE1vbnRyZWFsMTYwNAYDVQQKFC1LYXRhbmEgSG9sZGlu
Z3MgTGltaXRlIC8gIGNyeXB0b3N0b3JtX2RhcmtuZXQxETAPBgNVBAsTCFRlY2gg
T3BzMRcwFQYDVQQDFA5jcnlwdG9zdG9ybV9pczEnMCUGCSqGSIb3DQEJARYYY2Vy
dGFkbWluQGNyeXB0b3N0b3JtLmlzggkAp6SkZfFe+FswDQYJKoZIhvcNAQELBQAD
ggEBABrPLmFpugICgUKyJ+6q5h8ZKfoV3S0RtTfrwtobNSFf7H4ZQvCXF2bOuhyc
g00ffreEGZN2uwtiLh38ncB/BFhHfgkITfTe88m08pJ45PkrpeBfrFbZ+ckXVhV/
aCnUKkIZgmCNKnn1RIbUt4mzTzggwtN3GamoTzSWqSwCEO9Ig1AJKi5Ms/5Awtdz
nr95qaqI0ih0NGnfC/yIGYvt1Yay0hCil3jIUT9Ogdw6DW6RqUdJaPrwm58fTwIR
U33KzBqGs8r3UEIMWXuIGc6eXOm2Br08iFgOsUPGqp1ulvD52pFH1o1vT21v3aXl
D9Ier/83JLMnBGctT1Kzs9OP/U0=
-----END CERTIFICATE-----


YOU NEED TO HIT RETURN AFTER THE LAST LINE "-----END CERTIFICATE-----", so there's an empty line
========================================================================

also here are 3 other 'additional conf:' you can try, I've included 3 different groups, just copy and paste, over-write everything you currently have in the box, reboot for each group, so that's 3 times, maybe 1 will work..

---------------------------------------------------------------------------

Code: Select all

resolv-retry infinite
nobind
float
sndbuf size 1655368
rcvbuf size 1655368
down-pre
allow-pull-fqdn
explicit-exit-notify 3
hand-window 37
auth-user-pass /tmp/user.conf
replay-window 128 30
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA
tls-client
key-method 2
auth-retry nointeract

---------------------------------------------------------------------------

Code: Select all

auth-user-pass /tmp/user.conf
resolv-retry infinite
tls-client
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA
verb 3
mute 1
key-method 2

-----------------------------------------------------------------------------

Code: Select all

tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA
resolv-retry infinite
down-pre
explicit-exit-notify 3
hand-window 37
replay-window 128 30
float
verb 7
mute 3
auth-user-pass /tmp/user.conf
tls-client
key-method 2

--------------------------------------------------------------------------

GOOD LUCK !!

 ! Message from: parityboy
Edited for better formatting. Edited incorrect OpenVPN option "Hand Window".


Topic Author
dexter
Posts: 24
Joined: Thu Dec 21, 2017 3:34 am

Re: dd-wrt configuration, can't connect

Postby dexter » Fri Dec 22, 2017 7:25 am

Thank you so much, I really appreciate you help. I'm in UK time zone, ill try the cert and add configs, ill let you know with the results, if this will not help, please let me know what setting you want me to show you, so if you can double check, thanks once again for trying to help me. I've got vpn's previouslt, and all of them were working fine, I hope I get this one working too.


Topic Author
dexter
Posts: 24
Joined: Thu Dec 21, 2017 3:34 am

Re: dd-wrt configuration, can't connect

Postby dexter » Fri Dec 22, 2017 7:33 am

So unfortunately, no success, I'm sure it should work...

But, also I'm sure that I do something wrong, it might be really little thing like missing space, or some checkbox....

Ill ask you last time if you can try fixing it with me, and if all fails, I will give up, and no longer take your time.

So last time please let me know, what settings should I show you on ss, and ill upload all info you need...


AnonAsPossible
Posts: 16
Joined: Fri Feb 10, 2017 3:49 am

Re: dd-wrt configuration, can't connect

Postby AnonAsPossible » Fri Dec 22, 2017 7:46 am

try;
LZO Compression = No
& you need;
nsCertType verification = Checked "in your pic it was unchecked"

Are you on 'Windows'? have you tried their Widget? did it work? Did you get online?


Topic Author
dexter
Posts: 24
Joined: Thu Dec 21, 2017 3:34 am

Re: dd-wrt configuration, can't connect

Postby dexter » Fri Dec 22, 2017 8:02 am

LZO Compression = No (done)

nsCertType verification (checked)


Are you on 'Windows'? have you tried their Widget? did it work? Did you get online? (yes it works)

And still, it doesn't connect, so Ill upload pics again, to be 100% sure...


Image
Image
Image
Image
Image
Image
Image
Image
Image


AnonAsPossible
Posts: 16
Joined: Fri Feb 10, 2017 3:49 am

Re: dd-wrt configuration, can't connect

Postby AnonAsPossible » Fri Dec 22, 2017 8:18 am

for the end of "CA Cert", you have 1 return too many. Other than that, try inserting the Firewall rules again, Go to ADMINISTRATION --> COMMANDS and enter the following code. Hit SAVE FIREWALL when you are done.

Code: Select all

iptables -I INPUT -p udp --dport 68 -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
iptables -I FORWARD -i br0 -o vlan2 -j DROP
iptables -I INPUT -i tun0 -j REJECT
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE



other than that, I don't know what other advice I can give you, besides it's really late in the day over in the UK(3am??). I'm in North America.


Topic Author
dexter
Posts: 24
Joined: Thu Dec 21, 2017 3:34 am

Re: dd-wrt configuration, can't connect

Postby dexter » Fri Dec 22, 2017 8:23 am

Ok, tried everything, no success, I give up....

Yup, 3am here :)


AnonAsPossible
Posts: 16
Joined: Fri Feb 10, 2017 3:49 am

Re: dd-wrt configuration, can't connect

Postby AnonAsPossible » Fri Dec 22, 2017 8:28 am

Here's something else to check;
Navigate to 'Services' > 'Services'
Under 'DHCP Server', set 'Used Domain' = LAN & WLAN


AnonAsPossible
Posts: 16
Joined: Fri Feb 10, 2017 3:49 am

Re: dd-wrt configuration, can't connect

Postby AnonAsPossible » Fri Dec 22, 2017 8:34 am

also, your router may have a different 'tun' numbering, try this

Code: Select all

iptables -I INPUT -p udp --dport 68 -j ACCEPT
iptables -I FORWARD -i br0 -o tun+ -j ACCEPT
iptables -I FORWARD -i tun+ -o br0 -j ACCEPT
iptables -I FORWARD -i br0 -o vlan2 -j DROP
iptables -I INPUT -i tun0 -j REJECT
iptables -t nat -A POSTROUTING -o tun+ -j MASQUERADE


or better yet, just have a 'Kill Switch' in the firewall when the VPN tunnel drops

Code: Select all

iptables -t nat -I POSTROUTING -o tun+ -j MASQUERADE


If I think of anything else, I'll update......


 ! Message from: parityboy
Edited for better formatting.


AnonAsPossible
Posts: 16
Joined: Fri Feb 10, 2017 3:49 am

Re: dd-wrt configuration, can't connect

Postby AnonAsPossible » Fri Dec 22, 2017 8:38 am

Are you running the latest build of DD-wrt?
Check here; ftp://ftp.dd-wrt.com/betas/2017/12-14-2017-r34080/


Topic Author
dexter
Posts: 24
Joined: Thu Dec 21, 2017 3:34 am

Re: dd-wrt configuration, can't connect

Postby dexter » Fri Dec 22, 2017 8:42 am

Tried LAN & WAN - didn't help

tried the firewall - didn't help

I have no clue what's fucked up...

Does DNSMasq options have any impact on this?

My router is WRT1900ACSv2 Firmware: DD-WRT v3.0-r34080 std (12/14/17)


AnonAsPossible
Posts: 16
Joined: Fri Feb 10, 2017 3:49 am

Re: dd-wrt configuration, can't connect

Postby AnonAsPossible » Fri Dec 22, 2017 8:49 am

Since nothing works, play around with the DNSMasq options and see what happens. My settings; DNSMasq, Local DNS, No DNS Rebind and Query DNS in Strict Order are all 'enabled'.

Also fill up your DNS addresses and see what happens, add 4.2.2.3 4.2.2.2


Topic Author
dexter
Posts: 24
Joined: Thu Dec 21, 2017 3:34 am

Re: dd-wrt configuration, can't connect

Postby dexter » Fri Dec 22, 2017 8:59 am

Still no sucess...

I use this router with ADSL2 router

WAN connection type Automatic DHCP Configuration
in Advanced Routing
Operating Mode
Operating Mode: Gateway

in Dynamic Routing should I change from Disable to : Both?


AnonAsPossible
Posts: 16
Joined: Fri Feb 10, 2017 3:49 am

Re: dd-wrt configuration, can't connect

Postby AnonAsPossible » Fri Dec 22, 2017 9:06 am

Mine is 'Disabled',

Go get some sleep...........


Topic Author
dexter
Posts: 24
Joined: Thu Dec 21, 2017 3:34 am

Re: dd-wrt configuration, can't connect

Postby dexter » Fri Dec 22, 2017 9:09 am

Insomnia tonight :)


AnonAsPossible
Posts: 16
Joined: Fri Feb 10, 2017 3:49 am

Re: dd-wrt configuration, can't connect

Postby AnonAsPossible » Fri Dec 22, 2017 9:19 am

This may sound like a dumb Q, but you did hit 'Save' and 'Apply Settings'?


Time for you call over a 'mate' who knows their way around routers & vpn's.


Topic Author
dexter
Posts: 24
Joined: Thu Dec 21, 2017 3:34 am

Re: dd-wrt configuration, can't connect

Postby dexter » Fri Dec 22, 2017 9:37 am

Of course I did Save & Apply, hehe.
Lucky me, I got noone who knows shit about computer haha :D

Thank you for trying to help me AnonAsPossible!

Maybe someone will know, what's the issue here, posted a lot of pictures and shit, we created a long post and spammed the forum a little haha :D


Topic Author
dexter
Posts: 24
Joined: Thu Dec 21, 2017 3:34 am

Re: dd-wrt configuration, can't connect

Postby dexter » Fri Dec 22, 2017 10:24 am

So, turned on log's and the router log shows"

Code: Select all

Dec 22 05:22:48 DexLab7 user.info : openvpn : OpenVPN daemon (Client) starting/restarting...
Dec 22 05:22:48 DexLab7 daemon.err openvpn[3268]: Options error: Unrecognized option or missing or extra parameter(s) in /tmp/openvpncl/openvpn.conf:31: Hand (2.4.4)
Dec 22 05:22:48 DexLab7 daemon.warn openvpn[3268]: Use --help for more information.


So something in the startup options then?

 ! Message from: parityboy
Edited for better formatting.

User avatar

parityboy
Site Admin
Posts: 1282
Joined: Wed Feb 05, 2014 3:47 am

Re: dd-wrt configuration, can't connect

Postby parityboy » Sun Dec 24, 2017 9:44 am

@dexter

The error comes from the incorrect option "Hand Window", which should be "hand-window". It's been edited accordingly.:) Try this for your "additional conf":

Code: Select all

resolv-retry infinite
nobind
float
sndbuf size 1655368
rcvbuf size 1655368
down-pre
allow-pull-fqdn
explicit-exit-notify 3
hand-window 37
auth-user-pass /tmp/user.conf
replay-window 128 30
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA
tls-client
key-method 2
auth-retry nointeract
verb 3
mute 1


Topic Author
dexter
Posts: 24
Joined: Thu Dec 21, 2017 3:34 am

Re: dd-wrt configuration, can't connect

Postby dexter » Tue Dec 26, 2017 10:01 pm

parityboy wrote:@dexter

The error comes from the incorrect option "Hand Window", which should be "hand-window". It's been edited accordingly.:) Try this for your "additional conf":

Code: Select all

resolv-retry infinite
nobind
float
sndbuf size 1655368
rcvbuf size 1655368
down-pre
allow-pull-fqdn
explicit-exit-notify 3
hand-window 37
auth-user-pass /tmp/user.conf
replay-window 128 30
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA
tls-client
key-method 2
auth-retry nointeract
verb 3
mute 1


Tried it, and got error:

Code: Select all

Dec 26 16:58:31 DexLab7 daemon.err openvpn[4294]: Options error: Unrecognized option or missing or extra parameter(s) in /tmp/openvpncl/openvpn.conf:30: sndbuf (2.4.4)
Dec 26 16:58:31 DexLab7 daemon.warn openvpn[4294]: Use --help for more information.

User avatar

parityboy
Site Admin
Posts: 1282
Joined: Wed Feb 05, 2014 3:47 am

Re: dd-wrt configuration, can't connect

Postby parityboy » Wed Dec 27, 2017 3:26 pm

@dexter

Comment out any line with sndbuf or rcvbuf - they used to be in the Linux config files, but they were removed a while back.


Topic Author
dexter
Posts: 24
Joined: Thu Dec 21, 2017 3:34 am

Re: dd-wrt configuration, can't connect

Postby dexter » Thu Dec 28, 2017 12:23 am

parityboy wrote:@dexter

Comment out any line with sndbuf or rcvbuf - they used to be in the Linux config files, but they were removed a while back.



Wow. Thanks a lot, it works now. :thumbup:

:clap: :clap: :clap: :clap: :clap:


Topic Author
dexter
Posts: 24
Joined: Thu Dec 21, 2017 3:34 am

Re: dd-wrt configuration, can't connect

Postby dexter » Thu Dec 28, 2017 1:22 am

Hi, just last issue, I'm connected, but VPN log giving me:

Code: Select all

Clientlog:
20171227 20:19:50 I OpenVPN 2.4.4 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Dec 14 2017
20171227 20:19:50 I library versions: OpenSSL 1.1.0g 2 Nov 2017 LZO 2.09
20171227 20:19:50 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:16
20171227 20:19:50 W WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
20171227 20:19:50 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts


Topic Author
dexter
Posts: 24
Joined: Thu Dec 21, 2017 3:34 am

Re: dd-wrt configuration, can't connect

Postby dexter » Thu Dec 28, 2017 7:22 am

And I can't connect to TOR via firefox I did set this in about:config

Code: Select all

network.proxy.socks_remote_dns - true
network.dns.blockDotOnion - false


blurb
Posts: 21
Joined: Fri Dec 29, 2017 4:42 pm

Re: dd-wrt configuration, can't connect

Postby blurb » Fri Dec 29, 2017 6:57 pm

try replacing the '.onion' with 'torstorm.org' in your browser.
https://github.com/cryptostorm/torstorm

Saying that, it's not working for me right now!

User avatar

parityboy
Site Admin
Posts: 1282
Joined: Wed Feb 05, 2014 3:47 am

Re: dd-wrt configuration, can't connect

Postby parityboy » Fri Dec 29, 2017 10:24 pm

@dexter

You don't need to worry about the SOCKS setting, since you're not running Tor router software locally. Setting network.dns.blockDotOnion to false is correct. :) It should work transparently - try connecting to the Hidden Wiki and see how you fare. :)


Topic Author
dexter
Posts: 24
Joined: Thu Dec 21, 2017 3:34 am

Re: dd-wrt configuration, can't connect

Postby dexter » Sun Dec 31, 2017 11:15 pm

parityboy wrote:@dexter

You don't need to worry about the SOCKS setting, since you're not running Tor router software locally. Setting network.dns.blockDotOnion to false is correct. :) It should work transparently - try connecting to the Hidden Wiki and see how you fare. :)

Can't connect.

User avatar

parityboy
Site Admin
Posts: 1282
Joined: Wed Feb 05, 2014 3:47 am

Re: dd-wrt configuration, can't connect

Postby parityboy » Mon Jan 01, 2018 6:03 pm

@dexter

OK, I think I see the issue. There's two possible steps so let's deal with the first one. When you set up the DNS in DD-WRT, which DNS servers did you set?


Topic Author
dexter
Posts: 24
Joined: Thu Dec 21, 2017 3:34 am

Re: dd-wrt configuration, can't connect

Postby dexter » Tue Jan 02, 2018 5:41 am

Tried those one :

Code: Select all

37.235.49.61

4.2.2.3
4.2.2.2

User avatar

parityboy
Site Admin
Posts: 1282
Joined: Wed Feb 05, 2014 3:47 am

Re: dd-wrt configuration, can't connect

Postby parityboy » Tue Jan 02, 2018 7:02 am

@dexter

You need a DNS instance that actually knows what to do with .onion TLDs. That means using a Cryptostorm DNS server;unlike the widget (Windows), Tunnelblick (macOS) or NetworkManager(GNU/Linux), router distros such as DD-WRT and pfSense do not allow their DNS settings to be updated by the OpenVPN client once it connects.

This means you will need to tell DD-WRT to use one of the DeepDNS instances that Cryptostorm run on their exit nodes and it will need to be the instance running on the very same exit node you are connected to - that last part is a Cryptostorm-enforced restriction.

So for example, if you're connected to the Paris exit node (212.129.27.79), you will need to set 212.129.46.86 as your DNS. For a list of DeepDNS IP addresses, see here.

Having this work when maintaining connections to multiple different exit nodes can either be simple or impossible (due to the restriction mentioned above), depending on your routing platform. I managed to get to it work on pfSense, but for DD-WRT I'm not so sure.

 ! Message from: parityboy
Edited for better readability.


Topic Author
dexter
Posts: 24
Joined: Thu Dec 21, 2017 3:34 am

Re: dd-wrt configuration, can't connect

Postby dexter » Tue Jan 02, 2018 4:01 pm

parityboy wrote:@dexter

You need a DNS instance that actually knows what to do with .onion TLDs. That means using a Cryptostorm DNS server;like pfSense (and unlike the widget (Windows), Tunnelblick (macOS) or NetworkManager(GNU/Linux)) router distros such as DD-WRT do not allow their DNS settings to be updated by the OpenVPN client once it connects.

This means you will need to tell DD-WRT to use one of the DeepDNS instances that Cryptostorm run on their exit nodes and it will need to be the instance running on the very same exit node you are connected to - that last part is a Cryptostorm-enforced restriction.

So for example, if you're connected to the Paris exit node (212.129.27.79), you will need to set 212.129.46.86 as your DNS. For a list of DNS IP addresses, see here.

Having this work when maintaining connections to multiple different exit nodes can either be simple or impossible (due to the restriction mentioned above), depending on your routing platform. I managed to get to it work on pfSense, but for DD-WRT I'm not so sure.

Ok then, thank you so much for helping me here, I hope if someone get similar problem to mine they can find the fix here :thumbup:

In case of Tor, I don't really need this future, I don't use it anyways, but it's a fun future to have in a vpn tough :)

And did you guys updated UK servers? Image

It hella fast now :D

User avatar

parityboy
Site Admin
Posts: 1282
Joined: Wed Feb 05, 2014 3:47 am

Re: dd-wrt configuration, can't connect

Postby parityboy » Wed Jan 03, 2018 8:49 pm

@dexter

Since it's carrying the same IP address I doubt it, unless it was artificially restricted, i.e. the server comes with a 1Gb/s network port anyway but it actually connects to a 100Mb/s switch port and the switch port has now been "upgraded" to 1Gb/s.

How does your VPN speed compare to your "naked" speed? Also, could you post that in the speed test thread (see my sig.)? Many thanks. :)

User avatar

df
Site Admin
Posts: 418
Joined: Thu Jan 01, 1970 5:00 am

Re: dd-wrt configuration, can't connect

Postby df » Mon Oct 29, 2018 9:08 am

Can't remember when exactly it was, might have been as far back as January of 2018, but these days the England server is 10gbps

User avatar

df
Site Admin
Posts: 418
Joined: Thu Jan 01, 1970 5:00 am

Re: dd-wrt configuration, can't connect

Postby df » Wed Oct 31, 2018 12:51 pm

I recently helped out another customer who was having issues with DD-WRT, so I'll copy/paste the solution here if anyone else has the same problems:

I loaded up DD-WRT from https://download1.dd-wrt.com/dd-wrtv2/d ... _vga.image onto a VM so I can test...
That's DD-WRT v3.0-r37442 std (10/19/18), which includes OpenVPN 2.4.6 and OpenSSL 1.1.1 (the latest version for both, as of this post).

So far, I'm seeing at least two bugs that'll prevent this from working as is.
One bug is that they're supplying the OpenVPN option --down-pre the parameter /tmp/openvpncl/route-down.sh, but according to the OpenVPN 2.4 manual, --down-pre takes no paramaters:
Options error: Unrecognized option or missing or extra parameter(s) in [CMD-LINE]:1: down-pre (2.4.6)

Another bug is that if you put our tls-auth key into the "TLS Auth Key" section of the web UI, they incorrectly assume that everyone will have key-direction set to 1 when ours is set to 0, so even if you specify key-direction 0 later in the Additional Config section, it's already set to 1 because of their previous "tls-auth ta.key 1".

What worked for me is the web UI settings in the attached "settings.png":
settings.png

Oops, I left the word "test" in the "TLS Auth Key" section of that screen shot.
That part should be empty.

For the "Additional Config" section I used:
remote-cert-tls server
auth-user-pass /tmp/openvpncl/credentials
explicit-exit-notify 3
resolv-retry 16
nobind
down-pre
reneg-sec 0
key-method 2
tls-client
tls-cipher TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA
key-direction 0
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
5de9814eb021477ce3b58638031072c5
b20f34a9f3c417bc95df950ae37bdbf4
12aa255734184171a9c46f8251cf9207
6c1d352ddcd7c71a411d7872d8d50090
b06fd70801dda425cd4ee474a81d2367
a372a22db2baeee2ef7ac1c4a9dd4867
32bd978244db2ae2dbfcb5ab3b8669bc
9c35e0a48e298109e9acff687d5698db
7a864247b38e036187cfdf81feefc388
411767b66891056abef9ffc6a2464428
e0ccbf8130536473a71b10263c7dafdb
160da61d4402be6a10d47c9fe08e57dd
121c6b7d2e6d767c1a18dc0aa6567d56
26e020308ed197b5bfc7374b3d135085
31afcf87e1ae90ec20ee072100daf478
5aaa3bce8db5d6eabef2495752c849b6
-----END OpenVPN Static key V1-----
</tls-auth>

Then put the CA certificate in the "CA Cert" section.
For the startup commands under Administrator -> Commands, I used:
#!/bin/sh
echo TOKEN_HASH_GOES_HERE > /tmp/openvpncl/credentials
echo whatever >> /tmp/openvpncl/credentials
sleep 2
openvpn --cd /tmp/openvpncl --route-up route-up.sh --route-pre-down route-down.sh --config openvpn.conf


Just replace TOKEN_HASH_GOES_HERE with your token's sha512 hash.
That last command will automatically start OpenVPN whenever you reboot your device, so if you don't want it to do that then remove the last line.

All of the above was done using an RSA UDP config from https://cryptostorm.is/configs/rsa/
If you're using the same recent firmware that I used for this test, then you've also got OpenVPN 2.4.6 and OpenSSL 1.1.1. That means you can use the faster ECC or Ed25519 or Ed448 configs instead, with a few changes to the above config.
The ECC configs are up at https://cryptostorm.is/configs/ecc/ and https://github.com/cryptostorm/cryptost ... master/ecc


Return to “member support & tech assistance”

Who is online

Users browsing this forum: Google [Bot] and 31 guests

Login