[plug] Working from home - VPN routers

Ian Kent raven at themaw.net
Sun Apr 12 13:07:24 AWST 2020


On Sun, 2020-04-12 at 10:46 +0800, Kevin Shackleton wrote:
> Thanks for playing around with this problem Ian.  Still - what else
> are we all doing on the long weekend - Dunsborough?!  Not.

LOL.

> 
> Is your router using DD-WRT or similar, that makes the client.ovpn
> and the server_ovpn.cert files for the client?

Nope, I don't much like dd-wrt.

At the moment I'm using ASUSWRT or ASUSWRT Merlin (the log fragment
I posted is from ASUSWRT Merlin).

My server generated config is a bit different but see below ...

> 
> The client.ovpn file (built by the ASUS router and not edited) starts
> with:
> 
> remote xxx.xxx.xxx.xxx 1194
> float
> nobind
> proto udp
> dev tap

No, I think this isn't ok; you want tun.

I believe the tap driver behaves quite differently to the tun
driver device-wise and I've never used it.

If this was generated on the server then change the server to use
tun not tap and start over. Unfortunately you'll need to update
your other clients too.

> 
> # Windows needs the TAP-Win32 adapter name
> # from the Network Connections panel
> # if you have more than one.  On XP SP2,
> # you may need to disable the firewall
> # for the TAP adapter.
> ;dev-node MyTap
> 
> sndbuf 0
> rcvbuf 0
> keepalive 15 60
> comp-lzo adaptive
> auth-user-pass
> client
> auth SHA256
> cipher AES-256-CBC
> remote-cert-tls server
> 
> followed by three certificates <ca>, <cert> and <key>, bound by
> -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----.  I saved the
> inline certificates to files including the bounds in order to use the
> Network Manager configurator, though that's not needed for the
> command-line connection.

The rest of this shouldn't make much difference.

> 
> The guys wanted a TAP VPN (which, CMIIW, I understand as a bridging VPN
> whereas a TUN is a routing VPN).  I'll try changing the config to a
> TUN and see if my problems disappear ...

Yep.

One advantage of a routing driver is it can fairly easily route
packets for the target vpn network only and let your home internet
traffic use your home internet. In Network Manager there's an option
to do just that (there used to be anyway). I expect a similar option
is present in Windows. I'm not sure a bridging driver will allow that
quite so easily but, as I say, I never use it.

> 
> It's galling that it *just works* in the openvpn client compiled for
> Windows but does not in Ubuntu 18.04.

LOL, both command line and importing the client config "just worked"
for me, at least looked like it but I can't actually test it on the
same network here at home so maybe not ...

> 
> Cheers,
> Kevin.
> 
> 
> 
> 
> On Sun, 12 Apr 2020 at 09:48, Ian Kent <raven at themaw.net> wrote:
> > On Sat, 2020-04-11 at 13:18 +0800, Kevin Shackleton wrote:
> > > I was assuming that sudo would run openvpn with adequate
> > permissions
> > > 
> > > Running from a root login results in the same output (specific
> > > details x'd out):
> > > 
> > > # openvpn --config /etc/openvpn/client.ovpn
> > > Sat Apr 11 12:57:44 2020 OpenVPN 2.4.4 x86_64-pc-linux-gnu [SSL
> > > (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built
> > on
> > > May 14 2019
> > > Sat Apr 11 12:57:44 2020 library versions: OpenSSL 1.1.1  11 Sep
> > > 2018, LZO 2.08
> > > Enter Auth Username: xxxxxx
> > > Enter Auth Password: ********
> > > Sat Apr 11 12:57:54 2020 TCP/UDP: Preserving recently used remote
> > > address: [AF_INET]xxx.xxx.xxx.xxx:1194
> > > Sat Apr 11 12:57:54 2020 UDP link local: (not bound)
> > > Sat Apr 11 12:57:54 2020 UDP link remote:
> > > [AF_INET]xxx.xxx.xxx.xxx:1194
> > > Sat Apr 11 12:57:54 2020 WARNING: this configuration may cache
> > > passwords in memory -- use the auth-nocache option to prevent
> > this
> > > Sat Apr 11 12:57:54 2020 [DSL-AC68U] Peer Connection Initiated
> > with
> > > [AF_INET]xxx.xxx.xxx.xxx:1194
> > > Sat Apr 11 12:57:55 2020 TUN/TAP device tap0 opened
> > > Sat Apr 11 12:57:55 2020 Initialization Sequence Completed
> > > Sat Apr 11 12:58:56 2020 [DSL-AC68U] Inactivity timeout (--ping-
> > > restart), restarting
> > > Sat Apr 11 12:58:56 2020 SIGUSR1[soft,ping-restart] received,
> > process
> > > restarting
> > > Sat Apr 11 12:58:56 2020 SIGUSR1[soft,ping-restart] received,
> > process
> > > restarting
> > > Sat Apr 11 12:59:01 2020 TCP/UDP: Preserving recently used remote
> > > address: [AF_INET]xxx.xxx.xxx.xxx:1194
> > > Sat Apr 11 12:59:01 2020 UDP link local: (not bound)
> > > Sat Apr 11 12:59:01 2020 UDP link remote:
> > > [AF_INET]xxx.xxx.xxx.xxx:1194
> > > Sat Apr 11 12:59:01 2020 WARNING: 'link-mtu' is used
> > inconsistently,
> > > local='link-mtu 1582', remote='link-mtu 1602'
> > > Sat Apr 11 12:59:01 2020 WARNING: 'cipher' is used
> > inconsistently,
> > > local='cipher AES-256-GCM', remote='cipher AES-256-CBC'
> > > Sat Apr 11 12:59:01 2020 WARNING: 'auth' is used inconsistently,
> > > local='auth [null-digest]', remote='auth SHA256'
> > > Sat Apr 11 12:59:01 2020 [DSL-AC68U] Peer Connection Initiated
> > with
> > > [AF_INET]xxx.xxx.xxx.xxx:1194
> > > Sat Apr 11 12:59:02 2020 TUN/TAP device tap0 opened
> > > Sat Apr 11 12:59:02 2020 Initialization Sequence Completed
> > > Sat Apr 11 13:00:02 2020 [DSL-AC68U] Inactivity timeout (--ping-
> > > restart), restarting
> > 
> > So I thought I'd try enabling a VPN server on my router and see if
> > I could connect to it from the ubuntu vpn. It's far from a sensible
> > test since it's on the same LAN as the vpn server and a different
> > router than you are using and likely a different firmware.
> > 
> > I get quite different result than you do:
> > 
> > raven at sparky:~$ sudo openvpn --config /etc/openvpn/client1.ovpn
> > Sun Apr 12 09:39:39 2020 OpenVPN 2.4.4 x86_64-pc-linux-gnu [SSL
> > (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built
> > on May 14 2019
> > Sun Apr 12 09:39:39 2020 library versions: OpenSSL 1.1.1  11 Sep
> > 2018, LZO 2.08
> > Enter Auth Username: raven
> > Enter Auth Password: ******
> > Sun Apr 12 09:39:46 2020 TCP/UDP: Preserving recently used remote
> > address: [AF_INET]118.209.191.183:1194
> > Sun Apr 12 09:39:46 2020 UDP link local: (not bound)
> > Sun Apr 12 09:39:46 2020 UDP link remote:
> > [AF_INET]118.209.191.183:1194
> > Sun Apr 12 09:39:46 2020 WARNING: this configuration may cache
> > passwords in memory -- use the auth-nocache option to prevent this
> > Sun Apr 12 09:39:46 2020 [RT-AX88U] Peer Connection Initiated with
> > [AF_INET]192.168.1.1:1194
> > Sun Apr 12 09:39:47 2020 TUN/TAP device tun0 opened
> > Sun Apr 12 09:39:47 2020 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
> > Sun Apr 12 09:39:47 2020 /sbin/ip link set dev tun0 up mtu 1500
> > Sun Apr 12 09:39:47 2020 /sbin/ip addr add dev tun0 10.8.0.2/24
> > broadcast 10.8.0.255
> > Sun Apr 12 09:39:47 2020 Initialization Sequence Completed
> > 
> > and ifconfig shows tun0 present, but I haven't checked if I have
> > throughput or actual connectivity.
> > 
> > Ian
> > 
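An added example, not from either poster, that checks the two client-side points raised above (the `dev tap` setting and the password-caching warning that `auth-user-pass` without `auth-nocache` produces) and summarises the "used inconsistently" and ping-restart lines from a log like the one quoted. The sample config and log lines are constructed from the thread, the certificate body is a placeholder, and the function names are my own.

```python
import re

# Constructed samples: the client.ovpn directives and log lines quoted in the thread (cert body is a placeholder).
SAMPLE_OVPN = "\n".join([
    "remote xxx.xxx.xxx.xxx 1194", "proto udp", "dev tap", "auth-user-pass", "client",
    "auth SHA256", "cipher AES-256-CBC", "remote-cert-tls server", "<ca>",
    "-----BEGIN CERTIFICATE-----", "MIIB...PLACEHOLDER", "-----END CERTIFICATE-----", "</ca>"])
SAMPLE_LOG = "\n".join([
    "Sat Apr 11 12:57:55 2020 Initialization Sequence Completed",
    "Sat Apr 11 12:58:56 2020 [DSL-AC68U] Inactivity timeout (--ping-restart), restarting",
    "Sat Apr 11 12:59:01 2020 WARNING: 'cipher' is used inconsistently, local='cipher AES-256-GCM', remote='cipher AES-256-CBC'",
    "Sat Apr 11 12:59:01 2020 WARNING: 'auth' is used inconsistently, local='auth [null-digest]', remote='auth SHA256'",
    "Sat Apr 11 12:59:02 2020 Initialization Sequence Completed",
    "Sat Apr 11 13:00:02 2020 [DSL-AC68U] Inactivity timeout (--ping-restart), restarting"])

def parse_ovpn(text):
    directives, in_block = {}, False        # in_block: inside an inline <ca>/<cert>/<key> block
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("<"):             # <ca> opens a block, </ca> closes it
            in_block = not line.startswith("</")
        elif line and line[0] not in "#;" and not in_block:
            key, *args = line.split()
            directives.setdefault(key, args)  # first occurrence of a directive wins
    return directives

def check_ovpn(text):
    d, findings = parse_ovpn(text), []
    if (d.get("dev") or [""])[0].startswith("tap"):            # bridging device
        findings.append("dev tap: bridging device; use 'dev tun' (routing) unless L2 bridging is required")
    if "auth-user-pass" in d and "auth-nocache" not in d:      # source of the log's caching warning
        findings.append("auth-user-pass without auth-nocache: OpenVPN may cache the password in memory")
    return findings

WARN_RE = re.compile(r"WARNING: '([\w-]+)' is used inconsistently, local='\S+ ([^']+)', remote='\S+ ([^']+)'")

def check_log(text):
    findings, mismatch, restarts, done = [], {}, 0, 0
    for line in text.splitlines():
        if m := WARN_RE.search(line):        # client/server negotiation disagreement
            mismatch[m.group(1)] = (m.group(2), m.group(3))
        restarts += "Inactivity timeout (--ping-restart)" in line
        done += "Initialization Sequence Completed" in line
    findings += [f"{k} mismatch: client={loc} server={rem}" for k, (loc, rem) in mismatch.items()]
    if restarts and restarts >= done:        # every completed handshake later timed out
        findings.append(f"ping-restart loop: {restarts} restarts after {done} completed handshakes")
    return findings

if __name__ == "__main__":
    for f in check_ovpn(SAMPLE_OVPN) + check_log(SAMPLE_LOG):
        print("-", f)
```

Run it against a real `client.ovpn` and the client's log to get the same summary for your own connection.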



More information about the plug mailing list