[Troubleshooting] OpenVPN can already connect but cannot reach the internet (DD-WRT Router)

The router I am using is a Buffalo WZR-HP-G300NH with DD-WRT built in.
I have set everything up, but after connecting I still can't get out to the internet. Could someone help me take a look?
One strange thing is that I have to port forward 1194 to the external IP before outside clients can connect in.

client config

client
dev tun0
proto udp
remote ip 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server
comp-lzo
verb 3
redirect-gateway def1

Try opening a new line in the client config and adding
float
to it. When running over udp you must have the float keyword.

This post was last edited by tomleehk on 2014-6-24 23:39

On dd-wrt server

1) Activate "redirect default gateway"

2) Public Server Cert = server.crt
    should only be populated with the content from "-----BEGIN CERTIFICATE-----" to "-----END CERTIFICATE-----" inclusive

3) Additional config
    push "dhcp-option DNS 8.8.8.8"

This post was last edited by tomleehk on 2014-6-24 23:54

Personally I feel the 2 configurations below are not needed either

1) Port forwarding

2) Custom script :
     iptables -t nat -postrouting .....  masquerade

Actually there is no need to configure anything extra, e.g. vlan.

Just configure ddns for remote access.

Also need to check date/time synchronization on server and client. Need to synchronize the DD-WRT router's clock by proper configuration at Setup > Basic Setup > Time Settings

Begin testing with Windows client, rather than Android phone which may have some inherent problem on some version.

A side question: can the certs actually be generated by yourself?

Reply to #4 tomleehk


Thank you. I have read your OpenVPN article; it is very detailed and thoughtful, and I really learned a lot.
Today I used telnet to connect into the router and look at iptables, and found that the iptables code was not being run at all.
It turns out it has to go in the firewall commands section before it will run.

For the server to be connected to the subnet br0:
iptables -t nat -A POSTROUTING -s 192.168.60.0/24 -o br0 -j MASQUERADE
To reach the br0 subnet you also need to add push "redirect-gateway def1" to the server config,
or add redirect-gateway def1 to the client.

For the server to connect to the internet:
iptables -t nat -A POSTROUTING -s 192.168.60.0/24 -o vlan2 -j MASQUERADE

Basically just adding these two commands got me out to the internet; an IP check also shows traffic going out with the server's IP.
But I don't understand why the port forward has to go to port 1194 on the external IP. Shouldn't it go to 192.168.60.0?

This post was last edited by tomleehk on 2014-6-25 19:43

Reply to #6 JACKLMF1990

In the firewall commands, I only used
iptables -I INPUT -p tcp --dport 1194 -j ACCEPT
iptables -I INPUT -p udp --dport 1194 -j ACCEPT
iptables -I FORWARD 1 --source 192.168.60.0/24 -j ACCEPT
# These next two lines may or may not be necessary.
# Thus, we include them so that this works for more people:
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
and everything already worked fine on all my working dd-wrt servers.

I really never use
iptables -t nat -A POSTROUTING -s 192.168.60.0/24 -o br0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.60.0/24 -o vlan2 -j MASQUERADE


Reply to tomleehk

But I don't understand why the port forward has to go to port 1194 on the external IP. Shouldn't it go to 192.168.60.0?

Posted by JACKLMF1990 on 2014-6-25 14:01

I really do not need to set up any port forwarding to the external ip on any working dd-wrt router of mine. I wonder if this is an alternative to implementing "re-direct default gateway" and NAT, even if it really works. However, this is not practical even though it worked, since the external ip changes every time you restart the router.

How did you test your dd-wrt OpenVPN server?

Have you tested the OpenVPN connection from a Windows client at a remote site?

This post was last edited by tomleehk on 2014-6-25 22:24

If your dd-wrt OpenVPN really works, there should be a few characteristics :

1) A virtual IP address 192.168.60.x will be assigned properly to a Windows client's successful connection from a remote site.

2) After successful connection from a Windows client at remote site, at Windows client's browser
run http://192.168.60.1 it should turn up the dd-wrt router's configuration page, and
run http://www.getip.com it should show the WAN IP address of the dd-wrt router

This post was last edited by JACKLMF1990 on 2014-6-26 11:47

Reply to #7 tomleehk

iptables -I INPUT -p udp --dport 1194 -j ACCEPT
I looked at the iptables list and found that at startup the router's OpenVPN automatically added this to the iptables INPUT chain.


iptables -I FORWARD 1 --source 192.168.60.0/24 -j ACCEPT
For this rule, doing the port forward to the external IP on the port forwarding page was enough.


Finally, adding this rule to the firewall commands lets me get out to the internet:
iptables -t nat -A POSTROUTING -s 192.168.60.0/24 -o vlan2 -j MASQUERADE    (vlan2 = external ip interface)

Since the external IP doesn't change often, the port forward isn't much of a problem.
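
An added example, not from the thread or from DD-WRT itself: the firewall rules the posts above converge on (tomleehk's INPUT/FORWARD accepts plus JACKLMF1990's POSTROUTING MASQUERADE on the WAN interface) as a reviewable script, with a checker that reads a saved `iptables -S` / `iptables -t nat -S` dump and reports which of those rules are absent. The subnet, interface names and port come from the thread; the `check_rules` helper and the sample dump are constructed here.

```shell
#!/bin/sh
# Added example (not from the thread): DD-WRT "Firewall" command block for the OpenVPN
# server discussed above, parametrised, plus a checker for a saved iptables dump.
VPN_NET="${VPN_NET:-192.168.60.0/24}"   # OpenVPN tunnel subnet used in the thread
LAN_IF="${LAN_IF:-br0}"                  # LAN bridge
WAN_IF="${WAN_IF:-vlan2}"                # WAN/external interface named in the thread
VPN_PORT="${VPN_PORT:-1194}"

# Print the rules instead of applying them, so they can be reviewed before being
# pasted into Administration > Commands and saved as Firewall.
openvpn_rules() {
  cat <<EOF
iptables -I INPUT -p udp --dport ${VPN_PORT} -j ACCEPT
iptables -I FORWARD 1 --source ${VPN_NET} -j ACCEPT
iptables -I FORWARD -i ${LAN_IF} -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o ${LAN_IF} -j ACCEPT
iptables -t nat -A POSTROUTING -s ${VPN_NET} -o ${WAN_IF} -j MASQUERADE
EOF
}

# check_rules DUMP: DUMP is the text of `iptables -S; iptables -t nat -S` from the router.
# Returns the number of expected rules not found (0 = all present); names each missing one.
check_rules() {
  dump="$1"
  missing=0
  for pat in "-A INPUT -p udp -m udp --dport ${VPN_PORT} -j ACCEPT" \
             "-A FORWARD -s ${VPN_NET} -j ACCEPT" \
             "-A POSTROUTING -s ${VPN_NET} -o ${WAN_IF} -j MASQUERADE"; do
    if ! printf '%s\n' "$dump" | grep -qF -- "$pat"; then
      echo "missing: $pat"
      missing=$((missing + 1))
    fi
  done
  return "$missing"
}

# Constructed sample dump: the original poster's situation, tunnel accepted and
# forwarded, but no MASQUERADE on the WAN side, so clients connect yet get no internet.
SAMPLE_DUMP="-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A FORWARD -s 192.168.60.0/24 -j ACCEPT
-A FORWARD -i br0 -o tun0 -j ACCEPT
-A FORWARD -i tun0 -o br0 -j ACCEPT"

check_rules "$SAMPLE_DUMP" || echo "clients will connect but not reach the internet; add the missing rule(s)"
```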

Reply to #8 tomleehk

I tested by installing OpenVPN on a remote computer and connecting into the server.
The IP is 192.168.60.2, and 192.168.60.1 reaches the dd-wrt router interface.
Testing shows I can get out to the internet, and the WAN IP address is the dd-wrt router's external IP.

Last night I also tried Android and it connected successfully, though the speed was not very fast.