Question

[Help Needed] Setting up OpenVPN on DD-WRT Router

Dears, I’ve used this script: https://github.com/Nyr/openvpn-install

To install an OpenVPN server on my DigitalOcean VPS/Droplet

However, I had a rough time getting this to work on my DD-WRT router: DD-WRT v3.0-r28788 std (01/13/16), router: Linksys WRT1200AC

I’m getting the error: TLS Handshake Failed

I just can’t figure out the correct settings, and I would really appreciate it if you could give me some help or at least tell me where to search.

P.S.: My OpenVPN file works perfectly with Tunnelblick on Mac, so I’m sure there’s nothing wrong with my server installation.

My OpenVPN file:

client
dev tun
proto udp
sndbuf 0
rcvbuf 0
remote 46.101.222.212 443
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-128-CBC
comp-lzo
setenv opt block-outside-dns
key-direction 1
verb 3
<ca>
-----BEGIN CERTIFICATE-----
[XXXXXXXXX]
-----END CERTIFICATE-----
</ca>
<cert>
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=ChangeMe
        Validity
            Not Before: Dec  7 07:17:46 2016 GMT
            Not After : Dec  5 07:17:46 2026 GMT
        Subject: CN=client
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Subject Key Identifier: 
                26:EB:C5:D6:DF:E3:2B:33:D0:70:66:02:7A:84:93:8F:76:2F:95:81
            X509v3 Authority Key Identifier: 
                keyid:BF:F6:38:8F:C6:E1:8F:15:C4:0A:E7:9E:50:49:48:D4:BA:93:39:20
                DirName:/CN=ChangeMe
                serial:ED:A1:36:6E:60:F6:C9:13

            X509v3 Extended Key Usage: 
                TLS Web Client Authentication
            X509v3 Key Usage: 
                Digital Signature
    Signature Algorithm: sha256WithRSAEncryption
-----BEGIN CERTIFICATE-----
[XXXXXXXX]
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
[XXXXXXXXXX]
-----END PRIVATE KEY-----
</key>
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
[XXXXXXXX]
-----END OpenVPN Static key V1-----
</tls-auth>

An image which shows my current config: http://static.msaleh.me/ddwrt.jpg

My error log:

20161212 11:09:16 I OpenVPN 2.3.8 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Jan 13 2016 
20161212 11:09:16 I library versions: OpenSSL 1.0.2e 3 Dec 2015 LZO 2.09 
20161212 11:09:16 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:16 
20161212 11:09:16 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts 
20161212 11:09:16 W WARNING: file '/tmp/openvpncl/client.key' is group or others accessible 
20161212 11:09:16 W WARNING: file '/tmp/openvpncl/ta.key' is group or others accessible 
20161212 11:09:16 I Control Channel Authentication: using '/tmp/openvpncl/ta.key' as a OpenVPN static key file 
20161212 11:09:16 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication 
20161212 11:09:16 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication 
20161212 11:09:16 Socket Buffers: R=[180224->131072] S=[180224->131072] 
20161212 11:09:16 I UDPv4 link local: [undef] 
20161212 11:09:16 I UDPv4 link remote: [AF_INET]46.101.222.212:443 
20161212 11:09:16 TLS: Initial packet from [AF_INET]46.101.222.212:443 sid=99851032 d5ab07b6 
20161212 11:09:16 VERIFY OK: depth=1 CN=ChangeMe 
20161212 11:09:16 VERIFY nsCertType ERROR: CN=server require nsCertType=SERVER 
20161212 11:09:16 N TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:lib(20):func(144):reason(134) 
20161212 11:09:16 N TLS Error: TLS object -> incoming plaintext read error 
20161212 11:09:16 N TLS Error: TLS handshake failed 
20161212 11:09:16 I SIGUSR1[soft tls-error] received process restarting 
20161212 11:09:16 Restart pause 2 second(s) 
20161212 11:09:18 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts 
20161212 11:09:18 Socket Buffers: R=[180224->131072] S=[180224->131072] 
20161212 11:09:18 I UDPv4 link local: [undef] 
20161212 11:09:18 I UDPv4 link remote: [AF_INET]46.101.222.212:443 
20161212 11:09:20 TLS: Initial packet from [AF_INET]46.101.222.212:443 sid=89e2422e ef2a8c8c 
20161212 11:09:20 VERIFY OK: depth=1 CN=ChangeMe 
20161212 11:09:20 VERIFY nsCertType ERROR: CN=server require nsCertType=SERVER 
20161212 11:09:20 N TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:lib(20):func(144):reason(134) 
20161212 11:09:20 N TLS Error: TLS object -> incoming plaintext read error 
20161212 11:09:20 N TLS Error: TLS handshake failed 
20161212 11:09:20 I SIGUSR1[soft tls-error] received process restarting 
20161212 11:09:20 Restart pause 2 second(s) 
20161212 11:09:21 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16 
20161212 11:09:21 D MANAGEMENT: CMD 'state' 
20161212 11:09:21 MANAGEMENT: Client disconnected 
20161212 11:09:21 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16 
20161212 11:09:21 D MANAGEMENT: CMD 'state' 
20161212 11:09:21 MANAGEMENT: Client disconnected 
20161212 11:09:21 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16 
20161212 11:09:21 D MANAGEMENT: CMD 'state' 
20161212 11:09:21 MANAGEMENT: Client disconnected 
20161212 11:09:21 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16 
20161212 11:09:21 D MANAGEMENT: CMD 'status 2' 
20161212 11:09:21 MANAGEMENT: Client disconnected 
20161212 11:09:21 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16 
20161212 11:09:21 D MANAGEMENT: CMD 'log 500' 
19700101 01:00:00 

I’m not really sure if it’s fine to post this question :) If it’s not, then I apologize; please delete it.

But really, I would appreciate any help. Thanks.



Hi @ryanpq, thanks a lot for your reply. I finally got it to work.

I removed all of the extra config and left only:

persist-key
persist-tun

and also removed the checkmark on nsCertType, and finally it connected successfully.

For anyone stuck with this kindly check the answer here as well: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=306070&sid=7e4ee3c75056a710003cb40a8b88d61e
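The `VERIFY nsCertType ERROR` in the log above and the nsCertType checkbox in this reply refer to two different peer-certificate checks that read different X.509 extensions. The following is an added example, not code from this thread, DD-WRT or OpenVPN: it parses the extension section of `openssl x509 -text` output (the format pasted in the question) and applies the legacy `ns-cert-type server` rule next to the `remote-cert-tls server` rule, modelled on the OpenVPN 2.3 man-page equivalence to EKU plus keyUsage `a0`/`88`; the server certificate excerpt is constructed in the shape easy-rsa 3 produces, not taken from the poster's server.

```python
# Extension headers as printed by `openssl x509 -text`; values sit on the next line.
NS_CERT_TYPE = "Netscape Cert Type:"
EXT_KEY_USAGE = "X509v3 Extended Key Usage:"
KEY_USAGE = "X509v3 Key Usage:"

# OpenVPN 2.3 man page: --remote-cert-tls server == --remote-cert-eku
# "TLS Web Server Authentication" --remote-cert-ku a0 88 (client: 80 08 88).
KU_ALLOWED = {
    "server": [{"Digital Signature", "Key Encipherment"},    # 0xa0
               {"Digital Signature", "Key Agreement"}],      # 0x88
    "client": [{"Digital Signature"}, {"Key Agreement"},     # 0x80, 0x08
               {"Digital Signature", "Key Agreement"}],      # 0x88
}
EKU_NAME = {"server": "TLS Web Server Authentication",
            "client": "TLS Web Client Authentication"}
NS_NAME = {"server": "SSL Server", "client": "SSL Client"}

def parse_extensions(text):
    """Map each known extension header to the set of values on the next line."""
    lines = [ln.strip() for ln in text.splitlines()]
    found = {}
    for i, line in enumerate(lines[:-1]):
        for hdr in (NS_CERT_TYPE, EXT_KEY_USAGE, KEY_USAGE):
            if line.startswith(hdr):
                found[hdr] = {v.strip() for v in lines[i + 1].split(",")}
    return found

def ns_cert_type_ok(text, role="server"):
    """Legacy --ns-cert-type (DD-WRT's nsCertType box): needs the deprecated
    Netscape Cert Type extension naming SSL Server / SSL Client."""
    return NS_NAME[role] in parse_extensions(text).get(NS_CERT_TYPE, set())

def remote_cert_tls_ok(text, role="server"):
    """--remote-cert-tls: EKU names the role and keyUsage equals one of the
    bit sets above (simplified model of OpenVPN 2.3's check)."""
    ext = parse_extensions(text)
    return (EKU_NAME[role] in ext.get(EXT_KEY_USAGE, set())
            and ext.get(KEY_USAGE, set()) in KU_ALLOWED[role])

# Constructed excerpt in the shape easy-rsa 3 (used by the install script)
# emits for a server cert: EKU and keyUsage set, no Netscape Cert Type at all.
EASYRSA_SERVER_CERT = """
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
"""
```

With the nsCertType box unchecked, the `remote-cert-tls server` line in the .ovpn is what still distinguishes the server from any other certificate the same CA signed, so it is worth keeping that line when trimming the config.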

You’re likely going to need to follow a guide focused on DD-WRT. As an embedded distribution, it cannot be assumed that all utilities and prerequisites that would be available on a full server distro are there. I would start here with the DD-WRT documentation regarding OpenVPN.