[Help Needed] Setting up OpenVPN on DD-WRT Router

December 12, 2016
VPN Ubuntu

Dears,
I've used this script:
https://github.com/Nyr/openvpn-install

To install an OpenVPN server on my DigitalOcean VPS/Droplet

However, I had a rough time getting this to work on my DD-WRT router:
DD-WRT v3.0-r28788 std (01/13/16)
Router: Linksys WRT1200AC

I'm getting the error:
TLS Handshake Failed

I just can't figure out the correct settings, and I would really appreciate it if you could give me some help or at least tell me where to search.

P.S.: My OpenVPN file works perfectly with Tunnelblick on Mac, so I'm sure that there's nothing wrong with my server installation.

My OpenVPN file:

client
dev tun
proto udp
sndbuf 0
rcvbuf 0
remote 46.101.222.212 443
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-128-CBC
comp-lzo
setenv opt block-outside-dns
key-direction 1
verb 3
<ca>
-----BEGIN CERTIFICATE-----
[XXXXXXXXX]
-----END CERTIFICATE-----
</ca>
<cert>
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=ChangeMe
        Validity
            Not Before: Dec  7 07:17:46 2016 GMT
            Not After : Dec  5 07:17:46 2026 GMT
        Subject: CN=client
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Subject Key Identifier: 
                26:EB:C5:D6:DF:E3:2B:33:D0:70:66:02:7A:84:93:8F:76:2F:95:81
            X509v3 Authority Key Identifier: 
                keyid:BF:F6:38:8F:C6:E1:8F:15:C4:0A:E7:9E:50:49:48:D4:BA:93:39:20
                DirName:/CN=ChangeMe
                serial:ED:A1:36:6E:60:F6:C9:13

            X509v3 Extended Key Usage: 
                TLS Web Client Authentication
            X509v3 Key Usage: 
                Digital Signature
    Signature Algorithm: sha256WithRSAEncryption
-----BEGIN CERTIFICATE-----
[XXXXXXXX]
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
[XXXXXXXXXX]
-----END PRIVATE KEY-----
</key>
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
[XXXXXXXX]
-----END OpenVPN Static key V1-----
</tls-auth>

An image which shows my current config:
http://static.msaleh.me/ddwrt.jpg

My error log:

20161212 11:09:16 I OpenVPN 2.3.8 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Jan 13 2016 
20161212 11:09:16 I library versions: OpenSSL 1.0.2e 3 Dec 2015 LZO 2.09 
20161212 11:09:16 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:16 
20161212 11:09:16 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts 
20161212 11:09:16 W WARNING: file '/tmp/openvpncl/client.key' is group or others accessible 
20161212 11:09:16 W WARNING: file '/tmp/openvpncl/ta.key' is group or others accessible 
20161212 11:09:16 I Control Channel Authentication: using '/tmp/openvpncl/ta.key' as a OpenVPN static key file 
20161212 11:09:16 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication 
20161212 11:09:16 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication 
20161212 11:09:16 Socket Buffers: R=[180224->131072] S=[180224->131072] 
20161212 11:09:16 I UDPv4 link local: [undef] 
20161212 11:09:16 I UDPv4 link remote: [AF_INET]46.101.222.212:443 
20161212 11:09:16 TLS: Initial packet from [AF_INET]46.101.222.212:443 sid=99851032 d5ab07b6 
20161212 11:09:16 VERIFY OK: depth=1 CN=ChangeMe 
20161212 11:09:16 VERIFY nsCertType ERROR: CN=server require nsCertType=SERVER 
20161212 11:09:16 N TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:lib(20):func(144):reason(134) 
20161212 11:09:16 N TLS Error: TLS object -> incoming plaintext read error 
20161212 11:09:16 N TLS Error: TLS handshake failed 
20161212 11:09:16 I SIGUSR1[soft tls-error] received process restarting 
20161212 11:09:16 Restart pause 2 second(s) 
20161212 11:09:18 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts 
20161212 11:09:18 Socket Buffers: R=[180224->131072] S=[180224->131072] 
20161212 11:09:18 I UDPv4 link local: [undef] 
20161212 11:09:18 I UDPv4 link remote: [AF_INET]46.101.222.212:443 
20161212 11:09:20 TLS: Initial packet from [AF_INET]46.101.222.212:443 sid=89e2422e ef2a8c8c 
20161212 11:09:20 VERIFY OK: depth=1 CN=ChangeMe 
20161212 11:09:20 VERIFY nsCertType ERROR: CN=server require nsCertType=SERVER 
20161212 11:09:20 N TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:lib(20):func(144):reason(134) 
20161212 11:09:20 N TLS Error: TLS object -> incoming plaintext read error 
20161212 11:09:20 N TLS Error: TLS handshake failed 
20161212 11:09:20 I SIGUSR1[soft tls-error] received process restarting 
20161212 11:09:20 Restart pause 2 second(s) 
20161212 11:09:21 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16 
20161212 11:09:21 D MANAGEMENT: CMD 'state' 
20161212 11:09:21 MANAGEMENT: Client disconnected 
20161212 11:09:21 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16 
20161212 11:09:21 D MANAGEMENT: CMD 'state' 
20161212 11:09:21 MANAGEMENT: Client disconnected 
20161212 11:09:21 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16 
20161212 11:09:21 D MANAGEMENT: CMD 'state' 
20161212 11:09:21 MANAGEMENT: Client disconnected 
20161212 11:09:21 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16 
20161212 11:09:21 D MANAGEMENT: CMD 'status 2' 
20161212 11:09:21 MANAGEMENT: Client disconnected 
20161212 11:09:21 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16 
20161212 11:09:21 D MANAGEMENT: CMD 'log 500' 
19700101 01:00:00 

I'm not really sure if it's fine to post this question :)
If it's not, then I apologize, and please delete it.

But really, I would appreciate any help.
Thanks.

2 Answers

You're likely going to need to follow a guide focused on dd-wrt. As an embedded distribution, it cannot be assumed that all utilities and prerequisites that would be available on a full server distro would be there. I would start with the dd-wrt documentation regarding OpenVPN.

Hi @ryanpq
Thanks a lot for your reply
I got it to work finally

I removed all of the extra config and left only:

persist-key
persist-tun

and also removed the checkmark on nsCertType,
and finally it connected successfully.

For anyone stuck with this kindly check the answer here as well:
http://www.dd-wrt.com/phpBB2/viewtopic.php?t=306070&sid=7e4ee3c75056a710003cb40a8b88d61e
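The "VERIFY nsCertType ERROR: CN=server require nsCertType=SERVER" line in the log and the nsCertType checkbox removed in the reply above are two sides of the same check: the checkbox enables the legacy ns-cert-type server verification, which needs a Netscape Cert Type extension that certificates from the install script (like the dump in the question) do not carry, while the remote-cert-tls server line already in the posted .ovpn performs the modern equivalent via the Extended Key Usage extension. The following is an added illustration, not code from the thread or from OpenVPN: it parses constructed certificate dumps in the same `openssl x509 -text` layout as the question's and applies a simplified model of both directives, so it also shows why a client certificate cannot pass as a server under remote-cert-tls server.

```python
# Constructed samples in the layout of `openssl x509 -noout -text` (same layout
# as the dump in the question). Server-style cert: modern EKU, no Netscape Cert Type.
SERVER_CERT_TEXT = """\
        X509v3 extensions:
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication
            X509v3 Key Usage: 
                Digital Signature, Key Encipherment
"""
# Constructed client-style certificate with the extensions seen in the question.
CLIENT_CERT_TEXT = """\
        X509v3 extensions:
            X509v3 Extended Key Usage: 
                TLS Web Client Authentication
            X509v3 Key Usage: 
                Digital Signature
"""

def parse_extensions(cert_text):
    """Map extension name -> list of values from the X509v3 extensions block."""
    exts, current, in_exts = {}, None, False
    for line in cert_text.splitlines():
        stripped = line.strip()
        if stripped == "X509v3 extensions:":
            in_exts = True
        elif in_exts and stripped.startswith("Signature Algorithm"):
            break                                      # end of extensions block
        elif in_exts and stripped.endswith(":") and len(line) - len(line.lstrip()) <= 12:
            current = stripped[:-1]                    # extension header line
            exts[current] = []
        elif in_exts and current is not None and stripped:
            exts[current].extend(v.strip() for v in stripped.split(","))
    return exts

def passes_ns_cert_type_server(exts):
    # DD-WRT's nsCertType checkbox (--ns-cert-type server) needs the legacy Netscape
    # Cert Type extension marked "SSL Server"; modern easy-rsa certs omit it entirely.
    return "SSL Server" in exts.get("Netscape Cert Type", [])

def passes_remote_cert_tls_server(exts):
    # Simplified model of --remote-cert-tls server: EKU must contain serverAuth and
    # keyUsage must allow signing (real OpenVPN accepts a few more keyUsage combos).
    return ("TLS Web Server Authentication" in exts.get("X509v3 Extended Key Usage", [])
            and "Digital Signature" in exts.get("X509v3 Key Usage", []))

def verify_peer(cert_text, directive):
    """True if the peer certificate would satisfy the given verification directive."""
    exts = parse_extensions(cert_text)
    if directive == "ns-cert-type server":
        return passes_ns_cert_type_server(exts)
    return passes_remote_cert_tls_server(exts)       # "remote-cert-tls server"
```

Run against a real `openssl x509 -in server.crt -noout -text` dump, the same parser shows which of the two directives a given server certificate can satisfy; keeping remote-cert-tls server in the client config preserves the guarantee that only a server-authentication certificate from the CA is accepted.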
