Open VPN using router configured with DD-WRT

I've used PIA for some time, but now I want to use it
through OpenVPN on a router. I purchased and set up the Netgear AC1450 and
flashed DD-WRT, however I'm not able to get it to configure. The Netgear router
is connected to my FIOS router (Verizon MI424WR Router). Thinking the Fios
router might be causing problems, I turned the Firewall security to
"minimal" and opened port UDP 1194.



I followed the instructions here: http://www.instructables.com/id/Configu
... -for-Priv/




Any help would be GREATLY appreciated!



I'll post the logs below:

Comments

  • Here are the logs:

    State

    Client: RECONNECTING tls-error

    Local Address:

    Remote Address:

     Status

    VPN Client Stats

    TUN/TAP read bytes      0

    TUN/TAP write bytes     0

    TCP/UDP read bytes       0

    TCP/UDP write bytes     0

    Auth read bytes               0

     

    Log

    Clientlog:

    19700101 09:42:00 I SIGUSR1[soft tls-error] received process
    restarting

    19700101 09:42:00 Restart pause 2 second(s)

    19700101 09:42:02 W NOTE: the current --script-security
    setting may allow this configuration to call user-defined scripts

    19700101 09:42:02 Socket Buffers: R=[180224->131072]
    S=[180224->131072]

    19700101 09:42:02 I UDPv4 link local: [undef]

    19700101 09:42:02 I UDPv4 link remote:
    [AF_INET]50.23.131.249:1194

    19700101 09:42:02 TLS: Initial packet from
    [AF_INET]50.23.131.249:1194 sid=9ad95e1c cc9170f9

    19700101 09:42:02 N VERIFY ERROR: depth=1 error=certificate
    is not yet valid: C=US ST=OH L=Columbus O=Private Internet Access CN=Private
    Internet Access CA [email protected]

    19700101 09:42:02 N TLS_ERROR: BIO read tls_read_plaintext
    error: error:14090086:lib(20):func(144):reason(134)

    19700101 09:42:02 N TLS Error: TLS object -> incoming
    plaintext read error

    19700101 09:42:02 NOTE: --mute triggered...

    19700101 09:42:02 1 variation(s) on previous 3 message(s)
    suppressed by --mute

    19700101 09:42:02 I SIGUSR1[soft tls-error] received process
    restarting

    19700101 09:42:02 Restart pause 2 second(s)

    19700101 09:42:04 W NOTE: the current --script-security
    setting may allow this configuration to call user-defined scripts

    19700101 09:42:04 Socket Buffers: R=[180224->131072]
    S=[180224->131072]

    19700101 09:42:04 I UDPv4 link local: [undef]

    19700101 09:42:04 I UDPv4 link remote:
    [AF_INET]173.192.176.164:1194

    19700101 09:42:05 TLS: Initial packet from
    [AF_INET]173.192.176.164:1194 sid=3e57b2c0 6e6cc6bf

    19700101 09:42:05 N VERIFY ERROR: depth=1 error=certificate
    is not yet valid: C=US ST=OH L=Columbus O=Private Internet Access CN=Private
    Internet Access CA [email protected]

    19700101 09:42:05 N TLS_ERROR: BIO read tls_read_plaintext
    error: error:14090086:lib(20):func(144):reason(134)

    19700101 09:42:05 N TLS Error: TLS object -> incoming
    plaintext read error

    19700101 09:42:05 NOTE: --mute triggered...

    19700101 09:42:05 1 variation(s) on previous 3 message(s)
    suppressed by --mute

    19700101 09:42:05 I SIGUSR1[soft tls-error] received process
    restarting

    19700101 09:42:05 Restart pause 2 second(s)

    19700101 09:42:07 W NOTE: the current --script-security
    setting may allow this configuration to call user-defined scripts

    19700101 09:42:07 Socket Buffers: R=[180224->131072]
    S=[180224->131072]

    19700101 09:42:07 I UDPv4 link local: [undef]

    19700101 09:42:07 I UDPv4 link remote:
    [AF_INET]50.23.131.249:1194

    19700101 09:42:07 TLS: Initial packet from
    [AF_INET]50.23.131.249:1194 sid=5d5cbe4c 71f07d64

    19700101 09:42:08 N VERIFY ERROR: depth=1 error=certificate
    is not yet valid: C=US ST=OH L=Columbus O=Private Internet Access CN=Private
    Internet Access CA [email protected]

    19700101 09:42:08 N TLS_ERROR: BIO read tls_read_plaintext
    error: error:14090086:lib(20):func(144):reason(134)

    19700101 09:42:08 N TLS Error: TLS object -> incoming
    plaintext read error

    19700101 09:42:08 NOTE: --mute triggered...

    19700101 09:42:08 1 variation(s) on previous 3 message(s)
    suppressed by --mute

    19700101 09:42:08 I SIGUSR1[soft tls-error] received process
    restarting

    19700101 09:42:08 Restart pause 2 second(s)

    19700101 09:42:10 W NOTE: the current --script-security
    setting may allow this configuration to call user-defined scripts

    19700101 09:42:10 Socket Buffers: R=[180224->131072] S=[180224->131072]

    19700101 09:42:10 I UDPv4 link local: [undef]

    19700101 09:42:10 I UDPv4 link remote:
    [AF_INET]173.192.187.139:1194

    19700101 09:42:10 TLS: Initial packet from
    [AF_INET]173.192.187.139:1194 sid=418f341b 8ea086a9

    19700101 09:42:10 N VERIFY ERROR: depth=1 error=certificate
    is not yet valid: C=US ST=OH L=Columbus O=Private Internet Access CN=Private
    Internet Access CA [email protected]

    19700101 09:42:10 N TLS_ERROR: BIO read tls_read_plaintext
    error: error:14090086:lib(20):func(144):reason(134)

    19700101 09:42:10 N TLS Error: TLS object -> incoming
    plaintext read error

    19700101 09:42:10 NOTE: --mute triggered...

    19700101 09:42:10 1 variation(s) on previous 3 message(s)
    suppressed by --mute

    19700101 09:42:10 I SIGUSR1[soft tls-error] received process
    restarting

    19700101 09:42:10 Restart pause 2 second(s)

    19700101 09:42:12 W NOTE: the current --script-security
    setting may allow this configuration to call user-defined scripts

    19700101 09:42:12 Socket Buffers: R=[180224->131072]
    S=[180224->131072]

    19700101 09:42:12 I UDPv4 link local: [undef]

    19700101 09:42:12 I UDPv4 link remote:
    [AF_INET]173.192.176.159:1194

    19700101 09:42:12 TLS: Initial packet from
    [AF_INET]173.192.176.159:1194 sid=1091a5da 8ddc46b7

    19700101 09:42:13 N VERIFY ERROR: depth=1 error=certificate
    is not yet valid: C=US ST=OH L=Columbus O=Private Internet Access CN=Private
    Internet Access CA [email protected]

    19700101 09:42:13 N TLS_ERROR: BIO read tls_read_plaintext
    error: error:14090086:lib(20):func(144):reason(134)

    19700101 09:42:13 N TLS Error: TLS object -> incoming
    plaintext read error

    19700101 09:42:13 NOTE: --mute triggered...

    19700101 09:42:13 1 variation(s) on previous 3 message(s)
    suppressed by --mute

    19700101 09:42:13 I SIGUSR1[soft tls-error] received process
    restarting

    19700101 09:42:13 Restart pause 2 second(s)

    19700101 09:42:15 W NOTE: the current --script-security
    setting may allow this configuration to call user-defined scripts

    19700101 09:42:15 Socket Buffers: R=[180224->131072]
    S=[180224->131072]

    19700101 09:42:15 I UDPv4 link local: [undef]

    19700101 09:42:15 I UDPv4 link remote:
    [AF_INET]173.192.176.164:1194

    19700101 09:42:15 TLS: Initial packet from [AF_INET]173.192.176.164:1194
    sid=afb3c774 0ba233f1

    19700101 09:42:15 N VERIFY ERROR: depth=1 error=certificate
    is not yet valid: C=US ST=OH L=Columbus O=Private Internet Access CN=Private
    Internet Access CA [email protected]

    19700101 09:42:15 N TLS_ERROR: BIO read tls_read_plaintext
    error: error:14090086:lib(20):func(144):reason(134)

    19700101 09:42:15 N TLS Error: TLS object -> incoming
    plaintext read error

    19700101 09:42:15 NOTE: --mute triggered...

    19700101 09:42:15 1 variation(s) on previous 3 message(s)
    suppressed by --mute

    19700101 09:42:15 I SIGUSR1[soft tls-error] received process
    restarting

    19700101 09:42:15 Restart pause 2 second(s)

    19700101 09:42:17 W NOTE: the current --script-security
    setting may allow this configuration to call user-defined scripts

    19700101 09:42:17 Socket Buffers: R=[180224->131072]
    S=[180224->131072]

    19700101 09:42:17 I UDPv4 link local: [undef]

    19700101 09:42:17 I UDPv4 link remote:
    [AF_INET]50.23.131.249:1194

    19700101 09:42:17 TLS: Initial packet from
    [AF_INET]50.23.131.249:1194 sid=93aa5397 1046583b

    19700101 09:42:18 N VERIFY ERROR: depth=1 error=certificate
    is not yet valid: C=US ST=OH L=Columbus O=Private Internet Access CN=Private
    Internet Access CA [email protected]

    19700101 09:42:18 N TLS_ERROR: BIO read tls_read_plaintext
    error: error:14090086:lib(20):func(144):reason(134)

    19700101 09:42:18 N TLS Error: TLS object -> incoming
    plaintext read error

    19700101 09:42:18 NOTE: --mute triggered...

    19700101 09:42:18 1 variation(s) on previous 3 message(s)
    suppressed by --mute

    19700101 09:42:18 I SIGUSR1[soft tls-error] received process
    restarting

    19700101 09:42:18 Restart pause 2 second(s)

    19700101 09:42:18 MANAGEMENT: Client connected from
    [AF_INET]127.0.0.1:16

    19700101 09:42:18 D MANAGEMENT: CMD 'state'

    19700101 09:42:18 MANAGEMENT: Client disconnected

    19700101 09:42:19 MANAGEMENT: Client connected from
    [AF_INET]127.0.0.1:16

    19700101 09:42:19 D MANAGEMENT: CMD 'state'

    19700101 09:42:19 MANAGEMENT: Client disconnected

    19700101 09:42:19 MANAGEMENT: Client connected from
    [AF_INET]127.0.0.1:16

    19700101 09:42:19 D MANAGEMENT: CMD 'state'

    19700101 09:42:19 MANAGEMENT: Client disconnected

    19700101 09:42:19 MANAGEMENT: Client connected from
    [AF_INET]127.0.0.1:16

    19700101 09:42:19 D MANAGEMENT: CMD 'status 2'

    19700101 09:42:19 MANAGEMENT: Client disconnected

    19700101 09:42:19 MANAGEMENT: Client connected from
    [AF_INET]127.0.0.1:16

    19700101 09:42:19 D MANAGEMENT: CMD 'log 500'

    19700101 01:00:00

     

    ca /tmp/openvpncl/ca.crt
    management 127.0.0.1 16
    management-log-cache 100
    verb 3
    mute 3
    syslog
    writepid /var/run/openvpncl.pid
    client
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    script-security 2
    dev tun1
    proto udp
    cipher bf-cbc
    auth sha1
    auth-user-pass /tmp/openvpncl/credentials
    remote us-seattle.privateinternetaccess.com 1194
    comp-lzo yes
    tun-mtu 1500
    mtu-disc yes
    fast-io
    tun-ipv6
    persist-key
    persist-tun
    tls-client
    remote-cert-tls server

  • Someone on another forum found the issue, it was simply the clock wasn't set!

    Now that I am successfully connected the devices through my secondary router seem to be connecting to the primary router still and aren't being routed through the VPN setup in the secondary router. 
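
The failure in the log above pairs `certificate is not yet valid` with timestamps dated 1970. As an added example (not part of the thread), this function flags that pairing in a client log; the year-2000 cutoff and the sample lines are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Reads a DD-WRT OpenVPN client log on
# stdin and prints one verdict about certificate-validity failures.

diagnose_openvpn_log() {
    awk '
        /VERIFY ERROR/ && /certificate is not yet valid/ {
            not_yet++
            # Field 1 is the log date as YYYYMMDD. A router with no
            # battery-backed clock boots in 1970 until NTP sets the time.
            # The cutoff year 2000 is an assumption of this example.
            if (substr($1, 1, 4) + 0 < 2000) unset_clock++
        }
        END {
            if (not_yet > 0 && unset_clock == not_yet) print "clock-unset"
            else if (not_yet > 0) print "not-yet-valid-clock-looks-set"
            else print "no-verify-error"
        }
    '
}

# Constructed sample in the same format as the log posted above
# (the certificate subject is a placeholder).
constructed_log() {
    cat <<'EOF'
19700101 09:42:02 I UDPv4 link local: [undef]
19700101 09:42:02 N VERIFY ERROR: depth=1 error=certificate is not yet valid: CN=Example CA
19700101 09:42:02 N TLS Error: TLS object -> incoming plaintext read error
19700101 09:42:02 I SIGUSR1[soft tls-error] received process restarting
EOF
}

constructed_log | diagnose_openvpn_log
```

A `clock-unset` verdict points at the router's time source (NTP) rather than at the VPN configuration.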
  • Seems that this isn't a PIA problem.  It's best that you go to a forum dedicated to dd-wrt to get help.
  • My time is fine.  It too just went down.  I've retraced all my steps and followed everything to a T.  I've now got the same error.
  • Hello,

    Please reset the router back to the default settings and re-setup following these new amended set-up steps and let us know how you get along.  Good luck!


    General DD-WRT Setup Guide for the AES-128 cert
    ===============================================

    Step 1 - Log into your DD-WRT router's administrative interface
    - Open your web browser and type in your gateway/router IP similar to one of the following IPs:

    192.168.0.1
    192.168.1.1
    192.168.2.1


    Step 2 - Configure options within "Basic Setup"
    - Click "Setup"
    - Then click "Basic Setup"
    - Under "Network Address Server Settings (DHCP)" set the following:

    "Static DNS 1" = "209.222.18.222"
    "Static DNS 2" = "209.222.18.218"

    "Use DNSMasq for DHCP" = "Checked"
    "Use DNSMasq for DNS" = "Checked"
    "DHCP-Authoritative" = "Checked"

    - Make sure that under "Time Settings"
    -- "NTP Client" = "Enabled"
    - Choose and set your correct time zone
    - Click "Save" and then "Apply Settings"


    Step 3 - Disable IPv6 ( If available )
    - Click "Setup"
    - Then click "IPV6" ( If this option is not listed then skip to the next step )
    - Set "IPv6" = "Disable"
    - Click "Save" and then "Apply Settings"


    * Skip the next step if you have already disabled IPv6 with the previous step.

    Step 3B - Disable IPv6 ( If available )
    - Click "Administration"
    - Then click "Management"
    - Under "IPv6 Support":
    -- Set "IPv6" = "Disable"
    - Click "Save" and then "Apply Settings"


    Step 4 - Enable Local DNS
    - Click "Services"
    - Then click the "Services" sub-tab
    - If there is a "DNS Suffix" please remove that
    - Under the "DHCP Server" section:
    -- Set "Used Domain" = "LAN & WLAN"
    - Under the "DNSMasq" section:
    -- Ensure that "DNSMasq" is "Enable"
    -- "Local DNS" is "Enable"
    -- "No DNS Rebind" is "Enable"
    - Click "Save" and then "Apply Settings"


    Step 5 - Configure the "OpenVPN Client"
    - Click "Services"
    - Then click the "VPN" sub-tab
    - Under the "OpenVPN Client" section:
    -- Set "Start OpenVPN Client" to "Enable"
    - Other options should appear
    - ( If available ) Set "Advanced Options" = "Enable"
    * More options should appear
    - Set the following:
    -- "Server IP/Name" to "us-east.privateinternetaccess.com"
    * ( Optional ) if you prefer to use a different location, you can find the full list of locations here: https://www.privateinternetaccess.com/pages/network
    -- "Port" = "1198"
    -- "Tunnel Device" = "TUN"
    -- "Tunnel Protocol" = "UDP"
    -- "Encryption Cipher" = "AES-128 CBC"
    -- "Hash Algorithm" = "SHA1"
    -- "User Pass Authentication" = "Enable"
    * ( If the Username and Password box is not here, don't worry the next step will cover that.  Please continue!)
    -- Set the "Username" and "Password" = "p1234567" and "your-password"
    * ( Be sure to replace "p1234567" and "your-password" with your actual p-username and password in the above )
    -- "TLS Cipher" = "None"
    -- "LZO Compression" = "Yes"
    -- "NAT" = "Enable"
    -- In the box next to "Additional Config" copy and paste in the following 4 lines:

    persist-key
    persist-tun
    tls-client
    remote-cert-tls server

    - Now copy and paste the following into the "CA Cert" field:
    * Also each of the longer lines are 64 characters wide, this is required!  Simply copying and pasting should work.
    ** Be sure the entire text gets pasted in including "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines.


    - Click "Save" and then "Apply Settings"


    Note: Skip this next step if you did have a username and password box in the above step.

    Step 5B
    - Go back to the box next to "Additional Config" copy and paste to replace what is there with the following 5 lines:

    auth-user-pass /tmp/password.txt
    persist-key
    persist-tun
    tls-client
    remote-cert-tls server

    - We have to also create a startup script with VPN Username and Password
    * ( Note: Just a reminder if you already entered the username within "Step 5" skip this and move onto the next step )
    - Click "Administration"
    - Then click "Commands"
    - Copy and paste in the following 4 lines into the Command Shell:

    echo username > /tmp/password.txt
    echo password >> /tmp/password.txt
    /usr/bin/killall openvpn
    /usr/sbin/openvpn --config /tmp/openvpncl/openvpn.conf --route-up /tmp/openvpncl/route-up.sh --down-pre /tmp/openvpncl/route-down.sh --daemon

    * Note: Replace "username" and "password" with your actual PIA username and password.
    ** For example, if your PIA username was p1234567 and password was 12345678, the first couple of lines would look as follows:

    echo p1234567 > /tmp/password.txt
    echo 12345678 >> /tmp/password.txt

    - Then click "Save Startup"
    * The commands you entered should now show in the Startup box.


    Step 6 - Reboot and test!
    - Click "Administration"
    - Then click "Management"
    - Click "Reboot Router"
    * Wait for the router to reboot, then reconnect to it.
    - To Verify the VPN is Working
    -- Click "Status"
    -- Then click "OpenVPN"
    -- Under "State", you should see the message "Client: CONNECTED SUCCESS"
    - Then test by going to this site: https://www.privateinternetaccess.com/pages/whats-my-ip/
    -- Does it say "You are protected by PIA" or "Your private information is exposed" ?

    ---

    Please let us know if the above steps work for you!
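
The Step 5B startup commands launch OpenVPN at boot, which can be before the NTP client from Step 2 has set the clock, and they create `/tmp/password.txt` with default permissions. As an added example (not part of the guide), these helpers hold the launch until the clock passes a floor and write the credentials file readable by its owner only; the function names and the floor date are assumptions.

```shell
#!/bin/sh
# Added example, not from the guide. Helper names and CLOCK_FLOOR are
# assumptions; file paths and the openvpn command line come from Step 5B.

# Assumed floor: 2017-01-01 00:00:00 UTC. Any date later than the CA
# certificate's start of validity and earlier than today works.
CLOCK_FLOOR=1483228800

clock_is_sane() {
    # $1 = current time in epoch seconds, $2 = floor in epoch seconds
    [ "$1" -ge "$2" ]
}

wait_for_clock() {
    # $1 = floor, $2 = maximum number of checks, $3 = seconds between checks
    tries=0
    while [ "$tries" -lt "$2" ]; do
        if clock_is_sane "$(date +%s)" "$1"; then
            return 0
        fi
        tries=$((tries + 1))
        sleep "$3"
    done
    return 1
}

write_credentials() {
    # $1 = file, $2 = username, $3 = password
    (
        umask 077            # new files are created as 0600
        : > "$1"
        chmod 600 "$1"       # tighten a file that already existed
        printf '%s\n%s\n' "$2" "$3" > "$1"
    )
}

# In the Startup box the two echo lines and the openvpn line would become:
#   write_credentials /tmp/password.txt p1234567 your-password
#   /usr/bin/killall openvpn
#   wait_for_clock "$CLOCK_FLOOR" 60 5 && /usr/sbin/openvpn --config /tmp/openvpncl/openvpn.conf --route-up /tmp/openvpncl/route-up.sh --down-pre /tmp/openvpncl/route-down.sh --daemon
```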
  • edited January 2017
    WinstonSmith
    Great tutorial. Thanks. Worked for me!
    Before finding your tutorial, I followed another tutorial that I tried with no joy (https://www.privateinternetaccess.com/pages/client-support/dd-wrt-openvpn-older-build). Even after checking for typos ... did not work. Yours did.
    Thanks
    PS
    I am not using the PIA DNS as you suggested but some other open out there. Any reason to use PIA DNS vs other DNSs?

  • I can vouch that it was because of me not setting NTP which caused the exact same problem logs above. Once I turned on NTP and set it to 0.pool.ntp.org, it came right up after an apply and reboot! In regards to p5283284 said:
    WinstonSmith
    ...
    I am not using the PIA DNS as you suggested but some other open out there. Any reason to use PIA DNS vs other DNSs?

    I would imagine for the same reasons you are using a VPN. 