DDWRT OpenVPN troubleshooting guide

This document hopes to aid DDWWRT users with suggestions to troubleshoot a non-function OVPN
server setup.
This is a work in progress and any suggestions are welcome.
As more problems and there solutions are posted this will be added, so it is also up to you DDWRT
users to report common mistakes and their solutions.

The latest version of this document can be found at: https://forum.dd-

wrt.com/phpBB2/viewtopic.php?t=318795

Report your problems in the Advanced Networking Forum: https://forum.dd-

wrt.com/phpBB2/viewforum.php?f=53

First thing to check is if you are up to date with a functioning build (do not use the router database)
how to do that is explained in the forum guide lines.

When reporting a problem and asking for advice, it helps if you share with us as much details from
your setup as possible
At least:
• router model, firmware build kernel version
• If your router is not connected to the internet i.e. does not have a public IP on its WAN,
share your network setup
• Post pictures of your OVPN Setup page and OVPN Status page (the whole page) when you
are trying to connect
• Post contents of Additional Config of the OVPN server
• Post the log of the client when you are trying to conn

Last edited by egc 26-4-2021 1

Table of Contents

Test from outside .................................................................................................................................... 3

Reboot ..................................................................................................................................................... 3
Use a recent build.................................................................................................................................... 3
Regenerate certificates when coming from an older build..................................................................... 3
Which Setup guide to use........................................................................................................................ 3
LAN clients not reachable........................................................................................................................ 3
Routers NAS not reachable on newer builds with ksmbd ....................................................................... 3
Reset to defaults...................................................................................................................................... 4
Do not use a TLS auth key ....................................................................................................................... 4
Check subnets.......................................................................................................................................... 4
Port Forward when your OVPN router is not connected to the internet ............................................... 5
Check LZO settings (Connection but no or little traffic) .......................................................................... 5
Client with connection but no traffic ...................................................................................................... 5
Check time/date (Certificate not valid) ................................................................................................... 5
Shortcut Forwarding Engine (SFE) ........................................................................................................... 5
Check status ............................................................................................................................................ 5
K2.6 builds are broken............................................................................................................................. 6
Connected and local access but no Internet access ................................................................................ 6
Check Routes and Firewall ...................................................................................................................... 7
MTU size problems (Connection, but no traffic, hang, slow loading, or no streaming media) .............. 8
TLS Error: TLS key negotiation failed to occur within 60 seconds ........................................................... 8
AUTH: Received control message: AUTH_FAILED ................................................................................... 9
AEAD Decrypt error: ................................................................................................................................ 9
OpenVPN server does not start on reboot .............................................................................................. 9
Recursive routing detected, drop tun packet ......................................................................................... 9
Latency problems with latency sensitive traffic (e.g. VoIP ) ................................................................... 9
OpenVPN 2.5 ......................................................................................................................................... 10

Last edited by egc 26-4-2021 2

Test from outside
When testing an OVPN server you have to do it from the outside i.e. with a phone or laptop on
cellular, you cannot test from inside the network.

Reboot
When you are done setting up always reboot the router.

Use a recent build

When your build is more than a year old consider upgrading. Before upgrading always check the
build threads for problems. This is an example of a build thread: https://forum.dd-
wrt.com/phpBB2/viewtopic.php?t=318903 .
After upgrading reset to defaults and put settings in manually.

Regenerate certificates when coming from an older build

When coming from an older build (= older VPN version) it is often necessary to regenerate your
certificates because the minimum keysize has been upped.

Which Setup guide to use

Use a setup guide which is known to be up to date and use only this guide, do not use multiple guides
together.
How can you recognise a guide which is up to date?
DDWRT in modern builds will do most of the work for you, so you do not need anything added in the
Additional Config (if Redirect Default Gateway is enabled in the GUI, otherwise you have to push a
local route) and you only need one firewall route to NAT traffic over the WAN, and even that is only
necessary if you want internet access.
So if a guide tells you to do more it is outdated.
For an example of a recent guide see: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318795

LAN clients not reachable

If you LAN clients are not reachable than check that you have taken care of theCVE-2019-14899
Mitigation, see the OpenVPN server setup guide, as a quick test just disable it on the OpenVPN server
page.
Note that clients also have their own firewalls, you cannot connect to Windows clients on your LAN
without opening their firewall for the VPN's subnet: Advanced Firewall, new incoming rule, scope,
add VPN subnet to local scope.
Alternatively (but not recommended) you can use this quick and dirty workaround, i.e NATting the
OpenVPN traffic out onto the local network so that it appears if OpenVPN traffic originates from the
local network.
For this add the following rule to the firewall (first test from CLI and if working
Administration/Commands, Save Firewall:
iptables -t nat -I POSTROUTING -o br0 -s $(nvram get openvpn_net)/$(nvram
get openvpn_tunmask) -j MASQUERADE

Routers NAS not reachable on newer builds with ksmbd

When you want to access the routers NAS via internet with an app like AndSMB or from a connected
Windows client you have to make manual changes to the smb.conf file.

You need permanent storage (jffs), after you have setup USB and NAS, copy /tmp/smb.conf and
/tmp/smb.db to /jfss/etc/ , those files will then be used by ksmbd for configuration after the router
reboots (or after you restart ksmbd, see below).

Last edited by egc 26-4-2021 3

In the Global section of smb.conf add all the interface you want ksmbd to listen to.
When no interfaces are specified it seems to default to br0, eth0, vlan2, I am using a WG tunnel oet1
and an OpenVPN server tunnel tun2 and also wanted access from the LAN (br0), so I add:
interfaces = br0, oet1, tun2 (if necessary add WAN interface vlan2, eth0 and other interfaces like br1
etc.)
Some setups also need to set the hosts allow but normally this is not necessary:
hosts allow = 192.168.1.0/24, 10.4.0.0/24, 10.8.0.0/24. (some say to also include the local host
127.0.0.1)

MIN protocol should probably be NT1.

See Addendum 1 for my /jffs/etc/smb.conf.

Use stopservice samba3, startservice samba3, to stop and start, this could be necessary also if your
USB is slow and ksmbd does not detect /jffs/etc/smb.conf (so if necessary add this to a route-up
script)

You can check from the CLI that /jffs/etc/smb.conf is used and that ksmbd listens on the interfaces
you want with: ps
1857 root 1256 S ksmbd.mountd -c /jffs/etc/smb.conf -u /jffs/etc/smb.db
1859 root 1304 S ksmbd.mountd -c /jffs/etc/smb.conf -u /jffs/etc/smb.db
1861 root 0 SW [ksmbd-vlan2]
1863 root 0 SW [ksmbd-eth1]
1865 root 0 SW [ksmbd-eth0]
1869 root 0 SW [ksmbd-tun2]
1872 root 0 SW [ksmbd-oet1]
1873 root 0 SW [ksmbd-br0]

I got it working from my Android phone with AndSMB but I had to choose SMB v1 in AndSMB (and
set the min Protocol to NT1).

Reset to defaults
Sometimes you have been tinkering and trying out lots of things so if it is not working then reset to
defaults and only alter as little as possible before setting up the OVPN server.

Do not use a TLS auth key

The use of a TLS-AUTH key is not necessary from a security standpoint. So do not start with it, if you
want it, add it later.
There is an anecdotal report that a public wifi did not let you setup a VPN connection without TLS-
auth key.

Check subnets
OVPN server can only function if there are 3 different subnets involved, the subnet of the router, the
subnet of the OVPN server and the subnet of the client all have to be different (for a normal TUN
setup).
It is therefore advised to use a subnet for your router which is not common so do not use
192.168.0.0 or 192.168.1.0.

Last edited by egc 26-4-2021 4

Port Forward when your OVPN router is not connected to the internet
If the OVPN server is on a secondary router then you must not forget to set a port forward on your
primary router or place your OVPN router in the DMZ of the primary router.

Check LZO settings (Connection but no or little traffic)

If LZO settings do not match between server and client you can have a connection but you typically
do not see any traffic or only the first few bytes of the packet comes through.
The security of LZO compression has been compromised so use LZO compression NO in the DDWRT
GUI and "comp-lzo no" in the client settings.
Or better disable LZO compression on the servers GUI and leave out the comp-lzo line in the client
settings entirely.
The lzo-comp settings will be deprecated and superseded by the compress setting.
In OVPN 2.4 and later you can disable LZO compression in the GUI (set to Disable and not to No)

Client with connection but no traffic

Check if NAT is enabled on the client.

Check time/date (Certificate not valid)

If the time or date of the router is wrong, your certificates are not valid so check the time of the
router, login and have a look at Status/Router under Current Time.
Also have a look at the log on the Stus/OpenVPN page for the correct time and dat

Shortcut Forwarding Engine (SFE)

Builds between 39556 and 40459 do not forward UDP so if you have your OVPN server on a
secondary router and have set a port forward on your primary router be sure to disable SFE on your
primary router. After you disabled SFE reboot the router, in some builds it is only disabled after
reboot!

Check status
Check if the server is running, go to Status/OpenVPN.
If the OVPN server is running the page will show "Connected Success", this does not mean there is a
connection, it only tells you that OVPN server is started normally. If you do not see this and the page
is blank, then the OVPN server cannot start because of a setup problem, mostly due to a problem
with certificates, so check/redo the certificates

Last edited by egc 26-4-2021 5

K2.6 builds are broken
Builds using Linux kernel 2.6 appear not to be able to execute external scripts (problem with
busybox). So you will see errors in the log indicating it is not possible to execute route-up/down
scripts: WARNING: Failed running command (--up/--down): external program fork failed.
Not clear since when these problems started but probably after build : 36630. See: https://svn.dd-
wrt.com/ticket/6373. This problem should be fixed in builds after 40711 or go back to build 35531.
But better is using a build with Kernel 3.X

Connected and local access but no Internet access

Two rules are described in step 8a of the Setup guide, in 99,9% of all cases both work.
In rare cases only the second rule works (sometimes the case with using PPPoE).
If this is the case. post or PM me the output of the following 4 commands (telnet/Putty to your
router):
Code:
nvram get wan_iface
nvram get wan_ifname
get_wanface
echo WAN_IF="$(route -n | awk '/^0.0.0.0/{wif=$NF} END {print wif}')"

Last edited by egc 26-4-2021 6

Check Routes and Firewall
DDWRT should take care of the right settings for your firewall and routing so normally you do not
need to check this!
With the following commands you can see your routes and firewall settings (from Command Line
interface with telnet or putty):
ip route show
route -n
iptables -vnL
iptables -vnL -t nat
Post the output in the forum
Your client also has to have some routes to reach the OVPN server, the pushed routes should be
visible in the clients log, you can post those also in the forum,

DDWRT uses tun2 as its OpenVPN interface and takes care of all necessary firewall rules (except a
NAT rule if you want internet access. So do not add any firewall rules yourself beside the NAT rule.
Check if the OVPN interface exists:
ifconfig:

Opening up the specified port on the router and opening up the TUN interface :
iptables -vnL INPUT :

See the last 2 lines indicating port 1194 is opened and TUN2 is also opened

Forwarding traffic to and from that interface to that interface (TUN2) from all other interfaces
iptables -vnL FORWARD

See the last two line

Last edited by egc 26-4-2021 7

A route to tun2 should be present:
ip route show:

Second line indicating traffic for 10.8.0.0/24 is routed through tun2

MTU size problems (Connection, but no traffic, hang, slow loading, or no streaming media)
MTU problems often manifest themselves as connections which hang during periods of active usage,
or does not load the whole page when browsing. Or you can connect but not see or use streaming
media (like an IP Camera) or your connection is unexpected slow
In the log you can see messages like: read UDP [EMSGSIZE path-MTU=1388]: Message too long (code=90)

The MTU (Maximum Transmission Units) is the maximum datagram size in bytes that can be sent
unfragmented over a particular network path. OpenVPN requires that packets on the control or data
channels be sent unfragmented.

The easiest way to deal with this is using TCP as protocol instead of UDP (i.e. change "proto udp4" to
"proto tcp" on client and server

If this does not help or you do not want to use TCP then start with: fragment 1300
On both server and client and enable mssfix on client.
fragment has to be set on both sides, mssfix only needs to be set on one side (if set on both sides the
lowest value counts), in DDWRT mssfix will take its value from fragment.

But on older clients this will not always work you then have to lower the MTU settings from its
default 1500 to lower values like 1300 i.e.: tun-mtu 1300 in server and client config.
You might need to go even lower

Make sure to reboot the router after changing!

If fragment is not set then mtu-disc yes is added to discover the right udp size which usually will work

Check the right MTU size:

https://www.sonassi.com/help/troubleshooting/setting-correct-mtu-for-openvpn
https://hamy.io/post/0003/optimizing-openvpn-throughput/
https://blog.hambier.lu/post/solving-openvpn-mtu-issues

TLS Error: TLS key negotiation failed to occur within 60 seconds

Server is not reachable i.e. you have a network connection error (unless you are using TLS-crypt
which is not setup correctly):
• Check server address/DDNS
• Check DDNS,
• Check port,
• Check Port Forward if server is not on the primary router.

Last edited by egc 26-4-2021 8

 • Check /disable firewall
• Sometimes an ISP blocks often used ports, Check with your ISP and/or use TCP port 443, this
is not blocked.
• Older DDWRT version block UDP ports when SFE is enabled, so when in doubt disable SFE

AUTH: Received control message: AUTH_FAILED

AUTH_FAILED error means that the OpenVPN server requires a username/password, but it either
wasn't provided, or perhaps was mistyped. If you're using a current dd-wrt build, there should be a
"User Pass Authentication" option. Enable it and provide the username/password given to you by the
OpenVPN provider. Or this can be seen when you are using a broken K2.6 build where it is not
possible to execute an external script

AEAD Decrypt error:

When you receive this error it has to do with using the new GCM ciphers (AES-128-GCM is the one
advised), be sure that both client and server use the new ciphers (only available starting with
OpenVPN 2.4). Depending on setup add the following to the Additional Config or configuration file of
client:
ncp-disable
If your setup is OK and you still are seeing this error then an occasional warning should not pose a
problem, it happens when using UDP and packets are lost/or mangled and resend under way.
Otherwise it could signify an MTU problem so see the MTU size Problems section or other network
problem.
It happens only when using UDP so consider using TCP or use the old cipher: AES-256-CBC.

OpenVPN server does not start on reboot

Some builds have a bug where the OpenVPN server does not start on reboot.
You can add the following code snippet to the startup command:
(
if [ "$(nvram get openvpn_enable)" != "0" ]; then
while ! ps | grep -q '[o]penvpn/'; do
openvpn --config /tmp/openvpn/openvpn.conf --daemon
sleep 10
done
fi
)&

Recursive routing detected, drop tun packet

Might be caused of servers subnet, OpenVPN subnet and clients subnet are not different (e.g. client
and server are both 192.168.1.1)

Latency problems with latency sensitive traffic (e.g. VoIP )

When using latency sensitive traffic via the VPN like VoIP SFE (shortcut forwarding Engine) might
cause hiccups. This could be because traffic from the VPN client loops thorugh the VPN server (in via
the VPN then to the Internet and back and out via the VPN)
A test with a packetloss test server (https://packetlosstest.com/) actually some sort of a continuous
ping test seems show a small hiccup in the beginign of a connection (make sure to tun the test longer
than 10 seconds).
I do not know if it is a real problem or just in this test scenario as a ping test with SFE on does not
show any problems.

Last edited by egc 26-4-2021 9

Anyway if you experience problems disable SFE and see if your problems are gone not only with the
test (because it is possible that the test cannot deal with SFE (or the other way around)) but in real
world use cases (do not forget to reboot, something which is always useful after changing settings)

OpenVPN 2.5
Some ciphers have been deprecated if necessary you can add deprecated ciphers with:
data-ciphers-fallback BF-CBC

You can add extra ciphers with:

data-ciphers AES-256-GCM:AES-128-GCM

Alternatively especially for the client, just set the cipher according to the server and add:
ncp-disable

see:
https://build.openvpn.net/man/openvpn-2.5/openvpn.8.html
https://github.com/OpenVPN/openvpn/blob/release/2.5/Changes.rst

References:
https://www.sonassi.com/help/troubleshooting/setting-correct-mtu-for-openvpn
https://community.openvpn.net/openvpn/wiki/271-i-can-ping-through-the-tunnel-but-any-real-
work-causes-it-to-lock-up-is-this-an-mtu-problem

https://openvpn.net/vpn-server-resources/troubleshooting-client-vpn-tunnel-connectivity/
https://openvpn.net/faq/tls-error-tls-key-negotiation-failed-to-occur-within-60-seconds-check-your-
network-connectivity/
https://wiki.ipfire.org/configuration/services/openvpn/troubles

Last edited by egc 26-4-2021 10

Addendum 1 example of /jfss/etc/smb.conf

192.168.1.1/24 is the routers subnet, 10.4.0.0/24 is WG subnet 10.8.0.0/24 is OpenVPN server

subnet depending on your setup this is not needed to add.
Adding interfaces vlan2 and eth0 is probably also not necessary
[global]
log level = 1
netbios name = R6400v2
server string = R6400v2s
syslog = 10
encrypt passwords = true
preferred master = yes
use sendfile = yes
aio read size = 2048
aio write size = 2048
large readwrite = yes
security = user
oplocks = yes
mangled names = no
max stat cache size = 64
workgroup = home
bind interfaces only = yes
guest account = nobody
map to guest = Bad User
smb passwd file = /var/samba/smbpasswd
private dir = /var/samba
passdb backend = smbpasswd
log file = /var/smbd.log
max log size = 1000
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_SNDBUF=262144 SO_RCVBUF=262144
read raw = yes
write raw = yes
max xmit = 65536
dead time = 15
getwd cache = yes
lpq cache time = 30
min protocol = NT1
max protocol = SMB3_11
printing = none
load printers = No
usershare allow guests = Yes
smb3 encryption = no
hosts allow = 192.168.1.1/24, 10.4.0.0/24, 10.8.0.0/24
interfaces = br0, oet1, tun2, vlan2, eth0
[data]
comment = data
path = /mnt/sda1/
read only = no
guest ok = yes

force user = root

[jffs]
comment = jffs
path = /jffs/
read only = no
guest ok = yes

force user = root

[opt]
comment = opt
path = /opt/
read only = no
guest ok = yes

force user = root

Last edited by egc 26-4-2021 11