378.53 - OpenVPN Server - Ignores ccd files - Possible bug?

gmx-smallnetbuilder

Hi everyone,

I'm trying to use the ccd files on the openvpn server running asuswrt-merlin version 378.53.
I have the feeling that the ccd files are ignored by the OpenVPN server. Could someone please check or confirm that the ccd files are used by the OpenVPN server on the asuswrt build?

On my side:
I configured the OpenVPN server to have the redirect-traffic enabled. This works fine and I can successfully connect the clients and test that the routing goes over the openvpn server.

However, I need a few users to connect to this OpenVPN server without redirecting all their traffic through it. On my old router (OpenWRT with OpenVPN) I was able to use the ccd files and specify this exception for a few users.

On the new router I tried to do the same on AsusWrt, so I enabled jffs and created the path
/jffs/configs/openvpn/ccd1
Inside it I placed a file named after the CN of the user whose traffic should not be redirected. The contents of the file are as follows:
Code:
push-reset
push "route-metric 350"
push "route 192.168.2.0 255.255.255.0"
However, when I try to connect to the OpenVPN server using the certificate of this user, the default gateway is still pushed to the client.

This is what I get in the OpenVPN client log. It looks to me like the ccd file is not processed:
Code:
Mon May 25 16:57:17 2015 SENT CONTROL [VPN-Server]: 'PUSH_REQUEST' (status=1)
Mon May 25 16:57:17 2015 PUSH: Received control message: 'PUSH_REPLY,route 0.0.0.0 255.255.255.255 net_gateway,dhcp-option DNS 192.168.2.1,route-gateway 192.168.2.1,redirect-gateway def1,route-gateway dhcp,ping 15,ping-restart 60'
Mon May 25 16:57:17 2015 OPTIONS IMPORT: timers and/or timeouts modified
Mon May 25 16:57:17 2015 OPTIONS IMPORT: route options modified
Mon May 25 16:57:17 2015 OPTIONS IMPORT: route-related options modified
Mon May 25 16:57:17 2015 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Mon May 25 16:57:17 2015 open_tun, tt->ipv6=0
Mon May 25 16:57:17 2015 TAP-WIN32 device [Ethernet 2] opened: \\.\Global\{A8BAA595-5649-4742-8520-7019575CE916}.tap
Mon May 25 16:57:17 2015 TAP-Windows Driver Version 9.21
Mon May 25 16:57:17 2015 Successful ARP Flush on interface [23] {A8BAA595-5649-4742-8520-7019575CE916}
Mon May 25 16:57:17 2015 Extracted DHCP router address: 192.168.2.1
Mon May 25 16:57:18 2015 Extracted DHCP router address: 192.168.2.1
Mon May 25 16:57:22 2015 TEST ROUTES: 2/2 succeeded len=1 ret=1 a=0 u/d=up
Mon May 25 16:57:22 2015 C:\WINDOWS\system32\route.exe ADD <OpenVPN public IP> MASK 255.255.255.255 192.168.1.1
Mon May 25 16:57:22 2015 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4
Mon May 25 16:57:22 2015 Route addition via IPAPI succeeded [adaptive]
Mon May 25 16:57:22 2015 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 192.168.2.1
Mon May 25 16:57:22 2015 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4
Mon May 25 16:57:22 2015 Route addition via IPAPI succeeded [adaptive]
Mon May 25 16:57:22 2015 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 192.168.2.1
Mon May 25 16:57:22 2015 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4
Mon May 25 16:57:22 2015 Route addition via IPAPI succeeded [adaptive]
Mon May 25 16:57:22 2015 MANAGEMENT: >STATE:1432562242,ADD_ROUTES,,,
Mon May 25 16:57:22 2015 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 255.255.255.255 192.168.1.1
Mon May 25 16:57:22 2015 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4
Mon May 25 16:57:22 2015 Route addition via IPAPI succeeded [adaptive]
Mon May 25 16:57:22 2015 Initialization Sequence Completed
Mon May 25 16:57:22 2015 MANAGEMENT: >STATE:1432562242,CONNECTED,SUCCESS,,<OpenVPN public IP>
Many thanks!
 
I tested it with:
Manage Client-Specific Options > Yes
Allow Client <-> Client > Yes

The result is the same...

I just tested it and it's working fine for me. My client was only pushed the 192.168.2.0 route that I entered in the ccd file.

Note that the default gateway is NOT set by a route, but by the "redirect-gateway def1" config setting. You will have to disable the option to redirect Internet traffic on the webui to remove that setting. After that, check your router's syslog. Here's how it looks here:

Code:
May 25 22:57:25 openvpn[12483]: Merlin/69.111.222.123:55578 OPTIONS IMPORT: reading client specific options from: ccd/Merlin
May 25 22:57:27 openvpn[12483]: Merlin/69.111.222.123:55578 SENT CONTROL [Merlin]: 'PUSH_REPLY,route-metric 350,route 192.168.2.0 255.255.255.0,ifconfig 10.8.0.6 10.8.0.5' (status=1)

The first line confirms that there was a match between the CN and an existing ccd file. The second one shows only the pushed route as entered in the ccd.

Finally, don't forget to restart the VPN server after you modify the ccd1/CN file. And the CN file name is case-sensitive.
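The checks discussed in this thread (the server config must actually carry a client-config-dir, the ccd file name must match the certificate CN byte for byte, push-reset must precede the client-specific pushes if the server-wide redirect-gateway is to be dropped, and the server syslog must show the "reading client specific options" line followed by a PUSH_REPLY without redirect-gateway) can be scripted. The POSIX sh script below is an added example, not code from this thread or from asuswrt-merlin; the server config, ccd files, CNs and syslog lines it creates are constructed fixtures, the exit codes are this script's own convention, and it assumes a relative client-config-dir is resolved relative to the config file's directory.

```shell
#!/bin/sh
# Added example: sanity-check an OpenVPN client-config-dir (ccd) setup.
# All paths, CNs and log lines below are constructed fixtures, not real data.

# ccd_check SERVER_CONF CN
# 0: ccd file found and it overrides the server-wide redirect-gateway
# 1: server config has no client-config-dir, so ccd files are never read
# 2: no ccd file for CN
# 3: a ccd file exists that differs from CN only by case (OpenVPN will not match it)
# 4: ccd file exists but lacks push-reset while the server pushes redirect-gateway
ccd_check() {
    conf=$1; cn=$2
    dir=$(awk '$1 == "client-config-dir" { print $2; exit }' "$conf")
    if [ -z "$dir" ]; then
        echo "$cn: no client-config-dir in $conf, ccd files are ignored"; return 1
    fi
    # Assumption: a relative ccd directory is relative to the config file's directory.
    case $dir in /*) ;; *) dir=$(dirname "$conf")/$dir ;; esac
    # Compare file names byte for byte, as OpenVPN does on a Linux filesystem.
    exact=$(ls "$dir" 2>/dev/null | grep -F -x -- "$cn")
    if [ -z "$exact" ]; then
        other=$(ls "$dir" 2>/dev/null | grep -i -F -x -- "$cn")
        if [ -n "$other" ]; then
            echo "$cn: ccd file '$other' differs from the CN only by case"; return 3
        fi
        echo "$cn: no ccd file in $dir"; return 2
    fi
    if grep -q '^push "redirect-gateway' "$conf" && ! grep -q '^push-reset' "$dir/$cn"; then
        echo "$cn: server pushes redirect-gateway and ccd has no push-reset, client keeps the default route"
        return 4
    fi
    echo "$cn: ccd file will be applied"; return 0
}

# push_check SERVER_LOG CN
# 0: ccd file was read for CN and the last PUSH_REPLY to CN carries no redirect-gateway
# 1: no "reading client specific options" line for CN (no CN match)
# 2: ccd file was read but redirect-gateway was still pushed
push_check() {
    log=$1; cn=$2
    if ! grep -q "reading client specific options from: .*/$cn\$" "$log"; then
        echo "$cn: server never read a ccd file for this CN"; return 1
    fi
    reply=$(grep "SENT CONTROL \[$cn\]: 'PUSH_REPLY" "$log" | tail -n 1)
    case $reply in
        *redirect-gateway*) echo "$cn: redirect-gateway still in PUSH_REPLY"; return 2 ;;
    esac
    echo "$cn: ccd read and no redirect-gateway pushed"; return 0
}

# make_fixture DIR: constructed server config, ccd files and syslog lines.
make_fixture() {
    d=$1
    mkdir -p "$d/ccd"
    printf 'server 10.8.0.0 255.255.255.0\nclient-config-dir ccd\npush "redirect-gateway def1"\npush "dhcp-option DNS 192.168.2.1"\n' > "$d/server.conf"
    printf 'push-reset\npush "route-metric 350"\npush "route 192.168.2.0 255.255.255.0"\n' > "$d/ccd/alice"
    printf 'push "route 192.168.2.0 255.255.255.0"\n' > "$d/ccd/carol"   # no push-reset
    cp "$d/ccd/alice" "$d/ccd/Bob"                                       # CN is "bob"
    cat > "$d/server.log" <<'EOF'
May 25 22:57:25 openvpn[12483]: alice/198.51.100.7:55578 OPTIONS IMPORT: reading client specific options from: ccd/alice
May 25 22:57:27 openvpn[12483]: alice/198.51.100.7:55578 SENT CONTROL [alice]: 'PUSH_REPLY,route-metric 350,route 192.168.2.0 255.255.255.0,ifconfig 10.8.0.6 10.8.0.5' (status=1)
May 25 22:58:01 openvpn[12483]: carol/198.51.100.9:41002 OPTIONS IMPORT: reading client specific options from: ccd/carol
May 25 22:58:03 openvpn[12483]: carol/198.51.100.9:41002 SENT CONTROL [carol]: 'PUSH_REPLY,dhcp-option DNS 192.168.2.1,redirect-gateway def1,route 192.168.2.0 255.255.255.0,ifconfig 10.8.0.10 10.8.0.9' (status=1)
May 25 22:59:10 openvpn[12483]: bob/198.51.100.11:50113 SENT CONTROL [bob]: 'PUSH_REPLY,dhcp-option DNS 192.168.2.1,redirect-gateway def1,ifconfig 10.8.0.14 10.8.0.13' (status=1)
EOF
}

# Demo run over the fixtures.
tmp=$(mktemp -d)
make_fixture "$tmp"
for cn in alice bob carol dave; do
    ccd_check "$tmp/server.conf" "$cn"
    push_check "$tmp/server.log" "$cn"
done
rm -rf "$tmp"
```

On the router you would point ccd_check at the generated server config and push_check at the syslog lines of the VPN server; exit code 3 is the case-sensitivity trap mentioned in the reply, and exit code 4 is the case where the ccd file is read but the client still receives the default route because nothing cancelled the server-wide redirect-gateway push.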
 
