Can someone help out w/ some VPN settings?

[hungarianhc]

Hi there!

First of all, here's my goal... I want to be able to administer the NAS / Plex box / router at my parents' house remotely from my house. I'm setting them up with a new AC68P next week, and I have my own AC68 at home. I'm trying to get VPN working at my house in advance of getting it setup at their house.

I've set up two separate VPNs... PPTP and OpenVPN. For PPTP, I'm using the built-in Apple VPN client in Network Preferences. For the OpenVPN, I'm using Tunnelblick as a client. I'm using the Asus DDNS service to be able to connect to my network remotely.

So first off, PPTP... It works! I can connect to my network, and I can access my router settings at 192.168.1.1. I'm at my Asus settings. No problem. All good. However, my NAS is at 192.168.1.120, and I cannot connect to that IP. It just hangs. I thought this might be a limitation with PPTP or something so I tried with Tunnelblick / OpenVPN.

Despite PPTP working great, OpenVPN doesn't seem to be working. I'm getting a TLS authentication issue.

2015-06-24 13:54:36 TLS_ERROR: BIO read tls_read_plaintext error: error:14082174:SSL routines:ssl3_check_cert_and_algorithm:dh key too small
2015-06-24 13:54:36 TLS Error: TLS object -> incoming plaintext read error
2015-06-24 13:54:36 TLS Error: TLS handshake failed

Can anyone help here? I'm just trying to be able to access all of my local LAN IP addresses remotely. THANKS!

Edit: I have changed my settings so that my VPN client is on 192.168.1.X as well, but this still isn't allowing me to connect to the local IPs.

 

[RMerlin]

As your error message states, your problem is the DH is too weak. Blame the OpenSSL developers for making their latest openssl library refuse to use any DH that's below 768-bits, rather than leave such decisions to the client applications. This decision is breaking a lot of existing OpenVPN server configuration, especially those in low-powered devices that were using a weaker DH for performance reasons (generating a 1024-bit DH on an RT-N66U for instance could take up to 15-20 minutes). It's also breaking some existing mail servers. And since the issue has to be resolved server-side, it means client users have no control over the situation in many cases (for instance when it's a destination's mailserver that's configured with a weak DH).

You will have to manually generate and enter a 1024-bit DH on your OpenVPN server configuration, under Keys & Certificates:

http://www.snbforums.com/threads/asuswrt-merlin-378-54_2-is-now-available.24902/page-12#post-188238

 

[hungarianhc]

Does that explain why PPTP doesn't work?

 

[RMerlin]

Does that explain why PPTP doesn't work?

No, PPTP does not use Diffie-Hellman. Your other issue is probably a network range conflict, if both networks use the 192.168.1.0/24 network. When using a client, you have to tell that client to redirect all local traffic through that server to be able to reach the other network segment (under Windows this is called "Use remote gateway as default").

 

[hungarianhc]

No, PPTP does not use Diffie-Hellman. Your other issue is probably a network range conflict, if both networks use the 192.168.1.0/24 network. When using a client, you have to tell that client to redirect all local traffic through that server to be able to reach the other network segment (under Windows this is called "Use remote gateway as default").

Yah I have the "Send all traffic over VPN connection" box checked in OS X. Odd that I can access 192.168.1.1 but not 192.168.1.120...

 

[hungarianhc]

Merlin, THANK YOU!

The issue was definitely that my work network was on the 192.168.1.X range.

The solution was to change my home network to 192.168.2.X. It was a bit of a pain to find all the hard-wired things and change them, but it's all done now, and VPN works great! THANKS!