

Samba on Mac OS and Win 10: Can’t mount SMB share, permission denied.

So you're getting this:

permission denied

When trying to mount an SMB file share on Mac OS or Win 10? You're likely running into the UPN limitation with user names such as sam@domain.com. Although this is a single user name, the Mac OS CLI interprets it as <user>@<host>, which is not what is meant. The @ sign cannot be escaped, not even in passwords.

So you'll need to use user maps to solve this one. Keep reading.


create_local_token failed: NT_STATUS_NO_MEMORY

Getting this?

  pid_to_procid: messaging_dgm_get_unique failed: No such file or directory
  Failed to fetch domain sid for XYZ
  Failed to check for local Administrators membership (NT_STATUS_INVALID_PARAMETER_MIX)
  Failed to check for local Guests membership (NT_STATUS_INVALID_PARAMETER_MIX)
  create_local_token failed: NT_STATUS_NO_MEMORY
  ERROR: failed to setup guest info.

while having Samba leverage SSSD with an smb.conf like this?

[global]
        realm = MDS.XYZ
        workgroup = XYZ
        security = ads
        kerberos method = secrets and keytab
        template homedir = /n/%d/%u
        idmap config * : backend = tdb
        idmap config * : range = 10000-199999
        idmap config MDS : backend = sss
        idmap config MDS : range = 200000-2147483647
        passdb backend = tdbsam

        load printers = yes
        printing = cups
        printcap name = cups
        cups options = raw
        log level = 4
        max protocol = SMB3
        min protocol = NT1
        local master = no
        disable spoolss = yes

Then you need to run:

# yum install sssd-libwbclient

Cheers,
TK

INTERNAL ERROR: Signal 11 in pid 27594 (4.7.1)

Samba core dumped?

[2020/02/23 12:57:52.147460,  1] ../source3/smbd/smbd_cleanupd.c:99(smbd_cleanupd_unlock)
  smbd_cleanupd_unlock: Cleaning up brl and lock database after unclean shutdown
[2020/02/23 12:57:53.151160,  3] ../lib/util/access.c:361(allow_access)
  Allowed connection from 192.168.0.125 (192.168.0.125)
[2020/02/23 12:57:53.151612,  3] ../source3/smbd/oplock.c:1329(init_oplocks)
  init_oplocks: initializing messages.
[2020/02/23 12:57:53.152027,  3] ../source3/smbd/process.c:1959(process_smb)
  Transaction 0 of length 216 (0 toread)
[2020/02/23 12:57:53.152139,  3] ../source3/smbd/process.c:1539(switch_message)
  switch message SMBnegprot (pid 27594) conn 0x0
[2020/02/23 12:57:53.152242,  4] ../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
  setting sec ctx (0, 0) – sec_ctx_stack_ndx = 0
[2020/02/23 12:57:53.154120,  3] ../source3/smbd/negprot.c:612(reply_negprot)
  Requested protocol [PC NETWORK PROGRAM 1.0]
[2020/02/23 12:57:53.154203,  3] ../source3/smbd/negprot.c:612(reply_negprot)
  Requested protocol [MICROSOFT NETWORKS 1.03]
[2020/02/23 12:57:53.154253,  3] ../source3/smbd/negprot.c:612(reply_negprot)
  Requested protocol [MICROSOFT NETWORKS 3.0]
[2020/02/23 12:57:53.154304,  3] ../source3/smbd/negprot.c:612(reply_negprot)
  Requested protocol [LANMAN1.0]
[2020/02/23 12:57:53.154412,  3] ../source3/smbd/negprot.c:612(reply_negprot)
  Requested protocol [LM1.2X002]
[2020/02/23 12:57:53.154859,  3] ../source3/smbd/negprot.c:612(reply_negprot)
  Requested protocol [DOS LANMAN2.1]
[2020/02/23 12:57:53.155002,  3] ../source3/smbd/negprot.c:612(reply_negprot)
  Requested protocol [LANMAN2.1]
[2020/02/23 12:57:53.155086,  3] ../source3/smbd/negprot.c:612(reply_negprot)
  Requested protocol [Samba]
[2020/02/23 12:57:53.155181,  3] ../source3/smbd/negprot.c:612(reply_negprot)
  Requested protocol [NT LANMAN 1.0]
[2020/02/23 12:57:53.155245,  3] ../source3/smbd/negprot.c:612(reply_negprot)
  Requested protocol [NT LM 0.12]
[2020/02/23 12:57:53.155314,  3] ../source3/smbd/negprot.c:612(reply_negprot)
  Requested protocol [SMB 2.002]
[2020/02/23 12:57:53.155371,  3] ../source3/smbd/negprot.c:612(reply_negprot)
  Requested protocol [SMB 2.???]
[2020/02/23 12:57:53.155695,  4] ../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
  setting sec ctx (0, 0) – sec_ctx_stack_ndx = 0
[2020/02/23 12:57:53.155933,  3] ../source3/smbd/smb2_negprot.c:290(smbd_smb2_request_process_negprot)
  Selected protocol SMB2_FF
[2020/02/23 12:57:53.158526,  3] ../auth/gensec/gensec_start.c:977(gensec_register)
  GENSEC backend 'gssapi_spnego' registered
[2020/02/23 12:57:53.158686,  3] ../auth/gensec/gensec_start.c:977(gensec_register)
  GENSEC backend 'gssapi_krb5' registered
[2020/02/23 12:57:53.158748,  3] ../auth/gensec/gensec_start.c:977(gensec_register)
  GENSEC backend 'gssapi_krb5_sasl' registered
[2020/02/23 12:57:53.158846,  3] ../auth/gensec/gensec_start.c:977(gensec_register)
  GENSEC backend 'spnego' registered
[2020/02/23 12:57:53.158997,  3] ../auth/gensec/gensec_start.c:977(gensec_register)
  GENSEC backend 'schannel' registered
[2020/02/23 12:57:53.159104,  3] ../auth/gensec/gensec_start.c:977(gensec_register)
  GENSEC backend 'naclrpc_as_system' registered
[2020/02/23 12:57:53.159166,  3] ../auth/gensec/gensec_start.c:977(gensec_register)
  GENSEC backend 'sasl-EXTERNAL' registered
[2020/02/23 12:57:53.159237,  3] ../auth/gensec/gensec_start.c:977(gensec_register)
  GENSEC backend 'ntlmssp' registered
[2020/02/23 12:57:53.159312,  3] ../auth/gensec/gensec_start.c:977(gensec_register)
  GENSEC backend 'ntlmssp_resume_ccache' registered
[2020/02/23 12:57:53.159411,  3] ../auth/gensec/gensec_start.c:977(gensec_register)
  GENSEC backend 'http_basic' registered
[2020/02/23 12:57:53.159528,  3] ../auth/gensec/gensec_start.c:977(gensec_register)
  GENSEC backend 'http_ntlm' registered
[2020/02/23 12:57:53.162354,  0] ../lib/util/fault.c:78(fault_report)
  ===============================================================
[2020/02/23 12:57:53.162627,  0] ../lib/util/fault.c:79(fault_report)
  INTERNAL ERROR: Signal 11 in pid 27594 (4.7.1)
  Please read the Trouble-Shooting section of the Samba HOWTO
[2020/02/23 12:57:53.162786,  0] ../lib/util/fault.c:81(fault_report)
  ===============================================================
[2020/02/23 12:57:53.162946,  0] ../source3/lib/util.c:804(smb_panic_s3)
  PANIC (pid 27594): internal error
[2020/02/23 12:57:53.165113,  0] ../source3/lib/util.c:915(log_stack_trace)
  BACKTRACE: 37 stack frames:
   #0 /lib64/libsmbconf.so.0(log_stack_trace+0x1a) [0x7f11c54c3a3a]
   #1 /lib64/libsmbconf.so.0(smb_panic_s3+0x20) [0x7f11c54c3b10]
   #2 /lib64/libsamba-util.so.0(smb_panic+0x2f) [0x7f11c75beeaf]
   #3 /lib64/libsamba-util.so.0(+0x250c6) [0x7f11c75bf0c6]
   #4 /lib64/libpthread.so.0(+0xf6d0) [0x7f11c7a266d0]
   #5 /usr/lib64/samba/libgse-samba4.so(+0x9530) [0x7f11bfb25530]
   #6 /usr/lib64/samba/libgse-samba4.so(gse_krb5_get_server_keytab+0xa5) [0x7f11bfb25f25]
   #7 /usr/lib64/samba/libgse-samba4.so(+0xc1d8) [0x7f11bfb281d8]
   #8 /usr/lib64/samba/libgensec-samba4.so(+0x19eba) [0x7f11bf90aeba]
   #9 /usr/lib64/samba/libgensec-samba4.so(gensec_start_mech_by_ops+0xc) [0x7f11bf90bcbc]
   #10 /usr/lib64/samba/libgensec-samba4.so(+0xac5c) [0x7f11bf8fbc5c]
   #11 /usr/lib64/samba/libgensec-samba4.so(+0xc214) [0x7f11bf8fd214]
   #12 /usr/lib64/samba/libgensec-samba4.so(gensec_update_ev+0x7f) [0x7f11bf90a6cf]
   #13 /usr/lib64/samba/libgensec-samba4.so(gensec_update+0x17) [0x7f11bf90a7c7]
   #14 /usr/lib64/samba/libsmbd-base-samba4.so(negprot_spnego+0xa9) [0x7f11c715ef09]
   #15 /usr/lib64/samba/libsmbd-base-samba4.so(smbd_smb2_request_process_negprot+0x2ca) [0x7f11c71d930a]
   #16 /usr/lib64/samba/libsmbd-base-samba4.so(smbd_smb2_request_dispatch+0x1bcc) [0x7f11c71d609c]
   #17 /usr/lib64/samba/libsmbd-base-samba4.so(smbd_smb2_process_negprot+0x370) [0x7f11c71d8ac0]
   #18 /usr/lib64/samba/libsmbd-base-samba4.so(reply_negprot+0x72e) [0x7f11c715fe7e]
   #19 /usr/lib64/samba/libsmbd-base-samba4.so(+0x19ec90) [0x7f11c71c0c90]
   #20 /usr/lib64/samba/libsmbd-base-samba4.so(+0x1a0a30) [0x7f11c71c2a30]
   #21 /usr/lib64/samba/libsmbd-base-samba4.so(+0x1a2111) [0x7f11c71c4111]
   #22 /lib64/libtevent.so.0(+0xaedb) [0x7f11c3ecfedb]
   #23 /lib64/libtevent.so.0(+0x92a7) [0x7f11c3ece2a7]
   #24 /lib64/libtevent.so.0(_tevent_loop_once+0x9d) [0x7f11c3eca0cd]
   #25 /lib64/libtevent.so.0(tevent_common_loop_wait+0x1b) [0x7f11c3eca2fb]
   #26 /lib64/libtevent.so.0(+0x9247) [0x7f11c3ece247]
   #27 /usr/lib64/samba/libsmbd-base-samba4.so(smbd_process+0x6e4) [0x7f11c71c5444]
   #28 /usr/sbin/smbd(+0xd1d4) [0x55dc9e23f1d4]
   #29 /lib64/libtevent.so.0(+0xaedb) [0x7f11c3ecfedb]
   #30 /lib64/libtevent.so.0(+0x92a7) [0x7f11c3ece2a7]
   #31 /lib64/libtevent.so.0(_tevent_loop_once+0x9d) [0x7f11c3eca0cd]
   #32 /lib64/libtevent.so.0(tevent_common_loop_wait+0x1b) [0x7f11c3eca2fb]
   #33 /lib64/libtevent.so.0(+0x9247) [0x7f11c3ece247]
   #34 /usr/sbin/smbd(main+0x1afe) [0x55dc9e23a25e]
   #35 /lib64/libc.so.6(__libc_start_main+0xf5) [0x7f11c3b1a445]
   #36 /usr/sbin/smbd(+0x8571) [0x55dc9e23a571]
[2020/02/23 12:57:53.166810,  0] ../source3/lib/dumpcore.c:315(dump_core)
  dumping core in /var/log/samba/cores/smbd
[2020/02/23 12:57:53.178604,  3] ../source3/smbd/server.c:872(remove_child_pid)
  ../source3/smbd/server.c:872 Unclean shutdown of pid 27594
[2020/02/23 12:57:53.178726,  1] ../source3/smbd/server.c:881(remove_child_pid)
  Scheduled cleanup of brl and lock database after unclean shutdown
[2020/02/23 12:58:13.198712,  1] ../source3/smbd/smbd_cleanupd.c:99(smbd_cleanupd_unlock)
  smbd_cleanupd_unlock: Cleaning up brl and lock database after unclean shutdown
[2020/02/23 13:00:29.876630,  4] ../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
  setting sec ctx (0, 0) – sec_ctx_stack_ndx = 0
[2020/02/23 13:00:29.877861,  4] ../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
  setting sec ctx (0, 0) – sec_ctx_stack_ndx = 0
[2020/02/23 13:00:29.877945,  4] ../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
  setting sec ctx (0, 0) – sec_ctx_stack_ndx = 0
[2020/02/23 13:00:29.877995,  4] ../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
  setting sec ctx (0, 0) – sec_ctx_stack_ndx = 0
[2020/02/23 13:00:29.879725,  3] ../source3/smbd/server_exit.c:248(exit_server_common)
  Server exit (termination signal)
[2020/02/23 13:00:30.020799,  3] ../source3/param/loadparm.c:3872(lp_load_ex)
  lp_load_ex: refreshing parameters
[2020/02/23 13:00:30.020947,  3] ../source3/param/loadparm.c:548(init_globals)
  Initialising global parameters
[2020/02/23 13:00:30.021188,  3] ../source3/param/loadparm.c:2786(lp_do_section)
  Processing section "[global]"
  doing parameter realm = MDS.XYZ
  doing parameter workgroup = MDS.XYZ
  doing parameter security = ads
  doing parameter kerberos method = secrets and keytab
  doing parameter template homedir = /n/%d/%u
  doing parameter idmap config * : backend = tdb
  doing parameter idmap config * : range = 10000 – 199999999999
  doing parameter idmap config MDS : backend = sss
  doing parameter idmap config MDS : range = 200000-2147483647
  doing parameter passdb backend = tdbsam
  doing parameter load printers = yes
  doing parameter printing = cups
  doing parameter printcap name = cups
  doing parameter cups options = raw
  doing parameter log level = 4
  doing parameter max protocol = SMB3
  doing parameter min protocol = NT1
  doing parameter local master = no
  doing parameter disable spoolss = yes
[2020/02/23 13:00:30.021871,  2] ../source3/param/loadparm.c:2803(lp_do_section)
  Processing section "[homes]"
  doing parameter comment = Home Directories
  doing parameter valid users = %S, %D%w%S
  doing parameter browseable = No
  doing parameter read only = No
  doing parameter inherit acls = Yes
[2020/02/23 13:00:30.022227,  2] ../source3/param/loadparm.c:2803(lp_do_section)
  Processing section "[printers]"
  doing parameter comment = All Printers
  doing parameter path = /var/tmp
  doing parameter printable = Yes
  doing parameter create mask = 0600
  doing parameter browseable = No
[2020/02/23 13:00:30.022460,  2] ../source3/param/loadparm.c:2803(lp_do_section)
  Processing section "[NFS-tom]"
  doing parameter comment = NFS Shared Storage – Tom
  doing parameter path = /n/mds.xyz/tom
  doing parameter valid users = tom@mds.xyz
  doing parameter public = no
  doing parameter writable = yes
  doing parameter read only = no
  doing parameter browseable = yes
  doing parameter guest ok = no
  doing parameter printable = no
  doing parameter write list = tom@mds.xyz
  doing parameter directory mask = 0775
  doing parameter create mask = 664
[2020/02/23 13:00:30.023044,  2] ../source3/param/loadparm.c:2803(lp_do_section)
  Processing section "[bob@mds.xyz]"
  doing parameter comment = NFS Shared Storage – Bob
  doing parameter path = /n/mds.xyz/bob
  doing parameter valid users = bob@mds.xyz
  doing parameter public = no
  doing parameter writable = yes
  doing parameter read only = no
  doing parameter browseable = yes
  doing parameter guest ok = yes
  doing parameter printable = no
  doing parameter write list = bob@mds.xyz
  doing parameter directory mask = 0775
  doing parameter create mask = 664
[2020/02/23 13:00:30.023553,  2] ../source3/param/loadparm.c:2803(lp_do_section)
  Processing section "[NFS-root]"
  doing parameter comment = NFS Shared Storage – root
  doing parameter path = /n
  doing parameter valid users = root
  doing parameter public = no
  doing parameter writable = yes
  doing parameter read only = no
  doing parameter browseable = yes
  doing parameter guest ok = no
  doing parameter printable = no
  doing parameter write list = root
  doing parameter directory mask = 0775
  doing parameter create mask = 664
[2020/02/23 13:00:30.024085,  2] ../source3/param/loadparm.c:2803(lp_do_section)
  Processing section "[print$]"
  doing parameter comment = Printer Drivers
  doing parameter path = /var/lib/samba/drivers
  doing parameter write list = @printadmin root
  doing parameter force group = @printadmin
  doing parameter create mask = 0664
  doing parameter directory mask = 0775
[2020/02/23 13:00:30.024440,  4] ../source3/param/loadparm.c:3914(lp_load_ex)
  pm_process() returned Yes
[2020/02/23 13:00:30.024567,  3] ../source3/param/loadparm.c:1621(lp_add_ipc)
  adding IPC service
[2020/02/23 13:00:30.026316,  2] ../source3/lib/interface.c:345(add_interface)
  added interface eth0 ip=192.168.0.80 bcast=192.168.0.80 netmask=255.255.255.255
[2020/02/23 13:00:30.026434,  2] ../source3/lib/interface.c:345(add_interface)
  added interface eth0 ip=192.168.0.125 bcast=192.168.0.255 netmask=255.255.255.0
[2020/02/23 13:00:30.026525,  3] ../source3/smbd/server.c:1810(main)
  loaded services
[2020/02/23 13:00:30.030177,  1] ../source3/profile/profile.c:51(set_profile_level)
  INFO: Profiling turned OFF from pid 27888
[2020/02/23 13:00:30.030296,  3] ../source3/smbd/server.c:1830(main)
  Standard input is not a socket, assuming -D option
[2020/02/23 13:00:30.030338,  3] ../source3/smbd/server.c:1842(main)
  Becoming a daemon.
[2020/02/23 13:00:30.031339,  2] ../source3/passdb/pdb_interface.c:161(make_pdb_method_name)
  No builtin backend found, trying to load plugin
[2020/02/23 13:00:30.034313,  3] ../lib/util/modules.c:167(load_module_absolute_path)
  load_module_absolute_path: Module '/usr/lib64/samba/pdb/tdbsam.so' loaded
[2020/02/23 13:00:30.042561,  3] ../source3/lib/util_procid.c:54(pid_to_procid)
  pid_to_procid: messaging_dgm_get_unique failed: No such file or directory
[2020/02/23 13:00:30.077473,  4] ../source3/smbd/sec_ctx.c:216(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2020/02/23 13:00:30.077583,  4] ../source3/smbd/uid.c:558(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2020/02/23 13:00:30.077631,  4] ../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
  setting sec ctx (0, 0) – sec_ctx_stack_ndx = 1
[2020/02/23 13:00:30.077924,  4] ../source3/passdb/pdb_tdb.c:558(tdbsam_open)
  tdbsam_open: successfully opened /var/lib/samba/private/passdb.tdb
[2020/02/23 13:00:30.078018,  4] ../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
  pop_sec_ctx (0, 0) – sec_ctx_stack_ndx = 0
[2020/02/23 13:00:30.078072,  4] ../source3/smbd/sec_ctx.c:216(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2020/02/23 13:00:30.078108,  4] ../source3/smbd/uid.c:558(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2020/02/23 13:00:30.078140,  4] ../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
  setting sec ctx (0, 0) – sec_ctx_stack_ndx = 1
[2020/02/23 13:00:30.078352,  4] ../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
  pop_sec_ctx (0, 0) – sec_ctx_stack_ndx = 0
[2020/02/23 13:00:30.085483,  4] ../source3/smbd/sec_ctx.c:216(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2020/02/23 13:00:30.085569,  4] ../source3/smbd/uid.c:558(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2020/02/23 13:00:30.085632,  4] ../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
  setting sec ctx (0, 0) – sec_ctx_stack_ndx = 1
[2020/02/23 13:00:30.085920,  3] ../source3/auth/token_util.c:681(finalize_local_nt_token)
  Failed to fetch domain sid for MDS.XYZ
[2020/02/23 13:00:30.086009,  4] ../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
  pop_sec_ctx (0, 0) – sec_ctx_stack_ndx = 0
[2020/02/23 13:00:30.086101,  4] ../source3/smbd/sec_ctx.c:216(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2020/02/23 13:00:30.086152,  4] ../source3/smbd/uid.c:558(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2020/02/23 13:00:30.086189,  4] ../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
  setting sec ctx (0, 0) – sec_ctx_stack_ndx = 1
[2020/02/23 13:00:30.086316,  4] ../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
  pop_sec_ctx (0, 0) – sec_ctx_stack_ndx = 0
[2020/02/23 13:00:30.086377,  3] ../source3/auth/token_util.c:708(finalize_local_nt_token)
  Failed to check for local Administrators membership (NT_STATUS_INVALID_PARAMETER_MIX)
[2020/02/23 13:00:30.086461,  4] ../source3/smbd/sec_ctx.c:216(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2020/02/23 13:00:30.086512,  4] ../source3/smbd/uid.c:558(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2020/02/23 13:00:30.086551,  4] ../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
  setting sec ctx (0, 0) – sec_ctx_stack_ndx = 1
[2020/02/23 13:00:30.086673,  4] ../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
  pop_sec_ctx (0, 0) – sec_ctx_stack_ndx = 0
[2020/02/23 13:00:30.086749,  4] ../source3/smbd/sec_ctx.c:216(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2020/02/23 13:00:30.086798,  4] ../source3/smbd/uid.c:558(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2020/02/23 13:00:30.086835,  4] ../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
  setting sec ctx (0, 0) – sec_ctx_stack_ndx = 1
[2020/02/23 13:00:30.086970,  4] ../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
  pop_sec_ctx (0, 0) – sec_ctx_stack_ndx = 0
[2020/02/23 13:00:30.087036,  3] ../source3/auth/token_util.c:780(finalize_local_nt_token)
  Failed to check for local Guests membership (NT_STATUS_INVALID_PARAMETER_MIX)
[2020/02/23 13:00:30.087099,  0] ../source3/auth/auth_util.c:1382(make_new_session_info_guest)
  create_local_token failed: NT_STATUS_NO_MEMORY
[2020/02/23 13:00:30.087802,  0] ../source3/smbd/server.c:2000(main)
  ERROR: failed to setup guest info.
^C
[root@nfs03 samba]#

 

Solve it by upgrading Samba from 4.7.1 to 4.9.1 (yum upgrade samba).
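The guest-info failure in the previous post and the Signal 11 panic above are both buried in level-4 logs, so here is an added example (not code from either post or from the Samba project) that groups smbd log lines into entries and reports either signature, pulling the first Samba frame out of the backtrace (here gse_krb5_get_server_keytab) so a crash can be matched against release notes before upgrading. The sample log and the signature strings are abridged from the excerpts on this page.

```python
"""Group smbd debug-log lines into entries and flag the two failure signatures shown above."""
import re
from dataclasses import dataclass, field

# Entry header: [timestamp, level] file:line(function); indented lines that follow belong to it
_HEADER = re.compile(r"^\[(?P<ts>[^,\]]+),\s*(?P<level>\d+)\]\s+(?P<where>\S+)$")
_SIGNAL = re.compile(r"INTERNAL ERROR: Signal (?P<sig>\d+) in pid (?P<pid>\d+) \((?P<ver>[^)]+)\)")
# Backtrace frame "#6 /path/lib.so(symbol+0x1f) [0xaddr]"; the symbol may be empty
_FRAME = re.compile(r"^#\d+\s+(?P<obj>[^(\s]+)\((?P<sym>[^)+]*)(?:\+0x[0-9a-f]+)?\)")

# Messages that, in this order, make up the "failed to setup guest info" startup failure
GUEST_TOKEN_SIGNATURE = (
    "Failed to fetch domain sid for",
    "Failed to check for local Administrators membership",
    "create_local_token failed: NT_STATUS_NO_MEMORY",
    "ERROR: failed to setup guest info.",
)
# Frames of the panic handler itself; the crashing code is the first frame after these
_HANDLER_SYMS = {"log_stack_trace", "smb_panic_s3", "smb_panic", ""}


@dataclass
class Entry:
    timestamp: str
    level: int
    where: str
    lines: list = field(default_factory=list)


def parse_entries(text):
    """Split a Samba log into entries; lines that are neither headers nor continuations are ignored."""
    entries = []
    for raw in text.splitlines():
        m = _HEADER.match(raw)
        if m:
            entries.append(Entry(m["ts"], int(m["level"]), m["where"]))
        elif entries and raw.startswith(" "):
            entries[-1].lines.append(raw.strip())
    return entries


def find_guest_token_failure(entries):
    """True when every message of GUEST_TOKEN_SIGNATURE appears, in order."""
    msgs = [line for e in entries for line in e.lines]
    pos = 0
    for needle in GUEST_TOKEN_SIGNATURE:
        while pos < len(msgs) and not msgs[pos].startswith(needle):
            pos += 1
        if pos == len(msgs):
            return False
        pos += 1
    return True


def find_panic(entries):
    """Signal, pid, version and first Samba frame of an INTERNAL ERROR, or None if there is none."""
    panic = None
    for e in entries:
        for line in e.lines:
            m = _SIGNAL.search(line)
            if m:
                panic = {"signal": int(m["sig"]), "pid": int(m["pid"]),
                         "version": m["ver"], "frame": None}
                continue
            f = _FRAME.match(line)
            if panic and panic["frame"] is None and f:
                obj = f["obj"].rsplit("/", 1)[-1]
                # skip the handler frames and the libc/pthread signal trampoline
                if f["sym"] not in _HANDLER_SYMS and not obj.startswith(("libc.", "libpthread")):
                    panic["frame"] = f"{obj}:{f['sym']}"
    return panic


# Constructed sample, abridged from the two log excerpts on this page
SAMPLE_LOG = """\
[2020/02/23 12:57:53.162627,  0] ../lib/util/fault.c:79(fault_report)
  INTERNAL ERROR: Signal 11 in pid 27594 (4.7.1)
[2020/02/23 12:57:53.165113,  0] ../source3/lib/util.c:915(log_stack_trace)
  BACKTRACE: 37 stack frames:
   #0 /lib64/libsmbconf.so.0(log_stack_trace+0x1a) [0x7f11c54c3a3a]
   #2 /lib64/libsamba-util.so.0(smb_panic+0x2f) [0x7f11c75beeaf]
   #4 /lib64/libpthread.so.0(+0xf6d0) [0x7f11c7a266d0]
   #5 /usr/lib64/samba/libgse-samba4.so(+0x9530) [0x7f11bfb25530]
   #6 /usr/lib64/samba/libgse-samba4.so(gse_krb5_get_server_keytab+0xa5) [0x7f11bfb25f25]
[2020/02/23 13:00:30.085920,  3] ../source3/auth/token_util.c:681(finalize_local_nt_token)
  Failed to fetch domain sid for MDS.XYZ
[2020/02/23 13:00:30.086377,  3] ../source3/auth/token_util.c:708(finalize_local_nt_token)
  Failed to check for local Administrators membership (NT_STATUS_INVALID_PARAMETER_MIX)
[2020/02/23 13:00:30.087099,  0] ../source3/auth/auth_util.c:1382(make_new_session_info_guest)
  create_local_token failed: NT_STATUS_NO_MEMORY
[2020/02/23 13:00:30.087802,  0] ../source3/smbd/server.c:2000(main)
  ERROR: failed to setup guest info.
"""
```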

Cheers,
TK

OSPF: [EC 134217740] Packet[DD]: Neighbor 192.168.0.1 Negotiation fails.

Getting this?

2020/02/15 20:58:07 OSPF: [EC 134217740] Packet[DD]: Neighbor 192.168.0.1 Negotiation fails.

Clear up some space:

root@INTERNET-ROUTER:/jffs/ospf# ls -altri
total 668396
      1 drwxr-xr-x    9 root     root             0 Dec 31  1969 ..
     20 drwxr-xr-x    2 root     root             0 Dec 31  1969 .
     21 -rw-------    1 root     root     684436856 Feb 15 20:56 ospf.log
root@INTERNET-ROUTER:/jffs/ospf# du -sh ospf.log
652.7M  ospf.log
root@INTERNET-ROUTER:/jffs/ospf# df -h .
Filesystem                Size      Used Available Use% Mounted on
/dev/mtdblock/4          96.0M     94.8M      1.2M  99% /jffs
root@INTERNET-ROUTER:/jffs/ospf# >ospf.log
root@INTERNET-ROUTER:/jffs/ospf# df -h
Filesystem                Size      Used Available Use% Mounted on
/dev/root                26.1M     26.1M         0 100% /
/dev/mtdblock/4          96.0M      5.6M     90.4M   6% /jffs
/dev/sda                  3.8G     33.4M      3.5G   1% /opt
root@INTERNET-ROUTER:/jffs/ospf# df -h .
Filesystem                Size      Used Available Use% Mounted on
/dev/mtdblock/4          96.0M      5.3M     90.7M   6% /jffs
root@INTERNET-ROUTER:/jffs/ospf# uptime
 20:57:47 up 16:00,  load average: 3.74, 2.76, 2.65
root@INTERNET-ROUTER:/jffs/ospf#

And consider disabling debug logging:

# cat /tmp/ospfd.conf
!
! Zebra configuration saved from vty
!   2019/12/13 08:12:53
!
frr version 7.1
frr defaults traditional
!
hostname INTERNET-ROUTER
domainname
log file /jffs/ospf/ospf.log
!
!debug ospf ism
!debug ospf nsm
!debug ospf lsa
!debug ospf zebra
!debug ospf nssa
!debug ospf packet all

!
!
!
!
router ospf
 ospf router-id 192.168.0.6
 log-adjacency-changes
 network 192.168.0.0/24 area 0
!
line vty
!

 

If that doesn't work, the solution on this page might be of help.

Cheers,
TK

OpenVPN + DD-WRT: CCD files not restricting users VLAN access while OSPF is enabled.

Here's the scenario. I've set up OpenVPN on my DD-WRT Asus router. My OpenVPN network is 10.1.1.0 / 255.255.255.0 (tun2). I can connect to my VPN server remotely by tethering my laptop to my mobile phone (on my wireless provider's network) and then connecting to the external ISP IP on which my OpenVPN server resides. I see the CCD file get applied to my user, as it should, restricting me to a specific VLAN (10.30.0.X). My CCD config is:

CCD File:
push "route 10.30.0.0 255.255.255.0"

Now the router where my OpenVPN server resides also has a local IP address from my local network's subnet and an external one from my ISP. The local VLAN IP is on br0: 192.168.0.100. My external ISP IP is on vlan2@eth0: 123.123.123.100.

Connecting to devices on 10.30.0.X works fine, which is expected. But I can also connect to devices on my local network, which is on 192.168.0.X, and I should not be able to. When I check where I logged in from on the target machine, the IP listed is 192.168.0.100, which is the OpenVPN server's local IP, NOT my VPN IP 10.1.1.2. Because of this, restricting traffic via F/W rules against 10.1.1.0/24 doesn't work.

It appears that when I initiate an SSH connection from my laptop to a local machine on 192.168.0.X, for example, the OpenVPN server forwards those packets from tun2 over to br0, from which it then initiates a connection to the target machine. Since the connection appears to be routed through br0, which is on 192.168.0.100, the connection to other machines on the local subnet of course works.

This Asus router is also running OSPF (a routing protocol that establishes routes automatically).

Here is a visual of the setup:

https://i2.wp.com/www.microdevsys.com/WordPressImages/OpenVPN-Restricting-Connections.png?ssl=1

Notice above that traffic to the 10.30.0.101 IP works as it should. The configuration for the whole setup is as follows:

OpenVPN Server Settings:

dh /jffs/etc/openvpn/dh.pem
ca /jffs/etc/openvpn/ca.crt
cert /jffs/etc/openvpn/cert.pem
key /jffs/etc/openvpn/key.pem
tls-auth /jffs/etc/openvpn/ta.key 0
keepalive 10 120
verb 3
mute 3
syslog
writepid /var/run/openvpnd.pid
management 127.0.0.1 14
management-log-cache 100
topology subnet
script-security 2
port 11194
proto tcp4-server
cipher aes-256-cbc
auth sha256
client-connect /tmp/openvpn/clcon.sh
client-disconnect /tmp/openvpn/cldiscon.sh
client-config-dir /jffs/etc/openvpn/ccd
comp-lzo adaptive
tls-server
ifconfig-pool-persist /tmp/openvpn/ip-pool 86400
client-to-client
push "redirect-gateway def1"

tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
tcp-nodelay
tun-mtu 1500
mtu-disc yes
server 10.1.1.0 255.255.255.0
dev tun2
auth-nocache

OpenVPN Client Configuration:  

client
dev tun2
proto tcp
remote my.website.com 11194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert GuestUser.crt
key GuestUser.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
auth SHA256
comp-lzo
verb 3
auth-nocache

F/W Rules:

# ----------------------
# VPN Specific
# ----------------------
# Allow external connections to 11194
iptables -A INPUT -p tcp --dport 11194 -d $(nvram get wan_ipaddr) -j ACCEPT
iptables -A INPUT -p udp --dport 11194 -d $(nvram get wan_ipaddr) -j ACCEPT

# Allow Web Traffic
iptables -t nat -A POSTROUTING -s 10.1.1.0/24 -j MASQUERADE

# Block VPN clients from accessing anything else on the local network.
iptables -A INPUT -s 10.1.1.0/24 -j REJECT --reject-with icmp-port-unreachable
iptables -A OUTPUT -s 10.1.1.0/24 -j REJECT --reject-with icmp-port-unreachable

Client CCD File:

push "route 10.3.0.0 255.255.255.0"

 

The Resolution

The resolution to this was much simpler than it appeared at first. It turns out this line:

push "redirect-gateway def1"

was causing all traffic to pass through the default gateway, which in this case is 192.168.0.100, so the CCD files were effectively ignored. Removing the above line from the configuration made the VLAN restriction based on the CCD definition work like a charm.
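As an added example (not code from the original post or from OpenVPN), the following lint reads the server config, the CCD file and the F/W rules quoted above and reports what defeats per-client isolation: the global redirect-gateway push, client-to-client switching that bypasses the kernel firewall, a MASQUERADE rule with no -o interface restriction, and REJECT rules sitting in INPUT/OUTPUT, chains that forwarded VPN traffic never traverses. It also generalises to global push "route" lines and CCD push-reset; the samples are abridged from this page and the warning wording is the example's own.

```python
"""Lint an OpenVPN server config, its CCD file and iptables rules for the client-isolation gap described above."""
import shlex


def parse_ovpn(text):
    """Return [(directive, [args])]; lines starting with '#' or ';' are comments."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", ";")):
            parts = shlex.split(line)  # push "route 10.30.0.0 255.255.255.0" -> two tokens
            out.append((parts[0], parts[1:]))
    return out


def pushed_options(directives):
    """The option strings inside push "..." directives."""
    return [" ".join(args) for name, args in directives if name == "push"]


def effective_routes(server_text, ccd_text):
    """Routes a client ends up with: global pushes (unless the CCD file says push-reset) plus CCD pushes."""
    server, ccd = parse_ovpn(server_text), parse_ovpn(ccd_text)
    opts = pushed_options(ccd)
    if not any(name == "push-reset" for name, _ in ccd):
        opts = pushed_options(server) + opts
    return [opt.split()[1:3] for opt in opts if opt.startswith("route ")]


def lint_server(server_text, ccd_text):
    """Server directives that defeat per-client route restriction through CCD files."""
    warnings = []
    server = parse_ovpn(server_text)
    ccd_resets = any(name == "push-reset" for name, _ in parse_ovpn(ccd_text))
    for opt in pushed_options(server):
        if opt.startswith("redirect-gateway"):
            warnings.append(f'push "{opt}": every client sends all non-local traffic through the tunnel, '
                            "so CCD routes no longer limit what it can reach")
        elif opt.startswith("route ") and not ccd_resets:
            warnings.append(f'push "{opt}": pushed to every client; a CCD file can only drop it with push-reset')
    if any(name == "client-to-client" for name, _ in server):
        warnings.append("client-to-client: traffic between VPN clients is switched inside OpenVPN "
                        "and never reaches the kernel firewall")
    return warnings


def lint_firewall(rules, vpn_net):
    """iptables rules for the VPN subnet that cannot isolate traffic the router forwards."""
    warnings = []
    for rule in rules:
        argv = shlex.split(rule)
        if vpn_net not in argv or not ({"-s", "--source"} & set(argv)) or "-j" not in argv:
            continue
        target = argv[argv.index("-j") + 1]
        chain = argv[argv.index("-A") + 1] if "-A" in argv else ""
        if target in ("MASQUERADE", "SNAT") and "-o" not in argv:
            warnings.append(f"{rule}: no -o, so {vpn_net} is rewritten on every egress interface, LAN included, "
                            "and shows up as the router's own LAN address")
        if chain in ("INPUT", "OUTPUT") and target in ("REJECT", "DROP"):
            warnings.append(f"{rule}: {chain} only sees traffic to or from the router itself; "
                            "forwarded VPN traffic needs a FORWARD rule")
    return warnings


def drop_redirect_gateway(server_text):
    """The fix applied above: remove the global redirect-gateway push."""
    return "\n".join(l for l in server_text.splitlines() if "redirect-gateway" not in l) + "\n"


# Constructed samples, abridged from the server config, CCD file and F/W rules quoted on this page
SERVER_CONF = """\
topology subnet
server 10.1.1.0 255.255.255.0
dev tun2
client-config-dir /jffs/etc/openvpn/ccd
client-to-client
push "redirect-gateway def1"
"""
CCD_FILE = 'push "route 10.30.0.0 255.255.255.0"\n'
FW_RULES = [
    "iptables -A INPUT -p tcp --dport 11194 -d $(nvram get wan_ipaddr) -j ACCEPT",
    "iptables -t nat -A POSTROUTING -s 10.1.1.0/24 -j MASQUERADE",
    "iptables -A INPUT -s 10.1.1.0/24 -j REJECT --reject-with icmp-port-unreachable",
    "iptables -A OUTPUT -s 10.1.1.0/24 -j REJECT --reject-with icmp-port-unreachable",
]
```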

HTH,
TK

REF: https://community.openvpn.net/openvpn/wiki/RoutedLans
REF ( Own Post – OpenVPN ): https://forums.openvpn.net/viewtopic.php?f=4&t=29447
REF ( Own Post – DD-WRT ): https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1187018#1187018

Asus – AC68U , OSPF, DD-WRT, OpenVPN, F/W, r40854

Despite a few quirks, I wanted to post some highlights (a success story) of using the r40854 firmware on the Asus AC68U and some of DD-WRT's capabilities with this firmware. It took some time to try this with various firmware versions, and this appears to be the most stable combination so far:

    OSPF works
    VPN works, but only if configured manually. Three issues:
        CA cert can't be saved through the UI. It simply disappears when saving or applying.
        Network can't be saved through the UI. It simply disappears when saving or applying.
        TLS ta.key has the wrong permissions. Fixing it manually appears to persist across reboots.
    tcpdump works

    

Since OSPF works, pairing up with other Asus AC68U routers running OSPF, or even with Cisco devices such as the Cisco 3750G or Cisco WS-C4948-10GE switches that run OSPF, works perfectly.


It would be great to have these in the latest firmware release for the Asus AC68U:

    Cron not working. I need to use an external host with passwordless SSH keys to execute something periodically.
    A fully working VPN settings page: fix saving the CA cert and Network. (The VPN won't start without these.)
    OSPF working as it does in r40854.
    tcpdump works in the r40854 firmware. It doesn't in the others I've tried (see my earlier posts).

    

Conclusion:

Both of my Asus AC68U routers are running this version and are set to OSPF Router instead of Gateway or plain Router. I never want to go back to the previous setup. It gives me the best network performance while supporting multiple VLANs that isolate my equipment from network noise. I strongly recommend OSPF over Gateway.

OSPF Config

!
! Zebra configuration saved from vty
!   2019/12/13 08:12:53
!
frr version 7.1
frr defaults traditional
!
hostname DD-WRT-INTERNET-ASUS
domainname 
log file /jffs/ospf/ospf.log
!
# debug ospf ism
# debug ospf nsm
# debug ospf lsa
# debug ospf zebra
# debug ospf nssa
# debug ospf packet all
!
!
!
!
router ospf
 ospf router-id 192.168.0.100
 log-adjacency-changes
 network 192.168.0.0/24 area 0
!
line vty
!

ZEBRA Config

!
! Zebra configuration saved from vty
!   2019/12/13 08:12:53
!
frr version 7.1
frr defaults traditional
!
hostname DD-WRT-INTERNET-ASUS
domainname 
!
!
!
!
!
!
!
line vty
!


FIREWALL Rules for OSPF / Zebra


# ----------------------
# OSPF (IP protocol 89) for exchanging routing database information.
# ----------------------
iptables -A INPUT -p 89 -j ACCEPT
iptables -A OUTPUT -p 89 -j ACCEPT
# ----------------------
# ICMP - Allow ICMP TYPE 3 - Destination unreachable from outside.
# ----------------------
iptables -A INPUT -p icmp --icmp-type 3 -s $(nvram get wan_ipaddr) -d $(nvram get wan_ipaddr) -m state --state ESTABLISHED,RELATED -j ACCEPT

# ----------------------
# ICMP - Allow ICMP TYPE 0 - Echo reply from outside.
# ----------------------
iptables -A INPUT -p icmp --icmp-type 0 -d $(nvram get wan_ipaddr) -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT


# -----------------------------------
# NAT Rules (from Gateway Config)
# Needed for web access.
# -----------------------------------
iptables -t nat -I POSTROUTING -s 192.168.45.0/24 -j SNAT --to $(nvram get wan_ipaddr)
iptables -t nat -I POSTROUTING -s 192.168.75.0/24 -j SNAT --to $(nvram get wan_ipaddr)
iptables -t nat -I POSTROUTING -s 10.0.0.0/24 -j SNAT --to $(nvram get wan_ipaddr)                    # Per VLAN
iptables -t nat -I POSTROUTING -s 10.10.0.0/24 -j SNAT --to $(nvram get wan_ipaddr)
iptables -t nat -I POSTROUTING -s 10.20.0.0/24 -j SNAT --to $(nvram get wan_ipaddr)
iptables -t nat -I POSTROUTING -s 10.30.0.0/24 -j SNAT --to $(nvram get wan_ipaddr)
iptables -t nat -I POSTROUTING -s 192.168.0.0/24 -j SNAT --to $(nvram get wan_ipaddr)
iptables -t nat -I POSTROUTING -m mark --mark 0x80000000/0x80000000 -j MASQUERADE

# ----------------------
# ICMP - 10.0.0.X
# ----------------------
iptables -A INPUT -p icmp --icmp-type 0 -s 10.0.0.0/24 -d 192.168.0.0/24 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type 0 -s 192.168.0.0/24 -d 10.0.0.0/24 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 8 -s 10.0.0.0/24 -d 192.168.0.0/24 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type 8 -s 192.168.0.0/24 -d 10.0.0.0/24 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 3 -s 10.0.0.0/24 -d 192.168.0.0/24 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type 3 -s 192.168.0.0/24 -d 10.0.0.0/24 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT


VPN Specific F/W Rules

# ----------------------
# VPN Specific
# ----------------------
iptables -A INPUT -p tcp --dport 11194 -j ACCEPT
iptables -A INPUT -p udp --dport 11194 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 11194 -j ACCEPT
iptables -A OUTPUT -p udp --dport 11194 -j ACCEPT

iptables -A INPUT -s 10.1.1.0/24 -d 192.168.0.0/24 -p tcp --dport 443 -j ACCEPT
iptables -A OUTPUT -d 10.1.1.0/24 -s 192.168.0.0/24 -j ACCEPT

iptables -I INPUT 1 -p tcp --dport 11194 -j ACCEPT
iptables -I FORWARD 1 --source 10.1.1.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.1.1.0/24 -j MASQUERADE


VPN Specific Configuration

dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
keepalive 10 120
verb 3
mute 3
syslog
writepid /var/run/openvpnd.pid
management 127.0.0.1 14
management-log-cache 100
topology subnet
script-security 2
port 11194
proto tcp4-server
cipher aes-256-cbc
auth sha256
client-connect /tmp/openvpn/clcon.sh
client-disconnect /tmp/openvpn/cldiscon.sh
client-config-dir /jffs/etc/openvpn/ccd
comp-lzo adaptive
tls-server
ifconfig-pool-persist /tmp/openvpn/ip-pool 86400
client-to-client
push "redirect-gateway def1"
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
auth-nocache
tcp-nodelay
tun-mtu 1500
mtu-disc yes
server 10.1.1.0 255.255.255.0
dev tun2
tls-auth /tmp/openvpn/ta.key 0
push "dhcp-option DNS 192.168.0.150"
push "dhcp-option DNS 192.168.0.151"
push "dhcp-option DNS 192.168.0.152"
push "route 192.168.0.0 255.255.255.0"
push "route 10.0.0.0 255.255.255.0"
push "route 10.10.0.0 255.255.255.0"
push "route 10.20.0.0 255.255.255.0"
push "route 10.30.0.0 255.255.255.0"

OpenVPN Client Config ( Windows 10 )

# cat client.ovpn  | grep -Ev ";|#" | sed -e "/^$/d"
client
dev tun2
proto tcp
remote access.mysite.com 11194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert TomK.crt
key TomK.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
auth SHA256
comp-lzo
verb 3
auth-nocache

UI VPN Config Page:

https://i1.wp.com/www.microdevsys.com/WordPressImages/OpenVPN-GUI-Configuration-Page.JPG?ssl=1

Masquerade Configuration for the above page:

expand-hosts
interface=br0,tun2
listen-address=127.0.0.1,192.168.0.100,10.1.1.1

https://i2.wp.com/www.microdevsys.com/WordPressImages/OpenVPN-GUI-Masquerade-Configuration-Page.JPG?ssl=1

The rest of the VPN configuration is pretty much exactly what you find on the official page:

https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318795

CRONTAB (Remote Linux host, DD-WRT cron isn't working for me right now. )


# DD-WRT

# Block WEB traffic by MAC after a certain time.
*/10 * * * * scp -P 22022 /root/bin/rested.sh root@192.168.0.100:/jffs/; ssh -p 22022 root@192.168.0.100 "chmod 750 /jffs/rested.sh; /jffs/rested.sh";

# Reboot the router everyday near 5AM.
57 4 * * * ssh -p 22022 root@192.168.0.100 "startservice run_rc_shutdown; /sbin/reboot";

# VPN UI saving issue workaround.
* * * * * scp -P 22022 /root/bin/openvpn-conf.sh root@192.168.0.100:/jffs/; ssh root@192.168.0.100 -p 22022 "chmod 750 /jffs/openvpn-conf.sh; /jffs/openvpn-conf.sh; grep -Ei vpn /var/log/messages";


Block WEB traffic by device MAC ( parental controls – guess it sucks to have a dad who knows IT. ) :


# cat /root/bin/rested.sh
#!/bin/ash
#
# This script connects to the primary house router and blocks the iPads, TVs and the kids' laptops from accessing youtube.com.
#
# Block youtube.com (ex).
#
#
# nslookup       172.217.1.174
# Name:      172.217.1.174
# Address 1: 172.217.1.174 yyz10s04-in-f14.1e100.net
#
# Name:      172.217.2.174
# Address 1: 172.217.2.174 yyz10s06-in-f14.1e100.net
#
# REF: http://io.sivuduuni.biz/block-youtube-with-iptables/
#
#

CHAIN="youtube.com";
CDATE=$(date +"%H%M%S");
MOI=$(basename $0);
TSTART=210000;
TSTOP=125959;
CDAY=$(date +%A);
DCOND=0;
DOW="Monday Tuesday Wednesday Thursday Friday";
# DOW="Sunday Monday Tuesday Wednesday Thursday Friday Saturday";
DESTIPL="172.217.1.174 172.217.2.174 172.217.0.0/16";
MACLIST="B4:1C:FF:59:95:13 A4:8D:3B:FF:55:A3 C4:1C:FF:F9:3C:C2 35:1D:FF:F9:9F:8E 78:34:BF:C7:9C:7E 01:71:CC:68:A2:1B F9:A9:61:72:4E:C5 40:C2:30:73:D6:9F B8:86:CD:D7:87:37 68:86:DD:D7:47:A8 38:B5:C7:32:8C:54 78:A5:B7:32:3C:B8";

# Alternate reject line.
CREJECT="-m state --state ESTABLISHED -j REJECT --reject-with icmp-port-unreachable;";

# DROP and ADD flag.  Indicates if a block already ran and skips future iterations.
FLAGF="/tmp/added-$MOI";

# Properly decipher the range between days.
if [[ $TSTART -gt $TSTOP ]]; then
        [[ $CDATE -gt $TSTART || $CDATE -lt $TSTOP ]] && DCOND=1;
else
        [[ $CDATE -gt $TSTART && $CDATE -lt $TSTOP ]] && DCOND=1;
fi

if [[ $DCOND -eq 1 ]] && echo "$DOW" | grep -q "$CDAY"; then

        if [[ ! -r $FLAGF ]]; then

                # Set up a chain that receives all traffic from the given MAC addresses (create it only if it is missing).
                if ! iptables -nL $CHAIN >/dev/null 2>&1; then
                        iptables -N $CHAIN;
                fi

                # FORWARD all listed MAC addresses to the named CHAIN;
                for MAC in $MACLIST; do
                        iptables -A FORWARD -m mac --mac-source $MAC -j $CHAIN;
                done;

                for IP in $DESTIPL; do
                        iptables -A $CHAIN -d $IP -j DROP;
                        iptables -A $CHAIN -s $IP -j DROP;
                done
                touch $FLAGF;
        else
                echo "No Action.  The provided IP's are already blocked.";
        fi

else

        if [[ -r $FLAGF ]]; then
                # Remove the FORWARD jumps first: a chain cannot be deleted while rules still reference it.
                for MAC in $MACLIST; do
                        iptables -D FORWARD -m mac --mac-source $MAC -j $CHAIN;
                done;

                # Flush and delete the named CHAIN once nothing points at it (this drops all the per-IP rules at once).
                iptables -F $CHAIN;
                iptables -X $CHAIN;
                rm -f $FLAGF;
        else
                echo "No Action.  The provided IP's are already unblocked.";
        fi
fi
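The schedule test in rested.sh (a window from TSTART to TSTOP that wraps past midnight, on listed weekdays only) is the part worth getting exactly right, because a mistake either leaves the block on all day or never applies it. The function below is an added example, not code from the post: it factors that test out so it can be checked against fixed clock values. It also handles two details the inline version relies on the router for: a clock string with a leading zero such as 045959, which bash's `[[ ... -gt ... ]]` evaluates as an octal literal and rejects (busybox's test builtin parses it as decimal, which is why the script works under /bin/ash), and a whole-word day match. The start boundary is inclusive here (21:00:00 is already inside the window).

```shell
#!/bin/sh
# Added example (not from the post): the blocking-window test from rested.sh
# as a portable POSIX sh function with constructed test values.

# Strip leading zeros so "045959" compares as 45959 and "000000" as 0, instead
# of being read as an octal literal by shells that do arithmetic in [[ ]].
dec() { v=${1#"${1%%[!0]*}"}; echo "${v:-0}"; }

# in_window NOW START STOP (all HHMMSS): true when NOW is inside the window.
# START greater than STOP means the window spans midnight, e.g. 21:00 to 12:59:59.
in_window() {
    now=$(dec "$1"); start=$(dec "$2"); stop=$(dec "$3")
    if [ "$start" -gt "$stop" ]; then
        [ "$now" -ge "$start" ] || [ "$now" -lt "$stop" ]
    else
        [ "$now" -ge "$start" ] && [ "$now" -lt "$stop" ]
    fi
}

# Same schedule as rested.sh: school nights, 21:00 until 12:59:59 the next day.
TSTART=210000; TSTOP=125959
DOW="Monday Tuesday Wednesday Thursday Friday"

# blocking_due NOW DAY: true when the block should be active, i.e. NOW is in
# the window and DAY is in the list. grep -x matches the whole word, so a
# day name can never match as a substring of another entry.
blocking_due() {
    in_window "$1" "$TSTART" "$TSTOP" && printf '%s\n' $DOW | grep -qx "$2"
}

# Constructed sample clock values, run for a weekday and a weekend day.
for day in Wednesday Saturday; do
    for t in 203000 210000 003000 045959 130000; do
        if blocking_due "$t" "$day"; then
            echo "$day $t: block"
        else
            echo "$day $t: allow"
        fi
    done
done
```

Because both functions only return an exit status, they can be dropped into the real script in place of the DCOND/DOW lines, or run from a Linux host's cron (as this setup does) without the ash-versus-bash difference mattering.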

OpenVPN Code to configure and start OpenVPN Server on the DD-WRT router:

# cat /root/bin/openvpn-conf.sh

#!/bin/sh

/bin/cp /jffs/openvpn.conf /tmp/openvpn/
/bin/cp /jffs/ca.crt /tmp/openvpn/

if ps | grep -Ei "openvpn\.con[Ff]" 1>/dev/null 2>&1; then
        if ! grep -q "OpenVPN server is running" /var/log/messages; then
                echo $(date)" OpenVPN server is running." >> /var/log/messages;
        fi
else
        echo "No VPN running.  Starting a new instance.";
        openvpn --config /tmp/openvpn/openvpn.conf --up /tmp/openvpn/route-up.sh --down /tmp/openvpn/route-down.sh --daemon -v --mode server ;
fi


Cheers,
IM

Important Notes: The above is not 100% refined.  Tweaks and issues are certainly possible.  Please keep this in mind.

OpenVPN: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this

Running into this?

OpenVPN: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this

Fix it by adding this parameter to the OpenVPN config file:

# Don't save passwords when connected.
auth-nocache

Restart your OpenVPN connection.

Cheers,
TK

OpenVPN: An error occurred installing the TAP device driver. in Windows 10

Suffering from this in Windows 10?

OpenVPN: An error occurred installing the TAP device driver.  

or perhaps a variant of the above?

OpenVPN: Write to TUN/TAP : Unknown error (code=122)

Then install a new version of the OpenVPN client application.  You may still get the above, so open Device Manager and look under the Network adapters section.  An Unknown device should be listed.  Right-click it and let Windows find an appropriate driver for it.

The end result should look like this:

https://i1.wp.com/www.microdevsys.com/WordPressImages/OpenVPN-error-installing-TAP-TUN-driver.JPG?ssl=1

Then again the above might not solve all the issues.  In case you get the error:

OpenVPN: Write to TUN/TAP : Unknown error (code=122)

It's likely due to this:

Sun Dec 29 19:10:49 2019 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1571', remote='link-mtu 1572'
Sun Dec 29 19:10:49 2019 WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'

Then uncomment this:

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo

Hope this helps!

Cheers,
JB

TLS Error: cannot locate HMAC in incoming packet from [AF_INET]

Getting this?

TLS Error: cannot locate HMAC in incoming packet from [AF_INET]192.168.0.76:65169

Solve it by ensuring these two lines match the server:

cipher AES-256-CBC
auth SHA256

And ensure they appear in the server config as well, as follows:

cipher aes-256-cbc
auth sha256


Cheers,
TK

TLS Error: reading acknowledgement record from packet

Getting this?

Dec 28 04:16:28 DD-WRT-INTERNET-ASUS daemon.notice openvpn[18115]: TCP connection established with [AF_INET]192.168.0.76:64101
Dec 28 04:16:29 DD-WRT-INTERNET-ASUS daemon.notice openvpn[18115]: 192.168.0.76:64101 TLS: Initial packet from [AF_INET]192.168.0.76:64101, sid=6624e5bc bebf0a81
Dec 28 04:16:29 DD-WRT-INTERNET-ASUS daemon.err openvpn[18115]: 192.168.0.76:64101 TLS Error: reading acknowledgement record from packet
Dec 28 04:16:29 DD-WRT-INTERNET-ASUS daemon.err openvpn[18115]: 192.168.0.76:64101 Fatal TLS error (check_tls_errors_co), restarting
Dec 28 04:16:29 DD-WRT-INTERNET-ASUS daemon.notice openvpn[18115]: 192.168.0.76:64101 SIGUSR1[soft,tls-error] received, client-instance restarting

Enable TLS authentication (tls-auth) on the server:

Copy and paste the ta.key contents into the TLS Auth Key box of the DD-WRT router.  Ensure your .ovpn config file also contains this:

# If a tls-auth key is used on the server
# then every client must also have the key.
tls-auth ta.key 1

Ensure the openvpn.conf file on the DD-WRT router has the following config:

root@DD-WRT-INTERNET-ASUS:/tmp/openvpn# cat openvpn.conf
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
keepalive 10 120
verb 3
mute 3
syslog
writepid /var/run/openvpnd.pid
management 127.0.0.1 14
management-log-cache 100
topology subnet
script-security 2
port 1194
proto tcp4-server
cipher aes-256-cbc
auth sha256
client-connect /tmp/openvpn/clcon.sh
client-disconnect /tmp/openvpn/cldiscon.sh
client-config-dir /jffs/etc/openvpn/ccd
comp-lzo adaptive
tls-server
ifconfig-pool-persist /tmp/openvpn/ip-pool 86400
client-to-client
push "redirect-gateway def1"
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
tcp-nodelay
tun-mtu 1500
mtu-disc yes
server 10.1.1.0 255.255.255.0
dev tun2
tls-auth /tmp/openvpn/ta.key 0
push "dhcp-option DNS 192.168.0.224"
push "dhcp-option DNS 192.168.0.44"
push "dhcp-option DNS 192.168.0.154"
push "route 192.168.0.0 255.255.255.0"
root@DD-WRT-INTERNET-ASUS:/tmp/openvpn#
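The three errors in these posts (cannot locate HMAC, the link-mtu/comp-lzo warnings, and reading acknowledgement record) all come down to a client .ovpn that disagrees with the server's openvpn.conf on one option, and OpenVPN only tells you after the handshake fails. The script below is an added example, not from the post or the OpenVPN project: it compares the two files for the options named on this page (cipher, auth, proto, comp-lzo and the tls-auth key with its 0/1 direction) and names the mismatch before you reconnect. The sample configs are constructed in a temporary directory (hostname and paths are placeholders), and values are compared case-insensitively because OpenVPN accepts aes-256-cbc and AES-256-CBC alike.

```shell
#!/bin/sh
# Added example (not from the post): compare an OpenVPN client config with the
# server config for the mismatches behind "cannot locate HMAC",
# "reading acknowledgement record" and the comp-lzo/link-mtu warnings.

# opt FILE KEY [N]: field N (default 2, i.e. the first value) of the first
# uncommented KEY line, lowercased; empty if absent. Comment lines begin with
# '#' or ';', so their first field never equals KEY.
opt() { awk -v k="$2" -v n="${3:-2}" '$1 == k { print tolower($n); exit }' "$1"; }

# has FILE KEY: true if KEY appears as an option, with or without a value.
has() { [ -n "$(awk -v k="$2" '$1 == k { print "y"; exit }' "$1")" ]; }

# proto values tcp4-server, tcp-server, tcp6 and tcp all describe the same family.
proto_family() { printf '%s\n' "$1" | sed 's/-.*//; s/[46]$//'; }

# check_vpn_pair SERVER_CONF CLIENT_OVPN: print one line per mismatch and
# return 1; return 0 (print nothing) when the pair is consistent.
check_vpn_pair() {
    srv=$1; cli=$2; bad=0
    for key in cipher auth; do
        if [ "$(opt "$srv" "$key")" != "$(opt "$cli" "$key")" ]; then
            echo "MISMATCH $key: server='$(opt "$srv" "$key")' client='$(opt "$cli" "$key")' (expect: cannot locate HMAC)"
            bad=1
        fi
    done
    if [ "$(proto_family "$(opt "$srv" proto)")" != "$(proto_family "$(opt "$cli" proto)")" ]; then
        echo "MISMATCH proto: server='$(opt "$srv" proto)' client='$(opt "$cli" proto)'"
        bad=1
    fi
    if has "$srv" comp-lzo && ! has "$cli" comp-lzo; then
        echo "MISMATCH comp-lzo: on server, missing on client (expect: link-mtu used inconsistently)"
        bad=1
    elif has "$cli" comp-lzo && ! has "$srv" comp-lzo; then
        echo "MISMATCH comp-lzo: on client, missing on server"
        bad=1
    fi
    if has "$srv" tls-auth; then
        if ! has "$cli" tls-auth; then
            echo "MISMATCH tls-auth: server requires the HMAC key, client has none (expect: reading acknowledgement record)"
            bad=1
        elif [ "$(opt "$srv" tls-auth 3)" = "$(opt "$cli" tls-auth 3)" ]; then
            echo "MISMATCH tls-auth: key direction must differ (server 0, client 1), both are '$(opt "$cli" tls-auth 3)'"
            bad=1
        fi
    fi
    return $bad
}

# Constructed sample configs in a temp directory so the check runs offline.
TMPD=$(mktemp -d); trap 'rm -rf "$TMPD"' EXIT
SERVER_CONF=$TMPD/openvpn.conf; GOOD_CLIENT=$TMPD/client.ovpn; BAD_CLIENT=$TMPD/broken.ovpn
cat > "$SERVER_CONF" <<'EOF'
port 11194
proto tcp4-server
cipher aes-256-cbc
auth sha256
comp-lzo adaptive
tls-server
tls-auth /tmp/openvpn/ta.key 0
EOF
cat > "$GOOD_CLIENT" <<'EOF'
client
proto tcp
remote vpn.example.invalid 11194
cipher AES-256-CBC
auth SHA256
comp-lzo
tls-auth ta.key 1
EOF
# Broken variant: SHA1 instead of SHA256, comp-lzo and tls-auth commented out.
cat > "$BAD_CLIENT" <<'EOF'
client
proto tcp
remote vpn.example.invalid 11194
cipher AES-256-CBC
auth SHA1
;comp-lzo
# tls-auth ta.key 1
EOF

check_vpn_pair "$SERVER_CONF" "$GOOD_CLIENT" && echo "client.ovpn matches openvpn.conf"
check_vpn_pair "$SERVER_CONF" "$BAD_CLIENT" || echo "fix broken.ovpn before reconnecting"
```

Run it against the real files (the server side fetched from /tmp/openvpn on the router) whenever a client stops connecting after a config change; a clean result narrows the problem to networking or certificates rather than the option set.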


Cheers,
TK

  Copyright © 2003 - 2013 Tom Kacperski (microdevsys.com). All rights reserved.

Creative Commons License
This work is licensed under a Creative Commons Attribution 3.0 Unported License