I am trying to connect from local PC (in 192.168 network) to my external open-vpn server which is not on the router. It worked perfectly with default asus firmware.
LAN to WAN traffic is not blocked by default. And from what I can see you have not messed with the firewall, so it is not blocked there.
Install tcpdump first:
opkg update; opkg install tcpdump
Then run in one SSH window:
tcpdump -i eth0.2 -evn udp port 51194
In another SSH window run:
logread -f
Fire up the OpenVPN connection from the PC and paste here the output from the two windows.
This is indeed a very strange thing. In the tcpdump window there are packets like this:
21:21:01.117576 <mac1> > <mac2>, ethertype IPv4 (0x0800), length 82: (tos 0x0, ttl 56, id 31765, offset 0, flags [DF], proto UDP (17), length 68)
<my_openvpn_server_ip>.51194 > <my_local_ip>.32849: UDP, length 40
21:21:11.143149 <mac1> > <mac2>, ethertype IPv4 (0x0800), length 82: (tos 0x0, ttl 56, id 32600, offset 0, flags [DF], proto UDP (17), length 68)
<my_openvpn_server_ip>.51194 > <my_local_ip>.32849: UDP, length 40
21:21:21.272845 <mac1> > <mac2>, ethertype IPv4 (0x0800), length 82: (tos 0x0, ttl 56, id 33889, offset 0, flags [DF], proto UDP (17), length 68)
<my_openvpn_server_ip>.51194 > <my_local_ip>.32849: UDP, length 40
21:21:31.405310 <mac1> > <mac2>, ethertype IPv4 (0x0800), length 82: (tos 0x0, ttl 56, id 34130, offset 0, flags [DF], proto UDP (17), length 68)
<my_openvpn_server_ip>.51194 > <my_local_ip>.32849: UDP, length 40
21:21:41.758317 <mac1> > <mac2>, ethertype IPv4 (0x0800), length 82: (tos 0x0, ttl 56, id 35700, offset 0, flags [DF], proto UDP (17), length 68)
<my_openvpn_server_ip>.51194 > <my_local_ip>.32849: UDP, length 40
In the logread -f window there was nothing (I was running it from another SSH session on the router). I even checked my OpenVPN server logs; it seems I was connected, and in addition to that my network manager icon showed me that I am connected (small lock icon, I am using Arch Linux). The worst part is that after I disconnect from that broken VPN connection (because I have no internet) I can't access any port 80 or 443 via the router (it just freezes on connection), BUT I can use SSH on port 22 from my local PC in the 192 network.
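A capture filtered on `udp port 51194` matches both directions, so it is worth tallying a paste like the one above by direction: in the excerpt only server-to-client datagrams appear. This added helper (not from the thread; the sample lines are constructed with documentation-range addresses and placeholder MACs) does that tally and classifies what is seen on the interface.

```sh
#!/bin/sh
# Tally UDP datagrams by direction in "tcpdump -evn udp port N" output.
# The sample below is constructed for this example (modelled on the thread's
# capture, with documentation-range addresses); it is not the poster's data.
VPN_PORT=51194

SAMPLE='21:21:01.117576 02:00:00:00:00:01 > 02:00:00:00:00:02, ethertype IPv4 (0x0800), length 82: (tos 0x0, ttl 56, id 31765, offset 0, flags [DF], proto UDP (17), length 68)
    203.0.113.10.51194 > 192.168.1.20.32849: UDP, length 40
21:21:11.143149 02:00:00:00:00:01 > 02:00:00:00:00:02, ethertype IPv4 (0x0800), length 82: (tos 0x0, ttl 56, id 32600, offset 0, flags [DF], proto UDP (17), length 68)
    203.0.113.10.51194 > 192.168.1.20.32849: UDP, length 40
21:21:21.272845 02:00:00:00:00:01 > 02:00:00:00:00:02, ethertype IPv4 (0x0800), length 82: (tos 0x0, ttl 56, id 33889, offset 0, flags [DF], proto UDP (17), length 68)
    203.0.113.10.51194 > 192.168.1.20.32849: UDP, length 40'

# count_direction from|to PORT: reads a capture on stdin and counts the
# "a.b.c.d.SPORT > e.f.g.h.DPORT: UDP" lines whose source (from) or
# destination (to) port equals PORT. The timestamp/MAC lines never match.
count_direction() {
  awk -v dir="$1" -v port="$2" '
    /: UDP, length/ {
      sp = $1; sub(/.*\./, "", sp)                      # source port
      dp = $3; sub(/:$/, "", dp); sub(/.*\./, "", dp)   # destination port
      if (dir == "from" && sp == port) n++
      if (dir == "to"   && dp == port) n++
    }
    END { print n + 0 }'
}

# direction_verdict PORT: classifies the capture on stdin. "inbound-only"
# means the server is answering but no client datagram was seen leaving on
# this interface, so the missing half is on the client/LAN side, not the WAN.
direction_verdict() {
  capture=$(cat)
  in_count=$(printf '%s\n' "$capture" | count_direction from "$1")
  out_count=$(printf '%s\n' "$capture" | count_direction to "$1")
  if [ "$in_count" -gt 0 ] && [ "$out_count" -gt 0 ]; then echo bidirectional
  elif [ "$in_count" -gt 0 ]; then echo inbound-only
  elif [ "$out_count" -gt 0 ]; then echo outbound-only
  else echo none
  fi
}

printf '%s\n' "$SAMPLE" | direction_verdict "$VPN_PORT"
```

Pipe a real capture into `direction_verdict 51194` instead of the sample; "none" means the capture window missed the handshake entirely and should be re-run while the client connects.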
Looks like you have some problem with client and/or server configuration.
Your issue doesn't seem to be related to OpenWrt.
But it was working perfectly fine before I started using the OpenWrt firmware, plus that port blocking after disconnecting from the "broken" VPN connection is clearly a router issue; I had nothing like that previously.
Activate the VPN connection and collect the diagnostics from your PC:
PAGER= nmcli connection show id VPN_CON; \
ip address show; ip route show; ip rule show; \
ip route get 1; ip route get 1::; \
grep -e ^hosts /etc/nsswitch.conf; \
grep -v -e ^# -e ^$ /etc/resolv.conf; \
resolvectl query example.org; \
resolvectl dns; resolvectl domain; \
ping -w 3 8.8.8.8; ping -w 3 example.org; \
nslookup example.org 8.8.8.8; nslookup example.org
You can post it to pastebin.com.
So I solved the first issue, which was loss of DNS after disconnecting from the VPN, by enabling the systemd-resolved service (it wasn't somehow disabled), but anyway when the VPN is connected, none of the below works, resulting in 100% packet loss or timeout:
resolvectl query openwrt.org
ping -w 3 openwrt.org
ping -w 3 8.8.8.8
nslookup openwrt.org 8.8.8.8
nslookup openwrt.org
resolvectl domain; resolvectl dns
Global:
Link 2 (enp30s0):
Link 3 (br-1469495459e8):
Link 4 (br-35c745066029):
Link 5 (docker0):
Link 6 (br-baeb43c59b81):
Link 25 (tun0): ~.
Global: 8.8.8.8 8.8.4.4
Link 2 (enp30s0):
Link 3 (br-1469495459e8):
Link 4 (br-35c745066029):
Link 5 (docker0):
Link 6 (br-baeb43c59b81):
Link 25 (tun0): 8.8.8.8 8.8.4.4
ip route get 1; ip route get 1::;
1.0.0.0 via 192.168.255.5 dev tun0 src 192.168.255.6 uid 1000
cache
RTNETLINK answers: Network is unreachable
I will check that out. In addition to that, I am getting a timeout doing nslookup openwrt.org in the normal connection state, without the VPN connected.
grep -e ^hosts /etc/nsswitch.conf; \
ls -l /etc/resolv.conf; \
grep -v -e ^# -e ^$ /etc/resolv.conf; \
resolvectl dns; resolvectl domain
grep -e ^hosts /etc/nsswitch.conf; \
> ls -l /etc/resolv.conf; \
> grep -v -e ^# -e ^$ /etc/resolv.conf; \
> resolvectl dns; resolvectl domain
hosts: files mymachines myhostname resolve [!UNAVAIL=return] dns
-rw-r--r-- 1 root root 30 окт 31 02:17 /etc/resolv.conf
Global:
Link 2 (enp30s0):
Link 3 (br-1469495459e8):
Link 4 (br-35c745066029):
Link 5 (docker0):
Link 6 (br-baeb43c59b81):
Global:
Link 2 (enp30s0):
Link 3 (br-1469495459e8):
Link 4 (br-35c745066029):
Link 5 (docker0):
Link 6 (br-baeb43c59b81):
Post your main connection config:
PAGER= nmcli connection show id MAIN_CONNECTION
And fix the resolver:
sudo ln -f -r -s /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
Yeah, the resolver is OK now from the wired connection, but not from the VPN. Config here: https://pastebin.com/F95uc3kX
Check both the VPN server and client logs for clues.
I have no idea at all. journalctl is clean; I am 90% sure the problem is in the router/OpenWrt firewall, because everything was working okay yesterday on this PC with all these settings (and even with the resolvectl service switched off) with the default Asus firmware. The OpenVPN server logs are clean too; it is allowing me to connect, plus the NetworkManager icon is showing that I am connected. And after that connection nothing is working: unable to nslookup, ping, etc., like something is blocking all the traffic.
Is it okay that the tun interface is getting a 192.168.255.* local address, the same that the router LAN network is in? Is it okay that iptables -S on the router is showing rejection of all TCP traffic by default?
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
How can I completely disable the firewall and allow everything to everything?
Your LAN is:
Yeah, I meant the same network in terms of another private subnet, e.g. (172., 10.).
Anyway, I tried to change the LAN to 192.168.0.1 and it did not work.
It doesn't affect it, they are in different subnets.
Post here the client and server configurations and logs.
OK, this is getting worse: I flashed back the original Asus firmware, and the VPN is not working either. But it clearly was working a day ago, so OpenWrt was not the cause; I'll try to find the problem, thanks a lot.
UP: the VPN IS working on OpenWrt from another device in the network, PLUS it is working from the target PC using the raw command openvpn ~/my-config.ovpn, so this is clearly a NetworkManager issue.