Cannot connect client to site-to-site VPN (openvpn)

Hello,
Please help me to solve this issue. I have little networking knowledge, but somehow I have managed to set up 2 routers with their LANs connected into a site-to-site VPN.
Site A router has VPN server 192.168.7.0/24
Site A LAN 192.168.2.0/24

Site B router is VPN client
Site B LAN 192.168.8.0/24
Site B client CCD file (iroute 192.168.8.0 255.255.255.0)
These two sites can see and communicate with each other.

I have mobile devices which I want to connect to the Site A VPN server and to have access to the Site A LAN and Site B LAN. Now my mobile device is connecting to the Site A VPN server, but I cannot access any site's IPs. Please help me to solve the issue with mobile clients; I can't find clear information on what to do.

See below my server conf:

uci show openvpn
openvpn.custom_config=openvpn
openvpn.custom_config.config='/etc/openvpn/my-vpn.conf'
=openvpn
.port='1194'
.dev='tun'
.ca='/etc/openvpn/ca.crt'
.server='192.168.7.0 255.255.255.0'
.ifconfig_pool_persist='/tmp/ipp.txt'
.keepalive='10 120'
.compress='lzo'
.persist_key='1'
.persist_tun='1'
.user='nobody'
.status='/tmp/openvpn-status.log'
.verb='3'
.dh='/etc/openvpn/dh.pem'
.client_to_client='1'
.enabled='1'
.client_config_dir='/etc/openvpn/ccd'
.tls_server='1'
.cert='/etc/openvpn/antakalnis.crt'
.key='/etc/openvpn/antakalnis.key'
.tls_crypt='/etc/openvpn/ta.key'
.route='192.168.8.0 255.255.255.0'
.push='route 192.168.2.0 255.255.255.0'

This is the mobile client OpenVPN connection log:

2020-05-28 11:56:51 ----- OpenVPN Start -----
OpenVPN core 3.git::f225fcd0 ios arm64 64-bit PT_PROXY built on Mar  5 2020 13:46:31
2020-05-28 11:56:51 OpenVPN core 3.git::f225fcd0 ios arm64 64-bit PT_PROXY built on Mar  5 2020 13:46:31
2020-05-28 11:56:51 Frame=512/2048/512 mssfix-ctrl=1250

2020-05-28 11:56:51 UNUSED OPTIONS
5 [nobind] 
6 [resolv-retry] [infinite] 
7 [persist-key] 
8 [persist-tun] 

2020-05-28 11:56:51 EVENT: RESOLVE
2020-05-28 11:56:51 Contacting [xxxxx]:1194/UDP via UDP
2020-05-28 11:56:51 EVENT: WAIT
2020-05-28 11:56:51 Connecting to [xxxxx]:1194 (xxxxx) via UDPv4
2020-05-28 11:56:51 EVENT: CONNECTING
2020-05-28 11:56:51 Tunnel Options:V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client
2020-05-28 11:56:51 Creds: UsernameEmpty/PasswordEmpty

2020-05-28 11:56:51 Peer Info:
IV_GUI_VER=net.openvpn.connect.ios 3.1.2-3096
IV_VER=3.git::f225fcd0
IV_PLAT=ios
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2
IV_AUTO_SESS=1
IV_BS64DL=1

2020-05-28 11:56:52 VERIFY OK : depth=0
cert. version     : 3
serial number     : xxxxxxx:5A:17:B5
issuer name       : CN=xxxxx
subject name      : CN=xxxxx
issued  on        : 2020-05-21 18:08:41
expires on        : 2023-05-06 18:08:41
signed using      : RSA with SHA-256
RSA key size      : 2048 bits
basic constraints : CA=false
subject alt name  : xxxxxx
key usage         : Digital Signature, Key Encipherment
ext key usage     : TLS Web Server Authentication

2020-05-28 11:56:52 SSL Handshake: TLSv1.2/TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
2020-05-28 11:56:52 Session is ACTIVE
2020-05-28 11:56:52 EVENT: GET_CONFIG
2020-05-28 11:56:52 Sending PUSH_REQUEST to server...

2020-05-28 11:56:52 OPTIONS:
0 [route] [192.168.2.0] [255.255.255.0] 
1 [route] [192.168.7.0] [255.255.255.0] 
2 [topology] [net30] 
3 [ping] [10] 
4 [ping-restart] [120] 
5 [ifconfig] [192.168.7.10] [192.168.7.9] 
6 [peer-id] [4] 
7 [cipher] [AES-256-GCM] 

2020-05-28 11:56:52 PROTOCOL OPTIONS:
  cipher: AES-256-GCM
  digest: SHA1
  compress: NONE
  peer ID: 4
2020-05-28 11:56:52 EVENT: ASSIGN_IP
2020-05-28 11:56:52 NIP: preparing TUN network settings
2020-05-28 11:56:52 NIP: init TUN network settings with endpoint: xxxxxx
2020-05-28 11:56:52 NIP: adding IPv4 address to network settings 192.168.7.10/255.255.255.252
2020-05-28 11:56:52 NIP: adding (included) IPv4 route 192.168.7.8/30
2020-05-28 11:56:52 NIP: adding (included) IPv4 route 192.168.2.0/24
2020-05-28 11:56:52 NIP: adding (included) IPv4 route 192.168.7.0/24
2020-05-28 11:56:52 Connected via NetworkExtensionTUN
2020-05-28 11:56:52 EVENT: CONNECTED xxxxx:1194 (xxxxxx) via /UDPv4 on NetworkExtensionTUN/192.168.7.10/ gw=[/]
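As an added illustration of what the thread is checking by hand (this is not code from the original posts or from OpenWrt/OpenVPN): a small Python checker that parses `uci show openvpn` output together with a client's CCD file and reports which of the pieces a road-warrior client needs in order to reach a LAN behind another client are missing: a server `route` for that LAN, the site client's `iroute`, `client_to_client`, and a pushed route for the road-warrior client. The section name `myvpn` in the sample is a placeholder (the posted output has the section name stripped); the rest of the sample mirrors the posted config, and on it the checker reports exactly the missing push route.

```python
"""Check the OpenVPN pieces a road-warrior client needs to reach a remote LAN.

Added example, not from the original thread. The 'myvpn' section name is a
constructed placeholder; the option values mirror the config posted above.
"""
import re

# Constructed sample: `uci show openvpn` output with a placeholder section name.
SERVER_UCI = """\
openvpn.myvpn=openvpn
openvpn.myvpn.server='192.168.7.0 255.255.255.0'
openvpn.myvpn.client_to_client='1'
openvpn.myvpn.client_config_dir='/etc/openvpn/ccd'
openvpn.myvpn.route='192.168.8.0 255.255.255.0'
openvpn.myvpn.push='route 192.168.2.0 255.255.255.0'
"""

# Constructed sample: the site-B client's CCD file as described in the thread.
SITE_B_CCD = "iroute 192.168.8.0 255.255.255.0\n"


def parse_uci(text):
    """Parse `uci show` lines into {option: [values]}.

    Section headers such as 'openvpn.myvpn=openvpn' are skipped; list options
    (several quoted values on one line, or repeated keys) are accumulated.
    """
    opts = {}
    for line in text.splitlines():
        m = re.match(r"^[^.=]+\.[^.=]+\.([^=]+)=(.*)$", line.strip())
        if not m:
            continue
        key, raw = m.group(1), m.group(2)
        values = re.findall(r"'([^']*)'", raw) or [raw]
        opts.setdefault(key, []).extend(values)
    return opts


def cidr_from_mask(net, mask):
    """'192.168.8.0', '255.255.255.0' -> '192.168.8.0/24' (for comparisons)."""
    bits = sum(bin(int(octet)).count("1") for octet in mask.split("."))
    return f"{net}/{bits}"


def check_remote_lan_reachable(server_uci, site_ccd,
                               remote_lan="192.168.8.0 255.255.255.0"):
    """Return a list of findings; an empty list means all four pieces exist."""
    net, mask = remote_lan.split()
    target = cidr_from_mask(net, mask)
    opts = parse_uci(server_uci)
    findings = []

    # 1. The server needs a kernel route for the remote LAN via the tun device.
    if remote_lan not in opts.get("route", []):
        findings.append(f"server has no 'route {remote_lan}' option")

    # 2. The site client must claim the LAN with an iroute in its CCD file.
    iroute = rf"^\s*iroute\s+{re.escape(net)}\s+{re.escape(mask)}\s*$"
    if not re.search(iroute, site_ccd, re.M):
        findings.append(f"site CCD lacks 'iroute {remote_lan}'")

    # 3. client-to-client lets the server relay between its tun clients.
    if opts.get("client_to_client", ["0"])[0] != "1":
        findings.append("client_to_client is not enabled")

    # 4. The road-warrior client must be pushed a route for the remote LAN.
    pushed = {cidr_from_mask(*p.split()[1:3])
              for p in opts.get("push", []) if p.startswith("route ")}
    if target not in pushed:
        findings.append(
            f"no 'push route {remote_lan}' for the road-warrior client")
    return findings


if __name__ == "__main__":
    for finding in check_remote_lan_reachable(SERVER_UCI, SITE_B_CCD) or ["ok"]:
        print(finding)
```

The checker only looks at the server side; a push in a per-client CCD file (as tried later in the thread) can be fed in by appending its `push` line to the text before calling the function.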

Start with an ordinary PC connected to the VPN server. Could it access any site?

The mobile client config doesn't appear to include a route to LAN B (192.168.8.0). You'll need to add that into the config.

You mean to add route 192.168.8.0 255.255.255.0 to the mobile client CCD file?

If that's the way to do it. I'll be honest, it's been a long time since I've used openvpn so I'm not 100% sure on how you add the route. May as well give it a try and see what happens.

No, it was not working. Also tried push "route 192.168.8.0 255.255.255.0", but it is still not possible to access the LAN.

Hopefully someone with more recent openvpn knowledge will be able to come along with details of the correct way to add the route. Personally I'd swap out openvpn for wireguard; it's definitely faster and much simpler all round imo.

Hello, no, it cannot. Here is the Tunnelblick log:

2020-05-28 14:04:14.470797 *Tunnelblick: macOS 10.13.6 (17G12034); Tunnelblick 3.8.2a (build 5481); prior version 3.8.2 (build 5480)
2020-05-28 14:04:14.763268 *Tunnelblick: Attempting connection with vilkas-pc using shadow copy; Set nameserver = 769; monitoring connection
2020-05-28 14:04:14.763712 *Tunnelblick: openvpnstart start vilkas-pc.tblk 61102 769 0 1 0 1098032 -ptADGNWradsgnw 2.4.9-openssl-1.1.1e
2020-05-28 14:04:14.797430 *Tunnelblick: openvpnstart starting OpenVPN
2020-05-28 14:04:15.151386 OpenVPN 2.4.9 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on May 22 2020
2020-05-28 14:04:15.151493 library versions: OpenSSL 1.1.1e  17 Mar 2020, LZO 2.10
2020-05-28 14:04:15.152713 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:61102
2020-05-28 14:04:15.152755 Need hold release from management interface, waiting...
2020-05-28 14:04:15.387036 *Tunnelblick: openvpnstart log:
     OpenVPN started successfully.
     Command used to start OpenVPN (one argument per displayed line):
          /Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.4.9-openssl-1.1.1e/openvpn
          --daemon
          --log /Library/Application Support/Tunnelblick/Logs/-SUsers-SVilkas-SLibrary-SApplication Support-STunnelblick-SConfigurations-Svilkas--pc.tblk-SContents-SResources-Sconfig.ovpn.769_0_1_0_1098032.61102.openvpn.log
          --cd /Library/Application Support/Tunnelblick/Users/Vilkas/vilkas-pc.tblk/Contents/Resources
          --machine-readable-output
          --setenv IV_GUI_VER "net.tunnelblick.tunnelblick 5481 3.8.2a (build 5481)"
          --verb 3
          --config /Library/Application Support/Tunnelblick/Users/Vilkas/vilkas-pc.tblk/Contents/Resources/config.ovpn
          --setenv TUNNELBLICK_CONFIG_FOLDER /Library/Application Support/Tunnelblick/Users/Vilkas/vilkas-pc.tblk/Contents/Resources
          --verb 3
          --cd /Library/Application Support/Tunnelblick/Users/Vilkas/vilkas-pc.tblk/Contents/Resources
          --management 127.0.0.1 61102 /Library/Application Support/Tunnelblick/dlegbjocihhgmagfabcblmhcckfoibedpfchhhll.mip
          --management-query-passwords
          --management-hold
          --script-security 2
          --route-up /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw
          --down /Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw
2020-05-28 14:04:15.388110 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:61102
2020-05-28 14:04:15.393610 MANAGEMENT: CMD 'pid'
2020-05-28 14:04:15.393709 MANAGEMENT: CMD 'auth-retry interact'
2020-05-28 14:04:15.393759 MANAGEMENT: CMD 'state on'
2020-05-28 14:04:15.393787 MANAGEMENT: CMD 'state'
2020-05-28 14:04:15.393840 MANAGEMENT: CMD 'bytecount 1'
2020-05-28 14:04:15.393930 *Tunnelblick: Established communication with OpenVPN
2020-05-28 14:04:15.394740 *Tunnelblick: >INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info
2020-05-28 14:04:15.395846 MANAGEMENT: CMD 'hold release'
2020-05-28 14:04:15.396044 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2020-05-28 14:04:15.399198 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2020-05-28 14:04:15.399249 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2020-05-28 14:04:15.399269 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2020-05-28 14:04:15.399288 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2020-05-28 14:04:15.399528 TCP/UDP: Preserving recently used remote address: [AF_INET]78.56.57.142:1194
2020-05-28 14:04:15.399583 Socket Buffers: R=[196724->196724] S=[9216->9216]
2020-05-28 14:04:15.399602 UDP link local: (not bound)
2020-05-28 14:04:15.399619 UDP link remote: [AF_INET]xxxxxxxx:1194
2020-05-28 14:04:15.399653 MANAGEMENT: >STATE:1590663855,WAIT,,,,,,
2020-05-28 14:04:15.427445 MANAGEMENT: >STATE:1590663855,AUTH,,,,,,
2020-05-28 14:04:15.427502 TLS: Initial packet from [AF_INET]xxxxxxxx:1194, sid=a1345435 07e4c969
2020-05-28 14:04:15.562499 VERIFY OK: depth=1, CN=xxxxxx
2020-05-28 14:04:15.562896 VERIFY KU OK
2020-05-28 14:04:15.562920 Validating certificate extended key usage
2020-05-28 14:04:15.562936 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2020-05-28 14:04:15.562950 VERIFY EKU OK
2020-05-28 14:04:15.562963 VERIFY OK: depth=0, CN=xxxxx
2020-05-28 14:04:15.623527 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1541', remote='link-mtu 1542'
2020-05-28 14:04:15.623744 WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
2020-05-28 14:04:15.623969 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, 2048 bit RSA
2020-05-28 14:04:15.624057 [xxxxxx] Peer Connection Initiated with [AF_INET]78.56.57.142:1194
2020-05-28 14:04:16.634638 MANAGEMENT: >STATE:1590663856,GET_CONFIG,,,,,,
2020-05-28 14:04:16.634777 SENT CONTROL [xxxxxx]: 'PUSH_REQUEST' (status=1)
2020-05-28 14:04:16.728624 PUSH: Received control message: 'PUSH_REPLY,route 192.168.2.0 255.255.255.0,route 192.168.7.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 192.168.7.14 192.168.7.13,peer-id 0,cipher AES-256-GCM'
2020-05-28 14:04:16.728731 OPTIONS IMPORT: timers and/or timeouts modified
2020-05-28 14:04:16.728750 OPTIONS IMPORT: --ifconfig/up options modified
2020-05-28 14:04:16.728764 OPTIONS IMPORT: route options modified
2020-05-28 14:04:16.728777 OPTIONS IMPORT: peer-id set
2020-05-28 14:04:16.728791 OPTIONS IMPORT: adjusting link_mtu to 1624
2020-05-28 14:04:16.728803 OPTIONS IMPORT: data channel crypto options modified
2020-05-28 14:04:16.728817 Data Channel: using negotiated cipher 'AES-256-GCM'
2020-05-28 14:04:16.728937 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2020-05-28 14:04:16.728958 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2020-05-28 14:04:16.729290 Opening utun (connect(AF_SYS_CONTROL)): Resource busy (errno=16)
2020-05-28 14:04:16.729433 Opened utun device utun1
2020-05-28 14:04:16.729475 MANAGEMENT: >STATE:1590663856,ASSIGN_IP,,192.168.7.14,,,,
2020-05-28 14:04:16.729500 /sbin/ifconfig utun1 delete
                           ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address
2020-05-28 14:04:16.735216 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
2020-05-28 14:04:16.735326 /sbin/ifconfig utun1 192.168.7.14 192.168.7.13 mtu 1500 netmask 255.255.255.255 up
2020-05-28 14:04:16.739497 MANAGEMENT: >STATE:1590663856,ADD_ROUTES,,,,,,
2020-05-28 14:04:16.739555 /sbin/route add -net 192.168.2.0 192.168.7.13 255.255.255.0
                           add net 192.168.2.0: gateway 192.168.7.13
2020-05-28 14:04:16.744828 /sbin/route add -net 192.168.7.0 192.168.7.13 255.255.255.0
                           add net 192.168.7.0: gateway 192.168.7.13
                           14:04:16 *Tunnelblick:  **********************************************
                           14:04:16 *Tunnelblick:  Start of output from client.up.tunnelblick.sh
                           14:04:18 *Tunnelblick:  NOTE: No network configuration changes need to be made.
                           14:04:18 *Tunnelblick:  WARNING: Will NOT monitor for other network configuration changes.
                           14:04:18 *Tunnelblick:  WARNING: Will NOT disable IPv6 settings.
                           14:04:18 *Tunnelblick:  DNS servers '8.8.8.8 8.8.4.4' were set manually
                           14:04:18 *Tunnelblick:  DNS servers '8.8.8.8 8.8.4.4' will be used for DNS queries when the VPN is active
                           14:04:19 *Tunnelblick:  The DNS servers include only free public DNS servers known to Tunnelblick.
                           14:04:19 *Tunnelblick:  Flushed the DNS cache via dscacheutil
                           14:04:19 *Tunnelblick:  /usr/sbin/discoveryutil not present. Not flushing the DNS cache via discoveryutil
                           14:04:19 *Tunnelblick:  Notified mDNSResponder that the DNS cache was flushed
                           14:04:19 *Tunnelblick:  Not notifying mDNSResponderHelper that the DNS cache was flushed because it is not running
                           14:04:19 *Tunnelblick:  End of output from client.up.tunnelblick.sh
                           14:04:19 *Tunnelblick:  **********************************************
2020-05-28 14:04:19.120971 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2020-05-28 14:04:19.121041 Initialization Sequence Completed
2020-05-28 14:04:19.121107 MANAGEMENT: >STATE:1590663859,CONNECTED,SUCCESS,192.168.7.14,xxxxxxx,1194,,
2020-05-28 14:04:19.332907 *Tunnelblick: Warning: DNS server Address 8.8.4.4 is a known public DNS server but is not being routed through the VPN
2020-05-28 14:04:19.438815 *Tunnelblick: Warning: DNS server Address 8.8.8.8 is a known public DNS server but is not being routed through the VPN
2020-05-28 14:04:25.806495 *Tunnelblick: This computer's apparent public IP address (xxxxxxxx) was unchanged after the connection was made

Have you configured interface in /etc/config/network, and zone in /etc/config/firewall?

P.S. Please use the </> tag for code and output, for example:
2020-05-28 14:04:25.806495 *Tunnelblick: This computer's apparent public IP address (xxxxxxxx) was unchanged after the connection was made

Hello, here is the OpenVPN server firewall and network config:

uci show firewall
firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.lan=zone
firewall.lan.name='lan'
firewall.lan.input='ACCEPT'
firewall.lan.output='ACCEPT'
firewall.lan.forward='ACCEPT'
firewall.lan.network='lan VPN'
firewall.lan.device='tun0'
firewall.lan.masq='1'
firewall.wan=zone
firewall.wan.name='wan'
firewall.wan.network='wan' 'wan6'
firewall.wan.input='REJECT'
firewall.wan.output='ACCEPT'
firewall.wan.forward='REJECT'
firewall.wan.mtu_fix='1'
firewall.wan.masq='1'
firewall.lan_wan=forwarding
firewall.lan_wan.src='lan'
firewall.lan_wan.dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.@zone[2]=zone
firewall.@zone[2].name='VPN'
firewall.@zone[2].input='ACCEPT'
firewall.@zone[2].output='ACCEPT'
firewall.@zone[2].forward='ACCEPT'
firewall.@zone[2].masq='1'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].dest='lan'
firewall.@forwarding[1].src='VPN'
firewall.@forwarding[2]=forwarding
firewall.@forwarding[2].dest='VPN'
firewall.@forwarding[2].src='lan'
firewall.ovpn=rule
firewall.ovpn.name='Allow-OpenVPN'
firewall.ovpn.src='wan'
firewall.ovpn.dest_port='1194'
firewall.ovpn.proto='udp'
firewall.ovpn.target='ACCEPT'
firewall.@rule[10]=rule
firewall.@rule[10].dest_port='80'
firewall.@rule[10].src='VPN'
firewall.@rule[10].name='allow luci'
firewall.@rule[10].target='ACCEPT'
firewall.@rule[10].src_port='80'
firewall.@rule[11]=rule
firewall.@rule[11].dest_port='22'
firewall.@rule[11].src='VPN'
firewall.@rule[11].name='allow ssh'
firewall.@rule[11].target='ACCEPT'
firewall.@rule[11].src_port='22'

Here is network config:

network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fddd:5b84:13da::/48'
network.lan=interface
network.lan.type='bridge'
network.lan.ifname='eth0.1'
network.lan.proto='static'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.lan.ipaddr='192.168.2.1'
network.wan=interface
network.wan.ifname='eth0.2'
network.wan.proto='dhcp'
network.wan6=interface
network.wan6.ifname='eth0.2'
network.wan6.proto='dhcpv6'
network.@switch[0]=switch
network.@switch[0].name='switch0'
network.@switch[0].reset='1'
network.@switch[0].enable_vlan='1'
network.@switch_vlan[0]=switch_vlan
network.@switch_vlan[0].device='switch0'
network.@switch_vlan[0].vlan='1'
network.@switch_vlan[0].ports='2 3 4 5 0t'
network.@switch_vlan[1]=switch_vlan
network.@switch_vlan[1].device='switch0'
network.@switch_vlan[1].vlan='2'
network.@switch_vlan[1].ports='1 0t'
network.VPN=interface
network.VPN.ifname='tun0'
network.VPN.proto='none'
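As an added example (not from the original posts or from OpenWrt) of the zone check the replies below ask for, here is a Python audit that parses `uci show firewall` and `uci show network` output, works out which zone each interface ends up in, and reports zones that match nothing, interfaces in several zones or in none, and masquerading on zones other than wan. The sample data is a constructed excerpt of the configs posted above; mapping a zone's `device` entry back to an interface by `ifname` is a reporting convenience of this script, not how fw3 itself matches devices.

```python
"""Zone-membership audit for OpenWrt `uci show firewall` / `uci show network`.

Added example, not from the original thread; the samples below are a
constructed excerpt of the posted configs.
"""
import re

# Constructed sample: the zone-related lines from the posted firewall config.
FIREWALL_UCI = """\
firewall.lan=zone
firewall.lan.name='lan'
firewall.lan.forward='ACCEPT'
firewall.lan.network='lan VPN'
firewall.lan.device='tun0'
firewall.lan.masq='1'
firewall.wan=zone
firewall.wan.name='wan'
firewall.wan.network='wan' 'wan6'
firewall.wan.masq='1'
firewall.@zone[2]=zone
firewall.@zone[2].name='VPN'
firewall.@zone[2].forward='ACCEPT'
firewall.@zone[2].masq='1'
"""

# Constructed sample: the interface lines from the posted network config.
NETWORK_UCI = """\
network.lan=interface
network.lan.ifname='eth0.1'
network.wan=interface
network.wan.ifname='eth0.2'
network.wan6=interface
network.wan6.ifname='eth0.2'
network.VPN=interface
network.VPN.ifname='tun0'
network.VPN.proto='none'
"""


def parse_sections(text, config):
    """Group `uci show` lines by section: {section: {option: [values]}}.

    The section type ('zone', 'interface') is stored under '_type'. Both list
    forms are accepted: several quoted values, or one quoted space-separated
    string such as 'lan VPN'.
    """
    sections = {}
    for line in text.splitlines():
        m = re.match(rf"^{config}\.([^.=]+)(?:\.([^=]+))?=(.*)$", line.strip())
        if not m:
            continue
        sec, opt, raw = m.groups()
        entry = sections.setdefault(sec, {})
        if opt is None:
            entry["_type"] = raw
            continue
        values = re.findall(r"'([^']*)'", raw)
        entry.setdefault(opt, []).extend(v for val in values for v in val.split())
    return sections


def audit_zones(firewall_uci, network_uci):
    """Return a list of findings about zone membership (empty means clean)."""
    fw = parse_sections(firewall_uci, "firewall")
    net = parse_sections(network_uci, "network")
    interfaces = {s for s, o in net.items() if o.get("_type") == "interface"}
    zones = {o["name"][0]: o for o in fw.values() if o.get("_type") == "zone"}
    findings = []
    membership = {}  # interface name -> set of zone names covering it

    for zname, z in zones.items():
        members = set(z.get("network", []))
        # A bare 'device' entry is mapped to interfaces using that ifname
        # so that it shows up in the same membership table.
        for dev in z.get("device", []):
            members |= {i for i in interfaces if dev in net[i].get("ifname", [])}
        if not members:
            findings.append(f"zone '{zname}' has no network or device; it matches nothing")
        for m in members:
            membership.setdefault(m, set()).add(zname)
            if m not in interfaces:
                findings.append(f"zone '{zname}' references unknown interface '{m}'")
        if z.get("masq", ["0"])[0] == "1" and zname != "wan":
            findings.append(f"zone '{zname}' masquerades; usually only wan needs masq='1'")

    for iface, zs in sorted(membership.items()):
        if len(zs) > 1:
            findings.append(f"interface '{iface}' is in several zones: {sorted(zs)}")
    for iface in sorted(interfaces - membership.keys()):
        if iface != "loopback":
            findings.append(f"interface '{iface}' belongs to no zone")
    return findings


if __name__ == "__main__":
    for finding in audit_zones(FIREWALL_UCI, NETWORK_UCI) or ["ok"]:
        print(finding)
```

On the posted excerpt the audit reports that the VPN zone covers nothing (the tun0 interface is pulled into the lan zone instead) and that lan and VPN both masquerade; moving the `VPN` interface into its own zone and dropping the extra `masq` options makes it come back clean.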

I don't like reading the output of uci show, unlike @trendy.
Make separate zone for tun interface, don't mix it with lan. Why have you set lan.masq=1? Where have you seen example with device in /etc/config/firewall?

Not sure what actually you are asking me to change here?

I recommend you start from scratch and do it by editing the corresponding files. You should:

  1. Create interface in /etc/config/network
  2. Create zone in /etc/config/firewall, add corresponding forwardings.

Does the mobile device have a route to 192.168.8.0/24 yet? If not then changing the network interface or firewall zone isn't going to solve it.

The problem is not in the routes now; it is in the basic network and firewall configuration.

Except none of the output he's posted demonstrates the route has been added.

I have added push "route 192.168.8.0 255.255.255.0" to mobile client ccd file, but there is no result. Please see client connection log:

2020-05-28 15:20:38 1
2020-05-28 15:20:38 ----- OpenVPN Start -----
OpenVPN core 3.git::f225fcd0 ios arm64 64-bit PT_PROXY built on Mar  5 2020 13:46:31
2020-05-28 15:20:38 OpenVPN core 3.git::f225fcd0 ios arm64 64-bit PT_PROXY built on Mar  5 2020 13:46:31
2020-05-28 15:20:38 Frame=512/2048/512 mssfix-ctrl=1250
2020-05-28 15:20:38 UNUSED OPTIONS
5 [nobind] 
6 [resolv-retry] [infinite] 
7 [persist-key] 
8 [persist-tun] 

2020-05-28 15:20:38 EVENT: RESOLVE
2020-05-28 15:20:38 Contacting [xxxxxxx]:1194/UDP via UDP
2020-05-28 15:20:38 EVENT: WAIT
2020-05-28 15:20:38 Connecting to [xxxxxxx]:1194 (78.56.57.142) via UDPv4
2020-05-28 15:20:39 EVENT: CONNECTING
2020-05-28 15:20:39 Tunnel Options:V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client
2020-05-28 15:20:39 Creds: UsernameEmpty/PasswordEmpty
2020-05-28 15:20:39 Peer Info:
IV_GUI_VER=net.openvpn.connect.ios 3.1.2-3096
IV_VER=3.git::f225fcd0
IV_PLAT=ios
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2
IV_AUTO_SESS=1
IV_BS64DL=1

2020-05-28 15:20:39 VERIFY OK : depth=0
cert. version     : 3
serial number     : E3:39:3A:74:C3:C7:9B:08:D5:9B:AE:5A:7A:5A:17:B5
issuer name       : CN=xxxx
subject name      : CN=xxxxx
issued  on        : 2020-05-21 18:08:41
expires on        : 2023-05-06 18:08:41
signed using      : RSA with SHA-256
RSA key size      : 2048 bits
basic constraints : CA=false
subject alt name  : xxxxxx
key usage         : Digital Signature, Key Encipherment
ext key usage     : TLS Web Server Authentication

2020-05-28 15:20:39 SSL Handshake: TLSv1.2/TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
2020-05-28 15:20:39 Session is ACTIVE
2020-05-28 15:20:39 EVENT: GET_CONFIG
2020-05-28 15:20:39 Sending PUSH_REQUEST to server...
2020-05-28 15:20:39 OPTIONS:
0 [route] [192.168.2.0] [255.255.255.0] 
1 [route] [192.168.7.0] [255.255.255.0] 
2 [topology] [net30] 
3 [ping] [10] 
4 [ping-restart] [120] 
5 [route] [192.168.8.0] [255.255.255.0] 
6 [ifconfig] [192.168.7.10] [192.168.7.9] 
7 [peer-id] [0] 
8 [cipher] [AES-256-GCM] 

2020-05-28 15:20:39 PROTOCOL OPTIONS:
  cipher: AES-256-GCM
  digest: SHA1
  compress: NONE
  peer ID: 0
2020-05-28 15:20:39 EVENT: ASSIGN_IP
2020-05-28 15:20:39 NIP: preparing TUN network settings
2020-05-28 15:20:39 NIP: init TUN network settings with endpoint: xxxxxx
2020-05-28 15:20:39 NIP: adding IPv4 address to network settings 192.168.7.10/255.255.255.252
2020-05-28 15:20:39 NIP: adding (included) IPv4 route 192.168.7.8/30
2020-05-28 15:20:39 NIP: adding (included) IPv4 route 192.168.2.0/24
2020-05-28 15:20:39 NIP: adding (included) IPv4 route 192.168.7.0/24
2020-05-28 15:20:39 NIP: adding (included) IPv4 route 192.168.8.0/24
2020-05-28 15:20:39 Connected via NetworkExtensionTUN
2020-05-28 15:20:39 EVENT: CONNECTED xxxxxxxx:1194 (xxxxxxxx) via /UDPv4 on NetworkExtensionTUN/192.168.7.10/ gw=[/]

Client to client option must be set in the VPN server for two clients to link to each other. That occurs entirely within OpenVPN, the firewall and routing of the machine running OpenVPN server is not involved.

Also as everyone else said, the mobile has to have a route to 192.168.8.0/24 via the VPN server as gateway 192.168.7.13.

It's done exactly, but the mobile client cannot access any site-to-site LANs.

I have followed the instructions in https://openwrt.org/docs/guide-user/services/vpn/openvpn/basic
Still not sure where my mistake is.