Can't connect to internet with OpenVPN client

I have an OpenVPN (PiVPN) server set up at a remote site, and I would like to connect to it from my OpenWrt router (a Raspberry Pi 4).
The eventual use case would be to make a TV route through the remote site.

Unfortunately, I'm stuck at the first hurdle. I'm initially just trying to get OpenVPN working for the whole network (before worrying about VPN policy routing) by following the OpenVPN client instructions here: https://openwrt.org/docs/guide-user/services/vpn/openvpn/client-luci

However, all I get is `traceroute: bad address 'openwrt.org'`, and I cannot access the internet at all. (I can still access my LAN.)

The system log shows connection to the server and agreement on protocols etc.

I'm using a client configuration file generated on the server for the OpenVPN settings; the same file works when tested on a Windows client.

Any hints on what I can do to troubleshoot this would be really appreciated. Many thanks!

One thing to note, which I may have messed up: the remote site is on 192.168.1.1, the same as my home network. Does that complicate things, or make it impossible?

OpenVPN conf

# OpenVPN client profile, generated on the PiVPN server (per the post).
# Secrets are redacted here; the real file holds a private key and a static key.

# Act as a TLS client and pull options (routes, DNS, cipher) from the server.
client
# Routed layer-3 tunnel device.
dev tun
proto udp
# Server address and UDP port.
remote <REDACTED> 4250
# Keep retrying name resolution of the server instead of giving up; the system
# log on this page shows one failed RESOLVE attempt before the link comes up.
resolv-retry infinite
# Do not bind to a fixed local port.
nobind
# Require the peer certificate to carry server key usage / extended key usage
# (logged as "VERIFY KU OK" and "VERIFY EKU OK").
remote-cert-tls server
# Refuse control-channel TLS below 1.2 (the log shows TLSv1.3 negotiated).
tls-version-min 1.2
# Pin the expected name of the server certificate (logged as "VERIFY X509NAME OK").
verify-x509-name <REDACTED> name
# Legacy data-channel cipher setting. The 2.5.3 client in the log ends up on the
# negotiated 'AES-256-GCM' instead; OpenVPN 2.5 sets the negotiation list with
# data-ciphers.
cipher AES-256-CBC
# HMAC digest for data-channel packets when a non-AEAD cipher such as the CBC
# one above is in use.
auth SHA256
# Do not keep passwords cached in memory.
auth-nocache
verb 3
# NOTE(review): options pushed by the server are not visible in this file. The
# log shows 'redirect-gateway def1' and 'dhcp-option DNS 10.8.0.1' being pushed,
# and the Windows-only 'block-outside-dns' rejected with an options error. On
# non-Windows clients a pushed DNS server is only handed to the up script, so
# confirm how (or whether) the router's resolver picks it up.

# CA certificate used to verify the server certificate chain.
<ca>
-----BEGIN CERTIFICATE-----
<REDACTED>
-----END CERTIFICATE-----
</ca>
# Client certificate presented to the server.
<cert>
-----BEGIN CERTIFICATE-----
<REDACTED>
-----END CERTIFICATE-----
</cert>
# Client private key: a secret. Restrict read access to this file on the router
# and keep it redacted when posting.
<key>
-----BEGIN PRIVATE KEY-----
<REDACTED>
-----END PRIVATE KEY-----
</key>
# Static key for tls-crypt (control-channel encryption and authentication).
# Shared between server and clients, so it is a secret as well.
<tls-crypt>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
<REDACTED>
-----END OpenVPN Static key V1-----
</tls-crypt>

/etc/config/network

# Loopback interface.
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

# IPv6 ULA prefix for the local network (redacted).
config globals 'globals'
	option ula_prefix '<REDACTED>'

# LAN bridge with eth0 as its only port.
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

# LAN: router address 192.168.1.1 with a /24 netmask.
# NOTE(review): the post says the remote site also uses 192.168.1.1. If both
# sides use the same /24, remote LAN hosts cannot be told apart from local ones
# by address; confirm the remote subnet before adding policy routing.
config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

# Upstream link: DHCP client on eth1.
# NOTE(review): this section is named 'WAN' in upper case, while
# /etc/config/dhcp on this page refers to interface 'wan' in lower case;
# confirm that the two are meant to be the same interface.
config interface 'WAN'
	option proto 'dhcp'
	option device 'eth1'

# WireGuard interface listening on UDP 51820, tunnel address 192.168.9.1/24.
# private_key is a secret and is correctly redacted.
config interface 'wg0'
	option proto 'wireguard'
	option private_key '<REDACTED>'
	option listen_port '51820'
	list addresses '192.168.9.1/24'

# WireGuard peer 'A21s': limited to the single address 192.168.9.2/32.
config wireguard_wg0 'wgclient'
	option description 'A21s'
	option route_allowed_ips '1'
	option public_key '<REDACTED>'
	list allowed_ips '192.168.9.2/32'

# WireGuard peer 'legion': limited to the single address 192.168.9.3/32.
config wireguard_wg0
	option description 'legion'
	option route_allowed_ips '1'
	option public_key '<REDACTED>'
	list allowed_ips '192.168.9.3/32'

# Unmanaged (proto 'none') interface wrapping the OpenVPN device, so that tun0
# can be placed in a firewall zone. Addresses and routes are added by OpenVPN
# itself (see the net_addr_v4_add / net_route_v4_add lines in the system log).
config interface 'tun0'
	option device 'tun0'
	option proto 'none'
	option defaultroute '0'

/etc/config/firewall



# Global default policies; forwarding is rejected unless a zone or forwarding
# section allows it.
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

# Trusted LAN zone: everything accepted.
config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

# Untrusted zone: inbound and forwarded traffic rejected, outbound traffic
# masqueraded. It contains both the ISP link (WAN) and the OpenVPN tunnel (tun0).
# NOTE(review): because tun0 shares this zone, every rule with src 'wan' in this
# file also applies to traffic arriving over the tunnel. A separate zone for
# tun0 would allow a different policy for the VPN than for the ISP link.
config zone 'wan'
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'WAN'
	list network 'tun0'

# LAN clients may forward out of the wan zone.
# NOTE(review): this covers both member networks, so LAN traffic can leave via
# the ISP link whenever the tunnel routes are absent. If a device must only
# ever exit through the VPN, that needs its own zone and forwarding.
config forwarding 'lan_wan'
	option src 'lan'
	option dest 'wan'

# Input rules for the wan zone. As tun0 is a member of that zone, they apply to
# traffic arriving over the VPN tunnel as well as to the ISP link.

# Accept DHCP replies to the router's own DHCP client (UDP port 68).
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

# Answer IPv4 ping on the router from the wan zone.
config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

# Accept IGMP from the wan zone.
config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

# Accept DHCPv6 replies (UDP port 546) within fc00::/6.
config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

# Accept the listed ICMPv6 types (130, 131, 132, 143) from link-local sources.
config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

# Accept the listed ICMPv6 types addressed to the router, rate-limited to
# 1000 packets per second.
config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# Forward the listed ICMPv6 types from the wan zone to any zone, with the same
# rate limit.
config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# Forward ESP from the wan zone into the LAN.
# NOTE(review): only needed if a LAN host terminates IPsec; nothing on this
# page suggests one does, so this rule and Allow-ISAKMP below may be removable.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

# Forward IKE (UDP port 500) from the wan zone into the LAN.
config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# Disabled (enabled '0'): would reject UDP 33434-33689 from the wan zone.
config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled '0'

# Load additional custom rules from /etc/firewall.user (contents not shown on
# this page).
config include
	option path '/etc/firewall.user'

# Open the WireGuard listen port (UDP 51820) on the wan zone. Since tun0 is a
# member of that zone, the port is reachable from the OpenVPN side as well.
config rule 'wg'
	option name 'Allow-WireGuard'
	option src 'wan'
	option dest_port '51820'
	option proto 'udp'
	option target 'ACCEPT'

# Zone for WireGuard peers: they may reach services on the router itself
# (input ACCEPT); forwarding is dropped except where allowed below.
config zone
	option name 'wg'
	option input 'ACCEPT'
	option output 'ACCEPT'
	list network 'wg0'
	option forward 'DROP'

# WireGuard peers may reach the LAN.
config forwarding
	option src 'wg'
	option dest 'lan'

# WireGuard peers may leave through the wan zone, which here includes both the
# ISP link and the OpenVPN tunnel.
config forwarding
	option src 'wg'
	option dest 'wan'

/etc/config/dhcp


# dnsmasq: DNS forwarder and DHCP server for the LAN.
# rebind_protection discards upstream answers that point into private address
# ranges; localservice restricts DNS service to clients on local subnets.
# NOTE(review): upstream resolvers come from the resolvfile below, whose
# contents are not shown. Nothing in this file points dnsmasq at the DNS server
# pushed by the VPN (10.8.0.1 in the system log); confirm which resolvers are
# in use, and whether they are reachable, once the tunnel is up.
config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'

# DHCP pool on the LAN: 150 addresses starting at offset 100, 12-hour leases,
# plus DHCPv6 and router advertisements in server mode.
config dhcp 'lan'
	option interface 'lan'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option start '100'
	option limit '150'
	option force '1'

# No DHCP service on the upstream interface.
# NOTE(review): the network config on this page names that interface 'WAN'
# (upper case); confirm this section actually matches it.
config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

# Static lease and local DNS name for 'a21s'.
config host
	option name 'a21s'
	option dns '1'
	option mac '<REDACTED>'
	option ip '192.168.1.185'

# Static lease and local DNS name for 'legion-linux'.
config host
	option name 'legion-linux'
	option dns '1'
	option mac '<REDACTED>'
	option ip '192.168.1.172'

Version

{
  "kernel": "5.4.154",
  "hostname": "OpenWrt",
  "system": "ARMv8 Processor rev 3",
  "model": "Raspberry Pi 4 Model B Rev 1.4",
  "board_name": "raspberrypi,4-model-b",
  "release": {
    "distribution": "OpenWrt",
    "version": "21.02.1",
    "revision": "r16325-88151b8303",
    "target": "bcm27xx/bcm2711",
    "description": "OpenWrt 21.02.1 r16325-88151b8303"
  }
}

System log

Thu Dec 23 00:38:20 2021 daemon.err openvpn(elBollo)[1958]: RESOLVE: Cannot resolve host address: <Sever domain redacted>:4250 (Try again)
Thu Dec 23 00:38:20 2021 daemon.notice openvpn(elBollo)[1958]: Socket Buffers: R=[212992->212992] S=[212992->212992]
Thu Dec 23 00:38:20 2021 daemon.notice openvpn(elBollo)[1958]: UDP link local: (not bound)
Thu Dec 23 00:38:20 2021 daemon.notice openvpn(elBollo)[1958]: UDP link remote: [AF_INET]<VPN server redacted>:4250
Thu Dec 23 00:38:20 2021 daemon.notice openvpn(elBollo)[1958]: TLS: Initial packet from [AF_INET]<VPN server redacted>:4250, sid=<unsure redacted>
Thu Dec 23 00:38:20 2021 daemon.notice openvpn(elBollo)[1958]: VERIFY OK: depth=1, CN=ChangeMe
Thu Dec 23 00:38:20 2021 daemon.notice openvpn(elBollo)[1958]: VERIFY KU OK
Thu Dec 23 00:38:20 2021 daemon.notice openvpn(elBollo)[1958]: Validating certificate extended key usage
Thu Dec 23 00:38:20 2021 daemon.notice openvpn(elBollo)[1958]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Thu Dec 23 00:38:20 2021 daemon.notice openvpn(elBollo)[1958]: VERIFY EKU OK
Thu Dec 23 00:38:20 2021 daemon.notice openvpn(elBollo)[1958]: VERIFY X509NAME OK: CN=<Sever name redacted>
Thu Dec 23 00:38:20 2021 daemon.notice openvpn(elBollo)[1958]: VERIFY OK: depth=0, CN=<Sever name redacted>
Thu Dec 23 00:38:20 2021 daemon.notice openvpn(elBollo)[1958]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 256 bit EC, curve prime256v1, signature: ecdsa-with-SHA256
Thu Dec 23 00:38:20 2021 daemon.notice openvpn(elBollo)[1958]: [<Sever name redacted>] Peer Connection Initiated with [AF_INET]<VPN server redacted>:4250
Thu Dec 23 00:40:05 2021 daemon.notice openvpn(elBollo)[1958]: SENT CONTROL [<Sever name redacted>]: 'PUSH_REQUEST' (status=1)
Thu Dec 23 00:40:05 2021 daemon.notice openvpn(elBollo)[1958]: PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 10.8.0.1,block-outside-dns,redirect-gateway def1,route-gateway 10.8.0.1,topology subnet,ping 15,ping-restart 120,ifconfig 10.8.0.7 255.255.255.0,peer-id 0,cipher AES-256-GCM'
Thu Dec 23 00:40:05 2021 daemon.err openvpn(elBollo)[1958]: Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:2: block-outside-dns (2.5.3)
Thu Dec 23 00:40:05 2021 daemon.notice openvpn(elBollo)[1958]: OPTIONS IMPORT: timers and/or timeouts modified
Thu Dec 23 00:40:05 2021 daemon.notice openvpn(elBollo)[1958]: OPTIONS IMPORT: --ifconfig/up options modified
Thu Dec 23 00:40:05 2021 daemon.notice openvpn(elBollo)[1958]: OPTIONS IMPORT: route options modified
Thu Dec 23 00:40:05 2021 daemon.notice openvpn(elBollo)[1958]: OPTIONS IMPORT: route-related options modified
Thu Dec 23 00:40:05 2021 daemon.notice openvpn(elBollo)[1958]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Thu Dec 23 00:40:05 2021 daemon.notice openvpn(elBollo)[1958]: OPTIONS IMPORT: peer-id set
Thu Dec 23 00:40:05 2021 daemon.notice openvpn(elBollo)[1958]: OPTIONS IMPORT: adjusting link_mtu to 1624
Thu Dec 23 00:40:05 2021 daemon.notice openvpn(elBollo)[1958]: OPTIONS IMPORT: data channel crypto options modified
Thu Dec 23 00:40:05 2021 daemon.notice openvpn(elBollo)[1958]: Data Channel: using negotiated cipher 'AES-256-GCM'
Thu Dec 23 00:40:05 2021 daemon.notice openvpn(elBollo)[1958]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Dec 23 00:40:05 2021 daemon.notice openvpn(elBollo)[1958]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Dec 23 00:40:05 2021 daemon.notice openvpn(elBollo)[1958]: net_route_v4_best_gw query: dst 0.0.0.0
Thu Dec 23 00:40:05 2021 daemon.notice openvpn(elBollo)[1958]: net_route_v4_best_gw result: via <ISP gateway redacted> dev eth1
Thu Dec 23 00:40:05 2021 daemon.notice openvpn(elBollo)[1958]: TUN/TAP device tun0 opened
Thu Dec 23 00:40:05 2021 daemon.notice openvpn(elBollo)[1958]: net_iface_mtu_set: mtu 1500 for tun0
Thu Dec 23 00:40:05 2021 daemon.notice openvpn(elBollo)[1958]: net_iface_up: set tun0 up
Thu Dec 23 00:40:05 2021 daemon.notice netifd: Network device 'tun0' link is up
Thu Dec 23 00:40:05 2021 daemon.notice netifd: Interface 'tun0' has link connectivity
Thu Dec 23 00:40:05 2021 daemon.notice openvpn(elBollo)[1958]: net_addr_v4_add: 10.8.0.7/24 dev tun0
Thu Dec 23 00:40:05 2021 daemon.notice openvpn(elBollo)[1958]: /usr/libexec/openvpn-hotplug up elBollo tun0 1500 1552 10.8.0.7 255.255.255.0 init
Thu Dec 23 00:40:05 2021 daemon.notice openvpn(elBollo)[1958]: net_route_v4_add: <VPN server redacted>/32 via <ISP gateway redacted> dev [NULL] table 0 metric -1
Thu Dec 23 00:40:05 2021 daemon.notice openvpn(elBollo)[1958]: net_route_v4_add: 0.0.0.0/1 via 10.8.0.1 dev [NULL] table 0 metric -1
Thu Dec 23 00:40:05 2021 daemon.notice openvpn(elBollo)[1958]: net_route_v4_add: 128.0.0.0/1 via 10.8.0.1 dev [NULL] table 0 metric -1
Thu Dec 23 00:40:05 2021 daemon.notice openvpn(elBollo)[1958]: Initialization Sequence Completed
Thu Dec 23 00:40:17 2021 daemon.info dnsmasq-dhcp[2479]: DHCPDISCOVER(br-lan) <? MAC  redacted>
Thu Dec 23 00:40:17 2021 daemon.info dnsmasq-dhcp[2479]: DHCPOFFER(br-lan) 192.168.1.101 <? MAC  redacted>
Thu Dec 23 00:40:17 2021 daemon.info dnsmasq-dhcp[2479]: DHCPREQUEST(br-lan) 192.168.1.101 <? MAC  redacted>
Thu Dec 23 00:40:17 2021 daemon.info dnsmasq-dhcp[2479]: DHCPACK(br-lan) 192.168.1.101 <? MAC  redacted>
Thu Dec 23 00:40:18 2021 daemon.info dnsmasq[2479]: read /etc/hosts - 4 addresses
Thu Dec 23 00:40:18 2021 daemon.info dnsmasq[2479]: read /tmp/hosts/odhcpd - 1 addresses
Thu Dec 23 00:40:18 2021 daemon.info dnsmasq[2479]: read /tmp/hosts/dhcp.cfg01411c - 4 addresses
Thu Dec 23 00:40:18 2021 daemon.info dnsmasq-dhcp[2479]: read /etc/ethers - 0 addresses
Thu Dec 23 00:40:18 2021 daemon.info dnsmasq[2479]: read /etc/hosts - 4 addresses
Thu Dec 23 00:40:18 2021 daemon.info dnsmasq[2479]: read /tmp/hosts/odhcpd - 1 addresses
Thu Dec 23 00:40:18 2021 daemon.info dnsmasq[2479]: read /tmp/hosts/dhcp.cfg01411c - 4 addresses
Thu Dec 23 00:40:18 2021 daemon.info dnsmasq-dhcp[2479]: read /etc/ethers - 0 addresses