Client connected to OpenWrt openVPN server can't see LAN clients

Hello all,
I've set up my Archer C7 as an openvpn server following this tutorial: https://openwrt.org/docs/guide-user/services/vpn/openvpn/server.setup

When finished, I was able to establish a connection from a remote location, and even ssh in to my router using its LAN IP (10.233.1.1). Unfortunately, though, I can't directly access anything else on my LAN from the VPN. I've gone through a bunch of threads on the forum that seemed similar and tried a number of options, but none of them have worked, and I think I must have something fundamentally set up wrong.

My goal is to create a class-C VPN in the 10.234.1.x range which connects back to my LAN, which is on the 10.233.1.x range. It's not necessary for clients to be able to reach the WAN via the VPN (maybe in the future as an optional thing, but my main goal right now is just to be able to access devices on my home network remotely via the VPN). Aside from OpenVPN, the only other non-vanilla services I have installed are adblock and dyndns.

config/network:

# /etc/config/network (first attempt). The LAN is 10.233.1.0/24 on the
# eth1.1 bridge; the OpenVPN tun device ovpns0 is attached through the
# 'vpnserver' interface so the firewall can place it in its own zone.
config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd36:67d5:f338::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth1.1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '10.233.1.1'
        # Upstream resolvers for the router itself; VPN clients are pointed
        # at the router (10.233.1.1) by the OpenVPN server's DNS push.
        option dns '1.1.1.1 75.75.75.75'

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'dhcp'
        option hostname 'router'
        option type 'bridge'

config interface 'wan6'
        option ifname 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '2 3 4 5 0t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '1 6t'

# Unmanaged (proto none) holder for the OpenVPN tun device. eth1.1 is
# already the member port of the 'lan' bridge above; listing it here as
# well claims the same port for two interfaces. The answer in this thread
# drops eth1.1 so that only ovpns0 remains.
config interface 'vpnserver'
        option proto 'none'
        option auto '1'
        option ifname 'eth1.1 ovpns0'

config/firewall:

# /etc/config/firewall (first attempt). Everything down to Allow-ISAKMP is
# OpenWrt's stock rule set for the wan zone and is unrelated to the VPN;
# the VPN-specific rule, zone and forwardings are at the end of the file.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

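# Stock OpenWrt default: accept a rate-limited set of ICMPv6 types arriving
# on the wan zone. The four neighbour-discovery entries are
# 'router-solicitation', 'neighbour-solicitation', 'router-advertisement'
# and 'neighbour-advertisement'. The first paste in this thread showed two
# of them as '-solicitation' / '-advertisement' — the word "router" was
# evidently stripped when the post was anonymised (the reposted copy of the
# same file has the full names) — which is not a valid fw3 ICMP type name.
# The full names are restored here.
config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        # Cap the accepted rate so the router cannot be flooded through
        # these permitted types.
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'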

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# Stock IPsec pass-through rules; not used by this OpenVPN setup.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# Traffic between zones is rejected unless a 'forwarding' stanza or an
# explicit rule allows it; input to the router itself is governed per zone.
config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

# masq on wan is what gives LAN hosts (and, with a forwarding, VPN clients)
# internet access; nothing from the internet is accepted without a rule.
config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

# /etc/firewall.user is not posted in this thread; any raw iptables rules
# in it are applied on top of everything shown here.
config include
        option path '/etc/firewall.user'

# adblock's DNS hijack: DNS leaving the lan zone is DNAT'd to the router.
# Only 'src lan' is matched, so queries arriving from the vpnserver zone are
# not intercepted; VPN clients presumably reach the router's resolver
# directly via the pushed DNS address 10.233.1.1 (confirm against dnsmasq).
config redirect 'adblock_dns_53'
        option name 'Adblock DNS, port 53'
        option src 'lan'
        option proto 'tcp udp'
        option src_dport '53'
        option dest_port '53'
        option target 'DNAT'

config redirect 'adblock_dns_853'
        option name 'Adblock DNS, port 853'
        option src 'lan'
        option proto 'tcp udp'
        option src_dport '853'
        option dest_port '853'
        option target 'DNAT'

config redirect 'adblock_dns_5353'
        option name 'Adblock DNS, port 5353'
        option src 'lan'
        option proto 'tcp udp'
        option src_dport '5353'
        option dest_port '5353'
        option target 'DNAT'


# Opens 1194 (tcp and udp) on the router from every zone ('*'). Only the
# wan zone needs this — lan and vpnserver already have input ACCEPT — so
# option src 'wan' would be the least-privilege form. The server is
# configured for UDP only, so 'udp' alone would also suffice.
config rule
        option name 'Allow-OpenVPN-Inbound'
        option target 'ACCEPT'
        option src '*'
        option proto 'tcpudp'
        option dest_port '1194'

# input ACCEPT gives VPN clients the same access to router services (ssh,
# LuCI, DNS) as LAN hosts. 'forward' here only governs traffic between
# networks inside this zone; LAN <-> VPN is decided by the forwardings
# below. masq rewrites the source of traffic leaving through ovpns0, i.e.
# the LAN -> VPN direction — it does nothing for VPN clients reaching the
# LAN and hides LAN source addresses from them; the answer removes it.
config zone
        option name 'vpnserver'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option network 'vpnserver'
        option forward 'ACCEPT'
        option masq '1'

# These two stanzas are what permit VPN <-> LAN traffic across zones. The
# first answer removes them; the final working config adds them back.
config forwarding
        option src 'vpnserver'
        option dest 'lan'

config forwarding
        option dest 'vpnserver'
        option src 'lan'

config/openvpn:

# /etc/config/openvpn, instance 'vpnserver' (first attempt). A routed (tun)
# server handing 10.234.1.0/24 to clients; the LAN behind the router is
# 10.233.1.0/24.
config openvpn 'vpnserver'
        option enabled '1'
        option dev_type 'tun'
        option dev 'ovpns0'
        option port '1194'
        option topology 'subnet'
        option tls_server '1'
        option mode 'server'
        # Client address pool; must not overlap the LAN (10.233.1.0/24).
        option server '10.234.1.0 255.255.255.0'
        # NOTE(review): compression inside a VPN leaks information about the
        # plaintext (VORACLE-class attacks); consider disabling it on both ends.
        option compress 'lzo'
        option keepalive '10 120'
        option persist_key '1'
        option persist_tun '1'
        option ca '/etc/openvpn/ca.crt'
        option cert '/etc/openvpn/my-server.crt'
        option key '/etc/openvpn/my-server.key'
        option dh '/etc/openvpn/dh2048.pem'
        # HMAC-protects the control channel; the client must use the
        # opposite direction (key-direction 1 in the client profile).
        option tls_auth '/etc/openvpn/tls-auth.key 0'
        # Lets VPN clients reach each other inside OpenVPN, bypassing the
        # router firewall; leave off unless client-to-client access is wanted.
        option client_to_client '1'
        # NOTE(review): no user/group option, so the daemon keeps root after
        # startup; OpenWrt's openvpn UCI accepts option user / option group
        # to drop privileges — confirm against the installed package version.
        option log '/tmp/openvpn.log'
        list push 'topology subnet'
        # Tells the client to take its gateway from DHCP — only meaningful
        # for a tap/bridged layout; removed by the answer in this thread.
        list push 'route-gateway dhcp'
        # The client already has a connected route for its own tun subnet
        # (see the client routing table below); the route that is actually
        # missing is the LAN, 10.233.1.0 255.255.255.0.
        list push 'route 10.234.1.0 255.255.255.0'
        list push 'dhcp-option DNS 10.233.1.1'
        list push 'compress lzo'
        list push 'persist-key'
        list push 'persist-tun'
        # Looks like the 'dhcp-option' prefix is missing; removed by the answer.
        list push 'DOMAIN lan'
        # Names a LAN address that is not on the tun link; removed by the answer.
        option route_gateway '10.233.1.1'
  

Here's what my client config currently looks like, though I've gone through lots of permutations of pushing routes from the server vs triggering them from the client:

# OpenVPN client profile (first attempt), with the PEM material redacted.
client
dev myhost-tun
dev-type tun

proto udp
remote myhost.net 1194
# NOTE(review): tunnel compression leaks plaintext information
# (VORACLE-class attacks); prefer disabling it together with the server's
# 'compress' option.
comp-lzo
resolv-retry infinite
nobind
persist-tun
persist-key
keepalive 10 60
fast-io

# route-nopull discards every pushed route and DHCP option (including the
# pushed DNS server); the two routes below re-add by hand what the server
# should be pushing. The answer in this thread removes all three lines.
route-nopull
route 10.234.1.0 255.255.255.0
route 10.233.1.0 255.255.255.0

# Require the server certificate to carry the TLS server purpose, so a
# leaked client certificate cannot be used to impersonate the server.
remote-cert-tls server
verb 3
# Opposite end of the server's 'tls_auth ... 0'.
key-direction 1

# Inline credentials. The <ca>/<cert>/<key>/<tls-auth> group appears twice
# below — presumably a paste artefact; keep a single copy (verify which one
# the client actually loads).
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<cert>
Certificate:
...
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
</key>
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-auth>

<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<cert>
Certificate:
...
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
</key>
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-auth>

And while I don't think it's a client-side routing problem, here's what my client routing table looks like after the VPN connection has been established:

default         172.a.b.c     0.0.0.0         UG    600    0        0 wlp3s0
10.234.1.0       *               255.255.255.0   U     0      0        0 myhost-tun
10.233.1.0      10.234.1.1       255.255.255.0   UG    0      0        0 myhost-tun
link-local      *               255.255.0.0     U     1000   0        0 g711-tun
172.20.10.0     *               255.255.255.240 U     600    0        0 wlp3s0

Among other things I've tried (based on other threads) is adding `option type 'bridge'` to the vpnserver network interface and bridging it to my eth1.1 interface. That seems like it should have been the right thing to do, but when I did it I was not only unable to reach the LAN, I was also unable to reach the router anymore (the VPN did still connect just fine; the packets simply didn't seem to go anywhere).

Any suggestions for what to try next?

Thanks!

Try the following:

Remove these lines from the server config [editor's note: the quoted lines were lost from this post; comparing the original server config with the one reposted below, they are `list push 'route-gateway dhcp'`, `list push 'DOMAIN lan'` and `option route_gateway '10.233.1.1'`]:

Modify the next line (server config) [editor's note: the quoted line was lost from this post; from the reposted config it is `list push 'route 10.234.1.0 255.255.255.0'`]:

to be instead:
list push 'route 10.233.1.0 255.255.255.0'


Then remove the following lines from your client config [editor's note: the quoted lines were lost from this post; from the reposted client config they are `route-nopull` and the two `route` lines]:


In your firewall, change the vpnserver zone's forward option [editor's note: the quoted line, `option forward 'ACCEPT'`, was lost from this post]:

to this:
option forward 'REJECT'

and you can remove these [editor's note: the quoted stanzas were lost from this post; they are the two `config forwarding` stanzas between vpnserver and lan]:

HINT:
You can add this to the firewall to allow VPN > internet traffic:

# Lets VPN clients out to the internet through the wan zone (which does the
# masquerading). Optional: the question only asks for VPN -> LAN access.
config forwarding
	option dest 'wan'
	option src 'vpnserver'

Finally, in your network config, remove eth1.1 from your vpn's network ifname:

so it looks like this:
option ifname 'ovpns0'


EDIT ADDING: Also remove this line from your VPN zone in the firewall [editor's note: the quoted line was lost from this post; comparing with the reposted zone it is `option masq '1'`]

Hi psherman (from 42 Wallaby Way?),

Thanks so much for your detailed response. Unfortunately, even after making those changes I'm stuck in the same place - VPN connects and I'm able to reach the router via its LAN IP address, but I can't reach anything else on my LAN. To be sure I didn't make any mistakes, here are all of my configs again:

openvpn server config:

# /etc/config/openvpn, instance 'vpnserver', after applying the first
# answer: the route-gateway, DOMAIN and route_gateway lines are gone and the
# pushed route now targets the LAN.
config openvpn 'vpnserver'
        option enabled '1'
        option dev_type 'tun'
        option dev 'ovpns0'
        option port '1194'
        option topology 'subnet'
        option tls_server '1'
        option mode 'server'
        option server '10.234.1.0 255.255.255.0'
        # NOTE(review): compression inside a VPN leaks information about the
        # plaintext (VORACLE-class attacks); consider disabling it on both ends.
        option compress 'lzo'
        option keepalive '10 120'
        option persist_key '1'
        option persist_tun '1'
        option ca '/etc/openvpn/ca.crt'
        option cert '/etc/openvpn/my-server.crt'
        option key '/etc/openvpn/my-server.key'
        option dh '/etc/openvpn/dh2048.pem'
        option tls_auth '/etc/openvpn/tls-auth.key 0'
        # Lets VPN clients reach each other inside OpenVPN, bypassing the
        # router firewall; leave off unless client-to-client access is wanted.
        option client_to_client '1'
        option log '/tmp/openvpn.log'
        list push 'topology subnet'
        list push 'dhcp-option DNS 10.233.1.1'
        # Bug, caught later in the thread: 10.233.1.1 is a host address, so
        # the client's 'ip route add 10.233.1.1/24' fails with "Invalid
        # argument" (see the client log below) and no LAN route is installed.
        # The network address is needed: route 10.233.1.0 255.255.255.0.
        list push 'route 10.233.1.1 255.255.255.0'
        list push 'compress lzo'
        list push 'persist-key'
        list push 'persist-tun'

firewall config:

# /etc/config/firewall, reposted after the first answer. The rules down to
# Allow-ISAKMP are OpenWrt's stock wan-zone defaults (here with the full
# router-solicitation / router-advertisement names) and are unrelated to
# the VPN.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# Stock IPsec pass-through rules; not used by this OpenVPN setup.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# Zone defaults: inter-zone traffic is rejected unless a forwarding or rule
# allows it. Note that at this point the file has no forwarding between the
# vpnserver and lan zones at all, so VPN -> LAN traffic is rejected here
# regardless of what OpenVPN pushes.
config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

# /etc/firewall.user is not posted in this thread; any raw iptables rules
# in it are applied on top of everything shown here.
config include
        option path '/etc/firewall.user'

# adblock's DNS hijack; matches 'src lan' only, so DNS from the vpnserver
# zone is not intercepted.
config redirect 'adblock_dns_53'
        option name 'Adblock DNS, port 53'
        option src 'lan'
        option proto 'tcp udp'
        option src_dport '53'
        option dest_port '53'
        option target 'DNAT'

config redirect 'adblock_dns_853'
        option name 'Adblock DNS, port 853'
        option src 'lan'
        option proto 'tcp udp'
        option src_dport '853'
        option dest_port '853'
        option target 'DNAT'

config redirect 'adblock_dns_5353'
        option name 'Adblock DNS, port 5353'
        option src 'lan'
        option proto 'tcp udp'
        option src_dport '5353'
        option dest_port '5353'
        option target 'DNAT'

# Opens 1194 (tcp and udp) on the router from every zone ('*'). Only wan
# needs it — lan and vpnserver already have input ACCEPT — so
# option src 'wan' would be the least-privilege form; the server only
# listens on UDP, so 'udp' alone would also suffice.
config rule
        option name 'Allow-OpenVPN-Inbound'
        option target 'ACCEPT'
        option src '*'
        option proto 'tcpudp'
        option dest_port '1194'

# VPN zone after the first answer: masq removed, intra-zone forward set to
# REJECT. input ACCEPT still exposes every router service to VPN clients.
config zone
        option name 'vpnserver'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option network 'vpnserver'
        option forward 'REJECT'

network interfaces config:

# /etc/config/network, reposted after the first answer. Identical to the
# first paste except that the 'vpnserver' interface now holds only the tun
# device; eth1.1 belongs solely to the 'lan' bridge.
config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd36:67d5:f338::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth1.1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '10.233.1.1'
        option dns '1.1.1.1 75.75.75.75'

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'dhcp'
        option hostname 'myserver'
        option type 'bridge'

config interface 'wan6'
        option ifname 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '2 3 4 5 0t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '1 6t'

# Unmanaged holder for the OpenVPN tun device, referenced by the
# 'vpnserver' firewall zone.
config interface 'vpnserver'
        option proto 'none'
        option auto '1'
        option ifname 'ovpns0'

openvpn client config:

# OpenVPN client profile after the first answer: route-nopull and the manual
# routes are gone, so the client now relies on what the server pushes.
client
dev myserver-tun
dev-type tun

proto udp
remote myserver.net 1194
# NOTE(review): tunnel compression leaks plaintext information
# (VORACLE-class attacks); prefer disabling it together with the server's
# 'compress' option.
comp-lzo
resolv-retry infinite
nobind
persist-tun
persist-key
keepalive 10 60
fast-io

# Require the server certificate to carry the TLS server purpose, so a
# leaked client certificate cannot be used to impersonate the server.
remote-cert-tls server
verb 3
# Opposite end of the server's 'tls_auth ... 0'.
key-direction 1

...
certificate stuff
...

The only interesting change is that this time on connect I see these errors in my terminal:

Fri Aug 31 09:05:34 2018 /sbin/ip link set dev myserver-tun up mtu 1500
Fri Aug 31 09:05:34 2018 /sbin/ip addr add dev myserver-tun 10.234.1.2/24 broadcast 10.234.1.255
Fri Aug 31 09:05:34 2018 /sbin/ip route add 10.233.1.1/24 via 10.234.1.1
RTNETLINK answers: Invalid argument
Fri Aug 31 09:05:34 2018 ERROR: Linux route add command failed: external program exited with error status: 2
Fri Aug 31 09:05:34 2018 Initialization Sequence Completed

Sure enough, it looks like the route didn't take when pushed from the server:

Routing table after VPN connect:

me@laptop:~$ route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         172.20.10.1     0.0.0.0         UG    600    0        0 wlp3s0
10.234.1.0       *               255.255.255.0   U     0      0        0 myserver-tun
link-local      *               255.255.0.0     U     1000   0        0 wlp3s0
172.20.10.0     *               255.255.255.240 U     600    0        0 wlp3s0

But I'm able to make it manually on the client-side anyway:

Routing table after running manual client-side route:

me@laptop:~$ sudo /sbin/ip route add 10.233.1.0/24 dev myserver-tun
me@laptop:~$ route

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         172.20.10.1     0.0.0.0         UG    600    0        0 wlp3s0
10.234.1.0       *               255.255.255.0   U     0      0        0 myserver-tun
10.233.1.0      *               255.255.255.0   U     0      0        0 myserver-tun
link-local      *               255.255.0.0     U     1000   0        0 wlp3s0
172.20.10.0     *               255.255.255.240 U     600    0        0 wlp3s0

Have I missed anything or made any errors in the above?

Thanks again for your help!

This is pointing at a host address (10.233.1.1), not the network address (10.233.1.0); it should be
list push 'route 10.233.1.0 255.255.255.0'

If that doesn't work, you might try removing the following line, too (I'm not sure that it serves any purpose and I wonder if it could cause any conflicts/issues) [editor's note: the quoted line was lost from this post; the reply below refers to it as the subnet directive]:

@g711 - any luck?

Hi, yes, actually! I did make a typo on that route, but even after correcting it (at which point the push worked) and trying again after removing the subnet directive, I was still only able to reach my router's LAN address and nothing else. I then turned to this tutorial:

https://wiki.openwrt.org/doc/howto/openvpn-streamlined-server-setup#tab__rules

and made these changes to my firewall rules:


# Firewall additions copied from the streamlined-server howto.
# NOTE(review): the src_ip (10.7.11.0/24) and dest_ip (10.111.1.0/28 and
# /26) are the howto's example subnets, not this router's VPN
# (10.234.1.0/24) and LAN (10.233.1.0/24) ranges, so as posted these three
# rules match no traffic at all. What actually opens the path is the zone
# 'forward' plus the two forwarding stanzas at the bottom, which allow all
# traffic between the lan and vpnserver zones. If the rules are kept, set
# src_ip / dest_ip to the real subnets so that they constrain traffic as
# intended.
#
# No 'dest' here, so this is an input rule (traffic addressed to the router
# itself) limited by dest_ip.
config rule
    option  target          'ACCEPT'
    option  family          'ipv4'
    option  proto           'tcp udp'
    option  src             '*'
    option  src_ip          '10.7.11.0/24'
    option  dest_ip         '10.111.1.0/28'
    option  name            'Allow VPN0 -> LAN'

# 'dest *' makes this a forwarding rule from any zone to any zone, again
# limited by src_ip / dest_ip.
config rule
    option  target          'ACCEPT'
    option  proto           'tcp udp'
    option  family          'ipv4'
    option  src             '*'
    option  src_ip          '10.7.11.0/24'
    option  dest            '*'
    option  dest_ip         '10.111.1.0/26'
    option  name            'Allow Forwarded VPN0 -> LAN'

config rule
    option  target          'ACCEPT'
    option  proto           'icmp'
    option  src             '*'
    option  src_ip          '10.7.11.0/24'
    option  dest            'lan'
    option  name            'Allow VPN0 (ICMP) -> LAN'

# Final VPN zone: input ACCEPT exposes every router service to VPN clients;
# no masq, so LAN hosts see the real 10.234.1.x client addresses.
config zone
        option name 'vpnserver'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option network 'vpnserver'
        option forward 'ACCEPT'

# The two forwardings below are what permit LAN <-> VPN traffic; they allow
# every port in both directions, so the rules above do not narrow anything.
# LAN to VPN #
config forwarding
    option  dest            'vpnserver'
    option  src             'lan'

# VPN to LAN #
config forwarding
    option  dest            'lan'
    option  src             'vpnserver'

and now it works. Thanks so much for your help!
