Hello all,
I've set up my Archer C7 as an openvpn server following this tutorial: https://openwrt.org/docs/guide-user/services/vpn/openvpn/server.setup
When finished, I was able to establish a connection from a remote location, and even SSH into my router using its LAN IP (10.233.1.1). Unfortunately, though, I can't directly access anything else on my LAN from the VPN. I've gone through a bunch of threads on the forum that seemed similar and tried a number of options, but none of them have worked, and I think I must have something just fundamentally set up wrong.
My goal is to create a class-C VPN in the 10.234.1.x range which connects back to my LAN, which is on the 10.233.1.x range. It's not necessary for clients to be able to reach the WAN via the VPN (maybe in the future as an optional thing, but my main goal right now is just to be able to access devices on my home network remotely via the VPN). Aside from OpenVPN, the only other non-vanilla services I have installed are adblock and dyndns.
config/network:
# /etc/config/network (as posted): loopback, LAN bridge, WAN, switch VLANs and
# the interface that wraps the OpenVPN tun device.
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd36:67d5:f338::/48'
# LAN: a bridge over the VLAN 1 port group (eth1.1), static 10.233.1.1/24.
# This is the network the VPN clients are meant to reach.
config interface 'lan'
option type 'bridge'
option ifname 'eth1.1'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '10.233.1.1'
option dns '1.1.1.1 75.75.75.75'
# NOTE(review): the WAN interface is declared as a bridge with a single member
# (eth0.2). Not obviously related to the routing problem, but confirm it is
# intentional, as it is not a default OpenWrt setting.
config interface 'wan'
option ifname 'eth0.2'
option proto 'dhcp'
option hostname 'router'
option type 'bridge'
config interface 'wan6'
option ifname 'eth0.2'
option proto 'dhcpv6'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
# VLAN 1 = LAN ports (2-5) tagged to CPU port 0; VLAN 2 = WAN port 1 tagged to CPU port 6.
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '2 3 4 5 0t'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '1 6t'
# VPN server interface: proto 'none' (no address managed by netifd); it exists
# so the firewall zone 'vpnserver' can reference it. The tun device name
# 'ovpns0' matches 'option dev' in the openvpn config.
# NOTE(review): 'eth1.1' is listed here AND is the member of the 'lan' bridge
# above. Claiming the same port from two interfaces is the first thing to
# check; presumably the intent was to wrap only the tun device, i.e.
# option ifname 'ovpns0' — confirm against the tutorial being followed.
config interface 'vpnserver'
option proto 'none'
option auto '1'
option ifname 'eth1.1 ovpns0'
config/firewall:
# /etc/config/firewall (as posted). The first block of rules is the stock
# OpenWrt WAN-input rule set; the OpenVPN-specific parts are at the end.
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
# NOTE(review): the entries '-solicitation' and '-advertisement' below look
# truncated (the stock OpenWrt rule uses router-solicitation /
# router-advertisement). Probably a paste artifact; confirm in the live file.
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type '-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type '-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# These two rules let ESP and IKE (UDP 500) from WAN be forwarded into the LAN
# zone. They are OpenWrt defaults and nothing on this page terminates IPsec;
# if no LAN host does, they are candidates for removal (least privilege).
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
# Global policy: input/output accepted, forwarding rejected unless a zone or
# forwarding section allows it.
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
config forwarding
option src 'lan'
option dest 'wan'
config include
option path '/etc/firewall.user'
# adblock DNS redirects: these DNAT rules match only traffic arriving from the
# 'lan' zone. DNS from VPN clients arrives via the 'vpnserver' zone and is not
# redirected by them (the openvpn config pushes 10.233.1.1 as DNS instead).
config redirect 'adblock_dns_53'
option name 'Adblock DNS, port 53'
option src 'lan'
option proto 'tcp udp'
option src_dport '53'
option dest_port '53'
option target 'DNAT'
config redirect 'adblock_dns_853'
option name 'Adblock DNS, port 853'
option src 'lan'
option proto 'tcp udp'
option src_dport '853'
option dest_port '853'
option target 'DNAT'
config redirect 'adblock_dns_5353'
option name 'Adblock DNS, port 5353'
option src 'lan'
option proto 'tcp udp'
option src_dport '5353'
option dest_port '5353'
option target 'DNAT'
# Accepts the OpenVPN listener port from every zone (src '*'), on both TCP and
# UDP. The client config below connects with 'proto udp', so the TCP half is
# presumably unused and could be narrowed to 'udp'.
config rule
option name 'Allow-OpenVPN-Inbound'
option target 'ACCEPT'
option src '*'
option proto 'tcpudp'
option dest_port '1194'
# Zone for the tun interface. 'masq 1' here rewrites the source address of
# packets leaving through this zone (LAN -> VPN direction) to the router's
# tunnel address; it does not affect the VPN -> LAN direction, where LAN hosts
# see the client's real 10.234.1.x address and must route replies back via
# 10.233.1.1. Note that 'masq' on the VPN zone also hides which LAN host
# initiated a connection to a VPN client in that client's logs.
config zone
option name 'vpnserver'
option input 'ACCEPT'
option output 'ACCEPT'
option network 'vpnserver'
option forward 'ACCEPT'
option masq '1'
# Bidirectional forwarding between the VPN zone and the LAN zone; there is
# deliberately no vpnserver -> wan forwarding (WAN access via the VPN is not a
# goal per the post).
config forwarding
option src 'vpnserver'
option dest 'lan'
config forwarding
option dest 'vpnserver'
option src 'lan'
config/openvpn:
# /etc/config/openvpn (as posted): routed (tun) server, 10.234.1.0/24 tunnel
# subnet with 'topology subnet', TLS server with a tls-auth HMAC key.
config openvpn 'vpnserver'
option enabled '1'
option dev_type 'tun'
# Device name must match 'option ifname' of the 'vpnserver' network interface.
option dev 'ovpns0'
# No 'proto' given, so OpenVPN's default (UDP) applies; the client uses 'proto udp'.
option port '1194'
option topology 'subnet'
option tls_server '1'
option mode 'server'
option server '10.234.1.0 255.255.255.0'
# NOTE(review): the server uses 'compress lzo' (and pushes it) while the client
# config uses the older 'comp-lzo' directive. The tunnel connects, so this is
# apparently tolerated, but aligning both sides removes one variable.
option compress 'lzo'
option keepalive '10 120'
option persist_key '1'
option persist_tun '1'
option ca '/etc/openvpn/ca.crt'
option cert '/etc/openvpn/my-server.crt'
option key '/etc/openvpn/my-server.key'
option dh '/etc/openvpn/dh2048.pem'
# tls-auth key direction 0 on the server pairs with 'key-direction 1' in the client config.
option tls_auth '/etc/openvpn/tls-auth.key 0'
# client-to-client lets VPN clients reach each other inside the OpenVPN process
# rather than through the kernel, so that traffic is not subject to the zone
# rules in the firewall config. Disable it if clients only need the LAN.
option client_to_client '1'
# /tmp is tmpfs on OpenWrt: the log is lost at reboot but is the place to look
# (together with 'verb') while debugging this.
option log '/tmp/openvpn.log'
list push 'topology subnet'
# NOTE(review): 'route-gateway dhcp' is meaningful for tap/bridged setups;
# with a tun device and 'topology subnet' it is presumably ignored — confirm.
list push 'route-gateway dhcp'
# Pushes a route for the tunnel subnet itself, which clients already have.
# The route clients actually need (10.233.1.0/24, the LAN) is not pushed here;
# the client config below adds it by hand under 'route-nopull'.
list push 'route 10.234.1.0 255.255.255.0'
list push 'dhcp-option DNS 10.233.1.1'
list push 'compress lzo'
list push 'persist-key'
list push 'persist-tun'
# NOTE(review): 'DOMAIN lan' is not a standalone OpenVPN directive; the
# intended form is presumably 'dhcp-option DOMAIN lan' (as for DNS above).
list push 'DOMAIN lan'
# NOTE(review): this sets the server's own route-gateway to the LAN address
# rather than an address inside the tunnel subnet; its purpose here is unclear
# with 'topology subnet' — confirm whether it is needed at all.
option route_gateway '10.233.1.1'
Here's what my client config currently looks like, though I've gone through lots of permutations of pushing routes from the server vs triggering them from the client:
# Client profile (as posted, key material elided). Connects over UDP to
# myhost.net:1194 and installs its own routes instead of accepting pushed ones.
client
dev myhost-tun
dev-type tun
proto udp
remote myhost.net 1194
# Older compression directive; the server side uses 'compress lzo'.
comp-lzo
resolv-retry infinite
nobind
persist-tun
persist-key
keepalive 10 60
fast-io
# route-nopull discards the routes and dhcp-options the server pushes (so the
# pushed DNS 10.233.1.1 is not applied on the client); routes are set manually
# on the next two lines. The routing table further down in the post shows both
# took effect (10.233.1.0/24 via 10.234.1.1 on myhost-tun).
route-nopull
route 10.234.1.0 255.255.255.0
route 10.233.1.0 255.255.255.0
# Require the server certificate to carry the server role, so a stolen client
# certificate cannot be used to impersonate the server.
remote-cert-tls server
verb 3
# Pairs with the server's 'tls_auth ... 0'.
key-direction 1
# NOTE(review): the inline <ca>/<cert>/<key>/<tls-auth> blocks appear twice
# below. Presumably a paste artifact; confirm the real profile holds one copy
# of each, as duplicates make it ambiguous which material is in use.
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<cert>
Certificate:
...
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
</key>
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-auth>
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<cert>
Certificate:
...
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
</key>
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-auth>
And while I don't think it's a client-side routing problem, here's what my client routing table looks like after the VPN connection has been established:
default 172.a.b.c 0.0.0.0 UG 600 0 0 wlp3s0
10.234.1.0 * 255.255.255.0 U 0 0 0 myhost-tun
10.233.1.0 10.234.1.1 255.255.255.0 UG 0 0 0 myhost-tun
link-local * 255.255.0.0 U 1000 0 0 g711-tun
172.20.10.0 * 255.255.255.240 U 600 0 0 wlp3s0
Among other things I've tried (based on other threads) is adding `option type 'bridge'` to the vpnserver network interface and bridging it to my eth1.1 interface. That seems like it should have been the right thing to do, but when I did that I was not only unable to reach the LAN, I was also unable to reach the router anymore (the VPN did still connect just fine; the packets simply didn't seem to go anywhere).
Any suggestions for what to try next?
Thanks!