Configuring OpenVPN Server

I am having trouble getting an OpenVPN server configured on an OpenWRT router. I am able to connect to the OpenVPN server, but am not able to access any resources behind the VPN. When I connect to the VPN server from the client, a tun0 device is created and given an IP address of 192.168.104.6, which I expect. If I then ping 192.168.104.1, I get nothing. On the OpenWRT router, I don't see any obvious issues in the logs.

I am running OpenWRT SNAPSHOT r22651-8f427f1a05 on a NanoPi R5S and trying to connect from a Linux client using NetworkManager.

On the NanoPi:

logread -e openvpn
Sun Jul  9 18:33:38 2023 daemon.notice openvpn(MyVPN)[12821]: XXX.XXX.XXX.XXX:1065 TLS: Initial packet from [AF_INET]XXX.XXX.XXX.XXX:1065, sid=8c7dabe0 43b5e32e
Sun Jul  9 18:33:38 2023 daemon.notice openvpn(MyVPN)[12821]: XXX.XXX.XXX.XXX:1065 VERIFY OK: depth=1, CN=Easy-RSA CA
Sun Jul  9 18:33:38 2023 daemon.notice openvpn(MyVPN)[12821]: XXX.XXX.XXX.XXX:1065 VERIFY OK: depth=0, CN=trogdor
Sun Jul  9 18:33:38 2023 daemon.notice openvpn(MyVPN)[12821]: XXX.XXX.XXX.XXX:1065 peer info: IV_VER=2.6.5
Sun Jul  9 18:33:38 2023 daemon.notice openvpn(MyVPN)[12821]: XXX.XXX.XXX.XXX:1065 peer info: IV_PLAT=linux
Sun Jul  9 18:33:38 2023 daemon.notice openvpn(MyVPN)[12821]: XXX.XXX.XXX.XXX:1065 peer info: IV_TCPNL=1
Sun Jul  9 18:33:38 2023 daemon.notice openvpn(MyVPN)[12821]: XXX.XXX.XXX.XXX:1065 peer info: IV_MTU=1600
Sun Jul  9 18:33:38 2023 daemon.notice openvpn(MyVPN)[12821]: XXX.XXX.XXX.XXX:1065 peer info: IV_NCP=2
Sun Jul  9 18:33:38 2023 daemon.notice openvpn(MyVPN)[12821]: XXX.XXX.XXX.XXX:1065 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
Sun Jul  9 18:33:38 2023 daemon.notice openvpn(MyVPN)[12821]: XXX.XXX.XXX.XXX:1065 peer info: IV_PROTO=990
Sun Jul  9 18:33:38 2023 daemon.notice openvpn(MyVPN)[12821]: XXX.XXX.XXX.XXX:1065 peer info: IV_LZO_STUB=1
Sun Jul  9 18:33:38 2023 daemon.notice openvpn(MyVPN)[12821]: XXX.XXX.XXX.XXX:1065 peer info: IV_COMP_STUB=1
Sun Jul  9 18:33:38 2023 daemon.notice openvpn(MyVPN)[12821]: XXX.XXX.XXX.XXX:1065 peer info: IV_COMP_STUBv2=1
Sun Jul  9 18:33:38 2023 daemon.warn openvpn(MyVPN)[12821]: XXX.XXX.XXX.XXX:1065 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1542', remote='link-mtu 1541'
Sun Jul  9 18:33:38 2023 daemon.warn openvpn(MyVPN)[12821]: XXX.XXX.XXX.XXX:1065 WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
Sun Jul  9 18:33:38 2023 daemon.notice openvpn(MyVPN)[12821]: XXX.XXX.XXX.XXX:1065 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, peer certificate: 2048 bit RSA, signature: RSA-SHA256
Sun Jul  9 18:33:38 2023 daemon.notice openvpn(MyVPN)[12821]: XXX.XXX.XXX.XXX:1065 [trogdor] Peer Connection Initiated with [AF_INET]XXX.XXX.XXX.XXX:1065
Sun Jul  9 18:33:38 2023 daemon.notice openvpn(MyVPN)[12821]: MULTI: new connection by client 'trogdor' will cause previous active sessions by this client to be dropped.  Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
Sun Jul  9 18:33:38 2023 daemon.notice openvpn(MyVPN)[12821]: MULTI_sva: pool returned IPv4=192.168.104.6, IPv6=(Not enabled)
Sun Jul  9 18:33:38 2023 daemon.notice openvpn(MyVPN)[12821]: MULTI: Learn: 192.168.104.6 -> trogdor/XXX.XXX.XXX.XXX:1065
Sun Jul  9 18:33:38 2023 daemon.notice openvpn(MyVPN)[12821]: MULTI: primary virtual IP for trogdor/XXX.XXX.XXX.XXX:1065: 192.168.104.6
Sun Jul  9 18:33:38 2023 daemon.notice openvpn(MyVPN)[12821]: Data Channel: using negotiated cipher 'AES-256-GCM'
Sun Jul  9 18:33:38 2023 daemon.notice openvpn(MyVPN)[12821]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sun Jul  9 18:33:38 2023 daemon.notice openvpn(MyVPN)[12821]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sun Jul  9 18:33:38 2023 daemon.notice openvpn(MyVPN)[12821]: SENT CONTROL [trogdor]: 'PUSH_REPLY,route 192.168.104.1,topology net30,ping 10,ping-restart 60,ifconfig 192.168.104.6 192.168.104.5,peer-id 1,cipher AES-256-GCM' (status=1)
Sun Jul  9 18:33:39 2023 daemon.notice openvpn(MyVPN)[12821]: trogdor/XXX.XXX.XXX.XXX:1065 PUSH: Received control message: 'PUSH_REQUEST'

# cat /etc/config/openvpn

config openvpn 'MyVPN'
	option dev 'tun0'
	option comp_lzo 'yes'
	option keepalive '10 60'
	option verb '3'
	option server '192.168.104.0 255.255.255.0'
	option ca '/etc/openvpn/ca.crt'
	option dh '/etc/openvpn/dh.pem'
	option cert '/etc/openvpn/my.crt'
	option key '/etc/openvpn/my.key'
	option enabled '1'
	list push route '192.168.101.0 255.255.255.0'

# cat /etc/config/firewall 

config defaults
	option input 'REJECT'
	option output 'REJECT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'lan'

config zone
	option name 'guest'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'guest'

config zone
	option name 'IoT'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'IoT'

config zone
	option name 'vpn'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	option output 'ACCEPT'
	list network 'vpn'
	option masq6 '1'

config zone 'docker'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option name 'docker'
	list network 'docker'

config forwarding
	option src 'lan'
	option dest 'wan'

config forwarding
	option src 'guest'
	option dest 'wan'

config forwarding
	option src 'IoT'
	option dest 'wan'

config forwarding
	option src 'vpn'
	option dest 'wan'

config forwarding
	option src 'vpn'
	option dest 'lan'

config include 'pbr'
	option fw4_compatible '1'
	option type 'script'
	option path '/usr/share/pbr/pbr.firewall.include'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Allow-OpenVPN-Inbound'
	option target 'ACCEPT'
	option src 'wan'
	option proto 'udp'
	option dest_port '1194'

# cat /etc/config/network 

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fded:7fb6:2bdf::/48'

config device
	option name 'eth0'
	option macaddr 'b2:26:ad:6e:62:e0'

config device
	option name 'eth1'
	option macaddr 'b2:26:ad:6e:62:e1'

config device
	option name 'eth2'
	option macaddr 'b2:26:ad:6e:62:e1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1'
	list ports 'eth2'

config device
	option name 'docker0'
	option type 'bridge'

config bridge-vlan
	option device 'br-lan'
	option vlan '2'
	list ports 'eth1'
	list ports 'eth2'

config bridge-vlan
	option device 'br-lan'
	option vlan '3'
	list ports 'eth1:t'
	list ports 'eth2:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '4'
	list ports 'eth1:t'
	list ports 'eth2:t'

config interface 'wan'
	option device 'eth0'
	option proto 'dhcp'

config interface 'lan'
	option device 'br-lan.2'
	option proto 'static'
	option ipaddr '192.168.101.1'
	option netmask '255.255.255.0'

config interface 'guest'
	option device 'br-lan.3'
	option proto 'static'
	option ipaddr '192.168.102.1'
	option netmask '255.255.255.0'

config interface 'IoT'
	option device 'br-lan.4'
	option proto 'static'
	option ipaddr '192.168.103.1'
	option netmask '255.255.255.0'

config interface 'vpn'
	option proto 'none'
	option device 'tun0'

config interface 'docker'
	option device 'docker0'
	option proto 'none'
	option auto '0'

On the Linux client the

[vpn]
ca=ca.crt
cert=my.crt
cert-pass-flags=0
connection-type=tls
dev=tun
key=my.key
remote=XXX.XXX.XXX.XXX:1194
remote-cert-tls=server
service-type=org.freedesktop.NetworkManager.openvpn
$ ip route list
default via 192.168.104.5 dev tun0 proto static metric 50 
default via 192.168.144.211 dev wlp0s20f3 proto dhcp src 192.168.144.70 metric 600 
XXX.XXX.XXX.XXX via 192.168.144.211 dev wlp0s20f3 proto static metric 50 
192.168.104.1 via 192.168.104.5 dev tun0 proto static metric 50 
192.168.104.5 dev tun0 proto kernel scope link src 192.168.104.6 metric 50 
192.168.144.0/24 dev wlp0s20f3 proto kernel scope link src 192.168.144.70 metric 600 
192.168.144.211 dev wlp0s20f3 proto static scope link metric 50 

Let's see your network config file, too.

Just added the network config for the router and the routing table for the client.

Your routing table shows that the OpenVPN gateway is at .5, not .1.

This is normal if you don't have a topology subnet directive in your server configuration; it defaults to a /30 allocation.


That is good to know, but ping 192.168.104.5 does not return anything either.

That should be 104.1 instead. Then the server holds .1 in the tunnel and the tunnel is a /24.

Check with ip addr show dev tun0 on the server router. Also, the server router's routes should have been altered during OpenVPN startup to include an entry for 192.168.104.0/24 through the tunnel.

Defining an interface like this is no longer necessary. Instead use list device tun0 in the vpn firewall zone to directly attach a device to a zone.


That causes an error
Options error: --server directive network/netmask combination is invalid

Not sure what to make of it

# ip addr show dev tun0
22: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
    link/none 
    inet 192.168.104.1 peer 192.168.104.2/32 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::f785:fa53:4fb6:4162/64 scope link stable-privacy 
       valid_lft forever preferred_lft forever

I will try and clean things up once I get it running.

I disagree here. My (working) OpenVPN server is set up as a /24 with .0 as the last octet. AFAIK, when the server starts, it will look at the subnet and the network ID and then take the first available address (in this case 192.168.104.1/24) and will subsequently issue the rest of the addresses to the clients.

Is there anything going on in PBR?

What happens if you ping 192.168.101.1 or 8.8.8.8?


It did not look like there was anything in PBR so I removed it from the firewall settings.

When connected to the VPN I cannot ping 192.168.101.1 or 8.8.8.8, but I can ping google.com (but that shows up as an IPv6 address).

If I look at traceroute for both 192.168.101.1 and 8.8.8.8 I get nothing when connected to the VPN. When not connected, the route looks reasonable.

I’ll have to think about what else could cause your issue. But, is there any reason that you must use OpenVPN specifically? I’d recommend trying wireguard - it is far easier to configure and much more modern and performant.


Are you sure you are actually connected?

What does the client log show?

Some small remarks which might not be related, although wrong compression settings could cause a connection but no traffic:
I would use topology subnet which is the default in recent OpenVPN.
Furthermore remove the compression (comp-lzo)

+1 for WireGuard


+1 here for WireGuard, too. I have and use both OpenVPN and WireGuard. I prefer WireGuard. It's faster, and it's easier.

Look at the client routes and as noted, whether OpenVPN actually connected at all.

This is to be expected since this configuration doesn't have any IPv6 routes, it goes direct over the client's local IPv6 connection. You will need to disable IPv6 on the client to prevent such "leakage".

Stupid compression. The client and the server need to have the same compression settings. I naively assumed the server would have pushed that setting, but adding compression to the client OR removing compression from the server fixed the issue.

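A small checker for exactly this symptom (handshake succeeds, no traffic), added here as an example; it is not code from the thread, from OpenWrt or from OpenVPN. It pulls the option-mismatch WARNING lines (the 'comp-lzo' and 'link-mtu' ones quoted earlier in the thread) and the pushed topology out of logread output, and flags a UCI openvpn section that has comp_lzo set and topology unset, the two settings the replies above pointed at. The sample log and config are constructed from the thread's own lines, and the function names are this example's own, not OpenWrt's.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenWrt/OpenVPN.
# Works in busybox ash and dash: only grep -o, sed BRE, sort and heredocs.

# Constructed excerpt of `logread -e openvpn` output (lines from the thread).
sample_log() {
cat <<'EOF'
Sun Jul  9 18:33:38 2023 daemon.warn openvpn(MyVPN)[12821]: XXX.XXX.XXX.XXX:1065 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1542', remote='link-mtu 1541'
Sun Jul  9 18:33:38 2023 daemon.warn openvpn(MyVPN)[12821]: XXX.XXX.XXX.XXX:1065 WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
Sun Jul  9 18:33:38 2023 daemon.notice openvpn(MyVPN)[12821]: SENT CONTROL [trogdor]: 'PUSH_REPLY,route 192.168.104.1,topology net30,ping 10,ping-restart 60,ifconfig 192.168.104.6 192.168.104.5,peer-id 1,cipher AES-256-GCM' (status=1)
EOF
}

# Constructed copy of the relevant lines of the thread's /etc/config/openvpn.
sample_config() {
cat <<'EOF'
config openvpn 'MyVPN'
	option dev 'tun0'
	option comp_lzo 'yes'
	option server '192.168.104.0 255.255.255.0'
EOF
}

# Read log lines on stdin; print, one per line, each option name OpenVPN
# reports as differing between the two ends. A non-empty list after a
# successful handshake is the signature of the mismatch in this thread.
log_option_mismatches() {
    grep -o "WARNING: '[^']*'" | sed "s/^WARNING: '//; s/'\$//" | sort -u
}

# Read log lines on stdin; print the topology the server pushed. "net30"
# means /30 pairs, so the client's gateway is the .5 of its pair, not .1.
pushed_topology() {
    sed -n "s/.*PUSH_REPLY.*topology \([a-z0-9]*\).*/\1/p" | head -n 1
}

# Read a UCI openvpn section on stdin; print one finding per line for the
# two settings worth reviewing: compression enabled, topology not set.
config_findings() {
    cfg=$(cat)
    if printf '%s\n' "$cfg" | grep -q "^[[:space:]]*option comp_lzo 'yes'"; then
        echo "comp_lzo enabled: the client must match, or drop it on both ends"
    fi
    if ! printf '%s\n' "$cfg" | grep -q "^[[:space:]]*option topology"; then
        echo "topology unset: the server falls back to net30"
    fi
}

# Run all three checks over the constructed sample data.
diagnose() {
    echo "== options the server reports as inconsistent =="
    sample_log | log_option_mismatches
    echo "== pushed topology: $(sample_log | pushed_topology) =="
    echo "== config findings =="
    sample_config | config_findings
}

if [ "${1:-}" = "--demo" ]; then
    diagnose
fi
```

Run it as "sh check.sh --demo" to see the constructed sample diagnosed, or source it on the router and feed real data: "logread -e openvpn | log_option_mismatches" and "uci export openvpn | config_findings". An empty mismatch list together with a topology of "subnet" is what you want to see before looking at firewall zones and routes.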
