I am having trouble getting an OpenVPN server configured on an OpenWRT router. I am able to connect to the OpenVPN server, but am not able to access any resources behind the VPN. When I connect to the VPN server from the client, a tun0 device is created and given an IP address of 192.168.104.6, which I expect. If I then ping 192.168.104.1, I get nothing. On the OpenWRT router, I don't see any obvious issues in the logs.
I am running OpenWRT SNAPSHOT r22651-8f427f1a05 on a NanoPi R5S and trying to connect from a Linux client using NetworkManager.
On the NanoPi:
# logread -e openvpn
Sun Jul 9 18:33:38 2023 daemon.notice openvpn(MyVPN)[12821]: XXX.XXX.XXX.XXX:1065 TLS: Initial packet from [AF_INET]XXX.XXX.XXX.XXX:1065, sid=8c7dabe0 43b5e32e
Sun Jul 9 18:33:38 2023 daemon.notice openvpn(MyVPN)[12821]: XXX.XXX.XXX.XXX:1065 VERIFY OK: depth=1, CN=Easy-RSA CA
Sun Jul 9 18:33:38 2023 daemon.notice openvpn(MyVPN)[12821]: XXX.XXX.XXX.XXX:1065 VERIFY OK: depth=0, CN=trogdor
Sun Jul 9 18:33:38 2023 daemon.notice openvpn(MyVPN)[12821]: XXX.XXX.XXX.XXX:1065 peer info: IV_VER=2.6.5
Sun Jul 9 18:33:38 2023 daemon.notice openvpn(MyVPN)[12821]: XXX.XXX.XXX.XXX:1065 peer info: IV_PLAT=linux
Sun Jul 9 18:33:38 2023 daemon.notice openvpn(MyVPN)[12821]: XXX.XXX.XXX.XXX:1065 peer info: IV_TCPNL=1
Sun Jul 9 18:33:38 2023 daemon.notice openvpn(MyVPN)[12821]: XXX.XXX.XXX.XXX:1065 peer info: IV_MTU=1600
Sun Jul 9 18:33:38 2023 daemon.notice openvpn(MyVPN)[12821]: XXX.XXX.XXX.XXX:1065 peer info: IV_NCP=2
Sun Jul 9 18:33:38 2023 daemon.notice openvpn(MyVPN)[12821]: XXX.XXX.XXX.XXX:1065 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
Sun Jul 9 18:33:38 2023 daemon.notice openvpn(MyVPN)[12821]: XXX.XXX.XXX.XXX:1065 peer info: IV_PROTO=990
Sun Jul 9 18:33:38 2023 daemon.notice openvpn(MyVPN)[12821]: XXX.XXX.XXX.XXX:1065 peer info: IV_LZO_STUB=1
Sun Jul 9 18:33:38 2023 daemon.notice openvpn(MyVPN)[12821]: XXX.XXX.XXX.XXX:1065 peer info: IV_COMP_STUB=1
Sun Jul 9 18:33:38 2023 daemon.notice openvpn(MyVPN)[12821]: XXX.XXX.XXX.XXX:1065 peer info: IV_COMP_STUBv2=1
Sun Jul 9 18:33:38 2023 daemon.warn openvpn(MyVPN)[12821]: XXX.XXX.XXX.XXX:1065 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1542', remote='link-mtu 1541'
Sun Jul 9 18:33:38 2023 daemon.warn openvpn(MyVPN)[12821]: XXX.XXX.XXX.XXX:1065 WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
Sun Jul 9 18:33:38 2023 daemon.notice openvpn(MyVPN)[12821]: XXX.XXX.XXX.XXX:1065 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, peer certificate: 2048 bit RSA, signature: RSA-SHA256
Sun Jul 9 18:33:38 2023 daemon.notice openvpn(MyVPN)[12821]: XXX.XXX.XXX.XXX:1065 [trogdor] Peer Connection Initiated with [AF_INET]XXX.XXX.XXX.XXX:1065
Sun Jul 9 18:33:38 2023 daemon.notice openvpn(MyVPN)[12821]: MULTI: new connection by client 'trogdor' will cause previous active sessions by this client to be dropped. Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
Sun Jul 9 18:33:38 2023 daemon.notice openvpn(MyVPN)[12821]: MULTI_sva: pool returned IPv4=192.168.104.6, IPv6=(Not enabled)
Sun Jul 9 18:33:38 2023 daemon.notice openvpn(MyVPN)[12821]: MULTI: Learn: 192.168.104.6 -> trogdor/XXX.XXX.XXX.XXX:1065
Sun Jul 9 18:33:38 2023 daemon.notice openvpn(MyVPN)[12821]: MULTI: primary virtual IP for trogdor/XXX.XXX.XXX.XXX:1065: 192.168.104.6
Sun Jul 9 18:33:38 2023 daemon.notice openvpn(MyVPN)[12821]: Data Channel: using negotiated cipher 'AES-256-GCM'
Sun Jul 9 18:33:38 2023 daemon.notice openvpn(MyVPN)[12821]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sun Jul 9 18:33:38 2023 daemon.notice openvpn(MyVPN)[12821]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sun Jul 9 18:33:38 2023 daemon.notice openvpn(MyVPN)[12821]: SENT CONTROL [trogdor]: 'PUSH_REPLY,route 192.168.104.1,topology net30,ping 10,ping-restart 60,ifconfig 192.168.104.6 192.168.104.5,peer-id 1,cipher AES-256-GCM' (status=1)
Sun Jul 9 18:33:39 2023 daemon.notice openvpn(MyVPN)[12821]: trogdor/XXX.XXX.XXX.XXX:1065 PUSH: Received control message: 'PUSH_REQUEST'
# cat /etc/config/openvpn
config openvpn 'MyVPN'
	option dev 'tun0'
	option comp_lzo 'yes'
	option keepalive '10 60'
	option verb '3'
	option server '192.168.104.0 255.255.255.0'
	option ca '/etc/openvpn/ca.crt'
	option dh '/etc/openvpn/dh.pem'
	option cert '/etc/openvpn/my.crt'
	option key '/etc/openvpn/my.key'
	option enabled '1'
	list push route '192.168.101.0 255.255.255.0'
# cat /etc/config/firewall
config defaults
	option input 'REJECT'
	option output 'REJECT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'lan'

config zone
	option name 'guest'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'guest'

config zone
	option name 'IoT'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'IoT'

config zone
	option name 'vpn'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	option output 'ACCEPT'
	list network 'vpn'
	option masq6 '1'

config zone 'docker'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option name 'docker'
	list network 'docker'

config forwarding
	option src 'lan'
	option dest 'wan'

config forwarding
	option src 'guest'
	option dest 'wan'

config forwarding
	option src 'IoT'
	option dest 'wan'

config forwarding
	option src 'vpn'
	option dest 'wan'

config forwarding
	option src 'vpn'
	option dest 'lan'

config include 'pbr'
	option fw4_compatible '1'
	option type 'script'
	option path '/usr/share/pbr/pbr.firewall.include'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Allow-OpenVPN-Inbound'
	option target 'ACCEPT'
	option src 'wan'
	option proto 'udp'
	option dest_port '1194'
# cat /etc/config/network
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fded:7fb6:2bdf::/48'

config device
	option name 'eth0'
	option macaddr 'b2:26:ad:6e:62:e0'

config device
	option name 'eth1'
	option macaddr 'b2:26:ad:6e:62:e1'

config device
	option name 'eth2'
	option macaddr 'b2:26:ad:6e:62:e1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1'
	list ports 'eth2'

config device
	option name 'docker0'
	option type 'bridge'

config bridge-vlan
	option device 'br-lan'
	option vlan '2'
	list ports 'eth1'
	list ports 'eth2'

config bridge-vlan
	option device 'br-lan'
	option vlan '3'
	list ports 'eth1:t'
	list ports 'eth2:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '4'
	list ports 'eth1:t'
	list ports 'eth2:t'

config interface 'wan'
	option device 'eth0'
	option proto 'dhcp'

config interface 'lan'
	option device 'br-lan.2'
	option proto 'static'
	option ipaddr '192.168.101.1'
	option netmask '255.255.255.0'

config interface 'guest'
	option device 'br-lan.3'
	option proto 'static'
	option ipaddr '192.168.102.1'
	option netmask '255.255.255.0'

config interface 'IoT'
	option device 'br-lan.4'
	option proto 'static'
	option ipaddr '192.168.103.1'
	option netmask '255.255.255.0'

config interface 'vpn'
	option proto 'none'
	option device 'tun0'

config interface 'docker'
	option device 'docker0'
	option proto 'none'
	option auto '0'
On the Linux client the
[vpn]
ca=ca.crt
cert=my.crt
cert-pass-flags=0
connection-type=tls
dev=tun
key=my.key
remote=XXX.XXX.XXX.XXX:1194
remote-cert-tls=server
service-type=org.freedesktop.NetworkManager.openvpn
$ ip route list
default via 192.168.104.5 dev tun0 proto static metric 50
default via 192.168.144.211 dev wlp0s20f3 proto dhcp src 192.168.144.70 metric 600
XXX.XXX.XXX.XXX via 192.168.144.211 dev wlp0s20f3 proto static metric 50
192.168.104.1 via 192.168.104.5 dev tun0 proto static metric 50
192.168.104.5 dev tun0 proto kernel scope link src 192.168.104.6 metric 50
192.168.144.0/24 dev wlp0s20f3 proto kernel scope link src 192.168.144.70 metric 600
192.168.144.211 dev wlp0s20f3 proto static scope link metric 50
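Two things in the server log above are easy to miss when skimming for errors: the PUSH_REPLY the server sent carries only `route 192.168.104.1` (the LAN route the `list push` line was meant to add is not in it, and the client's routing table has no 192.168.101.0/24 entry either), and the two `daemon.warn` lines show `link-mtu` and `comp-lzo` differing between the two ends. A compression setting that is present on one side and absent on the other is a well-known reason for a tunnel that authenticates cleanly but drops payload, so it is worth ruling out before digging into the firewall. The script below is an added example, not code from the original post: it pulls exactly those facts out of `logread` output so the check can be repeated after each config change. `LOG_SAMPLE` is a constructed excerpt in the same shape as the post's log (public address masked the same way); `pushed_routes`, `route_pushed`, `option_mismatches`, `pool_address` and `report` are names chosen here. It uses only POSIX `awk`, `sed` and `tr`, so it is expected to run under BusyBox on the router as well as on the client.

```shell
#!/bin/sh
# Added example (not from the original post): extract the facts that matter for a
# "connected but no traffic" OpenVPN session from the server's logread output.
# LOG_SAMPLE is a constructed excerpt modelled on the post's log lines.
LOG_SAMPLE=$(cat <<'EOF'
Sun Jul 9 18:33:38 2023 daemon.warn openvpn(MyVPN)[12821]: XXX.XXX.XXX.XXX:1065 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1542', remote='link-mtu 1541'
Sun Jul 9 18:33:38 2023 daemon.warn openvpn(MyVPN)[12821]: XXX.XXX.XXX.XXX:1065 WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
Sun Jul 9 18:33:38 2023 daemon.notice openvpn(MyVPN)[12821]: MULTI_sva: pool returned IPv4=192.168.104.6, IPv6=(Not enabled)
Sun Jul 9 18:33:38 2023 daemon.notice openvpn(MyVPN)[12821]: SENT CONTROL [trogdor]: 'PUSH_REPLY,route 192.168.104.1,topology net30,ping 10,ping-restart 60,ifconfig 192.168.104.6 192.168.104.5,peer-id 1,cipher AES-256-GCM' (status=1)
EOF
)

# Print every "route <network> [netmask]" entry the server actually pushed.
# The pushed options are the comma-separated body of the single-quoted
# PUSH_REPLY string, so split on the quote, then on the commas.
pushed_routes() {
    printf '%s\n' "$1" \
        | awk -F"'" '/PUSH_REPLY/ { print $2 }' \
        | tr ',' '\n' \
        | sed -n 's/^route //p'
}

# Exit 0 if a route for the given network address was pushed, 1 otherwise.
route_pushed() {
    pushed_routes "$1" | awk -v want="$2" '$1 == want { found = 1 } END { exit !found }'
}

# Print the option names the server flagged as differing between the two ends:
# the quoted token immediately after "WARNING:".
option_mismatches() {
    printf '%s\n' "$1" | awk -F"'" '/WARNING:/ { print $2 }'
}

# Print the IPv4 address the server's pool handed to the client.
pool_address() {
    printf '%s\n' "$1" | sed -n 's/.*pool returned IPv4=\([0-9.]*\),.*/\1/p'
}

# Human-readable summary: what the client was given, and what still differs.
report() {
    log=$1
    echo "client pool address: $(pool_address "$log")"
    echo "routes pushed:"
    pushed_routes "$log" | sed 's/^/  /'
    for opt in $(option_mismatches "$log"); do
        echo "option differs between server and client: $opt"
    done
}

report "$LOG_SAMPLE"
```

Run it against the real output with `report "$(logread -e openvpn)"` on the router; the run is only meaningful once a client has completed a handshake, since the PUSH_REPLY and pool lines are written per connection. If `route_pushed "$(logread -e openvpn)" 192.168.101.0` fails after the `push` line has been fixed and the service restarted, the problem is on the server side of the push; if it succeeds but the LAN is still unreachable, the remaining suspects are the option mismatches and the firewall zone assignment of `tun0`.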