Connected to VPN but no internet connection

galxy_star · October 27, 2021, 7:32pm

implemented all the changes but it still doesnt work pffff
I dont understand why..
/etc/config/openvpn

config openvpn 'movil'
	option config '/etc/openvpn/movil.ovpn'
	option enabled '1'

psherman · October 27, 2021, 7:38pm

Can you post the contents of the referenced file:

etc/openvpn/movil.ovpn

galxy_star · October 27, 2021, 7:39pm

/etc/openvpn/movil.ovpn

client
proto udp
explicit-exit-notify
remote 82.165.2.238 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
verify-x509-name server_16mFh07n4H6c7Tp8 name
auth SHA256
auth-nocache
cipher AES-128-GCM
tls-client
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
dev tun20
route-nopull
route-noexec
script-security 2
up /etc/openvpn/ovpn-connected.sh
verb 3
<ca>
...

in the server it shows as connected but i dont know
/etc/var/log/openvpn/status.log

OpenVPN CLIENT LIST
Updated,Wed Oct 27 19:48:31 2021
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
mobile,188.26.223.54:46523,6593,6110,Wed Oct 27 19:34:05 2021
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.2,mobile,188.26.223.54:46523,Wed Oct 27 19:34:05 2021
GLOBAL STATS
Max bcast/mcast queue length,1
END

psherman · October 27, 2021, 7:50pm

I would recommend removing the script and pushing the key config parameters from the server (this also means removing the route-nopull and route-noexec directives).

galxy_star · October 27, 2021, 7:54pm

I edited the last comment and pasted the /etc/var/log/openvpn/status.log

this is the /var/log/openvpn.log if it helps

Wed Oct 27 19:32:27 2021 mobile/188.26.223.54:37091 Outgoing Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
Wed Oct 27 19:32:27 2021 mobile/188.26.223.54:37091 Incoming Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
Wed Oct 27 19:33:43 2021 mobile/188.26.223.54:37091 SIGTERM[soft,remote-exit] received, client-instance exiting
Wed Oct 27 19:34:05 2021 188.26.223.54:46523 TLS: Initial packet from [AF_INET]188.26.223.54:46523, sid=a9e3e1c9 e49f8b90
Wed Oct 27 19:34:05 2021 188.26.223.54:46523 VERIFY OK: depth=1, CN=cn_Zxd1NYcZBfG9Z7T9
Wed Oct 27 19:34:05 2021 188.26.223.54:46523 VERIFY OK: depth=0, CN=mobile
Wed Oct 27 19:34:05 2021 188.26.223.54:46523 peer info: IV_VER=2.5.3
Wed Oct 27 19:34:05 2021 188.26.223.54:46523 peer info: IV_PLAT=linux
Wed Oct 27 19:34:05 2021 188.26.223.54:46523 peer info: IV_PROTO=6
Wed Oct 27 19:34:05 2021 188.26.223.54:46523 peer info: IV_NCP=2
Wed Oct 27 19:34:05 2021 188.26.223.54:46523 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM
Wed Oct 27 19:34:05 2021 188.26.223.54:46523 peer info: IV_LZ4=1
Wed Oct 27 19:34:05 2021 188.26.223.54:46523 peer info: IV_LZ4v2=1
Wed Oct 27 19:34:05 2021 188.26.223.54:46523 peer info: IV_LZO=1
Wed Oct 27 19:34:05 2021 188.26.223.54:46523 peer info: IV_COMP_STUB=1
Wed Oct 27 19:34:05 2021 188.26.223.54:46523 peer info: IV_COMP_STUBv2=1
Wed Oct 27 19:34:05 2021 188.26.223.54:46523 peer info: IV_TCPNL=1
Wed Oct 27 19:34:05 2021 188.26.223.54:46523 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 256 bit EC, curve: prime256v1
Wed Oct 27 19:34:05 2021 188.26.223.54:46523 [mobile] Peer Connection Initiated with [AF_INET]188.26.223.54:46523
Wed Oct 27 19:34:05 2021 mobile/188.26.223.54:46523 MULTI_sva: pool returned IPv4=10.8.0.2, IPv6=(Not enabled)
Wed Oct 27 19:34:05 2021 mobile/188.26.223.54:46523 MULTI: Learn: 10.8.0.2 -> mobile/188.26.223.54:46523
Wed Oct 27 19:34:05 2021 mobile/188.26.223.54:46523 MULTI: primary virtual IP for mobile/188.26.223.54:46523: 10.8.0.2
Wed Oct 27 19:34:06 2021 mobile/188.26.223.54:46523 PUSH: Received control message: 'PUSH_REQUEST'
Wed Oct 27 19:34:06 2021 mobile/188.26.223.54:46523 SENT CONTROL [mobile]: 'PUSH_REPLY,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-128-GCM' (status=1)
Wed Oct 27 19:34:06 2021 mobile/188.26.223.54:46523 Outgoing Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
Wed Oct 27 19:34:06 2021 mobile/188.26.223.54:46523 Incoming Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
Wed Oct 27 19:45:17 2021 event_wait : Interrupted system call (code=4)
Wed Oct 27 19:45:17 2021 OpenVPN CLIENT LIST
Wed Oct 27 19:45:17 2021 Updated,Wed Oct 27 19:45:17 2021
Wed Oct 27 19:45:17 2021 Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
Wed Oct 27 19:45:17 2021 mobile,188.26.223.54:46523,5833,5350,Wed Oct 27 19:34:05 2021
Wed Oct 27 19:45:17 2021 ROUTING TABLE
Wed Oct 27 19:45:17 2021 Virtual Address,Common Name,Real Address,Last Ref
Wed Oct 27 19:45:17 2021 10.8.0.2,mobile,188.26.223.54:46523,Wed Oct 27 19:34:05 2021
Wed Oct 27 19:45:17 2021 GLOBAL STATS
Wed Oct 27 19:45:17 2021 Max bcast/mcast queue length,1
Wed Oct 27 19:45:17 2021 END

psherman · October 27, 2021, 10:13pm

I'm going to give you an example of my own OpenVPN server and client configurations. Obviously there are going to be differences, but take a look at the push directives, in particular.

To make it clear, I am demonstrating this using two OpenWrt devices -- the Server is connected to my home network (in my case, it sits behind my main firewall) and the Client which is a travel router that sets up the tunnel back to my home so I have a seamless experience with all of my devices.

OpenVPN Sever Configuration

config openvpn 'OVPN'
	option proto 'udp'
	option port '1194'
	option dev 'tun0'
	option server '10.0.23.0 255.255.255.0'
	option ca '/etc/openvpn/ServerKeys/ca.crt'
	option cert '/etc/openvpn/ServerKeys/vpnserver.crt'
	option key '/etc/openvpn/ServerKeys/vpnserver.key'
	option dh '/etc/openvpn/ServerKeys/vpnserver_dh.pem'
	option verb '4'
	option passtos '1'
	option auth 'SHA256'
	option cipher 'AES-256-CBC'
	option mute '5'
	option tun_ipv6 '1'
	option tun_mtu '1500'
	option keepalive '10 120'
	option tls_server '1'
	option client_to_client '1'
	option duplicate_cn '1'
	option persist_key '1'
	option persist_tun '1'
	list push 'route 10.0.1.0 255.255.255.0'
	list push 'dhcp-option DNS 10.0.1.1'
    option remote_cert_tls 'client'
	option enabled '1'

Server Firewall (OpenWrt 21.02; relevant sections)

config zone
	option name 'vpn'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list device 'tun0'

config forwarding
	option src 'vpn'
	option dest 'wan'

OpenVPN Client Configuration

client
remote REDACTED
proto udp
port 1194
dev tun
cipher AES-256-CBC
auth SHA256
ca /etc/openvpn/ClientKeys/ca.crt
cert /etc/openvpn/ClientKeys/VPNClient.crt
key /etc/openvpn/ClientKeys/VPN.key
remote-cert-tls server
redirect-gateway def1
verb 3

Client Network Configuration (OpenWrt 21.02; relevant section)

config interface 'OpenVPN'
	option proto 'none'
	option device 'tun0'

Client Firewall Configuration (OpenWrt 21.02; relevant sections)

config zone
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option name 'vpn'
	list network 'OpenVPN'

config forwarding
	option src 'lan'
	option dest 'vpn'

psherman · October 27, 2021, 10:16pm

Another thing to consider is that you do need to consider the routing of the VPN traffic. If your linux box (Server) simply NATs/masquerades this to the main network, you should be fine. However, if not, you need to add routes to your main router so that the router knows where to send the traffic that is destined for the remote VPN devices.