Default Gateway OpenVPN

Hello there,
I'm fairly new to OpenWRT and use it on my Raspberry Pi 4 as a travel router. I have configured my network via the web GUI, and the connection to my VPN also works. Only that I can't send any data over the VPN. Or, more precisely, no gateway is configured for the VPN.

LAN: 192.168.137.1/24
VPN: 172.64.0.1/16
WAN: DHCP(172.16.0.1/16 home for testing)

Connection over WAN works perfectly fine, and if I enter the route manually over SSH with

route add default gw 172.64.0.5 tun0

the connection works just fine, but after a reboot the route is deleted.

If someone could help me configure the route in the web GUI, or set up an auto-run script to execute the command above.

Thanks in advance: Flo

Check the server configuration. Does it push any routes to the clients?

Yes, it should; Windows and Android are working just fine.

By the way, that's not an RFC 1918 address. Has it been allocated to you for your use?

The routes for the server network (to access internal services) are configured correctly; only Internet access isn't there.

What are the contents of /etc/config/network, /etc/config/dhcp, and /etc/config/firewall on OpenWRT? Redact any passwords/keys.

Also, what are the contents of the .ovpn file on the Raspberry Pi? Again, redact any passwords/keys.

Lastly, what are the contents of the .ovpn file on the server? Once more, redact any passwords/keys.

Yes, I know. It wasn't my decision, but if that's the problem, I'll have to ask whether another range is free.

I've just looked up the IP address; it's allocated to Cloudflare. Is your VPN server hosted at Cloudflare? If so, then the IP address is fine. I asked the question because if you were hosting it inside your own network it would be inadvisable to use public IP addresses internally.

network:

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd65:e0f5:280a::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.137.1'
        option gateway '172.64.0.5'

config interface 'wwan'
        option proto 'dhcp'
        option metric '20'

config interface 'vpnclient'
        option device 'tun0'
        option proto 'none'
        option metric '10'

dhcp:

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'
        option rebind_protection '0'

config dhcp 'lan'
        option interface 'lan'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        option start '10'
        option limit '250'
        option leasetime '1w'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config host
        option name 'fritz.lan'
        option dns '1'
        option mac '4E:5D:35:96:00:C7'
        option ip '192.168.137.2'

firewall:

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'vpnclient'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'vpnclient'
        list device 'tun0'
        option input 'REJECT'

config zone 'wan'
        option name 'wan'
        option output 'ACCEPT'
        option forward 'REJECT'
        option mtu_fix '1'
        option masq '1'
        list device 'tun+'
        list network 'wan'
        list network 'wan6'
        list network 'wwan'
        option input 'REJECT'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'
config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'
config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'
config forwarding
        option src 'lan'
        option dest 'vpnclient'

config forwarding
        option src 'lan'
        option dest 'wan'

config include 'pbr'
        option fw4_compatible '1'
        option type 'script'
        option path '/usr/share/pbr/pbr.firewall.include'

That's going to be challenging to make work.

Firstly, the LAN interface usually doesn't need to know about a gateway. The LAN interface is the gateway.

Secondly any gateway, if configured, needs to be on the same subnet, otherwise communication is unlikely to occur.

Pick a zone. The interface can't belong to multiple zones. One zone can have many interfaces. Each interface can have only one zone.
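To make the zone-membership point above checkable rather than a matter of reading the file by eye, here is an added shell audit (my example, not code from the thread or from the OpenWrt project). It parses UCI firewall text and lists every zone whose `list device` entries claim a given device, treating a trailing `+` as the prefix wildcard fw3/fw4 use, so `tun+` matches `tun0`. The firewall text is a constructed excerpt of the one posted above; `zones_claiming_device` and `device_has_single_zone` are names I chose for this example.

```shell
#!/bin/sh
# Constructed excerpt of the /etc/config/firewall posted in the thread (not the full file).
FW_CONFIG=$(cat <<'EOF'
config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        list network 'lan'

config zone
        option name 'vpnclient'
        option masq '1'
        list network 'vpnclient'
        list device 'tun0'

config zone 'wan'
        option name 'wan'
        option masq '1'
        list device 'tun+'
        list network 'wan'
        list network 'wwan'

config rule
        option name 'Allow-Ping'
        option src 'wan'
EOF
)

# Print the name of every zone whose device list matches $1 (the device name).
# $2 is the UCI firewall text. A list entry ending in '+' is a prefix wildcard,
# which is fw3/fw4 semantics, so 'tun+' claims tun0 as well as tun1, tun2, ...
zones_claiming_device() {
    printf '%s\n' "$2" | awk -v dev="$1" '
        $1 == "config" { in_zone = ($2 == "zone"); zone = "" }
        in_zone && $1 == "option" && $2 == "name" { gsub("\047", "", $3); zone = $3 }
        in_zone && $1 == "list" && $2 == "device" {
            gsub("\047", "", $3)
            if ($3 == dev) { print zone; next }
            if (sub(/\+$/, "", $3) && index(dev, $3) == 1) print zone
        }'
}

# Exit 0 when $1 is claimed by at most one zone, 1 when several zones claim it.
device_has_single_zone() {
    [ "$(zones_claiming_device "$1" "$2" | wc -l | tr -d ' ')" -le 1 ]
}

for z in $(zones_claiming_device tun0 "$FW_CONFIG"); do
    echo "tun0 is claimed by zone: $z"
done
if device_has_single_zone tun0 "$FW_CONFIG"; then
    echo "tun0: OK, single zone"
else
    echo "tun0: conflict, pick one zone"
fi
```

Run against the posted configuration the audit reports both `vpnclient` and `wan`, which is exactly the double membership this reply warns about. The check only looks at `list device` entries; the `list network` mappings are resolved by the firewall from /etc/config/network and are not inspected here.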

VPN-Client:

client
dev tun
port 1194
remote xxx.salzwerk-crew.org
proto udp
persist-tun
persist-key

verb 3

<ca>
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
</ca>

<cert>

-----END CERTIFICATE-----
</cert>

<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----

-----END ENCRYPTED PRIVATE KEY-----
</key>
askpass /etc/openvpn/SWCInet.auth
redirect-gateway def1

VPN-Server:

mode server
local 0.0.0.0
port 1194
proto udp
dev tun


#tls-server
#tls-auth "C:\\Projekte\\Services\\OpenVPN\\config\\pki\\ca.key" 0
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450

ca "C:\\Projekte\\Services\\OpenVPN\\config\\pki\\ca.crt"
cert "C:\\Projekte\\Services\\OpenVPN\\config\\pki\\openvpn-salzserver.crt"
key "C:\\Projekte\\Services\\OpenVPN\\config\\pki\\openvpn-salzserver_unencrypted.key"
dh "C:\\Projekte\\Services\\OpenVPN\\config\\pki\\dh.pem"

mode server

server 172.64.0.0 255.255.0.0
duplicate-cn
push "route-gateway172.64.0.1"
push "route 0.0.0.0 0.0.0.0"

keepalive 10 120

persist-key
persist-tun

verb 3

route-delay 5
route-method exe


Needs a space between "y" and "1".

So, I reckon the biggest obstacle is the syntax error in the server's push directive. Add one space where indicated and my guess is your problems will (probably) disappear.

However, the OpenWRT configuration also ought to be tidied up. Get rid of the unnecessary gateway directive for the LAN interface, and also take the tun+ entry out of the WAN firewall zone.

See how you get on from there.
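The fused `push "route-gateway172.64.0.1"` line is the kind of defect that is easy to overlook in a long server config, so here is an added shell lint (my example, not from the thread or from the OpenVPN project) that flags any push directive whose option keyword runs straight into a numeric argument. The server text is a constructed excerpt of the one posted above, and the heuristic is mine: a keyword such as `route-ipv6` legitimately ends in a digit, but no OpenVPN option keyword continues with digits and a dot, so `[a-z-]+[0-9]+\.[0-9]` catches the fused form without flagging valid ones.

```shell
#!/bin/sh
# Constructed excerpt of the server.ovpn posted in the thread, reproducing the fused directive.
SERVER_CONF=$(cat <<'EOF'
server 172.64.0.0 255.255.0.0
duplicate-cn
push "route-gateway172.64.0.1"
push "route 0.0.0.0 0.0.0.0"
keepalive 10 120
EOF
)

# Print "<line number>: <pushed option>" for every push directive whose first word
# is an option keyword immediately followed by something that looks like an IP address.
lint_push_directives() {
    printf '%s\n' "$1" | awk '
        $1 == "push" {
            opt = $0
            sub(/^[ \t]*push[ \t]+"/, "", opt)   # drop the push keyword and opening quote
            sub(/".*$/, "", opt)                 # drop the closing quote and anything after
            split(opt, w, " ")
            if (w[1] ~ /^[a-z-]+[0-9]+\.[0-9]/) print NR ": " opt
        }'
}

# Number of flagged push directives, for a quick pass/fail in scripts.
count_fused_push() {
    lint_push_directives "$1" | wc -l | tr -d ' '
}

lint_push_directives "$SERVER_CONF"
echo "fused push directives: $(count_fused_push "$SERVER_CONF")"
```

On the posted excerpt the lint reports line 3 (`route-gateway172.64.0.1`); after inserting the missing space, `push "route-gateway 172.64.0.1"`, it reports nothing.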

Yes, it is; sorry, copy-paste mistake from the terminal.

Forgot to ask: what's the routing table from OpenWRT when the VPN tunnel is active? Either route -n or ip route will suffice.

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         172.16.0.1      0.0.0.0         UG    0      0        0 wlan0
85.10.247.54    172.16.0.1      255.255.255.255 UGH   0      0        0 wlan0
172.16.0.0      0.0.0.0         255.255.0.0     U     20     0        0 wlan0
172.64.0.5      0.0.0.0         255.255.255.255 UH    0      0        0 tun0
192.168.137.0   0.0.0.0         255.255.255.0   U     0      0        0 br-lan

This stands out as the oddity.

Your server is (or appears to be) pushing 172.64.0.1 as the gateway for VPN clients, yet you've configured 172.64.0.5 as the default route. Was that on instructions from Cloudflare? It seems curious, is all.

Well, I was wondering about that too, but as described in the first post, if I add 172.64.0.5 as gateway it works. When I use 172.64.0.1 it errors with "out of reach".
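The "out of reach" error and the fact that 172.64.0.5 installs fine both follow from the routing table posted above, so here is an added shell check (my example, not from the thread) that reads a `route -n` table and reports, for a candidate gateway, which connected route (Gateway 0.0.0.0) covers it. The kernel only accepts a next hop that lies inside a connected route's prefix; in that table the only on-link entry on tun0 is the /32 host route to 172.64.0.5, while nothing covers 172.64.0.1, so `route add default gw 172.64.0.1` is rejected as unreachable. The table is embedded as constructed sample input copied from the post; the function names are mine.

```shell
#!/bin/sh
# Constructed sample: the `route -n` table posted in the thread, embedded so this runs offline.
ROUTE_TABLE=$(cat <<'EOF'
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         172.16.0.1      0.0.0.0         UG    0      0        0 wlan0
85.10.247.54    172.16.0.1      255.255.255.255 UGH   0      0        0 wlan0
172.16.0.0      0.0.0.0         255.255.0.0     U     20     0        0 wlan0
172.64.0.5      0.0.0.0         255.255.255.255 UH    0      0        0 tun0
192.168.137.0   0.0.0.0         255.255.255.0   U     0      0        0 br-lan
EOF
)

# Dotted quad -> 32-bit integer, using only POSIX sh arithmetic.
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Interface carrying the default route (destination 0.0.0.0), or nothing if there is none.
default_iface() {
    printf '%s\n' "$1" | awk '$1 == "0.0.0.0" { print $8; exit }'
}

# Interface of the connected route (gateway 0.0.0.0) whose prefix covers the address $1.
# The kernel only installs a route whose next hop is on-link like this; empty output
# means "route add ... gw $1" fails with "Network is unreachable".
onlink_iface() {
    want=$(ip2int "$1")
    printf '%s\n' "$2" | awk '$2 == "0.0.0.0" { print $1, $3, $8 }' |
    while read -r dst mask iface; do
        m=$(ip2int "$mask")
        d=$(ip2int "$dst")
        if [ $(( want & m )) -eq "$d" ]; then
            echo "$iface"
            break
        fi
    done
}

# Exit 0 when the default route already leaves via tun0, 1 otherwise.
vpn_carries_default() {
    [ "$(default_iface "$1")" = "tun0" ]
}

echo "default route leaves via: $(default_iface "$ROUTE_TABLE")"
for candidate in 172.64.0.5 172.64.0.1; do
    link=$(onlink_iface "$candidate" "$ROUTE_TABLE")
    echo "gateway $candidate: ${link:+reachable on $link}${link:-NOT on any connected route}"
done
```

Against the posted table this prints that the default route still leaves via wlan0 (so the tunnel is up but carries no Internet traffic) and that 172.64.0.5 is reachable on tun0 while 172.64.0.1 is not. After the server push is corrected, re-running the same check should show the default route on tun0; if it does not, the pushed routes are the next thing to compare.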

Did a bit more digging.

login-1.salzwerk-crew.org resolves to 85.10.247.54, which is operated by Hetzner.

However, 172.64.0.0/16 is operated by Cloudflare, a different company. Any public Internet router is going to send traffic for 172.64.0.0/16 towards Cloudflare's network, not Hetzner's.

I would recommend questioning whoever advised you that 172.64.0.0/16 should be used on a device inside Hetzner's network. It strikes me as rather strange.