I successfully installed and configured openvpn on my openwrt 19.07.3. My problem now is that I cannot connect to the company openvpn server for instance because of the forwarding rule I have added. This is the relevant confs:
firewall
config zone
option name 'vpn'
option network 'vpn0'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option masq '1'
config rule
option name 'Allow-OpenVPN-Inbound'
option target 'ACCEPT'
option proto 'udp'
option dest_port '1194'
option src '*'
config forwarding
option src 'vpn'
option dest 'wan'
config forwarding
option src 'vpn'
option dest 'vlan10'
config redirect
option target 'DNAT'
option dest_port '1194'
option src_dport '1194'
option name 'Forward1194'
option dest 'vlan10'
option src 'vlan10'
option dest_ip '10.0.10.1'
When I disable the forwarding rule, of course I have no access to my openvpn server, but I have access to the company's openvpn server and vice versa. What am I missing here? and how can I fix this. I tried to add a second rules, but it's not working as I expect, since the handled packets are all for port 1194.
I don't see the point to opening the port 1194 to all zones. I guess you expect incoming connections from wan only.
Also I don't see the point for masquerading the vpn zone.
The port forward rule doesn't make any sense.
Better explain the situation you have there in more detail, including the whole configurations, especially the one with your company.
well we have at the company an openvpn server and I connect to it using my client configuration.
At home I installed openvpn on openwrt. The thing is without the forward rule I can't connect to my local openvpn server. Thus I can normally connect to the company's openvpn. When I enable the rule I suddenly can connect to my loacl openvpn, but not to the company's any more, I think because of the packet forwarding. Here is my config:
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'wan wan6'
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'vlan10'
option network 'vlan10'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list device 'eth0.10'
config zone
option name 'vlan20'
option network 'vlan20'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'vpn'
option network 'vpn0'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option masq '1'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option proto 'esp'
option target 'ACCEPT'
option dest 'vlan10'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
option dest 'vlan10'
config include
option path '/etc/firewall.user'
config rule
option name 'Allow-OpenVPN-Inbound'
option target 'ACCEPT'
option proto 'udp'
option dest_port '1194'
option src 'wan'
config forwarding
option src 'vpn'
option dest 'wan'
config forwarding
option src 'vpn'
option dest 'vlan10'
config redirect
option target 'DNAT'
option name 'Forward1194'
option dest_port '1194'
option src_dport '1194'
option src 'vlan10'
config rule
option src '*'
option name 'AllowMeWlan'
option dest '*'
option target 'ACCEPT'
list src_mac 'wireless MAC'
config rule
option src '*'
option name 'AllowMeLan'
option dest '*'
option target 'ACCEPT'
list src_mac 'EthernetMAC'
config rule
option name 'DenyAll'
option target 'DROP'
option dest 'vlan10'
option src 'vlan20'
config forwarding
option dest 'wan'
option src 'vlan10'
config forwarding
option dest 'wan'
option src 'vlan20'
config forwarding
option src 'vlan10'
option dest 'vlan20'
What I want to achieve it to connect to my openvpn server as well as to the company's server or any other public openvpn server without disabling and enabling the forward rule. I used to run a deticated openvpn server on Debian and the rule was of course needed, I thought it is not needed when I run openvpn on openwrt, but it turns out that I cannot connect without it. Here is my openvpn config:
openvpn
config openvpn 'homevpn'
option local '10.0.10.1'
option enabled '1'
option dev 'tun'
option port '1194'
option comp_lzo 'yes'
option mute '5'
option keepalive '10 120'
option persist_key '1'
option persist_tun '1'
option user 'nobody'
option group 'nogroup'
option ca '/etc/openvpn/easyrsa/pki/ca.crt'
option cert '/etc/openvpn/easyrsa/pki/issued/server.crt'
option key '/etc/openvpn/easyrsa/pki/private/server.key'
option dh '/etc/openvpn/easyrsa/pki/dh.pem'
option mode 'server'
option tls_server '1'
option server '10.8.0.0 255.255.255.0'
option route_gateway 'dhcp'
option client_to_client '1'
option tls_auth '/etc/openvpn/easyrsa/pki/private/ta.key 0'
option key_direction '0'
option duplicate_cn '1'
option sndbuf '393216'
option rcvbuf '393216'
option auth 'SHA256'
option cipher 'AES-256-CBC'
option verify_client_cert 'none'
option username_as_common_name '1'
option auth_nocache '1'
option verb '4'
option script_security '2'
option log '/etc/openvpn/log/openvpn.log'
option status '/etc/openvpn/log/openvpn_status.log'
option auth_user_pass_verify '/etc/openvpn/config/ovpnauth.sh via-file'
list push 'comp-lzo yes'
list push 'persist-key'
list push 'persist-tun'
list push 'user nobody'
list push 'group nogroup'
list push 'topology subnet'
list push 'route-gateway dhcp'
list push 'redirect-gateway def1 bypass-dhcp'
list push 'route 10.0.10.0 255.255.255.0'
list push 'dhcp-option DNS 10.0.10.1'
list push 'dhcp-option DNS 1.1.1.1'
list push 'sndbuf 393216'
list push 'rcvbuf 393216'
This forward doesn't make sense. You redirect packets from vlan10 going to 1194 and you send them to your OpenVPN server. Why? The OpenVPN clients will connect from wan, not lan.
This is not necessary if there is no forwarding from vlan20 to vlan10.
The OpenVPN to your company is running on the OpenWrt or some host in the lan?
The OpenVPN server in the company is a dedicated Debian server.
I edited every thing as you suggested and disabled the forward rule and tries to connect from my smartphone with through mobile data and wifi disabled, no success! Thus I can connect when it is enabled, even if it doesn't make sense.
My penvpn WAN IP is provided by a ddns service, this all used to work with my old openwrt config and a dedicated server.
Now I am getting more insight, the connection worked only when I am connected to wif (openwrt) because of the forwarding rule, but it never worked from WAN, I tested now from different devices in WAN and I cannot connect.
So now I am facing a another problem, trying to connect to openvpn from WAN, I setup the forwarding rule on the old setup just to be able to connect to my openvpn within LAN as well for testing purposes.
Here is my client conf:
###############################################################################
# OpenVPN Client Configuration for Remote Access VPN at Home
###############################################################################
# Specify that we are a client
client
remote my.ddns.domain 1194
# TUN server
dev tun
# VPN protocol
proto udp
# allow a remote peer to change it's IP address and/or port number
# Essentially, --float tells OpenVPN to accept authenticated packets
# from any address, not only the address which was specified in the --remote option.
float
# Set output verbosity to n (default=1).
verb 4
# Push additional information about the client to server.
push-peer-info
# Keep trying indefinitely to resolve the host name of the OpenVPN server. Very useful
resolv-retry infinite
# Most clients don't need to bind to a specific local port number.
nobind
# Downgrade privileges after initialization (uncomment for non-Windows only)
user nobody
group nogroup
# Try to preserve some state across restarts.
persist-key
persist-tun
# Enable compression on the VPN link. Don't enable this unless it is also enabled in the server config file.
comp-lzo
# Authentication with user/password on server depending on the module in use.
auth-user-pass
###########################################################################
# This script uses the resolvconf utility to update DNS information for Linux clients.
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
###########################################################################
# TLS-Settings for authentication of the connection from client to server
tls-client
remote-cert-tls server
# Encrypt data channel packets with cipher algorithm AES-128-CBC
cipher AES-256-CBC
# Authenticate packets with HMAC using message digest algorithm SHA256.
auth SHA256
key-direction 1
<ca>
-----BEGIN CERTIFICATE-----
ca.crt
-----END CERTIFICATE-----
</ca>
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
ta.key
-----END OpenVPN Static key V1-----
</tls-auth>
Just for the record, I can connect to my openvpn when I am connected to my LAN network and the forwarding rule is enabled.