GL-iNet 1300M OVPN Problem

Hi,

I try to make a openvpn connection on GL-iNet GL-B1300 fw 3.027 as client

the ovpn config runs without problem on a raspbian pi

on openwrt I can open the vpn connection but I can not send any paket through it:
config files:

any ideas, what can be wrong?

I guess it's a problem in the firewall setting, but I don't know

Setup
compnay net - ovpn gateway - Internet - wlan openwrt as dhcp - lan openwrt - local network

[/etc/config/networks]

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd52:0ba2:c80b::/48'

config interface 'lan'
        option force_link '1'
        option type 'bridge'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option hostname 'GL-B1300-dc8-5G'
        option ieee1905managed '1'
        option ipaddr '10.49.222.1'
        option ifname 'eth1'

config interface 'wan'
        option proto 'dhcp'
        option hostname 'GL-B1300-dc8-5G'
        option ifname 'eth0'

config interface 'wan6'
        option ifname 'eth0'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0t 1 2 3 4'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0t 5'

config switch_ext
        option device 'switch0'
        option name 'QosPtMode'
        option port_id '1'
        option mode 'dscp'
        option status 'enable'

config switch_ext
        option device 'switch0'
        option name 'QosPtMode'
        option port_id '2'
        option mode 'dscp'
        option status 'enable'

config switch_ext
        option device 'switch0'
        option name 'QosPtMode'
        option port_id '3'
        option mode 'dscp'
        option status 'enable'

config switch_ext
        option device 'switch0'
        option name 'QosPtMode'
        option port_id '4'
        option mode 'dscp'
        option status 'enable'

config switch_ext
        option device 'switch0'
        option name 'QosPtMode'
        option port_id '5'
        option mode 'dscp'
        option status 'enable'

config interface 'guest'
        option ifname 'guest'
        option type 'bridge'
        option proto 'static'
        option ipaddr '192.168.9.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wwan'
        option proto 'dhcp'
        option metric '20'
        option ifname 'wlan-sta0'

[/etc/config/firewall]

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option disabled '0'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option device 'tun+'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6 wwan'

config forwarding
        option src 'lan'
        option dest 'wan'
        option enabled '1'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'


config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fe80::/10'
        option src_port '547'
        option dest_ip 'fe80::/10'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'
        option reload '1'

config rule
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule 'glservice_rule'
        option name 'glservice'
        option dest_port '83'
        option proto 'tcp udp'
        option src 'wan'
        option target 'ACCEPT'
        option enabled '0'

config include 'qcanssecm'
        option type 'script'
        option path '/etc/firewall.d/qca-nss-ecm'
        option family 'any'
        option reload '0'

config include 'gls2s'
        option type 'script'
        option path '/var/etc/gls2s.include'
        option reload '1'


config include 'glfw'
        option type 'script'
        option path '/usr/bin/glfw.sh'
        option reload '1'

config include 'glqos'
        option type 'script'
        option path '/usr/sbin/glqos.sh'
        option reload '1'

config include 'mwan3'
        option type 'script'
        option path '/var/etc/mwan3.include'
        option reload '1'

config zone 'guestzone'
        option name 'guestzone'
        option network 'guest'
        option forward 'REJECT'
        option output 'ACCEPT'
        option input 'REJECT'

config forwarding 'guestzone_fwd'
        option src 'guestzone'
        option dest 'wan'
        option enabled '1'

config rule 'guestzone_dhcp'
        option name 'guestzone_DHCP'
        option src 'guestzone'
        option target 'ACCEPT'
        option proto 'udp'
        option dest_port '67-68'

config rule 'guestzone_dns'
        option name 'guestzone_DNS'
        option src 'guestzone'
        option target 'ACCEPT'
        option proto 'tcp udp'
        option dest_port '53'

config forwarding 'forwarding_wan'
        option src 'wan'
        option dest 'lan'

[openvpn config file client]
client
dev tun
proto udp
remote [remote-server] 5001
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
auth SHA256
verb 3


GL-inet forum would be the better place to ask, because their firmware differs from the stock OpenWrt.

1 Like

I guess, here it's better.
I made the topic there as well. No any answer yet.
it's better in case I put normal OpenWrt Firmware to the router?
then it would be possible?

I believe that the GL.iNet firmware for the GL-B1300 and GL-M1300 use the QSDK, so there may be some performance advantages there, as well as the GL.iNet GUI and utilities, which many people find of value.

Configuring the OpenVPN connection through the GL.iNet GUI would be my first approach. It will then be where the GL.iNet utilities expect it to be and in the form needed. It will also be consistent with the GL.iNet VPN-management utilities, including start and stop.


I'm working with one of their devices under OEM firmware and intentionally configuring it manually for consistency with my OpenWrt testing.

You may need to explicitly enable the OpenVPN service and start it (as I believe the OEM firmware uses some kind of VPN manager, which I have never used myself).

/etc/init.d/openvpn enable
/etc/init.d/openvpn start

My own config puts the client definition into /etc/config/openvpn for all of the devices I've been testing -- this may or may not be "right", but it "works for me".

config openvpn 'Test'
        option dev 'tun'
        option nobind '1'
        option verb '3'
        list remote '10.0.0.2'
        option secret '/etc/openvpn/static.key'
        option enabled '1'
        option ifconfig '172.16.1.1 172.16.1.2'

I start the ovpn connection by hand by now for testing.
with openvpn --config [openvpn-file]
in case I use vpn manager of GLiNet it works just in one direction not site to site.

on a raspberry pi 4 it works in both directions
the questin is, someone has it running with GL-iNet and site to site openvpn

looks like the connection made by gui uses nat for the vpn connection

For routed site-to-site (I see "tun" in the OpenVPN config, not "tap"), you probably need to put the tunnel interface into its own firewall zone so that it is straightforward to manage the firewall rules related to forwarding. Given the description of the behavior, I would guess that it is in something that looks/works like the "WAN" zone with NAT and with inbound traffic blocked by default.

yes, I think it's because of firewall.
but to tell the truth, I have no ideas about the firewall concept of openwrt yet.
iptables I know, somehow...
can you give me a hint to change firewall for it maybe will work?
or give a link, where I can find information how to do it?