Help, please, to configure VPN server to access internet through it

I installed OpenWrt as a guest machine behind NAT, and installed and configured an OpenVPN server on it. The guest machine can ping any domain. I'm connecting to the OpenVPN server from Keenetic and the connection is established, but there is nothing in traceroute on the device that is connected to Keenetic and can use only the VPN connection, only 192.168.1.1 > 10.8.0.1 > timed out.

root@OpenWrt:/# cat /etc/openvpn/server.conf 
port 1194
proto tcp 
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/openvpn-server.crt
key /etc/openvpn/keys/openvpn-server.key
dh /etc/openvpn/keys/dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
log-append /etc/openvpn/logs/openvpn.log
verb 5 
root@OpenWrt:/# tail -f /etc/openvpn/logs/openvpn.log 

2025-01-13 13:51:55 us=747957 MULTI: multi_create_instance called
2025-01-13 13:51:55 us=748079 Re-using SSL/TLS context
2025-01-13 13:51:55 us=748211 Control Channel MTU parms [ L:1623 D:1210 EF:40 EB:0 ET:0 EL:3 ]
2025-01-13 13:51:55 us=748246 Data Channel MTU parms [ L:1623 D:1450 EF:123 EB:406 ET:0 EL:3 ]
2025-01-13 13:51:55 us=748304 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1559,tun-mtu 1500,proto TCPv4_SERVER,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-server'
2025-01-13 13:51:55 us=748323 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1559,tun-mtu 1500,proto TCPv4_CLIENT,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-client'
2025-01-13 13:51:55 us=748355 TCP connection established with [AF_INET]37.113.54.4:42663
2025-01-13 13:51:55 us=748375 TCPv4_SERVER link local: (not bound)
2025-01-13 13:51:55 us=748394 TCPv4_SERVER link remote: [AF_INET]37.113.54.4:42663
R2025-01-13 13:51:55 us=751646 37.113.54.4:42663 TLS: Initial packet from [AF_INET]37.113.54.4:42663, sid=db462178 dad2eeae
WRWWWWRRRWR2025-01-13 13:51:56 us=136829 37.113.54.4:42663 VERIFY OK: depth=1, CN=Easy-RSA CA
2025-01-13 13:51:56 us=136952 37.113.54.4:42663 VERIFY OK: depth=0, CN=openvpn-client
WR2025-01-13 13:51:56 us=137232 37.113.54.4:42663 peer info: IV_VER=2.6.7
2025-01-13 13:51:56 us=137300 37.113.54.4:42663 peer info: IV_PLAT=linux
2025-01-13 13:51:56 us=137344 37.113.54.4:42663 peer info: IV_TCPNL=1
2025-01-13 13:51:56 us=137362 37.113.54.4:42663 peer info: IV_MTU=1600
2025-01-13 13:51:56 us=137379 37.113.54.4:42663 peer info: IV_NCP=2
2025-01-13 13:51:56 us=137410 37.113.54.4:42663 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
2025-01-13 13:51:56 us=137426 37.113.54.4:42663 peer info: IV_PROTO=990
2025-01-13 13:51:56 us=137443 37.113.54.4:42663 peer info: IV_LZO_STUB=1
2025-01-13 13:51:56 us=137460 37.113.54.4:42663 peer info: IV_COMP_STUB=1
2025-01-13 13:51:56 us=137477 37.113.54.4:42663 peer info: IV_COMP_STUBv2=1
2025-01-13 13:51:56 us=137502 37.113.54.4:42663 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1559', remote='link-mtu 1543'
2025-01-13 13:51:56 us=137527 37.113.54.4:42663 WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
WRR2025-01-13 13:51:56 us=276200 37.113.54.4:42663 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
2025-01-13 13:51:56 us=276267 37.113.54.4:42663 [openvpn-client] Peer Connection Initiated with [AF_INET]37.113.54.4:42663
2025-01-13 13:51:56 us=276296 openvpn-client/37.113.54.4:42663 MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)
2025-01-13 13:51:56 us=276342 openvpn-client/37.113.54.4:42663 MULTI: Learn: 10.8.0.6 -> openvpn-client/37.113.54.4:42663
2025-01-13 13:51:56 us=276363 openvpn-client/37.113.54.4:42663 MULTI: primary virtual IP for openvpn-client/37.113.54.4:42663: 10.8.0.6
2025-01-13 13:51:56 us=276386 openvpn-client/37.113.54.4:42663 Data Channel: using negotiated cipher 'AES-256-GCM'
2025-01-13 13:51:56 us=276412 openvpn-client/37.113.54.4:42663 Data Channel MTU parms [ L:1551 D:1450 EF:51 EB:406 ET:0 EL:3 ]
2025-01-13 13:51:56 us=276486 openvpn-client/37.113.54.4:42663 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2025-01-13 13:51:56 us=276508 openvpn-client/37.113.54.4:42663 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2025-01-13 13:51:56 us=276542 openvpn-client/37.113.54.4:42663 SENT CONTROL [openvpn-client]: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM' (status=1)
WRRRRRRRRRRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwWRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwrWRwRwrWRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwWRwRwRwRwRwRwRwRwRwRwRwRw2025-01-13 13:52:27 us=685306 openvpn-client/37.113.54.4:42663 Connection reset, restarting [0]
2025-01-13 13:52:27 us=685380 openvpn-client/37.113.54.4:42663 SIGUSR1[soft,connection-reset] received, client-instance restarting
2025-01-13 13:52:27 us=685762 TCP/UDP: Closing socket
^C
Closing socket - manually closed connection after trying traceroute from the device connected to Keenetic.

root@OpenWrt:/# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config interface 'lan'
        option ifname 'eth0'
        option proto 'dhcp'

config interface 'vpn0'
        option ifname 'tun0'
        option proto 'none'
        option auto '1'
root@OpenWrt:/# cat /etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule 'Allow_OpenVPN_Inbound'
        option target 'ACCEPT'
        option src '*'
        option proto 'tcp'
        option dest_port '1194'

config forwarding 'vpn_forwarding_wan'
        option src 'vpn'
        option dest 'wan'

config zone 'vpn'
        option name 'vpn'
        option network 'vpn0'
        option input 'ACCEPT'
        option forward 'REJECT'
        option output 'ACCEPT'
        option masq '1'

but the firewall is stopped

root@OpenWrt:/# /etc/init.d/firewall status
inactive

What's wrong?

The firewall must be active because you need masquerading. The question is in which zone.

I don't see any wan interface in the posted network configuration and the lan interface protocol is set to dhcp.

If the device uses the lan interface to access the internet, you need to enable masquerading in the lan zone (disable it in the vpn zone) and change the forwarding as follows:

config forwarding 'vpn_forwarding'
    option src 'vpn'
    option dest 'lan'

This syntax is ancient. What is the OpenWrt version?

3 Likes

There is no wan network here, so the path from a VPN client to the Internet is lan. Set a firewall allow forward vpn->lan. Enable masquerade on lan but do not set masquerade on vpn. Masquerade works on the outgoing zone.

3 Likes
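As an added example (not code from this thread or from OpenWrt), the rule both answers give, written as a small Python lint over UCI text: a forwarding whose src is the vpn zone must point at a zone that actually holds a configured interface, and masq must be enabled on that egress zone rather than on vpn. The parser only understands config/option/list lines, and NETWORK, BROKEN_FW and FIXED_FW are constructed, simplified copies of the configs posted above.

```python
# Added example (not OpenWrt's own code): lint a UCI firewall config for the
# masquerade/forwarding mistake in this thread. The parser only understands
# config/option/list lines; NETWORK, BROKEN_FW and FIXED_FW are constructed.

NETWORK = "\n".join(["config interface 'lan'", "option proto 'dhcp'",
                     "config interface 'vpn0'", "option ifname 'tun0'"])
BROKEN_FW = "\n".join([
    "config zone", "option name 'lan'", "list network 'lan'",
    "config zone", "option name 'wan'", "list network 'wan'", "option masq '1'",
    "config forwarding", "option src 'vpn'", "option dest 'wan'",
    "config zone 'vpn'", "option name 'vpn'", "option network 'vpn0'", "option masq '1'"])
FIXED_FW = "\n".join([
    "config zone", "option name 'lan'", "list network 'lan'", "option masq '1'",
    "config forwarding", "option src 'vpn'", "option dest 'lan'",
    "config zone 'vpn'", "option name 'vpn'", "option network 'vpn0'", "option masq '0'"])

def parse_uci(text):
    """Return [(section_type, section_name, {key: [values]})] for a UCI file."""
    sections = []
    for line in text.splitlines():
        parts = line.strip().replace("'", "").split()
        if not parts:
            continue
        if parts[0] == "config":
            sections.append((parts[1], parts[2] if len(parts) > 2 else "", {}))
        elif parts[0] in ("option", "list") and sections:
            sections[-1][2].setdefault(parts[1], []).append(" ".join(parts[2:]))
    return sections

def lint_vpn_egress(firewall_text, network_text, vpn_zone="vpn"):
    """Return findings explaining why VPN clients would not reach the Internet."""
    fw = parse_uci(firewall_text)
    interfaces = {name for kind, name, _ in parse_uci(network_text) if kind == "interface"}
    zones = {o["name"][0]: o for kind, _, o in fw if kind == "zone" and "name" in o}
    findings = []
    for kind, _, o in fw:
        if kind != "forwarding" or o.get("src", [""])[0] != vpn_zone:
            continue
        dest = o.get("dest", [""])[0]
        zone = zones.get(dest, {})
        # A zone whose networks are not defined in /etc/config/network leads nowhere.
        if not set(zone.get("network", [])) & interfaces:
            findings.append(f"forwarding {vpn_zone}->{dest}: zone '{dest}' has no interface")
        elif zone.get("masq", ["0"])[0] != "1":
            findings.append(f"egress zone '{dest}' needs masq '1'")
    # Masquerade applies on the outgoing zone, so masq on the VPN zone does nothing.
    if zones.get(vpn_zone, {}).get("masq", ["0"])[0] == "1":
        findings.append(f"masq on '{vpn_zone}' has no effect; enable it on the egress zone")
    return findings
```

Running `lint_vpn_egress(BROKEN_FW, NETWORK)` reports both problems from the original post, and the fixed config returns no findings.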

The firewall is stopped in the guest machine OpenWrt. In the host machine it is on and the rule is added for masquerading. I also started the firewall in the guest machine and changed these configs in the sections you said; now this is how they are configured:

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'

config forwarding
        option src 'vpn'
        option dest 'lan'

config forwarding 'vpn_forwarding_wan'
        option src 'vpn'
        option dest 'lan'

config zone 'vpn'
        option name 'vpn'
        option network 'vpn0'
        option input 'ACCEPT'
        option forward 'REJECT'
        option output 'ACCEPT'
        option masq '0'

And that worked for me! Thanks a lot! And it also works from the android device connected directly in OpenVPN app. Great!

Only one problem: when Keenetic is connected to the OpenVPN server, the Android device conflicts with the Keenetic VPN connection and can't connect directly from the app. I can solve it if I make a new client config connection, right?

Thanks for your answer too. Now I understand that you said the same as commentator above, but his answer has more details, so it was easier to apply for me.

The right way would be to generate individual certificate&key pairs for each client.
Alternatively, you could add duplicate-cn to the openvpn server config file.

2 Likes

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.