Help setting up OpenVPN

Hello, I am hoping someone can help me here because this is driving me crazy.

I have a VPS, on which I have installed an OpenVPN server using a one-click install script. Needless to say, I have many .ovpn profiles that work perfectly (certificates, not user/pass) in OpenVPN Connect on Windows, Linux, Android and iOS.

For a modem I have an old one which has no Wi-Fi and only one LAN port; it is set to 192.168.1.254. Next I have a Raspberry Pi 4B running rpi4.64-snapshot-29253-5.7.31-2-r19345. It receives from the modem via the LAN port and I provide internet via wireless.

OK, till now I am quite happy. But I keep loading a .ovpn profile and activating it until it says yes, then, following https://youtu.be/PuBTE0xmdIk, I go to Interfaces and create a tun0 interface (I see it because OpenVPN is showing 'yes'), following the guide. I set the zone to 'wan', but I also tried creating new zones as some other guides suggested. At this point I am expecting my Wi-Fi connections to go through OpenVPN, but they don't, and I can't say why. Excluding the certificate and server IP, the settings in the .ovpn profile are shown below.

client
dev tun
proto udp
remote ... 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA512
cipher AES-256-CBC
ignore-unknown-option block-outside-dns
block-outside-dns
verb 3

Any help would be appreciated.

Are you sure the tunnel is up and running? Restart the service and check the logs.

/etc/init.d/log restart; /etc/init.d/openvpn restart; sleep 3; logread

All you have to do is assign the device tun+ to the wan zone.

uci add_list firewall.@zone[1].device="tun+"
uci commit firewall
/etc/init.d/firewall restart 

Remove these two lines. The block-outside-dns option is only for Windows clients, so it's useless here.

2 Likes

The lines are removed. The tunnel is up as far as I can tell. I will share pictures of the interface and logs while trying to preserve privacy. By tun+ I assume it's just a name, and in my tutorials I went with tun0, so I replaced '+' with '0' and tried the lines above. Still my Wi-Fi is not going through my VPS.

In 'tun0' I have seen in videos that immediately after creation it starts to receive packets and the counter moves up, while the many times I created it, it is always at tx 4 and rx 0 (it is shown in the image).

The picture that has less text is the one where the .ovpn is stopped (not yes).

https://imgur.com/a/f0LNpwx

There appears to be no IP address on tun0. That of course makes it impossible to route IP packets into the tunnel. The OpenVPN client should set the IP based on settings pushed from the server.

I didn't try to read your screen-captured log. Please copy and paste the log into a code box here.

Does the router have the correct time? In the screenshots it shows Saturday 2/4, while today is Friday 8/4.
Also you have some issue with the script trying to assign the IP address to a NULL interface.

1 Like

Oh, using SSH it's possible to copy and paste. OK. Regarding tun0 having no IP, I have no idea what to do with that info.


Sat Apr  2 09:42:04 2022 daemon.err openvpn(newRasOVPN)[9785]: event_wait : Interrupted system call (code=4)
Sat Apr  2 09:42:04 2022 daemon.notice openvpn(newRasOVPN)[9785]: net_route_v4_del: ****/32 via 192.168.1.254 dev [NULL] table 0 metric -1
Sat Apr  2 09:42:04 2022 daemon.notice openvpn(newRasOVPN)[9785]: net_route_v4_del: 0.0.0.0/1 via 10.8.0.1 dev [NULL] table 0 metric -1
Sat Apr  2 09:42:04 2022 daemon.notice openvpn(newRasOVPN)[9785]: net_route_v4_del: 128.0.0.0/1 via 10.8.0.1 dev [NULL] table 0 metric -1
Sat Apr  2 09:42:04 2022 daemon.notice openvpn(newRasOVPN)[9785]: delete_route_ipv6(::/3)
Sat Apr  2 09:42:04 2022 daemon.notice openvpn(newRasOVPN)[9785]: net_route_v6_del: ::/3 via :: dev tun0 table 0 metric -1
Sat Apr  2 09:42:04 2022 daemon.notice openvpn(newRasOVPN)[9785]: delete_route_ipv6(2000::/4)
Sat Apr  2 09:42:04 2022 daemon.notice openvpn(newRasOVPN)[9785]: net_route_v6_del: 2000::/4 via :: dev tun0 table 0 metric -1
Sat Apr  2 09:42:04 2022 daemon.notice openvpn(newRasOVPN)[9785]: delete_route_ipv6(3000::/4)
Sat Apr  2 09:42:04 2022 daemon.notice openvpn(newRasOVPN)[9785]: net_route_v6_del: 3000::/4 via :: dev tun0 table 0 metric -1
Sat Apr  2 09:42:04 2022 daemon.notice openvpn(newRasOVPN)[9785]: delete_route_ipv6(fc00::/7)
Sat Apr  2 09:42:04 2022 daemon.notice openvpn(newRasOVPN)[9785]: net_route_v6_del: fc00::/7 via :: dev tun0 table 0 metric -1
Sat Apr  2 09:42:04 2022 daemon.notice openvpn(newRasOVPN)[9785]: Closing TUN/TAP interface
Sat Apr  2 09:42:04 2022 daemon.notice openvpn(newRasOVPN)[9785]: net_addr_v4_del: 10.8.0.22 dev tun0
Sat Apr  2 09:42:04 2022 daemon.notice openvpn(newRasOVPN)[9785]: net_addr_v6_del: fddd:1194:1194:1194::1014/64 dev tun0
Sat Apr  2 09:42:04 2022 daemon.notice netifd: Network device 'tun0' link is down
Sat Apr  2 09:42:04 2022 daemon.notice netifd: Interface 'tun0' has link connectivity loss
Sat Apr  2 09:42:04 2022 daemon.notice netifd: Interface 'tun0' is now down
Sat Apr  2 09:42:04 2022 daemon.notice netifd: Interface 'tun0' is disabled
Sat Apr  2 09:42:04 2022 daemon.notice openvpn(newRasOVPN)[9785]: /usr/libexec/openvpn-hotplug down newRasOVPN tun0 1500 1552 10.8.0.22 255.255.255.0 init
Sat Apr  2 09:42:04 2022 daemon.notice openvpn(newRasOVPN)[9785]: SIGTERM[hard,] received, process exiting
Sat Apr  2 09:42:04 2022 user.warn mwan3-hotplug[10855]: hotplug called on tun0 before mwan3 has been set up
Sat Apr  2 09:42:04 2022 daemon.warn openvpn(newRasOVPN)[11016]: DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
Sat Apr  2 09:42:04 2022 daemon.notice openvpn(newRasOVPN)[11016]: OpenVPN 2.5.6 aarch64-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Sat Apr  2 09:42:04 2022 daemon.notice openvpn(newRasOVPN)[11016]: library versions: OpenSSL 1.1.1n  15 Mar 2022, LZO 2.10
Sat Apr  2 09:42:04 2022 daemon.warn openvpn(newRasOVPN)[11016]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sat Apr  2 09:42:04 2022 daemon.warn openvpn(newRasOVPN)[11016]: WARNING: Your certificate is not yet valid!
Sat Apr  2 09:42:04 2022 daemon.notice openvpn(newRasOVPN)[11016]: Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Sat Apr  2 09:42:04 2022 daemon.notice openvpn(newRasOVPN)[11016]: Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Sat Apr  2 09:42:04 2022 daemon.notice openvpn(newRasOVPN)[11016]: Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Sat Apr  2 09:42:04 2022 daemon.notice openvpn(newRasOVPN)[11016]: Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Sat Apr  2 09:42:04 2022 daemon.notice openvpn(newRasOVPN)[11016]: TCP/UDP: Preserving recently used remote address: [AF_INET]****:1194
Sat Apr  2 09:42:04 2022 daemon.notice openvpn(newRasOVPN)[11016]: Socket Buffers: R=[212992->212992] S=[212992->212992]
Sat Apr  2 09:42:04 2022 daemon.notice openvpn(newRasOVPN)[11016]: UDP link local: (not bound)
Sat Apr  2 09:42:04 2022 daemon.notice openvpn(newRasOVPN)[11016]: UDP link remote: [AF_INET]****:1194
Sat Apr  2 09:42:04 2022 daemon.notice openvpn(newRasOVPN)[11016]: TLS: Initial packet from [AF_INET]****:1194, sid=c358145c a989cb1e
Sat Apr  2 09:42:04 2022 daemon.notice openvpn(newRasOVPN)[11016]: VERIFY OK: depth=1, CN=ChangeMe
Sat Apr  2 09:42:04 2022 daemon.notice openvpn(newRasOVPN)[11016]: VERIFY KU OK
Sat Apr  2 09:42:04 2022 daemon.notice openvpn(newRasOVPN)[11016]: Validating certificate extended key usage
Sat Apr  2 09:42:04 2022 daemon.notice openvpn(newRasOVPN)[11016]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Sat Apr  2 09:42:04 2022 daemon.notice openvpn(newRasOVPN)[11016]: VERIFY EKU OK
Sat Apr  2 09:42:04 2022 daemon.notice openvpn(newRasOVPN)[11016]: VERIFY OK: depth=0, CN=server
Sat Apr  2 09:42:04 2022 daemon.notice openvpn(newRasOVPN)[11016]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
Sat Apr  2 09:42:04 2022 daemon.notice openvpn(newRasOVPN)[11016]: [server] Peer Connection Initiated with [AF_INET]****:1194
Sat Apr  2 09:42:05 2022 daemon.notice openvpn(newRasOVPN)[11016]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Sat Apr  2 09:42:06 2022 daemon.notice openvpn(newRasOVPN)[11016]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 ipv6 bypass-dhcp,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,tun-ipv6,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig-ipv6 fddd:1194:1194:1194::1014/64 fddd:1194:1194:1194::1,ifconfig 10.8.0.22 255.255.255.0,peer-id 1,cipher AES-256-GCM'
Sat Apr  2 09:42:06 2022 daemon.notice openvpn(newRasOVPN)[11016]: OPTIONS IMPORT: timers and/or timeouts modified
Sat Apr  2 09:42:06 2022 daemon.notice openvpn(newRasOVPN)[11016]: OPTIONS IMPORT: --ifconfig/up options modified
Sat Apr  2 09:42:06 2022 daemon.notice openvpn(newRasOVPN)[11016]: OPTIONS IMPORT: route options modified
Sat Apr  2 09:42:06 2022 daemon.notice openvpn(newRasOVPN)[11016]: OPTIONS IMPORT: route-related options modified
Sat Apr  2 09:42:06 2022 daemon.notice openvpn(newRasOVPN)[11016]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sat Apr  2 09:42:06 2022 daemon.notice openvpn(newRasOVPN)[11016]: OPTIONS IMPORT: peer-id set
Sat Apr  2 09:42:06 2022 daemon.notice openvpn(newRasOVPN)[11016]: OPTIONS IMPORT: adjusting link_mtu to 1624
Sat Apr  2 09:42:06 2022 daemon.notice openvpn(newRasOVPN)[11016]: OPTIONS IMPORT: data channel crypto options modified
Sat Apr  2 09:42:06 2022 daemon.notice openvpn(newRasOVPN)[11016]: Data Channel: using negotiated cipher 'AES-256-GCM'
Sat Apr  2 09:42:06 2022 daemon.notice openvpn(newRasOVPN)[11016]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sat Apr  2 09:42:06 2022 daemon.notice openvpn(newRasOVPN)[11016]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sat Apr  2 09:42:06 2022 daemon.notice openvpn(newRasOVPN)[11016]: net_route_v4_best_gw query: dst 0.0.0.0
Sat Apr  2 09:42:06 2022 daemon.notice openvpn(newRasOVPN)[11016]: net_route_v4_best_gw result: via 192.168.1.254 dev br-lan
Sat Apr  2 09:42:06 2022 daemon.notice openvpn(newRasOVPN)[11016]: GDG6: remote_host_ipv6=n/a
Sat Apr  2 09:42:06 2022 daemon.notice openvpn(newRasOVPN)[11016]: net_route_v6_best_gw query: dst ::
Sat Apr  2 09:42:06 2022 daemon.warn openvpn(newRasOVPN)[11016]: sitnl_send: rtnl: generic error (-101): Network unreachable
Sat Apr  2 09:42:06 2022 daemon.notice openvpn(newRasOVPN)[11016]: TUN/TAP device tun0 opened
Sat Apr  2 09:42:06 2022 daemon.notice openvpn(newRasOVPN)[11016]: net_iface_mtu_set: mtu 1500 for tun0
Sat Apr  2 09:42:06 2022 daemon.notice openvpn(newRasOVPN)[11016]: net_iface_up: set tun0 up
Sat Apr  2 09:42:06 2022 daemon.notice openvpn(newRasOVPN)[11016]: net_addr_v4_add: 10.8.0.22/24 dev tun0
Sat Apr  2 09:42:06 2022 daemon.notice openvpn(newRasOVPN)[11016]: net_iface_mtu_set: mtu 1500 for tun0
Sat Apr  2 09:42:06 2022 daemon.notice netifd: Interface 'tun0' is enabled
Sat Apr  2 09:42:06 2022 daemon.notice openvpn(newRasOVPN)[11016]: net_iface_up: set tun0 up
Sat Apr  2 09:42:06 2022 daemon.notice openvpn(newRasOVPN)[11016]: net_addr_v6_add: fddd:1194:1194:1194::1014/64 dev tun0
Sat Apr  2 09:42:06 2022 daemon.notice netifd: Network device 'tun0' link is up
Sat Apr  2 09:42:06 2022 daemon.notice netifd: Interface 'tun0' has link connectivity
Sat Apr  2 09:42:06 2022 daemon.notice netifd: Interface 'tun0' is setting up now
Sat Apr  2 09:42:06 2022 daemon.notice openvpn(newRasOVPN)[11016]: /usr/libexec/openvpn-hotplug up newRasOVPN tun0 1500 1552 10.8.0.22 255.255.255.0 init
Sat Apr  2 09:42:06 2022 daemon.notice netifd: Interface 'tun0' is now up
Sat Apr  2 09:42:06 2022 daemon.notice openvpn(newRasOVPN)[11016]: net_route_v4_add: ****/32 via 192.168.1.254 dev [NULL] table 0 metric -1
Sat Apr  2 09:42:06 2022 daemon.notice openvpn(newRasOVPN)[11016]: net_route_v4_add: 0.0.0.0/1 via 10.8.0.1 dev [NULL] table 0 metric -1
Sat Apr  2 09:42:06 2022 daemon.notice openvpn(newRasOVPN)[11016]: net_route_v4_add: 128.0.0.0/1 via 10.8.0.1 dev [NULL] table 0 metric -1
Sat Apr  2 09:42:06 2022 daemon.notice openvpn(newRasOVPN)[11016]: add_route_ipv6(::/3 -> fddd:1194:1194:1194::1 metric -1) dev tun0
Sat Apr  2 09:42:06 2022 daemon.notice openvpn(newRasOVPN)[11016]: net_route_v6_add: ::/3 via :: dev tun0 table 0 metric -1
Sat Apr  2 09:42:06 2022 daemon.notice openvpn(newRasOVPN)[11016]: add_route_ipv6(2000::/4 -> fddd:1194:1194:1194::1 metric -1) dev tun0
Sat Apr  2 09:42:06 2022 daemon.notice openvpn(newRasOVPN)[11016]: net_route_v6_add: 2000::/4 via :: dev tun0 table 0 metric -1
Sat Apr  2 09:42:06 2022 daemon.notice openvpn(newRasOVPN)[11016]: add_route_ipv6(3000::/4 -> fddd:1194:1194:1194::1 metric -1) dev tun0
Sat Apr  2 09:42:06 2022 daemon.notice openvpn(newRasOVPN)[11016]: net_route_v6_add: 3000::/4 via :: dev tun0 table 0 metric -1
Sat Apr  2 09:42:06 2022 daemon.notice openvpn(newRasOVPN)[11016]: add_route_ipv6(fc00::/7 -> fddd:1194:1194:1194::1 metric -1) dev tun0
Sat Apr  2 09:42:06 2022 daemon.notice openvpn(newRasOVPN)[11016]: net_route_v6_add: fc00::/7 via :: dev tun0 table 0 metric -1
Sat Apr  2 09:42:06 2022 daemon.warn openvpn(newRasOVPN)[11016]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sat Apr  2 09:42:06 2022 daemon.notice openvpn(newRasOVPN)[11016]: Initialization Sequence Completed
Sat Apr  2 09:42:06 2022 user.warn mwan3-hotplug[11085]: hotplug called on tun0 before mwan3 has been set up
Sat Apr  2 09:42:06 2022 user.notice firewall: Reloading firewall due to ifup of tun0 (tun0)
Sat Apr  2 09:42:06 2022 user.notice nlbwmon: Reloading nlbwmon due to ifup of tun0 (tun0)
     

It had not. It is old and I never needed it. I fixed it now. Also, the VPS is in Germany while I have around a 3-hour time difference, so there is that.

Please post the output of

ip add show label tun\*; ip ro

Redact the public IP address of the VPS (if it is available in the routing table)

1 Like
ip add show label tun\*; ip ro
    inet 10.8.0.22/24 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fddd:1194:1194:1194::1014/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::8acd:3667:745:1923/64 scope link stable-privacy
       valid_lft forever preferred_lft forever
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.254 dev br-lan proto static
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.22
****(shows the VPS Here Currectly) via 192.168.1.254 dev br-lan
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
[root@dca632 / 49°]#
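The reply above points out that without an address on tun0 nothing can be routed into the tunnel, and the `ip addr; ip route` output is what shows whether the redirect-gateway setup actually took. The script below is an added example, not code from the thread or from OpenWrt: it runs the same three checks offline against saved output of `ip -4 addr show; ip -4 route` (an address on the tunnel device, the two /1 routes that override the old default, and a surviving underlay default route for the encrypted UDP to the VPS). The device name tun0 and the gateway 10.8.0.1 are taken from the posted log; the sample inputs are constructed, with the redacted VPS address replaced by the documentation address 203.0.113.10.

```shell
#!/bin/sh
# Added example, not code from the thread. Offline check of a redirect-gateway
# OpenVPN client on OpenWrt, run against saved output of
#     ip -4 addr show; ip -4 route
# Assumptions taken from the posted log: device tun0, pushed route-gateway 10.8.0.1.
TUN=tun0
VPN_GW=10.8.0.1
gw_re=$(printf '%s' "$VPN_GW" | sed 's/\./\\./g')   # literal dots for grep -E

# has_tun_addr TEXT -> 0 when TEXT shows a global IPv4 address on $TUN
# (works on plain "ip addr" lines and on one-line "ip -o addr" output)
has_tun_addr() {
    printf '%s\n' "$1" | grep -E 'inet [0-9.]+/[0-9]+ .*scope global' \
                       | grep -Eq '(^|[[:space:]])'"$TUN"'([[:space:]]|$)'
}

# has_def1_routes TEXT -> 0 when both halves of IPv4 space go into the tunnel.
# The /1 routes beat "default" by prefix length; that is how
# "redirect-gateway def1" takes over without deleting the old default route.
has_def1_routes() {
    printf '%s\n' "$1" | grep -Eq "^0\.0\.0\.0/1 via $gw_re dev $TUN"'( |$)' &&
    printf '%s\n' "$1" | grep -Eq "^128\.0\.0\.0/1 via $gw_re dev $TUN"'( |$)'
}

# has_underlay_default TEXT -> 0 when a default route on some other device
# survives; the encrypted UDP packets to the VPS still have to leave that way.
has_underlay_default() {
    printf '%s\n' "$1" | grep -E '^default via ' | grep -Evq "dev $TUN"'( |$)'
}

# check_tunnel TEXT -> one verdict line per check; returns 0 only when all pass
check_tunnel() {
    rc=0
    if has_tun_addr "$1"; then echo "ok:   $TUN has an IPv4 address"
    else echo "FAIL: no IPv4 address on $TUN (nothing can be routed into it)"; rc=1; fi
    if has_def1_routes "$1"; then echo "ok:   0.0.0.0/1 and 128.0.0.0/1 via $VPN_GW"
    else echo "FAIL: redirect-gateway routes missing, traffic keeps the old default"; rc=1; fi
    if has_underlay_default "$1"; then echo "ok:   underlay default route still present"
    else echo "FAIL: no default route outside the tunnel, VPS unreachable"; rc=1; fi
    return $rc
}

# Constructed samples. GOOD mirrors the output posted above, with the VPS
# address replaced by the documentation address 203.0.113.10.
GOOD='    inet 10.8.0.22/24 scope global tun0
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.254 dev br-lan proto static
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.22
203.0.113.10 via 192.168.1.254 dev br-lan
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1'
# BAD is the state the screenshots described: tun0 exists but carries no address.
BAD='default via 192.168.1.254 dev br-lan proto static
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1'

echo "== sample from the thread =="; check_tunnel "$GOOD" || true
echo "== tunnel without an address =="; check_tunnel "$BAD" || true
# On the router itself: check_tunnel "$(ip -4 addr show; ip -4 route)"
```

Note that all three checks pass on the output posted above, which is why the next reply moves on to testing reachability (ping 10.8.0.1) and the public address rather than the tunnel itself.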

Try to ping 10.8.0.1.

If it works, run

wget http://ipecho.net/plain -O - -q ; echo

and check the returned public IP address.

1 Like

It works, returns 201.410 ms, and running that command returns my VPS address correctly.

Currently the Pi acts more or less as a dumb AP. You should create a new interface in a different IP subnet for the wireless network and move the wired interface to the wan zone.

2 Likes
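The advice above is the actual fix in this thread: with the modem and the wireless clients on one bridge in the same 192.168.1.0/24, the Pi never routes anything, so the tunnel routes it holds are irrelevant to the clients. The script below is an added example, not code from the thread or from OpenWrt: it generates (and, when run on the router, applies with `uci batch`) the changes that turn the Pi into a router: eth0 leaves br-lan and becomes the wan interface, the lan (wireless) side moves to its own subnet, and tun+ is added to the wan zone as suggested earlier in the thread. It refuses to proceed if the chosen wireless subnet would overlap the modem's LAN. Assumed and to be checked with `uci show` first: a stock layout where `network.@device[0]` is br-lan with eth0 as its only port, the wireless section is `default_radio0`, `firewall.@zone[1]` is the wan zone, and the modem hands out DHCP leases (otherwise set `network.wan.proto` to static with gateway 192.168.1.254). The subnet 192.168.2.1/24 is a choice, not something from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds and optionally applies the
# uci changes that make the Pi route between Wi-Fi and the modem.
# Assumptions: stock OpenWrt 21.02+/snapshot config where network.@device[0]
# is br-lan holding eth0, wireless.default_radio0 is the Wi-Fi section and
# firewall.@zone[1] is the wan zone. Verify with "uci show" before applying.

ip2int() {   # ip2int A.B.C.D -> 32-bit integer
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

prefix2mask() {   # prefix2mask 24 -> 255.255.255.0
    mk=$(( (4294967295 << (32 - $1)) & 4294967295 ))
    echo "$(( mk >> 24 )).$(( (mk >> 16) & 255 )).$(( (mk >> 8) & 255 )).$(( mk & 255 ))"
}

subnets_overlap() {   # subnets_overlap A/n B/m -> 0 when the two subnets overlap
    a=${1%/*}; n=${1#*/}; b=${2%/*}; m=${2#*/}
    p=$n; [ "$m" -lt "$n" ] && p=$m            # compare at the shorter prefix
    mask=$(( (4294967295 << (32 - p)) & 4294967295 ))
    [ $(( $(ip2int "$a") & mask )) -eq $(( $(ip2int "$b") & mask )) ]
}

# plan_router WAN_DEV WIFI_CIDR MODEM_CIDR -> uci batch commands on stdout.
# Refuses when the wireless subnet collides with the modem LAN, which is
# exactly the "dumb AP" situation in this thread.
plan_router() {
    wan_dev=$1 wifi=$2 modem=$3
    if subnets_overlap "$wifi" "$modem"; then
        echo "refusing: wireless $wifi overlaps the modem LAN $modem" >&2
        return 1
    fi
    cat <<EOF
del_list network.@device[0].ports='$wan_dev'
set network.wan=interface
set network.wan.device='$wan_dev'
set network.wan.proto='dhcp'
set network.lan.ipaddr='${wifi%/*}'
set network.lan.netmask='$(prefix2mask "${wifi#*/}")'
set wireless.default_radio0.network='lan'
add_list firewall.@zone[1].device='tun+'
commit network
commit wireless
commit firewall
EOF
}

# apply_plan: feed the plan to "uci batch" when running on OpenWrt; elsewhere
# just print it. Changing the lan subnet drops an SSH session that came in
# over Wi-Fi, so reconnect to the new lan address afterwards.
apply_plan() {
    if command -v uci >/dev/null 2>&1; then
        plan_router "$@" | uci batch && /etc/init.d/network restart
    else
        echo "uci not found, printing the plan instead:" >&2
        plan_router "$@"
    fi
}

# Values from this thread: modem at 192.168.1.254/24 behind eth0; the wireless
# side moves to 192.168.2.1/24 (a chosen value). On the router, run instead:
#     apply_plan eth0 192.168.2.1/24 192.168.1.254/24
plan_router eth0 192.168.2.1/24 192.168.1.254/24
```

After this the new wan interface joins the wan zone through the default `list network 'wan'` entry, so lan-to-wan forwarding and masquerading apply both to the modem link and, via the tun+ device entry, to the tunnel; the OpenVPN UDP session itself still leaves through eth0 because the host route to the VPS points at 192.168.1.254.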

OK, thanks for the help. I feel like I am doing everything right but there is some bug/anomaly causing this.

The statement above is out of my skill level at the moment; I need to read about how to do that. I mostly hope that the issue is isolated to the version of the OS and can be solved by future or older versions of OpenWrt on Raspberry Pi.

I also bricked my actual AP, so right now this is my current access point, and I am going to hold off trying new ROMs till my new modem/router arrives.

Edit: The solution was to move wireless to a new interface, as @pavelgl correctly identified and helped with the setup. It is very appreciated.

1 Like
