Help with OpenVPN config


#1

Folks, would someone do me the favor of casting their eye over my OpenVPN config. This was working until a month or so ago; then, after a rebuild from master and a sysupgrade, it suddenly stopped working, and it also does not work on my latest 18.06 rc1 build. There are no errors reported anywhere, just a complete lack of traffic flowing in either direction, which would suggest a firewall issue - but alas I can't see it.

OpenWrt 18.06.0-rc1, r7090-d2aa3a1b62
Package: openvpn-openssl
Version: 2.4.5-3
Depends: libc, kmod-tun, liblzo, libopenssl
Provides: openvpn, openvpn-crypto
Status: install user installed
Architecture: arm_cortex-a9_vfpv3
Conffiles:
/etc/config/openvpn d0b1ba14d918cbef81695ec590efbc9a67c94dd09cb84a2c478f05e5a698c723
Installed-Time: 1529662977

/etc/config/openvpn

# OpenVPN server instance: UDP/1194 on tun device ovpns0. The 'vpnserver'
# interface in /etc/config/network and the firewall zone of the same name are
# bound to this device name.
config openvpn 'vpnserver'
        option status '/tmp/openvpn-udp-status.log'
        option enabled '1'
        option dev_type 'tun'
        option dev 'ovpns0'
        option port '1194'
        option proto 'udp'
# keepalive '10 120' = ping every 10 s, restart after 120 s without a reply;
# in server mode the matching values are pushed to clients as well.
        option keepalive '10 120'
        option persist_key '1'
        option persist_tun '1'
# PKI material. No explicit cipher/auth options are set, so the data channel
# relies on the defaults / NCP negotiation with 2.4 peers; pinning them
# explicitly avoids surprises with older clients.
        option ca '/etc/openvpn/ca.crt'
        option cert '/etc/openvpn/my-server.crt'
        option key '/etc/openvpn/my-server.key'
        option dh '/etc/openvpn/dh2048.pem'
# tls-auth HMAC on the control channel, key direction 0 on the server side;
# clients must use direction 1 with the same key.
        option tls_auth '/etc/openvpn/tls-auth.key 0'
        option mode 'server'
        option tls_server '1'
# Client address pool. The 'server' directive itself already pushes
# 'topology subnet' and a route-gateway to clients.
        option server '192.168.200.0 255.255.255.0'
        option topology 'subnet'
# client-to-client traffic is switched inside the openvpn process and does
# not traverse the firewall zones below.
        option client_to_client '1'
# NOTE(review): 'route-gateway dhcp' is meant for tap/DHCP setups; with tun +
# topology subnet the server's tunnel address is the gateway — confirm this
# (and the matching push below) is needed.
        option route_gateway 'dhcp'
# verb 5 is debug level (per-packet R/W markers in the log); lower it once
# the setup works.
        option verb '5'
        list push 'persist-key'
        list push 'persist-tun'
        list push 'topology subnet'
# Full tunnel: all client traffic exits through the router. This depends on
# the vpnserver->wan forwarding and masq on the wan zone in /etc/config/firewall.
        list push 'redirect-gateway def1'
        list push 'route-gateway dhcp'
# With 'redirect-gateway def1' pushed, these two routes are reachable anyway;
# the replies in this thread recommend trimming push lines when debugging.
        list push 'route 192.168.200.0 255.255.255.0'
        list push 'route 192.168.1.0 255.255.255.0'
# Clients resolve via the router; requires the vpnserver zone to accept input.
        list push 'dhcp-option DNS 192.168.1.1'
        list push 'dhcp-option DOMAIN lan'

/etc/config/network



config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd99:6cb2:719c::/48'

# LAN bridge on VLAN 1 (switch ports 1-3, CPU port 5 tagged). VPN clients are
# routed here and get 192.168.1.1 pushed as their DNS server.
config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

# NOTE(review): no ifname here; presumably attached from the wireless config,
# which is not shown in this post.
config interface 'guest'
        option proto 'static'
        option ipaddr '10.0.0.1'
        option netmask '255.255.255.0'

# WAN on VLAN 2 (switch port 4, CPU port 6 tagged).
config interface 'wan'
        option ifname 'eth1.2'
        option proto 'dhcp'

config interface 'wan6'
        option ifname 'eth1.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '1 2 3 5t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '4 6t'
        option vid '2'

# Unmanaged interface wrapping the OpenVPN tun device (dev 'ovpns0' in
# /etc/config/openvpn) so the firewall can place it in the 'vpnserver' zone.
# The device itself is created by openvpn, not by netifd.
config interface 'vpnserver'
        option proto 'none'
        option ifname 'ovpns0'
        option auto '1'

# NOTE(review): VLAN 3 (vid 103, port 0 + CPU port 5) is not referenced by any
# interface in this file — confirm it is still in use.
config switch_vlan
        option device 'switch0'
        option vlan '3'
        option ports '0 5t'
        option vid '103'

/etc/config/firewall

# Standard OpenWrt wan input allowances (DHCP renew, ping, IGMP, DHCPv6, MLD,
# ICMPv6 input/forward). These are the shipped defaults, not VPN related.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# wan -> lan pass-through of ESP and UDP/500 to the whole lan zone (the shipped
# IPsec defaults). NOTE(review): unrelated to OpenVPN; if no IPsec endpoint
# sits on the LAN these can be removed.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# Defaults: traffic to the router itself is accepted unless a zone says
# otherwise; forwarding between zones is rejected unless a 'forwarding'
# section or rule allows it.
config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

# wan: only the explicit rules above reach the router. masq here is what NATs
# lan, guest and VPN-client traffic leaving for the internet (relevant for the
# pushed 'redirect-gateway def1').
config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

# /etc/firewall.user is not shown in this post; any hand-written iptables
# rules in it also apply and are worth checking when traffic goes missing.
config include
        option path '/etc/firewall.user'

# Guest zone: isolated from lan, only DNS and DHCP to the router are allowed
# by the two rules below.
config zone
        option name 'guest'
        option network 'guest'
        option input 'REJECT'
        option forward 'REJECT'
        option output 'ACCEPT'

config forwarding
        option src 'guest'
        option dest 'wan'

config rule
        option name 'Allow DNS Queries'
        option src 'guest'
        option dest_port '53'
        option proto 'tcp udp'
        option target 'ACCEPT'

config rule
        option name 'Allow DHCP request'
        option src 'guest'
        option src_port '67-68'
        option dest_port '67-68'
        option proto 'udp'
        option target 'ACCEPT'

# Input rule opening the OpenVPN port from every zone (src '*' includes wan).
# The server only listens on UDP (proto 'udp' in /etc/config/openvpn), so
# src 'wan' with proto 'udp' would be the minimal rule; the lan and vpnserver
# zones already accept input anyway.
config rule
        option name 'Allow-OpenVPN-Inbound'
        option target 'ACCEPT'
        option src '*'
        option proto 'tcp udp'
        option dest_port '1194'

# VPN zone: clients may talk to the router (needed for the pushed DNS
# 192.168.1.1) and, via the two forwardings below, to lan and wan.
# NOTE(review): masq on a zone applies to packets leaving through that zone's
# interfaces, i.e. traffic sent to VPN clients over ovpns0 is source-NATed to
# the server's tunnel address. It is not needed for client->lan/wan traffic
# (wan masq covers the internet side) and hides LAN hosts from clients;
# replies #2/#3 suggest dropping it.
config zone
        option name 'vpnserver'
        option input 'ACCEPT'
        option forward 'REJECT'
        option output 'ACCEPT'
        option masq '1'
        option network 'vpnserver'

config forwarding
        option dest 'lan'
        option src 'vpnserver'

config forwarding
        option dest 'wan'
        option src 'vpnserver'

# UPnP opens wan ports on request from LAN hosts; the included script is not
# shown here.
config include 'miniupnpd'
        option type 'script'
        option path '/usr/share/miniupnpd/firewall.include'
        option family 'any'
        option reload '1'

Thanks.


#2

Try removing the quoted lines.

Also try a service restart: if OpenVPN starts before NTP has set the clock, that can also cause issues (certificate validity checks depend on the system time).

I’m not sure you want masq enabled for the vpn firewall zone. I don’t have it enabled and things work perfectly for me.


#3

There is/was an issue with 18.06 and OpenVPN... utilize the forum search functionality to see if it's been resolved.

Masquerade is only to be utilized on interfaces receiving a WAN IP... utilizing it on non-WAN interfaces will result in issues.


#4

@JW0914 - I've been following (and contributing to) some of the threads lately on OpenVPN issues, but I haven't seen/noticed anything to suggest that the issues have been directly related to 18.06.x (as compared to other general configuration issues). Did I miss an interesting/important post/thread? If so, would you mind pointing me in the right direction.

Thanks!


#5

@psherman I could have sworn I came across two threads regarding OpenVPN not starting or having issues on 18.06... perhaps I'm mistaken.


#6

@JW0914 - there have been several threads here lately in general, but it seems most have had working resolutions while using either 17.01.x or 18.06.0RC1.

Interestingly, though, some of the resolutions have been the result of removing some of the push directives (see my earlier reply in this post). These are recommended in the OpenVPN tutorials, so I'm wondering what the differences are between the wiki authors' configs and those of the people saying that things are not working. The advice I have been giving to remove those lines has led to a resolution in a bunch of cases, and my advice is consistent with my personal setup (but I haven't yet had time to experiment with adding the push directives to see if it 'breaks' my setup)... any thoughts?


#7

Thanks for the advice folks. My issue appears to have been the order in which things were starting. Restarting OpenVPN seems to fix it.


#8

I updated the OpenVPN (Server Setup) & OpenVPN Server (Comprehensive) wikis with the new compression values, since comp-lzo has been deprecated as of OpenVPN 2.4.

As to pushed values, certain options shouldn't be pushed because they are connection dependent: a push only reaches the client once it is connected to the VPN server, yet the connection itself relies on those options in order to be established and completed.

  • I'm not altogether sure why this would be pushed: 'dhcp-option DOMAIN lan', as OSes deal with the local domain in different ways (Windows, for instance, doesn't have a place to specify the local domain, instead the work group name must be set as the local domain name).
    • The main reasons for utilizing the local domain are for network shares and accessing local devices via their hostname.localdomain
      • I.E. instead of navigating to https://192.168.1.1, one could navigate to https://openwrt.lan
        • Usually this requires the extra step of also adding an entry to the hosts file as:
          <IP> <hostname> <hostname.localdomain>

#9

If your problem is solved, please consider marking this topic as [Solved]. (Click the pencil behind the topic...)