Issue with OpenVPN client

etcher · April 5, 2019, 4:19pm

Hi guys !

I'm trying to use OpenWRT on a WRT54GL to act as a VPN end-point, using NordVPN commercial service to encrypt all traffic between my LAN and the internet, and increase my privacy when browsing the Internet.

I found many guides online, I read all I could find on the subject from the official documentation, but I keep running on the same issue again and again.

Here's an overview of my current setup:

Setting up the tunnel works fine. I'm able to ping any Internet destination from the Tun interface.
However, when the tunnel is active, I'm unable to get out of the LAN through it.

The following command works:

ping 1.1.1.1

It's using the tunnel interface IP as source.

However, the following command fails:

ping -I 10.0.0.1 1.1.1.1

With the tunnel active, the routing table looks like this:

root@OpenWrt:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
REDACTED   192.168.1.1     255.255.255.255 UGH   0      0        0 eth0.1
192.168.1.0     0.0.0.0         255.255.255.240 U     0      0        0 eth0.1
10.0.0.0        0.0.0.0         255.255.255.224 U     0      0        0 br-lan
10.8.8.0        0.0.0.0         255.255.255.0   U     0      0        0 tun0
0.0.0.0         10.8.8.1        128.0.0.0       UG    0      0        0 tun0
128.0.0.0       10.8.8.1        128.0.0.0       UG    0      0        0 tun0
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0.1

To the best of my understanding, this should be fine. I have taken no steps to customize it.

Since the bare "ping 1.1.1.1" works (using the tunnel interface IP address as a source), I'm assuming that my ISP modem/router isn't interfering and that the NAT is working as expected.

The most obvious possible culprit, to my limited understanding, would be the firewall. To make things simple, I added the tunnel interface to the WAN zone (as recommended in the OpenWRT documentation).

I've also tried setting everything temporarily to "ACCEPT" for debugging purpose, but it did not help.

I do not know how to debug packet filtering/routing in real-time, which would help.

The OpenVPN configuration file looks like this:

client
dev tun
proto udp
remote REDACTED
resolv-retry infinite
remote-random
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ping 15
ping-restart 0
ping-timer-rem
reneg-sec 0
comp-lzo no
ca /etc/openvpn/ca.cert
tls-auth /etc/openvpn/ta.key 1
redirect-gateway def1

remote-cert-tls server

auth-user-pass /etc/openvpn/secret
verb 3
pull
fast-io
cipher AES-256-CBC
auth SHA512

key-direction 1

And the /etc/openvpn file pointing to it:

config 'openvpn' 'nordvpn'
	option 'config' '/etc/openvpn/custom.ovpn'

Here's the firewall setup:


config 'defaults'
	option 'syn_flood' '1'
	option 'input' 'ACCEPT'
	option 'output' 'ACCEPT'
	option 'drop_invalid' '1'
	option 'forward' 'DROP'

config 'zone'
	option 'name' 'lan'
	option 'network' 'lan'
	option 'input' 'ACCEPT'
	option 'output' 'ACCEPT'
	option 'forward' 'ACCEPT'

config 'zone'
	option 'name' 'wan'
	option 'output' 'ACCEPT'
	option 'network' 'openvpn wan'
	option 'masq' '1'
	option 'mtu_fix' '1'
	option 'input' 'DROP'
	option 'forward' 'DROP'

config 'include'
	option 'path' '/etc/firewall.user'

config 'forwarding'
	option 'dest' 'wan'
	option 'src' 'lan'

The network config:


config 'switch' 'eth0'
	option 'enable' '1'

config 'switch_vlan' 'eth0_0'
	option 'device' 'eth0'
	option 'vlan' '0'
	option 'ports' '0 1 2 3 5'

config 'switch_vlan' 'eth0_1'
	option 'device' 'eth0'
	option 'vlan' '1'
	option 'ports' '4 5'

config 'interface' 'loopback'
	option 'ifname' 'lo'
	option 'proto' 'static'
	option 'ipaddr' '127.0.0.1'
	option 'netmask' '255.0.0.0'

config 'interface' 'lan'
	option 'type' 'bridge'
	option 'ifname' 'eth0.0'
	option 'proto' 'static'
	option 'dns' '1.1.1.1'
	option 'ipaddr' '10.0.0.1'
	option 'netmask' '255.255.255.224'
	option 'gateway' '192.168.1.1'

config 'interface' 'wan'
	option 'ifname' 'eth0.1'
	option '_orig_ifname' 'eth0.1'
	option '_orig_bridge' 'false'
	option 'proto' 'static'
	option 'netmask' '255.255.255.240'
	option 'ipaddr' '192.168.1.2'
	option 'gateway' '192.168.1.1'
	option 'peerdns' '0'
	list 'dns' '1.1.1.1'
	list 'dns' REDACTED
	list 'dns' REDACTED
	option 'metric' '0'

config 'interface' 'openvpn'
	option 'proto' 'none'
	option 'ifname' 'tun1'
	option 'auto' '1'

Note: I'm using 1.1.1.1 as a DNS server for the time being for debugging reasons.

Would anyone have an idea what I have missed? Any help would be greatly appreciated!

(edit: routing table formatting)

anon50098793 · April 5, 2019, 4:49pm

Your firewall ain't right.....

config zone
	option name 'vpnfirewall'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option network 'nordvpntun' < YOURINTERFACENAME = openvpn?

config forwarding
	option src 'lan'
	option dest 'vpnfirewall'

It's the forwarding that gets your lan out....

Setting all to accept still doesn't enable masquerade.... and in openwrt...

I can't find any references to your VPN in the firewall....

Did you add a manual masquerade entry in firewall.user or somethin?

The other glaring thing is the double nat.... and possible a need to modify a port forward or something on the true gateway for that.... do a web search plenty of into online about "openvpn behind double nat"....

avoid it if you can...

etcher · April 5, 2019, 4:54pm

Thank you for your reply.

It seems to be working for the WAN interface, and the same rules are applied to the VPN.

Forwarding from LAN to WAN (and back) looks okay to me, so uneducated me assumed it would work for the VPN as well.

I've also tried setting all options to "ACCEPT" temporarily, for debugging purpose, and it did not help.

What do you think I should do to fix the issue ?

etcher · April 5, 2019, 5:05pm

I posted my reply too fast, your post wasn't completed yet. Apologies.

I removed some part of the config to declutter it a little.

In the firewall config, the vpn interface is here:

config 'zone'
        ....
	option 'network' 'openvpn wan'
        ....

For that zone, masquerade is turned on:

option 'masq' '1'

Are those what you meant ?

etcher · April 5, 2019, 5:08pm

I was afraid of the double NAT as well. I tried with a different firewall zone, disabling masquerade for the VPN, without success.

The tunnel itself seems to work fine. Going through the log, I can see no significant error, and I'm able to ping outside from the tunnel interface, which is the reason I assumed a routing problem at first.

I will look the "double NAT" issue up and document myself.

Thank you again for your replies !

anon50098793 · April 5, 2019, 5:09pm

The wan zone.... is for the wan interface.....

You need a separate zone.... for your "vpn" interface. Which runs "OVER" the wan interface.... so that must be left as originally configured.

A cheat way to get around double nat... if you can access the edge router is to enable a "DMZ" feature... and enter 192.168.1.2.... that would make your life easier....

Alternatively.... just bridge the thing

I know.... ISP's got the world locked down these days....

My first criteria when choosing one.....

etcher · April 5, 2019, 5:11pm

I tried the double-zone approach first, unfortunately with the same results.

I went for the single-zone approach after reading https://openwrt.org/docs/guide-user/services/vpn/openvpn/client, which states:

1. Firewall

To minimize firewall setup consider VPN-network as public and assign VPN-interface to WAN-zone.

# Configure firewall
uci set firewall.@zone[1].device="tun0"
uci commit firewall
service firewall restart

Did I misunderstand the intend?

etcher · April 5, 2019, 5:12pm

I have indeed set up 192.168.1.2 as the DMZ on the ISP router =)

anon50098793 · April 5, 2019, 5:13pm

Maybe your right.... never seen that way.

openvpn wan != tun1 != tun0

Your wan interface is not attached to the wan zone at all?

Your default config didn't have something like;


config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6' < !!!

Best to reset the thing and start with clean configs....

mk24 · April 5, 2019, 5:14pm

Impressive that you're running OpenVPN at all on that hardware.

I could never wrap my head around how the VPN would completely replacing the WAN (except, somehow, for the link to the VPN server) so I would set up another separate network and firewall zone for VPN users.

etcher · April 5, 2019, 5:16pm

I initially wanted to do just that, but the router provided by my ISP has very limited configuration options, so it appears that I'm stuck with using the /30 in between for the time being.

etcher · April 5, 2019, 5:21pm

Well, things are getting worse on a daily basis for regular Internet users in my opinion. I want to protect myself and my family as much as possible.

So far, I've been using the software solution of NordVPN to protect individual devices, and an OpenVPN server on a Pi to connect to my LAN remotely.

However, it is somewhat silly to open so many tunnels from inside the WAN, when a single device acting as a gateway could redirect all traffic through a single tunnel, so I decided to give it a try.

It's probably a silly mistake I made somewhere, and I'm sorry to have to come here and beg for help, but I spent a lot of time trying to figure it out on my own and am now simply out of ideas... =/

anon50098793 · April 5, 2019, 5:34pm

No problem!!!

Having a go is what it is all about, that's where the brain kicks in

This might get you started with some logging ideas ( don't save em.... just paste.... so you can reboot if things go wrong....

vgaetera · April 5, 2019, 5:44pm

Inside the vpnclient.conf you should use exactly the same device name which is in the firewall configuration:

Or use tun+ for the firewall to match any tun interface.
If you follow the guide, this will be fixed automatically:

Most likely your IP is not 10.0.0.1:

ip -4 addr show dev tun0

etcher · April 5, 2019, 5:56pm

That fixed it.

EDIT: for clarity purpose in case someone stumbles upon this, here is what I had to do to fix my issue:

In the openvpn config file:

client
dev tun
proto udp
remote REDACTED
resolv-retry infinite
remote-random
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
...

I changed this:

dev tun

to this:

dev tun1

to match the interface name defined in:

config 'interface' 'openvpn'
	option 'proto' 'none'
	option 'ifname' 'tun1'
	option 'auto' '1'

Gosh do I feel dumb ... it's always the smallest thing =)

Apr  5 17:51:45 OpenWrt daemon.notice openvpn(nordvpn_belgium)[3667]: Initialization Sequence Completed
Apr  5 17:51:47 OpenWrt user.notice ifup: Enabling Router Solicitations on openvpn (tun1)
Apr  5 17:51:48 OpenWrt user.info firewall: adding openvpn (tun1) to zone wan

And there we go, now it's working exactly like I wanted.

I feel humbled by all of you taking the time to read through all my config files and figuring it all out for some random stranger on the Internet. I appreciate it a lot, and I thank everyone in this thread very, very much.

Cheers !

system · April 15, 2019, 5:56pm

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.