Lost internet connectivity on lan port after openvpn implementation

Hello, complete noob here. My setup is a Belkin RT3200 OpenWrt router running the latest 23.03.3, which is behind my main router. I have 1 device connected to the physical LAN 1 port, which is an obihai obi200 device that provides VOIP service. I implemented openvpn for remote devices to dial into the belkin, which works fine. However, the obihai device no longer has internet connectivity. Before implementing openvpn, it was working fine, but not now. Is there something wrong with my settings? I can't see the obihai device anywhere in luci to give it outside access. If you see any other problems with the openvpn, please feel free to point them out. I don't/will not use the wireless as my main router provides 802.11ax. Thanks in advance!

Here are my config files:

etc/config/network:

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd29:xxxx:xxxx::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option proto 'dhcp'
	option device 'wan'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'

config device
	option name 'lan1'

etc/config/dhcp:

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'
	option start '100'
	option limit '150'
	option leasetime '12h'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

etc/config/firewall:

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option flow_offloading '1'
	option flow_offloading_hw '1'

config zone 'lan'
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list device 'tun+'

config zone 'wan'
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule 'ovpn'
	option name 'Allow-OpenVPN'
	option src 'wan'
	option target 'ACCEPT'
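
The `Allow-OpenVPN` rule in the firewall config posted above has `src 'wan'` and `target 'ACCEPT'` but no `proto` or `dest_port`, so it is not limited to the VPN listener. The following is an added example, not part of the original thread, that lists such rules from a UCI firewall file; the sample input is constructed, and the `1194`/`udp` values in the scoped rule are assumptions.

```shell
# Added example: list WAN-sourced ACCEPT rules with no dest_port and no
# protocol narrower than tcp/udp. Reads a UCI firewall file on stdin.
audit_wan_accept() {
    awk -v q="'" '
    function report() {
        if (is_rule && src == "wan" && target == "ACCEPT" && port == "" &&
            (proto == "" || proto ~ /^(all|tcp|udp|tcpudp)$/))
            print (name != "" ? name : "(unnamed rule)")
    }
    { gsub("[\"" q "]", "") }      # strip UCI quoting; awk re-splits fields
    $1 == "config" {
        report()
        is_rule = ($2 == "rule")
        name = src = target = port = proto = ""
    }
    $1 == "option" || $1 == "list" {
        if ($2 == "name") name = $3          # first word is enough here
        else if ($2 == "src") src = $3
        else if ($2 == "target") target = $3
        else if ($2 == "dest_port") port = $3
        else if ($2 == "proto") proto = $3
    }
    END { report() }
    '
}

# Constructed sample: two rules as posted above, plus a scoped variant.
# Port 1194/udp is an assumption (OpenVPN default), not taken from the page.
sample_firewall() {
    cat <<'EOF'
config rule
    option name 'Allow-Ping'
    option src 'wan'
    option proto 'icmp'
    option target 'ACCEPT'

config rule 'ovpn'
    option name 'Allow-OpenVPN'
    option src 'wan'
    option target 'ACCEPT'

config rule 'ovpn_scoped'
    option name 'Allow-OpenVPN-Scoped'
    option src 'wan'
    option dest_port '1194'
    option proto 'udp'
    option target 'ACCEPT'
EOF
}
sample_firewall | audit_wan_accept
```

On the router, run it as `audit_wan_accept < /etc/config/firewall`; any name it prints is a WAN rule that should carry the `dest_port` and `proto` of the service it is meant to expose.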

Do other devices connected to lan ports or the wifi as part of the lan network work fine?
As it is, I don't see anything wrong and I think you used the guide from the wiki to set up the vpn server, right?

Yep I used the wiki guide and this tutorial: https://www.youtube.com/watch?v=P8JZnmXlzBw

Well so I plugged out the obihai device and plugged in my laptop into LAN 1 and then tried wifi from the belkin and it always had internet. And now after plugging the obihai device back in, it's connecting and fine. I don't know what the issue was but it seems finicky. As long as my settings look good I guess. I will play with it some more.

Also while I have your attention, I got an error during setup for key management section when I ran this line:

export EASYRSA_CERT_EXPIRE="3650" # Increases the client cert expiry from the default of 825 days to match the CA expiry

Is there somewhere I can check to see if it ran properly?

echo $EASYRSA_CERT_EXPIRE

Thanks, I ran this in putty terminal and it just returns me a blank line. Is there a specific directory or place I have to run this command? You have to ELI5 please lol

root@barracuda:[~]#export EASYRSA_CERT_EXPIRE="3650"
root@barracuda:[~]#echo $EASYRSA_CERT_EXPIRE
3650

Thank you very much! I got the same result so should be good!

Looks like I am having this problem again. Overnight, somehow, the obihai device loses internet connectivity. If I plug it into other LAN ports, it still doesn't have connectivity. If I reboot the device, however, it reconnects and has connectivity. Is this a port forwarding issue with the main router to which the openwrt router is connected and then the obihai voip device? I never needed ports forwarded when the obihai device was directly connected to the main router.

This problem is not connected to the OpenVPN server.
Other devices connected to the router have internet connectivity when you experience the outage with the obihai?
There is also no port forwarding, and usually none is needed for voip. They connect to the voip server outbound and pierce the firewall.

The issue has been tough to pinpoint. After the last post, the obihai voip device has been up for the past couple days. Thanks for your help!
