Multiple problems with openvpn

Hi everyone,
For five days I've been pretty much stuck with a couple of problems. My goal is to add a second gateway to my local network that features VPN encryption via a hoster like Cyberghost, ProtonVPN, ExpressVPN or anyone else.
For most clients I want to keep the standard gateway as I don't need the encryption for my TV and most smarthome components, for example. For my PCs I want to change the gateway manually so their traffic is being encrypted.

Currently my network consists of a Fritzbox (Gateway 1) and an Archer C7 running OpenWrt's latest RC, 19.07.0. The networks of both devices are connected wirelessly via relayd. All client IPs are part of the same subnet. Nothing special so far.


That is what I would like to achieve. The secondary gateway is running on OpenWrt and accessing the Internet via the Fritzbox and the VPN hoster.

The problems start with openvpn. The *.ovpn config seems to run fine. I checked by using it with an OpenVPN client for Windows. Testing the config on OpenWrt returns "Initialization Sequence Completed". After uploading the *.ovpn (love the new ovpn upload functionality btw), enabling and activating the instance, it shows up as active, but when trying to ping any IP from tun0 (local or internet) I won't get any response.

root@OpenWrt:~# ifconfig tun0
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.12.0.78  P-t-P:10.12.0.77  Mask:255.255.255.255
          inet6 addr: fe80::29ab:255:5df1:ba8a/64 Scope:Link
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:1 errors:0 dropped:0 overruns:0 frame:0
          TX packets:25 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:105 (105.0 B)  TX bytes:1864 (1.8 KiB)

root@OpenWrt:~# traceroute -i tun0 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 38 byte packets
 1  10.12.0.1 (10.12.0.1)  1046.900 ms  58.149 ms  57.790 ms
 2  *  *  *

There are many howtos available that all follow the same basic steps and claim tun0 would be able to ping any address at this point. The only difference I see is that most openvpn applications are running on a device that is directly connected to the internet. What am I missing here?

Firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan wwan LANrelayd BRIDGErelayd tun0'

config include
        option path '/etc/firewall.user'

config zone
        option network 'vpn tun0'
        option name 'vpn'
        option mtu_fix '1'
        option masq '1'
        option output 'ACCEPT'
        option input 'REJECT'
        option forward 'REJECT'

config forwarding
        option dest 'vpn'
        option src 'lan'

Interfaces

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdb2:2f58:2cb6::/48'

config interface 'lan'
        option ifname 'eth0.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device 'wan_dev'
        option name 'eth0.2'
        option macaddr 'b0:be:76:77:a6:0c'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '0t 1'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option vid '2'
        option ports '0t 2 3 4 5'

config interface 'wwan'
        option proto 'dhcp'

config interface 'LANrelayd'
        option proto 'static'
        option ifname 'eth0.2'
        option type 'bridge'

config interface 'BRIDGErelayd'
        option proto 'relay'
        list network 'LANrelayd'
        list network 'wwan'

config interface 'tun0'
        option ifname 'tun0'
        option proto 'none'

Thanks for reading this far. I would really appreciate any kind of help.

I'm not sure how the two gateways within the same network would work. What I have done is make an entirely separate network for VPN users.

You need two new firewall zones: one for VPN users and one for the VPN tunnel. The vpnuser zone forwards to vpntun. vpntun has masq enabled so that the VPN users are all NATted via the one 10.x IP that you get from the VPN server.
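The two-zone design from this reply, as an added example that is not part of the thread: a uci batch for /etc/config/firewall. It assumes the VPN users sit on the router's 'lan' network and the tunnel is the 'tun0' network interface (both named as in the original poster's /etc/config/network); the zone names vpnuser/vpntun follow the reply, the section names are made up here. Note that tun0 is listed in exactly one zone.

```shell
#!/bin/sh
# Added example, not the thread's own config. Emits a uci batch that
# creates the vpnuser and vpntun zones and a one-way forwarding between
# them; applied only when run on a box that actually has uci.
# Assumed names: network 'lan' = VPN users, network 'tun0' = OpenVPN tunnel.

vpn_zone_batch() {
  cat <<'EOF'
# vpnuser: clients may reach the router itself, but forward only to vpntun
set firewall.vpnuser=zone
set firewall.vpnuser.name=vpnuser
set firewall.vpnuser.input=ACCEPT
set firewall.vpnuser.output=ACCEPT
set firewall.vpnuser.forward=REJECT
add_list firewall.vpnuser.network=lan
# vpntun: nothing unsolicited comes in from the tunnel; everything leaving
# tun0 is masqueraded behind the single 10.x address the VPN server assigns
set firewall.vpntun=zone
set firewall.vpntun.name=vpntun
set firewall.vpntun.input=REJECT
set firewall.vpntun.output=ACCEPT
set firewall.vpntun.forward=REJECT
set firewall.vpntun.masq=1
set firewall.vpntun.mtu_fix=1
add_list firewall.vpntun.network=tun0
# forwarding is vpnuser -> vpntun only; no reverse rule, no lan -> wan path
set firewall.vpnuser_fwd=forwarding
set firewall.vpnuser_fwd.src=vpnuser
set firewall.vpnuser_fwd.dest=vpntun
EOF
}

# Number of zones the batch defines (used as a sanity check).
vpn_zone_count() {
  vpn_zone_batch | grep -c '=zone$'
}

# Apply on a real OpenWrt router: strip the comment lines, load the batch,
# commit and reload the firewall. Skipped elsewhere.
if command -v uci >/dev/null 2>&1; then
  vpn_zone_batch | sed '/^#/d' | uci batch
  uci commit firewall
  /etc/init.d/firewall reload
fi
```

After the reload, `uci show firewall | grep vpntun` should list tun0 under the vpntun zone only; if it still appears in the lan zone's network list, remove it there, as an interface must belong to a single zone.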

Thanks for your reply. I'm pretty sure it would work, but I don't know how to implement it completely yet :wink:
There are various examples of Raspberry Pis acting as a second gateway doing exactly what I would like to accomplish with OpenWrt: https://www.instructables.com/id/Raspberry-Pi-VPN-Gateway/
A separate network/subnet is no real option for me, as I want to be able to keep a connection to every other IP in my network.

The main problem still is the tun0 device which can't ping anything except itself...

Still struggling.
That's the routing table openvpn creates on startup. Looks plausible to me.

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         10.12.1.233     128.0.0.0       UG    0      0        0 tun0
default         192.168.178.1   0.0.0.0         UG    0      0        0 wlan1
10.12.0.1       10.12.1.233     255.255.255.255 UGH   0      0        0 tun0
10.12.1.233     *               255.255.255.255 UH    0      0        0 tun0
***VPN-IP***    192.168.178.1   255.255.255.255 UGH   0      0        0 wlan1
128.0.0.0       10.12.1.233     128.0.0.0       UG    0      0        0 tun0
192.168.1.0     *               255.255.255.0   U     0      0        0 eth0.1
192.168.178.0   *               255.255.255.0   U     0      0        0 wlan1

But still I can't ping any of the tun0 IPs (10.12.0.1 or 10.12.1.233) from my normal network (192.168.178.0) or vice versa. What am I missing here?

fwiw, LAN devices on the 192.168.178.x subnet won't be able to use the VPN tunnel because of the relay bridge config.

Try configuring a device with static IP on 192.168.1.x subnet, to gateway 192.168.1.1 (LAN IP of 2nd router?), and DNS 8.8.8.8, connected to SSID2. See if it is able to utilise the VPN tunnel.

(Or on 2nd router, remove the relay bridge config and turn on DHCP server)

No connection to the internet at all though I am able to ping 192.168.1.1 and 192.168.178.1.

fwiw, as a test, I would suggest you factory reset Gateway 2 and configure openvpn client with ethernet cable connection to Gateway 1, to confirm it works with your VPN provider. (Keep LAN IP 192.168.1.1 and add DNS resolver settings to LAN interface) Refer to section 'Alternative for openvpn client with LuCI' which does describe using an openvpn client router with a separate ISP facing router.
https://openwrt.org/docs/guide-user/services/vpn/openvpn/client-luci

Then convert Gateway 2 from ethernet to a 'wireless client' mode, and do NOT use relay bridge protocol and package which I think may be the cause of your problems.

It works! myip.com shows me the IP from my VPN provider. The only downside is that I'm not able to do it via WiFi. Never mind, wireless is working now.
But I don't see how I can combine this with my network without another subnet...

Post deleted after you subsequently reported wireless is now working presumably between gateway 1 (ISP router) and gateway 2 (openvpn client router).

fwiw, "Connect to client wifi network"
https://openwrt.org/docs/guide-user/network/wifi/connect_client_wifi

VPN is working just fine with the wireless connection. But how can I connect devices to the OpenWrt router and keep their traffic from being encrypted/going through the VPN tunnel?

You probably have to investigate "Policy Based Routing" if you wish to selectively decide which devices should use the VPN or just connect straight to the internet when using one router.

Sorry, I can't help with that subject. I personally have separate routers for simplicity (VPN or non-VPN) because the routers I own aren't particularly powerful.

That's an option you set directly in the OpenVPN config, isn't it?

https://forum.openwrt.org/t/vpn-policy-based-routing-web-ui-discussion/10389

I will have a look at it. Thanks for your support and patience!