I'm trying to set up two OpenVPN connections in combination with PBR. The first one I got working, so my whole network goes through VPN1 now. When I set up the second one, I can't access the internet once I'm on it.
My OVPN configs are like the following:
VPN1
client
dev tun
proto udp
remote 82.**.**.** 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA512
cipher AES-128-CBC
ignore-unknown-option block-outside-dns
block-outside-dns
verb 3
VPN2
client
dev tun1
proto udp
remote 109.**.**.** 1195
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA512
cipher AES-256-CBC
ignore-unknown-option block-outside-dns
block-outside-dns
verb 3
I created two interfaces, tun0 and tun1. Both are identical to each other: unmanaged and zone set to wan.
My server config:
VPN1
local 82.**.**.**
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-crypt tc.key
topology subnet
server 10.8.0.0 255.255.255.0
status openvpn-status.log
client-to-client
push "route 10.8.0.0 255.255.255.0"
push "route 192.168.1.0 255.255.255.0"
push "redirect-gateway def1 bypass-dhcp"
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
route 192.168.1.0 255.255.255.0
keepalive 10 120
cipher AES-128-CBC
user nobody
group nogroup
persist-key
persist-tun
verb 3
crl-verify crl.pem
explicit-exit-notify
client-config-dir client-config
VPN2
local 109.**.**.**
port 1195
proto udp
dev tun1
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-crypt tc.key
topology subnet
server 10.9.0.0 255.255.255.0
status openvpn-status.log
push "redirect-gateway def1 bypass-dhcp"
ifconfig-pool-persist ipp.txt
client-to-client
push "route 10.9.0.0 255.255.255.0"
push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
route 192.168.1.0 255.255.255.0
keepalive 10 120
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
verb 3
crl-verify crl.pem
explicit-exit-notify
client-config-dir client-config
Tracert reaches 10.9.0.2 but goes nowhere after that: "Destination unreachable", while it should be going to the internet from there.
wan/eth0 works perfectly. So does tun0. But once I connect to tun1 I have no internet connection.
Tracert result:
1 <1 ms <1 ms <1 ms OpenWrt.lan [192.168.1.1]
2 37 ms 39 ms 38 ms 10.9.0.1
3 * * * Request timed out.
4 * * ^C
Is it right for me to set VPN1 on dev tun and VPN2 on dev tun1? I'm not sure if that name should be changed there. I did add interface tun1, but I did not know how else to let OVPN2 know that it should connect to tun1. Am I supposed to have different settings on the tun1 interface, maybe?
You certainly need to declare both VPN network interfaces and assign them to the WAN firewall zone.
Also specify each device name with an explicitly numbered suffix in the OpenVPN configs.
VPN1 is now set as dev tun0 and VPN2 is set as dev tun1 on both the client and server side, but unfortunately still no luck. Both interfaces are assigned to the wan zone.
Thu Dec 9 10:15:55 2021 Oyster/84.**.**.**:40801 MULTI: Learn: 10.9.0.2 -> Oyster/84.**.**.**:40801
Thu Dec 9 10:15:55 2021 Oyster/84.**.**.**:40801 MULTI: primary virtual IP for Oyster/84.**.**.**:40801: 10.9.0.2
Thu Dec 9 10:15:56 2021 Oyster/84.**.**.**:40801 PUSH: Received control message: 'PUSH_REQUEST'
Am I supposed to open that port? I configured port 1195; what is port 40801? Could that be something?
In the case of VPN2 the other end is responding on the traceroute, therefore you need to verify why server2 isn't forwarding the packets further. Maybe you have not applied masquerading?
Good point. I also expected the problem to be on the server side, since it can reach the server. But the server doesn't seem to direct the call towards the internet. I did check all the settings I know I can check, and I will post the configs below.
iptables --list-rules:
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -p udp -m udp --dport 1195 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.9.0.0/24 -j ACCEPT
# Generated by iptables-save v1.8.4 on Thu Dec 9 12:48:29 2021
*filter
:INPUT ACCEPT [5988:942101]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [5442:707483]
[32382:5285342] -A INPUT -p udp -m udp --dport 1195 -j ACCEPT
[0:0] -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
[27572:3241586] -A FORWARD -s 10.9.0.0/24 -j ACCEPT
COMMIT
# Completed on Thu Dec 9 12:48:29 2021
# Generated by iptables-save v1.8.4 on Thu Dec 9 12:48:29 2021
*nat
:PREROUTING ACCEPT [9284:1004602]
:INPUT ACCEPT [1520:340726]
:OUTPUT ACCEPT [30:2800]
:POSTROUTING ACCEPT [7791:666400]
[0:0] -A PREROUTING -i ens192 -p tcp -m tcp --dport 44158 -j DNAT --to-destination 10.9.0.2:44158
[0:0] -A PREROUTING -i ens192 -p tcp -m tcp --dport 44158 -j DNAT --to-destination 10.9.0.2:44158
[0:0] -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to-source 109.228.40.81
COMMIT
# Completed on Thu Dec 9 12:48:29 2021
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
The last POSTROUTING rule looks wrong. How can I change it? It should be 10.9.0.0, right?
Is the following command correct? (I don't want to mess it up, and I'm not a Linux guru like you guys are.) iptables -A POSTROUTING -s 10.9.0.0/24 ! -d 10.9.0.0/24 -j SNAT --to-source 109.228.40.81
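The masquerading question raised in the reply above and the SNAT rule asked about in the last post can be checked mechanically. The following script is an added example written for this thread; it is not code from any poster or from OpenVPN. It parses the `server` directive of each OpenVPN server config and the `*nat` table of an `iptables-save` dump, reports which VPN client subnet has no egress SNAT/MASQUERADE rule, flags duplicated rules (the DNAT line for port 44158 appears twice in the dump above), and builds the corrective rule. The config strings and the nat table embedded below are constructed from the posts in this thread; the public IP is the one shown in the posted SNAT rule and is only a placeholder here. Note that POSTROUTING lives in the nat table, so any rule added by hand needs `-t nat`; without it iptables reports that the chain does not exist in the filter table.

```python
import ipaddress
import re

# Constructed sample input: the relevant lines of the two server configs from the thread.
SERVER_CONFIGS = {
    "vpn1": "dev tun0\nserver 10.8.0.0 255.255.255.0\n",
    "vpn2": "dev tun1\nserver 10.9.0.0 255.255.255.0\n",
}

# Constructed sample input: the nat table as posted (iptables-save format, counters dropped).
IPTABLES_SAVE = """\
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i ens192 -p tcp -m tcp --dport 44158 -j DNAT --to-destination 10.9.0.2:44158
-A PREROUTING -i ens192 -p tcp -m tcp --dport 44158 -j DNAT --to-destination 10.9.0.2:44158
-A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to-source 109.228.40.81
COMMIT
"""


def vpn_subnet(config_text):
    """Return the client pool declared by 'server <network> <netmask>', or None."""
    m = re.search(r"^\s*server\s+(\S+)\s+(\S+)", config_text, re.M)
    if not m:
        return None
    return ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)


def nat_egress_rules(save_text):
    """Collect (source subnet, target) for POSTROUTING rules that SNAT or MASQUERADE."""
    rules, in_nat = [], False
    for line in save_text.splitlines():
        if line.startswith("*"):
            in_nat = line.strip() == "*nat"
            continue
        if not in_nat or not line.startswith("-A POSTROUTING"):
            continue
        src = re.search(r"\s-s\s+(\S+)", line)
        tgt = re.search(r"\s-j\s+(SNAT|MASQUERADE)", line)
        if src and tgt:
            rules.append((ipaddress.ip_network(src.group(1)), tgt.group(1)))
    return rules


def missing_egress_nat(configs, save_text):
    """Names of VPN instances whose client pool is not covered by any egress NAT rule."""
    covered = [net for net, _ in nat_egress_rules(save_text)]
    missing = []
    for name, cfg in configs.items():
        net = vpn_subnet(cfg)
        if net is not None and not any(net.subnet_of(c) for c in covered):
            missing.append(name)
    return missing


def duplicate_rules(save_text):
    """Rules that appear more than once in the dump (a sign of a rule added twice)."""
    seen, dups = set(), []
    for line in save_text.splitlines():
        if line.startswith("-A"):
            if line in seen and line not in dups:
                dups.append(line)
            seen.add(line)
    return dups


def fix_command(net, public_ip):
    """Build the egress SNAT rule for a VPN pool; -t nat selects the table POSTROUTING lives in."""
    return (f"iptables -t nat -A POSTROUTING -s {net} ! -d {net} "
            f"-j SNAT --to-source {public_ip}")


if __name__ == "__main__":
    for name in missing_egress_nat(SERVER_CONFIGS, IPTABLES_SAVE):
        net = vpn_subnet(SERVER_CONFIGS[name])
        print(f"{name}: no egress NAT for {net}; add with:")
        print("  " + fix_command(net, "109.228.40.81"))
    for rule in duplicate_rules(IPTABLES_SAVE):
        print("duplicate rule: " + rule)
```

The script only reads a dump, so it can be run against `iptables-save` output from the real server without any risk of changing rules. Two things it cannot see: rules added with `iptables` are lost on reboot unless saved (for example with `iptables-save > /etc/iptables/rules.v4` on systems using iptables-persistent), and forwarding still depends on `net.ipv4.ip_forward` being 1, which the working VPN1 path shows is already the case on this server.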