Need Help with openvpn server on OpenWrt

gosch2912 · November 2, 2019, 12:44pm

Hi,
I hope to get some help here. I am trying to access my homenet thru openvpn and have no more ideas.
In my house there are 3 floors. Downstairs comes my Internet there is installed a TP-Link Archer VR600. It has static LAN Adress 192.168.178.1 - called rooter) without dhcp.
My network cables go from there to some rooms like living room (basement), child1,child2,parents,(1st floor, there is nothing connected) an Rooftop.

In the livingroom there is a TP-Link TL-WDR4300 v1 with openWrt Image
OpenWrt 18.06.4 r7808-ef686b7292 / LuCI openwrt-18.06 branch (git-19.170.32094-4d6d8bc)
(called dhcp) with static adress 192.168.178.2 and serves dhcp to all clients who has no static adress, and WLAN.
I use adblock plugin.
Rooftop there is a fritzbox configuered as client, who serves WLAN und LAN .
The SSIDS are all the same.
I have no Problems at home.
But I am not able to access my Lan from outside thru openvpn.
I post my configs , and hope somebody finds what is going wrong.

root@dhcp:~# cat /etc/config/network



config globals 'globals'
	option ula_prefix 'fdf3:0c94:0518::/48'

config interface 'lan'
	option type 'bridge'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.178.2'
	option stp '1'
	option broadcast '192.168.178.0'
	option delegate '0'
	option gateway '192.168.178.1'
	option igmp_snooping '1'
	option ifname 'eth0 eth0.1 eth0.2  tun0'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '0t 2 3 4 5'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option vid '2'
	option ports '0t 1'

config interface 'vpn0'
	option ifname 'tun0'
	option proto 'none'
	option auto '1'

root@dhcp:~# cat /etc/config/firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option network 'lan'
	option forward 'ACCEPT'
	option masq '1'
	option mtu_fix '1'

config rule
	option name 'Allow-DHCP-Renew'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'
	option src 'lan'

config rule
	option name 'Allow-Ping'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'
	option src '*'
	option dest '*'

config rule
	option name 'Allow-IGMP'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'
	option src 'lan'

config rule
	option name 'Allow-IPSec-ESP'
	option proto 'esp'
	option target 'ACCEPT'
	option family 'ipv4'
	option src '*'
	option dest '*'

config rule
	option name 'Allow-ISAKMP'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'
	option family 'ipv4'
	option src '*'
	option dest '*'

config include
	option path '/etc/firewall.user'

config rule
	option name 'Allow-OpenVPN-Inbound'
	option target 'ACCEPT'
	option src '*'
	option proto 'udp'
	option dest_port '1194'

config zone
	option name 'vpn'
	option input 'ACCEPT'
	option forward 'REJECT'
	option output 'ACCEPT'
	option network 'vpn0'

config forwarding
	option src 'vpn'
	option dest 'lan'

config redirect 'ovpn'
	option name 'Redirect-OpenVPN'
	option src 'lan'
	option src_dport '1194'
	option dest 'lan'
	option dest_ip '192.168.178.2'
	option family 'ipv4'
	option proto 'udp'
	option target 'DNAT'

config redirect 'adblock_dns_53'
	option name 'Adblock DNS, port 53'
	option src 'lan'
	option proto 'tcp udp'
	option src_dport '53'
	option dest_port '53'
	option target 'DNAT'

config redirect 'adblock_dns_853'
	option name 'Adblock DNS, port 853'
	option src 'lan'
	option proto 'tcp udp'
	option src_dport '853'
	option dest_port '853'
	option target 'DNAT'

config redirect 'adblock_dns_5353'
	option name 'Adblock DNS, port 5353'
	option src 'lan'
	option proto 'tcp udp'
	option src_dport '5353'
	option dest_port '5353'
	option target 'DNAT'

root@dhcp:~# cat /etc/config/openvpn

config openvpn 'dhcp'
#	option reneg_sec '0'
	option persist_key '1'
	option verb '5'
	option port '1194'
	option dev_type 'tun'
	option dev 'tun0'
	option ca '/etc/openvpn/certs/ca.crt'
	option dh '/etc/openvpn/certs/dh.pem'
	option cert '/etc/openvpn/certs/server.crt'
	option key '/etc/openvpn/certs/server.key'
	option enabled '1'
	option log '/var/log/openvpn.log'
	option mode 'server'
	option client_to_client '1'
	option topology 'subnet'
	option server '10.10.10.0 255.255.255.0'
	option float '1'
#	option persist_tun '1'
	option keepalive '10 120'
	option tls_server '1'
	option cipher 'BF-CBC'
#	option local '192.168.178.2'
	list push 'route 192.168.178.0 255.255.255.0'
#	list push 'persist-tun'
#	list push 'persist-key'
#	list push 'compress lzo'

root@dhcp:~# ip route show


default via 192.168.178.1 dev br-lan 
10.10.10.0/24 via 192.168.178.2 dev br-lan 
192.168.178.0/24 dev br-lan scope link  src 192.168.178.2

Port 1194 at "rooter" (Downstairs/192.168.178.1) is forwarded to "dhcp" (livingroom/192.168.178.2)
static route at "rooter" is 10.10.10.0 gw 192.168.178.2
This text will be hidden
static route at fritzbox is static route at "rooter" is 10.10.10.0 gw 192.168.178.2

I tryed at "dhcp":

ip route add 10.10.10.0 via 192.168.178.2 dev tun0

and got

ip: RTNETLINK answers: Network unreachable

so I did

ip route add 10.10.10.0 via 192.168.178.2

some more info...

root@dhcp:~# netstat -tulpe | grep openvpn
udp        0      0 0.0.0.0:openvpn         0.0.0.0:*                           24191/openvpn

is that right?
Im such confused . thank you for help.

trendy · November 2, 2019, 6:31pm

For a start this is wrong. Delete it, as it is calculated automatically.

Why is this redirect?

config redirect 'ovpn'
	option name 'Redirect-OpenVPN'
	option src 'lan'
	option src_dport '1194'
	option dest 'lan'
	option dest_ip '192.168.178.2'
	option family 'ipv4'
	option proto 'udp'
	option target 'DNAT'

This is not needed, you have already allowed everything in LAN zone.

config rule
	option name 'Allow-OpenVPN-Inbound'
	option target 'ACCEPT'
	option src '*'
	option proto 'udp'
	option dest_port '1194'

This is also wrong, as it should be routed via dev tun0.

Also this is not needed, because you are NATing on the LAN zone.

I suggest you follow the guide, adjusting it you your needs, since you only have lan and not wan.
https://openwrt.org/docs/guide-user/services/vpn/openvpn/basic

psherman · November 2, 2019, 7:37pm

+1 to @trendy's comments.

But my addition -- have you added port forwarding from the main router (connected to the internet -- I believe the one that is 192.168.178.1)? You need to port forward UDP 1194 to 192.168.178.2.

trendy · November 2, 2019, 7:45pm

It is, he mentioned it after the routes.

gosch2912 · November 3, 2019, 10:46am

Thank you for you help. I thougt about very often about the no WAN "problem" and the site you posted I read again and again. I change the config like you posted. Maybe you can give me a Info where I have to look special https://openwrt.org/docs/guide-user/services/vpn/openvpn/basic?
thx a lot.

trendy · November 3, 2019, 7:57pm

Firewall seems to be fine, if you removed the redirect. I would start by building the configuration file for the server and the clients.