Open VPN on ChaosCalmer behind ISP modem

Hi, I currently have setup as descibed in attached files. OPenVPN connection works, but I can only have access to interfaces (192.168.3.2 and 192.168.3.3) of OpenWRT device. Other devices in LAN (for example 192.136.3.4) are not accessible from client connected through OpenPVN . Server config is:

/etc/config/openvpn
config openvpn 'vpnserver'
        option enabled '1'
        option dev_type 'tun'
        option dev 'ovpns0'
        option port '1194'
        option proto 'udp'
        option comp_lzo 'yes'
        option keepalive '10 120'
        option persist_key '1'
        option persist_tun '1'
        option ca '/etc/openvpn/ca.crt'
        option cert '/etc/openvpn/my-server.crt'
        option key '/etc/openvpn/my-server.key'
        option dh '/etc/openvpn/dh2048.pem'
        option tls_auth '/etc/openvpn/tls-auth.key 0'
        option mode 'server'
        option tls_server '1'
        option server '192.168.200.0 255.255.255.0'
        option topology 'subnet'
        option route_gateway 'dhcp'
        option client_to_client '1'
        list push 'comp-lzo yes'
        list push 'persist-key'
        list push 'persist-tun'
        list push 'topology subnet'
        list push 'route-gateway dhcp'
        list push 'redirect-gateway def1'
        list push 'route 192.168.200.0 255.255.255.0'
        list push 'dhcp-option DNS 192.168.3.2'

Client config is:

  client
  dev tun
  proto udp
  fast-io
  remote <XXX.XXX.XXX.XXX> 1194
  remote-cert-tls server
  nobind
  persist-key
  persist-tun
  comp-lzo no
  verb 3
  key-direction 1

Frankly - I am not sure if it is network configuration on OpenWRT issue, or something should be fixed in OpenVPN config.

I don't understand "192.168.3.3 (defined as LAN)". What's connected to LAN on OpenWrt and why does LAN use the same subnet as WAN?

I have done this successfully -- you'll need to make a few changes to get things working.

There are some pre-reqs -- the firewall in the OpenWRT system must be modified a bit since, by default, it will block new incoming traffic into its WAN port -- you're going to need to open a few ports for this specific process to work.

In the firewall, make sure you've added a traffic rule for 'any UDP from any host in any zone to any IP at port 1194'
The rule will look like this in /etc/config/firewall:

config rule
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '1194'
	option name 'Allow-UDP1194-Inbound'
	option src '*'

Also in your firewall config, be sure to have forwarding from your VPN zone > WAN... something like this:

config forwarding
	option dest 'wan'
	option src 'vpn'

Similarly, you may wish to do this with ssh (TCP 22) and http (TCP 80) to make it easy to connect to your OpenWRT router from its WAN port for ssh and LuCI admin (if you don't do this, you'll need to connect a computer to the OpenWRT LAN port in order to connect). It should be noted that these two should pretty much never be opened when the OpenWRT router is directly facing the internet, but here the WAN port on your OpenWRT router is part of your normal LAN which should be protected by your ISP modem/router.

Now, based on the fact that your ISP has the LAN on 192.168.3.0/24, your OpenWRT device must have its LAN set to something else -- let's say 192.168.4.0/24. Restrict your DHCP pool on the OpenWRT LAN to say .10 - .50. It won't really be necessary anyway.

Normally, the OpenVPN server must be on a different subnet than any LAN it will connect to, but In my experience, I've been able to use an overlapping subnet. So try using:
option server '192.198.4.208 255.255.255.240'

Change the route and dchp-option directives in your file to match this:

	list push 'route 192.168.3.0 255.255.255.0'
	list push 'dhcp-option DNS 192.168.3.1'

You can handle the OpenWRT WAN port IP address by either setting it as a static IP in the OpenWRT Network config (be sure to also include the gateway 192.168.3.1 and DNS of either 192.168.3.1 or external ones like 8.8.8.8), or possibly better is to set it to use DHCP and set the ISP router to provide a DHCP reservation (also known as static DHCP, DHCP mapping, etc) of 192.168.3.2 to your OpenWRT (be sure to use the MAC address of the OpenWRT WAN port when defining that DHCP reservation)

Now, connect your main LAN to the WAN port of your OpenWRT device.

Make sure you're ISP router's firewall is set to forward UDP 1194 > 192.168.3.2 and that your OpenWRT router is working at that address (ping, try connecting via LuCI and/or ssh.

Now try connecting from outside your network and see if you can reach your server.

If you have difficulty, please post your firewall, network, DHCP, and openvpn config files.

Basicaly, my ISP allows only to configure DHCP range at my router side. After applying config I have ISP ruter/modem acting as LAN DHCP server with range of IP leases for clients. X.X.X.1/24 address is assigned to Router/Modem LAN and it is a gateway for all LAN devices. I didn't find option to configure this router in any other way - like for example for two separate networks at LAN side.

Almost everything I was suggesting was to be performed on your LEDE device (behind your ISP router).

The only thing you must be able to do with the ISP router are the following things:

1. determine the subnet and IP address of the router (this is easy, just look at your DHCP assigned address and gateway for any device attached).
2. Ideally set a static DHCP assignment for your LEDE device so that it always has the same address behind your ISP router. If this is not possible, you'll want to be able to assign the LEDE device a static IP, so you need to know the range of DHCP addresses so you can avoid a conflict.
3. Setup port-forwarding from the internet --> LEDE device for UDP port 1194. If you cannot do port forwarding, your OpenVPN server will probably never work, but most routers do allow you to do this.

Everything else is on the LEDE device -- including those firewall rules I provided. That is because you're going to be connecting to the WAN port of the LEDE device (ISP router LAN port --> LEDE router WAN port), so you need to make sure you open the relevant ports.

It looks like you're well on your way to getting things up and going!

As soon as you get to a good "stopping point", I'd strongly recommend upgrading to a currently patched version of OpenWRT.

While the configuration approaches are generally the same between ChaosCalmer and LEDE 17.01 and the forthcoming OpenWRT 18.06, getting onto at least the current LEDE 17.01 is highly recommended for security reasons, especially with the recent revelations around aggressive attacks on SOHO routers. Being over two years old and based on Linux, busybox, and other, third-party, embedded-system utilities, ChaosCalmer most likely has significant security weaknesses in the wireless implementation, kernel, and utilities.

+1 to @jeff 's suggestion regarding upgrading to LEDE 17.01 (.4) -- much more recent and likely to be safer.

With OpenVPN servers on LEDE 17.01.x, there are a few threads about the fact that it will not work properly until after performing a service restart... it turns out that this is due to a sequencing issue where the LEDE router's clock has not yet been updated at the time of OpenVPN services starting, which in turn causes problems when trying to connect. The solution is to delay service start until NTP has successfully set the time. There are a few ways to do this, but keep it in mind for when you switch to LEDE 17.01.4.

Thank @psherman!
It all works now perfectly!
I wonder how routing is realized. Basically i can understand that my Windows 10 client has all the routing pushed thorough OpenVPN server:

route print:

Destination - 0.0.0.0
Netmask - 128.0.0.0
Gateway - 192.168.4.209
Interface - 192.168.4.210
Metric - 291

I wonder also what if I put VPN server on another port, and with TCP protocol (instead of UDP) to be able to get when using some more secured networks?
Any best practices in that matter?

And for last, I think I can not upgrade to LEDE 17.01.x, as my router is TP-Link TL-WR1043N/ND v2.