Openconnect server no internet

Hello,
I followed the steps on the documentation page and, after inserting the firewall rules, I was able to connect to the VPN server from the WAN interface, but the local network cannot access the internet any more. DNS is working but there is no traffic. Any suggestions?

Thanks in advance !

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have

# Diagnostic bundle requested by the forum helper: board info, the UCI
# network/wireless/dhcp/firewall config, the custom firewall.user rules,
# the ocserv config, IPv4 addresses, routes and policy rules, and the
# resolver files.  `uci export` prints credentials verbatim (PPPoE
# password, wireless keys), so redact those, MAC addresses and public
# IPs before posting the output.
ubus call system board
uci export network
uci export wireless
uci export dhcp
uci export firewall
# `head -n -0` prints the whole file ("all but the last 0 lines") with a
# "==> file <==" header, which keeps multi-file output readable.
head -n -0 /etc/firewall.user
uci export ocserv
ip -4 addr
ip -4 ro li tab all
ip -4 ru
ls -l /etc/resolv.* /tmp/resolv.*
head -n -0 /etc/resolv.* /tmp/resolv.*
root@OpenWrt:~# ubus call system board; \
> uci export network; uci export wireless; \
> uci export dhcp; uci export firewall; \
> head -n -0 /etc/firewall.user; uci export ocserv; \
> ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
> ls -l  /etc/resolv.* /tmp/resolv.*; head -n -0 /etc/resolv.* /tmp/resolv.*
{
        "kernel": "4.14.180",
        "hostname": "OpenWrt",
        "system": "MediaTek MT7620A ver:2 eco:6",
        "model": "TP-Link Archer C2 v1",
        "board_name": "tplink,c2-v1",
        "release": {
                "distribution": "OpenWrt",
                "version": "19.07.3",
                "revision": "r11063-85e04e9f46",
                "target": "ramips/mt7620",
                "description": "OpenWrt 19.07.3 r11063-85e04e9f46"
        }
}
package network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdc1:da88:8013::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.1.1'

config device 'lan_eth0_1_dev'
        option name 'eth0.1'
        option macaddr '18:d6:c7:ab:d3:a7'

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'pppoe'
        option password 'removed'
        option ipv6 'auto'
        option username 'removed'

config device 'wan_eth0_2_dev'
        option name 'eth0.2'
        option macaddr '00:00:00:00:00:00'

config interface 'wan6'
        option ifname 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch1'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch1'
        option vlan '1'
        option ports '1 2 3 4 6t'

config switch_vlan
        option device 'switch1'
        option vlan '2'
        option ports '0 6t'

package wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option channel '36'
        option hwmode '11a'
        option path 'pci0000:00/0000:00:00.0/0000:01:00.0'
        option htmode 'VHT80'
        option disabled '0'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option key 'removed'
        option ssid 'wifi'
        option encryption 'psk-mixed'

config wifi-device 'radio1'
        option type 'mac80211'
        option hwmode '11g'
        option path 'platform/10180000.wmac'
        option htmode 'HT20'
        option channel '2'
        option disabled '0'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option key 'removed'
        option ssid 'wifi'
        option encryption 'psk-mixed'

package dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option localservice '1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv6 'server'
        option ra 'server'
        option ra_management '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

uci: Parse error (invalid command) at line 201, byte 1
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
package ocserv

config ocserv 'config'
        option port '4443'
        option dpd '180'
        option max_clients '8'
        option max_same '2'
        option zone 'lan'
        option enable '1'
        option auth 'plain'
        option _ca '-----BEGIN CERTIFICATE-----
--removed---
-----END CERTIFICATE-----
'
        option ipaddr '192.168.1.100'
        option netmask '255.255.255.253'

config dns
        option ip '8.8.8.8'

config ocservusers
        option name 'VpnUser'
        option password ''

config ocservusers

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
8: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
13: pppoe-wan: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc fq_codel state UNKNOWN group default qlen 3
    inet 123.123.123.123 peer 10.0.0.1/32 scope global pppoe-wan
       valid_lft forever preferred_lft forever
default via 10.0.0.1 dev pppoe-wan table 201
default via 10.0.0.1 dev pppoe-wan proto static
10.0.0.1 dev pppoe-wan proto kernel scope link src 123.123.123.123
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
local 123.123.123.123 dev pppoe-wan table local proto kernel scope host src 123.123.123.123
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.1.0 dev br-lan table local proto kernel scope link src 192.168.1.1
local 192.168.1.1 dev br-lan table local proto kernel scope host src 192.168.1.1
broadcast 192.168.1.255 dev br-lan table local proto kernel scope link src 192.168.1.1
0:      from all lookup local
32765:  from all fwmark 0x10000/0xff0000 lookup 201
32766:  from all lookup main
32767:  from all lookup default
lrwxrwxrwx    1 root     root            16 May 16 18:32 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r--    1 root     root            32 Oct  8 15:33 /tmp/resolv.conf
-rw-r--r--    1 root     root            66 Oct  8 15:33 /tmp/resolv.conf.auto
-rw-r--r--    1 root     root            50 Oct  8 15:33 /tmp/resolv.conf.ppp
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1

==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1

==> /tmp/resolv.conf.auto <==
# Interface wan
nameserver 193.231.252.1
nameserver 213.154.124.1

==> /tmp/resolv.conf.ppp <==
nameserver 193.231.252.1
nameserver 213.154.124.1
root@OpenWrt:~#

There is something wrong with your firewall configuration file:
uci: Parse error (invalid command) at line 201, byte 1
Maybe it is malformed?
Try to read it like this: cat /etc/config/firewall


Thanks for the support,
it was a typo in the /etc/config/firewall file.
However, there is an issue with the tutorial: enabling proxy ARP globally with net.ipv4.conf.all.proxy_arp=1 made a mess on my provider's network and they banned me, presumably because the `all` setting also applies to the WAN (PPPoE) interface.
Proxy ARP must be enabled only in /etc/config/ocserv.

Ok, did you update the post with the configs?

Maybe @tmomas can investigate and update the guide? It is anyway 10 years old and I would take it with a pinch of salt.
If there is no specific reason for you to use OpenConnect, there are more modern and better documented solutions like OpenVPN and WireGuard.


I'd prefer if someone with OpenConnect running could update the guide and verify its correctness.


problem was solved by using this guide
