OpenVPN able to connect, can browse to openwrt, but not LAN

Hi,

My apologies in advance, as I know this topic has been brought up a few times. I've searched both these forums, as well as Google, tried various tips/suggestions, but I've reached a place where I'm losing track of what my issue might be.

In short, I'm trying to:

  • Use the iOS OpenVPN client to connect from outside (LTE, not Wi-Fi, so no IP clashing issues) to OpenWrt. This works. I connect fine.
  • Browse to the router's LuCI interface. This works.
  • Browse to any other service (e.g. Unraid's web UI). This doesn't work in OpenWrt. There are no internal firewalls at play. It works with the same keys using Tomato (different router). So my problem has to be my OpenWrt configuration.

My setup:

  • Running a snapshot from a couple of days back, so a recent snapshot. It is however a kernel 5.15 build by Robimarko, as the router is a Xiaomi AX3600.
  • Based on instructions, I have created an unmanaged interface for the VPN. I have tried both putting this interface directly in the LAN zone, as well as (currently) in its own VPN zone, with a zone forwarding for vpn->LAN.
  • I have turned off masquerading as it was said to not be needed in a number of posts.
  • I have tried both with ccd as well as without ccd.
  • IPv6 is off across the board.
  • As mentioned above, the internal hosts I'm trying to reach don't have firewalls. And the same client setup, but against a Tomato firmware OpenVPN server, results in working iOS->LAN host connectivity.

Any help or tips would be really appreciated!

Server Conf

port 1194
dev tun1
#client-config-dir ccd
txqueuelen 1000
keepalive 15 60
verb 3
topology subnet
server 10.6.0.0 255.255.255.0
proto tcp4-server
resolv-retry infinite
data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC
cipher AES-256-GCM
push "route 192.168.0.0 255.255.252.0"
client-to-client
push "dhcp-option DNS 10.6.0.1"

ca PrivateVPN_ca.crt
dh PrivateVPN_dh.pem
cert PrivateVPN_server.crt
key PrivateVPN_server.key
status-version 2
status status 10

ccd file (when previously attempted)

iroute 10.6.0.0 255.255.255.0

Network Conf

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'REMOVED::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        option ipv6 '0'
        list ports 'eth1'
        list ports 'eth2'
        list ports 'eth3'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ip6assign '60'
        option netmask '255.255.252.0'
        option ipaddr '192.168.1.1'

config interface 'wan'
        option device 'eth0'
        option proto 'dhcp'
        option peerdns '0'
        list dns '1.0.0.2'
        list dns '1.1.1.2'

config interface 'VPNTUN'
        option proto 'none'
        option device 'tun1'
        option auto '0'

Firewall Conf

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'vpn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'VPNTUN'

config zone
        option name 'wan'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'
        list network 'MODEM'
        option input 'DROP'
        option forward 'DROP'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled '0'

config include
        option path '/etc/firewall.user'

config rule
        option name 'Allow-VPN-WAN'
        option src 'wan'
        option dest_port '1194'
        option target 'ACCEPT'

config rule
        option src 'lan'
        option dest 'wan'
        option target 'REJECT'
        list src_ip '192.168.0.0/25'
        option name 'IoT No Internet (192.168.0.0 to 127)'

config redirect
        option target 'DNAT'
        option src 'lan'
        option src_dport '53'
        option name 'DNS Intercept Requests'
        option reflection '0'
        option dest 'wan'

config redirect
        option target 'DNAT'
        option name 'NTP Intercept Requests'
        option src 'lan'
        option src_dport '123'
        option reflection '0'
        option dest 'wan'

config include 'qcanssecm'
        option type 'script'
        option path '/etc/firewall.d/qca-nss-ecm'
        option family 'any'
        option reload '1'

config include 'miniupnpd'
        option type 'script'
        option path '/usr/share/miniupnpd/firewall.include'
        option family 'any'
        option reload '1'

config forwarding
        option src 'vpn'
        option dest 'lan'

config forwarding
        option src 'lan'
        option dest 'vpn'

Thanks again!

EDIT: If nothing jumps out, is it possible that this could be a fw4 issue?

Try tun0 in both the firewall and the OpenVPN config.

I updated the OpenVPN server config to tun0.
Updated the interface (in the "interfaces") to tun0.
Restarted the router. Same behaviour.

I don't have the direct interface defined anywhere in firewall. "Covered Devices" for all items is unspecified so covering all...

Forgot to add: iOS OpenVPN Client log:

2022-03-11 21:50:12 Session is ACTIVE
2022-03-11 21:50:12 EVENT: GET_CONFIG
2022-03-11 21:50:12 Sending PUSH_REQUEST to server...
2022-03-11 21:50:12 OPTIONS:
0 [route] [192.168.0.0] [255.255.252.0]
1 [route-gateway] [10.6.0.1]
2 [topology] [subnet]
3 [ping] [15]
4 [ping-restart] [60]
5 [ifconfig] [10.6.0.2] [255.255.255.0]
6 [peer-id] [0]
7 [cipher] [AES-256-GCM]
8 [block-ipv6]
2022-03-11 21:50:12 PROTOCOL OPTIONS:
cipher: AES-256-GCM
digest: NONE
compress: NONE
peer ID: 0

2022-03-11 21:50:12 EVENT: ASSIGN_IP
2022-03-11 21:50:12 NIP: preparing TUN network settings
2022-03-11 21:50:12 NIP: init TUN network settings with endpoint: <<<CORRECT EXTERNAL ADDRESS>>>
2022-03-11 21:50:12 NIP: adding IPv4 address to network settings 10.6.0.2/255.255.255.0
2022-03-11 21:50:12 NIP: adding (included) IPv4 route 10.6.0.0/24
2022-03-11 21:50:12 NIP: adding (included) IPv4 route 192.168.0.0/22
2022-03-11 21:50:12 NIP: blocking all IPv6 traffic
2022-03-11 21:50:12 Connected via NetworkExtensionTUN
2022-03-11 21:50:12 EVENT: CONNECTED <<<CORRECT EXTERNAL ADDRESS>>>:1194 (<<<CORRECT EXTERNAL ADDRESS>>>) via /TCPv4 on NetworkExtensionTUN/10.6.0.2/ gw=[/]

What operating system(s) run on the hosts on your LAN? Some local firewalls will block connections from other subnets -- particularly Windows. You may need to adjust the firewall on those hosts.

Linux as well as Windows.

As I noted however, I am able to connect if swapping the OpenWrt router for an R7000 that I have which runs Tomato firmware. I can connect to Linux web interfaces, and RDP to Windows machines.

I.e., the firewalls are open.

You might try running an official version of OpenWrt (21.02.2 as of now).... see if it works. If it does, that would suggest that there is an issue with the version you are using. You could also reach out to the maintainer of that build to see if there are any known issues or ideas for resolution.

Thanks. I’m afraid this router is not yet supported in stable.

If the settings all seem right, I wonder if it’s a firewall4 issue.

There was a post (I can't remember the user) that seems to have been deleted now.
There was one specific item which I hadn't tried or seen elsewhere, which, when I tried it, immediately resulted in the VPN working as intended.

Specifically: all the guides that I've seen call for setting up a dummy interface to then assign to the firewall.
Instead, within the firewall section of LuCI, I adjusted the VPN server's zone to not be tied to an interface (i.e. "Covered Networks" is now unspecified), but rather, under the "Advanced" tab, selected the specific tunnel for the VPN in the "Covered Devices" dropdown.

With this change, I could connect to my other LAN devices.
DNS resolution wasn't working (e.g. connecting by hostname), but a simple addition to the VPN server config resolved that:

push "dhcp-option DNS 10.6.0.1"
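As an added example (not code from the thread or from OpenWrt), a POSIX shell audit of /etc/config/firewall that tells the two zone bindings apart: the dummy-interface binding the guides call for, and the direct "Covered Devices" binding that fixed it. It assumes the zone is named vpn and the tunnel device is tun0, and constructs both sample zone sections inline.

```shell
# Added example, not from the thread: audit an OpenWrt /etc/config/firewall for
# the zone-binding pitfall discussed above. A zone that only lists an unmanaged
# 'proto none' interface may never be associated with the tunnel device, so
# VPN traffic ends up under the 'config defaults' forward policy (REJECT here).
# Assumed names: zone 'vpn', tunnel device 'tun0' (as in the thread's fix).
set -e

# Print every value of KEY (option or list) inside the zone section named ZONE.
zone_values() {  # zone_values FILE ZONE KEY
    awk -v zone="$2" -v key="$3" -v q="'" '
        function flush() { if (isz && name == zone) printf "%s", out; out = ""; name = ""; isz = 0 }
        /^config/ { flush(); isz = ($2 == "zone") }
        isz && $1 == "option" && $2 == "name" { gsub(q, "", $3); name = $3 }
        isz && ($1 == "option" || $1 == "list") && $2 == key { gsub(q, "", $3); out = out $3 "\n" }
        END { flush() }
    ' "$1"
}

# 0 if ZONE covers DEVICE directly (list/option device), 1 if it is tied only
# to 'list network' entries, 2 if the zone has no network or device binding.
check_zone_binding() {  # check_zone_binding FILE ZONE DEVICE
    devices=$(zone_values "$1" "$2" device)
    networks=$(zone_values "$1" "$2" network)
    if [ -z "$devices" ] && [ -z "$networks" ]; then
        echo "zone '$2': no network/device binding found"; return 2
    fi
    if printf '%s\n' "$devices" | grep -qx "$3"; then
        echo "zone '$2': bound to device $3 (ok)"; return 0
    fi
    echo "zone '$2': bound only to network(s) $(echo $networks), not to device $3"
    return 1
}

# Constructed sample zone sections: the thread's original one vs. the fixed one.
before=$(mktemp); after=$(mktemp)
trap 'rm -f "$before" "$after"' EXIT
cat >"$before" <<'EOF'
config zone
        option name 'vpn'
        option forward 'ACCEPT'
        list network 'VPNTUN'
EOF
cat >"$after" <<'EOF'
config zone
        option name 'vpn'
        option forward 'ACCEPT'
        list device 'tun0'
EOF
check_zone_binding "$before" vpn tun0 || true
check_zone_binding "$after" vpn tun0
```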

Thank you for that tip!
