Wondering if you can help me. I'm fairly new to OpenWRT so please bear with me.
I currently have a BT HomeHub 5 Type A with OpenWRT installed. This works great. I have installed OpenVPN from the package lists and configured the sample_client to connect to my OpenVPN Server. It has connected successfully and shows as a connected device on the OpenVPN Server. So no problems there.
However, I'm trying to get this to be a whole-site VPN so that ALL traffic on my LAN side can communicate through the VPN. It seems that no LAN devices can ping the OpenVPN server, nor can the router. I went to the 'Diagnostics' tab in OpenWRT and tried to ping the host '10.1.10.1' of the OpenVPN server. This received NO RESPONSE and 100% packet loss.
I suppose what I'm trying to ask is why there is no 'Interface' linked to the VPN and how I go about doing this. I have also created a static route to send all 10.1.10.0/24 traffic through the gateway of the VPN connection, which is 10.120.0.1.
# Declare tun0 as an unmanaged ("proto none") OpenWrt interface so it shows up under Interfaces and can be assigned to a firewall zone
uci set network.vpn0="interface"
uci set network.vpn0.ifname="tun0"
uci set network.vpn0.proto="none"
uci commit network
# Apply the change and bring the tunnel back up
service network restart
service openvpn restart
@CalTommo, on your OpenWRT router, what is the output from 'ifconfig' and 'netstat -nr'? Is the OpenVPN server new, or is it already supporting other OpenVPN clients similar to the one you set up on OpenWRT? Do you have access to the OpenVPN server?
It sounds like your OpenWRT has been assigned VPN (tun0) address 10.120.0.2, while the OpenVPN address is 10.120.0.1. From OpenWRT, can you ping 10.120.0.1? From the OpenVPN server, can you ping 10.120.0.2?
From your description, it appears that there is a 10.1.10.0/24 network behind the OpenVPN server. Is this network directly connected to the OpenVPN server?
I recently set up a travel router where all traffic from the router and from devices connected to the router would be sent down the OpenVPN tunnel to the OpenVPN server that would then route traffic to the Internet or other OpenVPN clients. It took a while to get the routing correct.
Thanks for your response! I have attached the outputs of those commands in a post below. My OpenVPN server is running on a PfSense Box which does all the routing for my home network. I have only used it in the past for connecting clients via the OpenVPN windows client you can download. This has worked great in the past.
However, the purpose of connecting OpenWRT to this is to create a Site-To-Site VPN from another site to the PfSense network running the OpenVPN Server. I want to use the OpenWRT router to route all traffic through to that and create one big LAN which all the devices can communicate. The OpenVPN server has never been used for site-to-site connections before and has only just had 2/3 clients connected using the windows GUI.
The OpenVPN server is fully accessible and I can make any changes required to this. The OpenVPN server is set to assign clients IP addresses in the range of 10.120.0.x, whilst the PfSense LAN network is on the 10.1.10.x subnet. It may make more sense if I change this so that everything is on the same IP range. I get no response when pinging 10.120.0.1 from OpenWRT and no response when pinging 10.120.0.2 from PfSense (OpenVPN Server).
@CalTommo, I am no expert at OpenVPN and have not used a lot of the options that you seem to be pushing to the OpenVPN client on your OpenWRT router.
OpenVPN needs to have a different IP range than your PfSense LAN range - it is the range used for the unencrypted traffic between the OpenVPN clients and the OpenVPN server. If you run tcpdump on the tun0 interface on either end, you should see the unencrypted 10.120.0.x traffic.
The first thing I would check is whether the OpenVPN client on OpenWRT is actually able to successfully start the tunnel to your OpenVPN server. The last line in your OpenVPN log "Thu Nov 8 16:51:37 2018 daemon.err openvpn(sample_client)[16330]: write UDP: Operation not permitted (code=1)" might be a clue, especially if it is repeated. I am not seeing that error on another OpenVPN client running UDP. I also do not see "UID set to nobody" but I am running OpenVPN 2.3.7 on the server and OpenVPN 2.4.0 on the client.
I installed OpenVPN on my OpenWRT router using the instructions from https://openwrt.org/docs/guide-user/services/vpn/openvpn/basic. I created new certificates and generated a combined .ovpn file that I uploaded to OpenWRT. The only issue I had was that 'uci set openvpn.vpnclient.config' cannot be set to the ovpn file but must point to /etc/openvpn/vpnclient.ovpn. I created a ccd file for OpenWRT with 'push "redirect-gateway"' since I wanted all traffic from OpenWRT to be sent down the OpenVPN tunnel. I had no problem pinging the OpenVPN server address since the source IP and destination IPs were on the tun0 interface address range, so routing was not involved.
If your OpenVPN server supports TCP, you might try switching to that to see if that provides better diagnostic information. Also, bring up one of your Windows OpenVPN clients and compare the IP addressing and routing to your OpenWRT setup.
My suspicion is some sort of a firewall problem on the OpenWRT side. Following the Basic OpenVPN setup, the following additions were made to /etc/config/firewall
If you cannot see any reason why 10.120.0.2 cannot ping 10.120.0.1, you can run tcpdump on tun0 in one window and on br-lan in another (filtering out ssh traffic) while you ping 10.120.0.1. You should see the ping packets on tun0, and matching encrypted packets sent to your OpenVPN server.
Once your OpenVPN tunnel is up and functional, I will post the changes I needed so that clients on the OpenWRT router could use the OpenVPN tunnel.
I appreciate your help with this. Would it be easier for you to remote on this evening using TeamViewer and have a look at the config? I can also get you access to the PfSense so you can look at the config on that end. If not, no problem, I'll keep troubleshooting with the steps you gave me.
Hi Callum, unfortunately, I have a couple of project deadlines at the moment. I also have never had to debug an OpenVPN client that would not connect, so it would involve a lot of trial and error that can quickly eat up the hours. I may be able to free up some time later in the week.
Increasing log verbosity on the OpenVPN client and server might help reveal a problem. I would also suggest creating a very basic ovpn configuration for OpenWRT and double-check any configuration settings that you are pushing from the OpenVPN server.
I just had a closer look at your ifconfig - your tun0 IP is the same as your P-t-P address (mine are different) and your 'netstat -nr' also looks different. Are you using 'topology subnet'? I am still using 'topology net30' that is the default on OpenVPN 2.3, which may be the explanation. I have no experience configuring OpenVPN for topology subnet.
The important thing is to do all your testing logged directly into the OpenWRT device, so that the source IP of any pings is your 10.120.0.2 address.
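The routing point made in the replies above (pings between the two tun0 addresses need no routing, a ping sourced from 10.120.0.2 only needs the tunnel route for its reply, but a ping from a LAN client behind OpenWRT needs the OpenVPN server to have a route back to that LAN) can be traced on paper. The following is an added example, not code from this thread, OpenWrt, OpenVPN or pfSense: it models each box's routing table as data and walks an echo request and its reply hop by hop. The tunnel range 10.120.0.0/24 (server 10.120.0.1, OpenWRT 10.120.0.2) and the pfSense LAN 10.1.10.0/24 come from the thread; the OpenWRT LAN 192.168.1.0/24, the interface names and the public WAN addresses are assumptions.

```python
"""Hop-by-hop route walk for the OpenWrt <-> pfSense/OpenVPN site-to-site setup.

Added example, not code from the thread, OpenWrt or OpenVPN.  Each box's
routing table is plain data and a ping is traced there and back, so the
classic site-to-site failure (the OpenVPN server has no route back to the
remote LAN, so echo replies leave via its WAN) shows up without a router.
From the thread: tunnel 10.120.0.0/24 (server 10.120.0.1, OpenWrt 10.120.0.2)
and the pfSense LAN 10.1.10.0/24.  Assumed: OpenWrt LAN 192.168.1.0/24,
the interface names and the public WAN addresses.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Route:
    prefix: str             # destination network
    dev: str                # egress interface (decides the next box here)
    via: str | None = None  # next hop, None when directly connected


@dataclass
class Node:
    name: str
    addrs: dict             # interface -> own address
    routes: list
    links: dict = field(default_factory=dict)  # interface -> neighbouring Node

    def owns(self, addr: str) -> bool:
        return addr in self.addrs.values()


def lookup(routes: list, dst: str) -> Route | None:
    """Longest-prefix match, as the kernel does it."""
    a = ipaddress.ip_address(dst)
    hits = [r for r in routes if a in ipaddress.ip_network(r.prefix)]
    return max(hits, key=lambda r: ipaddress.ip_network(r.prefix).prefixlen,
               default=None)


def trace(node: Node, dst: str, max_hops: int = 8):
    """Forward a packet towards dst; returns (delivered, nodes visited, reason)."""
    path = [node]
    for _ in range(max_hops):
        if node.owns(dst):
            return True, path, "delivered"
        r = lookup(node.routes, dst)
        if r is None:
            return False, path, f"{node.name}: no route to {dst}"
        node = node.links[r.dev]
        path.append(node)
    return False, path, "hop limit exceeded (routing loop?)"


def ping(src: Node, src_ip: str, dst: str) -> dict:
    """Echo request src -> dst, then the reply from whoever owns dst back to src_ip."""
    ok, path, why = trace(src, dst)
    if not ok:
        return {"ok": False, "request": why, "reply": "not sent"}
    ok, _, why_back = trace(path[-1], src_ip)
    return {"ok": ok, "request": " > ".join(n.name for n in path), "reply": why_back}


def build(server_has_return_route: bool) -> dict:
    """Four boxes plus an 'internet' sink that has no route to private space."""
    internet = Node("internet", {}, [])
    pc = Node("lan-pc", {"eth0": "192.168.1.100"},
              [Route("192.168.1.0/24", "eth0"), Route("0.0.0.0/0", "eth0", "192.168.1.1")])
    owrt = Node("openwrt",
                {"br-lan": "192.168.1.1", "tun0": "10.120.0.2", "wan": "198.51.100.10"},
                [Route("192.168.1.0/24", "br-lan"),
                 Route("10.120.0.0/24", "tun0"),
                 Route("10.1.10.0/24", "tun0", "10.120.0.1"),  # the static route from the thread
                 Route("0.0.0.0/0", "wan", "198.51.100.1")])
    pf = Node("pfsense",
              {"ovpns1": "10.120.0.1", "lan": "10.1.10.1", "wan": "203.0.113.5"},
              [Route("10.120.0.0/24", "ovpns1"),
               Route("10.1.10.0/24", "lan"),
               Route("0.0.0.0/0", "wan", "203.0.113.1")])
    if server_has_return_route:
        # Kernel-level result of 'iroute 192.168.1.0 255.255.255.0' in the
        # client's ccd file plus 'route 192.168.1.0 255.255.255.0' on the server.
        pf.routes.append(Route("192.168.1.0/24", "ovpns1", "10.120.0.2"))
    pfpc = Node("pf-lan-pc", {"eth0": "10.1.10.50"},
                [Route("10.1.10.0/24", "eth0"), Route("0.0.0.0/0", "eth0", "10.1.10.1")])
    for a, ia, b, ib in [(pc, "eth0", owrt, "br-lan"), (owrt, "tun0", pf, "ovpns1"),
                         (pf, "lan", pfpc, "eth0"), (owrt, "wan", internet, "-"),
                         (pf, "wan", internet, "-")]:
        a.links[ia], b.links[ib] = b, a
    return {n.name: n for n in (pc, owrt, pf, pfpc)}


def scenario(server_has_return_route: bool) -> dict:
    n = build(server_has_return_route)
    return {
        # tun0 to tun0: nothing beyond the tunnel interfaces is consulted
        "router_to_server": ping(n["openwrt"], "10.120.0.2", "10.120.0.1"),
        # the test the thread recommends: sourced from 10.120.0.2, the reply
        # only needs the server's tunnel route
        "router_to_pf_lan": ping(n["openwrt"], "10.120.0.2", "10.1.10.1"),
        # a client behind OpenWrt: the reply must find 192.168.1.0/24 via the tunnel
        "lan_pc_to_pf_lan": ping(n["lan-pc"], "192.168.1.100", "10.1.10.1"),
    }


def endpoint_route_ok(node: Node, server_public_ip: str, tun_dev: str = "tun0") -> bool:
    """The encrypted UDP to the server must not itself be routed into the tunnel."""
    r = lookup(node.routes, server_public_ip)
    return r is not None and r.dev != tun_dev


if __name__ == "__main__":
    for flag in (False, True):
        print(f"server has return route: {flag}")
        for name, res in scenario(flag).items():
            print(f"  {name:18} ok={res['ok']!s:5} reply: {res['reply']}")
```

Running it shows the first two pings succeeding in both scenarios and the LAN client's ping failing until the server gets the return route: the request is delivered, but pfSense sends the echo reply to 192.168.1.100 out of its default route, where no one has a route to it. `endpoint_route_ok` is the separate sanity check for a whole-site setup: once all traffic is steered into the tunnel, the route to the server's public address must still leave via the WAN, or the tunnel is asked to carry its own transport.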