OPENVPN as Client Please HELP ** URGENT

Hi Guys,

Wondering if you can help me. I'm fairly new to OpenWRT so please bear with me.

I currently have a BT HomeHub 5 Type A with OpenWRT installed. This works great. I have installed openVPN from the package lists and configured the sample_client to connect to my OpenVPN Server. It has connected successfully and shows as a connected device on the OpenVPN Server. So no problems there.

However, I'm trying to get this to be a whole-site VPN so that ALL traffic on my LAN side can communicate through the VPN. It seems that no LAN devices can ping the openVPN server nor can the router. I went to the 'Diagnostics' tab in OpenWRT and tried to ping the host '10.1.10.1' of the OpenVPN server. This received NO RESPONSE and 100% packet loss.

I suppose what I'm trying to ask is why there is no 'Interface' linked to the VPN, and how I go about doing this. I have also created a static route to send all 10.1.10.0/24 traffic through the gateway of the VPN connection, which is 10.120.0.1.

Any help would be appreciated!

If you have any questions just ask!

Thanks in advance.

uci show network
uci show firewall

Your network configuration is missing that interface.

uci set network.vpn0="interface"
uci set network.vpn0.ifname="tun0"
uci set network.vpn0.proto="none"
uci commit network
service network restart
service openvpn restart

https://openwrt.org/docs/guide-user/services/vpn/openvpn/start

Hi,

I did the commands you mentioned, everything rebooted. However, still getting 100% packet loss when pinging any remote hosts.

PING 10.1.10.1 (10.1.10.1): 56 data bytes

--- 10.1.10.1 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss

However, I do now have an interface called VPN0

service log restart; service openvpn restart
sleep 10; logread -e openvpn; pgrep -f -a openvpn
Thu Nov  8 16:51:34 2018 daemon.err openvpn(sample_client)[16022]: event_wait : Interrupted system call (code=4)
Thu Nov  8 16:51:34 2018 daemon.notice openvpn(sample_client)[16022]: /sbin/route del -net 10.1.10.0 netmask 255.255.255.0
Thu Nov  8 16:51:34 2018 daemon.warn openvpn(sample_client)[16022]: ERROR: Linux route delete command failed: external program exited with error status: 1
Thu Nov  8 16:51:34 2018 daemon.notice openvpn(sample_client)[16022]: Closing TUN/TAP interface
Thu Nov  8 16:51:34 2018 daemon.notice openvpn(sample_client)[16022]: /sbin/ifconfig tun0 0.0.0.0
Thu Nov  8 16:51:34 2018 daemon.warn openvpn(sample_client)[16022]: Linux ip addr del failed: external program exited with error status: 1
Thu Nov  8 16:51:34 2018 daemon.notice openvpn(sample_client)[16022]: SIGTERM[hard,] received, process exiting
Thu Nov  8 16:51:35 2018 daemon.notice openvpn(sample_client)[16330]: OpenVPN 2.4.5 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Thu Nov  8 16:51:35 2018 daemon.notice openvpn(sample_client)[16330]: library versions: OpenSSL 1.0.2p  14 Aug 2018, LZO 2.10
Thu Nov  8 16:51:35 2018 daemon.notice openvpn(sample_client)[16330]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Nov  8 16:51:35 2018 daemon.notice openvpn(sample_client)[16330]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Nov  8 16:51:35 2018 daemon.notice openvpn(sample_client)[16330]: TCP/UDP: Preserving recently used remote address: [AF_INET]82.29.59.174:1194
Thu Nov  8 16:51:35 2018 daemon.notice openvpn(sample_client)[16330]: Socket Buffers: R=[163840->163840] S=[163840->163840]
Thu Nov  8 16:51:35 2018 daemon.notice openvpn(sample_client)[16330]: UDP link local: (not bound)
Thu Nov  8 16:51:35 2018 daemon.notice openvpn(sample_client)[16330]: UDP link remote: [AF_INET]82.29.59.174:1194
Thu Nov  8 16:51:35 2018 daemon.notice openvpn(sample_client)[16330]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Thu Nov  8 16:51:35 2018 daemon.notice openvpn(sample_client)[16330]: TLS: Initial packet from [AF_INET]82.29.59.174:1194, sid=6b977c04 28a94bd8
Thu Nov  8 16:51:35 2018 daemon.warn openvpn(sample_client)[16330]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Thu Nov  8 16:51:35 2018 daemon.notice openvpn(sample_client)[16330]: VERIFY OK: depth=1, C=GB, ST=Cheshire, L=Runcorn, O=ThomasFamily Network, emailAddress=callumthomas@mail.com, CN=internal-ca
Thu Nov  8 16:51:35 2018 daemon.notice openvpn(sample_client)[16330]: VERIFY KU OK
Thu Nov  8 16:51:35 2018 daemon.notice openvpn(sample_client)[16330]: Validating certificate extended key usage
Thu Nov  8 16:51:35 2018 daemon.notice openvpn(sample_client)[16330]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Thu Nov  8 16:51:35 2018 daemon.notice openvpn(sample_client)[16330]: VERIFY EKU OK
Thu Nov  8 16:51:35 2018 daemon.notice openvpn(sample_client)[16330]: VERIFY OK: depth=0, C=GB, ST=Cheshire, L=Runcorn, O=ThomasFamily Network, emailAddress=callumthomas@mail.com, CN=Thomasfamily.Local
Thu Nov  8 16:51:35 2018 daemon.warn openvpn(sample_client)[16330]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1558', remote='link-mtu 1557'
Thu Nov  8 16:51:35 2018 daemon.warn openvpn(sample_client)[16330]: WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
Thu Nov  8 16:51:35 2018 daemon.notice openvpn(sample_client)[16330]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Thu Nov  8 16:51:35 2018 daemon.notice openvpn(sample_client)[16330]: [Thomasfamily.Local] Peer Connection Initiated with [AF_INET]82.29.59.174:1194
Thu Nov  8 16:51:36 2018 daemon.notice openvpn(sample_client)[16330]: SENT CONTROL [Thomasfamily.Local]: 'PUSH_REQUEST' (status=1)
Thu Nov  8 16:51:36 2018 daemon.notice openvpn(sample_client)[16330]: PUSH: Received control message: 'PUSH_REPLY,route 10.1.10.0 255.255.255.0,dhcp-option DOMAIN ThomasFamily.Local,dhcp-option DNS 10.1.10.2,dhcp-option DNS 10.1.10.1,block-outside-dns,register-dns,dhcp-option NTP 83.231.219.49,route-gateway 10.120.0.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.120.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM'
Thu Nov  8 16:51:36 2018 daemon.err openvpn(sample_client)[16330]: Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:5: block-outside-dns (2.4.5)
Thu Nov  8 16:51:36 2018 daemon.err openvpn(sample_client)[16330]: Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:6: register-dns (2.4.5)
Thu Nov  8 16:51:36 2018 daemon.notice openvpn(sample_client)[16330]: OPTIONS IMPORT: timers and/or timeouts modified
Thu Nov  8 16:51:36 2018 daemon.notice openvpn(sample_client)[16330]: OPTIONS IMPORT: --ifconfig/up options modified
Thu Nov  8 16:51:36 2018 daemon.notice openvpn(sample_client)[16330]: OPTIONS IMPORT: route options modified
Thu Nov  8 16:51:36 2018 daemon.notice openvpn(sample_client)[16330]: OPTIONS IMPORT: route-related options modified
Thu Nov  8 16:51:36 2018 daemon.notice openvpn(sample_client)[16330]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Thu Nov  8 16:51:36 2018 daemon.notice openvpn(sample_client)[16330]: OPTIONS IMPORT: peer-id set
Thu Nov  8 16:51:36 2018 daemon.notice openvpn(sample_client)[16330]: OPTIONS IMPORT: adjusting link_mtu to 1625
Thu Nov  8 16:51:36 2018 daemon.notice openvpn(sample_client)[16330]: OPTIONS IMPORT: data channel crypto options modified
Thu Nov  8 16:51:36 2018 daemon.notice openvpn(sample_client)[16330]: Data Channel: using negotiated cipher 'AES-256-GCM'
Thu Nov  8 16:51:36 2018 daemon.notice openvpn(sample_client)[16330]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Nov  8 16:51:36 2018 daemon.notice openvpn(sample_client)[16330]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Nov  8 16:51:36 2018 daemon.notice openvpn(sample_client)[16330]: TUN/TAP device tun0 opened
Thu Nov  8 16:51:36 2018 daemon.notice openvpn(sample_client)[16330]: TUN/TAP TX queue length set to 100
Thu Nov  8 16:51:36 2018 daemon.notice openvpn(sample_client)[16330]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Thu Nov  8 16:51:36 2018 daemon.notice openvpn(sample_client)[16330]: /sbin/ifconfig tun0 10.120.0.2 netmask 255.255.255.0 mtu 1500 broadcast 10.120.0.255
Thu Nov  8 16:51:37 2018 daemon.notice openvpn(sample_client)[16330]: /sbin/route add -net 10.1.10.0 netmask 255.255.255.0 gw 10.120.0.1
Thu Nov  8 16:51:37 2018 daemon.notice openvpn(sample_client)[16330]: UID set to nobody
Thu Nov  8 16:51:37 2018 daemon.notice openvpn(sample_client)[16330]: Initialization Sequence Completed
Thu Nov  8 16:51:37 2018 daemon.err openvpn(sample_client)[16330]: write UDP: Operation not permitted (code=1)
16330 /usr/sbin/openvpn --syslog openvpn(sample_client) --status /var/run/openvpn.sample_client.status --cd /var/etc --config openvpn-sample_client.conf

See above....

Any further help is appreciated
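One way to triage a logread excerpt like the one above without reading it line by line, as an added example that is not from this thread. The sample lines are an abbreviated copy of the excerpt; triage and findings are names assumed here.

```python
import re

# Constructed sample: an abbreviated copy of the logread excerpt in the thread.
SAMPLE_LOG = """\
Thu Nov  8 16:51:36 2018 daemon.notice openvpn(sample_client)[16330]: PUSH: Received control message: 'PUSH_REPLY,route 10.1.10.0 255.255.255.0,block-outside-dns,register-dns,route-gateway 10.120.0.1,topology subnet,ifconfig 10.120.0.2 255.255.255.0'
Thu Nov  8 16:51:36 2018 daemon.err openvpn(sample_client)[16330]: Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:5: block-outside-dns (2.4.5)
Thu Nov  8 16:51:36 2018 daemon.err openvpn(sample_client)[16330]: Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:6: register-dns (2.4.5)
Thu Nov  8 16:51:37 2018 daemon.notice openvpn(sample_client)[16330]: /sbin/route add -net 10.1.10.0 netmask 255.255.255.0 gw 10.120.0.1
Thu Nov  8 16:51:37 2018 daemon.notice openvpn(sample_client)[16330]: Initialization Sequence Completed
Thu Nov  8 16:51:37 2018 daemon.err openvpn(sample_client)[16330]: write UDP: Operation not permitted (code=1)
"""

# Matches the "openvpn(<instance>)[<pid>]: <message>" part of each syslog line.
LINE_RE = re.compile(r"openvpn\((?P<inst>[^)]+)\)\[(?P<pid>\d+)\]: (?P<msg>.*)$")

def triage(log_text):
    """Summarise a client log: routes the server pushed, pushed options the
    client rejected, whether init completed, and EPERM errors on UDP writes."""
    summary = {"routes": [], "rejected": [], "up": False, "eperm_writes": 0}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        msg = m.group("msg")
        if msg.startswith("PUSH: Received control message:"):
            body = msg.split("'", 1)[1].rstrip("'")  # quoted PUSH_REPLY body
            summary["routes"] += [o[6:] for o in body.split(",") if o.startswith("route ")]
        rej = re.search(r"\[PUSH-OPTIONS\]:\d+: (\S+)", msg)
        if rej and msg.startswith("Options error"):
            summary["rejected"].append(rej.group(1))
        if msg == "Initialization Sequence Completed":
            summary["up"] = True
        if msg.startswith("write UDP: Operation not permitted"):
            summary["eperm_writes"] += 1
    return summary

def findings(summary):
    """Turn the summary into plain-language checks for the router admin."""
    out = []
    for opt in summary["rejected"]:
        out.append(f"server pushes '{opt}', a Windows-only option this client ignores; drop it from the push for non-Windows clients")
    if summary["routes"]:
        out.append("server already pushes routes " + ", ".join(summary["routes"]) + "; a manual static route for the same prefix is redundant")
    if summary["up"] and summary["eperm_writes"]:
        out.append("tunnel negotiated but UDP sends fail with EPERM: the router's own firewall rules for the tunnel socket are the first thing to check")
    if not summary["up"]:
        out.append("tunnel never reached 'Initialization Sequence Completed'")
    return out
```

Run it over the full `logread -e openvpn` output copied off the router; repeated EPERM lines after "Initialization Sequence Completed" point at the router rather than the server.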

@CalTommo, on your OpenWRT router, what is the output from 'ifconfig' and 'netstat -nr'? Is the OpenVPN server new, or is it already supporting other OpenVPN clients similar to the one you set up on OpenWRT? Do you have access to the OpenVPN server?

It sounds like your OpenWRT has been assigned VPN (tun0) address 10.120.0.2, while the OpenVPN address is 10.120.0.1. From OpenWRT, can you ping 10.120.0.1? From the OpenVPN server, can you ping 10.120.0.2?

From your description, it appears that there is a 10.1.10.0/24 network behind the OpenVPN server. Is this network directly connected to the OpenVPN server?

I recently set up a travel router where all traffic from the router and from devices connected to the router would be sent down the OpenVPN tunnel to the OpenVPN server that would then route traffic to the Internet or other OpenVPN clients. It took a while to get the routing correct.

Regards, Norbert

Hi Norbert,

Thanks for your response! I have attached the outputs of those commands in a post below. My OpenVPN server is running on a PfSense Box which does all the routing for my home network. I have only used it in the past for connecting clients via the OpenVPN windows client you can download. This has worked great in the past.

However, the purpose of connecting OpenWRT to this is to create a Site-To-Site VPN from another site to the PfSense network running the OpenVPN Server. I want to use the OpenWRT router to route all traffic through to that and create one big LAN on which all the devices can communicate. The OpenVPN server has never been used for site-to-site connections before and has only just had 2/3 clients connected using the windows GUI.

The OpenVPN server is fully accessible and I can make any changes required to this. The OpenVPN server is set to assign clients IP addresses in the range 10.120.0.x, whilst the PfSense LAN network is on the 10.1.10.x subnet. It may make more sense if I change this so that everything is on the same IP range. I get no response when pinging 10.120.0.1 from OpenWRT and no response when pinging 10.120.0.2 from PfSense (OpenVPN Server).

If you need any more information just let me know.

I look forward to your reply! Thanks,
Callum

@CalTommo, I am no expert at OpenVPN and have not used a lot of the options that you seem to be pushing to the OpenVPN client on your OpenWRT router.

OpenVPN needs to have a different IP range than your PfSense LAN range - it is the range used for the unencrypted traffic between the OpenVPN clients and the OpenVPN server. If you run tcpdump on the tun0 interface on either end, you should see the unencrypted 10.120.0.x traffic.

The first thing I would check is whether the OpenVPN client on OpenWRT is actually able to successfully start the tunnel to your OpenVPN server. The last line in your OpenVPN log "Thu Nov 8 16:51:37 2018 daemon.err openvpn(sample_client)[16330]: write UDP: Operation not permitted (code=1)" might be a clue, especially if it is repeated. I am not seeing that error on another OpenVPN client running UDP. I also do not see "UID set to nobody" but I am running OpenVPN 2.3.7 on the server and OpenVPN 2.4.0 on the client.

I installed OpenVPN on my OpenWRT router using the instructions from https://openwrt.org/docs/guide-user/services/vpn/openvpn/basic. I created new certificates and generated a combined .ovpn file that I uploaded to OpenWRT. The only issue I had was that 'uci set openvpn.vpnclient.config' cannot be set to the ovpn file but must point to /etc/openvpn/vpnclient.ovpn. I created a ccd file for OpenWRT with 'push "redirect-gateway"' since I wanted all traffic from OpenWRT to be sent down the OpenVPN tunnel. I had no problem pinging the OpenVPN server address since the source IP and destination IPs were on the tun0 interface address range, so routing was not involved.

If your OpenVPN server supports TCP, you might try switching to that to see if that provides better diagnostic information. Also, bring up one of your Windows OpenVPN clients and compare the IP addressing and routing to your OpenWRT setup.

My suspicion is some sort of a firewall problem on the OpenWRT side. Following the Basic OpenVPN setup, the following additions were made to /etc/config/firewall

config zone
        option name 'vpnclient'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'vpnclient'

config forwarding
        option src 'lan'
        # a forwarding needs a destination zone; without it lan -> vpnclient is never allowed
        option dest 'vpnclient'

If you cannot see any reason why 10.120.0.2 cannot ping 10.120.0.1, you can run tcpdump on tun0 in one window and on br-lan in another (filtering out ssh traffic) while you ping 10.120.0.1. You should see the ping packets on tun0, and matching encrypted packets sent to your OpenVPN server.

Once your OpenVPN tunnel is up and functional, I will post the changes I needed so that clients on the OpenWRT router could use the OpenVPN tunnel.

Regards, Norbert
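A small offline check of the zone and forwarding sections for the VPN interface, as an added example that is not from this thread or the OpenWrt docs. The sample is a constructed variant of the posted firewall additions with the forwarding's 'dest' left out; parse_uci and check_vpn_firewall are names assumed here.

```python
import re

# Constructed sample: the posted zone, with a 'forwarding' section that has no
# 'dest', so traffic from lan is never allowed into the VPN zone.
FIREWALL_POSTED = """\
config zone
        option name 'vpnclient'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'vpnclient'
config forwarding
        option src 'lan'
"""

def parse_uci(text):
    """Parse UCI text into [(section_type, {key: value_or_list})]."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if sec := re.match(r"config\s+(\w+)", line):
            current = (sec.group(1), {})
            sections.append(current)
        elif (opt := re.match(r"(option|list)\s+(\w+)\s+'([^']*)'", line)) and current:
            kind, key, val = opt.groups()
            if kind == "list":
                current[1].setdefault(key, []).append(val)
            else:
                current[1][key] = val
    return sections

def check_vpn_firewall(text, vpn_network="vpnclient", lan_zone="lan"):
    """Return problems with the zone/forwarding that carries LAN traffic to the VPN."""
    sections = parse_uci(text)
    zones = [o for t, o in sections if t == "zone"]
    fwds = [o for t, o in sections if t == "forwarding"]
    def nets(z):  # 'network' may be a space-separated option or a UCI list
        n = z.get("network", [])
        return n if isinstance(n, list) else n.split()
    zone = next((z for z in zones if vpn_network in nets(z)), None)
    if zone is None:
        return [f"no zone covers network '{vpn_network}'"]
    problems = []
    if zone.get("masq") != "1":
        problems.append(f"zone '{zone['name']}' does not masquerade LAN sources onto the tunnel address")
    if not any(f.get("src") == lan_zone and f.get("dest") == zone["name"] for f in fwds):
        problems.append(f"no forwarding from '{lan_zone}' to zone '{zone['name']}'")
    return problems
```

Feed it the text of /etc/config/firewall from the router; an empty list means the zone and lan forwarding are in place and the remaining suspects are routing and the server side.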

Hi Norbert,

I appreciate your help with this. Would it be easier for you to remote on this evening using TeamViewer and you could have a look at the config? I can also get you access to the PfSense so you can look at the config on that end. If not, no problem, I'll keep troubleshooting with the steps you gave me.

Thanks,
Callum

Hi Callum, unfortunately, I have a couple of project deadlines at the moment. I also have never had to debug an OpenVPN client that would not connect, so it would involve a lot of trial and error that can quickly eat up the hours. I may be able to free up some time later in the week.

Increasing log verbosity on the OpenVPN client and server might help reveal a problem. I would also suggest creating a very basic ovpn configuration for OpenWRT and double-check any configuration settings that you are pushing from the OpenVPN server.

I just had a closer look at your ifconfig - your tun0 IP is the same as your P-t-P address (mine are different) and your 'netstat -nr' also looks different. Are you using 'topology subnet'? I am still using 'topology net30' that is the default on OpenVPN 2.3, which may be the explanation. I have no experience configuring OpenVPN for topology subnet.

The important thing is to do all your testing logged directly into the OpenWRT device, so that the source IP of any pings is your 10.120.0.2 address.

Regards, Norbert