OpenVPN can't access LAN devices

Hello! I really need help because I'm not having success accessing devices on the LAN through the VPN.
I configured it faithfully following these procedures: https://openwrt.org/docs/guide-user/services/vpn/openvpn/server.

When connecting the computer to the VPN, I cannot access the devices that are on the LAN, but I can access the device connected to the VPN from the LAN.

I'm using the OpenWrt version:
OpenWrt 23.05.2 r23630-842932a63d / LuCI openwrt-23.05 branch git-24.040.70644-45b9e79
Raspberry Pi 4 Model B Rev 1.2

OpenWrt address: 192.168.1.2
OpenVPN tun0 interface address: 192.168.9.1

Using a completely external network in the 192.168.0.0 range and a Windows machine, I carried out the tests and connected normally to the VPN. I got the address 192.168.9.2. In this test I tried to access a web server on the LAN side of OpenWrt, which has the address 192.168.1.3, but I was unsuccessful. Not even ping works. I also tried to access other devices, but without success. I can only ping the addresses 192.168.1.2 and 192.168.9.1.

So I tried performing the reverse test. I used a machine on the LAN side of OpenWrt with the address 192.168.1.120, and from that machine I was able to ping the machine connected to the VPN (192.168.9.2) normally.

I checked the routing table on the machine that is connected to the VPN, and it contains the network 192.168.1.0; that is, the route is present.

I would be very grateful if you could help me.

The firewall configuration follows:

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list device 'tun+'
	list network 'lan'

config zone 'wan'
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'WAN'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option family 'ipv4'
	option target 'ACCEPT'
	list icmp_type 'echo-request'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule 'ovpn'
	option name 'Allow-OpenVPN'
	option src 'wan'
	option target 'ACCEPT'
	option family 'ipv4'
	list proto 'tcp'
	list proto 'udp'
	option src_port '8443'
	option dest_port '8443'

VPN configuration follows:

user nobody
group nogroup
dev tun
port 8443
proto tcp
server 192.168.9.0 255.255.255.0
topology subnet
client-to-client
keepalive 10 60
persist-tun
persist-key
push "dhcp-option DNS 192.168.9.1"
push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DOMAIN lan"
push "redirect-gateway def1"
push "persist-tun"
push "persist-key"
client-config-dir /etc/openvpn/ccd

<dh>
</dh>
<tls-crypt-v2>
</tls-crypt-v2>
<key>
</key>
<cert>
</cert>
<ca>
</ca>

Routing table in OpenWrt:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         ----100-231-7.d 0.0.0.0         UG    0      0        0 pppoe-WAN
---.100.231.7   *               255.255.255.255 UH    0      0        0 pppoe-WAN
192.168.1.0     *               255.255.255.0   U     0      0        0 br-lan
192.168.9.0     *               255.255.255.0   U     0      0        0 tun0

So this is not the primary router, right?

In that case, you need to either create a route on the main router

192.168.9.0/24 via 192.168.1.2

or move the tunnel to a different firewall zone, enable masquerading on the lan firewall zone for this device, and then set up forwarding, like this:

config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'
	list network 'lan'

config zone 'vpn'
	option name 'vpn'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list device 'tun+'

config forwarding
	option src 'vpn'
	option dest 'lan'

If that doesn't work, we need to see the network config file and a basic topology diagram.

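The two posts above make the same point from different directions: the firewall in the first post already lets tun+ traffic reach the LAN (tun+ sits in the lan zone, whose forward policy is ACCEPT), so what is missing is the return path, and the reply offers either a route on the main router or masquerading on the lan zone. As an added example that is not part of the thread, the script below parses UCI firewall text, finds the zone that owns the tun device, and reports whether VPN-to-LAN forwarding is permitted and whether a route on the main router is still required. The function names are this example's own, and the two sample configs are constructed from the snippets in the thread, trimmed to the sections that matter.

```python
"""Added example, not from the thread: audit the OpenWrt /etc/config/firewall
text posted above. It parses UCI syntax, finds the zone that owns the
OpenVPN tun device, and reports whether the firewall permits VPN->LAN
forwarding and whether the lan zone masquerades, which is what decides
whether the main router still needs a 192.168.9.0/24 route. All function
names are this example's own; the two configs are constructed from the
thread's snippets, trimmed to the sections that matter."""
import shlex

# Constructed from the original post: tun+ lives inside the lan zone.
ORIGINAL_FIREWALL = """
config zone 'lan'
    option name 'lan'
    option input 'ACCEPT'
    option forward 'ACCEPT'
    list device 'tun+'
    list network 'lan'

config zone 'wan'
    option name 'wan'
    option input 'REJECT'
    option forward 'REJECT'
    option masq '1'
    list network 'WAN'

config forwarding
    option src 'lan'
    option dest 'wan'
"""

# Constructed from the reply: own vpn zone, masq on lan, explicit vpn->lan forwarding.
PROPOSED_FIREWALL = """
config zone 'lan'
    option name 'lan'
    option input 'ACCEPT'
    option forward 'ACCEPT'
    option masq '1'
    list network 'lan'

config zone 'vpn'
    option name 'vpn'
    option input 'ACCEPT'
    option forward 'ACCEPT'
    list device 'tun+'

config forwarding
    option src 'vpn'
    option dest 'lan'
"""


def parse_uci(text):
    """Parse UCI text into sections: {type, name, options{}, lists{}}."""
    sections, current = [], None
    for raw in text.splitlines():
        parts = shlex.split(raw.strip(), comments=True)
        if not parts:
            continue
        kw, args = parts[0], parts[1:]
        if kw == "config":
            current = {"type": args[0], "name": args[1] if len(args) > 1 else None,
                       "options": {}, "lists": {}}
            sections.append(current)
        elif kw == "option" and current is not None:
            current["options"][args[0]] = args[1] if len(args) > 1 else ""
        elif kw == "list" and current is not None:
            current["lists"].setdefault(args[0], []).append(args[1] if len(args) > 1 else "")
    return sections


def zone_index(sections):
    """Return (zone name -> section, device/network name -> owning zone)."""
    zones, owner = {}, {}
    for s in sections:
        if s["type"] == "zone":
            zname = s["options"].get("name")
            zones[zname] = s
            for member in s["lists"].get("device", []) + s["lists"].get("network", []):
                owner[member] = zname
    return zones, owner


def forwarding_allowed(sections, zones, src, dst):
    """Same-zone traffic follows the zone's own `forward` policy; cross-zone
    traffic needs an explicit `config forwarding` src->dest section."""
    if src == dst:
        return zones[src]["options"].get("forward", "REJECT") == "ACCEPT"
    return any(s["type"] == "forwarding"
               and s["options"].get("src") == src
               and s["options"].get("dest") == dst for s in sections)


def audit_vpn_path(text, tun_device="tun+", lan_zone="lan"):
    """Summarise whether VPN clients can reach LAN hosts and whether replies
    can find their way back without a route on the main router."""
    sections = parse_uci(text)
    zones, owner = zone_index(sections)
    names = [s["name"] for s in sections if s["name"]]
    vpn_zone = owner.get(tun_device)
    lan_masq = zones.get(lan_zone, {"options": {}})["options"].get("masq") == "1"
    forward_ok = vpn_zone is not None and forwarding_allowed(sections, zones, vpn_zone, lan_zone)
    return {
        "vpn_zone": vpn_zone,
        # two sections with the same UCI name (e.g. two `config zone 'lan'`) is a slip worth flagging
        "duplicate_section_names": sorted({n for n in names if names.count(n) > 1}),
        "vpn_to_lan_forward": forward_ok,
        "lan_masq": lan_masq,
        # forwarding is fine, but LAN hosts see the client's 192.168.9.x source
        # and send replies to their own default gateway unless it knows the route
        "needs_route_on_main_router": forward_ok and not lan_masq,
    }


if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_FIREWALL), ("proposed", PROPOSED_FIREWALL)):
        print(label, audit_vpn_path(cfg))
```

Running it on the original config reports that forwarding is already allowed but a route on the main router is needed; on the proposed config the masquerade on lan removes that requirement. The duplicate-name check exists because a copy-pasted `config zone 'lan'` label on the new vpn zone is an easy slip when editing the file by hand.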