Hi,
I installed OpenWrt on my Asus TUF AX-4200 (23.05.5 240924 / LuCI openwrt-23.05 branch git-24.264.56413-c7a3562) and set up an OpenVPN server on it. I can connect to the server without problems through the OpenVPN app on my Android smartphone when I am on the internal network. However, from outside it, it is impossible to establish a connection to the server.
I suppose it's something related to the firewall, because when I disable the firewall I can access the server from outside.
Any suggestions would be appreciated
Note: I don't have any ISP router in front of it. The ONT from my ISP connects directly to the WAN port of my Asus router.
root@OpenWrt:~# cat /etc/config/firewall
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone 'lan'
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list device 'tun+'
list network 'lan'
config zone 'wan'
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include 'miniupnpd'
option type 'script'
option path '/usr/share/miniupnpd/firewall.include'
config zone
option name 'wg0'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'wg0'
config forwarding
option src 'wg0'
option dest 'lan'
config forwarding
option src 'wg0'
option dest 'wan'
config forwarding
option src 'lan'
option dest 'wg0'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'wg'
option src 'wan'
option src_dport '61820'
option dest_ip '192.168.2.1'
option dest_port '61820'
config zone
option name 'guest'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'guest'
config forwarding
option src 'guest'
option dest 'wan'
config rule
option name 'guest'
option src 'guest'
option dest_port '53 67 68'
option target 'ACCEPT'
config rule
option name 'Allow wireguard'
list proto 'udp'
option src 'wan'
option dest_port '61820'
option target 'ACCEPT'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'openvpn'
option src 'wan'
option src_dport '1194'
option dest_ip '192.168.2.1'
option dest_port '1194'
list proto 'udp'
config rule 'ovpn'
option name 'Allow-OpenVPN'
option src 'wan'
option dest_port '1194'
option proto 'udp'
option target 'ACCEPT'
config zone
option name 'openvpn'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'openvpn'
config forwarding
option src 'openvpn'
option dest 'lan'
config forwarding
option src 'openvpn'
option dest 'wan'
config forwarding
option src 'lan'
option dest 'openvpn'
root@OpenWrt:~# ^C
root@OpenWrt:~#
Does your WG server work when you try to access it from the internet?
(That way we know that you have a public WAN IP address.)
You can delete these rules, as a simple allow rule should suffice:
If the WG server works, please connect to your OpenWrt device using SSH, copy the output of the following commands and post it here using the "Preformatted text </>" button:
Remember to redact keys, passwords, MAC addresses and any public IP addresses you may have:
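# Diagnostics to collect and post. Redact keys, passwords, MAC addresses and
# public IP addresses before sharing the output.
ubus call system board
cat /etc/config/network
cat /etc/config/firewall
ip route show
ip rule show
# Glob directly instead of parsing `ls` (SC2012): filenames are never
# word-split, and the existence test covers the no-match case, since busybox
# ash has no nullglob and would otherwise iterate over the literal pattern.
# The inline <key>/<tls-crypt-v2> blocks in these files hold private key
# material — redact them before posting.
for ovpn in /etc/openvpn/*.ovpn; do
  [ -e "$ovpn" ] || { echo "no files matching $ovpn" >&2; continue; }
  echo "$ovpn"
  cat "$ovpn"
  echo
done
logread | grep openvpn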
Hi, and thanks for the feedback. When I get home I will post the output of the commands.
But I can confirm that WireGuard has always worked well, from the first day, both inside and outside the network. I have a public IP that my No-IP domain redirects to.
root@OpenWrt:~# ubus call system board
{
"kernel": "5.15.167",
"hostname": "OpenWrt",
"system": "ARMv8 Processor rev 4",
"model": "ASUS TUF-AX4200",
"board_name": "asus,tuf-ax4200",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "23.05.5",
"revision": "r24106-10cc5fcd00",
"target": "mediatek/filogic",
"description": "23.05.5 240924"
}
}
root@OpenWrt:~# cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'xxxxxxxx'
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
config device
option name 'lan1'
option macaddr 'xxxxxxxx'
config device
option name 'lan2'
option macaddr 'xxxxxxx'
config device
option name 'lan3'
option macaddr 'xxxxxxx'
config device
option name 'lan4'
option macaddr 'xxxxxxx'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.2.1'
option netmask '255.255.255.0'
option ip6assign '60'
config device
option name 'eth1'
option macaddr 'xxxxxx'
config interface 'wan'
option device 'eth1.12'
option proto 'dhcp'
option peerdns '0'
list dns '1.1.1.1'
list dns '1.0.0.1'
config device
option type '8021q'
option ifname 'eth1'
option vid '12'
option name 'eth1.12'
config interface 'wg0'
option proto 'wireguard'
option private_key 'yyyyyyyyyyyyyyyyyyyyyyyyy'
option listen_port '61820'
list addresses '10.20.30.1/24'
config wireguard_wg0
option description '8t'
option public_key 'xxxxxxxxxxxxxxxxxxxxxxx='
option private_key 'xxxxxxxxxxxxxxxxxxxxxxx'
list allowed_ips '10.20.30.2/32'
option endpoint_port '61820'
option persistent_keepalive '25'
option endpoint_host 'aaaaaa.ddns.net'
option route_allowed_ips '1'
config wireguard_wg0
option public_key 'xxxxxxxxxxxxxxxxxxxxxx'
option private_key 'xxxxxxxxxxxxxxxxxxxxxxxxxx='
option description '2t'
list allowed_ips '10.20.30.3/32'
option endpoint_host 'aaaaaaaaaa.ddns.net'
option endpoint_port '61820'
option persistent_keepalive '25'
option route_allowed_ips '1'
config device
option type 'bridge'
option name 'br-guest'
option bridge_empty '1'
config interface 'guest'
option proto 'static'
option device 'br-guest'
option ipaddr '10.20.30.40'
option netmask '255.255.255.0'
config interface 'openvpn'
option proto 'none'
option device 'tun0'
config route
option interface 'openvpn'
option target '0.0.0.0/0'
option gateway '0.0.0.0'
option metric '30'
option table 'main'
root@OpenWrt:~# cat /etc/config/firewall
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone 'lan'
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list device 'tun+'
list network 'lan'
config zone 'wan'
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include 'miniupnpd'
option type 'script'
option path '/usr/share/miniupnpd/firewall.include'
config zone
option name 'wg0'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'wg0'
config forwarding
option src 'wg0'
option dest 'lan'
config forwarding
option src 'wg0'
option dest 'wan'
config forwarding
option src 'lan'
option dest 'wg0'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'wg'
option src 'wan'
option src_dport '61820'
option dest_ip '192.168.2.1'
option dest_port '61820'
config zone
option name 'guest'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'guest'
config forwarding
option src 'guest'
option dest 'wan'
config rule
option name 'guest'
option src 'guest'
option dest_port '53 67 68'
option target 'ACCEPT'
config rule
option name 'Allow wireguard'
list proto 'udp'
option src 'wan'
option dest_port '61820'
option target 'ACCEPT'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'openvpn'
option src 'wan'
option src_dport '1194'
option dest_ip '192.168.2.1'
option dest_port '1194'
list proto 'udp'
config rule 'ovpn'
option name 'Allow-OpenVPN'
option src 'wan'
option dest_port '1194'
option proto 'udp'
option target 'ACCEPT'
config zone
option name 'openvpn'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'openvpn'
config forwarding
option src 'openvpn'
option dest 'lan'
config forwarding
option src 'openvpn'
option dest 'wan'
config forwarding
option src 'lan'
option dest 'openvpn'
root@OpenWrt:~# ip route show
default via xxxxxx dev eth1.12 proto static src xxxxxxx
default dev tun0 proto static scope link metric 30
10.20.30.0/24 dev br-guest proto kernel scope link src 10.20.30.40
10.20.30.0/24 dev wg0 proto kernel scope link src 10.20.30.1
10.20.30.2 dev wg0 proto static scope link
10.20.30.3 dev wg0 proto static scope link
xxxxxxx dev eth1.12 proto kernel scope link src xxxxx
192.168.2.0/24 dev br-lan proto kernel scope link src 192.168.2.1
192.168.9.0/24 dev tun0 proto kernel scope link src 192.168.9.1
root@OpenWrt:~# ip rule show
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
root@OpenWrt:~# for ovpn in $(ls /etc/openvpn/*.ovpn);do echo $ovpn; cat $ovpn;
echo;done
/etc/openvpn/client.ovpn
user nobody
group nogroup
dev tun
nobind
client
remote aaaaaaaaaa 1194 udp
auth-nocache
remote-cert-tls server
<tls-crypt-v2>
-----BEGIN OpenVPN tls-crypt-v2 client key-----
-----END OpenVPN tls-crypt-v2 client key-----
</tls-crypt-v2>
<key>
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
</key>
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
root@OpenWrt:~# logread | grep openvpn
Sat Nov 9 15:01:16 2024 daemon.warn openvpn(asusserver)[20629]: Use --help for more information.
Sat Nov 9 15:01:21 2024 daemon.warn openvpn(asusserver)[20630]: WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
Sat Nov 9 15:01:21 2024 daemon.err openvpn(asusserver)[20630]: Options error: Unrecognized option or missing or extra parameter(s) in openvpn-asusserver.conf:9: server (2.5.8)
Sat Nov 9 15:01:21 2024 daemon.warn openvpn(asusserver)[20630]: Use --help for more information.
Sat Nov 9 15:01:26 2024 daemon.warn openvpn(asusserver)[20631]: WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
Sat Nov 9 15:01:26 2024 daemon.err openvpn(asusserver)[20631]: Options error: Unrecognized option or missing or extra parameter(s) in openvpn-asusserver.conf:9: server (2.5.8)
Sat Nov 9 15:01:26 2024 daemon.warn openvpn(asusserver)[20631]: Use --help for more information.
Sat Nov 9 15:01:31 2024 daemon.warn openvpn(asusserver)[20632]: WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
Sat Nov 9 15:01:31 2024 daemon.err openvpn(asusserver)[20632]: Options error: Unrecognized option or missing or extra parameter(s) in openvpn-asusserver.conf:9: server (2.5.8)
Sat Nov 9 15:01:31 2024 daemon.warn openvpn(asusserver)[20632]: Use --help for more information.
Sat Nov 9 15:01:36 2024 daemon.warn openvpn(asusserver)[20633]: WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is
Hi!
I'm not a network expert, hence my request for help; I certainly have a lot to learn. My main goal is to test OpenVPN as a server on the router and learn a little more, while being able to access my internal network from my smartphone.
I think I didn't quite understand your last comment.
As I understand it, the client.ovpn you refer to was the first client created when I set up the OpenVPN server. This client.ovpn, like server.conf, is in the /etc/openvpn folder.
/etc/config/openvpn has all the settings, so you can look into it and edit the file (with WinSCP, or with nano from the command line), or just empty the file from the command line: > /etc/config/openvpn
Possibilities other than a configuration problem at your end:
A lot of internet service providers don't actually give each customer a unique public IP address; they use what is called CGNAT, and many customers share one IP.
In that case you either ask the ISP to provide you with a unique IP or use some kind of workaround to get around the problem. I'm not sure exactly how you would do this with OpenVPN. It may also be possible to use IPv6 instead of IPv4, since most providers only use CGNAT because of address exhaustion, and the same problem doesn't exist with IPv6.
Also, your ISP might have provided you with a unique IP but be blocking certain ports; it's rare, but possible, that they are blocking access to port 1194.
In that case there's usually some way to turn off port blocking in your account settings.
Hi!
When I run the following command, logread | grep openvpn, I obtain this result while connected to my internal network:
Sun Nov 10 11:23:54 2024 daemon.notice openvpn(server)[13789]: 192.168.2.xxx:48411 peer info: IV_VER=3.10.1
Sun Nov 10 11:23:54 2024 daemon.notice openvpn(server)[13789]: 192.168.2.xxx:48411 peer info: IV_PLAT=android
Sun Nov 10 11:23:54 2024 daemon.notice openvpn(server)[13789]: 192.168.2.xxx:48411 peer info: IV_NCP=2
Sun Nov 10 11:23:54 2024 daemon.notice openvpn(server)[13789]: 192.168.2.xxx:48411 peer info: IV_TCPNL=1
Sun Nov 10 11:23:54 2024 daemon.notice openvpn(server)[13789]: 192.168.2.xxx:48411 peer info: IV_PROTO=2974
Sun Nov 10 11:23:54 2024 daemon.notice openvpn(server)[13789]: 192.168.2.xxx:48411 peer info: IV_MTU=1600
Sun Nov 10 11:23:54 2024 daemon.notice openvpn(server)[13789]: 192.168.2.xxx:48411 peer info: IV_CIPHERS=AES-128-yyyyyyy-GCM:xxx
Sun Nov 10 11:23:54 2024 daemon.notice openvpn(server)[13789]: 192.168.2.xxx:48411 peer info: IV_AUTO_SESS=1
Sun Nov 10 11:23:54 2024 daemon.notice openvpn(server)[13789]: 192.168.2.xxx:48411 peer info: IV_GUI_VER=net.openvpn.connect.android_3.5.1-10255
Sun Nov 10 11:23:54 2024 daemon.notice openvpn(server)[13789]: 192.168.2.xxx:48411 peer info: IV_SSO=webauth,crtext
Sun Nov 10 11:23:54 2024 daemon.notice openvpn(server)[13789]: 192.168.2.xxx:48411 peer info: IV_BS64DL=1
Sun Nov 10 11:23:54 2024 daemon.notice openvpn(server)[13789]: 192.168.2.xxx:48411 [client] Peer Connection Initiated with [AF_INET]192.168.2.xxx:48411
Sun Nov 10 11:23:54 2024 daemon.notice openvpn(server)[13789]: client/192.168.2.xxx:48411 MULTI_sva: pool returned IPv4=192.168.9.2, IPv6=(Not enabled)
root@OpenWrt:~#
The OpenVPN client works well on my Android phone when connected to my Asus OpenVPN server, and I can access my internal devices and browse the internet.
When I disable Wi-Fi (leaving my internal network) and turn on my phone's mobile data, the OpenVPN client on my phone goes down, and the server logs:
Sun Nov 10 11:37:29 2024 daemon.err openvpn(server)[13789]: 87.196.81.yyy:32066 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sun Nov 10 11:37:29 2024 daemon.err openvpn(server)[13789]: 87.196.81.yyy:32066 TLS Error: TLS handshake failed
Sun Nov 10 11:37:39 2024 daemon.err openvpn(server)[13789]: 87.196.81.yyy:32079 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sun Nov 10 11:37:39 2024 daemon.err openvpn(server)[13789]: 87.196.81.yyy:32079 TLS Error: TLS handshake failed
When I run the following commands:
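# Show the UCI OpenVPN settings and any generated instance configs.
cat /etc/config/openvpn
# Glob directly rather than parsing `ls` (SC2012); the existence test reports
# the no-match case explicitly instead of iterating over the literal pattern
# (busybox ash has no nullglob).
for vpn in /tmp/etc/openvpn*.conf; do
  [ -e "$vpn" ] || { echo "no files matching $vpn" >&2; continue; }
  echo "$vpn"
  cat "$vpn"
  echo
done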
I obtain this:
root@OpenWrt:~# cat /etc/config/openvpn
root@OpenWrt:~# for vpn in $(ls /tmp/etc/openvpn*.conf);do echo $vpn;cat $vpn;echo;done
ls: /tmp/etc/openvpn*.conf: No such file or directory
root@OpenWrt:~#
In /etc/config, the file "openvpn" is empty! Is this normal?