OpenVPN client config - connected but no internet access from LAN

Hi,

I've followed the steps in the OpenVPN Client wiki guide to configure my OpenWrt router as an OpenVPN client. The OpenVPN service connects to the server successfully, but devices on the LAN aren't able to access the internet while it's running.

I'm assuming there is a misconfiguration in my firewall or routing, but I don't know how to fix it.

Here is the client log:

# logread -e openvpn
Sat Oct 27 15:40:34 2018 daemon.notice openvpn(vpnclient)[3269]: TCP_CLIENT WRITE [41] to [AF_INET]x.x.x.x:443: P_DATA_V2 kid=0 DATA len=40
Sat Oct 27 15:40:34 2018 daemon.notice openvpn(vpnclient)[3269]: TCP_CLIENT READ [41] from [AF_INET]x.x.x.x:443: P_DATA_V2 kid=0 DATA len=40
Sat Oct 27 15:40:35 2018 daemon.err openvpn(vpnclient)[3269]: event_wait : Interrupted system call (code=4)
Sat Oct 27 15:40:35 2018 daemon.notice openvpn(vpnclient)[3269]: TCP/UDP: Closing socket
Sat Oct 27 15:40:35 2018 daemon.notice openvpn(vpnclient)[3269]: Closing TUN/TAP interface
Sat Oct 27 15:40:35 2018 daemon.notice openvpn(vpnclient)[3269]: /sbin/ifconfig tun0 x.x.x.x
Sat Oct 27 15:40:35 2018 daemon.notice openvpn(vpnclient)[3269]: SIGTERM[hard,] received, process exiting
Sat Oct 27 15:40:36 2018 daemon.notice openvpn(vpnclient)[3428]: OpenVPN 2.4.5 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Sat Oct 27 15:40:36 2018 daemon.notice openvpn(vpnclient)[3428]: library versions: OpenSSL 1.0.2p  14 Aug 2018, LZO 2.10
Sat Oct 27 15:40:36 2018 daemon.notice openvpn(vpnclient)[3428]: LZO compression initializing
Sat Oct 27 15:40:36 2018 daemon.notice openvpn(vpnclient)[3428]: Control Channel MTU parms [ L:1624 D:1210 EF:40 EB:0 ET:0 EL:3 ]
Sat Oct 27 15:40:36 2018 daemon.notice openvpn(vpnclient)[3428]: Data Channel MTU parms [ L:1624 D:1450 EF:124 EB:406 ET:0 EL:3 ]
Sat Oct 27 15:40:36 2018 daemon.notice openvpn(vpnclient)[3428]: crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 68 bytes
Sat Oct 27 15:40:36 2018 daemon.notice openvpn(vpnclient)[3428]: calc_options_string_link_mtu: link-mtu 1624 -> 1572
Sat Oct 27 15:40:36 2018 daemon.notice openvpn(vpnclient)[3428]: crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 68 bytes
Sat Oct 27 15:40:36 2018 daemon.notice openvpn(vpnclient)[3428]: calc_options_string_link_mtu: link-mtu 1624 -> 1572
Sat Oct 27 15:40:36 2018 daemon.notice openvpn(vpnclient)[3428]: Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1572,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,cipher AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-client'
Sat Oct 27 15:40:36 2018 daemon.notice openvpn(vpnclient)[3428]: Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1572,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,cipher AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-server'
Sat Oct 27 15:40:36 2018 daemon.notice openvpn(vpnclient)[3428]: TCP/UDP: Preserving recently used remote address: [AF_INET]x.x.x.x:443
Sat Oct 27 15:40:36 2018 daemon.notice openvpn(vpnclient)[3428]: Socket Buffers: R=[87380->87380] S=[16384->16384]
Sat Oct 27 15:40:36 2018 daemon.notice openvpn(vpnclient)[3428]: Attempting to establish TCP connection with [AF_INET]x.x.x.x:443 [nonblock]
Sat Oct 27 15:40:37 2018 daemon.notice openvpn(vpnclient)[3428]: TCP connection established with [AF_INET]x.x.x.x:443
Sat Oct 27 15:40:37 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT link local: (not bound)
Sat Oct 27 15:40:37 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT link remote: [AF_INET]x.x.x.x:443
Sat Oct 27 15:40:37 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [14] to [AF_INET]x.x.x.x:443: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Sat Oct 27 15:40:37 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT READ [26] from [AF_INET]x.x.x.x:443: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 [ 0 ] pid=0 DATA len=0
Sat Oct 27 15:40:37 2018 daemon.notice openvpn(vpnclient)[3428]: TLS: Initial packet from [AF_INET]x.x.x.x:443, sid=24109957 9b7382fc
Sat Oct 27 15:40:37 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [22] to [AF_INET]x.x.x.x:443: P_ACK_V1 kid=0 [ 0 ]
Sat Oct 27 15:40:37 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [108] to [AF_INET]x.x.x.x:443: P_CONTROL_V1 kid=0 [ ] pid=1 DATA len=94
Sat Oct 27 15:40:37 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT READ [1196] from [AF_INET]x.x.x.x:443: P_CONTROL_V1 kid=0 [ 1 ] pid=1 DATA len=1170
Sat Oct 27 15:40:37 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [22] to [AF_INET]x.x.x.x:443: P_ACK_V1 kid=0 [ 1 ]
Sat Oct 27 15:40:37 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT READ [1184] from [AF_INET]x.x.x.x:443: P_CONTROL_V1 kid=0 [ ] pid=2 DATA len=1170
Sat Oct 27 15:40:37 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [22] to [AF_INET]x.x.x.x:443: P_ACK_V1 kid=0 [ 2 ]
Sat Oct 27 15:40:37 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT READ [1052] from [AF_INET]x.x.x.x:443: P_CONTROL_V1 kid=0 [ ] pid=3 DATA len=1038
Sat Oct 27 15:40:37 2018 daemon.notice openvpn(vpnclient)[3428]: VERIFY OK:
Sat Oct 27 15:40:37 2018 daemon.notice openvpn(vpnclient)[3428]: VERIFY X509NAME OK:
Sat Oct 27 15:40:37 2018 daemon.notice openvpn(vpnclient)[3428]: VERIFY OK:
Sat Oct 27 15:40:38 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [368] to [AF_INET]x.x.x.x:443: P_CONTROL_V1 kid=0 [ 3 ] pid=2 DATA len=342
Sat Oct 27 15:40:38 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT READ [101] from [AF_INET]x.x.x.x:443: P_CONTROL_V1 kid=0 [ 2 ] pid=4 DATA len=75
Sat Oct 27 15:40:38 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [479] to [AF_INET]x.x.x.x:443: P_CONTROL_V1 kid=0 [ 4 ] pid=3 DATA len=453
Sat Oct 27 15:40:38 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT READ [287] from [AF_INET]x.x.x.x:443: P_CONTROL_V1 kid=0 [ 3 ] pid=5 DATA len=261
Sat Oct 27 15:40:38 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [22] to [AF_INET]x.x.x.x:443: P_ACK_V1 kid=0 [ 5 ]
Sat Oct 27 15:40:38 2018 daemon.notice openvpn(vpnclient)[3428]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Sat Oct 27 15:40:38 2018 daemon.notice openvpn(vpnclient)[3428]: [example.com] Peer Connection Initiated with [AF_INET]x.x.x.x:443
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: SENT CONTROL [example.com]: 'PUSH_REQUEST' (status=1)
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [83] to [AF_INET]x.x.x.x:443: P_CONTROL_V1 kid=0 [ ] pid=4 DATA len=69
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT READ [22] from [AF_INET]x.x.x.x:443: P_ACK_V1 kid=0 [ 4 ]
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT READ [323] from [AF_INET]x.x.x.x:443: P_CONTROL_V1 kid=0 [ ] pid=6 DATA len=309
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS x.x.x.x,dhcp-option DNS x.x.x.x,explicit-exit-notify 5,comp-lzo no,route-gateway x.x.x.x,topology subnet,ping 20,ping-restart 40,ifconfig x.x.x.x x.x.x.x,peer-id 0,cipher AES-256-GCM'
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: OPTIONS IMPORT: timers and/or timeouts modified
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: OPTIONS IMPORT: --explicit-exit-notify can only be used with --proto udp
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: OPTIONS IMPORT: compression parms modified
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: OPTIONS IMPORT: --ifconfig/up options modified
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: OPTIONS IMPORT: route options modified
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: OPTIONS IMPORT: route-related options modified
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: OPTIONS IMPORT: peer-id set
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: OPTIONS IMPORT: adjusting link_mtu to 1627
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: OPTIONS IMPORT: data channel crypto options modified
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: Data Channel: using negotiated cipher 'AES-256-GCM'
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 48 bytes
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: Data Channel MTU parms [ L:1555 D:1450 EF:55 EB:406 ET:0 EL:3 ]
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: TUN/TAP device tun0 opened
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: TUN/TAP TX queue length set to 100
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: /sbin/ifconfig tun0 x.x.x.x netmask x.x.x.x mtu 1500 broadcast x.x.x.x
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: /sbin/route add -net x.x.x.x netmask x.x.x.x gw x.x.x.x
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: /sbin/route add -net x.x.x.x netmask x.x.x.x gw x.x.x.x
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: /sbin/route add -net x.x.x.x netmask x.x.x.x gw x.x.x.x
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: Initialization Sequence Completed
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [22] to [AF_INET]x.x.x.x:443: P_ACK_V1 kid=0 [ 6 ]
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [101] to [AF_INET]x.x.x.x:443: P_DATA_V2 kid=0 DATA len=100
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [101] to [AF_INET]x.x.x.x:443: P_DATA_V2 kid=0 DATA len=100
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [65] to [AF_INET]x.x.x.x:443: P_DATA_V2 kid=0 DATA len=64
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [65] to [AF_INET]x.x.x.x:443: P_DATA_V2 kid=0 DATA len=64
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [65] to [AF_INET]x.x.x.x:443: P_DATA_V2 kid=0 DATA len=64
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [65] to [AF_INET]x.x.x.x:443: P_DATA_V2 kid=0 DATA len=64
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [65] to [AF_INET]x.x.x.x:443: P_DATA_V2 kid=0 DATA len=64
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [65] to [AF_INET]x.x.x.x:443: P_DATA_V2 kid=0 DATA len=64
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [65] to [AF_INET]x.x.x.x:443: P_DATA_V2 kid=0 DATA len=64
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [65] to [AF_INET]x.x.x.x:443: P_DATA_V2 kid=0 DATA len=64
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [65] to [AF_INET]x.x.x.x:443: P_DATA_V2 kid=0 DATA len=64
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [65] to [AF_INET]x.x.x.x:443: P_DATA_V2 kid=0 DATA len=64
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [65] to [AF_INET]x.x.x.x:443: P_DATA_V2 kid=0 DATA len=64
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [65] to [AF_INET]x.x.x.x:443: P_DATA_V2 kid=0 DATA len=64
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [65] to [AF_INET]x.x.x.x:443: P_DATA_V2 kid=0 DATA len=64
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [65] to [AF_INET]x.x.x.x:443: P_DATA_V2 kid=0 DATA len=64
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [65] to [AF_INET]x.x.x.x:443: P_DATA_V2 kid=0 DATA len=64
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [65] to [AF_INET]x.x.x.x:443: P_DATA_V2 kid=0 DATA len=64
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [65] to [AF_INET]x.x.x.x:443: P_DATA_V2 kid=0 DATA len=64
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [65] to [AF_INET]x.x.x.x:443: P_DATA_V2 kid=0 DATA len=64
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [65] to [AF_INET]x.x.x.x:443: P_DATA_V2 kid=0 DATA len=64
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [65] to [AF_INET]x.x.x.x:443: P_DATA_V2 kid=0 DATA len=64
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [65] to [AF_INET]x.x.x.x:443: P_DATA_V2 kid=0 DATA len=64
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [65] to [AF_INET]x.x.x.x:443: P_DATA_V2 kid=0 DATA len=64
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [65] to [AF_INET]x.x.x.x:443: P_DATA_V2 kid=0 DATA len=64
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [65] to [AF_INET]x.x.x.x:443: P_DATA_V2 kid=0 DATA len=64
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [65] to [AF_INET]x.x.x.x:443: P_DATA_V2 kid=0 DATA len=64
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [65] to [AF_INET]x.x.x.x:443: P_DATA_V2 kid=0 DATA len=64
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [65] to [AF_INET]x.x.x.x:443: P_DATA_V2 kid=0 DATA len=64
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [65] to [AF_INET]x.x.x.x:443: P_DATA_V2 kid=0 DATA len=64
Sat Oct 27 15:40:39 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [65] to [AF_INET]x.x.x.x:443: P_DATA_V2 kid=0 DATA len=64
Sat Oct 27 15:40:40 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [65] to [AF_INET]x.x.x.x:443: P_DATA_V2 kid=0 DATA len=64
Sat Oct 27 15:40:40 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [101] to [AF_INET]x.x.x.x:443: P_DATA_V2 kid=0 DATA len=100
Sat Oct 27 15:40:40 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [65] to [AF_INET]x.x.x.x:443: P_DATA_V2 kid=0 DATA len=64
Sat Oct 27 15:40:40 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [65] to [AF_INET]x.x.x.x:443: P_DATA_V2 kid=0 DATA len=64
Sat Oct 27 15:40:40 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [65] to [AF_INET]x.x.x.x:443: P_DATA_V2 kid=0 DATA len=64
Sat Oct 27 15:40:41 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [65] to [AF_INET]x.x.x.x:443: P_DATA_V2 kid=0 DATA len=64
Sat Oct 27 15:40:41 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [65] to [AF_INET]x.x.x.x:443: P_DATA_V2 kid=0 DATA len=64
Sat Oct 27 15:40:42 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [65] to [AF_INET]x.x.x.x:443: P_DATA_V2 kid=0 DATA len=64
Sat Oct 27 15:40:42 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [89] to [AF_INET]x.x.x.x:443: P_DATA_V2 kid=0 DATA len=88
Sat Oct 27 15:40:42 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [89] to [AF_INET]x.x.x.x:443: P_DATA_V2 kid=0 DATA len=88
Sat Oct 27 15:40:42 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT READ [147] from [AF_INET]x.x.x.x:443: P_DATA_V2 kid=0 DATA len=146
Sat Oct 27 15:40:42 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT READ [147] from [AF_INET]x.x.x.x:443: P_DATA_V2 kid=0 DATA len=146
Sat Oct 27 15:40:42 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [175] to [AF_INET]x.x.x.x:443: P_DATA_V2 kid=0 DATA len=174
Sat Oct 27 15:40:43 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [93] to [AF_INET]x.x.x.x:443: P_DATA_V2 kid=0 DATA len=92
Sat Oct 27 15:40:43 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [65] to [AF_INET]x.x.x.x:443: P_DATA_V2 kid=0 DATA len=64
Sat Oct 27 15:40:43 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT READ [133] from [AF_INET]x.x.x.x:443: P_DATA_V2 kid=0 DATA len=132
Sat Oct 27 15:40:45 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [65] to [AF_INET]x.x.x.x:443: P_DATA_V2 kid=0 DATA len=64
Sat Oct 27 15:40:46 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [65] to [AF_INET]x.x.x.x:443: P_DATA_V2 kid=0 DATA len=64
Sat Oct 27 15:40:51 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [65] to [AF_INET]x.x.x.x:443: P_DATA_V2 kid=0 DATA len=64
Sat Oct 27 15:40:53 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [65] to [AF_INET]x.x.x.x:443: P_DATA_V2 kid=0 DATA len=64
Sat Oct 27 15:40:53 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [65] to [AF_INET]x.x.x.x:443: P_DATA_V2 kid=0 DATA len=64
Sat Oct 27 15:40:54 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [65] to [AF_INET]x.x.x.x:443: P_DATA_V2 kid=0 DATA len=64
Sat Oct 27 15:40:54 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [65] to [AF_INET]x.x.x.x:443: P_DATA_V2 kid=0 DATA len=64
Sat Oct 27 15:40:56 2018 daemon.notice openvpn(vpnclient)[3428]: TCP_CLIENT WRITE [65] to [AF_INET]x.x.x.x:443: P_DATA_V2 kid=0 DATA len=64

Here's the firewall config

# cat /etc/config/firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config zone
	option forward 'REJECT'
	option output 'ACCEPT'
	option name 'vpn'
	option input 'REJECT'
	option masq '1'
	option network 'vpnclient'

config forwarding
	option src 'lan'
	option dest 'vpnclient'

Here's the OpenVPN config:

# cat /etc/config/openvpn

config openvpn 'vpnclient'
	option enabled '1'
	option config '/etc/openvpn/client.ovpn'

# cat /etc/openvpn/client.ovpn
client
dev tun0
proto tcp
remote example.com 443
resolv-retry infinite
nobind
persist-key
persist-tun
persist-remote-ip
ca client.crt
verify-x509-name example.com name
auth-user-pass client.auth
comp-lzo
verb 7
auth SHA256
cipher AES-256-CBC
tls-cipher TLS-...-SHA
auth-nocache

uci set firewall.@zone[-1].name="vpnclient"
uci set firewall.@zone[-1].mtu_fix="1"
uci commit firewall
service firewall restart
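The two firewall slips in the thread (a zone named 'vpn' while the forwarding points at 'vpnclient', and masq without mtu_fix) can be caught by linting the UCI file before restarting the firewall. This is an added example, not code from the thread or from OpenWrt; lint_firewall and the sample config are constructed here, and on a router the real file would be passed in as "$(cat /etc/config/firewall)".

```shell
#!/bin/sh
# Lint an OpenWrt /etc/config/firewall for the two problems this thread
# turned on: a 'forwarding' whose src/dest names no defined zone, and a
# masquerading zone with no mtu_fix. On a router run:
#   lint_firewall "$(cat /etc/config/firewall)"

# Constructed sample (not copied from any router): same shape as the
# original post, zone named 'vpn' but forwarding dest 'vpnclient'.
SAMPLE_FIREWALL=$(cat <<'EOF'
config zone
	option name 'lan'
	option network 'lan'

config zone
	option name 'wan'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config zone
	option name 'vpn'
	option input 'REJECT'
	option masq '1'
	option network 'vpnclient'

config forwarding
	option src 'lan'
	option dest 'vpnclient'
EOF
)

# The same config after the fix suggested in the thread: zone renamed to
# 'vpnclient' so the forwarding resolves, and mtu_fix enabled on it.
FIXED_FIREWALL=$(printf '%s\n' "$SAMPLE_FIREWALL" | awk -v q="'" '
    $2 == "name" && $3 == (q "vpn" q) {
        print "\toption name " q "vpnclient" q
        print "\toption mtu_fix " q "1" q
        next
    }
    { print }')

# Print one finding per line; print nothing when the config is consistent.
lint_firewall() {
    printf '%s\n' "$1" | awk -v q="'" '
        BEGIN { nfwd = 0 }
        # Finish the section just read: record zones, queue forwardings.
        function flush() {
            if (sect == "zone" && name != "") {
                zones[name] = 1
                if (masq == "1" && mtufix != "1")
                    print "zone " name ": masq=1 without mtu_fix=1"
            }
            if (sect == "forwarding") { fsrc[nfwd] = src; fdst[nfwd] = dst; nfwd++ }
            sect = ""; name = ""; masq = ""; mtufix = ""; src = ""; dst = ""
        }
        $1 == "config" { flush(); sect = $2 }
        $1 == "option" {
            val = $3; gsub(q, "", val)        # strip the UCI single quotes
            if ($2 == "name")    name = val
            if ($2 == "masq")    masq = val
            if ($2 == "mtu_fix") mtufix = val
            if ($2 == "src")     src = val
            if ($2 == "dest")    dst = val
        }
        END {
            flush()
            for (i = 0; i < nfwd; i++) {
                if (!(fsrc[i] in zones))
                    print "forwarding " i ": src zone " fsrc[i] " does not exist"
                if (!(fdst[i] in zones))
                    print "forwarding " i ": dest zone " fdst[i] " does not exist"
            }
        }'
}

# Stand-alone demo: two findings for the sample, none after the fix.
echo "--- sample (expect 2 findings) ---"
lint_firewall "$SAMPLE_FIREWALL"
echo "--- after fix (expect none) ---"
lint_firewall "$FIXED_FIREWALL"
```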

Diagnostics from OpenWrt router after establishing VPN-connection:

ping -c3 8.8.8.8
ping -c3 google.com
nslookup google.com 8.8.8.8
nslookup google.com

And repeat from one of the LAN-clients.

Thanks for that. I must have overlooked the mtu_fix option when I was setting it up.

Just a few FYIs:

  • You don't need aes-256-cbc, as AES128 will remain uncrackable until at least 2030.
    • If you're the potential target of a nation state, lower the rekey value to 5 or 10 min.

  • Are you in control of the server, as the server is utilizing an extremely old, and unsupported, version of OpenVPN if you're utilizing comp-lzo (<v2.4).
    • OpenVPN 2.4 was released around 2 years ago, and it deprecated the comp-lzo option; it's now compress lzo or compress lz4 [preferred].

  • TLS ciphers should be utilizing SHA256, instead of SHA, and tls-cipher cannot be specified in the client (it must be specified in the server config).
    • Specifying it in the client config does nothing and can potentially cause issues with the connection.

  • The connection lacks HMAC authentication, thereby preventing PFS (Perfect Forward Secrecy), as it's not utilizing tls-crypt [preferred] or tls-auth.
    • This opens the possibility for a MITM attack.

Hello, I'm trying to install OpenVPN but I'm a newb and have a lot of questions. I tried to install from the OpenVPN guide, for example: wget --no-check-certificate -O /etc/openvpn/vpnclient.ovpn "https://vpn.provider.com/profile.ovpn"

Do I have to replace "https://vpn.provider.com/profile.ovpn" with my file.ovpn?

Regards

Yes, save your VPN-profile to /etc/openvpn/vpnclient.ovpn.

Thanks for your reply.
I'm on W10 and I tried to copy it with Cmder, but I have this error:

λ scp c:\VPN\ca1.tcp.zoogvpn.ovpn root@192.168.1.1:/etc/openvpn/ca1.tcp.zoogvpn.ovpn
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
SHA256:T6Tt4PrjL3dmCjfQYGV/epSqwo06Aon6SiHUKu8u1+k.
Please contact your system administrator.
Add correct host key in C:\\Users\\daroc/.ssh/known_hosts to get rid of this message.
Offending RSA key in C:\\Users\\daroc/.ssh/known_hosts:2
RSA host key for 192.168.1.1 has changed and you have requested strict checking.
Host key verification failed.
lost connection

What does it mean?

del /f /q "%USERPROFILE%\.ssh\known_hosts"

Thanks a lot! With your syntax I could copy it.

C:\Users\daroc\Downloads\cmder
λ del /f /q "%USERPROFILE%\.ssh\known_hosts"

C:\Users\daroc\Downloads\cmder
λ scp c:\VPN\ca1.tcp.zoogvpn.ovpn root@192.168.1.1:/etc/openvpn/ca1.tcp.zoogvpn.ovpn
The authenticity of host '192.168.1.1 (192.168.1.1)' can't be established.
RSA key fingerprint is SHA256:T6Tt4PrjL3dmCjfQYGV/epSqwo06Aon6SiHUKu8u1+k.
Are you sure you want to continue connecting (yes/no)?
Warning: Permanently added '192.168.1.1' (RSA) to the list of known hosts.
ca1.tcp.zoogvpn.ovpn                                                                  100% 4468     4.4KB/s   00:00

I have continued the tutorial:

Package openvpn-openssl (2.4.5-4.2) installed in root is up to date.
Package luci-app-openvpn (git-19.011.54896-1f423b1-1) installed in root is up to date.
Package openssl-util (1.0.2p-1) installed in root is up to date.
root@OpenWrt:~# uci set network.vpnclient="interface"
root@OpenWrt:~# uci set network.vpnclient.ifname="tun0"
root@OpenWrt:~# uci set network.vpnclient.proto="none"
root@OpenWrt:~# uci commit network && service network restart
root@OpenWrt:~# uci add firewall zone
cfg11dc81
root@OpenWrt:~# uci set firewall.@zone[-1].name="vpnclient"
root@OpenWrt:~# uci add_list firewall.@zone[-1].network="vpnclient"
root@OpenWrt:~# uci set firewall.@zone[-1].input="REJECT"
root@OpenWrt:~# uci set firewall.@zone[-1].output="ACCEPT"
root@OpenWrt:~# uci set firewall.@zone[-1].forward="REJECT"
root@OpenWrt:~# uci set firewall.@zone[-1].masq="1"
root@OpenWrt:~# uci set firewall.@zone[-1].mtu_fix="1"
root@OpenWrt:~# uci add firewall forwarding
cfg12ad58
root@OpenWrt:~# uci set firewall.@forwarding[-1].src="lan"
root@OpenWrt:~# uci set firewall.@forwarding[-1].dest="vpnclient"
root@OpenWrt:~# ci commit firewall && service firewall restart
-ash: ci: not found
root@OpenWrt:~# uci commit firewall && service firewall restart
Warning: Unable to locate ipset utility, disabling ipset support
 * Flushing IPv4 filter table
 * Flushing IPv4 nat table
 * Flushing IPv4 mangle table
 * Flushing IPv6 filter table
 * Flushing IPv6 mangle table
 * Flushing conntrack table ...
 * Populating IPv4 filter table
   * Rule 'Allow-DHCP-Renew'
   * Rule 'Allow-Ping'
   * Rule 'Allow-IGMP'
   * Rule 'Allow-IPSec-ESP'
   * Rule 'Allow-ISAKMP'
   * Forward 'lan' -> 'wan'
   * Forward 'lan' -> 'vpnclient'
   * Forward 'lan' -> 'vpnclient'
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'vpnclient'
   * Zone 'vpnclient'
 * Populating IPv4 nat table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'vpnclient'
   * Zone 'vpnclient'
 * Populating IPv4 mangle table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'vpnclient'
   * Zone 'vpnclient'
 * Populating IPv6 filter table
   * Rule 'Allow-DHCPv6'
   * Rule 'Allow-MLD'
   * Rule 'Allow-ICMPv6-Input'
   * Rule 'Allow-ICMPv6-Forward'
   * Rule 'Allow-IPSec-ESP'
   * Rule 'Allow-ISAKMP'
   * Forward 'lan' -> 'wan'
   * Forward 'lan' -> 'vpnclient'
   * Forward 'lan' -> 'vpnclient'
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'vpnclient'
   * Zone 'vpnclient'
 * Populating IPv6 mangle table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'vpnclient'
   * Zone 'vpnclient'
 * Set tcp_ecn to off
 * Set tcp_syncookies to on
 * Set tcp_window_scaling to on
 * Running script '/etc/firewall.user'
root@OpenWrt:~# uci set openvpn.vpnclient="openvpn"
root@OpenWrt:~# uci set openvpn.vpnclient.enabled="1"
root@OpenWrt:~# uci set openvpn.vpnclient.config="/etc/openvpn/ca1.tcp.zoogvpn.ovpn"
root@OpenWrt:~# uci commit openvpn && service openvpn restart
root@OpenWrt:~# sed -r -i "
> s:^(auth-user-pass).*:\1 /etc/openvpn/vpnclient.auth\nauth-nocache:
> s:^(redirect-gateway).*:\1 def1:
> " /etc/openvpn/ca1.tcp.zoogvpn.ovpn
root@OpenWrt:~# cat << "EOF" > /etc/openvpn/vpnclient.auth && chmod 600 /etc/openvpn/vpnclient.auth
> my user vpn 
> my password vpn
> EOF
root@OpenWrt:~# service openvpn restart

But when I try "Ensure OpenVPN Client service is running", I get errors like these:

root@OpenWrt:~# ps | grep [o]penvpn; echo && logread -e openvpn

Sun Jan 13 14:39:07 2019 daemon.err openvpn(vpnclient)[10870]: Options error: In [CMD-LINE]:1: Error opening configuration file: openvpn-vpnclient.conf
Sun Jan 13 14:39:07 2019 daemon.warn openvpn(vpnclient)[10870]: Use --help for m

And in the web interface, on the OpenVPN service page, I have a VPN connection that is enabled but not started.
Could the problem come from my VPN provider (zoogVPN)?

Once more, thanks a lot!

mv -f /etc/openvpn/ca1.tcp.zoogvpn.ovpn /etc/openvpn/vpnclient.ovpn
uci set openvpn.vpnclient.config="/etc/openvpn/vpnclient.ovpn"
uci commit openvpn
service openvpn restart

Thanks, I had indeed made a mistake with the name. I fixed it, but I get the same error (I changed the file ca1.tcp.zoogvpn.ovpn to ca1.udp.zoogvpn.ovpn):

root@OpenWrt:~# mv -f /etc/openvpn/ca1.udp.zoogvpn.ovpn /etc/openvpn/vpnclient.ovpn
root@OpenWrt:~# ls /etc/openvpn
vpnclient.auth  vpnclient.ovpn
root@OpenWrt:~# uci commit openvpn
root@OpenWrt:~# service openvpn restart
root@OpenWrt:~# ps | grep [o]penvpn; echo && logread -e openvpn
Sun Jan 13 17:45:22 2019 daemon.warn openvpn(vpnclient)[15648]: Use --help for more information.
Sun Jan 13 17:45:27 2019 daemon.err openvpn(vpnclient)[15649]: Options error: In [CMD-LINE]:1: Error opening configuration file: openvpn-vpnclient.conf

Where can I find the file openvpn-vpnclient.conf?

OpenVPN will automatically try to parse all files in /etc/openvpn that end in .conf.

You usually do NOT want that to happen, so it is conventional to name OpenVPN configuration files .ovpn instead.

When you use a commercial VPN service, they usually provide a suggested .ovpn file. Copy this file to your router then point the UCI configuration to it. Some small changes will likely be needed to the .ovpn file to make it work in the OpenWrt environment.

After your help I retried from the beginning and it works. Thanks a lot for all your help.

I have one last question: does the VPN work for both LAN and Wi-Fi, or can we choose only Wi-Fi or only LAN?

Regards
