OpenVPN client connects, but no internet connection

Network diagram:

OpenVPN Client <-> Internet <-> DSL-Router (local: 192.168.178.1, public: 46.92.251.173) <-> OpenVPN Host (OpenWrt/LEDE box behind the DSL router: local 192.168.178.201, UDP port 1194 forwarded to it by the DSL router, OpenVPN tunnel network 192.168.200.0/24 with the server at 192.168.200.1)

Problem:

I've used this guide to set up OpenVPN and adapted it a bit for my purpose:

https://openwrt.org/docs/guide-user/services/vpn/openvpn/basic

The client connects successfully and I can ping the VPN host (192.168.200.1) inside the VPN network, but no internet traffic is routed out from the VPN via the DSL router (e.g. a ping to 8.8.8.8 fails). I suspect I'm misunderstanding something about the routing.

I also cannot ping the DSL-Router (192.168.178.1) from within the VPN, so DNS lookups fail too, because that address is what is pushed to the clients as their DNS server. I don't need the DSL-Router to act as DNS server (relay) if there are other, simpler options.

#############################################

root@LEDE:~# cat /etc/config/openvpn

# OpenVPN server instance "vpnserver" (UCI syntax, /etc/config/openvpn).
config openvpn 'vpnserver'
	option enabled '1'
	option verb '3'
	# Routed (layer-3) tunnel on tun0; "subnet" topology hands each client a
	# single address out of the pool below.
	option dev 'tun0'
	option topology 'subnet'
	# Only UDP/1194 is listened on; a firewall rule that also opens TCP/1194
	# allows nothing useful.
	option proto 'udp'
	option port '1194'
	# Tunnel network: the server takes 192.168.200.1, clients get .2 upwards
	# (the client log shows 192.168.200.2 being assigned).
	option server '192.168.200.0 255.255.255.0'
	# NOTE(review): client_to_client lets VPN clients reach each other; that
	# traffic is switched inside OpenVPN and never passes the OpenWrt firewall.
	option client_to_client '1'
	# NOTE(review): compression on a VPN is generally discouraged (traffic-size
	# side channels such as VORACLE); drop it here and in the push below unless
	# it is really needed.
	option compress 'lzo'
	option keepalive '10 120'
	option persist_tun '1'
	option persist_key '1'
	# tls-crypt: the control channel is encrypted and authenticated with a
	# pre-shared key, so peers without tc.psk cannot even start a TLS handshake.
	option tls_crypt '/etc/openvpn/tc.psk'
	option dh '/etc/openvpn/dh.pem'
	option ca '/etc/openvpn/ca.crt'
	option cert '/etc/openvpn/vpnserver.crt'
	option key '/etc/openvpn/vpnserver.key'
	# Full tunnel: clients send all IPv4 traffic through the VPN (the client
	# log shows the two /1 routes 0.0.0.0/1 and 128.0.0.0/1 added for this).
	list push 'redirect-gateway def1'
	# BUG: 192.168.178.1 is a host address, not a network address; with a /24
	# mask this should read 'route 192.168.178.0 255.255.255.0' (the client log
	# shows "add net 192.168.178.1 ... 255.255.255.0").  It is redundant anyway
	# while redirect-gateway is pushed, since the /1 routes already cover it.
	list push 'route 192.168.178.1 255.255.255.0'
	# DNS for clients is the DSL router on the LAN; this only works once
	# VPN -> LAN traffic, and its return path, is routed correctly.
	list push 'dhcp-option DNS 192.168.178.1'
	list push 'compress lzo'
	list push 'persist-tun'
	list push 'persist-key'
	list push 'dhcp-option DOMAIN lan'

###########################################

root@LEDE:~# cat /etc/config/network

# /etc/config/network on the OpenVPN host (OpenWrt/LEDE, 192.168.178.201).
config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

# LAN side: this box sits *behind* the DSL router and uses it as its default
# gateway and DNS.  Unless 'wan' below actually gets a lease, VPN traffic to
# the internet therefore leaves through this interface, not through 'wan' --
# which is why the DSL router needs a route back to 192.168.200.0/24.
config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.178.201'
	option gateway '192.168.178.1'
	option dns '192.168.178.1'

# 'wan' on eth0.2 (switch port 0) is DHCP; nothing in the thread shows whether
# anything is plugged into it.  NOTE(review): if it does get a lease, its DHCP
# default route competes with the static gateway on 'lan' above.
config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'

# Switch layout: VLAN 1 = ports 1-4 (LAN) + tagged CPU port 8,
# VLAN 2 = port 0 (WAN) + tagged CPU port 8.
config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 8t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0 8t'

# Tunnel interface; proto 'none' because OpenVPN configures tun0 itself.
# Declared here only so the firewall can place tun0 into the 'vpnserver' zone.
config interface 'vpnserver'
	option ifname 'tun0'
	option proto 'none'

#########################################

root@LEDE:~# cat /etc/config/firewall

# /etc/config/firewall on the OpenVPN host.  This file only decides zone-to-
# zone policy; the missing internet access is not caused by it.  Replies from
# the DSL router to 192.168.200.x have no route back (see the answer further
# down), which needs either a static route on the DSL router or masquerading
# on the 'lan' zone.
config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

# NOTE(review): this rule has src '*' and no 'dest', so it is an INPUT rule:
# it accepts TCP/UDP port 5000 *to the router itself* from every zone,
# including 'wan', whose input policy is otherwise REJECT.  If the intent
# (judging by the name) is to let VPN clients reach a LAN device on port
# 5000, it needs 'option dest lan' and a 'dest_ip' (or a 'redirect'
# section); as written it merely exposes port 5000 on this box.
config rule
	option target 'ACCEPT'
	option family 'ipv4'
	option proto 'tcp udp'
	option src '*'
	option dest_port '5000'
	option name 'Allow Forwarded VPN Request -> <device>'

# LAN zone, fully open.  There is no 'masq' here, so packets forwarded from
# the VPN towards the LAN (and on to the DSL router) keep their 192.168.200.x
# source address -- hence thread option 1 (static route on the DSL router)
# or option 2 ('option masq 1' on this zone).
config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

# WAN zone: masquerading and MSS clamping apply only to traffic leaving via
# eth0.2; they do not help VPN traffic that exits through the LAN interface.
config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

# Standard OpenWrt ingress rules for the wan zone (DHCP renew, ping, IGMP,
# DHCPv6, MLD, ICMPv6 input/forward).
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# IPsec pass-through from wan to lan hosts.  Nothing in this setup uses
# IPsec; consider removing both rules if no LAN host needs them.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# Extra raw iptables rules, if any, live in /etc/firewall.user (not shown).
config include
	option path '/etc/firewall.user'

# Opens 1194 on the wan zone.  'tcp udp' is wider than needed: the server
# only listens on UDP (option proto 'udp' in /etc/config/openvpn).  Since the
# DSL router forwards 1194 to 192.168.178.201, that traffic most likely
# arrives on the LAN interface, where input is ACCEPT anyway -- so this rule
# probably only matters if eth0.2 is actually connected.
config rule
	option name 'Allow-OpenVPN'
	option src 'wan'
	option dest_port '1194'
	option proto 'tcp udp'
	option target 'ACCEPT'

# Exact duplicate of the rule above; drop one of them.
config rule
	option name 'Allow-OpenVPN'
	option src 'wan'
	option dest_port '1194'
	option proto 'tcp udp'
	option target 'ACCEPT'

# Zone for tun0.  input ACCEPT means VPN clients can reach every service on
# this box (SSH, LuCI, DNS, ...); fine for trusted clients, otherwise tighten.
config zone
	option name 'vpnserver'
	list network 'vpnserver'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

# VPN clients may be forwarded to both the internet and the LAN.  Forwarding
# to 'wan' only covers eth0.2; traffic that exits via the LAN gateway is
# covered by the vpnserver -> lan forwarding below.
config forwarding
	option src 'vpnserver'
	option dest 'wan'

config forwarding
	option src 'vpnserver'
	option dest 'lan'


###################################

VPN Client:

2018-10-13 15:46:11 /sbin/ifconfig utun1 192.168.200.2 192.168.200.2 netmask 255.255.255.0 mtu 1500 up
2018-10-13 15:46:11 /sbin/route add -net 192.168.200.0 192.168.200.2 255.255.255.0
                                        add net 192.168.200.0: gateway 192.168.200.2
                                        DNS servers '192.168.178.1' will be used for DNS queries when the VPN is active
                                        NOTE: The DNS servers do not include any free public DNS servers known to Tunnelblick. This may cause DNS queries to fail or be intercepted or falsified even if they are directed through the VPN. Specify only known public DNS servers or DNS servers located on the VPN network to avoid such problems.
2018-10-13 15:46:15 /sbin/route add -net 46.92.251.173 192.168.0.1 255.255.255.255
                                        add net 46.92.251.173: gateway 192.168.0.1
2018-10-13 15:46:15 /sbin/route add -net 0.0.0.0 192.168.200.1 128.0.0.0
                                        add net 0.0.0.0: gateway 192.168.200.1
2018-10-13 15:46:15 /sbin/route add -net 128.0.0.0 192.168.200.1 128.0.0.0
                                        add net 128.0.0.0: gateway 192.168.200.1
2018-10-13 15:46:15 MANAGEMENT: >STATE:1539438375,ADD_ROUTES,,,,,,
2018-10-13 15:46:15 /sbin/route add -net 192.168.178.1 192.168.200.1 255.255.255.0
                                        add net 192.168.178.1: gateway 192.168.200.1
2018-10-13 15:46:15 Initialization Sequence Completed
2018-10-13 15:46:15 MANAGEMENT: >STATE:1539438375,CONNECTED,SUCCESS,192.168.200.2,46.92.251.173,1194,,

Either one or the other; the first option is preferable:

  1. Add a static route for 192.168.200.0/24 via 192.168.178.201 on the DSL router (192.168.178.1), so its replies to VPN clients go back to the OpenWrt box instead of out via its default route.
  2. Enable masquerading on the OpenWrt 'lan' zone (192.168.178.201), so traffic from VPN clients reaches the DSL router with the source address 192.168.178.201, which it already knows how to answer.

Could you write the particular uci commands for option 1?

Does DSL-Router also run OpenWrt?

No, unfortunately not.

You need to add a static route on the DSL-Router (it is not OpenWrt, so there are no uci commands for it; use its own web interface).

Why though? I can access the OpenWRT machine and that machine can access the internet via the DSL router.

The DSL-Router doesn't know the route to the VPN network (192.168.200.0/24).

Why does it need to if the OpenWRT knows how to access the internet?

That's how routing works: a reply from the internet arrives at the DSL router addressed to a VPN client, e.g. 192.168.200.2.
Without a static route the DSL router has no idea that 192.168.200.0/24 lives behind 192.168.178.201, so it sends the packet along its default route.
Its default route points to the internet, where a private 192.168.200.x destination is simply dropped -- the VPN client never sees the reply.


Oh I see, and it works! Sorry for the doubts and thanks for the help and explanation.

If your problem is solved, please consider marking this topic as [Solved]. (Click the pencil behind the topic...)

You can also mark the reply that solved your problem:

