Network diagram:
OpenVPN Client <-> Internet <-> DSL-Router (local: 192.167.178.1, public: 46.92.251.173) <-> OpenVPN Host (local: 192.167.178.201, exposed on UDP port 1194, OpenVPN network: 192.168.200.1)
Problem:
I've used this guide to set up OpenVPN and adapted it a bit for my purpose:
https://openwrt.org/docs/guide-user/services/vpn/openvpn/basic
The client connects successfully and I can ping the VPN host (192.167.200.1) on the VPN network, but the routes are misconfigured so that no internet traffic from the VPN is routed out via the DSL-Router (e.g. a ping to 8.8.8.8 fails). I suspect I'm misunderstanding something about the routing.
I also cannot ping the DSL-Router (192.168.178.1) from within the VPN, so DNS lookups fail too, since it is the DNS server pushed to the clients. I don't need the DSL-Router to act as the DNS server (relay) if there are simpler options.
#############################################
root@LEDE:~# cat /etc/config/openvpn
config openvpn 'vpnserver'
option enabled '1'
option verb '3'
option dev 'tun0'
option topology 'subnet'
# Server listens on UDP only (the firewall rule for port 1194 could be narrowed to match).
option proto 'udp'
option port '1194'
# VPN subnet; the client log further down shows the first client getting 192.168.200.2/24.
option server '192.168.200.0 255.255.255.0'
# Lets VPN clients talk to each other directly; drop it if that is not needed.
option client_to_client '1'
# NOTE(review): upstream OpenVPN discourages compression (deprecated in current
# releases); if it is removed here, remove the pushed 'compress lzo' as well.
option compress 'lzo'
option keepalive '10 120'
option persist_tun '1'
option persist_key '1'
# tls-crypt: encrypts and authenticates the TLS control channel with this pre-shared key.
option tls_crypt '/etc/openvpn/tc.psk'
option dh '/etc/openvpn/dh.pem'
option ca '/etc/openvpn/ca.crt'
option cert '/etc/openvpn/vpnserver.crt'
option key '/etc/openvpn/vpnserver.key'
# Makes the client send all traffic through the tunnel (the client log shows the
# two /1 routes via 192.168.200.1). This only works if the server forwards that
# traffic AND a reply path exists: either NAT on the zone the traffic leaves
# through, or a route back to 192.168.200.0/24 on the next hop.
list push 'redirect-gateway def1'
# NOTE(review): for a /24 the network address is 192.168.178.0, not .1; the
# client log shows the route being installed with the host address.
list push 'route 192.168.178.1 255.255.255.0'
# DNS is the DSL router; clients can only use it if the LAN path above works.
list push 'dhcp-option DNS 192.168.178.1'
list push 'compress lzo'
list push 'persist-tun'
list push 'persist-key'
list push 'dhcp-option DOMAIN lan'
###########################################
root@LEDE:~# cat /etc/config/network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
# The OpenVPN host sits inside the DSL router's LAN with a static address and
# uses the DSL router as its gateway and DNS server.
config interface 'lan'
option type 'bridge'
option ifname 'eth0.1'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '192.168.178.201'
# NOTE(review): this gateway gives the host a default route out through 'lan'.
# Unless eth0.2 below actually has an uplink, forwarded VPN traffic therefore
# leaves via the 'lan' firewall zone rather than 'wan' -- which matters for
# where NAT (masq) has to be enabled in /etc/config/firewall.
option gateway '192.168.178.1'
option dns '192.168.178.1'
# DHCP uplink on the second VLAN; whether anything is connected here is not
# visible from the config.
config interface 'wan'
option ifname 'eth0.2'
option proto 'dhcp'
config interface 'wan6'
option ifname 'eth0.2'
option proto 'dhcpv6'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
# VLAN 1 = LAN ports, VLAN 2 = WAN port; port 8 is the tagged CPU port.
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '1 2 3 4 8t'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '0 8t'
# Unmanaged interface wrapping tun0 so the firewall can place it in a zone.
config interface 'vpnserver'
option ifname 'tun0'
option proto 'none'
#########################################
root@LEDE:~# cat /etc/config/firewall
config defaults
option syn_flood '1'
# Defaults apply to traffic not covered by any zone; input defaults to ACCEPT.
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
# NOTE(review): with src '*' and no 'dest', this rule targets the router's own
# INPUT chain from every zone (including wan) on TCP/UDP 5000. If the intent
# (per the name) is to reach a device behind the router, it needs 'option dest'
# and 'option dest_ip' instead; as written it exposes port 5000 on the router itself.
config rule
option target 'ACCEPT'
option family 'ipv4'
option proto 'tcp udp'
option src '*'
option dest_port '5000'
option name 'Allow Forwarded VPN Request -> <device>'
# Fully open LAN zone (the host is itself behind the DSL router).
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
# NAT only applies to traffic leaving through THIS zone. Traffic that leaves via
# 'lan' (the host's default route per /etc/config/network) is not masqueraded.
option masq '1'
option mtu_fix '1'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
# Inbound OpenVPN from the Internet. The server only listens on UDP (proto 'udp'
# in /etc/config/openvpn), so 'option proto 'udp'' alone would be tighter.
config rule
option name 'Allow-OpenVPN'
option src 'wan'
option dest_port '1194'
option proto 'tcp udp'
option target 'ACCEPT'
# NOTE(review): exact duplicate of the rule above; one of the two can be removed.
config rule
option name 'Allow-OpenVPN'
option src 'wan'
option dest_port '1194'
option proto 'tcp udp'
option target 'ACCEPT'
# Zone for tun0. input ACCEPT lets VPN clients reach every service on the router
# itself; restrict it if clients only need forwarding.
config zone
option name 'vpnserver'
list network 'vpnserver'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
# Only takes effect for traffic that actually leaves via the 'wan' zone.
config forwarding
option src 'vpnserver'
option dest 'wan'
# Traffic from VPN clients towards the LAN (and, via the host's default route,
# the Internet) is forwarded here without NAT. NOTE(review): the DSL router has
# no route back to 192.168.200.0/24 unless one is added, which is the likely
# reason the pings described in the post fail. The simplest fix is
# 'option masq '1'' on the 'lan' zone; the alternative is a static route for
# 192.168.200.0/24 via 192.168.178.201 on the DSL router.
config forwarding
option src 'vpnserver'
option dest 'lan'
###################################
VPN Client:
2018-10-13 15:46:11 /sbin/ifconfig utun1 192.168.200.2 192.168.200.2 netmask 255.255.255.0 mtu 1500 up
2018-10-13 15:46:11 /sbin/route add -net 192.168.200.0 192.168.200.2 255.255.255.0
add net 192.168.200.0: gateway 192.168.200.2
2
DNS servers '192.168.178.1' will be used for DNS queries when the VPN is active
NOTE: The DNS servers do not include any free public DNS servers known to Tunnelblick. This may cause DNS queries to fail or be intercepted or falsified even if they are directed through the VPN. Specify only known public DNS servers or DNS servers located on the VPN network to avoid such problems.
2018-10-13 15:46:15 /sbin/route add -net 46.92.251.173 192.168.0.1 255.255.255.255
add net 46.92.251.173: gateway 192.168.0.1
2018-10-13 15:46:15 /sbin/route add -net 0.0.0.0 192.168.200.1 128.0.0.0
add net 0.0.0.0: gateway 192.168.200.1
2018-10-13 15:46:15 /sbin/route add -net 128.0.0.0 192.168.200.1 128.0.0.0
add net 128.0.0.0: gateway 192.168.200.1
2018-10-13 15:46:15 MANAGEMENT: >STATE:1539438375,ADD_ROUTES,,,,,,
2018-10-13 15:46:15 /sbin/route add -net 192.168.178.1 192.168.200.1 255.255.255.0
add net 192.168.178.1: gateway 192.168.200.1
2018-10-13 15:46:15 Initialization Sequence Completed
2018-10-13 15:46:15 MANAGEMENT: >STATE:1539438375,CONNECTED,SUCCESS,192.168.200.2,46.92.251.173,1194,,
2