Hi !
I followed this guide: https://openwrt.org/docs/guide-user/services/vpn/openvpn/client
As I see in the logs, it seems to connect, but I cannot reach the WAN.
My setup:
Alfa121U with external Wifi-card (UPLINK)
Ideally, I would only like WIFI clients to use the VPN, Connections though LAN-Port should not (PS4, too much lag).
Here a paste of the requested infos:
Big thanks in advance for anyone willing to help !!
OS: OpenWrt 18.06.1
root@b0x:~# uci show firewall; echo && uci show network; echo && uci show openvpn; echo && logread -e openvpn
firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[0].network='lan'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@zone[1].network='wan wan6 Uplink'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.@zone[2]=zone
firewall.@zone[2].name='vpnclient'
firewall.@zone[2].network='vpnclient'
firewall.@zone[2].input='REJECT'
firewall.@zone[2].output='ACCEPT'
firewall.@zone[2].forward='REJECT'
firewall.@zone[2].masq='1'
firewall.@zone[2].mtu_fix='1'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].src='lan'
firewall.@forwarding[1].dest='vpnclient'
network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fd0c:3a5a:c902::/48'
network.lan=interface
network.lan.type='bridge'
network.lan.ifname='eth0'
network.lan.proto='static'
network.lan.ipaddr='192.168.1.1'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.lan.gateway='192.168.1.1'
network.wan=interface
network.wan.ifname='eth1'
network.wan.proto='dhcp'
network.wan.auto='0'
network.wan6=interface
network.wan6.ifname='eth1'
network.wan6.proto='dhcpv6'
network.wan6.auto='0'
network.Uplink=interface
network.Uplink.proto='static'
network.Uplink.ipaddr='192.168.0.11'
network.Uplink.netmask='255.255.255.0'
network.Uplink.gateway='192.168.0.1'
network.Uplink.broadcast='192.168.0.255'
network.Uplink.ip6assign='64'
network.Uplink.dns='8.8.8.8'
network.vpnclient=interface
network.vpnclient.ifname='tun0'
network.vpnclient.proto='none'
openvpn.custom_config=openvpn
openvpn.custom_config.config='/etc/openvpn/my-vpn.conf'
openvpn.sample_server=openvpn
openvpn.sample_server.port='1194'
openvpn.sample_server.proto='udp'
openvpn.sample_server.dev='tun'
openvpn.sample_server.ca='/etc/openvpn/ca.crt'
openvpn.sample_server.cert='/etc/openvpn/server.crt'
openvpn.sample_server.key='/etc/openvpn/server.key'
openvpn.sample_server.dh='/etc/openvpn/dh1024.pem'
openvpn.sample_server.server='10.8.0.0 255.255.255.0'
openvpn.sample_server.ifconfig_pool_persist='/tmp/ipp.txt'
openvpn.sample_server.keepalive='10 120'
openvpn.sample_server.compress='lzo'
openvpn.sample_server.persist_key='1'
openvpn.sample_server.persist_tun='1'
openvpn.sample_server.user='nobody'
openvpn.sample_server.status='/tmp/openvpn-status.log'
openvpn.sample_server.verb='3'
openvpn.sample_client=openvpn
openvpn.sample_client.client='1'
openvpn.sample_client.dev='tun'
openvpn.sample_client.proto='udp'
openvpn.sample_client.remote='my_server_1 1194'
openvpn.sample_client.resolv_retry='infinite'
openvpn.sample_client.nobind='1'
openvpn.sample_client.persist_key='1'
openvpn.sample_client.persist_tun='1'
openvpn.sample_client.user='nobody'
openvpn.sample_client.ca='/etc/openvpn/ca.crt'
openvpn.sample_client.cert='/etc/openvpn/client.crt'
openvpn.sample_client.key='/etc/openvpn/client.key'
openvpn.sample_client.compress='lzo'
openvpn.sample_client.verb='3'
openvpn.vpnclient=openvpn
openvpn.vpnclient.config='/etc/openvpn/vpnclient.ovpn'
openvpn.vpnclient.enabled='1'
Tue Dec 4 13:29:26 2018 daemon.err uhttpd[1288]: luci: accepted login on /admin/services/openvpn for root from 192.168.1.101
Tue Dec 4 13:29:39 2018 daemon.notice openvpn(vpnclient)[11533]: OpenVPN 2.4.5 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Tue Dec 4 13:29:39 2018 daemon.notice openvpn(vpnclient)[11533]: library versions: OpenSSL 1.0.2p 14 Aug 2018, LZO 2.10
Tue Dec 4 13:29:39 2018 daemon.notice openvpn(vpnclient)[11533]: Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Tue Dec 4 13:29:39 2018 daemon.notice openvpn(vpnclient)[11533]: Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Tue Dec 4 13:29:39 2018 daemon.notice openvpn(vpnclient)[11533]: Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Tue Dec 4 13:29:39 2018 daemon.notice openvpn(vpnclient)[11533]: Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Tue Dec 4 13:29:39 2018 daemon.notice openvpn(vpnclient)[11533]: TCP/UDP: Preserving recently used remote address: [AF_INET]185.xx.xxx.100:1194
Tue Dec 4 13:29:39 2018 daemon.notice openvpn(vpnclient)[11533]: Socket Buffers: R=[163840->163840] S=[163840->163840]
Tue Dec 4 13:29:39 2018 daemon.notice openvpn(vpnclient)[11533]: UDP link local: (not bound)
Tue Dec 4 13:29:39 2018 daemon.notice openvpn(vpnclient)[11533]: UDP link remote: [AF_INET]185.xx.xxx.100:1194
Tue Dec 4 13:29:39 2018 daemon.notice openvpn(vpnclient)[11533]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Tue Dec 4 13:29:40 2018 daemon.notice openvpn(vpnclient)[11533]: TLS: Initial packet from [AF_INET]185.xx.xxx.100:1194, sid=cb29637e ec2a41c8
Tue Dec 4 13:29:40 2018 daemon.notice openvpn(vpnclient)[11533]: VERIFY OK: depth=1, C=xx, ST=xx, L=xx, O=xx.xx, OU=OU, CN=xxxxx.xxx CA, name=EasyRSA, emailAddress=admin@xxx.xxx
Tue Dec 4 13:29:40 2018 daemon.notice openvpn(vpnclient)[11533]: VERIFY KU OK
Tue Dec 4 13:29:40 2018 daemon.notice openvpn(vpnclient)[11533]: Validating certificate extended key usage
Tue Dec 4 13:29:40 2018 daemon.notice openvpn(vpnclient)[11533]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Tue Dec 4 13:29:40 2018 daemon.notice openvpn(vpnclient)[11533]: VERIFY EKU OK
Tue Dec 4 13:29:40 2018 daemon.notice openvpn(vpnclient)[11533]: VERIFY OK: depth=0, C=xx, ST=xx, L=xx, O=xxxx.xxx, OU=OU, CN=server, name=EasyRSA, emailAddress=admin@xxx.xxx
Tue Dec 4 13:29:47 2018 daemon.notice openvpn(vpnclient)[11533]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Tue Dec 4 13:29:47 2018 daemon.notice openvpn(vpnclient)[11533]: [server] Peer Connection Initiated with [AF_INET]185.22.172.100:1194
Tue Dec 4 13:29:48 2018 daemon.notice openvpn(vpnclient)[11533]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Tue Dec 4 13:29:48 2018 daemon.notice openvpn(vpnclient)[11533]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 185.xx.xxx.100,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM'
Tue Dec 4 13:29:48 2018 daemon.notice openvpn(vpnclient)[11533]: OPTIONS IMPORT: timers and/or timeouts modified
Tue Dec 4 13:29:48 2018 daemon.notice openvpn(vpnclient)[11533]: OPTIONS IMPORT: --ifconfig/up options modified
Tue Dec 4 13:29:48 2018 daemon.notice openvpn(vpnclient)[11533]: OPTIONS IMPORT: route options modified
Tue Dec 4 13:29:48 2018 daemon.notice openvpn(vpnclient)[11533]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Tue Dec 4 13:29:48 2018 daemon.notice openvpn(vpnclient)[11533]: OPTIONS IMPORT: peer-id set
Tue Dec 4 13:29:48 2018 daemon.notice openvpn(vpnclient)[11533]: OPTIONS IMPORT: adjusting link_mtu to 1624
Tue Dec 4 13:29:48 2018 daemon.notice openvpn(vpnclient)[11533]: OPTIONS IMPORT: data channel crypto options modified
Tue Dec 4 13:29:48 2018 daemon.notice openvpn(vpnclient)[11533]: Data Channel: using negotiated cipher 'AES-256-GCM'
Tue Dec 4 13:29:48 2018 daemon.notice openvpn(vpnclient)[11533]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Dec 4 13:29:48 2018 daemon.notice openvpn(vpnclient)[11533]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Dec 4 13:29:50 2018 daemon.notice openvpn(vpnclient)[11533]: TUN/TAP device tun0 opened
Tue Dec 4 13:29:50 2018 daemon.notice openvpn(vpnclient)[11533]: TUN/TAP TX queue length set to 100
Tue Dec 4 13:29:50 2018 daemon.notice openvpn(vpnclient)[11533]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Tue Dec 4 13:29:50 2018 daemon.notice openvpn(vpnclient)[11533]: /sbin/ifconfig tun0 10.8.0.6 pointopoint 10.8.0.5 mtu 1500
Tue Dec 4 13:29:52 2018 daemon.notice openvpn(vpnclient)[11533]: /sbin/route add -net 185.22.172.100 netmask 255.255.255.255 gw 192.168.0.1
Tue Dec 4 13:29:52 2018 daemon.notice openvpn(vpnclient)[11533]: /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.8.0.5
Tue Dec 4 13:29:52 2018 daemon.notice openvpn(vpnclient)[11533]: /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.8.0.5
Tue Dec 4 13:29:52 2018 daemon.notice openvpn(vpnclient)[11533]: /sbin/route add -net 10.8.0.1 netmask 255.255.255.255 gw 10.8.0.5
Tue Dec 4 13:29:52 2018 daemon.notice openvpn(vpnclient)[11533]: GID set to nogroup
Tue Dec 4 13:29:52 2018 daemon.notice openvpn(vpnclient)[11533]: UID set to nobody
Tue Dec 4 13:29:52 2018 daemon.warn openvpn(vpnclient)[11533]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Tue Dec 4 13:29:52 2018 daemon.notice openvpn(vpnclient)[11533]: Initialization Sequence Completed