OpenVPN client in bridge mode, OpenWrt configuration issue

Hello all,

I have followed this tutorial (part: Routing client traffic transparently) to configure the OpenVPN client in tap mode on my OpenWrt router, but the internet connection does not work.
https://oldwiki.archive.openwrt.org/doc/howto/vpn.client.openvpn.tap.

My private OpenVPN in tap mode works well on the client side using OpenVPN GUI on my Windows laptop. My intention is to set up the OpenVPN client directly on my OpenWrt router to connect all devices using 'Routing client traffic transparently' with 'tap'.

May I ask for some help to find and correct the issue?

My setup is:

  • Local router: Linksys WRT3200ACM with OpenWrt 18.06.4 (192.168.111.1), connected to the ISP router (192.168.1.254) with an Ethernet cable
  • Remote ISP router: 192.168.0.1
  • Remote Raspberry Pi 3 B+ connected to the ISP router: 192.168.0.57 (OpenVPN server in TAP mode installed)

OpenVPN client log

root@Router:~# logread -e openvpn
Thu Nov 21 22:09:34 2019 user.notice openvpn: hometest.conf is disabled in /etc/config/openvpn
Thu Nov 21 22:09:35 2019 daemon.notice openvpn(hometest)[4176]: OpenVPN 2.4.5 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Thu Nov 21 22:09:35 2019 daemon.notice openvpn(hometest)[4176]: library versions: OpenSSL 1.0.2t 10 Sep 2019, LZO 2.10
Thu Nov 21 22:09:35 2019 daemon.notice openvpn(hometest)[4176]: Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Thu Nov 21 22:09:35 2019 daemon.notice openvpn(hometest)[4176]: Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Thu Nov 21 22:09:35 2019 daemon.notice openvpn(hometest)[4176]: Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Thu Nov 21 22:09:35 2019 daemon.notice openvpn(hometest)[4176]: Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Thu Nov 21 22:09:35 2019 daemon.notice openvpn(hometest)[4176]: TCP/UDP: Preserving recently used remote address: [AF_INET]XX.XXX.XXX.XXX:1194
Thu Nov 21 22:09:35 2019 daemon.notice openvpn(hometest)[4176]: Socket Buffers: R=[163840->163840] S=[163840->163840]
Thu Nov 21 22:09:35 2019 daemon.notice openvpn(hometest)[4176]: UDP link local: (not bound)
Thu Nov 21 22:09:35 2019 daemon.notice openvpn(hometest)[4176]: UDP link remote: [AF_INET]XX.XXX.XXX.XXX:1194
Thu Nov 21 22:09:35 2019 daemon.notice openvpn(hometest)[4176]: TLS: Initial packet from [AF_INET]XX.XXX.XXX.XXX:1194, sid=53dc8c74 369b7430
Thu Nov 21 22:09:35 2019 daemon.notice openvpn(hometest)[4176]: VERIFY OK: depth=1, CN=ChangeMe
Thu Nov 21 22:09:35 2019 daemon.notice openvpn(hometest)[4176]: VERIFY KU OK
Thu Nov 21 22:09:35 2019 daemon.notice openvpn(hometest)[4176]: Validating certificate extended key usage
Thu Nov 21 22:09:35 2019 daemon.notice openvpn(hometest)[4176]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Thu Nov 21 22:09:35 2019 daemon.notice openvpn(hometest)[4176]: VERIFY EKU OK
Thu Nov 21 22:09:35 2019 daemon.notice openvpn(hometest)[4176]: VERIFY X509NAME OK: CN=server_XxxxxxxxX
Thu Nov 21 22:09:35 2019 daemon.notice openvpn(hometest)[4176]: VERIFY OK: depth=0, CN=server_XxxxxxxxX
Thu Nov 21 22:09:36 2019 daemon.notice openvpn(hometest)[4176]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-ECDSA-AES256-GCM-SHA384, 256 bit EC, curve: prime256v1
Thu Nov 21 22:09:36 2019 daemon.notice openvpn(hometest)[4176]: [server_XxxxxxxxX] Peer Connection Initiated with [AF_INET]XX.XXX.XXX.XXX:1194
Thu Nov 21 22:09:37 2019 daemon.notice openvpn(hometest)[4176]: SENT CONTROL [server_XxxxxxxxX]: 'PUSH_REQUEST' (status=1)
Thu Nov 21 22:09:37 2019 daemon.notice openvpn(hometest)[4176]: PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,block-outside-dns,redirect-gateway def1,route-gateway 192.168.0.57,ping 1800,ping-restart 3600,ifconfig 192.168.0.128 255.255.255.0,peer-id 1,cipher AES-256-GCM'
Thu Nov 21 22:09:37 2019 daemon.err openvpn(hometest)[4176]: Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:3: block-outside-dns (2.4.5)
Thu Nov 21 22:09:37 2019 daemon.notice openvpn(hometest)[4176]: OPTIONS IMPORT: timers and/or timeouts modified
Thu Nov 21 22:09:37 2019 daemon.notice openvpn(hometest)[4176]: OPTIONS IMPORT: --ifconfig/up options modified
Thu Nov 21 22:09:37 2019 daemon.notice openvpn(hometest)[4176]: OPTIONS IMPORT: route options modified
Thu Nov 21 22:09:37 2019 daemon.notice openvpn(hometest)[4176]: OPTIONS IMPORT: route-related options modified
Thu Nov 21 22:09:37 2019 daemon.notice openvpn(hometest)[4176]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Thu Nov 21 22:09:37 2019 daemon.notice openvpn(hometest)[4176]: OPTIONS IMPORT: peer-id set
Thu Nov 21 22:09:37 2019 daemon.notice openvpn(hometest)[4176]: OPTIONS IMPORT: adjusting link_mtu to 1656
Thu Nov 21 22:09:37 2019 daemon.notice openvpn(hometest)[4176]: OPTIONS IMPORT: data channel crypto options modified
Thu Nov 21 22:09:37 2019 daemon.notice openvpn(hometest)[4176]: Data Channel: using negotiated cipher 'AES-256-GCM'
Thu Nov 21 22:09:37 2019 daemon.notice openvpn(hometest)[4176]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Nov 21 22:09:37 2019 daemon.notice openvpn(hometest)[4176]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Nov 21 22:09:37 2019 daemon.notice openvpn(hometest)[4176]: TUN/TAP device tap0 opened
Thu Nov 21 22:09:37 2019 daemon.notice openvpn(hometest)[4176]: TUN/TAP TX queue length set to 100
Thu Nov 21 22:09:37 2019 daemon.notice openvpn(hometest)[4176]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Thu Nov 21 22:09:37 2019 daemon.notice openvpn(hometest)[4176]: /sbin/ifconfig tap0 192.168.0.128 netmask 255.255.255.0 mtu 1500 broadcast 192.168.0.255
Thu Nov 21 22:09:37 2019 daemon.notice openvpn(hometest)[4176]: /sbin/route add -net XX.XXX.XXX.XXX netmask 255.255.255.255 gw 192.168.1.254
Thu Nov 21 22:09:37 2019 daemon.notice openvpn(hometest)[4176]: /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 192.168.0.57
Thu Nov 21 22:09:37 2019 daemon.notice openvpn(hometest)[4176]: /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 192.168.0.57
Thu Nov 21 22:09:37 2019 daemon.notice openvpn(hometest)[4176]: Initialization Sequence Completed

OpenVPN client .conf

    client
    dev tap
    proto udp
    remote xxx 1194
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    remote-cert-tls server
    tls-version-min 1.2
    verify-x509-name server_xxx name
    cipher AES-256-CBC
    auth SHA256
    auth-nocache
    verb 3
    # inline key material; the <ca>/<cert>/<key>/<tls-crypt> tags were lost when
    # pasting and are restored here (the log's "Control Channel Encryption"
    # lines show tls-crypt, not tls-auth)
    <ca>
    -----BEGIN CERTIFICATE-----
    xxxx
    -----END CERTIFICATE-----
    </ca>
    <cert>
    -----BEGIN CERTIFICATE-----
    xxx
    -----END CERTIFICATE-----
    </cert>
    <key>
    -----BEGIN PRIVATE KEY-----
    xxx
    -----END PRIVATE KEY-----
    </key>
    <tls-crypt>
    # 2048 bit OpenVPN static key
    -----BEGIN OpenVPN Static key V1-----
    xxx
    -----END OpenVPN Static key V1-----
    </tls-crypt>
    #user nobody
    #group nogroup
    #dev tun

Network config

root@Router:~# cat /etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fda8:d320:6af4::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.111.1'

config interface 'wan'
        option ifname 'eth1.2'
        option proto 'dhcp'
        option peerdns '0'
        option dns '8.8.8.8 8.8.4.4'

config interface 'wan6'
        option ifname 'eth1.2'
        option proto 'dhcpv6'
        option peerdns '0'
        option dns '2001:4860:4860::8888 2001:4860:4860::8844'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 3 5t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '4 6t'

config interface 'VPN_client'
        option proto 'none'
        option ifname 'tap0'

Firewall config

root@Router:~# cat /etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone 'lan'
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone 'wan'
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list device 'tun0'

config forwarding 'lan_wan'
        option src 'lan'
        option dest 'wan'

config zone
        option name 'VPN_client'
        option input 'ACCEPT'
        option forward 'REJECT'
        option output 'ACCEPT'
        option network 'VPN_client'

config forwarding
        option dest 'lan'
        option src 'VPN_client'

config forwarding
        option dest 'VPN_client'
        option src 'lan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

ifconfig

root@Router:~# ifconfig
br-lan    Link encap:Ethernet  HWaddr 26:F5:A2:C4:2F:B0
          inet addr:192.168.111.1  Bcast:192.168.111.255  Mask:255.255.255.0
          inet6 addr: fe80::24f5:a2ff:fec4:2fb0/64 Scope:Link
          inet6 addr: fda8:d320:6af4::1/60 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:286831 errors:0 dropped:0 overruns:0 frame:0
          TX packets:347001 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:34443093 (32.8 MiB)  TX bytes:403574263 (384.8 MiB)

eth0      Link encap:Ethernet  HWaddr 26:F5:A2:C4:2F:B0
          inet6 addr: fe80::24f5:a2ff:fec4:2fb0/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:350 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1265 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:532
          RX bytes:31160 (30.4 KiB)  TX bytes:143542 (140.1 KiB)
          Interrupt:37

eth0.1    Link encap:Ethernet  HWaddr 26:F5:A2:C4:2F:B0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:596 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:72300 (70.6 KiB)

eth1      Link encap:Ethernet  HWaddr 24:F5:A2:C4:2F:B0
          inet6 addr: fe80::26f5:a2ff:fec4:2fb0/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:432381 errors:0 dropped:0 overruns:0 frame:0
          TX packets:306841 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:532
          RX bytes:470006504 (448.2 MiB)  TX bytes:44078773 (42.0 MiB)
          Interrupt:36

eth1.2    Link encap:Ethernet  HWaddr 24:F5:A2:C4:2F:B0
          inet addr:192.168.1.49  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::26f5:a2ff:fec4:2fb0/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:338769 errors:0 dropped:0 overruns:0 frame:0
          TX packets:277796 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:395006360 (376.7 MiB)  TX bytes:37751263 (36.0 MiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:13444 errors:0 dropped:0 overruns:0 frame:0
          TX packets:13444 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1305129 (1.2 MiB)  TX bytes:1305129 (1.2 MiB)

tap0      Link encap:Ethernet  HWaddr FE:C6:E3:92:F6:4E
          inet addr:192.168.0.128  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::fcc6:e3ff:fe92:f64e/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4 errors:0 dropped:0 overruns:0 frame:0
          TX packets:28 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:284 (284.0 B)  TX bytes:1971 (1.9 KiB)

wlan0     Link encap:Ethernet  HWaddr 24:F5:A2:C4:2F:B2
          inet6 addr: fe80::26f5:a2ff:fec4:2fb2/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:286830 errors:0 dropped:0 overruns:0 frame:0
          TX packets:381696 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:38458707 (36.6 MiB)  TX bytes:413111943 (393.9 MiB)

wlan1     Link encap:Ethernet  HWaddr 24:F5:A2:C4:2F:B1
          inet6 addr: fe80::26f5:a2ff:fec4:2fb1/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:592 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:82148 (80.2 KiB)

Ping remote Raspberry Pi

root@Router:~# ping 192.168.0.57
PING 192.168.0.57 (192.168.0.57): 56 data bytes
64 bytes from 192.168.0.57: seq=0 ttl=64 time=29.213 ms
64 bytes from 192.168.0.57: seq=1 ttl=64 time=29.215 ms
64 bytes from 192.168.0.57: seq=2 ttl=64 time=28.966 ms
64 bytes from 192.168.0.57: seq=3 ttl=64 time=28.445 ms
64 bytes from 192.168.0.57: seq=4 ttl=64 time=29.095 ms
64 bytes from 192.168.0.57: seq=5 ttl=64 time=28.544 ms
^C
--- 192.168.0.57 ping statistics ---
7 packets transmitted, 6 packets received, 14% packet loss
round-trip min/avg/max = 28.445/28.913/29.215 ms

It cannot work because you have not enabled masquerade in the VPN_client firewall zone.
Unless you didn't want to do NAT, in which case you forgot to bridge the tap with the lan, which will also not work because you are using different addresses.

Is there a specific reason you want tap instead of tun? Tun can work fine for internet sharing, without all this mess.

Thank you for your answer. Does it mean I have to add "option masq '1'"?

config zone
        option name 'VPN_client'
        option masq '1' #here
        option input 'ACCEPT'
        option forward 'REJECT'
        option output 'ACCEPT'
        option network 'VPN_client'

I want to have my network transparently with TAP, as if I were at the remote location. A gaming application launched on my computer detected that I was using an OpenVPN VPN in tun mode.

Then try with the masq and mtu_fix, like you have in the wan zone.
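The diagnosis in the two replies above (LAN traffic forwarded into a zone that does not masquerade) can be checked mechanically. The script below is an added example, not code from the thread or from OpenWrt: POSIX sh plus awk, so it runs on the router's BusyBox as well as on a workstation against a copy of /etc/config/firewall. It embeds a constructed, trimmed copy of the zone and forwarding stanzas posted above, reports every zone that receives forwarded traffic from `lan` without `masq '1'`, and prints the `uci` commands that enable `masq` and `mtu_fix` on it. The `uci show | sed` index lookup assumes the zone is an anonymous section (`config zone` without a label), as in the posted config; a labelled section would be addressed as `firewall.<label>.masq` instead. The parser reads only the first word of each value, which is enough for zone names and flags.

```shell
#!/bin/sh
# Added example (not from the thread): lint an OpenWrt /etc/config/firewall for
# zones that LAN traffic is forwarded into but that do not masquerade.
set -eu

# Constructed sample: the zone/forwarding stanzas from the thread's firewall
# config, trimmed to what the check needs. Written to a temp file because the
# functions take a path, exactly like /etc/config/firewall on the router.
sample_firewall_file() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
config zone 'lan'
        option name 'lan'
        list network 'lan'
        option forward 'ACCEPT'

config zone 'wan'
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option masq '1'
        option mtu_fix '1'

config forwarding 'lan_wan'
        option src 'lan'
        option dest 'wan'

config zone
        option name 'VPN_client'
        option input 'ACCEPT'
        option forward 'REJECT'
        option output 'ACCEPT'
        option network 'VPN_client'

config forwarding
        option dest 'VPN_client'
        option src 'lan'
EOF
    echo "$f"
}

# zone_option FILE ZONE OPTION: print OPTION of the zone named ZONE, "0" when
# the zone exists but does not set it, nothing when the zone is absent.
# Sections are "config zone 'label'" or anonymous "config zone"; both carry
# "option name", which is what identifies the zone here.
zone_option() {
    awk -v want="$2" -v opt="$3" '
        function flush() {
            if (sect == "zone" && name == want) print (val == "" ? "0" : val)
        }
        $1 == "config" { flush(); sect = $2; name = ""; val = "" }
        $1 == "option" || $1 == "list" {
            v = $3; gsub(/'\''/, "", v)
            if ($2 == "name") name = v
            if ($2 == opt)  val = v
        }
        END { flush() }
    ' "$1"
}

# forward_dests FILE SRC: destination zone of every forwarding whose src is SRC.
forward_dests() {
    awk -v want="$2" '
        function flush() { if (sect == "forwarding" && src == want && dst != "") print dst }
        $1 == "config" { flush(); sect = $2; src = ""; dst = "" }
        $1 == "option" {
            v = $3; gsub(/'\''/, "", v)
            if ($2 == "src")  src = v
            if ($2 == "dest") dst = v
        }
        END { flush() }
    ' "$1"
}

# unmasqueraded_dests FILE SRC: zones reached from SRC that lack masq '1'.
# Packets forwarded into such a zone keep their LAN source address
# (192.168.111.x in the thread), which the far end has no route back to.
unmasqueraded_dests() {
    for z in $(forward_dests "$1" "$2"); do
        [ "$(zone_option "$1" "$z" masq)" = "1" ] || echo "$z"
    done
}

# fix_commands ZONE: uci commands that give ZONE the wan zone's masq/mtu_fix.
# Assumes ZONE is an anonymous section, so it is located by its name option.
fix_commands() {
    cat <<EOF
idx=\$(uci show firewall | sed -n "s/^firewall\.@zone\[\([0-9]*\)\]\.name='$1'\$/\1/p")
uci set firewall.@zone[\$idx].masq='1'
uci set firewall.@zone[\$idx].mtu_fix='1'
uci commit firewall
/etc/init.d/firewall restart
EOF
}

# On the router: lint_firewall /etc/config/firewall lan
lint_firewall() {
    for z in $(unmasqueraded_dests "$1" "$2"); do
        echo "zone '$z' receives forwarded traffic from '$2' but has no masq:"
        fix_commands "$z"
    done
}

lint_firewall "$(sample_firewall_file)" lan
```

Run against the sample it flags only `VPN_client` (the `wan` zone already masquerades) and prints the four `uci` lines plus the firewall restart; on a real router the same functions take `/etc/config/firewall` as the first argument.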

Thank you very much trendy, it works well.


I have edited this post because, after some checks, the OpenWrt configuration is still not what I want.

Here is a traceroute from my Windows computer with OpenVPN running on my OpenWrt router:

C:\Users\Clément>tracert google.com

Tracing route to google.com [216.58.213.14]
over a maximum of 30 hops:

  1     1 ms    <1 ms    <1 ms  Router.lan [192.168.111.1] # I want this hop not to be visible
  2    28 ms     *       27 ms  192.168.0.57
  3    29 ms    28 ms    29 ms  192.168.0.1
  4    37 ms    35 ms    33 ms  sr15.bllon.isp.sky.com [90.208.114.216]
  5    39 ms    45 ms    36 ms  ip-89-200-131-254.ov.easynet.net [89.200.131.254]
  6    37 ms    36 ms    34 ms  027ff1bb.bb.sky.com [2.127.241.187]
  7     *        *        *     Request timed out.
  8    38 ms    36 ms    36 ms  172.253.66.86
  9    64 ms    35 ms    37 ms  74.125.242.83
 10    40 ms    36 ms    36 ms  216.239.59.77
 11    37 ms    36 ms    37 ms  216.239.58.2
 12    37 ms    36 ms    44 ms  108.170.246.129
 13    37 ms    36 ms    39 ms  172.253.65.209
 14    34 ms    37 ms    36 ms  ber01s14-in-f14.1e100.net [216.58.213.14]

and the same traceroute using OpenVPN GUI directly on my Windows computer, connected to the OpenWrt Wi-Fi, with OpenVPN not running on the router:

C:\Users\Clément>tracert google.com

Tracing route to google.com [216.58.210.46]
over a maximum of 30 hops:

  1     *       28 ms    29 ms  raspberrypi [192.168.0.57]
  2    28 ms    29 ms    29 ms  SkyRouter.Home [192.168.0.1]
  3    35 ms    33 ms    33 ms  sr15.bllon.isp.sky.com [90.208.114.216]
  4    34 ms    33 ms    35 ms  ip-89-200-131-254.ov.easynet.net [89.200.131.254]
  5    33 ms    33 ms    33 ms  74.125.49.150
  6    32 ms    33 ms    32 ms  108.170.246.129
  7    36 ms    32 ms   291 ms  108.170.232.103
  8   594 ms    96 ms   105 ms  lhr25s11-in-f46.1e100.net [216.58.210.46]

I want to have the same traceroute as above.

Could you help me to configure my OpenWRT router in that way?


Then use the OpenVPN GUI directly from your Windows. You cannot bridge two different LANs when there are 2 DHCP servers running, you have 2 gateways to the internet, etc.

I already do this, but this is not what I want to do.
Really? I am surprised there is no solution.

If you are so desperate you could try to bridge tap0 and eth0.1 under the lan interface.
I don't know if it will work well with a static IP/mask already assigned on the interface, so you might need to change the protocol to 'none'. That way you'll lose management from lan, so you need to have some out-of-band connection, e.g. from wan.
You also need to switch off the DHCP server; your hosts will have to acquire their settings from the remote RPi3. This means that all traffic will go out of the RPi3 and also that if the connection is down your whole network will be off.
I don't recommend even thinking of such a solution, I am just telling you that it is possible but useless.