Hello all,
I have followed this tutorial (part: Routing client traffic transparently) to configure the OpenVPN client in tap mode on my OpenWrt router, but the internet connection does not work.
https://oldwiki.archive.openwrt.org/doc/howto/vpn.client.openvpn.tap.
My private OpenVPN in tap mode works well on the client side using OpenVPN GUI on my Windows laptop. My intention is to set up the OpenVPN client directly on my OpenWrt router to connect all devices using 'Routing client traffic transparently' with 'tap'.
May I request some help to find and correct the issue?
My setup is:
- Local router Linksys WRT3200ACM with OpenWrt 18.06.4 (192.168.111.1) connected to the ISP router with an ethernet cable (192.168.1.254)
- Remote ISP router: 192.168.0.1
- Remote Raspberry Pi 3 B+ connected to the ISP router: 192.168.0.57 (OpenVPN server in TAP mode installed)
Openvpn client log
root@Router:~# logread -e openvpn
Thu Nov 21 22:09:34 2019 user.notice openvpn: hometest.conf is disabled in /etc/config/openvpn
Thu Nov 21 22:09:35 2019 daemon.notice openvpn(hometest)[4176]: OpenVPN 2.4.5 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Thu Nov 21 22:09:35 2019 daemon.notice openvpn(hometest)[4176]: library versions: OpenSSL 1.0.2t 10 Sep 2019, LZO 2.10
Thu Nov 21 22:09:35 2019 daemon.notice openvpn(hometest)[4176]: Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Thu Nov 21 22:09:35 2019 daemon.notice openvpn(hometest)[4176]: Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Thu Nov 21 22:09:35 2019 daemon.notice openvpn(hometest)[4176]: Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Thu Nov 21 22:09:35 2019 daemon.notice openvpn(hometest)[4176]: Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Thu Nov 21 22:09:35 2019 daemon.notice openvpn(hometest)[4176]: TCP/UDP: Preserving recently used remote address: [AF_INET]XX.XXX.XXX.XXX:1194
Thu Nov 21 22:09:35 2019 daemon.notice openvpn(hometest)[4176]: Socket Buffers: R=[163840->163840] S=[163840->163840]
Thu Nov 21 22:09:35 2019 daemon.notice openvpn(hometest)[4176]: UDP link local: (not bound)
Thu Nov 21 22:09:35 2019 daemon.notice openvpn(hometest)[4176]: UDP link remote: [AF_INET]XX.XXX.XXX.XXX:1194
Thu Nov 21 22:09:35 2019 daemon.notice openvpn(hometest)[4176]: TLS: Initial packet from [AF_INET]XX.XXX.XXX.XXX:1194, sid=53dc8c74 369b7430
Thu Nov 21 22:09:35 2019 daemon.notice openvpn(hometest)[4176]: VERIFY OK: depth=1, CN=ChangeMe
Thu Nov 21 22:09:35 2019 daemon.notice openvpn(hometest)[4176]: VERIFY KU OK
Thu Nov 21 22:09:35 2019 daemon.notice openvpn(hometest)[4176]: Validating certificate extended key usage
Thu Nov 21 22:09:35 2019 daemon.notice openvpn(hometest)[4176]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Thu Nov 21 22:09:35 2019 daemon.notice openvpn(hometest)[4176]: VERIFY EKU OK
Thu Nov 21 22:09:35 2019 daemon.notice openvpn(hometest)[4176]: VERIFY X509NAME OK: CN=server_XxxxxxxxX
Thu Nov 21 22:09:35 2019 daemon.notice openvpn(hometest)[4176]: VERIFY OK: depth=0, CN=server_XxxxxxxxX
Thu Nov 21 22:09:36 2019 daemon.notice openvpn(hometest)[4176]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-ECDSA-AES256-GCM-SHA384, 256 bit EC, curve: prime256v1
Thu Nov 21 22:09:36 2019 daemon.notice openvpn(hometest)[4176]: [server_XxxxxxxxX] Peer Connection Initiated with [AF_INET]XX.XXX.XXX.XXX:1194
Thu Nov 21 22:09:37 2019 daemon.notice openvpn(hometest)[4176]: SENT CONTROL [server_XxxxxxxxX]: 'PUSH_REQUEST' (status=1)
Thu Nov 21 22:09:37 2019 daemon.notice openvpn(hometest)[4176]: PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,block-outside-dns,redirect-gateway def1,route-gateway 192.168.0.57,ping 1800,ping-restart 3600,ifconfig 192.168.0.128 255.255.255.0,peer-id 1,cipher AES-256-GCM'
Thu Nov 21 22:09:37 2019 daemon.err openvpn(hometest)[4176]: Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:3: block-outside-dns (2.4.5)
Thu Nov 21 22:09:37 2019 daemon.notice openvpn(hometest)[4176]: OPTIONS IMPORT: timers and/or timeouts modified
Thu Nov 21 22:09:37 2019 daemon.notice openvpn(hometest)[4176]: OPTIONS IMPORT: --ifconfig/up options modified
Thu Nov 21 22:09:37 2019 daemon.notice openvpn(hometest)[4176]: OPTIONS IMPORT: route options modified
Thu Nov 21 22:09:37 2019 daemon.notice openvpn(hometest)[4176]: OPTIONS IMPORT: route-related options modified
Thu Nov 21 22:09:37 2019 daemon.notice openvpn(hometest)[4176]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Thu Nov 21 22:09:37 2019 daemon.notice openvpn(hometest)[4176]: OPTIONS IMPORT: peer-id set
Thu Nov 21 22:09:37 2019 daemon.notice openvpn(hometest)[4176]: OPTIONS IMPORT: adjusting link_mtu to 1656
Thu Nov 21 22:09:37 2019 daemon.notice openvpn(hometest)[4176]: OPTIONS IMPORT: data channel crypto options modified
Thu Nov 21 22:09:37 2019 daemon.notice openvpn(hometest)[4176]: Data Channel: using negotiated cipher 'AES-256-GCM'
Thu Nov 21 22:09:37 2019 daemon.notice openvpn(hometest)[4176]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Nov 21 22:09:37 2019 daemon.notice openvpn(hometest)[4176]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Nov 21 22:09:37 2019 daemon.notice openvpn(hometest)[4176]: TUN/TAP device tap0 opened
Thu Nov 21 22:09:37 2019 daemon.notice openvpn(hometest)[4176]: TUN/TAP TX queue length set to 100
Thu Nov 21 22:09:37 2019 daemon.notice openvpn(hometest)[4176]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Thu Nov 21 22:09:37 2019 daemon.notice openvpn(hometest)[4176]: /sbin/ifconfig tap0 192.168.0.128 netmask 255.255.255.0 mtu 1500 broadcast 192.168.0.255
Thu Nov 21 22:09:37 2019 daemon.notice openvpn(hometest)[4176]: /sbin/route add -net XX.XXX.XXX.XXX netmask 255.255.255.255 gw 192.168.1.254
Thu Nov 21 22:09:37 2019 daemon.notice openvpn(hometest)[4176]: /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 192.168.0.57
Thu Nov 21 22:09:37 2019 daemon.notice openvpn(hometest)[4176]: /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 192.168.0.57
Thu Nov 21 22:09:37 2019 daemon.notice openvpn(hometest)[4176]: Initialization Sequence Completed
Openvpn client .conf
client
dev tap
proto udp
remote xxx 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
tls-version-min 1.2
verify-x509-name server_xxx name
cipher AES-256-CBC
auth SHA256
auth-nocache
verb 3
-----BEGIN CERTIFICATE-----
xxxx
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
xxx
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
xxx
-----END PRIVATE KEY-----
2048 bit OpenVPN static key
-----BEGIN OpenVPN Static key V1-----
xxx
-----END OpenVPN Static key V1-----
#user nobody
#group nogroup
#dev tun
Network config
root@Router:~# cat /etc/config/network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fda8:d320:6af4::/48'
config interface 'lan'
option type 'bridge'
option ifname 'eth0.1'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '192.168.111.1'
config interface 'wan'
option ifname 'eth1.2'
option proto 'dhcp'
option peerdns '0'
option dns '8.8.8.8 8.8.4.4'
config interface 'wan6'
option ifname 'eth1.2'
option proto 'dhcpv6'
option peerdns '0'
option dns '2001:4860:4860::8888 2001:4860:4860::8844'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '0 1 2 3 5t'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '4 6t'
config interface 'VPN_client'
option proto 'none'
option ifname 'tap0'
Firewall config
root@Router:~# cat /etc/config/firewall
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone 'lan'
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone 'wan'
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list device 'tun0'
config forwarding 'lan_wan'
option src 'lan'
option dest 'wan'
config zone
option name 'VPN_client'
option input 'ACCEPT'
option forward 'REJECT'
option output 'ACCEPT'
option network 'VPN_client'
config forwarding
option dest 'lan'
option src 'VPN_client'
config forwarding
option dest 'VPN_client'
option src 'lan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
ifconfig
root@Router:~# ifconfig
br-lan Link encap:Ethernet HWaddr 26:F5:A2:C4:2F:B0
inet addr:192.168.111.1 Bcast:192.168.111.255 Mask:255.255.255.0
inet6 addr: fe80::24f5:a2ff:fec4:2fb0/64 Scope:Link
inet6 addr: fda8:d320:6af4::1/60 Scope:Global
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:286831 errors:0 dropped:0 overruns:0 frame:0
TX packets:347001 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:34443093 (32.8 MiB) TX bytes:403574263 (384.8 MiB)
eth0 Link encap:Ethernet HWaddr 26:F5:A2:C4:2F:B0
inet6 addr: fe80::24f5:a2ff:fec4:2fb0/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:350 errors:0 dropped:0 overruns:0 frame:0
TX packets:1265 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:532
RX bytes:31160 (30.4 KiB) TX bytes:143542 (140.1 KiB)
Interrupt:37
eth0.1 Link encap:Ethernet HWaddr 26:F5:A2:C4:2F:B0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:596 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:72300 (70.6 KiB)
eth1 Link encap:Ethernet HWaddr 24:F5:A2:C4:2F:B0
inet6 addr: fe80::26f5:a2ff:fec4:2fb0/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:432381 errors:0 dropped:0 overruns:0 frame:0
TX packets:306841 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:532
RX bytes:470006504 (448.2 MiB) TX bytes:44078773 (42.0 MiB)
Interrupt:36
eth1.2 Link encap:Ethernet HWaddr 24:F5:A2:C4:2F:B0
inet addr:192.168.1.49 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::26f5:a2ff:fec4:2fb0/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:338769 errors:0 dropped:0 overruns:0 frame:0
TX packets:277796 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:395006360 (376.7 MiB) TX bytes:37751263 (36.0 MiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:13444 errors:0 dropped:0 overruns:0 frame:0
TX packets:13444 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1305129 (1.2 MiB) TX bytes:1305129 (1.2 MiB)
tap0 Link encap:Ethernet HWaddr FE:C6:E3:92:F6:4E
inet addr:192.168.0.128 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::fcc6:e3ff:fe92:f64e/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:4 errors:0 dropped:0 overruns:0 frame:0
TX packets:28 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:284 (284.0 B) TX bytes:1971 (1.9 KiB)
wlan0 Link encap:Ethernet HWaddr 24:F5:A2:C4:2F:B2
inet6 addr: fe80::26f5:a2ff:fec4:2fb2/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:286830 errors:0 dropped:0 overruns:0 frame:0
TX packets:381696 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:38458707 (36.6 MiB) TX bytes:413111943 (393.9 MiB)
wlan1 Link encap:Ethernet HWaddr 24:F5:A2:C4:2F:B1
inet6 addr: fe80::26f5:a2ff:fec4:2fb1/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:592 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:82148 (80.2 KiB)
Ping remote raspberry
root@Router:~# ping 192.168.0.57
PING 192.168.0.57 (192.168.0.57): 56 data bytes
64 bytes from 192.168.0.57: seq=0 ttl=64 time=29.213 ms
64 bytes from 192.168.0.57: seq=1 ttl=64 time=29.215 ms
64 bytes from 192.168.0.57: seq=2 ttl=64 time=28.966 ms
64 bytes from 192.168.0.57: seq=3 ttl=64 time=28.445 ms
64 bytes from 192.168.0.57: seq=4 ttl=64 time=29.095 ms
64 bytes from 192.168.0.57: seq=5 ttl=64 time=28.544 ms
^C
--- 192.168.0.57 ping statistics ---
7 packets transmitted, 6 packets received, 14% packet loss
round-trip min/avg/max = 28.445/28.913/29.215 ms
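As an added diagnostic (my own example, not code from the post or from OpenWrt): a small parser for the UCI format shown above that flags the two mismatches a reviewer would check first, a zone device that matches no configured interface (the wan zone above lists `tun0` while the VPN interface is `tap0`) and a forwarding into a zone that does not masquerade, so LAN source addresses leave unchanged and the far side must know how to route them back. The sample excerpts are constructed from the post's files, not the full files.

```python
import re
import shlex

UCI_LINE = re.compile(r"^\s*(config|option|list)\s+(\S+)\s*(.*)$")

# Constructed excerpts in the shape of the post's /etc/config files (not the full files).
SAMPLE_NETWORK = """config interface 'lan'
option ifname 'eth0.1'
config interface 'wan'
option ifname 'eth1.2'
config interface 'VPN_client'
option ifname 'tap0'"""
SAMPLE_FIREWALL = """config zone 'wan'
option name 'wan'
option masq '1'
list device 'tun0'
config zone
option name 'VPN_client'
option network 'VPN_client'
config forwarding
option src 'lan'
option dest 'VPN_client'"""


def parse_uci(text):
    """Parse UCI text into sections: {'type', 'name', 'options', 'lists'}."""
    sections = []
    for line in text.splitlines():
        m = UCI_LINE.match(line)
        if not m:
            continue  # blank lines and comments
        kind, key, rest = m.groups()
        value = shlex.split(rest)[0] if rest.strip() else ""  # strips the UCI quotes
        if kind == "config":
            sections.append({"type": key, "name": value, "options": {}, "lists": {}})
        elif kind == "option":
            sections[-1]["options"][key] = value
        else:
            sections[-1]["lists"].setdefault(key, []).append(value)
    return sections


def check_configs(network_text, firewall_text):
    """Return findings: zone devices matching no interface, forwardings into a zone without masq."""
    net, fw = parse_uci(network_text), parse_uci(firewall_text)
    ifnames = {s["options"].get("ifname") for s in net if s["type"] == "interface"}
    zones = {z["options"].get("name"): z for z in fw if z["type"] == "zone"}
    findings = []
    for name, z in zones.items():
        for dev in z["lists"].get("device", []):
            if dev not in ifnames:
                findings.append(f"zone '{name}' lists device '{dev}' but no interface uses it")
    for f in (s for s in fw if s["type"] == "forwarding"):
        src, dest = f["options"].get("src"), f["options"].get("dest")
        if dest in zones and zones[dest]["options"].get("masq") != "1":
            findings.append(f"forwarding {src}->{dest}: zone '{dest}' does not masquerade, "
                            f"so {src} source addresses leave unchanged")
    return findings


if __name__ == "__main__":
    for finding in check_configs(SAMPLE_NETWORK, SAMPLE_FIREWALL):
        print(finding)
```

Run it against the real files with `check_configs(open('/etc/config/network').read(), open('/etc/config/firewall').read())`; a finding is a hint to verify, not proof of the fault.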