Hi everyone,
I configured an OpenVPN server using this guide:
The connection works, but the client won't browse or even ping 192.168.8.1 (the server), while from the server I can ping 192.16.8.2 (the client).
Here are my configurations:
cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fdd8:ac67:135f::/48'
option packet_steering '2'
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
list ports 'lan5'
config interface 'lan'
option device 'br-lan.10'
option proto 'static'
option ipaddr '192.168.10.254'
option netmask '255.255.255.0'
option ip6assign '60'
list dns '192.168.10.254'
list dns_search 'linux.pg'
option ipv6 '0'
config interface 'wan'
option device 'eth1.835'
option proto 'pppoe'
option username 'aliceadsl'
option password 'aliceadsl'
option ipv6 '0'
config device
option type '8021q'
option ifname 'eth1'
option vid '835'
option name 'eth1.835'
config bridge-vlan
option device 'br-lan'
option vlan '10'
list ports 'lan1:u*'
list ports 'lan2'
list ports 'lan3:t'
config bridge-vlan
option device 'br-lan'
option vlan '11'
list ports 'lan3:t'
list ports 'lan4:u*'
list ports 'lan5'
config interface 'iot'
option proto 'static'
option device 'br-lan.11'
option ipaddr '192.168.11.254'
option netmask '255.255.255.0'
list dns '192.168.11.254'
list dns_search 'linux.pg'
option ipv6 '0'
config interface 'guest'
option proto 'static'
option device 'br-lan.9'
option ipaddr '192.168.9.254'
option netmask '255.255.255.0'
list dns '192.168.9.254'
list dns_search 'linux.pg'
option ipv6 '0'
config bridge-vlan
option device 'br-lan'
option vlan '9'
list ports 'lan3:t'
config device
option type 'bridge'
option name 'recovery'
option bridge_empty '1'
config interface 'recovery'
option proto 'static'
option device 'recovery'
option ipaddr '192.168.2.254'
option netmask '255.255.255.0'
option ipv6 '0'
config interface 'wg0'
option proto 'wireguard'
option private_key 'xxxx+6T5kyJiSyb1zWRFLfhVM='
option listen_port '51820'
option ipv6 '0'
list addresses '10.0.0.1/32'
config wireguard_wg0
option description 'Cell'
option public_key 'xxx='
option private_key 'xxxx+5KJ6HUt9DCGUHIW5V0='
option persistent_keepalive '25'
list allowed_ips '10.0.0.2/32'
option route_allowed_ips '1'
config wireguard_wg0
option description 'Raspberry '
option public_key 'eggmSsPYfhQCUGTzR7uW8='
option private_key 'xxxx='
option persistent_keepalive '25'
list allowed_ips '10.0.0.3/32'
option route_allowed_ips '1'
config interface 'ont'
option proto 'static'
option device 'eth1'
option ipaddr '192.168.1.2'
option netmask '255.255.255.0'
option ipv6 '0'
config interface 'dlna_relay'
option proto 'relay'
option ipaddr '0.0.0.0'
list network 'iot'
list network 'lan'
list network 'tun0'
config wireguard_wg0
option public_key 'xxxx='
option private_key 'xxxx/dWRqFzWeqrN52E='
list allowed_ips '10.0.0.4/32'
option description 'Mi Box'
config interface 'tun0'
option proto 'none'
cat /etc/config/firewall
config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
option flow_offloading '1'
option flow_offloading_hw '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
list network 'wg0'
config zone
option name 'OpenVPN'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'tun0'
option masq '1'
option mtu_fix '1'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'ont'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
option enabled '0'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
option enabled '0'
config zone
option name 'iot'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'iot'
config forwarding
option src 'iot'
option dest 'wan'
config forwarding
option src 'lan'
option dest 'iot'
config zone
option name 'guest'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'guest'
config forwarding
option src 'guest'
option dest 'wan'
config zone
option name 'recovery'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'recovery'
config rule
option src 'wan'
option name 'Allow WireGuard'
option dest_port '51820'
option target 'ACCEPT'
option family 'ipv4'
list proto 'udp'
option log '1'
config zone
option name 'wg'
option input 'REJECT'
option output 'ACCEPT'
option forward 'ACCEPT'
option masq '1'
option mtu_fix '1'
list network 'wg0'
config forwarding
option src 'wg'
option dest 'lan'
config forwarding
option src 'wg'
option dest 'wan'
config forwarding
option src 'lan'
option dest 'wg'
config forwarding
option src 'OpenVPN'
option dest 'wan'
config forwarding
option src 'OpenVPN'
option dest 'lan'
config forwarding
option src 'lan'
option dest 'OpenVPN'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'GL-Home Assistant'
option family 'ipv4'
list proto 'udp'
option src 'wan'
option src_dport '8123'
option dest_ip '192.168.10.2'
option dest_port '8123'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'GL-DSFile'
option family 'ipv4'
list proto 'tcp'
option src 'wan'
option src_dport '5001'
option dest_ip '192.168.10.2'
option dest_port '5001'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'GL-Torrent'
option family 'ipv4'
list proto 'tcp'
option src 'wan'
option src_dport '33160'
option dest_ip '192.168.10.2'
option dest_port '33160'
config rule
option src 'wan'
option name 'Allow OpenVPN'
list proto 'udp'
option dest_port '1194'
option target 'ACCEPT'
option family 'ipv4'
config rule
option src 'guest'
option dest 'lan'
option name 'Block guest to LAN'
option target 'DROP'
config rule
option src 'iot'
option dest 'lan'
option name 'Allow-SSDP-LAN11-to-LAN10'
list proto 'udp'
option dest_port '1900'
option target 'ACCEPT'
list dest_ip '192.168.10.2'
option family 'ipv4'
config rule
option src 'OpenVPN'
option dest 'lan'
option name 'Allow-SSDP-OpenVPN-to-LAN10'
list proto 'udp'
option dest_port '1900'
option target 'ACCEPT'
list dest_ip '192.168.10.2'
option family 'ipv4'
config rule
option src 'iot'
option dest 'lan'
option name 'Allow-IoT-To-Synology'
list proto 'tcp'
option dest_port '50001 50002'
option target 'ACCEPT'
list dest_ip '192.168.10.2'
option family 'ipv4'
config rule
option src 'OpenVPN'
option dest 'lan'
option name 'Allow-OpenVpn-To-Synology'
list proto 'tcp'
option dest_port '50001 50002'
option target 'ACCEPT'
list dest_ip '192.168.10.2'
option family 'ipv4'
config rule
option src 'iot'
option dest 'lan'
option name 'Block iot to LAN'
option target 'DROP'
option proto 'all'
option log '1'
option limit '5/second'
config rule
option name 'Allow guest DNS'
option src 'guest'
option dest_port '53'
option proto 'tcp udp'
option target 'ACCEPT'
config rule
option name 'Allow guest DHCP'
option src 'guest'
option proto 'udp'
option src_port '68'
option dest_port '67'
option target 'ACCEPT'
config rule
option name 'Block all guest to router'
option src 'guest'
option proto 'all'
option target 'DROP'
config rule
option name 'Allow IoT DNS'
option src 'iot'
option dest_port '53'
option proto 'tcp udp'
option target 'ACCEPT'
config rule
option name 'Allow IoT DHCP'
option src 'iot'
option proto 'udp'
option src_port '68'
option dest_port '67'
option target 'ACCEPT'
config rule
option src 'iot'
option name 'Allow IoT to Mail'
list proto 'tcp'
option dest_port '25'
option target 'ACCEPT'
config rule
option name 'Block all IoT to router'
option src 'iot'
option proto 'all'
option target 'DROP'
user nobody
group nogroup
dev tun
port 1194
proto udp
server 192.168.8.0 255.255.255.0
topology subnet
client-to-client
keepalive 10 60
persist-tun
persist-key
#push "dhcp-option DNS 192.168.8.1"
push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DOMAIN linux.pg"
push "route 192.168.8.0 255.255.255.0"
push "redirect-gateway def1"
push "persist-tun"
push "persist-key"
#verb 11
<dh>
-----BEGIN DH PARAMETERS-----
user nobody
group nogroup
dev tun
nobind
client
remote xx.xx.xx.xx 1194 udp
auth-nocache
remote-cert-tls server
<tls-crypt-v2>
-----BEGIN OpenVPN tls-crypt-v2 client key-----
Can you help me?
Thanks