Hi WRT-Experts,
I have had a Linksys WRT3200 running OpenWRT 18.06.2 since February.
My biggest/first (:-D) problem, which I can't solve - I have spent a lot of time on it but I think I'm too stupid ...
OpenVPN ...
VPN Client = Protonvpn - works!
VPN Server = OpenVPN for my phones / this only works if the VPN client is disabled!
So what did I do wrong that I can't connect to my private network over the mobile VPN ...
I attached:
- VPN log / server config / client config
- firewall
- network
short VPN Log
Sun Jun 2 10:55:13 2019 OpenVPN 2.4.5 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Sun Jun 2 10:55:13 2019 library versions: OpenSSL 1.0.2r 26 Feb 2019, LZO 2.10
Sun Jun 2 10:55:13 2019 Diffie-Hellman initialized with 4096 bit key
Sun Jun 2 10:55:13 2019 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Sun Jun 2 10:55:13 2019 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Sun Jun 2 10:55:13 2019 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Sun Jun 2 10:55:13 2019 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Sun Jun 2 10:55:13 2019 TUN/TAP device tun0 opened
Sun Jun 2 10:55:13 2019 TUN/TAP TX queue length set to 100
Sun Jun 2 10:55:13 2019 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Sun Jun 2 10:55:13 2019 /sbin/ifconfig tun0 192.168.8.1 netmask 255.255.255.0 mtu 1500 broadcast 192.168.8.255
Sun Jun 2 10:55:13 2019 Socket Buffers: R=[163840->163840] S=[163840->163840]
Sun Jun 2 10:55:13 2019 UDPv4 link local (bound): [AF_INET][undef]:1194
Sun Jun 2 10:55:13 2019 UDPv4 link remote: [AF_UNSPEC]
Sun Jun 2 10:55:13 2019 GID set to nogroup
Sun Jun 2 10:55:13 2019 UID set to nobody
Sun Jun 2 10:55:13 2019 MULTI: multi_init called, r=256 v=256
Sun Jun 2 10:55:13 2019 IFCONFIG POOL: base=192.168.8.2 size=252, ipv6=0
Sun Jun 2 10:55:13 2019 Initialization Sequence Completed
Sun Jun 2 10:55:19 2019 80.XXXXXXXX:14689 TLS: Initial packet from [AF_INET]80.XXXXXXXX:14689, sid=9ba1f2c4 331a0504
Sun Jun 2 10:55:20 2019 80.XXXXXXXX:14689 tls-crypt unwrap error: bad packet ID (may be a replay): [ #1 / time = (1559465724) Sun Jun 2 10:55:24 2019 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Sun Jun 2 10:55:20 2019 80.XXXXXXXX:14689 tls-crypt unwrap error: packet replay
Sun Jun 2 10:55:20 2019 80.XXXXXXXX:14689 TLS Error: tls-crypt unwrapping failed from [AF_INET]80.XXXXXXXX:14689
Sun Jun 2 10:55:21 2019 80.XXXXXXXX:14689 tls-crypt unwrap error: bad packet ID (may be a replay): [ #1 / time = (1559465724) Sun Jun 2 10:55:24 2019 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Sun Jun 2 10:55:21 2019 80.XXXXXXXX:14689 tls-crypt unwrap error: packet replay
Sun Jun 2 10:55:21 2019 80.XXXXXXXX:14689 TLS Error: tls-crypt unwrapping failed from [AF_INET]80.XXXXXXXX:14689
Sun Jun 2 10:55:22 2019 80.XXXXXXXX:14689 tls-crypt unwrap error: bad packet ID (may be a replay): [ #1 / time = (1559465724) Sun Jun 2 10:55:24 2019 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Sun Jun 2 10:55:22 2019 80.XXXXXXXX:14689 tls-crypt unwrap error: packet replay
Sun Jun 2 10:55:22 2019 80.XXXXXXXX:14689 TLS Error: tls-crypt unwrapping failed from [AF_INET]80.XXXXXXXX:14689
Sun Jun 2 10:55:23 2019 80.XXXXXXXX:14689 tls-crypt unwrap error: bad packet ID (may be a replay): [ #1 / time = (1559465724) Sun Jun 2 10:55:24 2019 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Sun Jun 2 10:55:23 2019 80.XXXXXXXX:14689 tls-crypt unwrap error: packet replay
Sun Jun 2 10:55:23 2019 80.XXXXXXXX:14689 TLS Error: tls-crypt unwrapping failed from [AF_INET]80.187.99.1:14689
VPN Server
# OpenVPN server instance on the router (the openvpn UCI file references
# /etc/openvpn/WRTvpn.conf for instance 'WRTvpn' — presumably this file; confirm).
verb 3
log '/etc/openvpn/openvpn.log'
# Privilege drop after start-up (the log confirms "UID set to nobody" /
# "GID set to nogroup"); persist-tun / persist-key below are what allow a
# restart to work once root is gone.
user nobody
group nogroup
# tun0 is the interface the 'vpn' network and the vpn_WRT firewall zone are bound to.
dev tun0
port 1194
# UDP over IPv4 only. The Allow-OpenVPN firewall rule also opens TCP 1194,
# which nothing listens on here.
proto udp4
# Data-channel HMAC digest. No 'cipher' line is set: 2.4 clients negotiate the
# data cipher (NCP), older clients fall back to OpenVPN's built-in default.
# NOTE(review): consider pinning 'cipher' explicitly — confirm which client
# versions connect.
auth SHA512
# Address pool 192.168.8.2-.253 on a /24 (log: IFCONFIG POOL base=192.168.8.2
# size=252); the server itself takes 192.168.8.1 (log: ifconfig tun0 line).
server 192.168.8.0 255.255.255.0
topology subnet
# Per the OpenVPN manual, client-to-client routes traffic between connected
# clients inside OpenVPN, i.e. it does not pass through the OpenWrt firewall.
client-to-client
keepalive 60 120
persist-tun
persist-key
# Pushed to the phones: the same resolver the wan interface uses, the 'lan'
# search domain, and a full-tunnel default route (all phone traffic enters tun0,
# so reaching the private network depends on the vpn_WRT zone's forwarding rules).
push "dhcp-option DNS 176.9.62.58"
push "dhcp-option DOMAIN lan"
push "redirect-gateway def1"
push "persist-tun"
push "persist-key"
# Inline key material (contents stripped from the post).
<dh>
-----BEGIN DH PARAMETERS-----
-----END DH PARAMETERS-----
</dh>
# tls-crypt: control-channel packets are encrypted and authenticated with this
# static key, so packets that fail the check are dropped before the TLS handshake
# (the log's "tls-crypt unwrap error" lines come from this layer; the control
# channel HMAC is SHA256 per the log, independent of 'auth' above).
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-crypt>
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
# The server's private key lives inline in this file: keep the file readable
# by root only.
<key>
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
</key>
VPN config / client
# OpenWrt UCI instances for /etc/init.d/openvpn.
# Server instance: all settings come from the external file referenced here
# (presumably the "VPN Server" listing in this post — confirm).
config openvpn 'WRTvpn'
option config '/etc/openvpn/WRTvpn.conf'
option enabled '1'
# ProtonVPN client #1 (CZ, UDP 1194, tun2). NOTE(review): unlike the other two
# instances this one has no 'option enabled' line, so whether it starts depends
# on the init script's default — confirm; two concurrent full-tunnel clients
# would each try to install a default route.
config openvpn 'protonvpnCZ'
# Credentials stored in plain text on flash: keep the file root-readable only.
option auth_user_pass '/etc/openvpn/Proton/userpass_protonvpn.txt'
option client '1'
option resolv_retry 'infinite'
option nobind '1'
option cipher 'AES-256-CBC'
option auth 'SHA512'
option comp_lzo 'no'
option verb '3'
option tun_mtu '1500'
option tun_mtu_extra '32'
option ping '15'
option ping_restart '0'
option ping_timer_rem '1'
# reneg_sec 0 disables this side's timed key renegotiation; the peer may still
# trigger one.
option reneg_sec '0'
# pull without route-nopull: routes and any redirect-gateway pushed by the
# provider are installed as-is. NOTE(review): if that replaces the router's
# default route, replies from the local OpenVPN server to a phone's public
# address leave through this tunnel instead of wan, the phone never sees them
# and keeps resending its first handshake packet — which would match the
# repeated "packet #1 / replay" lines in the log and the "only works when the
# client is disabled" symptom. Check `ip route` while the client is up; policy
# routing (or route-nopull plus explicit routes) keeps server replies on wan.
option pull '1'
option fast_io '1'
option ca '/etc/openvpn/Proton/ca_protonvpn.crt'
# Control-channel HMAC key (tls-auth, key direction 1) plus a check that the
# peer certificate is a server certificate — both are the intended defences
# against unauthenticated packets and impersonation.
option tls_auth '/etc/openvpn/Proton/tlsauth_protonvpn.key'
option remote_cert_tls 'server'
option remote_random '1'
# tun2 is network 'vpnclient2' / firewall zone vpn_PRO_CZ.
option dev 'tun2'
option mssfix '1450'
option persist_key '1'
option persist_tun '1'
option key_direction '1'
list remote 'cz.protonvpn.com'
option port '1194'
option proto 'udp'
# ProtonVPN client #2 (CH, TCP 443, tun1) — the instance that is enabled.
# Same options as above apart from transport and interface.
config openvpn 'protonvpnCH'
option auth_user_pass '/etc/openvpn/Proton/userpass_protonvpn.txt'
option client '1'
option resolv_retry 'infinite'
option nobind '1'
option cipher 'AES-256-CBC'
option auth 'SHA512'
option comp_lzo 'no'
option verb '3'
option tun_mtu '1500'
option tun_mtu_extra '32'
option ping '15'
option ping_restart '0'
option ping_timer_rem '1'
option reneg_sec '0'
# Same pull / default-route caveat as the CZ instance above.
option pull '1'
option fast_io '1'
option ca '/etc/openvpn/Proton/ca_protonvpn.crt'
option tls_auth '/etc/openvpn/Proton/tlsauth_protonvpn.key'
option remote_cert_tls 'server'
option remote_random '1'
# tun1 is network 'VPNClient' / firewall zone vpn_PRO_CH, the zone lan and
# WRTg are forwarded into.
option dev 'tun1'
option mssfix '1450'
option persist_key '1'
option persist_tun '1'
option key_direction '1'
list remote 'ch.protonvpn.com'
option enabled '1'
option proto 'tcp-client'
option port '443'
Firewall:
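# OpenWrt firewall (UCI). Zones: lan, wan, vpn_WRT (OpenVPN server, tun0),
# WRTg (second local net), vpn_PRO_CH (ProtonVPN client, tun1), vpn_PRO_CZ
# (ProtonVPN client, tun2). /etc/firewall.user is included below but not shown
# in the post, so any rules it adds are not reviewed here.
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan'
# wan: input REJECT, so only the explicit Allow-* rules below reach the router
# from outside. Note there is no lan->wan forwarding anywhere in this file.
config zone
option name 'wan'
option output 'ACCEPT'
option forward 'REJECT'
option network 'wan wan6'
option masq '1'
option mtu_fix '1'
option input 'REJECT'
# Stock OpenWrt wan rules (DHCP renew, ping, IGMP, DHCPv6, MLD, ICMPv6,
# IPsec ESP/ISAKMP) — unchanged from the defaults.
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
# Inbound port for the local OpenVPN server. The server listens on udp4 only
# ('proto udp4' in its config), so the tcp half of this rule opens a port that
# nothing answers on; it can be narrowed to 'udp' unless a TCP listener is planned.
config rule 'vpn'
option name 'Allow-OpenVPN'
option src 'wan'
option dest_port '1194'
option target 'ACCEPT'
option family 'ipv4'
option proto 'tcp udp'
# Zone for the connected phones (network 'vpn' = tun0). input and forward are
# REJECT, so everything they may do must be listed explicitly: DNS/DHCP to the
# router (VPN-DNS / VPN-DHCP rules), forwarding to wan, and forwarding to lan
# (the stanza added at the end of this file).
config zone
option output 'ACCEPT'
option forward 'REJECT'
option network 'vpn'
option input 'REJECT'
option name 'vpn_WRT'
config zone
option name 'WRTg'
option output 'ACCEPT'
option forward 'REJECT'
option input 'REJECT'
option network 'WRTg'
# The server pushes DNS 176.9.62.58 to the phones, so this rule only matters if
# a client is told to resolve via 192.168.8.1 instead. VPN-DHCP appears unused:
# OpenVPN hands out the tun0 addresses itself (log: IFCONFIG POOL), so the rule
# is harmless but dead.
config rule
option target 'ACCEPT'
option proto 'tcp udp'
option dest_port '53'
option name 'VPN-DNS'
option src 'vpn_WRT'
config rule
option target 'ACCEPT'
option proto 'tcp udp'
option dest_port '67-68'
option name 'VPN-DHCP'
option src 'vpn_WRT'
config rule
option target 'ACCEPT'
option proto 'tcp udp'
option dest_port '53'
option name 'WRTg-DNS'
option src 'WRTg'
config rule
option enabled '1'
option target 'ACCEPT'
option proto 'tcp udp'
option dest_port '67-68'
option name 'WRTg-DHCP'
option src 'WRTg'
# ProtonVPN (CH) tunnel, masqueraded. lan and WRTg are forwarded into this zone
# and nowhere else — with no lan->wan forwarding they have no internet path while
# this client is down, which acts as a kill switch.
config zone
option forward 'REJECT'
option output 'ACCEPT'
option input 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'VPNClient'
option name 'vpn_PRO_CH'
config forwarding
option src 'WRTg'
option dest 'vpn_PRO_CH'
# ProtonVPN (CZ) tunnel: nothing is forwarded into it, so it is unused unless
# a forwarding is added when that instance is enabled.
config zone
option forward 'REJECT'
option output 'ACCEPT'
option input 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'vpnclient2'
option name 'vpn_PRO_CZ'
config forwarding
option src 'lan'
option dest 'vpn_PRO_CH'
# The phones' full-tunnel traffic leaves via the plain wan (masqueraded there),
# not via ProtonVPN. NOTE(review): this only holds while wan is still the
# router's default route; a default route installed by the ProtonVPN client
# would carry these packets (and the server's handshake replies) into tun1
# instead — confirm with `ip route` while the client is up.
config forwarding
option dest 'wan'
option src 'vpn_WRT'
# Added: lets the phones reach the private network (192.168.1.0/24). Without
# it the vpn_WRT zone's forward REJECT drops every phone -> lan packet, which
# is the "can't connect to my private network" symptom described in the post.
config forwarding
option src 'vpn_WRT'
option dest 'lan'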
Network
# OpenWrt network (UCI).
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fdf1:534c:5d15::/48'
# Private network the phones are supposed to reach: 192.168.1.0/24 on the
# VLAN 1 bridge (ports 0-3, CPU port 5 tagged).
config interface 'lan'
option type 'bridge'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
option delegate '0'
option ifname 'eth0.1'
# wan is a static address behind another router (gateway 192.168.2.1), i.e.
# double NAT: UDP 1194 has to be forwarded from that device to 192.168.2.150.
# The log shows the phone's initial packet arriving, so that part appears to be
# in place; whether the server's replies return the same way is a routing
# question (see the OpenVPN client instances).
config interface 'wan'
option ifname 'eth1.2'
option proto 'static'
option ipaddr '192.168.2.150'
option netmask '255.255.255.0'
option gateway '192.168.2.1'
option delegate '0'
# Same resolver the OpenVPN server pushes to its clients.
option dns '176.9.62.58 176.9.62.62'
config interface 'wan6'
option ifname 'eth1.2'
option proto 'dhcpv6'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '0 1 2 3 5t'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '4 6t'
# No ifname here — presumably attached from the wireless config (not shown); confirm.
config interface 'WRTg'
option proto 'static'
option ipaddr '192.168.3.1'
option netmask '255.255.255.0'
# OpenVPN server interface. NOTE(review): OpenVPN already assigns 192.168.8.1
# to tun0 itself (log: "/sbin/ifconfig tun0 192.168.8.1"), so netifd and
# OpenVPN both configure this interface; the two client tun interfaces below
# use proto 'none' and leave it to OpenVPN. Harmless as long as both agree,
# but 'none' here would remove the duplication — confirm before changing.
config interface 'vpn'
option ifname 'tun0'
option proto 'static'
option ipaddr '192.168.8.1'
option netmask '255.255.255.0'
# ProtonVPN CH client (zone vpn_PRO_CH); address is set by OpenVPN.
config interface 'VPNClient'
option proto 'none'
option ifname 'tun1'
# ProtonVPN CZ client (zone vpn_PRO_CZ); address is set by OpenVPN.
config interface 'vpnclient2'
option proto 'none'
option ifname 'tun2'