OpenVPN / Client / Server

Hi WRT-Experts,

I have had a Linksys WRT3200 with OpenWrt 18.06.2 since February.

My biggest/first (:-D) problem, which I can't solve: I have spent a lot of time on it, but I think I'm too stupid ...

OpenVPN ...

VPN Client = Protonvpn - works!
VPN Server = OpenVPN for my phones / this only works if the VPN client is disabled!

So what did I do wrong, that I can't connect to my private network via mobile VPN ...

I attached:

  • vpn log / server / config + client
  • firewall
  • network

Short VPN log

Sun Jun  2 10:55:13 2019 OpenVPN 2.4.5 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Sun Jun  2 10:55:13 2019 library versions: OpenSSL 1.0.2r  26 Feb 2019, LZO 2.10
Sun Jun  2 10:55:13 2019 Diffie-Hellman initialized with 4096 bit key
Sun Jun  2 10:55:13 2019 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Sun Jun  2 10:55:13 2019 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Sun Jun  2 10:55:13 2019 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Sun Jun  2 10:55:13 2019 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Sun Jun  2 10:55:13 2019 TUN/TAP device tun0 opened
Sun Jun  2 10:55:13 2019 TUN/TAP TX queue length set to 100
Sun Jun  2 10:55:13 2019 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Sun Jun  2 10:55:13 2019 /sbin/ifconfig tun0 192.168.8.1 netmask 255.255.255.0 mtu 1500 broadcast 192.168.8.255
Sun Jun  2 10:55:13 2019 Socket Buffers: R=[163840->163840] S=[163840->163840]
Sun Jun  2 10:55:13 2019 UDPv4 link local (bound): [AF_INET][undef]:1194
Sun Jun  2 10:55:13 2019 UDPv4 link remote: [AF_UNSPEC]
Sun Jun  2 10:55:13 2019 GID set to nogroup
Sun Jun  2 10:55:13 2019 UID set to nobody
Sun Jun  2 10:55:13 2019 MULTI: multi_init called, r=256 v=256
Sun Jun  2 10:55:13 2019 IFCONFIG POOL: base=192.168.8.2 size=252, ipv6=0
Sun Jun  2 10:55:13 2019 Initialization Sequence Completed
Sun Jun  2 10:55:19 2019 80.XXXXXXXX:14689 TLS: Initial packet from [AF_INET]80.XXXXXXXX:14689, sid=9ba1f2c4 331a0504
Sun Jun  2 10:55:20 2019 80.XXXXXXXX:14689 tls-crypt unwrap error: bad packet ID (may be a replay): [ #1 / time = (1559465724) Sun Jun  2 10:55:24 2019 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Sun Jun  2 10:55:20 2019 80.XXXXXXXX:14689 tls-crypt unwrap error: packet replay
Sun Jun  2 10:55:20 2019 80.XXXXXXXX:14689 TLS Error: tls-crypt unwrapping failed from [AF_INET]80.XXXXXXXX:14689
Sun Jun  2 10:55:21 2019 80.XXXXXXXX:14689 tls-crypt unwrap error: bad packet ID (may be a replay): [ #1 / time = (1559465724) Sun Jun  2 10:55:24 2019 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Sun Jun  2 10:55:21 2019 80.XXXXXXXX:14689 tls-crypt unwrap error: packet replay
Sun Jun  2 10:55:21 2019 80.XXXXXXXX:14689 TLS Error: tls-crypt unwrapping failed from [AF_INET]80.XXXXXXXX:14689
Sun Jun  2 10:55:22 2019 80.XXXXXXXX:14689 tls-crypt unwrap error: bad packet ID (may be a replay): [ #1 / time = (1559465724) Sun Jun  2 10:55:24 2019 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Sun Jun  2 10:55:22 2019 80.XXXXXXXX:14689 tls-crypt unwrap error: packet replay
Sun Jun  2 10:55:22 2019 80.XXXXXXXX:14689 TLS Error: tls-crypt unwrapping failed from [AF_INET]80.XXXXXXXX:14689
Sun Jun  2 10:55:23 2019 80.XXXXXXXX:14689 tls-crypt unwrap error: bad packet ID (may be a replay): [ #1 / time = (1559465724) Sun Jun  2 10:55:24 2019 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Sun Jun  2 10:55:23 2019 80.XXXXXXXX:14689 tls-crypt unwrap error: packet replay
Sun Jun  2 10:55:23 2019 80.XXXXXXXX:14689 TLS Error: tls-crypt unwrapping failed from [AF_INET]80.187.99.1:14689

VPN Server

verb 3
log '/etc/openvpn/openvpn.log'
user nobody
group nogroup
dev tun0
port 1194
proto udp4
auth SHA512
server 192.168.8.0 255.255.255.0
topology subnet
client-to-client
keepalive 60 120
persist-tun
persist-key
push "dhcp-option DNS 176.9.62.58"
push "dhcp-option DOMAIN lan"
push "redirect-gateway def1"
push "persist-tun"
push "persist-key"
<dh>
-----BEGIN DH PARAMETERS-----

-----END DH PARAMETERS-----
</dh>
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----

-----END OpenVPN Static key V1-----
</tls-crypt>
<ca>
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----

-----END PRIVATE KEY-----
</key>

VPN config / client

config openvpn 'WRTvpn'
	option config '/etc/openvpn/WRTvpn.conf'
	option enabled '1'

config openvpn 'protonvpnCZ'
	option auth_user_pass '/etc/openvpn/Proton/userpass_protonvpn.txt'
	option client '1'
	option resolv_retry 'infinite'
	option nobind '1'
	option cipher 'AES-256-CBC'
	option auth 'SHA512'
	option comp_lzo 'no'
	option verb '3'
	option tun_mtu '1500'
	option tun_mtu_extra '32'
	option ping '15'
	option ping_restart '0'
	option ping_timer_rem '1'
	option reneg_sec '0'
	option pull '1'
	option fast_io '1'
	option ca '/etc/openvpn/Proton/ca_protonvpn.crt'
	option tls_auth '/etc/openvpn/Proton/tlsauth_protonvpn.key'
	option remote_cert_tls 'server'
	option remote_random '1'
	option dev 'tun2'
	option mssfix '1450'
	option persist_key '1'
	option persist_tun '1'
	option key_direction '1'
	list remote 'cz.protonvpn.com'
	option port '1194'
	option proto 'udp'

config openvpn 'protonvpnCH'
	option auth_user_pass '/etc/openvpn/Proton/userpass_protonvpn.txt'
	option client '1'
	option resolv_retry 'infinite'
	option nobind '1'
	option cipher 'AES-256-CBC'
	option auth 'SHA512'
	option comp_lzo 'no'
	option verb '3'
	option tun_mtu '1500'
	option tun_mtu_extra '32'
	option ping '15'
	option ping_restart '0'
	option ping_timer_rem '1'
	option reneg_sec '0'
	option pull '1'
	option fast_io '1'
	option ca '/etc/openvpn/Proton/ca_protonvpn.crt'
	option tls_auth '/etc/openvpn/Proton/tlsauth_protonvpn.key'
	option remote_cert_tls 'server'
	option remote_random '1'
	option dev 'tun1'
	option mssfix '1450'
	option persist_key '1'
	option persist_tun '1'
	option key_direction '1'
	list remote 'ch.protonvpn.com'
	option enabled '1'
	option proto 'tcp-client'
	option port '443'

Firewall:

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option forward 'REJECT'
	option network 'wan wan6'
	option masq '1'
	option mtu_fix '1'
	option input 'REJECT'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config rule 'vpn'
	option name 'Allow-OpenVPN'
	option src 'wan'
	option dest_port '1194'
	option target 'ACCEPT'
	option family 'ipv4'
	option proto 'tcp udp'

config zone
	option output 'ACCEPT'
	option forward 'REJECT'
	option network 'vpn'
	option input 'REJECT'
	option name 'vpn_WRT'

config zone
	option name 'WRTg'
	option output 'ACCEPT'
	option forward 'REJECT'
	option input 'REJECT'
	option network 'WRTg'

config rule
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '53'
	option name 'VPN-DNS'
	option src 'vpn_WRT'

config rule
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '67-68'
	option name 'VPN-DHCP'
	option src 'vpn_WRT'

config rule
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '53'
	option name 'WRTg-DNS'
	option src 'WRTg'

config rule
	option enabled '1'
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '67-68'
	option name 'WRTg-DHCP'
	option src 'WRTg'

config zone
	option forward 'REJECT'
	option output 'ACCEPT'
	option input 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'VPNClient'
	option name 'vpn_PRO_CH'

config forwarding
	option src 'WRTg'
	option dest 'vpn_PRO_CH'

config zone
	option forward 'REJECT'
	option output 'ACCEPT'
	option input 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'vpnclient2'
	option name 'vpn_PRO_CZ'

config forwarding
	option src 'lan'
	option dest 'vpn_PRO_CH'

config forwarding
	option dest 'wan'
	option src 'vpn_WRT'

Network


config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdf1:534c:5d15::/48'

config interface 'lan'
	option type 'bridge'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option delegate '0'
	option ifname 'eth0.1'

config interface 'wan'
	option ifname 'eth1.2'
	option proto 'static'
	option ipaddr '192.168.2.150'
	option netmask '255.255.255.0'
	option gateway '192.168.2.1'
	option delegate '0'
	option dns '176.9.62.58 176.9.62.62'

config interface 'wan6'
	option ifname 'eth1.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 1 2 3 5t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '4 6t'

config interface 'WRTg'
	option proto 'static'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'

config interface 'vpn'
	option ifname 'tun0'
	option proto 'static'
	option ipaddr '192.168.8.1'
	option netmask '255.255.255.0'

config interface 'VPNClient'
	option proto 'none'
	option ifname 'tun1'

config interface 'vpnclient2'
	option proto 'none'
	option ifname 'tun2'

Sounds to me like the response to your VPN connection request (from your mobile device) is going back over ProtonVPN rather than your WAN connection.

I think you'll need to create the correct static route.
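
One way to implement the static route tectonic is pointing at, as an added example that is not code from this thread, from OpenWrt or from ProtonVPN: the interface names and addresses are the ones in the posted network config (eth1.2, 192.168.2.150, 192.168.2.1); the routing table number 100, the rule priority 100 and the script name are assumptions. The mechanism it addresses: while a ProtonVPN client with `pull` is up, the pushed redirect-gateway makes tun1 (or tun2) the router's default route, so the OpenVPN server's replies on UDP 1194 leave through the tunnel and are masqueraded by the vpn_PRO_* zone. The phone never sees an answer from the address it sent to, keeps retransmitting its first handshake packet, and every retransmission of packet ID #1 trips the server's tls-crypt replay check, which is the "bad packet ID (may be a replay)" loop in the log. A source-based policy rule sends everything sourced from the router's WAN address back out via the WAN gateway regardless of which interface holds the default route:

```shell
#!/bin/sh
# Added example for this thread, not code from the original posts, OpenWrt or
# ProtonVPN. Keeps OpenVPN server replies on the WAN path while a VPN client
# owns the default route. Addresses and interface names are the ones posted
# above; table id, rule priority and script name are assumptions.

WAN_IF="${WAN_IF:-eth1.2}"        # wan ifname from /etc/config/network
WAN_IP="${WAN_IP:-192.168.2.150}" # the router's own WAN address
WAN_GW="${WAN_GW:-192.168.2.1}"   # upstream gateway
TABLE="${TABLE:-100}"             # assumption: an otherwise unused routing table
PRIO="${PRIO:-100}"               # assumption: consulted before the main table
DRY_RUN="${DRY_RUN:-0}"           # DRY_RUN=1 prints the commands instead of running them

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Source-based policy routing: anything the router sends from its own WAN
# address (OpenVPN server replies on UDP 1194 included) is looked up in
# TABLE, whose only route is the WAN default gateway. The main table, where
# the tunnel's redirect-gateway lands, is never consulted for those packets.
wan_reply_route_cmds() {
    run ip route replace default via "$WAN_GW" dev "$WAN_IF" table "$TABLE"
    # 'ip rule add' is not idempotent: delete first so re-runs do not stack rules
    run ip rule del from "$WAN_IP" lookup "$TABLE" priority "$PRIO" 2>/dev/null || true
    run ip rule add from "$WAN_IP" lookup "$TABLE" priority "$PRIO"
}

# Undo: drop the rule and empty the table again.
wan_reply_route_undo_cmds() {
    run ip rule del from "$WAN_IP" lookup "$TABLE" priority "$PRIO"
    run ip route flush table "$TABLE"
}

# Diagnostic: which interface would a reply to PEER use when sourced from the
# WAN address? With the tunnel holding the default route and no rule this
# prints "dev tun1" (or tun2); once the rule is in place it prints "dev eth1.2".
reply_path() {
    run ip route get "$1" from "$WAN_IP"
}

# Usage as root on the router, e.g. from /etc/rc.local once the interfaces
# are up (script name is an assumption):
#   sh vpn-server-reply-route.sh apply
#   sh vpn-server-reply-route.sh check 80.0.0.1   # a phone's public address
#   sh vpn-server-reply-route.sh undo
case "${1:-}" in
    apply) wan_reply_route_cmds ;;
    check) reply_path "${2:?peer address required}" ;;
    undo)  wan_reply_route_undo_cmds ;;
    *)     ;;
esac
```

Run `check` with the phone's public address before and after `apply`: the reply path should change from the tun interface to eth1.2, and the "packet replay" lines should stop once the phone actually receives the server's first answer. The same rule and route can be kept in /etc/config/network as `config rule` and `config route` sections with `option table '100'` so they survive a reboot, and the vpn-policy-routing package stangri links manages rules of exactly this kind. If the router's own traffic does not need to go through ProtonVPN at all, `route-nopull` (or `pull-filter ignore "redirect-gateway"` in OpenVPN 2.4) in the client config keeps the default route on the WAN and avoids the problem entirely, at the price of steering the lan and WRTg forwards into the tunnel with explicit routes or policy rules.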

Hi tectonic,

I only do this for "routing":

Can you please explain to me how to route correctly?!

THANK U

https://github.com/stangri/openwrt_packages/blob/master/vpn-policy-routing/files/README.md#example-policies -- there's an example of running an OpenVPN server on your server with the default routing thru a VPN tunnel.


I will try it, thank U

Hi stangri,

same error ...

Service Status: Success: wan/192.168.2.1 vpn/192.168.8.1 VPNClient/10.7.1.1 vpnclient2/10.8.8.1

vpn-policy-CONFIG

config vpn-policy-routing 'config'
	option verbosity '2'
	option ipv6_enabled '0'
	option ipset_enabled '1'
	option dnsmasq_enabled '0'
	option strict_enforcement '1'
	option boot_timeout '30'
	option enabled '1'
	option append_local_rules '! -d 192.168.8.1/24'

config policy
	option name 'OpenVPN Server'
	option local_port '1194'
	option proto 'tcp udp'
	option chain 'OUTPUT'
	option interface 'wan'

OpenVPN-Log

Sat Jun  8 11:02:05 2019 xxxxxxxxxxxx:6458 TLS Error: tls-crypt unwrapping failed from [AF_INET]xxxxxxxxxxxx:6458
Sat Jun  8 11:02:06 2019 xxxxxxxxxxxx:6458 tls-crypt unwrap error: bad packet ID (may be a replay): [ #1 / time = (1559984527) Sat Jun  8 11:02:07 2019 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Sat Jun  8 11:02:06 2019 xxxxxxxxxxxx:6458 tls-crypt unwrap error: packet replay
Sat Jun  8 11:02:06 2019 xxxxxxxxxxxx:6458 TLS Error: tls-crypt unwrapping failed from [AF_INET]xxxxxxxxxxxx:6458
Sat Jun  8 11:02:07 2019 xxxxxxxxxxxx:6458 tls-crypt unwrap error: bad packet ID (may be a replay): [ #1 / time = (1559984527) Sat Jun  8 11:02:07 2019 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Sat Jun  8 11:02:07 2019 xxxxxxxxxxxx:6458 tls-crypt unwrap error: packet replay

Thank you for the HELP!

Hello Mawu,

I have exactly the same issue as you. I am using NordVPN, and the server works only if I shut down the client. Were you able to solve it?

Thanks