OpenVPN client-side network access

I am having difficulty accessing the local network from the OpenVPN client side. I have an OpenWrt 19.07 router running the server, in local network 192.168.x.0, delivering VPN 25.x.x.0 in a city. And an Orange Pi Zero running OpenWrt 19.07 as OpenVPN client, local network DHCP client IP 192.168.y.232, receiving VPN IP 25.xx2. On the client's network the gateway is a TP-Link router with original firmware, where there is a static route (destination 192.168.x.0, mask 255.255.255.0 and gateway 192.168.y.232). From the 192.168.y.0 network I access all IPs from the 192.168.x.0 network. But from the 192.168.x.0 network I can only access SSH, HTTP and others on the Orange Pi Zero OpenVPN client through the VPN IP 25.xx2; from this network 192.168.x.0, 192.168.y.232 does not even respond to ping. What do I need to do to get network packets forwarded from tun0 (VPN) through IP 192.168.y.232 (the Orange Pi Zero, which only has one network card) and redirected to 192.168.y.1, which is the TP-Link router, and from there redirected onto the OpenVPN client's local network (192.168.y.0)? Is it possible?

Google Translate..., and a stroke of Enter here and there.


https://openwrt.org/docs/guide-user/services/vpn/openvpn/extras#site-to-site


Thanks for the information.
As I had mentioned, the Orange Pi Zero has only one Ethernet network card. I made the configuration according to the documentation, but it returns errors in the WAN configuration.
How can I fix this missing WAN interface error?

root@A:~# uci del_list firewall.wan.device="tun+"
root@A:~# uci add_list firewall.lan.device="tun+"
root@A:~# uci commit firewall
root@A:~# /etc/init.d/firewall restart
Warning: Unable to locate ipset utility, disabling ipset support
Warning: Section 'wan' cannot resolve device of network 'wan'
Warning: Section 'wan' cannot resolve device of network 'wan6'
 * Flushing IPv4 filter table
 * Flushing IPv4 nat table
 * Flushing IPv4 mangle table
 * Flushing IPv6 filter table
 * Flushing IPv6 mangle table
 * Flushing conntrack table ...
 * Populating IPv4 filter table
   * Rule 'Allow-DHCP-Renew'
   * Rule 'Allow-Ping'
   * Rule 'Allow-IGMP'
   * Rule 'Allow-IPSec-ESP'
   * Rule 'Allow-ISAKMP'
   * Forward 'lan' -> 'wan'
   * Zone 'lan'
   * Zone 'wan'
 * Populating IPv4 nat table
   * Zone 'lan'
   * Zone 'wan'
 * Populating IPv4 mangle table
   * Zone 'lan'
   * Zone 'wan'
 * Populating IPv6 filter table
   * Rule 'Allow-DHCPv6'
   * Rule 'Allow-MLD'
   * Rule 'Allow-ICMPv6-Input'
   * Rule 'Allow-ICMPv6-Forward'
   * Rule 'Allow-IPSec-ESP'
   * Rule 'Allow-ISAKMP'
   * Forward 'lan' -> 'wan'
   * Zone 'lan'
   * Zone 'wan'
 * Populating IPv6 mangle table
   * Zone 'lan'
   * Zone 'wan'
 * Set tcp_ecn to off
 * Set tcp_syncookies to on
 * Set tcp_window_scaling to on
 * Running script '/etc/firewall.user

You can safely ignore those warnings.

Yes, it's true I can just ignore the warnings. But that doesn't change the fact that I can't access the OpenVPN client-side network. Thank you for your attention. I will continue studying and looking for a solution.

Try to enable masquerading on the client-side LAN firewall zone.

How do I do this from the command line? Because of customizations to /www in the firmware, I'm not able to access the settings page through the OpenWrt web GUI.

uci set firewall.@zone[0].masq="1"
uci commit firewall
/etc/init.d/firewall restart

I performed the above commands, but still no client-side network access.

root@Awaycomand:~# ip addr list
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br-lan state UP qlen 1000
    link/ether 02:42:7e:af:5b:14 brd ff:ff:ff:ff:ff:ff
6: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 02:42:7e:af:5b:14 brd ff:ff:ff:ff:ff:ff
    inet 192.168.20.232/24 brd 192.168.20.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 fe80::42:7eff:feaf:5b14/64 scope link
       valid_lft forever preferred_lft forever
7: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN qlen 100
    link/[65534]
    inet 25.7.18.2/24 brd 25.7.18.255 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::484c:5a3d:5b94:6c70/64 scope link
       valid_lft forever preferred_lft forever
root@Awaycomand:~# cat /etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd13:0b3e:4cd9::/48'

config interface 'lan'
        option ifname 'eth0'
        option type 'bridge'
        option _orig_ifname 'eth0 br-lan'
        option _orig_bridge 'true'
        option proto 'dhcp'

config interface '3g'
        option proto '3g'
        option device '/dev/ttyUSB0'
        option service 'umts_only'
        option apn 'internet'
        option defaultroute '1'

config interface 'tethering'
        option ifname 'usb0'
        option proto 'dhcp'

config interface '4g'
        option ifname 'wwan0'
        option proto 'ncm'
        option apn 'internet'

config interface 'vpn'
        option proto 'none'
        option ifname 'tun0'

root@Awaycomand:~#
root@Awaycomand:~# cat /etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone 'lan'
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list device 'tun+'
        option masq '1'

config zone 'wan'
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        list network 'vpn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

root@Awaycomand:~#

Is there an error in these settings files?

You must not use public IPs on the VPN interface.

The IP I'm using is not public. And yes, class A, /24. But is that the reason it doesn't work?
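As an added example (not from the thread or from OpenWrt itself), a small Python check for the two points raised in the posts above: the posted client firewall claims tun0 in both zones ('tun+' as a lan device, network 'vpn' in wan), and the tunnel address 25.7.18.2/24 lies outside RFC 1918 space. The UCI excerpt and the network-to-interface map are constructed from the posted files.

```python
import ipaddress
import re
# Constructed excerpt mirroring the client's /etc/config/firewall posted above.
FIREWALL_UCI = """
config zone 'lan'
        option name 'lan'
        list network 'lan'
        list device 'tun+'
config zone 'wan'
        option name 'wan'
        list network 'wan'
        list network 'vpn'
"""
# Constructed map of UCI network names to kernel interfaces, per /etc/config/network above.
NETWORK_IFNAME = {"lan": "br-lan", "vpn": "tun0"}
_RFC1918 = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
_LINE = re.compile(r"^\s*(config|option|list)\s+(\S+)(?:\s+'?([^']*)'?)?\s*$")

def parse_zones(text):
    """Return one {'name', 'network': [...], 'device': [...]} dict per 'config zone' section."""
    zones, cur = [], None
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        kind, key, val = m.groups()
        if kind == "config":  # new section starts; only zone sections are tracked
            cur = {"name": val, "network": [], "device": []} if key == "zone" else None
            if cur is not None:
                zones.append(cur)
        elif cur is not None and kind == "option" and key == "name":
            cur["name"] = val
        elif cur is not None and kind == "list" and key in ("network", "device"):
            cur[key].append(val)
    return zones

def find_double_assigned(zones, network_ifname):
    """Return {ifname: [zone names]} for kernel interfaces claimed by more than one zone.
    fw3 device patterns ending in '+' are prefix wildcards, so 'tun+' matches tun0."""
    hits = {}
    for z in zones:
        pats = set(z["device"]) | {network_ifname[n] for n in z["network"] if n in network_ifname}
        for ifname in set(network_ifname.values()):
            if any(ifname.startswith(p[:-1]) if p.endswith("+") else p == ifname for p in pats):
                hits.setdefault(ifname, set()).add(z["name"])
    return {i: sorted(zs) for i, zs in hits.items() if len(zs) > 1}

def is_private_tunnel(cidr):
    """True only if the whole tunnel subnet lies inside RFC 1918 space (25.7.18.0/24 does not)."""
    return any(ipaddress.ip_interface(cidr).network.subnet_of(p) for p in _RFC1918)
```

Run against the posted config it reports tun0 as belonging to both lan and wan, and flags the 25.7.18.0/24 tunnel subnet as non-private.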

Reconnect the VPN client and post the relevant part of the server log.