Openvpn client unable to reach LAN devices

Hello,

I followed the great guide about setting up an OpenVPN server on my OpenWrt router: https://openwrt.org/docs/guide-user/services/vpn/openvpn/server

The server works quite well, clients can connect to it and receive their IP address.

Unfortunately, the client can't reach any device on the LAN. Not even the OpenVPN router.

LAN is 192.168.10.0/24
VPN is 10.8.0.0/24

VPN server 10.8.0.1
VPN client 10.8.0.2

From the client, ping to 10.8.0.1 is successful.
Ping to 192.168.10.1 (router LAN address) does not work.
None of 192.168.10.0/24 hosts can be reached.

I have already tried to add some forward rules between the tun0 interface and br-lan but without any success.

Anyone to help?
Thanks!

Did you add device 'tun+' to the lan zone as indicated in the guide?

Remove these rules.

Followed the guide once again (including the firewall part).
Deleted the forward rules.
Same result.

Client can connect to the VPN, ping the VPN server through the VPN network but unable to ping the LAN.

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/firewall

If you are sure that everything is by the book, check the client routing table.

Here are the outputs

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd6f:dbc4:fc29::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.10.1'
        list dns '1.1.1.1'

config interface 'wan'
        option device 'eth0.2'
        option proto 'dhcp'
        option peerdns '0'
        list dns '1.1.1.1'

config interface 'wan6'
        option device 'eth0.2'
        option proto 'dhcpv6'
        option auto '0'
        option reqaddress 'try'
        option reqprefix 'auto'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '2 3 4 5 0t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '1 6t'

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option synflood_protect '1'
        option forward 'REJECT'

config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list device 'tun+'

config zone 'wan'
        option name 'wan'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        option input 'REJECT'
        option forward 'REJECT'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled '0'

config include
        option path '/etc/firewall.user'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'luke'
        option src 'wan'
        option src_ip 'xxx'
        option src_dport 'xxx'
        option dest_ip '192.168.10.2'
        option dest_port 'xxx'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'yoda'
        option src 'wan'
        option src_dport 'xxx'
        option dest_ip '192.168.10.3'
        option dest_port 'xxx'
        option enabled '0'

config rule 'ovpn'
        option name 'Allow-OpenVPN'
        option src 'wan'
        option dest_port '1194'
        option proto 'udp'
        option target 'ACCEPT'

Nothing appears to be wrong in the config files.

Add the following to your OpenVPN server configuration

UCI formatted:

	list push 'route 192.168.10.0 255.255.255.0'

Or, if working with native openvpn config file:

push "route 192.168.10.0 255.255.255.0"

Added the "push route" option.
Restarted server and client.
No changes. Still unable to reach the lan.

Let's see the openvpn server config (be sure to redact any sensitive info).

This is the basic config provided in the guide.
Except the push route option.

root@OpenWrt:~# cat /etc/openvpn/server.conf
user nobody
group nogroup
dev tun
port my_port
proto udp
server 192.168.8.0 255.255.255.0
topology subnet
client-to-client
keepalive 10 60
persist-tun
persist-key
push "route 192.168.10.0 255.255.255.0"
push "dhcp-option DNS 192.168.8.1"
push "dhcp-option DOMAIN lan"
push "redirect-gateway def1"
push "persist-tun"
push "persist-key"
<dh>

</dh>
<tls-crypt-v2>

</tls-crypt-v2>
<key>

</key>
<cert>

</cert>
<ca>

</ca>

The client config (Windows)

dev tun
dev-node home
nobind
client
remote my_hostname my_port udp
auth-nocache
remote-cert-tls server

What is the operating system on the hosts you are trying to reach on the lan? If windows, you might be dealing with a windows firewall issue.

Can your OpenVPN clients reach the internet via this connection?

Currently I am only trying to reach devices such as IP cameras, printers, Raspberry Pi... without any kind of firewall.

If I'm right, with the config in my previous messages the client should receive the public IP address from the VPN server. I mean, when browsing the web, the IP seen by web servers should be the public IP of my VPN?
Well, it is not the case. Browsing a "what's my IP" site returns the client's public IP.

Yes, you're right that you should see the public IP of the OpenVPN server returned as the apparent address of the client devices.

Let's look at the logs... post the logs of the complete connection process.

Server

Mon Jun  6 22:33:38 2022 daemon.warn openvpn(server)[24336]: --cipher is not set. Previous OpenVPN version defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
Mon Jun  6 22:33:38 2022 daemon.notice openvpn(server)[24336]: OpenVPN 2.5.3 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Mon Jun  6 22:33:38 2022 daemon.notice openvpn(server)[24336]: library versions: OpenSSL 1.1.1n  15 Mar 2022, LZO 2.10
Mon Jun  6 22:33:38 2022 daemon.warn openvpn(server)[24336]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mon Jun  6 22:33:38 2022 daemon.notice openvpn(server)[24336]: TUN/TAP device tun0 opened
Mon Jun  6 22:33:38 2022 daemon.notice openvpn(server)[24336]: net_iface_mtu_set: mtu 1500 for tun0
Mon Jun  6 22:33:38 2022 daemon.notice openvpn(server)[24336]: net_iface_up: set tun0 up
Mon Jun  6 22:33:38 2022 daemon.notice openvpn(server)[24336]: net_addr_v4_add: 192.168.8.1/24 dev tun0
Mon Jun  6 22:33:38 2022 daemon.notice openvpn(server)[24336]: /usr/libexec/openvpn-hotplug up server tun0 1500 1621 192.168.8.1 255.255.255.0 init
Mon Jun  6 22:33:38 2022 daemon.warn openvpn(server)[24336]: Could not determine IPv4/IPv6 protocol. Using AF_INET
Mon Jun  6 22:33:38 2022 daemon.notice openvpn(server)[24336]: UDPv4 link local (bound): [AF_INET][undef]:1194
Mon Jun  6 22:33:38 2022 daemon.notice openvpn(server)[24336]: UDPv4 link remote: [AF_UNSPEC]
Mon Jun  6 22:33:38 2022 daemon.notice openvpn(server)[24336]: GID set to nogroup
Mon Jun  6 22:33:38 2022 daemon.notice openvpn(server)[24336]: UID set to nobody
Mon Jun  6 22:33:38 2022 daemon.notice openvpn(server)[24336]: Initialization Sequence Completed
Mon Jun  6 22:34:19 2022 daemon.notice openvpn(server)[24336]: xxx:51769 peer info: IV_VER=2.5.6
Mon Jun  6 22:34:19 2022 daemon.notice openvpn(server)[24336]: xxx:51769 peer info: IV_PLAT=win
Mon Jun  6 22:34:19 2022 daemon.notice openvpn(server)[24336]: xxx:51769 peer info: IV_PROTO=6
Mon Jun  6 22:34:19 2022 daemon.notice openvpn(server)[24336]: xxx:51769 peer info: IV_NCP=2
Mon Jun  6 22:34:19 2022 daemon.notice openvpn(server)[24336]: xxx:51769 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM
Mon Jun  6 22:34:19 2022 daemon.notice openvpn(server)[24336]: xxx:51769 peer info: IV_LZ4=1
Mon Jun  6 22:34:19 2022 daemon.notice openvpn(server)[24336]: xxx:51769 peer info: IV_LZ4v2=1
Mon Jun  6 22:34:19 2022 daemon.notice openvpn(server)[24336]: xxx:51769 peer info: IV_LZO=1
Mon Jun  6 22:34:19 2022 daemon.notice openvpn(server)[24336]: xxx:51769 peer info: IV_COMP_STUB=1
Mon Jun  6 22:34:19 2022 daemon.notice openvpn(server)[24336]: xxx:51769 peer info: IV_COMP_STUBv2=1
Mon Jun  6 22:34:19 2022 daemon.notice openvpn(server)[24336]: xxx:51769 peer info: IV_TCPNL=1
Mon Jun  6 22:34:19 2022 daemon.notice openvpn(server)[24336]: xxx:51769 peer info: IV_GUI_VER=OpenVPN_GUI_11
Mon Jun  6 22:34:19 2022 daemon.notice openvpn(server)[24336]: xxx:51769 peer info: IV_SSO=openurl,crtext
Mon Jun  6 22:34:19 2022 daemon.notice openvpn(server)[24336]: xxx:51769 [client] Peer Connection Initiated with [AF_INET]xxx:51769
Mon Jun  6 22:34:19 2022 daemon.notice openvpn(server)[24336]: client/xxx:51769 MULTI_sva: pool returned IPv4=192.168.8.2, IPv6=(Not enabled)
Mon Jun  6 22:39:13 2022 user.info : luci: accepted login on / for root from 192.168.8.2
Mon Jun  6 22:40:32 2022 authpriv.info dropbear[24130]: Exit (root) from <192.168.8.2:53600>: Keepalive timeout
Mon Jun  6 22:40:50 2022 authpriv.info dropbear[25340]: Child connection from 192.168.8.2:54346
Mon Jun  6 22:40:55 2022 authpriv.notice dropbear[25340]: Password auth succeeded for 'root' from 192.168.8.2:54346
Mon Jun  6 22:48:37 2022 authpriv.info dropbear[24249]: Exit (root) from <192.168.8.2:63348>: Keepalive timeout

Client

Mon Jun  6 22:34:21 2022 NOTE: --user option is not implemented on Windows
Mon Jun  6 22:34:21 2022 NOTE: --group option is not implemented on Windows
Mon Jun  6 22:34:21 2022 --cipher is not set. Previous OpenVPN version defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
Mon Jun  6 22:34:21 2022 OpenVPN 2.5.6 Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Mar 16 2022
Mon Jun  6 22:34:21 2022 Windows version 10.0 (Windows 10 or greater) 64bit
Mon Jun  6 22:34:21 2022 library versions: OpenSSL 1.1.1n  15 Mar 2022, LZO 2.10
Mon Jun  6 22:34:22 2022 TCP/UDP: Preserving recently used remote address: [AF_INET]xxx:xxx
Mon Jun  6 22:34:22 2022 UDP link local: (not bound)
Mon Jun  6 22:34:22 2022 UDP link remote: [AF_INET]xxx:xxx
Mon Jun  6 22:34:22 2022 [server] Peer Connection Initiated with [AF_INET]xxx:xxx
Mon Jun  6 22:34:22 2022 open_tun
Mon Jun  6 22:34:22 2022 tap-windows6 device [home] opened
Mon Jun  6 22:34:22 2022 Set TAP-Windows TUN subnet mode network/local/netmask = 192.168.8.0/192.168.8.2/255.255.255.0 [SUCCEEDED]
Mon Jun  6 22:34:22 2022 Notified TAP-Windows driver to set a DHCP IP/netmask of 192.168.8.2/255.255.255.0 on interface {96F06B65-FDA1-45D0-8697-B0183A92C3DA} [DHCP-serv: 192.168.8.0, lease-time: 31536000]
Mon Jun  6 22:34:22 2022 Successful ARP Flush on interface [14] {96F06B65-FDA1-45D0-8697-B0183A92C3DA}
Mon Jun  6 22:34:22 2022 IPv4 MTU set to 1500 on interface 14 using service
Mon Jun  6 22:34:27 2022 Initialization Sequence Completed
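An earlier reply suggested checking the client routing table. As an added diagnostic (my own script, not from the thread), the POSIX sh script below cross-checks the two logs posted above: it extracts the address the server pool assigned and the address the client configured on its tunnel interface, and counts the lines an OpenVPN 2.x client prints when it receives the server's PUSH_REPLY and installs the pushed routes. The marker strings ("PUSH: Received control message", "OPTIONS IMPORT", "Route addition via", "ROUTE_GATEWAY") are what OpenVPN 2.5 prints at its default "verb 3" and are an assumption for other versions; the embedded logs are excerpts of the ones posted above plus one constructed "healthy" client log for comparison.

```shell
#!/bin/sh
# Added example, not from the thread: cross-check OpenVPN server and client
# logs. Marker strings are taken from OpenVPN 2.5 output at "verb 3" and are
# an assumption for other versions.
# Usage: sh vpnlogcheck.sh client.log server.log   (no args: embedded samples)

# Address the server's pool handed to the client ("pool returned IPv4=...").
server_pool_addr() {
  sed -n 's/.*pool returned IPv4=\([0-9.]*\).*/\1/p' "$1" | head -n 1
}

# Address the client configured on its tun interface: the tap-windows6
# "TUN subnet mode" line seen in the thread, or the Linux net_addr_v4_add line.
client_tun_addr() {
  sed -n \
    -e 's|.*TUN subnet mode network/local/netmask = [^/]*/\([^/]*\)/.*|\1|p' \
    -e 's|.*net_addr_v4_add: \([0-9.]*\)/.*|\1|p' "$1" | head -n 1
}

# Number of client log lines showing pushed options were received or applied.
# grep -c exits 1 when the count is 0, so the "|| true" keeps the count usable.
count_push_markers() {
  grep -c -E 'PUSH: Received control message|OPTIONS IMPORT|Route addition via|ROUTE_GATEWAY' "$1" || true
}

# Returns 0 when the client log shows pushed routes being applied, 1 otherwise.
diagnose_client() {
  c=$(client_tun_addr "$1")
  s=$(server_pool_addr "$2")
  if [ -n "$c" ] && [ "$c" = "$s" ]; then
    echo "tunnel address $c matches the server pool assignment"
  else
    echo "WARN: client tun address '$c' does not match server pool address '$s'"
  fi
  n=$(count_push_markers "$1")
  if [ "$n" -gt 0 ]; then
    echo "OK: $n PUSH_REPLY/route lines, the client processed the pushed routes"
    return 0
  fi
  echo "WARN: no PUSH_REPLY or route lines in the client log: the pushed 'route' and"
  echo "      'redirect-gateway' never took effect (or the log was trimmed). Check the"
  echo "      client routing table for the 192.168.10.0/24 entry before blaming the router."
  return 1
}

CLIENT_LOG=$(mktemp); SERVER_LOG=$(mktemp); GOOD_LOG=$(mktemp)
# Excerpt of the client log posted in the thread (it has no push/route lines).
cat > "$CLIENT_LOG" <<'EOF'
Mon Jun  6 22:34:22 2022 [server] Peer Connection Initiated with [AF_INET]xxx:xxx
Mon Jun  6 22:34:22 2022 open_tun
Mon Jun  6 22:34:22 2022 tap-windows6 device [home] opened
Mon Jun  6 22:34:22 2022 Set TAP-Windows TUN subnet mode network/local/netmask = 192.168.8.0/192.168.8.2/255.255.255.0 [SUCCEEDED]
Mon Jun  6 22:34:27 2022 Initialization Sequence Completed
EOF
# Excerpt of the server log posted in the thread.
cat > "$SERVER_LOG" <<'EOF'
Mon Jun  6 22:34:19 2022 daemon.notice openvpn(server)[24336]: xxx:51769 [client] Peer Connection Initiated with [AF_INET]xxx:51769
Mon Jun  6 22:34:19 2022 daemon.notice openvpn(server)[24336]: client/xxx:51769 MULTI_sva: pool returned IPv4=192.168.8.2, IPv6=(Not enabled)
EOF
# Constructed healthy client log: the same connection with the push/route
# lines a working client prints (timestamps invented).
cat > "$GOOD_LOG" <<'EOF'
Mon Jun  6 22:34:22 2022 [server] Peer Connection Initiated with [AF_INET]xxx:xxx
Mon Jun  6 22:34:23 2022 PUSH: Received control message: 'PUSH_REPLY,route 192.168.10.0 255.255.255.0,redirect-gateway def1,ifconfig 192.168.8.2 255.255.255.0'
Mon Jun  6 22:34:23 2022 OPTIONS IMPORT: route options modified
Mon Jun  6 22:34:23 2022 open_tun
Mon Jun  6 22:34:23 2022 tap-windows6 device [home] opened
Mon Jun  6 22:34:23 2022 Set TAP-Windows TUN subnet mode network/local/netmask = 192.168.8.0/192.168.8.2/255.255.255.0 [SUCCEEDED]
Mon Jun  6 22:34:26 2022 Route addition via service succeeded
Mon Jun  6 22:34:27 2022 Initialization Sequence Completed
EOF

if [ $# -eq 2 ]; then
  diagnose_client "$1" "$2"
else
  diagnose_client "$CLIENT_LOG" "$SERVER_LOG" || true
  diagnose_client "$GOOD_LOG" "$SERVER_LOG"
fi
```

On the thread's logs the addresses agree (192.168.8.2 on both sides) but no push or route lines are present, so the script warns and points at the client routing table, which matches the reply below asking where the Windows client sits; on the constructed healthy log it reports the three push/route lines and returns success.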

What is the local IP address of the Windows (client) machine? Is it in either the 192.168.8.0/24 or 192.168.10.0/24 subnets?

No, the client is on another subnet. 192.168.178.0/24.

Everything seems good to me.
This is why I talked about forward rules in my first message. I thought it was a misconfiguration in the firewall.

Do you have another system you can use to try your OpenVPN configuration? iOS, Android, MacOS, Linux? Basically anything but Windows.

Well... I don't know why I haven't tried that before...
It is working very well on an Android device.
The client can access the LAN and browses the web with the VPN public IP address.

So, it's a misconfiguration on the Windows client.
Tried to start the GUI in administrator mode. No results.

Either that, or another Windows specific issue (similar to how Windows firewall, by default, will prevent inter-VLAN connections, making it seem like the router's configuration is to blame when really it is Windows).

Ok thanks!
Maybe I should ask on the openvpn forum then...