OpenVPN client

Hello! I would like to use an OpenVPN client on OpenWrt; the server side is a pfSense box. I installed openvpn-openssl and luci-app-openvpn and configured it. The connection is working: the tun0 interface has an IP, I can also see it on the pfSense, I added an interface for tun0 and a firewall rule, and the routing table also points through the VPN interface, but there is no internet. If I use the same config from a Windows machine it works, so I think the problem is not on the pfSense side. What can the problem be?

/etc/config/firewall

# Firewall zone for the OpenVPN tunnel. masq '1' NATs LAN sources behind the
# tun0 address; input 'REJECT' keeps the tunnel peer from reaching services on
# the router itself; forward 'REJECT' blocks zone-internal forwarding.
# NOTE(review): unlike a typical wan zone there is no mtu_fix '1' (TCP MSS
# clamping). On an encapsulated link with a reduced tun MTU this is one of the
# usual causes of "connects but no traffic" — confirm before ruling it out.
config zone
	option name 'vpnfirewall'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option network 'nordvpntun'

# One-way forwarding: LAN clients may be routed into the tunnel zone, but
# nothing arriving from the tunnel is forwarded back into lan unsolicited.
config forwarding
	option src 'lan'
	option dest 'vpnfirewall'

/etc/config/network

# Unmanaged wrapper around the tun device OpenVPN creates. proto 'none' leaves
# addressing and routes to OpenVPN; the stanza exists so a firewall zone can
# reference the tunnel by logical interface name.
config interface 'nordvpntun'
	option proto 'none'
	option ifname 'tun0'

This is my config, and it's not working.

If everything you say is true, your problem is at the other end of the connection or with the encapsulation (MSS etc.).

Please post the output of the following command here, all on one line:
cat /etc/config/network; cat /etc/config/firewall; cat /etc/config/wireless ; cat /etc/config/dhcp ; ip -4 addr ; ip -4 ro ; ip -4 ru
Please use "Preformatted text </>" for logs, scripts, configs and general console output.

Are you using the same subnet for your VPN as for your LAN? When I set mine up it defaulted to a different one and I had the same problem. Once I changed it to use my LAN subnet, I was fine.

# /etc/config/network as posted. Comments below are reviewer annotations.

# Loopback, stock OpenWrt.
config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

# IPv6 ULA prefix used for ip6assign on lan.
config globals 'globals'
        option ula_prefix 'fd0d:d51d:7a84::/48'

# LAN: bridge over VLAN 1 (eth0.1), router at 192.168.100.1/24.
# ip6assign '60' delegates a /60 of the ULA prefix to this interface.
config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.100.1'

# NOTE(review): hardware MAC addresses were left in the public paste; they are
# not secrets, but the poster redacted the WAN IP and domain, so these may have
# been overlooked.
config device 'lan_dev'
        option name 'eth0.1'
        option macaddr '70:4f:57:af:06:a6'

# WAN: DHCP client on VLAN 2 (eth0.2); gets 192.168.1.104/24 per the ip output.
config interface 'wan'
        option ifname 'eth0.2'
        option proto 'dhcp'

config device 'wan_dev'
        option name 'eth0.2'
        option macaddr '70:4f:57:af:06:a7'

config interface 'wan6'
        option ifname 'eth0.2'
        option proto 'dhcpv6'

# Switch layout: VLAN 1 = ports 1-4 + CPU (tagged), VLAN 2 = port 5 + CPU.
# NOTE(review): only these two VLANs exist in the posted config; the "other
# interface, which is a vlan" mentioned later in the thread is not defined here.
config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 3 4 0t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '5 0t'

# Unmanaged wrapper for the OpenVPN tun device; proto 'none' leaves addressing
# and routes to OpenVPN, the stanza only gives the firewall a name to bind.
config interface 'VPN_2'
        option proto 'none'
        option ifname 'tun0'

# /etc/config/firewall as posted. Comments below are reviewer annotations.

# Global policy: SYN-flood protection on; forward is REJECT by default, so
# traffic between zones only flows where a 'forwarding' stanza allows it.
config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

# lan: fully open towards the router and between its own members.
config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

# wan: inbound rejected, outbound NATed (masq), and TCP MSS clamped to the
# path MTU (mtu_fix). Compare with the VPN_wan zone at the bottom of this file.
config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6'

# The Allow-* rules below are the stock OpenWrt input exceptions for wan.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# NOTE(review): the next two rules accept unsolicited ESP and UDP/500 from wan
# *forwarded into lan*. They are part of older stock defaults, but none of the
# posted files configures IPsec, so they appear unused and could be removed to
# shrink the exposed surface — confirm nothing on the LAN terminates IPsec.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# Hand-written iptables rules, not posted in the thread; anything in that file
# is invisible to this review.
config include
        option path '/etc/firewall.user'

# Tunnel zone bound to VPN_2 (tun0): NAT on, nothing accepted inbound.
# NOTE(review): no mtu_fix '1' here, while the wan zone has it. With the
# tun-mtu/link-mtu warnings in the posted OpenVPN log, missing MSS clamping on
# this zone is a plausible reason for "tunnel up but no traffic".
config zone
        option forward 'REJECT'
        option output 'ACCEPT'
        option name 'VPN_wan'
        option masq '1'
        option network 'VPN_2'
        option input 'REJECT'

# NOTE(review): this is the only forwarding stanza in the file — there is no
# lan -> wan forwarding. Combined with forward 'REJECT' in defaults, LAN
# traffic can only leave through the tunnel (a kill-switch effect). Intended
# or not, it is worth knowing when debugging "no internet" reports.
config forwarding
        option dest 'VPN_wan'
        option src 'lan'


# /etc/config/wireless as posted. The radio is disabled, so none of this is
# active at the time of the thread.
config wifi-device 'radio0'
        option type 'mac80211'
        option channel '11'
        option hwmode '11g'
        option path 'platform/qca956x_wmac'
        option htmode 'HT20'
        option disabled '1'

# NOTE(review): stock default SSID with encryption 'none'. If the radio is
# ever enabled as-is, this becomes an open AP bridged straight into lan (and
# therefore into the VPN forwarding). Set WPA2 before enabling it.
config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'none'


# /etc/config/dhcp as posted. Comments below are reviewer annotations.

# dnsmasq: rebind_protection '1' drops upstream answers pointing at private
# ranges; localservice '1' only answers DNS from directly attached subnets;
# upstream resolvers come from /tmp/resolv.conf.auto (i.e. the WAN DHCP lease).
config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'

# LAN DHCP pool 192.168.100.100-249, 12h leases, with DHCPv6/RA server mode.
# NOTE(review): dhcp_option 6 hands clients 8.8.8.8/8.8.4.4 directly, so client
# DNS bypasses dnsmasq on the router (and its rebind protection) and simply
# follows the router's routing table — via tun0 while redirect-gateway is
# active, via wan otherwise. Presumably intentional; confirm that is the
# desired DNS path.
config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv6 'server'
        option ra 'server'
        list dhcp_option '6,8.8.8.8,8.8.4.4'
        option ra_management '1'

# No DHCP server on the WAN side.
config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
6: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.1.104/24 brd 192.168.1.255 scope global eth0.2
       valid_lft forever preferred_lft forever
7: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.100.1/24 brd 192.168.100.255 scope global br-lan
       valid_lft forever preferred_lft forever
9: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN qlen 100
    inet 192.168.3.26/29 brd 192.168.3.31 scope global tun0
       valid_lft forever preferred_lft forever
0.0.0.0/1 via 192.168.3.25 dev tun0
default via 192.168.1.1 dev eth0.2  src 192.168.1.104
78.131.56.85 via 192.168.1.1 dev eth0.2
128.0.0.0/1 via 192.168.3.25 dev tun0
192.168.1.0/24 dev eth0.2 scope link  src 192.168.1.104
192.168.3.24/29 dev tun0 scope link  src 192.168.3.26
192.168.100.0/24 dev br-lan scope link  src 192.168.100.1
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default

No, my LAN subnet is 192.168.100.0/24 and the VPN subnet is 192.168.3.24/29.

Looks fine, so could you post the OpenVPN config (usually /etc/config/openvpn or /etc/openvpn/) as well as any logs from OpenVPN?

# /etc/config/openvpn as posted (client instance). Comments are reviewer
# annotations; the remote address was redacted by the poster.
config openvpn 'erdeifamily'
	option dev 'tun'
	# 0 disables this side's periodic data-channel key renegotiation timer;
	# the server's own reneg-sec still applies, so keys are only rotated on
	# the server's schedule.
	option reneg_sec '0'
	option verb '3'
	option persist_key '1'
	option nobind '1'
	option persist_tun '1'
	# NOTE(review): float lets the peer change its source address after
	# authentication. It is mainly useful on servers with roaming clients;
	# on a client talking to a fixed pfSense address it adds nothing.
	option float '1'
	option client '1'
	# remote_cert_tls 'server' + tls_client: the server certificate must
	# carry the TLS Web Server Authentication EKU (the posted log shows
	# "VERIFY EKU OK"), which blocks a stolen client cert from posing as
	# the server.
	option remote_cert_tls 'server'
	option tls_client '1'
	option resolv_retry 'infinite'
	list remote 'x.x.x.x'
	option proto 'udp'
	option port '1196'
	# NOTE(review): the private key lives under the LuCI upload directory;
	# confirm its file mode is owner-read-only, since anyone who can read it
	# can authenticate as this router.
	option ca '/etc/luci-uploads/cbid.openvpn.teszt.ca'
	option cert '/etc/luci-uploads/cbid.openvpn.teszt.cert'
	option key '/etc/luci-uploads/cbid.openvpn.teszt.key'
	option enabled '1'
	# CBC + HMAC-SHA256 data channel. This build reports [AEAD] support, so
	# AES-256-GCM would be available if the pfSense side also offers it.
	option auth 'SHA256'
	option cipher 'AES-256-CBC'
	# NOTE(review): the posted log shows link-mtu used inconsistently
	# (local 1500, remote 1570), a reduced tun-mtu "expect MTU problems"
	# warning, "write to TUN/TAP : Invalid argument" errors, and finally an
	# options error because --ifconfig implies --link-mtu 1500. Dropping
	# this line and letting OpenVPN negotiate (or using tun-mtu/mssfix
	# instead) is the usual fix. The log also reports the server pushing
	# comp-lzo that is not set here; enabling compression on a VPN link is
	# generally advised against, so the mismatch is better resolved on the
	# server side.
	option link_mtu '1570'

And the log:

Mon Jun 10 18:39:56 2019 daemon.notice openvpn(changed)[1978]: OpenVPN 2.4.5 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Mon Jun 10 18:39:56 2019 daemon.notice openvpn(changed)[1978]: library versions: OpenSSL 1.0.2s  28 May 2019, LZO 2.10
Mon Jun 10 18:39:56 2019 daemon.warn openvpn(changed)[1978]: WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 1379)
Mon Jun 10 18:39:56 2019 daemon.notice openvpn(changed)[1978]: TCP/UDP: Preserving recently used remote address: [AF_INET]x.x.x.x:1196
Mon Jun 10 18:39:56 2019 daemon.notice openvpn(changed)[1978]: Socket Buffers: R=[163840->163840] S=[163840->163840]
Mon Jun 10 18:39:56 2019 daemon.notice openvpn(changed)[1978]: UDP link local: (not bound)
Mon Jun 10 18:39:56 2019 daemon.notice openvpn(changed)[1978]: UDP link remote: [AF_INET]x.x.x.x:1196
Mon Jun 10 18:39:56 2019 daemon.notice openvpn(changed)[1978]: TLS: Initial packet from [AF_INET]x.x.x.x:1196, sid=f38c3f89 00443c0b
Mon Jun 10 18:39:56 2019 daemon.notice openvpn(changed)[1978]: VERIFY OK: depth=1, C=HU, ST=Budapest, L=Budapest, O=changed, emailAddress=info@changed.hu, CN=changedvpn-ca
Mon Jun 10 18:39:56 2019 daemon.notice openvpn(changed)[1978]: VERIFY KU OK
Mon Jun 10 18:39:56 2019 daemon.notice openvpn(changed)[1978]: Validating certificate extended key usage
Mon Jun 10 18:39:56 2019 daemon.notice openvpn(changed)[1978]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Mon Jun 10 18:39:56 2019 daemon.notice openvpn(changed)[1978]: VERIFY EKU OK
Mon Jun 10 18:39:56 2019 daemon.notice openvpn(changed)[1978]: VERIFY OK: depth=0, C=HU, ST=Budapest, L=Budapest, O=changed, emailAddress=info@changed.hu, CN=vpn.changed.hu
Mon Jun 10 18:39:57 2019 daemon.warn openvpn(changed)[1978]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1500', remote='link-mtu 1570'
Mon Jun 10 18:39:57 2019 daemon.warn openvpn(changed)[1978]: WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1379', remote='tun-mtu 1500'
Mon Jun 10 18:39:57 2019 daemon.warn openvpn(changed)[1978]: WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
Mon Jun 10 18:39:57 2019 daemon.notice openvpn(changed)[1978]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Mon Jun 10 18:39:57 2019 daemon.notice openvpn(changed)[1978]: [vpn.changed.hu] Peer Connection Initiated with [AF_INET]x.x.x.x:1196
Mon Jun 10 18:39:58 2019 daemon.notice openvpn(changed)[1978]: SENT CONTROL [vpn.changed.hu]: 'PUSH_REQUEST' (status=1)
Mon Jun 10 18:39:58 2019 daemon.notice openvpn(changed)[1978]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,route-gateway 192.168.3.25,topology subnet,ping 10,ping-restart 60,ifconfig 192.168.3.26 255.255.255.248,peer-id 0'
Mon Jun 10 18:39:58 2019 daemon.notice openvpn(changed)[1978]: OPTIONS IMPORT: timers and/or timeouts modified
Mon Jun 10 18:39:58 2019 daemon.notice openvpn(changed)[1978]: OPTIONS IMPORT: --ifconfig/up options modified
Mon Jun 10 18:39:58 2019 daemon.notice openvpn(changed)[1978]: OPTIONS IMPORT: route options modified
Mon Jun 10 18:39:58 2019 daemon.notice openvpn(changed)[1978]: OPTIONS IMPORT: route-related options modified
Mon Jun 10 18:39:58 2019 daemon.notice openvpn(changed)[1978]: OPTIONS IMPORT: peer-id set
Mon Jun 10 18:39:58 2019 daemon.warn openvpn(changed)[1978]: OPTIONS IMPORT: WARNING: peer-id set, but link-mtu fixed by config - reducing tun-mtu to 1376, expect MTU problems
Mon Jun 10 18:39:58 2019 daemon.notice openvpn(changed)[1978]: Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Jun 10 18:39:58 2019 daemon.notice openvpn(changed)[1978]: Outgoing Data Channel: Using 256 bit message hash 'SHA256' for HMAC authentication
Mon Jun 10 18:39:58 2019 daemon.notice openvpn(changed)[1978]: Incoming Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Jun 10 18:39:58 2019 daemon.notice openvpn(changed)[1978]: Incoming Data Channel: Using 256 bit message hash 'SHA256' for HMAC authentication
Mon Jun 10 18:39:58 2019 daemon.notice netifd: Interface 'VPN_2' is enabled
Mon Jun 10 18:39:58 2019 daemon.notice netifd: Network device 'tun0' link is up
Mon Jun 10 18:39:58 2019 daemon.notice netifd: Interface 'VPN_2' has link connectivity
Mon Jun 10 18:39:58 2019 daemon.notice netifd: Interface 'VPN_2' is setting up now
Mon Jun 10 18:39:58 2019 daemon.notice netifd: Interface 'VPN_2' is now up
Mon Jun 10 18:39:58 2019 daemon.notice openvpn(changed)[1978]: TUN/TAP device tun0 opened
Mon Jun 10 18:39:58 2019 daemon.notice openvpn(changed)[1978]: TUN/TAP TX queue length set to 100
Mon Jun 10 18:39:58 2019 daemon.notice openvpn(changed)[1978]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Mon Jun 10 18:39:58 2019 daemon.notice openvpn(changed)[1978]: /sbin/ifconfig tun0 192.168.3.26 netmask 255.255.255.248 mtu 1428 broadcast 192.168.3.31
Mon Jun 10 18:39:58 2019 daemon.notice openvpn(changed)[1978]: /sbin/route add -net x.x.x.x netmask 255.255.255.255 gw 192.168.1.1
Mon Jun 10 18:39:58 2019 daemon.notice openvpn(changed)[1978]: /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 192.168.3.25
Mon Jun 10 18:39:58 2019 daemon.notice openvpn(changed)[1978]: /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 192.168.3.25
Mon Jun 10 18:39:58 2019 daemon.warn openvpn(changed)[1978]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Mon Jun 10 18:39:58 2019 daemon.notice openvpn(changed)[1978]: Initialization Sequence Completed
Mon Jun 10 18:39:58 2019 user.notice firewall: Reloading firewall due to ifup of VPN_2 (tun0)
Mon Jun 10 18:40:08 2019 daemon.err openvpn(changed)[1978]: write to TUN/TAP : Invalid argument (code=22)
Mon Jun 10 18:40:19 2019 daemon.err openvpn(changed)[1978]: write to TUN/TAP : Invalid argument (code=22)
Mon Jun 10 18:40:29 2019 daemon.err openvpn(changed)[1978]: write to TUN/TAP : Invalid argument (code=22)
Mon Jun 10 18:40:35 2019 daemon.err openvpn(changed)[1978]: event_wait : Interrupted system call (code=4)
Mon Jun 10 18:40:35 2019 daemon.notice openvpn(changed)[1978]: /sbin/route del -net x.x.x.x netmask 255.255.255.255
Mon Jun 10 18:40:35 2019 daemon.notice openvpn(changed)[1978]: /sbin/route del -net 0.0.0.0 netmask 128.0.0.0
Mon Jun 10 18:40:35 2019 daemon.notice openvpn(changed)[1978]: /sbin/route del -net 128.0.0.0 netmask 128.0.0.0
Mon Jun 10 18:40:35 2019 daemon.notice openvpn(changed)[1978]: Closing TUN/TAP interface
Mon Jun 10 18:40:35 2019 daemon.notice openvpn(changed)[1978]: /sbin/ifconfig tun0 0.0.0.0
Mon Jun 10 18:40:35 2019 daemon.notice netifd: Network device 'tun0' link is down
Mon Jun 10 18:40:35 2019 daemon.notice netifd: Interface 'VPN_2' has link connectivity loss
Mon Jun 10 18:40:35 2019 daemon.notice netifd: Interface 'VPN_2' is now down
Mon Jun 10 18:40:35 2019 daemon.notice openvpn(changed)[1978]: SIGTERM[hard,] received, process exiting
Mon Jun 10 18:40:35 2019 daemon.notice netifd: Interface 'VPN_2' is disabled
Mon Jun 10 18:41:03 2019 daemon.err openvpn(changed)[2333]: Options error: only one of --tun-mtu or --link-mtu may be defined (note that --ifconfig implies --link-mtu 1500)
Mon Jun 10 18:41:03 2019 daemon.warn openvpn(changed)[2333]: Use --help for more information.
Mon Jun 10 18:42:10 2019 daemon.notice openvpn(changed)[2539]: OpenVPN 2.4.5 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Mon Jun 10 18:42:10 2019 daemon.notice openvpn(changed)[2539]: library versions: OpenSSL 1.0.2s  28 May 2019, LZO 2.10
Mon Jun 10 18:42:10 2019 daemon.warn openvpn(changed)[2539]: WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 1449)
Mon Jun 10 18:42:10 2019 daemon.notice openvpn(changed)[2539]: TCP/UDP: Preserving recently used remote address: [AF_INET]x.x.x.x:1196
Mon Jun 10 18:42:10 2019 daemon.notice openvpn(changed)[2539]: Socket Buffers: R=[163840->163840] S=[163840->163840]
Mon Jun 10 18:42:10 2019 daemon.notice openvpn(changed)[2539]: UDP link local: (not bound)
Mon Jun 10 18:42:10 2019 daemon.notice openvpn(changed)[2539]: UDP link remote: [AF_INET]x.x.x.x:1196

I changed the IP address to x.x.x.x and the domain name to "changed" for security reasons.

I solved it; the problem was on the pfSense side. But now I have a new problem: with the firewall rules set, I can use the VPN from the LAN subnet, but I want to use it on another interface, which is a VLAN. If I set the firewall rules for that and connect to the VPN, there is no internet on the LAN interface; if I disconnect the VPN, it works.


You'll have to post the configurations again so we can see what the problem is.

The configuration was not changed, because the problem was on the pfSense side.

Then you haven't explained properly what you want to achieve.

Where is that other interface in the configuration?
