OpenVPN clients cannot access Internet

I am trying to configure an OpenVPN server on my router. I have followed the guide from the wiki. I have created two users (client1, client2) and each one can connect to the VPN and see the remote network hosted on the router. I do not want to have all the traffic through the VPN for the clients, so I added into their .ovpn file pull-filter ignore redirect-gateway.
The problem is that the remote users cannot access anything else apart from the remote network. Even if I delete the option pull-filter ignore redirect-gateway, the problem still exists. If I do a tracert from the client (Windows 10) to 8.8.8.8, I am reaching the default gateway IP of the tunnel, but that's it. No further progress, and then I am getting a destination protocol unreachable.

If I do a logread -f /var/log/lastlog then I am getting a lot of entries:

Mon Sep 26 12:46:19 2022 daemon.err openvpn(client)[6004]: Options error: You must define TUN/TAP device (--dev)
Mon Sep 26 12:46:19 2022 daemon.warn openvpn(client)[6004]: Use --help for more information.
Mon Sep 26 12:46:24 2022 daemon.warn openvpn(client)[6005]: Cipher negotiation is disabled since neither P2MP client nor server mode is enabled

although if I do an 'ifconfig' I am getting

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:192.168.32.1  P-t-P:192.168.32.1  Mask:255.255.255.0
          inet6 addr: fe80::b0d8:38b8:ffb4:9ffe/64 Scope:Link
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:229 errors:0 dropped:0 overruns:0 frame:0
          TX packets:233 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:12921 (12.6 KiB)  TX bytes:14618 (14.2 KiB)

I do not want them to connect to OpenVPN and browse the Internet from the VPN, but rather to have Internet access from their local DSL and be able to see the remote network when connected to OpenVPN. How could I fix this, please?

In OpenWrt, if I try to ping with tun0 as the source, it fails


root@OpenWrt-APU:~# ping -I tun0 www.google.gr
PING www.google.gr (142.250.74.195): 56 data bytes

Any ideas, please?

Options error: You must define TUN/TAP device (--dev)

In the wiki there is dev tun; is this missing from your config?

OVPN_CONF="${OVPN_DIR}/${OVPN_ID}.conf"
cat << EOF > ${OVPN_CONF} ;;
user nobody
group nogroup
dev tun
port ${OVPN_PORT}
proto ${OVPN_PROTO}

Check your config for errors.

I had the aforementioned config, but something was not working. So I had to start from scratch and it seems to work. But when I try to connect from the client, it shows:

Wed Sep 28 10:26:22 2022 NOTE: --user option is not implemented on Windows
Wed Sep 28 10:26:22 2022 NOTE: --group option is not implemented on Windows
Wed Sep 28 10:26:22 2022 --cipher is not set. Previous OpenVPN version defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.

On Windows the user and group options are not available, only on *nix environments.
With cipher you can specify the cipher used for communication. The available ciphers vary among the OpenVPN versions, so be careful here. Just be sure to use the same cipher option in both server and client configs.

Lost it completely. What do I have to do?

On your server, run the following command:

openvpn --show-ciphers

root@OpenWrt:~# openvpn --show-ciphers
AES-128-CBC  (128 bit key, 128 bit block)
AES-128-CFB  (128 bit key, 128 bit block, TLS client/server mode only)
AES-128-CFB1  (128 bit key, 128 bit block, TLS client/server mode only)
AES-128-CFB8  (128 bit key, 128 bit block, TLS client/server mode only)
AES-128-GCM  (128 bit key, 128 bit block, TLS client/server mode only)
AES-128-OFB  (128 bit key, 128 bit block, TLS client/server mode only)
AES-192-CBC  (192 bit key, 128 bit block)
AES-192-CFB  (192 bit key, 128 bit block, TLS client/server mode only)
AES-192-CFB1  (192 bit key, 128 bit block, TLS client/server mode only)
AES-192-CFB8  (192 bit key, 128 bit block, TLS client/server mode only)
AES-192-GCM  (192 bit key, 128 bit block, TLS client/server mode only)
AES-192-OFB  (192 bit key, 128 bit block, TLS client/server mode only)
AES-256-CBC  (256 bit key, 128 bit block)
AES-256-CFB  (256 bit key, 128 bit block, TLS client/server mode only)
AES-256-CFB1  (256 bit key, 128 bit block, TLS client/server mode only)
AES-256-CFB8  (256 bit key, 128 bit block, TLS client/server mode only)
AES-256-GCM  (256 bit key, 128 bit block, TLS client/server mode only)
AES-256-OFB  (256 bit key, 128 bit block, TLS client/server mode only)
CHACHA20-POLY1305  (256 bit key, stream cipher, TLS client/server mode only)

The following ciphers have a block size of less than 128 bits, 
and are therefore deprecated.  Do not use unless you have to.

BF-CBC  (128 bit key by default, 64 bit block)
BF-CFB  (128 bit key by default, 64 bit block, TLS client/server mode only)
BF-OFB  (128 bit key by default, 64 bit block, TLS client/server mode only)
CAST5-CBC  (128 bit key by default, 64 bit block)
CAST5-CFB  (128 bit key by default, 64 bit block, TLS client/server mode only)
CAST5-OFB  (128 bit key by default, 64 bit block, TLS client/server mode only)
DES-CBC  (64 bit key, 64 bit block)
DES-CFB  (64 bit key, 64 bit block, TLS client/server mode only)
DES-CFB1  (64 bit key, 64 bit block, TLS client/server mode only)
DES-CFB8  (64 bit key, 64 bit block, TLS client/server mode only)
DES-EDE-CBC  (128 bit key, 64 bit block)
DES-EDE-CFB  (128 bit key, 64 bit block, TLS client/server mode only)
DES-EDE-OFB  (128 bit key, 64 bit block, TLS client/server mode only)
DES-EDE3-CBC  (192 bit key, 64 bit block)
DES-EDE3-CFB  (192 bit key, 64 bit block, TLS client/server mode only)
DES-EDE3-CFB1  (192 bit key, 64 bit block, TLS client/server mode only)
DES-EDE3-CFB8  (192 bit key, 64 bit block, TLS client/server mode only)
DES-EDE3-OFB  (192 bit key, 64 bit block, TLS client/server mode only)
DES-OFB  (64 bit key, 64 bit block, TLS client/server mode only)
DESX-CBC  (192 bit key, 64 bit block)
RC2-40-CBC  (40 bit key by default, 64 bit block)
RC2-64-CBC  (64 bit key by default, 64 bit block)
RC2-CBC  (128 bit key by default, 64 bit block)
RC2-CFB  (128 bit key by default, 64 bit block, TLS client/server mode only)
RC2-OFB  (128 bit key by default, 64 bit block, TLS client/server mode only)

If you choose, for instance, AES-256-GCM, then you need to add this to the config (both server and client):

option cipher 'AES-256-GCM'

And restart the OpenVPN instance either from LuCI or from the command line.
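
Added example (not part of the thread, and not OpenWrt's or OpenVPN's own tooling): a POSIX sh check that the server and client name the same cipher and that it is not one of the 64-bit block ciphers that --show-ciphers lists as deprecated. The helper names, file names and sample files are constructed for illustration, and it reads only the cipher directive discussed above, not data-ciphers.

```shell
#!/bin/sh
# Added example; helper and file names are hypothetical, sample files constructed.

# Read the cipher from UCI form (option cipher 'X') or native form (cipher X).
get_cipher() {
    awk -v q="'" '{ sub(/\r$/, "") }
        $1 == "option" && $2 == "cipher" { gsub("[\"" q "]", "", $3); print $3; exit }
        $1 == "cipher" { print $2; exit }' "$1"
}

# Block size in bits from saved `openvpn --show-ciphers` output; empty for
# stream ciphers such as CHACHA20-POLY1305 or for ciphers that are not listed.
block_bits() {
    awk -v c="$1" '$1 == c { for (i = 2; i < NF; i++)
        if ($(i + 1) == "bit" && $(i + 2) ~ /^block/) { print $i; exit } }' "$2"
}

# check_pair SERVER_CONF CLIENT_CONF CIPHER_LIST: one-line verdict, status 0 only if OK.
check_pair() {
    s=$(get_cipher "$1"); c=$(get_cipher "$2")
    if [ -z "$s" ] || [ -z "$c" ]; then
        echo "UNSET server=${s:-none} client=${c:-none}"; return 1
    fi
    if [ "$s" != "$c" ]; then echo "MISMATCH server=$s client=$c"; return 1; fi
    if ! awk -v c="$s" '$1 == c { found = 1 } END { exit !found }' "$3"; then
        echo "UNSUPPORTED $s"; return 1
    fi
    bits=$(block_bits "$s" "$3")
    if [ -n "$bits" ] && [ "$bits" -lt 128 ]; then
        echo "WEAK $s ${bits}-bit block"; return 1
    fi
    echo "OK $s"
}

# Constructed sample input: three lines of --show-ciphers output and four configs.
WORK=$(mktemp -d)
cat > "$WORK/ciphers" << 'EOF'
AES-256-GCM  (256 bit key, 128 bit block, TLS client/server mode only)
CHACHA20-POLY1305  (256 bit key, stream cipher, TLS client/server mode only)
BF-CBC  (128 bit key by default, 64 bit block)
EOF
printf "config openvpn 'server'\n\toption dev 'tun'\n\toption cipher 'AES-256-GCM'\n" > "$WORK/server.uci"
printf 'client\r\ndev tun\r\ncipher AES-256-GCM\r\n' > "$WORK/good.ovpn"
printf 'client\r\ndev tun\r\n' > "$WORK/nocipher.ovpn"
printf 'client\ndev tun\ncipher BF-CBC\n' > "$WORK/bf.ovpn"

check_pair "$WORK/server.uci" "$WORK/good.ovpn" "$WORK/ciphers" || true
check_pair "$WORK/server.uci" "$WORK/nocipher.ovpn" "$WORK/ciphers" || true
check_pair "$WORK/bf.ovpn" "$WORK/bf.ovpn" "$WORK/ciphers" || true
```

On a real router, save the output of openvpn --show-ciphers to a file and pass it as the third argument, so the verdict reflects what that build actually supports.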
