OpenVPN config for accessing LAN and internet?

Hi,
I just created OpenVPN with this guide: https://openwrt.org/docs/guide-user/services/vpn/openvpn/basic
I can connect to the VPN from outside, but there is no internet and I can't see any LAN devices.
Here are all the configs:

firewall

uci show firewall
firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].network='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].network='wan' 'wan6'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.@rule[9]=rule
firewall.@rule[9].name='Allow-OpenVPN'
firewall.@rule[9].src='wan'
firewall.@rule[9].dest_port='1194'
firewall.@rule[9].proto='tcp udp'
firewall.@rule[9].target='ACCEPT'
firewall.@zone[2]=zone
firewall.@zone[2].name='vpnserver'
firewall.@zone[2].network='vpnserver'
firewall.@zone[2].input='ACCEPT'
firewall.@zone[2].output='ACCEPT'
firewall.@zone[2].forward='ACCEPT'
firewall.@zone[2].masq='1'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].dest='vpnserver'
firewall.@forwarding[1].src='lan'
firewall.@forwarding[2]=forwarding
firewall.@forwarding[2].dest='vpnserver'
firewall.@forwarding[2].src='wan'
firewall.@forwarding[3]=forwarding
firewall.@forwarding[3].dest='lan'
firewall.@forwarding[3].src='vpnserver'
firewall.@forwarding[4]=forwarding
firewall.@forwarding[4].dest='wan'
firewall.@forwarding[4].src='vpnserver'

network

uci show network
network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.lan=interface
network.lan.type='bridge'
network.lan.ifname='eth0.1'
network.lan.proto='static'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.lan.ipaddr='192.168.0.3'
network.lan.gateway='192.168.0.1'
network.lan.dns='192.168.0.1 8.8.8.8'
network.lan_dev=device
network.lan_dev.name='eth0.1'
network.lan_dev.macaddr='84:a4:23:13:0d:c4'
network.@switch[0]=switch
network.@switch[0].name='switch0'
network.@switch[0].reset='1'
network.@switch[0].enable_vlan='1'
network.@switch_vlan[0]=switch_vlan
network.@switch_vlan[0].device='switch0'
network.@switch_vlan[0].vlan='1'
network.@switch_vlan[0].vid='1'
network.@switch_vlan[0].ports='0 1 2 4 5 6t'
network.vpnserver=interface
network.vpnserver.ifname='tun0'
network.vpnserver.proto='none'

openvpn

uci show openvpn
openvpn.vpnserver=openvpn
openvpn.vpnserver.enabled='1'
openvpn.vpnserver.dev='tun0'
openvpn.vpnserver.topology='subnet'
openvpn.vpnserver.port='1194'
openvpn.vpnserver.server='192.168.200.0 255.255.255.0'
openvpn.vpnserver.client_to_client='1'
openvpn.vpnserver.compress='lzo'
openvpn.vpnserver.keepalive='10 120'
openvpn.vpnserver.persist_tun='1'
openvpn.vpnserver.persist_key='1'
openvpn.vpnserver.dh='/etc/openvpn/dh.pem'
openvpn.vpnserver.tls_crypt='/etc/openvpn/tc.pem'
openvpn.vpnserver.ca='/etc/openvpn/ca.crt'
openvpn.vpnserver.cert='/etc/openvpn/vpnserver.crt'
openvpn.vpnserver.key='/etc/openvpn/vpnserver.key'
openvpn.vpnserver.push='redirect-gateway def1' 'compress lzo' 'persist-tun' 'persist-key'
openvpn.vpnserver.verb='5'
openvpn.vpnserver.proto='tcp'

logread -l 250 -e openvpn
Mon Jan 14 19:42:03 2019 daemon.notice openvpn(vpnserver)[1430]: OpenVPN 2.4.5 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Mon Jan 14 19:42:03 2019 daemon.notice openvpn(vpnserver)[1430]: library versions: OpenSSL 1.0.2p  14 Aug 2018, LZO 2.10
Mon Jan 14 19:42:03 2019 daemon.warn openvpn(vpnserver)[1430]: NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x.  Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
Mon Jan 14 19:42:03 2019 daemon.notice openvpn(vpnserver)[1430]: Diffie-Hellman initialized with 2048 bit key
Mon Jan 14 19:42:04 2019 daemon.notice openvpn(vpnserver)[1430]: Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Mon Jan 14 19:42:04 2019 daemon.notice openvpn(vpnserver)[1430]: Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Mon Jan 14 19:42:04 2019 daemon.notice openvpn(vpnserver)[1430]: Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Mon Jan 14 19:42:04 2019 daemon.notice openvpn(vpnserver)[1430]: Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Mon Jan 14 19:42:04 2019 daemon.notice openvpn(vpnserver)[1430]: TLS-Auth MTU parms [ L:1624 D:1154 EF:96 EB:0 ET:0 EL:3 ]
Mon Jan 14 19:42:04 2019 daemon.notice openvpn(vpnserver)[1430]: TUN/TAP device tun0 opened
Mon Jan 14 19:42:04 2019 daemon.notice openvpn(vpnserver)[1430]: TUN/TAP TX queue length set to 100
Mon Jan 14 19:42:04 2019 daemon.notice openvpn(vpnserver)[1430]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Mon Jan 14 19:42:04 2019 daemon.notice openvpn(vpnserver)[1430]: /sbin/ifconfig tun0 192.168.200.1 netmask 255.255.255.0 mtu 1500 broadcast 192.168.200.255
Mon Jan 14 19:42:04 2019 daemon.notice openvpn(vpnserver)[1430]: Data Channel MTU parms [ L:1624 D:1450 EF:124 EB:406 ET:0 EL:3 ]
Mon Jan 14 19:42:04 2019 daemon.warn openvpn(vpnserver)[1430]: Could not determine IPv4/IPv6 protocol. Using AF_INET
Mon Jan 14 19:42:04 2019 daemon.notice openvpn(vpnserver)[1430]: Socket Buffers: R=[87380->87380] S=[16384->16384]
Mon Jan 14 19:42:04 2019 daemon.notice openvpn(vpnserver)[1430]: Listening for incoming TCP connection on [AF_INET][undef]:1194
Mon Jan 14 19:42:04 2019 daemon.notice openvpn(vpnserver)[1430]: TCPv4_SERVER link local (bound): [AF_INET][undef]:1194
Mon Jan 14 19:42:04 2019 daemon.notice openvpn(vpnserver)[1430]: TCPv4_SERVER link remote: [AF_UNSPEC]
Mon Jan 14 19:42:04 2019 daemon.notice openvpn(vpnserver)[1430]: MULTI: multi_init called, r=256 v=256
Mon Jan 14 19:42:04 2019 daemon.notice openvpn(vpnserver)[1430]: IFCONFIG POOL: base=192.168.200.2 size=252, ipv6=0
Mon Jan 14 19:42:04 2019 daemon.notice openvpn(vpnserver)[1430]: MULTI: TCP INIT maxclients=1024 maxevents=1028
Mon Jan 14 19:42:04 2019 daemon.notice openvpn(vpnserver)[1430]: Initialization Sequence Completed
Mon Jan 14 19:44:58 2019 daemon.notice openvpn(vpnserver)[1430]: MULTI: multi_create_instance called
Mon Jan 14 19:44:58 2019 daemon.notice openvpn(vpnserver)[1430]: Re-using SSL/TLS context
Mon Jan 14 19:44:58 2019 daemon.notice openvpn(vpnserver)[1430]: LZO compression initializing
Mon Jan 14 19:44:58 2019 daemon.notice openvpn(vpnserver)[1430]: Control Channel MTU parms [ L:1624 D:1154 EF:96 EB:0 ET:0 EL:3 ]
Mon Jan 14 19:44:58 2019 daemon.notice openvpn(vpnserver)[1430]: Data Channel MTU parms [ L:1624 D:1450 EF:124 EB:406 ET:0 EL:3 ]
Mon Jan 14 19:44:58 2019 daemon.notice openvpn(vpnserver)[1430]: Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Mon Jan 14 19:44:58 2019 daemon.notice openvpn(vpnserver)[1430]: Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Mon Jan 14 19:44:58 2019 daemon.notice openvpn(vpnserver)[1430]: TCP connection established with [AF_INET]94.197.121.245:29350
Mon Jan 14 19:44:58 2019 daemon.notice openvpn(vpnserver)[1430]: TCPv4_SERVER link local: (not bound)
Mon Jan 14 19:44:58 2019 daemon.notice openvpn(vpnserver)[1430]: TCPv4_SERVER link remote: [AF_INET]94.197.121.245:29350
Mon Jan 14 19:44:58 2019 daemon.notice openvpn(vpnserver)[1430]: 94.197.121.245:29350 TLS: Initial packet from [AF_INET]94.197.121.245:29350, sid=5bc8ddbe 25e93316
Mon Jan 14 19:45:00 2019 daemon.notice openvpn(vpnserver)[1430]: 94.197.121.245:29350 VERIFY OK: depth=1, C=GB, ST=London, O=WWW Ltd.
Mon Jan 14 19:45:00 2019 daemon.notice openvpn(vpnserver)[1430]: 94.197.121.245:29350 VERIFY OK: depth=0, CN=vpnclient
Mon Jan 14 19:45:00 2019 daemon.notice openvpn(vpnserver)[1430]: 94.197.121.245:29350 peer info: IV_GUI_VER=OC30Android
Mon Jan 14 19:45:00 2019 daemon.notice openvpn(vpnserver)[1430]: 94.197.121.245:29350 peer info: IV_VER=3.2
Mon Jan 14 19:45:00 2019 daemon.notice openvpn(vpnserver)[1430]: 94.197.121.245:29350 peer info: IV_PLAT=android
Mon Jan 14 19:45:00 2019 daemon.notice openvpn(vpnserver)[1430]: 94.197.121.245:29350 peer info: IV_NCP=2
Mon Jan 14 19:45:00 2019 daemon.notice openvpn(vpnserver)[1430]: 94.197.121.245:29350 peer info: IV_TCPNL=1
Mon Jan 14 19:45:00 2019 daemon.notice openvpn(vpnserver)[1430]: 94.197.121.245:29350 peer info: IV_PROTO=2
Mon Jan 14 19:45:00 2019 daemon.notice openvpn(vpnserver)[1430]: 94.197.121.245:29350 peer info: IV_LZO=1
Mon Jan 14 19:45:00 2019 daemon.notice openvpn(vpnserver)[1430]: 94.197.121.245:29350 peer info: IV_AUTO_SESS=1
Mon Jan 14 19:45:00 2019 daemon.notice openvpn(vpnserver)[1430]: 94.197.121.245:29350 peer info: IV_BS64DL=1
Mon Jan 14 19:45:00 2019 daemon.notice openvpn(vpnserver)[1430]: 94.197.121.245:29350 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Mon Jan 14 19:45:00 2019 daemon.notice openvpn(vpnserver)[1430]: 94.197.121.245:29350 [vpnclient] Peer Connection Initiated with [AF_INET]94.197.121.245:29350
Mon Jan 14 19:45:00 2019 daemon.notice openvpn(vpnserver)[1430]: vpnclient/94.197.121.245:29350 MULTI_sva: pool returned IPv4=192.168.200.2, IPv6=(Not enabled)
Mon Jan 14 19:45:00 2019 daemon.notice openvpn(vpnserver)[1430]: vpnclient/94.197.121.245:29350 MULTI: Learn: 192.168.200.2 -> vpnclient/94.197.121.245:29350
Mon Jan 14 19:45:00 2019 daemon.notice openvpn(vpnserver)[1430]: vpnclient/94.197.121.245:29350 MULTI: primary virtual IP for vpnclient/94.197.121.245:29350: 192.168.200.2
Mon Jan 14 19:45:00 2019 daemon.notice openvpn(vpnserver)[1430]: vpnclient/94.197.121.245:29350 PUSH: Received control message: 'PUSH_REQUEST'
Mon Jan 14 19:45:00 2019 daemon.notice openvpn(vpnserver)[1430]: vpnclient/94.197.121.245:29350 SENT CONTROL [vpnclient]: 'PUSH_REPLY,redirect-gateway def1,compress lzo,persist-tun,persist-key,route-gateway 192.168.200.1,topology subnet,ping 10,ping-restart 120,ifconfig 192.168.200.2 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1)
Mon Jan 14 19:45:00 2019 daemon.notice openvpn(vpnserver)[1430]: vpnclient/94.197.121.245:29350 Data Channel: using negotiated cipher 'AES-256-GCM'
Mon Jan 14 19:45:00 2019 daemon.notice openvpn(vpnserver)[1430]: vpnclient/94.197.121.245:29350 Data Channel MTU parms [ L:1552 D:1450 EF:52 EB:406 ET:0 EL:3 ]
Mon Jan 14 19:45:00 2019 daemon.notice openvpn(vpnserver)[1430]: vpnclient/94.197.121.245:29350 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mon Jan 14 19:45:00 2019 daemon.notice openvpn(vpnserver)[1430]: vpnclient/94.197.121.245:29350 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mon Jan 14 19:45:00 2019 daemon.notice openvpn(vpnserver)[1430]: vpnclient/94.197.121.245:29350 MULTI: bad source address from client [100.89.177.180], packet dropped
Mon Jan 14 19:45:00 2019 daemon.notice openvpn(vpnserver)[1430]: vpnclient/94.197.121.245:29350 MULTI: bad source address from client [100.89.177.180], packet dropped
Mon Jan 14 19:45:01 2019 daemon.notice openvpn(vpnserver)[1430]: vpnclient/94.197.121.245:29350 MULTI: bad source address from client [100.89.177.180], packet dropped
Mon Jan 14 19:45:01 2019 daemon.notice openvpn(vpnserver)[1430]: vpnclient/94.197.121.245:29350 MULTI: bad source address from client [100.89.177.180], packet dropped
Mon Jan 14 19:45:02 2019 daemon.notice openvpn(vpnserver)[1430]: vpnclient/94.197.121.245:29350 MULTI: bad source address from client [100.89.177.180], packet dropped
Mon Jan 14 19:45:02 2019 daemon.notice openvpn(vpnserver)[1430]: vpnclient/94.197.121.245:29350 MULTI: bad source address from client [100.89.177.180], packet dropped
Mon Jan 14 19:45:03 2019 daemon.notice openvpn(vpnserver)[1430]: vpnclient/94.197.121.245:29350 MULTI: bad source address from client [100.89.177.180], packet dropped
Mon Jan 14 19:45:04 2019 daemon.notice openvpn(vpnserver)[1430]: vpnclient/94.197.121.245:29350 MULTI: bad source address from client [100.89.177.180], packet dropped
Mon Jan 14 19:45:06 2019 daemon.notice openvpn(vpnserver)[1430]: vpnclient/94.197.121.245:29350 MULTI: bad source address from client [100.89.177.180], packet dropped
Mon Jan 14 19:45:08 2019 daemon.notice openvpn(vpnserver)[1430]: vpnclient/94.197.121.245:29350 MULTI: bad source address from client [100.89.177.180], packet dropped
Mon Jan 14 19:45:11 2019 daemon.notice openvpn(vpnserver)[1430]: vpnclient/94.197.121.245:29350 MULTI: bad source address from client [100.89.177.180], packet dropped
Mon Jan 14 19:45:16 2019 daemon.notice openvpn(vpnserver)[1430]: vpnclient/94.197.121.245:29350 MULTI: bad source address from client [100.89.177.180], packet dropped
Mon Jan 14 19:45:21 2019 daemon.notice openvpn(vpnserver)[1430]: vpnclient/94.197.121.245:29350 MULTI: bad source address from client [100.89.177.180], packet dropped
Mon Jan 14 19:45:32 2019 daemon.notice openvpn(vpnserver)[1430]: vpnclient/94.197.121.245:29350 MULTI: bad source address from client [100.89.177.180], packet dropped
Mon Jan 14 19:45:40 2019 daemon.notice openvpn(vpnserver)[1430]: vpnclient/94.197.121.245:29350 MULTI: bad source address from client [100.89.177.180], packet dropped
Mon Jan 14 19:45:42 2019 daemon.notice openvpn(vpnserver)[1430]: vpnclient/94.197.121.245:29350 MULTI: bad source address from client [100.89.177.180], packet dropped
Mon Jan 14 19:46:25 2019 daemon.notice openvpn(vpnserver)[1430]: vpnclient/94.197.121.245:29350 MULTI: bad source address from client [100.89.177.180], packet dropped
Mon Jan 14 19:50:28 2019 daemon.notice openvpn(vpnserver)[1430]: vpnclient/94.197.121.245:29350 [vpnclient] Inactivity timeout (--ping-restart), restarting
Mon Jan 14 19:50:28 2019 daemon.notice openvpn(vpnserver)[1430]: vpnclient/94.197.121.245:29350 SIGUSR1[soft,ping-restart] received, client-instance restarting
Mon Jan 14 19:50:28 2019 daemon.notice openvpn(vpnserver)[1430]: TCP/UDP: Closing socket

ovpn client

cat /etc/openvpn/vpnclient.ovpn 
verb 7
nobind
dev tun
client
remote xxxxxxxxxx 1194 tcp
fast-io
compress lzo
auth-nocache
remote-cert-tls server
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
xxxxxxxxxx
-----END OpenVPN Static key V1-----
</tls-crypt>
<ca>
-----BEGIN CERTIFICATE-----
xxxxxxxxxxxxx
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
xxxxxxxxx
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
xxxxxxxxx
-----END ENCRYPTED PRIVATE KEY-----
</key>

Here is the log from the Android client:

19:44:59.427 -- ----- OpenVPN Start -----

19:44:59.427 -- EVENT: CORE_THREAD_ACTIVE

19:44:59.442 -- Frame=512/2048/512 mssfix-ctrl=1250

19:44:59.443 -- UNUSED OPTIONS
0 [verb] [7] 
1 [nobind] 
5 [fast-io] 
7 [auth-nocache] 


19:44:59.443 -- EVENT: RESOLVE

19:44:59.716 -- Contacting xxxxxxxxxxx:1194 via TCP

19:44:59.717 -- EVENT: WAIT

19:44:59.799 -- Connecting to [xxxxxxxxxx]:1194 (xxxxxxxxxxx) via TCPv4

19:44:59.878 -- EVENT: CONNECTING

19:44:59.880 -- Tunnel Options:V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client

19:44:59.881 -- Creds: UsernameEmpty/PasswordEmpty

19:44:59.881 -- Peer Info:
IV_GUI_VER=OC30Android
IV_VER=3.2
IV_PLAT=android
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2
IV_LZO=1
IV_AUTO_SESS=1
IV_BS64DL=1


19:45:01.396 -- VERIFY OK : depth=1
cert. version     : 3
serial number     : E0:5C:DF:FC:C0:86:C8:18
issuer name       : C=GB, ST=London, O=WWW Ltd.
subject name      : C=GB, ST=London, O=WWW Ltd.
issued  on        : 2019-01-14 17:42:28
expires on        : 2029-01-11 17:42:28
signed using      : RSA with SHA-256
RSA key size      : 4096 bits
basic constraints : CA=true


19:45:01.398 -- VERIFY OK : depth=0
cert. version     : 3
serial number     : 10:00
issuer name       : C=GB, ST=London, O=WWW Ltd.
subject name      : CN=vpnserver
issued  on        : 2019-01-14 17:43:23
expires on        : 2029-01-11 17:43:23
signed using      : RSA with SHA-256
RSA key size      : 4096 bits
key usage         : Digital Signature, Key Encipherment
ext key usage     : TLS Web Server Authentication


19:45:01.914 -- SSL Handshake: TLSv1.2/TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384

19:45:01.917 -- Session is ACTIVE

19:45:01.918 -- EVENT: GET_CONFIG

19:45:01.926 -- Sending PUSH_REQUEST to server...

19:45:02.097 -- OPTIONS:
0 [redirect-gateway] [def1] 
1 [compress] [lzo] 
2 [persist-tun] 
3 [persist-key] 
4 [route-gateway] [192.168.200.1] 
5 [topology] [subnet] 
6 [ping] [10] 
7 [ping-restart] [120] 
8 [ifconfig] [192.168.200.2] [255.255.255.0] 
9 [peer-id] [0] 
10 [cipher] [AES-256-GCM] 


19:45:02.098 -- PROTOCOL OPTIONS:
  cipher: AES-256-GCM
  digest: SHA1
  compress: LZO
  peer ID: 0

19:45:02.099 -- EVENT: ASSIGN_IP

19:45:02.103 -- Google DNS fallback enabled

19:45:02.134 -- Connected via tun

19:45:02.135 -- LZO-ASYM init swap=0 asym=0

19:45:02.136 -- EVENT: CONNECTED info='@xxxxxxxxxxx:1194 (xxxxxxxxxx) via /TCPv4 on tun/192.168.200.2/ gw=[192.168.200.1/]' trans=TO_CONNECTED

19:46:29.992 -- TCP recv error: Software caused connection abort

19:46:29.998 -- Transport Error: Transport error on 'xxxxxxxxxx: NETWORK_RECV_ERROR

19:46:30.000 -- Client terminated, restarting in 5000 ms...

19:46:30.084 -- EVENT: PAUSE trans=TO_DISCONNECTED

Looks like VPN-server is not on your main router.
If you want to access LAN-devices:

  • Disable masquerading on VPN-zone.
  • Add route to VPN-network via VPN-server on your main router.

Try to use this client: https://github.com/schwabe/ics-openvpn
And increase client side log level if the issue is not resolved.

I don't think so, it is running on the OpenWrt router.

As vgaetera mentioned, erase the masquerade on vpnserver firewall zone.
Also fix the zone forwardings, as you are allowing everything towards everywhere.
You need lan->wan, lan->vpn, vpn->lan and vpn->wan
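
Added example (not part of the thread or of OpenWrt's own tooling): a POSIX sh function that reads `uci show firewall` output and flags the two issues named in the replies above, masquerading on the VPN zone and any forwarding outside the lan->wan, lan->vpn, vpn->lan, vpn->wan set. The function name `audit_firewall`, the finding labels and the embedded sample (constructed from the zone and forwarding lines of the first post) are assumptions of this example.

```sh
#!/bin/sh
# Added example, not from the thread. Audits `uci show firewall` text for
# masquerading on the VPN zone and for forwardings other than
# lan->wan, lan->vpn, vpn->lan, vpn->wan. Needs only sh, awk and sort.

# Constructed sample: zone and forwarding lines as in the first post.
SAMPLE_FIREWALL="firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].masq='1'
firewall.@zone[2]=zone
firewall.@zone[2].name='vpnserver'
firewall.@zone[2].masq='1'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].dest='vpnserver'
firewall.@forwarding[1].src='lan'
firewall.@forwarding[2]=forwarding
firewall.@forwarding[2].dest='vpnserver'
firewall.@forwarding[2].src='wan'
firewall.@forwarding[3]=forwarding
firewall.@forwarding[3].dest='lan'
firewall.@forwarding[3].src='vpnserver'
firewall.@forwarding[4]=forwarding
firewall.@forwarding[4].dest='wan'
firewall.@forwarding[4].src='vpnserver'"

# audit_firewall VPN_ZONE
# Reads `uci show firewall` output on stdin, prints one finding per line.
audit_firewall() {
    awk -v vpn="$1" -v q="'" '
    {
        # Split "firewall.<section>.<option>=<value>" at the first "=".
        eq = index($0, "=")
        if (eq == 0) next
        key = substr($0, 1, eq - 1)
        val = substr($0, eq + 1)
        gsub(q, "", val)                      # drop the uci quoting
        # Section headers (firewall.@zone[0]=zone) have only two key parts.
        if (split(key, part, ".") != 3) next
        sec = part[2]; opt = part[3]
        if (sec ~ /^@zone\[/)            { zones[sec] = 1; z[sec, opt] = val }
        else if (sec ~ /^@forwarding\[/) { fwds[sec] = 1;  f[sec, opt] = val }
    }
    END {
        # Forwardings listed in the reply above, with vpn = the VPN zone name.
        want["lan->wan"] = 1;  want["lan->" vpn] = 1
        want[vpn "->lan"] = 1; want[vpn "->wan"] = 1

        for (s in zones)
            if (z[s, "name"] == vpn && z[s, "masq"] == "1")
                print "MASQ_ON_VPN_ZONE " vpn

        for (s in fwds) {
            pair = f[s, "src"] "->" f[s, "dest"]
            if (pair in want) seen[pair] = 1
            else print "EXTRA_FORWARDING " pair
        }

        for (p in want)
            if (!(p in seen)) print "MISSING_FORWARDING " p
    }' | LC_ALL=C sort
}

# Run against the constructed sample.
# On the router itself: uci show firewall | audit_firewall vpnserver
printf '%s\n' "$SAMPLE_FIREWALL" | audit_firewall vpnserver
```

No output means the VPN zone has no masquerading and the forwardings match the four listed in the reply.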

Yes, it's not on the main router; the main router is the internet provider's router, without OpenWrt.
I just have a spare router where I want to set up OpenVPN for remote connection to my LAN.

Actually without WAN-network there's no point in WAN-zone and forwardings to it.


I disabled masquerading on the vpnserver zone and deleted the wan zone on the firewall completely.
The setup itself is simple: OpenWrt with OpenVPN runs like a dumb AP, connected through Ethernet from the main router. Still, I didn't achieve anything: no internet or LAN access. Any ideas?

It should be possible to fix with option float on the server side.
However this is a bit suspicious...
Which client are you using?

I used the official OpenVPN Android client, and have now switched to OpenVPN for Android.

Yep, the one I've mentioned above should work fine.
Otherwise add option float:

uci set openvpn.vpnserver.float="1"
uci commit openvpn
service openvpn restart

Log from the client:

2019-01-14 21:15:16 official build 0.7.5 running on HUAWEI CLT-L09 (CLT), Android 8.1.0 (HUAWEICLT-L09) API 27, ABI arm64-v8a, (HUAWEI/CLT-L09/HWCLT:8.1.0/HUAWEICLT-L09/159(C782):user/release-keys)
2019-01-14 21:15:16 Building configuration…
2019-01-14 21:15:16 New OpenVPN Status (VPN_GENERATE_CONFIG->LEVEL_START): 
2019-01-14 21:15:16 New OpenVPN Status (VPN_GENERATE_CONFIG->LEVEL_START): 
2019-01-14 21:15:16 started Socket Thread
2019-01-14 21:15:16 Network Status: not connected
2019-01-14 21:15:16 Debug state info: not connected, pause: userPause, shouldbeconnected: false, network: PENDINGDISCONNECT 
2019-01-14 21:15:16 Debug state info: not connected, pause: userPause, shouldbeconnected: false, network: PENDINGDISCONNECT 
2019-01-14 21:15:16 Current Parameter Settings:
2019-01-14 21:15:16   config = '/data/user/0/de.blinkt.openvpn/cache/android.conf'
2019-01-14 21:15:16   mode = 0
2019-01-14 21:15:16   show_ciphers = DISABLED
2019-01-14 21:15:16   show_digests = DISABLED
2019-01-14 21:15:16   show_engines = DISABLED
2019-01-14 21:15:16 New OpenVPN Status (NONETWORK->LEVEL_NONETWORK): 
2019-01-14 21:15:16 New OpenVPN Status (NONETWORK->LEVEL_NONETWORK): 
2019-01-14 21:15:16   genkey = DISABLED
2019-01-14 21:15:16   key_pass_file = '[UNDEF]'
2019-01-14 21:15:16   show_tls_ciphers = DISABLED
2019-01-14 21:15:16   connect_retry_max = 0
2019-01-14 21:15:16 Connection profiles [0]:
2019-01-14 21:15:16   proto = tcp-client
2019-01-14 21:15:16   local = '[UNDEF]'
2019-01-14 21:15:16   local_port = '[UNDEF]'
2019-01-14 21:15:16   remote = 'xxxxxxxx'
2019-01-14 21:15:16   remote_port = '1194'
2019-01-14 21:15:16   remote_float = DISABLED
2019-01-14 21:15:16   bind_defined = DISABLED
2019-01-14 21:15:16   bind_local = DISABLED
2019-01-14 21:15:16   bind_ipv6_only = DISABLED
2019-01-14 21:15:16   connect_retry_seconds = 2
2019-01-14 21:15:16   connect_timeout = 120
2019-01-14 21:15:16   socks_proxy_server = '[UNDEF]'
2019-01-14 21:15:16   socks_proxy_port = '[UNDEF]'
2019-01-14 21:15:16   tun_mtu = 1500
2019-01-14 21:15:16   tun_mtu_defined = ENABLED
2019-01-14 21:15:16   link_mtu = 1500
2019-01-14 21:15:16   link_mtu_defined = DISABLED
2019-01-14 21:15:16   tun_mtu_extra = 0
2019-01-14 21:15:16   tun_mtu_extra_defined = DISABLED
2019-01-14 21:15:16   mtu_discover_type = -1
2019-01-14 21:15:16   fragment = 0
2019-01-14 21:15:16   mssfix = 1450
2019-01-14 21:15:16   explicit_exit_notification = 0
2019-01-14 21:15:16 Connection profiles END
2019-01-14 21:15:16   remote_random = DISABLED
2019-01-14 21:15:16   ipchange = '[UNDEF]'
2019-01-14 21:15:16   dev = 'tun'
2019-01-14 21:15:16   dev_type = '[UNDEF]'
2019-01-14 21:15:16   dev_node = '[UNDEF]'
2019-01-14 21:15:16   lladdr = '[UNDEF]'
2019-01-14 21:15:16   topology = 1
2019-01-14 21:15:16   ifconfig_local = '[UNDEF]'
2019-01-14 21:15:16   ifconfig_remote_netmask = '[UNDEF]'
2019-01-14 21:15:16   ifconfig_noexec = DISABLED
2019-01-14 21:15:16   ifconfig_nowarn = ENABLED
2019-01-14 21:15:16   ifconfig_ipv6_local = '[UNDEF]'
2019-01-14 21:15:16   ifconfig_ipv6_netbits = 0
2019-01-14 21:15:16   ifconfig_ipv6_remote = '[UNDEF]'
2019-01-14 21:15:16   shaper = 0
2019-01-14 21:15:16   mtu_test = 0
2019-01-14 21:15:16   mlock = DISABLED
2019-01-14 21:15:16   keepalive_ping = 0
2019-01-14 21:15:16   keepalive_timeout = 0
2019-01-14 21:15:17   inactivity_timeout = 0
2019-01-14 21:15:17   ping_send_timeout = 0
2019-01-14 21:15:17   ping_rec_timeout = 0
2019-01-14 21:15:17   ping_rec_timeout_action = 0
2019-01-14 21:15:17   ping_timer_remote = DISABLED
2019-01-14 21:15:17   remap_sigusr1 = 0
2019-01-14 21:15:17   persist_tun = DISABLED
2019-01-14 21:15:17   persist_local_ip = DISABLED
2019-01-14 21:15:17   persist_remote_ip = DISABLED
2019-01-14 21:15:17   persist_key = DISABLED
2019-01-14 21:15:17   passtos = DISABLED
2019-01-14 21:15:17   resolve_retry_seconds = 60
2019-01-14 21:15:17   resolve_in_advance = DISABLED
2019-01-14 21:15:17   username = '[UNDEF]'
2019-01-14 21:15:17   groupname = '[UNDEF]'
2019-01-14 21:15:17   chroot_dir = '[UNDEF]'
2019-01-14 21:15:17   cd_dir = '[UNDEF]'
2019-01-14 21:15:17   writepid = '[UNDEF]'
2019-01-14 21:15:17   up_script = '[UNDEF]'
2019-01-14 21:15:17   down_script = '[UNDEF]'
2019-01-14 21:15:17   down_pre = DISABLED
2019-01-14 21:15:17   up_restart = DISABLED
2019-01-14 21:15:17   up_delay = DISABLED
2019-01-14 21:15:17   daemon = DISABLED
2019-01-14 21:15:17   inetd = 0
2019-01-14 21:15:17   log = DISABLED
2019-01-14 21:15:17   suppress_timestamps = DISABLED
2019-01-14 21:15:17   machine_readable_output = ENABLED
2019-01-14 21:15:17   nice = 0
2019-01-14 21:15:17   verbosity = 4
2019-01-14 21:15:17   mute = 0
2019-01-14 21:15:17   gremlin = 0
2019-01-14 21:15:17   status_file = '[UNDEF]'
2019-01-14 21:15:17   status_file_version = 1
2019-01-14 21:15:17   status_file_update_freq = 60
2019-01-14 21:15:17   occ = ENABLED
2019-01-14 21:15:17   rcvbuf = 0
2019-01-14 21:15:17   sndbuf = 0
2019-01-14 21:15:17   sockflags = 0
2019-01-14 21:15:17   fast_io = ENABLED
2019-01-14 21:15:17   comp.alg = 2
2019-01-14 21:15:17   comp.flags = 0
2019-01-14 21:15:17   route_script = '[UNDEF]'
2019-01-14 21:15:17   route_default_gateway = '[UNDEF]'
2019-01-14 21:15:17   route_default_metric = 0
2019-01-14 21:15:17   route_noexec = DISABLED
2019-01-14 21:15:17   route_delay = 0
2019-01-14 21:15:17   route_delay_window = 30
2019-01-14 21:15:17   route_delay_defined = DISABLED
2019-01-14 21:15:17   route_nopull = DISABLED
2019-01-14 21:15:17   route_gateway_via_dhcp = DISABLED
2019-01-14 21:15:17   allow_pull_fqdn = DISABLED
2019-01-14 21:15:17   route 192.168.0.0/255.0.0.0/vpn_gateway/default (not set)
2019-01-14 21:15:17   management_addr = '/data/user/0/de.blinkt.openvpn/cache/mgmtsocket'
2019-01-14 21:15:17   management_port = 'unix'
2019-01-14 21:15:17   management_user_pass = '[UNDEF]'
2019-01-14 21:15:17   management_log_history_cache = 250
2019-01-14 21:15:17   management_echo_buffer_size = 100
2019-01-14 21:15:17   management_write_peer_info_file = '[UNDEF]'
2019-01-14 21:15:17   management_client_user = '[UNDEF]'
2019-01-14 21:15:17   management_client_group = '[UNDEF]'
2019-01-14 21:15:17   management_flags = 4390
2019-01-14 21:15:17   shared_secret_file = '[UNDEF]'
2019-01-14 21:15:17   key_direction = not set
2019-01-14 21:15:17   ciphername = 'BF-CBC'
2019-01-14 21:15:17   ncp_enabled = ENABLED
2019-01-14 21:15:17   ncp_ciphers = 'AES-256-GCM:AES-128-GCM'
2019-01-14 21:15:17   authname = 'SHA1'
2019-01-14 21:15:17   prng_hash = 'SHA1'
2019-01-14 21:15:17   prng_nonce_secret_len = 16
2019-01-14 21:15:17   keysize = 0
2019-01-14 21:15:17   engine = DISABLED
2019-01-14 21:15:17   replay = ENABLED
2019-01-14 21:15:17   mute_replay_warnings = DISABLED
2019-01-14 21:15:17   replay_window = 64
2019-01-14 21:15:17   replay_time = 15
2019-01-14 21:15:17   packet_id_file = '[UNDEF]'
2019-01-14 21:15:17   test_crypto = DISABLED
2019-01-14 21:15:17   tls_server = DISABLED
2019-01-14 21:15:17   tls_client = ENABLED
2019-01-14 21:15:17   key_method = 2
2019-01-14 21:15:17   ca_file = '[[INLINE]]'
2019-01-14 21:15:17   ca_path = '[UNDEF]'
2019-01-14 21:15:17   dh_file = '[UNDEF]'
2019-01-14 21:15:17   cert_file = '[[INLINE]]'
2019-01-14 21:15:17   extra_certs_file = '[UNDEF]'
2019-01-14 21:15:17   priv_key_file = '[[INLINE]]'
2019-01-14 21:15:17   pkcs12_file = '[UNDEF]'
2019-01-14 21:15:17   cipher_list = '[UNDEF]'
2019-01-14 21:15:17   tls_cert_profile = '[UNDEF]'
2019-01-14 21:15:17   tls_verify = '[UNDEF]'
2019-01-14 21:15:17   tls_export_cert = '[UNDEF]'
2019-01-14 21:15:17   verify_x509_type = 0
2019-01-14 21:15:17   verify_x509_name = '[UNDEF]'
2019-01-14 21:15:17   crl_file = '[UNDEF]'
2019-01-14 21:15:17   ns_cert_type = 0
2019-01-14 21:15:17   remote_cert_ku[i] = 65535
2019-01-14 21:15:17   remote_cert_ku[i] = 0
2019-01-14 21:15:17   remote_cert_ku[i] = 0
2019-01-14 21:15:17   remote_cert_ku[i] = 0
2019-01-14 21:15:17   remote_cert_ku[i] = 0
2019-01-14 21:15:17   remote_cert_ku[i] = 0
2019-01-14 21:15:17   remote_cert_ku[i] = 0
2019-01-14 21:15:17   remote_cert_ku[i] = 0
2019-01-14 21:15:17   remote_cert_ku[i] = 0
2019-01-14 21:15:17   remote_cert_ku[i] = 0
2019-01-14 21:15:17   remote_cert_ku[i] = 0
2019-01-14 21:15:17   remote_cert_ku[i] = 0
2019-01-14 21:15:17   remote_cert_ku[i] = 0
2019-01-14 21:15:17   remote_cert_ku[i] = 0
2019-01-14 21:15:17   remote_cert_ku[i] = 0
2019-01-14 21:15:17   remote_cert_ku[i] = 0
2019-01-14 21:15:17   remote_cert_eku = 'TLS Web Server Authentication'
2019-01-14 21:15:17   ssl_flags = 0
2019-01-14 21:15:17   tls_timeout = 2
2019-01-14 21:15:17   renegotiate_bytes = -1
2019-01-14 21:15:17   renegotiate_packets = 0
2019-01-14 21:15:17   renegotiate_seconds = 3600
2019-01-14 21:15:17   handshake_window = 60
2019-01-14 21:15:17   transition_window = 3600
2019-01-14 21:15:17   single_session = DISABLED
2019-01-14 21:15:17   push_peer_info = DISABLED
2019-01-14 21:15:17   tls_exit = DISABLED
2019-01-14 21:15:17   tls_auth_file = '[UNDEF]'
2019-01-14 21:15:17   tls_crypt_file = '[[INLINE]]'
2019-01-14 21:15:17   client = ENABLED
2019-01-14 21:15:17   pull = ENABLED
2019-01-14 21:15:17   auth_user_pass_file = '[UNDEF]'
2019-01-14 21:15:17 OpenVPN 2.5-icsopenvpn [git:v2.4_rc2-301-g14adf04a] arm64-v8a [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on May  3 2018
2019-01-14 21:15:17 library versions: OpenSSL 1.1.0h  27 Mar 2018, LZO 2.10
2019-01-14 21:15:17 MANAGEMENT: Connected to management server at /data/user/0/de.blinkt.openvpn/cache/mgmtsocket
2019-01-14 21:15:17 MANAGEMENT: CMD 'version 2'
2019-01-14 21:15:27 Network Status: CONNECTED LTE to MOBILE three.co.uk
2019-01-14 21:15:27 MANAGEMENT: CMD 'hold release'
2019-01-14 21:15:27 Debug state info: CONNECTED LTE to MOBILE three.co.uk, pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED 
2019-01-14 21:15:27 MANAGEMENT: CMD 'bytecount 2'
2019-01-14 21:15:27 MANAGEMENT: CMD 'state on'
2019-01-14 21:15:27 MANAGEMENT: CMD 'proxy NONE'
2019-01-14 21:15:28 NOTE: --fast-io is disabled since we are not using UDP
2019-01-14 21:15:28 MANAGEMENT: CMD 'password [...]'
2019-01-14 21:15:28 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2019-01-14 21:15:28 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2019-01-14 21:15:28 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2019-01-14 21:15:28 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2019-01-14 21:15:28 New OpenVPN Status (RESOLVE->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): ,,,,,
2019-01-14 21:15:29 New OpenVPN Status (RESOLVE->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): ,,,,,
2019-01-14 21:15:28 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2019-01-14 21:15:29 LZO compression initializing
2019-01-14 21:15:29 Control Channel MTU parms [ L:1624 D:1154 EF:96 EB:0 ET:0 EL:3 ]
2019-01-14 21:15:29 MANAGEMENT: >STATE:1547500528,RESOLVE,,,,,,
2019-01-14 21:15:29 Data Channel MTU parms [ L:1624 D:1450 EF:124 EB:406 ET:0 EL:3 ]
2019-01-14 21:15:29 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
2019-01-14 21:15:29 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
2019-01-14 21:15:29 TCP/UDP: Preserving recently used remote address: [AF_INET]xxxxxxx:1194
2019-01-14 21:15:29 Socket Buffers: R=[4194304->4194304] S=[524288->524288]
2019-01-14 21:15:29 Attempting to establish TCP connection with [AF_INET]xxxxxxx:1194 [nonblock]
2019-01-14 21:15:29 MANAGEMENT: >STATE:1547500529,TCP_CONNECT,,,,,,
2019-01-14 21:15:29 New OpenVPN Status (TCP_CONNECT->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): ,,,,,
2019-01-14 21:15:29 New OpenVPN Status (TCP_CONNECT->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): ,,,,,
2019-01-14 21:15:29 MANAGEMENT: CMD 'needok 'PROTECTFD' ok'
2019-01-14 21:15:30 TCP connection established with [AF_INET]xxxxxxxx:1194
2019-01-14 21:15:30 New OpenVPN Status (WAIT->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): ,,,,,
2019-01-14 21:15:30 New OpenVPN Status (WAIT->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): ,,,,,
2019-01-14 21:15:30 MANAGEMENT: CMD 'needok 'PROTECTFD' ok'
2019-01-14 21:15:30 TCP_CLIENT link local: (not bound)
2019-01-14 21:15:30 TCP_CLIENT link remote: [AF_INET]xxxxxxxx:1194
2019-01-14 21:15:30 MANAGEMENT: >STATE:1547500530,WAIT,,,,,,
2019-01-14 21:15:30 New OpenVPN Status (AUTH->LEVEL_CONNECTING_SERVER_REPLIED): ,,,,,
2019-01-14 21:15:30 New OpenVPN Status (AUTH->LEVEL_CONNECTING_SERVER_REPLIED): ,,,,,
2019-01-14 21:15:30 MANAGEMENT: >STATE:1547500530,AUTH,,,,,,
2019-01-14 21:15:30 TLS: Initial packet from [AF_INET]xxxxxx:1194, sid=7c994957 15d30de2
2019-01-14 21:15:31 VERIFY OK: depth=1, C=GB, ST=London, O=WWW Ltd.
2019-01-14 21:15:31 VERIFY KU OK
2019-01-14 21:15:31 Validating certificate extended key usage
2019-01-14 21:15:31 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2019-01-14 21:15:31 VERIFY EKU OK
2019-01-14 21:15:31 VERIFY OK: depth=0, CN=vpnserver
2019-01-14 21:15:32 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
2019-01-14 21:15:32 [vpnserver] Peer Connection Initiated with [AF_INET]xxxxxxxx:1194
2019-01-14 21:15:33 New OpenVPN Status (GET_CONFIG->LEVEL_CONNECTING_SERVER_REPLIED): ,,,,,
2019-01-14 21:15:33 New OpenVPN Status (GET_CONFIG->LEVEL_CONNECTING_SERVER_REPLIED): ,,,,,
2019-01-14 21:15:33 MANAGEMENT: >STATE:1547500533,GET_CONFIG,,,,,,
2019-01-14 21:15:33 SENT CONTROL [vpnserver]: 'PUSH_REQUEST' (status=1)
2019-01-14 21:15:33 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,compress lzo,persist-tun,persist-key,route 192.168.0.0 255.255.255.0,dhcp-option DNS 192.168.0.1,dhcp-option DOMAIN lan,route-gateway 192.168.200.1,topology subnet,ping 10,ping-restart 120,ifconfig 192.168.200.2 255.255.255.0,peer-id 0,cipher AES-256-GCM'
2019-01-14 21:15:33 OPTIONS IMPORT: timers and/or timeouts modified
2019-01-14 21:15:33 New OpenVPN Status (ASSIGN_IP->LEVEL_CONNECTING_SERVER_REPLIED): ,192.168.200.2,,,,
2019-01-14 21:15:33 New OpenVPN Status (ASSIGN_IP->LEVEL_CONNECTING_SERVER_REPLIED): ,192.168.200.2,,,,
2019-01-14 21:15:33 OPTIONS IMPORT: compression parms modified
2019-01-14 21:15:33 LZO compression initializing
2019-01-14 21:15:33 OPTIONS IMPORT: --persist options modified
2019-01-14 21:15:33 OPTIONS IMPORT: --ifconfig/up options modified
2019-01-14 21:15:33 OPTIONS IMPORT: route options modified
2019-01-14 21:15:33 OPTIONS IMPORT: route-related options modified
2019-01-14 21:15:33 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2019-01-14 21:15:33 OPTIONS IMPORT: peer-id set
2019-01-14 21:15:33 OPTIONS IMPORT: adjusting link_mtu to 1627
2019-01-14 21:15:33 OPTIONS IMPORT: data channel crypto options modified
2019-01-14 21:15:33 Data Channel: using negotiated cipher 'AES-256-GCM'
2019-01-14 21:15:33 Data Channel MTU parms [ L:1555 D:1450 EF:55 EB:406 ET:0 EL:3 ]
2019-01-14 21:15:33 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2019-01-14 21:15:33 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2019-01-14 21:15:33 New OpenVPN Status (ADD_ROUTES->LEVEL_CONNECTING_SERVER_REPLIED): ,,,,,
2019-01-14 21:15:33 New OpenVPN Status (ADD_ROUTES->LEVEL_CONNECTING_SERVER_REPLIED): ,,,,,
2019-01-14 21:15:33 Corrected route 192.168.0.0/8 to 192.0.0.0/8
2019-01-14 21:15:33 GDG: SIOCGIFHWADDR(lo) failed
2019-01-14 21:15:33 ROUTE_GATEWAY 127.100.103.119/255.0.0.0 IFACE=lo
2019-01-14 21:15:33 Opening tun interface:
2019-01-14 21:15:33 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
2019-01-14 21:15:33 MANAGEMENT: >STATE:1547500533,ASSIGN_IP,,192.168.200.2,,,,
2019-01-14 21:15:33 MANAGEMENT: CMD 'needok 'IFCONFIG' ok'
2019-01-14 21:15:33 Local IPv4: 192.168.200.2/24 IPv6: null MTU: 1500
2019-01-14 21:15:33 DNS Server: 192.168.0.1, Domain: lan
2019-01-14 21:15:33 MANAGEMENT: CMD 'needok 'ROUTE' ok'
2019-01-14 21:15:33 MANAGEMENT: >STATE:1547500533,ADD_ROUTES,,,,,,
2019-01-14 21:15:33 Routes: 0.0.0.0/0, 192.0.0.0/8, 192.168.0.0/24, 192.168.200.0/24 
2019-01-14 21:15:33 Routes excluded:  
2019-01-14 21:15:33 VpnService routes installed: 0.0.0.0/0 
2019-01-14 21:15:33 Disallowed VPN apps: 
2019-01-14 21:15:33 MANAGEMENT: CMD 'needok 'ROUTE' ok'
2019-01-14 21:15:33 MANAGEMENT: CMD 'needok 'ROUTE' ok'
2019-01-14 21:15:33 MANAGEMENT: CMD 'needok 'DNSSERVER' ok'
2019-01-14 21:15:33 MANAGEMENT: CMD 'needok 'DNSDOMAIN' ok'
2019-01-14 21:15:33 MANAGEMENT: CMD 'needok 'PERSIST_TUN_ACTION' OPEN_BEFORE_CLOSE'
2019-01-14 21:15:33 New OpenVPN Status (CONNECTED->LEVEL_CONNECTED): SUCCESS,192.168.200.2,xxxxxxxxx,1194,100.73.192.177,38562
2019-01-14 21:15:33 New OpenVPN Status (CONNECTED->LEVEL_CONNECTED): SUCCESS,192.168.200.2,xxxxxxxx,1194,100.73.192.177,38562
2019-01-14 21:15:33 MANAGEMENT: CMD 'needok 'OPENTUN' ok'
2019-01-14 21:15:33 Initialization Sequence Completed
2019-01-14 21:15:33 MANAGEMENT: >STATE:1547500533,CONNECTED,SUCCESS,192.168.200.2,xxxxxxx,1194,100.73.192.177,38562
2019-01-14 21:15:33 Debug state info: CONNECTED LTE to MOBILE three.co.uk, pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED

Client log after the changes:

2019-01-14 21:23:17 official build 0.7.5 running on HUAWEI CLT-L09 (CLT), Android 8.1.0 (HUAWEICLT-L09) API 27, ABI arm64-v8a, (HUAWEI/CLT-L09/HWCLT:8.1.0/HUAWEICLT-L09/159(C782):user/release-keys)
2019-01-14 21:23:17 Log cleared.
2019-01-14 21:23:23 MANAGEMENT: CMD 'hold release'
2019-01-14 21:23:23 MANAGEMENT: CMD 'bytecount 2'
2019-01-14 21:23:23 MANAGEMENT: CMD 'proxy NONE'
2019-01-14 21:23:23 Network Status: CONNECTED LTE to MOBILE three.co.uk
2019-01-14 21:23:23 Debug state info: CONNECTED LTE to MOBILE three.co.uk, pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED 
2019-01-14 21:23:23 MANAGEMENT: CMD 'state on'
2019-01-14 21:23:24 NOTE: --fast-io is disabled since we are not using UDP
2019-01-14 21:23:24 New OpenVPN Status (TCP_CONNECT->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): ,,,,,
2019-01-14 21:23:24 New OpenVPN Status (TCP_CONNECT->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): ,,,,,
2019-01-14 21:23:24 Re-using SSL/TLS context
2019-01-14 21:23:24 LZO compression initializing
2019-01-14 21:23:24 Control Channel MTU parms [ L:1624 D:1154 EF:96 EB:0 ET:0 EL:3 ]
2019-01-14 21:23:24 Data Channel MTU parms [ L:1624 D:1450 EF:124 EB:406 ET:0 EL:3 ]
2019-01-14 21:23:24 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
2019-01-14 21:23:24 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
2019-01-14 21:23:24 TCP/UDP: Preserving recently used remote address: [AF_INET]xxxxxxxx:1194
2019-01-14 21:23:24 Socket Buffers: R=[4194304->4194304] S=[524288->524288]
2019-01-14 21:23:24 Attempting to establish TCP connection with [AF_INET]xxxxxxxx:1194 [nonblock]
2019-01-14 21:23:24 MANAGEMENT: >STATE:1547501004,TCP_CONNECT,,,,,,
2019-01-14 21:23:24 MANAGEMENT: CMD 'needok 'PROTECTFD' ok'
2019-01-14 21:23:25 TCP connection established with [AF_INET]xxxxxxx:1194
2019-01-14 21:23:25 MANAGEMENT: CMD 'needok 'PROTECTFD' ok'
2019-01-14 21:23:25 TCP_CLIENT link local: (not bound)
2019-01-14 21:23:25 TCP_CLIENT link remote: [AF_INET]xxxxxxx:1194
2019-01-14 21:23:25 MANAGEMENT: >STATE:1547501005,WAIT,,,,,,
2019-01-14 21:23:25 New OpenVPN Status (WAIT->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): ,,,,,
2019-01-14 21:23:25 New OpenVPN Status (WAIT->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): ,,,,,
2019-01-14 21:23:26 MANAGEMENT: >STATE:1547501006,AUTH,,,,,,
2019-01-14 21:23:26 TLS: Initial packet from [AF_INET]xxxxxxxx:1194, sid=6e8d1560 3e4b7b7c
2019-01-14 21:23:26 New OpenVPN Status (AUTH->LEVEL_CONNECTING_SERVER_REPLIED): ,,,,,
2019-01-14 21:23:26 New OpenVPN Status (AUTH->LEVEL_CONNECTING_SERVER_REPLIED): ,,,,,
2019-01-14 21:23:27 VERIFY OK: depth=1, C=GB, ST=London, O=WWW Ltd.
2019-01-14 21:23:27 VERIFY KU OK
2019-01-14 21:23:27 Validating certificate extended key usage
2019-01-14 21:23:27 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2019-01-14 21:23:27 VERIFY EKU OK
2019-01-14 21:23:27 VERIFY OK: depth=0, CN=vpnserver
2019-01-14 21:23:27 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
2019-01-14 21:23:27 [vpnserver] Peer Connection Initiated with [AF_INET]xxxxxxxx:1194
2019-01-14 21:23:28 MANAGEMENT: >STATE:1547501008,GET_CONFIG,,,,,,
2019-01-14 21:23:28 SENT CONTROL [vpnserver]: 'PUSH_REQUEST' (status=1)
2019-01-14 21:23:28 New OpenVPN Status (GET_CONFIG->LEVEL_CONNECTING_SERVER_REPLIED): ,,,,,
2019-01-14 21:23:28 New OpenVPN Status (GET_CONFIG->LEVEL_CONNECTING_SERVER_REPLIED): ,,,,,
2019-01-14 21:23:28 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,compress lzo,persist-tun,persist-key,route 192.168.0.0 255.255.255.0,dhcp-option DNS 192.168.0.1,dhcp-option DOMAIN lan,route-gateway 192.168.200.1,topology subnet,ping 10,ping-restart 120,ifconfig 192.168.200.2 255.255.255.0,peer-id 0,cipher AES-256-GCM'
2019-01-14 21:23:28 OPTIONS IMPORT: timers and/or timeouts modified
2019-01-14 21:23:28 OPTIONS IMPORT: compression parms modified
2019-01-14 21:23:28 LZO compression initializing
2019-01-14 21:23:28 OPTIONS IMPORT: --persist options modified
2019-01-14 21:23:28 New OpenVPN Status (ASSIGN_IP->LEVEL_CONNECTING_SERVER_REPLIED): ,192.168.200.2,,,,
2019-01-14 21:23:28 New OpenVPN Status (ASSIGN_IP->LEVEL_CONNECTING_SERVER_REPLIED): ,192.168.200.2,,,,
2019-01-14 21:23:28 New OpenVPN Status (ADD_ROUTES->LEVEL_CONNECTING_SERVER_REPLIED): ,,,,,
2019-01-14 21:23:28 New OpenVPN Status (ADD_ROUTES->LEVEL_CONNECTING_SERVER_REPLIED): ,,,,,
2019-01-14 21:23:28 OPTIONS IMPORT: --ifconfig/up options modified
2019-01-14 21:23:28 Corrected route 192.168.0.0/8 to 192.0.0.0/8
2019-01-14 21:23:28 OPTIONS IMPORT: route options modified
2019-01-14 21:23:28 OPTIONS IMPORT: route-related options modified
2019-01-14 21:23:28 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2019-01-14 21:23:28 OPTIONS IMPORT: peer-id set
2019-01-14 21:23:28 OPTIONS IMPORT: adjusting link_mtu to 1627
2019-01-14 21:23:28 OPTIONS IMPORT: data channel crypto options modified
2019-01-14 21:23:28 Data Channel: using negotiated cipher 'AES-256-GCM'
2019-01-14 21:23:28 Data Channel MTU parms [ L:1555 D:1450 EF:55 EB:406 ET:0 EL:3 ]
2019-01-14 21:23:28 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2019-01-14 21:23:28 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2019-01-14 21:23:28 GDG: SIOCGIFHWADDR(lo) failed
2019-01-14 21:23:28 ROUTE_GATEWAY 127.100.103.119/255.0.0.0 IFACE=lo
2019-01-14 21:23:28 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
2019-01-14 21:23:28 MANAGEMENT: >STATE:1547501008,ASSIGN_IP,,192.168.200.2,,,,
2019-01-14 21:23:28 New OpenVPN Status (CONNECTED->LEVEL_CONNECTED): SUCCESS,192.168.200.2,xxxxxxxxx,1194,10.0.98.209,37448
2019-01-14 21:23:28 New OpenVPN Status (CONNECTED->LEVEL_CONNECTED): SUCCESS,192.168.200.2,xxxxxxxx,1194,10.0.98.209,37448
2019-01-14 21:23:28 MANAGEMENT: CMD 'needok 'IFCONFIG' ok'
2019-01-14 21:23:28 MANAGEMENT: CMD 'needok 'ROUTE' ok'
2019-01-14 21:23:28 MANAGEMENT: >STATE:1547501008,ADD_ROUTES,,,,,,
2019-01-14 21:23:28 MANAGEMENT: CMD 'needok 'ROUTE' ok'
2019-01-14 21:23:28 MANAGEMENT: CMD 'needok 'ROUTE' ok'
2019-01-14 21:23:28 MANAGEMENT: CMD 'needok 'DNSSERVER' ok'
2019-01-14 21:23:28 MANAGEMENT: CMD 'needok 'DNSDOMAIN' ok'
2019-01-14 21:23:28 MANAGEMENT: CMD 'needok 'PERSIST_TUN_ACTION' NOACTION'
2019-01-14 21:23:28 Initialization Sequence Completed
2019-01-14 21:23:28 MANAGEMENT: >STATE:1547501008,CONNECTED,SUCCESS,192.168.200.2,xxxxxxx,1194,10.0.98.209,37448
2019-01-14 21:24:14 read TCP_CLIENT []: Software caused connection abort (code=103)
2019-01-14 21:24:14 Connection reset, restarting [0]
2019-01-14 21:24:14 TCP/UDP: Closing socket
2019-01-14 21:24:14 New OpenVPN Status (RECONNECTING->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): connection-reset,,,,,
2019-01-14 21:24:14 New OpenVPN Status (RECONNECTING->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): connection-reset,,,,,
2019-01-14 21:24:14 New OpenVPN Status (CONNECTRETRY->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): 2
2019-01-14 21:24:14 New OpenVPN Status (CONNECTRETRY->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): 2
2019-01-14 21:24:14 Waiting 2s seconds between connection attempt
2019-01-14 21:24:14 SIGUSR1[soft,connection-reset] received, process restarting
2019-01-14 21:24:14 MANAGEMENT: >STATE:1547501054,RECONNECTING,connection-reset,,,,,
2019-01-14 21:24:14 Network Status: not connected
2019-01-14 21:24:14 Debug state info: not connected, pause: userPause, shouldbeconnected: false, network: PENDINGDISCONNECT 
2019-01-14 21:24:24 MANAGEMENT: CMD 'signal SIGINT'
2019-01-14 21:24:24 Sorry, deleting routes on Android is not possible. The VpnService API allows routes to be set on connect only.
2019-01-14 21:24:24 Sorry, deleting routes on Android is not possible. The VpnService API allows routes to be set on connect only.
2019-01-14 21:24:24 Closing TUN/TAP interface
2019-01-14 21:24:24 SIGINT[hard,init_instance] received, process exiting
2019-01-14 21:24:24 MANAGEMENT: >STATE:1547501064,EXITING,init_instance,,,,,
2019-01-14 21:24:24 MANAGEMENT: TCP send error: Broken pipe
2019-01-14 21:24:24 MANAGEMENT: Client disconnected
2019-01-14 21:24:24 MANAGEMENT: Triggering management exit
2019-01-14 21:24:24 New OpenVPN Status (NOPROCESS->LEVEL_NOTCONNECTED): No process running.
2019-01-14 21:24:24 New OpenVPN Status (NOPROCESS->LEVEL_NOTCONNECTED): No process running.
2019-01-14 21:24:24 Debug state info: not connected, pause: userPause, shouldbeconnected: false, network: PENDINGDISCONNECT

192.0.0.0/8 doesn't look right, it shouldn't be here.
Netmask is wrong somewhere.

Getting loads of these in the router log:

Mon Jan 14 22:10:28 2019 daemon.notice openvpn(vpnserver)[1304]: vpnclient/188.29.165.51:11091 MULTI: bad source address from client [10.0.98.209], packet dropped
Mon Jan 14 22:10:29 2019 daemon.notice openvpn(vpnserver)[1304]: vpnclient/188.29.165.51:11091 MULTI: bad source address from client [10.0.98.209], packet dropped
Mon Jan 14 22:10:30 2019 daemon.notice openvpn(vpnserver)[1304]: vpnclient/188.29.165.51:11091 MULTI: bad source address from client [10.0.98.209], packet dropped
Mon Jan 14 22:10:31 2019 daemon.notice openvpn(vpnserver)[1304]: vpnclient/188.29.165.51:11091 MULTI: bad source address from client [10.0.98.209], packet dropped
Mon Jan 14 22:10:32 2019 daemon.notice openvpn(vpnserver)[1304]: vpnclient/188.29.165.51:11091 MULTI: bad source address from client [10.0.98.209], packet dropped
Mon Jan 14 22:10:34 2019 daemon.notice openvpn(vpnserver)[1304]: vpnclient/188.29.165.51:11091 MULTI: bad source address from client [10.0.98.209], packet dropped
Mon Jan 14 22:10:38 2019 daemon.notice openvpn(vpnserver)[1304]: vpnclient/188.29.165.51:11091 MULTI: bad source address from client [10.0.98.209], packet dropped
Mon Jan 14 22:10:46 2019 daemon.notice openvpn(vpnserver)[1304]: vpnclient/188.29.165.51:11091 MULTI: bad source address from client [10.0.98.209], packet dropped


head -n -0 /var/etc/openvpn-*.conf
pgrep -f -a openvpn
ip -4 a; ip -4 r
head -n -0 /var/etc/openvpn-*.conf
client-to-client
float
persist-key
persist-tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/vpnserver.crt
compress lzo
dev tun0
dh /etc/openvpn/dh.pem
keepalive 10 120
key /etc/openvpn/vpnserver.key
port 1194
proto tcp
push "redirect-gateway def1"
push "compress lzo"
push "persist-tun"
push "persist-key"
push "route 192.168.0.0 255.255.255.0"
push "dhcp-option DNS 192.168.0.1"
push "dhcp-option DOMAIN lan"
server 192.168.200.0 255.255.255.0
tls-crypt /etc/openvpn/tc.pem
topology subnet
verb 5

pgrep -f -a openvpn
1304 /usr/sbin/openvpn --syslog openvpn(vpnserver) --status /var/run/openvpn.vpnserver.status --cd /var/etc --config openvpn-vpnserver.conf
ip -4 a; ip -4 r
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
5: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.0.3/24 brd 192.168.0.255 scope global br-lan
       valid_lft forever preferred_lft forever
7: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN qlen 100
    inet 192.168.200.1/24 brd 192.168.200.255 scope global tun0
       valid_lft forever preferred_lft forever
default via 192.168.0.1 dev br-lan 
192.168.0.0/24 dev br-lan scope link  src 192.168.0.3 
192.168.200.0/24 dev tun0 scope link  src 192.168.200.1 

Your client is putting packets into the tunnel using 10.0.98.209 as its address, it should have been assigned one in the 192.168.200.0/24 range.

Do you have the route to the VPN-network on your main router?

As a last resort you can try to change subnet to prevent routing collision and enable masquerading for LAN-zone:

uci set openvpn.vpnserver.server="10.10.10.0 255.255.255.0"
uci commit openvpn
service openvpn restart
uci set firewall.@zone[0].masq="1"
uci commit firewall
service firewall restart
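
The two observations made in the replies above (the 192.0.0.0/8 route and the 10.0.98.209 source address) can be checked mechanically; this is an added example, not part of the thread. It runs on lines copied from the logs and server config posted here, and the function names are illustrative.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: lines copied from the client log, router log and server
# config posted in this thread (PUSH_REPLY shortened to the options used here).
SERVER_CONF = "server 192.168.200.0 255.255.255.0\ntopology subnet\n"
CLIENT_LOG = """\
2019-01-14 21:23:28 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,route 192.168.0.0 255.255.255.0,route-gateway 192.168.200.1,topology subnet,ifconfig 192.168.200.2 255.255.255.0,peer-id 0'
2019-01-14 21:23:28 Corrected route 192.168.0.0/8 to 192.0.0.0/8
"""
ROUTER_LOG = """\
Mon Jan 14 22:10:28 2019 daemon.notice openvpn(vpnserver)[1304]: vpnclient/188.29.165.51:11091 MULTI: bad source address from client [10.0.98.209], packet dropped
Mon Jan 14 22:10:29 2019 daemon.notice openvpn(vpnserver)[1304]: vpnclient/188.29.165.51:11091 MULTI: bad source address from client [10.0.98.209], packet dropped
"""


def server_subnet(conf):
    """Return the tunnel network from the 'server <net> <mask>' directive."""
    m = re.search(r"^server\s+(\S+)\s+(\S+)", conf, re.M)
    if not m:
        raise ValueError("no 'server' directive found")
    return ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")


def push_options(client_log):
    """Split the PUSH_REPLY into {option name: [argument lists]}."""
    m = re.search(r"'PUSH_REPLY,([^']*)'", client_log)
    opts = {}
    for item in (m.group(1).split(",") if m else []):
        if item.strip():
            name, *args = item.split()
            opts.setdefault(name, []).append(args)
    return opts


def pushed_networks(opts):
    """Tunnel address and routes the server told the client to use."""
    addr, mask = opts["ifconfig"][0][:2]
    tunnel = ipaddress.ip_interface(f"{addr}/{mask}")
    routes = []
    for args in opts.get("route", []):
        mask = args[1] if len(args) > 1 else "255.255.255.255"  # host route if omitted
        routes.append(ipaddress.ip_network(f"{args[0]}/{mask}"))
    return tunnel, routes


def bad_sources(router_log, subnet):
    """Count dropped source addresses; flag whether each lies in the tunnel subnet."""
    pattern = r"MULTI: bad source address from client \[([0-9.]+)\]"
    hits = Counter(re.findall(pattern, router_log))
    return {ip: (n, ipaddress.ip_address(ip) in subnet) for ip, n in hits.items()}


def corrected_routes(client_log, pushed):
    """Routes the client normalised because host bits were set under the mask."""
    found = []
    for net, plen in re.findall(r"Corrected route (\S+)/(\d+) to ", client_log):
        fixed = ipaddress.ip_network(f"{net}/{plen}", strict=False)
        found.append((f"{net}/{plen}", fixed, fixed in pushed))
    return found


if __name__ == "__main__":
    subnet = server_subnet(SERVER_CONF)
    tunnel, routes = pushed_networks(push_options(CLIENT_LOG))
    print("tunnel subnet:", subnet, "| pushed address:", tunnel, "| pushed routes:", routes)
    for ip, (n, inside) in bad_sources(ROUTER_LOG, subnet).items():
        print(f"{ip}: dropped {n}x, inside tunnel subnet: {inside}")
    for raw, fixed, was_pushed in corrected_routes(CLIENT_LOG, routes):
        print(f"{raw} normalised to {fixed}, present in PUSH_REPLY: {was_pushed}")
```

On the thread's data the dropped source lies outside 192.168.200.0/24, and the /8 route is not among the routes in the PUSH_REPLY shown.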

I have a secondary router as my VPN endpoint, and I did it a bit differently. My config works perfectly. I'll describe the broad strokes config -- if you need help implementing this, we'll go into the details.

First and most importantly, my VPN (i.e. secondary) router is actually connected via its WAN port to my LAN (so main router LAN > VPN router WAN).

The WAN on the VPN router has an IP within the main network LAN network (I have this assigned via DHCP with a static reservation on my primary router). The VPN router has a different network range for its LAN (this is mandatory), but the VPN router's LAN really isn't used for anything.

My OpenVPN server is configured with a smaller, but overlapping network relative to the VPN router's LAN, but I am careful to avoid conflicts. This part is admittedly unusual, but it works.

The OpenVPN server has a push directive to route to the main LAN. And the firewall allows forwarding from VPN > WAN in addition to opening the port(s) for the server as you would normally do.

For convenience's sake, and because this is a device on the LAN side of my network, I have also allowed ssh and LuCI/web access over the WAN port of the VPN router. This is okay because my LAN is trusted, but normally you would never do this -- major security risk if it is directly internet accessible.

Now for some of the basic details:

  • Main LAN: 10.0.1.0/24

  • WAN of VPN router: DHCP from main LAN, has static reservation.

  • VPN router LAN: 10.0.2.0/24

  • DHCP of VPN router: 10.0.2.10-10.0.2.50 (this doesn't really ever get used)

  • OpenVPN server directive: server '10.0.2.208 255.255.255.240' (this is a /28 network with the server @ 10.0.2.241 and clients on 10.0.2.242-10.0.2.254; note that it does overlap the VPN router LAN but not the DHCP range for that LAN).

  • OpenVPN server push directives of note:

    • push 'route 10.0.1.0 255.255.255.0' (this is pushing a route to my main LAN)
    • push 'dhcp-option DNS 10.0.1.1' (my main router is this address, it serves my network's DNS)
  • Firewall notables:

    • VPN zone input=accept, output=accept, forward=reject, masq disabled
    • Forwarding: src=vpn, dest=wan

Hope this helps!

I will try it tonight and will post the results.
Thanks, everybody, for the help!