Openvpn config for accessing lan and internet?

Actually without WAN-network there's no point in WAN-zone and forwardings to it.


I disabled masquerading on the vpnserver zone and deleted the wan zone from the firewall completely.
The setup itself is simple: OpenWrt with OpenVPN runs like a dumb AP, connected via Ethernet to the main router. Still I didn't achieve anything, no internet or LAN access. Any ideas?

It should be possible to fix with option float on the server side.
However this is a bit suspicious...
Which client are you using?

I used the official OpenVPN Android client, and now switched to OpenVPN for Android.

Yep, the one I've mentioned above should work fine.
Otherwise add option float:

uci set openvpn.vpnserver.float="1"
uci commit openvpn
service openvpn restart

log from client:

2019-01-14 21:15:16 official build 0.7.5 running on HUAWEI CLT-L09 (CLT), Android 8.1.0 (HUAWEICLT-L09) API 27, ABI arm64-v8a, (HUAWEI/CLT-L09/HWCLT:8.1.0/HUAWEICLT-L09/159(C782):user/release-keys)
2019-01-14 21:15:16 Building configuration…
2019-01-14 21:15:16 New OpenVPN Status (VPN_GENERATE_CONFIG->LEVEL_START): 
2019-01-14 21:15:16 New OpenVPN Status (VPN_GENERATE_CONFIG->LEVEL_START): 
2019-01-14 21:15:16 started Socket Thread
2019-01-14 21:15:16 Network Status: not connected
2019-01-14 21:15:16 Debug state info: not connected, pause: userPause, shouldbeconnected: false, network: PENDINGDISCONNECT 
2019-01-14 21:15:16 Debug state info: not connected, pause: userPause, shouldbeconnected: false, network: PENDINGDISCONNECT 
2019-01-14 21:15:16 Current Parameter Settings:
2019-01-14 21:15:16   config = '/data/user/0/de.blinkt.openvpn/cache/android.conf'
2019-01-14 21:15:16   mode = 0
2019-01-14 21:15:16   show_ciphers = DISABLED
2019-01-14 21:15:16   show_digests = DISABLED
2019-01-14 21:15:16   show_engines = DISABLED
2019-01-14 21:15:16 New OpenVPN Status (NONETWORK->LEVEL_NONETWORK): 
2019-01-14 21:15:16 New OpenVPN Status (NONETWORK->LEVEL_NONETWORK): 
2019-01-14 21:15:16   genkey = DISABLED
2019-01-14 21:15:16   key_pass_file = '[UNDEF]'
2019-01-14 21:15:16   show_tls_ciphers = DISABLED
2019-01-14 21:15:16   connect_retry_max = 0
2019-01-14 21:15:16 Connection profiles [0]:
2019-01-14 21:15:16   proto = tcp-client
2019-01-14 21:15:16   local = '[UNDEF]'
2019-01-14 21:15:16   local_port = '[UNDEF]'
2019-01-14 21:15:16   remote = 'xxxxxxxx'
2019-01-14 21:15:16   remote_port = '1194'
2019-01-14 21:15:16   remote_float = DISABLED
2019-01-14 21:15:16   bind_defined = DISABLED
2019-01-14 21:15:16   bind_local = DISABLED
2019-01-14 21:15:16   bind_ipv6_only = DISABLED
2019-01-14 21:15:16   connect_retry_seconds = 2
2019-01-14 21:15:16   connect_timeout = 120
2019-01-14 21:15:16   socks_proxy_server = '[UNDEF]'
2019-01-14 21:15:16   socks_proxy_port = '[UNDEF]'
2019-01-14 21:15:16   tun_mtu = 1500
2019-01-14 21:15:16   tun_mtu_defined = ENABLED
2019-01-14 21:15:16   link_mtu = 1500
2019-01-14 21:15:16   link_mtu_defined = DISABLED
2019-01-14 21:15:16   tun_mtu_extra = 0
2019-01-14 21:15:16   tun_mtu_extra_defined = DISABLED
2019-01-14 21:15:16   mtu_discover_type = -1
2019-01-14 21:15:16   fragment = 0
2019-01-14 21:15:16   mssfix = 1450
2019-01-14 21:15:16   explicit_exit_notification = 0
2019-01-14 21:15:16 Connection profiles END
2019-01-14 21:15:16   remote_random = DISABLED
2019-01-14 21:15:16   ipchange = '[UNDEF]'
2019-01-14 21:15:16   dev = 'tun'
2019-01-14 21:15:16   dev_type = '[UNDEF]'
2019-01-14 21:15:16   dev_node = '[UNDEF]'
2019-01-14 21:15:16   lladdr = '[UNDEF]'
2019-01-14 21:15:16   topology = 1
2019-01-14 21:15:16   ifconfig_local = '[UNDEF]'
2019-01-14 21:15:16   ifconfig_remote_netmask = '[UNDEF]'
2019-01-14 21:15:16   ifconfig_noexec = DISABLED
2019-01-14 21:15:16   ifconfig_nowarn = ENABLED
2019-01-14 21:15:16   ifconfig_ipv6_local = '[UNDEF]'
2019-01-14 21:15:16   ifconfig_ipv6_netbits = 0
2019-01-14 21:15:16   ifconfig_ipv6_remote = '[UNDEF]'
2019-01-14 21:15:16   shaper = 0
2019-01-14 21:15:16   mtu_test = 0
2019-01-14 21:15:16   mlock = DISABLED
2019-01-14 21:15:16   keepalive_ping = 0
2019-01-14 21:15:16   keepalive_timeout = 0
2019-01-14 21:15:17   inactivity_timeout = 0
2019-01-14 21:15:17   ping_send_timeout = 0
2019-01-14 21:15:17   ping_rec_timeout = 0
2019-01-14 21:15:17   ping_rec_timeout_action = 0
2019-01-14 21:15:17   ping_timer_remote = DISABLED
2019-01-14 21:15:17   remap_sigusr1 = 0
2019-01-14 21:15:17   persist_tun = DISABLED
2019-01-14 21:15:17   persist_local_ip = DISABLED
2019-01-14 21:15:17   persist_remote_ip = DISABLED
2019-01-14 21:15:17   persist_key = DISABLED
2019-01-14 21:15:17   passtos = DISABLED
2019-01-14 21:15:17   resolve_retry_seconds = 60
2019-01-14 21:15:17   resolve_in_advance = DISABLED
2019-01-14 21:15:17   username = '[UNDEF]'
2019-01-14 21:15:17   groupname = '[UNDEF]'
2019-01-14 21:15:17   chroot_dir = '[UNDEF]'
2019-01-14 21:15:17   cd_dir = '[UNDEF]'
2019-01-14 21:15:17   writepid = '[UNDEF]'
2019-01-14 21:15:17   up_script = '[UNDEF]'
2019-01-14 21:15:17   down_script = '[UNDEF]'
2019-01-14 21:15:17   down_pre = DISABLED
2019-01-14 21:15:17   up_restart = DISABLED
2019-01-14 21:15:17   up_delay = DISABLED
2019-01-14 21:15:17   daemon = DISABLED
2019-01-14 21:15:17   inetd = 0
2019-01-14 21:15:17   log = DISABLED
2019-01-14 21:15:17   suppress_timestamps = DISABLED
2019-01-14 21:15:17   machine_readable_output = ENABLED
2019-01-14 21:15:17   nice = 0
2019-01-14 21:15:17   verbosity = 4
2019-01-14 21:15:17   mute = 0
2019-01-14 21:15:17   gremlin = 0
2019-01-14 21:15:17   status_file = '[UNDEF]'
2019-01-14 21:15:17   status_file_version = 1
2019-01-14 21:15:17   status_file_update_freq = 60
2019-01-14 21:15:17   occ = ENABLED
2019-01-14 21:15:17   rcvbuf = 0
2019-01-14 21:15:17   sndbuf = 0
2019-01-14 21:15:17   sockflags = 0
2019-01-14 21:15:17   fast_io = ENABLED
2019-01-14 21:15:17   comp.alg = 2
2019-01-14 21:15:17   comp.flags = 0
2019-01-14 21:15:17   route_script = '[UNDEF]'
2019-01-14 21:15:17   route_default_gateway = '[UNDEF]'
2019-01-14 21:15:17   route_default_metric = 0
2019-01-14 21:15:17   route_noexec = DISABLED
2019-01-14 21:15:17   route_delay = 0
2019-01-14 21:15:17   route_delay_window = 30
2019-01-14 21:15:17   route_delay_defined = DISABLED
2019-01-14 21:15:17   route_nopull = DISABLED
2019-01-14 21:15:17   route_gateway_via_dhcp = DISABLED
2019-01-14 21:15:17   allow_pull_fqdn = DISABLED
2019-01-14 21:15:17   route 192.168.0.0/255.0.0.0/vpn_gateway/default (not set)
2019-01-14 21:15:17   management_addr = '/data/user/0/de.blinkt.openvpn/cache/mgmtsocket'
2019-01-14 21:15:17   management_port = 'unix'
2019-01-14 21:15:17   management_user_pass = '[UNDEF]'
2019-01-14 21:15:17   management_log_history_cache = 250
2019-01-14 21:15:17   management_echo_buffer_size = 100
2019-01-14 21:15:17   management_write_peer_info_file = '[UNDEF]'
2019-01-14 21:15:17   management_client_user = '[UNDEF]'
2019-01-14 21:15:17   management_client_group = '[UNDEF]'
2019-01-14 21:15:17   management_flags = 4390
2019-01-14 21:15:17   shared_secret_file = '[UNDEF]'
2019-01-14 21:15:17   key_direction = not set
2019-01-14 21:15:17   ciphername = 'BF-CBC'
2019-01-14 21:15:17   ncp_enabled = ENABLED
2019-01-14 21:15:17   ncp_ciphers = 'AES-256-GCM:AES-128-GCM'
2019-01-14 21:15:17   authname = 'SHA1'
2019-01-14 21:15:17   prng_hash = 'SHA1'
2019-01-14 21:15:17   prng_nonce_secret_len = 16
2019-01-14 21:15:17   keysize = 0
2019-01-14 21:15:17   engine = DISABLED
2019-01-14 21:15:17   replay = ENABLED
2019-01-14 21:15:17   mute_replay_warnings = DISABLED
2019-01-14 21:15:17   replay_window = 64
2019-01-14 21:15:17   replay_time = 15
2019-01-14 21:15:17   packet_id_file = '[UNDEF]'
2019-01-14 21:15:17   test_crypto = DISABLED
2019-01-14 21:15:17   tls_server = DISABLED
2019-01-14 21:15:17   tls_client = ENABLED
2019-01-14 21:15:17   key_method = 2
2019-01-14 21:15:17   ca_file = '[[INLINE]]'
2019-01-14 21:15:17   ca_path = '[UNDEF]'
2019-01-14 21:15:17   dh_file = '[UNDEF]'
2019-01-14 21:15:17   cert_file = '[[INLINE]]'
2019-01-14 21:15:17   extra_certs_file = '[UNDEF]'
2019-01-14 21:15:17   priv_key_file = '[[INLINE]]'
2019-01-14 21:15:17   pkcs12_file = '[UNDEF]'
2019-01-14 21:15:17   cipher_list = '[UNDEF]'
2019-01-14 21:15:17   tls_cert_profile = '[UNDEF]'
2019-01-14 21:15:17   tls_verify = '[UNDEF]'
2019-01-14 21:15:17   tls_export_cert = '[UNDEF]'
2019-01-14 21:15:17   verify_x509_type = 0
2019-01-14 21:15:17   verify_x509_name = '[UNDEF]'
2019-01-14 21:15:17   crl_file = '[UNDEF]'
2019-01-14 21:15:17   ns_cert_type = 0
2019-01-14 21:15:17   remote_cert_ku[i] = 65535
2019-01-14 21:15:17   remote_cert_ku[i] = 0
2019-01-14 21:15:17   remote_cert_ku[i] = 0
2019-01-14 21:15:17   remote_cert_ku[i] = 0
2019-01-14 21:15:17   remote_cert_ku[i] = 0
2019-01-14 21:15:17   remote_cert_ku[i] = 0
2019-01-14 21:15:17   remote_cert_ku[i] = 0
2019-01-14 21:15:17   remote_cert_ku[i] = 0
2019-01-14 21:15:17   remote_cert_ku[i] = 0
2019-01-14 21:15:17   remote_cert_ku[i] = 0
2019-01-14 21:15:17   remote_cert_ku[i] = 0
2019-01-14 21:15:17   remote_cert_ku[i] = 0
2019-01-14 21:15:17   remote_cert_ku[i] = 0
2019-01-14 21:15:17   remote_cert_ku[i] = 0
2019-01-14 21:15:17   remote_cert_ku[i] = 0
2019-01-14 21:15:17   remote_cert_ku[i] = 0
2019-01-14 21:15:17   remote_cert_eku = 'TLS Web Server Authentication'
2019-01-14 21:15:17   ssl_flags = 0
2019-01-14 21:15:17   tls_timeout = 2
2019-01-14 21:15:17   renegotiate_bytes = -1
2019-01-14 21:15:17   renegotiate_packets = 0
2019-01-14 21:15:17   renegotiate_seconds = 3600
2019-01-14 21:15:17   handshake_window = 60
2019-01-14 21:15:17   transition_window = 3600
2019-01-14 21:15:17   single_session = DISABLED
2019-01-14 21:15:17   push_peer_info = DISABLED
2019-01-14 21:15:17   tls_exit = DISABLED
2019-01-14 21:15:17   tls_auth_file = '[UNDEF]'
2019-01-14 21:15:17   tls_crypt_file = '[[INLINE]]'
2019-01-14 21:15:17   client = ENABLED
2019-01-14 21:15:17   pull = ENABLED
2019-01-14 21:15:17   auth_user_pass_file = '[UNDEF]'
2019-01-14 21:15:17 OpenVPN 2.5-icsopenvpn [git:v2.4_rc2-301-g14adf04a] arm64-v8a [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on May  3 2018
2019-01-14 21:15:17 library versions: OpenSSL 1.1.0h  27 Mar 2018, LZO 2.10
2019-01-14 21:15:17 MANAGEMENT: Connected to management server at /data/user/0/de.blinkt.openvpn/cache/mgmtsocket
2019-01-14 21:15:17 MANAGEMENT: CMD 'version 2'
2019-01-14 21:15:27 Network Status: CONNECTED LTE to MOBILE three.co.uk
2019-01-14 21:15:27 MANAGEMENT: CMD 'hold release'
2019-01-14 21:15:27 Debug state info: CONNECTED LTE to MOBILE three.co.uk, pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED 
2019-01-14 21:15:27 MANAGEMENT: CMD 'bytecount 2'
2019-01-14 21:15:27 MANAGEMENT: CMD 'state on'
2019-01-14 21:15:27 MANAGEMENT: CMD 'proxy NONE'
2019-01-14 21:15:28 NOTE: --fast-io is disabled since we are not using UDP
2019-01-14 21:15:28 MANAGEMENT: CMD 'password [...]'
2019-01-14 21:15:28 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2019-01-14 21:15:28 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2019-01-14 21:15:28 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2019-01-14 21:15:28 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2019-01-14 21:15:28 New OpenVPN Status (RESOLVE->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): ,,,,,
2019-01-14 21:15:29 New OpenVPN Status (RESOLVE->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): ,,,,,
2019-01-14 21:15:28 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2019-01-14 21:15:29 LZO compression initializing
2019-01-14 21:15:29 Control Channel MTU parms [ L:1624 D:1154 EF:96 EB:0 ET:0 EL:3 ]
2019-01-14 21:15:29 MANAGEMENT: >STATE:1547500528,RESOLVE,,,,,,
2019-01-14 21:15:29 Data Channel MTU parms [ L:1624 D:1450 EF:124 EB:406 ET:0 EL:3 ]
2019-01-14 21:15:29 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
2019-01-14 21:15:29 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
2019-01-14 21:15:29 TCP/UDP: Preserving recently used remote address: [AF_INET]xxxxxxx:1194
2019-01-14 21:15:29 Socket Buffers: R=[4194304->4194304] S=[524288->524288]
2019-01-14 21:15:29 Attempting to establish TCP connection with [AF_INET]xxxxxxx:1194 [nonblock]
2019-01-14 21:15:29 MANAGEMENT: >STATE:1547500529,TCP_CONNECT,,,,,,
2019-01-14 21:15:29 New OpenVPN Status (TCP_CONNECT->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): ,,,,,
2019-01-14 21:15:29 New OpenVPN Status (TCP_CONNECT->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): ,,,,,
2019-01-14 21:15:29 MANAGEMENT: CMD 'needok 'PROTECTFD' ok'
2019-01-14 21:15:30 TCP connection established with [AF_INET]xxxxxxxx:1194
2019-01-14 21:15:30 New OpenVPN Status (WAIT->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): ,,,,,
2019-01-14 21:15:30 New OpenVPN Status (WAIT->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): ,,,,,
2019-01-14 21:15:30 MANAGEMENT: CMD 'needok 'PROTECTFD' ok'
2019-01-14 21:15:30 TCP_CLIENT link local: (not bound)
2019-01-14 21:15:30 TCP_CLIENT link remote: [AF_INET]xxxxxxxx:1194
2019-01-14 21:15:30 MANAGEMENT: >STATE:1547500530,WAIT,,,,,,
2019-01-14 21:15:30 New OpenVPN Status (AUTH->LEVEL_CONNECTING_SERVER_REPLIED): ,,,,,
2019-01-14 21:15:30 New OpenVPN Status (AUTH->LEVEL_CONNECTING_SERVER_REPLIED): ,,,,,
2019-01-14 21:15:30 MANAGEMENT: >STATE:1547500530,AUTH,,,,,,
2019-01-14 21:15:30 TLS: Initial packet from [AF_INET]xxxxxx:1194, sid=7c994957 15d30de2
2019-01-14 21:15:31 VERIFY OK: depth=1, C=GB, ST=London, O=WWW Ltd.
2019-01-14 21:15:31 VERIFY KU OK
2019-01-14 21:15:31 Validating certificate extended key usage
2019-01-14 21:15:31 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2019-01-14 21:15:31 VERIFY EKU OK
2019-01-14 21:15:31 VERIFY OK: depth=0, CN=vpnserver
2019-01-14 21:15:32 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
2019-01-14 21:15:32 [vpnserver] Peer Connection Initiated with [AF_INET]xxxxxxxx:1194
2019-01-14 21:15:33 New OpenVPN Status (GET_CONFIG->LEVEL_CONNECTING_SERVER_REPLIED): ,,,,,
2019-01-14 21:15:33 New OpenVPN Status (GET_CONFIG->LEVEL_CONNECTING_SERVER_REPLIED): ,,,,,
2019-01-14 21:15:33 MANAGEMENT: >STATE:1547500533,GET_CONFIG,,,,,,
2019-01-14 21:15:33 SENT CONTROL [vpnserver]: 'PUSH_REQUEST' (status=1)
2019-01-14 21:15:33 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,compress lzo,persist-tun,persist-key,route 192.168.0.0 255.255.255.0,dhcp-option DNS 192.168.0.1,dhcp-option DOMAIN lan,route-gateway 192.168.200.1,topology subnet,ping 10,ping-restart 120,ifconfig 192.168.200.2 255.255.255.0,peer-id 0,cipher AES-256-GCM'
2019-01-14 21:15:33 OPTIONS IMPORT: timers and/or timeouts modified
2019-01-14 21:15:33 New OpenVPN Status (ASSIGN_IP->LEVEL_CONNECTING_SERVER_REPLIED): ,192.168.200.2,,,,
2019-01-14 21:15:33 New OpenVPN Status (ASSIGN_IP->LEVEL_CONNECTING_SERVER_REPLIED): ,192.168.200.2,,,,
2019-01-14 21:15:33 OPTIONS IMPORT: compression parms modified
2019-01-14 21:15:33 LZO compression initializing
2019-01-14 21:15:33 OPTIONS IMPORT: --persist options modified
2019-01-14 21:15:33 OPTIONS IMPORT: --ifconfig/up options modified
2019-01-14 21:15:33 OPTIONS IMPORT: route options modified
2019-01-14 21:15:33 OPTIONS IMPORT: route-related options modified
2019-01-14 21:15:33 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2019-01-14 21:15:33 OPTIONS IMPORT: peer-id set
2019-01-14 21:15:33 OPTIONS IMPORT: adjusting link_mtu to 1627
2019-01-14 21:15:33 OPTIONS IMPORT: data channel crypto options modified
2019-01-14 21:15:33 Data Channel: using negotiated cipher 'AES-256-GCM'
2019-01-14 21:15:33 Data Channel MTU parms [ L:1555 D:1450 EF:55 EB:406 ET:0 EL:3 ]
2019-01-14 21:15:33 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2019-01-14 21:15:33 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2019-01-14 21:15:33 New OpenVPN Status (ADD_ROUTES->LEVEL_CONNECTING_SERVER_REPLIED): ,,,,,
2019-01-14 21:15:33 New OpenVPN Status (ADD_ROUTES->LEVEL_CONNECTING_SERVER_REPLIED): ,,,,,
2019-01-14 21:15:33 Corrected route 192.168.0.0/8 to 192.0.0.0/8
2019-01-14 21:15:33 GDG: SIOCGIFHWADDR(lo) failed
2019-01-14 21:15:33 ROUTE_GATEWAY 127.100.103.119/255.0.0.0 IFACE=lo
2019-01-14 21:15:33 Opening tun interface:
2019-01-14 21:15:33 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
2019-01-14 21:15:33 MANAGEMENT: >STATE:1547500533,ASSIGN_IP,,192.168.200.2,,,,
2019-01-14 21:15:33 MANAGEMENT: CMD 'needok 'IFCONFIG' ok'
2019-01-14 21:15:33 Local IPv4: 192.168.200.2/24 IPv6: null MTU: 1500
2019-01-14 21:15:33 DNS Server: 192.168.0.1, Domain: lan
2019-01-14 21:15:33 MANAGEMENT: CMD 'needok 'ROUTE' ok'
2019-01-14 21:15:33 MANAGEMENT: >STATE:1547500533,ADD_ROUTES,,,,,,
2019-01-14 21:15:33 Routes: 0.0.0.0/0, 192.0.0.0/8, 192.168.0.0/24, 192.168.200.0/24 
2019-01-14 21:15:33 Routes excluded:  
2019-01-14 21:15:33 VpnService routes installed: 0.0.0.0/0 
2019-01-14 21:15:33 Disallowed VPN apps: 
2019-01-14 21:15:33 MANAGEMENT: CMD 'needok 'ROUTE' ok'
2019-01-14 21:15:33 MANAGEMENT: CMD 'needok 'ROUTE' ok'
2019-01-14 21:15:33 MANAGEMENT: CMD 'needok 'DNSSERVER' ok'
2019-01-14 21:15:33 MANAGEMENT: CMD 'needok 'DNSDOMAIN' ok'
2019-01-14 21:15:33 MANAGEMENT: CMD 'needok 'PERSIST_TUN_ACTION' OPEN_BEFORE_CLOSE'
2019-01-14 21:15:33 New OpenVPN Status (CONNECTED->LEVEL_CONNECTED): SUCCESS,192.168.200.2,xxxxxxxxx,1194,100.73.192.177,38562
2019-01-14 21:15:33 New OpenVPN Status (CONNECTED->LEVEL_CONNECTED): SUCCESS,192.168.200.2,xxxxxxxx,1194,100.73.192.177,38562
2019-01-14 21:15:33 MANAGEMENT: CMD 'needok 'OPENTUN' ok'
2019-01-14 21:15:33 Initialization Sequence Completed
2019-01-14 21:15:33 MANAGEMENT: >STATE:1547500533,CONNECTED,SUCCESS,192.168.200.2,xxxxxxx,1194,100.73.192.177,38562
2019-01-14 21:15:33 Debug state info: CONNECTED LTE to MOBILE three.co.uk, pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED

Log from the client after the changes:

2019-01-14 21:23:17 official build 0.7.5 running on HUAWEI CLT-L09 (CLT), Android 8.1.0 (HUAWEICLT-L09) API 27, ABI arm64-v8a, (HUAWEI/CLT-L09/HWCLT:8.1.0/HUAWEICLT-L09/159(C782):user/release-keys)
2019-01-14 21:23:17 Log cleared.
2019-01-14 21:23:23 MANAGEMENT: CMD 'hold release'
2019-01-14 21:23:23 MANAGEMENT: CMD 'bytecount 2'
2019-01-14 21:23:23 MANAGEMENT: CMD 'proxy NONE'
2019-01-14 21:23:23 Network Status: CONNECTED LTE to MOBILE three.co.uk
2019-01-14 21:23:23 Debug state info: CONNECTED LTE to MOBILE three.co.uk, pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED 
2019-01-14 21:23:23 MANAGEMENT: CMD 'state on'
2019-01-14 21:23:24 NOTE: --fast-io is disabled since we are not using UDP
2019-01-14 21:23:24 New OpenVPN Status (TCP_CONNECT->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): ,,,,,
2019-01-14 21:23:24 New OpenVPN Status (TCP_CONNECT->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): ,,,,,
2019-01-14 21:23:24 Re-using SSL/TLS context
2019-01-14 21:23:24 LZO compression initializing
2019-01-14 21:23:24 Control Channel MTU parms [ L:1624 D:1154 EF:96 EB:0 ET:0 EL:3 ]
2019-01-14 21:23:24 Data Channel MTU parms [ L:1624 D:1450 EF:124 EB:406 ET:0 EL:3 ]
2019-01-14 21:23:24 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
2019-01-14 21:23:24 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
2019-01-14 21:23:24 TCP/UDP: Preserving recently used remote address: [AF_INET]xxxxxxxx:1194
2019-01-14 21:23:24 Socket Buffers: R=[4194304->4194304] S=[524288->524288]
2019-01-14 21:23:24 Attempting to establish TCP connection with [AF_INET]xxxxxxxx:1194 [nonblock]
2019-01-14 21:23:24 MANAGEMENT: >STATE:1547501004,TCP_CONNECT,,,,,,
2019-01-14 21:23:24 MANAGEMENT: CMD 'needok 'PROTECTFD' ok'
2019-01-14 21:23:25 TCP connection established with [AF_INET]xxxxxxx:1194
2019-01-14 21:23:25 MANAGEMENT: CMD 'needok 'PROTECTFD' ok'
2019-01-14 21:23:25 TCP_CLIENT link local: (not bound)
2019-01-14 21:23:25 TCP_CLIENT link remote: [AF_INET]xxxxxxx:1194
2019-01-14 21:23:25 MANAGEMENT: >STATE:1547501005,WAIT,,,,,,
2019-01-14 21:23:25 New OpenVPN Status (WAIT->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): ,,,,,
2019-01-14 21:23:25 New OpenVPN Status (WAIT->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): ,,,,,
2019-01-14 21:23:26 MANAGEMENT: >STATE:1547501006,AUTH,,,,,,
2019-01-14 21:23:26 TLS: Initial packet from [AF_INET]xxxxxxxx:1194, sid=6e8d1560 3e4b7b7c
2019-01-14 21:23:26 New OpenVPN Status (AUTH->LEVEL_CONNECTING_SERVER_REPLIED): ,,,,,
2019-01-14 21:23:26 New OpenVPN Status (AUTH->LEVEL_CONNECTING_SERVER_REPLIED): ,,,,,
2019-01-14 21:23:27 VERIFY OK: depth=1, C=GB, ST=London, O=WWW Ltd.
2019-01-14 21:23:27 VERIFY KU OK
2019-01-14 21:23:27 Validating certificate extended key usage
2019-01-14 21:23:27 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2019-01-14 21:23:27 VERIFY EKU OK
2019-01-14 21:23:27 VERIFY OK: depth=0, CN=vpnserver
2019-01-14 21:23:27 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
2019-01-14 21:23:27 [vpnserver] Peer Connection Initiated with [AF_INET]xxxxxxxx:1194
2019-01-14 21:23:28 MANAGEMENT: >STATE:1547501008,GET_CONFIG,,,,,,
2019-01-14 21:23:28 SENT CONTROL [vpnserver]: 'PUSH_REQUEST' (status=1)
2019-01-14 21:23:28 New OpenVPN Status (GET_CONFIG->LEVEL_CONNECTING_SERVER_REPLIED): ,,,,,
2019-01-14 21:23:28 New OpenVPN Status (GET_CONFIG->LEVEL_CONNECTING_SERVER_REPLIED): ,,,,,
2019-01-14 21:23:28 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,compress lzo,persist-tun,persist-key,route 192.168.0.0 255.255.255.0,dhcp-option DNS 192.168.0.1,dhcp-option DOMAIN lan,route-gateway 192.168.200.1,topology subnet,ping 10,ping-restart 120,ifconfig 192.168.200.2 255.255.255.0,peer-id 0,cipher AES-256-GCM'
2019-01-14 21:23:28 OPTIONS IMPORT: timers and/or timeouts modified
2019-01-14 21:23:28 OPTIONS IMPORT: compression parms modified
2019-01-14 21:23:28 LZO compression initializing
2019-01-14 21:23:28 OPTIONS IMPORT: --persist options modified
2019-01-14 21:23:28 New OpenVPN Status (ASSIGN_IP->LEVEL_CONNECTING_SERVER_REPLIED): ,192.168.200.2,,,,
2019-01-14 21:23:28 New OpenVPN Status (ASSIGN_IP->LEVEL_CONNECTING_SERVER_REPLIED): ,192.168.200.2,,,,
2019-01-14 21:23:28 New OpenVPN Status (ADD_ROUTES->LEVEL_CONNECTING_SERVER_REPLIED): ,,,,,
2019-01-14 21:23:28 New OpenVPN Status (ADD_ROUTES->LEVEL_CONNECTING_SERVER_REPLIED): ,,,,,
2019-01-14 21:23:28 OPTIONS IMPORT: --ifconfig/up options modified
2019-01-14 21:23:28 Corrected route 192.168.0.0/8 to 192.0.0.0/8
2019-01-14 21:23:28 OPTIONS IMPORT: route options modified
2019-01-14 21:23:28 OPTIONS IMPORT: route-related options modified
2019-01-14 21:23:28 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2019-01-14 21:23:28 OPTIONS IMPORT: peer-id set
2019-01-14 21:23:28 OPTIONS IMPORT: adjusting link_mtu to 1627
2019-01-14 21:23:28 OPTIONS IMPORT: data channel crypto options modified
2019-01-14 21:23:28 Data Channel: using negotiated cipher 'AES-256-GCM'
2019-01-14 21:23:28 Data Channel MTU parms [ L:1555 D:1450 EF:55 EB:406 ET:0 EL:3 ]
2019-01-14 21:23:28 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2019-01-14 21:23:28 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2019-01-14 21:23:28 GDG: SIOCGIFHWADDR(lo) failed
2019-01-14 21:23:28 ROUTE_GATEWAY 127.100.103.119/255.0.0.0 IFACE=lo
2019-01-14 21:23:28 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
2019-01-14 21:23:28 MANAGEMENT: >STATE:1547501008,ASSIGN_IP,,192.168.200.2,,,,
2019-01-14 21:23:28 New OpenVPN Status (CONNECTED->LEVEL_CONNECTED): SUCCESS,192.168.200.2,xxxxxxxxx,1194,10.0.98.209,37448
2019-01-14 21:23:28 New OpenVPN Status (CONNECTED->LEVEL_CONNECTED): SUCCESS,192.168.200.2,xxxxxxxx,1194,10.0.98.209,37448
2019-01-14 21:23:28 MANAGEMENT: CMD 'needok 'IFCONFIG' ok'
2019-01-14 21:23:28 MANAGEMENT: CMD 'needok 'ROUTE' ok'
2019-01-14 21:23:28 MANAGEMENT: >STATE:1547501008,ADD_ROUTES,,,,,,
2019-01-14 21:23:28 MANAGEMENT: CMD 'needok 'ROUTE' ok'
2019-01-14 21:23:28 MANAGEMENT: CMD 'needok 'ROUTE' ok'
2019-01-14 21:23:28 MANAGEMENT: CMD 'needok 'DNSSERVER' ok'
2019-01-14 21:23:28 MANAGEMENT: CMD 'needok 'DNSDOMAIN' ok'
2019-01-14 21:23:28 MANAGEMENT: CMD 'needok 'PERSIST_TUN_ACTION' NOACTION'
2019-01-14 21:23:28 Initialization Sequence Completed
2019-01-14 21:23:28 MANAGEMENT: >STATE:1547501008,CONNECTED,SUCCESS,192.168.200.2,xxxxxxx,1194,10.0.98.209,37448
2019-01-14 21:24:14 read TCP_CLIENT []: Software caused connection abort (code=103)
2019-01-14 21:24:14 Connection reset, restarting [0]
2019-01-14 21:24:14 TCP/UDP: Closing socket
2019-01-14 21:24:14 New OpenVPN Status (RECONNECTING->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): connection-reset,,,,,
2019-01-14 21:24:14 New OpenVPN Status (RECONNECTING->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): connection-reset,,,,,
2019-01-14 21:24:14 New OpenVPN Status (CONNECTRETRY->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): 2
2019-01-14 21:24:14 New OpenVPN Status (CONNECTRETRY->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): 2
2019-01-14 21:24:14 Waiting 2s seconds between connection attempt
2019-01-14 21:24:14 SIGUSR1[soft,connection-reset] received, process restarting
2019-01-14 21:24:14 MANAGEMENT: >STATE:1547501054,RECONNECTING,connection-reset,,,,,
2019-01-14 21:24:14 Network Status: not connected
2019-01-14 21:24:14 Debug state info: not connected, pause: userPause, shouldbeconnected: false, network: PENDINGDISCONNECT 
2019-01-14 21:24:24 MANAGEMENT: CMD 'signal SIGINT'
2019-01-14 21:24:24 Sorry, deleting routes on Android is not possible. The VpnService API allows routes to be set on connect only.
2019-01-14 21:24:24 Sorry, deleting routes on Android is not possible. The VpnService API allows routes to be set on connect only.
2019-01-14 21:24:24 Closing TUN/TAP interface
2019-01-14 21:24:24 SIGINT[hard,init_instance] received, process exiting
2019-01-14 21:24:24 MANAGEMENT: >STATE:1547501064,EXITING,init_instance,,,,,
2019-01-14 21:24:24 MANAGEMENT: TCP send error: Broken pipe
2019-01-14 21:24:24 MANAGEMENT: Client disconnected
2019-01-14 21:24:24 MANAGEMENT: Triggering management exit
2019-01-14 21:24:24 New OpenVPN Status (NOPROCESS->LEVEL_NOTCONNECTED): No process running.
2019-01-14 21:24:24 New OpenVPN Status (NOPROCESS->LEVEL_NOTCONNECTED): No process running.
2019-01-14 21:24:24 Debug state info: not connected, pause: userPause, shouldbeconnected: false, network: PENDINGDISCONNECT

192.0.0.0/8 doesn't look right, it shouldn't be here.
Netmask is wrong somewhere.

Getting loads of these in the router log:

Mon Jan 14 22:10:28 2019 daemon.notice openvpn(vpnserver)[1304]: vpnclient/188.29.165.51:11091 MULTI: bad source address from client [10.0.98.209], packet dropped
Mon Jan 14 22:10:29 2019 daemon.notice openvpn(vpnserver)[1304]: vpnclient/188.29.165.51:11091 MULTI: bad source address from client [10.0.98.209], packet dropped
Mon Jan 14 22:10:30 2019 daemon.notice openvpn(vpnserver)[1304]: vpnclient/188.29.165.51:11091 MULTI: bad source address from client [10.0.98.209], packet dropped
Mon Jan 14 22:10:31 2019 daemon.notice openvpn(vpnserver)[1304]: vpnclient/188.29.165.51:11091 MULTI: bad source address from client [10.0.98.209], packet dropped
Mon Jan 14 22:10:32 2019 daemon.notice openvpn(vpnserver)[1304]: vpnclient/188.29.165.51:11091 MULTI: bad source address from client [10.0.98.209], packet dropped
Mon Jan 14 22:10:34 2019 daemon.notice openvpn(vpnserver)[1304]: vpnclient/188.29.165.51:11091 MULTI: bad source address from client [10.0.98.209], packet dropped
Mon Jan 14 22:10:38 2019 daemon.notice openvpn(vpnserver)[1304]: vpnclient/188.29.165.51:11091 MULTI: bad source address from client [10.0.98.209], packet dropped
Mon Jan 14 22:10:46 2019 daemon.notice openvpn(vpnserver)[1304]: vpnclient/188.29.165.51:11091 MULTI: bad source address from client [10.0.98.209], packet dropped
head -n -0 /var/etc/openvpn-*.conf
pgrep -f -a openvpn
ip -4 a; ip -4 r
head -n -0 /var/etc/openvpn-*.conf
client-to-client
float
persist-key
persist-tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/vpnserver.crt
compress lzo
dev tun0
dh /etc/openvpn/dh.pem
keepalive 10 120
key /etc/openvpn/vpnserver.key
port 1194
proto tcp
push "redirect-gateway def1"
push "compress lzo"
push "persist-tun"
push "persist-key"
push "route 192.168.0.0 255.255.255.0"
push "dhcp-option DNS 192.168.0.1"
push "dhcp-option DOMAIN lan"
server 192.168.200.0 255.255.255.0
tls-crypt /etc/openvpn/tc.pem
topology subnet
verb 5

pgrep -f -a openvpn
1304 /usr/sbin/openvpn --syslog openvpn(vpnserver) --status /var/run/openvpn.vpnserver.status --cd /var/etc --config openvpn-vpnserver.conf
ip -4 a; ip -4 r
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
5: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.0.3/24 brd 192.168.0.255 scope global br-lan
       valid_lft forever preferred_lft forever
7: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN qlen 100
    inet 192.168.200.1/24 brd 192.168.200.255 scope global tun0
       valid_lft forever preferred_lft forever
default via 192.168.0.1 dev br-lan 
192.168.0.0/24 dev br-lan scope link  src 192.168.0.3 
192.168.200.0/24 dev tun0 scope link  src 192.168.200.1 

Your client is putting packets into the tunnel using 10.0.98.209 as its address; it should have been assigned one in the 192.168.200.0/24 range.

Do you have the route to the VPN-network on your main router?

As a last resort you can try to change subnet to prevent routing collision and enable masquerading for LAN-zone:

uci set openvpn.vpnserver.server="10.10.10.0 255.255.255.0"
uci commit openvpn
service openvpn restart
uci set firewall.@zone[0].masq="1"
uci commit firewall
service firewall restart
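The server-side symptom above ("bad source address from client") is OpenVPN refusing to forward a packet whose source address is neither the one it assigned to that client nor a network covered by an iroute; the client-side symptom is a route whose netmask is wrong. As an added example (not from this thread, nor OpenWrt's or OpenVPN's own code), the Python below parses constructed server log lines of that shape, says whether each rejected source lies inside or outside the server pool, and validates the server pool and pushed routes from a constructed subset of the config posted above. The function names, the sample log lines and the documentation address in them are mine.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample log, shaped like the OpenWrt syslog lines in the thread
# (the client's public address is replaced by a documentation address).
SERVER_LOG = """\
Mon Jan 14 22:10:28 2019 daemon.notice openvpn(vpnserver)[1304]: vpnclient/198.51.100.7:11091 MULTI: bad source address from client [10.0.98.209], packet dropped
Mon Jan 14 22:10:29 2019 daemon.notice openvpn(vpnserver)[1304]: vpnclient/198.51.100.7:11091 MULTI: bad source address from client [10.0.98.209], packet dropped
Mon Jan 14 22:10:31 2019 daemon.notice openvpn(vpnserver)[1304]: vpnclient/198.51.100.7:11091 MULTI: bad source address from client [192.168.200.9], packet dropped
Mon Jan 14 22:10:40 2019 daemon.notice openvpn(vpnserver)[1304]: vpnclient/198.51.100.7:11091 MULTI: Learn: 192.168.200.2 -> vpnclient/198.51.100.7:11091
"""

# Constructed subset of the server config shown above (same directives).
SERVER_CONF = """\
dev tun0
proto tcp
push "redirect-gateway def1"
push "route 192.168.0.0 255.255.255.0"
push "dhcp-option DNS 192.168.0.1"
server 192.168.200.0 255.255.255.0
topology subnet
"""

BAD_SRC = re.compile(
    r"openvpn\([^)]+\)\[\d+\]: (?P<client>\S+) MULTI: bad source address "
    r"from client \[(?P<src>[0-9.]+)\], packet dropped"
)


def bad_sources(log_text):
    """(client, source address) for every packet the server refused to forward."""
    found = []
    for line in log_text.splitlines():
        m = BAD_SRC.search(line)
        if m:
            found.append((m["client"], m["src"]))
    return found


def validate_route(network, netmask):
    """Check a '<network> <netmask>' pair. Host bits set under the mask
    (e.g. 192.168.0.0 255.0.0.0) mean the mask is wrong; OpenVPN silently
    'corrects' such a route, which is how 192.0.0.0/8 appeared on the client."""
    try:
        return "ok", str(ip_network(f"{network}/{netmask}", strict=True))
    except ValueError as exc:
        return "error", str(exc)


def triage(log_text, server_directive, extra_nets=()):
    """Map each rejected source address to a verdict: outside the pool means
    the client is sending traffic from a foreign address (here its mobile
    IP); inside the pool means it is not the address assigned to that client
    and no iroute covers it."""
    status, pool_str = validate_route(*server_directive.split())
    if status != "ok":
        raise ValueError(f"server directive: {pool_str}")
    pool = ip_network(pool_str)
    allowed = [pool] + [ip_network(n) for n in extra_nets]
    verdicts = {}
    for _, src in bad_sources(log_text):
        if any(ip_address(src) in n for n in allowed):
            verdicts[src] = f"inside pool {pool} but not assigned to this client"
        else:
            verdicts[src] = f"outside pool {pool}"
    return verdicts


def check_config(conf_text):
    """Validate the 'server' pool and every pushed route: a bad mask or a
    route that overlaps the pool itself gives clients colliding routes."""
    server, routes = None, []
    for line in conf_text.splitlines():
        m = re.match(r"^server (\S+) (\S+)", line)
        if m:
            server = m.groups()
        m = re.match(r'^push "route (\S+) (\S+)"', line)
        if m:
            routes.append(m.groups())
    if server is None:
        return ["no server directive found"]
    status, pool_str = validate_route(*server)
    if status != "ok":
        return [f"server directive: {pool_str}"]
    pool = ip_network(pool_str)
    findings = []
    for net, mask in routes:
        status, val = validate_route(net, mask)
        if status != "ok":
            findings.append(f"pushed route: {val}")
        elif ip_network(val).overlaps(pool):
            findings.append(f"pushed route {val} overlaps VPN pool {pool}")
    return findings


if __name__ == "__main__":
    for src, verdict in triage(SERVER_LOG, "192.168.200.0 255.255.255.0").items():
        print(f"{src}: {verdict}")
    print("config findings:", check_config(SERVER_CONF) or "none")
```

Run against the posted config the checker finds nothing wrong on the server side, which matches the diagnosis in the thread: the pool and the pushed LAN route are sane, and the problem is the client injecting traffic from its own 10.0.98.209 address, which the server correctly drops.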

I have a secondary router as my VPN endpoint, and I did it a bit differently. My config works perfectly. I'll describe the broad strokes config -- if you need help implementing this, we'll go into the details.

First and most importantly, my VPN (i.e. secondary) router is actually connected via its WAN port to my LAN (so main router LAN > VPN router WAN).

The WAN on the VPN router has an IP within the main LAN (I have this assigned via DHCP with a static reservation on my primary router). The VPN router has a different network range for its LAN (this is mandatory), but the VPN router's LAN really isn't used for anything.

My OpenVPN server is configured with a smaller, but overlapping network relative to the VPN router's LAN, but I am careful to avoid conflicts. This part is admittedly unusual, but it works.

The OpenVPN server has a push directive to route to the main LAN. And the firewall allows forwarding from VPN > WAN in addition to opening the port(s) for the server as you would normally do.

For convenience sake, and because this is a device on the LAN side of my network, I have also allowed ssh and LuCI/web access over the WAN port of the VPN router. This is okay because my LAN is trusted, but normally you would never do this -- major security risk if it is directly internet accessible.

Now for some of the basic details:

  • Main LAN: 10.0.1.0/24

  • WAN of VPN router: DHCP from main LAN, has static reservation.

  • VPN router LAN: 10.0.2.0/24

  • DHCP of VPN router: 10.0.2.10-10.0.2.50 (this doesn't really ever get used)

  • OpenVPN server directive: server '10.0.2.208 255.255.255.240' (this is a /28 network with the server @ 10.0.2.241 and clients on 10.0.2.242-10.0.2.254; note that it does overlap the VPN router LAN but not the DHCP range for that LAN).

  • OpenVPN server push directives of note:

    • push 'route 10.0.1.0 255.255.255.0' (this is pushing a route to my main LAN)
    • push 'dhcp-option DNS 10.0.1.1' (my main router is this address, it serves my network's DNS)
  • Firewall notables:

    • VPN zone input=accept, output=accept, forward=reject, masq disabled
    • Forwarding: src=vpn, dest=wan

Hope this helps!
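As an added example (not from the post above, nor OpenWrt's own code), the check below takes the four ranges in this plan, derives the server address and client range from the server directive itself (the only line the daemon reads), and flags collisions: main LAN against router LAN, main LAN against the VPN pool, and the DHCP range against the pool in the case where, as here, the pool deliberately sits inside the router's LAN. The PLAN values are copied from the post; the function, its messages and the hypothetical bad plans in the test are mine, and it goes beyond the post by checking any such plan.

```python
from ipaddress import ip_address, ip_network

# Values copied from the addressing plan in the post above.
PLAN = {
    "main_lan": "10.0.1.0/24",
    "vpn_router_lan": "10.0.2.0/24",
    "dhcp_range": ("10.0.2.10", "10.0.2.50"),
    "server_directive": "10.0.2.208 255.255.255.240",
}


def check_plan(main_lan, vpn_router_lan, dhcp_range, server_directive):
    """Derive what the 'server' directive actually hands out and flag
    address collisions between the three ranges involved."""
    main = ip_network(main_lan)
    router = ip_network(vpn_router_lan)
    net, mask = server_directive.split()
    pool = ip_network(f"{net}/{mask}")  # strict: a wrong mask raises ValueError
    hosts = list(pool.hosts())
    dhcp_lo, dhcp_hi = (ip_address(a) for a in dhcp_range)

    result = {
        # with 'topology subnet' the server takes the first host address
        "server": str(hosts[0]),
        "clients": (str(hosts[1]), str(hosts[-1])),
        "problems": [],
        "notes": [],
    }
    if main.overlaps(router):
        result["problems"].append(f"main LAN {main} overlaps VPN router LAN {router}")
    if main.overlaps(pool):
        result["problems"].append(f"main LAN {main} overlaps VPN pool {pool}")

    dhcp_hits_pool = dhcp_lo <= pool.broadcast_address and dhcp_hi >= pool.network_address
    if pool.overlaps(router):
        if dhcp_hits_pool:
            result["problems"].append(
                f"DHCP range {dhcp_lo}-{dhcp_hi} overlaps VPN pool {pool}: "
                "a LAN host could receive a VPN client's address")
        else:
            result["notes"].append(
                f"VPN pool {pool} lies inside router LAN {router} "
                f"but outside DHCP range {dhcp_lo}-{dhcp_hi}")
    return result


if __name__ == "__main__":
    r = check_plan(**PLAN)
    print("server:", r["server"], "clients:", r["clients"])
    print("problems:", r["problems"] or "none")
    print("notes:", r["notes"])
```

The DHCP check is the one that matters in this layout: the pool overlapping the router LAN is harmless only as long as no LAN host can be leased an address from it, so widen the DHCP range into the /28 and the check turns the note into a problem.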

I will try it tonight and will post results.
Thanks everybody for the help!

I just tried that, it's still exactly the same.
I will try what psherman suggested in the previous post.

@gmytis -

It should go without saying, but my description should be used as a general template but must be adapted for your use...

  1. Be sure you adapt the network scopes appropriately (if necessary), since the specific networks I used may be different than the ones you are using now or that you might want to use.
  2. If you set your OpenVPN router's WAN port to be DHCP, you need to make sure you've set a static reservation from the main router so that its IP address is always known and consistent. If you set the WAN IP on the OpenVPN router manually, be sure to also set up the DNS and gateway addresses.
  3. Make sure you have port-forwarded the port(s) you'll be using for OpenVPN from your main router through to the IP of your OpenVPN router.
  4. And verify that you have a firewall traffic rule on the OpenVPN router that accepts inbound connections (for the port(s) from #3) on its WAN.

Finally done it!
Thanks psherman for the ideas.
Everything is working now.
I did one modification. My requirement is that when I'm connected from outside through the VPN,
I would be able to see all devices.
I bridged the wifi interfaces on the VPN router with wan, so now whoever connects through the VPN router's wifi will be on the same IP range as the main LAN, and I'm able to see them.

Glad it worked! I didn't realize you were also using this device as an AP, but it sounds like you got that working, too.
