OpenVPN Configuration on Dumb AP device

Hi,

I have been trying for hours now to modify my OpenVPN configuration to work on a device used as a dumb AP only.

WAN -> ROUTER with portforwarding to OpenWRT device -> OpenWRT device running OpenVPN Server.

It worked fine before, as I configured it according to the tutorial and the device was used as the router.
For several reasons I am no longer able to use OpenWrt as the main router.
I have configured the port forwarding to the OpenWrt device.

What works now is:
OpenVPN connection is established.

What doesn't work:
I cannot ping any machine. Not even the OpenWrt device.

Can somebody help me to modify the default configuration?

The dumb AP configuration was done like this:
https://openwrt.org/docs/guide-user/network/wifi/dumbap

For OpenVPN I used this:
https://openwrt.org/docs/guide-user/services/vpn/openvpn/comprehensive

Thank you

Please show diagnostics information:

ip a; ip r
uci show network
uci show firewall
uci show openvpn

Of course

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP qlen 1000
    link/ether 14:cc:20:47:25:27 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::16cc:20ff:fe47:2527/64 scope link 
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br-lan state UP qlen 1000
    link/ether 14:cc:20:47:25:26 brd ff:ff:ff:ff:ff:ff
6: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN qlen 100
    link/[65534] 
7: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 14:cc:20:47:25:27 brd ff:ff:ff:ff:ff:ff
    inet 192.168.72.2/24 brd 192.168.72.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 fde7:660e:1f81::1/60 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::16cc:20ff:fe47:2527/64 scope link 
       valid_lft forever preferred_lft forever
8: eth0.1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether 14:cc:20:47:25:27 brd ff:ff:ff:ff:ff:ff
9: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br-lan state UP qlen 1000
    link/ether 14:cc:20:47:25:24 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::16cc:20ff:fe47:2524/64 scope link 
       valid_lft forever preferred_lft forever
10: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether 14:cc:20:47:25:25 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::16cc:20ff:fe47:2525/64 scope link 
       valid_lft forever preferred_lft forever
default via 192.168.72.1 dev br-lan 
192.168.72.0/24 dev br-lan  src 192.168.72.2 
network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fde7:660e:1f81::/48'
network.lan=interface
network.lan.force_link='1'
network.lan.type='bridge'
network.lan.proto='static'
network.lan.ipaddr='192.168.72.2'
network.lan.netmask='255.255.255.0'
network.lan.gateway='192.168.72.1'
network.lan.ip6assign='60'
network.lan._orig_ifname='eth1 wlan0 wlan1'
network.lan._orig_bridge='true'
network.lan.ifname='eth0.1 eth1'
network.@switch[0]=switch
network.@switch[0].name='switch0'
network.@switch[0].reset='1'
network.@switch[0].enable_vlan='1'
network.@switch_vlan[0]=switch_vlan
network.@switch_vlan[0].device='switch0'
network.@switch_vlan[0].vlan='1'
network.@switch_vlan[0].ports='0 1 2 3 4 5'
network.@switch_vlan[0].vid='1'
network.vpn0=interface
network.vpn0.ifname='tun0'
network.vpn0.proto='none'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.@defaults[0]=defaults
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='DROP'
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].drop_invalid='1'
firewall.@rule[0]=rule
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[0].proto='tcp udp'
firewall.@rule[0].src='*'
firewall.@rule[0].dest_port='443'
firewall.@rule[0].name='Allow Forwarded VPN Request -> <device>'
firewall.@rule[1]=rule
firewall.@rule[1].target='ACCEPT'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].proto='tcp udp'
firewall.@rule[1].src='*'
firewall.@rule[1].src_ip='10.11.0.0/28'
firewall.@rule[1].dest_ip='192.168.72.0/24'
firewall.@rule[1].name='Allow VPN0 -> LAN'
firewall.@rule[2]=rule
firewall.@rule[2].target='ACCEPT'
firewall.@rule[2].proto='tcp udp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].src='*'
firewall.@rule[2].src_ip='10.11.0.0/28'
firewall.@rule[2].dest='*'
firewall.@rule[2].dest_ip='192.168.72.0/24'
firewall.@rule[2].name='Allow Forwarded VPN0 -> LAN'
firewall.@rule[3]=rule
firewall.@rule[3].target='ACCEPT'
firewall.@rule[3].proto='icmp'
firewall.@rule[3].icmp_type='echo-request'
firewall.@rule[3].src='*'
firewall.@rule[3].src_ip='10.11.0.0/28'
firewall.@rule[3].dest='lan'
firewall.@rule[3].name='Allow VPN0 (ICMP 8) -> <device> '
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].network='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='DROP'
firewall.@zone[1]=zone
firewall.@zone[1].name='vpn'
firewall.@zone[1].network='vpn0'
firewall.@zone[1].input='ACCEPT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='ACCEPT'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].dest='vpn'
firewall.@forwarding[0].src='lan'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].dest='lan'
firewall.@forwarding[1].src='vpn'
openvpn.vpnconfig=openvpn
openvpn.vpnconfig.enable='1'
openvpn.vpnconfig.port='443'
openvpn.vpnconfig.proto='tcp'
openvpn.vpnconfig.dev='tun'
openvpn.vpnconfig.client_to_client='1'
openvpn.vpnconfig.keepalive='10 120'
openvpn.vpnconfig.comp_lzo='yes'
openvpn.vpnconfig.persist_key='1'
openvpn.vpnconfig.persist_tun='1'
openvpn.vpnconfig.verb='3'
openvpn.vpnconfig.mute='20'
openvpn.vpnconfig.user='nobody'
openvpn.vpnconfig.group='nogroup'
openvpn.vpnconfig.status='/tmp/openvpn-status.log'
openvpn.vpnconfig.ca='/etc/easy-rsa/keys/ca.crt'
openvpn.vpnconfig.cert='/etc/easy-rsa/keys/server.crt'
openvpn.vpnconfig.key='/etc/easy-rsa/keys/server.key'
openvpn.vpnconfig.dh='/etc/easy-rsa/keys/dh1024.pem'
openvpn.vpnconfig.server='10.11.0.0 255.255.255.0'
openvpn.vpnconfig.push='route 192.168.72.0 255.255.255.0' 'dhcp-option DNS 192.168.72.1' 'dhcp-option DOMAIN 192.168.72.1'

Hi,

It's been 2 weeks now. Does nobody have an idea?

Thanks

I suspect the VPN client deletes/overrides some IPv4 routes.
Try to access OpenWRT via IPv6.

I think you need a static route on your main router for the VPN network, 10.11.0.0/24, via 192.168.72.2. Otherwise it doesn't know where to send the return traffic to the VPN clients. The alternative is to enable masquerade on the lan zone of the dumb AP. (uci set firewall.@zone[0].masq=1)
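To show why both fixes work, here is an added example (not code from the thread or from OpenWrt) that models the main router's return-path lookup with longest-prefix match, using the addresses from this thread; the upstream gateway 203.0.113.1 and the VPN client address 10.11.0.6 are constructed for the example.

```python
import ipaddress

# Addresses from the thread: dumb AP at 192.168.72.2, main router at
# 192.168.72.1, OpenVPN hands out 10.11.0.0/24 on the AP's tun0.
AP_LAN_IP = "192.168.72.2"
VPN_SUBNET = "10.11.0.0/24"

# Main router's table before any fix: its own LAN (hop None = on-link)
# plus a default route. The upstream gateway address is constructed.
ROUTER_TABLE_BEFORE = [
    ("192.168.72.0/24", None),
    ("0.0.0.0/0", "203.0.113.1"),
]
# Same table after adding the static route suggested above.
ROUTER_TABLE_WITH_STATIC = ROUTER_TABLE_BEFORE + [(VPN_SUBNET, AP_LAN_IP)]


def next_hop(table, dst):
    """Longest-prefix match; on-link destinations are delivered directly."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for prefix, hop in table:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    if best is None:
        return None
    return best[1] if best[1] is not None else str(dst_ip)


def reply_next_hop(table, vpn_client, masquerade):
    """Where the main router sends its reply to a packet from a VPN client.

    With masq on the AP's lan zone the packet arrived with the AP's own
    address as source, so the reply is addressed to the AP, not the client.
    """
    reply_dst = AP_LAN_IP if masquerade else vpn_client
    return next_hop(table, reply_dst)


if __name__ == "__main__":
    client = "10.11.0.6"  # constructed address from the OpenVPN pool
    print("no fix:       ", reply_next_hop(ROUTER_TABLE_BEFORE, client, False))
    print("static route: ", reply_next_hop(ROUTER_TABLE_WITH_STATIC, client, False))
    print("masquerade:   ", reply_next_hop(ROUTER_TABLE_BEFORE, client, True))
```

Without a fix the reply to 10.11.0.6 follows the default route out to the WAN and is lost; with either fix it reaches 192.168.72.2. Note that masquerade hides the real client address from LAN hosts (their logs show 192.168.72.2), whereas the static route preserves it.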

Thanks, masquerading the lan zone did the trick :)
It works now!
