fabfour
September 28, 2018, 9:04am
Hi,
I have been trying for hours now to modify my OpenVPN configuration to work on a device used as a dumb AP only.
WAN -> ROUTER with port forwarding to OpenWrt device -> OpenWrt device running OpenVPN server.
It worked fine before, when I had configured it according to the tutorial and the device was used as the router.
For several reasons I am no longer able to use OpenWrt as the main router.
I have configured the port forwarding to the openwrt device.
What works now is:
OpenVPN connection is established.
What doesn't work:
I cannot ping any machine. Not even the OpenWrt device.
Can somebody help me to modify the default configuration?
Dumb AP configuration was done like this:
https://openwrt.org/docs/guide-user/network/wifi/dumbap
For OpenVPN I used this:
https://openwrt.org/docs/guide-user/services/vpn/openvpn/comprehensive
Thank you
Please show diagnostics information:
ip a; ip r
uci show network
uci show firewall
uci show openvpn
fabfour
September 28, 2018, 12:26pm
Of course
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP qlen 1000
link/ether 14:cc:20:47:25:27 brd ff:ff:ff:ff:ff:ff
inet6 fe80::16cc:20ff:fe47:2527/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br-lan state UP qlen 1000
link/ether 14:cc:20:47:25:26 brd ff:ff:ff:ff:ff:ff
6: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN qlen 100
link/[65534]
7: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
link/ether 14:cc:20:47:25:27 brd ff:ff:ff:ff:ff:ff
inet 192.168.72.2/24 brd 192.168.72.255 scope global br-lan
valid_lft forever preferred_lft forever
inet6 fde7:660e:1f81::1/60 scope global
valid_lft forever preferred_lft forever
inet6 fe80::16cc:20ff:fe47:2527/64 scope link
valid_lft forever preferred_lft forever
8: eth0.1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
link/ether 14:cc:20:47:25:27 brd ff:ff:ff:ff:ff:ff
9: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br-lan state UP qlen 1000
link/ether 14:cc:20:47:25:24 brd ff:ff:ff:ff:ff:ff
inet6 fe80::16cc:20ff:fe47:2524/64 scope link
valid_lft forever preferred_lft forever
10: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
link/ether 14:cc:20:47:25:25 brd ff:ff:ff:ff:ff:ff
inet6 fe80::16cc:20ff:fe47:2525/64 scope link
valid_lft forever preferred_lft forever
default via 192.168.72.1 dev br-lan
192.168.72.0/24 dev br-lan src 192.168.72.2
network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fde7:660e:1f81::/48'
network.lan=interface
network.lan.force_link='1'
network.lan.type='bridge'
network.lan.proto='static'
network.lan.ipaddr='192.168.72.2'
network.lan.netmask='255.255.255.0'
network.lan.gateway='192.168.72.1'
network.lan.ip6assign='60'
network.lan._orig_ifname='eth1 wlan0 wlan1'
network.lan._orig_bridge='true'
network.lan.ifname='eth0.1 eth1'
network.@switch[0]=switch
network.@switch[0].name='switch0'
network.@switch[0].reset='1'
network.@switch[0].enable_vlan='1'
network.@switch_vlan[0]=switch_vlan
network.@switch_vlan[0].device='switch0'
network.@switch_vlan[0].vlan='1'
network.@switch_vlan[0].ports='0 1 2 3 4 5'
network.@switch_vlan[0].vid='1'
network.vpn0=interface
network.vpn0.ifname='tun0'
network.vpn0.proto='none'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.@defaults[0]=defaults
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='DROP'
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].drop_invalid='1'
firewall.@rule[0]=rule
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[0].proto='tcp udp'
firewall.@rule[0].src='*'
firewall.@rule[0].dest_port='443'
firewall.@rule[0].name='Allow Forwarded VPN Request -> <device>'
firewall.@rule[1]=rule
firewall.@rule[1].target='ACCEPT'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].proto='tcp udp'
firewall.@rule[1].src='*'
firewall.@rule[1].src_ip='10.11.0.0/28'
firewall.@rule[1].dest_ip='192.168.72.0/24'
firewall.@rule[1].name='Allow VPN0 -> LAN'
firewall.@rule[2]=rule
firewall.@rule[2].target='ACCEPT'
firewall.@rule[2].proto='tcp udp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].src='*'
firewall.@rule[2].src_ip='10.11.0.0/28'
firewall.@rule[2].dest='*'
firewall.@rule[2].dest_ip='192.168.72.0/24'
firewall.@rule[2].name='Allow Forwarded VPN0 -> LAN'
firewall.@rule[3]=rule
firewall.@rule[3].target='ACCEPT'
firewall.@rule[3].proto='icmp'
firewall.@rule[3].icmp_type='echo-request'
firewall.@rule[3].src='*'
firewall.@rule[3].src_ip='10.11.0.0/28'
firewall.@rule[3].dest='lan'
firewall.@rule[3].name='Allow VPN0 (ICMP 8) -> <device> '
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].network='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='DROP'
firewall.@zone[1]=zone
firewall.@zone[1].name='vpn'
firewall.@zone[1].network='vpn0'
firewall.@zone[1].input='ACCEPT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='ACCEPT'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].dest='vpn'
firewall.@forwarding[0].src='lan'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].dest='lan'
firewall.@forwarding[1].src='vpn'
openvpn.vpnconfig=openvpn
openvpn.vpnconfig.enable='1'
openvpn.vpnconfig.port='443'
openvpn.vpnconfig.proto='tcp'
openvpn.vpnconfig.dev='tun'
openvpn.vpnconfig.client_to_client='1'
openvpn.vpnconfig.keepalive='10 120'
openvpn.vpnconfig.comp_lzo='yes'
openvpn.vpnconfig.persist_key='1'
openvpn.vpnconfig.persist_tun='1'
openvpn.vpnconfig.verb='3'
openvpn.vpnconfig.mute='20'
openvpn.vpnconfig.user='nobody'
openvpn.vpnconfig.group='nogroup'
openvpn.vpnconfig.status='/tmp/openvpn-status.log'
openvpn.vpnconfig.ca='/etc/easy-rsa/keys/ca.crt'
openvpn.vpnconfig.cert='/etc/easy-rsa/keys/server.crt'
openvpn.vpnconfig.key='/etc/easy-rsa/keys/server.key'
openvpn.vpnconfig.dh='/etc/easy-rsa/keys/dh1024.pem'
openvpn.vpnconfig.server='10.11.0.0 255.255.255.0'
openvpn.vpnconfig.push='route 192.168.72.0 255.255.255.0' 'dhcp-option DNS 192.168.72.1' 'dhcp-option DOMAIN 192.168.72.1'
Hi,
it has been 2 weeks now. Does nobody have an idea?
Thanks
I suspect the VPN client deletes/overrides some IPv4 routes.
Try to access OpenWrt via IPv6.
mikma
October 12, 2018, 8:51am
I think you need a static route on your main router for the vpn network, 10.11.0.0/24, via 192.168.72.2. Otherwise it doesn't know where to send the return traffic to the VPN clients. The alternative is to enable masquerade on the lan zone of the dumb AP (uci set firewall.@zone[0].masq=1).
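An added illustration, not part of the thread, of why both fixes mikma suggests work: a small Python routing simulation that follows the LAN host's echo reply back towards the VPN client, using the thread's addresses (LAN 192.168.72.0/24, main router 192.168.72.1, dumb AP / OpenVPN server 192.168.72.2, VPN pool 10.11.0.0/24). The LAN host 192.168.72.50, the VPN client 10.11.0.6 and the main router's upstream gateway 203.0.113.1 are assumed values. One defender-relevant difference the simulation makes visible: with the static route, LAN hosts and their logs still see the real 10.11.0.x client address; with masquerading every VPN client appears as 192.168.72.2.

```python
import ipaddress

# Addresses from the thread (LAN, main router, AP, VPN pool) plus assumed
# hosts: a LAN machine, the VPN client's tunnel address, the ISP gateway.
MAIN_ROUTER = "192.168.72.1"
AP = "192.168.72.2"                 # dumb AP running the OpenVPN server
LAN_HOST = "192.168.72.50"          # assumed LAN machine the client pings
VPN_CLIENT = "10.11.0.6"            # assumed address from the 10.11.0.0/24 pool
WAN_GATEWAY = "203.0.113.1"         # assumed upstream hop of the main router

# Routing tables as (prefix, next hop) lists; "on-link" means deliver directly.
LAN_HOST_TABLE = [("192.168.72.0/24", "on-link"), ("0.0.0.0/0", MAIN_ROUTER)]
MAIN_ROUTER_NO_VPN_ROUTE = [("192.168.72.0/24", "on-link"), ("0.0.0.0/0", WAN_GATEWAY)]
MAIN_ROUTER_STATIC_ROUTE = MAIN_ROUTER_NO_VPN_ROUTE + [("10.11.0.0/24", AP)]


def lookup(table, dst):
    """Longest-prefix match over a (prefix, next_hop) table; None if no route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def trace_reply(main_router_table, masq):
    """Return the hops the LAN host's echo reply takes towards the VPN client.

    Without masquerading the request arrives from 10.11.0.6, so the reply is
    addressed there; the LAN host has no route for 10.11.0.0/24 and hands it to
    its default gateway, the main router, which drops it into its WAN default
    route unless it has the static route via the AP. With masquerading on the
    AP's lan zone the request was source-NATed to 192.168.72.2, so the reply
    goes to the AP directly, on-link, and the main router is never involved.
    """
    reply_dst = AP if masq else VPN_CLIENT
    path = ["lan-host"]
    if lookup(LAN_HOST_TABLE, reply_dst) == "on-link":
        path.append("ap")
        return path
    path.append("main-router")
    path.append("ap" if lookup(main_router_table, reply_dst) == AP else "wan")
    return path


if __name__ == "__main__":
    print("no fix:       ", trace_reply(MAIN_ROUTER_NO_VPN_ROUTE, masq=False))
    print("static route: ", trace_reply(MAIN_ROUTER_STATIC_ROUTE, masq=False))
    print("masquerade:   ", trace_reply(MAIN_ROUTER_NO_VPN_ROUTE, masq=True))
```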
Thanks, masquerading the LAN zone did the trick.
It works now!
system
Closed
October 22, 2018, 9:53am
This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.