OpenVPN Connect from iOS - LEDE blocking internet or LAN access

Hello,

I've seen many threads on the same issue with slightly different scenarios, and I've tried a lot of things to get the iOS "OpenVPN Connect" app to work. I got the iOS app to establish a VPN connection successfuly after getting past some TLS certificate and cipher config issues (iOS did not support some TLS ciphers and tap interface, it only uses tun).

After the phone connects, the router still appears to be blocking access to LAN and WAN.

I'm sure this is probably an easy routing or firewall rule fix but I've been up way too late and had way too little sleep to figure out the way to configure this on LEDE. Please help!

Router uci configs:

Note: I left the "sample_*" default OpenVPN configs disabled and created one called "vega_ethbridge". Originally thinking I could use tap interface and bridge ethernet. However, the iOS app only supports tun interface, so I reconfigured and left the name alone.

root@vega:~# uci show network; uci show firewall; uci show dhcp; uci show openvpn

network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fdc5:8b89:9846::/48'
network.lan=interface
network.lan.type='bridge'
network.lan.ifname='eth0'
network.lan.proto='static'
network.lan.ipaddr='192.168.1.1'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.wan=interface
network.wan.ifname='eth1'
network.wan.proto='dhcp'
network.wan.hostname='vega'
network.wan.macaddr='XX:XX:XX:XX:XX:XX'
network.wan6=interface
network.wan6.ifname='eth1'
network.wan6.proto='dhcpv6'
network.@switch[0]=switch
network.@switch[0].name='switch0'
network.@switch[0].reset='1'
network.@switch[0].enable_vlan='1'
network.@switch_vlan[0]=switch_vlan
network.@switch_vlan[0].device='switch0'
network.@switch_vlan[0].vlan='1'
network.@switch_vlan[0].ports='0 1 2 3 5'
network.@switch_vlan[1]=switch_vlan
network.@switch_vlan[1].device='switch0'
network.@switch_vlan[1].vlan='2'
network.@switch_vlan[1].ports='4 6'
network.vega_ethbridge_vpn=interface
network.vega_ethbridge_vpn.ifname='tun0'
network.vega_ethbridge_vpn.proto='none'
firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@defaults[0].drop_invalid='1'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[0].masq='1'
firewall.@zone[0].network='lan'
firewall.@zone[1]=zone
firewall.@zone[1].name='vpn'
firewall.@zone[1].input='ACCEPT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].masq='1'
firewall.@zone[1].network='vega_ethbridge_vpn'
firewall.@zone[1].forward='ACCEPT'
firewall.@zone[2]=zone
firewall.@zone[2].name='wan'
firewall.@zone[2].input='REJECT'
firewall.@zone[2].output='ACCEPT'
firewall.@zone[2].forward='REJECT'
firewall.@zone[2].masq='1'
firewall.@zone[2].mtu_fix='1'
firewall.@zone[2].network='wan wan6'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].src='vpn'
firewall.@forwarding[1].dest='wan'
firewall.@forwarding[2]=forwarding
firewall.@forwarding[2].src='vpn'
firewall.@forwarding[2].dest='lan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'

firewall.@rule[9]=rule
firewall.@rule[9].target='ACCEPT'
firewall.@rule[9].src='wan'
firewall.@rule[9].proto='udp'
firewall.@rule[9].dest_port='1194'
firewall.@rule[9].name='Allow-OpenVPN-UDP'
firewall.@rule[10]=rule
firewall.@rule[10].target='ACCEPT'
firewall.@rule[10].src='wan'
firewall.@rule[10].proto='udp'
firewall.@rule[10].dest_port='1194'
firewall.@rule[10].name='Allow-OpenVPN-UDP-IPv6'
firewall.@rule[10].family='ipv6'
firewall.@rule[11]=rule
firewall.@rule[11].target='ACCEPT'
firewall.@rule[11].src='wan'
firewall.@rule[11].proto='tcp'
firewall.@rule[11].dest_port='1194'
firewall.@rule[11].name='Allow-OpenVPN-TCP'
firewall.@rule[12]=rule
firewall.@rule[12].target='ACCEPT'
firewall.@rule[12].src='wan'
firewall.@rule[12].proto='tcp'
firewall.@rule[12].dest_port='1194'
firewall.@rule[12].name='Allow-OpenVPN-TCP-IPv6'
firewall.@rule[12].family='ipv6'

dhcp.@dnsmasq[0]=dnsmasq
dhcp.@dnsmasq[0].domainneeded='1'
dhcp.@dnsmasq[0].boguspriv='1'
dhcp.@dnsmasq[0].localise_queries='1'
dhcp.@dnsmasq[0].rebind_protection='1'
dhcp.@dnsmasq[0].rebind_localhost='1'
dhcp.@dnsmasq[0].expandhosts='1'
dhcp.@dnsmasq[0].authoritative='1'
dhcp.@dnsmasq[0].readethers='1'
dhcp.@dnsmasq[0].leasefile='/tmp/dhcp.leases'
dhcp.@dnsmasq[0].resolvfile='/tmp/resolv.conf.auto'
dhcp.@dnsmasq[0].localservice='1'
dhcp.@dnsmasq[0].nonwildcard='0'
dhcp.@dnsmasq[0].local='/local/'
dhcp.@dnsmasq[0].domain='local'

dhcp.lan=dhcp
dhcp.lan.interface='lan'
dhcp.lan.start='100'
dhcp.lan.limit='150'
dhcp.lan.leasetime='12h'
dhcp.lan.dhcpv6='server'
dhcp.lan.ra='server'
dhcp.wan=dhcp
dhcp.wan.interface='wan'
dhcp.wan.ignore='1'
dhcp.odhcpd=odhcpd
dhcp.odhcpd.maindhcp='0'
dhcp.odhcpd.leasefile='/tmp/hosts/odhcpd'
dhcp.odhcpd.leasetrigger='/usr/sbin/odhcpd-update'

openvpn.custom_config=openvpn
openvpn.custom_config.config='/etc/openvpn/my-vpn.conf'
openvpn.sample_server=openvpn
openvpn.sample_server.port='1194'
openvpn.sample_server.proto='udp'
openvpn.sample_server.dev='tun'
openvpn.sample_server.ca='/etc/openvpn/ca.crt'
openvpn.sample_server.cert='/etc/openvpn/server.crt'
openvpn.sample_server.key='/etc/openvpn/server.key'
openvpn.sample_server.dh='/etc/openvpn/dh1024.pem'
openvpn.sample_server.server='10.8.0.0 255.255.255.0'
openvpn.sample_server.ifconfig_pool_persist='/tmp/ipp.txt'
openvpn.sample_server.keepalive='10 120'
openvpn.sample_server.compress='lzo'
openvpn.sample_server.persist_key='1'
openvpn.sample_server.persist_tun='1'
openvpn.sample_server.user='nobody'
openvpn.sample_server.status='/tmp/openvpn-status.log'
openvpn.sample_server.verb='3'
openvpn.sample_client=openvpn
openvpn.sample_client.client='1'
openvpn.sample_client.dev='tun'
openvpn.sample_client.proto='udp'
openvpn.sample_client.remote='my_server_1 1194'
openvpn.sample_client.resolv_retry='infinite'
openvpn.sample_client.nobind='1'
openvpn.sample_client.persist_key='1'
openvpn.sample_client.persist_tun='1'
openvpn.sample_client.user='nobody'
openvpn.sample_client.ca='/etc/openvpn/ca.crt'
openvpn.sample_client.cert='/etc/openvpn/client.crt'
openvpn.sample_client.key='/etc/openvpn/client.key'
openvpn.sample_client.compress='lzo'
openvpn.sample_client.verb='3'

openvpn.vega_ethbridge=openvpn
openvpn.vega_ethbridge.mode='server'
openvpn.vega_ethbridge.port='1194'
openvpn.vega_ethbridge.user='nobody'
openvpn.vega_ethbridge.group='nogroup'
openvpn.vega_ethbridge.server='10.8.0.0 255.255.255.0'
openvpn.vega_ethbridge.proto='tcp'
openvpn.vega_ethbridge.ifconfig_pool_persist='/tmp/ipp.txt'
openvpn.vega_ethbridge.keepalive='10 60'
openvpn.vega_ethbridge.comp_lzo='yes'
openvpn.vega_ethbridge.tun_ipv6='1'
openvpn.vega_ethbridge.ca='/etc/luci-uploads/cbid.openvpn.vega_ethbridge.ca'
openvpn.vega_ethbridge.pkcs12='/etc/luci-uploads/cbid.openvpn.vega_ethbridge.pkcs12'
openvpn.vega_ethbridge.enabled='1'
openvpn.vega_ethbridge.tls_server='1'
openvpn.vega_ethbridge.tls_version_min='1.2'
openvpn.vega_ethbridge.dh='/etc/openvpn/dhparam-secure-4096.pem'
openvpn.vega_ethbridge.auth='SHA256'
openvpn.vega_ethbridge.push='redirect-gateway autolocal' 'route 192.168.1.0 255.255.255.0' 'dhcp-option DNS 192.168.1.1' 'route-gateway dhcp'
openvpn.vega_ethbridge.cipher='AES-256-CBC'
openvpn.vega_ethbridge.tls_cipher='TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384:TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256:!LOW:!EXP:!SRP'
openvpn.vega_ethbridge.persist_tun='1'
openvpn.vega_ethbridge.persist_key='1'
openvpn.vega_ethbridge.verb='4'
openvpn.vega_ethbridge.dev='tun'


root@vega:~# ip a; ip r; ip ru

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br-lan state UP group default qlen 532
    link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 532
    link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff
    inet 73.229.24.45/23 brd 73.229.25.255 scope global eth1
       valid_lft forever preferred_lft forever
    inet6 2001:558:6040:3:6d93:f47f:c1d8:db68/128 scope global noprefixroute dynamic
       valid_lft 154130sec preferred_lft 154130sec
    inet6 fe80::9610:3eff:fe02:ef03/64 scope link
       valid_lft forever preferred_lft forever
6: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 2601:280:4a00:66d5::1/64 scope global noprefixroute dynamic
       valid_lft 154130sec preferred_lft 154130sec
    inet6 fdc5:8b89:9846::1/60 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fe80::9610:3eff:fe01:1e04/64 scope link
       valid_lft forever preferred_lft forever
8: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br-lan state UP group default qlen 1000
    link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff
    inet6 fe80::225:9cff:fe13:3c05/64 scope link
       valid_lft forever preferred_lft forever
9: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br-lan state UP group default qlen 1000
    link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff
    inet6 fe80::225:9cff:fe13:3c06/64 scope link
       valid_lft forever preferred_lft forever
49: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
    link/none
    inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0
       valid_lft forever preferred_lft forever


default via 123.45.6.1 dev eth1  proto static  src 123.45.6.7
10.8.0.0/24 via 10.8.0.2 dev tun0
10.8.0.2 dev tun0  proto kernel  scope link  src 10.8.0.1
123.45.6.0/23 dev eth1  proto kernel  scope link  src 123.45.6.7
123.45.6.1 dev eth1  proto static  scope link  src 123.45.6.7
192.168.1.0/24 dev br-lan  proto kernel  scope link  src 192.168.1.1


0:	from all lookup local
32766:	from all lookup main
32767:	from all lookup default

Router config files:

In case these are easier to read:

Network Config:

root@vega:~# cat /etc/config/network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdc5:8b89:9846::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option ifname 'eth1'
	option proto 'dhcp'
	option hostname 'vega'
	option macaddr 'XX:XX:XX:XX:XX:XX'

config interface 'wan6'
	option ifname 'eth1'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 1 2 3 5'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '4 6'

config interface 'vega_ethbridge_vpn'
	option ifname 'tun0'
	option proto 'none'

Firewall Config:

root@vega:~# sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1

root@vega:~# cat /etc/config/firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option drop_invalid '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'
	option network 'lan'

config zone
	option name 'vpn'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option masq '1'
	option network 'vega_ethbridge_vpn'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config forwarding
	option src 'vpn'
	option dest 'wan'

config forwarding
	option src 'vpn'
	option dest 'lan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config rule
	option target 'ACCEPT'
	option src 'wan'
	option proto 'udp'
	option dest_port '1194'
	option name 'Allow-OpenVPN-UDP'

config rule
	option target 'ACCEPT'
	option src 'wan'
	option proto 'udp'
	option dest_port '1194'
	option name 'Allow-OpenVPN-UDP-IPv6'
	option family 'ipv6'

config rule
	option target 'ACCEPT'
	option src 'wan'
	option proto 'tcp'
	option dest_port '1194'
	option name 'Allow-OpenVPN-TCP'

config rule
	option target 'ACCEPT'
	option src 'wan'
	option proto 'tcp'
	option dest_port '1194'
	option name 'Allow-OpenVPN-TCP-IPv6'
	option family 'ipv6'

OpenVPN Server Configs:

root@vega:~# cat /etc/config/openvpn

config openvpn 'custom_config'
	option config '/etc/openvpn/my-vpn.conf'

config openvpn 'sample_server'
	option port '1194'
	option proto 'udp'
	option dev 'tun'
	option ca '/etc/openvpn/ca.crt'
	option cert '/etc/openvpn/server.crt'
	option key '/etc/openvpn/server.key'
	option dh '/etc/openvpn/dh1024.pem'
	option server '10.8.0.0 255.255.255.0'
	option ifconfig_pool_persist '/tmp/ipp.txt'
	option keepalive '10 120'
	option compress 'lzo'
	option persist_key '1'
	option persist_tun '1'
	option user 'nobody'
	option status '/tmp/openvpn-status.log'
	option verb '3'

config openvpn 'sample_client'
	option client '1'
	option dev 'tun'
	option proto 'udp'
	list remote 'my_server_1 1194'
	option resolv_retry 'infinite'
	option nobind '1'
	option persist_key '1'
	option persist_tun '1'
	option user 'nobody'
	option ca '/etc/openvpn/ca.crt'
	option cert '/etc/openvpn/client.crt'
	option key '/etc/openvpn/client.key'
	option compress 'lzo'
	option verb '3'

config openvpn 'vega_ethbridge'
	option mode 'server'
	option port '1194'
	option user 'nobody'
	option group 'nogroup'
	option server '10.8.0.0 255.255.255.0'
	option proto 'tcp'
	option ifconfig_pool_persist '/tmp/ipp.txt'
	option keepalive '10 60'
	option comp_lzo 'yes'
	option tun_ipv6 '1'
	option ca '/etc/luci-uploads/cbid.openvpn.vega_ethbridge.ca'
	option pkcs12 '/etc/luci-uploads/cbid.openvpn.vega_ethbridge.pkcs12'
	option enabled '1'
	option tls_server '1'
	option tls_version_min '1.2'
	option dh '/etc/openvpn/dhparam-secure-4096.pem'
	option auth 'SHA256'
#	list push 'redirect-gateway def1'
	list push 'redirect-gateway autolocal'
	list push 'route 192.168.1.0 255.255.255.0'
	list push 'dhcp-option DNS 192.168.1.1'
	list push 'route-gateway dhcp'
	option cipher 'AES-256-CBC'
	option tls_cipher 'TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384:TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256:!LOW:!EXP:!SRP'
	option persist_tun '1'
	option persist_key '1'
	option verb '4'
	option dev 'tun'
root@vega:~# cat /var/etc/openvpn-vega_ethbridge.conf
persist-key
persist-tun
tls-server
tun-ipv6
auth SHA256
ca /etc/luci-uploads/cbid.openvpn.vega_ethbridge.ca
cipher AES-256-CBC
comp-lzo yes
dev tun
dh /etc/openvpn/dhparam-secure-4096.pem
group nogroup
ifconfig-pool-persist /tmp/ipp.txt
keepalive 10 60
mode server
pkcs12 /etc/luci-uploads/cbid.openvpn.vega_ethbridge.pkcs12
port 1194
proto tcp
push "redirect-gateway autolocal"
push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS 192.168.1.1"
push "route-gateway dhcp"
server 10.8.0.0 255.255.255.0
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384:TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256:!LOW:!EXP:!SRP
tls-version-min 1.2
user nobody
verb 4

OpenVPN Client Config (iOS "OpenVPN Connect" App)

client
tls-client
dev tun
proto tcp
remote myledeserver.scrubbed.com 1194
tun-mtu 6000
# fragment 0 can be used to improve performance in some instances but
# breaks compatibility with some Android apps
# fragment 0
mssfix 0
resolv-retry infinite
compress lzo
nobind
persist-key
persist-tun
mute-replay-warnings
#ns-cert-type server
# New option for OpenVPN >= v2.5
remote-cert-tls server
verb 3
# Route all traffic through OpenVPN
#redirect-gateway def1
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
auth SHA256
cipher AES-256-CBC
# TLS auth key direction for client
# Couldn't get this to work yet...
#key-direction 1
#<tls-auth>
#
# 2048 bit OpenVPN static key
#
# -----BEGIN OpenVPN Static key V1-----
# [...SNIP...]
# </tls-auth>
<ca>
-----BEGIN CERTIFICATE-----
[...SNIP...]
-----END CERTIFICATE-----
</ca>
<cert>
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
[...SNIP...]
    Signature Algorithm: sha256WithRSAEncryption
[...SNIP...]
-----BEGIN CERTIFICATE-----
[...SNIP...]
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
[...SNIP...]
-----END RSA PRIVATE KEY-----
</key>

# Hand generated configuration file from vega.local LEDE Reboot 17.01.4 r3560-79f57e422d arm_cortex-a9_vfpv3 mvebu/generic
# Wed Jul 03 11:17:00 UTC 2017 MCF1

2 Likes

Symptoms:

  • iOS OpenVPN Connect app is able to establish connection successfully
  • No network connectivity to LAN or WAN
  • Traceroute and Ping from "Mocha Ping Lite" iOS app fail with timeout on all of: 8.8.8.8, 192.168.1.1, 10.8.0.1
  • iOS Chrome Web browser shows timeout when trying to access web services on local LAN IPs without DNS

Looks like some routing or firewall issue? I've not been able to think clearly enough to debug this further, and am quickly running out of time (flight leaving soon) and energy (not enough sleep) to keep banging my head on this without some help.

The tested connection from iOS was done over it’s cell network LTE data connection to the WAN IP of the OpenWrt router. I turned off the cell phone’s WiFi to ensure it routed out to the WAN side. Once connected, it was expected to tunnel all traffic to both LAN and internet through the VPN connection as a secure tunnel.

Here is the OpenVPN Client connection log from the iOS app:

OpenVPN Client Logs:

2019-07-04 16:01:09 Client terminated, restarting in 2000 ms...

2019-07-04 16:01:11 EVENT: RECONNECTING

2019-07-04 16:01:11 EVENT: RESOLVE

2019-07-04 16:01:11 Contacting [123.45.6.7]:1194/TCP via TCP

2019-07-04 16:01:11 EVENT: WAIT

2019-07-04 16:01:12 Connecting to [myledeserver.scrubbed.com]:1194 (123.45.6.7) via TCPv4

2019-07-04 16:01:12 EVENT: CONNECTING

2019-07-04 16:01:12 Tunnel Options:V4,dev-type tun,link-mtu 6072,tun-mtu 6000,proto TCPv4_CLIENT,comp-lzo,cipher AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-client

2019-07-04 16:01:12 Creds: UsernameEmpty/PasswordEmpty

2019-07-04 16:01:12 Peer Info:
IV_GUI_VER=net.openvpn.connect.ios 3.0.2-894
IV_VER=3.2
IV_PLAT=ios
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2
IV_LZO_STUB=1
IV_COMP_STUB=1
IV_COMP_STUBv2=1
IV_AUTO_SESS=1


2019-07-04 16:01:12 VERIFY OK : depth=1
cert. version     : 3
serial number     : XX:XX:XX:XX:XX:XX:XX:XX
issuer name       : C=US, ST=Colorado, L=Broomfield, O=LyraPhase, OU=DevOps, CN=Easy-RSA CA, emailAddress=admin@myledeserver.scrubbed.com
subject name      : C=US, ST=Colorado, L=Broomfield, O=LyraPhase, OU=DevOps, CN=Easy-RSA CA, emailAddress=admin@myledeserver.scrubbed.com
issued  on        : 2017-07-31 08:42:23
expires on        : 2027-07-29 08:42:23
signed using      : RSA with SHA-256
RSA key size      : 2048 bits
basic constraints : CA=true
key usage         : Key Cert Sign, CRL Sign


2019-07-04 16:01:12 VERIFY OK : depth=0
cert. version     : 3
serial number     : XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
issuer name       : C=US, ST=Colorado, L=Broomfield, O=LyraPhase, OU=DevOps, CN=Easy-RSA CA
subject name      : C=US, ST=Colorado, L=Broomfield, O=LyraPhase, OU=DevOps, CN=myledeserver.scrubbed.com, emailAddress=admin@myledeserver.scrubbed.com
issued  on        : 2019-07-04 04:44:53
expires on        : 2029-07-01 04:44:53
signed using      : RSA with SHA-256
RSA key size      : 2048 bits
basic constraints : CA=false
subject alt name  : myledeserver.scrubbed.com
key usage         : Digital Signature, Key Encipherment
ext key usage     : TLS Web Server Authentication


2019-07-04 16:01:12 SSL Handshake: TLSv1.2/TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384

2019-07-04 16:01:12 Session is ACTIVE

2019-07-04 16:01:12 EVENT: GET_CONFIG

2019-07-04 16:01:12 Sending PUSH_REQUEST to server...

2019-07-04 16:01:12 OPTIONS:
0 [redirect-gateway] [autolocal] 
1 [route] [192.168.1.0] [255.255.255.0] 
2 [dhcp-option] [DNS] [192.168.1.1] 
3 [route-gateway] [dhcp] 
4 [route] [10.8.0.1] 
5 [topology] [net30] 
6 [ping] [10] 
7 [ping-restart] [60] 
8 [ifconfig] [10.8.0.6] [10.8.0.5] 
9 [peer-id] [0] 
10 [cipher] [AES-256-GCM] 


2019-07-04 16:01:12 PROTOCOL OPTIONS:
  cipher: AES-256-GCM
  digest: SHA256
  compress: COMP_STUB
  peer ID: 0

2019-07-04 16:01:12 EVENT: ASSIGN_IP

2019-07-04 16:01:12 NIP: preparing TUN network settings

2019-07-04 16:01:12 NIP: init TUN network settings with endpoint: 123.45.6.7

2019-07-04 16:01:12 NIP: adding IPv4 address to network settings 10.8.0.6/255.255.255.252

2019-07-04 16:01:12 NIP: adding (included) IPv4 route 10.8.0.4/30

2019-07-04 16:01:12 NIP: adding (included) IPv4 route 192.168.1.0/24

2019-07-04 16:01:12 NIP: adding (included) IPv4 route 10.8.0.1/32

2019-07-04 16:01:12 NIP: redirecting all IPv4 traffic to TUN interface

2019-07-04 16:01:12 NIP: adding DNS 192.168.1.1

2019-07-04 16:01:12 NIP: setting MTU to 6000

2019-07-04 16:01:12 Connected via NetworkExtensionTUN

2019-07-04 16:01:12 LZO-ASYM init swap=0 asym=1

2019-07-04 16:01:12 Comp-stub init swap=1

2019-07-04 16:01:12 EVENT: CONNECTED myledeserver.scrubbed.com:1194 (123.45.6.7) via /TCPv4 on NetworkExtensionTUN/10.8.0.6/ gw=[/]

OpenVPN Server Logs

Thu Jul  4 22:01:12 2019 daemon.notice openvpn(vega_ethbridge)[1062]: MULTI: multi_create_instance called
Thu Jul  4 22:01:12 2019 daemon.notice openvpn(vega_ethbridge)[1062]: Re-using SSL/TLS context
Thu Jul  4 22:01:12 2019 daemon.notice openvpn(vega_ethbridge)[1062]: LZO compression initializing
Thu Jul  4 22:01:12 2019 daemon.notice openvpn(vega_ethbridge)[1062]: Control Channel MTU parms [ L:1624 D:1210 EF:40 EB:0 ET:0 EL:3 ]
Thu Jul  4 22:01:12 2019 daemon.notice openvpn(vega_ethbridge)[1062]: Data Channel MTU parms [ L:1624 D:1450 EF:124 EB:406 ET:0 EL:3 ]
Thu Jul  4 22:01:12 2019 daemon.notice openvpn(vega_ethbridge)[1062]: Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1572,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,cipher AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-server'
Thu Jul  4 22:01:12 2019 daemon.notice openvpn(vega_ethbridge)[1062]: Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1572,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,cipher AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-client'
Thu Jul  4 22:01:12 2019 daemon.notice openvpn(vega_ethbridge)[1062]: TCP connection established with [AF_INET]172.58.63.104:35833
Thu Jul  4 22:01:12 2019 daemon.notice openvpn(vega_ethbridge)[1062]: TCPv4_SERVER link local: (not bound)
Thu Jul  4 22:01:12 2019 daemon.notice openvpn(vega_ethbridge)[1062]: TCPv4_SERVER link remote: [AF_INET]172.58.63.104:35833
Thu Jul  4 22:01:12 2019 daemon.notice openvpn(vega_ethbridge)[1062]: 172.58.63.104:35833 TLS: Initial packet from [AF_INET]172.58.63.104:35833, sid=f03865f5 0d9325e1
Thu Jul  4 22:01:12 2019 daemon.notice openvpn(vega_ethbridge)[1062]: 172.58.63.104:35833 VERIFY OK: depth=1, C=US, ST=Colorado, L=Broomfield, O=LyraPhase, OU=DevOps, CN=Easy-RSA CA, emailAddress=admin@myledeserver.scrubbed.com
Thu Jul  4 22:01:12 2019 daemon.notice openvpn(vega_ethbridge)[1062]: 172.58.63.104:35833 VERIFY OK: depth=0, C=US, ST=Colorado, L=Broomfield, O=LyraPhase, OU=DevOps, CN=xPhone, emailAddress=admin@myledeserver.scrubbed.com
Thu Jul  4 22:01:12 2019 daemon.notice openvpn(vega_ethbridge)[1062]: 172.58.63.104:35833 peer info: IV_GUI_VER=net.openvpn.connect.ios_3.0.2-894
Thu Jul  4 22:01:12 2019 daemon.notice openvpn(vega_ethbridge)[1062]: 172.58.63.104:35833 peer info: IV_VER=3.2
Thu Jul  4 22:01:12 2019 daemon.notice openvpn(vega_ethbridge)[1062]: 172.58.63.104:35833 peer info: IV_PLAT=ios
Thu Jul  4 22:01:12 2019 daemon.notice openvpn(vega_ethbridge)[1062]: 172.58.63.104:35833 peer info: IV_NCP=2
Thu Jul  4 22:01:12 2019 daemon.notice openvpn(vega_ethbridge)[1062]: 172.58.63.104:35833 peer info: IV_TCPNL=1
Thu Jul  4 22:01:12 2019 daemon.notice openvpn(vega_ethbridge)[1062]: 172.58.63.104:35833 peer info: IV_PROTO=2
Thu Jul  4 22:01:12 2019 daemon.notice openvpn(vega_ethbridge)[1062]: 172.58.63.104:35833 peer info: IV_LZO_STUB=1
Thu Jul  4 22:01:12 2019 daemon.notice openvpn(vega_ethbridge)[1062]: 172.58.63.104:35833 peer info: IV_COMP_STUB=1
Thu Jul  4 22:01:12 2019 daemon.notice openvpn(vega_ethbridge)[1062]: 172.58.63.104:35833 peer info: IV_COMP_STUBv2=1
Thu Jul  4 22:01:12 2019 daemon.notice openvpn(vega_ethbridge)[1062]: 172.58.63.104:35833 peer info: IV_AUTO_SESS=1
Thu Jul  4 22:01:12 2019 daemon.warn openvpn(vega_ethbridge)[1062]: 172.58.63.104:35833 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1572', remote='link-mtu 6072'
Thu Jul  4 22:01:12 2019 daemon.warn openvpn(vega_ethbridge)[1062]: 172.58.63.104:35833 WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1500', remote='tun-mtu 6000'
Thu Jul  4 22:01:12 2019 daemon.notice openvpn(vega_ethbridge)[1062]: 172.58.63.104:35833 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-SHA384, 2048 bit RSA
Thu Jul  4 22:01:12 2019 daemon.notice openvpn(vega_ethbridge)[1062]: 172.58.63.104:35833 [xPhone] Peer Connection Initiated with [AF_INET]172.58.63.104:35833
Thu Jul  4 22:01:12 2019 daemon.notice openvpn(vega_ethbridge)[1062]: xPhone/172.58.63.104:35833 MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)
Thu Jul  4 22:01:12 2019 daemon.notice openvpn(vega_ethbridge)[1062]: xPhone/172.58.63.104:35833 MULTI: Learn: 10.8.0.6 -> xPhone/172.58.63.104:35833
Thu Jul  4 22:01:12 2019 daemon.notice openvpn(vega_ethbridge)[1062]: xPhone/172.58.63.104:35833 MULTI: primary virtual IP for xPhone/172.58.63.104:35833: 10.8.0.6
Thu Jul  4 22:01:12 2019 daemon.notice openvpn(vega_ethbridge)[1062]: xPhone/172.58.63.104:35833 PUSH: Received control message: 'PUSH_REQUEST'
Thu Jul  4 22:01:12 2019 daemon.notice openvpn(vega_ethbridge)[1062]: xPhone/172.58.63.104:35833 SENT CONTROL [xPhone]: 'PUSH_REPLY,redirect-gateway autolocal,route 192.168.1.0 255.255.255.0,dhcp-option DNS 192.168.1.1,route-gateway dhcp,route 10.8.0.1,topology net30,ping 10,ping-restart 60,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM' (status=1)
Thu Jul  4 22:01:12 2019 daemon.notice openvpn(vega_ethbridge)[1062]: xPhone/172.58.63.104:35833 Data Channel: using negotiated cipher 'AES-256-GCM'
Thu Jul  4 22:01:12 2019 daemon.notice openvpn(vega_ethbridge)[1062]: xPhone/172.58.63.104:35833 Data Channel MTU parms [ L:1552 D:1450 EF:52 EB:406 ET:0 EL:3 ]
Thu Jul  4 22:01:12 2019 daemon.notice openvpn(vega_ethbridge)[1062]: xPhone/172.58.63.104:35833 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Jul  4 22:01:12 2019 daemon.notice openvpn(vega_ethbridge)[1062]: xPhone/172.58.63.104:35833 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Jul  4 22:03:13 2019 daemon.notice openvpn(vega_ethbridge)[1062]: xPhone/172.58.63.104:35833 [xPhone] Inactivity timeout (--ping-restart), restarting
Thu Jul  4 22:03:13 2019 daemon.notice openvpn(vega_ethbridge)[1062]: xPhone/172.58.63.104:35833 SIGUSR1[soft,ping-restart] received, client-instance restarting
Thu Jul  4 22:03:13 2019 daemon.notice openvpn(vega_ethbridge)[1062]: TCP/UDP: Closing socket
Thu Jul  4 22:03:19 2019 daemon.notice openvpn(vega_ethbridge)[1062]: MULTI: multi_create_instance called
1 Like