OpenVPN connect to router but not local subnet

I have this exact same implementation on 6 different other routers that I service. Everything is exactly the same and all OpenVPN servers are running on 18.6.4.

I was setting up a new one yesterday with 19.07.3 and with installing openvpn-openssl and making the following configuration changes as I have done on all other routers, I find this one is not working like the others. If I sign onto the 192.168.7.1 OpenVPN server directly, I can ping all devices on the 192.168.7.x subnet and can FTP, access internal web servers, etc. However if I open a VPN tunnel into this router, I can only access the 192.168.7.1 address on the subnet which is the router itself.

I don't have network training nor do I understand routing tables but can anyone guide me to a simple fix? Was something changed in the OpenVPN package that would make this setup stop working that I have been using for years or did I get a bad piece of hardware?

Configuration files: (works on all 18.6.4 servers but not on 19.07.3 new server)

***** Updated after testing with option masq '1' and option mtu_fix '1' test which does not fix the problem

OPENVPN SERVER

IP: 192.168.7.1


====================
FILE: /etc/config/ddns ......

(configured for dydns and is working properly)

====================
FILE: /etc/config/firewall ......

# begin of DJ add
config rule
	option name  Allow-OpenVPN-Inbound 
	option target  ACCEPT 
	option src  * 
	option proto  udp 
	option dest_port  1194 

config zone
	option name 'vpn'
	option input 'ACCEPT'
#https://forum.openwrt.org/t/cant-run-ping-under-diagnostics-with-openvpn-client-active/59977/7
#	option forward 'ACCEPT'  <-- changing this doesn't fix problem
	option forward 'REJECT'
	option output 'ACCEPT'
	option network 'vpn0'
#    note adding or removing the following two lines 
#    does not resolve the problem
	option masq '1' 
	option mtu_fix '1'


config forwarding
	option src  vpn 
	option dest  wan 

config forwarding
        option src  vpn 
        option dest  lan 

config forwarding
        option src  lan 
        option dest  vpn 

# end of DJ add

====================
FILE: /etc/config/network ......

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
#	option ipaddr '192.168.1.1'
# begin of DJ add
	option ipaddr '192.168.7.1'
# end of DJ add
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option ifname 'eth0.2'
#	option proto 'dhcp'
# begin of DJ add
	option proto 'pppoe'
	option username 'myISPid'
	option password 'myISPpassword'
	option ipv6 'auto'
# end of DJ add


# begin of DJ add

config interface 'vpn0'
	option ifname 'tun0'
	option proto 'none'
	option auto '1'

# end of DJ add

====================
FILE: /etc/config/openvpn ......

config openvpn 'myvpn'
	option enabled '1'
	option verb '3'
	option port '1194'
	option proto 'udp'
	option dev 'tun'
	option server '10.8.0.0 255.255.255.0'
	option ca '/etc/openvpn/ca.crt'
	option cert '/etc/openvpn/server.crt'
	option key '/etc/openvpn/server.key'
	option dh '/etc/openvpn/dh2048.pem'
	option keepalive '10 120'
	option status '/var/log/openvpn-status.log'
	list push 'route 192.168.7.0 255.255.255.0'
	list push 'redirect-gateway def1'
	list push 'dhcp-option DNS 192.168.7.1'

====================

FILE: Windows Client OpenVPN 
(config file openvpn.opvn)

client
dev tun
proto udp
remote-cert-tls server
remote dydnsclient.dydns.com 1194
ca client.crt
cert user1.crt
key user1.key
ns-cert-type server
verb 3

====================
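
An added example, not part of the original thread: a Python check, run on a workstation against a copy of /etc/config/firewall, that the tunnel's network belongs to a zone and that a forwarding from that zone to the destination zone exists. The sample text is constructed from the sections posted above; the function names are illustrative.

```python
import shlex

# Constructed sample: the vpn zone and forwardings from the post's firewall file.
SAMPLE = """
config zone
    option name 'vpn'
    option input 'ACCEPT'
#   option forward 'ACCEPT'  <-- changing this doesn't fix problem
    option forward 'REJECT'
    option output 'ACCEPT'
    option network 'vpn0'

config forwarding
    option src vpn
    option dest wan

config forwarding
    option src vpn
    option dest lan
"""

def parse_uci(text):
    """Parse UCI text into a list of (section_type, {option: [values]})."""
    sections = []
    for line in text.splitlines():
        tok = shlex.split(line, comments=True)  # handles quotes and '#' comments
        if not tok:
            continue
        if tok[0] == "config" and len(tok) >= 2:
            sections.append((tok[1], {}))
        elif tok[0] in ("option", "list") and len(tok) >= 3 and sections:
            # an 'option network' value may itself be a space-separated list
            sections[-1][1].setdefault(tok[1], []).extend(tok[2].split())
    return sections

def tunnel_reaches(text, tun_network, dest_zone):
    """Return (allowed, reason) for traffic from tun_network into dest_zone."""
    sections = parse_uci(text)
    src_zone = next((o.get("name", ["?"])[0] for k, o in sections
                     if k == "zone" and tun_network in o.get("network", [])), None)
    if src_zone is None:
        return False, f"no zone covers network {tun_network!r}"
    # Inter-zone traffic needs an explicit one-way 'config forwarding' section;
    # the zone's own 'forward' policy only governs traffic inside that zone.
    for k, o in sections:
        if k == "forwarding" and o.get("src") == [src_zone] and o.get("dest") == [dest_zone]:
            return True, f"forwarding {src_zone} -> {dest_zone} present"
    return False, f"no forwarding {src_zone} -> {dest_zone}"
```

For the posted configuration, `tunnel_reaches(SAMPLE, "vpn0", "lan")` reports the forwarding as present, which is consistent with the router side being set up correctly.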

Everything looks good, from my quick read-through. Is there anything interesting in the logs (can you post them here -- both sides ideally)?

Have you tried rebooting the router? I know that's a silly one, but sometimes can help if something didn't actually get applied properly.

How are you testing -- what network are you on when you activate OpenVPN? Is it the same network as the OpenWrt router or a different/remote network (i.e. cellular or a different location)? What is the subnet of your test system (i.e. is it on the 192.168.7.0/24 network even if it is not the same network as the OpenWrt router in question)? Have you tried with another system -- a mobile phone or another PC or a Mac?


What's the output of ip -4 addr ; ip -4 ro li tab all ; ip -4 ru when the tunnel's up?


retracted IP address

OK, I made a serious mistake, the cable to one device I was testing had come loose but that still does not address the second issue which I will describe in a moment. After reseating the cable to the Android box, I find I can indeed ping that device while I still cannot ping the OpenWRT device I am using as a server.

I normally have 2 devices on this router, one is an Android TV box and the other is a router that I am using as a Samba server and the way it is hooked up is that I have disabled DHCP in this router and assigned a static address to the LAN and I have the LAN of this SAMBA server attached to the LAN of the OpenVPN router. On the SAMBA router I have done as I have with other setups exactly like this and on those I set the SAMBA server LAN IP outside of the range of the DHCP of the OpenVPN router and I disabled the DHCP server in the SAMBA (OpenWRT base) server.

Now what is occurring is that I can indeed access the Android box from the OpenVPN router while tunneled in but I cannot access the LAN of the secondary router (SAMBA server) which does not use the WAN port but I am attempting to access it via the LAN port as I have done over the years with many devices running OpenWRT.

Again, I have this setup in one on other location but the routers are running the 18.06.4 version of OpenWRT and not the 19.x. With them I have always been able to use the routers as additional access points and SAMBA servers, but I am now assuming that something inside the SAMBA router is blocking incoming ping and connect requests over the LAN. In the past, an OpenWRT-enabled router could be used as an access point, server, etc. and the LAN ports can be used as if the device was a device on a switch and other appliances on that same subnet could also be used to connect via that switch.

Now that this router has 19.07.3, I can't access it as a normal LAN appliance like I have done with other OpenWRT routers with previous versions of firmware.


**** OK .. news flash. I plugged in more appliances into the various LAN ports of the (openWRT) SAMBA server, so the server is what is blocking incoming packets and not the outgoing OpenVPN server. This is while tunneled in.

I am closing this and opening another problem now that I have discovered the issue is not the OpenVPN router but instead the OpenWRT router I am using as a simple LAN server appliance.

Thanks everyone who helped.
