OpenVPN Connected but No Internet

Hey, I followed this guide exactly: https://openwrt.org/docs/guide-user/services/vpn/openvpn/server.setup

But I am unable to successfully connect.

Here is my tmp/openvpn.log

Fri Aug 24 21:01:11 2018 us=424333 OpenVPN 2.4.5 arm-openwrt-linux-gnu [SSL (mbed TLS)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Fri Aug 24 21:01:11 2018 us=424407 library versions: mbed TLS 2.12.0, LZO 2.10
Fri Aug 24 21:01:11 2018 us=424757 Diffie-Hellman initialized with 2048 bit key
Fri Aug 24 21:01:11 2018 us=426144 WARNING: failed to personalise random
Fri Aug 24 21:01:11 2018 us=426387 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Aug 24 21:01:11 2018 us=426438 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Aug 24 21:01:11 2018 us=426487 TLS-Auth MTU parms [ L:1624 D:1182 EF:68 EB:0 ET:0 EL:3 ]
Fri Aug 24 21:01:11 2018 us=427386 TUN/TAP device ovpns0 opened
Fri Aug 24 21:01:11 2018 us=427593 TUN/TAP TX queue length set to 100
Fri Aug 24 21:01:11 2018 us=427660 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Fri Aug 24 21:01:11 2018 us=427731 /sbin/ifconfig ovpns0 192.168.200.1 netmask 255.255.255.0 mtu 1500 broadcast 192.168.200.255
Fri Aug 24 21:01:11 2018 us=432721 Data Channel MTU parms [ L:1624 D:1450 EF:124 EB:406 ET:0 EL:3 ]
Fri Aug 24 21:01:11 2018 us=432818 Could not determine IPv4/IPv6 protocol. Using AF_INET
Fri Aug 24 21:01:11 2018 us=432872 Socket Buffers: R=[87380->87380] S=[16384->16384]
Fri Aug 24 21:01:11 2018 us=432925 Listening for incoming TCP connection on [AF_INET][undef]:1194
Fri Aug 24 21:01:11 2018 us=432973 TCPv4_SERVER link local (bound): [AF_INET][undef]:1194
Fri Aug 24 21:01:11 2018 us=433011 TCPv4_SERVER link remote: [AF_UNSPEC]
Fri Aug 24 21:01:11 2018 us=433052 MULTI: multi_init called, r=256 v=256
Fri Aug 24 21:01:11 2018 us=433111 IFCONFIG POOL: base=192.168.200.2 size=252, ipv6=0
Fri Aug 24 21:01:11 2018 us=433190 MULTI: TCP INIT maxclients=1024 maxevents=1028
Fri Aug 24 21:01:11 2018 us=433303 Initialization Sequence Completed
Options error: Unrecognized option or missing or extra parameter(s) in openvpn-VPNserver.conf:16: pkcs12 (2.4.5)
Use --help for more information.

Here is my client log (using Tunnelblick on MacOS):

*Tunnelblick: OS X 10.13.6; Tunnelblick 3.7.6a (build 5080); Admin user
git commit 6fdd1f713d2f62963325336c09e74808321191cb


Configuration Nicknamelan

"Sanitized" condensed configuration file for /Library/Application Support/Tunnelblick/Shared/Nicknamelan.tblk:

client
dev tun
proto udp
fast-io
remote xx.xxx.xx.xx 1194
remote-cert-tls server
nobind
persist-key
persist-tun
compress lzo
verb 3
key-direction 1
pull-filter ignore "block-outside-dns"
<ca>
[Security-related line(s) omitted]
</ca>
<cert>
[Security-related line(s) omitted]
</cert>
<key>
[Security-related line(s) omitted]
</key>
<tls-auth>
[Security-related line(s) omitted]
</tls-auth>


================================================================================

Non-Apple kexts that are loaded:

================================================================================

There are no unusual files in Nicknamelan.tblk

================================================================================

Configuration preferences:

-notOKToCheckThatIPAddressDidNotChangeAfterConnection = 0
-loggingLevel = 7
-lastConnectionSucceeded = 0

================================================================================

Wildcard preferences:

-notOKToCheckThatIPAddressDidNotChangeAfterConnection = 0

================================================================================

Program preferences:

launchAtNextLogin = 1
tunnelblickVersionHistory = (
    "3.7.6a (build 5080)"
)
lastLaunchTime = 556862591.8539391
lastLanguageAtLaunchWasRTL = 0
connectionWindowDisplayCriteria = showWhenConnecting
maxLogDisplaySize = 102400
keyboardShortcutIndex = 1
updateCheckAutomatically = 1
NSWindow Frame ConnectingWindow = 525 518 389 187 0 0 1440 878 
detailsWindowFrameVersion = 5080
detailsWindowFrame = {{191, 286}, {920, 468}}
detailsWindowLeftFrame = {{0, 0}, {165, 350}}
detailsWindowViewIndex = 0
detailsWindowConfigurationsTabIdentifier = log
leftNavSelectedDisplayName = Nicknamelan
AdvancedWindowTabIdentifier = connectingAndDisconnecting
haveDealtWithOldTunTapPreferences = 1
haveDealtWithOldLoginItem = 1
haveDealtWithAfterDisconnect = 1
SUEnableAutomaticChecks = 1
SUScheduledCheckInterval = 86400
SULastCheckTime = 2018-08-25 04:03:12 +0000
SUHasLaunchedBefore = 1
WebKitDefaultFontSize = 16
WebKitStandardFont = Times

================================================================================

Tunnelblick Log:

*Tunnelblick: OS X 10.13.6; Tunnelblick 3.7.6a (build 5080)
2018-08-24 21:03:53 *Tunnelblick: Attempting connection with Nicknamelan; Set nameserver = 1793; monitoring connection
2018-08-24 21:03:53 *Tunnelblick: openvpnstart start Nicknamelan.tblk 60499 1793 0 3 0 1065264 -ptADGNWradsgnw 2.4.6-openssl-1.0.2o
2018-08-24 21:03:53 NOTE: debug verbosity (--verb 7) is enabled but this build lacks debug support.
2018-08-24 21:03:53 NOTE: debug verbosity (--verb 7) is enabled but this build lacks debug support.
2018-08-24 21:03:53 us=981867 Current Parameter Settings:
2018-08-24 21:03:53 us=981921   config = '/Library/Application Support/Tunnelblick/Shared/Nicknamelan.tblk/Contents/Resources/config.ovpn'
2018-08-24 21:03:53 us=981941   mode = 0
2018-08-24 21:03:53 us=981956   show_ciphers = DISABLED
2018-08-24 21:03:53 us=981970   show_digests = DISABLED
2018-08-24 21:03:53 us=981984   show_engines = DISABLED
2018-08-24 21:03:53 us=981997   genkey = DISABLED
2018-08-24 21:03:53 us=982011   key_pass_file = '[UNDEF]'
2018-08-24 21:03:53 us=982025   show_tls_ciphers = DISABLED
2018-08-24 21:03:53 us=982038   connect_retry_max = 0
2018-08-24 21:03:53 us=982052 Connection profiles [0]:
2018-08-24 21:03:53 us=982066   proto = udp
2018-08-24 21:03:53 us=982079   local = '[UNDEF]'
2018-08-24 21:03:53 us=982093   local_port = '[UNDEF]'
2018-08-24 21:03:53 us=982106   remote = 'xx.xxx.xx.xx'
2018-08-24 21:03:53 us=982120   remote_port = '1194'
2018-08-24 21:03:53 us=982134   remote_float = DISABLED
2018-08-24 21:03:53 us=982147   bind_defined = DISABLED
2018-08-24 21:03:53 us=982161   bind_local = DISABLED
2018-08-24 21:03:53 us=982174   bind_ipv6_only = DISABLED
2018-08-24 21:03:53 us=982187   connect_retry_seconds = 5
2018-08-24 21:03:53 us=982201   connect_timeout = 120
2018-08-24 21:03:53 us=982215   xormethod = 0
2018-08-24 21:03:53 us=982228   xormask = ''
2018-08-24 21:03:53 us=982242   xormasklen = 0
2018-08-24 21:03:53 us=982255   socks_proxy_server = '[UNDEF]'
2018-08-24 21:03:53 us=982269   socks_proxy_port = '[UNDEF]'
2018-08-24 21:03:53 us=982283   tun_mtu = 1500
2018-08-24 21:03:53 us=982296   tun_mtu_defined = ENABLED
2018-08-24 21:03:53 us=982309   link_mtu = 1500
2018-08-24 21:03:53 us=982323   link_mtu_defined = DISABLED
2018-08-24 21:03:53 us=982336   tun_mtu_extra = 0
2018-08-24 21:03:53 us=982350   tun_mtu_extra_defined = DISABLED
2018-08-24 21:03:53 us=982363   mtu_discover_type = -1
2018-08-24 21:03:53 us=982377   fragment = 0
2018-08-24 21:03:53 us=982390   mssfix = 1450
2018-08-24 21:03:53 us=982403   explicit_exit_notification = 0
2018-08-24 21:03:53 us=982417 Connection profiles END
2018-08-24 21:03:53 us=982430   remote_random = DISABLED
2018-08-24 21:03:53 us=982444   ipchange = '[UNDEF]'
2018-08-24 21:03:53 us=982457   dev = 'tun'
2018-08-24 21:03:53 us=982471   dev_type = '[UNDEF]'
2018-08-24 21:03:53 us=982484   dev_node = '[UNDEF]'
2018-08-24 21:03:53 us=982498   lladdr = '[UNDEF]'
2018-08-24 21:03:53 us=982511   topology = 1
2018-08-24 21:03:53 us=982524   ifconfig_local = '[UNDEF]'
2018-08-24 21:03:53 us=982538   ifconfig_remote_netmask = '[UNDEF]'
2018-08-24 21:03:53 us=982551   ifconfig_noexec = DISABLED
2018-08-24 21:03:53 us=982565   ifconfig_nowarn = DISABLED
2018-08-24 21:03:53 us=982578   ifconfig_ipv6_local = '[UNDEF]'
2018-08-24 21:03:53 us=982591   ifconfig_ipv6_netbits = 0
2018-08-24 21:03:53 us=982605   ifconfig_ipv6_remote = '[UNDEF]'
2018-08-24 21:03:53 us=982618   shaper = 0
2018-08-24 21:03:53 us=982631   mtu_test = 0
2018-08-24 21:03:53 us=982644   mlock = DISABLED
2018-08-24 21:03:53 us=982657   keepalive_ping = 0
2018-08-24 21:03:53 us=982671   keepalive_timeout = 0
2018-08-24 21:03:53 us=982683   inactivity_timeout = 0
2018-08-24 21:03:53 us=982696   ping_send_timeout = 0
2018-08-24 21:03:53 us=982709   ping_rec_timeout = 0
2018-08-24 21:03:53 us=982723   ping_rec_timeout_action = 0
2018-08-24 21:03:53 us=982735   ping_timer_remote = DISABLED
2018-08-24 21:03:53 us=982749   remap_sigusr1 = 0
2018-08-24 21:03:53 us=982762   persist_tun = ENABLED
2018-08-24 21:03:53 us=982775   persist_local_ip = DISABLED
2018-08-24 21:03:53 us=982817   persist_remote_ip = DISABLED
2018-08-24 21:03:53 us=982838   persist_key = ENABLED
2018-08-24 21:03:53 us=982853   passtos = DISABLED
2018-08-24 21:03:53 us=982866   resolve_retry_seconds = 1000000000
2018-08-24 21:03:53 us=982880   resolve_in_advance = DISABLED
2018-08-24 21:03:53 us=982893   username = '[UNDEF]'
2018-08-24 21:03:53 us=982906   groupname = '[UNDEF]'
2018-08-24 21:03:53 us=982919   chroot_dir = '[UNDEF]'
2018-08-24 21:03:53 us=982933   cd_dir = '/Library/Application Support/Tunnelblick/Shared/Nicknamelan.tblk/Contents/Resources'
2018-08-24 21:03:53 us=982947   writepid = '[UNDEF]'
2018-08-24 21:03:53 us=982960   up_script = '/Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw'
2018-08-24 21:03:53 us=982974   down_script = '/Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw'
2018-08-24 21:03:53 us=982987   down_pre = DISABLED
2018-08-24 21:03:53 us=983000   up_restart = DISABLED
2018-08-24 21:03:53 us=983039   up_delay = DISABLED
2018-08-24 21:03:53 us=983053   daemon = ENABLED
2018-08-24 21:03:53 us=983066   inetd = 0
2018-08-24 21:03:53 us=983079   log = ENABLED
2018-08-24 21:03:53 us=983092   suppress_timestamps = DISABLED
2018-08-24 21:03:53 us=983106   machine_readable_output = DISABLED
2018-08-24 21:03:53 us=983119   nice = 0
2018-08-24 21:03:53 us=983132   verbosity = 7
2018-08-24 21:03:53 us=983145   mute = 0
2018-08-24 21:03:53 us=983159   status_file = '[UNDEF]'
2018-08-24 21:03:53 us=983172   status_file_version = 1
2018-08-24 21:03:53 us=983185   status_file_update_freq = 60
2018-08-24 21:03:53 us=983198   occ = ENABLED
2018-08-24 21:03:53 us=983212   rcvbuf = 0
2018-08-24 21:03:53 us=983225   sndbuf = 0
2018-08-24 21:03:53 us=983238   sockflags = 0
2018-08-24 21:03:53 us=983260   fast_io = ENABLED
2018-08-24 21:03:53 us=983274   comp.alg = 2
2018-08-24 21:03:53 us=983287   comp.flags = 0
2018-08-24 21:03:53 us=983303   route_script = '[UNDEF]'
2018-08-24 21:03:53 us=983317   route_default_gateway = '[UNDEF]'
2018-08-24 21:03:53 us=983331   route_default_metric = 0
2018-08-24 21:03:53 us=983345   route_noexec = DISABLED
2018-08-24 21:03:53 us=983359   route_delay = 0
2018-08-24 21:03:53 us=983373   route_delay_window = 30
2018-08-24 21:03:53 us=983387   route_delay_defined = DISABLED
2018-08-24 21:03:53 us=983402   route_nopull = DISABLED
2018-08-24 21:03:53 us=983416   route_gateway_via_dhcp = DISABLED
2018-08-24 21:03:53 us=983430   allow_pull_fqdn = DISABLED
2018-08-24 21:03:53 us=983444   Pull filters:
2018-08-24 21:03:53 us=983458     ignore "block-outside-dns"
2018-08-24 21:03:53 us=983471   management_addr = '127.0.0.1'
2018-08-24 21:03:53 us=983485   management_port = '60499'
2018-08-24 21:03:53 us=983499   management_user_pass = '/Library/Application Support/Tunnelblick/bbpgcegiaikmcpdfgokkapbhdallpenkebbipnie.mip'
2018-08-24 21:03:53 us=983513   management_log_history_cache = 250
2018-08-24 21:03:53 us=983527   management_echo_buffer_size = 100
2018-08-24 21:03:53 us=983541   management_write_peer_info_file = '[UNDEF]'
2018-08-24 21:03:53 us=983557   management_client_user = '[UNDEF]'
2018-08-24 21:03:53 us=983571   management_client_group = '[UNDEF]'
2018-08-24 21:03:53 us=983585   management_flags = 6
2018-08-24 21:03:53 us=983598   shared_secret_file = '[UNDEF]'
2018-08-24 21:03:53 us=983619   key_direction = 1
2018-08-24 21:03:53 us=983633   ciphername = 'BF-CBC'
2018-08-24 21:03:53 us=983646   ncp_enabled = ENABLED
2018-08-24 21:03:53 us=983660   ncp_ciphers = 'AES-256-GCM:AES-128-GCM'
2018-08-24 21:03:53 us=983675   authname = 'SHA1'
2018-08-24 21:03:53 us=983689   prng_hash = 'SHA1'
2018-08-24 21:03:53 us=983704   prng_nonce_secret_len = 16
2018-08-24 21:03:53 us=983739   keysize = 0
2018-08-24 21:03:53 us=983753   engine = DISABLED
2018-08-24 21:03:53 us=983767   replay = ENABLED
2018-08-24 21:03:53 us=983785   mute_replay_warnings = DISABLED
2018-08-24 21:03:53 us=983800   replay_window = 64
2018-08-24 21:03:53 us=983814   replay_time = 15
2018-08-24 21:03:53 us=983834   packet_id_file = '[UNDEF]'
2018-08-24 21:03:53 us=983853   use_iv = ENABLED
2018-08-24 21:03:53 us=983867   test_crypto = DISABLED
2018-08-24 21:03:53 us=983881   tls_server = DISABLED
2018-08-24 21:03:53 us=983895   tls_client = ENABLED
2018-08-24 21:03:53 us=983908   key_method = 2
2018-08-24 21:03:53 us=983925   ca_file = '[[INLINE]]'
2018-08-24 21:03:53 us=983939   ca_path = '[UNDEF]'
2018-08-24 21:03:53 us=983978   dh_file = '[UNDEF]'
2018-08-24 21:03:53 us=983993   cert_file = '[[INLINE]]'
2018-08-24 21:03:53 us=984006   extra_certs_file = '[UNDEF]'
2018-08-24 21:03:53 us=984109   priv_key_file = '[[INLINE]]'
2018-08-24 21:03:53 us=984160   pkcs12_file = '[UNDEF]'
2018-08-24 21:03:53 us=984174   cipher_list = '[UNDEF]'
2018-08-24 21:03:53 us=984186   tls_cert_profile = '[UNDEF]'
2018-08-24 21:03:53 us=984197   tls_verify = '[UNDEF]'
2018-08-24 21:03:53 us=984213   tls_export_cert = '[UNDEF]'
2018-08-24 21:03:53 us=984225   verify_x509_type = 0
2018-08-24 21:03:53 us=984240   verify_x509_name = '[UNDEF]'
2018-08-24 21:03:53 us=984252   crl_file = '[UNDEF]'
2018-08-24 21:03:53 us=984263   ns_cert_type = 0
2018-08-24 21:03:53 us=984281   remote_cert_ku[i] = 65535
2018-08-24 21:03:53 us=984292   remote_cert_ku[i] = 0
2018-08-24 21:03:53 us=984303   remote_cert_ku[i] = 0
2018-08-24 21:03:53 us=984350   remote_cert_ku[i] = 0
2018-08-24 21:03:53 us=984387   remote_cert_ku[i] = 0
2018-08-24 21:03:53 us=984412   remote_cert_ku[i] = 0
2018-08-24 21:03:53 us=984437   remote_cert_ku[i] = 0
2018-08-24 21:03:53 us=984448   remote_cert_ku[i] = 0
2018-08-24 21:03:53 us=984459   remote_cert_ku[i] = 0
2018-08-24 21:03:53 us=984469   remote_cert_ku[i] = 0
2018-08-24 21:03:53 us=984479   remote_cert_ku[i] = 0
2018-08-24 21:03:53 us=984489   remote_cert_ku[i] = 0
2018-08-24 21:03:53 us=984500   remote_cert_ku[i] = 0
2018-08-24 21:03:53 us=984510   remote_cert_ku[i] = 0
2018-08-24 21:03:53 us=984521   remote_cert_ku[i] = 0
2018-08-24 21:03:53 us=984531   remote_cert_ku[i] = 0
2018-08-24 21:03:53 us=984542   remote_cert_eku = 'TLS Web Server Authentication'
2018-08-24 21:03:53 us=984553   ssl_flags = 0
2018-08-24 21:03:53 us=984563   tls_timeout = 2
2018-08-24 21:03:53 us=984574   renegotiate_bytes = -1
2018-08-24 21:03:53 us=984585   renegotiate_packets = 0
2018-08-24 21:03:53 us=984595   renegotiate_seconds = 3600
2018-08-24 21:03:53 us=984606   handshake_window = 60
2018-08-24 21:03:53 us=984616   transition_window = 3600
2018-08-24 21:03:53 us=984627   single_session = DISABLED
2018-08-24 21:03:53 us=984637   push_peer_info = DISABLED
2018-08-24 21:03:53 us=984647   tls_exit = DISABLED
2018-08-24 21:03:53 us=984658   tls_auth_file = '[[INLINE]]'
2018-08-24 21:03:53 us=984668   tls_crypt_file = '[UNDEF]'
2018-08-24 21:03:53 us=984679   pkcs11_protected_authentication = DISABLED
2018-08-24 21:03:53 us=984690   pkcs11_protected_authentication = DISABLED
2018-08-24 21:03:53 us=984700   pkcs11_protected_authentication = DISABLED
2018-08-24 21:03:53 us=984710   pkcs11_protected_authentication = DISABLED
2018-08-24 21:03:53 us=984721   pkcs11_protected_authentication = DISABLED
2018-08-24 21:03:53 us=984731   pkcs11_protected_authentication = DISABLED
2018-08-24 21:03:53 us=984742   pkcs11_protected_authentication = DISABLED
2018-08-24 21:03:53 us=984752   pkcs11_protected_authentication = DISABLED
2018-08-24 21:03:53 us=984762   pkcs11_protected_authentication = DISABLED
2018-08-24 21:03:53 us=984805   pkcs11_protected_authentication = DISABLED
2018-08-24 21:03:53 us=984816   pkcs11_protected_authentication = DISABLED
2018-08-24 21:03:53 us=984827   pkcs11_protected_authentication = DISABLED
2018-08-24 21:03:53 us=984838   pkcs11_protected_authentication = DISABLED
2018-08-24 21:03:53 us=984848   pkcs11_protected_authentication = DISABLED
2018-08-24 21:03:53 us=984858   pkcs11_protected_authentication = DISABLED
2018-08-24 21:03:53 us=984869   pkcs11_protected_authentication = DISABLED
2018-08-24 21:03:53 us=984879   pkcs11_private_mode = 00000000
2018-08-24 21:03:53 us=984890   pkcs11_private_mode = 00000000
2018-08-24 21:03:53 us=984900   pkcs11_private_mode = 00000000
2018-08-24 21:03:53 us=984911   pkcs11_private_mode = 00000000
2018-08-24 21:03:53 us=984922   pkcs11_private_mode = 00000000
2018-08-24 21:03:53 us=984934   pkcs11_private_mode = 00000000
2018-08-24 21:03:53 us=984950   pkcs11_private_mode = 00000000
2018-08-24 21:03:53 us=984973   pkcs11_private_mode = 00000000
2018-08-24 21:03:53 us=984992   pkcs11_private_mode = 00000000
2018-08-24 21:03:53 us=985005   pkcs11_private_mode = 00000000
2018-08-24 21:03:53 us=985027   pkcs11_private_mode = 00000000
2018-08-24 21:03:53 us=985039   pkcs11_private_mode = 00000000
2018-08-24 21:03:53 us=985071   pkcs11_private_mode = 00000000
2018-08-24 21:03:53 us=985137   pkcs11_private_mode = 00000000
2018-08-24 21:03:53 us=985169   pkcs11_private_mode = 00000000
2018-08-24 21:03:53 us=985204   pkcs11_private_mode = 00000000
2018-08-24 21:03:53 us=985217   pkcs11_cert_private = DISABLED
2018-08-24 21:03:53 us=985247   pkcs11_cert_private = DISABLED
2018-08-24 21:03:53 us=985269   pkcs11_cert_private = DISABLED
2018-08-24 21:03:53 us=985286   pkcs11_cert_private = DISABLED
2018-08-24 21:03:53 us=985311   pkcs11_cert_private = DISABLED
2018-08-24 21:03:53 us=985328   pkcs11_cert_private = DISABLED
2018-08-24 21:03:53 us=985344   pkcs11_cert_private = DISABLED
2018-08-24 21:03:53 us=985360   pkcs11_cert_private = DISABLED
2018-08-24 21:03:53 us=985387   pkcs11_cert_private = DISABLED
2018-08-24 21:03:53 us=985413   pkcs11_cert_private = DISABLED
2018-08-24 21:03:53 us=985430   pkcs11_cert_private = DISABLED
2018-08-24 21:03:53 us=985446   pkcs11_cert_private = DISABLED
2018-08-24 21:03:53 us=985462   pkcs11_cert_private = DISABLED
2018-08-24 21:03:53 us=985478   pkcs11_cert_private = DISABLED
2018-08-24 21:03:53 us=985494   pkcs11_cert_private = DISABLED
2018-08-24 21:03:53 us=985543   pkcs11_cert_private = DISABLED
2018-08-24 21:03:53 us=985560   pkcs11_pin_cache_period = -1
2018-08-24 21:03:53 us=985577   pkcs11_id = '[UNDEF]'
2018-08-24 21:03:53 us=985594   pkcs11_id_management = DISABLED
2018-08-24 21:03:53 us=985855   server_network = 0.0.0.0
2018-08-24 21:03:53 us=985874   server_netmask = 0.0.0.0
2018-08-24 21:03:53 us=985901   server_network_ipv6 = ::
2018-08-24 21:03:53 us=985914   server_netbits_ipv6 = 0
2018-08-24 21:03:53 us=985926   server_bridge_ip = 0.0.0.0
2018-08-24 21:03:53 us=985938   server_bridge_netmask = 0.0.0.0
2018-08-24 21:03:53 us=985950   server_bridge_pool_start = 0.0.0.0
2018-08-24 21:03:53 us=985961   server_bridge_pool_end = 0.0.0.0
2018-08-24 21:03:53 us=985987   ifconfig_pool_defined = DISABLED
2018-08-24 21:03:53 us=986016   ifconfig_pool_start = 0.0.0.0
2018-08-24 21:03:53 us=986037   ifconfig_pool_end = 0.0.0.0
2018-08-24 21:03:53 us=986057   ifconfig_pool_netmask = 0.0.0.0
2018-08-24 21:03:53 us=986075   ifconfig_pool_persist_filename = '[UNDEF]'
2018-08-24 21:03:53 us=986092   ifconfig_pool_persist_refresh_freq = 600
2018-08-24 21:03:53 us=986109   ifconfig_ipv6_pool_defined = DISABLED
2018-08-24 21:03:53 us=986128   ifconfig_ipv6_pool_base = ::
2018-08-24 21:03:53 us=986146   ifconfig_ipv6_pool_netbits = 0
2018-08-24 21:03:53 us=986196   n_bcast_buf = 256
2018-08-24 21:03:53 us=986214   tcp_queue_limit = 64
2018-08-24 21:03:53 us=986230   real_hash_size = 256
2018-08-24 21:03:53 us=986247   virtual_hash_size = 256
2018-08-24 21:03:53 us=986264   client_connect_script = '[UNDEF]'
2018-08-24 21:03:53 us=986280   learn_address_script = '[UNDEF]'
2018-08-24 21:03:53 us=986297   client_disconnect_script = '[UNDEF]'
2018-08-24 21:03:53 us=986314   client_config_dir = '[UNDEF]'
2018-08-24 21:03:53 us=986330   ccd_exclusive = DISABLED
2018-08-24 21:03:53 us=986347   tmp_dir = '/var/folders/z7/r_6mhwfj11q5mg3d50thw9dw0000gn/T/'
2018-08-24 21:03:53 us=986364   push_ifconfig_defined = DISABLED
2018-08-24 21:03:53 us=986382   push_ifconfig_local = 0.0.0.0
2018-08-24 21:03:53 us=986400   push_ifconfig_remote_netmask = 0.0.0.0
2018-08-24 21:03:53 us=986416   push_ifconfig_ipv6_defined = DISABLED
2018-08-24 21:03:53 us=986435   push_ifconfig_ipv6_local = ::/0
2018-08-24 21:03:53 us=986452   push_ifconfig_ipv6_remote = ::
2018-08-24 21:03:53 us=986468   enable_c2c = DISABLED
2018-08-24 21:03:53 us=986489   duplicate_cn = DISABLED
2018-08-24 21:03:53 us=986503   cf_max = 0
2018-08-24 21:03:53 us=986514   cf_per = 0
2018-08-24 21:03:53 us=986525   max_clients = 1024
2018-08-24 21:03:53 us=986535   max_routes_per_client = 256
2018-08-24 21:03:53 us=986546   auth_user_pass_verify_script = '[UNDEF]'
2018-08-24 21:03:53 us=986557   auth_user_pass_verify_script_via_file = DISABLED
2018-08-24 21:03:53 us=986567   auth_token_generate = DISABLED
2018-08-24 21:03:53 us=986577   auth_token_lifetime = 0
2018-08-24 21:03:53 us=986588   port_share_host = '[UNDEF]'
2018-08-24 21:03:53 us=986598   port_share_port = '[UNDEF]'
2018-08-24 21:03:53 us=986608   client = ENABLED
2018-08-24 21:03:53 us=986619   pull = ENABLED
2018-08-24 21:03:53 us=986629   auth_user_pass_file = '[UNDEF]'
2018-08-24 21:03:53 us=986645 OpenVPN 2.4.6 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] built on Jun 25 2018
2018-08-24 21:03:53 us=986727 library versions: OpenSSL 1.0.2o  27 Mar 2018, LZO 2.10
2018-08-24 21:03:53 us=989276 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:60499
2018-08-24 21:03:53 us=989755 Need hold release from management interface, waiting...
2018-08-24 21:03:53 *Tunnelblick: openvpnstart starting OpenVPN
2018-08-24 21:03:54 *Tunnelblick: openvpnstart log:
     OpenVPN started successfully. Command used to start OpenVPN (one argument per displayed line):
     
          /Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.4.6-openssl-1.0.2o/openvpn
          --daemon
          --log
          /Library/Application Support/Tunnelblick/Logs/-SLibrary-SApplication Support-STunnelblick-SShared-SNicknamelan.tblk-SContents-SResources-Sconfig.ovpn.1793_0_3_0_1065264.60499.openvpn.log
          --cd
          /Library/Application Support/Tunnelblick/Shared/Nicknamelan.tblk/Contents/Resources
          --setenv
          IV_GUI_VER
          "net.tunnelblick.tunnelblick 5080 3.7.6a (build 5080)"
          --verb
          7
          --config
          /Library/Application Support/Tunnelblick/Shared/Nicknamelan.tblk/Contents/Resources/config.ovpn
          --verb
          7
          --cd
          /Library/Application Support/Tunnelblick/Shared/Nicknamelan.tblk/Contents/Resources
          --management
          127.0.0.1
          60499
          /Library/Application Support/Tunnelblick/bbpgcegiaikmcpdfgokkapbhdallpenkebbipnie.mip
          --management-query-passwords
          --management-hold
          --script-security
          2
          --up
          /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw
          --down
          /Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw

2018-08-24 21:03:54 *Tunnelblick: Established communication with OpenVPN
2018-08-24 21:03:54 us=66800 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:60499
2018-08-24 21:03:54 us=99669 MANAGEMENT: CMD 'pid'
2018-08-24 21:03:54 us=100171 MANAGEMENT: CMD 'state on'
2018-08-24 21:03:54 us=100555 MANAGEMENT: CMD 'state'
2018-08-24 21:03:54 us=100838 MANAGEMENT: CMD 'bytecount 1'
2018-08-24 21:03:54 us=101816 MANAGEMENT: CMD 'hold release'
2018-08-24 21:03:54 us=103095 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2018-08-24 21:03:54 us=112616 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2018-08-24 21:03:54 us=112916 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2018-08-24 21:03:54 us=113124 crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 28 bytes
2018-08-24 21:03:54 us=113331 LZO compression initializing
2018-08-24 21:03:54 us=114515 Control Channel MTU parms [ L:1622 D:1184 EF:66 EB:0 ET:0 EL:3 ]
2018-08-24 21:03:54 us=114892 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
2018-08-24 21:03:54 us=115140 crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 40 bytes
2018-08-24 21:03:54 us=115346 calc_options_string_link_mtu: link-mtu 1622 -> 1542
2018-08-24 21:03:54 us=115567 crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 40 bytes
2018-08-24 21:03:54 us=115841 calc_options_string_link_mtu: link-mtu 1622 -> 1542
2018-08-24 21:03:54 us=116070 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
2018-08-24 21:03:54 us=116280 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
2018-08-24 21:03:54 us=116474 TCP/UDP: Preserving recently used remote address: [AF_INET]xx.xxx.xx.xx:1194
2018-08-24 21:03:54 us=116700 Socket Buffers: R=[196724->196724] S=[9216->9216]
2018-08-24 21:03:54 us=116891 UDP link local: (not bound)
2018-08-24 21:03:54 us=117078 UDP link remote: [AF_INET]xx.xxx.xx.xx:1194
2018-08-24 21:03:54 us=117313 MANAGEMENT: >STATE:1535169834,WAIT,,,,,,
2018-08-24 21:03:54 us=117673 UDP WRITE [42] to [AF_INET]xx.xxx.xx.xx:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #1 ] [ ] pid=0 DATA len=0
2018-08-24 21:03:56 us=270877 UDP WRITE [42] to [AF_INET]xx.xxx.xx.xx:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #2 ] [ ] pid=0 DATA len=0
2018-08-24 21:04:00 us=709239 UDP WRITE [42] to [AF_INET]xx.xxx.xx.xx:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #3 ] [ ] pid=0 DATA len=0
2018-08-24 21:04:08 us=965567 UDP WRITE [42] to [AF_INET]xx.xxx.xx.xx:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #4 ] [ ] pid=0 DATA len=0
2018-08-24 21:04:24 us=198292 UDP WRITE [42] to [AF_INET]xx.xxx.xx.xx:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #5 ] [ ] pid=0 DATA len=0
2018-08-24 21:04:54 us=164434 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2018-08-24 21:04:54 us=164998 TLS Error: TLS handshake failed
2018-08-24 21:04:54 us=169924 TCP/UDP: Closing socket
2018-08-24 21:04:54 us=175990 SIGUSR1[soft,tls-error] received, process restarting
2018-08-24 21:04:54 us=176312 MANAGEMENT: >STATE:1535169894,RECONNECTING,tls-error,,,,,
2018-08-24 21:04:54 us=188833 MANAGEMENT: CMD 'hold release'
2018-08-24 21:04:54 us=189207 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2018-08-24 21:04:54 us=190865 Re-using SSL/TLS context
2018-08-24 21:04:54 us=192157 crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 28 bytes
2018-08-24 21:04:54 us=193526 LZO compression initializing
2018-08-24 21:04:54 us=194855 Control Channel MTU parms [ L:1622 D:1184 EF:66 EB:0 ET:0 EL:3 ]
2018-08-24 21:04:54 us=196396 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
2018-08-24 21:04:54 us=198907 crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 40 bytes
2018-08-24 21:04:54 us=199185 calc_options_string_link_mtu: link-mtu 1622 -> 1542
2018-08-24 21:04:54 us=199421 crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 40 bytes
2018-08-24 21:04:54 us=199652 calc_options_string_link_mtu: link-mtu 1622 -> 1542
2018-08-24 21:04:54 us=199904 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
2018-08-24 21:04:54 us=200097 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
2018-08-24 21:04:54 us=200313 TCP/UDP: Preserving recently used remote address: [AF_INET]xx.xxx.xx.xx:1194
2018-08-24 21:04:54 us=200542 Socket Buffers: R=[196724->196724] S=[9216->9216]
2018-08-24 21:04:54 us=200737 UDP link local: (not bound)
2018-08-24 21:04:54 us=200968 UDP link remote: [AF_INET]xx.xxx.xx.xx:1194
2018-08-24 21:04:54 us=201325 MANAGEMENT: >STATE:1535169894,WAIT,,,,,,
2018-08-24 21:04:54 us=201612 UDP WRITE [42] to [AF_INET]xx.xxx.xx.xx:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #1 ] [ ] pid=0 DATA len=0
2018-08-24 21:04:54 us=202040 MANAGEMENT: CMD 'hold release'
2018-08-24 21:04:56 us=478409 UDP WRITE [42] to [AF_INET]xx.xxx.xx.xx:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #2 ] [ ] pid=0 DATA len=0
2018-08-24 21:05:01 us=39132 UDP WRITE [42] to [AF_INET]xx.xxx.xx.xx:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #3 ] [ ] pid=0 DATA len=0
2018-08-24 21:05:09 us=263669 UDP WRITE [42] to [AF_INET]xx.xxx.xx.xx:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #4 ] [ ] pid=0 DATA len=0
2018-08-24 21:05:17 *Tunnelblick: Disconnecting; VPN Details… window disconnect button pressed
2018-08-24 21:05:17 *Tunnelblick: No 'pre-disconnect.sh' script to execute
2018-08-24 21:05:17 *Tunnelblick: Disconnecting using 'kill'
2018-08-24 21:05:17 us=475289 event_wait : Interrupted system call (code=4)
2018-08-24 21:05:17 us=481222 TCP/UDP: Closing socket
2018-08-24 21:05:17 us=482134 SIGTERM[hard,] received, process exiting
2018-08-24 21:05:17 us=482454 MANAGEMENT: >STATE:1535169917,EXITING,SIGTERM,,,,,
2018-08-24 21:05:17 us=483990 PKCS#11: Terminating openssl
2018-08-24 21:05:17 us=484267 PKCS#11: Removing providers
2018-08-24 21:05:17 us=484482 PKCS#11: Releasing sessions
2018-08-24 21:05:17 us=484686 PKCS#11: Marking as uninitialized
2018-08-24 21:05:18 *Tunnelblick: No 'post-disconnect.sh' script to execute
2018-08-24 21:05:18 *Tunnelblick: Expected disconnection occurred.

================================================================================

"Sanitized" full configuration file

  client
  dev tun
  proto udp
  fast-io
  remote xx.xxx.xx.xx 1194
  remote-cert-tls server
  nobind
  persist-key
  persist-tun
  compress lzo
  verb 3
  key-direction 1
  pull-filter ignore "block-outside-dns"
<ca>
 [Security-related line(s) omitted]
</ca>
<cert>
 [Security-related line(s) omitted]
</cert>
<key>
 [Security-related line(s) omitted]
</key>
<tls-auth>
 [Security-related line(s) omitted]
</tls-auth>

I changed vpnserver proto to udp after changing it from the troubleshooting settings and it works. However, I can only connect to the router GUI, the rest of the internet does not work. Any thoughts?

Is my issue, any idea how I can push DNS to the OpenVPN client without adding the windows-only line?

Removing block-outside-dns from my client config did not do the trick. And the DNS server showing up in my client network config is 192.168.1.1, so I'm not sure why it isn't working.

Even stranger is nslookup on the client works and gives me the IP address of google, but when I type that IP in the browser it does not work.

https://tunnelblick.net/cConnectedBut.html#if-openvpn-is-connected-to-the-server-but-you-cant-access-the-internet suggests I don't have a DNS problem. When I try

ping google.com
PING google.com (172.217.5.206): 56 data bytes
92 bytes from 192.168.200.1: Destination Port Unreachable
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 5400 6238   0 0000  3f  01 de1e 192.168.200.2  172.217.5.206

edit: found this https://superuser.com/questions/1314480/openvpn-in-openwrt-connection-to-the-vpn-succeeds-can-ping-lan-cant-ping-ou

I think this is my issue, but I don't know how to fix problem 2: The DNS IP specified had a different subnet from the IP assigned via VPN, and it did not work

Anyone know how to fix this? Does it have to do with changing 192.168.1.200?

Could you post the contents of these files from your OpenWRT device?

  • /etc/config/openvpn
  • /etc/config/network
  • /etc/config/firewall

The symptom you describe suggests a routing or firewall problem. The above three files should assist with troubleshooting.

@yaravawiba Please perform the steps listed within Troubleshooting for your next post.

  • Please post separate code blocks for each log and config file, as combining them into a single code block muddles everything.

Thanks. @JW0914 the original files I had followed those troubleshooting steps, including posting the client and server logs. Am I missing something?

/etc/config/openvpn

config openvpn 'vpnserver'
        option enabled '1'
        option dev_type 'tun'
        option dev 'ovpns0'
        option port '1194'
        option topology 'subnet'
        option tls_server '1'
        option mode 'server'
        option server '192.168.200.0 255.255.255.0'
        option route_gateway 'dhcp'
        option compress 'lzo'
        option keepalive '10 120'
        option persist_key '1'
        option persist_tun '1'
        option ca '/etc/openvpn/ca.crt'
        option cert '/etc/openvpn/my-server.crt'
        option key '/etc/openvpn/my-server.key'
        option dh '/etc/openvpn/dh2048.pem'
        option tls_auth '/etc/openvpn/tls-auth.key 0'
        option client_to_client '1'
        option log '/tmp/openvpn.log'
        list push 'topology subnet'
        list push 'redirect-gateway def1'
        list push 'route-gateway dhcp'
        list push 'route 192.168.200.0 255.255.255.0'
        list push 'dhcp-option DNS 192.168.1.1'
        list push 'compress lzo'
        list push 'persist-key'
        list push 'persist-tun'
        list push 'DOMAIN lan'
        option verb '5'
        option proto 'udp'

/etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdce:743c:37a6::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option dns '1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001'

config interface 'wan'
        option ifname 'eth1.2'
        option proto 'dhcp'
        option peerdns '0'
        option dns '1.1.1.1 1.0.0.1 8.8.8.8 8.8.4.4'

config interface 'wan6'
        option ifname 'eth1.2'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'
        option peerdns '0'
        option dns '2606:4700:4700::1111 2606:4700:4700::1001 2001:4860:4860::8888 2001:4860:4860::8844'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 3 5t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '4 6t'

config interface 'vpnserver'
        option proto 'none'
        option ifname 'ovpns0'
        option auto '1'

/etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config rule
        option target 'ACCEPT'
        option src 'wan'
        option dest_port 'xxxx'
        option name 'BitTorrent'
        option proto 'tcp'

config include 'miniupnpd'
        option type 'script'
        option path '/usr/share/miniupnpd/firewall.include'
        option family 'any'
        option reload '1'

config rule
        option name 'Allow-OpenVPN-Inbound'
        option target 'ACCEPT'
        option src '*'
        option proto 'tcpudp'
        option dest_port '1194'

config zone
        option name 'vpnserver'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option masq '1'
        option network 'vpnserver'
        option forward 'REJECT'

config forwarding
        option src 'vpnserver'
        option dest 'wan'

config forwarding
        option src 'vpnserver'
        option dest 'lan'

Your verb values weren't changed and you still haven't changed your proto values to tcp... please follow the troubleshooting steps and then re-post with every log and config file requested in the troubleshooting section, after performing all the steps in the troubleshooting section.

Your OpenVPN configuration does not push a route for the DNS server to the clients. It's not necessary to push a route for the VPN subnet; the VPN subnet is already connected.

oh, sorry.

/tmp/openvpn.log

Sat Aug 25 10:47:13 2018 us=992534 OpenVPN 2.4.5 arm-openwrt-linux-gnu [SSL (mbed TLS)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Sat Aug 25 10:47:13 2018 us=993143 library versions: mbed TLS 2.12.0, LZO 2.10
Sat Aug 25 10:47:13 2018 us=994536 Diffie-Hellman initialized with 2048 bit key
Sat Aug 25 10:47:13 2018 us=999919 WARNING: failed to personalise random
Sat Aug 25 10:47:14 2018 us=514 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Aug 25 10:47:14 2018 us=568 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Aug 25 10:47:14 2018 us=618 TLS-Auth MTU parms [ L:1624 D:1182 EF:68 EB:0 ET:0 EL:3 ]
Sat Aug 25 10:47:14 2018 us=1539 TUN/TAP device ovpns0 opened
Sat Aug 25 10:47:14 2018 us=1863 TUN/TAP TX queue length set to 100
Sat Aug 25 10:47:14 2018 us=1956 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Sat Aug 25 10:47:14 2018 us=2088 /sbin/ifconfig ovpns0 192.168.200.1 netmask 255.255.255.0 mtu 1500 broadcast 192.168.200.255
Sat Aug 25 10:47:14 2018 us=8658 Data Channel MTU parms [ L:1624 D:1450 EF:124 EB:406 ET:0 EL:3 ]
Sat Aug 25 10:47:14 2018 us=8746 Could not determine IPv4/IPv6 protocol. Using AF_INET
Sat Aug 25 10:47:14 2018 us=8801 Socket Buffers: R=[87380->87380] S=[16384->16384]
Sat Aug 25 10:47:14 2018 us=8852 Listening for incoming TCP connection on [AF_INET][undef]:1194
Sat Aug 25 10:47:14 2018 us=8901 TCPv4_SERVER link local (bound): [AF_INET][undef]:1194
Sat Aug 25 10:47:14 2018 us=8941 TCPv4_SERVER link remote: [AF_UNSPEC]
Sat Aug 25 10:47:14 2018 us=8992 MULTI: multi_init called, r=256 v=256
Sat Aug 25 10:47:14 2018 us=9063 IFCONFIG POOL: base=192.168.200.2 size=252, ipv6=0
Sat Aug 25 10:47:14 2018 us=9149 MULTI: TCP INIT maxclients=1024 maxevents=1028
Sat Aug 25 10:47:14 2018 us=9243 Initialization Sequence Completed
Sat Aug 25 10:52:32 2018 us=577087 MULTI: multi_create_instance called
Sat Aug 25 10:52:32 2018 us=577238 Re-using SSL/TLS context
Sat Aug 25 10:52:32 2018 us=577298 LZO compression initializing
Sat Aug 25 10:52:32 2018 us=578030 Control Channel MTU parms [ L:1624 D:1182 EF:68 EB:0 ET:0 EL:3 ]
Sat Aug 25 10:52:32 2018 us=578131 Data Channel MTU parms [ L:1624 D:1450 EF:124 EB:406 ET:0 EL:3 ]
Sat Aug 25 10:52:32 2018 us=578229 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Sat Aug 25 10:52:32 2018 us=578270 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Sat Aug 25 10:52:32 2018 us=578343 TCP connection established with [AF_INET]xx.xx.x.x:53160
Sat Aug 25 10:52:32 2018 us=578386 TCPv4_SERVER link local: (not bound)
Sat Aug 25 10:52:32 2018 us=578430 TCPv4_SERVER link remote: [AF_INET]xx:53160
RSat Aug 25 10:52:33 2018 us=622105 xx.xx.x.x:53160 TLS: Initial packet from [AF_INET]xx.xx.x.x:53160, sid=20bd3ed7 f6255b82
WRRWWRRWRWRSat Aug 25 10:52:36 2018 us=86005 xx.xx.x.x:53160 VERIFY OK: depth=1, C=GB, ST=London, O=WWW Ltd.
Sat Aug 25 10:52:36 2018 us=86331 xx.xx.x.x:53160 VERIFY OK: depth=0, CN=my-client
WRSat Aug 25 10:52:36 2018 us=217537 xx.xx.x.x:53160 peer info: IV_VER=2.4.6
Sat Aug 25 10:52:36 2018 us=217622 xx.xx.x.x:53160 peer info: IV_PLAT=mac
Sat Aug 25 10:52:36 2018 us=217668 xx.xx.x.x:53160 peer info: IV_PROTO=2
Sat Aug 25 10:52:36 2018 us=217706 xx.xx.x.x:53160 peer info: IV_NCP=2
Sat Aug 25 10:52:36 2018 us=217742 xx.xx.x.x:53160 peer info: IV_LZ4=1
Sat Aug 25 10:52:36 2018 us=217777 xx.xx.x.x:53160 peer info: IV_LZ4v2=1
Sat Aug 25 10:52:36 2018 us=217812 xx.xx.x.x:53160 peer info: IV_LZO=1
Sat Aug 25 10:52:36 2018 us=217847 xx.xx.x.x:53160 peer info: IV_COMP_STUB=1
Sat Aug 25 10:52:36 2018 us=217894 xx.xx.x.x:53160 peer info: IV_COMP_STUBv2=1
Sat Aug 25 10:52:36 2018 us=217931 xx.xx.x.x:53160 peer info: IV_TCPNL=1
Sat Aug 25 10:52:36 2018 us=217970 xx.xx.x.x:53160 peer info: IV_GUI_VER="net.tunnelblick.tunnelblick_5080_3.7.6a__build_5080)"
WRSat Aug 25 10:52:36 2018 us=299336 xx.xx.x.x:53160 Control Channel: TLSv1.2, cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384, 4096 bit key
Sat Aug 25 10:52:36 2018 us=299427 xx.xx.x.x:53160 [my-client] Peer Connection Initiated with [AF_INET]xx.xx.x.x:53160
Sat Aug 25 10:52:36 2018 us=299503 my-client/xx.xx.x.x:53160 MULTI_sva: pool returned IPv4=192.168.200.2, IPv6=(Not enabled)
Sat Aug 25 10:52:36 2018 us=299648 my-client/xx.xx.x.x:53160 MULTI: Learn: 192.168.200.2 -> my-client/xx.xx.x.x:53160
Sat Aug 25 10:52:36 2018 us=299695 my-client/xx.xx.x.x:53160 MULTI: primary virtual IP for my-client/xx.xx.x.x:53160: 192.168.200.2
RSat Aug 25 10:52:37 2018 us=560177 my-client/xx.xx.x.x:53160 PUSH: Received control message: 'PUSH_REQUEST'
Sat Aug 25 10:52:37 2018 us=560360 my-client/xx.xx.x.x:53160 SENT CONTROL [my-client]: 'PUSH_REPLY,topology subnet,redirect-gateway def1,route-gateway dhcp,route 192.168.200.0 255.255.255.0,dhcp-option DNS 192.168.1.1,compress lzo,persist-key,persist-tun,DOMAIN lan,route-gateway 192.168.200.1,topology subnet,ping 10,ping-restart 120,ifconfi$
Sat Aug 25 10:52:37 2018 us=560407 my-client/xx.xx.x.x:53160 Data Channel: using negotiated cipher 'AES-256-GCM'
Sat Aug 25 10:52:37 2018 us=560456 my-client/xx.xx.x.x:53160 Data Channel MTU parms [ L:1552 D:1450 EF:52 EB:406 ET:0 EL:3 ]
Sat Aug 25 10:52:37 2018 us=560692 my-client/xx.xx.x.x:53160 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sat Aug 25 10:52:37 2018 us=560737 my-client/xx.xx.x.x:53160 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
WWWRRRwrWRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwrWrWrWrWrWrWrWrWrWrWRwRwRwRwrWrWrWrWrWrWrWrWrWrWrWrWRwRwrWrWRwRwRwRwRwRwRwRwRwRwRwRwRwRwrWrWrWrWrWrWrWrWrWrWrWrWrWrWRwRwRwrWrWrWRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWRwRwRwRwRwRwRwRwRwRwrWrWrWRwRwRwRwRwRwrWrWRwRwRwRwRwRwRwRwRwrWrWrWrWrWrWrWrWrWRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwR$
Sat Aug 25 10:53:50 2018 us=820483 my-client/xx.xx.x.x:53160 SIGUSR1[soft,connection-reset] received, client-instance restarting
Sat Aug 25 10:53:50 2018 us=820679 TCP/UDP: Closing socket
PNserver.conf:16: pkcs12 (2.4.5)
Use --help for more information.
Options error: Unrecognized option or missing or extra parameter(s) in openvpn-VPNserver.conf:16: pkcs12 (2.4.5)
Use --help for more information.
Options error: Unrecognized option or missing or extra parameter(s) in openvpn-VPNserver.conf:16: pkcs12 (2.4.5)
Use --help for more information.
Options error: Unrecognized option or missing or extra parameter(s) in openvpn-VPNserver.conf:16: pkcs12 (2.4.5)
Use --help for more information.
Options error: Unrecognized option or missing or extra parameter(s) in openvpn-VPNserver.conf:16: pkcs12 (2.4.5)
Use --help for more information.
Options error: Unrecognized option or missing or extra parameter(s) in openvpn-VPNserver.conf:16: pkcs12 (2.4.5)
Use --help for more information.
Options error: Unrecognized option or missing or extra parameter(s) in openvpn-VPNserver.conf:16: pkcs12 (2.4.5)
Use --help for more information.
Options error: Unrecognized option or missing or extra parameter(s) in openvpn-VPNserver.conf:16: pkcs12 (2.4.5)
Use --help for more information.

tunnelblick client log

*Tunnelblick: OS X 10.13.6; Tunnelblick 3.7.6a (build 5080)
2018-08-25 10:52:31 *Tunnelblick: Attempting connection with Netnetnet; Set nameserver = 1793; monitoring connection
2018-08-25 10:52:31 *Tunnelblick: openvpnstart start Netnetnet.tblk 63364 1793 0 3 0 1065264 -ptADGNWradsgnw 2.4.6-openssl-1.0.2o
2018-08-25 10:52:31 *Tunnelblick: openvpnstart starting OpenVPN
2018-08-25 10:52:32 *Tunnelblick: openvpnstart log:
     OpenVPN started successfully. Command used to start OpenVPN (one argument per displayed line):
     
          /Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.4.6-openssl-1.0.2o/openvpn
          --daemon
          --log

                    *Tunnelblick: Some entries have been removed because the log is too long

                                        **********************************************
                                        Start of output from client.up.tunnelblick.sh
2018-08-25 10:52:41 us=867001 /sbin/route add -net xx.xxx.xx.xxx xx.xx.x.x 255.255.255.255
                                        add net xx.xxx.xx.xxx: gateway xx.xx.x.x
2018-08-25 10:52:41 us=877157 /sbin/route add -net 0.0.0.0 192.168.200.1 128.0.0.0
                                        add net 0.0.0.0: gateway 192.168.200.1
2018-08-25 10:52:41 us=881691 /sbin/route add -net 128.0.0.0 192.168.200.1 128.0.0.0
                                        add net 128.0.0.0: gateway 192.168.200.1
2018-08-25 10:52:41 us=887462 MANAGEMENT: >STATE:1535219561,ADD_ROUTES,,,,,,
2018-08-25 10:52:41 us=887883 /sbin/route add -net 192.168.200.0 192.168.200.1 255.255.255.0
                                        route: writing to routing socket: File exists
                                        add net 192.168.200.0: gateway 192.168.200.1: File exists
2018-08-25 10:52:41 us=892246 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2018-08-25 10:52:41 us=892499 Initialization Sequence Completed
2018-08-25 10:52:41 us=892742 MANAGEMENT: >STATE:1535219561,CONNECTED,SUCCESS,192.168.200.2,xx.xxx.xx.xxx,11xx,172.20.10.2,58366
2018-08-25 10:52:41 us=893169 TCP_CLIENT WRITE [50] to [AF_INET]xx.xxx.xx.xxx:1194: P_ACK_V1 kid=0 pid=[ #11 ] [ 5 ]
2018-08-25 10:52:41 us=893574 TCP_CLIENT READ [384] from [AF_INET]xx.xxx.xx.xxx:1194: P_CONTROL_V1 kid=0 pid=[ #10 ] [ ] pid=5 DATA len=342
WRITE [91] to [AF_INET]xx.xxx.xx.xxx:1194: P_DATA_V2 kid=0 DATA len=90
2018-08-25 10:52:42 us=830010 TCP_CLIENT WRITE [110] to [AF_INET]xx.xxx.xx.xxx:1194: P_DATA_V2 kid=0 DATA len=109
2018-08-25 10:52:42 us=830594 TCP_CLIENT WRITE [111] to [AF_INET]xx.xxx.xx.xxx:1194: P_DATA_V2 kid=0 DATA len=110
2018-08-25 10:52:41 us=893863 TCP_CLIENT WRITE [50] to 

/etc/config/openvpn

config openvpn 'vpnserver'
        option enabled '1'
        option dev_type 'tun'
        option dev 'ovpns0'
        option port '1194'
        option topology 'subnet'
        option tls_server '1'
        option mode 'server'
        option server '192.168.200.0 255.255.255.0'
        option route_gateway 'dhcp'
        option compress 'lzo'
        option keepalive '10 120'
        option persist_key '1'
        option persist_tun '1'
        option ca '/etc/openvpn/ca.crt'
        option cert '/etc/openvpn/my-server.crt'
        option key '/etc/openvpn/my-server.key'
        option dh '/etc/openvpn/dh2048.pem'
        option tls_auth '/etc/openvpn/tls-auth.key 0'
        option client_to_client '1'
        option log '/tmp/openvpn.log'
        list push 'topology subnet'
        list push 'redirect-gateway def1'
        list push 'route-gateway dhcp'
        list push 'route 192.168.200.0 255.255.255.0'
        list push 'dhcp-option DNS 192.168.1.1'
        list push 'compress lzo'
        list push 'persist-key'
        list push 'persist-tun'
        list push 'DOMAIN lan'
        option verb '5'
        option proto 'tcp'

/etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdce:743c:37a6::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option dns '1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001'

config interface 'wan'
        option ifname 'eth1.2'
        option proto 'dhcp'
        option peerdns '0'
        option dns '1.1.1.1 1.0.0.1 8.8.8.8 8.8.4.4'

config interface 'wan6'
        option ifname 'eth1.2'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'
        option peerdns '0'
        option dns '2606:4700:4700::1111 2606:4700:4700::1001 2001:4860:4860::8888 2001:4860:4860::8844'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 3 5t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '4 6t'

config interface 'vpnserver'
        option proto 'none'
        option ifname 'ovpns0'
        option auto '1'

/etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config include 'miniupnpd'
        option type 'script'
        option path '/usr/share/miniupnpd/firewall.include'
        option family 'any'
        option reload '1'

config rule
        option name 'Allow-OpenVPN-Inbound'
        option target 'ACCEPT'
        option src '*'
        option proto 'tcp udp'
        option dest_port '1194'

config zone
        option name 'vpnserver'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option masq '1'
        option network 'vpnserver'
        option forward 'REJECT'

config forwarding
        option src 'vpnserver'
        option dest 'wan'

config forwarding
        option src 'vpnserver'
        option dest 'lan'

Thanks, but I'm not sure what that means. Do I need to change something if I don't need to push the route?

Yes.

The "push route" directive is how the OpenVPN server tells any clients, "Want to talk to this subnet? Go through the VPN."

At the moment your DNS is hosted on 192.168.1.1, which is not part of the VPN subnet. Anything which sits in the VPN subnet can be reached by the VPN clients. Anything which does not sit in the VPN subnet needs a route pushed to the clients for it to be reachable. But your VPN server is not pushing a route for 192.168.1.0/24 to the clients.

Change list push 'route 192.168.200.0 255.255.255.0' to list push 'route 192.168.1.0 255.255.255.0'.

Thanks. I changed that but I'm having the same problem. Also note the guide here mandates the push route as 192.168.200.0

Do you want me to post the logs again?

I'm not convinced that guide is entirely accurate, but I haven't had a chance to go through it step-by-step to proofread it. At least, in all of my working OpenVPN configurations I don't push the VPN subnet's own route to the client; it doesn't make sense to do so. But I could very well be wrong; the config file syntax has changed over the years since I first started using OpenVPN.

Tomorrow or Monday (it's a public holiday here) I should have a chance to go through that guide and test it.

In the meantime, additional logs can't hurt. You might spot something which triggers an "aha!" lightbulb moment.

I used that guide and it worked for me. I am however using the OpenVPN client for Windows.

In addition to the changes above, removing

uci add_list openvpn.vpnserver.push='route-gateway dhcp'

finally fixed it. I can now access external internet as well. I think the guide needs to be changed.

Thanks everyone!

Yes, according to this it is only supported by Windows: https://secure-computing.net/wiki/index.php/OpenVPN/Supporting_"route-gateway_dhcp"_on_non-Windows_platforms
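The reply above about pushed routes (anything outside the VPN subnet needs a route pushed to the client) and the note that route-gateway dhcp is Windows-only both boil down to checks that can be run against the UCI section itself. The following is an added example, not code from the thread or from the OpenWrt guide: it reads an /etc/config/openvpn section on stdin, tests whether the pushed DNS server falls inside the server subnet or any pushed route, and lists the pushed directives this thread identifies as Windows-only. The two sample sections at the bottom are constructed to mirror the posted configuration before and after the suggested route change.

```shell
#!/bin/sh
# Added example, not code from the thread or the OpenWrt guide: read a UCI
# openvpn section and answer two questions raised in this thread:
#   1. does a pushed route (or the VPN subnet itself) cover the pushed DNS server?
#   2. which pushed directives are the Windows-only ones named here
#      (route-gateway dhcp, block-outside-dns)?
# The sample sections at the bottom are constructed to mirror the posted config.

# Dotted-quad IPv4 address -> integer.  Runs in a subshell so IFS is untouched.
ip2int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# Succeed if address $1 lies inside network $2 with netmask $3.
in_subnet() {
    [ $(( $(ip2int "$1") & $(ip2int "$3") )) -eq $(( $(ip2int "$2") & $(ip2int "$3") )) ]
}

# Read a UCI openvpn section on stdin.  Prints what covers the pushed DNS
# server and returns 0, or prints "uncovered: ..." and returns 1.
dns_route_check() {
    net=""; mask=""; dns=""; routes=""
    while IFS= read -r line; do
        case $line in
            *"option server '"*)             # option server '<net> <mask>'
                v=${line#*server }; v=${v#?}; v=${v%?}
                net=${v%% *}; mask=${v#* } ;;
            *"list push 'dhcp-option DNS "*) # list push 'dhcp-option DNS <ip>'
                v=${line#*DNS }; dns=${v%?} ;;
            *"list push 'route "*)           # list push 'route <net> <mask>'
                v=${line#*route }; routes="$routes ${v%?}" ;;
        esac
    done
    [ -n "$dns" ] || { echo "no DNS server is pushed"; return 1; }
    if [ -n "$net" ] && in_subnet "$dns" "$net" "$mask"; then
        echo "covered: DNS $dns is inside the VPN subnet $net/$mask"; return 0
    fi
    set -- $routes                           # pairs of <net> <mask>
    while [ $# -ge 2 ]; do
        if in_subnet "$dns" "$1" "$2"; then
            echo "covered: DNS $dns is inside pushed route $1/$2"; return 0
        fi
        shift 2
    done
    echo "uncovered: DNS $dns is not inside $net/$mask or any pushed route"
    return 1
}

# Print pushed directives this thread identifies as Windows-only, one per line.
windows_only_pushes() {
    while IFS= read -r line; do
        case $line in
            *"list push '"*)
                v=${line#*push }; v=${v#?}; v=${v%?}
                case $v in
                    "route-gateway dhcp"|block-outside-dns) echo "$v" ;;
                esac ;;
        esac
    done
}

# Constructed sample: the section as posted (DNS on the LAN, only the VPN
# subnet itself routed, route-gateway dhcp pushed).
POSTED_CFG="config openvpn 'vpnserver'
        option server '192.168.200.0 255.255.255.0'
        list push 'redirect-gateway def1'
        list push 'route-gateway dhcp'
        list push 'route 192.168.200.0 255.255.255.0'
        list push 'dhcp-option DNS 192.168.1.1'"

# Constructed sample after the reply's suggested route change and with the
# Windows-only push removed.
FIXED_CFG="config openvpn 'vpnserver'
        option server '192.168.200.0 255.255.255.0'
        list push 'redirect-gateway def1'
        list push 'route 192.168.1.0 255.255.255.0'
        list push 'dhcp-option DNS 192.168.1.1'"

check_posted() { printf '%s\n' "$POSTED_CFG" | dns_route_check; }
check_fixed()  { printf '%s\n' "$FIXED_CFG"  | dns_route_check; }
```

On a router the same functions can be fed with cat /etc/config/openvpn or uci export openvpn, since both emit the option/list lines the parser looks for. The check deliberately ignores redirect-gateway def1, which on its own sends all non-local client traffic through the tunnel; it answers only the narrower question the reply poses, whether an explicit route covers the DNS server.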

It does. But not by much overall.

The main thing that the author should do is to add some expository information for context, to explain what each part does, as well as how and why. As it stands, in its current form it's simply a cargo-cult monkey see, monkey do exercise in copy and paste. This is fine if everything works, but if it doesn't then the reader isn't given any information to assist with investigating the problem. If the reader is a novice, this can cause frustration.

In addition, the guide is predicated on the assumption that the reader has not changed the OpenWRT settings from the defaults. If the reader has, then some modification to the process is needed (see below).

As promised, I went through the guide to see if it would work in its current form. I used OpenWRT 18.06.1, Windows 10, and Ubuntu 18.04.1 (server as well as Desktop). I set everything up in VMware, and it looks like this:

[image: diagram of the VMware test network]

For this test I removed the option gateway '192.168.10.1' line from /etc/config/network on OpenWRT 2. This cut off OpenWRT 2 and everything behind it from the rest of the network and the Internet. The only possible communication from OpenWRT 2 and its devices would be to 192.168.10.1 and 192.168.10.3, but not beyond either one. If I could establish a VPN connection to OpenWRT 3 - which does have Internet access - then that would provide Internet connectivity for the VPN client behind OpenWRT 2.

I set up OpenVPN Server on OpenWRT 3, following the guide.

The first hurdle was some changes introduced in OpenWRT 18.06 (or possibly 18.06.1). The guide's author notes that the guide has been tested against LEDE 17.01.4, so some differences are not unexpected.

The certificate-generation step does not initially work:

# cd /tmp && wget https://openwrt.org/_export/code/docs/guide-user/services/vpn/openvpn/server.setup?codeblock=3
wget: SSL support not available, please install one of the libustream-.*[ssl|tls] packages as well as the ca-bundle and ca-certificates packages.

The fix is straightforward: opkg install libustream-openssl ca-bundle ca-certificates. Then the above step will work.

As can be seen in the diagram, OpenWRT 3's LAN interface is 192.168.13.1. The guide configures the OpenVPN server to push 192.168.1.1 as the DNS resolver to all clients. OpenWRT's DNS resolver dnsmasq listens on the LAN interface. If the LAN IP address has not been changed from the defaults then 192.168.1.1 is fine. If the LAN IP address has been changed - as in this test - then the line uci add_list openvpn.vpnserver.push='dhcp-option DNS 192.168.1.1' should be changed to match, for example uci add_list openvpn.vpnserver.push='dhcp-option DNS 192.168.13.1'.

Copying the entire "create-ovpn.sh" section into the terminal in one go did not work. The "EOF" in the middle of the section is intended to terminate creation of the file /etc/openvpn/my-server.ovpn, but this does not happen in practice. Instead, the file /etc/openvpn/my-server.ovpn is created, but goes on to contain all the following lines literally, rather than the certificates which those lines are intended to append.

The workaround is straightforward: copy everything up to and including the "EOF" into the terminal. Press Return for the "EOF" to take effect and return control to the shell. Then copy and paste the remainder of the lines in that section. Alternately, create a complete script called create-ovpn.sh, based on the method near the top of the guide, and run the script from the shell.

The guide contains the line uci add_list openvpn.vpnserver.push='compress lzo' but then the subsequent illustration of the contents of /etc/config/openvpn shows list push 'compress lz4'. The guide mentions "lz4" in passing as a possible compression option, but the illustrative examples should correspond to the preceding instructions.

The guide includes a Windows-specific entry: block-outside-dns. This will cause the Linux OpenVPN client to crash with the error Options error: Unrecognized option or missing or extra parameter(s) in my-server.ovpn:13: block-outside-dns (2.4.4). This option is used to force clients to use the DNS server specified by the OpenVPN server, and the Linux equivalent involves calling /etc/openvpn/update-resolv-conf upon the establishment and tear-down of the VPN tunnel.

The guide also includes an entry which will not work on Windows: fast-io. Fortunately the Windows OpenVPN client merely skips past the unrecognised option without crashing, and displays a note to the user to that effect.

The guide's author does not mention the Windows-only and non-Windows aspects, leaving it to the reader to know about it already.

So, in a nutshell, the guide is a good starting point to the subject, and most of it works as intended. But it requires some additional knowledge on the part of the reader, for the details which aren't explicitly covered.
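As an added example (not the wiki's create-ovpn.sh and not code from anyone in this thread), a POSIX shell profile builder that addresses the three points raised above: it checks the PKI files exist before appending them, so a missing ca.crt cannot silently yield an empty `<ca></ca>` block; it emits block-outside-dns only for Windows clients and the update-resolv-conf up/down hooks for Linux; and it verifies that every inline block of the result is non-empty. The file names, the argument order and the "windows"/"linux" selector are assumptions.

```shell
#!/bin/sh
# Added example, not the wiki's create-ovpn.sh: build a client profile from a
# directory of PKI files and refuse to emit one with an empty inline block.
# Assumed layout: $1 holds ca.crt, my-client.crt, my-client.key, tls-auth.key;
# $2 is the server address; $3 is "windows" or "linux"; $4 is the output path.
gen_ovpn() {
    pki="$1"; server="$2"; os="$3"; out="$4"
    for f in ca.crt my-client.crt my-client.key tls-auth.key; do
        # 'cat >> file < missing' only prints an error, leaving <ca></ca>
        # empty; fail before writing anything instead.
        [ -s "$pki/$f" ] || { echo "missing or empty: $pki/$f" >&2; return 1; }
    done
    {
        cat <<EOF
client
dev tun
proto udp
remote $server 1194
remote-cert-tls server
nobind
persist-key
persist-tun
compress lzo
verb 3
key-direction 1
EOF
        if [ "$os" = windows ]; then
            echo block-outside-dns   # Windows-only; the Linux client rejects it
        else
            echo fast-io             # skipped by the Windows client
            # Linux equivalent: hand the pushed DNS server to the resolver
            printf '%s\n' 'script-security 2' \
                'up /etc/openvpn/update-resolv-conf' \
                'down /etc/openvpn/update-resolv-conf'
        fi
        for pair in ca:ca.crt cert:my-client.crt key:my-client.key tls-auth:tls-auth.key; do
            tag=${pair%%:*}; file=${pair#*:}
            echo "<$tag>"; cat "$pki/$file"; echo "</$tag>"
        done
    } > "$out"
}

# Return 0 only when every inline block holds at least one line of material.
ovpn_check() {
    for tag in ca cert key tls-auth; do
        n=$(sed -n "/^<$tag>\$/,/^<\/$tag>\$/p" "$1" | sed '1d;$d' | wc -l | tr -d ' ')
        [ "$n" -gt 0 ] || { echo "empty <$tag> block in $1" >&2; return 1; }
    done
}
```

Run it as `gen_ovpn /etc/openvpn 203.0.113.10 linux /tmp/my-server.ovpn && ovpn_check /tmp/my-server.ovpn` (address is a placeholder) and hand the resulting file to the client.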


iplaywithtoys

You rock! Is anyone able to edit the wiki or only the original author, or are you just being considerate? I think it would be good to clarify some elements of it after all.

It's a wiki, everybody who is logged in can edit it.

I started a thread to discuss the potential changes to the wiki OpenVPN article, as I have seen (and assisted) users having the same issues described here. I have not wanted to change the Wiki without a discussion about it first for a few reasons -- mainly since it is an opportunity to learn (what has worked for me and for those I've helped may be a narrow slice, maybe there is something I don't know or haven't thought about) and as a courtesy to the original author and subsequent contributors so we don't end up having debates/discussions after certain changes take place.

It functions perfectly fine if copied into a terminal (or downloaded as a script)... I know because I extensively tested those script blocks when I converted @stangri's code blocks into downloadable scripts.

  • [root@ACS] ~ $ cd /tmp && mkdir openvpn
    [root@ACS] /tmp $ #!/bin/sh
    [root@ACS] /tmp $
    [root@ACS] /tmp $ source /lib/functions/network.sh
    [root@ACS] /tmp $ network_find_wan wanIf
    [root@ACS] /tmp $ network_get_ipaddrs wanIP $wanIf
    [root@ACS] /tmp $ # wanIP="dynamic.dns.name"
    [root@ACS] /tmp $
    [root@ACS] /tmp $ OVPN_FILE="/tmp/openvpn/my-server.ovpn"
    [root@ACS] /tmp $
    [root@ACS] /tmp $ cat >> ${OVPN_FILE} <<EOF
    >   client
    >   dev tun
    >   proto udp
    >   fast-io
    >   remote $wanIP 1194
    >   remote-cert-tls server
    >   nobind
    >   persist-key
    >   persist-tun
    >   compress lzo
    >   verb 3
    >   key-direction 1
    >   block-outside-dns
    > EOF
    [root@ACS] /tmp $
    [root@ACS] /tmp $ echo '<ca>'         >> ${OVPN_FILE}
    [root@ACS] /tmp $ cat                 >> ${OVPN_FILE} < /tmp/openvpn/ca.crt
    -ash: cant open /tmp/openvpn/ca.crt: no such file
    [root@ACS] /tmp $ echo '</ca>'        >> ${OVPN_FILE}
    [root@ACS] /tmp $
    [root@ACS] /tmp $ echo '<cert>'       >> ${OVPN_FILE}
    [root@ACS] /tmp $ cat                 >> ${OVPN_FILE} < /tmp/openvpn/my-client.crt
    -ash: cant open /tmp/openvpn/my-client.crt: no such file
    [root@ACS] /tmp $ echo '</cert>'      >> ${OVPN_FILE}
    [root@ACS] /tmp $
    [root@ACS] /tmp $ echo '<key>'        >> ${OVPN_FILE}
    [root@ACS] /tmp $ cat                 >> ${OVPN_FILE} < /tmp/openvpn/my-client.key
    -ash: cant open /tmp/openvpn/my-client.key: no such file
    [root@ACS] /tmp $ echo '</key>'       >> ${OVPN_FILE}
    [root@ACS] /tmp $
    [root@ACS] /tmp $ echo '<tls-auth>'   >> ${OVPN_FILE}
    [root@ACS] /tmp $ cat                 >> ${OVPN_FILE} < /tmp/openvpn/tls-auth.key
    -ash: cant open /tmp/openvpn/tls-auth.key: no such file
    [root@ACS] /tmp $ echo '</tls-auth>'  >> ${OVPN_FILE}
    [root@ACS] /tmp $
    [root@ACS] /tmp $ # Display the generated OVPN_FILE
    [root@ACS] /tmp $   printf "----- Generated .ovpn file ------\n\n"
    ----- Generated .ovpn file ------
    
    [root@ACS] /tmp $   cat ${OVPN_FILE}
      client
      dev tun
      proto udp
      fast-io
      remote 192.168.200.60 1194
      remote-cert-tls server
      nobind
      persist-key
      persist-tun
      compress lzo
      verb 3
      key-direction 1
      block-outside-dns
    <ca>
    </ca>
    <cert>
    </cert>
    <key>
    </key>
    <tls-auth>
    </tls-auth>
    [root@ACS] /tmp $
    [root@ACS] /tmp $ printf "\n\n\n  . . .  DONE  . . .  \n\n\n"
    
    
    
      . . .  DONE  . . .
    

This is literally impossible to have occur... see cat --help or cat's man page

This was added by @stueh, and is what occurs when config changes are made to a wiki without consulting the man page.

This is simply a typo and needs to be changed from lzo to lz4 in /etc/config/openvpn.

  • While OpenVPN recommends lzo for 2.4, it creates a major issue on Macs, so Stan changed it back to lz4 a few weeks ago.