OpenVPN Connected but No Internet


#6

Thanks. @JW0914, the original files I posted had already followed those troubleshooting steps, including posting the client and server logs. Am I missing something?

/etc/config/openvpn

# OpenVPN server instance as first posted (proto udp). Post #7 asks for tcp
# for troubleshooting; the reposted copy further down this thread uses tcp.
config openvpn 'vpnserver'
        option enabled '1'
        option dev_type 'tun'
        # The tun device name; /etc/config/network wraps it in the 'vpnserver'
        # interface that the firewall zone of the same name references.
        option dev 'ovpns0'
        option port '1194'
        option topology 'subnet'
        option tls_server '1'
        option mode 'server'
        # Tunnel pool: the server log shows ovpns0 brought up as 192.168.200.1
        # and clients assigned from 192.168.200.2 upward (pool size 252).
        option server '192.168.200.0 255.255.255.0'
        # NOTE(review): 'route-gateway dhcp' is reported later in this thread
        # (#14/#15) as Windows-only; removing the pushed copy below is what
        # finally gave the macOS client internet access.
        option route_gateway 'dhcp'
        # NOTE(review): OpenVPN's own documentation discourages data-channel
        # compression; consider dropping it on both ends once connectivity works.
        option compress 'lzo'
        # Pushed automatically as 'ping 10,ping-restart 120' (see the PUSH_REPLY in the log).
        option keepalive '10 120'
        option persist_key '1'
        option persist_tun '1'
        option ca '/etc/openvpn/ca.crt'
        option cert '/etc/openvpn/my-server.crt'
        option key '/etc/openvpn/my-server.key'
        option dh '/etc/openvpn/dh2048.pem'
        # Control-channel HMAC key, direction 0 on the server; the client
        # profile in this thread uses 'key-direction 1' to match.
        option tls_auth '/etc/openvpn/tls-auth.key 0'
        # NOTE(review): lets connected clients reach one another inside the
        # OpenVPN process instead of through the firewall's vpnserver zone —
        # confirm that is wanted.
        option client_to_client '1'
        # No 'cipher' is set, so the log's "Local Options String" advertises the
        # 2.4 default BF-CBC; this client negotiated AES-256-GCM, but a client
        # without cipher negotiation would fall back to the default.
        # NOTE(review): consider pinning it, e.g. option cipher 'AES-256-GCM'.
        # verb 5 logging records peer addresses and per-packet R/W markers; keep
        # that level only while troubleshooting.
        option log '/tmp/openvpn.log'
        # Already pushed by 'server'; the log's PUSH_REPLY shows 'topology subnet' twice.
        list push 'topology subnet'
        # Routes all client traffic through the tunnel (the client log shows the
        # two 128.0.0.0 half-routes being added).
        list push 'redirect-gateway def1'
        # See the route_gateway note above (#14/#15).
        list push 'route-gateway dhcp'
        # The VPN subnet is directly connected on the client; posts #8/#10 call
        # this push unnecessary and the client log reports 'File exists' when
        # it is added. What is missing is a route to the LAN (192.168.1.0/24)
        # where the pushed DNS server lives.
        list push 'route 192.168.200.0 255.255.255.0'
        # 192.168.1.1 is this router's LAN address (dnsmasq) per /etc/config/network.
        list push 'dhcp-option DNS 192.168.1.1'
        list push 'compress lzo'
        list push 'persist-key'
        list push 'persist-tun'
        # NOTE(review): a bare 'DOMAIN' is not an OpenVPN directive I know of;
        # the usual form is 'dhcp-option DOMAIN lan' — check the client log.
        list push 'DOMAIN lan'
        option verb '5'
        option proto 'udp'

/etc/config/network

# /etc/config/network as posted; the reposted copy later in this thread is identical.
config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdce:743c:37a6::/48'

# LAN bridge. 192.168.1.1 is the address the OpenVPN server pushes to clients
# as their DNS server.
config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        # Static upstream resolvers for the LAN side (v4 and v6).
        option dns '1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001'

# WAN via DHCP; peerdns '0' ignores ISP-supplied resolvers in favour of the
# static list below.
config interface 'wan'
        option ifname 'eth1.2'
        option proto 'dhcp'
        option peerdns '0'
        option dns '1.1.1.1 1.0.0.1 8.8.8.8 8.8.4.4'

config interface 'wan6'
        option ifname 'eth1.2'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'
        option peerdns '0'
        option dns '2606:4700:4700::1111 2606:4700:4700::1001 2001:4860:4860::8888 2001:4860:4860::8844'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

# VLAN 1 carries the LAN ports, VLAN 2 the WAN port; the 't' ports are
# presumably the tagged CPU-facing ports (device-specific).
config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 3 5t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '4 6t'

# Unmanaged interface wrapping the OpenVPN tun device so that the firewall
# can place it in the 'vpnserver' zone (option network 'vpnserver' there).
config interface 'vpnserver'
        option proto 'none'
        option ifname 'ovpns0'
        option auto '1'

/etc/config/firewall


# /etc/config/firewall as first posted. Rules are applied in file order, so
# no sections are reordered here.
config defaults
        option syn_flood '1'
        # The router itself accepts input by default; the wan zone below
        # overrides this with REJECT.
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

# Internet-facing zone: nothing reaches the router, or is forwarded in from
# here, unless one of the Allow-* rules below permits it.
config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        # NAT for everything leaving via wan, which covers VPN clients once the
        # vpnserver -> wan forwarding near the end is in place.
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

# The Allow-* rules from here down to Allow-ISAKMP appear to be OpenWrt's
# stock defaults (DHCP renew, ping, IGMP, DHCPv6/MLD/ICMPv6 housekeeping,
# IPsec pass-through to the LAN); nothing in this thread depends on them.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# Custom iptables rules in /etc/firewall.user are not shown in this post and
# so cannot be reviewed alongside the UCI rules.
config include
        option path '/etc/firewall.user'

# Inbound TCP from the internet to the router itself (no 'dest' zone, so this
# is an input rule rather than a port forward) on a redacted port.
# NOTE(review): if the torrent client runs on a LAN host this should be a
# 'redirect' section instead; if nothing on the router listens on that port,
# the rule is an unnecessary opening. Not related to the VPN problem.
config rule
        option target 'ACCEPT'
        option src 'wan'
        option dest_port 'xxxx'
        option name 'BitTorrent'
        option proto 'tcp'

# UPnP: LAN hosts can request WAN port openings at runtime; those dynamic
# rules are not visible in this static configuration.
config include 'miniupnpd'
        option type 'script'
        option path '/usr/share/miniupnpd/firewall.include'
        option family 'any'
        option reload '1'

# Opens the OpenVPN listener from every zone ('*') for both tcp and udp.
# NOTE(review): the server listens on a single protocol (udp in this posting)
# on 1194, so 'src wan' with the matching 'proto' is the least-privilege form.
config rule
        option name 'Allow-OpenVPN-Inbound'
        option target 'ACCEPT'
        option src '*'
        option proto 'tcpudp'
        option dest_port '1194'

# Zone for the tunnel interface defined in /etc/config/network.
config zone
        option name 'vpnserver'
        # VPN clients may talk to the router itself, including the dnsmasq
        # resolver they are pointed at (192.168.1.1).
        option input 'ACCEPT'
        option output 'ACCEPT'
        # NOTE(review): masq on this zone rewrites traffic leaving the router
        # toward VPN clients to the tunnel address; it is not needed for
        # clients that only originate connections — confirm it is intended.
        option masq '1'
        option network 'vpnserver'
        option forward 'REJECT'

# VPN clients may initiate connections to the internet and to the LAN. There
# is no lan -> vpnserver forwarding, so LAN hosts cannot initiate connections
# to VPN clients unless one is added.
config forwarding
        option src 'vpnserver'
        option dest 'wan'

config forwarding
        option src 'vpnserver'
        option dest 'lan'

#7

Your verb values weren't changed and you still haven't changed your proto values to tcp... please perform all the steps in the troubleshooting section, then re-post with every log and config file it requests.


#8

Your OpenVPN configuration does not push a route for the DNS server to the clients. It's not necessary to push a route for the VPN subnet; the VPN subnet is already connected.


#9

oh, sorry.

/tmp/openvpn.log

Sat Aug 25 10:47:13 2018 us=992534 OpenVPN 2.4.5 arm-openwrt-linux-gnu [SSL (mbed TLS)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Sat Aug 25 10:47:13 2018 us=993143 library versions: mbed TLS 2.12.0, LZO 2.10
Sat Aug 25 10:47:13 2018 us=994536 Diffie-Hellman initialized with 2048 bit key
Sat Aug 25 10:47:13 2018 us=999919 WARNING: failed to personalise random
Sat Aug 25 10:47:14 2018 us=514 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Aug 25 10:47:14 2018 us=568 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Aug 25 10:47:14 2018 us=618 TLS-Auth MTU parms [ L:1624 D:1182 EF:68 EB:0 ET:0 EL:3 ]
Sat Aug 25 10:47:14 2018 us=1539 TUN/TAP device ovpns0 opened
Sat Aug 25 10:47:14 2018 us=1863 TUN/TAP TX queue length set to 100
Sat Aug 25 10:47:14 2018 us=1956 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Sat Aug 25 10:47:14 2018 us=2088 /sbin/ifconfig ovpns0 192.168.200.1 netmask 255.255.255.0 mtu 1500 broadcast 192.168.200.255
Sat Aug 25 10:47:14 2018 us=8658 Data Channel MTU parms [ L:1624 D:1450 EF:124 EB:406 ET:0 EL:3 ]
Sat Aug 25 10:47:14 2018 us=8746 Could not determine IPv4/IPv6 protocol. Using AF_INET
Sat Aug 25 10:47:14 2018 us=8801 Socket Buffers: R=[87380->87380] S=[16384->16384]
Sat Aug 25 10:47:14 2018 us=8852 Listening for incoming TCP connection on [AF_INET][undef]:1194
Sat Aug 25 10:47:14 2018 us=8901 TCPv4_SERVER link local (bound): [AF_INET][undef]:1194
Sat Aug 25 10:47:14 2018 us=8941 TCPv4_SERVER link remote: [AF_UNSPEC]
Sat Aug 25 10:47:14 2018 us=8992 MULTI: multi_init called, r=256 v=256
Sat Aug 25 10:47:14 2018 us=9063 IFCONFIG POOL: base=192.168.200.2 size=252, ipv6=0
Sat Aug 25 10:47:14 2018 us=9149 MULTI: TCP INIT maxclients=1024 maxevents=1028
Sat Aug 25 10:47:14 2018 us=9243 Initialization Sequence Completed
Sat Aug 25 10:52:32 2018 us=577087 MULTI: multi_create_instance called
Sat Aug 25 10:52:32 2018 us=577238 Re-using SSL/TLS context
Sat Aug 25 10:52:32 2018 us=577298 LZO compression initializing
Sat Aug 25 10:52:32 2018 us=578030 Control Channel MTU parms [ L:1624 D:1182 EF:68 EB:0 ET:0 EL:3 ]
Sat Aug 25 10:52:32 2018 us=578131 Data Channel MTU parms [ L:1624 D:1450 EF:124 EB:406 ET:0 EL:3 ]
Sat Aug 25 10:52:32 2018 us=578229 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Sat Aug 25 10:52:32 2018 us=578270 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Sat Aug 25 10:52:32 2018 us=578343 TCP connection established with [AF_INET]xx.xx.x.x:53160
Sat Aug 25 10:52:32 2018 us=578386 TCPv4_SERVER link local: (not bound)
Sat Aug 25 10:52:32 2018 us=578430 TCPv4_SERVER link remote: [AF_INET]xx:53160
RSat Aug 25 10:52:33 2018 us=622105 xx.xx.x.x:53160 TLS: Initial packet from [AF_INET]xx.xx.x.x:53160, sid=20bd3ed7 f6255b82
WRRWWRRWRWRSat Aug 25 10:52:36 2018 us=86005 xx.xx.x.x:53160 VERIFY OK: depth=1, C=GB, ST=London, O=WWW Ltd.
Sat Aug 25 10:52:36 2018 us=86331 xx.xx.x.x:53160 VERIFY OK: depth=0, CN=my-client
WRSat Aug 25 10:52:36 2018 us=217537 xx.xx.x.x:53160 peer info: IV_VER=2.4.6
Sat Aug 25 10:52:36 2018 us=217622 xx.xx.x.x:53160 peer info: IV_PLAT=mac
Sat Aug 25 10:52:36 2018 us=217668 xx.xx.x.x:53160 peer info: IV_PROTO=2
Sat Aug 25 10:52:36 2018 us=217706 xx.xx.x.x:53160 peer info: IV_NCP=2
Sat Aug 25 10:52:36 2018 us=217742 xx.xx.x.x:53160 peer info: IV_LZ4=1
Sat Aug 25 10:52:36 2018 us=217777 xx.xx.x.x:53160 peer info: IV_LZ4v2=1
Sat Aug 25 10:52:36 2018 us=217812 xx.xx.x.x:53160 peer info: IV_LZO=1
Sat Aug 25 10:52:36 2018 us=217847 xx.xx.x.x:53160 peer info: IV_COMP_STUB=1
Sat Aug 25 10:52:36 2018 us=217894 xx.xx.x.x:53160 peer info: IV_COMP_STUBv2=1
Sat Aug 25 10:52:36 2018 us=217931 xx.xx.x.x:53160 peer info: IV_TCPNL=1
Sat Aug 25 10:52:36 2018 us=217970 xx.xx.x.x:53160 peer info: IV_GUI_VER="net.tunnelblick.tunnelblick_5080_3.7.6a__build_5080)"
WRSat Aug 25 10:52:36 2018 us=299336 xx.xx.x.x:53160 Control Channel: TLSv1.2, cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384, 4096 bit key
Sat Aug 25 10:52:36 2018 us=299427 xx.xx.x.x:53160 [my-client] Peer Connection Initiated with [AF_INET]xx.xx.x.x:53160
Sat Aug 25 10:52:36 2018 us=299503 my-client/xx.xx.x.x:53160 MULTI_sva: pool returned IPv4=192.168.200.2, IPv6=(Not enabled)
Sat Aug 25 10:52:36 2018 us=299648 my-client/xx.xx.x.x:53160 MULTI: Learn: 192.168.200.2 -> my-client/xx.xx.x.x:53160
Sat Aug 25 10:52:36 2018 us=299695 my-client/xx.xx.x.x:53160 MULTI: primary virtual IP for my-client/xx.xx.x.x:53160: 192.168.200.2
RSat Aug 25 10:52:37 2018 us=560177 my-client/xx.xx.x.x:53160 PUSH: Received control message: 'PUSH_REQUEST'
Sat Aug 25 10:52:37 2018 us=560360 my-client/xx.xx.x.x:53160 SENT CONTROL [my-client]: 'PUSH_REPLY,topology subnet,redirect-gateway def1,route-gateway dhcp,route 192.168.200.0 255.255.255.0,dhcp-option DNS 192.168.1.1,compress lzo,persist-key,persist-tun,DOMAIN lan,route-gateway 192.168.200.1,topology subnet,ping 10,ping-restart 120,ifconfi$
Sat Aug 25 10:52:37 2018 us=560407 my-client/xx.xx.x.x:53160 Data Channel: using negotiated cipher 'AES-256-GCM'
Sat Aug 25 10:52:37 2018 us=560456 my-client/xx.xx.x.x:53160 Data Channel MTU parms [ L:1552 D:1450 EF:52 EB:406 ET:0 EL:3 ]
Sat Aug 25 10:52:37 2018 us=560692 my-client/xx.xx.x.x:53160 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sat Aug 25 10:52:37 2018 us=560737 my-client/xx.xx.x.x:53160 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
WWWRRRwrWRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwrWrWrWrWrWrWrWrWrWrWRwRwRwRwrWrWrWrWrWrWrWrWrWrWrWrWRwRwrWrWRwRwRwRwRwRwRwRwRwRwRwRwRwRwrWrWrWrWrWrWrWrWrWrWrWrWrWrWRwRwRwrWrWrWRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWRwRwRwRwRwRwRwRwRwRwrWrWrWRwRwRwRwRwRwrWrWRwRwRwRwRwRwRwRwRwrWrWrWrWrWrWrWrWrWRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwR$
Sat Aug 25 10:53:50 2018 us=820483 my-client/xx.xx.x.x:53160 SIGUSR1[soft,connection-reset] received, client-instance restarting
Sat Aug 25 10:53:50 2018 us=820679 TCP/UDP: Closing socket
PNserver.conf:16: pkcs12 (2.4.5)
Use --help for more information.
Options error: Unrecognized option or missing or extra parameter(s) in openvpn-VPNserver.conf:16: pkcs12 (2.4.5)
Use --help for more information.
Options error: Unrecognized option or missing or extra parameter(s) in openvpn-VPNserver.conf:16: pkcs12 (2.4.5)
Use --help for more information.
Options error: Unrecognized option or missing or extra parameter(s) in openvpn-VPNserver.conf:16: pkcs12 (2.4.5)
Use --help for more information.
Options error: Unrecognized option or missing or extra parameter(s) in openvpn-VPNserver.conf:16: pkcs12 (2.4.5)
Use --help for more information.
Options error: Unrecognized option or missing or extra parameter(s) in openvpn-VPNserver.conf:16: pkcs12 (2.4.5)
Use --help for more information.
Options error: Unrecognized option or missing or extra parameter(s) in openvpn-VPNserver.conf:16: pkcs12 (2.4.5)
Use --help for more information.
Options error: Unrecognized option or missing or extra parameter(s) in openvpn-VPNserver.conf:16: pkcs12 (2.4.5)
Use --help for more information.

tunnelblick client log

*Tunnelblick: OS X 10.13.6; Tunnelblick 3.7.6a (build 5080)
2018-08-25 10:52:31 *Tunnelblick: Attempting connection with Netnetnet; Set nameserver = 1793; monitoring connection
2018-08-25 10:52:31 *Tunnelblick: openvpnstart start Netnetnet.tblk 63364 1793 0 3 0 1065264 -ptADGNWradsgnw 2.4.6-openssl-1.0.2o
2018-08-25 10:52:31 *Tunnelblick: openvpnstart starting OpenVPN
2018-08-25 10:52:32 *Tunnelblick: openvpnstart log:
     OpenVPN started successfully. Command used to start OpenVPN (one argument per displayed line):
     
          /Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.4.6-openssl-1.0.2o/openvpn
          --daemon
          --log

                    *Tunnelblick: Some entries have been removed because the log is too long

                                        **********************************************
                                        Start of output from client.up.tunnelblick.sh
2018-08-25 10:52:41 us=867001 /sbin/route add -net xx.xxx.xx.xxx xx.xx.x.x 255.255.255.255
                                        add net xx.xxx.xx.xxx: gateway xx.xx.x.x
2018-08-25 10:52:41 us=877157 /sbin/route add -net 0.0.0.0 192.168.200.1 128.0.0.0
                                        add net 0.0.0.0: gateway 192.168.200.1
2018-08-25 10:52:41 us=881691 /sbin/route add -net 128.0.0.0 192.168.200.1 128.0.0.0
                                        add net 128.0.0.0: gateway 192.168.200.1
2018-08-25 10:52:41 us=887462 MANAGEMENT: >STATE:1535219561,ADD_ROUTES,,,,,,
2018-08-25 10:52:41 us=887883 /sbin/route add -net 192.168.200.0 192.168.200.1 255.255.255.0
                                        route: writing to routing socket: File exists
                                        add net 192.168.200.0: gateway 192.168.200.1: File exists
2018-08-25 10:52:41 us=892246 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2018-08-25 10:52:41 us=892499 Initialization Sequence Completed
2018-08-25 10:52:41 us=892742 MANAGEMENT: >STATE:1535219561,CONNECTED,SUCCESS,192.168.200.2,xx.xxx.xx.xxx,11xx,172.20.10.2,58366
2018-08-25 10:52:41 us=893169 TCP_CLIENT WRITE [50] to [AF_INET]xx.xxx.xx.xxx:1194: P_ACK_V1 kid=0 pid=[ #11 ] [ 5 ]
2018-08-25 10:52:41 us=893574 TCP_CLIENT READ [384] from [AF_INET]xx.xxx.xx.xxx:1194: P_CONTROL_V1 kid=0 pid=[ #10 ] [ ] pid=5 DATA len=342
WRITE [91] to [AF_INET]xx.xxx.xx.xxx:1194: P_DATA_V2 kid=0 DATA len=90
2018-08-25 10:52:42 us=830010 TCP_CLIENT WRITE [110] to [AF_INET]xx.xxx.xx.xxx:1194: P_DATA_V2 kid=0 DATA len=109
2018-08-25 10:52:42 us=830594 TCP_CLIENT WRITE [111] to [AF_INET]xx.xxx.xx.xxx:1194: P_DATA_V2 kid=0 DATA len=110
2018-08-25 10:52:41 us=893863 TCP_CLIENT WRITE [50] to 

/etc/config/openvpn

# OpenVPN server instance as reposted with proto tcp; this matches the server
# log above ("Listening for incoming TCP connection", TCPv4_SERVER).
config openvpn 'vpnserver'
        option enabled '1'
        option dev_type 'tun'
        # The tun device name; /etc/config/network wraps it in the 'vpnserver'
        # interface that the firewall zone of the same name references.
        option dev 'ovpns0'
        option port '1194'
        option topology 'subnet'
        option tls_server '1'
        option mode 'server'
        # Tunnel pool: the server log shows ovpns0 brought up as 192.168.200.1
        # and clients assigned from 192.168.200.2 upward (pool size 252).
        option server '192.168.200.0 255.255.255.0'
        # NOTE(review): 'route-gateway dhcp' is reported later in this thread
        # (#14/#15) as Windows-only; removing the pushed copy below is what
        # finally gave the macOS client internet access.
        option route_gateway 'dhcp'
        # NOTE(review): OpenVPN's own documentation discourages data-channel
        # compression; consider dropping it on both ends once connectivity works.
        option compress 'lzo'
        # Pushed automatically as 'ping 10,ping-restart 120' (see the PUSH_REPLY in the log).
        option keepalive '10 120'
        option persist_key '1'
        option persist_tun '1'
        option ca '/etc/openvpn/ca.crt'
        option cert '/etc/openvpn/my-server.crt'
        option key '/etc/openvpn/my-server.key'
        option dh '/etc/openvpn/dh2048.pem'
        # Control-channel HMAC key, direction 0 on the server; the client
        # profile in this thread uses 'key-direction 1' to match.
        option tls_auth '/etc/openvpn/tls-auth.key 0'
        # NOTE(review): lets connected clients reach one another inside the
        # OpenVPN process instead of through the firewall's vpnserver zone —
        # confirm that is wanted.
        option client_to_client '1'
        # No 'cipher' is set, so the log's "Local Options String" advertises the
        # 2.4 default BF-CBC; this client negotiated AES-256-GCM, but a client
        # without cipher negotiation would fall back to the default.
        # NOTE(review): consider pinning it, e.g. option cipher 'AES-256-GCM'.
        # verb 5 logging records peer addresses and per-packet R/W markers; keep
        # that level only while troubleshooting.
        option log '/tmp/openvpn.log'
        # Already pushed by 'server'; the log's PUSH_REPLY shows 'topology subnet' twice.
        list push 'topology subnet'
        # Routes all client traffic through the tunnel (the client log shows the
        # two 128.0.0.0 half-routes being added).
        list push 'redirect-gateway def1'
        # See the route_gateway note above (#14/#15).
        list push 'route-gateway dhcp'
        # The VPN subnet is directly connected on the client; posts #8/#10 call
        # this push unnecessary and the client log reports 'File exists' when
        # it is added. What is missing is a route to the LAN (192.168.1.0/24)
        # where the pushed DNS server lives.
        list push 'route 192.168.200.0 255.255.255.0'
        # 192.168.1.1 is this router's LAN address (dnsmasq) per /etc/config/network.
        list push 'dhcp-option DNS 192.168.1.1'
        list push 'compress lzo'
        list push 'persist-key'
        list push 'persist-tun'
        # NOTE(review): a bare 'DOMAIN' is not an OpenVPN directive I know of;
        # the usual form is 'dhcp-option DOMAIN lan' — check the client log.
        list push 'DOMAIN lan'
        option verb '5'
        # Clients must use the tcp client mode to match (the client log shows TCP_CLIENT).
        option proto 'tcp'

/etc/config/network

# /etc/config/network as reposted; identical to the first posting in this thread.
config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdce:743c:37a6::/48'

# LAN bridge. 192.168.1.1 is the address the OpenVPN server pushes to clients
# as their DNS server.
config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        # Static upstream resolvers for the LAN side (v4 and v6).
        option dns '1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001'

# WAN via DHCP; peerdns '0' ignores ISP-supplied resolvers in favour of the
# static list below.
config interface 'wan'
        option ifname 'eth1.2'
        option proto 'dhcp'
        option peerdns '0'
        option dns '1.1.1.1 1.0.0.1 8.8.8.8 8.8.4.4'

config interface 'wan6'
        option ifname 'eth1.2'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'
        option peerdns '0'
        option dns '2606:4700:4700::1111 2606:4700:4700::1001 2001:4860:4860::8888 2001:4860:4860::8844'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

# VLAN 1 carries the LAN ports, VLAN 2 the WAN port; the 't' ports are
# presumably the tagged CPU-facing ports (device-specific).
config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 3 5t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '4 6t'

# Unmanaged interface wrapping the OpenVPN tun device so that the firewall
# can place it in the 'vpnserver' zone (option network 'vpnserver' there).
config interface 'vpnserver'
        option proto 'none'
        option ifname 'ovpns0'
        option auto '1'

/etc/config/firewall

# /etc/config/firewall as reposted; the 'BitTorrent' input rule from the first
# posting is gone and the OpenVPN rule now spells the protocols 'tcp udp'.
# Rules are applied in file order, so no sections are reordered here.
config defaults
        option syn_flood '1'
        # The router itself accepts input by default; the wan zone below
        # overrides this with REJECT.
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

# Internet-facing zone: nothing reaches the router, or is forwarded in from
# here, unless one of the Allow-* rules below permits it.
config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        # NAT for everything leaving via wan, which covers VPN clients once the
        # vpnserver -> wan forwarding near the end is in place.
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

# The Allow-* rules from here down to Allow-ISAKMP appear to be OpenWrt's
# stock defaults (DHCP renew, ping, IGMP, DHCPv6/MLD/ICMPv6 housekeeping,
# IPsec pass-through to the LAN); nothing in this thread depends on them.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# Custom iptables rules in /etc/firewall.user are not shown in this post and
# so cannot be reviewed alongside the UCI rules.
config include
        option path '/etc/firewall.user'

# UPnP: LAN hosts can request WAN port openings at runtime; those dynamic
# rules are not visible in this static configuration.
config include 'miniupnpd'
        option type 'script'
        option path '/usr/share/miniupnpd/firewall.include'
        option family 'any'
        option reload '1'

# Opens the OpenVPN listener from every zone ('*') for both tcp and udp.
# NOTE(review): the server now listens on tcp only (option proto 'tcp' in
# /etc/config/openvpn) on 1194, so 'src wan' with 'proto tcp' is the
# least-privilege form.
config rule
        option name 'Allow-OpenVPN-Inbound'
        option target 'ACCEPT'
        option src '*'
        option proto 'tcp udp'
        option dest_port '1194'

# Zone for the tunnel interface defined in /etc/config/network.
config zone
        option name 'vpnserver'
        # VPN clients may talk to the router itself, including the dnsmasq
        # resolver they are pointed at (192.168.1.1).
        option input 'ACCEPT'
        option output 'ACCEPT'
        # NOTE(review): masq on this zone rewrites traffic leaving the router
        # toward VPN clients to the tunnel address; it is not needed for
        # clients that only originate connections — confirm it is intended.
        option masq '1'
        option network 'vpnserver'
        option forward 'REJECT'

# VPN clients may initiate connections to the internet and to the LAN. There
# is no lan -> vpnserver forwarding, so LAN hosts cannot initiate connections
# to VPN clients unless one is added.
config forwarding
        option src 'vpnserver'
        option dest 'wan'

config forwarding
        option src 'vpnserver'
        option dest 'lan'

Thanks, but I'm not sure what that means. Do I need to change something if I don't need to push the route?


#10

Yes.

The "push route" directive is how the OpenVPN server tells any clients, "Want to talk to this subnet? Go through the VPN."

At the moment your DNS is hosted on 192.168.1.1, which is not part of the VPN subnet. Anything which sits in the VPN subnet can be reached by the VPN clients. Anything which does not sit in the VPN subnet needs a route pushed to the clients for it to be reachable. But your VPN server is not pushing a route for 192.168.1.0/24 to the clients.

Change list push 'route 192.168.200.0 255.255.255.0' to list push 'route 192.168.1.0 255.255.255.0'.


#11

Thanks. I changed that but I'm having the same problem. Also note the guide here mandates the push route as 192.168.200.0

Do you want me to post the logs again?


OpenVPN wiki article: server push config
#12

I'm not convinced that guide is entirely accurate, but I haven't had a chance to go through it step-by-step to proofread it. At least, in all of my working OpenVPN configurations I don't push the VPN subnet's own route to the client; it doesn't make sense to do so. But I could very well be wrong; the config file syntax has changed over the years since I first started using OpenVPN.

Tomorrow or Monday (it's a public holiday here) I should have a chance to go through that guide and test it.

In the meantime, additional logs can't hurt. You might spot something which triggers an "aha!" lightbulb moment.


#13

I used that guide and it worked for me. I am however using the OpenVPN client for Windows.


#14

In addition to the changes above, removing

uci add_list openvpn.vpnserver.push='route-gateway dhcp'

finally fixed it. I can now access external internet as well. I think the guide needs to be changed.

Thanks everyone!


#15

Yes, according to this it is only supported by Windows: https://secure-computing.net/wiki/index.php/OpenVPN/Supporting_"route-gateway_dhcp"_on_non-Windows_platforms


OpenVPN wiki article: server push config
#16

It does. But not by much overall.

The main thing that the author should do is to add some expository information for context, to explain what each part does, as well as how and why. As it stands, it's simply a cargo-cult "monkey see, monkey do" exercise in copy and paste. This is fine if everything works, but if it doesn't then the reader isn't given any information to assist with investigating the problem. If the reader is a novice, this can cause frustration.

In addition, the guide is predicated on the assumption that the reader has not changed the OpenWRT settings from the defaults. If the reader has, then some modification to the process is needed (see below).

As promised, I went through the guide to see if it would work in its current form. I used OpenWRT 18.06.1, Windows 10, and Ubuntu 18.04.1 (server as well as Desktop). I set everything up in VMware, and it looks like this:

image

For this test I removed the option gateway '192.168.10.1' line from /etc/config/network on OpenWRT 2. This cut off OpenWRT 2 and everything behind it from the rest of the network and the Internet. The only possible communication from OpenWRT 2 and its devices would be to 192.168.10.1 and 192.168.10.3, but not beyond either one. If I could establish a VPN connection to OpenWRT 3 - which does have Internet access - then that would provide Internet connectivity for the VPN client behind OpenWRT 2.

I set up OpenVPN Server on OpenWRT 3, following the guide.

The first hurdle was some changes introduced in OpenWRT 18.06 (or possibly 18.06.1). The guide's author notes that the guide has been tested against LEDE 17.01.4, so some differences are not unexpected.

The certificate-generation step does not initially work:

# cd /tmp && wget https://openwrt.org/_export/code/docs/guide-user/services/vpn/openvpn/server.setup?codeblock=3
wget: SSL support not available, please install one of the libustream-.*[ssl|tls] packages as well as the ca-bundle and ca-certificates packages.

The fix is straightforward: opkg install libustream-openssl ca-bundle ca-certificates. Then the above step will work.

As can be seen in the diagram, OpenWRT 3's LAN interface is 192.168.13.1. The guide configures the OpenVPN server to push 192.168.1.1 as the DNS resolver to all clients. OpenWRT's DNS resolver dnsmasq listens on the LAN interface. If the LAN IP address has not been changed from the defaults then 192.168.1.1 is fine. If the LAN IP address has been changed - as in this test - then the line uci add_list openvpn.vpnserver.push='dhcp-option DNS 192.168.1.1' should be changed to match, for example uci add_list openvpn.vpnserver.push='dhcp-option DNS 192.168.13.1'.

Copying the entire "create-ovpn.sh" section into the terminal in one go did not work. The "EOF" in the middle of the section is intended to terminate creation of the file /etc/openvpn/my-server.ovpn, but this does not happen in practice. Instead, the file /etc/openvpn/my-server.ovpn is created, but goes on to contain all the following lines literally, rather than the certificates which those lines are intended to append.

The workaround is straightforward: copy everything up to and including the "EOF" into the terminal. Press Return for the "EOF" to take effect and return control to the shell. Then copy and paste the remainder of the lines in that section. Alternately, create a complete script called create-ovpn.sh, based on the method near the top of the guide, and run the script from the shell.

The guide contains the line uci add_list openvpn.vpnserver.push='compress lzo' but then the subsequent illustration of the contents of /etc/config/openvpn shows list push 'compress lz4'. The guide mentions "lz4" in passing as a possible compression option, but the illustrative examples should correspond to the preceding instructions.

The guide includes a Windows-specific entry: block-outside-dns. This will cause the Linux OpenVPN client to crash with the error Options error: Unrecognized option or missing or extra parameter(s) in my-server.ovpn:13: block-outside-dns (2.4.4). This option is used to force clients to use the DNS server specified by the OpenVPN server, and the Linux equivalent involves calling /etc/openvpn/update-resolv-conf upon the establishment and tear-down of the VPN tunnel.

The guide also includes an entry which will not work on Windows: fast-io. Fortunately the Windows OpenVPN client merely skips past the unrecognised option without crashing, and displays a note to the user to that effect.

The guide's author does not mention the Windows-only and non-Windows aspects, leaving it to the reader to know about it already.

So, in a nutshell, the guide is a good starting point to the subject, and most of it works as intended. But it requires some additional knowledge on the part of the reader, for the details which aren't explicitly covered.


#17

iplaywithtoys

You rock! Is anyone able to edit the wiki or only the original author, or are you just being considerate? I think it would be good to clarify some elements of it after all.


#18

It's a wiki, everybody who is logged in can edit it.


#19

I started a thread to discuss the potential changes to the wiki OpenVPN article, as I have seen (and assisted) users having the same issues described here. I have not wanted to change the Wiki without a discussion about it first for a few reasons -- mainly since it is an opportunity to learn (what has worked for me and for those I've helped may be a narrow slice, maybe there is something I don't know or haven't thought about) and as a courtesy to the original author and subsequent contributors so we don't end up having debates/discussions after certain changes take place.


#20

It functions perfectly fine if copied into a terminal (or downloaded as a script)... I know because I extensively tested those script blocks when I converted @stangri's code blocks into downloadable scripts.

  • [root@ACS] ~ $ cd /tmp && mkdir openvpn
    [root@ACS] /tmp $ #!/bin/sh
    [root@ACS] /tmp $
    [root@ACS] /tmp $ source /lib/functions/network.sh
    [root@ACS] /tmp $ network_find_wan wanIf
    [root@ACS] /tmp $ network_get_ipaddrs wanIP $wanIf
    [root@ACS] /tmp $ # wanIP="dynamic.dns.name"
    [root@ACS] /tmp $
    [root@ACS] /tmp $ OVPN_FILE="/tmp/openvpn/my-server.ovpn"
    [root@ACS] /tmp $
    [root@ACS] /tmp $ cat >> ${OVPN_FILE} <<EOF
    >   client
    >   dev tun
    >   proto udp
    >   fast-io
    >   remote $wanIP 1194
    >   remote-cert-tls server
    >   nobind
    >   persist-key
    >   persist-tun
    >   compress lzo
    >   verb 3
    >   key-direction 1
    >   block-outside-dns
    > EOF
    [root@ACS] /tmp $
    [root@ACS] /tmp $ echo '<ca>'         >> ${OVPN_FILE}
    [root@ACS] /tmp $ cat                 >> ${OVPN_FILE} < /tmp/openvpn/ca.crt
    -ash: cant open /tmp/openvpn/ca.crt: no such file
    [root@ACS] /tmp $ echo '</ca>'        >> ${OVPN_FILE}
    [root@ACS] /tmp $
    [root@ACS] /tmp $ echo '<cert>'       >> ${OVPN_FILE}
    [root@ACS] /tmp $ cat                 >> ${OVPN_FILE} < /tmp/openvpn/my-client.crt
    -ash: cant open /tmp/openvpn/my-client.crt: no such file
    [root@ACS] /tmp $ echo '</cert>'      >> ${OVPN_FILE}
    [root@ACS] /tmp $
    [root@ACS] /tmp $ echo '<key>'        >> ${OVPN_FILE}
    [root@ACS] /tmp $ cat                 >> ${OVPN_FILE} < /tmp/openvpn/my-client.key
    -ash: cant open /tmp/openvpn/my-client.key: no such file
    [root@ACS] /tmp $ echo '</key>'       >> ${OVPN_FILE}
    [root@ACS] /tmp $
    [root@ACS] /tmp $ echo '<tls-auth>'   >> ${OVPN_FILE}
    [root@ACS] /tmp $ cat                 >> ${OVPN_FILE} < /tmp/openvpn/tls-auth.key
    -ash: cant open /tmp/openvpn/tls-auth.key: no such file
    [root@ACS] /tmp $ echo '</tls-auth>'  >> ${OVPN_FILE}
    [root@ACS] /tmp $
    [root@ACS] /tmp $ # Display the generated OVPN_FILE
    [root@ACS] /tmp $   printf "----- Generated .ovpn file ------\n\n"
    ----- Generated .ovpn file ------
    
    [root@ACS] /tmp $   cat ${OVPN_FILE}
      client
      dev tun
      proto udp
      fast-io
      remote 192.168.200.60 1194
      remote-cert-tls server
      nobind
      persist-key
      persist-tun
      compress lzo
      verb 3
      key-direction 1
      block-outside-dns
    <ca>
    </ca>
    <cert>
    </cert>
    <key>
    </key>
    <tls-auth>
    </tls-auth>
    [root@ACS] /tmp $
    [root@ACS] /tmp $ printf "\n\n\n  . . .  DONE  . . .  \n\n\n"
    
    
    
      . . .  DONE  . . .
    

This is literally impossible to have occur... see cat --help or cat's man page

This was added by @stueh, and is what occurs when config changes are made to a wiki without consulting the man page.

This is simply a typo and needs to be changed from lzo to lz4 in /etc/config/openvpn.

  • While OpenVPN recommends lzo for 2.4, it creates a major issue on Macs, so Stan changed it back to lz4 a few weeks ago.


#21

FFS. In my revision, I specifically put the block-outside-dns in a section of its own under Clients \ Prevent DNS Windows Leaks for Windows Clients because the block-outside-dns option can only be used for Windows clients.

I even put in the todo:

(maybe) update the create-ovpn.sh script to create two .ovpn files - one for non-Windows clients, and one for Windows to ensure VPN DNS is used and NOT the client's local/LAN DNS (simply create the non-Windows .ovpn, then copy it and add block-outside-dns into the first section of the Windows .ovpn file)

Is it possible to, oh, I don't know, not make changes to scripts on public wiki pages without testing them thoroughly on multiple platforms?

Sorry for being a douche. I'm being a douche.


#22

Right, but block-outside-dns is not the recommended solution for the DNS leak issue on Windows, as it will result in connection lag on systems with multiple network interfaces.

  • Recommended Solution:
    • Modify the Windows TAP Adapter's IPv4 Settings -> Advanced...
      • Automatic Metric: Uncheck
      • Interface Metric: 1

Simply because an option exists in the OpenVPN man page doesn't mean it should be utilized:

  • The Man Page should always be consulted first, followed by search engine utilization to research the option.
    • This ensures the option is being used in the correct manner, as well as to verify it's the recommended solution for the issue being faced, prior to adding it to a wiki.
      • Had this been done, the above solution would have been found.

#23

I don't see setting the metric as a viable or user friendly solution to the issue of DNS leaking, which the block-outside-dns option is trying to stop. When using the interface metric method, if the primary DNS server (in this instance, the DNS address provided by the OpenDNS server) becomes unavailable, the Windows OpenVPN client will start using the next metric - the local DNS server - meaning that it will be leaking DNS, likely without the user knowing.

That's why I don't use the recommended solution you mentioned, and that's why I wouldn't recommend it for anyone else. It's just plain not secure.


#24

Whether or not you personally find it "user friendly", it is the recommended solution for the DNS leak issue.

  • As I previously mentioned, perhaps a google search is in order.

I'm not sure how changing a network interface's properties is not "user friendly", considering the whole point of a wiki is to walk a user through the steps for completion.

  • By your definition, the entire OpenWrt Wiki site is "not a user friendly solution".

It should be kept in mind wikis are not intended to serve the purposes of a single user or a single user's custom environment, but meant to serve 90% of users 90% of the time.


#25

I'm vague on that, but I believe @stueh added a separate paragraph on block-outside-dns and it was me who integrated that option into the main instructions.

I don't have a Windows computer, so I personally don't have this option and I have not tested its impact on the non-Windows clients.

Probably the correct way forward would be to remove this option as a default and restore @stueh's paragraph on preventing DNS leaks on Windows indicating that this is one of the options with the link to the comprehensive guide for more options?