OpenVPN connection initialised but cannot ping

#1

I've spent a couple of hours trying to sort this, but while I'm sure I must have missed something I'm too fried to see what it is.

Devices can connect and the server log reaches "Initialization Sequence Completed", but no traffic seems to pass through the tunnel: the clients can't even ping the server.

The certificates are in order, I think I've got the inter-zone rules right, but not sure about the routes.

Internal network 192.168.0.0/24
VPN subnet 172.31.0.0/28

OpenWrt 18.06.2 r7676-cddd7b4c77
openvpn-openssl 2.4.5-4.2

/etc/config/firewall

# Review notes are added as comments only; no stanza below is changed.
# Global policy: the router itself accepts input/output, nothing is forwarded
# between zones unless a zone or a 'config forwarding' stanza says so.
config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

# LAN is fully trusted: traffic to the router, from the router and between
# LAN hosts is all allowed.
config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'
        option conntrack '1'

# WAN: unsolicited input and forwarding are rejected; outbound traffic is
# NATed (masq) and has its TCP MSS clamped to the path MTU (mtu_fix).
config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6'

# The next block of rules (DHCP renew, ping, IGMP, DHCPv6, MLD, ICMPv6)
# appears to be the stock OpenWrt 18.06 set: minimal WAN-side housekeeping.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

# The router answers ICMP echo from the internet. Harmless, but drop this rule
# if you would rather not advertise the host.
config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# These two forward IPsec (ESP + IKE on udp/500) from WAN to any LAN host.
# They look like the stock defaults and are unused by this OpenVPN setup;
# remove them if no LAN host terminates IPsec.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# Custom iptables rules live in /etc/firewall.user (contents not shown here).
config include
        option path '/etc/firewall.user'

# Port forwards: WAN 80/443 -> 192.168.0.7 (the same host that is the LAN's
# first DNS server in /etc/config/network). Expected for a web server.
config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '80'
        option dest_ip '192.168.0.7'
        option dest_port '80'
        option name 'http'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '443'
        option dest_ip '192.168.0.7'
        option dest_port '443'
        option name 'https'

# Opens the OpenVPN listener on the router itself. With src '*' and no dest
# this is an INPUT rule from every zone (lan and vpn already have input
# ACCEPT, so only wan matters). The server runs 'proto tcp' only, so 'udp'
# here opens a port nothing listens on. Tighten to:
#   option src 'wan'
#   option proto 'tcp'
config rule
        option target 'ACCEPT'
        option family 'ipv4'
        option proto 'tcp udp'
        option src '*'
        option dest_port '5000'
        option name 'Allow Forwarded VPN Request -> <device>'

# VPN clients (tun0) are treated like LAN: they may reach every service the
# router itself listens on (input ACCEPT) and each other (forward ACCEPT).
# If clients only need LAN access, consider input REJECT plus explicit rules;
# the DNS/NTP pushed to clients are LAN hosts, not the router, so they do not
# depend on input ACCEPT here.
config zone
        option name 'vpn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option network 'vpn0'
        option forward 'ACCEPT'
        option conntrack '1'

# SECURITY: forwards WAN port 22 straight to 192.168.0.7, i.e. that host's SSH
# is exposed to the internet. Once the VPN works, SSH is reachable over the
# tunnel, so this forward can be dropped (or at least limited with src_ip).
config redirect
        option enabled '1'
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '22'
        option dest_ip '192.168.0.7'
        option dest_port '22'
        option name 'ssh'

# NOTE(review): UPnP/NAT-PMP include. This normally lets LAN clients open WAN
# port mappings on their own; confirm that is intended alongside the
# hand-maintained forwards above.
config include 'miniupnpd'
        option type 'script'
        option path '/usr/share/miniupnpd/firewall.include'
        option family 'any'
        option reload '1'

# lan -> wan: normal internet access for the LAN.
config forwarding
        option dest 'wan'
        option src 'lan'

# vpn -> lan: the purpose of the VPN (clients reach 192.168.0.0/24).
config forwarding
        option dest 'lan'
        option src 'vpn'

# vpn -> wan: required because the server pushes 'redirect-gateway def1', so
# all client internet traffic exits through this router's WAN (masqueraded).
config forwarding
        option dest 'wan'
        option src 'vpn'

# lan -> vpn: LAN hosts may initiate connections to VPN clients. Drop this if
# the tunnel is only meant to be used in the client -> LAN direction.
config forwarding
        option dest 'vpn'
        option src 'lan'

/etc/config/network

# Review notes are added as comments only; no stanza below is changed.
config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdce:370a:56e7::/48'

# LAN bridge on VLAN 1, 192.168.0.1/24. DNS handed to LAN clients points at
# the two LAN hosts .7 and .8 (the same ones pushed to VPN clients).
config interface 'lan'
        option type 'bridge'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.0.1'
        option dns '192.168.0.7 192.168.0.8'
        option delegate '0'
        option ifname 'eth0.1'

# WAN on VLAN 2 via DHCP (v4) and DHCPv6 (v6).
config interface 'wan'
        option ifname 'eth0.2'
        option proto 'dhcp'

config interface 'wan6'
        option ifname 'eth0.2'
        option proto 'dhcpv6'

# Switch: ports 2-5 are LAN (VLAN 1), port 1 is WAN (VLAN 2), port 0 is the
# CPU port tagged on both.
config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '2 3 4 5 0t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '1 0t'

# tun0 is created and addressed by OpenVPN itself ('dev tun0' in
# /etc/config/openvpn); 'proto none' only binds it to the 'vpn' firewall zone.
config interface 'vpn0'
        option ifname 'tun0'
        option proto 'none'
        option auto '1'

# BUG (confirmed in the replies: removing these fixed the problem). Both
# static routes are wrong and unnecessary: 172.31.0.0/28 is directly
# connected on tun0 and 192.168.0.0/24 on br-lan, so the kernel already has
# link-scope routes for them. This one sends VPN-subnet traffic out of br-lan
# towards the router's own LAN address; 'ip route show' lists it ahead of the
# connected tun0 route, which is most likely where the pings were lost.
config route
        option interface 'lan'
        option target '172.31.0.0'
        option netmask '255.255.255.240'
        option gateway '192.168.0.1'

# Second half of the same mistake: the target is a host address (192.168.0.1)
# with a /24 mask and the gateway is the router's own tun0 address. It does
# not show up in 'ip route show' (presumably never installed). Delete both.
config route
        option interface 'vpn0'
        option target '192.168.0.1'
        option netmask '255.255.255.0'
        option gateway '172.31.0.1'

/etc/config/openvpn

# OpenVPN server instance. Review notes are added as comments only; no
# directive below is changed.
#
# MISSING CHECK: there is no 'option remote_cert_tls 'client''. Without it any
# certificate issued by this CA is accepted as a client; with it only
# certificates carrying the client EKU are. client.ovpn already does the
# mirror check ('remote-cert-eku'), so add the server side too. Consider
# 'option crl_verify' as well so revoked client certificates can be rejected.
config openvpn 'vpnserver'
        option enabled '1'
# TCP on 5000; the firewall rule "Allow Forwarded VPN Request" opens this port.
        option proto 'tcp'
        option dev 'tun0'
        option topology 'subnet'
        option port '5000'
# 2048-bit DH group (log: "Diffie-Hellman initialized with 2048 bit key").
        option dh '/etc/ssl/openvpn/dh2048.pem'
# Fallback only: server and client negotiate the data-channel cipher (NCP) and
# the log shows "using negotiated cipher 'AES-256-GCM'". Listing a GCM cipher
# here (or setting ncp_ciphers) would make the intent explicit.
        option cipher 'AES-128-CBC'
# HMAC for the control channel / tls-auth (log: "512 bit message hash 'SHA512'").
        option auth 'SHA512'
# tls-auth drops control packets that are not HMAC-signed with the shared key
# before any TLS work is done; key direction 0 here pairs with key-direction 1
# in client.ovpn. tls-crypt (available since 2.4) additionally encrypts the
# control channel and is worth switching to when the key is next rotated.
        option tls_auth '/etc/ssl/openvpn/tls-auth.key 0'
# tls_server is implied by 'server' below; harmless duplication.
        option tls_server '1'
        option tls_version_min '1.2'
# Paste artifact: this value is a single line in the real file (the log shows
# the tokens after "AES-128-CBC-" being parsed). The "No valid translation
# found for TLS cipher" log lines are about the '!...' exclusion tokens, which
# are not IANA-style cipher names. The handshake still negotiated
# ECDHE-RSA-AES128-GCM-SHA256 from this list (see openvpn.log), so this option
# is log noise, not the cause of the ping failure; simplify or remove it as
# reply #3 suggests.
        option tls_cipher 'TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-
SHA256:TLS-ECDH-RSA-WITH-AES-128-GCM-SHA256:!aNULL:!eNULL:!LOW:!3DES:!MD5:!SHA:!EXP:!PSK:!SRP:!DSS:!RC4:!kRSA'
# Status/log in /tmp (RAM-backed, lost on reboot). At verb 5 the log records
# client CNs and source addresses; check the files are not world-readable.
        option status '/tmp/openvpn-status.log'
        option log_append '/tmp/openvpn.log'
# Ping every 10 s, restart the client instance after 120 s of silence.
        option keepalive '10 120'
# SECURITY: compression inside an encrypted tunnel is discouraged (it enables
# compression-oracle attacks such as VORACLE). Remove it here and in
# client.ovpn - both sides must agree.
        option compress 'lzo'
# Traffic between VPN clients is switched inside the OpenVPN process, so it
# never passes the router's firewall. Disable unless clients must see each other.
        option client_to_client '1'
# Privileges are dropped to nobody/nogroup after start-up (log: "UID set to
# nobody"); persist_key/persist_tun keep the key material and tun0 across
# restarts, which the unprivileged process could not reopen.
        option persist_key '1'
        option persist_tun '1'
        option user 'nobody'
        option group 'nogroup'
# Requested 384 KiB socket buffers; the kernel capped them at 327680
# (log: "Socket Buffers: R=[87380->327680] S=[16384->327680]").
        option sndbuf '393216'
        option rcvbuf '393216'
# Unusual MTU settings: a 48000-byte tun MTU with mssfix disabled only works
# because the carrier is TCP. These values are part of the options-string
# check (log: "link-mtu 48104,tun-mtu 48000"), so client.ovpn must match
# exactly. Not the cause of the ping failure, but tun_mtu 1500 with the
# default mssfix is the normal choice.
        option fragment '0'
        option mssfix '0'
        option tun_mtu '48000'
# Server identity. The private key is read before privileges drop; keep it
# readable by root only.
        option ca '/etc/ssl/openvpn/ca.crt'
        option cert '/etc/ssl/openvpn/vpn-server.crt'
        option key '/etc/ssl/openvpn/private/vpn-server.key'
# 'server' already derives this ifconfig under topology subnet; the explicit
# line appears redundant but is consistent with it (log: "ifconfig tun0
# 172.31.0.1 netmask 255.255.255.240"). Pool is 172.31.0.2-.13 (12 clients).
        option ifconfig '172.31.0.1 255.255.255.240'
        option server '172.31.0.0 255.255.255.240'
# Clients get a route to the LAN and are told to use LAN hosts .7/.8 for DNS
# and NTP (reached via the vpn -> lan forwarding).
        list push 'route 192.168.0.0 255.255.255.0'
        list push 'dhcp-option    NTP 192.168.0.8'
        list push 'dhcp-option    NTP 192.168.0.7'
        list push 'dhcp-option    NTP 129.6.15.30'
        list push 'dhcp-option    DNS 192.168.0.8'
        list push 'dhcp-option    DNS 192.168.0.7'
        list push 'sndbuf 393216'
        list push 'rcvbuf 393216'
# Full tunnel: all client traffic is routed through this router, which needs
# the vpn -> wan forwarding and the WAN masquerade in /etc/config/firewall.
        list push 'redirect-gateway def1'
# Very chatty; 3 is enough once the problem is solved.
        option verb '5'

client.ovpn

# Client profile for the server above. Review notes are added as comments only.
client
dev tun
# Must match the server's proto and port (tcp/5000).
proto tcp
remote {Hostname redacted} 5000
# These three are part of the options-string check and must equal the server's
# values; 48000 is unusual (see the server-side note).
mssfix 0
fragment 0
tun-mtu 48000
# Accept packets from the server even if its source address changes.
float
nobind
# Same caveat as the server: compression inside the tunnel is discouraged;
# remove it on both sides together.
compress lzo
persist-key
persist-tun
resolv-retry infinite
auth SHA512
# Do not keep prompted passphrases/credentials in memory. There is no
# auth-user-pass in this profile, so this only matters for an encrypted key.
auth-nocache
# Fallback only; the server log shows NCP negotiated AES-256-GCM.
cipher AES-128-CBC
# Pairs with 'tls_auth ... 0' on the server.
key-direction 1
tls-version-min 1.2
# Good: only a certificate carrying the server EKU is accepted as the server,
# so another client certificate from the same CA cannot impersonate it.
# Consider also pinning the server's CN with 'verify-x509-name'.
remote-cert-eku "TLS Web Server Authentication"
# Crypto material trimmed
<tls-auth />
<ca />
<cert />
<key />
# Very verbose; 3 is enough once the problem is solved.
verb 5

openvpn.log

Fri Apr 19 01:42:57 2019 us=996258 OpenVPN 2.4.5 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Fri Apr 19 01:42:57 2019 us=996490 library versions: OpenSSL 1.0.2q  20 Nov 2018, LZO 2.10
Fri Apr 19 01:42:58 2019 us=5471 Diffie-Hellman initialized with 2048 bit key
Fri Apr 19 01:42:58 2019 us=6045 No valid translation found for TLS cipher '!aNULL'
Fri Apr 19 01:42:58 2019 us=6751 No valid translation found for TLS cipher '!eNULL'
Fri Apr 19 01:42:58 2019 us=7218 No valid translation found for TLS cipher '!3DES'
Fri Apr 19 01:42:58 2019 us=7618 No valid translation found for TLS cipher '!MD5'
Fri Apr 19 01:42:58 2019 us=8072 No valid translation found for TLS cipher '!SHA'
Fri Apr 19 01:42:58 2019 us=8540 No valid translation found for TLS cipher '!PSK'
Fri Apr 19 01:42:58 2019 us=9292 No valid translation found for TLS cipher '!DSS'
Fri Apr 19 01:42:58 2019 us=9950 No valid translation found for TLS cipher '!RC4'
Fri Apr 19 01:42:58 2019 us=14237 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Fri Apr 19 01:42:58 2019 us=14637 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Fri Apr 19 01:42:58 2019 us=14988 TLS-Auth MTU parms [ L:48124 D:1138 EF:112 EB:0 ET:0 EL:3 ]
Fri Apr 19 01:42:58 2019 us=58099 TUN/TAP device tun0 opened
Fri Apr 19 01:42:58 2019 us=58480 TUN/TAP TX queue length set to 100
Fri Apr 19 01:42:58 2019 us=58825 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Fri Apr 19 01:42:58 2019 us=59395 /sbin/ifconfig tun0 172.31.0.1 netmask 255.255.255.240 mtu 48000 broadcast 172.31.0.15
Fri Apr 19 01:42:58 2019 us=63499 Data Channel MTU parms [ L:48124 D:48124 EF:124 EB:8156 ET:0 EL:3 ]
Fri Apr 19 01:42:58 2019 us=65264 Could not determine IPv4/IPv6 protocol. Using AF_INET
Fri Apr 19 01:42:58 2019 us=65630 Socket Buffers: R=[87380->327680] S=[16384->327680]
Fri Apr 19 01:42:58 2019 us=65996 Listening for incoming TCP connection on [AF_INET][undef]:5000
Fri Apr 19 01:42:58 2019 us=66354 TCPv4_SERVER link local (bound): [AF_INET][undef]:5000
Fri Apr 19 01:42:58 2019 us=66669 TCPv4_SERVER link remote: [AF_UNSPEC]
Fri Apr 19 01:42:58 2019 us=66999 GID set to nogroup
Fri Apr 19 01:42:58 2019 us=67338 UID set to nobody
Fri Apr 19 01:42:58 2019 us=67664 MULTI: multi_init called, r=256 v=256
Fri Apr 19 01:42:58 2019 us=76117 IFCONFIG POOL: base=172.31.0.2 size=12, ipv6=0
Fri Apr 19 01:42:58 2019 us=76622 MULTI: TCP INIT maxclients=1024 maxevents=1028
Fri Apr 19 01:42:58 2019 us=86710 Initialization Sequence Completed
Fri Apr 19 01:42:58 2019 us=771734 MULTI: multi_create_instance called
Fri Apr 19 01:42:58 2019 us=772345 Re-using SSL/TLS context
Fri Apr 19 01:42:58 2019 us=772676 LZO compression initializing
Fri Apr 19 01:42:58 2019 us=796025 Control Channel MTU parms [ L:48124 D:1138 EF:112 EB:0 ET:0 EL:3 ]
Fri Apr 19 01:42:58 2019 us=819272 Data Channel MTU parms [ L:48124 D:48124 EF:124 EB:8156 ET:0 EL:3 ]
Fri Apr 19 01:42:58 2019 us=819829 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 48104,tun-mtu 48000,proto TCPv4_SERVER,comp-lzo,keydir 0,cipher AES-128-CBC,auth SHA512,keysize 128,tls-auth,key-method 2,tls-server'
Fri Apr 19 01:42:58 2019 us=820143 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 48104,tun-mtu 48000,proto TCPv4_CLIENT,comp-lzo,keydir 1,cipher AES-128-CBC,auth SHA512,keysize 128,tls-auth,key-method 2,tls-client'
Fri Apr 19 01:42:58 2019 us=821760 TCP connection established with [AF_INET]{IP redacted}:2563
Fri Apr 19 01:42:58 2019 us=822079 TCPv4_SERVER link local: (not bound)
Fri Apr 19 01:42:58 2019 us=822413 TCPv4_SERVER link remote: [AF_INET]{IP redacted}:2563
RFri Apr 19 01:42:59 2019 us=701495 {IP redacted}:2563 TLS: Initial packet from [AF_INET]{IP redacted}:2563, sid=7cda20b5 da2b2b95
WRRWWWWRWRRRRWRWRWRWRFri Apr 19 01:43:00 2019 us=616200 {IP redacted}:2563 VERIFY OK: depth=2, {CA cert redacted}, CN={CA CN redacted}
Fri Apr 19 01:43:00 2019 us=625703 {IP redacted}:2563 VERIFY OK: depth=1, CN={ICA CN redacted}
Fri Apr 19 01:43:00 2019 us=630414 {IP redacted}:2563 VERIFY OK: depth=0, {Client cert redacted}, CN={CN redacted}
WRWRFri Apr 19 01:43:00 2019 us=833795 {IP redacted}:2563 peer info: IV_VER=2.5_master
Fri Apr 19 01:43:00 2019 us=834152 {IP redacted}:2563 peer info: IV_PLAT=android
Fri Apr 19 01:43:00 2019 us=834485 {IP redacted}:2563 peer info: IV_PROTO=2
Fri Apr 19 01:43:00 2019 us=834817 {IP redacted}:2563 peer info: IV_NCP=2
Fri Apr 19 01:43:00 2019 us=835202 {IP redacted}:2563 peer info: IV_LZ4=1
Fri Apr 19 01:43:00 2019 us=835536 {IP redacted}:2563 peer info: IV_LZ4v2=1
Fri Apr 19 01:43:00 2019 us=835868 {IP redacted}:2563 peer info: IV_LZO=1
Fri Apr 19 01:43:00 2019 us=836204 {IP redacted}:2563 peer info: IV_COMP_STUB=1
Fri Apr 19 01:43:00 2019 us=836541 {IP redacted}:2563 peer info: IV_COMP_STUBv2=1
Fri Apr 19 01:43:00 2019 us=836876 {IP redacted}:2563 peer info: IV_TCPNL=1
Fri Apr 19 01:43:00 2019 us=837222 {IP redacted}:2563 peer info: IV_GUI_VER=de.blinkt.openvpn_0.7.8
WRFri Apr 19 01:43:00 2019 us=899375 {IP redacted}:2563 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES128-GCM-SHA256, 4096 bit RSA
Fri Apr 19 01:43:00 2019 us=899828 {IP redacted}:2563 [{CN redacted}] Peer Connection Initiated with [AF_INET]{IP redacted}:2563
Fri Apr 19 01:43:00 2019 us=900316 {CN redacted}/{IP redacted}:2563 MULTI_sva: pool returned IPv4=172.31.0.2, IPv6=(Not enabled)
Fri Apr 19 01:43:00 2019 us=901305 {CN redacted}/{IP redacted}:2563 MULTI: Learn: 172.31.0.2 -> {CN redacted}/{IP redacted}:2563
Fri Apr 19 01:43:00 2019 us=901662 {CN redacted}/{IP redacted}:2563 MULTI: primary virtual IP for {CN redacted}/{IP redacted}:2563: 172.31.0.2
RFri Apr 19 01:43:02 2019 us=179581 {CN redacted}/{IP redacted}:2563 PUSH: Received control message: 'PUSH_REQUEST'
Fri Apr 19 01:43:02 2019 us=180243 {CN redacted}/{IP redacted}:2563 SENT CONTROL [{CN redacted}]: 'PUSH_REPLY,route 192.168.0.0 255.255.255.0,dhcp-option    NTP 192.168.0.8,dhcp-option    NTP 192.168.0.7,dhcp-option    NTP 129.6.15.30,dhcp-option    DNS 192.168.0.8,dhcp-option    DNS 192.168.0.7,sndbuf 393216,rcvbuf 393216,redirect-gateway def1,route-gateway 172.31.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 172.31.0.2 255.255.255.240,peer-id 0,cipher AES-256-GCM' (status=1)
Fri Apr 19 01:43:02 2019 us=180571 {CN redacted}/{IP redacted}:2563 Data Channel: using negotiated cipher 'AES-256-GCM'
Fri Apr 19 01:43:02 2019 us=180948 {CN redacted}/{IP redacted}:2563 Data Channel MTU parms [ L:48052 D:48052 EF:52 EB:8156 ET:0 EL:3 ]
Fri Apr 19 01:43:02 2019 us=181935 {CN redacted}/{IP redacted}:2563 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Fri Apr 19 01:43:02 2019 us=182303 {CN redacted}/{IP redacted}:2563 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
WWRRwRwRwRwRwRwRwRwRwWRwRwRwRwRwRwRwRwWRwRwRwRwRwFri Apr 19 01:43:27 2019 us=211951 {CN redacted}/{IP redacted}:2563 Connection reset, restarting [0]
Fri Apr 19 01:43:27 2019 us=212292 {CN redacted}/{IP redacted}:2563 SIGUSR1[soft,connection-reset] received, client-instance restarting
Fri Apr 19 01:43:27 2019 us=214327 TCP/UDP: Closing socket
Fri Apr 19 01:43:30 2019 us=309558 MULTI: multi_create_instance called
Fri Apr 19 01:43:30 2019 us=310153 Re-using SSL/TLS context
Fri Apr 19 01:43:30 2019 us=310482 LZO compression initializing
Fri Apr 19 01:43:30 2019 us=326619 Control Channel MTU parms [ L:48124 D:1138 EF:112 EB:0 ET:0 EL:3 ]
Fri Apr 19 01:43:30 2019 us=336882 Data Channel MTU parms [ L:48124 D:48124 EF:124 EB:8156 ET:0 EL:3 ]
Fri Apr 19 01:43:30 2019 us=337442 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 48104,tun-mtu 48000,proto TCPv4_SERVER,comp-lzo,keydir 0,cipher AES-128-CBC,auth SHA512,keysize 128,tls-auth,key-method 2,tls-server'
Fri Apr 19 01:43:30 2019 us=337761 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 48104,tun-mtu 48000,proto TCPv4_CLIENT,comp-lzo,keydir 1,cipher AES-128-CBC,auth SHA512,keysize 128,tls-auth,key-method 2,tls-client'
Fri Apr 19 01:43:30 2019 us=339415 TCP connection established with [AF_INET]{IP redacted}:2568
Fri Apr 19 01:43:30 2019 us=339736 TCPv4_SERVER link local: (not bound)
Fri Apr 19 01:43:30 2019 us=340074 TCPv4_SERVER link remote: [AF_INET]{IP redacted}:2568
RFri Apr 19 01:43:31 2019 us=257271 {IP redacted}:2568 TLS: Initial packet from [AF_INET]{IP redacted}:2568, sid=bf326c4f 704621bd
WRRWWWWRWRRRRWRWRWRWRFri Apr 19 01:43:31 2019 us=979600 {IP redacted}:2568 VERIFY OK: depth=2, {CA cert redacted}, CN={CA CN redacted}
Fri Apr 19 01:43:31 2019 us=994250 {IP redacted}:2568 VERIFY OK: depth=1, CN={ICA CN redacted}
Fri Apr 19 01:43:31 2019 us=998856 {IP redacted}:2568 VERIFY OK: depth=0, {Client cert redacted}, CN={CN redacted}
WRWRFri Apr 19 01:43:32 2019 us=181609 {IP redacted}:2568 peer info: IV_VER=2.5_master
Fri Apr 19 01:43:32 2019 us=181959 {IP redacted}:2568 peer info: IV_PLAT=android
Fri Apr 19 01:43:32 2019 us=182316 {IP redacted}:2568 peer info: IV_PROTO=2
Fri Apr 19 01:43:32 2019 us=182648 {IP redacted}:2568 peer info: IV_NCP=2
Fri Apr 19 01:43:32 2019 us=182981 {IP redacted}:2568 peer info: IV_LZ4=1
Fri Apr 19 01:43:32 2019 us=183313 {IP redacted}:2568 peer info: IV_LZ4v2=1
Fri Apr 19 01:43:32 2019 us=183645 {IP redacted}:2568 peer info: IV_LZO=1
Fri Apr 19 01:43:32 2019 us=183980 {IP redacted}:2568 peer info: IV_COMP_STUB=1
Fri Apr 19 01:43:32 2019 us=184318 {IP redacted}:2568 peer info: IV_COMP_STUBv2=1
Fri Apr 19 01:43:32 2019 us=184656 {IP redacted}:2568 peer info: IV_TCPNL=1
Fri Apr 19 01:43:32 2019 us=185003 {IP redacted}:2568 peer info: IV_GUI_VER=de.blinkt.openvpn_0.7.8
WRFri Apr 19 01:43:32 2019 us=258997 {IP redacted}:2568 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES128-GCM-SHA256, 4096 bit RSA
Fri Apr 19 01:43:32 2019 us=259471 {IP redacted}:2568 [{CN redacted}] Peer Connection Initiated with [AF_INET]{IP redacted}:2568
Fri Apr 19 01:43:32 2019 us=260067 {CN redacted}/{IP redacted}:2568 MULTI_sva: pool returned IPv4=172.31.0.2, IPv6=(Not enabled)
Fri Apr 19 01:43:32 2019 us=261060 {CN redacted}/{IP redacted}:2568 MULTI: Learn: 172.31.0.2 -> {CN redacted}/{IP redacted}:2568
Fri Apr 19 01:43:32 2019 us=261417 {CN redacted}/{IP redacted}:2568 MULTI: primary virtual IP for {CN redacted}/{IP redacted}:2568: 172.31.0.2
RFri Apr 19 01:43:33 2019 us=540193 {CN redacted}/{IP redacted}:2568 PUSH: Received control message: 'PUSH_REQUEST'
Fri Apr 19 01:43:33 2019 us=540851 {CN redacted}/{IP redacted}:2568 SENT CONTROL [{CN redacted}]: 'PUSH_REPLY,route 192.168.0.0 255.255.255.0,dhcp-option    NTP 192.168.0.8,dhcp-option    NTP 192.168.0.7,dhcp-option    NTP 129.6.15.30,dhcp-option    DNS 192.168.0.8,dhcp-option    DNS 192.168.0.7,sndbuf 393216,rcvbuf 393216,redirect-gateway def1,route-gateway 172.31.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 172.31.0.2 255.255.255.240,peer-id 0,cipher AES-256-GCM' (status=1)
Fri Apr 19 01:43:33 2019 us=541180 {CN redacted}/{IP redacted}:2568 Data Channel: using negotiated cipher 'AES-256-GCM'
Fri Apr 19 01:43:33 2019 us=541556 {CN redacted}/{IP redacted}:2568 Data Channel MTU parms [ L:48052 D:48052 EF:52 EB:8156 ET:0 EL:3 ]
Fri Apr 19 01:43:33 2019 us=542827 {CN redacted}/{IP redacted}:2568 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Fri Apr 19 01:43:33 2019 us=543208 {CN redacted}/{IP redacted}:2568 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
WWRRwRwRwRwRwRwRwRwRwRwWRwRwRwRwRwRwRwWRwRwRwRwRwRwRwRwRwRwWRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwWRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwWRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwWRwRwRwRwRwRwRw

ip route show

default via {IP redacted} dev eth0.2  src {IP redacted}
{IP redacted}/22 dev eth0.2 scope link  src {IP redacted}
172.31.0.0/28 via 192.168.0.1 dev br-lan
172.31.0.0/28 dev tun0 scope link  src 172.31.0.1
192.168.0.0/24 dev br-lan scope link  src 192.168.0.1

As I say, I'm sure I'm missing something fairly obvious here but right now I can't see the wood for the trees.

#2

The routes look odd. Using the router's own addresses (192.168.0.1 and 172.31.0.1) as gateways for networks that are directly attached to it can make those networks unreachable; in your `ip route show` the static `172.31.0.0/28 via 192.168.0.1 dev br-lan` entry sits ahead of the connected tun0 route, which is likely where the VPN traffic is being swallowed. The router shouldn't need either route anyway, since both networks are directly connected to its interfaces.

#3

What ping tests have you tried? Have you pinged the IP addresses of your VPN endpoint device (i.e. 192.168.0.1 and 172.31.0.1)? How about pings to other devices on your network (like 192.168.0.7 and .8)? IP addresses on the internet (8.8.8.8) and finally hostnames on the internet (google.com)?

That will help identify what types of issues you've got and maybe narrow down some of the places to look for solutions.

Meanwhile...

Based on the log info, the `option tls_cipher` line should probably be removed or fixed (the log has lots of "No valid translation found for TLS cipher" complaints about it):

Remove this line, as it is unnecessary (the quoted config line was not preserved in this copy of the thread).

And as previously stated, the `config route` entries in /etc/config/network are unusual... remove them, too:

#4

What ping tests have you tried?
I didn't get ping responses full stop. Nothing from either of the endpoint's addresses, nothing from other devices on the network, and nothing from anything outside the network.

I've removed the routes, and now everything's working. Thanks to you both for your help. I've marked the first of the two as the solution, as apparently I can't mark both.
