OpenVPN created and connected to, but tunnelling and LAN browsing not working

jfromeo · August 4, 2017, 8:50am

I have a Linksys WRT1900ACS with LEDE 17.01.2 on it.

I have created an OpenVPN server via TUN following the "OpenVPN setup for beginners tutorial" on OpenWRT and I got it running.

However, I cannot go to internet through the private tunnel (my WAN IP is the same as before connecting to openVPN) and I cannot see the rest of the LAN machines (I can only access to router via the VPN IP (10.8.0.1), not the LAN IP (192.168.13.1)). The openvpn.log seems fine during the connection.

I double cheked I allowed the traffic from VPN to LAN and viceversa and from VPN to WAN.

VPN --> LAN

uci set firewall.vpn_forwarding_lan_in=forwarding
uci set firewall.vpn_forwarding_lan_in.src=vpn
uci set firewall.vpn_forwarding_lan_in.dest=lan

LAN --> VPN

uci set firewall.vpn_forwarding_lan_out=forwarding
uci set firewall.vpn_forwarding_lan_out.src=lan
uci set firewall.vpn_forwarding_lan_out.dest=vpn

VPN --> WAN

uci set firewall.vpn_forwarding_wan=forwarding
uci set firewall.vpn_forwarding_wan.src=vpn
uci set firewall.vpn_forwarding_wan.dest=wan

I got the this output info from the following commands, leaving only the vpn-related lines:

/etc/config/network

config interface 'vpn'
option ifname 'tun'
option proto 'none'
option auto '1'

/etc/config/firewall

config rule 'Allow_OpenVPN_Inbound'
option target 'ACCEPT'
option src '*'
option proto 'udp'
option dest_port '1194'

config zone 'vpn'
option name 'vpn'
option input 'ACCEPT'
option forward 'REJECT'
option output 'ACCEPT'
option masq '1'
option network 'vpn'

config forwarding 'vpn_forwarding_lan_in'
option src 'vpn'
option dest 'lan'

config forwarding 'vpn_forwarding_lan_out'
option src 'lan'
option dest 'vpn'

config forwarding 'vpn_forwarding_wan'
option src 'vpn'
option dest 'wan'

/etc/config/openvpn

config openvpn 'myvpn'
option enabled '1'
option verb '3'
option port '1194'
option proto 'udp'
option dev 'tun'
option server '10.8.0.0 255.255.255.0'
option keepalive '10 120'
option ca '/etc/openvpn/ca.crt'
option cert '/etc/openvpn/olmos13vpnserver.crt'
option key '/etc/openvpn/olmos13vpnserver.key'
option dh '/etc/openvpn/dh2048.pem'
list push 'route 192.168.13.0 255.255.255.0'
list push 'redirect-gateway def1'
option client_to_client '1'

Thanks in advance.

jow · August 4, 2017, 9:40am

In /etc/config/network, remove config interface vpn and in /etc/config/firewall replace option network 'vpn' with option device 'tun0'.

jfromeo · August 4, 2017, 11:47am

Thanks for the help.

I removed the config interface vpn in network, and replaced option device 'tun0' in firewall but still I cannot tunnel or access LAN machines through VPN.

In Realtime Traffic under tun0 I got no traffic. Also, I lost the VPN under the interfaces (I guess because of the config interface vpn removal). In the official android OpenVPN app, everything seems ok. I attach several screenshots in the following messages (I am limited to 1 image per post)

EDIT: I am finding big trouble to share the screenshots. Forum system says they were flagged as spam by the community and I got a warning in my PMs (?)

jfromeo · August 4, 2017, 11:49am

(post withdrawn by author, will be automatically deleted in 24 hours unless flagged)

jfromeo · August 4, 2017, 11:49am

(post withdrawn by author, will be automatically deleted in 24 hours unless flagged)

jfromeo · August 4, 2017, 11:51am

jfromeo · August 4, 2017, 4:18pm

jfromeo · August 4, 2017, 4:20pm

psherman · August 4, 2017, 6:18pm

One interesting thing is that I don't see the vpn network interface in your screenshot of interfaces -- so maybe it is not properly defined...

your network file should have the interface defined as follows:

config interface 'vpn'
option proto 'none'
option ifname 'tun0'

firewall (remove all vpn related rules and add the following):

config zone
option name 'vpn'
option input 'ACCEPT'
option forward 'REJECT'
option output 'ACCEPT'
option network 'vpn'

config forwarding
option dest 'wan'
option src 'vpn'

and your openvpn config file should have

option dev 'tun0'

also try adding to openvpn:

list push 'dhcp-option DNS 192.168.13.1'

jfromeo · August 4, 2017, 9:59pm

Thank you so much.

Now I got traffic under the tun0 graph whenever I connect a client (Android phone in my case), and the VPN interface shows up in the network tab

But I still cannot navigate through the tunnel. Now all the sites say they cannot be DNS resolved (maybe it was because of the last command llist push 'dhcp-option DNS 192.168.13.1'). Before I made the changes, I could navigate but not through the VPN but with the mobile data.

Best part is that I could get into the router by typing the LAN IP (192.168.13.1), apart from the VPN subnet one (10.8.01), but the rest of the services I got (NAS, IPCam...) say connection refused instantly.

psherman · August 4, 2017, 10:58pm

If this is your main router, I think that you may need a few other firewall rules... in my case, my VPN endpoint is actually a device behind my main router, so I forgot to suggest them earlier.

try adding:

config forwarding
option dest 'lan'
option src 'vpn'

and

config rule
option target 'ACCEPT'
option proto 'tcp udp'
option dest_port '53'
option src '*'

psherman · August 4, 2017, 11:23pm

BTW, I believe that the latest problems are explained as follows:

cannot resolve DNS: Since adding the dhcp-option DNS, the VPN client is sending the DNS requests to the oruter... but the router is not accepting DNS requests from the VPN. So adding a rule to allow port 53 from the VPN should solve the problem. I suggested src '*' which will ensure that DNS will be allowed from any interface (might be bad to allow from WAN, though, so you might want to change that to src 'vpn' instead).

Because you have redirect gateway def1 enabled, once the DNS issue is resolved, the traffic should, in theory, have a path through the VPN tunnel.

Cannot access any other LAN resources: the firewall only was configured to forward from VPN > WAN. Adding VPN > LAN should fix that issue.

psherman · August 7, 2017, 3:12am

@jfromeo - did you get things working? Did my last suggestions help?

jfromeo · August 24, 2017, 9:04am

Sorry for not posting in a while, I was out of home.

I tried it but I could not get it to work in any way. The rules and forwarding were included in the guide, but I cannot access anything but the router.

Now I am following step by step the updated guide (the one without the easy-rsa part) but I am getting trouble at the CA creation. I guess I will open a new post.

Thank you so much for all the help.

r43k3n · September 11, 2017, 8:46pm

Did you fixed it?
I configured the whole thing identical as in OpenWRT, yet it doesn't work for LEDE.
The tunnel itself is working but I can't access anything inside LAN.

jfromeo · September 28, 2017, 1:45am

Yeah. I got it working like a charm following the extensive guide, and using the openssl.conf to generate the certificates instead of the easy-rsa package.

https://wiki.openwrt.org/doc/howto/openvpn-streamlined-server-setup

It has quite a lot more steps, but I followed them and got it working now