OpenVPN doesn't let clients to connect to WAN

Hi, I'm struggling with setting up routing for the OpenVPN server to let clients access WAN. I set it up by this manual: https://openwrt.org/ru/doc/howto/vpn.openvpn

The clients connect and are able to access LAN if I enable it. But no WAN whatsoever.

My setup is pretty simple: the router is connected to the ISP via L2TP. Local network is 192.168.3.0/24. OpenVPN network is 10.8.0.0/24.

Please let me understand what I do wrong.

Here's my network:

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd10:b8b8:4051::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option dns_metric '1'
	list dns '195.98.64.65'
	list dns '195.98.64.66'
	list dns '8.8.8.8'

config interface 'wan'
	option proto 'dhcp'
	option device 'wan'
	option dns '195.98.64.65'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config interface 'Freedom'
	option proto 'l2tp'
	option server 'l2tp.freedom'
	option username 'xxx'
	option password 'xxx'
	option ipv6 '0'
	option checkup_interval '10'
	option dns '195.98.64.65'

config interface 'wireguard'
	option proto 'wireguard'
	option private_key 'xxx'
	option listen_port '2021'
	list addresses '10.8.3.1/24'

config wireguard_peer
	option route_allowed_ips '1'
	option persistent_keepalive '25'
	option public_key 'xxx'
	option preshared_key 'xxx'
	list allowed_ips '10.8.3.2/32'

config interface 'vpn0'
	option proto 'none'
	option auto '1'
	option device 'tun0'

Here's firewall:

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	list network 'Freedom'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'wireguard'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule 'Allow_OpenVPN_Inbound'
	option target 'ACCEPT'
	option src '*'
	option dest_port '1195'
	option name 'OpenVPN'
	option proto 'tcp'

config wan_https_allow

config rule 'wan_https_allow'
	option name 'Allow HTTP, HTTPS from WAN'
	option src 'wan'
	option dest_port '80 443'
	option target 'ACCEPT'
	list proto 'tcp'
	list proto 'udp'

config wan_ssh_allow

config rule 'wan_ssh_allow'
	option name 'Allow SSH from WAN'
	option src 'wan'
	option proto 'tcp'
	option dest_port '22'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option target 'ACCEPT'
	option src 'wan'
	option proto 'udp'
	option dest_port '2021'
	option name 'Allow-Wireguard'
	option family 'ipv4'

config forwarding
	option src 'lan'
	option dest 'wan'

config zone 'vpn'
	option name 'vpn'
	option network 'vpn0'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	option output 'ACCEPT'
	option masq '1'

config forwarding 'vpn_forwarding_wan'
	option src 'vpn'
	option dest 'wan'

OpenVPN config:

port 1195
proto tcp-server
dev tun

ca /etc/openvpn/keys/ca.crt
key /etc/openvpn/keys/openwrt-ovpn-server.key
cert /etc/openvpn/keys/openwrt-ovpn-server.crt
dh /etc/openvpn/keys/dh.pem

server 10.8.0.0 255.255.255.0
topology subnet
keepalive 10 120
max-clients 20
client-config-dir /etc/openvpn/ccd
status /etc/openvpn/logs/openvpn-status.log
log-append /etc/openvpn/logs/openvpn.log
verb 4
mute 20
auth-nocache
tun-mtu 1500
cipher AES-256-GCM
push 'redirect-gateway def1'
push 'dhcp-option DNS 195.98.64.65'

OpenVPN log:

2024-11-12 11:13:41 us=510285 MULTI: multi_create_instance called
2024-11-12 11:13:41 us=511165 Re-using SSL/TLS context
2024-11-12 11:13:41 us=512282 Control Channel MTU parms [ L:1623 D:1210 EF:40 EB:0 ET:0 EL:3 ]
2024-11-12 11:13:41 us=512791 Data Channel MTU parms [ L:1623 D:1450 EF:123 EB:406 ET:0 EL:3 ]
2024-11-12 11:13:41 us=513467 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1551,tun-mtu 1500,proto TCPv4_SERVER,cipher AES-256-GCM,auth [null-digest],keysize 256,key-method 2,tls-server'
2024-11-12 11:13:41 us=513757 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1551,tun-mtu 1500,proto TCPv4_CLIENT,cipher AES-256-GCM,auth [null-digest],keysize 256,key-method 2,tls-client'
2024-11-12 11:13:41 us=514164 TCP connection established with [AF_INET]85.249.23.37:23563
2024-11-12 11:13:41 us=514457 TCPv4_SERVER link local: (not bound)
2024-11-12 11:13:41 us=514742 TCPv4_SERVER link remote: [AF_INET]85.249.23.37:23563
2024-11-12 11:13:41 us=521968 85.249.23.37:23563 TLS: Initial packet from [AF_INET]85.249.23.37:23563, sid=fd891a45 91b71d9f
2024-11-12 11:13:42 us=180953 85.249.23.37:23563 VERIFY OK: depth=1, CN=hogwarts
2024-11-12 11:13:42 us=185858 85.249.23.37:23563 VERIFY OK: depth=0, CN=client-1
2024-11-12 11:13:42 us=194992 85.249.23.37:23563 peer info: IV_VER=3.10_qa
2024-11-12 11:13:42 us=195810 85.249.23.37:23563 peer info: IV_PLAT=ios
2024-11-12 11:13:42 us=196171 85.249.23.37:23563 peer info: IV_NCP=2
2024-11-12 11:13:42 us=196440 85.249.23.37:23563 peer info: IV_TCPNL=1
2024-11-12 11:13:42 us=196708 85.249.23.37:23563 peer info: IV_PROTO=2974
2024-11-12 11:13:42 us=196977 85.249.23.37:23563 peer info: IV_MTU=1600
2024-11-12 11:13:42 us=197260 85.249.23.37:23563 peer info: IV_CIPHERS=AES-128-GCM:AES-192-GCM:AES-256-GCM:CHACHA20-POLY1305
2024-11-12 11:13:42 us=197533 85.249.23.37:23563 peer info: IV_AUTO_SESS=1
2024-11-12 11:13:42 us=197887 85.249.23.37:23563 peer info: IV_GUI_VER=net.openvpn.connect.ios_3.5.0-6000
2024-11-12 11:13:42 us=198440 85.249.23.37:23563 peer info: IV_SSO=webauth,crtext
2024-11-12 11:13:42 us=198886 85.249.23.37:23563 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1551', remote='link-mtu 1523'
2024-11-12 11:13:42 us=352463 85.249.23.37:23563 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, peer certificate: 2048 bit RSA, signature: RSA-SHA256
2024-11-12 11:13:42 us=353258 85.249.23.37:23563 [client-1] Peer Connection Initiated with [AF_INET]85.249.23.37:23563
2024-11-12 11:13:42 us=353778 client-1/85.249.23.37:23563 MULTI_sva: pool returned IPv4=10.8.0.2, IPv6=(Not enabled)
2024-11-12 11:13:42 us=354576 client-1/85.249.23.37:23563 OPTIONS IMPORT: reading client specific options from: /etc/openvpn/ccd/client-1
2024-11-12 11:13:42 us=355399 client-1/85.249.23.37:23563 MULTI: Learn: 10.8.0.2 -> client-1/85.249.23.37:23563
2024-11-12 11:13:42 us=355705 client-1/85.249.23.37:23563 MULTI: primary virtual IP for client-1/85.249.23.37:23563: 10.8.0.2
2024-11-12 11:13:42 us=357714 client-1/85.249.23.37:23563 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2024-11-12 11:13:42 us=358374 client-1/85.249.23.37:23563 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2024-11-12 11:13:42 us=359163 client-1/85.249.23.37:23563 SENT CONTROL [client-1]: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 195.98.64.65,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1)
2024-11-12 11:13:42 us=369605 client-1/85.249.23.37:23563 PUSH: Received control message: 'PUSH_REQUEST'

I'm pretty sure there's something wrong with routing, but I can't figure out what.

Thanks!

option masq '1' is not necessary for an openvpn server, better remove that

Are you testing from outside e.g. with your phone on cellular?

Thanks! I removed the option. But it didn't help.

Yeah, I'm trying to test from my phone turning wifi off.

I assume you are testing the openvpn connection by browsing, right? Have you tried pinging the router wan IP or 8.8.8.8 from the client?

If it doesn't work, delete the vpn zone and vpn_forwarding_wan and add list device 'tun+' to the lan firewall zone to see if it makes a difference.

This looks like a private resolver serving only certain ISP subnets. You put it everywhere, even where it's not needed (eg the lan interface). Is it accessible from the Freedom interface or from the main wan?

For test purposes try pushing a public resolver to the vpn client.

Wow, thanks! Changing DNS actually helped. It didn't occur to me that this ISP's resolver is private.

Changed it and it works like a charm.

push 'dhcp-option DNS 8.8.8.8'

P.S. I added this private DNS everywhere because initially the router didn't resolve the ISP's L2TP gateway for some reason.

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.