OpenVPN interface - only has TX no RX

Hi all

I have a problem setting up a router (OpenWRT) with OpenVPN (ExpressVPN): the tunnel interface only shows TX traffic, no RX.

Here is the situation

WAN <-- Router A (192.168.1.1) <-- Router B (192.168.2.1). I am setting up a new Router C (OpenWRT with OpenVPN, 192.168.3.1) attached to Router B.

here is my configuration

Router C
/etc/config/network

# Router C network definition: loopback, a static LAN, a DHCP WAN on eth0,
# and an unmanaged placeholder interface for the OpenVPN tunnel device.
config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd60:3dfa:5969::/48'

# LAN side, 192.168.3.1/24. No ifname is set in this section; the ifconfig
# output in the post shows this address on wlan0.
config interface 'lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.3.1'
	option force_link '0'
	option delegate '0'

config device 'lan_eth0_dev'
	option name 'eth0'
	option macaddr '60:32:b1:06:cf:74'

# Uplink towards Router B: a DHCP client on eth0 (the post's ifconfig shows
# 192.168.2.118 on eth0, i.e. an address from Router B's subnet).
config interface 'wan'
	option proto 'dhcp'
	option hostname 'OpenWrt'
	option ifname 'eth0'
	option delegate '0'

# proto 'none' means netifd does not configure addresses here; the section
# only gives tun0 a logical name so the firewall zone can list 'OVPN_I'.
# OpenVPN itself creates and addresses tun0.
config interface 'OVPN_I'
	option proto 'none'
	option delegate '0'
	option ifname 'tun0'

firewall configuration
/etc/config/firewall


# Global policy plus the lan and wan zones and the lan -> wan forwarding.
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

# Trusted side: everything from the LAN to the router and between LAN hosts
# is accepted.
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

# Untrusted uplink: unsolicited input and forwarding are rejected and
# outgoing traffic is masqueraded.
# NOTE(review): 'wan6' is listed here but no 'wan6' interface appears in the
# posted /etc/config/network.
config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan6'
	list network 'wan'

# LAN clients may go out through the plain WAN. This stays in effect next to
# the lan -> OVPN_FW forwarding further down, so whenever the tunnel (and its
# pushed routes) is down, LAN traffic leaves unencrypted via eth0. Drop this
# forwarding if traffic must never bypass the VPN.
config forwarding
	option src 'lan'
	option dest 'wan'

# Per-service exceptions for the wan zone. Every rule below has src 'wan', so
# none of them matches traffic that arrives on the tunnel (zone OVPN_FW).
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# The next two rules forward IPsec (ESP and UDP/500) from wan into the lan
# zone; they are unrelated to the OpenVPN tunnel.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# Custom rules loaded from a separate script; its contents are not shown in
# the post.
config include
	option path '/etc/firewall.user'

# Zone for the tunnel (network 'OVPN_I' = tun0), treated like an untrusted
# uplink: unsolicited input and forwarding from the VPN side are rejected and
# LAN traffic is masqueraded behind the tunnel address.
# input/forward 'REJECT' only affects new connections initiated from the VPN
# side; replies to connections opened by the router or by LAN clients are
# accepted through connection tracking. Interface RX counters are also
# incremented before the firewall sees a packet, so these policies would not
# by themselves produce "RX packets:0" on tun0.
config zone
	option name 'OVPN_FW'
	option forward 'REJECT'
	option output 'ACCEPT'
	option input 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'OVPN_I'

# LAN clients may send traffic out through the tunnel.
config forwarding
	option dest 'OVPN_FW'
	option src 'lan'

OpenVPN configuration
/etc/config/openvpn

# OpenVPN client instance: UDP to a single redacted remote on port 1195,
# certificate plus username/password authentication, tls-auth, device tun0.
config openvpn 'sample_client'
	# 'client' already implies 'pull' and 'tls_client', which are set again
	# further down.
	option client '1'
	option proto 'udp'
	option resolv_retry 'infinite'
	option nobind '1'
	# persist_key/persist_tun keep the key material and the tun device across
	# restarts, which is needed because privileges are dropped to 'nobody'
	# after start-up.
	option persist_key '1'
	option persist_tun '1'
	option user 'nobody'
	option cert '/etc/openvpn/client.crt'
	# Private key: keep it readable by root only.
	option key '/etc/openvpn/client.key'
	# Log level; at 3 the system log shows TLS negotiation results, pushed
	# options and per-packet authenticate/decrypt errors.
	option verb '3'
	list remote 'xxx.xxx.xxx.xxx 1195'
	# File holding the VPN username and password in plain text; keep it
	# readable by root only.
	option auth_user_pass '/etc/openvpn/pws'
	option ca '/etc/openvpn/ca2.crt'
	option dev_type 'tun'
	# NOTE(review): cipher is AES-128-CBC while keysize below says 256. If
	# cipher/auth do not match what the server uses, control-channel TLS can
	# still come up while every data packet fails to decrypt, which looks
	# exactly like TX without RX on tun0 - compare both values with the
	# provider's .ovpn file.
	option cipher 'AES-128-CBC'
	# Legacy server-certificate check; newer OpenVPN releases replace it with
	# remote_cert_tls 'server'.
	option ns_cert_type 'server'
	option remote_random '1'
	option tls_client '1'
	option auth 'SHA512'
	option dev 'tun0'
	option port '1195'
	# The direction argument '1' here and key_direction '1' below state the
	# same thing twice.
	option tls_auth '/etc/openvpn/ta.key 1'
	option enabled '1'
	# Compression must match the server side - TODO confirm against the
	# provider's configuration.
	option comp_lzo 'no'
	option fast_io '1'
	# Accept options pushed by the server (the routes via tun0 in the posted
	# 'ip route' output are of the kind a server pushes).
	option pull '1'
	option keysize '256'
	option key_direction '1'
	option route_delay '2'
	option sndbuf '524288'
	option rcvbuf '524288'

ip route

/etc$ ip route
0.0.0.0/1 via 10.137.0.105 dev tun0 
default via 192.168.2.1 dev eth0  src 192.168.2.118 
10.137.0.1 via 10.137.0.105 dev tun0 
10.137.0.105 dev tun0 scope link  src 10.137.0.106 
45.61.69.49 via 192.168.2.1 dev eth0 
45.61.69.205 via 192.168.2.1 dev eth0 
45.61.76.201 via 192.168.2.1 dev eth0 
128.0.0.0/1 via 10.137.0.105 dev tun0 
192.168.2.0/24 dev eth0 scope link  src 192.168.2.118 
192.168.3.0/24 dev wlan0 scope link  src 192.168.3.1 

ifconfig

/etc$ ifconfig
eth0      Link encap:Ethernet  HWaddr 60:32:B1:06:CF:74  
          inet addr:192.168.2.118  Bcast:192.168.2.255  Mask:255.255.255.0
          inet6 addr: fe80::6232:b1ff:fe06:cf74/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:54071 errors:0 dropped:0 overruns:0 frame:0
          TX packets:32178 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:30287522 (28.8 MiB)  TX bytes:5850723 (5.5 MiB)
          Interrupt:5 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:7846 errors:0 dropped:0 overruns:0 frame:0
          TX packets:7846 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:740668 (723.3 KiB)  TX bytes:740668 (723.3 KiB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.87.0.186  P-t-P:10.87.0.185  Mask:255.255.255.255
          inet6 addr: fe80::d222:eee4:bdd5:946c/64 Scope:Link
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:10244 errors:0 dropped:27 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:0 (0.0 B)  TX bytes:1020902 (996.9 KiB)

wlan0     Link encap:Ethernet  HWaddr 60:32:B1:06:CF:74  
          inet addr:192.168.3.1  Bcast:192.168.3.255  Mask:255.255.255.0
          inet6 addr: fe80::6232:b1ff:fe06:cf74/64 Scope:Link
          inet6 addr: fd60:3dfa:5969::1/60 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:37366 errors:0 dropped:0 overruns:0 frame:0
          TX packets:35219 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:5582000 (5.3 MiB)  TX bytes:31113220 (29.6 MiB)

tun0 shows RX = 0. I would appreciate it if anyone could offer some help.

Most likely your firewall drops the incoming packets. Change your firewall rule like this:

# Suggested replacement for the OVPN_FW zone: opens the zone fully (input and
# forward ACCEPT) and adds a forwarding from the tunnel to wan.
# NOTE(review): input 'ACCEPT' lets hosts on the VPN provider's side reach
# services running on the router itself (e.g. SSH, web UI, DNS), and
# forward 'ACCEPT' plus OVPN_FW -> wan lets traffic arriving from the tunnel
# be routed out of the local uplink. A VPN *client* needs neither: replies to
# connections it opened are accepted by connection tracking even with REJECT.
# If this is used as a test, revert to REJECT afterwards.
# NOTE(review): the question's 'ip route' shows tun0 at 10.137.0.106 while
# its 'ifconfig' shows 10.87.0.186, so the tunnel was re-established between
# the two captures. Check the OpenVPN log for restarts and
# authenticate/decrypt errors before loosening the firewall; interface RX
# counters are incremented before firewall rules apply.
config zone
	option name 'OVPN_FW'
	option forward 'ACCEPT'
	option output 'ACCEPT'
	option input 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	list network 'OVPN_I'

# LAN clients may send traffic out through the tunnel (unchanged from the
# question's configuration).
config forwarding
	option dest 'OVPN_FW'
	option src 'lan'
	
# New: traffic entering from the tunnel may be forwarded out via wan.
config forwarding
	option dest 'wan'
	option src 'OVPN_FW'

Thanks, I tried that but it does not work.