OpenVPN issue/question

I have installed OpenVPN on my R7800 (Nighthawk) router; I'm running OpenWrt 18.06.2, r7676-cddd7b4c77 and OpenVPN version is OpenVPN 2.4.5 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] library versions: OpenSSL 1.0.2q 20 Nov 2018, LZO 2.10

My local network is 192.168.40.X and .1 is the router

I'd like to have the VPN machine connect to my home network and be able to browse/share resources - this is how it has always worked, but now I connect, but can't access any local machine.

I believe my problem is within the router settings for networking, etc. (I'll get to that at the end).

My Server Config file reads:

mode server
tls-server
port 1194
proto udp
dev tun
cipher AES-256-CBC
auth SHA256
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh2048.pem
server 10.0.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 192.168.40.1"
client-to-client
comp-lzo
persist-key
persist-tun
verb 3
keepalive 20 60
log /etc/openvpn/openvpn.log
log-append /etc/openvpn/openvpn.log

My laptop's config file reads:

client
persist-tun
persist-key
cipher AES-256-CBC
auth SHA256
tls-client
ns-cert-type server
remote MYREMOTEDDNSADDRESS
nobind
port 1194
proto udp
dev tun
comp-lzo
verb 3
ca ca.crt
cert LapTop_01.crt
key Laptop_01.key

In the VPN log file (openvpn.log) I show all the connection info and that the remote machine has been assigned 10.0.0.6 (for example).

In my "Network", "Interfaces" I have an interface called VPN which shows up with "Error: Network device not present"
Under "Physical Settings" it is 'tun0'
Under "Firewall Settings" it has an icon showing lan: 3 icons vpn: 1 icon (I don't know what these icons are).

I don't know/remember any other settings

/etc/config/network has this set of lines
config interface 'vpn'
option ifname 'tun0'
option proto 'none'

Here's what I'd like -
the remote machine to have a 192.168.40.x address (if possible) and to be able to grab files/use resources on the network. For example, the file server is 192.168.40.28/Workfiles - I should be able to save/retrieve/etc.

I don't need all traffic to be pushed through the home machine when I browse; it's likely much slower to do that, so I don't care. If it does, so be it (I only use the VPN to make config changes on the router/server/retrieve and save files while working).

All of this worked perfectly on my old DDWRT router. I upgraded for better throughput and Wifi speed. My config files are virtually identical (except in the locations I'm apparently not looking).

So, what am I doing wrong?

Andrew

You shouldn't have the issue if you follow the guide:

uci show firewall

Your vpn configuration needs to be a tap and not tun, so that your vpn connection will be a bridge to your main network. Your existing configuration has created another subnet 10.0.0.x in the router. IP stuff should work fine, but do not expect things like Bonjour or network discovery to work, as it must be in the same subnet.

I disagree with this entirely. There are a lot of reasons to use tun over tap, but I'm not going to get into those here. I use TUN and have full access to the network behind my OpenVPN server.

Assuming that there are no firewall issues, the one major thing missing is in the server config...
add the following to your OpenVPN server config file so that your remote device(s)' routing table is updated with the correct route for the LAN on the server side:
push "route 192.168.40.0 255.255.255.0"

EDIT: changed the quote style in the push directive.

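As an added example that is not part of this thread: a small checker that reads a tun server config and reports the two things that leave a client unable to reach the server-side LAN, a missing push "route" for the LAN and a tunnel subnet that overlaps it. It assumes the LAN is 192.168.40.0/24; SERVER_CONF is a constructed, cut-down copy of the server config above with the push "route" line added.

```python
"""Check that an OpenVPN tun server config lets clients route to the LAN behind the server.
Added example, not from this thread; assumes LAN 192.168.40.0/24. SERVER_CONF is a
constructed cut-down copy of the thread's server config with the push "route" line added."""
import ipaddress
import shlex

SERVER_CONF = """\
port 1194
proto udp
dev tun
server 10.0.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 192.168.40.1"
push "route 192.168.40.0 255.255.255.0"
client-to-client
"""

def parse_config(text):
    """Split a config into directives; OpenVPN quotes arguments the way a shell does."""
    lines = (raw.split("#", 1)[0].strip() for raw in text.splitlines())
    return [shlex.split(line) for line in lines if line and not line.startswith(";")]

def pushed_routes(directives):
    """Networks the server pushes to clients via push "route <net> <mask>"."""
    routes = []
    for d in directives:
        if d[0] == "push" and len(d) > 1:
            inner = shlex.split(d[1])  # the quoted string is itself a directive
            if len(inner) >= 3 and inner[0] == "route":
                routes.append(ipaddress.ip_network(f"{inner[1]}/{inner[2]}", strict=False))
    return routes

def check_lan_reachable(conf_text, lan_cidr):
    """Return a list of problems; empty means a client gets a route to the LAN."""
    lan = ipaddress.ip_network(lan_cidr)
    directives = parse_config(conf_text)
    problems = []
    server = next((d for d in directives if d[0] == "server" and len(d) >= 3), None)
    if server is None:
        problems.append('no "server <net> <mask>" directive: clients get no tunnel address')
    else:
        tunnel = ipaddress.ip_network(f"{server[1]}/{server[2]}", strict=False)
        if tunnel.overlaps(lan):  # a client cannot route to a LAN that is also its tunnel
            problems.append(f"tunnel subnet {tunnel} overlaps LAN {lan}: routing conflict")
    if not any(lan.subnet_of(route) for route in pushed_routes(directives)):
        problems.append(f'no push "route" covering {lan}: clients have no route to the LAN')
    return problems
```

Run it against the real /etc/openvpn/server.conf by passing its contents as conf_text; a wish for clients to get a 192.168.40.x address by setting the tunnel to that subnet is exactly what the overlap check flags.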

My current .conf file mimics the old, working file with new Auth and ciphers - I'm missing something.

Added the push "route ... " line; did not change anything else.
I didn't get access to local shares.

The log at startup reads:
OpenVPN 2.4.5 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
library versions: OpenSSL 1.0.2q 20 Nov 2018, LZO 2.10
NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you co$
Diffie-Hellman initialized with 2048 bit key
TUN/TAP device tun0 opened
TUN/TAP TX queue length set to 100
do_ifconfig, tt->did_ifconfig_ipv6_setup=0
/sbin/ifconfig tun0 10.0.0.1 pointopoint 10.0.0.2 mtu 1500
/sbin/route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.0.0.2
route: SIOCADDRT: File exists
ERROR: Linux route add command failed: external program exited with error status: 1
Could not determine IPv4/IPv6 protocol. Using AF_INET
Socket Buffers: R=[163840->163840] S=[163840->163840]
TCP/UDP: Socket bind failed on local address [AF_INET][undef]:1194: Address in use (errno=98)
Exiting due to fatal error
Closing TUN/TAP interface
/sbin/ifconfig tun0 0.0.0.0

The client does connect even though the log seems to say otherwise.

What is the route -add error?

So, what is still wrong, and what networking issues might I still have that are blocking me out?

Thanks so much for the help.

Do I need to add this line:

iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE

and if so, where/how?

Andrew

Those sorts of lines, if/when needed, typically get added to the /etc/firewall.user file. You can also run those kinds of lines directly on the command line, but if you do, that rule will get wiped out the next time you reload the firewall or reboot the router.

How are you testing your connection? What is the IP address of your laptop prior to making the OpenVPN connection?

Can you get into this here? Currently utilize both.

No, there's no need for masquerading.
And no need for raw iptables commands either.

Sure... I have 3 major reasons for selecting TUN over TAP:

  1. platform support. TAP is not supported on iOS and IIRC also Android (possibly other platforms, too). TUN is supported on all platforms that have OpenVPN.
  2. Efficiency/overhead. Since TAP is essentially an L2 'extension' of your network, it becomes part of the same broadcast domain, which means that all of the LAN broadcast traffic traverses the tunnel. Most of the time this is not just unnecessary, but also wasteful of bandwidth.
  3. OpenVPN, as a collective (the developers) recommend TUN in most cases. TAP really is more of a hack that the team put into place to satisfy some rare situations that really can't be L3 routed, such as non-IP traffic. That said, I'm having difficulty finding an article to support that, so it is possible I'm wrong about this point.

For the general pros/cons of each, OpenVPN has a support page


Back to my problem ...

On my 'old' router - a WNDR3700 - I had OpenVPN running under OpenWRT 12.09. The R7800 is an upgraded router/upgraded firmware.

My WNDR3700 had a virtually identical set of config files - I added new auth/cipher.

Going into my old router, the only changes I see are:
the NEW router has a Network Interface set up called VPN which is set up in /etc/config/network as:

config interface 'vpn'
option ifname 'tun0'
option proto 'none'

But has no other 'vpn' 'stuff' that I can find.

The OLD router's firewall.user reads:

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Main OpenVPN server (in router)
iptables -t nat -A prerouting_wan -p udp --dport 1194 -j ACCEPT
iptables -A input_wan -p udp --dport 1194 -j ACCEPT

iptables -I INPUT -i tun+ -j ACCEPT
iptables -I FORWARD -i tun+ -j ACCEPT
iptables -I OUTPUT -o tun+ -j ACCEPT
iptables -I FORWARD -o tun+ -j ACCEPT

The current router has NO firewall.user entries.

So, there seems to be 3 differences, and I don't have the knowledge to fix the issue.

  1. The new machine has a Network Interface and I don't know what to do with/about it - I followed a set of instructions to put it there
  2. The new machine seems to throw an error pushing the route -add command which should have given me an IP in my home network
  3. My new machine doesn't have the firewall.user settings (which in theory allowed my VPN to work) and I don't know how to translate those to the new 'lingo' of the new router settings; compound that with the advice here that I don't need this at all.

I'm happy to start over (even blanking the router) to get this to work. My problem is that most of the howto's are outdated or written so that I can't follow them. I'm happy to edit any file in nano and follow a script.

Help?

Andrew

uci set firewall.@zone[0].device="tun+"
uci -q delete firewall.vpn
uci set firewall.vpn="rule"
uci set firewall.vpn.name="Allow-OpenVPN"
uci set firewall.vpn.src="wan"
uci set firewall.vpn.dest_port="1194"
uci set firewall.vpn.proto="udp"
uci set firewall.vpn.target="ACCEPT"
uci commit firewall
service firewall restart

Just copy-paste the code and you will get it.
What is the problem?

vgaetara,

Thanks for your reply. You have ignored the tun+ commands, which I think were as important as the 1194 port accept.

Do I need the tun+ 'stuff' too?

Andrew

A more efficient method to achieve the same result is assigning VPN-interface to LAN-zone.

Thanks for this. Openvpn client for Android does support TAP without root and is advertised as such (but I believe they are actually using TUN with funky routing scripts to create a TAP experience)

According to this article, OpenVPN on Android does not support tap.


Still no client to client.

I have OpenVPN correctly installed.

Could someone post a server/client config which allows me to browse shares inside my home network along with any Network/Interface, firewall or other settings.

I'm getting piecemeal advice which I'm following, but still no success.

Thanks.

Andrew

You obviously do not have the skill to configure it yourself from scratch.
So, could you explain why you are ignoring the working and tested guide?

I have configured it from scratch in the past. I've had it working for 5 years untouched - and forgotten a lot during the interim.

I need a 'simplified' installation, which includes not using password/secrets because I am also connecting Yealink deskphones which don't support certain features.

I'm also generating my certificates on a separate linux machine, so some of the guide also doesn't work.

So, what I'll do is use the first part of the guide (firewall setup), and rejigger the conf file based on what the howto would generate.

Not a lot that I can see which is different in the howto versus what I have set up. I'll look to see what the exact differences are (topology subnet is one difference).

Andrew