OpenVPN issue/question

Back to my problem ...

On my 'old' router - a WNDR3700 - I had OpenVPN running under OpenWRT 12.09. The R7800 is an upgraded router/upgraded firmware.

My WNDR3700 had a virtually identical set of config files - I added new auth/cipher.

Going into my old router, the only changes I see are:
the NEW router has a Network Interface set up called VPN which is set up in /etc/config/network as:

config interface 'vpn'
	option ifname 'tun0'
	option proto 'none'

But has no other 'vpn' 'stuff' that I can find.

The OLD router's firewall.user reads:

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Main OpenVPN server (in router)
iptables -t nat -A prerouting_wan -p udp --dport 1194 -j ACCEPT
iptables -A input_wan -p udp --dport 1194 -j ACCEPT

iptables -I INPUT -i tun+ -j ACCEPT
iptables -I FORWARD -i tun+ -j ACCEPT
iptables -I OUTPUT -o tun+ -j ACCEPT
iptables -I FORWARD -o tun+ -j ACCEPT

The current router has NO firewall.user entries.

So, there seem to be 3 differences, and I don't have the knowledge to fix the issue.

  1. The new machine has a Network Interface and I don't know what to do with/about it - I followed a set of instructions to put it there
  2. The new machine seems to throw an error pushing the route -add command which should have given me an IP in my home network
  3. My new machine doesn't have the firewall.user settings (which in theory allowed my VPN to work) and I don't know how to translate those to the new 'lingo' of the new router settings; compound that with the advice here that I don't need this at all.

I'm happy to start over (even blanking the router) to get this to work. My problem is that most of the howto's are outdated or written so that I can't follow them. I'm happy to edit any file in nano and follow a script.

Help?

Andrew

uci set firewall.@zone[0].device="tun+"
uci -q delete firewall.vpn
uci set firewall.vpn="rule"
uci set firewall.vpn.name="Allow-OpenVPN"
uci set firewall.vpn.src="wan"
uci set firewall.vpn.dest_port="1194"
uci set firewall.vpn.proto="udp"
uci set firewall.vpn.target="ACCEPT"
uci commit firewall
service firewall restart

Just copy-paste the code and you will get it.
What is the problem?

vgaetara,

Thanks for your reply. You have ignored the tun+ commands, which I think were as important as the 1194 port accept.

Do I need the tun+ 'stuff' too?

Andrew

A more efficient method to achieve the same result is assigning the VPN interface to the LAN zone.

Thanks for this. OpenVPN client for Android does support TAP without root and is advertised as such (but I believe they are actually using TUN with funky routing scripts to create a TAP experience)

According to this article, OpenVPN on Android does not support tap.


Still no client to client.

I have OpenVPN correctly installed.

Could someone post a server/client config which allows me to browse shares inside my home network along with any Network/Interface, firewall or other settings.

I'm getting piecemeal advice which I'm following, but still no success.

Thanks.

Andrew

You obviously do not have the skill to configure it yourself from scratch.
So, could you explain why you are ignoring the working and tested guide?

I have configured it from scratch in the past. I've had it working for 5 years untouched - and forgotten a lot during the interim.

I need a 'simplified' installation, which includes not using password/secrets because I am also connecting Yealink deskphones which don't support certain features.

I'm also generating my certificates on a separate linux machine, so some of the guide also doesn't work.

So, what I'll do is use the first part of the guide (firewall setup), and rejigger the conf file based on what the howto would generate.

Not a lot that I can see which is different in the howto versus what I have set up. I'll look to see what the exact differences are (topology subnet is one difference).

Andrew

Please post the latest versions of the following files:

/etc/config/network
/etc/config/firewall
/etc/firewall.user
/etc/config/openvpn
the client side vpn config file

and also how you are testing the connectivity (is it from within the LAN or outside the LAN such as cellular or a remote network; what device(s) are you using to test connectivity, have you tried simple ping or trace route tests, etc.).


The firewall config is inside of the guide, feel free to use it.
If you still experience issues, provide troubleshooting information.
Follow the guide troubleshooting section.

That explains why your configuration has at least 4 attack vectors:

  • MITM - missing proper EKU-check, ns-cert-type is deprecated
  • VORACLE - comp-lzo, deprecated
  • DoS/TLS/Privacy - missing tls-crypt or tls-auth
  • Resource exhaustion - log and log-append

psherman - here we go:

Contents of /etc/config/firewall:

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option src_dport 'XXXX'
	option dest_ip '192.168.40.29'
	option dest_port 'XXXX'
	option name 'PortKnock1'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option src_dport 'AAAA'
	option dest_ip '192.168.40.29'
	option dest_port 'AAAA'
	option name 'PortKnock2'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option src_dport 'CCCC'
	option dest_ip '192.168.40.29'
	option dest_port 'CCCC'
	option name 'PortKnock3'
# ( and then more port knocking)
config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp udp'
	option src_dport '4569'
	option dest_ip '192.168.40.29'
	option dest_port '4569'
	option name 'IAX2'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp udp'
	option src_dport '5060-5069'
	option dest_ip '192.168.40.29'
	option dest_port '5060-5069'
	option name 'SIP to PBX'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp udp'
	option src_dport '15001-20000'
	option dest_ip '192.168.40.29'
	option dest_port '15001-20000'
	option name 'RTP to SIP'

config zone
	option name 'GUEST'
	option forward 'REJECT'
	option output 'ACCEPT'
	option network 'Guest'
	option input 'REJECT'

config rule
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '53'
	option name 'Guest DNS'
	option src 'GUEST'

config rule
	option enabled '1'
	option target 'ACCEPT'
	option dest_port '67-68'
	option name 'Guest DHCP'
	option proto 'udp'
	option src 'GUEST'

config rule
	option name 'Allow-OpenVPN'
	option src 'wan'
	option dest_port '1194'
	option proto 'udp'
	option target 'ACCEPT'

contents of /etc/config/network:

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdad:e3f1:7851::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth1.1'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.40.1'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '5 0t'

config interface 'Guest'
	option type 'bridge'
	option proto 'static'
	option ipaddr '192.168.45.1'
	option netmask '255.255.255.0'

config interface 'VPN'
	option ifname 'tun0'
	option proto '

contents of /etc/firewall.user

  • there are no entries

OpenVPN is called from rc.local via:

openvpn /etc/openvpn/openvpn.conf >/dev/null 2>&1 &

Contents of /etc/openvpn/openvpn.conf (at present):

mode server
tls-server
port 1194
proto udp
dev tun
cipher AES-256-CBC
auth SHA256
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh2048.pem
server 10.0.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 192.168.40.1"
push "route 192.168.40.0 255.255.255.0"
client-to-client
comp-lzo
persist-key
persist-tun
verb 3
keepalive 20 60
log /etc/openvpn/openvpn.log
log-append /etc/openvpn/openvpn.log

Client .conf file:

client
persist-tun
persist-key
cipher AES-256-CBC
auth SHA256
tls-client
ns-cert-type server
remote MYDDNSADDRESS
nobind
port 1194
proto udp
dev tun
comp-lzo
verb 3
ca ca.crt
cert LapTop_01.crt
key Laptop_01.key

local network is 192.168.40.x. router is .1

Presently trying to connect via OpenVPN on iPhone with wifi turned off (cellular only). whatismyip.com reports non-home IP in use on phone.
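An added example, not code from the thread or from the OpenVPN project: a small Python linter that checks an OpenVPN config for the four weaknesses vgaetera listed (missing EKU check with deprecated ns-cert-type, comp-lzo/VORACLE, no tls-crypt or tls-auth, file logging on the router) and produces a hardened copy beside the original. The embedded server and client configs are trimmed from the ones posted in this reply; the key path /etc/openvpn/tc.key is an assumed name, and the tls-crypt key would have to be generated once and copied to every peer before the hardened config is usable.

```python
"""Added example, not code from the thread or from OpenVPN: lint an OpenVPN
config for the four weaknesses listed above (missing EKU check, compression/
VORACLE, no tls-crypt/tls-auth, file logging) and emit a hardened copy.
SERVER_CONF/CLIENT_CONF are trimmed from the configs posted in this thread;
/etc/openvpn/tc.key is an assumed file name."""
import shlex

SERVER_CONF = """\
mode server
tls-server
port 1194
proto udp
dev tun
cipher AES-256-CBC
auth SHA256
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh2048.pem
server 10.0.0.0 255.255.255.0
push "route 192.168.40.0 255.255.255.0"
client-to-client
comp-lzo
keepalive 20 60
log /etc/openvpn/openvpn.log
log-append /etc/openvpn/openvpn.log
"""

CLIENT_CONF = """\
client
tls-client
ns-cert-type server
remote MYDDNSADDRESS
nobind
proto udp
dev tun
comp-lzo
ca ca.crt
cert LapTop_01.crt
key Laptop_01.key
"""

def parse_openvpn(text):
    """Return [(directive, [args])]; '#'/';' comments and blank lines are dropped,
    quoted arguments such as push "route ..." stay a single argument."""
    conf = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':
            continue
        parts = shlex.split(line, comments=True)
        if parts:
            conf.append((parts[0], parts[1:]))
    return conf

def has(conf, name):
    return any(d == name for d, _ in conf)

def lint(conf):
    """Return one finding per weakness present; [] means all four checks pass."""
    findings = []
    if (has(conf, 'client') or has(conf, 'tls-client')) and not has(conf, 'remote-cert-tls'):
        msg = 'MITM: client does not require the server EKU; add "remote-cert-tls server"'
        if has(conf, 'ns-cert-type'):
            msg += ' (ns-cert-type is deprecated and only checks the obsolete nsCertType extension)'
        findings.append(msg)
    if has(conf, 'comp-lzo') or any(d == 'compress' and a and a[0] not in ('stub', 'stub-v2')
                                    for d, a in conf):
        findings.append('VORACLE: compression enabled; remove comp-lzo/compress')
    if not any(has(conf, d) for d in ('tls-auth', 'tls-crypt', 'tls-crypt-v2')):
        findings.append('DoS/TLS/Privacy: control channel is unauthenticated; add tls-crypt (or tls-auth)')
    if has(conf, 'log') or has(conf, 'log-append'):
        findings.append('Resource exhaustion: log/log-append grow a file on router flash; use syslog instead')
    return findings

DROP = {'comp-lzo', 'compress', 'log', 'log-append', 'ns-cert-type'}

def harden(conf, tls_crypt_key='/etc/openvpn/tc.key'):
    """Return a copy that passes lint().  The tls-crypt key (assumed path) must be
    generated once with openvpn --genkey and copied to every peer."""
    fixed = [(d, a) for d, a in conf if d not in DROP]
    if has(conf, 'client') or has(conf, 'tls-client'):
        fixed.append(('remote-cert-tls', ['server']))
    if not any(d in ('tls-auth', 'tls-crypt', 'tls-crypt-v2') for d, _ in fixed):
        fixed.append(('tls-crypt', [tls_crypt_key]))
    return fixed

def render(conf):
    """Serialise back to OpenVPN syntax, double-quoting arguments with spaces."""
    return '\n'.join(' '.join([d] + [f'"{x}"' if ' ' in x else x for x in a])
                     for d, a in conf) + '\n'

if __name__ == '__main__':
    for label, text in (('server', SERVER_CONF), ('client', CLIENT_CONF)):
        conf = parse_openvpn(text)
        print(f'--- {label}: {len(lint(conf))} finding(s)')
        for f in lint(conf):
            print(' *', f)
        print(render(harden(conf)))
```

Run it against your own files with `parse_openvpn(open(path).read())`; the server side only needs the tls-crypt line added and the compression and log lines removed, while the client additionally needs `remote-cert-tls server` in place of `ns-cert-type server`. The same key file must be present on both ends, otherwise the control channel will not come up at all.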

Here are a few things to look at:

Not sure if the proto line was truncated when you posted, but it should be:
option proto 'none'

You do not have a firewall zone for your VPN, and therefore no forwarding configured... try something like this:

config zone
	option name 'vpn'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option network 'vpn'

config forwarding
	option dest 'wan'
	option src 'vpn'

config forwarding
	option dest 'lan'
	option src 'vpn'

Then try to connect using your iPhone (on cellular) and see if you have connectivity.
If you don't already have a network utility app with trace route and/or ping utilities on your iPhone, check the app store -- there are a bunch of good options (I really like Scanny and Nice Trace). Ping or trace route the following to test connectivity:

  1. Network gateway on the VPN side (192.168.40.1 in your case)
  2. An IP address on your LAN (something on 192.168.40.0/24)
  3. An IP address on the internet (maybe 8.8.8.8)
  4. A domain name on the internet (say google.com).

EDIT: Also, you should remove your comp-lzo directive, at least while you are debugging. If you wish to use compression, see this article (comp-lzo has been deprecated)

EDIT 2: in the /etc/config/network file, you should also change your VPN network to lowercase (vpn) -- I'm not sure if it really matters, but it is a standard thing for the networks to be lowercase.
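An added example, not code from the thread or from OpenWrt: a Python parser for the UCI syntax of /etc/config/firewall plus a check that walks through the diagnosis above, i.e. is the OpenVPN port accepted from wan, is the tun interface in any zone, and can that zone forward to lan. It also accepts the earlier suggestion of simply listing the VPN interface (or a `tun+` device) in the lan zone. The sample config is trimmed from the firewall posted above; the assumption that an unset zone `input`/`forward` defaults to REJECT follows fw3's documented zone defaults.

```python
"""Added example, not from the thread or from OpenWrt: parse /etc/config/firewall
(UCI syntax) and check whether an OpenVPN tun interface can reach the LAN.
The sample configs are trimmed from the firewall posted in this thread."""
import shlex

def parse_uci(text):
    """Return a list of section dicts: '.type', '.name' (None if anonymous),
    options as strings, 'list' entries accumulated into Python lists."""
    sections = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        try:
            parts = shlex.split(line)
        except ValueError as e:            # e.g. a truncated "option proto '" line
            raise ValueError(f"line {n}: {e}: {line!r}") from None
        kind, rest = parts[0], parts[1:]
        if kind == 'config':
            sections.append({'.type': rest[0], '.name': rest[1] if len(rest) > 1 else None})
        elif kind == 'option' and sections:
            sections[-1][rest[0]] = rest[1] if len(rest) > 1 else ''
        elif kind == 'list' and sections:
            sections[-1].setdefault(rest[0], []).append(rest[1] if len(rest) > 1 else '')
    return sections

def _words(value):
    """UCI allows both option x 'a b' and repeated list x entries for multi-values."""
    return value if isinstance(value, list) else value.split()

def check_vpn_firewall(fw, iface='vpn', dev='tun0', port='1194', proto='udp'):
    """Return a list of problems; [] means the router accepts the OpenVPN port
    from wan and forwards traffic from the tun interface's zone to 'lan'."""
    problems = []
    def accepts_port(r):
        return (r.get('src') == 'wan' and 'dest' not in r and r.get('target') == 'ACCEPT'
                and proto in _words(r.get('proto', 'tcp udp')) and r.get('dest_port') == port)
    if not any(accepts_port(r) for r in fw if r['.type'] == 'rule'):
        problems.append(f"no rule accepting {proto}/{port} from wan: clients cannot even connect")
    def covers(z):                          # zone lists the network, or a device like tun+ matches
        devs = _words(z.get('device', ''))
        return iface in _words(z.get('network', '')) or any(
            d == dev or (d.endswith('+') and dev.startswith(d[:-1])) for d in devs)
    zone = next((z for z in fw if z['.type'] == 'zone' and covers(z)), None)
    if zone is None:
        problems.append(f"'{iface}'/{dev} belongs to no zone: the default forward policy applies "
                        "and VPN clients reach only the router itself")
        return problems
    name = zone.get('name')
    if zone.get('input', 'REJECT') != 'ACCEPT':      # assumed fw3 default: REJECT when unset
        problems.append(f"zone '{name}' input is not ACCEPT: the pushed DNS on the router is unreachable")
    if name == 'lan':                                # same zone: intra-zone 'forward' policy decides
        if zone.get('forward', 'REJECT') != 'ACCEPT':
            problems.append("tun shares zone 'lan' but intra-zone forward is not ACCEPT")
    elif not any(s['.type'] == 'forwarding' and s.get('src') == name and s.get('dest') == 'lan'
                 for s in fw):
        problems.append(f"no 'config forwarding' from zone '{name}' to 'lan'")
    return problems

# Constructed sample input, trimmed from the posted /etc/config/firewall.
BASE = """
config zone
    option name 'lan'
    option input 'ACCEPT'
    option forward 'ACCEPT'
    option network 'lan'

config zone
    option name 'wan'
    option input 'REJECT'
    option forward 'REJECT'
    option network 'wan wan6'

config forwarding
    option src 'lan'
    option dest 'wan'
"""
OPENVPN_RULE = """
config rule
    option name 'Allow-OpenVPN'
    option src 'wan'
    option dest_port '1194'
    option proto 'udp'
    option target 'ACCEPT'
"""
VPN_ZONE = """
config zone
    option name 'vpn'
    option input 'ACCEPT'
    option forward 'REJECT'
    option network 'vpn'

config forwarding
    option src 'vpn'
    option dest 'lan'
"""

if __name__ == '__main__':
    for label, cfg in (('before', BASE + OPENVPN_RULE), ('after', BASE + OPENVPN_RULE + VPN_ZONE)):
        print(label, check_vpn_firewall(parse_uci(cfg)) or 'OK')
```

Before the zone is added the only finding is that tun0 is in no zone, which matches the symptom of reaching 192.168.40.1 but nothing behind it; with the zone and forwarding in place, or with `option network 'lan vpn'` on the lan zone instead, the check passes. The parser also turns the truncated `option proto '` line from the posted network file into a ValueError naming the line, rather than silently skipping it.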

psherman,

I added the code block to /etc/config/firewall. Hopefully it doesn't go in /etc/config/network
The code was truncated and 'none' was present.

Andrew

Yes, the code block I provided was for /etc/config/firewall.

Don't forget to restart the firewall and network (/etc/init.d/network restart; /etc/init.d/firewall restart), or just restart the whole router if you want.

The best I'm able to get is a connection from outside to the router (192.168.40.1) and I can make changes to the openwrt settings (ie I'm in).

I can't get past the router, however, into the rest of the network.

I think I'm going to blank out all of my VPN-based changes and follow the edited howto (ie no 'stuff' which my phone system won't support) and see if I get access.

I'll archive all the files used up to now so that I could go back.

I'll keep everyone apprised. Given I'm moving from a working system and only changing ciphers (and getting a much faster router), this really shouldn't be so hard.

Andrew

So I started working from the openvpn/basic page. I removed all the key/client generation.

My openvpn conf file now reads:

mode server
verb 3
# user nobody
# group nobody
dev tun
port 1194
server 10.0.0.0 255.255.255.0
proto udp
topology subnet
keepalive 10 120
persist-tun
persist-key
push "dhcp-option DNS 192.168.40.1"
push "dhcp-option DOMAIN lan"
push "redirect-gateway def1"
push "persist-tun"
push "persist-key"
cipher BF-CBC
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh2048.pem
push "redirect-gateway def1"
client-to-client
comp-lzo
log /etc/openvpn/openvpn.log
log-append /etc/openvpn/openvpn.log

I set the firewall file to include

config rule 'vpn'
        option name 'Allow-OpenVPN'
        option src 'wan'
        option dest_port '1194'
        option proto 'udp'
        option target 'ACCEPT'

Restarting OpenVPN lets me connect from my phone and read local shares, config the PBX from its webpage, etc.

Several things seem 'off', however:

  1. I don't have any settings in my interface for the VPN - which most other guides seem to require. So there is no 'tun' configured in the /etc/config/network file.

  2. The lines "user nobody" and "group nobody" cause OpenVPN to error out and crash; I've commented them out and I guess I'm running at as root. Changes?

I don't yet know if I will be able to connect the phones and configure them remotely (ie they have an accessible IP in the 192.168.40 range) - we'll see.

Is there any reason to amend the openvpn conf file with any additional commands?
Is there any reason to amend the network or firewall settings?
Where should I go to look for speed up/optimization settings which aren't yet included?

Thanks again.

Andrew

Why are you using group nobody instead of nogroup?

I had some typos in my last reply. My cut and paste skills drop off after a long day - I'm actually using a different cipher and my auth statement is different. Everything is working - including using the laptop tethered to my cell and OpenVPN running on the laptop (on the cell standalone it works as well).

As a lark I streamed a 720p movie from my Samba drive and it didn't skip a frame (for the 3 minute test).

I'll add that I'll try editing the group/nobody lines and see if they fire off correctly.

Again, where should I look for optimizing the VPN? I will have at most 2 users moving any volume (more likely 1).

Thanks.

Andrew

It's a bit outside of this forum scope, better ask on https://forums.openvpn.net/.