OpenVPN issue/question

please post the latest versions of the following files:

/etc/config/network
/etc/config/firewall
/etc/firewall.user
/etc/config/openvpn
the client side vpn config file

and also how you are testing the connectivity (is it from within the LAN or outside the LAN, such as cellular or a remote network; what device(s) are you using to test connectivity; have you tried simple ping or traceroute tests, etc.).


The firewall config is inside of the guide, feel free to use it.
If you still experience issues, provide troubleshooting information.
Follow the guide troubleshooting section.

That explains why your configuration has at least 4 attack vectors:

  • MITM - missing proper EKU-check, ns-cert-type is deprecated
  • VORACLE - comp-lzo, deprecated
  • DoS/TLS/Privacy - missing tls-crypt or tls-auth
  • Resource exhaustion - log and log-append

psherman - here we go:

Contents of /etc/config/firewall:

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option src_dport 'XXXX'
	option dest_ip '192.168.40.29'
	option dest_port 'XXXX'
	option name 'PortKnock1'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option src_dport 'AAAA'
	option dest_ip '192.168.40.29'
	option dest_port 'AAAA'
	option name 'PortKnock2'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option src_dport 'CCCC'
	option dest_ip '192.168.40.29'
	option dest_port 'CCCC'
	option name 'PortKnock3'
# ( and then more port knocking)
config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp udp'
	option src_dport '4569'
	option dest_ip '192.168.40.29'
	option dest_port '4569'
	option name 'IAX2'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp udp'
	option src_dport '5060-5069'
	option dest_ip '192.168.40.29'
	option dest_port '5060-5069'
	option name 'SIP to PBX'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp udp'
	option src_dport '15001-20000'
	option dest_ip '192.168.40.29'
	option dest_port '15001-20000'
	option name 'RTP to SIP'

config zone
	option name 'GUEST'
	option forward 'REJECT'
	option output 'ACCEPT'
	option network 'Guest'
	option input 'REJECT'

config rule
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '53'
	option name 'Guest DNS'
	option src 'GUEST'

config rule
	option enabled '1'
	option target 'ACCEPT'
	option dest_port '67-68'
	option name 'Guest DHCP'
	option proto 'udp'
	option src 'GUEST'

config rule
	option name 'Allow-OpenVPN'
	option src 'wan'
	option dest_port '1194'
	option proto 'udp'
	option target 'ACCEPT'

contents of /etc/config/network:

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdad:e3f1:7851::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth1.1'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.40.1'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '5 0t'

config interface 'Guest'
	option type 'bridge'
	option proto 'static'
	option ipaddr '192.168.45.1'
	option netmask '255.255.255.0'

config interface 'VPN'
	option ifname 'tun0'
	option proto '

contents of /etc/firewall.user

  • there are no entries

OpenVPN is called from rc.local via:

openvpn /etc/openvpn/openvpn.conf >/dev/null 2>&1 &

Contents of /etc/openvpn/openvpn.conf (at present):

mode server
tls-server
port 1194
proto udp
dev tun
cipher AES-256-CBC
auth SHA256
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh2048.pem
server 10.0.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 192.168.40.1"
push "route 192.168.40.0 255.255.255.0"
client-to-client
comp-lzo
persist-key
persist-tun
verb 3
keepalive 20 60
log /etc/openvpn/openvpn.log
log-append /etc/openvpn/openvpn.log

Client .conf file:

client
persist-tun
persist-key
cipher AES-256-CBC
auth SHA256
tls-client
ns-cert-type server
remote MYDDNSADDRESS
nobind
port 1194
proto udp
dev tun
comp-lzo
verb 3
ca ca.crt
cert LapTop_01.crt
key Laptop_01.key

local network is 192.168.40.x. router is .1

Presently trying to connect via OpenVPN on iPhone with wifi turned off (cellular only). whatismyip.com reports non-home IP in use on phone.

Here are a few things to look at:

Not sure if the proto line was truncated when you posted, but it should be:
option proto 'none'

You do not have a firewall zone for your VPN, and therefore no forwarding configured... try something like this:

config zone
	option name 'vpn'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option network 'vpn'

config forwarding
	option dest 'wan'
	option src 'vpn'

config forwarding
	option dest 'lan'
	option src 'vpn'

Then try to connect using your iPhone (on cellular) and see if you have connectivity.
If you don't already have a network utility app with trace route and/or ping utilities on your iPhone, check the app store -- there are a bunch of good options (I really like Scanny and Nice Trace). Ping or trace route the following to test connectivity:

  1. Network gateway on the VPN side (192.168.40.1 in your case)
  2. An IP address on your LAN (something on 192.168.40.0/24)
  3. An IP address on the internet (maybe 8.8.8.8)
  4. A domain name on the internet (say google.com).

EDIT: Also, you should remove your comp-lzo directive, at least while you are debugging. If you wish to use compression, see this article (comp-lzo has been deprecated)

EDIT 2: in the /etc/config/network file, you should also change your VPN network to lowercase (vpn) -- I'm not sure if it really matters, but it is a standard thing for the networks to be lowercase.
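The points raised so far (vgaetera's four attack vectors in the server/client configs, and the missing zone and forwardings for the tun interface in this reply) can be checked mechanically before restarting anything. The script below is an added example, not code from this thread or from the OpenWrt/OpenVPN projects. It parses trimmed, constructed excerpts of the posted server config, client config, /etc/config/network and /etc/config/firewall, reports each finding, and rewrites the directives that can be fixed in place. The directive names it uses (remote-cert-tls, tls-crypt, tls-auth, log-append) are real OpenVPN options; the sample inputs and the wording of the findings are mine.

```python
import re

# Constructed excerpts of the configs posted above (trimmed to the directives the checks
# look at); they are sample input for this script, not the full files.
SERVER_CONF = """\
mode server
comp-lzo
log /etc/openvpn/openvpn.log
log-append /etc/openvpn/openvpn.log
"""
CLIENT_CONF = """\
client
ns-cert-type server
remote MYDDNSADDRESS
comp-lzo
"""
NETWORK_CONF = """\
config interface 'VPN'
\toption ifname 'tun0'
"""
FIREWALL_CONF = """\
config zone
\toption name 'lan'
\toption network 'lan'
config forwarding
\toption src 'lan'
\toption dest 'wan'
"""

def openvpn_directives(text):
    """Directive names in an OpenVPN config; '#'/';' comments and blank lines are skipped."""
    names = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            names.add(line.split()[0])
    return names

def lint_openvpn(text, role):
    """Findings in the order vgaetera listed them; role is 'server' or 'client'."""
    names, out = openvpn_directives(text), []
    if role == "client" and "remote-cert-tls" not in names:
        how = "replace ns-cert-type with" if "ns-cert-type" in names else "add"
        out.append(f"MITM: {how} 'remote-cert-tls server' (EKU check; ns-cert-type is deprecated)")
    if names & {"comp-lzo", "compress"}:
        out.append("VORACLE: remove comp-lzo/compress; compressed TLS payloads leak via length")
    if not names & {"tls-auth", "tls-crypt", "tls-crypt-v2"}:
        out.append("DoS/TLS/privacy: add tls-crypt (or tls-auth) with a pre-shared key on both ends")
    if {"log", "log-append"} <= names:
        out.append("Resource exhaustion: log and log-append both set; keep log-append and rotate it")
    return out

def harden_openvpn(text):
    """Apply the in-place fixes from lint_openvpn; tls-crypt needs a generated key, so it is left out."""
    names, out = openvpn_directives(text), []
    for line in text.splitlines():
        d = line.split()[0] if line.split() else ""
        if d == "ns-cert-type":
            out.append("remote-cert-tls server")
        elif d in ("comp-lzo", "compress") or (d == "log" and "log-append" in names):
            continue  # 'log' truncates the file on every start; 'log-append' alone is enough
        else:
            out.append(line)
    return "\n".join(out) + "\n"

def parse_uci(text):
    """[(section_type, {option: value})]; 'list' options accumulate, section names go under '.name'."""
    sections = []
    for line in text.splitlines():
        m = re.match(r"\s*(config|option|list)\s+(\S+)(?:\s+'([^']*)')?", line)
        if not m:
            continue
        kind, key, val = m.groups()
        if kind == "config":
            sections.append((key, {".name": val} if val else {}))
        elif kind == "option":
            sections[-1][1][key] = val
        else:
            sections[-1][1].setdefault(key, []).append(val)
    return sections

def lint_firewall(network_text, firewall_text, device="tun0"):
    """psherman's point: the tun interface needs a zone, and that zone needs forwardings."""
    net, fw = parse_uci(network_text), parse_uci(firewall_text)
    ifaces = {o.get(".name") for t, o in net if t == "interface" and device in (o.get("ifname"), o.get("device"))}
    if not ifaces:
        return [f"no interface in /etc/config/network binds {device}"]
    def nets(z):  # 'option network' is a space-separated string, 'list network' a list
        n = z.get("network", [])
        return set(n.split() if isinstance(n, str) else n)
    zones = [z for t, z in fw if t == "zone" and nets(z) & ifaces]
    if not zones:
        return [f"interface {sorted(ifaces)[0]} ({device}) is in no firewall zone, so its traffic is dropped"]
    out = []
    for z in zones:
        dests = {f.get("dest") for t, f in fw if t == "forwarding" and f.get("src") == z.get("name")}
        out += [f"zone {z['name']} has no forwarding to {d}" for d in ("lan", "wan") if d not in dests]
    return out

if __name__ == "__main__":
    for role, text in (("server", SERVER_CONF), ("client", CLIENT_CONF)):
        print(role, lint_openvpn(text, role))
    print("firewall", lint_firewall(NETWORK_CONF, FIREWALL_CONF))
    print(harden_openvpn(CLIENT_CONF))
```

tls-crypt is only reported, not inserted, because it needs a key generated with openvpn --genkey and copied to every client. remote-cert-tls server requires the server certificate to carry the TLS Web Server Authentication EKU, which easy-rsa sets on certificates it builds as server certs; a certificate issued without it will fail this check, which is the point of the check.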

psherman,

I added the code block to /etc/config/firewall. Hopefully it doesn't go in /etc/config/network
The code was truncated and 'none' was present.

Andrew

Yes, the code block I provided was for /etc/config/firewall.

Don't forget to restart the firewall and network (/etc/init.d/network restart; /etc/init.d/firewall restart), or just restart the whole router if you want.

The best I'm able to get is a connection from outside to the router (192.168.40.1) and I can make changes to the openwrt settings (ie I'm in).

I can't get past the router, however, into the rest of the network.

I think I'm going to blank out all of my VPN-based changes and follow the edited howto (ie no 'stuff' which my phone system won't support) and see if I get access.

I'll archive all the files used up to now so that I could go back.

I'll keep everyone apprised. Given I'm moving from a working system and only changing ciphers (and getting a much faster router), this really shouldn't be so hard.

Andrew

So I started working from the openvpn/basic page. I removed all the key/client generation.

My openvpn conf file now reads:

mode server
verb 3
# user nobody
# group nobody
dev tun
port 1194
server 10.0.0.0 255.255.255.0
proto udp
topology subnet
keepalive 10 120
persist-tun
persist-key
push "dhcp-option DNS 192.168.40.1"
push "dhcp-option DOMAIN lan"
push "redirect-gateway def1"
push "persist-tun"
push "persist-key"
cipher BF-CBC
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh2048.pem
push "redirect-gateway def1"
client-to-client
comp-lzo
log /etc/openvpn/openvpn.log
log-append /etc/openvpn/openvpn.log

I set the firewall file to include

config rule 'vpn'
        option name 'Allow-OpenVPN'
        option src 'wan'
        option dest_port '1194'
        option proto 'udp'
        option target 'ACCEPT'

Restarting OpenVPN lets me connect from my phone and read local shares, config the PBX from its webpage, etc.

Several things seem 'off', however:

  1. I don't have any settings in my interface for the VPN - which most other guides seem to require. So there is no 'tun' configured in the /etc/config/network file.

  2. The lines "user nobody" and "group nobody" cause OpenVPN to error out and crash; I've commented them out and I guess I'm running it as root. Changes?

I don't yet know if I will be able to connect the phones and configure them remotely (ie they have an accessible IP in the 192.168.40 range) - we'll see.

Is there any reason to amend the openvpn conf file with any additional commands?
Is there any reason to amend the network or firewall settings?
Where should I go to look for speed up/optimization settings which aren't yet included?

Thanks again.

Andrew

Why are you using group nobody instead of nogroup?
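On the user/group question: OpenVPN resolves both names at startup and exits if either lookup fails, which is the crash described earlier. The script below is an added example (not from this thread or from OpenVPN) that replays that lookup against constructed /etc/passwd and /etc/group excerpts shaped like an OpenWrt default install, where nobody exists as a user but the matching group is nogroup, and suggests the group that shares the user's primary gid. The file contents are an assumption for the example; run the check against the real files on the router.

```python
# Constructed /etc/passwd and /etc/group excerpts in the shape of an OpenWrt default
# install (assumption for this example: 'nobody' is a user but not a group; gid 65534 is 'nogroup').
PASSWD = """\
root:x:0:0:root:/root:/bin/ash
nobody:*:65534:65534:nobody:/var:/bin/false
"""
GROUP = """\
root:x:0:
nogroup:x:65534:
"""

def parse_db(text):
    """name -> list of fields for a passwd/group style file (one record per line)."""
    return {f[0]: f for f in (l.split(":") for l in text.splitlines()) if len(f) >= 3 and f[0]}

def directives(conf):
    """user/group values from an OpenVPN config, ignoring commented-out lines."""
    out = {}
    for line in conf.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) == 2 and parts[0] in ("user", "group"):
            out[parts[0]] = parts[1]
    return out

def check_privdrop(conf, passwd=PASSWD, group=GROUP):
    """Return (problems, suggested_group).

    Mirrors what OpenVPN does at startup: getpwnam(user) and getgrnam(group) must both
    succeed, otherwise the daemon exits. The suggestion is the group whose gid equals the
    user's primary gid in passwd, which is what the user would run as anyway.
    """
    users, groups, d = parse_db(passwd), parse_db(group), directives(conf)
    problems, suggestion = [], None
    if "user" not in d or "group" not in d:
        problems.append("user/group not both set: the daemon keeps running as root")
    u, g = d.get("user"), d.get("group")
    if u and u not in users:
        problems.append(f"user '{u}' does not exist in passwd")
    if g and g not in groups:
        problems.append(f"group '{g}' does not exist in group file")
    if u in users:
        gid = users[u][3]  # primary gid is the 4th passwd field
        suggestion = next((n for n, f in groups.items() if f[2] == gid), None)
    return problems, suggestion

if __name__ == "__main__":
    print(check_privdrop("user nobody\ngroup nobody\n"))
    print(check_privdrop("# user nobody\n# group nobody\nmode server\n"))
```

Keep persist-key and persist-tun alongside user/group: once privileges are dropped the daemon cannot re-read the key files or reopen the tun device on a restart (for example after keepalive triggers one) without them, and the server config posted above already has both.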

I had some typos in my last reply. My cut and paste skills drop off after a long day - I'm actually using a different cipher and my auth statement is different. Everything is working - including using the laptop tethered to my cell and OpenVPN running on the laptop (on the cell standalone it works as well).

As a lark I streamed a 720p movie from my Samba drive and it didn't skip a frame (for the 3 minute test).

I'll add that I'll try editing the group/nobody lines and see if they fire off correctly.

Again, where should I look for optimizing the VPN? I will have at most 2 users max moving any volume (more likely 1).

Thanks.

Andrew

It's a bit outside of this forum scope, better ask on https://forums.openvpn.net/.