Hi,
I have the following setup:
-
vpn-server: openwrt (gargoyle v. 13 on wndr3700) openvpn server setup
connected to wan via fddi -> "server-router" -
vpn-client: openwrt (v. 21.02.2 on wndr4300) openvpn client setup
connected to wan via LTE-stick -> "client-router"
The problem:
when vpn-client on client-router is not started, the LAN on client-router works ok: LAN clients and client-router itself have internet access, and wifi clients have internet access too.
when vpn is running on client-router, only the router itself can access the internet and the LAN clients on vpn-server; LAN clients on client-router cannot access anything
client-router can be accessed from server-router and from LAN clients on the server LAN, but there is no access to LAN clients on the client LAN
So it seems that all LAN clients on client-router are disconnected completely when vpn is running.
When stopping vpn on client-router, the routes are reset, but the network has to be restarted before the clients on the client-router network regain access.
checking firewall status: the firewall rules do not change when starting/stopping vpn-client
Here my setup:
vpn-server:
# OpenVPN server (Gargoyle on the server-router), as posted.
# NOTE(review): `typmode` is not an OpenVPN directive; most likely a paste artifact of `mode server` — confirm against the file on the router.
typmode server
port 1194
proto udp
tls-server
# Tunnel network 10.8.0.0/24; the server takes 10.8.0.1 (also pushed as route-gateway below).
ifconfig 10.8.0.1 255.255.255.0
topology subnet
# Per-client overrides live here. The client-router's routing table in this post shows 192.168.2.0/24 via 10.8.0.1 —
# its own LAN — so check the ccd files (and any push lines not shown) for where that route originates.
client-config-dir /etc/openvpn/ccd
# Every VPN client can reach every other VPN client through the server.
client-to-client
# Fixed data-channel cipher; the 21.02 client matches it via data-ciphers-fallback (see client config).
cipher AES-256-CBC
dev tun
keepalive 25 180
status /var/run/openvpn_status
verb 3
# NOTE(review): the file name suggests a 1024-bit DH group; 2048-bit or larger is the usual minimum today — confirm the actual size.
dh /etc/openvpn/dh1024.pem
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
# HMAC on the control channel; direction 0 here pairs with `key-direction 1` on the client.
tls-auth /etc/openvpn/ta.key 0
persist-key
persist-tun
# Compression is enabled on both ends. It is deprecated because compressing data alongside secrets is a known
# information-leak risk (VORACLE-type); consider dropping it on both sides at the same time.
comp-lzo
push "topology subnet"
push "route-gateway 10.8.0.1"
# NOTE(review): two kernel routes for the same destination 192.168.2.0/24 via two different VPN peers (10.8.0.3 and 10.8.0.6);
# only one can be effective and the second will probably fail to install — confirm which address the client-router actually gets.
route 192.168.2.0 255.255.255.0 10.8.0.3
route 192.168.2.0 255.255.255.0 10.8.0.6
# Revoked client certificates; keep this in sync with the CN allow-list used by tls-verify below.
crl-verify /etc/openvpn/crl.pem
down /etc/openvpn.down
# Required so the up/down/tls-verify scripts may run.
script-security 2
# Second check on each connecting client: the certificate CN must appear in the allow-list file.
tls-verify "/usr/lib/gargoyle/ovpn-cn-check.sh /etc/openvpn/verified-userlist"
up /etc/openvpn.up
client vpn setup
# OpenVPN client (OpenWrt 21.02 on the client-router), as posted; key material redacted.
client
remote mydns-network-entry 1194
dev tun
proto udp
# Relative path: the status file lands in the process's working directory — confirm where that is on the router.
status current_status
resolv-retry infinite
# Requires the server certificate to carry the server EKU, so another client certificate cannot pose as the server.
remote-cert-tls server
topology subnet
verb 3
# Used when the server does not negotiate a data cipher; with the server's fixed `cipher AES-256-CBC` this is
# presumably what ends up in use — confirm in the connection log.
data-ciphers-fallback AES-256-CBC
# Keeps the LTE uplink as the default route.
# NOTE(review): the routing table posted below still shows 192.168.2.0/24 via 10.8.0.1 on tun0 — this router's own LAN
# (br-lan 192.168.2.1/24). If that route is pushed by the server it diverts local LAN traffic into the tunnel; a second
# filter such as `pull-filter ignore "route 192.168.2.0"` would block it until the server side is fixed — confirm the
# route's origin first.
pull-filter ignore redirect-gateway
nobind
persist-key
persist-tun
# See the server side: compression is deprecated and a known leak risk; drop it on both ends together.
comp-lzo
# Inline CA, client certificate, private key and tls-auth key follow (redacted in the post).
<ca>
-----BEGIN CERTIFICATE-----
...................
</ca>
<cert>
...................
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
.................
.................
-----END PRIVATE KEY-----
</key>
# Pairs with `tls-auth ... 0` on the server.
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
....................
-----END OpenVPN Static key V1-----
</tls-auth>
network setup on client-router:
# /etc/config/network on the client-router, as posted (ULA prefix and MAC redacted).
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'f...........::/48'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth0.1'
config interface 'lan'
option device 'br-lan'
option proto 'static'
# LAN is 192.168.2.0/24 — the same prefix that appears via tun0 in the routing table once the VPN is up (see below);
# a tunnel route for the local subnet competes with the bridge's own connected route.
option ipaddr '192.168.2.1'
option netmask '255.255.255.0'
option ip6assign '60'
config device
option name 'eth0.2'
option macaddr '.........................'
# Wired WAN on eth0.2; the routing tables show only wwan0, so this and 'wan6' appear unused in the posted setup.
config interface 'wan'
option device 'eth0.2'
option proto 'dhcp'
config interface 'wan6'
option device 'eth0.2'
option proto 'dhcpv6'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '1 2 3 4 0t'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '5 0t'
# Disabled alias on the LAN bridge (auto '0'); it is still listed in the lan firewall zone.
config interface 'LAN2'
option proto 'dhcp'
option device '@lan'
option auto '0'
# LTE stick — the actual uplink (wwan0 in the routing tables).
config interface 'wan_LTE'
option proto 'ncm'
option device '/dev/ttyUSB2'
option mode 'preferlte'
option pdptype 'IP'
option apn 'myapn'
option ipv6 '0'
option delay '5'
firewall setup on client-router:
# /etc/config/firewall on the client-router, as posted (forwarded port redacted).
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone 'lan'
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
list network 'LAN2'
# Every tun* interface is part of the lan zone: VPN peers get the same trust as local LAN clients (input and forward
# ACCEPT), and with client-to-client on the server every other VPN client can reach this router and its LAN.
# Fine for a site-to-site setup; otherwise a separate zone for the tunnel with explicit forwardings is the safer shape.
list device 'tun+'
config zone 'wan'
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wan6'
list network 'wan_LTE'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'xxxx::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
# NOTE(review): the rule name is garbled by the forum paste ("type or paste code here" inserted into "Forward");
# check the real file on the router — it is presumably the stock 'Allow-ICMPv6-Forward'.
option name 'Allow-ICMPv6-Fortype or paste code hereward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# The next two rules forward IPsec (ESP and IKE on udp/500) from WAN into the LAN. Nothing in the posted setup uses
# IPsec (the tunnel here is OpenVPN on udp/1194); consider disabling them if they are unused.
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config rule
option name 'Support-UDP-Traceroute'
option src 'wan'
option dest_port '33434:33689'
option proto 'udp'
option family 'ipv4'
option target 'REJECT'
option enabled 'false'
config include
option path '/etc/firewall.user'
# Remote-maintenance port forward: SSH on the router itself (192.168.2.1:22) exposed on the LTE WAN via a custom port.
# A non-standard port is not access control; restrict it with 'option src_ip' to known admin addresses, or reach the
# router over the VPN instead and drop the forward.
config redirect
option dest 'lan'
option target 'DNAT'
option name 'Fernwartung_ssh'
option src 'wan'
option src_dport 'xxxx'
option dest_ip '192.168.2.1'
option dest_port '22'
routes w/o vpn on client-router:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default xx.xx.xx.xx 0.0.0.0 UG 0 0 0 wwan0
xx.xx.xx.xx * 255.0.0.0 U 0 0 0 wwan0
routes with vpn on client-router running:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default xx.xx.xx.xx 0.0.0.0 UG 0 0 0 wwan0
10.8.0.0 * 255.255.255.0 U 0 0 0 tun0
xx.xx.xx.xx * 255.0.0.0 U 0 0 0 wwan0
192.168.2.0 10.8.0.1 255.255.255.0 UG 0 0 0 tun0
192.168.129.0 10.8.0.1 255.255.255.0 UG 0 0 0 tun0
I have already invested many hours trying to find the cause, without success. Maybe I am overlooking an important configuration option ...
The setup worked for a long time; the problem essentially appeared with upgrading openwrt.
Please help!
Best regards,
woec