Openvpn no access to client's lan

Hi,

I have the following setup:

  • vpn-server: openwrt (gargoyle v. 13 on wndr3700) openvpn server setup
    connected to wan via fddi -> "server-router"

  • vpn-client: openwrt (v. 21.02.2 on wndr4300) openvpn client setup
    connected to wan via LTE-stick -> "client-router"

The problem:
When the vpn-client on client-router is not started, the LAN on client-router works ok: internet access on LAN clients and client-router works; wifi clients also have internet access.

When vpn is running on client-router, only the router can access the internet and LAN clients on vpn-server; LAN clients on client-router cannot access anything.
client-router can be accessed from server-router and LAN clients on the server LAN, but there is no access to LAN clients on the client LAN.

So it seems that all LAN clients on client-router are disconnected completely when vpn is running.

When stopping vpn on client-router, routes are reset, but the network has to be restarted for the clients on the client-router network to regain access.

Checking firewall status: no change in firewall rules takes place when starting/stopping vpn-client.

Here my setup:

vpn-server:

mode                  server
port                  1194
proto                 udp
tls-server
ifconfig              10.8.0.1 255.255.255.0
topology              subnet
client-config-dir     /etc/openvpn/ccd
client-to-client

cipher                AES-256-CBC

dev                   tun
keepalive             25 180
status                /var/run/openvpn_status
verb                  3

dh                    /etc/openvpn/dh1024.pem
ca                    /etc/openvpn/ca.crt
cert                  /etc/openvpn/server.crt
key                   /etc/openvpn/server.key
tls-auth              /etc/openvpn/ta.key 0

persist-key
persist-tun
comp-lzo

push "topology subnet"
push "route-gateway 10.8.0.1"

route 192.168.2.0 255.255.255.0 10.8.0.3
route 192.168.2.0 255.255.255.0 10.8.0.6

crl-verify /etc/openvpn/crl.pem
down /etc/openvpn.down
script-security 2
tls-verify "/usr/lib/gargoyle/ovpn-cn-check.sh /etc/openvpn/verified-userlist"
up /etc/openvpn.up

client vpn setup

client
remote          mydns-network-entry 1194
dev             tun
proto           udp
status          current_status
resolv-retry    infinite
remote-cert-tls server
topology        subnet
verb            3

data-ciphers-fallback          AES-256-CBC

pull-filter ignore redirect-gateway

nobind
persist-key
persist-tun
comp-lzo
<ca>
-----BEGIN CERTIFICATE-----
...................
</ca>
<cert>
...................
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
.................
.................
-----END PRIVATE KEY-----
</key>
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
....................
-----END OpenVPN Static key V1-----
</tls-auth>

network setup on client-router:

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'f...........::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'eth0.2'
        option macaddr '.........................'

config interface 'wan'
        option device 'eth0.2'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 3 4 0t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '5 0t'

config interface 'LAN2'
        option proto 'dhcp'
        option device '@lan'
        option auto '0'

config interface 'wan_LTE'
        option proto 'ncm'
        option device '/dev/ttyUSB2'
        option mode 'preferlte'
        option pdptype 'IP'
        option apn 'myapn'
        option ipv6 '0'
        option delay '5'

firewall setup on client-router:

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'LAN2'
        list device 'tun+'

config zone 'wan'
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'
        list network 'wan_LTE'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'xxxx::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled 'false'

config include
        option path '/etc/firewall.user'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Fernwartung_ssh'
        option src 'wan'
        option src_dport 'xxxx'
        option dest_ip '192.168.2.1'
        option dest_port '22'

routes w/o vpn on client-router:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         xx.xx.xx.xx        0.0.0.0         UG    0      0        0 wwan0
xx.xx.xx.xx        *               255.0.0.0       U     0      0        0 wwan0

routes with vpn on client-router running:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         xx.xx.xx.xx        0.0.0.0         UG    0      0        0 wwan0
10.8.0.0        *               255.255.255.0   U     0      0        0 tun0
xx.xx.xx.xx        *               255.0.0.0       U     0      0        0 wwan0
192.168.2.0     10.8.0.1        255.255.255.0   UG    0      0        0 tun0
192.168.129.0   10.8.0.1        255.255.255.0   UG    0      0        0 tun0

I have already invested many hours to find the cause, without success. Maybe I overlook an important configuration option ...
The setup had worked for a long time; the problem essentially came with upgrading openwrt.
Please help!
Best regards,
woec

Try moving tun+ from the lan zone into its own zone. Enable masquerading on the new vpn zone. Then setup zone forwarding as needed - usually lan > vpn.

Hi,
thank you for your recommendation.
I tried it, but it does not solve the problem.
Still no access to the client's LAN network and no internet access for LAN participants.
The route table gets one more entry:

192.168.2.0     *               255.255.255.0   U     0      0        0 br-lan

More ideas?
Thanks.
woec

Let's see the latest config files (firewall, network) as well as the OpenVPN related log entries on the client side.

Here the network config:

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'xxxxxxx::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'eth0.2'
        option macaddr 'xxxxxxxx'

config interface 'wan'
        option device 'eth0.2'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 3 4 0t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '5 0t'

config interface 'LAN2'
        option proto 'dhcp'
        option device '@lan'
        option auto '0'

config interface 'wan_LTE'
        option proto 'ncm'
        option device '/dev/ttyUSB2'
        option mode 'preferlte'
        option pdptype 'IP'
        option apn 'myapn'
        option ipv6 '0'
        option delay '5'

Here the firewall config:

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'LAN2'

config zone 'wan'
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'
        list network 'wan_LTE'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled 'false'

config include
        option path '/etc/firewall.user'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Fernwartung_ssh'
        option src 'wan'
        option src_dport 'xxxx'
        option dest_ip '192.168.2.1'
        option dest_port 'xx'

config zone
        option name 'vpn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option masq '1'
        list network 'LAN2'
        list network 'lan'
        list device 'tun0'
        option forward 'ACCEPT'

config forwarding
        option src 'vpn'
        option dest 'wan'

config forwarding
        option src 'lan'
        option dest 'vpn'

And here the vpn start messages from logread:

Sun May  8 22:31:02 2022 daemon.warn openvpn(vpn_client)[7968]: WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
Sun May  8 22:31:02 2022 daemon.notice openvpn(BS35_vpn_client)[7968]: OpenVPN 2.5.3 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Sun May  8 22:31:02 2022 daemon.notice openvpn(BS35_vpn_client)[7968]: library versions: OpenSSL 1.1.1n  15 Mar 2022, LZO 2.10
Sun May  8 22:31:02 2022 daemon.warn openvpn(BS35_vpn_client)[7968]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sun May  8 22:31:02 2022 daemon.notice openvpn(BS35_vpn_client)[7968]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun May  8 22:31:02 2022 daemon.notice openvpn(BS35_vpn_client)[7968]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun May  8 22:31:02 2022 daemon.notice openvpn(BS35_vpn_client)[7968]: TCP/UDP: Preserving recently used remote address: [AF_INET]xx.xx.xx.xxx:1194
Sun May  8 22:31:02 2022 daemon.notice openvpn(BS35_vpn_client)[7968]: Socket Buffers: R=[180224->180224] S=[180224->180224]
Sun May  8 22:31:02 2022 daemon.notice openvpn(BS35_vpn_client)[7968]: UDP link local: (not bound)
Sun May  8 22:31:02 2022 daemon.notice openvpn(BS35_vpn_client)[7968]: UDP link remote: [AF_INET]xx.xx.xx.xxx:1194
Sun May  8 22:31:02 2022 daemon.notice openvpn(BS35_vpn_client)[7968]: TLS: Initial packet from [AF_INET]xx.xx.xx.xxx:1194, sid=82c61759 cfb25f8f
Sun May  8 22:31:02 2022 daemon.notice openvpn(BS35_vpn_client)[7968]: VERIFY OK: depth=1, C=??, ST=UnknownProvince, L=UnknownCity, O=UnknownOrg, OU=UnknownOrgUnit, CN=jcjcykhbuulznuq, name=jcjcykhbuulznuq, emailAddress=jcjcykhbuulznuq@jhslpbgkhrhvspx.com
Sun May  8 22:31:02 2022 daemon.notice openvpn(BS35_vpn_client)[7968]: VERIFY KU OK
Sun May  8 22:31:02 2022 daemon.notice openvpn(BS35_vpn_client)[7968]: Validating certificate extended key usage
Sun May  8 22:31:02 2022 daemon.notice openvpn(BS35_vpn_client)[7968]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Sun May  8 22:31:02 2022 daemon.notice openvpn(BS35_vpn_client)[7968]: VERIFY EKU OK
Sun May  8 22:31:02 2022 daemon.notice openvpn(BS35_vpn_client)[7968]: VERIFY OK: depth=0, C=??, ST=UnknownProvince, L=UnknownCity, O=UnknownOrg, OU=UnknownOrgUnit, CN=jcjcykhbuulznuq, name=jcjcykhbuulznuq, emailAddress=jcjcykhbuulznuq@jhslpbgkhrhvspx.com
Sun May  8 22:31:02 2022 daemon.notice openvpn(BS35_vpn_client)[7968]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, peer certificate: 1024 bit RSA, signature: RSA-SHA256
Sun May  8 22:31:02 2022 daemon.notice openvpn(BS35_vpn_client)[7968]: [jcjcykhbuulznuq] Peer Connection Initiated with [AF_INET]xx.xx.xx.xxx:1194
Sun May  8 22:31:03 2022 daemon.notice openvpn(BS35_vpn_client)[7968]: SENT CONTROL [jcjcykhbuulznuq]: 'PUSH_REQUEST' (status=1)
Sun May  8 22:31:03 2022 daemon.notice openvpn(BS35_vpn_client)[7968]: PUSH: Received control message: 'PUSH_REPLY,topology subnet,route-gateway 10.8.0.1,ping 25,ping-restart 180,route 192.168.2.0 255.255.255.0 vpn_gateway,route 192.168.129.0 255.255.255.0 vpn_gateway,ifconfig 10.8.0.6 255.255.255.0,peer-id 0,cipher AES-256-GCM'
Sun May  8 22:31:03 2022 daemon.notice openvpn(BS35_vpn_client)[7968]: OPTIONS IMPORT: timers and/or timeouts modified
Sun May  8 22:31:03 2022 daemon.notice openvpn(BS35_vpn_client)[7968]: OPTIONS IMPORT: --ifconfig/up options modified
Sun May  8 22:31:03 2022 daemon.notice openvpn(BS35_vpn_client)[7968]: OPTIONS IMPORT: route options modified
Sun May  8 22:31:03 2022 daemon.notice openvpn(BS35_vpn_client)[7968]: OPTIONS IMPORT: route-related options modified
Sun May  8 22:31:03 2022 daemon.notice openvpn(BS35_vpn_client)[7968]: OPTIONS IMPORT: peer-id set
Sun May  8 22:31:03 2022 daemon.notice openvpn(BS35_vpn_client)[7968]: OPTIONS IMPORT: adjusting link_mtu to 1625
Sun May  8 22:31:03 2022 daemon.notice openvpn(BS35_vpn_client)[7968]: OPTIONS IMPORT: data channel crypto options modified
Sun May  8 22:31:03 2022 daemon.notice openvpn(BS35_vpn_client)[7968]: Data Channel: using negotiated cipher 'AES-256-GCM'
Sun May  8 22:31:03 2022 daemon.notice openvpn(BS35_vpn_client)[7968]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sun May  8 22:31:03 2022 daemon.notice openvpn(BS35_vpn_client)[7968]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sun May  8 22:31:03 2022 daemon.notice openvpn(BS35_vpn_client)[7968]: net_route_v4_best_gw query: dst 0.0.0.0
Sun May  8 22:31:03 2022 daemon.notice openvpn(BS35_vpn_client)[7968]: net_route_v4_best_gw result: via yy.0.0.y dev wwan0
Sun May  8 22:31:03 2022 daemon.notice openvpn(BS35_vpn_client)[7968]: TUN/TAP device tun0 opened
Sun May  8 22:31:03 2022 daemon.notice openvpn(BS35_vpn_client)[7968]: net_iface_mtu_set: mtu 1500 for tun0
Sun May  8 22:31:03 2022 daemon.notice openvpn(BS35_vpn_client)[7968]: net_iface_up: set tun0 up
Sun May  8 22:31:03 2022 daemon.notice openvpn(BS35_vpn_client)[7968]: net_addr_v4_add: 10.8.0.6/24 dev tun0
Sun May  8 22:31:03 2022 daemon.notice openvpn(BS35_vpn_client)[7968]: /usr/libexec/openvpn-hotplug up vpn_client tun0 1500 1553 10.8.0.6 255.255.255.0 init
Sun May  8 22:31:03 2022 daemon.notice openvpn(BS35_vpn_client)[7968]: net_route_v4_add: 192.168.2.0/24 via 10.8.0.1 dev [NULL] table 0 metric -1
Sun May  8 22:31:03 2022 daemon.notice openvpn(BS35_vpn_client)[7968]: net_route_v4_add: 192.168.129.0/24 via 10.8.0.1 dev [NULL] table 0 metric -1
Sun May  8 22:31:03 2022 daemon.warn openvpn(BS35_vpn_client)[7968]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sun May  8 22:31:03 2022 daemon.notice openvpn(BS35_vpn_client)[7968]: Initialization Sequence Completed

These need to be removed from the vpn zone.

and remove this:

This seems to suggest that your OpenWrt server in installing an overlapping route.

Try removing the following from your server config

I did the changes you recommended.
No success.
When I remove the two routes from the vpn-server config, I lose access from the server's lan to the vpn-client.

In summary I am rather puzzled, because the same configuration was running for a long time before I updated openwrt on the client side and changed the modem device for wan access from a UMTS device to an LTE capable one ...

What is the WAN address on your client side router? is it an RFC1918 address?

No, the address of the client is not RFC1918, this address is reachable from the wan. I can log in onto the client-router from the server-router by ssh, regardless if vpn is running or not.

Ok... I wanted to make sure we didn't have a routing conflict -- if the OpenVPN address was on the same subnet as the WAN's address, it would fail.

But it just occurred to me that you are asking about reaching the client's LAN from the server side... so you need to allow that in the forwarding configuration.

config forwarding
        option src 'vpn'
        option dest 'lan'

Try that... you might need to reinstate the routes you removed earlier.

So, I added the additional forwarding vpn -> lan. But still no access to the client's lan participants.
As described in my first entry, it seems that all client's lan participants are disconnected from client's lan as soon as the vpn channel is running.
The only client address I can reach from server side, is the client's base address. Even from the client, logged in by ssh, I can not reach one of the lan participants on the client side! But I can reach any internet site.

So, I am tired today and will go to bed.
Many thanks to you for your effort!
If you have any further ideas, please let me know.
Good night!

On the client side:

  • can the LAN clients ping each other? (they should be able to... if they can't, something very odd is happening)
  • Can the LAN clients ping the client router? (again, they should be able to do this)
  • Can the LAN clients ping the OpenVPN server (10.8.0.1)
  • Can the LAN clients ping an internet IP like 8.8.8.8?
  • can the LAN clients ping an internet domain like google.com?

What is the subnet that is upstream of the OpenVPN server?

Hi,

the answer to all of your questions is No!
As I said, as soon as vpn is up and running, all vpn-client network clients are disconnected from their LAN! It looks like the vpn-client's lan subnet is broken in this situation.
If vpn is stopped and the network restarted, all lan clients on the vpn-client router work as expected.
So, something really odd happens when vpn is started. Up to now, I did not find any hint of the cause in the system logs.
The client's route table is always the same - no difference whether vpn is up or not. Here an example:

default                  _gateway                 0.0.0.0                   UG           20100    0    enp0s25
192.168.2.0          0.0.0.0                    255.255.255.0        U             100         0    enp0s25

If this isn't working, something is seriously wrong with your configuration, but I don't know what. The reason is that this doesn't involve the router at all... so if LAN devices cannot ping each other with the tunnel up (but can with the tunnel down), there is something else going on.

What about the router itself -- can it perform those pings?

And you didn't answer the question about the upstream network on the server side? I know that the OpenVPN server is using the 10.8.0.0/24 network... what about the network above that?

If vpn is up, the client router also cannot ping its lan clients. It can connect to wan and the clients on the vpn-server network.

vpn-server router has its wan connection via fddi. There is a fddi modem supplied by the provider in front of the router. The router is logged in to the wan by pppoe (no double nat). Below is its routing table (with vpn up).
This configuration has already been running for a long time, since before my troubles with the vpn client came up.

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         xx.x.x.xxx      0.0.0.0         UG    0      0        0 pppoe-wan
xx.x.x.xxx      *               255.255.255.255 UH    0      0        0 pppoe-wan
10.8.0.0        *               255.255.255.0   U     0      0        0 tun0
192.168.1.0     *               255.255.255.0   U     0      0        0 eth0.2
192.168.2.0     10.8.0.6        255.255.255.0   UG    0      0        0 tun0
192.168.2.0     10.8.0.3        255.255.255.0   UG    0      0        0 tun0
192.168.129.0   *               255.255.255.0   U     0      0        0 br-lan

Why is the same network (192.168.2.0/24) routing via 2 different gateways?

Is this the client side routing table? If so, those entries for 192.168.2.0/24 should not be there at all.

No, those entries are in the server side routing table.

But why are there 2 entries for the same subnet?

I don't know; these entries are created automatically by the web-frontend configuration of vpn on the server side.
But I removed one of them, vpn still working.
But no change in problem on client-router lan.

Those routes are being pushed by the server to the client and replacing the existing routes. They should not be there, or your client router should be using a different lan subnet.

If you remove both entries, does the client router at least have the ability to ping devices on its local lan?
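An added check (written for this thread, not code from the poster, OpenWrt or OpenVPN) that automates the diagnosis the last replies converge on: parse the PUSH_REPLY line from logread and the client router's route table, and flag any pushed route that overlaps a subnet locally connected on a non-tunnel interface. The log line and route table below are constructed to mirror the ones posted above (WAN addresses are placeholders), and the pull-filter lines it emits are one possible client-side mitigation I am assuming, not advice given in the thread.

```python
"""Flag OpenVPN pushed routes that collide with the client's own LAN subnets."""
import ipaddress
import re

# Constructed sample: same shape as the PUSH_REPLY logread line in the thread.
PUSH_REPLY_LOG = (
    "Sun May  8 22:31:03 2022 daemon.notice openvpn(vpn_client)[7968]: "
    "PUSH: Received control message: 'PUSH_REPLY,topology subnet,"
    "route-gateway 10.8.0.1,ping 25,ping-restart 180,"
    "route 192.168.2.0 255.255.255.0 vpn_gateway,"
    "route 192.168.129.0 255.255.255.0 vpn_gateway,"
    "ifconfig 10.8.0.6 255.255.255.0,peer-id 0,cipher AES-256-GCM'"
)

# Constructed sample: client router's `route -n` output with the tunnel up
# (100.64.0.x stands in for the redacted LTE WAN addresses).
ROUTE_TABLE = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         100.64.0.1      0.0.0.0         UG    0      0        0 wwan0
10.8.0.0        *               255.255.255.0   U     0      0        0 tun0
100.64.0.0      *               255.0.0.0       U     0      0        0 wwan0
192.168.2.0     *               255.255.255.0   U     0      0        0 br-lan
192.168.2.0     10.8.0.1        255.255.255.0   UG    0      0        0 tun0
192.168.129.0   10.8.0.1        255.255.255.0   UG    0      0        0 tun0
"""


def parse_push_reply(log_line):
    """Return (route-gateway, [IPv4Network, ...]) from a PUSH_REPLY log line."""
    m = re.search(r"'PUSH_REPLY,(.*)'", log_line)
    if not m:
        raise ValueError("line carries no PUSH_REPLY message")
    gateway, routes = None, []
    for opt in m.group(1).split(","):
        parts = opt.split()
        if parts[:1] == ["route-gateway"] and len(parts) >= 2:
            gateway = parts[1]
        elif parts[:1] == ["route"] and len(parts) >= 3:
            # "route <net> <netmask> [gateway]" as pushed by the server
            routes.append(ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False))
    return gateway, routes


def parse_route_table(text):
    """Return [(IPv4Network, gateway or None, iface), ...] from `route -n` output."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 8 or f[0] in ("Kernel", "Destination"):
            continue  # banner and header lines
        dest = "0.0.0.0" if f[0] == "default" else f[0]
        net = ipaddress.ip_network(f"{dest}/{f[2]}", strict=False)
        gw = None if f[1] in ("*", "0.0.0.0") else f[1]
        rows.append((net, gw, f[7]))
    return rows


def connected_lans(routes, tun_prefix="tun"):
    """Subnets directly attached (no gateway) to a non-tunnel interface."""
    return [(net, iface) for net, gw, iface in routes
            if gw is None and net.prefixlen > 0 and not iface.startswith(tun_prefix)]


def find_conflicts(pushed, routes):
    """Each hit is (pushed_net, local_lan, iface): the pushed route overlaps a local LAN."""
    return [(p, lan, iface) for p in pushed
            for lan, iface in connected_lans(routes) if p.overlaps(lan)]


def suggest_pull_filters(conflicts):
    """Client-side directive that drops the conflicting pushed route (assumed mitigation)."""
    return [f'pull-filter ignore "route {p.network_address} {p.netmask}"'
            for p, _lan, _iface in conflicts]


if __name__ == "__main__":
    gw, pushed = parse_push_reply(PUSH_REPLY_LOG)
    hits = find_conflicts(pushed, parse_route_table(ROUTE_TABLE))
    print(f"route-gateway {gw}, pushed: {[str(p) for p in pushed]}")
    for p, lan, iface in hits:
        print(f"CONFLICT: pushed {p} overlaps local {lan} on {iface}")
    for line in suggest_pull_filters(hits):
        print("client config:", line)
```

The real fix the thread points at is removing the route from the server (or renumbering the client LAN); the pull-filter only stops the client from importing it and does not model how the kernel breaks the tie between two equal-prefix routes.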
