OpenVPN no routing

I have installed OpenVPN now.
And now I am trying to make routing between 2 local subnets
192.168.22.1 server local subnet

(192.168.22.1)<----->192.168.8.1---(192.168.10.22<--->192.168.10.44)----192.168.8.2<----->(192.168.44.1)

trying to add route to 44.0 subnet on server (192.168.22.1)

root@Open22Wrt:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.10.1    0.0.0.0         UG    0      0        0 eth0.4
192.168.8.0     *               255.255.255.0   U     0      0        0 tun0
192.168.10.0    *               255.255.255.0   U     0      0        0 eth0.4
192.168.22.0    *               255.255.255.0   U     0      0        0 br-lan
root@Open22Wrt:~# route add 192.168.44.0/24 dev tun0
route: netmask 000000ff and host route conflict

trying to add gateway via IP which is on ppp0

root@Open22Wrt:~# ip route add 192.168.44.0/24 192.168.8.1
ip: either "to" is duplicate, or "192.168.8.1" is garbage

A what?

trying to traceroute

root@Open22Wrt:~# traceroute 192.168.44.1
traceroute to 192.168.44.1 (192.168.44.1), 30 hops max, 38 byte packets
 1  *  *  *
 2  *  *  *
 3  *  *  *

Traceroute from client to server local subnet

traceroute to 192.168.22.55 (192.168.22.55), 30 hops max, 38 byte packets
 1  192.168.8.1 (192.168.8.1)  2.910 ms  3.400 ms  2.751 ms
 2  192.168.22.55 (192.168.22.55)  5.222 ms  *  4.048 ms

Route on client: I added a route to the 22.0 subnet, but maybe I don't need it

root@Open44Wrt:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.8.1     128.0.0.0       UG    0      0        0 tun0
default         192.168.10.1    0.0.0.0         UG    0      0        0 eth0.4
128.0.0.0       192.168.8.1     128.0.0.0       UG    0      0        0 tun0
192.168.8.0     *               255.255.255.0   U     0      0        0 tun0
192.168.10.0    *               255.255.255.0   U     0      0        0 eth0.4
192.168.10.10   *               255.255.255.255 UH    0      0        0 eth0.4
192.168.22.0    *               255.255.255.0   U     0      0        0 tun0
192.168.44.0    *               255.255.255.0   U     0      0        0 br-lan

ifconfig on client

root@Open44Wrt:~# ifconfig
br-lan    Link encap:Ethernet  HWaddr D8:6C:E9:63:D2:49
          inet addr:192.168.44.1  Bcast:192.168.44.255  Mask:255.255.255.0
          inet6 addr: fe80::da6c:e9ff:fe63:d249/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:139 errors:0 dropped:0 overruns:0 frame:0
          TX packets:129 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:10993 (10.7 KiB)  TX bytes:21867 (21.3 KiB)

eth0      Link encap:Ethernet  HWaddr D8:6C:E9:63:D2:47
          inet6 addr: fe80::da6c:e9ff:fe63:d247/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1850 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1094 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:237645 (232.0 KiB)  TX bytes:176182 (172.0 KiB)

eth0.1    Link encap:Ethernet  HWaddr D8:6C:E9:63:D2:47
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:139 errors:0 dropped:0 overruns:0 frame:0
          TX packets:129 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:10993 (10.7 KiB)  TX bytes:21867 (21.3 KiB)

eth0.4    Link encap:Ethernet  HWaddr D8:6C:E9:63:D2:41
          inet addr:192.168.10.44  Bcast:192.168.10.255  Mask:255.255.255.0
          inet6 addr: fe80::da6c:e9ff:fe63:d241/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1693 errors:0 dropped:0 overruns:0 frame:0
          TX packets:945 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:192506 (187.9 KiB)  TX bytes:145344 (141.9 KiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:44 errors:0 dropped:0 overruns:0 frame:0
          TX packets:44 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:3491 (3.4 KiB)  TX bytes:3491 (3.4 KiB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:192.168.8.2  P-t-P:192.168.8.2  Mask:255.255.255.0
          inet6 addr: fe80::1f3c:1c7e:659a:aad2/64 Scope:Link
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:737 errors:0 dropped:0 overruns:0 frame:0
          TX packets:691 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:65222 (63.6 KiB)  TX bytes:75537 (73.7 KiB)

wlan0     Link encap:Ethernet  HWaddr D8:6C:E9:63:D2:45
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

ifconfig on client

root@Open22Wrt:~# ifconfig
br-lan    Link encap:Ethernet  HWaddr 68:15:90:E7:59:FA
          inet addr:192.168.22.1  Bcast:192.168.22.255  Mask:255.255.255.0
          inet6 addr: fe80::6a15:90ff:fee7:59fa/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:11038 errors:0 dropped:3 overruns:0 frame:0
          TX packets:10195 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1904010 (1.8 MiB)  TX bytes:5938281 (5.6 MiB)

eth0      Link encap:Ethernet  HWaddr 68:15:90:E7:59:FB
          inet6 addr: fe80::6a15:90ff:fee7:59fb/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:22299 errors:0 dropped:0 overruns:0 frame:0
          TX packets:20518 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:8266363 (7.8 MiB)  TX bytes:8091765 (7.7 MiB)

eth0.1    Link encap:Ethernet  HWaddr 68:15:90:E7:59:FB
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:11038 errors:0 dropped:0 overruns:0 frame:0
          TX packets:10195 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1904010 (1.8 MiB)  TX bytes:5938281 (5.6 MiB)

eth0.4    Link encap:Ethernet  HWaddr 68:15:90:E7:59:FD
          inet addr:192.168.10.10  Bcast:192.168.10.255  Mask:255.255.255.0
          inet6 addr: fe80::6a15:90ff:fee7:59fd/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:11234 errors:0 dropped:0 overruns:0 frame:0
          TX packets:10156 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:5958072 (5.6 MiB)  TX bytes:2013019 (1.9 MiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:252 errors:0 dropped:0 overruns:0 frame:0
          TX packets:252 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:34304 (33.5 KiB)  TX bytes:34304 (33.5 KiB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:192.168.8.1  P-t-P:192.168.8.1  Mask:255.255.255.0
          inet6 addr: fe80::ba7:c003:e2cf:f58c/64 Scope:Link
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:1490 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1593 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:226296 (220.9 KiB)  TX bytes:141382 (138.0 KiB)

root@Open22Wrt:~# route add 192.168.44.0/24 dev tun0

This is a network, not a host. You should add option -net

route add -net 192.168.44.0/24 gw 192.168.8.2

On the other side:

route add -net 192.168.22.0/24 gw 192.168.8.1

1 Like

Don't add routes manually, it's a bad idea.

Set up static address allocation on the server:
https://openwrt.org/docs/guide-user/services/vpn/openvpn/extras#static_addresses

Then configure a site-to-site connection:
https://openwrt.org/docs/guide-user/services/vpn/openvpn/extras#site-to-site

And disable gateway redirection:
https://openwrt.org/docs/guide-user/services/vpn/openvpn/extras#default_gateway

2 Likes

I know, I plan to do that, but first I want to see how much speed I get with my 333 MHz router. On PPTP it gave me 4 Mbits/s with encryption and 7 Mbits with no encryption; the ppp process took up to 50% and there was some strange process that took 30% all the time and used 0% memory. But anyway, what is wrong with my adding routes manually?

1 Like
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.10.1    0.0.0.0         UG    0      0        0 eth0.4
192.168.8.0     *               255.255.255.0   U     0      0        0 tun0
192.168.10.0    *               255.255.255.0   U     0      0        0 eth0.4
192.168.22.0    *               255.255.255.0   U     0      0        0 br-lan
192.168.44.0    192.168.8.2     255.255.255.0   UG    0      0        0 tun0

Added routes but no luck, the same thing.
And the strange thing is I can ping a host in the server local subnet from the client.

If you use it for testing, then fine, the correct syntax is like this:

ip route add 192.168.44.0/24 via 192.168.8.1 dev tun0

Also note that OpenVPN running with the topology subnet utilizes its own internal routing.
This means it requires the iroute directive specified in the config.
Otherwise, you won't be able to access the client side subnet from the server/peers.

1 Like

All right, and how do I manage this iroute?
In the server.conf file?
I found how to add a route to the client so it knows the server local subnet:
push "route 192.168.22.0 255.255.255.0"
So I added it and this route appears on the client in the route table.
But there is no route on the server to 44.0, so I added it manually; it won't work anyway.
Maybe I need to add something more in the server config?

You can add the iroute option to the client config.
Or, to the CCD config on the server as mentioned above.

1 Like
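
An added example, not part of any post in this thread: a shell check for the failure discussed above, where server.conf routes the client LAN into the tunnel but no CCD file carries the iroute that tells OpenVPN which client owns that subnet. The file layout and function names are assumptions, only CCD files are inspected, and the sample config is constructed from the thread's subnets.

```shell
#!/bin/sh
# Added example (not from the thread): report networks that server.conf routes
# into the tunnel but that no CCD file assigns to a client with iroute.

# "network netmask" for each top-level route directive (push "route ..." is skipped)
server_routes() {
    awk '$1 == "route" && NF >= 2 { print $2, (NF >= 3 ? $3 : "255.255.255.255") }' "$1"
}

# "network netmask" for each iroute found in the client-config-dir
ccd_iroutes() {
    for f in "$1"/*; do
        if [ -f "$f" ]; then
            awk '$1 == "iroute" && NF >= 2 { print $2, (NF >= 3 ? $3 : "255.255.255.255") }' "$f"
        fi
    done
}

# Routed networks that have no matching iroute
missing_iroutes() {
    iroutes=$(ccd_iroutes "$2")
    server_routes "$1" | while read -r net mask; do
        printf '%s\n' "$iroutes" | grep -qxF "$net $mask" || echo "$net $mask"
    done
}

# Constructed sample using the thread's subnets (hypothetical file layout)
demo() {
    d=$(mktemp -d)
    mkdir "$d/ccd"
    cat > "$d/server.conf" <<'EOF'
topology subnet
server 192.168.8.0 255.255.255.0
client-config-dir ccd
route 192.168.44.0 255.255.255.0
push "route 192.168.22.0 255.255.255.0"
EOF
    : > "$d/ccd/client"
    echo "before iroute: $(missing_iroutes "$d/server.conf" "$d/ccd")"
    echo 'iroute 192.168.44.0 255.255.255.0' >> "$d/ccd/client"
    echo "after iroute:  $(missing_iroutes "$d/server.conf" "$d/ccd")"
    rm -rf "$d"
}

demo
```

Any network the check prints is one the kernel will hand to tun0 but OpenVPN will drop, which matches the symptom of the manually added route having no effect.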

Thank you, it works now. I did it like this and now it works.
I don't know why it didn't work with the usual adding, but I guess OpenVPN ignores the route table or is selective.

cat << EOF >> /etc/openvpn/ccd/client
iroute 192.168.2.0 255.255.255.0
push-remove redirect-gateway
EOF
cat << EOF >> /etc/openvpn/server.conf
route 192.168.2.0 255.255.255.0 192.168.8.2
push "route 192.168.1.0 255.255.255.0"
EOF
/etc/init.d/openvpn restart

I tried to add cipher none in the server config but it looks like encryption is not disabled :roll_eyes:
I can't find anywhere how to disable encryption,
and also my log:
Options error: Unrecognized option or missing or extra parameter(s) in /etc/openvpn/server.conf:17: chipher (2.4.7)

1 Like

Typo, the proper option:

Apply it to both server and client.

1 Like

I added cipher none to server.config and client.config, then restarted the server and rebooted the client.
After the connection was established I checked the max speed; it was the same as before, without editing.
And the log says something strange:

daemon.notice openvpn(sample_server)[1680]: OpenVPN 2.4.7 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
daemon.notice openvpn(sample_server)[1680]: library versions: OpenSSL 1.1.1j  16 Feb 2021, LZO 2.10
daemon.err openvpn(sample_server)[1680]: OpenSSL: error:02001002:lib(2):func(1):reason(2)
daemon.err openvpn(sample_server)[1680]: OpenSSL: error:2006D080:lib(32):func(109):reason(128)
daemon.err openvpn(sample_server)[1680]: Cannot open /etc/openvpn/dh1024.pem for DH parameters
daemon.notice openvpn(sample_server)[1680]: Exiting due to fatal error

That service instance should be unrelated:

uci set openvpn.sample_server.enabled="0"
uci commit openvpn
/etc/init.d/openvpn restart
1 Like

So that sample server is not the server I ran?

All I am trying to do is get more speed on the same router CPU. Now I see on the client that cipher is off (warnings), so it means no cipher, but the speed is the same and the CPU is up to 97% for the openvpn process. I also see this on the client:

daemon.warn openvpn(client)[1066]: WARNING: you are using user/group/chroot/setcon without persist-tun -- this may cause                          restarts to fail

In the server log I got:

envpn(server)[1050]: Initialization Sequence Completed
envpn(server)[1050]: 192.168.10.44:38768 peer info: IV_VER=2.4.7
envpn(server)[1050]: 192.168.10.44:38768 peer info: IV_PLAT=linux
envpn(server)[1050]: 192.168.10.44:38768 peer info: IV_PROTO=2
envpn(server)[1050]: 192.168.10.44:38768 peer info: IV_NCP=2
envpn(server)[1050]: 192.168.10.44:38768 peer info: IV_LZ4=1
penvpn(server)[1050]: 192.168.10.44:38768 peer info: IV_LZ4v2=1
envpn(server)[1050]: 192.168.10.44:38768 peer info: IV_LZO=1
envpn(server)[1050]: 192.168.10.44:38768 peer info: IV_COMP_STUB=1
envpn(server)[1050]: 192.168.10.44:38768 peer info: IV_COMP_STUBv2=1
envpn(server)[1050]: 192.168.10.44:38768 peer info: IV_TCPNL=1
envpn(server)[1050]: 192.168.10.44:38768 [client] Peer Connection Initiated with [AF_INET]192.168.10.44:38768
envpn(server)[1050]: client/192.168.10.44:38768 MULTI_sva: pool returned IPv4=192.168.8.2, IPv6=(Not enabled)

What can I disable so I will have more performance but keep certificate authentication?

You can try different ports and protocols TCP/UDP, but this question is too specific.
I'm afraid that optimizing OpenVPN performance is outside the scope of the OpenWrt forum.
You may have a better chance of getting a positive reply on the official OpenVPN forum.

Perhaps you should try OpenConnect and/or WireGuard as well.
Although encryption cannot be disabled, WireGuard works in kernel-space.
This can grant a significant performance advantage over user-space solutions like OpenVPN.

1 Like
