OpenVPN not redirecting to LAN

Hello

I have a small issue with an OpenVPN server on a UniFi AC Lite AP. The AP works as an AP only (no DHCP and no routing); its address is static 192.168.1.10, and my gateway is 192.168.1.1.
The AP only has a LAN network.

I configured the VPN as TUN, but the issue is that I can't access the LAN network (I can access 192.168.1.10 but not the rest of the network). The OpenVPN server is configured to push the route to clients (route 192.168.1.0 255.255.255.0 and dhcp-option DNS 192.168.1.1).

I configured the VPN network (192.168.8.1). The firewall has all forwardings set to ACCEPT, but I can't see where the problem is that prevents me from accessing the network.

I have another VPN server configured as TAP and it works well, but I need TUN mode because I want to access it from an Android phone.

 cat /etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd01:3f01:b24d::/48'

config interface 'lan'
        option type 'bridge'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.1.10'
        option gateway '192.168.1.1'
        list dns '1.1.1.1'
        option ifname 'eth0  tap0'

config interface 'tun1'
        option ifname 'tun1'
        option proto 'none'

cat /etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone 'wan'
        option name 'wan'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        option forward 'ACCEPT'
        option input 'ACCEPT'
        option network 'wan wan6'

config forwarding 'lan_wan'
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config forwarding
        option dest 'lan'
        option src 'vpn'

config forwarding
        option dest 'vpn'
        option src 'lan'

config zone
        option network 'tun1'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option name 'vpn'
        option output 'ACCEPT'


cat /etc/config/openvpn

config openvpn 'TAPserver'
        option enabled '1'
        option config '/etc/openvpn/vpnserver.conf'

config openvpn 'TunServer'
        option enabled '1'
        option verb '11'
        option log '/var/log/openvpn/openvpn.log'
        option log_append '/var/log/openvpn/openvpn.log'
        option port '1999'
        option client_to_client '1'
        option compress 'lzo'
        option keepalive '10 120'
        option persist_tun '1'
        option persist_key '1'
        option dh '/etc/openvpn/lan/dh.pem'
        option tls_crypt '/etc/openvpn/lan/tc.pem'
        option ca '/etc/openvpn/lan/ca.crt'
        option cert '/etc/openvpn/lan/lanvpnserver.crt'
        option key '/etc/openvpn/lan/lanvpnserver.key'
        list push 'route 192.168.1.0 255.255.255.0'
        list push 'dhcp-option DNS 192.168.1.1'
        list push 'compress lzo'
        list push 'persist-tun'
        list push 'persist-key'
        option dev 'tun1'
        option proto 'udp'
        option server '192.168.8.0 255.255.255.0'

thanks

What is IP 192.168.2.2?
What is the output of traceroute 192.168.1.1 from the connected client?

Sorry, I made a mistake writing the numbers; I corrected it.

>tracert 192.168.1.110

Traza a 192.168.1.110 sobre caminos de 30 saltos como máximo.

  1   143 ms    22 ms    22 ms  192.168.8.1
  2     *        *        *     Tiempo de espera agotado para esta solicitud.
  3     *        *        *     Tiempo de espera agotado para esta solicitud.

OK, but it goes via the correct interface. Please check that the interface name on the server is exactly tun1 (as specified in your config), not tun0.

I finally solved the issue.

I made these changes:

Added a traffic rule on the firewall to forward from VPN 192.168.8.0/24 to LAN 192.168.1.0/24.

Masquerading on the LAN is not critical; forwarding has already been set.


OK, I have disabled masquerading and it still works.

OK, I thought masquerading was essential if the devices in the LAN don't have a route to the VPN network.

Yes, in the end I enabled it again, because after 2 hours it stopped working. But now I have another problem.

From a Windows computer the OpenVPN client can access the whole LAN, but from an iOS or Android client I can't access it.

Can you access VPN-server by its LAN IP?

On an Android or iOS phone I can't access anything.

I fixed it. The issue with Android and iOS was the LZO compression, so I disabled it on both the server and the client profile (both ends must agree on it) and it's working well!
The masquerading is on the LAN interface because it's a dumb AP.

Thanks
