I upgraded to OpenWrt 21.02.0-rc1 recently. The same OpenVPN client configuration works in 19.07 but is not working on 21.02-rc1 for some reason. I can confirm the port is open and connects, but it doesn't transfer any data.
However, if I add an mtu to the routing (e.g. ip route add 10.197.3.0/24 via $route_vpn_gateway dev tun3 mtu 500), I can get some data but not everything. Does anyone have any idea what's going on here?
root@OpenWrt-Dev:~# curl 10.197.3.173
<!doctype html>
<html lang="en" dir="ltr" prefix="fb: //www.facebook.com/2008/fbml">
<head>
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<!-- Google Tag Manager -->
<script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':
new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],
j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src=
'https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);
})(window,document,'script','dataLayer','GTM-WLM***');</script>
<!-- End Google Tag Manager -->
<meta name="referrer" content="no-referrer-when-downgrade">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<link rel="shortcut icon" href="http://10.197.3.173/files/favicon.ico" type="image/vnd.microsoft.icon" />
curl: (56) Recv failure: Connection reset by peer
I'm using OpenVPN on a daily basis and it works well. Nevertheless, I made a completely new setup when installing on 21.02, and I remember that some tiny changes were needed from 19.07. I would recommend a clean setup.
I'm using an all-fresh configuration and have tried everything I can think of: routing, MASQUERADE, TCP window size, and TCPMSS. I'm still thinking something is wrong with the 21.01-rc1 version. I even tried the snapshot build on a virtual machine and they all have the same issue. It could be an MTU or TCP MSS issue that drops the fragmented TCP packets somewhere.
There are definitely issues with the OpenVPN client on OpenWrt 21.02 rc and snapshots. I'm not sure about UDP, but a TCP setup is not working. I eventually got my OpenVPN client setup working but had to set a very low TCPMSS of 59 :(.
iptables -t mangle -A POSTROUTING -o tun3 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: VPN Tunnel MTU fixing" -j TCPMSS --set-mss 59
uci set network.vpn0="interface"
uci set network.vpn0.ifname="tun0"
uci set network.vpn0.proto="none"
uci set network.vpn0.auto="1"
uci commit network
then
uci add firewall rule
uci set firewall.@rule[-1].name="Allow-OpenVPN"
uci set firewall.@rule[-1].target="ACCEPT"
uci set firewall.@rule[-1].src="wan"
uci set firewall.@rule[-1].proto="udp"
uci set firewall.@rule[-1].dest_port="1194"
uci add firewall zone
uci set firewall.@zone[-1].name="vpn"
uci set firewall.@zone[-1].input="ACCEPT"
uci set firewall.@zone[-1].forward="ACCEPT"
uci set firewall.@zone[-1].output="ACCEPT"
uci set firewall.@zone[-1].masq="1"
uci set firewall.@zone[-1].network="vpn0"
uci add firewall forwarding
uci set firewall.@forwarding[-1].src="vpn"
uci set firewall.@forwarding[-1].dest="wan"
uci add firewall forwarding
uci set firewall.@forwarding[-1].src="vpn"
uci set firewall.@forwarding[-1].dest="lan"
uci commit firewall
/etc/init.d/network reload
/etc/init.d/firewall reload
I have deleted the access to LAN as I don't need it (the last firewall forwarding).
Also try to use UDP instead of TCP.
I think you have a DSA “thing” if you have used the 19.07 settings. As you say the tunnel is alive but the tun3 interface isn’t actually connected anywhere if I read the configs right.
And you gave a lot of bridges.
It is almost impossible to use old configs for 21.02; you need new origins and configs, and to manually reconfigure the whole thing to make everything work in 21.02.
I used OpenVPN successfully, but I never managed to use WireGuard in a reliable way. Others claim that WireGuard works very well, so I assume that I did a faulty setup. I don't despair of finding the solution. So keep faith in OpenVPN, you'll find it.
I have used a tutorial to install OpenVPN, and gave the URL. As the result works, I can assure you that OpenVPN works on 21.02 (the subject of the topic), but I don't have much experience to share. I can't guarantee that "my" installation fits any purpose or is security proof. What more can I do?
I run it as an ovpn server and it works, but as mentioned earlier something is a little different. I have a strong feeling the tun0 device was put in the LAN interface before but written to the firewall, and now UCI puts it in the firewall config🤔
So I strongly recommend making a new setup for 21.02 so everything is placed right.
I agree, that's what I've done: a clean install of 21.02.
I have noticed some tiny changes in 21.02 (over 19.07) as OpenVPN has upgraded (2.4 to 2.5). There are some minor changes to be expected (default crypto algorithm for example) in the install. I have corrected several issues by studying the error log while connecting.
I have recreated the configuration and also followed the instructions at https://openwrt.org/docs/guide-user/services/vpn/openvpn/client-luci to set up the VPN client. Your settings are similar to it too. It's still not working. I think it's because different protocols are used. My company VPN server is using TCP instead of UDP.
Actually my settings are working now, but I have to set the TCPMSS to 59 instead of something bigger like 1472, which impacts the performance. This also indicates that the problem is not in routing but in TCP packet fragmentation.
Besides debugging to make sure the problem is in 21.02RC, I actually use a custom script to set up the routing for special needs.
#!/bin/sh
# The script can be called by openvpn up/down settings or OpenWrt /etc/openvpn.user
# OpenVPN exports the tunnel interface as $dev and the peer as $route_vpn_gateway;
# $ACTION is set by /etc/openvpn.user, otherwise the first argument (up/down) is used.
postrouting_rule=postrouting_rule
forwarding_rule=forwarding_rule
[ -z "$ACTION" ] && ACTION=$1
# Split command substitutions on newlines only, so each "iptables -S" line stays one item
IFS='
'
add_route(){
  net=$1
  #logger "$cmd route $net gw $route_vpn_gateway"
  ip route add "$net" via "$route_vpn_gateway" dev "$dev"
}
rule(){
  if [ "$1" = "up" ]; then
    echo 'add postroute'
    # Only add the NAT and forward rules if none for this interface exist yet
    iptables -t nat -S "$postrouting_rule" | grep "$dev" > /dev/null || iptables -t nat -A "$postrouting_rule" -o "$dev" -m comment --comment "!fw3 Company VPN" -j MASQUERADE
    iptables -S "$forwarding_rule" | grep "$dev" > /dev/null || iptables -A "$forwarding_rule" -i br-lan -o "$dev" -m comment --comment "Allow Company VPN Forward" -j ACCEPT
    # Drop any earlier mangle rules for this interface so the MSS clamp is not duplicated
    for cmd in $(iptables -t mangle -S | grep "$dev" | sed 's/-A//'); do
      eval "iptables -t mangle -D $cmd"
    done
    ##### regular --clamp-mss-to-pmtu is not working and have to set TCPMSS to 59 for now on OpenWRT 21.02RC
    #iptables -t mangle -A POSTROUTING -o "$dev" -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: OpenVPN tunnel MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
    iptables -t mangle -A POSTROUTING -o "$dev" -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: OpenVPN tunnel MTU fixing" -j TCPMSS --set-mss 59
  else
    # Tear down every rule that references this interface (xargs honours the quoted comments)
    iptables -t nat -S "$postrouting_rule" | grep "$dev" | sed 's/^-A//' | xargs -r iptables -t nat -D
    iptables -S "$forwarding_rule" | grep "$dev" | sed 's/^-A//' | xargs -r iptables -D
    for cmd in $(iptables -t mangle -S | grep "$dev" | sed 's/-A//'); do
      eval "iptables -t mangle -D $cmd"
    done
  fi
}
routes(){
  #add_route "10.192.0.0/13"
  #admin
  add_route 10.192.0.0/16
  add_route 10.193.0.0/16
  add_route 10.194.0.0/16
  add_route 10.195.0.0/16
  add_route 10.196.0.0/16
  add_route 10.197.0.0/16
  add_route 10.198.0.0/16
  add_route 10.176.0.0/16
  add_route 172.31.0.0/16
  add_route 10.191.0.0/18
  add_route 10.177.0.0/18
}
case "$ACTION" in
  up)
    routes
    rule up
    ;;
  down)
    rule down
    ;;
esac
exit 0
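The posts above (the TCPMSS 59 workaround and the up/down script) both guess at the MSS rather than measuring the tunnel. The helpers below are an added example written for this thread, not code from any poster or from OpenWrt: mss_for_mtu turns a path MTU into the MSS that fits it, probe_mtu binary-searches the real path MTU with don't-fragment pings, and ensure_mss_clamp installs the same POSTROUTING clamp rule the script uses, but via iptables -C so repeated "up" events never stack duplicates. The function names are my own; probe_mtu assumes iputils ping (the -M do flag), which BusyBox ping on the router does not have, so run that part from a Linux host behind the router.

```shell
#!/bin/sh
# Added example for the thread above, not code from the posters or from OpenWrt.
# Assumes legacy iptables syntax (as used in the thread) and, for probe_mtu,
# iputils ping with "-M do" (BusyBox ping lacks it).

# mss_for_mtu MTU [IPHDR]: the TCP MSS that fits a given path MTU.
# MSS = MTU - IP header (20 bytes IPv4, 40 bytes IPv6) - TCP header (20 bytes).
mss_for_mtu() {
    mtu=$1
    iphdr=${2:-20}
    echo $((mtu - iphdr - 20))
}

# probe_mtu HOST [LO] [HI]: largest IP packet size that reaches HOST with DF set,
# found by binary search on the ICMP payload (payload + 28 bytes of ICMP/IP header).
# Prints the MTU, or nothing if even LO does not get through.
probe_mtu() {
    host=$1
    lo=${2:-68}
    hi=${3:-1500}
    best=""
    while [ "$lo" -le "$hi" ]; do
        mid=$(( (lo + hi) / 2 ))
        if ping -c 1 -W 1 -M do -s $((mid - 28)) "$host" >/dev/null 2>&1; then
            best=$mid
            lo=$((mid + 1))
        else
            hi=$((mid - 1))
        fi
    done
    [ -n "$best" ] && echo "$best"
}

# ensure_mss_clamp DEV MSS: add the clamp rule from the thread only if it is
# not already present. "iptables -C" exits 0 when an identical rule exists, so
# calling this from every OpenVPN "up" event is safe.
ensure_mss_clamp() {
    dev=$1
    mss=$2
    set -- POSTROUTING -o "$dev" -p tcp -m tcp --tcp-flags SYN,RST SYN \
        -m comment --comment "!fw3: OpenVPN tunnel MTU fixing" -j TCPMSS --set-mss "$mss"
    iptables -t mangle -C "$@" 2>/dev/null || iptables -t mangle -A "$@"
}

# Usage, e.g. from an OpenVPN up script once the path MTU is known:
#   ./mss.sh probe 10.197.3.173        (from a LAN host; prints the path MTU)
#   ./mss.sh clamp tun3 1360           (on the router; MSS for an MTU of 1400)
case "${1:-}" in
    probe) probe_mtu "$2" ;;
    clamp) ensure_mss_clamp "$2" "$3" ;;
esac
```

If probe_mtu reports something close to 1500 while TCP through the tunnel still only works with a tiny MSS, the loss is not a plain MTU problem, which is the distinction the thread's "59 works, 1472 does not" observation is circling around.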
I followed these instructions to set up WireGuard on OpenWrt. It works on both 19.07 and 21.02 without changing the config. The tricky part is that you need to make sure your phone's IP is in the range you defined.
Solution:
Use a .ovpn and password.txt file stored in the openvpn folder, then set up tun0 in the network interface, then reboot the router; it works on any OpenWrt version, 19 or 21.
Check this video step by step: https://www.youtube.com/watch?v=uHpI2e2NjPc