OpenVPN ok - But can only access SOME local devices? *frustrating*

Dear community
After trial and error for almost 2 days, I hope to find a solution here with your help.

I got a working VPN server on an OpenWrt box [18.06.1 r7258-5eb055306f / LuCI openwrt-18.06 branch (git-18.228.31946-f64b152)], connecting with OpenVPN for Android. I did disable TLSAuth, as I haven't got this working yet...

But the main problem is... I can ping / access only some devices on my local network (same IP range); from within that network I can ping/access all devices...

Here are some details and configs:

Networks:
VPN: 192.168.10.0
Private Network: 192.168.5.0
Accessible devices: 192.168.5.1 (Router with OpenVPN) / 192.168.5.11 (NAS) / 192.168.5.4 (Switch) / 192.168.5.162 (Home PC)
Inaccessible devices: 192.168.5.16 (Home Server)

My /etc/config/openvpn

config openvpn 'myvpn'
        option enabled '1'
        option proto 'udp4'
        option log '/tmp/openvpn.log'
        option verb '3'
        option ca '/etc/openvpn/certs/ca.crt'
        option cert '/etc/openvpn/certs/server.crt'
        option key '/etc/openvpn/certs/server.key'
        option dh '/etc/openvpn/certs/dh4096.pem'
        option server '192.168.10.0 255.255.255.0'
        option cipher 'AES-256-CBC'
        option auth 'SHA512'
#       option tls_auth '/etc/openvpn/certs/tlsauth.key 0'
#       option tls_cipher 'TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-12
        option port '1194'
        option keepalive '10 120'
#       option tls_server '1'
#       option tls_version_min '1.2'
        list push 'redirect-gateway def1'
        list push 'route 192.168.5.0 255.255.255.0'
        list push 'dhcp-option DNS 192.168.5.16'
        list push 'dhcp-option DNS 8.8.8.8'
        list push 'block-outside-dns'
        option dev 'tun0'
#       option route_gateway '192.168.5.1'

My /etc/config/network (only vpn part)

config interface 'VPN0'
        option proto 'none'
        option auto '1'
        option ifname 'tun0'
        option delegate '0'

My /etc/config/firewall

config rule
        option name 'Allow-OpenVPN-Inbound'
        option target 'ACCEPT'
        option dest_port '1194'
        option src '*'
        option proto 'udp'

config zone
        option name 'vpn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option network 'VPN0'
        option forward 'REJECT'

config forwarding
        option src 'vpn'
        option dest 'wan'

config forwarding
        option src 'vpn'
        option dest 'lan'

Here is the openvpn log:

Fri Jul 12 10:09:21 2019 OpenVPN 2.4.5 mipsel-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Fri Jul 12 10:09:21 2019 library versions: OpenSSL 1.0.2r  26 Feb 2019, LZO 2.10
Fri Jul 12 10:09:21 2019 Diffie-Hellman initialized with 4096 bit key
Fri Jul 12 10:09:21 2019 TUN/TAP device tun0 opened
Fri Jul 12 10:09:21 2019 TUN/TAP TX queue length set to 100
Fri Jul 12 10:09:21 2019 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Fri Jul 12 10:09:21 2019 /sbin/ifconfig tun0 192.168.10.1 pointopoint 192.168.10.2 mtu 1500
Fri Jul 12 10:09:21 2019 /sbin/route add -net 192.168.10.0 netmask 255.255.255.0 gw 192.168.10.2
Fri Jul 12 10:09:21 2019 Socket Buffers: R=[163840->163840] S=[163840->163840]
Fri Jul 12 10:09:21 2019 UDPv4 link local (bound): [AF_INET][undef]:1194
Fri Jul 12 10:09:21 2019 UDPv4 link remote: [AF_UNSPEC]
Fri Jul 12 10:09:21 2019 MULTI: multi_init called, r=256 v=256
Fri Jul 12 10:09:21 2019 IFCONFIG POOL: base=192.168.10.4 size=62, ipv6=0
Fri Jul 12 10:09:21 2019 Initialization Sequence Completed
Fri Jul 12 10:09:29 2019 178.197.224.212:26870 TLS: Initial packet from [AF_INET]178.197.224.212:26870, sid=5242a29a d8fb36ff
Fri Jul 12 10:09:30 2019 178.197.224.212:26870 VERIFY OK: depth=1, C=CH, ST=AG, L=XXX, O=Home, OU=Private, CN=Home CA, name=EasyRSA, emailAddress=XXX
Fri Jul 12 10:09:30 2019 178.197.224.212:26870 VERIFY OK: depth=0, C=CH, ST=AG, L=XXX, O=Home, OU=Private, CN=dave, name=EasyRSA, emailAddress=XXX
Fri Jul 12 10:09:31 2019 178.197.224.212:26870 peer info: IV_VER=2.5_master
Fri Jul 12 10:09:31 2019 178.197.224.212:26870 peer info: IV_PLAT=android
Fri Jul 12 10:09:31 2019 178.197.224.212:26870 peer info: IV_PROTO=2
Fri Jul 12 10:09:31 2019 178.197.224.212:26870 peer info: IV_NCP=2
Fri Jul 12 10:09:31 2019 178.197.224.212:26870 peer info: IV_LZ4=1
Fri Jul 12 10:09:31 2019 178.197.224.212:26870 peer info: IV_LZ4v2=1
Fri Jul 12 10:09:31 2019 178.197.224.212:26870 peer info: IV_LZO=1
Fri Jul 12 10:09:31 2019 178.197.224.212:26870 peer info: IV_COMP_STUB=1
Fri Jul 12 10:09:31 2019 178.197.224.212:26870 peer info: IV_COMP_STUBv2=1
Fri Jul 12 10:09:31 2019 178.197.224.212:26870 peer info: IV_TCPNL=1
Fri Jul 12 10:09:31 2019 178.197.224.212:26870 peer info: IV_GUI_VER=de.blinkt.openvpn_0.7.8
Fri Jul 12 10:09:31 2019 178.197.224.212:26870 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1601', remote='link-mtu 1541'
Fri Jul 12 10:09:31 2019 178.197.224.212:26870 WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher BF-CBC'
Fri Jul 12 10:09:31 2019 178.197.224.212:26870 WARNING: 'auth' is used inconsistently, local='auth SHA512', remote='auth SHA1'
Fri Jul 12 10:09:31 2019 178.197.224.212:26870 WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
Fri Jul 12 10:09:31 2019 178.197.224.212:26870 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Fri Jul 12 10:09:31 2019 178.197.224.212:26870 [dave] Peer Connection Initiated with [AF_INET]178.197.224.212:26870
Fri Jul 12 10:09:31 2019 dave/178.197.224.212:26870 MULTI_sva: pool returned IPv4=192.168.10.6, IPv6=(Not enabled)
Fri Jul 12 10:09:31 2019 dave/178.197.224.212:26870 MULTI: Learn: 192.168.10.6 -> dave/178.197.224.212:26870
Fri Jul 12 10:09:31 2019 dave/178.197.224.212:26870 MULTI: primary virtual IP for dave/178.197.224.212:26870: 192.168.10.6
Fri Jul 12 10:09:32 2019 dave/178.197.224.212:26870 PUSH: Received control message: 'PUSH_REQUEST'
Fri Jul 12 10:09:32 2019 dave/178.197.224.212:26870 SENT CONTROL [dave]: 'PUSH_REPLY,redirect-gateway def1,route 192.168.5.0 255.255.255.0,dhcp-option DNS 192.168.5.16,dhcp-option DNS 8.8.8.8,block-outside-dns,route 192.168.10.1,topology net30,ping 10,ping-restart 120,ifconfig 192.168.10.6 192.168.10.5,peer-id 0,cipher AES-256-GCM' (status=1)
Fri Jul 12 10:09:32 2019 dave/178.197.224.212:26870 Data Channel: using negotiated cipher 'AES-256-GCM'
Fri Jul 12 10:09:32 2019 dave/178.197.224.212:26870 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Fri Jul 12 10:09:32 2019 dave/178.197.224.212:26870 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key

I am also able to ping the server (192.168.5.16) from the OpenWrt Diagnostics page, to see if there is any iptables rule on the server preventing access from 192.168.5.1 (OpenVPN server). The inaccessible server is an Ubuntu 16.04 server with several services...

Any idea what I could be missing or doing wrong?

Thanks a lot for your help.
Dave

What does this mean?

  • Are you saying that your LAN and VPN network have the same numbering (i.e. 192.168.5.0/24)?
  • If so, fix this.
  • Do these devices have 192.168.5.1 as their gateway?
1 Like
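The gateway question in the reply above is worth checking mechanically, because "reachable from the LAN but not from the VPN" is the classic symptom of an asymmetric return path: the VPN client's packets reach the host via the OpenWrt box, but the host sends its replies to a different default gateway (or has no route at all for 192.168.10.0/24), so they never come back through tun0. The script below is an added example, not part of the original post or of OpenWrt/OpenVPN: it parses the output of `ip route show` as captured on a LAN host, does the same longest-prefix match the kernel does for a single routing table, and reports where a reply to the VPN client would go. The route tables, the interface names and the second gateway 192.168.5.254 are constructed for illustration; only 192.168.5.1, 192.168.10.0/24 and the client address 192.168.10.6 come from the post.

```python
"""
Added example (not from the original post): decide where a LAN host would send
its reply to an OpenVPN client, given that host's `ip route show` output.
Flags the two usual causes of "pingable from the LAN, not from the VPN":
  - replies leave via a gateway other than the OpenVPN router (asymmetric path)
  - there is no route at all for the VPN subnet
Sample route tables below are constructed, not captured from the poster's hosts.
"""
import ipaddress

OPENVPN_ROUTER = ipaddress.ip_address("192.168.5.1")  # OpenWrt LAN address (from the post)
VPN_CLIENT = ipaddress.ip_address("192.168.10.6")     # address the pool handed to 'dave'


def parse_routes(text):
    """Turn `ip route show` lines into (prefix, via_or_None, dev) tuples.

    'default' becomes 0.0.0.0/0; a bare host address becomes a /32.
    Fields other than the destination, 'via' and 'dev' are ignored.
    """
    routes = []
    for line in text.strip().splitlines():
        parts = line.split()
        if not parts:
            continue
        dst = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        prefix = ipaddress.ip_network(dst, strict=False)
        via = dev = None
        for i, tok in enumerate(parts):
            if tok == "via":
                via = ipaddress.ip_address(parts[i + 1])
            elif tok == "dev":
                dev = parts[i + 1]
        routes.append((prefix, via, dev))
    return routes


def lookup(routes, dst):
    """Longest-prefix match over one routing table, as the kernel does."""
    best = None
    for prefix, via, dev in routes:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, via, dev)
    return best


def diagnose(route_text, client=VPN_CLIENT, vpn_router=OPENVPN_ROUTER):
    """Return a one-line verdict on how this host would answer `client`."""
    hit = lookup(parse_routes(route_text), client)
    if hit is None:
        return "no route: replies to %s are dropped on the host" % client
    prefix, via, dev = hit
    if via is None:
        return "on-link via %s: host treats %s as directly attached, replies go nowhere useful" % (dev, client)
    if via == vpn_router:
        return "ok: replies to %s go via %s (%s), the OpenVPN router" % (client, via, prefix)
    return "asymmetric: replies to %s go via %s (%s), not the OpenVPN router" % (client, via, prefix)


# Constructed samples. The NAS uses the OpenWrt box as its gateway; the
# hypothetical home server points at another gateway, 192.168.5.254, and is
# then fixed with a static route for the VPN subnet.
NAS_ROUTES = """
default via 192.168.5.1 dev eth0
192.168.5.0/24 dev eth0 proto kernel scope link src 192.168.5.11
"""

HOME_SERVER_ROUTES = """
default via 192.168.5.254 dev ens18
192.168.5.0/24 dev ens18 proto kernel scope link src 192.168.5.16
"""

HOME_SERVER_FIXED = HOME_SERVER_ROUTES + "192.168.10.0/24 via 192.168.5.1 dev ens18\n"

if __name__ == "__main__":
    for name, table in (("NAS", NAS_ROUTES),
                        ("home server", HOME_SERVER_ROUTES),
                        ("home server + static route", HOME_SERVER_FIXED)):
        print("%-27s %s" % (name + ":", diagnose(table)))
```

On a real host, `ip route get 192.168.10.6` gives the same answer directly. If the verdict is "asymmetric", either add the static route shown in the fixed sample on that host (`ip route add 192.168.10.0/24 via 192.168.5.1`, made persistent in its network config), or have OpenWrt NAT VPN clients behind its LAN address by setting `option masq '1'` on the lan zone, so every LAN host sees the traffic as coming from 192.168.5.1 and replies there regardless of its own gateway.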

Is the firewall on those devices configured to accept connections from the VPN address range?

2 Likes