OpenVPN on a Dumb Access Point

I have recently set up a Linksys EA7300 as a dumb access point following this tutorial. I would like for this (now) dumb access point to run an OpenVPN server, and I have followed this tutorial to set up OpenVPN. However, I am not able to

  • access the internet when connecting to this VPN from my LAN using an OpenVPN client with the .ovpn file that the server provides.
  • access the OpenVPN server from outside of my LAN.

I have also set up an OpenVPN server on a (Linux) machine that is connected to this dumb access point, and I have had no problems accessing this OpenVPN server from outside of the LAN (and I am not having to use any port forwarding). I would appreciate any help determining why I cannot access the OpenVPN server on the dumb access point from outside of my LAN.

I will be glad to post copies of configuration files when I know which files are needed.

Thank you in advance!

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall
cat /etc/config/openvpn

We also need to see the main router's port forwarding config.

root@OpenWrt:~# ubus call system board
{
	"kernel": "5.15.134",
	"hostname": "OpenWrt",
	"system": "MediaTek MT7621 ver:1 eco:3",
	"model": "Linksys EA7300 v2",
	"board_name": "linksys,ea7300-v2",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.0",
		"revision": "r23497-6637af95aa",
		"target": "ramips/mt7621",
		"description": "OpenWrt 23.05.0 r23497-6637af95aa"
	}
}
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'xxxx:xxxx:xxxx::/xx'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'tun0'
	list ports 'wan'

config device
	option name 'lan1'
	option macaddr 'xx:xx:xx:xx:xx:xx'

config device
	option name 'lan2'
	option macaddr 'xx:xx:xx:xx:xx:xx'

config device
	option name 'lan3'
	option macaddr 'xx:xx:xx:xx:xx:xx'

config device
	option name 'lan4'
	option macaddr 'xx:xx:xx:xx:xx:xx'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.2'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option gateway '192.168.1.1'
	list dns '192.168.1.1'

config device
	option name 'wan'
	option macaddr 'xx:xx:xx:xx:xx:xx'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'
root@OpenWrt:~# cat /etc/config/firewall 

config defaults
	option syn_flood '1'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list device 'tun+'

config zone 'wan'
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'xxxx::/xx'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule 'ovpn'
	option name 'Allow-OpenVPN'
	option src 'wan'
	option dest_port '1194'
	option proto 'udp'
	option target 'ACCEPT'
root@OpenWrt:~# cat /etc/config/openvpn
config openvpn 'foo_VPN'
	option port '1194'
	option proto 'udp'
	option dev 'tun'
	option ca '/etc/openvpn/ca.crt'
	option cert '/etc/openvpn/server.crt'
	option key '/etc/openvpn/server.key'
	option dh '/etc/openvpn/dh2048.pem'
	option server '10.8.0.0 255.255.255.0'
	option ifconfig_pool_persist '/tmp/ipp.txt'
	option keepalive '10 120'
	option persist_key '1'
	option persist_tun '1'
	option user 'nobody'
	option status '/tmp/openvpn-status.log'
	option verb '3'

As I said, I am not forwarding any ports on the main router, but a (Linux) machine attached to the main router (actually through this dumb access point) is also running an OpenVPN server, and I am able to access this server from outside of the LAN with no problem.

Is the main router running OpenWrt?

You must be forwarding ports from the internet > linux OpenVPN server. Otherwise you wouldn't be able to connect from the wan/internet.

A partial (although less ideal -- see below) fix for your routing issue is to adjust the firewall... remove tun+ from the lan zone, create a new zone for the vpn with masquerading enabled, and then set up forwarding from vpn > lan.

config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone 'vpn'
	option name 'vpn'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list device 'tun+'
	option masq '1'

config forwarding
	option src 'vpn'
	option dest 'lan'

Better, though, is to add a static route to the main router:

10.8.0.0/24 via 192.168.1.2

This won't help your external access issue, though -- you need to port forward from the main router in order for this to work. That is to say that you need to forward:

UDP port 1194 @ wan > 192.168.1.2 port 1194

If your existing OpenVPN server is using port 1194, you could use another port, but if you plan to use port 1194 incoming, you must choose one or the other to be the active server.

I verified that I was not port forwarding 1194 to the Linux machine, and yet the OpenVPN server was accessible from outside of my LAN. Furthermore, I set up a port forward in the main router (just in case) to the dumb access point, and I am still not able to access the OpenVPN server.

As for removing tun+ from the LAN zone, I have the firewall completely disabled (as per the instructions for setting up the dumb access point).

I don't understand how that is possible (unless maybe you have a "DMZ" set, or similar). If you are able to connect from the wan (i.e. the internet) without port forwarding, that would be very unusual... and, IMO, concerning!

You need to have the firewall active for this to work (assuming you're using masquerading).

And can you point me to where it says that the firewall should be disabled? This is not something I personally recommend.... I'd love to see what reasons the documentation presents for disabling it.

I changed the remote 192.168.1.2 1194 udp to remote xxx.xxx.xxx.xxx 1194 udp in the .ovpn file, and I am now able to connect to the OpenVPN server from outside of the LAN. However, I do not have internet access when connected to the VPN. The problem is NOT with DNS as trying to access WAN IP addresses fails as well.

I have re-enabled the firewall, but I would appreciate help getting internet access working. I, apparently, need help with setting up a static route and/or firewall rules.

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'VPN'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'
	list device 'tun0'

config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list device 'tun+'

config zone 'wan'
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

Here is the quote from the tutorial:

"To save resources on the wireless AP router, disable unneeded services. Navigate to System → Startup. Disable the services labeled firewall, dnsmasq and odhcpd. (Perhaps ironically, click Enable to toggle.)"

Remove tun+ from the lan zone:

Add forwarding from VPN > lan:

config forwarding
	option src 'VPN'
	option dest 'lan'

Thanks. My personal opinion is that disabling the firewall and dnsmasq is an unnecessary step. It does note that this should not be done if you plan to add a guest network (which is correct since the firewall and dnsmasq are needed at that point), but it fails to account for other situations like yours where the firewall is also needed.

I made these changes and restarted the firewall, and I still do not have internet access.

Do you have the redirect-gateway def1 directive in your client configuration? It's not in your server config currently... personally, I push that directive to the client from the server, but it can be done either way.

Without having tun+, how will the VPN zone know about 10.8.0.0 or the tunnel?

You had tun+ in the lan zone and tun0 in the VPN zone. The comment about removing tun+ was about the lan zone... the VPN zone should be left as is.

I just tried that, and that does not seem to work either.

let's review the latest configs (network and firewall), as well as the client conf file.

I found that my OpenVPN server was running on 192.168.9.0 (instead of 10.8.0.0), and so I changed that accordingly. Also, I am running this OpenVPN on UDP port 1195 (so as not to conflict with my other server), and the port forwarding on the main router is configured accordingly.

root@OpenWrt:~# cat /etc/config/network 

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'xxxx:xxxx:xxxx::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'tun0'
	list ports 'wan'
	option macaddr 'xx:xx:xx:xx:xx:xx'

config device
	option name 'lan1'
	option macaddr 'xx:xx:xx:xx:xx:xx'

config device
	option name 'lan2'
	option macaddr 'xx:xx:xx:xx:xx:xx'

config device
	option name 'lan3'
	option macaddr 'xx:xx:xx:xx:xx:xx'

config device
	option name 'lan4'
	option macaddr 'xx:xx:xx:xx:xx:xx'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.2'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option gateway '192.168.1.1'
	list dns '192.168.1.1'

config device
	option name 'wan'
	option macaddr 'xx:xx:xx:xx:xx:xx'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'
root@OpenWrt:~# cat /etc/config/firewall 
config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'VPN'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'
	list device 'tun0'

config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone 'wan'
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config forwarding
	option src 'VPN'
	option dest 'lan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'xxxx::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule 'ovpn'
	option name 'Allow-OpenVPN'
	option src 'wan'
	option dest_port '1195'
	option proto 'udp'
	option target 'ACCEPT'
root@OpenWrt:~# cat /etc/openvpn/client.ovpn 
client
dev tun
proto udp
remote xx.xx.xx.xx 1195
resolv-retry infinite
nobind
persist-key
persist-tun
ignore-unknown-option block-outside-dns
push redirect-gateway def1
user nobody
group nogroup
auth-nocache
remote-cert-tls server
<tls-crypt-v2>
...

I'm assuming the network and firewall files were from the server side, and the openvpn client file is obviously from the client side...

Remove the tunnel (tun0) from the bridge -- a tun interface must be routed; it cannot be a bridge port.

Remove the wan device from wan6. It's part of the bridge, so it should not be used here:

Remove masquerading from the VPN zone and put it on the lan zone like this:

config zone
	option name 'VPN'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list device 'tun0'

config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	option masq '1'

This can be deleted... it's not necessary:

Since this is the client side, push directives don't do anything.

remove the push part of that line, but keep the redirect-gateway def1 part.

Reboot both devices and try again.

Unfortunately, it's still a "no go". Are there system logs that can help debugging?

Let’s see the network and firewall files from the client side.

I'm using the OpenVPN Connect client app on Android