Openvpn on OpenWrt connects but no ping

Hi all, cross-post between the LEDE forum and the OpenVPN forum. I'm having a likely routing issue with OpenVPN/OpenWrt.

Server is OpenVPN 2.4.5 on OpenWrt 18.06-SNAPSHOT r6984-fa0275bd90 on a Netgear R7800.
Clients are Android 7.1.2 and Android 8 running OpenVPN Connect 3.0.5 (1816); both clients have the same config file (except the keys) and the exact same errors and problem.

Config files below

[oconf=etc-config-firewall, using - as forward slash not allowed in ovpn config code]
config zone
	option name 'vpnserver'
	option network 'vpnserver'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option masq '1'
	option forward 'ACCEPT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'
	option forward 'ACCEPT'

config redirect
	option target 'DNAT'
	option src 'wan'
	option src_dport '443'
	option dest_ip '192.168.1.1'
	option dest_port '443'
	option name 'vpn'
	option proto 'udp'
	option dest 'lan'

config forwarding
	option dest 'lan'
	option src 'vpnserver'

config forwarding
	option dest 'wan'
	option src 'vpnserver'

# section type must be spelled 'forwarding'; fw3 silently ignores a misspelled section type
config forwarding
	option dest 'vpnserver'
	option src 'lan'
[/oconf]

[oconf=etc-config-network - to set the interface]
config interface 'vpnserver'
	option proto 'none'
	option auto '1'
	option ifname 'tun0'
[/oconf]

[oconf=etc-openvpn-openvpn.conf - the server config]
port 443
proto udp4
dev tun0
server 192.168.5.0 255.255.255.0
push "redirect-gateway def1"
client-to-client
push "dhcp-option DNS 192.168.1.1"
compress
keepalive 10 60
log /tmp/log/openvpn.log
verb 7 # for now...
user nobody
group nogroup
persist-key
persist-tun
# crypto settings
cipher AES-256-GCM
auth SHA512
tls-version-min 1.2
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
<inlined certs & keys>
[/oconf]

[oconf=android client config]
remote 192.168.1.1 443
client 
remote-cert-tls server
dev tun0 
resolv-retry infinite 
nobind 
persist-key 
persist-tun 
float 
compress
tls-version-min 1.2
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
cipher AES-256-GCM
auth SHA512
<inlined certs & keys> 
[/oconf]

The clients can connect to the VPN server/router but can't ping anything or surf the web. I've enabled IP forwarding and tweaked /etc/config/firewall and the interfaces, but the devices still can't connect or reach out once on the VPN, though when they're not on it they are fine. I've read through several tutorials, specifically https://openwrt.org/docs/guide-user/services/vpn/openvpn/server.setup.

Any suggestions - thanks!

VPN Configs
  • remote 192.168.1.1 443
    • If you're utilizing this for Gateway Redirect, this is likely correct, but if not
      • It should be: remote your.ddns.com port#

  • push "redirect-gateway def1"
    • While I know it's in many wikis/tutorials, it is not required on OpenWrt if not using Gateway Redirect
      • Most other Unix based distros, yes, but OpenWrt, no; unless you're looking to utilize it for Gateway Redirect, which secures a local network behind the router from another network also behind the router

  • port 443
    • A port >1025 should be utilized for the VPN; however, a non-standard port (i.e. not 1194) is recommended to limit firewall logging from unauthorized connection attempts to the default OpenVPN port (generally hundreds a day, however I've seen it as high as a few thousand)
      • 443 should not be the VPN port unless you're passing through an extremely restrictive firewall in front of your router.
        • As it currently stands, you're likely allowing thousands of untrusted inbound connections from WAN -> LAN, which is extremely concerning.

  • cipher AES-256-GCM & tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
    • While I also know many wikis/tutorials provide the maximum cipher settings (I too did the same until recently), there's no practical purpose for doing so unless you're the potential target of a nation state.

Firewall Config
  • option masq '1'
    • Masquerade needs to be removed from the vpnserver firewall zone
      • Masquerade is only to be used on zones containing interfaces receiving a WAN IP (i.e. only the wan interface).

  • The required firewall rules for the vpnserver zone are missing... see Firewall [Rules]

@JW0914 - thanks for the pointers, still no dice though.

VPN stuff;
I actually have a remote my.ddns.com port# entry (and do use the redirect-gateway), which I tried; I use the VPN both internally and externally, and there's still no pinging on either
port 443 - I may change this at some point, but I do sometimes encounter restrictive firewalls and I'd like to get it working first
cipher - no target on my back, but no real performance loss either; as a side note I wish we could attach a message onto any packet/flow that said something like "please don't read this" and people would respect that. Unfortunately our world doesn't work like that.

Firewall stuff;
I removed option masq 1 from the vpnserver zone

I added the following rules to my /etc/config/firewall, taken from https://openwrt.org/docs/guide-user/services/vpn/openvpn/server.comprehensive#tab__rules and slightly modified for my config (udp only, vpn network is 192.168.5.0/24)

config rule
	option name 'Allow-OpenVPN-Inbound'
	option family 'ipv4'
	option target 'ACCEPT'
	option src '*'
	option dest_port '443'
	option proto 'udp'

config rule
	option target 'ACCEPT'
	option family 'ipv4'
	option proto 'udp'
	option src 'vpnserver'
	option src_ip '192.168.5.0/24'
	option dest_ip '192.168.1.0/24'
	option name 'Allow OpenVPN -> LAN'

config rule
	option target 'ACCEPT'
	option family 'ipv4'
	option proto 'udp'
	option src 'vpnserver'
	option dest '*'
	option name 'Allow Forwarded OpenVPN -> <device>'

config rule
	option target 'ACCEPT'
	option family 'ipv4'
	option proto 'icmp'
	option src 'vpnserver'
	option src_ip '192.168.1.0/24'
	option dest 'lan'
	option name 'Allow OpenVPN (ICMP) -> LAN'

config rule
	option target 'ACCEPT'
	option family 'ipv4'
	option proto 'icmp'
	list icmp_type 'echo-request'
	option src 'vpnserver'
	option src_ip '192.168.5.0/24'
	option dest 'wan'
	option name 'Allow OpenVPN (ICMP 8: echo-request) -> WAN'

Restarted the firewall, the OpenVPN server, and even the network stack; still can't surf the web or ping anything, same results as before. Anything else?

There's a substantial hit on throughput performance, which you can see with openssl speed

  • The higher the encryption, the slower the throughput, and since there is zero added benefit for going with anything higher than AES-128, there's not a point to utilizing a higher encryption setting, unless one is a potential target of a nation state.
    • Cracking the encryption on an arbitrary data block would require resources only a nation state has, and even then is futile since the default setting is to re-key every 60min... at that point, a far better solution would be re-keying every 10min versus raising the encryption level

Allow OpenVPN (ICMP) -> LAN has the incorrect subnet listed as src, should be 192.168.5.0/24

Reboot your router, and if you still have an issue, please perform the steps in Troubleshooting for your next post.

  • Please place all code, config, and log output within code boxes... please see this post for the three ways to do so
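As an added example, not from the thread or from the OpenWrt project: a POSIX shell/awk linter for /etc/config/firewall that mechanically checks the firewall points raised in the replies above (masquerade set on the VPN zone, the missing vpnserver forwardings and inbound rule, a rule whose src_ip is not the VPN subnet), plus one thing fw3 will never complain about, a misspelled section type such as `fowarding`, which it silently ignores. The zone name, subnet and port default to the thread's values; the function names, warning messages and the two constructed sample configs are my own.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenWrt): lint a UCI firewall config
# for the mistakes discussed above. VPN_ZONE/VPN_NET/VPN_PORT default to the
# thread's values; function names, messages and both sample configs are mine.
VPN_ZONE=${VPN_ZONE:-vpnserver}
VPN_NET=${VPN_NET:-192.168.5.}   # /24 prefix: a src_ip in the zone must start with it
VPN_PORT=${VPN_PORT:-443}
# lint_firewall: reads a UCI firewall config on stdin, prints one "WARN:" line per
# finding and returns 1 if there was any finding.
lint_firewall() {
    awk -v zone="$VPN_ZONE" -v net="$VPN_NET" -v port="$VPN_PORT" -v q="'" '
    BEGIN { split("defaults zone forwarding rule redirect include ipset nat", k)
            for (i in k) known[k[i]] = 1 }
    function warn(msg) { print "WARN: " msg; n++ }
    function flush(   key) {                 # evaluate the section just read
        if (sect == "") return
        if (!(sect in known))
            warn("unknown section type \"" sect "\" (typo?) - fw3 ignores it")
        else if (sect == "zone") {
            zones[o["name"]] = 1
            if (o["name"] == zone && o["masq"] == "1")
                warn("zone " zone " sets masq 1; masquerade belongs on the wan zone only")
        } else if (sect == "forwarding")
            fwd[o["src"] ">" o["dest"]] = 1
        else if (sect == "rule") {
            if (o["src"] == zone && o["src_ip"] != "" && index(o["src_ip"], net) != 1)
                warn("rule \"" o["name"] "\" has src_ip " o["src_ip"] " outside " net "0/24")
            if (o["target"] == "ACCEPT" && o["dest"] == "" && o["dest_port"] == port &&
                (o["src"] == "wan" || o["src"] == "*"))
                inbound = 1                  # router itself accepts the tunnel port
        }
        for (key in o) delete o[key]
        sect = ""
    }
    $1 == "config" { flush(); sect = $2 }
    $1 == "option" || $1 == "list" {
        v = $0
        sub(/^[ \t]*(option|list)[ \t]+[^ \t]+[ \t]+/, "", v)   # drop "option <key> "
        sub(/[ \t]+$/, "", v)
        gsub("^[" q "\"]|[" q "\"]$", "", v)                   # strip surrounding quotes
        o[$2] = v
    }
    END {
        flush()
        if (!(zone in zones))          warn("no zone named " zone)
        if (!((zone ">lan") in fwd))   warn("no forwarding " zone " -> lan")
        if (!((zone ">wan") in fwd))   warn("no forwarding " zone " -> wan")
        if (!inbound) warn("no ACCEPT rule for udp/" port " from wan to the router")
        exit (n > 0)
    }'
}
# Constructed sample in the shape of the first post: masq on the VPN zone, a
# misspelled section type, a rule with the LAN subnet as src_ip, no inbound rule.
bad_config() { cat <<'EOF'
config zone
    option name 'vpnserver'
    option masq '1'
config forwarding
    option src 'vpnserver'
    option dest 'lan'
config fowarding
    option src 'lan'
    option dest 'vpnserver'
config rule
    option name 'Allow OpenVPN (ICMP) -> LAN'
    option src 'vpnserver'
    option src_ip '192.168.1.0/24'
    option dest 'lan'
    option target 'ACCEPT'
EOF
}
# Constructed corrected sample: no masq, both forwardings, inbound rule for udp/443.
good_config() { cat <<'EOF'
config zone
    option name 'vpnserver'
config forwarding
    option src 'vpnserver'
    option dest 'lan'
config forwarding
    option src 'vpnserver'
    option dest 'wan'
config rule
    option name 'Allow-OpenVPN-Inbound'
    option src '*'
    option proto 'udp'
    option dest_port '443'
    option target 'ACCEPT'
EOF
}
if [ "$#" -gt 0 ]; then
    lint_firewall < "$1"                 # e.g. sh lint-fw.sh /etc/config/firewall
else
    echo "== sample with the mistakes"; bad_config | lint_firewall || true
    echo "== corrected sample"; good_config | lint_firewall && echo "OK: no findings"
fi
```

Run it on the router as `sh lint-fw.sh /etc/config/firewall` (busybox awk is enough), or with no argument to watch it flag the constructed bad sample and pass the corrected one. It only covers the firewall side: if it comes back clean and clients still cannot ping, the next things to look at are the kernel route for 192.168.5.0/24 via tun0 and a tcpdump on tun0 while a client pings.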