Hi all, cross-post between the LEDE forum and the OpenVPN forum. I'm having a likely routing issue with openvpn/openwrt.
Server is openvpn 2.4.5 on OpenWrt 18.06-SNAPSHOT r6984-fa0275bd90 on a netgear r7800.
Clients are android 7.1.2 and android 8, openvpn connect 3.0.5 (1816); both clients have the same config file (except the keys) and exactly the same errors and problem.
Config files below
[oconf=etc-config-firewall, using - as forward slash not allowed in ovpn config code]
config zone
	option name 'vpnserver'
	option network 'vpnserver'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option masq '1'
	option forward 'ACCEPT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'
	option forward 'ACCEPT'

config redirect
	option target 'DNAT'
	option src 'wan'
	option src_dport '443'
	option dest_ip '192.168.1.1'
	option dest_port '443'
	option name 'vpn'
	option proto 'udp'
	option dest 'lan'

config forwarding
	option dest 'lan'
	option src 'vpnserver'

config forwarding
	option dest 'wan'
	option src 'vpnserver'

# section type must be spelled 'forwarding'; fw3 silently ignores unknown section types
config forwarding
	option dest 'vpnserver'
	option src 'lan'
[/oconf]
[oconf=etc-config-network - to set the interface]
config interface 'vpnserver'
	option proto 'none'
	option auto '1'
	option ifname 'tun0'
[/oconf]
[oconf=etc-openvpn-openvpn.conf - the server config]
port 443
proto udp4
dev tun0
server 192.168.5.0 255.255.255.0
push "redirect-gateway def1"
client-to-client
push "dhcp-option DNS 192.168.1.1"
compress
keepalive 10 60
log /tmp/log/openvpn.log
verb 7 # for now...
user nobody
group nogroup
persist-key
persist-tun
# crypto settings
cipher AES-256-GCM
auth SHA512
tls-version-min 1.2
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
<inlined certs & keys>
[/oconf]
[oconf=android client config]
remote 192.168.1.1 443
client
remote-cert-tls server
dev tun0
resolv-retry infinite
nobind
persist-key
persist-tun
float
compress
tls-version-min 1.2
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
cipher AES-256-GCM
auth SHA512
<inlined certs & keys>
[/oconf]
The clients can connect to the VPN server/router but can't ping anything or surf the web. I've enabled IP forwarding and tweaked /etc/config/firewall and the interfaces, but the devices still can't connect or reach out once on the VPN, though when they're not on it they are fine. I've read through several tutorials, specifically https://openwrt.org/docs/guide-user/services/vpn/openvpn/server.setup.
Any suggestions - thanks!
@JW0914 - thanks for the pointers, still no dice though.
VPN stuff:
I actually have a remote my.ddns.com port# entry (and do use the redirect-gateway) which I tried; I use the VPN both internally and externally - still no pinging on either
port 443 - I may change this at some point but I do sometimes encounter restrictive firewalls and I'd like to get it working first
cipher - no target on my back, but no real performance loss either; as a side note I wish we could attach a message onto any packet/flow that said something like "please don't read this" and people would respect that. Unfortunately our world doesn't work like that.
Firewall stuff:
I removed option masq 1 from vpnserver zone
I added the following rules to my /etc/config/firewall, taken from https://openwrt.org/docs/guide-user/services/vpn/openvpn/server.comprehensive#tab__rules and slightly modified for my config (udp only, vpn network is 192.168.5.0/24)
config rule
	option name 'Allow-OpenVPN-Inbound'
	option family 'ipv4'
	option target 'ACCEPT'
	option src '*'
	option dest_port '443'
	option proto 'udp'

config rule
	option target 'ACCEPT'
	option family 'ipv4'
	option proto 'udp'
	option src 'vpnserver'
	option src_ip '192.168.5.0/24'
	option dest_ip '192.168.1.0/24'
	option name 'Allow OpenVPN -> LAN'

config rule
	option target 'ACCEPT'
	option family 'ipv4'
	option proto 'udp'
	option src 'vpnserver'
	option dest '*'
	option name 'Allow Forwarded OpenVPN -> <device>'

config rule
	option target 'ACCEPT'
	option family 'ipv4'
	option proto 'icmp'
	option src 'vpnserver'
	option src_ip '192.168.1.0/24'
	option dest 'lan'
	option name 'Allow OpenVPN (ICMP) -> LAN'

config rule
	option target 'ACCEPT'
	option family 'ipv4'
	option proto 'icmp'
	list icmp_type 'echo-request'
	option src 'vpnserver'
	option src_ip '192.168.5.0/24'
	option dest 'wan'
	option name 'Allow OpenVPN (ICMP 8: echo-request) -> WAN'
Restarted the firewall, openvpn server, and even the network stack - still can't surf the web or ping anything - same results as before. Anything else?
There's a substantial hit on throughput performance, which you can see with openssl speed
- The higher the encryption, the slower the throughput, and since there is zero added benefit for going with anything higher than AES-128, there's not a point to utilizing a higher encryption setting, unless one is a potential target of a nation state.
- Cracking the encryption on an arbitrary data block would require resources only a nation state has, and even then is futile since the default setting is to re-key every 60min... at that point, a far better solution would be re-keying every 10min versus raising the encryption level
Allow OpenVPN (ICMP) -> LAN has the incorrect subnet listed as src; it should be 192.168.5.0/24.
Reboot your router, and if you still have an issue, please perform the steps in Troubleshooting for your next post.
- Please place all code, config, and log output within code boxes... please see this post for the three ways to do so
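The subnet mismatch pointed out above (a rule whose src zone is vpnserver but whose src_ip is the LAN range) and the misspelled section type in the first firewall file are both the kind of mistake fw3 accepts without complaint. The following is an added example, not code from either poster or from OpenWrt: a small Python checker that parses UCI firewall text and flags both problems. The zone-to-subnet mapping and the sample config are constructed from the values in this thread.

```python
import ipaddress
import re
# Constructed sample, not the full posted config: the mistyped "fowarding" section
# from the first firewall file plus the "Allow OpenVPN (ICMP) -> LAN" rule as posted.
SAMPLE = """
config fowarding
    option dest 'vpnserver'
    option src 'lan'
config rule
    option target 'ACCEPT'
    option src 'vpnserver'
    option src_ip '192.168.1.0/24'
    option dest 'lan'
    option name 'Allow OpenVPN (ICMP) -> LAN'
"""
# Zone -> subnet, from the thread: VPN tunnel 192.168.5.0/24, LAN 192.168.1.0/24
ZONE_SUBNETS = {"vpnserver": "192.168.5.0/24", "lan": "192.168.1.0/24"}
# Section types fw3 acts on; a misspelled type is silently ignored, not rejected
KNOWN_SECTIONS = {"defaults", "zone", "forwarding", "rule", "redirect", "include"}
_LINE = re.compile(r"^\s*(config|option|list)\s+(\S+)(?:\s+(.*))?$")

def parse_uci(text):
    """Minimal UCI parser: returns [{'type': ..., 'options': {key: [values]}}]."""
    sections = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m or line.lstrip().startswith("#"):
            continue
        kind, key, value = m.group(1), m.group(2), (m.group(3) or "").strip().strip("'\"")
        if kind == "config":
            sections.append({"type": key, "options": {}})
        elif sections:  # 'option' and 'list' both append; list keys collect several values
            sections[-1]["options"].setdefault(key, []).append(value)
    return sections

def check_firewall(text):
    """Report unknown section types and rules whose src_ip lies outside the src zone."""
    findings = []
    for sec in parse_uci(text):
        if sec["type"] not in KNOWN_SECTIONS:
            findings.append("unknown section type %r (typo?)" % sec["type"])
        elif sec["type"] == "rule":
            opts = sec["options"]
            name = opts.get("name", ["<unnamed>"])[0]
            zone = opts.get("src", [None])[0]
            subnet = ZONE_SUBNETS.get(zone)
            for cidr in opts.get("src_ip", []):
                if subnet and not ipaddress.ip_network(cidr).subnet_of(ipaddress.ip_network(subnet)):
                    findings.append("%s: src_ip %s is outside zone %s (%s)" % (name, cidr, zone, subnet))
    return findings
```

Run `check_firewall(open("/etc/config/firewall").read())` on the router (after extending ZONE_SUBNETS for your zones) to get the same two findings before reloading fw3.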