Hi there,
I have the OpenWrt 18.06 on the Linksys WRT1200AC and I've configured the OpenVPN service.
My intention is
- each connected client has its own static IP address 10.8.0.*,
- each connected client can access samba share hosted on the router,
- all the internet traffic should go through the tunnel.
Router IP is 192.168.1.1, devices have 192.168.1.100 - 192.168.1.110 addresses.
I use dynamic dns service from OVH.
My ISP (UPC) offers asynchronous connection 150 / 10 Mbit/s.
In general it works. However, once device (Moto G5 in this example below) is connected, outgoing traffic is extremely poor, almost 0 - I know I can expect 10 / 5 Mbit/s as a maximum through the VPN but Ookla cannot even run upload test while downloading is ~10 Mbit/s. So, as a result I can't even send an e-mail when I'm behind the VPN.
Could you please help me with solving this issue?
iwinfo
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.1 P-t-P:10.8.0.1 Mask:255.255.255.0
inet6 addr: fe80::162a:d3f8:92fc:fc55/64 Scope:Link
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:43991 errors:0 dropped:0 overruns:0 frame:0
TX packets:78291 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:3128995 (2.9 MiB) TX bytes:101139214 (96.4 MiB)
/etc/config/openvpn
config openvpn 'bonkowo'
option enabled '1'
option dev 'tun0'
option port '1915'
option proto 'udp'
option log '/tmp/openvpn.log'
option verb '3'
option ca '/etc/openvpn/ca.crt'
option cert '/etc/openvpn/skynet.crt'
option key '/etc/openvpn/skynet.key'
option server '10.8.0.0 255.255.255.0'
option dh '/etc/openvpn/dh.pem'
option client_config_dir '/etc/openvpn/ccd'
option topology 'subnet'
list push 'route 192.168.1.0 255.255.255.0'
list push 'redirect-gateway def1'
option keepalive '10 180'
/etc/config/firewall
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
config rule
option name 'transmission'
option src 'wan'
option target 'ACCEPT'
option proto 'tcp'
option dest_port '55666'
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp udp'
option src_dport '2211'
option dest_ip '192.168.1.1'
option dest_port '2211'
option name 'SSH'
config zone
option name 'vpn'
option input 'ACCEPT'
option forward 'ACCEPT'
option output 'ACCEPT'
option network 'vpn'
option masq '1'
config forwarding
option src 'vpn'
option dest 'wan'
config rule
option name 'OpenVPN'
option target 'ACCEPT'
option src 'wan'
option proto 'udp'
option dest_port '1915'
config forwarding
option src 'vpn'
option dest 'lan'
/etc/config/network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd77:4b85:3b6a::/48'
config interface 'lan'
option type 'bridge'
option ifname 'eth0.1'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
config interface 'wan'
option ifname 'eth1.2'
option proto 'dhcp'
config interface 'wan6'
option ifname 'eth1.2'
option proto 'dhcpv6'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '0 1 2 3 5t'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '4 6t'
config interface 'vpn'
option ifname 'tun0'
option proto 'none'
route -n #client
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.8.0.1 0.0.0.0 UG 50 0 0 tun0
0.0.0.0 192.168.43.1 0.0.0.0 UG 600 0 0 wlp4s0
10.8.0.0 0.0.0.0 255.255.255.0 U 50 0 0 tun0
xxx.xxx.xxx.xxx 192.168.43.1 255.255.255.255 UGH 600 0 0 wlp4s0
192.168.1.0 10.8.0.1 255.255.255.0 UG 50 0 0 tun0
192.168.43.0 0.0.0.0 255.255.255.0 U 600 0 0 wlp4s0
192.168.43.1 0.0.0.0 255.255.255.255 UH 600 0 0 wlp4s0
vpn client config
client
ca ca.crt
cert moto.crt
dev tun0
key moto.key
proto udp
remote subdomena.domena.ovh 1915
remote-cert-tls server
verb 3
grep 10.8.0.2 /tmp/openvpn.log
Sun Oct 14 17:27:33 2018 /sbin/ifconfig tun0 10.8.0.1 netmask 255.255.255.0 mtu 1500 broadcast 10.8.0.255
Sun Oct 14 17:27:33 2018 IFCONFIG POOL: base=10.8.0.2 size=252, ipv6=0
Sun Oct 14 17:30:33 2018 moto/xxx.xxx.101.197:xxx MULTI: Learn: 10.8.0.2 -> moto/xxx.xxx.101.197:xxx
Sun Oct 14 17:30:33 2018 moto/xxx.xxx.101.197:xxx MULTI: primary virtual IP for moto/xxx.xxx.101.197:xxx: 10.8.0.2
Sun Oct 14 17:30:34 2018 moto/xxx.xxx.101.197:xxx SENT CONTROL [moto]: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0,redirect-gateway def1,route-gateway 10.8.0.1,topology subnet,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1)
Best regards, Przemek