OpenVPN 'redirect-gateway def1' and local network DNS .lan

OpenWrt 18.06.1 r7258

Hi all,

I've been reading through multiple threads on OpenVPN in the OpenWrt forums and am stuck on two configurations that worked for me in prior builds, for which I cannot quite find a solution in other threads.

  1. In the past, when I wanted my client machines to assume the public IP of the VPN server, I could add list push 'redirect-gateway def1' to the server openvpn config and it would just work. Adding this in my current configuration breaks connectivity. Without it in the openvpn config I can browse local and external resources.

  2. I can only browse to local machine names by appending .lan to the end of their DNS name. Is there any way to push or assume the .lan so that it works without having to type .lan? When I am inside the network and not on VPN, I do not have to type .lan.

Any help is much appreciated.

  1. Please see Troubleshooting, specifically #4
    • #2 (below) implies you're running an OpenVPN server on your router, but your information regarding "to assume the public IP of the VPN server" implies this is a client configuration... which are you running?

  2. You're likely not pushing WINS, or the local domain [workgroup on Windows] is not the same on the OpenVPN client; either way, the information from #1 will provide more insight.

Hi JW, thanks for the follow-up. Below are the firewall, network and openvpn configs. This is a VPN server config on my router. The client I was referring to was the remote device (in this case a MacBook laptop) that is connecting into the VPN.

uci show firewall

firewall.@rule[0]=rule
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[0].proto='tcp udp'
firewall.@rule[0].src='wan'
firewall.@rule[0].dest_port='5000'
firewall.@rule[0].name='vpnportforward'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-DHCP-Renew'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='udp'
firewall.@rule[1].dest_port='68'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[1].family='ipv4'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-Ping'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='icmp'
firewall.@rule[2].icmp_type='echo-request'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-IGMP'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='igmp'
firewall.@rule[3].family='ipv4'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-DHCPv6'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='udp'
firewall.@rule[4].src_ip='fc00::/6'
firewall.@rule[4].dest_ip='fc00::/6'
firewall.@rule[4].dest_port='546'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-MLD'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].src_ip='fe80::/10'
firewall.@rule[5].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Input'
firewall.@rule[6].src='wan'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-ICMPv6-Forward'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='*'
firewall.@rule[7].proto='icmp'
firewall.@rule[7].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[7].limit='1000/sec'
firewall.@rule[7].family='ipv6'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-IPSec-ESP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].proto='esp'
firewall.@rule[8].target='ACCEPT'
firewall.@rule[9]=rule
firewall.@rule[9].name='Allow-ISAKMP'
firewall.@rule[9].src='wan'
firewall.@rule[9].dest='lan'
firewall.@rule[9].dest_port='500'
firewall.@rule[9].proto='udp'
firewall.@rule[9].target='ACCEPT'
firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].network='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].network='wan' 'wan6'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.@zone[2]=zone
firewall.@zone[2].name='vpn'
firewall.@zone[2].network='vpn0'
firewall.@zone[2].input='ACCEPT'
firewall.@zone[2].output='ACCEPT'
firewall.@zone[2].forward='REJECT'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].dest='vpn'
firewall.@forwarding[1].src='lan'
firewall.@forwarding[2]=forwarding
firewall.@forwarding[2].dest='lan'
firewall.@forwarding[2].src='vpn'

uci show network

network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='XXXXXXXXXX'
network.lan=interface
network.lan.type='bridge'
network.lan.ifname='eth0.1'
network.lan.proto='static'
network.lan.ipaddr='192.168.1.1'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.wan=interface
network.wan.ifname='eth1.2'
network.wan.proto='dhcp'
network.wan6=interface
network.wan6.ifname='eth1.2'
network.wan6.proto='dhcpv6'
network.@switch[0]=switch
network.@switch[0].name='switch0'
network.@switch[0].reset='1'
network.@switch[0].enable_vlan='1'
network.@switch_vlan[0]=switch_vlan
network.@switch_vlan[0].device='switch0'
network.@switch_vlan[0].vlan='1'
network.@switch_vlan[0].ports='0 1 2 3 5t'
network.@switch_vlan[1]=switch_vlan
network.@switch_vlan[1].device='switch0'
network.@switch_vlan[1].vlan='2'
network.@switch_vlan[1].ports='4 6t'
network.vpn0=interface
network.vpn0.ifname='tun0'
network.vpn0.proto='none'

uci show openvpn

openvpn.vpnserver=openvpn
openvpn.vpnserver.proto='udp'
openvpn.vpnserver.enabled='1'
openvpn.vpnserver.dev='tun0'
openvpn.vpnserver.topology='subnet'
openvpn.vpnserver.port='5000'
openvpn.vpnserver.server='10.1.0.0 255.255.255.240'
openvpn.vpnserver.ifcofig='10.1.0.1 255.255.255.240'
openvpn.vpnserver.push='route 192.168.1.0 255.255.255.0' 'dhcp-option    DNS 192.168.1.1' 'dhcp-option    NTP 45.56.123.24' 'dhcp-option    WINS 192.168.1.1' 'compress lz4' 'sndbuf 393216' 'rcvbuf 393216'
openvpn.vpnserver.dh='/etc/ssl/openvpn/dh2048.pem'
openvpn.vpnserver.auth='SHA512'
openvpn.vpnserver.pkcs12='/etc/ssl/openvpn/vpn-server.p12'
openvpn.vpnserver.cipher='AES-128-CBC'
openvpn.vpnserver.tls_server='1'
openvpn.vpnserver.tls_version_min='1.2'
openvpn.vpnserver.tls_crypt='/etc/ssl/openvpn/tls-crypt.key'
openvpn.vpnserver.tls_cipher='TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256:TLS-ECDH-RSA-WITH-AES-128-GCM-SHA256:!aNULL:!eNULL:!LOW:!3DES:!MD5:!SHA:!EXP:!PSK:!SRP:!DSS:!RC4:!kRSA'
openvpn.vpnserver.status='/tmp/openvpn-status.log'
openvpn.vpnserver.keepalive='10 120'
openvpn.vpnserver.compress='lz4'
openvpn.vpnserver.client_to_client='1'
openvpn.vpnserver.persist_key='1'
openvpn.vpnserver.persist_tun='1'
openvpn.vpnserver.sndbuf='393216'
openvpn.vpnserver.rcvbuf='393216'
openvpn.vpnserver.fragment='0'
openvpn.vpnserver.mssfix='0'
openvpn.vpnserver.tun_mtu='48000'
openvpn.vpnserver.user='nobody'
openvpn.vpnserver.group='nogroup'
openvpn.vpnserver.verb='5'

logread -l 250 -e openvpn

Tue Dec  4 20:54:50 2018 daemon.notice openvpn(vpnserver)[9361]: MULTI: multi_create_instance called
Tue Dec  4 20:54:50 2018 daemon.notice openvpn(vpnserver)[9361]: clientIP:38783 Re-using SSL/TLS context
Tue Dec  4 20:54:50 2018 daemon.notice openvpn(vpnserver)[9361]: clientIP:38783 LZ4 compression initializing
Tue Dec  4 20:54:50 2018 daemon.notice openvpn(vpnserver)[9361]: clientIP:38783 Control Channel MTU parms [ L:48122 D:1156 EF:94 EB:0 ET:0 EL:3 ]
Tue Dec  4 20:54:50 2018 daemon.notice openvpn(vpnserver)[9361]: clientIP:38783 Data Channel MTU parms [ L:48122 D:48122 EF:122 EB:8156 ET:0 EL:3 ]
Tue Dec  4 20:54:50 2018 daemon.notice openvpn(vpnserver)[9361]: clientIP:38783 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 48102,tun-mtu 48000,proto UDPv4,comp-lzo,cipher AES-128-CBC,auth SHA512,keysize 128,key-method 2,tls-server'
Tue Dec  4 20:54:50 2018 daemon.notice openvpn(vpnserver)[9361]: clientIP:38783 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 48102,tun-mtu 48000,proto UDPv4,comp-lzo,cipher AES-128-CBC,auth SHA512,keysize 128,key-method 2,tls-client'
Tue Dec  4 20:54:50 2018 daemon.notice openvpn(vpnserver)[9361]: clientIP:38783 TLS: Initial packet from [AF_INET]clientIP:38783, sid=53e6863a f697cd57
Tue Dec  4 20:54:51 2018 daemon.notice openvpn(vpnserver)[9361]: clientIP:38783 VERIFY OK: depth=1, C=US, ST=MI, L=SOMEPLACE, O=Intertubes, OU=LAN, CN=intertubes.lan
Tue Dec  4 20:54:51 2018 daemon.notice openvpn(vpnserver)[9361]: clientIP:38783 VERIFY OK: depth=0, C=US, ST=MI, L=SOMEPLACE, O=Intertubes, OU=LAN, CN=IntertubesClient
Tue Dec  4 20:54:52 2018 daemon.notice openvpn(vpnserver)[9361]: clientIP:38783 peer info: IV_VER=2.4.6
Tue Dec  4 20:54:52 2018 daemon.notice openvpn(vpnserver)[9361]: clientIP:38783 peer info: IV_PLAT=mac
Tue Dec  4 20:54:52 2018 daemon.notice openvpn(vpnserver)[9361]: clientIP:38783 peer info: IV_PROTO=2
Tue Dec  4 20:54:52 2018 daemon.notice openvpn(vpnserver)[9361]: clientIP:38783 peer info: IV_NCP=2
Tue Dec  4 20:54:52 2018 daemon.notice openvpn(vpnserver)[9361]: clientIP:38783 peer info: IV_LZ4=1
Tue Dec  4 20:54:52 2018 daemon.notice openvpn(vpnserver)[9361]: clientIP:38783 peer info: IV_LZ4v2=1
Tue Dec  4 20:54:52 2018 daemon.notice openvpn(vpnserver)[9361]: clientIP:38783 peer info: IV_LZO=1
Tue Dec  4 20:54:52 2018 daemon.notice openvpn(vpnserver)[9361]: clientIP:38783 peer info: IV_COMP_STUB=1
Tue Dec  4 20:54:52 2018 daemon.notice openvpn(vpnserver)[9361]: clientIP:38783 peer info: IV_COMP_STUBv2=1
Tue Dec  4 20:54:52 2018 daemon.notice openvpn(vpnserver)[9361]: clientIP:38783 peer info: IV_TCPNL=1
Tue Dec  4 20:54:52 2018 daemon.notice openvpn(vpnserver)[9361]: clientIP:38783 peer info: IV_GUI_VER="net.tunnelblick.tunnelblick_5180_3.7.8__build_5180)"
Tue Dec  4 20:54:52 2018 daemon.warn openvpn(vpnserver)[9361]: clientIP:38783 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 48102', remote='link-mtu 48101'
Tue Dec  4 20:54:52 2018 daemon.warn openvpn(vpnserver)[9361]: clientIP:38783 WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
Tue Dec  4 20:54:52 2018 daemon.notice openvpn(vpnserver)[9361]: clientIP:38783 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES128-GCM-SHA256, 2048 bit RSA
Tue Dec  4 20:54:52 2018 daemon.notice openvpn(vpnserver)[9361]: clientIP:38783 [IntertubesClient] Peer Connection Initiated with [AF_INET]clientIP:38783
Tue Dec  4 20:54:52 2018 daemon.notice openvpn(vpnserver)[9361]: IntertubesClient/clientIP:38783 MULTI_sva: pool returned IPv4=10.1.0.2, IPv6=(Not enabled)
Tue Dec  4 20:54:52 2018 daemon.notice openvpn(vpnserver)[9361]: IntertubesClient/clientIP:38783 MULTI: Learn: 10.1.0.2 -> IntertubesClient/clientIP:38783
Tue Dec  4 20:54:52 2018 daemon.notice openvpn(vpnserver)[9361]: IntertubesClient/clientIP:38783 MULTI: primary virtual IP for IntertubesClient/clientIP:38783: 10.1.0.2
Tue Dec  4 20:54:54 2018 daemon.notice openvpn(vpnserver)[9361]: IntertubesClient/clientIP:38783 PUSH: Received control message: 'PUSH_REQUEST'
Tue Dec  4 20:54:54 2018 daemon.notice openvpn(vpnserver)[9361]: IntertubesClient/clientIP:38783 SENT CONTROL [IntertubesClient]: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0,dhcp-option    DNS 192.168.1.1,dhcp-option    NTP 45.56.123.24,dhcp-option    WINS 192.168.1.1,compress lz4,sndbuf 393216,rcvbuf 393216,route-gateway 10.1.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.1.0.2 255.255.255.240,peer-id 0,cipher AES-256-GCM' (status=1)
Tue Dec  4 20:54:54 2018 daemon.notice openvpn(vpnserver)[9361]: IntertubesClient/clientIP:38783 Data Channel: using negotiated cipher 'AES-256-GCM'
Tue Dec  4 20:54:54 2018 daemon.notice openvpn(vpnserver)[9361]: IntertubesClient/clientIP:38783 Data Channel MTU parms [ L:48050 D:48050 EF:50 EB:8156 ET:0 EL:3 ]
Tue Dec  4 20:54:54 2018 daemon.notice openvpn(vpnserver)[9361]: IntertubesClient/clientIP:38783 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Dec  4 20:54:54 2018 daemon.notice openvpn(vpnserver)[9361]: IntertubesClient/clientIP:38783 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key

vpnclient.ovpn

# Config Type #
#------------------------------------------------
client

# Connection  #
#------------------------------------------------
dev tun
proto udp
remote my ddns.com 5000

# Speed #
#------------------------------------------------
mssfix 0
fragment 0
tun-mtu 48000

# Reliability #
#------------------------------------------------
nobind
resolv-retry infinite


# Encryption #
#------------------------------------------------
auth-nocache
auth SHA512

# --- SSL --- #
cipher AES-128-CBC

# --- TLS --- #
tls-version-min 1.2

ca OpenWrt-OpenVPN_ICA-Chain.crt.pem
cert vpn-client1.crt.pem
key vpn-client1.key.pem

remote-cert-eku "TLS Web Server Authentication"

<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
KeyStuffsHere
-----END OpenVPN Static key V1-----
</tls-crypt>

# Logging #
#------------------------------------------------
verb 7

Apparently having NTP 45.56.123.24 in the OpenVPN server config makes external DNS not work (cannot browse to Google but can still see 192.168.1.1). Also, the errors below are coming from the VPN client.

2018-12-04 21:34:01 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 48101', remote='link-mtu 48102'

2018-12-04 21:34:01 WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'

You need another forwarding rule in the firewall src vpn, dest wan.

On the WAN access issue, @psherman showed where the issue was, which can also be found in the Comprehensive wiki under Redirect Gateway.

An ISP's, or any private organization's, NTP should never be utilized; instead, the National Standards Institute for any arbitrary country should be utilized.

  • For the US, this would be the hostname time.nist.gov; however, OpenVPN requires an actual IP, which is garnished from NIST's NTP site.
    • Time-C rarely goes down from overload, so I always recommend it: 129.6.15.30

This has me perplexed, as it's configuring the Link [interface] MTU with the Tunnel MTU's value (the link MTU should be 1500 or less). While you can specify a link-mtu in the server and client configs, not only should this not be necessary, it can create issues, since it works best when the server and client are able to auto-configure their interface MTUs (usually 1450, 1480, etc.; rarely is it 1500 exactly).

This can be safely disregarded; however, if you're utilizing OpenVPN v2.4 (you should be, as it brought much needed improvements and features), comp-lzo 'yes' has been deprecated and should be changed to compress 'lz4'.

This is also perplexing, as you've specified AES-128-CBC in the server and client configs, yet it's utilizing AES-256-GCM for the Data Channel. Since AES256 is unnecessary, as AES128 will remain un-crackable until at least 2030, I'd investigate this when you have time.

Was away on vacation and just recently able to make adjustments to the router...

Thanks @psherman -- the missing firewall rule got me up and running while having 'redirect-gateway def1' in place.

Thanks @JW0914 for the feedback on the NTP server address, link-mtu, compression and pushing the domain. Adding " list push 'dhcp-option DOMAIN lan' " allowed me to browse to local machines by only their machine name. However, I am seeing slow traffic and error messages in the client when I am connecting to local http/https traffic, namely this from the client side:

2018-12-19 21:55:58 AEAD Decrypt error: bad packet ID (may be a replay): [ #160 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings

2018-12-19 21:55:58 AEAD Decrypt error: bad packet ID (may be a replay): [ #161 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings

2018-12-19 21:56:01 AEAD Decrypt error: bad packet ID (may be a replay): [ #163 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings

2018-12-19 21:56:01 AEAD Decrypt error: bad packet ID (may be a replay): [ #432 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings

It keeps going as long as data is transferring....
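The two fixes that resolved this thread (a vpn→wan forwarding, per @psherman, and pushing 'dhcp-option DOMAIN lan') can be checked for mechanically. The script below is an added example, not code from the thread or from OpenWrt: it parses `uci show firewall` / `uci show openvpn` output held in constructed sample variables (the poster's lines with 'redirect-gateway def1' appended to the push list) and reports each missing piece together with the uci commands that add it; the section name `vpnserver` and zone name `vpn` are the ones from the poster's config.

```shell
#!/bin/sh
# Added example; not code from the thread or from OpenWrt. Checks `uci show`
# dumps for the two problems discussed in this thread:
#   1. 'redirect-gateway def1' is pushed but no vpn->wan forwarding exists,
#      so clients' Internet-bound traffic is dropped by the firewall;
#   2. no 'dhcp-option DOMAIN' is pushed, so short names need '.lan'.
# It needs no router; on OpenWrt the dumps would come from "$(uci show firewall)".

# Constructed sample: the poster's relevant lines, with 'redirect-gateway def1'
# appended to the push list as described in their first question.
SAMPLE_FIREWALL="firewall.@zone[2]=zone
firewall.@zone[2].name='vpn'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].dest='vpn'
firewall.@forwarding[1].src='lan'
firewall.@forwarding[2]=forwarding
firewall.@forwarding[2].dest='lan'
firewall.@forwarding[2].src='vpn'"
SAMPLE_OPENVPN="openvpn.vpnserver.push='route 192.168.1.0 255.255.255.0' 'dhcp-option    DNS 192.168.1.1' 'redirect-gateway def1'"

# Print every forwarding section of a firewall dump as "src>dest", one per line.
forwardings() {
    printf '%s\n' "$1" | tr -d "'" | awk -F'[.=]' '
        /^firewall\.@forwarding\[[0-9]+\]\.(src|dest)=/ { v[$2, $3] = $4; seen[$2] = 1 }
        END { for (s in seen) print v[s, "src"] ">" v[s, "dest"] }'
}

# $1 firewall dump, $2 src zone, $3 dest zone: succeed if that forwarding exists.
has_forwarding() {
    forwardings "$1" | grep -qx "$2>$3"
}

# $1 openvpn dump, $2 option (grep BRE): succeed if any section pushes it.
pushes_option() {
    printf '%s\n' "$1" | grep -q "^openvpn\.[^.]*\.push=.*'$2"
}

# $1 firewall dump, $2 openvpn dump, $3 zone holding the tun interface.
# Prints one finding per line with the uci commands that fix it, or "ok".
check_vpn_config() {
    n=0
    if pushes_option "$2" "redirect-gateway" && ! has_forwarding "$1" "$3" wan; then
        echo "redirect-gateway pushed but no forwarding $3->wan; fix: uci add firewall forwarding; uci set firewall.@forwarding[-1].src='$3'; uci set firewall.@forwarding[-1].dest='wan'; uci commit firewall; /etc/init.d/firewall reload"
        n=$((n + 1))
    fi
    if ! pushes_option "$2" "dhcp-option *DOMAIN"; then
        echo "no DOMAIN pushed, short names need .lan; fix: uci add_list openvpn.vpnserver.push='dhcp-option DOMAIN lan'; uci commit openvpn; /etc/init.d/openvpn restart"
        n=$((n + 1))
    fi
    if [ "$n" -eq 0 ]; then echo ok; fi
    return 0
}
check_vpn_config "$SAMPLE_FIREWALL" "$SAMPLE_OPENVPN" vpn
```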

Please place all code, config, and log output within code boxes... there are three ways to do so.

Did you look up the man page entries?