Openvpn routing problem

Serj-47 · June 6, 2022, 9:50pm

I have two routers. The first router has a cable inserted from the provider into the wan, and it distributes the Internet over Lan and Wlan, i.e. it works in standard mode. The second router connected to the first ( Lan-Lan) and works in the switch mode and as an openvpn server, for this I disabled dhcp on the Lan interface, registered a static ip from my local network and configured openvpn on the second router according to the openwrt wiki. Now I can connect to my home vpn server from my phone using a mobile network and the 'openvpn for android' application downloaded from f-droid. The problem is that the traffic does not pass beyond my openvpn server. when I try to ping google dns or my home gateway, I get...

From 10.8.0.1: icmp_seq=4 Destination Port Unreachable

i also wanted to say that I turned off the firewall on the second router to avoid unnecessary settings and wanted to mention that according to the wiki I configured the routing in this way:

uci add_list openvpn.myvpn.push='route 192.168.1.0 255.255.255.0'
uci add_list openvpn.myvpn.push='redirect-gateway def1'

In the settings of the openvpn for android application, I tried to leave the default routes and force all traffic through the vpn, but it didn't work

Guys, tell me, what kind of logs should I send you to understand the problem?

psherman · June 6, 2022, 9:51pm

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:

Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/firewall

ulmwind · June 7, 2022, 8:13am

It is bad idea. I suppose, you are going to configure tun interface. How second router running OpenVPN server connect to Internet? See routing table. The 'standard' configuration is to connect WAN port of second router into LAN port of first router.

trendy · June 7, 2022, 10:36am

From a first look R1 doesn't seem to have a static route for 10.8.0.0/24 via R2. This is necessary, since you have disabled firewall on R2 and you cannot masquerade traffic from tunnel.

Serj-47 · June 7, 2022, 1:19pm

There is a lack of free lan ports on R1. Therefore, in order for the devices connected to the lan ports of R2 to be in the same subnet as the devices connected to the lan ports of R1, I do not use wan on R2. In order for the Internet to work on R2, I also prescribed gateway and dns R1. And of course I configured the openvpn port forwarding to R1.

As for routing R1 and R2:
R1

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default           My-static-IP   0.0.0.0         UG    0      0        0 wan
My-static-IP   *               255.255.255.240 U     0      0        0 wan
192.168.1.0     *               255.255.255.0   U     0      0        0 br-lan

R2 with installed openvpn server

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.1.1     0.0.0.0         UG    0      0        0 br-lan
10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun0
10.8.0.2        *               255.255.255.255 UH    0      0        0 tun0
192.168.1.0     *               255.255.255.0   U     0      0        0 br-lan

mk24 · June 7, 2022, 1:41pm

Like Trendy said, in R1 you need to install a route 10.8.0.0/24 via 192.168.1.X where X is R2's IP on the R1 LAN. Then when Internet or LAN request packets from the phone 10.8.0.2 appear on the R1 LAN, R1 knows to send the replies to R2 so they can be forwarded into the VPN tunnel and sent back to the phone.

The other approach is to use NAT in R2, which requires re-enabling the firewall and setting up two firewall zones such as vpn and lan and enabling forwarding from vpn to lan, and enable masquerade on lan. Now an Internet request from the phone will be translated inside R2 to appear to be from R2's interface on the 192.168.1.0 LAN, and R1 can deal with it directly without an additional route.

Serj-47 · June 7, 2022, 4:20pm

thanks for anwer, I understand you about routing. I read a little wiki, and I see that not everything is so simple for me. routing commands vary depending on the windows, unix, and openwrt platforms. Could you give an example of a command to route traffic to R1 in my case...

mk24 · June 7, 2022, 4:48pm

Then you'd want to look at the other way, which would be to have R2 NAT the phone into your LAN. That is done entirely within R2.

trendy · June 7, 2022, 7:07pm

Serj-47 · June 12, 2022, 9:41pm

Can I just use the route command to add a route? It's just that when I try to add a route manually on R1, I get an error.

root@OpenWrt:~# route add 10.8.0.0/24 192.168.1.96
route: netmask 000000ff and host route conflict

trendy · June 13, 2022, 7:55am

You can. You are usinging it wrongly though:

root@whale:[~]#route --help
BusyBox v1.33.2 (2022-02-16 20:29:10 UTC) multi-call binary.

Usage: route [-ne] [-A inet[6]] [{add|del} [-net|-host] TARGET [netmask MASK]
        [gw GATEWAY] [metric N] [mss BYTES] [window BYTES] [reject] [IFACE]]

Moreover it will not be restored if the interface goes down or router is reloaded.
It's better to use the uci static routes.

Serj-47 · June 15, 2022, 4:30pm

I added a route to r2 on r1. Now r1 can ping the openvpn gateway 10.8.0.1. However, from my phone, I still cannot ping any subnet address 192.168.1.0/24, except for the address of openvpn itself 10.8.0.1 and 192.168.1.96, only these two addresses pinged normally from my phone.

Upon successful connection to openvpn, the phone receives the ip address 10.8.0.6, I also tried to ping the phone with r1, and the ping also failed.
Also in the logs of the 'openvpn for android' application I see that the routes are assigned correctly:

19:31 Routes: 10.8.0.1/32, 10.8.0.4/30, 192.168.1.0/24

mk24 · June 15, 2022, 6:13pm

That doesn't seem right. Your 10.8.0.0 network is a /24.

Can you ping 10.8.0.6 from the OpenWrt router? Assuming the phone answers those pings it should also answer them originated from the main router.

Serj-47 · June 15, 2022, 7:04pm

I cannot ping the phone from the OpenWRT router(R1), the phone normally pings from the OpenVPN server(R2), and also from the phone itself I can only ping the OpenVPN server 192.168.1.96 and 10.8.0.6. But no other resources networks are not available from the phone.

trendy · June 15, 2022, 9:19pm

You probably still have a routing issue and R1 doesn't know where to find the OpenVPN subnet. You can quickly bypass that by enabling masquerade on lan zone of R2.

Serj-47 · June 16, 2022, 1:51pm

Hi guys. Yesterday I spent several hours trying to figure out why the routing does not work, although I added a route to the 10.8.0.0 network on R1. But it never worked, and it was already late and I just went to bed). And so, this morning I just rebooted R2 , and after turning it on everything works and now I can ping my local network from phone! I suspect that after adding a new route on R1, I just needed to restart two services on R2, first network and then openvpn. Thank you all!

system · June 26, 2022, 1:51pm

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.