Openvpn server, can't reach internet

Installing and Using OpenWrt
1

Hello everyone
I have installed a vpn server and it works if I try within lan.
After that, the router cannot get online. Can't find what I forgot to configure.
I used template: "Server configuration for an Ethernet bridge VPN"
I have interface openvpn (tun0).
Have looked around the configuration and everything looks fine, but not working. Missed something and can't figure out what!?

config rule
	option name 'Allow-OpenVPN'
	list proto 'udp'
	option src 'wan'
	option target 'ACCEPT'
	option dest_port '1234'
config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list device 'tun0'
	list network 'Openvpn'
	list network 'wan'
	list network 'wan6'
	list network 'wg0'

Thanks for suggestions.

Octopus

2

Is your router directly connected to the internet?
If so what are the first two octets of the WAN interface e.g. XXX.YYY

This so we can see if you have a publicly available WAN ip address

Furthermore, please connect to your OpenWRT device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:

Remember to redact keys, passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall
ip route show
cat /etc/config/openvpn
for ovpn in $(ls /etc/openvpn/*.ovpn);do echo $ovpn; cat $ovpn; echo;done
for vpn in $(ls /tmp/etc/openvpn*.conf);do echo $vpn;cat $vpn;echo;done
logread | grep openvpn

On a side note setting up WireGuard is easier and faster, see:
https://openwrt.org/docs/guide-user/services/vpn/wireguard/road-warrior
or
https://openwrt.org/docs/guide-user/services/vpn/wireguard/server

But of course you still need a publicly available WAN IP address

3

It should be tap0 for bridge mode both here and in the openvpn config.
But for bridge mode what you have to do is join lan with tap0 . Everything above is enough except the firewall port entry

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1.1'
	list ports 'tap0'

extra

config interface 'vpntap'
	option proto 'none'
	option device 'tap0'

in /etc/config/network
cheers!

edit

config openvpn 'tapserver'
	option enabled '1'
	option tls_server '1'
	option port '12191'
	option proto 'udp'
	option dev 'tap0'
	option dev_type 'tap'
	option server_bridge '192.168.1.1 255.255.255.0 192.168.1.168 192.168.1.177'
	list push 'redirect-gateway def1'
	list push 'dhcp-option DNS 192.168.1.1'
	option ca '/etc/openvpn/ca.crt'
	option cert '/etc/openvpn/servidor.crt'
	option key '/etc/openvpn/servidor.key'
	option dh '/etc/openvpn/dh2048.pem'
	option tls_auth '/etc/openvpn/tls-auth.key'
	option key_direction '0'
	option cipher 'AES-128-CBC'
	list data_ciphers 'AES-128-GCM:AES-192-CBC:AES-128-CBC:BF-CBC'
	option auth 'SHA224'
	option ifconfig_pool_persist '/etc/openvpn/ipptap.txt'
	option client_config_dir '/etc/openvpn/ccd'
	option keepalive '10 120'
	option persist_key '1'
	option persist_tun '1'
	option user 'nobody'
	option group 'nogroup'
	option client_to_client '1'
	option max_clients '10'
	option mute '20'
	option verb '4'
	option log_append '/var/log/openvpn.tapserver.log'
	option status_version '2'
	option comp_lzo 'no'
#	option compress lzo

my working config.
Each client that connects will have an IP in the range of the router

4

Thanks for your reply, sorry it took so long to reply.

I use routed client TUN.
My server works and starts and I can connect in LAN.
Can't test via the internet as I have CGNAT (100.) on the test router.

My problem was probably that I hadn't created the internet or firewall rules.
Nothing on the router could reach the internet.

Not sure how it should be.
Is there any LUCI description?

I have reset and started over and will soon configure my vpn TUN server again.

@egc

config openvpn 'openvpn_1'
	option dev 'tun'
	option comp_lzo 'no'
	option dh '/etc/openvpn/openvpn_1/dh.pem'
	option mssfix '1420'
	option keepalive '15 60'
	option key '/etc/openvpn/openvpn_1/server.key'
	option cert '/etc/openvpn/openvpn_1/server.crt'
	option verb '3'
	option ca '/etc/openvpn/openvpn_1/ca.crt'
	option server '10.0.100.0 255.255.255.0'
	option port '1234'
	option key_direction '1'
	option proto 'udp'
	option fast_io '1'
	option cipher 'AES-256-GCM'
	option auth_nocache '0'
	option tls_crypt '/etc/openvpn/openvpn_1/tlscrypt.key'
	option multihome '1'
	option log '/tmp/openvpn_1.log'
	list data_ciphers 'AES-256-GCM'
	list data_ciphers 'AES-256-CBC'
	list data_ciphers 'AES-128-GCM'
	option enabled '1'