OpenVPN - server network is not reachable from clients


Hello,
As the title says, I cannot reach any device on the server's network from my client behind my OpenWrt router.
The VPN connection is up and working. In my client OpenVPN config I added these three pull-filter ignore directives, because at first my router routed everything through the VPN. Another thing: my router can reach the server network 192.168.1.0/24, but my PC behind my router cannot.

vpnclient.conf //client

# OpenVPN client configuration as posted (certificates and keys elided at the end).
client
dev tun0
proto udp
remote familie-schwenk.selfhost.bz 1194
resolv-retry infinite
nobind
# NOTE(review): comp-lzo is deprecated in recent OpenVPN releases; confirm the server still requires it.
comp-lzo
persist-key
persist-tun
# The peer must present a certificate with the server role; a plain client certificate is rejected.
remote-cert-tls server
key-direction 1
cipher AES-256-CBC
verb 3
# These pull-filters discard options pushed by the server: the redirect-gateway push is ignored so the
# router does not send all traffic through the VPN, and the pushed dhcp-option lines are ignored as well.
pull-filter ignore "redirect-gateway def1 bypass-dhcp"
pull-filter ignore "dhcp-option DNS 192.168.1.1"
pull-filter ignore "dhcp-option familie-schwenk.selfhost.bz"
# Static route so traffic for the server-side LAN 192.168.1.0/24 is sent into the tunnel.
route 192.168.1.0 255.255.255.0
[... all certs and keys]

route -n //client

Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.101.1 0.0.0.0 UG 0 0 0 wlan1
10.8.0.1 10.8.0.5 255.255.255.255 UGH 0 0 0 tun0
10.8.0.5 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
192.168.1.0 10.8.0.5 255.255.255.0 UG 0 0 0 tun0
192.168.3.0 0.0.0.0 255.255.255.0 U 0 0 0 br-lan
192.168.101.0 0.0.0.0 255.255.255.0 U 0 0 0 wlan1

ip address list //client

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br-lan state UP group default qlen 1000
link/ether e4:95:6e:45:1f:ee brd ff:ff:ff:ff:ff:ff
3: eth1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq master br-wan state DOWN group default qlen 1000
link/ether e4:95:6e:45:1f:ef brd ff:ff:ff:ff:ff:ff
6: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1380 qdisc noqueue state UP group default qlen 1000
link/ether e4:95:6e:45:1f:ee brd ff:ff:ff:ff:ff:ff
inet 192.168.3.1/24 brd 192.168.3.255 scope global br-lan
valid_lft forever preferred_lft forever
inet6 fde7:1a1b:4db7::1/60 scope global noprefixroute
valid_lft forever preferred_lft forever
inet6 fe80::e695:6eff:fe45:1fee/64 scope link
valid_lft forever preferred_lft forever
7: br-wan: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
link/ether e4:95:6e:45:1f:ef brd ff:ff:ff:ff:ff:ff
9: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP group default qlen 1000
link/ether e4:95:6e:45:1f:ee brd ff:ff:ff:ff:ff:ff
inet6 fe80::e695:6eff:fe45:1fee/64 scope link
valid_lft forever preferred_lft forever
12: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1380 qdisc noqueue state UP group default qlen 1000
link/ether e4:95:6e:45:1f:ef brd ff:ff:ff:ff:ff:ff
inet 192.168.101.108/24 brd 192.168.101.255 scope global wlan1
valid_lft forever preferred_lft forever
inet6 fe80::e695:6eff:fe45:1fef/64 scope link
valid_lft forever preferred_lft forever
13: wlan1-1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue master br-lan state DOWN group default qlen 1000
link/ether e6:95:6e:45:1f:ef brd ff:ff:ff:ff:ff:ff
24: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
link/none
inet 10.8.0.6 peer 10.8.0.5/32 scope global tun0
valid_lft forever preferred_lft forever
inet6 fe80::bfd8:b8fd:779c:c6af/64 scope link stable-privacy
valid_lft forever preferred_lft forever


uci show network; uci show firewall
uci show network

network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fde7:1a1b:4db7::/48'
network.lan=interface
network.lan.type='bridge'
network.lan.ifname='eth0'
network.lan.proto='static'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.lan.ipaddr='192.168.3.1'
network.lan.mtu='1380'
network.wan=interface
network.wan.ifname='eth1'
network.wan.proto='dhcp'
network.wan.type='bridge'
network.wan6=interface
network.wan6.ifname='eth1'
network.wan6.proto='dhcpv6'
network.@switch[0]=switch
network.@switch[0].name='switch0'
network.@switch[0].reset='1'
network.@switch[0].enable_vlan='1'
network.@switch_vlan[0]=switch_vlan
network.@switch_vlan[0].device='switch0'
network.@switch_vlan[0].vlan='1'
network.@switch_vlan[0].ports='3 4 0'
network.trm_wwan=interface
network.trm_wwan.proto='dhcp'
network.trm_wwan.mtu='1380'

uci show firewall

network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fde7:1a1b:4db7::/48'
network.lan=interface
network.lan.type='bridge'
network.lan.ifname='eth0'
network.lan.proto='static'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.lan.ipaddr='192.168.3.1'
network.lan.mtu='1380'
network.wan=interface
network.wan.ifname='eth1'
network.wan.proto='dhcp'
network.wan.type='bridge'
network.wan6=interface
network.wan6.ifname='eth1'
network.wan6.proto='dhcpv6'
network.@switch[0]=switch
network.@switch[0].name='switch0'
network.@switch[0].reset='1'
network.@switch[0].enable_vlan='1'
network.@switch_vlan[0]=switch_vlan
network.@switch_vlan[0].device='switch0'
network.@switch_vlan[0].vlan='1'
network.@switch_vlan[0].ports='3 4 0'
network.trm_wwan=interface
network.trm_wwan.proto='dhcp'
network.trm_wwan.mtu='1380'
root@RT-NG:~# uci show firewall
firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[0].network='lan'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@zone[1].network='wan wan6 wwan trm_wwan VPNC FritzVPN'
firewall.@zone[1].device='tun0'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'

This is strange, because according to your configuration you are masquerading the hosts' IPs on the OpenWrt router, and since the router itself works, the hosts should work too. Can you verify that it indeed works? tcpdump -i tun0 -vvn


My OpenWrt router: 192.168.3.1 - my PC: 192.168.3.2
Now neither ping/ICMP echo request gets an answer, whether sent from the router or from the PC.
Interestingly, when I ping from my router it goes out of the virtual interface directly.

tcpdump -i tun0 -vvn //Ping from my pc and router

tcpdump: listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
11:36:35.203324 IP (tos 0x0, ttl 127, id 45740, offset 0, flags [none], proto ICMP (1), length 60)
192.168.3.2 > 192.168.1.1: ICMP echo request, id 1, seq 1, length 40
11:36:39.816795 IP (tos 0x0, ttl 127, id 45741, offset 0, flags [none], proto ICMP (1), length 60)
192.168.3.2 > 192.168.1.1: ICMP echo request, id 1, seq 2, length 40
11:36:44.815258 IP (tos 0x0, ttl 127, id 45742, offset 0, flags [none], proto ICMP (1), length 60)
192.168.3.2 > 192.168.1.1: ICMP echo request, id 1, seq 3, length 40
11:36:49.814906 IP (tos 0x0, ttl 127, id 45743, offset 0, flags [none], proto ICMP (1), length 60)
192.168.3.2 > 192.168.1.1: ICMP echo request, id 1, seq 4, length 40
11:38:01.690515 IP (tos 0x0, ttl 64, id 39911, offset 0, flags [DF], proto ICMP (1), length 84)
10.8.0.6 > 192.168.1.1: ICMP echo request, id 31501, seq 0, length 64
11:38:02.698364 IP (tos 0x0, ttl 64, id 40002, offset 0, flags [DF], proto ICMP (1), length 84)
10.8.0.6 > 192.168.1.1: ICMP echo request, id 31501, seq 1, length 64
11:38:03.708340 IP (tos 0x0, ttl 64, id 40017, offset 0, flags [DF], proto ICMP (1), length 84)
10.8.0.6 > 192.168.1.1: ICMP echo request, id 31501, seq 2, length 64
11:38:04.717724 IP (tos 0x0, ttl 64, id 40060, offset 0, flags [DF], proto ICMP (1), length 84)
10.8.0.6 > 192.168.1.1: ICMP echo request, id 31501, seq 3, length 64
11:38:05.727764 IP (tos 0x0, ttl 64, id 40062, offset 0, flags [DF], proto ICMP (1), length 84)
10.8.0.6 > 192.168.1.1: ICMP echo request, id 31501, seq 4, length 64
11:38:56.800729 IP (tos 0x0, ttl 64, id 15098, offset 0, flags [DF], proto ICMP (1), length 84)
10.8.0.6 > 192.168.1.100: ICMP echo request, id 2318, seq 0, length 64
11:38:57.807120 IP (tos 0x0, ttl 64, id 15181, offset 0, flags [DF], proto ICMP (1), length 84)
10.8.0.6 > 192.168.1.100: ICMP echo request, id 2318, seq 1, length 64
11:38:58.818268 IP (tos 0x0, ttl 64, id 15187, offset 0, flags [DF], proto ICMP (1), length 84)
10.8.0.6 > 192.168.1.100: ICMP echo request, id 2318, seq 2, length 64
11:38:59.828979 IP (tos 0x0, ttl 64, id 15212, offset 0, flags [DF], proto ICMP (1), length 84)
10.8.0.6 > 192.168.1.100: ICMP echo request, id 2318, seq 3, length 64
11:39:00.837647 IP (tos 0x0, ttl 64, id 15293, offset 0, flags [DF], proto ICMP (1), length 84)
10.8.0.6 > 192.168.1.100: ICMP echo request, id 2318, seq 4, length 64
11:39:47.611947 IP (tos 0x0, ttl 64, id 40550, offset 0, flags [DF], proto ICMP (1), length 84)
10.8.0.6 > 192.168.1.1: ICMP echo request, id 40462, seq 0, length 64
11:39:48.617599 IP (tos 0x0, ttl 64, id 40627, offset 0, flags [DF], proto ICMP (1), length 84)
10.8.0.6 > 192.168.1.1: ICMP echo request, id 40462, seq 1, length 64
11:39:49.627118 IP (tos 0x0, ttl 64, id 40725, offset 0, flags [DF], proto ICMP (1), length 84)
10.8.0.6 > 192.168.1.1: ICMP echo request, id 40462, seq 2, length 64
11:39:57.669879 IP (tos 0x0, ttl 64, id 19203, offset 0, flags [DF], proto ICMP (1), length 84)
10.8.0.6 > 192.168.1.100: ICMP echo request, id 41230, seq 0, length 64
11:39:58.678271 IP (tos 0x0, ttl 64, id 19302, offset 0, flags [DF], proto ICMP (1), length 84)
10.8.0.6 > 192.168.1.100: ICMP echo request, id 41230, seq 1, length 64

Maybe the tunnel is down then?

However, keep in mind that the receiver of the packets needs to know how to send the replies back.
That means that both the OpenVPN server and the family router need to have routes for 10.8.0.X.


So I got it to work now. This is the guide I was using all the time, and nothing was wrong with it.
Quick foreword: my OpenVPN server is running on Windows 10.
The problem was the TAP device that is installed by default. It does not work correctly, but nothing in the logs or anywhere else shows it; nothing gives you a single hint, the VPN just does not work correctly. I found it by chance on the internet: you need to manually add a new TAP device.
So I did everything in the above-linked guide, plus the following:

# Windows 10 OpenVPN server side.
# Open CMD as administrator.
cd C:\Program Files\TAP-Windows\bin # addtap.bat, the script that adds a TAP adapter, lives here
addtap.bat # afterwards a new TAP network device should exist
# Added the following to server.ovpn:
topology subnet
# NOTE(review): dev-node selects the TAP adapter by its name; confirm it matches the adapter addtap.bat created.
dev-node "TAP"
#push "redirect-gateway def1 bypass-dhcp" # commented out so the VPN is not pushed to clients as their default gateway
# OpenWrt travel router / client side.
# Added this to client.ovpn:
route 192.168.1.0 255.255.255.0 # 192.168.1.0/24 = the server-side subnet; routes traffic for it into the VPN

