OpenVPN server, no LAN no internet

psherman · June 18, 2018, 2:44pm

Your logs indicate that there are some inconsistencies in the client vs server config files. Any directives found in both files need to be identical.

Mon Jun 18 09:37:41 2018 204.48.78.161:54842 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1541', remote='link-mtu 1542'
Mon Jun 18 09:37:41 2018 X.X.X.X:54842 WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'

Try either removing comp-lzo from the server or setting it so that it is the same on both sides. Similarly, make sure that the lin-mtu is defined and the same on both sides. Make both of these changes at the same time.

alirz1 · June 18, 2018, 3:10pm

On the server side. "comp-lzo" is set to yes. I checked on the client side in the .ovpn file, it was set to NO, I set to yes there too but that error message in the log still occurs. Shouldn't that value be pushed to the client by the server anyways?
Secondly, i cannot find where the MTU needs to be set. Again, that should be pushed to the client automatically?

psherman · June 18, 2018, 8:19pm

things are only pushed from server to client if explicitly included as a push directive. I haven't experimented with intentionally introducing differences between the two, but I would imagine that certain differences would cause failures in communication since each side is expecting something different.

Try explicitly setting link-mtu as the same value on both sides -- maybe try in this order until that error disappears and/or things start working (always keeping both sides the same):
1541, 1542, 1500, 1492

alirz1 · June 18, 2018, 9:22pm

would a MTU issue affect routing? because as i said, once connected to the VPN, the client cannot ping the vpn server IP or vice versa. That looks like a routing issue to me. Either the client doesnt know the route to the vpn server or the server doesnt know how to get back to the client.
PS, the server also cannot ping the client IP!

Also my server config has the following which as i understand mean, that push these to the client?

    list push 'comp-lzo yes'
    list push 'persist-key'
    list push 'persist-tun'
    list push 'topology subnet'
    list push 'route-gateway dhcp'
    list push 'redirect-gateway def1'
    list push 'route 192.168.200.0 255.255.255.0'

psherman · June 18, 2018, 9:33pm

The fact that it is unable to ping/route traffic could be related to a bunch of things, including things like inability to negotiate compression or other details of the tunnel behavior. Anything that is contradictory on the server vs the client could cause problems, even if there is a push directive. So some of the directives can be omitted from the client if the server will push them, others may need to be present but always consistent.

Try removing this line:

    list push 'route-gateway dhcp'

If it still isn't working, post both your server and client configs (sanitized where necessary, obviously), and then any logs from both sides during and after the connection is initiated.

alirz1 · June 19, 2018, 12:04am

Thanks. I tried remiving that line but still no go. Here all my logs and config files.. Beware long post!!

openwrt openvpn config, /etc/config/openvpn

config openvpn 'vpnserver'
        option enabled '1'
        option dev_type 'tun'
        option dev 'ovpns0'
        option port '1194'
        option comp_lzo 'no'
        option keepalive '10 120'
        option persist_key '1'
        option persist_tun '1'
        option ca '/etc/openvpn/ca.crt'
        option cert '/etc/openvpn/my-server.crt'
        option key '/etc/openvpn/my-server.key'
        option dh '/etc/openvpn/dh2048.pem'
        option tls_auth '/etc/openvpn/tls-auth.key 0'
        option mode 'server'
        option tls_server '1'
        option server '192.168.200.0 255.255.255.0'
        option topology 'subnet'
        option route_gateway 'dhcp'
        option log '/tmp/openvpn.log'
        option client_to_client '1'
        list push 'comp-lzo yes'
        list push 'persist-key'
        list push 'persist-tun'
        list push 'topology subnet'
        list push 'redirect-gateway def1'
        list push 'route 192.168.200.0 255.255.255.0'
        list push 'dhcp-option DNS 10.0.0.1'
        list push 'dhcp-option DNS 192.168.1.1'

Client side config file my-server.ovpn

  client
  dev tun
  proto udp # Warning : Sometimes u need to declare udp4 or udp6
  fast-io
  remote my_dynamic_dns 1194
  remote-cert-tls server
  nobind
  persist-key
  persist-tun
  comp-lzo no
  verb 3
  key-direction 1
<ca>
-----BEGIN CERTIFICATE-----
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
-----END CERTIFICATE-----
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
-----BEGIN OpenVPN Static key V1-----
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
-----END OpenVPN Static key V1-----
</tls-auth>
  client
  dev tun
  proto udp # Warning : Sometimes u need to declare udp4 or udp6
  fast-io
  remote my_dynamic_dns 1194
  remote-cert-tls server
  nobind
  persist-key
  persist-tun
  comp-lzo no
  verb 3
  key-direction 1
<ca>
-----BEGIN CERTIFICATE-----
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
-----END CERTIFICATE-----

openwrt Router firewall

root@OpenWrt:/# cat /etc/config/firewall 

config defaults
        option syn_flood '1'
        option output 'ACCEPT'
        option forward 'REJECT'
        option input 'DROP'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'wan'
        option forward 'DROP'
        option output 'ACCEPT'
        option masq '1'
        option network 'wan wan6'
        option mtu_fix '1'
        option input 'DROP'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option target 'ACCEPT'
        option proto 'udp'

config include
        option path '/etc/firewall.user'


config forwarding
        option dest 'wan'
        option src 'lan'

config rule
        option name 'Allow-OpenVPN-Inbound'
        option target 'ACCEPT'
        option src '*'
        option dest_port '1194'
        option proto 'tcp udp'

config zone
        option name 'vpnserver'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option masq '1'
        option network 'vpnserver'
        option forward 'REJECT'

config forwarding
        option src 'vpnserver'
        option dest 'wan'

config forwarding
        option src 'vpnserver'
        option dest 'lan'

Server side log when the client connects:

Note that i've tried setting "comp-lzo" to no and even removing that line from server and client side config files, but the message remains in the server side log.
I have been unable to figure out how to set MTU. I tried using both the "mssfix" and "tun-mtu" to set the mtu value but with either of those in the config file, the server does not even start.

Mon Jun 18 19:53:53 2018 204.48.78.161:53918 peer info: IV_GUI_VER=OC30Android
Mon Jun 18 19:53:53 2018 204.48.78.161:53918 peer info: IV_VER=3.2
Mon Jun 18 19:53:53 2018 204.48.78.161:53918 peer info: IV_PLAT=android
Mon Jun 18 19:53:53 2018 204.48.78.161:53918 peer info: IV_NCP=2
Mon Jun 18 19:53:53 2018 204.48.78.161:53918 peer info: IV_TCPNL=1
Mon Jun 18 19:53:53 2018 204.48.78.161:53918 peer info: IV_PROTO=2
Mon Jun 18 19:53:53 2018 204.48.78.161:53918 peer info: IV_LZO=1
Mon Jun 18 19:53:53 2018 204.48.78.161:53918 peer info: IV_LZO_SWAP=1
Mon Jun 18 19:53:53 2018 204.48.78.161:53918 peer info: IV_LZ4=1
Mon Jun 18 19:53:53 2018 204.48.78.161:53918 peer info: IV_LZ4v2=1
Mon Jun 18 19:53:53 2018 204.48.78.161:53918 peer info: IV_COMP_STUB=1
Mon Jun 18 19:53:53 2018 204.48.78.161:53918 peer info: IV_COMP_STUBv2=1
Mon Jun 18 19:53:53 2018 204.48.78.161:53918 peer info: IV_AUTO_SESS=1
Mon Jun 18 19:53:53 2018 204.48.78.161:53918 peer info: IV_BS64DL=1
Mon Jun 18 19:53:53 2018 204.48.78.161:53918 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1541', remote='link-mtu 1542'
Mon Jun 18 19:53:53 2018 204.48.78.161:53918 WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
Mon Jun 18 19:53:53 2018 204.48.78.161:53918 [my-client] Peer Connection Initiated with [AF_INET]204.48.78.161:53918
Mon Jun 18 19:53:53 2018 MULTI_sva: pool returned IPv4=192.168.200.2, IPv6=(Not enabled)
Mon Jun 18 19:54:02 2018 my-client/204.48.78.161:53918 IP packet with unknown IP version=15 seen

Client side log. Openvpn Android app

19:53:51.737 -- ----- OpenVPN Start -----

19:53:51.738 -- EVENT: CORE_THREAD_ACTIVE

19:53:51.739 -- Frame=512/2048/512 mssfix-ctrl=1250

19:53:51.747 -- UNUSED OPTIONS
0 [client] 
1 [dev] [tun] 
2 [proto] [udp] 
3 [fast-io] 
5 [remote-cert-tls] [server] 
6 [nobind] 
7 [persist-key] 
8 [persist-tun] 
9 [comp-lzo] [no] 
10 [verb] [3] 
11 [key-direction] [1] 
13 [cert] [Certificate:     Data:         Version: 3 (0x2)         Serial N...] 
14 [key] [-----BEGIN PRIVATE KEY----- MIIJQwIBADANBgkqxxxxxxxxxxxxxxxx...] 
15 [tls-auth] [# # 2048 bit OpenVPN static key # -----BEGIN OpenVPN Static key ...] 
19 [fast-io] 
22 [nobind] 
23 [persist-key] 
24 [persist-tun] 
26 [verb] [3] 


19:53:51.748 -- EVENT: RESOLVE

19:53:51.752 -- Contacting my_dynamic_dns_IP:1194 via UDP

19:53:51.752 -- EVENT: WAIT

19:53:51.755 -- Connecting to [my_dynamic_dns_hostname]:1194 (my_dynamic_dns_IP) via UDPv4

19:53:51.821 -- EVENT: CONNECTING

19:53:51.824 -- Tunnel Options:V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client

19:53:51.825 -- Creds: UsernameEmpty/PasswordEmpty

19:53:51.825 -- Peer Info:
IV_GUI_VER=OC30Android
IV_VER=3.2
IV_PLAT=android
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2
IV_LZO=1
IV_LZO_SWAP=1
IV_LZ4=1
IV_LZ4v2=1
IV_COMP_STUB=1
IV_COMP_STUBv2=1
IV_AUTO_SESS=1
IV_BS64DL=1


19:53:52.201 -- VERIFY OK : depth=1
cert. version     : 3
serial number     : DF:BC:CD:87:B6:2E:69:EB
issuer name       : C=GB, ST=London, O=WWW Ltd.
subject name      : C=GB, ST=London, O=WWW Ltd.
issued  on        : 2018-06-17 14:45:37
expires on        : 2028-06-14 14:45:37
signed using      : RSA with SHA-256
RSA key size      : 4096 bits
basic constraints : CA=true


19:53:52.203 -- VERIFY OK : depth=0
cert. version     : 3
serial number     : 10:00
issuer name       : C=GB, ST=London, O=WWW Ltd.
subject name      : CN=my-server
issued  on        : 2018-06-17 14:45:54
expires on        : 2028-06-14 14:45:54
signed using      : RSA with SHA-256
RSA key size      : 4096 bits
key usage         : Digital Signature, Key Encipherment
ext key usage     : TLS Web Server Authentication


19:53:52.624 -- SSL Handshake: TLSv1.2/TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384

19:53:52.626 -- Session is ACTIVE

19:53:52.627 -- EVENT: GET_CONFIG

19:53:52.631 -- Sending PUSH_REQUEST to server...

19:53:52.668 -- OPTIONS:
0 [comp-lzo] [yes] 
1 [persist-key] 
2 [persist-tun] 
3 [topology] [subnet] 
4 [redirect-gateway] [def1] 
5 [route] [192.168.200.0] [255.255.255.0] 
6 [dhcp-option] [DNS] [10.0.0.1] 
7 [dhcp-option] [DNS] [192.168.1.1] 
8 [route-gateway] [192.168.200.1] 
9 [topology] [subnet] 
10 [ping] [10] 
11 [ping-restart] [120] 
12 [ifconfig] [192.168.200.2] [255.255.255.0] 
13 [peer-id] [0] 
14 [cipher] [AES-256-GCM] 


19:53:52.669 -- PROTOCOL OPTIONS:
  cipher: AES-256-GCM
  digest: SHA1
  compress: LZO
  peer ID: 0

19:53:52.669 -- EVENT: ASSIGN_IP

19:53:52.772 -- Connected via tun

19:53:52.773 -- LZO-ASYM init swap=0 asym=0

19:53:52.774 -- EVENT: CONNECTED info='@my_dynamic_dns_hostname:1194 (my_dynamic_dns_IP) via /UDPv4 on tun/192.168.200.2/ gw=[192.168.200.1/]' trans=TO_CONNECTED

19:54:01.550 -- EVENT: DISCONNECTED trans=TO_DISCONNECTED

19:54:01.553 -- EVENT: CORE_THREAD_INACTIVE

19:54:01.553 -- Tunnel bytes per CPU second: 0

19:54:01.553 -- ----- OpenVPN Stop -----

Route on the server side:

10.0.0.x is the internal LAN
192.168.200.x is the openvpn network.

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         74.58.65.1      0.0.0.0         UG    0      0        0 eth1.2
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 br-lan
74.58.65.0      0.0.0.0         255.255.255.0   U     0      0        0 eth1.2
192.168.200.0   0.0.0.0         255.255.255.0   U     0      0        0 ovpns0

psherman · June 19, 2018, 3:06am

There are some errors in your openVPN config files, including repeated lines and inconsistencies such as your client file having comp-lzo no twice, the server saying comp-lzo no but then pushing comp-lzo yes. You are pushing multiple routes and dns options including 192.168.1.1 -- I think the last one will override the previous ones. The log even shows a bunch of odd stuff happening.

I've tried to clean up your files to the bare minimum.

I think you can use this server config verbatim:

config openvpn 'vpnserver'
        option proto ‘udp’
        option port '1194'
        option dev_type 'tun'
        option dev 'ovpns0'
        option server '192.168.200.0 255.255.255.0'
        option ca '/etc/openvpn/ca.crt'
        option cert '/etc/openvpn/my-server.crt'
        option key '/etc/openvpn/my-server.key'
        option dh '/etc/openvpn/dh2048.pem'
        option tls_auth '/etc/openvpn/tls-auth.key 0'
        option tun_mtu '1500'
        option keepalive '10 120'
        option tls_server '1'
        option topology 'subnet'
        option route_gateway 'dhcp'
        option log '/tmp/openvpn.log'
        option client_to_client '1'
        option persist_key '1'
        option persist_tun '1'
        list push 'route 10.0.0.0 255.255.255.0'
        list push 'dhcp-option DNS 10.0.0.1'
        option enabled '1'

The client config will obviously require a few adjustments on your end, but try this as a template:

client
dev tun
remote my_dynamic_dns 1194 udp
remote-cert-tls server
verb 3
key-direction 1
<ca>
-----BEGIN CERTIFICATE-----
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
-----END CERTIFICATE-----
</cert>
<key>
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
-----BEGIN OpenVPN Static key V1-----
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
-----END OpenVPN Static key V1-----
</key>

you had a tag for </tls-auth> in there -- not sure if you had a the TLS auth crypto info there or not, you might need to re-add it. But basically you should be able to use this directly except for crypto stuff (ca, cert, key, maybe tls-auth), and obviously 'my_dynamic_dns' should be replaced with your actual info.

Pro-tip: put the crypto info at the end of the file so that you know you don't have to keep reading beyond it -- that may explain why you had duplicate info there.

alirz1 · June 19, 2018, 1:41pm

I cleaned up my client config as per your recommendation. Yes, for some reason stuff was repeating in there twice.
Well, IT WORKS NOW!!!! I cant thank you enough. i have access to lan network when on the VPN, while internet is going outside the vpn. While i can easily live with that, would routing internet via the vpn be as simple as adding another route?
Again, thank you sooo much for going through my logs and config files i really appreciate it.

psherman · June 19, 2018, 2:35pm

Glad to see everything is working in general. I guess I forgot to add the following line to your client file:

redirect-gateway def1

Just add that into he client file (for readability, I'd recommend you add it above the crypto keys/certs) and your internet should go through the tunnel.

As far as other stuff you were enabling like comp-lzo and such, you can now experiment with those things to see if it improves performance or reduces bandwidth and stuff. Knowing that you have a working configuration in general will help both as a reference and as a fall-back (easily identify the directive(s) that broke things).

tmomas · June 19, 2018, 4:36pm

If your problem is solved, please consider marking this topic as [Solved].

alirz1 · June 19, 2018, 5:28pm

im not the original OP of this thread. I dont see any button to mark this as solved anywhere.

tmomas · June 19, 2018, 6:10pm

Oh - I see. Then nevermind and forget about that marking.

Sidenote: Click on the pencil button at the end of the topic to edit it.

psherman · June 19, 2018, 6:10pm

The OP said that it works except for the internet via the OpenVPN tunnel. Hopefully my last comment will fix that... hopefully once @alirz1 has had a chance to implement that and test, they can mark this thread as solved.

psherman · June 19, 2018, 6:12pm

oh.... yeah, I guess the OP is @lestat70 (if you're still active, please mark as solved if applicable; if not working properly, let the community know what issues remain and how we can help).

alirz1 · June 19, 2018, 7:05pm

@psherman Yes, your comment about adding the gateway fixed internet rotuing through the VPN also now.
This is now considered as SOLVED for me. Thank you.

psherman · June 19, 2018, 8:13pm

Glad it is all working now!