OpenVPN Server not routing to LAN and WAN

Hi everyone,

I'm trying to get my VPN server to work correctly. My goal is to have both LAN and WAN access. I'm migrating a couple of services from an Arch HTPC (it serves everything: SMB, Owncloud, VPN, Kodi, CUPS, etc.) to an x86_64 OpenWRT router. On my HTPC all services work fine (and I'm using it as a reference for the configs), but it's been a few days now and I can't find a solution to this (after reading several how-tos and posts).

My LAN is working fine and with internet access, and I have other small services working fine (adblock, ddns, etc.); it's just my VPN which has no LAN nor WAN.

My current network setup is like this: ISP(router)---->[DMZ]x86Router(OpenWRT)[OpenVPN]----->LAN
I'm unable to put my ISP router in bridge mode because of my current contract, thus the DMZ (I'll change my contract once I have a fully functional router).

I hope you can help me; it feels like it's something stupid and obvious, but I can't pin it down.

Thank you.

I'm leaving the config details below; if you need more info, let me know.

ISP (gateway): 192.168.1.254
Router:
eth0 (WAN): 192.168.1.150
eth1 & eth2 (LAN): 10.209.1.0/24
tun0 (VPN): 10.8.0.0/24

network

network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fdaa:4d3d:746e::/48'
network.LAN1=interface
network.LAN1.igmp_snooping='1'
network.LAN1.stp='1'
network.LAN1.type='bridge'
network.LAN1.proto='static'
network.LAN1.ipaddr='10.209.1.1'
network.LAN1.netmask='255.255.255.0'
network.LAN1.ip6assign='64'
network.LAN1.gateway='192.168.1.150'
network.LAN1.ifname='eth1 eth2'
network.wan=interface
network.wan.ifname='eth0'
network.wan.persist='true'
network.wan.maxfail='0'
network.wan.holdoff='10'
network.wan.proto='static'
network.wan.netmask='255.255.255.0'
network.wan.dns='8.8.8.8'
network.wan.ipaddr='192.168.1.150'
network.wan.gateway='192.168.1.254'
network.wan_dev=device
network.wan_dev.name='eth0'
network.wan_dev.macaddr='FC:AA:14:C6:95:7D'
network.vpn=interface
network.vpn.ifname='tun0'
network.vpn.proto='none'

firewall

firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[0].network='LAN1'
firewall.@zone[1]=zone
firewall.@zone[1].name='VPN'
firewall.@zone[1].network='vpn'
firewall.@zone[1].input='ACCEPT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='ACCEPT'
firewall.@zone[2]=zone
firewall.@zone[2].name='wan'
firewall.@zone[2].output='ACCEPT'
firewall.@zone[2].mtu_fix='1'
firewall.@zone[2].network='wan'
firewall.@zone[2].masq='1'
firewall.@zone[2].input='DROP'
firewall.@zone[2].forward='DROP'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].src='lan'
firewall.@forwarding[1].dest='VPN'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].target='DROP'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.@redirect[0]=redirect
firewall.@redirect[0].dest_port='443'
firewall.@redirect[0].src='wan'
firewall.@redirect[0].name='Owncloud'
firewall.@redirect[0].src_dport='443'
firewall.@redirect[0].target='DNAT'
firewall.@redirect[0].dest_ip='10.209.1.101'
firewall.@redirect[0].dest='lan'
firewall.@rule[11]=rule
firewall.@rule[11].src='*'
firewall.@rule[11].target='ACCEPT'
firewall.@rule[11].name='Allow-VPN'
firewall.@rule[11].dest_port='834'
firewall.@rule[11].proto='udp'
firewall.@forwarding[2]=forwarding
firewall.@forwarding[2].dest='lan'
firewall.@forwarding[2].src='VPN'
firewall.@forwarding[3]=forwarding
firewall.@forwarding[3].dest='wan'
firewall.@forwarding[3].src='VPN'

iptables -L

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             /* !fw3 */
input_rule  all  --  anywhere             anywhere             /* !fw3: Custom input rule chain */
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED /* !fw3 */
syn_flood  tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN /* !fw3 */
ACCEPT     udp  --  anywhere             anywhere             udp dpt:834 /* !fw3: Allow-VPN */
zone_lan_input  all  --  anywhere             anywhere             /* !fw3 */
zone_VPN_input  all  --  anywhere             anywhere             /* !fw3 */
zone_wan_input  all  --  anywhere             anywhere             /* !fw3 */

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  10.8.0.0/24          Server.lan
forwarding_rule  all  --  anywhere             anywhere             /* !fw3: Custom forwarding rule chain */
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED /* !fw3 */
zone_lan_forward  all  --  anywhere             anywhere             /* !fw3 */
zone_VPN_forward  all  --  anywhere             anywhere             /* !fw3 */
zone_wan_forward  all  --  anywhere             anywhere             /* !fw3 */
reject     all  --  anywhere             anywhere             /* !fw3 */

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             /* !fw3 */
output_rule  all  --  anywhere             anywhere             /* !fw3: Custom output rule chain */
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED /* !fw3 */
zone_lan_output  all  --  anywhere             anywhere             /* !fw3 */
zone_VPN_output  all  --  anywhere             anywhere             /* !fw3 */
zone_wan_output  all  --  anywhere             anywhere             /* !fw3 */

Chain forwarding_VPN_rule (1 references)
target     prot opt source               destination

Chain forwarding_lan_rule (1 references)
target     prot opt source               destination

Chain forwarding_rule (1 references)
target     prot opt source               destination

Chain forwarding_wan_rule (1 references)
target     prot opt source               destination

Chain input_VPN_rule (1 references)
target     prot opt source               destination

Chain input_lan_rule (1 references)
target     prot opt source               destination

Chain input_rule (1 references)
target     prot opt source               destination

Chain input_wan_rule (1 references)
target     prot opt source               destination

Chain output_VPN_rule (1 references)
target     prot opt source               destination

Chain output_lan_rule (1 references)
target     prot opt source               destination

Chain output_rule (1 references)
target     prot opt source               destination

Chain output_wan_rule (1 references)
target     prot opt source               destination

Chain reject (2 references)
target     prot opt source               destination
REJECT     tcp  --  anywhere             anywhere             /* !fw3 */ reject-with tcp-reset
REJECT     all  --  anywhere             anywhere             /* !fw3 */ reject-with icmp-port-unreachable

Chain syn_flood (1 references)
target     prot opt source               destination
RETURN     tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 25/sec burst 50 /* !fw3 */
DROP       all  --  anywhere             anywhere             /* !fw3 */

Chain zone_VPN_dest_ACCEPT (3 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             /* !fw3 */

Chain zone_VPN_forward (1 references)
target     prot opt source               destination
forwarding_VPN_rule  all  --  anywhere             anywhere             /* !fw3: Custom VPN forwarding rule chain */
zone_lan_dest_ACCEPT  all  --  anywhere             anywhere             /* !fw3: Zone VPN to lan forwarding policy */
zone_wan_dest_ACCEPT  all  --  anywhere             anywhere             /* !fw3: Zone VPN to wan forwarding policy */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* !fw3: Accept port forwards */
zone_VPN_dest_ACCEPT  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_VPN_input (1 references)
target     prot opt source               destination
input_VPN_rule  all  --  anywhere             anywhere             /* !fw3: Custom VPN input rule chain */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* !fw3: Accept port redirections */
zone_VPN_src_ACCEPT  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_VPN_output (1 references)
target     prot opt source               destination
output_VPN_rule  all  --  anywhere             anywhere             /* !fw3: Custom VPN output rule chain */
zone_VPN_dest_ACCEPT  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_VPN_src_ACCEPT (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             ctstate NEW,UNTRACKED /* !fw3 */

Chain zone_lan_dest_ACCEPT (5 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             /* !fw3 */

Chain zone_lan_forward (1 references)
target     prot opt source               destination
forwarding_lan_rule  all  --  anywhere             anywhere             /* !fw3: Custom lan forwarding rule chain */
zone_wan_dest_REJECT  all  --  anywhere             anywhere             MAC 00:D9:D1:B0:96:34 TIME from 20:00:00 to 10:00:00 on Mon,Tue,Wed,Thu,Sun /* !fw3: Niños-Escuela */
zone_wan_dest_REJECT  all  --  anywhere             anywhere             MAC 00:D9:D1:B0:96:34 TIME from 22:00:00 to 10:00:00 on Fri,Sat /* !fw3: Niños-Finde */
zone_wan_dest_REJECT  all  --  anywhere             anywhere             MAC 70:3A:51:30:49:C6 TIME from 23:00:00 to 09:00:00 /* !fw3: Goran-Parental */
zone_wan_dest_REJECT  all  --  anywhere             anywhere             MAC EE:C6:FC:24:3F:CD TIME from 23:00:00 to 09:00:00 /* !fw3: Goran-Parental */
zone_wan_dest_REJECT  all  --  anywhere             anywhere             MAC 00:F4:8D:59:99:91 TIME from 23:00:00 to 09:00:00 /* !fw3: Goran-Parental */
zone_wan_dest_ACCEPT  all  --  anywhere             anywhere             /* !fw3: Zone lan to wan forwarding policy */
zone_VPN_dest_ACCEPT  all  --  anywhere             anywhere             /* !fw3: Zone lan to VPN forwarding policy */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* !fw3: Accept port forwards */
zone_lan_dest_ACCEPT  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_lan_input (1 references)
target     prot opt source               destination
input_lan_rule  all  --  anywhere             anywhere             /* !fw3: Custom lan input rule chain */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* !fw3: Accept port redirections */
zone_lan_src_ACCEPT  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_lan_output (1 references)
target     prot opt source               destination
output_lan_rule  all  --  anywhere             anywhere             /* !fw3: Custom lan output rule chain */
zone_lan_dest_ACCEPT  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_lan_src_ACCEPT (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             ctstate NEW,UNTRACKED /* !fw3 */

Chain zone_wan_dest_ACCEPT (3 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere             ctstate INVALID /* !fw3: Prevent NAT leakage */
ACCEPT     all  --  anywhere             anywhere             /* !fw3 */

Chain zone_wan_dest_DROP (1 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere             /* !fw3 */

Chain zone_wan_dest_REJECT (5 references)
target     prot opt source               destination
reject     all  --  anywhere             anywhere             /* !fw3 */

Chain zone_wan_forward (1 references)
target     prot opt source               destination
forwarding_wan_rule  all  --  anywhere             anywhere             /* !fw3: Custom wan forwarding rule chain */
zone_lan_dest_ACCEPT  esp  --  anywhere             anywhere             /* !fw3: Allow-IPSec-ESP */
zone_lan_dest_ACCEPT  udp  --  anywhere             anywhere             udp dpt:isakmp /* !fw3: Allow-ISAKMP */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* !fw3: Accept port forwards */
zone_wan_dest_DROP  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_wan_input (1 references)
target     prot opt source               destination
input_wan_rule  all  --  anywhere             anywhere             /* !fw3: Custom wan input rule chain */
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootpc /* !fw3: Allow-DHCP-Renew */
DROP       icmp --  anywhere             anywhere             icmp echo-request /* !fw3: Allow-Ping */
ACCEPT     igmp --  anywhere             anywhere             /* !fw3: Allow-IGMP */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* !fw3: Accept port redirections */
zone_wan_src_DROP  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_wan_output (1 references)
target     prot opt source               destination
output_wan_rule  all  --  anywhere             anywhere             /* !fw3: Custom wan output rule chain */
zone_wan_dest_ACCEPT  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_wan_src_DROP (1 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere             /* !fw3 */

VPN Server

openvpn.MardyVPN=openvpn
openvpn.MardyVPN.comp_lzo='yes'
openvpn.MardyVPN.persist_tun='1'
openvpn.MardyVPN.persist_key='1'
openvpn.MardyVPN.cipher='AES-256-CBC'
openvpn.MardyVPN.ca='/etc/openvpn/pki/ca.crt'
openvpn.MardyVPN.dh='/etc/openvpn/pki/dh.pem'
openvpn.MardyVPN.key='/etc/openvpn/pki/private/server.key'
openvpn.MardyVPN.verb='3'
openvpn.MardyVPN.cert='/etc/openvpn/pki/issued/server.crt'
openvpn.MardyVPN.keepalive='10 120'
openvpn.MardyVPN.mode='server'
openvpn.MardyVPN.client_to_client='1'
openvpn.MardyVPN.log='/var/log/openvpn.log'
openvpn.MardyVPN.enabled='1'
openvpn.MardyVPN.compress='lzo'
openvpn.MardyVPN.log_append='/var/log/openvpn.log'
openvpn.MardyVPN.port='834'
openvpn.MardyVPN.proto='udp'
openvpn.MardyVPN.dev='vpn'
openvpn.MardyVPN.dev_type='tun'
openvpn.MardyVPN.user='nobody'
openvpn.MardyVPN.group='nogroup'
openvpn.MardyVPN.mute='5'
openvpn.MardyVPN.tls_server='1'
openvpn.MardyVPN.key_direction='0'
openvpn.MardyVPN.tls_auth='/etc/openvpn/pki/ta.key'
openvpn.MardyVPN.auth='SHA512'
openvpn.MardyVPN.server='10.8.0.0 255.255.255.0'
openvpn.MardyVPN.topology='subnet'
openvpn.MardyVPN.push='redirect-gateway def1' 'dhcp-option DNS 10.209.1.1' 'route 10.209.1.0 255.255.255.0'

ip a; ip r; traceroute openwrt.org

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ifb0: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN group default qlen 32
    link/ether ae:12:23:87:83:0d brd ff:ff:ff:ff:ff:ff
3: ifb1: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN group default qlen 32
    link/ether 06:7b:0a:d7:8b:ec brd ff:ff:ff:ff:ff:ff
4: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether fc:aa:14:c6:95:7d brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.150/24 brd 192.168.1.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::feaa:14ff:fec6:957d/64 scope link
       valid_lft forever preferred_lft forever
5: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br-LAN1 state UP group default qlen 1000
    link/ether 50:3e:aa:03:95:83 brd ff:ff:ff:ff:ff:ff
6: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br-LAN1 state UP group default qlen 1000
    link/ether 50:3e:aa:03:9b:c9 brd ff:ff:ff:ff:ff:ff
7: br-LAN1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 50:3e:aa:03:95:83 brd ff:ff:ff:ff:ff:ff
    inet 10.209.1.1/24 brd 10.209.1.255 scope global br-LAN1
       valid_lft forever preferred_lft forever
    inet6 fdaa:4d3d:746e::1/64 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fe80::523e:aaff:fe03:9583/64 scope link
       valid_lft forever preferred_lft forever
9: vpn: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
    link/none
    inet 10.8.0.1/24 brd 10.8.0.255 scope global vpn
       valid_lft forever preferred_lft forever
    inet6 fe80::efc6:2002:d55a:a184/64 scope link stable-privacy
       valid_lft forever preferred_lft forever
default via 192.168.1.254 dev eth0 proto static
10.8.0.0/24 dev vpn proto kernel scope link src 10.8.0.1
10.209.1.0/24 dev br-LAN1 proto kernel scope link src 10.209.1.1
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.150
traceroute to openwrt.org (139.59.209.225), 30 hops max, 46 byte packets
 1  192.168.1.254 (192.168.1.254)  1.645 ms  0.436 ms  0.403 ms
 2  dsl-servicio-l200.uninet.net.mx (XXX.XXX.XXX.XXX)  3.154 ms  2.332 ms  2.663 ms
 3  bb-la-grand-8-be5.uninet.net.mx (XXX.XXX.XXX.XXX)  48.254 ms  47.584 ms  55.923 ms
 4  ffm-b11-link.telia.net (62.115.32.37)  56.044 ms  55.504 ms  58.029 ms
 5  ash-bb3-link.telia.net (62.115.137.36)  176.074 ms  175.047 ms  ash-bb2-link.telia.net (62.115.137.38)  173.927 ms
 6  prs-bb3-link.telia.net (62.115.112.243)  176.279 ms  prs-bb4-link.telia.net (62.115.122.158)  177.171 ms  prs-bb3-link.telia.net (62.115.112.243)  181.895 ms
 7  ffm-bb2-link.telia.net (62.115.114.99)  174.759 ms  169.906 ms  ffm-bb1-link.telia.net (62.115.123.12)  176.807 ms
 8  ffm-b5-link.telia.net (62.115.114.91)  170.929 ms  ffm-b5-link.telia.net (62.115.114.89)  178.565 ms  174.662 ms
 9  *  digitalocean-ic-328178-ffm-b4.c.telia.net (80.239.128.23)  194.863 ms  189.065 ms
10  *  *  *
11  *  *  *
12  wiki-01.infra.openwrt.org (139.59.209.225)  193.965 ms  189.302 ms  194.144 ms
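The firewall dump above is the part of the setup that decides whether tunnel traffic can leave the VPN zone at all, and it is easy to misread by hand: fw3 only builds the VPN-to-lan and VPN-to-wan forwarding chains when a `forwarding` section exists for each pair, the wan zone has to masquerade, and the listening port needs an input rule. The script below is an added example for this thread (not OpenWrt or fw3 code) that parses a `uci show firewall` dump and reports those points. Its `SAMPLE` is an excerpt of the dump posted above, so on that input the forwardings and masquerading check out and the only finding is that the rule named Allow-Ping has target DROP.

```python
"""Lint a `uci show firewall` dump for what an OpenVPN zone needs.
Added example for this thread; not OpenWrt/fw3 code.  SAMPLE is an excerpt
of the firewall dump posted above (only the sections the checks use)."""
import re

SAMPLE = """\
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[0].network='LAN1'
firewall.@zone[1]=zone
firewall.@zone[1].name='VPN'
firewall.@zone[1].network='vpn'
firewall.@zone[1].input='ACCEPT'
firewall.@zone[1].forward='ACCEPT'
firewall.@zone[2]=zone
firewall.@zone[2].name='wan'
firewall.@zone[2].network='wan'
firewall.@zone[2].masq='1'
firewall.@zone[2].input='DROP'
firewall.@zone[2].forward='DROP'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].target='DROP'
firewall.@rule[11]=rule
firewall.@rule[11].src='*'
firewall.@rule[11].target='ACCEPT'
firewall.@rule[11].name='Allow-VPN'
firewall.@rule[11].dest_port='834'
firewall.@rule[11].proto='udp'
firewall.@forwarding[2]=forwarding
firewall.@forwarding[2].dest='lan'
firewall.@forwarding[2].src='VPN'
firewall.@forwarding[3]=forwarding
firewall.@forwarding[3].dest='wan'
firewall.@forwarding[3].src='VPN'
"""

# "firewall.@zone[0].name='lan'" -> section "@zone[0]", option "name", value "'lan'"
LINE = re.compile(r"^firewall\.(@\w+\[\d+\]|\w+)(?:\.(\w+))?=(.*)$")


def parse_uci(text):
    """Return {section_id: {'.type': type, option: value, ...}}."""
    sections = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        sid, opt, val = m.groups()
        if opt is None:                        # "firewall.@zone[0]=zone"
            sections[sid] = {".type": val}
        else:                                  # uci single-quotes values
            sections.setdefault(sid, {})[opt] = val.strip("'")
    return sections


def of_type(sections, kind):
    return [s for s in sections.values() if s.get(".type") == kind]


def lint(sections, vpn_zone="VPN", vpn_port="834", vpn_proto="udp"):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    zones = {z.get("name"): z for z in of_type(sections, "zone")}
    fwd = {(f.get("src"), f.get("dest")) for f in of_type(sections, "forwarding")}
    rules = of_type(sections, "rule")

    if vpn_zone not in zones:
        return [f"no zone named {vpn_zone}"]
    # Clients need a forwarding from the VPN zone to lan (LAN access) and to
    # wan (internet); the wan zone must masquerade or the replies are unroutable.
    for dest in ("lan", "wan"):
        if (vpn_zone, dest) not in fwd:
            findings.append(f"missing forwarding {vpn_zone} -> {dest}")
    if zones.get("wan", {}).get("masq") != "1":
        findings.append("wan zone does not masquerade")
    # The router itself must accept the tunnel port from the wan side.
    # src='*' also works: fw3 applies such a rule to input from every zone.
    if not any(r.get("proto") == vpn_proto and r.get("dest_port") == vpn_port
               and r.get("src") in ("wan", "*") and r.get("target") == "ACCEPT"
               and "dest" not in r for r in rules):
        findings.append(f"no input rule accepting {vpn_proto}/{vpn_port} from wan")
    # A rule whose name says Allow but whose target drops is a review finding
    # even when it is intentional: the next reader will trust the name.
    for r in rules:
        name, target = r.get("name", ""), r.get("target", "")
        if name.startswith("Allow-") and target in ("DROP", "REJECT"):
            findings.append(f"rule {name} is named Allow but targets {target}")
    return findings


if __name__ == "__main__":
    for finding in lint(parse_uci(SAMPLE)) or ["no findings"]:
        print(finding)
```

To run it against a live box, feed the output of `uci show firewall` to `parse_uci` instead of `SAMPLE`; the zone name, port and protocol are parameters of `lint` so it can be pointed at any server zone.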

In your OpenVPN server configuration, you need to add a route to your OpenWrt LAN (and from there, the WAN should work)

push 'route 10.209.1.0 255.255.255.0'

The push route option is already there, or do you mean adding a route option? Because with the route option I lose internet in my LAN.

The push options are:

push 'redirect-gateway def1'
push 'dhcp-option DNS 10.209.1.1'
push 'route 10.209.1.0 255.255.255.0'

whoops... I totally missed it (even though I quoted it!! :crazy_face:)

What do the logs say on your client connection? And how are you testing it (i.e. inside or outside your own network)?

One thing to try would be to have your push directives split out (each getting its own line and the explicit "push") -- I can't remember if the cascaded push items will all work or not.

I'm testing from outside my network, with my mobile phone in AP mode, then connecting my laptop from there.

I've no idea why the "uci show" command shows the push in one line, but in /etc/config/openvpn every push directive has its own line.

The logs in my client are these (I think the first part is connecting and then disconnecting):

Mon Feb 24 09:48:26 2020 OpenVPN 2.4.7 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 25 2019
Mon Feb 24 09:48:26 2020 Windows version 6.2 (Windows 8 or greater) 64bit
Mon Feb 24 09:48:26 2020 library versions: OpenSSL 1.1.0j  20 Nov 2018, LZO 2.10
Enter Management Password:
Mon Feb 24 09:48:26 2020 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25341
Mon Feb 24 09:48:26 2020 Need hold release from management interface, waiting...
Mon Feb 24 09:48:27 2020 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25341
Mon Feb 24 09:48:27 2020 MANAGEMENT: CMD 'state on'
Mon Feb 24 09:48:27 2020 MANAGEMENT: CMD 'log all on'
Mon Feb 24 09:48:27 2020 MANAGEMENT: CMD 'echo all on'
Mon Feb 24 09:48:27 2020 MANAGEMENT: CMD 'bytecount 5'
Mon Feb 24 09:48:27 2020 MANAGEMENT: CMD 'hold off'
Mon Feb 24 09:48:27 2020 MANAGEMENT: CMD 'hold release'
Mon Feb 24 09:48:27 2020 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Mon Feb 24 09:48:27 2020 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Mon Feb 24 09:48:27 2020 MANAGEMENT: >STATE:1582559307,RESOLVE,,,,,,
Mon Feb 24 09:48:27 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]187.170.232.146:834
Mon Feb 24 09:48:27 2020 Socket Buffers: R=[65536->65536] S=[65536->65536]
Mon Feb 24 09:48:27 2020 UDP link local: (not bound)
Mon Feb 24 09:48:27 2020 UDP link remote: [AF_INET]XXX.XXX.XXX.XXX:PPP
Mon Feb 24 09:48:27 2020 MANAGEMENT: >STATE:1582559307,WAIT,,,,,,
Mon Feb 24 09:48:27 2020 MANAGEMENT: >STATE:1582559307,AUTH,,,,,,
Mon Feb 24 09:48:27 2020 TLS: Initial packet from [AF_INET]187.170.232.146:834, sid=998d4f6b 7e03410c
Mon Feb 24 09:48:27 2020 VERIFY OK: depth=1, CN=ChangeMe
Mon Feb 24 09:48:27 2020 VERIFY KU OK
Mon Feb 24 09:48:27 2020 Validating certificate extended key usage
Mon Feb 24 09:48:27 2020 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Mon Feb 24 09:48:27 2020 VERIFY EKU OK
Mon Feb 24 09:48:27 2020 VERIFY OK: depth=0, CN=server
Mon Feb 24 09:48:27 2020 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Mon Feb 24 09:48:27 2020 [server] Peer Connection Initiated with [AF_INET]XXX.XXX.XXX.XXX:PPP
Mon Feb 24 09:48:28 2020 MANAGEMENT: >STATE:1582559308,GET_CONFIG,,,,,,
Mon Feb 24 09:48:28 2020 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Mon Feb 24 09:48:29 2020 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.209.1.1,route 10.209.1.0 255.255.255.0,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM'
Mon Feb 24 09:48:29 2020 OPTIONS IMPORT: timers and/or timeouts modified
Mon Feb 24 09:48:29 2020 OPTIONS IMPORT: --ifconfig/up options modified
Mon Feb 24 09:48:29 2020 OPTIONS IMPORT: route options modified
Mon Feb 24 09:48:29 2020 OPTIONS IMPORT: route-related options modified
Mon Feb 24 09:48:29 2020 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Mon Feb 24 09:48:29 2020 OPTIONS IMPORT: peer-id set
Mon Feb 24 09:48:29 2020 OPTIONS IMPORT: adjusting link_mtu to 1625
Mon Feb 24 09:48:29 2020 OPTIONS IMPORT: data channel crypto options modified
Mon Feb 24 09:48:29 2020 Data Channel: using negotiated cipher 'AES-256-GCM'
Mon Feb 24 09:48:29 2020 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mon Feb 24 09:48:29 2020 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mon Feb 24 09:48:29 2020 interactive service msg_channel=904
Mon Feb 24 09:48:29 2020 ROUTE_GATEWAY 192.168.43.252/255.255.255.0 I=18 HWADDR=04:ea:56:c3:55:55
Mon Feb 24 09:48:29 2020 open_tun
Mon Feb 24 09:48:29 2020 TAP-WIN32 device [Ethernet 3] opened: \\.\Global\{1A4471AB-2788-4D17-827A-96B9EA2BD11B}.tap
Mon Feb 24 09:48:29 2020 TAP-Windows Driver Version 9.23 
Mon Feb 24 09:48:29 2020 Set TAP-Windows TUN subnet mode network/local/netmask = 10.8.0.0/10.8.0.2/255.255.255.0 [SUCCEEDED]
Mon Feb 24 09:48:29 2020 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.8.0.2/255.255.255.0 on interface {1A4471AB-2788-4D17-827A-96B9EA2BD11B} [DHCP-serv: 10.8.0.254, lease-time: 31536000]
Mon Feb 24 09:48:29 2020 Successful ARP Flush on interface [7] {1A4471AB-2788-4D17-827A-96B9EA2BD11B}
Mon Feb 24 09:48:29 2020 MANAGEMENT: >STATE:1582559309,ASSIGN_IP,,10.8.0.2,,,,
Mon Feb 24 09:48:34 2020 TEST ROUTES: 2/2 succeeded len=1 ret=1 a=0 u/d=up
Mon Feb 24 09:48:34 2020 C:\WINDOWS\system32\route.exe ADD XXX.XXX.XXX.XXX MASK 255.255.255.255 192.168.43.252
Mon Feb 24 09:48:34 2020 Route addition via service succeeded
Mon Feb 24 09:48:34 2020 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.8.0.1
Mon Feb 24 09:48:34 2020 Route addition via service succeeded
Mon Feb 24 09:48:34 2020 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.8.0.1
Mon Feb 24 09:48:34 2020 Route addition via service succeeded
Mon Feb 24 09:48:34 2020 MANAGEMENT: >STATE:1582559314,ADD_ROUTES,,,,,,
Mon Feb 24 09:48:34 2020 C:\WINDOWS\system32\route.exe ADD 10.209.1.0 MASK 255.255.255.0 10.8.0.1
Mon Feb 24 09:48:34 2020 Route addition via service succeeded
Mon Feb 24 09:48:34 2020 Initialization Sequence Completed
Mon Feb 24 09:48:34 2020 MANAGEMENT: >STATE:1582559314,CONNECTED,SUCCESS,10.8.0.2,XXX.XXX.XXX.XXX:PPP,,
Mon Feb 24 09:49:31 2020 C:\WINDOWS\system32\route.exe DELETE 10.209.1.0 MASK 255.255.255.0 10.8.0.1
Mon Feb 24 09:49:31 2020 Route deletion via service succeeded
Mon Feb 24 09:49:31 2020 C:\WINDOWS\system32\route.exe DELETE XXX.XXX.XXX.XXX MASK 255.255.255.255 192.168.43.252
Mon Feb 24 09:49:31 2020 Route deletion via service succeeded
Mon Feb 24 09:49:31 2020 C:\WINDOWS\system32\route.exe DELETE 0.0.0.0 MASK 128.0.0.0 10.8.0.1
Mon Feb 24 09:49:31 2020 Route deletion via service succeeded
Mon Feb 24 09:49:31 2020 C:\WINDOWS\system32\route.exe DELETE 128.0.0.0 MASK 128.0.0.0 10.8.0.1
Mon Feb 24 09:49:31 2020 Route deletion via service succeeded
Mon Feb 24 09:49:31 2020 Closing TUN/TAP interface
Mon Feb 24 09:49:31 2020 TAP: DHCP address released
Mon Feb 24 09:49:31 2020 SIGTERM[hard,] received, process exiting
Mon Feb 24 09:49:31 2020 MANAGEMENT: >STATE:1582559371,EXITING,SIGTERM,,,,,
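The client log above already settles one half of the question: the PUSH_REPLY carries `redirect-gateway def1`, the DNS option and `route 10.209.1.0 255.255.255.0`, and every `route.exe ADD` that follows reports success, so the client ends up with the two /1 routes to 10.8.0.1 that `def1` uses plus the LAN route. (The pushed `cipher AES-256-GCM`, despite `cipher AES-256-CBC` in the server config, is OpenVPN 2.4 negotiating a GCM data-channel cipher because both ends support it.) The script below is an added example for this thread, not OpenVPN code; it parses that log excerpt and checks that what was pushed was actually installed, which narrows the problem to the server or LAN side. `LOG` is an excerpt of the Windows client log posted above, with the server address masked as XXX.XXX.XXX.XXX as in the post.

```python
"""Check an OpenVPN 2.4 client log: did the client receive the pushed
options, and did it install the routes they imply?  Added example for this
thread, not OpenVPN's own code.  LOG is an excerpt of the client log posted
above (server address masked as XXX.XXX.XXX.XXX in the post)."""
import re

LOG = r"""
Mon Feb 24 09:48:29 2020 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.209.1.1,route 10.209.1.0 255.255.255.0,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM'
Mon Feb 24 09:48:29 2020 Data Channel: using negotiated cipher 'AES-256-GCM'
Mon Feb 24 09:48:34 2020 C:\WINDOWS\system32\route.exe ADD XXX.XXX.XXX.XXX MASK 255.255.255.255 192.168.43.252
Mon Feb 24 09:48:34 2020 Route addition via service succeeded
Mon Feb 24 09:48:34 2020 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.8.0.1
Mon Feb 24 09:48:34 2020 Route addition via service succeeded
Mon Feb 24 09:48:34 2020 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.8.0.1
Mon Feb 24 09:48:34 2020 Route addition via service succeeded
Mon Feb 24 09:48:34 2020 C:\WINDOWS\system32\route.exe ADD 10.209.1.0 MASK 255.255.255.0 10.8.0.1
Mon Feb 24 09:48:34 2020 Route addition via service succeeded
Mon Feb 24 09:48:34 2020 Initialization Sequence Completed
"""

PUSH_RE = re.compile(r"PUSH: Received control message: 'PUSH_REPLY,(.*)'")
ROUTE_RE = re.compile(r"route\.exe ADD (\S+) MASK (\S+) (\S+)")


def pushed_options(log):
    """Return the PUSH_REPLY as a list of (directive, argument_string)."""
    m = PUSH_RE.search(log)
    if not m:
        return []
    out = []
    for item in m.group(1).split(","):
        name, _, arg = item.strip().partition(" ")
        out.append((name, arg))
    return out


def installed_routes(log):
    """(network, mask, gateway) for each route.exe ADD whose next line reports success."""
    lines = log.splitlines()
    routes = []
    for i, line in enumerate(lines):
        m = ROUTE_RE.search(line)
        if m and i + 1 < len(lines) and "succeeded" in lines[i + 1]:
            routes.append(m.groups())
    return routes


def summarize(log):
    """Compare what the server pushed with what the client actually did."""
    pushed = pushed_options(log)
    routes = installed_routes(log)
    wanted = [tuple(arg.split()[:2]) for name, arg in pushed if name == "route"]
    return {
        # every pushed 'route <net> <mask>' must appear as an installed route
        "pushed_routes_installed": all(any(r[:2] == w for r in routes) for w in wanted),
        "redirect_gateway": any(name == "redirect-gateway" for name, _ in pushed),
        # 'def1' is two /1 routes that beat the existing default, not a new default
        "def1_installed": {r[0] for r in routes if r[1] == "128.0.0.0"} == {"0.0.0.0", "128.0.0.0"},
        "dns": [arg.split()[1] for name, arg in pushed
                if name == "dhcp-option" and arg.startswith("DNS ")],
        "cipher": next((arg for name, arg in pushed if name == "cipher"), None),
        "completed": "Initialization Sequence Completed" in log,
    }


if __name__ == "__main__":
    for key, value in summarize(LOG).items():
        print(f"{key}: {value}")
```

A client that reports `pushed_routes_installed` true, both `def1` halves present and the LAN route pointing at 10.8.0.1 has done everything the server asked; when LAN hosts are still unreachable after that, the place to look is the router's forwarding and the LAN hosts' own return paths, not the push directives.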

Have you tried running OpenVPN on your phone (via the cellular connection) directly and then using a network utility app, running the traceroute and ping tests from the phone itself? (with AP/Tether/hotspot mode disabled)?

Ok, I've tried your suggestion with the OpenVPN app, but I get the same results, no LAN and WAN.

When I connect to my older VPN (the one I'm trying to migrate into this new router) I have LAN and WAN.

I've no idea what's wrong with this server.

I don't see anything obvious that would be an issue. What are the differences between your 'older VPN' and your new one (was that also running on an OpenWrt device? same topology for the upstream network connectivity? any notable diffs between the two server config files? etc.)

Ok, I've made a few adjustments and now I have internet from the VPN, but still no LAN.

Added: push 'remote-gateway vpn_server_ip'
Change push to: push 'dhcp-option DNS 8.8.8.8'
Removed: compress 'lzo'

OpenVPN conf.

openvpn.MardyVPN=openvpn
openvpn.MardyVPN.comp_lzo='yes'
openvpn.MardyVPN.persist_tun='1'
openvpn.MardyVPN.persist_key='1'
openvpn.MardyVPN.cipher='AES-256-CBC'
openvpn.MardyVPN.ca='/etc/openvpn/pki/ca.crt'
openvpn.MardyVPN.dh='/etc/openvpn/pki/dh.pem'
openvpn.MardyVPN.key='/etc/openvpn/pki/private/server.key'
openvpn.MardyVPN.verb='3'
openvpn.MardyVPN.cert='/etc/openvpn/pki/issued/server.crt'
openvpn.MardyVPN.keepalive='10 120'
openvpn.MardyVPN.mode='server'
openvpn.MardyVPN.client_to_client='1'
openvpn.MardyVPN.log='/var/log/openvpn.log'
openvpn.MardyVPN.enabled='1'
openvpn.MardyVPN.log_append='/var/log/openvpn.log'
openvpn.MardyVPN.port='834'
openvpn.MardyVPN.proto='udp'
openvpn.MardyVPN.dev='tun'
openvpn.MardyVPN.user='nobody'
openvpn.MardyVPN.group='nogroup'
openvpn.MardyVPN.mute='5'
openvpn.MardyVPN.tls_server='1'
openvpn.MardyVPN.key_direction='0'
openvpn.MardyVPN.tls_auth='/etc/openvpn/pki/ta.key'
openvpn.MardyVPN.auth='SHA512'
openvpn.MardyVPN.server='10.8.0.0 255.255.255.0'
openvpn.MardyVPN.topology='subnet'
openvpn.MardyVPN.push='redirect-gateway def1' 'dhcp-option DNS 8.8.8.8' 'remote-gateway vpn_server_ip' 'route 10.209.1.0 255.255.255.0'

This is how my network used to be: the WiFi router does all the "router stuff" (DHCP/DNS, parental control, QoS, static leases, DDNS, etc.), and the HTPC is an Archlinux PC which holds ALL services, including the VPN server, Windows file sharing (SMB), Owncloud and streaming:

This is how my network is now: the WiFi AP only takes care of the WiFi connections and no other "router stuff"; then there's the OpenWRT router, which does all the "router stuff" and is also the VPN server.

The main difference is that BEFORE all services were on the same machine (the HTPC), and now the VPN server is on the gateway and I have to access the HTPC for the other services.

I've changed push 'dhcp-option DNS 8.8.8.8' to push 'dhcp-option DNS 10.209.1.1' and I'm still getting WAN but no LAN.

Just so you know, in order to rule out firewall problems on the HTPC I've disabled ufw, but I'm still not getting anything, although I can ping and route to other devices within the LAN.

This are the results from ping and traceroute from my Laptop connected to the VPN, the output is in spanish, but the results show that I can ping and route everything but the HTPC.

C:\Users\mlari>ping 10.209.1.149

Pinging 10.209.1.149 with 32 bytes of data:
Reply from 10.209.1.149: bytes=32 time=160ms TTL=63
Reply from 10.209.1.149: bytes=32 time=43ms TTL=63
Reply from 10.209.1.149: bytes=32 time=47ms TTL=63
Reply from 10.209.1.149: bytes=32 time=108ms TTL=63

Ping statistics for 10.209.1.149:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 43ms, Maximum = 160ms, Average = 89ms

C:\Users\mlari>ping 10.209.1.101

Pinging 10.209.1.101 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 10.209.1.101:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\Users\mlari>tracert 10.209.1.101

Tracing route to Server.lan [10.209.1.101]
over a maximum of 30 hops:

  1    57 ms    47 ms    66 ms  10.8.0.1
  2     *        *        *     Request timed out.
  3  ^C
C:\Users\mlari>tracert 10.209.1.102

Tracing route to TV-Room.lan [10.209.1.102]
over a maximum of 30 hops:

  1    43 ms    43 ms    44 ms  10.8.0.1
  2   107 ms   116 ms    35 ms  TV-Room.lan [10.209.1.102]

Trace complete.

C:\Users\mlari>tracert 10.209.1.100

Tracing route to Linksys.lan [10.209.1.100]
over a maximum of 30 hops:

  1    50 ms    39 ms    45 ms  10.8.0.1
  2    58 ms    34 ms    35 ms  Linksys.lan [10.209.1.100]

Trace complete.

C:\Users\mlari>tracert openwrt.org

Tracing route to openwrt.org [139.59.209.225]
over a maximum of 30 hops:

  1   997 ms    55 ms    34 ms  10.8.0.1
  2    66 ms    57 ms    71 ms  192.168.1.254
  3    52 ms    49 ms    57 ms  dsl-servicio-l200.uninet.net.mx [XXX.XXX.XXX.XXX]
  4    99 ms   106 ms    91 ms  bb-la-grand-8-be5.uninet.net.mx [XXX.XXX.XXX.XXX]
  5   118 ms    91 ms    91 ms  ffm-b11-link.telia.net [62.115.32.37]
  6     *        *      226 ms  ash-bb2-link.telia.net [62.115.137.38]
  7   215 ms   231 ms   219 ms  prs-bb3-link.telia.net [62.115.112.243]
  8   244 ms   216 ms   210 ms  ffm-bb1-link.telia.net [62.115.123.12]
  9   226 ms   224 ms   234 ms  ffm-b5-link.telia.net [62.115.114.89]
 10   235 ms   235 ms   256 ms  digitalocean-ic-328178-ffm-b4.c.telia.net [80.239.128.23]
 11   252 ms   244 ms   251 ms  138.197.250.156
 12     *        *        *     Request timed out.
 13   249 ms   251 ms   243 ms  wiki-01.infra.openwrt.org [139.59.209.225]

Trace complete.

C:\Users\mlari>tracert 10.209.1.103

Tracing route to CamaraIP.lan [10.209.1.103]
over a maximum of 30 hops:

  1    49 ms    41 ms    37 ms  10.8.0.1
  2    75 ms    41 ms    64 ms  CamaraIP.lan [10.209.1.103]

In theory, if you can ping devices on your LAN, you should have the ability to connect to them via standard services (as long as they don't require mDNS).

Check to make sure that the HTPC doesn't have any other firewall settings. In particular, if it is a Windows-based system, there is a setting that by default does not allow connections from RFC1918 networks aside from the one that the system is on (I don't use Windows, so I don't know where this setting is, but I know it exists).

Do you have other non-windows systems on your LAN that you can use to test (maybe using ssh, file sharing protocols, web management consoles, etc.)? If you can get to any other LAN devices, it would prove that the HTPC has some sort of firewall feature that is not disabled and is blocking your access from OpenVPN.

I've tested whether I can reach other devices and yes, I can log into the Linksys wireless AP which is in the subnet at 10.209.1.100, and I can even access my ISP modem which is on a totally different subnet (192.168.1.254), but I still can't get into the HTPC.

The HTPC is a Linux PC, so I disabled ufw and iptables (cleaned all directives), but still no access. Other than ufw and iptables, what other services could be blocking the ports?

This is my HTPC iptables:

Chain INPUT (policy ACCEPT 17321 packets, 2324K bytes)
 pkts bytes target     prot opt in     out     source               destination         
  68M   76G ufw-before-logging-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  68M   76G ufw-before-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  67M   76G ufw-after-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  67M   76G ufw-after-logging-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  67M   76G ufw-reject-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  67M   76G ufw-track-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ufw-before-logging-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ufw-before-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ufw-after-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ufw-after-logging-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ufw-reject-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ufw-track-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 17336 packets, 6866K bytes)
 pkts bytes target     prot opt in     out     source               destination         
  54M   27G ufw-before-logging-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  54M   27G ufw-before-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  53M   26G ufw-after-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  53M   26G ufw-after-logging-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  53M   26G ufw-reject-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  53M   26G ufw-track-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-after-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-after-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-after-logging-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-after-logging-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-after-logging-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-after-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-before-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-before-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-before-logging-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-before-logging-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-before-logging-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-before-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-reject-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-reject-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-reject-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-track-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-track-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-track-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         

I've flushed all of my iptables rules, but still can't ping or access any services on my HTPC.

The HTPC iptables:

Chain INPUT (policy ACCEPT 6197 packets, 1320K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 6467 packets, 1641K bytes)
 pkts bytes target     prot opt in     out     source               destination        

I'm pretty certain that there is something on your HTPC that is preventing access. That's because you have proven that you can access other devices on the same subnet. There is no reason that you wouldn't be able to access the HTPC except for firewall rules or some other restriction somewhere (including possibly a service-specific restriction). On the OpenWrt side of things, you don't have any firewall rules that would limit the VPN > LAN connectivity, so it must be on the HTPC.


Ok, I've found the problem and fixed it. Thank you for all your ideas, I wasn't really getting anywhere and your input helped me see new options.

Well, so anyone else knows about this:

The WAN problem got solved by adding the option push 'remote-gateway vpn_server_ip' to the server config.

The HTPC problem was that my OpenVPN subnet (10.8.0.0) on the router was the same as the HTPC's OpenVPN subnet (10.8.0.0), so the HTPC saw connection attempts from that subnet, but they weren't coming from its own tun0 device, rather from the gateway, and (I guess) as a safety measure it denied all incoming requests. Changing the subnet solved everything, and in the case of the Samba shares, adding the new subnet to hosts allow gave access.
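The post above attributes the drop to a "safety measure" on the HTPC without naming it. The following is an added example, not code from the thread or from OpenVPN/OpenWrt, that models the mechanism most likely responsible (an assumption on my part): Linux strict reverse-path filtering (rp_filter=1), which discards a packet when the interface the host would use to reach the packet's source address is not the interface it arrived on. With both OpenVPN servers on 10.8.0.0/24, the HTPC's route for that prefix points at its own tun0, so a forwarded packet from the router's VPN client arriving on the LAN NIC fails the check. The LAN interface name, the client address and the replacement subnet 10.9.0.0/24 are assumed; the post does not state which new subnet was chosen.

```python
"""Model of strict reverse-path filtering on the HTPC.

Added example (not from the forum thread).  The HTPC routing table below is
constructed from the addresses given in the thread plus assumptions:
  - LAN_IFACE is an assumed interface name,
  - ROUTER_VPN_AFTER is an assumed replacement subnet.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    iface: str


def lookup(routes, ip):
    """Longest-prefix match, the same selection the kernel FIB makes."""
    addr = ipaddress.ip_address(ip)
    best = None
    for r in routes:
        if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def strict_rpf_accepts(routes, src_ip, ingress_iface):
    """Strict rp_filter: accept only if the route back to src_ip leaves via
    the interface the packet came in on (RFC 3704 strict mode)."""
    r = lookup(routes, src_ip)
    return r is not None and r.iface == ingress_iface


def subnets_overlap(a, b):
    """True when two CIDR prefixes share any address (the thread's root cause)."""
    return ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b))


LAN_IFACE = "enp0s3"            # assumed name of the HTPC's LAN NIC
HTPC_VPN = "10.8.0.0/24"        # HTPC's own OpenVPN server subnet (from the thread)
ROUTER_VPN_BEFORE = "10.8.0.0/24"   # router's OpenVPN subnet before the fix (from the thread)
ROUTER_VPN_AFTER = "10.9.0.0/24"    # assumed subnet after the fix


def htpc_routes(htpc_vpn_subnet):
    """Constructed HTPC routing table: default and LAN via the NIC, its own
    VPN subnet via tun0."""
    return [
        Route(ipaddress.ip_network("0.0.0.0/0"), LAN_IFACE),      # default via 10.209.1.1
        Route(ipaddress.ip_network("10.209.1.0/24"), LAN_IFACE),  # directly connected LAN
        Route(ipaddress.ip_network(htpc_vpn_subnet), "tun0"),     # HTPC's own OpenVPN clients
    ]


def laptop_can_reach_htpc(router_vpn_subnet):
    """A client of the router's OpenVPN gets an address in router_vpn_subnet
    (the .6 host is assumed); the OpenWrt router forwards its packets onto
    the LAN, so they reach the HTPC on LAN_IFACE with that source address."""
    client_ip = list(ipaddress.ip_network(router_vpn_subnet).hosts())[5]
    return strict_rpf_accepts(htpc_routes(HTPC_VPN), str(client_ip), LAN_IFACE)


if __name__ == "__main__":
    for subnet in (ROUTER_VPN_BEFORE, ROUTER_VPN_AFTER):
        print(f"router VPN {subnet}: overlap with HTPC VPN = {subnets_overlap(subnet, HTPC_VPN)}, "
              f"HTPC accepts client packets = {laptop_can_reach_htpc(subnet)}")
```

On a real host the same lookup is `ip route get 10.8.0.6`, which on the HTPC would have answered "dev tun0", and the active policy is visible in `sysctl net.ipv4.conf.all.rp_filter`. Changing the subnet is the right fix rather than relaxing rp_filter, since the filter is doing exactly what it should when two networks claim the same prefix.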

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.