OpenVPN server on a single LAN interface device

Hello, I hope you can help me set up OpenVPN correctly on my device.
I have a Western Digital MyBookLive running OpenWrt, and I want to use it as an OpenVPN server to access my home devices and the internet remotely.

The MBL has only one Ethernet port, corresponding to "LAN" in OpenWrt.

This is my configuration:

Fiber modem : 192.168.1.1/255.255.255.0
Router : 192.168.1.2/255.255.255.0 (internet side) / 192.168.0.1/255.255.255.0 (lan side)
MBL : 192.168.0.5/255.255.255.0

I installed OpenVPN on the MBL without any problem, and I could successfully establish a VPN connection between my Windows laptop (4G) and the server. However, I could only access the IP address of the server, I mean 192.168.0.5. On the remote client, I cannot access other devices and have no internet connection.

I think it's due to a missing WAN port configuration, so I don't know whether I can set both WAN and LAN interfaces on the same physical port.

Parts of my client config:

user nobody
group nogroup
dev tun
nobind
client
auth-nocache

Parts of my server config:

user nobody
group nogroup
dev tun
port 1194
proto udp
server 192.168.8.0 255.255.255.0
topology subnet
client-to-client
keepalive 10 60
persist-tun
persist-key
push "dhcp-option DNS 192.168.8.1"
push "dhcp-option DOMAIN "
push "redirect-gateway def1"
push "persist-tun"
push "persist-key"

I also saw this post:

So how can I add the missing route?

Thanks a lot for your help!

What is the configuration of your firewall?
Have you enabled forwarding between the vpn zone and the lan zone?

Thanks for the reply!
No, I did not set up forwarding between the two zones because I don't know how.
This is my firewall configuration file. I hope you can help me do it!

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone 'lan'
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list device 'tun+'

config zone 'wan'
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled 'false'

config include
	option path '/etc/firewall.user'

config rule 'ovpn'
	option name 'Allow-OpenVPN'
	option src 'wan'
	option dest_port '1194'
	option proto 'udp'
	option target 'ACCEPT'

As you can see in the last rule, created by the OpenVPN server installation itself, there is an option for traffic from WAN (but I don't have this interface, only LAN).

This is my network configuration:

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd46:52f9:3880::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.0.5'
	option gateway '192.168.0.1'
	list dns '1.1.1.1'
	list dns '1.0.0.1'
	list dns '8.8.8.8'
	list dns '8.8.4.4'

If it could help, this is my simplified home configuration:

So what can I do to edit this rule or add the missing forwarding?

PS: UDP port 1194 forwarding is correctly configured on the modem and router to the device, and the LuCI web interface is reachable by OpenVPN clients.

In the

config zone 'lan'
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list device 'tun+'

Remove the list device 'tun+' line, then add the following at the bottom:

config zone
	option output 'ACCEPT'
	option name 'vpn'
	list masq_src '192.168.8.0/24'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	list network 'tun0'

config forwarding
	option dest 'vpn'
	option src 'lan'

config forwarding
	option dest 'lan'
	option src 'vpn'

Then run this command:

/etc/init.d/firewall reload

Then go to LuCI and create the interface in the Interfaces section:

Assign a firewall zone:

Then just restart your OpenVPN instance from LuCI or the CLI and reconnect to the VPN.

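
The zone and forwarding changes in the reply above can be checked mechanically. The following is an added example, not code from the thread or from OpenWrt: a small parser for the UCI /etc/config/firewall syntax and a checker that reports whether the OpenVPN tun device belongs to a zone, whether traffic can be forwarded between that zone and 'lan' (intra-zone forwarding when a 'list device' pattern pulls tun0 into 'lan' itself), and whether 'lan' masquerades. The BEFORE and AFTER strings are constructed from the thread's postings, trimmed to the sections the check reads; the function names are assumptions of this example.

```python
"""Added example (not from the thread): UCI firewall parser + VPN-zone checker.
Sample configs below are constructed from the thread's before/after postings."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Section:
    type: str                 # zone, forwarding, rule, ...
    name: Optional[str]       # the optional 'name' after the type, e.g. config zone 'lan'
    options: Dict[str, str] = field(default_factory=dict)
    lists: Dict[str, List[str]] = field(default_factory=dict)


# config <type> ['name'] | option <key> <value> | list <key> <value>
_UCI_LINE = re.compile(
    r"""^(config|option|list)\s+(\S+)(?:\s+(?:'([^']*)'|"([^"]*)"|(\S+)))?$""")


def parse_uci(text: str) -> List[Section]:
    sections: List[Section] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _UCI_LINE.match(line)
        if not m:
            raise ValueError(f"unparsable UCI line: {raw!r}")
        kind, key = m.group(1), m.group(2)
        value = next((g for g in m.groups()[2:] if g is not None), None)
        if kind == "config":
            sections.append(Section(type=key, name=value))
        elif not sections:
            raise ValueError(f"{kind} outside any config section: {raw!r}")
        elif kind == "option":
            sections[-1].options[key] = value or ""
        else:
            sections[-1].lists.setdefault(key, []).append(value or "")
    return sections


def _device_matches(pattern: str, device: str) -> bool:
    # fw3 hands 'list device' names to iptables, where a trailing '+' is a prefix wildcard
    return device.startswith(pattern[:-1]) if pattern.endswith("+") else device == pattern


def zone_of(sections: List[Section], network: str, device: str) -> Optional[Section]:
    """First zone that claims the logical network name or the kernel device name."""
    for s in sections:
        if s.type == "zone" and (network in s.lists.get("network", []) or
                                 any(_device_matches(p, device) for p in s.lists.get("device", []))):
            return s
    return None


def has_forwarding(sections: List[Section], src: str, dest: str) -> bool:
    return any(s.type == "forwarding" and s.options.get("src") == src
               and s.options.get("dest") == dest for s in sections)


def check_vpn_zone(text: str, network: str = "tun0", device: str = "tun0",
                   lan: str = "lan") -> List[str]:
    """Return what is still missing for VPN clients to be forwarded into the LAN."""
    sections = parse_uci(text)
    problems: List[str] = []
    vpn = zone_of(sections, network, device)
    if vpn is None:
        problems.append(f"{device} is not a member of any zone")
    elif vpn.options.get("name") == lan:
        # tun matched into 'lan' itself: the zone's own 'forward' option governs tun<->lan
        if vpn.options.get("forward") != "ACCEPT":
            problems.append(f"{device} is in zone '{lan}' but intra-zone forward is not ACCEPT")
    else:
        vname = vpn.options.get("name", "?")
        for src, dest in ((vname, lan), (lan, vname)):
            if not has_forwarding(sections, src, dest):
                problems.append(f"no forwarding {src} -> {dest}")
    lan_zone = next((s for s in sections if s.type == "zone" and s.options.get("name") == lan), None)
    if lan_zone is None or lan_zone.options.get("masq") != "1":
        problems.append(f"zone '{lan}' does not masquerade (option masq '1')")
    return problems


# Constructed from the first firewall posting: tun devices matched into 'lan', no masq.
BEFORE = """
config zone 'lan'
    option name 'lan'
    list network 'lan'
    option forward 'ACCEPT'
    list device 'tun+'
"""

# Constructed from the replies: tun0 in its own 'vpn' zone, forwarding both ways, masq on lan.
AFTER = """
config zone 'lan'
    option name 'lan'
    option forward 'ACCEPT'
    option masq '1'
    list network 'lan'

config zone
    option name 'vpn'
    option input 'ACCEPT'
    option forward 'ACCEPT'
    list network 'tun0'

config forwarding
    option src 'lan'
    option dest 'vpn'

config forwarding
    option src 'vpn'
    option dest 'lan'
"""

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, check_vpn_zone(cfg) or "ok")
```

Run it against the full /etc/config/firewall of the device (`check_vpn_zone(open("/etc/config/firewall").read())`) after editing and before `/etc/init.d/firewall reload`; an empty list means the zone, both forwardings and the lan masquerade are all present.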

Add to the lan zone:
option masq '1'


Thanks a lot!
I'll give it a try once I'm back home.

Is "tun0" a virtual interface? I mean, it's not associated with the physical Ethernet interface?

Thanks again!

tun0 is a virtual interface created by the OpenVPN instance. You should see it in the devices list in LuCI when the OpenVPN server is running.

Many thanks.
I'll test this ASAP!

One additional question please: does the config you provided also allow VPN clients to reach the home internet through the tunnel? I mean, will the internet traffic be routed through the VPN?

Can I leave the DHCP settings untouched on clients after installing the official OpenVPN client on both Windows and Android?

Thanks.

If you forward the port from the ISP modem and the underlying router, the rerouting of traffic will depend on the option

	list push 'redirect-gateway local def1'

in your OpenVPN config file.

No need to play with the DHCP settings.


Hello, and thanks again for your support!

This is my situation now: after adding the TUN0 interface, adding the firewall entries and the option masq '1' to the LAN zone, I can finally reach all the devices of my home network through the VPN!

However, I still have no internet connection on VPN clients. These are my configurations:

Firewall:

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'
	list network 'lan'

config zone 'wan'
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled 'false'

config include
	option path '/etc/firewall.user'

config rule 'ovpn'
	option name 'Allow-OpenVPN'
	option src 'wan'
	option dest_port '1194'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option output 'ACCEPT'
	option name 'vpn'
	list masq_src '192.168.8.0/24'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	list network 'tun0'

config forwarding
	option dest 'vpn'
	option src 'lan'

config forwarding
	option dest 'lan'
	option src 'vpn'

Client:

user nobody
group nogroup
dev tun
nobind
client
remote <my-public-IP> 1194 udp
auth-nocache
remote-cert-tls server

Server:

user nobody
group nogroup
dev tun
port 1194
proto udp
server 192.168.8.0 255.255.255.0
topology subnet
client-to-client
keepalive 10 60
persist-tun
persist-key
push "dhcp-option DNS 192.168.8.1"
push "dhcp-option DOMAIN "
push "redirect-gateway def1"
push "persist-tun"
push "persist-key"

I don't know if I did something wrong. The only port I forwarded to my server is UDP 1194.

Should I add another port forward? How do I use the option list push redirect-gateway local def1 you told me about?

Edit: I added the list push redirect-gateway local def1 to the OpenVPN configuration file, but still no internet access on VPN clients.

Thanks again!

remove this:

Change this to either your main router (192.168.0.1) or a public DNS like 8.8.8.8.

remove this:


You may also need one more directive in your OpenVPN config file...

	list push 'route 192.168.0.0 255.255.255.0'
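
The points raised in the last two replies (the DNS pushed to clients, the empty DOMAIN option, and the route to the home LAN) can be checked against the server configuration before restarting OpenVPN. The following is an added example, not code from the thread or from OpenVPN: it reads the 'server' directive and every pushed option, accepting both the plain `push "..."` lines posted above and OpenWrt's UCI `list push '...'` form, and returns a list of findings. The LAN prefix 192.168.0.0/24 and the sample configs are taken from the thread; the function names and messages are assumptions of this example.

```python
"""Added example (not from the thread): lint for an OpenVPN server config.
POSTED is the server config from the thread; FIXED applies the replies' advice."""
import ipaddress
import re
from typing import List, Optional, Tuple

# push "..." / push '...' and the UCI form: list push '...'
_PUSH = re.compile(r"""^\s*(?:list\s+)?push\s+(?:"([^"]*)"|'([^']*)'|(\S+))\s*$""")
# server <net> <mask>, or the UCI form: option server '<net> <mask>'
_SERVER = re.compile(r"^\s*(?:option\s+)?server\s+'?(\S+?)\s+(\S+?)'?\s*$")


def parse_server_config(text: str) -> Tuple[Optional[ipaddress.IPv4Network], List[str]]:
    """Return (VPN subnet from 'server', pushed directives as plain strings)."""
    subnet = None
    pushed: List[str] = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("#", ";")):
            continue
        m = _SERVER.match(line)
        if m:
            subnet = ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}", strict=False)
            continue
        m = _PUSH.match(line)
        if m:
            pushed.append(next(g for g in m.groups() if g is not None).strip())
    return subnet, pushed


def lint_server_config(text: str, lan_subnet: str = "192.168.0.0/24") -> List[str]:
    lan = ipaddress.IPv4Network(lan_subnet)
    subnet, pushed = parse_server_config(text)
    if subnet is None:
        return ["no 'server' directive found"]
    problems: List[str] = []
    if subnet.overlaps(lan):
        problems.append(f"VPN subnet {subnet} overlaps LAN subnet {lan}")
    has_redirect = routes_lan = False
    for directive in pushed:
        words = directive.split()
        if words[:2] == ["dhcp-option", "DNS"]:
            if len(words) < 3:
                problems.append("pushed 'dhcp-option DNS' has no address")
            elif ipaddress.IPv4Address(words[2]) in subnet:
                # A resolver would have to listen on the tun interface for this to work;
                # the reply above points clients at the LAN router or a public DNS instead.
                problems.append(f"pushed DNS {words[2]} is inside the VPN subnet {subnet}")
        elif words[:2] == ["dhcp-option", "DOMAIN"] and len(words) < 3:
            problems.append("pushed 'dhcp-option DOMAIN' has no domain value")
        elif words[:1] == ["redirect-gateway"]:
            has_redirect = True
            if "local" in words:
                # Per the OpenVPN manual, 'local' is for clients on the same physical
                # subnet as the server; a client on 4G is not.
                problems.append("redirect-gateway 'local' flag skips the host route to the server")
        elif words[:1] == ["route"] and len(words) >= 3:
            net = ipaddress.IPv4Network(f"{words[1]}/{words[2]}", strict=False)
            routes_lan = routes_lan or net == lan
    if not has_redirect and not routes_lan:
        problems.append(f"clients get no route to {lan}: push a route or redirect-gateway")
    return problems


# Server config as posted in the thread (before the fixes suggested in the replies).
POSTED = """\
server 192.168.8.0 255.255.255.0
topology subnet
push "dhcp-option DNS 192.168.8.1"
push "dhcp-option DOMAIN "
push "redirect-gateway def1"
push "persist-tun"
push "persist-key"
"""

# The same config with the replies applied, written in UCI form for /etc/config/openvpn.
FIXED = """\
option server '192.168.8.0 255.255.255.0'
list push 'dhcp-option DNS 192.168.0.1'
list push 'redirect-gateway def1'
list push 'route 192.168.0.0 255.255.255.0'
"""

if __name__ == "__main__":
    print("posted:", lint_server_config(POSTED) or "ok")
    print("fixed: ", lint_server_config(FIXED) or "ok")
```

An explicit pushed route to the LAN is accepted as sufficient on its own, and so is `redirect-gateway def1`, since the default route through the tunnel already covers the LAN; the lint only complains when neither is present.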

Wow, worked like a charm!

Thanks to all for your help!
