OPENVPN Server on OpenWrt - cannot access other devices from VPN

Hi

I'm having two problems:

  1. accessing devices in LAN while I'm connected from VPN to VPN Server on Router.
  2. cutting off access to LAN while being connected to Commercial VPN

Problem 1 is more concerning to me...

LAN addressing is 10.1.1.0/24
VPN is 10.2.1.0/24
VPN for Commercial VPN Provider is 10.3.1.0
Before you see my config, I need to explain one thing: I also have a VPN client on the router, which is used for a separate SSID...

So to the point:

VPN Server configuration
config openvpn 'vpn_home'
        option keepalive '10 120'
        option verb '3'
        option client_to_client '1'
        option port '1194'
        option dh '/etc/easy-rsa/pki/dh.pem'
        option ca '/etc/easy-rsa/pki/ca.crt'
        option cert '/etc/easy-rsa/pki/issued/server.crt'
        option key '/etc/easy-rsa/pki/private/server.key'
        option enabled '1'
        option tls_auth '/etc/easy-rsa/pki/tc.pem'
        option persist_tun '1'
        option persist_key '1'
        option duplicate_cn '1'
        option tls_server '1'
        option dev 'tun1'
        option dev_type 'tun'
        option compress 'lzo'
        option server '10.2.1.0 255.255.255.0'
        option script_security '2'
        option auth_user_pass_verify '/etc/openvpn/userverify.sh via-file'
        list push 'persist-tun'
        list push 'persist-key'
        list push 'route 10.1.1.0 255.255.255.0'
VPN Client Profile
verb 3
dev tun
nobind
client
remote somedyndns.pl 1194 udp
comp-lzo
auth-user-pass
auth-nocache
remote-cert-tls server
...and certificates
Network
config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd19:8954:e110::/48'

config interface 'lan'
        option type 'bridge'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '10.1.1.1'
        option ifname 'eth0.1 tun1'
        option delegate '0'
        option igmp_snooping '1'

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'dhcp'
        option delegate '0'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '2 3 4 5 0t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '1 0t'

config interface 'ZEROTIER'
        option proto 'none'
        option ifname 'ztks5sle26'
        option delegate '0'

config interface 'VPN2LAN'
        option proto 'none'
        option ifname 'tun1'
        option delegate '0'

config interface 'VPN2PIA'
        option proto 'none'
        option ifname 'tun0'
        option auto '1'
        option delegate '0'

config interface 'LAN_PIA'
        option proto 'static'
        option type 'bridge'
        option ipaddr '10.3.1.1'
        option netmask '255.255.255.0'
        option delegate '0'
Firewall
config zone
        option input 'ACCEPT'
        option output 'ACCEPT'
        option name 'vpn_zt'
        option forward 'ACCEPT'
        option masq '1'
        option network 'ZEROTIER'

config forwarding
        option dest 'wan'
        option src 'vpn_zt'

config rule 'ovpn'
        option name 'Allow-OpenVPN'
        option src 'wan'
        option dest_port '1194'
        option proto 'udp'
        option target 'ACCEPT'

config forwarding
        option dest 'lan'
        option src 'vpn_zt'

config forwarding
        option dest 'vpn_zt'
        option src 'lan'

config forwarding
        option dest 'wan'
        option src 'lan'

config zone
        option name 'PIAVPN'
        option forward 'REJECT'
        option output 'ACCEPT'
        option network 'VPN2PIA'
        option input 'REJECT'
        option masq '1'
        option mtu_fix '1'

config zone
        option name 'LAN_PIA_FW'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option network 'LAN_PIA'
        option forward 'ACCEPT'

config forwarding
        option dest 'PIAVPN'
        option src 'LAN_PIA_FW'

config zone
        option name 'newzone'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'VPN2LAN'

config forwarding
        option dest 'lan'
        option src 'newzone'

config forwarding
        option dest 'newzone'
        option src 'lan'

config rule
        option target 'ACCEPT'
        option name 'Allow route from VPN to LAN'
        option family 'ipv4'
        option src '*'
        option src_ip '10.2.1.0/24'
        option dest '*'
        option dest_ip '10.1.1.0/24'

config rule
        option target 'ACCEPT'
        option name 'Allow PING from VPN to LAN'
        option family 'ipv4'
        option proto 'icmp'
        option src '*'
        option src_ip '10.2.1.0/24'
        option dest '*'
        option dest_ip '10.1.1.0/24'

config rule
        option enabled '1'
        option target 'ACCEPT'
        option name 'Allow route from LAN to VPN'
        option family 'ipv4'
        option src '*'
        option src_ip '10.1.1.0/24'
        option dest '*'
        option dest_ip '10.2.1.0/24'

So if I'm connected to my VPN I can ping and browse services on 10.1.1.1 and 10.2.1.1 - that works, but I cannot ping other devices within the LAN.

Please kindly advise what I can do as I'm a bit tired already with no luck.
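As an added example (not code from the thread, the OpenWrt project or its author), the following Python script parses UCI firewall sections like the ones posted above and reports, for each VPN-side network, which zone it lands in, that zone's input/output/forward policy, and which zone-to-zone forwardings exist. The embedded sample copies the VPN-related zones and forwardings from the posted firewall file; the lan and wan zones themselves were not posted, so `zone_of` returns None for them. The parser, the helper names and the `report` output format are this example's own.

```python
"""Check which OpenWrt firewall zone each network lands in and which zone-to-zone
forwardings exist. Added example, not from the thread or the OpenWrt project."""
import shlex
from typing import List, Optional, Tuple

# Constructed sample: the VPN-related zones and forwardings copied from the
# posted /etc/config/firewall (the lan and wan zones were not posted).
FIREWALL_SAMPLE = """
config zone
        option name 'PIAVPN'
        option forward 'REJECT'
        option output 'ACCEPT'
        option network 'VPN2PIA'
        option input 'REJECT'
        option masq '1'
        option mtu_fix '1'

config zone
        option name 'LAN_PIA_FW'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option network 'LAN_PIA'
        option forward 'ACCEPT'

config forwarding
        option dest 'PIAVPN'
        option src 'LAN_PIA_FW'

config zone
        option name 'newzone'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'VPN2LAN'

config forwarding
        option dest 'lan'
        option src 'newzone'

config forwarding
        option dest 'newzone'
        option src 'lan'
"""


def parse_uci(text: str) -> List[dict]:
    """Minimal UCI parser: `config <type> [name]`, `option k 'v'`, `list k 'v'`."""
    sections: List[dict] = []
    current: Optional[dict] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # strips the single quotes UCI uses
        if parts[0] == "config" and len(parts) >= 2:
            current = {"type": parts[1], "name": parts[2] if len(parts) > 2 else None,
                       "options": {}, "lists": {}}
            sections.append(current)
        elif parts[0] == "option" and current is not None and len(parts) >= 2:
            current["options"][parts[1]] = parts[2] if len(parts) > 2 else ""
        elif parts[0] == "list" and current is not None and len(parts) >= 2:
            current["lists"].setdefault(parts[1], []).append(parts[2] if len(parts) > 2 else "")
    return sections


def zone_networks(zone: dict) -> List[str]:
    # `network` may be a space-separated option or repeated `list` entries.
    return zone["options"].get("network", "").split() + zone["lists"].get("network", [])


def zone_of(sections: List[dict], network: str) -> Optional[str]:
    """Name of the zone that contains the given network interface, or None."""
    for s in sections:
        if s["type"] == "zone" and network in zone_networks(s):
            return s["options"].get("name")
    return None


def forwarding_allowed(sections: List[dict], src: str, dst: str) -> bool:
    """True if a `config forwarding` permits traffic from zone src to zone dst.
    A zone's own `forward` policy only covers traffic between its own networks."""
    return any(s["type"] == "forwarding"
               and s["options"].get("src") == src
               and s["options"].get("dest") == dst for s in sections)


def zone_policy(sections: List[dict], name: str) -> Optional[Tuple]:
    """(input, output, forward) of a zone; an option that is absent is None
    (OpenWrt then falls back to `config defaults`, which was not posted)."""
    for s in sections:
        if s["type"] == "zone" and s["options"].get("name") == name:
            o = s["options"]
            return (o.get("input"), o.get("output"), o.get("forward"))
    return None


def report(sections: List[dict], networks: List[str]) -> List[str]:
    """One human-readable line per network: its zone and that zone's policy."""
    lines = []
    for n in networks:
        z = zone_of(sections, n)
        lines.append(f"{n}: zone {z!r}, policy {zone_policy(sections, z) if z else None}")
    return lines


if __name__ == "__main__":
    fw = parse_uci(FIREWALL_SAMPLE)
    for line in report(fw, ["VPN2LAN", "VPN2PIA", "LAN_PIA"]):
        print(line)
    for src, dst in [("newzone", "lan"), ("lan", "newzone"), ("LAN_PIA_FW", "lan")]:
        print(f"forward {src} -> {dst}: {forwarding_allowed(fw, src, dst)}")
```

Run against the sample, the script shows that VPN2LAN (tun1) sits in `newzone` with forwarding in both directions to `lan`, and that LAN_PIA_FW has a forwarding only to PIAVPN, with nothing towards `lan`; that is the zone-level picture to confirm before looking at routing.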

I am pretty sure you cannot bridge a tun interface. So remove it from the lan bridge and use routing to access one to the other.

Hi @trendy

I have removed tun1 from the LAN bridge. I will reboot the device - what exactly do you mean by "use routing to access one to the other"?

I mean that tun1 has IPs 10.2.1.0 and lan has 10.1.1.0, so you cannot just bridge them, you have to route from one network to the other.

Isn't VPN Server config doing this?

list push 'route 10.1.1.0 255.255.255.0'

Yes, that should do it.

It's been in the config but it's somehow not effective...

list push 'route 10.1.1.0 255.255.255.0'

and when I also add the option

route 10.1.1.0 255.255.255.0

then somehow I cannot access the internet from the LAN (wtf??)

What is the output of these commands before and after connecting?
ip -4 addr; ip -4 ru; ip -4 ro ls tab all

VPN ON
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default 
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
9: rmnet_data0: <UP,LOWER_UP> mtu 1500 qdisc htb state UNKNOWN group default qlen 1000
    inet 10.93.109.230/30 scope global rmnet_data0
       valid_lft forever preferred_lft forever
34: tun0: <POINTOPOINT,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 500
    inet 10.2.1.6/30 scope global tun0
       valid_lft forever preferred_lft forever
0:	from all lookup local 
10000:	from all fwmark 0xc0000/0xd0000 lookup legacy_system 
10500:	from all iif lo oif dummy0 uidrange 0-0 lookup dummy0 
10500:	from all iif lo oif rmnet_data0 uidrange 0-0 lookup rmnet_data0 
11000:	from all iif tun0 lookup local_network 
12000:	from all fwmark 0x0/0x20000 iif lo uidrange 0-99999 lookup tun0 
12000:	from all fwmark 0xc0078/0xcffff lookup tun0 
13000:	from all fwmark 0x10063/0x1ffff iif lo lookup local_network 
13000:	from all fwmark 0x10077/0x1ffff iif lo lookup rmnet_data0 
13000:	from all fwmark 0x10078/0x1ffff iif lo uidrange 0-99999 lookup tun0 
13000:	from all fwmark 0x10078/0x1ffff iif lo uidrange 0-0 lookup tun0 
14000:	from all iif lo oif dummy0 lookup dummy0 
14000:	from all iif lo oif rmnet_data0 lookup rmnet_data0 
14000:	from all iif lo oif tun0 uidrange 0-99999 lookup tun0 
15000:	from all fwmark 0x0/0x10000 lookup legacy_system 
16000:	from all fwmark 0x0/0x10000 lookup legacy_network 
17000:	from all fwmark 0x0/0x10000 lookup local_network 
19000:	from all fwmark 0x77/0x1ffff iif lo lookup rmnet_data0 
21000:	from all fwmark 0x78/0xffff lookup rmnet_data0 
22000:	from all fwmark 0x0/0xffff iif lo lookup rmnet_data0 
32000:	from all unreachable
10.1.1.0/24 dev tun0 table tun0 proto static scope link 
10.2.1.0/24 dev tun0 table tun0 proto static scope link 
10.2.1.4/30 dev tun0 table tun0 proto static scope link 
default dev dummy0 table dummy0 proto static scope link 
default via 10.93.109.229 dev rmnet_data0 table rmnet_data0 proto static 
10.93.109.228/30 dev rmnet_data0 table rmnet_data0 proto static scope link 
10.2.1.4/30 dev tun0 proto kernel scope link src 10.2.1.6 
10.93.109.228/30 dev rmnet_data0 proto kernel scope link src 10.93.109.230 
broadcast 10.2.1.4 dev tun0 table local proto kernel scope link src 10.2.1.6 
local 10.2.1.6 dev tun0 table local proto kernel scope host src 10.2.1.6 
broadcast 10.2.1.7 dev tun0 table local proto kernel scope link src 10.2.1.6 
broadcast 10.93.109.228 dev rmnet_data0 table local proto kernel scope link src 10.93.109.230 
local 10.93.109.230 dev rmnet_data0 table local proto kernel scope host src 10.93.109.230 
broadcast 10.93.109.231 dev rmnet_data0 table local proto kernel scope link src 10.93.109.230 
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1 
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1 
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1 

VPN OFF
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default 
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
9: rmnet_data0: <UP,LOWER_UP> mtu 1500 qdisc htb state UNKNOWN group default qlen 1000
    inet 10.93.109.230/30 scope global rmnet_data0
       valid_lft forever preferred_lft forever
0:	from all lookup local 
10000:	from all fwmark 0xc0000/0xd0000 lookup legacy_system 
10500:	from all iif lo oif dummy0 uidrange 0-0 lookup dummy0 
10500:	from all iif lo oif rmnet_data0 uidrange 0-0 lookup rmnet_data0 
13000:	from all fwmark 0x10063/0x1ffff iif lo lookup local_network 
13000:	from all fwmark 0x10077/0x1ffff iif lo lookup rmnet_data0 
14000:	from all iif lo oif dummy0 lookup dummy0 
14000:	from all iif lo oif rmnet_data0 lookup rmnet_data0 
15000:	from all fwmark 0x0/0x10000 lookup legacy_system 
16000:	from all fwmark 0x0/0x10000 lookup legacy_network 
17000:	from all fwmark 0x0/0x10000 lookup local_network 
19000:	from all fwmark 0x77/0x1ffff iif lo lookup rmnet_data0 
22000:	from all fwmark 0x0/0xffff iif lo lookup rmnet_data0 
32000:	from all unreachable
default dev dummy0 table dummy0 proto static scope link 
default via 10.93.109.229 dev rmnet_data0 table rmnet_data0 proto static 
10.93.109.228/30 dev rmnet_data0 table rmnet_data0 proto static scope link 
10.93.109.228/30 dev rmnet_data0 proto kernel scope link src 10.93.109.230 
broadcast 10.93.109.228 dev rmnet_data0 table local proto kernel scope link src 10.93.109.230 
local 10.93.109.230 dev rmnet_data0 table local proto kernel scope host src 10.93.109.230 
broadcast 10.93.109.231 dev rmnet_data0 table local proto kernel scope link src 10.93.109.230 
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1 
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1 
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1 

Those are from Android - to be sure that I'm outside of my LAN.
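As an added example (not code from the thread or from its participants), the following Python script parses the `ip -4 ro ls tab all` output posted above and answers the question the diagnostic command was asked for: did the pushed `route 10.1.1.0 255.255.255.0` actually land on the client? The route lines are copied from the "VPN ON" and "VPN OFF" dumps; Android keeps VPN routes in a per-interface table (here `tun0`) selected by `ip rule`, so the checker searches every table rather than only `main`. The parser, `Route` type and helper names are this example's own, and `ip rule` precedence is deliberately not modelled.

```python
"""Parse `ip -4 ro ls tab all` output and check whether a LAN prefix is routed
into the VPN tunnel. Added example, not from the thread."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: route lines copied from the "VPN ON" / "VPN OFF" dumps
# posted in the thread (unicast routes plus two entries from the local table).
ROUTES_VPN_ON = """\
10.1.1.0/24 dev tun0 table tun0 proto static scope link
10.2.1.0/24 dev tun0 table tun0 proto static scope link
10.2.1.4/30 dev tun0 table tun0 proto static scope link
default dev dummy0 table dummy0 proto static scope link
default via 10.93.109.229 dev rmnet_data0 table rmnet_data0 proto static
10.93.109.228/30 dev rmnet_data0 table rmnet_data0 proto static scope link
10.2.1.4/30 dev tun0 proto kernel scope link src 10.2.1.6
10.93.109.228/30 dev rmnet_data0 proto kernel scope link src 10.93.109.230
broadcast 10.2.1.4 dev tun0 table local proto kernel scope link src 10.2.1.6
local 10.2.1.6 dev tun0 table local proto kernel scope host src 10.2.1.6
"""
ROUTES_VPN_OFF = """\
default dev dummy0 table dummy0 proto static scope link
default via 10.93.109.229 dev rmnet_data0 table rmnet_data0 proto static
10.93.109.228/30 dev rmnet_data0 table rmnet_data0 proto static scope link
10.93.109.228/30 dev rmnet_data0 proto kernel scope link src 10.93.109.230
"""

# Route types that `ip route` prints as a leading word before the destination.
ROUTE_TYPES = {"unicast", "local", "broadcast", "multicast", "unreachable",
               "prohibit", "blackhole", "throw", "nat", "anycast"}
# Keywords that are followed by a value in `ip route` output.
KEYWORDS = {"dev", "via", "table", "proto", "scope", "src", "metric"}


@dataclass
class Route:
    dst: ipaddress.IPv4Network   # "default" is stored as 0.0.0.0/0
    rtype: str                   # unicast, local, broadcast, ...
    dev: Optional[str]
    via: Optional[str]
    table: str                   # "main" when ip prints no table
    proto: Optional[str]
    src: Optional[str]


def parse_routes(text: str) -> List[Route]:
    """Turn `ip -4 ro ls tab all` lines into Route records."""
    routes: List[Route] = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        rtype = parts.pop(0) if parts[0] in ROUTE_TYPES else "unicast"
        dst_txt = parts.pop(0)
        dst = ipaddress.ip_network("0.0.0.0/0" if dst_txt == "default" else dst_txt,
                                   strict=False)
        attrs = {}
        i = 0
        while i < len(parts):
            if parts[i] in KEYWORDS and i + 1 < len(parts):
                attrs[parts[i]] = parts[i + 1]
                i += 2
            else:
                i += 1
        routes.append(Route(dst, rtype, attrs.get("dev"), attrs.get("via"),
                            attrs.get("table", "main"), attrs.get("proto"),
                            attrs.get("src")))
    return routes


def matches(routes: List[Route], address: str) -> List[Route]:
    """Unicast routes that cover `address`, most specific first. Policy-rule
    order is not modelled, so routes from every table are included."""
    ip = ipaddress.ip_address(address)
    hits = [r for r in routes if r.rtype == "unicast" and ip in r.dst]
    return sorted(hits, key=lambda r: r.dst.prefixlen, reverse=True)


def lan_route_via_tunnel(routes: List[Route], lan: str,
                         tun_prefix: str = "tun") -> Optional[Route]:
    """The route that sends the LAN prefix into a tun device, if one exists.
    This is what `push "route 10.1.1.0 255.255.255.0"` should install on the
    client; if it is present, the client side is fine and the problem is past
    it (router forwarding or the LAN hosts' return path)."""
    lan_net = ipaddress.ip_network(lan)
    for r in routes:
        if (r.rtype == "unicast" and r.dev and r.dev.startswith(tun_prefix)
                and r.dst.prefixlen > 0 and lan_net.subnet_of(r.dst)):
            return r
    return None


if __name__ == "__main__":
    for label, dump in (("VPN ON", ROUTES_VPN_ON), ("VPN OFF", ROUTES_VPN_OFF)):
        routes = parse_routes(dump)
        hit = lan_route_via_tunnel(routes, "10.1.1.0/24")
        best = matches(routes, "10.1.1.50")[0]
        print(f"{label}: LAN via tunnel = {hit.dev + '/' + hit.table if hit else None}; "
              f"10.1.1.50 -> {best.dst} dev {best.dev} table {best.table}")
```

On the "VPN ON" dump the LAN route is found on `tun0` in table `tun0`, so the push did reach the client; on the "VPN OFF" dump only the default routes cover 10.1.1.50, as expected. To use it on a real client, feed the command's stdout to `parse_routes` instead of the embedded sample.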

I'm a bit lost with this problem... And it seems that the community cannot help me. Meanwhile I have set up (parallel to OpenVPN) OpenConnect, where this worked nearly out of the box as desired. I can ping / connect between two devices which are in the LAN from an OC client like Android / Linux. So if anyone is reading this - you may try an alternative solution to OpenVPN. The only downside of this solution I have found (and I haven't yet tried to fix this) is the low performance of the router - with 100% CPU I was able to download at a speed of 700kB which is nice. I think the bottleneck is related to cipher algorithms: 256-bit for OC vs 128 for OVPN, but as mentioned I haven't yet tried to optimize it. On top of this - OC supports user/password configuration from LuCI, which is quite nice :)

Sorry, I missed your earlier reply...

I meant from OpenWrt, but never mind. I guess you are not up to troubleshooting any more since you found your way with OpenConnect.