OpenVPN server setup not working with Moonlight

I set up my openvpn with the following tutorial: https://openwrt.org/docs/guide-user/services/vpn/openvpn/basic
Then, when I try to use moonlight on my phone (from lte for testing the openvpn) connected to the openvpn server via openvpn connect app, it doesn't work. I am unable to do anything in LAN with this configuration. My real lan network has the subnet of 192.168.1.*, if that matters.

There isn't enough info for anyone to help you. When you say it doesn't work, what does that mean? Does it fail to connect? Or are you able to successfully establish the tunnel but not reach the hosts/services you want?

What do the logs say?
What are the specific symptoms?
Have you tried things like pinging to IP addresses and domain names to test basic connectivity?

Have you looked at the troubleshooting page?

If you're looking for specific help, the above will be key. Also you might want to post your config files and describe how things are connected. Files of use include (but are not limited to)
/etc/config/network
/etc/config/firewall
/etc/config/openvpn (your openvpn server config file, even if not in that location)
your client side openvpn config file
log files of the init sequence from both sides (client and server).

Internet connection works, just can't connect with LAN devices.
I have tried the troubleshooting page to no avail
I can connect to the openvpn server successfully

"Internet connection works" is normal behavior of a consumer router when plugging it in. You must provide more details.

  • Then if you tried it, why haven't you posted the results for us to see?
  • What about the files @psherman asked for in order to troubleshoot?
  • Then it works???
  • Where is your LAN issue involved?
  • What is the IP scheme of all other involved networks?
  • Do you control the OpenVPN server?

In order to help you, you must stop being vague and provide details in your responses.

Network config

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd7f:266e:30a5::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option ifname 'eth1.2'
	option proto 'dhcp'

config interface 'wan6'
	option ifname 'eth1.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 1 2 3 5t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '4 6t'

Firewall config

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option device 'tun0'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'
	option family 'any'
	option reload '1'

config include 'bcp38'
	option type 'script'
	option path '/usr/lib/bcp38/run.sh'
	option family 'IPv4'
	option reload '1'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'udp'
	option src_dport '47999'
	option dest_ip '192.168.1.123'
	option dest_port '47999'
	option name 'asdf'

config rule 'vpn'
	option name 'Allow-OpenVPN'
	option src 'wan'
	option dest_port '1194'
	option proto 'udp'
	option target 'ACCEPT'

Openvpn server config from etc/openvpn

verb 3
user nobody
group nogroup
dev tun0
port 1194
proto udp
server 192.168.8.0 255.255.255.0
topology subnet
client-to-client
keepalive 10 120
persist-tun
persist-key
push "dhcp-option DNS 192.168.8.1"
push "dhcp-option DOMAIN lan"
push "redirect-gateway def1"
push "persist-tun"
push "persist-key"
<dh>
-----BEGIN DH PARAMETERS-----
-----END DH PARAMETERS-----
</dh>
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-crypt>
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
</key>

Openvpn server config from etc/config (LISTS VPN SERVERS NOT IN USE THAT ARE PREINSTALLED ON LUCI-APP-OPENVPN. IF I CAN GET THIS VERSION TO WORK, THEN THAT WILL BE OK)


config openvpn 'custom_config'
	option config '/etc/openvpn/my-vpn.conf'

config openvpn 'sample_server'
	option port '1194'
	option proto 'udp'
	option dev 'tun'
	option ca '/etc/openvpn/ca.crt'
	option cert '/etc/openvpn/server.crt'
	option key '/etc/openvpn/server.key'
	option dh '/etc/openvpn/dh1024.pem'
	option server '10.8.0.0 255.255.255.0'
	option ifconfig_pool_persist '/tmp/ipp.txt'
	option keepalive '10 120'
	option compress 'lzo'
	option persist_key '1'
	option persist_tun '1'
	option user 'nobody'
	option status '/tmp/openvpn-status.log'
	option verb '3'
	option enabled '1'

config openvpn 'sample_client'
	option client '1'
	option dev 'tun'
	option proto 'udp'
	list remote 'my_server_1 1194'
	option resolv_retry 'infinite'
	option nobind '1'
	option persist_key '1'
	option persist_tun '1'
	option user 'nobody'
	option ca '/etc/openvpn/ca.crt'
	option cert '/etc/openvpn/client.crt'
	option key '/etc/openvpn/client.key'
	option compress 'lzo'
	option verb '3'

Ok. So, when I do a speedtest on speedtest.net, it clearly shows that it is pulling speeds from the internet. But, when I attempt to connect to my LAN NAS device, it doesn't connect. I cannot access anything on the LAN network, which is what the tutorial I linked said it aimed to do: "Access your VPN-server LAN-services remotely without port forwarding." I am on LTE on client device.

  • This IP is invalid. This (.0) is a network address, use something like .1.
  • What IP does your client receive?
  • Can you post the results of ip route show?
  • Is tun0 up?
  • Please answer all other questions above

Have you verified your carrier permits this traffic?

Please note the edit on the config post. Real vpn server that is in use is the one from etc/openvpn

Yes, I use PIA vpn all the time on my lte network, the closest thing to my openvpn server.

Also, one of the config files (from etc/openvpn) is the correct one

IP route show:


default via 74.193.224.1 dev eth1.2  src 74.193.224.191
74.193.224.0/22 dev eth1.2 scope link  src 74.193.224.191
192.168.1.0/24 dev br-lan scope link  src 192.168.1.1
192.168.8.0/24 dev tun0 scope link  src 192.168.8.1

How may I go about finding out the status of tun0?

My client receives the ip of 192.168.8.2

  • Please use ONE POST to answer, it's extremely difficult to follow in your style.

ifconfig tun0

(but we can see it's up already)

Trace to the NAS.

  • And to be clear, you can get to the Internet while connected to your VPN?
  • What is "Moonlight"?

1: ifconfig tun0


tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:192.168.8.1  P-t-P:192.168.8.1  Mask:255.255.255.0
          inet6 addr: fe80::d1d8:3f8:9335:92b0/64 Scope:Link
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:3328 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3450 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:557276 (544.2 KiB)  TX bytes:3708941 (3.5 MiB)

2 : I can get internet while connected to my vpn.
3 : Moonlight is a game streaming service highly reliant on connection to lan services.
4 : Pinging to NAS comes up with packets that time out. If I ping to router, it does it successfully. Can't traceroute on my iphone.

  • Can you ping 192.168.1.1 (the router's LAN IP)?
  • Can you ping any other LAN device?

1 : I can ping to router (192.168.1.1) successfully.
2 : I cannot ping any other device successfully

I wanna test for a possible bug (or a syntax the UCI "didn't like"):

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

Temporarily change forward to ACCEPT - then re-test.
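
An added example, not part of any post in this thread: a small check of which forward policy covers traffic between tun0 and the rest of its zone, run over a constructed sample reduced from the firewall config posted above. It assumes the usual OpenWrt firewall behaviour that a zone's `forward` option governs traffic between interfaces of the same zone and that `config defaults` applies only when no zone lists the device; the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Constructed sample: the defaults section and the two zones
# from the firewall config posted in this thread, reduced to relevant options.
sample_fw() {
cat <<'EOF'
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option forward 'ACCEPT'
	option device 'tun0'

config zone
	option name 'wan'
	list network 'wan'
	option forward 'REJECT'
EOF
}

# Print "<zone> <forward policy>" for the zone that lists device $1 (stdin: config).
zone_for_device() {
	awk -v dev="$1" -v q="'" '
	function val(s) { gsub(q, "", s); return s }
	function emit() { if (sect == "zone" && hit) print name, fwd }
	$1 == "config" { emit(); sect = $2; name = fwd = ""; hit = 0; next }
	$2 == "name" { name = val($3) }
	$2 == "forward" { fwd = val($3) }
	$2 == "device" && val($3) == dev { hit = 1 }
	END { emit() }'
}

# Print the forward policy of the "config defaults" section (stdin: config).
default_forward() {
	awk -v q="'" '$1 == "config" { sect = $2 }
	sect == "defaults" && $2 == "forward" { gsub(q, "", $3); print $3 }'
}

# Policy for traffic forwarded between device $1 and other interfaces of its
# zone; falls back to the defaults policy when no zone lists the device.
effective_forward() {
	cfg=$(cat)
	z=$(printf '%s\n' "$cfg" | zone_for_device "$1")
	if [ -n "$z" ]; then echo "${z#* }"; else printf '%s\n' "$cfg" | default_forward; fi
}

sample_fw | effective_forward tun0
```

On the router, pipe `/etc/config/firewall` into `effective_forward tun0` instead of the sample to see which section's policy is consulted for that device.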

1: Ping to NAS and my PC still doesn't work
For more info, my openwrt build is DavidC502
Should I reboot after changing the config defaults?

You should definitely Save & Apply...some people like to reboot; but the new Lockout Prevention works with Save/Apply.

I actually was going to inquire about that, just to be sure.