No need for that:
I concur. See my edit above.
Perhaps something else is wrong, though...?
```
# Restart the services, then try to reconnect
service log restart; service openvpn restart; sleep 10
# Log and status
logread -e openvpn; netstat -l -n -p | grep -e openvpn
```
I've never tried just adding a tun 'device' to a lan firewall zone instead of creating a network and adding that... no idea if that works and/or if there are advantages/disadvantages to the different approaches. But it seems that things aren't working, so I think my suggestion is worth trying (if it doesn't fix the situation, then the difference may be irrelevant).
Will do that after I reinstall openvpn. I installed openwrt stock; the davidc502 version had preinstalled openvpn servers that couldn't be removed, and they showed up in the logs. It would have been confusing to try to figure out which server I was using, as all of the vpn servers showed in the logs, not just the one I had actually been using.
It is tested, documented and works well enough:
...but...the OP doesn't have an OpenWrt enumerated Interface...they added the raw interface.
You both are correct. The OP needs to make an unmanaged Interface, then add it to LAN by its Interface name. This was the syntax error I was testing for.
wow... the more you know! Although I've always had success with the network device, I will keep this in mind as I help others
The generation of the RSA for the Openvpn will take a long time. I will try this immediately.
I hope you're doing your RSA key generation on a full-fledged computer instead of your router... if not, try it... so much faster!
But how? If that's possible, well I've been wasting my time. Using putty to type commands (SSH)
The point is there's no true unmanaged interface type and proto=none doesn't work like it.
If you restart the network it drops L3-configuration of the interface and creates an additional point of failure.
Download and install the RSA applications onto your computer.
I used easy-RSA to do mine. Releases are available for Windows and Linux, and it is also included in some client applications (such as Tunnelblick on the Mac)
Yes, you can puTTY to the command prompt via SSH.
vi is the installed editor, but nano (if you have space) is often easier for Linux beginners:

```
opkg update
opkg install nano
```
Didn't realize you knew about SCP but not SSH. Apologies.
Then you can simply
I've never had this as a point of failure -- it has worked perfectly for me in every setup I've done and in the various threads where I've contributed to OpenVPN related issues. That said, it's good to know that there is this valid alternative method of configuration.
I draw my experience from IPENCAP tunnel, where I have to enumerate an Interface for proper passing for traffic and firewall behaviors. So I didn't want to "taint the waters."
I'm learning, and unclear if this is normal behavior when specifying the raw interface.
- Assume you connect to some remote OpenWrt host.
- There's VPN-only access to the host.
- If you restart network service, you will get locked.
So where does this config zone go? I will get the logs to you if it doesn't work.
```
# in /etc/config/network
config interface 'vpn'
	option proto 'none'
	option ifname 'tun0'
```

```
# in /etc/config/firewall
config forwarding
	option dest 'vpn'
	option src 'lan'

config forwarding
	option dest 'lan'
	option src 'vpn'

config zone
	option name 'vpn'
	option network 'vpn'
	option forward 'DROP'
	option output 'ACCEPT'
	option input 'ACCEPT'
	option mtu_fix '1'
```
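An added example (not from this thread or from OpenWrt itself): a small Python checker that parses the two UCI fragments above and verifies they are wired the way the post describes, i.e. the zone attaches a network that really exists as a `config interface` in /etc/config/network, that interface is `proto none` on a tun device, and both `lan`<->`vpn` forwardings are present. It also reproduces the mistake discussed earlier in the thread (putting the raw `tun0` device name where the interface name belongs) so you can see what the check reports. The sample configs are constructed from the post; the function names `parse_uci` and `check_vpn_zone` are this example's own.

```python
import shlex

# Constructed sample input: the two fragments from the post above, one per file.
NETWORK_CONF = """\
config interface 'vpn'
	option proto 'none'
	option ifname 'tun0'
"""

FIREWALL_CONF = """\
config forwarding
	option dest 'vpn'
	option src 'lan'

config forwarding
	option dest 'lan'
	option src 'vpn'

config zone
	option name 'vpn'
	option network 'vpn'
	option forward 'DROP'
	option output 'ACCEPT'
	option input 'ACCEPT'
	option mtu_fix '1'
"""

# Constructed: the mistake discussed in the thread, the raw tun0 device name
# placed where a network (interface) name belongs.
BAD_FIREWALL_CONF = FIREWALL_CONF.replace("option network 'vpn'", "option network 'tun0'")


def parse_uci(text):
    """Parse UCI text into a list of sections: dicts with type, name, options, lists."""
    sections = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # handles the single-quoted values UCI uses
        if parts[0] == "config":
            current = {"type": parts[1], "name": parts[2] if len(parts) > 2 else None,
                       "options": {}, "lists": {}}
            sections.append(current)
        elif current is None:
            raise ValueError("option/list before any 'config' line: %r" % line)
        elif parts[0] == "option" and len(parts) >= 2:
            current["options"][parts[1]] = parts[2] if len(parts) > 2 else ""
        elif parts[0] == "list" and len(parts) >= 3:
            current["lists"].setdefault(parts[1], []).append(parts[2])
    return sections


def check_vpn_zone(network_text, firewall_text, zone_name="vpn", lan_zone="lan"):
    """Return a list of findings; an empty list means the zone is wired as the post describes."""
    net = parse_uci(network_text)
    fw = parse_uci(firewall_text)
    findings = []

    zones = [s for s in fw if s["type"] == "zone" and s["options"].get("name") == zone_name]
    if not zones:
        return ["no firewall zone named %r" % zone_name]
    zone = zones[0]

    # A zone may attach networks via 'option network' (space separated) or 'list network'.
    nets = zone["lists"].get("network", []) + zone["options"].get("network", "").split()
    ifaces = {s["name"]: s["options"] for s in net if s["type"] == "interface"}
    if not nets:
        findings.append("zone %r attaches no network" % zone_name)
    for n in nets:
        if n not in ifaces:
            findings.append("zone %r names network %r, but /etc/config/network has no "
                            "'config interface %r' (raw device name used instead?)"
                            % (zone_name, n, n))
            continue
        iface = ifaces[n]
        dev = iface.get("ifname") or iface.get("device")
        if not dev:
            findings.append("interface %r names no ifname/device" % n)
        if iface.get("proto") != "none":
            findings.append("interface %r uses proto %r; the post uses 'none' (unmanaged)"
                            % (n, iface.get("proto")))

    # Both forwarding directions between lan and the tunnel zone must be declared.
    pairs = {(s["options"].get("src"), s["options"].get("dest"))
             for s in fw if s["type"] == "forwarding"}
    for src, dest in ((lan_zone, zone_name), (zone_name, lan_zone)):
        if (src, dest) not in pairs:
            findings.append("missing 'config forwarding' %s -> %s" % (src, dest))

    # Intra-zone forward stays DROP in the post; explicit forwardings carry the traffic.
    if zone["options"].get("forward", "REJECT") == "ACCEPT":
        findings.append("zone %r has forward ACCEPT; the post keeps it DROP" % zone_name)
    return findings


if __name__ == "__main__":
    print("good config:", check_vpn_zone(NETWORK_CONF, FIREWALL_CONF))
    print("bad config: ", check_vpn_zone(NETWORK_CONF, BAD_FIREWALL_CONF))
```

Run it against copies of your own /etc/config/network and /etc/config/firewall (pulled off the router with scp) by passing the file contents to `check_vpn_zone`; the `tun0`-in-the-zone finding is exactly the syntax error described earlier in the thread.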
Be mindful of @vgaetera's warning:
I don't quite understand it...and you don't use this method (but you learned how).
EDIT - see:
I have a VPN server at home that allows me access to my LAN and internet via my tunnel. I'm not exactly sure what you mean by VPN-only access to the host, but to elaborate, my VPN server (OpenWrt with OpenVPN) is not my primary router -- it sits behind my main router... when remote, the only way to get to the LAN or the OpenWrt VPN router is via a VPN tunnel.
On your 3rd point, you are right -- I've never tried it before, as it is rare that my VPN ever has a reason to have a network restart that wouldn't be part of a full OpenWrt reboot.
EDIT: Also worth noting that I do have wireguard installed as well, so I actually have another option should that get messed up, but yeah, I do see your point