OpenVPN server setup not working with Moonlight

No need for that:

1 Like

I concur. See my edit above.

Perhaps something else is wrong, though...?

1 Like
# Restart the services, then try to reconnect
service log restart; service openvpn restart; sleep 10
# Log and status
logread -e openvpn; netstat -l -n -p | grep -e openvpn

I've never tried just adding a tun 'device' to a lan firewall zone instead of creating a network and adding that... no idea if that works and/or if there are advantages/disadvantages to the different approaches. But it seems that things aren't working, so I think my suggestion is worth trying (if it doesn't fix the situation, then the difference may be irrelevant).

Will do that after I reinstall openvpn. I installed openwrt stock, the davidc502 version had preinstalled openvpn servers that couldnt be removed, and they showed up in the logs. It would have been confusing to try to figure out which server I was using, as all of the vpn servers showed in the logs, not just the one I had been actually using.

It is tested, documented and works well enough:

1 Like

...but...the OP doesn't have an OpenWrt enumerated Interface...they added the raw interface.

You both are correct.

The OP needs to make an unmanaged Interface, then add it to LAN by its Interface name. This was the syntax error I was testing for.

1 Like

wow... the more you know! Although I've always had success with the network device, I will keep this in mind as I help others :slight_smile:

The generation of the RSA for the Openvpn will take a long time. I will try this immediately.

I hope you're doing your RSA key generation on a full fledged computer instead of your router... if not, try it... so much faster!

1 Like

But how? If that's possible, well I've been wasting my time. Using putty to type commands (SSH)

1 Like

The point is there's no true unmanaged interface type and proto=none doesn't work like it.
If you restart the network it drops L3-configuration of the interface and creates an additional point of failure.


Download and install the RSA applications onto your computer.

I used easy-RSA to do mine. Releases are available for Windows and Linux, and it is also included in some client applications (such as Tunnelblick on the Mac)

Yes, you can puTTY to the command prompt via SSH. vi is the installed editor, but nano (if you have space), is often easier for Linux beginners:

opkg update
opkg install nano

Didn't realize you knew about SCP but not SSH. Apologies.

Then you can simply /etc/init.d/firewall reload

I've never had this as a point of failure -- it has worked perfectly for me in every setup I've done and in the various threads where I've contributed to OpenVPN related issues. That said, it's good to know that there is this valid alternative method of configuration.

1 Like

I draw my experience from IPENCAP tunnel, where I have to enumerate an Interface for proper passing for traffic and firewall behaviors. So I didn't want to "taint the waters."

I'm learning, and unclear if this is normal behavior when specifying the raw interface.

  • Assume you connect to some remote OpenWrt host.
  • There's VPN-only access to the host.
  • If you restart network service, you will get locked.
1 Like

So where does this config zone go? I will get the logs to you if it doesn't work.

# in /etc/config/network

config interface 'vpn'
	option proto 'none'
	option ifname 'tun0'
# in /etc/config/firewall

config forwarding                                                    
        option dest 'vpn'                                          
        option src 'lan' 

config forwarding                                                    
        option dest 'lan'                                          
        option src 'vpn' 

config zone                             
	option name 'vpn'  
	option network 'vpn'        
	option forward 'DROP'           
	option output 'ACCEPT'              
	option input 'ACCEPT'      
	option mtu_fix '1'

Be mindful of @vgaetera's warning:

I don't quite understand it...and you don't use this method (but you learned how).

EDIT - see:

I have a VPN server at home that allows me access to my LAN and internet via my tunnel. I'm not exactly sure what you mean by VPN-only access to the host, but to elaborate, my VPN sever (OpenWrt with OpenVPN) is not my primary router -- it sits behind my main router... when remote, the only way to get to the LAN or the OpenWrt VPN router is via a VPN tunnel.

On your 3rd point, you are right -- I've never tried it before, as it is rare that my VPN ever has a reason to have a network restart that wouldn't be part of a full OpenWrt reboot.

EDIT: Also worth noting that I do have wireguard installed as well, so I actually have another option should that get messed up, but yeah, I do see your point :slight_smile: