OpenVPN server setup not working with Moonlight

vgaetera · April 13, 2019, 5:30pm

No need for that:

lleachii · April 13, 2019, 5:31pm

Perhaps something else is wrong, though...?

vgaetera · April 13, 2019, 5:34pm

# Restart the services, then try to reconnect
service log restart; service openvpn restart; sleep 10
 
# Log and status
logread -e openvpn; netstat -l -n -p | grep -e openvpn

psherman · April 13, 2019, 5:36pm

I've never tried just adding a tun 'device' to a lan firewall zone instead of creating a network and adding that... no idea if that works and/or if there are advantages/disadvantages to the different approaches. But it seems that things aren't working, so I think my suggestion is worth trying (if it doesn't fix the situation, then the difference may be irrelevant).

BinaryDoge · April 13, 2019, 5:36pm

Will do that after I reinstall openvpn. I installed openwrt stock, the davidc502 version had preinstalled openvpn servers that couldnt be removed, and they showed up in the logs. It would have been confusing to try to figure out which server I was using, as all of the vpn servers showed in the logs, not just the one I had been actually using.

vgaetera · April 13, 2019, 5:41pm

It is tested, documented and works well enough:

lleachii · April 13, 2019, 5:44pm

...but...the OP doesn't have an OpenWrt enumerated Interface...they added the raw interface.

~~You both are correct.~~

~~The OP needs to make an unmanaged Interface, then add it to LAN by its Interface name. This was the syntax error I was testing for.~~

psherman · April 13, 2019, 5:45pm

wow... the more you know! Although I've always had success with the network device, I will keep this in mind as I help others

BinaryDoge · April 13, 2019, 5:45pm

The generation of the RSA for the Openvpn will take a long time. I will try this immediately.

psherman · April 13, 2019, 5:47pm

I hope you're doing your RSA key generation on a full fledged computer instead of your router... if not, try it... so much faster!

BinaryDoge · April 13, 2019, 5:48pm

But how? If that's possible, well I've been wasting my time. Using putty to type commands (SSH)

vgaetera · April 13, 2019, 5:51pm

The point is there's no true unmanaged interface type and proto=none doesn't work like it.
If you restart the network it drops L3-configuration of the interface and creates an additional point of failure.

psherman · April 13, 2019, 5:52pm

Download and install the RSA applications onto your computer.

I used easy-RSA to do mine. Releases are available for Windows and Linux, and it is also included in some client applications (such as Tunnelblick on the Mac)

lleachii · April 13, 2019, 5:52pm

Yes, you can puTTY to the command prompt via SSH. vi is the installed editor, but nano (if you have space), is often easier for Linux beginners:

opkg update
opkg install nano

Didn't realize you knew about SCP but not SSH. Apologies.

Then you can simply /etc/init.d/firewall reload

psherman · April 13, 2019, 5:54pm

I've never had this as a point of failure -- it has worked perfectly for me in every setup I've done and in the various threads where I've contributed to OpenVPN related issues. That said, it's good to know that there is this valid alternative method of configuration.

lleachii · April 13, 2019, 5:56pm

I draw my experience from IPENCAP tunnel, where I have to enumerate an Interface for proper passing for traffic and firewall behaviors. So I didn't want to "taint the waters."

I'm learning, and unclear if this is normal behavior when specifying the raw interface.

vgaetera · April 13, 2019, 6:07pm

Assume you connect to some remote OpenWrt host.
There's VPN-only access to the host.
If you restart network service, you will get locked.

BinaryDoge · April 13, 2019, 6:16pm

So where does this config zone go? I will get the logs to you if it doesn't work.

lleachii · April 13, 2019, 6:29pm

# in /etc/config/network

config interface 'vpn'
	option proto 'none'
	option ifname 'tun0'

# in /etc/config/firewall

config forwarding                                                    
        option dest 'vpn'                                          
        option src 'lan' 

config forwarding                                                    
        option dest 'lan'                                          
        option src 'vpn' 

config zone                             
	option name 'vpn'  
	option network 'vpn'        
	option forward 'DROP'           
	option output 'ACCEPT'              
	option input 'ACCEPT'      
	option mtu_fix '1'

Be mindful of @vgaetera's warning:

I don't quite understand it...and you don't use this method (but you learned how).

EDIT - see:

psherman · April 13, 2019, 6:34pm

I have a VPN server at home that allows me access to my LAN and internet via my tunnel. I'm not exactly sure what you mean by VPN-only access to the host, but to elaborate, my VPN sever (OpenWrt with OpenVPN) is not my primary router -- it sits behind my main router... when remote, the only way to get to the LAN or the OpenWrt VPN router is via a VPN tunnel.

On your 3rd point, you are right -- I've never tried it before, as it is rare that my VPN ever has a reason to have a network restart that wouldn't be part of a full OpenWrt reboot.

EDIT: Also worth noting that I do have wireguard installed as well, so I actually have another option should that get messed up, but yeah, I do see your point