OpenVPN server

This is normal. You need to do this yourself (for both Wireguard and OpenVPN).

Have you followed either of the guides on the OpenWrt wiki?

I've seen both pages. Last evening I tried again to create the OpenVPN server, but it did not complete because key generation took a long time; I followed the instructions at https://openwrt.org/docs/guide-user/services/vpn/openvpn/server . The previous time I completed the procedure (dragged and dropped the commands from the page into the SSH command line), but no interface or firewall settings were created, so something went wrong. Today I will try again.

Certainly I'm wrong about something, but either way I can't get them to work. The only exception is WireGuard: once I run the script and configure the interface I can't browse anymore. Once uninstalled, everything works properly again. Using OpenWrt 21.02.3. I've set up other VPNs with other routers but I've never had as many problems as this time.

Those guides work for most users. So you may either have a mistake or some type of conflict. Let’s look at your configuration.

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Have you edited auth-user-pass in the ovpn file to point to the user/password?

auth-user-pass /etc/openvpn/OVPN.auth

The box below is used to enter the user and password. Why do I also need to add auth-user-pass /etc/openvpn/OVPN.auth?

That's how a VPN client is set up, so the service knows where to look for the user/password; I assume it would be the same for a server. You could also try it with just the keys, to see if it is created without a user/password.

 cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option localservice '1'
        option ednspacket_max '1232'
        option confdir '/tmp/dnsmasq.d'
        list server '/use-application-dns.net/'
        list server '127.0.0.1#5053'
        option noresolv '1'
        option doh_backup_noresolv '-1'
        list doh_backup_server '/use-application-dns.net/'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'
        option ipv6 '0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr 'xxx.xxx.xxx.xxx'
        option netmask '255.255.255.0'
        option ip6assign '60'
        list dns 'xxx.xxx.xxx.xxx.'
        option broadcast 'xxx.xxx.xxx.xxx'
        option delegate '0'
        option gateway 'xxx.xxx.xxx.xxx'

config interface 'wan'
        option device 'eth1'
        option proto 'static'
        list dns 'xxx.xxx.xxx.xxx'
        option ipaddr 'xxx.xxx.xxx.xxx'
        option netmask '255.255.255.0'
        option gateway 'xxx.xxx.xxx.xxx'
        option broadcast 'xxx.xxx.xxx.xxx'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 3 4 0'

cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'soc/40000000.pci/pci0000:00/0000:00:00.0/0000:01:00.0'
        option channel '100'
        option band '5g'
        option htmode 'VHT80'
        option disabled '1'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'xxxxt'
        option encryption 'psk2'
        option key 'xxxx'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/soc/a000000.wifi'
        option channel '1'
        option band '2g'
        option htmode 'HT20'
        option cell_density '0'
        option country 'xx'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'xxxx'
        option encryption 'psk2'
        option key 'xxxx'

config wifi-device 'radio2'
        option type 'mac80211'
        option path 'platform/soc/a800000.wifi'
        option band '5g'
        option htmode 'VHT80'
        option cell_density '0'
        option channel 'auto'
        option country 'xx'

config wifi-iface 'default_radio2'
        option device 'radio2'
        option network 'lan'
        option mode 'ap'
        option ssid 'xxxx'
        option encryption 'psk2'
        option key 'xxxx'

 cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list device 'tun+'
        list network 'lan'

config zone 'wan'
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'

config include
        option path '/etc/firewall.user'

config include 'bcp38'
        option type 'script'
        option path '/usr/lib/bcp38/run.sh'
        option family 'IPv4'
        option reload '1'



config redirect
        option dest 'lan'
        option target 'DNAT'
        option name '1194 VPN'
        option src_dport '1194'
        option dest_ip '192.168.1.4'
        option dest_port '1194'
        option src 'wan'
        option enabled '0'

config rule 'ovpn'
        option name 'Allow-OpenVPN'
        option src 'wan'
        option dest_port '1194'
        option proto 'udp'
        option target 'ACCEPT'

OK guys, the VPN works. I can connect to the server on my router using the external IP. The problem is that I can't access the devices on my LAN. Maybe a netmask restriction? I use /24. My LAN is on 192.168.100.1, while the IP provided to the VPN client is on the 192.168.8.0 LAN. Furthermore, no VPN interface appears in Network/Interfaces — only the WAN and LAN interfaces. So, if I understand correctly, I need to give the client an IP in the same LAN, i.e. 192.168.100.xxx. I hope DHCP also works in this case.

This is part of the server.conf file:

user nobody
group nogroup
dev tun
port 1194
proto udp
server 192.168.8.0 255.255.255.0
topology subnet
client-to-client
keepalive 10 60
persist-tun
persist-key
push "dhcp-option DNS 192.168.8.1"
push "dhcp-option DOMAIN lan"
push "redirect-gateway def1"
push "persist-tun"
push "persist-key"
<dh>

Can I change the network provided by the server from 192.168.8.0 to my LAN, 192.168.100.0?

You don't need to redact this info. It is not sensitive or secret. With it redacted, nobody can help. Only redact things that are unique and actually sensitive, such as your WireGuard keys, public IP, MAC addresses, and WiFi passwords.

OK. Actually the VPN network is 192.168.8.0, while the router network is 192.168.100.0. Both interfaces are /24, so 255.255.255.0. The client connects successfully to the external IP and the VPN server, but I can't access my devices on the 192.168.100.0 LAN. That is the information that was missing. Is it enough?

You need to push a route from the server to the client (push directive in the server configuration file) for 192.168.100.0 255.255.255.0.

In the server configuration file I posted before, I can add:

push "route 192.168.100.0 255.255.255.0"

if that is correct. Here 192.168.100.0 is my LAN address.

Yes this is correct.


I thought this seemed familiar, and after looking around I found I had the same issue a few years ago and had just forgotten about it. @vgaetera explains what's needed for user/password with a VPN server in this thread, although it sounds like it's more secure to just use the certificates.


Guys, now it works! Even if some devices remain unreachable — for example the app used to manage services on the NAS from the phone. But I think that is a problem not related to the VPN server.

Great!

Some apps use mDNS or other auto-discovery techniques that cannot be easily routed. In those cases, you won't be able to connect using the app.

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.

Furthermore, the server also works without the route push "route 192.168.100.0 255.255.255.0" — presumably because the server already pushes "redirect-gateway def1", which sends all of the client's traffic through the tunnel anyway.

Also solved with the app: it was a password mismatch. Definitively solved! Thank you all! Now I'll perform a backup and repeat the procedure with the LuCI import. I will try :grin:.
