Hello All,
I am trying to set up OpenVPN on my Linksys WRT 1200AC using LEDE Reboot 17.01.2. I am able to establish a connection, but not much works after that. I followed the guide here:
https://wiki.openwrt.org/doc/howto/openvpn-streamlined-server-setup?rev=1476474996
And it seems like everything is working. I think I am having an issue with my internal routing.
I am using the internal address range 172.168.0.0/16 for all my internal networking. When I start the service, everything looks good (at least to me). Here is the output of my openvpn.log file when I issue the command.
Sat Nov 4 02:19:59 2017 OpenVPN 2.4.3 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4]
[EPOLL] [MH/PKTINFO] [AEAD]
Sat Nov 4 02:19:59 2017 library versions: OpenSSL 1.0.2k 26 Jan 2017, LZO 2.09
Sat Nov 4 02:19:59 2017 Diffie-Hellman initialized with 4096 bit key
Sat Nov 4 02:19:59 2017 Outgoing Control Channel Authentication: Using 384 bit message hash
'SHA384' for HMAC authentication
Sat Nov 4 02:19:59 2017 Incoming Control Channel Authentication: Using 384 bit message hash
'SHA384' for HMAC authentication
Sat Nov 4 02:19:59 2017 TUN/TAP device tun0 opened
Sat Nov 4 02:19:59 2017 TUN/TAP TX queue length set to 100
Sat Nov 4 02:19:59 2017 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Sat Nov 4 02:19:59 2017 /sbin/ifconfig tun0 10.1.1.1 netmask 255.255.255.0 mtu 1500 broadcast
10.1.1.255
Sat Nov 4 02:19:59 2017 Could not determine IPv4/IPv6 protocol. Using AF_INET
Sat Nov 4 02:19:59 2017 Socket Buffers: R=[163840->327680] S=[163840->327680]
Sat Nov 4 02:19:59 2017 UDPv4 link local (bound): [AF_INET][undef]:1194
Sat Nov 4 02:19:59 2017 UDPv4 link remote: [AF_UNSPEC]
Sat Nov 4 02:19:59 2017 GID set to nogroup
Sat Nov 4 02:19:59 2017 UID set to nobody
Sat Nov 4 02:19:59 2017 MULTI: multi_init called, r=256 v=256
Sat Nov 4 02:19:59 2017 IFCONFIG POOL: base=10.1.1.2 size=252, ipv6=0
Sat Nov 4 02:19:59 2017 Initialization Sequence Completed
Here is /etc/openvpn
# UCI OpenVPN server instance "VPNserver". This is UCI syntax, so it is
# presumably /etc/config/openvpn (each option becomes the same-named
# openvpn directive; the init script builds the command line from it).
config openvpn 'VPNserver'
option enabled '1'
# NOTE(review): 'dev' is set twice. UCI keeps the last value, so the effective
# device is tun0 (the log shows "TUN/TAP device tun0 opened"), which matches
# ifname 'tun0' in the network config -- the first line should be dropped.
option dev 'tun'
option dev 'tun0'
# One /24 for the whole tunnel; every client gets a real address in it.
option topology 'subnet'
# The server listens on UDP 1194 only -- firewall rules for 1194 need only udp.
option proto 'udp'
option port '1194'
#--- Routes ---#
# 'server' allocates the 10.1.1.0/24 pool (log: "IFCONFIG POOL: base=10.1.1.2 size=252").
option server '10.1.1.0 255.255.255.0'
# 'ifconfig' repeats what 'server' already does in subnet topology
# (log: "ifconfig tun0 10.1.1.1 netmask 255.255.255.0"); presumably redundant.
option ifconfig '10.1.1.1 255.255.255.0'
#--- Pushed Routes ---#
# NOTE(review): 172.168.0.0/16 is not an RFC 1918 private range (the private
# block is 172.16.0.0/12, i.e. 172.16.x.x through 172.31.x.x); it is publicly
# routable address space assigned to someone else. Pushing it sends clients'
# traffic for that public range into the tunnel, and the LAN should ideally
# be renumbered into an RFC 1918 range (e.g. 172.16.0.0/16 or a 10.x/16).
list push 'route 172.168.0.0 255.255.0.0'
# Clients receive the LAN resolver plus two public resolvers; which one a
# client queries first is OS-dependent, so LAN names may not always resolve.
list push 'dhcp-option DNS 172.168.0.1'
list push 'dhcp-option WINS 172.168.0.1'
list push 'dhcp-option DNS 8.8.8.8'
list push 'dhcp-option DNS 8.8.4.4'
list push 'dhcp-option NTP 129.6.15.30'
#--- Encryption ---#
option cipher 'AES-256-CBC'
# Control-channel HMAC (log: "Using 384 bit message hash 'SHA384'").
option auth 'SHA384'
# Require the peer's certificate to carry the client EKU, so a server
# certificate cannot be reused to connect as a client.
option remote_cert_tls 'client'
option dh '/etc/openvpn/keys/dh4096.pem'
option pkcs12 '/etc/openvpn/keys/vpnserver.p12'
# Extra HMAC on every control packet; key direction 0 here means clients
# must use direction 1 for the same ta.key.
option tls_auth '/etc/openvpn/keys/ta.key 0'
option tls_version_min '1.2'
#--- Logging ---#
option log '/tmp/openvpn.log'
option status '/tmp/openvpn-status.log'
option verb '3'
#--- Connection Options ---#
option keepalive '10 120'
# NOTE(review): compression inside the tunnel is generally discouraged
# (compression-oracle attacks on encrypted traffic) and is best left off
# unless actually needed; clients must then drop comp-lzo as well.
option comp_lzo 'yes'
#--- Connection Reliability ---#
option client_to_client '1'
# persist_key/persist_tun let the process survive restarts after it has
# dropped to nobody/nogroup (see Permissions below).
option persist_key '1'
option persist_tun '1'
#--- Connection Speed ---#
option sndbuf '393216'
option rcvbuf '393216'
# fragment 0 / mssfix 0 disable OpenVPN's own fragmentation and TCP MSS
# clamping; with tun_mtu 1500 oversized TCP segments may be dropped on the
# path (the wan zone's mtu_fix does not cover the tunnel). Failing pings are
# not explained by MTU, though.
option fragment '0'
option mssfix '0'
option tun_mtu '1500'
#--- Pushed Buffers ---#
list push 'sndbuf 393216'
list push 'rcvbuf 393216'
#--- Permissions ---#
# Privilege drop after initialisation (log: "GID set to nogroup", "UID set to nobody").
option user 'nobody'
option group 'nogroup'
Here is the last part of my /etc/network
# Unmanaged interface wrapping the OpenVPN tunnel device (presumably in
# /etc/config/network). proto 'none' means netifd assigns no address itself;
# OpenVPN's ifconfig does that. The firewall's 'vpn' zone refers to this
# interface by its UCI name 'vpn0', not by 'tun0'.
config interface 'vpn0'
option ifname 'tun0'
option proto 'none'
And finally my /etc/firewall
# Stock LEDE firewall: one 'defaults' section, the 'lan' and 'wan' zones, the
# default wan input rules and the /etc/firewall.user include.
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
# NOTE(review): everything from here down looks like the guide's firewall
# snippet appended after the stock file, so this file now has two 'defaults'
# sections and two 'lan' and two 'wan' zones with conflicting policies
# (lan forward ACCEPT vs DROP, wan input REJECT vs DROP, wan forward REJECT
# vs DROP). Duplicate sections are at best ignored with a warning and at
# worst applied unpredictably -- keep one copy of each and fold the 'vpn'
# zone, the rules and the forwardings below into the single config.
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'DROP'
option syn_flood 1
option drop_invalid 1
config rule
# Inbound OpenVPN on 1194, no 'dest' so this is an input rule (to the router
# itself). The server uses udp only (option proto 'udp'), so 'tcp udp' is
# wider than needed, and src '*' admits it from lan and vpn as well; src 'wan'
# with proto 'udp' is the least-privilege form.
option target 'ACCEPT'
option family 'ipv4'
option proto 'tcp udp'
option src '*'
option dest_port 1194
option name 'Allow Forwarded VPN Request -> <device>'
config rule
# NOTE(review): src_ip 10.1.0.0/28 is 10.1.0.0-10.1.0.15, which does not
# overlap the tunnel pool 10.1.1.0/24 (option server '10.1.1.0 255.255.255.0'),
# and dest_ip 172.168.0.0/26 is only 172.168.0.0-.63 of the /16 LAN. The same
# mismatch is in the three rules below, so none of them can match real VPN
# traffic; use 10.1.1.0/24 and 172.168.0.0/16, or drop src_ip/dest_ip and
# rely on the zone forwardings. Without 'dest' this one is an input rule;
# the next one with dest '*' is the forward rule.
option target 'ACCEPT'
option family 'ipv4'
option proto 'tcp udp'
option src '*'
option src_ip '10.1.0.0/28'
option dest_ip '172.168.0.0/26'
option name 'Allow VPN0 -> LAN'
config rule
option target 'ACCEPT'
option proto 'tcp udp'
option family 'ipv4'
option src '*'
option src_ip '10.1.0.0/28'
option dest '*'
option dest_ip '172.168.0.0/26'
option name 'Allow Forwarded VPN0 -> LAN'
config rule
option target 'ACCEPT'
option proto 'icmp'
option src '*'
option src_ip '10.1.0.0/28'
option dest 'lan'
option name 'Allow VPN0 (ICMP) -> LAN'
config rule
# Despite the name, dest 'wan' makes this a forward rule into the wan zone
# (echo-request only), not a rule for traffic to the device itself.
option target 'ACCEPT'
option proto 'icmp'
list icmp_type 'echo-request'
option src '*'
option src_ip '10.1.0.0/28'
option dest 'wan'
option name 'Allow VPN0 (ICMP 8) -> <device> '
config zone
option name 'lan'
option network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'DROP'
config zone
# Zone for the 'vpn0' interface (the tun0 wrapper in the network config).
# input ACCEPT gives every VPN client full access to the router's own
# services (ssh, web UI, DNS); REJECT plus explicit allow rules is tighter.
option name 'vpn'
option network 'vpn0'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'wan'
option network 'wan wan6'
option input 'DROP'
option output 'ACCEPT'
option forward 'DROP'
option masq 1
option mtu_fix 1
config forwarding
option dest 'vpn'
option src 'lan'
config forwarding
option dest 'wan'
option src 'lan'
config forwarding
option dest 'lan'
option src 'vpn'
# NOTE(review): there is no forwarding with src 'vpn' and dest 'wan', so
# anything a client routes to the internet through the tunnel is dropped by
# the wan zone's forward DROP. This only matters if clients send their
# default route through the VPN; the server pushes just the 172.168.0.0/16
# route, so plain LAN access does not depend on it.
So with all that, like I said, I am able to establish a connection and verify that I am getting an IP address from the 10.1.1.0 range. I can't ping anything on the internal LAN or get out to my WAN.
Any help or suggestions would be greatly appreciated.