OpenVPN setup: connection established but no tunnel and no internal connection to LAN / WAN

Hello All,

I am trying to setup OpenVPN on my Linksys WRT 1200AC using LEDE Reboot 17.01.2. I am able to establish a connection but not much after that. I followed the guide here:

https://wiki.openwrt.org/doc/howto/openvpn-streamlined-server-setup?rev=1476474996

And it seems like everything is working. I think I am having issue with my internal routing.

I am using 172.168.0.0/16 for all my internal networking. (Reviewer note: 172.168.0.0/16 is not an RFC 1918 private range — 172.16.0.0/12 only covers 172.16.0.0 through 172.31.255.255 — so it overlaps publicly routable address space. Every pushed route or firewall rule written for it will also capture client traffic meant for the real owners of those addresses; renumbering the LAN into 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16 avoids that.) When I start the service everything looks good (at least to me). Here is the output of my openvpn.log file when I start it.


Sat Nov  4 02:19:59 2017 OpenVPN 2.4.3 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] 
[EPOLL] [MH/PKTINFO] [AEAD]
Sat Nov  4 02:19:59 2017 library versions: OpenSSL 1.0.2k  26 Jan 2017, LZO 2.09
Sat Nov  4 02:19:59 2017 Diffie-Hellman initialized with 4096 bit key
Sat Nov  4 02:19:59 2017 Outgoing Control Channel Authentication: Using 384 bit message hash 
'SHA384' for HMAC authentication
Sat Nov  4 02:19:59 2017 Incoming Control Channel Authentication: Using 384 bit message hash 
'SHA384' for HMAC authentication
Sat Nov  4 02:19:59 2017 TUN/TAP device tun0 opened
Sat Nov  4 02:19:59 2017 TUN/TAP TX queue length set to 100
Sat Nov  4 02:19:59 2017 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Sat Nov  4 02:19:59 2017 /sbin/ifconfig tun0 10.1.1.1 netmask 255.255.255.0 mtu 1500 broadcast 
10.1.1.255
Sat Nov  4 02:19:59 2017 Could not determine IPv4/IPv6 protocol. Using AF_INET
Sat Nov  4 02:19:59 2017 Socket Buffers: R=[163840->327680] S=[163840->327680]
Sat Nov  4 02:19:59 2017 UDPv4 link local (bound): [AF_INET][undef]:1194
Sat Nov  4 02:19:59 2017 UDPv4 link remote: [AF_UNSPEC]
Sat Nov  4 02:19:59 2017 GID set to nogroup
Sat Nov  4 02:19:59 2017 UID set to nobody
Sat Nov  4 02:19:59 2017 MULTI: multi_init called, r=256 v=256
Sat Nov  4 02:19:59 2017 IFCONFIG POOL: base=10.1.1.2 size=252, ipv6=0
Sat Nov  4 02:19:59 2017 Initialization Sequence Completed

Here is /etc/config/openvpn (the UCI file; /etc/openvpn only holds the keys):


 config openvpn 'VPNserver'
   
    option enabled     '1'

# NOTE(review): 'dev' is given twice; UCI keeps the last value, so this
# instance binds tun0 -- the device /etc/config/network's 'vpn0' refers to.
    option dev         'tun'
    option dev         'tun0'
    option topology    'subnet'
    option proto       'udp'
    option port        '1194'

#--- Routes ---#
# 'server' is a macro that already implies server mode, ifconfig 10.1.1.1 and
# a client pool on 10.1.1.0/24; the explicit 'ifconfig' line is redundant.
    option server    '10.1.1.0 255.255.255.0'
    option ifconfig  '10.1.1.1 255.255.255.0'

#--- Pushed Routes ---#
# 172.168.0.0/16 is not RFC 1918 space (that is 172.16.0.0/12), so this pushed
# route also captures client traffic for real Internet hosts in that range.
# Without a pushed 'redirect-gateway' only this prefix enters the tunnel; the
# client's other Internet traffic keeps using its own uplink.
    list push    'route 172.168.0.0 255.255.0.0'
# Three resolvers are pushed; only 172.168.0.1 (the router) can answer for
# LAN names, the two public ones are reached through the router's WAN.
    list push    'dhcp-option DNS 172.168.0.1'
    list push    'dhcp-option WINS 172.168.0.1'
    list push    'dhcp-option DNS 8.8.8.8'
    list push    'dhcp-option DNS 8.8.4.4'
    list push    'dhcp-option NTP 129.6.15.30'

#--- Encryption ---#
# Pinned data-channel cipher/HMAC, certificate purpose check on clients
# (remote-cert-tls), tls-auth HMAC on the control channel and TLS >= 1.2.
# These are the hardening lines worth keeping when the config is rewritten.
    option cipher          'AES-256-CBC'
    option auth            'SHA384'
    option remote_cert_tls 'client'
    option dh              '/etc/openvpn/keys/dh4096.pem'
    option pkcs12          '/etc/openvpn/keys/vpnserver.p12'
    option tls_auth        '/etc/openvpn/keys/ta.key 0'
    option tls_version_min '1.2'

#--- Logging ---#
# /tmp is tmpfs on LEDE: these logs do not survive a reboot.
    option log           '/tmp/openvpn.log'
    option status        '/tmp/openvpn-status.log'
    option verb          '3'

#--- Connection Options ---#
# comp_lzo compresses inside the tunnel. Compressing attacker-influenced data
# next to secrets can leak plaintext (compression-oracle attacks), so leave
# compression off unless there is a measured need for it.
    option keepalive        '10 120'
    option comp_lzo         'yes'

#--- Connection Reliability ---#
# client_to_client relays traffic between VPN clients inside the OpenVPN
# process; it never passes through the kernel, so firewall zone rules cannot
# restrict it. persist_key/persist_tun are needed because after dropping to
# nobody/nogroup the daemon could not reopen the keys or tun0 on a restart.
    option client_to_client '1'
    option persist_key      '1'
    option persist_tun      '1'

#--- Connection Speed ---#    
# fragment 0 and mssfix 0 switch off OpenVPN's own fragmentation and MSS
# clamping while tun_mtu stays 1500; expect IP fragmentation of large packets
# over UDP if the path MTU is smaller.
    option sndbuf            '393216'
    option rcvbuf            '393216'
    option fragment          '0'
    option mssfix            '0'
    option tun_mtu           '1500'

#--- Pushed Buffers ---#
# Same socket buffer sizes pushed to the clients.
    list push    'sndbuf 393216'
    list push    'rcvbuf 393216'

#--- Permissions ---#
# Privilege drop after startup: the daemon runs as nobody/nogroup.
    option user     'nobody'
    option group    'nogroup'

Here is the last part of my /etc/config/network:


# tun0 is created by OpenVPN, not by netifd; 'proto none' only registers it as
# an interface so the firewall can place it in a zone ('vpn0' is what the vpn
# zone's 'network' option refers to).
config interface 'vpn0'
option ifname 'tun0'
option proto 'none'

And finally my /etc/config/firewall:


# NOTE(review): this listing contains two 'config defaults' sections and two
# zones each named 'lan' and 'wan' (this stock set, then a second set starting
# at the second 'config defaults' below). fw3 is given conflicting definitions
# for the same zone name; keep exactly one defaults section and one zone per
# name.
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'

config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'

config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'

# Stock LEDE rules: DHCP renew, ping and IGMP from wan to the router itself.
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'

config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'

# Stock IPsec pass-through rules (ESP and IKE from wan into lan). They are
# unrelated to OpenVPN and can be removed if no IPsec endpoint lives on the
# LAN.
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'

config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'

config include
option  path            '/etc/firewall.user'

# Second set of definitions (see the note at the top). Forward policy is DROP
# here versus REJECT above.
config defaults
option  input           'ACCEPT'
option  output          'ACCEPT'
option  forward         'DROP'
option  syn_flood       1
option  drop_invalid    1

# INPUT rule (no 'dest'): accepts tcp AND udp 1194 from every zone, wan
# included. The server listens on udp only, so 'proto udp' and 'src wan' are
# all that is needed.
config rule
option  target          'ACCEPT'
option  family          'ipv4'
option  proto           'tcp udp'
option  src             '*'
option  dest_port       1194
option  name            'Allow Forwarded VPN Request -> <device>'

# The next four rules match src_ip 10.1.0.0/28, but the server hands out
# 10.1.1.0/24 ('option server' in /etc/config/openvpn), so no VPN client ever
# matches them. dest_ip 172.168.0.0/26 also covers only the first 64
# addresses of the /16 LAN. This first one has no 'dest' and is therefore an
# INPUT rule (traffic to the router), not a forward.
config rule
option  target          'ACCEPT'
option  family          'ipv4'
option  proto           'tcp udp'
option  src             '*'
option  src_ip          '10.1.0.0/28'
option  dest_ip         '172.168.0.0/26'
option  name            'Allow VPN0 -> LAN'

# FORWARD variant (dest '*') of the rule above, same wrong prefixes.
config rule
option  target          'ACCEPT'
option  proto           'tcp udp'
option  family          'ipv4'
option  src             '*'
option  src_ip          '10.1.0.0/28'
option  dest            '*'
option  dest_ip         '172.168.0.0/26'
option  name            'Allow Forwarded VPN0 -> LAN'

# ICMP from the same (wrong) prefix into lan, and echo-request out to wan.
config rule
option  target          'ACCEPT'
option  proto           'icmp'
option  src             '*'
option  src_ip          '10.1.0.0/28'
option  dest            'lan'
option  name            'Allow VPN0 (ICMP) -> LAN'

config rule
option  target          'ACCEPT'
option  proto           'icmp'
list    icmp_type       'echo-request'
option  src             '*'
option  src_ip          '10.1.0.0/28'
option  dest            'wan'
option  name            'Allow VPN0 (ICMP 8) -> <device> '

# Second 'lan' zone (duplicate name, see top). A zone's 'forward' option only
# governs traffic between interfaces of that same zone; traffic between zones
# is decided by the 'config forwarding' sections at the end.
config zone
option  name            'lan'
option  network         'lan'
option  input           'ACCEPT'
option  output          'ACCEPT'
option  forward         'DROP'

# The VPN zone: VPN clients may reach the router (input ACCEPT) and each
# other; anything else needs a forwarding below.
config zone
option  name            'vpn'
option  network         'vpn0'
option  input           'ACCEPT'
option  output          'ACCEPT'
option  forward         'ACCEPT'

# Second 'wan' zone (duplicate name, see top): unsolicited input and forwards
# are dropped, everything leaving is NATed.
config zone
option  name            'wan'
option  network         'wan wan6'
option  input              'DROP'
option  output           'ACCEPT'
option  forward         'DROP'
option  masq            1
option  mtu_fix         1

# Forwardings: lan->vpn, lan->wan and vpn->lan exist. There is no vpn->wan, so
# VPN clients cannot reach the Internet through this router (and without a
# pushed 'redirect-gateway' they would not try to).
config forwarding
option  dest            'vpn'
option  src             'lan'

config forwarding
option  dest            'wan'
option  src             'lan'

config forwarding
option  dest            'lan'
option  src             'vpn'

So with all that, like I said, I am able to establish a connection and verify that the client gets an address from the 10.1.1.0/24 pool. I can't ping anything on the internal LAN or get out to the Internet through the WAN.

Any help or suggestions would be greatly appreciated.

Firstly, you don't need to configure your OpenVPN server with both server and ifconfig, only one of them:
server covers the entire subnet (it expands to ifconfig plus a client address pool); ifconfig is only needed when you configure the pool for your clients yourself (like a DHCP server). Then you can write your options like this:

#--- Routes ---#
option server '10.1.1.0 255.255.255.0'

or:

#--- Routes ---#
option ifconfig '10.1.1.1 255.255.255.0'
option ifconfig_pool '10.1.1.100 10.1.1.199 255.255.255.0' #for example

Then, when you want to get WAN, you need to redirect all your packets with:
list push 'redirect-gateway def1'
& configure your firewall like this: (for your VPN)

# The three forwardings a VPN zone needs: lan<->vpn, plus vpn->wan so that
# clients can reach the Internet once 'redirect-gateway def1' is pushed. These
# only decide what the router forwards between zones; they install no routes
# on the client.
config forwarding
option dest 'vpn'
option src 'lan'

config forwarding
option dest 'wan'
option src 'vpn'

config forwarding
option dest 'lan'
option src 'vpn'

You don't need all the other rules you wrote;
please delete these sections from your firewall:

# Quoted from the first post. In the third rule the '*' values of 'src' and
# 'dest' were swallowed by the forum markup (shown as '' and a bare quote).
config rule
option target 'ACCEPT'
option family 'ipv4'
option proto 'tcp udp'
option src '*'
option dest_port 1194
option name 'Allow Forwarded VPN Request -> '

config rule
option target 'ACCEPT'
option family 'ipv4'
option proto 'tcp udp'
option src '*'
option src_ip '10.1.0.0/28'
option dest_ip '172.168.0.0/26'
option name 'Allow VPN0 -> LAN'

config rule
option target 'ACCEPT'
option proto 'tcp udp'
option family 'ipv4'
option src ''
option src_ip '10.1.0.0/28'
option dest '
'
option dest_ip '172.168.0.0/26'
option name 'Allow Forwarded VPN0 -> LAN'

config rule
option target 'ACCEPT'
option proto 'icmp'
option src '*'
option src_ip '10.1.0.0/28'
option dest 'lan'
option name 'Allow VPN0 (ICMP) -> LAN'

config rule
option target 'ACCEPT'
option proto 'icmp'
list icmp_type 'echo-request'
option src '*'
option src_ip '10.1.0.0/28'
option dest 'wan'
option name 'Allow VPN0 (ICMP 8) -> '

& write please just this:

# The single INPUT rule the server needs: udp/1194 from the wan zone only.
# The server is configured with 'proto udp', so nothing listens on tcp.
config rule
option target 'ACCEPT'
option family 'ipv4'
option proto 'udp'
option src 'wan'
option dest_port 1194
option name 'Allow Forwarded VPN Request'

So you can also delete this line from your server configuration: once 'redirect-gateway def1' is pushed, all client traffic (172.168.0.0/16 included) already goes through the tunnel, so the explicit route adds nothing. (Firewall zones and forwardings never install routes on the client; they only decide what the router forwards.)
list push 'route 172.168.0.0 255.255.0.0'

& add this line after your topology option:
list push 'topology subnet'

I have a question too, why 2 DNS??? local & public???
#--- Pushed Routes ---#
list push 'route 172.168.0.0 255.255.0.0'
list push 'dhcp-option DNS 172.168.0.1'
list push 'dhcp-option WINS 172.168.0.1'
list push 'dhcp-option DNS 8.8.8.8'
list push 'dhcp-option DNS 8.8.4.4'
list push 'dhcp-option NTP 129.6.15.30'

you can delete your local address when you plan to reach your server without any warning in Tunnelblick or whatever, you don't need to configure it, it will be set automatically.

tell me please if it works later

regards,
khllo

Hello khllo,

Thanks for the reply.

So I made the changes you suggested but after committing them I lost all connection to the internet. I was still able to connect my phone to the vpn but this time my phone wasn't able to browse anything which is a good thing I think because before it was like my connection wasn't pushed through the tun. So I think I made some progress.

Here is what i have now could you please review and let me know if maybe i made a mistake somewhere?

/etc/config/firewall


config include
option  path            '/etc/firewall.user'


# Forward policy DROP: anything crossing zones must be allowed by a
# 'config forwarding' or a rule below.
config defaults
option  input           'ACCEPT'
option  output          'ACCEPT'
option  forward         'DROP'
option  syn_flood       1
option  drop_invalid    1

# INPUT rule: udp/1194 from wan only, which is all the udp server needs.
config rule
option target           'ACCEPT'
option family           'ipv4'
option proto            'udp'
option src              'wan'
option dest_port        1194
option name             'Allow Forwarded VPN Request' 

config zone
option  name            'lan'
option  network         'lan'
option  input           'ACCEPT'
option  output          'ACCEPT'
option  forward         'ACCEPT'

# 'log 1' makes fw3 log packets rejected or dropped in this zone -- useful
# while debugging, noisy afterwards.
config zone
option  name            'vpn'
option  network         'vpn0'
option  input           'ACCEPT'
option  output          'ACCEPT'
option  forward         'ACCEPT'
option  log             '1'

# wan: unsolicited input and forwards dropped, everything leaving is NATed.
config zone
option  name            'wan'
option  network         'wan'
option  input           'DROP'
option  output          'ACCEPT'
option  forward         'DROP'
option  masq            1
option  mtu_fix         1

# lan->vpn, vpn->wan (Internet for clients behind 'redirect-gateway') and
# vpn->lan.
config forwarding
option  dest            'vpn'
option  src             'lan'

config forwarding
option  dest            'wan'
option  src             'vpn'

config forwarding
option  dest            'lan'
option  src             'vpn'

/etc/config/openvpn


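# NOTE(review): this listing was pasted twice into the post, with the second
# copy inserted mid-word into the header ('config o' ... 'penvpn'); the two
# copies were identical apart from a line-wrapped tls_cipher value, so one
# clean copy is kept here.
config openvpn 'VPNserver'

    option enabled     '1'

# --- Protocol ---#
# 'dev' is given twice; UCI keeps the last value (tun0), which is the device
# /etc/config/network's 'vpn0' refers to.
    option dev         'tun'
    option dev         'tun0'
    option topology    'subnet'
    option proto       'udp'
    option port        '1194'

#--- Routes ---#
# 'server' alone: server mode, ifconfig 10.1.1.1 and a pool on 10.1.1.0/24.
     option server        '10.1.1.0 255.255.255.0'

#--- Client Config ---#
#       option ccd_exclusive           '1'
#       option ifconfig_pool_persist   '/etc/openvpn/clients/ipp.txt'
#       option client_config_dir       '/etc/openvpn/clients/'

#--- Pushed Routes ---#
# Only public resolvers are pushed now; LAN names will not resolve through
# the tunnel.
    list push    'dhcp-option WINS 172.168.0.1'
    list push    'dhcp-option DNS 8.8.8.8'
    list push    'dhcp-option DNS 8.8.4.4'
    list push    'topology subnet'
# NOTE(review): the 'local' flag tells the client NOT to add a host route to
# the VPN server via its original gateway; that is only correct when the
# client sits on the same subnet as the server. For clients coming in over the
# Internet the tunnel's own packets are then routed into the tunnel, which
# matches the "connected but cannot browse" symptom reported in the post.
# Use plain 'redirect-gateway def1' (as the final working config does).
    list push    'redirect-gateway def1 local'
    list push    'dhcp-option NTP 129.6.15.30'

#--- Encryption ---#
# Pinned cipher/HMAC, certificate purpose check on clients, tls-auth on the
# control channel, TLS >= 1.2, and a DHE-RSA-only suite list (forward
# secrecy; requires the certificate in the pkcs12 to be RSA).
    option cipher          'AES-256-CBC'
    option auth            'SHA384'
    option remote_cert_tls 'client'
    option dh              '/etc/openvpn/keys/dh4096.pem'
    option pkcs12          '/etc/openvpn/keys/vpnserver.p12'
    option tls_auth        '/etc/openvpn/keys/ta.key 0'
    option tls_version_min '1.2'
    option tls_cipher      'TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256'

#--- Logging ---#
# /tmp is tmpfs on LEDE: these logs do not survive a reboot.
    option log           '/tmp/openvpn.log'
    option status        '/tmp/openvpn-status.log'
    option verb          '3'

#--- Connection Options ---#
# comp_lzo compresses inside the tunnel; compressing attacker-influenced data
# next to secrets can leak plaintext (compression-oracle attacks), so leave
# compression off unless there is a measured need for it.
    option keepalive        '10 120'
    option comp_lzo         'yes'

#--- Connection Reliability ---#
# client_to_client relays traffic between VPN clients inside the OpenVPN
# process, bypassing the kernel firewall. persist_key/persist_tun are needed
# because the daemon, running as nobody, cannot reopen keys or tun0 on restart.
    option client_to_client '1'
    option persist_key      '1'
    option persist_tun      '1'

#--- Connection Speed ---#    
# fragment 0 / mssfix 0 disable OpenVPN's own fragmentation and MSS clamping
# while tun_mtu stays 1500; expect IP fragmentation over UDP on smaller paths.
    option sndbuf            '393216'
    option rcvbuf            '393216'
    option fragment          '0'
    option mssfix            '0'
    option tun_mtu           '1500'

#--- Pushed Buffers ---#
    list push    'sndbuf 393216'
    list push    'rcvbuf 393216'

#--- Permissions ---#
# Privilege drop after startup.
    option user     'nobody'
    option group    'nogroup'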

As for your question I don't know why I had multiple DNS listed I was trying things that I saw when researching the problem I was having. I will continue to play with my firewall to see why I lose connection. If you have any more feedback I'd appreciate it.

Regards,
DM

I just wanted to update this thread as solved.

I was able to get it to work with the following configs:

/etc/config/openvpn


# NOTE(review): compared with the earlier 'VPNserver' config this one has
# dropped tls_auth, remote_cert_tls 'client', the pinned cipher/auth and
# tls_version_min. None of those caused the routing problem, so restore them:
# without tls-auth every packet that reaches udp/1194 is answered with a TLS
# handshake, and without remote-cert-tls any certificate signed by the CA
# (another server's included) is accepted as a client.
config openvpn 'myvpn'
option enabled '1'
option port '1194'
option proto 'udp'
# First free tun device, i.e. tun0 -- what 'vpn0' in /etc/config/network names.
option dev 'tun'
option server '10.1.1.0 255.255.255.0'
# All client traffic, DNS included, now goes through the router. Only public
# resolvers are pushed, so LAN names will not resolve for VPN clients.
list push 'redirect-gateway def1'
list push 'dhcp-option DNS 8.8.8.8'
list push 'dhcp-option DNS 8.8.4.4'
list push 'dhcp-option NTP 129.6.15.30'
option keepalive '10 120'
# Separate CA/cert/key files replace the pkcs12; check that lede-server.key is
# readable by root only.
option ca '/etc/openvpn/ca.crt'
option cert '/etc/openvpn/lede-server.crt'
option key '/etc/openvpn/lede-server.key'
option dh '/etc/openvpn/dh2048.pem'
option log '/tmp/openvpn.log'
option status '/tmp/openvpn-status.log'
# verb 7 is debug-level output; drop back to 3 once the setup is stable.
option verb '7'
# Privilege drop; persist_* keep the tun device and keys usable after that.
option user 'nobody'
option group 'nogroup'
option persist_key      '1'
option persist_tun      '1'

/etc/config/firewall


# NOTE(review): the listing starts mid-section -- the 'config rule' header and
# the other options of 'Allow Forwarded VPN Request' (udp/1194 from wan in the
# earlier listing) were lost in the paste. The three 'config forwarding'
# sections named in the reload output below are not shown either.
option name 'Allow Forwarded VPN Request'

# FORWARD rule (dest '*'): udp only, from the VPN pool to the whole /16 LAN.
# No rule shown here matches TCP from VPN clients.
config rule
option target 'ACCEPT'
option proto 'udp'
option family 'ipv4'
option src '*'
option src_ip '10.1.1.0/24'
option dest '*'
option dest_ip '172.168.0.0/16'
option name 'Allow Forwarded VPN0 Traffic to LAN'

# INPUT rule (no 'dest'): same match, for traffic to the router itself.
config rule
option target 'ACCEPT'
option proto 'udp'
option family 'ipv4'
option src '*'
option src_ip '10.1.1.0/24'
option dest_ip '172.168.0.0/16'
option name 'Allow Inbound VPN0 Traffic to LAN'

config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option network 'lan'
option forward 'DROP'

# 'family ipv4' is set on this zone only. fw3 will not build a forwarding
# between zones whose family differs, which is exactly the "Skipping due to
# different family of zone" output below: lan<->vpn and vpn->wan are never
# installed. Remove this line, or set the same family on every zone.
config zone
option name 'vpn'
option input 'ACCEPT'
option forward 'ACCEPT'
option output 'ACCEPT'
option network 'vpn0'
option family 'ipv4'

# wan: unsolicited input and forwards dropped, everything leaving is NATed.
config zone
option name 'wan'
option output 'ACCEPT'
option masq '1'
option mtu_fix '1'
option network 'wan wan6'
option input 'DROP'
option forward 'DROP'

So the only problem I get is when I run `uci commit firewall` and then `/etc/init.d/firewall reload`; after reloading the firewall I get the following messages, but everything still seems to work regardless. (Reviewer note: the cause is visible in the listing above — the 'vpn' zone has `option family 'ipv4'` while 'lan' and 'wan' do not, and fw3 skips any forwarding between zones whose family differs. Remove that line, or set the same family on every zone. Until then those three forwardings are not installed, so check with `iptables -L FORWARD -v -n` which rule is actually letting the traffic through.)

  • Forward 'lan' -> 'vpn'
    ! Skipping due to different family of zone
  • Forward 'vpn' -> 'wan'
    ! Skipping due to different family of zone
  • Forward 'vpn' -> 'lan'
    ! Skipping due to different family of zone

One other thing I notice is that when I have my phone connected to the VPN and come home, I am not able to browse the Internet without rebooting the router; I get a DNS error. If anyone has run into that before, please advise what the issue might be. (Reviewer note: with `redirect-gateway def1` pushed, a phone that joins the home Wi-Fi while the tunnel is still up keeps sending all its traffic, DNS included, to the server's public address from inside the LAN. Whether the router handles that hairpin is not shown here, so confirm by checking whether the phone still reports the VPN as connected and whether disconnecting it restores DNS before looking elsewhere.)

Other than that everything works well.