OpenVPN Site-to-Site connectivity issue

Hi all, I'm trying to set up a Site-to-Site (shared key) OpenVPN connection between two OpenWRT routers.
The VPN is establishing successfully, but I'm unable to ping between the two 'tun' interfaces that are used for OpenVPN (no response when pinging 192.168.9.2).

I have a feeling that it is firewall/iptables-related, as when I run /etc/init.d/firewall stop on 'Router A', I can sometimes start pinging the remote router 'B' tun0 IP address after it has flushed the tables.

If I then restart the 'Router A' firewall with /etc/init.d/firewall restart, I can still maintain connectivity and I can even connect to the remote 'Router B' LAN clients successfully. So perhaps the connection is then seen as 'ESTABLISHED' and that could be why the connection is maintained?

However, I cannot see any obvious issue with the firewall configuration on 'Router A'.

I have set this up as per the Wiki, by creating an 'unmanaged' interface for tun0 and then adding the appropriate rules.

Debug info from 'Router A':
Note: I have two OpenVPN instances. 'homevpn' is a server instance used for connecting in to my home 'Router A' network remotely; it uses interface VPN1/tun1 and is working fine.

The problem site-to-site connection ('sitevpn' in the firewall config) uses interface VPN0/tun0 with the range 192.168.9.0/30.

VPN connection logs:

Wed Aug 26 09:15:11 2020 daemon.notice openvpn(sherbourne)[28848]: TUN/TAP TX queue length set to 100
Wed Aug 26 09:15:11 2020 daemon.notice openvpn(sherbourne)[28848]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Wed Aug 26 09:15:11 2020 daemon.notice openvpn(sherbourne)[28848]: /sbin/ifconfig tun0 192.168.9.1 pointopoint 192.168.9.2 mtu 1500
Wed Aug 26 09:15:11 2020 daemon.notice netifd: Interface 'VPN1' is now up
Wed Aug 26 09:15:11 2020 daemon.notice openvpn(sherbourne)[28848]: /sbin/route add -net 192.168.2.0 netmask 255.255.255.0 gw 192.168.9.2
Wed Aug 26 09:15:11 2020 daemon.notice openvpn(sherbourne)[28848]: Data Channel MTU parms [ L:1573 D:1450 EF:73 EB:398 ET:0 EL:3 ]
Wed Aug 26 09:15:11 2020 daemon.notice openvpn(sherbourne)[28848]: Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1573,tun-mtu 1500,proto UDPv4,ifconfig 192.168.9.2 192.168.9.1,comp-lzo,cipher AES-256-CBC,auth SHA256,keysize 256,secret'
Wed Aug 26 09:15:11 2020 daemon.notice openvpn(sherbourne)[28848]: Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1573,tun-mtu 1500,proto UDPv4,ifconfig 192.168.9.1 192.168.9.2,comp-lzo,cipher AES-256-CBC,auth SHA256,keysize 256,secret'
Wed Aug 26 09:15:11 2020 daemon.warn openvpn(sherbourne)[28848]: Could not determine IPv4/IPv6 protocol. Using AF_INET
Wed Aug 26 09:15:11 2020 daemon.notice openvpn(sherbourne)[28848]: Socket Buffers: R=[163840->163840] S=[163840->163840]
Wed Aug 26 09:15:11 2020 daemon.notice openvpn(sherbourne)[28848]: UDPv4 link local (bound): [AF_INET][undef]:1195
Wed Aug 26 09:15:11 2020 daemon.notice openvpn(sherbourne)[28848]: UDPv4 link remote: [AF_UNSPEC]
Wed Aug 26 09:15:12 2020 user.notice firewall: Reloading firewall due to ifup of VPN0 (tun0)
Wed Aug 26 09:15:13 2020 user.notice firewall: Reloading firewall due to ifup of VPN1 (tun1)
Wed Aug 26 09:16:10 2020 daemon.notice openvpn(sherbourne)[28848]: Peer Connection Initiated with [AF_INET]<REDACTED>:1195
Wed Aug 26 09:16:12 2020 daemon.warn openvpn(sherbourne)[28848]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Wed Aug 26 09:16:12 2020 daemon.notice openvpn(sherbourne)[28848]: Initialization Sequence Completed

ip addr

32: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN qlen 100
    link/[65534]
    inet 192.168.9.1 peer 192.168.9.2/32 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::2621:c63e:2acf:e708/64 scope link
       valid_lft forever preferred_lft forever

/etc/config/openvpn

config openvpn 'sherbourne'
        option dev 'tun'
        option ifconfig '192.168.9.1 192.168.9.2'
        option secret '/etc/openvpn/sherbourne-site-static.key'
        option port '1195'
        option cipher 'AES-256-CBC'
        option enabled '1'
        option client_to_client '0'
        list push 'route 192.168.0.0 255.255.255.0'
        option tls_server '0'
        option dev_type 'tun'
        option persist_tun '1'
        option keepalive '10 120'
        option persist_key '1'
        option comp_lzo 'adaptive'
        option nobind '0'
        option ncp_ciphers 'AES-256-GCM:AES-128-GCM'
        option auth 'SHA256'
        list route '192.168.2.0 255.255.255.0'
        option verb '5'

/etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '36482'
        option dest_ip '192.168.0.12'
        option dest_port '32400'
        option name 'Plex-RPi'

config rule
        option target 'ACCEPT'
        option src 'lan'
        option name 'Allow-VPN0'
        list proto 'all'

config zone
        option name 'sitevpn'
        option network 'VPN0'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        list device 'tun0'
        option output 'ACCEPT'

config forwarding
        option dest 'lan'
        option src 'sitevpn'

config forwarding
        option dest 'sitevpn'
        option src 'lan'

config zone
        option name 'homevpn'
        option network 'VPN1'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        list device 'tun1'
        option output 'ACCEPT'

config forwarding
        option dest 'lan'
        option src 'homevpn'

config forwarding
        option dest 'sitevpn'
        option src 'homevpn'

config forwarding
        option dest 'homevpn'
        option src 'lan'

config forwarding
        option dest 'homevpn'
        option src 'sitevpn'

config include 'miniupnpd'
        option type 'script'
        option path '/usr/share/miniupnpd/firewall.include'
        option family 'any'
        option reload '1'

config rule
        option target 'ACCEPT'
        option src 'sitevpn'
        option name 'Allowtun0'
        list proto 'all'

config rule
        option src 'wan'
        option name 'AllowClientVPN'
        option target 'ACCEPT'
        list proto 'udp'
        option dest_port '1194'

config rule
        option src 'homevpn'
        option name 'ClientVPN-LAN'
        option dest 'lan'
        option target 'ACCEPT'
        list proto 'all'

config rule
        option src 'lan'
        option name 'LAN-ClientVPN'
        option dest 'homevpn'
        option target 'ACCEPT'
        list proto 'all'

tcpdump from 'Router A' when pinging the remote tun IP address of 'Router B'. We see that no responses are received back over the tun0 interface:

root@OpenWrt:~# tcpdump -vni tun0
tcpdump: listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
09:39:16.155560 IP (tos 0x0, ttl 64, id 40603, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.9.1 > 192.168.9.2: ICMP echo request, id 13688, seq 0, length 64
09:39:17.163208 IP (tos 0x0, ttl 64, id 40606, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.9.1 > 192.168.9.2: ICMP echo request, id 13688, seq 1, length 64
09:39:18.173554 IP (tos 0x0, ttl 64, id 40633, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.9.1 > 192.168.9.2: ICMP echo request, id 13688, seq 2, length 64
09:39:19.183651 IP (tos 0x0, ttl 64, id 40698, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.9.1 > 192.168.9.2: ICMP echo request, id 13688, seq 3, length 64
09:39:20.194070 IP (tos 0x0, ttl 64, id 40710, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.9.1 > 192.168.9.2: ICMP echo request, id 13688, seq 4, length 64

Any pointers would be much appreciated - thank you.
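As an added example (not code from the original post, from OpenWrt or from fw3), here is a small Python audit that parses the UCI text format of /etc/config/openvpn and /etc/config/firewall and reports what to verify before blaming the firewall for a tunnel that passes no traffic: which zone owns the tunnel device, that zone's input policy, the forwardings touching it, and whether the instance's listen port is accepted from wan. The two embedded configs are constructed, shortened copies of the ones in the post; the device and network names (tun0, VPN0) and the instance name 'sherbourne' are taken from it, and the parser does not follow includes such as /etc/firewall.user.

```python
# Added example, not from the post or OpenWrt: cross-check one OpenVPN UCI instance
# against /etc/config/firewall. The sample configs are constructed, shortened copies.
import shlex
from collections import defaultdict

OPENVPN_CONF = """
config openvpn 'sherbourne'
        option dev 'tun'
        option ifconfig '192.168.9.1 192.168.9.2'
        option port '1195'
"""

FIREWALL_CONF = """
config zone
        option name 'sitevpn'
        option network 'VPN0'
        option input 'ACCEPT'
        list device 'tun0'
config forwarding
        option src 'sitevpn'
        option dest 'lan'
config forwarding
        option src 'lan'
        option dest 'sitevpn'
config rule
        option name 'AllowClientVPN'
        option src 'wan'
        option target 'ACCEPT'
        list proto 'udp'
        option dest_port '1194'
"""


def parse_uci(text):
    """Parse UCI 'config/option/list' lines into section dicts; shlex handles the quoting."""
    sections, cur = [], None
    for raw in text.splitlines():
        parts = shlex.split(raw, comments=True)
        if not parts:
            continue
        kw, key, val = (parts + ['', ''])[:3]
        if kw == 'config':
            cur = {'type': key, 'name': val or None, 'options': {}, 'lists': defaultdict(list)}
            sections.append(cur)
        elif kw == 'option' and cur is not None:
            cur['options'][key] = val
        elif kw == 'list' and cur is not None:
            cur['lists'][key].append(val)
    return sections


def zones_for(fw, device, network):
    """Zones whose 'device' list or 'network' option covers the tunnel interface."""
    hits = []
    for s in (s for s in fw if s['type'] == 'zone'):
        devs = s['lists'].get('device', []) + s['options'].get('device', '').split()
        nets = s['lists'].get('network', []) + s['options'].get('network', '').split()
        if device in devs or network in nets:
            hits.append(s['options']['name'])
    return hits


def wan_ports_accepted(fw, proto):
    """dest_ports ACCEPTed by src=wan rules that have no dest (fw3 treats those as INPUT rules)."""
    ports = set()
    for s in (s for s in fw if s['type'] == 'rule'):
        o = s['options']
        if o.get('src') != 'wan' or 'dest' in o or o.get('target') != 'ACCEPT':
            continue
        protos = s['lists'].get('proto') or o.get('proto', 'tcp udp').split()
        if proto in protos or 'all' in protos:
            ports.update(o.get('dest_port', 'any').split())
    return ports


def audit(openvpn_text, firewall_text, instance, device, network):
    """Report for one instance; 'device' is passed in because a bare 'dev tun' gets tun0, tun1, ... in start order."""
    ovpn = next(s for s in parse_uci(openvpn_text) if s['type'] == 'openvpn' and s['name'] == instance)
    fw = parse_uci(firewall_text)
    zones = zones_for(fw, device, network)
    zone_input = {s['options']['name']: s['options'].get('input', 'DROP') for s in fw if s['type'] == 'zone'}
    return {
        'tunnel': tuple(ovpn['options']['ifconfig'].split()),
        'zones': zones,
        'zone_input': {z: zone_input[z] for z in zones},
        'forwardings': sorted((s['options']['src'], s['options']['dest']) for s in fw
                              if s['type'] == 'forwarding' and set(zones) & set(s['options'].values())),
        # 1194/udp are OpenVPN's own defaults when the options are unset
        'listen_port_open_from_wan': ovpn['options'].get('port', '1194')
                                     in wan_ports_accepted(fw, ovpn['options'].get('proto', 'udp')),
    }


def findings(report):
    """Plain-language checks; an empty list means the firewall side looks complete."""
    out = []
    if not report['zones']:
        out.append('tunnel device is in no zone, so only the defaults policy applies to it')
    for z, pol in report['zone_input'].items():
        if pol != 'ACCEPT':
            out.append(f'zone {z} input is {pol}: the peer cannot reach this router on its tunnel IP')
    if not report['listen_port_open_from_wan']:
        out.append('listen port is not accepted from wan: the peer can only connect if this side dials out first, '
                   'or if an include such as /etc/firewall.user opens it')
    return out


if __name__ == '__main__':
    rep = audit(OPENVPN_CONF, FIREWALL_CONF, 'sherbourne', 'tun0', 'VPN0')
    print(rep, *findings(rep), sep='\n')
```

Run it against the configs of both routers: the tcpdump above shows the echo requests leaving tun0 on Router A, so the input policy of the tunnel zone on Router B (and any rule there that lacks a dest, which fw3 applies to INPUT rather than FORWARD) matters as much as Router A's. The report only states what the UCI files declare; anything added by an include script or by a firewall restart mid-session is outside what it reads.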

There are working and tested how-tos:

Also note that running VPN server + client simultaneously may be problematic.

