OpenVPN Site to Site issues

tuc · September 8, 2023, 10:26am

Hi,

I am using a Linksys E8450 (UBI) running OpenWrt 22.03.5 r20134-5f15225c1e / LuCI openwrt-22.03 branch git-23.119.80898-65ef406 with a local lan of 192.168.33.0/24 (OpenWrt is at 192.168.33.254). I have an OpenVPN server in AWS (Public IP outside, OpenVPN IP 10.8.0.1) that its (10.8.0.2) connected to, and I have my laptop (10.8.0.8) connecting to the same OpenVPN. Laptop can ping OpenWrt, OpenWrt can ping laptop. As part of the OpenVPN in AWS, it has a "iroute 192.168.33.0 255.255.255.0" so that I should be able to connect to the destination lan when I connect. From the laptop, I can access 192.168.33.254 fine. Its when I try to get to anything else on the lan its an issue. Ping and ssh times out.

I've been looking all over and trying everything I can think of, and I'm crosseyed. Any suggestions?

/etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fda2:6dee:30ee::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.33.254'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config interface 'OpenVPN_TUN0'
	option proto 'none'
	option device 'tun0'

/etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option synflood_protect '1'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'
 (All the typical config rules for Allow-DHCP-Renew, etc)
config zone
	option name 'OpenVPN_FW'
	option output 'ACCEPT'
	option mtu_fix '1'
	option input 'ACCEPT'
	option forward 'REJECT'
	list network 'OpenVPN_TUN0'

config forwarding
	option src 'lan'
	option dest 'OpenVPN_FW'

config forwarding
	option src 'OpenVPN_FW'
	option dest 'lan'

Given everywhere I looked, this should be working.

Any thoughts?

Thanks

vgaetera · September 8, 2023, 10:35am

https://openwrt.org/docs/guide-user/services/vpn/openvpn/extras#site-to-site
If the issue persists, collect the server side log while connecting the client.

mk24 · September 8, 2023, 3:12pm

Confirm that tun0 has a 10.8.0.2/24 (particularly look at the mask size) so there is a route back to the laptop. Also of course that would be visible in the routing table. Use tcpdump to see if packets from the laptop are leaving br-lan when you try to ping something on the lan.

client-to-client must be enabled in the OpenVPN server but I think not having that would prevent pinging the router at all from the laptop.

ulmwind · September 9, 2023, 10:20am

Very nice description of behavior

So routing works fine, but the issue is with access from tun to lan in OpenWRT router. Please, remove underscore '_' from names, configuration looks fine.

Run also traceroute 192.168.33.1 from PC, and give output.

ulmwind · September 9, 2023, 10:22am

Please, change input to 'REJECT', and check, whether you can connect to 192.168.33.254, as before.