OpenVPN site to site no traffic incoming to VPN


This is my second attempt to use openwrt.
My 1st attempt was on virtualbox and bridged WAN, and 2nd is on a flashed TP-link Archer A7 router, on both routers I am getting stuck on the same issue.

I am trying to setup a openvpn site2site VPN, having a remote opnsense router as UDP server, and local OpenWRT router as client, using shared key.

When I used a local opnsense on VIrtBox the VPN worked, however throughput was terrible...

When I am using local OpenWRT, internet works fine, luci is showing OpenVPN is connected, confirmed in remote Opnsense as well.
The remote Opnsense connection status show reciving and sending bytes, also firewall logs all packets in green.
However on local openwrt, Under interfaces, I see Tx bytes, but no Rx bytes.
Here are some theories, However i do not know how to fix them
Since WAN network is in 192.168 range the firewall blocks the incoming traffic (Opensense does this by default) how to disable it in openwrt?
I need to add a firewall rule for input traffic from WAN to box.

25: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1400 qdisc fq_codel state UNKNOWN qlen 500
    inet peer scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::52f6:3d35:bcc6:f007/64 scope link flags 800 
       valid_lft forever preferred_lft forever

The simplest way to set up site to site through the firewall in OpenWrt is to add the tun0 device to the lan firewall zone. Not a covered network, but a Device from the list on the Advanced page.

The other site (OpenVPN server) needs to be aware of the clients' remote LAN(s) and install routes to them. In OpenVPN this is done with a client config directory containing a file for each client and an iroute definition in each file. The client config process requires the use of PKI (certificate based) authentication so that clients can be uniquely identified as they connect.

Generally when you are tasked to deploy both ends of a VPN, you should use Wireguard.

I must be missing something fundamental, because I've now set up wireguard and I have same issue.
On client, only Tx and no Rx

Given I've tried in the same environment with Opnsense, and it worked, while with openwrt with both openvpn and wg, rx is not workign It must be something fundamental, where can i start looking for it?

Does wg show that handshakes have occured? Can you ping the IP of the other end of the tunnel from the router CLI (or network test page)? Do you have allowed_ips set properly (these need to be set to the IP of the other LAN)? Does the Opnsense router have routes into the tunnel? On OpenWrt you should set route_allowed_ips to 1 or yes.

Check the clocks on both sides, they need to match.

I had similar issue. wg show had no handshakes and 0 bytes received
even though ntpd was running, on OpenWrt, clock was off. I set it to match browser in Luci and then it worked.

root@OpenWrt:~# wg show
interface: wireguard
  public key: OajtJ8mzrNnP/vAvXJeRsLNdHMpKCeYTU5MygHGbaAQ=
  private key: (hidden)
  listening port: 11950

peer: +zitNfC/JltFNKWSJVS13CklRwr7OZChXRl1TSsgu1I=
  endpoint: RRRRR
  allowed ips:,
  transfer: 0 B received, 27.61 KiB sent
  persistent keepalive: every 25 seconds

oot@OpenWrt:~# ping
PING ( 56 data bytes
--- ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss

root@OpenWrt:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         UG    0      0        0 wlan0        *        U     0      0        0 wireguard        *      UH    0      0        0 tun0       *        U     0      0        0 wireguard UGH   0      0        0 wlan0     *        U     0      0        0 wlan0     *        U     0      0        0 br-lan

While going to check wg show config on Opnsense I see something is messed up there, so I started to uninstall reboot reinstall whatever..

But I wonder before I am going to dig into wireguard, isn't the fact that OpenVPN behaved alike that I am missing something int he openWRT

The WireGuard connection has failed to establish since the peer is missing a handshake.

1 Like

Wireguard in opnsense is broken in current version, and I do not want to use it.

Back to OpenVPN as in the title of the post.

I've exported a .ovpn file file opnsense, and imported into openwrt, and everything works perfectly, however its NATting meaning I could only instantiate or ping from openwrt lan to opnsese lan, not both ways.

I've disabled the imported connection, renabled the openvpn site2site connection, I could confirm tunnel is alive, routes on both sides, RX and TX on opnsense side, but only TX on on OpnWRT side

When I ping the other side of tunnel I do not get a response.

Does OPNsense have a route configured to send return traffic back through the VPN? Is OpenWRT masquerading down the tunnel? Is any other re-writing malarkey going on?

1 Like

Change back to the imported configuration since that is close to working. NAT (Masquerading) in OpenWRT is controlled by the firewall. If the outgoing device (tun0) is in a zone with masquerading enabled, packets will be source NATd on their way out. In a default configuration the wan zone has masquerading enabled, but lan does not. So suggest moving the VPN tunnel to lan.

If you're not masquerading, the server needs a route back to your LAN. This is part of the OpenVPN server since the server uses a DHCP-like mechanism to assign tunnel IPs to the clients. As the client IP's vary, the underlying OS on the server cannot be configured with a constant static IP as the gateway to the remote LAN. Instead the route is installed dynamically by the OpenVPN process.

I guess so, here are the routes from both sides

x.x.x.x is my server IP masked

I noticed the message ping: sendto: No buffer space available on the runnigng ping that was running on the OpnSense


ping: sendto: No buffer space available
ping: sendto: No buffer space available
ping: sendto: No buffer space available
ping: sendto: No buffer space available
ping: sendto: No buffer space available
ping: sendto: No buffer space available
ping: sendto: No buffer space available

--- ping statistics ---
2229 packets transmitted, 0 packets received, 100.0% packet loss
root@ROUTER:~ # netstat -r
Routing tables

Destination        Gateway            Flags     Netif Expire
default            x.x.x.x       UGS      vtnet0           UGS      ovpns1           link#8             UHS         lo0           link#8             UH       ovpns1           UGS      ovpns3           link#7             UHS         lo0           link#7             UH       ovpns3           link#9             UHS         lo0           link#9             UH       ovpns4       link#2             U        vtnet1
ROUTER             link#2             UHS         lo0
localhost          link#4             UH          lo0
x.x.x.x    link#1             U        vtnet0
x.x.x.x.vul link#1             UHS         lo0       UGHS     vtnet0           UGS      ovpns1           UGS      ovpns4


Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         UG    0      0        0 wlan0        *        U     0      0        0 wireguard        *      UH    0      0        0 tun0
x.x.x.x UGH   0      0        0 wlan0     *        U     0      0        0 wlan0     *        U     0      0        0 br-lan


Thanks for your input, Its now working.
I will now write how I did it, for the next person bumping into this.

Moved the tun0 device to LAN
In opnsense added the subnet into remote network of the OpenVPN server.
In opensense added a client specific override for the client with the common name openwrt (not magic this was the CN in the client certificate) with remote network (without this opensense was routing to the right interface, but openvpn discarded it because it didn't knew to which tunnel to route it.
In my case I was still unable to ping the remote machines because of local firewall issues, but thats intended.