OpenVPN site to site no traffic incoming to VPN

Hi

This is my second attempt to use OpenWrt.
My first attempt was on VirtualBox with a bridged WAN, and the second is on a flashed TP-Link Archer A7 router; on both routers I am getting stuck on the same issue.

I am trying to set up an OpenVPN site-to-site VPN, with a remote OPNsense router as the UDP server and the local OpenWrt router as the client, using a shared key.

When I used a local OPNsense on VirtualBox the VPN worked, however throughput was terrible...

When I am using the local OpenWrt, internet works fine, LuCI shows OpenVPN is connected, and this is confirmed in the remote OPNsense as well.
The remote OPNsense connection status shows receiving and sending bytes, and the firewall logs all packets in green.
However on the local OpenWrt, under Interfaces, I see Tx bytes but no Rx bytes.
Here are some theories; however I do not know how to fix them:
Since the WAN network is in the 192.168 range, the firewall blocks the incoming traffic (OPNsense does this by default); how do I disable it in OpenWrt?
I need to add a firewall rule for input traffic from WAN to the box.

25: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1400 qdisc fq_codel state UNKNOWN qlen 500
    link/[65534] 
    inet 10.0.9.2 peer 10.0.9.1/32 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::52f6:3d35:bcc6:f007/64 scope link flags 800 
       valid_lft forever preferred_lft forever

The simplest way to set up site to site through the firewall in OpenWrt is to add the tun0 device to the lan firewall zone. Not a covered network, but a Device from the list on the Advanced page.

The other site (OpenVPN server) needs to be aware of the clients' remote LAN(s) and install routes to them. In OpenVPN this is done with a client config directory containing a file for each client and an iroute definition in each file. The client config process requires the use of PKI (certificate based) authentication so that clients can be uniquely identified as they connect.

Generally, when you are tasked to deploy both ends of a VPN, you should use WireGuard.
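The server-side routing described above, as an added example that is not from the thread or from any of the posters: a POSIX sh script that writes the `route` line for the server config and the `iroute` line for the client's ccd file, converting CIDR prefixes to the dotted netmasks OpenVPN expects. The client CN `openwrt`, the LAN `192.168.3.0/24` and the output paths are assumptions. Note that this ccd/iroute half applies to the certificate-authenticated case; with a static shared key there is only one peer, so a `route` directive on each side is enough.

```shell
#!/bin/sh
# Added example, not from the thread: generate the server-side OpenVPN pieces
# that make a certificate-authenticated client's LAN reachable. Every name and
# network below (CN "openwrt", LAN 192.168.3.0/24, output paths) is assumed.
#
# The server needs two directives for each remote LAN:
#   1. "route <net> <mask>" in server.conf, so the kernel sends packets for that
#      LAN into the tun device, and
#   2. "iroute <net> <mask>" in the client's ccd/<CN> file, so the OpenVPN
#      process knows which connected client owns that LAN.
# With only (1) the packet reaches the tun device and OpenVPN drops it, which
# is the "routes to the right interface but discarded" symptom.

cidr_to_mask() {  # 24 -> 255.255.255.0 (OpenVPN wants dotted masks, not /24)
  bits=$1
  [ "$bits" -ge 0 ] && [ "$bits" -le 32 ] || return 1
  mask=$(( bits == 0 ? 0 : (4294967295 << (32 - bits)) & 4294967295 ))
  printf '%d.%d.%d.%d\n' $(( (mask >> 24) & 255 )) $(( (mask >> 16) & 255 )) \
                         $(( (mask >> 8) & 255 ))  $(( mask & 255 ))
}

server_route_line() {  # 192.168.3.0/24 -> "route 192.168.3.0 255.255.255.0"
  mask=$(cidr_to_mask "${1#*/}") || return 1
  printf 'route %s %s\n' "${1%/*}" "$mask"
}

ccd_entry() {  # CN CIDR -> body of ccd/<CN>; "#" lines are OpenVPN comments
  mask=$(cidr_to_mask "${2#*/}") || return 1
  printf '# ccd/%s: LAN owned by this client\niroute %s %s\n' "$1" "${2%/*}" "$mask"
}

write_site_config() {  # OUTDIR CN CIDR -> appends to server.conf, writes ccd/<CN>
  mkdir -p "$1/ccd"
  {
    echo "client-config-dir $1/ccd"  # turn on per-client files
    server_route_line "$3"
  } >> "$1/server.conf"
  ccd_entry "$2" "$3" > "$1/ccd/$2"
}

# Demo run into a scratch directory (on a real server these live under
# /etc/openvpn). Assumed values: CN openwrt, client LAN 192.168.3.0/24.
TMP=${TMPDIR:-/tmp}/ovpn-s2s.$$
write_site_config "$TMP" openwrt 192.168.3.0/24
cat "$TMP/server.conf" "$TMP/ccd/openwrt"
rm -rf "$TMP"
```

The CN used for the ccd filename must match the client certificate's common name exactly; OpenVPN looks the file up by that string when the client connects, and a mismatch silently leaves the client without its `iroute`.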

I must be missing something fundamental, because I've now set up WireGuard and I have the same issue.
On the client, only Tx and no Rx.

Given I've tried in the same environment with OPNsense and it worked, while with OpenWrt, with both OpenVPN and wg, Rx is not working, it must be something fundamental. Where can I start looking for it?

Does wg show that handshakes have occurred? Can you ping the IP of the other end of the tunnel from the router CLI (or network test page)? Do you have allowed_ips set properly (these need to be set to the IP of the other LAN)? Does the OPNsense router have routes into the tunnel? On OpenWrt you should set route_allowed_ips to 1 or yes.

Check the clocks on both sides, they need to match.

I had a similar issue. wg show had no handshakes and 0 bytes received;
even though ntpd was running on OpenWrt, the clock was off. I set it to match the browser in LuCI and then it worked.

root@OpenWrt:~# wg show
interface: wireguard
  public key: OajtJ8mzrNnP/vAvXJeRsLNdHMpKCeYTU5MygHGbaAQ=
  private key: (hidden)
  listening port: 11950

peer: +zitNfC/JltFNKWSJVS13CklRwr7OZChXRl1TSsgu1I=
  endpoint: RRRRR
  allowed ips: 10.0.3.0/24, 10.1.96.0/24
  transfer: 0 B received, 27.61 KiB sent
  persistent keepalive: every 25 seconds

root@OpenWrt:~# ping 10.0.3.1
PING 10.0.3.1 (10.0.3.1): 56 data bytes
^C
--- 10.0.3.1 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss

root@OpenWrt:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.0.1     0.0.0.0         UG    0      0        0 wlan0
10.0.3.0        *               255.255.255.0   U     0      0        0 wireguard
10.0.9.1        *               255.255.255.255 UH    0      0        0 tun0
10.1.96.0       *               255.255.255.0   U     0      0        0 wireguard
144.202.12.119  192.168.0.1     255.255.255.255 UGH   0      0        0 wlan0
192.168.0.0     *               255.255.255.0   U     0      0        0 wlan0
192.168.3.0     *               255.255.255.0   U     0      0        0 br-lan

While going to check the wg show config on OPNsense I saw something was messed up there, so I started to uninstall, reboot, reinstall, whatever...

But I wonder, before I dig into WireGuard, isn't the fact that OpenVPN behaved the same a sign that I am missing something in OpenWrt?

The WireGuard connection has failed to establish since the peer is missing a handshake.


WireGuard in OPNsense is broken in the current version, and I do not want to use it.

Back to OpenVPN as in the title of the post.

I've exported a .ovpn file from OPNsense and imported it into OpenWrt, and everything works perfectly; however it's NATing, meaning I can only initiate or ping from the OpenWrt LAN to the OPNsense LAN, not both ways.

I've disabled the imported connection and re-enabled the OpenVPN site-to-site connection. I can confirm the tunnel is alive, routes on both sides, Rx and Tx on the OPNsense side, but only Tx on the OpenWrt side.

When I ping the other side of tunnel I do not get a response.

Does OPNsense have a route configured to send return traffic back through the VPN? Is OpenWrt masquerading down the tunnel? Is any other re-writing malarkey going on?


Change back to the imported configuration since that is close to working. NAT (masquerading) in OpenWrt is controlled by the firewall. If the outgoing device (tun0) is in a zone with masquerading enabled, packets will be source-NATed on their way out. In a default configuration the wan zone has masquerading enabled, but lan does not. So I suggest moving the VPN tunnel to lan.

If you're not masquerading, the server needs a route back to your LAN. This is part of the OpenVPN server, since the server uses a DHCP-like mechanism to assign tunnel IPs to the clients. As the client IPs vary, the underlying OS on the server cannot be configured with a constant static IP as the gateway to the remote LAN. Instead the route is installed dynamically by the OpenVPN process.
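The zone and masquerade check described above, as an added example that is not from the thread or any poster: a POSIX sh script that reads the text of `uci show firewall`, reports which zone a tunnel device is assigned to and whether that zone masquerades, and carries the `uci` commands that move the device into lan on a live router. The dump embedded below is constructed for the demo; the zone names, policies and the device name `tun0` are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: read the text of "uci show firewall",
# report which zone a tunnel device sits in and whether that zone masquerades,
# and (on a router) move the device into lan. The dump below is constructed
# for the demo; on OpenWrt pass "$(uci show firewall)" instead. Zone names,
# the device name tun0 and the policies shown are assumptions.

SAMPLE_UCI=$(cat <<'EOF'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[0].network='lan'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].network='wan' 'wan6'
firewall.@zone[1].device='tun0'
EOF
)
# Same constructed dump with tun0 moved to zone 0 (lan): what the fix produces.
FIXED_UCI=$(printf '%s\n' "$SAMPLE_UCI" | sed 's/^firewall\.@zone\[1]\.device=/firewall.@zone[0].device=/')

# zone_of_device DUMP DEV -> name of the zone whose device list contains DEV
# (empty if none). Accepts both "'a' 'b'" and "'a b'" list renderings.
zone_of_device() {
  printf '%s\n' "$1" | awk -v dev="$2" -v q="'" -F'=' '
    /^firewall\.@zone\[[0-9]+]\.name=/   { z=$1; sub(/\.name$/, "", z); v=$2; gsub(q, "", v); name[z]=v }
    /^firewall\.@zone\[[0-9]+]\.device=/ { z=$1; sub(/\.device$/, "", z); v=$2; gsub(q, "", v)
                                           n=split(v, p, " "); for (i=1; i<=n; i++) if (p[i]==dev) hit[z]=1 }
    END { for (z in hit) print name[z] }'
}

# zone_masq DUMP ZONE -> 1 if ZONE has masq='1', else 0.
zone_masq() {
  printf '%s\n' "$1" | awk -v want="$2" -v q="'" -F'=' '
    /^firewall\.@zone\[[0-9]+]\.name=/ { z=$1; sub(/\.name$/, "", z); v=$2; gsub(q, "", v); name[z]=v }
    /^firewall\.@zone\[[0-9]+]\.masq=/ { z=$1; sub(/\.masq$/, "", z); v=$2; gsub(q, "", v); masq[z]=v }
    END { r=0; for (z in name) if (name[z]==want && masq[z]=="1") r=1; print r }'
}

# diagnose DUMP DEV -> "ok" when DEV is in a zone that does not masquerade;
# otherwise one line saying why LAN-to-LAN traffic cannot work both ways.
diagnose() {
  z=$(zone_of_device "$1" "$2")
  if [ -z "$z" ]; then
    echo "$2 is in no zone: it falls under the defaults section (forward REJECT), nothing is forwarded"
    return 1
  fi
  if [ "$(zone_masq "$1" "$z")" = "1" ]; then
    echo "$2 is in zone '$z' with masq=1: LAN sources are rewritten to the tunnel IP and the zone's forward policy blocks the far LAN from initiating"
    return 1
  fi
  echo "ok"
}

# move_device_to_lan DEV: the fix from the thread, for a live router only.
# Removes DEV from every zone's device list, adds it to lan, reloads the firewall.
move_device_to_lan() {
  for z in $(uci show firewall | sed -n 's/^\(firewall\.@zone\[[0-9]*]\)\.name=.*/\1/p'); do
    uci -q del_list "$z.device=$1"
  done
  lan=$(uci show firewall | sed -n "s/^\(firewall\.@zone\[[0-9]*]\)\.name='lan'$/\1/p")
  uci add_list "$lan.device=$1" && uci commit firewall && /etc/init.d/firewall reload
}

diagnose "$SAMPLE_UCI" tun0 || true   # demo: the broken layout
diagnose "$FIXED_UCI" tun0            # demo: after the fix
```

Run `diagnose "$(uci show firewall)" tun0` on the router to check the live configuration; `move_device_to_lan tun0` is the same change as picking the device on the lan zone's Advanced tab in LuCI, and after it the tunnel traffic is subject to the lan zone's policies and no SNAT.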

I guess so; here are the routes from both sides.

x.x.x.x is my server IP, masked.

I noticed the message "ping: sendto: No buffer space available" on the ping 10.0.9.2 that was running on the OPNsense.

OPNsense

ping: sendto: No buffer space available
ping: sendto: No buffer space available
ping: sendto: No buffer space available
ping: sendto: No buffer space available
ping: sendto: No buffer space available
ping: sendto: No buffer space available
ping: sendto: No buffer space available

^C
--- 10.0.9.2 ping statistics ---
2229 packets transmitted, 0 packets received, 100.0% packet loss
root@ROUTER:~ # netstat -r
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            x.x.x.x       UGS      vtnet0
10.0.0.0/24        10.0.0.2           UGS      ovpns1
10.0.0.1           link#8             UHS         lo0
10.0.0.2           link#8             UH       ovpns1
10.0.8.0/24        10.0.8.2           UGS      ovpns3
10.0.8.1           link#7             UHS         lo0
10.0.8.2           link#7             UH       ovpns3
10.0.9.1           link#9             UHS         lo0
10.0.9.2           link#9             UH       ovpns4
10.1.96.0/24       link#2             U        vtnet1
ROUTER             link#2             UHS         lo0
localhost          link#4             UH          lo0
x.x.x.x    link#1             U        vtnet0
x.x.x.x.vul link#1             UHS         lo0
169.254.169.254    144.202.12.1       UGHS     vtnet0
192.168.0.0/24     10.0.0.2           UGS      ovpns1
192.168.3.0/24     10.0.9.2           UGS      ovpns4

OpenWrt

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.0.1     0.0.0.0         UG    0      0        0 wlan0
10.0.3.0        *               255.255.255.0   U     0      0        0 wireguard
10.0.9.1        *               255.255.255.255 UH    0      0        0 tun0
x.x.x.x 192.168.0.1     255.255.255.255 UGH   0      0        0 wlan0
192.168.0.0     *               255.255.255.0   U     0      0        0 wlan0
192.168.3.0     *               255.255.255.0   U     0      0        0 br-lan

Hi

Thanks for your input, it's now working.
I will now write down how I did it, for the next person bumping into this.

Moved the tun0 device to LAN.
In OPNsense, added the 192.168.3.1/24 subnet to the remote network of the OpenVPN server.
In OPNsense, added a client-specific override for the client with the common name openwrt (not magic, this was the CN in the client certificate) with remote network 192.168.3.0/24 (without this OPNsense was routing to the right interface, but OpenVPN discarded it because it didn't know to which tunnel to route it).
In my case I was still unable to ping the remote machines because of local firewall issues, but that's intended.