Hi, since 1 week I am trying to figure the the setup and I am still not able to ping / route my client subnet
This is my /etc/config/openvpn
The roadwarrior myvpnserver is working well on port 1200
config openvpn 'myvpnerver'
option enabled '1'
option dev 'tun'
option topology subnet
option proto 'tcp'
option log '/tmp/openvpn_myvpnserver.log'
option verb '3'
option ca '/etc/openvpn/ca_openwrt.crt'
option cert '/etc/openvpn/server.crt'
option key '/etc/openvpn/server.key'
option dh '/etc/openvpn/dh4096.pem'
option server '10.20.30.0 255.255.255.0'
option cipher 'AES-256-CBC'
option data-ciphers 'AES-256-CBC'
option data-ciphers-fallback 'AES-256-CBC'
option auth 'SHA512'
option tls_auth '/etc/openvpn/ta.key 0'
option tls_cipher 'TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA'
option port '1200'
option keepalive '10 120'
option tls_server '1'
option tls_version_min '1.2'
list push 'route 192.168.134.0 255.255.255.0'
#The site2site is not routing my local subnet 192.168.134.0/24
# Client site2site
config openvpn 'dasite2site'
option client '1'
option tls-client '1'
option enabled '1'
option dev 'tun'
#option topology subnet
option proto 'tcp-client'
option log '/tmp/openvpn_dasite2site.log'
option verb '3'
option ca '/etc/openvpn/OpenVPN+CA.crt'
option cert '/etc/openvpn/OpenVPN+Client.crt'
option key '/etc/openvpn/OpenVPN+Client.key'
option remote 'opnsense.public.com 1201'
option cipher 'AES-256-CBC'
option data-ciphers 'AES-256-CBC'
option data-ciphers-fallback 'AES-256-CBC'
option auth 'SHA256'
option tls_cipher 'TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA'
option keepalive '10 120'
option tls_client '1'
option remote-cert-tls server
option tls_version_min '1.2'
option auth-nocache '0'
root@OpenWrt:/etc/config#
The keys are exchanged and the tunnel is up
root@OpenWrt:/etc/config# cat /tmp/openvpn_dasite2site.log
2021-09-28 10:56:19 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
2021-09-28 10:56:19 OpenVPN 2.5.3 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
2021-09-28 10:56:19 library versions: OpenSSL 1.1.1l 24 Aug 2021, LZO 2.10
2021-09-28 10:56:19 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
2021-09-28 10:56:19 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2021-09-28 10:56:19 TCP/UDP: Preserving recently used remote address: [AF_INET]92.xx.xx.246:1201
2021-09-28 10:56:19 Socket Buffers: R=[131072->131072] S=[16384->16384]
2021-09-28 10:56:19 Attempting to establish TCP connection with [AF_INET]92.xx.xx.246:1201 [nonblock]
2021-09-28 10:56:19 TCP connection established with [AF_INET]92.xx.xx.246:1201
2021-09-28 10:56:19 TCP_CLIENT link local: (not bound)
2021-09-28 10:56:19 TCP_CLIENT link remote: [AF_INET]92.xx.xx.246:1201
2021-09-28 10:56:19 TLS: Initial packet from [AF_INET]92.xx.xx.246:1201, sid=cac71287 d874e094
2021-09-28 10:56:19 VERIFY OK: depth=1, C=DE, ST=DE, L=xxxxxxxxxxxxx, CN=internal-ca
2021-09-28 10:56:19 VERIFY OK: depth=0, C=DE, ST=DE, Lxxxxxxxxxxxxxx, CN=Server
2021-09-28 10:56:20 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
2021-09-28 10:56:20 [Server] Peer Connection Initiated with [AF_INET]92.xx.xx.246:1201
2021-09-28 10:56:20 PUSH: Received control message: 'PUSH_REPLY,route 10.1.10.0 255.255.255.0,route 10.1.1.0 255.255.255.0,route 10.77.77.0 255.255.255.0,route 10.20.40.1,topology net30,ping 10,ping-restart 60,ifconfig 10.20.40.6 10.20.40.5,peer-id 0,cipher AES-256-GCM'
2021-09-28 10:56:20 OPTIONS IMPORT: timers and/or timeouts modified
2021-09-28 10:56:20 OPTIONS IMPORT: --ifconfig/up options modified
2021-09-28 10:56:20 OPTIONS IMPORT: route options modified
2021-09-28 10:56:20 OPTIONS IMPORT: peer-id set
2021-09-28 10:56:20 OPTIONS IMPORT: adjusting link_mtu to 1626
2021-09-28 10:56:20 OPTIONS IMPORT: data channel crypto options modified
2021-09-28 10:56:20 Data Channel: using negotiated cipher 'AES-256-GCM'
2021-09-28 10:56:20 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2021-09-28 10:56:20 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2021-09-28 10:56:20 net_route_v4_best_gw query: dst 0.0.0.0
2021-09-28 10:56:20 net_route_v4_best_gw result: via 62.214.63.87 dev pppoe-wan
2021-09-28 10:56:20 TUN/TAP device tun1 opened
2021-09-28 10:56:20 net_iface_mtu_set: mtu 1500 for tun1
2021-09-28 10:56:20 net_iface_up: set tun1 up
2021-09-28 10:56:20 net_addr_ptp_v4_add: 10.20.40.6 peer 10.20.40.5 dev tun1
2021-09-28 10:56:20 /usr/libexec/openvpn-hotplug up dasite2site tun1 1500 1554 10.20.40.6 10.20.40.5 init
2021-09-28 10:56:20 net_route_v4_add: 10.1.10.0/24 via 10.20.40.5 dev [NULL] table 0 metric -1
2021-09-28 10:56:20 net_route_v4_add: 10.1.1.0/24 via 10.20.40.5 dev [NULL] table 0 metric -1
2021-09-28 10:56:20 net_route_v4_add: 10.77.77.0/24 via 10.20.40.5 dev [NULL] table 0 metric -1
2021-09-28 10:56:20 net_route_v4_add: 10.20.40.1/32 via 10.20.40.5 dev [NULL] table 0 metric -1
2021-09-28 10:56:20 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2021-09-28 10:56:20 Initialization Sequence Completed
And the routes are available
root@OpenWrt:/etc/config# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default dor1901aihr001. 0.0.0.0 UG 0 0 0 pppoe-wan
10.1.1.0 10.20.40.5 255.255.255.0 UG 0 0 0 tun1
10.1.10.0 10.20.40.5 255.255.255.0 UG 0 0 0 tun1
10.9.0.0 192.168.134.1 255.255.255.0 UG 0 0 0 br-lan
10.10.10.0 * 255.255.255.0 U 0 0 0 wg1
10.20.30.0 * 255.255.255.0 U 0 0 0 tun0
10.20.40.1 10.20.40.5 255.255.255.255 UGH 0 0 0 tun1
10.20.40.5 * 255.255.255.255 UH 0 0 0 tun1
10.77.77.0 10.20.40.5 255.255.255.0 UG 0 0 0 tun1
62.214.63.87 * 255.255.255.255 UH 0 0 0 pppoe-wan
172.31.0.0 * 255.255.255.0 U 0 0 0 wg0
192.168.134.0 * 255.255.255.0 U 0 0 0 br-lan
root@OpenWrt:/etc/config#
from my openwrt openvpn client I am able to ping the remote subnets from the Interface tun1, which is the right setup .. I think,.
root@OpenWrt:~# ping -I tun1 10.77.77.1
PING 10.77.77.1 (10.77.77.1): 56 data bytes
64 bytes from 10.77.77.1: seq=0 ttl=63 time=25.174 ms
64 bytes from 10.77.77.1: seq=1 ttl=63 time=23.907 ms
64 bytes from 10.77.77.1: seq=2 ttl=63 time=23.709 ms
^C
--- 10.77.77.1 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 23.709/24.263/25.174 ms
root@OpenWrt:~# ping -I tun0 10.77.77.1
PING 10.77.77.1 (10.77.77.1): 56 data bytes
^C
--- 10.77.77.1 ping statistics ---
4 packets transmitted, 0 packets received, 100% packet loss
root@OpenWrt:~# ping -I br-lan 10.77.77.1
PING 10.77.77.1 (10.77.77.1): 56 data bytes
^C
--- 10.77.77.1 ping statistics ---
7 packets transmitted, 0 packets received, 100% packet loss
root@OpenWrt:~# ping -I tun1 10.1.1.182
PING 10.1.1.182 (10.1.1.182): 56 data bytes
64 bytes from 10.1.1.182: seq=0 ttl=127 time=23.522 ms
64 bytes from 10.1.1.182: seq=1 ttl=127 time=22.716 ms
64 bytes from 10.1.1.182: seq=2 ttl=127 time=22.945 ms
^C
--- 10.1.1.182 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 22.716/23.061/23.522 ms
root@OpenWrt:~# ping -I tun1 10.77.77.1
PING 10.77.77.1 (10.77.77.1): 56 data bytes
64 bytes from 10.77.77.1: seq=0 ttl=63 time=24.183 ms
64 bytes from 10.77.77.1: seq=1 ttl=63 time=23.973 ms
^C
--- 10.77.77.1 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 23.973/24.078/24.183 ms
root@OpenWrt:~#
I have created the iroute to my local subnet in this file like described in the docu.
root@OpenWrt:/etc/openvpn/ccd# cat client
iroute 192.168.134.0 255.255.255.0
push-remove redirect-gateway
root@OpenWrt:/etc/openvpn/ccd#
My local subnet is 192.168.134.0/24.
root@OpenWrt:/etc/config# ifconfig
br-lan Link encap:Ethernet HWaddr E8:DF:70:62:1F:96
inet addr:192.168.134.230 Bcast:192.168.134.255 Mask:255.255.255.0
inet6 addr: fe80::eadf:70ff:fe62:1f96/64 Scope:Link
inet6 addr: 2001:16b8:a1f:d00::1/60 Scope:Global
inet6 addr: fd8e:3a0d:bc8b::1/60 Scope:Global
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2148050 errors:0 dropped:157663 overruns:0 frame:0
TX packets:1917699 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:486489495 (463.9 MiB) TX bytes:996332506 (950.1 MiB)
dsl0 Link encap:Ethernet HWaddr E8:DF:70:62:1F:9A
inet6 addr: fe80::eadf:70ff:fe62:1f9a/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1947007 errors:0 dropped:0 overruns:0 frame:0
TX packets:1889417 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1063989518 (1014.6 MiB) TX bytes:550409591 (524.9 MiB)
dsl0.7 Link encap:Ethernet HWaddr E8:DF:70:62:1F:9A
inet6 addr: fe80::eadf:70ff:fe62:1f9a/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:251676 errors:0 dropped:0 overruns:0 frame:0
TX packets:224069 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:110379787 (105.2 MiB) TX bytes:57506934 (54.8 MiB)
eth0 Link encap:Ethernet HWaddr E8:DF:70:62:1F:96
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2373794 errors:0 dropped:5397 overruns:0 frame:0
TX packets:1917707 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:549364691 (523.9 MiB) TX bytes:1007977596 (961.2 MiB)
ifb4pppoe-wan Link encap:Ethernet HWaddr DA:C7:5C:28:C1:4E
inet6 addr: fe80::d8c7:5cff:fe28:c14e/64 Scope:Link
UP BROADCAST RUNNING NOARP MTU:1500 Metric:1
RX packets:250760 errors:0 dropped:0 overruns:0 frame:0
TX packets:250760 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:32
RX bytes:108158791 (103.1 MiB) TX bytes:108158791 (103.1 MiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:13 errors:0 dropped:0 overruns:0 frame:0
TX packets:13 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1288 (1.2 KiB) TX bytes:1288 (1.2 KiB)
pppoe-wan Link encap:Point-to-Point Protocol
inet addr:87.122.217.140 P-t-P:62.214.63.87 Mask:255.255.255.255
inet6 addr: 2001:16b8:b01:1c3e:89af:9244:681e:234c/64 Scope:Global
inet6 addr: fe80::89af:9244:681e:234c/128 Scope:Link
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1492 Metric:1
RX packets:251108 errors:0 dropped:0 overruns:0 frame:0
TX packets:223494 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:108338563 (103.3 MiB) TX bytes:52572219 (50.1 MiB)
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.20.30.1 P-t-P:10.20.30.1 Mask:255.255.255.0
inet6 addr: fe80::d739:8c06:e0bf:cb50/64 Scope:Link
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:0 (0.0 B) TX bytes:640 (640.0 B)
tun1 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.20.40.6 P-t-P:10.20.40.5 Mask:255.255.255.255
inet6 addr: fe80::f037:7711:4f02:9bc8/64 Scope:Link
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:72 errors:0 dropped:0 overruns:0 frame:0
TX packets:644 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:6048 (5.9 KiB) TX bytes:35984 (35.1 KiB)
wg0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:172.31.0.2 P-t-P:172.31.0.2 Mask:255.255.255.0
UP POINTOPOINT RUNNING NOARP MTU:1420 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
wg1 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.10.10.1 P-t-P:10.10.10.1 Mask:255.255.255.0
UP POINTOPOINT RUNNING NOARP MTU:1420 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
wlan0 Link encap:Ethernet HWaddr E8:DF:70:62:1F:98
inet6 addr: fe80::eadf:70ff:fe62:1f98/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:100870 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:12986746 (12.3 MiB)
wlan0-1 Link encap:Ethernet HWaddr EA:DF:70:62:1F:98
inet6 addr: fe80::e8df:70ff:fe62:1f98/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:100869 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:12986658 (12.3 MiB)
root@OpenWrt:/etc/config#
When I use my 2 x windows boyes on 192.168.134.23 and 192.168.134.39 and try to ping the remote subnets, I get timeout.
Microsoft Windows [Version 10.0.19043.1237]
(c) Microsoft Corporation. Alle Rechte vorbehalten.
C:\Windows\system32>ping 10.1.1.182
Ping wird ausgeführt für 10.1.1.182 mit 32 Bytes Daten:
Antwort von 192.168.134.230: Zielport nicht erreichbar.
Antwort von 192.168.134.230: Zielport nicht erreichbar.
Antwort von 192.168.134.230: Zielport nicht erreichbar.
Antwort von 192.168.134.230: Zielport nicht erreichbar.
Ping-Statistik für 10.1.1.182:
Pakete: Gesendet = 4, Empfangen = 4, Verloren = 0
(0% Verlust),
What do I have forgotten ?
I am not really familar with tools like tcpdump or other tolls to figure out, why no pakets from local 192.168.134.0/24 are routed into my tun1 interface.
btw :
ip.forward is enabled.
root@OpenWrt:/etc/config# sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1
root@OpenWrt:/etc/config#