OpenVPN TAP configuration help [solved]

Hello guys.
I try to setup an OpenVPN server on a R7800, wich i buy only for this, after alot of reading and considering.
I manage to install OpenWRT 19.07.1, configure OpenVPN until the point i can connect as client from outside the network, but pinging any ip inside network fail, and internet isnt working offcourse.
I need bridging mode not routing, all the trafic of the client go trough VPN after it connect, and client must get an IP from local pool wich is
Can any kind soul walk me to the light ?

Maybe it's about firewall policy.

Try adding a dummy interface for the openvpn network interface, with protocol being none.

Then the easy way forward would be adding that newly added netifd interface to firewall zone lan. That way you will be allowed to communicate with other hosts in lan network, and forwarding to wan with MASQUERADE.

Or if more control is needed, just placing that netifd interface to its own firewall zone, then modifying firewall rules to suit your needs.

Im sure is a firewall or/and routing problem, i would love a step by step configuration of these two parts, because those are not easy to understand.
I dont need special control of the VPN, just to make it work the way i describe.
Thank you very much.
At the moment configuration is done all via LUCI : server_bridge, and push : redirect-gateway/dhcp-option/DNS DNSofmyprovider/route
In the firewall the only modification is accept on UDP port of OpenVPN.

Post /etc/config/network, and server config.

Assuming you have OpenVpn installed properly and have created a proper config, use the following script to add firewall rules. btw....This can be called directly when a tun interface gets created.


ROOTDIR="$( cd "$( dirname "$(readlink -f ${BASH_SOURCE[0]})" )" > /dev/null 2>&1 && pwd )"


	local cnt=0
	local bin=$1
	while [ $((${bin} & 0x80)) != 0 ]; do
		bin="$((${bin} << 1))"
		cnt=$((${cnt} + 1))
	echo ${cnt}

# Example: => 24
	local int=0
	local a b c d

	{ IFS=. read a b c d; } <<< $1

	int=$((${int} + $(count_bits ${a})))
	int=$((${int} + $(count_bits ${b})))
	int=$((${int} + $(count_bits ${c})))
	int=$((${int} + $(count_bits ${d})))

	echo ${int}

    local a b c d
    { IFS=. read a b c d; } <<< $1
    echo $(((((((a << 8) | b) << 8) | c) << 8) | d))

    local ui32=$1; shift
    local ip n
    for n in 1 2 3 4; do
        ip=$((ui32 & 0xff))${ip:+.}$ip
        ui32=$((ui32 >> 8))
    echo $ip

# Example: network 24 =>
    local addr=$(ip2int $1); shift
    local mask=$(ip2int $1); shift
    int2ip $((addr & mask))

iptables -t nat -I POSTROUTING 1 -s $(network ${ADDR} ${NM})/$(prefix ${NM}) -o ${BR} -j MASQUERADE
iptables -I INPUT 1 -i ${IFACE} -j ACCEPT
iptables -I FORWARD 1 -i ${BR} -o ${IFACE} -j ACCEPT
iptables -I FORWARD 1 -i ${IFACE} -o ${BR} -j ACCEPT
iptables -I INPUT 1 -i ${BR} -p udp --dport 1194 -j ACCEPT

It is tap, not tun. Firewall should be configured only for incoming connection.

Network :

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr ''
	option netmask ''

config globals 'globals'
	option ula_prefix 'fdf9:08d3:a178::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth1.1'
	option proto 'static'
	option netmask ''
	option ip6assign '60'
	option ipaddr ''

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'pppoe'
	option password 'xxxxxxxxxxxxx'
	option username 'xxxxxxxxxxxxx'
	option ipv6 '0'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'
	option reqprefix 'auto'
	option reqaddress 'try'
	option auto '0'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '5 0t'

config interface 'tap0'
	option proto 'none'
	option ifname 'eth1.1'
	option type 'bridge'

OpenVPN :

  config openvpn 'custom_config'
  option config '/etc/openvpn/my-vpn.conf'

config openvpn 'testtap'
	option dev 'tap'
	option verb '3'
	option port '4000'
	option keepalive '10 600'
	option client_to_client '1'
	option dev_type 'tap'
	option ca '/etc/openvpn/ca.crt'
	option dh '/etc/openvpn/dh2048.pem'
	option enabled '1'
	option cipher 'AES-128-CBC'
	option cert '/etc/openvpn/serverkey.crt'
	option key '/etc/openvpn/serverkey.key'
	option server_bridge ''
	list push 'redirect-gateway'
	list push 'dhcp-option DNS XXXXXXXXXXXXX'
	list push 'dhcp-option DNS XXXXXXXXXXXXX'
	list push 'route'

In firewall i have this rule :

config rule
	option name 'openvpn-udp'
	option src 'wan'
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '4000'

In OpenWRT-manual I see example:

config interface 'lan'
	option type 'bridge'
	option ifname 'wlan0 tap0'

Please, give output of
brctl show
We should check, whether interface tap0 in your configuration is member of bridge br-lan.

This is the output :

bridge name     bridge id               STP enabled     interfaces
br-lan          7fff.3894ed1579ce       no                    eth1.1
br-tap0         7fff.000000000000       no

I try to edit but this look somehow scattered, not as i paste it.
It look as "br-tap0" has no interface, and "br-lan" has eth1.1, wlan0, wlan1.
I try to present the output more correct :

bridge name -    bridge id  -     STP enabled ---- interfaces

You should include tap0 in br-lan, as it is shown in example.

I can do that using LUCI ?

Just as an aside, what are the client(s) that you expect to connect to your OpenVPN server in TAP mode?

I ask because TAP is not supported on iOS and Android, and possibly other platforms, so you may run into issues further down the line.

Clients are computers, win and linux, all are ok.
I upgrade to this router because the old one (a tplink 3600 with ddwrt, same tap configuration) cant keep up with the bandwith.

So only by adding the tap0 interface to the br-lan bridge i will get the VPN working as i want ?
I do the best i can in LUCI, now as the response to the command "brctl show" i have under br-lan all thise : eth1.1/wlan0/wlan1/tap0, and the br-tap0 has dissapeared.
Is this correct ?

Yes, now try to connect.

So i connect, still the same, no ping inside the network 192.168.100.x (i try on multiple clients/devices inside this network even .1 wich is suppose to be the gateway), no internet, exactly the way it was before i add the tap0 interface to the br-lan on the router.
I power cicle the router just in case, nothing change.
On the client (linux mint, from the wan side) tap0 status i see tap0, ip, broadcast adress, subnet mask, default route, wich seem all correct.

So now everything is working as i desire.
Seem first problem was iface tap0 being outside the lan bridge on the server side, and the second the security settings on the linux mint (client side) set as default, wich was wrong for my case, after i set manually aes128cbc and sha1 (wich mimic the server settings) the pachets flow happy back and forth, client internet is routed trough the server, all the devices inside server lan are visibile from the client side.
I try 3 times, when i set "default" security settings on the client side nothing flow, and when i set manually all is ok.
Isnt this settings suppose to be pushed by the server/keys/certificates into the client ?
You are awsome guys.

You should generate client cert, and key, and copy it to client. Of course most options should correspond with server ones.

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.