OpenWrt 18.06.2 & OpenVPN & VPN Unlimited

MaxedOut · May 13, 2019, 6:11am

Hello Guys/Gals,

I have been trying to configure the WRT32X that I have to run my VPN full time. I have managed to configure the router to use my tethered phone as a connection, but the VPN doesn't seem to go through. I need the VPN full time because I will be using a WISP you shouldn't trust anyone

I have tried to follow the guide that VPN Unlimited has, but it is for an older version of OpenWrt (15.05.1) and from what I can tell there have been enough changes that this doesn't work. I am usually pretty good at following instructions, but this one is eluding me.

Any help would be greatly appreciated.

Thanks.

Contents of OpenVPN file provided by VPN Unlimited

client
dev tun
reneg-sec 0
persist-tun
persist-key
ping 5
ping-exit 30
nobind
comp-lzo no
remote-random
remote-cert-tls server
auth-nocache
route-metric 1
cipher AES-256-CBC
auth SHA512
<ca>
-----BEGIN CERTIFICATE-----
a key was here
-----END CERTIFICATE-----
</ca>
<cert>

-----BEGIN CERTIFICATE-----
a key was here
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
a key was here
-----END PRIVATE KEY-----

</key>
remote us-sf.vpnunlimitedapp.com
proto udp

Contents of /etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fda3:f0d7:b9e8::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option ifname 'eth1.2'
        option proto 'dhcp'
        option peerdns '0'
        option dns '1.1.1.1 8.8.8.8 8.8.4.4'

config interface 'wan6'
        option ifname 'eth1.2'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'
        option peerdns '0'
        option dns '2606:4700:4700::1111'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 3 5t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '4 6t'

config interface 'Tether'
        option proto 'dhcp'
        option ifname 'usb0'

config interface 'VPN'
        option proto 'none'
        option ifname 'tun0'
        option auto '1'
        option delegate '0'

Contents of /etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option network 'lan'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        option output 'ACCEPT'
        option forward 'REJECT'
        option network 'wan wan6 Tether'
        option device 'tun0'
        option input 'REJECT'
        option masq '1'
        option mtu_fix '1'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'


config zone
        option name 'VPN'
        option forward 'REJECT'
        option output 'ACCEPT'
        option network 'VPN'
        option input 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option dest 'VPN'
        option src 'lan'

config forwarding
        option dest 'wan'
        option src 'lan'

Contents of /etc/config/openvpn

config openvpn 'VPN_Unlimited'
        option nobind '1'
        option port '1194'
        option dev_type 'tun'
        option keepalive '5 30'
        option persist_tun '1'
        option persist_key '1'
        option client '1'
        list remote 'us-sf.vpnunlimitedapp.com'
        option proto 'udp'
        option ca '/etc/luci-uploads/cbid.openvpn.VPN_Unlimited.ca'
        option cert '/etc/luci-uploads/cbid.openvpn.VPN_Unlimited.cert'
        option key '/etc/luci-uploads/cbid.openvpn.VPN_Unlimited.key'
        option auth 'SHA512'
        option cipher 'AES-256-CBC'
        option verb '9'
        option enabled '1'
        option remote_cert_tls 'server'
        option tls_cipher 'TLS-RSA-WITH-AES-256-CBC-SHA'
        option dev 'tun'

Contents of syslog

Mon May 13 07:29:20 2019 daemon.notice openvpn(VPN_Unlimited)[21222]: OpenVPN 2.4.5 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Mon May 13 07:29:20 2019 daemon.notice openvpn(VPN_Unlimited)[21222]: library versions: OpenSSL 1.0.2r  26 Feb 2019, LZO 2.10
Mon May 13 07:29:20 2019 daemon.notice openvpn(VPN_Unlimited)[21222]: Control Channel MTU parms [ L:1621 D:1212 EF:38 EB:0 ET:0 EL:3 ]
Mon May 13 07:29:20 2019 daemon.notice openvpn(VPN_Unlimited)[21222]: Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
Mon May 13 07:29:20 2019 daemon.notice openvpn(VPN_Unlimited)[21222]: crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 100 bytes
Mon May 13 07:29:20 2019 daemon.notice openvpn(VPN_Unlimited)[21222]: calc_options_string_link_mtu: link-mtu 1621 -> 1601
Mon May 13 07:29:20 2019 daemon.notice openvpn(VPN_Unlimited)[21222]: crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 100 bytes
Mon May 13 07:29:20 2019 daemon.notice openvpn(VPN_Unlimited)[21222]: calc_options_string_link_mtu: link-mtu 1621 -> 1601
Mon May 13 07:29:20 2019 daemon.notice openvpn(VPN_Unlimited)[21222]: Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1601,tun-mtu 1500,proto UDPv4,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-client'
Mon May 13 07:29:20 2019 daemon.notice openvpn(VPN_Unlimited)[21222]: Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1601,tun-mtu 1500,proto UDPv4,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-server'
Mon May 13 07:29:20 2019 daemon.notice openvpn(VPN_Unlimited)[21222]: TCP/UDP: Preserving recently used remote address: [AF_INET]209.58.135.120:1194
Mon May 13 07:29:20 2019 daemon.notice openvpn(VPN_Unlimited)[21222]: Socket Buffers: R=[163840->163840] S=[163840->163840]
Mon May 13 07:29:20 2019 daemon.notice openvpn(VPN_Unlimited)[21222]: UDP link local: (not bound)
Mon May 13 07:29:20 2019 daemon.notice openvpn(VPN_Unlimited)[21222]: UDP link remote: [AF_INET]209.58.135.120:1194
Mon May 13 07:29:20 2019 daemon.notice openvpn(VPN_Unlimited)[21222]:  event_wait returned 1
Mon May 13 07:29:20 2019 daemon.notice openvpn(VPN_Unlimited)[21222]: UDP WRITE [14] to [AF_INET]209.58.135.120:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 sid=b984d486 b9e07629 [ ] pid=0 DATA
Mon May 13 07:29:20 2019 daemon.notice openvpn(VPN_Unlimited)[21222]: UDP write returned 14
Mon May 13 07:29:20 2019 daemon.notice openvpn(VPN_Unlimited)[21222]:  event_wait returned 1
Mon May 13 07:29:20 2019 daemon.notice openvpn(VPN_Unlimited)[21222]: UDP read returned 26
Mon May 13 07:29:20 2019 daemon.notice openvpn(VPN_Unlimited)[21222]: UDP READ [26] from [AF_INET]209.58.135.120:1194: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 sid=9a93a2f6 b4e65fcf [ 0 sid=b984d486 b9e07629 ] pid=0 DATA
Mon May 13 07:29:20 2019 daemon.notice openvpn(VPN_Unlimited)[21222]: TLS: Initial packet from [AF_INET]209.58.135.120:1194, sid=9a93a2f6 b4e65fcf
Mon May 13 07:29:20 2019 daemon.notice openvpn(VPN_Unlimited)[21222]:  event_wait returned 1
Mon May 13 07:29:20 2019 daemon.notice openvpn(VPN_Unlimited)[21222]: UDP WRITE [22] to [AF_INET]209.58.135.120:1194: P_ACK_V1 kid=0 sid=b984d486 b9e07629 [ 0 sid=9a93a2f6 b4e65fcf ]
Mon May 13 07:29:20 2019 daemon.notice openvpn(VPN_Unlimited)[21222]: UDP write returned 22
Mon May 13 07:29:20 2019 daemon.notice openvpn(VPN_Unlimited)[21222]:  event_wait returned 1
Mon May 13 07:29:20 2019 daemon.notice openvpn(VPN_Unlimited)[21222]: UDP WRITE [104] to [AF_INET]209.58.135.120:1194: P_CONTROL_V1 kid=0 sid=b984d486 b9e07629 [ ] pid=1 DATA 16030100 55010000 5103034c 62dc1259 bbcf274d 04e4ace9 0dc5ad8a 77c95b8[more...]
Mon May 13 07:29:20 2019 daemon.notice openvpn(VPN_Unlimited)[21222]: UDP write returned 104
Mon May 13 07:29:22 2019 daemon.notice openvpn(VPN_Unlimited)[21222]:  event_wait returned 0
Mon May 13 07:29:22 2019 daemon.notice openvpn(VPN_Unlimited)[21222]:  event_wait returned 1
Mon May 13 07:29:22 2019 daemon.notice openvpn(VPN_Unlimited)[21222]: UDP WRITE [104] to [AF_INET]209.58.135.120:1194: P_CONTROL_V1 kid=0 sid=b984d486 b9e07629 [ ] pid=1 DATA 16030100 55010000 5103034c 62dc1259 bbcf274d 04e4ace9 0dc5ad8a 77c95b8[more...]
Mon May 13 07:29:22 2019 daemon.notice openvpn(VPN_Unlimited)[21222]: UDP write returned 104
Mon May 13 07:29:23 2019 daemon.notice openvpn(VPN_Unlimited)[21222]:  event_wait returned 0

trendy · May 13, 2019, 12:08pm

I don't see any forwarding rule from lan to wan in the firewall configuration.

MaxedOut · May 13, 2019, 4:58pm

here it is, thanks for looking

root@OpenWrt:/dev/net# uci show firewall
firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].network='lan'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].network='wan wan6 Tether'
firewall.@zone[1].device='tun0'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.@zone[2]=zone
firewall.@zone[2].name='VPN'
firewall.@zone[2].forward='REJECT'
firewall.@zone[2].output='ACCEPT'
firewall.@zone[2].network='VPN'
firewall.@zone[2].input='REJECT'
firewall.@zone[2].masq='1'
firewall.@zone[2].mtu_fix='1'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].dest='VPN'
firewall.@forwarding[0].src='lan'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].dest='wan'
firewall.@forwarding[1].src='lan'

MaxedOut · May 13, 2019, 5:05pm

There was an incomplete copy paste on my part, too many hours working on this, I have updated the firewall section and also added a reply that contains the output of uci show firewall

thanks for looking.

trendy · May 14, 2019, 9:28am

You have assigned the tun0 in 2 zones in the firewall. You can delete the VPN zone and keep the WAN only, which includes the tun0 interface.

If the problem persists post the following:
ip -4 addr ; ip -4 ro ; ip -4 ru

MaxedOut · May 21, 2019, 4:55am

Hey there Trendy, I have been busy, but I finally got around to trying your suggestion but it unfortunately didn't seem to work. I must have misunderstood.

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
15: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP ql                                                               en 1000
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
17: eth1.2@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state                                                                UP qlen 1000
    inet 192.168.10.48/24 brd 192.168.10.255 scope global eth1.2
       valid_lft forever preferred_lft forever
22: usb0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOW                                                               N qlen 1000
    inet 192.168.42.145/24 brd 192.168.42.255 scope global usb0
       valid_lft forever preferred_lft forever
default via 192.168.42.129 dev usb0  src 192.168.42.145
192.168.1.0/24 dev br-lan scope link  src 192.168.1.1
192.168.10.0/24 dev eth1.2 scope link  src 192.168.10.48
192.168.42.0/24 dev usb0 scope link  src 192.168.42.145
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default

Contents of /etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option network 'lan'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        option output 'ACCEPT'
        option forward 'REJECT'
        option network 'wan wan6 Tether'
        option device 'tun0'
        option input 'REJECT'
        option masq '1'
        option mtu_fix '1'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config forwarding
        option dest 'wan'
        option src 'lan'

vgaetera · May 21, 2019, 7:41am

Either your configuration is incorrect, or your ISP performs content filtering.
Compare your configuration with the reference:
https://www.vpnunlimitedapp.com/en/info/manuals/how-to-manually-create-vpn-conf

ulmwind · May 21, 2019, 1:04pm

Yes, initially you should create standard configuration file, run it from Linux command line, after success run it from command line of router. The string "Initialization Sequence Completed" should appear in both cases.