franz
April 13, 2019, 12:43pm
1
Hello all,
I'm new to OpenWrt.
I set up an OpenVPN connection with OpenWrt 18.06.1 on a GL-USB150.
192.168.9.0/24 - [openwrt tap 10.3.0.42/255.255.255.252] - internet - [10.3.0.41 openvpn-server] - [openvpn client 10.3.0.26]
I try to connect from 192.168.9.0/24 to the IP of the OpenVPN client, 10.3.0.26.
If I delete all firewall rules, it works. With the firewall enabled, traffic is blocked.
I tried to read and understand the OpenWrt firewall (fw3), but there are a crazy number of rules. I have never used fw3.
Maybe someone can help me enable the OpenVPN traffic from my local network to the other VPN host?
How and where do I set up the firewall?
Thank you
Franz
I'd highly recommend using TUN, not TAP -- TAP is not supported on iOS and Android, has much more overhead (less efficient) and can introduce odd issues like the one you're experiencing. Try that first (a few changes to other parts of your config will be necessary).
But in general, beyond that, nobody can help you without a lot more info...
Post your config files:
/etc/config/network
/etc/config/firewall
/etc/config/openvpn (server side, may be located elsewhere depending on how you did your config)
We also need your client config file.
franz
April 13, 2019, 2:55pm
3
Here are my config files (without the OpenVPN server; I have no access there right now).
[/etc/config/network]
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd61:5abd:8c83::/48'
config interface 'lan'
option ifname 'eth0'
option force_link '1'
option type 'bridge'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option hostname 'GL-USB150-d52'
option ipaddr '192.168.9.1'
config interface 'wwan'
option proto 'dhcp'
option metric '20'
[/etc/config/firewall]
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'wan wan6 wwan'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fe80::/10'
option src_port '547'
option dest_ip 'fe80::/10'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
option reload '1'
config rule
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include 'shadowsocks'
option type 'script'
option path '/var/etc/shadowsocks.include'
option reload '1'
config rule 'glservice_rule'
option name 'glservice'
option dest_port '83'
option proto 'tcp udp'
option src 'wan'
option target 'ACCEPT'
option enabled '0'
[openvpn client config]
remote serverip
dev tap
ifconfig 10.3.0.42 255.255.255.252
tls-client
ca keys/ca.crt
cert keys/microrouter.crt
key keys/microrouter.key
port 5009
mssfix 1200
keepalive 10 60
route 10.49.1.0 255.255.255.0
route-gateway 10.3.0.41
route 10.3.0.0 255.255.255.252
route-gateway 10.3.0.41
route 10.3.0.4 255.255.255.252
route-gateway 10.3.0.41
route 10.3.0.8 255.255.255.252
route-gateway 10.3.0.41
route 10.3.0.16 255.255.255.252
route-gateway 10.3.0.41
route 10.3.0.24 255.255.255.252
route-gateway 10.3.0.41
route 10.3.0.28 255.255.255.252
route-gateway 10.3.0.41
route 10.3.0.32 255.255.255.252
route-gateway 10.3.0.41
route 10.3.0.36 255.255.255.252
route-gateway 10.3.0.41
franz
April 13, 2019, 3:06pm
4
I cannot change the setup of the OpenVPN connection at the moment
(from TAP to TUN).
Maybe it will be an option in the future.
Is it possible to fix my problem with my actual setup?
Please place data and output in code boxes by using the </> icon.
franz
April 13, 2019, 3:08pm
6
"Please place data and output in code boxes by using the </> icon."
I don't understand what that means.
Looking at your config, I personally have no idea how to fix it. Except, that is, to change it to TUN.
I am not familiar with TAP on OpenVPN, but it seems odd the way you have it all configured (does ifconfig actually work with OpenVPN/TAP?, and shouldn't the network be defined as a /24?). If you define the network as a /24, I don't think you'll need all the route directives for your 10.3.0.0/24 network -- anything on the same subnet should not need a gateway.
uci set firewall.@zone[0].device="tap+"
uci commit firewall
service firewall restart
But I agree with @psherman , you'd better use TUN, unless there's no other option.
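The posted configs show why lan-to-VPN traffic was dropped: no zone claimed the tap device, so fw3 applied the 'config defaults' policy (forward REJECT), and the uci command above attaches the tap+ device to the lan zone. As an added example that is not part of the thread, the POSIX shell script below parses a UCI-style firewall config and reports which zone, if any, covers a given device, so the same check can be run before and after such a change. The sample config it embeds is constructed to mirror the posted zones; the script assumes standard UCI syntax (config/option/list lines) and fw3's prefix-wildcard meaning for a trailing '+'.

```shell
#!/bin/sh
# Added example, not code from the thread: report which fw3 zone (if any)
# covers a network device by parsing a UCI-style /etc/config/firewall.
# An interface that no zone claims falls under the 'config defaults' policy,
# which in the posted config is 'forward REJECT'.
# Assumptions: standard UCI syntax, and fw3's rule that a device pattern
# ending in '+' is a prefix wildcard (tap+ matches tap0).

# zone_for_device DEVICE < firewall-config
# Prints the zone name(s) whose device entries match DEVICE; exit 1 if none.
zone_for_device() {
    awk -v dev="$1" '
        function unq(s) { gsub(/^['\''"]|['\''"]$/, "", s); return s }
        function matches(pat, d) {
            if (pat == d) return 1
            if (pat ~ /\+$/ && index(d, substr(pat, 1, length(pat) - 1)) == 1) return 1
            return 0
        }
        # a zone is evaluated once all its lines have been seen, so the
        # order of name/device options inside the section does not matter
        function flush() {
            if (inzone && hit) { print name; found = 1 }
            inzone = 0; hit = 0; name = ""
        }
        $1 == "config" { flush(); if ($2 == "zone") inzone = 1; next }
        inzone && $1 == "option" && $2 == "name" { name = unq($3); next }
        inzone && ($1 == "option" || $1 == "list") && $2 == "device" {
            val = $3
            for (i = 4; i <= NF; i++) val = val " " $i   # join a multi-word value such as: option device "a b"
            n = split(unq(val), pats, " ")
            for (i = 1; i <= n; i++) if (matches(pats[i], dev)) hit = 1
            next
        }
        END { flush(); exit(found ? 0 : 1) }
    '
}

# Constructed sample mirroring the thread's zones. "$1" is an optional device
# pattern added to the lan zone, i.e. the effect of:
#   uci set firewall.@zone[0].device="tap+"
sample_config() {
    printf "config defaults\n\toption forward 'REJECT'\n\n"
    printf "config zone\n\toption name 'lan'\n\tlist network 'lan'\n\toption forward 'ACCEPT'\n"
    if [ -n "$1" ]; then printf "\toption device '%s'\n" "$1"; fi
    printf "\nconfig zone\n\toption name 'wan'\n\toption network 'wan wan6 wwan'\n\toption forward 'REJECT'\n"
}

# zone_or_none DEVICE [LAN_DEVICE_PATTERN]: prints "lan", "wan" or "none"
zone_or_none() {
    z=$(sample_config "$2" | zone_for_device "$1" || true)
    [ -n "$z" ] && echo "$z" || echo none
}

# Stand-alone run: before the fix tap0 is unzoned, afterwards it belongs to
# lan, and the tap+ wildcard does not capture an unrelated tun0.
for dev in tap0 tun0; do
    echo "before: $dev -> $(zone_or_none "$dev")"
    echo "after:  $dev -> $(zone_or_none "$dev" 'tap+')"
done
```

On a router the check would read the live file (`zone_for_device tap0 < /etc/config/firewall`). A tighter alternative to merging the tap device into lan is a dedicated zone for the VPN interface with an explicit `config forwarding` from lan to it, so that hosts reached over the tunnel do not inherit lan's input and forward privileges on the router; the same check then reports that zone instead of lan.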
franz
April 13, 2019, 4:08pm
9
Thanks a lot, it works.
One more question:
I cannot use "service"; I used the script /etc/init.d/firewall instead.
How do I install "service"?
Question:
What documentation should I read so that I can understand what you did?
Do you have a link, maybe?
Upgrade to the latest stable OpenWrt release and restore the factory profile:
cp -f -a /rom/etc/profile /etc
Otherwise add to your profile:
[ -e /tmp/.failsafe ] && export FAILSAFE=1
[ -f /etc/banner ] && cat /etc/banner
[ -n "$FAILSAFE" ] && cat /etc/banner.failsafe
grep -Fsq '/ overlay ro,' /proc/mounts && {
echo 'Your JFFS2-partition seems full and overlayfs is mounted read-only.'
echo 'Please try to remove files from /overlay/upper/... and reboot!'
}
export PATH="%PATH%"
export HOME=$(grep -e "^${USER:-root}:" /etc/passwd | cut -d ":" -f 6)
export HOME=${HOME:-/root}
export PS1='\u@\h:\w\$ '
export ENV=/etc/shinit
case "$TERM" in
xterm*|rxvt*)
export PS1='\[\e]0;\u@\h: \w\a\]'$PS1
;;
franz
April 13, 2019, 4:34pm
11
@vgaetera
Thanks a lot for the help.
I have one last problem on this topic:
it works only if I log in to the router after boot
and type:
/etc/init.d/openvpn restart
Is it possible to fix it?
service openvpn enable
reboot
logread -e openvpn
Does the log right after reboot contain any errors?
franz
April 13, 2019, 5:05pm
13
No errors (no logfile).
I tried to enable OpenVPN with
/etc/init.d/openvpn enable
It worked after one reboot,
but after another reboot it did not work anymore....
(I still have no "service")...
grep -e "^service" /etc/profile
source /etc/profile
What does it say?
/etc/rc.local
logger -t devcheck "$(ifconfig -a | grep tap)"
# Quote the delimiter ('EOF') so the command substitutions and $loopcount are
# evaluated when /tmp/waitforwan runs, not when this heredoc is written.
# Note: jq is not part of the default OpenWrt image; the stock jsonfilter
# (jsonfilter -e '@.up') can replace it. Use the interface that actually
# carries the uplink (the posted /etc/config/network names it 'wwan').
cat <<'EOF' > /tmp/waitforwan
#!/bin/sh
loopcount=0
# wait up to 20 x 2 s for the wan interface to come up, then restart openvpn
while ! [ "$(ubus call network.interface.wan status | jq '.up')" = "true" ]; do
    logger -t devcheck "$(ifconfig -a | grep tap)"
    if [ "$loopcount" -eq 20 ]; then break; fi
    sleep 2
    loopcount=$((loopcount + 1))
done
/etc/init.d/openvpn restart
EOF
chmod +x /tmp/waitforwan
/tmp/waitforwan &
franz
April 13, 2019, 5:21pm
16
  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__| |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt 18.06.1, r7258-5eb055306f
 -----------------------------------------------------
On OpenWrt, the OpenVPN service should restart on failure.
So it makes me believe that something is wrong here.
A similar thread:
After MANY trials and errors... I think I have found the problem. There are 2 reasons I can think of, and you guys can maybe tell me what the real reason is.
1st: When enabling the openvpn service (service openvpn enable) the symlink was showing in /etc/rc.d as S90openvpn. In this folder, there were 2 other services starting with S90, S90startvpn and S90vpn-service. I disabled them both and now S90openvpn is still present after a reboot (it was disappearing before).
2nd: The startvpn service was competing…
cp -f -a /rom/etc/profile /etc
grep -e "^service" /rom/etc/profile /etc/profile
source /etc/profile &>/dev/null
ubus call system board
franz
April 13, 2019, 5:26pm
19
I made a quick and dirty test:
I put into /etc/rc.local:
/etc/init.d/openvpn restart &
Now it's working....
but it's not a good config;
something is still wrong.
franz
April 13, 2019, 5:29pm
20
vgaetera:
ubus call system board
{
"kernel": "4.9.120",
"hostname": "GL-USB150",
"system": "Atheros AR9330 rev 1",
"model": "GL.iNet GL-USB150",
"board_name": "gl-usb150",
"release": {
"distribution": "OpenWrt",
"version": "18.06.1",
"revision": "r7258-5eb055306f",
"target": "ar71xx\/generic",
"description": "OpenWrt 18.06.1 r7258-5eb055306f"
}
}
Now I have "service".
I ran service openvpn enable
(and removed it from rc.local).
After the 2nd reboot it doesn't work.
My quick and dirty "solution"
in rc.local works every time.
Strange...
Edit:
Maybe I'll leave it like that. It works now after every reboot without any problems.
Thanks a lot to everybody for the help.
OpenWrt is a great project and I won't use anything else in the future.