OpenWrt blocks my openvpn traffic

uci set firewall.@zone[0].device="tap+"
uci commit firewall
service firewall restart

But I agree with @psherman, you'd better use TUN, unless there's no other option.

thx a lot, it works :)

More questions:
I can't use "service"; I used the script in /etc/init.d/firewall instead.
How do I install "service"?

  1. question:
    What documentation should I read so I can understand what you did?
    Do you have a link, maybe?

Upgrade to the latest stable OpenWrt release and restore the factory profile:

cp -f -a /rom/etc/profile /etc

Otherwise add to your profile:

@vgaetera
thx a lot for help

I have one last problem on this topic:
it only works if I log in to the router after boot
and type:
/etc/init.d/openvpn restart

Is it possible to fix it?

service openvpn enable
reboot
logread -e openvpn

Does the log right after reboot contain any errors?

no errors (no log file)

I tried to enable openvpn with
/etc/init.d/openvpn enable

it worked after one reboot,
but after another reboot not anymore....
(I still have no "service")...

grep -e "^service" /etc/profile
source /etc/profile

What does it say?

/etc/rc.local

logger -t devcheck "$(ifconfig -a | grep tap)"
# Quote the delimiter ('EOF') so that $loopcount and the command substitutions
# are written into /tmp/waitforwan literally instead of being expanded once,
# here, while rc.local is running.
cat <<'EOF' > /tmp/waitforwan
loopcount=0
# Poll netifd until the wan interface reports up, for at most 20 x 2 s.
# (jsonfilter -e '@.up' is the OpenWrt built-in alternative to jq here.)
while [ "$(ubus call network.interface.wan status | jq '.up')" != "true" ]; do
    logger -t devcheck "$(ifconfig -a | grep tap)"
    if [ "$loopcount" -eq 20 ]; then break; fi
    sleep 2
    loopcount=$((loopcount + 1))
done
/etc/init.d/openvpn restart
EOF

chmod +x /tmp/waitforwan

/tmp/waitforwan &
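An added example (not the thread's code, and not part of OpenWrt's openvpn package): instead of polling from rc.local, let netifd signal when wan is up. OpenWrt runs every script in /etc/hotplug.d/iface/ on interface events and exports ACTION (ifup, ifdown, ...) and INTERFACE (the logical name from /etc/config/network, e.g. wan) to them. The restart is routed through a small function so the decision logic can be exercised on a machine without OpenVPN; the file name 99-openvpn-wan is my choice.

```shell
#!/bin/sh
# /etc/hotplug.d/iface/99-openvpn-wan  (file name chosen for this example)
# netifd runs this on every interface event with ACTION and INTERFACE set.

# Logical interface whose ifup should (re)start the tunnel.
WATCH_IFACE="${WATCH_IFACE:-wan}"

# restart_needed ACTION INTERFACE
# Returns 0 only for an ifup of the watched interface, so flapping of other
# interfaces (lan, wwan, guest) never bounces the tunnel.
restart_needed() {
    [ "$1" = "ifup" ] && [ "$2" = "$WATCH_IFACE" ]
}

# Kept as a separate function so it can be replaced when exercising this
# logic on a host that has no /etc/init.d/openvpn.
restart_openvpn() {
    /etc/init.d/openvpn restart
}

# handle_event ACTION INTERFACE
# Returns 0 if a restart was triggered, 1 otherwise.
handle_event() {
    if restart_needed "$1" "$2"; then
        logger -t openvpn-hotplug "$2 came up, restarting openvpn" 2>/dev/null || :
        restart_openvpn
        return 0
    fi
    return 1
}

# Under hotplug both variables are set; when sourced for testing they are not.
if [ -n "$ACTION" ]; then
    handle_event "$ACTION" "$INTERFACE" || :
fi
```

To simulate an event by hand on the router: `ACTION=ifup INTERFACE=wan sh /etc/hotplug.d/iface/99-openvpn-wan`, then check `logread -e openvpn`.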

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt 18.06.1, r7258-5eb055306f
 -----------------------------------------------------

On OpenWrt the OpenVPN service should restart on failure.
So that makes me believe something is wrong here.

A similar thread:

cp -f -a /rom/etc/profile /etc
grep -e "^service" /rom/etc/profile /etc/profile
source /etc/profile &>/dev/null
ubus call system board

I made a quick and dirty test:

I put this in /etc/rc.local:

/etc/init.d/openvpn restart &

now it's working....
but it's not a good config;
something is still wrong

{
        "kernel": "4.9.120",
        "hostname": "GL-USB150",
        "system": "Atheros AR9330 rev 1",
        "model": "GL.iNet GL-USB150",
        "board_name": "gl-usb150",
        "release": {
                "distribution": "OpenWrt",
                "version": "18.06.1",
                "revision": "r7258-5eb055306f",
                "target": "ar71xx\/generic",
                "description": "OpenWrt 18.06.1 r7258-5eb055306f"
        }
}

now I have "service"

1. I ran service openvpn enable
   (removed it from rc.local)
2. reboot, and it doesn't work.

my quick and dirty "solution"
rc.local works every time

strange...

edit:
maybe I'll leave it like that. It works now after every reboot without any problems.
thx a lot to everybody for the help
openwrt is a great project and I won't use anything else anymore in the future :)


Hello people,
I have the same problem again.
Similar router, GL-AR150-Ext-2, OpenWrt 18.06.1.

config files:

openvpn:

remote remoteip
dev tap
ifconfig 10.4.0.6 255.255.255.252
tls-client
ca keyhit/ca.crt
cert keyhit/mike.crt
key keyhit/mike.key
port 5001
mssfix 1200
keepalive 10 60

route 192.168.2.0 255.255.255.0
route-gateway 10.4.0.5

/etc/config/network:

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd19:5adb:f910::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option hostname 'GL-AR150-bd0'
        option macaddr 'e4:95:6e:45:6b:d1'
        option default_macaddr 'e4:95:6e:45:6b:d1'
        option ipaddr '192.168.10.1'


config interface 'wan'
        option ifname 'eth0'
        option proto 'dhcp'
        option hostname 'GL-AR150-bd0'
        option metric '10'

config interface 'wan6'
        option ifname 'eth0'
        option proto 'dhcpv6'

config interface 'guest'
        option ifname 'guest'
        option type 'bridge'
        option proto 'static'
        option ipaddr '192.168.9.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wwan'
        option proto 'dhcp'
        option metric '20'


/etc/config/firewall



config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option device 'tap+'


config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6 wwan'

config forwarding
        option src 'lan'
        option dest 'wan'


config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'


config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'


config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'


config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'


config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'
        option reload '1'

config include 'miniupnpd'
        option type 'script'
        option path '/usr/share/miniupnpd/firewall.include'
        option family 'any'
        option reload '1'

config include 'shadowsocks'
        option type 'script'
        option path '/var/etc/shadowsocks.include'
        option reload '1'


config rule 'glservice_rule'
        option name 'glservice'
        option dest_port '83'
        option proto 'tcp udp'
        option src 'wan'
        option target 'ACCEPT'
        option enabled '0'

config zone 'guestzone'
        option name 'guestzone'
        option network 'guest'
        option forward 'REJECT'
        option output 'ACCEPT'
        option input 'REJECT'

config forwarding 'guestzone_fwd'
        option src 'guestzone'
        option dest 'wan'

config rule 'guestzone_dhcp'
        option name 'guestzone_DHCP'
        option src 'guestzone'
        option target 'ACCEPT'
        option proto 'udp'
        option dest_port '67-68'

config rule 'guestzone_dns'
        option name 'guestzone_DNS'
        option src 'guestzone'
        option target 'ACCEPT'
        option proto 'tcp udp'
        option dest_port '53'


config include 'glfw'
        option type 'script'
        option path '/usr/bin/glfw.sh'
        option reload '1'

config include 'glqos'
        option type 'script'
        option path '/usr/sbin/glqos.sh'
        option reload '1'

config include 'mwan3'
        option type 'script'
        option path '/var/etc/mwan3.include'
        option reload '1'


It's the same as with the first router. If I delete the firewall it works;
if I run with the firewall, it doesn't.

I tried (without understanding it):

uci set firewall.@zone[0].device="tap+"
uci commit firewall
service firewall restart

but this time it doesn't help me.

Sorry for almost the same question again, but I don't know...
can someone tell me what to do, maybe with a hint why?

The first openwrt router works without any problems with openvpn now.

Setup:
192.168.10.0/24 --- openwrt router/openvpn client ----- Internet ---- OpenVPN Server ---- 192.168.2.0/24
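An added example, not from the thread and not an OpenWrt tool: a small POSIX shell/awk checker that reads UCI firewall text and reports which zone, with that zone's input policy, a given kernel interface name is matched into through `option device` / `list device`. A trailing `+` is the iptables wildcard, so `tap+` covers tap0, tap1 and so on. Run over the /etc/config/firewall posted above it shows that tap0 lands in the lan zone with input ACCEPT, i.e. anything arriving over the tunnel is treated like the LAN, which is what the `uci set firewall.@zone[0].device="tap+"` fix earlier in the thread does; a device that is only reached through `option network` (eth0 here) is reported as unmatched, because this checker deliberately does not resolve the network-to-device mapping from /etc/config/network. The embedded config is a constructed excerpt with one extra zone added to show an exact (non-wildcard) match.

```shell
#!/bin/sh
# Constructed UCI firewall excerpt, modelled on the thread's config.
SAMPLE_FW=$(cat <<'EOF'
config defaults
        option input 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option device 'tap+'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option network 'wan wan6 wwan'

config zone 'guestzone'
        option name 'guestzone'
        list device 'br-guest'
        option input 'REJECT'
        option forward 'REJECT'
EOF
)

# zones_for_device <uci-firewall-text> <ifname>
# Prints "zone:input-policy" for every zone whose device pattern matches
# <ifname>; prints nothing when no zone claims the device by name.
# A pattern ending in '+' is a prefix match (iptables wildcard), anything
# else is an exact match. Zones without an explicit input option print
# "default", meaning the policy comes from the 'config defaults' section.
zones_for_device() {
    printf '%s\n' "$1" | awk -v dev="$2" '
        function val(s) { gsub(/\047/, "", s); return s }
        function flush(   n, d, i, p, hit) {
            if (name != "") {
                n = split(devs, d, " ")
                for (i = 1; i <= n; i++) {
                    p = d[i]
                    if (sub(/\+$/, "", p)) { hit = (index(dev, p) == 1) }
                    else { hit = (dev == p) }
                    if (hit) { print name ":" pol; break }
                }
            }
            name = ""; devs = ""; pol = "default"
        }
        $1 == "config" && $2 == "zone" { flush(); insec = 1; next }
        $1 == "config"                 { flush(); insec = 0; next }
        insec && $2 == "name"   { name = val($3) }
        insec && $2 == "device" { devs = devs " " val($3) }
        insec && $2 == "input"  { pol = val($3) }
        END { flush() }
    '
}

# Stand-alone run: report a few interface names against the sample.
for ifname in tap0 br-guest eth0; do
    printf '%-10s -> %s\n' "$ifname" "$(zones_for_device "$SAMPLE_FW" "$ifname")"
done
```

On a router the same function can be fed the live file with `zones_for_device "$(cat /etc/config/firewall)" tap0`; an empty result for a tunnel device means the firewall treats it as an unzoned interface, which is the "OpenWrt blocks my openvpn traffic" symptom this thread started with.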

Try changing to dev tun instead of tap. Works much better and solved the issue earlier in the thread.


It certainly did. It works.

Do you have an example of a working openvpn configuration to connect 2 networks with tun?

I only know how to do it with tap.

It is called a site-to-site connection.
OpenVPN-based solution: server + client + site-to-site


This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.