OpenWrt on Raspberry 4B - tun0 does not get any IP address with running OpenVPN instance

Hi all,

I have followed the discussion with Dominik-1980 here and checked it against my configuration, because Dominik seems to have had similar problems to the ones I currently have, but with an older Raspberry version and much the same application.

Here is my story:

  1. I installed OpenWrt on a Raspberry 4B together with the OpenVPN package. I followed tutorials since I have never worked with OpenWrt before.
  2. I configured Ethernet in DHCP mode because I want to connect it to my DSL fritzbox, which is the DHCP server at IP address 192.168.178.1. My idea is to use the Raspberry also on travels as a mobile VPN router. Therefore, I want to avoid giving it a fixed IP address on the Ethernet interface. It shall run out-of-the-box within any local network configuration. At home, I basically want to provide WiFi (I have a second WiFi router) and VPN WiFi for all devices at the same time. I need VPN WiFi especially for my television, which is not capable of running an OpenVPN app or any other kind of VPN application.
  3. I enabled the OpenWrt WiFi connection as a WLAN access point. The connection worked pretty well right from the start and established a straight connection from the WLAN client (my laptop) to my DSL fritzbox router through Ethernet. Therefore, direct routing seems to run without any problems.
  4. I configured OpenVPN and downloaded certificates and configuration files from my provider CyberGhost, which supports all kinds of OpenWrt / OpenVPN routers. I could start the OpenVPN instance from the OpenVPN web interface without any problems (at least I could not identify any problem in the OpenVPN relevant logs).

And here comes my problem:
I tried to configure OpenWrt through LuCI in the same way as Dominik did in his issue topic, but I failed much earlier, at setting up the tun0 interface.

When I ran command

ip a

I got the following output

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br-lan state UP group default qlen 1000
    link/ether dc:a6:32:9e:26:e0 brd ff:ff:ff:ff:ff:ff
3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br-lan state UP group default qlen 1000
    link/ether dc:a6:32:9e:26:e2 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::dea6:32ff:fe9e:26e2/64 scope link 
       valid_lft forever preferred_lft forever
4: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether dc:a6:32:9e:26:e0 brd ff:ff:ff:ff:ff:ff
    inet 192.168.178.72/24 brd 192.168.178.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 fe80::dea6:32ff:fe9e:26e0/64 scope link 
       valid_lft forever preferred_lft forever
5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
    link/none 

Now I wonder how I can manage to make tun0 connected with my VPN server.

This is what the commands

ubus call system board; \
uci export network; uci export wireless; \
uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
ls -l  /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*

suggested by trendy gave back for my configuration:

{
	"kernel": "5.10.90",
	"hostname": "OpenWrt",
	"system": "ARMv8 Processor rev 3",
	"model": "Raspberry Pi 4 Model B Rev 1.2",
	"board_name": "raspberrypi,4-model-b",
	"rootfs_type": "ext4",
	"release": {
		"distribution": "OpenWrt",
		"version": "SNAPSHOT",
		"revision": "r18539-f2c3875dfc",
		"target": "bcm27xx/bcm2711",
		"description": "OpenWrt SNAPSHOT r18539-f2c3875dfc"
	}
}
package network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd0b:9890:1224::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config interface 'lan'
	option device 'br-lan'
	option proto 'dhcp'

config device
	option name 'tun0'
	option ipv6 '0'

config interface 'OpenVPN'
	option proto 'none'
	option device 'tun0'

package wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/soc/fe300000.mmcnr/mmc_host/mmc1/mmc1:0001/mmc1:0001:1'
	option cell_density '0'
	option country 'DE'
	option htmode 'HT20'
	option channel 'auto'
	option band '5g'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option mode 'ap'
	option key 'ThisWasMyPassword'
	option ssid 'KeepOutVPN'
	option wmm '0'
	option encryption 'psk2'
	option network 'lan'

package dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	option ra_slaac '1'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'OpenVPN'
	option interface 'OpenVPN'
	option ignore '1'
	list ra_flags 'none'

package firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list device 'tun0'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled 'false'

config include
	option path '/etc/firewall.user'

config zone
	option output 'ACCEPT'
	option forward 'REJECT'
	option input 'REJECT'
	option masq '1'
	option name 'CyberGVpn'
	list network 'OpenVPN'

config forwarding
	option src 'CyberGVpn'
	option dest 'lan'

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
4: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.178.72/24 brd 192.168.178.255 scope global br-lan
       valid_lft forever preferred_lft forever
5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
    inet 10.5.4.176/24 scope global tun0
       valid_lft forever preferred_lft forever
0.0.0.0/1 via 10.5.4.1 dev tun0 
default via 192.168.178.1 dev br-lan proto static src 192.168.178.72 
10.5.4.0/24 dev tun0 proto kernel scope link src 10.5.4.176 
128.0.0.0/1 via 10.5.4.1 dev tun0 
146.70.39.135 via 192.168.178.1 dev br-lan 
192.168.178.0/24 dev br-lan proto kernel scope link src 192.168.178.72 
broadcast 10.5.4.0 dev tun0 table local proto kernel scope link src 10.5.4.176 
local 10.5.4.176 dev tun0 table local proto kernel scope host src 10.5.4.176 
broadcast 10.5.4.255 dev tun0 table local proto kernel scope link src 10.5.4.176 
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1 
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1 
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1 
broadcast 192.168.178.0 dev br-lan table local proto kernel scope link src 192.168.178.72 
local 192.168.178.72 dev br-lan table local proto kernel scope host src 192.168.178.72 
broadcast 192.168.178.255 dev br-lan table local proto kernel scope link src 192.168.178.72 
0:	from all lookup local
32766:	from all lookup main
32767:	from all lookup default
lrwxrwxrwx    1 root     root            16 Jan 11 00:06 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r--    1 root     root             0 Jan 20 21:47 /tmp/resolv.conf
-rw-r--r--    1 root     root             0 Jan 20 21:47 /tmp/resolv.conf.d/resolv.conf.auto

/tmp/resolv.conf.d:
-rw-r--r--    1 root     root             0 Jan 20 21:47 resolv.conf.auto
==> /etc/resolv.conf <==

==> /tmp/resolv.conf <==

==> /tmp/resolv.conf.d <==
head: /tmp/resolv.conf.d: I/O error

==> /tmp/resolv.conf.d/resolv.conf.auto <==

I would very much appreciate it if anybody could help me out with my issue. Thank you in advance!

If you are connecting to a commercial VPN, you probably want it to reside in the wan zone. But that is not the root of your issue.... what do the logs show when you try to start the OpenVPN connection?

Sorry psherman, I could not answer before and had to work all day. It took me a while to find an appropriate command since there is no separate openvpn log on my machine.

This is what

logread -e openvpn

gave back:

Tue Jan 18 21:48:45 2022 daemon.warn openvpn(CyberGhostOpenVPN_AR)[1387]: DEPRECATED OPTION: ncp-disable. Disabling cipher negotiation is a deprecated debug feature that will be removed in OpenVPN 2.6
Tue Jan 18 21:48:45 2022 daemon.warn openvpn(CyberGhostOpenVPN_AR)[1387]: DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
Tue Jan 18 21:48:45 2022 daemon.notice openvpn(CyberGhostOpenVPN_AR)[1387]: OpenVPN 2.5.5 aarch64-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Tue Jan 18 21:48:45 2022 daemon.notice openvpn(CyberGhostOpenVPN_AR)[1387]: library versions: OpenSSL 1.1.1m  14 Dec 2021, LZO 2.10
Tue Jan 18 21:48:45 2022 daemon.warn openvpn(CyberGhostOpenVPN_AR)[1387]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Tue Jan 18 21:48:45 2022 daemon.notice openvpn(CyberGhostOpenVPN_AR)[1387]: Control Channel MTU parms [ L:1621 D:1212 EF:38 EB:0 ET:0 EL:3 ]
Tue Jan 18 21:48:45 2022 daemon.notice openvpn(CyberGhostOpenVPN_AR)[1387]: Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
Tue Jan 18 21:48:45 2022 daemon.notice openvpn(CyberGhostOpenVPN_AR)[1387]: Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1569,tun-mtu 1500,proto UDPv4,cipher AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-client'
Tue Jan 18 21:48:45 2022 daemon.notice openvpn(CyberGhostOpenVPN_AR)[1387]: Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1569,tun-mtu 1500,proto UDPv4,cipher AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-server'
Tue Jan 18 21:48:45 2022 daemon.notice openvpn(CyberGhostOpenVPN_AR)[1387]: TCP/UDP: Preserving recently used remote address: [AF_INET]146.70.39.13:443
Tue Jan 18 21:48:45 2022 daemon.notice openvpn(CyberGhostOpenVPN_AR)[1387]: Socket Buffers: R=[212992->212992] S=[212992->212992]
Tue Jan 18 21:48:45 2022 daemon.notice openvpn(CyberGhostOpenVPN_AR)[1387]: UDP link local: (not bound)
Tue Jan 18 21:48:45 2022 daemon.notice openvpn(CyberGhostOpenVPN_AR)[1387]: UDP link remote: [AF_INET]146.70.39.13:443
Tue Jan 18 21:48:46 2022 daemon.notice openvpn(CyberGhostOpenVPN_AR)[1387]: TLS: Initial packet from [AF_INET]146.70.39.13:443, sid=02c409de 43c2064d
Tue Jan 18 21:48:46 2022 daemon.notice openvpn(CyberGhostOpenVPN_AR)[1387]: VERIFY OK: depth=1, C=RO, L=Bucharest, O=CyberGhost S.A., CN=CyberGhost Root CA, emailAddress=info@cyberghost.ro
Tue Jan 18 21:48:46 2022 daemon.notice openvpn(CyberGhostOpenVPN_AR)[1387]: VERIFY KU OK
Tue Jan 18 21:48:46 2022 daemon.notice openvpn(CyberGhostOpenVPN_AR)[1387]: Validating certificate extended key usage
Tue Jan 18 21:48:46 2022 daemon.notice openvpn(CyberGhostOpenVPN_AR)[1387]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Tue Jan 18 21:48:46 2022 daemon.notice openvpn(CyberGhostOpenVPN_AR)[1387]: VERIFY EKU OK
Tue Jan 18 21:48:46 2022 daemon.notice openvpn(CyberGhostOpenVPN_AR)[1387]: VERIFY OK: depth=0, CN=buenosaires-rack403.nodes.gen4.ninja
Fri Jan 21 20:59:58 2022 daemon.err openvpn(CyberGhostOpenVPN_AR)[1387]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Jan 21 20:59:58 2022 daemon.err openvpn(CyberGhostOpenVPN_AR)[1387]: TLS Error: TLS handshake failed
Fri Jan 21 20:59:58 2022 daemon.notice openvpn(CyberGhostOpenVPN_AR)[1387]: TCP/UDP: Closing socket
Fri Jan 21 20:59:58 2022 daemon.notice openvpn(CyberGhostOpenVPN_AR)[1387]: SIGUSR1[soft,tls-error] received, process restarting
Fri Jan 21 20:59:58 2022 daemon.notice openvpn(CyberGhostOpenVPN_AR)[1387]: Restart pause, 5 second(s)
Fri Jan 21 21:00:03 2022 daemon.warn openvpn(CyberGhostOpenVPN_AR)[1387]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Fri Jan 21 21:00:03 2022 daemon.notice openvpn(CyberGhostOpenVPN_AR)[1387]: Re-using SSL/TLS context
Fri Jan 21 21:00:03 2022 daemon.notice openvpn(CyberGhostOpenVPN_AR)[1387]: Control Channel MTU parms [ L:1621 D:1212 EF:38 EB:0 ET:0 EL:3 ]
Fri Jan 21 21:00:03 2022 daemon.notice openvpn(CyberGhostOpenVPN_AR)[1387]: Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
Fri Jan 21 21:00:03 2022 daemon.notice openvpn(CyberGhostOpenVPN_AR)[1387]: Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1569,tun-mtu 1500,proto UDPv4,cipher AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-client'
Fri Jan 21 21:00:03 2022 daemon.notice openvpn(CyberGhostOpenVPN_AR)[1387]: Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1569,tun-mtu 1500,proto UDPv4,cipher AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-server'
Fri Jan 21 21:00:03 2022 daemon.notice openvpn(CyberGhostOpenVPN_AR)[1387]: TCP/UDP: Preserving recently used remote address: [AF_INET]146.70.39.145:443
Fri Jan 21 21:00:03 2022 daemon.notice openvpn(CyberGhostOpenVPN_AR)[1387]: Socket Buffers: R=[212992->212992] S=[212992->212992]
Fri Jan 21 21:00:03 2022 daemon.notice openvpn(CyberGhostOpenVPN_AR)[1387]: UDP link local: (not bound)
Fri Jan 21 21:00:03 2022 daemon.notice openvpn(CyberGhostOpenVPN_AR)[1387]: UDP link remote: [AF_INET]146.70.39.145:443
Fri Jan 21 21:00:03 2022 daemon.notice openvpn(CyberGhostOpenVPN_AR)[1387]: TLS: Initial packet from [AF_INET]146.70.39.145:443, sid=78c934c0 5aec7aee
Fri Jan 21 21:00:03 2022 daemon.notice openvpn(CyberGhostOpenVPN_AR)[1387]: VERIFY OK: depth=1, C=RO, L=Bucharest, O=CyberGhost S.A., CN=CyberGhost Root CA, emailAddress=info@cyberghost.ro
Fri Jan 21 21:00:03 2022 daemon.notice openvpn(CyberGhostOpenVPN_AR)[1387]: VERIFY KU OK
Fri Jan 21 21:00:03 2022 daemon.notice openvpn(CyberGhostOpenVPN_AR)[1387]: Validating certificate extended key usage
Fri Jan 21 21:00:03 2022 daemon.notice openvpn(CyberGhostOpenVPN_AR)[1387]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Fri Jan 21 21:00:03 2022 daemon.notice openvpn(CyberGhostOpenVPN_AR)[1387]: VERIFY EKU OK
Fri Jan 21 21:00:03 2022 daemon.notice openvpn(CyberGhostOpenVPN_AR)[1387]: VERIFY OK: depth=0, CN=buenosaires-rack404.nodes.gen4.ninja
Fri Jan 21 21:00:03 2022 daemon.warn openvpn(CyberGhostOpenVPN_AR)[1387]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1569', remote='link-mtu 1549'
Fri Jan 21 21:00:03 2022 daemon.warn openvpn(CyberGhostOpenVPN_AR)[1387]: WARNING: 'auth' is used inconsistently, local='auth SHA256', remote='auth [null-digest]'
Fri Jan 21 21:00:03 2022 daemon.warn openvpn(CyberGhostOpenVPN_AR)[1387]: WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
Fri Jan 21 21:00:03 2022 daemon.notice openvpn(CyberGhostOpenVPN_AR)[1387]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 4096 bit RSA, signature: RSA-SHA256
Fri Jan 21 21:00:03 2022 daemon.notice openvpn(CyberGhostOpenVPN_AR)[1387]: [buenosaires-rack404.nodes.gen4.ninja] Peer Connection Initiated with [AF_INET]146.70.39.145:443
Fri Jan 21 21:00:05 2022 daemon.notice openvpn(CyberGhostOpenVPN_AR)[1387]: SENT CONTROL [buenosaires-rack404.nodes.gen4.ninja]: 'PUSH_REQUEST' (status=1)
Fri Jan 21 21:00:05 2022 daemon.notice openvpn(CyberGhostOpenVPN_AR)[1387]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,route-ipv6 2000::/3,dhcp-option DNS 10.0.0.243,route-gateway 10.15.4.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.15.4.60 255.255.255.0,peer-id 9'
Fri Jan 21 21:00:05 2022 daemon.warn openvpn(CyberGhostOpenVPN_AR)[1387]: WARNING: You have specified redirect-gateway and redirect-private at the same time (or the same option multiple times). This is not well supported and may lead to unexpected results
Fri Jan 21 21:00:05 2022 daemon.notice openvpn(CyberGhostOpenVPN_AR)[1387]: OPTIONS IMPORT: timers and/or timeouts modified
Fri Jan 21 21:00:05 2022 daemon.notice openvpn(CyberGhostOpenVPN_AR)[1387]: OPTIONS IMPORT: --ifconfig/up options modified
Fri Jan 21 21:00:05 2022 daemon.notice openvpn(CyberGhostOpenVPN_AR)[1387]: OPTIONS IMPORT: route options modified
Fri Jan 21 21:00:05 2022 daemon.notice openvpn(CyberGhostOpenVPN_AR)[1387]: OPTIONS IMPORT: route-related options modified
Fri Jan 21 21:00:05 2022 daemon.notice openvpn(CyberGhostOpenVPN_AR)[1387]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Fri Jan 21 21:00:05 2022 daemon.notice openvpn(CyberGhostOpenVPN_AR)[1387]: OPTIONS IMPORT: peer-id set
Fri Jan 21 21:00:05 2022 daemon.notice openvpn(CyberGhostOpenVPN_AR)[1387]: OPTIONS IMPORT: adjusting link_mtu to 1624
Fri Jan 21 21:00:05 2022 daemon.notice openvpn(CyberGhostOpenVPN_AR)[1387]: Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Fri Jan 21 21:00:05 2022 daemon.notice openvpn(CyberGhostOpenVPN_AR)[1387]: Outgoing Data Channel: Using 256 bit message hash 'SHA256' for HMAC authentication
Fri Jan 21 21:00:05 2022 daemon.notice openvpn(CyberGhostOpenVPN_AR)[1387]: Incoming Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Fri Jan 21 21:00:05 2022 daemon.notice openvpn(CyberGhostOpenVPN_AR)[1387]: Incoming Data Channel: Using 256 bit message hash 'SHA256' for HMAC authentication
Fri Jan 21 21:00:05 2022 daemon.notice openvpn(CyberGhostOpenVPN_AR)[1387]: net_route_v4_best_gw query: dst 0.0.0.0
Fri Jan 21 21:00:05 2022 daemon.notice openvpn(CyberGhostOpenVPN_AR)[1387]: net_route_v4_best_gw result: via 192.168.178.1 dev br-lan
Fri Jan 21 21:00:05 2022 daemon.notice openvpn(CyberGhostOpenVPN_AR)[1387]: GDG6: remote_host_ipv6=n/a
Fri Jan 21 21:00:05 2022 daemon.notice openvpn(CyberGhostOpenVPN_AR)[1387]: net_route_v6_best_gw query: dst ::
Fri Jan 21 21:00:05 2022 daemon.warn openvpn(CyberGhostOpenVPN_AR)[1387]: sitnl_send: rtnl: generic error (-13): Permission denied
Fri Jan 21 21:00:05 2022 daemon.notice openvpn(CyberGhostOpenVPN_AR)[1387]: TUN/TAP device tun0 opened
Fri Jan 21 21:00:05 2022 daemon.notice openvpn(CyberGhostOpenVPN_AR)[1387]: do_ifconfig, ipv4=1, ipv6=0
Fri Jan 21 21:00:05 2022 daemon.notice openvpn(CyberGhostOpenVPN_AR)[1387]: net_iface_mtu_set: mtu 1500 for tun0
Fri Jan 21 21:00:05 2022 daemon.notice openvpn(CyberGhostOpenVPN_AR)[1387]: net_iface_up: set tun0 up
Fri Jan 21 21:00:05 2022 daemon.notice openvpn(CyberGhostOpenVPN_AR)[1387]: net_addr_v4_add: 10.15.4.60/24 dev tun0
Fri Jan 21 21:00:05 2022 daemon.notice openvpn(CyberGhostOpenVPN_AR)[1387]: /usr/libexec/openvpn-hotplug up CyberGhostOpenVPN_AR tun0 1500 1624 10.15.4.60 255.255.255.0 init
Fri Jan 21 21:00:10 2022 daemon.notice openvpn(CyberGhostOpenVPN_AR)[1387]: net_route_v4_add: 146.70.39.145/32 via 192.168.178.1 dev [NULL] table 0 metric -1
Fri Jan 21 21:00:10 2022 daemon.notice openvpn(CyberGhostOpenVPN_AR)[1387]: net_route_v4_add: 0.0.0.0/1 via 10.15.4.1 dev [NULL] table 0 metric -1
Fri Jan 21 21:00:10 2022 daemon.notice openvpn(CyberGhostOpenVPN_AR)[1387]: net_route_v4_add: 128.0.0.0/1 via 10.15.4.1 dev [NULL] table 0 metric -1
Fri Jan 21 21:00:10 2022 daemon.notice openvpn(CyberGhostOpenVPN_AR)[1387]: WARNING: OpenVPN was configured to add an IPv6 route. However, no IPv6 has been configured for tun0, therefore the route installation may fail or may not work as expected.
Fri Jan 21 21:00:10 2022 daemon.notice openvpn(CyberGhostOpenVPN_AR)[1387]: add_route_ipv6(2000::/3 -> :: metric -1) dev tun0
Fri Jan 21 21:00:10 2022 daemon.notice openvpn(CyberGhostOpenVPN_AR)[1387]: net_route_v6_add: 2000::/3 via :: dev tun0 table 0 metric -1
Fri Jan 21 21:00:10 2022 daemon.warn openvpn(CyberGhostOpenVPN_AR)[1387]: sitnl_send: rtnl: generic error (-13): Permission denied
Fri Jan 21 21:00:10 2022 daemon.warn openvpn(CyberGhostOpenVPN_AR)[1387]: ERROR: Linux IPv6 route can't be added
Fri Jan 21 21:00:10 2022 daemon.warn openvpn(CyberGhostOpenVPN_AR)[1387]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Fri Jan 21 21:00:10 2022 daemon.notice openvpn(CyberGhostOpenVPN_AR)[1387]: Initialization Sequence Completed
Fri Jan 21 21:11:16 2022 daemon.warn openvpn[2045]: Cipher negotiation is disabled since neither P2MP client nor server mode is enabled
Fri Jan 21 21:11:16 2022 daemon.err openvpn[2045]: Options error: You must define TUN/TAP device (--dev)
Fri Jan 21 21:11:16 2022 daemon.warn openvpn[2045]: Use --help for more information.

Aside from the IPv6 configuration not being set up properly, it doesn't look odd, does it?
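As an added example (not code from this thread, OpenVPN or OpenWrt), here is a small triage script for the kind of `logread -e openvpn` output shown above: it separates the log by OpenVPN process, records the pushed `ifconfig`/gateway, the address actually added to tun0, the TLS timeout and the IPv6 route failure, and shows the second process [2045] that was started without a --dev option as a distinct, never-connected instance. The sample lines are a constructed, shortened copy of the ones posted.

```python
"""Triage 'logread -e openvpn' output: group the lines by OpenVPN process and
report, per instance, whether it completed initialisation, which tunnel address
was pushed/added, and which errors it hit.  Added example for this thread, not
code from OpenVPN or OpenWrt; SAMPLE_LOG is a constructed, shortened copy of
the lines posted above."""
import re

SAMPLE_LOG = """\
Fri Jan 21 20:59:58 2022 daemon.err openvpn(CyberGhostOpenVPN_AR)[1387]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Jan 21 20:59:58 2022 daemon.notice openvpn(CyberGhostOpenVPN_AR)[1387]: SIGUSR1[soft,tls-error] received, process restarting
Fri Jan 21 21:00:05 2022 daemon.notice openvpn(CyberGhostOpenVPN_AR)[1387]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,route-ipv6 2000::/3,dhcp-option DNS 10.0.0.243,route-gateway 10.15.4.1,topology subnet,ifconfig 10.15.4.60 255.255.255.0,peer-id 9'
Fri Jan 21 21:00:05 2022 daemon.notice openvpn(CyberGhostOpenVPN_AR)[1387]: net_addr_v4_add: 10.15.4.60/24 dev tun0
Fri Jan 21 21:00:10 2022 daemon.warn openvpn(CyberGhostOpenVPN_AR)[1387]: sitnl_send: rtnl: generic error (-13): Permission denied
Fri Jan 21 21:00:10 2022 daemon.warn openvpn(CyberGhostOpenVPN_AR)[1387]: ERROR: Linux IPv6 route can't be added
Fri Jan 21 21:00:10 2022 daemon.notice openvpn(CyberGhostOpenVPN_AR)[1387]: Initialization Sequence Completed
Fri Jan 21 21:11:16 2022 daemon.err openvpn[2045]: Options error: You must define TUN/TAP device (--dev)
"""

# Timestamp, syslog facility.level, optional instance name, pid, message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ [\d:]+ \d{4}) (?P<level>[\w.]+) "
    r"openvpn(?:\((?P<inst>[^)]*)\))?\[(?P<pid>\d+)\]: (?P<msg>.*)$")
PUSH_RE = re.compile(r"'PUSH_REPLY,(.*)'$")


def parse_push_reply(msg):
    """Split the PUSH_REPLY option string into {option: argument-string}."""
    m = PUSH_RE.search(msg)
    opts = {}
    for item in (m.group(1).split(",") if m else []):
        key, _, arg = item.strip().partition(" ")
        opts[key] = arg
    return opts


def triage(log_text):
    """Return {pid: state} built from the log lines."""
    instances = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        st = instances.setdefault(int(m["pid"]), {
            "name": m["inst"], "completed": False, "tls_failures": 0,
            "pushed": {}, "tun_addr": None, "errors": []})
        msg = m["msg"]
        if msg.startswith("TLS Error: TLS key negotiation failed"):
            st["tls_failures"] += 1            # handshake timed out, will retry
        elif msg.startswith("PUSH: Received control message:"):
            st["pushed"] = parse_push_reply(msg)
        elif msg.startswith("net_addr_v4_add:"):
            st["tun_addr"] = msg.split()[1]     # address actually put on tun0
        elif msg == "Initialization Sequence Completed":
            st["completed"] = True
        elif (m["level"].endswith(".err") or msg.startswith("ERROR:")
              or "Permission denied" in msg):
            st["errors"].append(msg)
    return instances


def summary(instances):
    """One line per process: the view an operator wants before digging in."""
    lines = []
    for pid, st in sorted(instances.items()):
        state = "UP" if st["completed"] else "NOT CONNECTED"
        lines.append(f"pid {pid} ({st['name'] or 'no instance name'}): {state}, "
                     f"tun {st['tun_addr'] or '-'}, pushed gw {st['pushed'].get('route-gateway', '-')}, "
                     f"{st['tls_failures']} TLS timeout(s), {len(st['errors'])} error(s)")
    return lines
```

Run `print("\n".join(summary(triage(SAMPLE_LOG))))` to get the per-process view; pid 1387 comes up as UP with two errors (both from the failed IPv6 route), pid 2045 as NOT CONNECTED.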

Finally, I could give tun0 an IP address by enabling the IPv6 option.

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br-lan state UP group default qlen 1000
    link/ether dc:a6:32:9e:26:e0 brd ff:ff:ff:ff:ff:ff
3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br-lan state UP group default qlen 1000
    link/ether dc:a6:32:9e:26:e2 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::dea6:32ff:fe9e:26e2/64 scope link 
       valid_lft forever preferred_lft forever
4: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether dc:a6:32:9e:26:e0 brd ff:ff:ff:ff:ff:ff
    inet 192.168.178.72/24 brd 192.168.178.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 fe80::dea6:32ff:fe9e:26e0/64 scope link 
       valid_lft forever preferred_lft forever
7: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
    link/none 
    inet 10.1.4.154/24 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::9df5:527f:2349:e667/64 scope link stable-privacy 
       valid_lft forever preferred_lft forever

But as of now, I could not establish proper routing through the VPN. My laptop connected through WiFi still passes through LAN to WAN directly and I find the IP address of my German provider where I actually expected an Argentinian one. Any ideas how I can fix this and where I need to look next?

Thank you!

Your firewall has issues.

Remove the tun0 line from below:

And the forwarding is backwards below:

source should be lan, destination should be CyberGVpn
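The two mistakes psherman points out (tun0 listed as a raw device in the lan zone while the OpenVPN network sits in its own zone, and a forwarding running from the VPN zone into lan) can be caught mechanically from `uci export` output. The following checker is an added example, not code from this thread or from OpenWrt; it assumes the trusted zone is named lan and that zone membership uses `list device` / `list network` entries as in the export above, and its samples are constructed, shortened copies of that export.

```python
"""Check an OpenWrt 'uci export' for the two firewall mistakes pointed out in
this thread: a tunnel device claimed by two zones, and a forwarding that runs
from the masquerading VPN zone back into lan.  Samples are constructed,
shortened copies of the exports posted above (this is not OpenWrt code)."""
import re

NETWORK = """\
package network
config interface 'lan'
    option device 'br-lan'
    option proto 'dhcp'
config interface 'OpenVPN'
    option proto 'none'
    option device 'tun0'
"""

# As posted: tun0 is a raw 'list device' in lan AND reached through the
# 'OpenVPN' network in CyberGVpn; the forwarding CyberGVpn -> lan is inverted.
BROKEN_FW = """\
package firewall
config zone
    option name 'lan'
    list device 'tun0'
    list network 'lan'
config zone
    option name 'CyberGVpn'
    option masq '1'
    list network 'OpenVPN'
config forwarding
    option src 'CyberGVpn'
    option dest 'lan'
"""

# The corrected layout shown later in the thread (zone renamed to VPNZone).
FIXED_FW = """\
package firewall
config zone
    option name 'lan'
    list network 'lan'
config zone
    option name 'VPNZone'
    option masq '1'
    list network 'OpenVPN'
config forwarding
    option src 'lan'
    option dest 'VPNZone'
"""

LINE_RE = re.compile(r"^\s*(package|config|option|list)\s+(\S+)(?:\s+'([^']*)')?\s*$")


def parse_uci(text):
    """Return {package: [section]} with section = {'type', 'name', 'opts'};
    'list' keys collect Python lists, 'option' keys hold plain strings."""
    packages, sections, sec = {}, None, None
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        kind, key, val = m.groups()
        if kind == "package":
            sections = packages.setdefault(key, [])
        elif kind == "config":
            sec = {"type": key, "name": val, "opts": {}}
            sections.append(sec)
        elif kind == "option":
            sec["opts"][key] = val
        else:
            sec["opts"].setdefault(key, []).append(val)
    return packages


def lint_firewall(export, lan="lan"):
    """Return human-readable findings; an empty list means the checks pass."""
    cfg = parse_uci(export)
    iface_dev = {s["name"]: s["opts"].get("device")
                 for s in cfg.get("network", []) if s["type"] == "interface"}
    fw = cfg.get("firewall", [])
    zones = {s["opts"]["name"]: s["opts"]
             for s in fw if s["type"] == "zone" and "name" in s["opts"]}
    forwards = {(s["opts"].get("src"), s["opts"].get("dest"))
                for s in fw if s["type"] == "forwarding"}
    findings = []
    # 1. A kernel device may belong to exactly one zone, whether it is listed
    #    directly ('list device') or reached through a logical interface.
    owners = {}
    for zname, z in zones.items():
        devs = z.get("device", []) + [iface_dev.get(n) for n in z.get("network", [])]
        for dev in filter(None, devs):
            owners.setdefault(dev, []).append(zname)
    for dev, zs in owners.items():
        if len(zs) > 1:
            findings.append(f"device {dev} is claimed by zones {zs}; keep it in one zone only")
    # 2. A masquerading zone is upstream (WAN-like): lan is forwarded INTO it,
    #    never the other way round, otherwise tunnel-side hosts can reach lan.
    for zname, z in zones.items():
        if z.get("masq") != "1":
            continue
        if (zname, lan) in forwards:
            findings.append(f"forwarding {zname} -> {lan} is backwards")
        if (lan, zname) not in forwards:
            findings.append(f"missing forwarding {lan} -> {zname}; clients have no egress via {zname}")
    return findings
```

`lint_firewall(NETWORK + BROKEN_FW)` reports the duplicate tun0 membership, the inverted forwarding and the missing lan -> CyberGVpn forwarding; the corrected layout returns no findings.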

Thanks psherman,

I removed the old zone CyberGVpn completely and created it under a new name, VPNzone, so that I do not confuse the firewall zone with the VPN interfaces. I tried to configure the firewall in the same way as it is captured here in Dominik-1980's issue. Now, it looks like this:

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option forward 'REJECT'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled 'false'

config include
	option path '/etc/firewall.user'

config zone
	option name 'VPNZone'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'OpenVPN'
	option input 'REJECT'
	option masq '1'

config forwarding
	option src 'lan'
	option dest 'VPNZone'

I compared the configuration of Dominik and mine:

Aside from this part of the configuration

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled 'false'

(which I don't know where it comes from) it looks pretty much the same.

Now I have found out that it works when I change the WiFi connection of my laptop to manual and configure the OpenWrt router as gateway. Well done so far! Thank you!

Now, my remaining question: Do I have to do this with each device I want to connect to the VPN through WiFi, or is there a way to make it work as well when configured through DHCP and assigned to the correct gateway? Could I configure this for instance somewhere within the wireless or DHCP configuration of the OpenWrt router so that each device gets connected properly out of the box? That would increase the WAF at home :wink:

Thanks in advance!

Is this the main router, or is this device behind another router?

Nevermind my previous question. You had answered this in the OP.

Since the DHCP server is on the fritzbox, it will assign the fritzbox as the gateway for all of your network devices that obtain their address via DHCP. Therefore, the thing we need to know is if you can tell the fritzbox to send a different gateway address to the DHCP clients. If so, that's the easiest way to achieve the goal. This does mean that all of your devices would then route through the Pi and the VPN tunnel. Is that a desirable outcome? (there are some ways around this with VPN Policy Based Routing, but that is another topic).

An alternative to changing the gateway address on the Fritzbox DHCP server would be to disable the DHCP server on that device entirely and then enable the DHCP server on the OpenWrt Pi. This method would assume you can disable the DHCP server on the Fritzbox -- this may be more likely than the ability to change the DHCP server issued gateway on the Fritzbox. It would have the same effect, though - all clients would get the OpenWrt Pi as the network gateway.

Thanks, I will check what my fritzbox can do. Perhaps, I can implement some IP-address-based gateway routing so that only media contents like Netflix go that way through VPN. Thank you so much!

Alexander
