OpenWrt openvpn

my topo is

image

and I have built an OpenVPN tunnel between op3 and op5. I created interface tap0 on both op3 and op5, but I cannot bring the port up with the command /etc/openvpn/tap0.sh, and I get the following error

here is my tap0.sh on both op3 and op5

#!/bin/sh
#/etc/openvpn/startupscript
# OpenVPN Bridge Config File
# Creates TAP devices for use by OpenVPN and bridges them into OpenWRT Bridge
# Taken from http://openvpn.net/bridge.html
# Define Bridge Interface
# Preexisting on OpenWRT
br="br-lan"
# Define list of TAP interfaces to be bridged,
# for example tap="tap0 tap1 tap2".
tap="tap0"
case "$1" in
    up)
        # Make sure module is loaded
        insmod tun
        # Build tap devices
        for t in $tap; do
            openvpn --mktun --dev $t
        done
        # Add TAP interfaces to OpenWRT bridge
        for t in $tap; do
            brctl addif $br $t
        done
        #Configure bridged interfaces
        for t in $tap; do
            ifconfig $t 0.0.0.0 promisc up
        done
    ;;
    down)
        for t in $tap; do
            ifconfig $t 0.0.0.0 down
        done
        for t in $tap; do
            brctl delif $br $t
        done
        for t in $tap; do
            openvpn --rmtun --dev $t
        done
        rmmod tun
    ;;
    *)
        echo "$0 {up|down}"
    ;;
esac

and here is my config file on op3

vi /etc/openvpn/my-vpn.conf

dev tap0
port 443
proto tcp-server
comp-lzo yes
keepalive 10 60
verb 3
secret /etc/openvpn/static.key
#ca /etc/openvpn/ca.crt
#dh /etc/openvpn/dh1024.pem
#cert /etc/openvpn/server.crt
#key /etc/openvpn/server.key
#status-version 2
log /etc/openvpn/openvpn0.log
status /etc/openvpn/server.status
#tls-auth /etc/openvpn/ta.key 0
# Custom Configuration
#auth-user-pass-verify /etc/openvpn/checkpsw.sh via-env
#client-cert-not-required
#username-as-common-name

and my config file on op5

vi /etc/openvpn/vpn.ovpn

dev tap0
proto tcp-client
remote 192.168.237.202 443
comp-lzo yes
keepalive 10 60
verb 3
secret /etc/openvpn/static.key
#ca /etc/openvpn/ca.crt
#dh /etc/openvpn/dh1024.pem
#cert /etc/openvpn/server.crt
#key /etc/openvpn/server.key
#status-version 2
log /etc/openvpn/openvpn0.log
status /etc/openvpn/server.status
#tls-auth /etc/openvpn/ta.key 0
# Custom Configuration
#auth-user-pass-verify /etc/openvpn/checkpsw.sh via-env
#client-cert-not-required
#username-as-common-name

Please tell me what causes the error, thank you.

What does the OpenVPN log show?

Also, why are you setting up a vpn between two routers that are connected through the same switch (albeit on different subnets)? Is this for educational purposes?

It is just a test.

How should OP3 reach OP5 if no route between the 2 subnets exists?

There are routes on both op3 and op5, and op3 can reach op5.

Can you show ping 192.168.237.202 from OP5?
As your logfile shows, 192.168.237.202 Host is unreachable.

Also check on OP3: have you configured OpenVPN to use port 443? That could clash with uhttpd if you have that also on 443.

My logfile shows 192.168.237.202:443 Host is unreachable.

op3

vi /etc/config/firewall
config 'redirect'
        option 'name' 'https'
        option 'src' 'wan'
        option 'proto' 'tcp udp'
        option 'src_dport' '443'
        option 'dest_ip' '192.168.235.201'             
        option 'dest_port' '443'
        option 'target' 'DNAT'
        option 'dest' 'lan'

There is the same format of config in the firewall of op5.

tap0 on both op3 and op5 is in the wan zone, and the protocol is DHCP client.

Now my tap0 cannot come up and link on. Is there a tool like tcping on OpenWrt to check port 443 status?

tap0 opens, then goes down.

On OP3 run netstat -tulnp

Neither 443 nor a custom port is opened. How do I open a custom port, like 443 or 1001?

Well, first, what is the OpenVPN server config on OP3? Is that configured to listen on 443?

op3 config
vi /etc/openvpn/vpn.conf

dev tap0
;proto tcp
proto tcp4
port 443
proto tcp-server
comp-lzo yes
keepalive 10 60
verb 3
secret /etc/openvpn/static.key
#ca /etc/openvpn/ca.crt
#dh /etc/openvpn/dh1024.pem
#cert /etc/openvpn/server.crt
#key /etc/openvpn/server.key
#status-version 2
log /etc/openvpn/openvpn0.log
status /etc/openvpn/server.status
#tls-auth /etc/openvpn/ta.key 0
# Custom Configuration
#auth-user-pass-verify /etc/openvpn/checkpsw.sh via-env
#client-cert-not-required
#username-as-common-name

Output of command netstat -tulnp on op3

config on op3

but there is no 443 listening, so weird

Why would you choose port 443 if you already have uhttpd running on it? That surely would conflict.

Have you started the OpenVPN server? What is the log file saying, /etc/openvpn/openvpn0.log?
Also I don't think it is recommended to write the log file to /etc/!

First, it would be appreciated (by the forum owners) and by myself if you would post logs and config snippets as text instead of pictures.

Secondly, I would recommend either changing the uhttpd HTTPS port to something other than 443 or the OpenVPN one (recommended) to avoid the conflict. After that, check the log again and, if it is started, check with netstat.

You would like to see something like this (here it is running on port 14443):

tcp        0      0 0.0.0.0:14443            0.0.0.0:*               LISTEN      1946/openvpn
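The advice above is to confirm with netstat that nothing else already owns the OpenVPN port. As an added example (not code from this thread or from the OpenWrt project), here is a POSIX shell check that parses `netstat -tulnp` output and an OpenWrt `/etc/config/firewall` redirect section, and reports whether the port is held by another daemon such as uhttpd, or whether a DNAT redirect like the one posted for op3 would forward incoming wan traffic on that port to a different host before a local listener ever sees it. The netstat and firewall text below are constructed samples (the 14443 line mirrors the one shown above); the function names are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight check for the port an OpenVPN server should use.
# Two sources of trouble are covered: a competing listener (uhttpd on 443)
# and a firewall DNAT redirect that steals incoming traffic on that port.

# Constructed sample of `netstat -tulnp` on an OpenWrt router (not real output).
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      1234/uhttpd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1234/uhttpd
tcp        0      0 0.0.0.0:14443           0.0.0.0:*               LISTEN      1946/openvpn
tcp        0      0 :::22                   :::*                    LISTEN      1100/dropbear
udp        0      0 0.0.0.0:53              0.0.0.0:*                           1300/dnsmasq'

# Constructed sample redirect section in the same shape as the one posted for op3.
SAMPLE_FIREWALL="config 'redirect'
        option 'name' 'https'
        option 'src' 'wan'
        option 'proto' 'tcp udp'
        option 'src_dport' '443'
        option 'dest_ip' '192.168.235.201'
        option 'dest_port' '443'
        option 'target' 'DNAT'
        option 'dest' 'lan'"

# listener_owner PROTO PORT NETSTAT_TEXT
# Prints the PID/program that listens on PROTO:PORT; returns 1 when nothing does.
# The local address is column 4; the port is the text after its last ':'
# (this also handles IPv6 forms such as ':::22').
listener_owner() {
    proto=$1; port=$2; text=$3
    owner=$(printf '%s\n' "$text" | awk -v proto="$proto" -v port="$port" '
        $1 ~ ("^" proto) {
            n = split($4, a, ":")
            if (a[n] == port) { print $NF; exit }
        }')
    [ -n "$owner" ] || return 1
    printf '%s\n' "$owner"
}

# redirect_for_port PORT FIREWALL_TEXT
# Prints "name -> dest_ip:dest_port" for every DNAT redirect whose src_dport is
# PORT; returns 1 when no such rule exists. Quotes are stripped so both the
# quoted style posted in the thread and `uci export` style parse the same way.
redirect_for_port() {
    port=$1; text=$2
    printf '%s\n' "$text" | awk -v q="'" -v port="$port" '
        function flush() {
            if (section == "redirect" && sd == port && tgt == "DNAT") {
                print name " -> " dip ":" dp; hit = 1
            }
            section = ""; sd = ""; tgt = ""; dip = ""; dp = ""; name = ""
        }
        { gsub(q, "") }
        $1 == "config" { flush(); section = $2; next }
        $1 == "option" && $2 == "name"      { name = $3 }
        $1 == "option" && $2 == "src_dport" { sd = $3 }
        $1 == "option" && $2 == "dest_ip"   { dip = $3 }
        $1 == "option" && $2 == "dest_port" { dp = $3 }
        $1 == "option" && $2 == "target"    { tgt = $3 }
        END { flush(); exit hit ? 0 : 1 }'
}

# check_openvpn_port PROTO PORT NETSTAT_TEXT FIREWALL_TEXT
# Returns 0 when the port is free (or already held by openvpn itself),
# 1 when another process holds it, 2 when a DNAT redirect diverts it.
check_openvpn_port() {
    proto=$1; port=$2; ns=$3; fw=$4
    if owner=$(listener_owner "$proto" "$port" "$ns"); then
        case $owner in
            */openvpn) echo "$proto/$port: openvpn already listening ($owner)"; return 0 ;;
            *)         echo "$proto/$port: in use by $owner"; return 1 ;;
        esac
    fi
    if r=$(redirect_for_port "$port" "$fw"); then
        echo "$proto/$port: incoming wan traffic is redirected by firewall rule $r"
        return 2
    fi
    echo "$proto/$port: free"
    return 0
}

# Demo over the constructed samples when run stand-alone.
for p in 443 14443 1194; do
    check_openvpn_port tcp "$p" "$SAMPLE_NETSTAT" "$SAMPLE_FIREWALL" || true
done
```

On a live router, replace the constructed samples with `"$(netstat -tulnp)"` and `"$(cat /etc/config/firewall)"`; a non-zero return from `check_openvpn_port` is the cue to move either uhttpd or OpenVPN to another port, or to drop the redirect, before starting the server.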

Thank you very much, it works, you are a good guy.