OpenWrt openvpn

You might want to tell people how you fixed it so that others in that situation can learn

OK, another question: I restarted my node, checked my log and found that OpenVPN is up, but my route from op4 to op7 is not correct, although it was correct just now. Why does this happen?

traceroute output from op4 to op7

log of op3

log of op5

How do I put all the traffic into the tap0?

@faser
are you there?

Sure I am, but you might want to first start with some points I mentioned:

And

Furthermore, routing is automatically controlled by the OpenVPN server/client in their respective configuration. Not sure if you have read this help page already

A TAP interface doesn't route, it is a bridge. If that is really what you want, the diagram looks like a network loop could be created when the VPN bridge is established.

It isn't necessary to use a script. Set up bridges in UCI and define 'tap0' as one of their ports. When OpenVPN comes up, UCI should attach the new interface automatically.


@mk24 how should I put all traffic in OpenVPN?

In fact, there was only one problem I encountered at the beginning, which was a port conflict.
As the port used for the OpenVPN tunnel conflicts with port 443, the tap0 port of my OpenVPN client keeps flipping. After changing the port of OpenVPN, the problem is solved, but now my tunnel is established and all the traffic does not go through the tunnel.
I read the example you sent, which is a very simple explanation, and it even makes me feel a little confused. This example does not have much explanation. There is a virtual address of the tunnel on the topo, but the configuration of the client does not have a virtual address of the local tunnel, and the virtual address of the local tunnel of the server turns out to be a network segment. When I built the experiment according to this topo and installed OpenVPN, an error occurred. The error shows that the openvpn file conflicts with /etc/config/openvpn.
I tried to start /etc/config/openvpn, but it doesn't seem to make any sense. Maybe I am not familiar with OpenWrt, so this example doesn't help me much.
Take the topo I am building now: why does all the data go through the traffic at the beginning, but not later? This is where I don't understand. What else should I configure?

Well, maybe first of all you would need to try to explain what you want to achieve. Are you looking for a road warrior setup where the default route of the client is pushed to be the OpenVPN server, or are you looking for LAN to LAN communication with specific routes for certain ranges?
(As a side note, for the latter case of LAN to LAN communication WireGuard would be the recommended solution.)

If you want a road warrior setup you should go for TUN instead of TAP interface as @mk24 also wrote.
The default openvpn setup would be doing that https://openwrt.org/docs/guide-user/services/vpn/openvpn/server

Happy to help but we first need to understand what your exact goal is.

I am looking for a LAN to LAN communication with specific routes for certain ranges

Like my topo, I want all traffic to go through the tunnel

I want 192.168.2.0/24 to go through the OpenVPN tunnel

To be honest, then WireGuard is a much better option

Now you confuse me, specific routes or all traffic?

Anyway if you want to use openvpn instead of wireguard I suggest to remove your config and use the TUN based interface as the Openwrt documentation explains.

I have deleted the tap0 file and restarted OpenVPN. What should I do next? How do I set tap0 to a TUN based interface?

You switch from TAP to TUN by changing the configuration files. But my recommendation is you remove all your configuration files and start from scratch following the instructions at https://openwrt.org/docs/guide-user/services/vpn/openvpn/server

But once again, that is for a road warrior setup, and we still don't know if that is what you want.

I want to do it like this

site to site openvpn


I want traffic from op4 go through openvpn tunnel to op7

I need to do speedtest by iperf3 between op4 and op7 to realize the bandwidth of openvpn tunnel

Generally, there should be a virtual tunnel address on op3 and op5 to bring the tunnel up

Ok, means not roadwarrior but only specific routes!
Anyway, you would need to switch to a TUN interface first; then you could, on the server, do something like push "route 192.168.2.0 255.255.255.0 vpn_gateway" in the server config if the target range is behind the server, or iroute 192.168.2.0 255.255.255.0 in the client config if the range is behind the client.

If you tell us your hardware we can already give you an indication of the speed you can reach with OpenVPN.
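A routed site-to-site layout matching the reply above, written out as an added example (it is not the thread's configuration and not taken from the OpenWrt guide). Assumptions: 192.168.2.0/24 is the LAN behind the client (op5/op7), the LAN behind the server is 192.168.1.0/24, the tunnel range is 10.8.0.0/24, op5's certificate CN is "op5", and the certificate paths are placeholders. Note that `iroute` lives in the per-client file under the server's `client-config-dir`, not in the client's own config, and that a range behind a client needs both the kernel `route` and the OpenVPN `iroute`:

```conf
##### op3 (server side): /etc/openvpn/my-vpn.conf #####
# Routed (TUN) mode instead of the TAP bridge used earlier in the thread.
dev tun
# op5 connects to op3 over TCP on port 1001 in the logs further down; any free port works.
proto tcp-server
port 1001
# Tunnel addressing (assumed range): op3 becomes 10.8.0.1, clients get 10.8.0.2 and up.
topology subnet
server 10.8.0.0 255.255.255.0
# Certificate material (placeholder paths).
ca /etc/openvpn/ca.crt
cert /etc/openvpn/op3.crt
key /etc/openvpn/op3.key
dh /etc/openvpn/dh.pem
keepalive 10 60
persist-key
persist-tun
# 192.168.2.0/24 is assumed to sit behind the CLIENT (op5/op7).
# Two statements are needed for a range behind a client:
#   route  -> the kernel on op3 sends that range into tun0
#   iroute -> OpenVPN learns which connected client owns it (ccd file below)
route 192.168.2.0 255.255.255.0
client-config-dir /etc/openvpn/ccd
# LAN behind the SERVER (assumed 192.168.1.0/24), pushed to the client.
push "route 192.168.1.0 255.255.255.0 vpn_gateway"

##### op3: /etc/openvpn/ccd/op5  (file name must equal the CN of op5's certificate) #####
iroute 192.168.2.0 255.255.255.0

##### op5 (client side): /etc/openvpn/my-vpn.conf #####
client
dev tun
proto tcp-client
# op3's address and port as seen in the op5 log further down.
remote 192.168.237.202 1001
ca /etc/openvpn/ca.crt
cert /etc/openvpn/op5.crt
key /etc/openvpn/op5.key
persist-key
persist-tun
```

If the range is instead behind the server, drop the `route`/`ccd` lines and just push it, as the reply says. On OpenWrt, both routers additionally need tun0 placed in a firewall zone that forwards to and from `lan`, otherwise the kernel routes exist but the packets are dropped. Also, `push`/`iroute` only exist in server/client mode: a two-router point-to-point setup keyed with `secret static.key` (a static.key appears in the directory listing further down) has no ccd directory and simply needs a plain `route` line for the far LAN on each end.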

I do not know how to change the interface to TUN, can you tell me in detail?
Which file should I configure?

root@OpenWrt:/# cd /etc/openvpn
root@OpenWrt:/etc/openvpn# ls
my-vpn.conf    openvpn0.log   server.status  startup.sh     static.key
root@OpenWrt:/etc/openvpn# 

or
/etc/network/network
or
/etc/network/firewall

And I have added route 192.168.2.0 255.255.255.0 to /etc/openvpn/my-vpn.conf on op3, then restarted OpenVPN, but I get the following errors

op3

Sat Aug 20 08:10:21 2022 TUN/TAP device tun0 opened
Sat Aug 20 08:10:21 2022 TUN/TAP TX queue length set to 100
Sat Aug 20 08:10:21 2022 Could not determine IPv4/IPv6 protocol. Using AF_INET
Sat Aug 20 08:10:21 2022 Socket Buffers: R=[87380->87380] S=[16384->16384]
Sat Aug 20 08:10:21 2022 Listening for incoming TCP connection on [AF_INET][undef]:1001
Sat Aug 20 08:10:25 2022 TCP connection established with [AF_INET]192.168.235.201:44648
Sat Aug 20 08:10:25 2022 TCPv4_SERVER link local (bound): [AF_INET][undef]:1001
Sat Aug 20 08:10:25 2022 TCPv4_SERVER link remote: [AF_INET]192.168.235.201:44648
Sat Aug 20 08:10:25 2022 Peer Connection Initiated with [AF_INET]192.168.235.201:44648
Sat Aug 20 08:10:26 2022 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sat Aug 20 08:10:26 2022 Initialization Sequence Completed
Sat Aug 20 08:26:09 2022 event_wait : Interrupted system call (code=4)
Sat Aug 20 08:26:09 2022 Closing TUN/TAP interface
Sat Aug 20 08:26:09 2022 SIGTERM[hard,] received, process exiting

op5

Sat Aug 20 08:37:12 2022 TUN/TAP device tun0 opened
Sat Aug 20 08:37:12 2022 TUN/TAP TX queue length set to 100
Sat Aug 20 08:37:12 2022 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.237.202:1001
Sat Aug 20 08:37:12 2022 Socket Buffers: R=[87380->87380] S=[16384->16384]
Sat Aug 20 08:37:12 2022 Attempting to establish TCP connection with [AF_INET]192.168.237.202:1001 [nonblock]
Sat Aug 20 08:37:13 2022 TCP: connect to [AF_INET]192.168.237.202:1001 failed: Connection refused
Sat Aug 20 08:37:13 2022 Closing TUN/TAP interface
Sat Aug 20 08:37:13 2022 SIGUSR1[connection failed(soft),init_instance] received, process restarting
Sat Aug 20 08:37:13 2022 Restart pause, 300 second(s)
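Read together, the two logs explain each other: op3 accepted op5's connection at 08:10, then exited on SIGTERM at 08:26 (the restart), and nothing in the op3 log shows the server listening again, so op5's attempt at 08:37 gets "Connection refused" and OpenVPN backs off for 300 s before retrying. The script below is an added example (not from this thread) that parses constructed excerpts of both logs and makes that correlation automatically; it assumes the clocks on op3 and op5 are synchronized, since it compares timestamps across hosts.

```python
import re
from datetime import datetime

# Constructed excerpts modelled on the op3 (server) and op5 (client) logs above.
OP3_SERVER_LOG = """\
Sat Aug 20 08:10:21 2022 TUN/TAP device tun0 opened
Sat Aug 20 08:10:21 2022 Listening for incoming TCP connection on [AF_INET][undef]:1001
Sat Aug 20 08:10:25 2022 Peer Connection Initiated with [AF_INET]192.168.235.201:44648
Sat Aug 20 08:10:26 2022 Initialization Sequence Completed
Sat Aug 20 08:26:09 2022 Closing TUN/TAP interface
Sat Aug 20 08:26:09 2022 SIGTERM[hard,] received, process exiting
"""

OP5_CLIENT_LOG = """\
Sat Aug 20 08:37:12 2022 TUN/TAP device tun0 opened
Sat Aug 20 08:37:12 2022 Attempting to establish TCP connection with [AF_INET]192.168.237.202:1001 [nonblock]
Sat Aug 20 08:37:13 2022 TCP: connect to [AF_INET]192.168.237.202:1001 failed: Connection refused
Sat Aug 20 08:37:13 2022 SIGUSR1[connection failed(soft),init_instance] received, process restarting
Sat Aug 20 08:37:13 2022 Restart pause, 300 second(s)
"""

# OpenVPN's default log prefix: "Sat Aug 20 08:10:21 2022 <message>"
LINE_RE = re.compile(r"^(\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) (.*)$")
REFUSED_RE = re.compile(r"connect to \[AF_INET\]([\d.]+):(\d+) failed: (.+)$")
PAUSE_RE = re.compile(r"Restart pause, (\d+) second")


def parse_log(text):
    """Turn log lines into (timestamp, message) pairs; lines without the prefix are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            events.append((datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y"), m.group(2)))
    return events


def listening_windows(server_events):
    """Intervals during which the server process was accepting connections.
    The end of an interval is None if the log never shows the process exiting."""
    windows, start = [], None
    for ts, msg in server_events:
        if msg.startswith("Listening for incoming"):
            start = ts
        elif msg.endswith("process exiting") and start is not None:
            windows.append((start, ts))
            start = None
    if start is not None:
        windows.append((start, None))
    return windows


def diagnose(server_text, client_text):
    """Correlate client-side connection failures with the server's listening windows."""
    windows = listening_windows(parse_log(server_text))
    result = {
        "server_listening_at_end": bool(windows) and windows[-1][1] is None,
        "refused": [],
        "restart_pause_s": None,
    }
    for ts, msg in parse_log(client_text):
        m = REFUSED_RE.search(msg)
        if m:
            # Assumes both routers' clocks agree; otherwise this comparison is meaningless.
            was_up = any(s <= ts and (e is None or ts < e) for s, e in windows)
            result["refused"].append({
                "time": ts,
                "remote": f"{m.group(1)}:{m.group(2)}",
                "reason": m.group(3),
                "server_was_listening": was_up,
            })
        m = PAUSE_RE.search(msg)
        if m:
            result["restart_pause_s"] = int(m.group(1))
    return result


if __name__ == "__main__":
    r = diagnose(OP3_SERVER_LOG, OP5_CLIENT_LOG)
    for f in r["refused"]:
        print(f"{f['time']:%H:%M:%S} {f['remote']} {f['reason']}: "
              f"server listening at that time = {f['server_was_listening']}")
    print("server still listening at end of its log:", r["server_listening_at_end"])
    print("client retry pause (s):", r["restart_pause_s"])
```

A refusal while the server log shows no open listening window points at the server side (process not running, or not yet restarted after a config change), not at routes or firewall rules; only once the client log reaches "Initialization Sequence Completed" again does it make sense to test the 192.168.2.0/24 route.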