OpenWrt router as OpenVPN client: client network is not accessible

I have an OpenVPN server. I'd like to have access from there to the resources available on the client's network. The client network is managed by an OpenWrt-based router; it serves as an OpenVPN client.

The server's network is 192.168.3.0/24 and the local network on the OpenWrt router is 192.168.1.0/24, so there should be no conflicts.

I configured this setup using the official manual.

The connection is successful, and I can ping my router from the server (ping 192.168.1.1) and back (ping 192.168.3.1 from the router).

But for some reason, none of the devices in the client's network are available from the server.

OpenVPN: Server configuration

port 1194
proto udp4
dev tun
ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\server.crt"
key "C:\\Program Files\\OpenVPN\\config\\server.key"
dh "C:\\Program Files\\OpenVPN\\config\\dh2048.pem"
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
cipher AES-256-CBC
persist-key
persist-tun
status openvpn-status.log
verb 3
explicit-exit-notify 1
client-config-dir ccd
route 192.168.1.0 255.255.255.0
push "route 192.168.3.0 255.255.255.0"

ccd/client
iroute 192.168.1.0 255.255.255.0

OpenVPN: Client configuration (/etc/config/openvpn)

package openvpn

config openvpn 'client'

	option enabled 1
	option client '1'
	option dev 'tun'
	option proto 'udp4'
	list remote 'myvpnserver 1194'
	option resolv_retry 'infinite'
	option nobind '1'
	option persist_key '1'
	option persist_tun '1'
	option user 'nobody'
	option ca '/etc/openvpn/ca.crt'
	option cert '/etc/openvpn/client.crt'
	option key '/etc/openvpn/client.key'
	option remote_cert_tls 'server'
	option cipher 'AES-256-CBC'
	option verb '3'
	option status '/etc/openvpn/openvpn-status.log'
	option log '/var/log/openvpn.log'

I've added a corresponding interface and firewall rules on the router (based on the official manual):

/etc/config/network

config interface 'VPN'
	option proto 'none'
	option ifname 'tun0'

/etc/config/firewall

config zone
	option input 'ACCEPT'
	option output 'ACCEPT'
	option name 'vpn'
	option forward 'ACCEPT'
	option masq '1'
	option network 'VPN'

config forwarding
	option dest 'lan'
	option src 'vpn'

config forwarding
	option dest 'vpn'
	option src 'lan'

Client log

 TUN/TAP device tun0 opened
 TUN/TAP TX queue length set to 100
 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
 /sbin/ifconfig tun0 10.8.0.6 pointopoint 10.8.0.5 mtu 1500
 /sbin/route add -net 192.168.3.0 netmask 255.255.255.0 gw 10.8.0.5
 /sbin/route add -net 10.8.0.1 netmask 255.255.255.255 gw 10.8.0.5
 UID set to nobody
 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
 Initialization Sequence Completed

Server log

MULTI: Learn: 192.168.1.219 -> client/83.220.239.243:21301 # 192.168.1.219 is one of the devices connected to the client network (to the router)
MULTI: Learn: 192.168.1.1 -> client/83.220.239.243:21301 # 192.168.1.1 is the router

These records appeared when I tried to ping 192.168.1.219 and 192.168.1.1 respectively.

I've enabled IP Forwarding on the server and on the client as this article recommends.

I've also tried to disable the firewall on the router by using this command: /etc/init.d/firewall stop, but it didn't help either.

I did tracert 192.168.1.219 on the server:

1    34 ms    39 ms    34 ms  10.8.0.6
2     *        *        *     Request timed out.

10.8.0.6 is the IP address of the router inside the VPN network.

What am I doing wrong?
Any advice would be much appreciated.
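A checker for the two things this setup depends on, written as an added example (not code from the thread, from OpenWrt or from OpenVPN): the pairing of the server's `route` with the client's `iroute`, and what the server's `MULTI: Learn` lines say about which client a learned address came through. The config, ccd contents and log lines are constructed copies of what is posted above; the function names are my own.

```python
import ipaddress
import re

# Constructed from the server configuration posted above; only the lines
# that matter for routing are reproduced.
SERVER_CONF = """\
server 10.8.0.0 255.255.255.0
client-config-dir ccd
route 192.168.1.0 255.255.255.0
push "route 192.168.3.0 255.255.255.0"
"""

# Constructed: contents of the ccd files, keyed by the client's certificate CN.
CCD_FILES = {"client": "iroute 192.168.1.0 255.255.255.0\n"}

# Constructed from the server log lines posted above.
SERVER_LOG = """\
MULTI: Learn: 192.168.1.0/24 -> client/83.220.239.243:21301
MULTI: Learn: 192.168.1.219 -> client/83.220.239.243:21301
MULTI: Learn: 192.168.1.1 -> client/83.220.239.243:21301
"""

LEARN_RE = re.compile(r"MULTI: Learn: (\S+) -> ([^/\s]+)/")


def _net(addr, mask):
    """Build a network from OpenVPN's 'address netmask' notation."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_server_conf(text):
    """Return (pool, kernel routes, client-config-dir) from a server config."""
    pool, routes, ccd_dir = None, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if m := re.match(r"^server\s+(\S+)\s+(\S+)", line):
            pool = _net(*m.groups())
        elif m := re.match(r"^route\s+(\S+)\s+(\S+)", line):
            routes.append(_net(*m.groups()))
        elif m := re.match(r"^client-config-dir\s+(\S+)", line):
            ccd_dir = m.group(1)
    return pool, routes, ccd_dir


def parse_iroutes(ccd_files):
    """Map client CN -> list of iroute networks found in its ccd file."""
    return {
        cn: [_net(*m.groups())
             for m in re.finditer(r"^iroute\s+(\S+)\s+(\S+)", text, re.M)]
        for cn, text in ccd_files.items()
    }


def check_routes(server_conf, ccd_files):
    """Report mismatches between kernel routes (`route`) and OpenVPN's internal
    routes (`iroute`): `route` alone pushes packets into the tun device with no
    client owning the subnet, `iroute` alone leaves the server's kernel with no
    route that hands the packets to OpenVPN in the first place."""
    pool, routes, ccd_dir = parse_server_conf(server_conf)
    iroutes = [(cn, n) for cn, ns in parse_iroutes(ccd_files).items() for n in ns]
    problems = []
    if iroutes and ccd_dir is None:
        problems.append("iroute found but server has no client-config-dir")
    for r in routes:
        if pool is not None and r.overlaps(pool):
            problems.append(f"route {r} overlaps the VPN pool {pool}")
        if not any(n == r for _, n in iroutes):
            problems.append(f"route {r} has no matching iroute in any ccd file")
    for cn, n in iroutes:
        if n not in routes:
            problems.append(f"iroute {n} for '{cn}' has no matching server route")
    return problems


def attribute_learns(log, ccd_files):
    """For each host address learned from a client, return (address, CN, the
    client's iroute it falls into or None). OpenVPN logs a Learn line when a
    tunnel packet with that source address arrives from the client, so a LAN
    host listed here has sent traffic back as far as the server's OpenVPN."""
    iroutes = parse_iroutes(ccd_files)
    learned = []
    for m in LEARN_RE.finditer(log):
        addr_s, cn = m.groups()
        if "/" in addr_s:        # the iroute itself being installed at connect time
            continue
        addr = ipaddress.ip_address(addr_s)
        owner = next((str(n) for n in iroutes.get(cn, []) if addr in n), None)
        learned.append((addr_s, cn, owner))
    return learned


if __name__ == "__main__":
    print("config problems:", check_routes(SERVER_CONF, CCD_FILES) or "none")
    for addr, cn, owner in attribute_learns(SERVER_LOG, CCD_FILES):
        print(f"{addr} sent traffic to the server via '{cn}' (iroute {owner})")
```

For the posted configuration the route/iroute check comes back clean, and both learned LAN addresses map onto the client's iroute, which places the remaining fault after the tunnel on the server side rather than on the OpenWrt forwarding path.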

uci delete firewall.@zone[-1].masq
uci commit firewall
service firewall restart

Tried that, no effect. 192.168.1.219 is still unavailable from the server.
As I wrote before, I also tried to disable the firewall completely with no effect.

ipconfig /all & route print
Windows IP Configuration

   Host Name . . . . . . . . . . . . : WIN-SERVER
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : Yes
   WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Ethernet:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
   Physical Address. . . . . . . . . : 10-BF-48-82-D8-AC
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Wireless LAN adapter Local Area Connection* 11:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Wi-Fi Direct Virtual Adapter
   Physical Address. . . . . . . . . : C6-E9-84-DD-28-0F
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Ethernet adapter Ethernet 2:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : TAP-Windows Adapter V9
   Physical Address. . . . . . . . . : 00-FF-6C-95-4B-1C
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::3c3a:e842:12d0:7979%10(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.8.0.1(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.252
   Lease Obtained. . . . . . . . . . : Sunday, October 21, 2018 14:36:04
   Lease Expires . . . . . . . . . . : Monday, October 21, 2019 14:36:04
   Default Gateway . . . . . . . . . :
   DHCP Server . . . . . . . . . . . : 10.8.0.2
   DHCPv6 IAID . . . . . . . . . . . : 587267948
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-22-FA-E5-6A-10-BF-48-82-D8-AC
   DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                       fec0:0:0:ffff::2%1
                                       fec0:0:0:ffff::3%1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Wireless LAN adapter Wi-Fi:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : TP-LINK Wireless USB Adapter
   Physical Address. . . . . . . . . : C4-E9-84-DD-28-0F
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::e56f:5609:fc13:464e%17(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.3.110(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.3.1
   DHCPv6 IAID . . . . . . . . . . . : 281340292
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-22-FA-E5-6A-10-BF-48-82-D8-AC
   DNS Servers . . . . . . . . . . . : 192.168.3.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{6C954B1C-8207-4D6C-8D21-A8176054379B}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{DA0CA1EA-919F-4C67-AD96-465A030A731D}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
===========================================================================
Interface List
  3...10 bf 48 82 d8 ac ......Realtek PCIe GBE Family Controller
  4...c6 e9 84 dd 28 0f ......Microsoft Wi-Fi Direct Virtual Adapter
 10...00 ff 6c 95 4b 1c ......TAP-Windows Adapter V9
 17...c4 e9 84 dd 28 0f ......TP-LINK Wireless USB Adapter
  1...........................Software Loopback Interface 1
 18...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
 20...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
 19...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.3.1    192.168.3.110    311
         10.8.0.0    255.255.255.0         10.8.0.2         10.8.0.1     35
         10.8.0.0  255.255.255.252         On-link          10.8.0.1    291
         10.8.0.1  255.255.255.255         On-link          10.8.0.1    291
         10.8.0.3  255.255.255.255         On-link          10.8.0.1    291
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
      192.168.1.0    255.255.255.0         10.8.0.2         10.8.0.1     35
      192.168.3.0    255.255.255.0         On-link     192.168.3.110    311
    192.168.3.110  255.255.255.255         On-link     192.168.3.110    311
    192.168.3.255  255.255.255.255         On-link     192.168.3.110    311
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link          10.8.0.1    291
        224.0.0.0        240.0.0.0         On-link     192.168.3.110    311
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link          10.8.0.1    291
  255.255.255.255  255.255.255.255         On-link     192.168.3.110    311
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0      192.168.3.1  Default
===========================================================================

@openvpn-server:

...
topology subnet
#ifconfig-pool-persist ipp.txt

@ccd/client:

...
ifconfig-push 10.8.0.2 255.255.255.0

Unfortunately, it didn't help either.

Server log:

OpenVPN 2.4.6 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 26 2018
Windows version 6.2 (Windows 8 or greater) 64bit
library versions: OpenSSL 1.1.0h  27 Mar 2018, LZO 2.10
Enter Management Password:
MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Need hold release from management interface, waiting...
MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
MANAGEMENT: CMD 'state on'
MANAGEMENT: CMD 'log all on'
MANAGEMENT: CMD 'echo all on'
MANAGEMENT: CMD 'bytecount 5'
MANAGEMENT: CMD 'hold off'
MANAGEMENT: CMD 'hold release'
Diffie-Hellman initialized with 2048 bit key
interactive service msg_channel=0
ROUTE_GATEWAY 192.168.3.1/255.255.255.0 I=17 HWADDR=c4:e9:84:dd:28:0f
open_tun
TAP-WIN32 device [Ethernet 2] opened: \\.\Global\{6C954B1C-8207-4D6C-8D21-A8176054379B}.tap
TAP-Windows Driver Version 9.21 
Set TAP-Windows TUN subnet mode network/local/netmask = 10.8.0.0/10.8.0.1/255.255.255.0 [SUCCEEDED]
Notified TAP-Windows driver to set a DHCP IP/netmask of 10.8.0.1/255.255.255.0 on interface {6C954B1C-8207-4D6C-8D21-A8176054379B} [DHCP-serv: 10.8.0.254, lease-time: 31536000]
Sleeping for 10 seconds...
Successful ARP Flush on interface [10] {6C954B1C-8207-4D6C-8D21-A8176054379B}
do_ifconfig, tt->did_ifconfig_ipv6_setup=0
MANAGEMENT: >STATE:1540135561,ASSIGN_IP,,10.8.0.1,,,,
MANAGEMENT: >STATE:1540135561,ADD_ROUTES,,,,,,
C:\Windows\system32\route.exe ADD 192.168.1.0 MASK 255.255.255.0 10.8.0.2
ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=35 and dwForwardType=4
Route addition via IPAPI succeeded [adaptive]
Socket Buffers: R=[65536->65536] S=[65536->65536]
UDPv4 link local (bound): [AF_INET][undef]:1194
UDPv4 link remote: [AF_UNSPEC]
MULTI: multi_init called, r=256 v=256
IFCONFIG POOL: base=10.8.0.2 size=252, ipv6=0
Initialization Sequence Completed
MANAGEMENT: >STATE:1540135561,CONNECTED,SUCCESS,10.8.0.1,,,,
83.220.239.12:59688 TLS: Initial packet from [AF_INET]83.220.239.12:59688, sid=7e05527f 26a4d92d
83.220.239.12:59688 VERIFY OK: depth=1, C=RU, ST=Moscow, L=Moscow, O=YAPS, OU=YAPS, CN=OpenVPN-CA, name=OpenVPN-CA, emailAddress=some@email.com
83.220.239.12:59688 VERIFY OK: depth=0, C=RU, ST=Moscow, L=Moscow, O=YAPS, OU=YAPS, CN=terminal, name=terminal, emailAddress=some@email.com
83.220.239.12:59688 peer info: IV_VER=2.4.5
83.220.239.12:59688 peer info: IV_PLAT=linux
83.220.239.12:59688 peer info: IV_PROTO=2
83.220.239.12:59688 peer info: IV_NCP=2
83.220.239.12:59688 peer info: IV_LZ4=1
83.220.239.12:59688 peer info: IV_LZ4v2=1
83.220.239.12:59688 peer info: IV_LZO=1
83.220.239.12:59688 peer info: IV_COMP_STUB=1
83.220.239.12:59688 peer info: IV_COMP_STUBv2=1
83.220.239.12:59688 peer info: IV_TCPNL=1
83.220.239.12:59688 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
83.220.239.12:59688 [terminal] Peer Connection Initiated with [AF_INET]83.220.239.12:59688
MULTI: new connection by client 'terminal' will cause previous active sessions by this client to be dropped.  Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
OPTIONS IMPORT: reading client specific options from: ccd\terminal
MULTI: Learn: 10.8.0.2 -> terminal/83.220.239.12:59688
MULTI: primary virtual IP for terminal/83.220.239.12:59688: 10.8.0.2
MULTI: internal route 192.168.1.0/24 -> terminal/83.220.239.12:59688
MULTI: Learn: 192.168.1.0/24 -> terminal/83.220.239.12:59688
terminal/83.220.239.12:59688 PUSH: Received control message: 'PUSH_REQUEST'
terminal/83.220.239.12:59688 SENT CONTROL [terminal]: 'PUSH_REPLY,route 192.168.3.0 255.255.255.0,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0,peer-id 1,cipher AES-256-GCM' (status=1)
terminal/83.220.239.12:59688 Data Channel: using negotiated cipher 'AES-256-GCM'
terminal/83.220.239.12:59688 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
terminal/83.220.239.12:59688 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
MULTI: Learn: 192.168.1.219 -> terminal/83.220.239.12:59688

Client log:

Control Channel: TLSv1.2, cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384, 4096 bit key
[server] Peer Connection Initiated with [AF_INET]134.0.111.210:1194
SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
PUSH: Received control message: 'PUSH_REPLY,route 192.168.3.0 255.255.255.0,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0,peer-id 1,cipher AES-256-GCM'
OPTIONS IMPORT: timers and/or timeouts modified
OPTIONS IMPORT: --ifconfig/up options modified
OPTIONS IMPORT: route options modified
OPTIONS IMPORT: route-related options modified
OPTIONS IMPORT: peer-id set
OPTIONS IMPORT: adjusting link_mtu to 1624
OPTIONS IMPORT: data channel crypto options modified
Data Channel: using negotiated cipher 'AES-256-GCM'
Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
TUN/TAP device tun0 opened
TUN/TAP TX queue length set to 100
do_ifconfig, tt->did_ifconfig_ipv6_setup=0
/sbin/ifconfig tun0 10.8.0.2 netmask 255.255.255.0 mtu 1500 broadcast 10.8.0.255
/sbin/route add -net 192.168.3.0 netmask 255.255.255.0 gw 10.8.0.1
WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Initialization Sequence Completed

Also, this line has started appearing in the client log from time to time:
write UDPv4: Operation not permitted (code=1)

I suspect the issue could be platform-related and suggest moving the OpenVPN server to a Linux host.

I have a lot of other software that can only run on Windows, so this is not an option.
Traceroute shows that the server correctly routes 192.168.1.219 to 10.8.0.6 (OpenVPN client), but from that point something goes wrong on the OpenWrt router.

@openvpn-client:

ip a; ip r; ip ru; iptables-save

Output:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
	link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
	inet 127.0.0.1/8 scope host lo
	   valid_lft forever preferred_lft forever
	inet6 ::1/128 scope host
	   valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP qlen 1000
	link/ether 7c:03:d8:9f:29:bd brd ff:ff:ff:ff:ff:ff
	inet6 fe80::7e03:d8ff:fe9f:29bd/64 scope link
	   valid_lft forever preferred_lft forever
24: br-WAN: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
	link/ether 7c:03:d8:9f:29:bd brd ff:ff:ff:ff:ff:ff
	inet6 fe80::7e03:d8ff:fe9f:29bd/64 scope link
	   valid_lft forever preferred_lft forever
25: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-WAN state UP qlen 1000
	link/ether 7c:03:d8:9f:29:bd brd ff:ff:ff:ff:ff:ff
26: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
	link/ether 7c:03:d8:9f:29:bd brd ff:ff:ff:ff:ff:ff
	inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
	   valid_lft forever preferred_lft forever
	inet6 fd21:42e1:2d36::1/60 scope global
	   valid_lft forever preferred_lft forever
	inet6 fe80::7e03:d8ff:fe9f:29bd/64 scope link
	   valid_lft forever preferred_lft forever
27: eth0.1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
	link/ether 7c:03:d8:9f:29:bd brd ff:ff:ff:ff:ff:ff
28: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br-lan state UP qlen 1000
	link/ether 7c:03:d8:9f:29:bd brd ff:ff:ff:ff:ff:ff
	inet6 fe80::7e03:d8ff:fe9f:29bd/64 scope link
	   valid_lft forever preferred_lft forever
34: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN qlen 100
	link/[65534]
	inet 10.8.0.2/24 brd 10.8.0.255 scope global tun0
	   valid_lft forever preferred_lft forever
	inet6 fe80::a1d7:d3b4:99ed:33ad/64 scope link
	   valid_lft forever preferred_lft forever
35: 3g-4G: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN qlen 3
	link/ppp
	inet 100.107.52.159 peer 10.0.0.1/32 scope global 3g-4G
	   valid_lft forever preferred_lft forever
default via 10.0.0.1 dev 3g-4G
10.0.0.1 dev 3g-4G scope link  src 100.107.52.159
10.8.0.0/24 dev tun0 scope link  src 10.8.0.2
192.168.1.0/24 dev br-lan scope link  src 192.168.1.1
192.168.3.0/24 via 10.8.0.1 dev tun0
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
# Generated by iptables-save v1.6.2 on Mon Oct 22 00:11:04 2018
*nat
:PREROUTING ACCEPT [2282:275751]
:INPUT ACCEPT [623:44998]
:OUTPUT ACCEPT [2462:175241]
:POSTROUTING ACCEPT [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_vpn_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_vpn_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_vpn_postrouting - [0:0]
:zone_vpn_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
-A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -i br-WAN -m comment --comment "!fw3" -j zone_wan_prerouting
-A PREROUTING -i 3g-4G -m comment --comment "!fw3" -j zone_wan_prerouting
-A PREROUTING -i tun0 -m comment --comment "!fw3" -j zone_vpn_prerouting
-A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
-A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o br-WAN -m comment --comment "!fw3" -j zone_wan_postrouting
-A POSTROUTING -o 3g-4G -m comment --comment "!fw3" -j zone_wan_postrouting
-A POSTROUTING -o tun0 -m comment --comment "!fw3" -j zone_vpn_postrouting
-A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
-A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
-A zone_vpn_postrouting -m comment --comment "!fw3: Custom vpn postrouting rule chain" -j postrouting_vpn_rule
-A zone_vpn_prerouting -m comment --comment "!fw3: Custom vpn prerouting rule chain" -j prerouting_vpn_rule
-A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
-A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Mon Oct 22 00:11:04 2018
# Generated by iptables-save v1.6.2 on Mon Oct 22 00:11:04 2018
*mangle
:PREROUTING ACCEPT [65772:23501527]
:INPUT ACCEPT [6048:1192504]
:FORWARD ACCEPT [59258:22238577]
:OUTPUT ACCEPT [7324:744991]
:POSTROUTING ACCEPT [66386:22974239]
-A FORWARD -o br-WAN -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o 3g-4G -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Mon Oct 22 00:11:04 2018
# Generated by iptables-save v1.6.2 on Mon Oct 22 00:11:04 2018
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_vpn_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_vpn_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_vpn_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_vpn_dest_ACCEPT - [0:0]
:zone_vpn_forward - [0:0]
:zone_vpn_input - [0:0]
:zone_vpn_output - [0:0]
:zone_vpn_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i br-WAN -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i 3g-4G -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i tun0 -m comment --comment "!fw3" -j zone_vpn_input
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i br-WAN -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i 3g-4G -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i tun0 -m comment --comment "!fw3" -j zone_vpn_forward
-A FORWARD -m comment --comment "!fw3" -j reject
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o br-WAN -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o 3g-4G -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o tun0 -m comment --comment "!fw3" -j zone_vpn_output
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
-A syn_flood -m comment --comment "!fw3" -j DROP
-A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to vpn forwarding policy" -j zone_vpn_dest_ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_vpn_dest_ACCEPT -o tun0 -m comment --comment "!fw3" -j ACCEPT
-A zone_vpn_forward -m comment --comment "!fw3: Custom vpn forwarding rule chain" -j forwarding_vpn_rule
-A zone_vpn_forward -m comment --comment "!fw3: Zone vpn to lan forwarding policy" -j zone_lan_dest_ACCEPT
-A zone_vpn_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_vpn_forward -m comment --comment "!fw3" -j zone_vpn_dest_ACCEPT
-A zone_vpn_input -m comment --comment "!fw3: Custom vpn input rule chain" -j input_vpn_rule
-A zone_vpn_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_vpn_input -m comment --comment "!fw3" -j zone_vpn_src_ACCEPT
-A zone_vpn_output -m comment --comment "!fw3: Custom vpn output rule chain" -j output_vpn_rule
-A zone_vpn_output -m comment --comment "!fw3" -j zone_vpn_dest_ACCEPT
-A zone_vpn_src_ACCEPT -i tun0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o br-WAN -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o br-WAN -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o 3g-4G -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o 3g-4G -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_REJECT -o br-WAN -m comment --comment "!fw3" -j reject
-A zone_wan_dest_REJECT -o 3g-4G -m comment --comment "!fw3" -j reject
-A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
-A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
-A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
-A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
-A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_src_REJECT -i br-WAN -m comment --comment "!fw3" -j reject
-A zone_wan_src_REJECT -i 3g-4G -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Mon Oct 22 00:11:04 2018

I also did another test: I connected from my laptop to the server using the same client configuration (with topology subnet and the other changes posted above).
Connection succeeded, and I didn't get the write UDPv4: Operation not permitted (code=1) error.

After that, as a test, I tried to ping one of the devices in the server's network (192.168.3.1; the server is 192.168.3.110 / 10.8.0.1) from my laptop (10.8.0.6), but it didn't work. As far as I understand from the configuration, access should be bidirectional: all devices in the client network should be accessible from the server (required), and all devices in the server network should be accessible from the client (what I've tested, but it is not required in my case).

Similar message, but it works fine for me, so it's not important.

Default Windows firewall configuration permits ping/trace only for LocalSubnet in Private/Public zones.

Are you sure Windows has no routing limitations?

Try to modify the OpenVPN internal route (iroute):

ccd\client

iroute 192.168.1.0 255.255.255.0

ccd/client already looks this way.

How can I check it?
The OS is Windows Server 2016; I've enabled IP forwarding as this manual says and restarted the machine.

Also, I've added inbound and outbound firewall rules on the server (UDP 1194 and additional rules for the OpenVPN executables).

netsh shows that the forwarding is enabled for the TAP adapter (Ethernet 2):

PS C:\Users\Administrator> netsh
netsh>interface ipv4
netsh interface ipv4>show interfaces

Idx     Met         MTU          State                Name
---  ----------  ----------  ------------  ---------------------------
  1          75  4294967295  connected     Loopback Pseudo-Interface 1
  3           5        1500  disconnected  Ethernet
 17          55        1500  connected     Wi-Fi
  4          25        1500  disconnected  Local Area Connection* 11
 10          35        1500  connected     Ethernet 2

netsh interface ipv4>show interface 10

Interface Ethernet 2 Parameters
----------------------------------------------
IfLuid                             : ethernet_32773
IfIndex                            : 10
State                              : connected
Metric                             : 35
Link MTU                           : 1500 bytes
Reachable Time                     : 15000 ms
Base Reachable Time                : 30000 ms
Retransmission Interval            : 1000 ms
DAD Transmits                      : 3
Site Prefix Length                 : 64
Site Id                            : 1
Forwarding                         : enabled
Advertising                        : disabled
Neighbor Discovery                 : enabled
Neighbor Unreachability Detection  : enabled
Router Discovery                   : dhcp
Managed Address Configuration      : enabled
Other Stateful Configuration       : enabled
Weak Host Sends                    : disabled
Weak Host Receives                 : disabled
Use Automatic Metric               : enabled
Ignore Default Routes              : disabled
Advertised Router Lifetime         : 1800 seconds
Advertise Default Route            : disabled
Current Hop Limit                  : 0
Force ARPND Wake up patterns       : disabled
Directed MAC Wake up patterns      : disabled
ECN capability                     : application

Btw, thanks for the help!

Try pinging from the server to the client network with a packet capture (tcpdump or Wireshark) running to troubleshoot.

And also take into account the destination host's routing table and its firewall configuration.