PIA VPN successfully connects but clients not routing through it

djrobic · September 4, 2019, 10:00pm

Using the instructions I found at PrivateInternetAccess.com: https://www.privateinternetaccess.com/helpdesk/guides/routers/lede/lede-firmware-openvpn-setup#section-7-configure-openvpn-connection

I created a virtual machine (192.168.2.1) running the latest stable OpenWRT which sits behind my home router (192.168.1.1) and have managed to connect to the PIA VPN successfully. The problem is that when the VPN is up, my VM clients on the 192.168.2.0 network stop seeing the internet.

Suggestions?

I have had this config working successfully with DD-WRT for many years but would like to make the switch to OpenWRT.

Thanks in advance,
Dan

root@OpenWrt:/etc/config# cat network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdd1:635f:cfc1::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.2.1'

config interface 'wan'
	option ifname 'eth1'
	option proto 'dhcp'
	option peerdns '0'
	option dns '209.222.18.218 209.222.18.222'

config interface 'wan6'
	option ifname 'eth1'
	option proto 'dhcpv6'

config interface 'PIA_VPN'
	option proto 'none'
	option ifname 'eth0'

root@OpenWrt:/etc/config# cat firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option mtu_fix '1'
	option network 'PIA_VPN wan wan6'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config forwarding
	option dest 'wan'
	option src 'lan'

config openvpn 'PIA_VPN_CONFIG'
	option dev 'tun'
	option nobind '1'
	option verb '3'
	option persist_tun '1'
	option persist_key '1'
	option client '1'
	option auth_user_pass '/etc/openvpn/credentials.txt'
	list remote 'us-east.privateinternetaccess.com'
	option proto 'udp'
	option resolv_retry 'infinite'
	option mute_replay_warnings '1'
	option tls_client '1'
	option auth_nocache '1'
	option remote_cert_tls 'server'
	option compress 'lzo'
	option enabled '1'
	option auth 'SHA1'
	option cipher 'AES-128-CBC'
	option ca '/etc/openvpn/ca.rsa.2048.crt'
	option port '1198'

vgaetera · September 4, 2019, 11:32pm

This is incorrect.

djrobic · September 5, 2019, 2:51pm

Got it working last night. Thanks for your help!

tmomas · September 15, 2019, 2:51pm

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.