Please help: no internet through OpenVPN

UPDATE: I think I have mostly solved the issue; it was to do with the way I was assigning static IPs to my users on OpenVPN. I was using a script file to do:

ifconfig-push 192.168.4.10 192.168.0.9

which I got from a guide on the interwebs, but I changed it to:

ifconfig-push 192.168.4.10 255.255.255.0

and now my router can see the internet, my clients get internet, and I can still ping the router from home.

Only problem left is I can't get to my router from the LAN, nor can I SSH into it. Well, maybe I will fix that... let's see.

Backstory: I am a network novice; however, the Internet did work when the OpenVPN client was connected, until I changed the IP address of the LAN.
Basically I had a setup where the router was on IP 192.168.0.2, connecting to the VPN server over LTE and getting the VPN IP of 192.168.4.20.

The VPN is hosted on my home router, which has the IP of 192.168.1. I didn't think this should be an issue having both routers on the same network, as both routers are remote.

However, I wondered why I couldn't ping 192.168.4.1 from home, so I then decided maybe it's not a good idea having both routers on the same network address. I changed the router with the OpenVPN client to 192.168.3.1 and suddenly I could ping it from home, so I thought I was done!

Until I then discovered no internet when connected to the router, and the router can't see the internet either. Strange: I can still ping the router from my home LAN, but nothing else goes in or out of the router?

OK, so internet worked when the LAN was 192.168.0.2 and the home router was 192.168.0.1, but change the router to 192.168.3.1 and it's broken. So surely my issue has to be something to do with static routing?

However, I am a noob and I have no idea how to sort that, so if you can, please help!

I want to also mention the same VPN works fine on my Android phone: no issues, I can see all devices and get internet. OpenVPN is running on an Asus RT-AX88U.

Also one strange thing to mention: even when it was working, when the IP was 192.168.0.2, the VPN interface always showed RX of 0 but TX always >1 on both IPs.

Also, FWIW, my WAN setup is: Router -> E3372 USB dongle with LTE. No wired devices connected, only WLAN (intended).

Also I googled the crap out of this and found a lot of guides to setting up VPN. Most are similar, some conflicting (some say create a VPN zone, others just say attach the VPN to the WAN zone; some say to forward LAN to VPN, or just add tun0 to the WAN zone's covered devices). In the end I found what worked when the IP was 192.168.0.2: just adding the VPN interface to the WAN zone worked (until I changed the IP).

Some guides also said to go to your WAN interface and put in custom DNS, and others had guides for creating rules and port forwards and setting masquerade on the LAN zone.

I don't think it's DNS related since I can't even ping by IP address.

The guide I followed in the end that worked (before I changed the IP) is here: https://www.youtube.com/watch?v=WRWZmcKejhg&t=571s&ab_channel=VanTechCorner

Also, the IP address of the USB dongle is 192.168.8.177/24.
The IP address of the LAN is 192.168.3.1/24.
IPv6 is enabled; maybe I should disable that?
Here is all my config:

OpenVPN profile:

xxx 1194
float
nobind
proto udp
dev tun
sndbuf 0
rcvbuf 0
keepalive 10 30

# for OpenVPN 2.4 or older
comp-lzo yes
# for OpenVPN 2.4 or newer
#compress lzo

auth-user-pass /etc/openvpn/xxxx.auth
client
auth SHA1
cipher AES-128-CBC
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
blah
-----END CERTIFICATE-----

</ca>

<cert>
-----BEGIN CERTIFICATE-----
blah
-----END CERTIFICATE-----

</cert>

<key>
-----BEGIN PRIVATE KEY-----
blah
-----END PRIVATE KEY-----

</key>

network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd64:3473:1860::/48'

config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth1'
	option proto 'dhcpv6'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config device
	option name 'eth0'
	option macaddr 'c2:3f:0e:77:3a:2a'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.3.1'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'
	option blinkrate '2'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 1 2 3 5'

config switch_port
	option device 'switch0'
	option port '1'
	option led '6'

config switch_port
	option device 'switch0'
	option port '2'
	option led '9'

config switch_port
	option device 'switch0'
	option port '5'
	option led '2'

config interface 'lte'
	option proto 'dhcp'
	option device 'eth2'

config interface 'vpn'
	option proto 'dhcp'
	option device 'tun0'

firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	list network 'lte'
	list network 'vpn'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled 'false'

config include
	option path '/etc/firewall.user'

Hope you can help me! Thanks!

VPN IP address cannot be changed, otherwise you will not connect to it

Leave the default address provided by the VPN provider

Since you're running both sides of the VPN, they both have to be properly set up. The simplest setting is to have the server VPN tunnel in that router's lan firewall zone and the client in its router's wan firewall zone. This will NAT the client's Internet usage into the tunnel, so LAN IPs are not so important. However, it is a good idea to have the two LANs different if you ever want to set up LAN-LAN routing. If you're just needing to encrypt and redirect Internet on the client, it is simpler.

The tunnel IPs must be different from anything else in the networks.

In the case of Internet access you have:
(client LAN) ---NAT to 192.168.4.20---> ~vpn~ 192.168.4.1 ---NAT to server's public IP---> Internet
The server's LAN isn't part of this process at all. But having the VPN tunnel in the server's lan firewall zone means that forwarding to WAN with NAT is already set up.


Thanks so much for the reply; unfortunately my mind is melting trying to wrap my head around it :frowning:

I kind of understand; however, the firewall settings on my ASUS router which is hosting the VPN server don't have any zones.

So yes, I think the issue is I want the VPN to go both ways.

I want the client and any clients connected to it to be able to see my home LAN, and it can.

For example, the router running the VPN client can SSH into one of my machines at home, as can a client connected to the router via WLAN! Great, but unfortunately that's not how I want to use the setup.

What I want is to see back the other way, for my home LAN to be able to see the VPN client. So is that actually possible to do with OpenVPN?

In my Asus router settings for VPN it's got a setting [Allow Client <-> Client] which wasn't turned on but now it is. But it still doesn't work.

Anyhoo, I will keep googling, but if what I want is possible, and it seems like it is from your post, I'm wondering if you would be so kind as to give instructions on what I need to change in both routers and what I need to change it to :slight_smile:

I really don't understand how firewall zones work completely. Need to learn that too.

In any case, I turned my firewall off on my router running the VPN server; that didn't fix anything.

The VPN server is my own, running on my router, and I push a config file which assigns an IP based on username. Seems to be working?

My remaining issue is client-to-client: getting it to work so I can SSH back into the OpenWrt or access the web interface.

The OpenWrt on either router can be reached using its tunnel IP (.4.X), as long as the firewall allows.

If you want direct access to machines on the client LAN, that requires a client config directory on the server, so the server is aware of the client LAN(s) and can install routes on the server router back to them. As routes to the client LANs now exist, the clients use symmetric routing instead of NAT. For this to work of course the client LAN needs to be a subnet that is unique to everything else.
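The "as long as the firewall allows" part, as an added example for the OpenWrt router running the VPN client (not the poster's config or mk24's): in the posted firewall the tun0 interface ('vpn') is listed in the 'wan' zone, whose input policy is REJECT, so only the Allow-Ping rule lets traffic from the home side in; SSH and LuCI over the tunnel are rejected. It assumes the 'vpn' interface is switched to proto 'none' (OpenVPN assigns the tun0 address itself) and that "list network 'vpn'" is removed from the 'wan' zone.

```conf
# /etc/config/network (assumption: proto 'none' instead of 'dhcp', the usual
# OpenWrt setting for a tunnel interface that OpenVPN addresses itself)
config interface 'vpn'
	option proto 'none'
	option device 'tun0'

# /etc/config/firewall: the tunnel gets its own zone.
# No 'masq' here: traffic to the home LAN keeps its real source address,
# which is what the iroute/ccd setup on the server side relies on.
config zone
	option name 'vpn'
	list network 'vpn'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Management from the home side of the tunnel only: SSH ...
config rule
	option name 'Allow-SSH-from-VPN'
	option src 'vpn'
	option proto 'tcp'
	option dest_port '22'
	option target 'ACCEPT'

# ... and the LuCI web interface
config rule
	option name 'Allow-HTTP-from-VPN'
	option src 'vpn'
	option proto 'tcp'
	option dest_port '80'
	option target 'ACCEPT'

# Home LAN -> devices behind this router (needs the server-side route back)
config forwarding
	option src 'vpn'
	option dest 'lan'

# This router's LAN -> home LAN through the tunnel.
# Internet still leaves via the existing lan -> wan forwarding ('lte').
config forwarding
	option src 'lan'
	option dest 'vpn'
```

Leaving the 'vpn' network in the 'wan' zone as well would apply both zones' policies to tun0, so it has to be in exactly one of them.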

Thanks a lot mk24, so I've now changed the VPN to be 10.8.0.xx.
The router hosting the VPN server is 192.168.0.1.

So different subnets now?

Or do you mean the actual IP address of the OpenWrt where the client is running needs to be on a different subnet?

Thanks

The two LANs need to be different. That is how routing works: a router will look at the subnet of the destination and determine where to send the packet.

The VPN server user interface must support per-client configuration of what OpenVPN calls "iroutes" back to the client's LAN. Since it is not running on official OpenWrt, that is outside the scope of this forum.

Thanks.

So this is now my setup:

Home router (VPN server): 192.168.0.1
Remote router (VPN client): 10.0.0.1

VPN IP assigned 10.8.0.6 to the client; 10.8.0.1 is the gateway for it.

Everything existing is working: I can ping 10.8.0.6 from home, the remote router has internet and so do the clients.

OK, so how now can I set it up so my home LAN (devices on 192.168.xx) can connect to the router at 10.8.0.6 (VPN IP)? Or can it be set up?

I was able to find the config.ovpn file on the Asus for the VPN server and it's already got this:

# Server Mode
server 10.8.0.0 255.255.255.0
client-config-dir ccd
client-to-client
duplicate-cn
push "route 192.168.0.0 255.255.255.0 vpn_gateway 500"
push "redirect-gateway def1"
push "dhcp-option DNS 192.168.0.1"
push "route 192.168.0.1"
push "block-outside-dns"
verify-client-cert none

What else do I need in there to make it work please? Thanks

You must use unique CNs -- meaning each client has its own certificate, with a CN that is unique in the system -- for ccd to work. Each client certificate's CN is used to look up the client in the client config directory -- which is an actual directory on the server's disk, so you need a way to write files on the server.

If you aren't using client certificates at all, ccd cannot work. As well as it being very insecure.
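The ccd and iroute mechanism described in the two replies above, as an added example (not the poster's Asus config and not mk24's). It assumes topology subnet (which is what makes the "address netmask" form of ifconfig-push valid), one certificate per client, a client whose certificate CN is the placeholder "remote-router", the thread's addressing (tunnel 10.8.0.0/24, home LAN 192.168.0.0/24, remote LAN 10.0.0.0/24), and that the home router forwards its LAN into the tunnel.

```conf
# server.conf on the home router (VPN server side)
server 10.8.0.0 255.255.255.0
# with topology subnet, ifconfig-push takes "address netmask"
topology subnet
# per-client files live here; the file name must equal the client cert CN
client-config-dir ccd
client-to-client
# kernel route on the server: send 10.0.0.0/24 into the tun interface
route 10.0.0.0 255.255.255.0
# tell the remote router how to reach the home LAN
push "route 192.168.0.0 255.255.255.0"
# Do NOT keep "verify-client-cert none": the ccd lookup is keyed on a
# verified client certificate CN. "duplicate-cn" is dropped for the same
# reason, so each CN maps to exactly one connected client.

# ccd/remote-router  (placeholder name == that client's certificate CN)
ifconfig-push 10.8.0.6 255.255.255.0
# internal OpenVPN route: packets for 10.0.0.0/24 belong to this client,
# so no NAT is needed on the client router and replies come back symmetrically
iroute 10.0.0.0 255.255.255.0
```

Both the server's `route` and the client's `iroute` are needed: the first gets the packet from the kernel into OpenVPN, the second tells OpenVPN which client owns that subnet.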

I just wanted to post an update: I got it working with OpenVPN with no fiddling!

I realised it was a dumb idea to let the internet route through my VPN, because this is a business device, and if my home internet goes out I assume the business will have no internet.

Anyhoo, so I changed my VPN to LAN access only, and after some changes in OpenWrt so it could get internet access from the WAN but have LAN access over the VPN, I can now see the router from my home network!

I can also ping it and SSH into it! So I'm happy. Thanks for all your help.
