Please Help With OpenVPN

Hi,

I have setup OpenVPN as per the instructions here: https://openwrt.org/docs/guide-user/services/vpn/openvpn/client-luci

I have the interface running, but traffic is either blocked or not directed via the VPN. Could somebody please advise what I need to do? I'm not experienced with firewall rules at all.

/etc/config/network:

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option packet_steering '1'
        option ula_prefix 'fd22:bbf3:283f::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.0.2'
        option gateway '192.168.0.1'
        list dns '1.1.1.1'
        list dns '8.8.8.8'
        list dns '8.8.4.4'
        list dns '192.168.0.1'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config interface 'VPN'
        option proto 'none'
        option device 'tun0'
        option auto '0'

/etc/config/firewall:

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone 'wan'
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list device 'tun+'
        list network 'wan'
        list network 'wan6'
        list network 'VPN'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled 'false'

config include
        option path '/etc/firewall.user'

config zone
        option name 'VPN'
        option input 'DROP'
        option output 'ACCEPT'
        option forward 'DROP'
        option masq '1'
        list network 'VPN'

config forwarding
        option src 'lan'
        option dest 'wan'

You have already added the VPN interface to the wan firewall zone, so you can erase the VPN firewall zone.
Other than that the configuration looks good.
I can see that you are using a default gateway on the lan interface. Do lan hosts use OpenWrt as their default gateway? If not, they'll be using the ISP router directly and they won't be able to use the VPN.
One solution is to disable the DHCP server on the ISP router and enable it on OpenWrt.
Another solution is to connect the OpenWrt WAN port to the ISP router, so there is proper network segregation.


@trendy I'm going to be running two routers: the ISP-provided one with no VPN and the OpenWrt one with VPN (when I can get it to work). Clients will be connecting via the respective lan/wifi to the separate routers, so I think everything should be ok? I have set the OpenWrt to the DMZ on the ISP router, so I think everything should be ok on that side?

Also, I have been messing about trying to get the VPN to work since my original post. Does everything look ok below?

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone 'wan'
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        list device 'tun0'
        list network 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled 'false'

config include
        option path '/etc/firewall.user'

config forwarding
        option src 'lan'
        option dest 'wan'

Also, I'm seeing this in the log; is this why I'm not seeing traffic via the VPN?

Tue Jul  6 11:35:01 2021 daemon.notice openvpn(DigibitAmsterdam)[2132]: UDP link local: (not bound)

As it stands, there is no separation between the routers, no matter where the lan host connects.

This doesn't look like an issue. Better to post the output of the following:
ip -4 addr; ip -4 ro list table all; ip -4 ru; traceroute 1.1.1.1


@trendy Ok, so I need to stop the OpenWrt router from being a client of the ISP router? So I'm guessing that it needs to be the DHCP server?

The output from those commands is:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
7: wan@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.0.2/24 brd 192.168.0.255 scope global wan
       valid_lft forever preferred_lft forever
10: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.0.2/24 brd 192.168.0.255 scope global br-lan
       valid_lft forever preferred_lft forever
13: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN qlen 500
    inet 10.8.0.143/24 scope global tun0
       valid_lft forever preferred_lft forever
default via 192.168.0.1 dev wan  src 192.168.0.2
10.8.0.0/24 dev tun0 scope link  src 10.8.0.143
174.138.13.4 via 192.168.0.1 dev br-lan
192.168.0.0/24 dev br-lan scope link  src 192.168.0.2
192.168.0.0/24 dev wan scope link  src 192.168.0.2
broadcast 10.8.0.0 dev tun0 table local scope link  src 10.8.0.143
local 10.8.0.143 dev tun0 table local scope host  src 10.8.0.143
broadcast 10.8.0.255 dev tun0 table local scope link  src 10.8.0.143
broadcast 127.0.0.0 dev lo table local scope link  src 127.0.0.1
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1
broadcast 192.168.0.0 dev br-lan table local scope link  src 192.168.0.2
broadcast 192.168.0.0 dev wan table local scope link  src 192.168.0.2
local 192.168.0.2 dev br-lan table local scope host  src 192.168.0.2
local 192.168.0.2 dev wan table local scope host  src 192.168.0.2
broadcast 192.168.0.255 dev br-lan table local scope link  src 192.168.0.2
broadcast 192.168.0.255 dev wan table local scope link  src 192.168.0.2
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 38 byte packets
 1  192.168.0.1 (192.168.0.1)  0.684 ms  0.499 ms  0.489 ms
 2  *  *  *
 3  lag2.sr10.sabir.isp.sky.com (89.200.132.86)  8.297 ms  8.850 ms  8.043 ms
 4  02780daf.bb.sky.com (2.120.13.175)  8.195 ms  7.996 ms  8.272 ms
 5  one.one.one.one (1.1.1.1)  8.008 ms  7.799 ms  8.459 ms

You have an IP conflict here: both wan and br-lan are configured with 192.168.0.2/24. Change the lan to 192.168.1.1.

Also, the default route is over the ISP, not the VPN. Post the VPN configuration here as well; you might have filtered the default gateway.


Adding a VPN to a dumb AP means that you will need to start routing between the VPN users and the VPN tunnel. If you leave VPN users on the LAN which is connected to the upstream network, they will continue to bridge to the upstream router, and since it doesn't know about any VPN, they go directly to the Internet.

There are two ways to do this. The simplest one is to maintain the default lan-->wan routing setup, as if the router was connected direct to the ISP even though it is not. When the conventional VPN client setup is implemented, the VPN will take over the route from the LAN to the Internet and send LAN users via VPN instead.

A more complicated way is to make a network for VPN users like a guest network. It would have its own separate IP range, DHCP server, and firewall zone. This network forwards to a vpntunnel zone containing the VPN tunnel. NAT must be enabled on this destination zone. The advantage of this setup is an inherent "kill switch" functionality — if the VPN fails, the VPN users have no Internet instead of (unknowingly) a raw connection.

Also, since a VPN client makes a regular outgoing connection to the server, there is no need to open ports or a DMZ on the main router.


@trendy Ok, I've set the IP of the router to 192.168.1.1. The VPN config is:

client
dev tun
proto udp
remote 174.138.13.4 1194
resolv-retry infinite
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
auth-user-pass /etc/openvpn/DigibitAmsterdam.auth
comp-lzo
reneg-sec 0
verb 3

@mk24 Thanks for the explanation, I think the best choice would be to reset the LAN to defaults?

@trendy @mk24 It's all working after changing the IP to 192.168.1.1. :fireworks:

Thanks for the help!

