Raspberry pi zero w as VPN client

Hello!
I have configured an OpenVPN server on my ESXi home lab. I can connect to it with a laptop with OpenVPN Connect.

Now, what I want to achieve: I want to connect to some devices on the VPN client side from my home subnet. The VPN client is a Pi Zero W getting its Internet from WiFi (MIFI device).

I have installed OpenWrt on my Raspberry Pi Zero device. The Pi is connected to a WiFi network and gets an IP (192.168.1.15) from the MIFI mobile gateway (192.168.1.1). The USB port is connected to a USB-to-Ethernet device with a static address (192.168.1.150). The Ethernet port is connected to a hub where other Ethernet devices will also be connected.

I have installed the openvpn-openssl package and copied the vpnclient.ovpn from my server to the /etc/openvpn folder. Now I'm stuck at step 2 of this guide: https://openwrt.org/docs/guide-user/services/vpn/openvpn/client
I think I messed up somewhere, since the firewall file is now missing..

Here is my network configuration.

root@OpenWrt:~# uci show network
network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fd0a:71c9:0ee1::/48'
network.ETH=interface
network.ETH.type='bridge'
network.ETH.ifname='eth0'
network.ETH.force_link='1'
network.ETH.proto='static'
network.ETH.ipaddr='192.168.1.150'
network.ETH.netmask='255.255.255.0'
network.ETH.ip6assign='60'
network.wwan=interface
network.wwan.proto='dhcp'
network.wwan.peerdns='0'
network.wwan.dns='8.8.8.8 8.8.4.4'
network.vpnclient=interface
network.vpnclient.ifname='tun0'
network.vpnclient.proto='none'

I need help to rebuild the firewall file and to configure it to my needs.

Thanks

Fred

The default firewall config is here:
https://raw.githubusercontent.com/openwrt/openwrt/openwrt-19.07/package/network/config/firewall/files/firewall.config

Thank you for this!
I was able to complete step 2!!

For step 3, I skipped the "cat" command and just renamed my .ovpn config file to "client.conf" (this file was downloaded from the OpenVPN Access Server web page for the user).

I've run the "sed" command, then restarted the openvpn process, and after a minute I tried to log in to the OpenWrt web page and it was unresponsive with this message: Failed to execute 'open' on 'XMLHttpRequest': Invalid URL

I rebooted the Pi and logged in to OpenWrt. I don't see any section related to a VPN or OpenVPN to see the status or parameters on the page.. is it normal? :unamused:

This requires a couple of extra steps:

Thanks to those extra steps, I feel like I'm almost there!! :sweat_smile: The client connects to the server, but for less than a minute. Here's the part of the system log related to the openvpn process:

Thu Feb  4 08:01:06 2021 daemon.warn openvpn(client)[635]: WARNING: you are using user/group/chroot/setcon without persist-tun -- this may cause restarts to fail
Thu Feb  4 08:01:06 2021 daemon.warn openvpn(client)[635]: WARNING: you are using user/group/chroot/setcon without persist-key -- this may cause restarts to fail
Thu Feb  4 08:01:06 2021 daemon.warn openvpn(client)[635]: WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
Thu Feb  4 08:01:06 2021 daemon.notice openvpn(client)[635]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Feb  4 08:01:06 2021 daemon.notice openvpn(client)[635]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Feb  4 08:01:06 2021 daemon.notice openvpn(client)[635]: TCP/UDP: Preserving recently used remote address: [AF_INET]70.82.80.147:1194
Thu Feb  4 08:01:06 2021 daemon.notice openvpn(client)[635]: Socket Buffers: R=[163840->163840] S=[163840->163840]
Thu Feb  4 08:01:06 2021 daemon.notice openvpn(client)[635]: UDP link local: (not bound)
Thu Feb  4 08:01:06 2021 daemon.notice openvpn(client)[635]: UDP link remote: [AF_INET]70.82.80.147:1194
Thu Feb  4 08:01:06 2021 daemon.notice openvpn(client)[635]: TLS: Initial packet from [AF_INET]70.82.80.147:1194, sid=65709474 5a4cace2
Thu Feb  4 08:01:06 2021 daemon.notice openvpn(client)[635]: VERIFY OK: depth=1, CN=OpenVPN CA
Thu Feb  4 08:01:06 2021 daemon.notice openvpn(client)[635]: VERIFY OK: nsCertType=SERVER
Thu Feb  4 08:01:06 2021 daemon.notice openvpn(client)[635]: VERIFY OK: depth=0, CN=OpenVPN Server
Thu Feb  4 08:01:06 2021 daemon.notice openvpn(client)[635]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Thu Feb  4 08:01:06 2021 daemon.notice openvpn(client)[635]: [OpenVPN Server] Peer Connection Initiated with [AF_INET]70.82.80.147:1194
Thu Feb  4 08:07:04 2021 daemon.notice openvpn(client)[635]: SENT CONTROL [OpenVPN Server]: 'PUSH_REQUEST' (status=1)
Thu Feb  4 08:07:04 2021 daemon.notice openvpn(client)[635]: [OpenVPN Server] Inactivity timeout (--ping-restart), restarting
Thu Feb  4 08:07:04 2021 daemon.notice openvpn(client)[635]: SIGUSR1[soft,ping-restart] received, process restarting
Thu Feb  4 08:07:04 2021 daemon.notice openvpn(client)[635]: Restart pause, 5 second(s)
Thu Feb  4 08:07:09 2021 daemon.warn openvpn(client)[635]: WARNING: you are using user/group/chroot/setcon without persist-tun -- this may cause restarts to fail
Thu Feb  4 08:07:09 2021 daemon.warn openvpn(client)[635]: WARNING: you are using user/group/chroot/setcon without persist-key -- this may cause restarts to fail
Thu Feb  4 08:07:09 2021 daemon.warn openvpn(client)[635]: WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
Thu Feb  4 08:07:09 2021 daemon.notice openvpn(client)[635]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Feb  4 08:07:09 2021 daemon.notice openvpn(client)[635]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Feb  4 08:07:09 2021 daemon.notice openvpn(client)[635]: TCP/UDP: Preserving recently used remote address: [AF_INET]70.82.80.147:443
Thu Feb  4 08:07:09 2021 daemon.notice openvpn(client)[635]: Socket Buffers: R=[87380->87380] S=[16384->16384]
Thu Feb  4 08:07:09 2021 daemon.notice openvpn(client)[635]: Attempting to establish TCP connection with [AF_INET]70.82.80.147:443 [nonblock]
Thu Feb  4 08:07:10 2021 daemon.notice openvpn(client)[635]: TCP connection established with [AF_INET]70.82.80.147:443
Thu Feb  4 08:07:10 2021 daemon.notice openvpn(client)[635]: TCP_CLIENT link local: (not bound)
Thu Feb  4 08:07:10 2021 daemon.notice openvpn(client)[635]: TCP_CLIENT link remote: [AF_INET]70.82.80.147:443
Thu Feb  4 08:07:10 2021 daemon.notice openvpn(client)[635]: TLS: Initial packet from [AF_INET]70.82.80.147:443, sid=2e31909c ebc928c9
Thu Feb  4 08:07:10 2021 daemon.notice openvpn(client)[635]: VERIFY OK: depth=1, CN=OpenVPN CA
Thu Feb  4 08:07:10 2021 daemon.notice openvpn(client)[635]: VERIFY OK: nsCertType=SERVER
Thu Feb  4 08:07:10 2021 daemon.notice openvpn(client)[635]: VERIFY OK: depth=0, CN=OpenVPN Server
Thu Feb  4 08:07:10 2021 daemon.notice openvpn(client)[635]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Thu Feb  4 08:07:10 2021 daemon.notice openvpn(client)[635]: [OpenVPN Server] Peer Connection Initiated with [AF_INET]70.82.80.147:443
Thu Feb  4 08:07:11 2021 daemon.notice openvpn(client)[635]: SENT CONTROL [OpenVPN Server]: 'PUSH_REQUEST' (status=1)
Thu Feb  4 08:07:12 2021 daemon.notice openvpn(client)[635]: PUSH: Received control message: 'PUSH_REPLY,explicit-exit-notify,topology subnet,route-delay 5 30,dhcp-pre-release,dhcp-renew,dhcp-release,route-metric 101,ping 12,ping-restart 50,socket-flags TCP_NODELAY,compress stub-v2,redirect-gateway def1,redirect-gateway bypass-dhcp,redirect-gateway autolocal,route-gateway 172.27.224.1,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,register-dns,block-ipv6,ifconfig 172.27.224.2 255.255.248.0,peer-id 0,auth-tokenSESS_ID,cipher AES-256-GCM'
Thu Feb  4 08:07:12 2021 daemon.warn openvpn(client)[635]: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:4: dhcp-pre-release (2.4.7)
Thu Feb  4 08:07:12 2021 daemon.warn openvpn(client)[635]: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:5: dhcp-renew (2.4.7)
Thu Feb  4 08:07:12 2021 daemon.warn openvpn(client)[635]: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:6: dhcp-release (2.4.7)
Thu Feb  4 08:07:12 2021 daemon.warn openvpn(client)[635]: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:18: register-dns (2.4.7)
Thu Feb  4 08:07:12 2021 daemon.warn openvpn(client)[635]: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:19: block-ipv6 (2.4.7)
Thu Feb  4 08:07:12 2021 daemon.warn openvpn(client)[635]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Thu Feb  4 08:07:12 2021 daemon.notice openvpn(client)[635]: OPTIONS IMPORT: timers and/or timeouts modified
Thu Feb  4 08:07:12 2021 daemon.notice openvpn(client)[635]: OPTIONS IMPORT: --explicit-exit-notify can only be used with --proto udp
Thu Feb  4 08:07:12 2021 daemon.notice openvpn(client)[635]: OPTIONS IMPORT: compression parms modified
Thu Feb  4 08:07:12 2021 daemon.notice openvpn(client)[635]: OPTIONS IMPORT: --socket-flags option modified
Thu Feb  4 08:07:12 2021 daemon.notice openvpn(client)[635]: OPTIONS IMPORT: --ifconfig/up options modified
Thu Feb  4 08:07:12 2021 daemon.notice openvpn(client)[635]: OPTIONS IMPORT: route options modified
Thu Feb  4 08:07:12 2021 daemon.notice openvpn(client)[635]: OPTIONS IMPORT: route-related options modified
Thu Feb  4 08:07:12 2021 daemon.notice openvpn(client)[635]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Thu Feb  4 08:07:12 2021 daemon.notice openvpn(client)[635]: OPTIONS IMPORT: peer-id set
Thu Feb  4 08:07:12 2021 daemon.notice openvpn(client)[635]: OPTIONS IMPORT: adjusting link_mtu to 1627
Thu Feb  4 08:07:12 2021 daemon.notice openvpn(client)[635]: OPTIONS IMPORT: data channel crypto options modified
Thu Feb  4 08:07:12 2021 daemon.notice openvpn(client)[635]: Data Channel: using negotiated cipher 'AES-256-GCM'
Thu Feb  4 08:07:12 2021 daemon.notice openvpn(client)[635]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Feb  4 08:07:12 2021 daemon.notice openvpn(client)[635]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Feb  4 08:07:12 2021 daemon.notice netifd: Interface 'vpnclient' is enabled
Thu Feb  4 08:07:12 2021 daemon.notice netifd: Network device 'tun0' link is up
Thu Feb  4 08:07:12 2021 daemon.notice openvpn(client)[635]: TUN/TAP device tun0 opened
Thu Feb  4 08:07:12 2021 daemon.notice netifd: Interface 'vpnclient' has link connectivity
Thu Feb  4 08:07:12 2021 daemon.notice netifd: Interface 'vpnclient' is setting up now
Thu Feb  4 08:07:12 2021 daemon.notice openvpn(client)[635]: TUN/TAP TX queue length set to 100
Thu Feb  4 08:07:12 2021 daemon.notice openvpn(client)[635]: /sbin/ifconfig tun0 172.27.224.2 netmask 255.255.248.0 mtu 1500 broadcast 172.27.231.255
Thu Feb  4 08:07:12 2021 daemon.notice netifd: Interface 'vpnclient' is now up
Thu Feb  4 08:07:17 2021 daemon.err uhttpd[527]: luci: accepted login on / for root from 192.168.1.120
Thu Feb  4 08:07:17 2021 daemon.notice openvpn(client)[635]: /sbin/route add -net 70.82.80.147 netmask 255.255.255.255 gw 192.168.1.1
Thu Feb  4 08:07:17 2021 daemon.notice openvpn(client)[635]: /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 172.27.224.1
Thu Feb  4 08:07:17 2021 daemon.notice openvpn(client)[635]: /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 172.27.224.1
Thu Feb  4 08:07:17 2021 daemon.notice openvpn(client)[635]: GID set to nogroup
Thu Feb  4 08:07:17 2021 daemon.notice openvpn(client)[635]: UID set to nobody
Thu Feb  4 08:07:17 2021 daemon.notice openvpn(client)[635]: Initialization Sequence Completed
Thu Feb  4 08:07:19 2021 kern.err kernel: [   39.854858] ieee80211 phy0: brcmf_cfg80211_dump_station: BRCMF_C_GET_ASSOCLIST unsupported, err=-512
Thu Feb  4 08:07:20 2021 kern.err kernel: [   40.690921] ieee80211 phy0: brcmf_cfg80211_dump_station: BRCMF_C_GET_ASSOCLIST unsupported, err=-512
Thu Feb  4 08:07:25 2021 kern.err kernel: [   45.669122] ieee80211 phy0: brcmf_cfg80211_dump_station: BRCMF_C_GET_ASSOCLIST unsupported, err=-512
Thu Feb  4 08:08:52 2021 daemon.err openvpn(client)[635]: Connection reset, restarting [0]
Thu Feb  4 08:08:52 2021 daemon.notice openvpn(client)[635]: /sbin/route del -net 70.82.80.147 netmask 255.255.255.255
Thu Feb  4 08:08:52 2021 daemon.warn openvpn(client)[635]: ERROR: Linux route delete command failed: external program exited with error status: 1
Thu Feb  4 08:08:52 2021 daemon.notice openvpn(client)[635]: /sbin/route del -net 0.0.0.0 netmask 128.0.0.0
Thu Feb  4 08:08:52 2021 daemon.warn openvpn(client)[635]: ERROR: Linux route delete command failed: external program exited with error status: 1
Thu Feb  4 08:08:52 2021 daemon.notice openvpn(client)[635]: /sbin/route del -net 128.0.0.0 netmask 128.0.0.0
Thu Feb  4 08:08:52 2021 daemon.warn openvpn(client)[635]: ERROR: Linux route delete command failed: external program exited with error status: 1
Thu Feb  4 08:08:52 2021 daemon.notice openvpn(client)[635]: Closing TUN/TAP interface
Thu Feb  4 08:08:52 2021 daemon.notice openvpn(client)[635]: /sbin/ifconfig tun0 0.0.0.0
Thu Feb  4 08:08:52 2021 daemon.warn openvpn(client)[635]: Linux ip addr del failed: external program exited with error status: 1
Thu Feb  4 08:08:52 2021 daemon.notice netifd: Network device 'tun0' link is down
Thu Feb  4 08:08:52 2021 daemon.notice netifd: Interface 'vpnclient' has link connectivity loss
Thu Feb  4 08:08:52 2021 daemon.notice netifd: Interface 'vpnclient' is now down
Thu Feb  4 08:08:52 2021 daemon.notice openvpn(client)[635]: SIGUSR1[soft,connection-reset] received, process restarting
Thu Feb  4 08:08:52 2021 daemon.notice openvpn(client)[635]: Restart pause, 5 second(s)
Thu Feb  4 08:08:52 2021 daemon.notice netifd: Interface 'vpnclient' is disabled
Thu Feb  4 08:08:57 2021 daemon.warn openvpn(client)[635]: WARNING: you are using user/group/chroot/setcon without persist-tun -- this may cause restarts to fail
Thu Feb  4 08:08:57 2021 daemon.warn openvpn(client)[635]: WARNING: you are using user/group/chroot/setcon without persist-key -- this may cause restarts to fail
Thu Feb  4 08:08:57 2021 daemon.warn openvpn(client)[635]: WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
Thu Feb  4 08:08:57 2021 daemon.notice openvpn(client)[635]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Feb  4 08:08:57 2021 daemon.notice openvpn(client)[635]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Feb  4 08:08:57 2021 daemon.notice openvpn(client)[635]: TCP/UDP: Preserving recently used remote address: [AF_INET]70.82.80.147:443
Thu Feb  4 08:08:57 2021 daemon.notice openvpn(client)[635]: Socket Buffers: R=[87380->87380] S=[16384->16384]
Thu Feb  4 08:08:57 2021 daemon.notice openvpn(client)[635]: Attempting to establish TCP connection with [AF_INET]70.82.80.147:443 [nonblock]
Thu Feb  4 08:08:58 2021 daemon.err openvpn(client)[635]: TCP: connect to [AF_INET]70.82.80.147:443 failed: Host is unreachable
1 Like

Oh wait!! I remembered something I've read somewhere about the WWAN subnet that shouldn't be the same as the LAN.. So I changed the MIFI gateway subnet to 192.168.10.1 and now the tun interface stays up!

I will now try to configure the server/client to be able to reach the client side from the server-side subnet.

Thanks

Fred

1 Like