Raspbi 3 - Hotel Mode - OpenVPN Route / Firewall doesn't work correctly

Hi all,

The main problem that I have is that the OpenVPN connection is not used.

Here are some details about my plan, what I have done, and some logs.
Maybe one of you can help me.

My plan is to use a Raspberry Pi 3 for hotel trips, so that all connected clients are automatically routed through an OpenVPN tunnel, because most hotel Wi-Fi has no secure connection (also interesting for video streaming in hotels that offer high-bandwidth connections).

For the setup I use the Raspberry Pi 3 onboard WLAN chip as an access point for the local clients like smartphone / tablet / streaming stick - works -
A USB Wi-Fi stick is used as the Wi-Fi client which connects to the hotel Wi-Fi (I use a CSL 300 with a Ralink chipset; kmod-rt2800-usb is installed). - works -
An OpenVPN client on the Raspberry Pi connects to an OpenVPN server at home - works -
and needs to route all the traffic via the VPN connection. - doesn't work -

  • I installed the lede-17.01.4-brcm2708-bcm2710-rpi-3-ext4-sdcard.img.gz image on a Raspberry Pi 3.
  • The onboard Ethernet port is not used (eth0).
  • Set the onboard WLAN chip up as an access point (br-lan).
  • Set the USB Wi-Fi up as a client (wlan1).
  • Installed openvpn-ssl and followed the howto from the OpenWrt site (https://openwrt.org/docs/guide-user/services/vpn.client.openvpn.tun)
    I used the certificates and settings in the past with my Android smartphone and the OpenVPN for Android app, and it works without any problems.
  • Set up the firewall config as in the howto.

I test the scenario with the following setup:

  • the Wi-Fi client is connected to my smartphone (with an open hotspot)
  • my laptop is connected to the Raspberry Pi access point
  • the Raspberry Pi OpenVPN client connects to my home OpenVPN server

Every time I make a traceroute to (for example) google.com or open a "what is my IP" site, I see the IP from Vodafone and not from my local internet provider, so I know the connection is going out via my smartphone and not via the OpenVPN server.

Here are my settings:

/etc/config/network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd1d:3cac:99ce::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '172.16.24.1'

config interface 'wwan'
	option proto 'dhcp'

config interface 'vpn_n'
	option proto 'none'
	option ifname 'tun0'
	option auto '1'
	option delegate '0'

/etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option channel '11'
	option hwmode '11g'
	option path 'platform/soc/3f300000.mmc/mmc_host/mmc1/mmc1:0001/mmc1:0001:1'
	option htmode 'HT20'
	option country 'DE'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'LEDE'
	option encryption 'psk2'
	option key 'secret'

config wifi-device 'radio1'
	option type 'mac80211'
	option hwmode '11g'
	option path 'platform/soc/3f980000.usb/usb1/1-1/1-1.3/1-1.3:1.0'
	option htmode 'HT20'
	option channel '7'
	option country 'DE'

config wifi-iface
	option network 'wwan'
	option encryption 'psk2'
	option device 'radio1'
	option mode 'sta'
	option key 'secret'
	option ssid 'handy'

/etc/config/firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option network 'lan'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option network 'wwan'
	option input 'REJECT'
	option forward 'REJECT'

config zone
	option name 'vpnn_fw'
	option network 'vpn_n'
	option masq '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config forwarding
	option src 'vpnn_fw'
	option dest 'lan'

config include
	option path '/etc/firewall.user'

config forwarding
	option dest 'vpnn_fw'
	option src 'lan'

/etc/config/openvpn

config openvpn 'vpn_new'
	option dev 'tun'
	option nobind '1'
	option verb '3'
	option port '1194'
	option dev_type 'tun'
	option comp_lzo 'adaptive'
	option keepalive '5 30'
	option persist_tun '1'
	option persist_key '1'
	option client '1'
	list remote 'openvpn.server'
	option proto 'udp'
	option ca '/etc/luci-uploads/cbid.openvpn.vpn_new.ca'
	option cert '/etc/luci-uploads/cbid.openvpn.vpn_new.cert'
	option key '/etc/luci-uploads/cbid.openvpn.vpn_new.key'
	option auth 'SHA1'
	option enabled '1'
	option pull '1'

route -n

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.43.1    0.0.0.0         UG    0      0        0 wlan1
10.8.0.0        10.8.0.5        255.255.255.0   UG    0      0        0 tun0
10.8.0.5        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
172.16.24.0     0.0.0.0         255.255.255.0   U     0      0        0 br-lan
192.168.43.0    0.0.0.0         255.255.255.0   U     0      0        0 wlan1
192.168.43.1    0.0.0.0         255.255.255.255 UH    0      0        0 wlan1

ifconfig

br-lan    Link encap:Ethernet  HWaddr B8:27:EB:46:C3:B3  
          inet addr:172.16.24.1  Bcast:172.16.24.255  Mask:255.255.255.0
          inet6 addr: fe80::ba27:ebff:fe46:c3b3/64 Scope:Link
          inet6 addr: fd1d:3cac:99ce::1/60 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:9987 errors:0 dropped:0 overruns:0 frame:0
          TX packets:9672 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:2217628 (2.1 MiB)  TX bytes:6402524 (6.1 MiB)

eth0      Link encap:Ethernet  HWaddr B8:27:EB:46:C3:B3  
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:44 errors:0 dropped:0 overruns:0 frame:0
          TX packets:44 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1 
          RX bytes:3752 (3.6 KiB)  TX bytes:3752 (3.6 KiB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.8.0.6  P-t-P:10.8.0.5  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

wlan0     Link encap:Ethernet  HWaddr B8:27:EB:13:96:E6  
          inet6 addr: fe80::ba27:ebff:fe13:96e6/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:9987 errors:0 dropped:0 overruns:0 frame:0
          TX packets:9890 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:2217628 (2.1 MiB)  TX bytes:6676360 (6.3 MiB)

wlan1     Link encap:Ethernet  HWaddr 24:05:0F:73:B5:A8  
          inet addr:192.168.43.184  Bcast:192.168.43.255  Mask:255.255.255.0
          inet6 addr: fe80::2605:fff:fe73:b5a8/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:8443 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8408 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:6066232 (5.7 MiB)  TX bytes:2421901 (2.3 MiB)

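Added example, not part of the original post: a firewall configuration in the same UCI format as above, written for the "everything through the tunnel" use case. It keeps the thread's own interface and zone names (`wwan`, `vpn_n`, `vpnn_fw`) and the two `Allow-DHCP-Renew` / `Allow-Ping` rules from the posted file apply unchanged. The difference from the posted config is that the `config forwarding` section from `lan` to `wan` is gone: with the default `forward 'REJECT'` policy, LAN clients then reach the uplink only through the VPN zone, so when the tunnel (or the route through it) is missing, their traffic is rejected instead of being masqueraded out of wlan1, which is exactly the bypass the post is seeing. The VPN zone is also tightened to `input 'REJECT'` and has no forwarding back into `lan`, so other peers on the VPN (the server runs with `client_to_client`) cannot reach the router's services or the hotel-side clients.

```uci
# Added example (not from the thread): /etc/config/firewall for a router
# whose LAN clients may only leave through the OpenVPN tunnel.

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Hotel uplink: the router itself may talk to it (OpenVPN, DHCP), but
# nothing is forwarded into this zone because no "config forwarding"
# section names it as "dest".
config zone
	option name 'wan'
	option network 'wwan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

# Tunnel zone: masquerade LAN clients behind the tun0 address, clamp MSS
# for the smaller tunnel MTU, accept nothing from other VPN peers.
config zone
	option name 'vpnn_fw'
	option network 'vpn_n'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

# The only forwarding out of the LAN: into the tunnel. There is
# deliberately no "src 'lan' / dest 'wan'" section.
config forwarding
	option src 'lan'
	option dest 'vpnn_fw'
```

This only covers forwarded client traffic. The router's own connections (for example dnsmasq's upstream DNS queries on behalf of the clients) follow the kernel routing table, so until the tunnel's redirect-gateway routes are actually installed they still leave via wlan1 in the clear.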
The results of `ip route` when OpenVPN is connected would be helpful, as would your /etc/config/network and your OpenVPN configuration (all appropriately redacted for sensitive information).

Hi jeff

I pressed the Save button too fast, so a lot of information was missing after the first post was published :slight_smile:

I added much more information to the first post, but here is also what you requested:

ip route

default via 192.168.43.1 dev wlan1  src 192.168.43.184 
10.8.0.0/24 via 10.8.0.5 dev tun0 
10.8.0.5 dev tun0  src 10.8.0.6 
172.16.24.0/24 dev br-lan  src 172.16.24.1 
192.168.43.0/24 dev wlan1  src 192.168.43.184 
192.168.43.1 dev wlan1  src 192.168.43.184

Looks like something in your OpenVPN config, as I'd expect to see a route that's effectively "default" (shows as a 0/1 destination on my OpenVPN-connected laptop here) through the tunnel to the remote OpenVPN gateway. It might be either end of the OpenVPN connection that isn't setting up the route properly.

My OpenVPN server is also running on a router with LEDE.

Here is the config from the server.
Do you see something missing or too many config lines there?

/etc/config/openvpn - on OpenVPN Server

config openvpn 'myvpn'
	option enabled '1'
	option verb '3'
	option port '1194'
	option proto 'udp'
	option dev 'tun'
	option server '10.8.0.0 255.255.255.0'
	option push 'route 10.8.0.0 255.255.255.0'
	option push 'redirect-gateway def1'
	option duplicate_cn '1'
	option keepalive '10 120'
	option ca '/etc/openvpn/ca.crt'
	option cert '/etc/openvpn/my-server.crt'
	option key '/etc/openvpn/my-server.key'
	option dh '/etc/openvpn/dh2048.pem'
	option client_to_client '1'
	option float '1'
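As an added example (not code from any of the posts above), here is a small POSIX shell script that performs the two checks this thread turns on. The first is the one jeff describes: `redirect-gateway def1` installs two half-default routes, `0.0.0.0/1` and `128.0.0.0/1`, through the tunnel device, so their absence from `ip route` means the client never applied (or never received) the push. The second reads the `config forwarding` sections of an `/etc/config/firewall` file and reports whether the `lan` zone is forwarded straight to `wan`, which is what lets the clients' traffic fall back to the hotel uplink whenever those routes are missing. The sample inputs are constructed from the routing table and firewall file posted in the thread; the "redirected" routing table and the VPN server address 203.0.113.10 in it are assumptions for illustration.

```shell
#!/bin/sh
# Added example for this thread (not code from the original posts):
# two diagnostics for an OpenWrt/LEDE "route everything through OpenVPN" box.
# Both functions take their input as text, so they can be fed live output on
# the router (ip route / cat /etc/config/firewall) or the samples below.

# vpn_default_active ROUTES DEV
#   ROUTES: output of `ip route`; DEV: tunnel interface, e.g. tun0.
#   Returns 0 when both 0.0.0.0/1 and 128.0.0.0/1 go via DEV (the routes
#   "redirect-gateway def1" installs), 1 otherwise.
vpn_default_active() {
    routes=$1
    dev=$2
    printf '%s\n' "$routes" | grep -q "^0\.0\.0\.0/1 .*dev $dev" &&
    printf '%s\n' "$routes" | grep -q "^128\.0\.0\.0/1 .*dev $dev"
}

# forwardings CONFIG
#   CONFIG: text of an /etc/config/firewall file.
#   Prints one "src->dest" line per `config forwarding` section, in file order.
forwardings() {
    printf '%s\n' "$1" | awk -v q="'" '
        function flush() { if (insec) print src "->" dst; insec = 0; src = ""; dst = "" }
        $1 == "config" { flush(); if ($2 == "forwarding") insec = 1; next }
        insec && $1 == "option" && $2 == "src"  { gsub(q, "", $3); src = $3 }
        insec && $1 == "option" && $2 == "dest" { gsub(q, "", $3); dst = $3 }
        END { flush() }
    '
}

# has_lan_to_wan CONFIG
#   Returns 0 (true) if CONFIG forwards the lan zone straight to the wan zone,
#   i.e. clients can bypass the tunnel whenever its route is absent.
has_lan_to_wan() {
    forwardings "$1" | grep -q '^lan->wan$'
}

# --- constructed samples --------------------------------------------------
# Routing table as posted in the thread: provider default via wlan1, no /1 routes.
ROUTES_NO_REDIRECT='default via 192.168.43.1 dev wlan1  src 192.168.43.184
10.8.0.0/24 via 10.8.0.5 dev tun0
10.8.0.5 dev tun0  src 10.8.0.6
172.16.24.0/24 dev br-lan  src 172.16.24.1
192.168.43.0/24 dev wlan1  src 192.168.43.184'

# Assumed shape of the same table once redirect-gateway def1 is applied: the
# two /1 routes via tun0 plus a host route to the (made-up) VPN server address
# that keeps the tunnel's own UDP packets on the uplink.
ROUTES_REDIRECT="0.0.0.0/1 via 10.8.0.5 dev tun0
$ROUTES_NO_REDIRECT
128.0.0.0/1 via 10.8.0.5 dev tun0
203.0.113.10 via 192.168.43.1 dev wlan1"

# Forwarding-related sections of the thread's /etc/config/firewall.
FW_CONF=$(cat <<'EOF'
config forwarding
	option src 'lan'
	option dest 'wan'

config forwarding
	option src 'vpnn_fw'
	option dest 'lan'

config include
	option path '/etc/firewall.user'

config forwarding
	option dest 'vpnn_fw'
	option src 'lan'
EOF
)

if vpn_default_active "$ROUTES_NO_REDIRECT" tun0; then
    echo "tunnel default routes present"
else
    echo "no redirect-gateway routes: traffic follows the provider default"
fi
if has_lan_to_wan "$FW_CONF"; then
    echo "lan->wan forwarding exists: clients can bypass the tunnel"
fi
```

On the router, the live checks are `vpn_default_active "$(ip route)" tun0` and `has_lan_to_wan "$(cat /etc/config/firewall)"`. Both come back negative for the configuration posted here: the first because the /1 routes are missing, the second because the `lan` to `wan` forwarding is present, which together explain why the "what is my IP" site shows the smartphone's provider.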