Hi guys,
I am having trouble configuring a FRITZ!WLAN Repeater 1750E (running OpenWrt) to act as a VPN gateway. I want the repeater to terminate the VPN tunnel so that I do not have to run the VPN client on my PC.
The repeater is connected via Ethernet to my router.
So far I loaded my open vpn config file, setup a vpn interface, a vpn firewall and a wlan access point.
Internet access works and the VPN connection is established at boot, but I still cannot reach my work intranet, which is the whole reason I need the VPN. (Note the log below: the tunnel is also restarted by --ping-restart about three minutes after connecting, and the server negotiates the deprecated BF-CBC cipher.)
What am I missing?
Thanks in advance.
root@OpenWrt:~# logread -e openvpn
Thu Feb 4 09:05:56 2021 daemon.warn openvpn(traymond)[1958]: DEPRECATED OPTION: --cipher set to 'BF-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'BF-CBC' to --data-ciphers or change --cipher 'BF-CBC' to --data-ciphers-fallback 'BF-CBC' to silence this warning.
Thu Feb 4 09:05:57 2021 daemon.notice openvpn(traymond)[1958]: OpenVPN 2.5.0 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Thu Feb 4 09:05:57 2021 daemon.notice openvpn(traymond)[1958]: library versions: OpenSSL 1.1.1i 8 Dec 2020
Thu Feb 4 09:05:57 2021 daemon.warn openvpn(traymond)[1958]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Thu Feb 4 09:05:57 2021 daemon.warn openvpn(traymond)[1958]: WARNING: INSECURE cipher (BF-CBC) with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC). Support for these insecure ciphers will be removed in OpenVPN 2.6.
Thu Feb 4 09:05:57 2021 daemon.notice openvpn(traymond)[1958]: TCP/UDP: Preserving recently used remote address: [AF_INET]94.130.8.42:1194
Thu Feb 4 09:05:57 2021 daemon.notice openvpn(traymond)[1958]: UDP link local: (not bound)
Thu Feb 4 09:05:57 2021 daemon.notice openvpn(traymond)[1958]: UDP link remote: [AF_INET]94.130.8.42:1194
Thu Feb 4 09:06:00 2021 daemon.notice openvpn(traymond)[1958]: [gatekeep] Peer Connection Initiated with [AF_INET]94.130.8.42:1194
Thu Feb 4 09:09:07 2021 daemon.notice openvpn(traymond)[1958]: [gatekeep] Inactivity timeout (--ping-restart), restarting
Thu Feb 4 09:09:07 2021 daemon.notice openvpn(traymond)[1958]: SIGUSR1[soft,ping-restart] received, process restarting
Thu Feb 4 09:09:12 2021 daemon.warn openvpn(traymond)[1958]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Thu Feb 4 09:09:12 2021 daemon.notice openvpn(traymond)[1958]: TCP/UDP: Preserving recently used remote address: [AF_INET]94.130.8.42:1194
Thu Feb 4 09:09:12 2021 daemon.notice openvpn(traymond)[1958]: UDP link local: (not bound)
Thu Feb 4 09:09:12 2021 daemon.notice openvpn(traymond)[1958]: UDP link remote: [AF_INET]94.130.8.42:1194
Thu Feb 4 09:09:13 2021 daemon.notice openvpn(traymond)[1958]: [gatekeep] Peer Connection Initiated with [AF_INET]94.130.8.42:1194
Thu Feb 4 09:09:15 2021 daemon.warn openvpn(traymond)[1958]: WARNING: INSECURE cipher (BF-CBC) with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC). Support for these insecure ciphers will be removed in OpenVPN 2.6.
Thu Feb 4 09:09:15 2021 daemon.warn openvpn(traymond)[1958]: WARNING: INSECURE cipher (BF-CBC) with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC). Support for these insecure ciphers will be removed in OpenVPN 2.6.
Thu Feb 4 09:09:15 2021 daemon.warn openvpn(traymond)[1958]: WARNING: cipher with small block size in use, reducing reneg-bytes to 64MB to mitigate SWEET32 attacks.
Thu Feb 4 09:09:15 2021 daemon.notice openvpn(traymond)[1958]: TUN/TAP device tun0 opened
Thu Feb 4 09:09:15 2021 daemon.notice openvpn(traymond)[1958]: net_iface_mtu_set: mtu 1500 for tun0
Thu Feb 4 09:09:15 2021 daemon.notice openvpn(traymond)[1958]: net_iface_up: set tun0 up
Thu Feb 4 09:09:15 2021 daemon.notice openvpn(traymond)[1958]: net_addr_ptp_v4_add: 10.9.0.22 peer 10.9.0.21 dev tun0
Thu Feb 4 09:09:15 2021 daemon.notice openvpn(traymond)[1958]: /usr/libexec/openvpn-hotplug up traymond tun0 1500 1622 10.9.0.22 10.9.0.21 init
Thu Feb 4 09:09:15 2021 daemon.warn openvpn(traymond)[1958]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Thu Feb 4 09:09:15 2021 daemon.notice openvpn(traymond)[1958]: Initialization Sequence Completed
openvpn config
root@OpenWrt:/etc/config# cat openvpn
# /etc/config/openvpn — '#' comments are dropped again by `uci commit`.
# A single instance named 'traymond' (this is the "openvpn(traymond)" tag in
# logread). All tunnel settings come from the client profile referenced below,
# so the security-relevant knobs live in that .ovpn file, not in this section.
# The logged warnings point at three things to fix in the profile / on the server:
#   - BF-CBC is negotiated (64-bit block, SWEET32; support is removed in 2.6).
#     Move server and profile to `data-ciphers AES-256-GCM:AES-128-GCM`;
#     `data-ciphers-fallback BF-CBC` only silences the warning.
#   - "may cache passwords in memory": add `auth-nocache` to the profile.
#   - the link restarts on --ping-restart shortly after connecting; worth
#     checking keepalive/MTU on both ends before suspecting the firewall.
config openvpn 'traymond'
	option enabled '1'
	option config '/etc/openvpn/traymond.ovpn'
network config
root@OpenWrt:/etc/config# cat network
# /etc/config/network — '#' comments are dropped again by `uci commit`.
config interface 'loopback'
	option proto 'static'
	option ifname 'lo'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	# Site-local IPv6 prefix; 'lan' takes a /60 out of it via ip6assign.
	option ula_prefix 'fd2b:485e:bb57::/48'

# Bridge over the Ethernet port that connects to the upstream router.
# This is the device's only uplink: its default route goes via 192.168.0.1,
# and every Wi-Fi client is bridged straight into this same segment.
config interface 'lan'
	option proto 'static'
	option type 'bridge'
	option ifname 'eth0'
	option ipaddr '192.168.0.31'
	option netmask '255.255.255.0'
	option gateway '192.168.0.1'
	list dns '192.168.0.1'
	option ip6assign '60'

# Wrapper around the OpenVPN tun device so the firewall can place it in a zone.
# proto 'none': OpenVPN assigns the address itself (10.9.0.22 peer 10.9.0.21 in the log).
# NOTE(review): nothing in this file routes the work intranet into tun0. Either
# the server pushes those routes, or a static 'config route' section for the
# intranet prefix with `option interface 'OVPN'` is needed — confirm with `ip route`.
config interface 'OVPN'
	option ifname 'tun0'
	option proto 'none'
firewall config
root@OpenWrt:/etc/config# cat firewall
# /etc/config/firewall — '#' comments are dropped again by `uci commit`.
# Rule order matters to fw3 for overlapping matches, so the order below is kept as-is.
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
# 'lan' is both the client-facing bridge and the uplink to 192.168.0.1.
# input ACCEPT means SSH/LuCI on this box are reachable from every host on the
# segment, including anything joining via Wi-Fi — keep every SSID in 'lan' encrypted.
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan'
# Leftover from the stock config: no `option network`, so nothing is in this
# zone and the wan rules below currently match nothing. Harmless while the
# device sits behind the router; remove or populate it to avoid confusion.
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option mtu_fix '1'
option masq '1'
# Zone for the tunnel (interface 'OVPN' = tun0). masq hides LAN hosts behind
# the tunnel address; input/forward REJECT means nothing on the VPN side can
# reach this box or the LAN — only replies to LAN-initiated traffic come back.
config zone
option name 'ovpn_fw'
option network 'OVPN'
option output 'ACCEPT'
option masq '1'
option mtu_fix '1'
option input 'REJECT'
option forward 'REJECT'
# The rules from here to 'Support-UDP-Traceroute' look like the OpenWrt
# defaults; they all key on src 'wan', which has no members (see above).
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# IPsec pass-through into 'lan' from 'wan' — not used by this OpenVPN setup;
# safe to drop once the wan zone is removed.
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config rule
option name 'Support-UDP-Traceroute'
option src 'wan'
option dest_port '33434:33689'
option proto 'udp'
option family 'ipv4'
option target 'REJECT'
option enabled 'false'
# Custom iptables rules, if any, live here and are not shown on this page.
config include
option path '/etc/firewall.user'
# Every host on the bridge may send traffic into the work tunnel. Together
# with input ACCEPT on 'lan', an unencrypted SSID bridged into 'lan' would hand
# anonymous Wi-Fi clients a path into the corporate network.
config forwarding
option src 'lan'
option dest 'ovpn_fw'
# No-op at the moment: the wan zone has no interfaces.
config forwarding
option src 'lan'
option dest 'wan'
wireless config
root@OpenWrt:/etc/config# cat wireless
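# /etc/config/wireless — '#' comments are dropped again by `uci commit`.
config wifi-device 'radio0'
	option type 'mac80211'
	option path 'pci0000:00/0000:00:00.0'
	option hwmode '11a'
	option channel '36'
	option htmode 'VHT80'
	option cell_density '0'

# Stock OpenWrt AP (open SSID 'OpenWrt', encryption 'none'). radio0 is enabled
# above and this iface was never disabled, so it was broadcasting next to 'tlr'
# and bridging unauthenticated clients into 'lan' — which the firewall forwards
# into the work VPN. Disabled here; delete the section once confirmed unused.
config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'
	option disabled '1'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/ahb/18100000.wmac'
	option hwmode '11g'
	option channel '11'
	option htmode 'HT20'
	option disabled '1'

# Same stock open AP on the 2.4 GHz radio. The radio itself is off, but pin the
# iface off as well so re-enabling radio1 later does not expose an open SSID.
config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'
	option disabled '1'

# The intended AP: WPA3-SAE with management-frame protection required (ieee80211w 2).
config wifi-iface 'wifinet2'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'tlr'
	option encryption 'sae'
	option ieee80211w '2'
	option key '***********'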
dhcp config
root@OpenWrt:/etc/config# cat dhcp
# /etc/config/dhcp — '#' comments are dropped again by `uci commit`.
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
# Rejects upstream answers that point at private ranges (DNS-rebinding defence).
# NOTE(review): if intranet names are meant to be resolved through the VPN's
# DNS, their RFC1918 answers would be dropped unless the work domain is listed
# in `list rebind_domain` — worth checking if names resolve but addresses don't.
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
# Answers DHCP requests even for leases it does not know about — fine for a
# sole server, aggressive when another DHCP server shares the segment.
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option nonwildcard '1'
# Only serve DNS to directly attached networks.
option localservice '1'
option ednspacket_max '1232'
# DHCPv4 + DHCPv6/RA server on the 'lan' bridge. That bridge is the same
# segment as the upstream router at 192.168.0.1 (lan's gateway in
# /etc/config/network), so if that router also hands out leases there are two
# DHCP servers competing. Clients that take 192.168.0.1 as their gateway will
# never send intranet traffic through this box's tunnel; clients that take
# 192.168.0.31 will. NOTE(review): decide which one is authoritative — for a
# pure "dumb AP" set `option ignore '1'` here; for the VPN-gateway use case
# this box (or a static route on the router) has to be the clients' next hop.
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv6 'server'
option ra 'server'
option ra_slaac '1'
list ra_flags 'managed-config'
list ra_flags 'other-config'
option ra_management '1'
# There is no 'wan' interface in /etc/config/network; stock leftover.
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
# dnsmasq stays the DHCPv4 server; odhcpd only does DHCPv6/RA.
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'