Repeater as VPN tunnel - Problems

Hi guys,
I have trouble configuring a FRITZ!WLAN Repeater 1750E to work as a VPN tunnel. I want to use the repeater as a VPN tunnel so I don't have to activate the VPN on my PC.
The repeater is connected via Ethernet to my router.
So far I have loaded my OpenVPN config file and set up a VPN interface, a VPN firewall zone and a WLAN access point.
The internet works and the VPN connection is established on startup, but I still cannot access the intranet at work, which is why I need the VPN connection.

What am I missing?
Thanks in advance.

root@OpenWrt:~# logread -e openvpn
Thu Feb  4 09:05:56 2021 daemon.warn openvpn(traymond)[1958]: DEPRECATED OPTION: --cipher set to 'BF-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'BF-CBC' to --data-ciphers or change --cipher 'BF-CBC' to --data-ciphers-fallback 'BF-CBC' to silence this warning.
Thu Feb  4 09:05:57 2021 daemon.notice openvpn(traymond)[1958]: OpenVPN 2.5.0 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Thu Feb  4 09:05:57 2021 daemon.notice openvpn(traymond)[1958]: library versions: OpenSSL 1.1.1i  8 Dec 2020
Thu Feb  4 09:05:57 2021 daemon.warn openvpn(traymond)[1958]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Thu Feb  4 09:05:57 2021 daemon.warn openvpn(traymond)[1958]: WARNING: INSECURE cipher (BF-CBC) with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC). Support for these insecure ciphers will be removed in OpenVPN 2.6.
Thu Feb  4 09:05:57 2021 daemon.notice openvpn(traymond)[1958]: TCP/UDP: Preserving recently used remote address: [AF_INET]94.130.8.42:1194
Thu Feb  4 09:05:57 2021 daemon.notice openvpn(traymond)[1958]: UDP link local: (not bound)
Thu Feb  4 09:05:57 2021 daemon.notice openvpn(traymond)[1958]: UDP link remote: [AF_INET]94.130.8.42:1194
Thu Feb  4 09:06:00 2021 daemon.notice openvpn(traymond)[1958]: [gatekeep] Peer Connection Initiated with [AF_INET]94.130.8.42:1194
Thu Feb  4 09:09:07 2021 daemon.notice openvpn(traymond)[1958]: [gatekeep] Inactivity timeout (--ping-restart), restarting
Thu Feb  4 09:09:07 2021 daemon.notice openvpn(traymond)[1958]: SIGUSR1[soft,ping-restart] received, process restarting
Thu Feb  4 09:09:12 2021 daemon.warn openvpn(traymond)[1958]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Thu Feb  4 09:09:12 2021 daemon.notice openvpn(traymond)[1958]: TCP/UDP: Preserving recently used remote address: [AF_INET]94.130.8.42:1194
Thu Feb  4 09:09:12 2021 daemon.notice openvpn(traymond)[1958]: UDP link local: (not bound)
Thu Feb  4 09:09:12 2021 daemon.notice openvpn(traymond)[1958]: UDP link remote: [AF_INET]94.130.8.42:1194
Thu Feb  4 09:09:13 2021 daemon.notice openvpn(traymond)[1958]: [gatekeep] Peer Connection Initiated with [AF_INET]94.130.8.42:1194
Thu Feb  4 09:09:15 2021 daemon.warn openvpn(traymond)[1958]: WARNING: INSECURE cipher (BF-CBC) with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC). Support for these insecure ciphers will be removed in OpenVPN 2.6.
Thu Feb  4 09:09:15 2021 daemon.warn openvpn(traymond)[1958]: WARNING: INSECURE cipher (BF-CBC) with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC). Support for these insecure ciphers will be removed in OpenVPN 2.6.
Thu Feb  4 09:09:15 2021 daemon.warn openvpn(traymond)[1958]: WARNING: cipher with small block size in use, reducing reneg-bytes to 64MB to mitigate SWEET32 attacks.
Thu Feb  4 09:09:15 2021 daemon.notice openvpn(traymond)[1958]: TUN/TAP device tun0 opened
Thu Feb  4 09:09:15 2021 daemon.notice openvpn(traymond)[1958]: net_iface_mtu_set: mtu 1500 for tun0
Thu Feb  4 09:09:15 2021 daemon.notice openvpn(traymond)[1958]: net_iface_up: set tun0 up
Thu Feb  4 09:09:15 2021 daemon.notice openvpn(traymond)[1958]: net_addr_ptp_v4_add: 10.9.0.22 peer 10.9.0.21 dev tun0
Thu Feb  4 09:09:15 2021 daemon.notice openvpn(traymond)[1958]: /usr/libexec/openvpn-hotplug up traymond tun0 1500 1622 10.9.0.22 10.9.0.21 init
Thu Feb  4 09:09:15 2021 daemon.warn openvpn(traymond)[1958]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Thu Feb  4 09:09:15 2021 daemon.notice openvpn(traymond)[1958]: Initialization Sequence Completed

openvpn config

root@OpenWrt:/etc/config# cat openvpn

config openvpn 'traymond'
	option config '/etc/openvpn/traymond.ovpn'
	option enabled '1'

network config

root@OpenWrt:/etc/config# cat network 

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd2b:485e:bb57::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.0.31'
	option gateway '192.168.0.1'
	list dns '192.168.0.1'

config interface 'OVPN'
	option proto 'none'
	option ifname 'tun0'

firewall config

root@OpenWrt:/etc/config# cat firewall 

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option mtu_fix '1'
	option masq '1'

config zone
	option name 'ovpn_fw'
	option network 'OVPN'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option input 'REJECT'
	option forward 'REJECT'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled 'false'

config include
	option path '/etc/firewall.user'

config forwarding
	option src 'lan'
	option dest 'ovpn_fw'

config forwarding
	option src 'lan'
	option dest 'wan'

wireless config

root@OpenWrt:/etc/config# cat wireless 

config wifi-device 'radio0'
	option type 'mac80211'
	option channel '36'
	option hwmode '11a'
	option path 'pci0000:00/0000:00:00.0'
	option htmode 'VHT80'
	option cell_density '0'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'

config wifi-device 'radio1'
	option type 'mac80211'
	option channel '11'
	option hwmode '11g'
	option path 'platform/ahb/18100000.wmac'
	option htmode 'HT20'
	option disabled '1'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'

config wifi-iface 'wifinet2'
	option network 'lan'
	option ssid 'tlr'
	option encryption 'sae'
	option device 'radio0'
	option mode 'ap'
	option ieee80211w '2'
	option key '***********'

dhcp config

root@OpenWrt:/etc/config# cat dhcp 

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv6 'server'
	option ra 'server'
	option ra_slaac '1'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option ra_management '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

Activate the VPN connection and post the output to pastebin.com, redacting the private parts:

ubus call system board; uci show network; uci show firewall; uci show openvpn; \
ip address show; ip route show table all; ip rule show; iptables-save; \
head -v -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*

Thanks for the response. Here is the result:
https://pastebin.com/W7ZTRFwh


Do you want to route all client traffic to the VPN, or access only VPN-specific subnets?

I don't know if I understand your question.
I want all clients that are connected via the WLAN of the repeater to use the VPN.
But the VPN is only required for a specific subnet, right?! So there is no need to route all traffic?
Normally I use Tunnelblick on my MacBook, but I don't know how it handles that.

Are you connecting to your own VPN server, or a commercial VPN provider?

I'm connecting to the VPN server at my work, so I can access the intranet.

Assuming you need to access only subnets advertised by the VPN server:

You have 2 options:

  • Switch OpenWrt to router mode, as the AP/repeater modes are not suitable for routing.
  • Add static routes to each of those subnets via 192.168.0.31, either on each of your clients or on the main router 192.168.0.1.

For the second point, if I add the route to a client, does it mean I add a line like this to my hosts file?

## vpn home
192.168.0.31 192.168.111.0/24 192.168.112.0/24 192.168.110.0/24 192.168.90.0/24 10.9.0.0/24

Linux-based systems use /etc/hosts for name resolution; it is unrelated to routing.
You need to add those routes in your network connection config.
There are basically only a couple of routes if you simplify them.
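One way to work out the second option (static routes on each client, simplified as the reply suggests), as an added example that is not part of this thread: it takes the subnet list from the earlier post, collapses it with Python's ipaddress module, and emits the iproute2 commands a Linux client would run; the default gateway 192.168.0.1 is taken from the posted network config, while the `dev` name is an assumption (macOS clients would use `route add` instead).

```python
import ipaddress

# Subnets the poster listed as reachable only through the VPN (taken from
# the thread), and the repeater's LAN address that must become their next hop.
VPN_SUBNETS = [
    "192.168.111.0/24", "192.168.112.0/24", "192.168.110.0/24",
    "192.168.90.0/24", "10.9.0.0/24",
]
REPEATER_IP = "192.168.0.31"   # OpenWrt repeater, from the posted network config
DEFAULT_GW = "192.168.0.1"     # main router, from the posted network config


def summarize(prefixes):
    """Merge adjacent prefixes into the smallest equivalent set of routes.

    192.168.110.0/24 and 192.168.111.0/24 collapse into 192.168.110.0/23;
    the others have no neighbour and stay as they are.
    """
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def route_commands(prefixes, via, dev=None):
    """Return the iproute2 commands that send each summarized prefix via the repeater.

    `dev` is an assumed interface name; omit it to let the kernel pick one.
    """
    cmds = []
    for net in summarize(prefixes):
        cmd = f"ip route add {net} via {via}"
        if dev:
            cmd += f" dev {dev}"
        cmds.append(cmd)
    return cmds


def next_hop(dest, prefixes, via=REPEATER_IP, default_gw=DEFAULT_GW):
    """Longest-prefix match: which gateway a client uses for `dest` once the routes exist.

    Anything outside the VPN prefixes still follows the client's default route.
    """
    addr = ipaddress.ip_address(dest)
    nets = [ipaddress.ip_network(p) for p in summarize(prefixes)]
    best = max((n for n in nets if addr in n), key=lambda n: n.prefixlen, default=None)
    return via if best is not None else default_gw


if __name__ == "__main__":
    for line in route_commands(VPN_SUBNETS, REPEATER_IP, dev="eth0"):
        print(line)
```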

I see, I'm gonna check that. Thanks so far.
