Resource busy vpnclient + server simultaneously

Hi,

These are my first steps with WRT so I consider myself a newbie in this area.

Recently I got myself a WRT enabled router as I wanted to run a vpn client on my router instead of installing a vpn client on multiple systems.
At the same time, it would be nice if I could access certain lan resources remotely via vpn as well (so install vpn server as well).

Router is a Linksys WRT3200ACM.
Firmware: OpenWrt 18.06.4 r7808-ef686b7292 /LuCI openwrt-18.06 branch (git-19.170.32094-4d6d8bc)
Kernel Version: 4.14.131

As for the openvpn client I used the doc on the openwrt site:
https://openwrt.org/docs/guide-user/services/vpn/openvpn/client

This worked (also after reboot) but in system log I did see some errors related to ipv6:

Tue Aug 6 18:03:17 2019 daemon.notice openvpn(vpnclient)[5494]: GDG6: remote_host_ipv6=n/a
Tue Aug 6 18:03:17 2019 daemon.warn openvpn(vpnclient)[5494]: GDG6: NLMSG_ERROR: error Permission denied
Tue Aug 6 18:03:17 2019 daemon.warn openvpn(vpnclient)[5494]: OpenVPN ROUTE6: OpenVPN needs a gateway parameter for a --route-ipv6 option and no default was specified by either --route-ipv6-gateway or --ifconfig-ipv6 options
Tue Aug 6 18:03:17 2019 daemon.warn openvpn(vpnclient)[5494]: OpenVPN ROUTE: failed to parse/resolve route for host/network: fc00::/7

One of the last lines in the doc is that a redirect-gateway for ipv6 is added to the vpnclient.conf.

Question: Leave this as it is and ignore these lines in the log or should I remove/disable that redirect-gateway line in the conf file? Or modify something else?

With the openvpn client working it was time to try the openvpn server.
I found this doc: VPN Client & Server Simultaneously
https://openwrt.org/docs/guide-user/services/vpn/server_client

So first step is select protocol (openvpn) and install a vpn server.
For that I used the doc found on the openwrt site:
https://openwrt.org/docs/guide-user/services/vpn/openvpn/basic

I tested from laptop via 4G/hotspot to be sure I had an external connection.
I could make VPN connection to router but when I checked what my public ip was, it showed my ISP ip and not my vpnclient ip.

After reconnecting directly to the router and checking my public ip once more, it was still that from my ISP, also after reboot.

I continued with the steps for vpnclient and server at the same time and followed these steps:
https://openwrt.org/docs/guide-user/services/vpn/server_client

But in the end I keep getting these lines in system log:

Tue Aug 6 20:58:49 2019 daemon.warn openvpn(vpnclient)[3993]: GDG6: NLMSG_ERROR: error Permission denied
Tue Aug 6 20:58:49 2019 daemon.warn openvpn(vpnclient)[3993]: OpenVPN ROUTE6: OpenVPN needs a gateway parameter for a --route-ipv6 option and no default was specified by either --route-ipv6-gateway or --ifconfig-ipv6 options
Tue Aug 6 20:58:49 2019 daemon.warn openvpn(vpnclient)[3993]: OpenVPN ROUTE: failed to parse/resolve route for host/network: fc00::/7
Tue Aug 6 20:58:49 2019 daemon.warn openvpn(vpnclient)[3993]: OpenVPN ROUTE6: OpenVPN needs a gateway parameter for a --route-ipv6 option and no default was specified by either --route-ipv6-gateway or --ifconfig-ipv6 options
Tue Aug 6 20:58:49 2019 daemon.warn openvpn(vpnclient)[3993]: OpenVPN ROUTE: failed to parse/resolve route for host/network: 3000::/4
Tue Aug 6 20:58:49 2019 daemon.warn openvpn(vpnclient)[3993]: OpenVPN ROUTE6: OpenVPN needs a gateway parameter for a --route-ipv6 option and no default was specified by either --route-ipv6-gateway or --ifconfig-ipv6 options
Tue Aug 6 20:58:49 2019 daemon.warn openvpn(vpnclient)[3993]: OpenVPN ROUTE: failed to parse/resolve route for host/network: 2000::/4
Tue Aug 6 20:58:49 2019 daemon.warn openvpn(vpnclient)[3993]: OpenVPN ROUTE6: OpenVPN needs a gateway parameter for a --route-ipv6 option and no default was specified by either --route-ipv6-gateway or --ifconfig-ipv6 options
Tue Aug 6 20:58:49 2019 daemon.warn openvpn(vpnclient)[3993]: OpenVPN ROUTE: failed to parse/resolve route for host/network: ::/3
Tue Aug 6 20:58:49 2019 daemon.err openvpn(vpnclient)[3993]: ERROR: Cannot ioctl TUNSETIFF tun0: Resource busy (errno=16)
Tue Aug 6 20:58:49 2019 daemon.notice openvpn(vpnclient)[3993]: Exiting due to fatal error

Especially the last two lines seem to require attention.
Is it that both vpnserver and vpnclient want to use the tun0 device?
Documentation has no reference about using a different device when you want to use both vpnclient and vpnserver (or did I miss it?).

Anyone got an idea what to do here?
It would be great if both vpn client and server could run simultaneously.

Thank you.

Yes, each tunnel needs its own tunX interface.

The redirect ipv6 might have accidentally crept into that guide as there have been recent improvements on the wiki. If you're not using ipv6 leave that out and use the equivalent statement for ipv4 if you need it.
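
Added example (not part of the thread or of the OpenWrt wiki): a shell check that scans OpenVPN config files for instances pinned to the same `dev` name, which is the condition behind the `Cannot ioctl TUNSETIFF tun0: Resource busy` error above. The helper names and the sample configs are constructed for illustration, and it assumes plain `.conf` files rather than UCI-defined instances.

```shell
#!/bin/sh
# find_dev_conflicts FILE...
# Prints "CONFLICT <dev>: <files>" for every fixed tun/tap device name that
# more than one config file claims. Returns 1 if any conflict exists.
find_dev_conflicts() {
    awk '
        # Only the "dev" directive itself; dev-type, dev-node and
        # commented-out lines have a different first field.
        $1 == "dev" && $2 != "" {
            name = $2
            # Bare "dev tun" or "dev tap" lets the kernel pick a free unit,
            # so it cannot collide with a fixed name.
            if (name == "tun" || name == "tap") next
            if (count[name]++ == 0) {
                order[++n] = name
                owners[name] = FILENAME
            } else {
                owners[name] = owners[name] " " FILENAME
            }
        }
        END {
            bad = 0
            for (i = 1; i <= n; i++) {
                d = order[i]
                if (count[d] > 1) {
                    printf "CONFLICT %s: %s\n", d, owners[d]
                    bad = 1
                }
            }
            exit bad
        }
    ' "$@"
}

# Constructed sample configs mirroring the thread: both instances use tun0.
write_samples() {
    mkdir -p "$1"
    printf 'dev tun0\nproto udp\nport 1194\n' > "$1/vpnserver.conf"
    printf 'client\ndev tun0\nproto udp\n' > "$1/vpnclient.conf"
}

tmp=$(mktemp -d)
write_samples "$tmp"
find_dev_conflicts "$tmp"/*.conf || echo "give each instance its own dev, e.g. tun1 for the client"
rm -rf "$tmp"
```
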

Hi,

Thanks for your reply.

I changed the tunX device for the vpnclient to tun1 and that worked.
So vpnclient uses zone1 and tun1 and vpnserver uses zone0 and tun0.

But unfortunately I cannot get them to work at the same time.
I keep getting a TLS error on both laptop and router.

I restored a previous config and only installed the vpnserver and then it works fine; I can connect from my laptop via 4G.

I did the vpnclient install and the 'VPN Client & Server Simultaneously' setup steps but they won't work together (yet).

Part of the vpn log on my laptop attempting to connect:

Thu Aug 08 08:56:00 2019 UDP link remote: [AF_INET]xxx.xxx.xxx.xxx:1194
Thu Aug 08 08:56:00 2019 MANAGEMENT: >STATE:1565247360,WAIT,,,,,,
Thu Aug 08 08:57:00 2019 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu Aug 08 08:57:00 2019 TLS Error: TLS handshake failed
Thu Aug 08 08:57:00 2019 SIGUSR1[soft,tls-error] received, process restarting
Thu Aug 08 08:57:00 2019 MANAGEMENT: >STATE:1565247420,RECONNECTING,tls-error,,,,,
Thu Aug 08 08:57:00 2019 Restart pause, 5 second(s)

Would you happen to have experience with running vpnclient and vpnserver at the same time?

It works for me when running WireGuard server and OpenVPN client using UDP for both with the following workaround:

. /lib/functions/network.sh
network_flush_cache
network_find_wan NET_IF
network_get_device NET_DEV "${NET_IF}"
network_get_ipaddr NET_ADDR "${NET_IF}"
network_get_gateway NET_GW "${NET_IF}"
ip -4 rule add from "${NET_ADDR}" lookup 1
ip -4 route add default via "${NET_GW}" dev "${NET_DEV}" table 1

But neither this way nor the fwmark method work for OpenVPN server using UDP:

. /lib/functions/network.sh
network_flush_cache
network_find_wan NET_IF
network_get_device NET_DEV "${NET_IF}"
network_get_gateway NET_GW "${NET_IF}"
VPN_PORT="1194"
VPN_PROTO="udp"
ip -4 rule add fwmark 1 lookup 1
ip -4 route add default via "${NET_GW}" dev "${NET_DEV}" table 1
iptables -t mangle -A OUTPUT -m comment --comment "OpenVPN-server" \
    -p "${VPN_PROTO}" --sport "${VPN_PORT}" -j MARK --set-mark 1

Meanwhile VPR also relies on the fwmark method and its documentation states that OpenVPN server should use TCP.


Hi,

Yes I must have overlooked that VPR requires TCP for OpenVPN Server.

Did those steps, set my vpnserver to use TCP, set my vpnclient on laptop to use TCP and modified the firewall traffic rule (created by the OpenVPN Server setup) to use TCP as well.

Now I can connect my laptop via OpenVPN-TCP to my router and internet access is using the vpnclient on the router, just like when connected to my LAN directly.

Thanks.
