Dear OpenWRT friends,
My Archer C2600 v1.0 with OpenWRT 18.06.2 drives me crazy and I need your help.
Pretty sure I messed up something in my configuration files on OpenWRT,
because it works perfectly when I substitute my Archer C2600 with a pfSense box (which was actually my initial setup before swapping the pfSense box for my C2600).
What I'm trying to do is basically (objective):
- OpenVPN site-to-site with SSL/TLS certificates (incl. tls-auth)
- with a pfSense OpenVPN server and an OpenWRT client
- to enable access to the LANs on both sides (client to server network access and server to client network access)
- whereas the pfSense server has a dynamic or static public IP and
- the OpenWRT client may be behind a carrier-grade NAT, i.e. having no public IP
The testing topology is:
SITE 1
site 1 LAN networks -[LAN ports]- pfSense server -[WAN port]- ISP public IP
|
internet (OpenVPN tunnel)
|
SITE 2
ISP CGNAT IP -[mobile_rf]- smartphone hotspot -[WLAN]- AP (OpenWRT) -[LAN port to WAN port]- AP (Archer C2600 OpenVPN client) -[LAN ports]- LAN networks of site 2
Problem: My OpenWRT router "freezes", meaning:
- LuCI freezes, no web interface connection possible
- SSH freezes, no connection possible
- nor do I have any connection to the internet
although:
- my PC connected to the C2600 router gets a LAN IP
- and the pfSense box shows the OpenVPN client (C2600) has connected successfully (also visible in the system log)
Configuration files (only additional parts to the default configuration):

/etc/config/network
config interface 'Sitetun0'
	option proto 'none'
	option ifname 'tun0'
	option delegate '0'

/etc/config/firewall
config zone
	option name 'Site_FW'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'Sitetun0'
	option family 'ipv4'
	option input 'ACCEPT'

config forwarding
	option dest 'Site_FW'
	option src 'lan'

config forwarding
	option dest 'lan'
	option src 'Site_FW'

/etc/config/openvpn
config openvpn 'Sitetun0'
	option config '/etc/openvpn/site.ovpn'
	option enabled '1'

/etc/openvpn/site.ovpn
dev tun0
persist-tun
persist-key
cipher AES-256-CBC
auth SHA256
compress lzo
tls-client
client
resolv-retry infinite
remote [pfsense public IP] [correct port] udp
verify-x509-name "site-to-site cert" name
auth-user-pass pass.txt
remote-cert-tls server
log-append /var/log/site.log
status /var/log/status.log
key-direction 1
<ca>
-----BEGIN CERTIFICATE-----
blabla
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
blabla
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
blabla
-----END PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
blabla
-----END OpenVPN Static key V1-----
</tls-auth>
Where is the bug?
Many thanks! and
cheers, Blinton
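As an added example (not part of the original post or of OpenWRT/pfSense), a small Python checker for the inline-profile format shown above: it parses the `<tag>...</tag>` blocks and the plain directives, then flags the client-side settings a certificate-based site-to-site setup relies on (remote-cert-tls, verify-x509-name, a control-channel key with key-direction) and enabled compression. The sample profile, its hostname and its key material are constructed placeholders.

```python
import re
# Constructed sample modelled on the client profile in the post (key body is a placeholder).
SAMPLE_PROFILE = """\
client
compress lzo
remote vpn.example.invalid 1194 udp
verify-x509-name "site-to-site cert" name
remote-cert-tls server
key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
placeholder-key-material
-----END OpenVPN Static key V1-----
</tls-auth>
"""

def parse_profile(text):
    """Return ({directive: [args, ...]}, {inline_tag: body}); comments/blanks are skipped."""
    opts, inline, tag, body = {}, {}, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if tag:  # inside an inline file block: collect lines until the closing tag
            if line == f"</{tag}>":
                inline[tag], tag, body = "\n".join(body), None, []
            else:
                body.append(line)
        elif (m := re.fullmatch(r"<([a-z0-9-]+)>", line)):
            tag = m.group(1)
        elif line and not line.startswith(("#", ";")):
            name, _, args = line.partition(" ")
            opts.setdefault(name, []).append(args.strip())
    return opts, inline

def audit_client_profile(text):
    """Return {finding_code: reason} for a TLS site-to-site client profile."""
    opts, inline = parse_profile(text)
    findings = {}
    if "remote-cert-tls" not in opts:
        findings["no-remote-cert-tls"] = "any cert from the same CA could pose as the server"
    if "verify-x509-name" not in opts:
        findings["no-verify-x509-name"] = "server certificate name is not pinned"
    if not any(k in opts or k in inline for k in ("tls-auth", "tls-crypt", "tls-crypt-v2")):
        findings["no-control-channel-key"] = "TLS handshake is exposed to any UDP sender"
    elif "tls-auth" in inline and "key-direction" not in opts:
        findings["tls-auth-no-key-direction"] = "inline tls-auth needs key-direction (opposite to the server's)"
    comp = [a for a in opts.get("compress", []) if a not in ("", "stub", "stub-v2")]
    if comp or any(a != "no" for a in opts.get("comp-lzo", [])):
        findings["compression-enabled"] = "compressing encrypted traffic enables VORACLE-style attacks"
    return findings
```

Run it against the real site.ovpn with `audit_client_profile(open(path).read())`; a profile that matches the one in the post should report only the compression finding.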