Server VPN TAP on Netgear R9000 does not work with an OpenWrt 21.02 client

Hi, I'm trying to set up my Netgear R9000's OpenVPN server on my Xiaomi 4A with OpenWrt 21.02.
I want to configure the VPN only on LAN 1; LAN 2 and Wi-Fi without VPN.
I installed

  • openvpn-openssl
  • luci-app-openvpn

But the IP address is not changing.

This is my configuration:

/etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'xxxx:xxxx:xxxx::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.15.1'

config device
	option name 'eth0.2'
	option macaddr 'xx:xx:xx:xx:xx:xx'

config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '4 2 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0 6t'

config interface 'tap0'
	option proto 'none'
	option device 'tap0'

/etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	list network 'tap0'
	list device 'tap0'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled 'false'

config include
	option path '/etc/firewall.user'

OpenVPN client profile

client
# TAP = layer-2 (bridged) mode; on OpenWrt the tap interface has to be put into a bridge
dev tap
proto udp
remote myname.mynetgear.com 12974
resolv-retry infinite
nobind
persist-key
persist-tun
log /etc/openvpn/log.txt
<ca>
-----MY CERTIFICATE-----
</ca>
<cert>
-----MY CERTIFICATE-----
</cert>
<key>
-----MY CERTIFICATE-----
</key>
# No 'remote-cert-tls server' here: any certificate issued by the CA above,
# including another client's, would be accepted as the server.
# AES-128-CBC is the server's legacy cipher; OpenVPN 2.5 (shipped with 21.02)
# warns when 'cipher' is set without a matching 'data-ciphers' entry.
cipher AES-128-CBC
# 'comp-lzo' is deprecated and the OpenVPN project discourages compression over
# the tunnel at all (VORACLE); keep it only if the Netgear server requires it.
comp-lzo
verb 5

Usually OpenVPN is used in TUN mode (routed). Your router setup is suited for that, but you have OpenVPN in TAP mode.

If you really intend to use TAP mode (bridged) you need to put the TAP interface into a bridge along with an Ethernet port and/or a wifi AP. Then anything plugged into the bridge ports will act as part of the LAN of the other side, including getting a DHCP address from the other side's DHCP server. The firewall is not an issue for TAP, since it works at layer 2, basically making the TAP bridged network a dumb AP of the other network.

(TAP mode sounds great at first, but with a network of any size a lot of broadcast packets will unnecessarily go through the VPN only to be ignored, wasting bandwidth.)

The Netgear TUN configuration does not work. Many users have this problem.

Can you please help me with TAP mode (bridged) on OpenWrt?

Remove everything that you did to network and firewall so far. Then in /etc/config/network, set up a bridge:

config device
    option name 'br-vpn'
    option type 'bridge'
    list ports 'tap0'
    list ports 'lan1'

config interface 'vpn'
    option device 'br-vpn'
    option proto 'none'

Also of course remove lan1 from br-lan.

Start up OpenVPN and review logread to confirm a successful launch and connection (Initialization Sequence Completed should be logged). Plug a PC into lan1 and it should be bridged to the remote LAN.
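A worked version of the steps in the reply above, added here as an example and not code from the thread or from OpenWrt: it prints the uci commands that move one port out of br-lan into br-vpn together with tap0, checks logread output for the completed handshake, and classifies how the firewall treats the new interface. The last check is the caveat the reply skips: an interface that belongs to no zone falls through to the 'defaults' policies, and with the 'option input ACCEPT' from the first post the router's own services (SSH, LuCI, DNS) answer to anything on the remote LAN through the bridge, even though the bridged hosts on the port are not firewalled at all. Assumed names: the port is lan1 as in the reply (a DSA name; on a swconfig-based 4A like the one here it is a VLAN device such as eth0.3), OpenVPN creates tap0, and @device[0] is br-lan as in the posted config. The firewall sample inside is constructed to mirror the first post.

```shell
#!/bin/sh
# Added example for this thread (not the poster's or OpenWrt's own code).
# Assumptions: the dedicated port is lan1 (VPN_PORT; a VLAN device such as
# eth0.3 on a swconfig 4A), OpenVPN creates tap0, and network.@device[0]
# is the br-lan device section as in the posted /etc/config/network.

VPN_PORT="${VPN_PORT:-lan1}"

# Print the uci plan instead of running it so it can be reviewed first.
# On the router:  sh vpn-bridge.sh plan | sh
emit_bridge_uci() {
  cat <<EOF
uci -q del_list network.@device[0].ports='$VPN_PORT'
uci set network.vpnbr=device
uci set network.vpnbr.name='br-vpn'
uci set network.vpnbr.type='bridge'
uci add_list network.vpnbr.ports='tap0'
uci add_list network.vpnbr.ports='$VPN_PORT'
uci set network.vpn=interface
uci set network.vpn.device='br-vpn'
uci set network.vpn.proto='none'
uci commit network
/etc/init.d/network reload
/etc/init.d/openvpn restart
EOF
}

# Exit 0 when the OpenVPN log read on stdin shows a finished handshake.
# On the router:  logread -e openvpn | vpn_up && echo up
vpn_up() {
  grep -q 'Initialization Sequence Completed'
}

# Classify interface $1 against a firewall config read on stdin: "zoned" if
# some zone lists it, otherwise "unzoned-input-<policy>", where <policy> is
# the 'defaults' input policy that governs traffic arriving on it.
# On the router:  zone_exposure vpn < /etc/config/firewall
zone_exposure() {
  awk -v iface="$1" -v q="'" '
    $1 == "config" { sect = $2 }
    sect == "defaults" && $1 == "option" && $2 == "input" { gsub(q, "", $3); def = $3 }
    sect == "zone" && $1 == "list" && $2 == "network" { gsub(q, "", $3); if ($3 == iface) zoned = 1 }
    END { if (zoned) print "zoned"; else print "unzoned-input-" (def == "" ? "unset" : def) }'
}

# Constructed sample mirroring the first post: default input ACCEPT, and only
# lan/wan/wan6 assigned to zones. Nothing lists the new 'vpn' interface.
sample_firewall() {
  cat <<'EOF'
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option masq '1'
	list network 'wan'
	list network 'wan6'
EOF
}

# "plan" prints the uci commands; "audit" runs the two checks against the
# live router.
case "${1:-}" in
  plan)  emit_bridge_uci ;;
  audit) logread -e openvpn | vpn_up && echo "openvpn: up" || echo "openvpn: not up"
         echo "vpn interface: $(zone_exposure vpn < /etc/config/firewall)" ;;
esac
```

"unzoned-input-ACCEPT" means the OpenWrt box itself is reachable from the remote side; if that is not wanted, put the 'vpn' interface into its own zone with input REJECT (the bridged PC on lan1 is unaffected either way, as the reply says).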

Now it works, but the connection is very slow.
Could it be a configuration problem?

I have tested the same configuration with the OpenVPN software on Windows 11 and it is fast.

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'xxxx:xxxx:xxxx::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.15.1'

config device
	option name 'eth0.2'
	option macaddr 'xx:xx:xx:xx:xx:xx'

config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '2 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0 6t'

config device
	option name 'br-vpn'
	option type 'bridge'
	list ports 'eth0.3'
	list ports 'tap0'

config interface 'vpn'
	option device 'br-vpn'
	option proto 'static'
	option gateway '192.168.0.1'

config interface 'tap0'
	option device 'tap0'
	option proto 'none'

config switch_vlan
	option device 'switch0'
	option ports '4 6t'
	option vlan '3'

Take this out. It isn't doing anything, having been replaced by br-vpn. At least it doesn't seem to be breaking anything.

What do you mean by "slow"? If it's the MT7628-based (non-gigabit) 4A, that CPU is only good for about 10 Mb/s through OpenVPN. The MT7621 (gigabit) 4A will be slightly faster since it has more MHz, but the dual core is not much help because OpenVPN runs single-threaded. Obviously an x86 PC has a lot more CPU speed.

On Ookla Speedtest: download 0.53, upload 0.46.