Through help on here I have now got my OpenVPN configured and running. I also used the following link (although I don't use Nord) to create my LAN interfaces and firewall zones.
But what I really want to do is leave my default WAN traffic alone but be able to specify which devices on my network I want to pass through a specific VPN and then the WAN connection. I have googled and read a lot on here and there is a lot of information to take in (and indeed different ways it appears).
Can anyone give me some very high-level noob pointers on this, please? It would be appreciated.
So go easy on me I am trying to understand some of the terminology here.
I've created an OpenVPN instance called VPN_General and it connects fine, i.e. it starts.
I've created a network interface called VPNGEN interfaced to tun0
I've created a firewall zone called VPNgen and allowed forward from source zone lan:
The VPNGEN interface comes back with an 'Error: Network device is not present'.
Is this correct, and what are my next stages, please?
Let's see what might be the problem.
Please post here the output of the following command, copy and paste the whole block:
uci show network;uci show wireless; \
uci show firewall; uci show dhcp; \
ip -4 addr ; ip -4 ro ; ip -4 ru; \
iptables-save; \
head -n -0 /etc/firewall.user; \
ls -l /etc/resolv.* /tmp/resolv.*; head -n -0 /etc/resolv.* /tmp/resolv.*
Please use "Preformatted text </>" for logs, scripts, configs and general console output.
There doesn't seem to be any tunnel interface. Are you certain that the OpenVPN starts without errors?
Can you check the logs for any referral to OpenVPN?
Post also the VPN configuration.
You may want to edit your previous post and cover the wifi keys, public IP addresses and MAC addresses.
Wed Oct 16 12:19:17 2019 daemon.notice openvpn(VPN_General)[10789]: OpenVPN 2.4.7 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Wed Oct 16 12:19:17 2019 daemon.notice openvpn(VPN_General)[10789]: library versions: OpenSSL 1.1.1d 10 Sep 2019, LZO 2.10
Wed Oct 16 12:19:17 2019 daemon.notice openvpn(VPN_General)[10789]: Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Wed Oct 16 12:19:17 2019 daemon.notice openvpn(VPN_General)[10789]: Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Wed Oct 16 12:19:22 2019 daemon.err openvpn(VPN_General)[10789]: RESOLVE: Cannot resolve host address: xxxx:1194 (Try again)
I tried pinging the original host address after noticing this error and it wouldn't ping, so I changed it to one that does, but I still get the error. Tried it a few times and seem to get some success:
Wed Oct 16 12:24:05 2019 daemon.notice openvpn(VPN_General)[11570]: OpenVPN 2.4.7 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Wed Oct 16 12:24:05 2019 daemon.notice openvpn(VPN_General)[11570]: library versions: OpenSSL 1.1.1d 10 Sep 2019, LZO 2.10
Wed Oct 16 12:24:05 2019 daemon.notice openvpn(VPN_General)[11570]: Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Wed Oct 16 12:24:05 2019 daemon.notice openvpn(VPN_General)[11570]: Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Wed Oct 16 12:24:05 2019 daemon.notice openvpn(VPN_General)[11570]: TCP/UDP: Preserving recently used remote address: [AF_INET]xxx
Wed Oct 16 12:24:05 2019 daemon.notice openvpn(VPN_General)[11570]: Socket Buffers: R=[163840->163840] S=[163840->163840]
Wed Oct 16 12:24:05 2019 daemon.notice openvpn(VPN_General)[11570]: UDP link local: (not bound)
Wed Oct 16 12:24:05 2019 daemon.notice openvpn(VPN_General)[11570]: UDP link remote: [AF_INET]xxx
Wed Oct 16 12:24:05 2019 daemon.notice openvpn(VPN_General)[11570]: TLS: Initial packet from [AF_INET]xxx, sid=29ded650 87e5281c
Wed Oct 16 12:24:05 2019 daemon.warn openvpn(VPN_General)[11570]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Wed Oct 16 12:24:05 2019 daemon.notice openvpn(VPN_General)[11570]: VERIFY OK: depth=1, C=SE, ST=CA, L=Stockholm, O=PrivateVPN, CN=PrivateVPN CA, name=PrivateVPN, emailAddress=support@privatvpn.se
Wed Oct 16 12:24:05 2019 daemon.notice openvpn(VPN_General)[11570]: VERIFY KU OK
Wed Oct 16 12:24:05 2019 daemon.notice openvpn(VPN_General)[11570]: Validating certificate extended key usage
Wed Oct 16 12:24:05 2019 daemon.notice openvpn(VPN_General)[11570]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Oct 16 12:24:05 2019 daemon.notice openvpn(VPN_General)[11570]: VERIFY EKU OK
Wed Oct 16 12:24:05 2019 daemon.notice openvpn(VPN_General)[11570]: VERIFY OK: depth=0, C=SE, ST=CA, L=Stockholm, O=PrivateVPN, CN=PrivateVPN, name=PrivateVPN, emailAddress=support@privatvpn.se
Wed Oct 16 12:24:07 2019 daemon.warn openvpn(VPN_General)[11570]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1550', remote='link-mtu 1570'
Wed Oct 16 12:24:07 2019 daemon.warn openvpn(VPN_General)[11570]: WARNING: 'cipher' is used inconsistently, local='cipher AES-128-GCM', remote='cipher AES-256-CBC'
Wed Oct 16 12:24:07 2019 daemon.warn openvpn(VPN_General)[11570]: WARNING: 'auth' is used inconsistently, local='auth [null-digest]', remote='auth SHA256'
Wed Oct 16 12:24:07 2019 daemon.warn openvpn(VPN_General)[11570]: WARNING: 'keysize' is used inconsistently, local='keysize 128', remote='keysize 256'
Wed Oct 16 12:24:07 2019 daemon.notice openvpn(VPN_General)[11570]: Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Wed Oct 16 12:24:07 2019 daemon.notice openvpn(VPN_General)[11570]: [PrivateVPN] Peer Connection Initiated with [AF_INET]185.41.242.67:1194
Wed Oct 16 12:24:08 2019 daemon.notice openvpn(VPN_General)[11570]: SENT CONTROL [PrivateVPN]: 'PUSH_REQUEST' (status=1)
Wed Oct 16 12:24:08 2019 daemon.notice openvpn(VPN_General)[11570]: AUTH: Received control message: AUTH_FAILED
Wed Oct 16 12:24:08 2019 daemon.notice openvpn(VPN_General)[11570]: SIGTERM[soft,auth-failure] received, process exiting
I 'may' have resolved the OpenVPN connection at least. Like a true numpty I have been using the syntax:
username xxxxxxxxx
password xxxxxxxxx
in the auth file referred to above. When I edited out "username" and "password" I appear to have lost connection (I am remoting in) and now can't reconnect, which sort of says the VPN is working (I also use a dynamic DNS).
Nope, it doesn't conclude the session establishment process. You'll see the message Initialization Sequence Completed when everything works fine.
Check the .auth file that it has correct user-pass inside. Also use full path for the filename, in case it is not in the same working directory of the OpenVPN process.
OpenWRT works and the tun0 interface shows activity.
Now I need to allow dynamic DNS to function, i.e. remote connection, AND only allow the devices I specify to go through the VPN. I'm assuming as it stands at the moment that when enabled all traffic will be using the VPN. Is that correct?
> ls -l /etc/resolv.* /tmp/resolv.*; head -n -0 /etc/resolv.* /tmp/resolv.*
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
8: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
inet 192.168.0.1/24 brd 192.168.0.255 scope global br-lan
valid_lft forever preferred_lft forever
10: eth1.2@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
inet xx.xx.xx.xx/24 brd xx.xx.xx.xx scope global eth1.2
valid_lft forever preferred_lft forever
25: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
inet xx.xx.xx.xx/26 brd xx.xx.xx.xx scope global tun0
valid_lft forever preferred_lft forever
0.0.0.0/1 via xx.xx.xx.xx dev tun0
default via xx.xx.xx.xx dev eth1.2 proto static src xx.xx.xx.xx
xx.xx.xx.xx/24 dev eth1.2 proto kernel scope link src xx.xx.xx.xx
128.0.0.0/1 via xx.xx.xx.xx dev tun0
xx.xx.xx.xx via xx.xx.xx.xx dev eth1.2
xx.xx.xx.xx/26 dev tun0 proto kernel scope link src xx.xx.xx.xx
xx.xx.xx.xx/24 dev br-lan proto kernel scope link src xx.xx.xx.xx
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
lrwxrwxrwx 1 root root 16 Oct 11 15:31 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r-- 1 root root 0 Oct 16 11:20 /tmp/resolv.conf
-rw-r--r-- 1 root root 149 Oct 16 12:23 /tmp/resolv.conf.auto
==> /etc/resolv.conf <==
==> /tmp/resolv.conf <==
==> /tmp/resolv.conf.auto <==
# Interface lan
nameserver 8.8.8.8
nameserver 8.8.4.4
# Interface wan
nameserver xx.xx.xx.xx
nameserver xx.xx.xx.xx
search cable.virginmedia.net
As it stands now, all your traffic goes through the VPN tunnel. Therefore you can use the rules I posted earlier to classify traffic that should go via the regular ISP.
Regarding DynDNS, is the IP you got on the tun0 interface public or private?
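How trendy can tell from the routing table alone that everything exits via the tunnel, as an added diagnostic that was not posted in the thread: the 0.0.0.0/1 and 128.0.0.0/1 entries in the `ip -4 ro` output above are the two halves that OpenVPN's redirect-gateway adds, and because each is more specific than "default" they win without the ISP route ever being removed. The helper below reads `ip -4 ro` text and reports which interface carries that override; the sample tables are constructed from the posted output with the redacted addresses replaced by documentation-range placeholders.

```shell
# Report the interface that effectively owns the default route.
# Reads `ip -4 ro` output on stdin; prints the interface carrying both
# half-routes (0.0.0.0/1 + 128.0.0.0/1), or "none" if the ISP default
# route is still the one in charge.
vpn_default_iface() {
    lower='' upper=''
    while read -r dst rest; do
        # pick the word that follows "dev" on this route line
        dev=''
        set -- $rest
        while [ $# -ge 2 ]; do
            if [ "$1" = dev ]; then dev=$2; fi
            shift
        done
        case "$dst" in
            0.0.0.0/1)   lower=$dev ;;
            128.0.0.0/1) upper=$dev ;;
        esac
    done
    # both halves must point at the same interface to form a full override
    if [ -n "$lower" ] && [ "$lower" = "$upper" ]; then
        printf '%s\n' "$lower"
    else
        printf 'none\n'
    fi
}

# Constructed sample modelled on the routing table posted above
# (203.0.113.0/24 = ISP side, 10.8.0.0/26 = tunnel side, both placeholders).
ROUTES_WITH_VPN='0.0.0.0/1 via 10.8.0.1 dev tun0
default via 203.0.113.1 dev eth1.2 proto static src 203.0.113.50
203.0.113.0/24 dev eth1.2 proto kernel scope link src 203.0.113.50
128.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/26 dev tun0 proto kernel scope link src 10.8.0.6
192.168.0.0/24 dev br-lan proto kernel scope link src 192.168.0.1'

# Same table after route-nopull: the two half-routes are gone, so only
# hosts you explicitly policy-route will use tun0.
ROUTES_NOPULL='default via 203.0.113.1 dev eth1.2 proto static src 203.0.113.50
203.0.113.0/24 dev eth1.2 proto kernel scope link src 203.0.113.50
10.8.0.0/26 dev tun0 proto kernel scope link src 10.8.0.6
192.168.0.0/24 dev br-lan proto kernel scope link src 192.168.0.1'

# Live use on the router:  ip -4 ro | vpn_default_iface
printf '%s\n' "$ROUTES_WITH_VPN" | vpn_default_iface   # tun0
printf '%s\n' "$ROUTES_NOPULL" | vpn_default_iface     # none
```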
Would that just route any traffic from a device that I have setup with a static ip of 192.168.0.3 through the VPN or am I missing something?
And if I invoke OpenVPN and the VPN interface how do I get round my dynamic dns issue?
And as for being public or private the ip is from a subscribed service (no-ip) so I have Dynamic DNS running to make any ip changes that may occur and I access a PC on my home LAN via a port forwarding rule
When the OpenVPN tunnel is up, all traffic goes through the tunnel by default. The rule above is correct, but pointless.
You need to change the route command to use the wan interface, rather than the vpngen, for the devices you want to use the regular internet connection.
You didn't answer me if the IP you have on VPN tunnel interface is public or private (10.x.y.z, 172.16-31.x.y, 192.168.x.y).
no-ip gives you a name that is bound to the dynamic public IP that your interface has. If you have a private IP then it cannot work that simply.
I assume it is public as it currently is 82.x.y.z which will be the one set by the ISP
I have a hostname that I access remotely from which is xxxxx.noip.me and the service does the rest i.e. changes the ip when needed.
So are you saying that you have to live with all traffic going through the OpenVPN tunnel and you have to exclude devices from going through OpenVPN. I only want a couple of devices to go through the VPN and the rest (30+) normal gateway (non VPN).
Would I set up a new network range on top of my current 192.168.0.x, say 192.168.1.x, and set up a rule that excludes everything in the 192.168.0.x/24 range from passing through the VPN, but anything I set to a 192.168.1.x address would then go through the VPN? Is my logic right?
This is for the WAN interface and it works fine from what I understand. If your question is whether you can do the same on the OpenVPN tun interface, it depends on the IP that your tun has, private or public. Usually they give private IPs, hence there is no point for a dyndns service there and no possibility of port forwarding.
No, you can manipulate that. There is an option in Luci
Just to note for syntax purposes: I'm using 19.07, and OpenWrt is configurable in LuCI via editing the ovpn contents within the GUI, and the syntax is route-nopull (and not route_nopull). Just for reference.
So I added it and OpenVPN is alive, as is the interface (no RX traffic of course), and I can still remote connect. Many many thanks for your patience trendy. It is appreciated.
And one last question. Now I am all up and running, what is the syntax of the rule I would set up to say: if I am a specific IP address then pass all my traffic through my VPN interface (VPNGEN)?
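One way to express that rule persistently with uci, as an added example rather than trendy's answer or anything from the OpenWrt docs: a `route` section gives an extra routing table a default route out of VPNGEN, and one `rule` section per host sends traffic from that source address to the table. It assumes route-nopull is already in the ovpn config (so tun0 no longer overrides the main table), that the VPNGEN interface and VPNgen zone exist as set up earlier in the thread, and that table 100 is a free table number; the host addresses are constructed.

```shell
#!/bin/sh
# Policy routing on OpenWrt so that only the listed LAN hosts use VPNGEN
# while everyone else keeps the ISP default route.
# Set DRY_RUN=1 to print the uci commands instead of executing them.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Accept only a plain dotted-quad host address: digits and dots, exactly
# three dots, no empty octet, every octet 0-255 (no /32 suffix here).
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
        *.*.*.*.*) return 1 ;;
        *.*.*.*) ;;
        *) return 1 ;;
    esac
    ( IFS=.; for o in $1; do [ "$o" -le 255 ] || exit 1; done )
}

# policy_route_uci <interface> <table> <lan-ip>...
policy_route_uci() {
    iface=$1; table=$2; shift 2
    for ip in "$@"; do
        valid_ipv4 "$ip" || { echo "bad address: $ip" >&2; return 1; }
    done
    # default route inside the extra table, out of the VPN interface
    # (a point-to-point tun needs no gateway address)
    run uci set "network.${iface}_route=route"
    run uci set "network.${iface}_route.interface=$iface"
    run uci set "network.${iface}_route.target=0.0.0.0"
    run uci set "network.${iface}_route.netmask=0.0.0.0"
    run uci set "network.${iface}_route.table=$table"
    # one rule per host: traffic *from* that address looks up the table
    for ip in "$@"; do
        name="${iface}_rule_$(printf '%s' "$ip" | tr . _)"
        run uci set "network.$name=rule"
        run uci set "network.$name.src=$ip/32"
        run uci set "network.$name.lookup=$table"
    done
    run uci commit network
}

# On the router (hosts are constructed examples):
#   policy_route_uci VPNGEN 100 192.168.0.3 192.168.0.10 && /etc/init.d/network reload
```

Hosts selected this way still send their DNS queries to the router, which resolves them over the WAN, so their name lookups are not inside the tunnel unless you also hand them a resolver reached through it.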