Hello, first of all, I speak French most of the time so sorry if my English looks funny (I put some time into correcting this text so it should be alright).
I've been trying to configure an OpenVPN server for a few weeks on an 'Outdoor router' EZR30-Y4A (https://www.outdoorrouter.com/product/american-outdoor-4g-router-mimo-wi-fi-300mbps-canada-usa/), which is basically a Qualcomm QCA9531 (MIPS 24KC) with an integrated Quectel EC25A cellular modem in a nice waterproof box. It runs an OpenWrt firmware supplied by 'Outdoor router' that shows the following version in LuCI: OpenWrt 18.06.2 r7676-cddd7b4c77 / LuCI branch. I tried both the version supplied with the router and their latest version supplied by e-mail: https://www.dropbox.com/s/2wir31lcv8tykno/OPLK1907.bin?dl=0
Update: they sent me their Github: https://github.com/openezen/openwrt-ourdoorwifi
Before posting anything, I put a lot of hours into searching, reading and trying, which I'll try to summarize (I use forums as a last resort because most of the time problems are kind of obvious when you take a step back):
I can't get a client to connect to the server running on the EZR30-Y4A and, if it is configured as a client, I can't get it to connect to another server, but I am able to use the OpenVPN client on a Windows PC to connect to that same server while the Windows PC uses the internet connection supplied by the EZR30-Y4A (so I don't think my ISP is blocking the connection).
I'm not an expert, so sorry if my problem is obvious. My TP-Link router was the first time I set up a VPN server, so I still don't quite get how 'Interfaces', 'Firewall rules' and such should be configured in an application that uses a cellular modem connected to OpenWrt. I did read the OpenWrt wiki regarding the use of a cellular modem (my modem uses the 4G PPP protocol) but I think I might need some guidance on where to look! It comes with an interface called 'MOBILE' by default and it's simply assigned to the 'wan' firewall zone. It also comes with packages for PPP, QMI, NCM and Sierra Wireless modems by default. Another possible issue could be the custom OpenWrt firmware supplied by 'Outdoor router', which could have issues with OpenVPN.
Right now, the OpenVPN server log shows the following:
Tue Jul 9 00:49:56 2019 OpenVPN 2.4.5 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Tue Jul 9 00:49:56 2019 library versions: OpenSSL 1.0.2q 20 Nov 2018, LZO 2.10
Tue Jul 9 00:49:56 2019 Diffie-Hellman initialized with 2048 bit key
Tue Jul 9 00:49:56 2019 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Tue Jul 9 00:49:56 2019 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Tue Jul 9 00:49:56 2019 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Tue Jul 9 00:49:56 2019 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Tue Jul 9 00:49:56 2019 TUN/TAP device tun0 opened
Tue Jul 9 00:49:56 2019 TUN/TAP TX queue length set to 100
Tue Jul 9 00:49:56 2019 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Tue Jul 9 00:49:56 2019 /sbin/ifconfig tun0 192.168.8.1 netmask 255.255.255.0 mtu 1500 broadcast 192.168.8.255
Tue Jul 9 00:49:56 2019 Could not determine IPv4/IPv6 protocol. Using AF_INET
Tue Jul 9 00:49:56 2019 Socket Buffers: R=[163840->163840] S=[163840->163840]
Tue Jul 9 00:49:56 2019 UDPv4 link local (bound): [AF_INET][undef]:1194
Tue Jul 9 00:49:56 2019 UDPv4 link remote: [AF_UNSPEC]
Tue Jul 9 00:49:56 2019 GID set to nogroup
Tue Jul 9 00:49:56 2019 UID set to nobody
Tue Jul 9 00:49:56 2019 MULTI: multi_init called, r=256 v=256
Tue Jul 9 00:49:56 2019 IFCONFIG POOL: base=192.168.8.2 size=252, ipv6=0
Tue Jul 9 00:49:56 2019 Initialization Sequence Completed
The OpenVPN client log on the remote Windows PC shows the following:
Wed Jul 17 15:14:53 2019 OpenVPN 2.4.2 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on May 11 2017
Wed Jul 17 15:14:53 2019 Windows version 6.1 (Windows 7) 64bit
Wed Jul 17 15:14:53 2019 library versions: OpenSSL 1.0.2k 26 Jan 2017, LZO 2.10
Enter Management Password:
Wed Jul 17 15:14:53 2019 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25341
Wed Jul 17 15:14:53 2019 Need hold release from management interface, waiting...
Wed Jul 17 15:14:53 2019 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25341
Wed Jul 17 15:14:53 2019 MANAGEMENT: CMD 'state on'
Wed Jul 17 15:14:53 2019 MANAGEMENT: CMD 'log all on'
Wed Jul 17 15:14:53 2019 MANAGEMENT: CMD 'echo all on'
Wed Jul 17 15:14:53 2019 MANAGEMENT: CMD 'hold off'
Wed Jul 17 15:14:53 2019 MANAGEMENT: CMD 'hold release'
Wed Jul 17 15:14:53 2019 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Wed Jul 17 15:14:53 2019 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Wed Jul 17 15:14:53 2019 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Wed Jul 17 15:14:53 2019 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Wed Jul 17 15:14:53 2019 MANAGEMENT: >STATE:1563390893,RESOLVE,,,,,,
Wed Jul 17 15:14:53 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]X.X.X.X:1194
Wed Jul 17 15:14:53 2019 Socket Buffers: R=[8192->8192] S=[8192->8192]
Wed Jul 17 15:14:53 2019 UDP link local: (not bound)
Wed Jul 17 15:14:53 2019 UDP link remote: [AF_INET]X.X.X.X:1194
Wed Jul 17 15:14:53 2019 MANAGEMENT: >STATE:1563390893,WAIT,,,,,,
I followed two guides:
- https://openwrt.org/docs/guide-user/services/vpn/openvpn/basic (which was successfull on my tp-link router)
- https://robert.penz.name/312/howto-connect-multiple-networks-over-the-internet-the-cheap-way/
My ISP for the cellular connection puts me behind its own router, so my DDNS is configured as follows (see "[Solved] DDNS on LEDE behind ISP router detects private ip"):
config ddns 'global'
option ddns_dateformat '%F %R'
option ddns_loglines '250'
option upd_privateip '0'
config service '(name)'
option enabled '1'
option use_logfile '1'
option lookup_host 'MY DNS'
option service_name 'SERVICE PROVIDER'
option domain 'MY DNS'
option username 'MY USER'
option password 'MY PW'
option ip_source 'web'
option ip_url 'http://ip.changeip.com'
option interface 'wan'
OpenVPN server config:
verb 3
user nobody
group nogroup
dev tun0
port 1194
proto udp
server 192.168.8.0 255.255.255.0
topology subnet
client-to-client
keepalive 10 120
persist-tun
persist-key
push "dhcp-option DNS 192.168.8.1"
push "dhcp-option DOMAIN lan"
push "redirect-gateway def1"
push "persist-tun"
push "persist-key"
log "/tmp/openvpn.log"
<dh>
-----BEGIN DH PARAMETERS-----
XXX
-----END DH PARAMETERS-----
</dh>
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
XXX
-----END OpenVPN Static key V1-----
</tls-crypt>
<ca>
-----BEGIN CERTIFICATE-----
XXX
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
XXX
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
XXX
-----END PRIVATE KEY-----
</key>
OpenVPN client config:
verb 3
dev tun
nobind
client
remote (MY DNS) 1194 udp
auth-nocache
remote-cert-tls server
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
XXX
-----END OpenVPN Static key V1-----
</tls-crypt>
<ca>
-----BEGIN CERTIFICATE-----
XXX
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
XXX
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
XXX==
-----END PRIVATE KEY-----
</key>
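A client stuck in the WAIT state with a server that reports "Initialization Sequence Completed" means the server never sees the first packet. With a cellular WAN the first thing to establish is whether the address on the MOBILE interface is public at all, since a carrier-NAT (100.64.0.0/10) or RFC 1918 address there means no firewall rule or DDNS setting on the router can make inbound UDP 1194 arrive. The script below is an added example, not from the original post or the guides it cites; it assumes the kernel device name of the MOBILE interface is passed as the first argument (for a PPP modem this is usually 3g-MOBILE, which `ifstatus MOBILE` will show), the DDNS hostname as the second, and that the busybox `ifconfig`, `nslookup` and `iptables -S` of OpenWrt 18.06 are available. The address classification and the verdict logic are pure functions so they can be exercised off the router.

```sh
#!/bin/sh
# Added example (not from the original post). Run on the OpenWrt router:
#   sh reach.sh 3g-MOBILE my.ddns.example      (device and hostname are assumptions)

# Classify a dotted-quad IPv4 address. Prints one of:
#   public | private | cgnat | loopback | linklocal | invalid
addr_class() {
    case $1 in
        *[!0-9.]*|*.*.*.*.*|*..*|.*|*.) echo invalid; return 1 ;;   # junk, 5+ parts, empty part
        *.*.*.*) ;;                                                # exactly four parts
        *) echo invalid; return 1 ;;
    esac
    a=${1%%.*}; r=${1#*.}; b=${r%%.*}; r=${r#*.}; c=${r%%.*}; d=${r#*.}
    for o in "$a" "$b" "$c" "$d"; do
        case $o in 0[0-9]*) echo invalid; return 1 ;; esac        # no leading zeros (octal ambiguity)
        [ "$o" -le 255 ] || { echo invalid; return 1; }
    done
    if   [ "$a" -eq 127 ]; then echo loopback                                    # 127.0.0.0/8
    elif [ "$a" -eq 10 ]; then echo private                                      # 10.0.0.0/8, RFC 1918
    elif [ "$a" -eq 172 ] && [ "$b" -ge 16 ] && [ "$b" -le 31 ]; then echo private   # 172.16.0.0/12
    elif [ "$a" -eq 192 ] && [ "$b" -eq 168 ]; then echo private                 # 192.168.0.0/16
    elif [ "$a" -eq 100 ] && [ "$b" -ge 64 ] && [ "$b" -le 127 ]; then echo cgnat    # 100.64.0.0/10, RFC 6598 carrier NAT
    elif [ "$a" -eq 169 ] && [ "$b" -eq 254 ]; then echo linklocal               # 169.254.0.0/16
    else echo public
    fi
}

# Decide whether an unsolicited inbound packet can reach the router.
# $1 = address on the WAN-side interface, $2 = address the DDNS name resolves to.
# Output starts with a keyword before the colon so scripts can branch on it.
verdict() {
    cls=$(addr_class "$1") || true
    case $cls in
        public)
            if [ "$1" = "$2" ]; then
                echo "reachable: WAN address $1 is public and matches DDNS"
            else
                echo "stale-ddns: WAN address $1 is public but the DDNS name resolves to $2"
            fi ;;
        cgnat|private)
            echo "carrier-nat: WAN address $1 is $cls; the ISP's NAT has no mapping for udp/1194, so inbound packets never reach this router unless the carrier forwards the port" ;;
        *)
            echo "unusable: WAN address $1 is $cls" ;;
    esac
}

# True when a loaded iptables rule accepts the given destination port (default 1194).
# On 18.06 the wiki's Allow-OpenVPN-Inbound rule appears here once fw3 has loaded it.
fw_rule_present() {
    iptables -S 2>/dev/null | grep -- "--dport ${1:-1194} " | grep -q -- "-j ACCEPT"
}

# Live check: read the interface address with busybox ifconfig, resolve the DDNS
# name with busybox nslookup (both output formats handled), then print the verdict.
wan_check() {
    dev=$1; host=$2
    local_ip=$(ifconfig "$dev" 2>/dev/null | sed -n 's/.*inet addr:\([0-9.]*\).*/\1/p' | head -n 1)
    [ -n "$local_ip" ] || { echo "no IPv4 address on $dev (is the MOBILE interface up?)"; return 2; }
    ddns_ip=$(nslookup "$host" 2>/dev/null | awk '/^Name/{f=1;next} f && /^Address/{sub(/.*: */,""); print $1; exit}')
    verdict "$local_ip" "${ddns_ip:-unresolved}"
    if fw_rule_present 1194; then
        echo "firewall: an accept rule for dport 1194 is loaded"
    else
        echo "firewall: no accept rule for dport 1194 found in iptables -S"
    fi
}

if [ $# -eq 2 ]; then wan_check "$1" "$2"; fi
```

If the verdict is carrier-nat, the server side cannot be fixed on the router: the options are a carrier plan with a public address, or running the EZR30-Y4A as an OpenVPN client that dials out to a host with a public address (which is the direction the post says already works from a Windows PC behind it). If it is stale-ddns, the web-based ip_source in the ddns config is reporting a different address than the one the router holds, which is expected behind a carrier NAT and is itself a sign of the same problem.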