Setting up openVPN server on a OpenWrt router with integrated cellular modem

You need to fetch the server log after trying to connect the client.

Well, it is... the log won’t show anything else once the server is started (no matter how many times I try to connect). There’s simply no connection to the router.

I’ve managed to set up the whole DH, certificates and key following the guide on the wiki, and it’s working great on my other router, so I don’t think the problem really lies in the OpenVPN configuration itself (I tried a few times to do it, with a fresh firmware install). Here’s how I see it: the server is working on the TP-Link and the outdoor router isn’t. The only difference between the two is the mobile modem and the fact that it uses some kind of custom OpenWrt version. As for setup, I apply the same steps (I’ve run the same scripts on both); the only difference I had is in the DDNS setup, where the TP-Link doesn’t need to connect to a remote website to learn its public IP. So where should I look? Overall there aren’t many possible issues I can think of:

  • custom firmware
  • ISP blocks part of the traffic in some way I don’t get
  • Something special to setup when using a cellular modem integrated with openwrt
  • Repeated fuck-ups on my end!

Is your router's WAN IP in a public range and the same one that is registered in DDNS?

No, my ISP is giving me a LAN IP, hence I needed to use web as the IP source in my DDNS config (see my config in the first post and the reference topic for more info).
Edit: I got mixed in my bookmarks, here's the correct topic: [Solved] DDNS on LEDE behind ISP router detects private ip

Private addresses are not routable via the internet.
You can only use a static public address or a dynamic public address with DDNS.
However, if you have another router with a public address, you can use this router as a client and set up site-to-site connectivity.


If I understand, even if I’ve configured DDNS to get its public IP from a website (http://ip.changeip.com), incoming VPN clients won’t route through the ISP router? I can see on my DNS provider’s account that the router is sending the public IP and this part is working.

Update: Outdoor router sent me their GitHub for the firmware: https://github.com/openezen/openwrt-ourdoorwifi

DDNS only attaches a name to an IP address. It doesn't set up any routing.

If your WAN IP is in the 192.168 range it is likely your modem that is doing a NAT. Find out what is different in the modem configuration between the two routers.


I get that DDNS doesn't set up routing, but I didn't think it could be my mobile modem itself that puts me behind a NAT; I thought the ISP was doing this.

Here's how it looks in the LuCI overview under Network - IPv4 Upstream:

**Protocol:**  4G-PPP
**Address:**  10.206.X.X
**Netmask:**  255.255.255.255
**Gateway:**  10.64.X.X
**DNS 1:**  206.47.X.X
**DNS 2:**  207.231.X.X

Anyway, I have a few things to test, I'll dig a little around the modem configuration itself and I'll give a try to CCD also.

This looks like CG-NAT being done by the ISP, but did you say that you get a true public IP with the same ISP (same SIM card) on a different router?

No sorry, that's not what I meant.
The working server on the TP-Link router is on its own network, with a standard cable modem and a public dynamic IP.

In fact, I could test the TP-link behind the Outdoor router.

DDNS log on Outdoor router:

164834       : ************ ************** ************** **************
 164835  note : PID '3269' started at 2019-07-18 16:48
 164835       : ddns version  : 2.7.8-1
 164835       : uci configuration:
ddns.ddnshydrep.domain=(MYDNS)'
ddns.ddnshydrep.enabled='1'
ddns.ddnshydrep.interface='wan'
ddns.ddnshydrep.ip_source='web'
ddns.ddnshydrep.ip_url='http://ip.changeip.com'
ddns.ddnshydrep.lookup_host='(MYDNS)'
ddns.ddnshydrep.password='***PW***'
ddns.ddnshydrep.service_name='(PROVIDER)'
ddns.ddnshydrep.use_logfile='1'
ddns.ddnshydrep.username='(MYUSER)'
ddns.ddnshydrep=service
 164839       : verbose mode  : 0 - run normal, NO console output
 164839       : check interval: 600 seconds
 164840       : force interval: 259200 seconds
 164840       : retry interval: 60 seconds
 164841       : retry counter : 0 times
 164841       : No old process
 164841       : last update: never
 164841       : Detect registered/public IP
 164842       : #> /usr/bin/nslookup (MYDNS)  >/var/run/ddns/ddnsXXX.dat 2>/var/run/ddns/ddnsXXX.err
 164843       : Registered IP '184.B.B.B' detected
 164843  info : Starting main loop at 2019-07-18 16:48
 164843       : Detect local IP on 'web'
 164844       : #> /usr/bin/curl -RsS -o /var/run/ddns/ddnsXXX.dat --stderr /var/run/ddns/ddnsXXX.err --noproxy '*' 'http://ip.changeip.com'
 164846       : Local IP '67.A.A.A' detected on web at 'http://ip.changeip.com'
 164848       : Update needed - L: '67.A.A.A' <> R: '184.B.B.B'
 164849       : parsing script '/usr/lib/ddns/(provider script)'
 164850       : sending dummy IP to '(provider)'
 164850       : #> /usr/bin/curl -RsS -o /var/run/ddns/ddnsXXX.dat --stderr /var/run/ddns/ddnsXXX.err --noproxy '*' 'http://(MYUSER):***PW***@(provider)/nic/update?hostname=(MYDNS)t&myip=127.0.0.1'
 164852       : '(provider)' answered:
good 127.0.0.1
 164853       : sending real IP to '(provider)'
 164854       : #> /usr/bin/curl -RsS -o /var/run/ddns/ddnsXXX.dat --stderr /var/run/ddns/ddnshydrep.err --noproxy '*' 'http://(MYUSER):***PW***@(provider)/nic/update?hostname=(MYDNS)&myip=67.A.A.A'
 164856       : '(provider)' answered:
good 67.A.A.A
 164856  info : Update successful - IP '67.A.A.A' send
 164856  info : Forced update successful - IP: '67.A.A.A' send
 164857       : Waiting 600 seconds (Check Interval)
 165857       : Detect registered/public IP
 165858       : #> /usr/bin/nslookup (MYDNS)  >/var/run/ddns/ddnsXXX.dat 2>/var/run/ddns/ddnsXXX.err
 165858       : Registered IP '67.A.A.A' detected
 165859  info : Rerun IP check at 2019-07-18 16:58
 165859       : Detect local IP on 'web'
 165859       : #> /usr/bin/curl -RsS -o /var/run/ddns/ddnsXXX.dat --stderr /var/run/ddns/ddnsXXX.err --noproxy '*' 'http://ip.changeip.com'
 165901       : Local IP '67.A.A.A' detected on web at 'http://ip.changeip.com'
 165901       : Waiting 600 seconds (Check Interval)
 170902       : Detect registered/public IP
 170902       : #> /usr/bin/nslookup (MYDNS)  >/var/run/ddns/ddnsXXX.dat 2>/var/run/ddns/ddnsXXX.err
 170903       : Registered IP '67.A.A.A' detected
 170903  info : Rerun IP check at 2019-07-18 17:09
 170904       : Detect local IP on 'web'
 170904       : #> /usr/bin/curl -RsS -o /var/run/ddns/ddnsXXX.dat --stderr /var/run/ddns/ddnsXXX.err --noproxy '*' 'http://ip.changeip.com'
 170905       : Local IP '67.A.A.A' detected on web at 'http://ip.changeip.com'
 170906       : Waiting 600 seconds (Check Interval)
 171906       : Detect registered/public IP
 171906       : #> /usr/bin/nslookup (MYDNS)  >/var/run/ddns/ddnsXXX.dat 2>/var/run/ddns/ddnshydrep.err
 171907       : Registered IP '67.A.A.A' detected
 171908  info : Rerun IP check at 2019-07-18 17:19
 171908       : Detect local IP on 'web'
 171908       : #> /usr/bin/curl -RsS -o /var/run/ddns/ddnsXXX.dat --stderr /var/run/ddns/ddnsXXX.err --noproxy '*' 'http://ip.changeip.com'
 171910       : Local IP '67.A.A.A' detected on web at 'http://ip.changeip.com'
 171910       : Waiting 600 seconds (Check Interval)
 172911       : Detect registered/public IP
 172911       : #> /usr/bin/nslookup (MYDNS)  >/var/run/ddns/ddnsXXX.dat 2>/var/run/ddns/ddnsXXX.err
 172912       : Registered IP '67.A.A.A' detected
 172912  info : Rerun IP check at 2019-07-18 17:29
 172913       : Detect local IP on 'web'
 172913       : #> /usr/bin/curl -RsS -o /var/run/ddns/ddnsXXX.dat --stderr /var/run/ddns/ddnsXXX.err --noproxy '*' 'http://ip.changeip.com'
 172914       : Local IP '67.A.A.A' detected on web at 'http://ip.changeip.com'
 172915       : Waiting 600 seconds (Check Interval)

opkg update
opkg install tcpdump
tcpdump -n -i any udp port 1194

Then try to connect to the server from the internet and check the output.

I tried to connect around 18:28:11 and let tcpdump run until I had an error message on the client.

root@OutdoorRouter:/# tcpdump -n -i any udp port 1194
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
18:28:00.112631 IP 66.A.A.A.1194 > 10.B.B.B.34355: UDP, length 322
18:28:04.018618 IP 10.B.B.B.57433 > 66.A.A.A.1194: UDP, length 54
18:28:04.091571 IP 66.A.A.A.1194 > 10.B.B.B.57433: UDP, length 66
18:28:04.093788 IP 10.B.B.B.57433 > 66.A.A.A.1194: UDP, length 62
18:28:04.095676 IP 10.B.B.B.57433 > 66.A.A.A.1194: UDP, length 206
18:28:04.261620 IP 66.A.A.A.1194 > 10.B.B.B.57433: UDP, length 1128
18:28:04.263102 IP 10.B.B.B.57433 > 66.A.A.A.1194: UDP, length 62
18:28:04.267376 IP 66.A.A.A.1194 > 10.B.B.B.57433: UDP, length 1116
18:28:04.267379 IP 66.A.A.A.1194 > 10.B.B.B.57433: UDP, length 83
18:28:04.293743 IP 10.B.B.B.57433 > 66.A.A.A.1194: UDP, length 62
18:28:04.535319 IP 10.B.B.B.57433 > 66.A.A.A.1194: UDP, length 1128
18:28:04.537099 IP 10.B.B.B.57433 > 66.A.A.A.1194: UDP, length 1045
18:28:04.591574 IP 66.A.A.A.1194 > 10.B.B.B.57433: UDP, length 62
18:28:04.627958 IP 66.A.A.A.1194 > 10.B.B.B.57433: UDP, length 117
18:28:04.630515 IP 10.B.B.B.57433 > 66.A.A.A.1194: UDP, length 455
18:28:04.701588 IP 66.A.A.A.1194 > 10.B.B.B.57433: UDP, length 287
18:28:04.703221 IP 10.B.B.B.57433 > 66.A.A.A.1194: UDP, length 62
18:28:05.911359 IP 10.B.B.B.57433 > 66.A.A.A.1194: UDP, length 96
18:28:06.002965 IP 66.A.A.A.1194 > 10.B.B.B.57433: UDP, length 62
18:28:06.007982 IP 66.A.A.A.1194 > 10.B.B.B.57433: UDP, length 322
18:28:07.152663 IP 66.A.A.A.1194 > 10.B.B.B.57433: UDP, length 322
18:28:11.050206 IP 10.B.B.B.47972 > 66.A.A.A.1194: UDP, length 54
18:28:11.123212 IP 66.A.A.A.1194 > 10.B.B.B.47972: UDP, length 66
18:28:11.124285 IP 10.B.B.B.47972 > 66.A.A.A.1194: UDP, length 62
18:28:11.125106 IP 10.B.B.B.47972 > 66.A.A.A.1194: UDP, length 206
18:28:11.304544 IP 66.A.A.A.1194 > 10.B.B.B.47972: UDP, length 1128
18:28:11.306068 IP 10.B.B.B.47972 > 66.A.A.A.1194: UDP, length 62
18:28:11.307314 IP 66.A.A.A.1194 > 10.B.B.B.47972: UDP, length 1116
18:28:11.307317 IP 66.A.A.A.1194 > 10.B.B.B.47972: UDP, length 83
18:28:11.335411 IP 10.B.B.B.47972 > 66.A.A.A.1194: UDP, length 62
18:28:11.576952 IP 10.B.B.B.47972 > 66.A.A.A.1194: UDP, length 1128
18:28:11.578728 IP 10.B.B.B.47972 > 66.A.A.A.1194: UDP, length 1045
18:28:11.637605 IP 66.A.A.A.1194 > 10.B.B.B.47972: UDP, length 62
18:28:11.672854 IP 66.A.A.A.1194 > 10.B.B.B.47972: UDP, length 117
18:28:11.674883 IP 10.B.B.B.47972 > 66.A.A.A.1194: UDP, length 455
18:28:11.740610 IP 66.A.A.A.1194 > 10.B.B.B.47972: UDP, length 287
18:28:11.742247 IP 10.B.B.B.47972 > 66.A.A.A.1194: UDP, length 62
18:28:12.786804 IP 10.B.B.B.47972 > 66.A.A.A.1194: UDP, length 96
18:28:12.861866 IP 66.A.A.A.1194 > 10.B.B.B.47972: UDP, length 62
18:28:12.872763 IP 66.A.A.A.1194 > 10.B.B.B.47972: UDP, length 322
18:28:14.192754 IP 66.A.A.A.1194 > 10.B.B.B.47972: UDP, length 322
18:28:17.975379 IP 10.B.B.B.37483 > 66.A.A.A.1194: UDP, length 54
18:28:18.042642 IP 66.A.A.A.1194 > 10.B.B.B.37483: UDP, length 66
18:28:18.044852 IP 10.B.B.B.37483 > 66.A.A.A.1194: UDP, length 62
18:28:18.046495 IP 10.B.B.B.37483 > 66.A.A.A.1194: UDP, length 206
18:28:18.218938 IP 66.A.A.A.1194 > 10.B.B.B.37483: UDP, length 1128
18:28:18.220397 IP 10.B.B.B.37483 > 66.A.A.A.1194: UDP, length 62
18:28:18.222821 IP 66.A.A.A.1194 > 10.B.B.B.37483: UDP, length 1116
18:28:18.222824 IP 66.A.A.A.1194 > 10.B.B.B.37483: UDP, length 83
18:28:18.241088 IP 10.B.B.B.37483 > 66.A.A.A.1194: UDP, length 62
18:28:18.492652 IP 10.B.B.B.37483 > 66.A.A.A.1194: UDP, length 1128
18:28:18.494498 IP 10.B.B.B.37483 > 66.A.A.A.1194: UDP, length 1045
18:28:18.550881 IP 66.A.A.A.1194 > 10.B.B.B.37483: UDP, length 62
18:28:18.592876 IP 66.A.A.A.1194 > 10.B.B.B.37483: UDP, length 117
18:28:18.595854 IP 10.B.B.B.37483 > 66.A.A.A.1194: UDP, length 455
18:28:18.655047 IP 66.A.A.A.1194 > 10.B.B.B.37483: UDP, length 287
18:28:18.656724 IP 10.B.B.B.37483 > 66.A.A.A.1194: UDP, length 62
18:28:19.850638 IP 10.B.B.B.37483 > 66.A.A.A.1194: UDP, length 96
18:28:19.924901 IP 66.A.A.A.1194 > 10.B.B.B.37483: UDP, length 62
18:28:19.928666 IP 66.A.A.A.1194 > 10.B.B.B.37483: UDP, length 322
18:28:22.186041 IP 66.A.A.A.1194 > 10.B.B.B.37483: UDP, length 322
18:28:24.976933 IP 10.B.B.B.56877 > 66.A.A.A.1194: UDP, length 54
18:28:25.051669 IP 66.A.A.A.1194 > 10.B.B.B.56877: UDP, length 66
18:28:25.053499 IP 10.B.B.B.56877 > 66.A.A.A.1194: UDP, length 62
18:28:25.054551 IP 10.B.B.B.56877 > 66.A.A.A.1194: UDP, length 206
18:28:25.221720 IP 66.A.A.A.1194 > 10.B.B.B.56877: UDP, length 1128
18:28:25.223200 IP 10.B.B.B.56877 > 66.A.A.A.1194: UDP, length 62
18:28:25.226349 IP 66.A.A.A.1194 > 10.B.B.B.56877: UDP, length 1116
18:28:25.226353 IP 66.A.A.A.1194 > 10.B.B.B.56877: UDP, length 83
18:28:25.244885 IP 10.B.B.B.56877 > 66.A.A.A.1194: UDP, length 62
18:28:25.488098 IP 10.B.B.B.56877 > 66.A.A.A.1194: UDP, length 1128
18:28:25.489871 IP 10.B.B.B.56877 > 66.A.A.A.1194: UDP, length 1045
18:28:25.549920 IP 66.A.A.A.1194 > 10.B.B.B.56877: UDP, length 62
18:28:25.585561 IP 66.A.A.A.1194 > 10.B.B.B.56877: UDP, length 117
18:28:25.587609 IP 10.B.B.B.56877 > 66.A.A.A.1194: UDP, length 455
18:28:25.646043 IP 66.A.A.A.1194 > 10.B.B.B.56877: UDP, length 287
18:28:25.646986 IP 10.B.B.B.56877 > 66.A.A.A.1194: UDP, length 62
18:28:26.693557 IP 10.B.B.B.56877 > 66.A.A.A.1194: UDP, length 96
18:28:26.765792 IP 66.A.A.A.1194 > 10.B.B.B.56877: UDP, length 62
18:28:26.771581 IP 66.A.A.A.1194 > 10.B.B.B.56877: UDP, length 322
18:28:28.906085 IP 66.A.A.A.1194 > 10.B.B.B.56877: UDP, length 322
18:28:31.822725 IP 10.B.B.B.45953 > 66.A.A.A.1194: UDP, length 54
18:28:31.892941 IP 66.A.A.A.1194 > 10.B.B.B.45953: UDP, length 66
18:28:31.902803 IP 10.B.B.B.45953 > 66.A.A.A.1194: UDP, length 62
18:28:31.904360 IP 10.B.B.B.45953 > 66.A.A.A.1194: UDP, length 206
18:28:32.071260 IP 66.A.A.A.1194 > 10.B.B.B.45953: UDP, length 1128
18:28:32.072752 IP 10.B.B.B.45953 > 66.A.A.A.1194: UDP, length 62
18:28:32.077293 IP 66.A.A.A.1194 > 10.B.B.B.45953: UDP, length 1116
18:28:32.077296 IP 66.A.A.A.1194 > 10.B.B.B.45953: UDP, length 83
18:28:32.095818 IP 10.B.B.B.45953 > 66.A.A.A.1194: UDP, length 62
18:28:32.346139 IP 10.B.B.B.45953 > 66.A.A.A.1194: UDP, length 1128
18:28:32.347897 IP 10.B.B.B.45953 > 66.A.A.A.1194: UDP, length 1045
18:28:32.402333 IP 66.A.A.A.1194 > 10.B.B.B.45953: UDP, length 62
18:28:32.436838 IP 66.A.A.A.1194 > 10.B.B.B.45953: UDP, length 117
18:28:32.439855 IP 10.B.B.B.45953 > 66.A.A.A.1194: UDP, length 455
18:28:32.504965 IP 66.A.A.A.1194 > 10.B.B.B.45953: UDP, length 287
18:28:32.506023 IP 10.B.B.B.45953 > 66.A.A.A.1194: UDP, length 62
18:28:33.597620 IP 10.B.B.B.45953 > 66.A.A.A.1194: UDP, length 96
18:28:33.674099 IP 66.A.A.A.1194 > 10.B.B.B.45953: UDP, length 62
18:28:33.674101 IP 66.A.A.A.1194 > 10.B.B.B.45953: UDP, length 322
18:28:35.946096 IP 66.A.A.A.1194 > 10.B.B.B.45953: UDP, length 322
18:28:38.715231 IP 10.B.B.B.43460 > 66.A.A.A.1194: UDP, length 54
18:28:38.785725 IP 66.A.A.A.1194 > 10.B.B.B.43460: UDP, length 66
18:28:38.787515 IP 10.B.B.B.43460 > 66.A.A.A.1194: UDP, length 62
18:28:38.790281 IP 10.B.B.B.43460 > 66.A.A.A.1194: UDP, length 206
18:28:38.953171 IP 66.A.A.A.1194 > 10.B.B.B.43460: UDP, length 1128
18:28:38.954614 IP 10.B.B.B.43460 > 66.A.A.A.1194: UDP, length 62
18:28:38.959180 IP 66.A.A.A.1194 > 10.B.B.B.43460: UDP, length 1116
18:28:38.959182 IP 66.A.A.A.1194 > 10.B.B.B.43460: UDP, length 83
18:28:38.977297 IP 10.B.B.B.43460 > 66.A.A.A.1194: UDP, length 62
18:28:39.217618 IP 10.B.B.B.43460 > 66.A.A.A.1194: UDP, length 1128
18:28:39.219234 IP 10.B.B.B.43460 > 66.A.A.A.1194: UDP, length 1045
18:28:39.281724 IP 66.A.A.A.1194 > 10.B.B.B.43460: UDP, length 62
18:28:39.315734 IP 66.A.A.A.1194 > 10.B.B.B.43460: UDP, length 117
18:28:39.317782 IP 10.B.B.B.43460 > 66.A.A.A.1194: UDP, length 455
18:28:39.383730 IP 66.A.A.A.1194 > 10.B.B.B.43460: UDP, length 287
18:28:39.384699 IP 10.B.B.B.43460 > 66.A.A.A.1194: UDP, length 62
18:28:40.393485 IP 10.B.B.B.43460 > 66.A.A.A.1194: UDP, length 96
18:28:40.446221 IP 66.A.A.A.1194 > 10.B.B.B.43460: UDP, length 62
18:28:40.463009 IP 66.A.A.A.1194 > 10.B.B.B.43460: UDP, length 322
18:28:42.666253 IP 66.A.A.A.1194 > 10.B.B.B.43460: UDP, length 322
18:28:45.504518 IP 10.B.B.B.48369 > 66.A.A.A.1194: UDP, length 54
18:28:45.601747 IP 66.A.A.A.1194 > 10.B.B.B.48369: UDP, length 66
18:28:45.602975 IP 10.B.B.B.48369 > 66.A.A.A.1194: UDP, length 62
18:28:45.603722 IP 10.B.B.B.48369 > 66.A.A.A.1194: UDP, length 206
18:28:45.778320 IP 66.A.A.A.1194 > 10.B.B.B.48369: UDP, length 1128
18:28:45.779772 IP 10.B.B.B.48369 > 66.A.A.A.1194: UDP, length 62
18:28:45.784462 IP 66.A.A.A.1194 > 10.B.B.B.48369: UDP, length 1116
18:28:45.784465 IP 66.A.A.A.1194 > 10.B.B.B.48369: UDP, length 83
18:28:45.802757 IP 10.B.B.B.48369 > 66.A.A.A.1194: UDP, length 62
18:28:46.045916 IP 10.B.B.B.48369 > 66.A.A.A.1194: UDP, length 1128
18:28:46.047529 IP 10.B.B.B.48369 > 66.A.A.A.1194: UDP, length 1045
18:28:46.108007 IP 66.A.A.A.1194 > 10.B.B.B.48369: UDP, length 62
18:28:46.145034 IP 66.A.A.A.1194 > 10.B.B.B.48369: UDP, length 117
18:28:46.147949 IP 10.B.B.B.48369 > 66.A.A.A.1194: UDP, length 455
18:28:46.222022 IP 66.A.A.A.1194 > 10.B.B.B.48369: UDP, length 287
18:28:46.222975 IP 10.B.B.B.48369 > 66.A.A.A.1194: UDP, length 62
18:28:47.228725 IP 10.B.B.B.48369 > 66.A.A.A.1194: UDP, length 96
18:28:47.305919 IP 66.A.A.A.1194 > 10.B.B.B.48369: UDP, length 62
18:28:47.305921 IP 66.A.A.A.1194 > 10.B.B.B.48369: UDP, length 322
18:28:49.392734 IP 66.A.A.A.1194 > 10.B.B.B.48369: UDP, length 322

The 66.A.A.A IP isn't the public IP address registered to my DNS, but the 10.B.B.B is my 'wan' address.

Edit: Reading about CG NAT, I found this topic which looks like my problem: https://community.ui.com/questions/Site-to-Site-VPN-with-one-side-behind-carrier-grade-NAT/8db4b74f-e92d-465a-b6a8-3c3b68dea737

I've used a PC behind the 'outdoor router' to connect to my TP-Link's server; the incoming connection is on port 60280 while it should be 1194, so the ISP is using CG-NAT. I understand that even if I use DDNS, I won't be able to have a working server (unless DDNS could send a port number with the IP? I don't know if it's possible...).

The only solution I have right now is to get a client on my 'Outdoor router' to connect to another server (like my TP-Link) and use it as some kind of gateway for client-to-client communication. The problem is, I did try this in the past but it didn't work, so I'll start over with a fresh install and hopefully it was user error.
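The diagnosis above rests on two observations: the address LuCI shows on the cellular WAN is in a private range, and the address the DDNS "web" lookup publishes is a different, public one that belongs to the carrier's NAT. The following script is an added example (not from the thread or from OpenWrt) that makes that check repeatable on a workstation: it classifies a WAN address as RFC 1918, RFC 6598 (carrier-grade NAT) or public, compares it with the web-detected address, and pulls the local endpoint out of `tcpdump -n udp port 1194` output. All addresses and capture lines in it are constructed sample values, not the redacted ones from the posts.

```python
import ipaddress
import re

# Address ranges that mean "something in front of this router is doing NAT".
# RFC 1918 = private LAN behind a modem/router; RFC 6598 = carrier-grade NAT.
NAT_RANGES = {
    "rfc1918": [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")],
    "cgnat": [ipaddress.ip_network("100.64.0.0/10")],
}

# Line shape of the thread's capture: "IP src.sport > dst.dport: UDP, length N"
TCPDUMP_RE = re.compile(r"IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): UDP")


def classify_wan(wan_ip):
    """Return 'rfc1918', 'cgnat', 'public' or 'other' for the address on the WAN interface."""
    addr = ipaddress.ip_address(wan_ip)
    for kind, nets in NAT_RANGES.items():
        if any(addr in net for net in nets):
            return kind
    if addr.is_loopback or addr.is_link_local:
        return "other"
    return "public"


def diagnose(wan_ip, web_detected_ip):
    """Compare the WAN address with what a web 'what is my IP' service reports,
    which is exactly what the DDNS ip_source='web' setting publishes."""
    kind = classify_wan(wan_ip)
    if kind == "public" and wan_ip == web_detected_ip:
        return "PUBLIC: inbound connections to the DDNS name reach this router (firewall permitting)"
    if kind == "public":
        return "PUBLIC but the web-detected address differs: another NAT hop sits in front of the router"
    return (f"NAT ({kind}): WAN {wan_ip} is not routable; DDNS publishes {web_detected_ip}, "
            "which belongs to the NAT device, so inbound OpenVPN clients cannot reach the server")


def local_endpoints(capture_lines, vpn_port=1194):
    """From 'tcpdump -n udp port <vpn_port>' output, collect the local addresses that
    exchange traffic with the VPN port: the side NOT on vpn_port is this router."""
    found = set()
    for line in capture_lines:
        m = TCPDUMP_RE.search(line)
        if not m:
            continue
        src, sport, dst, dport = m.group(1), int(m.group(2)), m.group(3), int(m.group(4))
        if dport == vpn_port and sport != vpn_port:
            found.add(src)
        elif sport == vpn_port and dport != vpn_port:
            found.add(dst)
    return found


# Constructed sample values (documentation/private ranges), not the thread's redacted ones.
SAMPLE_WAN = "10.206.1.2"       # what LuCI "IPv4 Upstream" shows on the cellular link
SAMPLE_WEB = "203.0.113.5"      # what an ip.changeip.com-style service would report
SAMPLE_CAPTURE = [
    "18:28:04.018618 IP 10.206.1.2.57433 > 198.51.100.9.1194: UDP, length 54",
    "18:28:04.091571 IP 198.51.100.9.1194 > 10.206.1.2.57433: UDP, length 66",
]

if __name__ == "__main__":
    print(diagnose(SAMPLE_WAN, SAMPLE_WEB))
    for ip in local_endpoints(SAMPLE_CAPTURE):
        print(f"capture shows local side {ip}: {classify_wan(ip)}")
```

When the verdict starts with `NAT`, no firewall rule or DDNS setting on the router will make the server reachable; the remaining options are the ones the thread arrives at, namely running the server on a site with a public address and connecting the CG-NAT router to it as a client.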

You can't have a server on CG-NAT, they block incoming connections. So like you said, set up a server on the cable modem then have multiple clients (some possibly 4G) connect to it. The client-to-client setting must be turned on in the server.


Progress! So currently the 'Outdoor router' is set up as a client and it's connecting to my TP-Link, but I'm unable to get access to the remote devices on the LAN and I don't have any Internet access when it's active. I tried the site-to-site configuration but so far it's not working. It does look like this problem: https://superuser.com/questions/902078/openwrt-openvpn-lan-access
There's some stuff I'm not sure about, for example: if my router on the client side is on 192.168.30.1, do I consider 192.168.30.0 as the 'client side LAN', or is it the router's address I should use in the CCD config?

Don't use WAN addresses during VPN routing. The whole point is that there is a tunnel so it looks like a direct connection regardless of how the outer VPN packets traversed the Internet.

ifconfig-push specifies the client address in the VPN network, iroute specifies the client LAN network.

I got it to work! The "Outdoor router" is connecting as a client to my server on the TP-link and any other client can access the devices on the "Outdoor router" LAN. Please tell me if there's something unsafe in the following or if I misunderstood something.
I had to change a lot of stuff, but eventually it connected; then the challenge was to route client-to-client. In the beginning, I followed https://openwrt.org/docs/guide-user/services/vpn/openvpn/extra#site-to-site, but it wasn't working, so I tried to find a reference manual explaining each option in detail and I found this article https://openwrt.org/docs/guide-user/services/vpn/openvpn/extra#site-to-site
Reading this, I understood I should put this:

route (CLIENT1 SIDE LAN) 255.255.255.0
push "route (SERVER SIDE LAN) 255.255.255.0"
push "route (CLIENT1 SIDE LAN) 255.255.255.0"

instead of this:

route (CLIENT1 VPN IP) 255.255.255.0 (CLIENT1 SIDE LAN)
push "route (SERVER SIDE LAN) 255.255.255.0"

The OpenVPN article uses individual configuration files for each client that needs routing to its private LAN (I prefer it this way because you're not sure of the IP assigned by the VPN server if the client has never connected). For example, if the client name is "client1" you need to create a file with the name "client1" and a single line in it:

iroute (CLIENT1 SIDE LAN) 255.255.255.0

and in the server configuration file, "client-config-dir" specifies this directory.

Please tell me if I understood this correctly: the OpenWrt wiki doesn't really tell you that you can't use DHCP-OPTION and ROUTE; it's something I understood from mistakes and reading the OpenVPN how-to.

I had to remove the following lines in server conf file:

push "dhcp-option DNS ${VPN_DNS}"
push "dhcp-option DOMAIN ${VPN_DOMAIN}"
push "redirect-gateway def1"

As for the firewall, I've used exactly the same thing explained in the OpenWrt wiki.
On server:

uci set firewall.@zone[0].device="tun0"
uci -q delete firewall.vpn
uci set firewall.vpn="rule"
uci set firewall.vpn.name="Allow-OpenVPN"
uci set firewall.vpn.src="wan"
uci set firewall.vpn.dest_port="1194"
uci set firewall.vpn.proto="udp"
uci set firewall.vpn.target="ACCEPT"
uci commit firewall
service firewall restart

On client (firewall settings from Site-to-Site in the OpenVPN extras page):

uci -q delete firewall.@zone[1].device
uci set firewall.@zone[0].device="tun0"
uci commit firewall
service firewall restart

The client conf file is the same thing that is generated by the basic how-to from the wiki.

The server conf file is based on the one generated by the how-to, but with a few changes.
It looks like this if:
Client1 router: 192.168.2.1 (client1 LAN: 192.168.2.0)
Server router: 192.168.1.1 (server LAN: 192.168.1.0)
***Note: each client needs a separate LAN.

verb 3
user nobody
group nogroup
dev tun0
port 1194
proto udp
server 192.168.8.0 255.255.255.0
topology subnet
client-to-client
keepalive 10 120
persist-tun
persist-key
client-config-dir /etc/openvpn/ccd
route 192.168.2.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
push "route 192.168.2.0 255.255.255.0"
push "persist-tun"
push "persist-key"
log "/tmp/openvpn.log"
<dh>
-----BEGIN DH PARAMETERS-----
(all the certificates generated by the basic openvpn server howto)

push "route 192.168.2.0 255.255.255.0" is used to give the other clients access to the client1 LAN; in my case all the other clients are PCs or mobile phones, so they don't need anything else specific in the server conf file.
If I want to add another router, am I correct if I just add its configuration file in the "/etc/openvpn/ccd" directory and then add these lines to the server configuration file:

route (NEWCLIENT SIDE LAN) 255.255.255.0
push "route (NEWCLIENT SIDE LAN) 255.255.255.0"

Thanks a lot for your help and your time. If you believe my English or my understanding is good enough, I'll be glad to add a few details to the wiki.
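The post above arrives at a recipe with three moving parts per client router: a `route` line so the server kernel sends the client LAN into tun0, a `push "route ..."` so the other clients learn that LAN, and an `iroute` line in the client's CCD file so OpenVPN knows which client owns it, all of which only works when every site uses a distinct LAN. The script below is an added example (not from the thread, the OpenWrt wiki or OpenVPN) that generates those lines from a table of client LANs and refuses overlapping networks, so the "each client needs a separate LAN" rule is enforced before anything is deployed. It mirrors the server config posted above: the server LAN and every client LAN are pushed to all clients. The tunnel network, LAN values and CCD names are constructed sample values; `write_ccd` takes any directory, and the real one is `/etc/openvpn/ccd` as set by `client-config-dir`.

```python
import ipaddress
from pathlib import Path


def site_to_site(server_lan, tunnel_net, client_lans):
    """Build the server-side routing lines and the per-client CCD file contents for an
    OpenVPN site-to-site setup with client-to-client access.

    server_lan / tunnel_net: CIDR strings; client_lans: {ccd_name: CIDR of the LAN behind it}.
    Raises ValueError when any two networks overlap: the server cannot tell two identical
    192.168.x.0/24 sites apart, and a LAN colliding with the tunnel breaks the tunnel itself.
    """
    nets = {"server LAN": ipaddress.ip_network(server_lan),
            "tunnel": ipaddress.ip_network(tunnel_net)}
    for name, lan in client_lans.items():
        nets[name] = ipaddress.ip_network(lan)
    labels = list(nets)
    for i, a in enumerate(labels):
        for b in labels[i + 1:]:
            if nets[a].overlaps(nets[b]):
                raise ValueError(f"{a} {nets[a]} overlaps {b} {nets[b]}: each site needs a separate LAN")

    def route(net):
        # OpenVPN route syntax is "network netmask", not CIDR.
        return f"{net.network_address} {net.netmask}"

    server_lines = [f'push "route {route(nets["server LAN"])}"']   # every client reaches the server LAN
    ccd = {}
    for name in client_lans:
        net = nets[name]
        server_lines.append(f"route {route(net)}")          # server kernel: client LAN lives behind tun0
        server_lines.append(f'push "route {route(net)}"')   # other clients learn the path to it
        ccd[name] = f"iroute {route(net)}\n"                # OpenVPN: this LAN belongs to this client
    return server_lines, ccd


def write_ccd(ccd, directory):
    """Write one file per client into the client-config-dir (e.g. /etc/openvpn/ccd).
    The file name must equal the client's certificate common name."""
    d = Path(directory)
    d.mkdir(parents=True, exist_ok=True)
    for name, body in ccd.items():
        (d / name).write_text(body)
    return sorted(p.name for p in d.iterdir())


if __name__ == "__main__":
    # Constructed sample: server LAN 192.168.1.0/24, tunnel 192.168.8.0/24, two client routers.
    lines, ccd = site_to_site("192.168.1.0/24", "192.168.8.0/24",
                              {"client1": "192.168.2.0/24", "client2": "192.168.3.0/24"})
    print("\n".join(lines))
    for name, body in ccd.items():
        print(f"ccd/{name}: {body.strip()}")
```

Adding a third router is then one more entry in `client_lans`; if someone reuses 192.168.2.0/24 for it, the script stops with a ValueError instead of silently producing a configuration in which one site's traffic is delivered to the other.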

OpenWrt and OpenVPN often provide multiple methods to achieve the same goal.
If your current setup is working, then it is fine.
The OpenWrt wiki describes the most common OpenVPN use cases.
Reading the official OpenVPN documentation is encouraged, especially if you require fine tuning.

