Setup dumb AP with Guest Wifi network

I am back... Seems like the new tagging broke my OpenVPN connection. I see these errors on my server log:

Tue Mar 20 19:58:37 2018 daemon.notice openvpn(bravo)[1088]: x.x.x.x:xxxx TLS: Initial packet from [AF_INET]x.x.x.x:xxxx, sid=xxx
Tue Mar 20 19:58:42 2018 daemon.notice openvpn(bravo)[1088]: x.x.x.x:xxxx TLS: Initial packet from [AF_INET]x.x.x.x:xxxx, sid=xxx
Tue Mar 20 19:59:37 2018 daemon.err openvpn(bravo)[1088]: x.x.x.x:xxxx TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Mar 20 19:59:37 2018 daemon.err openvpn(bravo)[1088]: x.x.x.x:xxxx TLS Error: TLS handshake failed
Tue Mar 20 19:59:37 2018 daemon.notice openvpn(bravo)[1088]: x.x.x.x:xxxx SIGUSR1[soft,tls-error] received, client-instance restarting
Tue Mar 20 19:59:42 2018 daemon.err openvpn(bravo)[1088]: x.x.x.x:xxxx TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Mar 20 19:59:42 2018 daemon.err openvpn(bravo)[1088]: x.x.x.x:xxxx TLS Error: TLS handshake failed
Tue Mar 20 19:59:42 2018 daemon.notice openvpn(bravo)[1088]: x.x.x.x:xxxx SIGUSR1[soft,tls-error] received, client-instance restarting

On my MacBook Tunnelblick client I see an error that the certificate is expired (it expires in 2028, so this is false), and on my Android OpenVPN client I see "SSL certificate read error" (which seems to be the issue indeed).

When searching for the error, I got to this page: https://openvpn.net/index.php/open-source/faq/79-client/253-tls-error-tls-key-negotiation-failed-to-occur-within-60-seconds-check-your-network-connectivity.html

It states that the firewall should be the issue. When introducing this tagging, did I forget to add some firewall rule for this? I thought it would have no impact?

Are you trying to route the guest over the VPN? If so you'll need some firewall rules to allow it.

It's unclear what you're trying to do with OpenVPN. Is your router the OpenVPN client, or a server? If you are running a server you do need to open its port in the firewall.

Sorry guys for the lack of info, here is some more:

I have an OpenVPN server running since day 1; it was working perfectly until I did the port tagging and set up the bridges. Port 1194 is open like it always was. OpenVPN clients had access to the complete LAN, since I am the only OpenVPN user.

I tried to switch from UDP to TCP, but then too I get a connection error. When I look in my system logs, I see the initial connection packet arriving, but after that the client cannot connect and the server receives nothing more. I think it's when the certificate should be validated. The certificate is also the same as a couple of days ago when it was working.

Hope this gives you more info?

A packet in one direction, then "nothing more" often indicates a routing problem. Box A had a "good" route to Box B, but Box B doesn't have a good route to Box A. By "routing problem" that includes not only the routing table itself, but firewall rules, cables, ...

If it's a cable issue, then Box A could never reach Box B in the first place, right? :wink:

Over the years, I've had problems where a routing table sent packets back over a different physical link than on which they arrived. A valid route, yes, but a failed or failing cable can cause much head scratching.

Let me try to summarize: a remote VPN client is connecting to a VPN server on your router listening on WAN, and it used to work... But after adjusting for VLANs it stalls after the first packet?

Other than this, everything else works as normal after the guest addition?

That's 100% correct, sir! I also have some other open WAN ports, and connecting through them from the outside world still works like a charm.

I did some more investigating and read something about OpenVPN tun mode not working with bridges. I guess only the WLAN points are bridges, so it should not have an impact, right?

Strange, did you alter firewall at all? Is there anything different about wan setup? Does regular web surfing etc really work fine?

Yes everything works fine :slight_smile: Speeds are top notch!

Summary:

  • OpenVPN working fine, no vlans, no guest on my external AP
  • Set up VLANs:
    • added new vlan on port 1
    • tagged port 1 on router for all (LAN/WAN/Guest)
    • made Private WLAN a bridge between LAN VLAN
    • made Guest WLAN a bridge between Guest VLAN
  • All working great, OpenVPN stops working

No firewall changes whatsoever.

There's probably no reason why port 1 should have the WAN VLAN tagged on it. Remove WAN from port 1 and see if this helps; perhaps there is something strange there... Seems unlikely, but could be.


Done, but still the same issue. This is what my VLAN setup now looks like on the router:

Seemed to be a certificate thingy after all. After regenerating the whole shebang, everything works now :slight_smile: Thanks guys!


I keep coming back, guys :wink: The VPN connection itself is working, but I cannot connect to any LAN members anymore when connected through the VPN.

I tried changing my VPN interface to bridge tun0 and lan, but it did not work.

In the firewall settings I set allow input/output/forward from vpn to lan.

Still, when connected to the VPN I cannot connect to any device on the LAN, not even the router itself.

Any more brilliant ideas? :wink:

I'm not sure what's connected where for the VLANs. As I look at your switch diagram, all clients connected to the LAN 1 port need to be VLAN-aware. If that is a trunk to a VLAN-aware switch or router, then it makes sense as that device will/should be stripping / applying VLAN tags for its outbound / inbound connections to "normal" clients. If that's not the case, that might be some of the problem.

OpenVPN pushes routes over its connection to the far end. Probably the VPN client can't connect to the LAN members because it hasn't had a route pushed to it saying "to contact the x.x.x.x network, route through the VPN"; this is an OpenVPN config issue.

https://openvpn.net/index.php/open-source/documentation/howto.html

search for "expanding the scope of the VPN to include additional machines..."
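As an added example (not from this thread or from the OpenVPN howto), here is a minimal server-side OpenVPN config showing the route push the answer above refers to. It assumes the router is both the OpenVPN server and the LAN's default gateway, a LAN of 192.168.1.0/24 with the router at 192.168.1.1, and a tunnel subnet of 10.8.0.0/24; all of those addresses are assumptions, not values from the thread.

```text
# Added example (not from the thread): server-side OpenVPN config for a
# router that is both the OpenVPN server and the LAN default gateway.
# Assumed addressing: LAN 192.168.1.0/24 (router 192.168.1.1),
# VPN tunnel 10.8.0.0/24. Change these to match your own network.
dev tun
proto udp
port 1194
server 10.8.0.0 255.255.255.0

# Without this line the client only learns a route for 10.8.0.0/24 itself,
# so LAN hosts (and the router's own LAN address) are unreachable through
# the tunnel even though the VPN session comes up fine.
push "route 192.168.1.0 255.255.255.0"

# Optional: hand the client the router as its DNS server so LAN names resolve.
push "dhcp-option DNS 192.168.1.1"

# Return path: LAN hosts answer 10.8.0.x via their default gateway, which is
# this router, and the router already has the tun0 route created by "server".
# If the OpenVPN server were a different host than the LAN gateway, the
# gateway would additionally need a static route for 10.8.0.0/24 pointing at
# that host (or the server would have to NAT tunnel traffic onto the LAN).

# The firewall forwarding from the VPN interface/zone to lan that the poster
# already configured is still required; the pushed route only tells the
# client where to send packets, it does not permit them through the router.
```

After connecting, the client's OpenVPN log shows the pushed route inside the PUSH_REPLY line and the client's routing table gains an entry for 192.168.1.0/24 via the tun interface; if that entry is missing, the push never reached the client.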