I managed to set up both a VPN server and a VPN client on my router. With the help of @stangri's vpn-policy-routing app I managed to have a single IP connect to my VPN provider, with the rest going normally to WAN.
With stangri's help, via the VPN tunnel to my VPN server I managed to reach all devices by IP address.
However, I cannot reach the devices by hostnames.
Locally it works. Dnsmasq does this, I learned. In 'Network' under 'DHCP and DNS' I set up static leases for each device. DNS servers are set up like this:
hummingboard and vero2 are the 2 only devices that connect to the vpn provider. To reach them via vpn connection to my vpn server I had to add the last 2 config policies.
Can somebody help me here?
PS: In the VPN server conf I already tried to add list push 'dhcp-option DNS 192.168.1.1' and also list push 'redirect-gateway def1', with no success.
I'm assuming you're trying to access a LAN device via its hostname only? If so, the following should (if not must) be set:
Local domain should (if not must) be the same across all devices, which is set on the router in
/etc/config/dhcp, via option domain 'LEDE', where LEDE is the local domain.
Each device must have its local domain (also referred to as the workgroup name) echo the local domain configured on the router.
Each device being accessed via its hostname must have a static IP set with a hostname assigned (via the router, not the device itself).
Depending on the OS, and what's being accessed (WebUI, network share, etc.), a hosts file entry may be required on the device which is accessing another via its hostname only, in the format of
Yes. But it still should be accessible via IP too.
So, a static lease in dhcp doesn't suffice?
Does it mean I ditch the whole dnsmasq setup? Or only the dhcp part?
I never set up static IPs before, I'll try to. I guess, like with static leases, they mustn't be in the DHCP address range, right?
Anything else I have to watch out for?
Thanks so far for the help. I ask these things because I don't wanna end up with a more complicated setup that maybe needs additional work to get everything working.
The VPN client gets its IP by DHCP now, I think?...
Is it then no problem if that client wants to reach a static IP?
...As you see, I'm a noob in this field, there's so much basic stuff I'm lacking, but I don't plan on getting deeper into it than I need to.
No, a static IP, with a hostname, must be configured, else the DNS server on the router has no clue where to route traffic if a hostname is not specified for a local device attempting to be accessed via its hostname.
/etc/config/dhcp
Not a full dhcp config, just the relevant part we're speaking about
```
#
##::[[--- LEDE LAN DHCP Config ---]]::##
####################################################
##----- DNS Server -----##
####################################################
# DNSmasq #
#---------------------------------------------------
config dnsmasq
	option domain 'lan'

####################################################
##----- Static IPs -----##
####################################################
config host
	option ip '192.168.2.2'
	option mac 'AA:BB:CC:DD:EE:FF'
	option name 'FreeNAS'
```
You can change this if you want, otherwise, if you're looking to access:
Ok, I set up all as you wrote it but still no success.
Over vpn tunnel this works:
ssh to router and ping vero2.home gives response
ssh to 3rd debian device, adding line in /etc/hosts and pinging vero2.home gives response
But entering http://vero2.home:8081/ in the browser (VPN tunnel active, of course) doesn't work. Chrome says ERR_NAME_NOT_RESOLVED.
Any more ideas?
PS: I haven't set up the VPN server according to your very detailed wiki; I guess you saw it in the provided files.
You're missing configuration options in your VPN config.
```
# Push DNS to clients
	list push 'dhcp-option DNS 192.168.1.1'
# WINS may be required, depending on your environment
	list push 'dhcp-option WINS 192.168.1.1'
# Client to Client is required to have VPN clients access other devices
	option client_to_client '1'
```
It's tough for me to figure out how they need to be changed to fit my setup. I already have the first rule from your linked post. The firewall zone of the VPN server is named vpnserverfw. So change every vpn entry in your rules to that? Also the IPs... change 10.1.0.0/28 to 192.168.10.0/28?
Is this right?
```
config rule
	option target 'ACCEPT'
	option family 'ipv4'
	option proto 'tcp udp'
	option src 'vpnserverfw'
	option src_ip '192.168.10.0/28'
	option dest_ip '192.168.1.0/24'
	option name 'Allow OpenVPN -> LAN'

config rule
	option target 'ACCEPT'
	option family 'ipv4'
	option proto 'tcp udp'
	option src 'vpnserverfw'
	option dest '*'
	option name 'Allow Forwarded OpenVPN -> <device>'

config rule
	option target 'ACCEPT'
	option family 'ipv4'
	option proto 'icmp'
	option src 'vpnserverfw'
	option src_ip '192.168.10.0/28'
	option dest 'lan'
	option name 'Allow OpenVPN (ICMP) -> LAN'

config rule
	option target 'ACCEPT'
	option family 'ipv4'
	option proto 'icmp'
	list icmp_type 'echo-request'
	option src 'vpnserverfw'
	option src_ip '192.168.10.0/28'
	option dest 'wan'
	option name 'Allow OpenVPN (echo-request) -> WAN'
```
Please review the rules and input your own settings accordingly, as you're missing information above that is within the rules I posted... also, hierarchy matters and those rules should be in the order I laid out.
If your firewall rules match, and the options I noted above are added, the VPN server restarted, and the clients disconnected, then reconnected, the issue is not the server config or firewall rules.
You can determine r/w requests on the VPN server by upping its verbosity to 6 or above; however, the VPN server wouldn't be the issue if you've added the 3 options above.
If you are still unable to narrow down where your issue is at, I'd recommend, if you've customized your dhcp config or are not using OpenWrt defaults, reviewing the DHCP Configuration wiki. Otherwise, I'd recommend starting with known working config options, then compare to see where the issue is at.
Known working configs for accessing LAN devices by hostname:
Yeah, seems like I have something for the weekend now... changing and pasting in the rules + VPN config does not work, I guess I'll start over using your wiki. It's better anyway...
I made the certs with easy-rsa and the VPN connection also throws an MTU error. Seems like with your config everything is worked out and optimized. I'm gonna go for that.
Only thing I didn't find is where you create a firewall zone for vpnserver...
Scratch that, I saw it's not done with a uci command, it's in the firewall config file. The ways to make changes are a bit confusing for me: there's via uci commands, via the LuCI web interface, and just writing it in the file... and every way has a different 'syntax'.
If you pasted in what I mentioned above, the issue doesn't appear to be VPN related. The three options mentioned above for the server config are all that's required to push the DNS server to the client, and client to client allows communication between the VPN client and other devices on the network.
Perhaps I missed it above, but are you able to access devices by hostname when not connected through the VPN?
Are you reloading/restarting the firewall and VPN server after making changes?
Did you restart dnsmasq, odhcpd, and network after making changes to the dhcp config?
Did you reboot the LAN device after making changes to its static entry in the dhcp config? Rebooting the router would also accomplish the same.
Router: reboot
UCI [Unified Configuration Interface] is mainly for scripting, else it becomes more work than it's worth.
Outside of scripting, it's far faster and more efficient to simply edit configs directly with vi or nano
LuCI [Lua Configuration Interface] is the GUI for making changes to the router and is also known as the WebUI/WebAdmin.
Unless a wiki specifically states to make changes via LuCI, this should not be utilized when following wikis.
Config files are a more sane way to edit and when done editing, to apply the changes, the affected daemons must be restarted to load the config changes.
I prefer editing configs directly versus that of utilizing LuCI, mainly because LuCI destroys the formatting of configs, of which makes reading & editing them directly more cumbersome and inefficient.
You can see this by comparing my syntax highlighted code boxes above to the bland code box created via the toolbar (for a starker comparison, compare my post here with this post).
If you're editing configs with vi, add # to the first line of the config, save the change, then re-open the file and vi should have applied basic syntax highlighting to the config. This is why all my configs start with a # on the first line.
Does it matter what I put in the Servers and clients lines 201-225 in openssl.cnf?
Also, are these entries [ alt_freenas ] [ alt_sophos ]... just headlines, and can I delete servers I don't need and change these?
I see the confusion is with the heading in that tabbox... (1) is what you need to edit, (2) is telling you where server and clients can be found in the openssl.cnf.
You don't need to re-issue certs... @stangri's wiki for creating certs is likely going to be easier for you to follow.
Again, your VPN is likely not the issue... as such, there's no reason to redo the setup.
And here:
Change the SAN DNS from VPNserver-Client1-Device-Hostname to match client username.
To match which client username? There was no mention of any client username so far. I thought maybe later in the VPN client conf there is a username specified, but I can't find such an entry. Can it be one of my choosing?
As I said, I couldn't make it work. I don't want to patch sth. together I don't fully understand, so I'm trying to follow the complete wiki.
You don't need to re-issue certs either way... utilize the certs you created when you followed @stangri's wiki.
This is explained in the bullet under 1.a.I in the Client Certs Prerequisite box.
While you're not the first user to have questions or issues with the certificate creation process in my wiki, I included all information required to answer questions regarding the certification creation process in the wiki.
For users not wishing to take the time to refer to the documentation contained in the wiki, such as the wealth of information here, here, and here, @stangri's wiki is what would likely be a better fit.
You're not following the wiki and I will no longer troubleshoot your issues with the certificate creation process because you're not following the wiki as written. Again, you do not need to re-generate certs.
At this point, please refer to the Wiki Documentation, as I can no longer help you with any of your troubleshooting.
I'd strongly encourage re-reading this post, as it likely contains where your issue is
Initially I used this tutorial to set up the VPN server.
Thing is, I'm still not sure if the adjusted firewall rules I posted here are correct.
Also, like I mentioned, there's also an OpenVPN client on my router and one device goes through that VPN tunnel with the help of @stangri's vpn-policy-routing app, so in the VPN server conf route-nopull is used.
I don't know if that could affect sth.
Also, DNS servers are set up like this:
```
uci -q del dhcp.@dnsmasq[-1].server
uci add_list dhcp.@dnsmasq[-1].server='8.8.8.8'
uci add_list dhcp.@dnsmasq[-1].server='4.4.4.4'
uci commit
```
because I want to use different DNS servers.
This I don't know, since I've never configured a router as a VPN client; however, this shouldn't have any bearing on a remote client connecting to the VPN server and accessing devices by IP or hostname.
That specific post is missing the initial rule for accepting the initial VPN connection request, which I assumed was in your config, just that your copy/paste missed it.
These are your rules for your VPN server (double check I have everything correct):
```
config zone
	option name 'vpn'
	option network 'tun1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config rule
	option target 'ACCEPT'
	option family 'ipv4'
	option proto 'tcp udp'
	option src '*'
	option dest_port '1194'
	option name 'Allow Forwarded OpenVPN Request -> <device>'

config rule
	option target 'ACCEPT'
	option family 'ipv4'
	option proto 'tcp udp'
	option src 'vpn'
	option src_ip '192.168.10.0/24'
	option dest_ip '192.168.1.0/24'
	option name 'Allow OpenVPN -> LAN'

config rule
	option target 'ACCEPT'
	option family 'ipv4'
	option proto 'tcp udp'
	option src 'vpn'
	option dest '*'
	option name 'Allow Forwarded OpenVPN -> <device>'

config rule
	option target 'ACCEPT'
	option family 'ipv4'
	option proto 'icmp'
	option src 'vpn'
	option src_ip '192.168.10.0/24'
	option dest 'lan'
	option name 'Allow OpenVPN (ICMP) -> LAN'

config rule
	option target 'ACCEPT'
	option family 'ipv4'
	option proto 'icmp'
	list icmp_type 'echo-request'
	option src 'vpn'
	option src_ip '192.168.10.0/24'
	option dest 'wan'
	option name 'Allow OpenVPN (echo-request) -> WAN'

config forwarding
	option dest 'vpn'
	option src 'lan'

config forwarding
	option dest 'lan'
	option src 'vpn'

config forwarding
	option dest 'wan'
	option src 'vpn'
```
Please post your dhcp config [/etc/config/dhcp], unless you're utilizing a dnsmasq.conf directly, and if you are, that is something I don't have the knowledge to help you with.
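The replies above keep coming back to the same three prerequisites: a local domain plus complete static host entries in /etc/config/dhcp, the DNS push and client_to_client options in the OpenVPN server section, and a firewall zone for the tunnel with forwarding into lan. The script below is an added example (not code from this thread, the OpenWrt project or either wiki) that checks copies of those three files offline with plain sh and awk, so nothing has to be run on the router itself. The sample configs, the zone name vpn, the domain home and the host vero2 are constructed to mirror the thread; real files would be copied off the router in their place.

```shell
#!/bin/sh
# Added example, not from the thread or the OpenWrt project: offline sanity checks
# for /etc/config/dhcp, /etc/config/openvpn and /etc/config/firewall. Pure POSIX
# sh + awk, so it runs on a workstation against copies of the files (no uci needed).

# Parse UCI syntax: one output line per section of TYPE, as "key=value;key=value;...".
# Both 'option' and 'list' entries are included; surrounding quotes are stripped.
uci_sections() {   # FILE TYPE
    awk -v type="$2" -v q="'" '
        function flush() { if (in_sec) print line; in_sec = 0; line = "" }
        /^config[ \t]/ { flush(); if ($2 == type) in_sec = 1; next }
        in_sec && ($1 == "option" || $1 == "list") {
            v = $0; sub(/^[ \t]*(option|list)[ \t]+[^ \t]+[ \t]+/, "", v)
            gsub(q, "", v); gsub(/"/, "", v)
            line = line $2 "=" v ";"
        }
        END { flush() }' "$1"
}

# All values of KEY across every section of TYPE, one per line.
uci_get() {        # FILE TYPE KEY
    uci_sections "$1" "$2" | tr ';' '\n' | sed -n "s/^$3=//p"
}

# dhcp: 'option domain' must be set and every static host needs ip, mac and name,
# otherwise dnsmasq has nothing to answer for <name>.<domain>.
check_dhcp() {     # FILE
    [ -n "$(uci_get "$1" dnsmasq domain)" ] || { echo "dhcp: no 'option domain' in config dnsmasq"; return 1; }
    uci_sections "$1" host | while IFS= read -r h; do
        for k in ip mac name; do
            case ";$h" in *";$k="*) ;; *) echo "dhcp: static host missing '$k': $h"; exit 1 ;; esac
        done
    done
}

# openvpn: the server must push the router as DNS and allow client-to-client traffic.
# Assumption: all openvpn sections are merged, so on a router that also runs a client
# instance (as in the thread) copy only the server section before running this.
check_openvpn() {  # FILE
    uci_get "$1" openvpn push | grep -q '^dhcp-option DNS ' || { echo "openvpn: missing push 'dhcp-option DNS <router-ip>'"; return 1; }
    [ "$(uci_get "$1" openvpn client_to_client)" = 1 ] || { echo "openvpn: client_to_client not set to 1"; return 1; }
}

# firewall: a zone named ZONE must exist and forwarding ZONE -> lan must be present,
# otherwise clients may resolve names but never reach the hosts.
check_firewall() { # FILE ZONE
    uci_get "$1" zone name | grep -qx "$2" || { echo "firewall: no zone named '$2'"; return 1; }
    uci_sections "$1" forwarding | grep "src=$2;" | grep -q 'dest=lan;' || { echo "firewall: no forwarding $2 -> lan"; return 1; }
}

# Name a VPN client should ask the router for, e.g. "vero2.home".
fqdn() { printf '%s.%s\n' "$2" "$(uci_get "$1" dnsmasq domain | head -n1)"; }

# Constructed sample configs (assumption: laid out like the snippets in the thread).
D="${TMPDIR:-/tmp}/dhcp.$$"; O="${TMPDIR:-/tmp}/openvpn.$$"; F="${TMPDIR:-/tmp}/firewall.$$"
trap 'rm -f "$D" "$O" "$F"' EXIT
cat > "$D" <<'EOF'
config dnsmasq
    option domain 'home'
    list server '8.8.8.8'

config host
    option ip '192.168.1.20'
    option mac 'AA:BB:CC:DD:EE:01'
    option name 'vero2'
EOF
cat > "$O" <<'EOF'
config openvpn 'vpnserver'
    option enabled '1'
    option client_to_client '1'
    list push 'route 192.168.1.0 255.255.255.0'
    list push 'dhcp-option DNS 192.168.1.1'
EOF
cat > "$F" <<'EOF'
config zone
    option name 'vpn'
    option network 'tun1'
    option input 'ACCEPT'
    option forward 'ACCEPT'

config forwarding
    option dest 'lan'
    option src 'vpn'
EOF

run_all() {        # 0 only when every check passes
    check_dhcp "$D" && check_openvpn "$O" && check_firewall "$F" vpn
}
run_all && echo "all checks passed: clients should resolve $(fqdn "$D" vero2)"
```

Each check prints the first thing it finds wrong and returns non-zero, which makes it usable as a quick bisect before touching the VPN again: a failing dhcp check points at the static-lease side of the thread, a failing firewall check at the zone name mismatch (vpn versus vpnserverfw) discussed above.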