Hello.
I set up an OpenVPN server on my router and am able to connect to it from the internet and access my internal LAN network (in my case, VPN to LAN_Port_4/192.168.4.0).
-
I'm unable to access the internet while I'm on the VPN (I can't even ping 8.8.8.8). All other LAN networks on the router can access the internet just fine. I believe I correctly followed the posted how-to on setting up the server on OpenWrt.
-
From the VPN, the only internal address I can't seem to reach is 192.168.4.2 (it's another router). I'm able to reach that device (and the devices on that router) from the internal LAN_Port_4 network, just not from the VPN.
Thanks for any insight you might have.
Here are some outputs of interest from the router that may help in finding out where I went wrong.
#ubus call system board
{
"kernel": "5.4.154",
"hostname": "ABCD",
"system": "ARMv7 Processor rev 1 (v7l)",
"model": "Linksys WRT3200ACM",
"board_name": "linksys,wrt3200acm",
"release": {
"distribution": "OpenWrt",
"version": "21.02.1",
"revision": "r16325-88151b8303",
"target": "mvebu/cortexa9",
"description": "OpenWrt 21.02.1 r16325-88151b8303"
}
#server.conf
user nobody
group nogroup
dev tun
port 1194
proto udp
server 192.168.8.0 255.255.255.0
topology subnet
client-to-client
keepalive 10 60
persist-tun
persist-key
push "dhcp-option DNS 8.8.8.8"
push "redirect-gateway"
push "persist-tun"
push "persist-key"
push "route 192.168.0.0 255.255.255.0"
#uci export network
package network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'xxxx:xxxx:xxxx::/48'
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '192.168.0.1'
config device
option name 'wan'
option macaddr 'XX:XX:XX:XX:XX:XX'
config interface 'wan'
option device 'wan'
option proto 'static'
option ipaddr 'X.X.X.X'
option netmask '255.255.255.0'
option gateway 'X.X.X.Y'
option broadcast 'X.X.X.Z'
list dns '8.8.8.8'
config interface 'wan6'
option device 'wan'
option proto 'dhcpv6'
config interface 'LAN_Port_4'
option proto 'static'
option device 'lan4'
option netmask '255.255.255.0'
option ipaddr '192.168.4.1'
config interface 'LAN_Port_3'
option proto 'static'
option netmask '255.255.255.0'
option ipaddr '192.168.3.1'
option device 'lan3'
config interface 'Wireless'
option proto 'static'
option ipaddr '10.0.0.1'
option netmask '255.255.255.0'
list dns '8.8.8.8'
option device 'radio1.network1'
config route
option target '192.168.11.204'
option gateway '192.168.3.215'
option interface 'LAN_Port_3'
config interface 'VPN'
option proto 'none'
option device 'tun0'
#uci export dhcp
package dhcp
config dnsmasq
option domainneeded '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option localservice '1'
option ednspacket_max '1232'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option dhcpv6 'server'
option ra 'server'
list ra_flags 'managed-config'
list ra_flags 'other-config'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
option start '100'
option limit '150'
option leasetime '12h'
list ra_flags 'none'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
config dhcp 'LAN_Port_4'
option interface 'LAN_Port_4'
option start '100'
option limit '150'
option leasetime '12h'
list ra_flags 'none'
config dhcp 'LAN_Port_3'
option interface 'LAN_Port_3'
option start '100'
option limit '150'
option leasetime '12h'
list ra_flags 'none'
config dhcp 'Wireless'
option interface 'Wireless'
option start '100'
option limit '150'
option leasetime '12h'
list ra_flags 'none'
#uci export firewall
package firewall
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone 'lan'
option output 'ACCEPT'
option masq '1'
option mtu_fix '1'
option name 'WAN'
option input 'DROP'
option forward 'DROP'
list device 'tun+'
list network 'wan'
list network 'wan6'
config zone 'wan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option name 'LAN'
list network 'lan'
config forwarding
option dest 'WAN'
option src 'LAN'
config rule
option name 'Allow-DHCP-Renew'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
option src 'WAN'
config rule
option name 'Allow-Ping'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
option src 'WAN'
config rule
option name 'Allow-IGMP'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
option src 'WAN'
config rule
option name 'Allow-DHCPv6'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
option src 'WAN'
config rule
option name 'Allow-MLD'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
option src 'WAN'
config rule
option name 'Allow-ICMPv6-Input'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
option src 'WAN'
config rule
option name 'Allow-ICMPv6-Forward'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
option src 'WAN'
config rule
option name 'Allow-IPSec-ESP'
option proto 'esp'
option target 'ACCEPT'
option src 'WAN'
option dest 'LAN'
config rule
option name 'Allow-ISAKMP'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
option src 'WAN'
option dest 'LAN'
config rule
option name 'Support-UDP-Traceroute'
option dest_port '33434:33689'
option proto 'udp'
option family 'ipv4'
option target 'REJECT'
option src 'WAN'
option enabled '0'
config include
option path '/etc/firewall.user' (note that this file is effectively empty)
config zone
option name 'LAN_Port_3'
option output 'ACCEPT'
option input 'ACCEPT'
option forward 'ACCEPT'
list network 'LAN_Port_3'
config zone
option name 'LAN_Port_4'
option output 'ACCEPT'
option input 'REJECT'
option forward 'REJECT'
list network 'LAN_Port_4'
config forwarding
option src 'LAN_Port_4'
option dest 'WAN'
config forwarding
option src 'LAN'
option dest 'LAN_Port_4'
config zone
option name 'Wireless'
option output 'ACCEPT'
option input 'ACCEPT'
option forward 'ACCEPT'
list network 'Wireless'
config forwarding
option src 'Wireless'
option dest 'WAN'
config rule
option name 'LAN Port 3 DHCP'
option src 'LAN_Port_3'
option dest_port '67-68'
option target 'ACCEPT'
config rule
option name 'LAN Port 3 DNS'
option src 'LAN_Port_3'
option dest_port '53'
option target 'ACCEPT'
config rule
option target 'ACCEPT'
option src 'LAN_Port_4'
option name 'LAN Port 4 DHCP'
option dest_port '67-68'
config rule
option target 'ACCEPT'
option src 'LAN_Port_4'
option name 'LAN Port 4 DNS'
option dest_port '53'
config rule
option target 'ACCEPT'
option src 'Wireless'
option name 'Wireless DHCP'
option dest_port '67-68'
config rule
option target 'ACCEPT'
option src 'Wireless'
option name 'Wireless DNS'
option dest_port '53'
config forwarding
option src 'LAN_Port_3'
option dest 'WAN'
config forwarding
option src 'LAN'
option dest 'LAN_Port_3'
config rule
option name 'OpenVPN'
list proto 'udp'
option src 'WAN'
option dest_port '1194'
option target 'ACCEPT'
option enabled '0'
config zone
option name 'VPN'
option input 'ACCEPT'
option output 'ACCEPT'
list network 'VPN'
option forward 'ACCEPT'
option mtu_fix '1'
config forwarding
option src 'VPN'
option dest 'WAN'
config forwarding
option src 'VPN'
option dest 'LAN_Port_4'
config forwarding
option src 'LAN'
#ip -4 addr ; ip -4 ro li tab all ; ip -4 ru
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
3: lan4@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
inet 192.168.4.1/24 brd 192.168.4.255 scope global lan4
valid_lft forever preferred_lft forever
4: lan3@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
inet 192.168.3.1/24 brd 192.168.3.255 scope global lan3
valid_lft forever preferred_lft forever
7: wan@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
inet X.X.X.X/24 brd X.X.X.Y scope global wan
valid_lft forever preferred_lft forever
13: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
inet 192.168.0.1/24 brd 192.168.0.255 scope global br-lan
valid_lft forever preferred_lft forever
17: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
inet 10.0.0.1/24 brd 10.0.0.255 scope global wlan1
valid_lft forever preferred_lft forever
29: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN qlen 500
inet 192.168.8.1/24 scope global tun0
valid_lft forever preferred_lft forever
default via X.X.X.Y dev wan
10.0.0.0/24 dev wlan1 scope link src 10.0.0.1
192.168.0.0/24 dev br-lan scope link src 192.168.0.1
192.168.3.0/24 dev lan3 scope link src 192.168.3.1
192.168.4.0/24 dev lan4 scope link src 192.168.4.1
192.168.8.0/24 dev tun0 scope link src 192.168.8.1
192.168.11.204 via 192.168.3.215 dev lan3
X.X.X.0/24 dev wan scope link src X.X.X.X
broadcast 10.0.0.0 dev wlan1 table local scope link src 10.0.0.1
local 10.0.0.1 dev wlan1 table local scope host src 10.0.0.1
broadcast 10.0.0.255 dev wlan1 table local scope link src 10.0.0.1
broadcast 127.0.0.0 dev lo table local scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local scope host src 127.0.0.1
local 127.0.0.1 dev lo table local scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link src 127.0.0.1
broadcast 192.168.0.0 dev br-lan table local scope link src 192.168.0.1
local 192.168.0.1 dev br-lan table local scope host src 192.168.0.1
broadcast 192.168.0.255 dev br-lan table local scope link src 192.168.0.1
broadcast 192.168.3.0 dev lan3 table local scope link src 192.168.3.1
local 192.168.3.1 dev lan3 table local scope host src 192.168.3.1
broadcast 192.168.3.255 dev lan3 table local scope link src 192.168.3.1
broadcast 192.168.4.0 dev lan4 table local scope link src 192.168.4.1
local 192.168.4.1 dev lan4 table local scope host src 192.168.4.1
broadcast 192.168.4.255 dev lan4 table local scope link src 192.168.4.1
broadcast 192.168.8.0 dev tun0 table local scope link src 192.168.8.1
local 192.168.8.1 dev tun0 table local scope host src 192.168.8.1
broadcast 192.168.8.255 dev tun0 table local scope link src 192.168.8.1
broadcast X.X.X.0 dev wan table local scope link src X.X.X.X
local X.X.X.X dev wan table local scope host src X.X.X.X
broadcast X.X.X.Z dev wan table local scope link src X.X.X.X
broadcast X.X.X.255 dev wan table local scope link src X.X.X.X
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
#route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 X.X.X.Y 0.0.0.0 UG 0 0 0 wan
10.0.0.0 0.0.0.0 255.255.255.0 U 0 0 0 wlan1
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 br-lan
192.168.3.0 0.0.0.0 255.255.255.0 U 0 0 0 lan3
192.168.4.0 0.0.0.0 255.255.255.0 U 0 0 0 lan4
192.168.8.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
192.168.11.204 192.168.3.215 255.255.255.255 UGH 0 0 0 lan3
X.X.X.0 0.0.0.0 255.255.255.0 U 0 0 0 wan
#ip route
default via 216.17.235.78 dev wan
10.0.0.0/24 dev wlan1 scope link src 10.0.0.1
192.168.0.0/24 dev br-lan scope link src 192.168.0.1
192.168.3.0/24 dev lan3 scope link src 192.168.3.1
192.168.4.0/24 dev lan4 scope link src 192.168.4.1
192.168.8.0/24 dev tun0 scope link src 192.168.8.1
192.168.11.204 via 192.168.3.215 dev lan3
X.X.X.0/24 dev wan scope link src X.X.X.X
#iptables-save -t nat
#Generated by iptables-save v1.8.7 on Sat Jan 22 22:22:12 2022
*nat
:PREROUTING ACCEPT [3605:590057]
:INPUT ACCEPT [92:9433]
:OUTPUT ACCEPT [60:4110]
:POSTROUTING ACCEPT [1008:52480]
:FWKNOP_MASQUERADE - [0:0]
:FWKNOP_POSTROUTING - [0:0]
:FWKNOP_PREROUTING - [0:0]
:postrouting_LAN_Port_3_rule - [0:0]
:postrouting_LAN_Port_4_rule - [0:0]
:postrouting_LAN_rule - [0:0]
:postrouting_VPN_rule - [0:0]
:postrouting_WAN_rule - [0:0]
:postrouting_Wireless_rule - [0:0]
:postrouting_rule - [0:0]
:prerouting_LAN_Port_3_rule - [0:0]
:prerouting_LAN_Port_4_rule - [0:0]
:prerouting_LAN_rule - [0:0]
:prerouting_VPN_rule - [0:0]
:prerouting_WAN_rule - [0:0]
:prerouting_Wireless_rule - [0:0]
:prerouting_rule - [0:0]
:zone_LAN_Port_3_postrouting - [0:0]
:zone_LAN_Port_3_prerouting - [0:0]
:zone_LAN_Port_4_postrouting - [0:0]
:zone_LAN_Port_4_prerouting - [0:0]
:zone_LAN_postrouting - [0:0]
:zone_LAN_prerouting - [0:0]
:zone_VPN_postrouting - [0:0]
:zone_VPN_prerouting - [0:0]
:zone_WAN_postrouting - [0:0]
:zone_WAN_prerouting - [0:0]
:zone_Wireless_postrouting - [0:0]
:zone_Wireless_prerouting - [0:0]
-A PREROUTING -j FWKNOP_PREROUTING
-A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
-A PREROUTING -i tun+ -m comment --comment "!fw3" -j zone_WAN_prerouting
-A PREROUTING -i wan -m comment --comment "!fw3" -j zone_WAN_prerouting
-A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_LAN_prerouting
-A PREROUTING -i lan3 -m comment --comment "!fw3" -j zone_LAN_Port_3_prerouting
-A PREROUTING -i lan4 -m comment --comment "!fw3" -j zone_LAN_Port_4_prerouting
-A PREROUTING -i wlan1 -m comment --comment "!fw3" -j zone_Wireless_prerouting
-A PREROUTING -i tun0 -m comment --comment "!fw3" -j zone_VPN_prerouting
-A POSTROUTING -j FWKNOP_MASQUERADE
-A POSTROUTING -j FWKNOP_POSTROUTING
-A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
-A POSTROUTING -o tun+ -m comment --comment "!fw3" -j zone_WAN_postrouting
-A POSTROUTING -o wan -m comment --comment "!fw3" -j zone_WAN_postrouting
-A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_LAN_postrouting
-A POSTROUTING -o lan3 -m comment --comment "!fw3" -j zone_LAN_Port_3_postrouting
-A POSTROUTING -o lan4 -m comment --comment "!fw3" -j zone_LAN_Port_4_postrouting
-A POSTROUTING -o wlan1 -m comment --comment "!fw3" -j zone_Wireless_postrouting
-A POSTROUTING -o tun0 -m comment --comment "!fw3" -j zone_VPN_postrouting
-A zone_LAN_Port_3_postrouting -m comment --comment "!fw3: Custom LAN_Port_3 postrouting rule chain" -j postrouting_LAN_Port_3_rule
-A zone_LAN_Port_3_prerouting -m comment --comment "!fw3: Custom LAN_Port_3 prerouting rule chain" -j prerouting_LAN_Port_3_rule
-A zone_LAN_Port_4_postrouting -m comment --comment "!fw3: Custom LAN_Port_4 postrouting rule chain" -j postrouting_LAN_Port_4_rule
-A zone_LAN_Port_4_prerouting -m comment --comment "!fw3: Custom LAN_Port_4 prerouting rule chain" -j prerouting_LAN_Port_4_rule
-A zone_LAN_postrouting -m comment --comment "!fw3: Custom LAN postrouting rule chain" -j postrouting_LAN_rule
-A zone_LAN_prerouting -m comment --comment "!fw3: Custom LAN prerouting rule chain" -j prerouting_LAN_rule
-A zone_VPN_postrouting -m comment --comment "!fw3: Custom VPN postrouting rule chain" -j postrouting_VPN_rule
-A zone_VPN_prerouting -m comment --comment "!fw3: Custom VPN prerouting rule chain" -j prerouting_VPN_rule
-A zone_WAN_postrouting -m comment --comment "!fw3: Custom WAN postrouting rule chain" -j postrouting_WAN_rule
-A zone_WAN_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_WAN_prerouting -m comment --comment "!fw3: Custom WAN prerouting rule chain" -j prerouting_WAN_rule
-A zone_Wireless_postrouting -m comment --comment "!fw3: Custom Wireless postrouting rule chain" -j postrouting_Wireless_rule
-A zone_Wireless_prerouting -m comment --comment "!fw3: Custom Wireless prerouting rule chain" -j prerouting_Wireless_rule
COMMIT
# Completed on Sat Jan 22 22:22:12 2022