[SOLVED] OpenVPN not routing

Hi all,
This has likely been answered many times, but the search is not strong with me, I guess.
Problem: A while ago, I upgraded from OpenWrt 18.xx to 19.07. Before that, I had OpenVPN working just fine (could connect to VPN and see things on my network, as well as access the internet via my router). After I upgraded, I did a quick test, and everything seemed to be fine, but apparently was not. The issue I'm seeing now is that while I can connect to the VPN, it does not seem to route anywhere.
When I initiate the VPN via my phone, connection completes successfully.

> tail -n 50 /etc/openvpn/openvpn.log
> Mon May 11 18:55:05 2020 172.58.140.171:19918 TLS: Initial packet from [AF_INET]172.58.140.171:19918, sid=eb2d4ab1 4afcfd26
> Mon May 11 18:55:05 2020 172.58.140.171:19918 VERIFY OK: depth=1, C=US, ST=IL, L=Chicago, O=Entropy, OU=MyOrganizationalUnit, CN=ChicagoHQ, name=EasyRSA, emailAddress=me@myhost.mydomain
> Mon May 11 18:55:05 2020 172.58.140.171:19918 VERIFY OK: depth=0, C=US, ST=IL, L=Chicago, O=Fort-Funston, OU=MyOrganizationalUnit, CN=OnePlus5, name=EasyRSA, emailAddress=me@myhost.mydomain
> Mon May 11 18:55:05 2020 172.58.140.171:19918 peer info: IV_VER=2.5_master
> Mon May 11 18:55:05 2020 172.58.140.171:19918 peer info: IV_PLAT=android
> Mon May 11 18:55:05 2020 172.58.140.171:19918 peer info: IV_PROTO=2
> Mon May 11 18:55:05 2020 172.58.140.171:19918 peer info: IV_NCP=2
> Mon May 11 18:55:05 2020 172.58.140.171:19918 peer info: IV_LZ4=1
> Mon May 11 18:55:05 2020 172.58.140.171:19918 peer info: IV_LZ4v2=1
> Mon May 11 18:55:05 2020 172.58.140.171:19918 peer info: IV_LZO=1
> Mon May 11 18:55:05 2020 172.58.140.171:19918 peer info: IV_COMP_STUB=1
> Mon May 11 18:55:05 2020 172.58.140.171:19918 peer info: IV_COMP_STUBv2=1
> Mon May 11 18:55:05 2020 172.58.140.171:19918 peer info: IV_TCPNL=1
> Mon May 11 18:55:05 2020 172.58.140.171:19918 peer info: IV_GUI_VER=de.blinkt.openvpn_0.7.5
> Mon May 11 18:55:05 2020 172.58.140.171:19918 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-CHACHA20-POLY1305, 2048 bit RSA
> Mon May 11 18:55:05 2020 172.58.140.171:19918 [OnePlus5] Peer Connection Initiated with [AF_INET]172.58.140.171:19918
> Mon May 11 18:55:05 2020 MULTI: new connection by client 'OnePlus5' will cause previous active sessions by this client to be dropped.  Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
> Mon May 11 18:55:05 2020 OPTIONS IMPORT: reading client specific options from: /etc/openvpn/clients/OnePlus5
> Mon May 11 18:55:05 2020 MULTI_sva: pool returned IPv4=172.17.0.6, IPv6=(Not enabled)
> Mon May 11 18:55:05 2020 MULTI: Learn: 172.17.0.6 -> OnePlus5/172.58.140.171:19918
> Mon May 11 18:55:05 2020 MULTI: primary virtual IP for OnePlus5/172.58.140.171:19918: 172.17.0.6
> Mon May 11 18:55:06 2020 OnePlus5/172.58.140.171:19918 PUSH: Received control message: 'PUSH_REQUEST'
> Mon May 11 18:55:06 2020 OnePlus5/172.58.140.171:19918 SENT CONTROL [OnePlus5]: 'PUSH_REPLY,dhcp-option DNS 172.16.1.1,route 172.16.0.0/16,route 172.17.0.1,topology net30,ping 10,ping-restart 120,dhcp-option DNS 8.8.8.8,dhcp-option DNS 1.1.1.1,dhcp-option DNS 208.67.222.222,ifconfig 172.17.0.6 172.17.0.5,peer-id 1,cipher AES-256-GCM' (status=1)
> Mon May 11 18:55:06 2020 OnePlus5/172.58.140.171:19918 Data Channel: using negotiated cipher 'AES-256-GCM'
> Mon May 11 18:55:06 2020 OnePlus5/172.58.140.171:19918 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
> Mon May 11 18:55:06 2020 OnePlus5/172.58.140.171:19918 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key

However, if I try to ping anything on the network, tcpdump shows me that the ping doesn't go anywhere (172.17.0.6 is my phone, and odroid.EASTWOOD is a computer on the network):

> tcpdump -i tun0 icmp
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
> 18:02:58.803157 IP 172.17.0.6 > odroid.EASTWOOD: ICMP echo request, id 275, seq 5, length 64
> 18:02:59.850164 IP 172.17.0.6 > odroid.EASTWOOD: ICMP echo request, id 275, seq 6, length 64
> 18:03:00.815471 IP 172.17.0.6 > odroid.EASTWOOD: ICMP echo request, id 275, seq 7, length 64
> 18:03:01.806226 IP 172.17.0.6 > odroid.EASTWOOD: ICMP echo request, id 275, seq 8, length 64

Basically, the router sees the ICMP request, but I think it doesn't go anywhere.
Looking at the routing table, this makes sense (to me), because tun0 doesn't show up in the routing table:

> route
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> default         c-73-51-97-1.hs 0.0.0.0         UG    0      0        0 br-wan
> 10.14.0.0       *               255.255.0.0     U     0      0        0 WG0
> 10.14.0.3       *               255.255.255.255 UH    0      0        0 WG0
> 73.51.97.0      *               255.255.255.0   U     0      0        0 br-wan
> 172.16.0.0      *               255.255.0.0     U     0      0        0 br-lan

When I set up OpenVPN ages ago, I did it through the CLI with the help of an online guide that I can no longer find. So I feel a bit up the creek here. Any help is appreciated. I suspect that there's some routing/firewall setting that I'm missing, forgot about, or screwed up at some point!

Any help is appreciated!

Here's my setup:
Network Setup:

> cat /etc/config/network
> 
> config interface 'loopback'
>         option ifname 'lo'
>         option proto 'static'
>         option ipaddr '127.0.0.1'
>         option netmask '255.0.0.0'
> 
> config globals 'globals'
>         option ula_prefix 'fd45:8c44:5d35::/48'
> 
> config interface 'lan'
>         option type 'bridge'
>         option proto 'static'
>         option ip6assign '60'
>         option ipaddr '172.16.1.1'
>         option netmask '255.255.0.0'
>         option _orig_ifname 'eth0 wlan0 wlan1 wlan1-1'
>         option _orig_bridge 'true'
>         option ifname 'eth0'
> 
> config interface 'wan'
>         option ifname 'eth1'
>         option proto 'dhcp'
>         option type 'bridge'
> 
> config interface 'wan6'
>         option ifname 'eth1'
>         option proto 'dhcpv6'
> 
> config switch
>         option name 'switch0'
>         option reset '1'
>         option enable_vlan '1'
> 
> config switch_vlan
>         option device 'switch0'
>         option vlan '1'
>         option ports '0 1 2 3 5'
> 
> config switch_vlan
>         option device 'switch0'
>         option vlan '2'
>         option ports '4 6'
> 
> config route
> 
> config interface 'vpn0'
>         option ifname 'tun0'
>         option proto 'none'
> 
> config interface 'WG0'
>         option proto 'wireguard'
>         option private_key 'Something'
>         option listen_port '1234'
>         list addresses '10.14.0.0/16'
> 
> config wireguard_WG0
>         option public_key 'Something else'
>         list allowed_ips '10.14.0.3/32'
>         option route_allowed_ips '1'
>         option persistent_keepalive '25'

Lastly, OpenVPN setup:

> cat /etc/config/openvpn
> 
> config openvpn 'myvpn'
>         option enabled '1'
>         option verb '3'
>         option port '1194'
>         option proto 'udp'
>         option dev 'tun'
>         option keepalive '10 120'
>         option ca '/etc/openvpn/ca.crt'
>         option cert '/etc/openvpn/my-server.crt'
>         option key '/etc/openvpn/my-server.key'
>         option dh '/etc/openvpn/dh2048.pem'
>         option server '172.17.0.0 255.255.0.0'
>         option client_config_dir '/etc/openvpn/clients'
>         option log '/etc/openvpn/openvpn.log'
>         option float '1'
>         option cipher 'AES-256-CBC'
>         list push 'dhcp-option DNS 172.16.1.1'
>         list push 'route 172.16.0.0/16'

Thanks again for taking the time to look at this issue!

Spiff

You're missing the client-to-client directive in your OpenVPN config. Also, the guide is still there (first result if you Google "openwrt openvpn"). I'm on mobile, so I'll provide links later if you need them.

Edit: I see you're using the UCI config for OpenVPN, that should be option client_to_client '1' I think.

Now my OpenVPN config looks like this:

cat /etc/config/openvpn

config openvpn 'myvpn'
        option enabled '1'
        option verb '3'
        option port '1194'
        option proto 'udp'
        option dev 'tun'
        option keepalive '10 120'
        option ca '/etc/openvpn/ca.crt'
        option cert '/etc/openvpn/my-server.crt'
        option key '/etc/openvpn/my-server.key'
        option dh '/etc/openvpn/dh2048.pem'
        option server '172.17.0.0 255.255.0.0'
        option client_config_dir '/etc/openvpn/clients'
        option log '/etc/openvpn/openvpn.log'
        option float '1'
        option cipher 'AES-256-CBC'
        list push 'dhcp-option DNS 172.16.1.1'
        list push 'route 172.16.0.0/16'
        **option client_to_client '1'**

Seems to work like a champ again. Thanks!

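An added check, not from this thread or from OpenWrt's own tooling: a POSIX shell audit of a UCI openvpn server section, run here over a constructed copy of the final config above (on a router you would feed it `cat /etc/config/openvpn` instead). It reads back the settings the thread relies on (server pool, pushed LAN route, client_to_client) and flags the side effect of client_to_client, which makes OpenVPN relay packets between VPN clients internally so they never cross tun0 and the kernel firewall cannot filter them; the section name `myvpn` and the helper names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: audit an OpenWrt UCI openvpn section.
# sample_config is a constructed copy of the poster's final config; replace
# it with `cat /etc/config/openvpn` on a real router.
sample_config() {
cat <<'EOF'
config openvpn 'myvpn'
        option enabled '1'
        option dev 'tun'
        option server '172.17.0.0 255.255.0.0'
        option cipher 'AES-256-CBC'
        list push 'dhcp-option DNS 172.16.1.1'
        list push 'route 172.16.0.0/16'
        option client_to_client '1'
EOF
}

# uci_get SECTION KEY [option|list]: print the value(s) of KEY inside the
# "config openvpn 'SECTION'" block read from stdin; list keys may print
# several lines. \047 is the single quote that UCI wraps values in.
uci_get() {
    awk -v sec="$1" -v key="$2" -v kind="${3:-option}" '
        $1 == "config" { s = $3; gsub(/\047/, "", s); in_sec = (s == sec) }
        in_sec && $1 == kind && $2 == key {
            sub(/^[^\047]*\047/, ""); sub(/\047[[:space:]]*$/, ""); print
        }'
}

# audit_openvpn SECTION: read a UCI config on stdin, print one finding per
# line, return 0 if the section is a usable routed server and 1 otherwise.
audit_openvpn() {
    cfg=$(cat); rc=0
    if [ -z "$(printf '%s\n' "$cfg" | uci_get "$1" server)" ]; then
        echo "FAIL: no 'server' pool, this is not a server section"; rc=1
    fi
    if [ "$(printf '%s\n' "$cfg" | uci_get "$1" client_to_client)" = "1" ]; then
        # OpenVPN now switches client-to-client traffic in userspace, so
        # netfilter rules on tun0 never see it: VPN peers reach each other.
        echo "INFO: client_to_client=1, VPN peers reach each other unfiltered"
    fi
    routes=$(printf '%s\n' "$cfg" | uci_get "$1" push list | grep '^route ' || true)
    if [ -z "$routes" ]; then
        echo "WARN: no pushed routes, clients will not reach the LAN"; rc=1
    fi
    return $rc
}

sample_config | audit_openvpn myvpn
```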

Please mark my reply if it solved the problem for you :slightly_smiling_face: .
