Hi all,
This has likely been answered many times, but the search is not strong with me, I guess.
Problem: A while ago, I upgraded from OpenWRT 18.xx to 19.07. Before that, I had OpenVPN working just fine (could connect to VPN and see things on my network, as well as access the internet via my router). After I upgraded, I did a quick test, and everything seemed to be fine, but apparently it was not. The issue I'm seeing now is that while I can connect to the VPN, it does not seem to route anywhere.
When I initiate the VPN via my phone, the connection completes successfully.
> tail -n 50 /etc/openvpn/openvpn.log
> Mon May 11 18:55:05 2020 172.58.140.171:19918 TLS: Initial packet from [AF_INET]172.58.140.171:19918, sid=eb2d4ab1 4afcfd26
> Mon May 11 18:55:05 2020 172.58.140.171:19918 VERIFY OK: depth=1, C=US, ST=IL, L=Chicago, O=Entropy, OU=MyOrganizationalUnit, CN=ChicagoHQ, name=EasyRSA, emailAddress=me@myhost.mydomain
> Mon May 11 18:55:05 2020 172.58.140.171:19918 VERIFY OK: depth=0, C=US, ST=IL, L=Chicago, O=Fort-Funston, OU=MyOrganizationalUnit, CN=OnePlus5, name=EasyRSA, emailAddress=me@myhost.mydomain
> Mon May 11 18:55:05 2020 172.58.140.171:19918 peer info: IV_VER=2.5_master
> Mon May 11 18:55:05 2020 172.58.140.171:19918 peer info: IV_PLAT=android
> Mon May 11 18:55:05 2020 172.58.140.171:19918 peer info: IV_PROTO=2
> Mon May 11 18:55:05 2020 172.58.140.171:19918 peer info: IV_NCP=2
> Mon May 11 18:55:05 2020 172.58.140.171:19918 peer info: IV_LZ4=1
> Mon May 11 18:55:05 2020 172.58.140.171:19918 peer info: IV_LZ4v2=1
> Mon May 11 18:55:05 2020 172.58.140.171:19918 peer info: IV_LZO=1
> Mon May 11 18:55:05 2020 172.58.140.171:19918 peer info: IV_COMP_STUB=1
> Mon May 11 18:55:05 2020 172.58.140.171:19918 peer info: IV_COMP_STUBv2=1
> Mon May 11 18:55:05 2020 172.58.140.171:19918 peer info: IV_TCPNL=1
> Mon May 11 18:55:05 2020 172.58.140.171:19918 peer info: IV_GUI_VER=de.blinkt.openvpn_0.7.5
> Mon May 11 18:55:05 2020 172.58.140.171:19918 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-CHACHA20-POLY1305, 2048 bit RSA
> Mon May 11 18:55:05 2020 172.58.140.171:19918 [OnePlus5] Peer Connection Initiated with [AF_INET]172.58.140.171:19918
> Mon May 11 18:55:05 2020 MULTI: new connection by client 'OnePlus5' will cause previous active sessions by this client to be dropped. Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
> Mon May 11 18:55:05 2020 OPTIONS IMPORT: reading client specific options from: /etc/openvpn/clients/OnePlus5
> Mon May 11 18:55:05 2020 MULTI_sva: pool returned IPv4=172.17.0.6, IPv6=(Not enabled)
> Mon May 11 18:55:05 2020 MULTI: Learn: 172.17.0.6 -> OnePlus5/172.58.140.171:19918
> Mon May 11 18:55:05 2020 MULTI: primary virtual IP for OnePlus5/172.58.140.171:19918: 172.17.0.6
> Mon May 11 18:55:06 2020 OnePlus5/172.58.140.171:19918 PUSH: Received control message: 'PUSH_REQUEST'
> Mon May 11 18:55:06 2020 OnePlus5/172.58.140.171:19918 SENT CONTROL [OnePlus5]: 'PUSH_REPLY,dhcp-option DNS 172.16.1.1,route 172.16.0.0/16,route 172.17.0.1,topology net30,ping 10,ping-restart 120,dhcp-option DNS 8.8.8.8,dhcp-option DNS 1.1.1.1,dhcp-option DNS 208.67.222.222,ifconfig 172.17.0.6 172.17.0.5,peer-id 1,cipher AES-256-GCM' (status=1)
> Mon May 11 18:55:06 2020 OnePlus5/172.58.140.171:19918 Data Channel: using negotiated cipher 'AES-256-GCM'
> Mon May 11 18:55:06 2020 OnePlus5/172.58.140.171:19918 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
> Mon May 11 18:55:06 2020 OnePlus5/172.58.140.171:19918 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
However, if I try to ping anything on the network, tcpdump shows me that the ping doesn't go anywhere (172.17.0.6 is my phone, and odroid.EASTWOOD is a computer on the network):
> tcpdump -i tun0 icmp
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
> 18:02:58.803157 IP 172.17.0.6 > odroid.EASTWOOD: ICMP echo request, id 275, seq 5, length 64
> 18:02:59.850164 IP 172.17.0.6 > odroid.EASTWOOD: ICMP echo request, id 275, seq 6, length 64
> 18:03:00.815471 IP 172.17.0.6 > odroid.EASTWOOD: ICMP echo request, id 275, seq 7, length 64
> 18:03:01.806226 IP 172.17.0.6 > odroid.EASTWOOD: ICMP echo request, id 275, seq 8, length 64
Basically, the router sees the ICMP request, but I think it doesn't go anywhere.
Looking at the routing table, this makes sense (to me), because tun0 doesn't show up in the routing table:
> route
> Kernel IP routing table
> Destination Gateway Genmask Flags Metric Ref Use Iface
> default c-73-51-97-1.hs 0.0.0.0 UG 0 0 0 br-wan
> 10.14.0.0 * 255.255.0.0 U 0 0 0 WG0
> 10.14.0.3 * 255.255.255.255 UH 0 0 0 WG0
> 73.51.97.0 * 255.255.255.0 U 0 0 0 br-wan
> 172.16.0.0 * 255.255.0.0 U 0 0 0 br-lan
When I set up OpenVPN ages ago, I did it through the CLI with the help of an online guide that I can no longer find. So I feel a bit up the creek here. Any help is appreciated. I suspect that there's some routing/firewall setting that I'm missing, forgot about, or screwed up at some point!
Any help is appreciated!
Here's my setup:
Network Setup:
> cat /etc/config/network
>
> config interface 'loopback'
> option ifname 'lo'
> option proto 'static'
> option ipaddr '127.0.0.1'
> option netmask '255.0.0.0'
>
> config globals 'globals'
> option ula_prefix 'fd45:8c44:5d35::/48'
>
> config interface 'lan'
> option type 'bridge'
> option proto 'static'
> option ip6assign '60'
> option ipaddr '172.16.1.1'
> option netmask '255.255.0.0'
> option _orig_ifname 'eth0 wlan0 wlan1 wlan1-1'
> option _orig_bridge 'true'
> option ifname 'eth0'
>
> config interface 'wan'
> option ifname 'eth1'
> option proto 'dhcp'
> option type 'bridge'
>
> config interface 'wan6'
> option ifname 'eth1'
> option proto 'dhcpv6'
>
> config switch
> option name 'switch0'
> option reset '1'
> option enable_vlan '1'
>
> config switch_vlan
> option device 'switch0'
> option vlan '1'
> option ports '0 1 2 3 5'
>
> config switch_vlan
> option device 'switch0'
> option vlan '2'
> option ports '4 6'
>
> config route
>
> config interface 'vpn0'
> option ifname 'tun0'
> option proto 'none'
>
> config interface 'WG0'
> option proto 'wireguard'
> option private_key 'Something'
> option listen_port '1234'
> list addresses '10.14.0.0/16'
>
> config wireguard_WG0
> option public_key 'Something else'
> list allowed_ips '10.14.0.3/32'
> option route_allowed_ips '1'
> option persistent_keepalive '25'
Lastly, OpenVPN setup:
> cat /etc/config/openvpn
>
> config openvpn 'myvpn'
> option enabled '1'
> option verb '3'
> option port '1194'
> option proto 'udp'
> option dev 'tun'
> option keepalive '10 120'
> option ca '/etc/openvpn/ca.crt'
> option cert '/etc/openvpn/my-server.crt'
> option key '/etc/openvpn/my-server.key'
> option dh '/etc/openvpn/dh2048.pem'
> option server '172.17.0.0 255.255.0.0'
> option client_config_dir '/etc/openvpn/clients'
> option log '/etc/openvpn/openvpn.log'
> option float '1'
> option cipher 'AES-256-CBC'
> list push 'dhcp-option DNS 172.16.1.1'
> list push 'route 172.16.0.0/16'
Thanks again for taking the time to look at this issue!
Spiff
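An added check, not from the post or from OpenWrt/OpenVPN, that makes the observation above mechanical: it parses the `server` option from the OpenVPN UCI entry and a `route` dump, then reports whether the VPN pool has a kernel route out of the tunnel interface. The routing table and server option below are constructed from the post; `tun0` as the interface name is an assumption.

```python
"""Check that an OpenVPN server's client pool is routed via its tun interface."""
import ipaddress
import re

# Constructed sample: the routing table shown in the post (no tun0 entry).
ROUTE_TABLE = """\
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default c-73-51-97-1.hs 0.0.0.0 UG 0 0 0 br-wan
10.14.0.0 * 255.255.0.0 U 0 0 0 WG0
10.14.0.3 * 255.255.255.255 UH 0 0 0 WG0
73.51.97.0 * 255.255.255.0 U 0 0 0 br-wan
172.16.0.0 * 255.255.0.0 U 0 0 0 br-lan
"""
# Constructed sample: the `server` line from /etc/config/openvpn in the post.
SERVER_OPTION = "option server '172.17.0.0 255.255.0.0'"


def parse_routes(text):
    """Return (network, iface) pairs from netstat-style `route` output."""
    routes = []
    for line in text.splitlines()[2:]:          # skip title and header rows
        dest, _gw, mask, *rest = line.split()
        if dest == "default":
            dest = "0.0.0.0"
        routes.append((ipaddress.IPv4Network(f"{dest}/{mask}"), rest[-1]))
    return routes


def pool_from_server_option(option_line):
    """Extract the client pool from a UCI `option server 'NET MASK'` line."""
    m = re.search(r"option server '(\S+) (\S+)'", option_line)
    return ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}")


def best_iface(route_text, cidr):
    """Interface of the most specific route covering `cidr`, or None."""
    net = ipaddress.IPv4Network(cidr)
    hits = [(n, i) for n, i in parse_routes(route_text) if net.subnet_of(n)]
    return max(hits, key=lambda h: h[0].prefixlen, default=(None, None))[1]


def check_vpn_route(route_text, server_option, tun_iface="tun0"):
    """Return (ok, message): ok is True only if the pool exits via tun_iface."""
    pool = pool_from_server_option(server_option)
    via = best_iface(route_text, str(pool))
    if via != tun_iface:
        return False, f"MISSING: {pool} is routed via {via}, not {tun_iface}"
    return True, f"OK: {pool} via {tun_iface}"


if __name__ == "__main__":
    print(check_vpn_route(ROUTE_TABLE, SERVER_OPTION)[1])
```

On the poster's table the pool falls through to the default route on br-wan, which is exactly why replies from tun0 clients never come back through the tunnel.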