Description of the problem
OpenVPN apparently connects, but Internet traffic from the LAN isn't "redirected" through it; however, traceroute on the router shows the 10.8.0.1 IP, meaning the traffic is going through the VPN.
Steps to reproduce
Install OpenWRT build 18.06.0-rc2 on a router
Install OpenVPN with opkg (opkg update, then install openvpn-openssl openssl-util luci-app-openvpn)
Download OpenVPN config into /etc/openvpn/ with wget http://myhost.com/client.ovpn
Create a simple config so OpenVPN will use the OVPN file in /etc/openvpn, i.e. /etc/config/openvpn
Actual result
165.227.135.2 refused to connect, and no Internet.
Please note, 165.227.135.2 is not the IP of the VPN, that's just my server I use to check my current IP address.
Additional note: Using the same client.ovpn config with OpenVPN GUI on Windows works, so it's not the config. The OVPN config is generated by this script: https://github.com/Nyr/openvpn-install
Redacted copy of client.ovpn
client
dev tun
proto udp
sndbuf 0
rcvbuf 0
remote [REDACTED FOR PRIVACY AND SECURITY REASONS] 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA512
cipher AES-256-CBC
comp-lzo
setenv opt block-outside-dns
key-direction 1
verb 3
<ca>
-----BEGIN CERTIFICATE-----
[REDACTED FOR PRIVACY AND SECURITY REASONS]
-----END CERTIFICATE-----
</ca>
<cert>
[REDACTED FOR PRIVACY AND SECURITY REASONS]
-----BEGIN CERTIFICATE-----
[REDACTED FOR PRIVACY AND SECURITY REASONS]
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
[REDACTED FOR PRIVACY AND SECURITY REASONS]
-----END PRIVATE KEY-----
</key>
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
[REDACTED FOR PRIVACY AND SECURITY REASONS]
-----END OpenVPN Static key V1-----
</tls-auth>
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.101.1 dev eth0.2 src 192.168.101.2
10.8.0.0/24 dev tun0 scope link src 10.8.0.2
128.0.0.0/1 via 10.8.0.1 dev tun0
[PUBLIC IP OF MY VPN] via 192.168.101.1 dev eth0.2
192.168.1.0/24 dev br-lan scope link src 192.168.1.1
192.168.101.0/24 dev eth0.2 scope link src 192.168.101.2
Note: 192.168.101.1 is the IP of my Ubiquiti antenna, 192.168.1.1 is the OpenWrt router, and 10.8.0.1 is the VPN's virtual interface.
SOLVED! I changed auth to SHA1 (instead of SHA512) on server and client, and also the cipher to AES-128-CBC instead of AES-256-CBC, again on both server and client, and the setup works.
Sat Jul 21 09:52:20 2018 Unrecognized option or missing or extra parameter(s) in client.ovpn:15: block-outside-dns (2.4.5)
Sat Jul 21 09:52:20 2018 OpenVPN 2.4.5 mipsel-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Sat Jul 21 09:52:20 2018 library versions: OpenSSL 1.0.2o 27 Mar 2018, LZO 2.10
Sat Jul 21 09:52:20 2018 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Jul 21 09:52:20 2018 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Jul 21 09:52:20 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]{{MY VPN's IP}}:1194
Sat Jul 21 09:52:20 2018 Socket Buffers: R=[163840->163840] S=[163840->163840]
Sat Jul 21 09:52:20 2018 UDP link local: (not bound)
Sat Jul 21 09:52:20 2018 UDP link remote: [AF_INET]{{MY VPN's IP}}:1194
Sat Jul 21 09:52:20 2018 TLS: Initial packet from [AF_INET]{{MY VPN's IP}}:1194, sid=01275004 6917aeef
Sat Jul 21 09:52:20 2018 VERIFY OK: depth=1, CN=ChangeMe
Sat Jul 21 09:52:20 2018 VERIFY KU OK
Sat Jul 21 09:52:20 2018 Validating certificate extended key usage
Sat Jul 21 09:52:20 2018 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Sat Jul 21 09:52:20 2018 VERIFY EKU OK
Sat Jul 21 09:52:20 2018 VERIFY OK: depth=0, CN=server
Sat Jul 21 09:52:21 2018 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Sat Jul 21 09:52:21 2018 [server] Peer Connection Initiated with [AF_INET]{{MY VPN's IP}}:1194
Sat Jul 21 09:52:22 2018 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Sat Jul 21 09:52:22 2018 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 1.1.1.1,dhcp-option DNS 1.0.0.1,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0'
Sat Jul 21 09:52:22 2018 OPTIONS IMPORT: timers and/or timeouts modified
Sat Jul 21 09:52:22 2018 OPTIONS IMPORT: --ifconfig/up options modified
Sat Jul 21 09:52:22 2018 OPTIONS IMPORT: route options modified
Sat Jul 21 09:52:22 2018 OPTIONS IMPORT: route-related options modified
Sat Jul 21 09:52:22 2018 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sat Jul 21 09:52:22 2018 Outgoing Data Channel: Cipher 'AES-128-CBC' initialized with 128 bit key
Sat Jul 21 09:52:22 2018 Outgoing Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Jul 21 09:52:22 2018 Incoming Data Channel: Cipher 'AES-128-CBC' initialized with 128 bit key
Sat Jul 21 09:52:22 2018 Incoming Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Jul 21 09:52:22 2018 TUN/TAP device tun0 opened
Sat Jul 21 09:52:22 2018 TUN/TAP TX queue length set to 100
Sat Jul 21 09:52:22 2018 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Sat Jul 21 09:52:22 2018 /sbin/ifconfig tun0 10.8.0.2 netmask 255.255.255.0 mtu 1500 broadcast 10.8.0.255
Sat Jul 21 09:52:22 2018 /sbin/route add -net {{MY VPN's IP}} netmask 255.255.255.255 gw 192.168.101.1
Sat Jul 21 09:52:22 2018 /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.8.0.1
Sat Jul 21 09:52:22 2018 /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.8.0.1
Sat Jul 21 09:52:22 2018 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sat Jul 21 09:52:22 2018 Initialization Sequence Completed
Edit: I also ran the following commands, which is probably what fixed the issue:
uci set network.myvpnc=interface
uci set network.myvpnc.proto=none
uci set network.myvpnc.ifname=tun0
uci commit network
uci add firewall zone
uci set firewall.@zone[-1]=zone
uci set firewall.@zone[-1].name=myvpnc_fw
uci set firewall.@zone[-1].network=myvpnc
uci set firewall.@zone[-1].input=REJECT
uci set firewall.@zone[-1].output=ACCEPT
uci set firewall.@zone[-1].forward=REJECT
uci set firewall.@zone[-1].masq=1
uci set firewall.@zone[-1].mtu_fix=1
uci add firewall forwarding
uci set firewall.@forwarding[-1]=forwarding
uci set firewall.@forwarding[-1].src=lan
uci set firewall.@forwarding[-1].dest=myvpnc_fw
uci commit firewall
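The three things the post ends up relying on can be checked from the router's shell rather than by guessing: the "redirect-gateway def1" routes from the PUSH_REPLY must both exist and both point out of tun0 (the two /1 routes in the routing table above), the uci firewall zone that covers tun0 must masquerade and accept forwarding from lan (the uci commands above), and the OpenVPN log tells you which .ovpn options were silently dropped (the "Unrecognized option ... block-outside-dns" line in the log). The script below is an added example, not code from the original post or from OpenWrt; its sample inputs are constructed to mirror the post's routing table, its uci commands and one log line, and the network/zone names myvpnc and myvpnc_fw are taken from the post. On a real router the inputs would come from ip route, uci show firewall and logread.

```shell
#!/bin/sh
# Added example (not from the post): sanity checks for an OpenVPN client on OpenWrt
# that is meant to carry all LAN traffic. Samples are constructed, not captured.
# Assumed names from the post's uci commands: network "myvpnc", zone "myvpnc_fw".

sample_routes() {            # constructed, mirrors the post's `ip route` output
cat <<'EOF'
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.101.1 dev eth0.2 src 192.168.101.2
10.8.0.0/24 dev tun0 scope link src 10.8.0.2
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev br-lan scope link src 192.168.1.1
EOF
}

sample_firewall() {          # constructed `uci show firewall` excerpt; "guest" lacks masq
cat <<'EOF'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].network='lan'
firewall.@zone[1]=zone
firewall.@zone[1].name='myvpnc_fw'
firewall.@zone[1].network='myvpnc'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@zone[2]=zone
firewall.@zone[2].name='guest'
firewall.@zone[2].network='guest'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='myvpnc_fw'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].src='lan'
firewall.@forwarding[1].dest='guest'
EOF
}

sample_log() {               # constructed excerpt in the format of the post's log
cat <<'EOF'
Sat Jul 21 09:52:20 2018 Unrecognized option or missing or extra parameter(s) in client.ovpn:15: block-outside-dns (2.4.5)
Sat Jul 21 09:52:22 2018 Initialization Sequence Completed
EOF
}

# check_def1_routes DEV ROUTES: "redirect-gateway def1" keeps the WAN default route and
# adds 0.0.0.0/1 + 128.0.0.0/1, which win by prefix length. Both must leave via DEV,
# otherwise half of the address space still goes out the WAN unencrypted.
check_def1_routes() {
    dev="$1"; routes="$2"
    printf '%s\n' "$routes" | grep -Eq "^0\.0\.0\.0/1 via [0-9.]+ dev $dev( |$)" || return 1
    printf '%s\n' "$routes" | grep -Eq "^128\.0\.0\.0/1 via [0-9.]+ dev $dev( |$)" || return 1
}

# check_vpn_zone NET FWCFG: the zone whose network list contains NET must have masq='1'
# (LAN addresses are not routable on the VPN side) and a lan -> zone forwarding.
# Prints the zone name on success, returns 1 otherwise.
check_vpn_zone() {
    net="$1"; cfg="$2"
    while read -r sec; do
        [ -n "$sec" ] || continue
        nets=$(printf '%s\n' "$cfg" | grep -F "$sec.network=" | head -n 1 | cut -d= -f2- | tr -d "'")
        case " $nets " in *" $net "*) ;; *) continue ;; esac
        printf '%s\n' "$cfg" | grep -Fxq "$sec.masq='1'" || return 1
        name=$(printf '%s\n' "$cfg" | grep -F "$sec.name=" | head -n 1 | cut -d= -f2- | tr -d "'")
        [ -n "$name" ] || return 1
        while read -r fwd; do
            [ -n "$fwd" ] || continue
            if printf '%s\n' "$cfg" | grep -Fxq "$fwd.src='lan'" &&
               printf '%s\n' "$cfg" | grep -Fxq "$fwd.dest='$name'"; then
                printf '%s\n' "$name"; return 0
            fi
        done <<FWD
$(printf '%s\n' "$cfg" | grep -E "^firewall\.@forwarding\[[0-9]+\]=forwarding$" | cut -d= -f1)
FWD
        return 1
    done <<ZONES
$(printf '%s\n' "$cfg" | grep -E "^firewall\.@zone\[[0-9]+\]=zone$" | cut -d= -f1)
ZONES
    return 1
}

# unrecognized_options LOG: option names OpenVPN rejected while parsing the .ovpn.
# "setenv opt" only turns the rejection into a warning; block-outside-dns is a
# Windows-only option and never takes effect on Linux.
unrecognized_options() {
    printf '%s\n' "$1" | grep -F 'Unrecognized option' | sed 's/.*: \([^ ]*\) (.*/\1/'
}

# Stand-alone run against the constructed samples.
if check_def1_routes tun0 "$(sample_routes)"; then
    echo "def1 split routes via tun0: ok"
else
    echo "def1 split routes via tun0: missing (traffic uses the WAN default route)"
fi
if zone=$(check_vpn_zone myvpnc "$(sample_firewall)"); then
    echo "zone '$zone' masquerades and accepts forwarding from lan: ok"
else
    echo "no zone with masq and lan forwarding covers network myvpnc"
fi
echo "options OpenVPN ignored: $(unrecognized_options "$(sample_log)")"
```

To use it on the router, replace the three sample functions with `ip route`, `uci show firewall` and `logread | grep openvpn`. The masq check matters beyond connectivity: without it, packets from 192.168.1.0/24 reach the VPN server with a source address it has no route back to, which is exactly the "connected but no Internet" symptom the post describes.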