[Solved] OpenVPN provide Internet access

Hello,
I read tons of posts on this matter, but somehow there is no clear direction as to what needs to be done. My main goal is to connect clients (that's me when I am travelling) to the internet through my router.

I followed this OpenVPN wiki. However, when I go to e.g. whatismyip.com, client and server show different public IPv4 addresses and local LAN IPs. The client presents as if it were not connected to the VPN at all.
My VPN server conf:

config openvpn 'VPNserver'
    option  enabled             1
 
    # Protocol #
#------------------------------------------------
    # single dev directive: a second 'option dev' would override the first in UCI
    option  dev                 'tun0'
    option  topology            'subnet'
    option  proto               'udp'
    option  port                5000
 
    # Routes IMPORTANT:subnetmask of VPN is 192.168.200.0/28, needs consistency with firewall# 
#------------------------------------------------
    option  server              '192.168.200.0 255.255.255.240'
    option  ifconfig            '192.168.200.1 255.255.255.240'        
 
    # Pushed Routes here also, check LAN has subnet 192.168.100.0/24 as below# 
#------------------------------------------------
    list    push                'route 192.168.100.0 255.255.255.0'
    list    push                'dhcp-option    DNS 192.168.100.1'
    list    push                'dhcp-option    WINS 192.168.100.1'
    list    push                'dhcp-option    DNS 208.67.232.143'
    list    push                'dhcp-option    DNS 208.67.220.123'
    list    push                'dhcp-option    NTP 129.6.15.30'
 
    # Encryption # 
#------------------------------------------------
    # Diffie-Hellman:
    option  dh                  '/etc/openvpn/dh4096.pem'
 
    # PKCS12:
    option  pkcs12              '/etc/openvpn/server.p12'
 
    # SSL:
    option  cipher              AES-256-CBC
    option  auth                'SHA512'
    option  tls_auth            '/etc/openvpn/tls-auth.key 0'
 
    # TLS:
    option  tls_server          1
    option  tls_version_min     1.2
    option  tls_cipher          'TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-ECDH-RSA-WITH-AES-256-GCM-SHA384:!LOW:!EXP:!SRP:!kRSA'
 
    # Logging # 
#------------------------------------------------
    option  log_append          '/tmp/openvpn.log'
    option  status              '/tmp/openvpn-status.log'
    option  verb                5
 
    # Connection Options # 
#------------------------------------------------
    option  keepalive           '10 120'
    option  comp_lzo            'yes'
 
    # Connection Reliability # 
#------------------------------------------------
    option  client_to_client    1
    option  persist_key         1
    option  persist_tun         1
 
    # Connection Speed # 
#------------------------------------------------
    option  sndbuf              393216
    option  rcvbuf              393216
    option  fragment            0
    option  mssfix              0
    option  tun_mtu             48000
 
    # Pushed Buffers # 
#------------------------------------------------
    list    push                'sndbuf 393216'
    list    push                'rcvbuf 393216'
 
    # Permissions # 
#------------------------------------------------
    option  user                'nobody'
    option  group               'nogroup'

Client conf in the next post ...

Here is my client configuration:

# Config Type #
#------------------------------------------------
client
 
# Connection  #
#------------------------------------------------
dev tun
proto udp
# port must match 'option port' in the server config
remote my-ddns.com 5000
 
# Speed #
#------------------------------------------------
mssfix 0
fragment 0
tun-mtu 48000
 
# Reliability #
#------------------------------------------------
float
nobind
comp-lzo
 
persist-key
persist-tun
resolv-retry infinite
 
# Encryption #
#------------------------------------------------
auth SHA512
auth-nocache
 
# --- SSL --- #
# client certificate, key and CA; not in the original post, path assumed
pkcs12 client.p12
cipher AES-256-CBC
 
# --- TLS --- #
key-direction 1
tls-version-min 1.2
 
remote-cert-eku 'TLS Web Server Authentication'
 
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
copied into here ...
-----END OpenVPN Static key V1-----
</tls-auth>
 
# Logging #
#------------------------------------------------
verb 7 

I have read a lot about putting "redirect-gateway def1" into the server config, but this blocks the client's internet access. Other suggestions are adding "option localservice '0'" to the dnsmasq section of /etc/config/dhcp. I am getting lost; this is beyond my knowledge, and I do not want to mess around with my router settings without knowing what I am doing.

It would be greatly appreciated to get advice on this matter in a way that I can understand, i.e. with a little bit of explanation.

I did not post the logs since they just show that the handshake took place, the connection was established, and the correct routes are used. If required, please tell me and I will post them.

If of importance: I am using my LEDE Router as server and my mobile phone as client with wlan disconnected (phone line only).

Thanks,
Oscar

It's never recommended to utilize the 192.168.100.0/24 subnet on a router, as that is the subnet all cable modems utilize for their web and dhcp servers

  • Regardless of what subnet a router uses, if you navigate to 192.168.100.1 it will bring up the modem's status/config page.

You simply need to add the following to /etc/config/firewall

# VPN to WAN #    
config forwarding
    option  dest            'wan'
    option  src             'vpn'
  • Then issue: /etc/init.d/firewall restart

Gateway Redirect is rarely used by the average user, and the fact that many wikis have this as the default configuration serves only to confuse users.

  • Gateway Redirect is utilized when one wants to route all traffic from arbitrary interface 1 behind the router through the VPN and to arbitrary interface 2 behind the router (usually WAN).
    • This serves to privatize the traffic going through arbitrary interface 1 to arbitrary interface 2 from all other interfaces on the router, thereby preventing access to the data from any snooping from behind the router.

  • Most users will never utilize this.
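The forwarding stanza in the reply above is only one of the pieces: it presupposes a firewall zone that already binds tun0 and a WAN zone that masquerades. As an added example (not from the thread or the wiki it refers to), the script below carries a constructed /etc/config/firewall with those pieces, parses the UCI syntax, and checks the three things tunnel clients need before they can reach the internet: a zone bound to tun0, a forwarding from that zone to wan, and masq on wan. It also checks the zone's input policy, because the server config pushes the router itself as DNS and that traffic is zone input, not forwarding. The zone name 'vpn' and the sample config are assumptions.

```python
import shlex

# Constructed /etc/config/firewall (assumed, not from the post): the lan and
# wan zones a stock LEDE/OpenWrt install ships with, plus a zone binding the
# OpenVPN tun0 device.  The zone name 'vpn' is an assumption; the reply uses
# it without showing the zone definition.
FIREWALL_BASE = """
config zone
    option  name        'lan'
    list    network     'lan'
    option  input       'ACCEPT'
    option  output      'ACCEPT'
    option  forward     'ACCEPT'

config zone
    option  name        'wan'
    list    network     'wan'
    option  input       'REJECT'
    option  output      'ACCEPT'
    option  forward     'REJECT'
    option  masq        '1'

# Binding the raw tun0 device avoids needing a matching 'config interface'
# stanza in /etc/config/network.
config zone
    option  name        'vpn'
    list    device      'tun0'
    option  input       'ACCEPT'
    option  output      'ACCEPT'
    option  forward     'REJECT'

config forwarding
    option  src         'vpn'
    option  dest        'lan'
"""

# The stanza from the reply that lets tunnel traffic out to the internet.
VPN_TO_WAN = """
# VPN to WAN #
config forwarding
    option  dest        'wan'
    option  src         'vpn'
"""
FIREWALL_WORKING = FIREWALL_BASE + VPN_TO_WAN


def parse_uci(text):
    """Parse UCI syntax into sections {'type', 'name', 'opts'}; 'opts' maps each
    option/list name to the list of values seen for it (lists keep every value)."""
    sections = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()     # strip comments and blank lines
        if not line:
            continue
        words = shlex.split(line)                # handles the quoted values
        if words[0] == 'config':
            sections.append({'type': words[1],
                             'name': words[2] if len(words) > 2 else None,
                             'opts': {}})
        elif words[0] in ('option', 'list') and sections:
            sections[-1]['opts'].setdefault(words[1], []).append(words[2])
    return sections


def check_vpn_forwarding(text, tun_dev='tun0', wan_zone='wan', router_is_dns=True):
    """Return the reasons VPN clients could not reach the internet through WAN.
    An empty list means zone, forwarding and NAT are all in place."""
    sections = parse_uci(text)
    zones = {z['opts']['name'][0]: z['opts']
             for z in sections if z['type'] == 'zone' and 'name' in z['opts']}
    forwards = [s['opts'] for s in sections if s['type'] == 'forwarding']
    problems = []
    vpn_zone = next((n for n, z in zones.items() if tun_dev in z.get('device', [])), None)
    if vpn_zone is None:
        problems.append("no zone binds %s: add 'config zone' with list device '%s'"
                        % (tun_dev, tun_dev))
        return problems
    if not any(f.get('src') == [vpn_zone] and f.get('dest') == [wan_zone] for f in forwards):
        problems.append("no 'config forwarding' from zone '%s' to '%s'" % (vpn_zone, wan_zone))
    if zones.get(wan_zone, {}).get('masq') != ['1']:
        problems.append("zone '%s' lacks option masq '1': the tunnel's private client "
                        "addresses would leave towards the ISP un-NATed" % wan_zone)
    # The server pushes the router as DNS, so clients must reach dnsmasq on the
    # router itself: that is the zone's INPUT policy, not forwarding.  An unset
    # policy is treated as not ACCEPT here.
    if router_is_dns and zones[vpn_zone].get('input') != ['ACCEPT']:
        problems.append("zone '%s' input policy is not ACCEPT: DNS pushed as the router "
                        "address needs input ACCEPT or a rule for port 53" % vpn_zone)
    return problems


if __name__ == '__main__':
    for label, cfg in (('without VPN to WAN forwarding', FIREWALL_BASE),
                       ('with it', FIREWALL_WORKING)):
        print(label + ':', check_vpn_forwarding(cfg) or 'OK')
```

On the router the same check can be done by hand with `uci show firewall` after the `/etc/init.d/firewall restart` from the reply; the script is for reasoning about a config copied off the box.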

I believe you are the guy who wrote the wiki I referred to. First of all, thank you, you did a hell of a job. Together with your explanations given in this thread I managed to set up a fully working VPN server without security compromise.

It's not my true LAN address; I altered all personal information before publishing.

JW0914 wrote: "You simply need to add the following to /etc/config/firewall"

Indeed, it was as easy as that! You may want to add it to your wiki?

I have easily had more than 10 hits in the past 6 months dealing with this. In the end, my impression was that it has some voodoo magic... Since I trust my LAN users, it is of no benefit to me.

No problem at all =]

Not at all; there's a legitimate need for Redirect Gateway, it's just that the average user will likely never have a need for it.

  • One common example is, say, you move in with roommates and want to ensure no one (they or guests) snoops your traffic; another example would be having an interface set up specifically for torrents, utilizing Tor, etc.
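What `redirect-gateway` changes is the client's routing table, which is why whatismyip.com kept showing the phone's own address: the server config in the thread pushes only `route 192.168.100.0 255.255.255.0`, so the client sends LAN traffic into tun0 and everything else out through its carrier link (a split tunnel). With `redirect-gateway def1` pushed, OpenVPN adds two /1 routes that outrank the carrier default route plus a host route that keeps the encrypted packets to the VPN server itself on the carrier link, so all other traffic enters the tunnel; that is also why it "blocks internet access" until the VPN-to-WAN forwarding above exists on the router. The script below, an added example that is not part of the thread, builds the resulting client routing table from a list of pushed directives and resolves destinations by longest-prefix match. The VPN server address, carrier interface and the public host standing in for whatismyip.com are constructed documentation addresses.

```python
import ipaddress

# Constructed addresses (assumptions, not from the post): the router's public IP
# the phone dials, the carrier-side interface, and a public host standing in
# for whatismyip.com.
VPN_SERVER = '198.51.100.1'
CARRIER_DEV = 'rmnet0'
PUBLIC_HOST = '203.0.113.10'

# Routing-relevant lines the thread's server config pushes (split tunnel) ...
SPLIT_TUNNEL = ['route 192.168.100.0 255.255.255.0', 'dhcp-option DNS 192.168.100.1']
# ... and the same with the directive the thread discusses (full tunnel).
FULL_TUNNEL = SPLIT_TUNNEL + ['redirect-gateway def1']


def client_routes(push_lines, tun_dev='tun0', tun_net='192.168.200.0/28',
                  vpn_server=VPN_SERVER):
    """Build the client's routing table as (network, device) tuples: the carrier
    default route, the tun subnet from ifconfig, then whatever the pushes add."""
    routes = [(ipaddress.ip_network('0.0.0.0/0'), CARRIER_DEV),
              (ipaddress.ip_network(tun_net), tun_dev)]
    for line in push_lines:
        words = line.split()
        if words[0] == 'route':
            # 'route NET MASK' becomes a route into the tunnel
            routes.append((ipaddress.ip_network(words[1] + '/' + words[2]), tun_dev))
        elif words[0] == 'redirect-gateway':
            # host route: the encrypted traffic to the server must stay on the carrier link
            routes.append((ipaddress.ip_network(vpn_server + '/32'), CARRIER_DEV))
            if 'def1' in words[1:]:
                # def1: two /1 routes outrank the default route without deleting it
                routes.append((ipaddress.ip_network('0.0.0.0/1'), tun_dev))
                routes.append((ipaddress.ip_network('128.0.0.0/1'), tun_dev))
            else:
                # plain redirect-gateway: the default route itself is replaced
                routes = [r for r in routes if r[0].prefixlen != 0]
                routes.append((ipaddress.ip_network('0.0.0.0/0'), tun_dev))
        # dhcp-option, sndbuf and friends do not touch the routing table
    return routes


def egress(routes, dst):
    """Longest-prefix match: the device a packet to dst leaves the phone on."""
    addr = ipaddress.ip_address(dst)
    return max((r for r in routes if addr in r[0]), key=lambda r: r[0].prefixlen)[1]


def egress_table(push_lines, destinations):
    """Map each destination to its egress device for a given set of pushed lines."""
    routes = client_routes(push_lines)
    return {d: egress(routes, d) for d in destinations}


if __name__ == '__main__':
    dests = ['192.168.100.1', PUBLIC_HOST, VPN_SERVER]
    for label, pushes in (('split tunnel', SPLIT_TUNNEL), ('redirect-gateway def1', FULL_TUNNEL)):
        print(label, egress_table(pushes, dests))
```

Running it shows the router's LAN address reached via tun0 in both cases, the public host via rmnet0 under the split tunnel and via tun0 under def1, and the VPN server via rmnet0 in both, which is the table `ip route` would show on the client.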