After trying for 2 weeks, I finally got my ovpn server working on the EA4500 (by following the basic guide).
My iPhone with the official client app is able to connect to the server when it's connected to my home Wi-Fi (same LAN as the server).
Connect from LAN OK:
Sun Jun 7 13:28:09 2020 daemon.err openvpn(server)[18189]: event_wait : Interrupted system call (code=4)
Sun Jun 7 13:28:09 2020 daemon.notice openvpn(server)[18189]: /sbin/ifconfig tun0 0.0.0.0
Sun Jun 7 13:28:09 2020 daemon.warn openvpn(server)[18189]: Linux ip addr del failed: external program exited with error status: 1
Sun Jun 7 13:28:09 2020 daemon.notice openvpn(server)[18189]: SIGTERM[hard,] received, process exiting
Sun Jun 7 13:28:09 2020 daemon.notice openvpn(server)[18286]: OpenVPN 2.4.7 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Sun Jun 7 13:28:09 2020 daemon.notice openvpn(server)[18286]: library versions: OpenSSL 1.1.1g 21 Apr 2020, LZO 2.10
Sun Jun 7 13:28:09 2020 daemon.notice openvpn(server)[18286]: TUN/TAP device tun0 opened
Sun Jun 7 13:28:09 2020 daemon.notice openvpn(server)[18286]: /sbin/ifconfig tun0 192.168.8.1 netmask 255.255.255.0 mtu 1500 broadcast 192.168.8.255
Sun Jun 7 13:28:09 2020 daemon.warn openvpn(server)[18286]: Could not determine IPv4/IPv6 protocol. Using AF_INET
Sun Jun 7 13:28:09 2020 daemon.notice openvpn(server)[18286]: UDPv4 link local (bound): [AF_INET][undef]:1194
Sun Jun 7 13:28:09 2020 daemon.notice openvpn(server)[18286]: UDPv4 link remote: [AF_UNSPEC]
Sun Jun 7 13:28:09 2020 daemon.notice openvpn(server)[18286]: GID set to nogroup
Sun Jun 7 13:28:09 2020 daemon.notice openvpn(server)[18286]: UID set to nobody
Sun Jun 7 13:28:09 2020 daemon.notice openvpn(server)[18286]: Initialization Sequence Completed
Sun Jun 7 13:28:15 2020 daemon.notice openvpn(server)[18286]: 192.168.1.121:56586 peer info: IV_GUI_VER=net.openvpn.connect.ios_3.1.2-3096
Sun Jun 7 13:28:15 2020 daemon.notice openvpn(server)[18286]: 192.168.1.121:56586 peer info: IV_VER=3.git::f225fcd0
Sun Jun 7 13:28:15 2020 daemon.notice openvpn(server)[18286]: 192.168.1.121:56586 peer info: IV_PLAT=ios
Sun Jun 7 13:28:15 2020 daemon.notice openvpn(server)[18286]: 192.168.1.121:56586 peer info: IV_NCP=2
Sun Jun 7 13:28:15 2020 daemon.notice openvpn(server)[18286]: 192.168.1.121:56586 peer info: IV_TCPNL=1
Sun Jun 7 13:28:15 2020 daemon.notice openvpn(server)[18286]: 192.168.1.121:56586 peer info: IV_PROTO=2
Sun Jun 7 13:28:15 2020 daemon.notice openvpn(server)[18286]: 192.168.1.121:56586 peer info: IV_AUTO_SESS=1
Sun Jun 7 13:28:15 2020 daemon.notice openvpn(server)[18286]: 192.168.1.121:56586 peer info: IV_BS64DL=1
Sun Jun 7 13:28:15 2020 daemon.notice openvpn(server)[18286]: 192.168.1.121:56586 [client] Peer Connection Initiated with [AF_INET]192.168.1.121:56586
Sun Jun 7 13:28:15 2020 daemon.notice openvpn(server)[18286]: client/192.168.1.121:56586 MULTI_sva: pool returned IPv4=192.168.8.2, IPv6=(Not enabled)
But it's NOT able to connect when on the mobile network. I assume there is some setting missing in the firewall? Port forwarding? However, 1194 is forwarded to the server, and Allow-OpenVPN is also on the traffic rules list.
System log: looping error
Sun Jun 7 13:29:57 2020 daemon.notice openvpn(server)[18383]: Initialization Sequence Completed
Sun Jun 7 13:19:35 2020 daemon.err openvpn(server)[17903]: my_ip:23152 TLS Error: tls-crypt unwrapping failed from [AF_INET]my_ip:23152
Sun Jun 7 13:19:36 2020 daemon.err openvpn(server)[17903]: my_ip:23152 tls-crypt unwrap error: bad packet ID (may be a replay): [ #1 / time = (1591507172) Sun Jun 7 13:19:32 2020 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Sun Jun 7 13:19:36 2020 daemon.err openvpn(server)[17903]: my_ip:23152 tls-crypt unwrap error: packet replay
Sun Jun 7 13:19:36 2020 daemon.err openvpn(server)[17903]: my_ip:23152 TLS Error: tls-crypt unwrapping failed from [AF_INET]my_ip:23152
Sun Jun 7 13:19:37 2020 daemon.err openvpn(server)[17903]: my_ip:23152 tls-crypt unwrap error: bad packet ID (may be a replay): [ #1 / time = (1591507172) Sun Jun 7 13:19:32 2020 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Sun Jun 7 13:19:37 2020 daemon.err openvpn(server)[17903]: my_ip:23152 tls-crypt unwrap error: packet replay
Sun Jun 7 13:19:37 2020 daemon.err openvpn(server)[17903]: my_ip:23152 TLS Error: tls-crypt unwrapping failed from [AF_INET]my_ip:23152
Sun Jun 7 13:19:38 2020 daemon.err openvpn(server)[17903]: my_ip:23152 tls-crypt unwrap error: bad packet ID (may be a replay): [ #1 / time = (1591507172) Sun Jun 7 13:19:32 2020 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Sun Jun 7 13:19:38 2020 daemon.err openvpn(server)[17903]: my_ip:23152 tls-crypt unwrap error: packet replay
Sun Jun 7 13:19:38 2020 daemon.err openvpn(server)[17903]: my_ip:23152 TLS Error: tls-crypt unwrapping failed from [AF_INET]my_ip:23152
Sun Jun 7 13:19:39 2020 daemon.err openvpn(server)[17903]: my_ip:23152 tls-crypt unwrap error: bad packet ID (may be a replay): [ #1 / time = (1591507172) Sun Jun 7 13:19:32 2020 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Sun Jun 7 13:19:39 2020 daemon.err openvpn(server)[17903]: my_ip:23152 tls-crypt unwrap error: packet replay
Sun Jun 7 13:19:39 2020 daemon.err openvpn(server)[17903]: my_ip:23152 TLS Error: tls-crypt unwrapping failed from [AF_INET]my_ip:23152
Sun Jun 7 13:19:40 2020 daemon.err openvpn(server)[17903]: my_ip:23152 tls-crypt unwrap error: bad packet ID (may be a replay): [ #1 / time = (1591507172) Sun Jun 7 13:19:32 2020 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Sun Jun 7 13:19:40 2020 daemon.err openvpn(server)[17903]: my_ip:23152 tls-crypt unwrap error: packet replay
Sun Jun 7 13:19:40 2020 daemon.err openvpn(server)[17903]: my_ip:23152 TLS Error: tls-crypt unwrapping failed from [AF_INET]my_ip:23152
Anyone, please give me some advice. Thank you so much!
If the OpenVPN server is on the router, you do not need any port forwarding; you just have to open the port. Perhaps you could share your firewall config here.
You have two rules regarding port 1194: one just opens the port, the other redirects to the machine at 192.168.1.1. If that IP belongs to the router, then you do not need the redirection at all; you can delete that route.
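To make the check above mechanical, here is an added example (not from the thread or from OpenWrt itself) that scans a UCI-style firewall config for `config redirect` sections whose `dest_ip` is the router's own LAN address. The sample config is constructed to mirror the two 1194 rules described, plus an unrelated redirect that should not be flagged.

```shell
#!/bin/sh
# Added example: flag OpenWrt 'config redirect' sections that DNAT to the router's
# own LAN IP. When the VPN server runs on the router itself, such a redirect is
# redundant; a plain 'config rule' with target ACCEPT on the port is all that is needed.

# Constructed sample of /etc/config/firewall (not the poster's real config).
SAMPLE_FW=$(mktemp)
trap 'rm -f "$SAMPLE_FW"' EXIT
cat >"$SAMPLE_FW" <<'EOF'
config rule
	option name 'Allow-OpenVPN'
	option src 'wan'
	option dest_port '1194'
	option proto 'udp'
	option target 'ACCEPT'

config redirect
	option name 'OpenVPN-forward'
	option src 'wan'
	option src_dport '1194'
	option dest 'lan'
	option dest_ip '192.168.1.1'
	option target 'DNAT'

config redirect
	option name 'NAS-ftp'
	option src 'wan'
	option src_dport '21'
	option dest 'lan'
	option dest_ip '192.168.1.50'
	option target 'DNAT'
EOF

# Usage: self_redirects <firewall-config> <router-lan-ip>
# Prints "<name> <port>" for every redirect section whose dest_ip is the router itself.
self_redirects() {
    awk -v self="$2" '
        function flush() {
            if (sec == "redirect" && dip == self) print name, port
            sec = ""; name = ""; dip = ""; port = ""
        }
        { gsub(/\047/, "") }                       # strip UCI single quotes
        /^config[ \t]/                 { flush(); sec = $2 }
        /^[ \t]*option[ \t]+name/      { name = $3 }
        /^[ \t]*option[ \t]+dest_ip/   { dip = $3 }
        /^[ \t]*option[ \t]+src_dport/ { port = $3 }
        END { flush() }
    ' "$1"
}

self_redirects "$SAMPLE_FW" 192.168.1.1
```

Each line printed names a redirect that can be dropped in favour of the existing ACCEPT rule on the same port.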
You need to open port 80 from outside for that to work... but I would recommend against doing that: at a minimum it should be HTTPS only with a valid certificate; ideally it should not be open at all.
You don't: in the normal case, uhttpd is listening on all local interfaces, including the WAN. Opening the port is enough, just like for the VPN when the server runs on the router itself.
Following your advice, I have just learnt to use HTTPS from this wiki: secure LuCI by simply installing luci-ssl.
By restarting uhttpd, it creates the .crt/.key for me.
Accessing LuCI from Chrome on Win7, it prompts:
"connection is not private", EVEN IF I already put the .crt in the trusted cert folder of Windows.
Then I followed this wiki: get rid of warning, to create another .crt/.key.
Did the same to put it in the trusted folder.
But I'm still getting the same Not Private warning. Any idea please?
It is strongly advised not to expose the uhttpd server to the internet. It is not hardened to withstand an attack.
You can set up a VPN to access your router and LAN when you are out of the house, or use SSH tunneling.
Hi @trendy, you have mentioned the above. Would you please verify that my understanding below is correct? Thank you.
Once a VPN connection is established from my home laptop to the office desktop over the Internet:
I can safely access the router's admin page over HTTP (no need for HTTPS).
I can safely FTP (no need for SFTP/FTPS) to the file server on the LAN.
In this case, to avoid attack I should not open ports (80, 21, 443, etc.) on the router; only open the VPN port.