[SOLVED] Ovpn server up but not able to connect from WAN (LAN ok)

Dear all,

After trying for 2 weeks I finally got my ovpn server working on EA4500. (by following the basic guide)

My iPhone with the official client app is able to connect to the server when it's connected to my home wifi (same LAN as the server).

connect from LAN ok:

Sun Jun  7 13:28:09 2020 daemon.err openvpn(server)[18189]: event_wait : Interrupted system call (code=4)
Sun Jun  7 13:28:09 2020 daemon.notice openvpn(server)[18189]: /sbin/ifconfig tun0 0.0.0.0
Sun Jun  7 13:28:09 2020 daemon.warn openvpn(server)[18189]: Linux ip addr del failed: external program exited with error status: 1
Sun Jun  7 13:28:09 2020 daemon.notice openvpn(server)[18189]: SIGTERM[hard,] received, process exiting
Sun Jun  7 13:28:09 2020 daemon.notice openvpn(server)[18286]: OpenVPN 2.4.7 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Sun Jun  7 13:28:09 2020 daemon.notice openvpn(server)[18286]: library versions: OpenSSL 1.1.1g  21 Apr 2020, LZO 2.10
Sun Jun  7 13:28:09 2020 daemon.notice openvpn(server)[18286]: TUN/TAP device tun0 opened
Sun Jun  7 13:28:09 2020 daemon.notice openvpn(server)[18286]: /sbin/ifconfig tun0 192.168.8.1 netmask 255.255.255.0 mtu 1500 broadcast 192.168.8.255
Sun Jun  7 13:28:09 2020 daemon.warn openvpn(server)[18286]: Could not determine IPv4/IPv6 protocol. Using AF_INET
Sun Jun  7 13:28:09 2020 daemon.notice openvpn(server)[18286]: UDPv4 link local (bound): [AF_INET][undef]:1194
Sun Jun  7 13:28:09 2020 daemon.notice openvpn(server)[18286]: UDPv4 link remote: [AF_UNSPEC]
Sun Jun  7 13:28:09 2020 daemon.notice openvpn(server)[18286]: GID set to nogroup
Sun Jun  7 13:28:09 2020 daemon.notice openvpn(server)[18286]: UID set to nobody
Sun Jun  7 13:28:09 2020 daemon.notice openvpn(server)[18286]: Initialization Sequence Completed
Sun Jun  7 13:28:15 2020 daemon.notice openvpn(server)[18286]: 192.168.1.121:56586 peer info: IV_GUI_VER=net.openvpn.connect.ios_3.1.2-3096
Sun Jun  7 13:28:15 2020 daemon.notice openvpn(server)[18286]: 192.168.1.121:56586 peer info: IV_VER=3.git::f225fcd0
Sun Jun  7 13:28:15 2020 daemon.notice openvpn(server)[18286]: 192.168.1.121:56586 peer info: IV_PLAT=ios
Sun Jun  7 13:28:15 2020 daemon.notice openvpn(server)[18286]: 192.168.1.121:56586 peer info: IV_NCP=2
Sun Jun  7 13:28:15 2020 daemon.notice openvpn(server)[18286]: 192.168.1.121:56586 peer info: IV_TCPNL=1
Sun Jun  7 13:28:15 2020 daemon.notice openvpn(server)[18286]: 192.168.1.121:56586 peer info: IV_PROTO=2
Sun Jun  7 13:28:15 2020 daemon.notice openvpn(server)[18286]: 192.168.1.121:56586 peer info: IV_AUTO_SESS=1
Sun Jun  7 13:28:15 2020 daemon.notice openvpn(server)[18286]: 192.168.1.121:56586 peer info: IV_BS64DL=1
Sun Jun  7 13:28:15 2020 daemon.notice openvpn(server)[18286]: 192.168.1.121:56586 [client] Peer Connection Initiated with [AF_INET]192.168.1.121:56586
Sun Jun  7 13:28:15 2020 daemon.notice openvpn(server)[18286]: client/192.168.1.121:56586 MULTI_sva: pool returned IPv4=192.168.8.2, IPv6=(Not enabled)

but it's NOT able to connect when on the mobile network. I assume there is some setting missing in the firewall? Port forwarding? However, 1194 is forwarded to the server, and Allow-OpenVPN is also on the traffic rules list.

System log: looping error

Sun Jun  7 13:29:57 2020 daemon.notice openvpn(server)[18383]: Initialization Sequence Completed
Sun Jun  7 13:19:35 2020 daemon.err openvpn(server)[17903]: my_ip:23152 TLS Error: tls-crypt unwrapping failed from [AF_INET]my_ip:23152
Sun Jun  7 13:19:36 2020 daemon.err openvpn(server)[17903]: my_ip:23152 tls-crypt unwrap error: bad packet ID (may be a replay): [ #1 / time = (1591507172) Sun Jun  7 13:19:32 2020 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Sun Jun  7 13:19:36 2020 daemon.err openvpn(server)[17903]: my_ip:23152 tls-crypt unwrap error: packet replay
Sun Jun  7 13:19:36 2020 daemon.err openvpn(server)[17903]: my_ip:23152 TLS Error: tls-crypt unwrapping failed from [AF_INET]my_ip:23152
Sun Jun  7 13:19:37 2020 daemon.err openvpn(server)[17903]: my_ip:23152 tls-crypt unwrap error: bad packet ID (may be a replay): [ #1 / time = (1591507172) Sun Jun  7 13:19:32 2020 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Sun Jun  7 13:19:37 2020 daemon.err openvpn(server)[17903]: my_ip:23152 tls-crypt unwrap error: packet replay
Sun Jun  7 13:19:37 2020 daemon.err openvpn(server)[17903]: my_ip:23152 TLS Error: tls-crypt unwrapping failed from [AF_INET]my_ip:23152
Sun Jun  7 13:19:38 2020 daemon.err openvpn(server)[17903]: my_ip:23152 tls-crypt unwrap error: bad packet ID (may be a replay): [ #1 / time = (1591507172) Sun Jun  7 13:19:32 2020 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Sun Jun  7 13:19:38 2020 daemon.err openvpn(server)[17903]: my_ip:23152 tls-crypt unwrap error: packet replay
Sun Jun  7 13:19:38 2020 daemon.err openvpn(server)[17903]: my_ip:23152 TLS Error: tls-crypt unwrapping failed from [AF_INET]my_ip:23152
Sun Jun  7 13:19:39 2020 daemon.err openvpn(server)[17903]: my_ip:23152 tls-crypt unwrap error: bad packet ID (may be a replay): [ #1 / time = (1591507172) Sun Jun  7 13:19:32 2020 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Sun Jun  7 13:19:39 2020 daemon.err openvpn(server)[17903]: my_ip:23152 tls-crypt unwrap error: packet replay
Sun Jun  7 13:19:39 2020 daemon.err openvpn(server)[17903]: my_ip:23152 TLS Error: tls-crypt unwrapping failed from [AF_INET]my_ip:23152
Sun Jun  7 13:19:40 2020 daemon.err openvpn(server)[17903]: my_ip:23152 tls-crypt unwrap error: bad packet ID (may be a replay): [ #1 / time = (1591507172) Sun Jun  7 13:19:32 2020 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Sun Jun  7 13:19:40 2020 daemon.err openvpn(server)[17903]: my_ip:23152 tls-crypt unwrap error: packet replay
Sun Jun  7 13:19:40 2020 daemon.err openvpn(server)[17903]: my_ip:23152 TLS Error: tls-crypt unwrapping failed from [AF_INET]my_ip:23152

Anyone, please give me some advice. Thank you so much!

If the OpenVPN server is on the router, you do not need any port forwarding; you just have to open the port. Perhaps you could share your firewall config here.

2 Likes

Thank you for your reply eduperez,

Yes, the OpenVPN server is on the router, whose IP is 192.168.1.1.
I assume "open the port (1194)" means to redirect port 1194 to the VPN server?

Here are my firewall settings:

firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.lan=zone
firewall.lan.name='lan'
firewall.lan.network='lan'
firewall.lan.input='ACCEPT'
firewall.lan.output='ACCEPT'
firewall.lan.forward='ACCEPT'
firewall.lan.device='tun0'
firewall.wan=zone
firewall.wan.name='wan'
firewall.wan.network='wan' 'wan6'
firewall.wan.input='REJECT'
firewall.wan.output='ACCEPT'
firewall.wan.forward='REJECT'
firewall.wan.masq='1'
firewall.wan.mtu_fix='1'
firewall.lan_wan=forwarding
firewall.lan_wan.src='lan'
firewall.lan_wan.dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.@redirect[0]=redirect
firewall.@redirect[0].dest_port='80'
firewall.@redirect[0].src='wan'
firewall.@redirect[0].name='www'
firewall.@redirect[0].src_dport='80'
firewall.@redirect[0].target='DNAT'
firewall.@redirect[0].dest_ip='192.168.1.1'
firewall.@redirect[0].dest='lan'
firewall.@redirect[0].proto='tcp'
firewall.@redirect[1]=redirect
firewall.@redirect[1].dest_port='5000'
firewall.@redirect[1].src='wan'
firewall.@redirect[1].name='ds218_admin'
firewall.@redirect[1].src_dport='5000'
firewall.@redirect[1].target='DNAT'
firewall.@redirect[1].dest_ip='192.168.1.30'
firewall.@redirect[1].dest='lan'
firewall.@redirect[1].proto='tcp'
firewall.@redirect[2]=redirect
firewall.@redirect[2].dest_port='500'
firewall.@redirect[2].src='wan'
firewall.@redirect[2].name='vpn_ipsec'
firewall.@redirect[2].src_dport='500'
firewall.@redirect[2].target='DNAT'
firewall.@redirect[2].dest_ip='192.168.1.30'
firewall.@redirect[2].dest='lan'
firewall.@redirect[2].proto='udp'
firewall.@redirect[3]=redirect
firewall.@redirect[3].dest_port='4500'
firewall.@redirect[3].src='wan'
firewall.@redirect[3].name='vpn_ipsec'
firewall.@redirect[3].src_dport='4500'
firewall.@redirect[3].target='DNAT'
firewall.@redirect[3].dest_ip='192.168.1.30'
firewall.@redirect[3].dest='lan'
firewall.@redirect[3].proto='udp'
firewall.@redirect[4]=redirect
firewall.@redirect[4].dest_port='1701'
firewall.@redirect[4].src='wan'
firewall.@redirect[4].name='vpn_l2tp'
firewall.@redirect[4].src_dport='1701'
firewall.@redirect[4].target='DNAT'
firewall.@redirect[4].dest_ip='192.168.1.30'
firewall.@redirect[4].dest='lan'
firewall.@redirect[4].proto='udp'
firewall.@redirect[5]=redirect
firewall.@redirect[5].dest_port='1194'
firewall.@redirect[5].src='wan'
firewall.@redirect[5].name='vpn_openvpn'
firewall.@redirect[5].src_dport='1194'
firewall.@redirect[5].target='DNAT'
firewall.@redirect[5].dest_ip='192.168.1.1'
firewall.@redirect[5].dest='lan'
firewall.@redirect[5].proto='udp'
firewall.ovpn=rule
firewall.ovpn.name='Allow-OpenVPN'
firewall.ovpn.src='wan'
firewall.ovpn.dest_port='1194'
firewall.ovpn.target='ACCEPT'
firewall.ovpn.proto='udp'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].dest='lan'
firewall.@forwarding[1].src='DMZ'
firewall.@forwarding[2]=forwarding
firewall.@forwarding[2].dest='DMZ'
firewall.@forwarding[2].src='wan'
firewall.@redirect[6]=redirect
firewall.@redirect[6].dest_port='21'
firewall.@redirect[6].src='wan'
firewall.@redirect[6].name='FTPS'
firewall.@redirect[6].src_dport='21'
firewall.@redirect[6].target='DNAT'
firewall.@redirect[6].dest_ip='192.168.1.30'
firewall.@redirect[6].dest='lan'
firewall.@redirect[7]=redirect
firewall.@redirect[7].dest_port='55536-56047'
firewall.@redirect[7].src='wan'
firewall.@redirect[7].name='FTPS'
firewall.@redirect[7].src_dport='55536-56047'
firewall.@redirect[7].target='DNAT'
firewall.@redirect[7].dest_ip='192.168.1.30'
firewall.@redirect[7].dest='lan'

Thank you for your advice!

You have two rules regarding port 1194, one just opens the port, the other redirects to the machine at 192.168.1.1. If that IP belongs to the router, then you do not need the redirection at all, you can delete that route.

2 Likes

It's solved!! Thank you eduperez.

I just took out this line and everything works!

I thought I should redirect the traffic to a specific IP in order for a server of any kind to work. I did that with other routers for WWW, FTP, SSH etc.

I have learnt something. Thanks!

1 Like

You have to redirect the traffic when the server is on a different machine, not when it is on the same machine.
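The point above (a DNAT redirect whose target is the router's own address is redundant, and the WAN-side ACCEPT rule is what actually opens the port) can be checked mechanically. The following is an added example, not code from the thread or from OpenWrt: it parses a `uci show firewall` dump and lists every redirect that points back at the router itself. The sample dump is constructed to mirror the config posted above; the router IP and the key names (`dest_ip`, `src_dport`, `proto`) are assumed to match that dump.

```shell
#!/bin/sh
# Constructed excerpt of `uci show firewall` output, modelled on the dump in
# the thread (assumption: same key layout). Only the fields we inspect are kept.
sample_uci() {
cat <<'EOF'
firewall.@redirect[0]=redirect
firewall.@redirect[0].name='www'
firewall.@redirect[0].proto='tcp'
firewall.@redirect[0].src_dport='80'
firewall.@redirect[0].dest_ip='192.168.1.1'
firewall.@redirect[1]=redirect
firewall.@redirect[1].name='ds218_admin'
firewall.@redirect[1].proto='tcp'
firewall.@redirect[1].src_dport='5000'
firewall.@redirect[1].dest_ip='192.168.1.30'
firewall.@redirect[2]=redirect
firewall.@redirect[2].name='vpn_openvpn'
firewall.@redirect[2].proto='udp'
firewall.@redirect[2].src_dport='1194'
firewall.@redirect[2].dest_ip='192.168.1.1'
firewall.ovpn=rule
firewall.ovpn.name='Allow-OpenVPN'
firewall.ovpn.dest_port='1194'
EOF
}

# self_redirects ROUTER_IP   (reads a `uci show firewall` dump on stdin)
# Prints "name proto port" for each redirect whose dest_ip is the router itself.
# Such entries should be plain ACCEPT rules on the wan zone, not DNAT redirects.
self_redirects() {
  tr -d "'" | awk -v self="$1" '
    /^firewall\./ {
      eq  = index($0, "=")
      key = substr($0, 10, eq - 10)      # drop the "firewall." prefix
      val = substr($0, eq + 1)
      dot = index(key, ".")
      if (dot == 0) { stype[key] = val; next }   # section line: @redirect[2]=redirect
      opt[substr(key, 1, dot - 1), substr(key, dot + 1)] = val
    }
    END {
      for (s in stype)
        if (stype[s] == "redirect" && opt[s, "dest_ip"] == self)
          print opt[s, "name"], ((s, "proto") in opt ? opt[s, "proto"] : "any"), opt[s, "src_dport"]
    }' | LC_ALL=C sort
}

sample_uci | self_redirects 192.168.1.1
```

On a real router the same check is `uci show firewall | self_redirects <lan-ip>`; anything it lists is a candidate for deletion in favour of an `Allow-...` rule like the Allow-OpenVPN one in the thread.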

I'm glad to know. It works now!

1 Like

Yes, the VPN works fine. Thank you :grinning:

According to what you said, I should also take out the line below for port 80 (because LuCI is on the router):

and I could still reach LuCI from the outside network.
But no, it showed unreachable.

I put the line back and LuCI was back again.

Is it due to the difference between UDP and TCP?
Or does only the VPN (1194) work this way?
For other services like 80, 21 should I do a redirect?

You need to open port 80 from outside for that to work... but I would recommend against doing that: at a minimum it should be https only with a valid certificate, ideally it should not be open at all.

3 Likes

thx @aboaboit

Yes, I have port 80 opened. I just wonder why in this case I need to keep the redirect.dest_ip rule, while in the VPN case I don't.

And thank you for the HTTPS advice. I will dig into that :grinning:

You don't: in the normal case, uhttpd is listening on all local interfaces, including the wan. Opening the port is enough, just like for the vpn when the server runs on the router itself.

1 Like

But as I said, I took out this line:
firewall.@redirect[0].dest_ip='192.168.1.1'
and LuCI is not reachable.

Right after I put it back, LuCI is back on.
So it seems in my case the above line is needed?

The normal policy for wan is to reject inbound connections: you need to explicitly open the port.

config rule
        option target 'ACCEPT'
        option src 'wan'
        option proto 'tcp'
        option dest_port '80'
        option name 'Allow-LUCI'
firewall.@rule[10]=rule
firewall.@rule[10].target='ACCEPT'
firewall.@rule[10].src='wan'
firewall.@rule[10].proto='tcp'
firewall.@rule[10].dest_port='80'
firewall.@rule[10].name='Allow-LUCI'

2 Likes

This is good to know! Thanks.

Following your advice, I have just learnt to use HTTPS from this wiki: secure LuCI by simply installing luci-ssl.

By restarting uhttpd it creates a .crt/.key for me.
Accessing LuCI from Chrome on Win7, it prompts:
"connection is not private" EVEN IF I already put the .crt in the trusted cert folder of Windows.

Then I followed this wiki: get rid of the warning by creating another .crt/.key.
Did the same to put it in the trusted folder.

But I'm still getting the same Not Private warning. Any idea please?

It is strongly advised not to expose the uhttpd server to the internet. It is not hardened to withstand an attack.
You can set up a VPN to access your router and LAN when you are out of the house. Or use SSH tunneling.

2 Likes

I also said you need a valid certificate, else the browser will complain.
Anyhow, as @trendy noted: don't, just don't :slight_smile:

1 Like

thx @trendy
I did look into SSH tunneling; it seems too complicated for a rookie like me.

I just thought HTTPS might be easier. :sweat_smile:
But thank you for your advice. I will dig into that.

Yes, you did. So the 2 certificates that I created are not valid. Should I pay if I need a valid one?

Yes, I understand it's dangerous. I'm just trying to understand more about networking by setting it up. I should seldom use it :grinning:

You can use this service to obtain a valid certificate:

1 Like

:star_struck: appreciate that!

1 Like

Hi @trendy, you mentioned this above. Would you please verify that my understanding below is correct? Thank you.

Once a VPN connection is established from my home laptop to the office desktop over the Internet:
I can safely access the router's admin page over HTTP (no need for HTTPS)
I can safely FTP (no need for SFTP/FTPS) to the file server on the LAN

In this case, to avoid attacks I should not open ports (80, 21, 443, etc.) on the router; only open the VPN port.

Is that right? Thank you again :handshake:

1 Like