Hi all:
First of all, I wish a happy new year 2021 to all of you. Second, I'm really sorry for my bad English.
And third (and that's why I'm here), my OpenWRT + OpenVPN setting up problem. Let's go on...
I have an ISP router I can not replace, and I want to install an OpenVPN server in my network. I'm trying to do it by adding a network device, an OpenWRT router (from now on, VPN-router) that will be used only as an OpenVPN server.
My first attempt was almost successful, because I got it working in TAP mode. After that I realized that TAP mode does not work well with Android clients, so I had to start from scratch again to do it in TUN mode.
As a first step, I followed this for the initial set up:
https://openwrt.org/docs/guide-user/services/vpn/openvpn/server
Then I tried to follow the tips/instructions the user @psherman (thanks in advance!!!!) gave us in the following threads:
https://forum.openwrt.org/t/openvpn-config-for-accessing-lan-and-internet/29125/19
https://forum.openwrt.org/t/open-vpn-on-chaoscalmer-behind-isp-modem/14936/2
Now clients can connect to the VPN server, but can not access the main LAN devices, nor reach the internet via the VPN. I think I have a firewall problem, but, of course, I'm not sure.
This is my network configuration:
ISP-router
- LAN port ip 172.17.18.1
- LAN network 172.17.18.0/24
- LAN public DDNS address, something like "xxxxxx.duckdns.org"
VPN-router
- WAN port ip 172.17.18.10 (connected to the ISP-router LAN)
- LAN port ip 172.17.20.10 (not used)
- LAN network 172.17.20.0/24 (not used)
- LAN DHCP serving from 172.17.20.100 to 172.17.20.110 (not used)
OpenVPN server in VPN-router
- tun0 address 172.17.20.209
- server 172.17.20.208 255.255.255.248 (it's a /29, DHCP from 208 to 215, enough for me)
A VPN client receives the IP address 172.17.20.210 and...
- can ping 172.17.20.209 (tun0 interface of the VPN-router)
- can ping 172.17.20.10 (LAN port ip of the VPN-router)
- can ping 172.17.18.10 (WAN interface ip of the VPN-router)
- can NOT ping 172.17.18.1 (ISP-router LAN ip)
These are my configuration files:
ifconfig -a
br-lan Link encap:Ethernet HWaddr F8:8E:85:CF:D2:24
inet addr:172.17.20.10 Bcast:172.17.20.255 Mask:255.255.255.0
inet6 addr: fdc5:c219:961d::1/60 Scope:Global
inet6 addr: fe80::fa8e:85ff:fecf:d224/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:25 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:3646 (3.5 KiB)
eth0 Link encap:Ethernet HWaddr F8:8E:85:CF:D2:24
inet6 addr: fe80::fa8e:85ff:fecf:d224/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:10106 errors:0 dropped:0 overruns:0 frame:0
TX packets:1723 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:3358067 (3.2 MiB) TX bytes:335614 (327.7 KiB)
eth0.1 Link encap:Ethernet HWaddr F8:8E:85:CF:D2:24
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:25 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:3646 (3.5 KiB)
eth0.2 Link encap:Ethernet HWaddr F8:8E:85:CF:D2:24
inet addr:172.17.18.10 Bcast:172.17.18.255 Mask:255.255.255.0
inet6 addr: fe80::fa8e:85ff:fecf:d224/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:10106 errors:0 dropped:0 overruns:0 frame:0
TX packets:1679 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:3176159 (3.0 MiB) TX bytes:318263 (310.8 KiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:478 errors:0 dropped:0 overruns:0 frame:0
TX packets:478 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:63505 (62.0 KiB) TX bytes:63505 (62.0 KiB)
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:172.17.20.209 P-t-P:172.17.20.209 Mask:255.255.255.248
inet6 addr: fe80::4ead:71c6:cc28:406b/64 Scope:Link
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:4 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:0 (0.0 B) TX bytes:304 (304.0 B)
cat /etc/config/network
# /etc/config/network of the VPN-router (as posted; the usual UCI indentation was lost in the paste).
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fdc5:c219:961d::/48'
# 'lan': bridge over switch VLAN 1 (eth0.1), 172.17.20.10/24 — described above as not used.
config interface 'lan'
option type 'bridge'
option ifname 'eth0.1'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
# NOTE(review): a second default gateway is declared here in addition to the one on 'wan'
# below (172.17.18.1); only one default route can be active — confirm which with `ip route`.
option gateway '172.17.20.1'
option ipaddr '172.17.20.10'
option broadcast '172.17.20.255'
# 'wan': switch VLAN 2 (eth0.2), 172.17.18.10/24, plugged into the ISP-router LAN.
# Its gateway 172.17.18.1 is the ISP-router, i.e. the path VPN clients need toward
# 172.17.18.0/24 and the internet.
config interface 'wan'
option ifname 'eth0.2'
option proto 'static'
option broadcast '172.17.18.255'
option gateway '172.17.18.1'
list dns '8.8.8.8'
option netmask '255.255.255.0'
option ipaddr '172.17.18.10'
config interface 'wan6'
option ifname 'eth0.2'
option proto 'dhcpv6'
# Switch: ports 0-3 on VLAN 1 (lan), port 4 on VLAN 2 (wan), CPU port 8 tagged on both.
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '0 1 2 3 8t'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '4 8t'
# 'vpn': wraps tun0 (created by OpenVPN) so the firewall can reference it by network name.
config interface 'vpn'
option proto 'none'
option ifname 'tun0'
cat /etc/openvpn/server.conf
# /etc/openvpn/server.conf (as posted; key material elided by the author).
# Drop privileges after start-up.
user nobody
group nogroup
# Layer-3 tunnel; the post explains TAP was abandoned because of Android clients.
dev tun
port 1910
proto udp
# Client address pool 172.17.20.208/29; the server end is .209 (see tun0 in ifconfig above).
server 172.17.20.208 255.255.255.248
topology subnet
# Client-to-client traffic is switched inside the OpenVPN process and never
# reaches the router's firewall.
client-to-client
keepalive 10 60
persist-tun
persist-key
# Pushed to clients: the ISP-router LAN, the ISP-router as DNS, and a full default
# route through the tunnel. With redirect-gateway every client packet arrives on tun0
# and must be forwarded by the VPN-router toward 172.17.18.1.
push "route 172.17.18.0 255.255.255.0"
push "dhcp-option DNS 172.17.18.1"
push "redirect-gateway def1"
push "persist-tun"
push "persist-key"
<dh>
-----BEGIN DH PARAMETERS-----
[...]
-----END CERTIFICATE-----
</ca>
Now, I don't understand most of the things I have in the firewall configuration file. Lots of them are the default options. Since the VPN-router is placed inside my main LAN, security is not a requirement for me (I trust the ISP-router firewall). The simplest firewall configuration for the VPN-router would be the best option for me.
cat /etc/config/firewall
# /etc/config/firewall of the VPN-router (as posted; UCI indentation lost in the paste).
# Policy for traffic not matched by any zone: router accepts input/output, refuses forwarding.
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
# Per-port input rules; src '*' means "from any zone". They are made redundant by the
# two 1-65535 rules further down, which already accept every TCP/UDP port.
config rule
option target 'ACCEPT'
option proto 'udp'
option dest_port '1910'
option name 'Allow-UDP1910-Inbound'
option src '*'
config rule
option target 'ACCEPT'
option proto 'udp'
option dest_port '22'
option name 'Allow-UDP22-Inbound'
option src '*'
config rule
option target 'ACCEPT'
option proto 'tcp'
option dest_port '22'
option name 'Allow-TCP22-Inbound'
option src '*'
config rule
option target 'ACCEPT'
option proto 'udp'
option dest_port '80'
option name 'Allow-UDP80-Inbound'
option src '*'
config rule
option target 'ACCEPT'
option proto 'tcp'
option dest_port '80'
option name 'Allow-TCP80-Inbound'
option src '*'
# 'lan' zone: fully open. 'tun+' also matches tun0, so the tunnel is a member of this
# zone while the 'vpn' zone at the bottom claims the same interface via network 'vpn'.
# NOTE(review): the zone tun0 actually lands in decides whether tunnel traffic is
# forwarded with lan's rules (forward ACCEPT, lan->wan) or vpn's (forward REJECT,
# vpn->wan) — confirm with `fw3 print` and keep only one of the two memberships.
config zone 'lan'
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list device 'tun+'
# 'wan' zone: eth0.2 toward the ISP-router. Input is ACCEPT, so the wan-specific
# allow rules below add nothing.
# NOTE(review): there is no 'option masq' on this zone. Packets forwarded from the
# vpn zone leave eth0.2 with their 172.17.20.2xx source address, so the ISP-router
# (172.17.18.1) can only reply if it has a route to 172.17.20.208/29 via 172.17.18.10
# — presumably why it does not answer pings; either add 'option masq "1"' here or a
# static route on the ISP-router. Confirm with a capture on eth0.2.
config zone 'wan'
option name 'wan'
list network 'wan'
list network 'wan6'
option output 'ACCEPT'
option forward 'REJECT'
option mtu_fix '1'
option input 'ACCEPT'
config forwarding
option src 'lan'
option dest 'wan'
# These two rules accept every TCP and UDP destination port on the router itself from
# every zone, including wan (the ISP-router LAN) and the tunnel.
config rule
option target 'ACCEPT'
option proto 'udp'
option dest_port '1-65535'
option name 'Allow-UDP-Inbound'
option src '*'
config rule
option target 'ACCEPT'
option proto 'tcp'
option dest_port '1-65535'
option name 'Allow-TCP-Inbound'
option src '*'
# OpenWrt default wan input/forward exceptions follow (DHCP, ping, IGMP, IPv6 control
# traffic, IPsec). With wan input already ACCEPT above they have no effect here.
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
# Disabled (enabled '0'); kept from the defaults.
config rule
option name 'Support-UDP-Traceroute'
option src 'wan'
option dest_port '33434:33689'
option proto 'udp'
option family 'ipv4'
option target 'REJECT'
option enabled '0'
# Custom iptables rules in /etc/firewall.user are loaded too (file not shown in the post).
config include
option path '/etc/firewall.user'
# Duplicate of 'Allow-UDP1910-Inbound' above, restricted to the wan zone.
config rule 'ovpn'
option name 'Allow-OpenVPN'
option src 'wan'
option dest_port '1910'
option proto 'udp'
option target 'ACCEPT'
# 'vpn' zone over tun0. 'masq' on a zone NATs traffic *leaving* through that zone's
# interfaces, so masq '0' here has no bearing on traffic heading out eth0.2.
config zone
option name 'vpn'
option network 'vpn'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '0'
# Tunnel <-> wan forwarding in both directions. No vpn->lan forwarding is declared;
# the lan network is described above as unused, so this only matters if that changes.
config forwarding
option src 'vpn'
option dest 'wan'
config forwarding
option src 'wan'
option dest 'vpn'
cat /etc/openvpn/clientea.ovpn
# /etc/openvpn/clientea.ovpn — client profile (as posted; key material elided by the author).
dev tun
# Do not bind a fixed local port.
nobind
client
# Connect to the ISP-router's DDNS name on UDP 1910; presumably the ISP-router forwards
# that port to 172.17.18.10 (not shown in the post).
remote xxxxxx.duckdns.org 1910 udp
# Do not keep entered credentials in memory after authentication.
auth-nocache
# Require the peer certificate to be marked as a server certificate, so a client
# certificate cannot be used to impersonate the server.
remote-cert-tls server
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
[...]
-----END CERTIFICATE-----
</ca>
Please, let me know if I have failed to post some relevant information.
Thank you all for your help!!!!