[Solved] Remotely connect to home network behind OpenWrt router using OpenVPN


#1

I want to be able to remotely vpn into my home network and access my devices securely via openvpn.

I had this working on a previous version (ddwrt) and I can't find my notes or anything online (probably not asking the right question). If someone could point me to a tutorial I would really appreciate it.

I'm not interested in opening my openwrt router (luci) connection to the wan.


#2

https://openwrt.org/docs/guide-user/services/vpn/openvpn/start
OpenVPN wiki article: server push config


#3

Hi all,
I am trying to connect a Windows 10 laptop to my LEDE OpenWRT router using OpenVPN.
I am able to successfully connect to my router with openvpn (there are no errors in the client log anyway)
Unfortunately I cannot access any device behind my firewall (I cannot ping any device behind the firewall).

Here is my client ovpn file:

  client
  dev tun
  proto udp
  fast-io
  remote myserver.mydomain.com 1194
  remote-cert-tls server
  nobind
  persist-key
  persist-tun
  verb 3
  key-direction 1
<ca>
-----BEGIN CERTIFICATE-----
MY CERTIFICATE GOES HERE
-----END CERTIFICATE-----
</ca>
<cert>
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4097 (0x1001)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=GB, ST=London, O=WWW Ltd.
        Validity
            Not Before: Jun 22 19:57:52 2018 GMT
            Not After : Jun 19 19:57:52 2028 GMT
        Subject: CN=my-client
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    Not sure if this is private, but to be on the safe side...
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: 
                Digital Signature
            X509v3 Extended Key Usage: 
                TLS Web Client Authentication
    Signature Algorithm: sha256WithRSAEncryption
         Not sure if this is private, but to be on the safe side...
-----BEGIN CERTIFICATE-----
MY CERTIFICATE GOES HERE
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
MY KEY GOES HERE
-----END PRIVATE KEY-----
</key>
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
MY key GOES HERE
-----END OpenVPN Static key V1-----
</tls-auth>
  auth-nocache
  client
  dev tun
  proto udp
  fast-io
  remote myserver.mydomain.com 1194
  remote-cert-tls server
  nobind
  persist-key
  persist-tun
  verb 3
  key-direction 1
<ca>
-----BEGIN CERTIFICATE-----
MY CERTIFICATE GOES HERE
-----END CERTIFICATE-----
</ca>
<cert>
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4097 (0x1001)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=GB, ST=London, O=WWW Ltd.
        Validity
            Not Before: Jun 22 19:57:52 2018 GMT
            Not After : Jun 19 19:57:52 2028 GMT
        Subject: CN=my-client
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    Not sure if this is private, but to be on the safe side...
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: 
                Digital Signature
            X509v3 Extended Key Usage: 
                TLS Web Client Authentication
    Signature Algorithm: sha256WithRSAEncryption
         Not sure if this is private, but to be on the safe side...
-----BEGIN CERTIFICATE-----
MY CERTIFICATE GOES HERE
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
MY KEY GOES HERE
-----END PRIVATE KEY-----
</key>
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
MY KEY GOES HERE
-----END OpenVPN Static key V1-----
</tls-auth>

Here are the results of IPCONFIG:

Windows IP Configuration


Ethernet adapter Ethernet:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Ethernet adapter VirtualBox Host-Only Network:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::256d:1ee2:1c9f:9%7
   Autoconfiguration IPv4 Address. . : 169.254.0.9
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . :

Wireless LAN adapter Local Area Connection* 2:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Wireless LAN adapter Local Area Connection* 14:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Ethernet adapter Ethernet 3:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::3850:485:91ba:88f%15
   IPv4 Address. . . . . . . . . . . : 192.168.1.2
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :

Wireless LAN adapter Wi-Fi:

   Connection-specific DNS Suffix  . :
   IPv6 Address. . . . . . . . . . . : dd5c:beac:7fd6::936
   IPv6 Address. . . . . . . . . . . : fd46:3ca0:763c::719
   IPv6 Address. . . . . . . . . . . : fd46:3ca0:763c::9a9
   IPv6 Address. . . . . . . . . . . : fd8b:2425:da7b::4eb
   IPv6 Address. . . . . . . . . . . : fd8b:2425:da7b::719
   IPv6 Address. . . . . . . . . . . : fd8b:2425:da7b::936
   Link-local IPv6 Address . . . . . : fe80::c9df:f21f:2aea:a35e%16
   IPv4 Address. . . . . . . . . . . : 192.168.43.63
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.43.1
   
Ethernet adapter Bluetooth Network Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :   

Here is my client log:

Fri Jun 22 21:29:37 2018 OpenVPN 2.4.4 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Sep 26 2017
Fri Jun 22 21:29:37 2018 Windows version 6.2 (Windows 8 or greater) 64bit
Fri Jun 22 21:29:37 2018 library versions: OpenSSL 1.0.2l  25 May 2017, LZO 2.10
Enter Management Password:
Fri Jun 22 21:29:37 2018 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Fri Jun 22 21:29:37 2018 Need hold release from management interface, waiting...
Fri Jun 22 21:29:37 2018 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Fri Jun 22 21:29:38 2018 MANAGEMENT: CMD 'state on'
Fri Jun 22 21:29:38 2018 MANAGEMENT: CMD 'log all on'
Fri Jun 22 21:29:38 2018 MANAGEMENT: CMD 'echo all on'
Fri Jun 22 21:29:38 2018 MANAGEMENT: CMD 'hold off'
Fri Jun 22 21:29:38 2018 MANAGEMENT: CMD 'hold release'
Fri Jun 22 21:29:38 2018 NOTE: --fast-io is disabled since we are running on Windows
Fri Jun 22 21:29:38 2018 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Jun 22 21:29:38 2018 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Jun 22 21:29:38 2018 MANAGEMENT: >STATE:1529717378,RESOLVE,,,,,,
Fri Jun 22 21:29:38 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]67.8.225.251:1194
Fri Jun 22 21:29:38 2018 Socket Buffers: R=[65536->65536] S=[65536->65536]
Fri Jun 22 21:29:38 2018 UDP link local: (not bound)
Fri Jun 22 21:29:38 2018 UDP link remote: [AF_INET]67.8.225.251:1194
Fri Jun 22 21:29:38 2018 MANAGEMENT: >STATE:1529717378,WAIT,,,,,,
Fri Jun 22 21:29:38 2018 MANAGEMENT: >STATE:1529717378,AUTH,,,,,,
Fri Jun 22 21:29:38 2018 TLS: Initial packet from [AF_INET]67.8.225.251:1194, sid=8df89313 e47e40c2
Fri Jun 22 21:29:38 2018 VERIFY OK: depth=1, C=GB, ST=London, O=WWW Ltd.
Fri Jun 22 21:29:38 2018 VERIFY KU OK
Fri Jun 22 21:29:38 2018 Validating certificate extended key usage
Fri Jun 22 21:29:38 2018 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Fri Jun 22 21:29:38 2018 VERIFY EKU OK
Fri Jun 22 21:29:38 2018 VERIFY OK: depth=0, CN=my-server
Fri Jun 22 21:29:38 2018 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Fri Jun 22 21:29:38 2018 [my-server] Peer Connection Initiated with [AF_INET]67.8.225.251:1194
Fri Jun 22 21:29:39 2018 MANAGEMENT: >STATE:1529717379,GET_CONFIG,,,,,,
Fri Jun 22 21:29:39 2018 SENT CONTROL [my-server]: 'PUSH_REQUEST' (status=1)
Fri Jun 22 21:29:40 2018 PUSH: Received control message: 'PUSH_REPLY,topology subnet,redirect-gateway def1,route-gateway dhcp,route 192.168.1.0 255.255.255.0,dhcp-option DNS 192.168.1.1,comp-lzo yes,persist-key,persist-tun,route-gateway 192.168.1.1,topology subnet,ping 10,ping-restart 120,ifconfig 192.168.1.2 255.255.255.0,peer-id 1,cipher AES-256-GCM'
Fri Jun 22 21:29:40 2018 OPTIONS IMPORT: timers and/or timeouts modified
Fri Jun 22 21:29:40 2018 OPTIONS IMPORT: compression parms modified
Fri Jun 22 21:29:40 2018 OPTIONS IMPORT: --persist options modified
Fri Jun 22 21:29:40 2018 OPTIONS IMPORT: --ifconfig/up options modified
Fri Jun 22 21:29:40 2018 OPTIONS IMPORT: route options modified
Fri Jun 22 21:29:40 2018 OPTIONS IMPORT: route-related options modified
Fri Jun 22 21:29:40 2018 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Fri Jun 22 21:29:40 2018 OPTIONS IMPORT: peer-id set
Fri Jun 22 21:29:40 2018 OPTIONS IMPORT: adjusting link_mtu to 1624
Fri Jun 22 21:29:40 2018 OPTIONS IMPORT: data channel crypto options modified
Fri Jun 22 21:29:40 2018 Data Channel: using negotiated cipher 'AES-256-GCM'
Fri Jun 22 21:29:40 2018 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Fri Jun 22 21:29:40 2018 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Fri Jun 22 21:29:40 2018 interactive service msg_channel=956
Fri Jun 22 21:29:40 2018 ROUTE_GATEWAY 192.168.43.1/255.255.255.0 I=16 HWADDR=70:1c:e7:dd:5c:b1
Fri Jun 22 21:29:40 2018 open_tun
Fri Jun 22 21:29:40 2018 TAP-WIN32 device [Ethernet 3] opened: \\.\Global\{9CD5241B-20A2-46F2-9B11-CC3D238B0DEF}.tap
Fri Jun 22 21:29:40 2018 TAP-Windows Driver Version 9.21 
Fri Jun 22 21:29:40 2018 Set TAP-Windows TUN subnet mode network/local/netmask = 192.168.1.0/192.168.1.2/255.255.255.0 [SUCCEEDED]
Fri Jun 22 21:29:40 2018 Notified TAP-Windows driver to set a DHCP IP/netmask of 192.168.1.2/255.255.255.0 on interface {9CD5241B-20A2-46F2-9B11-CC3D238B0DEF} [DHCP-serv: 192.168.1.254, lease-time: 31536000]
Fri Jun 22 21:29:40 2018 Successful ARP Flush on interface [15] {9CD5241B-20A2-46F2-9B11-CC3D238B0DEF}
Fri Jun 22 21:29:40 2018 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Fri Jun 22 21:29:40 2018 MANAGEMENT: >STATE:1529717380,ASSIGN_IP,,192.168.1.2,,,,
Fri Jun 22 21:29:45 2018 TEST ROUTES: 2/2 succeeded len=1 ret=1 a=0 u/d=up
Fri Jun 22 21:29:45 2018 C:\WINDOWS\system32\route.exe ADD 67.8.225.251 MASK 255.255.255.255 192.168.43.1
Fri Jun 22 21:29:45 2018 Route addition via service succeeded
Fri Jun 22 21:29:45 2018 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 192.168.1.1
Fri Jun 22 21:29:45 2018 Route addition via service succeeded
Fri Jun 22 21:29:45 2018 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 192.168.1.1
Fri Jun 22 21:29:45 2018 Route addition via service succeeded
Fri Jun 22 21:29:45 2018 MANAGEMENT: >STATE:1529717385,ADD_ROUTES,,,,,,
Fri Jun 22 21:29:45 2018 C:\WINDOWS\system32\route.exe ADD 192.168.1.0 MASK 255.255.255.0 192.168.1.1
Fri Jun 22 21:29:45 2018 Route addition via service succeeded
Fri Jun 22 21:29:45 2018 Initialization Sequence Completed
Fri Jun 22 21:29:45 2018 MANAGEMENT: >STATE:1529717385,CONNECTED,SUCCESS,192.168.1.2,67.8.225.251,1194,,
Fri Jun 22 21:29:50 2018 Bad LZO decompression header byte: 42
Fri Jun 22 21:30:00 2018 Bad LZO decompression header byte: 42
Fri Jun 22 21:31:33 2018 C:\WINDOWS\system32\route.exe DELETE 192.168.1.0 MASK 255.255.255.0 192.168.1.1
Fri Jun 22 21:31:33 2018 Route deletion via service succeeded
Fri Jun 22 21:31:33 2018 C:\WINDOWS\system32\route.exe DELETE 67.8.225.251 MASK 255.255.255.255 192.168.43.1
Fri Jun 22 21:31:33 2018 Warning: route gateway is not reachable on any active network adapters: 192.168.43.1
Fri Jun 22 21:31:33 2018 Route deletion via service failed
Fri Jun 22 21:31:33 2018 C:\WINDOWS\system32\route.exe DELETE 0.0.0.0 MASK 128.0.0.0 192.168.1.1
Fri Jun 22 21:31:33 2018 Route deletion via service succeeded
Fri Jun 22 21:31:33 2018 C:\WINDOWS\system32\route.exe DELETE 128.0.0.0 MASK 128.0.0.0 192.168.1.1
Fri Jun 22 21:31:33 2018 Route deletion via service succeeded
Fri Jun 22 21:31:33 2018 Closing TUN/TAP interface
Fri Jun 22 21:31:33 2018 TAP: DHCP address released
Fri Jun 22 21:31:33 2018 SIGTERM[hard,] received, process exiting
Fri Jun 22 21:31:33 2018 MANAGEMENT: >STATE:1529717493,EXITING,SIGTERM,,,,,

Here is my server /etc/config/openvpn file:

config openvpn 'vpnserver'
        option enabled '1'
        option dev_type 'tun'
        option dev 'ovpns0'
        option proto 'udp'
        option port '1194'
        option topology 'subnet'
        option tls_server '1'
        option mode 'server'
        option server '192.168.1.0 255.255.255.0'
        option route_gateway 'dhcp'
        option keepalive '10 120'
        option persist_key '1'
        option persist_tun '1'
        option ca '/etc/openvpn/ca.crt'
        option cert '/etc/openvpn/my-server.crt'
        option key '/etc/openvpn/my-server.key'
        option dh '/etc/openvpn/dh2048.pem'
        option tls_auth '/etc/openvpn/tls-auth.key 0'
        option client_to_client '1'
        option log '/tmp/openvpn.log'
        list push 'topology subnet'
        list push 'redirect-gateway def1'
        list push 'route-gateway dhcp'
        list push 'route 192.168.1.0 255.255.255.0'
        list push 'dhcp-option DNS 192.168.1.1'
        list push 'comp-lzo yes'
        list push 'persist-key'
        list push 'persist-tun'
        option comp_lzo 'yes'

Here is my /etc/config/firewall file:

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6 WAN6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '80'
        option dest_port '80'
        option name 'HTTP'
        option dest_ip '192.168.1.209'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '443'
        option dest_port '443'
        option name 'HTTPS'
        option dest_ip '192.168.1.209'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp udp'
        option src_dport '2222'
        option dest_ip '192.168.1.159'
        option dest_port '22'
        option name 'SFTP'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp udp'
        option src_dport '1000'
        option dest_ip '192.168.1.154'
        option dest_port '80'
        option name 'sprinklers'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp udp'
        option src_dport '5000'
        option dest_ip '192.168.1.105'
        option dest_port '80'
        option name 'ted'

config rule
        option name 'Allow-OpenVPN-Inbound'
        option target 'ACCEPT'
        option src '*'
        option proto 'tcpudp'
        option dest_port '1194'

config zone
        option name 'vpnserver'
        option input 'ACCEPT'
        option forward 'REJECT'
        option output 'ACCEPT'
        option masq '1'
        option network 'vpnserver'

config forwarding
        option src 'vpnserver'
        option dest 'wan'

config forwarding
        option src 'vpnserver'
        option dest 'lan'

Here is my /etc/config/network file:

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'dd5c:beac:7fd6::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option dns '8.8.8.8 8.8.4.4'
        option ip6assign '64'

config interface 'wan'
        option ifname 'eth0'
        option proto 'dhcp'
        option macaddr '18:A6:F7:26:AF:19'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 3 4 6'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '5 0'

config interface 'WAN6'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'
        option ifname 'eth0'

config interface 'vpnserver'
        option proto 'none'
        option ifname 'ovpns0'
        option auto '1'

#4

You need to set the OpenVPN server to a different subnet than the LAN. In your case, both are 192.168.1.0/24.

Change the OpenVPN subnet to something else... maybe 192.168.2.0/24 (just as an example).

Remove the push directives for the route-gateway dhcp and topology subnet. Keep your push route and your push dhcp-option dns as they are.

Check out this thread if you are still having issues.
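One way to check a server config for the two problems this reply points out (VPN subnet equal to the LAN subnet, and the push directives that should go), as an added example that is not from the thread or from OpenWrt: a small Python script that parses the UCI text of /etc/config/openvpn and /etc/config/network and reports the same findings. The sample inputs are trimmed excerpts constructed from the configs posted above; the check for a missing LAN route and DNS push reflects the later replies in this thread.

```python
import ipaddress

# Minimal parser for OpenWrt UCI text: "config <type> '<name>'", "option <k> '<v>'", "list <k> '<v>'".
def parse_uci(text):
    sections = []
    for raw in text.splitlines():
        parts = raw.strip().split(None, 2)
        if not parts or parts[0].startswith("#"):
            continue
        value = parts[2].strip("'\"") if len(parts) > 2 else ""
        if parts[0] == "config":
            sections.append({"type": parts[1], "name": value or None, "options": {}, "lists": {}})
        elif parts[0] == "option" and sections:
            sections[-1]["options"][parts[1]] = value
        elif parts[0] == "list" and sections:
            sections[-1]["lists"].setdefault(parts[1], []).append(value)
    return sections

def net_from_pair(spec):
    """'192.168.1.0 255.255.255.0' (OpenVPN address/netmask pair) -> IPv4Network."""
    addr, mask = spec.split()
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def lan_network(network_text):
    for s in parse_uci(network_text):
        if s["type"] == "interface" and s["name"] == "lan":
            return net_from_pair(f"{s['options']['ipaddr']} {s['options']['netmask']}")
    raise ValueError("no 'lan' interface found in network config")

def check_openvpn_server(openvpn_text, network_text):
    """Return a list of findings for every 'config openvpn' section; [] means it looks right."""
    lan = lan_network(network_text)
    findings = []
    for s in parse_uci(openvpn_text):
        if s["type"] != "openvpn":
            continue
        opts, pushes = s["options"], s["lists"].get("push", [])
        # The tunnel needs its own subnet; an overlap with the LAN makes routing ambiguous.
        if "server" in opts and net_from_pair(opts["server"]).overlaps(lan):
            findings.append(f"server subnet {opts['server']} overlaps LAN {lan}")
        if opts.get("route_gateway") == "dhcp":
            findings.append("remove option route_gateway 'dhcp'")
        for p in pushes:
            if p in ("route-gateway dhcp", "topology subnet"):
                findings.append(f"remove push '{p}'")
        # Clients still need a route to the LAN and a resolver that knows the LAN hosts.
        routes = [net_from_pair(p[len("route "):]) for p in pushes if p.startswith("route ")]
        if lan not in routes:
            findings.append(f"push 'route {lan.network_address} {lan.netmask}' is missing")
        if not any(p.lower().startswith("dhcp-option dns") for p in pushes):
            findings.append("push 'dhcp-option DNS <router LAN IP>' is missing")
    return findings

# Constructed sample input: trimmed excerpts of the configs posted in this thread.
NETWORK = """\
config interface 'lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
"""
BROKEN = """\
config openvpn 'vpnserver'
        option server '192.168.1.0 255.255.255.0'
        option route_gateway 'dhcp'
        option topology 'subnet'
        list push 'topology subnet'
        list push 'route-gateway dhcp'
        list push 'route 192.168.1.0 255.255.255.0'
        list push 'dhcp-option DNS 192.168.1.1'
"""
FIXED = """\
config openvpn 'vpnserver'
        option server '192.168.200.0 255.255.255.0'
        option topology 'subnet'
        list push 'route 192.168.1.0 255.255.255.0'
        list push 'dhcp-option DNS 192.168.1.1'
"""

if __name__ == "__main__":
    for label, cfg in (("original", BROKEN), ("fixed", FIXED)):
        print(label, check_openvpn_server(cfg, NETWORK) or ["no findings"])
```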


#5

After your suggestion and reading the link you pointed me to, I have made the following changes to the /etc/config/openvpn:

.
.
.
config openvpn 'vpnserver'
        option proto 'udp'
        option port '1194'
        option dev_type 'tun'
        option dev 'ovpns0'
        option server '192.168.200.0 255.255.255.0'
        option ca '/etc/openvpn/ca.crt'
        option cert '/etc/openvpn/my-server.crt'
        option key '/etc/openvpn/my-server.key'
        option dh '/etc/openvpn/dh2048.pem'
        option tls_auth '/etc/openvpn/tls-auth.key 0'
        option tun_mtu '1500'
        option keepalive '10 120'
        option tls_server '1'
        option topology 'subnet'
        option route_gateway 'dhcp'
        option log '/tmp/openvpn.log'
        option client_to_client '1'
        option persist_key '1'
        option persist_tun '1'
        list push 'route 10.0.0.0 255.255.255.0'
.
.
.

and my home.ovpn on my laptop to:

.
.
.
</tls-auth>
  auth-nocache
  client
  dev tun
  remote thompco.com 1194 udp
  remote-cert-tls server
  verb 3
  key-direction 1  
.
.
.

Note that the rest of the two files are unchanged.
Unfortunately my connection behaves the same way (connects but no access to the devices behind the router)...
Any other suggestions?


#6

Change this to your LAN address (from earlier, it was 192.168.1.0 255.255.255.0).

Also add
list push dhcp-option dns 192.168.1.1


#7

And remove this line:
option route_gateway 'dhcp'


#8

Thanks psherman for all of your help.

PROGRESS!!!
I am able to connect and access my devices via IP address, but not via hostname. I assume that I am missing a dns directive somewhere...

When I do IPCONFIG /ALL from my client, it shows only one dns server (I assume that there would be at least two?):

.
.
.
DNS Servers . . . . . . . . . . . : 192.168.43.1
.
.
.

My /etc/config/openvpn file now looks like this:

.
.
.
config openvpn 'vpnserver'
        option proto 'udp'
        option port '1194'
        option dev_type 'tun'
        option dev 'ovpns0'
        option server '192.168.200.0 255.255.255.0'
        option ca '/etc/openvpn/ca.crt'
        option cert '/etc/openvpn/my-server.crt'
        option key '/etc/openvpn/my-server.key'
        option dh '/etc/openvpn/dh2048.pem'
        option tls_auth '/etc/openvpn/tls-auth.key 0'
        option tun_mtu '1500'
        option keepalive '10 120'
        option tls_server '1'
        option topology 'subnet'
        option log '/tmp/openvpn.log'
        option client_to_client '1'
        option persist_key '1'
        option persist_tun '1'
        list push 'route 192.168.1.0 255.255.255.0'
        list push 'dhcp-option DNS 192.168.1.1'
        option enabled '1'
.
.
.

#9

How do you normally connect to your devices by hostname? Are you using .local? or .lan? Do you have a specific DNS server on your network that you are using for host resolution?

If you're using .local, that will not work over a VPN or even across multiple VLANs because it is part of the mDNS system that is specifically designed to work within a single broadcast domain (does not route). It is plausible that you could try an mDNS reflector or something, but I'm not sure if that would work over a VPN.

Other name resolution services on your LAN may use mDNS and may be similarly unable to transit across subnets. If you have an actual DNS server with hostname mapping, that should work.

I am confused about your 192.168.43.1 DNS server -- I don't know where that is coming from -- are you testing this from a LAN outside your home? or do you have another subnet using that space? Or are there lines in your openvpn config that aren't shown in your posting?


#10

I'm pretty sure I remember seeing .lan (how can I check?)

I'm handling host name mapping via the LUCI interface (network -> host names) and assigning host names to IP/MAC addresses.

I was testing with a Hotspot on my phone so I could come in from outside my network. I assume that's where the DNS came from. What surprised me was that the one for my network was not there (192.168.1.1). I was assuming that was why I could not access hosts on my network by name.

Doesn't the line:
list push 'dhcp-option DNS 192.168.1.1'
handle DNS for VPN clients to look up local clients?

BTW, I just discovered that I can ping hosts via their fully qualified name from the remote computer. This is awesome, but it would be nicer if I just used their host names...


#11

Yes, the dhcp-option dns directive pushes the requested DNS to the client, so that should push all dns inquiries through that server -- in this case, the router hosting the OpenVPN server.

When you refer to the FQDN of the devices on your network, are you referring to .lan? Or another method of fully qualifying those hosts?

I could be wrong about the following, but this is how I understand it... I think that, by the nature of the way the OpenVPN client network is established, it will always require more than just the host name in order to establish the connection. Reason being that you need to get out of the local L2 switching domain. The only way to ensure that is the case is to specify a domain/suffix or IP address that is known to be outside the local switched environment.

Another way to look at it... Let's pretend that you are on the local network at a friend's house (or work or school or whatever) and it is 10.0.0.0/24 and a lan-level domain of .home. You connect to your VPN. If you type in 10.0.0.4 or the hostname (for the example: mars.home), you will still be able to access those local resources. But anything that traverses outside that realm (say myhomecomputer.lan or 192.168.1.45, or requests to the internet if redirect gateway def1 is enabled) will all go through the tunnel once it is clear that the host you're trying to reach cannot be found within the local broadcast domain.


#12

I am addressing the hosts as host1.mydomain.com

Your answer makes sense to me now that I think about it. NBD.

thanks very much for your help!

