[SOLVED] Unable to connect to OpenVPN server on wrt1900ac running 18.06.2


#1

Hi Guys,

I am trying to set up an OpenVPN server on my wrt1900ac v2 so that I can connect to my LAN remotely using the basic guide. My issue is that I cannot connect to the OpenVPN server on my router. I have a DDNS set up, but have been using the IP from my ISP for testing purposes. If I disable the firewall I am able to connect to the VPN server on my wrt1900ac with the ISP IP. My ISP modem/router is in bridge mode so it shouldn't be a double DNS issue.

Logs files from the troubleshooting link in the guide:

root@wrt1900ac:~# logread -e openvpn; netstat -l -n -p | grep openvpn
Fri Mar 15 23:24:25 2019 daemon.err openvpn(vpnserver)[18622]: event_wait : Interrupted system call (code=4)
Fri Mar 15 23:24:25 2019 daemon.notice openvpn(vpnserver)[18622]: Closing TUN/TAP interface
Fri Mar 15 23:24:25 2019 daemon.notice openvpn(vpnserver)[18622]: /sbin/ifconfig tun0 0.0.0.0
Fri Mar 15 23:24:25 2019 daemon.warn openvpn(vpnserver)[18622]: Linux ip addr del failed: external program exited with error status: 1
Fri Mar 15 23:24:25 2019 daemon.notice openvpn(vpnserver)[18622]: SIGTERM[hard,] received, process exiting
Fri Mar 15 23:24:25 2019 daemon.notice openvpn(vpnserver)[31892]: OpenVPN 2.4.5 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Fri Mar 15 23:24:25 2019 daemon.notice openvpn(vpnserver)[31892]: library versions: OpenSSL 1.0.2p  14 Aug 2018, LZO 2.10
Fri Mar 15 23:24:25 2019 daemon.notice openvpn(vpnserver)[31892]: Diffie-Hellman initialized with 2048 bit key
Fri Mar 15 23:24:25 2019 daemon.notice openvpn(vpnserver)[31892]: Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Fri Mar 15 23:24:25 2019 daemon.notice openvpn(vpnserver)[31892]: Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Fri Mar 15 23:24:25 2019 daemon.notice openvpn(vpnserver)[31892]: Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Fri Mar 15 23:24:25 2019 daemon.notice openvpn(vpnserver)[31892]: Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Fri Mar 15 23:24:25 2019 daemon.notice openvpn(vpnserver)[31892]: TUN/TAP device tun0 opened
Fri Mar 15 23:24:25 2019 daemon.notice openvpn(vpnserver)[31892]: TUN/TAP TX queue length set to 100
Fri Mar 15 23:24:25 2019 daemon.notice openvpn(vpnserver)[31892]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Fri Mar 15 23:24:25 2019 daemon.notice openvpn(vpnserver)[31892]: /sbin/ifconfig tun0 192.168.8.1 netmask 255.255.255.0 mtu 1500 broadcast 192.168.8.255
Fri Mar 15 23:24:25 2019 daemon.warn openvpn(vpnserver)[31892]: Could not determine IPv4/IPv6 protocol. Using AF_INET
Fri Mar 15 23:24:25 2019 daemon.notice openvpn(vpnserver)[31892]: Socket Buffers: R=[163840->163840] S=[163840->163840]
Fri Mar 15 23:24:25 2019 daemon.notice openvpn(vpnserver)[31892]: UDPv4 link local (bound): [AF_INET][undef]:1194
Fri Mar 15 23:24:25 2019 daemon.notice openvpn(vpnserver)[31892]: UDPv4 link remote: [AF_UNSPEC]
Fri Mar 15 23:24:25 2019 daemon.notice openvpn(vpnserver)[31892]: GID set to nogroup
Fri Mar 15 23:24:25 2019 daemon.notice openvpn(vpnserver)[31892]: UID set to nobody
Fri Mar 15 23:24:25 2019 daemon.notice openvpn(vpnserver)[31892]: MULTI: multi_init called, r=256 v=256
Fri Mar 15 23:24:25 2019 daemon.notice openvpn(vpnserver)[31892]: IFCONFIG POOL: base=192.168.8.2 size=252, ipv6=0
Fri Mar 15 23:24:25 2019 daemon.notice openvpn(vpnserver)[31892]: Initialization Sequence Completed
Fri Mar 15 23:24:39 2019 daemon.notice openvpn(vpnserver)[31892]: 192.168.123.226:62583 TLS: Initial packet from [AF_INET]192.168.123.226:62583, sid=da47932b f10bf2c1
Fri Mar 15 23:25:23 2019 daemon.notice openvpn(vpnserver)[31892]: 192.168.123.226:58230 TLS: Initial packet from [AF_INET]192.168.123.226:58230, sid=95d7240b 6f0b17a0
Fri Mar 15 23:25:39 2019 daemon.err openvpn(vpnserver)[31892]: 192.168.123.226:62583 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Mar 15 23:25:39 2019 daemon.err openvpn(vpnserver)[31892]: 192.168.123.226:62583 TLS Error: TLS handshake failed
Fri Mar 15 23:25:39 2019 daemon.notice openvpn(vpnserver)[31892]: 192.168.123.226:62583 SIGUSR1[soft,tls-error] received, client-instance restarting

root@wrt1900ac:~# pgrep -f -a openvpn
18622 /usr/sbin/openvpn --syslog openvpn(vpnserver) --status /var/run/openvpn.vpnserver.status --cd /etc/openvpn --config /etc/openvpn/vpnserver.conf
root@wrt1900ac:~# ip addr show; ip route show; ip rule show; iptables-save
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 532
    link/ether c0:56:27:bb:f6:a3 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::c256:27ff:febb:f6a3/64 scope link
       valid_lft forever preferred_lft forever
3: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 532
    link/ether c2:56:27:bb:f6:a3 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::c056:27ff:febb:f6a3/64 scope link
       valid_lft forever preferred_lft forever
7: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether c2:56:27:bb:f6:a3 brd ff:ff:ff:ff:ff:ff
    inet 192.168.123.254/24 brd 192.168.123.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 fd1b:ff41:964::1/60 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::c056:27ff:febb:f6a3/64 scope link
       valid_lft forever preferred_lft forever
8: eth0.1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether c2:56:27:bb:f6:a3 brd ff:ff:ff:ff:ff:ff
9: eth1.2@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether c0:56:27:bb:f6:a3 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::c256:27ff:febb:f6a3/64 scope link
       valid_lft forever preferred_lft forever
10: pppoe-wan: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc fq_codel state UNKNOWN qlen 3
    link/ppp
    inet *ISP IP* peer 10.20.25.120/32 scope global pppoe-wan
       valid_lft forever preferred_lft forever
    inet6 fe80::4ce9:54fd:b461:155d/10 scope link
       valid_lft forever preferred_lft forever
11: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br-lan state UP qlen 1000
    link/ether c2:56:27:bb:f6:a5 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::c056:27ff:febb:f6a5/64 scope link
       valid_lft forever preferred_lft forever
12: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br-lan state UP qlen 1000
    link/ether c2:56:27:bb:f6:a4 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::c056:27ff:febb:f6a4/64 scope link
       valid_lft forever preferred_lft forever
18: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN qlen 100
    link/[65534]
    inet 192.168.8.1/24 brd 192.168.8.255 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::a450:d82a:1455:d5ba/64 scope link
       valid_lft forever preferred_lft forever
default via 10.20.25.120 dev pppoe-wan
10.20.25.120 dev pppoe-wan scope link  src *ISP IP*
192.168.8.0/24 dev tun0 scope link  src 192.168.8.1
192.168.123.0/24 dev br-lan scope link  src 192.168.123.254
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
# Generated by iptables-save v1.6.2 on Fri Mar 15 23:07:05 2019
*nat
:PREROUTING ACCEPT [2295:282576]
:INPUT ACCEPT [1031:66006]
:OUTPUT ACCEPT [254:19210]
:POSTROUTING ACCEPT [31:3461]
:MINIUPNPD - [0:0]
:MINIUPNPD-POSTROUTING - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
-A PREROUTING -i tun0 -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_prerouting
-A PREROUTING -i eth1.2 -m comment --comment "!fw3" -j zone_wan_prerouting
-A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
-A POSTROUTING -o tun0 -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o pppoe-wan -m comment --comment "!fw3" -j zone_wan_postrouting
-A POSTROUTING -o eth1.2 -m comment --comment "!fw3" -j zone_wan_postrouting
-A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
-A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
-A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
-A zone_wan_postrouting -j MINIUPNPD-POSTROUTING
-A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
-A zone_wan_prerouting -j MINIUPNPD
COMMIT
# Completed on Fri Mar 15 23:07:05 2019
# Generated by iptables-save v1.6.2 on Fri Mar 15 23:07:05 2019
*mangle
:PREROUTING ACCEPT [263133:325365879]
:INPUT ACCEPT [4879:453216]
:FORWARD ACCEPT [257469:324730477]
:OUTPUT ACCEPT [4075:2158646]
:POSTROUTING ACCEPT [261517:326890042]
-A FORWARD -o pppoe-wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o eth1.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Fri Mar 15 23:07:05 2019
# Generated by iptables-save v1.6.2 on Fri Mar 15 23:07:05 2019
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:MINIUPNPD - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A INPUT -i tun0 -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i eth1.2 -m comment --comment "!fw3" -j zone_wan_input
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -i tun0 -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i eth1.2 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -m comment --comment "!fw3" -j reject
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -o tun0 -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o pppoe-wan -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o eth1.2 -m comment --comment "!fw3" -j zone_wan_output
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
-A syn_flood -m comment --comment "!fw3" -j DROP
-A zone_lan_dest_ACCEPT -o tun0 -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i tun0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o pppoe-wan -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o pppoe-wan -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o eth1.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o eth1.2 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_REJECT -o pppoe-wan -m comment --comment "!fw3" -j reject
-A zone_wan_dest_REJECT -o eth1.2 -m comment --comment "!fw3" -j reject
-A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
-A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_wan_forward -j MINIUPNPD
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
-A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
-A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
-A zone_wan_input -p udp -m udp --dport 1194 -m comment --comment "!fw3: Allow-OpenVPN" -j ACCEPT
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
-A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_src_REJECT -i pppoe-wan -m comment --comment "!fw3" -j reject
-A zone_wan_src_REJECT -i eth1.2 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Fri Mar 15 23:07:05 2019
root@wrt1900ac:~#  uci show network; uci show firewall; uci show openvpn
network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fd1b:ff41:0964::/48'
network.lan=interface
network.lan.type='bridge'
network.lan.ifname='eth0.1'
network.lan.proto='static'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.lan.ipaddr='192.168.123.254'
network.wan=interface
network.wan.ifname='eth1.2'
network.wan.proto='pppoe'
network.wan.username='teeedubb'
network.wan.password='*****'
network.wan.ipv6='auto'
network.wan6=interface
network.wan6.ifname='eth1.2'
network.wan6.proto='dhcpv6'
network.@switch[0]=switch
network.@switch[0].name='switch0'
network.@switch[0].reset='1'
network.@switch[0].enable_vlan='1'
network.@switch_vlan[0]=switch_vlan
network.@switch_vlan[0].device='switch0'
network.@switch_vlan[0].vlan='1'
network.@switch_vlan[0].ports='0 1 2 3 5t'
network.@switch_vlan[1]=switch_vlan
network.@switch_vlan[1].device='switch0'
network.@switch_vlan[1].vlan='2'
network.@switch_vlan[1].ports='4 6t'
firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].network='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[0].device='tun0'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].network='wan' 'wan6'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@zone[1].forward='REJECT'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.miniupnpd=include
firewall.miniupnpd.type='script'
firewall.miniupnpd.path='/usr/share/miniupnpd/firewall.include'
firewall.miniupnpd.family='any'
firewall.miniupnpd.reload='1'
firewall.vpn=rule
firewall.vpn.name='Allow-OpenVPN'
firewall.vpn.src='wan'
firewall.vpn.dest_port='1194'
firewall.vpn.proto='udp'
firewall.vpn.target='ACCEPT'
openvpn.vpnserver=openvpn
openvpn.vpnserver.enabled='1'
openvpn.vpnserver.config='/etc/openvpn/vpnserver.conf'
root@wrt1900ac:~# head -n -0 /etc/openvpn/*.conf
verb 3
user nobody
group nogroup
dev tun0
port 1194
proto udp
server 192.168.8.0 255.255.255.0
topology subnet
client-to-client
keepalive 10 120
persist-tun
persist-key
push "dhcp-option DNS 192.168.8.1"
push "dhcp-option DOMAIN local"
push "redirect-gateway def1"
push "persist-tun"
push "persist-key"
<dh>
-----BEGIN DH PARAMETERS-----
...
-----END DH PARAMETERS-----
</dh>
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
...
-----END OpenVPN Static key V1-----
</tls-crypt>
<ca>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
</key>

OpenVPN client:

Fri Mar 15 22:57:38 2019 OpenVPN 2.4.6 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 26 2018
Fri Mar 15 22:57:38 2019 Windows version 6.2 (Windows 8 or greater) 64bit
Fri Mar 15 22:57:38 2019 library versions: OpenSSL 1.1.0h  27 Mar 2018, LZO 2.10
Fri Mar 15 22:57:38 2019 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Fri Mar 15 22:57:38 2019 Need hold release from management interface, waiting...
Fri Mar 15 22:57:39 2019 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Fri Mar 15 22:57:39 2019 MANAGEMENT: CMD 'state on'
Fri Mar 15 22:57:39 2019 MANAGEMENT: CMD 'log all on'
Fri Mar 15 22:57:39 2019 MANAGEMENT: CMD 'echo all on'
Fri Mar 15 22:57:39 2019 MANAGEMENT: CMD 'bytecount 5'
Fri Mar 15 22:57:39 2019 MANAGEMENT: CMD 'hold off'
Fri Mar 15 22:57:39 2019 MANAGEMENT: CMD 'hold release'
Fri Mar 15 22:57:39 2019 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Fri Mar 15 22:57:39 2019 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Fri Mar 15 22:57:39 2019 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Fri Mar 15 22:57:39 2019 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Fri Mar 15 22:57:39 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]*ISP IP*:1194
Fri Mar 15 22:57:39 2019 Socket Buffers: R=[65536->65536] S=[65536->65536]
Fri Mar 15 22:57:39 2019 UDP link local: (not bound)
Fri Mar 15 22:57:39 2019 UDP link remote: [AF_INET]*ISP IP*:1194
Fri Mar 15 22:57:39 2019 MANAGEMENT: >STATE:1552651059,WAIT,,,,,,
Fri Mar 15 22:58:39 2019 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Mar 15 22:58:39 2019 TLS Error: TLS handshake failed
Fri Mar 15 22:58:39 2019 SIGUSR1[soft,tls-error] received, process restarting

I get the feeling that a VPN zone is not being created during setup, but I am a noob when it comes to networking so I'm not sure.

Does anyone have any idea on where the issue lies?
Thanks in advance (apologies for the log files being out of order, I had to repost some due to the character limit on the forums).


#2

tun0 is assigned to zone lan:


#3

Ahhh, thanks.
Should it be showing up in the firewall zone page in LuCI? (That's where I got the hunch from.)


#4

No, LuCI doesn't display it; it's because of that issue:
OpenVPN client tun adapter loses its IP address on network restart


#5

It isn't expected to work when connecting from LAN.
Try option float if you really need to do it that way.
Or connect to router LAN-address specifically.
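As an added illustration of the two points made in #2/#4 and in #5 (this is example code, not from the thread or from OpenWrt): the script below parses `uci show firewall` output to confirm that tun0 is covered by a zone even though LuCI does not show it, checks that the Allow-OpenVPN input rule is present, and scans `logread -e openvpn` output for TLS handshake failures, flagging the ones whose client address lies inside the router's own LAN. That flag is the case #5 describes: the client sends to the WAN address, but the router's reply leaves from its LAN address, so a client without the `float` option discards it. The uci and log excerpts are constructed from the output posted above with one invented remote client (203.0.113.9), and the LAN subnet 192.168.123.0/24 is assumed from the `ip addr show` output.

```python
import ipaddress
import re

# Constructed excerpts, shaped like the thread's `uci show firewall` and
# `logread -e openvpn` output; the 203.0.113.9 client is an invented extra entry.
UCI_FIREWALL = """\
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].network='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].device='tun0'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].network='wan' 'wan6'
firewall.@zone[1].input='REJECT'
firewall.vpn=rule
firewall.vpn.name='Allow-OpenVPN'
firewall.vpn.src='wan'
firewall.vpn.dest_port='1194'
firewall.vpn.proto='udp'
firewall.vpn.target='ACCEPT'
"""

OPENVPN_LOG = """\
Fri Mar 15 23:24:39 2019 daemon.notice openvpn(vpnserver)[31892]: 192.168.123.226:62583 TLS: Initial packet from [AF_INET]192.168.123.226:62583, sid=da47932b f10bf2c1
Fri Mar 15 23:25:39 2019 daemon.err openvpn(vpnserver)[31892]: 192.168.123.226:62583 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Mar 15 23:25:39 2019 daemon.err openvpn(vpnserver)[31892]: 192.168.123.226:62583 TLS Error: TLS handshake failed
Fri Mar 15 23:30:01 2019 daemon.err openvpn(vpnserver)[31892]: 203.0.113.9:40000 TLS Error: TLS handshake failed
"""

# Assumed from the thread's `ip addr show` (br-lan is 192.168.123.254/24).
LAN_SUBNET = ipaddress.ip_network("192.168.123.0/24")

UCI_LINE = re.compile(r"^(\w+)\.([^.=]+?)(?:\.(\w+))?=(.*)$")
HANDSHAKE_FAIL = re.compile(
    r"openvpn\([^)]*\)\[\d+\]: (\d+\.\d+\.\d+\.\d+):(\d+) TLS Error: TLS handshake failed"
)


def parse_uci(text):
    """Turn `uci show` lines into {section: {".type": type, option: value}}.
    Multi-value options (e.g. network='wan' 'wan6') become lists."""
    conf = {}
    for line in text.splitlines():
        m = UCI_LINE.match(line.strip())
        if not m:
            continue
        _pkg, section, option, raw = m.groups()
        entry = conf.setdefault(section, {})
        if option is None:
            entry[".type"] = raw  # section type line, e.g. zone / rule
            continue
        values = re.findall(r"'([^']*)'", raw)
        entry[option] = values if len(values) > 1 else (values[0] if values else raw)
    return conf


def zone_of_device(conf, device):
    """Name of the zone whose `device` option lists `device`, or None if no zone covers it."""
    for opts in conf.values():
        if opts.get(".type") != "zone":
            continue
        devices = opts.get("device", [])
        if isinstance(devices, str):
            devices = [devices]
        if device in devices:
            return opts.get("name")
    return None


def openvpn_input_rule_present(conf, port="1194", proto="udp"):
    """True if a wan-sourced ACCEPT rule for the OpenVPN port exists without a `dest`
    (no dest means the rule applies to traffic addressed to the router itself)."""
    for opts in conf.values():
        if opts.get(".type") != "rule" or "dest" in opts:
            continue
        if (opts.get("src") == "wan" and opts.get("dest_port") == port
                and opts.get("proto") == proto and opts.get("target") == "ACCEPT"):
            return True
    return False


def handshake_failures(log, lan_subnet):
    """Extract 'TLS handshake failed' events and flag clients whose source address is
    inside the router's own LAN (the connect-from-LAN case from post #5)."""
    findings = []
    for line in log.splitlines():
        m = HANDSHAKE_FAIL.search(line)
        if not m:
            continue
        ip = ipaddress.ip_address(m.group(1))
        findings.append({"client": f"{ip}:{m.group(2)}", "from_lan": ip in lan_subnet})
    return findings


def diagnose(uci_text, log_text, lan_subnet):
    """Combine the three checks into human-readable findings."""
    conf = parse_uci(uci_text)
    zone = zone_of_device(conf, "tun0")
    out = [f"tun0 zone: {zone or 'NONE (assign tun0 to a zone)'}"]
    out.append("Allow-OpenVPN input rule: "
               + ("present" if openvpn_input_rule_present(conf) else "MISSING"))
    for f in handshake_failures(log_text, lan_subnet):
        hint = ("client is on the LAN: test from outside, use the float option, "
                "or connect to the LAN address") if f["from_lan"] else (
                "remote client: check DDNS and WAN reachability")
        out.append(f"handshake failed from {f['client']}: {hint}")
    return out


if __name__ == "__main__":
    for line in diagnose(UCI_FIREWALL, OPENVPN_LOG, LAN_SUBNET):
        print(line)
```

Run on the excerpts it reports that tun0 sits in zone lan, that the Allow-OpenVPN rule is present, and that the only failing client in the thread's log (192.168.123.226) is a LAN address, which matches the outcome in #6 where connecting from outside worked once DDNS was fixed. On a real router, feed it the output of `uci show firewall` and `logread -e openvpn` and set `LAN_SUBNET` from your own br-lan address.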


#6

Thanks @vgaetera! I wasn't aware that it wouldn't work when connecting from LAN.
Also, my DDNS was not configured properly so I was getting an error when connecting remotely which looked very similar to when connecting via LAN - it started working after using my ISP IP and via a mobile hotspot. I have configured my DDNS properly so it is now all working as it should :)

Thanks again!