Starting up openvpn on OpenWrt

Final tests are running. The final result is a "site-to-site VPN". Network 10.15.0.0/22 is client1, named "koti", which is "home". The second network is 10.16.0.0/22, client2, named "halli", "hall".

Mask /22 is not so popular, but the reason is simple: for many years I have used mask /24, and the old home network was 10.15.10.0/24. The static IP range was 10.15.10.1-10.15.10.19. It was frustrating to always think about addresses. So the present scheme, "10.15.0.1 gateway, static IPs 10.15.0.1-254, DHCP 10.15.1.1-254, spare 10.15.2.x", is excellent and frees me.

OK: the SERVER is Ubuntu 18.04 on Jelastic, a cloud service. The OpenVPN server runs there.
SERVER SIDE:

#start of the /etc/openvpn/server.conf on the server
#port 1194 (standard), protocol udp4 (IPv4 only), dev tun (layer-3 tunnel)
port 1194
proto udp4
dev tun
#keys and certificates from easy-rsa (server.key must stay readable by root only)
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
#no tls-auth/tls-crypt line: the control channel has no pre-shared HMAC, so any host that can reach UDP/1194 can start a TLS handshake
#pool: 10.8.0.0/24, the subnet all the standard examples use, so we use it too
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
#let the sites (clients) reach each other through the server process
client-to-client
keepalive 10 120
#data-channel cipher; two OpenVPN 2.4 peers will normally negotiate AES-256-GCM on top of this
cipher AES-256-CBC
#drop root privileges after startup
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
mute 20
explicit-exit-notify 1
#then routes: by convention site 10.15.0.0/22 sits behind VPN address 10.8.0.15, 10.16.0.0/22 behind 10.8.0.16, etc.
#the route lines make the server kernel send those /22s into tun; the push lines tell every client the same thing (metric 1000)
client-config-dir /etc/openvpn/ccd
route 10.15.0.0 255.255.252.0 10.8.0.15
route 10.16.0.0 255.255.252.0 10.8.0.16
route 10.17.0.0 255.255.252.0 10.8.0.17
push "route 10.15.0.0 255.255.252.0 10.8.0.15 1000"
push "route 10.16.0.0 255.255.252.0 10.8.0.16 1000"
push "route 10.17.0.0 255.255.252.0 10.8.0.17 1000"
#end of the /etc/openvpn/server.conf on the server

CCD
#start of the /etc/openvpn/ccd file "client1" (the file name is the CN in the client's certificate)
#fixed VPN address for this client, with a netmask because of topology subnet
ifconfig-push 10.8.0.15 255.255.255.0
#tell the OpenVPN process that 10.15.0.0/22 lives behind this client (the kernel route above only gets packets as far as tun)
iroute 10.15.0.0 255.255.252.0
#strips any pushed redirect-gateway for this client; server.conf above pushes none, so this is a no-op here
push-remove redirect-gateway
#end of the /etc/openvpn/ccd file "client1"

And client2 is 16, client3 is 17, etc.

THIS IS THE WORKING CONFIGURATION ON THE SERVER SIDE.

CLIENT1 "KOTI" ("HOME") NETWORK SETTINGS.

#start of the /etc/config/network file on client1, the koti network (OpenWrt x86 router)
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'

config globals 'globals'
option ula_prefix 'fdc1:e63d:b73e::/48'

config interface 'lan'
option type 'bridge'
option ifname 'eth0'
option proto 'static'
option netmask '255.255.252.0'
option ip6assign '60'
option ipaddr '10.15.0.1'

#this is the home network's ADSL uplink. Later: check whether the VPN should use 4G instead, for speed.

config interface 'wan'
option ifname 'eth1'
option proto 'static'
option netmask '255.255.255.252'
option ip6assign '60'
#WAN address and gateway were removed from the post
option ipaddr ''
option gateway ''
list dns '8.8.8.8'
list dns '8.8.4.4'
#end of the /etc/config/network file on client1

FIREWALL SETTINGS ON CLIENT1

#Start of /etc/config/firewall on client1-router
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'

config zone 'lan'
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
#tun0 (the OpenVPN interface) is put in the lan zone: hosts on the remote sites get the same access as local LAN hosts, and forward=ACCEPT lets lan<->tun0 traffic pass
list device 'tun0'

config zone 'wan'
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'wan'

config forwarding 'lan_wan'
option src 'lan'
option dest 'wan'

config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'

config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'

config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'

config include
option path '/etc/firewall.user'

#accepts inbound UDP/1194 from WAN to the router itself (input chain); this router runs OpenVPN as a client with nobind
config rule 'ovpn'
option name 'Allow-OpenVPN'
option src 'wan'
option dest_port '1194'
option proto 'udp'
option target 'ACCEPT'

#end of /etc/config/firewall on client1-router

And then the OpenVPN configuration on client1

CLIENT1 OPENVPN CONFIGURATION FILE
#start of /etc/openvpn/client.conf on client1 home
client
dev tun
proto udp
#the server's address was removed from the post (syntax: remote HOST PORT)
remote 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
remote-cert-tls server
cipher AES-256-CBC
verb 3
mute 20
#end of /etc/openvpn/client.conf

AND CLIENT2, 3, ETC. THE SAME WAY


In a nutshell, the most important:
Server:
keys and certificates are clear, and nobody can make mistakes there
This is the most important:
route 10.15.0.0 255.255.252.0 10.8.0.15
push "route 10.15.0.0 255.255.252.0 10.8.0.15 1000"
And ccd:
ifconfig-push 10.8.0.15 255.255.255.0
iroute 10.15.0.0 255.255.252.0
push-remove redirect-gateway

CLIENT SIDE
NETWORK SETTINGS
"Interfaces": use the standard loopback as in the default file. Configure lan and wan the standard way. Mainly, "interfaces" is not difficult to adjust.

FIREWALL

  • config zone lan: list network 'lan', list device 'tun0'. It is important to add device "tun0" to firewall zone "lan"; tun0 is the OpenVPN device. Zone lan must contain lan and tun0.
  • zone wan: normally network wan.
  • forwarding: source lan, destination wan
  • and most important:
    config rule 'ovpn'
    option name 'Allow-OpenVPN'
    option src 'wan'
    option dest_port '1194'
    option proto 'udp'
    option target 'ACCEPT'
    So, in the FIREWALL add the OpenVPN device tun0 and make the ovpn rule.

OPENVPN
OpenVPN configuration file: mainly standard. client.conf: client, dev tun, udp, server IP, etc.

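The four lines the summary above calls the most important (the server's `route` and `push "route"` and the ccd file's `ifconfig-push` and `iroute`) have to agree with each other, and the full server.conf and ccd file in the first post show one consistent set. The script below is an added example, not code from the forum posts: it parses a server.conf and a ccd directory the way OpenVPN reads them and reports any mismatch between those four pieces, plus two common slips (two clients pinned to one VPN address, a site route overlapping the VPN pool). The inputs are constructed from the configs in the thread; the ccd file names client1..client3 are an assumption.

```python
"""Consistency check for the server.conf / ccd pairing described in the thread.

Added example (not code from the forum posts). Reports where `route`,
push "route", `ifconfig-push` and `iroute` disagree. Inputs below are
constructed from the thread's configs; ccd names client1..client3 are assumed.
"""
import ipaddress
import shlex

# Constructed copy of the relevant server.conf lines from the thread.
SERVER_CONF = """\
port 1194
proto udp4
dev tun
topology subnet
server 10.8.0.0 255.255.255.0
client-to-client
client-config-dir /etc/openvpn/ccd
route 10.15.0.0 255.255.252.0 10.8.0.15
route 10.16.0.0 255.255.252.0 10.8.0.16
route 10.17.0.0 255.255.252.0 10.8.0.17
push "route 10.15.0.0 255.255.252.0 10.8.0.15 1000"
push "route 10.16.0.0 255.255.252.0 10.8.0.16 1000"
push "route 10.17.0.0 255.255.252.0 10.8.0.17 1000"
"""

# Constructed ccd directory: file name -> contents (the name must equal the client cert CN).
CCD = {
    "client1": "ifconfig-push 10.8.0.15 255.255.255.0\niroute 10.15.0.0 255.255.252.0\npush-remove redirect-gateway\n",
    "client2": "ifconfig-push 10.8.0.16 255.255.255.0\niroute 10.16.0.0 255.255.252.0\n",
    "client3": "ifconfig-push 10.8.0.17 255.255.255.0\niroute 10.17.0.0 255.255.252.0\n",
}


def directives(text):
    """Yield (keyword, args) per non-comment line; shlex keeps push "..." as one argument."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line)
        yield parts[0], parts[1:]


def net(addr, mask):
    """OpenVPN writes 'ADDR MASK'; ipaddress wants 'ADDR/MASK'."""
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def check(server_conf, ccd_files):
    """Return a list of findings; an empty list means routes and ccd files line up."""
    findings = []
    pool = None
    routes = {}   # kernel routes the server installs: network -> gateway (or None)
    pushed = {}   # routes pushed to every client: network -> gateway (or None)
    for kw, args in directives(server_conf):
        if kw == "server":
            pool = net(args[0], args[1])
        elif kw == "route":
            routes[net(args[0], args[1])] = args[2] if len(args) > 2 else None
        elif kw == "push" and args and args[0].startswith("route "):
            r = args[0].split()
            pushed[net(r[1], r[2])] = r[3] if len(r) > 3 else None

    owner = {}     # VPN address -> ccd name, to catch two clients pinned to one address
    claimed = {}   # network -> ccd name that claims it with iroute
    for name, text in ccd_files.items():
        vpn_ip, iroutes = None, []
        for kw, args in directives(text):
            if kw == "ifconfig-push":
                vpn_ip = ipaddress.IPv4Address(args[0])
            elif kw == "iroute":
                iroutes.append(net(args[0], args[1]))
        if vpn_ip is not None:
            if pool is not None and vpn_ip not in pool:
                findings.append(f"{name}: ifconfig-push {vpn_ip} is outside the server pool {pool}")
            if vpn_ip in owner:
                findings.append(f"{name}: ifconfig-push {vpn_ip} is already used by {owner[vpn_ip]}")
            owner[vpn_ip] = name
        for n in iroutes:
            claimed[n] = name
            if n not in routes:
                # iroute alone is not enough: without a matching route the kernel never hands the packet to tun
                findings.append(f"{name}: iroute {n} has no matching route in server.conf")
            elif routes[n] is not None and vpn_ip is not None and routes[n] != str(vpn_ip):
                findings.append(f"{name}: route {n} points at {routes[n]} but this client is {vpn_ip}")

    for n, gw in routes.items():
        if n not in claimed:
            # route alone is not enough either: OpenVPN drops packets for a LAN no client claimed with iroute
            findings.append(f"route {n}: no ccd file claims it with iroute")
        if n not in pushed:
            findings.append(f"route {n}: not pushed, other sites will not learn it")
        elif pushed[n] != gw:
            findings.append(f"route {n}: pushed gateway {pushed[n]} differs from server gateway {gw}")
        if pool is not None and n.overlaps(pool):
            findings.append(f"route {n}: overlaps the VPN pool {pool}")
    return findings


if __name__ == "__main__":
    for line in check(SERVER_CONF, CCD) or ["OK: routes, pushes and ccd files agree"]:
        print(line)
```

Run it against the real files by reading `/etc/openvpn/server.conf` and each file under the `client-config-dir` into the same shapes; the thread's own configuration produces no findings, while a ccd file that still carries the old /24 habit (`iroute 10.15.0.0 255.255.255.0`) is reported from both sides: the iroute has no matching route, and the /22 route has no owner.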

AND NOW TWO QUESTIONS; I STILL NEED HELP...

  1. On the server I have tried a million things. None helped. OpenVPN must be started manually with "openvpn /etc/openvpn/server.conf"; no autostart, always manually. So: /etc/openvpn/server.conf and the OpenVPN server starts. I go to a test computer (on the "15" network or the "16" network). Ping, and everything works: ping 10.8.0.1 answers, 15 answers, all work. Then I go to the OpenVPN server and press Ctrl-C. The OpenVPN server stops and the VPN connection breaks. How can I make this work always?

  2. The DHCP range is not reachable over the VPN.
    So, the settings are as you see:
    route 10.15.0.0 255.255.252.0 10.8.0.15
    push "route 10.15.0.0 255.255.252.0 10.8.0.15 1000"
    ccd:
    ifconfig-push 10.8.0.15 255.255.255.0
    iroute 10.15.0.0 255.255.252.0
    push-remove redirect-gateway

Now I go to computer "16" (a computer connected to router 10.16.0.0/22):
ping 10.8.0.1: answers
ping 10.8.0.15: answers
ping 10.8.0.16: answers
ping 10.16.0.1: answers (its own router...)
ping 10.15.0.1: answers (wow! This goes over the VPN!)
ping 10.15.0.7: answers (wow!!!! This is a printer on network 15!)
OK... this is my computer... ipconfig -all... OK, this is 10.15.1.45. I also found other computers, e.g. 10.15.1.70. Hmm... OK, I test internally, ping 10.15.1.70, it answers... so the internal network works...
And now I go back to the computer on network "16"... and continue...
ping 10.15.1.45: no answer
ping 10.15.1.70: no answer

So: over the VPN I can reach only 10.15.0.1-254. Not 10.15.1.1-254, the DHCP range.

How must I edit the route so that DHCP works also?

sudo mv /etc/openvpn/server.conf /etc/openvpn/server/
sudo systemctl --now enable openvpn-server@server.service

I hope this is the last question:
The client network is 10.15.0.0/22. The OpenWrt router IP address = gateway = 10.15.0.1. The DHCP range is 10.15.1.1-10.15.1.254. The other networks are similar, so 10.16.0.0 and 10.17.0.0 likewise.

The site-to-site VPN works now. I can ping 10.15.0.1-254 from both networks; I also tested printers etc. It works. From network "15" I can reach network "16" and vice versa.

BUT this DHCP range I cannot reach. That is, e.g. from network "16" I can ping 10.15.0.1 and it answers. But e.g. ping 10.15.1.45 does not answer.

What is the right solution to this problem? I tested "server 10.8.0.0 255.255.252.0", that is, 10.8.0.0/22. No effect. Then I tested editing the ccd files:
ifconfig-push 10.8.0.15 255.255.255.0
ifconfig-push 10.8.1.15 255.255.255.0
iroute 10.15.0.0 255.255.252.0
push-remove redirect-gateway

Does not work. The VPN tunnel stops.

So, how can I add this DHCP range?

Typically, routing issues should be diagnosed with the following method:

  • Run traceroute or tracepath in both directions to localize the problem.
  • Verify routing and firewall configuration on each host on the path:
    ip route show; ip rule show; iptables-save

This principle should apply to any OS, as long as you use the appropriate diagnostic commands.

It should just work: 10.16.0.7 and 10.16.1.7 are certainly in the same network if everything is properly configured with a /22 netmask.

IPs in the VPN tunnel (10.8.0.0/24 here) are one for the server and one per client; no matter how large the client's LAN is, it will all gateway through that one IP. You don't have to have a large netmask.

By default a Windows 10 endpoint drops almost every packet incoming on its LAN, including pings. They're a little too much into the "Shields Up!" (tm) school of thought. Additionally, Windows and possibly some other OSs distrust private IPs that are not in their own LAN, which is the case with your remote sites.

You could try moving the printer which you can ping to one of your "DHCP addresses" to see if it's a network problem or an endpoint issue.

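The reply above says to read `ip route show` on each hop and reasons that under a /22 the .0.x and .1.x hosts take the same route. The script below is an added example, not code from the forum posts: it parses `ip route show` output and does the kernel's longest-prefix match, so "which way does 10.15.1.45 leave this router" becomes a lookup. Both routing tables are constructed: the first mirrors what the client2 (halli) router would show once the server has pushed the /22 routes, the second is the same table with a /24 site route, which is the shape that would produce exactly the symptom described (10.15.0.x reachable, 10.15.1.x falling to the default route). The WAN addresses 192.0.2.x are placeholders.

```python
"""Longest-prefix lookup over `ip route show` output.

Added example (not from the forum posts). Both tables below are constructed;
the WAN addresses 192.0.2.x are placeholders.
"""
import ipaddress

# What the client2 (halli) router would show with the /22 routes pushed by the server.
IP_ROUTE_CLIENT2 = """\
default via 192.0.2.1 dev eth1
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.16
10.15.0.0/22 via 10.8.0.15 dev tun0 metric 1000
10.16.0.0/22 dev br-lan proto kernel scope link src 10.16.0.1
10.17.0.0/22 via 10.8.0.17 dev tun0 metric 1000
192.0.2.0/30 dev eth1 proto kernel scope link src 192.0.2.2
"""

# Same table with a /24 site route: the shape that reaches 10.15.0.x but not 10.15.1.x.
IP_ROUTE_CLIENT2_SLASH24 = IP_ROUTE_CLIENT2.replace("10.15.0.0/22", "10.15.0.0/24")


def parse_routes(text):
    """Turn `ip route show` lines into dicts with dst, via, dev and metric."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if not f:
            continue
        dst = "0.0.0.0/0" if f[0] == "default" else f[0]
        r = {"dst": ipaddress.IPv4Network(dst, strict=False), "via": None, "dev": None, "metric": 0}
        for i, tok in enumerate(f):
            if tok in ("via", "dev") and i + 1 < len(f):
                r[tok] = f[i + 1]
            elif tok == "metric" and i + 1 < len(f):
                r["metric"] = int(f[i + 1])
        routes.append(r)
    return routes


def lookup(routes, dst):
    """Kernel rule: most specific prefix wins, lower metric breaks ties; None if nothing matches."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in routes if addr in r["dst"]]
    if not matches:
        return None
    return max(matches, key=lambda r: (r["dst"].prefixlen, -r["metric"]))


def describe(routes, dst):
    """Human-readable next hop for dst, e.g. '10.15.0.0/22 via 10.8.0.15 dev tun0'."""
    r = lookup(routes, dst)
    if r is None:
        return "unreachable"
    via = f" via {r['via']}" if r["via"] else ""
    return f"{r['dst']}{via} dev {r['dev']}"


def same_path(routes, a, b):
    """True when both destinations leave through the same route entry."""
    ra = lookup(routes, a)
    return ra is not None and ra is lookup(routes, b)


if __name__ == "__main__":
    for label, table in (("/22 as pushed", IP_ROUTE_CLIENT2), ("/24 site route", IP_ROUTE_CLIENT2_SLASH24)):
        rt = parse_routes(table)
        for dst in ("10.15.0.1", "10.15.1.45"):
            print(f"{label}: {dst} -> {describe(rt, dst)}")
```

Feed it the real output (`ip route show` on the remote router, then on the server, then on the home router) and compare the answer for a static address and a DHCP address at each hop: if every hop sends both into the same interface, the routing is fine and the remaining suspect is the endpoint's own firewall, which is where the thread ends up.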

Does not work. (Of course I rebooted the whole server and did /etc/init.d/openvpn restart etc.) The OpenVPN service is running after this. This is not enough. a) I must open an SSH connection and use the CLI, b) I must write "openvpn /etc/openvpn/server server.conf", and c) this SSH command line must stay active.

So the question is: "How can I add this 'openvpn /etc/openvpn/server server.conf' to startup and put it in the background?" It is as true as Heaven: the OpenVPN site-to-site works only if this command is written and active.

For that question: it's an Ubuntu server, so not in the scope of this forum, but well documented elsewhere.

You are right. Thank you.

  • I moved one printer from the static range to the dynamic range: 10.15.0.5, changed to 10.15.1.5. Dynamic range. Now ping answers.
  • I tried to ping my computer, ping 10.15.1.45: no answer.
  • I tried Microsoft RDP: computer "JK4", username. Not found. If I use RDP on the same network, I can use this name. BUT if I put 10.15.1.45, RDP works. (No, please do not say now "configure RDP another way"; that is not the question. Now I am interested only in reaching the "1" range.)
    -----------> so, the "1" range is possible to reach. The problem is inside Windows, it rejects much... ping is rejected... but the "1" range is OK... please do not use network names (computer name JK4), use IPs... etc. etc.

Problem "1" solved.

Solving this sort of issue requires perseverance:

systemctl is-enabled openvpn-server@server.service
systemctl --no-pager status openvpn-server@server.service
journalctl --no-pager -b -u openvpn-server@server.service

Same system, one additional preference, not important.

The home network is this 10.15.0.0/22. The gateway is 10.15.0.1, that is, the OpenWrt router between the ADSL modem and the LAN. Inside the LAN I can connect a 4G modem, 10.15.0.19.

How can I configure this home network this way: the gateway to the internet is 10.15.0.1. So, when I use my computer inside the LAN, it uses this 10.15.0.1, ADSL. But when the other sites use the home network, that is, 10.16.0.1 (site2) or 17, site3, want to use this network, the gateway is this 4G, 10.15.0.19?

So, "normal internet use at my home" is the normal ADSL 10.15.0.1, but the VPN tunnel is 4G, 10.15.0.19?
