Probably a newbie issue, but still banging my head on the wall ...
Set up stunnel/openvpn with OpenWRT as a client. Went more or less fine with only 1 bump: had to set a static route on the client config file 'route 255.255.255.255 net_gateway'.
So OpenWRT is perfectly able to act as a client on stunnel/openvpn and reach the Internet.
The biggest issue is that I cannot have the computers connected to OpenWRT to go on the Internet.
Local network (lan) is 192.168.0.0/24.
OpenVPN network is pretty standard, 10.8.0.0/24.
root@OpenWrt:~# ip route
default via 10.8.0.5 dev tun0
10.8.0.1 via 10.8.0.5 dev tun0
10.8.0.5 dev tun0 proto kernel scope link src 10.8.0.6
VPNSERVERIP via 192.168.1.1 dev eth0.2
127.0.0.1 via 192.168.1.1 dev eth0.2
192.168.0.0/24 dev br-lan proto kernel scope link src 192.168.0.1
192.168.1.0/24 dev eth0.2 proto kernel scope link src 192.168.1.50
root@OpenWrt:~#
I even turned off the firewall, but still the clients connected on 'lan' OpenWRT cannot access the Internet.
oot@OpenWrt:~# cat /etc/config/openvpn
package openvpn
#################################################
Sample to include a custom config file.
#################################################
config openvpn custom_config
# Set to 1 to enable this instance:
option enabled 1
# Include OpenVPN configuration
option config /etc/openvpn/vpnclient.conf
root@OpenWrt:~# cat /etc/openvpn/vpnclient.conf
client
dev tun
proto tcp
remote 127.0.0.1 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
remote-cert-tls server
tls-auth ta.key 1
cipher AES-128-CBC
auth SHA256
key-direction 1
verb 3
askpass /etc/openvpn/vpnclient.auth
auth-nocache
route VPNSERVERIP 255.255.255.255 net_gateway
sed -i -r -e "s/^(dev\s).*/\1tun0/" /etc/openvpn/vpnclient.conf
service openvpn restart
uci set firewall.@zone[1].device="tun0"
uci commit firewall
service firewall restart
Sat Aug 3 18:19:23 2019 daemon.warn openvpn(custom_config)[2123]: NOTE: unable to redirect default gateway -- Cannot read current default gateway from system
Then ping did not work anymore. So I re-added manually a route and it worked at least from tun0
# route add default gw 10.8.0.5
root@OpenWrt:~# ping www.google.com
PING www.google.com (172.217.19.164): 56 data bytes
ping: sendto: Network unreachable
root@OpenWrt:~#
root@OpenWrt:~# ping -I tun0 www.google.com
PING www.google.com (172.217.19.164): 56 data bytes
64 bytes from 172.217.19.164: seq=0 ttl=53 time=228.104 ms
64 bytes from 172.217.19.164: seq=1 ttl=53 time=227.825 ms
It's my own vpn server.
But the VPN is successfully established. I can access the internet through the tunnel from openwrt.
It's the clients connected to openwrt that cannot access the internet (they are in the 192.168.0.1/24 network)
root@OpenWrt:~# sleep 10; ip route show
default via 192.168.1.1 dev eth0.2 src 192.168.1.4
192.168.0.0/24 dev br-lan scope link src 192.168.0.1
192.168.1.0/24 dev eth0.2 scope link src 192.168.1.4
root@OpenWrt:~# service openvpn start
root@OpenWrt:~# sleep 10; ip route show
0.0.0.0/1 via 10.8.0.5 dev tun0
default via 192.168.1.1 dev eth0.2 src 192.168.1.4
10.8.0.1 via 10.8.0.5 dev tun0
10.8.0.5 dev tun0 scope link src 10.8.0.6
VPNSERVERIP via 192.168.1.1 dev eth0.2
127.0.0.1 via 192.168.1.1 dev eth0.2
128.0.0.0/1 via 10.8.0.5 dev tun0
192.168.0.0/24 dev br-lan scope link src 192.168.0.1
192.168.1.0/24 dev eth0.2 scope link src 192.168.1.4
root@OpenWrt:~#
I had to fix the routes in the following way to at least have openwrt to connect to the internet
(still the clients connected to openwrt cannot access the internet)
root@OpenWrt:~# ip route show
10.8.0.1 via 10.8.0.5 dev tun0
10.8.0.5 dev tun0 scope link src 10.8.0.6
VPNSERVERIP via 192.168.1.1 dev eth0.2
127.0.0.1 via 192.168.1.1 dev eth0.2
192.168.0.0/24 dev br-lan scope link src 192.168.0.1
192.168.1.0/24 dev eth0.2 scope link src 192.168.1.4
root@OpenWrt:~#
From one of the LAN clients, ping an Internet-based IP address which is known to respond. Some suitable examples include Cloudflare's and Google's DNS servers.
While the ping is running, kick off tcpdump on every network interface, both physical and logical/virtual, between the LAN client and the egress point from your Digital Ocean VPS. This includes running tcpdump on the DO VPS as well. Find out where the failure occurs.
Does the traffic from the LAN client even go down the VPN tunnel in the first place?
Does any return traffic get generated?
Does the DO VPS have a return route from itself back to your LAN clients?
Do the above three questions trigger any other ideas?
Routes are not stateful, not in the same way that stateful firewall rules are. Just because I have a route from A to B, does not automatically mean that an equivalent route exists from B back to A. As a genuine real-world example, only last week I found a customer firewall was being pinged every second from a management station, but did not have a route in its routing table for the management station's IP address. So it was receving regular ICMP ECHO REQUEST packets, and it was trying to send ICMP ECHO REPLY packets in response but didn't know where to send them. There was a route from A to B, but not from B to A.