Hi all,
we moved from a WRT1900 using DD-WRT to a WRT3200ACM using OpenWrt (19.07.5 r11257-5090152ae3). An OpenVPN server worked without problems on the WRT1900 in bridged mode. I carried the config over to OpenWrt and removed the management directive and the up/down scripts (which may be the cause of the problem).
In OpenWrt the tap device is created and can be found in /sys/class/net. Unfortunately, it probably does not get initialised properly, since it does not appear in ifconfig.
VPN connections are established successfully, but the server does not send anything; the corresponding log entries look like this:
ClientName/***.***.***.***:37586 write to TUN/TAP : I/O error (code=5)
A similar VPN server using a tun device works on OpenWrt without problems, i.e. the tun device is created, initialised and appears in ifconfig.
Any help is much appreciated.
OpenVPN Configuration
# OpenVPN server in layer-2 (tap) mode, bridged into the LAN. Settings are left as posted;
# review notes are in the comments.
dh /etc/openvpn/af/dh.pem
ca /etc/openvpn/af/ca.crt
cert /etc/openvpn/af/cert.pem
# Server private key -- keep it root-only (mode 600); it is the one file here that must not leak.
key /etc/openvpn/af/key.pem
keepalive 10 120
verb 5
mute 3
syslog
# /var/log is tmpfs on OpenWrt: this log is lost on reboot (fine for debugging, not for forensics).
log /var/log/openvpn.af.log
status /tmp/openvpn/status.af.log 5
status-version 2
# NOTE(review): level 2 lets OpenVPN execute user-defined scripts (up/down, client-connect, ...).
# The up/down scripts were removed from this config, so nothing here needs it any more. Drop the
# directive (default is level 1) unless the scripts come back -- least privilege for the daemon.
script-security 2
port 1194
# IPv4/UDP only, so the firewall rule that opens the listener only needs to match udp/1194 on IPv4.
proto udp4
# With OpenVPN >= 2.4 on both ends the data cipher is normally negotiated up to AES-256-GCM (NCP);
# this line then only applies to pre-2.4 clients. Consider stating ncp-ciphers explicitly.
cipher aes-256-cbc
auth sha256
client-config-dir /etc/openvpn/af/ccd
# SECURITY: compression on a VPN leaks plaintext through packet sizes (VORACLE-class attacks, 2018).
# Prefer disabling it ("comp-lzo no", pushed to clients). Any change here must be mirrored on every
# client or they will stop connecting, so coordinate the change rather than flipping it in place.
comp-lzo adaptive
# Pool persistence in /tmp (tmpfs): client address assignments are forgotten at reboot.
ifconfig-pool-persist /tmp/openvpn/ip-pool
# Client-to-client traffic is forwarded inside the OpenVPN process and never enters the kernel, so
# the OpenWrt firewall cannot see or filter it. Remove this if VPN clients must be isolated from
# each other.
client-to-client
fast-io
mtu-disc yes
# Bridge mode: br-lan (192.168.32.1/22) owns the address; clients are handed 192.168.34.3-250.
# That pool must be excluded from the LAN DHCP server's range (dhcp config not shown here) or
# addresses will collide.
server-bridge 192.168.32.1 255.255.252.0 192.168.34.3 192.168.34.250
# In bridged mode OpenVPN only creates tap1; it neither enslaves it to br-lan nor brings it up.
# On OpenWrt that is netifd's job: list tap1 among the lan bridge's ifname entries in
# /etc/config/network. A tap that is left down is what produces
# "write to TUN/TAP : I/O error (code=5)" -- EIO from the tun driver on a device that is not up.
dev tap1
# HMAC-authenticated control channel, key direction 0 on the server (clients use 1). Unauthenticated
# handshake packets are dropped before TLS. tls-crypt would also encrypt the handshake but needs
# new client configs.
tls-auth /etc/openvpn/af/ta.key 0
# Revoked client certificates are rejected. Keep the CRL renewed before its nextUpdate: an expired
# CRL can make OpenVPN 2.4 refuse every connection, not only revoked ones.
crl-verify /etc/openvpn/af/ca.crl
push "dhcp-option DNS 192.168.32.1"
push "dhcp-option WINS 192.168.32.45"
# Redundant in bridge mode -- clients are already on-link in 192.168.32.0/22 -- but harmless.
push "route 192.168.32.0 255.255.252.0"
Network
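config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd0f:f3a5:7ad5::/48'
# LAN bridge (br-lan). tap1 is the bridged OpenVPN server's device: listing it here makes netifd
# add it to br-lan and bring it up as soon as OpenVPN creates it. Without this entry nothing on
# OpenWrt touches the tap -- it stays down, never shows up in ifconfig, and OpenVPN logs
# "write to TUN/TAP : I/O error (code=5)" on every packet it tries to send.
# Security note: a bridged VPN client is a full L2 member of the LAN (broadcasts, ARP, mDNS, ...);
# the lan firewall zone's forward policy decides what it may reach beyond that.
config interface 'lan'
option type 'bridge'
option ifname 'eth0.1 tap1'
option proto 'static'
option ip6assign '60'
list ipaddr '192.168.32.1/22'
option delegate '0'
# WAN on eth1.2 via DHCP. 'type bridge' is not required for a single member device but is harmless.
config interface 'wan'
option ifname 'eth1.2'
option proto 'dhcp'
option delegate '0'
option type 'bridge'
# Switch: VLAN 1 = LAN ports 0-3 tagged to CPU port 5 (eth0.1), VLAN 2 = WAN port 4 tagged to
# CPU port 6 (eth1.2). Keep WAN and LAN in separate VLANs as here so untagged WAN frames never reach
# the bridge.
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '0 1 2 3 5t'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '4 6t'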
Firewall
# OpenWrt firewall (fw3). Rules are evaluated in config order, so sections are left exactly as
# posted; review notes are in the comments.
config defaults
# Global fallback policies; the per-zone policies below take precedence for zoned traffic.
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
option drop_invalid '1'
# lan zone: br-lan plus any bare tap*/tun* device (both OpenVPN servers). forward ACCEPT means
# every VPN client has unrestricted access to the entire LAN and, through the lan->wan forwarding
# below, to the internet via this router. Add restricting rules if clients should see less.
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan'
# Wildcards matching every interface named tap* / tun*. tap1 is covered by 'network lan' once it
# is a member of br-lan; these entries still matter for the tun server and for any tap device that
# is not bridged.
list device 'tap+'
list device 'tun+'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'wan'
config forwarding
option src 'lan'
option dest 'wan'
# OpenWrt default rule: rate-limited ICMPv6 needed for IPv6 to function.
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# NOTE(review): the next two rules forward ESP and UDP/500 (IKE) from wan into lan. Nothing in
# this post shows an IPsec peer on the LAN or a DNAT feeding these rules; if they are leftovers
# from the old router, delete them -- unused accept rules are attack surface with no benefit.
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
# Raw iptables appended at every reload. Its contents are not shown here; whatever it holds
# bypasses the zone model above, so review it with the same care as these sections.
config include
option path '/etc/firewall.user'
# OpenVPN listener. No 'dest' -> this is an INPUT rule on the wan zone: udp/1194, IPv4 only,
# matching "proto udp4" in the server config. With tls-auth on the server, unauthenticated
# packets reaching this port are cheap to discard.
config rule
option src 'wan'
option name 'OpenVPN'
option target 'ACCEPT'
option dest_port '1194'
list proto 'udp'
option family 'ipv4'