The openVPN server hangs up my router

I can't run OpenVPN Server on OpenWrt
Linksys WRT3200ACM

I installed the packages:
openvpn-easy-rsa
openvpn-openssl
luci-app-openvpn

Using easy-rsa, I do the following:

easyrsa init-pki
easyrsa build-ca nopass
easyrsa build-server-full vpn.server nopass

Next:

uci set network.vpn=interface
uci set network.vpn.ifname=tun0
uci set network.vpn.proto=none
uci commit

uci add firewall zone
uci set firewall.@zone[-1].name=vpn
uci set firewall.@zone[-1].input=ACCEPT
uci set firewall.@zone[-1].forward=ACCEPT
uci set firewall.@zone[-1].output=ACCEPT
uci set firewall.@zone[-1].network=vpn
uci add firewall forwarding
uci set firewall.@forwarding[-1].src='vpn'
uci set firewall.@forwarding[-1].dest='wan'

uci add firewall rule
uci set firewall.@rule[-1].name=OpenVPN
uci set firewall.@rule[-1].target=ACCEPT
uci set firewall.@rule[-1].src=wan
uci set firewall.@rule[-1].proto=udp
uci set firewall.@rule[-1].dest_port=1194
uci commit firewall

/etc/init.d/network reload
/etc/init.d/firewall reload

Everything works fine here

uci set openvpn.home=openvpn
uci set openvpn.home.enabled=1
uci set openvpn.home.dev=tun
uci set openvpn.home.port=1194
uci set openvpn.home.proto=udp
uci set openvpn.home.log=/tmp/openvpn.log
uci set openvpn.home.verb=3
uci set openvpn.home.ca=/root/pki/ca.crt
uci set openvpn.home.cert=/root/pki/vpn.server.crt
uci set openvpn.home.key=/root/pki/vpn.server.key
uci set openvpn.home.server='10.9.19.0 255.255.255.0'
uci set openvpn.home.dh=/root/pki/dh.pem
uci commit openvpn

/etc/init.d/openvpn enable
/etc/init.d/openvpn start

After completing the last step, the router freezes. No access to it. No internet access.
Unable to read logs. I need to reset the router to factory settings.

I performed these activities at OpenWRT 19.07 and 18.06 with the same result.

I noticed that the router has a problem with the server key. Whenever I try to start the server after a change in the settings, the router hangs each time after the server key has been added and the server is started.

Please, help me. Maybe some suggestion. Maybe something else I can do.

you mean this one?

Yes. But the router hangs only after the command:
/etc/init.d/openvpn start

I noticed now.
vpn.server = vpn.server
I checked 10x. It was entered correctly in the router.
In LuCI, the selection was made by clicking the mouse, so it was definitely good.

Yes. But the router hangs only after the command:

# /etc/init.d/openvpn start

For the time being, don't issue the enable command -- keep OpenVPN disabled (enable/disable affects auto-start on boot) and then issue the start command. This way if it hangs up, you can reboot and the service will not start automatically (thus saving you from needing to use failsafe to reset).

Let's see if anything is written incorrectly in the files.

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/firewall
cat /etc/config/openvpn

All services are enabled automatically by default since OpenWrt 18.06 if not earlier, so you need to explicitly disable it to prevent autostart.


Good point. The OP was actively enabling the service, but you're right that it was not necessary to issue that command. However, as you said, explicitly disabling it is the right way to do this...

/etc/init.d/openvpn disable
# cat /etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fde8:6d09:620e::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '10.9.19.1'

config interface 'wan'
        option ifname 'eth1.2'
        option proto 'dhcp'

config interface 'wan6'
        option ifname 'eth1.2'
        option proto 'dhcpv6'
        option reqprefix 'auto'
        option reqaddress 'try'
        option auto '0'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 3 5t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '4 6t'

config interface 'vpn'
        option ifname 'tun0'
        option proto 'none'

# cat /etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config redirect
        option dest_port '62910'
        option src 'wan'
        option src_dport '62910'
        option target 'DNAT'
        option dest_ip '10.9.19.11'
        option dest 'lan'
        list proto 'tcp'
        option name 'eq3 MAX'

config redirect
        option dest_port '80'
        option src 'wan'
        option name 'Server HTTP'
        option src_dport '80'
        option target 'DNAT'
        option dest 'lan'
        list proto 'tcp'
        option dest_ip '10.9.19.4'

config redirect
        option dest_port '443'
        option src 'wan'
        option name 'Server HTTPS'
        option src_dport '443'
        option target 'DNAT'
        option dest_ip '10.9.19.4'
        option dest 'lan'
        list proto 'tcp'

config zone
        option name 'vpn'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option output 'ACCEPT'
        option network 'vpn'

config forwarding
        option src 'vpn'
        option dest 'wan'

config rule
        option name 'OpenVPN'
        option target 'ACCEPT'
        option src 'wan'
        option proto 'udp'
        option dest_port '1194'

# cat /etc/config/openvpn

config openvpn 'custom_config'
        option enabled '0'
        option config '/etc/openvpn/my-vpn.conf'

config openvpn 'sample_server'
        option enabled '0'
        option port '1194'
        option proto 'udp'
        option dev 'tun'
        option ca '/etc/openvpn/ca.crt'
        option cert '/etc/openvpn/server.crt'
        option key '/etc/openvpn/server.key'
        option dh '/etc/openvpn/dh1024.pem'
        option server '10.8.0.0 255.255.255.0'
        option ifconfig_pool_persist '/tmp/ipp.txt'
        option keepalive '10 120'
        option compress 'lzo'
        option persist_key '1'
        option persist_tun '1'
        option user 'nobody'
        option status '/tmp/openvpn-status.log'
        option verb '3'

config openvpn 'sample_client'
        option enabled '0'
        option client '1'
        option dev 'tun'
        option proto 'udp'
        list remote 'my_server_1 1194'
        option resolv_retry 'infinite'
        option nobind '1'
        option persist_key '1'
        option persist_tun '1'
        option user 'nobody'
        option ca '/etc/openvpn/ca.crt'
        option cert '/etc/openvpn/client.crt'
        option key '/etc/openvpn/client.key'
        option compress 'lzo'
        option verb '3'

config openvpn 'VPN_Server'
        option enabled '1'
        option dev 'tun'
        option port '1194'
        option proto 'udp'
        option log '/tmp/openvpn.log'
        option verb '3'
        option ca '/root/pki/ca.crt'
        option cert '/root/pki/issued/VPN.gatek.pl.crt'
        option key '/root/pki/private/VPN.gatek.pl.key'
        option server '10.9.19.0 255.255.255.0'
        option dh '/root/pki/dh.pem'

The ca.crt file looks like:
----- BEGIN CERTIFICATE -----
xxxxx
----- END CERTIFICATE -----

The VPN.gatek.pl.key file looks like:
----- BEGIN PRIVATE KEY -----
xxxxx
----- END PRIVATE KEY -----

The file VPN.gatek.pl.crt, on the other hand, contains:
Certificate:
Date:
Version: 3 (0x2)
Serial Number:
etc. etc.
and finally
----- BEGIN CERTIFICATE -----
xxxxx
----- END CERTIFICATE -----

I am pretty sure I see your problem.... or at least the main one that is causing your OpenVPN server to hang up your entire router:

You have defined both the LAN and the OpenVPN using the same network (subnet), and in actuality, the actual address. This means that when OpenVPN comes up, it will take the same IP address as the LAN, causing a conflict such that neither can function.

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '10.9.19.1'

option server '10.9.19.0 255.255.255.0'

You must change either your LAN or your OpenVPN config to another network -- For example, move OpenVPN to option server '10.9.20.0 255.255.255.0'

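A pre-flight check for the conflict diagnosed above, written as an added example for this thread (it is not code from the thread or from OpenWrt): it compares the LAN address/netmask with the subnet given in the OpenVPN `server` option and refuses if they overlap, so it can be run before `/etc/init.d/openvpn start` in the OP's procedure. The `uci` section names `network.lan` and `openvpn.VPN_Server` are assumed from the configs posted here; the sample values are constructed from the same configs.

```sh
#!/bin/sh
# Added example: detect an OpenVPN "server" subnet that overlaps the LAN subnet.
# Such an overlap makes OpenVPN claim the LAN's address range on tun0 and
# leaves neither interface usable, which is what hung the router in this thread.

# Convert a dotted-quad IPv4 address or netmask to a 32-bit integer.
ip2int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# subnets_overlap LAN_IP LAN_MASK VPN_NET VPN_MASK -> status 0 if they overlap.
# Two subnets overlap exactly when their prefixes agree under the shorter of
# the two masks (the bitwise AND of two contiguous masks).
subnets_overlap() {
    lan=$(ip2int "$1"); lanmask=$(ip2int "$2")
    vpn=$(ip2int "$3"); vpnmask=$(ip2int "$4")
    common=$(( lanmask & vpnmask ))
    [ $(( lan & common )) -eq $(( vpn & common )) ]
}

# check_openvpn_subnet LAN_IP LAN_MASK "NET MASK" -> status 0 if the OpenVPN
# subnet is disjoint from the LAN, 1 if it conflicts. The third argument is the
# uci 'server' value exactly as stored, e.g. "10.9.19.0 255.255.255.0".
check_openvpn_subnet() {
    set -- "$1" "$2" $3
    if subnets_overlap "$1" "$2" "$3" "$4"; then
        echo "CONFLICT: OpenVPN server subnet $3/$4 overlaps LAN $1/$2 - do not start"
        return 1
    fi
    echo "OK: OpenVPN server subnet $3/$4 is disjoint from LAN $1/$2"
}

# On the router itself, read the live values from uci (assumed section names).
check_router() {
    command -v uci >/dev/null 2>&1 || { echo "uci not found (not on OpenWrt)"; return 2; }
    check_openvpn_subnet "$(uci get network.lan.ipaddr)" "$(uci get network.lan.netmask)" \
                         "$(uci get openvpn.VPN_Server.server)"
}

# Constructed sample run with the values from the posted configs.
check_openvpn_subnet 10.9.19.1 255.255.255.0 "10.9.19.0 255.255.255.0" || true  # the OP's conflict
check_openvpn_subnet 10.9.19.1 255.255.255.0 "10.9.20.0 255.255.255.0"          # the suggested fix
```

Running `check_router` on the router before the start command prints the verdict for the live configuration.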

Yes, yes :)

Peter, you're great. Thank you very much.

The server has started.

Here is the log:

Wed Jul  1 20:21:49 2020 OpenVPN 2.4.7 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Wed Jul  1 20:21:49 2020 library versions: OpenSSL 1.1.1g  21 Apr 2020, LZO 2.10
Wed Jul  1 20:21:49 2020 WARNING: --keepalive option is missing from server config
Wed Jul  1 20:21:49 2020 Diffie-Hellman initialized with 4096 bit key
Wed Jul  1 20:21:49 2020 TUN/TAP device tun0 opened
Wed Jul  1 20:21:49 2020 TUN/TAP TX queue length set to 100
Wed Jul  1 20:21:49 2020 /sbin/ifconfig tun0 10.9.20.1 pointopoint 10.9.20.2 mtu 1500
Wed Jul  1 20:21:49 2020 /sbin/route add -net 10.9.20.0 netmask 255.255.255.0 gw 10.9.20.2
Wed Jul  1 20:21:49 2020 Could not determine IPv4/IPv6 protocol. Using AF_INET
Wed Jul  1 20:21:49 2020 Socket Buffers: R=[163840->163840] S=[163840->163840]
Wed Jul  1 20:21:49 2020 UDPv4 link local (bound): [AF_INET][undef]:1194
Wed Jul  1 20:21:49 2020 UDPv4 link remote: [AF_UNSPEC]
Wed Jul  1 20:21:49 2020 MULTI: multi_init called, r=256 v=256
Wed Jul  1 20:21:49 2020 IFCONFIG POOL: base=10.9.20.4 size=62, ipv6=0
Wed Jul  1 20:21:49 2020 Initialization Sequence Completed

I can keep working now. I hope that now everything will go easily.

Thank you once again.