Trouble with OpenVPN and vpn-policy-routing

Hello everyone,

I've been trying to set up my router as both an OpenVPN client and server, with the assistance of vpn-policy-routing. Unfortunately, I've run into some problems that I'm hoping I can get some help on; as far as I can tell, there's something going on with my firewall that's preventing everything from working correctly.

Everything works fine when I have OpenVPN set up as just a server; clients can connect and see my local network with no problem. However, when I follow the vpn-policy-routing readme guide for simultaneous server/client connection, I see these problems:

  • Clients can no longer connect to the OpenVPN server. In the logs, I can see a client's initial connection, but the server can't respond back. Specifically, the error is:
tls-crypt unwrap error: packet replay
TLS Error: tls-crypt unwrapping failed from [AF_INET]
write UDPv4: Operation not permitted (code=1)
  • The router itself loses Internet connectivity. The rest of the network can access the Internet just fine (over the OpenVPN connection).
PING ( 56 data bytes
ping: sendto: Operation not permitted

Would anyone be able to point me in the right direction for this? I've tried diving into iptables and all that, but it's all pretty arcane to me. I can post my configs if required, but they're pretty close to how they're supposed to be in the readme.

Any help is greatly appreciated!

There is the same problem here. Something seems to be wrong with the way that VPN PBR is routing back the responses.
Change verbosity setting to 2 and post the following:
cat /etc/config/vpn-policy-routing , /etc/init.d/vpn-policy-routing support , as well as the output of /etc/init.d/vpn-policy-routing reload

1 Like

Thank you for your response! I looked at the other post you linked, and it does indeed seem like the same problem I'm experiencing. I also tried that rule you mentioned towards the end of the post, but that didn't seem to help much...

The output for everything you requested is here:
There are a few extra policies I added to get my web server to work, and so far they seem to be working fine.

1 Like

I really wish we'll somehow be able to find a solution to this.
The tl;dr of my post so far is that the problem exists for basically any vpn client/server combination. It does not work for me for in either configuration:

  • OpenVPN client, Wireguard server
  • Wireguard client, Wireguard server

Now we can add yours as well

  • OpenVPN client, OpenVPN server

I have also set up rules for my web server which work fine. I really think we might need the help of the package's author @stangri

You should first make sure that you're using a vpn-policy-routing that includes commit id a4c4f316360b6a2bfd73f7e581b65132d75c029b from 6 days ago. The ip rules were lacking the mask, so if there's any other package marking packets and a single packet gets more than one mark, the rule won't match and the packet won't get routed properly.

1 Like

I have updated vpn-policy-routing to 0.2.1-7 which includes the commit you mention. At least for me the problem has not been fixed

@taylor.stratton I am really sorry if I am hijacking your thread; I just think that @trendy might be correct in assuming that we face the same problem.

No apology necessary! I think the more people working together on this, the better! I also agree with @trendy in that we're facing the same issue.

At some point today I'll update my vpn-policy-routing and see if that helps.