Using OpenConnect VPN

Has anyone successfully used the OpenConnect VPN client on OpenWrt? I was able to establish a connection; however, traffic won't go through the tunnel.


Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses before posting.

ubus call system board; \
uci export network; \
uci export dhcp; uci export firewall; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru
ubus call system board;
{
        "kernel": "4.14.241",
        "hostname": "GL-MV1000",
        "model": "GL.inet GL-MV1000",
        "board_name": "gl-mv1000",
        "release": {
                "distribution": "OpenWrt",
                "version": "19.07.8",
                "revision": "r11364-ef56c85848",
                "target": "mvebu/cortexa53",
                "description": "OpenWrt 19.07.8 r11364-ef56c85848"
        }
}
uci export network;

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'ddb8:4a88:1ab7::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'lan0 lan1 usb0'
        option proto 'static'
        option netmask '255.255.255.0'
        option hostname 'GL-MV1000-93e'
        option ipaddr '192.168.0.1'
        option ip6assign '64'
        option igmp_snooping '1'
        option multicast_to_unicast '0'
        option ip6hint '0000'
        option ip6ifaceid '::1'

config interface 'wan'
        option ifname 'wan'
        option metric '10'
        option ipv6 '1'
        option proto 'dhcp'
        option peerdns '1'

config interface 'wan6'
        option reqaddress 'try'
        option reqprefix '56'
        option ip6addr ' '
        option ip6gw ' '
        option proto 'dhcpv6'
        option ifname '@wg0'
        option disabled '0'

config interface 'lan0'
        option ifname 'lan0'
        option macaddr '94:83:c4:00:f9:3f'

config interface 'lan1'
        option ifname 'lan1'
        option macaddr '94:83:c4:00:f9:3f'

config interface 'VPN'
        option proto 'openconnect'
        option username ' '
        option password ' '
        option server 'xxx.xxx.xxx'
package dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option nonwildcard '1'
        option localservice '1'
        option noresolv '1'
        list server '127.0.0.1#53535'
        option resolvfile '/tmp/resolv.conf.auto'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option force '1'
        option ra_management '1'
        option dhcpv6 'server'
        option ra 'server'
        list dns 'ddb8:4a88:1ab7:0000:0000:0000:0000:0001'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config domain 'localhost'
        option name 'console.gl-inet.com'
        option ip '192.168.0.1'


package firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option flow_offloading '1'
        option flow_offloading_hw '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option masq6 '1'
        option input 'DROP'
        list network 'wan'
        list network 'wan6'
        list network 'VPN'

config forwarding
        option src 'lan'
        option dest 'wan'
        option enabled '1'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'
        option reload '1'

config include 'glfw'
        option type 'script'
        option path '/usr/bin/glfw.sh'
        option reload '1'

config rule 'sambasharewan'
        option src 'wan'
        option dest_port '137 138 139 445'
        option dest_proto 'tcpudp'
        option target 'DROP'

config rule 'sambasharelan'
        option src 'lan'
        option dest_port '137 138 139 445'
        option dest_proto 'tcpudp'
        option target 'ACCEPT'

config rule 'glservice_https'
        option name 'glservice_https'
        option dest_port '443'
        option proto 'tcp udp'
        option src 'wan'
        option target 'ACCEPT'
        option enabled '0'

config redirect
        option target 'DNAT'
        option name 'Web'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp udp'
        option src_dport '443'
        option dest_ip '192.168.0.122'
        option dest_port '443'
        option enabled '1'
        option gl '1'

config redirect
        option target 'DNAT'
        option name 'Web80'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp udp'
        option src_dport '80'
        option dest_ip '192.168.0.122'
        option dest_port '80'
        option enabled '1'
        option gl '1'

config include 'gls2s'
        option type 'script'
        option path '/var/etc/gls2s.include'
        option reload '1'

config include 'glqos'
        option type 'script'
        option path '/usr/sbin/glqos.sh'
        option reload '1'

config rule 'glipv6_guest_dhcp'
        option name 'Allow-DHCP-IPV6'
        option src 'guestzone'
        option target 'ACCEPT'
        option proto 'udp'
        option dest_port '547:548'
        option family 'ipv6'

config rule 'glipv6_guest_icmp'
        option name 'Allow-ICMP-IPV6'
        option src 'guestzone'
        option target 'ACCEPT'
        option proto 'icmp'
        option dest_port '58'
        option family 'ipv6'

config include 'nat6'
        option path '/etc/firewall.nat6'
        option reload '1'
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
3: wan@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.1.146/24 brd 192.168.1.255 scope global wan
       valid_lft forever preferred_lft forever
9: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.0.1/24 brd 192.168.0.255 scope global br-lan
       valid_lft forever preferred_lft forever
10: vpn-VPN: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1300 qdisc fq_codel state UNKNOWN group default qlen 500
    inet 10.208.250.21/32 brd 255.255.255.255 scope global vpn-VPN
       valid_lft forever preferred_lft forever
default via 192.168.1.1 dev wan table 1 metric 10
10.208.250.0/23 dev vpn-VPN table 1 proto static scope link
50.59.171.38 via 192.168.1.1 dev wan table 1 proto static metric 10
192.168.0.0/24 dev br-lan table 1 proto kernel scope link src 192.168.0.1
192.168.1.0/24 dev wan table 1 proto static scope link metric 10
default dev vpn-VPN proto static scope link
default via 192.168.1.1 dev wan proto static src 192.168.1.146 metric 10
10.208.250.0/23 dev vpn-VPN proto static scope link
50.59.171.38 via 192.168.1.1 dev wan proto static metric 10
192.168.0.0/24 dev br-lan proto kernel scope link src 192.168.0.1
192.168.1.0/24 dev wan proto static scope link metric 10
local 10.208.250.21 dev vpn-VPN table local proto kernel scope host src 10.208.250.21
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.0.0 dev br-lan table local proto kernel scope link src 192.168.0.1
local 192.168.0.1 dev br-lan table local proto kernel scope host src 192.168.0.1
broadcast 192.168.0.255 dev br-lan table local proto kernel scope link src 192.168.0.1
broadcast 192.168.1.0 dev wan table local proto kernel scope link src 192.168.1.146
local 192.168.1.146 dev wan table local proto kernel scope host src 192.168.1.146
broadcast 192.168.1.255 dev wan table local proto kernel scope link src 192.168.1.146
0:      from all lookup local
1001:   from all iif wan lookup 1
2001:   from all fwmark 0x100/0x3f00 lookup 1
2061:   from all fwmark 0x3d00/0x3f00 blackhole
2062:   from all fwmark 0x3e00/0x3f00 unreachable
32766:  from all lookup main
32767:  from all lookup default

Are you using mwan3 by any chance?
What is the output of `uci export mwan3`?

It looks like it is using mwan3, and the VPN interface doesn't show up in the mwan3 configuration.

package mwan3

config globals 'globals'
        option enabled '1'
        option mmx_mask '0x3F00'

config interface 'wan'
        option enabled '1'
        list track_ip '8.8.4.4'
        list track_ip '8.8.8.8'
        list track_ip '208.67.222.222'
        list track_ip '208.67.220.220'
        option family 'ipv4'
        option reliability '2'
        option count '1'
        option timeout '2'
        option interval '5'
        option down '3'
        option up '8'

config interface 'wwan'
        option enabled '1'
        list track_ip '8.8.4.4'
        list track_ip '8.8.8.8'
        list track_ip '208.67.222.222'
        list track_ip '208.67.220.220'
        option family 'ipv4'
        option reliability '2'
        option count '1'
        option timeout '2'
        option interval '5'
        option down '3'
        option up '8'

config interface 'tethering'
        option enabled '1'
        list track_ip '8.8.4.4'
        list track_ip '8.8.8.8'
        list track_ip '208.67.222.222'
        list track_ip '208.67.220.220'
        option family 'ipv4'
        option reliability '2'
        option count '1'
        option timeout '2'
        option interval '5'
        option down '3'
        option up '8'

config interface 'modem'
        option enabled '1'
        list track_ip '8.8.4.4'
        list track_ip '8.8.8.8'
        list track_ip '208.67.222.222'
        list track_ip '208.67.220.220'
        option family 'ipv4'
        option reliability '2'
        option count '1'
        option timeout '2'
        option interval '5'
        option down '3'
        option up '8'

config member 'wan_only'
        option interface 'wan'
        option metric '1'
        option weight '3'

config member 'wwan_only'
        option interface 'wwan'
        option metric '2'
        option weight '3'

config member 'tethering_only'
        option interface 'tethering'
        option metric '3'
        option weight '3'

config member 'modem_only'
        option interface 'modem'
        option metric '4'
        option weight '3'

config policy 'default_poli'
        list use_member 'wan_only'
        list use_member 'wwan_only'
        list use_member 'tethering_only'
        list use_member 'modem_only'
        option last_resort 'default'

config rule 'default_rule'
        option dest_ip '0.0.0.0/0'
        option use_policy 'default_poli'

It appears you are using firmware that is not from the official OpenWrt project.

When using forks/offshoots/vendor-specific builds that are "based on OpenWrt", there may be many differences compared to the official versions (hosted by OpenWrt.org). Some of these customizations may fundamentally change the way that OpenWrt works. You might need help from people with specific/specialized knowledge about the firmware you are using, so it is possible that advice you get here may not be useful.

You may find that the best options are:

  1. Install an official version of OpenWrt, if your device is supported (see https://firmware-selector.openwrt.org).
  2. Ask for help from the maintainer(s) or user community of the specific firmware that you are using.
  3. Provide the source code for the firmware so that users on this forum can understand how your firmware works (OpenWrt forum users are volunteers, so somebody might look at the code if they have time and are interested in your issue).

If you believe that this specific issue is common to generic/official OpenWrt and/or the maintainers of your build have indicated as such, please feel free to clarify.

OK. Let me install official OpenWrt and try again.

In any case, you'll need to manually add the VPN interface to mwan3 and create a member, a policy and rules that use it.


I think mwan3 is what is causing the problem; the LuCI app does not automatically add the interface to mwan3.

It is working now. But the issue is that when I disable the OpenConnect interface, traffic is not routed back to the WAN as expected; I have to restart the WAN too. Also, is there a UCI command to start/stop the OpenConnect interface?

ifup VPN

Have you assigned a metric to the VPN interface?
Did you give it enough time to detect that the VPN went down?


I did not set a gateway metric. I did wait a bit and still had no Internet access unless I restarted the WAN.

By the way, do you know if there is a way, when the OpenConnect VPN is up, to have one VLAN route its traffic via the tunnel while the other VLAN goes straight to the WAN?

Assigning a metric to the interface is a prerequisite of mwan3; otherwise it won't work properly.

I have removed mwan3 from my installation.
