VPN Cipher Error - can't find the option it suggests

If this did work, what firewall rules would I need to set on each interface to divert the traffic?

I want the end result to be: if I disable the OpenVPN connection under OpenVPN, routing goes back to normal; when I enable it, all traffic passes through the OpenVPN connection's gateway.

Something tells me I'm missing some config that's very simple lol.

The VPN connection is established; it's just the routing part, and/or maybe the firewall rules, that is incorrect.

No, it doesn't appear to be connected. There is no point at which it says that it completed the initialization or that it has successfully connected.

Your logs specifically say that there is a TLS error and that the handshake failed.

So the problem is not likely related to your firewall (or at least not at this point)... it is simply unable to connect because of the TLS failure. Figure out what is happening there first -- once you can connect properly (and the log will indicate that), you can then sort out any firewall issues.

The VPN should not be bridged at all. It should be a network on its own (using device tun0). That network can be associated with a network or directly with a firewall zone. I recommend creating a separate firewall zone for the VPN as well.

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/firewall
root@THE-NET:/# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix '*********'

config atm-bridge 'atm'
        option encaps 'llc'
        option payload 'bridged'
        option nameprefix 'dsl'
        option vci '0'
        option vpi '101'

config dsl 'dsl'
        option annex 'b'
        option xfer_mode 'ptm'
        option line_mode 'vdsl'
        option ds_snr_offset '-10'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config device
        option name 'lan1'
        option macaddr '**********'

config device
        option name 'lan2'
        option macaddr 'same'

config device
        option name 'lan3'
        option macaddr 'same'

config device
        option name 'lan4'
        option macaddr 'same'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.*.*'
        list dns '208.67.222.222'
        list dns '208.67.220.220'

config device
        option name 'dsl0'
        option macaddr 'different'

config interface 'wan'
        option proto 'pppoe'
        option username 'username'
        option password 'password'
        option ipv6 '0'
        option device 'dsl0.101'
        option peerdns '0'
        list dns '208.67.222.222'
        list dns '208.67.220.220'

config interface 'wan6'
        option device '@wan'
        option proto 'dhcpv6'
        option auto '0'
        option reqaddress 'try'
        option reqprefix 'auto'

config interface 'ExpressVPN'
        option proto 'none'
        option device 'tun0'
root@THE-NET:/# cat /etc/config/firewall

# /etc/config/firewall as posted (addresses/credentials redacted by the poster).
# Review comments below point at the settings the thread's replies call out.
config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option drop_invalid '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

# NOTE(review): input and forward are ACCEPT on the internet-facing zone, so
# hosts on the internet can reach the router itself and be forwarded through
# it; the reply in this thread says both should be REJECT.
config zone
        option name 'wan'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        option forward 'ACCEPT'
        option input 'ACCEPT'
        list network 'wan'
        list network 'wan6'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# Poster's DNS block list (servers they consider untrustworthy).
# NOTE(review): with dest 'wan' this rule only matches traffic leaving via the
# wan zone; once the tunnel is up and LAN traffic is forwarded to the
# ExpressVPN zone it no longer applies. The reply suggests dropping the
# dest option so the rule covers both zones.
config rule
        option src 'lan'
        option dest 'wan'
        option name 'ACL Blocked'
        option target 'DROP'
        list dest_ip '212.159.6.10'
        list dest_ip '64.212.106.84'
        list dest_ip '4.2.2.5'
        list dest_ip '206.165.6.11'
        list dest_ip '4.2.2.6'
        list dest_ip '4.2.2.4'
        list dest_ip '194.72.6.57'
        list dest_ip '194.73.82.242'
        list dest_ip '212.159.13.49'
        list dest_ip '206.165.6.12'
        list dest_ip '64.215.98.148'
        list dest_ip '4.2.2.2'
        list dest_ip '209.244.0.4'
        list dest_ip '141.1.27.249'
        list dest_ip '4.2.2.1'
        list dest_ip '62.6.40.162'
        list dest_ip '212.159.13.50'
        list dest_ip '194.72.9.34'
        list dest_ip '194.74.65.69'
        list dest_ip '195.27.1.1'
        list dest_ip '209.130.139.2'
        list dest_ip '67.17.215.132'
        list dest_ip '4.2.2.3'
        list dest_ip '212.159.6.9'
        list dest_ip '209.244.0.3'
        list dest_ip '193.58.204.59'
        list dest_ip '195.99.66.220'
        list dest_ip '141.1.1.1'
        list dest_ip '83.137.225.121'
        list dest_ip '62.40.32.33'
        list dest_ip '213.251.133.164'
        list dest_ip '62.40.32.34'
        list dest_ip '193.111.200.191'
        list dest_ip '156.154.70.22'
        list dest_ip '156.154.71.22'
        list dest_ip '198.153.192.1'
        list dest_ip '198.153.194.1'
        list dest_ip '74.82.42.42'
        list dest_ip '194.72.6.51'
        list dest_ip '158.43.128.1'
        list dest_ip '158.43.128.72'
        list dest_ip '158.43.192.1'
        list dest_ip '158.43.240.3'
        list dest_ip '158.43.240.4'
        list dest_ip '192.76.144.66'
        list dest_ip '193.67.79.39'
        list dest_ip '193.78.240.12'
        list dest_ip '193.79.242.39'
        list dest_ip '193.101.111.10'
        list dest_ip '193.101.111.20'
        list dest_ip '194.98.65.65'
        list dest_ip '195.129.12.83'
        list dest_ip '195.129.12.122'
        list dest_ip '62.134.11.4'
        list dest_ip '62.233.128.17'
        list dest_ip '81.17.66.13'
        list dest_ip '129.250.35.250'
        list dest_ip '129.250.35.251'
        list dest_ip '193.22.119.22'
        list dest_ip '193.95.93.77'
        list dest_ip '193.205.130.253'
        list dest_ip '193.226.61.1'
        list dest_ip '194.30.0.1'
        list dest_ip '194.72.0.114'
        list dest_ip '195.182.110.132'
        list dest_ip '195.238.40.45'
        list dest_ip '199.2.252.10'
        list dest_ip '204.97.212.10'
        list dest_ip '204.95.160.2'
        list dest_ip '204.95.160.4'
        list dest_ip '205.171.3.25'
        list dest_ip '62.240.110.218'
        list dest_ip '82.151.90.1'
        list dest_ip '24.200.241.37'
        list dest_ip '205.151.222.250'
        list dest_ip '205.151.222.251'

# NOTE(review): src and dest are both the lan zone, so this rule has no effect
# (intra-zone traffic is not filtered by zone forwarding); the reply says it
# can be removed.
config rule
        option name 'RDP'
        option src 'lan'
        option src_port '3389'
        option dest 'lan'
        option dest_port '3389'
        option target 'ACCEPT'

config forwarding
        option src 'lan'
        option dest 'wan'

# Dedicated zone for the tunnel interface (tun0 / network 'ExpressVPN').
# masq and mtu_fix mirror the wan zone; input/forward REJECT by default.
config zone
        option name 'ExpressVPN'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option input 'REJECT'
        list network 'ExpressVPN'

config forwarding
        option src 'lan'
        option dest 'ExpressVPN'

# NOTE(review): this allows traffic arriving from the internet (wan) to be
# forwarded into the VPN tunnel. The reply says the WAN should not have access
# to the VPN zone and this forwarding should be removed.
config forwarding
        option src 'wan'
        option dest 'ExpressVPN'

The IPs on the drop list are bad DNS servers that do not use HTTPS/DNSSEC, or eavesdropping DNS servers. I would set it to REJECT, but then the DNS server gets a response, so it's better to DROP.

My main concern is establishing a connection to ExpressVPN and routing my traffic on demand, via a tick box.

I've checked the TLS file extracted from the .ovpn file from ExpressVPN; all seems good.

Though the only part of it that I added was this start line and the key in between, which I don't know whether it will affect it:

-----BEGIN OpenVPN Static key V1-----

and at the end

-----END OpenVPN Static key V1-----

Though before this encryption key it has these lines; are they needed in the file?

tls-auth
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----

and at the end

-----END OpenVPN Static key V1-----
/tls-auth

There are angle brackets (<>) around those tags, but I couldn't post it like that; the forum wouldn't allow it.

This is probably not what you want... most of the time, input and forward should be set to REJECT. You absolutely do not want users on the internet to have access to the router itself (which currently they do!).

This one won't have any effect once the VPN is established since it only covers the wan zone as the destination. Instead, remove the destination entirely and it will apply to both the WAN and the VPN.

This doesn't do anything because both the source and destination are in the same zone. You can remove this.

This should be removed... the WAN should not have access to the express VPN zone.

Let's see the entire OpenVPN config file (obfuscate/remove the keys, of course).

TLS Handshake Failed usually means there was no response from the VPN server at all during the initial negotiation.

Can you ping the server IP? If the server is configured as a name rather than an IP, the router's DNS must be operational even without the VPN up.

The other reason for TLS Handshake Failed would be using the wrong static key. The static key must match the one on the other end. Static keys are an optional extra layer of encryption, if the server does not expect a static key it must be disabled on the client as well.

Content without Keys:

# Client profile as posted, keys replaced with asterisks. The <cert>, <key>,
# <tls-auth> and <ca> inline-block tags were mangled by the forum into
# backticks; in the real file they are angle-bracket tags.
dev tun
fast-io
persist-key
persist-tun
nobind
# NOTE(review): this line names port 1195, but the daemon log quoted later in
# the thread shows the client sending to ***.***.***.***:1194. A handshake that
# times out with no reply is consistent with talking to the wrong port --
# confirm the port actually configured on the router matches this profile.
remote uk-1-docklands-ca-version-2.expressnetw.com 1195

remote-random
pull
comp-lzo no
tls-client
# NOTE(review): the thread reports these two options are not offered in the
# OpenWrt UI; route-method is documented as a Windows-only route option --
# confirm against the installed OpenVPN version's manual before copying it.
verify-x509-name Server name-prefix
# NOTE(review): ns-cert-type is a deprecated way of checking the server
# certificate; confirm the installed version still accepts it.
ns-cert-type server
# Direction for the tls-auth static key below; the reply notes the key (and so
# its direction) must match what the server expects.
key-direction 1
route-method exe
route-delay 2
tun-mtu 1500
fragment 1300
mssfix 1200
verb 3
# The log quoted later in the thread warns that --cipher is not in
# --data-ciphers (add it there or use --data-ciphers-fallback) and that
# --keysize is deprecated and removed in OpenVPN 2.6.
cipher AES-256-CBC
keysize 256
auth SHA512
sndbuf 524288
rcvbuf 524288
# No credentials file is named here; the thread asks whether a user/pass file
# was set up separately.
auth-user-pass

`cert`
-----BEGIN CERTIFICATE-----
****************************
****************************
-----END CERTIFICATE-----
`/cert`
`key`
-----BEGIN RSA PRIVATE KEY-----
***************************
***************************
-----END RSA PRIVATE KEY-----
`/key`
`tls-auth`
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
************************************
************************************
************************************
-----END OpenVPN Static key V1-----
`/tls-auth`
`ca`
-----BEGIN CERTIFICATE-----
***********************************
***********************************
***********************************
-----END CERTIFICATE-----
`/ca`

A couple of these settings I can't find in the manual setup under Advanced Configuration, even looking in the Add section of each.

The ones I can't find are:

verify-x509-name Server name-prefix
route-method exe

All the rest i can find and set.

Also, should my TLS cert just contain the key and not the lines:

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

and does it need the cert at the start and /cert at the end?

Try removing these and see if it connects.

Have you set up a user/pass file?

The OVPN file is not imported; that doesn't work and is untested by ExpressVPN, as they informed me. It works with DD-WRT.

I'm having to manually input all these settings from the OVPN file and create the separate files from the data extracted from it.

auth-user-pass file created and set
ca.crt created from the data extracted from the OVPN file
etc. etc.

Though something is telling me that something is just amiss with the TLS file created from the data extracted from the OVPN file.

Another thing I noticed: with the connection it says the following:

Sun Nov 20 20:43:46 2022 daemon.warn openvpn(ExpressVPN)[11190]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sun Nov 20 20:43:46 2022 daemon.notice openvpn(ExpressVPN)[11190]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Sun Nov 20 20:43:46 2022 daemon.notice openvpn(ExpressVPN)[11190]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Sun Nov 20 20:43:46 2022 daemon.notice openvpn(ExpressVPN)[11190]: TCP/UDP: Preserving recently used remote address: [AF_INET]***.***.***.***:1194
Sun Nov 20 20:43:46 2022 daemon.notice openvpn(ExpressVPN)[11190]: Socket Buffers: R=[180224->360448] S=[180224->360448]
Sun Nov 20 20:43:46 2022 daemon.notice openvpn(ExpressVPN)[11190]: UDP link local: (not bound)
Sun Nov 20 20:43:46 2022 daemon.notice openvpn(ExpressVPN)[11190]: UDP link remote: [AF_INET]***.***.***.***:1194
Sun Nov 20 20:44:46 2022 daemon.err openvpn(ExpressVPN)[11190]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sun Nov 20 20:44:46 2022 daemon.err openvpn(ExpressVPN)[11190]: TLS Error: TLS handshake failed
Sun Nov 20 20:44:46 2022 daemon.notice openvpn(ExpressVPN)[11190]: SIGUSR1[soft,tls-error] received, process restarting
Sun Nov 20 20:44:46 2022 daemon.notice openvpn(ExpressVPN)[11190]: Restart pause, 300 second(s)

The part where it says "UDP link local: (not bound)" — is there a problem here?

I followed this tutorial, replacing all the data with what's contained in my OVPN file, and added some extra variables that were not listed in the tutorial but were in my OVPN file.

One other warning i get is the following:

Sun Nov 20 21:24:01 2022 daemon.warn openvpn(ExpressVPN)[23855]: WARNING: using --pull/--client and --ifconfig together is probably not what you want

To be clear, following a guide for LEDE is probably not the best option given that we've moved from 17.01 > 22.03 (that's 5 years, 4 major versions). Many things will be different.

Maybe follow something more modern:


I'll take a look at that guide, thanks.

One other warning i get is this:

Sun Nov 20 21:27:45 2022 daemon.warn openvpn(ExpressVPN)[24398]: DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
Sun Nov 20 21:27:45 2022 daemon.warn openvpn(ExpressVPN)[24398]: WARNING: --keysize is DEPRECATED and will be removed in OpenVPN 2.6

Hi, I started fresh using this config and it failed at this point:

# Quoted from the guide being followed; on this router both commands fail with
# "uci: invalid argument" (result quoted below).
# NOTE(review): the firewall config posted earlier declares its zones as
# anonymous sections ("config zone" with no section name), so the path
# firewall.wan presumably does not resolve -- confirm with `uci show firewall`
# and address the zone by its section id (e.g. firewall.@zone[1]) instead.
uci del_list firewall.wan.device="tun+"
uci add_list firewall.wan.device="tun+"

Result for both:
uci: invalid argument

And also, I cannot find the zip file from ExpressVPN that contains the certificates and keys; I've looked everywhere on their site.

The only place I can find these keys is within the .ovpn file.