VPN Client Warning Noob in Training

Okay so I'm slowly learning, wanting to enable a VPN. I have the vpnclient.ovpn (provided by provider) in /etc/openvpn

I have user pass in /etc/openvpn/vpnclient.auth

I have a vpnclient instance which I can start and a vpnclient (tun0) interface; trouble is, 0 pkts received or sent.

Here are logs

Wed Nov  7 21:53:56 2018 daemon.notice openvpn(vpnclient)[8341]: VERIFY OK: depth=0, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=changeme, CN=server, name=changeme, emailAddress=mail@host.domain
Wed Nov  7 21:53:57 2018 daemon.notice openvpn(vpnclient)[8341]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 1024 bit RSA
Wed Nov  7 21:53:57 2018 daemon.notice openvpn(vpnclient)[8341]: [server] Peer Connection Initiated with [AF_INET]46.101.59.8:1194
Wed Nov  7 21:53:58 2018 daemon.notice openvpn(vpnclient)[8341]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Wed Nov  7 21:53:58 2018 daemon.notice openvpn(vpnclient)[8341]: AUTH: Received control message: AUTH_FAILED
Wed Nov  7 21:53:58 2018 daemon.notice openvpn(vpnclient)[8341]: SIGTERM[soft,auth-failure] received, process exiting
Wed Nov  7 21:53:58 2018 daemon.err openvpn(openvpn)[8342]: Options error: --nobind doesn't make sense unless used with --remote
Wed Nov  7 21:53:58 2018 daemon.warn openvpn(openvpn)[8342]: Use --help for more information.
Wed Nov  7 21:54:03 2018 daemon.notice openvpn(vpnclient)[8343]: OpenVPN 2.4.5 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Wed Nov  7 21:54:03 2018 daemon.notice openvpn(vpnclient)[8343]: library versions: OpenSSL 1.0.2p  14 Aug 2018, LZO 2.10
Wed Nov  7 21:54:03 2018 daemon.warn openvpn(vpnclient)[8343]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Wed Nov  7 21:54:03 2018 daemon.notice openvpn(vpnclient)[8343]: TCP/UDP: Preserving recently used remote address: [AF_INET]46.101.59.8:1194
Wed Nov  7 21:54:03 2018 daemon.notice openvpn(vpnclient)[8343]: Socket Buffers: R=[163840->163840] S=[163840->163840]
Wed Nov  7 21:54:03 2018 daemon.notice openvpn(vpnclient)[8343]: UDP link local: (not bound)
Wed Nov  7 21:54:03 2018 daemon.notice openvpn(vpnclient)[8343]: UDP link remote: [AF_INET]46.101.59.8:1194
Wed Nov  7 21:54:03 2018 daemon.notice openvpn(vpnclient)[8343]: TLS: Initial packet from [AF_INET]46.101.59.8:1194, sid=dc51f72d 71d53ac6
Wed Nov  7 21:54:03 2018 daemon.notice openvpn(vpnclient)[8343]: VERIFY OK: depth=1, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=changeme, CN=changeme, name=changeme, emailAddress=mail@host.domain
Wed Nov  7 21:54:03 2018 daemon.notice openvpn(vpnclient)[8343]: VERIFY OK: depth=0, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=changeme, CN=server, name=changeme, emailAddress=mail@host.domain
Wed Nov  7 21:54:03 2018 daemon.err openvpn(openvpn)[8344]: Options error: --nobind doesn't make sense unless used with --remote
Wed Nov  7 21:54:03 2018 daemon.warn openvpn(openvpn)[8344]: Use --help for more information.
Wed Nov  7 21:54:04 2018 daemon.notice openvpn(vpnclient)[8343]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 1024 bit RSA
Wed Nov  7 21:54:04 2018 daemon.notice openvpn(vpnclient)[8343]: [server] Peer Connection Initiated with [AF_INET]46.101.59.8:1194
Wed Nov  7 21:54:05 2018 daemon.notice openvpn(vpnclient)[8343]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Wed Nov  7 21:54:05 2018 daemon.notice openvpn(vpnclient)[8343]: AUTH: Received control message: AUTH_FAILED
Wed Nov  7 21:54:05 2018 daemon.notice openvpn(vpnclient)[8343]: SIGTERM[soft,auth-failure] received, process exiting
Wed Nov  7 21:54:08 2018 daemon.err openvpn(openvpn)[8345]: Options error: --nobind doesn't make sense unless used with --remote
Wed Nov  7 21:54:08 2018 daemon.warn openvpn(openvpn)[8345]: Use --help for more information.
Wed Nov  7 21:54:10 2018 daemon.notice openvpn(vpnclient)[8346]: OpenVPN 2.4.5 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Wed Nov  7 21:54:10 2018 daemon.notice openvpn(vpnclient)[8346]: library versions: OpenSSL 1.0.2p  14 Aug 2018, LZO 2.10
Wed Nov  7 21:54:10 2018 daemon.warn openvpn(vpnclient)[8346]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Wed Nov  7 21:54:10 2018 daemon.notice openvpn(vpnclient)[8346]: TCP/UDP: Preserving recently used remote address: [AF_INET]46.101.59.8:1194
Wed Nov  7 21:54:10 2018 daemon.notice openvpn(vpnclient)[8346]: Socket Buffers: R=[163840->163840] S=[163840->163840]
Wed Nov  7 21:54:10 2018 daemon.notice openvpn(vpnclient)[8346]: UDP link local: (not bound)
Wed Nov  7 21:54:10 2018 daemon.notice openvpn(vpnclient)[8346]: UDP link remote: [AF_INET]46.101.59.8:1194
Wed Nov  7 21:54:10 2018 daemon.notice openvpn(vpnclient)[8346]: TLS: Initial packet from [AF_INET]46.101.59.8:1194, sid=2375e87b 14ec9486
Wed Nov  7 21:54:10 2018 daemon.notice openvpn(vpnclient)[8346]: VERIFY OK: depth=1, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=changeme, CN=changeme, name=changeme, emailAddress=mail@host.domain
Wed Nov  7 21:54:10 2018 daemon.notice openvpn(vpnclient)[8346]: VERIFY OK: depth=0, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=changeme, CN=server, name=changeme, emailAddress=mail@host.domain
Wed Nov  7 21:54:11 2018 daemon.notice openvpn(vpnclient)[8346]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 1024 bit RSA
Wed Nov  7 21:54:11 2018 daemon.notice openvpn(vpnclient)[8346]: [server] Peer Connection Initiated with [AF_INET]46.101.59.8:1194
Wed Nov  7 21:54:13 2018 daemon.notice openvpn(vpnclient)[8346]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Wed Nov  7 21:54:13 2018 daemon.notice openvpn(vpnclient)[8346]: AUTH: Received control message: AUTH_FAILED
Wed Nov  7 21:54:13 2018 daemon.notice openvpn(vpnclient)[8346]: SIGTERM[soft,auth-failure] received, process exiting
Wed Nov  7 21:54:13 2018 daemon.err openvpn(openvpn)[8347]: Options error: --nobind doesn't make sense unless used with --remote
Wed Nov  7 21:54:13 2018 daemon.warn openvpn(openvpn)[8347]: Use --help for more information.
Wed Nov  7 21:54:18 2018 daemon.notice openvpn(vpnclient)[8348]: OpenVPN 2.4.5 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Wed Nov  7 21:54:18 2018 daemon.notice openvpn(vpnclient)[8348]: library versions: OpenSSL 1.0.2p  14 Aug 2018, LZO 2.10
Wed Nov  7 21:54:18 2018 daemon.warn openvpn(vpnclient)[8348]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Wed Nov  7 21:54:18 2018 daemon.notice openvpn(vpnclient)[8348]: TCP/UDP: Preserving recently used remote address: [AF_INET]46.101.59.8:1194
Wed Nov  7 21:54:18 2018 daemon.notice openvpn(vpnclient)[8348]: Socket Buffers: R=[163840->163840] S=[163840->163840]
Wed Nov  7 21:54:18 2018 daemon.notice openvpn(vpnclient)[8348]: UDP link local: (not bound)
Wed Nov  7 21:54:18 2018 daemon.notice openvpn(vpnclient)[8348]: UDP link remote: [AF_INET]46.101.59.8:1194
Wed Nov  7 21:54:18 2018 daemon.notice openvpn(vpnclient)[8348]: TLS: Initial packet from [AF_INET]46.101.59.8:1194, sid=b0d0829b dae6b52f
Wed Nov  7 21:54:18 2018 daemon.notice openvpn(vpnclient)[8348]: VERIFY OK: depth=1, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=changeme, CN=changeme, name=changeme, emailAddress=mail@host.domain
Wed Nov  7 21:54:18 2018 daemon.notice openvpn(vpnclient)[8348]: VERIFY OK: depth=0, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=changeme, CN=server, name=changeme, emailAddress=mail@host.domain
Wed Nov  7 21:54:18 2018 daemon.err openvpn(openvpn)[8349]: Options error: --nobind doesn't make sense unless used with --remote
Wed Nov  7 21:54:18 2018 daemon.warn openvpn(openvpn)[8349]: Use --help for more information.
Wed Nov  7 21:54:19 2018 daemon.notice openvpn(vpnclient)[8348]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 1024 bit RSA
Wed Nov  7 21:54:19 2018 daemon.notice openvpn(vpnclient)[8348]: [server] Peer Connection Initiated with [AF_INET]46.101.59.8:1194
Wed Nov  7 21:54:20 2018 daemon.notice openvpn(vpnclient)[8348]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Wed Nov  7 21:54:20 2018 daemon.notice openvpn(vpnclient)[8348]: AUTH: Received control message: AUTH_FAILED
Wed Nov  7 21:54:20 2018 daemon.notice openvpn(vpnclient)[8348]: SIGTERM[soft,auth-failure] received, process exiting
Wed Nov  7 21:54:23 2018 daemon.err openvpn(openvpn)[8350]: Options error: --nobind doesn't make sense unless used with --remote
Wed Nov  7 21:54:23 2018 daemon.warn openvpn(openvpn)[8350]: Use --help for more information.
Wed Nov  7 21:54:25 2018 daemon.notice openvpn(vpnclient)[8351]: OpenVPN 2.4.5 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Wed Nov  7 21:54:25 2018 daemon.notice openvpn(vpnclient)[8351]: library versions: OpenSSL 1.0.2p  14 Aug 2018, LZO 2.10
Wed Nov  7 21:54:25 2018 daemon.warn openvpn(vpnclient)[8351]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Wed Nov  7 21:54:25 2018 daemon.notice openvpn(vpnclient)[8351]: TCP/UDP: Preserving recently used remote address: [AF_INET]46.101.59.8:1194
Wed Nov  7 21:54:25 2018 daemon.notice openvpn(vpnclient)[8351]: Socket Buffers: R=[163840->163840] S=[163840->163840]
Wed Nov  7 21:54:25 2018 daemon.notice openvpn(vpnclient)[8351]: UDP link local: (not bound)
Wed Nov  7 21:54:25 2018 daemon.notice openvpn(vpnclient)[8351]: UDP link remote: [AF_INET]46.101.59.8:1194
Wed Nov  7 21:54:25 2018 daemon.notice openvpn(vpnclient)[8351]: TLS: Initial packet from [AF_INET]46.101.59.8:1194, sid=2d318295 44caf531
Wed Nov  7 21:54:25 2018 daemon.notice openvpn(vpnclient)[8351]: VERIFY OK: depth=1, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=changeme, CN=changeme, name=changeme, emailAddress=mail@host.domain
Wed Nov  7 21:54:25 2018 daemon.notice openvpn(vpnclient)[8351]: VERIFY OK: depth=0, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=changeme, CN=server, name=changeme, emailAddress=mail@host.domain

The .ovpn file starts like so, certificate section removed:

client
dev tun
proto udp
remote 46.101.59.8 1194
resolv-retry infinite
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
auth-user-pass
comp-lzo
reneg-sec 0
verb 3
<ca>
-----BEGIN CERTIFICATE-----

Authorization failed.

You have to put the name (including full path) of your user pass file on the same line with auth-user-pass.

When OpenVPN has connected fully, "Initialization Sequence Complete" will be logged.

Hi thanks, like this?

auth-user-pass /etc/openvpn/vpnclient.auth

Is there a clean way to restart after changes to make sure I'm getting new logs or picking up changes?

TIA really appreciate it.

edit

Sorry, got it connecting now but no internet, so presume my firewall settings are not correct.

Wed Nov  7 22:52:39 2018 daemon.notice openvpn(vpnclient)[3818]: library versions: OpenSSL 1.0.2p  14 Aug 2018, LZO 2.10
Wed Nov  7 22:52:39 2018 daemon.warn openvpn(vpnclient)[3818]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Wed Nov  7 22:52:39 2018 daemon.notice openvpn(vpnclient)[3818]: TCP/UDP: Preserving recently used remote address: [AF_INET]46.101.59.8:1194
Wed Nov  7 22:52:39 2018 daemon.notice openvpn(vpnclient)[3818]: Socket Buffers: R=[163840->163840] S=[163840->163840]
Wed Nov  7 22:52:39 2018 daemon.notice openvpn(vpnclient)[3818]: UDP link local: (not bound)
Wed Nov  7 22:52:39 2018 daemon.notice openvpn(vpnclient)[3818]: UDP link remote: [AF_INET]46.101.59.8:1194
Wed Nov  7 22:52:39 2018 daemon.notice openvpn(vpnclient)[3818]: TLS: Initial packet from [AF_INET]46.101.59.8:1194, sid=52754441 ba3f6da3
Wed Nov  7 22:52:39 2018 daemon.notice openvpn(vpnclient)[3818]: VERIFY OK: depth=1, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=changeme, CN=changeme, name=changeme, emailAddress=mail@host.domain
Wed Nov  7 22:52:39 2018 daemon.notice openvpn(vpnclient)[3818]: VERIFY OK: depth=0, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=changeme, CN=server, name=changeme, emailAddress=mail@host.domain
Wed Nov  7 22:52:39 2018 daemon.notice openvpn(vpnclient)[3818]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 1024 bit RSA
Wed Nov  7 22:52:39 2018 daemon.notice openvpn(vpnclient)[3818]: [server] Peer Connection Initiated with [AF_INET]46.101.59.8:1194
Wed Nov  7 22:52:40 2018 daemon.notice openvpn(vpnclient)[3818]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Wed Nov  7 22:52:40 2018 daemon.notice openvpn(vpnclient)[3818]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route-gateway 10.8.0.1,topology subnet,ping 5,ping-restart 30,ifconfig 10.8.0.146 255.255.255.0,peer-id 31,cipher AES-256-GCM'
Wed Nov  7 22:52:40 2018 daemon.notice openvpn(vpnclient)[3818]: OPTIONS IMPORT: timers and/or timeouts modified
Wed Nov  7 22:52:40 2018 daemon.notice openvpn(vpnclient)[3818]: OPTIONS IMPORT: --ifconfig/up options modified
Wed Nov  7 22:52:40 2018 daemon.notice openvpn(vpnclient)[3818]: OPTIONS IMPORT: route options modified
Wed Nov  7 22:52:40 2018 daemon.notice openvpn(vpnclient)[3818]: OPTIONS IMPORT: route-related options modified
Wed Nov  7 22:52:40 2018 daemon.notice openvpn(vpnclient)[3818]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Wed Nov  7 22:52:40 2018 daemon.notice openvpn(vpnclient)[3818]: OPTIONS IMPORT: peer-id set
Wed Nov  7 22:52:40 2018 daemon.notice openvpn(vpnclient)[3818]: OPTIONS IMPORT: adjusting link_mtu to 1657
Wed Nov  7 22:52:40 2018 daemon.notice openvpn(vpnclient)[3818]: OPTIONS IMPORT: data channel crypto options modified
Wed Nov  7 22:52:40 2018 daemon.notice openvpn(vpnclient)[3818]: Data Channel: using negotiated cipher 'AES-256-GCM'
Wed Nov  7 22:52:40 2018 daemon.notice openvpn(vpnclient)[3818]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Nov  7 22:52:40 2018 daemon.notice openvpn(vpnclient)[3818]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Nov  7 22:52:40 2018 daemon.notice openvpn(vpnclient)[3818]: TUN/TAP device tun0 opened
Wed Nov  7 22:52:40 2018 daemon.notice openvpn(vpnclient)[3818]: TUN/TAP TX queue length set to 100
Wed Nov  7 22:52:40 2018 daemon.notice openvpn(vpnclient)[3818]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Wed Nov  7 22:52:40 2018 daemon.notice openvpn(vpnclient)[3818]: /sbin/ifconfig tun0 10.8.0.146 netmask 255.255.255.0 mtu 1500 broadcast 10.8.0.255
Wed Nov  7 22:52:40 2018 daemon.notice netifd: Interface 'vpnclient' is enabled
Wed Nov  7 22:52:40 2018 daemon.notice netifd: Network device 'tun0' link is up
Wed Nov  7 22:52:40 2018 daemon.notice netifd: Interface 'vpnclient' has link connectivity
Wed Nov  7 22:52:40 2018 daemon.notice netifd: Interface 'vpnclient' is setting up now
Wed Nov  7 22:52:40 2018 daemon.notice netifd: Interface 'vpnclient' is now up
Wed Nov  7 22:52:40 2018 daemon.notice openvpn(vpnclient)[3818]: /sbin/route add -net 46.101.59.8 netmask 255.255.255.255 gw 172.16.13.176
Wed Nov  7 22:52:40 2018 daemon.notice openvpn(vpnclient)[3818]: /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.8.0.1
Wed Nov  7 22:52:40 2018 daemon.notice openvpn(vpnclient)[3818]: /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.8.0.1
Wed Nov  7 22:52:40 2018 daemon.notice openvpn(vpnclient)[3818]: Initialization Sequence Completed
Wed Nov  7 22:52:40 2018 user.notice firewall: Reloading firewall due to ifup of vpnclient (tun0)
Wed Nov  7 22:53:21 2018 authpriv.info dropbear[3606]: Exit (root): Exited normally
Wed Nov  7 22:53:21 2018 authpriv.info dropbear[3575]: Exit (root): Exited normally
Wed Nov  7 22:55:38 2018 daemon.err openvpn(vpnclient)[3818]: event_wait : Interrupted system call (code=4)
Wed Nov  7 22:55:38 2018 daemon.notice openvpn(vpnclient)[3818]: /sbin/route del -net 46.101.59.8 netmask 255.255.255.255
Wed Nov  7 22:55:38 2018 daemon.notice openvpn(vpnclient)[3818]: /sbin/route del -net 0.0.0.0 netmask 128.0.0.0
Wed Nov  7 22:55:38 2018 daemon.notice openvpn(vpnclient)[3818]: /sbin/route del -net 128.0.0.0 netmask 128.0.0.0
Wed Nov  7 22:55:38 2018 daemon.notice openvpn(vpnclient)[3818]: Closing TUN/TAP interface
Wed Nov  7 22:55:38 2018 daemon.notice openvpn(vpnclient)[3818]: /sbin/ifconfig tun0 0.0.0.0
Wed Nov  7 22:55:38 2018 daemon.notice netifd: Network device 'tun0' link is down
Wed Nov  7 22:55:38 2018 daemon.notice netifd: Interface 'vpnclient' has link connectivity loss
Wed Nov  7 22:55:38 2018 daemon.notice netifd: Interface 'vpnclient' is now down

firewall settings

root@OpenWrt:~# uci show firewall
firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].network='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].network='wan' 'wan6'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.@zone[2]=zone
firewall.@zone[2].name='vpnclient'
firewall.@zone[2].network='vpnclient'
firewall.@zone[2].input='REJECT'
firewall.@zone[2].output='ACCEPT'
firewall.@zone[2].forward='REJECT'
firewall.@zone[2].mtu_fix='1'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].dest='wan'
firewall.@forwarding[0].src='lan'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].dest='lan'
firewall.@forwarding[1].src='wan'
root@OpenWrt:~#
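
An added example, not part of any post in this thread: a small audit of `uci show firewall` output for the state shown above, where the tunnel comes up and pushes `redirect-gateway def1` but LAN clients get no internet. It assumes LAN clients are meant to exit through the tunnel, which needs `masq='1'` on the VPN zone and a `lan` to VPN-zone forwarding; it also reports any `wan` to `lan` forwarding, which lets traffic arriving on the WAN side be forwarded into the LAN. The function names, finding labels and the "fixed" sample are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit `uci show firewall` output.
# On the router: uci show firewall | audit_fw vpnclient lan wan

audit_fw() {
    # $1 = VPN zone name, $2 = LAN zone name, $3 = WAN zone name; config on stdin
    awk -v vpn="$1" -v lan="$2" -v wan="$3" -v q="'" '
    # Only option lines of zone and forwarding sections are of interest
    /^firewall\.@(zone|forwarding)\[[0-9]+\]\./ {
        eq  = index($0, "=")
        key = substr($0, 1, eq - 1)
        val = substr($0, eq + 1)
        gsub(q, "", val)            # drop the quoting uci puts around values
        split(key, p, ".")          # p[2] = section, p[3] = option name
        sec[p[2]] = 1
        opt[p[2], p[3]] = val
    }
    END {
        for (s in sec) {
            if (s ~ /^@zone/ && opt[s, "name"] == vpn) {
                found = 1
                # Without masquerading, LAN source addresses leave via tun0 unchanged
                if (opt[s, "masq"] != "1") print "NO_MASQ " vpn
            }
            if (s ~ /^@forwarding/) {
                if (opt[s, "src"] == lan && opt[s, "dest"] == vpn) fwd = 1
                # WAN-originated traffic allowed into the LAN: an exposure
                if (opt[s, "src"] == wan && opt[s, "dest"] == lan) print "WAN_TO_LAN_FORWARD"
            }
        }
        if (!found)    print "NO_ZONE " vpn
        else if (!fwd) print "NO_FORWARD " lan "->" vpn
    }' | LC_ALL=C sort
}

# Zone and forwarding lines taken from the firewall dump posted above (abridged)
page_config() {
    cat <<'EOF'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].network='wan' 'wan6'
firewall.@zone[1].masq='1'
firewall.@zone[2]=zone
firewall.@zone[2].name='vpnclient'
firewall.@zone[2].network='vpnclient'
firewall.@zone[2].input='REJECT'
firewall.@zone[2].forward='REJECT'
firewall.@zone[2].mtu_fix='1'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].dest='wan'
firewall.@forwarding[0].src='lan'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].dest='lan'
firewall.@forwarding[1].src='wan'
EOF
}

# Constructed sample: masquerading on the VPN zone, lan->vpnclient only
fixed_config() {
    cat <<'EOF'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[2]=zone
firewall.@zone[2].name='vpnclient'
firewall.@zone[2].network='vpnclient'
firewall.@zone[2].input='REJECT'
firewall.@zone[2].forward='REJECT'
firewall.@zone[2].masq='1'
firewall.@zone[2].mtu_fix='1'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].dest='vpnclient'
firewall.@forwarding[0].src='lan'
EOF
}

page_config | audit_fw vpnclient lan wan
```

An empty result means none of the three conditions was found; it does not show that traffic is actually leaving through the tunnel.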

This may be a complete non sequitur, but if your provider uses the same credentials for account access as they do for VPN, you might want to consider the "wisdom" of placing them on the router in any form whatsoever.

https://openwrt.org/docs/guide-user/services/vpn/openvpn/client

Hi no they are different, actually why I was getting the auth failure previously.
I remembered I needed different credentials.