Hello.
I have openwrt 16 and VPN.
It was installed a long time ago.
I use it very rarely.
It was working a few months ago.
Today I have a problem.
I can connect to the VPN.
I can ping the internet.
I cannot ping hosts on my local network.
I'm testing by pinging my router and by opening my router's web admin console.
I don't remember any changes since it was working.
I can see my vpn IP
Ethernet adapter Ethernet 3:
Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 10.1.1.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
My router openvpn config:
# OpenVPN server instance in UCI syntax: routed tun device, UDP port 1194,
# tunnel subnet 10.1.1.0/24, with a route to the 192.168.1.0/24 LAN pushed to clients.
config openvpn 'VPNserver'
option enabled '1'
# --- Protocol ---#
# NOTE(review): 'dev' is set twice; only one value can take effect (presumably the
# later 'tun0'). Keep a single line so the device name is unambiguous.
option dev 'tun'
option dev 'tun0'
option topology 'subnet'
option proto 'udp'
option port '1194'
#--- Routes ---#
# NOTE(review): 'server' is a helper that already configures the server end of the
# tunnel subnet, so the explicit 'ifconfig' below looks redundant - confirm it is needed.
option server '10.1.1.0 255.255.255.0'
option ifconfig '10.1.1.1 255.255.255.0'
#--- Client Config ---#
# Per-client configuration and the persistent address pool are disabled (commented out).
# option ccd_exclusive '1'
# option ifconfig_pool_persist '/etc/openvpn/clients/ipp.txt'
# option client_config_dir '/etc/openvpn/clients/'
#--- Pushed Routes ---#
# Clients receive a route to 192.168.1.0/24 through the tunnel plus DNS/WINS/NTP settings.
# Two of the pushed resolvers are public ones, so name lookups are not limited to the router.
list push 'route 192.168.1.0 255.255.255.0'
list push 'dhcp-option DNS 192.168.1.1'
list push 'dhcp-option WINS 192.168.1.1'
list push 'dhcp-option DNS 8.8.8.8'
list push 'dhcp-option DNS 8.8.4.4'
list push 'dhcp-option NTP 129.6.15.30'
#--- Encryption ---#
# NOTE(review): AES-256-CBC is a non-AEAD cipher; newer OpenVPN releases prefer
# AES-256-GCM. Any change here has to be made on every client at the same time.
option cipher 'AES-256-CBC'
option dh '/etc/openvpn/dh2048.pem'
option 'ca' '/etc/openvpn/ca.crt'
option 'cert' '/etc/openvpn/server.crt'
# server.key and ta.key are secrets: keep them readable by root only and leave them
# out of anything that gets shared (backups, forum pastes).
option 'key' '/etc/openvpn/server.key'
# Key direction 0 on the server; clients must use the opposite direction (1).
option tls_auth '/etc/openvpn/ta.key 0'
#--- Logging ---#
# NOTE(review): verb 7 is debug-level output. It helps while troubleshooting, but the
# log grows quickly and /tmp is normally RAM-backed on OpenWrt; lower it afterwards.
option log '/tmp/openvpn.log'
option status '/tmp/openvpn-status.log'
option verb '7'
#--- Connection Options ---#
option keepalive '10 120'
# NOTE(review): the compression setting must match on the client. Compression inside a
# VPN is discouraged today because it enables compression-oracle attacks (VORACLE);
# consider turning it off on both sides.
option comp_lzo 'yes'
#--- Connection Reliability ---#
# client_to_client makes OpenVPN relay traffic between VPN clients internally, so that
# traffic is not filtered by the router's firewall rules.
option client_to_client '1'
option persist_key '1'
option persist_tun '1'
#--- Connection Speed ---#
# NOTE(review): a 24000-byte tun MTU with fragment/mssfix disabled only works when both
# ends agree. No tun-mtu is pushed below, so every client has to set the same value
# itself - verify, since an MTU mismatch can let a tunnel connect yet drop traffic.
option sndbuf '393216'
option rcvbuf '393216'
option fragment '0'
option mssfix '0'
option tun_mtu '24000'
#--- Pushed Buffers ---#
list push 'sndbuf 393216'
list push 'rcvbuf 393216'
#--- Permissions ---#
# Privileges are dropped after start-up; persist_key/persist_tun above avoid having to
# re-read the key or re-open the tun device as the unprivileged user on a restart.
option user 'nobody'
option group 'nogroup'
My router firewall config:
# Default chain policies, used for traffic that no zone below claims:
# input/output accepted, forwarding rejected.
# NOTE(review): input 'ACCEPT' as the global default means traffic arriving on an
# interface that belongs to no zone still reaches the router's own services;
# 'REJECT' is the stricter choice - confirm before changing.
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
# LAN zone: fully trusted (input, output and intra-zone forwarding accepted).
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
# WAN zone: unsolicited input and forwarding are rejected; outbound traffic is
# masqueraded (NAT) and TCP MSS is clamped (mtu_fix).
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
# Only lan -> wan forwarding is declared here; nothing in this part allows wan -> lan.
config forwarding
option src 'lan'
option dest 'wan'
# Rules accepting specific traffic arriving from the wan zone: DHCP renew, ping, IGMP,
# DHCPv6, MLD and a rate-limited set of ICMPv6 types. Rules without a 'dest' apply to
# traffic addressed to the router itself.
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
# The router answers IPv4 echo requests from the Internet.
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
# DHCPv6 replies, restricted to link-local source and destination addresses.
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fe80::/10'
option src_port '547'
option dest_ip 'fe80::/10'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
# Multicast Listener Discovery messages from link-local sources.
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
# ICMPv6 to the router itself, limited to 1000 packets per second.
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# ICMPv6 forwarded from wan to any zone (dest '*'), with the same rate limit.
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# Loads extra firewall commands from /etc/firewall.user. Its contents are not shown on
# this page, so check that file too when the effective rules do not match this config.
config include
option path '/etc/firewall.user'
# Forwarded ESP and UDP/500 (IKE) from wan to lan. No dest_ip is set, so these match
# any LAN host.
# NOTE(review): looks like IPsec passthrough; remove both rules if nothing on the LAN
# terminates IPsec.
config rule
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
# Port forwards: TCP 9090 and 9091 on the WAN address go to 192.168.1.151. There is no
# src_ip restriction, so both ports are reachable from any Internet address.
# NOTE(review): the rule names suggest a camera admin interface and stream. With a VPN
# already in place, reaching them through the tunnel instead would remove this exposure.
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp'
option name 'kamerka salon admin'
option dest_ip '192.168.1.151'
option src_dport '9090'
option dest_port '9090'
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp'
option name 'kamerka salon stream'
option dest_ip '192.168.1.151'
option src_dport '9091'
option dest_port '9091'
# Accepts UDP 1194 from wan to the router itself (no 'dest'), i.e. the OpenVPN listener.
config rule
option target 'ACCEPT'
option name 'VPN'
option src 'wan'
option proto 'udp'
option dest_port '1194'
# VPN zone: as trusted as the LAN (input, output and forward accepted), with forwarding
# allowed in both directions between vpn and lan.
# NOTE(review): the zone is bound to a network called 'vpn0'. It only covers tunnel
# traffic if /etc/config/network defines an interface with that name on the tun device;
# that file is not shown on this page - verify it still exists and matches the
# OpenVPN 'dev' setting.
config zone
option name 'vpn'
option input 'ACCEPT'
option forward 'ACCEPT'
option output 'ACCEPT'
option network 'vpn0'
config forwarding
option src 'vpn'
option dest 'lan'
config forwarding
option src 'lan'
option dest 'vpn'
My openvpn client config:
# OpenVPN client profile (Windows paths): UDP to port 1194 on the redacted server
# address, certificate authentication plus a tls-auth key.
client
tls-client
dev tun
# NOTE(review): SHA1 is OpenVPN's default HMAC digest, so it presumably matches a server
# that sets no 'auth'. A stronger digest (e.g. SHA256) has to be configured on both sides.
auth SHA1
# Key direction 1 on the client; the server must use the opposite direction (0).
tls-auth "d:\\tools\\OpenVPN\\config\\ta.key" 1
proto udp
auth-nocache
cipher AES-256-CBC
remote x.x.x.x 1194
resolv-retry infinite
# NOTE(review): the compression setting must match the server. Compression inside a VPN
# is discouraged today (compression-oracle attacks); disable it on both sides together.
comp-lzo
float
nobind
# Static-key mode is disabled (commented out); TLS with certificates is used instead.
# secret "d:\\tools\\OpenVPN\\config\\secret.key"
verb 3
# NOTE(review): nothing in this profile checks that the peer presents a *server*
# certificate (e.g. 'remote-cert-tls server'), so any certificate issued by this CA
# would be accepted as the server. Confirm the server certificate carries the matching
# key usage before adding that check.
ca "d:\\tools\\OpenVPN\\config\\ca.crt"
cert "d:\\tools\\OpenVPN\\config\\client.crt"
# client.key is a secret; restrict file permissions on it.
key "d:\\tools\\OpenVPN\\config\\client.key"
persist-key
persist-tun
# NOTE(review): no tun-mtu/fragment/mssfix lines are set here, so defaults apply. If the
# server uses non-default values for these, they have to be mirrored in this profile.
Routing table from my laptop:
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.43.1 192.168.43.136 55
10.1.1.0 255.255.255.0 On-link 10.1.1.2 291
10.1.1.2 255.255.255.255 On-link 10.1.1.2 291
10.1.1.255 255.255.255.255 On-link 10.1.1.2 291
127.0.0.0 255.0.0.0 On-link 127.0.0.1 331
127.0.0.1 255.255.255.255 On-link 127.0.0.1 331
127.255.255.255 255.255.255.255 On-link 127.0.0.1 331
192.168.1.0 255.255.255.0 10.1.1.1 10.1.1.2 291
192.168.43.0 255.255.255.0 On-link 192.168.43.136 311
192.168.43.136 255.255.255.255 On-link 192.168.43.136 311
192.168.43.255 255.255.255.255 On-link 192.168.43.136 311
224.0.0.0 240.0.0.0 On-link 127.0.0.1 331
224.0.0.0 240.0.0.0 On-link 192.168.43.136 311
224.0.0.0 240.0.0.0 On-link 10.1.1.2 291
255.255.255.255 255.255.255.255 On-link 127.0.0.1 331
255.255.255.255 255.255.255.255 On-link 192.168.43.136 311
255.255.255.255 255.255.255.255 On-link 10.1.1.2 291
===========================================================================
Ping 10.1.1.1 doesn't work.
Ping 192.168.1.1 (my router) doesn't work.
The router config above was taken from a backup, but I think it is the current configuration.
I have no idea how I can troubleshoot it.
Any idea ?
Any help please ...
Regards Marcin