VPN works only on LAN network

I have a problem with my OpenVPN server. I can only connect to it while I'm connected to my LAN. When I'm on a cellular network it doesn't work.

Output of `logread -e openvpn; netstat -l -n -p | grep -e openvpn` when connecting over the cellular network:

Sun Mar 21 02:36:34 2021 daemon.err openvpn(server)[1410]: 188.146.161.48:24722 tls-crypt unwrap error: packet replay
Sun Mar 21 02:36:34 2021 daemon.err openvpn(server)[1410]: 188.146.161.48:24722 TLS Error: tls-crypt unwrapping failed from [AF_INET]188.146.161.48:24722
Sun Mar 21 02:36:35 2021 daemon.err openvpn(server)[1410]: 188.146.161.48:24722 tls-crypt unwrap error: bad packet ID (may be a replay): [ #1 / time = (1616294193) Sun Mar 21 02:36:33 2021 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings

client.ovpn configuration

# client.ovpn as posted; the inline key material was stripped from the post.
dev tun
# No local port is bound; the client uses whatever source port the OS picks.
nobind
client
# "myipaddress" is a placeholder for the router's public address; UDP 1194 matches the server.
remote myipaddress 1194 udp
# Do not keep prompted credentials cached in memory.
auth-nocache
# Require the server certificate to be a server certificate, so another client's
# certificate cannot be used to impersonate the server.
remote-cert-tls server
# tls-crypt key: the same key the server uses (server.conf below); every control packet is
# authenticated and encrypted with it, which is where the "tls-crypt unwrap" log errors come from.
<tls-crypt>

</tls-crypt>
<key>

</key>
<cert>

</cert>
<ca>

</ca>

server.conf configuration

# server.conf as posted (server runs on the router itself, per the replies); inline key material stripped.
# Drop privileges after start-up; persist-key / persist-tun below are what keep restarts working once
# the process can no longer re-read keys or re-open the tun device.
user nobody
group nogroup
dev tun
port 1194
proto udp
# VPN subnet 192.168.8.0/24; the server takes the first address of it (192.168.8.1).
server 192.168.8.0 255.255.255.0
topology subnet
# Clients may talk to each other directly inside the OpenVPN process; that traffic does not
# traverse the router firewall's tun+ rules.
client-to-client
keepalive 10 60
persist-tun
persist-key
# Clients are told to use the server's own VPN address for DNS ...
push "dhcp-option DNS 192.168.8.1"
# ... and to send all of their traffic through the tunnel (full-tunnel VPN).
push "redirect-gateway def1"
push "persist-tun"
push "persist-key"
<dh>

</dh>
# NOTE(review): the "packet replay" / "bad packet ID" errors in the logs are tls-crypt failures on
# this key; the thread's fix was on the firewall side (the 1194 DNAT redirect), not in this file.
<tls-crypt>

</tls-crypt>
<key>

</key>
<cert>

</cert>
<ca>

</ca>

Firewall:


# /etc/config/firewall as posted. Router-level input/output are ACCEPT; forwarding is REJECT
# unless a zone or forwarding section allows it.
config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option synflood_protect '1'
        option forward 'REJECT'

# LAN zone. 'tun+' (every OpenVPN tun device) is a member here, so VPN clients get the same
# access as LAN hosts: input to the router and forwarding towards wan.
config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'
        list device 'tun+'

# WAN zone. 'tun0' is listed here as well, so the VPN interface belongs to both zones at once,
# which makes the policy applied to VPN traffic ambiguous (the replies below ask about exactly
# this and recommend keeping it in the LAN zone only).
config zone 'wan'
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        option forward 'REJECT'
        option network 'wan wan6 tun0'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# The two rules below have src 'wan' and dest 'lan', i.e. they permit IPsec (ESP + IKE on
# UDP 500) to be forwarded to a LAN host. Nothing in the thread mentions a LAN IPsec endpoint,
# so they appear unused; they are the stock OpenWrt defaults.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# Custom rules file; its contents are not shown in the thread, so anything it adds is invisible here.
config include
        option path '/etc/firewall.user'

# Exposes TCP 25565 on the internal host 192.168.0.10 to the Internet.
config redirect
        option dest_port '25565'
        option src 'wan'
        option name 'minecraft'
        option src_dport '25565'
        option target 'DNAT'
        option dest_ip '192.168.0.10'
        option dest 'lan'
        list proto 'tcp'

# HTTP/HTTPS forwards to the same host are present but switched off (enabled '0').
config redirect
        option dest_port '80'
        option src 'wan'
        option name 'HTTP'
        option src_dport '80'
        option target 'DNAT'
        option dest_ip '192.168.0.10'
        option dest 'lan'
        list proto 'tcp'
        option enabled '0'

config redirect
        option dest_port '443'
        option src 'wan'
        option name 'HTTPS'
        option src_dport '443'
        option target 'DNAT'
        option dest_ip '192.168.0.10'
        option dest 'lan'
        list proto 'tcp'
        option enabled '0'

# DNAT of port 1194 arriving on wan (no proto given, so TCP and UDP) to the router's own LAN
# address. OpenVPN runs on the router itself, so no port forward is needed; the 'Allow-OpenVPN'
# input rule at the end is what admits the traffic. The iptables-save output later in the thread
# shows both this DNAT and the input rule matching, and removing this redirect is the fix the
# thread arrives at.
config redirect
        option dest_port '1194'
        option src 'wan'
        option name 'VPN'
        option src_dport '1194'
        option target 'DNAT'
        option dest_ip '192.168.0.1'
        option dest 'lan'

# Same DNAT with src 'lan' (a hairpin for LAN clients). The '(reflection)' rules in the
# iptables-save output are already generated from the 'VPN' redirect above, so this one is
# redundant at best.
config redirect
        option dest_port '1194'
        option src 'lan'
        option name 'VPN2'
        option src_dport '1194'
        option target 'DNAT'
        option dest_ip '192.168.0.1'
        option dest 'lan'

# Accept inbound UDP 1194 on the wan zone: the only rule actually required for a server that
# runs on the router.
config rule 'ovpn'
        option name 'Allow-OpenVPN'
        option src 'wan'
        option dest_port '1194'
        option proto 'udp'
        option target 'ACCEPT'

/etc/config/network

# /etc/config/network as posted.
# NOTE(review): 'loopback' is defined twice; the second section (with the netmask) duplicates
# the first. Harmless for loopback, but one of them should go.
config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd29:984b:1ee0::/48'

# LAN bridge on VLAN 1, router address 192.168.0.1 (the DNAT target of the 'VPN' redirects in
# the firewall config).
config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.0.1'

# PPPoE uplink on VLAN 2; username/password are empty here, presumably redacted for the post.
config interface 'wan'
        option ifname 'eth0.2'
        option proto 'pppoe'
        option password ''
        option ipv6 'auto'
        option username ''

config device 'wan_eth0_2_dev'
        option name 'eth0.2'
        option macaddr ''

config interface 'wan6'
        option ifname 'eth0.2'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '2 3 4 5 0t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '1 0t'

# Unmanaged placeholder for the OpenVPN tun device (auto '0': not brought up by netifd). This is
# the 'tun0' name referenced in the wan zone's network list, while the lan zone matches the same
# device via 'tun+'.
config interface 'tun0'
        option ifname 'tun0'
        option proto 'none'
        option auto '0'
  • Why is your VPN interface attached to both LAN and WAN firewall zones?
  • Where are your client and server located relative to each other and the ISP?
  • You are not running VPN server and client on the same host, are you?

Why is your VPN interface attached to both LAN and WAN firewall zones?

Removed the LAN one; kept the WAN-to-LAN one.

Where are your client and server located relative to each other and the ISP?

Not sure what you are asking for. What I'm trying to do is connect to my home network from outside of it. The server is my router, and the client, in this case my phone, is outside my home network, connected to a cellular tower.

You are not running VPN server and client on the same host, are you?

I'm running only the VPN server, on my router.


Try to connect from WAN while checking the output:

opkg update
opkg install tcpdump
tcpdump -evni any udp port 1194
iptables-save -c | grep -e 1194

tcpdump -evni any udp port 1194

tcpdump: listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
10:43:49.385079  In ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 52, id 40720, offset 0, flags [none], proto UDP (17), length 82)
    188.146.161.48.24796 > myipaddress.1194: UDP, length 54
10:43:50.425348  In ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 52, id 39641, offset 0, flags [none], proto UDP (17), length 82)
    188.146.161.48.24796 > myipaddress.1194: UDP, length 54

iptables-save -c | grep -e 1194

[0:0] -A zone_lan_postrouting -s 192.168.0.0/24 -d 192.168.0.1/32 -p tcp -m tcp --dport 1194 -m comment --comment "!fw3: VPN (reflection)" -j SNAT --to-source 192.168.0.1
[0:0] -A zone_lan_postrouting -s 192.168.0.0/24 -d 192.168.0.1/32 -p udp -m udp --dport 1194 -m comment --comment "!fw3: VPN (reflection)" -j SNAT --to-source 192.168.0.1
[0:0] -A zone_lan_prerouting -s 192.168.0.0/24 -d myipaddress/32 -p tcp -m tcp --dport 1194 -m comment --comment "!fw3: VPN (reflection)" -j DNAT --to-destination 192.168.0.1:1194
[3:246] -A zone_lan_prerouting -s 192.168.0.0/24 -d myipaddress/32 -p udp -m udp --dport 1194 -m comment --comment "!fw3: VPN (reflection)" -j DNAT --to-destination 192.168.0.1:1194
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 1194 -m comment --comment "!fw3: VPN" -j DNAT --to-destination 192.168.0.1:1194
[4:328] -A zone_wan_prerouting -p udp -m udp --dport 1194 -m comment --comment "!fw3: VPN" -j DNAT --to-destination 192.168.0.1:1194
[26:2132] -A zone_wan_input -p udp -m udp --dport 1194 -m comment --comment "!fw3: Allow-OpenVPN" -j ACCEPT



So what could cause this problem?

Remove or disable this firewall rule:

# The 'VPN' port forward from the firewall config: DNAT of port 1194 from wan to the router's own
# LAN address. The reply recommends removing it because the server runs on the router itself.
config redirect
        option dest_port '1194'
        option src 'wan'
        option name 'VPN'
        option src_dport '1194'
        option target 'DNAT'
        option dest_ip '192.168.0.1'
        option dest 'lan'

Check if that rule is still there:

# The input rule that must stay: accept UDP 1194 on the wan zone so the server on the router
# is reachable from outside.
config rule 'ovpn'
        option name 'Allow-OpenVPN'
        option src 'wan'
        option dest_port '1194'
        option proto 'udp'
        option target 'ACCEPT'

Make sure that the VPN interface is assigned only to LAN zone, restart the firewall and try again to see if there is any difference.


I removed the port forward rule, and the 'Allow-OpenVPN' rule is still there.

After removing it I can't connect to the VPN even when I'm connected to my local network.

But I don't understand what you mean by "make sure that the VPN interface is assigned only to the LAN zone" — not sure how to do that.

[ EDIT ]
It's working! Now I can't connect to it while connected to the local network, but when I'm not on my home network it works.

Well, now I can connect to my VPN server, but nothing loads.
I'm still getting the old error and can't reach any of the devices on my home network.

logread -e openvpn; netstat -l -n -p | grep -e openvpn

Sun Mar 21 20:17:40 2021 daemon.err openvpn(server)[10807]: 188.146.161.48:24663 tls-crypt unwrap error: packet replay
Sun Mar 21 20:17:40 2021 daemon.err openvpn(server)[10807]: 188.146.161.48:24663 TLS Error: tls-crypt unwrapping failed from [AF_INET]188.146.161.48:24663

[ Edit ]
Suddenly started working. I changed nothing.
