I have problem with my openvpn. I can only connect to it while I'm connected to my lan. Whem I'm on cellular network it doesnt work.
Output of logread -e openvpn; netstat -l -n -p | grep -e openvpn
when using cullular network:
Sun Mar 21 02:36:34 2021 daemon.err openvpn(server)[1410]: 188.146.161.48:24722 tls-crypt unwrap error: packet replay
Sun Mar 21 02:36:34 2021 daemon.err openvpn(server)[1410]: 188.146.161.48:24722 TLS Error: tls-crypt unwrapping failed from [AF_INET]188.146.161.48:24722
Sun Mar 21 02:36:35 2021 daemon.err openvpn(server)[1410]: 188.146.161.48:24722 tls-crypt unwrap error: bad packet ID (may be a replay): [ #1 / time = (1616294193) Sun Mar 21 02:36:33 2021 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
client.ovpn configuartion
dev tun
nobind
client
remote myipaddress 1194 udp
auth-nocache
remote-cert-tls server
<tls-crypt>
</tls-crypt>
<key>
</key>
<cert>
</cert>
<ca>
</ca>
server.conf configuartion
user nobody
group nogroup
dev tun
port 1194
proto udp
server 192.168.8.0 255.255.255.0
topology subnet
client-to-client
keepalive 10 60
persist-tun
persist-key
push "dhcp-option DNS 192.168.8.1"
push "redirect-gateway def1"
push "persist-tun"
push "persist-key"
<dh>
</dh>
<tls-crypt>
</tls-crypt>
<key>
</key>
<cert>
</cert>
<ca>
</ca>
Firewall:
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option synflood_protect '1'
option forward 'REJECT'
config zone 'lan'
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan'
list device 'tun+'
config zone 'wan'
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option masq '1'
option mtu_fix '1'
option forward 'REJECT'
option network 'wan wan6 tun0'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
config redirect
option dest_port '25565'
option src 'wan'
option name 'minecraft'
option src_dport '25565'
option target 'DNAT'
option dest_ip '192.168.0.10'
option dest 'lan'
list proto 'tcp'
config redirect
option dest_port '80'
option src 'wan'
option name 'HTTP'
option src_dport '80'
option target 'DNAT'
option dest_ip '192.168.0.10'
option dest 'lan'
list proto 'tcp'
option enabled '0'
config redirect
option dest_port '443'
option src 'wan'
option name 'HTTPS'
option src_dport '443'
option target 'DNAT'
option dest_ip '192.168.0.10'
option dest 'lan'
list proto 'tcp'
option enabled '0'
config redirect
option dest_port '1194'
option src 'wan'
option name 'VPN'
option src_dport '1194'
option target 'DNAT'
option dest_ip '192.168.0.1'
option dest 'lan'
config redirect
option dest_port '1194'
option src 'lan'
option name 'VPN2'
option src_dport '1194'
option target 'DNAT'
option dest_ip '192.168.0.1'
option dest 'lan'
config rule 'ovpn'
option name 'Allow-OpenVPN'
option src 'wan'
option dest_port '1194'
option proto 'udp'
option target 'ACCEPT'
/etc/config/network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd29:984b:1ee0::/48'
config interface 'lan'
option type 'bridge'
option ifname 'eth0.1'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '192.168.0.1'
config interface 'wan'
option ifname 'eth0.2'
option proto 'pppoe'
option password ''
option ipv6 'auto'
option username ''
config device 'wan_eth0_2_dev'
option name 'eth0.2'
option macaddr ''
config interface 'wan6'
option ifname 'eth0.2'
option proto 'dhcpv6'
option reqaddress 'try'
option reqprefix 'auto'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '2 3 4 5 0t'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '1 0t'
config interface 'tun0'
option ifname 'tun0'
option proto 'none'
option auto '0'