When connected to my openVPN (server) running on openWrt I get no local connectivity to LAN or Internet

Hi All,

Ramble: I am sure this is a simple question with a simple answer, for which I apologise. I have searched all over the internet to try to find the answer but simply can't find something that has the same problem as I do.

Problem: I am unable to connect to my local devices (LAN) (e.g. 192.168.1.51, via ping or via a browser) or the Internet once I connect from my laptop to my OpenVPN server (running on my OpenWrt router). I can browse the router's configuration page (192.168.1.1). Very basic setup example:

[image: basic setup example]

To do the setup I followed the full guide: server.setup. Everything was left as in the examples. When I connect from the client (my laptop) everything seems fine and I can browse the LEDE config page, so I know I am "inside my house".

Is it as simple as the fact that I get a 192.168.200.2 IP address, or is it a setting that I need to change in the firewall/OpenVPN configs?

If this is not just me being silly, and enabling LAN/Internet access needs an extra step, I will update the guide to help others.

Config files:
Running: LEDE Reboot 17.01.5

Network:

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd69:3124:5d6c::/48'

config dsl 'dsl'
	option xfer_mode 'ptm'
	option annex 'b'
	option tone 'a'
	option line_mode 'vdsl'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device 'lan_dev'
	option name 'eth0.1'
	option macaddr '38:35:fb:88:6f:f4'

config interface 'wan'
	option proto 'pppoe'
	option ipv6 '1'
	option username 'XXXXXX'
	option password 'XXXXXX'
	option _orig_ifname 'ptm0'
	option _orig_bridge 'false'
	option ifname 'ptm0.101'

config device 'wan_dev'
	option name 'ptm0'
	option macaddr '38:35:fb:88:6f:f5'

config interface 'wan6'
	option ifname '@wan'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 1 2 4 5 6t'
	option vid '1'

config interface 'vpnserver'
	option proto 'none'
	option ifname 'ovpns0'
	option auto '1'

Firewall:

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'
	option family 'any'
	option reload '1'

config rule
	option name 'Allow-OpenVPN-Inbound'
	option target 'ACCEPT'
	option src '*'
	option proto 'tcpudp'
	option dest_port 'XXXX'

config zone
	option name 'vpnserver'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option masq '1'
	option network 'vpnserver'
	option forward 'REJECT'

config forwarding
	option src 'vpnserver'
	option dest 'wan'

config forwarding
	option src 'vpnserver'
	option dest 'lan'


OpenVPN server:

config openvpn 'vpnserver'
	option enabled '1'
	option dev_type 'tun'
	option dev 'ovpns0'
	option proto 'udp'
	option port 'XXXX'
	option topology 'subnet'
	option tls_server '1'
	option mode 'server'
	option server '192.168.200.0 255.255.255.0'
	option route_gateway 'dhcp'
	option compress 'lz4'
	option keepalive '10 120'
	option persist_key '1'
	option persist_tun '1'
	option ca '/etc/openvpn/ca.crt'
	option cert '/etc/openvpn/my-server.crt'
	option key '/etc/openvpn/my-server.key'
	option dh '/etc/openvpn/dh2048.pem'
	option tls_auth '/etc/openvpn/tls-auth.key 0'
	option client_to_client '1'
	option log '/tmp/openvpn.log'
	list push 'topology subnet'
	list push 'redirect-gateway def1'
	list push 'route-gateway dhcp'
	list push 'route 192.168.200.0 255.255.255.0'
	list push 'dhcp-option DNS 192.168.1.1'
	list push 'compress lz4'
	list push 'persist-key'
	list push 'persist-tun'

OpenVPN client:

client
dev tun
proto udp
fast-io
remote XX.XX.XX.XX XXXX
remote-cert-tls server
nobind
persist-key
persist-tun
compress lz4
verb 3
key-direction 1
<ca>
-----BEGIN CERTIFICATE-----
XXXX
-----END CERTIFICATE-----
</ca>
<cert>
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4097 (0x1001)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=GB, ST=London, O=WWW Ltd.
        Validity
            Not Before: Jul 26 21:25:21 2018 GMT
            Not After : Jul 23 21:25:21 2028 GMT
        Subject: CN=my-client
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    XXXX
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: 
                Digital Signature
            X509v3 Extended Key Usage: 
                TLS Web Client Authentication
    Signature Algorithm: sha256WithRSAEncryption
         XXXX
-----BEGIN CERTIFICATE-----
XXXX
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
XXXX
-----END PRIVATE KEY-----
</key>
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
XXXX
-----END OpenVPN Static key V1-----
</tls-auth>

You may have guessed I am very new to all this....

Thanks guys,
James

I'm new to this myself, so this is just a guess, as I had a similar issue when first getting the VPN sorted. Have you created a new interface for your VPN?

If not, go to the bottom of this link and it will show you how:
https://blog.cavebeat.org/2018/02/vpn-tunnel-as-a-wan-interface-on-openwrt-lede-router/

Thanks, it looks like a good tutorial, but yes. The main OpenWrt tutorial also adds the interface for the VPN.

Having said that, the interface has never changed from:

RX: 0 B (0 Pkts.)
TX: 0 B (0 Pkts.)

Is that normal?

Not sure myself, tbh, as I didn't check at the time. I just checked your config compared to mine, and the only real difference, besides your OpenVPN settings (which may be right for you, but I'm not sure), is your firewall settings at the end.

The very end of yours has:

config forwarding
	option src 'vpnserver'
	option dest 'wan'

config forwarding
	option src 'vpnserver'
	option dest 'lan'

mine has:

config forwarding
	option src 'vpnserver'
	option dest 'wan'

config forwarding
	option src 'wan'
	option dest 'lan'

Other than that I'm over my head, and hopefully someone with more than a few weeks' experience will chip in soon. Best of luck.

Remove the following line from your firewall vpn zone:

Then, in your openvpn server file:
remove:

And modify this line:

to be this instead:

list push 'route 192.168.1.0 255.255.255.0'

Restart your firewall and openvpn server and see if that helps.

@jameshiscott Please perform all the steps under Troubleshooting... they're there for a reason.

  • Also, in your configs, please only remove key/cert output, not the actual config option for them, as your client config can't work as posted.

I just noticed that when I run the restart and reload command I get the following warnings:


Warning: Unable to locate ipset utility, disabling ipset support
Warning: Section @zone[2] (vpnserver) cannot resolve device of network 'vpnserver'
Warning: Section @zone[2] (vpnserver) has no device, network, subnet or extra options
 * Clearing IPv4 filter table
 * Clearing IPv4 nat table
 * Clearing IPv4 mangle table
 * Populating IPv4 filter table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'vpnserver'
Warning: fw3_ipt_rule_append(): Can't find target 'input_vpnserver_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'output_vpnserver_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'forwarding_vpnserver_rule'
   * Rule 'Allow-DHCP-Renew'
   * Rule 'Allow-Ping'
   * Rule 'Allow-IGMP'
   * Rule 'Allow-IPSec-ESP'
   * Rule 'Allow-ISAKMP'
   * Rule 'Allow-OpenVPN-Inbound'
   * Forward 'lan' -> 'wan'
   * Forward 'vpnserver' -> 'wan'
   * Forward 'vpnserver' -> 'lan'
 * Populating IPv4 nat table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'vpnserver'
Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_vpnserver_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_vpnserver_rule'
 * Populating IPv4 mangle table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'vpnserver'
 * Clearing IPv6 filter table
 * Clearing IPv6 mangle table
 * Populating IPv6 filter table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'vpnserver'
Warning: fw3_ipt_rule_append(): Can't find target 'input_vpnserver_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'output_vpnserver_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'forwarding_vpnserver_rule'
   * Rule 'Allow-DHCPv6'
   * Rule 'Allow-MLD'
   * Rule 'Allow-ICMPv6-Input'
   * Rule 'Allow-ICMPv6-Forward'
   * Rule 'Allow-IPSec-ESP'
   * Rule 'Allow-ISAKMP'
   * Rule 'Allow-OpenVPN-Inbound'
   * Forward 'lan' -> 'wan'
   * Forward 'vpnserver' -> 'wan'
   * Forward 'vpnserver' -> 'lan'
 * Populating IPv6 mangle table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'vpnserver'
 * Set tcp_ecn to off
 * Set tcp_syncookies to on
 * Set tcp_window_scaling to on
 * Running script '/usr/share/miniupnpd/firewall.include'

Do they give any clues?

I don't have time at the moment to look into why you're experiencing what you are, but wanted to make you aware you forgot to remove your WAN IP from your server log.

  • Since edits will always be visible, please delete your prior post with your logs in it (ensuring you copy the info first via Edit), then repost the exact same information minus your WAN IP (do a find and replace, replacing it with x.x.x.x)

Warning: Section @zone[2] (vpnserver) cannot resolve device of network 'vpnserver'
Warning: Section @zone[2] (vpnserver) has no device, network, subnet or extra options
  • Usually indicates there's an issue with the network name and/or firewall zone name in the firewall config, or the interface name and/or ifname in the network config
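The naming chain that bullet describes (firewall zone name and its network, network interface name and its ifname, and the OpenVPN dev on top) can be checked mechanically. The following is an added example, not code from the thread, from OpenWrt or from fw3: a small Python checker that reads the three UCI files posted in the first post (/etc/config/network, /etc/config/firewall, /etc/config/openvpn) and reports a zone naming a network with no interface section, a forwarding naming a zone that does not exist, an OpenVPN dev that is not any interface's ifname, and a server that pushes neither redirect-gateway nor a LAN route. The sample configs are constructed, abbreviated copies of the posted ones; the deliberately broken variants, the lan_route parameter and the function names are this example's own assumptions.

```python
"""Cross-check the UCI files behind an OpenWrt/LEDE OpenVPN server zone.
Added example, not code from the thread, OpenWrt or fw3; the sample configs
are constructed, abbreviated versions of the ones posted in the thread."""
import re

_SECTION = re.compile(r"^config\s+(\S+)(?:\s+'?([^']*)'?)?\s*$")
_KV = re.compile(r"^(option|list)\s+(\S+)\s+'(.*)'\s*$")


def parse_uci(text):
    """Parse UCI text into a list of sections {type, name, options, lists}."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := _SECTION.match(line):
            sections.append({"type": m.group(1), "name": m.group(2) or "",
                             "options": {}, "lists": {}})
        elif (m := _KV.match(line)) and sections:
            kind, key, value = m.groups()
            if kind == "option":
                sections[-1]["options"][key] = value
            else:
                sections[-1]["lists"].setdefault(key, []).append(value)
    return sections


def zone_networks(zone):
    """fw3 accepts 'option network "a b"' or repeated 'list network'; with neither it uses the zone name."""
    nets = zone["options"].get("network", "").split() + zone["lists"].get("network", [])
    return nets or [zone["options"].get("name", "")]


def check_vpn_zone(network_cfg, firewall_cfg, openvpn_cfg,
                   lan_route="route 192.168.1.0 255.255.255.0"):
    """Return findings; [] means zone -> network -> interface -> ifname -> openvpn dev all line up."""
    interfaces = {s["name"]: s for s in parse_uci(network_cfg) if s["type"] == "interface"}
    fw = parse_uci(firewall_cfg)
    zones = {s["options"].get("name"): s for s in fw if s["type"] == "zone"}
    findings = []
    # 1. Every network a zone names must be a 'config interface' section, and a proto 'none'
    #    interface needs an ifname or fw3 has no device to bind the zone to.
    for zname, zone in zones.items():
        for n in zone_networks(zone):
            iface = interfaces.get(n)
            if iface is None:
                findings.append(f"zone '{zname}' names network '{n}', which has no 'config interface' section")
            elif iface["options"].get("proto") == "none" and "ifname" not in iface["options"]:
                findings.append(f"interface '{n}' is proto 'none' with no ifname, so fw3 cannot resolve a device")
    # 2. Forwardings must reference zones that exist; a typo here silently drops traffic.
    for s in fw:
        if s["type"] == "forwarding":
            for side in ("src", "dest"):
                if s["options"].get(side) not in zones:
                    findings.append(f"forwarding {side} '{s['options'].get(side)}' is not a defined zone")
    # 3. The OpenVPN 'dev' must be the ifname the VPN interface binds to, and clients need
    #    a path to the LAN: either a full redirect or an explicitly pushed LAN route.
    bound = {i["options"].get("ifname") for i in interfaces.values()}
    for s in parse_uci(openvpn_cfg):
        if s["type"] != "openvpn" or s["options"].get("mode") != "server":
            continue
        if s["options"].get("dev") not in bound:
            findings.append(f"openvpn dev '{s['options'].get('dev')}' is not the ifname of any interface")
        pushes = s["lists"].get("push", [])
        if "redirect-gateway def1" not in pushes and lan_route not in pushes:
            findings.append("no 'redirect-gateway def1' and no pushed LAN route: clients reach only the tunnel subnet")
    return findings


# Constructed, abbreviated copies of the posted configs, plus deliberately broken variants.
NETWORK = """
config interface 'lan'
    option proto 'static'
    option ifname 'eth0.1'
config interface 'vpnserver'
    option proto 'none'
    option ifname 'ovpns0'
"""
FIREWALL_OK = """
config zone
    option name 'lan'
    list network 'lan'
config zone
    option name 'vpnserver'
    option network 'vpnserver'
config forwarding
    option src 'vpnserver'
    option dest 'lan'
"""
FIREWALL_BAD = (FIREWALL_OK.replace("option network 'vpnserver'", "option network 'vpn'")
                           .replace("option src 'vpnserver'", "option src 'vpn'"))
OPENVPN_OK = """
config openvpn 'vpnserver'
    option mode 'server'
    option dev 'ovpns0'
    list push 'redirect-gateway def1'
    list push 'route 192.168.200.0 255.255.255.0'
"""
OPENVPN_BAD = OPENVPN_OK.replace("list push 'redirect-gateway def1'", "")

if __name__ == "__main__":
    print(*check_vpn_zone(NETWORK, FIREWALL_BAD, OPENVPN_BAD), sep="\n")
```

The checker only compares names. fw3 resolves a zone's device through netifd at reload time, so the "cannot resolve device of network 'vpnserver'" warning in the log above can also appear when every name is right but ovpns0 does not exist yet, which is what happens if the firewall is reloaded before OpenVPN has started; reloading the firewall once OpenVPN is up tells the two causes apart.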

@JW0914 thanks:

Repost:

@psherman Unfortunately your changes made no difference. I still got a 192.168.200.2 IP address and I still could only get to the router configuration page.

@JW0914 Apologies, I assumed that section was "if you can't connect at all". I made all the changes and the logs are below. It still had the same result. I have also updated the first post with the full configs (I think...):

Made all the troubleshooting changes:

OpenWrt:
/etc/config/openvpn
verb 5
proto tcp

/etc/config/firewall:
Change OpenVPN rules to proto 'tcp udp'

cd /etc/init.d && ./firewall reload && ./openvpn restart

Client:
client.ovpn
verb 7
proto tcp

Server logs:

Sun Jul 29 14:40:21 2018 OpenVPN 2.4.4 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Sun Jul 29 14:40:21 2018 library versions: OpenSSL 1.0.2o  27 Mar 2018, LZO 2.10
Sun Jul 29 14:40:21 2018 TUN/TAP device ovpns0 opened
Sun Jul 29 14:40:21 2018 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Sun Jul 29 14:40:21 2018 /sbin/ifconfig ovpns0 192.168.200.1 netmask 255.255.255.0 mtu 1500 broadcast 192.168.200.255
Sun Jul 29 14:40:21 2018 Could not determine IPv4/IPv6 protocol. Using AF_INET
Sun Jul 29 14:40:21 2018 Listening for incoming TCP connection on [AF_INET][undef]:1194
Sun Jul 29 14:40:21 2018 TCPv4_SERVER link local (bound): [AF_INET][undef]:1194
Sun Jul 29 14:40:21 2018 TCPv4_SERVER link remote: [AF_UNSPEC]
Sun Jul 29 14:40:21 2018 Initialization Sequence Completed
Sun Jul 29 14:40:37 2018 TCP connection established with [AF_INET]82.132.222.47:15190
Sun Jul 29 14:40:39 2018 82.132.222.47:15190 peer info: IV_VER=2.4.6
Sun Jul 29 14:40:39 2018 82.132.222.47:15190 peer info: IV_PLAT=win
Sun Jul 29 14:40:39 2018 82.132.222.47:15190 peer info: IV_PROTO=2
Sun Jul 29 14:40:39 2018 82.132.222.47:15190 peer info: IV_NCP=2
Sun Jul 29 14:40:39 2018 82.132.222.47:15190 peer info: IV_LZ4=1
Sun Jul 29 14:40:39 2018 82.132.222.47:15190 peer info: IV_LZ4v2=1
Sun Jul 29 14:40:39 2018 82.132.222.47:15190 peer info: IV_LZO=1
Sun Jul 29 14:40:39 2018 82.132.222.47:15190 peer info: IV_COMP_STUB=1
Sun Jul 29 14:40:39 2018 82.132.222.47:15190 peer info: IV_COMP_STUBv2=1
Sun Jul 29 14:40:39 2018 82.132.222.47:15190 peer info: IV_TCPNL=1
Sun Jul 29 14:40:39 2018 82.132.222.47:15190 peer info: IV_GUI_VER=OpenVPN_GUI_11
Sun Jul 29 14:40:39 2018 82.132.222.47:15190 [my-client] Peer Connection Initiated with [AF_INET]82.132.222.47:15190
Sun Jul 29 14:40:39 2018 my-client/82.132.222.47:15190 MULTI_sva: pool returned IPv4=192.168.200.2, IPv6=(Not enabled)

Client logs:

Sun Jul 29 14:40:36 2018 OpenVPN 2.4.6 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 26 2018
Sun Jul 29 14:40:36 2018 Windows version 6.2 (Windows 8 or greater) 64bit
Sun Jul 29 14:40:36 2018 library versions: OpenSSL 1.1.0h  27 Mar 2018, LZO 2.10
Enter Management Password:
Sun Jul 29 14:40:36 2018 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Sun Jul 29 14:40:36 2018 Need hold release from management interface, waiting...
Sun Jul 29 14:40:36 2018 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Sun Jul 29 14:40:36 2018 MANAGEMENT: CMD 'state on'
Sun Jul 29 14:40:36 2018 MANAGEMENT: CMD 'log all on'
Sun Jul 29 14:40:36 2018 MANAGEMENT: CMD 'echo all on'
Sun Jul 29 14:40:36 2018 MANAGEMENT: CMD 'bytecount 5'
Sun Jul 29 14:40:36 2018 MANAGEMENT: CMD 'hold off'
Sun Jul 29 14:40:36 2018 MANAGEMENT: CMD 'hold release'
Sun Jul 29 14:40:36 2018 NOTE: --fast-io is disabled since we are running on Windows
Sun Jul 29 14:40:36 2018 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Jul 29 14:40:36 2018 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Jul 29 14:40:36 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]xx.xx.xx.xx:1194
Sun Jul 29 14:40:36 2018 Socket Buffers: R=[65536->65536] S=[65536->65536]
Sun Jul 29 14:40:36 2018 Attempting to establish TCP connection with [AF_INET]xx.xx.xx.xx:1194 [nonblock]
Sun Jul 29 14:40:36 2018 MANAGEMENT: >STATE:1532871636,TCP_CONNECT,,,,,,
Sun Jul 29 14:40:37 2018 TCP connection established with [AF_INET]xx.xx.xx.xx:1194
Sun Jul 29 14:40:37 2018 TCP_CLIENT link local: (not bound)
Sun Jul 29 14:40:37 2018 TCP_CLIENT link remote: [AF_INET]xx.xx.xx.xx:1194
Sun Jul 29 14:40:37 2018 MANAGEMENT: >STATE:1532871637,WAIT,,,,,,
Sun Jul 29 14:40:37 2018 MANAGEMENT: >STATE:1532871637,AUTH,,,,,,
Sun Jul 29 14:40:37 2018 TLS: Initial packet from [AF_INET]xx.xx.xx.xx:1194, sid=db193c3e bcaffebf
Sun Jul 29 14:40:39 2018 VERIFY OK: depth=1, C=GB, ST=London, O=WWW Ltd.
Sun Jul 29 14:40:39 2018 VERIFY KU OK
Sun Jul 29 14:40:39 2018 Validating certificate extended key usage
Sun Jul 29 14:40:39 2018 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Sun Jul 29 14:40:39 2018 VERIFY EKU OK
Sun Jul 29 14:40:39 2018 VERIFY OK: depth=0, CN=my-server
Sun Jul 29 14:40:39 2018 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Sun Jul 29 14:40:39 2018 [my-server] Peer Connection Initiated with [AF_INET]xx.xx.xx.xx:1194
Sun Jul 29 14:40:40 2018 MANAGEMENT: >STATE:1532871640,GET_CONFIG,,,,,,
Sun Jul 29 14:40:40 2018 SENT CONTROL [my-server]: 'PUSH_REQUEST' (status=1)
Sun Jul 29 14:40:40 2018 PUSH: Received control message: 'PUSH_REPLY,topology subnet,redirect-gateway def1,route-gateway dhcp,route 192.168.200.0 255.255.255.0,dhcp-option DNS 192.168.1.1,compress lz4,persist-key,persist-tun,route-gateway 192.168.200.1,topology subnet,ping 10,ping-restart 120,ifconfig 192.168.200.2 255.255.255.0,peer-id 0,cipher AES-256-GCM'
Sun Jul 29 14:40:40 2018 OPTIONS IMPORT: timers and/or timeouts modified
Sun Jul 29 14:40:40 2018 OPTIONS IMPORT: compression parms modified
Sun Jul 29 14:40:40 2018 OPTIONS IMPORT: --persist options modified
Sun Jul 29 14:40:40 2018 OPTIONS IMPORT: --ifconfig/up options modified
Sun Jul 29 14:40:40 2018 OPTIONS IMPORT: route options modified
Sun Jul 29 14:40:40 2018 OPTIONS IMPORT: route-related options modified
Sun Jul 29 14:40:40 2018 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sun Jul 29 14:40:40 2018 OPTIONS IMPORT: peer-id set
Sun Jul 29 14:40:40 2018 OPTIONS IMPORT: adjusting link_mtu to 1627
Sun Jul 29 14:40:40 2018 OPTIONS IMPORT: data channel crypto options modified
Sun Jul 29 14:40:40 2018 Data Channel: using negotiated cipher 'AES-256-GCM'
Sun Jul 29 14:40:40 2018 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sun Jul 29 14:40:40 2018 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sun Jul 29 14:40:40 2018 interactive service msg_channel=772
Sun Jul 29 14:40:40 2018 ROUTE_GATEWAY 192.168.3.1/255.255.255.0 I=5 HWADDR=88:53:2e:2c:e0:d9
Sun Jul 29 14:40:40 2018 open_tun
Sun Jul 29 14:40:40 2018 TAP-WIN32 device [Ethernet 2] opened: \\.\Global\{55D59652-7A81-4743-92BB-C6562CAF48BA}.tap
Sun Jul 29 14:40:40 2018 TAP-Windows Driver Version 9.21 
Sun Jul 29 14:40:40 2018 Set TAP-Windows TUN subnet mode network/local/netmask = 192.168.200.0/192.168.200.2/255.255.255.0 [SUCCEEDED]
Sun Jul 29 14:40:40 2018 Notified TAP-Windows driver to set a DHCP IP/netmask of 192.168.200.2/255.255.255.0 on interface {55D59652-7A81-4743-92BB-C6562CAF48BA} [DHCP-serv: 192.168.200.254, lease-time: 31536000]
Sun Jul 29 14:40:40 2018 Successful ARP Flush on interface [33] {55D59652-7A81-4743-92BB-C6562CAF48BA}
Sun Jul 29 14:40:40 2018 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Sun Jul 29 14:40:40 2018 MANAGEMENT: >STATE:1532871640,ASSIGN_IP,,192.168.200.2,,,,
Sun Jul 29 14:40:45 2018 TEST ROUTES: 2/2 succeeded len=1 ret=1 a=0 u/d=up
Sun Jul 29 14:40:45 2018 C:\WINDOWS\system32\route.exe ADD xx.xx.xx.xx MASK 255.255.255.255 192.168.3.1
Sun Jul 29 14:40:45 2018 Route addition via service succeeded
Sun Jul 29 14:40:45 2018 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 192.168.200.1
Sun Jul 29 14:40:45 2018 Route addition via service succeeded
Sun Jul 29 14:40:45 2018 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 192.168.200.1
Sun Jul 29 14:40:45 2018 Route addition via service succeeded
Sun Jul 29 14:40:45 2018 MANAGEMENT: >STATE:1532871645,ADD_ROUTES,,,,,,
Sun Jul 29 14:40:45 2018 C:\WINDOWS\system32\route.exe ADD 192.168.200.0 MASK 255.255.255.0 192.168.200.1
Sun Jul 29 14:40:45 2018 Route addition via service succeeded
Sun Jul 29 14:40:45 2018 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sun Jul 29 14:40:45 2018 Initialization Sequence Completed
Sun Jul 29 14:40:45 2018 MANAGEMENT: >STATE:1532871645,CONNECTED,SUCCESS,192.168.200.2,xx.xx.xx.xx,1194,192.168.3.10,60499

Anything else i can try?

You should still get a remote (VPN tunnel) IP address in the 192.168.200.0/24 network space. What we were trying to change was the gateway IP address.

This may be a part of your problem (from your client logs):

I wonder if your MTU is too large -- try adding this to your server config:
option tun_mtu '1500'
(or maybe smaller like 1492)

Also, this has me confused (also client log):

Where is this route gateway of 192.168.3.1/24 coming from? Your main network is defined as 192.168.1.0/24 (and OpenVPN on 192.168.200.0/24), so I don't understand where the other gateway address is coming from.

Also, do you have a non-Windows based system to try? Linux, iOS, Android, macOS? Just to rule out Windows-specific issues.

Another thought -- did you start this from a more-or-less default OpenWRT/LEDE install, or have you added other packages or made other significant changes prior to the OpenVPN server installation process?

@psherman thanks again!

I set tun_mtu '1492'. I now get an error on the client; however, it does work....! Do I need to set the MTU on the client config as well? (log at end of post)

It is very slow to connect to any local web pages or to browse the internet (that may just be because it's running on a HH5), but file browsing works :slight_smile:

The 192.168.3.1 is the laptop's local default gateway that I am testing the client on (I am using a totally different network and internet connection to simulate being outside my house).

Basically a default setup; I only added UPnP and set up my VDSL connection.

Sun Jul 29 20:37:12 2018 OpenVPN 2.4.6 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 26 2018
Sun Jul 29 20:37:12 2018 Windows version 6.2 (Windows 8 or greater) 64bit
Sun Jul 29 20:37:12 2018 library versions: OpenSSL 1.1.0h  27 Mar 2018, LZO 2.10
Enter Management Password:
Sun Jul 29 20:37:12 2018 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Sun Jul 29 20:37:12 2018 Need hold release from management interface, waiting...
Sun Jul 29 20:37:13 2018 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Sun Jul 29 20:37:13 2018 MANAGEMENT: CMD 'state on'
Sun Jul 29 20:37:13 2018 MANAGEMENT: CMD 'log all on'
Sun Jul 29 20:37:13 2018 MANAGEMENT: CMD 'echo all on'
Sun Jul 29 20:37:13 2018 MANAGEMENT: CMD 'bytecount 5'
Sun Jul 29 20:37:13 2018 MANAGEMENT: CMD 'hold off'
Sun Jul 29 20:37:13 2018 MANAGEMENT: CMD 'hold release'
Sun Jul 29 20:37:13 2018 NOTE: --fast-io is disabled since we are running on Windows
Sun Jul 29 20:37:13 2018 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Jul 29 20:37:13 2018 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Jul 29 20:37:13 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]x.x.x.x:1194
Sun Jul 29 20:37:13 2018 Socket Buffers: R=[65536->65536] S=[65536->65536]
Sun Jul 29 20:37:13 2018 UDP link local: (not bound)
Sun Jul 29 20:37:13 2018 UDP link remote: [AF_INET]x.x.x.x:1194
Sun Jul 29 20:37:13 2018 MANAGEMENT: >STATE:1532893033,WAIT,,,,,,
Sun Jul 29 20:37:13 2018 MANAGEMENT: >STATE:1532893033,AUTH,,,,,,
Sun Jul 29 20:37:13 2018 TLS: Initial packet from [AF_INET]x.x.x.x:1194, sid=5cbbc4ae 9e1c4e0b
Sun Jul 29 20:37:15 2018 VERIFY OK: depth=1, C=GB, ST=London, O=WWW Ltd.
Sun Jul 29 20:37:15 2018 VERIFY KU OK
Sun Jul 29 20:37:15 2018 Validating certificate extended key usage
Sun Jul 29 20:37:15 2018 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Sun Jul 29 20:37:15 2018 VERIFY EKU OK
Sun Jul 29 20:37:15 2018 VERIFY OK: depth=0, CN=my-server
Sun Jul 29 20:37:15 2018 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1542', remote='link-mtu 1534'
Sun Jul 29 20:37:15 2018 WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1500', remote='tun-mtu 1492'
Sun Jul 29 20:37:15 2018 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Sun Jul 29 20:37:15 2018 [my-server] Peer Connection Initiated with [AF_INET]x.x.x.x:1194
Sun Jul 29 20:37:16 2018 MANAGEMENT: >STATE:1532893036,GET_CONFIG,,,,,,
Sun Jul 29 20:37:16 2018 SENT CONTROL [my-server]: 'PUSH_REQUEST' (status=1)
Sun Jul 29 20:37:16 2018 PUSH: Received control message: 'PUSH_REPLY,topology subnet,redirect-gateway def1,route-gateway dhcp,route 192.168.200.0 255.255.255.0,dhcp-option DNS 192.168.1.1,compress lz4,persist-key,persist-tun,route-gateway 192.168.200.1,topology subnet,ping 10,ping-restart 120,ifconfig 192.168.200.2 255.255.255.0,peer-id 0,cipher AES-256-GCM'
Sun Jul 29 20:37:16 2018 OPTIONS IMPORT: timers and/or timeouts modified
Sun Jul 29 20:37:16 2018 OPTIONS IMPORT: compression parms modified
Sun Jul 29 20:37:16 2018 OPTIONS IMPORT: --persist options modified
Sun Jul 29 20:37:16 2018 OPTIONS IMPORT: --ifconfig/up options modified
Sun Jul 29 20:37:16 2018 OPTIONS IMPORT: route options modified
Sun Jul 29 20:37:16 2018 OPTIONS IMPORT: route-related options modified
Sun Jul 29 20:37:16 2018 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sun Jul 29 20:37:16 2018 OPTIONS IMPORT: peer-id set
Sun Jul 29 20:37:16 2018 OPTIONS IMPORT: adjusting link_mtu to 1625
Sun Jul 29 20:37:16 2018 OPTIONS IMPORT: data channel crypto options modified
Sun Jul 29 20:37:16 2018 Data Channel: using negotiated cipher 'AES-256-GCM'
Sun Jul 29 20:37:16 2018 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sun Jul 29 20:37:16 2018 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sun Jul 29 20:37:16 2018 interactive service msg_channel=728
Sun Jul 29 20:37:16 2018 ROUTE_GATEWAY 192.168.3.1/255.255.255.0 I=5 HWADDR=88:53:2e:2c:e0:d9
Sun Jul 29 20:37:16 2018 open_tun
Sun Jul 29 20:37:16 2018 TAP-WIN32 device [Ethernet 2] opened: \\.\Global\{55D59652-7A81-4743-92BB-C6562CAF48BA}.tap
Sun Jul 29 20:37:16 2018 TAP-Windows Driver Version 9.21 
Sun Jul 29 20:37:16 2018 Set TAP-Windows TUN subnet mode network/local/netmask = 192.168.200.0/192.168.200.2/255.255.255.0 [SUCCEEDED]
Sun Jul 29 20:37:16 2018 Notified TAP-Windows driver to set a DHCP IP/netmask of 192.168.200.2/255.255.255.0 on interface {55D59652-7A81-4743-92BB-C6562CAF48BA} [DHCP-serv: 192.168.200.254, lease-time: 31536000]
Sun Jul 29 20:37:16 2018 Successful ARP Flush on interface [33] {55D59652-7A81-4743-92BB-C6562CAF48BA}
Sun Jul 29 20:37:16 2018 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Sun Jul 29 20:37:16 2018 MANAGEMENT: >STATE:1532893036,ASSIGN_IP,,192.168.200.2,,,,
Sun Jul 29 20:37:21 2018 TEST ROUTES: 2/2 succeeded len=1 ret=1 a=0 u/d=up
Sun Jul 29 20:37:21 2018 C:\WINDOWS\system32\route.exe ADD x.x.x.x MASK 255.255.255.255 192.168.3.1
Sun Jul 29 20:37:21 2018 Route addition via service succeeded
Sun Jul 29 20:37:21 2018 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 192.168.200.1
Sun Jul 29 20:37:21 2018 Route addition via service succeeded
Sun Jul 29 20:37:21 2018 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 192.168.200.1
Sun Jul 29 20:37:21 2018 Route addition via service succeeded
Sun Jul 29 20:37:21 2018 MANAGEMENT: >STATE:1532893041,ADD_ROUTES,,,,,,
Sun Jul 29 20:37:21 2018 C:\WINDOWS\system32\route.exe ADD 192.168.200.0 MASK 255.255.255.0 192.168.200.1
Sun Jul 29 20:37:21 2018 Route addition via service succeeded
Sun Jul 29 20:37:21 2018 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sun Jul 29 20:37:21 2018 Initialization Sequence Completed
Sun Jul 29 20:37:21 2018 MANAGEMENT: >STATE:1532893041,CONNECTED,SUCCESS,192.168.200.2,x.x.x.x,1194,,

Thanks again!
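The client log above is where the exchange between the two posts is decided: the PUSH_REPLY shows whether redirect-gateway and a LAN route were pushed, the two WARNING lines show that tun_mtu '1492' was set on the server only (OpenVPN 2.4 does not negotiate tun-mtu, so the client needs the same value), ROUTE_GATEWAY is the laptop's own default gateway used for the host route to the server, and the route.exe lines show what was actually installed. The following is an added example, not code from the thread or from OpenVPN, that pulls those facts out of such a log; SAMPLE_LOG is a constructed, abbreviated excerpt of the posted log, and triage(), its lan parameter and its findings text are this example's own.

```python
"""Triage an OpenVPN client log for what this thread turned on: the pushed options,
the link-mtu/tun-mtu consistency warnings, the local gateway used for the host
route to the server, and the routes actually installed.  Added example, not code
from the thread or OpenVPN; SAMPLE_LOG is a constructed, abbreviated excerpt of
the Windows client log posted above."""
import re

SAMPLE_LOG = """\
Sun Jul 29 20:37:15 2018 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1542', remote='link-mtu 1534'
Sun Jul 29 20:37:15 2018 WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1500', remote='tun-mtu 1492'
Sun Jul 29 20:37:16 2018 PUSH: Received control message: 'PUSH_REPLY,topology subnet,redirect-gateway def1,route 192.168.200.0 255.255.255.0,dhcp-option DNS 192.168.1.1,route-gateway 192.168.200.1,ifconfig 192.168.200.2 255.255.255.0,cipher AES-256-GCM'
Sun Jul 29 20:37:16 2018 ROUTE_GATEWAY 192.168.3.1/255.255.255.0 I=5 HWADDR=88:53:2e:2c:e0:d9
Sun Jul 29 20:37:21 2018 C:\\WINDOWS\\system32\\route.exe ADD x.x.x.x MASK 255.255.255.255 192.168.3.1
Sun Jul 29 20:37:21 2018 C:\\WINDOWS\\system32\\route.exe ADD 0.0.0.0 MASK 128.0.0.0 192.168.200.1
Sun Jul 29 20:37:21 2018 C:\\WINDOWS\\system32\\route.exe ADD 128.0.0.0 MASK 128.0.0.0 192.168.200.1
Sun Jul 29 20:37:21 2018 C:\\WINDOWS\\system32\\route.exe ADD 192.168.200.0 MASK 255.255.255.0 192.168.200.1
Sun Jul 29 20:37:21 2018 Initialization Sequence Completed
"""

_TS = r"^\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4} "
_MTU = re.compile(_TS + r"WARNING: '(link-mtu|tun-mtu)' is used inconsistently, "
                  r"local='\1 (\d+)', remote='\1 (\d+)'")
_PUSH = re.compile(_TS + r"PUSH: Received control message: 'PUSH_REPLY,(.*)'$")
_GW = re.compile(_TS + r"ROUTE_GATEWAY (\S+)/\S+ ")
_ROUTE = re.compile(_TS + r"\S*route\.exe ADD (\S+) MASK (\S+) (\S+)$")
_DONE = re.compile(_TS + r"Initialization Sequence Completed$")


def triage(log, lan="192.168.1.0 255.255.255.0"):
    """Return extracted facts plus a 'findings' list; lan is the LAN a client is expected to reach."""
    r = {"mtu_mismatch": {}, "pushed": [], "local_gateway": None, "routes": [],
         "completed": False, "findings": []}
    for line in log.splitlines():
        if m := _MTU.match(line):
            r["mtu_mismatch"][m.group(1)] = (int(m.group(2)), int(m.group(3)))
        elif m := _PUSH.match(line):
            r["pushed"] = m.group(1).split(",")
        elif m := _GW.match(line):
            r["local_gateway"] = m.group(1)
        elif m := _ROUTE.match(line):
            r["routes"].append(m.groups())
        elif _DONE.match(line):
            r["completed"] = True
    # OpenVPN 2.4 does not negotiate tun-mtu: both ends must be configured with the same
    # value, so a mismatch is a config defect even when, as in the thread, traffic still flows.
    if "tun-mtu" in r["mtu_mismatch"]:
        local, remote = r["mtu_mismatch"]["tun-mtu"]
        r["findings"].append(f"tun-mtu differs (client {local}, server {remote}): set the same tun-mtu on both ends")
    # 'redirect-gateway def1' must show up as two /1 routes via the tunnel gateway.
    halves = {(dst, mask) for dst, mask, _ in r["routes"]}
    if "redirect-gateway def1" in r["pushed"] and not {("0.0.0.0", "128.0.0.0"), ("128.0.0.0", "128.0.0.0")}.issubset(halves):
        r["findings"].append("redirect-gateway def1 was pushed but the two /1 routes were not installed")
    # Without a redirect, the LAN is reachable only if a route for it was pushed.
    if "redirect-gateway def1" not in r["pushed"] and f"route {lan}" not in r["pushed"]:
        r["findings"].append(f"no default redirect and no pushed route for {lan}: LAN hosts stay unreachable")
    if not r["completed"]:
        r["findings"].append("no 'Initialization Sequence Completed': the tunnel never came up")
    return r


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG)["findings"]:
        print("-", f)
```

The two /1 routes are what redirect-gateway def1 means: together they cover the whole address space and win over the existing /0 default without deleting it, while the /32 host route to the server via the laptop's own gateway (192.168.3.1 here) keeps the tunnel's outer packets out of the tunnel. On the sample log the only finding is the tun-mtu mismatch, which is the state the post above describes: working, but with the client still at the default 1500.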

OpenVPN's tunnel MTU should be in the 48000 range, and definitely not set to anything near 1500. The tunnel MTU should be tuned to the encryption cipher being utilized... for example, AES-256 gets the highest throughput (~585mbit/s) with a tunnel MTU at 48000.

There's rarely ever a reason why one would need to modify the interface's MTU, which is what would be set to 1500 or lower, so unless a user specifically knows the interface's MTU needs to be modified, it should be left alone, as it's an almost sure bet it's not the issue.

UPnP should never be utilized, as it's an enormous security risk.

  • There is no such thing as secure UPnP, and since only a handful of devices require port forwarding, manually configure the port redirects via LuCI or manually in /etc/config/firewall.