Yet another OpenVPN problem

Installing and Using OpenWrt Network and Wireless Configuration
1

Hello all,

I'm trying to get OpenVPN to work on my router, the VPN profile seems to work because i see it's correctly routing traffic when using the shell with putty and using for example traceroute.

But when using a client (LAN/WLAN) it still seems to use the normal interface and not the tunnel one, so everything is still routed without a VPN.

I'm thinking this is because i once changed something to the VLAN, the thing i changed was so i could reach my devices who weren't connected to the router in the same network, but i can't really remember how i solved this.

The router is a R7800 with KONG 23 r0+23242-a96919608f / LuCI openwrt-23.05 branch git-23.175.78881-404bef1 (nss)

network, firewall and openvpn config:

root@OpenWrt:~# uci show network; uci show firewall; uci show openvpn
network.loopback=interface
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.loopback.device='lo'
network.globals=globals
network.globals.ula_prefix='fd1d:bf08:8ab7::/48'
network.lan=interface
network.lan.proto='static'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.lan.gateway='192.168.0.1'
network.lan.ipaddr='192.168.0.2'
network.lan.device='br-lan'
network.wan=interface
network.wan.proto='dhcp'
network.wan.device='eth0.2'
network.wan6=interface
network.wan6.proto='dhcpv6'
network.wan6.device='eth0.2'
network.@switch[0]=switch
network.@switch[0].name='switch0'
network.@switch[0].reset='1'
network.@switch[0].enable_vlan='1'
network.@switch_vlan[0]=switch_vlan
network.@switch_vlan[0].device='switch0'
network.@switch_vlan[0].vlan='1'
network.@switch_vlan[0].ports='1 2 3 4 5 6t'
network.@switch_vlan[1]=switch_vlan
network.@switch_vlan[1].device='switch0'
network.@switch_vlan[1].vlan='2'
network.@switch_vlan[1].ports='0t'
network.@device[0]=device
network.@device[0].name='br-lan'
network.@device[0].type='bridge'
network.@device[0].ports='eth1.1'
firewall.@defaults[0]=defaults
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@defaults[0].synflood_protect='1'
firewall.lan=zone
firewall.lan.name='lan'
firewall.lan.input='ACCEPT'
firewall.lan.output='ACCEPT'
firewall.lan.forward='ACCEPT'
firewall.lan.network='lan'
firewall.wan=zone
firewall.wan.name='wan'
firewall.wan.input='REJECT'
firewall.wan.output='ACCEPT'
firewall.wan.forward='REJECT'
firewall.wan.masq='1'
firewall.wan.log='1'
firewall.wan.network='wan' 'wan6'
firewall.wan.device='tun0'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.miniupnpd=include
firewall.miniupnpd.type='script'
firewall.miniupnpd.path='/usr/share/miniupnpd/firewall.include'
firewall.miniupnpd.family='any'
firewall.miniupnpd.reload='1'
firewall.pbr=include
firewall.pbr.fw4_compatible='1'
firewall.pbr.type='script'
firewall.pbr.path='/usr/share/pbr/pbr.firewall.include'
firewall.nss_ecm=include
firewall.nss_ecm.type='script'
firewall.nss_ecm.path='/etc/firewall.d/qca-nss-ecm'
firewall.nss_ecm.family='any'
firewall.nss_ecm.reload='1'
openvpn.sample_server=openvpn
openvpn.sample_server.port='1194'
openvpn.sample_server.proto='udp'
openvpn.sample_server.dev='tun'
openvpn.sample_server.ca='/etc/openvpn/ca.crt'
openvpn.sample_server.cert='/etc/openvpn/server.crt'
openvpn.sample_server.key='/etc/openvpn/server.key'
openvpn.sample_server.dh='/etc/openvpn/dh1024.pem'
openvpn.sample_server.server='10.8.0.0 255.255.255.0'
openvpn.sample_server.ifconfig_pool_persist='/tmp/ipp.txt'
openvpn.sample_server.keepalive='10 120'
openvpn.sample_server.compress='lzo'
openvpn.sample_server.persist_key='1'
openvpn.sample_server.persist_tun='1'
openvpn.sample_server.user='nobody'
openvpn.sample_server.status='/tmp/openvpn-status.log'
openvpn.sample_server.verb='3'
openvpn.sample_client=openvpn
openvpn.sample_client.client='1'
openvpn.sample_client.dev='tun'
openvpn.sample_client.proto='udp'
openvpn.sample_client.remote='my_server_1 1194'
openvpn.sample_client.resolv_retry='infinite'
openvpn.sample_client.nobind='1'
openvpn.sample_client.persist_key='1'
openvpn.sample_client.persist_tun='1'
openvpn.sample_client.user='nobody'
openvpn.sample_client.ca='/etc/openvpn/ca.crt'
openvpn.sample_client.cert='/etc/openvpn/client.crt'
openvpn.sample_client.key='/etc/openvpn/client.key'
openvpn.sample_client.compress='lzo'
openvpn.sample_client.verb='3'
openvpn.US46NY=openvpn
openvpn.US46NY.config='/etc/openvpn/US46NY.ovpn'
openvpn.US46NY.enabled='1'

OpenVPN logfile:

Sun Jul 23 11:01:51 2023 daemon.warn openvpn(US46NY)[4329]: DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
Sun Jul 23 11:01:51 2023 daemon.notice openvpn(US46NY)[4329]: OpenVPN 2.5.8 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Sun Jul 23 11:01:51 2023 daemon.notice openvpn(US46NY)[4329]: library versions: OpenSSL 3.0.9 30 May 2023, LZO 2.10
Sun Jul 23 11:01:51 2023 daemon.warn openvpn(US46NY)[4329]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sun Jul 23 11:01:51 2023 daemon.notice openvpn(US46NY)[4329]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Sun Jul 23 11:01:51 2023 daemon.notice openvpn(US46NY)[4329]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Sun Jul 23 11:01:51 2023 daemon.notice openvpn(US46NY)[4329]: TCP/UDP: Preserving recently used remote address: [AF_INET]x:5060
Sun Jul 23 11:01:51 2023 daemon.notice openvpn(US46NY)[4329]: Socket Buffers: R=[180224->180224] S=[180224->180224]
Sun Jul 23 11:01:51 2023 daemon.notice openvpn(US46NY)[4329]: UDP link local: (not bound)
Sun Jul 23 11:01:51 2023 daemon.notice openvpn(US46NY)[4329]: UDP link remote: [AF_INET]x:5060
Sun Jul 23 11:01:52 2023 daemon.notice openvpn(US46NY)[4329]: TLS: Initial packet from [AF_INET]x:5060, sid=b641be5f 419cccad
Sun Jul 23 11:01:52 2023 daemon.warn openvpn(US46NY)[4329]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sun Jul 23 11:01:52 2023 daemon.notice openvpn(US46NY)[4329]: VERIFY OK: depth=2, C=CH, O=ProtonVPN AG, CN=ProtonVPN Root CA
Sun Jul 23 11:01:52 2023 daemon.notice openvpn(US46NY)[4329]: VERIFY OK: depth=1, C=CH, O=ProtonVPN AG, CN=ProtonVPN Intermediate CA 1
Sun Jul 23 11:01:52 2023 daemon.notice openvpn(US46NY)[4329]: VERIFY KU OK
Sun Jul 23 11:01:52 2023 daemon.notice openvpn(US46NY)[4329]: Validating certificate extended key usage
Sun Jul 23 11:01:52 2023 daemon.notice openvpn(US46NY)[4329]: ++ Certificate has EKU (str) 1.3.6.1.5.5.8.2.2, expects TLS Web Server Authentication
Sun Jul 23 11:01:52 2023 daemon.notice openvpn(US46NY)[4329]: ++ Certificate has EKU (oid) 1.3.6.1.5.5.8.2.2, expects TLS Web Server Authentication
Sun Jul 23 11:01:52 2023 daemon.notice openvpn(US46NY)[4329]: ++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Server Authentication
Sun Jul 23 11:01:52 2023 daemon.notice openvpn(US46NY)[4329]: ++ Certificate has EKU (oid) 1.3.6.1.5.5.7.3.2, expects TLS Web Server Authentication
Sun Jul 23 11:01:52 2023 daemon.notice openvpn(US46NY)[4329]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Sun Jul 23 11:01:52 2023 daemon.notice openvpn(US46NY)[4329]: VERIFY EKU OK
Sun Jul 23 11:01:52 2023 daemon.notice openvpn(US46NY)[4329]: VERIFY OK: depth=0, CN=node-us-46.protonvpn.net
Sun Jul 23 11:01:52 2023 daemon.warn openvpn(US46NY)[4329]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1633', remote='link-mtu 1634'
Sun Jul 23 11:01:52 2023 daemon.warn openvpn(US46NY)[4329]: WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
Sun Jul 23 11:01:52 2023 daemon.notice openvpn(US46NY)[4329]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 4096 bit RSA, signature: RSA-SHA256
Sun Jul 23 11:01:52 2023 daemon.notice openvpn(US46NY)[4329]: [node-us-46.protonvpn.net] Peer Connection Initiated with [AF_INET]x:5060
Sun Jul 23 11:01:53 2023 daemon.notice openvpn(US46NY)[4329]: SENT CONTROL [node-us-46.protonvpn.net]: 'PUSH_REQUEST' (status=1)
Sun Jul 23 11:01:53 2023 daemon.notice openvpn(US46NY)[4329]: PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 10.22.0.1,sndbuf 524288,rcvbuf 524288,redirect-gateway def1,explicit-exit-notify,comp-lzo no,route-gateway 10.22.0.1,topology subnet,ping 10,ping-restart 60,socket-flags TCP_NODELAY,ifconfig 10.22.0.12 255.255.0.0,peer-id 393226,cipher AES-256-GCM'
Sun Jul 23 11:01:53 2023 daemon.notice openvpn(US46NY)[4329]: OPTIONS IMPORT: timers and/or timeouts modified
Sun Jul 23 11:01:53 2023 daemon.notice openvpn(US46NY)[4329]: OPTIONS IMPORT: explicit notify parm(s) modified
Sun Jul 23 11:01:53 2023 daemon.notice openvpn(US46NY)[4329]: OPTIONS IMPORT: compression parms modified
Sun Jul 23 11:01:53 2023 daemon.notice openvpn(US46NY)[4329]: OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
Sun Jul 23 11:01:53 2023 daemon.notice openvpn(US46NY)[4329]: Socket Buffers: R=[180224->1048576] S=[180224->1048576]
Sun Jul 23 11:01:53 2023 daemon.notice openvpn(US46NY)[4329]: OPTIONS IMPORT: --socket-flags option modified
Sun Jul 23 11:01:53 2023 daemon.warn openvpn(US46NY)[4329]: NOTE: setsockopt TCP_NODELAY=1 failed
Sun Jul 23 11:01:53 2023 daemon.notice openvpn(US46NY)[4329]: OPTIONS IMPORT: --ifconfig/up options modified
Sun Jul 23 11:01:53 2023 daemon.notice openvpn(US46NY)[4329]: OPTIONS IMPORT: route options modified
Sun Jul 23 11:01:53 2023 daemon.notice openvpn(US46NY)[4329]: OPTIONS IMPORT: route-related options modified
Sun Jul 23 11:01:53 2023 daemon.notice openvpn(US46NY)[4329]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sun Jul 23 11:01:53 2023 daemon.notice openvpn(US46NY)[4329]: OPTIONS IMPORT: peer-id set
Sun Jul 23 11:01:53 2023 daemon.notice openvpn(US46NY)[4329]: OPTIONS IMPORT: adjusting link_mtu to 1656
Sun Jul 23 11:01:53 2023 daemon.notice openvpn(US46NY)[4329]: OPTIONS IMPORT: data channel crypto options modified
Sun Jul 23 11:01:53 2023 daemon.notice openvpn(US46NY)[4329]: Data Channel: using negotiated cipher 'AES-256-GCM'
Sun Jul 23 11:01:53 2023 daemon.notice openvpn(US46NY)[4329]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sun Jul 23 11:01:53 2023 daemon.notice openvpn(US46NY)[4329]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sun Jul 23 11:01:53 2023 daemon.notice openvpn(US46NY)[4329]: net_route_v4_best_gw query: dst 0.0.0.0
Sun Jul 23 11:01:53 2023 daemon.notice openvpn(US46NY)[4329]: net_route_v4_best_gw result: via 192.168.0.1 dev br-lan
Sun Jul 23 11:01:53 2023 daemon.notice openvpn(US46NY)[4329]: TUN/TAP device tun0 opened
Sun Jul 23 11:01:53 2023 daemon.notice openvpn(US46NY)[4329]: net_iface_mtu_set: mtu 1500 for tun0
Sun Jul 23 11:01:53 2023 daemon.notice openvpn(US46NY)[4329]: net_iface_up: set tun0 up
Sun Jul 23 11:01:53 2023 daemon.notice openvpn(US46NY)[4329]: net_addr_v4_add: 10.22.0.12/16 dev tun0
Sun Jul 23 11:01:53 2023 daemon.notice openvpn(US46NY)[4329]: /usr/libexec/openvpn-hotplug up US46NY tun0 1500 1584 10.22.0.12 255.255.0.0 init
Sun Jul 23 11:01:53 2023 daemon.notice openvpn(US46NY)[4329]: net_route_v4_add: 193.148.18.34/32 via 192.168.0.1 dev [NULL] table 0 metric -1
Sun Jul 23 11:01:53 2023 daemon.notice openvpn(US46NY)[4329]: net_route_v4_add: 0.0.0.0/1 via 10.22.0.1 dev [NULL] table 0 metric -1
Sun Jul 23 11:01:53 2023 daemon.notice openvpn(US46NY)[4329]: net_route_v4_add: 128.0.0.0/1 via 10.22.0.1 dev [NULL] table 0 metric -1
Sun Jul 23 11:01:53 2023 daemon.notice openvpn(US46NY)[4329]: Initialization Sequence Completed
udp        0      0 0.0.0.0:43596           0.0.0.0:*                           4329/openvpn

Thanks in advance for having a look into this

2

Could it be that you have setup as a Dumb AP https://openwrt.org/docs/guide-user/network/wifi/dumbap ?

If so point your LAN clients to 192.168.0.2 as gateway

I have not reviewed your firewall but make sure the VPN interface is added to the WAN zone.

Edit: looks like you did :slight_smile:

3

Oh no, of course, the gateway... So obvious, thank you! Setting a manual ip & changing gateway did indeed use the VPN. You are correct that i'm using it as a Dumb AP.

Is there a way to not have to change the default gateway?

The device 192.168.0.1 is sadly a router/modem where i have very limited controls over

4

then you need to double NAT.

1 Like
5

Thanks! Could you point me to a guide or something like that?

6

revert the dumb AP changes, or reset the device, and connect it using the WAN port.

1 Like