OpenWrt Forum Archive

Topic: Optimized and feature rich trunk build for select routers

The content of this topic has been archived between 20 Aug 2014 and 5 May 2018. Unfortunately there are posts – most likely complete pages – missing.

It looks correct to me, you've got a proper vpn zone and forwarding rule. Post the output of "logread | grep openvpn"

Here you are:

(Last edited by johan81 on 9 Jul 2015, 13:06)

Everything looks fine, you can see the client is pulling the network configuration. You can reach the LAN, so that means the tunnel is working fine. The forwarding rule for vpn zone to wan is in place, so you should be able to reach the internet as well. You could tcpdump on the tun interface to look at the packet flow for clues. I'll try to reproduce with a clean config when I get the time.

(Last edited by arokh on 8 Jul 2015, 22:03)

When I got time, I will do a full backup of my setup now and do a factory reset and fix the firewall problem, just to be sure nothing I did messed anything up. Thanks for your help.

I have the same issue as johan81, I can connect via vpn but neither traffic to lan nor wan is let through. Changed the vpn zone list network in /etc/config/firewall to vpnudp vpntcp as per your hint, but no joy. I have tried the official Android app and OpenVPN client on windows.

Running the firewall reload command, it throws warnings. Also there is no tun0 and tun1 interface in the network config. See the configs as follows.

Output of /etc/init.d/firewall renew:

Warning: Unable to locate ipset utility, disabling ipset support
Warning: Section @zone[1] (vpn) cannot resolve device of network 'vpnudp vpntcp'
Warning: Section @zone[2] (tor) cannot resolve device of network 'tor'
Warning: Section @zone[1] (vpn) has no device, network, subnet or extra options
Warning: Section @zone[2] (tor) has no device, network, subnet or extra options
 * Clearing IPv4 filter table
 * Clearing IPv4 nat table
 * Clearing IPv4 mangle table
 * Clearing IPv4 raw table
 * Populating IPv4 filter table
   * Zone 'lan'
   * Zone 'vpn'
   * Zone 'tor'
   * Zone 'wan'
   * Rule 'Allow-DHCP-Renew'
   * Rule 'Allow-Ping'
   * Rule 'Allow-IGMP'
   * Rule 'Allow OpenVPN'
   * Rule 'Allow DHCP requests from Tor zone'
   * Rule 'Allow traffic to the Tor proxy'
   * Rule 'Allow DNS lookups from Tor zone'
   * Rule 'Allow DNS lookups to Tor DNS proxy'
   * Redirect 'Redirect TCP port 443 to OpenVPN'
   * Forward 'lan' -> 'wan'
   * Forward 'vpn' -> 'lan'
   * Forward 'vpn' -> 'wan'
   * Forward 'lan' -> 'vpn'
 * Populating IPv4 nat table
   * Zone 'lan'
   * Zone 'vpn'
   * Zone 'tor'
   * Zone 'wan'
   * Redirect 'Redirect TCP port 443 to OpenVPN'
 * Populating IPv4 mangle table
   * Zone 'lan'
   * Zone 'vpn'
   * Zone 'tor'
   * Zone 'wan'
 * Populating IPv4 raw table
   * Zone 'lan'
   * Zone 'vpn'
   * Zone 'tor'
   * Zone 'wan'
 * Clearing IPv6 filter table
 * Clearing IPv6 mangle table
 * Clearing IPv6 raw table
 * Populating IPv6 filter table
   * Zone 'lan'
   * Zone 'vpn'
   * Zone 'tor'
   * Zone 'wan'
   * Rule 'Allow-DHCPv6'
   * Rule 'Allow-MLD'
   * Rule 'Allow-ICMPv6-Input'
   * Rule 'Allow-ICMPv6-Forward'
   * Rule 'Allow OpenVPN'
   * Rule 'Allow DHCP requests from Tor zone'
   * Rule 'Allow traffic to the Tor proxy'
   * Rule 'Allow DNS lookups from Tor zone'
   * Rule 'Allow DNS lookups to Tor DNS proxy'
   * Forward 'lan' -> 'wan'
   * Forward 'vpn' -> 'lan'
   * Forward 'vpn' -> 'wan'
   * Forward 'lan' -> 'vpn'
 * Populating IPv6 mangle table
   * Zone 'lan'
   * Zone 'vpn'
   * Zone 'tor'
   * Zone 'wan'
 * Populating IPv6 raw table
   * Zone 'lan'
   * Zone 'vpn'
   * Zone 'tor'
   * Zone 'wan'
 * Set tcp_ecn to off
 * Set tcp_syncookies to on
 * Set tcp_window_scaling to on
 * Running script '/usr/share/miniupnpd/firewall.include'

My /etc/config/firewall:

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'vpn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'vpnudp vpntcp'

config zone
        option name 'tor'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option conntrack '1'
        option network 'tor'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fe80::/10'
        option src_port '547'
        option dest_ip 'fe80::/10'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config redirect
        option src 'wan'
        option src_dport '222'
        option dest 'lan'
        option dest_port '22'
        option proto 'tcp'
        option name 'Allow external SSH on port 222'
        option target 'DNAT'
        option enabled '0'
        option reflection '1'

config redirect
        option src 'wan'
        option src_dport '443'
        option dest 'lan'
        option dest_port '1194'
        option proto 'tcp'
        option name 'Redirect TCP port 443 to OpenVPN'
        option target 'DNAT'
        option enabled '1'

config rule
        option target 'ACCEPT'
        option name 'Allow OpenVPN'
        option src 'wan'
        option proto 'udp'
        option dest_port '1194'
        option enabled '1'

config rule
        option name 'Allow DHCP requests from Tor zone'
        option src 'tor'
        option proto 'udp'
        option dest_port '67'
        option target 'ACCEPT'

config rule
        option name 'Allow traffic to the Tor proxy'
        option src 'tor'
        option proto 'tcp'
        option dest_port '9040'
        option target 'ACCEPT'

config rule
        option name 'Allow DNS lookups from Tor zone'
        option src 'tor'
        option proto 'udp'
        option dest_port '53'
        option target 'ACCEPT'

config rule
        option name 'Allow DNS lookups to Tor DNS proxy'
        option src 'tor'
        option proto 'udp'
        option dest_port '9053'
        option target 'ACCEPT'

config include 'miniupnpd'
        option type 'script'
        option path '/usr/share/miniupnpd/firewall.include'
        option family 'any'
        option reload '1'

config forwarding
        option dest 'lan'
        option src 'vpn'

config forwarding
        option dest 'wan'
        option src 'vpn'

config forwarding
        option dest 'vpn'
        option src 'lan'

My /etc/config/network:

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdf3:2217:0e71::/48'

config interface 'lan'
        option ifname 'eth0.1'
        option force_link '1'
        option type 'bridge'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option ifname 'eth1'
        option proto 'dhcp'

config interface 'wan6'
        option ifname 'eth1'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'
        option blinkrate '2'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 3 5t'

config switch_port
        option device 'switch0'
        option port '1'
        option led '6'

config switch_port
        option device 'switch0'
        option port '2'
        option led '9'

config switch_port
        option device 'switch0'
        option port '5'
        option led '2'

config interface 'vpnudp'
        option proto 'none'
        option ifname 'tun0'

config interface 'vpntcp'
        option proto 'none'
        option ifname 'tun1'

config interface 'tor'
        option proto 'static'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'

Ahh I'm so stupid.

Correct:

option network 'vpnudp vpntcp'

This would also be correct:

list network 'vpnudp'
list network 'vpntcp'

Not correct:

list network 'vpnudp vpntcp'

Do a reload/reboot and it should work, I have confirmed this with a clean config on the latest build.

(Last edited by arokh on 9 Jul 2015, 13:18)
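As an added example (not code from this thread or from OpenWrt), a small POSIX shell lint that catches the misconfiguration arokh describes before fw3 does: a single "list network" entry holding several names, which UCI stores as one network called "vpnudp vpntcp" and fw3 then cannot resolve, plus any zone network that has no "config interface" in the network config. The function names, the assumption that "option name" precedes the network entries inside a zone section, and the sample files are mine.

```shell
#!/bin/sh
# Constructed lint for UCI firewall zone network references (not OpenWrt code).
# Flags the bug from this thread: one "list network" entry that holds several
# names (list network 'vpnudp vpntcp'), which UCI keeps as a single network
# name and fw3 then reports as "cannot resolve device of network". Also flags
# zone networks with no "config interface" in the network config. Assumes
# "option name" comes before the network entries in each zone, as in the file
# posted above.

# Print the interface names defined in a UCI network config, one per line.
uci_interfaces() {
    awk -v q="'" '$1 == "config" && $2 == "interface" { gsub(q, "", $3); print $3 }' "$1"
}

# zone_findings FIREWALL_CONFIG NETWORK_CONFIG: print one finding per line.
zone_findings() {
    ifaces=$(uci_interfaces "$2")
    # Emit "zone kind value" for every network reference inside a zone section.
    awk -v q="'" '
        $1 == "config" { section = $2; zone = "-" }
        section == "zone" && $1 == "option" && $2 == "name" { gsub(q, "", $3); zone = $3 }
        section == "zone" && ($1 == "option" || $1 == "list") && $2 == "network" {
            line = $0
            sub(/^[ \t]*(option|list)[ \t]+network[ \t]+/, "", line)
            gsub(q, "", line)
            print zone, $1, line
        }' "$1" |
    while read -r zone kind value; do
        case "$kind:$value" in
            list:*" "*)
                echo "zone '$zone': list network '$value' holds several names;" \
                     "use option network '$value' or one list entry per name" ;;
        esac
        for n in $value; do
            printf '%s\n' "$ifaces" | grep -qx "$n" ||
                echo "zone '$zone': network '$n' has no config interface in $2"
        done
    done
}

# check_zone_networks FIREWALL_CONFIG NETWORK_CONFIG
# Prints the findings and returns 1 if there are any, 0 if the zones look sane.
# Usage: check_zone_networks /etc/config/firewall /etc/config/network
check_zone_networks() {
    findings=$(zone_findings "$1" "$2")
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}
```

Run it after editing /etc/config/firewall and before /etc/init.d/firewall reload; a clean exit means every zone network resolves to a defined interface name.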

Just to be clear, should the list network be deleted, or changed to 'vpn'?
And should option network be added?

EDIT:
To answer my own question, yes, that is how it should be done, works flawlessly now! THANKS!

(Last edited by johan81 on 9 Jul 2015, 11:43)

Deleted. Use the correct line I posted above.

WOW! Just tested the speed and everything of the OpenVPN and it really has improved! I can now even stream HD video through the VPN on another location, great work!

Glad to hear it. I'm working on a new build that will include strongSwan IKEv1 and IKEv2 out of the box support for IOS8/Android as well. I measured 50/50 Mbps with my iPad.

Is this installable on TP-Link 740N?

It's installable on any router (8MB flash required), but you'll have to compile yourself as I only provide images for the routers mentioned on the first page.

(Last edited by arokh on 9 Jul 2015, 14:52)

arokh wrote:

It's installable on any router (8MB flash required), but you'll have to compile yourself as I only provide images for the routers mentioned on the first page.

Damn it, you lost me on "8MB flash required".

I can confirm, that did the trick! Thanks for the quick help!

arokh wrote:

Ahh I'm so stupid.

Correct:

option network 'vpnudp vpntcp'

This would also be correct:

list network 'vpnudp'
list network 'vpntcp'

Not correct:

list network 'vpnudp vpntcp'

Do a reload/reboot and it should work, I have confirmed this with a clean config on the latest build.

Thanks for letting me know.

The TCP option with OpenVPN is brilliant! I once thought I had configured it before with your build, but now I see why it didn't work back then (I didn't configure a separate TCP option in the OpenVPN config file). Now it works on way more networks which pretty tightly block a lot of protocols; when connecting to the OpenVPN, I finally have a fully working network on those Wi-Fi networks, freedom!

How come the Archer builds aren't fixed by now?...

I will put out a new build in the next couple of days. I've done a lot of cleanups and made reghack into a package so it gets compiled for the specific arch instead of bundling already built binaries for each platform, which is doomed to cause issues at some point. I'm hoping that might have been the problem, so if you can test a build for me that would be cool. I'd really like to get it working; it's very annoying that I don't know what's causing it.

I'll be sure to test once a new build is out! Just be sure to reply to this thread once it's built so I get a notification.

Regarding OpenSSL and VPN, is there hardware acceleration support on the WNDR3700? I am getting roughly 600KB/s inbound via OpenVPN and the CPU is maxed out. Also there is no /dev/crypto so I guess we are doing crypto in software here.

No, there is no hardware acceleration, but that sounds very low; I'm sure I got about 20Mbps with my old 3700v1.

New build r46298 currently building:

- Added strongSwan VPN with IKEv1+IKEv2 out of the box (measured 58Mbps/55Mbps with iPad/wdr4900 from LAN)
  * iOS IKEv2 profile automatically generated at http://192.168.3.254/ios.mobileconfig
  * Default username/password = openwrt/changeme (can be changed in /etc/ipsec.secrets)
  * IKEv1 uses psk and xauth username/password - no certificates
  * IKEv2 uses pubkey and eap username/password
- Cleaned up and moved logic for creating .ovpn profiles into /usr/sbin/vpn.sh which also handles strongSwan
- Made reghack into a package and cleaned up logic in /etc/init.d/boot (previously I used pre-built reghack binaries for each router)
- Added Avahi mDNS reflection for OpenVPN tun interfaces
- Consolidated some settings into /etc/config/arokh
- Cleaned up smcroute hotplug script

arokh wrote:

New build r46298 currently building:

  * iOS IKEv2 profile automatically generated at http://192.168.3.254/ios.mobileconfig

This file appears to be empty on my wdr4900.

r46298 softbricked my wndr3700v2 ... stuck at boot

@erikoo

Run this command on your router:

wget -O /etc/strongswan.d/ios.template http://enduser.subsignal.org/~trondah/source-tree/package/feeds/packages/strongswan/files/ios.template && clean-all && rm /etc/.vpn && vpn.sh && ipsec restart

Thanks for the feedback, rebuilding to fix that.

@HumanMakro

That's odd, do you have a serial console by any chance?

Sorry, posts 1976 to 1975 are missing from our archive.