I've followed the OpenWRT OpenVPN tutorials to the letter, and no matter how many times I redo the VPN setup, OpenWRT refuses to allow clients to connect to tun0 on 1194.
- WRT1900ac, running the latest snapshot trunk build (today's, but this has been occurring for 2+ weeks)
- all certificates and keys correctly set up (ca, server/client crt and key, dh, & ta)
- both server and client config files set up correctly with mirrored options
- tried both TCP and UDP separately; both fail when the client attempts to connect to the server (with TCP the server rejects the connection, with UDP the connection times out).
- The tunnel interface [tun0] is set up correctly, as I can ping the tunnel subnet [10.10.10.1/24] from within the LAN subnet [192.168.200.0/24].
Followed tutorials:
http://wiki.openwrt.org/doc/howto/vpn.openvpn
http://wiki.openwrt.org/doc/howto/vpn.server.openvpn.tun
http://wiki.openwrt.org/oldwiki/vpn.server.openvpn.tun
as well as:
https://openvpn.net/index.php/open-source/documentation/howto.html#pkcs11
http://joepaetzel.com/2012/07/24/openvpn-on-freenas-8-2/
http://joepaetzel.com/2014/03/04/secure-freenas-9-2-1-2-with-a-firewall/
https://forums.freenas.org/index.php?th … ail.21856/
... and quite a few others. Every time, the server [wrt1900ac] refuses the connection, even though I've set up the firewall rules exactly as specified in the OpenWRT tutorials.
root@OpenWRT:~# uci show openvpn
openvpn.vpnserver=openvpn
openvpn.vpnserver.enabled=1
openvpn.vpnserver.dev=tun
openvpn.vpnserver.proto=tcp
openvpn.vpnserver.local=192.168.200.1
openvpn.vpnserver.server=10.10.10.0 255.255.255.0
openvpn.vpnserver.port=1194
openvpn.vpnserver.keepalive=10 120
openvpn.vpnserver.push=route 192.168.200.0 255.255.255.0
openvpn.vpnserver.ca=/etc/openvpn/keys/ca.crt
openvpn.vpnserver.cert=/etc/openvpn/keys/OpenWRT-VPNserver.crt
openvpn.vpnserver.key=/etc/openvpn/keys/OpenWRT-VPNserver.key
openvpn.vpnserver.dh=/etc/openvpn/keys/dh2048.pem
openvpn.vpnserver.tls_auth=/etc/openvpn/keys/ta.key 0
openvpn.vpnserver.ifconfig_pool_persist=/tmp/ipp.txt
openvpn.vpnserver.log_append=/tmp/openvpn.log
openvpn.vpnserver.status=/tmp/openvpn-status.log
openvpn.vpnserver.verb=4
openvpn.vpnserver.comp_lzo=yes
openvpn.vpnserver.cipher=AES-256-CBC
openvpn.vpnserver.client_to_client=1
openvpn.vpnserver.persist_key=1
openvpn.vpnserver.persist_tun=1
root@OpenWRT:~# uci show firewall
firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood=1
firewall.@defaults[0].input=ACCEPT
firewall.@defaults[0].output=ACCEPT
firewall.@defaults[0].forward=REJECT
firewall.@zone[0]=zone
firewall.@zone[0].name=lan
firewall.@zone[0].input=ACCEPT
firewall.@zone[0].output=ACCEPT
firewall.@zone[0].forward=ACCEPT
firewall.@zone[0].network=lan
firewall.@zone[1]=zone
firewall.@zone[1].name=wan
firewall.@zone[1].input=REJECT
firewall.@zone[1].output=ACCEPT
firewall.@zone[1].forward=REJECT
firewall.@zone[1].masq=1
firewall.@zone[1].mtu_fix=1
firewall.@zone[1].network=wan wan6
firewall.@zone[2]=zone
firewall.@zone[2].name=vpn
firewall.@zone[2].input=ACCEPT
firewall.@zone[2].forward=ACCEPT
firewall.@zone[2].output=ACCEPT
firewall.@zone[2].network=vpn0
firewall.@zone[2].masq=1
firewall.@include[0]=include
firewall.@include[0].path=/etc/firewall.user
firewall.@rule[0]=rule
firewall.@rule[0].name=Allow-OpenVPN-Inbound
firewall.@rule[0].target=ACCEPT
firewall.@rule[0].dest_port=1194
firewall.@rule[0].family=ipv4
firewall.@rule[0].src=*
firewall.@rule[0].proto=tcp udp
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].dest=wan
firewall.@forwarding[0].src=lan
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].src=vpn
firewall.@forwarding[1].dest=lan
Client config (Windows/Android):
client
dev tun
proto tcp
remote vpnserver.dyndns-server.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
ca "C:\\Program Files\\OpenVPN\\config\\OpenWRT-VPNserver\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\OpenWRT-VPNserver\\OpenWRT-VPNclient-AlienFractals.crt"
key "C:\\Program Files\\OpenVPN\\config\\OpenWRT-VPNserver\\OpenWRT-VPNclient-AlienFractals.key"
tls-auth "C:\\Program Files\\OpenVPN\\config\\OpenWRT-VPNserver\\ta.key" 1
ns-cert-type server
cipher AES-256-CBC
comp-lzo
verb 9
#dev tap
#dev-node MyTap
#proto udp
#remote-random
#user nobody
#group nobody
#http-proxy-retry # retry on connection failures
#http-proxy [proxy server] [proxy port #]
#mute 20
I'm really at a loss here, so any opinions would be greatly appreciated. I've tried disabling the router firewall, as well as the firewall on my Nexus 6 [and PC], and the connection is still rejected by the router. I'm missing something here... I'm just not sure exactly what.