OpenWrt Forum Archive

Topic: Followed OpenWRT OpenVPN tutorials, OpenWRT [server] refuses connection

The content of this topic has been archived on 3 Jun 2015. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

I've followed the OpenWRT OpenVPN tutorials to the letter, and no matter how many times I redo the VPN setup, OpenWRT refuses to allow clients to connect to tun0 on 1194.


- WRT1900ac, running the latest snapshot trunk build (today's, but this has been occurring for 2+ weeks)
- all certificates and keys correctly set up (ca, server/client crt and key, dh, & ta)
- both server and client config files set up correctly with mirrored options
- tried both tcp, then udp, separately, with both failing when server connection is attempted (tcp says server rejects, udp times out).
- Tunnel [tun0] is set up correctly as I can ping the tunnel subnet [10.10.10.1/24] from within the LAN subnet [192.168.200.0/24]

Followed tutorials:

http://wiki.openwrt.org/doc/howto/vpn.openvpn
http://wiki.openwrt.org/doc/howto/vpn.server.openvpn.tun
http://wiki.openwrt.org/oldwiki/vpn.server.openvpn.tun

as well as:

https://openvpn.net/index.php/open-source/documentation/howto.html#pkcs11
http://joepaetzel.com/2012/07/24/openvpn-on-freenas-8-2/
http://joepaetzel.com/2014/03/04/secure-freenas-9-2-1-2-with-a-firewall/
https://forums.freenas.org/index.php?th … ail.21856/

... and quite a few others, every time the server [wrt1900ac] refuses the connection, even though I've set up the firewall rules exactly as specified in the OpenWRT tutorials.

root@OpenWRT:~# uci show openvpn
openvpn.vpnserver=openvpn
openvpn.vpnserver.enabled=1
openvpn.vpnserver.dev=tun
openvpn.vpnserver.proto=tcp
openvpn.vpnserver.local=192.168.200.1
openvpn.vpnserver.server=10.10.10.0 255.255.255.0
openvpn.vpnserver.port=1194
openvpn.vpnserver.keepalive=10 120
openvpn.vpnserver.push=route 192.168.200.0 255.255.255.0
openvpn.vpnserver.ca=/etc/openvpn/keys/ca.crt
openvpn.vpnserver.cert=/etc/openvpn/keys/OpenWRT-VPNserver.crt
openvpn.vpnserver.key=/etc/openvpn/keys/OpenWRT-VPNserver.key
openvpn.vpnserver.dh=/etc/openvpn/keys/dh2048.pem
openvpn.vpnserver.tls_auth=/etc/openvpn/keys/ta.key 0
openvpn.vpnserver.ifconfig_pool_persist=/tmp/ipp.txt
openvpn.vpnserver.log_append=/tmp/openvpn.log
openvpn.vpnserver.status=/tmp/openvpn-status.log
openvpn.vpnserver.verb=4
openvpn.vpnserver.comp_lzo=yes
openvpn.vpnserver.cipher=AES-256-CBC
openvpn.vpnserver.client_to_client=1
openvpn.vpnserver.persist_key=1
openvpn.vpnserver.persist_tun=1

root@OpenWRT:~# uci show firewall
firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood=1
firewall.@defaults[0].input=ACCEPT
firewall.@defaults[0].output=ACCEPT
firewall.@defaults[0].forward=REJECT
firewall.@zone[0]=zone
firewall.@zone[0].name=lan
firewall.@zone[0].input=ACCEPT
firewall.@zone[0].output=ACCEPT
firewall.@zone[0].forward=ACCEPT
firewall.@zone[0].network=lan
firewall.@zone[1]=zone
firewall.@zone[1].name=wan
firewall.@zone[1].input=REJECT
firewall.@zone[1].output=ACCEPT
firewall.@zone[1].forward=REJECT
firewall.@zone[1].masq=1
firewall.@zone[1].mtu_fix=1
firewall.@zone[1].network=wan wan6
firewall.@zone[2]=zone
firewall.@zone[2].name=vpn
firewall.@zone[2].input=ACCEPT
firewall.@zone[2].forward=ACCEPT
firewall.@zone[2].output=ACCEPT
firewall.@zone[2].network=vpn0
firewall.@zone[2].masq=1
firewall.@include[0]=include
firewall.@include[0].path=/etc/firewall.user
firewall.@rule[0]=rule
firewall.@rule[0].name=Allow-OpenVPN-Inbound
firewall.@rule[0].target=ACCEPT
firewall.@rule[0].dest_port=1194
firewall.@rule[0].family=ipv4
firewall.@rule[0].src=*
firewall.@rule[0].proto=tcp udp
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].dest=wan
firewall.@forwarding[0].src=lan
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].src=vpn
firewall.@forwarding[1].dest=lan

Client (Windows/Android)

client
dev tun
proto tcp
remote vpnserver.dyndns-server.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
ca "C:\\Program Files\\OpenVPN\\config\\OpenWRT-VPNserver\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\OpenWRT-VPNserver\\OpenWRT-VPNclient-AlienFractals.crt"
key "C:\\Program Files\\OpenVPN\\config\\OpenWRT-VPNserver\\OpenWRT-VPNclient-AlienFractals.key"
tls-auth "C:\\Program Files\\OpenVPN\\config\\OpenWRT-VPNserver\\ta.key" 1
ns-cert-type server
cipher AES-256-CBC
comp-lzo
verb 9
#dev tap
#dev-node MyTap
#proto udp
#remote-random
#user nobody
#group nobody
#http-proxy-retry # retry on connection failures
#http-proxy [proxy server] [proxy port #]
#mute 20
I'm really at a loss here, so any opinions would be greatly appreciated. I've tried disabling the router firewall, as well as the firewall on my Nexus 6 [and PC], and the connection is still rejected by the router. I'm missing something here... just not sure exactly what.

(Last edited by JW0914 on 22 Mar 2015, 15:18)

In case anyone having the same issue stumbles across this, the issue is the local directive within the server config file.

Remove the local directive from the server config

Remove

local 192.168.x.x

uci output

openvpn.vpnserver.local=192.168.1.1

(Last edited by JW0914 on 24 Mar 2015, 22:31)
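Why dropping local fixes it, plus a check you can run before posting configs, added here as an example and not part of the thread: the `local 192.168.200.1` directive tells OpenVPN to bind its listening socket to the LAN address only. A client that reaches the router at its WAN address (here via the dyndns name) finds nothing listening on 1194 there, so the kernel answers TCP with a reset ("server rejects") and silently drops UDP ("times out"), which is exactly the symptom pair in the first post and why turning the firewall off changed nothing. The Python script below parses a `uci show openvpn` dump and a client .ovpn and flags that bind together with the options the two sides must mirror (proto, port, tls-auth key direction, cipher, comp-lzo, dev). The sample inputs are the configs posted above, trimmed to the lines the checks read; the function names and wording are mine, not anything from OpenWrt or OpenVPN.

```python
"""Lint an OpenWrt 'uci show openvpn' dump against a client .ovpn for the
settings that make a client get 'connection refused' or a timeout.
Added example; sample inputs are constructed from the configs in the thread."""
import ipaddress

SERVER_UCI = """\
openvpn.vpnserver=openvpn
openvpn.vpnserver.dev=tun
openvpn.vpnserver.proto=tcp
openvpn.vpnserver.local=192.168.200.1
openvpn.vpnserver.port=1194
openvpn.vpnserver.tls_auth=/etc/openvpn/keys/ta.key 0
openvpn.vpnserver.comp_lzo=yes
openvpn.vpnserver.cipher=AES-256-CBC
"""

CLIENT_OVPN = """\
client
dev tun
proto tcp
remote vpnserver.dyndns-server.com 1194
tls-auth "C:\\\\Program Files\\\\OpenVPN\\\\config\\\\ta.key" 1
cipher AES-256-CBC
comp-lzo
#proto udp
"""


def parse_uci_openvpn(text, section="vpnserver"):
    """{directive: [args]} for one uci section. uci spells OpenVPN directives
    with '_' where OpenVPN uses '-' (tls_auth -> tls-auth), so normalise."""
    prefix = "openvpn.%s." % section
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(prefix):
            key, _, value = line[len(prefix):].partition("=")
            opts[key.replace("_", "-")] = value.split()
    return opts


def parse_ovpn(text):
    """{directive: [args]} for a plain .ovpn. Only first/last tokens are ever
    inspected, so quoted paths with spaces survive a whitespace split."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#;":
            tokens = line.split()
            opts[tokens[0]] = tokens[1:]          # last occurrence wins
    return opts


def _base_proto(args):
    # tcp-server / tcp-client are the same wire protocol as tcp; default is udp.
    return args[0].replace("-server", "").replace("-client", "") if args else "udp"


def _ta_direction(args):
    # tls-auth <file> [0|1]; no direction means the key is used bidirectionally.
    return args[-1] if len(args) > 1 and args[-1] in ("0", "1") else None


def check_pair(server, client):
    """Return human-readable findings; an empty list means the sides agree."""
    findings = []
    # 'local' pins the listener to one address. Bound to the LAN address,
    # nothing listens on the WAN address: TCP gets a reset, UDP is dropped.
    if server.get("local"):
        bind = server["local"][0]
        try:
            if ipaddress.ip_address(bind).is_private:
                findings.append("server 'local %s' binds the listener to a private (LAN) "
                                "address; remote clients hitting the WAN address are refused "
                                "(tcp) or time out (udp). Drop 'local'." % bind)
        except ValueError:
            findings.append("server 'local %s' is not an IP literal; confirm it resolves "
                            "to the address clients connect to" % bind)
    sproto, cproto = _base_proto(server.get("proto")), _base_proto(client.get("proto"))
    if sproto != cproto:
        findings.append("proto mismatch: server %s, client %s" % (sproto, cproto))
    sport = (server.get("port") or ["1194"])[0]
    remote = client.get("remote") or []
    cport = remote[1] if len(remote) > 1 else "1194"
    if sport != cport:
        findings.append("port mismatch: server %s, client %s" % (sport, cport))
    if ("tls-auth" in server) != ("tls-auth" in client):
        findings.append("tls-auth configured on only one side")
    elif "tls-auth" in server:
        dirs = (_ta_direction(server["tls-auth"]), _ta_direction(client["tls-auth"]))
        if dirs not in ((None, None), ("0", "1"), ("1", "0")):
            findings.append("tls-auth key direction must be 0 on the server and 1 on the "
                            "client (or omitted on both); got server %s, client %s" % dirs)
    sc, cc = (server.get("cipher") or ["(default)"])[0], (client.get("cipher") or ["(default)"])[0]
    if sc != cc:
        findings.append("cipher mismatch: server %s, client %s" % (sc, cc))
    if ("comp-lzo" in server) != ("comp-lzo" in client):
        findings.append("comp-lzo enabled on only one side")
    sd, cd = (server.get("dev") or [""])[0][:3], (client.get("dev") or [""])[0][:3]
    if sd != cd:
        findings.append("dev mismatch: server %s, client %s" % (sd, cd))
    return findings


def lint(server_uci_text, client_ovpn_text):
    return check_pair(parse_uci_openvpn(server_uci_text), parse_ovpn(client_ovpn_text))


if __name__ == "__main__":
    for finding in lint(SERVER_UCI, CLIENT_OVPN):
        print("FINDING:", finding)
```

Run against the configs from the thread it reports the single `local` finding; with that line removed it reports nothing, which matches the fix in the post above. One thing no lint of these two dumps can tell you: the `vpn` firewall zone is attached to a network called `vpn0`, which only covers the tunnel if /etc/config/network (not shown in the thread) defines an interface `vpn0` whose ifname is tun0, so check that with `uci show network` if traffic still fails after the listener is reachable.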

The discussion might have continued from here.