OpenWrt Forum Archive

Topic: OpenWRT with 3g dongle: OpenVPN does not work


Hi,

I have a problem with my OpenVPN project on a TP-Link MR3020 router running OpenWrt BB 14.07, which should work as the server. I did the installation as described in the OpenWrt wiki's "OpenVPN Setup Guide for Beginners", and everything went as described there except for the command

route add -net 8.8.8.8 netmask 255.255.255.255 gateway 10.8.0.5

I get: route: SIOCADDRT: No such process

So I think the tunnel is not working.

Here are my Config-Files:

/etc/config/network:

# Loopback interface: static 127.0.0.1/8 on 'lo'.
config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

# Wired LAN: static 192.168.1.2/24 on eth0; gateway and DNS are both 192.168.1.1.
# NOTE(review): a static gateway here presumably adds a default route next to
# the one from the '3g' uplink - confirm which route wins with `route -n`.
config interface 'lan'
        option ifname 'eth0'
        option _orig_ifname 'eth0'
        option _orig_bridge 'false'
        option proto 'static'
        option netmask '255.255.255.0'
        option gateway '192.168.1.1'
        option broadcast '192.168.1.255'
        option dns '192.168.1.1'
        option ipaddr '192.168.1.2'

# IPv6 unique-local prefix for this router.
config globals 'globals'
        option ula_prefix 'fda7:b97b:37b2::/48'

# 'wifi' interface: static 192.168.2.110/24, declared as a bridge, gateway 192.168.2.1.
# NOTE(review): ifname is 'eth0', the same device already assigned to 'lan',
# while _orig_ifname says 'wlan0' - looks unintended; confirm.
config interface 'wifi'
        option proto 'static'
        option netmask '255.255.255.0'
        option type 'bridge'             
        option _orig_ifname 'wlan0'           
        option _orig_bridge 'true'             
        option ifname 'eth0'                   
        option ipaddr '192.168.2.110'         
        option gateway '192.168.2.1'           
        option broadcast '192.168.2.255'       
                                               
# Mobile uplink through the 3G modem on /dev/ttyUSB0 (proto '3g', service 'umts').
# NOTE(review): the SIM PIN and the APN username/password are stored in
# cleartext in this file; redact them before posting a config publicly.
config interface '3g'                         
        option proto '3g'                     
        option device '/dev/ttyUSB0'           
        option service 'umts'                 
        option pincode '1234'                 
        option username 'internet'             
        option password 'internet'             
        option apn 'web.vodafone.de'           
                                               
# Unmanaged interface (proto 'none') on tun0; the firewall config refers to the
# tunnel device through this name ('vpn0').
config interface 'vpn0'                 
        option ifname 'tun0'           
        option proto 'none'             
        option auto '1'

*********************************************
/etc/config/firewall

# Global defaults: accept traffic to and from the router itself, reject
# forwarded traffic unless a 'forwarding' section allows it; SYN-flood
# protection is on.
config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

# Zone for the wired LAN ('lan' interface): everything accepted.
config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

# Zone for the 'wifi' interface: traffic to/from the router accepted,
# forwarding within the zone rejected.
config zone
        option name 'wifi'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option network 'wifi'
        option forward 'REJECT'

# Uplink zone for the '3g' interface, with masquerading (masq) and MSS
# clamping (mtu_fix).
# NOTE(review): input 'ACCEPT' lets hosts on the mobile network reach every
# service listening on the router (the stock OpenWrt 'wan' zone uses REJECT),
# and it makes the Allow-OpenVPN-Inbound rule below redundant. Prefer input
# 'REJECT' plus the explicit rule - confirm nothing else depends on it.
config zone
        option name 'wwan'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'     
        option network '3g'   
        option input 'ACCEPT' 
        option forward 'REJECT'
                               
# Pulls in custom rules from /etc/firewall.user.
config include                 
        option path '/etc/firewall.user'
                                       
# NOTE(review): this section and the next one allow traffic arriving from the
# mobile uplink ('wwan') to be forwarded into 'lan' and 'wifi'. An uplink zone
# normally has no inbound forwardings - presumably unintended; confirm.
config forwarding                       
        option dest 'lan'               
        option src 'wwan'               
                                       
config forwarding                       
        option dest 'wifi'             
        option src 'wwan'               
                                       
# LAN clients may go out through the mobile uplink.
config forwarding                       
        option dest 'wwan'             
        option src 'lan'               
                                       
# Hosts in the 'wifi' zone may reach the LAN.
config forwarding                       
        option dest 'lan'               
        option src 'wifi'
                                       
# Hosts in the 'wifi' zone may go out through the mobile uplink.
config forwarding                       
        option dest 'wwan'             
        option src 'wifi'               
                                       
# Accept inbound UDP/1194 (the OpenVPN server port) on the router.
# NOTE(review): src '.*' is not a zone defined in this file; fw3 expects a zone
# name such as 'wwan' (or '*' for any zone), so this rule presumably does not
# match as intended - check the firewall reload output.
config rule                             
        option name 'Allow-OpenVPN-Inbound'
        option target 'ACCEPT'             
        option src '.*'                   
        option proto 'udp'                 
        option dest_port '1194'           
                                           
# Zone for the tunnel interface ('vpn0' = tun0): everything accepted.
config zone                               
        option name 'vpn'                 
        option input 'ACCEPT'             
        option forward 'ACCEPT'           
        option output 'ACCEPT'             
        option network 'vpn0'             
                                           
# NOTE(review): no zone named 'wan' exists in this file (the uplink zone is
# 'wwan'), so this forwarding presumably has no effect and VPN clients are not
# forwarded to the internet - confirm.
config forwarding                         
        option src 'vpn'                   
        option dest 'wan'

*****************************************
/etc/config/openvpn:


# OpenVPN instance 'myvpn': routed (tun) server on UDP port 1194 that hands out
# client addresses from 10.8.0.0/24.
# NOTE(review): no tls_auth key is configured in this section, so the listener
# answers TLS handshakes from any source; consider adding one.
config openvpn 'myvpn'
        option enabled '1'
        option dev 'tun'
        option port '1194'
        option proto 'udp'
        # Log goes to /tmp/openvpn.log at verbosity 3.
        option log '/tmp/openvpn.log'
        option verb '3'
        # PKI material: CA certificate, server certificate and server private key.
        # NOTE(review): the private key should be readable by root only - confirm
        # the permissions on /etc/openvpn/ServerForVPN.key.
        option ca '/etc/openvpn/ca.crt'
        option cert '/etc/openvpn/ServerForVPN.crt'
        option key '/etc/openvpn/ServerForVPN.key'
        option server '10.8.0.0 255.255.255.0'
        # Diffie-Hellman parameters (2048-bit, going by the file name).
        option dh '/etc/openvpn/dh2048.pem'

I can reach the Internet and

traceroute 10.8.0.1 and
traceroute 8.8.8.8

works.

Can somebody tell me what's my error?

Michael

Hi!

Some carriers use NAT inside their networks; in that case you can't run an OpenVPN server, because there is another router between your OpenWrt device and the clients.

Please check your WAN IP address, then make a traceroute to www.google.com and show the results.

#traceroute www.google.com

Post the result of the command netstat -tupan | grep 1194



Another test is check OpenPorts.

1. Connect your OpenWRT with 3G.
2. Check the WAN IP address
3. Start the OpenVPN daemon.
4. outside this network execute nmap command. In linux you can execute this:
     

# nmap your_ip_address -p 1194 -sU

            you may need run this command as root.
5. If everything is ok you will see the word open in your screen.

Hi and thank you that you take your time for my problem.

Yes I know that it could be that the ISP give me only a local IP and so I can not reach my server/router, but ifconfig says to me that there is no traffic on the interface tun0. Am I right that it doesn' t matter (for the first tests) if there is a client or not?

OK, your Questions:

traceroute www.google.de
traceroute to www.google.de (173.194.112.55), 30 hops max, 38 byte packets
1  10.218.128.5 (10.218.128.5)  49.251 ms  86.100 ms  88.737 ms
2  10.218.129.61 (10.218.129.61)  47.863 ms  46.674 ms  49.061 ms
3  10.218.129.34 (10.218.129.34)  47.989 ms  86.624 ms  49.028 ms
4  10.218.130.20 (10.218.130.20)  88.300 ms  46.525 ms  49.799 ms
5  10.218.130.26 (10.218.130.26)  49.471 ms  46.575 ms  48.647 ms
6  92.79.230.45 (92.79.230.45)  88.126 ms  92.79.230.33 (92.79.230.33)  46.923 ms  47.145 ms
7  92.79.211.210 (92.79.211.210)  49.636 ms  92.79.211.206 (92.79.211.206)  58.083 ms  92.79.211.210 (92.79.211.210)  87.306 ms
8  145.253.33.114 (145.253.33.114)  45.910 ms  47.482 ms  49.766 ms
9  209.85.249.134 (209.85.249.134)  49.607 ms  47.967 ms  159.639 ms
10  72.14.233.31 (72.14.233.31)  50.219 ms  48.100 ms  72.14.233.214 (72.14.233.214)  49.501 ms
11  209.85.255.60 (209.85.255.60)  58.060 ms  57.961 ms  72.14.232.42 (72.14.232.42)  99.762 ms
12  216.239.48.132 (216.239.48.132)  68.064 ms  209.85.254.232 (209.85.254.232)  58.053 ms  216.239.48.138 (216.239.48.138)  58.176 ms
13  216.239.40.181 (216.239.40.181)  57.914 ms  57.896 ms  216.239.40.219 (216.239.40.219)  99.717 ms
14  216.239.40.215 (216.239.40.215)  107.776 ms  216.239.41.136 (216.239.41.136)  67.924 ms  209.85.243.109 (209.85.243.109)  68.155 ms
15  209.85.251.247 (209.85.251.247)  66.613 ms  209.85.250.142 (209.85.250.142)  108.016 ms  209.85.251.247 (209.85.251.247)  67.874 ms
16  72.14.235.247 (72.14.235.247)  65.663 ms  66.962 ms  79.623 ms
17  fra07s28-in-f23.1e100.net (173.194.112.55)  69.473 ms  68.444 ms  99.546 ms


netstat -tupan | grep 1194
udp        0      0 0.0.0.0:1194            0.0.0.0:*                           1341/openvpn

Over ifconfig i got the wan-IP: 2.203.199.165. I logged out of my router with openWRT and made another I-Netconnection (DSL-cable). Then typed in (have to install that package first):

nmap 2.203.199.165 -p 1194 -sU

Starting Nmap 6.47 ( http://nmap.org ) at 2015-08-30 07:24 CEST
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.09 seconds

nmap 2.203.199.165 -Pn 1194 -sU brings me:

Starting Nmap 6.47 ( http://nmap.org ) at 2015-08-30 07:30 CEST
setup_target: failed to determine route to 1194 (0.0.4.170)
Nmap scan report for ip-2-203-199-165.web.vodafone.de (2.203.199.165)
Host is up (0.16s latency).
Not shown: 999 open|filtered ports
PORT    STATE  SERVICE
500/udp closed isakmp

Nmap done: 1 IP address (1 host up) scanned in 205.21 seconds

The ISP web.vodafone.de is correct.

(Last edited by MiPl on 30 Aug 2015, 06:36)

MiPl wrote:

Yes I know that it could be that the ISP give me only a local IP and so I can not reach my server/router, but ifconfig says to me that there is no traffic on the interface tun0. Am I right that it doesn' t matter (for the first tests) if there is a client or not?

There is no traffic because there is nothing to send or receive.



MiPl wrote:

OK, your Questions:

Ok. let's do!


MiPl wrote:

traceroute www.google.de
traceroute to www.google.de (173.194.112.55), 30 hops max, 38 byte packets
1  10.218.128.5 (10.218.128.5)  49.251 ms  86.100 ms  88.737 ms
2  10.218.129.61 (10.218.129.61)  47.863 ms  46.674 ms  49.061 ms
3  10.218.129.34 (10.218.129.34)  47.989 ms  86.624 ms  49.028 ms
4  10.218.130.20 (10.218.130.20)  88.300 ms  46.525 ms  49.799 ms
5  10.218.130.26 (10.218.130.26)  49.471 ms  46.575 ms  48.647 ms
6  92.79.230.45 (92.79.230.45)  88.126 ms  92.79.230.33 (92.79.230.33)  46.923 ms  47.145 ms
7  92.79.211.210 (92.79.211.210)  49.636 ms  92.79.211.206 (92.79.211.206)  58.083 ms  92.79.211.210 (92.79.211.210)  87.306 ms
8  145.253.33.114 (145.253.33.114)  45.910 ms  47.482 ms  49.766 ms
9  209.85.249.134 (209.85.249.134)  49.607 ms  47.967 ms  159.639 ms
10  72.14.233.31 (72.14.233.31)  50.219 ms  48.100 ms  72.14.233.214 (72.14.233.214)  49.501 ms
11  209.85.255.60 (209.85.255.60)  58.060 ms  57.961 ms  72.14.232.42 (72.14.232.42)  99.762 ms
12  216.239.48.132 (216.239.48.132)  68.064 ms  209.85.254.232 (209.85.254.232)  58.053 ms  216.239.48.138 (216.239.48.138)  58.176 ms
13  216.239.40.181 (216.239.40.181)  57.914 ms  57.896 ms  216.239.40.219 (216.239.40.219)  99.717 ms
14  216.239.40.215 (216.239.40.215)  107.776 ms  216.239.41.136 (216.239.41.136)  67.924 ms  209.85.243.109 (209.85.243.109)  68.155 ms
15  209.85.251.247 (209.85.251.247)  66.613 ms  209.85.250.142 (209.85.250.142)  108.016 ms  209.85.251.247 (209.85.251.247)  67.874 ms
16  72.14.235.247 (72.14.235.247)  65.663 ms  66.962 ms  79.623 ms
17  fra07s28-in-f23.1e100.net (173.194.112.55)  69.473 ms  68.444 ms  99.546 ms

Your first hop, 10.218.128.5, is in a private address range (10.0.0.0/8). You are behind a NAT.


MiPl wrote:

netstat -tupan | grep 1194
udp        0      0 0.0.0.0:1194            0.0.0.0:*                           1341/openvpn

This is OK, your Openvpn Server is running.


MiPl wrote:

Over ifconfig i got the wan-IP: 2.203.199.165. I logged out of my router with openWRT and made another I-Netconnection (DSL-cable). Then typed in (have to install that package first):

How did you get this WAN IP address?
This address is from Germany, and you are in Denmark?


MiPl wrote:

nmap 2.203.199.165 -p 1194 -sU

Starting Nmap 6.47 ( http://nmap.org ) at 2015-08-30 07:24 CEST
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.09 seconds

Port is closed.

MiPl wrote:

nmap 2.203.199.165 -Pn 1194 -sU brings me:

Starting Nmap 6.47 ( http://nmap.org ) at 2015-08-30 07:30 CEST
setup_target: failed to determine route to 1194 (0.0.4.170)
Nmap scan report for ip-2-203-199-165.web.vodafone.de (2.203.199.165)
Host is up (0.16s latency).
Not shown: 999 open|filtered ports
PORT    STATE  SERVICE
500/udp closed isakmp

Nmap done: 1 IP address (1 host up) scanned in 205.21 seconds

The ISP web.vodafone.de is correct.

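Here too the port is closed. (The command is missing `-p` before 1194, so nmap treated 1194 as a second target, hence the "failed to determine route to 1194 (0.0.4.170)" line, and this output says nothing about UDP port 1194 itself; repeat the scan with `-Pn -p 1194 -sU`.)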


You need to find out whether you are using a shared IP address. You are probably inside a Vodafone network and sharing your public IP address over NAT. If you are 100% sure there is no NAT, you have to ask your carrier to open at least one UDP port.

Best regards.

gamba47

Hi,

I got the IP over ifconfig.

I am in Germany. So if the IP is from Germany everything seems ok.

Well, you're quite sure that I am in a private network. Sad, but the router will go to Spain in the next few days, and I don't know whether there is a private network there too. I will check this when I am there.

Thank you for your help.

Michael

My 2c. Most mobile providers will give you an IP from the 10.XX.XX.XX range; that is, it is private and you cannot run any server (http/ssh/openvpn) on it. To be more precise, you can run it, but it won't be accessible from outside :) I have seen a public IP address on a 3G connection when I was abroad (with a three.co.uk SIM card), but I have not tested whether ports are blocked or not.

I'll be on a Finca with nothing around. So might be there is a chance. I'll try it.
