OpenWrt Forum Archive

Topic: Setting up OpenVPN

The content of this topic has been archived between 7 Apr 2018 and 19 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Everything is correct. You are using a TUN interface. That means openvpn creates another subnet, which is specified by the option 'server' in the server's config.

Hi khain,

thanks for your response. This means, in a first step, I had to copy all firewall rules of my LAN and match them on the VPN access / VPN IP to give the connected account permissions to e.g. surf the internet and access everything in the LAN?!

Or how would I go on opening my vpn net a little bit for connected accounts? Are there any keywords I can search the wiki for?

Thanks and kind regards,

Dirk

PS: Minutes ago I managed to add my openvpn config to the iOS OpenVPN app, so I can also test from home, over the 3G or 4G net.

(Last edited by dirk1312 on 6 Jun 2016, 12:03)

dirk1312 wrote:

... I had to copy all firewall rules of my lan and match them on the vpn access / vpn ip to give the connected account permissions to e.g. surf the internet and access everything in the LAN?!

No, to access everything in the server's LAN you have to push routes to clients and enable forwarding VPN<=>LAN. First check if the connection to hosts in the server's LAN from openvpn's clients is ok, then you can drop packets from specific clients who don't need access to the server's LAN. To block a specific client you have to do 2 main things: set a static IP for the client in the openvpn environment and block this IP address with iptables (e.g. client name is client3 and his IP address in openvpn is 10.1.1.3):
1) Uncomment

option client_config_dir       '/etc/openvpn/clients/'

in /etc/config/openvpn
2) create a file in /etc/openvpn/clients/ with a name exactly the same as the Common Name of the client you want to block (the Common Name is in the client's certificate, e.g. CN=client3). The file name is case sensitive and has to be without extension.
3) Edit this file, in our instance it is: /etc/openvpn/clients/client3
and put this:

ifconfig-push 10.1.1.3 255.255.255.0

4) Block 10.1.1.3 access to LAN by editing /etc/config/firewall

config rule
        option enabled '1'
        option src 'vpn'
        option dest 'lan'
        option name 'block client3'
        option src_ip '10.1.1.3'
        option dest_ip '192.168.1.0'
        option target 'DROP'

192.168.1.0 is the address of the server's LAN.
Then restart openvpn and the firewall

/etc/init.d/openvpn restart
/etc/init.d/firewall restart

(Last edited by khain on 6 Jun 2016, 12:58)
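A script for khain's procedure above, as an added example that is not from the thread: it writes the client-config-dir file named after the certificate CN, refuses addresses outside the tunnel subnet, and emits the DROP rule as a 'uci batch' script. The ccd path and the 10.1.1.0/24 and 192.168.1.0/24 subnets are taken from the thread; block_client and the /24 mask on dest_ip are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the thread): pin an OpenVPN client to a fixed
# tunnel address via client-config-dir and emit the matching UCI firewall
# rule that drops that address's traffic into the LAN. Paths and subnets
# are assumptions taken from the thread; CCD_DIR can be overridden for tests.

CCD_DIR="${CCD_DIR:-/etc/openvpn/clients}"
TUN_NET="10.1.1"            # first three octets of the 'server' subnet
LAN_NET="192.168.1.0/24"    # server's LAN, with mask (this example's choice)

# Print the ccd file body that pins a client to $2. Refuse the server's own
# .1 address and anything outside the tunnel subnet: openvpn would accept
# the file but the client would never get a working address.
ccd_body() {
    cn="$1"; ip="$2"
    case "$ip" in
        "$TUN_NET".1) echo "refusing server address $ip for $cn" >&2; return 1 ;;
        "$TUN_NET".*) ;;
        *) echo "$ip is not inside $TUN_NET.0/24" >&2; return 1 ;;
    esac
    printf 'ifconfig-push %s 255.255.255.0\n' "$ip"
}

# Write the ccd file. The file name must be exactly the certificate CN,
# case preserved and without extension, or openvpn will not pick it up.
write_ccd() {
    cn="$1"; ip="$2"
    mkdir -p "$CCD_DIR"
    ccd_body "$cn" "$ip" > "$CCD_DIR/$cn" || { rm -f "$CCD_DIR/$cn"; return 1; }
}

# Emit a 'uci batch' script adding the DROP rule for the pinned address.
block_rule_uci() {
    cn="$1"; ip="$2"
    cat <<EOF
add firewall rule
set firewall.@rule[-1].enabled='1'
set firewall.@rule[-1].name='block $cn'
set firewall.@rule[-1].src='vpn'
set firewall.@rule[-1].dest='lan'
set firewall.@rule[-1].src_ip='$ip'
set firewall.@rule[-1].dest_ip='$LAN_NET'
set firewall.@rule[-1].target='DROP'
commit firewall
EOF
}

# On the router: write the file, load the rule, restart both services.
block_client() {
    write_ccd "$1" "$2" || return 1
    block_rule_uci "$1" "$2" | uci batch &&
    /etc/init.d/openvpn restart && /etc/init.d/firewall restart
}
```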

The choice of AES-256-CBC will impact your VPN speed to some extent.  Using 128 will probably speed things up.  Router CPUs generally do not have hardware AES-NI.

This does not impact any of your current issues.  Leave it for now.

Hi khain,

thanks a lot for your response. I tried to read several sources on the OpenWrt and OpenVPN websites, but I'm not so sure if I'm really clear about the phrases used.

khain wrote:

No, to access everything in server's LAN you have to push routes to clients and enable forwarding VPN<=>LAN.

I now added the following to my /etc/config/openvpn file:

        option client_config_dir '/etc/openvpn/clients/'
# this line raises validation errors in luci when restarting openvpn
#        iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE 

The clients directory as mentioned below for being able to block users, and the iptables entry I found on the OpenVPN website. Is this correct and, if I only wanted this config for e.g. 1 of 10 clients, would / could I put this also in the client's config file in the /etc/openvpn/clients folder?

khain wrote:

First check if connection to hosts in server's LAN from openvpn's clients is ok, then you can drop packets from specific client who don't need access to server's LAN.

How do I check this? When I connect to my VPN using my iPhone and then check LuCI's overview page -> DHCP Leases, I see "dirk's iphone", but the IP is 10.50.50.x and not 192.168.1.x as expected for VPN connections?!
[EDIT]: When I restart my router while my iPhone is connected via VPN, I don't see my iPhone connected in LuCI's overview after the router restarted.

khain wrote:

To block specific client you have to do 2 main things: set static IP for the client in openvpn environment and block this IP address with iptables (e.g. client name is client3 and his IP address in openvpn is 10.1.1.3):
1) Uncomment

option client_config_dir       '/etc/openvpn/clients/'

in /etc/config/openvpn
2) create a file in /etc/openvpn/clients/ with a name exactly the same as the Common Name of the client you want to block (the Common Name is in the client's certificate, e.g. CN=client3). The file name is case sensitive and has to be without extension.
3) Edit this file, in our instance it is: /etc/openvpn/clients/client3
and put this:

ifconfig-push 10.1.1.3 255.255.255.0

4) Block 10.1.1.3 access to LAN by editing /etc/config/firewall

config rule
        option enabled '1'
        option src 'vpn'
        option dest 'lan'
        option name 'block client3'
        option src_ip '10.1.1.3'
        option dest_ip '192.168.1.0'
        option target 'DROP'

192.168.1.0 is the address of the server's LAN.
Then restart openvpn and the firewall

/etc/init.d/openvpn restart
/etc/init.d/firewall restart

Where exactly can I find / configure my client's client name? I guess in my case it's "my-client", since the generated .crt and .key files are named "my-client.crt/.key"?!

RangerZ wrote:

The choice of AES-256-CBC will impact your VPN speed to some extent.  Using 128 will probably speed things up.  Router CPUs generally do not have hardware AES-NI.

This does not impact any of your current issues.  Leave it for now.

Thank you. Since there are no performance issues yet, I'd keep the 256-CBC. When everything works, this is probably a good option to speed everything up, if there are performance issues.

Sorry for wasting your time, and thanks to both of you for your time. Currently it's still hard for me to understand the big picture.

Thanks and kind regards,

Dirk


/etc/config/openvpn

config openvpn 'VPNserver'
 
        option enabled     '1'
 
    # --- Protocol ---#
        option dev         'tun0'
        option topology    'subnet'
        option proto       'udp'
        option port        '1194'
 
    #--- Routes ---#
        option server    '10.1.1.0 255.255.255.0'
        option ifconfig  '10.1.1.1 255.255.255.0'
 
    #--- Client Config ---#
        option client_config_dir '/etc/openvpn/clients/'
#        iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE

    #--- Pushed Routes ---#
        list push    'route 192.168.1.0 255.255.255.0'
        list push    'dhcp-option DNS 192.168.1.1'
        list push    'dhcp-option WINS 192.168.1.1'
        list push    'dhcp-option DNS 8.8.8.8'
        list push    'dhcp-option DNS 8.8.4.4'
        list push    'dhcp-option NTP 129.6.15.30'
        list push    'redirect-gateway def1' 
 
    #--- Encryption ---#
        option cipher     'AES-256-CBC'
        option dh         '/etc/openvpn/keys/dh2048.pem'
        option ca         '/etc/openvpn/keys/ca.crt'
        option cert       '/etc/openvpn/keys/my-server.crt'
        option key        '/etc/openvpn/keys/my-server.key'
 
    #--- Logging ---#
        option log           '/tmp/openvpn.log'
        option status        '/tmp/openvpn-status.log'
        option verb          '7'
 
    #--- Connection Options ---#
        option keepalive        '10 120'
        option comp_lzo         'yes'
 
    #--- Connection Reliability ---#
        option client_to_client '1'
        option persist_key      '1'
        option persist_tun      '1'
 
    #--- Connection Speed ---#    
  
    #--- Pushed Buffers ---#

    #--- Permissions ---#

(Last edited by dirk1312 on 7 Jun 2016, 20:30)

Hi all,

It took me some time to read a little bit more about openvpn, and I now tried to add forwarding from vpn to wan and vpn to lan, but that does not work either.

I'm not so sure if it's a problem that I don't see my iPhone (connected via 4G / LTE with OpenVPN to the VPN) in LuCI's overview? I expected to see the iPhone's VPN IP as part of the network.

Here is my firewall rule (/etc/config/firewall):

config rule
    option target 'ACCEPT'
    option proto 'tcp udp'
    option family 'ipv4'
    option src '*'
    option dest_port '1194'
    option name 'Allow Inbound VPN0'

config rule
    option target 'ACCEPT'
    option proto 'tcp udp'
    option family 'ipv4'
    option src '*'
    option src_ip '10.1.1.0/24'
    option dest_ip '192.168.1.0/26'
    option name 'Allow Inbound VPN0 Traffic to LAN'

config rule
    option target 'ACCEPT'
    option proto 'tcp udp'
    option family 'ipv4'
    option src '*'
    option src_ip '10.1.1.0/24'
    option dest '*'
    option dest_ip '192.168.1.0/26'
    option name 'Allow Forwarded VPN0 Traffic to LAN'

config rule
    option target 'ACCEPT'
    option proto 'icmp'
    option src_ip '10.1.1.0/24'
    option src '*'
    option dest 'lan'
    option name 'Allow Inbound ICMP Traffic from VPN0 to LAN'

config rule
    option target 'ACCEPT'
    option proto 'icmp'
    option src '*'
    option src_ip '10.1.1.0/24'
    option dest 'wan'
    option name 'Allow Outbound ICMP Echo Request (8) from VPN0'
    list icmp_type 'echo-request'

config defaults
    option syn_flood '1'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'DROP'

config zone
    option name 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option network 'lan'
    option forward 'ACCEPT'

config zone
    option name 'vpn'
    option input 'ACCEPT'
    option forward 'ACCEPT'
    option output 'ACCEPT'
    option network 'vpn0'
    option family 'ipv4'
    option masq '1'

config zone
    option name 'wan'
    option output 'ACCEPT'
    option masq '1'
    option mtu_fix '1'
    option network 'wan wan6'
    option input 'DROP'
    option forward 'DROP'

config include
    option path '/etc/firewall.user'

config defaults
    option syn_flood '1'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'

config zone
    option name 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    option network 'lan'

config zone
    option name 'wan'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'
    option network 'wan wan6'

config rule
    option name 'Allow-DHCP-Renew'
    option src 'wan'
    option proto 'udp'
    option dest_port '68'
    option target 'ACCEPT'
    option family 'ipv4'

config rule
    option name 'Allow-Ping'
    option src 'wan'
    option proto 'icmp'
    option icmp_type 'echo-request'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-IGMP'
    option src 'wan'
    option proto 'igmp'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-DHCPv6'
    option src 'wan'
    option proto 'udp'
    option src_ip 'fc00::/6'
    option dest_ip 'fc00::/6'
    option dest_port '546'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-MLD'
    option src 'wan'
    option proto 'icmp'
    option src_ip 'fe80::/10'
    list icmp_type '130/0'
    list icmp_type '131/0'
    list icmp_type '132/0'
    list icmp_type '143/0'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Input'
    option src 'wan'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    list icmp_type 'router-solicitation'
    list icmp_type 'neighbour-solicitation'
    list icmp_type 'router-advertisement'
    list icmp_type 'neighbour-advertisement'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Forward'
    option src 'wan'
    option dest '*'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config include
    option path '/etc/firewall.user'

config rule
    option src 'wan'
    option dest 'lan'
    option proto 'esp'
    option target 'ACCEPT'

config rule
    option src 'wan'
    option dest 'lan'
    option dest_port '500'
    option proto 'udp'
    option target 'ACCEPT'

config zone
    option name 'guest'
    option input 'ACCEPT'
    option forward 'REJECT'
    option output 'ACCEPT'
    option network 'guest'
    option masq '1'

config rule
    option target 'ACCEPT'
    option proto 'tcp udp'
    option dest_port '53'
    option name 'Guest DNS'
    option src 'guest'

config rule
    option target 'ACCEPT'
    option proto 'udp'
    option dest_port '67-68'
    option name 'Guest DHCP'
    option src 'guest'

config zone
    option name 'vpn'
    option input 'ACCEPT'
    option forward 'ACCEPT'
    option output 'ACCEPT'
    option network 'vpn0'
    option masq '1'

config redirect
    option target 'SNAT'
    option src 'guest'
    option dest 'lan'
    option proto 'all'
    option src_dip '10.50.50.1'
    option name 'allow-guest-INTERNET'
    option enabled '0'

config rule
    option src 'guest'
    option dest 'lan'
    option name 'reject-guest-any-lan'
    option proto 'all'
    option target 'REJECT'
    option enabled '0'

config forwarding
    option dest 'wan'
    option src 'vpn'

config forwarding
    option dest 'wan'
    option src 'guest'

config forwarding
    option dest 'vpn'
    option src 'lan'

config forwarding
    option dest 'wan'
    option src 'lan'

config forwarding
    option dest 'lan'
    option src 'vpn'

It would be kind if you could help me once again.

Thanks and kind regards,

Dirk

I don't use LuCI or UCI to configure openvpn, but I think that the package luci-app-openvpn only shows server instances, that's all. Gargoyle has a plugin that shows how many clients are connected at a time.

LuCI can be used to configure either the server or the client config for OpenVPN. I also do not use this. I find it cumbersome and difficult to navigate. FYI, I also do not find that the start\stop controls in Services => OpenVPN work reliably.

I use WinSCP to do all my OpenWrt config maintenance. It has a built-in text editor and a command console (to start\stop\enable\disable things).

All this client config is beyond my skill set.

I'm not using LuCI that much, only if I find tutorials / howtos that explicitly explain things for LuCI. In general I also use WinSCP (but only to copy files between router <=> PC). For all other issues I use PuTTY and vi.

I strongly suggest the editor.

Tonight I still tried around "a little" bit and, when restarting the firewall / network, I got the following output:

root@router:~# uci commit network ; /etc/init.d/network reload ; uci commit firewall ; /etc/init.d/firewall restart
Warning: Unable to locate ipset utility, disabling ipset support
 * Flushing IPv4 filter table
 * Flushing IPv4 nat table
 * Flushing IPv4 mangle table
 * Flushing IPv4 raw table
 * Flushing IPv6 filter table
 * Flushing IPv6 mangle table
 * Flushing IPv6 raw table
 * Flushing conntrack table ...
 * Populating IPv4 filter table
   * Zone 'lan'
   * Zone 'vpn'
   * Zone 'wan'
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'guest'
   * Zone 'vpn'
   * Rule 'Allow Inbound VPN0'
   * Rule 'Allow Inbound VPN0 Traffic to LAN'
   * Rule 'Allow Forwarded VPN0 Traffic to LAN'
   * Rule 'Allow Inbound ICMP Traffic from VPN0 to LAN'
   * Rule 'Allow Outbound ICMP Echo Request (8) from VPN0'
   * Rule 'Allow-DHCP-Renew'
   * Rule 'Allow-Ping'
   * Rule 'Allow-IGMP'
   * Rule #12
   * Rule #13
   * Rule 'Guest DNS'
   * Rule 'Guest DHCP'
   * Forward 'guest' -> 'wan'
   * Forward 'lan' -> 'wan'
   * Forward 'vpn' -> 'lan'
   * Forward 'lan' -> 'vpn'
 * Populating IPv4 nat table
   * Zone 'lan'
   * Zone 'vpn'
   * Zone 'wan'
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'guest'
   * Zone 'vpn'
 * Populating IPv4 mangle table
   * Zone 'lan'
   * Zone 'vpn'
   * Zone 'wan'
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'guest'
   * Zone 'vpn'
 * Populating IPv4 raw table
   * Zone 'lan'
   * Zone 'vpn'
   * Zone 'wan'
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'guest'
   * Zone 'vpn'
 * Populating IPv6 filter table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'guest'
   * Zone 'vpn'
   * Rule 'Allow Inbound ICMP Traffic from VPN0 to LAN'
     ! Skipping due to different family of ip address
   * Rule 'Allow Outbound ICMP Echo Request (8) from VPN0'
     ! Skipping due to different family of ip address
   * Rule 'Allow-DHCPv6'
   * Rule 'Allow-MLD'
   * Rule 'Allow-ICMPv6-Input'
   * Rule 'Allow-ICMPv6-Forward'
   * Rule #12
   * Rule #13
   * Rule 'Guest DNS'
   * Rule 'Guest DHCP'
   * Forward 'guest' -> 'wan'
   * Forward 'lan' -> 'wan'
   * Forward 'vpn' -> 'lan'
     ! Skipping due to different family of zone
   * Forward 'lan' -> 'vpn'
     ! Skipping due to different family of zone
 * Populating IPv6 mangle table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'guest'
   * Zone 'vpn'
 * Populating IPv6 raw table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'guest'
   * Zone 'vpn'
 * Set tcp_ecn to off
 * Set tcp_syncookies to on
 * Set tcp_window_scaling to on
 * Running script '/etc/firewall.user'
 * Running script '/etc/firewall.user'

These skipped rules are probably the reason. But I couldn't find what exactly is meant by this message. Is it because I use IP addresses 10.50.50.x in the LAN and 192.168.1.x in the VPN, or is there a problem translating the addresses to IPv6 (that was one reason I read about, but I couldn't find info on how to fix that)?

Adjusting /etc/config/openvpn, /etc/config/openvpn_recipes and /etc/config/firewall to use 10.50.50. instead of 192.168.1. and restarting the network, firewall, VPN server, ... didn't make any difference.

Kind regards,

Dirk
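The fw3 output above lists each zone twice and runs /etc/firewall.user twice, which matches the posted /etc/config/firewall containing two 'config defaults', two 'lan' and 'wan' zone definitions and two 'config include' stanzas; the two rules fw3 skipped "due to different family of ip address" are exactly the ones that carry an IPv4 src_ip but no 'option family'. As an added example that is not from the thread, this lint flags both patterns in a UCI firewall file; the sample input is constructed from the posted file.

```shell
#!/bin/sh
# Added example, not from the thread: a small lint for /etc/config/firewall.
# It reports sections that appear more than once (two 'config defaults',
# a zone name defined twice), which makes fw3 populate every zone twice,
# and rules that carry an IPv4 src_ip/dest_ip but no 'option family', which
# fw3 reports as "Skipping due to different family of ip address" in its
# IPv6 pass. Usage: lint_firewall /etc/config/firewall

lint_firewall() {
    awk -v q="'" '
    function flush() {
        if (type == "defaults") ndef++
        if (type == "zone" && name != "") zones[name]++
        if (type == "rule" && family == "" &&
            (sip ~ /^[0-9.]+(\/[0-9]+)?$/ || dip ~ /^[0-9.]+(\/[0-9]+)?$/))
            print "rule " q name q " has an IPv4 address but no family: add option family ipv4"
        type = name = family = sip = dip = ""
    }
    $1 == "config" { flush(); type = $2 }
    $1 == "option" {
        v = $0; sub(/^[ \t]*option[ \t]+[^ \t]+[ \t]+/, "", v); gsub(q, "", v)
        if ($2 == "name") name = v
        else if ($2 == "family") family = v
        else if ($2 == "src_ip") sip = v
        else if ($2 == "dest_ip") dip = v
    }
    END {
        flush()
        if (ndef > 1) print "config defaults appears " ndef " times"
        for (z in zones) if (zones[z] > 1) print "zone " q z q " defined " zones[z] " times"
    }' "$1"
}

# Constructed sample reproducing the duplicated stanzas of the posted file.
lint_sample() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
config rule
    option src_ip '10.1.1.0/24'
    option dest 'lan'
    option name 'Allow Inbound ICMP Traffic from VPN0 to LAN'
config defaults
    option forward 'DROP'
config zone
    option name 'lan'
config defaults
    option forward 'REJECT'
config zone
    option name 'lan'
EOF
    lint_firewall "$f"
    rm -f "$f"
}
```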
