First I'd like to say hello and thanks for reading this.
If it's not obvious, I'm new to OpenWrt ^_^ and OpenVPN.
I've struggled with this issue for 2 days, in the process reading a lot of other forum topics and following multiple tutorials.
I want to set up a VPN server so I can access my local LAN and use my ISP IP address when travelling or on public Wi-Fi.
To achieve this I've followed this tutorial: openwrt.org/docs/guide-user/services/vpn/openvpn/server.setup
Setup information:
router private LAN: 192.168.100.0/24
the public IP is reached via ISP-provided DDNS
TUN subnet is 192.168.200.0/24
My configuration files:
/etc/config/network
# /etc/config/network as pasted: one UCI "config" stanza per interface,
# device, switch and VLAN. Indentation was lost in the paste.
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fdb2:d044:8ff8::/48'
# LAN bridge on VLAN 1 (switch ports 1-4). 192.168.100.1 is also the address
# the OpenVPN server pushes to clients as their DNS server.
config interface 'lan'
option type 'bridge'
option ifname 'eth0.1'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '192.168.100.1'
config device 'lan_dev'
option name 'eth0.1'
option macaddr '<<MAC>>'
# WAN over PPPoE on VLAN 2 (switch port 5); credentials are redacted in the paste.
config interface 'wan'
option ifname 'eth0.2'
option proto 'pppoe'
option username '<<USERNAME>>'
option password '<<PASSWORD>>'
config device 'wan_dev'
option name 'eth0.2'
# NOTE(review): unlike lan_dev above, this MAC address was not redacted.
option macaddr '84:16:f9:e8:98:15'
config interface 'wan6'
option ifname 'eth0.2'
option proto 'dhcpv6'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '1 2 3 4 0t'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '5 0t'
# Unmanaged (proto none) interface bound to the tun device that the OpenVPN
# instance creates (dev 'ovpns0' in /etc/config/openvpn), so that the firewall
# zone 'vpnserver' has a network to attach to.
config interface 'vpnserver'
option proto 'none'
option ifname 'ovpns0'
option auto '1'
/etc/config/openvpn
# /etc/config/openvpn as pasted: a single server instance. Comments marked
# NOTE(review) compare this file with the client log further down the post.
config openvpn 'vpnserver'
option enabled '1'
option dev_type 'tun'
option dev 'ovpns0'
option port '1194'
# NOTE(review): the client log shows "UDP link remote: ...:1194" and a
# completed TLS handshake, which a TCP-only listener could not serve. That
# suggests the server currently running is not using this file as shown
# (or the client config says udp) -- confirm which one is loaded.
option proto 'tcp'
# NOTE(review): compression is enabled here and pushed to clients below, yet
# the client logs "'comp-lzo' is present in local config but missing in
# remote config" and then repeated "Bad LZO decompression header byte"
# errors, i.e. the two ends disagree on compression. Disabling it on both
# sides is the simplest fix; compression on a VPN data channel is generally
# discouraged anyway.
option comp_lzo 'yes'
option keepalive '10 120'
option persist_key '1'
option persist_tun '1'
option ca '/etc/openvpn/ca.crt'
option cert '/etc/openvpn/my-server.crt'
option key '/etc/openvpn/my-server.key'
option dh '/etc/openvpn/dh2048.pem'
# Control-channel HMAC key. Key direction 0 on the server means every client
# must use the same key file with direction 1.
option tls_auth '/etc/openvpn/tls-auth.key 0'
option mode 'server'
option tls_server '1'
# Client address pool; the server end takes 192.168.200.1 (the client receives
# "route-gateway 192.168.200.1" and "ifconfig 192.168.200.2 255.255.255.0").
# NOTE(review): no 'user'/'group' options are set, so the daemon keeps root
# privileges after start-up; OpenVPN can drop them with user/group. The log
# also shows the default SHA1 control-channel HMAC; 'auth' can select SHA256.
option server '192.168.200.0 255.255.255.0'
option topology 'subnet'
option route_gateway 'dhcp'
# Lets VPN clients reach each other directly inside OpenVPN, bypassing the
# router firewall -- keep only if that is intended.
option client_to_client '1'
list push 'comp-lzo yes'
list push 'persist-key'
list push 'persist-tun'
list push 'topology subnet'
list push 'route-gateway dhcp'
# NOTE(review): the PUSH_REPLY the client actually received contains
# 'redirect-gateway def1' (without bypass-dhcp) and
# 'route 192.168.200.0 255.255.255.0' instead of the two lines below. A pushed
# route for the tun subnet itself duplicates the interface route the client
# already has, which is exactly the "RTNETLINK answers: File exists" error in
# the log. So the running server is pushing an older version of this section;
# restart openvpn after editing and re-check the PUSH_REPLY line.
list push 'redirect-gateway def1 bypass-dhcp'
list push 'route 192.168.100.0 255.255.255.0'
list push 'dhcp-option DNS 192.168.100.1'
/etc/config/firewall
# /etc/config/firewall as pasted. Zone policy defaults: input and output
# ACCEPT, forward REJECT unless a "forwarding" section allows the zone pair.
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
# wan zone: unsolicited inbound REJECT, NAT (masq) and MSS clamping (mtu_fix).
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
config forwarding
option src 'lan'
option dest 'wan'
# The rules from here down to the include are the stock OpenWrt exceptions on
# wan: DHCP/DHCPv6 renew, ping, IGMP/MLD, ICMPv6 and IPsec passthrough to lan.
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
# Opens the OpenVPN listener to the router itself (no dest = input rule).
# NOTE(review): src '*' accepts port 1194 from every zone, and 'tcpudp' opens
# both protocols although the server listens on only one. Restricting this to
# src 'wan' and the protocol actually configured in /etc/config/openvpn keeps
# the exposed surface to what is needed.
config rule
option name 'Allow-OpenVPN-Inbound'
option target 'ACCEPT'
option src '*'
option proto 'tcpudp'
option dest_port '1194'
# VPN zone on the 'vpnserver' network (the ovpns0 tun interface).
# input ACCEPT lets connected clients reach the router's own services (for
# example the DNS at 192.168.100.1 that is pushed to them).
# NOTE(review): masq '1' here SNATs traffic leaving the router through the
# tun interface (e.g. LAN hosts answering VPN clients) to the router's tun
# address. Since the LAN route is pushed to clients, that is usually not
# needed -- confirm it is wanted.
config zone
option name 'vpnserver'
option input 'ACCEPT'
option forward 'REJECT'
option output 'ACCEPT'
option masq '1'
option network 'vpnserver'
# VPN clients may reach the Internet through this router (needed together
# with the pushed redirect-gateway).
config forwarding
option src 'vpnserver'
option dest 'wan'
# NOTE(review): this allows forwarding from the wan zone into the VPN zone.
# Nothing described in this post needs it: clients always initiate towards
# the router, and the lan<->vpnserver pair below is what grants LAN access.
# Remove it unless it is deliberately required.
config forwarding
option src 'wan'
option dest 'vpnserver'
config forwarding
option src 'vpnserver'
option dest 'lan'
config forwarding
option src 'lan'
option dest 'vpnserver'
OpenWrt routes:
root@OpenWrt:~# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 10.0.0.1 0.0.0.0 UG 0 0 0 pppoe-wan
10.0.0.1 * 255.255.255.255 UH 0 0 0 pppoe-wan
192.168.100.0 * 255.255.255.0 U 0 0 0 br-lan
192.168.200.0 * 255.255.255.0 U 0 0 0 ovpns0
Messages from the Lubuntu client (Internet was provided via a mobile hotspot); I've also tried connecting with an Android client (OpenVPN app):
root@Laptop:/home/mosfet# openvpn --config /home/mosfet/Desktop/MOSFET.ovpn
Sat Mar 24 22:46:50 2018 OpenVPN 2.4.3 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul 3 2017
Sat Mar 24 22:46:50 2018 library versions: OpenSSL 1.0.2g 1 Mar 2016, LZO 2.08
Sat Mar 24 22:46:50 2018 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Mar 24 22:46:50 2018 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Mar 24 22:46:51 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]<<PUBLIC_IP>>:1194
Sat Mar 24 22:46:51 2018 Socket Buffers: R=[212992->212992] S=[212992->212992]
Sat Mar 24 22:46:51 2018 UDP link local: (not bound)
Sat Mar 24 22:46:51 2018 UDP link remote: [AF_INET]<<PUBLIC_IP>>:1194
Sat Mar 24 22:46:51 2018 TLS: Initial packet from [AF_INET]<<PUBLIC_IP>>:1194, sid=77157d7f fbf92825
Sat Mar 24 22:46:52 2018 VERIFY OK: depth=1, C=<<XX>>, ST=<<XXXX>>, O=Home.
Sat Mar 24 22:46:52 2018 VERIFY KU OK
Sat Mar 24 22:46:52 2018 Validating certificate extended key usage
Sat Mar 24 22:46:52 2018 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Sat Mar 24 22:46:52 2018 VERIFY EKU OK
Sat Mar 24 22:46:52 2018 VERIFY OK: depth=0, CN=my-server
Sat Mar 24 22:46:52 2018 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1542', remote='link-mtu 1541'
Sat Mar 24 22:46:52 2018 WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
Sat Mar 24 22:46:52 2018 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Sat Mar 24 22:46:52 2018 [my-server] Peer Connection Initiated with [AF_INET]<<PUBLIC_IP>>:1194
Sat Mar 24 22:46:53 2018 SENT CONTROL [my-server]: 'PUSH_REQUEST' (status=1)
Sat Mar 24 22:46:53 2018 PUSH: Received control message: 'PUSH_REPLY,comp-lzo yes,persist-key,persist-tun,topology subnet,route-gateway dhcp,redirect-gateway def1,route 192.168.200.0 255.255.255.0,dhcp-option DNS 192.168.100.1,route-gateway 192.168.200.1,topology subnet,ping 10,ping-restart 120,ifconfig 192.168.200.2 255.255.255.0,peer-id 0,cipher AES-256-GCM'
Sat Mar 24 22:46:53 2018 OPTIONS IMPORT: timers and/or timeouts modified
Sat Mar 24 22:46:53 2018 OPTIONS IMPORT: compression parms modified
Sat Mar 24 22:46:53 2018 OPTIONS IMPORT: --persist options modified
Sat Mar 24 22:46:53 2018 OPTIONS IMPORT: --ifconfig/up options modified
Sat Mar 24 22:46:53 2018 OPTIONS IMPORT: route options modified
Sat Mar 24 22:46:53 2018 OPTIONS IMPORT: route-related options modified
Sat Mar 24 22:46:53 2018 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sat Mar 24 22:46:53 2018 OPTIONS IMPORT: peer-id set
Sat Mar 24 22:46:53 2018 OPTIONS IMPORT: adjusting link_mtu to 1625
Sat Mar 24 22:46:53 2018 OPTIONS IMPORT: data channel crypto options modified
Sat Mar 24 22:46:53 2018 Data Channel: using negotiated cipher 'AES-256-GCM'
Sat Mar 24 22:46:53 2018 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Sat Mar 24 22:46:53 2018 Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Sat Mar 24 22:46:53 2018 ROUTE_GATEWAY 192.168.43.1/255.255.255.0 IFACE=wlp8s0 HWADDR=00:18:de:b8:17:54
Sat Mar 24 22:46:53 2018 TUN/TAP device tun0 opened
Sat Mar 24 22:46:53 2018 TUN/TAP TX queue length set to 100
Sat Mar 24 22:46:53 2018 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Sat Mar 24 22:46:53 2018 /sbin/ip link set dev tun0 up mtu 1500
Sat Mar 24 22:46:53 2018 /sbin/ip addr add dev tun0 192.168.200.2/24 broadcast 192.168.200.255
Sat Mar 24 22:46:53 2018 /sbin/ip route add <<PUBLIC_IP>>/32 via 192.168.43.1
Sat Mar 24 22:46:53 2018 /sbin/ip route add 0.0.0.0/1 via 192.168.200.1
Sat Mar 24 22:46:53 2018 /sbin/ip route add 128.0.0.0/1 via 192.168.200.1
Sat Mar 24 22:46:53 2018 /sbin/ip route add 192.168.200.0/24 via 192.168.200.1
RTNETLINK answers: File exists
Sat Mar 24 22:46:53 2018 ERROR: Linux route add command failed: external program exited with error status: 2
Sat Mar 24 22:46:53 2018 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sat Mar 24 22:46:53 2018 Initialization Sequence Completed
Sat Mar 24 22:47:03 2018 Bad LZO decompression header byte: 42
Sat Mar 24 22:47:13 2018 Bad LZO decompression header byte: 42
Sat Mar 24 22:47:23 2018 Bad LZO decompression header byte: 42
Sat Mar 24 22:47:34 2018 Bad LZO decompression header byte: 42
Sat Mar 24 22:47:44 2018 Bad LZO decompression header byte: 42
THANKS again for your time and help.
(Last edited by Mosfet on 25 Mar 2018, 11:35)