
Topic: [SOLVED] OpenVpn - client connects but no traffic (lan or wlan)


First I'd like to say hello and thanks for reading this.
If it's not obvious, I'm new to OpenWrt ^_^ and OpenVPN.
I've struggled with this issue for 2 days, in the process reading a lot of other forum topics and following multiple tutorials.

I want to make a VPN server in order to access my local LAN and use my ISP IP address when travelling or on public Wi-Fi.
To achieve this I've followed this tutorial: openwrt.org/docs/guide-user/services/vpn/openvpn/server.setup

Setup information:

  • router private lan : 192.168.100.0/24

  • public IP is reached using an ISP-provided DDNS name

  • TUN subnet is 192.168.200.0/24

My configuration files

/etc/config/network

config interface 'loopback'
    option ifname 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config globals 'globals'
    option ula_prefix 'fdb2:d044:8ff8::/48'

config interface 'lan'
    option type 'bridge'
    option ifname 'eth0.1'
    option proto 'static'
    option netmask '255.255.255.0'
    option ip6assign '60'
    option ipaddr '192.168.100.1'

config device 'lan_dev'
    option name 'eth0.1'
    option macaddr '<<MAC>>'

config interface 'wan'
    option ifname 'eth0.2'
    option proto 'pppoe'
    option username '<<USERNAME>>'
    option password '<<PASSWORD>>'

config device 'wan_dev'
    option name 'eth0.2'
    option macaddr '84:16:f9:e8:98:15'

config interface 'wan6'
    option ifname 'eth0.2'
    option proto 'dhcpv6'

config switch
    option name 'switch0'
    option reset '1'
    option enable_vlan '1'

config switch_vlan
    option device 'switch0'
    option vlan '1'
    option ports '1 2 3 4 0t'

config switch_vlan
    option device 'switch0'
    option vlan '2'
    option ports '5 0t'

config interface 'vpnserver'
    option proto 'none'
    option ifname 'ovpns0'
    option auto '1'

/etc/config/openvpn

config openvpn 'vpnserver'
    option enabled '1'
    option dev_type 'tun'
    option dev 'ovpns0'
    option port '1194'
    option proto 'tcp'
    option comp_lzo 'yes'
    option keepalive '10 120'
    option persist_key '1'
    option persist_tun '1'
    option ca '/etc/openvpn/ca.crt'
    option cert '/etc/openvpn/my-server.crt'
    option key '/etc/openvpn/my-server.key'
    option dh '/etc/openvpn/dh2048.pem'
    option tls_auth '/etc/openvpn/tls-auth.key 0'
    option mode 'server'
    option tls_server '1'
    option server '192.168.200.0 255.255.255.0'
    option topology 'subnet'
    option route_gateway 'dhcp'
    option client_to_client '1'
    list push 'comp-lzo yes'
    list push 'persist-key'
    list push 'persist-tun'
    list push 'topology subnet'
    list push 'route-gateway dhcp'
    list push 'redirect-gateway def1 bypass-dhcp'
    list push 'route 192.168.100.0 255.255.255.0'
    list push 'dhcp-option DNS 192.168.100.1'

/etc/config/firewall

config defaults
    option syn_flood '1'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'

config zone
    option name 'lan'
    list network 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'

config zone
    option name 'wan'
    list network 'wan'
    list network 'wan6'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'

config forwarding
    option src 'lan'
    option dest 'wan'

config rule
    option name 'Allow-DHCP-Renew'
    option src 'wan'
    option proto 'udp'
    option dest_port '68'
    option target 'ACCEPT'
    option family 'ipv4'

config rule
    option name 'Allow-Ping'
    option src 'wan'
    option proto 'icmp'
    option icmp_type 'echo-request'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-IGMP'
    option src 'wan'
    option proto 'igmp'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-DHCPv6'
    option src 'wan'
    option proto 'udp'
    option src_ip 'fc00::/6'
    option dest_ip 'fc00::/6'
    option dest_port '546'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-MLD'
    option src 'wan'
    option proto 'icmp'
    option src_ip 'fe80::/10'
    list icmp_type '130/0'
    list icmp_type '131/0'
    list icmp_type '132/0'
    list icmp_type '143/0'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Input'
    option src 'wan'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    list icmp_type 'router-solicitation'
    list icmp_type 'neighbour-solicitation'
    list icmp_type 'router-advertisement'
    list icmp_type 'neighbour-advertisement'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Forward'
    option src 'wan'
    option dest '*'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-IPSec-ESP'
    option src 'wan'
    option dest 'lan'
    option proto 'esp'
    option target 'ACCEPT'

config rule
    option name 'Allow-ISAKMP'
    option src 'wan'
    option dest 'lan'
    option dest_port '500'
    option proto 'udp'
    option target 'ACCEPT'

config include
    option path '/etc/firewall.user'

config rule
    option name 'Allow-OpenVPN-Inbound'
    option target 'ACCEPT'
    option src '*'
    option proto 'tcpudp'
    option dest_port '1194'

config zone
    option name 'vpnserver'
    option input 'ACCEPT'
    option forward 'REJECT'
    option output 'ACCEPT'
    option masq '1'
    option network 'vpnserver'

config forwarding
    option src 'vpnserver'
    option dest 'wan'

config forwarding
    option src 'wan'
    option dest 'vpnserver'

config forwarding
    option src 'vpnserver'
    option dest 'lan'

config forwarding
    option src 'lan'
    option dest 'vpnserver'

OpenWrt routes

root@OpenWrt:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         10.0.0.1        0.0.0.0         UG    0      0        0 pppoe-wan
10.0.0.1        *               255.255.255.255 UH    0      0        0 pppoe-wan
192.168.100.0   *               255.255.255.0   U     0      0        0 br-lan
192.168.200.0   *               255.255.255.0   U     0      0        0 ovpns0

Messages from the Lubuntu client (Internet was provided via a mobile hotspot); I've also tried connecting with an Android client (OpenVPN app).

root@Laptop:/home/mosfet# openvpn --config /home/mosfet/Desktop/MOSFET.ovpn
Sat Mar 24 22:46:50 2018 OpenVPN 2.4.3 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul  3 2017
Sat Mar 24 22:46:50 2018 library versions: OpenSSL 1.0.2g  1 Mar 2016, LZO 2.08
Sat Mar 24 22:46:50 2018 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Mar 24 22:46:50 2018 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Mar 24 22:46:51 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]<<PUBLIC_IP>>:1194
Sat Mar 24 22:46:51 2018 Socket Buffers: R=[212992->212992] S=[212992->212992]
Sat Mar 24 22:46:51 2018 UDP link local: (not bound)
Sat Mar 24 22:46:51 2018 UDP link remote: [AF_INET]<<PUBLIC_IP>>:1194
Sat Mar 24 22:46:51 2018 TLS: Initial packet from [AF_INET]<<PUBLIC_IP>>:1194, sid=77157d7f fbf92825
Sat Mar 24 22:46:52 2018 VERIFY OK: depth=1, C=<<XX>>, ST=<<XXXX>>, O=Home.
Sat Mar 24 22:46:52 2018 VERIFY KU OK
Sat Mar 24 22:46:52 2018 Validating certificate extended key usage
Sat Mar 24 22:46:52 2018 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Sat Mar 24 22:46:52 2018 VERIFY EKU OK
Sat Mar 24 22:46:52 2018 VERIFY OK: depth=0, CN=my-server
Sat Mar 24 22:46:52 2018 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1542', remote='link-mtu 1541'
Sat Mar 24 22:46:52 2018 WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
Sat Mar 24 22:46:52 2018 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Sat Mar 24 22:46:52 2018 [my-server] Peer Connection Initiated with [AF_INET]<<PUBLIC_IP>>:1194
Sat Mar 24 22:46:53 2018 SENT CONTROL [my-server]: 'PUSH_REQUEST' (status=1)
Sat Mar 24 22:46:53 2018 PUSH: Received control message: 'PUSH_REPLY,comp-lzo yes,persist-key,persist-tun,topology subnet,route-gateway dhcp,redirect-gateway def1,route 192.168.200.0 255.255.255.0,dhcp-option DNS 192.168.100.1,route-gateway 192.168.200.1,topology subnet,ping 10,ping-restart 120,ifconfig 192.168.200.2 255.255.255.0,peer-id 0,cipher AES-256-GCM'
Sat Mar 24 22:46:53 2018 OPTIONS IMPORT: timers and/or timeouts modified
Sat Mar 24 22:46:53 2018 OPTIONS IMPORT: compression parms modified
Sat Mar 24 22:46:53 2018 OPTIONS IMPORT: --persist options modified
Sat Mar 24 22:46:53 2018 OPTIONS IMPORT: --ifconfig/up options modified
Sat Mar 24 22:46:53 2018 OPTIONS IMPORT: route options modified
Sat Mar 24 22:46:53 2018 OPTIONS IMPORT: route-related options modified
Sat Mar 24 22:46:53 2018 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sat Mar 24 22:46:53 2018 OPTIONS IMPORT: peer-id set
Sat Mar 24 22:46:53 2018 OPTIONS IMPORT: adjusting link_mtu to 1625
Sat Mar 24 22:46:53 2018 OPTIONS IMPORT: data channel crypto options modified
Sat Mar 24 22:46:53 2018 Data Channel: using negotiated cipher 'AES-256-GCM'
Sat Mar 24 22:46:53 2018 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Sat Mar 24 22:46:53 2018 Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Sat Mar 24 22:46:53 2018 ROUTE_GATEWAY 192.168.43.1/255.255.255.0 IFACE=wlp8s0 HWADDR=00:18:de:b8:17:54
Sat Mar 24 22:46:53 2018 TUN/TAP device tun0 opened
Sat Mar 24 22:46:53 2018 TUN/TAP TX queue length set to 100
Sat Mar 24 22:46:53 2018 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Sat Mar 24 22:46:53 2018 /sbin/ip link set dev tun0 up mtu 1500
Sat Mar 24 22:46:53 2018 /sbin/ip addr add dev tun0 192.168.200.2/24 broadcast 192.168.200.255
Sat Mar 24 22:46:53 2018 /sbin/ip route add <<PUBLIC_IP>>/32 via 192.168.43.1
Sat Mar 24 22:46:53 2018 /sbin/ip route add 0.0.0.0/1 via 192.168.200.1
Sat Mar 24 22:46:53 2018 /sbin/ip route add 128.0.0.0/1 via 192.168.200.1
Sat Mar 24 22:46:53 2018 /sbin/ip route add 192.168.200.0/24 via 192.168.200.1
RTNETLINK answers: File exists
Sat Mar 24 22:46:53 2018 ERROR: Linux route add command failed: external program exited with error status: 2
Sat Mar 24 22:46:53 2018 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sat Mar 24 22:46:53 2018 Initialization Sequence Completed
Sat Mar 24 22:47:03 2018 Bad LZO decompression header byte: 42
Sat Mar 24 22:47:13 2018 Bad LZO decompression header byte: 42
Sat Mar 24 22:47:23 2018 Bad LZO decompression header byte: 42
Sat Mar 24 22:47:34 2018 Bad LZO decompression header byte: 42
Sat Mar 24 22:47:44 2018 Bad LZO decompression header byte: 42

THANKS again for your time and help.

(Last edited by Mosfet on 25 Mar 2018, 11:35)

Mosfet wrote:
  • tap IP

Use tun, not tap, if you want routing. tun is easier for novices to set up.


Mosfet wrote:

/etc/config/openvpn

    list push 'redirect-gateway def1'
    list push 'route 192.168.200.0 255.255.255.0'

Replace with:

    list push 'redirect-gateway def1 bypass-dhcp'
    list push 'route 192.168.100.0 255.255.255.0'

You don't need to push the VPN's own subnet as a route. But if you want your clients to access the LAN, then you do need to push the LAN subnet as a route.

Hey, THANKS smile

tap was a typo, sorry; it was configured for TUN.
I made the suggested modifications, but traffic still won't pass (tested using an Android client).
I've updated the configuration files in the first post -- it makes them easier to read.

Thanks again ^_^

P.S. 600cc makes me think you're a biker; it's mid-spring where I live, but it's snowing at the moment sad.

___________________________________________________________________________________
Later Edit

Testing on another Windows machine
OpenVPN log

Sun Mar 25 00:43:42 2018 OpenVPN 2.4.5 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Mar  1 2018
Sun Mar 25 00:43:42 2018 Windows version 6.2 (Windows 8 or greater) 64bit
Sun Mar 25 00:43:42 2018 library versions: OpenSSL 1.1.0f  25 May 2017, LZO 2.10
Sun Mar 25 00:43:42 2018 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Sun Mar 25 00:43:42 2018 Need hold release from management interface, waiting...
Sun Mar 25 00:43:42 2018 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Sun Mar 25 00:43:42 2018 MANAGEMENT: CMD 'state on'
Sun Mar 25 00:43:42 2018 MANAGEMENT: CMD 'log all on'
Sun Mar 25 00:43:42 2018 MANAGEMENT: CMD 'echo all on'
Sun Mar 25 00:43:42 2018 MANAGEMENT: CMD 'bytecount 5'
Sun Mar 25 00:43:42 2018 MANAGEMENT: CMD 'hold off'
Sun Mar 25 00:43:42 2018 MANAGEMENT: CMD 'hold release'
Sun Mar 25 00:43:42 2018 NOTE: --fast-io is disabled since we are running on Windows
Sun Mar 25 00:43:42 2018 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Mar 25 00:43:42 2018 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Mar 25 00:43:42 2018 MANAGEMENT: >STATE:1521931422,RESOLVE,,,,,,
Sun Mar 25 00:43:42 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]<<PUBLIC_IP>>:1194
Sun Mar 25 00:43:42 2018 Socket Buffers: R=[65536->65536] S=[65536->65536]
Sun Mar 25 00:43:42 2018 UDP link local: (not bound)
Sun Mar 25 00:43:42 2018 UDP link remote: [AF_INET]<<PUBLIC_IP>>:1194
Sun Mar 25 00:43:42 2018 MANAGEMENT: >STATE:1521931422,WAIT,,,,,,
Sun Mar 25 00:43:42 2018 MANAGEMENT: >STATE:1521931422,AUTH,,,,,,
Sun Mar 25 00:43:42 2018 TLS: Initial packet from [AF_INET]<<PUBLIC_IP>>:1194, sid=742771aa 526bb8dc
Sun Mar 25 00:43:43 2018 VERIFY OK: depth=1, C=RO, ST=Bucharest, O=Home.
Sun Mar 25 00:43:43 2018 VERIFY KU OK
Sun Mar 25 00:43:43 2018 Validating certificate extended key usage
Sun Mar 25 00:43:43 2018 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Sun Mar 25 00:43:43 2018 VERIFY EKU OK
Sun Mar 25 00:43:43 2018 VERIFY OK: depth=0, CN=my-server
Sun Mar 25 00:43:43 2018 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1542', remote='link-mtu 1541'
Sun Mar 25 00:43:43 2018 WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
Sun Mar 25 00:43:43 2018 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Sun Mar 25 00:43:43 2018 [my-server] Peer Connection Initiated with [AF_INET]<<PUBLIC_IP>>:1194
Sun Mar 25 00:43:44 2018 MANAGEMENT: >STATE:1521931424,GET_CONFIG,,,,,,
Sun Mar 25 00:43:44 2018 SENT CONTROL [my-server]: 'PUSH_REQUEST' (status=1)
Sun Mar 25 00:43:44 2018 PUSH: Received control message: 'PUSH_REPLY,comp-lzo yes,persist-key,persist-tun,topology subnet,route-gateway dhcp,redirect-gateway def1 bypass-dhcp,route 192.168.100.0 255.255.255.0,dhcp-option DNS 192.168.100.1,route-gateway 192.168.200.1,topology subnet,ping 10,ping-restart 120,ifconfig 192.168.200.2 255.255.255.0,peer-id 0,cipher AES-256-GCM'
Sun Mar 25 00:43:44 2018 OPTIONS IMPORT: timers and/or timeouts modified
Sun Mar 25 00:43:44 2018 OPTIONS IMPORT: compression parms modified
Sun Mar 25 00:43:44 2018 OPTIONS IMPORT: --persist options modified
Sun Mar 25 00:43:44 2018 OPTIONS IMPORT: --ifconfig/up options modified
Sun Mar 25 00:43:44 2018 OPTIONS IMPORT: route options modified
Sun Mar 25 00:43:44 2018 OPTIONS IMPORT: route-related options modified
Sun Mar 25 00:43:44 2018 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sun Mar 25 00:43:44 2018 OPTIONS IMPORT: peer-id set
Sun Mar 25 00:43:44 2018 OPTIONS IMPORT: adjusting link_mtu to 1625
Sun Mar 25 00:43:44 2018 OPTIONS IMPORT: data channel crypto options modified
Sun Mar 25 00:43:44 2018 Data Channel: using negotiated cipher 'AES-256-GCM'
Sun Mar 25 00:43:44 2018 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sun Mar 25 00:43:44 2018 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sun Mar 25 00:43:44 2018 interactive service msg_channel=624
Sun Mar 25 00:43:44 2018 ROUTE_GATEWAY 192.168.43.1/255.255.255.0 I=4 HWADDR=00:24:d7:aa:3f:84
Sun Mar 25 00:43:44 2018 open_tun
Sun Mar 25 00:43:44 2018 TAP-WIN32 device [Ethernet 2] opened: \\.\Global\{ECCC8D0F-3D4A-443D-903D-38D6C05DF1B9}.tap
Sun Mar 25 00:43:44 2018 TAP-Windows Driver Version 9.21 
Sun Mar 25 00:43:44 2018 Set TAP-Windows TUN subnet mode network/local/netmask = 192.168.200.0/192.168.200.2/255.255.255.0 [SUCCEEDED]
Sun Mar 25 00:43:44 2018 Notified TAP-Windows driver to set a DHCP IP/netmask of 192.168.200.2/255.255.255.0 on interface {ECCC8D0F-3D4A-443D-903D-38D6C05DF1B9} [DHCP-serv: 192.168.200.254, lease-time: 31536000]
Sun Mar 25 00:43:44 2018 Successful ARP Flush on interface [35] {ECCC8D0F-3D4A-443D-903D-38D6C05DF1B9}
Sun Mar 25 00:43:44 2018 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Sun Mar 25 00:43:44 2018 MANAGEMENT: >STATE:1521931424,ASSIGN_IP,,192.168.200.2,,,,
Sun Mar 25 00:43:49 2018 TEST ROUTES: 2/2 succeeded len=1 ret=1 a=0 u/d=up
Sun Mar 25 00:43:49 2018 C:\WINDOWS\system32\route.exe ADD <<PUBLIC_IP>> MASK 255.255.255.255 192.168.43.1
Sun Mar 25 00:43:49 2018 Route addition via service succeeded
Sun Mar 25 00:43:49 2018 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 192.168.200.1
Sun Mar 25 00:43:49 2018 Route addition via service succeeded
Sun Mar 25 00:43:49 2018 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 192.168.200.1
Sun Mar 25 00:43:49 2018 Route addition via service succeeded
Sun Mar 25 00:43:49 2018 MANAGEMENT: >STATE:1521931429,ADD_ROUTES,,,,,,
Sun Mar 25 00:43:49 2018 C:\WINDOWS\system32\route.exe ADD 192.168.100.0 MASK 255.255.255.0 192.168.200.1
Sun Mar 25 00:43:49 2018 Route addition via service succeeded
Sun Mar 25 00:43:49 2018 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sun Mar 25 00:43:49 2018 Initialization Sequence Completed
Sun Mar 25 00:43:49 2018 MANAGEMENT: >STATE:1521931429,CONNECTED,SUCCESS,192.168.200.2,<<PUBLIC_IP>>,1194,,
Sun Mar 25 00:43:54 2018 Bad LZO decompression header byte: 42
Sun Mar 25 00:44:04 2018 Bad LZO decompression header byte: 42

Routes

===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.43.1   192.168.43.167     55
          0.0.0.0        128.0.0.0    192.168.200.1    192.168.200.2    291
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
        128.0.0.0        128.0.0.0    192.168.200.1    192.168.200.2    291
   <<PUBLIC_IP>>   255.255.255.255     192.168.43.1   192.168.43.167    311
     192.168.43.0    255.255.255.0         On-link    192.168.43.167    311
   192.168.43.167  255.255.255.255         On-link    192.168.43.167    311
   192.168.43.255  255.255.255.255         On-link    192.168.43.167    311
    192.168.100.0    255.255.255.0    192.168.200.1    192.168.200.2    291
    192.168.200.0    255.255.255.0         On-link     192.168.200.2    291
    192.168.200.2  255.255.255.255         On-link     192.168.200.2    291
  192.168.200.255  255.255.255.255         On-link     192.168.200.2    291
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link    192.168.43.167    311
        224.0.0.0        240.0.0.0         On-link     192.168.200.2    291
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link    192.168.43.167    311
  255.255.255.255  255.255.255.255         On-link     192.168.200.2    291
===========================================================================
Persistent Routes:
  None

(Last edited by Mosfet on 25 Mar 2018, 00:01)

I am indeed. Both bikes so far have been 600cc units. Next up is likely to be a Pan European or FJR or something along those lines. If the cops and paramedics ride them all day long, so can I.

Anyway, back to OpenVPN. This post - https://forum.openwrt.org/viewtopic.php … 75#p373075 - contains my working OpenVPN server configuration. Feel free to copy it for your use. Change the IP addresses to suit your needs.

Greetings,

I am also an OpenWrt novice and have trouble configuring OpenVPN. I think I have a problem with the OpenVPN route or something. I have now copied some parts of this config, but I still get no connection.

I think it is a routing or port-forwarding problem.

I am running a Linksys WRT32X with stock firmware.

Here are the logs and config files.

My Router-Subnet is 192.168.4.0.
Router IP 192.168.4.254


/etc/config/openvpn


config openvpn 'custom_config'
    option enabled '0'
    option config '/etc/openvpn/my-vpn.conf'

config openvpn 'sample_server'
    option enabled '0'
    option port '1194'
    option proto 'udp'
    option dev 'tun'
    option ca '/etc/openvpn/ca.crt'
    option cert '/etc/openvpn/server.crt'
    option key '/etc/openvpn/server.key'
    option dh '/etc/openvpn/dh1024.pem'
    option server '10.8.0.0 255.255.255.0'
    option ifconfig_pool_persist '/tmp/ipp.txt'
    option keepalive '10 120'
    option comp_lzo 'yes'
    option persist_key '1'
    option persist_tun '1'
    option user 'nobody'
    option status '/tmp/openvpn-status.log'
    option verb '3'

config openvpn 'sample_client'
    option enabled '0'
    option client '1'
    option dev 'tun'
    option proto 'udp'
    list remote 'my_server_1 1194'
    option resolv_retry 'infinite'
    option nobind '1'
    option persist_key '1'
    option persist_tun '1'
    option user 'nobody'
    option ca '/etc/openvpn/ca.crt'
    option cert '/etc/openvpn/client.crt'
    option key '/etc/openvpn/client.key'
    option comp_lzo 'yes'
    option verb '3'

config openvpn 'vpnserver'
    option enabled '1'
    option dev_type 'tun'
    option dev 'ovpns0'
    option port '1194'
    option proto 'tcp'
    option comp_lzo 'yes'
    option keepalive '10 120'
    option persist_key '1'
    option persist_tun '1'
    option ca '/etc/openvpn/ca.crt'
    option cert '/etc/openvpn/my-server.crt'
    option key '/etc/openvpn/my-server.key'
    option dh '/etc/openvpn/dh2048.pem'
    option tls_auth '/etc/openvpn/tls-auth.key 0'
    option mode 'server'
    option tls_server '1'
    option server '192.168.200.0 255.255.255.0'
    option topology 'subnet'
    option route_gateway 'dhcp'
    option client_to_client '1'
    list push 'comp-lzo yes'
    list push 'persist-key'
    list push 'persist-tun'
    list push 'topology subnet'
    list push 'route-gateway dhcp'
    list push 'redirect-gateway def1 bypass-dhcp'
    list push 'route 192.168.4.0 255.255.255.0'
    list push 'dhcp-option DNS 192.168.4.1'

/etc/config/firewall

config defaults
    option syn_flood '1'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'

config zone
    option name 'lan'
    list network 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'

config zone
    option name 'wan'
    list network 'wan'
    list network 'wan6'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'

config forwarding
    option src 'lan'
    option dest 'wan'

config rule
    option name 'Allow-DHCP-Renew'
    option src 'wan'
    option proto 'udp'
    option dest_port '68'
    option target 'ACCEPT'
    option family 'ipv4'

config rule
    option name 'Allow-Ping'
    option src 'wan'
    option proto 'icmp'
    option icmp_type 'echo-request'
    option family 'ipv4'
    option target 'DROP'

config rule
    option name 'Allow-IGMP'
    option src 'wan'
    option proto 'igmp'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-DHCPv6'
    option src 'wan'
    option proto 'udp'
    option src_ip 'fc00::/6'
    option dest_ip 'fc00::/6'
    option dest_port '546'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-MLD'
    option src 'wan'
    option proto 'icmp'
    option src_ip 'fe80::/10'
    list icmp_type '130/0'
    list icmp_type '131/0'
    list icmp_type '132/0'
    list icmp_type '143/0'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Input'
    option src 'wan'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    list icmp_type 'router-solicitation'
    list icmp_type 'neighbour-solicitation'
    list icmp_type 'router-advertisement'
    list icmp_type 'neighbour-advertisement'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Forward'
    option src 'wan'
    option dest '*'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config include
    option path '/etc/firewall.user'

config rule
    option src 'wan'
    option dest 'lan'
    option proto 'esp'
    option target 'ACCEPT'

config rule
    option src 'wan'
    option dest 'lan'
    option dest_port '500'
    option proto 'udp'
    option target 'ACCEPT'

config rule
    option name 'Samba'
    option src 'lan'
    option proto 'tcp'
    option dest_port '139'
    option target 'ACCEPT'

config include 'miniupnpd'
    option type 'script'
    option path '/usr/share/miniupnpd/firewall.include'
    option family 'any'
    option reload '1'

config include 'krouter'
    option path '/usr/lib/krouter-scripts/firemark.sh'

config redirect
    option enabled '1'
    option target 'DNAT'
    option src 'wan'
    option dest 'lan'
    option name 'RDP_Client1'
    option dest_ip '192.168.4.10'
    option dest_port '3310'
    option src_dport '3389'
    option proto 'tcp udp icmp'

config rule
    option name 'Allow-OpenVPN-Inbound'
    option target 'ACCEPT'
    option src '*'
    option proto 'udp'
    option dest_port '1194'

config zone
    option name 'vpnserver'
    option input 'ACCEPT'
    option forward 'REJECT'
    option output 'ACCEPT'
    option masq '1'
    option network 'vpnserver'

config forwarding
    option src 'vpnserver'
    option dest 'wan'

config forwarding
    option src 'wan'
    option dest 'vpnserver'

config forwarding
    option src 'vpnserver'
    option dest 'lan'

config forwarding
    option src 'lan'
    option dest 'vpnserver'

/etc/config/network


config interface 'loopback'
    option ifname 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config globals 'globals'
    option ula_prefix 'fd85:f178:0495::/48'

config interface 'lan'
    option type 'bridge'
    option ifname 'eth1'
    option proto 'static'
    option netmask '255.255.255.0'
    option ip6assign '60'
    option ipaddr '192.168.4.254'

config interface 'wan'
    option ifname 'eth0'
    option disabled '0'
    option proto 'static'
    option ipaddr 'xxx.xxx.xxx.xxx'
    option gateway 'xxx.xxx.xxx.xxx'
    option netmask 'xxx.xxx.xxx.xxx'
    list dns 'xxx.xxx.xxx.xxx'
    list dns 'xxx.xxx.xxx.xxx'

config interface 'wan6'
    option ifname 'eth0'
    option proto 'dhcpv6'
    option disabled '0'

config switch
    option name 'switch0'
    option reset '1'
    option enable_vlan '1'

config switch_vlan
    option device 'switch0'
    option vlan '1'
    option ports '0 1 2 3 6'

config switch_vlan
    option device 'switch0'
    option vlan '2'
    option ports '4 5'

config interface 'vpnserver'
    option proto 'none'
    option ifname 'ovpns0'
    option auto '1'

Client config (I have deleted the certificate information)


  client
  dev tun
  proto tcp
  fast-io
  remote xxx.xxx.xxx.xxx 1194
  remote-cert-tls server
  nobind
  persist-key
  persist-tun
  comp-lzo no
  verb 3
  key-direction 1
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<cert>
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4097 (0x1001)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=GB, ST=London, O=WWW Ltd.
        Validity
            Not Before: Mar 24 19:21:14 2018 GMT
            Not After : Mar 21 19:21:14 2028 GMT
        Subject: CN=my-client
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:                  
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: 
                Digital Signature
            X509v3 Extended Key Usage: 
                TLS Web Client Authentication
    Signature Algorithm: sha256WithRSAEncryption
        
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----

-----END PRIVATE KEY-----
</key>
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----

-----END OpenVPN Static key V1-----
</tls-auth>


OpenVPN client log file


Sun Mar 25 09:46:09 2018 OpenVPN 2.4.4 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Sep 26 2017
Sun Mar 25 09:46:09 2018 Windows version 6.2 (Windows 8 or greater) 64bit
Sun Mar 25 09:46:09 2018 library versions: OpenSSL 1.0.2l  25 May 2017, LZO 2.10
Sun Mar 25 09:46:09 2018 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25341
Sun Mar 25 09:46:09 2018 Need hold release from management interface, waiting...
Sun Mar 25 09:46:10 2018 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25341
Sun Mar 25 09:46:10 2018 MANAGEMENT: CMD 'state on'
Sun Mar 25 09:46:10 2018 MANAGEMENT: CMD 'log all on'
Sun Mar 25 09:46:10 2018 MANAGEMENT: CMD 'echo all on'
Sun Mar 25 09:46:10 2018 MANAGEMENT: CMD 'hold off'
Sun Mar 25 09:46:10 2018 MANAGEMENT: CMD 'hold release'
Sun Mar 25 09:46:10 2018 NOTE: --fast-io is disabled since we are running on Windows
Sun Mar 25 09:46:10 2018 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Mar 25 09:46:10 2018 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Mar 25 09:46:10 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]xxx.xxx.xxx.xxx:1194
Sun Mar 25 09:46:10 2018 Socket Buffers: R=[65536->65536] S=[65536->65536]
Sun Mar 25 09:46:10 2018 Attempting to establish TCP connection with [AF_INET]xxx.xxx.xxx.xxx:1194 [nonblock]
Sun Mar 25 09:46:10 2018 MANAGEMENT: >STATE:1521963970,TCP_CONNECT,,,,,,

Route

root@WRT32X:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         host-xxx.xxx.xxx 0.0.0.0         UG    0      0        0 eth0
192.168.4.0     *               255.255.255.0   U     0      0        0 br-lan
xxx.xxx.xxx.xxx  *               255.255.255.224 U     0      0        0 eth0
239.0.0.0       *               255.0.0.0       U     0      0        0 br-lan

I hope somebody can help me.

I wish you all a nice Sunday smile

I have found a mistake in my config (the inbound rule's protocol must match the server's 'proto', which is tcp here):



config rule
    option name 'Allow-OpenVPN-Inbound'
    option target 'ACCEPT'
    option src '*'
    option proto 'tcp'
    option dest_port '1194'

But still no luck:

Sun Mar 25 09:57:59 2018 OpenVPN 2.4.4 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Sep 26 2017
Sun Mar 25 09:57:59 2018 Windows version 6.2 (Windows 8 or greater) 64bit
Sun Mar 25 09:57:59 2018 library versions: OpenSSL 1.0.2l  25 May 2017, LZO 2.10
Sun Mar 25 09:57:59 2018 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25341
Sun Mar 25 09:57:59 2018 Need hold release from management interface, waiting...
Sun Mar 25 09:58:00 2018 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25341
Sun Mar 25 09:58:00 2018 MANAGEMENT: CMD 'state on'
Sun Mar 25 09:58:00 2018 MANAGEMENT: CMD 'log all on'
Sun Mar 25 09:58:00 2018 MANAGEMENT: CMD 'echo all on'
Sun Mar 25 09:58:00 2018 MANAGEMENT: CMD 'hold off'
Sun Mar 25 09:58:00 2018 MANAGEMENT: CMD 'hold release'
Sun Mar 25 09:58:00 2018 NOTE: --fast-io is disabled since we are running on Windows
Sun Mar 25 09:58:00 2018 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Mar 25 09:58:00 2018 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Mar 25 09:58:00 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]xxx.xxx.xxx.xxx:1194
Sun Mar 25 09:58:00 2018 Socket Buffers: R=[65536->65536] S=[65536->65536]
Sun Mar 25 09:58:00 2018 Attempting to establish TCP connection with [AF_INET]xxx.xxx.xxx.xxx:1194 [nonblock]
Sun Mar 25 09:58:00 2018 MANAGEMENT: >STATE:1521964680,TCP_CONNECT,,,,,,
Sun Mar 25 10:00:00 2018 TCP: connect to [AF_INET]xxx.xxx.xxx.xxx:1194 failed: Unknown error

@600cc I have tried your config, but I still get the same error.

EDIT: PROBLEM SOLVED

@600cc
Those are really nice and comfy bikes ^_^; currently I'm riding a CBR600F4, planning on selling it and upgrading to something like a V-Strom.

THANKS again for your help


Inf1n1nty
Try this configuration; it works for me!
Remember to modify it according to your setup.


OPENVPN configuration
     | Remember to check the certificate and key paths
     | Remember to check subnets and devices against your network configuration (if you are not using the config listed below)

# OpenVPN server instance as posted (/etc/config/openvpn).
# Listens on UDP/1194 and hands out tunnel addresses from 192.168.200.0/24;
# the router LAN is 192.168.100.0/24.
config openvpn 'vpnserver'
    option local '<<IP/DDNS>>'        # placeholder: the router's public address or DDNS name
    option port '1194'
    option proto 'udp'                # the inbound firewall rule only needs to match this protocol
    option dev 'ovpns0'               # must match 'ifname' of the 'vpnserver' network interface below
    option dev_type 'tun'
    option ca '/etc/openvpn/ca.crt'
    option cert '/etc/openvpn/my-server.crt'
    option key '/etc/openvpn/my-server.key'     # server private key; keep it readable by root only
    option dh '/etc/openvpn/dh2048.pem'
    option tls_auth '/etc/openvpn/tls-auth.key 0'   # direction 0 here pairs with 'key-direction 1' in the client .ovpn
    option duplicate_cn '1'           # NOTE(review): lets several clients share one certificate; revoking that cert then cuts off all of them
    option server '192.168.200.0 255.255.255.0'
    option topology 'subnet'
    list push 'topology subnet'
    list push 'redirect-gateway def1'              # all client traffic goes through the tunnel (the "use my ISP IP" goal)
    list push 'route 192.168.100.0 255.255.255.0'  # makes the router LAN reachable through the tunnel
    list push 'dhcp-option DNS 192.168.100.1'      # router as resolver; two public resolvers are pushed further down as well
    list push 'dhcp-option DOMAIN lan'
    option client_to_client '1'       # NOTE(review): VPN clients can reach each other directly; drop if that is not wanted
    option keepalive '10 120'
    option cipher 'AES-256-GCM'       # AEAD cipher; the client config below uses the same value
    option compress 'lzo'
    option verb '3'
    option persist_key '1'
    option persist_tun '1'
    option user 'nobody'              # drop privileges after start-up; persist_key/persist_tun keep restarts working afterwards
    option status '/tmp/openvpn-udp-status.log'
    option mute '20'
    option enabled '1'
    option comp_lzo 'yes'             # NOTE(review): duplicates 'compress lzo' above; compression inside a TLS tunnel is discouraged in current OpenVPN guidance
    list push 'comp-lzo yes'
    list push 'dhcp-option DNS 8.8.8.8'
       list push 'dhcp-option DNS 8.8.4.4'   # extra indentation comes from the original post

# Network configuration as posted (/etc/config/network).
# Placeholders: <<username>> / <<password>> for the PPPoE credentials.
config interface 'loopback'
    option ifname 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config globals 'globals'
    option ula_prefix 'fdb2:d044:8ff8::/48'

# LAN bridge on VLAN 1 (switch ports 1-4); this is the 192.168.100.0/24 the VPN pushes a route for.
config interface 'lan'
    option type 'bridge'
    option ifname 'eth0.1'
    option proto 'static'
    option netmask '255.255.255.0'
    option ip6assign '60'
    option ipaddr '192.168.100.1'

config device 'lan_dev'
    option name 'eth0.1'
    option macaddr '84:16:f9:e8:98:14'

# WAN is PPPoE on VLAN 2 (switch port 5); the public address comes from the ISP.
config interface 'wan'
    option ifname 'eth0.2'
    option proto 'pppoe'
    option username '<<username>>'
    option password '<<password>>'

config device 'wan_dev'
    option name 'eth0.2'
    option macaddr '84:16:f9:e8:98:15'

config interface 'wan6'
    option ifname 'eth0.2'
    option proto 'dhcpv6'

config switch
    option name 'switch0'
    option reset '1'
    option enable_vlan '1'

config switch_vlan
    option device 'switch0'
    option vlan '1'
    option ports '1 2 3 4 0t'

config switch_vlan
    option device 'switch0'
    option vlan '2'
    option ports '5 0t'

# Unmanaged interface wrapping the OpenVPN tun device so the firewall can put it in its own zone.
# 'ovpns0' must match 'option dev' in the openvpn config.
config interface 'vpnserver'
    option proto 'none'
    option ifname 'ovpns0'
    option auto '1'

firewall configuration

# Firewall configuration as posted (/etc/config/firewall).
# Zones: lan (trusted), wan (public, NAT), vpnserver (the OpenVPN tun interface).
config defaults
    option syn_flood '1'
    option input 'ACCEPT'             # router services are reachable from a zone unless that zone says otherwise
    option output 'ACCEPT'
    option forward 'REJECT'           # no forwarding between zones unless a 'forwarding' section allows it

config zone
    option name 'lan'
    list network 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'

config zone
    option name 'wan'
    list network 'wan'
    list network 'wan6'
    option input 'REJECT'             # only the explicit 'rule' sections below open ports towards the router
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'                   # NAT for traffic leaving via the public address
    option mtu_fix '1'

config forwarding
    option src 'lan'
    option dest 'wan'

# Stock OpenWrt rules follow (DHCP renew, ping, IGMP, DHCPv6, MLD, ICMPv6, IPsec).
config rule
    option name 'Allow-DHCP-Renew'
    option src 'wan'
    option proto 'udp'
    option dest_port '68'
    option target 'ACCEPT'
    option family 'ipv4'

config rule
    option name 'Allow-Ping'
    option src 'wan'
    option proto 'icmp'
    option icmp_type 'echo-request'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-IGMP'
    option src 'wan'
    option proto 'igmp'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-DHCPv6'
    option src 'wan'
    option proto 'udp'
    option src_ip 'fc00::/6'
    option dest_ip 'fc00::/6'
    option dest_port '546'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-MLD'
    option src 'wan'
    option proto 'icmp'
    option src_ip 'fe80::/10'
    list icmp_type '130/0'
    list icmp_type '131/0'
    list icmp_type '132/0'
    list icmp_type '143/0'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Input'
    option src 'wan'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    list icmp_type 'router-solicitation'
    list icmp_type 'neighbour-solicitation'
    list icmp_type 'router-advertisement'
    list icmp_type 'neighbour-advertisement'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Forward'
    option src 'wan'
    option dest '*'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-IPSec-ESP'
    option src 'wan'
    option dest 'lan'
    option proto 'esp'
    option target 'ACCEPT'

config rule
    option name 'Allow-ISAKMP'
    option src 'wan'
    option dest 'lan'
    option dest_port '500'
    option proto 'udp'
    option target 'ACCEPT'

config include
    option path '/etc/firewall.user'

# Opens the OpenVPN port towards the router itself.
# NOTE(review): 'src *' and 'tcpudp' are wider than needed; the server only listens on UDP,
# so 'option src wan' plus 'option proto udp' (as in the reply further down) is the least-privilege form.
config rule
    option name 'Allow-OpenVPN-Inbound'
    option target 'ACCEPT'
    option src '*'
    option proto 'tcpudp'
    option dest_port '1194'

# Zone for the tun interface; input ACCEPT lets VPN clients use the router's DNS (192.168.100.1 is pushed to them).
config zone
    option name 'vpnserver'
    option input 'ACCEPT'
    option forward 'REJECT'
    option output 'ACCEPT'
    option masq '1'                   # NOTE(review): masquerading a private range is not needed here (see the reply below); NAT belongs on wan only
    option network 'vpnserver'

config forwarding
    option src 'vpnserver'
    option dest 'wan'

# NOTE(review): nothing in this thread needs WAN-initiated forwarding into the VPN zone; replies
# for the vpnserver->wan flows are matched by connection tracking without it, so this section can go.
config forwarding
    option src 'wan'
    option dest 'vpnserver'

config forwarding
    option src 'vpnserver'
    option dest 'lan'

config forwarding
    option src 'lan'
    option dest 'vpnserver'

client config (ovpn file)
    | certificate and key data removed

  # Client profile (.ovpn) matching the server instance above: UDP/1194, same cipher,
  # compression enabled on both sides, tls-auth with the opposite key direction.
  client
  dev tun
  proto udp
  remote mosfet.go.ro 1194
  block-outside-dns          # Windows-only: stops the client from resolving names outside the tunnel while connected

  remote-cert-tls server     # only accept a server certificate issued for server use, not any client cert signed by the CA
  cipher AES-256-GCM
  persist-key
  persist-tun
  nobind
  resolv-retry infinite
  comp-lzo                   # must stay in step with the server's comp_lzo / pushed 'comp-lzo yes'
  verb 5
  mute 10
# inline credentials; 'key-direction 1' pairs with the server's 'tls-auth ... 0'
key-direction 1
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
</key>
<tls-auth>
</tls-auth>

(Last edited by Mosfet on 25 Mar 2018, 11:35)

Inf1n1nty wrote:

@600cc I have tried your config, but I still get the same error.

May I suggest opening a new thread, so your request doesn't get lost among this one?

/etc/config/firewall

# Reference firewall snippet from 600cc: one 'vpn' zone covering both tun devices,
# inbound rules limited to the wan zone and to the protocol each instance actually listens on,
# no masquerading on the VPN zone and no wan->vpn forwarding.
config zone
        option input 'ACCEPT'
        option network 'vtun0 vtun1 '
        option output 'ACCEPT'
        option name 'vpn'
        option forward 'ACCEPT'          # clients on the two tun devices may forward to each other

config rule
        option target 'ACCEPT'
        option src 'wan'
        option proto 'udp'
        option dest_port '1194'
        option name 'OpenVPN UDP'

config rule
        option target 'ACCEPT'
        option src 'wan'
        option proto 'tcp'
        option dest_port '443'
        option name 'OpenVPN TCP'

config forwarding
        option dest 'lan'
        option src 'vpn'

config forwarding
        option dest 'wan'
        option src 'vpn'

config forwarding
        option dest 'vpn'
        option src 'lan'

I have two vtun networks because I have OpenVPN listening on two ports, one for each protocol, instead of combining both into a single instance.

I've just spotted something else, too: you've got masquerade enabled on your VPN zone. You only need masquerading (NAT) on the WAN, and only if your WAN interface is the IP address you present to the outside world. Under normal circumstances (and this is one) you wouldn't typically need to apply NAT on a private address range.

@mosfet: Sorry, it didn't work with your config either.

I will open a new thread.

Thanks anyway!

The discussion might have continued from here.