Hello there everybody
Well it seems I have some kind of Problem with my OpenVPN Configuration.
A while ago I had an OpenVPN-Connection set up and running, everything worked fine.
A few weeks ago i changed my ISP and had some Problems with me OpenWRT-Router so I reinstalled it.
After setting up everything the way it was, I decided to finally had to get my VPN running.
So i installed the opnevpn package and copied back my old config files.
Well this is where I am stuck:
1. I can connect to my VPN
2. I can ping clients on my remote (the network I connected via VPN to) network
3. I can access the Internet (But with the local DNS of the device and not the DNS of my router)
My Network is basically:
192.168.0.0 /24 local net
192.168.1.0 /24 guest net
192.168.3.0 /24 VPN
Network configuration:
----------------------------
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fdab:45db:aa88::/48'
config interface 'lan'
option ifname 'eth0.1'
option force_link '1'
option type 'bridge'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '192.168.0.1'
config interface 'wan'
option ifname 'eth0.2'
option _orig_ifname 'eth0.2'
option _orig_bridge 'false'
option proto 'pppoe'
option username 'somestuff'
option password 'secret'
config interface 'wan6'
option ifname 'eth0.2'
option proto 'dhcpv6'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '1 2 3 4 5t'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '0 5t'
config 'interface' 'guest'
option 'proto' 'static'
option 'ipaddr' '192.168.1.1'
option 'netmask' '255.255.255.0'
config interface 'vpn0'
option proto 'none'
option ifname 'tun0'
Firewall Configuration:
-----------------------------
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fdab:45db:aa88::/48'
config interface 'lan'
option ifname 'eth0.1'
option force_link '1'
option type 'bridge'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '192.168.0.1'
config interface 'wan'
option ifname 'eth0.2'
option _orig_ifname 'eth0.2'
option _orig_bridge 'false'
root@router:/etc/config# cat network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fdab:45db:aa88::/48'
config interface 'lan'
option ifname 'eth0.1'
option force_link '1'
option type 'bridge'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '192.168.0.1'
config interface 'wan'
option ifname 'eth0.2'
option _orig_ifname 'eth0.2'
option _orig_bridge 'false'
option proto 'pppoe'
option username '002702375248551126881693#0001@t-online.de'
option password '13512767'
config interface 'wan6'
option ifname 'eth0.2'
option proto 'dhcpv6'
config switch
option name 'switch0'
option reset '1'
root@router:/etc/config# cat network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
root@router:/etc/config# cat firewall
config defaults
option syn_flood 1
option input ACCEPT
option output ACCEPT
option forward REJECT
# Uncomment this line to disable ipv6 rules
# option disable_ipv6 1
config zone
option name lan
list network 'lan'
option input ACCEPT
option output ACCEPT
option forward ACCEPT
config zone
option name wan
list network 'wan'
list network 'wan6'
option input REJECT
option output ACCEPT
option forward REJECT
option masq 1
option mtu_fix 1
config forwarding
option src lan
option dest wan
# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
option name Allow-DHCP-Renew
option src wan
option proto udp
option dest_port 68
option target ACCEPT
option family ipv4
# Allow IPv4 ping
config rule
option name Allow-Ping
option src wan
option proto icmp
option icmp_type echo-request
option family ipv4
option target ACCEPT
config rule
option name Allow-IGMP
option src wan
option proto igmp
option family ipv4
option target ACCEPT
# Allow DHCPv6 replies
# see https://dev.openwrt.org/ticket/10381
config rule
option name Allow-DHCPv6
option src wan
option proto udp
option src_ip fe80::/10
option src_port 547
option dest_ip fe80::/10
option dest_port 546
option family ipv6
option target ACCEPT
config rule
option name Allow-MLD
option src wan
option proto icmp
option src_ip fe80::/10
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family ipv6
option target ACCEPT
# Allow essential incoming IPv6 ICMP traffic
config rule
option name Allow-ICMPv6-Input
option src wan
option proto icmp
list icmp_type echo-request
list icmp_type echo-reply
list icmp_type destination-unreachable
list icmp_type packet-too-big
list icmp_type time-exceeded
list icmp_type bad-header
list icmp_type unknown-header-type
list icmp_type router-solicitation
list icmp_type neighbour-solicitation
list icmp_type router-advertisement
list icmp_type neighbour-advertisement
option limit 1000/sec
option family ipv6
option target ACCEPT
# Allow essential forwarded IPv6 ICMP traffic
config rule
option name Allow-ICMPv6-Forward
option src wan
option dest *
option proto icmp
list icmp_type echo-request
list icmp_type echo-reply
list icmp_type destination-unreachable
list icmp_type packet-too-big
list icmp_type time-exceeded
list icmp_type bad-header
list icmp_type unknown-header-type
option limit 1000/sec
option family ipv6
option target ACCEPT
# include a file with users custom iptables rules
config include
option path /etc/firewall.user
config 'zone'
option 'name' 'guest'
option 'network' 'guest'
option 'input' 'REJECT'
option 'forward' 'REJECT'
option 'output' 'ACCEPT'
# Allow Guest -> Internet
config 'forwarding'
option 'src' 'guest'
option 'dest' 'wan'
# Allow DNS Guest -> Router
# Client DNS queries ordinate from dynamic UDP ports (>1023)
config 'rule'
option 'name' 'Allow DNS Queries'
option 'src' 'guest'
option 'dest_port' '53'
option 'proto' 'tcpudp'
option 'target' 'ACCEPT'
# Allow DHCP Guest -> Router
# DHCP communication uses UDP ports 67-68
config 'rule'
option 'name' 'Allow DHCP request'
option 'src' 'guest'
option 'src_port' '67-68'
option 'dest_port' '67-68'
option 'proto' 'udp'
option 'target' 'ACCEPT'
config rule
option name 'Allow-OpenVPN-Inbound'
option target 'ACCEPT'
option proto 'udp'
option dest_port '1194'
option src '*'
config zone
option name 'vpn'
option input 'ACCEPT'
option forward 'REJECT'
option output 'ACCEPT'
option network 'vpn0'
config forwarding
option src 'vpn'
option dest 'wan'
OpenVPN Server Config:
--------------------------------
config openvpn 'myvpn'
option enabled '1'
option dev 'tun'
option proto 'udp'
option server '192.168.3.0 255.255.255.0'
list push 'redirect-gateway def1'
option port '1194'
option keepalive '10 120'
option ca '/etc/openvpn/keys/ca.crt'
option key '/etc/openvpn/keys/router.key'
option cert '/etc/openvpn/keys/router.crt'
option dh '/etc/openvpn/keys/dh2048.pem'
option log '/tmp/openvpn.log'
option verb '3'
Openvpn Client Config:
------------------------------
client
dev tun
proto udp
remote domain port
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert smartphone-e.crt
key smartphone-e.key
ns-cert-type server
verb 3
I've read myself through all of the openvpn related articals but I'm stuck.
Hopefully someone can help me with this strange problem.
EDIT 2: Maybe I should make my intensions with this project clear
I want to access my LAN (Server, PC, etc.) via my VPN to access files on my Server on the fly.
Furthermore I want to use to VPN to browse safely while I am connected to a public WIFI.
So basicly route all traffic from my client throught my LAN
Thank you in advance
Elopsm
(Last edited by elopsm on 8 Feb 2017, 18:00)