OpenWrt Forum Archive

Topic: clients can't access router when it's connected to VPN server

The content of this topic has been archived on 8 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hello,
I'm typing this for the second time now, as I got logged out and everything was lost :-P

I'm new to OpenWrt, but have some experience with Ubuntu. I've got a WR1043ND v4 and I'm using the current snapshot.

I want the OpenWrt to connect to an OpenVPN server via 3G in order to reach the other OpenVPN client's local network.

I used the "OpenVPN Setup Guide for Beginners" from the wiki to configure the OpenWrt as an OpenVPN client, and that part is working.

Unfortunately, the OpenWrt's LAN/WiFi clients can't access the router anymore as soon as the VPN connection is established. How can I solve this problem?

I'm guessing it has something to do with the following steps of the guide:

#Create firewall zone (named vpn) for new vpn0 network. By default, it will allow both incoming and outgoing connections being created within the VPN tunnel. Edit the defaults as required. This does not (yet) allow clients to access the LAN or WAN networks, but allows clients to communicate with services on the router and may allow connections between VPN clients if your OpenVPN server configuration allows. :!: If you are planning to use your OpenVPN client as a second (or replacement) WAN adapter, it's recommended that you reject incoming traffic by default:
uci set firewall.vpn=zone
uci set firewall.vpn.name=vpn
uci set firewall.vpn.network=vpn0
uci set firewall.vpn.input=ACCEPT #REJECT if using as WAN replacement
uci set firewall.vpn.forward=REJECT
uci set firewall.vpn.output=ACCEPT
uci set firewall.vpn.masq=1
#(Optional) If you plan to allow clients behind the VPN server to connect to computers within your LAN, you'll need to allow traffic to be forwarded between the vpn firewall zone and the lan firewall zone:
uci set firewall.vpn_forwarding_lan_in=forwarding
uci set firewall.vpn_forwarding_lan_in.src=vpn
uci set firewall.vpn_forwarding_lan_in.dest=lan
#And if you want to initiate connections to clients (or the internet) behind the VPN server, you'll need to allow traffic to be forwarded that direction as well.
uci set firewall.vpn_forwarding_lan_out=forwarding
uci set firewall.vpn_forwarding_lan_out.src=lan
uci set firewall.vpn_forwarding_lan_out.dest=vpn
#Commit the changes:
uci commit network
/etc/init.d/network reload
uci commit firewall
/etc/init.d/firewall reload

ifconfig when vpn connected:

root@OpenWrt:~# ifconfig 
3g-wan    Link encap:Point-to-Point Protocol  
          inet addr:100.119.120.121  P-t-P:10.64.64.64  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:105 errors:0 dropped:0 overruns:0 frame:0
          TX packets:125 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3 
          RX bytes:24058 (23.4 KiB)  TX bytes:18494 (18.0 KiB)

br-lan    Link encap:Ethernet  HWaddr 84:16:F9:C8:9D:F4  
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fd6b:3eb3:fadc::1/60 Scope:Global
          inet6 addr: fe80::8616:f9ff:fec8:9df4/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:67 errors:0 dropped:0 overruns:0 frame:0
          TX packets:32 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:6343 (6.1 KiB)  TX bytes:3468 (3.3 KiB)

eth0      Link encap:Ethernet  HWaddr 84:16:F9:C8:9D:F4  
          inet6 addr: fe80::8616:f9ff:fec8:9df4/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:174 errors:0 dropped:0 overruns:0 frame:0
          TX packets:58 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:24208 (23.6 KiB)  TX bytes:6608 (6.4 KiB)
          Interrupt:4 

eth0.1    Link encap:Ethernet  HWaddr 84:16:F9:C8:9D:F4  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:167 errors:0 dropped:0 overruns:0 frame:0
          TX packets:26 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:20321 (19.8 KiB)  TX bytes:2792 (2.7 KiB)

eth0.2    Link encap:Ethernet  HWaddr 84:16:F9:C8:9D:F4  
          inet6 addr: fe80::8616:f9ff:fec8:9df4/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:19 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:2330 (2.2 KiB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:48 errors:0 dropped:0 overruns:0 frame:0
          TX packets:48 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1 
          RX bytes:3913 (3.8 KiB)  TX bytes:3913 (3.8 KiB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.8.0.6  P-t-P:10.8.0.5  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:24 errors:0 dropped:0 overruns:0 frame:0
          TX packets:33 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:4477 (4.3 KiB)  TX bytes:4170 (4.0 KiB)

wlan0     Link encap:Ethernet  HWaddr 84:16:F9:C8:9D:F4  
          inet6 addr: fe80::8616:f9ff:fec8:9df4/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:83 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:10943 (10.6 KiB)

netstat -r when vpn connected:

root@OpenWrt:~# netstat -r
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
default         10.64.64.64     0.0.0.0         UG        0 0          0 3g-wan
10.8.0.0        10.8.0.5        255.255.255.0   UG        0 0          0 tun0
10.8.0.5        *               255.255.255.255 UH        0 0          0 tun0
10.64.64.64     *               255.255.255.255 UH        0 0          0 3g-wan
192.168.1.0     10.8.0.5        255.255.255.0   UG        0 0          0 tun0
192.168.1.0     *               255.255.255.0   U         0 0          0 br-lan

netstat -r when vpn not connected:

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
default         10.64.64.64     0.0.0.0         UG        0 0          0 3g-wan
10.64.64.64     *               255.255.255.255 UH        0 0          0 3g-wan
192.168.1.0     *               255.255.255.0   U         0 0          0 br-lan

/etc/config/network:

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd6b:3eb3:fadc::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option proto '3g'
        option device '/dev/ttyUSB0'
        option apn 'web.vodafone.de'
        option pincode '1234'
        option dialnumber '*99***1#'
        option ipv6 'auto'

config interface 'wan6'
        option ifname 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 3 4 0t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '5 0t'

config interface 'vpn0'
        option ifname 'tun0'
        option proto 'none'
        option auto '1'

Thanks in advance for your help! Let me know if any other information is necessary.
Ben
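A small check, added here and not part of the thread, that parses busybox `netstat -r` output (the column layout shown in the post above is assumed) and reports any destination/genmask pair that appears on more than one interface. On the "vpn connected" table it reports 192.168.1.0/255.255.255.0 on both tun0 and br-lan; two routes for the same prefix on different interfaces are the first thing worth ruling out when LAN clients lose the router as soon as the tunnel comes up.

```shell
#!/bin/sh
# Added example, not the forum poster's or the wiki's code.
# Usage on the router: netstat -r | find_overlapping_routes
# or feed it a saved copy of the table, as done at the bottom.

find_overlapping_routes() {
    awk '
        # Skip the two header lines printed by busybox netstat -r
        /^Kernel IP routing table/ || /^Destination/ { next }
        NF >= 8 {
            # Key on destination + genmask; $8 is the Iface column
            key = $1 "/" $3
            if (key in seen) {
                print key " via " seen[key] " and " $8
            } else {
                seen[key] = $8
            }
        }
    '
}

# Constructed sample: the "vpn connected" table from the post above
SAMPLE='Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
default         10.64.64.64     0.0.0.0         UG        0 0          0 3g-wan
10.8.0.0        10.8.0.5        255.255.255.0   UG        0 0          0 tun0
10.8.0.5        *               255.255.255.255 UH        0 0          0 tun0
10.64.64.64     *               255.255.255.255 UH        0 0          0 3g-wan
192.168.1.0     10.8.0.5        255.255.255.0   UG        0 0          0 tun0
192.168.1.0     *               255.255.255.0   U         0 0          0 br-lan'

printf '%s\n' "$SAMPLE" | find_overlapping_routes
```

An empty result means no prefix is reachable over two interfaces; any line printed names a prefix the kernel has to choose one interface for.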

Check the main DB configuration setting; I think something might have gone wrong during data parsing!

Clients of which router can't access which router?

Hello, thanks for your responses.

rony albert wrote:

Check the main DB configuration setting; I think something might have gone wrong during data parsing!

Sorry, can you elaborate a bit please? I couldn't find anything like 'main DB configuration' :-[

ulmwind wrote:

Clients of which router can't access which router?

I have created the topology of my network to be clear:

Unfortunately I cannot add links: i.imgur.com/IFgaXN8.png

As long as 'openwrt' (192.168.1.1) hasn't established a VPN connection to the OpenVPN server, the clients (192.168.1.123 and 192.168.1.124) can access 192.168.1.1. As soon as I establish the VPN connection, no ping is successful anymore.
