Hi
I have been trying for a few days to set up an OpenWRT router as an OpenVPN client. My goal is to redirect all traffic from the LAN to the internet via the VPN network.
My problem is that I can't even get the VPN working from the OpenWRT router itself. It connects fine, but after that there is nothing I can do. I'm connected via SSH to the OpenWRT router and can't ping or traceroute 8.8.8.8, for example - I have no connectivity at all.
My ISP router is connected on the WAN port, while my computer is connected on the LAN.
If I connect my ISP router to the LAN port (with a different setup to get the right gateway, of course) I can connect to the VPN just fine - but since I want to use it to redirect LAN computers through the VPN network, I'd prefer to be able to connect to the VPN server with my ISP router on the WAN port.
I'd guess that it's a firewall or routing issue, but I don't understand what it is, since with the ISP router connected to the LAN port and a similar setup it works fine - and internet access from either the OpenWRT router or a LAN client works great when the VPN is off... And this VPN config works really nicely on my desktop computer, so the problem is neither the VPN server side nor connectivity...
I tried different OpenVPN configs, either with my test server or with commercial providers, and different ports... always the same. The VPN connects and then there is no network connectivity anymore...
Is there anyone that could help me or give me a right direction to search? I've been experimenting with different configs and googling without success for a few days...
Thanks!
uname -a
Linux OpenWrt 3.10.49 #3 Wed Oct 1 14:00:51 CEST 2014 mips GNU/Linux
cat /etc/config/network
# /etc/config/network (OpenWrt UCI): loopback, LAN bridge, DHCP WAN and the
# 'vpn' interface that wraps OpenVPN's tun0 so the firewall can zone it.
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fdf6:a1b4:c0e7::/48'
# NOTE(review): the LAN is statically 192.168.1.1/24, but the ifconfig output
# further down shows eth0.2 (WAN) receiving 192.168.1.19/24 via DHCP from the
# ISP router - the same subnet on both sides of this router. The route table
# then lists 192.168.1.0/24 on both br-lan and eth0.2, and the host route that
# OpenVPN adds for VPN.SERVER.IP via 192.168.1.254 ends up on br-lan rather
# than eth0.2. Presumably the tunnel's own packets are therefore sent out the
# LAN side once redirect-gateway is applied, which would explain the
# ping-restart / TLS handshake timeouts in the log - confirm by checking which
# interface VPN.SERVER.IP is routed over. Renumbering the LAN to a subnet the
# ISP router does not use (constructed example: 192.168.2.1/24) removes the
# overlap; the DHCP pool and any static LAN hosts must follow.
config interface 'lan'
option ifname 'eth0.1'
option force_link '1'
option type 'bridge'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
# WAN takes its address and default gateway (192.168.1.254 in the route
# table) from the ISP router by DHCP.
config interface 'wan'
option ifname 'eth0.2'
option proto 'dhcp'
config interface 'wan6'
option ifname '@wan'
option proto 'dhcpv6'
# proto 'none' only attaches tun0 to a UCI interface so the firewall 'vpn'
# zone can reference it; OpenVPN itself configures the tunnel address
# (10.8.0.8 -> 10.8.0.9 in the log).
config interface 'vpn'
option ifname 'tun0'
option proto 'none'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
# VLAN 1 = LAN ports (2-5), VLAN 2 = WAN port (1); CPU port 0 is tagged on both.
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '0t 2 3 4 5'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '0t 1'
cat /etc/config/firewall
# /etc/config/firewall (OpenWrt fw3 UCI): three zones (lan, wan, vpn) plus
# the stock WAN input rules. Inter-zone traffic that no 'forwarding' section
# allows falls back to the 'forward' default below (REJECT).
config defaults
option syn_flood 1
option input ACCEPT
option output ACCEPT
option forward REJECT
# Uncomment this line to disable ipv6 rules
# option disable_ipv6 1
config zone
option name lan
list network 'lan'
option input ACCEPT
option output ACCEPT
option forward ACCEPT
config zone
option name wan
list network 'wan'
list network 'wan6'
option input REJECT
option output ACCEPT
option forward REJECT
option masq 1
option mtu_fix 1
# The vpn zone mirrors the wan zone: unsolicited input from the tunnel is
# rejected, LAN addresses are NAT'd (masq) behind the tunnel address, and
# TCP MSS is clamped to the tunnel MTU (mtu_fix).
config zone
option name vpn
list network 'vpn'
option input REJECT
option output ACCEPT
option forward REJECT
option masq 1
option mtu_fix 1
# NOTE(review): the only forwarding allowed is lan -> wan. When the pushed
# 'redirect-gateway def1' moves the default route onto tun0, LAN-originated
# internet traffic egresses through the vpn zone instead, and with no
# 'config forwarding' from lan to vpn it is subject to the REJECT default
# above. For the stated goal (LAN clients via the VPN) a second forwarding
# section with `option src lan` / `option dest vpn` appears to be required -
# confirm once the router itself can reach the internet over the tunnel.
config forwarding
option src lan
option dest wan
# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
option name Allow-DHCP-Renew
option src wan
option proto udp
option dest_port 68
option target ACCEPT
option family ipv4
# Allow IPv4 ping
config rule
option name Allow-Ping
option src wan
option proto icmp
option icmp_type echo-request
option family ipv4
option target ACCEPT
# Allow DHCPv6 replies
# see https://dev.openwrt.org/ticket/10381
config rule
option name Allow-DHCPv6
option src wan
option proto udp
option src_ip fe80::/10
option src_port 547
option dest_ip fe80::/10
option dest_port 546
option family ipv6
option target ACCEPT
# Allow essential incoming IPv6 ICMP traffic
config rule
option name Allow-ICMPv6-Input
option src wan
option proto icmp
list icmp_type echo-request
list icmp_type echo-reply
list icmp_type destination-unreachable
list icmp_type packet-too-big
list icmp_type time-exceeded
list icmp_type bad-header
list icmp_type unknown-header-type
list icmp_type router-solicitation
list icmp_type neighbour-solicitation
list icmp_type router-advertisement
list icmp_type neighbour-advertisement
option limit 1000/sec
option family ipv6
option target ACCEPT
# Allow essential forwarded IPv6 ICMP traffic
config rule
option name Allow-ICMPv6-Forward
option src wan
option dest *
option proto icmp
list icmp_type echo-request
list icmp_type echo-reply
list icmp_type destination-unreachable
list icmp_type packet-too-big
list icmp_type time-exceeded
list icmp_type bad-header
list icmp_type unknown-header-type
option limit 1000/sec
option family ipv6
option target ACCEPT
# include a file with users custom iptables rules
# (/etc/firewall.user below is comment-only, so it adds no rules here)
config include
option path /etc/firewall.user
cat /etc/firewall.user
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.
# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
/etc/openvpn/client.conf
# /etc/openvpn/client.conf - the stock OpenVPN sample client config with the
# remote filled in. The server pushes redirect-gateway, DNS, topology and the
# tunnel addresses (see the PUSH_REPLY line in the log); nothing here
# overrides that.
# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client
# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun
# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one. On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap
# Are we connecting to a TCP or
# UDP server? Use the same setting as
# on the server.
;proto tcp
proto udp
# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote VPN.SERVER.IP 1194
;remote my-server-2 1194
# Choose a random host from the remote
# list for load-balancing. Otherwise
# try hosts in the order specified.
;remote-random
# Keep trying indefinitely to resolve the
# host name of the OpenVPN server. Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite
# Most clients don't need to bind to
# a specific local port number.
nobind
# Downgrade privileges after initialization (non-Windows only)
# NOTE(review): left commented here, so the daemon keeps root for its whole
# lifetime. Dropping to an unprivileged user after init (together with
# persist-key/persist-tun below, which exist for exactly this case) limits
# what a compromised OpenVPN process can do on the router - verify that the
# 'nobody'/'nogroup' names exist on this OpenWrt build before enabling.
;user nobody
;group nogroup
# Try to preserve some state across restarts.
persist-key
persist-tun
# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here. See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
# Wireless networks often produce a lot
# of duplicate packets. Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings
# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
# Verify server certificate by checking
# that the certicate has the nsCertType
# field set to "server". This is an
# important precaution to protect against
# a potential attack discussed here:
# http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server". The build-key-server
# script in the easy-rsa folder will do this.
# NOTE(review): the log confirms this check is enforced (VERIFY OK:
# nsCertType=SERVER), so server identity is verified here. Newer OpenVPN
# releases deprecate ns-cert-type in favour of `remote-cert-tls server`
# (checks the X.509 extended key usage instead of the Netscape extension);
# the 2.3.6 build in the log still accepts the old directive, but switching
# needs server certificates issued with the matching EKU - confirm with the
# server side before changing.
ns-cert-type server
# If a tls-auth key is used on the server
# then every client must also have the key.
# NOTE(review): tls-auth is disabled here. When the server supports it, the
# shared HMAC key lets the client drop unauthenticated packets before the TLS
# handshake, which also hardens the control channel against the kind of
# handshake-stage failures seen in the log. Must match the server config.
;tls-auth ta.key 1
# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
# NOTE(review): with no cipher set, the log shows the data channel falling
# back to the 64-bit block cipher BF-CBC with SHA1 HMAC. A 128-bit block
# cipher (AES-CBC or AES-GCM family) is the usual recommendation; it has to
# be configured identically on the server, so this is a server-side change
# first.
;cipher x
# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
# NOTE(review): compression of an encrypted link is generally discouraged
# in later OpenVPN guidance; keep it only because the server requires it.
comp-lzo
# Set log file verbosity.
verb 3
# Silence repeating messages
;mute 20
(did remove CA, cert & key)
openvpn log
Tue May 5 19:31:22 2015 OpenVPN 2.3.6 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Jan 6 2015
Tue May 5 19:31:22 2015 library versions: OpenSSL 1.0.2a 19 Mar 2015, LZO 2.08
Tue May 5 19:31:22 2015 Socket Buffers: R=[163840->131072] S=[163840->131072]
Tue May 5 19:31:22 2015 UDPv4 link local: [undef]
Tue May 5 19:31:22 2015 UDPv4 link remote: [AF_INET]VPN.SERVER.IP:1194
Tue May 5 19:31:22 2015 TLS: Initial packet from [AF_INET]VPN.SERVER.IP:1194, sid=045af054 d03f6c18
Tue May 5 19:31:23 2015 VERIFY OK: depth=1, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=changeme, CN=changeme, name=changeme, emailAddress=mail@host.domain
Tue May 5 19:31:23 2015 VERIFY OK: nsCertType=SERVER
Tue May 5 19:31:23 2015 VERIFY OK: depth=0, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=changeme, CN=changeme, name=changeme, emailAddress=mail@host.domain
Tue May 5 19:31:25 2015 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue May 5 19:31:25 2015 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue May 5 19:31:25 2015 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue May 5 19:31:25 2015 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue May 5 19:31:25 2015 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Tue May 5 19:31:25 2015 [changeme] Peer Connection Initiated with [AF_INET]94.242.57.198:1194
Tue May 5 19:31:27 2015 SENT CONTROL [changeme]: 'PUSH_REQUEST' (status=1)
Tue May 5 19:31:28 2015 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.8 10.8.0.9'
Tue May 5 19:31:28 2015 OPTIONS IMPORT: timers and/or timeouts modified
Tue May 5 19:31:28 2015 OPTIONS IMPORT: --ifconfig/up options modified
Tue May 5 19:31:28 2015 OPTIONS IMPORT: route options modified
Tue May 5 19:31:28 2015 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Tue May 5 19:31:28 2015 TUN/TAP device tun0 opened
Tue May 5 19:31:28 2015 TUN/TAP TX queue length set to 100
Tue May 5 19:31:28 2015 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Tue May 5 19:31:28 2015 /sbin/ifconfig tun0 10.8.0.8 pointopoint 10.8.0.9 mtu 1500
Tue May 5 19:31:28 2015 /sbin/route add -net VPN.SERVER.IP netmask 255.255.255.255 gw 192.168.1.254
Tue May 5 19:31:28 2015 /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.8.0.9
Tue May 5 19:31:28 2015 /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.8.0.9
Tue May 5 19:31:28 2015 /sbin/route add -net 10.8.0.1 netmask 255.255.255.255 gw 10.8.0.9
Tue May 5 19:31:28 2015 Initialization Sequence Completed
Tue May 5 19:37:26 2015 [changeme] Inactivity timeout (--ping-restart), restarting
Tue May 5 19:37:26 2015 SIGUSR1[soft,ping-restart] received, process restarting
Tue May 5 19:37:26 2015 Restart pause, 2 second(s)
Tue May 5 19:37:28 2015 Socket Buffers: R=[163840->131072] S=[163840->131072]
Tue May 5 19:37:28 2015 UDPv4 link local: [undef]
Tue May 5 19:37:28 2015 UDPv4 link remote: [AF_INET]VPN.SERVER.IP:1194
Tue May 5 19:38:28 2015 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue May 5 19:38:28 2015 TLS Error: TLS handshake failed
Tue May 5 19:38:28 2015 SIGUSR1[soft,tls-error] received, process restarting
Tue May 5 19:38:28 2015 Restart pause, 2 second(s)
Tue May 5 19:38:30 2015 Socket Buffers: R=[163840->131072] S=[163840->131072]
Tue May 5 19:38:30 2015 UDPv4 link local: [undef]
Tue May 5 19:38:30 2015 UDPv4 link remote: [AF_INET]VPN.SERVER.IP:1194
Tue May 5 19:39:30 2015 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue May 5 19:39:30 2015 TLS Error: TLS handshake failed
Tue May 5 19:39:30 2015 SIGUSR1[soft,tls-error] received, process restarting
Tue May 5 19:39:30 2015 Restart pause, 2 second(s)
Tue May 5 19:39:32 2015 Socket Buffers: R=[163840->131072] S=[163840->131072]
Tue May 5 19:39:32 2015 UDPv4 link local: [undef]
Tue May 5 19:39:32 2015 UDPv4 link remote: [AF_INET]VPN.SERVER.IP:1194
This can go on for a long time... it loses the connection too.
If I stop the VPN at that point, that will reset the routing and the connection will work perfect through my ISP.
ifconfig
br-lan Link encap:Ethernet HWaddr 64:XX:XX:XX:XX
inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::6670:2ff:feaa:c9e0/64 Scope:Link
inet6 addr: fdf6:a1b4:c0e7::1/60 Scope:Global
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1952 errors:0 dropped:0 overruns:0 frame:0
TX packets:2620 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:221185 (216.0 KiB) TX bytes:2507888 (2.3 MiB)
eth0 Link encap:Ethernet HWaddr 64:XX:XX:XX:XX
inet6 addr: fe80::6670:2ff:feaa:c9e0/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:4237 errors:0 dropped:4 overruns:0 frame:0
TX packets:3999 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2727046 (2.6 MiB) TX bytes:2717381 (2.5 MiB)
Interrupt:4
eth0.1 Link encap:Ethernet HWaddr 64:XX:XX:XX:XX
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2034 errors:0 dropped:0 overruns:0 frame:0
TX packets:2583 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:230798 (225.3 KiB) TX bytes:2504418 (2.3 MiB)
eth0.2 Link encap:Ethernet HWaddr 64::XX:XX:XX:XX
inet addr:192.168.1.19 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::6670:2ff:feaa:c9e0/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2196 errors:0 dropped:1 overruns:0 frame:0
TX packets:1412 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:2418861 (2.3 MiB) TX bytes:196535 (191.9 KiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:249 errors:0 dropped:0 overruns:0 frame:0
TX packets:249 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:23048 (22.5 KiB) TX bytes:23048 (22.5 KiB)
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.8 P-t-P:10.8.0.9 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:7 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 B) TX bytes:588 (588.0 B)
route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 10.8.0.9 128.0.0.0 UG 0 0 0 tun0
default 192.168.1.254 0.0.0.0 UG 0 0 0 eth0.2
10.8.0.1 10.8.0.9 255.255.255.255 UGH 0 0 0 tun0
10.8.0.9 * 255.255.255.255 UH 0 0 0 tun0
VPN.SERVER.IP 192.168.1.254 255.255.255.255 UGH 0 0 0 br-lan
128.0.0.0 10.8.0.9 128.0.0.0 UG 0 0 0 tun0
192.168.1.0 * 255.255.255.0 U 0 0 0 br-lan
192.168.1.0 * 255.255.255.0 U 0 0 0 eth0.2
Please feel free to ask if you need any more information - and thanks for your precious time if you are willing to help me
Cheers!
(Last edited by johndoe on 5 May 2015, 22:09)