OpenWrt Forum Archive

Topic: OpenVpn configuration issues

The content of this topic has been archived on 6 May 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hello!

I've been trying to set up a VPN server on a router with OpenWrt installed

I can successfully connect to the VPN, and ping and traceroute work from the client. However, I don't seem to get internet access through the VPN. DNS also seems to work just fine. Using Wireshark it does look like some TCP traffic goes through, so it doesn't look like a firewall problem. However, I can't seem to be able to create a connection through the VPN.

Could you please help me out? I've disabled the firewall on the server side to make sure it's not the culprit.

Here is my server config:

ca /etc/openvpn/ca.crt
cert /etc/openvpn/my-server.crt
dev tun
dh /etc/openvpn/dh2048.pem
keepalive 10 120
key /etc/openvpn/my-server.key
port 1194
proto udp
server 10.8.0.0 255.255.255.0
verb 3
push "route 192.168.1.0 255.255.255.0"
push "redirect-gateway def1"

And my network setup on the server side:

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdc3:aa38:426c::/48'

config interface 'lan'
        option ifname 'eth0'
        option force_link '1'
        option type 'bridge'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option ifname 'eth1'
        option proto 'dhcp'
        option peerdns '0'
        option dns '8.8.8.8 8.8.4.4'

config interface 'wan6'
        option ifname 'eth1'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 3 4'

config interface 'vpn0'
        option _orig_ifname 'tun0'
        option _orig_bridge 'false'
        option ifname 'tun0'
        option proto 'none'

(Last edited by deerss on 24 Dec 2017, 13:30)

An update: From the client side, curl seems to work for http, but not for https.

I wonder if I need to do something to allow encrypted traffic to go through the VPN?


So to summarize:
1. The connection to the VPN server works
2. Even with the firewall off (on both sides) I can't make an https connection
3. But http works fine...

(Last edited by deerss on 24 Dec 2017, 13:56)

It is rather strange. I don't think your firewall has separate rules for port 443, specific to https. Furthermore, you tried to disable it with no effect. Does your curl work fine without establishing the OpenVPN connection on your client?

You have dev tun in the VPN config and ifname tun0 in the network config.  It should be the same name both places.

Also you have to put the VPN tunnel in the lan firewall zone or create a new zone for it that forwards to wan.
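A worked /etc/config/firewall fragment for the second suggestion above (a dedicated zone for the tunnel that forwards to wan and lan). This is an added example, not from any post in the thread. It assumes the tunnel interface is named vpn0 and wraps tun0, as in the posted network config, that the server listens on udp/1194 as in the posted server config, and that the default OpenWrt wan zone with masquerading and mtu_fix already exists; the zone and rule names are made up.

```uci
# /etc/config/firewall (added example; zone and rule names are assumptions)

# Let the OpenVPN handshake reach the router from the Internet.
config rule
	option name 'Allow-OpenVPN'
	option src 'wan'
	option proto 'udp'
	option dest_port '1194'
	option target 'ACCEPT'

# Zone for the tunnel. 'network' names the UCI interface that wraps tun0
# (vpn0 in the posted network config). For the interface to actually
# catch the device, the server config should say 'dev tun0', not 'dev tun'.
config zone
	option name 'vpn'
	option network 'vpn0'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '0'

# VPN clients reach the Internet through the wan zone, which masquerades
# their 10.8.0.0/24 addresses behind the WAN address.
config forwarding
	option src 'vpn'
	option dest 'wan'

# VPN clients reach the LAN, matching the pushed 192.168.1.0/24 route.
config forwarding
	option src 'vpn'
	option dest 'lan'

# Optional: let LAN hosts initiate connections to VPN clients as well.
config forwarding
	option src 'lan'
	option dest 'vpn'
```

After editing, run /etc/init.d/firewall reload. Keep the wan zone's default option mtu_fix '1': it clamps TCP MSS on everything forwarded out through wan, and a tunnel that is in no zone gets no such clamping. That is the usual reason large TLS handshakes stall across a tunnel while short http responses get through, and it is one explanation for a "works for http but not https" symptom even with the firewall rules otherwise permissive.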

mk24 wrote:

You have dev tun in the VPN config and ifname tun0 in the network config.  It should be the same name both places.

Also you have to put the VPN tunnel in the lan firewall zone or create a new zone for it that forwards to wan.


Thank you very much this indeed worked! Still have no idea why some of the traffic was getting through, but it is all good now.

What is the proper way to combine the OpenVPN and MWAN3 packages?
I'm about to replace my older Attitude Adjustment based MWAN router.
I've moved to a load-balanced mix of DSL and T-Mobile LTE 4G, but I want VPN too.

Here are the two obvious topologies:
Should I configure and have MWAN3 load balance two VPN connections to different VPN servers (one over each gateway)?
Or should I configure one VPN connection to one server and have MWAN3 try to load balance the traffic on each gateway?

It seems like it would be better to have two VPN connections, one through each gateway since MWAN3 routes traffic based on the odd/even-ness of the destination IP address.

Has anyone successfully used multiple gateways (via MWAN3) and VPN?
I've had trouble before getting VPN to work across T-Mobile's networks, they seem to inject RST packets.
Any suggestions on which VPN service provider to use for this (NordVPN, PureVPN, etc?)

(Last edited by Sorbe on 29 Dec 2017, 01:31)

Open two VPN client connections, one dedicated to each ISP (by binding to a specific interface in the configuration).  They can connect to the same server if the service allows you to have multiple connections.  Then load balance the traffic going into the VPN tunnels.

Load balancing is based on selecting the least busy ISP for each new connection initiated by a user.  When you pass everything through a VPN, there are no new connections to the WAN interfaces.  One persistent connection is opened at the start and all the various traffic goes through it.

(Last edited by mk24 on 29 Dec 2017, 02:32)
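An added example (not from the thread) of the first step in the reply above: pinning each OpenVPN client's traffic to its server onto one ISP with mwan3 rules, so that one tunnel always rides the DSL link and the other always rides the LTE link. It assumes the two mwan3 interfaces are named wan (DSL) and wanb (LTE) with the stock wan_only and wanb_only policies, that both clients use udp/1194, and uses 203.0.113.10 and 198.51.100.20 (documentation ranges) as placeholder VPN server addresses.

```uci
# /etc/config/mwan3 fragment (added example; server addresses, interface
# and policy names are assumptions based on the stock mwan3 defaults)

# All traffic from the first OpenVPN client to its server leaves via DSL only.
config rule 'vpn_a_via_dsl'
	option dest_ip '203.0.113.10'
	option proto 'udp'
	option dest_port '1194'
	option use_policy 'wan_only'

# All traffic from the second OpenVPN client to its server leaves via LTE only.
config rule 'vpn_b_via_lte'
	option dest_ip '198.51.100.20'
	option proto 'udp'
	option dest_port '1194'
	option use_policy 'wanb_only'
```

mwan3 evaluates rules top to bottom and applies them to the router's own outgoing packets as well as forwarded ones, so these two rules must sit above the catch-all default_rule that uses the balanced policy; otherwise the OpenVPN processes would be balanced like any other new flow. The *_only policies have no fallback by design: if the DSL link goes down, tunnel A drops rather than silently migrating to LTE, which is what you want when the point is one tunnel per ISP. Balancing LAN traffic into the two tunnels is a separate step: the client configs need deterministic device names (dev tun0 and dev tun1), each tunnel is then added as its own mwan3 interface with its own tracking hosts, and a second balanced policy spreads new LAN connections across them.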
