
Topic: Connected to VPN but can't access internal ip's


EDIT: It wouldn't allow me to post the URL of the wiki where I got the guide, but it's the wiki HOWTOs » OpenVPN Setup Guide for Beginners

Hi

Was wondering if I could get some help please

Here is my setup:

HUAWEI Home Gateway HG659 is my main router, gateway, DHCP Server, WAN etc connected on 192.168.0.1
I have a NETGEAR WNDR3700 loaded with OpenWrt Chaos Calmer 15.05.1 which is set up as 192.168.0.2 and bridged to 192.168.0.1, not running any DHCP etc., and it seems to work fine as a bridge for all intents and purposes. I use it mainly as a print server and for Wake-on-LAN over the Internet.

Ok so I wanted to set up OpenVPN, and this seems to have worked as it connects with the settings and certificates on my Android device and on a Windows 8.1 machine, but once connected I can't access or ping anything on the internal LAN.

I am getting an IP address of 10.8.0.6 but can't see other hosts, and I can't ping from the VPN client or ping to 10.8.0.6.

I have setup according to this guide:

Using easy-rsa scripts, traditional TUN Server, and set the two firewall forwarding sections under 4 to allow clients to connect within LAN and the reverse.

But as I said, I cannot connect to any internal host ip's once connected. I have done the troubleshooting points 2 and 3 and they were correct.

I have also tried the first option, the "Routing traffic" PUSH setup, first pointing back to 192.168.0.2 where the VPN server is, and then back to 192.168.0.1 where my gateway/DHCP is.

Didn't work

oh and I have also port forwarded 1194 on my router gateway 192.168.0.1 to 192.168.0.2

Here are my logs / settings etc. One thing I have noted is that OpenVPN is not writing a log to /tmp/openvpn.log or anywhere else that I can find, so I can't provide that log file.

cat /etc/config/network

# /etc/config/network as posted. Lines tagged NOTE(review) are reviewer
# observations; the option lines themselves are unchanged.
config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd85:c020:0ff6::/48'

# LAN bridge: static 192.168.0.2/24 with the HG659 (192.168.0.1) as both
# default gateway and DNS, i.e. this router is a second device on the main
# router's subnet rather than a separate network.
config interface 'lan'
        option force_link '1'
        option type 'bridge'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        # The _orig_* keys are presumably LuCI bookkeeping leftovers; only
        # 'ifname' below names the wired bridge member (wireless radios are
        # attached from the wireless config, not shown here).
        option _orig_ifname 'eth0.1 radio0.network1 radio1.network1'
        option _orig_bridge 'true'
        option ifname 'eth0.1'
        option ipaddr '192.168.0.2'
        option gateway '192.168.0.1'
        option dns '192.168.0.1'

# NOTE(review): eth1 (the WAN port) still runs a DHCP client. In the posted
# /etc/config/firewall the 'wan' zone lists only 'wan6', so IPv4 traffic
# arriving on eth1 is not covered by that zone and falls back to the firewall
# 'defaults' section (input ACCEPT). Confirm nothing is plugged into eth1,
# or add this interface to the wan zone.
config interface 'wan'
        option ifname 'eth1'
        option proto 'dhcp'
        option type 'bridge'

config interface 'wan6'
        option ifname 'eth1'
        option proto 'dhcpv6'

# Switch layout: VLAN 1 spans the four LAN ports plus the CPU port (5t).
config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'
        option blinkrate '2'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 3 5t'

config switch_port
        option device 'switch0'
        option port '1'
        option led '6'

config switch_port
        option device 'switch0'
        option port '2'
        option led '9'

config switch_port
        option device 'switch0'
        option port '5'
        option led '2'

# Unmanaged placeholder for OpenVPN's tun0 so the firewall 'vpn' zone can
# reference a network; addressing comes from the openvpn 'server' option.
config interface 'vpn0'
        option ifname 'tun0'
        option proto 'none'
        option auto '1'

cat /etc/config/firewall

# /etc/config/firewall as posted. Lines tagged NOTE(review) are reviewer
# observations; the option lines themselves are unchanged.
#
# These defaults apply to any interface that is not a member of a zone.
# NOTE(review): with 'input ACCEPT' here, an interface left out of every
# zone (see the 'lan' and 'wan' zones below) exposes the router's own
# services on that interface.
config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

# NOTE(review): 'option network' is a single space, so no interface is bound
# to this zone. br-lan traffic is therefore handled by the 'defaults' section
# above, and the three forwardings that name 'lan' (lan->wan, vpn->lan,
# lan->vpn) have no member interface to act on. The intent was presumably
# `option network 'lan'`.
config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network ' '

# NOTE(review): only 'wan6' is a member; the IPv4 'wan' interface (eth1,
# DHCP) is not in this or any other zone, so the REJECT input policy and the
# masquerading below do not apply to IPv4 on eth1. Presumably this should
# read `option network 'wan wan6'`.
config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

# Stock OpenWrt rules: DHCP renewal, ping, IGMP and the IPv6 housekeeping
# protocols allowed in from the wan zone.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fe80::/10'
        option src_port '547'
        option dest_ip 'fe80::/10'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# Custom iptables rules file; its contents are not shown in this post.
config include
        option path '/etc/firewall.user'

# NOTE(review): two unnamed IPsec pass-through rules (ESP and UDP/500 from
# wan into lan). They are unrelated to the OpenVPN setup and, with the lan
# zone currently empty, have no effect; confirm they are still wanted.
config rule
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# No 'dest' option, so this is an input rule: TCP/9100 (raw printing, the
# print-server role mentioned above) to the router itself from the lan zone.
config rule
        option src 'lan'
        option proto 'tcp'
        option dest_port '9100'
        option target 'ACCEPT'

# OpenVPN listener. 'src *' accepts UDP/1194 into the router from every
# zone, which is what allows the port-forward from the HG659 to reach it.
config rule 'Allow_OpenVPN_Inbound'
        option target 'ACCEPT'
        option src '*'
        option proto 'udp'
        option dest_port '1194'

# Zone for tun0 (the vpn0 interface).
# NOTE(review): 'input ACCEPT' grants VPN clients access to every service on
# the router (SSH, LuCI, ...); narrow this to explicit rules if clients are
# not fully trusted. 'masq' on this zone rewrites traffic *leaving* via tun0
# toward the clients; it does not rewrite vpn->lan traffic, so LAN hosts
# still need a route back to 10.8.0.0/24 via 192.168.0.2 (or masquerading on
# the lan zone) before replies can reach the clients - this is the routing
# point raised in the reply below.
config zone 'vpn'
        option name 'vpn'
        option network 'vpn0'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option masq '1'
        option forward 'ACCEPT'

config forwarding 'vpn_forwarding_lan_in'
        option src 'vpn'
        option dest 'lan'

config forwarding 'vpn_forwarding_lan_out'
        option src 'lan'
        option dest 'vpn'

# NOTE(review): this DNAT has no 'src_dport'/'dest_port' restriction, so as
# written every TCP and UDP flow entering from the vpn zone has its
# destination rewritten to 192.168.0.1. That alone would make all LAN hosts
# other than the gateway unreachable from VPN clients. If it was meant to
# forward a single service, add the port options; otherwise remove it.
config redirect
        option target 'DNAT'
        option src 'vpn'
        option dest 'lan'
        option proto 'tcp udp'
        option dest_ip '192.168.0.1'
        option name 'Forward'

cat /etc/config/openvpn

# /etc/config/openvpn as posted: a routed (TUN) server handing out
# 10.8.0.0/24 over UDP/1194 with certificate authentication.
# NOTE(review): there is no 'log' / 'log_append' option here, which matches
# the missing /tmp/openvpn.log mentioned above; with only 'verb 3', output
# goes wherever the init script sends it (likely syslog - check `logread`).
# NOTE(review): no 'push' of a route to 192.168.0.0/24 appears in this
# posted version, so clients only learn the 10.8.0.0/24 tunnel subnet.
# NOTE(review): no explicit 'cipher', 'auth' or 'tls_auth', and no
# 'user'/'group' drop, so the release's built-in defaults apply and the
# daemon keeps root after startup; pinning an AES cipher and adding a
# tls-auth key and an unprivileged user are the usual hardening steps.
config openvpn 'myvpn'
        option enabled '1'
        option verb '3'
        option port '1194'
        option proto 'udp'
        option dev 'tun'
        option server '10.8.0.0 255.255.255.0'
        option keepalive '10 120'
        option ca '/etc/openvpn/ca.crt'
        option cert '/etc/openvpn/my-server.crt'
        option key '/etc/openvpn/my-server.key'
        option dh '/etc/openvpn/dh2048.pem'

Many Thanks!

(Last edited by icanfly on 9 Jan 2018, 13:37)

I forgot to mention I also tried disabling the firewall but that didn't help either so I guess nothing is being blocked. Ta

Sorry all to waste your time, worked out you need to use TAP for a server-bridge connection. But now I have another problem TAP is not allowed on Android hmm

So I guess you can't have TUN and get VPN working to bridge?

Thanks

icanfly wrote:

Sorry all to waste your time, worked out you need to use TAP for a server-bridge connection. But now I have another problem TAP is not allowed on Android hmm

So I guess you can't have TUN and get VPN working to bridge?

Thanks

Can't you use routing instead of bridging? If you can't add a static route to your main router then you could use a subnet of your lan (192.168.0.0/24) and use proxy arp on openwrt.

After configuring the IP addresses, add the following to /etc/sysctl.d/local.conf and run "sysctl -p /etc/sysctl.d/local.conf" to enable proxy_arp without needing to reboot.

# Proxy-ARP on both the LAN bridge and the tunnel so 192.168.0.2 answers ARP
# for VPN-client addresses taken from the LAN subnet (the routing-instead-of-
# bridging approach described above).
# NOTE(review): sysctl keys are normally written without a leading "sys."
# (net.ipv4.conf.br-lan.proxy_arp); confirm these keys are accepted by
# `sysctl -p` before relying on them. Proxy ARP also means this router
# answers for addresses it does not own, so keep the VPN client range small
# and distinct from the HG659's DHCP pool to avoid address conflicts.
sys.net.ipv4.conf.br-lan.proxy_arp=1
sys.net.ipv4.conf.tun0.proxy_arp=1
