Posted: Thu Jan 17, 2019 19:47 Post subject: Cannot connect to OpenVPN via WAN
Hello, I apologize for yet another VPN-related post but I'm unable to debug my issue by looking at other posts.
The two issues I'm having:
1) I can connect to the VPN when on my local network, but not from any other network
2) Even when connected to the VPN via my local network, I cannot access the admin dashboard but can access other servers on the network (ie, 192.168.1.1 times out, but 192.168.1.180 can connect just fine)
I'm running DD-WRT v3.0-r37015M kongac on a Nighthawk R8000. My server config is in the attached image and my client config is:
client
dev tun0
proto tcp4
remote x.x.x.x 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1
remote-cert-tls server
cipher AES-256-CBC
verb 4
When I connect locally, I'll get logs like:
...
20190117 14:08:28 I TUN/TAP device tun0 opened
20190117 14:08:28 D do_ifconfig tt->did_ifconfig_ipv6_setup=0
20190117 14:08:28 I /sbin/ifconfig tun0 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
20190117 14:08:28 I Listening for incoming TCP connection on [AF_INET][undef]:1194
20190117 14:08:28 I TCPv4_SERVER link local (bound): [AF_INET][undef]:1194
20190117 14:08:28 I TCPv4_SERVER link remote: [AF_UNSPEC]
20190117 14:08:28 I Initialization Sequence Completed
20190117 14:09:24 I TCP connection established with [AF_INET]192.168.1.123:58112
20190117 14:09:25 I 192.168.1.123:58112 peer info: IV_VER=2.4.6
20190117 14:09:25 I 192.168.1.123:58112 peer info: IV_PLAT=win
20190117 14:09:25 I 192.168.1.123:58112 peer info: IV_PROTO=2
20190117 14:09:25 I 192.168.1.123:58112 peer info: IV_NCP=2
20190117 14:09:25 I 192.168.1.123:58112 peer info: IV_LZ4=1
20190117 14:09:25 I 192.168.1.123:58112 peer info: IV_LZ4v2=1
20190117 14:09:25 I 192.168.1.123:58112 peer info: IV_LZO=1
20190117 14:09:25 I 192.168.1.123:58112 peer info: IV_COMP_STUB=1
20190117 14:09:25 I 192.168.1.123:58112 peer info: IV_COMP_STUBv2=1
20190117 14:09:25 I 192.168.1.123:58112 peer info: IV_TCPNL=1
20190117 14:09:25 I 192.168.1.123:58112 peer info: IV_GUI_VER=OpenVPN_GUI_11
20190117 14:09:25 I 192.168.1.123:58112 [client1] Peer Connection Initiated with [AF_INET]192.168.1.123:58112
20190117 14:09:25 I client1/192.168.1.123:58112 MULTI_sva: pool returned IPv4=10.8.0.6 IPv6=(Not enabled)
20190117 14:09:35 N client1/192.168.1.123:58112 Connection reset restarting [-1]
20190117 14:20:17 I TCP connection established with [AF_INET]192.168.1.123:58436
20190117 14:20:18 I 192.168.1.123:58436 peer info: IV_VER=2.4.6
20190117 14:20:18 I 192.168.1.123:58436 peer info: IV_PLAT=win
20190117 14:20:18 I 192.168.1.123:58436 peer info: IV_PROTO=2
20190117 14:20:18 I 192.168.1.123:58436 peer info: IV_NCP=2
20190117 14:20:18 I 192.168.1.123:58436 peer info: IV_LZ4=1
20190117 14:20:18 I 192.168.1.123:58436 peer info: IV_LZ4v2=1
20190117 14:20:18 I 192.168.1.123:58436 peer info: IV_LZO=1
20190117 14:20:18 I 192.168.1.123:58436 peer info: IV_COMP_STUB=1
20190117 14:20:18 I 192.168.1.123:58436 peer info: IV_COMP_STUBv2=1
20190117 14:20:18 I 192.168.1.123:58436 peer info: IV_TCPNL=1
20190117 14:20:18 I 192.168.1.123:58436 peer info: IV_GUI_VER=OpenVPN_GUI_11
20190117 14:20:18 I 192.168.1.123:58436 [client1] Peer Connection Initiated with [AF_INET]192.168.1.123:58436
20190117 14:20:18 I client1/192.168.1.123:58436 MULTI_sva: pool returned IPv4=10.8.0.6 IPv6=(Not enabled)
19691231 19:00:00
But theres no output when connecting from a non-local network. This seems like a firewall mis-configuration to me, but I don't know how to debug such a problem. I've run nmap on my server for port 1194 and its open so that can't be it. Any help is greatly appreciated![/img][/i]
I don't have that router...or use those particular rules..but they should work as I believe many do
Some are not really needed...at least on <Kong> builds
I'm willing to bet that your router does not use tun0 as referenced in your last two rules
My 6300v2 uses tun2 and I recall that fact stumping me for a while
I don't think the log tells you anymore but the openvpn.conf on the router may
Or try changing it and testing
Edit
Just loged in and now see your screenshot
I see you specify tum0 on aditional config.....not sure that will make router honor that though
To be honest I never tried to set it up as a daemon _________________ Location 1
R7800- DD-WRT v3.0-r53562 (10/03/23) Gateway
WNDR3400v1 DD-WRT v3.0-r35531_mega-nv64k (03/26/18 ) Access Point
WRT160Nv3 DD-WRT ?v3?.0-r35531 mini (03/26/18 ) Access Point
WRT54GSv5 DD-WRT v24-r33555_micro_generic (10/20/17) Repeater
Location 2
R7800- DD-WRT v3.0-r51855 (02/25/23) Gateway
R6300v2- DD-WRT v3.0-r50671 (10-26-22) Access Point
WNDR3700v2 DD-WRT v3.0-r35531 std (03/26/18 ) Access Point
E1200 v2 DD-WRT v3.0-r35531 mega-nv64k (03/26/18 ) Gateway(for trivial reasons)
RBWAPG-5HACT2HND-BE RouterOS-v6.46.4 (2/21/20) Outdoor Access Point
2x RBSXTG-5HPACD RouterOS-v6.46.4 (2/21/20) PTP Bridge 866.6Mbps-1GbpsLAN
Location 3
2x R7000- DD-WRT v3.0-r50671 (10/26/22) Access Points
2x RBWAPG-60AD RouterOS-v6.45.9 (04/30/20) PTP Bridge 2.3Gbps-1GbpsLAN
2x RBSXTsqG-5acD RouterOS-v6.49.7 (10/14/22) PTP Bridge 866.6Mbps-1GbpsLAN Thank You BrainSlayer for ALL that you do & have done, also to "most" everyone here that shares their knowledge
Thank you for the response, I'll try some of your suggestions. I just switched "Server" mode and it automatically calls the tunnel tun2 as you said so I'll use that from now on. I'll post back if I'm able to figure this out.
Joined: 18 Mar 2014 Posts: 12917 Location: Netherlands
Posted: Fri Jan 18, 2019 13:30 Post subject:
Yes do as @dr_K said, remove everything from additionel config you can use the push route but even that is not necessary of you enable redirect default gateway.
Remove all firewall rules but you need one firewall rule to NAT the VPN.
there are other preferences but this is what I use:
if 'main gateway router' has the ovpn server then --- at /Diagnostics.asp this should be saved as in Firewall
iptables -t nat -A POSTROUTING -s 10.122.163.240/28 -j MASQUERADE The IP & netmask should match your ovpn server network.
example my ovpn network: 10.122.163.240/28
in router at /Services.asp this should be put in 'Additional DNSMasq Options' if you want ovpn clients to use local DNS
interface=tun2 Should match router ovpn interface. I think most dd-wrt ovpn server would be tun2
|
|
and then there's
|
|
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr` would be only thing used in firewall for ovpn server on a properly configured WAP...
... in this type setup nothing needs added to main router and this will allow ALL clients
connected to the WAPs ovpn server seem as though they are actually on your local network.
Joined: 18 Mar 2014 Posts: 12917 Location: Netherlands
Posted: Fri Jan 18, 2019 20:01 Post subject:
MASQUERADING is the same as source natting to the out interface ie rules of Dr_K and mrjcd are doing the same.
As the VPN net is usually /24 That should probably be used instead of /29.
@mrjcd does not specify an out interface (which I would do) But as the default gateway is the WAN it works anyway.
Thanks a ton for the replies everyone. I did finally get my VPN working by letting the "Server" (as opposed to "Daemon") setting create most of my config file for me and then debugging from there as suggested by Dr_K.
My client config and firewall rules remained the same except they reference tun2 instead of tun0.
Here's my final server config. I don't know exactly which of the new config lines fixed my problem, so I've left some commentary about different sections that might help anyone also having config issues.
# Everything below is pretty much the same as my original file
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
keepalive 10 120
verb 3
mute 3
script-security 2
cipher aes-256-cbc
management 127.0.0.1 14
server 10.8.0.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
tls-auth /tmp/openvpn/ta.key 0
# My config did not include '-server', but I would be surprised if that was the issue
proto tcp4-server
# The port was not explicitly specified in my original config
port 1194
# The default tun # was indeed 2 so I just left it as that
dev tun2
# These next two lines seem like they def could have caused issues by not being included in my original config
tls-server
auth sha256
# I do not understand what the remaining lines do so they may or may not have helped in getting my VPN functional
syslog
management-log-cache 100
writepid /var/run/openvpnd.pid
topology subnet
client-connect /tmp/openvpn/clcon.sh
client-disconnect /tmp/openvpn/cldiscon.sh
client-config-dir /tmp/openvpn/ccd
ifconfig-pool-persist /tmp/openvpn/ip-pool 86400
tcp-nodelay
tun-mtu 1500
mtu-disc yes
iptables -t nat -A POSTROUTING -s xxx.xx.xx.0/29 -o vlan2 -j SNAT --to-source $(nvram get wan_ipaddr)
And this is the rules from @mrjcd
Quote:
iptables -t nat -A POSTROUTING -s 10.122.163.240/28 -j MASQUERADE
First of all this rule is not necessary per se to get VPN working. Without the rule you can connect to the VPN server and can have local acces to the VPN servers network.
The rule is needed if you want to have internet access via the VPN server.
Of course I assume that the router the VPN server is setup on, is your main router i.e. connected to the internet and this router is using NAT which is setting the source addreess of the local client to the externatl IP address of the router.
DDWRT by default only NAT's its own local subnet onto the internet (i.e. 192.168.1.0) and other subnets like the VPN's 10.8.0.0 are not NATted by default (note most vendor software will NAT all subnets by default)
Therefore you need to add an extra rule to NAT additional subnets like the VPN out onto the internet.
the general rul is
Code:
iptables -t nat-I POSTROUTING -j SNAT --to-source
(instead of --to-source you can just use --to )
The most basic rule is to just NAT anything going out of the WAN interface:
where 185.23.65.67 is my external IP address.
This rule is the fastest but external IP addresses can change if your WAN connection type is set to automatic.
So instead of the fixed external IP address we usually need something smarter, we ask the router for its current external IP address.
The exteranl IP address is saved in nvram so we implement an external command in the firewall rule to query the router.
There are two options to execute an external command and get the result into the firewall rule:
use $( ) of ` ` so `nvram get wan_ipaddr` and $(nvram get wan_ipaddr) are doing the same that is just reading the nvram parameter holding the external IP address and inserting it in the rule.
I personally prefer $( ) because I was once debugging a network setup and could not find the error. The error was the use of ' ' instead of ` ` and there are also curly and inverted curly ones hate those
But there is still a different way to get the external IP address and that is the use of -j MASQUERADE.
MASQUERADE is source natting to the out interface and is also dynamic i.e. every time it queries the router for the current external IP address.
This is more universal than the querying of the nvram which is specific for DDWRT.
I am not sure if there are any performance differences
Now on to the use of the out interface.
@mrjcd dows not specify one but as the default route is usually out on to the internet his command will normally use the WAN interface (on newer routers it is vlan2 but on older it was vlan1 or vlan0 I think)
For the the use of SNAT you specify an out interface and as we mostly want to advice a rule for older and newer routers, you can query the router for its WAN interface name with $(nvram get wan_iface) or `nvram get wan_iface` or you can invoke a special external command called get_wanface in all cases it returns the name of your WAN interface. Which is vlan2 on modern routers.
Look in the sbin directory of your router for more external commands.
Actually if you know that it is vlan2, than just using this is faster.
I would specify the out interface because @Eibgrad always told us to be as specific as possible and the rule is more universal using get_wanface instead of querying nvram.
But as said before it is all a matter of personal preference.
Disclaimer: I am not a networking professional so do not confuse my thoughts with the truth
My apologies for this straying off topic, but to anyone following along....this is good information
Thank you again egc for your detailed input and congratulations for getting me to add yet another bookmark to my already bursting folder's of bookmarks
egc wrote:
First of all this rule is not necessary per se to get VPN working. Without the rule you can connect to the VPN server and can have local acces to the VPN servers network.
The rule is needed if you want to have internet access via the VPN server.
Yes this apart of my requirements
egc wrote:
This rule is the fastest but external IP addresses can change if your WAN connection type is set to automatic.
So instead of the fixed external IP address we usually need something smarter, we ask the router for its current external IP address.
The exteranl IP address is saved in nvram so we implement an external command in the firewall rule to query the router.
Yes though not common it does happen...I like to minimize the reconfiguring process to get back up and running
egc wrote:
For @Dr_K your rules are the same and you can use just one of them or use the rule from @mrjcd or mine or mix and match
Now that made me humbly laugh at myself with a slight embarrassment
Goes to show what learning by brail and trial n error can get one to do.....redundantly...
Ironclad00 If you are following along still....in your own thread
You too, but for different reasons are adding extra repetitively redundant rules by keeping the ones from the original tutorial you were following
Sorry, one more slightly OT inquiry
mrjcd wrote
mrjcd wrote:
and then there's
|
|
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr` would be only thing used in firewall for ovpn server on a properly configured WAP...
... in this type setup nothing needs added to main router and this will allow ALL clients
connected to the WAPs ovpn server seem as though they are actually on your local network.
Is this accurate?
Wouldn't one need to... at minimum, forward the VPN's port # to the WAP....on the main router's config?
I ask because this is something I've needed to do at another location in the past....but was leery to forward a port....even if it was to a VPN (there's my cautious paranoia again) _________________ Location 1
R7800- DD-WRT v3.0-r53562 (10/03/23) Gateway
WNDR3400v1 DD-WRT v3.0-r35531_mega-nv64k (03/26/18 ) Access Point
WRT160Nv3 DD-WRT ?v3?.0-r35531 mini (03/26/18 ) Access Point
WRT54GSv5 DD-WRT v24-r33555_micro_generic (10/20/17) Repeater
Location 2
R7800- DD-WRT v3.0-r51855 (02/25/23) Gateway
R6300v2- DD-WRT v3.0-r50671 (10-26-22) Access Point
WNDR3700v2 DD-WRT v3.0-r35531 std (03/26/18 ) Access Point
E1200 v2 DD-WRT v3.0-r35531 mega-nv64k (03/26/18 ) Gateway(for trivial reasons)
RBWAPG-5HACT2HND-BE RouterOS-v6.46.4 (2/21/20) Outdoor Access Point
2x RBSXTG-5HPACD RouterOS-v6.46.4 (2/21/20) PTP Bridge 866.6Mbps-1GbpsLAN
Location 3
2x R7000- DD-WRT v3.0-r50671 (10/26/22) Access Points
2x RBWAPG-60AD RouterOS-v6.45.9 (04/30/20) PTP Bridge 2.3Gbps-1GbpsLAN
2x RBSXTsqG-5acD RouterOS-v6.49.7 (10/14/22) PTP Bridge 866.6Mbps-1GbpsLAN Thank You BrainSlayer for ALL that you do & have done, also to "most" everyone here that shares their knowledge
Joined: 18 Mar 2014 Posts: 12917 Location: Netherlands
Posted: Sat Jan 19, 2019 18:38 Post subject:
The alternative for the rule from @mrjcd is to set the NAT rule for the OVPN subnet on the main router and add a static route on the main router to get the OVPN subnet to the WAP.
So the rule from @mrjcd is an elegant solution especially if the main router is not configurable much.
However there is one drawback all VPN traffic originates from the WAP so you can not differentiate/troubleshoot.
So for larger networks with many clients not my prefered solution.
That said, I am using the rule posted by @mrjcd on my WAP which harbors my backup OVPN server.