Easy VPN client option in Omnia router?

UPDATE: got it working

  1. That guide definitely is missing some very important settings like changing the .ovpn file line `auth-user-pass (filename of authentication txt)`.
  2. FIREWALL for VPN needs to be incoming AND outgoing Accept.

How do I make a setting where there will be no internet if the connection drops?

The guide says to:
Navigate to Network => Firewall and underneath Zones open lan using the Edit button.

Scroll down to Inter-Zone Forwarding and next to Allow forward to destination zones activate only PP_Firewall. Then click on the button Save & Apply.

If you want to disable the firewall protection (“kill switch”) again, next to Allow forward to destination zones: PP-Firewall additionally activate WAN and WAN6.

Will this be sufficient as a no-VPN kill switch?

How would I route VPN only on certain LAN outputs in the back of the router?

Also, should I worry about these warnings in the output of the VPN start-up in syslog? Warnings about inconsistent usage, Permission denied etc.

My ISP does not allow IPv6 and I added `option enabled ipv6 '0'` to everything in the network config, in order to get opkg to download correctly.

```
Jan 16 03:28:50 turris openvpn(PP_ZURICH)[12884]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1581', remote='link-mtu 1633'
Jan 16 03:28:50 turris openvpn(PP_ZURICH)[12884]: WARNING: 'keydir' is present in local config but missing in remote config, local='keydir 0'
Jan 16 03:28:50 turris openvpn(PP_ZURICH)[12884]: WARNING: 'cipher' is used inconsistently, local='cipher AES-256-GCM', remote='cipher AES-256-CBC'
Jan 16 03:28:50 turris openvpn(PP_ZURICH)[12884]: WARNING: 'auth' is used inconsistently, local='auth [null-digest]', remote='auth SHA512'
Jan 16 03:28:51 turris openvpn(PP_ZURICH)[12884]: GDG6: remote_host_ipv6=n/a
Jan 16 03:28:51 turris openvpn(PP_ZURICH)[12884]: GDG6: NLMSG_ERROR: error Permission denied
Jan 16 03:28:51 turris odhcp6c[11010]: Failed to send DHCPV6 message to ff02::1:2 (Permission denied)
Jan 16 03:28:52 turris firewall: Reloading firewall due to ifup of PP_VPN (tun0)
Jan 16 03:28:54 turris openvpn(PP_ZURICH)[12884]: /sbin/route add -net 152.89.162.226 netmask 255.255.255.255 gw 192.168.8.1
Jan 16 03:28:54 turris openvpn(PP_ZURICH)[12884]: /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.5.96.1
Jan 16 03:28:54 turris openvpn(PP_ZURICH)[12884]: /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.5.96.1
Jan 16 03:28:54 turris openvpn(PP_ZURICH)[12884]: add_route_ipv6(2000::/3 -> fdbf:1d37:bbe0:0:86::1 metric -1) dev tun0
Jan 16 03:28:54 turris openvpn(PP_ZURICH)[12884]: /sbin/route -A inet6 add 2000::/3 dev tun0
Jan 16 03:28:54 turris openvpn(PP_ZURICH)[12884]: add_route_ipv6(::/3 -> fdbf:1d37:bbe0:0:86::1 metric -1) dev tun0
Jan 16 03:28:54 turris openvpn(PP_ZURICH)[12884]: /sbin/route -A inet6 add ::/3 dev tun0
Jan 16 03:28:54 turris openvpn(PP_ZURICH)[12884]: add_route_ipv6(2000::/4 -> fdbf:1d37:bbe0:0:86::1 metric -1) dev tun0
Jan 16 03:28:54 turris openvpn(PP_ZURICH)[12884]: /sbin/route -A inet6 add 2000::/4 dev tun0
Jan 16 03:28:54 turris openvpn(PP_ZURICH)[12884]: add_route_ipv6(3000::/4 -> fdbf:1d37:bbe0:0:86::1 metric -1) dev tun0
Jan 16 03:28:54 turris openvpn(PP_ZURICH)[12884]: /sbin/route -A inet6 add 3000::/4 dev tun0
Jan 16 03:28:54 turris openvpn(PP_ZURICH)[12884]: add_route_ipv6(fc00::/7 -> fdbf:1d37:bbe0:0:86::1 metric -1) dev tun0
Jan 16 03:28:54 turris openvpn(PP_ZURICH)[12884]: /sbin/route -A inet6 add fc00::/7 dev tun0
Jan 16 03:28:54 turris openvpn(PP_ZURICH)[12884]: Initialization Sequence Completed
Jan 16 03:29:01 turris /usr/sbin/cron[13399]: (root) CMD (/usr/bin/rainbow_button_sync.sh)
Jan 16 03:29:10 turris kresd[13274]: [ ta ] active refresh failed for . with rcode: 2
Jan 16 03:29:10 turris kresd[13274]: [ ta ] next refresh for . in 2.1712222222222 hours
```
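The kill-switch question above ("will restricting lan forwarding to PP_Firewall be enough?") can be turned into a check that is run against a copy of `/etc/config/firewall` rather than eyeballed in LuCI. The script below is an added example, not from the thread or from Turris OS: it parses the UCI `config forwarding` sections and reports any forwarding from zone `lan` to a zone other than the VPN zone. The two sample firewall fragments it writes are constructed for the demonstration (zone `PP_Firewall` and network `PP_VPN` are the names used in this thread); the function names `lan_forward_dests`, `killswitch_ok`, `write_sample_good` and `write_sample_leaky` are this example's own.

```shell
#!/bin/sh
# Audit an OpenWrt/Turris UCI firewall config for the "kill switch" zone layout the
# guide describes: zone lan may forward only to the VPN zone, never to wan/wan6.
# Added example; zone name PP_Firewall and network PP_VPN are taken from the thread.

# Print the dest zone of every "config forwarding" section whose src is lan.
lan_forward_dests() {   # $1 = path to a UCI firewall config (a copy of /etc/config/firewall)
    awk '
    function flush() {
        if (insec && src == "lan" && dest != "") print dest
        insec = 0; src = ""; dest = ""
    }
    # every "config ..." line closes the previous section; only forwarding sections matter
    /^config[ \t]/ { flush(); if ($2 == "forwarding") insec = 1; next }
    insec && $1 == "option" && $2 == "src"  { src = $3;  gsub(/[^A-Za-z0-9_-]/, "", src) }
    insec && $1 == "option" && $2 == "dest" { dest = $3; gsub(/[^A-Za-z0-9_-]/, "", dest) }
    END { flush() }
    ' "$1"
}

# Exit 0 only if lan forwards to the VPN zone and to nothing else; explain otherwise.
killswitch_ok() {   # $1 = firewall config, $2 = name of the VPN zone
    dests=$(lan_forward_dests "$1")
    status=0
    found=0
    for d in $dests; do
        if [ "$d" = "$2" ]; then
            found=1
        else
            echo "LEAK: zone lan may forward to zone '$d' outside the VPN"
            status=1
        fi
    done
    if [ "$found" -eq 0 ]; then
        echo "NO PATH: zone lan has no forwarding to VPN zone '$2'"
        status=1
    fi
    return $status
}

# Constructed sample: the layout the guide ends with (lan -> PP_Firewall only).
write_sample_good() {   # $1 = output path
    cat > "$1" <<'EOF'
config zone
    option name 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    list network 'lan'

config zone
    option name 'PP_Firewall'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    list network 'PP_VPN'

config forwarding
    option src 'lan'
    option dest 'PP_Firewall'
EOF
}

# Constructed sample: the same file after WAN and WAN6 were re-enabled as destinations.
write_sample_leaky() {   # $1 = output path
    write_sample_good "$1"
    cat >> "$1" <<'EOF'

config forwarding
    option src 'lan'
    option dest 'wan'

config forwarding
    option src 'lan'
    option dest 'wan6'
EOF
}

# Demonstration on the two constructed files.
tmp=$(mktemp -d)
write_sample_good "$tmp/firewall.good"
write_sample_leaky "$tmp/firewall.leaky"
echo "== lan -> PP_Firewall only"
killswitch_ok "$tmp/firewall.good" PP_Firewall && echo "OK: forwarded LAN traffic can only leave through the VPN zone"
echo "== lan -> PP_Firewall, wan, wan6"
killswitch_ok "$tmp/firewall.leaky" PP_Firewall || echo "kill switch not enforced"
rm -rf "$tmp"
```

Run it on the router itself or against a copy of `/etc/config/firewall`. Two limits are worth knowing: the forwarding sections govern only traffic the router forwards for LAN clients, while the router's own processes follow the zone `output` policy and the routing table, so they are outside this check; and the check reads the saved config, not the live ruleset, so compare with `fw3 print` on the device if Save & Apply may not have been pressed.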

ad_guide: on first look that guide is doing something OpenWrt-specific from the very start, so I would stick with the Turris guides for OpenVPN and use luci-openvpn to build the config or use the supplied ones (which is kind of the OpenWrt way). In other words, why not use the official docs?

I think for you, you just need to do something like this to have your config (whatever type) visible in LuCI.

sample:

```
# /etc/config/openvpn
package openvpn

config openvpn custom_config
    option enabled 1
    option config /etc/openvpn/vpn.conf
```

For sure that config must be valid; `openvpn --config /etc/openvpn/vpn.conf` should validate that config. Once you edit it, use `uci commit openvpn` and that should populate it to LuCI so you can enable/disable (start/stop) that instance …

In LuCI there are all possible templates (tunnel, routed, bridged), so you can build a copy/clone of your vpn.conf; instead of in /etc/openvpn you will have it in UCI format in /etc/config/openvpn …

You can have two types of configs … (okay, three if you count UCI itself):
one where you have paths to cert/key/ca/tls files (usually named .conf and used for server and/or client),
second where you have everything needed in one file (preferred variant) (usually named .ovpn, used mainly for client >> resp. maybe for both, I am not sure, but I have never seen a server .ovpn file so far on any of my managed servers at home/work).

ad_networking (routing): that is far from my knowledge :slight_smile: … I am glad that Foris did something automatically and I don’t need to dig into it (in previous versions of TOS there was no Foris plugin, only the LuCI module, and you had to do the CA on your own, routing rules in the firewall and so on … for me those were such “headache maker” evenings :slight_smile:

Maybe I didn’t make it clear in my previous post, but I do have the OpenVPN LuCI client working now, showing the correct IP and everything. The only things I had to change from the guide were the few things mentioned above.

What I was asking was whether I need to worry about / change anything to fix these WARNINGS in the log:

```
WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1581', remote='link-mtu 1633'
Jan 16 03:28:50 turris openvpn(PP_ZURICH)[12884]: WARNING: 'keydir' is present in local config but missing in remote config, local='keydir 0'
Jan 16 03:28:50 turris openvpn(PP_ZURICH)[12884]: WARNING: 'cipher' is used inconsistently, local='cipher AES-256-GCM', remote='cipher AES-256-CBC'
Jan 16 03:28:50 turris openvpn(PP_ZURICH)[12884]: WARNING: 'auth' is used inconsistently, local='auth [null-digest]',
```

Thank you for your help, and I hear you on the routing rabbit hole; it is my next deep dive on this router.
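What those WARNING lines say is easier to judge when the option name, the local value and the remote value are laid out side by side. The script below is an added example (not from the thread or from OpenVPN) that does that for OpenVPN's "is used inconsistently" and "is present in local config but missing in remote config" warnings; the syslog excerpt it works on is constructed from the lines quoted in this thread, written with the straight quotes OpenVPN actually emits. The function names `summarize_openvpn_warnings` and `sample_syslog` are this example's own.

```shell
#!/bin/sh
# Summarise OpenVPN option-mismatch warnings from syslog as option<TAB>local<TAB>remote rows.
# Added example; the sample lines below are constructed after the thread's log.

summarize_openvpn_warnings() {   # reads syslog lines on stdin, writes one TSV row per warning
    awk '
    BEGIN { q = "\047"; quoted = q "[^" q "]*" q }   # regex for one single-quoted fragment
    # collect every quoted fragment of the line into val[1..n]; returns n
    function grab(line,   n) {
        n = 0
        split("", val)
        while (match(line, quoted)) {
            n++
            val[n] = substr(line, RSTART + 1, RLENGTH - 2)
            line = substr(line, RSTART + RLENGTH)
        }
        return n
    }
    # "WARNING: X is used inconsistently, local=X a, remote=X b" -> X, a, b
    /WARNING: .* is used inconsistently/ {
        if (grab($0) >= 3) {           # a truncated line with fewer fragments is skipped
            sub("^" val[1] " ", "", val[2]); sub("^" val[1] " ", "", val[3])
            printf "%s\t%s\t%s\n", val[1], val[2], val[3]
        }
    }
    # "WARNING: X is present in local config but missing in remote config, local=X a" -> X, a, (absent)
    /WARNING: .* is present in local config but missing in remote config/ {
        if (grab($0) >= 2) {
            sub("^" val[1] " ", "", val[2])
            printf "%s\t%s\t(absent)\n", val[1], val[2]
        }
    }
    '
}

# Constructed excerpt in the shape of the thread's log; the non-warning lines show filtering.
sample_syslog() {
    cat <<'EOF'
Jan 16 03:28:50 turris openvpn(PP_ZURICH)[12884]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1581', remote='link-mtu 1633'
Jan 16 03:28:50 turris openvpn(PP_ZURICH)[12884]: WARNING: 'keydir' is present in local config but missing in remote config, local='keydir 0'
Jan 16 03:28:50 turris openvpn(PP_ZURICH)[12884]: WARNING: 'cipher' is used inconsistently, local='cipher AES-256-GCM', remote='cipher AES-256-CBC'
Jan 16 03:28:50 turris openvpn(PP_ZURICH)[12884]: WARNING: 'auth' is used inconsistently, local='auth [null-digest]', remote='auth SHA512'
Jan 16 03:28:52 turris firewall: Reloading firewall due to ifup of PP_VPN (tun0)
Jan 16 03:28:54 turris openvpn(PP_ZURICH)[12884]: Initialization Sequence Completed
EOF
}

# Demonstration: on the router the input would be "logread" instead of sample_syslog.
printf 'option\tlocal\tremote\n'
sample_syslog | summarize_openvpn_warnings
```

Each row is a knob on which the client's configuration differs from what the server announced; the thread's replies act on two of them, the MTU and the cipher. The warnings are printed before the tunnel is established, so the deciding fact is whether `Initialization Sequence Completed` follows and traffic flows, which the log above shows it does.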

You should not specify mtu; you can use the “mtu-fix 1” directive … If you have an mtu value higher than your link-mtu (1500) you will have problems … (remove any directive specifying an mtu value). When I played with the cipher directive, it was better to keep the default (so better to remove your own during testing).

If you look around this forum I have quite a lot of posts related to OpenVPN (in Czech, but the sources and snippets might help if you have some other issues …

Good luck; if anything, feel free to “PM me” :slight_smile:
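The advice in the two replies above (no explicit MTU directive, default cipher while testing) plus the first fix the OP found (`auth-user-pass` must name a credentials file) can be checked mechanically before a config is handed to the router's openvpn instance. The script below is an added example, not the thread's or Turris OS's code: `lint_ovpn` reports each of those points as a finding and also verifies that the credentials file exists and is not world-readable. The sample configs, the host name `vpn.example.net` and the credential file paths are constructed; the function names `lint_ovpn`, `write_bad_ovpn` and `write_good_ovpn` are this example's own.

```shell
#!/bin/sh
# Lint an OpenVPN client config before enabling it on the router. The checks follow
# this thread: no explicit MTU, no hand-set cipher while testing, and auth-user-pass
# pointing at a credentials file that exists and is private to root.
# Added example; sample configs and paths are constructed.

lint_ovpn() {   # $1 = config file; prints FINDING: lines, exit status = number of findings
    cfg=$1
    n=0
    # 1. explicit MTU directives (commented lines starting with # or ; do not match)
    for key in link-mtu tun-mtu; do
        if grep -Eq "^[[:space:]]*$key([[:space:]]|$)" "$cfg"; then
            echo "FINDING: '$key' is set explicitly; drop it and let OpenVPN use the default MTU"
            n=$((n + 1))
        fi
    done
    # 2. hand-set cipher: the log's "cipher is used inconsistently" warning comes from here
    if grep -Eq '^[[:space:]]*cipher[[:space:]]' "$cfg"; then
        echo "FINDING: 'cipher' is set explicitly; remove it while testing or match the server's value"
        n=$((n + 1))
    fi
    # 3. auth-user-pass needs a file argument for an unattended start on the router
    if grep -Eq '^[[:space:]]*auth-user-pass([[:space:]]|$)' "$cfg"; then
        authfile=$(awk '$1 == "auth-user-pass" { print $2; exit }' "$cfg")
        if [ -z "$authfile" ]; then
            echo "FINDING: 'auth-user-pass' names no file; openvpn would prompt on a terminal the router does not have"
            n=$((n + 1))
        elif [ ! -f "$authfile" ]; then
            echo "FINDING: credentials file '$authfile' does not exist"
            n=$((n + 1))
        elif [ -n "$(find "$authfile" -perm -004)" ]; then
            echo "FINDING: credentials file '$authfile' is readable by everyone; chmod 600 it"
            n=$((n + 1))
        fi
    fi
    return $n
}

# Constructed sample in the shape the guide produced: explicit MTU, explicit cipher, bare auth-user-pass.
write_bad_ovpn() {   # $1 = output path
    cat > "$1" <<'EOF'
client
dev tun
proto udp
remote vpn.example.net 1194
link-mtu 1581
cipher AES-256-GCM
auth-user-pass
EOF
}

# Constructed sample after the fixes: no MTU/cipher directives, credentials read from a file.
write_good_ovpn() {   # $1 = output path, $2 = credentials file to reference
    cat > "$1" <<EOF
client
dev tun
proto udp
remote vpn.example.net 1194
# no MTU or cipher directives: defaults and negotiation apply
auth-user-pass $2
EOF
}

# Demonstration on the two constructed files.
tmp=$(mktemp -d)
printf 'vpnuser\nvpnpassword\n' > "$tmp/auth.txt"   # constructed placeholder credentials
chmod 600 "$tmp/auth.txt"
write_bad_ovpn "$tmp/bad.ovpn"
write_good_ovpn "$tmp/good.ovpn" "$tmp/auth.txt"
echo "== bad.ovpn"
lint_ovpn "$tmp/bad.ovpn" || echo "$? finding(s)"
echo "== good.ovpn"
lint_ovpn "$tmp/good.ovpn" && echo "no findings"
rm -rf "$tmp"
```

On the router, run it as `lint_ovpn /etc/openvpn/vpn.conf` (or the .ovpn file) before `openvpn --config` and the `uci commit openvpn` step from the earlier reply; the permission check matters because the credentials file holds the VPN account password in clear text.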

Hi

I am digging up this old thread, because there is no point in opening a new one.

A long time ago I bought an Omnia and put it in the closet when it turned out that I could not make an easy VPN client. I’m just too weak, and I was frustrated then :frowning:

Now I have found this has been added in 5.x, and I have a question before I take my Omnia out of the closet with pleasure:

  1. Is there a kill-switch option, so the entire internet is off when the VPN connection collapses by chance?
  2. Can a bypass be done for selected clients, for example by client IP or per MAC?
  3. Do all internal processes (such as checking for updates or time syncing) also exit via the VPN?

Sorry for my bad English.