OpenVPN connects but no data transmitted

Hello everyone,

I'm new here, so apologies if something goes wrong.

There were a few similar topics, but IMO I couldn't find a resolution to my exact problem. I'm using the newest TO OS 3 and the OpenVPN plugin. Installation went by the book. The keys/profile were moved to a client device and the CA is done on TO.

I'm trying to use OpenVPN from an Android phone with the OpenVPN for Android application. It connects to my Omnia as it should, but it never gets data from my Omnia: either the IP is still the mobile operator's own, or "nothing" works and the Android phone browser reports an error resolving DNS. When disconnecting from the VPN, naturally data moves over mobile data.

I have tried changing the Foris options "All traffic through VPN" and "Use DNS from VPN". No change.

Before I add tons of logs, I thought this was an easy wizard way to get OpenVPN working. So what am I missing? The first problem was "connection refused", but that was solved by starting the OpenVPN service from LuCI (I thought it was automatic when activating the OpenVPN plugin from Foris).

However, I'm hoping to get help, and once again apologies in advance if I'm missing something already.


Hi,
if you don't change anything and everything is default, only enabled via Foris, OpenVPN should work. Check in LuCI that the vpn_turris interface has an address. The setting requires a static IP and allocating an IP in the VPN range. If you changed something on the firewall, check the routing table.

Thanks @Jan_Coufal for the reply!

LuCI says there is no IP at vpn_turris and the protocol is unmanaged. So what should I change? Set the protocol to static address and insert my public IP into it?

There is a subnet in Foris, 10.xxxx. Simply add a static IP like 10.xxx.1.

Testing the .ovpn profile on the local network usually fails. Use a different ISP if possible. If you can't (or it is still failing on mobile data), add "float" and "mssfix 0" to the client config file and retry. Also, make sure you really have the CA files present on the router, and eventually restart the OpenVPN service (ensure it is running fine). You can validate the server config without starting the service, in the terminal (there is an option for that), so you know there is no issue with it.
You can also check whether you have OpenVPN-related rules in the UCI config for firewall/networking (there is a difference between the actually used ones located in /tmp and those in /etc/config).

The VPN interface should be unmanaged; it is handled by the OpenVPN daemon directly (if OpenVPN is up you will see vpn_turris "active" in the LuCI overview/interfaces section). If the tunnel is active, the packet count will rise.

Hi,

I'm using a different ISP, and thus mobile data. It is easy to check that it is not using the VPN, and if it is, nothing works.

In Foris:
Current settings
Network: 10.111.111.0/24
Device: tun_turris
Port: 1194
Route: 192.168.1.0/24
I'm using server-side DNS because otherwise there are no DNS servers in the client config.

In LuCI:
VPN_TURRIS

Uptime: 0h 5m 32s
MAC-Address: 00:00:00:00:00:00
RX: 16.53 KB (260 Pkts.) <-- this came when I connected to the VPN once successfully, according to OpenVPN for Android (but no data can be transmitted)
TX: 0 B (0 Pkts.)

Interfaces - VPN_TURRIS

  • [Firewall Settings]
    vpn_turris: vpn_turris: Ethernet Adapter: "tun_turris" <-- this is checked under firewall settings

The protocol is unmanaged, as @Maxmilian_Picmaus said, and the RX value indicates that.

However, I cannot get any data out of my phone; it's like connecting to the VPN blocks everything. If I use "exclude app from VPN" in OpenVPN for Android, then of course the app I selected works with my mobile ISP's data.

How do you have your zones/interfaces configured? This seems to be a glitch in the firewall rules (just a wild guess). I faced this some time ago and the root cause was in my zone forwarding setup (you might have the VPN stream rejected by iptables/firewall). In /etc/config/firewall you should have a section reflecting the picture below.

Thanks.

Let's see. There were differences from your firewall setup:
lan => wan, vpn_turris was all accept; changed that to match the picture
wan => reject was the same
vpn_turris => lan, wan was the same
guest_turris => wan was the same

Now the vpn_turris interface gets RX and TX data when I am browsing from the phone's browser, BUT the problem persists. When connected to the VPN, "my IP" shows the mobile data IP (ISP), and the TX data indicates just a few KB, so I don't believe it actually moves data, just some "headers"/DNS queries maybe?

When in Foris I set "All traffic through VPN" and "Use DNS from VPN",
the VPN connection stops working at all and the phone's browser says err_name_not_resolved (the web page (server IP, e.g. google) could not be found).

I assume you have masquerading (that should handle DNS) and MSS clamping the same?
Can you share your client and server config (there should be three "list push" directives for routing, DNS and DHCP; if they are missing, maybe that's the root cause) and maybe the "firewall" as well?

Aside from that, there are usually OpenVPN and system logs which should give some info. On the client side (not sure how it is on mobile, but on Windows you have the option to set the client log level ad hoc, so you will receive some info on what is happening).

Yes, that is correct per the picture you provided.

To be honest, now I have no idea where I can get the server-side config. Foris just "does it" but still does not help the user check every aspect, as this thread already shows.

This I can provide here; I'm trying to remove my personal info (hopefully), so don't get confused. I set the verbose log to the highest level.

2019-09-05 07:17:24 official build 0.7.8 running on HONOR NEM-L21 (hi6250), Android 7.0 (HONORNEM-L21) API 24, ABI arm64-v8a, xxx
2019-09-05 07:17:24 Building configuration…
2019-09-05 07:17:24 started Socket Thread
2019-09-05 07:17:24 Network Status: CONNECTED LTE to MOBILE internet
2019-09-05 07:17:24 Debug state info: CONNECTED LTE to MOBILE internet, pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED
2019-09-05 07:17:24 Debug state info: CONNECTED LTE to MOBILE internet, pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED
2019-09-05 07:17:24 Waiting 0s seconds between connection attempt
2019-09-05 07:17:24 Current Parameter Settings:
2019-09-05 07:17:24 config = ‘/data/user/0/de.blinkt.openvpn/cache/android.conf’
2019-09-05 07:17:24 mode = 0
2019-09-05 07:17:24 show_ciphers = DISABLED
2019-09-05 07:17:24 show_digests = DISABLED
2019-09-05 07:17:24 show_engines = DISABLED
2019-09-05 07:17:24 genkey = DISABLED
2019-09-05 07:17:24 key_pass_file = ‘[UNDEF]’
2019-09-05 07:17:24 show_tls_ciphers = DISABLED
2019-09-05 07:17:24 connect_retry_max = 0
2019-09-05 07:17:24 Connection profiles [0]:
2019-09-05 07:17:24 proto = udp
2019-09-05 07:17:24 local = ‘[UNDEF]’
2019-09-05 07:17:24 local_port = ‘[UNDEF]’
2019-09-05 07:17:24 remote = ‘xxx’
2019-09-05 07:17:24 remote_port = ‘1194’
2019-09-05 07:17:24 remote_float = DISABLED
2019-09-05 07:17:24 bind_defined = DISABLED
2019-09-05 07:17:24 bind_local = DISABLED
2019-09-05 07:17:24 bind_ipv6_only = DISABLED
2019-09-05 07:17:24 connect_retry_seconds = 2
2019-09-05 07:17:24 connect_timeout = 120
2019-09-05 07:17:24 socks_proxy_server = ‘[UNDEF]’
2019-09-05 07:17:24 socks_proxy_port = ‘[UNDEF]’
2019-09-05 07:17:24 tun_mtu = 1500
2019-09-05 07:17:24 tun_mtu_defined = ENABLED
2019-09-05 07:17:24 link_mtu = 1500
2019-09-05 07:17:24 link_mtu_defined = DISABLED
2019-09-05 07:17:24 tun_mtu_extra = 0
2019-09-05 07:17:24 tun_mtu_extra_defined = DISABLED
2019-09-05 07:17:24 mtu_discover_type = -1
2019-09-05 07:17:24 fragment = 0
2019-09-05 07:17:24 mssfix = 1450
2019-09-05 07:17:24 explicit_exit_notification = 0
2019-09-05 07:17:24 tls_auth_file = ‘[UNDEF]’
2019-09-05 07:17:24 key_direction = not set
2019-09-05 07:17:24 tls_crypt_file = ‘[UNDEF]’
2019-09-05 07:17:25 tls_crypt_v2_file = ‘[UNDEF]’
2019-09-05 07:17:25 Connection profiles END
2019-09-05 07:17:25 remote_random = DISABLED
2019-09-05 07:17:25 ipchange = ‘[UNDEF]’
2019-09-05 07:17:25 dev = ‘tun’
2019-09-05 07:17:25 dev_type = ‘[UNDEF]’
2019-09-05 07:17:25 dev_node = ‘[UNDEF]’
2019-09-05 07:17:25 lladdr = ‘[UNDEF]’
2019-09-05 07:17:25 topology = 1
2019-09-05 07:17:25 ifconfig_local = ‘[UNDEF]’
2019-09-05 07:17:25 ifconfig_remote_netmask = ‘[UNDEF]’
2019-09-05 07:17:25 ifconfig_noexec = DISABLED
2019-09-05 07:17:25 ifconfig_nowarn = ENABLED
2019-09-05 07:17:25 ifconfig_ipv6_local = ‘[UNDEF]’
2019-09-05 07:17:25 ifconfig_ipv6_netbits = 0
2019-09-05 07:17:25 ifconfig_ipv6_remote = ‘[UNDEF]’
2019-09-05 07:17:25 shaper = 0
2019-09-05 07:17:25 mtu_test = 0
2019-09-05 07:17:25 mlock = DISABLED
2019-09-05 07:17:25 keepalive_ping = 0
2019-09-05 07:17:25 keepalive_timeout = 0
2019-09-05 07:17:25 inactivity_timeout = 0
2019-09-05 07:17:25 ping_send_timeout = 0
2019-09-05 07:17:25 ping_rec_timeout = 0
2019-09-05 07:17:25 ping_rec_timeout_action = 0
2019-09-05 07:17:25 ping_timer_remote = DISABLED
2019-09-05 07:17:25 remap_sigusr1 = 0
2019-09-05 07:17:25 persist_tun = ENABLED
2019-09-05 07:17:25 persist_local_ip = DISABLED
2019-09-05 07:17:25 persist_remote_ip = DISABLED
2019-09-05 07:17:25 persist_key = DISABLED
2019-09-05 07:17:25 passtos = DISABLED
2019-09-05 07:17:25 resolve_retry_seconds = 1000000000
2019-09-05 07:17:25 resolve_in_advance = ENABLED
2019-09-05 07:17:25 username = ‘[UNDEF]’
2019-09-05 07:17:25 groupname = ‘[UNDEF]’
2019-09-05 07:17:25 chroot_dir = ‘[UNDEF]’
2019-09-05 07:17:25 cd_dir = ‘[UNDEF]’
2019-09-05 07:17:25 writepid = ‘[UNDEF]’
2019-09-05 07:17:25 up_script = ‘[UNDEF]’
2019-09-05 07:17:25 down_script = ‘[UNDEF]’
2019-09-05 07:17:25 down_pre = DISABLED
2019-09-05 07:17:25 up_restart = DISABLED
2019-09-05 07:17:25 up_delay = DISABLED
2019-09-05 07:17:25 daemon = DISABLED
2019-09-05 07:17:25 inetd = 0
2019-09-05 07:17:25 log = DISABLED
2019-09-05 07:17:25 suppress_timestamps = DISABLED
2019-09-05 07:17:25 machine_readable_output = ENABLED
2019-09-05 07:17:25 nice = 0
2019-09-05 07:17:25 verbosity = 4
2019-09-05 07:17:25 mute = 0
2019-09-05 07:17:25 gremlin = 0
2019-09-05 07:17:25 status_file = ‘[UNDEF]’
2019-09-05 07:17:25 status_file_version = 1
2019-09-05 07:17:25 status_file_update_freq = 60
2019-09-05 07:17:25 occ = ENABLED
2019-09-05 07:17:25 rcvbuf = 0
2019-09-05 07:17:25 sndbuf = 0
2019-09-05 07:17:25 sockflags = 0
2019-09-05 07:17:25 fast_io = DISABLED
2019-09-05 07:17:25 comp.alg = 0
2019-09-05 07:17:25 comp.flags = 0
2019-09-05 07:17:25 route_script = ‘[UNDEF]’
2019-09-05 07:17:25 route_default_gateway = ‘[UNDEF]’
2019-09-05 07:17:25 route_default_metric = 0
2019-09-05 07:17:25 route_noexec = DISABLED
2019-09-05 07:17:25 route_delay = 0
2019-09-05 07:17:25 route_delay_window = 30
2019-09-05 07:17:25 route_delay_defined = DISABLED
2019-09-05 07:17:25 route_nopull = DISABLED
2019-09-05 07:17:25 route_gateway_via_dhcp = DISABLED
2019-09-05 07:17:25 allow_pull_fqdn = DISABLED
2019-09-05 07:17:25 management_addr = ‘/data/user/0/de.blinkt.openvpn/cache/mgmtsocket’
2019-09-05 07:17:25 management_port = ‘unix’
2019-09-05 07:17:25 management_user_pass = ‘[UNDEF]’
2019-09-05 07:17:25 management_log_history_cache = 250
2019-09-05 07:17:25 management_echo_buffer_size = 100
2019-09-05 07:17:25 management_write_peer_info_file = ‘[UNDEF]’
2019-09-05 07:17:25 management_client_user = ‘[UNDEF]’
2019-09-05 07:17:25 management_client_group = ‘[UNDEF]’
2019-09-05 07:17:25 management_flags = 294
2019-09-05 07:17:25 shared_secret_file = ‘[UNDEF]’
2019-09-05 07:17:25 key_direction = not set
2019-09-05 07:17:25 ciphername = ‘BF-CBC’
2019-09-05 07:17:25 ncp_enabled = ENABLED
2019-09-05 07:17:25 ncp_ciphers = ‘AES-256-GCM:AES-128-GCM’
2019-09-05 07:17:25 authname = ‘SHA1’
2019-09-05 07:17:25 prng_hash = ‘SHA1’
2019-09-05 07:17:25 prng_nonce_secret_len = 16
2019-09-05 07:17:25 keysize = 0
2019-09-05 07:17:25 engine = DISABLED
2019-09-05 07:17:25 replay = ENABLED
2019-09-05 07:17:25 mute_replay_warnings = ENABLED
2019-09-05 07:17:25 replay_window = 64
2019-09-05 07:17:25 replay_time = 15
2019-09-05 07:17:25 packet_id_file = ‘[UNDEF]’
2019-09-05 07:17:25 test_crypto = DISABLED
2019-09-05 07:17:25 tls_server = DISABLED
2019-09-05 07:17:25 tls_client = ENABLED
2019-09-05 07:17:25 key_method = 2
2019-09-05 07:17:25 ca_file = ‘[[INLINE]]’
2019-09-05 07:17:25 ca_path = ‘[UNDEF]’
2019-09-05 07:17:25 dh_file = ‘[UNDEF]’
2019-09-05 07:17:25 cert_file = ‘[[INLINE]]’
2019-09-05 07:17:25 extra_certs_file = ‘[UNDEF]’
2019-09-05 07:17:25 priv_key_file = ‘[[INLINE]]’
2019-09-05 07:17:25 pkcs12_file = ‘[UNDEF]’
2019-09-05 07:17:25 cipher_list = ‘[UNDEF]’
2019-09-05 07:17:25 cipher_list_tls13 = ‘[UNDEF]’
2019-09-05 07:17:25 tls_cert_profile = ‘[UNDEF]’
2019-09-05 07:17:25 tls_verify = ‘[UNDEF]’
2019-09-05 07:17:25 tls_export_cert = ‘[UNDEF]’
2019-09-05 07:17:25 verify_x509_type = 0
2019-09-05 07:17:25 verify_x509_name = ‘[UNDEF]’
2019-09-05 07:17:25 crl_file = ‘[UNDEF]’
2019-09-05 07:17:25 ns_cert_type = 0
2019-09-05 07:17:25 remote_cert_ku[i] = 65535
2019-09-05 07:17:25 remote_cert_ku[i] = 0
2019-09-05 07:17:25 remote_cert_ku[i] = 0
2019-09-05 07:17:25 remote_cert_ku[i] = 0
2019-09-05 07:17:25 remote_cert_ku[i] = 0
2019-09-05 07:17:25 remote_cert_ku[i] = 0
2019-09-05 07:17:25 remote_cert_ku[i] = 0
2019-09-05 07:17:25 remote_cert_ku[i] = 0
2019-09-05 07:17:25 remote_cert_ku[i] = 0
2019-09-05 07:17:25 remote_cert_ku[i] = 0
2019-09-05 07:17:25 remote_cert_ku[i] = 0
2019-09-05 07:17:25 remote_cert_ku[i] = 0
2019-09-05 07:17:25 remote_cert_ku[i] = 0
2019-09-05 07:17:25 remote_cert_ku[i] = 0
2019-09-05 07:17:25 remote_cert_ku[i] = 0
2019-09-05 07:17:25 remote_cert_ku[i] = 0
2019-09-05 07:17:25 remote_cert_eku = ‘TLS Web Server Authentication’
2019-09-05 07:17:25 ssl_flags = 0
2019-09-05 07:17:25 tls_timeout = 2
2019-09-05 07:17:25 renegotiate_bytes = -1
2019-09-05 07:17:25 renegotiate_packets = 0
2019-09-05 07:17:25 renegotiate_seconds = 3600
2019-09-05 07:17:25 handshake_window = 60
2019-09-05 07:17:25 transition_window = 3600
2019-09-05 07:17:25 single_session = DISABLED
2019-09-05 07:17:25 push_peer_info = DISABLED
2019-09-05 07:17:25 tls_exit = DISABLED
2019-09-05 07:17:25 tls_crypt_v2_genkey_type = ‘[UNDEF]’
2019-09-05 07:17:25 tls_crypt_v2_genkey_file = ‘[UNDEF]’
2019-09-05 07:17:25 tls_crypt_v2_metadata = ‘[UNDEF]’
2019-09-05 07:17:25 client = ENABLED
2019-09-05 07:17:25 pull = ENABLED
2019-09-05 07:17:25 auth_user_pass_file = ‘[UNDEF]’
2019-09-05 07:17:25 OpenVPN 2.5-icsopenvpn [git:icsopenvpn/v0.7.8-0-g168367a5] arm64-v8a [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Feb 22 2019
2019-09-05 07:17:25 library versions: OpenSSL 1.1.1a 20 Nov 2018, LZO 2.10
2019-09-05 07:17:25 MANAGEMENT: Connected to management server at /data/user/0/de.blinkt.openvpn/cache/mgmtsocket
2019-09-05 07:17:25 MANAGEMENT: CMD ‘version 3’
2019-09-05 07:17:25 MANAGEMENT: CMD ‘hold release’
2019-09-05 07:17:25 Control Channel MTU parms [ L:1621 D:1212 EF:38 EB:0 ET:0 EL:3 ]
2019-09-05 07:17:25 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
2019-09-05 07:17:25 Local Options String (VER=V4): ‘V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client’
2019-09-05 07:17:25 Expected Remote Options String (VER=V4): ‘V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server’
2019-09-05 07:17:25 TCP/UDP: Preserving recently used remote address: [AF_INET]xxx:1194
2019-09-05 07:17:25 Socket Buffers: R=[212992->212992] S=[212992->212992]
2019-09-05 07:17:25 MANAGEMENT: CMD ‘bytecount 2’
2019-09-05 07:17:25 MANAGEMENT: CMD ‘state on’
2019-09-05 07:17:25 MANAGEMENT: CMD ‘needok ‘PROTECTFD’ ok’
2019-09-05 07:17:25 UDP link local: (not bound)
2019-09-05 07:17:25 UDP link remote: [AF_INET]xxx:1194
2019-09-05 07:17:25 MANAGEMENT: >STATE:1567657044,WAIT,
2019-09-05 07:17:25 MANAGEMENT: >STATE:1567657045,AUTH,
2019-09-05 07:17:25 TLS: Initial packet from [AF_INET]xxx:1194, sid=066c7b18 3975bce8
2019-09-05 07:17:25 VERIFY OK: depth=1, CN=openvpn
2019-09-05 07:17:25 VERIFY KU OK
2019-09-05 07:17:25 Validating certificate extended key usage
2019-09-05 07:17:25 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2019-09-05 07:17:25 VERIFY EKU OK
2019-09-05 07:17:25 VERIFY OK: depth=0, CN=turris
2019-09-05 07:17:25 NOTE: Options consistency check may be skewed by version differences
2019-09-05 07:17:25 WARNING: ‘version’ is used inconsistently, local=‘version V4’, remote=‘version V0 UNDEF’
2019-09-05 07:17:25 WARNING: ‘dev-type’ is present in local config but missing in remote config, local=‘dev-type tun’
2019-09-05 07:17:25 WARNING: ‘link-mtu’ is present in local config but missing in remote config, local=‘link-mtu 1541’
2019-09-05 07:17:25 WARNING: ‘tun-mtu’ is present in local config but missing in remote config, local=‘tun-mtu 1500’
2019-09-05 07:17:25 WARNING: ‘cipher’ is present in local config but missing in remote config, local=‘cipher BF-CBC’
2019-09-05 07:17:25 WARNING: ‘auth’ is present in local config but missing in remote config, local=‘auth SHA1’
2019-09-05 07:17:25 WARNING: ‘keysize’ is present in local config but missing in remote config, local=‘keysize 128’
2019-09-05 07:17:25 WARNING: ‘tls-server’ is present in local config but missing in remote config, local=‘tls-server’
2019-09-05 07:17:25 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
2019-09-05 07:17:25 [turris] Peer Connection Initiated with [AF_INET]xxx:1194
2019-09-05 07:17:26 MANAGEMENT: >STATE:1567657046,GET_CONFIG,
2019-09-05 07:17:26 SENT CONTROL [turris]: ‘PUSH_REQUEST’ (status=1)
2019-09-05 07:17:26 PUSH: Received control message: ‘PUSH_REPLY,route 192.168.1.0 255.255.255.0,redirect-gateway def1,dhcp-option DNS 10.111.111.1,route 10.111.111.1,topology net30,ping 10,ping-restart 120,ifconfig 10.111.111.6 10.111.111.5,peer-id 0,cipher AES-256-GCM’
2019-09-05 07:17:26 OPTIONS IMPORT: timers and/or timeouts modified
2019-09-05 07:17:26 OPTIONS IMPORT: --ifconfig/up options modified
2019-09-05 07:17:26 OPTIONS IMPORT: route options modified
2019-09-05 07:17:26 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2019-09-05 07:17:26 OPTIONS IMPORT: peer-id set
2019-09-05 07:17:26 OPTIONS IMPORT: adjusting link_mtu to 1624
2019-09-05 07:17:26 OPTIONS IMPORT: data channel crypto options modified
2019-09-05 07:17:26 Data Channel: using negotiated cipher ‘AES-256-GCM’
2019-09-05 07:17:26 Data Channel MTU parms [ L:1552 D:1450 EF:52 EB:406 ET:0 EL:3 ]
2019-09-05 07:17:26 Outgoing Data Channel: Cipher ‘AES-256-GCM’ initialized with 256 bit key
2019-09-05 07:17:26 Incoming Data Channel: Cipher ‘AES-256-GCM’ initialized with 256 bit key
2019-09-05 07:17:26 ROUTE_GATEWAY 127.100.103.119
2019-09-05 07:17:26 do_ifconfig, ipv4=1, ipv6=0
2019-09-05 07:17:26 MANAGEMENT: >STATE:1567657046,ASSIGN_IP,10.111.111.6,
2019-09-05 07:17:26 MANAGEMENT: CMD ‘needok ‘IFCONFIG’ ok’
2019-09-05 07:17:26 MANAGEMENT: CMD ‘needok ‘ROUTE’ ok’
2019-09-05 07:17:26 MANAGEMENT: >STATE:1567657046,ADD_ROUTES,
2019-09-05 07:17:26 MANAGEMENT: CMD ‘needok ‘ROUTE’ ok’
2019-09-05 07:17:26 MANAGEMENT: CMD ‘needok ‘ROUTE’ ok’
2019-09-05 07:17:26 MANAGEMENT: CMD ‘needok ‘DNSSERVER’ ok’
2019-09-05 07:17:26 MANAGEMENT: CMD ‘needok ‘PERSIST_TUN_ACTION’ OPEN_BEFORE_CLOSE’
2019-09-05 07:17:26 Opening tun interface:
2019-09-05 07:17:26 Local IPv4: 10.111.111.6/30 IPv6: (not set) MTU: 1500
2019-09-05 07:17:26 DNS Server: 10.111.111.1, Domain: null
2019-09-05 07:17:26 Routes: 0.0.0.0/0, 10.111.111.1/32, 10.111.111.4/30, 192.168.1.0/24
2019-09-05 07:17:26 Routes excluded:
2019-09-05 07:17:26 VpnService routes installed: 0.0.0.0/0
2019-09-05 07:17:26 Disallowed VPN apps:
2019-09-05 07:17:26 MANAGEMENT: CMD ‘needok ‘OPENTUN’ ok’
2019-09-05 07:17:26 WARNING: this configuration may cache passwords in memory – use the auth-nocache option to prevent this
2019-09-05 07:17:26 Initialization Sequence Completed
2019-09-05 07:17:26 MANAGEMENT: >STATE:1567657046,CONNECTED,SUCCESS,10.111.111.6,xxx,1194,
2019-09-05 07:17:27 Debug state info: CONNECTED LTE to MOBILE internet, pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED
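The verbose client log above carries the one line that decides what the phone does with its traffic: the PUSH_REPLY. The script below is an added example, not code from this thread or from Turris OS. It parses an OpenVPN 2.x client log such as the one posted, extracts the pushed options and reports what a full-tunnel setup would be missing (a tunnel address, redirect-gateway, a DNS server reachable through the tunnel). The embedded log excerpt is constructed from the values quoted above, keeping the same "xxx" redaction; the subnet 10.111.111.0/24 is the one Foris shows, and the function and constant names are this example's own.

```python
"""Sanity-check the PUSH_REPLY an OpenVPN 2.x client received.

Added example, not code from this thread or from Turris OS. It reads a
client log like the one posted above and reports which push options a
full-tunnel setup depends on are missing. The log excerpt embedded below is
constructed to match the values quoted in the thread.
"""
import ipaddress
import re

# OpenVPN logs the server's reply as one quoted line. Accept straight and
# typographic quotes, because copy-pasting into a forum often converts them.
PUSH_RE = re.compile(
    r"PUSH: Received control message: ['\u2018](PUSH_REPLY,[^'\u2019]*)['\u2019]")

# Constructed excerpt (values as in the thread, server address redacted there).
SAMPLE_LOG = """\
2019-09-05 07:17:25 [turris] Peer Connection Initiated with [AF_INET]xxx:1194
2019-09-05 07:17:26 SENT CONTROL [turris]: 'PUSH_REQUEST' (status=1)
2019-09-05 07:17:26 PUSH: Received control message: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0,redirect-gateway def1,dhcp-option DNS 10.111.111.1,route 10.111.111.1,topology net30,ping 10,ping-restart 120,ifconfig 10.111.111.6 10.111.111.5,peer-id 0,cipher AES-256-GCM'
2019-09-05 07:17:26 Initialization Sequence Completed
"""


def parse_push_reply(log_text):
    """Return the pushed options as (name, [args]) pairs, or None if absent."""
    m = PUSH_RE.search(log_text)
    if not m:
        return None
    options = []
    for item in m.group(1).split(",")[1:]:      # skip the PUSH_REPLY token
        words = item.strip().split()
        if words:
            options.append((words[0], words[1:]))
    return options


def check_push(options, server_subnet):
    """Return a list of findings; an empty list means the push is complete.

    server_subnet is the 'Network' value Foris shows, e.g. '10.111.111.0/24'.
    """
    net = ipaddress.ip_network(server_subnet)
    names = {name for name, _ in options}
    findings = []

    ifconfig = [args for name, args in options if name == "ifconfig"]
    if not ifconfig:
        findings.append("no ifconfig pushed: the client gets no tunnel address")
    elif ipaddress.ip_address(ifconfig[0][0]) not in net:
        findings.append("ifconfig %s is outside %s" % (ifconfig[0][0], net))

    if "redirect-gateway" not in names:
        findings.append("no redirect-gateway: only the pushed routes use the "
                        "tunnel, so a 'what is my IP' page still shows the ISP")

    # Pushed routes are 'route <net> [<mask>]'; a bare address means a /32.
    routed = [net]
    for name, args in options:
        if name == "route" and args:
            mask = args[1] if len(args) > 1 else "255.255.255.255"
            routed.append(ipaddress.ip_network("%s/%s" % (args[0], mask),
                                               strict=False))

    dns = [args[1] for name, args in options
           if name == "dhcp-option" and len(args) > 1 and args[0] == "DNS"]
    if not dns:
        findings.append("no dhcp-option DNS: names resolve via the ISP or fail")
    for server in dns:
        addr = ipaddress.ip_address(server)
        if "redirect-gateway" not in names and not any(addr in r for r in routed):
            findings.append("DNS %s is neither in %s nor in a pushed route"
                            % (server, net))
    return findings


def diagnose(log_text, server_subnet):
    """Findings for a whole log, or one finding if the server pushed nothing."""
    options = parse_push_reply(log_text)
    if options is None:
        return ["no PUSH_REPLY in log: the server never sent its options"]
    return check_push(options, server_subnet)


if __name__ == "__main__":
    for line in diagnose(SAMPLE_LOG, "10.111.111.0/24") or ["push looks complete"]:
        print(line)
```

For the log quoted above the script reports nothing missing: the client was told its address, a default route through the tunnel, the LAN route and a DNS server inside the tunnel subnet. When that is the case and the phone's public IP still shows the ISP, the client side has been ruled out and the fault is behind the tunnel, in forwarding or NAT on the router.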

OK.

There are UCI configs (read by the Foris/LuCI web app) in /etc/config/openvpn, /etc/config/firewall and so on. During service startup these are taken and used as the source for an "ad-hoc" generated one (usually a combination of the generic/common and UCI configs together, usually in /var/run or /tmp).

In Foris there is just a plugin on top of OpenVPN;
in LuCI you have some more options to play with the OpenVPN setup (but usually the Foris stuff should work by default == if you have some changes in firewalling/zones/routing you can face some issues).

The output seems normal; from my reading this is fine. You can connect and establish the tunnel, but data is not passing through. The TLS warnings are fine; TOS does not use TLS by default. So that really points to the zones/firewall configs. If you do not get disconnected after some timeout, that means the VPN is fine (the tunnel is established). There is even the correct push directive event in the log (that's good). But there is no "route adding" afterwards (that's not good). What is not clear to me: this is your gateway, ROUTE_GATEWAY 127.100.103.119; is that the correct IP of your WAN? (I assume that is your ISP's, not the router's.)

list push directives sample
    list push 'route 192.168.1.0 255.255.255.0' ## lan definition
    list push 'redirect-gateway def1'
    list push 'dhcp-option DNS 10.100.100.1' ## dhcp for openvpn

When using mobile, are you using the native OpenVPN app for iOS/Android or the "bundled" feature of some vendors? Can you test it from some other client (Win10/Linux/OSX)? If on the same LAN, float/mssfix needs to be added and it should work.

BTW: '/data/user/0/de.blinkt.openvpn/cache/android.conf', is that really your config?

Without the log output from the same time I am a bit lost.

In /etc/config/openvpn:

config openvpn 'custom_config'
    option enabled '0'
    option config '/etc/openvpn/my-vpn.conf'

config openvpn 'sample_server'
    option enabled '0'
    option port '1194'
    option proto 'udp'
    option dev 'tun'
    option ca '/etc/openvpn/ca.crt'
    option cert '/etc/openvpn/server.crt'
    option key '/etc/openvpn/server.key'
    option dh '/etc/openvpn/dh1024.pem'
    option server '10.8.0.0 255.255.255.0'
    option ifconfig_pool_persist '/tmp/ipp.txt'
    option keepalive '10 120'
    option compress 'lzo'
    option persist_key '1'
    option persist_tun '1'
    option user 'nobody'
    option status '/tmp/openvpn-status.log'
    option verb '3'

config openvpn 'sample_client'
    option enabled '0'
    option client '1'
    option dev 'tun'
    option proto 'udp'
    list remote 'my_server_1 1194'
    option resolv_retry 'infinite'
    option nobind '1'
    option persist_key '1'
    option persist_tun '1'
    option user 'nobody'
    option ca '/etc/openvpn/ca.crt'
    option cert '/etc/openvpn/client.crt'
    option key '/etc/openvpn/client.key'
    option compress 'lzo'
    option verb '3'

config openvpn 'server_turris'
    option port '1194'
    option proto 'udp'
    option dev 'tun_turris'
    option ca '/etc/ssl/ca/openvpn/ca.crt'
    option crl_verify '/etc/ssl/ca/openvpn/ca.crl'
    option cert '/etc/ssl/ca/openvpn/01.crt'
    option key '/etc/ssl/ca/openvpn/01.key'
    option dh '/etc/dhparam/dh-default.pem'
    option server '10.111.111.0 255.255.255.0'
    option ifconfig_pool_persist '/tmp/ipp.txt'
    option duplicate_cn '0'
    option keepalive '10 120'
    option persist_key '1'
    option persist_tun '1'
    option status '/tmp/openvpn-status.log'
    option verb '3'
    option mute '20'
    option enabled '1'
    list push 'route 192.168.1.0 255.255.255.0'
    list push 'redirect-gateway def1'
    list push 'dhcp-option DNS 10.111.111.1'

In /etc/config/firewall:

config zone 'vpn_turris'
    option name 'vpn_turris'
    option input 'ACCEPT'
    option forward 'REJECT'
    option output 'ACCEPT'
    option masq '1'
    option enabled '1'
    list network 'vpn_turris'

config rule 'vpn_turris_rule'
    option name 'vpn_turris_rule'
    option target 'ACCEPT'
    option proto 'udp'
    option src 'wan'
    option dest_port '1194'
    option enabled '1'

config forwarding 'vpn_turris_forward_lan_in'
    option src 'vpn_turris'
    option dest 'lan'
    option enabled '1'

config forwarding 'vpn_turris_forward_lan_out'
    option src 'lan'
    option dest 'vpn_turris'
    option enabled '1'

config forwarding 'vpn_turris_forward_wan_out'
    option src 'vpn_turris'
    option dest 'wan'
    option enabled '1'

config zone 'guest_turris'
    option enabled '1'
    option name 'guest_turris'
    option input 'REJECT'
    option forward 'REJECT'
    option output 'ACCEPT'
    list network 'guest_turris'

config forwarding 'guest_turris_forward_wan'
    option enabled '1'
    option name 'guest to wan forward'
    option src 'guest_turris'
    option dest 'wan'

config rule 'guest_turris_dns_rule'
    option enabled '1'
    option name 'guest dns rule'
    option src 'guest_turris'
    option proto 'tcpudp'
    option dest_port '53'
    option target 'ACCEPT'

config rule 'guest_turris_dhcp_rule'
    option enabled '1'
    option name 'guest dhcp rule'
    option src 'guest_turris'
    option proto 'udp'
    option src_port '67-68'
    option dest_port '67-68'
    option target 'ACCEPT'

config redirect 'adblock_dns'
    option name 'Adblock DNS'
    option src 'lan'
    option proto 'tcp udp'
    option src_dport '53'
    option dest_port '53'
    option target 'DNAT'

Good point! ROUTE_GATEWAY 127.100.103.119 <-- isn't that a local loopback IP address, like 127.0.0.1? That may of course cause problems, but I have no idea why it's there or how to change it.

Where should this appear, or how do I configure it correctly?

I'm using the "OpenVPN for Android" application by de.blinkt.openvpn. It can be found on the Play Store.

I tried this with my phone but added float and mssfix 0. It connects via the same LAN Wi-Fi, but the same problem exists as before. The route gateway is the same and no data is transmitted.

Well, I moved the client config from Foris to my phone and imported it in "OpenVPN for Android".

So what more logs do you need, and from where?

Thanks for being patient!

ad_firewall: the rules seem to be fine (can you see the "names" in the LuCI/network/firewall/traffic-rules section, i.e. whether those are really applied?).

You have it correctly defined in the "server_turris" OpenVPN configuration; that should work nicely, no need for change. And yes, loopback is usually 127.0.0.1.

You have it already in your config (done by the Foris plugin), so that's fine as well.

Ah so, hmm, if there is a vendor app, usually that is a "client to provider" application, sometimes compatible with/enabled to use common .ovpn profiles. Anyway, I would recommend the official Android client:

On the Google Play Store, the client you can download and install for free is called OpenVPN Connect.

At least for initial testing. On the other hand, the "xiaomi" MIUI VPN connector surprisingly detects the ovpn profile automatically, and it works as part of the system, not via the OpenVPN Connect app.

There are more names, but for example:

vpn_turris_rule Any udp
From any host in wan
To any router IP at port 1194 on this device
Accept input
This is naturally enabled like the rest of the rules.

There are no open ports, no forward rules and no source NAT values.

OK. I tested the official version of OpenVPN, using mobile data (real-case scenario).

Log:

19:34:44.283 – ----- OpenVPN Start -----

19:34:44.285 – EVENT: CORE_THREAD_ACTIVE

19:34:44.289 – OpenVPN core 3.git::728733ae:Release android arm64 64-bit PT_PROXY built on Aug 14 2019 14:13:26

19:34:44.314 – Frame=512/2048/512 mssfix-ctrl=1250

19:34:44.324 – UNUSED OPTIONS
4 [resolv-retry] [infinite]
5 [nobind]
6 [persist-key]
7 [persist-tun]
8 [mute-replay-warnings]
13 [verb] [3]

19:34:44.332 – EVENT: RESOLVE

19:34:44.352 – Contacting xxx:1194 via UDP

19:34:44.354 – EVENT: WAIT

19:34:44.387 – Connecting to [xxx]:1194 (xxx) via UDPv4

19:34:44.423 – EVENT: CONNECTING

19:34:44.433 – Tunnel Options:V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client

19:34:44.434 – Creds: UsernameEmpty/PasswordEmpty

19:34:44.437 – Peer Info:
IV_GUI_VER=OC30Android
IV_VER=3.git::728733ae:Release
IV_PLAT=android
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2
IV_AUTO_SESS=1
IV_BS64DL=1

19:34:44.738 – VERIFY OK : depth=1
cert. version : 3
serial number : xxx
issuer name : CN=openvpn
subject name : CN=openvpn
issued on : 2019-09-02 19:01:30
expires on : 2029-08-30 19:01:30
signed using : RSA with SHA-256
RSA key size : 4096 bits
basic constraints : CA=true
subject alt name :
cert. type : SSL CA
key usage : Key Cert Sign, CRL Sign

19:34:44.740 – VERIFY OK : depth=0
cert. version : 3
serial number : 01
issuer name : CN=openvpn
subject name : CN=turris
issued on : 2019-09-02 19:02:06
expires on : 2029-08-30 19:02:06
signed using : RSA with SHA-256
RSA key size : 4096 bits
basic constraints : CA=false
cert. type : SSL Server
key usage : Digital Signature, Key Encipherment
ext key usage : TLS Web Server Authentication

19:34:45.173 – SSL Handshake: TLSv1.2/TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384

19:34:45.175 – Session is ACTIVE

19:34:45.176 – EVENT: GET_CONFIG

19:34:45.189 – Sending PUSH_REQUEST to server…

19:34:45.222 – OPTIONS:
0 [route] [192.168.1.0] [255.255.255.0]
1 [redirect-gateway] [def1]
2 [dhcp-option] [DNS] [10.111.111.1]
3 [route] [10.111.111.1]
4 [topology] [net30]
5 [ping] [10]
6 [ping-restart] [120]
7 [ifconfig] [10.111.111.6] [10.111.111.5]
8 [peer-id] [0]
9 [cipher] [AES-256-GCM]

19:34:45.224 – PROTOCOL OPTIONS:
cipher: AES-256-GCM
digest: SHA1
compress: NONE
peer ID: 0

19:34:45.225 – EVENT: ASSIGN_IP

19:34:45.255 – Connected via tun

19:34:45.257 – EVENT: CONNECTED info=‘xxx:1194 (xxx) via /UDPv4 on tun/10.111.111.6/ gw=[10.111.111.5/]’ trans=TO_CONNECTED

19:36:54.633 – EVENT: CORE_THREAD_INACTIVE trans=TO_DISCONNECTED

19:36:54.635 – Tunnel bytes per CPU second: 0

19:36:54.637 – ----- OpenVPN Stop -----

Same problem: it connects fine, but no data is transmitted; it can't find any web pages etc.

ad rules: hmm, strange; now I really don't know where to look.

Unless you changed the MTU globally, you should always stay under 1500; for debugging you can set it lower...

That means you reach your OpenVPN server... so now you have to find out where the end of the tunnel actually is (some ping/tracert/dig/nslookup from that Android).

Here, if that helps, are my VPN-related rules in the firewall UCI config.

firewall

config rule
    option name 'Allow-ESP-Inbound'
    option src 'wan'
    option family 'ipv4'
    option dest 'lan'
    option proto 'esp'
    option target 'ACCEPT'

config rule
    option name 'Allow-ISAKMP-Inbound'
    option src 'wan'
    option family 'ipv4'
    option dest 'lan'
    option dest_port '500'
    option proto 'udp'
    option target 'ACCEPT'

config rule 'vpn_turris_rule'
    option name 'vpn_turris_rule'
    option target 'ACCEPT'
    option proto 'udp'
    option src 'wan'
    option dest_port 'xxxx'

config zone 'vpn_turris'
    option name 'vpn_turris'
    option input 'ACCEPT'
    option forward 'REJECT'
    option output 'ACCEPT'
    option masq '1'
    list network 'vpn_turris'

config forwarding 'vpn_turris_forward_lan_in'
    option src 'vpn_turris'
    option dest 'lan'

config forwarding 'vpn_turris_forward_lan_out'
    option src 'lan'
    option dest 'vpn_turris'

config forwarding 'vpn_turris_forward_wan_out'
    option src 'vpn_turris'
    option dest 'wan'

I haven't changed anything; this is the default value.

Well, with ConnectBot (an Android terminal emulator), ping google.com says unknown host while connected to the OpenVPN server (TO).
So I don't know what else to test?

Some differences there are:

config forwarding 'vpn_turris_forward_lan_in'
    option src 'vpn_turris'
    option dest 'lan'
    option enabled '1' <-- you don't have this

option enabled '1' <-- I have this

config forwarding 'vpn_turris_forward_wan_out'
    option src 'vpn_turris'
    option dest 'wan'
    option enabled '1'

But I assume these don't affect anything?

What else is left?

But somehow in the log it is reporting 1540, and that is very possibly the root cause (I faced that some time ago and it was exactly the reason why my tunnel was not working properly). Normally this should not need any adjustment (only when you are testing something "not default"). Check if you can change/lower the MTU in the OpenVPN server config (via LuCI) to see if there is any difference. Below is what you should see (MTU-related stuff) in the client VPN log...

tun-mtu,link-mtu log sample

Wed Jan 04 21:53:03 2017 us=8815 tun_mtu = 1500
Wed Jan 04 21:53:03 2017 us=8815 tun_mtu_defined = ENABLED
Wed Jan 04 21:53:03 2017 us=8815 tun_mtu_extra = 0
Wed Jan 04 21:53:03 2017 us=8815 tun_mtu_extra_defined = DISABLED
Wed Jan 04 21:53:03 2017 us=8815 mtu_discover_type = -1
Wed Jan 04 21:53:03 2017 us=8815 fragment = 0
Wed Jan 04 21:53:03 2017 us=8815 mssfix = 0

Try "trace" ("tracert") to your "lan" and "vpn" hosts/IPs, plus some generic ones like 4.4.4.4, 1.1.1.1 and so on, to get an overview of what is replying and what is not, and where the route ends... that might give you some info.

Those are the rules which do the forwarding from/to zones (what you see in LuCI in the zone overview), so that is pretty important. Yes, I might have some disabled ones (depending on whether you check/uncheck the option for traffic control for the VPN... to go through the router to the internet or not). Sorry for the confusion, but I hope you get the picture anyway.

Aside from that, I am sure that in the kernel log you will see the rejected packets from the VPN zone when testing the connection. Also in the system log there should be some info related to the VPN.
Always check if you get an assigned IP from the DHCP server, and if you get the correct push-list directive for routing and gateway... I would test OpenVPN directly on Turris from some user's SSH session and/or from some "desktop".
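The UCI fragments quoted earlier in the thread (the server_turris section with its three list push directives, and the vpn_turris zone with its rule and forwarding sections) can be checked against each other mechanically, which is what the forwarding discussion above comes down to: every pushed option relies on one firewall piece, and a forwarding section that is missing or carries option enabled '0' silently takes that piece away. The script below is an added example, not code from this thread or from Turris OS. It parses UCI text and reports, per enabled OpenVPN server section, which dependency is missing. The embedded configs are constructed from the thread's values; the zone names wan and lan, the masq '1' on the wan zone and the function names are this example's assumptions.

```python
"""Cross-check a Turris OpenVPN server section against the firewall UCI.

Added example, not code from this thread or from Turris OS. It parses the
UCI text of /etc/config/openvpn and /etc/config/firewall (as quoted earlier
in the thread) and reports the firewall piece each pushed option depends on
when that piece is missing or disabled. The configs below are constructed
from the thread's values; the stock OpenWrt zone names 'wan' and 'lan' and
the masq '1' on the wan zone are assumptions of this example.
"""
import ipaddress
import re
import shlex

UCI_LINE = re.compile(r"^\s*(config|option|list)\s+(.*)$")
OPENVPN_CFG = """\
config openvpn 'server_turris'
    option port '1194'
    option proto 'udp'
    option server '10.111.111.0 255.255.255.0'
    list push 'route 192.168.1.0 255.255.255.0'
    list push 'redirect-gateway def1'
    list push 'dhcp-option DNS 10.111.111.1'
"""
FIREWALL_CFG = """\
config zone
    option name 'wan'
    option masq '1'
config zone 'vpn_turris'
    option name 'vpn_turris'
    option input 'ACCEPT'
    list network 'vpn_turris'
config rule 'vpn_turris_rule'
    option target 'ACCEPT'
    option proto 'udp'
    option src 'wan'
    option dest_port '1194'
config forwarding 'vpn_turris_forward_lan_in'
    option src 'vpn_turris'
    option dest 'lan'
config forwarding 'vpn_turris_forward_wan_out'
    option src 'vpn_turris'
    option dest 'wan'
"""


def parse_uci(text):
    """Parse UCI text into dicts with '.type', '.name', options and lists."""
    sections = []
    for raw in text.splitlines():
        # Forum copy-paste turns ' into typographic quotes; normalise first.
        m = UCI_LINE.match(raw.replace("\u2018", "'").replace("\u2019", "'"))
        if not m:
            continue                        # blank lines, editor residue
        kind, words = m.group(1), shlex.split(m.group(2))
        if kind == "config":
            sections.append({".type": words[0],
                             ".name": words[1] if len(words) > 1 else None})
        elif kind == "option" and len(words) >= 2:
            sections[-1][words[0]] = words[1]
        elif kind == "list" and len(words) >= 2:
            sections[-1].setdefault(words[0], []).append(words[1])
    return sections


def enabled(section):
    return section.get("enabled", "1") != "0"   # OpenWrt default is enabled


def check_vpn_firewall(openvpn_text, firewall_text, vpn_zone):
    """Return findings for every enabled OpenVPN server section; [] is good."""
    fw = parse_uci(firewall_text)
    zones = {z.get("name"): z for z in fw if z[".type"] == "zone" and enabled(z)}
    pairs = {(f.get("src"), f.get("dest"))
             for f in fw if f[".type"] == "forwarding" and enabled(f)}
    rules = [r for r in fw if r[".type"] == "rule" and enabled(r)]
    findings = []
    for srv in parse_uci(openvpn_text):
        if srv[".type"] != "openvpn" or "server" not in srv or not enabled(srv):
            continue
        tag, push = srv[".name"] or "openvpn", srv.get("push", [])
        port, proto = srv.get("port", "1194"), srv.get("proto", "udp")
        net = ipaddress.ip_network(srv["server"].replace(" ", "/"))
        # 1. The listening port must be accepted as input from wan.
        if not any(r.get("src") == "wan" and "dest" not in r
                   and r.get("target") == "ACCEPT" and r.get("dest_port") == port
                   and proto in r.get("proto", "tcp udp") for r in rules):
            findings.append("%s: no rule accepting %s/%s from wan" % (tag, proto, port))
        zone = zones.get(vpn_zone)
        if zone is None:
            findings.append("%s: no enabled zone named %s" % (tag, vpn_zone))
            continue
        # 2. redirect-gateway: client internet traffic must be forwarded
        #    vpn -> wan and masqueraded on the wan zone.
        if any(p.startswith("redirect-gateway") for p in push):
            if (vpn_zone, "wan") not in pairs:
                findings.append("%s: redirect-gateway pushed but no forwarding "
                                "%s -> wan" % (tag, vpn_zone))
            if zones.get("wan", {}).get("masq") != "1":
                findings.append("%s: wan zone does not masquerade" % tag)
        # 3. A pushed LAN route needs vpn -> lan forwarding.
        if any(p.startswith("route ") for p in push) and (vpn_zone, "lan") not in pairs:
            findings.append("%s: route pushed but no forwarding %s -> lan" % (tag, vpn_zone))
        # 4. A DNS server inside the tunnel subnet is the router itself, so
        #    the zone must accept input for port 53 to be reachable.
        dns = [p.split()[2] for p in push if p.startswith("dhcp-option DNS ")]
        if not dns:
            findings.append("%s: no dhcp-option DNS pushed" % tag)
        elif zone.get("input") != "ACCEPT" and any(
                ipaddress.ip_address(d) in net for d in dns):
            findings.append("%s: DNS %s pushed but zone %s rejects input"
                            % (tag, dns[0], vpn_zone))
    return findings
```

Run against the constructed pair above it returns an empty list; disable the vpn_turris -> wan forwarding (add option enabled '0' to that section) and it names exactly that forwarding, which is the symptom in this thread: the tunnel comes up, the push is correct, and yet nothing beyond the router answers. The same check on the real files is `uci export openvpn` and `uci export firewall` fed in as the two texts.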

I have exactly the same behavior, with OpenVPN and WireGuard.
https://forum.test.turris.cz/t/openvpn-no-dns-anymore/10886?u=drhirn

Do you have the correct IP on the vpn_turris interface? I had to set a static IP to have access to the LAN.

In the meantime I found out it must have something to do with my smartphone/Android. The same configuration files work fine when trying from my laptop. Currently investigating what could be the reason. Maybe something I missed with the new OpenVPN Android app.