OpenVPN little problem

Hi

I have a little problem with my OpenVPN client configuration on the Omnia.

I use my tun VPN on all devices like notebooks, servers … all work fine. In the actual configuration every device has its own OpenVPN client. Now I want to set up routing between the VPN and the LAN with the Omnia. But the OpenVPN client on the Omnia is “unreachable”. The tun interface receives an IP but doesn't see any IP in the VPN.

My client config on Omnia:

config openvpn 'client_tun'
	option nobind '1'
	option client '1'
	option comp_lzo 'yes'
	option dev 'tun'
	option persist_tun '1'
	option persist_key '1'
	option remote_cert_tls 'server'
	option verb '3'
	list remote 'mydomain.xyz'
	option ca '/etc/config/ovpn/ca.crt'
	option cert '/etc/config/ovpn/shinigami.crt'
	option key '/etc/config/ovpn/shinigami.key'
	option proto 'udp'
	option resolv-retry 'infinite'
	option enabled '1'

log

Re-using SSL/TLS context
2016-10-25T22:48:41+02:00 notice openvpn(client_tun)[29462]: LZO compression initialized
2016-10-25T22:48:41+02:00 notice openvpn(client_tun)[29462]: Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
2016-10-25T22:48:41+02:00 notice openvpn(client_tun)[29462]: Socket Buffers: R=[163840->163840] S=[163840->163840]
2016-10-25T22:48:41+02:00 notice openvpn(client_tun)[29462]: Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
2016-10-25T22:48:41+02:00 notice openvpn(client_tun)[29462]: UDPv4 link local: [undef]
2016-10-25T22:48:41+02:00 notice openvpn(client_tun)[29462]: UDPv4 link remote: [AF_INET]xxxx:1194
2016-10-25T22:48:41+02:00 notice openvpn(client_tun)[29462]: TLS: Initial packet from [AF_INET]xxxx:1194, sid=e02cc1c4 840b12a2
2016-10-25T22:48:41+02:00 notice openvpn(client_tun)[29462]: VERIFY OK: depth=1, C=SK, ST=SK, L=Bratislava, O=xxx, OU=xxx, CN=xxx CA, name=xxx, emailAddress=xxx
2016-10-25T22:48:41+02:00 notice openvpn(client_tun)[29462]: Validating certificate key usage
2016-10-25T22:48:41+02:00 notice openvpn(client_tun)[29462]: ++ Certificate has key usage 00a0, expects 00a0
2016-10-25T22:48:41+02:00 notice openvpn(client_tun)[29462]: VERIFY KU OK
2016-10-25T22:48:41+02:00 notice openvpn(client_tun)[29462]: Validating certificate extended key usage
2016-10-25T22:48:41+02:00 notice openvpn(client_tun)[29462]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2016-10-25T22:48:41+02:00 notice openvpn(client_tun)[29462]: VERIFY EKU OK
2016-10-25T22:48:41+02:00 notice openvpn(client_tun)[29462]: VERIFY OK: depth=0, C=SK, ST=SK, L=Bratislava, O=xxx, OU=xx, CN=server, name=xxx, emailAddress=xx
2016-10-25T22:48:42+02:00 notice openvpn(client_tun)[29462]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
2016-10-25T22:48:42+02:00 notice openvpn(client_tun)[29462]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
2016-10-25T22:48:42+02:00 notice openvpn(client_tun)[29462]: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
2016-10-25T22:48:42+02:00 notice openvpn(client_tun)[29462]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
2016-10-25T22:48:42+02:00 notice openvpn(client_tun)[29462]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
2016-10-25T22:48:42+02:00 notice openvpn(client_tun)[29462]: [server] Peer Connection Initiated with [AF_INET]xxxx:1194
2016-10-25T22:48:44+02:00 notice openvpn(client_tun)[29462]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
2016-10-25T22:48:44+02:00 notice openvpn(client_tun)[29462]: PUSH: Received control message: 'PUSH_REPLY,sndbuf 0,rcvbuf 0,route-gateway 10.12.12.1,topology subnet,ping 5,ping-restart 30,ifconfig 10.12.12.12 255.255.255.0'
2016-10-25T22:48:44+02:00 notice openvpn(client_tun)[29462]: OPTIONS IMPORT: timers and/or timeouts modified
2016-10-25T22:48:44+02:00 notice openvpn(client_tun)[29462]: OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
2016-10-25T22:48:44+02:00 notice openvpn(client_tun)[29462]: Socket Buffers: R=[163840->163840] S=[163840->163840]
2016-10-25T22:48:44+02:00 notice openvpn(client_tun)[29462]: OPTIONS IMPORT: --ifconfig/up options modified
2016-10-25T22:48:44+02:00 notice openvpn(client_tun)[29462]: OPTIONS IMPORT: route-related options modified
2016-10-25T22:48:44+02:00 notice openvpn(client_tun)[29462]: Preserving previous TUN/TAP instance: tun0
2016-10-25T22:48:44+02:00 notice openvpn(client_tun)[29462]: Initialization Sequence Completed
2016-10-25T22:49:01+02:00 info cron[29545]: (root) CMD (/usr/bin/rainbow_button_sync.sh)
2016-10-25T22:49:14+02:00 notice openvpn(client_tun)[29462]: [server] Inactivity timeout (--ping-restart), restarting
2016-10-25T22:49:14+02:00 notice openvpn(client_tun)[29462]: TCP/UDP: Closing socket
2016-10-25T22:49:14+02:00 notice openvpn(client_tun)[29462]: SIGUSR1[soft,ping-restart] received, process restarting
2016-10-25T22:49:14+02:00 notice openvpn(client_tun)[29462]: Restart pause, 2 second(s)
2016-10-25T22:49:16+02:00 notice openvpn(client_tun)[29462]: Re-using SSL/TLS context
2016-10-25T22:49:16+02:00 notice openvpn(client_tun)[29462]: LZO compression initialized
2016-10-25T22:49:16+02:00 notice openvpn(client_tun)[29462]: Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
2016-10-25T22:49:16+02:00 notice openvpn(client_tun)[29462]: Socket Buffers: R=[163840->163840] S=[163840->163840]
2016-10-25T22:49:16+02:00 notice openvpn(client_tun)[29462]: Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
2016-10-25T22:49:16+02:00 notice openvpn(client_tun)[29462]: UDPv4 link local: [undef]
2016-10-25T22:49:16+02:00 notice openvpn(client_tun)[29462]: UDPv4 link remote: [AF_INET]xxxx:1194
2016-10-25T22:49:16+02:00 notice openvpn(client_tun)[29462]: TLS: Initial packet from [AF_INET]xxxx:1194, sid=a5c0c6f7 5acc2dd6
2016-10-25T22:49:16+02:00 notice openvpn(client_tun)[29462]: VERIFY OK: depth=1, C=SK, ST=SK, L=Bratislava, O=xxx, OU=xxx, CN=xxx CA, name=xxx, emailAddress=xxxx.xyz
2016-10-25T22:49:16+02:00 notice openvpn(client_tun)[29462]: Validating certificate key usage
2016-10-25T22:49:16+02:00 notice openvpn(client_tun)[29462]: ++ Certificate has key usage 00a0, expects 00a0
2016-10-25T22:49:16+02:00 notice openvpn(client_tun)[29462]: VERIFY KU OK
2016-10-25T22:49:16+02:00 notice openvpn(client_tun)[29462]: Validating certificate extended key usage
2016-10-25T22:49:16+02:00 notice openvpn(client_tun)[29462]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2016-10-25T22:49:16+02:00 notice openvpn(client_tun)[29462]: VERIFY EKU OK
2016-10-25T22:49:16+02:00 notice openvpn(client_tun)[29462]: VERIFY OK: depth=0, C=SK, ST=SK, L=Bratislava, O=xxx, OU=xxx, CN=server, name=xxx, emailAddress=xxxx
2016-10-25T22:49:16+02:00 notice openvpn(client_tun)[29462]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
2016-10-25T22:49:16+02:00 notice openvpn(client_tun)[29462]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
2016-10-25T22:49:16+02:00 notice openvpn(client_tun)[29462]: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
2016-10-25T22:49:16+02:00 notice openvpn(client_tun)[29462]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
2016-10-25T22:49:16+02:00 notice openvpn(client_tun)[29462]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
2016-10-25T22:49:16+02:00 notice openvpn(client_tun)[29462]: [server] Peer Connection Initiated with [AF_INET]xxxx:1194
2016-10-25T22:49:18+02:00 notice openvpn(client_tun)[29462]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
2016-10-25T22:49:18+02:00 notice openvpn(client_tun)[29462]: PUSH: Received control message: 'PUSH_REPLY,sndbuf 0,rcvbuf 0,route-gateway 10.12.12.1,topology subnet,ping 5,ping-restart 30,ifconfig 10.12.12.12 255.255.255.0'
2016-10-25T22:49:18+02:00 notice openvpn(client_tun)[29462]: OPTIONS IMPORT: timers and/or timeouts modified
2016-10-25T22:49:18+02:00 notice openvpn(client_tun)[29462]: OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
2016-10-25T22:49:18+02:00 notice openvpn(client_tun)[29462]: Socket Buffers: R=[163840->163840] S=[163840->163840]
2016-10-25T22:49:18+02:00 notice openvpn(client_tun)[29462]: OPTIONS IMPORT: --ifconfig/up options modified
2016-10-25T22:49:18+02:00 notice openvpn(client_tun)[29462]: OPTIONS IMPORT: route-related options modified
2016-10-25T22:49:18+02:00 notice openvpn(client_tun)[29462]: Preserving previous TUN/TAP instance: tun0
2016-10-25T22:49:18+02:00 notice openvpn(client_tun)[29462]: Initialization Sequence Completed
2016-10-25T22:49:48+02:00 notice openvpn(client_tun)[29462]: [server] Inactivity timeout (--ping-restart), restarting
2016-10-25T22:49:48+02:00 notice openvpn(client_tun)[29462]: TCP/UDP: Closing socket
2016-10-25T22:49:48+02:00 notice openvpn(client_tun)[29462]: SIGUSR1[soft,ping-restart] received, process restarting
2016-10-25T22:49:48+02:00 notice openvpn(client_tun)[29462]: Restart pause, 2 second(s)
2016-10-25T22:49:50+02:00 notice openvpn(client_tun)[29462]: Re-using SSL/TLS context
2016-10-25T22:49:50+02:00 notice openvpn(client_tun)[29462]: LZO compression initialized
2016-10-25T22:49:50+02:00 notice openvpn(client_tun)[29462]: Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
2016-10-25T22:49:50+02:00 notice openvpn(client_tun)[29462]: Socket Buffers: R=[163840->163840] S=[163840->163840]
2016-10-25T22:49:50+02:00 notice openvpn(client_tun)[29462]: Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
2016-10-25T22:49:50+02:00 notice openvpn(client_tun)[29462]: UDPv4 link local: [undef]
2016-10-25T22:49:50+02:00 notice openvpn(client_tun)[29462]: UDPv4 link remote: [AF_INET]xxxx:1194
2016-10-25T22:49:50+02:00 notice openvpn(client_tun)[29462]: TLS: Initial packet from [AF_INET]xxxx:1194, sid=f46aeead d1d70024
2016-10-25T22:49:50+02:00 notice openvpn(client_tun)[29462]: VERIFY OK: depth=1, C=SK, ST=SK, L=Bratislava, O=xxx, OU=xxx, CN=xxx CA, name=xxx, emailAddress=xxx.xyz
2016-10-25T22:49:50+02:00 notice openvpn(client_tun)[29462]: Validating certificate key usage
2016-10-25T22:49:50+02:00 notice openvpn(client_tun)[29462]: ++ Certificate has key usage 00a0, expects 00a0
2016-10-25T22:49:50+02:00 notice openvpn(client_tun)[29462]: VERIFY KU OK
2016-10-25T22:49:50+02:00 notice openvpn(client_tun)[29462]: Validating certificate extended key usage
2016-10-25T22:49:50+02:00 notice openvpn(client_tun)[29462]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2016-10-25T22:49:50+02:00 notice openvpn(client_tun)[29462]: VERIFY EKU OK
2016-10-25T22:49:50+02:00 notice openvpn(client_tun)[29462]: VERIFY OK: depth=0, C=SK, ST=SK, L=Bratislava, O=xxx, OU=xxx, CN=server, name=xxx, emailAddress=xxxx.xyz
2016-10-25T22:49:51+02:00 notice openvpn(client_tun)[29462]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
2016-10-25T22:49:51+02:00 notice openvpn(client_tun)[29462]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
2016-10-25T22:49:51+02:00 notice openvpn(client_tun)[29462]: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
2016-10-25T22:49:51+02:00 notice openvpn(client_tun)[29462]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
2016-10-25T22:49:51+02:00 notice openvpn(client_tun)[29462]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
2016-10-25T22:49:51+02:00 notice openvpn(client_tun)[29462]: [server] Peer Connection Initiated with [AF_INET]92.222.75.135:1194
2016-10-25T22:49:53+02:00 notice openvpn(client_tun)[29462]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
2016-10-25T22:49:53+02:00 notice openvpn(client_tun)[29462]: PUSH: Received control message: 'PUSH_REPLY,sndbuf 0,rcvbuf 0,route-gateway 10.12.12.1,topology subnet,ping 5,ping-restart 30,ifconfig 10.12.12.12 255.255.255.0'
2016-10-25T22:49:53+02:00 notice openvpn(client_tun)[29462]: OPTIONS IMPORT: timers and/or timeouts modified
2016-10-25T22:49:53+02:00 notice openvpn(client_tun)[29462]: OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
2016-10-25T22:49:53+02:00 notice openvpn(client_tun)[29462]: Socket Buffers: R=[163840->163840] S=[163840->163840]
2016-10-25T22:49:53+02:00 notice openvpn(client_tun)[29462]: OPTIONS IMPORT: --ifconfig/up options modified
2016-10-25T22:49:53+02:00 notice openvpn(client_tun)[29462]: OPTIONS IMPORT: route-related options modified
2016-10-25T22:49:53+02:00 notice openvpn(client_tun)[29462]: Preserving previous TUN/TAP instance: tun0
2016-10-25T22:49:53+02:00 notice openvpn(client_tun)[29462]: Initialization Sequence Completed
2016-10-25T22:50:01+02:00 info cron[29593]: (root) CMD ( /usr/bin/notifier)
2016-10-25T22:50:01+02:00 info cron[29596]: (root) CMD (/usr/bin/watchdog.sh)
2016-10-25T22:50:01+02:00 info cron[29599]: (root) CMD (/sbin/fan_ctrl.sh)
2016-10-25T22:50:01+02:00 info cron[29601]: (root) CMD (/usr/bin/rainbow_button_sync.sh)
2016-10-25T22:50:01+02:00 info cron[29600]: (root) CMD (nethist_stats.lua)
2016-10-25T22:50:01+02:00 info cron[29595]: (root) MAIL (mailed 204 bytes of output but got status 0x0001

Thanks for the help
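Added example (not part of the original post): a Python check over lines copied from the log above that measures how long the client heard nothing between each PUSH_REPLY and the next "Inactivity timeout". Both gaps equal the pushed `ping-restart 30`, which is consistent with the TLS setup succeeding while no packet from the server arrives afterwards; the function and field names are made up for this illustration.

```python
import re
from datetime import datetime

# Constructed sample: two restart cycles copied from the log in the post
# (typographic quotes and dashes normalised to ASCII).
PFX = "notice openvpn(client_tun)[29462]: "
PUSH = ("PUSH: Received control message: 'PUSH_REPLY,sndbuf 0,rcvbuf 0,"
        "route-gateway 10.12.12.1,topology subnet,ping 5,ping-restart 30,"
        "ifconfig 10.12.12.12 255.255.255.0'")
TIMEOUT = "[server] Inactivity timeout (--ping-restart), restarting"
SAMPLE_LOG = "\n".join([
    "2016-10-25T22:48:44+02:00 " + PFX + PUSH,
    "2016-10-25T22:48:44+02:00 " + PFX + "Initialization Sequence Completed",
    "2016-10-25T22:49:01+02:00 info cron[29545]: (root) CMD (/usr/bin/rainbow_button_sync.sh)",
    "2016-10-25T22:49:14+02:00 " + PFX + TIMEOUT,
    "2016-10-25T22:49:18+02:00 " + PFX + PUSH,
    "2016-10-25T22:49:18+02:00 " + PFX + "Initialization Sequence Completed",
    "2016-10-25T22:49:48+02:00 " + PFX + TIMEOUT,
])

LINE = re.compile(r"^(\S+) \w+ openvpn\([^)]*\)\[\d+\]: (.*)$")

def analyze_restarts(log_text):
    """Measure the silence between each PUSH_REPLY and the following timeout."""
    pushed = None      # ping-restart value pushed by the server, in seconds
    last_rx = None     # time of the last message known to come from the server
    gaps = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue   # cron and other daemons are ignored
        ts, msg = datetime.fromisoformat(m.group(1)), m.group(2)
        if msg.startswith("PUSH: Received control message"):
            last_rx = ts
            opt = re.search(r"\bping-restart (\d+)", msg)
            pushed = int(opt.group(1)) if opt else pushed
        elif "Inactivity timeout" in msg and last_rx is not None:
            gaps.append(int((ts - last_rx).total_seconds()))
            last_rx = None
    silent = pushed is not None and bool(gaps) and all(g >= pushed for g in gaps)
    return {"ping_restart": pushed, "gaps": gaps, "server_silent_after_setup": silent}

if __name__ == "__main__":
    print(analyze_restarts(SAMPLE_LOG))
```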

I set it up like this in OpenWRT:

network
config interface 'vpn0'
	option ifname 'tun0'
	option proto 'none'
	option auto '1'

firewall
config zone
	option name 'vpn'
	option input 'ACCEPT'
	option forward 'REJECT'
	option output 'ACCEPT'
	option network 'vpn0'

config forwarding
	option src 'vpn'
	option dest 'wan'

config forwarding
	option src 'vpn'
	option dest 'lan'

firewall.user
iptables -t nat -A POSTROUTING -s 10.0.8.0/24 -o eth0 -j MASQUERADE (10.0.8.0 is VPN)

You probably already have WAN access routed and the network setup done, I assume.

My network looks like this (firewall.user is clear):

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdb4:6334:f8f0::/48'

config interface 'lan'
	option force_link '1'
	option type 'bridge'
	option proto 'static'
	option netmask '255.255.255.0'
	option _orig_ifname 'eth0 eth2 radio0.network1 radio1.network1'
	option _orig_bridge 'true'
	option ipaddr '10.10.10.1'
	option ifname 'eth0'

config interface 'wan'
	option ifname 'eth1'
	option _orig_ifname 'eth1'
	option _orig_bridge 'false'
	option proto 'dhcp'
	option hostname 'shinigami'
	option peerdns '0'
	option dns '193.29.206.206 217.31.204.130'

config interface 'wan6'
	option ifname 'eth1'
	option _orig_ifname 'eth1'
	option _orig_bridge 'false'
	option proto 'none'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '0 1 2 3 5'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option ports '4 6'
	option vid '2'

config interface 'guest_lan'
	option proto 'static'
	option ifname 'eth2'
	option ipaddr '10.11.11.1'
	option netmask '255.255.255.0'

firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fe80::/10'
	option src_port '547'
	option dest_ip 'fe80::/10'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config include
	option path '/usr/share/firewall/turris'
	option reload '1'

config include
	option path '/etc/firewall.d/with_reload/firewall.include.sh'
	option reload '1'

config include
	option path '/etc/firewall.d/without_reload/firewall.include.sh'
	option reload '0'

config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'
	option family 'any'
	option reload '1'

config zone
	option input 'ACCEPT'
	option forward 'REJECT'
	option output 'ACCEPT'
	option name 'guest_lan'
	option network 'guest_lan'

config forwarding
	option dest 'wan'
	option src 'guest_lan'

config forwarding
	option dest 'guest_lan'
	option src 'lan'

config forwarding
	option dest 'wan'
	option src 'lan'

config zone
	option input 'ACCEPT'
	option output 'ACCEPT'
	option name 'vpn'
	option network 'vpn'
	option forward 'ACCEPT'

config forwarding
	option dest 'lan'
	option src 'vpn'

config forwarding
	option dest 'wan'
	option src 'vpn'

config forwarding
	option dest 'vpn'
	option src 'lan'
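Added example (not part of the original thread): a Python cross-check of the two files posted above, listing firewall zones whose `network` option names no `config interface` section. The embedded configs are trimmed copies of the post, and the parser and function names are made up for this illustration; run on them it reports the `vpn` zone, because the posted network file has no interface section named `vpn`.

```python
import shlex

# Constructed sample: trimmed copies of the network and firewall sections
# posted above (only the lines this check needs).
NETWORK = """
config interface 'lan'
	option ifname 'eth0'
config interface 'wan'
	option ifname 'eth1'
config interface 'wan6'
	option ifname 'eth1'
config interface 'guest_lan'
	option ifname 'eth2'
"""
FIREWALL = """
config zone
	option name 'lan'
	option network 'lan'
config zone
	option name 'wan'
	option network 'wan wan6'
config zone
	option name 'guest_lan'
	option network 'guest_lan'
config zone
	option name 'vpn'
	option network 'vpn'
"""

def parse_uci(text):
    """Parse UCI text into a list of {type, name, opts} sections."""
    sections = []
    for line in text.splitlines():
        tok = shlex.split(line, comments=True)
        if len(tok) >= 2 and tok[0] == "config":
            sections.append({"type": tok[1], "name": tok[2] if len(tok) > 2 else None, "opts": {}})
        elif len(tok) >= 3 and tok[0] in ("option", "list") and sections:
            sections[-1]["opts"].setdefault(tok[1], []).extend(tok[2].split())
    return sections

def undefined_zone_networks(network_cfg, firewall_cfg):
    """Map zone name -> referenced networks that have no interface section."""
    defined = {s["name"] for s in parse_uci(network_cfg) if s["type"] == "interface"}
    missing = {}
    for s in parse_uci(firewall_cfg):
        if s["type"] != "zone":
            continue
        bad = [n for n in s["opts"].get("network", []) if n not in defined]
        if bad:
            missing[s["opts"].get("name", ["<unnamed>"])[0]] = bad
    return missing

if __name__ == "__main__":
    print(undefined_zone_networks(NETWORK, FIREWALL))
```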

Do you have static routes for the client networks? That is, the network(s) you are using in the “server” directive in server.conf (openvpn). Also, do you push any routes to the clients?