Hi,
I partly followed this how-to: https://wiki.openwrt.org/doc/howto/openvpn-streamlined-server-setup
From within the LAN the tunnel works, but from outside the LAN the traffic does not even seem to pass the firewall.
I hope somebody experienced can help me sort this out.
My relevant configuration is as follows:
/etc/config/network:
# LAN: bridge over eth0 with the static address 192.168.1.1/24
# (the 192.168.1.0/24 subnet referenced by the firewall rules).
config interface 'lan'
option force_link '1'
option ifname 'eth0'
option type 'bridge'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
# delegate '0': no downstream IPv6 prefix delegation for this interface.
option delegate '0'
# WAN: eth1, address obtained via DHCP from the upstream device. No public
# address is shown; if that upstream is itself a NAT router, UDP 40000 would
# also have to be forwarded there before it ever reaches this firewall -- TODO confirm.
config interface 'wan'
option ifname 'eth1'
option proto 'dhcp'
option delegate '0'
# wan6: IPv6 (DHCPv6) on the same physical link as 'wan'.
config interface 'wan6'
option ifname '@wan'
option proto 'dhcpv6'
# OpenVPN1: unmanaged placeholder (proto 'none') for the tun1 device so the
# firewall zone 'OpenVPN1' can bind to it; 'tun1' must match 'option dev' in
# /etc/config/openvpn. auto '1' brings it up at boot.
config interface 'OpenVPN1'
option ifname 'tun1'
option proto 'none'
option auto '1'
/etc/config/firewall:
# lan zone: everything accepted, so router services are reachable from the LAN.
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan'
# wan zone: unsolicited inbound and forwarded traffic rejected, outbound NAT
# (masq) and TCP MSS clamping (mtu_fix) for traffic leaving via wan/wan6.
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'wan wan6'
# LAN may initiate connections towards WAN.
config forwarding
option src 'lan'
option dest 'wan'
# OpenVPN1 zone, bound to the 'OpenVPN1' interface (tun1). input 'ACCEPT'
# exposes every service running on the router itself (SSH, web UI, DNS, ...)
# to every connected VPN client; if clients are not fully trusted, use REJECT
# here and open only the needed ports with explicit rules.
config zone
option name 'OpenVPN1'
option input 'ACCEPT'
option forward 'ACCEPT'
option output 'ACCEPT'
option network 'OpenVPN1'
# Input rule for the OpenVPN listener (UDP 40000, see 'option port' in
# /etc/config/openvpn). No 'dest' -> traffic addressed to the router itself;
# src '*' -> accepted from every zone, not only from wan.
config rule
option name 'OpenVPN1'
option src '*'
option dest_port '40000'
option proto 'udp'
option target 'ACCEPT'
# Zone forwardings: VPN clients may reach WAN (needed for the pushed
# redirect-gateway) and LAN; LAN may reach VPN clients.
config forwarding
option src 'OpenVPN1'
option dest 'wan'
config forwarding
option src 'OpenVPN1'
option dest 'lan'
config forwarding
option src 'lan'
option dest 'OpenVPN1'
# NOTE(review): the four 'VPN0' rules below look like leftovers from an
# earlier setup. The zone is called OpenVPN1, not VPN0; src_ip 10.0.1.0/28
# covers only 16 of the 10.0.1.0/24 addresses handed out by 'option server'
# in /etc/config/openvpn; dest_ip 192.168.1.0/26 covers only a quarter of the
# 192.168.1.0/24 LAN. With forward 'ACCEPT' on the zone and the OpenVPN1->lan
# and OpenVPN1->wan forwardings above they also appear to add nothing -- TODO
# confirm, then either drop them or correct the prefixes.
# Input rule (no 'dest'): VPN /28 -> the router's own addresses in 192.168.1.0/26.
config rule
option name 'Allow VPN0 -> LAN'
option src '*'
option src_ip '10.0.1.0/28'
option proto 'tcpudp'
option dest_ip '192.168.1.0/26'
option target 'ACCEPT'
# Forward rule (dest '*'): same source, towards hosts in 192.168.1.0/26.
config rule
option name 'Allow Forwarded VPN0 -> LAN'
option src '*'
option src_ip '10.0.1.0/28'
option proto 'tcpudp'
option dest '*'
option dest_ip '192.168.1.0/26'
option target 'ACCEPT'
# Any ICMP from the VPN /28 forwarded into the lan zone.
config rule
option name 'Allow VPN0 (ICMP) -> LAN'
option src '*'
option src_ip '10.0.1.0/28'
option proto 'icmp'
option dest 'lan'
option target 'ACCEPT'
# Only ICMP echo-request from the VPN /28 forwarded into the wan zone.
config rule
option name 'Allow VPN0 (ICMP 8)'
option src '*'
option src_ip '10.0.1.0/28'
option proto 'icmp'
list icmp_type 'echo-request'
option dest 'wan'
option target 'ACCEPT'
/etc/config/openvpn:
# OpenVPN server instance 'UDP': listens on UDP 40000 (the port opened by the
# 'OpenVPN1' rule in /etc/config/firewall).
config openvpn 'UDP'
option port '40000'
option proto 'udp'
# 'dev' is given twice. UCI normally keeps the last value, so 'tun1' wins and
# the first line is dead -- remove it to avoid confusion.
option dev 'tun'
option dev 'tun1'
option topology 'subnet'
# Compression is on at both ends (client: comp-lzo). Upstream OpenVPN has
# deprecated compression over the tunnel because of compression side channels;
# unless it is really needed, turn it off on the server and the client together.
option comp_lzo 'yes'
# Persistent client-address pool, status file and log under /etc/openvpn.
option ifconfig_pool_persist '/etc/openvpn/tun1-ipp.log'
option status '/etc/openvpn/tun1-status.log'
option log '/etc/openvpn/tun1.log'
# TLS server role; TLS 1.2 minimum, matching 'tls-version-min 1.2' on the client.
option tls_server '1'
option tls_version_min '1.2'
# Explicit control-channel suite allow-list. All suites but one are ephemeral
# (ECDHE/DHE); the TLS-ECDH-RSA-* entry uses static ECDH and gives no forward
# secrecy -- consider dropping it.
option tls_cipher 'TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-ECDH-RSA-WITH-AES-256-GCM-SHA384:!aNULL:!eNULL:!LOW:!3DES:!MD5:!SHA:!EXP:!PSK:!SRP:!DSS:!RC4:!kRSA'
# Server certificate, private key and CA come from a single PKCS#12 bundle.
# The DH file name suggests a 5120-bit group, an unusual size -- confirm the
# file is the intended one and the name is not a typo.
option pkcs12 '/etc/openvpn/Router-OpenVPN.p12'
option dh '/etc/openvpn/dh5120.pem'
# tls-auth HMAC on the control channel; direction 0 here pairs with
# 'key-direction 1' in the client configuration.
option tls_auth '/etc/openvpn/Router_ta.key 0'
# Data-channel cipher and HMAC; the client uses the same values.
option cipher 'AES-256-CBC'
option auth 'SHA512'
# Large socket buffers, also pushed to clients below.
option sndbuf '393216'
option rcvbuf '393216'
# No in-tunnel fragmentation, no MSS clamping, and a 48000-byte tun MTU: every
# large packet has to fit the real path MTU of the UDP transport (typically
# about 1500 bytes). Harmless on the LAN, but a frequent reason for a tunnel
# that connects yet stalls across the Internet -- TODO confirm by testing with
# a 1500-byte tun_mtu and the default mssfix on both ends.
option fragment '0'
option mssfix '0'
option tun_mtu '48000'
list push 'sndbuf 393216'
list push 'rcvbuf 393216'
# Verbosity 5; repeated messages of the same class muted after 20.
option verb '5'
option mute '20'
# Ping the peer every 10 s, declare it dead after 120 s without reply.
option keepalive '10 120'
# Keep key material and the tun device across restarts so the daemon can keep
# running as the unprivileged user/group below after initialisation.
option persist_key '1'
option persist_tun '1'
option user 'nobody'
option group 'nogroup'
# VPN subnet 10.0.1.0/24. The firewall rules that use src_ip 10.0.1.0/28
# match only the first 16 addresses of this pool.
option server '10.0.1.0 255.255.255.0'
# Full tunnel: clients send all traffic through the VPN. NOTE(review): this is
# 'option push' while the two sndbuf/rcvbuf entries above are 'list push';
# UCI treats both as the same option name, so one form may override the other.
# Use 'list push' for all three and verify with 'uci show openvpn'.
option push 'redirect-gateway def1'
# Clients can reach each other directly. That traffic is switched inside the
# OpenVPN process and never traverses the 'OpenVPN1' firewall zone, so the
# firewall cannot restrict client-to-client access while this is on.
option client_to_client '1'
option enabled '1'
Client configuration:
# OpenVPN client for the server instance above: UDP 40000, tun, TLS with tls-auth.
client
dev tun
proto udp
# 'mydomain' is a placeholder for the server's public name.
remote mydomain 40000
# MTU/fragmentation settings mirror the server (they must match on both ends);
# see the note in the server configuration about testing smaller values.
mssfix 0
fragment 0
tun-mtu 48000
# Accept packets from the server even if its source address/port changes.
float
nobind
# Compression, matching 'comp_lzo' on the server; see the note there about disabling it.
comp-lzo
mute-replay-warnings
mute 20
persist-key
persist-tun
# Keep retrying resolution of the 'remote' host name indefinitely.
resolv-retry infinite
# Data-channel HMAC and cipher, identical to the server's 'auth' and 'cipher'.
auth SHA512
# Do not keep authentication credentials cached in memory after use.
auth-nocache
cipher AES-256-CBC
# tls-auth direction 1, pairing with 'Router_ta.key 0' on the server.
key-direction 1
tls-version-min 1.2
# Client certificate, private key and CA from a single PKCS#12 bundle.
pkcs12 Client_1.p12
# Require the serverAuth EKU in the server's certificate. This is what prevents
# another client certificate issued by the same CA from being presented as the server.
remote-cert-eku "TLS Web Server Authentication"
# Inline tls-auth key (redacted in this post).
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
XXX
-----END OpenVPN Static key V1-----
</tls-auth>
verb 5