shenek: Are you sure that the openvpn server is running on your router?
BINGO! I didn't realize the service IS NOT running - and that's not easy and foolproof. Service enabled and started in LuCI + 1 restart. Now I can use my LTE stick to connect to my home network.
(There's some work to do - for example to connect my W10 PC. And not only satellite receiver, simple NAS and Turris. But so far so good.)
Many thanks!
Thank you for the suggestion.
I modified /etc/config/firewall, with your suggestion, so the forwarding rules now look like this:
```
config forwarding 'vpn_turris_forward_lan_in'
	option src 'vpn_turris'
	option dest 'lan'

config forwarding 'vpn_turris_forward_lan_out'
	option src 'lan'
	option dest 'vpn_turris'

config forwarding 'vpn_turris_forward_wan_out'
	option src 'vpn_turris'
	option dest 'wan'
```
and also edited /etc/config/openvpn to ensure it contained the following:
```
	list push 'route 192.168.2.0 255.255.255.0' # My network is 192.168.2.0
	list push 'dhcp-option DNS 8.8.8.8'
	list push 'dhcp-option DNS 8.8.4.4'
	list push 'redirect-gateway def1'
```
Then I tested on my iPhone with the OpenVpn Client App, and lo and behold, the public IP on the iPhone had changed to my WAN's public IP. Web surfing also worked, but with a slight, but noticeable, lag compared to before. (A local DNS cache will probably help a lot.)
What's even stranger, the Turris OpenVPN Server configuration, which wasn't showing any entries the last two days, and really had me worried, now suddenly shows everything as if nothing happened.
I will summarize how to set up OpenVPN the same way as basically @Koleon wanted (route all traffic with local DNS resolving). I was experimenting with it for two hours before I finally made it work.
Prerequisites:
You obviously have to enable OpenVPN through Foris interface
I’ve also enabled OpenVPN to start automatically by running /etc/init.d/openvpn enable
Go to LuCI http://192.168.1.1/cgi-bin/luci/admin/network/dhcp and uncheck/disable the option Local Service Only under the General settings tab (this was the thing I was missing in this discussion, but it finally made local name resolving work for me)
Then there are two ways to do the other steps: by editing config files manually or through uci.
Manually:
Edit /etc/config/firewall, add these lines to the end:
```
config forwarding 'vpn_turris_forward_wan_out'
	option src 'vpn_turris'
	option dest 'wan'
```
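A way to check that the firewall forwarding sections and the OpenVPN push options from the two posts above (the reworked firewall/openvpn files and this summary) are actually present before trusting the setup, as an added example that is not part of the thread. It assumes the zone names (vpn_turris, lan, wan), the section layout and the 192.168.2.0/24 route used in those posts; the two sample config files are constructed here so the script runs without a router, and on the router you would point the audit functions at /etc/config/firewall and /etc/config/openvpn instead. The audit only reports which pieces are present; the vpn_turris to wan forwarding together with redirect-gateway def1 is what makes the router the exit for all client traffic, so whether you want that rule is a decision, not a check.

```shell
#!/bin/sh
# Added example (not from the thread): audit UCI firewall and OpenVPN config
# files for the forwarding sections and push options the posts rely on.
# The sample files below are constructed so this runs anywhere.

FW_SAMPLE=$(mktemp)
OVPN_SAMPLE=$(mktemp)
trap 'rm -f "$FW_SAMPLE" "$OVPN_SAMPLE"' EXIT

# Constructed /etc/config/firewall excerpt: LAN<->VPN forwarding present,
# the VPN->WAN rule deliberately left out so the audit has something to report.
cat > "$FW_SAMPLE" <<'EOF'
config forwarding 'vpn_turris_forward_lan_in'
	option src 'vpn_turris'
	option dest 'lan'

config forwarding 'vpn_turris_forward_lan_out'
	option src 'lan'
	option dest 'vpn_turris'

config rule 'not_a_forwarding'
	option src 'vpn_turris'
	option dest 'wan'
	option target 'REJECT'
EOF

# Constructed /etc/config/openvpn excerpt (server section name assumed)
cat > "$OVPN_SAMPLE" <<'EOF'
config openvpn 'server_turris'
	option enabled '1'
	list push 'route 192.168.2.0 255.255.255.0'
	list push 'dhcp-option DNS 8.8.8.8'
	list push 'redirect-gateway def1'
EOF

# has_forwarding FILE SRC DEST
# Exit 0 if FILE has a 'config forwarding' section with exactly that src/dest.
# Only forwarding sections count: a 'config rule' with the same src/dest is ignored.
has_forwarding() {
    awk -v want_src="$2" -v want_dest="$3" -v q="'" '
        function flush() {
            if (sect == "forwarding" && src == want_src && dest == want_dest) found = 1
            src = ""; dest = ""
        }
        $1 == "config" { flush(); sect = $2 }
        $1 == "option" && ($2 == "src" || $2 == "dest") {
            gsub(q, "", $3); gsub(/"/, "", $3)   # strip either quoting style
            if ($2 == "src") src = $3; else dest = $3
        }
        END { flush(); exit(found ? 0 : 1) }
    ' "$1"
}

# has_push FILE "OPTION TEXT"
# Exit 0 if FILE has a single-quoted 'list push' entry with exactly that text.
has_push() {
    sed 's/^[[:space:]]*//' "$1" | grep -Fxq "list push '$2'"
}

# audit_forwarding FILE
# Print one line per missing rule; exit 0 only if all three from the thread exist.
audit_forwarding() {
    missing=0
    for pair in vpn_turris:lan lan:vpn_turris vpn_turris:wan; do
        src=${pair%%:*}; dest=${pair#*:}
        if ! has_forwarding "$1" "$src" "$dest"; then
            echo "missing forwarding: $src->$dest"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# audit_push FILE
# Check the LAN route and the full-tunnel redirect are pushed to clients.
audit_push() {
    missing=0
    for opt in 'route 192.168.2.0 255.255.255.0' 'redirect-gateway def1'; do
        if ! has_push "$1" "$opt"; then
            echo "missing push: $opt"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Report on the samples (on the router: audit_forwarding /etc/config/firewall).
audit_forwarding "$FW_SAMPLE" || echo "firewall: not every forwarding from the thread is present"
audit_push "$OVPN_SAMPLE" && echo "openvpn: LAN route and full-tunnel push present"
```

Run it as-is to see the report on the constructed samples; on Turris OS, `audit_forwarding /etc/config/firewall` and `audit_push /etc/config/openvpn` after `uci commit` tell you whether the edits actually landed in the files the services read.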
I had all of this working as I wanted, till the other day, where I decided to install an mSATA disk in the device.
After installing the mSATA, and making the needed changes to the /etc/config/wireless file, I had my system back online - or so I thought.
It turns out my OpenVPN isn't accessible from my iPhone any more. Whenever I attempt to connect, I now get connection timeouts. Other VPN connections from the iPhone work as they should.
Thanks @iddqd, this was exactly what I did (and attempted to write above).
The mystery remains, though - why did it suddenly change to not start on boot?
After setting up OpenVPN, I did reboot at least 15 times, and each time the VPN setup remained working.
The only difference I can think of this time, is that I powered down the device completely to install the mSATA.
So perhaps we have some settings that somehow survive a reboot?
I didn't configure dnsmasq at all (and still, my .lan works). I tried the dig on my LAN subnet IP (which actually doesn't work as pushed DNS via OpenVPN), and from omnia I have a different result (it doesn't point me to any other IP):
Well, it kind of works for me, but only for a couple of seconds (about 15). I used installation through Foris. I extracted certs and keys from the downloaded configuration file and created the VPN configuration manually through the GUI in Ubuntu. Then I was able to connect and ping my NAS at 192.168.0.147. But after a few seconds it stopped working. I disconnected from the VPN and connected again. It started working, but after another couple of seconds it failed again. I have no idea why this is happening.
My local network is 192.168.0.0/24 and when generating the VPN configuration I set 192.168.1.0/24. I assume that is correct, since it at least connects for a while.
That’s indeed weird and it should not happen. Is there something useful in the logs?
Anyways, if you want to make it bulletproof you could write a small script to check if OVPN is running and if necessary to start it.
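The watchdog suggested above, written out as an added example that is not from the thread or from Turris OS: it checks that the OpenVPN server process is alive and starts the init script if not, and also checks that the service is enabled for boot, since an unenabled service is what bit the earlier posters after a reboot. It assumes the usual OpenWrt tools (`pidof`, `/etc/init.d/openvpn start|enable|enabled`, `logger`); the probe and start commands are parameters so the logic can be exercised on any machine without touching a real service.

```shell
#!/bin/sh
# Added example (not from the thread): cron-driven watchdog for the OpenVPN
# server on Turris OS / OpenWrt. Defaults assume OpenWrt's init scripts and
# pidof; pass your own commands to test the logic elsewhere.

log() { logger -t ovpn-watchdog "$*" 2>/dev/null || echo "ovpn-watchdog: $*" >&2; }

# ensure_running [PROBE] [START]
#   PROBE exits 0 when the server is up (default: pidof openvpn)
#   START starts it (default: /etc/init.d/openvpn start)
# Prints running|started|start-failed; exits non-zero only if START failed.
ensure_running() {
    probe=${1:-"pidof openvpn"}
    start=${2:-"/etc/init.d/openvpn start"}
    if sh -c "$probe" >/dev/null 2>&1; then
        echo running
        return 0
    fi
    log "openvpn not running, starting it"
    if sh -c "$start" >/dev/null 2>&1; then
        echo started
        return 0
    fi
    log "start of openvpn failed"
    echo start-failed
    return 1
}

# ensure_enabled [CHECK] [ENABLE]
#   CHECK exits 0 when the init script is enabled for boot
#   (default: /etc/init.d/openvpn enabled); ENABLE turns it on.
# Prints enabled|enabled-now|enable-failed.
ensure_enabled() {
    check=${1:-"/etc/init.d/openvpn enabled"}
    enable=${2:-"/etc/init.d/openvpn enable"}
    if sh -c "$check" >/dev/null 2>&1; then
        echo enabled
        return 0
    fi
    log "openvpn not enabled at boot, enabling it"
    if sh -c "$enable" >/dev/null 2>&1; then
        echo enabled-now
        return 0
    fi
    echo enable-failed
    return 1
}

# When run on the router itself, act with the defaults; elsewhere do nothing.
if [ -x /etc/init.d/openvpn ]; then
    ensure_enabled
    ensure_running
fi
```

Save it as /root/ovpn-watchdog.sh and add a line such as `*/5 * * * * /bin/sh /root/ovpn-watchdog.sh` with `crontab -e`; the messages go to the system log under the `ovpn-watchdog` tag, so a restart that happens while you are away is still visible in `logread` afterwards.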
Device Turris Omnia - RTROM01
Turris OS version 3.6.1
Kernel version 4.4.51-627f0117679bc72ef5e58881035f567a-3
After failing to generate CA: I uninstalled openvpn through updater, removed files from /etc/ssl/ca/openvpn/, rebooted turris, reinstalled openvpn, selected “Generate CA” and can get no further. The openvpn page in foris shows the certs generating then returns to “Currently there is no OpenVPN certificate authority(CA).”
/etc/ssl/ca/openvpn/ shows 15 files with time stamps after reboot:
```
-rw-r--r-- 1 root root 6704 Mar 27 05:30 01.crt
-rw-r--r-- 1 root root 1582 Mar 27 05:30 01.csr
-r-------- 1 root root 3276 Mar 27 05:30 01.key
-rw-r--r-- 1 root root 6704 Mar 27 05:30 01.pem
-rw-r--r-- 1 root root  893 Mar 27 05:30 ca.crl
-rw-r--r-- 1 root root 1862 Mar 27 05:29 ca.crt
-r-------- 1 root root 3272 Mar 27 05:29 ca.key
-rw-r--r-- 1 root root    3 Mar 27 05:30 crlnumber
-rw-r--r-- 1 root root    3 Mar 27 05:29 crlnumber.old
-rw-r--r-- 1 root root   39 Mar 27 05:30 index.txt
-rw-r--r-- 1 root root   20 Mar 27 05:30 index.txt.attr
-rw-r--r-- 1 root root    0 Mar 27 05:29 index.txt.old
-rw-r--r-- 1 root root   17 Mar 27 05:29 notes.txt
-rw-r--r-- 1 root root    3 Mar 27 05:30 serial
-rw-r--r-- 1 root root    3 Mar 27 05:29 serial.old
```
Why is the openvpn page indicating no OpenVPN certificate authority?