OpenVPN Troubleshooting

Hello,

I have some problems setting up OpenVPN.

Configuration
I have a static public IP address.

My network configuration looks like this.

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option dhcpv6 'server'
        option ra 'server'
        option leasetime '43200'
        option ra_management '1'
        option limit '50'
        list dns '2002:4e5e:691e::e37'
        list domain 'fdb7:cc78:74b7::e37'
        list dhcp_option '6,10.0.0.3'

My VPN configuration looks like this.

Problem 1
I created a client for my iPhone and downloaded the file for the openVPN app to my iPhone.
I can connect my iPhone to the VPN via the app.

Turris Log

2019-03-18 21:37:53 notice openvpn(server_turris)[29412]: XXXXXXXXX TLS: Initial packet from [AF_INET6]XXXXXXXXXXXXXXXXXX, sid=XXXXXXXXXXXXXXXXXX
2019-03-18 21:37:54 notice openvpn(server_turris)[29412]: XXXXXXXXX VERIFY OK: depth=1, CN=openvpn
2019-03-18 21:37:54 notice openvpn(server_turris)[29412]: XXXXXXXXX VERIFY OK: depth=0, CN=iPhone
2019-03-18 21:37:54 notice openvpn(server_turris)[29412]: XXXXXXXXX peer info: IV_GUI_VER=net.openvpn.connect.ios_3.0.2-894
2019-03-18 21:37:54 notice openvpn(server_turris)[29412]: XXXXXXXXX peer info: IV_VER=3.2
2019-03-18 21:37:54 notice openvpn(server_turris)[29412]: XXXXXXXXX peer info: IV_PLAT=ios
2019-03-18 21:37:54 notice openvpn(server_turris)[29412]: XXXXXXXXX peer info: IV_NCP=2
2019-03-18 21:37:54 notice openvpn(server_turris)[29412]: XXXXXXXXX peer info: IV_TCPNL=1
2019-03-18 21:37:54 notice openvpn(server_turris)[29412]: XXXXXXXXX peer info: IV_PROTO=2
2019-03-18 21:37:54 notice openvpn(server_turris)[29412]: XXXXXXXXX peer info: IV_LZO_STUB=1
2019-03-18 21:37:54 notice openvpn(server_turris)[29412]: XXXXXXXXX peer info: IV_COMP_STUB=1
2019-03-18 21:37:54 notice openvpn(server_turris)[29412]: XXXXXXXXX peer info: IV_COMP_STUBv2=1
2019-03-18 21:37:54 notice openvpn(server_turris)[29412]: XXXXXXXXX peer info: IV_AUTO_SESS=1
2019-03-18 21:37:54 notice openvpn(server_turris)[29412]: XXXXXXXXX peer info: IV_BS64DL=1
2019-03-18 21:37:54 notice openvpn(server_turris)[29412]: XXXXXXXXX Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
2019-03-18 21:37:54 notice openvpn(server_turris)[29412]: XXXXXXXXX [iPhone] Peer Connection Initiated with [AF_INET6]XXXXXXXXX
2019-03-18 21:37:54 notice openvpn(server_turris)[29412]: iPhone/XXXXXXXXX MULTI_sva: pool returned IPv4=10.0.1.6, IPv6=(Not enabled)
2019-03-18 21:37:54 notice openvpn(server_turris)[29412]: iPhone/XXXXXXXXX MULTI: Learn: 10.0.1.6 -> iPhone/XXXXXXXXX
2019-03-18 21:37:54 notice openvpn(server_turris)[29412]: iPhone/XXXXXXXXX MULTI: primary virtual IP for iPhone/XXXXXXXXX: 10.0.1.6
2019-03-18 21:37:54 notice openvpn(server_turris)[29412]: iPhone/XXXXXXXXX PUSH: Received control message: 'PUSH_REQUEST'
2019-03-18 21:37:54 notice openvpn(server_turris)[29412]: iPhone/XXXXXXXXX SENT CONTROL [iPhone]: 'PUSH_REPLY,route 10.0.0.0 255.255.255.0,redirect-gateway def1,route 10.0.1.1,topology net30,ping 10,ping-restart 120,ifconfig 10.0.1.6 10.0.1.5,peer-id 0,cipher AES-256-GCM' (status=1)
2019-03-18 21:37:54 notice openvpn(server_turris)[29412]: iPhone/XXXXXXXXX Data Channel: using negotiated cipher 'AES-256-GCM'
2019-03-18 21:37:54 notice openvpn(server_turris)[29412]: iPhone/XXXXXXXXX Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2019-03-18 21:37:54 notice openvpn(server_turris)[29412]: iPhone/XXXXXXXXX Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key

After the connection, however, I no longer have Internet access on my iPhone.

I have the same problem with my laptop.

Try turning off all VPN traffic “Gesamten Verkehr durch VPN”

1 Like
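What the PUSH_REPLY line in the log above tells the client to route, as an added example that is not part of the original posts. The function names are hypothetical, and 192.0.2.10 is a documentation address standing in for an Internet host. With `redirect-gateway def1` pushed, every destination goes into the tunnel; without it, only the pushed routes do.

```python
import ipaddress
import re

# Sample input: the PUSH_REPLY line copied from the log above (redactions kept).
LOG_LINE = (
    "2019-03-18 21:37:54 notice openvpn(server_turris)[29412]: iPhone/XXXXXXXXX "
    "SENT CONTROL [iPhone]: 'PUSH_REPLY,route 10.0.0.0 255.255.255.0,"
    "redirect-gateway def1,route 10.0.1.1,topology net30,ping 10,ping-restart 120,"
    "ifconfig 10.0.1.6 10.0.1.5,peer-id 0,cipher AES-256-GCM' (status=1)"
)


def parse_push_reply(line):
    """Return pushed routes, the redirect-gateway flag and the client tunnel IP."""
    match = re.search(r"'PUSH_REPLY,([^']*)'", line)
    if not match:
        raise ValueError("no PUSH_REPLY in line")
    pushed = {"routes": [], "redirect_gateway": False, "client_ip": None}
    for option in match.group(1).split(","):
        words = option.split()
        if not words:
            continue
        if words[0] == "route":
            # OpenVPN treats a route without a netmask as a host route (/32).
            mask = words[2] if len(words) > 2 else "255.255.255.255"
            pushed["routes"].append(ipaddress.ip_network(f"{words[1]}/{mask}"))
        elif words[0] == "redirect-gateway":
            pushed["redirect_gateway"] = True
        elif words[0] == "ifconfig":
            pushed["client_ip"] = ipaddress.ip_address(words[1])
    return pushed


def goes_through_tunnel(dest, pushed):
    """True if the client would send traffic for dest into the VPN."""
    addr = ipaddress.ip_address(dest)
    return pushed["redirect_gateway"] or any(addr in net for net in pushed["routes"])


if __name__ == "__main__":
    full = parse_push_reply(LOG_LINE)
    # Same push with redirect-gateway removed, i.e. the option switched off.
    split = dict(full, redirect_gateway=False)
    for label, pushed in (("as logged", full), ("without redirect-gateway", split)):
        for dest in ("10.0.0.3", "192.0.2.10"):
            print(f"{label}: {dest} via VPN = {goes_through_tunnel(dest, pushed)}")
```
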

Thanks, that helped!

I would like to access content in the LAN network from the VPN network.

I tried to adjust the physical settings of the VPN interface. With that I shot my network. Do I only have to adjust a few firewall rules?

Yes, you only need to edit the firewall:

config zone
	option name 'lan'
	list network 'lan'
	list network 'vpn'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config rule
	option name 'OpenVPN'
	option src 'wan'
	option proto 'udp'
	option dest_port '1194'
	option target 'ACCEPT'

Source (Czech only): OpenVPN - konektivita mezi VPN a LAN

You may still need to edit /etc/config/network from here: http://www.s474n.com/project-turris-zprovozneni-openvpn-serveru/

Hmm, that didn’t work out.

Firewall edited to:

config zone
        option name 'lan'
        list network 'lan'
        list network 'vpn_turris'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config rule 'vpn_turris_rule'
        option enabled '1'
        option name 'vpn_turris_rule'
        option target 'ACCEPT'
        option proto 'udp'
        option src 'wan'
        option dest_port '1194'

Network edited to:

config interface 'vpn_turris'
        option enabled '1'
        option auto '1'
        option ifname 'tun0'
        option proto 'static'
        option ipaddr '10.0.1.0'
        option netmask '255.255.255.240'

then

/etc/init.d/network restart
/etc/init.d/firewall restart
/etc/init.d/openvpn enable
/etc/init.d/openvpn stop
/etc/init.d/openvpn start

I can still connect to the VPN but can’t access the router for example.

Hmm, then I don’t know how others can work. I use TAP “switch” interface, so I apologize, hopefully somebody else will be here to help you. Sorry…