No internet for router clients (OpenVPN + stunnel)

santer_av

Hi there,

I have a problem with my Asus RT-AC68U (Firmware:386.14_2) when trying to use OpenVPN through stunnel.
I use the same configuration separately on my MacBook, VM on Linux, Windows. It works fine (openvpn to 127.0.0.1 + stunnel to external vpn server).
When I try to repeat this configuration on my router (without needing to do it on each client), I see it working only from the router console (ssh) but not for connected clients.

Code:
client
dev tun
proto tcp
remote 127.0.0.1 1194
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun

remote-cert-tls server
cipher AES-256-GCM
verb 3

Redirect Internet traffic through tunnel: Yes (all)

Code:
foreground = yes
[openvpn]
client = yes
accept = 127.0.0.1:1194
connect = 83.10.10.10:1111
verifyPeer = yes

My steps:
1. Check internet connection
- from router console (working)
Code:
curl api.myip.com
{"ip":"my_ISP_ip","country":"my_country","cc":"XX"}
- from client (working)
Code:
curl api.myip.com
{"ip":"my_ISP_ip","country":"my_country","cc":"XX"}

2. Turn OpenVPN client ON.
Code:
ip route show table ovpnc1
8.8.4.4 via 100.88.0.1 dev vlan2  metric 1
10.8.8.5 dev tun0  proto kernel  scope link  src 10.8.8.6
10.8.8.1 via 10.8.8.5 dev tun0
100.88.0.1 dev vlan2  proto kernel  scope link
8.8.8.8 via 100.88.0.1 dev vlan2  metric 1
127.0.0.1 via 100.88.0.1 dev vlan2
192.168.1.0/24 dev br0  proto kernel  scope link  src 192.168.1.1
100.88.0.0/16 dev vlan2  proto kernel  scope link  src 100.88.25.57
127.0.0.0/8 dev lo  scope link
default via 10.8.8.5 dev tun0

3. Check internet connection
- from router console (not working)
Code:
curl api.myip.com
curl: (28) Failed to connect to api.myip.com port 80 after 150026 ms: Operation timed out

4. Manually add route which was in the log but actually wasn't in the route table
ip route add 83.10.10.10 via 10.8.8.5 table ovpnc1 #where 83.10.10.10 e.g. my external VPN server ip

5. Check internet connection
- from router console (working)
Code:
curl api.myip.com
{"ip":"my_VPN_ip","country":"VPN_country","cc":"YY"}
- from client (not working)
Code:
curl api.myip.com
curl: (28) Failed to connect to api.myip.com port 80 after 150026 ms: Operation timed out

So, there are 2 problems:
1. VPN external ip is not added to the ovpnc1 table
2. When it was fixed manually internet vpn connection works from router itself but doesn't from clients.

Please advise.
 
Any ideas? The first one seems to be a firmware bug, as the log says it's added to the route, but in fact it isn't. Maybe something else is not happening too, which causes the second, main issue.
 
I have no idea what you are trying to do there, it makes no sense to me. You cannot route 127.0.0.1, it's just a local loopback, it's not routable.
 
I use the same configuration separately on my MacBook, VM on Linux, Windows. It works fine (openvpn to 127.0.0.1 + stunnel to external vpn server).

@RMerlin - he's missing a lot of specifics - depending on what Virt solution is running on the Mac - the localhost addr can be mangled inside the VM framework and turned into a routable address (which is not localhost)...

More info is needed...
 
@RMerlin @sfx2000
OK, here are the details.
OpenVPN client is routed to 127.0.0.1 port 1194 (remote 127.0.0.1 1194). The stunnel client on the same machine listens on this port on localhost and redirects traffic to the external stunnel server (accept = 127.0.0.1:1194 connect = 83.10.10.10:1111). Then the external server receives the traffic via the stunnel server (accept = 1111 connect = 127.0.0.1:1194) and redirects it to the vpn server on the same machine (local 127.0.0.1 port 1194). So two openvpns (client + server) talk through stunnel.
Stunnel and openvpn client configs are in my first message. Server configs can also be described if needed.

Similar approach is described here: https://www.perfect-privacy.com/en/manuals/router_openwrt_openvpn_stealth_stunnel

I can run a clean Ubuntu server from scratch, install stunnel and openvpn, and it will work there, but it doesn't on Asus.
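
Added example, not part of any post in this thread: a POSIX sh check that reads `ip route show table ...` output and reports whether traffic to the stunnel `connect` address would be carried into the tunnel it is supposed to transport. The function names and the sample table (constructed from the addresses posted above) are assumptions, and only host routes and the default route are inspected.

```shell
#!/bin/sh
# Added example, not from the thread. Audits `ip route show table <name>` text.

# Print the device of the first route whose destination field equals "$1".
route_dev() {
    awk -v dst="$1" '$1 == dst {
        for (i = 2; i < NF; i++) if ($i == "dev") { print $(i + 1); exit }
    }'
}

# check_stunnel_route <endpoint_ip> <routes_text>
# Prints findings; returns 0 if carrier traffic avoids the tunnel, else 1.
check_stunnel_route() {
    endpoint=$1 routes=$2 status=0
    host_dev=$(printf '%s\n' "$routes" | route_dev "$endpoint")
    default_dev=$(printf '%s\n' "$routes" | route_dev default)

    case "$host_dev" in
        "") case "$default_dev" in
                tun*|tap*)
                    echo "MISSING: no host route for $endpoint; default via $default_dev would carry it into the tunnel"
                    status=1 ;;
                *)  echo "OK: no tunnel default route covers $endpoint" ;;
            esac ;;
        tun*|tap*)
            echo "LOOP: $endpoint routed via $host_dev"
            status=1 ;;
        *)  echo "OK: $endpoint leaves via $host_dev" ;;
    esac

    # A loopback destination routed out of a non-lo device is never reachable.
    printf '%s\n' "$routes" | awk '$1 ~ /^127\./ {
        for (i = 2; i < NF; i++) if ($i == "dev" && $(i + 1) != "lo")
            print "NOTE: loopback route " $1 " on " $(i + 1)
    }'
    return $status
}

# Constructed sample: a subset of the ovpnc1 table shown in the first post.
SAMPLE_ROUTES='10.8.8.5 dev tun0  proto kernel  scope link  src 10.8.8.6
100.88.0.1 dev vlan2  proto kernel  scope link
127.0.0.1 via 100.88.0.1 dev vlan2
127.0.0.0/8 dev lo  scope link
default via 10.8.8.5 dev tun0'

check_stunnel_route 83.10.10.10 "$SAMPLE_ROUTES" || true
```

On a live router the second argument would be `"$(ip route show table ovpnc1)"`.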
 