OpenVPN Server issues

Discussion in 'Asuswrt-Merlin' started by FalconB, Oct 20, 2019.

  1. FalconB

    FalconB Regular Contributor

    Joined:
    Apr 20, 2017
    Messages:
    64
    Hi,

    Yesterday I had a router crash and ended up redoing everything from scratch. It's now up and running as before, except for the OVPN. The OVPN server is running on the router and I can connect to it from a client (phone). However I'm unable to use the internet via the VPN. What I want is to be able to surf on my phone as if I were at home, taking advantage of the adblocking by Diversion. This used to work, but now it doesn't :(.

    Router-config:
    Code:
    Model:
    RT-AC68U
    
    FW:
    384.13
    
    Settings:
    DoT with DNSFilter = Router
    
    Router ip: 192.168.1.1
    OVPN Server ip: 192.168.10.1
    Client will use VPN to access = Both
    
    Add-ons:
    amtm, Diversion+Pixelserv-TLS, YazFi
    
    Checking the iptables yields:
    Code:
    ---
    Chain OVPN (2 references)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere
    ---
    
    and
    
    ---
    -A OVPN -i tun21 -j ACCEPT
    ---
    
    The OVPN client file contains:
    Code:
    client
    dev tun
    proto udp
    remote XXX.XXX.XXX.XXX 1194
    float
    ncp-ciphers AES-128-GCM:AES-256-GCM:AES-128-CBC:AES-256-CBC
    cipher AES-128-CBC
    auth SHA1
    compress lz4-v2
    keepalive 15 60
    auth-user-pass
    remote-cert-tls server

    I notice that the server pushes the router's ip address as DNS server (ie 192.168.1.1). I tried to modify the client config file and added the ip address of the OVPN server (ie 192.168.10.1) as DNS server, which made the client have two DNS servers (192.168.1.1 and 192.168.10.1), but still I'm not able to surf.

    So, any ideas on what to try next? Thanks in advance! :cool:
     
  2. martinr

    martinr Part of the Furniture

    Joined:
    Nov 27, 2014
    Messages:
    2,208
    Location:
    Manchester, United Kingdom
    On the General page is “Client will use vpn to access” set to BOTH?

    On the Advanced page is “Advertise DNS to clients” set to YES?
     
  3. FalconB

    FalconB Regular Contributor

    Joined:
    Apr 20, 2017
    Messages:
    64
    Yup!
     
  4. martinr

    martinr Part of the Furniture

    Joined:
    Nov 27, 2014
    Messages:
    2,208
    Location:
    Manchester, United Kingdom
    Does the OVPN logfile on the client give any indication? I suppose it shows a successful connection and therefore has nothing else to log. And I don’t suppose syslog might have anything?
     
  5. martinr

    martinr Part of the Furniture

    Joined:
    Nov 27, 2014
    Messages:
    2,208
    Location:
    Manchester, United Kingdom
    I would probably next try:

    1. A different device (if you have)

    2. Temporarily disabling Skynet and Diversion.

    3. Exporting and importing a fresh .ovpn config file
     
  6. martinr

    martinr Part of the Furniture

    Joined:
    Nov 27, 2014
    Messages:
    2,208
    Location:
    Manchester, United Kingdom
    I see you have compression set. That might possibly be it, though on reflection it wouldn’t have connected. Use the default Disable and export a fresh .ovpn config file to the client.
     
    royarcher, FalconB and elorimer like this.
  7. FalconB

    FalconB Regular Contributor

    Joined:
    Apr 20, 2017
    Messages:
    64
    Will try that and get back! Thanx!
     
    royarcher likes this.
  8. elorimer

    elorimer Very Senior Member

    Joined:
    Dec 16, 2013
    Messages:
    885
    I think a mismatch in compression means a connection will be made, but no traffic will pass. So I suspect this might be it.
     
    royarcher, martinr and FalconB like this.
  9. FalconB

    FalconB Regular Contributor

    Joined:
    Apr 20, 2017
    Messages:
    64
    Well sir, you are the man :D! It is now working! Thank you very much!

    Now, to follow up on this. How would I go about if I want to only use the dns of the server (192.168.1.1) to gain the adblocking, but without access to the rest of my LAN? Switching to "Internet only" does not do the trick since that also seems to block the dns and adblocking of the router (192.168.1.1). Do I need to create some iptables rules for this to work, and if so, any idea what they should look like? :oops:
     
    Last edited: Oct 20, 2019
  10. martinr

    martinr Part of the Furniture

    Joined:
    Nov 27, 2014
    Messages:
    2,208
    Location:
    Manchester, United Kingdom
    That very question is one I’ve been wondering about for a long time. As, I think it was L&LD recently pointed out, we need "Both" (i.e. LAN access too) so we can access the router and pixelserv-tls for Diversion and Skynet.
    But I’m out of my depth when it comes to iptables, so I will follow with great interest any answers. That said, if access has to be granted to the router - for Skynet and Diversion to function - is there much point to restricting access elsewhere on the LAN?
    Delighted you’re up and running though.
     
    royarcher likes this.
  11. elorimer

    elorimer Very Senior Member

    Joined:
    Dec 16, 2013
    Messages:
    885
    1. Did you still fool with the second DNS address? Delete that, I think. That leads nowhere.
    2. "Internet only" pushes the router IP as the default gateway, so anything not on the client subnet goes out over the router. "LAN only" adds a route to the 192.168.1.xx subnet but doesn't change the default gateway. "Both" does, um, both. Diversion directs blocked domains to an address on the 192.168.1.xx subnet. "Internet only" means that the client can't reach that pixelserv address that Diversion sets up. Perhaps adding a static route to it would work.
    3. The client might be overriding the pushed default gateway, so that is another thing to look at.
     
    martinr likes this.
  12. FalconB

    FalconB Regular Contributor

    Joined:
    Apr 20, 2017
    Messages:
    64
    Well, I think I made it work with iptables. First off, I deleted all the rules within the OVPN chain to make it empty. I then added this:
    Code:
    # Inserted first, so after the later -I calls it ends up LAST in the chain:
    # anything not matched by an ACCEPT above it is dropped.
    iptables -I OVPN -j DROP
    
    # DNS to the router (192.168.1.1:53) from VPN clients, UDP and TCP, plus
    # the matching replies. This is what keeps Diversion's adblocking working.
    iptables -I OVPN -p udp -d 192.168.1.1 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -I OVPN -p udp -s 192.168.1.1 --sport 53 -m state --state ESTABLISHED -j ACCEPT
    iptables -I OVPN -p tcp -d 192.168.1.1 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -I OVPN -p tcp -s 192.168.1.1 --sport 53 -m state --state ESTABLISHED -j ACCEPT
    
    # Forwarded traffic between the tunnel (tun21) and the WAN interface (eth0)
    # in both directions, i.e. Internet access. Nothing matches tun21 -> LAN,
    # so that falls through to the DROP at the bottom.
    iptables -I OVPN -i tun21 -o eth0 -j ACCEPT
    iptables -I OVPN -i eth0 -o tun21 -j ACCEPT
    Note that I use the -I (don't ask me why :oops:) so the rules are in the reverse order in the table.

    This now allows me to use the adblocking service via Diversion on 192.168.1.1 while surfing with no access to my LAN. Need some more testing though...

    EDIT:
    "Client will use VPN to access" in the GUI is set to "Both"

    EDIT 2:
    Found a small error in iptables rules, now fixed

    EDIT 3:
    I got the iptables rules from here: https://gist.github.com/thomasfr/9712418
     
    Last edited: Oct 20, 2019
    martinr likes this.
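As an added illustration, not part of the thread, the following Python model evaluates the OVPN chain exactly as the rules above build it with `-I` (each insert goes to the top), so you can see the effective order and check the verdicts for the cases FalconB tested before loading anything on a router. It models only this chain with iptables first-match semantics, not the INPUT/FORWARD chains that jump to it, and conntrack state is reduced to a field on the packet. The sample packets are constructed: 192.168.10.2 stands for a VPN client on the server's 192.168.10.x tunnel network, 192.168.1.50 for a hypothetical NAS, 203.0.113.10 for an Internet host, and `br0` as the LAN bridge name is an assumption (only `tun21` and `eth0` appear in the posted rules).

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    in_if: str                 # interface the packet arrived on
    out_if: Optional[str]      # None when the router itself is the destination (INPUT path)
    dport: Optional[int] = None
    sport: Optional[int] = None
    state: str = "NEW"         # simplified conntrack state: "NEW" or "ESTABLISHED"


@dataclass(frozen=True)
class Rule:
    """One iptables rule; a field left as None is a wildcard, like omitting the option."""
    target: str
    proto: Optional[str] = None
    src: Optional[str] = None
    dst: Optional[str] = None
    in_if: Optional[str] = None
    out_if: Optional[str] = None
    dport: Optional[int] = None
    sport: Optional[int] = None
    states: Optional[FrozenSet[str]] = None   # -m state --state ...

    def matches(self, p: Packet) -> bool:
        checks = [
            (self.proto, p.proto), (self.src, p.src), (self.dst, p.dst),
            (self.in_if, p.in_if), (self.out_if, p.out_if),
            (self.dport, p.dport), (self.sport, p.sport),
        ]
        if any(want is not None and want != have for want, have in checks):
            return False
        return self.states is None or p.state in self.states


def insert(chain: List[Rule], rule: Rule) -> None:
    """iptables -I CHAIN rule: insert at position 1, i.e. the top of the chain."""
    chain.insert(0, rule)


def evaluate(chain: List[Rule], p: Packet) -> str:
    """First matching rule decides; 'RETURN' means the chain made no decision."""
    for rule in chain:
        if rule.matches(p):
            return rule.target
    return "RETURN"


def build_ovpn_chain() -> List[Rule]:
    """The posted rules, applied in the posted order with -I semantics."""
    chain: List[Rule] = []
    new_est = frozenset({"NEW", "ESTABLISHED"})
    est = frozenset({"ESTABLISHED"})
    insert(chain, Rule("DROP"))                                   # ends up last
    insert(chain, Rule("ACCEPT", proto="udp", dst="192.168.1.1", dport=53, states=new_est))
    insert(chain, Rule("ACCEPT", proto="udp", src="192.168.1.1", sport=53, states=est))
    insert(chain, Rule("ACCEPT", proto="tcp", dst="192.168.1.1", dport=53, states=new_est))
    insert(chain, Rule("ACCEPT", proto="tcp", src="192.168.1.1", sport=53, states=est))
    insert(chain, Rule("ACCEPT", in_if="tun21", out_if="eth0"))  # VPN -> WAN
    insert(chain, Rule("ACCEPT", in_if="eth0", out_if="tun21"))  # WAN -> VPN, ends up first
    return chain


def effective_order(chain: List[Rule]) -> List[str]:
    """Targets in the order iptables -L would list them."""
    return [r.target for r in chain]


def verdicts() -> Dict[str, str]:
    """Verdicts for constructed packets mirroring the tests reported in the thread."""
    chain = build_ovpn_chain()
    client, nas, internet = "192.168.10.2", "192.168.1.50", "203.0.113.10"
    cases = {
        "dns_to_router":       Packet("udp", client, "192.168.1.1", "tun21", None, dport=53),
        "http_to_router":      Packet("tcp", client, "192.168.1.1", "tun21", None, dport=80),
        "smb_to_nas":          Packet("tcp", client, nas, "tun21", "br0", dport=445),
        "https_to_internet":   Packet("tcp", client, internet, "tun21", "eth0", dport=443),
        "reply_from_internet": Packet("tcp", internet, client, "eth0", "tun21",
                                      sport=443, state="ESTABLISHED"),
    }
    return {name: evaluate(chain, p) for name, p in cases.items()}


if __name__ == "__main__":
    print("effective order:", effective_order(build_ovpn_chain()))
    for name, verdict in verdicts().items():
        print(f"{name:20s} -> {verdict}")
```

Running it shows the DROP sitting at the bottom of the chain, DNS to 192.168.1.1 accepted, HTTP to the router and SMB to the NAS dropped, and tunnel-to-WAN traffic accepted in both directions, which is the behaviour FalconB later confirmed by hand. If you change the rule order or swap `-I` for `-A`, rerun the model before touching the router.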
  13. elorimer

    elorimer Very Senior Member

    Joined:
    Dec 16, 2013
    Messages:
    885
    I think it would be worthwhile seeing what your ovpn log looks like in connecting, and what phone you are using. I'm not sure whether phones accept the pushed DNS without some special handling of the DHCP-option command.
     
  14. martinr

    martinr Part of the Furniture

    Joined:
    Nov 27, 2014
    Messages:
    2,208
    Location:
    Manchester, United Kingdom
    Do let us know how your testing goes.
     
  15. FalconB

    FalconB Regular Contributor

    Joined:
    Apr 20, 2017
    Messages:
    64
    Yes I will! However I have some other stuff to attend to, so the testing will be put on hold for awhile. But from the short tests I have done, it seems to work.
     
    martinr likes this.
  16. FalconB

    FalconB Regular Contributor

    Joined:
    Apr 20, 2017
    Messages:
    64
    Ok, back again! So, it seems to work :D! With the settings mentioned above I have connected to the VPN and tested:
    • Connect to router ip which fails - OK
    • Connect to my nas ip which fails - OK
    • Connect to other devices on separate subnets which fails - OK
    • Tried ipleak.net which reports my address to be the same as my routers public ip - OK
    • Tried ipleak.net which reports only 1 DNS-server, the DoT-server I have configured on the router (Cloudflare) - OK
    • Tried adblocking test sites and ordinary websites and ads are being blocked - OK
    So I'm all happy!

    EDIT:
    I'm using a Google Pixel 3 phone to connect to the VPN. DNS is pushed to the phone, ie 192.168.1.1, as per the configuration on the router's VPN-page. I have made no modification to the exported .OVPN-file from the router, just imported it straight into the phone.
     
    Last edited: Oct 24, 2019
    martinr likes this.