andresmorago
Senior Member
Hello to all
I'm having some issues when trying to set up an OpenVPN server on my RT-AC68U running 383.3.
This is my current working setup. Both routers are connected to the internet in different locations.
clo01
10.0.0.0/24 - LAN
10.0.1.1 - VPN server 443tcp (10.0.1.0/24)
bga01
10.0.1.2 - VPN client
10.0.0.1 - LAN (10.0.4.0/24)
10.0.10.1 - VPN server 1194udp (10.0.10.0/24)
The site-to-site VPN works perfectly, as I can access clo01 resources (no internet) from bga01.
I have set up the VPN server in bga01 and downloaded the client file. When I try to connect to bga01 with this file from an external computer, the connection executes but there is no ping connectivity to either 10.0.4.1 or 10.0.10.1, nor internet access.
The idea with this VPN server is to share both local resources (10.0.4.0/24) and internet from bga01 to any external client using the config file.
This is my server setup at bga01:
This is my client generated file from bga01
Code:
# Config generated by Asuswrt-Merlin 386.3, requires OpenVPN 2.4.0 or newer.
client
dev tun
proto udp4
remote bga01.xxxxx.com 1194
resolv-retry infinite
nobind
float
cipher AES-128-CBC
auth SHA1
keepalive 15 60
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
</key>
Some verbose 4 output at bga01. There is a "bad source address from client [::], packet dropped" message that bothers me:
Code:
Aug 7 16:22:11 bga01 ovpn-server1[28025]: MULTI: multi_create_instance called
Aug 7 16:22:11 bga01 ovpn-server1[28025]: 191.95.xxx.xxx:24797 Re-using SSL/TLS context
Aug 7 16:22:11 bga01 ovpn-server1[28025]: 191.95.xxx.xxx:24797 Control Channel MTU parms [ L:1621 D:1212 EF:38 EB:0 ET:0 EL:3 ]
Aug 7 16:22:11 bga01 ovpn-server1[28025]: 191.95.xxx.xxx:24797 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
Aug 7 16:22:11 bga01 ovpn-server1[28025]: 191.95.xxx.xxx:24797 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Aug 7 16:22:11 bga01 ovpn-server1[28025]: 191.95.xxx.xxx:24797 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Aug 7 16:22:11 bga01 ovpn-server1[28025]: 191.95.xxx.xxx:24797 TLS: Initial packet from [AF_INET]191.95.xxx.xxx:24797 (via [AF_INET]190.96.xxx.xxx%ppp0), sid=4542d5d9 cd6c80cd
Aug 7 16:22:11 bga01 ovpn-server1[28025]: 191.95.xxx.xxx:24797 VERIFY OK: depth=1, C=TW, ST=TW, L=Taipei, O=ASUS, OU=Home/Office, CN=RT-AC68U, emailAddress=me@asusrouter.lan
Aug 7 16:22:11 bga01 ovpn-server1[28025]: 191.95.xxx.xxx:24797 VERIFY OK: depth=0, C=TW, ST=TW, L=Taipei, O=ASUS, OU=Home/Office, CN=client, emailAddress=me@asusrouter.lan
Aug 7 16:22:11 bga01 ovpn-server1[28025]: 191.95.xxx.xxx:24797 peer info: IV_VER=2.4.9
Aug 7 16:22:11 bga01 ovpn-server1[28025]: 191.95.xxx.xxx:24797 peer info: IV_PLAT=win
Aug 7 16:22:11 bga01 ovpn-server1[28025]: 191.95.xxx.xxx:24797 peer info: IV_PROTO=2
Aug 7 16:22:11 bga01 ovpn-server1[28025]: 191.95.xxx.xxx:24797 peer info: IV_NCP=2
Aug 7 16:22:11 bga01 ovpn-server1[28025]: 191.95.xxx.xxx:24797 peer info: IV_LZ4=1
Aug 7 16:22:11 bga01 ovpn-server1[28025]: 191.95.xxx.xxx:24797 peer info: IV_LZ4v2=1
Aug 7 16:22:11 bga01 ovpn-server1[28025]: 191.95.xxx.xxx:24797 peer info: IV_LZO=1
Aug 7 16:22:11 bga01 ovpn-server1[28025]: 191.95.xxx.xxx:24797 peer info: IV_COMP_STUB=1
Aug 7 16:22:11 bga01 ovpn-server1[28025]: 191.95.xxx.xxx:24797 peer info: IV_COMP_STUBv2=1
Aug 7 16:22:11 bga01 ovpn-server1[28025]: 191.95.xxx.xxx:24797 peer info: IV_TCPNL=1
Aug 7 16:22:11 bga01 ovpn-server1[28025]: 191.95.xxx.xxx:24797 peer info: IV_GUI_VER=OpenVPN_GUI_11
Aug 7 16:22:11 bga01 ovpn-server1[28025]: 191.95.xxx.xxx:24797 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, peer certificate: 1024 bit RSA, signature: RSA-SHA1
Aug 7 16:22:11 bga01 ovpn-server1[28025]: 191.95.xxx.xxx:24797 [client] Peer Connection Initiated with [AF_INET]191.95.xxx.xxx:24797 (via [AF_INET]190.96.xxx.xxx%ppp0)
Aug 7 16:22:11 bga01 ovpn-server1[28025]: client/191.95.xxx.xxx:24797 MULTI_sva: pool returned IPv4=10.0.10.2, IPv6=(Not enabled)
Aug 7 16:22:11 bga01 ovpn-server1[28025]: client/191.95.xxx.xxx:24797 MULTI: Learn: 10.0.10.2 -> client/191.95.xxx.xxx:24797
Aug 7 16:22:11 bga01 ovpn-server1[28025]: client/191.95.xxx.xxx:24797 MULTI: primary virtual IP for client/191.95.xxx.xxx:24797: 10.0.10.2
Aug 7 16:22:11 bga01 ovpn-server1[28025]: client/191.95.xxx.xxx:24797 Outgoing Data Channel: Cipher 'AES-128-CBC' initialized with 128 bit key
Aug 7 16:22:11 bga01 ovpn-server1[28025]: client/191.95.xxx.xxx:24797 Outgoing Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
Aug 7 16:22:11 bga01 ovpn-server1[28025]: client/191.95.xxx.xxx:24797 Incoming Data Channel: Cipher 'AES-128-CBC' initialized with 128 bit key
Aug 7 16:22:11 bga01 ovpn-server1[28025]: client/191.95.xxx.xxx:24797 Incoming Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
Aug 7 16:22:12 bga01 ovpn-server1[28025]: client/191.95.xxx.xxx:24797 PUSH: Received control message: 'PUSH_REQUEST'
Aug 7 16:22:12 bga01 ovpn-server1[28025]: client/191.95.xxx.xxx:24797 SENT CONTROL [client]: 'PUSH_REPLY,route 10.0.4.0 255.255.255.0 vpn_gateway 500,redirect-gateway def1,route-gateway 10.0.10.1,topology subnet,ping 15,ping-restart 60,ifconfig 10.0.10.2 255.255.255.0,peer-id 0,cipher AES-128-CBC' (status=1)
Aug 7 16:22:12 bga01 ovpn-server1[28025]: client/191.95.xxx.xxx:24797 MULTI: bad source address from client [::], packet dropped
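An added example, not part of the original post: a small Python parser run over three lines taken from the log above, reporting which options the server pushed, which source addresses were dropped, and the weak certificate parameters the log reveals. The function name `audit` and the thresholds (RSA below 2048 bits, SHA-1 certificate signatures, CBC data ciphers) are choices made for this example.

```python
import re

# Sample input: three lines taken from the log in the post (addresses already masked).
SAMPLE_LOG = """\
Aug 7 16:22:11 bga01 ovpn-server1[28025]: 191.95.xxx.xxx:24797 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, peer certificate: 1024 bit RSA, signature: RSA-SHA1
Aug 7 16:22:12 bga01 ovpn-server1[28025]: client/191.95.xxx.xxx:24797 SENT CONTROL [client]: 'PUSH_REPLY,route 10.0.4.0 255.255.255.0 vpn_gateway 500,redirect-gateway def1,route-gateway 10.0.10.1,topology subnet,ping 15,ping-restart 60,ifconfig 10.0.10.2 255.255.255.0,peer-id 0,cipher AES-128-CBC' (status=1)
Aug 7 16:22:12 bga01 ovpn-server1[28025]: client/191.95.xxx.xxx:24797 MULTI: bad source address from client [::], packet dropped
"""

CERT_RE = re.compile(r"peer certificate: (\d+) bit (\w+), signature: ([\w-]+)")
PUSH_RE = re.compile(r"SENT CONTROL \[([^\]]+)\]: 'PUSH_REPLY,([^']*)'")
DROP_RE = re.compile(r"MULTI: bad source address from client \[([^\]]*)\], packet dropped")


def audit(log_text):
    """Summarise pushed options, dropped sources and weak crypto parameters."""
    report = {"pushed": {}, "drops": {}, "findings": []}
    for line in log_text.splitlines():
        if m := CERT_RE.search(line):
            bits, algo, sig = int(m.group(1)), m.group(2), m.group(3)
            if algo == "RSA" and bits < 2048:
                report["findings"].append(f"peer certificate uses {bits}-bit RSA")
            if sig.upper().endswith("SHA1"):
                report["findings"].append(f"peer certificate signed with {sig}")
        elif m := PUSH_RE.search(line):
            # PUSH_REPLY is a comma-separated list of "option arguments" items.
            opts = report["pushed"].setdefault(m.group(1), {})
            for item in m.group(2).split(","):
                name, _, value = item.partition(" ")
                opts.setdefault(name, []).append(value)
        elif m := DROP_RE.search(line):
            src = m.group(1)
            report["drops"][src] = report["drops"].get(src, 0) + 1
    for client, opts in report["pushed"].items():
        cipher = opts.get("cipher", [""])[0]
        if cipher.endswith("-CBC"):
            report["findings"].append(f"{client}: data channel cipher {cipher} is not AEAD")
    return report


if __name__ == "__main__":
    result = audit(SAMPLE_LOG)
    for client, opts in result["pushed"].items():
        print(client, "routes:", opts.get("route"), "redirect-gateway:", opts.get("redirect-gateway"))
    print("dropped sources:", result["drops"])
    for finding in result["findings"]:
        print("finding:", finding)
```
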