OpenVPN cannot access LAN / DNS not working


WillyTP

Regular Contributor
Hello everybody

I'm trying to configure a very simple OpenVPN setup,
in order to access Internet and LAN from my mobile phone.
I underline that I already did this many times in the recent past so... really no clue why it isn't working now.
I'm using latest Merlin 384.7 b2.

For some unknown reason, my setup isn't working.
I attached it in the image below.
Logs aren't helping me, I don't find any error.

What happens:
VPN connection works.
If I disable "Inoltra DNS ai Client" (translated push DNS to clients),
I can browse the Internet (and, again for unknown reasons, I expose my mobile phone's ISP IP to the internet rather than the VPN one);
If I enable "Inoltra DNS ai Client", just nothing works.

Any hint?

Thanks everyone!
 

Attachments

  • 2018-09-29 14_48_28-ASUS Wireless Router RT-AC68U - Server VPN.png
Actually started with that version for me too.
I'd like to help for debugging but I don't know what to do.
As stated before, nothing suspect is shown in logs.
I wonder if it's some default deny policy for Dnsmasq?
 
Our problem is that it’s not a problem for anyone else... It must be an obscure issue as even the Merlin maintainer couldn’t help.
 
I'm experiencing the same issue on another AC68U router, running the latest official Asus firmware. I bet it is a bug introduced in one of the latest firmwares.
 
Is Merlin not based on a different firmware from the official Asus one though? Also the fact that no one else seems to have any issues seems a bit random. I hope it is a bug in a way as I’ve spent so much time trying to fix this issue that I’ll be very peeved that it’s down to me missing something!
 
Below are my settings. They work. They worked across 384.5, 384.6 and 384.7 beta 1, 2 and 3. And presumably on 384.7 final too.
I can access my LAN and connect to WAN, using my router as DNS (and therefore the benefits of Diversion, Skynet, pixelserv-tls etc.)

[screenshot 1: Bo5hJHu.png]

[screenshot 2: wkIL8Lj.png]


If you want to debug set 'Log Verbosity' (the second to last setting in the second screenshot) to a higher value for more verbose logging.

EDIT: Replaced second screenshot for more secure settings :oops:
 
Below are my settings. They work. They worked across 384.5, 384.6 and 384.7 beta 1, 2 and 3. And presumably on 384.7 final too.

I can access my LAN and connect to WAN, using my router as DNS (and therefore the benefits of Diversion, Skynet, pixelserv-tls etc.)

Surely you have not deliberately posted a screen shot of a potentially insecure OpenVPN Server configuration? :eek::eek::eek::eek:

Always use 'Username/Password Auth. Only=NO' to force authentication using Certificate and (optionally) together with a preferably unique User/PW


[screenshot: upload_2018-10-2_20-38-28.png]
 
Hello everybody
Unfortunately nothing to do, same issue remains, and no errors are shown in log :/

Btw: as in previous tests, OpenVPN for Android shows 0 sent / received traffic.
 
Hello everybody
Unfortunately nothing to do, same issue remains, and no errors are shown in log :/

Btw: as in previous tests, OpenVPN for Android shows 0 sent / received traffic.

Try changing:

'TLS control channel security=DISABLE'
'HMAC Authentication=DEFAULT'


P.S. I don't recall seeing you post the logs from either the Server or Client (with obfuscated data/IPs etc.).
I'm not saying you have missed anything, but you never know ;)
 
Surely you have not deliberately posted a screen shot of a potentially insecure OpenVPN Server configuration? :eek::eek::eek::eek:

Always use 'Username/Password Auth. Only=NO' to force authentication using User/PW + Certificate

I assure you, nothing deliberate about my post, sir...:eek:
'Just' a lack of knowledge, I fear. :oops:

I replaced the second screenshot and changed the setting. I do wonder why it was set that way. I can't recall changing it, so might it be set to a less secure option by default?

Anyway, thank you for pointing it out @Martineau.
 
You're right...
I'm posting right now the whole configuration with logs ;-)
Thanks for help.

Code:
Oct  2 22:09:19 ovpn-server1[3376]: 37.162.102.46 TLS: Initial packet from [AF_INET6]::ffff:37.162.102.46:13587, sid=542aa94f 33d8b05a
Oct  2 22:09:19 ovpn-server1[3376]: 37.162.102.46 VERIFY OK: depth=1, C=TW, ST=TW, L=Taipei, O=ASUS, CN=RT-AC68U, emailAddress=me@myhost.mydomain
Oct  2 22:09:19 ovpn-server1[3376]: 37.162.102.46 VERIFY OK: depth=0, C=TW, ST=TW, L=Taipei, O=ASUS, CN=client, emailAddress=me@myhost.mydomain
Oct  2 22:09:20 ovpn-server1[3376]: 37.162.102.46 peer info: IV_VER=2.5_master
Oct  2 22:09:20 ovpn-server1[3376]: 37.162.102.46 peer info: IV_PLAT=android
Oct  2 22:09:20 ovpn-server1[3376]: 37.162.102.46 peer info: IV_PROTO=2
Oct  2 22:09:20 ovpn-server1[3376]: 37.162.102.46 peer info: IV_NCP=2
Oct  2 22:09:20 ovpn-server1[3376]: 37.162.102.46 peer info: IV_LZ4=1
Oct  2 22:09:20 ovpn-server1[3376]: 37.162.102.46 peer info: IV_LZ4v2=1
Oct  2 22:09:20 ovpn-server1[3376]: 37.162.102.46 peer info: IV_LZO=1
Oct  2 22:09:20 ovpn-server1[3376]: 37.162.102.46 peer info: IV_COMP_STUB=1
Oct  2 22:09:20 ovpn-server1[3376]: 37.162.102.46 peer info: IV_COMP_STUBv2=1
Oct  2 22:09:20 ovpn-server1[3376]: 37.162.102.46 peer info: IV_TCPNL=1
Oct  2 22:09:20 ovpn-server1[3376]: 37.162.102.46 peer info: IV_GUI_VER=de.blinkt.openvpn_0.7.5
Oct  2 22:09:20 ovpn-server1[3376]: 37.162.102.46 PLUGIN_CALL: POST /usr/lib/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
Oct  2 22:09:20 ovpn-server1[3376]: 37.162.102.46 TLS: Username/Password authentication succeeded for username 'blablablablabla'
Oct  2 22:09:20 ovpn-server1[3376]: 37.162.102.46 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Oct  2 22:09:20 ovpn-server1[3376]: 37.162.102.46 [client] Peer Connection Initiated with [AF_INET6]::ffff:37.162.102.46:13587
Oct  2 22:09:20 ovpn-server1[3376]: client/37.162.102.46 MULTI_sva: pool returned IPv4=10.10.0.3, IPv6=(Not enabled)
Oct  2 22:09:20 ovpn-server1[3376]: client/37.162.102.46 MULTI: Learn: 10.10.0.3 -> client/37.162.102.46
Oct  2 22:09:20 ovpn-server1[3376]: client/37.162.102.46 MULTI: primary virtual IP for client/37.162.102.46: 10.10.0.3
Oct  2 22:09:21 ovpn-server1[3376]: client/37.162.102.46 PUSH: Received control message: 'PUSH_REQUEST'
Oct  2 22:09:21 ovpn-server1[3376]: client/37.162.102.46 SENT CONTROL [client]: 'PUSH_REPLY,route 192.168.5.0 255.255.255.0 vpn_gateway 500,dhcp-option DNS 192.168.5.1,redirect-gateway def1,route-gateway 10.10.0.1,topology subnet,ping 15,ping-restart 60,ifconfig 10.10.0.3 255.255.255.0,peer-id 1,cipher AES-256-GCM' (status=1)
Oct  2 22:09:21 ovpn-server1[3376]: client/37.162.102.46 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Oct  2 22:09:21 ovpn-server1[3376]: client/37.162.102.46 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key

Obviously my internal network is 192.168.5.x
If I configure the less secure PPTP VPN connection, everything works perfectly.
 

Attachments

  • 2018-10-02 22_03_53-ASUS Wireless Router RT-AC68U - Server VPN.png
  • 2018-10-02 22_04_35-ASUS Wireless Router RT-AC68U - Server VPN.png
Hi,
Unfortunately IpV6 connectivity is already set to off.

Thank you

Sent from my SM-G965F using Tapatalk
 
I'm posting right now the whole configuration with logs ;-)

Apart from a couple of extra messages from the Android client, and a few more messages reported by the OpenVPN Server, my OpenVPN server Syslog entries are essentially identical o_O

I suggest you examine the log on the Android device to see how the client accepts (or possibly rejects) the pushed DNS directives.

If nothing is untoward, then I would personally start-over :(

i.e. reset the router to defaults and ensure that a new OpenVPN Server configuration generates new server certificates in /jffs/openvpn; delete the VPN profile on the Android device and export the new (OpenVPN v2.4) config to import on the Android client.

I have setup many OpenVPN Servers/ Clients on Asus Routers and if I'm honest, the only time the Client couldn't connect correctly was due to my stupidity - typos etc. :oops:

If I configure the less secure PPTP VPN connection, everything works perfectly.
Yes PPTP is a very simple protocol and invariably always works first time, but is not recommended.
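An added example (not from this thread or from Asuswrt-Merlin) that pulls the two points raised above out of OpenVPN server syslog lines: whether a session passed both client-certificate verification and Username/Password auth, and whether the address pushed with 'dhcp-option DNS' falls inside a pushed route or the tunnel subnet, since a resolver the client has no route to produces exactly "DNS push enabled, nothing works" with no server-side error. The sample lines are constructed in the format posted above; the client IP (203.0.113.10), username and the route-coverage heuristic are assumptions of the example, not values or advice from the thread.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample in the format of the server syslog posted above; the
# client's public IP and username are placeholders, not the poster's values.
SAMPLE_LOG = """\
Oct  2 22:09:19 ovpn-server1[3376]: 203.0.113.10 VERIFY OK: depth=1, C=TW, ST=TW, L=Taipei, O=ASUS, CN=RT-AC68U, emailAddress=me@myhost.mydomain
Oct  2 22:09:19 ovpn-server1[3376]: 203.0.113.10 VERIFY OK: depth=0, C=TW, ST=TW, L=Taipei, O=ASUS, CN=client, emailAddress=me@myhost.mydomain
Oct  2 22:09:20 ovpn-server1[3376]: 203.0.113.10 TLS: Username/Password authentication succeeded for username 'user'
Oct  2 22:09:21 ovpn-server1[3376]: client/203.0.113.10 SENT CONTROL [client]: 'PUSH_REPLY,route 192.168.5.0 255.255.255.0 vpn_gateway 500,dhcp-option DNS 192.168.5.1,redirect-gateway def1,route-gateway 10.10.0.1,topology subnet,ping 15,ping-restart 60,ifconfig 10.10.0.3 255.255.255.0,peer-id 1,cipher AES-256-GCM' (status=1)
"""

CERT_RE = re.compile(r"VERIFY OK: depth=0, .*?CN=([^,]+)")   # depth=0 is the client cert
PUSH_RE = re.compile(r"SENT CONTROL \[[^\]]+\]: 'PUSH_REPLY,([^']*)'")
USERPASS = "Username/Password authentication succeeded"

def parse_push_reply(options):
    """Split PUSH_REPLY options into the networks the client will have a
    route to (pushed 'route' lines plus the tunnel subnet from 'ifconfig')
    and the resolvers pushed with 'dhcp-option DNS'."""
    routes, dns = [], []
    for opt in options:
        f = opt.split()
        if f and f[0] in ("route", "ifconfig") and len(f) >= 3:
            routes.append(ip_network(f"{f[1]}/{f[2]}", strict=False))
        elif f[:2] == ["dhcp-option", "DNS"] and len(f) == 3:
            dns.append(ip_address(f[2]))
    return routes, dns

def audit_session(log_text):
    """Summarise one client session from OpenVPN server syslog lines."""
    result = {"cert_cn": None, "userpass": False, "redirect_gateway": False,
              "dns_reachable": {}}
    for line in log_text.splitlines():
        if m := CERT_RE.search(line):
            result["cert_cn"] = m.group(1)        # certificate factor present
        if USERPASS in line:
            result["userpass"] = True             # user/password factor present
        if m := PUSH_RE.search(line):
            opts = m.group(1).split(",")
            result["redirect_gateway"] = any(o.startswith("redirect-gateway") for o in opts)
            routes, dns = parse_push_reply(opts)
            # Heuristic (this example's, not the thread's): a pushed resolver is
            # only usable if some pushed route or the tunnel subnet covers it.
            result["dns_reachable"] = {str(d): any(d in n for n in routes) for d in dns}
    return result

if __name__ == "__main__":
    print(audit_session(SAMPLE_LOG))
```

A session showing cert_cn but userpass False is what a client connecting against 'Username/Password Auth. Only=YES' does not produce; with the setting at NO both factors should appear, as they do in the log posted above.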
 
I thought I would ask here rather than risk starting an unnecessary new thread... OpenVPN works great now - except TAP does not work on my KUbuntu setup (only on my Android phone). I can access the router interface ok, but not other addresses on the router subnet. Is there any reason why I can't just assign VPN to the same router subnet? And I would like to really force all WAN access back through the router DNS and firewall... I clicked 'advertise DNS to clients' but I'm not sure if this is working. Perhaps I need to force it on the client side too. I just don't understand why a VPN still defaults to sending so much outside the VPN without so much additional config. So I just want the VPN to completely wrap the connection.

I use an Android phone, KUbuntu and Windows 10.
 
