OpenVPN Server issues

[FalconB]

Hi,

Yesterday I had a router crash and ended up redoing everything from scratch. It's now up and running as before, except for the OVPN. The OVPN server is running on the router and I can connect to it from a client (phone). However I'm unable to use the internet via the VPN. What I want is to be able to surf on my phone as if I were at home, taking advantage of the adblocking by Diversion. This used to work, but now it doesn't .

Router-config:

Model:
RT-AC68U

FW:
384.13

Settings:
DoT with DNSFilter = Router

Router ip: 192.168.1.1
OVPN Server ip: 192.168.10.1
Client will use VPN to access = Both

Add-ons:
amtm, Diversion+Pixelserv-TLS, YazFi

Checking the iptables yields:

---
Chain OVPN (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
---

and

---
-A OVPN -i tun21 -j ACCEPT
---

The OVPN client file contains:

Spoiler: Config

client
dev tun
proto udp
remote XXX.XXX.XXX.XXX 1194
float
ncp-ciphers AES-128-GCM:AES-256-GCM:AES-128-CBC:AES-256-CBC
cipher AES-128-CBC
auth SHA1
compress lz4-v2
keepalive 15 60
auth-user-pass
remote-cert-tls server

I notice that the server pushes the router's ip address as DNS server (ie 192.168.1.1). I tried to modify the client config file and added the ip address of the OVPN server (ie 192.168.10.1) as DNS server, which made the client have two DNS servers (192.168.1.1 and 192.168.10.1), but still I'm not able to surf.

So, any ideas on what to try next? Thanks in advance!

 

[martinr]

On the General page is “Client will use vpn to access” set to BOTH?

On the Advanced page is “Advertise DNS to clients” set to YES?

 

[FalconB]

On the General page is “Client will use vpn to access” set to BOTH?

On the Advanced page is “Advertise DNS to clients” set to YES?

Yup!

 

[martinr]

Does the OVPN logfile on the client give any indication? I suppose it shows a successful connection and therefore has nothing else to log. And I don’t suppose syslog might have anything?

 

[martinr]

I would probably next try:

1. A different device (if you have)

2. Temporarily disabling Skynet and Diversion.

3. Exporting and importing a fresh .ovpn config file

 

[martinr]

I see you have compression set. That might possibly be it, though on reflection it wouldn’t have connected. Use the default Disable and export a fresh .ovpn config file to the client.

 

[FalconB]

I see you have compression set. That might possibly be it, though on reflection it wouldn’t have connected. Use the default Disable and export a fresh .ovpn config file to the client.

Will try that and get back! Thanx!

 

[elorimer]

I see you have compression set. That might possibly be it, though on reflection it wouldn’t have connected.

I think a mismatch in compression means a connection will be made, but no traffic will pass. So I suspect this might be it.

 

[FalconB]

Well sir, you are the man ! It is now working! Thank you very much!

Now, to follow up on this. How would I go about if I want to only use the dns of the server (192.168.1.1) to gain the adblocking, but without access to the rest of my LAN? Switching to "Internet only" does not do the trick since that also seems to block the dns and adblocking of the router (192.168.1.1). Do I need to create some iptables rules for this to work, and if so, any idea what they should look like?

 

[martinr]

Well sir, you are the man ! It is now working! Thank you very much!

Now, to follow up on this. How would I go about if I want to only use the dns of the server (192.168.1.1) to gain the adblocking, but without access to the rest of my LAN? Switching to "Internet only" does not do the trick since that also seems to block the dns and adblocking of the router (192.168.1.1). Do I need to create some iptables rules for this to work, and if so, any idea what they should look like?

That very question is one I’ve been wondering about for a long time. As, I think it was L&LD recently pointed out, we need ” Both” (Ie LAN access too) so we can access the router and pixelserv-tls for Diversion and Skynet.
But I’m out of my depth when it comes to iptables, so I will follow with great interest any answers. That said, if access has to be granted to the router - for Skynet and Diversion to function - is there much point to restricting access elsewhere on the LAN?
Delighted you’re up and running though.

 

[elorimer]

1. Did you still fool with the second DNS address? Delete that, I think. That leads nowhere.
2. "Internet only" pushes the router IP as the default gateway, so anything not on the client subnet goes out over the router. "LAN only" adds a route to the 192.168.1.xx subnet but doesn't change the default gateway. "Both" does, um, both. Diversion directs blocked domains to an address on the 192.168.1.xx subnet. "Internet only" means that the client can't reach that pixelserv address that Diversion sets up. Perhaps adding a static route to it would work.
3. The client might be overriding the pushed default gateway, so that is another thing to look at.

 

[FalconB]

Well, I think I made it work with iptables. First off, I deleted all the rules within the OVPN chain to make it empty. I then added this:

iptables -I OVPN -j DROP

iptables -I OVPN -p udp -d 192.168.1.1 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -I OVPN -p udp -s 192.168.1.1 --sport 53 -m state --state ESTABLISHED -j ACCEPT
iptables -I OVPN -p tcp -d 192.168.1.1 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -I OVPN -p tcp -s 192.168.1.1 --sport 53 -m state --state ESTABLISHED -j ACCEPT

iptables -I OVPN -i tun21 -o eth0 -j ACCEPT
iptables -I OVPN -i eth0 -o tun21 -j ACCEPT

Note that I use the -I (don't ask me why ) so the rules are in the reverse order in the table.

This now allows me to use the adblocking service via Diversion on 192.168.1.1 while surfing with no access to my LAN. Need some more testing though...

EDIT:
"Client will use VPN to access" in the GUI is set to "Both"

EDIT 2:
Found a small error in iptables rules, now fixed

EDIT 3:
I got the iptables rules from here: https://gist.github.com/thomasfr/9712418

 

[elorimer]

I think it would be worthwhile seeing what your ovpn log looks like in connecting, and what phone you are using. I'm not sure whether phones accept the pushed DNS without some special handling of the DHCP-option command.

 

[martinr]

Well, I think I made it work with iptables. ......
This now allows me to use the adblocking service via Diversion on 192.168.1.1 while surfing with no access to my LAN. Need some more testing though...

Do let us know how your testing goes.

 

[FalconB]

Do let us know how your testing goes.

Yes I will! However I have some other stuff to attend to, so the testing will be put on hold for awhile. But from the short tests I have done, it seems to work.

 

[FalconB]

Ok, back again! So, it seems to work ! With the settings mentioned above I have connected to the VPN and tested:

• Connect to router ip which fails - OK
• Connect to my nas ip which fails - OK
• Connect to other devices on separate subnets which fails - OK
• Tried ipleak.net which reports my address to be the same as my routers public ip - OK
• Tried ipleak.net which reports only 1 DNS-server, the DoT-server I have configured on the router (Cloudlflare) - OK
• Tried adblocking test sites and ordinary websites and ads are beeing blocked - OK

So I'm all happy!

EDIT:
I'm using a Google Pixel 3 phone to connect to the VPN. DNS is pushed to the phone, ie 192.168.1.1, as per the configuration on the router's VPN-page. I have made no modification to the exported .OVPN-file from the router, just imported it straight into the phone.