OpenVPN Setup Question

There are plenty of free apps (like Network Tools or Fing) on the Play Store.
Thanks. So it is getting pinged successfully.
Screenshot_20230627-192109.png

So as you suggested can I define a firewall rule in the router to allow the VPN IP range for all ports, or something similar? How do I solve for this access being blocked issue?
 
So as you suggested can I define a firewall rule in the router to allow the VPN IP range for all ports, or something similar? How do I solve for this access being blocked issue?
You need to create a firewall rule on 10.0.0.133 (not the router) that allows access from 10.8.0.0/24.

Also, change your VPN server's "Advertise DNS to clients" to Yes.
 
You need to create a firewall rule on 10.0.0.133 (not the router) that allows access from 10.8.0.0/24.

Also, change your VPN server's "Advertise DNS to clients" to Yes.
Did both but no luck still. Added the 10.8.0.0/24 to the server's routing table.

Read this here - is this relevant? How do I access the management interface of the OpenVPN server?
For the purpose of this example, we will assume that the server-side LAN uses a subnet of 10.66.0.0/24 and the VPN IP address pool uses 10.8.0.0/24 as cited in the server directive in the OpenVPN server configuration file.

First, you must advertise the 10.66.0.0/24 subnet to VPN clients as being accessible through the VPN. This can easily be done with the following server-side config file directive:

push "route 10.66.0.0 255.255.255.0"
 
Did both but no luck still. Added the 10.8.0.0/24 to the server's routing table.
You don't need to make any changes to any routing tables.

Temporarily turn off the firewall of 10.0.0.133 and see if you can now connect to it.

What/how are you trying to connect on 10.0.0.133? You know you are reaching it because of your ping test. Therefore the problem is either with your client or with 10.0.0.133.

Read this here - is this relevant? How do I access the management interface of the OpenVPN server?
No that is not relevant here.
 
There isn't a firewall setting on the Unraid server that I know of that I can turn off. Could be my ignorance, I am trying to research that.

But leave the server aside 10.0.0.133, the other thing I need access to is the router management interface which is 10.0.0.1. That also is inaccessible via VPN currently. How do I solve for that?
 
I don't know why you're having these problems, everything should "just work". Having got the VPN client to connect successfully to the VPN server, and being able to ping the target, the only common problems are 1) DNS issues, and 2) access controls on the target machine (because the source IP is 10.8.0.x).

Router access should be as normal, e.g. http://10.0.0.1 or https://10.0.0.1:8443

Go to Administration > System and set "Redirect webui access to www.asusrouter.com" to "No" just in case that's causing a problem.

Maybe try a different browser or connecting from a different device.

Can you confirm that the size of your LAN subnet (10.0.0.0) is not greater than /16?
 
Oh speaking of DNS I have two pihole servers that are configured as DNS's on the router. Not sure if that is causing the problems. All these machines are accessible from the home network without issues and pihole works as intended.
 
Oh speaking of DNS I have two pihole servers that are configured as DNS's on the router. Not sure if that is causing the problems. All these machines are accessible from the home network without issues and pihole works as intended.
With that DNS option I told you to set earlier the VPN server pushes the router's LAN DNS server address(es) to the client. If your router isn't using the default DNS setup this may cause problems with local name resolution. That's why I asked you to use IP addresses instead of host names so that we avoid any potential DNS issues.

You can see what information is pushed to the client when it connects by looking in the router's System Log.
 
Okay thank you. I appreciate your time and expertise very much.

I am at work today and connected to the VPN successfully, but it looks like no internet sites are being connected or names resolved correctly while on the VPN, including snbforums and Google. Google.com doesn't even get pinged.
Screenshot_20230628-095548.png
So the problem is something I did incorrectly with the configuration it seems.

I will check the router log when I get back home. Like you said it should work and the last time I did have it up and running through the docker it just did so that is why I am trying to figure out what I did wrong this time.

Also I am not sure how to check the size of the subnet on 10.0.0.1, that is why I haven't answered that question yet. If it is the connected devices count on the router then I do have that.
 
That's a bit odd. Because the VPN connection is UDP you can sometimes see that behaviour when the connection is of poor quality. Try it again when you get home.
 
That's a bit odd. Because the VPN connection is UDP you can sometimes see that behaviour when the connection is of poor quality. Try it again when you get home.
Apologies, I was busy with work and couldn't come back to this till now.

So here is the update from home: I am able to ping 8.8.8.8 while on VPN successfully, no issues. However name resolution is not working, tried google.com. I can ping local IP addresses as well but cannot access them through a browser.

Checked the system log and here are the entries I found for openvpn server:

Code:
Jun 30 12:40:00 ovpn-server1[662]: read UDPv4 [CMSG=8|EHOSTUNREACH]: No route to host (fd=10,code=113)
Jun 30 12:40:15 ovpn-server1[662]: read UDPv4 [CMSG=8|EHOSTUNREACH]: No route to host (fd=10,code=113)
Jun 30 12:40:30 ovpn-server1[662]: read UDPv4 [CMSG=8|EHOSTUNREACH]: No route to host (fd=10,code=113)
Jun 30 12:40:45 ovpn-server1[662]: read UDPv4 [CMSG=8|EHOSTUNREACH]: No route to host (fd=10,code=113)
Jun 30 12:41:00 ovpn-server1[662]: read UDPv4 [CMSG=8|EHOSTUNREACH]: No route to host (fd=10,code=113)
Jun 30 12:41:16 ovpn-server1[662]: read UDPv4 [CMSG=8|EHOSTUNREACH]: No route to host (fd=10,code=113)
Jun 30 12:41:16 ovpn-server1[662]: client/10.0.0.116:58653 [client] Inactivity timeout (--ping-restart), restarting
Jun 30 12:41:16 ovpn-server1[662]: client/10.0.0.116:58653 SIGUSR1[soft,ping-restart] received, client-instance restarting
 
Your log shows that your client was connected to your local network. What happens if you try the same thing when connecting from the internet over a cell phone network?

What is your router's subnet mask as seen on the LAN - LAN IP page?

What DNS server addresses do you have set on WAN - Internet Connection and LAN - DHCP Server?
 
Your log shows that your client was connected to your local network. What happens if you try the same thing when connecting from the internet over a cell phone network?
Without the VPN it works fine, all sites are accessible. Here is a speedtest on Phone data:
Screenshot_20230630-133456.png
What is your router's subnet mask as seen on the LAN - LAN IP page?
255.255.255.0


What DNS server addresses do you have set on WAN - Internet Connection and LAN - DHCP Server?
My pi-hole addresses - 10.0.0.10 and 10.0.0.20
Screenshot 2023-06-30 133829.png

Here is WAN-DNS:
Screenshot 2023-06-30 134326.png

Also the LAN DNS Director:
Screenshot 2023-06-30 134514.png
 
Without the VPN it works fine, all sites are accessible. Here is a speedtest on Phone data:
That's not what I meant. Your log shows that your phone was still connected to your router's Wi-Fi when you enabled its VPN client. I wanted you to switch your phone to 5G and connect to the VPN server over the internet.

Change your WAN DNS servers to your ISP's instead of 10.0.0.10 and 10.0.0.20 and test again.

Also the LAN DNS Director:
View attachment 51456
The bottom of this image that has been cut off, I'm assuming you have some clients listed there?
 
Got it - yes, just this one time - in the previous tries I did switch Wi-Fi off before connecting. Here is the log again with that.
Code:
Jun 30 13:58:37 ovpn-server1[662]: 172.58.176.205:15498 VERIFY OK: depth=1, C=TW, ST=TW, L=Taipei, O=ASUS, OU=Home/Office, CN=RT-AX86U, emailAddress=me@asusrouter.lan
Jun 30 13:58:37 ovpn-server1[662]: 172.58.176.205:15498 VERIFY OK: depth=0, C=TW, ST=TW, L=Taipei, O=ASUS, OU=Home/Office, CN=client, emailAddress=me@asusrouter.lan
Jun 30 13:58:37 ovpn-server1[662]: 172.58.176.205:15498 peer info: IV_VER=3.git::081bfebe:RelWithDebInfo
Jun 30 13:58:37 ovpn-server1[662]: 172.58.176.205:15498 peer info: IV_PLAT=android
Jun 30 13:58:37 ovpn-server1[662]: 172.58.176.205:15498 peer info: IV_NCP=2
Jun 30 13:58:37 ovpn-server1[662]: 172.58.176.205:15498 peer info: IV_TCPNL=1
Jun 30 13:58:37 ovpn-server1[662]: 172.58.176.205:15498 peer info: IV_PROTO=30
Jun 30 13:58:37 ovpn-server1[662]: 172.58.176.205:15498 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:BF-CBC
Jun 30 13:58:37 ovpn-server1[662]: 172.58.176.205:15498 peer info: IV_GUI_VER=net.openvpn.connect.android_3.3.4-9290
Jun 30 13:58:37 ovpn-server1[662]: 172.58.176.205:15498 peer info: IV_SSO=webauth,openurl,crtext
Jun 30 13:58:37 ovpn-server1[662]: 172.58.176.205:15498 peer info: IV_BS64DL=1
Jun 30 13:58:37 ovpn-server1[662]: 172.58.176.205:15498 PLUGIN_CALL: POST /usr/lib/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
Jun 30 13:58:37 ovpn-server1[662]: 172.58.176.205:15498 TLS: Username/Password authentication succeeded for username 'vpn-admin'
Jun 30 13:58:37 ovpn-server1[662]: 172.58.176.205:15498 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
Jun 30 13:58:37 ovpn-server1[662]: 172.58.176.205:15498 TLS: tls_multi_process: initial untrusted session promoted to trusted
Jun 30 13:58:37 ovpn-server1[662]: 172.58.176.205:15498 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 1024 bit RSA, signature: RSA-SHA256
Jun 30 13:58:37 ovpn-server1[662]: 172.58.176.205:15498 [client] Peer Connection Initiated with [AF_INET]172.58.176.205:15498 (via [AF_INET]99.36.3.221%eth0)
Jun 30 13:58:37 ovpn-server1[662]: client/172.58.176.205:15498 MULTI_sva: pool returned IPv4=10.8.0.2, IPv6=(Not enabled)
Jun 30 13:58:37 ovpn-server1[662]: client/172.58.176.205:15498 MULTI: Learn: 10.8.0.2 -> client/172.58.176.205:15498
Jun 30 13:58:37 ovpn-server1[662]: client/172.58.176.205:15498 MULTI: primary virtual IP for client/172.58.176.205:15498: 10.8.0.2
Jun 30 13:58:37 ovpn-server1[662]: client/172.58.176.205:15498 SENT CONTROL [client]: 'PUSH_REPLY,route 10.0.0.0 255.255.255.0 vpn_gateway 500,dhcp-option DOMAIN hostname,dhcp-option DNS 10.0.0.10,dhcp-option DNS 10.0.0.20,redirect-gateway def1,route-gateway 10.8.0.1,topology subnet,ping 15,ping-restart 60,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM,key-derivation tls-ekm' (status=1)
Jun 30 13:58:37 ovpn-server1[662]: client/172.58.176.205:15498 PUSH: Received control message: 'PUSH_REQUEST'
Jun 30 13:58:38 ovpn-server1[662]: client/172.58.176.205:15498 Data Channel: cipher 'AES-256-GCM', peer-id: 0
Jun 30 13:58:38 ovpn-server1[662]: client/172.58.176.205:15498 Timers: ping 15, ping-restart 120
Jun 30 13:58:38 ovpn-server1[662]: client/172.58.176.205:15498 Protocol options: protocol-flags tls-ekm

The bottom of this image that has been cut off, I'm assuming you have some clients listed there?
Just one client - kids' phone with Cloudflare Family as the redirection.
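The replies above narrow the problem down to a few checks: whether the client was really connecting from outside the LAN (the first log shows a client/10.0.0.116 endpoint), whether the LAN subnet is wide enough to swallow the 10.8.0.0/24 pool, whether the DNS servers pushed in PUSH_REPLY are covered by a pushed route, and whether the target host's own access control admits a 10.8.0.x source. The script below is an added example, not code from this thread or from the Asuswrt firmware; it parses the PUSH_REPLY line as the server logs it and runs those checks. The log lines and the target's allow-list are constructed sample input, and the "allow-list" is a stand-in for whatever host firewall 10.0.0.133 runs.

```python
"""Diagnostics for OpenVPN server-to-LAN access, built from the router's System Log.

Added example (not from the thread or the firmware). It reads the PUSH_REPLY the
server sends at connect time and checks the things the replies above point at.
"""
import ipaddress
import re

# Constructed samples: the PUSH_REPLY line quoted in the thread and one of the
# earlier lines where the client endpoint was a LAN address.
SAMPLE_PUSH_LINE = (
    "Jun 30 13:58:37 ovpn-server1[662]: client/172.58.176.205:15498 SENT CONTROL "
    "[client]: 'PUSH_REPLY,route 10.0.0.0 255.255.255.0 vpn_gateway 500,"
    "dhcp-option DOMAIN hostname,dhcp-option DNS 10.0.0.10,dhcp-option DNS 10.0.0.20,"
    "redirect-gateway def1,route-gateway 10.8.0.1,topology subnet,ping 15,"
    "ping-restart 60,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,"
    "cipher AES-256-GCM,key-derivation tls-ekm' (status=1)"
)
SAMPLE_LAN_LINE = (
    "Jun 30 12:41:16 ovpn-server1[662]: client/10.0.0.116:58653 [client] "
    "Inactivity timeout (--ping-restart), restarting"
)

_CLIENT_RE = re.compile(r"client/(\d+\.\d+\.\d+\.\d+):\d+")
_PUSH_RE = re.compile(r"PUSH_REPLY,(.*?)'")


def client_endpoint(line):
    """Public address the server saw the client connect from (None if absent)."""
    m = _CLIENT_RE.search(line)
    return ipaddress.ip_address(m.group(1)) if m else None


def parse_push_reply(line):
    """Split a logged PUSH_REPLY into pushed routes, DNS servers and tunnel IP."""
    m = _PUSH_RE.search(line)
    if not m:
        return None
    opts = [o.strip() for o in m.group(1).split(",")]
    routes, dns, client_ip = [], [], None
    for opt in opts:
        parts = opt.split()
        if parts[0] == "route" and len(parts) >= 3:
            # "route <network> <netmask> ..." -> network object
            routes.append(ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False))
        elif parts[:2] == ["dhcp-option", "DNS"]:
            dns.append(ipaddress.ip_address(parts[2]))
        elif parts[0] == "ifconfig":
            client_ip = ipaddress.ip_address(parts[1])
    return {
        "routes": routes,
        "dns": dns,
        "client_ip": client_ip,
        "redirect_gateway": any(o.startswith("redirect-gateway") for o in opts),
    }


def connected_from_lan(line, lan):
    """True when the client endpoint is inside the LAN (i.e. tested over Wi-Fi)."""
    ep = client_endpoint(line)
    return ep is not None and ep in ipaddress.ip_network(lan)


def pool_overlaps_lan(pool, lan):
    """A LAN mask shorter than /16 on 10.0.0.0 swallows the 10.8.0.0/24 pool."""
    return ipaddress.ip_network(pool).overlaps(ipaddress.ip_network(lan))


def dns_reachable(push):
    """Pushed DNS servers must sit in a pushed route unless all traffic is redirected."""
    if push["redirect_gateway"]:
        return True
    return all(any(d in r for r in push["routes"]) for d in push["dns"])


def host_allows(client_ip, allow_list):
    """Emulate the target host's source allow-list against the tunnel address."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(c) for c in allow_list)


def diagnose(push_line, lan, pool, target_allow_list):
    """Return the list of findings for one client connection."""
    push = parse_push_reply(push_line)
    findings = []
    if connected_from_lan(push_line, lan):
        findings.append("client connected from inside the LAN; retest over mobile data")
    if pool_overlaps_lan(pool, lan):
        findings.append(f"VPN pool {pool} overlaps LAN {lan}")
    if not dns_reachable(push):
        findings.append("pushed DNS servers are not covered by any pushed route")
    if not host_allows(push["client_ip"], target_allow_list):
        findings.append(f"target allow-list does not admit tunnel address {push['client_ip']}")
    return findings


if __name__ == "__main__":
    # Hypothetical allow-list for 10.0.0.133 that only trusts the LAN itself.
    for f in diagnose(SAMPLE_PUSH_LINE, "10.0.0.0/24", "10.8.0.0/24", ["10.0.0.0/24"]):
        print("finding:", f)
```

With the thread's real PUSH_REPLY and a /24 LAN, the only finding is the allow-list one: the pushed route and DNS options look right, so a host that only trusts 10.0.0.0/24 is the remaining suspect, which is exactly the "create a firewall rule on 10.0.0.133 that allows 10.8.0.0/24" advice.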
 
Tried switching WAN DNS to the ISP's DNS and no joy; now I can't even ping my server 10.0.0.133 - the router (10.0.0.1) pings successfully.
Screenshot 2023-06-30 141051.png
 