R7800 VPN Service

[mfifield01]

Is anyone using their R7800 as a VPN Server? I currently can't connect with Voxel R7800-V1.0.2.84SF. I have tried using OpenVPN on my Windows laptop and my Android phone. No luck at all. On previous stock firmwares, I was able to connect.

 

[n1llam1]

Is anyone using their R7800 as a VPN Server? I currently can't connect with Voxel R7800-V1.0.2.84SF. I have tried using OpenVPN on my Windows laptop and my Android phone. No luck at all. On previous stock firmwares, I was able to connect.

My R7800 operating in router mode (Voxel R7800-V1.0.2.85SF as well as prior versions) is working fine as a VPN server.

My experience has been that it will not work both as VPN client and a VPN server. Also, previously when using stock firmware, I had also run into a problem and was not able to connect to my VPN server. The problem was resolved by disabling the VPN service, re-enabling the VPN service and using the new OpenVPN configuration package download.

I hope that helps.

 

[mfifield01]

Did you need to go in and turn off the VPN client? I haven't configured anything to use it as a client.

 

[n1llam1]

Did you need to go in and turn off the VPN client? I haven't configured anything to use it as a client.

You may just need to disable and then enable the VPN Service. I think behind the scenes that will generate a new encryption certificate for the clients to be able to connect. The old certificate may have expired.

I was experimenting with enabling the OpenVPN client using the Kamoj Add-on. When I saw with the VPN client enabled, my android phone was no longer able to connect to the R7800 VPN Service. The R7800 VPN Service is more important to me than the VPN client, so I disabled the VPN client (also using the Kamoj Add-on to do so).

My android phone and Windows laptop are able to use an OpenVPN client app to establish a VPN connection to my home network.

 

[R. Gerrits]

I was experimenting with enabling the OpenVPN client using the Kamoj Add-on. When I saw with the VPN client enabled, my android phone was no longer able to connect to the R7800 VPN Service. The R7800 VPN Service is more important to me than the VPN client, so I disabled the VPN client (also using the Kamoj Add-on to do so).

yep, known issue.

Potential causes:
If you use IP-address in your VPN config, or if you configured a static DNS entry, then:
Traffic towards your VPN server is sent directly via your ISP, but return traffic is sent via VPN provider thus never can be matched to the original request and is dropped.

If you use dynamicDNS in your VPN config:
Shortly after enabling VPN client, the previous still applies.
But at the next DDNS renewal, the ddns record will contain your VPN IP. -> whether it then again would start working, depends if you have a VPN provider that supports port-forwarding and whether you configured that port-forwarding for the VPN server.

Other potential issues with the 2nd situation:
I'm sure that starting / restarting the VPN client actually triggers a DDNS update. And also, if your VPN IP address would change, then I'm not sure that the DDNS immediatelly detects the IP-address change and updates the dns record.

my workaround:
I've put my router itself on the VPN bypass list. This is not possible via GUI, but requires editing /usr/bin/addon_bypassvpnip.sh
and then add this line somewhere just above the last "ip route flush cache"

[ "$(ip rule list | grep -c "iif lo lookup $NOVPN_TABLE")" = "0" ] && ip rule add iif lo table $NOVPN_TABLE

This workaround ensures that DDNS will still register my real public IP with DDNS. And it allows port-forwarded traffic to work again.

 

[n1llam1]

yep, known issue.

Potential causes:
If you use IP-address in your VPN config, or if you configured a static DNS entry, then:
Traffic towards your VPN server is sent directly via your ISP, but return traffic is sent via VPN provider thus never can be matched to the original request and is dropped.

If you use dynamicDNS in your VPN config:
Shortly after enabling VPN client, the previous still applies.
But at the next DDNS renewal, the ddns record will contain your VPN IP. -> whether it then again would start working, depends if you have a VPN provider that supports port-forwarding and whether you configured that port-forwarding for the VPN server.

Other potential issues with the 2nd situation:
I'm sure that starting / restarting the VPN client actually triggers a DDNS update. And also, if your VPN IP address would change, then I'm not sure that the DDNS immediatelly detects the IP-address change and updates the dns record.

my workaround:
I've put my router itself on the VPN bypass list. This is not possible via GUI, but requires editing /usr/bin/addon_bypassvpnip.sh
and then add this line somewhere just above the last "ip route flush cache"

[ "$(ip rule list | grep -c "iif lo lookup $NOVPN_TABLE")" = "0" ] && ip rule add iif lo table $NOVPN_TABLE

This workaround ensures that DDNS will still register my real public IP with DDNS. And it allows port-forwarded traffic to work again.

Thank you for the info. In my case I do use DDNS, although that is configured on my ISP router. My R7800 router is double-NATed and sits behind the ISP router. Internet<->ISP<->ISP Router<->R7800 (in router mode). If I get a chance I'll try your workaround to see if that works for my setup as well. Thanks again.

 

[mfifield01]

It ended up being DDNS. I've been using DDNS for a while, but for some reason the router wasn't sending the correct IP to the DDNS site. I checked the site and it had an incorrect IP. I just disabled DDNS, applied it, and enabled it again. It sent the correct IP. My Android phone and Windows laptop are now working fine.

 

[kamoj]

It is now possible with latest add-on version.
Thank you for highlighting this now and then so I don't forget it!

..I've put my router itself on the VPN bypass list. This is not possible via GUI, but requires editing /usr/bin/addon_bypassvpnip.sh
..

 

[misp]

Is anyone able to help me please ? in version R7800 V1.0.2.84SF im trying to setup OpenServer - but is not working for me. Im very basic user i have:

- placed all config vpn files in /etc/openvpn/config

how i may sure openvpn server is started, using this files, and will start automaticaly after rebook ?

I know possibly very easy questions but... any help will be welcome - thanks !

 

[R. Gerrits]

What exactly are you trying to do?

You talk about OpenVPN server. But the actions you describe belong to configuring an OpenVPN client (albeit a bit wrong.)

So are you trying to configure OpenVPN client, so that your router will connect to a 3rd party OpenVPN?
in that case you need to copy the files into /etc/openvpn/config/client
And you should be able to check if it works by looking at /var/log/openvpn-client.log
(this should also tell you what is wrong, if it still doesn't work.)

Look at chapter 8 of the readme for more details.

If you are trying to configure OpenVPN server, so that you can for instance use your phone to connect to your home network via VPN, then configure it via the web interface.
And optionally, you could use your own certificate files, as described in chapter 7 of the readme.
(but I think the readme file does not explain how to generate your own certificate files....)

 

[misp]

thank you for prompt answer,

I guess now is more clear to me to:
- i placed config files here: /etc/openvpn/config
- started in webgui Enable Service VPNand Applied

I see now:

25109 root 2044 S /usr/sbin/openvpn /tmp/openvpn/server_tap.conf
25110 root 2044 S /usr/sbin/openvpn /tmp/openvpn/server_tun.conf

Inside of TUN:
dh /tmp/openvpn/dh1024.pem
ca /etc/openvpn/config/ca.crt
cert /etc/openvpn/config/server.crt
key /etc/openvpn/config/server.key

i may assum eits ok - not sure about first line.

If still i may ask, now how shalli generate any client config ? Shall i use WebGui ? Or try to do it manually base on my config files ?
Where i may see OpenServer log file ?


_____________________________
Just cleared /tmp/openvpn folder from all files and starting VPN Service again - now all makes much more sense and looks much better.

 

[R. Gerrits]

If still i may ask, now how shalli generate any client config ? Shall i use WebGui ? Or try to do it manually base on my config files ?
Where i may see OpenServer log file ?

Yes, generate client config via WebGui.
and the location for the log files is defined in the server_tun.conf and server_tap.conf files.
( /tmp/openvpn_tun_log and /tmp/openvpn_log )

 

[Easy Rhino]

You may just need to disable and then enable the VPN Service. I think behind the scenes that will generate a new encryption certificate for the clients to be able to connect. The old certificate may have expired.

I was also having problems.
Disabling, then re-enabling, then downloading a new config, seems to have helped.
I also turned both tun and tap to TCP, and set the service to "all sites on the internet and home network", which i don't think worked before, but they did after re-enable and re-download

 

[Kitsap]

I was also having problems.
Disabling, then re-enabling, then downloading a new config, seems to have helped.
I also turned both tun and tap to TCP, and set the service to "all sites on the internet and home network", which i don't think worked before, but they did after re-enable and re-download

If you log into your R7800 with the hidden information command (http://xxx.xxx.xxx.xxx/hidden_info.htm) you will see information related to the VPN Cert at the bottom.