nycaleksey

OpenVPN does not work


Hi,

I set up OpenVPN correctly as guided by Darren in the "Access Internal Networks" video and it works perfectly. I can access all the nodes in the victim LAN. However, the victim computer on which the turtle is deployed cannot access the Internet. If I try to ping any host on the Internet, say 8.8.8.8, it says

172.16.84.1 Destination unreachable

Packets get rejected at the default gateway, i.e. the turtle.

However, if I SSH into the turtle then I can ping any host on the Internet from the turtle shell. It's as if the turtle and the OpenVPN module can access the Internet but the victim computer cannot. Kindly advise. I have also updated the DNS servers as mentioned in the previous post, but to no avail.


In this video I have described a problem that I have experienced with the OpenVPN Access Server. Please watch this video, and if you find a solution to the problem I have described, please post it in this forum.


The problem is with the network config for uci. There are no default firewall rules for handling vpn traffic. Without them the turtle won't pass traffic from the vpn interface to the br-lan interface.

You can correct this by adding the following to /etc/config/firewall on the turtle. Put it in around line 26, before the lines that start with "config rule":

config zone
        option  name            'vpn'
        list    network         'vpn'
        option  input           ACCEPT
        option  output          ACCEPT
        option  forward         REJECT

config forwarding
        option  src             lan
        option  dest            vpn

config forwarding
        option  src             vpn
        option  dest            lan

After doing so, run the following:

/etc/init.d/network restart

This will bounce the interfaces and reset the firewall rules. With these instructions in place, you'll be able to reach the network on the far side of the turtle.


A correction to my previous post: eth1 (the physical RJ45 port) is wan, not lan, so your config mods should only be:

config zone
        option  name            'vpn'
        list    network         'vpn'
        option  input           ACCEPT
        option  output          ACCEPT
        option  forward         REJECT

config forwarding
        option  src             vpn
        option  dest            wan

This was hidden in my earlier testing by some other direct iptables commands while I was trying to sort it out. I discovered today after rebooting the turtle that it no longer worked, and logging showed me that traffic was exiting the wan port.


Hi,

I have followed all the instructions here and in Darren's video.

The problem I am having is that once the VPN opens I have no Internet. I can access the OpenVPN AS from the FQDN, but nothing else.

I am stumped on what is going on.

On 9/18/2016 at 6:05 AM, MartyRS1975 said:

Hi,

I have followed all the instructions here and in Darren's video.

The problem I am having is that once the VPN opens I have no Internet. I can access the OpenVPN AS from the FQDN, but nothing else.

I am stumped on what is going on.

If your FQDN resolves to a public IP, and you can still reach that when the VPN is up, it sounds like all of your Internet traffic is being routed over the VPN. You probably don't want that (or maybe you do).

If you do, check that your OpenVPN AS system is configured to NAT traffic from your VPN network and that it has IP forwarding enabled. OVAS _should_ do this for you with its rules, but check anyway. You can use tcpdump to see if traffic from your client is leaving the VPN server without being NATted first, or if it's leaving at all.

On the other hand, if this is _not_ what you want, go into the admin area of AS and under VPN Settings / Routing select "No" for "Should client Internet traffic be routed through the VPN?"

If this doesn't resolve your issue, please create a new post with specific information about how you've set up the server, the client, and exactly what behavior you're experiencing. Include details like:

  • Is this with the Turtle or with your computer?
  • Can you ping by IP but not by hostname?
  • Have your DNS servers changed after connecting to the VPN?
  • Have you run the client in debug mode to get more information about the problem?
  • What client are you using, and on what OS?

The reason for creating a new post is because your problem is unique to you. We don't want a 400-page long thread about OpenVPN that answers 26 different questions. The reason for including details is because without them, we can only guess, and when we get into guessing, the quality of support drops rapidly.

/m


Hello All!

I was having the same issue with "destination port unreachable" until I made the following changes at the end of Darren's video. If you need help or need screenshots, let me know!

-Jeff


Here is a very simple fix I found that may help. It did the trick for me.

https://www.monach.us/operations/turtle-uci-modifications-for-openvpn/

As noted here the default plug-n-play configuration for OpenVPN Access Server doesn’t work.
The problem is with the network config for uci. There are no default firewall rules for handling vpn traffic. Without them the turtle won’t pass traffic from the vpn interface to the br-lan interface.

You can correct this by adding the following to /etc/config/firewall on the turtle. Put it in around line 26, before the lines that start with config rule:

config zone
    option  name            'vpn'
    list    network         'vpn'
    option  input           ACCEPT
    option  output          ACCEPT
    option  forward         REJECT

config forwarding
    option  src             vpn
    option  dest            wan

After doing so, run the following:

/etc/init.d/network restart

This will bounce the interfaces and reset the firewall rules. With these instructions in place, you’ll be able to reach the network on the far side of the turtle.

NOTE (2016/09/06): An earlier version of this article (and a corresponding forum post) mistakenly configured the lan interface instead of the wan interface. On the LAN Turtle the RJ45 port is wan.

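
Because the lan/wan mix-up above (and in the earlier correction post) is easy to repeat, here is an added example, not from the thread or from Hak5, that parses UCI firewall text in the /etc/config/firewall format and reports whether the vpn zone and the vpn-to-wan forwarding are present, flagging any forwarding that still involves lan. The two sample configs are constructed from the snippets in this thread; run it against the output of `cat /etc/config/firewall` from the turtle.

```python
import shlex

# Constructed sample: the corrected snippet from the thread (vpn zone, vpn -> wan).
CORRECTED = """
config zone
        option  name            'vpn'
        list    network         'vpn'
        option  input           ACCEPT
        option  output          ACCEPT
        option  forward         REJECT

config forwarding
        option  src             vpn
        option  dest            wan
"""

# Constructed sample: the earlier, mistaken version that forwarded lan <-> vpn.
MISTAKEN = CORRECTED.replace("wan", "lan") + """
config forwarding
        option  src             lan
        option  dest            vpn
"""

def parse_uci(text):
    """Parse OpenWrt UCI config text into a list of sections.
    Each section is {'type': ..., 'options': {k: v}, 'lists': {k: [v, ...]}}."""
    sections = []
    for raw in text.splitlines():
        words = shlex.split(raw, comments=True)  # handles 'quoted' values and # comments
        if not words:
            continue
        if words[0] == "config" and len(words) >= 2:
            sections.append({"type": words[1], "options": {}, "lists": {}})
        elif words[0] == "option" and len(words) == 3 and sections:
            sections[-1]["options"][words[1]] = words[2]
        elif words[0] == "list" and len(words) == 3 and sections:
            sections[-1]["lists"].setdefault(words[1], []).append(words[2])
    return sections

def check_vpn_firewall(text):
    """Return findings (empty list = OK) for the Turtle's OpenVPN zone/forwarding setup."""
    secs = parse_uci(text)
    findings = []
    vpn_zones = [s for s in secs if s["type"] == "zone" and s["options"].get("name") == "vpn"]
    if not vpn_zones:
        findings.append("missing 'config zone' named 'vpn'")
    elif "vpn" not in vpn_zones[0]["lists"].get("network", []):
        findings.append("zone 'vpn' does not list network 'vpn'")
    fwds = {(s["options"].get("src"), s["options"].get("dest"))
            for s in secs if s["type"] == "forwarding"}
    if ("vpn", "wan") not in fwds:
        findings.append("missing forwarding src=vpn dest=wan")
    if ("vpn", "lan") in fwds or ("lan", "vpn") in fwds:
        findings.append("forwarding involves 'lan': on the Turtle the RJ45 port is wan, not lan")
    return findings

if __name__ == "__main__":
    for label, cfg in (("corrected", CORRECTED), ("mistaken", MISTAKEN)):
        print(label, check_vpn_firewall(cfg) or ["OK"])
```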

Is there any difference between LAN Turtle SD and LAN Turtle 3G? I followed the video and the additional tweaks to the firewall configuration but still cannot ping any machine on the remote turtle network. It says port unreachable once I connect both VPN clients, from the turtle and from the local machine.

21 minutes ago, blackha7 said:

Will anyone from Hak5 reply? Guys, it seems you care only for the sales.

That's not fair. They'll support the product, but you're using open source software, and you're responsible for supporting it.

There's no significant difference in the underlying functionality between SD and 3G that would affect your OpenVPN configuration. You haven't given enough information to allow anyone to do any troubleshooting. You said, "I did something, and it doesn't work. Help me."

If you'd like to get people to respond, post enough information to allow someone else to understand or duplicate the issue. Some things to ask:

  • Is your VPN up? How do you know?
  • Have you checked the logs on both sides? Anything interesting?
  • How do you have it configured? Routed? Bridged?
  • Are the routes configured properly?
  • You said "firewall," and the response you're getting (destination port unreachable) sounds like firewall interference. If you followed the steps in the video that someone else said fixed this error, and if you still have the error, have you tried opening access completely?
  • Are your zones and interfaces named correctly?
  • Have you run tcpdump on both sides to see if the traffic is routed over the VPN or if it dies locally, remotely, and on what interface?

You might also get better visibility and assistance if you start a new thread.


Or use the "route-nopull" option in the client config. It's simple: the client keeps using its default interface. If the VPN connection is only there for you to connect from the outside, it's the way to go.

I needed to install OpenVPN 2.4 today and couldn't find it for the LAN Turtle. I flashed an updated OpenWRT and it works great, plus access to other, more up-to-date Entware packages. It's bare bones, I think smaller than the Hak5 firmware, so a little more breathing room for Entware.

https://downloads.openwrt.org/snapshots/targets/ar71xx/generic/openwrt-ar71xx-generic-lan-turtle-squashfs-sysupgrade.bin
