cant connect from extern while VPN runs, works if VPN stopped

This forum is for admins who are looking to build or expand their OpenVPN setup.

Moderators: TinCanTech
rakuri
OpenVpn Newbie
Posts: 3
Joined: Fri Feb 05, 2016 9:39 am

cant connect from extern while VPN runs, works if VPN stopped

Post by rakuri » Tue Jan 17, 2017 8:38 pm

Hello guys,

I have a strange problem with OpenVPN on my OpenWrt system, and I hope you can help me with it.
I want to connect externally to my OpenWrt router, but this does not work as long as OpenVPN runs.

I use OpenVPN in client mode, and the VPN tunnel works so far. My whole traffic runs over the VPN tunnel.

But I cannot connect externally to the OpenWrt server.
Neither via the ISP IP nor via the VPN IP.

Locally it works perfectly, no matter which router I am connected to.

The strange thing is that it works as soon as I stop the VPN.

So my problem is:
Without the VPN running I can connect to the OpenWrt server via the external ISP IP.
With the VPN running I cannot connect to the OpenWrt server via the external ISP IP or the external VPN IP.

What I want:
Access to the OpenWrt LAN (port 12345, behind which a web server sits)
via my ISP IP (IP:PORT).

My setup:
I have two routers.
One is my ISP router (for the Internet) and one is an OpenWrt router (VPN server).

Image

I have to use the ISP router for Internet access.
The OpenWrt router's WAN port is connected to a LAN port of the ISP router.
Openwrt Firmware: OpenWrt Chaos Calmer 15.05
OpenVPN Version: openvpn-openssl 2.3.6-5
openvpn config file
config openvpn 'IPVanish'
option float '1'
option client '1'
option comp_lzo 'yes'
option reneg_sec '0'
option verb '3'
option persist_key '1'
option nobind '1'
option remote_cert_tls 'server'
option dev 'tun255'
option proto 'udp'
option remote 'xxx.ipvanish.com 443'
option resolv_retry 'infinite'
option persist_tun '1'
option persist_remote_ip '1'
option ca '/etc/openvpn/ca.ipvanish.com.crt'
option auth_user_pass '/etc/openvpn/login.auth'
option auth 'SHA256'
option keysize '256'
option cipher 'AES-256-CBC'
option tls_cipher 'DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA'
option enabled '1'
option log '/tmp/openvpn.log'
#option route_nopull '1'
#option route_noexec '0'
#option route_up '/etc/openvpn/guest-up.sh'
option script_security '2'
route with OpenVPN

root@OpenWrt:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         172.21.24.1     128.0.0.0       UG    0      0        0 tun255
default         192.168.1.1     0.0.0.0         UG    0      0        0 br-wan
81.171.85.10    192.168.1.1     255.255.255.255 UGH   0      0        0 br-wan
91.198.22.70    192.168.1.1     255.255.255.255 UGH   0      0        0 br-wan
128.0.0.0       172.21.24.1     128.0.0.0       UG    0      0        0 tun255
172.21.24.0     *               255.255.254.0   U     0      0        0 tun255
192.168.1.0     *               255.255.255.0   U     0      0        0 br-wan
192.168.2.0     *               255.255.255.0   U     0      0        0 br-lan
route without OpenVPN

root@OpenWrt:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.1.1     0.0.0.0         UG    0      0        0 br-wan
91.198.22.70    192.168.1.1     255.255.255.255 UGH   0      0        0 br-wan
192.168.1.0     *               255.255.255.0   U     0      0        0 br-wan
192.168.2.0     *               255.255.255.0   U     0      0        0 br-lan
ifconfig -a with OpenVPN

root@OpenWrt:~# ifconfig -a
br-lan    Link encap:Ethernet  HWaddr F8:1A:67:D8:DF:70
          inet addr:192.168.2.1  Bcast:192.168.2.255  Mask:255.255.255.0
          inet6 addr: fe80::fa1a:67ff:fed8:df70/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1420461 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2452403 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:128038034 (122.1 MiB)  TX bytes:3160207919 (2.9 GiB)

br-wan    Link encap:Ethernet  HWaddr F8:1A:67:D8:DF:70
          inet addr:192.168.1.2  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::fa1a:67ff:fed8:df70/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2479591 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1397640 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:3347345286 (3.1 GiB)  TX bytes:267938777 (255.5 MiB)

eth0      Link encap:Ethernet  HWaddr F8:1A:67:D8:DF:70
          inet6 addr: fe80::fa1a:67ff:fed8:df70/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2659901 errors:0 dropped:15 overruns:0 frame:0
          TX packets:1454596 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:3452460036 (3.2 GiB)  TX bytes:279681325 (266.7 MiB)
          Interrupt:4

eth0.1    Link encap:Ethernet  HWaddr F8:1A:67:D8:DF:70
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:56951 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:5923646 (5.6 MiB)

eth0.2    Link encap:Ethernet  HWaddr F8:1A:67:D8:DF:70
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2659824 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1397637 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:3404565476 (3.1 GiB)  TX bytes:267938439 (255.5 MiB)

gre0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-44-00-00-00-00-00-00-00-00
          NOARP  MTU:1476  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

gretap0   Link encap:Ethernet  HWaddr 00:00:00:00:00:00
          BROADCAST MULTICAST  MTU:1462  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:6106 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6106 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:496325 (484.6 KiB)  TX bytes:496325 (484.6 KiB)

tun255    Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:172.21.25.50  P-t-P:172.21.25.50  Mask:255.255.254.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:368213 errors:0 dropped:0 overruns:0 frame:0
          TX packets:253719 errors:0 dropped:2535 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:417489101 (398.1 MiB)  TX bytes:28928731 (27.5 MiB)

wlan0     Link encap:Ethernet  HWaddr F8:1A:67:D8:DF:71
          inet6 addr: fe80::fa1a:67ff:fed8:df71/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1437196 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2502170 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:149681553 (142.7 MiB)  TX bytes:3214485248 (2.9 GiB)
ifconfig -a without OpenVPN

root@OpenWrt:~# ifconfig -a
br-lan    Link encap:Ethernet  HWaddr F8:1A:67:D8:DF:70
          inet addr:192.168.2.1  Bcast:192.168.2.255  Mask:255.255.255.0
          inet6 addr: fe80::fa1a:67ff:fed8:df70/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1422109 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2453384 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:128209596 (122.2 MiB)  TX bytes:3160509201 (2.9 GiB)

br-wan    Link encap:Ethernet  HWaddr F8:1A:67:D8:DF:70
          inet addr:192.168.1.2  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::fa1a:67ff:fed8:df70/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2480132 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1398159 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:3347498959 (3.1 GiB)  TX bytes:268088277 (255.6 MiB)

eth0      Link encap:Ethernet  HWaddr F8:1A:67:D8:DF:70
          inet6 addr: fe80::fa1a:67ff:fed8:df70/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2660998 errors:0 dropped:15 overruns:0 frame:0
          TX packets:1456139 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:3452808634 (3.2 GiB)  TX bytes:279933936 (266.9 MiB)
          Interrupt:4

eth0.1    Link encap:Ethernet  HWaddr F8:1A:67:D8:DF:70
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:57975 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:6020585 (5.7 MiB)

eth0.2    Link encap:Ethernet  HWaddr F8:1A:67:D8:DF:70
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2660921 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1398156 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:3404894328 (3.1 GiB)  TX bytes:268087939 (255.6 MiB)

gre0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-44-00-00-00-00-00-00-00-00
          NOARP  MTU:1476  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

gretap0   Link encap:Ethernet  HWaddr 00:00:00:00:00:00
          BROADCAST MULTICAST  MTU:1462  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:6184 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6184 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:501964 (490.1 KiB)  TX bytes:501964 (490.1 KiB)

wlan0     Link encap:Ethernet  HWaddr F8:1A:67:D8:DF:71
          inet6 addr: fe80::fa1a:67ff:fed8:df71/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1439197 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2504354 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:149908825 (142.9 MiB)  TX bytes:3214929241 (2.9 GiB)
network config file
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'

config globals 'globals'
option ula_prefix 'fd07:c655:478c::/48'

config interface 'lan'
option force_link '1'
option type 'bridge'
option proto 'static'
option netmask '255.255.255.0'
option ipaddr '192.168.2.1'
option _orig_ifname 'eth0.1 wlan0 radio1.network1'
option _orig_bridge 'true'
option ifname 'eth0.1'

config interface 'wan'
option ifname 'eth0.2'
option _orig_ifname 'eth0.2'
option _orig_bridge 'false'
option proto 'static'
option ipaddr '192.168.1.2'
option gateway '192.168.1.1'
option netmask '255.255.255.0'
option type 'bridge'

config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'

config switch_vlan
option device 'switch0'
option vlan '1'
option ports '0t 2 3 4 5'

config switch_vlan
option device 'switch0'
option vlan '2'
option ports '0t 1'

config route
option interface 'lan'
option target '91.198.22.70'
option gateway '192.168.1.1'

config route
option interface 'wan'
option target '91.198.22.70'
option gateway '192.168.1.1'

config interface 'VPN'
option proto 'static'
option ifname 'tun255'
firewall config file
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'

config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'

config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'

config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan'
option masq '1'

config zone
option name 'wan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'wan wan6'
option masq '1'

config include
option path '/etc/firewall.user'

config rule
option target 'ACCEPT'
option family 'ipv4'
option proto 'icmp'
option src '*'
option src_ip '192.168.2.0/24'
option dest 'wan'
option name 'Allow Outbound ICMP Echo Request (8)'
list icmp_type 'echo-request'

config zone
option name 'newzone'
option input 'ACCEPT'
option forward 'ACCEPT'
option output 'ACCEPT'
option masq '1'
option mtu_fix '1'
option network 'VPN what VPN2'

config forwarding
option dest 'newzone'
option src 'lan'

config forwarding
option dest 'lan'
option src 'newzone'

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: cant connect from extern while VPN runs, works if VPN stopped

Post by TinCanTech » Tue Jan 17, 2017 9:38 pm

You cannot connect to your openvpn server while it is also connected as a client to IPVanish because the routing is changed by IPVanish.

rakuri
OpenVpn Newbie
Posts: 3
Joined: Fri Feb 05, 2016 9:39 am

Re: cant connect from extern while VPN runs, works if VPN stopped

Post by rakuri » Thu Jan 19, 2017 2:43 pm

TinCanTech wrote:You cannot connect to your openvpn server while it is also connected as a client to IPVanish because the routing is changed by IPVanish.
Is there a chance to change the routing?

With nopull and an up-script?

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: cant connect from extern while VPN runs, works if VPN stopped

Post by TinCanTech » Thu Jan 19, 2017 3:30 pm

rakuri wrote:I have two routers.
One is my ISP-Router (for the Internet)
77.189.xx.xx
rakuri wrote:and one is a OpenWrt-Router (VPN Server).
81.171.x.x

Which does not make sense to me...
TinCanTech wrote:You cannot connect to your openvpn server while it is also connected as a client to IPVanish because the routing is changed by IPVanish.
rakuri wrote:Is there a chance to change the routing?
With OpenWRT-CC you should be able to use policy-based routing to overcome this hurdle.
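
The routing table rakuri posted shows why the reply never comes back: IPVanish pushes two /1 routes (0.0.0.0/1 and 128.0.0.0/1) via tun255, which are more specific than the real default via 192.168.1.1, so a connection that enters on br-wan (forwarded by the ISP router to 192.168.1.2) is answered into the tunnel instead of back to the ISP router. Policy-based routing fixes this by marking connections that enter on the WAN side and routing every packet of such a connection, replies included, through a separate table whose default route is the ISP router. The script below is an added example (not from the thread, and not the mwan3 configuration rakuri ended up using). It assumes the addresses from the posted configs (br-wan 192.168.1.2 with the ISP router at 192.168.1.1, br-lan 192.168.2.0/24); the routing table number 100, the mark 0x1, and a LAN web server at 192.168.2.10 on port 12345 are hypothetical. It also assumes the CONNMARK target is available, which on OpenWrt means the iptables-mod-conntrack-extra package.

```shell
#!/bin/sh
# Policy-based routing for an OpenWrt router that is an OpenVPN *client*
# (full-tunnel) but must still answer connections arriving on its WAN side.
# Added example; addresses below follow the thread, the table number, mark
# and LAN server address are hypothetical placeholders.

WAN_IF=br-wan          # interface facing the ISP router (from the thread)
LAN_IF=br-lan          # interface facing the LAN (from the thread)
WAN_GW=192.168.1.1     # ISP router (from the thread)
LAN_SRV=192.168.2.10   # hypothetical LAN web server
SRV_PORT=12345         # port named in the thread
TABLE=100              # hypothetical routing table number
MARK=0x1               # hypothetical fwmark bit
MASK=0x1

# run: execute a command, or print it when DRY_RUN is set (for review/testing)
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

setup_pbr() {
    # Table 100: the only default route is the ISP router, never the tunnel.
    run ip route replace default via "$WAN_GW" dev "$WAN_IF" table "$TABLE"
    # Keep the directly connected networks reachable from that table too.
    run ip route replace 192.168.1.0/24 dev "$WAN_IF" table "$TABLE"
    run ip route replace 192.168.2.0/24 dev "$LAN_IF" table "$TABLE"
    # Marked packets consult table 100 before the main table (prio 32766).
    # Note: 'ip rule add' is not idempotent; check 'ip rule show' before re-running.
    run ip rule add fwmark "$MARK/$MASK" lookup "$TABLE" priority 100
    # 1. Copy the stored connection mark onto every incoming packet first,
    #    so replies from the LAN server (entering on br-lan) get the mark
    #    before the routing decision.
    run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark --nfmask "$MASK" --ctmask "$MASK"
    # 2. New connections entering on the WAN side: mark the packet and store
    #    the mark in conntrack so all later packets of the flow inherit it.
    run iptables -t mangle -A PREROUTING -i "$WAN_IF" -m conntrack --ctstate NEW -j MARK --set-xmark "$MARK/$MASK"
    run iptables -t mangle -A PREROUTING -i "$WAN_IF" -m conntrack --ctstate NEW -j CONNMARK --save-mark --nfmask "$MASK" --ctmask "$MASK"
    # 3. Replies generated by the router itself (e.g. its own web UI or ssh)
    #    pass OUTPUT, not PREROUTING; restoring the mark here triggers a
    #    re-route so they also use table 100.
    run iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark --nfmask "$MASK" --ctmask "$MASK"
    # Publish the LAN web server on the WAN address. The reverse translation
    # of the reply happens in POSTROUTING, after routing, which is exactly why
    # a 'from 192.168.1.2' rule would not work and the connection mark is used.
    run iptables -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$SRV_PORT" -j DNAT --to-destination "$LAN_SRV:$SRV_PORT"
    run ip route flush cache
}

# Usage on the router: sh pbr.sh apply   (or DRY_RUN=1 sh pbr.sh apply to review)
if [ "${1:-}" = apply ]; then
    setup_pbr
fi
```

The rules are not persistent; on the setup in the thread, the natural place for them is /etc/firewall.user, which the posted firewall config already includes, so they are re-applied whenever the firewall restarts. The ISP router still has to forward the published port to 192.168.1.2, exactly as it did when things worked with the VPN stopped. This only makes the ISP IP reachable; reaching the router through the IPVanish address would additionally require the VPN provider to forward the port.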

rakuri
OpenVpn Newbie
Posts: 3
Joined: Fri Feb 05, 2016 9:39 am

Re: cant connect from extern while VPN runs, works if VPN stopped

Post by rakuri » Sat Jan 21, 2017 2:30 pm

Thanks for the tip, TinCanTech.

I configured policy-based routing with mwan3.
Now it all works the way I wanted.

This tutorial did the trick! https://www.leowkahman.com/2016/06/19/c ... stname-ip/
