No Traffic After Successful TUN Connection

Need help configuring your VPN? Just post here and you'll get that help.

Moderators: TinCanTech

DD-WRTUser
OpenVpn Newbie
Posts: 1
Joined: Wed Feb 09, 2022 10:18 pm

No Traffic After Successful TUN Connection

Post by DD-WRTUser » Mon Jul 25, 2022 8:06 pm

Hi all,

This is my first post / request for help, so I apologize in advance if I make any mis-steps.

Situation
I have installed the OpenVPN server (see logs for version) on a DD-WRT box, LAN 10.168.24.0/24. I have an OpenVPN server using a TAP interface working well on port 1194. I now need to get a 2nd server using the TUN interface working on port 1193 to enable Android clients to connect (since they can only use TUN).

The Android clients should be able to see and interact with all the resources on the local LAN 10.168.24.0/24 and all traffic from the phones for the internet should also traverse the tunnel and be routed onto the internet via the local LAN.

I've configured the server and the client (see below for config) and the server comes up without errors (see "startup script" and log). The client connects to the server without errors (see log) - so I know I've got all the ports open correctly.

There are no errors in either the server or client logs after reporting a successful connection.

But after connecting I can't ping the Android phone from DD-WRT and vice versa. I've also tried running traceroute on both the server and the client, but I get no trace back; it just times out.

The Android "OpenVPN Client" does show some traffic leaving the phone (a few kbytes every minute). But there is no traffic coming back to the phone, other than a few blips every ~10 seconds when a few tens of bytes are received.

Possible Problems
I'm learning as I go here... so I suspect the problem is likely that the iptables commands in the "server startup script" are not correct, although I took them directly from a couple of posts on the DD-WRT forum. But it could also be that I'm not pushing some routing information correctly from the server to the client. Or something else entirely!

Any help would be much appreciated; I've been bashing my head on this one for some time.

Server Config

script-security 3 # Warning before added this
mode server # Set OpenVPN major mode
proto udp # Setup the protocol (server), udp is better but
# didn't work from york
port 1193 # TCP/UDP port number; 1194 and 443 are for TAP
# mapped 1193 on rg-24devon to 1193 on rgss-24devon
# using NAT/QoS Port Forwarding UI page
dev tun0 # TUN/TAP virtual network device
keepalive 15 60 # Simplify the expression of --ping
daemon # Become a daemon after all initialization
verb 3 # Set output verbosity to n
comp-lzo # Use fast LZO compression
tun-mtu 1500 # Had problems before put this in

# Need to add config for tun
topology subnet
server 10.168.24.0 255.255.255.0 nopool
ifconfig-pool 10.168.24.90 10.168.24.99
push "remote-gateway 10.168.24.1"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 10.168.24.1" #Use local DNS Server

# OpenVPN server mode options
client-to-client # tells OpenVPN to internally route client-to-client traffic
duplicate-cn # Allow multiple clients with the same common name

# TLS Mode Options
tls-server # Enable TLS and assume server role during TLS handshake
askpass /jffs/etc/openvpn/PKP.txt # File containing Private Key Password
# chmod 600 so only root can read & write
ca /jffs/etc/openvpn/ca.crt # Certificate authority (CA) file
dh /jffs/etc/openvpn/dh1024.pem # File containing Diffie Hellman parameters
cert /jffs/etc/openvpn/OpenVPN-Server.crt # Local peer's signed certificate
key /jffs/etc/openvpn/OpenVPN-Server.key # Local peer's private key


Server Startup Script

#!/bin/bash

## Ensure openvpn isn't already running
killall -q openvpn

# Create virtual tcp/ip port - need to repeat this after reboot
# but sometimes get message saying it was persistent
/usr/sbin/openvpn --mktun --dev tun0

# Configures the TUN interface to request an IP address using DHCP
/sbin/ifconfig set tun0 DHCP

# Put TUN0 in promiscuous mode so it receives all LAN traffic
/sbin/ifconfig tun0 0.0.0.0 promisc up

# Start openvpn server
/usr/sbin/openvpn --config /jffs/etc/openvpn/openvpn-tun.conf --daemon --log /jffs/etc/openvpn/openvpn-tun.log

# Allow connections to the OpenVPN server through the firewall - UDP Only
#Since tun interface can't be added to bridge
/usr/sbin/iptables -t nat -A POSTROUTING -s 10.168.24.0/24 -j MASQUERADE
/usr/sbin/iptables -t nat -I POSTROUTING -o tun0 -j ACCEPT
/usr/sbin/iptables -I FORWARD -p udp -s 10.168.24.0/24 -j ACCEPT
/usr/sbin/iptables -I FORWARD 1 --source 10.168.24.0/24 -j ACCEPT
/usr/sbin/iptables -I INPUT 1 -p udp --dport 1193 -j ACCEPT
/usr/sbin/iptables -I INPUT -p udp --dport 1193 -j ACCEPT
/usr/sbin/iptables -I OUTPUT -p udp --sport 1193 -j ACCEPT

# Connect tun0 to LAN ethernet port eth0 - not sure why this is required since br0 also connected to eth0!
/usr/sbin/iptables -I INPUT -p udp -i eth0 -j ACCEPT
/usr/sbin/iptables -I FORWARD -i eth0 -o tun0 -j ACCEPT
/usr/sbin/iptables -I FORWARD -i tun0 -o eth0 -j ACCEPT

# Connect tun0 to Bridge0 - which links eth0 eth2 and tap0
/usr/sbin/iptables -I INPUT -p udp -i br0 -j ACCEPT
/usr/sbin/iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
/usr/sbin/iptables -I FORWARD -i tun0 -o br0 -j ACCEPT


Server Log

Mon Jul 25 15:05:57 2022 OpenVPN 2.1_rc15 mipsel-unknown-linux-gnu [SSL] [LZO1] [EPOLL] built on Jan 1 2009
Mon Jul 25 15:05:57 2022 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mon Jul 25 15:05:58 2022 Diffie-Hellman initialized with 1024 bit key
Mon Jul 25 15:05:58 2022 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Mon Jul 25 15:05:58 2022 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Mon Jul 25 15:05:58 2022 TUN/TAP device tun0 opened
Mon Jul 25 15:05:58 2022 TUN/TAP TX queue length set to 100
Mon Jul 25 15:05:58 2022 /sbin/ifconfig tun0 10.168.24.1 netmask 255.255.255.0 mtu 1500 broadcast 10.168.24.255
Mon Jul 25 15:05:58 2022 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Mon Jul 25 15:05:58 2022 Socket Buffers: R=[109568->131072] S=[109568->131072]
Mon Jul 25 15:05:58 2022 UDPv4 link local (bound): [undef]:1193
Mon Jul 25 15:05:58 2022 UDPv4 link remote: [undef]
Mon Jul 25 15:05:58 2022 MULTI: multi_init called, r=256 v=256
Mon Jul 25 15:05:58 2022 IFCONFIG POOL: base=10.168.24.90 size=10
Mon Jul 25 15:05:58 2022 Initialization Sequence Completed
Mon Jul 25 15:15:53 2022 MULTI: multi_create_instance called
Mon Jul 25 15:15:53 2022 69.158.246.28:34401 Re-using SSL/TLS context
Mon Jul 25 15:15:53 2022 69.158.246.28:34401 LZO compression initialized
Mon Jul 25 15:15:53 2022 69.158.246.28:34401 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Mon Jul 25 15:15:53 2022 69.158.246.28:34401 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Mon Jul 25 15:15:53 2022 69.158.246.28:34401 TLS: Initial packet from 69.158.246.28:34401, sid=de6e0da7 900eabb9
Mon Jul 25 15:15:54 2022 69.158.246.28:34401 VERIFY OK: depth=1, /C=<country>/ST=<state>/L=<city>/O=<org>/OU=<OU>/CN=<Device Name>/emailAddress=<email address>
Mon Jul 25 15:15:54 2022 69.158.246.28:34401 VERIFY OK: depth=0, /C=<country>/ST=<state>/L=<city>/O=<org>/OU=<OU>/CN=<Device Name>/emailAddress=<email address>
Mon Jul 25 15:15:54 2022 69.158.246.28:34401 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Jul 25 15:15:54 2022 69.158.246.28:34401 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Jul 25 15:15:54 2022 69.158.246.28:34401 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Jul 25 15:15:54 2022 69.158.246.28:34401 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Jul 25 15:15:54 2022 69.158.246.28:34401 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Mon Jul 25 15:15:54 2022 69.158.246.28:34401 [<Device Name>] Peer Connection Initiated with 69.158.246.28:34401
Mon Jul 25 15:15:54 2022 <Device Name>/69.158.246.28:34401 MULTI: Learn: 10.168.24.90 -> <Device Name>/69.158.246.28:34401
Mon Jul 25 15:15:54 2022 <Device Name>/69.158.246.28:34401 MULTI: primary virtual IP for <Device Name>/69.158.246.28:34401: 10.168.24.90
Mon Jul 25 15:15:55 2022 <Device Name>/69.158.246.28:34401 PUSH: Received control message: 'PUSH_REQUEST'
Mon Jul 25 15:15:55 2022 <Device Name>/69.158.246.28:34401 SENT CONTROL [<Device Name>]: 'PUSH_REPLY,remote-gateway 10.168.24.1,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 10.168.24.1,dhcp-option DNS 172.16.0.1,route-gateway 10.168.24.1,topology subnet,ping 15,ping-restart 60,ifconfig 10.168.24.90 255.255.255.0' (status=1)

<Disconnect from here on>
Mon Jul 25 15:17:25 2022 read UDPv4 [ECONNREFUSED]: Connection refused (code=146)
Mon Jul 25 15:19:11 2022 <Device Name>/69.158.246.28:34401 [<Device Name>] Inactivity timeout (--ping-restart), restarting
Mon Jul 25 15:19:11 2022 <Device Name>/69.158.246.28:34401 SIGUSR1[soft,ping-restart] received, client-instance restarting


Client Config

client
dev tun0
proto udp
remote <site name> 1193 UDP
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert Crt.crt
key Key.key
comp-lzo
verb 4
tun-mtu 1500
script-security 3
float


Client Log

2022-07-25 15:15:48 OpenVpnClient-google-api27-release-3.00.18 (23030018)
2022-07-25 15:15:48 Connecting request by user
2022-07-25 15:15:48 OpenVPN 2.4.9 android-arm64-v8a [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on May 5 2020
2022-07-25 15:15:48 library versions: OpenSSL 1.1.1g 21 Apr 2020, LZO 2.10
2022-07-25 15:15:48 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
2022-07-25 15:15:53 LZO compression initializing
2022-07-25 15:15:53 Control Channel MTU parms [ L:1622 D:1212 EF:38 EB:0 ET:0 EL:3 ]
2022-07-25 15:15:53 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
2022-07-25 15:15:53 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
2022-07-25 15:15:53 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
2022-07-25 15:15:53 TCP/UDP: Preserving recently used remote address: [AF_INET]70.53.45.238:1193
2022-07-25 15:15:53 Socket Buffers: R=[229376->229376] S=[229376->229376]
2022-07-25 15:15:53 UDPv4 link local: (not bound)
2022-07-25 15:15:53 UDPv4 link remote: [AF_INET]70.53.45.238:1193
2022-07-25 15:15:53 TLS: Initial packet from [AF_INET]70.53.45.238:1193, sid=c6db4377 298dbba5
2022-07-25 15:15:54 VERIFY OK: depth=1, C=<Contry>, ST=<State>, L=<City>, O=<Org>, OU=<OU>, CN=Easy-RSA CA, emailAddress=<email>
2022-07-25 15:15:54 VERIFY OK: depth=0, C=<Contry>, ST=<State>, L=<City>, O=<Org>, OU=<OU>, CN=OpenVPN-Server, emailAddress=<email>
2022-07-25 15:15:54 NOTE: Options consistency check may be skewed by version differences
2022-07-25 15:15:54 WARNING: 'version' is used inconsistently, local='version V4', remote='version V0 UNDEF'
2022-07-25 15:15:54 WARNING: 'dev-type' is present in local config but missing in remote config, local='dev-type tun'
2022-07-25 15:15:54 WARNING: 'link-mtu' is present in local config but missing in remote config, local='link-mtu 1542'
2022-07-25 15:15:54 WARNING: 'tun-mtu' is present in local config but missing in remote config, local='tun-mtu 1500'
2022-07-25 15:15:54 WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
2022-07-25 15:15:54 WARNING: 'cipher' is present in local config but missing in remote config, local='cipher BF-CBC'
2022-07-25 15:15:54 WARNING: 'auth' is present in local config but missing in remote config, local='auth SHA1'
2022-07-25 15:15:54 WARNING: 'keysize' is present in local config but missing in remote config, local='keysize 128'
2022-07-25 15:15:54 WARNING: 'tls-server' is present in local config but missing in remote config, local='tls-server'
2022-07-25 15:15:54 Control Channel: TLSv1, cipher SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
2022-07-25 15:15:54 [OpenVPN-Server] Peer Connection Initiated with [AF_INET]70.53.45.238:1193
2022-07-25 15:15:55 SENT CONTROL [OpenVPN-Server]: 'PUSH_REQUEST' (status=1)
2022-07-25 15:15:55 PUSH: Received control message: 'PUSH_REPLY,remote-gateway 10.168.24.1,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 10.168.24.1,dhcp-option DNS 172.16.0.1,route-gateway 10.168.24.1,topology subnet,ping 15,ping-restart 60,ifconfig 10.168.24.90 255.255.255.0'
2022-07-25 15:15:55 Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:1: remote-gateway (2.4.9)
2022-07-25 15:15:55 OPTIONS IMPORT: timers and/or timeouts modified
2022-07-25 15:15:55 OPTIONS IMPORT: --ifconfig/up options modified
2022-07-25 15:15:55 OPTIONS IMPORT: route options modified
2022-07-25 15:15:55 OPTIONS IMPORT: route-related options modified
2022-07-25 15:15:55 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2022-07-25 15:15:55 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:406 ET:0 EL:3 ]
2022-07-25 15:15:55 Outgoing Data Channel: Cipher 'BF-CBC' initialized with 128 bit key
2022-07-25 15:15:55 WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
2022-07-25 15:15:55 Outgoing Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
2022-07-25 15:15:55 Incoming Data Channel: Cipher 'BF-CBC' initialized with 128 bit key
2022-07-25 15:15:55 WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
2022-07-25 15:15:55 Incoming Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
2022-07-25 15:15:55 WARNING: cipher with small block size in use, reducing reneg-bytes to 64MB to mitigate SWEET32 attacks.
2022-07-25 15:15:55 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
2022-07-25 15:15:56 TUN/TAP device opened
2022-07-25 15:15:56 Initialization Sequence Completed


2022-07-25 15:17:11 Disconnecting request by user
2022-07-25 15:17:11 Disconnecting...
2022-07-25 15:17:11 TCP/UDP: Closing socket
2022-07-25 15:17:11 Closing TUN/TAP interface
2022-07-25 15:17:11 SIGINT[soft,] received, process exiting
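
Added example, not part of the original post: a small shell lint (the function names and the wording of its findings are this example's own) that reproduces on the posted server config the problems the two logs already expose. The server log configures tun0 as 10.168.24.1 netmask 255.255.255.0, which is the same prefix the LAN already carries on br0, so the kernel holds two routes for one subnet and has no reason to send LAN replies into the tunnel; the Android log rejects the pushed `remote-gateway` line as an unrecognized option; and the 2.4.9 client warns about the BF-CBC default (SWEET32) while the server loads 1024-bit DH parameters. The LAN subnet passed as arguments and the sample config in the stand-alone run are taken from the post.

```shell
#!/bin/sh
# Added example (not from the post): lint an OpenVPN server config for the
# problems the posted server and client logs expose. Function names and the
# finding text are this example's own conventions.

# ip2int: dotted quad -> 32-bit integer, so networks and masks can be compared.
ip2int() {
    IFS=. read -r o1 o2 o3 o4 <<EOF
$1
EOF
    echo $(( (o1 << 24) | (o2 << 16) | (o3 << 8) | o4 ))
}

# nets_overlap NET1 MASK1 NET2 MASK2: succeeds when the two ranges share any
# address, i.e. one contains the other under the shorter of the two masks.
nets_overlap() {
    m=$(( $(ip2int "$2") & $(ip2int "$4") ))
    [ $(( $(ip2int "$1") & m )) -eq $(( $(ip2int "$3") & m )) ]
}

# lint_openvpn_server CONF LAN_NET LAN_MASK: prints one finding per line.
lint_openvpn_server() {
    conf=$1; lan_net=$2; lan_mask=$3

    # 1. The 'server' directive must hand out a subnet the LAN does not use;
    #    the posted log shows tun0 getting 10.168.24.1/24, the LAN's own prefix.
    srv=$(awk '$1 == "server" { print $2, $3; exit }' "$conf")
    if [ -n "$srv" ]; then
        set -- $srv
        if nets_overlap "$1" "$2" "$lan_net" "$lan_mask"; then
            echo "overlap: 'server $1 $2' collides with LAN $lan_net $lan_mask; give the tun server its own subnet and push a route to the LAN instead"
        fi
    fi

    # 2. Pushed options are parsed by the client: 'remote-gateway' is not an
    #    OpenVPN option (the Android log rejects it); route-gateway is pushed
    #    automatically, as the PUSH_REPLY in the log shows.
    awk -F'"' '$1 ~ /^push[[:space:]]/ { print $2 }' "$conf" | while read -r opt; do
        case "$opt" in
            remote-gateway*) echo "push: '$opt' is not an OpenVPN option; drop it" ;;
        esac
    done

    # 3. Data-channel crypto the 2.4.9 client warned about.
    grep -q '^cipher' "$conf" ||
        echo "crypto: no 'cipher' set, so the 64-bit-block BF-CBC default is used (SWEET32); set cipher AES-256-CBC (AES-256-GCM needs OpenVPN 2.4 on both ends)"
    grep -q '^dh .*1024' "$conf" &&
        echo "crypto: 1024-bit Diffie-Hellman parameters; regenerate with at least 2048 bits"
    return 0
}

# Stand-alone run: lint the config given as $1 against the posted LAN
# (10.168.24.0/24) unless another LAN is given as $2 $3.
if [ "${1:-}" ]; then
    lint_openvpn_server "$1" "${2:-10.168.24.0}" "${3:-255.255.255.0}"
fi
```

Run it as `sh lint.sh /jffs/etc/openvpn/openvpn-tun.conf 10.168.24.0 255.255.255.0`. Fixing the first finding means choosing a subnet the LAN does not use for the tun server (10.8.0.0/24 is a conventional choice, an assumption here) and adding `push "route 10.168.24.0 255.255.255.0"` so clients reach the LAN; the startup script's `-s 10.168.24.0/24 -j MASQUERADE` rule should then match the VPN subnet as its source rather than the LAN, since as written it NATs every LAN host on every outgoing interface. On the client, the `No server certificate verification method has been enabled` warning in its log goes away with `remote-cert-tls server`, which requires the server certificate to carry the TLS Web Server Authentication extended key usage.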
