Hi
I’ve a GL-AR750S-EX with 3.025 version and OpenVPN activated.
I’ve patched it to avoid the “default redirection all through the vpn” … and all worked fine.
I also have direct visibility between single OpenVPN client nodes.
Now, after upgrade to 3.212 version:
- Patch doesn’t work (but… I’m trying to use “VPN policies” …)
- Ping between client nodes doesn’t work
- Ping from server to clients works but I can’t access (e.g.) client http, ssh services …
Any suggestions?
Thanks.
alzhao
2
In the vpn connection page, there is an option “allow local access” you need to tick it.
Hi, and thank you for the reply
I’ve already tried it … but it doesn’t seem to work
I will repeat the test now with a clean conf
alzhao
4
Please test. If it does not work, I can test more. But it is better to have a more detailed setup so that I can set it up exactly like you.
Hi
I’ve done a total conf reset and firmware upgrade.
Now:
- I’ve about 20 GL-AR750S-EXT in production with 3.025 firmware. The only (initial) problem I have is that, to exclude “normal” traffic from VPN, a patch is required. But all works FINE: I regularly access all client nodes and SSH server services (VPN routed subnets).
(scenario “1” of attached file)
- On one of these routers I’ve updated firmware to 3.212 and OpenVPN doesn’t work because of a version incompatibility with the server
(scenario “2” of attached file)
- Adding “data-ciphers BF-CBC” parameter to ovpn conf, OpenVPN connects to server … but (by default) all traffic is through VPN
(scenario “3” of attached file)
- Initially all works fine … but after some seconds I cannot access nodes and server services.
- Only restarting the router or restarting the firewall (from the OpenWrt LuCI interface) makes everything work again for some time …
- Use of patch is another topic … I hope to avoid it using VPN Policies …
In summary:
On this firmware version it seems OpenVPN is unstable …
Detailed Server and client conf: GL.inet configurations.txt.zip (1.6 KB)
Thanks
hilll
6
Hi, can you remove the “comp-lzo” config? Remove this config on both server and client, and test whether it works fine.
When the ovpn version is more than 2.4, the comp-lzo config is removed. In the 3.212 version, the ovpn version is 2.5.2, and the LZO config is updated to: compress lz4-v2.
This is an ovpn version difference problem.
Hi
I’ve tried removing the “comp-lzo” option on both server and client, and VPN works fine.
The need to use the default redirection all through the vpn … patch remains … because, using VPN policy, input from other VPN nodes is inhibited
Thank you.
alzhao
8
@hilll will help to investigate the routing problem.
hilll
9
To set ovpn routing lan to lan, you have to configure as follows:
- in the ovpn server config, set the client conf directory, as:
client-config-dir /etc/openvpn/ccd
in the /etc/openvpn/ccd directory, create a conf for each client, as:
/etc/openvpn/ccd/client1
/etc/openvpn/ccd/client2
- in the /etc/openvpn/ccd/xxx client config, set as:
iroute 192.168.99.0 255.255.255.0
the iroute to set is the client subnet, so the ovpn server can route to the ovpn client.
reference help:
https://backreference.org/2009/11/15/openvpn-and-iroute/
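
A check for the ccd/iroute setup in the last post, added here as an example (it is not from the thread or from GL.iNet). It relies on a fact from the OpenVPN manual: an `iroute` in a ccd file only takes effect if the server config also has a matching `route` line and loads that ccd directory. The helper name `check_iroutes` and the 192.168.98.0 subnet are assumptions made for the demo.

```shell
#!/bin/sh
# Per the OpenVPN manual, iroute only tells OpenVPN which client owns a
# subnet; the server config also needs a matching "route" line so the
# kernel on the server sends that subnet into the tunnel.

# check_iroutes SERVER_CONF CCD_DIR (hypothetical helper name)
# Prints one line per problem; returns 1 if any problem was found.
check_iroutes() {
    conf=$1; ccd=${2%/}
    set -- "$ccd"/*
    [ -f "$1" ] || { echo "no client files in $ccd"; return 1; }
    awk -v ccd="$ccd" '
        function mask(m) { return m == "" ? "255.255.255.255" : m }
        { sub(/[#;].*$/, "") }                 # drop comments
        FILENAME == ARGV[1] {                  # server config
            if ($1 == "client-config-dir" && ($2 == ccd || $2 == ccd "/"))
                loaded = 1
            if ($1 == "route") routed[$2 " " mask($3)] = 1
            next
        }
        $1 == "iroute" {                       # per-client ccd file
            key = $2 " " mask($3)
            if (!(key in routed)) {
                print FILENAME ": iroute " key " has no matching route in server config"
                bad = 1
            }
        }
        END {
            if (!loaded) {
                print "server config does not load client-config-dir " ccd
                bad = 1
            }
            exit bad + 0
        }
    ' "$conf" "$@"
}

# Constructed sample: client1 is covered, client2 (constructed subnet) is not.
demo() {
    d=$(mktemp -d); mkdir "$d/ccd"
    printf '%s\n' "client-config-dir $d/ccd" \
        "route 192.168.99.0 255.255.255.0" > "$d/server.conf"
    echo "iroute 192.168.99.0 255.255.255.0" > "$d/ccd/client1"
    echo "iroute 192.168.98.0 255.255.255.0" > "$d/ccd/client2"
    rc=0; check_iroutes "$d/server.conf" "$d/ccd" || rc=$?
    rm -rf "$d"
    return $rc
}
demo || echo "demo: problems reported above"
```

On a real server, call it with the server config path and `/etc/openvpn/ccd`; ccd file names must match each client certificate's Common Name for OpenVPN to apply them.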