OK, so here’s what’s happening:
Step 1: plug in AR750, connect to enterprise network
Step 2: the UI is a little finicky at this point, so enable/disable network in LUCI until network connectivity established and solid
Step 3: attempt to connect to OpenVPN server directly. This connection fails, as expected, due to enterprise network policy
Step 4: attempt to connect to OpenVPN via stunnel. Connection is successful. Log shows stunnel successful connection to remote server and OpenVPN shows key exchange, server settings (i.e. route push), and remote VPN IP address. However, no traffic is passed through and Internet on local side does not work. The OpenVPN connection eventually dies due to activity timeout.
Step 5: disconnect from enterprise wifi and connect to mobile phone hotspot via LUCI
Step 6: verify Internet connectivity again after a quick enable/disable process in LUCI
Step 7: attempt to connect to OpenVPN via stunnel. Connection is successful but still no traffic is passed.
Step 8: attempt to connect to OpenVPN server directly via UDP. Connection is successful and traffic passes. Internet connectivity works successfully.
Step 9: disconnect from OpenVPN server directly and reconnect using stunnel. Connection is successful again AND traffic passes. Internet connectivity continues to work. I can verify via the logs that stunnel makes the connection to the remote server on TCP 443 and OpenVPN is connected to 127.0.0.1.
Step 10: disconnect from mobile phone hotspot and reconnect to enterprise wifi via LUCI
At this point the OpenVPN/stunnel connection times out and I get errors in the log such as Permission denied on /dev/net/tun until I can get the wifi connection up and running. It never really seems to connect the first time; I have to disable/enable the connection before the WAN is reestablished.
Step 11: OpenVPN connection errored out and stopped trying. I disabled and enabled the connection again. And once again it connects, but no traffic is passed.
Step 12: At this point I disable OpenVPN so traffic (filtered on the enterprise network) is working again. I then connect from the OpenVPN client on my PC (via stunnel also installed on the PC) and connect successfully to the remote server.
That is how I am connected at the moment. OpenVPN (PC) → stunnel (PC) → AR750 → enterprise wifi → stunnel (remote) → OpenVPN (remote)
My previous theory about an issue with the error of adding a route for 127.0.0.1 doesn’t seem to have panned out because sometimes it’s an error and sometimes not and the resulting Internet connectivity doesn’t correspond.
So, while I never rule anything out completely, I am not looking at my stunnel or OpenVPN server too closely since I am connected to them right now using my PC. The client configurations for both stunnel and OpenVPN on both the PC and AR750 are nearly identical, with the exception of changing the IP address/port combination given the appropriate circumstance.
I am very curious about why the OpenVPN via stunnel connection on the AR750 works only after I connect one time to OpenVPN directly. If I unplug/reboot the AR750 and try to connect directly to OpenVPN via stunnel it will connect but traffic will not pass. This is occurring on two other WPA2-PSK wifi networks with no/limited firewall, one in particular being my mobile phone hotspot. Once I connect directly, then the stunnel works fine, doing nothing more than connecting first to OVPN direct.
The one thing I unfortunately can't try, while connected to the enterprise network and without reconnecting network connections, is to connect to OpenVPN directly first, since it's blocked. I tried that process but since it never connects it's not the same as on my mobile phone.
I am curious about this event…
Tue Feb 26 16:55:51 2019 user.notice firewall: Reloading firewall due to ifup of wwan (wlan-sta)
That is one of the reasons I was wondering if it was the firewall causing an issue. Every time I get that event and then try to connect via stunnel, it doesn't work. Connecting successfully directly to the OVPN server and then connecting via stunnel works, as long as this event didn't fire off for whatever reason. One of those reasons is disconnecting from my hotspot and reconnecting to enterprise wifi. I don't know, it's strange but it seems like a dead end.
Not sure what else to look into…
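An added diagnostic (editor's example, not from the post, GL.iNet or OpenWrt) for one hypothesis consistent with the 127.0.0.1 route error mentioned above: with a pushed `redirect-gateway def1`, OpenVPN adds a bypass host route only for its configured remote, which is 127.0.0.1 when stunnel sits in between, so the stunnel server's own TCP 443 connection can end up routed into the tunnel it carries. The route tables and the server address 203.0.113.10 are constructed samples.

```shell
#!/bin/sh
# Editor's added diagnostic, not from the post. Checks `ip route` output for the
# case where OpenVPN's redirect-gateway (def1) routes send everything into tun*
# while the stunnel server has no host route via the physical WAN gateway, so the
# TCP 443 carrier connection would be routed into the tunnel it is carrying.
# All inputs below are constructed samples (RFC 5737 addresses).

# $1 = routing table text, $2 = stunnel server IP
# Exit status: 0 carrier bypasses the tunnel, 1 likely loop, 2 no def1 redirect
check_carrier_route() {
    routes=$1
    esc=$(printf '%s' "$2" | sed 's/\./\\./g')
    # def1 style redirect: 0.0.0.0/1 and 128.0.0.0/1 pointing at a tun device
    if ! printf '%s\n' "$routes" | grep -Eq '^(0\.0\.0\.0|128\.0\.0\.0)/1 .*dev tun'; then
        return 2
    fi
    # a host route for the server that does not go through tun* is what we need
    if printf '%s\n' "$routes" | grep -E "^$esc(/32)? via " | grep -vq 'dev tun'; then
        return 0
    fi
    return 1
}

explain_carrier_route() {
    rc=0
    check_carrier_route "$1" "$2" || rc=$?
    case $rc in
        0) echo "ok: $2 is routed around the tunnel" ;;
        1) echo "loop: $2 would be routed into the tunnel; add a host route for it via the WAN gateway" ;;
        *) echo "no def1 redirect routes present, nothing to check" ;;
    esac
}

STUNNEL_SERVER=203.0.113.10
# Constructed: table as it might look after OpenVPN-over-stunnel comes up
BROKEN_ROUTES='default via 192.0.2.1 dev wlan-sta
0.0.0.0/1 via 10.8.0.5 dev tun0
10.8.0.0/24 via 10.8.0.5 dev tun0
10.8.0.5 dev tun0 proto kernel scope link src 10.8.0.6
128.0.0.0/1 via 10.8.0.5 dev tun0
192.0.2.0/24 dev wlan-sta proto kernel scope link src 192.0.2.42'
# Constructed: same table with the bypass host route for the stunnel server
FIXED_ROUTES="$BROKEN_ROUTES
$STUNNEL_SERVER via 192.0.2.1 dev wlan-sta"

explain_carrier_route "$BROKEN_ROUTES" "$STUNNEL_SERVER"
explain_carrier_route "$FIXED_ROUTES" "$STUNNEL_SERVER"
```

On the router itself, feed the live `ip route` output and the real stunnel server address to `explain_carrier_route` right after the stunnel-carried OpenVPN session reports "Initialization Sequence Completed".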