Trouble connecting to OpenVPN TAP Server


#21

Hi, I’m having a similar situation, just with a GL-AR750S acting as OpenVPN client and connecting to an OpenVPN server in TAP mode. Right now I managed to establish the connection, but I still have some trouble using the VPN from a device connected to the GL-AR750S and I thought that you might be able to help.
The setup:

  • 2GHz wifi of GL-AR750S connected to some internet cafe (it gets e.g. the IP 10.130.222.1)
  • 5GHz wifi of GL-AR750S connected to my Android phone (my phone gets the IP 192.168.8.130; this IP is needed to operate and use the GUI of the GL-AR750S)
  • OpenVPN to a server is started, it connects, and the IP is 10.100.140.1.

Now from my phone I can access the local computers of the OpenVPN connection 10.100.140.xxx, but not the Internet through this tunnel.
Do I need to deactivate DHCP? But if I do, how do I connect to the GL-AR750S the next time when the VPN connection is lost or not active?
Thank you.


#22

You can ssh to the router and execute these commands.

ifconfig
ip route show
mwan3 status
cat /etc/config/network

#23

Hi thanks,
I ran those commands and it is lots of data; how shall I send it to you?

I had a typo in my previous post, as I did not have the numbers in front of me; the correct OpenVPN IP is 10.111.240.1.

So I can access the remote PCs at 10.111.240.xxx when connecting my phone to the GL-iNet router, which has a VPN connection to the remote OpenVPN server.

Looks like all other traffic, DNS, etc., is staying in the GL-iNet router at 10.130.222.109 or 192.168.8.0.

This is how I see the attributed IPs on the devices:

wifi-hotspot:
IP 10.130.222.109
Mask 255.255.254.0
Gateway 10.130.222.1
DNS 10.32.20.98

OpenVPN client:
IP 10.111.240.200

Android Phone:
IP 192.168.8.131
Mask 255.255.255.0
Gateway 192.168.8.1
DNS 192.168.8.

I think the main part of the issue could be on the routes:

root@GL-AR750S:~# ip route show

0.0.0.0/1 dev tap0 scope link
default via 10.130.222.1 dev wlan-sta proto static src 10.130.222.109 metric 20
10.111.240.0/20 dev tap0 proto kernel scope link src 10.111.240.200
10.130.222.0/23 dev wlan-sta proto static scope link metric 20
128.0.0.0/1 dev tap0 scope link
188.193.117.137 via 10.130.222.1 dev wlan-sta
192.168.8.0/24 dev br-lan proto kernel scope link src 192.168.8.1

root@GL-AR750S:~# ifconfig

br-lan Link encap:Ethernet HWaddr E4:95:6E:45:9C:4F
inet addr:192.168.8.1 Bcast:192.168.8.255 Mask:255.255.255.0
inet6 addr: fd2f:82f5:9885:10::1/60 Scope:Global
inet6 addr: fe80::e695:6eff:fe45:9c4f/64 Scope:Link

eth0 Link encap:Ethernet HWaddr E4:95:6E:45:9C:4E
inet6 addr: fe80::e695:6eff:fe45:9c4e/64 Scope:Link

eth0.1 Link encap:Ethernet HWaddr E4:95:6E:45:9C:4E

eth0.2 Link encap:Ethernet HWaddr E4:95:6E:45:9C:4E
inet6 addr: fe80::e695:6eff:fe45:9c4e/64 Scope:Link

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host

tap0 Link encap:Ethernet HWaddr B2:34:FA:01:F1:E5
inet addr:10.111.240.200 Bcast:10.111.255.255 Mask:255.255.240.0
inet6 addr: fe80::b034:faff:fe01:f1e5/64 Scope:Link

wlan-sta Link encap:Ethernet HWaddr E4:95:6E:45:9C:4E
inet addr:10.130.222.109 Bcast:10.130.223.255 Mask:255.255.254.0
inet6 addr: fe80::e695:6eff:fe45:9c4e/64 Scope:Link

wlan0 Link encap:Ethernet HWaddr E4:95:6E:45:9C:4F
inet6 addr: fe80::e695:6eff:fe45:9c4f/64 Scope:Link

wlan1 Link encap:Ethernet HWaddr E6:95:6E:45:9C:4E
inet6 addr: fe80::e495:6eff:fe45:9c4e/64 Scope:Link

(I removed the extra lines about the packets, beginning with UP “BROADCAST RUNNING MULTICAST”.)


#24

You can send it as attachment.

I checked the output; it seems all is fine. But you didn’t show the mwan3 output here.


#25

Hi,
I finally managed to get other traffic (e.g. internet) across the VPN, besides the access to remote computers on the local network :slight_smile:

Solution
Using the following option in the client.ovpn configuration file, as I did not have an equivalent “push” command on the server side, made the required changes to the route table:

redirect-gateway def1 bypass-dhcp bypass-dns

The effect on the table is marked in bold below:

–WORKING–
root@GL-AR750S:~# route -n

Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.111.248.1 128.0.0.0 UG 0 0 0 tap0
0.0.0.0 10.130.222.1 0.0.0.0 UG 20 0 0 wlan-sta
10.111.240.0 0.0.0.0 255.255.240.0 U 0 0 0 tap0
10.130.222.0 0.0.0.0 255.255.254.0 U 20 0 0 wlan-sta
128.0.0.0 10.111.248.1 128.0.0.0 UG 0 0 0 tap0
188.193.117.137 10.130.222.1 255.255.255.255 UGH 0 0 0 wlan-sta
192.168.8.0 0.0.0.0 255.255.255.0 U 0 0 0 br-lan

Remark: 10.111.248.1 is the gateway and the DNS server on the remote local network that is accessible through the VPN connection.

Table before the command, –NOT WORKING–:

root@GL-AR750S:~# netstat -rn

Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 0.0.0.0 128.0.0.0 U 0 0 0 tap0
0.0.0.0 10.130.222.1 0.0.0.0 UG 0 0 0 wlan-sta
10.111.240.0 0.0.0.0 255.255.240.0 U 0 0 0 tap0
10.130.222.0 0.0.0.0 255.255.254.0 U 0 0 0 wlan-sta
128.0.0.0 0.0.0.0 128.0.0.0 U 0 0 0 tap0
188.193.117.137 10.130.222.1 255.255.255.255 UGH 0 0 0 wlan-sta
192.168.8.0 0.0.0.0 255.255.255.0 U 0 0 0 br-lan

Anyway, here is the mwan3 output from yesterday, before the change; maybe something else must still be corrected:

root@GL-AR750S:~# mwan3 status

Interface status:
interface wan is unknown and tracking is down
interface wwan is offline and tracking is active
interface tethering is unknown and tracking is down
interface modem_1_1 is unknown and tracking is down

Current ipv4 policies:
default_poli:
default

Current ipv6 policies:
default_poli:
default

Directly connected ipv4 networks:
188.193.117.137
0.0.0.0/1
192.168.8.1
128.0.0.0/1
10.130.222.109
10.111.240.200
10.111.255.255
127.255.255.255
10.111.240.0
10.111.240.0/20
224.0.0.0/3
10.130.222.0
127.0.0.1
10.130.223.255
192.168.8.255
192.168.8.0
192.168.8.0/24
127.0.0.0
10.130.222.0/23
127.0.0.0/8

Directly connected ipv6 networks:
fd2f:82f5:9885:10::/64
fe80::/64

Active ipv4 user rules:
0 0 - default_poli all -- * * 0.0.0.0/0 0.0.0.0/0

Active ipv6 user rules:
537 100K - default_poli all * * ::/0 ::/0

root@GL-AR750S:~#
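The difference between the two routing tables in this post is that the working one has a gateway (10.111.248.1) on the two def1 half-routes, while the broken one has them on-link on tap0 with no next hop. The following is an added example, not code from the thread or from GL-iNet: it parses `ip route show` output like the one posted above and reports which of those states the router is in. The route samples are constructed from the tables in this thread (the working one rewritten from `route -n` into `ip route` syntax).

```python
"""Sanity check for the def1 half-routes an OpenVPN client installs.
Added example, not from the thread: it parses 'ip route show' output like
the tables above and flags the thread's failure mode (tap0 half-routes
without a 'via' gateway, so non-VPN traffic is never forwarded)."""
import ipaddress
import re

# Constructed from the thread's broken table: half-routes have no gateway.
ROUTES_BROKEN = """\
0.0.0.0/1 dev tap0 scope link
default via 10.130.222.1 dev wlan-sta proto static src 10.130.222.109 metric 20
10.111.240.0/20 dev tap0 proto kernel scope link src 10.111.240.200
128.0.0.0/1 dev tap0 scope link
"""
# Constructed from the working 'route -n' table, rewritten in 'ip route' syntax.
ROUTES_WORKING = """\
0.0.0.0/1 via 10.111.248.1 dev tap0
default via 10.130.222.1 dev wlan-sta proto static src 10.130.222.109 metric 20
10.111.240.0/20 dev tap0 proto kernel scope link src 10.111.240.200
128.0.0.0/1 via 10.111.248.1 dev tap0
"""

ROUTE_RE = re.compile(r"^(?P<dst>\S+)(?: via (?P<via>\S+))? dev (?P<dev>\S+)")
DEF1_HALVES = {ipaddress.ip_network("0.0.0.0/1"), ipaddress.ip_network("128.0.0.0/1")}

def parse_routes(text):
    """Return (destination network, gateway or None, device) per route line."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            dst = "0.0.0.0/0" if m["dst"] == "default" else m["dst"]
            routes.append((ipaddress.ip_network(dst, strict=False), m["via"], m["dev"]))
    return routes

def check_def1(text, vpn_dev="tap0"):
    """Classify the def1 state as 'missing', 'no-gateway', 'bad-gateway' or 'ok'."""
    routes = parse_routes(text)
    halves = [r for r in routes if r[0] in DEF1_HALVES and r[2] == vpn_dev]
    if len(halves) != 2:
        return "missing"          # redirect-gateway def1 never took effect
    if any(via is None for _, via, _ in halves):
        return "no-gateway"       # the thread's symptom: on-link halves, no next hop
    # The gateway must lie inside a subnet that is on-link via the tunnel device.
    onlink = [n for n, via, d in routes if d == vpn_dev and via is None and n not in DEF1_HALVES]
    if all(any(ipaddress.ip_address(v) in n for n in onlink) for _, v, _ in halves):
        return "ok"
    return "bad-gateway"
```

On the router itself the same check can be fed live output, e.g. `check_def1(subprocess.check_output(["ip", "route", "show"], text=True))`.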


#26

Glad to hear you solved this issue.

Actually, we have dealt with the situation where the server doesn’t push def1 to the client, but it is missing the gateway.

It is a bug, thank you!