0 votes
3,372 views 5 comments
by anonymous
Hi,

Is it possible to connect two LANs with TAP OpenVPN and pass a UDP broadcast?

I have two RUT955 (latest firmware), both connected in a mesh network. The OpenVPN setup is done (according to these instructions: https://wiki.teltonika.lt/view/OpenVPN_configuration_examples#TAP_.28bridged.29_OpenVPN) and I can see in the traffic that there is some link over UDP port 1194. But the UDP broadcast won't pass through the tunnel. Are there extra forwarding rules or firewall settings needed to achieve this?

LAN1: 10.10.200.0/21 (server vpn) (WAN: 10.10.9.1)

LAN2: 10.10.201.0/21 (client vpn) (WAN: 10.10.9.2)

I followed the manual to create the TAP OpenVPN and I can see the service is running, but the status of the VPN server doesn't show any clients.

Please advise whether this is possible. Thank you

1 Answer

0 votes
by anonymous

Hello,

Please take note that OpenVPN TAP (Bridge) is meant to connect two devices whose LAN IPs are in the same network. Because of that, you should either:

 a) change your devices' LAN IPs so that they are in the same network (i.e. LAN1: 10.10.200.1, LAN2: 10.10.200.2), or

 b) change your OpenVPN interface type from "TAP" to "TUN" (tunnel), which would allow you to use different LAN IPs (e.g. LAN1: 10.10.200.1, LAN2: 10.10.201.1)

Best answer
by anonymous
Thank you for the reply. Yes, of course the two LAN IPs should be in the same network for this to work.

I did change the LAN IPs, but OpenVPN is still not working. Could it be that an external public IP is needed on the WAN side for this to work? I don't have a public IP and I am using a private IP, 10.10.9.1.
by anonymous

Hello,

In essence, your devices must be able to communicate with each other in order to establish a VPN connection.

 - If your devices can communicate (i.e. if you can reach 10.10.9.1 from 10.10.9.2 and vice versa), then a public IP is not necessary. You can check this reachability by navigating to the router's "System -> Administration -> Diagnostics" menu and trying to "ping" the other router's WAN IP. This is how a "correct" ping response looks (meaning that 10.10.9.1 is reachable):

 - If the devices currently cannot reach each other, then a public IP is necessary on at least one device, so that it can be used as the VPN server.

by anonymous
Thank you for the answer, it is very much appreciated.

Yes, the two devices can communicate, so I guess my problem is within the OpenVPN configuration.
by anonymous

Hello,

Yes, if the devices can communicate with one another but OpenVPN is not working, the issue is probably related to the OpenVPN configuration.

If you have not found the source of the issue yet, you can share troubleshoot package files from your routers, which contain both the router's current configuration and its logs.

Suggested way to do that:

 - Power on both routers and wait a few minutes, so that the routers have a chance to establish the OpenVPN bridge between one another.

 - Then navigate to the "System -> Administration -> Troubleshoot" menu and download the troubleshoot packages from both routers.

 - Archive both troubleshoot files into a password-protected archive (e.g. with the "7zip" or "winrar" applications).

 - Upload the protected archive to this topic and send the password separately via private message.

by anonymous
Hello,

Ok, I have been playing with the settings and found out that in the client OpenVPN settings a field "extra option" is always filled with the value 'admin'. From the GUI this cannot be removed, so I had to do it from the CLI with the uci set command.

From the GUI it is also impossible to select proto udp4 instead of udp, so I changed that value with uci as well.
From the logging I can see the connection is established, but in the GUI both the server and the client do not show correct information. Also, there is no data being forwarded through the tunnel. What else can I do?

This is the latest logging from the server and one client:
client1: (after uci set openvpn.xxxx.proto='udp4')

Thu Dec 20 14:07:08 2018 daemon.notice openvpn(636C69656E745F31)[3285]: OpenVPN 2.4.5 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Thu Dec 20 14:07:08 2018 daemon.notice openvpn(636C69656E745F31)[3285]: library versions: OpenSSL 1.0.2o  27 Mar 2018, LZO 2.10
Thu Dec 20 14:07:08 2018 daemon.warn openvpn(636C69656E745F31)[3285]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Thu Dec 20 14:07:08 2018 daemon.notice openvpn(636C69656E745F31)[3285]: LZO compression initializing
Thu Dec 20 14:07:08 2018 daemon.notice openvpn(636C69656E745F31)[3285]: Control Channel MTU parms [ L:1654 D:1212 EF:38 EB:0 ET:0 EL:3 ]
Thu Dec 20 14:07:08 2018 daemon.notice openvpn(636C69656E745F31)[3285]: Data Channel MTU parms [ L:1654 D:1450 EF:122 EB:411 ET:32 EL:3 ]
Thu Dec 20 14:07:08 2018 daemon.notice openvpn(636C69656E745F31)[3285]: Local Options String (VER=V4): 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Thu Dec 20 14:07:08 2018 daemon.notice openvpn(636C69656E745F31)[3285]: Expected Remote Options String (VER=V4): 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Thu Dec 20 14:07:08 2018 daemon.notice openvpn(636C69656E745F31)[3285]: TCP/UDP: Preserving recently used remote address: [AF_INET]10.10.9.1:1194
Thu Dec 20 14:07:08 2018 daemon.notice openvpn(636C69656E745F31)[3285]: Socket Buffers: R=[8388608->8388608] S=[8388608->8388608]
Thu Dec 20 14:07:08 2018 daemon.notice openvpn(636C69656E745F31)[3285]: UDPv4 link local: (not bound)
Thu Dec 20 14:07:08 2018 daemon.notice openvpn(636C69656E745F31)[3285]: UDPv4 link remote: [AF_INET]10.10.9.1:1194
Thu Dec 20 14:07:08 2018 daemon.notice openvpn(636C69656E745F31)[3285]: TLS: Initial packet from [AF_INET]10.10.9.1:1194, sid=e0e39e14 5f029ee2
Thu Dec 20 14:07:08 2018 daemon.notice openvpn(636C69656E745F31)[3285]: VERIFY OK: depth=1, C=NL, ST=ZH, L=, O=, OU=, CN=CA, name=EasyRSA, emailAddress=me@myhost.mydomain
Thu Dec 20 14:07:08 2018 daemon.notice openvpn(636C69656E745F31)[3285]: VERIFY OK: depth=0, C=NL, ST=ZH, L=, O=, OU=, CN=server, name=EasyRSA, emailAddress=me@myhost.mydomain
Thu Dec 20 14:07:08 2018 daemon.notice openvpn(636C69656E745F31)[3285]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 1024 bit RSA
Thu Dec 20 14:07:08 2018 daemon.notice openvpn(636C69656E745F31)[3285]: [server] Peer Connection Initiated with [AF_INET]10.10.9.1:1194
Thu Dec 20 14:07:08 2018 local1.info gsmd[2298]: gsmd send: 'AT+CSQ' (7)
Thu Dec 20 14:07:08 2018 local1.info gsmd[2298]: gsmd get: '+CSQ: 99,99' (11)
Thu Dec 20 14:07:09 2018 daemon.notice openvpn(636C69656E745F31)[3285]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Thu Dec 20 14:07:09 2018 daemon.notice openvpn(636C69656E745F31)[3285]: PUSH: Received control message: 'PUSH_REPLY,route 10.10.200.0 255.255.248.0,ping 10,ping-restart 120,ifconfig 10.0.0.2 10.0.0.1,peer-id 2,cipher AES-256-GCM'
Thu Dec 20 14:07:09 2018 daemon.notice openvpn(636C69656E745F31)[3285]: OPTIONS IMPORT: timers and/or timeouts modified
Thu Dec 20 14:07:09 2018 daemon.notice openvpn(636C69656E745F31)[3285]: OPTIONS IMPORT: --ifconfig/up options modified
Thu Dec 20 14:07:09 2018 daemon.notice openvpn(636C69656E745F31)[3285]: OPTIONS IMPORT: route options modified
Thu Dec 20 14:07:09 2018 daemon.notice openvpn(636C69656E745F31)[3285]: OPTIONS IMPORT: peer-id set
Thu Dec 20 14:07:09 2018 daemon.notice openvpn(636C69656E745F31)[3285]: OPTIONS IMPORT: adjusting link_mtu to 1657
Thu Dec 20 14:07:09 2018 daemon.notice openvpn(636C69656E745F31)[3285]: OPTIONS IMPORT: data channel crypto options modified
Thu Dec 20 14:07:09 2018 daemon.notice openvpn(636C69656E745F31)[3285]: Data Channel: using negotiated cipher 'AES-256-GCM'
Thu Dec 20 14:07:09 2018 daemon.notice openvpn(636C69656E745F31)[3285]: Data Channel MTU parms [ L:1585 D:1450 EF:53 EB:411 ET:32 EL:3 ]
Thu Dec 20 14:07:09 2018 daemon.notice openvpn(636C69656E745F31)[3285]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Dec 20 14:07:09 2018 daemon.notice openvpn(636C69656E745F31)[3285]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Dec 20 14:07:09 2018 daemon.warn openvpn(636C69656E745F31)[3285]: WARNING: Since you are using --dev tap, the second argument to --ifconfig must be a netmask, for example something like 255.255.255.0. (silence this warning with --ifconfig-nowarn)
Thu Dec 20 14:07:09 2018 daemon.warn openvpn(636C69656E745F31)[3285]: OpenVPN ROUTE: OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options
Thu Dec 20 14:07:09 2018 daemon.warn openvpn(636C69656E745F31)[3285]: OpenVPN ROUTE: failed to parse/resolve route for host/network: 10.10.200.0
Thu Dec 20 14:07:09 2018 daemon.notice openvpn(636C69656E745F31)[3285]: TUN/TAP device tap0 opened
Thu Dec 20 14:07:09 2018 daemon.notice openvpn(636C69656E745F31)[3285]: TUN/TAP TX queue length set to 100
Thu Dec 20 14:07:09 2018 daemon.notice openvpn(636C69656E745F31)[3285]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Thu Dec 20 14:07:09 2018 daemon.notice openvpn(636C69656E745F31)[3285]: /sbin/ifconfig tap0 10.0.0.2 netmask 10.0.0.1 mtu 1500 broadcast 255.255.255.254
Thu Dec 20 14:07:09 2018 daemon.err openvpn(636C69656E745F31)[3285]: Linux ifconfig failed: external program exited with error status: 1
Thu Dec 20 14:07:09 2018 daemon.notice openvpn(636C69656E745F31)[3285]: Exiting due to fatal error

server after setting proto to udp4:
Thu Dec 20 13:15:48 2018 daemon.notice openvpn(7365727665725F31)[17189]: SIGTERM[hard,] received, process exiting
Thu Dec 20 13:15:48 2018 daemon.notice openvpn(7365727665725F31)[20286]: OpenVPN 2.4.5 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Thu Dec 20 13:15:48 2018 daemon.notice openvpn(7365727665725F31)[20286]: library versions: OpenSSL 1.0.2o  27 Mar 2018, LZO 2.10
Thu Dec 20 13:15:48 2018 daemon.warn openvpn(7365727665725F31)[20286]: NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to
Thu Dec 20 13:15:48 2018 daemon.warn openvpn(7365727665725F31)[20286]: WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want
Thu Dec 20 13:15:48 2018 daemon.notice openvpn(7365727665725F31)[20286]: Diffie-Hellman initialized with 1024 bit key
Thu Dec 20 13:15:48 2018 daemon.notice openvpn(7365727665725F31)[20286]: TLS-Auth MTU parms [ L:1654 D:1212 EF:38 EB:0 ET:0 EL:3 ]
Thu Dec 20 13:15:48 2018 daemon.warn openvpn(7365727665725F31)[20286]: OpenVPN ROUTE: OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options
Thu Dec 20 13:15:48 2018 daemon.warn openvpn(7365727665725F31)[20286]: OpenVPN ROUTE: failed to parse/resolve route for host/network: 10.10.200.2
Thu Dec 20 13:15:48 2018 daemon.notice netifd: Network device 'tap0' link is up
Thu Dec 20 13:15:48 2018 daemon.notice openvpn(7365727665725F31)[20286]: TUN/TAP device tap0 opened
Thu Dec 20 13:15:48 2018 daemon.notice openvpn(7365727665725F31)[20286]: TUN/TAP TX queue length set to 100
Thu Dec 20 13:15:48 2018 daemon.notice openvpn(7365727665725F31)[20286]: Data Channel MTU parms [ L:1654 D:1450 EF:122 EB:411 ET:32 EL:3 ]
Thu Dec 20 13:15:48 2018 daemon.notice openvpn(7365727665725F31)[20286]: Socket Buffers: R=[8388608->8388608] S=[8388608->8388608]
Thu Dec 20 13:15:48 2018 daemon.notice openvpn(7365727665725F31)[20286]: UDPv4 link local (bound): [AF_INET][undef]:1194
Thu Dec 20 13:15:48 2018 daemon.notice openvpn(7365727665725F31)[20286]: UDPv4 link remote: [AF_UNSPEC]
Thu Dec 20 13:15:48 2018 daemon.notice openvpn(7365727665725F31)[20286]: MULTI: multi_init called, r=256 v=256
Thu Dec 20 13:15:48 2018 kern.info kernel: [102684.420000] device tap0 entered promiscuous mode
Thu Dec 20 13:15:48 2018 kern.info kernel: [102684.420000] br-lan: port 3(tap0) entered forwarding state
Thu Dec 20 13:15:48 2018 daemon.notice openvpn(7365727665725F31)[20286]: Initialization Sequence Completed
Thu Dec 20 13:15:50 2018 kern.info kernel: [102686.420000] br-lan: port 3(tap0) entered forwarding state
Thu Dec 20 13:15:52 2018 kern.info kernel: [102688.010000] Ports leds ON
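The client log above reports three things in order: the pushed `ifconfig 10.0.0.2 10.0.0.1` whose second argument is not a netmask (which OpenVPN warns a `--dev tap` client needs), a pushed `route` with no gateway to resolve it, and the final `ifconfig` failure that makes the client exit. The checker below, added here as an example and not code from the thread or from Teltonika, parses a client log for exactly those conditions; the sample log is a constructed excerpt of the posted lines with timestamps and PIDs trimmed, and the finding codes are my own names.

```python
import re

# Constructed excerpt of the client log posted in the thread (timestamps/pids trimmed).
SAMPLE_LOG = """\
openvpn: Local Options String (VER=V4): 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
openvpn: PUSH: Received control message: 'PUSH_REPLY,route 10.10.200.0 255.255.248.0,ping 10,ping-restart 120,ifconfig 10.0.0.2 10.0.0.1,peer-id 2,cipher AES-256-GCM'
openvpn: WARNING: Since you are using --dev tap, the second argument to --ifconfig must be a netmask, for example something like 255.255.255.0.
openvpn: OpenVPN ROUTE: failed to parse/resolve route for host/network: 10.10.200.0
openvpn: /sbin/ifconfig tap0 10.0.0.2 netmask 10.0.0.1 mtu 1500 broadcast 255.255.255.254
openvpn: Linux ifconfig failed: external program exited with error status: 1
"""

def is_netmask(s):
    """True if s is a dotted quad whose bits are contiguous ones followed by zeros."""
    try:
        octets = [int(p) for p in s.split(".")]
    except ValueError:
        return False
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        return False
    return "01" not in "".join(f"{o:08b}" for o in octets)

def parse_push_reply(log):
    """Map each option name in the PUSH_REPLY to the list of its argument strings."""
    m = re.search(r"PUSH_REPLY,([^']*)'", log)
    opts = {}
    if m:
        for item in m.group(1).split(","):
            name, _, args = item.partition(" ")
            opts.setdefault(name, []).append(args)
    return opts

def diagnose(log):
    """Return (code, detail) findings for a TAP client log; empty list means nothing flagged."""
    findings = []
    dev = re.search(r"dev-type (\w+)", log)          # from the Local Options String
    dev = dev.group(1) if dev else None
    opts = parse_push_reply(log)
    if dev == "tap" and "ifconfig" in opts:
        local, _, second = opts["ifconfig"][0].partition(" ")
        if not is_netmask(second):                    # tap needs "ifconfig <ip> <netmask>"
            findings.append(("TAP_IFCONFIG_NOT_NETMASK", f"{local} {second}"))
    if "route" in opts and "route-gateway" not in opts:  # route pushed with nothing to resolve it
        findings.append(("ROUTE_WITHOUT_GATEWAY", opts["route"][0]))
    if "ifconfig failed" in log:                      # the fatal error that ends the session
        findings.append(("IFCONFIG_FAILED", "tap0 never received an address"))
    return findings

if __name__ == "__main__":
    for code, detail in diagnose(SAMPLE_LOG):
        print(code, detail)
```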