RUT950 to Draytek OpenVPN

Currently Trying to Create a Remote Connection back to our Office with a RUT950 using OpenVPN.
But it only seems to be operating in ONE Direction.

Hosting Server is a Draytek 2927.
I Created Certificates there & Exported the OVPN file & used that at the RUT end.

This is my OVPN file with the Certs Deleted.

client
dev tun
proto udp
remote 203.xxx.xxx.xxx 1194
auth sha1
cipher aes-128-cbc
resolv-retry infinite
nobind

--pull-filter ignore redirect-gateway
route-nopull
auth-user-pass

persist-key
persist-tun
reneg-sec 3600
ping 10
ping-exit 60

#verb 5

<ca>
-----BEGIN CERTIFICATE-----
Contents Deleted
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
Contents Deleted
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
Contents Deleted
-----END RSA PRIVATE KEY-----
</key>

The Tunnel is Connecting,
Draytek Shows,

RUT950 Shows,

But it only seems to be operating in ONE Direction.
As in, Clients on the Office Network (192.168.59.0) can Access devices on the 192.168.60.0 Subnet.
I have no issues accessing the Web Interface of the RUT from the Office PCs,
Pings Fine etc, from 192.168.59.21…

Pinging 192.168.60.100 with 32 bytes of data:
Reply from 192.168.60.100: bytes=32 time=117ms TTL=63
Reply from 192.168.60.100: bytes=32 time=134ms TTL=63
Reply from 192.168.60.100: bytes=32 time=89ms TTL=63
Reply from 192.168.60.100: bytes=32 time=184ms TTL=63

Ping statistics for 192.168.60.100:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 89ms, Maximum = 184ms, Average = 131ms

But Clients Connected to the RUT Cannot access Devices on the Office Network.
Strange thing though is Trace Routes find the first Hop.

BusyBox v1.34.1 (2023-12-19 09:26:03 UTC) built-in shell (ash)

   ____        _    ___  ____
  |  _ \ _   _| |_ / _ \/ ___|
  | |_) | | | | __| | | \___ \
  |  _ <| |_| | |_| |_| |___) |
  |_| \_\\__,_|\__|\___/|____/
---------------------------------
    Teltonika RUT9 series 2023
---------------------------------
   Device:     RUT950
   Kernel:     5.4.259
   Firmware:   RUT9_R_00.07.06
   Build:      e93742651d
   Build date: 2023-12-19 11:53:02
---------------------------------
root@RUT950:~# traceroute -m 5 -w 1 192.168.59.50
traceroute to 192.168.59.50 (192.168.59.50), 5 hops max, 38 byte packets
 1  192.168.59.100 (192.168.59.100)  66.492 ms  59.452 ms  59.091 ms
 2  *  *  *
 3  *  *  *
 4  *  *  *
 5  *  *  *
root@RUT950:~#

I’ve been browsing topics for the past weeks & get the impression that this may be a firewall issue, but not having much luck solving it.

The Zones get mentioned & mine look like this.

Routing Table at the RUT is this:-

Table on Draytek is this, noting that I currently have 6 VPN’s Active,
the other 5 being IPSec Lan to Lan.

Any Help would be greatly appreciated. I’ve had no issues getting others going but this seemingly small final step has me Stuck.

Thanks

Hello,

Thanks for reaching out to us.

Please try doing a firmware upgrade to “7.06”; you can find the firmware file on the link below:

https://wiki.teltonika-networks.com/view/RUT950_Firmware_Downloads

Note: Before doing the firmware upgrade we would like you to take a copy of the device’s backup and troubleshoot file in order to secure a copy of your current configuration.

You can upgrade the firmware on the router by following the steps below:

WebUI > System > Firmware > Update firmware > Turn off keep settings option > Upload the firmware

Note: Doing the firmware upgrade without “Keep settings” option ON will wipe out all existing configurations, and device might lose remote connectivity. Therefore, it is advisable to perform the firmware upgrade when the device is physically accessible to you or if you can ensure remote access through RMS or SMS Utilities as backup access.

-After that, ensure that ping from WAN sources is allowed on the LAN device. Most of the time, the ping request is denied by the firewall on the LAN device.

-Furthermore, try changing the gateway on your clients’ devices, for example, on the RUT950 side (192.168.60.100/24) device change to 192.168.80.0/24 and try testing it.

-You can also try disabling the firewall and seeing whether the ping works.

-You may also try to push it using the Extra options feature in RUT950’s OpenVPN configuration setting.

Thanks

Thanks for the reply,

I did upgrade the firmware to 7.06 back on 24/12; It was on 7.05.04 before that.
I have done all the upgrades with Keep Settings on though, & have been considering a Factory Reset.
Haven’t done that since moving it from V6 to V7.

The devices I’m trying to ping on the 192.168.59 subnet include some that are not PCs, so no firewall:
ESP32s, rPi & the Draytek itself.

Have tried turning the Draytek’s firewall off, but no change.

Strange thing though is that I can’t ping the Draytek, but it replies if I do a Traceroute to another device on that subnet.

Can provide data from the Config Backup file if I’m pointed in the right direction of what to post.

Will do a factory reset & try & get back to the current point as soon as I get a chance.

I have now reconfigured after a Factory reset & further upgrade to 7.06.1.

Still only getting pings outgoing from the Office LAN.
From the CLI I do get this error after the Ping times out.

root@RUT950:~# ping 192.168.59.100
PING 192.168.59.100 (192.168.59.100): 56 data bytes
ping: sendto: Operation not permitted
root@RUT950:~#

Routing Tables have changed:-

So have the firewall rules:-

Any further thoughts?

Thanks

Just realised I haven’t as yet uploaded a Trouble Shooting File.

Tried to upload it but the site tells me new users don’t have Permission to Attach Files.

Changes I’ve made from defaults are as follows:-

Router IP moved to 192.168.60.100
DHCP Scope set to start at .11
Time Zone Set to Australia/Sydney & NTP Servers to 0.au.pool.ntp.org etc.
Auto APN changed to Custom & using telstra.extranet to get away from CG-NAT.
Enabled SSH & Remote Admin.
Wireless SSID etc.
Installed DDNS Service & configured.
Created OpenVPN Client Instance & uploaded ovpn file.

That now has the VPN connecting again, but still only operating in the one direction.

Phil.

Edit:- Uploaded to Google Drive.

Edit #2:- Does this seem relevant to my situation? Bit beyond my normal depth here but it implies I may need to edit my ovpn file.
It currently contains this:-

client
dev tun
proto udp

This page openvpn firewall - Crowd Support Forum | Teltonika Networks
indicates it should be more like this:-

client
dev tun_c_Office
dev-type tun
proto udp

But I do note that the post is 4 years old & may only apply to version 6 Firmware.

I can now confirm that this is a Firewall issue.

If I run

/etc/init.d/firewall stop

Devices connected to the RUT can access all devices on the 192.168.59.0 Subnet.

Running

/etc/init.d/firewall start

Makes them inaccessible again.


Still have not resolved this issue.

Still only able to Ping Out from the Main to the remote network.
Not from the remote (192.168.60.0) back to the Host (192.168.59.0).

Can anyone help me with a resolution before this topic closes?

Am now able to attach a current Troubleshooting File for review if that’s possible.

troubleshoot-RUT950-2024-01-09.tar.gz (1.3 MB)

Thanks

Phil.

Hello,

Kindly proceed with the configuration example provided on link below:
https://wiki.teltonika-networks.com/view/OpenVPN_configuration_examples#Additional_configuration

Also, make sure you’ve pushed routes into your client as well as the route that connects to your server’s LAN.

If it doesn’t work, try it using an IPsec VPN, where you may add the Local Subnet / Remote Subnet from both ends and then ping vice versa.

Thanks

That Guide doesn’t help me much as the server config does not match the Draytek.
(And the examples are contradictory regarding Tunnel Endpoints, which I don’t have on the Draytek).

Tunnel is connecting,


But firewall is blocking connections to the Server Lan.

This seems more relevant, but can’t get it right…
Open VPN Acces to clients - Crowd Support Forum | Teltonika Networks (teltonika-networks.com)

Have 5 RUT950s that this applies to.
4 on a single client’s site that can’t yet have services fully implemented due to this issue.

Had initially attempted IPsec VPN, but could not get successful authentication between the RUTs & the Draytek.

Hello,

Please keep in mind that I tested it myself and it works perfectly, as shown in the screenshots below:

Ping from client’s to server’s LAN IPs: [screenshot]

OpenVPN Server configuration: [screenshots]

OpenVPN client configuration: [screenshot]

Please ensure that Draytek is not blocking ping or incoming traffic.

I believe that the issue is not with Teltonika; it could be with Draytek firewall policies, for example.

Thanks

Appreciate that along with the testing.

My reference to the 5 RUTs is not quite correct.
Inventory is actually this:
Client has 4:
RUT240 at their Transmitter Tower
(Radio Station Transmitter).
RUT950 x3 in Remote Broadcast Locations.
5th is my own for test purposes.

Both Broadcast Studio & My Office where I’m testing Have Draytek 2927’s along with a second one at my office that can be solely devoted to testing.

What I can’t replicate here is your Server Setup as:-

  1. The Draytek uses Username/Password.

  2. It does not let me Specify a Virtual Network.

Draytek’s configs Look like this:-

OpenVPN Settings:-


Lan to Lan Profile Settings:-

My Client Config in the Rut950 looks like this:-



Can Confirm that is the case, and my main Draytek has 6 Active VPN’s connected 24/7.
Also the fact that the RUT gets a first reply only in a Trace Route to the Server indicates it is reaching it.
RUT Traceroute

I have tried disabling the Draytek Firewall with no change.

I did confirm though that disabling the RUT’s firewall from a SSH Session with:-

/etc/init.d/firewall stop

Allowed the RUT to have access to any device on the Server (.59.0 Subnet).
I was able to repeatedly start & stop the firewall & see pings fail or succeed in a second SSH Session.

Days later, I can’t replicate the above today as I may have made a firewall change that I have not correctly reverted.

Only area I was testing those changes was here:-

I believe that testing situation was after 5pm on January 8th, and I did create a Default Configuration at least 1/2 an hour before that test.

Am I correct in assuming I can only restore that Config via the reset button?
References to User Default Configurations seem to be omitted from the Wiki & I don’t see a means of loading this from the GUI config.

I Appreciate the Assistance.

From the Previous Link you provided,
OpenVPN configuration examples - Teltonika Networks Wiki (teltonika-networks.com)

It’s this part that is not working for me.

Re my other Question, this is the Config I wish to revert to where disabling firewall for testing worked.
Can this be restored from the GUI or SSH, or can I only achieve this via the device’s reset button?

This Page mentions it, but it does not seem to be possible to apply it from:-
System > Administration > Profiles
It is shown there but all options are Greyed out.

Hello,

Thanks for your response,

Please try to configure the firewall to add the covered networks as a LAN/WAN interface (it could be a SIM card, which is mob1s1a1), and make sure the destination zone is covered by LAN and WAN as well. You can also create a firewall rule to allow the destination to the OpenVPN server.

Regarding the config backup default configuration, you do not need to click apply it because by default it is applied automatically when you create a user default configuration.

Thanks
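The zone condition described in this reply, together with the “ping: sendto: Operation not permitted” result earlier in the thread, as an added example that is not part of the thread or of Teltonika’s own tooling: a small Python checker that parses an OpenWrt-style /etc/config/firewall and reports whether a given OpenVPN device is covered by a zone, whether that zone (or the defaults section, when uncovered) lets the router itself send on it, and whether forwarding between that zone and the LAN zone exists in both directions. The zone name openvpn, the device name tun_c_Office and both sample configs are constructed for the example; reading an unstated policy as REJECT is an assumption, not a documented default.

```python
import re
# Constructed sample (not from the thread): only a LAN zone, so the tun device is uncovered.
BROKEN = """
config defaults
    option output 'REJECT'
config zone
    option name 'lan'
    list network 'lan'
"""
# Same config plus a zone covering the tun device and forwarding in both directions.
FIXED = BROKEN + """
config zone
    option name 'openvpn'
    list device 'tun_c_Office'
    option output 'ACCEPT'
config forwarding
    option src 'lan'
    option dest 'openvpn'
config forwarding
    option src 'openvpn'
    option dest 'lan'
"""

def parse_uci(text):
    # Parse /etc/config/* syntax into a list of (section_type, {option: value or [values]}).
    secs = []
    for line in text.splitlines():
        tok = [t.strip("'\"") for t in re.findall(r"'[^']*'|\"[^\"]*\"|\S+", line)]
        if tok and tok[0] == "config":
            secs.append((tok[1], {}))
        elif tok and tok[0] == "option":
            secs[-1][1][tok[1]] = tok[2] if len(tok) > 2 else ""
        elif tok and tok[0] == "list":
            secs[-1][1].setdefault(tok[1], []).append(tok[2])
    return secs

def check_vpn_firewall(text, vpn_dev, lan_zone="lan"):
    """Zone covering vpn_dev (None if uncovered), whether the router itself may send on it
    (a REJECT output policy is what 'sendto: Operation not permitted' means), LAN<->VPN forwards."""
    secs = parse_uci(text)
    defaults = next((o for t, o in secs if t == "defaults"), {})
    fwds = {(o.get("src"), o.get("dest")) for t, o in secs if t == "forwarding"}
    zone = next((o for t, o in secs if t == "zone"
                 and vpn_dev in o.get("device", []) + o.get("network", [])), None)
    name = zone["name"] if zone else None
    # Uncovered device: the router's own packets fall under 'defaults'. Assumption: an
    # unstated output policy is read as REJECT (conservative; check your build's default).
    policy = (zone or defaults).get("output", "REJECT")
    return {"zone": name, "router_can_send": policy == "ACCEPT",
            "lan_to_vpn": (lan_zone, name) in fwds, "vpn_to_lan": (name, lan_zone) in fwds}
```

Run it against a copy of the RUT’s real /etc/config/firewall (e.g. pulled over SSH) with the device name shown by `ip link` for the OpenVPN instance.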

This topic was automatically closed after 15 days. New replies are no longer allowed.