Wifi Clients not connected over VPN


#1

Hi guys,

I’m a community Internet and Wireless mesh enthusiast and wanted to participate in the FFDD community (I live in DD). I was trying to check out the FFDD firmware today. I got myself a TL-WR841ND v10 and flashed the firmware v4.2 and plugged it to my internet gateway router. I was quite happy with how noob friendly the installation / configuration was.

However, there was one issue. I could not connect to the Internet through the Freifunk Dresden WLAN network. I could connect to the wifi network but just not to the internet. (I have just a typical setup. The WAN port of Freifunk router is connected to the LAN port of my home router. My home router is behind a NAT). I figured out that the LAN gateway: field in the Verwaltung > Expert > Backbone page was empty. So I filled it with my home router’s LAN IP (192.168.1.1). This sorted the issue out. My WLAN clients were then connected to the internet, but with one catch. They all had the public IP of my ISP, and not tunnelled through the VPN. Any idea why?

Another weird thing is that in the Verwaltung > Expert > Backbone page, it shows that I am not connected to any of the 5 VPN clients (shown by the red X symbol). Does someone have an idea why?

Cheers,
err404


#2

Hi,

we can speak German if this is better. But I continue with English :wink:
First we have to ensure that you have connected the blue network socket (WAN) and not the yellow socket to your home router. I ask because you mentioned that you have entered a gateway IP into the LAN field.
When you are connected via WAN and per default use DHCP, then this must be sufficient.
The main problem that might occur is an IP conflict. When your home router uses an IP from range 192.168.1.x then you first have to change the LAN IP of your Freifunk router to a different network range. For instance 192.168.88.1/255.255.255.0 (gateway and DNS are not needed).
I assume that you haven’t connected anything to yellow LAN ports?

If you have solved such an IP conflict and rebooted your router, then it should work. You should see backbone connections. Per default you do not need to change backbone connections, because there must be some default values already.
When the backbone connection is correct and has a connection, then you should see in Verwaltung > Info -> Nodes/Koden the list of all Freifunk routes.

You say that you have public internet access from your wifi clients? This is strange and can only happen when you enable the option "Eignes Internet direkt freigeben:" (Verwaltung->System).
This option should never be activated when all traffic should go through the Freifunk network instead of going directly through your ISP.

Can you tell me your router IP? Then I can check http://your-ip/sysinfo-json.cgi to get more infos.

Just for info. After booting (starting) your router it takes about 5 minutes until the router has access to the Freifunk network. The router continuously checks for working internet connections every 3 minutes. When one working connection was found, the router will try to connect all backbone connections. When at least one connection has been established, the routing protocol starts collecting some network information to know the network. This takes about 1,5 minutes.

BR
Stephan


#3

Hi Stephan,

> we can speak German if this is better. But I continue with English :wink:

Sorry, my German is (still) quite poor. :confused: I’m not natively from Germany.

> When you are connected via WAN and per default use DHCP, then this must be sufficient.
> The main problem that might occur is an IP conflict. When your home router uses an IP from range 192.168.1.x then you first have to change the LAN IP of your Freifunk router to a different network range. For instance 192.168.88.1/255.255.255.0 (gateway and DNS are not needed).
> I assume that you haven’t connected anything to yellow LAN ports?

The subnets are appropriately segregated. I made sure of that.

> You say that you have public internet access from your wifi clients? This is strange and can only happen when you enable the option "Eignes Internet direkt freigeben:" (Verwaltung->System).

Exactly. That’s what I expected. But that option is certainly turned off.

Currently, the situation has slightly improved since my previous post (because I moved the router to a completely different location with a different ISP).

  1. I am now connected to all of the backbone servers.
  2. The footer of the router webpage that previously said “Internet IPv4 via: local/none” now says “Internet IPv4 via: 10.200.0.5 (4)”.

However,

  1. The wifi clients are still connected directly through my home ISP gateway and not through the tunnel.
  2. I do not see the node as online in the hotspot list in here: Hotspots (ID:1486). Nor do I see it on the map.

My FF IP is 10.200.5.212
In case you can not access it, here’s my sysinfo-json.cgi:

{
 "version":"10",
 "timestamp":"1498260480",
 "data":{

		"firmware":{
			"version":"4.2.2",
			"DISTRIB_ID":"OpenWrt",
			"DISTRIB_RELEASE":"15.05",
			"DISTRIB_REVISION":"r48246",
			"DISTRIB_CODENAME":"chaos_calmer",
			"DISTRIB_TARGET":"ar71xx/generic",
			"DISTRIB_DESCRIPTION":"OpenWrt Chaos Calmer 15.05"
		},
		"system":{
			"uptime":"12329.88 10358.06",
			"uname":"Linux r1486 3.18.23 #6 Tue Jan 19 23:13:35 CET 2016 mips GNU/Linux",
			"nameserver": [
			],
			"date":"Sat Jun 24 01:28:01 CEST 2017",
			"board":"tl-wr841n-v9",
			"model":"TP-Link TL-WR841N/ND v10",
			"model2":"",
			"cpuinfo":"Qualcomm Atheros QCA9533 ver 2 rev 0",
			"bmxd" : "BMX 0.3-freifunk-dresden-git:[67fc9f7:Fri Jan 15 12:59:30 2016], 10.200.5.212, LWS 20, PWS 100, OGI 1000ms, UT  0:03:24:58 (ms= 0.00bba8e3), CPU 5.5",
			"essid":"Freifunk Dresden [1486]"
		},
		"opkg":{
			"available_size" : "144.0K",
			"packages": [
				
			]
		},
		"common":{
			"city":"Dresden",
			"node":"1486",
			"domain":"freifunk-dresden.de",
			"ip":"10.200.5.212",
			"fastd_pubkey":"19792f25ca3e3b2174aaf68289ea0c256b0f78c221e613bb7176e153edb8e13e",
			"network_id":"1206"
		},
		"gps":{
			"latitude":"51.0333171",
			"longitude":"13.7096987",
			"altitude":"23"
		},
		"contact":{
			"name":"Sreekrishna+Pandi",
			"location":"FAL",
			"email":"sreekrishna.pandi%40tu-dresden.de",
			"note":"-"
		},
		"statistic" : {
			"accepted_user_count" : "0",
			"dhcp_count" : "",
			"dhcp_lease" : "5m",
			"traffic_gwt": "0,0",
			"traffic_priv": "0,14618",
			"traffic_lo": "351146,351146",
			"traffic_teql0": "0,0",
			"traffic_wan": "419545435,268310870",
			"traffic_wlan0-1": "90757585,159556294",
			"traffic_tbb_fastd": "229127531,38410416",
			"traffic_adhoc": "0,77667856",
			"traffic_eth0": "0,0",
			"traffic_ap": "88431378,156555636",
			"traffic_bmx_prime": "0,0",
			"traffic_br-lan": "0,0",
			"meminfo_MemTotal" : "29196 kB",
			"meminfo_MemFree" : "4532 kB",
			"meminfo_MemAvailable" : "12564 kB",
			"meminfo_Buffers" : "2532 kB",
			"meminfo_Cached" : "6716 kB",
			"meminfo_SwapCached" : "0 kB",
			"meminfo_Active" : "8188 kB",
			"meminfo_Inactive" : "4064 kB",
			"meminfo_Active(anon)" : "3144 kB",
			"meminfo_Inactive(anon)" : "68 kB",
			"meminfo_Active(file)" : "5044 kB",
			"meminfo_Inactive(file)" : "3996 kB",
			"meminfo_Unevictable" : "0 kB",
			"meminfo_Mlocked" : "0 kB",
			"meminfo_SwapTotal" : "0 kB",
			"meminfo_SwapFree" : "0 kB",
			"meminfo_Dirty" : "0 kB",
			"meminfo_Writeback" : "0 kB",
			"meminfo_AnonPages" : "3016 kB",
			"meminfo_Mapped" : "3408 kB",
			"meminfo_Shmem" : "208 kB",
			"meminfo_Slab" : "5852 kB",
			"meminfo_SReclaimable" : "1372 kB",
			"meminfo_SUnreclaim" : "4480 kB",
			"meminfo_KernelStack" : "352 kB",
			"meminfo_PageTables" : "396 kB",
			"meminfo_NFS_Unstable" : "0 kB",
			"meminfo_Bounce" : "0 kB",
			"meminfo_WritebackTmp" : "0 kB",
			"meminfo_CommitLimit" : "14596 kB",
			"meminfo_Committed_AS" : "9796 kB",
			"meminfo_VmallocTotal" : "1048372 kB",
			"meminfo_VmallocUsed" : "1648 kB",
			"meminfo_VmallocChunk" : "1026272 kB",
			"cpu_load" : "0.47 0.26 0.24 1/42 23145",
			"cpu_stat" : "cpu 84826 0 79765 1035806 0 0 32702 0 0 0",
			"gateway_usage" : [ ]
		},
		"bmxd":{
			"routing_tables":{
				"route":{
					"link":[
						{"target":"10.201.0.3","interface":"tbb_fastd"},
						{"target":"10.201.0.103","interface":"tbb_fastd"},
						{"target":"10.201.0.112","interface":"tbb_fastd"},
						{"target":"10.201.0.121","interface":"tbb_fastd"} ]
	  			},
				"hna":{
					"link":[ ],
		  		"global":[ ]
				}
			},
			"links":[
{"node":"2", "ip":"10.200.0.3", "rtq":"93", "rq":"95", "tq":"97"}, 
{"node":"102", "ip":"10.200.0.103", "rtq":"99", "rq":"99", "tq":"100"}, 
{"node":"111", "ip":"10.200.0.112", "rtq":"100", "rq":"100", "tq":"100"}, 
{"node":"120", "ip":"10.200.0.121", "rtq":"99", "rq":"100", "tq":"99"}
			],
			"gateways":{
				"selected":"10.200.0.103",
				"preferred":"0.0.0.0",
				"gateways":[
				{"ip":"10.200.0.3"},
				{"ip":"10.200.0.102"},
				{"ip":"10.200.0.101"},
				{"ip":"10.200.200.5"},
				{"ip":"10.200.5.151"},
				{"ip":"10.200.5.141"},
				{"ip":"10.200.200.2"},
				{"ip":"10.200.200.6"},
				{"ip":"10.200.0.112"},
				{"ip":"10.200.0.121"},
				{"ip":"10.200.5.156"},
				{"ip":"10.200.0.103"},
				{"ip":"10.200.0.5"} ]
			},
			"info":[
				"throw_rules            0                    ",
				"prio_rules             0                    ",
				"dev                    bmx_prime            ",
				"/linklayer          0                    ",
				"dev                    tbb_fastd            ",
				"/linklayer          1                    ",
				"dev                    wlan0                ",
				"/linklayer          2                    ",
				"hop_penalty            10                   ",
				"purge_timeout          20                   ",
				"routing_class          3                    ",
				"gateway_hysteresis     10                   ",
				"one_way_tunnel         1                    ",
				"two_way_tunnel         2                    " ]
		},
		"internet_tunnel":{},
		"connections":[
		],
		"configs":{
			"traffic_shaping":{ "network":"lan", "incomming":"200000", "outgoing":"50000"}
		}	
  }
}

Here’s the sys log:

Sat Jun 24 01:44:51 2017 daemon.err bmx[2139]: INFO send ip request to gateway: 10.200.0.102, preferred IP: 0.0.0.0
Sat Jun 24 01:44:52 2017 daemon.err bmx[2139]: INFO send ip request to gateway: 10.200.0.102, preferred IP: 0.0.0.0
Sat Jun 24 01:44:53 2017 daemon.err bmx[2139]: INFO send ip request to gateway: 10.200.0.102, preferred IP: 0.0.0.0
Sat Jun 24 01:44:54 2017 daemon.err bmx[2139]: INFO send ip request to gateway: 10.200.0.102, preferred IP: 0.0.0.0
Sat Jun 24 01:44:55 2017 daemon.err bmx[2139]: INFO send ip request to gateway: 10.200.0.102, preferred IP: 0.0.0.0
Sat Jun 24 01:44:56 2017 daemon.err bmx[2139]: INFO send ip request to gateway: 10.200.0.102, preferred IP: 0.0.0.0
Sat Jun 24 01:44:57 2017 daemon.err bmx[2139]: INFO send ip request to gateway: 10.200.0.102, preferred IP: 0.0.0.0
Sat Jun 24 01:44:59 2017 daemon.err bmx[2139]: INFO send ip request to gateway: 10.200.0.102, preferred IP: 0.0.0.0
Sat Jun 24 01:45:00 2017 daemon.err bmx[2139]: INFO send ip request to gateway: 10.200.0.102, preferred IP: 0.0.0.0
Sat Jun 24 01:45:00 2017 user.notice watchdog: wifi: country DE
Sat Jun 24 01:45:01 2017 daemon.err bmx[2139]: INFO send ip request to gateway: 10.200.0.102, preferred IP: 0.0.0.0
Sat Jun 24 01:45:02 2017 user.notice GW_CHECK: Set local gateway: dev:eth1, ip:192.168.16.1
Sat Jun 24 01:45:02 2017 daemon.err bmx[2139]: INFO send ip request to gateway: 10.200.0.102, preferred IP: 0.0.0.0
Sat Jun 24 01:45:02 2017 user.notice GW_CHECK: remove public gateway: dev:eth1, ip:192.168.16.1
Sat Jun 24 01:45:02 2017 user.notice GW_CHECK: restart openvpn
Sat Jun 24 01:45:03 2017 daemon.err bmx[2139]: INFO send ip request to gateway: 10.200.0.102, preferred IP: 0.0.0.0
Sat Jun 24 01:45:04 2017 daemon.err bmx[2139]: INFO send ip request to gateway: 10.200.0.102, preferred IP: 0.0.0.0
Sat Jun 24 01:45:05 2017 daemon.err bmx[2139]: INFO send ip request to gateway: 10.200.0.102, preferred IP: 0.0.0.0
Sat Jun 24 01:45:06 2017 daemon.err bmx[2139]: INFO send ip request to gateway: 10.200.0.102, preferred IP: 0.0.0.0
Sat Jun 24 01:45:07 2017 daemon.err bmx[2139]: INFO send ip request to gateway: 10.200.0.102, preferred IP: 0.0.0.0
Sat Jun 24 01:45:08 2017 daemon.err bmx[2139]: INFO send ip request to gateway: 10.200.0.102, preferred IP: 0.0.0.0

And my ifconfig

TP-Link TL-WR841N/ND v10 @ r1486:~# ifconfig 
bmx_prime Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.200.5.212  P-t-P:10.200.5.212  Mask:255.255.0.0
          UP POINTOPOINT NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

br-lan    Link encap:Ethernet  HWaddr F4:F2:6D:F1:C1:8A  
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

br-wifi2  Link encap:Ethernet  HWaddr F6:F2:6D:F1:C1:8A  
          inet addr:192.168.252.1  Bcast:192.168.255.255  Mask:255.255.252.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:176391 errors:0 dropped:88 overruns:0 frame:0
          TX packets:181926 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:90528687 (86.3 MiB)  TX bytes:159834088 (152.4 MiB)

eth0      Link encap:Ethernet  HWaddr F4:F2:6D:F1:C1:8A  
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
          Interrupt:5 

eth1      Link encap:Ethernet  HWaddr F4:F2:6D:F1:C1:8B  
          inet addr:192.168.16.103  Bcast:192.168.16.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1098338 errors:0 dropped:568 overruns:0 frame:0
          TX packets:828023 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:451185615 (430.2 MiB)  TX bytes:290159150 (276.7 MiB)
          Interrupt:4 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:4290 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4290 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:351222 (342.9 KiB)  TX bytes:351222 (342.9 KiB)

priv      Link encap:Ethernet  HWaddr BE:8D:33:5B:20:E2  
          UP BROADCAST RUNNING  MTU:1360  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:347 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500 
          RX bytes:0 (0.0 B)  TX bytes:14618 (14.2 KiB)

tbb_fastd Link encap:Ethernet  HWaddr C2:79:75:E5:88:36  
          inet addr:10.201.5.212  Bcast:10.255.255.255  Mask:255.255.0.0
          UP BROADCAST RUNNING  MTU:1426  Metric:1
          RX packets:919042 errors:0 dropped:3 overruns:0 frame:0
          TX packets:168019 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500 
          RX bytes:254423454 (242.6 MiB)  TX bytes:42719850 (40.7 MiB)

wlan0     Link encap:Ethernet  HWaddr F4:F2:6D:F1:C1:8A  
          inet addr:10.201.5.212  Bcast:10.255.255.255  Mask:255.255.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1426  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:289178 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:86526036 (82.5 MiB)

wlan0-1   Link encap:Ethernet  HWaddr F6:F2:6D:F1:C1:8A  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:176448 errors:0 dropped:0 overruns:0 frame:0
          TX packets:180268 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:93007074 (88.6 MiB)  TX bytes:162836643 (155.2 MiB)

Thanks a lot. I really appreciate the help :smiley:

Cheers,
Err404


#4

Hello and welcome to the Freifunk project,

I’m not familiar with the Freifunk Dresden firmware. Most communities in Germany use a Gluon based firmware, whereas Gluon is based on OpenWRT. I’m not sure whether they use Gluon nowadays or not. But a bridging between your private network and the Freifunk wifi should never ever accidentally happen.

I’d completely reset the router and start from zero again. Go through the settings once more, enable VPN and then check the following two things:

  • does your freifunk router obtain an ip address from private internet router via DHCP? Is it pingable on that ip from within your private network?
  • check with the people from FF-Dresden whether your Freifunk router needs to be registered before it can use a VPN connection. In some communities, this is the case.

Regards,
Matthias


#5

Hi Matthias,

thanks for your help answering the questions. But those are confusing, because the logs above already show clearly that the router is working correctly. VPN doesn’t need to be activated, the WAN port has correct IP addresses and the VPN connection had been established.
The firmware in Dresden does not use Gluon, but is also based on OpenWrt.
There is also no registration needed with any server to get it running. As long as the router has not seen our registration server, a temporary node number is used. This number determines the used IP address. Later, when registration took place, the router gets the node number updated and restarts to reflect the new settings.
Because the IP address is from the registration range, the router has also registered correctly.
I’ll reply with more answers to the post from err404.
But thanks for your help anyway.
BR
Stephan


#6

Hi Err404,

the logs and outputs are correct.
Can you login to the router per ssh (using linux ssh command or putty via windows or so)?
Password is same as used for web login.

If yes, please give me some output of command line commands. If you like, you may send me the password via email directly to me (you may change it before to something different if you like) at stephan@freifunk-dresden.de
I then can directly check if something is wrong. As Matthias said bridging should never happen directly.

When I look at sysinfo-json then I see that your router is correctly not giving our internet public. For other Freifunk users there is no way to use your internet connection directly.

But can you check if the public IP that you are seeing as Internet address in your smartphone/laptop is exactly the same that your home router has got? Because Freifunk Dresden has around 10 internet servers/routers where your traffic can go to. Those IP addresses might be in Germany and also might be the same internet provider, but not your public IP.

Can you give me a traceroute seen from your smartphone to some internet addresses that you have checked? I think this is the first that you can give me. I only have time until tomorrow noon to help you directly (I’m then on vacation).

When you log in via ssh I would like to see the following outputs of those commands:

brctl show
ip rule
ip ro list table local_gateway
ip ro list table public_gateway

Edit: What device have you used to check whether your traffic goes through freifunk network?
I ask because when you use an Android smartphone it will try to detect if it has a working internet connection. If the Freifunk router has no internet then Android either changes your access point connection to a different router or it simply shows the wifi icon in the title with an “!” (which means Android uses your mobile data connection).

BR
Stephan
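
The check requested in the post above (does a wifi client leave via the Freifunk mesh or directly via the home router, and is its public IP exactly the home router's?), written out as an added example that is not part of the original thread or of the FFDD firmware. The address ranges are read off the ifconfig output and syslog in post #3; the traceroute texts and public IPs are constructed samples, and the function names are hypothetical.

```python
import ipaddress
import re

# Ranges read off the ifconfig output and syslog posted in this thread.
CLIENT_NET = ipaddress.ip_network("192.168.252.0/22")  # br-wifi2 (Freifunk wifi clients)
WAN_NET = ipaddress.ip_network("192.168.16.0/24")      # eth1 (home LAN behind the ISP router)
MESH_NETS = [ipaddress.ip_network("10.200.0.0/16"),    # bmx_prime (node addresses)
             ipaddress.ip_network("10.201.0.0/16")]    # tbb_fastd (backbone links)

IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

# Constructed sample: client traffic handed to a Freifunk gateway.
MESH_TRACE = """traceroute to 198.51.100.7 (198.51.100.7), 30 hops max
 1  192.168.252.1 (192.168.252.1)  2.1 ms
 2  10.200.0.103 (10.200.0.103)  28.4 ms
 3  * * *
 4  198.51.100.7 (198.51.100.7)  35.0 ms
"""

# Constructed sample: client traffic leaving through the home router.
DIRECT_TRACE = """ 1  192.168.252.1  1.9 ms
 2  192.168.16.1  3.0 ms
 3  203.0.113.1  11.2 ms
"""


def parse_hops(traceroute_text):
    """Return one entry per hop line: an IPv4Address, or None for '* * *'."""
    hops = []
    for line in traceroute_text.splitlines():
        m = re.match(r"\s*\d+\s+(.*)", line)
        if not m:
            continue  # header or blank line
        found = IPV4_RE.search(m.group(1))
        try:
            hops.append(ipaddress.ip_address(found.group(0)) if found else None)
        except ValueError:
            hops.append(None)  # looked like an address but is not one
    return hops


def egress_path(traceroute_text):
    """Classify the first hop beyond the Freifunk router's client subnet."""
    for hop in parse_hops(traceroute_text):
        if hop is None or hop in CLIENT_NET:
            continue  # unanswered hop, or the Freifunk router itself
        if hop in WAN_NET:
            return "direct"  # home LAN gateway: traffic bypasses the mesh
        if any(hop in net for net in MESH_NETS):
            return "mesh"
    return "inconclusive"


def check_client(traceroute_text, client_public_ip, home_public_ip):
    """Combine the path check with the exact public-IP comparison."""
    path = egress_path(traceroute_text)
    same_ip = (ipaddress.ip_address(client_public_ip)
               == ipaddress.ip_address(home_public_ip))
    return {"path": path, "same_public_ip": same_ip,
            "leak": path == "direct" or same_ip}
```

The public IPs are compared for exact equality because, as the post notes, a Freifunk gateway may sit at the same provider and in the same country as the home connection.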


#7

Alright, I wasn’t sure how the setup is in Dresden and I wasn’t sure whether you’re from there or just trying to give general help. I guess you’ll take it from here :). Good luck


#8

Hey, no problem, I’m the main developer of the firmware in Dresden and also of the infrastructure of server and network. :wink:
Thanks anyway


#9

Hi Stephan,

Oddly enough, everything seems to be in order now. The router is connected to the backbones and the wifi clients are routed over the VPN. I’m not sure if it was simply a matter of time or if you did any intervention from the admin side. Either way, thank you very much for the support :smiley:. I will move the node back to my original location (different ISP, different IP) on Monday and hopefully it still works.

On a different note, I’d love to participate in / attend any community meetings that you might be organising to chat and learn a few more things about FFDD. I saw that there were biweekly Wednesday meetings. Is there one happening this week?

Thanks again.
Cheers,
Err404


#10

Hi Matthias,

> I’m not familiar with the Freifunk Dresden firmware. Most communities in Germany use a Gluon based firmware, whereas Gluon is based on OpenWRT. I’m not sure whether they use Gluon nowadays or not. But a bridging between your private network and the Freifunk wifi should never ever accidentally happen.

As Stephan just pointed out, they are not using Gluon. Actually, I was experimenting with Gluon myself for this reason when I encountered that FFDD community was established and quite mature so I wanted to try their firmware out in a bunch of nodes to see how it performs (I’m not particularly the biggest fan of BMX though :stuck_out_tongue: ).

Thanks for trying to help though.

Cheers,
err404