21.02.01 OpenVPN works but I don't know why

Hello,

So I just upgraded my WRT3200ACM to OpenWrt 21.02.1 and tried to get the OpenVPN client to function properly. At first everything was working: I checked my IP and it was indeed the VPN provider's IP address. Shortly after, I could not enter most websites, but I still had an internet connection. For some reason I could Google random stuff for about 5-10 minutes, then the connection died. I have tried both TCP and UDP (and other servers).

I then followed a guide at:

According to this guide, I had done everything correctly for configuring OpenVPN for a device that is using OpenWrt 21.02+.
I saw that some additional steps were required if the device is running a version lower than 21.02 (does not concern me):

(1) Add to the config file under "auth-user-pass":

script-security 2
up /etc/openvpn/client.sh
down /etc/openvpn/client.sh

and

(2) SSH into the router and add the DNS updater script:

cat << "EOF" > /etc/openvpn/client.sh
#!/bin/sh
# Turn the DNS/DOMAIN options the server pushed (exported by OpenVPN to the
# hook as foreign_option_N="dhcp-option DNS ...") into resolv.conf lines.
env | sed -n -e "
/^foreign_option_.*=dhcp-option.*DNS/s//nameserver/p
/^foreign_option_.*=dhcp-option.*DOMAIN/s//search/p
" | sort -u > /tmp/resolv.conf.vpn
# On "up" point dnsmasq's upstream resolver list at that file (the change is
# never committed, so it does not persist); on "down" discard the uncommitted change.
case ${script_type} in
(up) uci set dhcp.@dnsmasq[0].resolvfile="/tmp/resolv.conf.vpn" ;;
(down) uci revert dhcp ;;
esac
# Restart dnsmasq in the background so the hook returns to OpenVPN promptly.
/etc/init.d/dnsmasq restart &
EOF
chmod +x /etc/openvpn/client.sh

Again, I'm not supposed to do this according to the linked guide as I'm running 21.02.1, yet adding them makes the VPN function properly.

(A)
Why does the VPN work after adding steps 1 & 2 and is it a bad solution?

(B)
Could I do this another way that does not involve SSHing into the router and adding a DNS script?
I don't really like to mess around with the command line when I don't fully understand what I'm doing: GUI first, terminal later :)

Thank you for reading all of this!

As far as I understand, that is for updating the DNS servers to the proper ones depending on whether the VPN is up or down: when it is up, use the DNS of the VPN, and if down, use the ones of your own connection.

Maybe those DNS servers are from an ISP that restricts them from being used from another connection, so you may try to put fixed public DNS servers like 1.1.1.1, 8.8.8.8 or 9.9.9.9.
If you can browse for a few minutes, it can be DNS, since cached DNS will work until the TTL of the cache expires.

But, again, I'm not sure if that's it.

It appears it is setting dnsmasq to push the VPN DNS servers over DHCP so that the endpoint users have them directly advertised. This would have no effect on an endpoint until the endpoint reconnects or requests a DHCP renewal.

If you want to go through the VPN all the time and have it intentionally break ("kill switch" functionality) should the VPN be down, you could just set the settings assuming the VPN will be up. Make sure that DNS works well enough in the down state for the router to resolve the IP of the VPN server so it can make initial contact, or configure the VPN server by IP instead of name.
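To make the two explanations above (what the hook is for, and what it changes in dnsmasq) concrete, here is an added example that is not the thread's hook and not the OpenWrt wiki script. It runs the same `foreign_option_N` parsing on a constructed environment, so the behaviour can be checked on any machine without a tunnel, `uci` or dnsmasq, and it adds one guard the posted hook lacks: it refuses to switch dnsmasq to a resolv file that contains no `nameserver` line. The `vpn_resolv_lines`, `vpn_up_action`, `sample_env` and `sample_env_nodns` names and the sample values (10.8.0.x, vpn.example) are assumptions made for the example.

```shell
#!/bin/sh
# Added example; not the thread's hook and not the OpenWrt wiki script.
# It runs the same foreign_option_N parsing on a constructed environment,
# so the behaviour can be checked without a tunnel, uci or dnsmasq.

# OpenVPN exports every pushed option to the up/down hook as
# foreign_option_N="dhcp-option DNS 10.8.0.1" (or "... DOMAIN name").
# Read such NAME=value lines on stdin and emit resolv.conf syntax; the sed
# expressions are the ones the hook in the thread applies to `env`.
vpn_resolv_lines() {
    sed -n \
        -e '/^foreign_option_.*=dhcp-option.*DNS/s//nameserver/p' \
        -e '/^foreign_option_.*=dhcp-option.*DOMAIN/s//search/p' | sort -u
}

# Guard for the "up" branch: print "use" when at least one nameserver was
# pushed, "keep" otherwise. Pointing dnsmasq's resolvfile at a file without
# a nameserver line leaves it with no upstream servers at all, so every
# uncached lookup fails; in that case leave the current resolvfile alone.
vpn_up_action() {
    lines=$1
    if printf '%s\n' "$lines" | grep -q '^nameserver '; then
        echo use
    else
        echo keep
    fi
}

# Constructed environment (assumed values), roughly what `env` shows inside
# an "up" hook when the server pushes two resolvers and a search domain.
sample_env() {
    printf '%s\n' \
        'script_type=up' \
        'dev=tun0' \
        'ifconfig_local=10.8.0.6' \
        'foreign_option_1=dhcp-option DNS 10.8.0.1' \
        'foreign_option_2=dhcp-option DNS 10.8.0.2' \
        'foreign_option_3=dhcp-option DOMAIN vpn.example'
}

# Constructed environment of a server that pushed a domain but no resolver.
sample_env_nodns() {
    printf '%s\n' \
        'script_type=up' \
        'foreign_option_1=dhcp-option DOMAIN vpn.example'
}

# Stand-alone run: show both cases. On the router the hook would write the
# first output to /tmp/resolv.conf.vpn and only then change
# dhcp.@dnsmasq[0].resolvfile.
main() {
    lines=$(sample_env | vpn_resolv_lines)
    echo "$lines"
    echo "up action: $(vpn_up_action "$lines")"
    echo "up action with no DNS pushed: $(vpn_up_action "$(sample_env_nodns | vpn_resolv_lines)")"
}
main
```

Two things worth keeping in mind when reading the posted hook alongside this: `uci set dhcp.@dnsmasq[0].resolvfile=...` changes which file dnsmasq reads its upstream resolvers from (the servers the router itself forwards to), not what the router hands out to LAN clients over DHCP, and the hook never runs `uci commit`, so `uci revert dhcp` on `down` simply throws the uncommitted change away and nothing is written to /etc/config/dhcp.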

Ask support of your provider, if you follow their official manual.

Does the site specifically say that 21.02 should be treated differently, or does it just say that 19.07 and earlier use that script? It is entirely possible that they haven't updated the procedure for 21.02 but that it is very similar (if not the same).

They use an old version of the script from the OpenWrt wiki I coded a while ago.
Unfortunately there are known issues affecting all OpenWrt releases.
An up-to-date version of the same script is located here:
https://openwrt.org/docs/guide-user/services/vpn/openvpn/extras#dns_and_domain