Cannot access google due to "your connection to this site is not secure"

I have the OpenVPN client installed on my OpenWrt. Its connection to the OpenVPN server works fine.
After I connect my client PC to the OpenWrt network, it can access some sites, e.g. linkedin.com.
But it cannot access google.com or youtube.com; the error shown on the page is "your connection to this site is not secure". I checked the cert it shows, and it is for *.instagram.com. Why? Interesting.

If I switch to another network and connect to the same OpenVPN server with the client on my PC, everything works.

I guess there is a cert repo in OpenWrt. Can I do something to correct the cert it uses to visit google.com? If so, how?

Any help is much appreciated.

OpenWrt isn't touching your encrypted traffic.

Are the FQDNs resolving to the correct IPs?


Thanks for the reply.

I performed "network diagnostics" in OpenWrt to ping google.com; it did get a reply even though it was very slow, avg 520 ms. The IP returned for google.com is 142.251.43.14;
I think it is correct.

Agree with @frollic: check your DNS resolution and compare the output with the default and another public DNS resolver.

OK, I checked again. Sometimes pinging google.com returns an invalid IP, 59.24.3.174, and gets 100% packet loss. What happened? Any idea what to do about it? :frowning:

DNS poisoning, I guess; try 1.1.1.1, 8.8.8.8.
59.24.3.174 is Korea Telecom; your traffic is being intercepted. Do not install the certificate to solve the SSL issue!

It's your setup, you tell us.

Start by posting your config.

You could also compare FQDN pings from the router and the clients.

Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have.

ubus call system board; \
uci export network; \
uci export dhcp; uci export firewall; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
ip -6 addr ; ip -6 ro li tab all ; ip -6 ru; \
ls -l  /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; \
nslookup google.com 1.1.1.1 ; nslookup google.com

Thanks. Here it is:

{
        "kernel": "5.10.201",
        "hostname": "iStoreOS",
        "system": "ARMv8 Processor rev 0",
        "model": "FriendlyElec NanoPi R5S LTS",
        "board_name": "friendlyelec,nanopi-r5s",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "iStoreOS",
                "version": "22.03.6",
                "revision": "2024051012",
                "target": "rockchip/rk35xx",
                "description": "iStoreOS 22.03.6 2024051012"
        }
}
package network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdad:7e51:97f6::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1'
        list ports 'eth2'

config device
        option name 'eth1'
        option macaddr '6a:9f:87:2d:35:08'

config device
        option name 'eth2'
        option macaddr '6a:9f:87:2d:35:0a'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.100.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option defaultroute '0'

config device
        option name 'eth0'
        option macaddr '6a:9f:87:2d:35:07'

config interface 'wan'
        option device 'eth0'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth0'
        option proto 'dhcpv6'

config interface 'tun0'
        option proto 'none'
        option device 'tun0'

package dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '1'
        option filter_a '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        option ra_slaac '1'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

package firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option fullcone '0'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        option auto_helper '0'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option auto_helper '0'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled 'false'

config include
        option path '/etc/firewall.user'

config include 'miniupnpd'
        option type 'script'
        option path '/usr/share/miniupnpd/firewall.include'
        option family 'any'
        option reload '1'

config nat 'docker_nat'
        option name 'DockerNAT'
        option proto 'all'
        option src 'lan'
        option target 'MASQUERADE'
        option extra '-i docker0'

config rule 'linkease'
        option name 'linkease'
        option target 'ACCEPT'
        option src 'wan'
        option proto 'tcp'
        option dest_port '8897'

config zone 'docker'
        option name 'docker'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option auto_helper '0'
        list device 'docker0'

config forwarding 'docker_to_wan'
        option src 'docker'
        option dest 'wan'

config forwarding 'docker_to_lan'
        option src 'docker'
        option dest 'lan'

config forwarding 'lan_to_docker'
        option src 'lan'
        option dest 'docker'

config zone
        option name 'VPN_FW'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option auto_helper '0'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'tun0'
        list network 'wan'

config forwarding
        option src 'lan'
        option dest 'VPN_FW'

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    inet 192.168.21.110/24 brd 192.168.21.255 scope global eth0
       valid_lft forever preferred_lft forever
17: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.100.1/24 brd 192.168.100.255 scope global br-lan
       valid_lft forever preferred_lft forever
19: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
23: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
    inet 10.8.0.2/16 scope global tun0
       valid_lft forever preferred_lft forever
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.21.1 dev eth0 proto static src 192.168.21.110
10.8.0.0/16 dev tun0 proto kernel scope link src 10.8.0.2
20.254.162.75 via 192.168.21.1 dev eth0
128.0.0.0/1 via 10.8.0.1 dev tun0
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
192.168.21.0/24 dev eth0 proto kernel scope link src 192.168.21.110
192.168.100.0/24 dev br-lan proto kernel scope link src 192.168.100.1
broadcast 10.8.0.0 dev tun0 table local proto kernel scope link src 10.8.0.2
local 10.8.0.2 dev tun0 table local proto kernel scope host src 10.8.0.2
broadcast 10.8.255.255 dev tun0 table local proto kernel scope link src 10.8.0.2
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 172.17.0.0 dev docker0 table local proto kernel scope link src 172.17.0.1 linkdown
local 172.17.0.1 dev docker0 table local proto kernel scope host src 172.17.0.1
broadcast 172.17.255.255 dev docker0 table local proto kernel scope link src 172.17.0.1 linkdown
broadcast 192.168.21.0 dev eth0 table local proto kernel scope link src 192.168.21.110
local 192.168.21.110 dev eth0 table local proto kernel scope host src 192.168.21.110
broadcast 192.168.21.255 dev eth0 table local proto kernel scope link src 192.168.21.110
broadcast 192.168.100.0 dev br-lan table local proto kernel scope link src 192.168.100.1
local 192.168.100.1 dev br-lan table local proto kernel scope host src 192.168.100.1
broadcast 192.168.100.255 dev br-lan table local proto kernel scope link src 192.168.100.1
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2408:820c:8fa8:d0b0:689f:87ff:fe2d:3507/64 scope global dynamic noprefixroute
       valid_lft 259098sec preferred_lft 172698sec
    inet6 fe80::689f:87ff:fe2d:3507/64 scope link
       valid_lft forever preferred_lft forever
17: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fdad:7e51:97f6::1/60 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fe80::689f:87ff:fe2d:3508/64 scope link
       valid_lft forever preferred_lft forever
23: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 state UNKNOWN qlen 500
    inet6 fe80::4048:4c3:13e7:3e57/64 scope link stable-privacy
       valid_lft forever preferred_lft forever
default from 2408:820c:8fa8:d0b0::/64 via fe80:0:f4:1c:71:1b:93:80 dev eth0 proto static metric 512 pref medium
2408:820c:8fa8:d0b0::/64 dev eth0 proto static metric 256 pref medium
unreachable 2408:820c:8fa8:d0b0::/64 dev lo proto static metric 2147483647 pref medium
fd33:2ef2:cff7::/64 from 2408:820c:8fa8:d0b0::/64 via fe80::1832:af6d:c742:37b3 dev eth0 proto static metric 512 pref medium
fdad:7e51:97f6::/64 dev br-lan proto static metric 1024 pref medium
unreachable fdad:7e51:97f6::/48 dev lo proto static metric 2147483647 pref medium
unreachable fde9:230:f655:884a::/64 dev lo proto static metric 2147483647 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev br-lan proto kernel metric 256 pref medium
fe80::/64 dev tun0 proto kernel metric 256 pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
anycast 2408:820c:8fa8:d0b0:: dev eth0 table local proto kernel metric 0 pref medium
local 2408:820c:8fa8:d0b0:689f:87ff:fe2d:3507 dev eth0 table local proto kernel metric 0 pref medium
anycast fdad:7e51:97f6:: dev br-lan table local proto kernel metric 0 pref medium
local fdad:7e51:97f6::1 dev br-lan table local proto kernel metric 0 pref medium
anycast fe80:: dev eth0 table local proto kernel metric 0 pref medium
anycast fe80:: dev br-lan table local proto kernel metric 0 pref medium
anycast fe80:: dev tun0 table local proto kernel metric 0 pref medium
local fe80::4048:4c3:13e7:3e57 dev tun0 table local proto kernel metric 0 pref medium
local fe80::689f:87ff:fe2d:3507 dev eth0 table local proto kernel metric 0 pref medium
local fe80::689f:87ff:fe2d:3508 dev br-lan table local proto kernel metric 0 pref medium
multicast ff00::/8 dev br-lan table local proto kernel metric 256 pref medium
multicast ff00::/8 dev eth0 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev tun0 table local proto kernel metric 256 pref medium
0:      from all lookup local
32766:  from all lookup main
lrwxrwxrwx    1 root     root            16 May  8 13:11 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r--    1 root     root            47 May 26 17:16 /tmp/resolv.conf
-rw-r--r--    1 root     root            53 May 26 17:16 /tmp/resolv.conf.d/resolv.conf.auto

/tmp/resolv.conf.d:
-rw-r--r--    1 root     root            53 May 26 17:16 resolv.conf.auto
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1

==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1

==> /tmp/resolv.conf.d <==
head: /tmp/resolv.conf.d: I/O error

==> /tmp/resolv.conf.d/resolv.conf.auto <==
# Interface wan
nameserver 192.168.21.1
search VS020
Server:         1.1.1.1
Address:        1.1.1.1:53

Non-authoritative answer:
Name:   google.com
Address: 142.250.187.206

Non-authoritative answer:
Name:   google.com
Address: 2a00:1450:4009:81e::200e

Server:         127.0.0.1
Address:        127.0.0.1:53

Non-authoritative answer:
Name:   google.com
Address: 93.46.8.90

Non-authoritative answer:

I just installed the OpenVPN client, created an interface for it, and a new firewall zone for it. Nothing more.

That's not OpenWrt though, is it?

It appears you are using firmware that is not from the official OpenWrt project.

When using forks/offshoots/vendor-specific builds that are "based on OpenWrt", there may be many differences compared to the official versions (hosted by OpenWrt.org). Some of these customizations may fundamentally change the way that OpenWrt works. You might need help from people with specific/specialized knowledge about the firmware you are using, so it is possible that advice you get here may not be useful.

You may find that the best options are:

  1. Install an official version of OpenWrt, if your device is supported (see https://firmware-selector.openwrt.org).
  2. Ask for help from the maintainer(s) or user community of the specific firmware that you are using.
  3. Provide the source code for the firmware so that users on this forum can understand how your firmware works (OpenWrt forum users are volunteers, so somebody might look at the code if they have time and are interested in your issue).

If you believe that this specific issue is common to generic/official OpenWrt and/or the maintainers of your build have indicated as such, please feel free to clarify.

It is customized from OpenWrt.

Then ask the people who customized it for you, not us.

Let me try the official OpenWrt firmware.

Thank you very much anyway.

OK, coming back with the result on OpenWrt: same issue accessing google.com.
I just flashed the OpenWrt firmware to the device and installed & configured the OpenVPN client. Not able to access google, but youtube.com works with "your connection to this site is not secure"; the difference between them is that a Google cert is used for accessing youtube and a Facebook cert is used for accessing google.com.

{
        "kernel": "6.6.30",
        "hostname": "OpenWrt",
        "system": "ARMv8 Processor rev 0",
        "model": "FriendlyElec NanoPi R5S",
        "board_name": "friendlyarm,nanopi-r5s",
        "rootfs_type": "ext4",
        "release": {
                "distribution": "OpenWrt",
                "version": "SNAPSHOT",
                "revision": "r26379-1082c6556e",
                "target": "rockchip/armv8",
                "description": "OpenWrt SNAPSHOT r26379-1082c6556e"
        }
}
package network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd00:4b2e:e3db::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1'
        list ports 'eth2'

config device
        option name 'eth1'
        option macaddr '6a:9f:87:2d:35:08'

config device
        option name 'eth2'
        option macaddr '6a:9f:87:2d:35:08'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'eth0'
        option macaddr '6a:9f:87:2d:35:07'

config interface 'wan'
        option device 'eth0'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth0'
        option proto 'dhcpv6'

config interface 'tun0'
        option proto 'none'
        option device 'tun0'

package dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        option ra_slaac '1'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

package firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'
        list network 'tun0'
        list device 'tun0'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    inet 192.168.21.110/24 brd 192.168.21.255 scope global eth0
       valid_lft forever preferred_lft forever
5: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
6: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN qlen 500
    inet 10.8.0.2/16 scope global tun0
       valid_lft forever preferred_lft forever
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.21.1 dev eth0  src 192.168.21.110
10.8.0.0/16 dev tun0 scope link  src 10.8.0.2
20.254.162.75 via 192.168.21.1 dev eth0
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev br-lan scope link  src 192.168.1.1
192.168.21.0/24 dev eth0 scope link  src 192.168.21.110
local 10.8.0.2 dev tun0 table local scope host  src 10.8.0.2
broadcast 10.8.255.255 dev tun0 table local scope link  src 10.8.0.2
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1
local 192.168.1.1 dev br-lan table local scope host  src 192.168.1.1
broadcast 192.168.1.255 dev br-lan table local scope link  src 192.168.1.1
local 192.168.21.110 dev eth0 table local scope host  src 192.168.21.110
broadcast 192.168.21.255 dev eth0 table local scope link  src 192.168.21.110
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2408:820c:8fa8:d0b0:689f:87ff:fe2d:3507/64 scope global dynamic noprefixroute
       valid_lft 259077sec preferred_lft 172677sec
    inet6 fe80::689f:87ff:fe2d:3507/64 scope link
       valid_lft forever preferred_lft forever
5: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fd00:4b2e:e3db::1/60 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fe80::689f:87ff:fe2d:3508/64 scope link
       valid_lft forever preferred_lft forever
6: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 state UNKNOWN qlen 500
    inet6 fe80::7da3:ed54:1d4:3553/64 scope link flags 800
       valid_lft forever preferred_lft forever
default from 2408:820c:8fa8:d0b0::/64 via fe80:0:f4:1c:71:1b:93:80 dev eth0  metric 512
2408:820c:8fa8:d0b0::/64 dev eth0  metric 256
unreachable 2408:820c:8fa8:d0b0::/64 dev lo  metric 2147483647
fd00:4b2e:e3db::/64 dev br-lan  metric 1024
unreachable fd00:4b2e:e3db::/48 dev lo  metric 2147483647
fd33:2ef2:cff7::/64 from 2408:820c:8fa8:d0b0::/64 via fe80::1832:af6d:c742:37b3 dev eth0  metric 512
fe80::/64 dev br-lan  metric 256
fe80::/64 dev eth0  metric 256
fe80::/64 dev tun0  metric 256
local ::1 dev lo table local  metric 0
anycast 2408:820c:8fa8:d0b0:: dev eth0 table local  metric 0
local 2408:820c:8fa8:d0b0:689f:87ff:fe2d:3507 dev eth0 table local  metric 0
anycast fd00:4b2e:e3db:: dev br-lan table local  metric 0
local fd00:4b2e:e3db::1 dev br-lan table local  metric 0
anycast fe80:: dev br-lan table local  metric 0
anycast fe80:: dev eth0 table local  metric 0
anycast fe80:: dev tun0 table local  metric 0
local fe80::689f:87ff:fe2d:3507 dev eth0 table local  metric 0
local fe80::689f:87ff:fe2d:3508 dev br-lan table local  metric 0
local fe80::7da3:ed54:1d4:3553 dev tun0 table local  metric 0
multicast ff00::/8 dev br-lan table local  metric 256
multicast ff00::/8 dev eth0 table local  metric 256
multicast ff00::/8 dev tun0 table local  metric 256
0:      from all lookup local
32766:  from all lookup main
lrwxrwxrwx    1 root     root            16 May 21 10:29 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r--    1 root     root            47 May 26 11:25 /tmp/resolv.conf
-rw-r--r--    1 root     root            53 May 26 11:25 /tmp/resolv.conf.d/resolv.conf.auto

/tmp/resolv.conf.d:
-rw-r--r--    1 root     root            53 May 26 11:25 resolv.conf.auto
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1

==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1

==> /tmp/resolv.conf.d <==
head: /tmp/resolv.conf.d: I/O error

==> /tmp/resolv.conf.d/resolv.conf.auto <==
# Interface wan
nameserver 192.168.21.1
search VS020
Server:         1.1.1.1
Address:        1.1.1.1:53

Non-authoritative answer:
Name:   google.com
Address: 142.250.187.206

Non-authoritative answer:
Name:   google.com
Address: 2a00:1450:4009:81e::200e

Server:         127.0.0.1
Address:        127.0.0.1:53

Non-authoritative answer:
Name:   google.com
Address: 46.82.174.69

Non-authoritative answer:


It seems the issue is here:

Running the command

nslookup google.com 1.1.1.1

returns the correct Google IP, but if I just run

nslookup google.com

the IP returned is not accessible.

DNS issue? Any idea how to fix it? Where to configure it? wan? tun0?

Many thanks
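The two observations in this thread, a resolver answer that a public resolver never gives and a certificate for the wrong name when you connect to that address, can be checked from the client PC with one script. The following is an added example, not code from the thread or from OpenWrt: the two nslookup outputs are constructed in the busybox format posted above, the comparison runs offline, and the live certificate probe (only with PROBE=1) assumes the openssl CLI (1.1.1 or later, for -ext) and network access.

```shell
#!/bin/sh
# Added example (not from the thread): flag answers the local resolver
# gives that a trusted resolver never gave, then, optionally, look at
# which certificate the suspect address presents for the name.  The two
# nslookup outputs are constructed in the busybox format seen above;
# the live probe assumes the openssl CLI (1.1.1+, for -ext) and network.

TRUSTED_OUT='Server:         1.1.1.1
Address:        1.1.1.1:53

Non-authoritative answer:
Name:   google.com
Address: 142.250.187.206

Non-authoritative answer:
Name:   google.com
Address: 2a00:1450:4009:81e::200e'

LOCAL_OUT='Server:         127.0.0.1
Address:        127.0.0.1:53

Non-authoritative answer:
Name:   google.com
Address: 46.82.174.69'

# Answer addresses from busybox nslookup output, one per line.  The
# Address: line right under Server: is the resolver itself, so only
# addresses after a Name: line count.
answers() {
    printf '%s\n' "$1" | awk '
        /^Server:/  { seen = 0 }
        /^Name:/    { seen = 1 }
        /^Address:/ { if (seen) print $2 }'
}

# Addresses in the suspect output ($2) absent from the trusted output ($1).
# Big sites hand different resolvers different addresses, so a hit is a
# reason to probe, not proof of interception on its own.
unexpected_answers() {
    trusted=$(answers "$1")
    for a in $(answers "$2"); do
        printf '%s\n' "$trusted" | grep -qxF -- "$a" || echo "$a"
    done
}

# DNS names from 'openssl x509 -noout -ext subjectAltName' output.
san_names() {
    tr ',' '\n' | sed -n 's/.*DNS:\([^ ,]*\).*/\1/p'
}

# Does one SAN cover the name?  Accepts the single-label leftmost
# wildcard browsers accept: *.example.com covers a.example.com but not
# example.com or a.b.example.com.  Lower-case both sides on real input.
san_covers() {
    case "$1" in
        \*.*) [ "${2#*.}" = "${1#\*.}" ] && [ "$2" != "${2#*.}" ] ;;
        *)    [ "$1" = "$2" ] ;;
    esac
}

# 0 if any SAN read from stdin (one per line) covers $1.
name_covered() {
    while read -r san; do
        san_covers "$san" "$1" && return 0
    done
    return 1
}

# Connect to an address with SNI set to the name we asked for and print
# the DNS names of the certificate it presents.  Needs network.
cert_names_at() {
    case "$1" in *:*) host="[$1]" ;; *) host=$1 ;; esac
    printf '' | openssl s_client -connect "$host:443" -servername "$2" 2>/dev/null \
        | openssl x509 -noout -ext subjectAltName 2>/dev/null | san_names
}

# Report on one suspect address: 0 covered, 1 wrong certificate, 2 no answer.
probe() {
    names=$(cert_names_at "$1" "$2")
    if [ -z "$names" ]; then
        echo "  no certificate from $1 for $2"; return 2
    elif printf '%s\n' "$names" | name_covered "$2"; then
        echo "  certificate at $1 covers $2"; return 0
    fi
    echo "  certificate at $1 is for $(printf '%s' "$names" | tr '\n' ' '), not $2"
    return 1
}

# Offline comparison always runs; the live probe only with PROBE=1.
for a in $(unexpected_answers "$TRUSTED_OUT" "$LOCAL_OUT"); do
    echo "local resolver returned $a for google.com; 1.1.1.1 never did"
    if [ "${PROBE:-0}" = 1 ]; then probe "$a" google.com; fi
done
```

Feed it real output by replacing the two constructed strings with `nslookup google.com 1.1.1.1` and `nslookup google.com`. Two things the posted routing table explains: queries to 1.1.1.1 leave the router through tun0 (the 0.0.0.0/1 and 128.0.0.0/1 routes), while 192.168.21.1 sits on the directly attached eth0 subnet and is asked outside the tunnel, which is why only the local answer is wrong. And whatever certificate the probe prints for the bogus address, it is the interceptor's, so, as the earlier reply says, it must not be installed or trusted to make the warning go away.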

Your current DNS server is 192.168.21.1, which is your upstream router; not sure why that is not functioning.
But on the WAN interface > Advanced options, disable "Use DNS servers advertised by peer" and under "Custom DNS servers" add 9.9.9.9 and e.g. 1.0.0.1.

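The same change from the router's shell, plus a check that it took effect, as an added example rather than anything posted in the thread: the uci options below mirror the LuCI "Use DNS servers advertised by peer" and "Custom DNS servers" fields from the reply above, 9.9.9.9 and 1.0.0.1 are the reply's resolvers, their IPv6 counterparts for wan6 (2620:fe::fe and 2606:4700:4700::1001) are an assumption, and the resolv file path is the one in the posted dnsmasq config. Nothing is applied unless APPLY=1 is set on a box that has uci.

```shell
#!/bin/sh
# Added example, not from the thread: the uci equivalent of the LuCI
# change in the reply above (WAN > Advanced options), plus a check that
# the file dnsmasq reads its upstreams from no longer names the ISP
# router.  9.9.9.9 and 1.0.0.1 come from the reply; their IPv6 addresses
# (2620:fe::fe and 2606:4700:4700::1001) are assumed for wan6.

RESOLVFILE=/tmp/resolv.conf.d/resolv.conf.auto

# Stop taking resolvers from the DHCP/DHCPv6 lease and name our own,
# for both WAN interfaces so neither family falls back to the ISP.
apply_wan_dns() {
    uci set network.wan.peerdns='0'
    uci -q delete network.wan.dns
    uci add_list network.wan.dns='9.9.9.9'
    uci add_list network.wan.dns='1.0.0.1'
    uci set network.wan6.peerdns='0'
    uci -q delete network.wan6.dns
    uci add_list network.wan6.dns='2620:fe::fe'
    uci add_list network.wan6.dns='2606:4700:4700::1001'
    uci commit network
    /etc/init.d/network reload
}

# Return 1 if the resolv file ($1) names any upstream outside the
# allowed list given as the remaining arguments.
check_resolvfile() {
    file=$1; shift
    rc=0
    while read -r key val _; do
        [ "$key" = nameserver ] || continue
        if printf '%s\n' "$@" | grep -qxF -- "$val"; then
            echo "ok: $val"
        else
            echo "unexpected upstream: $val"; rc=1
        fi
    done < "$file"
    return $rc
}

# Only on the router, and only when asked: apply, give netifd a moment
# to rewrite the resolv file, then verify and resolve through dnsmasq.
if command -v uci >/dev/null 2>&1 && [ "${APPLY:-0}" = 1 ]; then
    apply_wan_dns
    sleep 3
    check_resolvfile "$RESOLVFILE" 9.9.9.9 1.0.0.1 2620:fe::fe 2606:4700:4700::1001 \
        && nslookup google.com
fi
```

After the reload, `/tmp/resolv.conf.d/resolv.conf.auto` should list only the configured servers under "# Interface wan", and a plain `nslookup google.com` should agree with `nslookup google.com 1.1.1.1`. Plain port-53 queries to a public resolver can themselves be redirected by an ISP; that did not happen here, because the router's default route sends them through tun0, but on a path without such a tunnel the upstream would need to be DoT or DoH (the https-dns-proxy package on OpenWrt) rather than just a different address.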

Awesome man!! After updating the DNS where you mentioned, the issue is gone!!

Google is not accessible through my ISP, so I think my upstream router is not able to resolve the Google IP from the ISP; I have to specify a DNS server which has the ability.
8.8.8.8 is a good one.
Thank you man!!!


DNS resolution and AS number traffic restriction are two different matters.
If your ISP dropped AS15169 traffic, then for sure you wouldn't be able to access Google services.
Glad to hear you solved the issue.

