Cannot ping over "SOME" OpenVPN client connections / Looking for a reliable OpenVPN service restart script

Hello all,

I am fairly new to OpenWrt and OpenVPN, but I have managed to set up a VM running the x86-64 image, with an OpenVPN client connecting to a paid VPN provider.

What I am finding is that with some servers I connect to (e.g. AU Melb), a ping (run from the OpenWrt shell over SSH) to a public IP (e.g. 1.1.1.1, 9.9.9.9, 8.8.8.8) succeeds, but with other VPN servers (e.g. US San Francisco) it just times out.

When connected to an AU Melbourne server, the following ping command receives a response 4 times, with no packet loss.
ping -I tun0 1.1.1.1

but when i connect to a US San Francisco server with the same command i get no response.

Same issue when i use the ping test in the Diagnostic menu.

I am trying to set up a script that runs every minute, pings over the tun0 interface, and restarts the openvpn service if no response is received.

Any help would be great :slight_smile:

I am not sure I understand exactly the problem.
Does ping work immediately after connecting, but not after a while?
Doesn't it work at all?
Can you post here the vpn configuration as well as the following:
cat /etc/config/network; cat /etc/config/firewall; ip -4 addr ; ip -4 ro ; ip -4 ru

@NewbieWRT, welcome to the community!

  • Why don't you inquire with your VPN provider?
  • I surmise you pay for support, correct?
# /etc/config/network as posted in the thread.

# Loopback interface, 127.0.0.1/8.
config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

# Global settings: the IPv6 ULA prefix for this router.
config globals 'globals'
        option ula_prefix 'fd43:6de5:dcf6::/48'

# LAN side: a bridge over eth0 with the static address 10.58.32.1/24.
# 'delegate 0' presumably turns off IPv6 prefix delegation here; confirm.
config interface 'lan'
        option type 'bridge'
        option ifname 'eth0'
        option proto 'static'
        option netmask '255.255.255.0'
        option delegate '0'
        option ipaddr '10.58.32.1'

# WAN side: eth1, addressed by DHCP. 'metric 5' is the metric that shows up on
# the eth1 routes in the `ip -4 ro` output later on this page.
config interface 'wan'
        option ifname 'eth1'
        option proto 'dhcp'
        option delegate '0'
        option hostname 'openwrtusa'
        option metric '5'

# Unmanaged wrapper around the OpenVPN tunnel device: 'proto none' means no
# address is configured from this file. The section gives tun0 a logical name
# ('ovct') that the firewall zone 'vpnfirewall' refers to.
config interface 'ovct'
        option proto 'none'
        option ifname 'tun0'


# /etc/config/firewall as posted in the thread.

# Global defaults: accept input and output, reject forwarding; SYN-flood
# protection is switched on.
config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

# LAN zone: fully trusted (input, output and forward all ACCEPT).
config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

# WAN zone: unsolicited input and forwarding are rejected. 'masq 0' disables
# masquerading on this zone.
# NOTE(review): 'wan6' is listed, but no 'wan6' interface appears in the
# network config shown on this page.
config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option mtu_fix '1'
        option masq '0'

# The rules below have 'src wan' and, unless a 'dest' is given, apply to
# traffic addressed to the router itself.

# Accept DHCP replies (UDP port 68) so the WAN lease can be renewed.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

# Accept IPv4 echo requests arriving on WAN, i.e. the router answers pings
# from the upstream network.
config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

# Accept IGMP from WAN.
config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

# Accept DHCPv6 (UDP port 546) between addresses in fc00::/6.
config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

# Accept the listed ICMPv6 type/code pairs from link-local sources
# (fe80::/10); the rule name indicates these are the MLD messages.
config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

# Accept the listed ICMPv6 types addressed to the router, rate-limited to
# 1000 packets per second.
config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# Same idea for forwarded ICMPv6 ('dest *' = any zone), with the same rate
# limit and without the neighbour/router discovery types.
config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# Forward ESP from WAN into LAN.
# NOTE(review): this rule and Allow-ISAKMP below open WAN-to-LAN forwarding
# for IPsec. If no LAN host terminates IPsec, both can be removed to shrink
# the exposed surface.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

# Forward UDP port 500 (the rule name indicates ISAKMP) from WAN into LAN.
config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# Pulls in custom rules from /etc/firewall.user. That file is not shown on
# this page, so what it adds cannot be assessed from here.
config include
        option path '/etc/firewall.user'

# Zone for the VPN tunnel (network 'ovct', i.e. tun0): unsolicited input and
# forwarding from the tunnel side are rejected, LAN traffic leaving through
# the tunnel is masqueraded ('masq 1'), and 'mtu_fix 1' is enabled.
# Output is ACCEPT, so this zone does not block pings the router itself sends
# out of tun0.
config zone
        option name 'vpnfirewall'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'ovct'

# The only forwarding in this file: LAN -> VPN zone. There is no LAN -> WAN
# forwarding, so LAN clients cannot be forwarded out of the WAN interface.
# NOTE(review): this looks like a deliberate VPN kill switch; confirm that is
# the intent.
config forwarding
        option dest 'vpnfirewall'
        option src 'lan'

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    inet 10.58.23.3/24 brd 10.58.23.255 scope global eth1
       valid_lft forever preferred_lft forever
4: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 10.58.32.1/24 brd 10.58.32.255 scope global br-lan
       valid_lft forever preferred_lft forever
5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
    inet 10.182.0.14 peer 10.182.0.13/32 scope global tun0
       valid_lft forever preferred_lft forever
0.0.0.0/1 via 10.182.0.13 dev tun0
default via 10.58.23.1 dev eth1 proto static src 10.58.23.3 metric 5
10.58.23.0/24 dev eth1 proto static scope link metric 5
10.58.32.0/24 dev br-lan proto kernel scope link src 10.58.32.1
10.182.0.1 via 10.182.0.13 dev tun0
10.182.0.13 dev tun0 proto kernel scope link src 10.182.0.14
104.238.43.143 via 10.58.23.1 dev eth1
128.0.0.0/1 via 10.182.0.13 dev tun0
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default

With the above config i cannot ping through the tun0 interface successfully.

If I change the VPN server I am connecting to, let's say to an AU Melb server, I can ping through the tun0 interface, no worries at all.

The .ovpn config files i use are identical and the only difference is the address for the different vpn servers.

All i can think of is that some of the vpn servers are blocking pings, while others are not.

Has me puzzled.

:clap:

YES!!! That's all I can think of too!!!
