I have defined DNS servers at using those provided by my VPN provider which I believe is the only abnormality. I have OpenVPN client running on the router but I can't ping and I can't load any packages.
PING openwrt.org (139.59.209.225): 56 data bytes
ping: sendto: Operation not permitted
How can I make the shell of OpenWRT still work while my LAN is being routed through the VPN?
I think you are saying devices connected to LAN are being tunnelled through the VPN.
Where have you defined the DNS servers on your OpenWrt router?
E.g. try adding them to 'Custom DNS server' in the LAN interface, or try using the Google 8.8.8.8 DNS server to verify your OpenVPN client is correctly configured.
I just tried commenting out the two DNS lines in the "network" config file and I still get the same error.
then the ping starts working if OpenVPN client is shut down. As long as VPN is running, I get this error:
_______ ________ __
| |.-----.-----.-----.| | | |.----.| |_
| - || _ | -__| || | | || _|| _|
|_______|| __|_____|__|__||________||__| |____|
|__| W I R E L E S S F R E E D O M
-----------------------------------------------------
OpenWrt 18.06.4, r7808-ef686b7292
-----------------------------------------------------
root@DuVPN:~# ping www.google.com
PING www.google.com (172.217.15.4): 56 data bytes
ping: sendto: Operation not permitted
root@DuVPN:~# /etc/init.d/openvpn stop
root@DuVPN:~# ping www.google.com
PING www.google.com (172.217.15.4): 56 data bytes
64 bytes from 172.217.15.4: seq=0 ttl=53 time=30.520 ms
64 bytes from 172.217.15.4: seq=1 ttl=53 time=57.860 ms
64 bytes from 172.217.15.4: seq=2 ttl=53 time=16.220 ms
^C
--- www.google.com ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 16.220/34.866/57.860 ms
root@DuVPN:~# /etc/init.d/openvpn start
root@DuVPN:~# ping www.google.com
PING www.google.com (216.58.217.4): 56 data bytes
ping: sendto: Operation not permitted
root@DuVPN:~#
I also have:
/etc/config/firewall:

config zone
    option name 'vpn'
    option input 'REJECT'
    option forward 'ACCEPT'
    option output 'REJECT'
    option masq '1'
    option mtu_fix '1'
    option network 'vpn0'

config forwarding
    option src 'lan'
    option dest 'vpn'

config forwarding
    option src 'vpn'
    option dest 'lan'

/etc/config/network:

config interface vpn0
    option ifname tun0
    option proto none
    option auto 1

config interface 'vpn0'
    option ifname 'tun0'
    option proto 'none'
    option auto '1'
***** MAJOR EDIT; refresh your screen and re-review above if viewing 2020 04 08
That did it. Changing the line to
option output 'ACCEPT'
allowed the VPN Client to work as intended with no DNS leaks for the LAN clients and also allows me to ping off the console and also install new packages on the router while the VPN is up and working (and thus allows adblock to do retrieves of new lists when needed). Thanks!
Bill888 - that's quite a bit of good effort you have provided to the community for something that is well needed I believe. Thank you.
My problem is that there are so many options on these panels that I don't understand, that I am left with raw plagiarism to get things up and running. Maybe I can read over all your work and somehow back-trace this hacking I've been doing to make more sense to me rather than my simple copy and paste.
What I have been doing the last couple of years is just "splicing in" those referenced blocks of code I submitted above using Windows and WinSCP while editing config files on each router I add VPN Client to and then in the simple plain text editor from WinSCP I edit the files. And of course also adding the openvpn config package from a VPN provider's Linux server setup example and that to the appropriate etc/openvpn. I have found it's also necessary to add DNS entries and use DNS server names provided by the VPN client providers to keep DNS from leaking.
I do the VPN setup like this because of my lack of Linux and routing table background and lack of understanding routing tables and the level of Linux that everyone seems to have here. I gathered bits and pieces of this setup method over the years and finally settled on this "improper method of setup, but it works" technique.
Hopefully I can go over your kind offerings here and get a better understanding on all this. Gracias!
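The fix reported in this thread was the vpn zone's output policy: a zone's output setting governs traffic the router itself sends out through that zone, so 'REJECT' there blocked the router's own ping and package downloads while the tunnel was up. The script below is an added example, not code from the thread; the function names and the embedded sample config are constructed for illustration, and it lists every zone whose explicit output policy is not ACCEPT.

```shell
#!/bin/sh
# Added example (not from the thread): list zones whose output policy is not ACCEPT.
# On a router: zones_blocking_output < /etc/config/firewall

# Constructed sample mirroring the vpn zone posted in the thread.
sample_firewall() {
cat <<'EOF'
config zone
	option name 'lan'
	option output 'ACCEPT'
	option network 'lan'

config zone
	option name 'vpn'
	option input 'REJECT'
	option forward 'ACCEPT'
	option output 'REJECT'
	option masq '1'
	option network 'vpn0'

config forwarding
	option src 'lan'
	option dest 'vpn'
EOF
}

# Reads a UCI firewall config on stdin; prints "zone policy networks" per finding.
# Zones with no explicit output option are skipped (assumption of this example).
zones_blocking_output() {
    awk -v q="'" '
    function emit() {
        if (inzone && out != "" && out != "ACCEPT")
            printf "%s %s %s\n", name, out, nets
        inzone = 0; name = ""; out = ""; nets = ""
    }
    { gsub(q, ""); gsub(/"/, "") }        # strip UCI quoting
    $1 == "config" { emit(); inzone = ($2 == "zone"); next }
    inzone && ($1 == "option" || $1 == "list") {
        if ($2 == "name") name = $3
        else if ($2 == "output") out = toupper($3)
        else if ($2 == "network")         # option or list, one or more networks
            for (i = 3; i <= NF; i++) nets = nets (nets == "" ? "" : ",") $i
    }
    END { emit() }
    '
}

sample_firewall | zones_blocking_output
```

An empty result means no zone explicitly rejects or drops router-originated traffic; LAN-to-VPN forwarding is controlled separately by the forward policy and the forwarding sections.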