Can't run ping under diagnostics with OpenVPN client active

I have defined DNS servers using those provided by my VPN provider, which I believe is the only abnormality. I have the OpenVPN client running on the router, but I can't ping and I can't load any packages.

PING openwrt.org (139.59.209.225): 56 data bytes
ping: sendto: Operation not permitted

How can I make the shell of OpenWRT still work while my LAN is being routed through the VPN?

1 Like

I think you are saying devices connected to LAN are being tunnelled through the VPN.

Where have you defined the DNS servers on your OpenWrt router?
E.g. try adding them to 'Custom DNS server' in the LAN interface, or try using Google's 8.8.8.8 DNS server to verify your OpenVPN client is correctly configured.

I had plugged the VPN DNS everywhere that I could find it because if I don't use their DNS servers, DNS Leak shows my true location.

/etc/config/dhcp:

config dhcp 'lan'
	list dhcp_option '6,(VPN DNS 1),(VPN DNS 2)'

/etc/config/network:

config interface 'lan'
	option dns '(VPN DNS1) (VPNDNS2)'

config interface 'wan'
	option dns '(VPN DNS1) (VPNDNS2)'

I just tried commenting out the two DNS lines in the "network" config file and I still get the same error.

Then the ping starts working if the OpenVPN client is shut down. As long as the VPN is running, I get this error:


 _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt 18.06.4, r7808-ef686b7292
 -----------------------------------------------------
root@DuVPN:~# ping www.google.com
PING www.google.com (172.217.15.4): 56 data bytes
ping: sendto: Operation not permitted

root@DuVPN:~# /etc/init.d/openvpn stop


root@DuVPN:~# ping www.google.com
PING www.google.com (172.217.15.4): 56 data bytes
64 bytes from 172.217.15.4: seq=0 ttl=53 time=30.520 ms
64 bytes from 172.217.15.4: seq=1 ttl=53 time=57.860 ms
64 bytes from 172.217.15.4: seq=2 ttl=53 time=16.220 ms
^C
--- www.google.com ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 16.220/34.866/57.860 ms

root@DuVPN:~# /etc/init.d/openvpn start

root@DuVPN:~# ping www.google.com
PING www.google.com (216.58.217.4): 56 data bytes
ping: sendto: Operation not permitted
root@DuVPN:~#

I also have:

/etc/config/firewall:

config zone
	option name 'vpn'
	option input 'REJECT'
	option forward 'ACCEPT'
	option output 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'vpn0'

config forwarding
	option src 'lan'
	option dest 'vpn'

config forwarding
	option src 'vpn'
	option dest 'lan'


/etc/config/network:

config interface vpn0
	option ifname tun0
	option proto none
	option auto 1

***** MAJOR EDIT; refresh your screen and re-review above if viewing 2020 04 08

1 Like

Try removing the following lines as I do not see these in my /etc/firewall config file in my openvpn client router.

config forwarding
	option src 'vpn'
	option dest 'lan'

It is not clear from your earlier posts, but do you get the same ping error when you use Google DNS servers?

Please post all of your /etc/firewall file to check for misconfiguration.

FWIW, as you are using 18.06.4, you may wish to review the alternative OpenVPN client setup/tutorial guide at the bottom of the owrt wiki page for the Dropbox link to my PDF guides. (v1.1 covers OpenWrt 18.06.)
https://openwrt.org/docs/guide-user/services/vpn/openvpn/client-luci

1 Like

You don't allow output on vpn zone. This won't permit ping or dns lookups from the router itself, unless you create rules in the firewall.

The forward is ACCEPT and you can switch it to REJECT.
Other than that, make sure the router is able to reach some nameserver when you enable the VPN.

3 Likes
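The diagnosis above is a policy check that can be done mechanically. The following is an added example, not code from this thread or from OpenWrt: a small Python checker that parses the UCI text format and flags the two transposed zone settings (output 'REJECT' on a zone, which blocks traffic the router itself originates through that zone, and forward 'ACCEPT', which trendy suggests switching to REJECT). The two sample configs are constructed from the zone posted earlier in the thread; only explicitly set options are evaluated, and fw3's defaults for unset options are deliberately not modelled (an assumption of this example).

```python
"""Lint an OpenWrt UCI firewall config for zone policies that cut off the
router's own traffic.

Added example, not code from this thread. It parses the UCI text format and
flags the two transposed settings diagnosed in the thread:
  * option output 'REJECT' (or 'DROP') on a zone blocks packets the router
    itself originates through that zone's interfaces, which is what produces
    "ping: sendto: Operation not permitted" while the tunnel is up.
  * option forward 'ACCEPT' on a VPN zone permits traffic between interfaces
    inside the zone; 'REJECT' is the stricter value suggested in the thread.
Assumption: only explicitly set options are evaluated; fw3's defaults for
unset zone options are not modelled here.
"""
import shlex
from typing import Dict, List

# Constructed sample: the zone and forwarding as posted in the thread.
BROKEN_FIREWALL = """
config zone
	option name 'vpn'
	option input 'REJECT'
	option forward 'ACCEPT'
	option output 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'vpn0'

config forwarding
	option src 'lan'
	option dest 'vpn'
"""

# Constructed sample: the same file with the two policies swapped back.
FIXED_FIREWALL = (
    BROKEN_FIREWALL
    .replace("option forward 'ACCEPT'", "option forward 'REJECT'")
    .replace("option output 'REJECT'", "option output 'ACCEPT'")
)


def parse_uci(text: str) -> List[Dict]:
    """Parse UCI config text into a list of sections.

    Each section is a dict with keys 'type', 'name' (None for anonymous
    sections), 'options' (str -> str) and 'lists' (str -> [str]).
    Quoted and unquoted values are both accepted, as in UCI itself.
    """
    sections: List[Dict] = []
    current = None
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            tokens = shlex.split(line)
        except ValueError as exc:  # e.g. a missing closing quote
            raise ValueError(f"line {lineno}: {exc}: {line!r}") from exc
        if len(tokens) < 2:
            raise ValueError(f"line {lineno}: incomplete statement {line!r}")
        keyword = tokens[0]
        if keyword == "config":
            current = {
                "type": tokens[1],
                "name": tokens[2] if len(tokens) > 2 else None,
                "options": {},
                "lists": {},
            }
            sections.append(current)
        elif current is None:
            raise ValueError(f"line {lineno}: '{keyword}' before any 'config' line")
        elif keyword == "option":
            current["options"][tokens[1]] = tokens[2] if len(tokens) > 2 else ""
        elif keyword == "list":
            current["lists"].setdefault(tokens[1], []).append(
                tokens[2] if len(tokens) > 2 else ""
            )
    return sections


def zone_findings(text: str) -> List[str]:
    """Return one message per questionable zone policy found in the config."""
    findings: List[str] = []
    for section in parse_uci(text):
        if section["type"] != "zone":
            continue
        opts = section["options"]
        name = opts.get("name", "<unnamed>")
        output = opts.get("output", "").upper()
        forward = opts.get("forward", "").upper()
        if output in ("REJECT", "DROP"):
            findings.append(
                f"zone '{name}': output {output} blocks traffic the router "
                f"itself sends through this zone (ping, DNS, opkg)"
            )
        if forward == "ACCEPT":
            findings.append(
                f"zone '{name}': forward ACCEPT allows traffic between "
                f"interfaces inside the zone; REJECT is the stricter choice"
            )
    return findings


if __name__ == "__main__":
    for label, cfg in (("as posted", BROKEN_FIREWALL), ("corrected", FIXED_FIREWALL)):
        print(f"{label}: {zone_findings(cfg) or ['no findings']}")
```

Run against a real router, the script would read /etc/config/firewall instead of the embedded samples; the parser also refuses a line with an unterminated quote (the kind of typo that crept into the dhcp_option line earlier in this thread) rather than silently misreading it.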

That did it. Changing the line to
option output 'ACCEPT'
allowed the VPN Client to work as intended with no DNS leaks for the LAN clients and also allows me to ping off the console and also install new packages on the router while the VPN is up and working (and thus allows adblock to do retrieves of new lists when needed). Thanks!

1 Like

Forward should also be changed from ACCEPT to REJECT btw.

Basically you had Forward and Output settings transposed. I missed it but @trendy spotted the error.

Please mark as Solved if you haven't done so.

Bill888 - that's quite a bit of good effort you have provided to the community for something that is well needed I believe. Thank you.

My problem is that there are so many options on these panels that I don't understand, that I am left with raw plagiarism to get things up and running. Maybe I can read over all your work and somehow back-trace this hacking I've been doing to make more sense to me rather than my simple copy and paste.

What I have been doing the last couple of years is just "splicing in" those referenced blocks of code I submitted above using Windows and WinSCP while editing config files on each router I add the VPN client to, and then in the simple plain text editor from WinSCP I edit the files, and of course also adding the OpenVPN config package from a VPN provider's Linux server setup example, and that to the appropriate etc/openvpn. I have found it's also necessary to add DNS entries and use DNS server names provided by the VPN client providers to keep DNS from leaking.

I do the VPN setup like this because of my lack of Linux and routing table background and lack of understanding routing tables and the level of Linux that everyone seems to have here. I gathered bits and pieces of this setup method over the years and finally settled on this "improper method of setup, but it works" technique.

Hopefully I can go over your kind offerings here and get a better understanding on all this. Gracias!

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.