Configure openvpn & nordvpn

uci show network

root@Hu:~# uci show network
network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fdfd:03ea:af64::/48'
network.lan=interface
network.lan.type='bridge'
network.lan.ifname='eth1'
network.lan.proto='static'
network.lan.ipaddr='192.168.1.1'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.wan=interface
network.wan.ifname='eth0'
network.wan.proto='dhcp'
network.wan.peerdns='0'
network.wan.dns='8.8.8.8' '8.8.4.4'
network.wan6=interface
network.wan6.ifname='eth0'
network.wan6.proto='dhcpv6'
network.nordvpntun=interface
network.nordvpntun.proto='none'
network.nordvpntun.ifname='tun0'
root@Hu:~#

uci show firewall

root@Hu:~# uci show firewall
firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].network='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].network='wan' 'wan6'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.@zone[2]=zone
firewall.@zone[2].name='vpnfirewall'
firewall.@zone[2].input='REJECT'
firewall.@zone[2].output='ACCEPT'
firewall.@zone[2].forward='REJECT'
firewall.@zone[2].masq='1'
firewall.@zone[2].mtu_fix='1'
firewall.@zone[2].network='nordvpntun'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].src='lan'
firewall.@forwarding[1].dest='vpnfirewall'
root@Hu:~#

ip -4 addr

root@Hu:~# ip -4 addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
5: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
root@Hu:~#

ip -4 ro

root@Hu:~# ip -4 ro
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1 
root@Hu:~#

ip-4 ru

root@Hu:~# ip-4 ru
-ash: ip-4: not found
root@Hu:~#

.ovpn file

# OpenVPN client profile as pasted; the certificate and key bodies are blank here.
client
dev tun
proto udp
remote 184.170.253.38 1194
resolv-retry infinite
remote-random
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ping 15
ping-restart 0
ping-timer-rem
# reneg-sec 0 switches off the periodic TLS key renegotiation.
reneg-sec 0
comp-lzo no

# The server's certificate must be marked for server use, so a leaked
# client certificate cannot be presented as the server.
remote-cert-tls server

# NOTE(review): no credentials file is named here, so presumably OpenVPN has
# no way to obtain the username/password when started as a service; if a
# file is added, keep it readable by root only.
auth-user-pass
verb 3
# Accept options (routes, DNS) pushed by the server.
pull
fast-io
cipher AES-256-CBC
auth SHA512
# NOTE(review): the CA certificate body is empty in this paste -- presumably
# redacted by the poster; the real file must contain it.
<ca>
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----

</ca>
# Inline TLS-auth static key; direction 1 is conventionally the client side.
# The key body is also empty in this paste.
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----

-----END OpenVPN Static key V1-----

</tls-auth>

Do I need to add the username and password to the .ovpn file? I did not change anything in it.

Your main problem is that you don't have an uplink to the internet. Only the LAN interface is up, and the VPN cannot connect without internet access. Check the cables etc.

Other than that:

Change the line auth-user-pass to auth-user-pass /etc/openvpn/client.auth and create that file with your username on the first line and your password on the second line. Because that file holds your password in plain text, restrict its permissions so only root can read it.


It is excluded. I installed the packages before that; everything was fine, but after a reboot I have the problem.

OK, added.

In Interfaces, for NORDVPNTUN I see "Error: Network device is not present".

By "excluded" do you mean that you removed some lines from the output you pasted here?
You need to paste the exact output here, masking only any public IP or MAC address.

Is there a tun0 interface, or did you exclude that too?

I didn't remove any lines.

This seems to be my problem (it appears when I restart the interface).

OpenVPN and NordVPN: this seems to be my problem, see screenshot 5.

Then where is the wan (eth0) interface? I don't see it in "ip -4 addr", nor do you have a default gateway in "ip -4 ro".

This is also not seen in the output of these commands.

I suggest you reset the router to defaults and start from the beginning. The wan interface has to be there all the time, otherwise the VPN cannot work.

It was because I first configured the router while it was behind a second router, and then connected it to the first one (the ISP's).

root@hu:~# ip -4 addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    inet 192.168.99.187/24 brd 192.168.99.255 scope global eth0
       valid_lft forever preferred_lft forever
5: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
root@hu:~#
root@hu:~# ip -4 ro
default via 192.168.99.1 dev eth0 proto static src 192.168.99.187 
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1 
192.168.99.0/24 dev eth0 proto kernel scope link src 192.168.99.187

And yet I don't understand what to do with it.

The file itself contains the contents of the file "ca.crt" between the tags "<ca>" and "</ca>", and the contents of the file "ta.key" between the tags "<tls-auth>" and "</tls-auth>". You can create separate files "ca.crt" and "ta.key" with the corresponding content (excluding the tags) in the same folder, and replace the tagged blocks in the original file with the following lines.

ca ca.crt
tls-auth ta.key 1

You don't need to do anything; the CA certificate and the key are included in the .ovpn config file you downloaded.

Add the line log /tmp/ovpn.log to the client config, restart the OpenVPN instance with service openvpn restart, and check the log for any error messages.

log

Tue Nov 19 15:31:47 2019 disabling NCP mode (--ncp-disable) because not in P2MP
Options error: You must define TUN/TAP device (--dev)
Use --help for more information.
~
~
~
~
~
~
~

ls -la /etc/openvpn/ ; uci show openvpn; lsmod | grep tun
What is the output of these commands?

Also try changing the line dev tun to dev tun0.

root@hu:~# ls -la /etc/openvpn/
drwxr-xr-x    2 root     root             0 Nov 19 15:51 .
drwxr-xr-x    1 root     root             0 Nov 17 01:49 ..
-rw-r--r--    1 root     root            32 Nov 19 13:52 secret
-rw-r--r--    1 root     root          2818 Nov 19 15:29 us4598.nordvpn.com.udp.ovpn

From the router's command line, can you ping the NordVPN server 184.170.253.38, or anything else on the Internet?

Now it works, once I realized where the error was.

Where was the error?


The second time, I had not specified the path to the configuration file in /etc/config/openvpn:

uci set openvpn.nordvpn.config='/etc/openvpn/al1.nordvpn.com.tcp.ovpn'

And yet, why does this setup not work through another router (if I want to use it at work, for example)?

Does your internet-connected router also use the same 192.168.1.x subnet (i.e. the same as your OpenVPN/OpenWrt router)?

If yes, change the LAN IP address of your OpenVPN client router to use a different subnet, e.g. 192.168.111.1.


First I configured the OpenVPN client behind an OpenWrt/WireGuard router with subnet 192.168.99.x, and the VPN works;
but if it is connected to the ISP router, which has subnet 192.168.100.x, the VPN does not work.

With subnet 192.168.111.1 it also does not work.

I suggest you post the contents of the /etc/config/network configuration file.

Also post the contents of the system log for the OpenVPN instance, so we can look for error messages.