Configuring automatic DNS acquisition from a VPN server in OpenWrt

Hello. I faced a problem when connecting OpenVPN on a Xiaomi AX3000T router with OpenWrt firmware (tried versions 23 and 24).

The VPN session itself is established successfully - I get an IP address from the VPN server, but the DNS is still my ISP's, not the one that should be handed out through the VPN.

I checked the configuration on other devices - the VPN server does send its DNS (via dhcp-option DNS x.x.x.x), but on OpenWrt it is not applied automatically. As a result, DNS queries bypass the VPN, which violates privacy and sometimes causes problems with access to the desired resources.

I want a configuration in which OpenWrt automatically picks up the DNS sent by the VPN server, without having to write it in manually every time (since dynamic DNS is used and it can change).

Could you please advise me on how to properly configure this behavior?

I would be grateful for any recommendations, especially if someone has already solved a similar problem on OpenWrt.

Where did you find your ISP's DNS IP?

OpenWrt does not do that by default (I know other third-party firmwares do this).

I use a script to do exactly what you want: get the DNS server pushed by the server and use that exclusively when the tunnel is up.

See: https://github.com/egc112/OpenWRT-egc-add-on/tree/main/stop-dns-leak/use-openvpn-dns

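What such an up/down hook has to do is read the options the server pushed and hand the DNS servers among them to dnsmasq. The script below is an added illustration written for this thread, not egc's script from the link above: it relies on OpenVPN's documented behaviour of exporting each pushed option to the hook as `foreign_option_1`, `foreign_option_2`, ... and setting `script_type` to `up` or `down`; the resolv file path (the thread's log shows egc's script using the same path) and the uci hand-off to dnsmasq are this example's own assumptions.

```sh
#!/bin/sh
# Added illustration (not egc's script): an OpenVPN --up/--down hook that
# collects the servers pushed as "dhcp-option DNS x.x.x.x" and makes dnsmasq
# use them exclusively while the tunnel is up.
# OpenVPN exports pushed options as foreign_option_1, foreign_option_2, ...
# and sets script_type to "up" / "down" (documented behaviour). The file
# path and the uci hand-off below are assumptions of this example.

VPN_RESOLV=/tmp/resolv_conf.vpn                      # assumed path
DEFAULT_RESOLV=/tmp/resolv.conf.d/resolv.conf.auto   # OpenWrt's default resolvfile

# Print one "nameserver X" line per pushed DNS server, in push order.
# Other pushed options (DOMAIN, routes, ...) are ignored.
pushed_dns() {
    i=1
    while :; do
        eval "opt=\${foreign_option_$i:-}"
        [ -n "$opt" ] || break
        case "$opt" in
            "dhcp-option DNS "*) printf 'nameserver %s\n' "${opt#"dhcp-option DNS "}" ;;
        esac
        i=$((i + 1))
    done
}

# Write the tunnel's resolv file to $1; returns 1 when nothing was pushed so
# the caller keeps the current resolvers instead of installing an empty file.
write_vpn_resolv() {
    servers=$(pushed_dns)
    [ -n "$servers" ] || return 1
    printf '%s\n' "$servers" > "$1"
}

# Point dnsmasq at a resolv file (assumed hand-off; only meaningful on OpenWrt).
set_dnsmasq_resolvfile() {
    uci set dhcp.@dnsmasq[0].resolvfile="$1" && uci commit dhcp && /etc/init.d/dnsmasq restart
}

# Entry point when OpenVPN runs this file as its --up / --down script.
# Nothing happens when script_type is unset (e.g. when sourced for testing).
case "${script_type:-}" in
    up)   write_vpn_resolv "$VPN_RESOLV" && set_dnsmasq_resolvfile "$VPN_RESOLV" ;;
    down) rm -f "$VPN_RESOLV"; set_dnsmasq_resolvfile "$DEFAULT_RESOLV" ;;
esac
```

To wire it in, the .ovpn needs `script-security 2` plus `up` and `down` lines pointing at the file, as in the config posted later in this thread. Because the hook swaps dnsmasq's upstream file rather than adding to it, the ISP resolvers are never consulted while the tunnel is up; if the router reboots with the tunnel up, the tmpfs file is gone and dnsmasq has no upstream until the tunnel comes back, which is the leak-safe direction.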

I looked at whoer.net and it shows my local DNS from my ISP.

I did exactly the same thing, but I can't load some websites, and the DNS leak test can't run. It gives “test error”.

What does the log say?

Tue Jul 8 08:03:05 2025 daemon.notice openvpn(new)[4373]: OpenVPN 2.5.8 aarch64-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Tue Jul 8 08:03:05 2025 daemon.notice openvpn(new)[4373]: library versions: OpenSSL 3.0.15 3 Sep 2024, LZO 2.10
Tue Jul 8 08:03:05 2025 daemon.warn openvpn(new)[4373]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Tue Jul 8 08:03:05 2025 daemon.warn openvpn(new)[4373]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Tue Jul 8 08:03:05 2025 daemon.warn openvpn(new)[4373]: WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 1260)
Tue Jul 8 08:03:10 2025 daemon.err openvpn(new)[4373]: RESOLVE: Cannot resolve host address: vpn.mobilehop.com:1194 (Try again)
Tue Jul 8 08:03:15 2025 daemon.err openvpn(new)[4373]: RESOLVE: Cannot resolve host address: vpn.mobilehop.com:1194 (Try again)
Tue Jul 8 08:03:15 2025 daemon.warn openvpn(new)[4373]: Could not determine IPv4/IPv6 protocol
Tue Jul 8 08:03:15 2025 daemon.notice openvpn(new)[4373]: SIGUSR1[soft,init_instance] received, process restarting
Tue Jul 8 08:03:15 2025 daemon.notice openvpn(new)[4373]: Restart pause, 5 second(s)
Tue Jul 8 08:03:20 2025 daemon.warn openvpn(new)[4373]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Tue Jul 8 08:03:20 2025 daemon.warn openvpn(new)[4373]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Tue Jul 8 08:03:20 2025 daemon.warn openvpn(new)[4373]: WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 1260)
Tue Jul 8 08:03:20 2025 daemon.notice openvpn(new)[4373]: TCP/UDP: Preserving recently used remote address: [AF_INET]199.188.90.8:1194
Tue Jul 8 08:03:20 2025 daemon.notice openvpn(new)[4373]: Socket Buffers: R=[212992->212992] S=[212992->212992]
Tue Jul 8 08:03:20 2025 daemon.notice openvpn(new)[4373]: UDP link local: (not bound)
Tue Jul 8 08:03:20 2025 daemon.notice openvpn(new)[4373]: UDP link remote: [AF_INET]199.188.90.8:1194
Tue Jul 8 08:03:20 2025 daemon.notice openvpn(new)[4373]: TLS: Initial packet from [AF_INET]199.188.90.8:1194, sid=a1636d33 503f9a5e
Tue Jul 8 08:03:20 2025 daemon.warn openvpn(new)[4373]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Tue Jul 8 08:03:20 2025 daemon.notice openvpn(new)[4373]: VERIFY OK: depth=2, C=GB, O=Sectigo Limited, CN=Sectigo Public Server Authentication Root R46
Tue Jul 8 08:03:20 2025 daemon.notice openvpn(new)[4373]: VERIFY OK: depth=1, C=GB, O=Sectigo Limited, CN=Sectigo Public Server Authentication CA DV R36
Tue Jul 8 08:03:20 2025 daemon.notice openvpn(new)[4373]: VERIFY OK: depth=0, CN=4gvpn.net
Tue Jul 8 08:03:21 2025 daemon.notice openvpn(new)[4373]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA384
Tue Jul 8 08:03:21 2025 daemon.notice openvpn(new)[4373]: [4gvpn.net] Peer Connection Initiated with [AF_INET]199.188.90.8:1194
Tue Jul 8 08:03:22 2025 daemon.notice openvpn(new)[4373]: SENT CONTROL [4gvpn.net]: 'PUSH_REQUEST' (status=1)
Tue Jul 8 08:13:02 2025 daemon.notice openvpn(new)[4373]: SENT CONTROL [4gvpn.net]: 'PUSH_REQUEST' (status=1)
Tue Jul 8 08:13:02 2025 daemon.notice openvpn(new)[4373]: [4gvpn.net] Inactivity timeout (--ping-restart), restarting
Tue Jul 8 08:13:02 2025 daemon.notice openvpn(new)[4373]: SIGUSR1[soft,ping-restart] received, process restarting
Tue Jul 8 08:13:02 2025 daemon.notice openvpn(new)[4373]: Restart pause, 5 second(s)
Tue Jul 8 08:13:07 2025 daemon.warn openvpn(new)[4373]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Tue Jul 8 08:13:07 2025 daemon.warn openvpn(new)[4373]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Tue Jul 8 08:13:07 2025 daemon.warn openvpn(new)[4373]: WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 1260)
Tue Jul 8 08:13:07 2025 daemon.notice openvpn(new)[4373]: TCP/UDP: Preserving recently used remote address: [AF_INET]199.188.90.8:1194
Tue Jul 8 08:13:07 2025 daemon.notice openvpn(new)[4373]: Socket Buffers: R=[212992->212992] S=[212992->212992]
Tue Jul 8 08:13:07 2025 daemon.notice openvpn(new)[4373]: UDP link local: (not bound)
Tue Jul 8 08:13:07 2025 daemon.notice openvpn(new)[4373]: UDP link remote: [AF_INET]199.188.90.8:1194
Tue Jul 8 08:13:07 2025 daemon.notice openvpn(new)[4373]: TLS: Initial packet from [AF_INET]199.188.90.8:1194, sid=d0574731 a3d7aa3b
Tue Jul 8 08:13:07 2025 daemon.notice openvpn(new)[4373]: VERIFY OK: depth=2, C=GB, O=Sectigo Limited, CN=Sectigo Public Server Authentication Root R46
Tue Jul 8 08:13:07 2025 daemon.notice openvpn(new)[4373]: VERIFY OK: depth=1, C=GB, O=Sectigo Limited, CN=Sectigo Public Server Authentication CA DV R36
Tue Jul 8 08:13:07 2025 daemon.notice openvpn(new)[4373]: VERIFY OK: depth=0, CN=4gvpn.net
Tue Jul 8 08:13:08 2025 daemon.notice openvpn(new)[4373]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA384
Tue Jul 8 08:13:08 2025 daemon.notice openvpn(new)[4373]: [4gvpn.net] Peer Connection Initiated with [AF_INET]199.188.90.8:1194
Tue Jul 8 08:13:09 2025 daemon.notice openvpn(new)[4373]: SENT CONTROL [4gvpn.net]: 'PUSH_REQUEST' (status=1)
Tue Jul 8 08:13:14 2025 daemon.notice openvpn(new)[4373]: SENT CONTROL [4gvpn.net]: 'PUSH_REQUEST' (status=1)
Tue Jul 8 08:13:17 2025 daemon.notice openvpn(new)[4373]: PUSH: Received control message: 'PUSH_REPLY,ping 3,ping-restart 10,ifconfig 192.168.1.157 192.168.1.158,dhcp-option DOMAIN lan,dhcp-option DNS 192.168.1.1,route-gateway 192.168.1.158,redirect-gateway def1'
Tue Jul 8 08:13:17 2025 daemon.notice openvpn(new)[4373]: OPTIONS IMPORT: timers and/or timeouts modified
Tue Jul 8 08:13:17 2025 daemon.notice openvpn(new)[4373]: OPTIONS IMPORT: --ifconfig/up options modified
Tue Jul 8 08:13:17 2025 daemon.notice openvpn(new)[4373]: OPTIONS IMPORT: route options modified
Tue Jul 8 08:13:17 2025 daemon.notice openvpn(new)[4373]: OPTIONS IMPORT: route-related options modified
Tue Jul 8 08:13:17 2025 daemon.notice openvpn(new)[4373]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Tue Jul 8 08:13:17 2025 daemon.notice openvpn(new)[4373]: Using peer cipher 'AES-128-CBC'
Tue Jul 8 08:13:17 2025 daemon.notice openvpn(new)[4373]: Outgoing Data Channel: Cipher 'AES-128-CBC' initialized with 128 bit key
Tue Jul 8 08:13:17 2025 daemon.notice openvpn(new)[4373]: Outgoing Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jul 8 08:13:17 2025 daemon.notice openvpn(new)[4373]: Incoming Data Channel: Cipher 'AES-128-CBC' initialized with 128 bit key
Tue Jul 8 08:13:17 2025 daemon.notice openvpn(new)[4373]: Incoming Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jul 8 08:13:17 2025 daemon.notice openvpn(new)[4373]: net_route_v4_best_gw query: dst 0.0.0.0
Tue Jul 8 08:13:17 2025 daemon.notice openvpn(new)[4373]: net_route_v4_best_gw result: via 192.168.0.1 dev wan
Tue Jul 8 08:13:17 2025 daemon.notice openvpn(new)[4373]: TUN/TAP device tun0 opened
Tue Jul 8 08:13:17 2025 daemon.notice openvpn(new)[4373]: net_iface_mtu_set: mtu 1260 for tun0
Tue Jul 8 08:13:17 2025 daemon.notice openvpn(new)[4373]: net_iface_up: set tun0 up
Tue Jul 8 08:13:17 2025 daemon.notice openvpn(new)[4373]: net_addr_ptp_v4_add: 192.168.1.157 peer 192.168.1.158 dev tun0
Tue Jul 8 08:13:17 2025 daemon.notice openvpn(new)[4373]: /usr/libexec/openvpn-hotplug up new tun0 1260 1381 192.168.1.157 192.168.1.158 init
Tue Jul 8 08:13:17 2025 daemon.notice openvpn(new)[4373]: net_route_v4_add: 199.188.90.8/32 via 192.168.0.1 dev [NULL] table 0 metric -1
Tue Jul 8 08:13:17 2025 daemon.notice openvpn(new)[4373]: net_route_v4_add: 0.0.0.0/1 via 192.168.1.158 dev [NULL] table 0 metric -1
Tue Jul 8 08:13:17 2025 daemon.notice openvpn(new)[4373]: net_route_v4_add: 128.0.0.0/1 via 192.168.1.158 dev [NULL] table 0 metric -1
Tue Jul 8 08:13:17 2025 daemon.notice openvpn(new)[4373]: Initialization Sequence Completed
Tue Jul 8 08:22:40 2025 daemon.err openvpn(new)[4373]: event_wait : Interrupted system call (code=4)
Tue Jul 8 08:22:40 2025 daemon.notice openvpn(new)[4373]: /usr/libexec/openvpn-hotplug route-pre-down new tun0 1260 1381 192.168.1.157 192.168.1.158 init
Tue Jul 8 08:22:40 2025 daemon.notice openvpn(new)[4373]: net_route_v4_del: 199.188.90.8/32 via 192.168.0.1 dev [NULL] table 0 metric -1
Tue Jul 8 08:22:40 2025 daemon.notice openvpn(new)[4373]: net_route_v4_del: 0.0.0.0/1 via 192.168.1.158 dev [NULL] table 0 metric -1
Tue Jul 8 08:22:40 2025 daemon.notice openvpn(new)[4373]: net_route_v4_del: 128.0.0.0/1 via 192.168.1.158 dev [NULL] table 0 metric -1
Tue Jul 8 08:22:40 2025 daemon.notice openvpn(new)[4373]: Closing TUN/TAP interface
Tue Jul 8 08:22:40 2025 daemon.notice openvpn(new)[4373]: net_addr_ptp_v4_del: 192.168.1.157 dev tun0
Tue Jul 8 08:22:41 2025 daemon.notice openvpn(new)[4373]: /usr/libexec/openvpn-hotplug down new tun0 1260 1381 192.168.1.157 192.168.1.158 init
Tue Jul 8 08:22:41 2025 daemon.notice openvpn(new)[4373]: SIGTERM[hard,] received, process exiting
Tue Jul 8 08:22:46 2025 daemon.warn openvpn(new)[8113]: Multiple --up scripts defined. The previously configured script is overridden.
Tue Jul 8 08:22:46 2025 daemon.warn openvpn(new)[8113]: Multiple --down scripts defined. The previously configured script is overridden.
Tue Jul 8 08:22:46 2025 daemon.notice openvpn(new)[8113]: OpenVPN 2.5.8 aarch64-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Tue Jul 8 08:22:46 2025 daemon.notice openvpn(new)[8113]: library versions: OpenSSL 3.0.15 3 Sep 2024, LZO 2.10
Tue Jul 8 08:22:46 2025 daemon.warn openvpn(new)[8113]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Tue Jul 8 08:22:46 2025 daemon.warn openvpn(new)[8113]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Tue Jul 8 08:22:46 2025 daemon.warn openvpn(new)[8113]: WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 1260)
Tue Jul 8 08:22:46 2025 daemon.notice openvpn(new)[8113]: TCP/UDP: Preserving recently used remote address: [AF_INET]199.188.90.8:1194
Tue Jul 8 08:22:46 2025 daemon.notice openvpn(new)[8113]: Socket Buffers: R=[212992->212992] S=[212992->212992]
Tue Jul 8 08:22:46 2025 daemon.notice openvpn(new)[8113]: UDP link local: (not bound)
Tue Jul 8 08:22:46 2025 daemon.notice openvpn(new)[8113]: UDP link remote: [AF_INET]199.188.90.8:1194
Tue Jul 8 08:22:47 2025 daemon.notice openvpn(new)[8113]: TLS: Initial packet from [AF_INET]199.188.90.8:1194, sid=fb48946c fac48984
Tue Jul 8 08:22:47 2025 daemon.warn openvpn(new)[8113]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Tue Jul 8 08:22:47 2025 daemon.notice openvpn(new)[8113]: VERIFY OK: depth=2, C=GB, O=Sectigo Limited, CN=Sectigo Public Server Authentication Root R46
Tue Jul 8 08:22:47 2025 daemon.notice openvpn(new)[8113]: VERIFY OK: depth=1, C=GB, O=Sectigo Limited, CN=Sectigo Public Server Authentication CA DV R36
Tue Jul 8 08:22:47 2025 daemon.notice openvpn(new)[8113]: VERIFY OK: depth=0, CN=4gvpn.net
Tue Jul 8 08:22:47 2025 daemon.notice openvpn(new)[8113]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA384
Tue Jul 8 08:22:47 2025 daemon.notice openvpn(new)[8113]: [4gvpn.net] Peer Connection Initiated with [AF_INET]199.188.90.8:1194
Tue Jul 8 08:22:48 2025 daemon.notice openvpn(new)[8113]: SENT CONTROL [4gvpn.net]: 'PUSH_REQUEST' (status=1)
Tue Jul 8 08:22:53 2025 daemon.notice openvpn(new)[8113]: SENT CONTROL [4gvpn.net]: 'PUSH_REQUEST' (status=1)
Tue Jul 8 08:22:55 2025 daemon.notice openvpn(new)[8113]: PUSH: Received control message: 'PUSH_REPLY,ping 3,ping-restart 10,ifconfig 192.168.1.157 192.168.1.158,dhcp-option DOMAIN lan,dhcp-option DNS 192.168.1.1,route-gateway 192.168.1.158,redirect-gateway def1'
Tue Jul 8 08:22:55 2025 daemon.notice openvpn(new)[8113]: OPTIONS IMPORT: timers and/or timeouts modified
Tue Jul 8 08:22:55 2025 daemon.notice openvpn(new)[8113]: OPTIONS IMPORT: --ifconfig/up options modified
Tue Jul 8 08:22:55 2025 daemon.notice openvpn(new)[8113]: OPTIONS IMPORT: route options modified
Tue Jul 8 08:22:55 2025 daemon.notice openvpn(new)[8113]: OPTIONS IMPORT: route-related options modified
Tue Jul 8 08:22:55 2025 daemon.notice openvpn(new)[8113]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Tue Jul 8 08:22:55 2025 daemon.notice openvpn(new)[8113]: Using peer cipher 'AES-128-CBC'
Tue Jul 8 08:22:55 2025 daemon.notice openvpn(new)[8113]: Outgoing Data Channel: Cipher 'AES-128-CBC' initialized with 128 bit key
Tue Jul 8 08:22:55 2025 daemon.notice openvpn(new)[8113]: Outgoing Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jul 8 08:22:55 2025 daemon.notice openvpn(new)[8113]: Incoming Data Channel: Cipher 'AES-128-CBC' initialized with 128 bit key
Tue Jul 8 08:22:55 2025 daemon.notice openvpn(new)[8113]: Incoming Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jul 8 08:22:55 2025 daemon.notice openvpn(new)[8113]: net_route_v4_best_gw query: dst 0.0.0.0
Tue Jul 8 08:22:55 2025 daemon.notice openvpn(new)[8113]: net_route_v4_best_gw result: via 192.168.0.1 dev wan
Tue Jul 8 08:22:55 2025 daemon.notice openvpn(new)[8113]: TUN/TAP device tun0 opened
Tue Jul 8 08:22:55 2025 daemon.notice openvpn(new)[8113]: net_iface_mtu_set: mtu 1260 for tun0
Tue Jul 8 08:22:55 2025 daemon.notice openvpn(new)[8113]: net_iface_up: set tun0 up
Tue Jul 8 08:22:55 2025 daemon.notice openvpn(new)[8113]: net_addr_ptp_v4_add: 192.168.1.157 peer 192.168.1.158 dev tun0
Tue Jul 8 08:22:55 2025 daemon.notice openvpn(new)[8113]: /usr/libexec/openvpn-hotplug up new tun0 1260 1381 192.168.1.157 192.168.1.158 init
Tue Jul 8 08:22:55 2025 daemon.notice openvpn(new)[8113]: net_route_v4_add: 199.188.90.8/32 via 192.168.0.1 dev [NULL] table 0 metric -1
Tue Jul 8 08:22:55 2025 daemon.notice openvpn(new)[8113]: net_route_v4_add: 0.0.0.0/1 via 192.168.1.158 dev [NULL] table 0 metric -1
Tue Jul 8 08:22:55 2025 daemon.notice openvpn(new)[8113]: net_route_v4_add: 128.0.0.0/1 via 192.168.1.158 dev [NULL] table 0 metric -1
Tue Jul 8 08:22:55 2025 daemon.notice openvpn(new)[8113]: Initialization Sequence Completed
Tue Jul 8 08:22:55 2025 user.notice ovpn-update-resolv-9[8308]: OpenVPN up: Exclusively using openvpn DNS server(s) from /tmp/resolv_conf.vpn: nameserver 192.168.1.1



The server is pushing an IP address and DNS server; it uses the very common 192.168.1.0/24 subnet, which usually is a bad idea, as the client or its upstream router might already use this subnet, and as this is a routed solution all subnets should be different.

Where is the VPN server located? Did you set it up yourself, or is this a commercial provider?

The script works, as can be seen at:

Not that it matters: as the default route is going via the VPN, all traffic, including DNS traffic, should go via the VPN (unless, see above, the subnet of your router is 192.168.1.0/24).

A very good site to check for IP and DNS address is ipleak.net, but browserleaks.com/dns is also a viable option.
Assuming you are in Ukraine and are connecting to the USA, the last picture showed a USA IP address and a USA DNS address, so that looks good?

If everything is not working, it might help if you can show your configs. Please connect to your OpenWrt device using ssh, copy the output of the following commands and post it here using the "Preformatted text </>" button.

Remember to redact keys, passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/dhcp
cat /etc/config/firewall
ip route show
ip -6 route show
ip rule show
cat /etc/config/openvpn
for ovpn in $(ls /etc/openvpn/*.ovpn);do echo $ovpn; cat $ovpn; echo;done
for vpn in $(ls /tmp/etc/openvpn*.conf);do echo $vpn;cat $vpn;echo;done

It's commercial. It's a mobile proxy, the mobilehop service.

I have attached screenshots of the problems. I would like to have the same DNS proxy as I have on OpenWrt. With your config I can't check the leakage; the sites just don't load.

root@OpenWrt:~# ubus call system board
{
        "kernel": "5.15.167",
        "hostname": "OpenWrt",
        "system": "ARMv8 Processor rev 4",
        "model": "Xiaomi Mi Router AX3000T",
        "board_name": "xiaomi,mi-router-ax3000t",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.5",
                "revision": "r24106-10cc5fcd00",
                "target": "mediatek/filogic",
                "description": "23.05.5 241111"
        }
}
root@OpenWrt:~#


root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd52:b17a:200d::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'wan'
        option macaddr 'XX:xx:xx:xx:xx:xx'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config interface 'new'
        option proto 'dhcp'
        option device 'tun0'

root@OpenWrt:~#

root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'
        option confdir '/tmp/dnsmasq.d'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        option ra_slaac '1'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

root@OpenWrt:~#
root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list device 'tun0'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'new'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'new'

config forwarding
        option src 'lan'
        option dest 'new'

root@OpenWrt:~#

root@OpenWrt:~# ip route show
0.0.0.0/1 via 192.168.1.218 dev tun0
default via 192.168.0.1 dev wan proto static src 192.168.0.100
128.0.0.0/1 via 192.168.1.218 dev tun0
192.168.1.0/24 dev wan proto kernel scope link src 192.168.0.100
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
192.168.1.1 dev tun0 scope link
192.168.1.218 dev tun0 proto kernel scope link src 192.168.1.217
199.188.90.8 via 192.168.0.1 dev wan
root@OpenWrt:~#
root@OpenWrt:~# ip -6 route show
fd52:XXX:XXXX::/64 dev br-lan proto static metric 1024 pref medium
unreachable fd52:b17a:200d::/48 dev lo proto static metric 2147483647 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev phy0-ap0 proto kernel metric 256 pref medium
fe80::/64 dev br-lan proto kernel metric 256 pref medium
fe80::/64 dev wan proto kernel metric 256 pref medium
fe80::/64 dev phy1-ap0 proto kernel metric 256 pref medium
root@OpenWrt:~#
root@OpenWrt:~# ip rule show
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
root@OpenWrt:~# cat /etc/config/openvpn

config openvpn 'custom_config'
        option config '/etc/openvpn/my-vpn.conf'

config openvpn 'sample_server'
        option port '1194'
        option proto 'udp'
        option dev 'tun'
        option ca '/etc/openvpn/ca.crt'
        option cert '/etc/openvpn/server.crt'
        option key '/etc/openvpn/server.key'
        option dh '/etc/openvpn/dh2048.pem'
        option server '10.8.0.0 255.255.255.0'
        option ifconfig_pool_persist '/tmp/ipp.txt'
        option keepalive '10 120'
        option persist_key '1'
        option persist_tun '1'
        option user 'nobody'
        option status '/tmp/openvpn-status.log'
        option verb '3'

config openvpn 'sample_client'
        option client '1'
        option dev 'tun'
        option proto 'udp'
        list remote 'vpn.example.com 1194'
        option resolv_retry 'infinite'
        option nobind '1'
        option persist_key '1'
        option persist_tun '1'
        option user 'nobody'
        option ca '/etc/openvpn/ca.crt'
        option cert '/etc/openvpn/client.crt'
        option key '/etc/openvpn/client.key'
        option verb '3'

config openvpn 'new'
        option config '/etc/openvpn/new.ovpn'
        option enabled '1'

root@OpenWrt:~#


root@OpenWrt:~# for ovpn in $(ls /etc/openvpn/*.ovpn); do echo $ovpn; cat $ovpn; echo; done
/etc/openvpn/new.ovpn
dev tun
proto udp
remote vpn.example.com 1194
data-ciphers AES-128-CBC
cipher AES-128-CBC
auth SHA1
resolv-retry infinite
nobind
persist-key
persist-tun
up /etc/openvpn/ovpn-update-resolv-9
down /etc/openvpn/ovpn-update-resolv-9
client
verb 3
auth-user-pass /etc/openvpn/new.auth
tun-mtu 1260
<ca>
-----BEGIN CERTIFICATE-----
hidden
-----END CERTIFICATE-----
</ca>

root@OpenWrt:~#



Your VPN server is using the same subnet as your router, which can never work.

It is hard to believe that a commercial VPN provider is using the much-used subnet 192.168.1.0/24, as many clients, like you, are also using it.
OpenVPN (tun) is a routed solution, and to work all three involved subnets (the client, the server and the VPN subnet) have to be different.

The solution is to use another IP address for your router, so consider changing the IP address from 192.168.1.1 to e.g. 192.168.22.1 (anything other than 192.168.0.1 or 192.168.1.1).

Some more problematic settings:

OpenVPN sets up its own interface, so if you want to use an interface set it to `option proto 'none'`.

It is fine if you use this interface and use a separate firewall zone (new) for it, but then remove device tun0 from the wan zone.

Furthermore, add to the new.ovpn config:

remote-cert-tls server
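The rule that the client LAN, the tunnel subnet and the pushed server-side addresses must all be distinct can be checked mechanically before touching the config. The script below is an added example, not from the thread or from OpenWrt: a POSIX sh overlap check (shell arithmetic only, so it runs in busybox ash) fed with this thread's values. The /30 comes from the pushed `ifconfig 192.168.1.157 192.168.1.158` (an ifconfig push without a netmask is net30 topology, where each client gets a /30), the /32 is the pushed DNS server, and the LAN is the router's 192.168.1.0/24 before and an assumed 192.168.22.0/24 after the suggested change.

```sh
#!/bin/sh
# Added illustration (not from the thread or any OpenWrt tool): check that the
# subnets involved in a routed (tun) OpenVPN setup do not overlap.

# Dotted quad -> 32-bit integer, using only shell arithmetic.
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Network address of "a.b.c.d/len" as an integer.
net_of() {
    ip=${1%/*}; len=${1#*/}
    mask=$(( (4294967295 >> (32 - len)) << (32 - len) ))
    echo $(( $(ip2int "$ip") & mask ))
}

# True (exit 0) when two CIDR subnets overlap: both, masked with the shorter
# of the two prefixes, give the same network address.
subnets_overlap() {
    la=${1#*/}; lb=${2#*/}
    len=$(( la < lb ? la : lb ))
    [ "$(net_of "${1%/*}/$len")" -eq "$(net_of "${2%/*}/$len")" ]
}

# Check every pair among any number of subnets; print each clash and
# return 1 if at least one was found, 0 when all are distinct.
check_routed_vpn_subnets() {
    rc=0
    while [ $# -gt 1 ]; do
        x=$1; shift
        for y; do
            if subnets_overlap "$x" "$y"; then
                echo "overlap: $x and $y"
                rc=1
            fi
        done
    done
    return $rc
}

# The thread's values: tunnel /30 from the pushed ifconfig, pushed DNS host,
# and the router LAN before (192.168.1.0/24) and after the suggested change
# (192.168.22.0/24, an assumed value).
for lan in 192.168.1.0/24 192.168.22.0/24; do
    echo "LAN $lan:"
    if check_routed_vpn_subnets "$lan" 192.168.1.156/30 192.168.1.1/32; then
        echo "  no overlap, routed VPN can work"
    fi
done
```

With the original LAN the check reports two clashes: the tunnel /30 sits inside the LAN, and the pushed DNS server 192.168.1.1 is the router's own address, so dnsmasq would be told to forward to itself. After moving the LAN only the provider's own two ranges remain, which the client cannot influence.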

Thank you so much!!!! You solved my problem, I am very much grateful to you. Yes, after all these solutions I now have exactly the same DNS as before. Have a nice day, you made my day😇

Glad it is working :slight_smile:

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks! :slight_smile:

