Connect OpenWrt as a client to VPN server l2tp

Here it is, the config file from the server:

server.conf:

push "route 192.168.178.0 255.255.255.0"
push "route 10.8.0.0 255.255.255.0"
dev tun

management 127.0.0.1 1194

server 10.8.0.0 255.255.255.0


dh /var/packages/VPNCenter/target/etc/openvpn/keys/dh3072.pem
ca /var/packages/VPNCenter/target/etc/openvpn/keys/ca.crt
cert /var/packages/VPNCenter/target/etc/openvpn/keys/server.crt
key /var/packages/VPNCenter/target/etc/openvpn/keys/server.key

max-clients 15

comp-lzo no

persist-tun
persist-key

verb 3

log-append /var/log/openvpn.log

keepalive 10 60
reneg-sec 0

plugin /var/packages/VPNCenter/target/lib/radiusplugin.so /var/packages/VPNCenter/target/etc/openvpn/radiusplugin.cnf
client-cert-not-required
username-as-common-name
duplicate-cn

script-security 2
proto udp6
port 1194
cipher AES-256-CBC
auth SHA512

push "dhcp-option DNS 84.116.46.23"
push "dhcp-option DNS 1.1.1.1"
push "redirect-gateway def1"

Set verb 4 in the client config, and give the log of the connection:
logread -e openvpn

Here is the log:

Wed May 24 20:11:16 2023 daemon.notice openvpn(clientFileOpenVPN)[1318]: OpenVPN 2.5.3 aarch64-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Wed May 24 20:11:16 2023 daemon.notice openvpn(clientFileOpenVPN)[1318]: library versions: OpenSSL 1.1.1q  5 Jul 2022, LZO 2.10
Wed May 24 20:11:16 2023 daemon.warn openvpn(clientFileOpenVPN)[1318]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Wed May 24 20:11:16 2023 daemon.warn openvpn(clientFileOpenVPN)[1318]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Wed May 24 20:11:16 2023 daemon.notice openvpn(clientFileOpenVPN)[1318]: Control Channel MTU parms [ L:1622 D:1212 EF:38 EB:0 ET:0 EL:3 ]
Wed May 24 20:11:16 2023 daemon.notice openvpn(clientFileOpenVPN)[1318]: Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Wed May 24 20:11:16 2023 daemon.notice openvpn(clientFileOpenVPN)[1318]: Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-client'
Wed May 24 20:11:16 2023 daemon.notice openvpn(clientFileOpenVPN)[1318]: Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-server'
Wed May 24 20:11:16 2023 daemon.notice openvpn(clientFileOpenVPN)[1318]: TCP/UDP: Preserving recently used remote address: [AF_INET]***:1194
Wed May 24 20:11:16 2023 daemon.notice openvpn(clientFileOpenVPN)[1318]: Socket Buffers: R=[212992->212992] S=[212992->212992]
Wed May 24 20:11:16 2023 daemon.notice openvpn(clientFileOpenVPN)[1318]: UDP link local: (not bound)
Wed May 24 20:11:16 2023 daemon.notice openvpn(clientFileOpenVPN)[1318]: UDP link remote: [AF_INET]***:1194
Wed May 24 20:11:16 2023 daemon.err openvpn(clientFileOpenVPN)[1318]: write UDP: Network unreachable (code=101)
Wed May 24 20:11:16 2023 daemon.notice openvpn(clientFileOpenVPN)[1318]: Network unreachable, restarting
Wed May 24 20:11:16 2023 daemon.notice openvpn(clientFileOpenVPN)[1318]: TCP/UDP: Closing socket
Wed May 24 20:11:16 2023 daemon.notice openvpn(clientFileOpenVPN)[1318]: SIGUSR1[soft,network-unreachable] received, process restarting
Wed May 24 20:11:16 2023 daemon.notice openvpn(clientFileOpenVPN)[1318]: Restart pause, 5 second(s)
Wed May 24 20:11:21 2023 daemon.warn openvpn(clientFileOpenVPN)[1318]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Wed May 24 20:11:21 2023 daemon.warn openvpn(clientFileOpenVPN)[1318]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Wed May 24 20:11:21 2023 daemon.notice openvpn(clientFileOpenVPN)[1318]: Re-using SSL/TLS context
Wed May 24 20:11:21 2023 daemon.notice openvpn(clientFileOpenVPN)[1318]: Control Channel MTU parms [ L:1622 D:1212 EF:38 EB:0 ET:0 EL:3 ]
Wed May 24 20:11:21 2023 daemon.notice openvpn(clientFileOpenVPN)[1318]: Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Wed May 24 20:11:21 2023 daemon.notice openvpn(clientFileOpenVPN)[1318]: Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-client'
Wed May 24 20:11:21 2023 daemon.notice openvpn(clientFileOpenVPN)[1318]: Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-server'
Wed May 24 20:11:21 2023 daemon.notice openvpn(clientFileOpenVPN)[1318]: TCP/UDP: Preserving recently used remote address: [AF_INET]***:1194
Wed May 24 20:11:21 2023 daemon.notice openvpn(clientFileOpenVPN)[1318]: Socket Buffers: R=[212992->212992] S=[212992->212992]
Wed May 24 20:11:21 2023 daemon.notice openvpn(clientFileOpenVPN)[1318]: UDP link local: (not bound)
Wed May 24 20:11:21 2023 daemon.notice openvpn(clientFileOpenVPN)[1318]: UDP link remote: [AF_INET]***:1194
Wed May 24 20:11:21 2023 daemon.notice openvpn(clientFileOpenVPN)[1318]: TLS: Initial packet from [AF_INET]***:1194, sid=511026f6 92a97abe
Wed May 24 20:11:21 2023 daemon.notice openvpn(clientFileOpenVPN)[1318]: VERIFY OK: depth=1, C=TW, L=Taipei, O=Synology Inc., CN=Synology Inc. CA
Wed May 24 20:11:21 2023 daemon.notice openvpn(clientFileOpenVPN)[1318]: VERIFY OK: depth=0, C=TW, L=Taipei, O=Synology Inc., CN=synology
Wed May 24 20:11:24 2023 daemon.notice openvpn(clientFileOpenVPN)[1318]: Control Channel: TLSv1.2, cipher TLSv1.2 DHE-RSA-AES256-GCM-SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
Wed May 24 20:11:24 2023 daemon.notice openvpn(clientFileOpenVPN)[1318]: [synology] Peer Connection Initiated with [AF_INET]***:1194
Wed May 24 20:11:25 2023 daemon.notice openvpn(clientFileOpenVPN)[1318]: SENT CONTROL [synology]: 'PUSH_REQUEST' (status=1)
Wed May 24 20:11:27 2023 daemon.notice openvpn(clientFileOpenVPN)[1318]: PUSH: Received control message: 'PUSH_REPLY,route 192.168.178.0 255.255.255.0,route 10.8.0.0 255.255.255.0,dhcp-option DNS 84.116.46.23,dhcp-option DNS 1.1.1.1,redirect-gateway def1,route 10.8.0.1,topology net30,ping 10,ping-restart 60,ifconfig 10.8.0.10 10.8.0.9'
Wed May 24 20:11:27 2023 daemon.warn openvpn(clientFileOpenVPN)[1318]: WARNING: You have specified redirect-gateway and redirect-private at the same time (or the same option multiple times). This is not well supported and may lead to unexpected results
Wed May 24 20:11:27 2023 daemon.notice openvpn(clientFileOpenVPN)[1318]: OPTIONS IMPORT: timers and/or timeouts modified
Wed May 24 20:11:27 2023 daemon.notice openvpn(clientFileOpenVPN)[1318]: OPTIONS IMPORT: --ifconfig/up options modified
Wed May 24 20:11:27 2023 daemon.notice openvpn(clientFileOpenVPN)[1318]: OPTIONS IMPORT: route options modified
Wed May 24 20:11:27 2023 daemon.notice openvpn(clientFileOpenVPN)[1318]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Wed May 24 20:11:27 2023 daemon.notice openvpn(clientFileOpenVPN)[1318]: Using peer cipher 'AES-256-CBC'
Wed May 24 20:11:27 2023 daemon.notice openvpn(clientFileOpenVPN)[1318]: Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Wed May 24 20:11:27 2023 daemon.notice openvpn(clientFileOpenVPN)[1318]: Outgoing Data Channel: Using 512 bit message hash 'SHA512' for HMAC authentication
Wed May 24 20:11:27 2023 daemon.notice openvpn(clientFileOpenVPN)[1318]: Incoming Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Wed May 24 20:11:27 2023 daemon.notice openvpn(clientFileOpenVPN)[1318]: Incoming Data Channel: Using 512 bit message hash 'SHA512' for HMAC authentication
Wed May 24 20:11:27 2023 daemon.notice openvpn(clientFileOpenVPN)[1318]: net_route_v4_best_gw query: dst 0.0.0.0
Wed May 24 20:11:27 2023 daemon.notice openvpn(clientFileOpenVPN)[1318]: net_route_v4_best_gw result: via 192.168.192.1 dev wlan0
Wed May 24 20:11:27 2023 daemon.notice openvpn(clientFileOpenVPN)[1318]: TUN/TAP device tun0 opened
Wed May 24 20:11:27 2023 daemon.notice openvpn(clientFileOpenVPN)[1318]: do_ifconfig, ipv4=1, ipv6=0
Wed May 24 20:11:27 2023 daemon.notice openvpn(clientFileOpenVPN)[1318]: net_iface_mtu_set: mtu 1500 for tun0
Wed May 24 20:11:27 2023 daemon.notice openvpn(clientFileOpenVPN)[1318]: net_iface_up: set tun0 up
Wed May 24 20:11:27 2023 daemon.notice openvpn(clientFileOpenVPN)[1318]: net_addr_ptp_v4_add: 10.8.0.10 peer 10.8.0.9 dev tun0
Wed May 24 20:11:27 2023 daemon.notice openvpn(clientFileOpenVPN)[1318]: /usr/libexec/openvpn-hotplug up clientFileOpenVPN tun0 1500 1622 10.8.0.10 10.8.0.9 init
Wed May 24 20:11:27 2023 daemon.notice openvpn(clientFileOpenVPN)[1318]: net_route_v4_add: ***/32 via 192.168.192.1 dev [NULL] table 0 metric -1
Wed May 24 20:11:27 2023 daemon.notice openvpn(clientFileOpenVPN)[1318]: net_route_v4_add: 0.0.0.0/1 via 10.8.0.9 dev [NULL] table 0 metric -1
Wed May 24 20:11:27 2023 daemon.notice openvpn(clientFileOpenVPN)[1318]: net_route_v4_add: 128.0.0.0/1 via 10.8.0.9 dev [NULL] table 0 metric -1
Wed May 24 20:11:27 2023 daemon.notice openvpn(clientFileOpenVPN)[1318]: net_route_v4_add: 192.168.178.0/24 via 10.8.0.9 dev [NULL] table 0 metric -1
Wed May 24 20:11:27 2023 daemon.notice openvpn(clientFileOpenVPN)[1318]: net_route_v4_add: 10.8.0.0/24 via 10.8.0.9 dev [NULL] table 0 metric -1
Wed May 24 20:11:27 2023 daemon.notice openvpn(clientFileOpenVPN)[1318]: net_route_v4_add: 10.8.0.1/32 via 10.8.0.9 dev [NULL] table 0 metric -1
Wed May 24 20:11:27 2023 daemon.warn openvpn(clientFileOpenVPN)[1318]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Wed May 24 20:11:27 2023 daemon.notice openvpn(clientFileOpenVPN)[1318]: Initialization Sequence Completed

I don't know if you guys want to see my dnsmasq.conf and my resolv.conf.auto?

Try removing this directive from your server...

(be sure to leave the 1.1.1.1 DNS push)

I will make the change, hang on.

I removed the directive you said, and the DNS push of 1.1.1.1 is still present. But I can only ping the IP address and not google.com

It is OK.

What is output with errors/warnings trying to ping google.com?

Still the same error: ping: bad address 'google.com'

OK, btw 'push dhcp-option' is effective on Windows OS. Try to use up/down scripts.

I tried it, but do you have a good example for me? When I tried up/down scripts (assigned to the client script) I also had an error, but I can't remember which error.

See Need help writing a shell script [openvpn dns resolver switchout], but it is not very simple.

Hahah well damn, I am going to try this thank you :+1:

Try initially to manually update DNS in console.

How do I do that?

I see in my version 22.03.5:

root@OpenWrt:/tmp/resolv.conf.d# cat resolv.conf.auto
# Interface wan
nameserver 208.67.222.222
nameserver 208.67.220.220

So try manually editing the file /tmp/resolv.conf.d/resolv.conf.auto, and check ping google.com

See /etc/config/dhcp:
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'

You can create a separate file similar to resolv.conf.auto, and change the option in UCI, as is done in that discussion.
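An up/down script that does what the two posts above describe (build a resolv file in the shape of resolv.conf.auto from the DNS servers the server pushes, then flip the UCI resolvfile option and restart dnsmasq), as an added example that is not from this thread or from OpenWrt. The script path /etc/openvpn/vpn-dns.sh and the resolv.conf.vpn file name are assumptions; foreign_option_N and script_type are the environment variables OpenVPN sets for up/down scripts.

```shell
#!/bin/sh
# OpenVPN up/down script for an OpenWrt client (added example, not from this thread).
# Assumptions: the client config has "script-security 2" plus
# "up /etc/openvpn/vpn-dns.sh" and "down /etc/openvpn/vpn-dns.sh", and dnsmasq reads
# its upstreams from the UCI option dhcp.@dnsmasq[0].resolvfile (see /etc/config/dhcp).
# OpenVPN exports pushed options the client itself does not consume, such as
# "dhcp-option DNS ...", to scripts as foreign_option_1, foreign_option_2, ...
# and sets script_type to "up" or "down". The resolv.conf.vpn name is an assumption.

WAN_RESOLV="/tmp/resolv.conf.d/resolv.conf.auto"
VPN_RESOLV="${VPN_RESOLV:-/tmp/resolv.conf.d/resolv.conf.vpn}"

# Print the pushed DNS server addresses, one per line, in push order.
pushed_dns_servers() {
    i=1
    while eval "opt=\"\${foreign_option_$i:-}\""; [ -n "$opt" ]; do
        case "$opt" in
            "dhcp-option DNS "*) echo "${opt#dhcp-option DNS }" ;;
        esac
        i=$((i + 1))
    done
}

# Write a resolv file shaped like resolv.conf.auto for the given servers.
# With no servers it writes nothing and returns 1, so the WAN resolvers stay in use.
write_vpn_resolv() {
    dest="$1"; shift
    [ $# -gt 0 ] || return 1
    {
        echo "# Interface ${dev:-tun0} (OpenVPN pushed DNS)"
        for s in "$@"; do echo "nameserver $s"; done
    } > "$dest"
}

# Point dnsmasq at a resolv file and restart it (OpenWrt commands, not run by the test).
switch_resolvfile() {
    uci set "dhcp.@dnsmasq[0].resolvfile=$1"
    uci commit dhcp
    /etc/init.d/dnsmasq restart
}

case "${script_type:-}" in
    up)
        set -- $(pushed_dns_servers)
        if write_vpn_resolv "$VPN_RESOLV" "$@"; then switch_resolvfile "$VPN_RESOLV"; fi ;;
    down)
        rm -f "$VPN_RESOLV"
        switch_resolvfile "$WAN_RESOLV" ;;
esac
```

On "down" the script restores the WAN resolvers, which is the step a manual edit of resolv.conf.auto does not give you.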

I will try this first then

Manually it didn't work, so I guess I have to work on the scripts

I have checked, it works for me. At least removing lines results in 'bad address' message.

Then I do something wrong.

I went to /tmp/resolv.conf.d/resolv.conf.auto and added the 1.1.1.1 but didn't do anything for me, maybe I forgot to restart the service :thinking:

Well that did the trick, I can ping to google.com now. But now when I connect my Apple TV to my network (wirelessly) then it doesn't load in anymore :thinking:

It goes via VPN, should it work?