Connected to VPN but no internet connection

Hi all, I have set up an OpenVPN client on my Raspberry Pi, which acts as an AP, so the wireless devices connected to the AP are connected to the VPN.
The VPN server works and the AP works, but the wireless devices connected to the AP lose their Internet connection when I activate the OpenVPN client instance.
I don't know if it's the firewall, the DNS or the script.sh (the users already have static IPs).
client config

# OpenVPN client instance on the Raspberry Pi (the AP side).
client
proto udp
explicit-exit-notify
# Server address and port were redacted by the poster.
remote (ip) (port)
resolv-retry infinite
nobind
persist-key
persist-tun
# Require the server certificate to carry the server EKU and the exact
# CN below; this pins the tunnel to the intended server.
remote-cert-tls server
verify-x509-name server_16mFh07n4H6c7Tp8 name
auth SHA256
auth-nocache
cipher AES-128-GCM
tls-client
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
# Interface name drives the up script: it derives the routing table and the
# client address from the numeric suffix ("tun10" -> 10).
dev tun10
# route-nopull discards everything the server pushes (routes, dhcp-option,
# redirect-gateway), which is why the syslog later shows "cannot be used in
# this context ([PUSH-OPTIONS])". route-noexec keeps OpenVPN from adding any
# routes itself. Together they leave all routing to the up script below.
route-nopull
route-noexec
# script-security 2 is the minimum that allows an external up script to run.
script-security 2
up /etc/openvpn/script.sh
verb 3

script.sh

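#!/bin/sh
# OpenVPN "up" hook for the multi-tunnel AP: routes one wireless client
# (192.168.2.<N>) and a test host (192.168.2.<N+10>) through the tunnel
# tun<N> that just came up, using a dedicated routing table 9<N>.
# OpenVPN exports the interface name in $dev (needs "script-security 2").
IFACE="$dev"

# Numeric suffix of the interface name, e.g. "tun10" -> "10".
# The original used ${IFACE//[!0-9]/}, a bash/ash extension that a plain
# POSIX /bin/sh does not understand; sed works everywhere.
INDEX=$(printf '%s' "$IFACE" | sed 's/[^0-9]//g')
if [ -z "$INDEX" ]; then
    echo "script.sh: interface name '$IFACE' has no numeric suffix" >&2
    exit 1
fi

DEVICE_IP="192.168.2.$INDEX"          # the client that must use this tunnel
TEST_IP="192.168.2.$((INDEX + 10))"   # second host routed the same way
TABLE_NAME="9$INDEX"                  # per-tunnel policy routing table
CONDA_PORT=28153
CONDA_RANGE="$CONDA_PORT:$((CONDA_PORT + 1))"

sysctl -w net.ipv4.ip_forward=1

# NAT. Only masquerade what leaves through this tunnel, and add each rule
# once: the original appended an unscoped MASQUERADE on every tunnel up, so
# the rule was duplicated per run and applied to every outgoing interface.
iptables -w -t nat -C POSTROUTING -s 192.168.2.0/24 -o "$IFACE" -j MASQUERADE 2>/dev/null ||
    iptables -w -t nat -A POSTROUTING -s 192.168.2.0/24 -o "$IFACE" -j MASQUERADE

# Forward the CONDA port range arriving from the tunnel to the device.
iptables -w -t nat -C PREROUTING -i "$IFACE" -p tcp --dport "$CONDA_RANGE" \
    -j DNAT --to-destination "$DEVICE_IP:$CONDA_PORT" 2>/dev/null ||
    iptables -w -t nat -A PREROUTING -i "$IFACE" -p tcp --dport "$CONDA_RANGE" \
        -j DNAT --to-destination "$DEVICE_IP:$CONDA_PORT"

# The original line read "-d $DEVICE_IP-p tcp" (missing space), so iptables
# rejected it and the DNATed packets were never accepted in FORWARD.
# Restricting to -i "$IFACE" matches the DNAT rule above: only traffic that
# actually came in over the tunnel is let through to the device.
iptables -w -C FORWARD -i "$IFACE" -d "$DEVICE_IP" -p tcp --dport "$CONDA_PORT" -j ACCEPT 2>/dev/null ||
    iptables -w -A FORWARD -i "$IFACE" -d "$DEVICE_IP" -p tcp --dport "$CONDA_PORT" -j ACCEPT

# Policy routing. Remove stale rules first; "not found" on the first run
# is expected, so its stderr is silenced rather than aborting the script.
ip rule del from "$DEVICE_IP" 2>/dev/null
ip rule del from "$TEST_IP" 2>/dev/null
ip route flush table "$TABLE_NAME"
# The original read "$DEVICE_IPtable", i.e. the empty variable DEVICE_IPtable,
# so the rule for the device itself was never created.
ip rule add from "$DEVICE_IP" table "$TABLE_NAME"
ip rule add from "$TEST_IP" table "$TABLE_NAME"
ip route add default dev "$IFACE" table "$TABLE_NAME"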

/etc/config/firewall

# /etc/config/firewall on the Raspberry Pi (OpenVPN client / AP).
# Note: no zone below lists the tunnel interface (tun10), so traffic
# entering or leaving the VPN hits the default forward policy (REJECT).
config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        # masq on lan is unusual; it is normally only needed on the
        # upstream (wan / vpn) zone.
        option masq '1'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled 'false'

config include
        option path '/etc/firewall.user'


# Guest clients may reach the router itself for DNS and DHCP only.
config rule
        option target 'ACCEPT'
        option proto 'tcp udp'
        option dest_port '53'
        option name 'Guest DNS'
        option src 'guest'

config rule
        option target 'ACCEPT'
        option proto 'udp'
        option dest_port '67-68'
        option name 'Guest DHCP'
        option src 'guest'

# guest -> lan only; there is no guest -> wan (or guest -> vpn) forwarding
# here, so guest traffic cannot leave the router by this config alone.
config forwarding
        option dest 'lan'
        option src 'guest'

config zone
        option name 'guest'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'GUEST'

server.conf

# OpenVPN server (Ubuntu 20.04 host).
port 1194
proto udp
dev tun
# Drop privileges after start-up.
user nobody
group nogroup
persist-key
persist-tun
keepalive 10 120
topology subnet
# Every server instance in this thread uses 10.8.0.0/24; with two tunnels on
# the client that collides (see the tun10/tun20 ifconfig output later on).
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
# These pushes are rejected by the client shown above because it runs with
# route-nopull; the client syslog logs them as "cannot be used in this
# context ([PUSH-OPTIONS])".
push "dhcp-option DNS 1.0.0.1"
push "dhcp-option DNS 1.1.1.1"
push "redirect-gateway def1 bypass-dhcp"
# ECDHE only; no static DH parameters.
dh none
ecdh-curve prime256v1
# Control channel is encrypted and authenticated with a pre-shared key.
tls-crypt tls-crypt.key
# Revoked client certificates are rejected via this CRL.
crl-verify crl.pem
ca ca.crt
cert server_16mFh07n4H6c7Tp8.crt
key server_16mFh07n4H6c7Tp8.key
auth SHA256
cipher AES-128-GCM
ncp-ciphers AES-128-GCM
tls-server
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
client-config-dir /etc/openvpn/ccd
status /var/log/openvpn/status.log
log-append /var/log/openvpn.log
verb 3

OpenWrt Syslog

Tue Oct 26 14:24:25 2021 daemon.err openvpn(Hotspot1)[2637]: Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Tue Oct 26 14:24:25 2021 daemon.err openvpn(Hotspot1)[2637]: Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Tue Oct 26 14:24:25 2021 daemon.err openvpn(Hotspot1)[2637]: Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
Tue Oct 26 14:24:25 2021 daemon.notice openvpn(Hotspot1)[2637]: OPTIONS IMPORT: timers and/or timeouts modified
Tue Oct 26 14:24:25 2021 daemon.notice openvpn(Hotspot1)[2637]: OPTIONS IMPORT: --ifconfig/up options modified
Tue Oct 26 14:24:25 2021 daemon.notice openvpn(Hotspot1)[2637]: OPTIONS IMPORT: route-related options modified
Tue Oct 26 14:24:25 2021 daemon.notice openvpn(Hotspot1)[2637]: OPTIONS IMPORT: peer-id set
Tue Oct 26 14:24:25 2021 daemon.notice openvpn(Hotspot1)[2637]: OPTIONS IMPORT: adjusting link_mtu to 1624
Tue Oct 26 14:24:25 2021 daemon.notice openvpn(Hotspot1)[2637]: OPTIONS IMPORT: data channel crypto options modified
Tue Oct 26 14:24:25 2021 daemon.notice openvpn(Hotspot1)[2637]: Outgoing Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
Tue Oct 26 14:24:25 2021 daemon.notice openvpn(Hotspot1)[2637]: Incoming Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
Tue Oct 26 14:24:25 2021 daemon.notice openvpn(Hotspot1)[2637]: TUN/TAP device tun10 opened
Tue Oct 26 14:24:25 2021 daemon.notice openvpn(Hotspot1)[2637]: net_iface_mtu_set: mtu 1500 for tun10
Tue Oct 26 14:24:25 2021 daemon.notice openvpn(Hotspot1)[2637]: net_iface_up: set tun10 up
Tue Oct 26 14:24:25 2021 daemon.notice openvpn(Hotspot1)[2637]: net_addr_v4_add: 10.8.0.2/24 dev tun10
Tue Oct 26 14:24:25 2021 daemon.notice openvpn(Hotspot1)[2637]: /usr/libexec/openvpn-hotplug up Hotspot1 tun10 1500 1624 10.8.0.2 255.255.255.0 init
Tue Oct 26 14:24:25 2021 daemon.notice openvpn(Hotspot1)[2637]: Initialization Sequence Completed

pffff, I'm a bit lost

It looks like you don't have the tunnel assigned to a firewall zone.


How can I do that? :))

Add it to lan or make a new zone. The vpn zone needs masq enabled.

Also you're pushing routes from the server, but disabled pull on the client. Generally if you pull routes you won't need an up script.


I deleted from the server

push "dhcp-option DNS 1.0.0.1"
push "dhcp-option DNS 1.1.1.1"
push "redirect-gateway def1 bypass-dhcp"

and added the masq in the guest zone


these are the current

but how do I add the tunnel to the guest zone?
These are the current rules of guest.

Why did you delete those directives from the server? Those directives are useful, but the client config (specifically the lines below) prevents this from working and thus requires you to run that script. If anything, these client-side directives should be removed.

Is there a reason you have masquerading enabled on the lan zone? Normally this is not needed or desired.

Did you assign the VPN tunnel to the guest zone?
If you want internet access on the guest zone (and thus the VPN), you need to enable forwarding from guest > wan.


I want the script to execute, because I want only a specific user of the guest zone to use the VPN, but I don't understand how to assign the VPN tunnel to the guest zone. What do I have to do?
The guest zone already has an internet connection, but when I activate the OpenVPN client instance the affected user loses connection to the internet.

I'm guessing your tunnel is tun0 -- so that needs to be added to your firewall zone. You could instead create a new firewall zone specifically for the VPN, and then you have granular control.

I'm not exactly sure how the guest zone has internet access given that it doesn't have guest > wan forwarding specified, but I'll take your word for it.

Meanwhile, it is occurring to me that maybe there is confusion because you haven't really defined the full use case and made it clear what is the server config vs the client config when it comes to the rest of the router configs - for example, are you using 2 OpenWrt routers in a site-to-site configuration, or a road-warrior setup, or something else?

Let me explain: the Raspberry Pi acts as the client of multiple VPN servers; device1 should connect to serverVPN1, device2 to serverVPN2, etc., so ifconfig on the Pi shows multiple tun devices.

ifconfig

root@OpenWrt:~# ifconfig
br-lan    Link encap:Ethernet  HWaddr E4:5F:01:28:07:5E
          inet addr:192.168.1.171  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::e65f:1ff:fe28:75e/64 Scope:Link
          inet6 addr: fd80:7ccc:35b0::1/60 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:12096 errors:0 dropped:744 overruns:0 frame:0
          TX packets:20726 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:5140349 (4.9 MiB)  TX bytes:26624465 (25.3 MiB)

eth0      Link encap:Ethernet  HWaddr E4:5F:01:28:07:5E
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:12306 errors:0 dropped:2 overruns:0 frame:0
          TX packets:20726 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:5323629 (5.0 MiB)  TX bytes:26624465 (25.3 MiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:36 errors:0 dropped:0 overruns:0 frame:0
          TX packets:36 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:4081 (3.9 KiB)  TX bytes:4081 (3.9 KiB)

tun10     Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.3  P-t-P:10.8.0.3  Mask:255.255.255.0
          inet6 addr: fe80::4347:6c11:80e5:df4e/64 Scope:Link
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:0 (0.0 B)  TX bytes:304 (304.0 B)

tun20     Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.2  P-t-P:10.8.0.2  Mask:255.255.255.0
          inet6 addr: fe80::495f:af50:e30b:fd8/64 Scope:Link
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:0 (0.0 B)  TX bytes:304 (304.0 B)

wlan0     Link encap:Ethernet  HWaddr E4:5F:01:28:07:60
          inet addr:192.168.2.1  Bcast:192.168.2.255  Mask:255.255.255.0
          inet6 addr: fe80::e65f:1ff:fe28:760/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:19818 errors:0 dropped:0 overruns:0 frame:0
          TX packets:10940 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:25166357 (24.0 MiB)  TX bytes:5406743 (5.1 MiB)

the suggestion above does not work

Your 2 tunnels appear to be on the same subnet, which could be part of the issue.

I would recommend that you start with a 1:1 configuration and get that working first. Remove the second vpn server instance and test with the device that is supposed to connect to the first server instance. Start simple and you can build from there once things are working.

If the 1:1 setup doesn’t work, we will dig deeper into it, but you need to provide very clear indications about what is happening on each device (server and client) so that we can truly understand the configuration.


Okay, now I only have one instance. What files or commands should I provide?

Please post your openvpn server config file, as well as /etc/config/network and /etc/config/firewall -- all from the server side. We'll look at that first.

server.conf

# OpenVPN server (Ubuntu 20.04 host), after the push lines were removed.
port 1194
proto udp
dev tun
user nobody
group nogroup
persist-key
persist-tun
keepalive 10 120
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
dh none
ecdh-curve prime256v1
tls-crypt tls-crypt.key
crl-verify crl.pem
ca ca.crt
cert server_16mFh07n4H6c7Tp8.crt
key server_16mFh07n4H6c7Tp8.key
auth SHA256
cipher AES-128-GCM
ncp-ciphers AES-128-GCM
tls-server
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
client-config-dir /etc/openvpn/ccd
status /var/log/openvpn/status.log
log-append /var/log/openvpn.log
# New since the first posting: lets several clients connect with the same
# certificate CN. That removes per-client identity (and per-client ccd
# entries become ambiguous); one certificate per client is the safer default.
duplicate-cn
verb 3

there is no /etc/config/ on the server

What OS is the server running?

ubuntu 20.04

Ok.... what about the client device(s)?

Fortunately since you run the servers you can give them distinct subnets (not all 10.8.0.0). That's the first step. Also you're likely going to need policy based routing on the multi-client.

It may work better to have one server and some other locations that are now servers connect to it as clients, becoming part of one network "backbone" with client to client enabled. Firewalling can be used to restrict access between the sites.


Set up PBR and preferably use WireGuard for better performance and simpler configuration:


for the client /etc/config/firewall

# /etc/config/firewall on the client (Raspberry Pi), single-tunnel setup.
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	# masq on lan is normally not needed; see the replies below.
	option masq '1'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled 'false'

config include
	option path '/etc/firewall.user'

config rule
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '53'
	option name 'Guest DNS'
	option src 'guest'

config rule
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '67-68'
	option name 'Guest DHCP'
	option src 'guest'

config zone
	option name 'guest'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	list network 'GUEST'
	# 'tun20' is used here as a network name, but /etc/config/network
	# below defines it only as a 'config device', not as an interface,
	# so this entry does not bind the tunnel to the zone.
	list network 'tun20'
	

# Still only guest -> lan; no guest -> wan forwarding is defined.
config forwarding
	option src 'guest'
	option dest 'lan'


/etc/config/network

# /etc/config/network on the client (Raspberry Pi).
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd80:7ccc:35b0::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.171'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option gateway '192.168.1.1'
	list dns '8.8.8.8'
	list dns '1.1.1.1'

# No 'option device' here; presumably wlan0 is attached through the
# wireless config (ifconfig shows wlan0 at 192.168.2.1) - verify.
config interface 'GUEST'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.2.1'

# A bare device entry; firewall zones reference interfaces, so a
# 'config interface' with 'option device tun20' is what the zone needs.
config device
	option name 'tun20'

two things I'm seeing so far..

In your network config file, you should have something like this:

# Unmanaged interface wrapping the tunnel so a firewall zone can list it.
config interface 'OpenVPN'
	option proto 'none'
	option device 'tun20'

this would be instead of what you have here:

You've assigned this to the guest firewall zone. I would recommend putting it into its own zone like this:

# Dedicated zone for the tunnel: nothing may initiate connections from the
# VPN side into the router (input REJECT), outbound is NATed (masq).
config zone
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option name 'vpn'
	list network 'OpenVPN'

Then you can turn off masquerading on the lan and guest zones (they should probably not be masqueraded).

Finally, add forwarding from vpn > lan and/or vpn > guest (depending on which networks will use the VPN).

One last thing is that you should post your openvpn config file so we can review that, too.