CyberghostVPN OpenWrt 22.03.5 install

Hi,
I recently installed CyberGhost VPN. I am only getting TX traffic and no RX traffic. Here is my config:

config interface 'lan'
        option device 'eth1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option delegate '0'

config interface 'wan'
        option device 'eth0'
        option proto 'dhcp'
        option peerdns '0'
        list dns '1.1.1.1'
        list dns '1.0.0.1'
        option delegate '0'

config interface 'cyberghostvpn'
        option proto 'none'
        option device 'tun0'

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list device 'tun0'
        list network 'cyberghostvpn'
        list network 'wan'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

Looks like you're using openvpn. What does the system log say about the openvpn connection?

Yes, it's OpenVPN.

Sun May 21 12:25:37 2023 daemon.warn openvpn(open2)[3621]: DEPRECATED OPTION: ncp-disable. Disabling cipher negotiation is a deprecated debug feature that will be removed in OpenVPN 2.6
Sun May 21 12:25:37 2023 daemon.warn openvpn(open2)[3621]: DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
Sun May 21 12:25:37 2023 daemon.notice openvpn(open2)[3621]: OpenVPN 2.5.7 x86_64-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Sun May 21 12:25:37 2023 daemon.notice openvpn(open2)[3621]: library versions: OpenSSL 1.1.1t  7 Feb 2023, LZO 2.10
Sun May 21 12:25:37 2023 daemon.warn openvpn(open2)[3621]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sun May 21 12:25:37 2023 daemon.notice openvpn(open2)[3621]: Control Channel MTU parms [ L:1621 D:1212 EF:38 EB:0 ET:0 EL:3 ]
Sun May 21 12:25:37 2023 daemon.notice openvpn(open2)[3621]: Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
Sun May 21 12:25:37 2023 daemon.notice openvpn(open2)[3621]: Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1569,tun-mtu 1500,proto UDPv4,cipher AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-client'
Sun May 21 12:25:37 2023 daemon.notice openvpn(open2)[3621]: Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1569,tun-mtu 1500,proto UDPv4,cipher AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-server'
Sun May 21 12:25:37 2023 daemon.notice openvpn(open2)[3621]: TCP/UDP: Preserving recently used remote address: [AF_INET]102.129.143.89:443
Sun May 21 12:25:37 2023 daemon.notice openvpn(open2)[3621]: Socket Buffers: R=[212992->212992] S=[212992->212992]
Sun May 21 12:25:37 2023 daemon.notice openvpn(open2)[3621]: UDP link local: (not bound)
Sun May 21 12:25:37 2023 daemon.notice openvpn(open2)[3621]: UDP link remote: [AF_INET]102.129.143.89:443
Sun May 21 12:25:37 2023 daemon.notice openvpn(open2)[3621]: TLS: Initial packet from [AF_INET]102.129.143.89:443, sid=18076c48 8d80b176
Sun May 21 12:25:37 2023 daemon.notice openvpn(open2)[3621]: VERIFY OK: depth=1, C=RO, L=Bucharest, O=CyberGhost S.A., CN=CyberGhost Root CA, emailAddress=info@cyberghost.ro
Sun May 21 12:25:37 2023 daemon.notice openvpn(open2)[3621]: VERIFY KU OK
Sun May 21 12:25:37 2023 daemon.notice openvpn(open2)[3621]: Validating certificate extended key usage
Sun May 21 12:25:37 2023 daemon.notice openvpn(open2)[3621]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Sun May 21 12:25:37 2023 daemon.notice openvpn(open2)[3621]: VERIFY EKU OK
Sun May 21 12:25:37 2023 daemon.notice openvpn(open2)[3621]: VERIFY OK: depth=0, CN=huenenberg-rack412.nodes.gen4.ninja
Sun May 21 12:25:37 2023 daemon.warn openvpn(open2)[3621]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1569', remote='link-mtu 1553'
Sun May 21 12:25:37 2023 daemon.warn openvpn(open2)[3621]: WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
Sun May 21 12:25:37 2023 daemon.notice openvpn(open2)[3621]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 4096 bit RSA, signature: RSA-SHA256
Sun May 21 12:25:37 2023 daemon.notice openvpn(open2)[3621]: [huenenberg-rack412.nodes.gen4.ninja] Peer Connection Initiated with [AF_INET]102.129.143.89:443
Sun May 21 12:25:37 2023 daemon.notice openvpn(open2)[3621]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,route-ipv6 2000::/3,dhcp-option DNS 10.0.0.243,route-gateway 10.14.4.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.14.4.38 255.255.255.0,peer-id 2'
Sun May 21 12:25:37 2023 daemon.warn openvpn(open2)[3621]: WARNING: You have specified redirect-gateway and redirect-private at the same time (or the same option multiple times). This is not well supported and may lead to unexpected results
Sun May 21 12:25:37 2023 daemon.notice openvpn(open2)[3621]: OPTIONS IMPORT: timers and/or timeouts modified
Sun May 21 12:25:37 2023 daemon.notice openvpn(open2)[3621]: OPTIONS IMPORT: --ifconfig/up options modified
Sun May 21 12:25:37 2023 daemon.notice openvpn(open2)[3621]: OPTIONS IMPORT: route options modified
Sun May 21 12:25:37 2023 daemon.notice openvpn(open2)[3621]: OPTIONS IMPORT: route-related options modified
Sun May 21 12:25:37 2023 daemon.notice openvpn(open2)[3621]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sun May 21 12:25:37 2023 daemon.notice openvpn(open2)[3621]: OPTIONS IMPORT: peer-id set
Sun May 21 12:25:37 2023 daemon.notice openvpn(open2)[3621]: OPTIONS IMPORT: adjusting link_mtu to 1624
Sun May 21 12:25:37 2023 daemon.notice openvpn(open2)[3621]: Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Sun May 21 12:25:37 2023 daemon.notice openvpn(open2)[3621]: Outgoing Data Channel: Using 256 bit message hash 'SHA256' for HMAC authentication
Sun May 21 12:25:37 2023 daemon.notice openvpn(open2)[3621]: Incoming Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Sun May 21 12:25:37 2023 daemon.notice openvpn(open2)[3621]: Incoming Data Channel: Using 256 bit message hash 'SHA256' for HMAC authentication
Sun May 21 12:25:37 2023 daemon.notice openvpn(open2)[3621]: net_route_v4_best_gw query: dst 0.0.0.0
Sun May 21 12:25:37 2023 daemon.notice openvpn(open2)[3621]: net_route_v4_best_gw result: via 192.168.1.254 dev eth0
Sun May 21 12:25:37 2023 daemon.notice openvpn(open2)[3621]: GDG6: remote_host_ipv6=n/a
Sun May 21 12:25:37 2023 daemon.notice openvpn(open2)[3621]: net_route_v6_best_gw query: dst ::
Sun May 21 12:25:37 2023 daemon.warn openvpn(open2)[3621]: sitnl_send: rtnl: generic error (-101): Network unreachable
Sun May 21 12:25:37 2023 daemon.notice openvpn(open2)[3621]: TUN/TAP device tun0 opened
Sun May 21 12:25:37 2023 daemon.notice openvpn(open2)[3621]: do_ifconfig, ipv4=1, ipv6=0
Sun May 21 12:25:37 2023 daemon.notice openvpn(open2)[3621]: net_iface_mtu_set: mtu 1500 for tun0
Sun May 21 12:25:37 2023 daemon.notice openvpn(open2)[3621]: net_iface_up: set tun0 up
Sun May 21 12:25:37 2023 daemon.notice netifd: Interface 'cyberghostvpn' is enabled
Sun May 21 12:25:37 2023 daemon.notice netifd: Network device 'tun0' link is up
Sun May 21 12:25:37 2023 daemon.notice netifd: Interface 'cyberghostvpn' has link connectivity
Sun May 21 12:25:37 2023 daemon.notice netifd: Interface 'cyberghostvpn' is setting up now
Sun May 21 12:25:37 2023 daemon.notice openvpn(open2)[3621]: net_addr_v4_add: 10.14.4.38/24 dev tun0
Sun May 21 12:25:37 2023 daemon.notice openvpn(open2)[3621]: /usr/libexec/openvpn-hotplug up open2 tun0 1500 1624 10.14.4.38 255.255.255.0 init
Sun May 21 12:25:37 2023 daemon.notice netifd: Interface 'cyberghostvpn' is now up
Sun May 21 12:25:37 2023 user.notice firewall: Reloading firewall due to ifup of cyberghostvpn (tun0)
Sun May 21 12:25:42 2023 daemon.notice openvpn(open2)[3621]: net_route_v4_add: 102.129.143.89/32 via 192.168.1.254 dev [NULL] table 0 metric -1
Sun May 21 12:25:42 2023 daemon.notice openvpn(open2)[3621]: net_route_v4_add: 0.0.0.0/1 via 10.14.4.1 dev [NULL] table 0 metric -1
Sun May 21 12:25:42 2023 daemon.notice openvpn(open2)[3621]: net_route_v4_add: 128.0.0.0/1 via 10.14.4.1 dev [NULL] table 0 metric -1
Sun May 21 12:25:42 2023 daemon.notice openvpn(open2)[3621]: WARNING: OpenVPN was configured to add an IPv6 route. However, no IPv6 has been configured for tun0, therefore the route installation may fail or may not work as expected.
Sun May 21 12:25:42 2023 daemon.notice openvpn(open2)[3621]: add_route_ipv6(2000::/3 -> :: metric -1) dev tun0
Sun May 21 12:25:42 2023 daemon.notice openvpn(open2)[3621]: net_route_v6_add: 2000::/3 via :: dev tun0 table 0 metric -1
Sun May 21 12:25:42 2023 daemon.warn openvpn(open2)[3621]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sun May 21 12:25:42 2023 daemon.notice openvpn(open2)[3621]: Initialization Sequence Completed
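
A triage helper for the kind of log posted above, as an added example that is not part of any post in this thread: it pulls out the warnings where OpenVPN reports that the local and remote option strings disagree, together with the data-channel cipher the client initialised. The function names are hypothetical and the sample lines are constructed copies of lines from the log above.

```shell
#!/bin/sh
# Added example (not from the thread): triage an OpenVPN client log on stdin.

# Constructed sample: lines copied in shape from the log posted above.
sample_log() {
cat <<'EOF'
Sun May 21 12:25:37 2023 daemon.warn openvpn(open2)[3621]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1569', remote='link-mtu 1553'
Sun May 21 12:25:37 2023 daemon.warn openvpn(open2)[3621]: WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
Sun May 21 12:25:37 2023 daemon.notice openvpn(open2)[3621]: Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Sun May 21 12:25:42 2023 daemon.notice openvpn(open2)[3621]: Initialization Sequence Completed
EOF
}

# One "option local remote" line per "used inconsistently" warning.
option_mismatches() {
    sed -n "s/.*WARNING: '\([^']*\)' is used inconsistently, local='[^ ']* \([^']*\)', remote='[^ ']* \([^']*\)'.*/\1 \2 \3/p"
}

# Data-channel cipher the client initialised (first occurrence only).
local_cipher() {
    sed -n "s/.*Outgoing Data Channel: Cipher '\([^']*\)'.*/\1/p" | head -n 1
}

# Report findings; return 1 if the peers disagreed on any option, else 0.
triage() {
    tr_log=$(cat)
    tr_mism=$(printf '%s\n' "$tr_log" | option_mismatches)
    tr_cipher=$(printf '%s\n' "$tr_log" | local_cipher)
    echo "local data-channel cipher: ${tr_cipher:-unknown}"
    if [ -z "$tr_mism" ]; then
        echo "no option mismatches logged"
        return 0
    fi
    printf '%s\n' "$tr_mism" | while read -r opt loc rem; do
        echo "MISMATCH $opt: local=$loc remote=$rem"
    done
    return 1
}

# Stand-alone run on the sample; on the router: logread -e openvpn | triage
sample_log | triage || true
```

A non-zero return from `triage` means the two ends logged different values for at least one option, which is worth ruling out when the tunnel reports "Initialization Sequence Completed" but traffic flows in one direction only.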

Check this first: apply your VPN service's DNS servers (1.1.1.1 and 1.0.0.1).

I tested, but I have no internet connection.

  1. Make a backup of your configuration
  2. Check your settings against this:
    https://github.com/jcrincon/cyberghostvpn_openwrt_setup