Destination Port Unreachable

There are other threads with this question, but none of them worked for me, and their config files are different from mine.

I have my computer connected to Raspberry PI wirelessly. I am using Raspberry PI as a router.

When VPN is off:

  • Internet works on my computer (and obviously internet works inside Raspberry PI).

When VPN is on:

  • Internet does not work on my computer: I get a 'Destination Port Unreachable' error when I run `ping google.com` on it. However, internet works inside the Raspberry PI.

Following are files:
cat firewall

# /etc/config/firewall as pasted in the thread (review comments added; no directive changed).
# Zone policies: 'input' is traffic addressed to the router itself, 'output' traffic
# originating from it, 'forward' traffic between interfaces of the same zone; traffic
# between two zones is only allowed by a 'config forwarding' stanza.
config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

# lan zone (the 'lan' interface, i.e. br-lan in the network file): fully open towards
# the router and between lan interfaces.
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

# wan zone: 'input ACCEPT' here means anything on the internet-facing side can reach any
# service listening on the router; later in the thread it is changed to 'REJECT', which is
# the usual setting for a wan zone.
# NOTE(review): the VPN tunnel is not a member of this zone. 'tun0' is a device name, not
# a network name, so it is attached either with `list device 'tun0'` in this stanza or by
# creating a dummy `config interface 'vpn'` (option device 'tun0', option proto 'none') in
# /etc/config/network and adding 'vpn' to the network list below -- the fix that resolved
# the thread. Until then, lan traffic routed into tun0 is covered by no zone's masquerade
# or forwarding rules, which fits the ICMP "Destination Port Unreachable" replies the
# computer received from the router (what a REJECT target typically produces).
config zone
	option name 'wan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	# masq: NAT lan sources behind the zone's address; mtu_fix: clamp TCP MSS to the path MTU.
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	list network 'wwan'

# The only cross-zone forwarding: lan clients may go out through the wan zone (and so
# through tun0 once that device is a member of it).
config forwarding
	option src 'lan'
	option dest 'wan'

# Lets the upstream DHCP server renew the router's own lease (UDP/68 to the router).
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

# Accepts ICMPv4 echo-request from the wan side to the router itself, with no rate limit
# (the ICMPv6 rules below carry 'limit 1000/sec').
config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

# IGMP from the wan side to the router.
config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

# DHCPv6 replies (UDP/546) where both source and destination fall within fc00::/6.
config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

# MLD (ICMPv6 types 130/131/132/143) from link-local sources only.
config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

# ICMPv6 types needed for basic IPv6 operation (echo, errors, ND/RA), addressed to the
# router, rate-limited to 1000/sec.
config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# Same idea for ICMPv6 forwarded from wan to any zone ('dest *'), without the ND/RA types.
config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# NOTE(review): the next two rules forward IPsec ESP and IKE (UDP/500) from the wan side
# INTO the lan zone. They are only useful if a lan host terminates IPsec; otherwise
# consider disabling both (option enabled 'false', as the traceroute rule below does).
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# Disabled ('enabled false'), so this rule currently has no effect.
config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled 'false'

# Hand-written rules are also loaded from this file; its contents are not shown in the thread.
config include
	option path '/etc/firewall.user'

cat network

# /etc/config/network as pasted in the thread (review comments added; no directive changed).
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

# IPv6 ULA prefix handed out on the lan (see 'ip6assign' below).
config globals 'globals'
	option ula_prefix 'fd76:8644:bd30::/48'

# Bridge carrying the wired port; the radio1 access point also joins 'lan' via the
# wireless config, so wired and wireless clients share this bridge.
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

# lan: static RFC1918 address (changed to 192.168.1.15 during the thread). This is the
# address the computer's ICMP "Destination Port Unreachable" replies came from.
config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.15'
	option netmask '255.255.255.0'
	option ip6assign '60'
        option force_link '1'

# wwan: upstream link, the radio0 station that joins the 'home' SSID. Address via DHCP;
# 'peerdns 0' ignores the DNS servers offered by the upstream lease and uses the listed
# public resolvers instead.
# NOTE(review): there is no interface for the VPN tunnel here. The fix adopted later in
# the thread adds `config interface 'vpn'` with option device 'tun0' and option proto
# 'none' (or, alternatively, attaches tun0 directly to the wan firewall zone with
# `list device 'tun0'` -- one of the two, not both).
config interface 'wwan'
        option proto 'dhcp'
        option peerdns '0'
        option dns '1.1.1.1 8.8.8.8'
        

cat openvpn

# /etc/config/openvpn as pasted in the thread (review comments added; no directive changed).
# OpenVPN client instance towards the provider over UDP/1195; 'pull 1' accepts options
# pushed by the server (routes, DNS), which is presumably where the default route through
# tun0 comes from -- confirm in the OpenVPN log at verb 3.
config openvpn 'CA_expressvpn'
	option enabled '1'
	option client '1'
	option proto 'udp'
	option dev 'tun'
	option fast_io '1'
	option persist_key '1'
	option persist_tun '1'
	option nobind '1'
	# Hostname redacted by the poster; 'remote_random' only matters with several remotes.
	list remote 'something.expressnetw.com'
	option port '1195'
	option remote_random '1'
	option pull '1'
	# Compression disabled.
	option comp_lzo 'no'
	option tls_client '1'
	# NOTE(review): the value below reads like a placeholder from the paste; the real
	# expected server name belongs here, otherwise server identity is not checked.
	option verify_x509_name 'Server name-prefix'
	# NOTE(review): legacy option; newer OpenVPN releases replaced it with
	# remote-cert-tls -- check the OpenVPN version on the router and its log.
	option ns_cert_type 'server'
	# NOTE(review): route-method is a Windows-only OpenVPN option and is presumably
	# ignored on OpenWrt -- verify in the log.
	option route_method 'exe'
	option route_delay '2'
	# MTU tuning: 1500-byte tunnel MTU, fragment at 1300, clamp TCP MSS to 1200.
	option tun_mtu '1500'
	option fragment '1300'
	option mssfix '1200'
	option verb '3'
	# Data channel: AES-256-CBC with SHA512 HMAC; 'keysize' is a legacy option.
	option cipher 'AES-256-CBC'
	option keysize '256'
	option auth 'SHA512'
	option sndbuf '524288'
	option rcvbuf '524288'
	# Credentials: CA, client cert/key, tls-auth key (direction 1) and a username/password
	# file. user.key, ta.key and user.auth hold secrets -- keep them readable by root only.
	option ca '/etc/openvpn/ca.crt'
	option cert '/etc/openvpn/user.crt'
	option key '/etc/openvpn/user.key'
	option tls_auth '/etc/openvpn/ta.key'
	option key_direction '1'
	option auth_user_pass '/etc/openvpn/user.auth'

cat wireless

# /etc/config/wireless as pasted in the thread (review comments added; no directive changed).
# Both PSKs in this file are stored in clear text, so the file itself is a secret; the
# values here ('password', 'somepass') look like placeholders from the paste.
# radio0: 2.4 GHz ('11g'), channel 7, HT20; the path suggests the on-board SDIO radio.
config wifi-device 'radio0'
	option type 'mac80211'
	option channel '7'
	option hwmode '11g'
	option path 'platform/soc/fe300000.mmcnr/mmc_host/mmc1/mmc1:0001/mmc1:0001:1'
	option htmode 'HT20'
	option disabled '0'
	option short_gi_40 '0'
	option cell_density '0'

# Station (client) on radio0 joining the 'home' SSID; it provides the 'wwan' interface,
# i.e. the router's upstream.
config wifi-iface 'wifinet1'
	option device 'radio0'
	option mode 'sta'
	option network 'wwan'
	option ssid 'home'
	option encryption 'psk2'
	option key 'password'

# radio1: a USB adapter (path under usb1), also 2.4 GHz ('11g'), channel 11, HT20.
# NOTE(review): channels 7 and 11 overlap in the 2.4 GHz band, so the two radios may
# interfere with each other -- unrelated to the VPN problem, but worth checking.
config wifi-device 'radio1'
	option type 'mac80211'
	option channel '11'
	option hwmode '11g'
	option path 'scb/fd500000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0/usb1/1-1/1-1.3/1-1.3:1.0'
	option htmode 'HT20'
	option disabled '0'

# Access point on radio1, bridged into 'lan' (br-lan) with WPA2-PSK.
config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'RaspberryPi4'
	option encryption 'psk2'
    option key 'somepass'

Your problem appears to be stated in the title, but you didn't really explain the symptoms.

Destination port unreachable from where to where?

In general, when you have a VPN enabled, the default route is often through the VPN itself, so if you need certain things to bypass the VPN, you need to use (VPN) Policy Based Routing.

Destination port unreachable from where to where?

When I ping google.com on a computer, terminal shows this error. But when I do ping google.com inside the raspberry pi router, I see no problem.

Well, we should start by looking at this -- your LAN address is not correct.
This should be an RFC1918 address.

I have changed it to 192.168.1.15. Still same issue. When VPN is off, internet does not work on the computer but it does work inside the raspberry pi.

I don't want to bypass anything. I want everything to go through this vpn.
Basically, I want to use the VPN so I can mask my location. That's all. So whenever I am connected to my work computer, I want them to see that I am connected from xyz location.

It looks like you don't have your VPN assigned to a firewall zone. Assign tun0 to your wan zone.

Also -- this is really important: change the wan zone INPUT to reject! This is critical because your router is currently exposed to the internet.

Can you please help me with the config? How do I do both of them?

let's see the output of this:
uci show firewall.@zone[1]

root@OpenWrt:/etc/config# uci show firewall.@zone[1]
firewall.cfg03dc81=zone
firewall.cfg03dc81.name='wan'
firewall.cfg03dc81.input='ACCEPT'
firewall.cfg03dc81.output='ACCEPT'
firewall.cfg03dc81.forward='REJECT'
firewall.cfg03dc81.masq='1'
firewall.cfg03dc81.mtu_fix='1'
firewall.cfg03dc81.network='wan' 'wan6' 'wwan'
# Change the wan zone's input policy so unsolicited traffic from the wan side no longer
# reaches services on the router itself.
uci set firewall.@zone[1].input='REJECT'
# NOTE(review): `uci set` takes a single key=value argument; the extra quoted words on
# the next line are passed to uci as separate shell arguments. Also, per the rest of the
# thread, 'tun0' is a device name rather than a network name, so it belongs in the zone's
# device list (`list device 'tun0'`, i.e. `uci add_list firewall.@zone[1].device='tun0'`),
# or a dummy `config interface 'vpn'` with device tun0 is created and 'vpn' is added to
# this network list -- one of the two, not both.
uci set firewall.@zone[1].network='wan' 'wan6' 'wwan' 'tun0'
# Persist the change and apply it.
uci commit firewall
/etc/init.d/firewall restart

I did this. This is the result. I still have the same problem

root@OpenWrt:/etc/config# uci show firewall.@zone[1]
firewall.cfg03dc81=zone
firewall.cfg03dc81.name='wan'
firewall.cfg03dc81.output='ACCEPT'
firewall.cfg03dc81.forward='REJECT'
firewall.cfg03dc81.masq='1'
firewall.cfg03dc81.mtu_fix='1'
firewall.cfg03dc81.network='wan' 'wan6' 'wwan' 'tun0'
firewall.cfg03dc81.input='REJECT'

what happens if you ping 8.8.8.8?

  • When VPN is on:
    • Inside Raspberry PI:
root@OpenWrt:/etc/config# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: seq=0 ttl=120 time=134.652 ms
64 bytes from 8.8.8.8: seq=1 ttl=120 time=134.153 ms
64 bytes from 8.8.8.8: seq=2 ttl=120 time=118.831 ms
^C
--- 8.8.8.8 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 118.831/129.212/134.652 ms
  • On my computer
username@username-HP-ProBook-640-G1:~$ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
From 192.168.1.15 icmp_seq=1 Destination Port Unreachable
From 192.168.1.15 icmp_seq=2 Destination Port Unreachable
From 192.168.1.15 icmp_seq=3 Destination Port Unreachable
^C
--- 8.8.8.8 ping statistics ---
3 packets transmitted, 0 received, +3 errors, 100% packet loss, time 2034ms

your problem is DNS related.

Set a public DNS such as 8.8.8.8 on the router.

You need to add tun0 to the wan zone as a device not a network.
list device 'tun0'
Or you can do it the old way and create a dummy network to associate a network name with the device.
(in /etc/config/network)

config interface 'vpn'
    option device 'tun0'
    option proto 'none'

then add 'vpn' to the list of networks in the wan zone.


How do I do that? Sorry for asking noob questions.

Hi u/psherman. It's working now. The answer by u/mk24 solved the problem. I will clean it up and post the clean solution so others who run into the same issue can solve it. Thanks

Hi mk24, thanks for your response. I did the 2nd part

config interface 'vpn'
    option device 'tun0'
    option proto 'none'

This worked. However your first part:

You need to add tun0 to the wan zone as a device not a network.

How would I do that if I were to do that?

It's an either/or choice — don't do both. The first way would be to add the `list device 'tun0'` line to the wan zone section of /etc/config/firewall.
