Fresh reset: VPN client connects but only resolves in terminal, no webpage loads

Hi. So I did a fresh install of 19.07.7; all default, DHCP and web work fine. I then followed different guides from the VPN provider, but I mostly end up with only the terminal being able to ping any site and do curl. I do get the proper init sequence completed and the IP from the VPN, but I cannot access any webpage in a browser.

The official client-luci guide, with no kill switch, gives the same. So does following a provider guide:

Here is a pretty straightforward guide: https://support.purevpn.com/article-categories/getting-started/router/openwrt-router
Or this one, super easy: import the .ovpn / set the interface / set the FW zone
https://hide.me/en/vpnsetup/openwrt/openvpn/
The VPN log shows it is connecting fine with no error, but Firefox can't get anything.

If I set Network / Interfaces / LAN - use custom DNS: 8.8.8.8: nothing.

When I set WAN > Edit > Advanced Settings, uncheck the "Use DNS servers advertised by peer" parameter and set 4.2.2.2 for "Use custom DNS server": nothing more.

If I try Network / Firewall / WAN - edit - Advanced settings / Covered devices = tun0:

nothing more. Did a couple of reboots at each step. VPN on UDP 1194 or TCP 443 is the same.

Tried to set Firewall / Zone LAN - edit: Allow forward to destination: only the VPN interface, instead of WAN and the VPN interface, but still no change.

Here is my /etc/config/network:

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd7e:7cdc:5666::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.40.1'

config interface 'wan'
        option ifname 'eth1'
        option proto 'dhcp'
        list dns '4.2.2.2'
        option peerdns '0'

config interface 'wan6'
        option ifname 'eth1'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'

config interface 'oVpn'
        option ifname 'tun0'
        option proto 'none'
        option delegate '0'

and in /etc/config/firewall I have:


        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan'
        list device 'tun0'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'

config rule   allow icmpv6-input ....
        allow-icmpv6-forward .... all default
      allow-ipsec   ....  allow isakmp...
-----
config zone
        option network 'oVpn'
        option name 'vpn_FW'
        option mtu_fix '1'
        option input 'REJECT'
        option forward 'REJECT'
        option masq '1'
        option output 'ACCEPT'

config forwarding
        option dest 'vpn_FW'
        option src 'lan'

Thanks for any hint!

If you don't need kill switch functionality, remove all OpenVPN firewall rules.

config zone
        option network 'oVpn'
        option name 'vpn_FW'
        option mtu_fix '1'
        option input 'REJECT'
        option forward 'REJECT'
        option masq '1'
        option output 'ACCEPT'

config forwarding
        option dest 'vpn_FW'
        option src 'lan'

Adding interface tun0 to wan zone should be enough for everything to work properly.

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan'
        list device 'tun0'

At the moment you have two conflicting firewall rules with vpn interface involved. Make the changes, restart the firewall and try to ping 8.8.8.8 from a device in the lan zone. After a successful ping test, you could try to resolve the DNS issues (if any).

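An added check, not code from the thread, for the conflict the reply describes: it parses /etc/config/network and /etc/config/firewall and reports any device that ends up in more than one firewall zone. The function name zone_conflicts and the sample configs are constructed here; the sample mirrors the wan/vpn_FW layout of the first post.

```shell
#!/bin/sh
# Added audit (not from the thread): list devices bound to more than one zone.
# In the first post tun0 is a 'list device' of zone 'wan' and also lands in
# 'vpn_FW' via 'option network oVpn'; both zones then claim the VPN traffic.
# Usage: zone_conflicts /etc/config/network /etc/config/firewall
zone_conflicts() {
    awk -v q="'" '
    function val(s) { sub(/^[ \t]*(option|list)[ \t]+[A-Za-z0-9_]+[ \t]+/, "", s); gsub(q, "", s); return s }
    FNR == 1 { file++ }
    # network config: map logical interface name -> physical ifname
    file == 1 && $1 == "config" && $2 == "interface" { iface = $3; gsub(q, "", iface) }
    file == 1 && $1 == "option" && $2 == "ifname" { ifname[iface] = val($0) }
    # firewall config: collect name, networks and devices of every zone section
    file == 2 && $1 == "config" { n++; sect[n] = $2 }
    file == 2 && sect[n] == "zone" && $2 == "name" { zname[n] = val($0) }
    file == 2 && sect[n] == "zone" && $2 == "network" { nets[n] = nets[n] " " val($0) }
    file == 2 && sect[n] == "zone" && $2 == "device" { devs[n] = devs[n] " " val($0) }
    END {
        for (i = 1; i <= n; i++) {
            if (sect[i] != "zone") continue
            m = split(nets[i] " " devs[i], items, " ")
            for (j = 1; j <= m; j++) {
                d = (items[j] in ifname) ? ifname[items[j]] : items[j]
                if (index(zones[d], " " zname[i] " ") == 0) zones[d] = zones[d] " " zname[i] " "
            }
        }
        for (d in zones) {
            m = split(zones[d], z, " ")
            if (m > 1) { printf "%s:", d; for (j = 1; j <= m; j++) printf " %s", z[j]; print "" }
        }
    }' "$1" "$2"
}
# Constructed sample mirroring the first post (not the poster's actual files)
tmp=$(mktemp -d)
cat > "$tmp/network" <<'EOF'
config interface 'wan'
        option ifname 'eth1'
config interface 'oVpn'
        option ifname 'tun0'
EOF
cat > "$tmp/firewall" <<'EOF'
config zone
        option name 'wan'
        option network 'wan'
        list device 'tun0'
config zone
        option network 'oVpn'
        option name 'vpn_FW'
EOF
zone_conflicts "$tmp/network" "$tmp/firewall"   # prints: tun0: wan vpn_FW
```

Run it against the real files on the router; an empty result means every device sits in exactly one zone, which is what the reply's layout (tun0 only in wan) gives.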

Hi. So I spent the day on it again, and thanks for the tips, as now it does work when plugged into the ISP. I was plugged before into a first router running a VPN client. I think it looks more like something with some port, perhaps. But part of the same problem is still present.

So ISP -> OpenWrt with VPN client: all runs OK.

Now, if I plug in a Windows 10 PC and fire up the OpenVPN GUI, I do get a connection, but no web page loads. I can ping / curl anything from the command prompt.

Same with a Linux terminal, and the same if I plug a second router into the first one: terminal OK, web page in browser: not.

So from a fresh install as per the wiki guide: set up the OpenVPN client, no VLAN, no script, DNS set in the LAN section. Basic setup as wiki 4.1b/6b with tun+. And all works fine with a PC connected without another VPN client.

OpenWrt runs the VPN on UDP 1194; if I run the Win10 or other on TCP 443 or TCP 1194 it doesn't pass either. I see the auto-created ovpn zone does create a random port/IP in the 10.10.. range in order to pass/assign tun, I guess. Is a port forward to this zone or something doable?

I just need to have an OpenVPN client running on the Win10 that will be plugged into the OpenWrt, which already has a VPN client running too.

*If I set up an stunnel on the client machine it works fine, and goes using the VPN route of pfSense.

Thanks again