GL.iNet GL-MT6000 and weird openvpn routing problem

I was running a snapshot 23.x.x version of openwrt.

openvpn was running fine.

I upgraded to 24.10.2 but I don’t run openvpn regularly and after a while I discovered openvpn was not running properly anymore. I thought it was some upgrade, tried to move to a pristine status, upgraded to 24.10.3 but nothing changed.

I’ve some lans connected via openwrt/openvpn… the server and the clients are running a snapshot of 23.X.X.

My router was part of that network and had a nearly identical configuration to the other clients.

I’ve no memory of having changed anything on my client and I had the chance to compare my client configuration with other client configurations and nothing seems to point to a configuration error.

From the router I can reach other boxes on other lans… but from inside my lan I can’t. That was previously possible.

If I do

ping -I lan_ip_of_the_router box_on_another_lan

on a WORKING lan router running openvpn I can ping

but if I do the same on the problematic router I can’t

I can just do

ping -I side_of_the_PTP_connection box_on_another_lan

where side_of_the_PTP_connection is the inet addr of the tun interface.

I tried to turn off packet steering and hardware offloading but it didn’t solve the problem.

I don’t know if moving from 23 snapshot there is something else to tweak or it is some regression.

thanks

In order to understand the context, please post your configs...

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, VPN keys, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
cat /etc/config/openvpn

root@r1:~# ubus call system board
{
"kernel": "6.6.104",
"hostname": "r1",
"system": "ARMv8 Processor rev 4",
"model": "GL.iNet GL-MT6000",
"board_name": "glinet,gl-mt6000",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "24.10.3",
"revision": "r28872-daca7c049b",
"target": "mediatek/filogic",
"description": "OpenWrt 24.10.3 r28872-daca7c049b",
"builddate": "1758316778"
}
}

root@r1:~# cat /etc/config/network

config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'

config globals 'globals'
option ula_prefix 'fdcb:18f6:28cc::/48'
option packet_steering '1'

config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
list ports 'lan5'

config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '10.3.3.253'
option netmask '255.255.255.0'
option ip6assign '60'

config interface 'wan'
option device 'eth1'
option proto 'dhcp'
option peerdns '0'

config interface 'wan6'
option device 'eth1'
option proto 'dhcpv6'
option reqaddress 'try'
option reqprefix 'auto'
option norelease '1'
option peerdns '0'

config interface 'vpn0'
option proto 'none'
option device 'tun0'

config device
option type 'bridge'
option name 'br-WiFIGUEST'
option bridge_empty '1'

config interface 'WiFiGUEST'
option proto 'static'
option device 'br-WiFIGUEST'
option ipaddr '10.66.6.253'
option netmask '255.255.255.0'
option gateway '10.33.33.1'

root@r1:~# cat /etc/config/dhcp

config dnsmasq
option domainneeded '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/home.xxx.it/'
option domain 'home.xxx.it'
option expandhosts '1'
option cachesize '1000'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option localservice '1'
option ednspacket_max '1232'
list server '127.0.0.1#5353'
list server '::1#5353'
list addnhosts '/etc/hosts.lan'
option filter_aaaa '1'

config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option dhcpv6 'server'
option ra 'server'
list ra_flags 'managed-config'
list ra_flags 'other-config'

config dhcp 'wan'
option interface 'wan'
option ignore '1'

config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
option piofolder '/tmp/odhcpd-piofolder'

root@r1:~# cat /etc/openvpn/XXX.ovpn

verb 3
port 1194
proto udp4

dev tun
client
pull

keepalive 10 120
persist-key
persist-tun
fast-io
reneg-sec 0
nobind

remote YYYY
remote-cert-tls server

ca /etc/openvpn/XXX/ca.crt
tls-auth /etc/openvpn/XXX/ta.key 1
dh /etc/openvpn/XXX/dh2048.pem
cert /etc/openvpn/XXX/CCC-client.crt
key /etc/openvpn/XXX/CCC-client.key

Let's also see the firewall file.

In addition, when posting, please use the "markdown" setting in the composition window (instead of the rich text mode) since that works better with the formatting. The control is in the upper left corner of the composition formatting bar.

Sorry if I missed it.
It is the same as on the other openwrt openvpn clients, with the exception of ssh, imaps and some other service redirects.

root@r1:~# cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option flow_offloading '1'
        option flow_offloading_hw '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'WiFiGUEST'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'WiFiGUEST'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'vpn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'vpn0'

config forwarding
        option src 'lan'
        option dest 'vpn'

config forwarding
        option src 'lan'
        option dest 'WiFiGUEST'

config forwarding
        option src 'vpn'
        option dest 'lan'

config forwarding
        option src 'vpn'
        option dest 'wan'

config forwarding
        option src 'WiFiGUEST'
        option dest 'wan'

config rule
        option name 'WiFiGUESTS Allow-Ping (device)'
        option src 'WiFiGUEST'
        option proto 'icmp'
        option family 'ipv4'
        option target 'ACCEPT'
        list icmp_type 'echo-request'

config rule
        option name 'WiFiGUESTS Allow-Ping (lan)'
        option src 'WiFiGUEST'
        option proto 'icmp'
        option family 'ipv4'
        option target 'ACCEPT'
        list icmp_type 'echo-request'
        option dest 'lan'

config rule
        option src 'WiFiGUEST'
        option name 'WiFiGUEST dns'
        option dest_port '53'
        option target 'ACCEPT'

config rule
        option src 'WiFiGUEST'
        option name 'WiFiGUEST apt-cacher-ng'
        option dest_port '3142'
        option target 'ACCEPT'
        option dest 'lan'
        list dest_ip '10.3.3.2'

config rule
        option src 'WiFiGUEST'
        option name 'WiFiGUEST dhcp'
        option dest_port '67-68'
        option target 'ACCEPT'

config rule
        option src 'wan'
        option name 'ssh (r1)'
        option dest_port '2222'
        option target 'ACCEPT'

config rule
        option src 'wan'
        option name 'https (r1)'
        option dest_port '443'
        option target 'ACCEPT'
        option enabled '0'

Try enabling masquerading on this zone:

The theory is that if the OpenVPN server (and the corresponding router(s)) don't have routes defined for your networks, the traffic will not return. By turning on masquerading, the return traffic destination is known and will then be routed (via NAT masquerading) by your local router.

That's not the problem.
Enabling masquerading still doesn't work. All the other clients don't have masquerading enabled. The server is pushing several routes.

I'm pretty sure the configuration of other clients and server has not been changed. What changed has to be on my router.
I can't spot any difference between my openvpn client and the others. That doesn't mean there is NO meaningful difference, but I really really couldn't spot it.

So on another router I have

config zone
        option name 'vpn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'VPN0'

The name of the vpn network is slightly different BUT I already checked and it is consistent across all configuration files on my router.

root@XXXX:~# ping -I 192.168.2.1 192.168.1.200
PING 192.168.1.200 (192.168.1.200) from 192.168.2.1: 56 data bytes
64 bytes from 192.168.1.200: seq=0 ttl=127 time=19.784 ms

but this doesn't work
root@r1:~# ping -I 10.3.3.253 192.168.1.200

and this works

root@r1:~# ping 192.168.1.200
PING 192.168.1.200 (192.168.1.200): 56 data bytes
64 bytes from 192.168.1.200: seq=0 ttl=127 time=6.982 ms

and this works too

root@r1:~# wget -O - --no-check-certificate https://192.168.1.1
Downloading 'https://192.168.1.1'
Connecting to 192.168.1.1:443

I even deleted the ipp.txt on the server to check if there was anything stale but it didn't help.

So yeah... if anyone can spot something that sounds unreasonable in these configurations, it could be a clue that there is a difference from another working client, that I may actually have missed something copying the configuration, but this is unlikely.

The only substantial difference was that I'm using openvpn-wolfssl on the other boxes while on mine I was using openvpn-mbedtls. But the tunnel was somehow working so it couldn't have been an encryption problem. I tried to switch to openvpn-wolfssl but that didn't fix the problem.

I'd consider the GL-MT6000 a popular router among connoisseurs since it is a pretty good router, so the probability that no one is running openvpn on openwrt should be pretty low... and I shouldn't be the first one reporting this problem.
So I'm pretty cautious to call this problem a regression... but here we are.

P.S. I spotted a small difference...
ip route show table all
working router
192.168.1.0/24 via 10.88.1.9 dev tun0
not working router
192.168.1.0/24 via 10.88.1.13 dev tun0 metric 200

The metric is different for all the tun interfaces. Other than that the other route seems equivalent.
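To do the comparison from the P.S. over the whole routing table rather than by eye, here is an added POSIX sh script (not from the thread or from OpenWrt) that normalizes two `ip route show table all` dumps and reports, per prefix and device, where the metric differs or a route is missing on one side. It deliberately ignores the next hop, because every OpenVPN client has its own point-to-point peer address, and the two dumps below are constructed samples in the shape the thread shows, not captures from the poster's routers.

```shell
#!/bin/sh
# Constructed sample dumps (shape taken from the thread, values invented).
WORKING='default via 203.0.113.1 dev eth1
192.168.1.0/24 via 10.88.1.9 dev tun0
192.168.5.0/24 via 10.88.1.9 dev tun0
local 10.3.3.253 dev br-lan table local proto kernel scope host src 10.3.3.253'

BROKEN='default via 203.0.113.1 dev eth1
192.168.1.0/24 via 10.88.1.13 dev tun0 metric 200
192.168.5.0/24 via 10.88.1.13 dev tun0 metric 200
local 10.3.3.253 dev br-lan table local proto kernel scope host src 10.3.3.253'

# One line per route as "prefix|dev|metric" ("-" when no metric is set).
# The next hop is dropped on purpose: each client has its own PTP peer.
# Entries from the local table (local/broadcast) are skipped as noise.
normalize_routes() {
    awk '
    /^(local|broadcast|unreachable)/ { next }
    { prefix = $1; dev = "-"; metric = "-"
      for (i = 2; i <= NF; i++) {
          if ($i == "dev")    dev = $(i + 1)
          if ($i == "metric") metric = $(i + 1)
      }
      print prefix "|" dev "|" metric }' | sort -u
}

# Usage: route_diff "<working dump>" "<broken dump>"
# Prints one line per prefix|dev whose metric differs or is absent on one side.
route_diff() {
    { printf '%s\n' "$1" | normalize_routes | sed 's/^/A|/'
      printf '%s\n' "$2" | normalize_routes | sed 's/^/B|/'; } |
    awk -F'|' '
      { key = $2 "|" $3; m[$1, key] = $4; keys[key] = 1 }
      END {
          for (k in keys) {
              a = (("A", k) in m) ? m["A", k] : "absent"
              b = (("B", k) in m) ? m["B", k] : "absent"
              if (a != b) printf "%s metric: working=%s broken=%s\n", k, a, b
          }
      }' | sort
}

route_diff "$WORKING" "$BROKEN"
```

On a live router, replace the constructed strings with `$(ip route show table all)` from each box; an empty result means the tables agree apart from next hops.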

There is definitely some problem with the packages...
I just updated some luci packages and the situation slightly changed.

On the openvpn server I get:

Tue Oct 21 21:05:04 2025 daemon.err openvpn(XXXXX-server)[13341]: YYYY-client/37.119.20.231:39049 AEAD Decrypt error: cipher final failed

But just when e.g. I do
wget -O - --no-check-certificate https://192.168.1.1
from inside the lan, while everything runs smoothly from my lan router.

The packages upgraded are just luci-* packages and I can't understand why anything should have changed, unless some luci package started to apply some further change to the actual settings of the router starting from the same configuration.

The packages that were updated are:

luci-lib-base - 25.291.72421~ce0e605 - 25.292.66247~75e41cb
luci-lib-ip - 25.291.72421~ce0e605 - 25.292.66247~75e41cb
luci-mod-system - 25.291.72421~ce0e605 - 25.292.66247~75e41cb
luci-theme-bootstrap - 25.291.72421~ce0e605 - 25.292.66247~75e41cb
luci-lua-runtime - 25.291.72421~ce0e605 - 25.292.66247~75e41cb
luci-mod-status - 25.291.72421~ce0e605 - 25.292.66247~75e41cb
luci-app-ddns - 25.291.72421~ce0e605 - 25.292.66247~75e41cb
luci-app-firewall - 25.291.72421~ce0e605 - 25.292.66247~75e41cb
luci-app-unbound - 25.291.72421~ce0e605 - 25.292.66247~75e41cb
luci-ssl - 25.291.72421~ce0e605 - 25.292.66247~75e41cb
luci-compat - 25.291.72421~ce0e605 - 25.292.66247~75e41cb
luci-app-package-manager - 25.291.72421~ce0e605 - 25.292.66247~75e41cb
luci-proto-ppp - 25.291.72421~ce0e605 - 25.292.66247~75e41cb
luci-mod-admin-full - 25.291.72421~ce0e605 - 25.292.66247~75e41cb
luci-base - 25.291.72421~ce0e605 - 25.292.66247~75e41cb
luci-proto-ipv6 - 25.291.72421~ce0e605 - 25.292.66247~75e41cb
luci-app-wol - 25.291.72421~ce0e605 - 25.292.66247~75e41cb
luci-lib-nixio - 25.291.72421~ce0e605 - 25.292.66247~75e41cb
luci-lib-jsonc - 25.291.72421~ce0e605 - 25.292.66247~75e41cb
luci - 25.291.72421~ce0e605 - 25.292.66247~75e41cb
luci-light - 25.291.72421~ce0e605 - 25.292.66247~75e41cb
luci-mod-network - 25.291.72421~ce0e605 - 25.292.66247~75e41cb
luci-app-openvpn - 25.291.72421~ce0e605 - 25.292.66247~75e41cb