HELP NEEDED with fixing routes for an OpenVPN client using a proxy to connect to the server

This is outside OpenVPN. The route that needs to be added is to the passwall proxy server's Internet address.

/etc/config/network

config route
    option target <https proxy server IPv4>/32
    option interface 'wwan'
    option gateway '192.168.8.1'

This route can stay in place whether or not the VPN is up. The proxy server IP is the public address of the machine outside your country that passwall connects to. The route causes packets (encrypted) for that one machine to go out via the regular Internet connection. All other Internet addresses will be tunneled through VPN.

I will give your solution a try.
In this case, do I need to make any modifications to the client .ovpn file, or should it route 0.0.0.0/0 to tun0.gw? Does the 0.0.0.0/0 route command override your route command?

The route to the proxy server has priority because it is more specific than the 0.0.0.0 routes. Thus the encrypted packets which need to stay outside the tunnel and go directly by regular Internet will be routed to the wan interface, but other Internet sites will use the default route into the tunnel.

I guess there is a directive or variable inside OpenVPN, such as default gateway, that I could use inside the OpenVPN config file.
I would rather have it inside the config file instead of a static route or a script that runs after tun0 creation, because due to internet interruptions the routes get regenerated by the openvpn service and every time I have to execute that route command manually.
Can I add it as a static route in OpenWrt and be sure that the routes pushed by the openvpn client do not affect the static route?
Thanks

If the proxy server is always at the same IP address you can install it as a /32 static route. OpenVPN installing and removing routes should not affect it.
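To see why the /32 wins, here is an added example (not from the thread) that replays the kernel's longest-prefix-match selection over a constructed route table modelled on this setup: the two /1 routes that redirect-gateway def1 installs via tun0, the wan and wwan defaults with the metrics from the network config, and the proxy /32 via wwan. 203.0.113.10 is a constructed stand-in for the proxy server's public address.

```shell
#!/bin/sh
# Route selection walkthrough (added example, not from the thread).
# Columns: prefix/len  egress-interface  metric
# Metrics follow the thread's network config (VPNTun 25, wan 45, wwan 55).
ROUTES_WITH_PROXY_ROUTE="
203.0.113.10/32 wwan 55
0.0.0.0/1 tun0 25
128.0.0.0/1 tun0 25
0.0.0.0/0 wan 45
0.0.0.0/0 wwan 55
"
# The same table without the /32 static route for the proxy.
ROUTES_WITHOUT_PROXY_ROUTE="
0.0.0.0/1 tun0 25
128.0.0.0/1 tun0 25
0.0.0.0/0 wan 45
0.0.0.0/0 wwan 55
"

# dotted-quad IPv4 -> unsigned 32-bit integer
ip2int() {
    echo "$1" | { IFS=. read -r a b c d; echo $(( (a << 24) | (b << 16) | (c << 8) | d )); }
}

# egress <dst-ip> <route-table>: print the interface the kernel would pick.
# The longest matching prefix wins; equal lengths are broken by the lower metric.
egress() {
    dst=$(ip2int "$1")
    best_len=-1; best_metric=0; best_if=none
    while read -r net iface metric; do
        [ -n "$net" ] || continue
        prefix=${net%/*}; len=${net#*/}
        mask=$(( (4294967295 << (32 - len)) & 4294967295 ))
        [ $(( dst & mask )) -eq $(( $(ip2int "$prefix") & mask )) ] || continue
        if [ "$len" -gt "$best_len" ] ||
           { [ "$len" -eq "$best_len" ] && [ "$metric" -lt "$best_metric" ]; }; then
            best_len=$len; best_metric=$metric; best_if=$iface
        fi
    done <<EOF
$2
EOF
    echo "$best_if"
}

# leak_report <route-table>: for a few constructed destinations, show which
# interface carries them. Only the proxy address should leave via wwan.
leak_report() {
    for ip in 203.0.113.10 1.1.1.1 198.51.100.7; do
        echo "$ip $(egress "$ip" "$1")"
    done
}

echo "with the /32 proxy route:";    leak_report "$ROUTES_WITH_PROXY_ROUTE"
echo "without the /32 proxy route:"; leak_report "$ROUTES_WITHOUT_PROXY_ROUTE"
```

Without the /32, the proxy's own (already encrypted) packets would be sent into tun0, which is the loop the route prevents.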


I tried your solution; it works fantastically, but there are some issues that I do not know how to solve.

First I should mention that I have to execute the up-all and down-all script commands, I mean up_script and ovpn-update-resolv-7 together, and likewise down_script and ovpn-update-resolv-7, in order to access some websites such as YouTube.

I do not have any clue why YouTube only shows online if the router (tun0) uses only its own VPN DNS server.

That said I tweaked the down_script from

# restart routing optional
service network restart 

to

# reload routing optional
service network reload

since service network restart disconnects every iface. Please correct me if I am wrong.

I would like to have all the DNS requests from the users of tun0 go via the DNS server fetched from tun0 (which is desirable) and not via other DNS servers.
I have checked the DNS servers on ipleak.net for LAN-attached devices and I could confirm that, since only IP addresses similar to the VPN public IP were resolved as DNS server, which is wise and desirable.

That said, I am wondering whether those DNS servers are pushed for the router device or for the internal proxy server as well?

How can I check that? I mean, is there something like ipleak.net for the OpenWrt CLI or not?

Due to a lot of internet disruptions with the ISP I have realised that if the internet gets interrupted the openvpn client cannot recover (I have no clue how the openvpn service deals with disconnections; does it execute down_script or not).

Anyway, for the mentioned case the openvpn syslog will loop through the following messages:

Mon Feb 12 18:02:52 2024 daemon.warn openvpn(homebrew_windscribe_swe[13158]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mon Feb 12 18:02:52 2024 daemon.notice openvpn(homebrew_windscribe_swe[13158]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Mon Feb 12 18:02:52 2024 daemon.notice openvpn(homebrew_windscribe_swe[13158]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Mon Feb 12 18:02:52 2024 daemon.notice openvpn(homebrew_windscribe_swe[13158]: TCP/UDP: Preserving recently used remote address: [AF_INET]127.0.0.1:1081
Mon Feb 12 18:02:52 2024 daemon.notice openvpn(homebrew_windscribe_swe[13158]: Attempting to establish TCP connection with [AF_INET]127.0.0.1:1081 [nonblock]
Mon Feb 12 18:02:52 2024 daemon.notice openvpn(homebrew_windscribe_swe[13158]: TCP connection established with [AF_INET]127.0.0.1:1081
Mon Feb 12 18:02:52 2024 daemon.notice openvpn(homebrew_windscribe_swe[13158]: TCP_CLIENT link local: (not bound)
Mon Feb 12 18:02:52 2024 daemon.notice openvpn(homebrew_windscribe_swe[13158]: TCP_CLIENT link remote: [AF_INET]127.0.0.1:1081
Mon Feb 12 18:02:57 2024 daemon.err openvpn(homebrew_windscribe_swe[13158]: Connection reset, restarting [-1]
Mon Feb 12 18:02:57 2024 daemon.notice openvpn(homebrew_windscribe_swe[13158]: SIGUSR1[soft,connection-reset] received, process restarting
Mon Feb 12 18:04:41 2024 daemon.warn odhcpd[1640]: No default route present, overriding ra_lifetime!

I think for the above case tun0 does not execute the down-all script.

Anyway, I would like to know if there is any smart solution that makes the router recover from the unresponsive tun0.

I presume tun0 should be constantly monitored for internet connection; once it is down, an outside script should be triggered that first gives the proxy server a grace time to recover from the disconnection and then re-establishes the tun0 connection again.

Any assistance that could deal with ISP disconnection is really appreciated.

That said, I have collected the following log messages for different cases:

Case 1 [Not using the ovpn-update-resolv-7 script]

Sat Feb 10 20:37:41 2024 daemon.warn dnsmasq[1]: possible DNS-rebind attack detected: www.youtube.com
Sat Feb 10 20:37:54 2024 daemon.warn dnsmasq[1]: possible DNS-rebind attack detected: accounts.youtube.com
Sat Feb 10 20:37:54 2024 daemon.warn dnsmasq[1]: possible DNS-rebind attack detected: accounts.youtube.com

Case 2 [Interruptions from the ISP that cause the proxy server and consequently the openvpn client to fail. In order to recover, the openvpn service should stop, then wait for the proxy server to recover, and then the openvpn client should restart again]

Mon Feb 12 16:25:15 2024 daemon.notice netifd: Network device 'lan1' link is up
Mon Feb 12 16:25:16 2024 daemon.warn odhcpd[1640]: No default route present, overriding ra_lifetime!
Mon Feb 12 16:25:17 2024 daemon.warn odhcpd[1640]: No default route present, overriding ra_lifetime!
Mon Feb 12 16:25:18 2024 daemon.warn odhcpd[1640]: No default route present, overriding ra_lifetime!
Mon Feb 12 16:25:26 2024 daemon.info dnsmasq-dhcp[1]: DHCPDISCOVER(br-lan) 192.168.50.115 1c:61:b4:89:dc:b9
Mon Feb 12 16:25:26 2024 daemon.info dnsmasq-dhcp[1]: DHCPOFFER(br-lan) 192.168.50.115 1c:61:b4:89:dc:b9
Mon Feb 12 16:25:26 2024 daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(br-lan) 192.168.50.115 1c:61:b4:89:dc:b9
Mon Feb 12 16:25:26 2024 daemon.info dnsmasq-dhcp[1]: DHCPACK(br-lan) 192.168.50.115 1c:61:b4:89:dc:b9 TAB-SFPR7
Mon Feb 12 16:26:57 2024 daemon.warn openvpn(homebrew_windscribe_swe[10256]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mon Feb 12 16:26:57 2024 daemon.notice openvpn(homebrew_windscribe_swe[10256]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Mon Feb 12 16:26:57 2024 daemon.notice openvpn(homebrew_windscribe_swe[10256]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Mon Feb 12 16:26:57 2024 daemon.notice openvpn(homebrew_windscribe_swe[10256]: TCP/UDP: Preserving recently used remote address: [AF_INET]127.0.0.1:1081
Mon Feb 12 16:26:57 2024 daemon.notice openvpn(homebrew_windscribe_swe[10256]: Attempting to establish TCP connection with [AF_INET]127.0.0.1:1081 [nonblock]
Mon Feb 12 16:26:57 2024 daemon.notice openvpn(homebrew_windscribe_swe[10256]: TCP connection established with [AF_INET]127.0.0.1:1081
Mon Feb 12 16:26:57 2024 daemon.notice openvpn(homebrew_windscribe_swe[10256]: TCP_CLIENT link local: (not bound)
Mon Feb 12 16:26:57 2024 daemon.notice openvpn(homebrew_windscribe_swe[10256]: TCP_CLIENT link remote: [AF_INET]127.0.0.1:1081
Mon Feb 12 16:27:02 2024 daemon.err openvpn(homebrew_windscribe_swe[10256]: Connection reset, restarting [-1]
Mon Feb 12 16:27:02 2024 daemon.notice openvpn(homebrew_windscribe_swe[10256]: SIGUSR1[soft,connection-reset] received, process restarting

Case 3 [manually restarting the openvpn service; please consult the DHCP range and some issues with dnsmasq-full]

Mon Feb 12 16:26:57 2024 daemon.warn openvpn(homebrew_windscribe_swe[10256]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mon Feb 12 16:26:57 2024 daemon.notice openvpn(homebrew_windscribe_swe[10256]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Mon Feb 12 16:26:57 2024 daemon.notice openvpn(homebrew_windscribe_swe[10256]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Mon Feb 12 16:26:57 2024 daemon.notice openvpn(homebrew_windscribe_swe[10256]: TCP/UDP: Preserving recently used remote address: [AF_INET]127.0.0.1:1081
Mon Feb 12 16:26:57 2024 daemon.notice openvpn(homebrew_windscribe_swe[10256]: Attempting to establish TCP connection with [AF_INET]127.0.0.1:1081 [nonblock]
Mon Feb 12 16:26:57 2024 daemon.notice openvpn(homebrew_windscribe_swe[10256]: TCP connection established with [AF_INET]127.0.0.1:1081
Mon Feb 12 16:26:57 2024 daemon.notice openvpn(homebrew_windscribe_swe[10256]: TCP_CLIENT link local: (not bound)
Mon Feb 12 16:26:57 2024 daemon.notice openvpn(homebrew_windscribe_swe[10256]: TCP_CLIENT link remote: [AF_INET]127.0.0.1:1081
Mon Feb 12 16:27:02 2024 daemon.err openvpn(homebrew_windscribe_swe[10256]: Connection reset, restarting [-1]
Mon Feb 12 16:27:02 2024 daemon.notice openvpn(homebrew_windscribe_swe[10256]: SIGUSR1[soft,connection-reset] received, process restarting
Mon Feb 12 16:27:17 2024 daemon.err uhttpd[1767]: [info] luci: accepted login on / for root from 192.168.50.115
Mon Feb 12 16:27:29 2024 daemon.warn dnsmasq[1]: Maximum number of concurrent DNS queries reached (max: 150)
Mon Feb 12 16:27:39 2024 daemon.warn dnsmasq[1]: Maximum number of concurrent DNS queries reached (max: 150)
Mon Feb 12 16:27:45 2024 daemon.warn dnsmasq[1]: Maximum number of concurrent DNS queries reached (max: 150)
Mon Feb 12 16:27:52 2024 daemon.warn dnsmasq[1]: Maximum number of concurrent DNS queries reached (max: 150)
Mon Feb 12 16:28:07 2024 daemon.warn dnsmasq[1]: Maximum number of concurrent DNS queries reached (max: 150)
Mon Feb 12 16:28:31 2024 daemon.notice openvpn(homebrew_windscribe_swe[10256]: /usr/libexec/openvpn-hotplug route-pre-down homebrew_windscribe_swe tun0 0 0 10.124.148.30 255.255.254.0 init
Mon Feb 12 16:28:31 2024 daemon.notice openvpn(homebrew_windscribe_swe[10256]: Closing TUN/TAP interface
Mon Feb 12 16:28:31 2024 daemon.notice openvpn(homebrew_windscribe_swe[10256]: net_addr_v4_del: 10.124.148.30 dev tun0
Mon Feb 12 16:28:31 2024 daemon.notice ttyd[5909]: [2024/02/12 16:28:31:9527] N: rops_handle_POLLIN_netlink: DELADDR
Mon Feb 12 16:28:31 2024 daemon.notice netifd: Network device 'tun0' link is down
Mon Feb 12 16:28:31 2024 daemon.notice netifd: Interface 'VPNTun' has link connectivity loss
Mon Feb 12 16:28:31 2024 daemon.notice netifd: Interface 'VPNTun' is now down
Mon Feb 12 16:28:31 2024 daemon.notice ttyd[5909]: [2024/02/12 16:28:31:9576] N: rops_handle_POLLIN_netlink: DELADDR
Mon Feb 12 16:28:32 2024 daemon.notice openvpn(homebrew_windscribe_swe[10256]: /usr/libexec/openvpn-hotplug down homebrew_windscribe_swe tun0 0 0 10.124.148.30 255.255.254.0 init
Mon Feb 12 16:28:32 2024 daemon.notice openvpn(homebrew_windscribe_swe[10256]: SIGTERM[hard,init_instance] received, process exiting
Mon Feb 12 16:28:32 2024 daemon.notice netifd: Interface 'VPNTun' is disabled
Mon Feb 12 16:28:32 2024 user.notice ovpn-update-resolv-7[12265]: Default DNS server(s) restored
Mon Feb 12 16:28:32 2024 daemon.info dnsmasq[1]: exiting on receipt of SIGTERM
Mon Feb 12 16:28:33 2024 user.notice ovpn-update-resolv-7[12265]: udhcpc: started, v1.36.1
Mon Feb 12 16:28:33 2024 user.notice ovpn-update-resolv-7[12265]: udhcpc: broadcasting discover
Mon Feb 12 16:28:36 2024 user.notice ovpn-update-resolv-7[12265]: udhcpc: no lease, failing
Mon Feb 12 16:28:36 2024 daemon.info dnsmasq[1]: started, version 2.89 cachesize 1000
Mon Feb 12 16:28:36 2024 daemon.info dnsmasq[1]: DNS service limited to local subnets
Mon Feb 12 16:28:36 2024 daemon.info dnsmasq[1]: compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset nftset auth cryptohash DNSSEC no-ID loop-detect inotify dumpfile
Mon Feb 12 16:28:36 2024 daemon.info dnsmasq[1]: UBus support enabled: connected to system bus

Mon Feb 12 16:30:35 2024 daemon.warn openvpn(homebrew_windscribe_swe[13158]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Mon Feb 12 16:30:35 2024 daemon.notice openvpn(homebrew_windscribe_swe[13158]: VERIFY OK: depth=2, C=CA, ST=ON, L=Toronto, O=Windscribe Limited, OU=Systems, CN=Windscribe Node CA X1
Mon Feb 12 16:30:35 2024 daemon.notice openvpn(homebrew_windscribe_swe[13158]: VERIFY OK: depth=1, C=CA, ST=ON, L=Toronto, O=Windscribe Limited, OU=Systems, CN=Windscribe Node CA X2
Mon Feb 12 16:30:35 2024 daemon.notice openvpn(homebrew_windscribe_swe[13158]: VERIFY KU OK
Mon Feb 12 16:30:35 2024 daemon.notice openvpn(homebrew_windscribe_swe[13158]: Validating certificate extended key usage
Mon Feb 12 16:30:35 2024 daemon.notice openvpn(homebrew_windscribe_swe[13158]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Mon Feb 12 16:30:35 2024 daemon.notice openvpn(homebrew_windscribe_swe[13158]: VERIFY EKU OK
Mon Feb 12 16:30:35 2024 daemon.notice openvpn(homebrew_windscribe_swe[13158]: VERIFY X509NAME OK: C=CA, ST=ON, L=Toronto, O=Windscribe Limited, OU=Systems, CN=arn-30.windscribe.com
Mon Feb 12 16:30:35 2024 daemon.notice openvpn(homebrew_windscribe_swe[13158]: VERIFY OK: depth=0, C=CA, ST=ON, L=Toronto, O=Windscribe Limited, OU=Systems, CN=arn-30.windscribe.com
Mon Feb 12 16:30:35 2024 daemon.notice openvpn(homebrew_windscribe_swe[13158]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 4096 bit RSA, signature: RSA-SHA256
Mon Feb 12 16:30:35 2024 daemon.notice openvpn(homebrew_windscribe_swe[13158]: [arn-30.windscribe.com] Peer Connection Initiated with [AF_INET]127.0.0.1:1081
Mon Feb 12 16:30:35 2024 daemon.notice openvpn(homebrew_windscribe_swe[13158]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mon Feb 12 16:30:35 2024 daemon.notice openvpn(homebrew_windscribe_swe[13158]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mon Feb 12 16:30:35 2024 daemon.notice openvpn(homebrew_windscribe_swe[13158]: TUN/TAP device tun0 opened
Mon Feb 12 16:30:35 2024 daemon.notice openvpn(homebrew_windscribe_swe[13158]: net_iface_mtu_set: mtu 1500 for tun0
Mon Feb 12 16:30:35 2024 daemon.notice openvpn(homebrew_windscribe_swe[13158]: net_iface_up: set tun0 up
Mon Feb 12 16:30:35 2024 daemon.notice openvpn(homebrew_windscribe_swe[13158]: net_addr_v4_add: 10.124.148.117/23 dev tun0
Mon Feb 12 16:30:35 2024 daemon.notice openvpn(homebrew_windscribe_swe[13158]: /usr/libexec/openvpn-hotplug up homebrew_windscribe_swe tun0 1500 1626 10.124.148.117 255.255.254.0 init
Mon Feb 12 16:30:35 2024 daemon.notice netifd: Interface 'VPNTun' is enabled
Mon Feb 12 16:30:35 2024 daemon.notice netifd: Network device 'tun0' link is up
Mon Feb 12 16:30:35 2024 daemon.notice netifd: Interface 'VPNTun' has link connectivity
Mon Feb 12 16:30:35 2024 daemon.notice netifd: Interface 'VPNTun' is setting up now
Mon Feb 12 16:30:35 2024 daemon.notice netifd: Interface 'VPNTun' is now up
Mon Feb 12 16:30:36 2024 user.notice egc: ovpn-pbr-up uses interface:[tun0] = tun0 interface-up
Mon Feb 12 16:30:36 2024 daemon.notice openvpn(homebrew_windscribe_swe[13158]: Initialization Sequence Completed
Mon Feb 12 16:30:36 2024 user.notice ovpn-update-resolv-7[13285]: Exclusively using openvpn DNS server(s) from /tmp/resolv_conf.vpn
Mon Feb 12 16:30:36 2024 user.notice firewall: Reloading firewall due to ifup of VPNTun (tun0)
Mon Feb 12 16:30:36 2024 daemon.info dnsmasq[1]: exiting on receipt of SIGTERM
Mon Feb 12 16:30:36 2024 user.notice ovpn-update-resolv-7[13285]: udhcpc: started, v1.36.1
Mon Feb 12 16:30:36 2024 user.notice ovpn-update-resolv-7[13285]: udhcpc: broadcasting discover
Mon Feb 12 16:30:39 2024 user.notice ovpn-update-resolv-7[13285]: udhcpc: no lease, failing
Mon Feb 12 16:30:39 2024 daemon.info dnsmasq[1]: started, version 2.89 cachesize 1000
Mon Feb 12 16:30:39 2024 daemon.info dnsmasq[1]: DNS service limited to local subnets
Mon Feb 12 16:30:39 2024 daemon.info dnsmasq[1]: compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset nftset auth cryptohash DNSSEC no-ID loop-detect inotify dumpfile
Mon Feb 12 16:30:39 2024 daemon.info dnsmasq[1]: UBus support enabled: connected to system bus
Mon Feb 12 16:30:39 2024 daemon.info dnsmasq-dhcp[1]: DHCP, IP range 192.168.50.100 -- 192.168.50.249, lease time 12h (((((---- Why range 100-249 ----?))
Mon Feb 12 16:30:39 2024 daemon.info dnsmasq[1]: using only locally-known addresses for test
Mon Feb 12 16:30:39 2024 daemon.info dnsmasq[1]: using only locally-known addresses for onion
Mon Feb 12 16:30:39 2024 daemon.info dnsmasq[1]: using only locally-known addresses for localhost
Mon Feb 12 16:30:39 2024 daemon.info dnsmasq[1]: using only locally-known addresses for local
Mon Feb 12 16:30:39 2024 daemon.info dnsmasq[1]: using only locally-known addresses for invalid
Mon Feb 12 16:30:39 2024 daemon.info dnsmasq[1]: using only locally-known addresses for bind
Mon Feb 12 16:30:39 2024 daemon.info dnsmasq[1]: using only locally-known addresses for lan
Mon Feb 12 16:30:39 2024 daemon.info dnsmasq[1]: reading /tmp/resolv_conf.vpn
Mon Feb 12 16:30:39 2024 daemon.info dnsmasq[1]: using nameserver 10.255.255.3#53
Mon Feb 12 16:30:39 2024 daemon.info dnsmasq[1]: using only locally-known addresses for test
Mon Feb 12 16:30:39 2024 daemon.info dnsmasq[1]: using only locally-known addresses for onion
Mon Feb 12 16:30:39 2024 daemon.info dnsmasq[1]: using only locally-known addresses for localhost
Mon Feb 12 16:30:39 2024 daemon.info dnsmasq[1]: using only locally-known addresses for local
Mon Feb 12 16:30:39 2024 daemon.info dnsmasq[1]: using only locally-known addresses for invalid
Mon Feb 12 16:30:39 2024 daemon.info dnsmasq[1]: using only locally-known addresses for bind
Mon Feb 12 16:30:39 2024 daemon.info dnsmasq[1]: using only locally-known addresses for lan
Mon Feb 12 16:30:39 2024 daemon.info dnsmasq[1]: read /etc/hosts - 12 names
Mon Feb 12 16:30:39 2024 daemon.info dnsmasq[1]: read /tmp/hosts/dhcp.cfg01411c - 4 names
Mon Feb 12 16:30:39 2024 daemon.info dnsmasq[1]: read /tmp/hosts/odhcpd - 2 names
Mon Feb 12 16:30:39 2024 daemon.info dnsmasq-dhcp[1]: read /etc/ethers - 0 addresses
Mon Feb 12 16:33:25 2024 daemon.warn dnsmasq[1]: possible DNS-rebind attack detected: dns.msftncsi.com
Mon Feb 12 16:33:35 2024 daemon.warn odhcpd[1640]: No default route present, overriding ra_lifetime!

Kindly give me a clue on how to tackle the ISP interruption issues.
Thanks

From the router's command line you can use:
curl ipinfo.io
to see what is resolved for the router itself.

The pushed DNS servers are just added to the resolv.conf file (/tmp/resolv.conf.d/resolv.conf.auto) and dnsmasq will use that unless instructed differently (e.g. noresolv).

OpenVPN does indeed do a bad job at recovering from disconnections; you have to use a watchdog script to restart OpenVPN or the router after disconnections, see:
https://openwrt.org/docs/guide-user/advanced/watchcat
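A watchdog in the spirit of the monitoring described earlier in the thread (probe tun0, give the proxy a grace period, then bring the tunnel back), written here as an added example; it is not from this thread and it is not OpenWrt's watchcat package. It assumes BusyBox ping and curl are installed, that OpenVPN is managed by the openvpn init script, and that the local listener OpenVPN connects through is the SOCKS5 endpoint 127.0.0.1:1081 seen in the log; TUN_IF, PROBE_IP, PROBE_URL and the timing constants are assumptions to adjust.

```shell
#!/bin/sh
# tun0 watchdog for OpenWrt (added example; not from the thread, not watchcat).
# Probes the tunnel; after MAX_FAILS consecutive misses it stops OpenVPN (ending
# its own connect/reset loop), waits until the local proxy can reach the
# Internet again, then starts OpenVPN. All values below are assumptions.
TUN_IF="tun0"
PROBE_IP="1.1.1.1"            # pinged through the tunnel only (-I tun0)
PROXY="127.0.0.1:1081"        # local SOCKS5 listener from the log
PROBE_URL="http://ipinfo.io"  # the thread uses ipinfo.io to check egress
INTERVAL=20                   # seconds between tunnel probes
MAX_FAILS=3                   # consecutive failed probes before acting
GRACE=30                      # seconds to let the proxy settle after an outage
PROXY_WAIT_MAX=900            # stop waiting for the proxy after this long

log() { logger -t ovpn-watchdog "$*"; }

# Tunnel probe pinned to tun0, so a healthy wan/wwan cannot mask a dead tunnel.
tun_alive() { ping -c 1 -W 5 -I "$TUN_IF" "$PROBE_IP" >/dev/null 2>&1; }

# Proxy probe: can the local proxy still reach the outside world?
proxy_alive() { curl -s -m 10 --socks5-hostname "$PROXY" -o /dev/null "$PROBE_URL"; }

# Pure decision step (testable without a network): given the consecutive-failure
# count and the probe result (0 = ok), print "<new count> <action>".
next_action() {
    fails=$1; probe_rc=$2
    if [ "$probe_rc" -eq 0 ]; then
        echo "0 none"
    elif [ $((fails + 1)) -ge "$MAX_FAILS" ]; then
        echo "0 restart"
    else
        echo "$((fails + 1)) wait"
    fi
}

# Stop OpenVPN, wait for the proxy to recover, start OpenVPN again.
# Returns non-zero if the proxy did not come back within PROXY_WAIT_MAX.
recover() {
    log "tunnel $TUN_IF unresponsive, stopping openvpn and waiting for the proxy"
    /etc/init.d/openvpn stop
    sleep "$GRACE"
    waited=0
    until proxy_alive; do
        if [ "$waited" -ge "$PROXY_WAIT_MAX" ]; then
            log "proxy at $PROXY still unreachable after ${waited}s, starting openvpn anyway"
            /etc/init.d/openvpn start
            return 1
        fi
        sleep 15; waited=$((waited + 15))
    done
    log "proxy reachable again after ${waited}s, starting openvpn"
    /etc/init.d/openvpn start
}

main_loop() {
    fails=0
    while :; do
        if tun_alive; then rc=0; else rc=1; fi
        set -- $(next_action "$fails" "$rc")
        fails=$1
        case $2 in
            restart) recover; sleep 30 ;;   # give OpenVPN time to re-establish
            wait)    log "tunnel probe failed ($fails/$MAX_FAILS)" ;;
        esac
        sleep "$INTERVAL"
    done
}

# Run as: sh /etc/ovpn-watchdog.sh run &   (for example from /etc/rc.local)
case "$1" in
    run) main_loop ;;
esac
```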

@mk24
I have added the required script for openvpn disconnection discovery.
That said, I have no problem getting internet via the ethernet interface.

But what I am unable to achieve is to bring the tun0 internet to the wireless-attached devices.

I guess I know the cause of the problem, but I have no idea how to solve it.

For unknown reasons the attached wireless devices, regardless of radio0 or radio1,
get their IP addresses outside the DHCP range (192.168.50.64/26) that I decided should get their internet from tun0, which is part of br-lan.

I do not want to expand that range, but what confuses me is why the devices connected via ethernet get a correct IP within that range, while this does not apply to the wireless-attached devices.

Shall I create a separate bridge for wireless devices, or could I tweak the attached configs to solve the issue?

/etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
	option channel 'auto'
	option band '2g'
	option htmode 'HT20'
	option country 'SE'
	option cell_density '0'
	option disabled '0'
	option txpower '20'

config wifi-iface 'conf_ap_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'Conf24GHz'
	option encryption 'psk2'
	option key '0000000000'
	option disabled '1'

config wifi-device 'radio1'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
	option channel 'auto'
	option band '5g'
	option htmode 'VHT80'
	option country 'SE'
	option cell_density '0'
	option txpower '20'
	option disabled '0'

config wifi-iface 'conf_ap_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'Conf5GHz'
	option encryption 'psk2'
	option key '0000000000'
	option disabled '0'

config wifi-iface 'tpl_client_radio0'
	option device 'radio0'
	option mode 'sta'
	option network 'wwan'
	option ssid 'TPLI18'
	option encryption 'psk2+ccmp'
	option key '0000000000'
	option disabled '0'

config wifi-iface 'tpg_client_radio0'
	option device 'radio0'
	option mode 'sta'
	option network 'wwan'
	option ssid 'TPh'
	option encryption 'psk2+ccmp'
	option key '0000000000'
	option disabled '1'

config wifi-iface 'wp_client_radio1'
	option device 'radio1'
	option mode 'sta'
	option network 'wwan'
	option ssid 'WP'
	option encryption 'psk2+ccmp'
	option key '0000000000'
	option disabled '1'

config wifi-iface 'wp_client_radio0'
	option device 'radio0'
	option mode 'sta'
	option network 'wwan'
	option ssid 'WP'
	option encryption 'psk2+ccmp'
	option key '0000000000'
	option disabled '1'

config wifi-iface 'wifinet6'
	option device 'radio0'
	option mode 'ap'
	option ssid 'LS05353'
	option encryption 'psk2+ccmp'
	option key '0000000000'
	option network 'lan'
	option disabled '1'

/etc/config/dhcp
[please pay attention to the two ra_flags values that are set for the lan??]

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'
	option localuse '1'

config dhcp 'lan'
	option interface 'lan'
	option start '65'
	option limit '120'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

/etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd43:bc61:96c7::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.50.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	option peerdns '0'
	list dns '1.1.1.1'
	list dns '1.0.0.2'
	list dns '1.1.1.2'
	list dns '8.8.8.8'
	list dns '8.8.4.4'
	option metric '45'
	option dns_metric '5'

config interface 'wwan'
	option proto 'dhcp'
	option peerdns '0'
	list dns '1.1.1.2'
	list dns '1.0.0.2'
	list dns '1.1.1.1'
	list dns '8.8.8.8'
	list dns '8.8.4.4'
	option metric '55'
	option dns_metric '5'

config interface 'VPNTun'
	option proto 'none'
	option device 'tun0'
	option metric '25'
	option dns_metric '0'

/etc/config/firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	option mtu_fix '1'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled 'false'

config include
	option path '/etc/firewall.user'

config zone
	option name 'OVPN'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'VPNTun'

config forwarding
	option src 'lan'
	option dest 'OVPN'

config include 'passwall'
	option type 'script'
	option path '/var/etc/passwall.include'
	option reload '1'

config include 'passwall_server'
	option type 'script'
	option path '/var/etc/passwall_server.include'
	option reload '1'

Please correct me if I am wrong: if I define a new bridge for the wireless-attached clients with DHCP range 192.168.50.64/26, do the clients have access to the router's (192.168.50.1) web page, which is desired? If not, how can I map the router IP into the clients' range?

Thanks

This means it hands out addresses from 65 - 185.

I think you want to hand out 64 - 128:

config dhcp 'lan'
	option interface 'lan'
	option start '64'
	option limit '64'

Thanks, that solved my issue; it was my clumsy mistake. :wink:


Thanks for your suggestion. As I am going to improve the solution,
I need to include a couple of lines, which are mentioned later, into each of the
client openvpn.conf files.

Since I have more than 30 client config files, modifying each of them is not clever, so I am wondering if I could have the following lines as a common config shared among all the client files without needing to modify the client files.

I want to include the following lines into the client openvpn .conf files, and I have added the following line into the client files:

config /etc/openvpn/shared_conf/common_lines.conf
while the contents of the common_lines.conf file are as follows:

connect-retry 10
pull-filter ignore "redirect-gateway"
redirect-private def1

up /etc/openvpn/up-all
down /etc/openvpn/down-all

# if you are using sshtunnel
socks-proxy 127.0.0.1 1091

# if you are using another proxy
#socks-proxy 127.0.0.1 1081

As I tried it, it seems openvpn does not honor and merge the contents of the
common_lines.conf file at all (I have checked that the up-all/down-all scripts do not get executed).
I am wondering whether I am using the wrong directive, or whether including an extra partial config file into client.conf is not possible?

The UCI configuration option config points OpenVPN at one file (which would be in native OpenVPN format) and ignores the rest of the UCI block other than enabled. There is probably a native way to include sub-configurations into an OpenVPN native config file. That would be found in the OpenVPN community documentation; it is not part of OpenWrt.

Any and all files named *.conf in /etc/openvpn will be parsed on startup. You almost always don't want that, so the convention is to name native OpenVPN config files .ovpn and/or store them in a different directory. I usually create a directory under /etc/config such as /etc/config/openvpnfiles/, as the whole /etc/config tree will be preserved through a system upgrade.