Internet broke after adding vlan to wan interface when connected to a vpn

Hello,
I have a new ISP. In order for my OpenWrt router to be able to obtain a public IP, I had to create a VLAN device and attach it to the wan interface.
It works fine, but as soon as I connect to the VPN the internet stops working, and I cannot figure out which rule I need to add in order to reestablish internet when the VPN is connected. If I turn the VPN off I have proper internet access.
The problem, I believe, lies with the device wan.1081.
Here is the output of my network and firewall configuration:
/etc/config/network:

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ip6assign '60'
	list ipaddr '192.168.1.254/24'
	option ipv6 '0'
	option delegate '0'

config device
	option name 'wan'
	option macaddr 'xx:xx:xx:xx'

config interface 'wan'
	option proto 'dhcp'
	option ipv6 '0'
	option device 'wan.1081'

config interface 'wan6'
	option proto 'dhcpv6'
	option device 'wan.1081'
	option reqaddress 'try'
	option reqprefix 'auto'

config device
	option type '8021q'
	option ifname 'wan'
	option vid '1081'
	option name 'wan.1081'

/etc/config/firewall:

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list device 'tun0'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'

I use ProtonVPN and I followed the instructions here:
https://protonvpn.com/support/how-to-set-up-protonvpn-on-openwrt-routers/

Why does the internet break when I connect to the VPN? This is the route when the VPN is on:

If I don't tag the wan with VLAN 1081 I do not get a public IP from the ISP.

Why is there no internet only when the VPN is connected? I added tun0 to the wan zone as shown in the instructions of ProtonVPN.

With VPN connected:

Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have

ubus call system board; \
uci export network; \
uci export dhcp; uci export firewall; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
ls -l  /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; \
logread -e openvpn

Here is the output while connected to the VPN.

 uci export network; \
> uci export dhcp; uci export firewall; \
> ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
> ls -l  /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; \
> logread -e openvpn
{
	"kernel": "5.10.146",
	"hostname": "OpenWrt",
	"system": "ARMv7 Processor rev 1 (v7l)",
	"model": "Linksys WRT3200ACM",
	"board_name": "linksys,wrt3200acm",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "22.03.2",
		"revision": "r19803-9a599fee93",
		"target": "mvebu/cortexa9",
		"description": "OpenWrt 22.03.2 r19803-9a599fee93"
	}
}
package network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ip6assign '60'
	list ipaddr '192.168.1.254/24'
	option ipv6 '0'
	option delegate '0'

config device
	option name 'wan'
	option macaddr '62:38:e0:c5:36:18'

config interface 'wan'
	option proto 'dhcp'
	option ipv6 '0'
	option device 'wan.1081'

config interface 'wan6'
	option proto 'dhcpv6'
	option device 'wan.1081'
	option reqaddress 'try'
	option reqprefix 'auto'

config device
	option type '8021q'
	option ifname 'wan'
	option vid '1081'
	option name 'wan.1081'

package dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option dhcpv6 'disabled'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

package firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list device 'tun0'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
11: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.1.254/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
12: wan.1081@wan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet x.x.x.203/24 brd x.x.x.255 scope global wan.1081
       valid_lft forever preferred_lft forever
16: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN qlen 500
    inet 10.24.0.2/16 scope global tun0
       valid_lft forever preferred_lft forever
0.0.0.0/1 via 10.24.0.1 dev tun0 
default via x.x.x.254 dev wan.1081  src x.x.x.203 
10.24.0.0/16 dev tun0 scope link  src 10.24.0.2 
69.10.63.242 via x.x.x.254 dev wan.1081 
x.x.x.0/24 dev wan.1081 scope link  src x.x.x.203 
128.0.0.0/1 via 10.24.0.1 dev tun0 
192.168.1.0/24 dev br-lan scope link  src 192.168.1.254 
broadcast 10.24.0.0 dev tun0 table local scope link  src 10.24.0.2 
local 10.24.0.2 dev tun0 table local scope host  src 10.24.0.2 
broadcast 10.24.255.255 dev tun0 table local scope link  src 10.24.0.2 
broadcast x.x.x.0 dev wan.1081 table local scope link  src x.x.x.203 
local x.x.x.203 dev wan.1081 table local scope host  src x.x.x.203 
broadcast x.x.x.255 dev wan.1081 table local scope link  src x.x.x.203 
broadcast 127.0.0.0 dev lo table local scope link  src 127.0.0.1 
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1 
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1 
broadcast 192.168.1.0 dev br-lan table local scope link  src 192.168.1.254 
local 192.168.1.254 dev br-lan table local scope host  src 192.168.1.254 
broadcast 192.168.1.255 dev br-lan table local scope link  src 192.168.1.254 
0:	from all lookup local 
32766:	from all lookup main 
32767:	from all lookup default 
lrwxrwxrwx    1 root     root            16 Oct 14 22:44 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r--    1 root     root            47 Feb 20 20:48 /tmp/resolv.conf
-rw-r--r--    1 root     root           141 Feb 21 00:15 /tmp/resolv.conf.d/resolv.conf.auto

/tmp/resolv.conf.d:
-rw-r--r--    1 root     root           141 Feb 21 00:15 resolv.conf.auto
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1

==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1

==> /tmp/resolv.conf.d <==
head: /tmp/resolv.conf.d: I/O error

==> /tmp/resolv.conf.d/resolv.conf.auto <==
# Interface wan
nameserver x.x.x.x
nameserver y.y.y.y
# Interface wan6
nameserver 
nameserver 

Tue Feb 21 15:37:29 2023 daemon.warn openvpn(nj)[22626]: DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
Tue Feb 21 15:37:29 2023 daemon.notice openvpn(nj)[22626]: OpenVPN 2.5.7 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Tue Feb 21 15:37:29 2023 daemon.notice openvpn(nj)[22626]: library versions: OpenSSL 1.1.1s  1 Nov 2022, LZO 2.10
Tue Feb 21 15:37:29 2023 daemon.warn openvpn(nj)[22626]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Tue Feb 21 15:37:29 2023 daemon.notice openvpn(nj)[22626]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Tue Feb 21 15:37:29 2023 daemon.notice openvpn(nj)[22626]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Tue Feb 21 15:37:29 2023 daemon.notice openvpn(nj)[22626]: TCP/UDP: Preserving recently used remote address: [AF_INET]69.10.63.242:1194
Tue Feb 21 15:37:29 2023 daemon.notice openvpn(nj)[22626]: Socket Buffers: R=[180224->180224] S=[180224->180224]
Tue Feb 21 15:37:29 2023 daemon.notice openvpn(nj)[22626]: UDP link local: (not bound)
Tue Feb 21 15:37:29 2023 daemon.notice openvpn(nj)[22626]: UDP link remote: [AF_INET]69.10.63.242:1194
Tue Feb 21 15:37:29 2023 daemon.notice openvpn(nj)[22626]: TLS: Initial packet from [AF_INET]69.10.63.242:1194, sid=c9339168 c209e949
Tue Feb 21 15:37:29 2023 daemon.notice openvpn(nj)[22626]: VERIFY OK: depth=2, C=CH, O=ProtonVPN AG, CN=ProtonVPN Root CA
Tue Feb 21 15:37:29 2023 daemon.notice openvpn(nj)[22626]: VERIFY OK: depth=1, C=CH, O=ProtonVPN AG, CN=ProtonVPN Intermediate CA 1
Tue Feb 21 15:37:29 2023 daemon.notice openvpn(nj)[22626]: VERIFY KU OK
Tue Feb 21 15:37:29 2023 daemon.notice openvpn(nj)[22626]: Validating certificate extended key usage
Tue Feb 21 15:37:29 2023 daemon.notice openvpn(nj)[22626]: ++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Server Authentication
Tue Feb 21 15:37:29 2023 daemon.notice openvpn(nj)[22626]: ++ Certificate has EKU (oid) 1.3.6.1.5.5.7.3.2, expects TLS Web Server Authentication
Tue Feb 21 15:37:29 2023 daemon.notice openvpn(nj)[22626]: ++ Certificate has EKU (str) 1.3.6.1.5.5.8.2.2, expects TLS Web Server Authentication
Tue Feb 21 15:37:29 2023 daemon.notice openvpn(nj)[22626]: ++ Certificate has EKU (oid) 1.3.6.1.5.5.8.2.2, expects TLS Web Server Authentication
Tue Feb 21 15:37:29 2023 daemon.notice openvpn(nj)[22626]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Tue Feb 21 15:37:29 2023 daemon.notice openvpn(nj)[22626]: VERIFY EKU OK
Tue Feb 21 15:37:29 2023 daemon.notice openvpn(nj)[22626]: VERIFY OK: depth=0, CN=node-us-31.protonvpn.net
Tue Feb 21 15:37:29 2023 daemon.warn openvpn(nj)[22626]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1633', remote='link-mtu 1634'
Tue Feb 21 15:37:29 2023 daemon.warn openvpn(nj)[22626]: WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
Tue Feb 21 15:37:29 2023 daemon.notice openvpn(nj)[22626]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 4096 bit RSA, signature: RSA-SHA256
Tue Feb 21 15:37:29 2023 daemon.notice openvpn(nj)[22626]: [node-us-31.protonvpn.net] Peer Connection Initiated with [AF_INET]69.10.63.242:1194
Tue Feb 21 15:37:30 2023 daemon.notice openvpn(nj)[22626]: SENT CONTROL [node-us-31.protonvpn.net]: 'PUSH_REQUEST' (status=1)
Tue Feb 21 15:37:30 2023 daemon.notice openvpn(nj)[22626]: PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 10.31.0.1,sndbuf 524288,rcvbuf 524288,redirect-gateway def1,explicit-exit-notify,comp-lzo no,route-gateway 10.31.0.1,topology subnet,ping 10,ping-restart 60,socket-flags TCP_NODELAY,ifconfig 10.31.0.4 255.255.0.0,peer-id 983042,cipher AES-256-GCM'
Tue Feb 21 15:37:30 2023 daemon.notice openvpn(nj)[22626]: OPTIONS IMPORT: timers and/or timeouts modified
Tue Feb 21 15:37:30 2023 daemon.notice openvpn(nj)[22626]: OPTIONS IMPORT: explicit notify parm(s) modified
Tue Feb 21 15:37:30 2023 daemon.notice openvpn(nj)[22626]: OPTIONS IMPORT: compression parms modified
Tue Feb 21 15:37:30 2023 daemon.notice openvpn(nj)[22626]: OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
Tue Feb 21 15:37:30 2023 daemon.notice openvpn(nj)[22626]: Socket Buffers: R=[180224->360448] S=[180224->360448]
Tue Feb 21 15:37:30 2023 daemon.notice openvpn(nj)[22626]: OPTIONS IMPORT: --socket-flags option modified
Tue Feb 21 15:37:30 2023 daemon.warn openvpn(nj)[22626]: NOTE: setsockopt TCP_NODELAY=1 failed
Tue Feb 21 15:37:30 2023 daemon.notice openvpn(nj)[22626]: OPTIONS IMPORT: --ifconfig/up options modified
Tue Feb 21 15:37:30 2023 daemon.notice openvpn(nj)[22626]: OPTIONS IMPORT: route options modified
Tue Feb 21 15:37:30 2023 daemon.notice openvpn(nj)[22626]: OPTIONS IMPORT: route-related options modified
Tue Feb 21 15:37:30 2023 daemon.notice openvpn(nj)[22626]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Tue Feb 21 15:37:30 2023 daemon.notice openvpn(nj)[22626]: OPTIONS IMPORT: peer-id set
Tue Feb 21 15:37:30 2023 daemon.notice openvpn(nj)[22626]: OPTIONS IMPORT: adjusting link_mtu to 1656
Tue Feb 21 15:37:30 2023 daemon.notice openvpn(nj)[22626]: OPTIONS IMPORT: data channel crypto options modified
Tue Feb 21 15:37:30 2023 daemon.notice openvpn(nj)[22626]: Data Channel: using negotiated cipher 'AES-256-GCM'
Tue Feb 21 15:37:30 2023 daemon.notice openvpn(nj)[22626]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Feb 21 15:37:30 2023 daemon.notice openvpn(nj)[22626]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Feb 21 15:37:30 2023 daemon.notice openvpn(nj)[22626]: net_route_v4_best_gw query: dst 0.0.0.0
Tue Feb 21 15:37:30 2023 daemon.notice openvpn(nj)[22626]: net_route_v4_best_gw result: via x.x.x.254 dev wan.1081
Tue Feb 21 15:37:30 2023 daemon.notice openvpn(nj)[22626]: TUN/TAP device tun0 opened
Tue Feb 21 15:37:30 2023 daemon.notice openvpn(nj)[22626]: net_iface_mtu_set: mtu 1500 for tun0
Tue Feb 21 15:37:30 2023 daemon.notice openvpn(nj)[22626]: net_iface_up: set tun0 up
Tue Feb 21 15:37:30 2023 daemon.notice openvpn(nj)[22626]: net_addr_v4_add: 10.31.0.4/16 dev tun0
Tue Feb 21 15:37:30 2023 daemon.notice openvpn(nj)[22626]: /usr/libexec/openvpn-hotplug up nj tun0 1500 1584 10.31.0.4 255.255.0.0 init
Tue Feb 21 15:37:30 2023 daemon.notice openvpn(nj)[22626]: net_route_v4_add: 69.10.63.242/32 via x.x.x.254 dev [NULL] table 0 metric -1
Tue Feb 21 15:37:30 2023 daemon.notice openvpn(nj)[22626]: net_route_v4_add: 0.0.0.0/1 via 10.31.0.1 dev [NULL] table 0 metric -1
Tue Feb 21 15:37:30 2023 daemon.notice openvpn(nj)[22626]: net_route_v4_add: 128.0.0.0/1 via 10.31.0.1 dev [NULL] table 0 metric -1
Tue Feb 21 15:37:30 2023 daemon.warn openvpn(nj)[22626]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Tue Feb 21 15:37:30 2023 daemon.notice openvpn(nj)[22626]: Initialization Sequence Completed
Tue Feb 21 15:53:40 2023 daemon.err openvpn(nj)[22626]: event_wait : Interrupted system call (code=4)
Tue Feb 21 15:53:40 2023 daemon.notice openvpn(nj)[22626]: SIGTERM received, sending exit notification to peer
Tue Feb 21 15:53:41 2023 daemon.notice openvpn(nj)[22626]: net_route_v4_del: 69.10.63.242/32 via x.x.x.254 dev [NULL] table 0 metric -1
Tue Feb 21 15:53:41 2023 daemon.notice openvpn(nj)[22626]: net_route_v4_del: 0.0.0.0/1 via 10.31.0.1 dev [NULL] table 0 metric -1
Tue Feb 21 15:53:41 2023 daemon.notice openvpn(nj)[22626]: net_route_v4_del: 128.0.0.0/1 via 10.31.0.1 dev [NULL] table 0 metric -1
Tue Feb 21 15:53:41 2023 daemon.notice openvpn(nj)[22626]: Closing TUN/TAP interface
Tue Feb 21 15:53:41 2023 daemon.notice openvpn(nj)[22626]: net_addr_v4_del: 10.31.0.4 dev tun0
Tue Feb 21 15:53:42 2023 daemon.notice openvpn(nj)[22626]: /usr/libexec/openvpn-hotplug down nj tun0 1500 1584 10.31.0.4 255.255.0.0 init
Tue Feb 21 15:53:42 2023 daemon.notice openvpn(nj)[22626]: SIGTERM[soft,exit-with-notification] received, process exiting
Tue Feb 21 16:49:09 2023 daemon.warn openvpn(nj)[473]: DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
Tue Feb 21 16:49:09 2023 daemon.notice openvpn(nj)[473]: OpenVPN 2.5.7 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Tue Feb 21 16:49:09 2023 daemon.notice openvpn(nj)[473]: library versions: OpenSSL 1.1.1s  1 Nov 2022, LZO 2.10
Tue Feb 21 16:49:09 2023 daemon.warn openvpn(nj)[473]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Tue Feb 21 16:49:09 2023 daemon.notice openvpn(nj)[473]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Tue Feb 21 16:49:09 2023 daemon.notice openvpn(nj)[473]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Tue Feb 21 16:49:09 2023 daemon.notice openvpn(nj)[473]: TCP/UDP: Preserving recently used remote address: [AF_INET]69.10.63.242:5060
Tue Feb 21 16:49:09 2023 daemon.notice openvpn(nj)[473]: Socket Buffers: R=[180224->180224] S=[180224->180224]
Tue Feb 21 16:49:09 2023 daemon.notice openvpn(nj)[473]: UDP link local: (not bound)
Tue Feb 21 16:49:09 2023 daemon.notice openvpn(nj)[473]: UDP link remote: [AF_INET]69.10.63.242:5060
Tue Feb 21 16:49:09 2023 daemon.notice openvpn(nj)[473]: TLS: Initial packet from [AF_INET]69.10.63.242:5060, sid=644be1c4 975e588c
Tue Feb 21 16:49:09 2023 daemon.notice openvpn(nj)[473]: VERIFY OK: depth=2, C=CH, O=ProtonVPN AG, CN=ProtonVPN Root CA
Tue Feb 21 16:49:09 2023 daemon.notice openvpn(nj)[473]: VERIFY OK: depth=1, C=CH, O=ProtonVPN AG, CN=ProtonVPN Intermediate CA 1
Tue Feb 21 16:49:09 2023 daemon.notice openvpn(nj)[473]: VERIFY KU OK
Tue Feb 21 16:49:09 2023 daemon.notice openvpn(nj)[473]: Validating certificate extended key usage
Tue Feb 21 16:49:09 2023 daemon.notice openvpn(nj)[473]: ++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Server Authentication
Tue Feb 21 16:49:09 2023 daemon.notice openvpn(nj)[473]: ++ Certificate has EKU (oid) 1.3.6.1.5.5.7.3.2, expects TLS Web Server Authentication
Tue Feb 21 16:49:09 2023 daemon.notice openvpn(nj)[473]: ++ Certificate has EKU (str) 1.3.6.1.5.5.8.2.2, expects TLS Web Server Authentication
Tue Feb 21 16:49:09 2023 daemon.notice openvpn(nj)[473]: ++ Certificate has EKU (oid) 1.3.6.1.5.5.8.2.2, expects TLS Web Server Authentication
Tue Feb 21 16:49:09 2023 daemon.notice openvpn(nj)[473]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Tue Feb 21 16:49:09 2023 daemon.notice openvpn(nj)[473]: VERIFY EKU OK
Tue Feb 21 16:49:09 2023 daemon.notice openvpn(nj)[473]: VERIFY OK: depth=0, CN=node-us-31.protonvpn.net
Tue Feb 21 16:49:10 2023 daemon.warn openvpn(nj)[473]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1633', remote='link-mtu 1634'
Tue Feb 21 16:49:10 2023 daemon.warn openvpn(nj)[473]: WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
Tue Feb 21 16:49:10 2023 daemon.notice openvpn(nj)[473]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 4096 bit RSA, signature: RSA-SHA256
Tue Feb 21 16:49:10 2023 daemon.notice openvpn(nj)[473]: [node-us-31.protonvpn.net] Peer Connection Initiated with [AF_INET]69.10.63.242:5060
Tue Feb 21 16:49:11 2023 daemon.notice openvpn(nj)[473]: SENT CONTROL [node-us-31.protonvpn.net]: 'PUSH_REQUEST' (status=1)
Tue Feb 21 16:49:11 2023 daemon.notice openvpn(nj)[473]: PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 10.24.0.1,sndbuf 524288,rcvbuf 524288,redirect-gateway def1,explicit-exit-notify,comp-lzo no,route-gateway 10.24.0.1,topology subnet,ping 10,ping-restart 60,socket-flags TCP_NODELAY,ifconfig 10.24.0.2 255.255.0.0,peer-id 524288,cipher AES-256-GCM'
Tue Feb 21 16:49:11 2023 daemon.notice openvpn(nj)[473]: OPTIONS IMPORT: timers and/or timeouts modified
Tue Feb 21 16:49:11 2023 daemon.notice openvpn(nj)[473]: OPTIONS IMPORT: explicit notify parm(s) modified
Tue Feb 21 16:49:11 2023 daemon.notice openvpn(nj)[473]: OPTIONS IMPORT: compression parms modified
Tue Feb 21 16:49:11 2023 daemon.notice openvpn(nj)[473]: OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
Tue Feb 21 16:49:11 2023 daemon.notice openvpn(nj)[473]: Socket Buffers: R=[180224->360448] S=[180224->360448]
Tue Feb 21 16:49:11 2023 daemon.notice openvpn(nj)[473]: OPTIONS IMPORT: --socket-flags option modified
Tue Feb 21 16:49:11 2023 daemon.warn openvpn(nj)[473]: NOTE: setsockopt TCP_NODELAY=1 failed
Tue Feb 21 16:49:11 2023 daemon.notice openvpn(nj)[473]: OPTIONS IMPORT: --ifconfig/up options modified
Tue Feb 21 16:49:11 2023 daemon.notice openvpn(nj)[473]: OPTIONS IMPORT: route options modified
Tue Feb 21 16:49:11 2023 daemon.notice openvpn(nj)[473]: OPTIONS IMPORT: route-related options modified
Tue Feb 21 16:49:11 2023 daemon.notice openvpn(nj)[473]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Tue Feb 21 16:49:11 2023 daemon.notice openvpn(nj)[473]: OPTIONS IMPORT: peer-id set
Tue Feb 21 16:49:11 2023 daemon.notice openvpn(nj)[473]: OPTIONS IMPORT: adjusting link_mtu to 1656
Tue Feb 21 16:49:11 2023 daemon.notice openvpn(nj)[473]: OPTIONS IMPORT: data channel crypto options modified
Tue Feb 21 16:49:11 2023 daemon.notice openvpn(nj)[473]: Data Channel: using negotiated cipher 'AES-256-GCM'
Tue Feb 21 16:49:11 2023 daemon.notice openvpn(nj)[473]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Feb 21 16:49:11 2023 daemon.notice openvpn(nj)[473]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Feb 21 16:49:11 2023 daemon.notice openvpn(nj)[473]: net_route_v4_best_gw query: dst 0.0.0.0
Tue Feb 21 16:49:11 2023 daemon.notice openvpn(nj)[473]: net_route_v4_best_gw result: via x.x.x.254 dev wan.1081
Tue Feb 21 16:49:11 2023 daemon.notice openvpn(nj)[473]: TUN/TAP device tun0 opened
Tue Feb 21 16:49:11 2023 daemon.notice openvpn(nj)[473]: net_iface_mtu_set: mtu 1500 for tun0
Tue Feb 21 16:49:11 2023 daemon.notice openvpn(nj)[473]: net_iface_up: set tun0 up
Tue Feb 21 16:49:11 2023 daemon.notice openvpn(nj)[473]: net_addr_v4_add: 10.24.0.2/16 dev tun0
Tue Feb 21 16:49:11 2023 daemon.notice openvpn(nj)[473]: /usr/libexec/openvpn-hotplug up nj tun0 1500 1584 10.24.0.2 255.255.0.0 init
Tue Feb 21 16:49:11 2023 daemon.notice openvpn(nj)[473]: net_route_v4_add: 69.10.63.242/32 via x.x.x.254 dev [NULL] table 0 metric -1
Tue Feb 21 16:49:11 2023 daemon.notice openvpn(nj)[473]: net_route_v4_add: 0.0.0.0/1 via 10.24.0.1 dev [NULL] table 0 metric -1
Tue Feb 21 16:49:11 2023 daemon.notice openvpn(nj)[473]: net_route_v4_add: 128.0.0.0/1 via 10.24.0.1 dev [NULL] table 0 metric -1
Tue Feb 21 16:49:11 2023 daemon.warn openvpn(nj)[473]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Tue Feb 21 16:49:11 2023 daemon.notice openvpn(nj)[473]: Initialization Sequence Completed

Can you try these 2 when you are connected to vpn?
ping -c 3 1.1.1.1; ping -c 3 google.com

root@OpenWrt:/tmp/log# ping -c 3 1.1.1.1; ping -c 3 google.com
PING 1.1.1.1 (1.1.1.1): 56 data bytes
64 bytes from 1.1.1.1: seq=0 ttl=57 time=94.567 ms
64 bytes from 1.1.1.1: seq=1 ttl=57 time=95.285 ms
64 bytes from 1.1.1.1: seq=2 ttl=57 time=127.617 ms

--- 1.1.1.1 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 94.567/105.823/127.617 ms
ping: bad address 'google.com'

From the router CLI.

Thought as much.
The nameservers you have are provided by your ISP and are not reachable when you connect to VPN.
A few solutions:

  1. Add the VPN DNS 10.24.0.1 to the available DNS servers. Create a new interface, assign tun0 to it and add the custom nameserver there.
  2. If you don't care much about DNS leaks, add a couple of static routes for the nameservers of your ISP.
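
The diagnosis in the reply above can be checked from the dumps the thread already collected. This is an added example, not code from any poster: it does a longest-prefix match over `ip -4 route` output to show which device each configured resolver is reached through, and checks whether the resolver pushed in the OpenVPN log is in the list dnsmasq uses. The function names are hypothetical, and the routes and resolver addresses are constructed (documentation ranges standing in for the redacted values).

```shell
#!/bin/sh
# Added example, not from the thread. ROUTES and RESOLV are constructed:
# 203.0.113.0/24 and 198.51.100.53/.54 are documentation addresses standing
# in for the WAN subnet and ISP resolvers that the posts redact as x.x.x.x.
ROUTES='0.0.0.0/1 via 10.24.0.1 dev tun0
default via 203.0.113.254 dev wan.1081 src 203.0.113.203
10.24.0.0/16 dev tun0 scope link src 10.24.0.2
69.10.63.242 via 203.0.113.254 dev wan.1081
203.0.113.0/24 dev wan.1081 scope link src 203.0.113.203
128.0.0.0/1 via 10.24.0.1 dev tun0
192.168.1.0/24 dev br-lan scope link src 192.168.1.254'

RESOLV='# Interface wan
nameserver 198.51.100.53
nameserver 198.51.100.54
# Interface wan6
nameserver
nameserver'

# The two PUSH lines as they appear in the log posted in the thread.
LOG="Tue Feb 21 15:37:30 2023 daemon.notice openvpn(nj)[22626]: PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 10.31.0.1,sndbuf 524288,rcvbuf 524288,redirect-gateway def1,explicit-exit-notify,comp-lzo no,route-gateway 10.31.0.1,topology subnet,ping 10,ping-restart 60,socket-flags TCP_NODELAY,ifconfig 10.31.0.4 255.255.0.0,peer-id 983042,cipher AES-256-GCM'
Tue Feb 21 16:49:11 2023 daemon.notice openvpn(nj)[473]: PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 10.24.0.1,sndbuf 524288,rcvbuf 524288,redirect-gateway def1,explicit-exit-notify,comp-lzo no,route-gateway 10.24.0.1,topology subnet,ping 10,ping-restart 60,socket-flags TCP_NODELAY,ifconfig 10.24.0.2 255.255.0.0,peer-id 524288,cipher AES-256-GCM'"

# Print the DNS server(s) from the most recent PUSH_REPLY in a log on stdin.
pushed_dns() {
    grep 'PUSH_REPLY' | tail -n 1 | tr ',' '\n' |
        sed -n 's/^dhcp-option DNS \([0-9.]*\).*/\1/p'
}

# Print the non-empty IPv4 nameservers from resolv.conf-style text on stdin.
configured_dns() {
    awk '$1 == "nameserver" && $2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $2 }'
}

# Longest-prefix match of IPv4 address $1 against main-table `ip -4 route`
# text on stdin; prints the device the packet would leave through.
egress_dev() {
    awk -v ip="$1" '
    function num(a,   o) { split(a, o, "."); return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4] }
    BEGIN { best = -1 }
    $1 != "default" && $1 !~ /^[0-9]/ { next }   # skip "local"/"broadcast" rows
    {
        dst = $1; len = 32
        if (dst == "default") { dst = "0.0.0.0"; len = 0 }
        else if (split(dst, p, "/") == 2) { dst = p[1]; len = p[2] + 0 }
        dev = ""
        for (i = 2; i < NF; i++) if ($i == "dev") dev = $(i + 1)
        size = 2 ^ (32 - len)
        if (dev != "" && len > best && int(num(ip) / size) == int(num(dst) / size)) {
            best = len; out = dev
        }
    }
    END { print out }'
}

# $1 = routes, $2 = resolv text, $3 = openvpn log.
# Shows where queries to each configured resolver leave the router, then
# whether the resolver the VPN pushed is among the configured ones.
dns_report() {
    for ns in $(printf '%s\n' "$2" | configured_dns); do
        echo "$ns -> $(printf '%s\n' "$1" | egress_dev "$ns")"
    done
    for p in $(printf '%s\n' "$3" | pushed_dns); do
        if printf '%s\n' "$2" | configured_dns | grep -qxF "$p"; then
            echo "pushed $p: configured"
        else
            echo "pushed $p: NOT configured"
        fi
    done
}

dns_report "$ROUTES" "$RESOLV" "$LOG"
```

On the router itself, `ip -4 route get <address>` answers the per-address question directly. The two PUSH lines copied from the thread's log carry different resolvers (10.31.0.1, then 10.24.0.1), which is why `pushed_dns` reads the most recent one.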

Shouldn't OpenVPN be overriding the ISP DNS?
When I connect to the VPN using their apps I see on ipleak.net that the DNS servers are changed.

It means that the ovpn file they provided is not pushing their DNS server but relying on my ISP's, which is not good at all.
How can I force the DNS of the VPN when I start the VPN server?
The idea is that if I disconnect from the VPN I have the normal setup; if I start adding static routes, it is not ideal.

Thanks

Ever thought of using a 3rd party DNS resolver in place of your ISP's?

You could use it for both ISP and vpn use.

Yes, I have.
This is a new setup and I am trying to get things working before I bring on a new element, so to speak.

I just want to understand what is happening for education purposes. I know of ways to work around the issue.
Thanks

I think some special file /etc/openvpn/update-resolv-conf is needed for that.

This is what ProtonVPN had to say:

Thank you for the follow-up.

In such a case, unfortunately, it seems like your router is somehow unable to properly handle the DNS requests properly, which might be caused by some malfunction or misconfiguration of the network settings themselves.
Please note that normally, the DNS requests should be automatically handled by the internal Proton VPN DNS resolvers simply by following the steps provided in our official guide. However, since after several connection attempts to use separate connection configurations the issue still persists, it is most likely that this is caused by the router itself.

That said, unfortunately, this issue seems to be out of our scope, and therefore, we will be unable to proceed forward with troubleshooting that. At this point, we would like to recommend you utilize the native Proton VPN app for your devices in order to avoid any DNS leaking.

Can you tell me, based on this guide, if it is normal that the VPN is attempting to use ISP servers?

Have you run step 3. Add DNS updater script ?

No, since they say to skip it for 21+ and I have 22.03.

I would try that first.