Lost internet connection after OpenVPN connection

Hello, I have two networks: 192.168.1.1/24 and 192.168.3.1/24. I've successfully managed to make an OpenVPN connection from .3.1 to .1.1.

However, when the connection is established, my internet connection stops working.
I need some help, please!

Which guide have you used to configure OpenVPN?
Establish VPN-connection, login to OpenWrt through SSH.
Show output from OpenWrt:

ip a; ip r
uci show network
uci show firewall
uci show openvpn

From Windows-client:

ipconfig /all & route print
tracert -d example.org

Or from Linux-client:

ip a; ip r
tracepath -n example.org

@vgaetera Thanks! I really appreciate your help.

Network rules and forwarding confuse me. First, the outputs:

OpenWrt:

# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP qlen 1000
    link/ether 70:4f:57:19:dd:33 brd ff:ff:ff:ff:ff:ff
    inet 150.164.44.73/24 brd 150.164.44.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::724f:57ff:fe19:dd33/64 scope link 
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br-lan state UP qlen 1000
    link/ether 70:4f:57:19:dd:31 brd ff:ff:ff:ff:ff:ff
5: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 70:4f:57:19:dd:31 brd ff:ff:ff:ff:ff:ff
    inet 192.168.3.1/24 brd 192.168.3.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 fe80::724f:57ff:fe19:dd31/64 scope link 
       valid_lft forever preferred_lft forever
6: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether 70:4f:57:19:dd:32 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::724f:57ff:fe19:dd32/64 scope link 
       valid_lft forever preferred_lft forever
7: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN qlen 100
    link/[65534] 
    inet 10.8.0.6 peer 10.8.0.5/32 scope global tun0
       valid_lft forever preferred_lft forever
# ip r
0.0.0.0/1 via 10.8.0.5 dev tun0 
default via 150.164.44.254 dev eth0 
10.8.0.1 via 10.8.0.5 dev tun0 
10.8.0.5 dev tun0  src 10.8.0.6 
128.0.0.0/1 via 10.8.0.5 dev tun0 
150.164.44.0/24 dev eth0  src 150.164.44.73 
150.164.49.175 via 150.164.44.254 dev eth0 
192.168.1.0/24 via 10.8.0.5 dev tun0 
192.168.3.0/24 dev br-lan  src 192.168.3.1 
# uci show network
network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.lan=interface
network.lan.type='bridge'
network.lan.ifname='eth1'
network.lan.proto='static'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.lan.ipaddr='192.168.3.1'
network.wan=interface
network.wan.ifname='eth0'
network.wan._orig_ifname='eth0'
network.wan._orig_bridge='false'
network.wan.proto='static'
network.wan.ipaddr='150.164.44.73'
network.wan.netmask='255.255.255.0'
network.wan.dns='150.164.51.1 150.164.255.230'
network.wan.gateway='150.164.44.254'
network.@switch[0]=switch
network.@switch[0].name='switch0'
network.@switch[0].reset='1'
network.@switch[0].enable_vlan='1'
network.@switch_vlan[0]=switch_vlan
network.@switch_vlan[0].device='switch0'
network.@switch_vlan[0].vlan='1'
network.@switch_vlan[0].ports='0 1 2 3 4'
network.VPN=interface
network.VPN.ifname='tun0'
network.VPN.proto='unmanaged'
# uci show firewall
firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].network='lan VPN'
firewall.@zone[0].forward='REJECT'
firewall.@zone[0].masq='1'
firewall.@zone[0].mtu_fix='1'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@zone[1].network='wan wan6'
firewall.@zone[2]=zone
firewall.@zone[2].name='VPN_FW'
firewall.@zone[2].input='REJECT'
firewall.@zone[2].output='ACCEPT'
firewall.@zone[2].forward='REJECT'
firewall.@zone[2].masq='1'
firewall.@zone[2].mtu_fix='1'
firewall.@zone[2].network='VPN'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].dest='VPN_FW'
firewall.@forwarding[0].src='lan'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].src='lan'
firewall.@forwarding[1].dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
# uci show openvpn
uci: Entry not found

Important! My router has a 4Mb flash size, so I manage OpenVPN by installing it in RAM at every boot.

I found that I had to manually test rules to understand which might work, but I couldn't explain why.

Client with Wifi connection:

$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: wlp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:21:5c:dc:60:9a brd ff:ff:ff:ff:ff:ff
    inet 192.168.3.103/24 brd 192.168.3.255 scope global dynamic wlp2s0
       valid_lft 43184sec preferred_lft 43184sec
    inet6 fe80::4ec4:7d1a:8029:f2d/64 scope link 
       valid_lft forever preferred_lft forever
$ ip r
default via 192.168.3.1 dev wlp2s0  proto static  metric 600 
192.168.3.0/24 dev wlp2s0  proto kernel  scope link  src 192.168.3.103  metric 600 
$ traceroute example.org
traceroute: unknown host

When the router starts, it connects to the internet, downloads OpenVPN, installs it, starts it, and the internet stops working.

I need to access devices on the server side, but internet traffic doesn't need to be forwarded through the VPN connection.

Establish VPN-connection and show from OpenWrt:

ping -c3 example.org
ping -c3 8.8.8.8
nslookup example.org
nslookup example.org 8.8.8.8
nslookup example.org 150.164.51.1
nslookup example.org 150.164.255.230

uci show dhcp

All the outputs were with VPN established.

root@LEDE:~# ping -c3 example.org
ping: bad address 'example.org'
root@LEDE:~# ping -c3 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes

--- 8.8.8.8 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss
root@LEDE:~# nslookup example.org
;; connection timed out; no servers could be reached

root@LEDE:~# nslookup example.org 8.8.8.8
;; connection timed out; no servers could be reached

root@LEDE:~# nslookup example.org 150.164.51.1
;; connection timed out; no servers could be reached

root@LEDE:~# nslookup example.org 150.164.255.230
;; connection timed out; no servers could be reached

root@LEDE:~# uci show dhcp
dhcp.@dnsmasq[0]=dnsmasq
dhcp.@dnsmasq[0].domainneeded='1'
dhcp.@dnsmasq[0].boguspriv='1'
dhcp.@dnsmasq[0].filterwin2k='0'
dhcp.@dnsmasq[0].localise_queries='1'
dhcp.@dnsmasq[0].rebind_protection='1'
dhcp.@dnsmasq[0].rebind_localhost='1'
dhcp.@dnsmasq[0].local='/lan/'
dhcp.@dnsmasq[0].domain='lan'
dhcp.@dnsmasq[0].expandhosts='1'
dhcp.@dnsmasq[0].nonegcache='0'
dhcp.@dnsmasq[0].authoritative='1'
dhcp.@dnsmasq[0].readethers='1'
dhcp.@dnsmasq[0].leasefile='/tmp/dhcp.leases'
dhcp.@dnsmasq[0].resolvfile='/tmp/resolv.conf.auto'
dhcp.@dnsmasq[0].localservice='1'
dhcp.lan=dhcp
dhcp.lan.interface='lan'
dhcp.lan.start='100'
dhcp.lan.limit='150'
dhcp.lan.leasetime='12h'
dhcp.lan.dhcpv6='server'
dhcp.lan.ra='server'
dhcp.lan.ra_management='1'
dhcp.wan=dhcp
dhcp.wan.interface='wan'
dhcp.wan.ignore='1'
dhcp.odhcpd=odhcpd
dhcp.odhcpd.maindhcp='0'
dhcp.odhcpd.leasefile='/tmp/hosts/odhcpd'
dhcp.odhcpd.leasetrigger='/usr/sbin/odhcpd-update'

I will run the commands disconnected from VPN, but I will edit this post since I need to personally be in the room.

EDIT: Now the output without VPN connection:

root@LEDE:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP qlen 1000
    link/ether 70:4f:57:19:dd:33 brd ff:ff:ff:ff:ff:ff
    inet 150.164.44.73/24 brd 150.164.44.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::724f:57ff:fe19:dd33/64 scope link 
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br-lan state UP qlen 1000
    link/ether 70:4f:57:19:dd:31 brd ff:ff:ff:ff:ff:ff
5: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 70:4f:57:19:dd:31 brd ff:ff:ff:ff:ff:ff
    inet 192.168.3.1/24 brd 192.168.3.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 fe80::724f:57ff:fe19:dd31/64 scope link 
       valid_lft forever preferred_lft forever
6: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether 70:4f:57:19:dd:32 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::724f:57ff:fe19:dd32/64 scope link 
       valid_lft forever preferred_lft forever
root@LEDE:~# ip r
default via 150.164.44.254 dev eth0 
150.164.44.0/24 dev eth0  src 150.164.44.73 
150.164.49.175 via 150.164.44.254 dev eth0 
192.168.3.0/24 dev br-lan  src 192.168.3.1
thales@galliumos-thales:~$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: wlp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:21:5c:dc:60:9a brd ff:ff:ff:ff:ff:ff
    inet 192.168.3.103/24 brd 192.168.3.255 scope global dynamic wlp2s0
       valid_lft 43154sec preferred_lft 43154sec
    inet6 fe80::4ec4:7d1a:8029:f2d/64 scope link 
       valid_lft forever preferred_lft forever
thales@galliumos-thales:~$ ip r
default via 192.168.3.1 dev wlp2s0  proto static  metric 600 
169.254.0.0/16 dev wlp2s0  scope link  metric 1000 
192.168.3.0/24 dev wlp2s0  proto kernel  scope link  src 192.168.3.103  metric 600 
thales@galliumos-thales:~$ traceroute exemple.org
traceroute to exemple.org (72.52.4.119), 64 hops max
  1   192.168.3.1  5,733ms  50,334ms  2,465ms 
  2   150.164.44.254  4,669ms  2,852ms  4,131ms 
  3   150.164.164.81  5,696ms  50,896ms  3,172ms 
  4   150.164.255.5  4,705ms  2,741ms  3,148ms 
  5   150.164.164.150  5,658ms  3,219ms  112,505ms 
  6   200.19.158.253  3,820ms  4,989ms  7,538ms 
  7   200.131.0.3  116,672ms  8,304ms  2,564ms 
  8   200.143.255.173  3,536ms  22,521ms  2,697ms 
  9   200.143.253.225  4,412ms  3,644ms  4,111ms 
 10   170.79.213.7  152,875ms  128,567ms  162,023ms 
 11   129.250.202.93  214,966ms  199,783ms  198,780ms 
 12   129.250.202.93  176,652ms  130,544ms  133,330ms 
 13   129.250.3.209  174,510ms  203,145ms  205,255ms 
 14   129.250.2.86  206,070ms  205,798ms  202,256ms 
 15   129.250.2.22  204,990ms  203,065ms  155,814ms 
 16   129.250.5.192  155,879ms  200,813ms  203,393ms 
 17   129.250.5.190  154,438ms  153,754ms  154,914ms 
 18   165.254.191.118  253,160ms  205,619ms  205,657ms 
 19   *  *  * 

Looks like connectivity is completely broken.

Can it ping server/peer at least?
From OpenWrt after establishing VPN-connection:

ping -c3 150.164.49.175
ping -c3 10.8.0.5
ping -c3 10.8.0.1

Better yet, I will try to explain the problem! Hopefully you can help me!

Single

The picture above shows what I have: two separate labs with internet connectivity.
Due to security reasons and operational purposes, a client should connect to the 192.168.3.* network and be able to access the data logger and web relay from the 192.168.3.* network and 192.168.1.*.

In order to achieve that, I simply built a VPN connection as shown below.

The problem is that, when the OpenVPN connection is established, the internet connection just drops.

I truly believe that the router is trying to redirect all incoming traffic from 10.8.0.1 to the network and simply ignoring its WAN connection.

It is somewhat common for a VPN connection. The problem is that I have no clue how to configure it on OpenWRT.

I believe that this should be the fix for a desktop:

Just guessing.

Please check the outputs below:

root@LEDE:~# ping -c3 10.8.0.6
PING 10.8.0.6 (10.8.0.6): 56 data bytes
64 bytes from 10.8.0.6: seq=0 ttl=64 time=0.909 ms
64 bytes from 10.8.0.6: seq=1 ttl=64 time=0.334 ms
64 bytes from 10.8.0.6: seq=2 ttl=64 time=0.330 ms

--- 10.8.0.6 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 0.330/0.524/0.909 ms
root@LEDE:~# ping -c3 10.8.0.1
PING 10.8.0.1 (10.8.0.1): 56 data bytes
64 bytes from 10.8.0.1: seq=0 ttl=64 time=1.939 ms
64 bytes from 10.8.0.1: seq=1 ttl=64 time=1.644 ms
64 bytes from 10.8.0.1: seq=2 ttl=64 time=1.586 ms

--- 10.8.0.1 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 1.586/1.723/1.939 ms
root@LEDE:~# ping -c3 150.164.49.175
PING 150.164.49.175 (150.164.49.175): 56 data bytes
64 bytes from 150.164.49.175: seq=0 ttl=62 time=0.843 ms
64 bytes from 150.164.49.175: seq=1 ttl=62 time=0.501 ms
64 bytes from 150.164.49.175: seq=2 ttl=62 time=0.516 ms

--- 150.164.49.175 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 0.501/0.620/0.843 ms

Replying to my own post. To be clear, I'm not sure what the command is doing, but I know the result:

sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o enp2s0 -j MASQUERADE

I believe that now all my traffic is being routed through my VPN. It's a solution! Not the one I expected, but it's working!

OK, it's clear now.
Hosts from 192.168.1.0/24 network (including default gateway) do not know routes to 10.8.0.0/24 and 192.168.3.0/24 networks.

MASQUERADE in fact is dynamic SNAT (Source Network Address Translation).
In case you have administrative privileges, a better solution would be adding static routes to 10.8.0.0/24 and 192.168.3.0/24 through 192.168.1.254 on your default gateway in the 192.168.1.0/24 network (supposedly 192.168.1.1).
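As an added example (my own code, not from this thread, OpenWrt or OpenVPN), the script below models the two routing problems discussed in the thread with Python's ipaddress module. The first half parses the `ip r` tables posted earlier and shows that the 0.0.0.0/1 and 128.0.0.0/1 routes on tun0, which are what OpenVPN installs for `redirect-gateway def1`, win longest-prefix match against the real default route and pull every internet packet into the tunnel, which is why DNS and ping died while the peer stayed reachable. The second half replays the return path on the 192.168.1.0/24 side to show why replies go nowhere without either the static routes suggested in the last reply or the MASQUERADE rule the poster applied. Assumptions not on the page: a LAN host at 192.168.1.50, a placeholder ISP next hop 203.0.113.1 for the LAN gateway, and the server's LAN address being 192.168.1.254 as the last reply supposes.

```python
from ipaddress import ip_address, ip_network

# Constructed copy of the OpenWrt `ip r` output posted in this thread with the VPN up.
OPENWRT_VPN_UP = """\
0.0.0.0/1 via 10.8.0.5 dev tun0
default via 150.164.44.254 dev eth0
10.8.0.1 via 10.8.0.5 dev tun0
10.8.0.5 dev tun0  src 10.8.0.6
128.0.0.0/1 via 10.8.0.5 dev tun0
150.164.44.0/24 dev eth0  src 150.164.44.73
150.164.49.175 via 150.164.44.254 dev eth0
192.168.1.0/24 via 10.8.0.5 dev tun0
192.168.3.0/24 dev br-lan  src 192.168.3.1
"""

# Constructed copy of the same table with the VPN down.
OPENWRT_VPN_DOWN = """\
default via 150.164.44.254 dev eth0
150.164.44.0/24 dev eth0  src 150.164.44.73
150.164.49.175 via 150.164.44.254 dev eth0
192.168.3.0/24 dev br-lan  src 192.168.3.1
"""

# Server-side LAN gateway, constructed: 192.168.1.254 is the VPN server's LAN
# address and 192.168.1.1 the LAN gateway (both as the reply above supposes);
# 203.0.113.1 is a placeholder ISP next hop, not an address from the thread.
GATEWAY_NO_STATIC = """\
default via 203.0.113.1 dev wan
192.168.1.0/24 dev lan  src 192.168.1.1
"""
GATEWAY_WITH_STATIC = GATEWAY_NO_STATIC + """\
10.8.0.0/24 via 192.168.1.254 dev lan
192.168.3.0/24 via 192.168.1.254 dev lan
"""


def parse_routes(text):
    """Reduce each `ip r` line to (destination network, gateway or None, device)."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        dst = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        gw = parts[parts.index("via") + 1] if "via" in parts else None
        dev = parts[parts.index("dev") + 1] if "dev" in parts else None
        routes.append((ip_network(dst, strict=False), gw, dev))
    return routes


def lookup(routes, dst):
    """Longest-prefix match, the same selection rule the kernel applies."""
    addr = ip_address(dst)
    best = None
    for net, gw, dev in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, dev)
    return best


def def1_redirect(text, vpn_dev="tun0"):
    """True when the 0.0.0.0/1 + 128.0.0.0/1 pair that `redirect-gateway def1`
    installs points at the tunnel. The pair out-prefixes the real default
    route without deleting it, so all internet traffic enters the VPN."""
    halves = {str(n) for n, _, dev in parse_routes(text)
              if dev == vpn_dev and n.prefixlen == 1}
    return halves == {"0.0.0.0/1", "128.0.0.0/1"}


def egress_device(text, dst):
    """Interface a packet for `dst` leaves through, or None if unroutable."""
    hit = lookup(parse_routes(text), dst)
    return hit[2] if hit else None


def reply_next_hop(gateway_text, reply_dst):
    """Next hop the LAN gateway picks for a reply to `reply_dst`: the configured
    gateway address, or the on-link device when the destination is local."""
    hit = lookup(parse_routes(gateway_text), reply_dst)
    if hit is None:
        return None
    _, gw, dev = hit
    return gw or dev


def masquerade(src, out_dev, nat_dev="enp2s0", nat_net="10.8.0.0/24",
               nat_addr="192.168.1.254"):
    """Model of the rule posted above:
    iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o enp2s0 -j MASQUERADE
    Packets from the tunnel range leaving the LAN interface get the server's own
    LAN address, so LAN hosts reply on-link and no static route is needed."""
    if out_dev == nat_dev and ip_address(src) in ip_network(nat_net):
        return nat_addr
    return src


if __name__ == "__main__":
    print("def1 redirect with VPN up:", def1_redirect(OPENWRT_VPN_UP))
    print("8.8.8.8 leaves via:", egress_device(OPENWRT_VPN_UP, "8.8.8.8"))
    print("reply to 10.8.0.6, no static route ->", reply_next_hop(GATEWAY_NO_STATIC, "10.8.0.6"))
    print("reply to 10.8.0.6, static route    ->", reply_next_hop(GATEWAY_WITH_STATIC, "10.8.0.6"))
    print("reply after MASQUERADE             ->",
          reply_next_hop(GATEWAY_NO_STATIC, masquerade("10.8.0.6", "enp2s0")))
```

Two points follow from running it. First, the posted OpenWrt firewall puts the VPN interface in the lan zone, which has masq='1', so traffic from 192.168.3.x already enters the tunnel with source 10.8.0.6; that is why the server rule matching only -s 10.8.0.0/24 was enough. Second, for the original goal (remote LAN reachable, internet untouched), the def1 pair should not be installed at all: remove the push "redirect-gateway def1" on the server, or on the OpenWrt client add pull-filter ignore "redirect-gateway" (OpenVPN 2.4+) or route-nopull together with an explicit route 192.168.1.0 255.255.255.0, then confirm with ip r that 8.8.8.8 resolves to eth0 as in the VPN-down table.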
