Mi Router 4A OpenVPN issue (Connected to vpn but no internet connection)

I added a VPN server to LuCI with an ovpn file and enabled it, but there is no internet connection while connected.
Please help me.
The ovpn server is named "Russia".

root@OpenWrt:~# cat /etc/config/openvpn

config openvpn 'custom_config'
	option config '/etc/openvpn/my-vpn.conf'

config openvpn 'sample_server'
	option port '1194'
	option proto 'udp'
	option dev 'tun'
	option ca '/etc/openvpn/ca.crt'
	option cert '/etc/openvpn/server.crt'
	option key '/etc/openvpn/server.key'
	option dh '/etc/openvpn/dh1024.pem'
	option server '10.8.0.0 255.255.255.0'
	option ifconfig_pool_persist '/tmp/ipp.txt'
	option keepalive '10 120'
	option compress 'lzo'
	option persist_key '1'
	option persist_tun '1'
	option user 'nobody'
	option status '/tmp/openvpn-status.log'
	option verb '3'

config openvpn 'sample_client'
	option client '1'
	option dev 'tun'
	option proto 'udp'
	list remote 'my_server_1 1194'
	option resolv_retry 'infinite'
	option nobind '1'
	option persist_key '1'
	option persist_tun '1'
	option user 'nobody'
	option ca '/etc/openvpn/ca.crt'
	option cert '/etc/openvpn/client.crt'
	option key '/etc/openvpn/client.key'
	option compress 'lzo'
	option verb '3'

config openvpn 'russia'
	option config '/etc/openvpn/russia.ovpn'
	list push 'dhcp-option DNS 192.168.1.1'
	option enabled '1'

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd8e:9714:04d6::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'

config device 'wan_eth0_2_dev'
	option name 'eth0.2'
	option macaddr '54:48:e6:a3:a2:81'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '2 3 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '4 6t'



system log

Thu Feb 18 20:03:01 2021 daemon.warn openvpn(russia)[2623]: Unrecognized option or missing or extra parameter(s) in /etc/openvpn/russia.ovpn:19: block-outside-dns (2.4.7)
Thu Feb 18 20:03:01 2021 daemon.notice openvpn(russia)[2623]: OpenVPN 2.4.7 mipsel-openwrt-linux-gnu [SSL (mbed TLS)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Thu Feb 18 20:03:01 2021 daemon.notice openvpn(russia)[2623]: library versions: mbed TLS 2.16.9, LZO 2.10
Thu Feb 18 20:03:01 2021 daemon.notice openvpn(russia)[2623]: Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Thu Feb 18 20:03:01 2021 daemon.notice openvpn(russia)[2623]: Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Thu Feb 18 20:03:01 2021 daemon.notice openvpn(russia)[2623]: Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Thu Feb 18 20:03:01 2021 daemon.notice openvpn(russia)[2623]: Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Thu Feb 18 20:03:01 2021 daemon.notice openvpn(russia)[2623]: TCP/UDP: Preserving recently used remote address: [AF_INET]45.156.23.187:1194
Thu Feb 18 20:03:01 2021 daemon.notice openvpn(russia)[2623]: Socket Buffers: R=[163840->163840] S=[163840->163840]
Thu Feb 18 20:03:01 2021 daemon.notice openvpn(russia)[2623]: UDP link local: (not bound)
Thu Feb 18 20:03:01 2021 daemon.notice openvpn(russia)[2623]: UDP link remote: [AF_INET]45.156.23.187:1194
Thu Feb 18 20:03:01 2021 daemon.notice openvpn(russia)[2623]: TLS: Initial packet from [AF_INET]45.156.23.187:1194, sid=7515489c 82f898a9
Thu Feb 18 20:03:01 2021 daemon.err hostapd: Using interface wlan1 with hwaddr 54:48:e6:a3:a2:83 and ssid "OpenWrt"
Thu Feb 18 20:03:02 2021 daemon.notice openvpn(russia)[2623]: VERIFY OK: depth=1, CN=cn_egfHOXKstUmZ5VSX
Thu Feb 18 20:03:02 2021 daemon.notice openvpn(russia)[2623]: Validating certificate key usage
Thu Feb 18 20:03:02 2021 daemon.notice openvpn(russia)[2623]: VERIFY KU OK
Thu Feb 18 20:03:02 2021 daemon.notice openvpn(russia)[2623]: Validating certificate extended key usage
Thu Feb 18 20:03:02 2021 daemon.notice openvpn(russia)[2623]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Thu Feb 18 20:03:02 2021 daemon.notice openvpn(russia)[2623]: VERIFY EKU OK
Thu Feb 18 20:03:02 2021 daemon.notice openvpn(russia)[2623]: VERIFY X509NAME OK: CN=server_hwxKMnc4LXZvd3wZ
Thu Feb 18 20:03:02 2021 daemon.notice openvpn(russia)[2623]: VERIFY OK: depth=0, CN=server_hwxKMnc4LXZvd3wZ
Thu Feb 18 20:03:02 2021 kern.info kernel: [   25.519122] IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
Thu Feb 18 20:03:02 2021 kern.info kernel: [   25.525956] br-lan: port 2(wlan1) entered blocking state
Thu Feb 18 20:03:02 2021 kern.info kernel: [   25.531303] br-lan: port 2(wlan1) entered forwarding state
Thu Feb 18 20:03:02 2021 daemon.notice hostapd: wlan1: interface state HT_SCAN->ENABLED
Thu Feb 18 20:03:02 2021 daemon.notice hostapd: wlan1: AP-ENABLED
Thu Feb 18 20:03:02 2021 daemon.notice netifd: Network device 'wlan1' link is up
Thu Feb 18 20:03:03 2021 daemon.notice openvpn(russia)[2623]: Control Channel: TLSv1.2, cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256, 256 bit key
Thu Feb 18 20:03:03 2021 daemon.notice openvpn(russia)[2623]: [server_hwxKMnc4LXZvd3wZ] Peer Connection Initiated with [AF_INET]45.156.23.187:1194
Thu Feb 18 20:03:04 2021 daemon.notice openvpn(russia)[2623]: SENT CONTROL [server_hwxKMnc4LXZvd3wZ]: 'PUSH_REQUEST' (status=1)
Thu Feb 18 20:03:04 2021 daemon.notice openvpn(russia)[2623]: PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 94.140.14.14,dhcp-option DNS 94.140.15.15,redirect-gateway def1 bypass-dhcp,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-128-GCM'
Thu Feb 18 20:03:04 2021 daemon.notice openvpn(russia)[2623]: OPTIONS IMPORT: timers and/or timeouts modified
Thu Feb 18 20:03:04 2021 daemon.notice openvpn(russia)[2623]: OPTIONS IMPORT: --ifconfig/up options modified
Thu Feb 18 20:03:04 2021 daemon.notice openvpn(russia)[2623]: OPTIONS IMPORT: route options modified
Thu Feb 18 20:03:04 2021 daemon.notice openvpn(russia)[2623]: OPTIONS IMPORT: route-related options modified
Thu Feb 18 20:03:04 2021 daemon.notice openvpn(russia)[2623]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Thu Feb 18 20:03:04 2021 daemon.notice openvpn(russia)[2623]: OPTIONS IMPORT: peer-id set
Thu Feb 18 20:03:04 2021 daemon.notice openvpn(russia)[2623]: OPTIONS IMPORT: adjusting link_mtu to 1624
Thu Feb 18 20:03:04 2021 daemon.notice openvpn(russia)[2623]: OPTIONS IMPORT: data channel crypto options modified
Thu Feb 18 20:03:04 2021 daemon.notice openvpn(russia)[2623]: Outgoing Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
Thu Feb 18 20:03:04 2021 daemon.notice openvpn(russia)[2623]: Incoming Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
Thu Feb 18 20:03:04 2021 daemon.notice openvpn(russia)[2623]: TUN/TAP device tun0 opened
Thu Feb 18 20:03:04 2021 daemon.notice openvpn(russia)[2623]: TUN/TAP TX queue length set to 100
Thu Feb 18 20:03:04 2021 daemon.notice openvpn(russia)[2623]: /sbin/ifconfig tun0 10.8.0.2 netmask 255.255.255.0 mtu 1500 broadcast 10.8.0.255
Thu Feb 18 20:03:04 2021 daemon.notice openvpn(russia)[2623]: /sbin/route add -net 45.156.23.187 netmask 255.255.255.255 gw 178.233.192.1
Thu Feb 18 20:03:04 2021 daemon.notice openvpn(russia)[2623]: /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.8.0.1
Thu Feb 18 20:03:04 2021 daemon.notice openvpn(russia)[2623]: /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.8.0.1
Thu Feb 18 20:03:04 2021 daemon.notice openvpn(russia)[2623]: Initialization Sequence Completed

This will be ignored since you are using the config option.
Make sure the server side subnet doesn't overlap with the client side LAN subnet.
If you really want that IP to be your DNS, add it to the client profile and then apply this script:
https://openwrt.org/docs/guide-user/services/vpn/openvpn/extras#dns_and_domain

In addition, set up firewall:
https://openwrt.org/docs/guide-user/services/vpn/openvpn/client#firewall

If the problem persists, establish the VPN connection, collect the diagnostics from both VPN server and client, and post it to pastebin.com redacting the private parts:

ip address show; ip route show table all; ip rule show; \
iptables-save; sysctl net 2> /dev/null | grep -e forward
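
The subnet-overlap check recommended in the reply above, as an added example that is not part of the original posts: it extracts the pushed `ifconfig` address and netmask from the PUSH_REPLY log line and compares them with the LAN from /etc/config/network. The function names are this example's own, and the second call uses a constructed LAN to show the failing case.

```shell
#!/bin/sh
# Added example: compare the tunnel subnet pushed by the VPN server with the LAN.

# PUSH_REPLY text as it appears in the system log on this page.
LOG="PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 94.140.14.14,dhcp-option DNS 94.140.15.15,redirect-gateway def1 bypass-dhcp,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-128-GCM'"

# Convert a dotted quad (address or netmask) to an integer.
ip_to_int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Exit 0 when ip1/mask1 and ip2/mask2 share addresses: two subnets overlap
# exactly when they agree on the bits covered by both netmasks.
nets_overlap() {
    common=$(( $(ip_to_int "$2") & $(ip_to_int "$4") ))
    [ $(( $(ip_to_int "$1") & common )) -eq $(( $(ip_to_int "$3") & common )) ]
}

# Print "address netmask" from the ifconfig item of a PUSH_REPLY log line.
pushed_ifconfig() {
    echo "$1" | tr ",'" '\n\n' |
        sed -n 's/^ifconfig \([0-9.]*\) \([0-9.]*\)$/\1 \2/p'
}

# usage: check_push LAN_IP LAN_MASK "log line"
check_push() {
    set -- "$1" "$2" $(pushed_ifconfig "$3")
    [ $# -eq 4 ] || { echo "no ifconfig item in PUSH_REPLY"; return 2; }
    if nets_overlap "$1" "$2" "$3" "$4"; then
        echo "OVERLAP: LAN $1/$2 vs tunnel $3/$4"
        return 1
    fi
    echo "ok: LAN $1/$2 vs tunnel $3/$4"
}

# LAN from /etc/config/network above: no overlap with 10.8.0.0/24.
check_push 192.168.1.1 255.255.255.0 "$LOG"
# Constructed counter-example: a LAN of 10.8.0.0/16 would contain the tunnel subnet.
check_push 10.8.0.1 255.255.0.0 "$LOG" || true
```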
