Network Unreachable

Dash · February 13, 2019, 7:57pm

Hey there!

I'm setting up a VPN between a cloud server (my server, created following this guide, and a router (my client, a Linksys AE5800 configured with OpenWRT as outlined on this page, and while things have gone relatively smoothly thus far, I've run into a snag where my client isn't able to connect.

As you'll see below, the I get a "Network unreachable (code=101)" error, and the folks over on the OpenVPN forum suggested it was likely an issue with my network configuration, but I believe I've properly followed the instructions, and since this is my first time setting up with OpenWRT, that leaves me a bit stuck.

Hoping someone can help me understand where I've gone wrong with my setup.

Here are my configuration files and logs (redacted for the private stuff of course), as outlined on the troubleshooting page:

OpenVPN Client Config File

client
dev tun
proto udp
remote {server address} 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
auth SHA256
key-direction 1
verb 4
# script-security 2
# up /etc/openvpn/update-resolve-conf
# down /etc/openvpn/update-resolve-conf
<ca>
	{removed}
</ca>
<cert>
	{removed}
</cert>
<key>
	{removed}
</key>
<tls-auth>
	{removed}
</tls-auth>

OpenVPN Client Log

Tue Feb  5 09:51:26 2019 daemon.notice openvpn(vpnclient)[11056]: Re-using SSL/TLS context
Tue Feb  5 09:51:26 2019 daemon.notice openvpn(vpnclient)[11056]: crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 40 bytes
Tue Feb  5 09:51:26 2019 daemon.notice openvpn(vpnclient)[11056]: Control Channel MTU parms [ L:1621 D:1172 EF:78 EB:0 ET:0 EL:3 ]
Tue Feb  5 09:51:26 2019 daemon.notice openvpn(vpnclient)[11056]: Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
Tue Feb  5 09:51:26 2019 daemon.notice openvpn(vpnclient)[11056]: crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 68 bytes
Tue Feb  5 09:51:26 2019 daemon.notice openvpn(vpnclient)[11056]: calc_options_string_link_mtu: link-mtu 1621 -> 1569
Tue Feb  5 09:51:26 2019 daemon.notice openvpn(vpnclient)[11056]: crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 68 bytes
Tue Feb  5 09:51:26 2019 daemon.notice openvpn(vpnclient)[11056]: calc_options_string_link_mtu: link-mtu 1621 -> 1569
Tue Feb  5 09:51:26 2019 daemon.notice openvpn(vpnclient)[11056]: Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1569,tun-mtu 1500,proto UDPv4,keydir 1,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-client'
Tue Feb  5 09:51:26 2019 daemon.notice openvpn(vpnclient)[11056]: Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1569,tun-mtu 1500,proto UDPv4,keydir 0,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-server'
Tue Feb  5 09:51:26 2019 daemon.notice openvpn(vpnclient)[11056]: TCP/UDP: Preserving recently used remote address: [AF_INET]{server address}:1194
Tue Feb  5 09:51:26 2019 daemon.notice openvpn(vpnclient)[11056]: Socket Buffers: R=[163840->163840] S=[163840->163840]
Tue Feb  5 09:51:26 2019 daemon.notice openvpn(vpnclient)[11056]: UDP link local: (not bound)
Tue Feb  5 09:51:26 2019 daemon.notice openvpn(vpnclient)[11056]: UDP link remote: [AF_INET]{server address}:1194
Tue Feb  5 09:51:26 2019 daemon.notice openvpn(vpnclient)[11056]: UDP WRITE [54] to [AF_INET]{server address}:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #1 ] [ ] pid=0 DATA len=0
Tue Feb  5 09:51:26 2019 daemon.err openvpn(vpnclient)[11056]: write UDP: Network unreachable (code=101)
Tue Feb  5 09:51:26 2019 daemon.notice openvpn(vpnclient)[11056]: Network unreachable, restarting
Tue Feb  5 09:51:26 2019 daemon.notice openvpn(vpnclient)[11056]: TCP/UDP: Closing socket
Tue Feb  5 09:51:26 2019 daemon.notice openvpn(vpnclient)[11056]: SIGUSR1[soft,network-unreachable] received, process restarting
Tue Feb  5 09:51:26 2019 daemon.notice openvpn(vpnclient)[11056]: Restart pause, 160 second(s)

Runtime Configuration

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether 1e:4e:9a:7c:04:fb brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
17: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 14:91:82:9f:5c:c4 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 fdbf:86f5:f8ca::1/60 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::1691:82ff:fe9f:5cc4/64 scope link
       valid_lft forever preferred_lft forever
18: eth0.1@eth0: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop master br-lan state DOWN qlen 1000
    link/ether 14:91:82:9f:5c:c4 brd ff:ff:ff:ff:ff:ff
19: eth0.2@eth0: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether 14:91:82:9f:5c:c4 brd ff:ff:ff:ff:ff:ff
20: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether 14:91:82:9f:5c:c5 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::1691:82ff:fe9f:5cc5/64 scope link
       valid_lft forever preferred_lft forever
21: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether 14:91:82:9f:5c:c6 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::1691:82ff:fe9f:5cc6/64 scope link
       valid_lft forever preferred_lft forever
192.168.1.0/24 dev br-lan scope link  src 192.168.1.1
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
# Generated by iptables-save v1.6.2 on Wed Feb 13 20:13:18 2019
*nat
:PREROUTING ACCEPT [20808:1371045]
:INPUT ACCEPT [13682:998548]
:OUTPUT ACCEPT [11719:803727]
:POSTROUTING ACCEPT [11719:803727]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_vpnclient_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_vpnclient_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_vpnclient_postrouting - [0:0]
:zone_vpnclient_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
-A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting
-A PREROUTING -i tun0 -m comment --comment "!fw3" -j zone_vpnclient_prerouting
-A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
-A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
-A POSTROUTING -o tun0 -m comment --comment "!fw3" -j zone_vpnclient_postrouting
-A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
-A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
-A zone_vpnclient_postrouting -m comment --comment "!fw3: Custom vpnclient postrouting rule chain" -j postrouting_vpnclient_rule
-A zone_vpnclient_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_vpnclient_prerouting -m comment --comment "!fw3: Custom vpnclient prerouting rule chain" -j prerouting_vpnclient_rule
-A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
-A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Wed Feb 13 20:13:18 2019
# Generated by iptables-save v1.6.2 on Wed Feb 13 20:13:18 2019
*mangle
:PREROUTING ACCEPT [122295:8551116]
:INPUT ACCEPT [115169:8178619]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [115179:11377728]
:POSTROUTING ACCEPT [115179:11377728]
-A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o tun0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone vpnclient MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Wed Feb 13 20:13:18 2019
# Generated by iptables-save v1.6.2 on Wed Feb 13 20:13:18 2019
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_vpnclient_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_vpnclient_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_vpnclient_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_vpnclient_dest_ACCEPT - [0:0]
:zone_vpnclient_dest_REJECT - [0:0]
:zone_vpnclient_forward - [0:0]
:zone_vpnclient_input - [0:0]
:zone_vpnclient_output - [0:0]
:zone_vpnclient_src_REJECT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i tun0 -m comment --comment "!fw3" -j zone_vpnclient_input
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i tun0 -m comment --comment "!fw3" -j zone_vpnclient_forward
-A FORWARD -m comment --comment "!fw3" -j reject
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o tun0 -m comment --comment "!fw3" -j zone_vpnclient_output
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
-A syn_flood -m comment --comment "!fw3" -j DROP
-A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to vpnclient forwarding policy" -j zone_vpnclient_dest_ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_vpnclient_dest_ACCEPT -o tun0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_vpnclient_dest_ACCEPT -o tun0 -m comment --comment "!fw3" -j ACCEPT
-A zone_vpnclient_dest_REJECT -o tun0 -m comment --comment "!fw3" -j reject
-A zone_vpnclient_forward -m comment --comment "!fw3: Custom vpnclient forwarding rule chain" -j forwarding_vpnclient_rule
-A zone_vpnclient_forward -m comment --comment "!fw3: Zone vpnclient to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_vpnclient_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_vpnclient_forward -m comment --comment "!fw3" -j zone_vpnclient_dest_REJECT
-A zone_vpnclient_input -m comment --comment "!fw3: Custom vpnclient input rule chain" -j input_vpnclient_rule
-A zone_vpnclient_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_vpnclient_input -m comment --comment "!fw3" -j zone_vpnclient_src_REJECT
-A zone_vpnclient_output -m comment --comment "!fw3: Custom vpnclient output rule chain" -j output_vpnclient_rule
-A zone_vpnclient_output -m comment --comment "!fw3" -j zone_vpnclient_dest_ACCEPT
-A zone_vpnclient_src_REJECT -i tun0 -m comment --comment "!fw3" -j reject
-A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
-A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
-A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
-A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
-A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
-A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Wed Feb 13 20:13:18 2019

Persistent Configuration

network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fdbf:86f5:f8ca::/48'
network.lan=interface
network.lan.type='bridge'
network.lan.ifname='eth0.1'
network.lan.proto='static'
network.lan.ipaddr='192.168.1.1'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.lan_dev=device
network.lan_dev.name='eth0.1'
network.lan_dev.macaddr='14:91:82:9f:5c:c4'
network.wan=interface
network.wan.ifname='eth0.2'
network.wan.proto='dhcp'
network.wan_dev=device
network.wan_dev.name='eth0.2'
network.wan_dev.macaddr='14:91:82:9f:5c:c4'
network.wan6=interface
network.wan6.ifname='eth0.2'
network.wan6.proto='dhcpv6'
network.@switch[0]=switch
network.@switch[0].name='switch0'
network.@switch[0].reset='1'
network.@switch[0].enable_vlan='1'
network.@switch_vlan[0]=switch_vlan
network.@switch_vlan[0].device='switch0'
network.@switch_vlan[0].vlan='1'
network.@switch_vlan[0].ports='1 2 3 4 0t'
network.@switch_vlan[1]=switch_vlan
network.@switch_vlan[1].device='switch0'
network.@switch_vlan[1].vlan='2'
network.@switch_vlan[1].ports='5 0t'
network.vpnclient=interface
network.vpnclient.ifname='tun0'
network.vpnclient.proto='none'
firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[0].network='lan'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@zone[1].network='wan wan6'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.@zone[2]=zone
firewall.@zone[2].name='vpnclient'
firewall.@zone[2].network='vpnclient'
firewall.@zone[2].input='REJECT'
firewall.@zone[2].output='ACCEPT'
firewall.@zone[2].forward='REJECT'
firewall.@zone[2].masq='1'
firewall.@zone[2].mtu_fix='1'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].dest='wan'
firewall.@forwarding[0].src='vpnclient'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].dest='vpnclient'
firewall.@forwarding[1].src='lan'
openvpn.custom_config=openvpn
openvpn.custom_config.config='/etc/openvpn/my-vpn.conf'
openvpn.sample_server=openvpn
openvpn.sample_server.port='1194'
openvpn.sample_server.proto='udp'
openvpn.sample_server.dev='tun'
openvpn.sample_server.ca='/etc/openvpn/ca.crt'
openvpn.sample_server.cert='/etc/openvpn/server.crt'
openvpn.sample_server.key='/etc/openvpn/server.key'
openvpn.sample_server.dh='/etc/openvpn/dh1024.pem'
openvpn.sample_server.server='10.8.0.0 255.255.255.0'
openvpn.sample_server.ifconfig_pool_persist='/tmp/ipp.txt'
openvpn.sample_server.keepalive='10 120'
openvpn.sample_server.compress='lzo'
openvpn.sample_server.persist_key='1'
openvpn.sample_server.persist_tun='1'
openvpn.sample_server.user='nobody'
openvpn.sample_server.status='/tmp/openvpn-status.log'
openvpn.sample_server.verb='3'
openvpn.sample_client=openvpn
openvpn.sample_client.client='1'
openvpn.sample_client.dev='tun'
openvpn.sample_client.proto='udp'
openvpn.sample_client.remote='my_server_1 1194'
openvpn.sample_client.resolv_retry='infinite'
openvpn.sample_client.nobind='1'
openvpn.sample_client.persist_key='1'
openvpn.sample_client.persist_tun='1'
openvpn.sample_client.user='nobody'
openvpn.sample_client.ca='/etc/openvpn/ca.crt'
openvpn.sample_client.cert='/etc/openvpn/client.crt'
openvpn.sample_client.key='/etc/openvpn/client.key'
openvpn.sample_client.compress='lzo'
openvpn.sample_client.verb='3'
openvpn.enabled=1
openvpn.config=/etc/openvpn/client1.ovpn
openvpn.vpnclient=openvpn
openvpn.vpnclient.enabled='1'
openvpn.vpnclient.client='1'
openvpn.vpnclient.dev='tun0'
openvpn.vpnclient.config='/etc/openvpn/client1.ovpn'

vgaetera · February 13, 2019, 9:32pm

Where is your default gateway and DNS-server?

Dash · February 13, 2019, 9:41pm

If I correctly understand the way all of this works, those are provided by the VPN server (server configuration). Am I missing some sort of configuration on the router that passes that on to the connected devices?

vgaetera · February 13, 2019, 9:47pm

It looks like your device has no internet connectivity:

WAN-interface eth0.2 is DOWN.
LAN-interface br-lan has no gateway.

Dash · February 13, 2019, 9:57pm

Hmm...

I tested the connectivity before beginning all of my configuration changes, and things worked fine, so I must have broken something in the configuration process. Any guidance on further diagnosing and addressing the issue there?

Also, are those likely to be two independent issues, or is one the consequence of the other (e.g: it can't get the gateway or anything else from the VPN server because the WAN is down)?

vgaetera · February 13, 2019, 10:05pm

When interface is down, it means:

The cable is not connected properly or damaged.
The port is broken.
Upper level router is down.

That's the root cause.

Dash · February 13, 2019, 10:29pm

Thanks a ton for your patience with my noob questions here!

I think it's unlikely the port or cable are the issue. The device had been basically untouched since the successful preliminary test I mentioned, but I swapped out the cable and tried an alternate port on the modem with no results. I'm don't know if there's a configuration I could use to try one of the other ports on the OpenWRT router though (I'm currently using the designated WAN port on the device).

I'm also not sure how to investigate the "upper level router" issue you mentioned - by that do you mean the router/cable modem to which my OpenWRT router is connected? If that's the case, it both worked previously and is currently providing the connection I'm using to post, so it's at least basically functional and providing its own WiFi network as expected.

vgaetera · February 13, 2019, 10:45pm

uci delete openvpn.enabled
uci delete openvpn.config
uci set openvpn.vpnclient.enabled="0"
uci commit openvpn
sync
reboot

ip a; ip r; traceroute example.org

Dash · February 13, 2019, 10:53pm

That gives me:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether aa:c3:38:02:25:c0 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
7: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 14:91:82:9f:5c:c4 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 fdbf:86f5:f8ca::1/60 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::1691:82ff:fe9f:5cc4/64 scope link
       valid_lft forever preferred_lft forever
8: eth0.1@eth0: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop master br-lan state DOWN qlen 1000
    link/ether 14:91:82:9f:5c:c4 brd ff:ff:ff:ff:ff:ff
9: eth0.2@eth0: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether 14:91:82:9f:5c:c4 brd ff:ff:ff:ff:ff:ff
10: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether 14:91:82:9f:5c:c5 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::1691:82ff:fe9f:5cc5/64 scope link
       valid_lft forever preferred_lft forever
11: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether 14:91:82:9f:5c:c6 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::1691:82ff:fe9f:5cc6/64 scope link
       valid_lft forever preferred_lft forever
192.168.1.0/24 dev br-lan scope link  src 192.168.1.1
traceroute: bad address 'openwrt.org'

Hegabo · February 13, 2019, 11:04pm

Could you try trace-routing or pinging say 8.8.8.8 from OpenWrt, and also the other router's IP

Dash · February 13, 2019, 11:08pm

Sure thing. Both result in:

1traceroute: sendto: Network unreachable

vgaetera · February 13, 2019, 11:12pm

ip -6 r; ip -6 ru

Dash · February 13, 2019, 11:15pm

Here you go:

fdbf:86f5:f8ca::/64 dev br-lan  metric 1024
unreachable fdbf:86f5:f8ca::/48 dev lo  metric 2147483647  error -113
fe80::/64 dev wlan0  metric 256
fe80::/64 dev br-lan  metric 256
fe80::/64 dev wlan1  metric 256
anycast fdbf:86f5:f8ca:: dev br-lan  metric 0
anycast fe80:: dev br-lan  metric 0
anycast fe80:: dev wlan1  metric 0
anycast fe80:: dev wlan0  metric 0
ff00::/8 dev br-lan  metric 256
ff00::/8 dev wlan0  metric 256
ff00::/8 dev wlan1  metric 256
0:      from all lookup local
32766:  from all lookup main
4200000001:     from all iif lo lookup unspec 12
4200000007:     from all iif br-lan lookup unspec 12

Hegabo · February 13, 2019, 11:16pm

Apologies for the question, but just to be sure, the upper modem/router is currently doing routing already and outputting IP not PPPoE, right?

Dash · February 13, 2019, 11:19pm

I believe so. The modem is a CBN brand cable modem provided by my ISP, and I haven't changed its configuration at all.

mk24 · February 14, 2019, 1:57am

Plug your PC directly to the modem and confirm that you can reach the Internet.

The modem has not given your router an IP address. There should be an IP shown on eth0.2.

Dash · February 15, 2019, 9:19pm

Had to get an ethernet adapter for my laptop, so that took a little while, but using that I get a normal internet connection from the modem.

That would seem to isolate the problem to the router configuration somewhere, no?

vgaetera · February 15, 2019, 9:24pm

It seems so.

You can try the following:

Reset the settings to factory defaults.
Reflash the firmware.

Dash · February 16, 2019, 12:10pm

Reflashing the router and starting from scratch resolved this issue. Thanks much for the help everyone.

Wish I knew what was wrong, but at least it's working now.

system · February 26, 2019, 12:10pm

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.