No internet connection after disabling openvpn

Hello,

I used openwrt on my GL.iNet150. I used the openvpn script from ipredator website to configure openvpn. All is working fine so far.

My final goal would be to use the physical switch to disable/enable the openvpn tunnel but the first problem is, that if I disable the openvpn via webinterface or /etc/init.d/openvpn stop, I am not able to browse to the internet (not via ip and not via fqdn).

If I restart the openvpn I am able to see the following log entries: https://pastebin.com/y4EGgQQC

If I check the route via route -n before and after restarting I am able to see the following https://pastebin.com/QUer81Gu.

Does anyone have an idea or hint for me?

BR

Sounds like there's a kill switch in use, preventing connectivity if the tunnel is down. If I recall correctly, there's a 'Force VPN' checkbox somewhere, which you'll need to untick.

Hi tectonic,
I didn't find any kill switch in the web UI and I didn't find it in the CLI. Do you have any hint?

If you’re running GL.iNet firmware, it often uses the toggle switch many GL.iNet devices have to set “mode”.

Yes, I used the GL.iNet firmware. I used the physical switch but nothing happened.

(post withdrawn by author, will be automatically deleted in 24 hours unless flagged)
I don't know what this means. Did I do something wrong?

It's fine but your issue requires non-standard approach.

Please, provide the exact link.

Hi vgaetera,

the link to the script is:
https://www.ipredator.se/static/downloads/openvpn/router/openwrt/install_iprvpn_owrt.sh

BR

Hello vgaetera,

thank you for the hint. I learned a lot when I implemented and checked the uci show parameter.

Unfortunately after implementing the settings I am not able to browse to the internet, regardless of using /etc/openvpn/vpnclient.sh up or down. I am not even able to ping 8.8.8.8.

I pasted the output for uci show here: https://pastebin.com/Emb8Z6QV
Maybe you still have some hint for me.

BR

Hello vgaetera,

Now I see another issue. Here are the steps I reproduced multiple times:

  1. Restart Router
  2. Ping is possible, connection is unencrypted (myip.is shows the real ip)
  3. Use /etc/openvpn/vpnclient.sh up
  4. No ping to 8.8.8.8 possible
  5. Use /etc/openvpn/vpnclient.sh down
  6. Ping is possible again, connection is unencrypted (myip.is shows the real ip)
  7. Use /etc/openvpn/vpnclient.sh up
  8. Ping is still possible, connection is unencrypted (myip.is shows the real ip)

BR

I restarted the router again and used the commands provided from your side.
This was the output: https://pastebin.com/2NuzBevU

Even though it looks like the VPN connection was established, I still see the original IP address when I use myip.is.

Unfortunately, the OpenWrt web interface doesn't make a difference between the process and the result, because the OpenVPN service doesn't interact with the network service.
The log you posted indicates that the connection is not established yet and there's even a failed authentication attempt leading to an unfinished re-connection attempt:

A successful connection attempt should end with the message:


# Fix configuration
uci rename firewall.@zone[0]="lan"
uci rename firewall.@zone[1]="wan"
uci set firewall.lan.forward="ACCEPT"
uci set firewall.wan.input="REJECT"
uci set firewall.wan.masq="1"
uci set firewall.wan.mtu_fix="1"
uci set firewall.lan_wan="forwarding"
uci set firewall.lan_wan.src="lan"
uci set firewall.lan_wan.dest="wan"
uci set firewall.lan_wan.enabled="0"
uci commit firewall
/etc/init.d/firewall restart
uci -q delete openvpn.IPredator.script_security
uci -q delete openvpn.IPredator.up
uci -q delete openvpn.IPredator.down
uci commit openvpn
/etc/init.d/openvpn restart

# Kill switch
cat << "EOF" > /etc/openvpn/killswitch.sh
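#!/bin/sh
# Toggle: each run flips between "VPN up, LAN to WAN forwarding off"
# and "VPN down, LAN to WAN forwarding on".
if pgrep openvpn
then
    # OpenVPN is running: allow direct LAN to WAN forwarding, then stop the tunnel
    uci set firewall.lan_wan.enabled="1"
    /etc/init.d/openvpn stop &
else
    # OpenVPN is not running: block direct LAN to WAN forwarding, then start the tunnel
    uci set firewall.lan_wan.enabled="0"
    /etc/init.d/openvpn start &
fi
# Restart the firewall so the changed forwarding rule takes effect
/etc/init.d/firewall restart &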
EOF
chmod +x /etc/openvpn/killswitch.sh

This will keep the state of LAN to WAN forwarding until you run the script or reboot.
There was a fatal flaw in the original concept, that the OpenVPN down script is not guaranteed to be invoked upon the service stop action.
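
The distinction drawn in this thread between a running OpenVPN process and an established tunnel can be checked from the routing table, which the original poster compared with `route -n`. The following is an added example, not part of the original thread or the IPredator script. It assumes the tunnel device is named `tun*` and that the provider pushes either a plain default route or OpenVPN's `redirect-gateway def1` pair of /1 routes; both routing tables are constructed samples.

```shell
#!/bin/sh
# Added example. Classifies `route -n` output read on stdin:
#   tunnel = general traffic is routed into a tun device
#   clear  = default route uses a non-tunnel device (real IP exposed)
#   none   = no default route present
# Assumption: the tunnel device is named tun*.
vpn_route_state() {
    awk '
        # Only rows whose first field is a dotted quad are routes.
        $1 !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { next }
        { dest = $1; mask = $3; ifc = $8 }
        # redirect-gateway def1 covers the address space with two /1 routes.
        dest == "0.0.0.0"   && mask == "128.0.0.0" && ifc ~ /^tun/ { low = 1 }
        dest == "128.0.0.0" && mask == "128.0.0.0" && ifc ~ /^tun/ { high = 1 }
        dest == "0.0.0.0"   && mask == "0.0.0.0" {
            if (ifc ~ /^tun/) tundef = 1; else cleardef = 1
        }
        END {
            # A tun default next to a non-tun default is ambiguous: report clear.
            if ((low && high) || (tundef && !cleardef)) print "tunnel"
            else if (cleardef) print "clear"
            else print "none"
        }'
}

# Constructed sample: OpenVPN process may be running, but no tunnel routes exist.
SAMPLE_DOWN='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.8.0     0.0.0.0         255.255.255.0   U     0      0        0 br-lan'

# Constructed sample: tunnel established, def1 routes pushed via tun0.
SAMPLE_UP='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.8.0.1        128.0.0.0       UG    0      0        0 tun0
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
10.8.0.0        0.0.0.0         255.255.255.0   U     0      0        0 tun0
128.0.0.0       10.8.0.1        128.0.0.0       UG    0      0        0 tun0
192.168.8.0     0.0.0.0         255.255.255.0   U     0      0        0 br-lan
203.0.113.10    192.168.1.1     255.255.255.255 UGH   0      0        0 eth0'

echo "down sample: $(printf '%s\n' "$SAMPLE_DOWN" | vpn_route_state)"
echo "up sample:   $(printf '%s\n' "$SAMPLE_UP" | vpn_route_state)"
# On the router itself: route -n | vpn_route_state
```

A result of `clear` while the OpenVPN process is running matches the symptom reported above, where myip.is still showed the real IP address.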
