I'm trying to set up NordVPN on a NETGEAR R7500 with OpenWrt 22.03.5 using this guide https://support.nordvpn.com/Connectivity/Router/1047411192/OpenWrt-CI-setup-with-NordVPN.htm#GUI . As far as I can see (I double-checked twice) I have configured everything exactly as the guide says.
I have internet connectivity, but as soon as I start the VPN, internet connectivity goes down. When I look at the logs I see the VPN connecting successfully to the server.
The NETGEAR router sits between the modem and the laptop.
What could be the problem?
With the VPN activated, please run the following commands (copy-paste the whole block) and paste the output here using the "Preformatted text </>" button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have — the `ip` output includes your WAN address and the route to the VPN server.
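# Diagnostic dump for an OpenWrt VPN-client router: board info, the network/dhcp/
# firewall configuration, IPv4 addresses, every routing table, policy rules, the
# resolver files, and two reachability probes (by IP first, then by name, so a
# routing failure can be told apart from a DNS failure).
# Before posting the output, redact passwords, MAC addresses and public IP addresses.
ubus call system board
uci export network
uci export dhcp; uci export firewall
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru
ls -l /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
# Dump only regular files: the glob also matches the /tmp/resolv.conf.d directory,
# which makes head report "I/O error" instead of printing anything useful.
for f in /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*; do
  [ -f "$f" ] && { echo "==> $f <=="; cat "$f"; }
done
ping -c 3 8.8.8.8; ping -c 3 www.google.com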
Hi, thanks for your quick reply! See the logs below.
BusyBox v1.35.0 (2023-04-27 20:28:15 UTC) built-in shell (ash)
_______ ________ __
| |.-----.-----.-----.| | | |.----.| |_
| - || _ | -__| || | | || _|| _|
|_______|| __|_____|__|__||________||__| |____|
|__| W I R E L E S S F R E E D O M
-----------------------------------------------------
OpenWrt 22.03.5, r20134-5f15225c1e
-----------------------------------------------------
root@OpenWrt:~# ubus call system board
{
"kernel": "5.10.176",
"hostname": "OpenWrt",
"system": "ARMv7 Processor rev 0 (v7l)",
"model": "Netgear Nighthawk X4 R7500",
"board_name": "netgear,r7500",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "22.03.5",
"revision": "r20134-5f15225c1e",
"target": "ipq806x/generic",
"description": "OpenWrt 22.03.5 r20134-5f15225c1e"
}
}
root@OpenWrt:~# uci export network
package network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd2d:f263:f22c::/48'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth1.1'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '192.168.1.2'
config interface 'wan'
option device 'eth0.2'
option proto 'dhcp'
config interface 'wan6'
option device 'eth0.2'
option proto 'dhcpv6'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '1 2 3 4 6t'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '5 0t'
config interface 'nordvpn'
option proto 'none'
option device 'tun0'
root@OpenWrt:~# uci export dhcp
package dhcp
config dnsmasq
option domainneeded '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option localservice '1'
option ednspacket_max '1232'
list server '103.86.96.100'
list server '103.86.99.100'
option noresolv '1'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option dhcpv6 'server'
option ra 'server'
list ra_flags 'managed-config'
list ra_flags 'other-config'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
root@OpenWrt:~# uci export firewall
package firewall
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config zone
option name 'vpnfirewall'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'nordvpn'
config forwarding
option src 'lan'
option dest 'wan'
root@OpenWrt:~# ip -4 addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
6: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
inet 192.168.1.2/24 brd 192.168.1.255 scope global br-lan
valid_lft forever preferred_lft forever
8: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
inet 192.168.1.76/24 brd 192.168.1.255 scope global eth0.2
valid_lft forever preferred_lft forever
10: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
inet 10.8.1.9/24 scope global tun0
valid_lft forever preferred_lft forever
root@OpenWrt:~# ip -4 ro li tab all
0.0.0.0/1 via 10.8.1.1 dev tun0
default via 192.168.1.1 dev eth0.2 proto static src 192.168.1.76
10.8.1.0/24 dev tun0 proto kernel scope link src 10.8.1.9
103.50.33.94 via 192.168.1.1 dev br-lan
128.0.0.0/1 via 10.8.1.1 dev tun0
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.2
192.168.1.0/24 dev eth0.2 proto kernel scope link src 192.168.1.76
broadcast 10.8.1.0 dev tun0 table local proto kernel scope link src 10.8.1.9
local 10.8.1.9 dev tun0 table local proto kernel scope host src 10.8.1.9
broadcast 10.8.1.255 dev tun0 table local proto kernel scope link src 10.8.1.9
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.1.0 dev br-lan table local proto kernel scope link src 192.168.1.2
broadcast 192.168.1.0 dev eth0.2 table local proto kernel scope link src 192.168.1.76
local 192.168.1.2 dev br-lan table local proto kernel scope host src 192.168.1.2
local 192.168.1.76 dev eth0.2 table local proto kernel scope host src 192.168.1.76
broadcast 192.168.1.255 dev br-lan table local proto kernel scope link src 192.168.1.2
broadcast 192.168.1.255 dev eth0.2 table local proto kernel scope link src 192.168.1.76
root@OpenWrt:~# ip -4 ru
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
root@OpenWrt:~# ls -l /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
lrwxrwxrwx 1 root root 16 Apr 27 20:28 /etc/resolv.conf -> /tmp/resolv.conf
lrwxrwxrwx 1 root root 35 May 2 20:48 /tmp/resolv.conf -> /tmp/resolv.conf.d/resolv.conf.auto
-rw-r--r-- 1 root root 76 May 4 08:20 /tmp/resolv.conf.d/resolv.conf.auto
/tmp/resolv.conf.d:
-rw-r--r-- 1 root root 76 May 4 08:20 resolv.conf.auto
root@OpenWrt:~# head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
==> /etc/resolv.conf <==
# Interface wan
nameserver 94.140.14.15
nameserver 94.140.15.16
search home
==> /tmp/resolv.conf <==
# Interface wan
nameserver 94.140.14.15
nameserver 94.140.15.16
search home
==> /tmp/resolv.conf.d <==
head: /tmp/resolv.conf.d: I/O error
==> /tmp/resolv.conf.d/resolv.conf.auto <==
# Interface wan
nameserver 94.140.14.15
nameserver 94.140.15.16
search home
root@OpenWrt:~# ping -c 3 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
--- 8.8.8.8 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss
root@OpenWrt:~# ping -c 3 www.google.com
ping: bad address 'www.google.com'
root@OpenWrt:~#
Configure LAN to VPN forwarding. Your firewall only has a lan → wan forwarding (the single `config forwarding` at the end of `uci export firewall`), while the VPN's `0.0.0.0/1` and `128.0.0.0/1` routes send all LAN traffic out `tun0`, i.e. into the `vpnfirewall` zone whose forward policy is REJECT — so LAN clients are cut off as soon as the tunnel is up:
# Add a named lan -> vpnfirewall forwarding so LAN traffic that the VPN's
# 0.0.0.0/1 and 128.0.0.0/1 routes push out tun0 is no longer rejected by the
# vpnfirewall zone's forward=REJECT default.  The existing lan -> wan forwarding
# is left untouched, so if tun0 goes down traffic falls back to the plain WAN
# default route (this is not a kill switch).
uci -q batch <<'EOF'
delete firewall.lan_vpn
set firewall.lan_vpn=forwarding
set firewall.lan_vpn.src=lan
set firewall.lan_vpn.dest=vpnfirewall
commit firewall
EOF
/etc/init.d/firewall restart
If the issue persists, replace the peer DNS with a public DNS provider. Note that the router itself resolves via /etc/resolv.conf (the peer-supplied 94.140.14.15/16 from the upstream DHCP server), so the router's own `ping www.google.com` depends on reaching those servers through the tunnel, whereas LAN clients use dnsmasq with `noresolv` and the two NordVPN servers listed in `uci export dhcp`:
https://openwrt.org/docs/guide-user/base-system/dhcp_configuration#upstream_dns_provider
FWIW, it looks like you skipped the last few steps of the NordVPN instructions.
Another issue: the LAN IP address has been changed to 192.168.1.2, while the WAN address obtained via DHCP from the upstream router is 192.168.1.76 — both interfaces sit on 192.168.1.0/24.
The WAN and LAN must be on different subnets. The overlap is visible in your routing table as `103.50.33.94 via 192.168.1.1 dev br-lan`: the host route to the VPN server points at the LAN bridge instead of the WAN interface, because the kernel resolves 192.168.1.1 through whichever of the two identical `192.168.1.0/24` routes comes first (here br-lan).
E.g. change the LAN IP address of the OpenVPN client router to something like 192.168.2.1.
Cool, this was the issue! As soon as I changed the LAN IP to 192.168.2.1 it worked. Thanks a million!
Ah yes, I also needed to do the last few steps of the NordVPN instructions. I think I forgot the final "Accept & Save" button. Three times.