No internet connection after setting up VPN client

Hello,
I completed the setup of the VPN client based on this guide provided by my VPN service provider, IVPN.

With the newly created interface wgivpn up, there's no connection to the internet.
Verifying the VPN connection shows this:

root@eddie:~# pgrep -f -a wg; wg show; wg showconf wgivpn
9915 wg-crypt-wgivpn
interface: wgivpn
  public key: tpPbyjXdaulS2EpXhtGqzOW1LwTxJo3yYBODCf1iIG8=
  private key: (hidden)
  listening port: 52628

peer: mS3/WpXjnMAMmXxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  endpoint: 185.102.219.26:51820
  allowed ips: 0.0.0.0/0, ::/0
  transfer: 0 B received, 148 B sent
  persistent keepalive: every 25 seconds
[Interface]
ListenPort = 52628
PrivateKey = kCeaGP2XqsjNAexxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

[Peer]
PublicKey = mS3/WpXjnMAMmXxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = 185.102.219.26:51820
PersistentKeepalive = 25

The new routing table is this:

root@eddie:~# ip r
default dev wgivpn proto static scope link metric 10 
default via 192.168.1.1 dev wan proto static src 192.168.1.2 metric 20 
172.16.0.0/29 dev lan5 proto kernel scope link src 172.16.0.1 
172.16.20.0/24 dev lan3.20 proto kernel scope link src 172.16.20.1 linkdown 
172.16.30.0/24 dev lan3.30 proto kernel scope link src 172.16.30.1 linkdown 
172.17.213.235 dev wgivpn proto static scope link metric 10 
172.21.1.0/24 dev lan2 proto kernel scope link src 172.21.1.2 
172.23.0.0/16 via 172.16.0.1 dev lan5 proto static 
185.102.219.26 via 192.168.1.1 dev wan proto static metric 20 
192.168.1.0/24 dev wan proto static scope link metric 20

I can ping the endpoint IP 185.102.219.26 w/o problems:

root@eddie:~# ping -c 3 185.102.219.26
PING 185.102.219.26 (185.102.219.26): 56 data bytes
64 bytes from 185.102.219.26: seq=0 ttl=55 time=14.876 ms
64 bytes from 185.102.219.26: seq=1 ttl=55 time=32.598 ms
64 bytes from 185.102.219.26: seq=2 ttl=55 time=13.869 ms

--- 185.102.219.26 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss

However, I can't ping any of IVPN's DNS servers, e.g.

root@eddie:~# ping -c 3 10.0.254.2
PING 10.0.254.2 (10.0.254.2): 56 data bytes

--- 10.0.254.2 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss

Actually I can't ping any IP:

root@eddie:~# ping -c 3 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes

--- 8.8.8.8 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss

If I shut down / stop the new interface wgivpn, the routing table looks different:

root@eddie:~# ip r
default via 192.168.1.1 dev wan proto static src 192.168.1.2 metric 20 
172.16.0.0/29 dev lan5 proto kernel scope link src 172.16.0.1 
172.16.20.0/24 dev lan3.20 proto kernel scope link src 172.16.20.1 linkdown 
172.16.30.0/24 dev lan3.30 proto kernel scope link src 172.16.30.1 linkdown 
172.21.1.0/24 dev lan2 proto kernel scope link src 172.21.1.2 
172.23.0.0/16 via 172.16.0.1 dev lan5 proto static 
192.168.1.0/24 dev wan proto static scope link metric 20

There are no connection issues with this setup.

My interpretation is that routing traffic through the VPN connection is not working.
This could be related to the network architecture, where the OpenWrt router is behind another router provided by the ISP; that router is set up in NAT mode, which means the networks behind the OpenWrt router are double-NATed.

Could you please advise how to troubleshoot this issue?

THX

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/firewall
root@eddie:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'
	option ula_prefix 'xxxx:xxxx:1dd7::/48'

config device
	option name 'wan'
	option macaddr '08:55:31:4c:b7:5c'

config device
	option name 'lan2'
	option macaddr '08:55:31:4c:b7:5d'

config device
	option name 'lan3'
	option macaddr '08:55:31:4c:b7:5d'

config device
	option name 'lan4'
	option macaddr '08:55:31:4c:b7:5d'

config device
	option name 'lan5'
	option macaddr '08:55:31:4c:b7:5d'

config device
	option name 'sfp'
	option macaddr '08:55:31:4c:b7:5c'

config device
	option name 'lan3.20'
	option type '8021ad'
	option ifname 'lan3'
	option vid '20'

config device
	option name 'lan3.30'
	option type '8021ad'
	option ifname 'lan3'
	option vid '30'

config wireguard_wgivpn
	option description 'Germany'
	list allowed_ips '0.0.0.0/0'
	list allowed_ips '::/0'
	option public_key 'mS3/WpXjnMAMmXjSxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
	option route_allowed_ips '1'
	option endpoint_host '185.102.219.26'
	option persistent_keepalive '25'

config interface 'wan'
	option proto 'dhcp'
	option device 'wan'
	option peerdns '0'
	option dns '127.0.0.1'
	option metric '20'

config interface 'wan6'
	option proto 'dhcpv6'
	option device 'wan'
	option reqaddress 'try'
	option reqprefix 'auto'
	option peerdns '0'
	option dns '0::1'
	option metric '20'

config interface 'wgivpn'
	option proto 'wireguard'
	option private_key 'kCeaGP2XqsjNAegxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
	list addresses '172.17.xxx.xxx/32'
	list addresses 'xxxx:xxxx:xxxx:ffff::ac11:d5eb/128'
	option mtu '1412'
	option peerdns '0'
	list dns '10.0.254.2'
	option auto '0'
	option metric '10'

config interface 'lan'
	option proto 'static'
	option device 'lan2'
	option ipaddr '172.21.1.2'
	option netmask '255.255.255.0'

config interface 'proxy'
	option proto 'static'
	option device 'lan3.20'
	option ipaddr '172.16.20.1'
	option netmask '255.255.255.0'

config interface 'guest'
	option proto 'static'
	option device 'lan3.30'
	option ipaddr '172.16.30.1'
	option netmask '255.255.255.0'

config interface 'dmz'
	option proto 'static'
	option ip6assign '64'
	option device 'lan4'
	option force_link '0'
	option ipaddr '172.16.10.1'
	option netmask '255.255.255.0'

config interface 'homelab'
	option proto 'static'
	option ip6assign '64'
	option device 'lan5'
	option force_link '0'
	option ipaddr '172.16.0.1'
	option netmask '255.255.255.248'

config route
	option interface 'homelab'
	option target '172.23.0.0'
	option netmask '255.255.0.0'
	option gateway '172.16.0.1'
root@eddie:~# cat /etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config include
	option path '/etc/firewall.user'
	option reload '1'

config zone
	option name 'dmz'
	option network 'dmz'
	option log '1'
	option log_limit '10/second'
	option input 'REJECT'
	option output 'REJECT'
	option forward 'REJECT'

config zone
	option name 'guest'
	option network 'guest'
	option log '1'
	option log_limit '10/second'
	option input 'REJECT'
	option output 'REJECT'
	option forward 'REJECT'

config zone
	option name 'homelab'
	option network 'homelab'
	option log '0'
	option log_limit '10/second'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option network 'lan'
	option log '0'
	option log_limit '10/second'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'proxy'
	option network 'proxy'
	option log '1'
	option log_limit '10/second'
	option input 'REJECT'
	option output 'REJECT'
	option forward 'REJECT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option log '1'
	option log_limit '10/second'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'wgivpn'
	list network 'wgivpn'
	option mtu_fix '1'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'

config forwarding
	option src 'dmz'
	option dest 'wan'

config forwarding
	option src 'guest'
	option dest 'wan'

config forwarding
	option src 'homelab'
	option dest 'wan'

config forwarding
	option src 'homelab'
	option dest 'dmz'

config forwarding
	option src 'homelab'
	option dest 'proxy'

config forwarding
	option src 'homelab'
	option dest 'wgivpn'

config forwarding
	option src 'lan'
	option dest 'dmz'

config forwarding
	option src 'lan'
	option dest 'guest'

config forwarding
	option src 'lan'
	option dest 'proxy'

config forwarding
	option src 'proxy'
	option dest 'wan'

config forwarding
	option src 'proxy'
	option dest 'dmz'

config forwarding
	option src 'proxy'
	option dest 'homelab'

config rule
	option name 'Allow-DHCP-Renew'
	option proto 'udp'
	option src 'wan'
	option dest_port '68'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option proto 'udp'
	option src 'wan'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-Ping'
	option proto 'icmp'
	option src 'wan'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option proto 'igmp'
	option src 'wan'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option proto 'icmp'
	option src 'wan'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option proto 'icmp'
	option src 'wan'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option proto 'icmp'
	option src 'wan'
	option dest '*'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option proto 'esp'
	option src 'wan'
	option dest 'lan'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option proto 'udp'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option proto 'udp'
	option src 'wan'
	option dest_port '33434:33689'
	option family 'ipv4'
	option target 'REJECT'
	option enabled '0'

config rule
	option name 'DMZ: Allow DHCP client'
	option proto 'udp'
	option src 'dmz'
	option dest_port '67-68'
	option target 'ACCEPT'

config rule
	option name 'DMZ: Allow DHCP server'
	option proto 'udp'
	option dest 'dmz'
	option dest_port '67-68'
	option target 'ACCEPT'

config rule
	option name 'DMZ: Allow DHCPv6 client'
	option proto 'udp'
	option src 'dmz'
	option dest_port '546-547'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'DMZ: Allow DHCPv6 server'
	option proto 'udp'
	option dest 'dmz'
	option dest_port '546-547'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'DMZ: Allow DNS primary router'
	list proto 'tcp'
	list proto 'udp'
	option src 'dmz'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option name 'DMZ: Block DNS other networks'
	list proto 'tcp'
	list proto 'udp'
	option src 'dmz'
	option dest '*'
	option dest_port '53'
	option target 'REJECT'

config rule
	option name 'DMZ: Allow chronyd primary router'
	option proto 'udp'
	option src 'dmz'
	option dest_port '123'
	option target 'ACCEPT'

config rule
	option name 'DMZ: Allow internet and block private networks'
	list proto 'tcp'
	list proto 'udp'
	option src 'dmz'
	option dest '*'
	list dest_ip '!10.0.0.0/8'
	list dest_ip '!172.16.0.0/12'
	list dest_ip '!192.168.0.0/16'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'DMZ: Block all'
	list proto 'tcp'
	list proto 'udp'
	option src 'dmz'
	option dest '*'
	option target 'REJECT'

config rule
	option name 'Guest: Allow DHCP client'
	option proto 'udp'
	option src 'guest'
	option dest_port '67-68'
	option target 'ACCEPT'

config rule
	option name 'Guest: Allow DHCP server'
	option proto 'udp'
	option dest 'guest'
	option dest_port '67-68'
	option target 'ACCEPT'

config rule
	option name 'Guest: Allow DHCPv6 client'
	option proto 'udp'
	option src 'guest'
	option dest_port '546-547'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Guest: Allow DHCPv6 server'
	option proto 'udp'
	option dest 'guest'
	option dest_port '546-547'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Guest: Allow DNS primary router'
	list proto 'tcp'
	list proto 'udp'
	option src 'guest'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option name 'Guest: Block DNS other networks'
	list proto 'tcp'
	list proto 'udp'
	option src 'guest'
	option dest '*'
	option dest_port '53'
	option target 'REJECT'

config rule
	option name 'Guest: Block chronyd primary router'
	option proto 'udp'
	option src 'guest'
	option dest_port '123'
	option target 'REJECT'

config rule
	option name 'Guest: Allow internet and block private networks'
	list proto 'tcp'
	list proto 'udp'
	option src 'guest'
	option dest '*'
	list dest_ip '!10.0.0.0/8'
	list dest_ip '!172.16.0.0/12'
	list dest_ip '!192.168.0.0/16'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Guest: Block all'
	list proto 'tcp'
	list proto 'udp'
	option src 'guest'
	option dest '*'
	option target 'REJECT'

config rule
	option name 'Homelab: Allow chronyd primary router'
	list proto 'udp'
	option src 'homelab'
	option dest_port '123'
	option target 'ACCEPT'

config rule
	option name 'Homelab: Allow DNS primary router'
	list proto 'tcp'
	list proto 'udp'
	option src 'homelab'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option name 'Homelab: Block DNS other networks'
	list proto 'tcp'
	list proto 'udp'
	option src 'homelab'
	option dest '*'
	option dest_port '53'
	option target 'REJECT'

config rule
	option name 'Homelab: Block access Guest'
	list proto 'tcp'
	list proto 'udp'
	option src 'homelab'
	option dest 'guest'
	option target 'REJECT'

config rule
	option name 'Homelab: Allow access WAN'
	list proto 'tcp'
	list proto 'udp'
	option src 'homelab'
	option dest 'wan'
	option target 'ACCEPT'

config rule
	option name 'Homelab: Allow access WGIVPN'
	list proto 'tcp'
	list proto 'udp'
	option src 'homelab'
	option dest 'wgivpn'
	option target 'ACCEPT'

config rule
	option name 'Homelab: Block all'
	list proto 'tcp'
	list proto 'udp'
	option src 'homelab'
	option dest '*'
	option target 'REJECT'

config rule
	option name 'LAN: Allow access any network'
	list proto 'all'
	option src 'lan'
	option dest '*'
	option target 'ACCEPT'

config rule
	option name 'Proxy: Allow DHCP client'
	option proto 'udp'
	option src 'proxy'
	option dest_port '67-68'
	option target 'ACCEPT'

config rule
	option name 'Proxy: Allow DHCP server'
	option proto 'udp'
	option dest 'proxy'
	option dest_port '67-68'
	option target 'ACCEPT'

config rule
	option name 'Proxy: Allow DHCPv6 client'
	option proto 'udp'
	option src 'proxy'
	option dest_port '546-547'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Proxy: Allow DHCPv6 server'
	option proto 'udp'
	option dest 'proxy'
	option dest_port '546-547'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Proxy: Allow DNS primary router'
	list proto 'tcp'
	list proto 'udp'
	option src 'proxy'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option name 'Proxy: Block DNS other networks'
	list proto 'tcp'
	list proto 'udp'
	option src 'proxy'
	option dest '*'
	option dest_port '53'
	option target 'REJECT'

config rule
	option name 'Proxy: Allow chronyd primary router'
	option proto 'udp'
	option src 'proxy'
	option dest_port '123'
	option target 'ACCEPT'

config rule
	option name 'Proxy: Allow SSH DMZ'
	option proto 'tcp'
	option src 'proxy'
	option dest 'dmz'
	option dest_port '22'
	option target 'ACCEPT'

config rule
	option name 'Proxy: Allow SSH Homelab'
	option proto 'tcp'
	option src 'proxy'
	option dest 'homelab'
	option dest_port '22'
	option target 'ACCEPT'

config rule
	option name 'Proxy: Allow internet and block private networks'
	list proto 'tcp'
	list proto 'udp'
	option src 'proxy'
	option dest '*'
	list dest_ip '!10.0.0.0/8'
	list dest_ip '!172.16.0.0/12'
	list dest_ip '!192.168.0.0/16'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Proxy: Block all'
	list proto 'tcp'
	list proto 'udp'
	option src 'proxy'
	option dest '*'
	option target 'REJECT'

config nat
	option name 'Forward HTTP to reverse proxy'
	list proto 'tcp'
	option src '*'
	option dest_port '80'
	option target 'SNAT'
	option snat_ip '172.16.20.10'
	option enabled '0'

config nat
	option name 'Forward HTTPS to reverse proxy'
	list proto 'tcp'
	option src '*'
	option dest_port '443'
	option target 'SNAT'
	option snat_ip '172.16.20.10'
	option enabled '0'

Remove this and all of the similar ones. You only need standard forwarding rules like this (make sure you have one of the below for each network... I only have time to skim at the moment)

Did you notice this rule at the bottom of all rules for src homelab?

config rule
	option name 'Homelab: Block all'
	list proto 'tcp'
	list proto 'udp'
	option src 'homelab'
	option dest '*'
	option target 'REJECT'

My understanding is that I need an allow rule if a block-all rule is configured.
And all rules are working without the VPN interface up.

Remove that rule.

I disabled 3 rules:

config rule
        option name 'Homelab: Allow access WAN'
        list proto 'tcp'
        list proto 'udp'
        option src 'homelab'
        option dest 'wan'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Homelab: Allow access WGIVPN'
        list proto 'tcp'
        list proto 'udp'
        option src 'homelab'
        option dest 'wgivpn'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Homelab: Block all'
        list proto 'tcp'
        list proto 'udp'
        option src 'homelab'
        option dest '*'
        option target 'REJECT'
        option enabled '0'

However, the issue still persists.

Could you please explain why this should solve the issue?

Taking a few steps back...

Does the no-internet issue affect all of your networks, or only some of them?
What about the router itself?

With the VPN running, if you run ping tests to 8.8.8.8 and then google.com, first from the router and then from a computer on one of the networks, what happens?

All checks are done from router itself.
Unless this is working I will not check from any subnet provided by the router.

And does 8.8.8.8 fail?

Any IP fails.

Hi,

Are you sure the VPN is working? You received no bytes while you had already sent 148 bytes. Maybe it is because this report was taken right after wg0 started, so could you please wait at least 2x 25 sec to see at least one keepalive cycle and verify again, please?

According to the routing table, pinging the endpoint 185.102.219.26 will use your normal WAN link, not the VPN, so it may appear OK but that is not necessarily the case.

Also, if you're behind double NAT, is your listening port 52628 open on the primary router side as well and properly forwarded to the OpenWrt wg interface?

Just a note:
Well, you'd be surprised what works from a subnet while not working from the router itself ... Keep in mind that OpenWrt acts as a router and as a network client as well. I.e. it can properly forward traffic from LAN to WAN, for example, while it cannot resolve DNS from the router itself, because OpenWrt as a network client uses its own resolv.conf and not the LAN interface's setting.

You haven't specified an endpoint_port, so the default one (51820) is used.
However, I do not see it in the guide you have provided.

Set a port from the list above and restart the network.
When you run wg show, you should also see information about the "latest handshake".

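The two replies above both point at the same check: a tunnel is only up once wg show reports a "latest handshake" and a non-zero received byte count, and a successful ping to the endpoint proves nothing about the tunnel because the host route for the endpoint deliberately goes out via wan. The script below is an added example, not code from the thread or from OpenWrt/IVPN; the wg show and ip r texts are constructed samples modelled on the posts, and the function names (wg_tunnel_state, route_dev) are my own. On the router you would feed it "$(wg show wgivpn)" and "$(ip r)" instead of the samples.

```shell
#!/bin/sh
# Added example: classify the state of a WireGuard tunnel from the text of
# `wg show <iface>`, and show which device a given route uses from `ip r`.

# Constructed sample, mirroring the original post: no handshake, nothing received.
WG_SHOW_BROKEN='interface: wgivpn
  public key: tpPbyjXdaulS2EpXhtGqzOW1LwTxJo3yYBODCf1iIG8=
  private key: (hidden)
  listening port: 52628

peer: mS3/WpXjnMAMmXxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  endpoint: 185.102.219.26:51820
  allowed ips: 0.0.0.0/0, ::/0
  transfer: 0 B received, 148 B sent
  persistent keepalive: every 25 seconds'

# Constructed sample: a handshake completed but the peer has sent nothing back.
WG_SHOW_SILENT='interface: wgivpn
  listening port: 52628

peer: mS3/WpXjnMAMmXxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  endpoint: 185.102.219.26:51820
  allowed ips: 0.0.0.0/0, ::/0
  latest handshake: 12 seconds ago
  transfer: 0 B received, 444 B sent
  persistent keepalive: every 25 seconds'

# Constructed sample: a working tunnel after a few keepalive cycles.
WG_SHOW_OK='interface: wgivpn
  listening port: 52628

peer: mS3/WpXjnMAMmXxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  endpoint: 185.102.219.26:51820
  allowed ips: 0.0.0.0/0, ::/0
  latest handshake: 38 seconds ago
  transfer: 1.25 KiB received, 2.01 KiB sent
  persistent keepalive: every 25 seconds'

# Constructed sample of `ip r` with the VPN interface up (copied from the post).
IP_ROUTE='default dev wgivpn proto static scope link metric 10
default via 192.168.1.1 dev wan proto static src 192.168.1.2 metric 20
172.17.213.235 dev wgivpn proto static scope link metric 10
185.102.219.26 via 192.168.1.1 dev wan proto static metric 20
192.168.1.0/24 dev wan proto static scope link metric 20'

# wg_tunnel_state TEXT
# Prints one of: no-handshake (peer never answered the initiation: wrong
# endpoint/port, key mismatch, or UDP blocked on the way), no-reply (handshake
# done but nothing received yet), up. Returns 0 only for "up".
wg_tunnel_state() {
    text=$1
    if ! printf '%s\n' "$text" | grep -q 'latest handshake:'; then
        echo no-handshake
        return 1
    fi
    # The transfer line reads "transfer: <num> <unit> received, <num> <unit> sent".
    rx=$(printf '%s\n' "$text" | sed -n 's/^ *transfer: *\([^ ]*\) \([^ ]*\) received.*/\1 \2/p')
    case "$rx" in
        "0 B"|"") echo no-reply; return 1 ;;
    esac
    echo up
    return 0
}

# route_dev ROUTES KEY
# Prints the "dev" of the first route whose destination column equals KEY
# ("default" or a host/prefix). Used to confirm that the endpoint's host route
# bypasses the tunnel while the default route enters it.
route_dev() {
    printf '%s\n' "$1" | awk -v key="$2" '
        $1 == key { for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i+1); exit } }'
}

# Demonstration on the constructed samples (on the router: wg show wgivpn / ip r).
echo "sample tunnel state: $(wg_tunnel_state "$WG_SHOW_BROKEN")"
echo "endpoint route leaves via: $(route_dev "$IP_ROUTE" 185.102.219.26)"
echo "default route enters: $(route_dev "$IP_ROUTE" default)"
```

If the state stays no-handshake after two keepalive periods, the initiation packets are not being answered; that is the case to chase on the endpoint port and on the upstream router before touching any firewall forwarding rules.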
