No internet when Openvpn is off

Hello. I am a new user of OpenWrt, great software. I want to use Surfshark VPN on my Archer C6 v3.0.

They have a guide on how to set up OpenVPN on OpenWrt.

I did all the steps, the VPN works, but without the VPN enabled there is no internet. I tried to ask Surfshark support, but they have no idea what's wrong.

Does anyone have an idea what's wrong?

Did you revert all the routing settings when you turned "off"?

2 Likes

More specifically these settings:

(Optional) To prevent traffic leakage outside the VPN-tunnel you need to remove the forwarding rule from LAN to WAN. In the default configuration, there is a single forwarding rule, and the command is:
uci del firewall.@forwarding[0]

You can also set the "masquerading" option to '0' for wan zone, it goes after lan zone, so the command is:
uci set firewall.@zone[1].masq=0

After configuration you should commit changes:
uci commit firewall

4 Likes

Also the SurfShark DNS servers will only be accessible from inside the VPN, so you will need to use other DNS servers when VPN is off. Pings and traceroutes to well-known numeric IPs such as 8.8.8.8 are useful to differentiate if the lack of Internet is a general routing problem or only a DNS problem.

4 Likes

No. Should I revert all settings when I turn the VPN off?

When I ping 8.8.8.8, the message given is: destination cannot be reached. When the VPN is on, ping is fine.

I tried not applying these settings, but the VPN is not working in that case.

VPN doesn't have anything to do with these settings. These are blocking communication from lan to the wan only.

1 Like

From my experience, OpenWrt starting from version 22 does not revert the routing table. So try to restart the network and wait 5 minutes:
service network restart

1 Like

It is my manual, written about 5 years ago for AirVPN and NordVPN. Surfshark just copied it without any word about me.

In OpenWrt version 22 there is no file /etc/firewall.user.

The manual contains an implemented kill-switch, so it is absolutely the desired behavior to block traffic when the VPN is down.

So it is up to you whether to use the kill-switch.

Now I recommend the easiest solution for a kill-switch:

  1. Remove masq=1 from the wan zone.
  2. Remove the forwarding lan->wan.

1 Like

There's been a lot of good advice here, but it might be most useful to see your current configuration -- this will give us a much better understanding of the potential causes:

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/firewall

2 Likes

So also inspect the routing table with ip route show. When the VPN stops (cleanly) OpenVPN is supposed to remove the routes that it installed and go back to having a default route via the wan interface and the regular ISP.

Sorry, do you agree with my statement, or not?

I'm saying that yes the routing table could be the problem.

2 Likes

Sorry, I had some delay. Here are the files.

Network


config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option packet_steering '1'
        option ula_prefix 'fde4:20ca:74bf::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'
        option peerdns '0'
        list dns '162.252.172.57'
        list dns '149.154.159.92'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config interface 'surfsharktun'
        option proto 'none'
        option ifname 'tun0'

Firewall


config defaults
        option syn_flood '1'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option mtu_fix '1'
        option masq '0'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'vpnfirewall'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'surfsharktun'

config forwarding
        option src 'lan'
        option dest 'vpnfirewall'

I got the routes here.

Routes with VPN

0.0.0.0/1 via 10.7.7.1 dev tun0
default via 192.168.0.1 dev wan  src 192.168.0.16
10.7.7.0/24 dev tun0 scope link  src 10.7.7.7
128.0.0.0/1 via 10.7.7.1 dev tun0
192.168.0.0/24 dev wan scope link  src 192.168.0.16
192.168.1.0/24 dev br-lan scope link  src 192.168.1.1
193.176.86.171 via 192.168.0.1 dev wan

Routes without VPN

default via 192.168.0.1 dev wan  src 192.168.0.16
192.168.0.0/24 dev wan scope link  src 192.168.0.16
192.168.1.0/24 dev br-lan scope link  src 192.168.1.1

In the firewall you need to allow forwarding from lan to wan for the Internet to be accessible from lan while the VPN is stopped.

3 Likes

Here is the content of network and firewall.

Sorry, I have no idea how to realize this one. The uci syntax is like dark magic for me right now.

As stated by @mk24, you're missing a firewall allowance for lan > wan. This means that there is no forwarding allowed to the WAN from the LAN, and this will mean that the internet does not work when the VPN is not running.

Add this to the firewall and it will fix your problem:

config forwarding
        option src 'lan'
        option dest 'wan'

2 Likes
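To make the two kill-switch settings from the manual (no lan->wan forwarding, masq=0 on the wan zone) and the missing lan->wan forwarding from the last reply easy to verify, here is an added check script (not from the thread or the manual) that parses a firewall config in UCI text format with plain sh and awk; the sample config it reads is a constructed cut-down copy of the firewall posted above, and on a router you would pass /etc/config/firewall instead.

```shell
#!/bin/sh
# Added example (not from the thread): parse /etc/config/firewall in UCI text
# format and report whether the kill-switch discussed above (no lan->wan
# forwarding, masq=0 on wan) is in effect. POSIX sh + awk, runs offline on a copy.

# Print "yes" if a 'config forwarding' section with src=$2 and dest=$3 exists in $1.
has_forwarding() {
    awk -v q="'" -v ws="$2" -v wd="$3" '
        function check() { if (type == "forwarding" && src == ws && dest == wd) found = 1 }
        /^config /            { check(); type = $2; src = ""; dest = "" }
        /^[ \t]*option src /  { gsub(q, "", $3); src = $3 }
        /^[ \t]*option dest / { gsub(q, "", $3); dest = $3 }
        END { check(); print (found ? "yes" : "no") }' "$1"
}

# Print the masq option of zone $2 in $1 ("unset" if the zone has none or is absent).
zone_masq() {
    awk -v q="'" -v want="$2" '
        function check() { if (type == "zone" && name == want) out = (masq == "" ? "unset" : masq) }
        /^config /            { check(); type = $2; name = ""; masq = "" }
        /^[ \t]*option name / { gsub(q, "", $3); name = $3 }
        /^[ \t]*option masq / { gsub(q, "", $3); masq = $3 }
        END { check(); print (out == "" ? "unset" : out) }' "$1"
}

# "active" when either setting blocks lan->wan (no internet with the VPN down), else "off".
killswitch_state() {
    if [ "$(has_forwarding "$1" lan wan)" = "no" ] || [ "$(zone_masq "$1" wan)" = "0" ]; then
        echo active
    else
        echo off
    fi
}

# Constructed sample: the sections of the firewall posted in the thread that matter here.
KS_SAMPLE=$(mktemp)
cat > "$KS_SAMPLE" <<'EOF'
config zone
        option name 'wan'
        option masq '0'

config zone
        option name 'vpnfirewall'
        option masq '1'

config forwarding
        option src 'lan'
        option dest 'vpnfirewall'
EOF
echo "posted firewall: kill-switch $(killswitch_state "$KS_SAMPLE")"   # active
```

Adding the `config forwarding` lan->wan section from the reply above (and, if you do not want the kill-switch at all, masq=1 on wan) flips the result to "off".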