Hello. I am a new user of OpenWrt, great software. I want to use Surfshark VPN on my Archer C6 v3.0.
They have a guide on how to set up OpenVPN on OpenWrt.
I did all the steps, the VPN works, but with the VPN disabled there is no internet. I tried to ask Surfshark support, but they have no idea what's wrong.
Does anyone have an idea what's wrong?
Did you revert all the routing settings when you turned "off"?
2 Likes
trendy
November 29, 2022, 2:46pm
3
More specifically these settings:
(Optional) To prevent traffic leakage outside the VPN-tunnel you need to remove the forwarding rule from LAN to WAN. In the default configuration, there is a single forwarding rule, and the command is:
uci del firewall.@forwarding[0]
You can also set the "masquerading" option to '0' for wan zone, it goes after lan zone, so the command is:
uci set firewall.@zone[1].masq=0
After configuration you should commit changes:
uci commit firewall
4 Likes
mk24
November 29, 2022, 3:09pm
4
Also the SurfShark DNS servers will only be accessible from inside the VPN, so you will need to use other DNS servers when VPN is off. Pings and traceroutes to well-known numeric IPs such as 8.8.8.8 are useful to differentiate if the lack of Internet is a general routing problem or only a DNS problem.
4 Likes
No. Should I revert all settings when I turn the VPN off?
When I ping 8.8.8.8, the message given is: destination cannot be reached. When the VPN is on, ping is fine.
I tried not applying these settings, but the VPN doesn't work in that case.
trendy
November 30, 2022, 12:07pm
8
VPN doesn't have anything to do with these settings. These are blocking communication from lan to the wan only.
1 Like
ulmwind
November 30, 2022, 6:12pm
9
From my experience, OpenWrt starting from version 22 does not revert the routing table. So try restarting the network, and wait 5 minutes:
service network restart
1 Like
ulmwind
November 30, 2022, 6:15pm
10
It is my manual, written about 5 years ago for AirVPN, NordVPN. Surfshark just copied it, without any word about me.
In OpenWrt version 22 there is no file /etc/firewall.user.
The manual contains an implemented kill-switch, so it is absolutely the desired behavior to block traffic when the VPN is down.
So it is up to you whether to use the kill-switch.
Now I recommend the easiest solution for a kill-switch:
Remove masq=1 from the wan zone.
Remove the forwarding lan->wan.
1 Like
There's been a lot of good advice here, but it might be most useful to see your current configuration -- this will give us a much better understanding of the potential causes:
Please copy the output of the following commands and post it here using the "Preformatted text </>" button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
cat /etc/config/network
cat /etc/config/firewall
2 Likes
mk24
November 30, 2022, 7:01pm
12
So also inspect the routing table with ip route show. When the VPN stops (cleanly), OpenVPN is supposed to remove the routes that it installed and go back to having a default route via the wan interface and the regular ISP.
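The routing-table check described in the post above, as an added example that is not part of any post in this thread: a small sh/awk function that classifies the text of ip route show, so you can see at a glance whether the tunnel routes are still in place or the box has fallen back to the ISP default route. The route tables it is fed are constructed; 192.0.2.0/24 and 10.8.0.0/24 are documentation and example subnets, not Surfshark's addresses.

```shell
#!/bin/sh
# Added example, not from any post in this thread: classify the routing table
# from the text of `ip route show`. With "redirect-gateway def1" OpenVPN adds
# 0.0.0.0/1 and 128.0.0.0/1 via the tunnel (more specific than "default", so
# they win); on a clean exit both must be gone and only the ISP default stays.

# route_state "<ip route show output>" prints one of:
#   tunnel-default : half-default routes, or a default route via tun*/tap*, are present
#   wan-default    : only a default route via a non-tunnel device (normal VPN-off state)
#   no-default     : no default route at all (nothing beyond the LAN is reachable)
route_state() {
    printf '%s\n' "$1" | awk '
        $1 == "0.0.0.0/1" || $1 == "128.0.0.0/1" { half++ }
        $1 == "default" {
            dev = ""
            for (i = 1; i <= NF; i++) if ($i == "dev") dev = $(i + 1)
            if (dev ~ /^(tun|tap)/) tundef = 1; else wandef = 1
        }
        END {
            if (half > 0 || tundef)  print "tunnel-default"
            else if (wandef)         print "wan-default"
            else                     print "no-default"
        }'
}

# Constructed sample tables (assumed layout of a typical OpenWrt box with tun0).
SAMPLE_VPN_UP='0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.0.2.1 dev wan
10.8.0.0/24 dev tun0 scope link src 10.8.0.2
192.0.2.0/24 dev wan scope link src 192.0.2.10
192.168.1.0/24 dev br-lan scope link src 192.168.1.1'

SAMPLE_VPN_DOWN_CLEAN='default via 192.0.2.1 dev wan
192.0.2.0/24 dev wan scope link src 192.0.2.10
192.168.1.0/24 dev br-lan scope link src 192.168.1.1'

SAMPLE_NO_DEFAULT='192.0.2.0/24 dev wan scope link src 192.0.2.10
192.168.1.0/24 dev br-lan scope link src 192.168.1.1'

# Demo on the samples; on the router run:  route_state "$(ip route show)"
for name in SAMPLE_VPN_UP SAMPLE_VPN_DOWN_CLEAN SAMPLE_NO_DEFAULT; do
    eval "table=\$$name"
    echo "$name -> $(route_state "$table")"
done
```

If the result is still tunnel-default after the OpenVPN process has exited, the routes were not cleaned up and a network restart (as suggested later in the thread) is the quickest way to get back to wan-default; if it is no-default, the problem is routing and not DNS, which is the distinction the ping-a-numeric-IP test above is meant to draw.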
ulmwind
December 1, 2022, 1:29pm
13
Sorry, do you agree with my statement, or not?
mk24
December 1, 2022, 1:34pm
14
I'm saying that yes, the routing table could be the problem.
2 Likes
Sorry, I had some delay. Here are the files.
Network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'
	option ula_prefix 'fde4:20ca:74bf::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	option peerdns '0'
	list dns '162.252.172.57'
	list dns '149.154.159.92'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config interface 'surfsharktun'
	option proto 'none'
	option ifname 'tun0'

Firewall

config defaults
	option syn_flood '1'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option mtu_fix '1'
	option masq '0'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'vpnfirewall'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'surfsharktun'

config forwarding
	option src 'lan'
	option dest 'vpnfirewall'
mk24
December 30, 2022, 2:41am
17
In the firewall you need to allow forwarding from lan to wan for the Internet to be accessible from lan while the VPN is stopped.
3 Likes
Here is the content of network and firewall.
Network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'
	option ula_prefix 'fde4:20ca:74bf::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	option peerdns '0'
	list dns '162.252.172.57'
	list dns '149.154.159.92'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config interface 'surfsharktun'
	option proto 'none'
	option ifname 'tun0'

Firewall

config defaults
	option syn_flood '1'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option mtu_fix '1'
	option masq '0'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'vpnfirewall'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'surfsharktun'

config forwarding
	option src 'lan'
	option dest 'vpnfirewall'
Sorry, I have no idea how to realize this one. The uci syntax is like dark magic for me right now.
As stated by @mk24, you're missing a firewall allowance for lan > wan. This means that there is no forwarding allowed to the WAN from the LAN, and this will mean that the internet does not work when the VPN is not running.
Add this to the firewall and it will fix your problem:
config forwarding
	option src 'lan'
	option dest 'wan'
2 Likes
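Putting together the two settings trendy quoted from the guide (the lan->wan forwarding and the wan zone's masq option) and the fix in the last post, here is an added example script that is not from the Surfshark guide, ulmwind's manual, or any poster. It audits a copy of /etc/config/firewall with only sh and awk and reports whether the lan-to-internet path with the VPN down is blocked (kill-switch) or open (fallback), which is exactly the difference between the posted config and the fixed one. The sample config it writes is constructed from the one posted above, trimmed to the zones and forwarding that matter.

```shell
#!/bin/sh
# Added example for this thread (not from the Surfshark guide or any poster):
# audit an OpenWrt /etc/config/firewall for the two settings the thread turns
# on, a "config forwarding" section from lan to wan and the wan zone's masq
# option, and report kill-switch mode (no internet while the VPN is down) or
# fallback mode (lan reaches wan directly while the VPN is down).

# Print 1 if a forwarding section with src 'lan' and dest 'wan' exists, else 0.
has_lan_wan_forwarding() {
    awk -v q="'" '
        /^[ \t]*config[ \t]+forwarding/ { in_fwd = 1; src = ""; dst = ""; next }
        /^[ \t]*config/                 { in_fwd = 0; next }
        in_fwd && $1 == "option" && $2 == "src"  { gsub(q, "", $3); src = $3 }
        in_fwd && $1 == "option" && $2 == "dest" { gsub(q, "", $3); dst = $3 }
        in_fwd && src == "lan" && dst == "wan"   { found = 1 }
        END { print found + 0 }
    ' "$1"
}

# Print the masq value of the zone named wan ("0" when the option is missing,
# which is also the firewall default), or "absent" if there is no wan zone.
wan_zone_masq() {
    awk -v q="'" '
        function flush() { if (in_zone && name == "wan") result = masq }
        /^[ \t]*config[ \t]+zone/ { flush(); in_zone = 1; name = ""; masq = "0"; next }
        /^[ \t]*config/           { flush(); in_zone = 0; next }
        in_zone && $1 == "option" && $2 == "name" { gsub(q, "", $3); name = $3 }
        in_zone && $1 == "option" && $2 == "masq" { gsub(q, "", $3); masq = $3 }
        END { flush(); print (result == "" ? "absent" : result) }
    ' "$1"
}

# One verdict for the path lan -> internet while the VPN is down.
audit_vpn_off_path() {
    fwd=$(has_lan_wan_forwarding "$1")
    masq=$(wan_zone_masq "$1")
    if [ "$fwd" = "1" ] && [ "$masq" = "1" ]; then
        echo "fallback"       # lan is forwarded to wan and NATed: internet works without the VPN
    elif [ "$fwd" = "0" ]; then
        echo "kill-switch"    # nothing is forwarded lan->wan: traffic only leaves via the VPN zone
    else
        echo "inconsistent"   # forwarded but not masqueraded on wan: private sources leak, replies never return
    fi
}

# Constructed sample modelled on the firewall posted above, trimmed to what the
# audit looks at. $1 = path, $2 = "kill-switch" (as posted) or "fallback" (with
# the lan->wan forwarding from the last post added and masq re-enabled on wan,
# i.e. what `uci add firewall forwarding`, `uci set firewall.@forwarding[-1].src=lan`,
# `uci set firewall.@forwarding[-1].dest=wan`, `uci set firewall.@zone[1].masq=1`
# and `uci commit firewall` would produce).
write_sample_firewall() {
    if [ "$2" = "fallback" ]; then masq=1; else masq=0; fi
    cat > "$1" <<EOF
config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '$masq'

config zone
	option name 'vpnfirewall'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	list network 'surfsharktun'

config forwarding
	option src 'lan'
	option dest 'vpnfirewall'
EOF
    if [ "$2" = "fallback" ]; then
        printf "\nconfig forwarding\n\toption src 'lan'\n\toption dest 'wan'\n" >> "$1"
    fi
}

# Demo on the constructed samples; on a router run:  audit_vpn_off_path /etc/config/firewall
tmp="${TMPDIR:-/tmp}/fwaudit.$$"
for mode in kill-switch fallback; do
    write_sample_firewall "$tmp" "$mode"
    echo "sample written in $mode mode -> audit says: $(audit_vpn_off_path "$tmp")"
done
rm -f "$tmp"
```

After changing the real file, apply it with /etc/init.d/firewall reload. Note that the posted config audits as kill-switch, which is what ulmwind's manual intends; adding the lan->wan forwarding turns it into fallback and the VPN is no longer the only way out, so pick the mode you actually want rather than ending up in it by accident.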