NordVPN Wireguard and Gmail

Hi all, I'm a new OpenWrt user coming from DD-WRT, been using OpenWrt for about 1 month now. After familiarization everything appears to work well. However, today I noticed that I cannot receive emails from my Gmail account using Outlook; I think it has been like this from the start. The error I receive is "cannot connect to the server". I have 6 email accounts and they all work.
These are the things I have tried, reading from some users with similar issues:

Connect to another server.
Reduced MTU from 1420 to 1280 in small increments.
I remember having issues with DD-WRT with my own ISP email, and that was rectified by setting my MTU to 1420, never with Gmail.

Is there anything else I can try?

Thanks in advance.

Did you embark on any form of adblock, banIP, proxying, DNS modifications or similar things that might overblock? Gmail's web interface should work on OpenWrt.

No, everything is stock... I did change the NordVPN WireGuard DNS to 1.1.1.1 and 1.0.0.1. I did try the original DNS from Nord, but that made no difference, so I went back to Cloudflare.
Keep in mind I'm accessing Gmail via Outlook, not the online GUI.

Just as a test I installed my backup router with DD-WRT using the same WireGuard config file, and Gmail works fine. Not sure where else to investigate.

Please connect to your OpenWrt device using SSH, copy the output of the following commands and post it here using the "Preformatted text </>" button:

Remember to redact passwords, MAC addresses and any public IP addresses you may have:
ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
wg show

The handling of DNS is different between DD-WRT and OpenWrt, but as long as you are not using PBR that should not matter.


Thanks for replying... I am using PBR. I have one device that uses the tunnel; this is my PC where I have all my email accounts. Will this cause problems?

Just a theory, but maybe Google checks the origin of the DNS location (ECS), and if your DNS is using a different route than other traffic then that might explain it.

DD-WRT handles DNS differently (I know because I implemented it in DD-WRT).

The PC you are talking about, does it use the WAN or the VPN?

You can check if the DNS is using the same route via ipleak.net and dnsleaktest.com.

I've set up my default route to be WAN. I have 2 physical LAN cards in my PC: one has a static IP which is set up to use the VPN, the other is WAN. When I want to use the VPN I disable one LAN card and enable the other. It works well, as my IP address matches my LAN card's either VPN IP or WAN IP. I have set up my DNS for both WAN and VPN to use Cloudflare 1.1.1.1 and 1.0.0.1. I've checked my DNS using ipleak.net and it matches the Cloudflare DNS. Strange, because my other 5 email accounts are fine.
Thanks again, I will uninstall the PBR module to see if this makes a difference and route everything via VPN... you think this is a good idea?

You have to check that ipleak.net not only shows Cloudflare but also that the origin matches the route the traffic takes: when using WAN it should be your home location, and when using the VPN ipleak.net should show the VPN location for DNS.

If it does, there is no VPN leak and the problem is probably located elsewhere.

Well, I should change my VPN server, because my VPN server is in my current location. I did this so I don't lose any speed... is this bad?

If your VPN server is in your home location then it does not matter, and your problem is probably not DNS related :frowning:

Where do I go from here... do you still need me to SSH in and run those commands?

That is always a good idea so that the community can review your config.

I just disabled PBR, so my whole network is using the VPN, and I also changed my DNS for both WAN and VPN to Nord's DNS 103.86.96.100. Unfortunately it's still the same.
I'll grab those outputs.

So the following log is with my WAN and VPN DNS set to NordVPN, policy routing disabled and my whole network using the VPN.
Using my backup router R7000.

{
        "kernel": "5.15.134",
        "hostname": "OpenWrt",
        "system": "ARMv7 Processor rev 0 (v7l)",
        "model": "Netgear R7000",
        "board_name": "netgear,r7000",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.0",
                "revision": "r23497-6637af95aa",
                "target": "bcm53xx/generic",
                "description": "OpenWrt 23.05.0 r23497-6637af95aa"
        }
}

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd54:c331:e7fb::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'wan'
        option macaddr 'Retracted'

config interface 'wan'
        option device 'wan'
        option proto 'pppoe'
        option username 'Retracted'
        option password 'Retracted'
        option ipv6 '0'
        option peerdns '0'
        list dns '103.86.96.100'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config interface 'wg0'
        option proto 'wireguard'
        option private_key 'Retracted'
        list addresses '10.5.0.2/32'
        list dns '103.86.96.100'

config wireguard_wg0
        option description 'NordVPN'
        option public_key 'Retracted'
        list allowed_ips '0.0.0.0/1'
        list allowed_ips '128.0.0.0/1'
        option endpoint_host 'Retracted'
        option endpoint_port '51820'
        option route_allowed_ips '1'

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        option ra_slaac '1'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'vpn'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'wg0'
        option masq '1'

config forwarding
        option src 'lan'
        option dest 'vpn'

config include 'pbr'
        option fw4_compatible '1'
        option type 'script'
        option path '/usr/share/pbr/pbr.firewall.include'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Cameras'
        list proto 'tcp'
        option src 'wan'
        option src_dport 'Retract'
        option dest_ip '192.168.1.90'
        option dest_port 'Retract'

interface: wg0
  public key: Retract
  private key: (hidden)
  listening port: 51156

peer: Retract
  endpoint: Retract:51820
  allowed ips: 0.0.0.0/1, 128.0.0.0/1
  latest handshake: 9 seconds ago
  transfer: 58.63 MiB received, 12.77 MiB sent

Try adding option mtu_fix '1' to the vpn zone.

You are using PPPoE, so you really should check the MTU settings (ip a). Luckily I do not use it, so someone with more knowledge probably needs to chime in, but WAN should be MTU-8 and WG should be WAN-80 (so that the max for WG is 1412, but sometimes lower is necessary).

Please confirm that I understood your instructions:

1. Adjust MTU to 1412
2. Add mtu_fix '1' to the vpn zone

I set MTU to 1412; it worked once, then on subsequent send/receive the emails would still fail when checking the Gmail email.

Not sure where to set mtu_fix; however, I enabled MSS clamping in the vpn zone and it works. (Is this the mtu_fix?) I then put MTU back to 1420 and it still works. So should I use 1412 or 1420 MTU?

Tomorrow I'll reflash my R7800 and make these changes, hopefully it's all good, fingers crossed.

mtu_fix is the MSS clamping :slight_smile:

MTU 1412 is for WG; it should be set automatically, which you can see with ip a.

For now just leave MTU alone, I have hopes that the mtu_fix should be sufficient (DD-WRT automatically sets MSS clamping).
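As an added example (not code from the thread or from the OpenWrt project), the script below works through the MTU chain the replies above describe and produces the UCI commands that enable MSS clamping on the vpn zone. It assumes the 1500-byte Ethernet MTU, the 8-byte PPPoE and 80-byte WireGuard overheads quoted in the thread, the 40-byte IPv4+TCP header used for the MSS calculation, and a constructed `uci show firewall` excerpt (SAMPLE_UCI) standing in for the poster's real firewall config; the zone name `vpn` matches that config. It only prints commands and never touches a router.

```shell
#!/bin/sh
# Added example: derive WAN and WireGuard MTUs for a PPPoE uplink and emit the
# uci commands that turn on mtu_fix (MSS clamping) for the named firewall zone.
# Overheads are the thread's figures; nothing here is the project's own code.

PPPOE_OVERHEAD=8      # PPPoE header bytes taken from the 1500-byte Ethernet MTU
WG_OVERHEAD=80        # WireGuard + UDP + IP encapsulation overhead
IP_TCP_HEADERS=40     # IPv4 (20) + TCP (20) headers, for the MSS bound

# wan_mtu ETHERNET_MTU -> MTU left for the PPPoE WAN interface
wan_mtu() {
    echo $(( $1 - PPPOE_OVERHEAD ))
}

# wg_mtu ETHERNET_MTU -> MTU left for a WireGuard tunnel riding on that WAN
wg_mtu() {
    echo $(( $(wan_mtu "$1") - WG_OVERHEAD ))
}

# mss_for_mtu MTU -> largest TCP MSS that fits in one packet of that MTU;
# this is the value MSS clamping (mtu_fix) would advertise on SYNs
mss_for_mtu() {
    echo $(( $1 - IP_TCP_HEADERS ))
}

# Constructed excerpt of 'uci show firewall' output (NOT the poster's real
# output); note that only the wan zone has mtu_fix set, as in the thread.
SAMPLE_UCI="firewall.@zone[0].name='lan'
firewall.@zone[1].name='wan'
firewall.@zone[1].mtu_fix='1'
firewall.@zone[2].name='vpn'
firewall.@zone[2].masq='1'"

# zone_section ZONE_NAME UCI_SHOW_OUTPUT -> section id (e.g. @zone[2]) of the
# zone whose name matches, by parsing the uci show text instead of running uci
zone_section() {
    printf '%s\n' "$2" | sed -n "s/^firewall\.\(@zone\[[0-9]*\]\)\.name='$1'$/\1/p"
}

# mtu_fix_cmds ZONE_NAME UCI_SHOW_OUTPUT -> the commands an admin would run on
# the router to enable MSS clamping on that zone (printed, not executed)
mtu_fix_cmds() {
    sec=$(zone_section "$1" "$2")
    if [ -z "$sec" ]; then
        echo "zone '$1' not found in firewall config" >&2
        return 1
    fi
    printf "uci set firewall.%s.mtu_fix='1'\n" "$sec"
    printf "uci commit firewall\n"
    printf "/etc/init.d/firewall restart\n"
}

# Demo: show the MTU chain and the commands for the vpn zone
echo "WAN (PPPoE) MTU: $(wan_mtu 1500)"
echo "WireGuard MTU:   $(wg_mtu 1500)"
echo "TCP MSS at that MTU: $(mss_for_mtu "$(wg_mtu 1500)")"
mtu_fix_cmds vpn "$SAMPLE_UCI"
```

On the router the same lookup would use the real output of `uci show firewall`; after the commands run, the vpn zone stanza gains `option mtu_fix '1'` alongside `option masq '1'`, which is the change the reply above recommends. Keep the WireGuard MTU at what `ip a` reports for wg0 and confirm the clamping is in place before lowering it further.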

I really appreciate your help, can't thank you enough. Off to bed now, it's 2am.
