OpenVPN and NordVPN

Can anyone help, please? I cannot solve this. Without VPN everything is working OK. With VPN I have no internet, but the VPN connects tomavam provider?

Help please.

Posting error messages/logs of your VPN connection would help. :wink:

Hi thanks for remembering it.

When I start openvpn I lose internet connection (no RX on nordVPN)

I've changed the DNS to nordvpn but got the same issue

Sat Aug 25 23:17:14 2018 daemon.notice openvpn(nordvpn)[2094]: OpenVPN 2.4.5 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Sat Aug 25 23:17:14 2018 daemon.notice openvpn(nordvpn)[2094]: library versions: OpenSSL 1.0.2p 14 Aug 2018, LZO 2.10
Sat Aug 25 23:17:14 2018 daemon.warn openvpn(nordvpn)[2094]: WARNING: --ping should normally be used with --ping-restart or --ping-exit
Sat Aug 25 23:17:14 2018 daemon.notice openvpn(nordvpn)[2094]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Sat Aug 25 23:17:14 2018 daemon.notice openvpn(nordvpn)[2094]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Sat Aug 25 23:17:14 2018 daemon.notice openvpn(nordvpn)[2094]: TCP/UDP: Preserving recently used remote address: [AF_INET]89.238.178.214:1194
Sat Aug 25 23:17:14 2018 daemon.notice openvpn(nordvpn)[2094]: Socket Buffers: R=[163840->163840] S=[163840->163840]
Sat Aug 25 23:17:14 2018 daemon.notice openvpn(nordvpn)[2094]: UDP link local: (not bound)
Sat Aug 25 23:17:14 2018 daemon.notice openvpn(nordvpn)[2094]: UDP link remote: [AF_INET]89.238.178.214:1194
Sat Aug 25 23:17:14 2018 daemon.notice openvpn(nordvpn)[2094]: TLS: Initial packet from [AF_INET]89.238.178.214:1194, sid=eb8a1434 c9fdf9c3
Sat Aug 25 23:17:14 2018 daemon.warn openvpn(nordvpn)[2094]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sat Aug 25 23:17:14 2018 daemon.notice openvpn(nordvpn)[2094]: VERIFY OK: depth=2, C=PA, O=NordVPN, CN=NordVPN Root CA
Sat Aug 25 23:17:14 2018 daemon.notice openvpn(nordvpn)[2094]: VERIFY OK: depth=1, C=PA, O=NordVPN, CN=NordVPN CA2
Sat Aug 25 23:17:14 2018 daemon.notice openvpn(nordvpn)[2094]: VERIFY KU OK
Sat Aug 25 23:17:14 2018 daemon.notice openvpn(nordvpn)[2094]: Validating certificate extended key usage
Sat Aug 25 23:17:14 2018 daemon.notice openvpn(nordvpn)[2094]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Sat Aug 25 23:17:14 2018 daemon.notice openvpn(nordvpn)[2094]: VERIFY EKU OK
Sat Aug 25 23:17:14 2018 daemon.notice openvpn(nordvpn)[2094]: VERIFY OK: depth=0, CN=es45.nordvpn.com
Sat Aug 25 23:17:14 2018 daemon.notice openvpn(nordvpn)[2094]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Sat Aug 25 23:17:14 2018 daemon.notice openvpn(nordvpn)[2094]: [es45.nordvpn.com] Peer Connection Initiated with [AF_INET]89.238.178.214:1194
Sat Aug 25 23:17:15 2018 daemon.notice openvpn(nordvpn)[2094]: SENT CONTROL [es45.nordvpn.com]: 'PUSH_REQUEST' (status=1)
Sat Aug 25 23:17:16 2018 daemon.notice openvpn(nordvpn)[2094]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,sndbuf 524288,rcvbuf 524288,dhcp-option DNS 103.86.96.100,dhcp-option DNS 103.86.99.100,comp-lzo no,route-gateway 10.8.8.1,topology subnet,ping 60,ping-restart 180,ifconfig 10.8.8.30 255.255.255.0,peer-id 19,cipher AES-256-GCM'
Sat Aug 25 23:17:16 2018 daemon.notice openvpn(nordvpn)[2094]: OPTIONS IMPORT: timers and/or timeouts modified
Sat Aug 25 23:17:16 2018 daemon.notice openvpn(nordvpn)[2094]: OPTIONS IMPORT: compression parms modified
Sat Aug 25 23:17:16 2018 daemon.notice openvpn(nordvpn)[2094]: OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
Sat Aug 25 23:17:16 2018 daemon.notice openvpn(nordvpn)[2094]: Socket Buffers: R=[163840->327680] S=[163840->327680]
Sat Aug 25 23:17:16 2018 daemon.notice openvpn(nordvpn)[2094]: OPTIONS IMPORT: --ifconfig/up options modified
Sat Aug 25 23:17:16 2018 daemon.notice openvpn(nordvpn)[2094]: OPTIONS IMPORT: route options modified
Sat Aug 25 23:17:16 2018 daemon.notice openvpn(nordvpn)[2094]: OPTIONS IMPORT: route-related options modified
Sat Aug 25 23:17:16 2018 daemon.notice openvpn(nordvpn)[2094]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sat Aug 25 23:17:16 2018 daemon.notice openvpn(nordvpn)[2094]: OPTIONS IMPORT: peer-id set
Sat Aug 25 23:17:16 2018 daemon.notice openvpn(nordvpn)[2094]: OPTIONS IMPORT: adjusting link_mtu to 1657
Sat Aug 25 23:17:16 2018 daemon.notice openvpn(nordvpn)[2094]: OPTIONS IMPORT: data channel crypto options modified
Sat Aug 25 23:17:16 2018 daemon.notice openvpn(nordvpn)[2094]: Data Channel: using negotiated cipher 'AES-256-GCM'
Sat Aug 25 23:17:16 2018 daemon.notice openvpn(nordvpn)[2094]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sat Aug 25 23:17:16 2018 daemon.notice openvpn(nordvpn)[2094]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sat Aug 25 23:17:16 2018 daemon.notice netifd: Interface 'nordvpntun' is enabled
Sat Aug 25 23:17:16 2018 daemon.notice netifd: Network device 'tun0' link is up
Sat Aug 25 23:17:16 2018 daemon.notice netifd: Interface 'nordvpntun' has link connectivity
Sat Aug 25 23:17:16 2018 daemon.notice netifd: Interface 'nordvpntun' is setting up now
Sat Aug 25 23:17:16 2018 daemon.notice netifd: Interface 'nordvpntun' is now up
Sat Aug 25 23:17:16 2018 daemon.notice openvpn(nordvpn)[2094]: TUN/TAP device tun0 opened
Sat Aug 25 23:17:16 2018 daemon.notice openvpn(nordvpn)[2094]: TUN/TAP TX queue length set to 100
Sat Aug 25 23:17:16 2018 daemon.notice openvpn(nordvpn)[2094]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Sat Aug 25 23:17:16 2018 daemon.notice openvpn(nordvpn)[2094]: /sbin/ifconfig tun0 10.8.8.30 netmask 255.255.255.0 mtu 1500 broadcast 10.8.8.255
Sat Aug 25 23:17:16 2018 daemon.notice openvpn(nordvpn)[2094]: /sbin/route add -net 89.238.178.214 netmask 255.255.255.255 gw 192.168.1.254
Sat Aug 25 23:17:16 2018 daemon.notice openvpn(nordvpn)[2094]: /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.8.8.1
Sat Aug 25 23:17:16 2018 daemon.notice openvpn(nordvpn)[2094]: /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.8.8.1
Sat Aug 25 23:17:16 2018 daemon.notice openvpn(nordvpn)[2094]: Initialization Sequence Completed
Sat Aug 25 23:17:16 2018 user.notice firewall: Reloading firewall due to ifup of nordvpntun (tun0)
Sat Aug 25 23:17:17 2018 daemon.warn odhcpd[978]: A default route is present but there is no public prefix on br-lan thus we don't announce a default route!

Firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config zone
	option name 'vpnfirewall'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'nordvpntun'

config forwarding
	option src 'lan'
	option dest 'vpnfirewall'

Network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd97:6e4c:ca12::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth1.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'
	option peerdns '0'
	list dns '103.86.96.100'
	list dns '103.86.99.100'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '2 3 4 5 0t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '1 6t'

config interface 'nordvpntun'
	option proto 'none'
	option ifname 'tun0'
	option auto '1'

Openvpn

config openvpn 'custom_config'
	option config '/etc/openvpn/my-vpn.conf'

config openvpn 'sample_server'
	option port '1194'
	option proto 'udp'
	option dev 'tun'
	option ca '/etc/openvpn/ca.crt'
	option cert '/etc/openvpn/server.crt'
	option key '/etc/openvpn/server.key'
	option dh '/etc/openvpn/dh1024.pem'
	option server '10.8.0.0 255.255.255.0'
	option ifconfig_pool_persist '/tmp/ipp.txt'
	option keepalive '10 120'
	option compress 'lzo'
	option persist_key '1'
	option persist_tun '1'
	option user 'nobody'
	option status '/tmp/openvpn-status.log'
	option verb '3'

config openvpn 'sample_client'
	option client '1'
	option dev 'tun'
	option proto 'udp'
	list remote 'my_server_1 1194'
	option resolv_retry 'infinite'
	option nobind '1'
	option persist_key '1'
	option persist_tun '1'
	option user 'nobody'
	option ca '/etc/openvpn/ca.crt'
	option cert '/etc/openvpn/client.crt'
	option key '/etc/openvpn/client.key'
	option compress 'lzo'
	option verb '3'

config openvpn 'nordvpn'
	option enabled '1'
	option config '/etc/openvpn/es45.nordvpn.com.udp.ovpn'

I am lost. In the 17 version it works, after upgrade to 18 it stops. I have the last firmware version...

Best Regards

Hi,
Replace "es45.nordvpn.com.udp.ovpn" in /etc/openvpn/ with the one below.
Create a file in /etc/openvpn/ named "secret"; save the username on the top line and the password on the bottom line.

client
fast-io
ifconfig-nowarn
mute-replay-warnings
nobind
persist-key
persist-tun
auth SHA512
auth-user-pass secret
cipher AES-256-CBC
compress lzo
dev tun
keepalive 10 120
key-direction 1
log /tmp/openvpn.log
port 1194
proto udp
remote es45.nordvpn.com
remote-cert-tls server
resolv-retry infinite
status /tmp/openvpn-status.log
verb 3
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-auth>

Btw, is there any valid and up-to-date guide for using the OpenVPN-client with OpenWrt 18.06.1?

https://openwrt.org/docs/guide-user/services/vpn/openvpn/start

1 Like

Thanks tmomas, i'll give it a try with this guide.
I was using OpenVPN + VPN Policy Routing with Lede 17.01.4 but I don't remember exactly how I got it done at the end.
But I have to say the OpenVPN Client (Basic) is actually real "basic" and if I remember correctly it wasn't that easy with my last setup. There is also nothing written about leaks, which is imho very important when running a VPN client on the router.

I am also searching for it #Btw, is there any valid and up-to-date guide for using the OpenVPN-client with OpenWrt 18.06.1?# in Lede 17xxx it was working but now I can connect but no RX packages!!! For several days I am trying ...but I cannot have a working VPN on lede 18xxx I am not an IT specialist....but I am almost giving it up...If anyone can help it will be great.

Thanks

There were a few minor changes in the OpenVPN directives that were included in the latest OpenWRT releases such as the compress lzo syntax. You might try posting your OpenVPN config file (remove any personally identifiable or non-public information first, of course) for people to review.

In my case I've downloaded the needed files for my VPN provider and the setup wasn't too complicated.
Who is your VPN provider? Mine provided me with a ca.crt, client.crt and an openvpn.ovpn file.

My openvpn.config looks like this:

config openvpn 'myvpn'
	option enabled '1'
	option config '/etc/openvpn/openvpn.ovpn'

And my openvpn.ovpn file:

client
remote SERVERNAME PORT
dev tun 
tun-ipv6
proto udp
auth-user-pass userpass.txt

route-nopull
reneg-sec 0
remote-random
ping-restart 0
resolv-retry infinite
persist-key
persist-tun
nobind
cipher AES-256-CBC
auth SHA256
ping 5
ping-exit 60
ping-timer-rem
explicit-exit-notify 2
script-security 2
remote-cert-tls server
route-delay 5
tun-mtu 1500 
fragment 1300
mssfix 1300
comp-lzo
fast-io
verb 4



ca ca.crt
cert client.crt
key client.key

The only thing I needed to create was the userpass.txt...
For the firewall settings I've followed the guide in the wiki: https://wiki.openwrt.org/doc/howto/vpn.openvpn#tab__client

I'm using a build of davidc502 which is based on the latest snapshot for my WRT3200ACM.

Half of my day trying to run nordvpn on openwrt latest version with no luck. Like I said before I can connect to VPN provider but I have no internet after that. If I disable VPN interface I have internet!
This is what I am using and its logs/configuration. Everything was working good on v17xx but when update to 18xxx no vpn! Thank you all...
Open VPN configuration file

config openvpn 'custom_config'
	option config '/etc/openvpn/my-vpn.conf'

config openvpn 'sample_server'
	option port '1194'
	option proto 'udp'
	option dev 'tun'
	option ca '/etc/openvpn/ca.crt'
	option cert '/etc/openvpn/server.crt'
	option key '/etc/openvpn/server.key'
	option dh '/etc/openvpn/dh1024.pem'
	option server '10.8.0.0 255.255.255.0'
	option ifconfig_pool_persist '/tmp/ipp.txt'
	option keepalive '10 120'
	option compress 'lzo'
	option persist_key '1'
	option persist_tun '1'
	option user 'nobody'
	option status '/tmp/openvpn-status.log'
	option verb '3'

config openvpn 'sample_client'
	option client '1'
	option dev 'tun'
	option proto 'udp'
	list remote 'my_server_1 1194'
	option resolv_retry 'infinite'
	option nobind '1'
	option persist_key '1'
	option persist_tun '1'
	option user 'nobody'
	option ca '/etc/openvpn/ca.crt'
	option cert '/etc/openvpn/client.crt'
	option key '/etc/openvpn/client.key'
	option compress 'lzo'
	option verb '3'

config openvpn 'nordvpn'
	option enabled '1'
	option config '/etc/openvpn/es21.nordvpn.com.udp.ovpn'

**NordVPN config file (es21.nordvpn.com.udp.ovpn):**


client
dev tun
proto udp
remote 185.183.106.22 1194
resolv-retry infinite
remote-random
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ping 15
ping-restart 0
ping-timer-rem
reneg-sec 0

explicit-exit-notify 3

remote-cert-tls server

#mute 10000
auth-user-pass secret.txt

comp-lzo
verb 3
pull
fast-io
cipher AES-256-CBC
auth SHA512

<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-auth>

**Firewall Config File**


config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config zone
	option name 'vpnfirewall'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'nordvpntun'

config forwarding
	option src 'lan'
	option dest 'vpnfirewall'

Did you follow the official guide from nordvpn? Try it with tcp... I had some problems with udp in the beginning but with my current config udp did work somehow.
https://nordvpn.com/de/tutorials/openwrt/openvpn/
Or you can use this guide: https://www.lteforum.at/mobilfunk/setup-openvpn-with-openwrt-lede.6831/
I'm pretty sure it will work with 18.06, if not there must be something wrong with your config or setup.

And if I get it right you only need the following in your openvpn.config located at /etc/config/openvpn:

config openvpn 'nordvpn'
        option enabled '1'
        option config '/etc/openvpn/es21.nordvpn.com.udp.ovpn'

And create the secret.txt with your username + password (auth-user-pass secret.txt) and place it at /etc/openvpn.

Should work....

Dear all, first of all I want to say thanks to all who try to help me.
I give up trying to use NordVPN on LEDE 18x! I follow several times the nordvpn guide...and repeat and try and repeat and try but no RX on NordVpn interface and no internet.

I even found a 17x configuration backup that I have and try to use the files on 18x...I can connect and everything goes well (as previous) except that no RX on nordvpn interface. I can connect to vpn but I have no internet.

The solution that I found was to downgrade to 17x lede version and use my last backup files. Everything is working great with the nordvpn guide!

I've been trying to put it to work on 18x for almost a month...without success. If anyone finds a solution to put nordvpn and lede 18x please let us know.

Best regards and thanks for all the help.

fwiw, I just tested 18.06.1 with NordVPN and it works fine on my HH5A.

The HH5A was already configured as described in the PDF linked in 2nd post of this thread with 17.01.4 to connect to another VPN provider.

I'm not a subscriber to NordVPN so I just took out another 3 day trial sub today to test.
I updated the HH5A to 17.01.6.
Copied over .ovpn file (udp).
Only modification to this file was path to the username&password text file.
I confirmed NordVPN was working with 17.01.6 and backed up the working config.
Then installed 18.06.1 without keeping any settings.
Installed openvpn-openssl and luci-app-openvpn packages.
Restored working config.
Rebooted HH5A and I am connected and using NordVPN as I type.

I forgot to add that I am using google DNS.

Update: I have just completed setting up NordVPN (uk240.nordvpn.com.udp1194.ovpn) onto 18.06.1 following the HH5A guide without deviating from the instructions. NordVPN working fine.
I also tested 'es45.nordvpn.com.udp1194.ovpn' and this works OK. Your system log dump of openvpn messages looks similar to mine. ie. you are connected to NordVPN end point.

Despite being poorly formatted, your /etc/config/network and firewall files appear to look fine at first glance too.
Could you ping 8.8.8.8 to verify there is a route to the net ?
I wonder if you have a DNS problem?
Could there be some sort of bug specific to your router which is not visible with other routers using 18.06 ?

Update: This thread describes similar problem where no packets received on VPN interface. Turned out it was because WAN and LAN subnets were the same.
OpenVPN with windscribe
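
The "WAN and LAN subnets were the same" condition mentioned above can be tested from two artefacts already posted in this thread: the routes OpenVPN logs when it comes up and the static addresses in /etc/config/network. This is an added example, not code from any poster or from OpenWrt; the function names and finding labels are made up for illustration, and the sample input is copied from the first poster's log and network config.

```python
import ipaddress
import re

# Copied from the system log and /etc/config/network posted earlier in this thread.
SAMPLE_LOG = """\
Sat Aug 25 23:17:16 2018 daemon.notice openvpn(nordvpn)[2094]: /sbin/ifconfig tun0 10.8.8.30 netmask 255.255.255.0 mtu 1500 broadcast 10.8.8.255
Sat Aug 25 23:17:16 2018 daemon.notice openvpn(nordvpn)[2094]: /sbin/route add -net 89.238.178.214 netmask 255.255.255.255 gw 192.168.1.254
Sat Aug 25 23:17:16 2018 daemon.notice openvpn(nordvpn)[2094]: /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.8.8.1
Sat Aug 25 23:17:16 2018 daemon.notice openvpn(nordvpn)[2094]: /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.8.8.1
"""
SAMPLE_NETWORK = """\
config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth1.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'
"""

ROUTE_RE = re.compile(r"/sbin/route add -net (\S+) netmask (\S+) gw (\S+)")
IFCONFIG_RE = re.compile(r"/sbin/ifconfig (\S+) (\S+) netmask (\S+)")


def parse_uci_interfaces(text):
    """Return {interface_name: {option: value}} from /etc/config/network text."""
    interfaces, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        section = re.match(r"config\s+(\S+)(?:\s+'([^']+)')?", line)
        if section:
            current = None  # options of non-interface sections are ignored
            if section.group(1) == "interface" and section.group(2):
                current = interfaces.setdefault(section.group(2), {})
            continue
        option = re.match(r"option\s+(\S+)\s+'([^']*)'", line)
        if option and current is not None:
            current[option.group(1)] = option.group(2)
    return interfaces


def static_networks(interfaces):
    """Map interface name -> IPv4 network for statically addressed interfaces."""
    nets = {}
    for name, opts in interfaces.items():
        if opts.get("proto") == "static" and "ipaddr" in opts and "netmask" in opts:
            iface = ipaddress.ip_interface(f"{opts['ipaddr']}/{opts['netmask']}")
            nets[name] = iface.network
    return nets


def upstream_gateway(log_text):
    """Gateway of the /32 host route OpenVPN adds for the VPN server itself.

    That route bypasses the tunnel, so its gateway is the router's WAN next hop.
    """
    for _dest, mask, gateway in ROUTE_RE.findall(log_text):
        if mask == "255.255.255.255":
            return ipaddress.ip_address(gateway)
    return None


def tunnel_network(log_text):
    """Subnet assigned to the tun device, taken from the logged ifconfig call."""
    match = IFCONFIG_RE.search(log_text)
    if not match:
        return None
    return ipaddress.ip_interface(f"{match.group(2)}/{match.group(3)}").network


def find_subnet_conflicts(log_text, network_text):
    """Return (label, interface, address_or_net, local_net) tuples for overlaps."""
    findings = []
    gateway = upstream_gateway(log_text)
    tunnel = tunnel_network(log_text)
    for name, net in static_networks(parse_uci_interfaces(network_text)).items():
        if gateway is not None and gateway in net:
            findings.append(("wan-gateway-in-local-subnet", name, str(gateway), str(net)))
        if tunnel is not None and tunnel.overlaps(net):
            findings.append(("tunnel-overlaps-local-subnet", name, str(tunnel), str(net)))
    return findings


if __name__ == "__main__":
    for finding in find_subnet_conflicts(SAMPLE_LOG, SAMPLE_NETWORK):
        print(finding)
```

On the lines posted in this thread the check reports the WAN gateway 192.168.1.254 inside the lan subnet 192.168.1.0/24; the thread never confirms whether that was the cause of the missing RX traffic.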

Purevpn? Only if you don't mind being logged

Hi. I know a lot of solutions and suggestions have been made here. I can suggest some but I need to know what OS are you using?

Hello,
I am beginner and I am trying to setup VPN on LinkSys WRT 3200.
I have used guide: https://www.reddit.com/r/openwrt/comments/b1r79u/nordvpn_on_1806_luci_help/
and https://support.nordvpn.com/Connectivity/Router/1047411192/OpenWRT-setup-with-NordVPN.htm.
Unfortunately the VPN Interface does not work.
I have attached screenshots of main screens + logs. Any help would be very appreciated.
Thank you very much

Log:

Thu Sep 26 17:49:38 2019 daemon.notice openvpn(NordVPN)[3235]: Validating certificate extended key usage
Thu Sep 26 17:49:38 2019 daemon.notice openvpn(NordVPN)[3235]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Thu Sep 26 17:49:38 2019 daemon.notice openvpn(NordVPN)[3235]: VERIFY EKU OK
Thu Sep 26 17:49:38 2019 daemon.notice openvpn(NordVPN)[3235]: VERIFY OK: depth=0, CN=bg28.nordvpn.com
Thu Sep 26 17:49:40 2019 daemon.notice openvpn(NordVPN)[3235]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Thu Sep 26 17:49:40 2019 daemon.notice openvpn(NordVPN)[3235]: [bg28.nordvpn.com] Peer Connection Initiated with [AF_INET]185.216.32.253:1194
Thu Sep 26 17:49:41 2019 daemon.notice openvpn(NordVPN)[3235]: SENT CONTROL [bg28.nordvpn.com]: 'PUSH_REQUEST' (status=1)
Thu Sep 26 17:49:41 2019 daemon.notice openvpn(NordVPN)[3235]: AUTH: Received control message: AUTH_FAILED
Thu Sep 26 17:49:41 2019 daemon.notice openvpn(NordVPN)[3235]: SIGTERM[soft,auth-failure] received, process exiting
Thu Sep 26 17:49:46 2019 daemon.notice openvpn(NordVPN)[3236]: OpenVPN 2.4.5 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Thu Sep 26 17:49:46 2019 daemon.notice openvpn(NordVPN)[3236]: library versions: OpenSSL 1.0.2t  10 Sep 2019, LZO 2.10
Thu Sep 26 17:49:46 2019 daemon.warn openvpn(NordVPN)[3236]: WARNING: --ping should normally be used with --ping-restart or --ping-exit
Thu Sep 26 17:49:46 2019 daemon.notice openvpn(NordVPN)[3236]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Thu Sep 26 17:49:46 2019 daemon.notice openvpn(NordVPN)[3236]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Thu Sep 26 17:49:46 2019 daemon.notice openvpn(NordVPN)[3236]: TCP/UDP: Preserving recently used remote address: [AF_INET]185.216.32.253:1194
Thu Sep 26 17:49:46 2019 daemon.notice openvpn(NordVPN)[3236]: Socket Buffers: R=[163840->163840] S=[163840->163840]
Thu Sep 26 17:49:46 2019 daemon.notice openvpn(NordVPN)[3236]: UDP link local: (not bound)
Thu Sep 26 17:49:46 2019 daemon.notice openvpn(NordVPN)[3236]: UDP link remote: [AF_INET]185.216.32.253:1194
Thu Sep 26 17:49:46 2019 daemon.notice openvpn(NordVPN)[3236]: TLS: Initial packet from [AF_INET]185.216.32.253:1194, sid=bb6a568e 2888d19a
Thu Sep 26 17:49:46 2019 daemon.warn openvpn(NordVPN)[3236]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Thu Sep 26 17:49:46 2019 daemon.notice openvpn(NordVPN)[3236]: VERIFY OK: depth=2, C=PA, O=NordVPN, CN=NordVPN Root CA
Thu Sep 26 17:49:46 2019 daemon.notice openvpn(NordVPN)[3236]: VERIFY OK: depth=1, C=PA, O=NordVPN, CN=NordVPN CA3
Thu Sep 26 17:49:46 2019 daemon.notice openvpn(NordVPN)[3236]: VERIFY KU OK
Thu Sep 26 17:49:46 2019 daemon.notice openvpn(NordVPN)[3236]: Validating certificate extended key usage
Thu Sep 26 17:49:46 2019 daemon.notice openvpn(NordVPN)[3236]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Thu Sep 26 17:49:46 2019 daemon.notice openvpn(NordVPN)[3236]: VERIFY EKU OK
Thu Sep 26 17:49:46 2019 daemon.notice openvpn(NordVPN)[3236]: VERIFY OK: depth=0, CN=bg28.nordvpn.com
Thu Sep 26 17:49:48 2019 daemon.notice openvpn(NordVPN)[3236]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Thu Sep 26 17:49:48 2019 daemon.notice openvpn(NordVPN)[3236]: [bg28.nordvpn.com] Peer Connection Initiated with [AF_INET]185.216.32.253:1194
Thu Sep 26 17:49:49 2019 daemon.notice openvpn(NordVPN)[3236]: SENT CONTROL [bg28.nordvpn.com]: 'PUSH_REQUEST' (status=1)
Thu Sep 26 17:49:49 2019 daemon.notice openvpn(NordVPN)[3236]: AUTH: Received control message: AUTH_FAILED
Thu Sep 26 17:49:49 2019 daemon.notice openvpn(NordVPN)[3236]: SIGTERM[soft,auth-failure] received, process exiting
Thu Sep 26 17:49:54 2019 daemon.notice openvpn(NordVPN)[3237]: OpenVPN 2.4.5 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Thu Sep 26 17:49:54 2019 daemon.notice openvpn(NordVPN)[3237]: library versions: OpenSSL 1.0.2t  10 Sep 2019, LZO 2.10
Thu Sep 26 17:49:54 2019 daemon.warn openvpn(NordVPN)[3237]: WARNING: --ping should normally be used with --ping-restart or --ping-exit
Thu Sep 26 17:49:54 2019 daemon.notice openvpn(NordVPN)[3237]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Thu Sep 26 17:49:54 2019 daemon.notice openvpn(NordVPN)[3237]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Thu Sep 26 17:49:54 2019 daemon.notice openvpn(NordVPN)[3237]: TCP/UDP: Preserving recently used remote address: [AF_INET]185.216.32.253:1194

fwiw, see if using this in your .conf file makes any difference.

auth-user-pass   /etc/openvpn/secret

I also observe your custom /etc/config/openvpn config file is pointing to certificate and key files which don't exist. The contents of the file may be conflicting with the .conf file. I would suggest removing entries from the file so it just reads:

config openvpn 'NordVPN'
	option enabled '1'
	option config '/etc/openvpn/my-vpn.conf'

Otherwise, review my v1.1 guide (for 17.01/18.06) which I know works with Nordvpn the last time I tested it.
https://openwrt.ebilan.co.uk/viewtopic.php?f=7&t=279

Other info
https://openwrt.org/docs/guide-user/services/vpn/openvpn/client-luci

3 Likes

Hello,
it works. I have included the path to the "secret" file with login info. I had also in this file the word password and the password itself which is wrong. The guide is very good.
THANK YOU VERY MUCH.

1 Like
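
The two things that resolved the AUTH_FAILED loop above (a full path after auth-user-pass, and a credentials file holding only the username and the password) can be checked before the daemon is started. This is an added example, not code from the thread or from OpenVPN; the function names and sample credentials are constructed, and the file-mode and auth-nocache checks are added hardening checks, the latter based on the warning in the logs above.

```python
import os
import re
import stat

# A line such as "password: hunter2" or "username = bob" (heuristic).
LABEL_RE = re.compile(r"^(user(name)?|login|pass(word)?)\s*[:=\s]\s*\S", re.I)


def check_credentials_text(text):
    """Return problems found in the content of an auth-user-pass file.

    The file is expected to hold the username on line 1 and the password
    on line 2, nothing else.
    """
    lines = text.split("\n")
    if lines and lines[-1] == "":
        lines.pop()  # ignore the final newline
    problems = []
    if len(lines) != 2:
        problems.append(
            f"expected 2 lines (username, then password), found {len(lines)}")
    for number, line in enumerate(lines, start=1):
        word = line.strip().lower()
        if not word:
            problems.append(f"line {number} is empty")
        elif word in ("username", "password"):
            problems.append(f"line {number} is the literal word {word!r}")
        elif LABEL_RE.match(line.strip()):
            problems.append(f"line {number} looks like a label followed by a value")
    return problems


def check_credentials_file(path):
    """Check permissions and content of the credentials file at `path`."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        problems.append(f"mode {mode:o} is accessible to group/other; use 600")
    with open(path, encoding="utf-8") as handle:
        problems += check_credentials_text(handle.read())
    return problems


def check_ovpn_auth(config_text):
    """Check the auth-related directives of an OpenVPN client config."""
    directives = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if line and not line.startswith(("#", ";")):
            directives.append(line.split())
    problems = []
    auth = [d for d in directives if d[0] == "auth-user-pass"]
    if not auth:
        problems.append("no auth-user-pass directive")
    for directive in auth:
        if len(directive) == 1:
            problems.append("auth-user-pass has no file argument; OpenVPN will prompt")
        elif not os.path.isabs(directive[1]):
            problems.append(
                f"auth-user-pass path {directive[1]!r} is relative; it is resolved "
                "against OpenVPN's working directory")
    if not any(d[0] == "auth-nocache" for d in directives):
        problems.append("auth-nocache not set; credentials may stay cached in memory")
    return problems


# Constructed sample: directives as they appear in the config posted in this thread.
SAMPLE_OVPN = """\
client
dev tun
#mute 10000
auth-user-pass secret.txt
verb 3
"""

if __name__ == "__main__":
    for problem in check_ovpn_auth(SAMPLE_OVPN):
        print("config:", problem)
    # Constructed credentials file with the mistake described in the last post.
    for problem in check_credentials_text("user1\npassword\nhunter2\n"):
        print("secret:", problem)
```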
