Openconnect gets as gateway

I am new to this but I followed every suggestion I found on the forum and used all the guides on both Luci interface and ssh.

Scenario: TP-Link Archer C50 V4 with a custom Openwrt 22.03.2 with Luci and openconnect vpn client (Device storage is low and I could not use the provided rom and install openconnect as a package later)

everything works fine with default config and I have internet on Lan side. I configure Openconnect with server address, Port, username and password. I dont have a server hash but I dont think its needed because I use Openconnect on my phone and my pc without the server hash and it works perfectly.

Anyway, I put the vpn in Wan zone in the firewall. the vpn connects and gets IP and DNS from server but the gateway is, at the same time vpn is connecting to the same server in my other setups and the gateway is there so I dont think its the server problem.

any suggestions ?

Do you control both sides of the VPN? If so, maybe you'll have better luck with Wireguard. (if you can't use WG for any reason, just disregard this comment).

I'm not an Openconnect user, so I cannot help with this particular VPN protocol and its configuration, but hopefully someone else can assist.

Unfortunately no. it is a paid vpn service that I am using that only works with Cisco Anyconnect at the moment. I have to use openconnect here.

right now I am using an old laptop to share the vpn to the network but since I had this Archer C50 around I thought it is way easier just to use a router like normal people do :smiley:

I guess I need to force the vpn interface (openconnect) to also take the gateway address from server's dhcp because it is already getting the DNS and IP address perfectly fine.

but I dont know how to do this

Do you have vpnc-scripts package installed?

What's ip ro output after openconnect is connected?

As a workaround you could try to create a file in /etc/hotplug.d/iface and deal with the route.

# cat /etc/hotplug.d/iface/99-vpn 

if [ "$DEVICE" == "vpn-X" ]; then
  if [ "$ACTION" == "ifup" ]; then
    ip ro add 0/0 dev vpn-X
    logger -t hotplug "DEVICE: ${INTERFACE} /Action: ${ACTION}"
root@OpenWrt:~# ip ro
default dev vpn-vpn scope link
1**.30.0.0/20 dev vpn-vpn scope link    (I masked the IP) dev br-lan scope link  src dev eth0.2 scope link  src

There should be a gateway on the interface so the route can work. gateway is simply not there as you can see in below picture

This "route without gateway" situation is perfectly normal for point-to-point VPNs that operate on layer 3. The gateway IP is needed only for layer-2 links that use MAC addresses, as it is used in the ARP packet to find the MAC address of the gateway and send Ethernet frames there. However, with OpenConnect, everything is already on layer 3, there are no MAC addresses, no Ethernet frames, and no ARP. The phrase "the other end of the link" uniquely identifies the gateway, and so there is no use for the gateway IP.

If the VPN does not work, it is for some other reason. E.g., I don't see the route to the VPN server that bypasses the VPN.

And the two conflicting 192.168.1/24 routes are not right.

started from the scratch today.
Followed this guide

result is still the same. no internet after vpn is connected

Please use tcpdump to debug. As a minimum, run this in two terminal windows:

tcpdump -pni eth0.2
tcpdump -pni vpn-vpn

Then connect the VPN and ping If you see a LOT of activity (thousands of packets per second) on vpn-vpn and nothing on eth0.2, then we have a problem of the VPN eating its own packets. Otherwise, something else.

1 Like

Also please post the output of all commands from the troubleshooting section.

1 Like

Fix that first. Your upstream network is the same IP range as the LAN, which will not work. You need to change OpenWrt's lan to something else, such as

A "whole house" VPN client starts as a lan->wan router then becomes a lan->vpn router. In other words there needs to be routing active, it can't be a single network bridge like a dumb AP. There are three networks: the regular (untrusted) Internet, usually wan, the users (usually lan) and the VPN tunnel.

The VPN should set up a new default route into the VPN interface. This can be a single or a split setup. Since this directs every IP into the VPN, there also needs to be a "hole punch" /32 route to send the encrypted packets to the one IP of the VPN server via the regular Internet (eth0.2). Some VPN software does this automatically, with others you need an "up" script to install it (and usually a "down" script to reverse it).


Oh, I don't know how I missed the same ip range. I think its because before the vpn everything is working even with the same ip range.

I will try to change lan ip range first and retry.


I will do this and get back with the results, thanks

Ok I tried again, separated the IP range for lan and internet. same result.

I played with gateway metrics a bit and successfully made the router to use VPN gateway for Lan devices. but since the gateway is it is still not working.

I think I give up and continue using my old laptop as a router.

thank you

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.