Openconnect there is a connection but no Internet

Hello,
I am using a Xiaomi 4C router with the OpenWrt 23.05 version installed, and the OpenConnect 9.12-4 client installed as well. The connection to the server is working, but when I enable the "Use default gateway" option, the ping stops working.
I have tried adding a new route to the network based on a nearby topic I read, but it did not help. Could you please advise me on what else I can do?

Can you ping the other VPN end?

I'm sorry, I didn't understand you. Why would I ping another server?

I can show the network and firewall settings

To determine if the encrypted link is up and the route is missing?

This is with the "Use default gateway" enabled
root@ImmortalWrt:~# ping -I vpn-oc google.com
PING google.com (108.177.14.138): 56 data bytes
^C
--- google.com ping statistics ---
68 packets transmitted, 0 packets received, 100% packet loss
This is with the "Use default gateway" turned off
root@ImmortalWrt:~# ping -I vpn-oc google.com
PING google.com (173.194.222.113): 56 data bytes
64 bytes from 173.194.222.113: seq=0 ttl=59 time=144.035 ms
64 bytes from 173.194.222.113: seq=1 ttl=59 time=143.549 ms
64 bytes from 173.194.222.113: seq=2 ttl=106 time=143.868 ms
64 bytes from 173.194.222.113: seq=3 ttl=106 time=143.535 ms
64 bytes from 173.194.222.113: seq=4 ttl=106 time=144.523 ms
64 bytes from 173.194.222.113: seq=5 ttl=106 time=143.400 ms
^C
--- google.com ping statistics ---
6 packets transmitted, 6 packets received, 0% packet loss
round-trip min/avg/max = 143.400/143.818/144.523 ms

It appears you are using firmware that is not from the official OpenWrt project.

When using forks/offshoots/vendor-specific builds that are "based on OpenWrt", there may be many differences compared to the official versions (hosted by OpenWrt.org). Some of these customizations may fundamentally change the way that OpenWrt works. You might need help from people with specific/specialized knowledge about the firmware you are using, so it is possible that advice you get here may not be useful.

You may find that the best options are:

  1. Install an official version of OpenWrt, if your device is supported (see https://firmware-selector.openwrt.org).
  2. Ask for help from the maintainer(s) or user community of the specific firmware that you are using.
  3. Provide the source code for the firmware so that users on this forum can understand how your firmware works (OpenWrt forum users are volunteers, so somebody might look at the code if they have time and are interested in your issue).

If you believe that this specific issue is common to generic/official OpenWrt and/or the maintainers of your build have indicated as such, please feel free to clarify.

You are not using OpenWrt; you have to ask on the ImmortalWrt forums.

root@OpenWrt:~# ping -I vpn-oc google.com
PING google.com (142.250.206.110): 56 data bytes
64 bytes from 142.250.206.110: seq=0 ttl=108 time=507.452 ms
64 bytes from 142.250.206.110: seq=1 ttl=108 time=507.565 ms
64 bytes from 142.250.206.110: seq=2 ttl=108 time=507.507 ms
64 bytes from 142.250.206.110: seq=3 ttl=108 time=507.504 ms
64 bytes from 142.250.206.110: seq=4 ttl=108 time=507.327 ms
64 bytes from 142.250.206.110: seq=5 ttl=108 time=506.642 ms
^C
--- google.com ping statistics ---
7 packets transmitted, 6 packets received, 14% packet loss
round-trip min/avg/max = 506.642/507.332/507.565 ms
Install OpenWrt

OpenWrt 23.05.3
This is with the "Use default gateway" enabled
root@OpenWrt:~# ping -I vpn-oc google.com
PING google.com (142.250.206.110): 56 data bytes
^C
--- google.com ping statistics ---
12 packets transmitted, 0 packets received, 100% packet loss

Is your OpenVPN server for tunneling internet or just for office access?

I don't have OpenVPN, I have AnyConnect. It is needed to access the Internet and bypass locks

ubus call system board

And did you reset the configuration when converting ImmortalWrt to OpenWrt?

Yes, of course

How did you add the static route for the VPN server via the wan interface?
Do you see it if you run ip route list?

Not relevant when pinging from the router, but is the VPN interface assigned to the wan firewall zone?

Oh yes, it was YOU who helped that guy

Now I'll show you all the settings

root@OpenWrt:~# ip address show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP qlen 1000
link/ether cc:d8:43:9e:e1:b7 brd ff:ff:ff:ff:ff:ff
inet6 fe80::ced8:43ff:fe9e:e1b7/64 scope link
valid_lft forever preferred_lft forever
5: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
link/ether cc:d8:43:9e:e1:b7 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
valid_lft forever preferred_lft forever
inet6 fd6a:7360:2c::1/60 scope global noprefixroute
valid_lft forever preferred_lft forever
inet6 fe80::ced8:43ff:fe9e:e1b7/64 scope link
valid_lft forever preferred_lft forever
6: eth0.1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
link/ether cc:d8:43:9e:e1:b7 brd ff:ff:ff:ff:ff:ff
7: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
link/ether cc:d8:43:9e:e1:b8 brd ff:ff:ff:ff:ff:ff
inet 192.168.31.128/24 brd 192.168.31.255 scope global eth0.2
valid_lft forever preferred_lft forever
inet6 fe80::ced8:43ff:fe9e:e1b8/64 scope link
valid_lft forever preferred_lft forever
8: phy0-ap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
link/ether cc:d8:43:9e:e1:b8 brd ff:ff:ff:ff:ff:ff
inet6 fe80::ced8:43ff:fe9e:e1b8/64 scope link
valid_lft forever preferred_lft forever
10: vpn-oc: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN qlen 500
link/[65534]
inet 192.168.7.216/32 brd 255.255.255.255 scope global vpn-oc
valid_lft forever preferred_lft forever
inet6 fe80::d035:e897:eb23:c8e9/64 scope link flags 800
valid_lft forever preferred_lft forever

root@OpenWrt:~# ip route show
default via 192.168.31.1 dev eth0.2 src 192.168.31.128 metric 10
192.168.1.0/24 dev br-lan scope link src 192.168.1.1
192.168.7.0/24 dev vpn-oc scope link
192.168.31.0/24 dev eth0.2 scope link metric 10

root@OpenWrt:~# uci show firewall
firewall.@defaults[0]=defaults
firewall.@defaults[0].input='REJECT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@defaults[0].flow_offloading='1'
firewall.@defaults[0].flow_offloading_hw='1'
firewall.@defaults[0].fullcone='1'
firewall.@defaults[0].synflood_protect='1'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[0].network='lan'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@zone[1].network='wan'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@zone[2]=zone
firewall.@zone[2].name='oc'
firewall.@zone[2].input='ACCEPT'
firewall.@zone[2].output='ACCEPT'
firewall.@zone[2].forward='REJECT'
firewall.@zone[2].masq='1'
firewall.@zone[2].mtu_fix='1'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].src='lan'
firewall.@forwarding[1].dest='oc'
root@OpenWrt:~#
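
The two checks asked about in the replies above (a static route for the VPN server via wan, and whether the VPN interface belongs to a firewall zone), run offline over the output in the last post. This is an added example, not part of the thread; the server address 203.0.113.10 and the function names are constructed placeholders.

```shell
#!/bin/sh
# Added example: offline checks over saved `ip route show` / `uci show firewall` text.
VPN_SERVER="203.0.113.10"   # constructed placeholder; the real server address is not on the page

# Lines copied from the output in the last post of the thread.
sample_routes() { cat <<'EOF'
default via 192.168.31.1 dev eth0.2 src 192.168.31.128 metric 10
192.168.1.0/24 dev br-lan scope link src 192.168.1.1
192.168.7.0/24 dev vpn-oc scope link
192.168.31.0/24 dev eth0.2 scope link metric 10
EOF
}
sample_firewall() { cat <<'EOF'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].network='lan'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].network='wan'
firewall.@zone[2]=zone
firewall.@zone[2].name='oc'
EOF
}

# Print the device that carries the default route.
default_route_dev() {
    awk '$1 == "default" { for (i = 2; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Succeed if a host route for $1 leaves via device $2.
has_route_via() {
    awk -v dst="$1" -v dev="$2" '
        $1 == dst || $1 == (dst "/32") {
            for (i = 2; i < NF; i++) if ($i == "dev" && $(i + 1) == dev) found = 1 }
        END { exit !found }'
}

# Print every firewall zone that lists neither a network nor a device.
zones_without_members() {
    awk -F= -v q="'" '
        /^firewall\.@zone\[[0-9]+\]=zone$/ { idx[++n] = $1; next }
        /^firewall\.@zone\[[0-9]+\]\.name=/ { k = $1; sub(/\.name$/, "", k); gsub(q, "", $2); name[k] = $2; next }
        /^firewall\.@zone\[[0-9]+\]\.(network|device)=/ { k = $1; sub(/\.(network|device)$/, "", k); member[k] = 1 }
        END { for (i = 1; i <= n; i++) if (!(idx[i] in member)) print name[idx[i]] }'
}

echo "default route leaves via: $(sample_routes | default_route_dev)"
sample_routes | has_route_via "$VPN_SERVER" eth0.2 || echo "no host route to $VPN_SERVER via eth0.2"
echo "zones with no network/device: $(sample_firewall | zones_without_members)"
```

On a router, the same functions take live input, for example by piping `ip route show` or `uci show firewall` into them in place of the sample functions.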