Openvpn Client configured but internet not working

Hello all,

I have configured my OpenVPN client on my new OpenWrt router with the help of this user guide: https://openwrt.org/docs/guide-user/services/vpn/openvpn/client.

Please note that:

  • My router is connected to my box with an ethernet cable
  • My VPN server-client works perfectly using the Windows OpenVPN client GUI on my Windows machine with my box wifi, but not with the OpenWrt wifi

When I launch the VPN client there is an error in the log "logread -e openvpn" and I am not able to access the internet, see below:

Sun Oct 27 19:32:52 2019 daemon.notice openvpn(hometest)[3502]: Initialization Sequence Completed
Sun Oct 27 19:37:17 2019 daemon.err openvpn(hometest)[3502]: event_wait : Interrupted system call (code=4)
Sun Oct 27 19:37:17 2019 daemon.notice openvpn(hometest)[3502]: /sbin/route del -net XX.XXX.XXX.XXX netmask 255.255.255.255
Sun Oct 27 19:37:17 2019 daemon.warn openvpn(hometest)[3502]: ERROR: Linux route delete command failed: external program exited with error status: 1
Sun Oct 27 19:37:17 2019 daemon.notice openvpn(hometest)[3502]: /sbin/route del -net 0.0.0.0 netmask 128.0.0.0
Sun Oct 27 19:37:17 2019 daemon.warn openvpn(hometest)[3502]: ERROR: Linux route delete command failed: external program exited with error status: 1
Sun Oct 27 19:37:17 2019 daemon.notice openvpn(hometest)[3502]: /sbin/route del -net 128.0.0.0 netmask 128.0.0.0
Sun Oct 27 19:37:17 2019 daemon.warn openvpn(hometest)[3502]: ERROR: Linux route delete command failed: external program exited with error status: 1
Sun Oct 27 19:37:17 2019 daemon.notice openvpn(hometest)[3502]: Closing TUN/TAP interface
Sun Oct 27 19:37:17 2019 daemon.notice openvpn(hometest)[3502]: /sbin/ifconfig tun0 0.0.0.0
Sun Oct 27 19:37:17 2019 daemon.warn openvpn(hometest)[3502]: Linux ip addr del failed: external program exited with error status: 1

Could you please help me to fix that issue?

What is the model of the OpenWrt router?
Is it directly wired to the internet or connected to another router?
What version of OpenWrt is installed?

Router Linksys WRT3200ACM.
Router wired to the internet through my ISP box, connected with an ethernet cable.
Version [18.06.4]

Are you trying to use the OpenVPN client on your WRT3200 to connect to a 3rd party VPN service provider?

Who is the VPN provider?

No, I have set up my own private OpenVPN server on a Raspberry located at my family's home.
The OpenVPN client works perfectly well using the Windows OpenVPN GUI connected to the wifi of my ISP box (without the Linksys router).
I am just trying to set up the OpenVPN client directly on my Linksys router to use the VPN for all my devices (computer, iPhone etc.)

Key message is here:

Sun Oct 27 19:37:17 2019 daemon.err openvpn(hometest)[3502]: event_wait : Interrupted system call (code=4)

And it means you pressed CTRL+C on the console, or perhaps some other process sent a TERM signal. Are there any other messages (by any process) just before that one? Can we see your config file, please?

You are right, the message comes from the interruption of the VPN in LuCI, that's why we see this message in the log. Sorry :)

I have just re-launched the VPN to show you the log without interrupting it, but I still cannot connect to the internet. It seems there is no error in the log.

OpenVPN client log with command "logread -e openvpn" (all personal information replaced by XXXXX):

Mon Oct 28 17:00:46 2019 daemon.notice openvpn(hometest)[3279]: OpenVPN 2.4.5 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Mon Oct 28 17:00:46 2019 daemon.notice openvpn(hometest)[3279]: library versions: OpenSSL 1.0.2t  10 Sep 2019, LZO 2.10
Mon Oct 28 17:00:46 2019 daemon.notice openvpn(hometest)[3279]: Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Mon Oct 28 17:00:46 2019 daemon.notice openvpn(hometest)[3279]: Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Mon Oct 28 17:00:46 2019 daemon.notice openvpn(hometest)[3279]: Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Mon Oct 28 17:00:46 2019 daemon.notice openvpn(hometest)[3279]: Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Mon Oct 28 17:00:46 2019 daemon.notice openvpn(hometest)[3279]: TCP/UDP: Preserving recently used remote address: [AF_INET]XX.XXX.XXX.XXX_IP_ADRESS:1194
Mon Oct 28 17:00:46 2019 daemon.notice openvpn(hometest)[3279]: Socket Buffers: R=[163840->163840] S=[163840->163840]
Mon Oct 28 17:00:46 2019 daemon.notice openvpn(hometest)[3279]: UDP link local: (not bound)
Mon Oct 28 17:00:46 2019 daemon.notice openvpn(hometest)[3279]: UDP link remote: [AF_INET]XX.XXX.XXX.XXX_IP_ADRESS:1194
Mon Oct 28 17:00:46 2019 daemon.notice openvpn(hometest)[3279]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Mon Oct 28 17:00:46 2019 daemon.notice openvpn(hometest)[3279]: TLS: Initial packet from [AF_INET]XX.XXX.XXX.XXX_IP_ADRESS:1194, sid=a21e54e2 1e327252
Mon Oct 28 17:00:46 2019 daemon.notice openvpn(hometest)[3279]: VERIFY OK: depth=1, CN=ChangeMe
Mon Oct 28 17:00:46 2019 daemon.notice openvpn(hometest)[3279]: VERIFY KU OK
Mon Oct 28 17:00:46 2019 daemon.notice openvpn(hometest)[3279]: Validating certificate extended key usage
Mon Oct 28 17:00:46 2019 daemon.notice openvpn(hometest)[3279]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Mon Oct 28 17:00:46 2019 daemon.notice openvpn(hometest)[3279]: VERIFY EKU OK
Mon Oct 28 17:00:46 2019 daemon.notice openvpn(hometest)[3279]: VERIFY X509NAME OK: CN=server_xxxxxxxxxx
Mon Oct 28 17:00:46 2019 daemon.notice openvpn(hometest)[3279]: VERIFY OK: depth=0, CN=server_xxxxxxxxxx
Mon Oct 28 17:00:47 2019 daemon.notice openvpn(hometest)[3279]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-ECDSA-AES256-GCM-SHA384, 256 bit EC, curve: prime256v1
Mon Oct 28 17:00:47 2019 daemon.notice openvpn(hometest)[3279]: [server_xxxxxxxxxx] Peer Connection Initiated with [AF_INET]XX.XXX.XXX.XXX_IP_ADRESS:1194
Mon Oct 28 17:00:48 2019 daemon.notice openvpn(hometest)[3279]: SENT CONTROL [server_xxxxxxxxxx]: 'PUSH_REQUEST' (status=1)
Mon Oct 28 17:00:48 2019 daemon.notice openvpn(hometest)[3279]: PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,block-outside-dns,redirect-gateway def1,route-gateway 10.8.0.1,topology subnet,ping 1800,ping-restart 3600,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM'
Mon Oct 28 17:00:48 2019 daemon.err openvpn(hometest)[3279]: Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:3: block-outside-dns (2.4.5)
Mon Oct 28 17:00:48 2019 daemon.notice openvpn(hometest)[3279]: OPTIONS IMPORT: timers and/or timeouts modified
Mon Oct 28 17:00:48 2019 daemon.notice openvpn(hometest)[3279]: OPTIONS IMPORT: --ifconfig/up options modified
Mon Oct 28 17:00:48 2019 daemon.notice openvpn(hometest)[3279]: OPTIONS IMPORT: route options modified
Mon Oct 28 17:00:48 2019 daemon.notice openvpn(hometest)[3279]: OPTIONS IMPORT: route-related options modified
Mon Oct 28 17:00:48 2019 daemon.notice openvpn(hometest)[3279]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Mon Oct 28 17:00:48 2019 daemon.notice openvpn(hometest)[3279]: OPTIONS IMPORT: peer-id set
Mon Oct 28 17:00:48 2019 daemon.notice openvpn(hometest)[3279]: OPTIONS IMPORT: adjusting link_mtu to 1624
Mon Oct 28 17:00:48 2019 daemon.notice openvpn(hometest)[3279]: OPTIONS IMPORT: data channel crypto options modified
Mon Oct 28 17:00:48 2019 daemon.notice openvpn(hometest)[3279]: Data Channel: using negotiated cipher 'AES-256-GCM'
Mon Oct 28 17:00:48 2019 daemon.notice openvpn(hometest)[3279]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mon Oct 28 17:00:48 2019 daemon.notice openvpn(hometest)[3279]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mon Oct 28 17:00:48 2019 daemon.notice openvpn(hometest)[3279]: TUN/TAP device tun0 opened
Mon Oct 28 17:00:48 2019 daemon.notice openvpn(hometest)[3279]: TUN/TAP TX queue length set to 100
Mon Oct 28 17:00:48 2019 daemon.notice openvpn(hometest)[3279]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Mon Oct 28 17:00:48 2019 daemon.notice openvpn(hometest)[3279]: /sbin/ifconfig tun0 10.8.0.2 netmask 255.255.255.0 mtu 1500 broadcast 10.8.0.255
Mon Oct 28 17:00:48 2019 daemon.notice openvpn(hometest)[3279]: /sbin/route add -net XX.XXX.XXX.XXX_IP_ADRESS netmask 255.255.255.255 gw 192.168.1.254
Mon Oct 28 17:00:48 2019 daemon.notice openvpn(hometest)[3279]: /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.8.0.1
Mon Oct 28 17:00:48 2019 daemon.notice openvpn(hometest)[3279]: /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.8.0.1
Mon Oct 28 17:00:48 2019 daemon.notice openvpn(hometest)[3279]: GID set to nogroup
Mon Oct 28 17:00:48 2019 daemon.notice openvpn(hometest)[3279]: UID set to nobody
Mon Oct 28 17:00:48 2019 daemon.notice openvpn(hometest)[3279]: Initialization Sequence Completed

OpenVPN client .conf stored in "/etc/openvpn/" (all personal information replaced by XXXXX):

client
#dev tun
proto udp
remote XX.XX.XX.XX 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
tls-version-min 1.2
verify-x509-name server_xxxxxxxxxx name
cipher AES-256-CBC
auth SHA256
auth-nocache
verb 3
<ca>
-----BEGIN CERTIFICATE-----
xxxxxxxxxx
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
xxxxxxxxxx
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
xxxxxxxxxx
-----END PRIVATE KEY-----
</key>
<tls-crypt>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
xxxxxxxxxx
-----END OpenVPN Static key V1-----
</tls-crypt>
user nobody
group nogroup
dev tun0

Firewall problem?

Can you post your /etc/config/firewall config file?

Here we go:

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone 'lan'
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone 'wan'
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list device 'tun0'

config forwarding 'lan_wan'
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

Could you also post an image of LuCI > Network > Firewall > Zones

and LuCI > Network > Interfaces

I can see what seems to be one immediate problem at first glance. Your WAN and LAN interfaces are on the same subnet, 192.168.1.x

Change the IP address of the LAN interface of your WRT3200 to eg. 192.168.111.1.

Thank you, could you explain how to do it on OpenWrt? Sorry, I am a beginner :)

  1. You should isolate the LAN and WAN IPs, they should be in different subnetworks! If your ISP provides 192.168.1.X for WAN, set e.g. 192.168.0.X for LAN.
  2. You should add a zone for the VPN, and enable a LAN-to-VPN forwarding rule.

See my guide https://airvpn.org/forums/topic/20303-airvpn-configuration-on-openwrt-preventing-traffic-leakage-outside-tunnel/, it is rather common.
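
The WAN/LAN overlap diagnosed in the replies above can be checked mechanically; this is an added example, not code from the thread or from OpenWrt. The function names are hypothetical, 192.168.1.254 is the WAN gateway shown in the posted log, and the /24 masks and the LAN address 192.168.1.1 are assumptions. It also handles subnets of different prefix lengths, which goes beyond the single case in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): detect a WAN/LAN IPv4 subnet overlap.
# Function bodies are subshells "( ... )" so IFS/variable changes stay local.

# ip_to_int A.B.C.D -> prints the 32-bit integer; exit status 1 if malformed.
ip_to_int() (
    set -f; IFS=.
    set -- $1
    [ $# -eq 4 ] || exit 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*|0?*) exit 1 ;; esac   # digits only, no leading zero
        [ "$o" -le 255 ] || exit 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# cidr_range ADDR/PREFIX -> prints "first last" (network and broadcast as integers).
cidr_range() (
    addr=${1%/*}; prefix=${1#*/}
    case $prefix in ''|*[!0-9]*) exit 1 ;; esac
    [ "$prefix" -le 32 ] || exit 1
    ip=$(ip_to_int "$addr") || exit 1
    mask=0
    [ "$prefix" -eq 0 ] || mask=$(( (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))
    first=$(( ip & mask ))
    echo "$first $(( first | (mask ^ 0xFFFFFFFF) ))"
)

# subnets_overlap CIDR_A CIDR_B -> status 0 if they share an address, 1 if not, 2 on bad input.
subnets_overlap() (
    a=$(cidr_range "$1") || exit 2
    b=$(cidr_range "$2") || exit 2
    [ "${a% *}" -le "${b#* }" ] && [ "${b% *}" -le "${a#* }" ]
)

# check_wan_lan WAN_CIDR LAN_CIDR -> prints a verdict; status 0 ok, 1 conflict, 2 bad input.
check_wan_lan() {
    rc=0
    subnets_overlap "$1" "$2" || rc=$?
    case $rc in
        0) echo "CONFLICT: WAN $1 overlaps LAN $2; renumber the LAN"; return 1 ;;
        1) echo "OK: WAN $1 and LAN $2 are separate subnets" ;;
        *) echo "ERROR: cannot parse '$1' or '$2'"; return 2 ;;
    esac
}

# Constructed inputs: the setup as posted, then the LAN address suggested in the thread.
check_wan_lan 192.168.1.254/24 192.168.1.1/24 || true
check_wan_lan 192.168.1.254/24 192.168.111.1/24
```

On the router, the real values can be read with `ip -4 addr show` and passed in place of the constructed ones.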


LuCI > Network > Interfaces > LAN

Edit IPv4 address

Save & Apply

A warning popup message should appear after 30 seconds. Click 'Apply Unchecked'.

Restart your computer to connect to OpenWrt router's new LAN subnet.

(Your firewall and forwarding settings appear to be correct as you used the CLI instructions from the OpenWrt wiki, which differ slightly from the usual convention where there are often separate zones for WAN and VPN)

There are also LuCI instructions for configuring the OpenVPN client, FYI.
https://openwrt.org/docs/guide-user/services/vpn/openvpn/client-luci
Do not try to use the 'Alternate Guide' at the bottom of the page at this time because it is incompatible with the CLI method for configuring the firewall and zones.

Thank you so much bill888!!! I have followed your instructions and my OpenVPN works!!! :)
Topic solved

Please remember to click on '...' on earlier post containing solution, and mark as solved. Tnx