OpenVPN Client connects but no Internet

Hi!
I followed this guide: https://openwrt.org/docs/guide-user/services/vpn/openvpn/client

As I see in the logs, it seems to connect, but I cannot reach the WAN.

My setup:

Alfa121U with external Wifi-card (UPLINK)
Ideally, I would only like WIFI clients to use the VPN; connections through the LAN port should not (PS4, too much lag).

Here is a paste of the requested info:

Big thanks in advance to anyone willing to help!!

OS: OpenWrt 18.06.1


root@b0x:~# uci show firewall; echo && uci show network; echo && uci show openvpn; echo && logread -e openvpn
firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[0].network='lan'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@zone[1].network='wan wan6 Uplink'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.@zone[2]=zone
firewall.@zone[2].name='vpnclient'
firewall.@zone[2].network='vpnclient'
firewall.@zone[2].input='REJECT'
firewall.@zone[2].output='ACCEPT'
firewall.@zone[2].forward='REJECT'
firewall.@zone[2].masq='1'
firewall.@zone[2].mtu_fix='1'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].src='lan'
firewall.@forwarding[1].dest='vpnclient'

network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fd0c:3a5a:c902::/48'
network.lan=interface
network.lan.type='bridge'
network.lan.ifname='eth0'
network.lan.proto='static'
network.lan.ipaddr='192.168.1.1'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.lan.gateway='192.168.1.1'
network.wan=interface
network.wan.ifname='eth1'
network.wan.proto='dhcp'
network.wan.auto='0'
network.wan6=interface
network.wan6.ifname='eth1'
network.wan6.proto='dhcpv6'
network.wan6.auto='0'
network.Uplink=interface
network.Uplink.proto='static'
network.Uplink.ipaddr='192.168.0.11'
network.Uplink.netmask='255.255.255.0'
network.Uplink.gateway='192.168.0.1'
network.Uplink.broadcast='192.168.0.255'
network.Uplink.ip6assign='64'
network.Uplink.dns='8.8.8.8'
network.vpnclient=interface
network.vpnclient.ifname='tun0'
network.vpnclient.proto='none'

openvpn.custom_config=openvpn
openvpn.custom_config.config='/etc/openvpn/my-vpn.conf'
openvpn.sample_server=openvpn
openvpn.sample_server.port='1194'
openvpn.sample_server.proto='udp'
openvpn.sample_server.dev='tun'
openvpn.sample_server.ca='/etc/openvpn/ca.crt'
openvpn.sample_server.cert='/etc/openvpn/server.crt'
openvpn.sample_server.key='/etc/openvpn/server.key'
openvpn.sample_server.dh='/etc/openvpn/dh1024.pem'
openvpn.sample_server.server='10.8.0.0 255.255.255.0'
openvpn.sample_server.ifconfig_pool_persist='/tmp/ipp.txt'
openvpn.sample_server.keepalive='10 120'
openvpn.sample_server.compress='lzo'
openvpn.sample_server.persist_key='1'
openvpn.sample_server.persist_tun='1'
openvpn.sample_server.user='nobody'
openvpn.sample_server.status='/tmp/openvpn-status.log'
openvpn.sample_server.verb='3'
openvpn.sample_client=openvpn
openvpn.sample_client.client='1'
openvpn.sample_client.dev='tun'
openvpn.sample_client.proto='udp'
openvpn.sample_client.remote='my_server_1 1194'
openvpn.sample_client.resolv_retry='infinite'
openvpn.sample_client.nobind='1'
openvpn.sample_client.persist_key='1'
openvpn.sample_client.persist_tun='1'
openvpn.sample_client.user='nobody'
openvpn.sample_client.ca='/etc/openvpn/ca.crt'
openvpn.sample_client.cert='/etc/openvpn/client.crt'
openvpn.sample_client.key='/etc/openvpn/client.key'
openvpn.sample_client.compress='lzo'
openvpn.sample_client.verb='3'
openvpn.vpnclient=openvpn
openvpn.vpnclient.config='/etc/openvpn/vpnclient.ovpn'
openvpn.vpnclient.enabled='1'

Tue Dec  4 13:29:26 2018 daemon.err uhttpd[1288]: luci: accepted login on /admin/services/openvpn for root from 192.168.1.101
Tue Dec  4 13:29:39 2018 daemon.notice openvpn(vpnclient)[11533]: OpenVPN 2.4.5 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Tue Dec  4 13:29:39 2018 daemon.notice openvpn(vpnclient)[11533]: library versions: OpenSSL 1.0.2p  14 Aug 2018, LZO 2.10
Tue Dec  4 13:29:39 2018 daemon.notice openvpn(vpnclient)[11533]: Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Tue Dec  4 13:29:39 2018 daemon.notice openvpn(vpnclient)[11533]: Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Tue Dec  4 13:29:39 2018 daemon.notice openvpn(vpnclient)[11533]: Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Tue Dec  4 13:29:39 2018 daemon.notice openvpn(vpnclient)[11533]: Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Tue Dec  4 13:29:39 2018 daemon.notice openvpn(vpnclient)[11533]: TCP/UDP: Preserving recently used remote address: [AF_INET]185.xx.xxx.100:1194
Tue Dec  4 13:29:39 2018 daemon.notice openvpn(vpnclient)[11533]: Socket Buffers: R=[163840->163840] S=[163840->163840]
Tue Dec  4 13:29:39 2018 daemon.notice openvpn(vpnclient)[11533]: UDP link local: (not bound)
Tue Dec  4 13:29:39 2018 daemon.notice openvpn(vpnclient)[11533]: UDP link remote: [AF_INET]185.xx.xxx.100:1194
Tue Dec  4 13:29:39 2018 daemon.notice openvpn(vpnclient)[11533]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Tue Dec  4 13:29:40 2018 daemon.notice openvpn(vpnclient)[11533]: TLS: Initial packet from [AF_INET]185.xx.xxx.100:1194, sid=cb29637e ec2a41c8
Tue Dec  4 13:29:40 2018 daemon.notice openvpn(vpnclient)[11533]: VERIFY OK: depth=1, C=xx, ST=xx, L=xx, O=xx.xx, OU=OU, CN=xxxxx.xxx CA, name=EasyRSA, emailAddress=admin@xxx.xxx
Tue Dec  4 13:29:40 2018 daemon.notice openvpn(vpnclient)[11533]: VERIFY KU OK
Tue Dec  4 13:29:40 2018 daemon.notice openvpn(vpnclient)[11533]: Validating certificate extended key usage
Tue Dec  4 13:29:40 2018 daemon.notice openvpn(vpnclient)[11533]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Tue Dec  4 13:29:40 2018 daemon.notice openvpn(vpnclient)[11533]: VERIFY EKU OK
Tue Dec  4 13:29:40 2018 daemon.notice openvpn(vpnclient)[11533]: VERIFY OK: depth=0, C=xx, ST=xx, L=xx, O=xxxx.xxx, OU=OU, CN=server, name=EasyRSA, emailAddress=admin@xxx.xxx
Tue Dec  4 13:29:47 2018 daemon.notice openvpn(vpnclient)[11533]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Tue Dec  4 13:29:47 2018 daemon.notice openvpn(vpnclient)[11533]: [server] Peer Connection Initiated with [AF_INET]185.22.172.100:1194
Tue Dec  4 13:29:48 2018 daemon.notice openvpn(vpnclient)[11533]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Tue Dec  4 13:29:48 2018 daemon.notice openvpn(vpnclient)[11533]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 185.xx.xxx.100,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM'
Tue Dec  4 13:29:48 2018 daemon.notice openvpn(vpnclient)[11533]: OPTIONS IMPORT: timers and/or timeouts modified
Tue Dec  4 13:29:48 2018 daemon.notice openvpn(vpnclient)[11533]: OPTIONS IMPORT: --ifconfig/up options modified
Tue Dec  4 13:29:48 2018 daemon.notice openvpn(vpnclient)[11533]: OPTIONS IMPORT: route options modified
Tue Dec  4 13:29:48 2018 daemon.notice openvpn(vpnclient)[11533]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Tue Dec  4 13:29:48 2018 daemon.notice openvpn(vpnclient)[11533]: OPTIONS IMPORT: peer-id set
Tue Dec  4 13:29:48 2018 daemon.notice openvpn(vpnclient)[11533]: OPTIONS IMPORT: adjusting link_mtu to 1624
Tue Dec  4 13:29:48 2018 daemon.notice openvpn(vpnclient)[11533]: OPTIONS IMPORT: data channel crypto options modified
Tue Dec  4 13:29:48 2018 daemon.notice openvpn(vpnclient)[11533]: Data Channel: using negotiated cipher 'AES-256-GCM'
Tue Dec  4 13:29:48 2018 daemon.notice openvpn(vpnclient)[11533]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Dec  4 13:29:48 2018 daemon.notice openvpn(vpnclient)[11533]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Dec  4 13:29:50 2018 daemon.notice openvpn(vpnclient)[11533]: TUN/TAP device tun0 opened
Tue Dec  4 13:29:50 2018 daemon.notice openvpn(vpnclient)[11533]: TUN/TAP TX queue length set to 100
Tue Dec  4 13:29:50 2018 daemon.notice openvpn(vpnclient)[11533]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Tue Dec  4 13:29:50 2018 daemon.notice openvpn(vpnclient)[11533]: /sbin/ifconfig tun0 10.8.0.6 pointopoint 10.8.0.5 mtu 1500
Tue Dec  4 13:29:52 2018 daemon.notice openvpn(vpnclient)[11533]: /sbin/route add -net 185.22.172.100 netmask 255.255.255.255 gw 192.168.0.1
Tue Dec  4 13:29:52 2018 daemon.notice openvpn(vpnclient)[11533]: /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.8.0.5
Tue Dec  4 13:29:52 2018 daemon.notice openvpn(vpnclient)[11533]: /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.8.0.5
Tue Dec  4 13:29:52 2018 daemon.notice openvpn(vpnclient)[11533]: /sbin/route add -net 10.8.0.1 netmask 255.255.255.255 gw 10.8.0.5
Tue Dec  4 13:29:52 2018 daemon.notice openvpn(vpnclient)[11533]: GID set to nogroup
Tue Dec  4 13:29:52 2018 daemon.notice openvpn(vpnclient)[11533]: UID set to nobody
Tue Dec  4 13:29:52 2018 daemon.warn openvpn(vpnclient)[11533]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Tue Dec  4 13:29:52 2018 daemon.notice openvpn(vpnclient)[11533]: Initialization Sequence Completed

Are there any config options in /etc/openvpn/vpnclient.ovpn?

If yes, then that config may be causing the problem. If you put route-nopull in the config there, then no traffic will be redirected from the VPN. Make sure that option is not there.

Here are the options:
I use the same config to connect from my computer. Keys and certs are cut.

client
dev tun
proto udp
remote 185.xx.xxx.100 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
auth SHA512
dhcp-option DNS 185.xx.xxx.100
verb 3

<ca>

</ca>

<cert>

</cert>

<key>

</key>

<tls-crypt>

</tls-crypt>

Your config seems okay to me. I use vpn-policy-routing with the VPN so that not all the traffic goes through the VPN but only the selected traffic, and for that reason I put route-nopull in the VPN config. Are you using any other packages with the VPN to bypass the traffic? Have you tried restarting the router? Maybe some config changes haven't been committed yet, so restarting would probably make it work.

Edit: You can create another network and map the LAN ports to that network. That way the VPN will not affect the PS4, or use the above package.

Thanks ahmar! I rebooted and did a ping from the router. Judging by the huge delay, it looks like it is going through the server. However, any client connecting to the router has no internet.
I think this is not openvpn related, but rather about forwarding. Thoughts on this continue to be very appreciated...

Have a look at your firewall config again, you need something like this:

config zone
        option name 'vpnclient'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option mtu_fix '1'
        option network 'vpnclient'
        option masq '1'

config forwarding
        option src 'lan'
        option dest 'vpnclient'

Maybe it will help. I think it looks more like a wan config. Although this is what I have been using from day one and I never encountered a problem with the VPN.
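One way to check a pasted uci dump for the zone and forwarding this reply describes, as an added example (it is not code from the thread or from the OpenWrt wiki): it parses `uci show` output, confirms that the vpnclient zone has masq and mtu_fix set and covers an interface bound to a tun device, confirms that a lan to vpnclient forwarding exists, and flags option values that carry invisible characters such as zero-width spaces, which a copy-paste from a web page can introduce and which make a pasted '1' something other than '1' to the firewall. The masq option on the vpnclient zone is what NATs LAN sources onto the tunnel address as they leave via tun0, so it is the first thing to confirm. The zone and interface names are parameters, and the two dumps at the bottom are constructed, modelled on the output quoted in this thread.

```python
"""Sanity-check a pasted `uci show firewall` / `uci show network` dump for the
VPN-client zone pieces discussed in this thread.  Added example, not code from
the thread or the OpenWrt wiki.  Assumptions: the tunnel interface is declared
in /etc/config/network with an ifname starting with "tun", the firewall zone
covering it is called "vpnclient" and the LAN zone is called "lan"."""
import re
import unicodedata

# one `uci show` line: pkg.section=type   or   pkg.section.option='value'
UCI_LINE = re.compile(r"^(?P<pkg>\w+)\.(?P<section>[^.=]+)(?:\.(?P<opt>\w+))?=(?P<val>.*)$")


def parse_uci(dump: str) -> dict:
    """Turn `uci show` output into {package: {section: {option: value}}}.
    The type line (firewall.@zone[2]=zone) is kept under the key ".type";
    list options ('a' 'b' 'c') become Python lists."""
    cfg: dict = {}
    for line in dump.splitlines():
        m = UCI_LINE.match(line.strip())
        if not m:
            continue  # blank lines, shell prompt, stray log lines
        sec = cfg.setdefault(m["pkg"], {}).setdefault(m["section"], {})
        raw = m["val"]
        if m["opt"] is None:
            sec[".type"] = raw
        elif "' '" in raw:
            sec[m["opt"]] = [v.strip("'") for v in raw.split("' '")]
        else:
            sec[m["opt"]] = raw.strip("'")
    return cfg


def hidden_chars(value: str) -> list:
    """Format/control characters (zero-width space, BOM, NBSP, ...) that ride
    along when a config is pasted from a browser.  To fw3 a masq value of
    '<ZWSP>1<ZWSP>' is simply not '1'."""
    return [c for c in value
            if unicodedata.category(c) in ("Cf", "Cc")
            or (unicodedata.category(c) == "Zs" and c != " ")]


def check_vpn_zone(cfg: dict, vpn_zone: str = "vpnclient", lan_zone: str = "lan") -> list:
    """Return human-readable findings; an empty list means zone, masquerading
    and forwarding look the way the reply above describes."""
    findings = []
    fw, net = cfg.get("firewall", {}), cfg.get("network", {})
    zone = next((o for o in fw.values()
                 if o.get(".type") == "zone" and o.get("name") == vpn_zone), None)
    if zone is None:
        return [f"no firewall zone named {vpn_zone!r}"]

    for opt, val in zone.items():
        for v in (val if isinstance(val, list) else [val]):
            bad = hidden_chars(v)
            if bad:
                findings.append(f"zone {vpn_zone}: option {opt} contains hidden characters "
                                f"{[f'U+{ord(c):04X}' for c in bad]}")

    # LAN sources must be NATed to the tunnel address when leaving via tun0
    if zone.get("masq") != "1":
        findings.append(f"zone {vpn_zone}: masq is {zone.get('masq')!r}, expected '1'")
    if zone.get("mtu_fix") != "1":
        findings.append(f"zone {vpn_zone}: mtu_fix is not '1' (MSS clamping is usually needed on a tunnel)")

    ifaces = zone.get("network", "")
    ifaces = ifaces if isinstance(ifaces, list) else ifaces.split()
    if not any(net.get(n, {}).get("ifname", "").startswith("tun") for n in ifaces):
        findings.append(f"zone {vpn_zone}: none of its networks {ifaces} is a tun interface in /etc/config/network")

    fwds = [o for o in fw.values() if o.get(".type") == "forwarding"]
    if not any(f.get("src") == lan_zone and f.get("dest") == vpn_zone for f in fwds):
        findings.append(f"no forwarding {lan_zone} -> {vpn_zone}: clients cannot use the tunnel")
    return findings


# constructed dumps, modelled on the `uci show` output quoted in this thread
GOOD_DUMP = """\
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].network='lan'
firewall.@zone[2]=zone
firewall.@zone[2].name='vpnclient'
firewall.@zone[2].network='vpnclient'
firewall.@zone[2].input='REJECT'
firewall.@zone[2].output='ACCEPT'
firewall.@zone[2].forward='REJECT'
firewall.@zone[2].masq='1'
firewall.@zone[2].mtu_fix='1'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].src='lan'
firewall.@forwarding[1].dest='vpnclient'
network.vpnclient=interface
network.vpnclient.ifname='tun0'
network.vpnclient.proto='none'
"""
# same zone, but masq was pasted with zero-width spaces around the value and
# the lan->vpnclient forwarding lost its destination
BAD_DUMP = (GOOD_DUMP.replace("masq='1'", "masq='\u200b1\u200b'")
            .replace("firewall.@forwarding[1].dest='vpnclient'\n", ""))

if __name__ == "__main__":
    for name, dump in (("good", GOOD_DUMP), ("bad", BAD_DUMP)):
        print(name, check_vpn_zone(parse_uci(dump)) or "OK")
```

Run it against a real dump by feeding the output of `uci show firewall; uci show network` into parse_uci; a finding about hidden characters means the config file itself should be re-typed rather than pasted.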

That's the config from the manual which I entered line by line. Right now, Uplink, LAN port and Wifi-Master are bridged. Would that setup require a different firewall setup maybe?

This config should work out of the box. Most of the time errors happen in the openvpn config itself, but yours seems fine, the VPN is connected, and the other config seems fine to me as well. So I'm not really sure what I'm missing here, because practically it should work.

Can you try a different vpn server? Can someone else provide any help here? @tmomas

Weird, right? Just tried disabling SQM QoS, but to no avail. Again, the router can ping and resolve hostnames; just connected clients cannot. Also tried a different client computer, but no success...

How is this relevant to the OP's situation? Does OP use NordVPN?

I see the relevance: openvpn connects, the router has internet but router clients don't. Unfortunately I am not seeing any ideas there, except downgrading to 17.06.

Try to add this iptables rule:

iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o br-lan -j MASQUERADE

Replace the 10.0.0.0 with your server IP address defined in /etc/config/openvpn.

oops, you are correct. I mistakenly thought I saw nordvpn mentioned earlier in the thread.

Out of the openvpn log:

Tue Dec  4 13:29:52 2018 daemon.notice openvpn(vpnclient)[11533]: /sbin/route add -net 185.22.172.100 netmask 255.255.255.255 gw 192.168.0.1
Tue Dec  4 13:29:52 2018 daemon.notice openvpn(vpnclient)[11533]: /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.8.0.5
Tue Dec  4 13:29:52 2018 daemon.notice openvpn(vpnclient)[11533]: /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.8.0.5
Tue Dec  4 13:29:52 2018 daemon.notice openvpn(vpnclient)[11533]: /sbin/route add -net 10.8.0.1 netmask 255.255.255.255 gw 10.8.0.5

So I use 10.8.0.1, I assume?

use

cat /etc/config/openvpn

It is in the server line.

But 10.8.0.0 might be correct.

10.8.0.0 was the IP I found in the server.conf. However, even after restarts, same situation: the router connects through the VPN, the wifi client does not.

Iptables are not my strong suit.

Would any of this help maybe?

echo 1 > /proc/sys/net/ipv4/ip_forward

#Reset iptables

iptables -F

iptables -X

iptables -A FORWARD -o wlan1 -i br-lan -s 192.168.0.0/24 -m conntrack --ctstate NEW -j ACCEPT


iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

iptables -A POSTROUTING -t nat -j MASQUERADE

echo 1 > /proc/sys/net/ipv4/ip_forward

This enables forwarding in the kernel; use cat /proc/sys/net/ipv4/ip_forward to verify. With forwarding enabled it should display 1.

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o br-lan -j MASQUERADE

Enables the masquerading of the packets that do not find their destination within your LAN.
You need to Postroute and masquerade the packets originating from the 10.8.0.0 source address. In fact it is an equivalent to iptables -A POSTROUTING -t nat -j MASQUERADE but is more strict and safer.

Thanks for explaining.
So I added

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o br-lan -j MASQUERADE

No success though. Are there any more logs that may show why traffic to the wifi client is dropped? As soon as I disable openvpn, it works flawlessly.

What routes does the client get when connected? Can you check openvpn.log in /tmp when connected?
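Two questions in this thread, whether route-nopull is in the client config and what routes the client gets, can both be answered from the logread output already quoted above. The following is an added example, not code from the thread: it parses the OpenVPN log lines, extracts the PUSH_REPLY options, the tun addressing and the installed routes, and reports whether the server's redirect-gateway was honoured (the two /1 halves via the tunnel peer), which host route keeps the encrypted UDP packets on the physical uplink, and which pool the tunnel address falls in. The routes it sees are the router's own routing table, which is why the router itself reaches the internet over the tunnel; LAN clients additionally depend on the lan to vpnclient forwarding and masquerade in the firewall. The embedded log lines are constructed from the lines quoted in the thread; the route-nopull variant is modelled by stripping the route lines, not captured from a real session.

```python
"""Pull the pushed options, the tun addressing and the installed routes out of
OpenWrt `logread -e openvpn` output, to answer "what routes does the client
get?" without reading the log by hand.  Added example, not code from the
thread; SAMPLE_LOG is constructed from the log lines quoted in it."""
import re
from ipaddress import IPv4Interface, IPv4Network

PUSH_RE = re.compile(r"PUSH: Received control message: '(?P<msg>[^']*)'")
ROUTE_RE = re.compile(r"/sbin/route add -net (?P<net>\S+) netmask (?P<mask>\S+) gw (?P<gw>\S+)")
IFCONFIG_RE = re.compile(r"/sbin/ifconfig (?P<dev>\S+) (?P<local>\S+) pointopoint (?P<remote>\S+)")


def parse_openvpn_log(lines):
    """Return {'pushed': {option: [args]}, 'routes': [(IPv4Network, gw)], 'tun': {...}}."""
    info = {"pushed": {}, "routes": [], "tun": None}
    for line in lines:
        m = PUSH_RE.search(line)
        if m:
            # PUSH_REPLY,redirect-gateway def1 bypass-dhcp,route 10.8.0.1,...
            for item in m["msg"].split(",")[1:]:
                key, _, args = item.partition(" ")
                info["pushed"].setdefault(key, []).append(args)
            continue
        m = ROUTE_RE.search(line)
        if m:
            info["routes"].append((IPv4Network(f"{m['net']}/{m['mask']}"), m["gw"]))
            continue
        m = IFCONFIG_RE.search(line)
        if m:
            info["tun"] = {"dev": m["dev"], "local": m["local"], "remote": m["remote"]}
    return info


def routes_via_tunnel(info):
    """Routes whose gateway is the tunnel peer (10.8.0.5 in the thread)."""
    if not info["tun"]:
        return []
    return [net for net, gw in info["routes"] if gw == info["tun"]["remote"]]


def default_route_redirected(info) -> bool:
    """`redirect-gateway def1` does not replace the default route; it adds the
    two more-specific halves 0.0.0.0/1 and 128.0.0.0/1 via the tunnel.
    Both must be present for the router's own traffic to use the VPN."""
    halves = {IPv4Network("0.0.0.0/1"), IPv4Network("128.0.0.0/1")}
    return halves <= set(routes_via_tunnel(info))


def server_escape_route(info):
    """Host route to the VPN server via the physical gateway, so the encrypted
    UDP packets themselves are not sent into the tunnel.  Returns (server, gw)."""
    if not info["tun"]:
        return None
    for net, gw in info["routes"]:
        if net.prefixlen == 32 and gw != info["tun"]["remote"]:
            return str(net.network_address), gw
    return None


def tunnel_pool(info, prefixlen=24):
    """Network containing the client's tun address; with topology net30 the
    client's /30 sits inside the server's pool (a /24 in this thread)."""
    return IPv4Interface(f"{info['tun']['local']}/{prefixlen}").network


# constructed from the logread lines quoted in the thread
SAMPLE_LOG = """\
Tue Dec  4 13:29:48 2018 daemon.notice openvpn(vpnclient)[11533]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 185.xx.xxx.100,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM'
Tue Dec  4 13:29:50 2018 daemon.notice openvpn(vpnclient)[11533]: /sbin/ifconfig tun0 10.8.0.6 pointopoint 10.8.0.5 mtu 1500
Tue Dec  4 13:29:52 2018 daemon.notice openvpn(vpnclient)[11533]: /sbin/route add -net 185.22.172.100 netmask 255.255.255.255 gw 192.168.0.1
Tue Dec  4 13:29:52 2018 daemon.notice openvpn(vpnclient)[11533]: /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.8.0.5
Tue Dec  4 13:29:52 2018 daemon.notice openvpn(vpnclient)[11533]: /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.8.0.5
Tue Dec  4 13:29:52 2018 daemon.notice openvpn(vpnclient)[11533]: /sbin/route add -net 10.8.0.1 netmask 255.255.255.255 gw 10.8.0.5
Tue Dec  4 13:29:52 2018 daemon.notice openvpn(vpnclient)[11533]: Initialization Sequence Completed
""".splitlines()

# modelled route-nopull session: the reply is still received, no route installed
NOPULL_LOG = [l for l in SAMPLE_LOG if "/sbin/route" not in l]

if __name__ == "__main__":
    i = parse_openvpn_log(SAMPLE_LOG)
    print("tun:", i["tun"])
    print("pushed:", i["pushed"])
    print("default route via tunnel:", default_route_redirected(i))
    print("server reached via:", server_escape_route(i))
    print("tunnel pool:", tunnel_pool(i))
```

On the router the input is `logread -e openvpn` (or /tmp/openvpn.log when logging to a file); a session where default_route_redirected() is false while the PUSH_REPLY still carries redirect-gateway points at route-nopull or a pull-filter in the client config.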