OpenVPN client Failed running command (--up/--down)


#1

First openvpn install. From a user level perspective this seems to be a permissions issue but my searches here and DuckDuckGo do not quite match what I see from logread.

config and logread

Thanks.

edit 1: I followed only 'client openvpn' instructions. My goal is connect to a VPN Provider service, not run a VPN server on my router. But now I wonder if 'client only' instructions are adequate..

edit 2: The error msg:

Thu Dec 6 02:14:25 2018 daemon.notice openvpn(vpnclient)[6860]: /sbin/ifconfig tun0 10.8.4.3 netmask 255.255.255.0 mtu 1500 broadcast 10.8.4.255
Thu Dec 6 02:14:25 2018 daemon.notice openvpn(vpnclient)[6860]: /etc/openvpn/update-resolv-conf tun0 1500 1585 10.8.4.3 255.255.255.0 init
Thu Dec 6 02:14:25 2018 daemon.err openvpn(vpnclient)[6860]: WARNING: Failed running command (--up/--down): could not execute external program

occurs since /etc/openvpn/update-resolv-conf does not exist. The .opvn file provided by my VPN Provider invokes it:

script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

This script addresses DNS leaks in Ubuntu and is available here: edit 3: I do not know what causes leaks.

github openvpn-update-resolv

edit 4: Add .ovpn file via pastebin and added OpenVPN to title:
.ovpn file

Has anyone seen this before? Is there a workaround?

Thanks.


#2

From my personal experience, those instructions are adequate for most users. But as you suggested that your VPN provider has some extra config it is possible that you need some extra files. I would suggest you to comment out those lines in the config and restart the OpenVPN and see if it works and as for the up/down command lines I think someone with more knowledge on this can help you better.


#3

ahmar16,

I tried commenting out the up/down lines. Pardon me for not noting that..

The parts seem to be there but over my head to put them in place as needed.

Thanks much.


#4

Seeing that both pkgs, openresolv and openvpn-update-resolv, are scripts and text files only I scp'ed to my router preserving permissions. Now, the log shows error 2:

Mon Dec 10 14:02:35 2018 daemon.notice openvpn(vpnclient)[12089]: TUN/TAP device tun0 opened
Mon Dec 10 14:02:35 2018 daemon.notice openvpn(vpnclient)[12089]: TUN/TAP TX queue length set to 100
Mon Dec 10 14:02:35 2018 daemon.notice openvpn(vpnclient)[12089]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Mon Dec 10 14:02:35 2018 daemon.notice openvpn(vpnclient)[12089]: /sbin/ifconfig tun0 10.8.0.2 netmask 255.255.255.0 mtu 1500 broadcast 10.8.0.255
Mon Dec 10 14:02:35 2018 daemon.notice openvpn(vpnclient)[12089]: /etc/openvpn/update-resolv-conf.sh tun0 1500 1585 10.8.0.2 255.255.255.0 init
Mon Dec 10 14:02:35 2018 daemon.err openvpn(vpnclient)[12089]: WARNING: Failed running command (--up/--down): external program exited with error status: 2
Mon Dec 10 14:02:35 2018 daemon.notice openvpn(vpnclient)[12089]: Exiting due to fatal error

Lamely, I have not found why yet. But this whole situation raises other questions:

  • How does OpenWRT handle other VPN providers push DNS info to resolv.conf?
  • Openresolv (etc) seems to be geared for x86 env, should I expect problems migrating to OpenWRT?

btw, I should say that though this issue seems the fault of ProtonVPN their droid app works well on my phone. Indeed that is their business model, x number of devices allowed per customer. But I see the router as the correct node for the VPN client. As a longtime customer of free ProtonMail I jumped at a deal for both.

Thanks.


#5

Delete these lines from the *.ovpn file. Does it now start?

script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

#6

spindoctor,

Yes, it does start and the log looks good:

root@OpenWRT:~# logread
Wed Dec 12 17:10:02 2018 authpriv.notice dropbear[8143]: Pubkey auth succeeded for 'root' with key sha1!! 12:e4:ec:77:52:52:a9:87:b9:df:7b:ed:51:bc:1e:28:c4:89:09:2b from 192.168.1.174:34360
Wed Dec 12 17:21:02 2018 daemon.notice openvpn(vpnclient)[8531]: OpenVPN 2.4.6 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Wed Dec 12 17:21:02 2018 daemon.notice openvpn(vpnclient)[8531]: library versions: OpenSSL 1.0.2p  14 Aug 2018, LZO 2.10
Wed Dec 12 17:21:02 2018 daemon.notice openvpn(vpnclient)[8531]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Wed Dec 12 17:21:02 2018 daemon.notice openvpn(vpnclient)[8531]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Wed Dec 12 17:21:02 2018 daemon.notice openvpn(vpnclient)[8531]: TCP/UDP: Preserving recently used remote address: [AF_INET]198.52.36.21:443
Wed Dec 12 17:21:02 2018 daemon.notice openvpn(vpnclient)[8531]: Socket Buffers: R=[163840->163840] S=[163840->163840]
Wed Dec 12 17:21:02 2018 daemon.notice openvpn(vpnclient)[8531]: UDP link local: (not bound)
Wed Dec 12 17:21:02 2018 daemon.notice openvpn(vpnclient)[8531]: UDP link remote: [AF_INET]198.52.36.21:443
Wed Dec 12 17:21:02 2018 daemon.notice openvpn(vpnclient)[8531]: TLS: Initial packet from [AF_INET]198.52.36.21:443, sid=37534205 918762ca
Wed Dec 12 17:21:02 2018 daemon.notice openvpn(vpnclient)[8531]: VERIFY OK: depth=2, C=CH, O=ProtonVPN AG, CN=ProtonVPN Root CA
Wed Dec 12 17:21:02 2018 daemon.notice openvpn(vpnclient)[8531]: VERIFY OK: depth=1, C=CH, O=ProtonVPN AG, CN=ProtonVPN Intermediate CA 1
Wed Dec 12 17:21:02 2018 daemon.notice openvpn(vpnclient)[8531]: VERIFY KU OK
Wed Dec 12 17:21:02 2018 daemon.notice openvpn(vpnclient)[8531]: Validating certificate extended key usage
Wed Dec 12 17:21:02 2018 daemon.notice openvpn(vpnclient)[8531]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Dec 12 17:21:02 2018 daemon.notice openvpn(vpnclient)[8531]: VERIFY EKU OK
Wed Dec 12 17:21:02 2018 daemon.notice openvpn(vpnclient)[8531]: VERIFY OK: depth=0, CN=us-co-11.protonvpn.com
Wed Dec 12 17:21:02 2018 daemon.notice openvpn(vpnclient)[8531]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Wed Dec 12 17:21:02 2018 daemon.notice openvpn(vpnclient)[8531]: [us-co-11.protonvpn.com] Peer Connection Initiated with [AF_INET]198.52.36.21:443
Wed Dec 12 17:21:03 2018 daemon.notice openvpn(vpnclient)[8531]: SENT CONTROL [us-co-11.protonvpn.com]: 'PUSH_REQUEST' (status=1)
Wed Dec 12 17:21:09 2018 daemon.notice openvpn(vpnclient)[8531]: SENT CONTROL [us-co-11.protonvpn.com]: 'PUSH_REQUEST' (status=1)
Wed Dec 12 17:21:09 2018 daemon.notice openvpn(vpnclient)[8531]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.8.8.1,sndbuf 524288,rcvbuf 524288,explicit-exit-notify,comp-lzo no,route-gateway 10.8.1.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.8.1.2 255.255.255.0,peer-id 0,cipher AES-256-GCM'
Wed Dec 12 17:21:09 2018 daemon.notice openvpn(vpnclient)[8531]: OPTIONS IMPORT: timers and/or timeouts modified
Wed Dec 12 17:21:09 2018 daemon.notice openvpn(vpnclient)[8531]: OPTIONS IMPORT: explicit notify parm(s) modified
Wed Dec 12 17:21:09 2018 daemon.notice openvpn(vpnclient)[8531]: OPTIONS IMPORT: compression parms modified
Wed Dec 12 17:21:09 2018 daemon.notice openvpn(vpnclient)[8531]: OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
Wed Dec 12 17:21:09 2018 daemon.notice openvpn(vpnclient)[8531]: Socket Buffers: R=[163840->327680] S=[163840->327680]
Wed Dec 12 17:21:09 2018 daemon.notice openvpn(vpnclient)[8531]: OPTIONS IMPORT: --ifconfig/up options modified
Wed Dec 12 17:21:09 2018 daemon.notice openvpn(vpnclient)[8531]: OPTIONS IMPORT: route options modified
Wed Dec 12 17:21:09 2018 daemon.notice openvpn(vpnclient)[8531]: OPTIONS IMPORT: route-related options modified
Wed Dec 12 17:21:09 2018 daemon.notice openvpn(vpnclient)[8531]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Wed Dec 12 17:21:09 2018 daemon.notice openvpn(vpnclient)[8531]: OPTIONS IMPORT: peer-id set
Wed Dec 12 17:21:09 2018 daemon.notice openvpn(vpnclient)[8531]: OPTIONS IMPORT: adjusting link_mtu to 1657
Wed Dec 12 17:21:09 2018 daemon.notice openvpn(vpnclient)[8531]: OPTIONS IMPORT: data channel crypto options modified
Wed Dec 12 17:21:09 2018 daemon.notice openvpn(vpnclient)[8531]: Data Channel: using negotiated cipher 'AES-256-GCM'
Wed Dec 12 17:21:09 2018 daemon.notice openvpn(vpnclient)[8531]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Dec 12 17:21:09 2018 daemon.notice openvpn(vpnclient)[8531]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Dec 12 17:21:09 2018 daemon.notice openvpn(vpnclient)[8531]: TUN/TAP device tun0 opened
Wed Dec 12 17:21:09 2018 daemon.notice openvpn(vpnclient)[8531]: TUN/TAP TX queue length set to 100
Wed Dec 12 17:21:09 2018 daemon.notice openvpn(vpnclient)[8531]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Wed Dec 12 17:21:09 2018 daemon.notice openvpn(vpnclient)[8531]: /sbin/ifconfig tun0 10.8.1.2 netmask 255.255.255.0 mtu 1500 broadcast 10.8.1.255
Wed Dec 12 17:21:09 2018 daemon.notice netifd: Interface 'vpnclient' is enabled
Wed Dec 12 17:21:09 2018 daemon.notice netifd: Network device 'tun0' link is up
Wed Dec 12 17:21:09 2018 daemon.notice netifd: Interface 'vpnclient' has link connectivity
Wed Dec 12 17:21:09 2018 daemon.notice netifd: Interface 'vpnclient' is setting up now
Wed Dec 12 17:21:09 2018 daemon.notice netifd: Interface 'vpnclient' is now up
Wed Dec 12 17:21:09 2018 daemon.notice openvpn(vpnclient)[8531]: /sbin/route add -net 198.52.36.21 netmask 255.255.255.255 gw 24.51.149.1
Wed Dec 12 17:21:09 2018 daemon.notice openvpn(vpnclient)[8531]: /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.8.1.1
Wed Dec 12 17:21:09 2018 daemon.notice openvpn(vpnclient)[8531]: /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.8.1.1
Wed Dec 12 17:21:09 2018 daemon.notice openvpn(vpnclient)[8531]: Initialization Sequence Completed
Wed Dec 12 17:21:09 2018 user.notice firewall: Reloading firewall due to ifup of vpnclient (tun0)
Wed Dec 12 17:21:11 2018 user.info : dnscrypt-proxy - [fvz-anyone] does not support DNS Security Extensions
Wed Dec 12 17:21:11 2018 user.info : dnscrypt-proxy + Provider supposedly doesn't keep logs
Wed Dec 12 17:21:11 2018 daemon.notice dnscrypt-proxy[8868]: dnscrypt-proxy Starting dnscrypt-proxy 1.9.5
Wed Dec 12 17:21:11 2018 daemon.info dnscrypt-proxy[8868]: dnscrypt-proxy Generating a new session key pair
Wed Dec 12 17:21:11 2018 daemon.info dnscrypt-proxy[8868]: dnscrypt-proxy Done

But, name resolution stops.. I can not browse web sites.

Thanks.


#7

I notice you're using dnscrypt-proxy. You may want to check your settings.
You could use proton vpn's DNS resolver 10.8.8.1.


#8

spindoctor,

I wondered about dnscrypt-proxy too. I have disabled it for the time being.

I have added proton's resolver to OpenWRT's dhcp,

root@OpenWRT:~# uci show dhcp
dhcp.@dnsmasq[0]=dnsmasq
dhcp.@dnsmasq[0].domainneeded='1'
dhcp.@dnsmasq[0].localise_queries='1'
dhcp.@dnsmasq[0].rebind_protection='1'
dhcp.@dnsmasq[0].rebind_localhost='1'
dhcp.@dnsmasq[0].local='/lan/'
dhcp.@dnsmasq[0].domain='lan'
dhcp.@dnsmasq[0].expandhosts='1'
dhcp.@dnsmasq[0].authoritative='1'
dhcp.@dnsmasq[0].readethers='1'
dhcp.@dnsmasq[0].leasefile='/tmp/dhcp.leases'
dhcp.@dnsmasq[0].nonwildcard='1'
dhcp.@dnsmasq[0].localservice='1'
dhcp.@dnsmasq[0].server='10.8.8.1'
dhcp.@dnsmasq[0].serversfile='/tmp/adb_list.overall'
dhcp.lan=dhcp
dhcp.lan.interface='lan'
dhcp.lan.start='100'
dhcp.lan.limit='150'
dhcp.lan.leasetime='12h'
dhcp.lan.dhcpv6='server'
dhcp.lan.ra='server'
dhcp.wan=dhcp
dhcp.wan.interface='wan'
dhcp.wan.ignore='1'
dhcp.odhcpd=odhcpd
dhcp.odhcpd.maindhcp='0'
dhcp.odhcpd.leasefile='/tmp/hosts/odhcpd'
dhcp.odhcpd.leasetrigger='/usr/sbin/odhcpd-update'
dhcp.odhcpd.loglevel='4'

but the ISP's name servers are defined also. I am guessing that the ISP's name servers are not valid (public?) after openvpn.client is up. And that's the trick isn't it; redefine DNS after openvpn.client is up?

Here's a snippet from latest logread sans dnscrypt:

Thu Dec 13 05:12:57 2018 daemon.notice openvpn(vpnclient)[6254]: SENT CONTROL [us-co-12.protonvpn.com]: 'PUSH_REQUEST' (status=1)
Thu Dec 13 05:12:57 2018 daemon.notice openvpn(vpnclient)[6254]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.8.8.1,sndbuf 524288,rcvbuf 524288,explicit-exit-notify,comp-lzo no,route-gateway 10.8.3.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.8.3.5 255.255.255.0,peer-id 3,cipher AES-256-GCM'
Thu Dec 13 05:12:57 2018 daemon.notice openvpn(vpnclient)[6254]: OPTIONS IMPORT: timers and/or timeouts modified
Thu Dec 13 05:12:57 2018 daemon.notice openvpn(vpnclient)[6254]: OPTIONS IMPORT: explicit notify parm(s) modified
Thu Dec 13 05:12:57 2018 daemon.notice openvpn(vpnclient)[6254]: OPTIONS IMPORT: compression parms modified
Thu Dec 13 05:12:57 2018 daemon.notice openvpn(vpnclient)[6254]: OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
Thu Dec 13 05:12:57 2018 daemon.notice openvpn(vpnclient)[6254]: Socket Buffers: R=[163840->327680] S=[163840->327680]
Thu Dec 13 05:12:57 2018 daemon.notice openvpn(vpnclient)[6254]: OPTIONS IMPORT: --ifconfig/up options modified
Thu Dec 13 05:12:57 2018 daemon.notice openvpn(vpnclient)[6254]: OPTIONS IMPORT: route options modified
Thu Dec 13 05:12:57 2018 daemon.notice openvpn(vpnclient)[6254]: OPTIONS IMPORT: route-related options modified
Thu Dec 13 05:12:57 2018 daemon.notice openvpn(vpnclient)[6254]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Thu Dec 13 05:12:57 2018 daemon.notice openvpn(vpnclient)[6254]: OPTIONS IMPORT: peer-id set
Thu Dec 13 05:12:57 2018 daemon.notice openvpn(vpnclient)[6254]: OPTIONS IMPORT: adjusting link_mtu to 1657
Thu Dec 13 05:12:57 2018 daemon.notice openvpn(vpnclient)[6254]: OPTIONS IMPORT: data channel crypto options modified
Thu Dec 13 05:12:57 2018 daemon.notice openvpn(vpnclient)[6254]: Data Channel: using negotiated cipher 'AES-256-GCM'
Thu Dec 13 05:12:57 2018 daemon.notice openvpn(vpnclient)[6254]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Dec 13 05:12:57 2018 daemon.notice openvpn(vpnclient)[6254]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Dec 13 05:12:57 2018 daemon.notice openvpn(vpnclient)[6254]: TUN/TAP device tun0 opened
Thu Dec 13 05:12:57 2018 daemon.notice openvpn(vpnclient)[6254]: TUN/TAP TX queue length set to 100
Thu Dec 13 05:12:57 2018 daemon.notice openvpn(vpnclient)[6254]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Thu Dec 13 05:12:57 2018 daemon.notice openvpn(vpnclient)[6254]: /sbin/ifconfig tun0 10.8.3.5 netmask 255.255.255.0 mtu 1500 broadcast 10.8.3.255
Thu Dec 13 05:12:57 2018 daemon.notice netifd: Interface 'vpnclient' is enabled
Thu Dec 13 05:12:57 2018 daemon.notice netifd: Network device 'tun0' link is up
Thu Dec 13 05:12:57 2018 daemon.notice netifd: Interface 'vpnclient' has link connectivity
Thu Dec 13 05:12:57 2018 daemon.notice netifd: Interface 'vpnclient' is setting up now
Thu Dec 13 05:12:57 2018 daemon.notice netifd: Interface 'vpnclient' is now up
Thu Dec 13 05:12:57 2018 daemon.notice openvpn(vpnclient)[6254]: /sbin/route add -net 198.52.36.22 netmask 255.255.255.255 gw 24.51.149.1
Thu Dec 13 05:12:57 2018 daemon.notice openvpn(vpnclient)[6254]: /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.8.3.1
Thu Dec 13 05:12:57 2018 daemon.notice openvpn(vpnclient)[6254]: /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.8.3.1
Thu Dec 13 05:12:57 2018 daemon.notice openvpn(vpnclient)[6254]: Initialization Sequence Completed
Thu Dec 13 05:12:57 2018 daemon.info dnsmasq[6048]: read /etc/hosts - 4 addresses
Thu Dec 13 05:12:57 2018 daemon.info dnsmasq[6048]: read /tmp/hosts/dhcp.cfg01411c - 2 addresses
Thu Dec 13 05:12:57 2018 daemon.info dnsmasq-dhcp[6048]: read /etc/ethers - 0 addresses
Thu Dec 13 05:12:57 2018 daemon.info dnsmasq[6048]: using local addresses only for domain adsrv.iol.co.za
Thu Dec 13 05:12:57 2018 daemon.info dnsmasq[6048]: using local addresses only for domain banner.img.co.za
Thu Dec 13 05:12:57 2018 daemon.info dnsmasq[6048]: using local addresses only for domain ads.img.co.za
Thu Dec 13 05:12:57 2018 daemon.info dnsmasq[6048]: using local addresses only for domain wpnrtnmrewunrtok.xyz
Thu Dec 13 05:12:57 2018 daemon.info dnsmasq[6048]: using local addresses only for domain htmlhubing.xyz
Thu Dec 13 05:12:57 2018 daemon.info dnsmasq[6048]: using local addresses only for domain downloadr.xyz
Thu Dec 13 05:12:57 2018 daemon.info dnsmasq[6048]: using local addresses only for domain btez8.xyz
Thu Dec 13 05:12:57 2018 daemon.info dnsmasq[6048]: using local addresses only for domain ya-googl.ws
Thu Dec 13 05:12:57 2018 daemon.info dnsmasq[6048]: using nameserver 10.8.8.1#53
Thu Dec 13 05:12:57 2018 daemon.info dnsmasq[6048]: using nameserver 74.81.99.1#53
Thu Dec 13 05:12:57 2018 daemon.info dnsmasq[6048]: using nameserver 74.81.99.2#53
Thu Dec 13 05:12:57 2018 daemon.info dnsmasq[6048]: using 3837 more local addresses
Thu Dec 13 05:12:58 2018 user.info adblock-3.5.5-4[5505]: blocklist with overall 3838 domains loaded successfully (Linksys WRT1900ACv2, Lede SNAPSHOT r8614-78ca6a5578)
Thu Dec 13 05:14:04 2018 user.notice firewall: Reloading firewall due to ifup of vpnclient (tun0)
Thu Dec 13 05:14:04 2018 daemon.err smbd[6747]: [2018/12/13 05:14:04.883233,  0] ../lib/util/become_daemon.c:138(daemon_ready)
Thu Dec 13 05:14:04 2018 daemon.err smbd[6747]:   daemon_ready: STATUS=daemon 'smbd' finished starting up and ready to serve connections
Thu Dec 13 05:14:06 2018 daemon.err uhttpd[4962]: luci: accepted login on /admin for root from 192.168.1.174
Thu Dec 13 05:14:21 2018 daemon.info dnsmasq-dhcp[6048]: DHCPREQUEST(br-lan) 192.168.1.174 4c:ed:fb:94:3a:b8
Thu Dec 13 05:14:21 2018 daemon.info dnsmasq-dhcp[6048]: DHCPACK(br-lan) 192.168.1.174 4c:ed:fb:94:3a:b8 Raven_A
Thu Dec 13 05:14:23 2018 daemon.warn odhcpd[2474]: DHCPV6 CONFIRM IA_NA from 000489e91e687f7e5ad5f0e34cedfb943ab8 on br-lan: not on-link
Thu Dec 13 05:14:23 2018 daemon.info dnsmasq[6048]: read /etc/hosts - 4 addresses
Thu Dec 13 05:14:23 2018 daemon.info dnsmasq[6048]: read /tmp/hosts/odhcpd - 0 addresses
Thu Dec 13 05:14:23 2018 daemon.info dnsmasq[6048]: read /tmp/hosts/dhcp.cfg01411c - 2 addresses
Thu Dec 13 05:14:23 2018 daemon.info dnsmasq-dhcp[6048]: read /etc/ethers - 0 addresses
Thu Dec 13 05:14:23 2018 daemon.info dnsmasq[6048]: using local addresses only for domain adsrv.iol.co.za
Thu Dec 13 05:14:23 2018 daemon.info dnsmasq[6048]: using local addresses only for domain banner.img.co.za
Thu Dec 13 05:14:23 2018 daemon.info dnsmasq[6048]: using local addresses only for domain ads.img.co.za
Thu Dec 13 05:14:23 2018 daemon.info dnsmasq[6048]: using local addresses only for domain wpnrtnmrewunrtok.xyz
Thu Dec 13 05:14:23 2018 daemon.info dnsmasq[6048]: using local addresses only for domain htmlhubing.xyz
Thu Dec 13 05:14:23 2018 daemon.info dnsmasq[6048]: using local addresses only for domain downloadr.xyz
Thu Dec 13 05:14:23 2018 daemon.info dnsmasq[6048]: using local addresses only for domain btez8.xyz
Thu Dec 13 05:14:23 2018 daemon.info dnsmasq[6048]: using local addresses only for domain ya-googl.ws
Thu Dec 13 05:14:23 2018 daemon.info dnsmasq[6048]: using nameserver 10.8.8.1#53
Thu Dec 13 05:14:23 2018 daemon.info dnsmasq[6048]: using nameserver 74.81.99.1#53
Thu Dec 13 05:14:23 2018 daemon.info dnsmasq[6048]: using nameserver 74.81.99.2#53
Thu Dec 13 05:14:23 2018 daemon.info dnsmasq[6048]: using 3837 more local addresses
Thu Dec 13 05:14:24 2018 daemon.warn odhcpd[2474]: DHCPV6 SOLICIT IA_NA from 000489e91e687f7e5ad5f0e34cedfb943ab8 on br-lan: ok fdfc:fc8e:66da::dec/128
Thu Dec 13 05:14:24 2018 daemon.warn odhcpd[2474]: DHCPV6 REQUEST IA_NA from 000489e91e687f7e5ad5f0e34cedfb943ab8 on br-lan: ok fdfc:fc8e:66da::dec/128
Thu Dec 13 05:14:24 2018 daemon.info dnsmasq[6048]: read /etc/hosts - 4 addresses
Thu Dec 13 05:14:24 2018 daemon.info dnsmasq[6048]: read /tmp/hosts/odhcpd - 1 addresses
Thu Dec 13 05:14:24 2018 daemon.info dnsmasq[6048]: read /tmp/hosts/dhcp.cfg01411c - 2 addresses
Thu Dec 13 05:14:24 2018 daemon.info dnsmasq-dhcp[6048]: read /etc/ethers - 0 addresses
Thu Dec 13 05:14:24 2018 daemon.info dnsmasq[6048]: using local addresses only for domain adsrv.iol.co.za
Thu Dec 13 05:14:24 2018 daemon.info dnsmasq[6048]: using local addresses only for domain banner.img.co.za
Thu Dec 13 05:14:24 2018 daemon.info dnsmasq[6048]: using local addresses only for domain ads.img.co.za
Thu Dec 13 05:14:24 2018 daemon.info dnsmasq[6048]: using local addresses only for domain wpnrtnmrewunrtok.xyz
Thu Dec 13 05:14:24 2018 daemon.info dnsmasq[6048]: using local addresses only for domain htmlhubing.xyz
Thu Dec 13 05:14:24 2018 daemon.info dnsmasq[6048]: using local addresses only for domain downloadr.xyz
Thu Dec 13 05:14:24 2018 daemon.info dnsmasq[6048]: using local addresses only for domain btez8.xyz
Thu Dec 13 05:14:24 2018 daemon.info dnsmasq[6048]: using local addresses only for domain ya-googl.ws
Thu Dec 13 05:14:24 2018 daemon.info dnsmasq[6048]: using nameserver 10.8.8.1#53
Thu Dec 13 05:14:24 2018 daemon.info dnsmasq[6048]: using nameserver 74.81.99.1#53
Thu Dec 13 05:14:24 2018 daemon.info dnsmasq[6048]: using nameserver 74.81.99.2#53
Thu Dec 13 05:14:24 2018 daemon.info dnsmasq[6048]: using 3837 more local addresses

Thanks again.


#9

Add to /etc/config/dhcp

config dnsmasq
option noresolv '1'

Reboot router.

Check DNS leak.
Choose extended test.
https://www.dnsleaktest.com/

Did that work?


#10

spindoctor,

Done. And that's with openvpn enabled. The web browser failed to resolve the dns leak test site. As usual ping failed too (ex. ping openwrt.org). Recently, I discovered that ping succeeds from the router, console or Luci (Network > Diagnostics), openvpn enabled or not. To be clear, the desktop PC's resolv.conf defines the router as its nameserver.

And check this out:

root@OpenWRT:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         10.8.1.1        128.0.0.0       UG    0      0        0 tun0
default         24.51.149.1     0.0.0.0         UG    0      0        0 eth1.2
10.8.1.0        *               255.255.255.0   U     0      0        0 tun0
24.51.149.0     *               255.255.255.0   U     0      0        0 eth1.2
128.0.0.0       10.8.1.1        128.0.0.0       UG    0      0        0 tun0
192.168.1.0     *               255.255.255.0   U     0      0        0 br-lan
209.58.129.97   24.51.149.1     255.255.255.255 UGH   0      0        0 eth1.2
root@OpenWRT:~#
root@OpenWRT:~#
root@OpenWRT:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         24.51.149.1     0.0.0.0         UG    0      0        0 eth1.2
24.51.149.0     *               255.255.255.0   U     0      0        0 eth1.2
192.168.1.0     *               255.255.255.0   U     0      0        0 br-lan

tun0 means openvpn enabled.

From another angle, if you think it would help, I could install a minimal image to the router and configure by hand.

Thanks.


#11

What I would do is 'perform reset' reset to defaults.
Install only packages luci-app-openvpn openvpn-openssl
No adblock or dns-crypt etc.
Setup tun0 interface and upload ovpn file.
Once protonvpn is operational do below steps.

Add 10.8.8.1 resolver to 'Network->'DHCP and DNS->'General Settings tab'->'DNS Forwardings'->10.8.8.1
Under 'Resolv and Hosts file' tab ->Check 'Ignore resolve file'.
Save and Apply.
Reboot.
See how you go.


#12

spindoctor,

I performed a sys-upgrade to alternate partition on router using OpenWrt 18.06.1, r7258-5eb055306f. Then followed openvpn-client doc. Then followed your instructions.

Below are before/after sys logs with regard to 'DNS Forwardings 10.8.8.1 and Ignore resolv file'. Problems with resolving still occur with ping, etc.

sys-log_Before

sys-log_After

Thanks.


#13

Were you able to visit a website while connected to protonvpn before adding (10.8.8.1) protonvpn resolver and disabling resolv file?


#14

I've tried to setup my router like you have. That is, direct connect to the internet.

I had the same problem as you, connection made but no web browsing. Able to get online and visit protonvpn.com using protonvpn resolver.

Try this.
Replace your current *.ovpn contents with this one here.

Add protonvpn resolver 10.8.8.1 to 'Network->'DHCP and DNS->'General Settings tab'->'DNS Forwardings'->10.8.8.1

Do not select 'Ignore resolve file' checkbox under 'Resolv and Hosts Files' tab. ie. empty checkbox.

Save and Apply
Reboot.

Visit https://protonvpn.com

Able to view site?


#15

spindoctor,

Negative. Still cannot browse websites including protonvpn.com. Syslog is here.

I was gonna mention free protonvpn earlier but it seemed.. unseemly. :slight_smile: Thanks for that effort.


#16

Are these settings in your firewall.

firewall.@zone[2]=zone
firewall.@zone[2].name='vpnclient'
firewall.@zone[2].network='vpnclient'
firewall.@zone[2].input='REJECT'
firewall.@zone[2].output='ACCEPT'
firewall.@zone[2].forward='REJECT'
firewall.@zone[2].masq='​1​'
firewall.@zone[2].mtu_fix='1'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].src='lan'
firewall.@forwarding[1].dest='vpnclient'

If it is we'll need to try coming from another angle.


#17

spindoctor,

Yes.

firewall.@zone[2]=zone
firewall.@zone[2].name='vpnclient'
firewall.@zone[2].network='vpnclient'
firewall.@zone[2].input='REJECT'
firewall.@zone[2].output='ACCEPT'
firewall.@zone[2].forward='REJECT'
firewall.@zone[2].masq='1'
firewall.@zone[2].mtu_fix='1'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].src='lan'
firewall.@forwarding[1].dest='vpnclient'

Still setup for free protonvpn too.


#18

The difference is that your router is not using my isp.
This could be the problem. My previous provider would allow a connection but I was not able to browse the web when the vpn was enabled. Instrestingly I could torrent. To get it to actually work involved turning off the modem for a period of time until I received a new IP address. Magically it all worked. That's until the isp renewed my IP address and it stopped working again. The solution in the end was a new isp.

In your situation I'd install ddwrt on the router if possible. Setup OpenVPN. If you get a working connection that allows browsing then we know that it is some setting on openwrt and not the isp.


#19

spindoctor,

Still considering..

  • There is but one ISP in my area considering bandwidth offerings.
  • Experiment with per device openvpn. The ProtonVPN app works on droid (whatsmyip and DNSleak look ok), it should work on Desktop machines.
  • The DD WRT option.

I will update here.

Again, many thanks for your guidance.


#20

Using this guide I installed and tested protonvpn on a linux x86 box on my lan. By tested I mean ping (ping yahoo.com) and whatsmyip show DNS is working and the IP is not from my isp. Also, /etc/resolv.conf showed 10.8.8.1 only. I suppose a direct to cable modem test would be better but I think this demonstrates that the ISP is not an issue.

DD-WRT does have a how-to for protonvpn but it is for a dual router setup.

Thanks.