OpenVPN Client gets connection but internet doesn't work

aberkoke · April 8, 2019, 4:06pm

Hi there,

I have followed this guide to connect to my router as a client to a VPN (using Windscribe): https://openwrt.org/docs/guide-user/services/vpn/openvpn/client

It seems it connects but I have no internet. I have tried many guides to make it work with no luck. This topic is very similar but the potential solutions didn't work for me: OpenVPN Client connects but no Internet

My setup:
Archer C7 v2, openwrt 18.06.2 r7676-cddd7b4c77
I have restarted the router several times, starting from scratch without success. I don't know what else I can try.

Any help is highly appreciated.
Regards

root@OpenWrt:~# uci show firewall; echo && uci show network; echo && uci show openvpn; echo && logread -e openvpn
firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].network='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].network='wan' 'wan6'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@zone[1].device='tun0'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'

network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fdb8:88a6:168b::/48'
network.lan=interface
network.lan.type='bridge'
network.lan.ifname='eth1.1'
network.lan.proto='static'
network.lan.ipaddr='192.168.1.1'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.wan=interface
network.wan.ifname='eth0.2'
network.wan.proto='dhcp'
network.wan6=interface
network.wan6.ifname='eth0.2'
network.wan6.proto='dhcpv6'
network.@switch[0]=switch
network.@switch[0].name='switch0'
network.@switch[0].reset='1'
network.@switch[0].enable_vlan='1'
network.@switch_vlan[0]=switch_vlan
network.@switch_vlan[0].device='switch0'
network.@switch_vlan[0].vlan='1'
network.@switch_vlan[0].ports='2 3 4 5 0t'
network.@switch_vlan[1]=switch_vlan
network.@switch_vlan[1].device='switch0'
network.@switch_vlan[1].vlan='2'
network.@switch_vlan[1].ports='1 6t'

openvpn.custom_config=openvpn
openvpn.custom_config.enabled='0'
openvpn.custom_config.config='/etc/openvpn/my-vpn.conf'
openvpn.sample_server=openvpn
openvpn.sample_server.enabled='0'
openvpn.sample_server.port='1194'
openvpn.sample_server.proto='udp'
openvpn.sample_server.dev='tun'
openvpn.sample_server.ca='/etc/openvpn/ca.crt'
openvpn.sample_server.cert='/etc/openvpn/server.crt'
openvpn.sample_server.key='/etc/openvpn/server.key'
openvpn.sample_server.dh='/etc/openvpn/dh1024.pem'
openvpn.sample_server.server='10.8.0.0 255.255.255.0'
openvpn.sample_server.ifconfig_pool_persist='/tmp/ipp.txt'
openvpn.sample_server.keepalive='10 120'
openvpn.sample_server.compress='lzo'
openvpn.sample_server.persist_key='1'
openvpn.sample_server.persist_tun='1'
openvpn.sample_server.user='nobody'
openvpn.sample_server.status='/tmp/openvpn-status.log'
openvpn.sample_server.verb='3'
openvpn.sample_client=openvpn
openvpn.sample_client.enabled='0'
openvpn.sample_client.client='1'
openvpn.sample_client.dev='tun'
openvpn.sample_client.proto='udp'
openvpn.sample_client.remote='my_server_1 1194'
openvpn.sample_client.resolv_retry='infinite'
openvpn.sample_client.nobind='1'
openvpn.sample_client.persist_key='1'
openvpn.sample_client.persist_tun='1'
openvpn.sample_client.user='nobody'
openvpn.sample_client.ca='/etc/openvpn/ca.crt'
openvpn.sample_client.cert='/etc/openvpn/client.crt'
openvpn.sample_client.key='/etc/openvpn/client.key'
openvpn.sample_client.compress='lzo'
openvpn.sample_client.verb='3'

Mon Apr  8 15:24:45 2019 daemon.notice openvpn(vpnclient)[1178]: OpenVPN 2.4.5 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Mon Apr  8 15:24:45 2019 daemon.notice openvpn(vpnclient)[1178]: library versions: OpenSSL 1.0.2q  20 Nov 2018, LZO 2.10
Mon Apr  8 15:24:47 2019 daemon.notice openvpn(vpnclient)[1178]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Mon Apr  8 15:24:47 2019 daemon.notice openvpn(vpnclient)[1178]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Mon Apr  8 15:24:47 2019 daemon.notice openvpn(vpnclient)[1178]: TCP/UDP: Preserving recently used remote address: [AF_INET]89.238.178.43:1194
Mon Apr  8 15:24:47 2019 daemon.notice openvpn(vpnclient)[1178]: UDP link local: (not bound)
Mon Apr  8 15:24:47 2019 daemon.notice openvpn(vpnclient)[1178]: UDP link remote: [AF_INET]89.238.178.43:1194
Mon Apr  8 15:24:47 2019 daemon.notice openvpn(vpnclient)[1178]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Mon Apr  8 15:24:47 2019 daemon.warn openvpn(vpnclient)[1178]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Mon Apr  8 15:24:48 2019 daemon.notice openvpn(vpnclient)[1178]: VERIFY OK: depth=1, C=CA, ST=ON, L=Toronto, O=Windscribe Limited, OU=Operations, CN=Windscribe Node CA
Mon Apr  8 15:24:48 2019 daemon.notice openvpn(vpnclient)[1178]: VERIFY KU OK
Mon Apr  8 15:24:48 2019 daemon.notice openvpn(vpnclient)[1178]: Validating certificate extended key usage
Mon Apr  8 15:24:48 2019 daemon.notice openvpn(vpnclient)[1178]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Mon Apr  8 15:24:48 2019 daemon.notice openvpn(vpnclient)[1178]: VERIFY EKU OK
Mon Apr  8 15:24:48 2019 daemon.notice openvpn(vpnclient)[1178]: VERIFY OK: depth=0, C=CA, ST=ON, O=Windscribe Limited, OU=Operations, CN=Windscribe Node Server 4096
Mon Apr  8 15:24:48 2019 daemon.warn openvpn(vpnclient)[1178]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1602', remote='link-mtu 1550'
Mon Apr  8 15:24:48 2019 daemon.warn openvpn(vpnclient)[1178]: WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher AES-256-GCM'
Mon Apr  8 15:24:48 2019 daemon.warn openvpn(vpnclient)[1178]: WARNING: 'auth' is used inconsistently, local='auth SHA512', remote='auth [null-digest]'
Mon Apr  8 15:24:48 2019 daemon.notice openvpn(vpnclient)[1178]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Mon Apr  8 15:24:48 2019 daemon.notice openvpn(vpnclient)[1178]: [Windscribe Node Server 4096] Peer Connection Initiated with [AF_INET]89.238.178.43:1194
Mon Apr  8 16:03:18 2019 daemon.notice openvpn(vpnclient)[1178]: [Windscribe Node Server 4096] Inactivity timeout (--ping-restart), restarting
Mon Apr  8 16:03:18 2019 daemon.notice openvpn(vpnclient)[1178]: SIGUSR1[soft,ping-restart] received, process restarting
Mon Apr  8 16:03:23 2019 daemon.notice openvpn(vpnclient)[1178]: TCP/UDP: Preserving recently used remote address: [AF_INET]185.253.99.131:1194
Mon Apr  8 16:03:23 2019 daemon.notice openvpn(vpnclient)[1178]: UDP link local: (not bound)
Mon Apr  8 16:03:23 2019 daemon.notice openvpn(vpnclient)[1178]: UDP link remote: [AF_INET]185.253.99.131:1194
Mon Apr  8 16:03:23 2019 daemon.notice openvpn(vpnclient)[1178]: VERIFY OK: depth=1, C=CA, ST=ON, L=Toronto, O=Windscribe Limited, OU=Operations, CN=Windscribe Node CA
Mon Apr  8 16:03:23 2019 daemon.notice openvpn(vpnclient)[1178]: VERIFY KU OK
Mon Apr  8 16:03:23 2019 daemon.notice openvpn(vpnclient)[1178]: Validating certificate extended key usage
Mon Apr  8 16:03:23 2019 daemon.notice openvpn(vpnclient)[1178]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Mon Apr  8 16:03:23 2019 daemon.notice openvpn(vpnclient)[1178]: VERIFY EKU OK
Mon Apr  8 16:03:23 2019 daemon.notice openvpn(vpnclient)[1178]: VERIFY OK: depth=0, C=CA, ST=ON, O=Windscribe Limited, OU=Operations, CN=Windscribe Node Server 4096
Mon Apr  8 16:03:23 2019 daemon.warn openvpn(vpnclient)[1178]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1602', remote='link-mtu 1550'
Mon Apr  8 16:03:23 2019 daemon.warn openvpn(vpnclient)[1178]: WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher AES-256-GCM'
Mon Apr  8 16:03:23 2019 daemon.warn openvpn(vpnclient)[1178]: WARNING: 'auth' is used inconsistently, local='auth SHA512', remote='auth [null-digest]'
Mon Apr  8 16:03:23 2019 daemon.notice openvpn(vpnclient)[1178]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Mon Apr  8 16:03:23 2019 daemon.notice openvpn(vpnclient)[1178]: [Windscribe Node Server 4096] Peer Connection Initiated with [AF_INET]185.253.99.131:1194
Mon Apr  8 16:03:25 2019 daemon.notice openvpn(vpnclient)[1178]: Data Channel: using negotiated cipher 'AES-256-GCM'
Mon Apr  8 16:03:25 2019 daemon.notice openvpn(vpnclient)[1178]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mon Apr  8 16:03:25 2019 daemon.notice openvpn(vpnclient)[1178]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mon Apr  8 16:03:25 2019 daemon.notice openvpn(vpnclient)[1178]: TUN/TAP device tun0 opened
Mon Apr  8 16:03:25 2019 daemon.notice openvpn(vpnclient)[1178]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Mon Apr  8 16:03:25 2019 daemon.notice openvpn(vpnclient)[1178]: /sbin/ifconfig tun0 10.116.110.12 netmask 255.255.254.0 mtu 1500 broadcast 10.116.111.255
Mon Apr  8 16:03:25 2019 daemon.notice openvpn(vpnclient)[1178]: GID set to nogroup
Mon Apr  8 16:03:25 2019 daemon.notice openvpn(vpnclient)[1178]: UID set to nobody
Mon Apr  8 16:03:25 2019 daemon.notice openvpn(vpnclient)[1178]: Initialization Sequence Completed

root@OpenWrt:~# cat /etc/openvpn/vpnclient.conf
client
dev tun0
proto udp
remote es.windscribe.com 1194 #I've tried also with 443

nobind

resolv-retry infinite

auth SHA512
cipher AES-256-CBC
comp-lzo
verb 2
mute-replay-warnings
remote-cert-tls server
persist-key
persist-tun

key-direction 1
<ca>
-----BEGIN CERTIFICATE-----
removed
-----END CERTIFICATE-----
</ca>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
removed
-----END OpenVPN Static key V1-----
</tls-auth>
user nobody
group nogroup
#dev tun0
auth-user-pass /etc/openvpn/vpnclient.auth
#redirect-gateway def1 ipv6 # I've tried with and without this option```

trendy · April 8, 2019, 9:09pm

What are the output of the following commands?
ip -4 addr ; ip -4 ro ; ip -4 ru ; nslookup www.google.com ; traceroute 8.8.8.8

aberkoke · April 9, 2019, 5:37am

Hi. Thanks for answering.

root@OpenWrt:~# ip -4 addr ; ip -4 ro ; ip -4 ru ; nslookup www.google.com ; traceroute 8.8.8.8
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
6: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
8: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.1.101/24 brd 192.168.1.255 scope global eth0.2
       valid_lft forever preferred_lft forever
11: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN qlen 100
    inet 10.116.110.2/23 brd 10.116.111.255 scope global tun0
       valid_lft forever preferred_lft forever
0.0.0.0/1 via 10.116.110.1 dev tun0
default via 192.168.1.1 dev eth0.2  src 192.168.1.101
10.116.110.0/23 dev tun0 scope link  src 10.116.110.2
128.0.0.0/1 via 10.116.110.1 dev tun0
185.253.99.131 via 192.168.1.1 dev br-lan
192.168.1.0/24 dev br-lan scope link  src 192.168.1.1
192.168.1.0/24 dev eth0.2 scope link  src 192.168.1.101
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
;; connection timed out; no servers could be reached

traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 38 byte packets
 1  *  *  *
 2  *  *  *
 3  *  *  *
 4  *  *  *
 5  *  *  *
 6  *  *  *
 7  *  *  *
 8  *  *  *
 9  *  *  *
10  *  *  *
11  *  *  *
12  *  *  *
13  *  *  *
14  *  *  *
15  *  *  *
16  *  *  *
17  *  *  *
18  *  *  *
19^C

vgaetera · April 9, 2019, 7:07am

Your LAN address space overlaps with WAN, so routing is incorrect.

ip route del 185.253.99.131 via 192.168.1.1 dev br-lan
uci set network.lan.ipaddr="192.168.2.1"
service network restart
service dnsmasq restart
service odhcpd restart
service openvpn restart
uci commit network

Also reconnect your LAN-clients if required.

aberkoke · April 9, 2019, 2:17pm

Hi,
I've followed your suggestions but no success. When I stop the openvpn daemon, it works but not with it running. Results from traceroute seem a bit different now..

root@OpenWrt:~# ip -4 addr ; ip -4 ro ; ip -4 ru ; nslookup www.google.com ; traceroute 8.8.8.8
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
6: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.2.1/24 brd 192.168.2.255 scope global br-lan
       valid_lft forever preferred_lft forever
8: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.1.100/24 brd 192.168.1.255 scope global eth0.2
       valid_lft forever preferred_lft forever
11: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN qlen 100
    inet 10.116.110.73/23 brd 10.116.111.255 scope global tun0
       valid_lft forever preferred_lft forever
0.0.0.0/1 via 10.116.110.1 dev tun0
default via 192.168.1.1 dev eth0.2  src 192.168.1.100
10.116.110.0/23 dev tun0 scope link  src 10.116.110.73
128.0.0.0/1 via 10.116.110.1 dev tun0
185.253.99.131 via 192.168.1.1 dev eth0.2
192.168.1.0/24 dev eth0.2 scope link  src 192.168.1.100
192.168.2.0/24 dev br-lan scope link  src 192.168.2.1
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
;; connection timed out; no servers could be reached

traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 38 byte packets
 1  10.116.110.1 (10.116.110.1)  69.961 ms  69.589 ms  75.383 ms
 2  185.253.99.129 (185.253.99.129)  91.297 ms  76.556 ms  64.060 ms
 3  82.102.29.118 (82.102.29.118)  78.903 ms  *  71.809 ms
 4  213.242.112.193 (213.242.112.193)  56.660 ms  98.167 ms  72.341 ms
 5  4.68.73.34 (4.68.73.34)  67.724 ms  90.718 ms  57.771 ms
 6  74.125.242.177 (74.125.242.177)  77.830 ms  108.170.253.225 (108.170.253.225)  58.384 ms  81.866 ms

vgaetera · April 9, 2019, 2:30pm

It seems your ISP DNS is not accessible via VPN.
You can either configure a static route to the ISP DNS, or use a public DNS-provider:
https://openwrt.org/docs/guide-user/base-system/dhcp_configuration#upstream_dns_provider

aberkoke · April 10, 2019, 5:46am

It worked

Many thanks!

system · April 20, 2019, 5:46am

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.