OpenVPN client problem - no internet connection

Hi,

I have a problem with my OpenVPN setup. It worked fine until last week, but there has been no internet connection for 2 or 3 days. I'm a home worker and I need to use the office VPN connection.

I configured it via the LuCI interface. If I use OpenVPN directly from my PC, everything works, but I need my router to use this VPN for the mobile devices I use via Wi-Fi.

The VPN connection seems established; I can ping the office egress IP, but nothing external (e.g. 8.8.4.4 or 8.8.8.8).

Mon Oct  2 08:40:47 2023 daemon.notice netifd: Interface 'nextootun0' is enabled
Mon Oct  2 08:40:47 2023 daemon.info ipsec: 16[KNL] interface tun0 activated
Mon Oct  2 08:40:47 2023 daemon.notice netifd: Network device 'tun0' link is up
Mon Oct  2 08:40:47 2023 daemon.notice netifd: Interface 'nextootun0' has link connectivity
Mon Oct  2 08:40:47 2023 daemon.notice netifd: Interface 'nextootun0' is setting up now
Mon Oct  2 08:40:47 2023 daemon.info ipsec: 06[KNL] fe80::8a3c:c0b6:1a1a:83ba appeared on tun0
Mon Oct  2 08:40:47 2023 daemon.notice netifd: Interface 'nextootun0' is now up
Mon Oct  2 08:40:47 2023 daemon.info ipsec: 11[KNL] 172.22.38.38 appeared on tun0
Mon Oct  2 08:40:48 2023 user.notice mwan3-hotplug[26481]: mwan3 hotplug on nextootun0 not called because interface disabled
Mon Oct  2 08:40:49 2023 user.notice firewall: Reloading firewall due to ifup of nextootun0 (tun0)

How can I check what is wrong?

PS: Sorry for my poor English.

Firewall settings:

It looks like this:

What is the output of these commands when the VPN is enabled?
traceroute 1.1.1.1; traceroute one.one.one.one
Are you able to reach the work-related services without problems?

root@OpenWrt:~# traceroute 1.1.1.1
traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 46 byte packets
 1traceroute: sendto: Network unreachable
root@OpenWrt:~# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
ping: sendto: Network unreachable

I'm not using services on the work network. I need to go out with the public office IP to access my customers' services (restricted by IP).

Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </>" button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have.

ubus call system board; \
uci export network; \
uci export dhcp; uci export firewall; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
ls -l  /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
root@OpenWrt:~# traceroute one.one.one.one
traceroute to one.one.one.one (2606:4700:4700::1111), 30 hops max, 72 byte packets
 1  2a01:e0a:285:7500::1 (2a01:e0a:285:7500::1)  0.694 ms  0.376 ms  0.385 ms
 2  2a01:e06:1:f836:91fe::ffff (2a01:e06:1:f836:91fe::ffff)  2.783 ms  3.120 ms  2.385 ms
 3  *  *  *
 4  *  *  *
 5  *  *  2a01:e00:6003::5 (2a01:e00:6003::5)  6.367 ms
 6  *  *  *
 7  be3594.rcr21.b019498-0.par01.atlas.cogentco.com (2001:550:0:1000::9a36:3c7e)  7.123 ms  7.007 ms  6.710 ms
 8  *  2001:978:2:3d::18:2 (2001:978:2:3d::18:2)  6.944 ms  *
 9  2400:cb00:538:3:: (2400:cb00:538:3::)  6.223 ms  2400:cb00:534:3:: (2400:cb00:534:3::)  15.258 ms  2400:cb00:19:3:: (2400:cb00:19:3::)  5.979 ms
10  2400:cb00:538:1024::ac47:856f (2400:cb00:538:1024::ac47:856f)  6.719 ms  2400:cb00:534:1024::ac47:7d21 (2400:cb00:534:1024::ac47:7d21)  7.049 ms  2400:cb00:534:1024::ac47:7d11 (2400:cb00:534:1024::ac47:7d11)  7.038 ms
root@OpenWrt:~# ubus call system board; \
> uci export network; \
> uci export dhcp; uci export firewall; \
> ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
> ls -l  /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
{
	"kernel": "5.10.138",
	"hostname": "OpenWrt",
	"system": "MediaTek MT7621 ver:1 eco:3",
	"model": "Cudy WR1300",
	"board_name": "cudy,wr1300",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "22.03.0",
		"revision": "r19685-512e76967f",
		"target": "ramips/mt7621",
		"description": "OpenWrt 22.03.0 r19685-512e76967f"
	}
}
package network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'
	option ula_prefix 'fd8f:9862:2df5::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	option force_link '1'
	option peerdns '0'
	list dns '8.8.4.4'
	list dns '8.8.8.8'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config interface 'nextootun0'
	option proto 'none'
	option device 'tun0'
	option metric '50'

package dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	option ra_slaac '1'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option ra_default '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config host
	option name 'ubuntu'
	option dns '1'
	option mac '2C:0D:A7:3B:DA:CB'
	option ip '192.168.1.42'

config domain
	option ip '192.168.1.42'
	option name 'www.smatch.test'

config domain
	option ip '192.168.1.42'
	option name 'api.smatch.test'

config domain
	option ip '192.168.1.42'
	option name 'vins.smatch.test'

config domain
	option ip '192.168.1.42'
	option name 'api-client.smatch.test'

config domain
	option ip '192.168.1.42'
	option name 'api-back.smatch.test'

config host
	option name 'FiF-Ubuntu'
	option duid '0004408D61FD5FE3AED5B4D78E730A9A7824'

config domain
	option ip 'fd8f:9862:2df5::4f3/128'
	option name 'www.smatch.test'

config domain
	option ip '192.168.1.42'
	option name 'api-client.smatch.test'

config domain
	option ip '192.168.1.42'
	option name 'drive.smatch.test'

config domain
	option ip '192.168.1.42'
	option name 'admin.smatch.test'

config domain
	option ip '192.168.1.42'
	option name 'assets.smatch.test'

config domain
	option ip '192.168.1.42'
	option name 'mercure.smatch.test'

config domain
	option ip '192.168.1.42'
	option name 'borne.smatch.test'

config domain
	option name 'apptabd01s.nocibe.net'
	option ip '192.168.19.3'

config domain
	option name 'wam.nocibe.net'
	option ip '192.168.19.10'

config domain
	option name 'wab.nocibe.net'
	option ip '192.168.19.11'

config domain
	option name 'collector.smatch.test'
	option ip '192.168.1.42'

config domain
	option name 'api-borne.smatch.test'
	option ip '192.168.1.42'

config domain
	option name 'caviste.smatch.test'
	option ip '192.168.1.42'

config domain
	option name 'api.jeboursicote.test'
	option ip '192.168.1.42'

config domain
	option name 'www.jeboursicote.test'
	option ip '192.168.1.42'

package firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option synflood_protect '1'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'nextoofw'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	list network 'nextootun0'
	option input 'DROP'
	option forward 'DROP'

config forwarding
	option src 'lan'
	option dest 'nextoofw'

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
7: wan@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.64.30/24 brd 192.168.64.255 scope global wan
       valid_lft forever preferred_lft forever
10: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
19: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
    inet 172.22.38.38 peer 172.22.38.37/32 scope global tun0
       valid_lft forever preferred_lft forever
172.22.38.1 via 172.22.38.37 dev tun0 table 1 
172.22.38.37 dev tun0 table 1 proto kernel scope link src 172.22.38.38 
185.31.151.230 via 192.168.64.254 dev wan table 1 
192.168.1.0/24 dev br-lan table 1 proto kernel scope link src 192.168.1.1 
192.168.64.0/24 dev wan table 1 proto kernel scope link src 192.168.64.30 
default via 172.22.38.37 dev tun0 
172.22.38.1 via 172.22.38.37 dev tun0 
172.22.38.37 dev tun0 proto kernel scope link src 172.22.38.38 
185.31.151.230 via 192.168.64.254 dev wan 
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1 
192.168.64.0/24 dev wan proto kernel scope link src 192.168.64.30 
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1 
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1 
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1 
local 172.22.38.38 dev tun0 table local proto kernel scope host src 172.22.38.38 
broadcast 192.168.1.0 dev br-lan table local proto kernel scope link src 192.168.1.1 
local 192.168.1.1 dev br-lan table local proto kernel scope host src 192.168.1.1 
broadcast 192.168.1.255 dev br-lan table local proto kernel scope link src 192.168.1.1 
broadcast 192.168.64.0 dev wan table local proto kernel scope link src 192.168.64.30 
local 192.168.64.30 dev wan table local proto kernel scope host src 192.168.64.30 
broadcast 192.168.64.255 dev wan table local proto kernel scope link src 192.168.64.30 
0:	from all lookup local
220:	from all lookup 220
1001:	from all iif wan lookup 1
2001:	from all fwmark 0x100/0x3f00 lookup 1
2061:	from all fwmark 0x3d00/0x3f00 blackhole
2062:	from all fwmark 0x3e00/0x3f00 unreachable
3001:	from all fwmark 0x100/0x3f00 unreachable
32766:	from all lookup main
32767:	from all lookup default
lrwxrwxrwx    1 root     root            16 Sep  3  2022 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r--    1 root     root            47 Sep 29 09:48 /tmp/resolv.conf
-rw-r--r--    1 root     root           142 Sep 29 09:48 /tmp/resolv.conf.d/resolv.conf.auto

/tmp/resolv.conf.d:
-rw-r--r--    1 root     root           142 Sep 29 09:48 resolv.conf.auto
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1

==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1

==> /tmp/resolv.conf.d <==
head: /tmp/resolv.conf.d: I/O error

==> /tmp/resolv.conf.d/resolv.conf.auto <==
# Interface wan
nameserver 8.8.4.4
nameserver 8.8.8.8
# Interface wan6
nameserver 2a01:e00::2
nameserver 2a01:e00::1
nameserver fd0f:ee:b0::1

There is table 1 configured in the routing table, as well as some ip rules. Are you using PBR or mwan3?
Furthermore, table 1 doesn't have a default gateway, so this is the root cause of your problem.

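The two things the reply above points at (a custom table that an `ip rule` consults but that has no default route, and the `unreachable` rule that sits behind it) can be checked mechanically instead of by eye. The following Python script is an added example for this thread; it is not code from OpenWrt, mwan3 or the poster. It parses the `ip -4 ro li tab all` and `ip -4 ru` output pasted earlier (embedded here as constructed sample input, trimmed to the IPv4 lines that matter), lists the tables that are referenced by a rule but carry no default route, and replays the kernel's rule walk for a destination with a given fwmark. The mark value 0x100 is taken from rules 2001 and 3001 as shown in the dump; that mwan3 is what stamps outgoing packets with it is the script's assumption.

```python
"""Audit policy routing: tables consulted by `ip rule` that lack a default route,
plus a replay of the kernel's rule walk for a destination and fwmark.
Added example for this thread; not part of OpenWrt, mwan3 or the poster's setup."""
import ipaddress
import re

# Constructed sample: the IPv4 lines of the `ip -4 ro li tab all` / `ip -4 ru`
# output from the thread, trimmed. Lines without "table X" are the main table.
ROUTE_DUMP = """\
172.22.38.37 dev tun0 table 1 proto kernel scope link src 172.22.38.38
185.31.151.230 via 192.168.64.254 dev wan table 1
192.168.1.0/24 dev br-lan table 1 proto kernel scope link src 192.168.1.1
192.168.64.0/24 dev wan table 1 proto kernel scope link src 192.168.64.30
default via 172.22.38.37 dev tun0
185.31.151.230 via 192.168.64.254 dev wan
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 192.168.1.1 dev br-lan table local proto kernel scope host src 192.168.1.1
"""
RULE_DUMP = """\
0:      from all lookup local
220:    from all lookup 220
1001:   from all iif wan lookup 1
2001:   from all fwmark 0x100/0x3f00 lookup 1
2061:   from all fwmark 0x3d00/0x3f00 blackhole
2062:   from all fwmark 0x3e00/0x3f00 unreachable
3001:   from all fwmark 0x100/0x3f00 unreachable
32766:  from all lookup main
32767:  from all lookup default
"""
ROUTE_TYPES = {"local", "broadcast", "unreachable", "blackhole", "prohibit"}
RULE_RE = re.compile(r"^(\d+):\s+from (\S+)(?: iif (\S+))?(?: fwmark (\S+))?"
                     r"\s+(?:lookup (\S+)|(blackhole|unreachable|prohibit))$")

def parse_routes(text):
    """{table_name: [route, ...]}; dst is an ip_network so prefixes can be compared."""
    tables = {}
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        rtype = tok.pop(0) if tok[0] in ROUTE_TYPES else "unicast"
        dst = "0.0.0.0/0" if tok[0] == "default" else tok[0]
        route = {"type": rtype, "dst": ipaddress.ip_network(dst, strict=False),
                 "via": None, "dev": None, "table": "main"}
        for key in ("via", "dev", "table"):
            if key in tok:
                route[key] = tok[tok.index(key) + 1]
        tables.setdefault(route["table"], []).append(route)
    return tables

def parse_rules(text):
    """Rules sorted by priority; a fwmark selector is kept as mark + mask."""
    rules = []
    for m in (RULE_RE.match(ln.strip()) for ln in text.splitlines()):
        if not m:
            continue
        prio, src, iif, fwmark, table, verdict = m.groups()
        val, _, msk = (fwmark or "").partition("/")
        rules.append({"prio": int(prio), "src": src, "iif": iif, "table": table,
                      "verdict": verdict, "mark": int(val, 16) if val else None,
                      "mask": int(msk, 16) if msk else 0xFFFFFFFF})
    return sorted(rules, key=lambda r: r["prio"])

def missing_default_tables(tables, rules):
    """Tables a rule consults that exist but carry no 0.0.0.0/0 route."""
    bad = set()
    for r in rules:
        if not r["table"] or r["table"] == "local":   # local never has a default
            continue
        routes = tables.get(r["table"], [])
        if routes and not any(rt["dst"].prefixlen == 0 for rt in routes):
            bad.add(r["table"])
    return sorted(bad)

def lookup(tables, rules, dst, fwmark=0, iif=None):
    """Walk rules by priority like the FIB does: the first matching rule whose
    table holds a route for dst wins; blackhole/unreachable verdicts end the walk;
    running off the end is what 'sendto: Network unreachable' looks like."""
    addr = ipaddress.ip_address(dst)
    for r in rules:
        if r["iif"] is not None and r["iif"] != iif:
            continue
        if r["mark"] is not None and (fwmark & r["mask"]) != r["mark"]:
            continue
        if r["verdict"]:
            return {"result": r["verdict"], "rule": r["prio"], "table": None}
        best = None
        for rt in tables.get(r["table"], []):
            if addr in rt["dst"] and (best is None or rt["dst"].prefixlen > best["dst"].prefixlen):
                best = rt
        if best:
            return {"result": best["type"], "rule": r["prio"], "table": r["table"],
                    "via": best["via"], "dev": best["dev"]}
    return {"result": "unreachable", "rule": None, "table": None}

TABLES = parse_routes(ROUTE_DUMP)
RULES = parse_rules(RULE_DUMP)

if __name__ == "__main__":
    print("tables without a default route:", missing_default_tables(TABLES, RULES))
    for mark in (0x0, 0x100):   # 0x100 is the mark rules 2001 and 3001 key on
        print(f"8.8.8.8 fwmark={mark:#x} ->", lookup(TABLES, RULES, "8.8.8.8", fwmark=mark))
```

To use it on a live box, replace the two constants with a fresh `ip -4 ro li tab all; ip -4 ru` dump. On the dump above it reports table 1 as the only consulted table without a default route, and the replay shows why that matters: a packet to 8.8.8.8 that carries mark 0x100 is sent to table 1 by rule 2001, finds nothing there, and falls through to rule 3001, which returns unreachable; the same packet with no mark reaches the main table and takes the default via tun0. Only the host route 185.31.151.230 has an entry in table 1, so only that destination still works for marked traffic.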

I don't know what PBR is, but I saw mwan3 in the logs:

Mon Oct  2 08:40:47 2023 user.info mwan3track[1911]: Check (ping) success for target "8.8.8.8" on interface wan (wan). Current score: 2

How do I repair that? Last week everything worked fine and I didn't change anything.

root@OpenWrt:~# uci export mwan3
package mwan3

config globals 'globals'
	option mmx_mask '0x3F00'

config interface 'wan'
	option enabled '1'
	list track_ip '8.8.4.4'
	list track_ip '8.8.8.8'
	list track_ip '208.67.222.222'
	list track_ip '208.67.220.220'
	option family 'ipv4'
	option reliability '2'

config interface 'wan6'
	option enabled '0'
	list track_ip '2001:4860:4860::8844'
	list track_ip '2001:4860:4860::8888'
	list track_ip '2620:0:ccd::2'
	list track_ip '2620:0:ccc::2'
	option family 'ipv6'
	option reliability '2'

config interface 'wanb'
	option enabled '0'
	list track_ip '8.8.4.4'
	list track_ip '8.8.8.8'
	list track_ip '208.67.222.222'
	list track_ip '208.67.220.220'
	option family 'ipv4'
	option reliability '1'

config interface 'wanb6'
	option enabled '0'
	list track_ip '2001:4860:4860::8844'
	list track_ip '2001:4860:4860::8888'
	list track_ip '2620:0:ccd::2'
	list track_ip '2620:0:ccc::2'
	option family 'ipv6'
	option reliability '1'

config member 'wan_m1_w3'
	option interface 'wan'
	option metric '1'
	option weight '3'

config member 'wan_m2_w3'
	option interface 'wan'
	option metric '2'
	option weight '3'

config member 'wanb_m1_w2'
	option interface 'wanb'
	option metric '1'
	option weight '2'

config member 'wanb_m2_w2'
	option interface 'wanb'
	option metric '2'
	option weight '2'

config member 'wan6_m1_w3'
	option interface 'wan6'
	option metric '1'
	option weight '3'

config member 'wan6_m2_w3'
	option interface 'wan6'
	option metric '2'
	option weight '3'

config member 'wanb6_m1_w2'
	option interface 'wanb6'
	option metric '1'
	option weight '2'

config member 'wanb6_m2_w2'
	option interface 'wanb6'
	option metric '2'
	option weight '2'

config policy 'wan_only'
	list use_member 'wan_m1_w3'
	list use_member 'wan6_m1_w3'

config policy 'wanb_only'
	list use_member 'wanb_m1_w2'
	list use_member 'wanb6_m1_w2'

config policy 'balanced'
	list use_member 'wan_m1_w3'
	list use_member 'wanb_m1_w2'
	list use_member 'wan6_m1_w3'
	list use_member 'wanb6_m1_w2'

config policy 'wan_wanb'
	list use_member 'wan_m1_w3'
	list use_member 'wanb_m2_w2'
	list use_member 'wan6_m1_w3'
	list use_member 'wanb6_m2_w2'

config policy 'wanb_wan'
	list use_member 'wan_m2_w3'
	list use_member 'wanb_m1_w2'
	list use_member 'wan6_m2_w3'
	list use_member 'wanb6_m1_w2'

config rule 'https'
	option sticky '1'
	option dest_port '443'
	option proto 'tcp'
	option use_policy 'balanced'

config rule 'default_rule_v4'
	option dest_ip '0.0.0.0/0'
	option use_policy 'balanced'
	option family 'ipv4'

config rule 'default_rule_v6'
	option dest_ip '::/0'
	option use_policy 'balanced'
	option family 'ipv6'

Is there any reason to have mwan3 in the first place?
I can see only one custom table there, so you are not splitting the traffic.
Furthermore, you have not configured it properly, so it would never work correctly.


I don't know; I took the OpenWrt firmware from the manufacturer's device support page (Cudy WR1300). I just updated packages and configured OpenVPN and the DNS hostnames.

I'm not a network engineer, just a basic user.

If mwan is for multiple WAN interfaces, I think I don't need it?

mwan3 is not part of the OpenWrt base image; it is provided as an add-on to manage multiple internet connections.
If you didn't install it, then you should ask in the Cudy forums what the reason could be that it stopped working all of a sudden.


Can I uninstall mwan3?

I tried uninstalling mwan3 and now it works.

Thank you very much for your time.
