OpenVPN Connectivity Issues with PPPoE

Hello,

I am having issues getting OpenVPN to work on OpenWrt 23.05.3. I am using PPPoE on my WAN, and I believe that may be the issue, as once everything is connected I lose all connection and am not able to ping outside of the network (tried both Google and CF IPs).

I have followed the official guide here and also the alternative guide at the bottom here.

Completely lost with this one. Any help would be great!

Add this in place of the default MSS fixup (assuming a different zone is used for the VPN; check fw4 print | head -20 for the correct device list name).
And set the VPN MTU to 1500 - 8 (PPPoE) - 28 (OpenVPN UDP) = 1464 or less.

chain mangle_postrouting {
    type filter hook postrouting priority mangle; policy accept;
    oif $wan_devices,$vpn_devices tcp flags syn / syn,fin,rst tcp option maxseg size set rt mtu
}
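An added check, written for this thread and not part of OpenWrt or OpenVPN, that turns the MTU arithmetic above into a script: it derives the 1464-byte budget for PPPoE plus OpenVPN over UDP, shows the MSS the nft clamp would produce, and tests an .ovpn profile's tun-mtu (OpenVPN's own directive) against that budget. The sample profile is constructed from the MTU-related lines of the london.ovpn posted later in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): compute the MTU budget the reply above
# describes, 1500 - 8 (PPPoE) - 28 (IPv4 + UDP around OpenVPN) = 1464, and check
# an .ovpn profile's tun-mtu against it. "tun-mtu" is OpenVPN's own directive;
# the sample profile at the bottom is constructed from the posted london.ovpn.

# tunnel_mtu BASE OVERHEAD... : subtract each encapsulation layer's overhead
tunnel_mtu() {
  mtu=$1; shift
  for ovh in "$@"; do mtu=$((mtu - ovh)); done
  echo "$mtu"
}

# clamped_mss MTU : MSS that "tcp option maxseg size set rt mtu" produces for an
# IPv4 route with this MTU (20 bytes IP header + 20 bytes TCP header)
clamped_mss() { echo $(($1 - 40)); }

# ovpn_directive NAME < profile : value of the first "NAME value" line, or 0
ovpn_directive() {
  found=0
  while read -r key val junk; do
    [ "$key" = "$1" ] && [ "$found" = 0 ] && found=$val
  done
  echo "$found"
}

# ovpn_mtu_check WAN_MTU < profile : report whether tun-mtu fits the budget;
# returns 0 when it fits, 1 when the profile needs a smaller tun-mtu
ovpn_mtu_check() {
  budget=$(tunnel_mtu "$1" 8 28)          # PPPoE, then IPv4+UDP for OpenVPN
  tunmtu=$(ovpn_directive tun-mtu)
  if [ "$tunmtu" -gt "$budget" ]; then
    echo "tun-mtu $tunmtu exceeds budget $budget (clamped MSS would be $(clamped_mss "$budget"))"
    return 1
  fi
  echo "tun-mtu $tunmtu fits budget $budget"
}

# Constructed sample carrying the MTU-related lines of the posted profile
SAMPLE_OVPN='dev tun
tun-mtu 1500
fragment 1300
mssfix 1200'

printf '%s\n' "$SAMPLE_OVPN" | ovpn_mtu_check 1500 || echo "lower tun-mtu to $(tunnel_mtu 1500 8 28) or less"
```

On the router itself the profile can be piped in with cat /etc/openvpn/london.ovpn | ovpn_mtu_check 1500.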

No luck with that unfortunately. Still unable to both ping and tracert hostnames and access anything.

Please connect to your OpenWRT device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:

Remember to redact keys, passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall
ip route show
for ovpn in $(ls /etc/openvpn/*.ovpn);do echo $ovpn; cat $ovpn; echo;done
logread | grep openvpn

No problem, here it is.

All commands except the log:

root@OpenWrt:~# ubus call system board
{
"kernel": "5.15.150",
"hostname": "OpenWrt",
"system": "MediaTek MT7628AN ver:1 eco:2",
"model": "Xiaomi Mi Router 4A (100M Edition)",
"board_name": "xiaomi,mi-router-4a-100m",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "23.05.3",
"revision": "r23809-234f1a2efa",
"target": "ramips/mt76x8",
"description": "OpenWrt 23.05.3 r23809-234f1a2efa"
}
}

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'

config globals 'globals'
option ula_prefix 'fd0e:4fb6:4142::/48'

config device
option name 'br-lan'
option type 'bridge'
list ports 'eth0.1'

config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'

config device
option name 'eth0.2'
option macaddr ''

config interface 'wan'
option device 'eth0.2'
option proto 'pppoe'
option username ''
option password ''
option ipv6 'auto'

config interface 'wan6'
option device 'eth0.2'
option proto 'dhcpv6'

config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'

config switch_vlan
option device 'switch0'
option vlan '1'
option ports '4 2 6t'

config switch_vlan
option device 'switch0'
option vlan '2'
option ports '0 6t'

config interface 'VPNtun0'
option proto 'none'
option device 'tun0'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'

config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'

config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'

config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'

config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'

config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'

config zone
option name 'VPN_zone'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'VPNtun0'

config forwarding
option src 'lan'
option dest 'VPN_zone'

root@OpenWrt:~# ip route show
0.0.0.0/1 via 10.185.1.77 dev tun0
default via 88.80.38.1 dev pppoe-wan
5.157.128.46 via 88.80.38.1 dev pppoe-wan
10.185.0.1 via 10.185.1.77 dev tun0
10.185.1.77 dev tun0 scope link src 10.185.1.78
88.80.38.1 dev pppoe-wan scope link src 100.125.108.215
128.0.0.0/1 via 10.185.1.77 dev tun0
192.168.1.0/24 dev br-lan scope link src 192.168.1.1

root@OpenWrt:~# for ovpn in $(ls /etc/openvpn/*.ovpn);do echo $ovpn; cat $ovpn; echo;done
/etc/openvpn/london.ovpn
dev tun
fast-io
persist-key
persist-tun
nobind
remote uk-london-ca-version-2.expressnetw.com 1195

remote-random
pull
comp-lzo no
tls-client
verify-x509-name Server name-prefix
ns-cert-type server
key-direction 1
route-method exe
route-delay 2
tun-mtu 1500
fragment 1300
mssfix 1200
verb 3
cipher AES-256-GCM
auth SHA512
sndbuf 524288
rcvbuf 524288
auth-user-pass /etc/openvpn/london.auth

And the log is too big to post directly here, so it's here: https://pastebin.com/Nb6Br5Lj

with:
remote-cert-tls server

But that is not the real problem.

This looks like the problem:

Mon May 20 11:30:36 2024 daemon.notice openvpn(london)[5517]: Initialization Sequence Completed
Mon May 20 11:31:33 2024 daemon.notice openvpn(london)[5517]: [Server-10738-2a] Inactivity timeout (--ping-restart), restarting
Mon May 20 11:31:33 2024 daemon.notice openvpn(london)[5517]: SIGUSR1[soft,ping-restart] received, process restarting

Initialization Sequence Completed signals everything is fine and dandy, but then the server throws you out.
Not sure why; maybe the server is overcrowded, or you have used all slots (e.g. running this same config from another router/PC), or forgot to pay the bill?

Only advice I have is to try another server, sorry I cannot be more helpful :frowning:
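An added detection script, written for this thread and not part of OpenWrt or OpenVPN, that scans logread output for exactly the pattern diagnosed above: a session that reaches "Initialization Sequence Completed" and is then torn down by --ping-restart. It reports how many seconds each session stayed up; the sample lines are the three posted above.

```shell
#!/bin/sh
# Added example (not from the thread): scan logread output for the pattern
# quoted above, a session that reaches "Initialization Sequence Completed" and is
# then torn down by --ping-restart. The sample lines are the three posted above.

# log_secs "LINE" : seconds since midnight from the syslog timestamp
# ("Mon May 20 11:30:36 2024 ..." -> the fourth field is HH:MM:SS)
log_secs() {
  hms=$(printf '%s\n' "$1" | { read -r dow mon day hms junk; echo "$hms"; })
  h=${hms%%:*}; rest=${hms#*:}; m=${rest%%:*}; s=${rest#*:}
  echo $(( ${h#0} * 3600 + ${m#0} * 60 + ${s#0} ))
}

# ovpn_flaps < log : print "INSTANCE SECONDS" for each init -> ping-restart pair,
# SECONDS being how long the tunnel stayed up before the server dropped it
ovpn_flaps() {
  init=""; inst=""
  while IFS= read -r line; do
    case "$line" in
      *"openvpn("*"Initialization Sequence Completed"*)
        init=$(log_secs "$line")
        inst=${line#*"openvpn("}; inst=${inst%%")"*} ;;
      *"Inactivity timeout (--ping-restart)"*)
        if [ -n "$init" ]; then
          echo "$inst $(( $(log_secs "$line") - init ))"
          init=""
        fi ;;
    esac
  done
}

# ovpn_flap_count < log : number of init -> ping-restart cycles found
ovpn_flap_count() { ovpn_flaps | wc -l | tr -d ' '; }

SAMPLE_LOG='Mon May 20 11:30:36 2024 daemon.notice openvpn(london)[5517]: Initialization Sequence Completed
Mon May 20 11:31:33 2024 daemon.notice openvpn(london)[5517]: [Server-10738-2a] Inactivity timeout (--ping-restart), restarting
Mon May 20 11:31:33 2024 daemon.notice openvpn(london)[5517]: SIGUSR1[soft,ping-restart] received, process restarting'

printf '%s\n' "$SAMPLE_LOG" | ovpn_flaps   # london 57
```

On the router, logread | grep openvpn | ovpn_flaps lists every such cycle; a tunnel that is repeatedly up for well under the server's ping timeout and then restarted points at the server side, as the reply says, rather than at the firewall.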

No luck with that either unfortunately.

However I have stumbled upon something.

In OpenWrt:
traceroute to google.com (64.233.165.100), 20 hops max, 46 byte packets
1 88.80.38.1 1.630 ms
2 88.80.38.138 2.148 ms
3 212.188.61.141 0.385 ms
4 212.188.42.90 18.428 ms
5 212.188.2.246 18.821 ms
6 212.188.56.130 18.759 ms
7 212.188.29.161 18.283 ms
8 195.34.53.30 18.395 ms
9 195.34.50.222 17.872 ms
10 195.34.50.206 17.853 ms
11 195.34.50.226 31.389 ms
12 195.34.53.29 31.573 ms
13 212.188.29.85 31.217 ms
14 195.34.50.161 31.290 ms
15 212.188.28.102 31.615 ms
16 212.188.0.170 31.484 ms
17 74.125.118.22 31.283 ms
18 *
19 *
20 *

In Windows:
Tracing route to google.com [64.233.165.100]
over a maximum of 30 hops:

1 3 ms 1 ms 1 ms OpenWrt.lan [192.168.1.1]
2 * * * Request timed out.
3 * * OpenWrt.lan [192.168.1.1] reports: Destination protocol unreachable.

Trace complete.

So perhaps something to do with PPPoE not giving out a DNS server.

Probably something in the firewall config not allowing forwarding from the LAN to the VPN interface.

Had a little mess around with changing the DNS server on both the router and the DNS that is given out by DHCP, and still no luck. Had a look in the firewall config and I've tried re-doing the config from scratch both ways that are described in the official guide.