Hello All!
I've read several similar topics on this forum but still need support to set up by openVPN client on router.
I used instructions shared by my VPN provider https://nordvpn.com/ru/tutorials/openwrt/openvpn/
Spent many hours with no success. Eventually i see that open vpn client is connected to remote server, but by now lan is not connected to the web. Router is online as ping from it works to google and other sites.
Even if i disconnect vpn via LUCI interface there is no connection from lan side to internet.
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option output 'ACCEPT'
option masq '1'
option mtu_fix '1'
option input 'REJECT'
option forward 'REJECT'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
config zone
option name 'vpnfirewall'
option output 'ACCEPT'
option masq '1'
option mtu_fix '1'
list network 'nordvpntun'
option input 'REJECT'
option forward 'REJECT'
config forwarding
option src 'lan'
option dest 'vpnfirewall'
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fdff:78ee:05b0::/48'
config interface 'lan'
option type 'bridge'
option ifname 'eth0.1'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
config device 'lan_dev'
option name 'eth0.1'
option macaddr 'b0:4e:26:8e:26:5f'
config interface 'wan'
option ifname 'eth0.2'
option force_link '1'
option proto 'dhcp'
option peerdns '0'
list dns '8.8.8.8'
list dns '8.8.4.4'
list dns '103.86.96.100'
list dns '103.86.99.100'
config device 'wan_dev'
option name 'eth0.2'
option macaddr 'b0:4e:26:8e:26:60'
config interface 'wan6'
option ifname 'eth0.2'
option proto 'dhcpv6'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '1 2 3 4 6t'
config switch_vlan
option device 'switch0'a
option vlan '2'
option ports '0 6t'
config interface 'nordvpntun'
option proto 'none'
option ifname 'tun0'
config openvpn 'nordvpn'
option config '/etc/openvpn/de451.nordvpn.com.udp1194.ovpn'
option enabled '1'
Ping tests from router
OVPN file contents
client
dev tun
proto udp
remote 5.254.16.83 1194
resolv-retry infinite
remote-random
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ping 15
ping-restart 0
ping-timer-rem
reneg-sec 0
comp-lzo no
remote-cert-tls server
auth-user-pass secret
verb 3
pull
fast-io
cipher AES-256-CBC
auth SHA512
ca ca.crt
tls-auth ta.key 1
key-direction 1
So far your configuration looks okay to me. I think there may be a configuration issue with NordVPN somewhere because I have seen some people getting into connectivity problems with it on this forum. You may want to search for similar issues. Also please consider putting config in the </> tag. It makes it easier to read it. Also try to ping google.com from vpn itself. The command would be to use ping -I tun0 google.com. This will make sure vpn is connected and there is no problem with vpn itself.
I just tried ping -I tun0 google.com. There is a response from remote server. Thanks for </> idea. I am very rare participant at any forum, did not know this thing.
Looks like you have connectivity from vpn. I wonder why it's not passing through to lan. Maybe someone else can better explain what's going on here. Because configuration looks okay to me as I use vpn myself so it's almost identical.
Well, I don't know what was wrong, but I made following. I recet all settings of the router to defaults and made all the steps very slow once again. When reset to dafualts there is a connection to the internet. I installed openvpn-openssl and ip-full, then made inputs into config files making incremental commits and checking connectivity after each step. It works for now.
Having all that settled I was unpleasantyly suprised with low speed results on speedtest.com. When I start VPN on computer or iphone it shows at least 14Mbit downlaod and 70Mbit uplink speeds, Making test with vpn on router gives 4 down and 7 Mbit upload. Is it a limitation of router hardware? I just purchased TP Link Archer C20 V4 for the purposes of VPN only.
Yes I think it could be limited due to router hardware but you need to see how the router behaves when you do a speed test. Install htop and run it, it will show you currently running programs along with the cpu usage etc. Then run speed test and see how is the cpu behaving. If the cpu reaches 100% usage even with 1 core then it could be the hardware issue otherwise something else may be the problem.
Mark the topic as solved if your problem is resolved.
1 Like
I checked with htop. Looks like I should have bought more expensive device for VPN. This one is spending all CPU resources during speedtest and probably is a bottleneck in my network. Many thanks to ahmar16 for all the advices.