OpenVPN is connected but NO internet - Xiaomi 4A Gigabit

I have OpenWrt 21.02 on my Xiaomi 4A Gigabit. I could enable OpenVPN in LuCI.
In addition, I have a private OpenVPN server that is configured by the following script, which exports passwordless OVPN files:

https://github.com/angristan/openvpn-install

Here is my OVPN file sample:

client
proto udp
explicit-exit-notify
remote xx.xx.xx.xx yyyyy
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
verify-x509-name server_GkiaLVIBVyh7CA15 name
auth SHA256
auth-nocache
cipher AES-128-GCM
tls-client
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
ignore-unknown-option block-outside-dns
setenv opt block-outside-dns # Prevent Windows 10 DNS leak
verb 3
<ca>
-----BEGIN CERTIFICATE-----
#CERTIFICATE[DELETED]
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
#CERTIFICATE[DELETED]
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
#PRIVATE_KEY [DELETED]
-----END PRIVATE KEY-----
</key>
<tls-crypt>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
#Deleted
-----END OpenVPN Static key V1-----
</tls-crypt>

Furthermore, I configured the network interface and firewall using several tutorials, including the following:

https://www.ovpn.com/en/guides/openwrt
&
https://openwrt.org/docs/guide-user/services/vpn/openvpn/client-luci

Now, when I enable my VPN on the router, I cannot connect to the internet.
Please advise how to solve the issue.

In advance, your comments and help are highly appreciated.
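The interface and firewall zone that the two linked guides describe, written out as an added example (this is not code from the thread or from those guides): a uci batch that creates the interface, the zone and the lan -> vpn forwarding, plus an offline check over `uci show firewall` output that tells you whether the zone holding the tunnel interface actually masquerades and is reachable from lan. The names `vpn` (interface and zone), the function names and the sample `uci show` output are my assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or the linked guides: the OpenWrt
# interface + firewall zone those guides describe, as a uci batch, plus an
# offline check over `uci show firewall` output. Assumed names: interface
# "vpn" bound to tun0, zone "vpn", forwarding lan -> vpn.

# apply_vpn_zone: create the interface, the zone and the forwarding.
# Run as root on the router:  ./vpnzone.sh apply
apply_vpn_zone() {
    uci batch <<'EOF'
set network.vpn=interface
set network.vpn.proto=none
set network.vpn.device=tun0
add firewall zone
set firewall.@zone[-1].name=vpn
set firewall.@zone[-1].input=REJECT
set firewall.@zone[-1].output=ACCEPT
set firewall.@zone[-1].forward=REJECT
set firewall.@zone[-1].masq=1
set firewall.@zone[-1].mtu_fix=1
add_list firewall.@zone[-1].network=vpn
add firewall forwarding
set firewall.@forwarding[-1].src=lan
set firewall.@forwarding[-1].dest=vpn
EOF
    uci commit network
    uci commit firewall
    /etc/init.d/network reload
    /etc/init.d/firewall reload
}

# check_zone_config: read `uci show firewall` on stdin and verify that the
# zone holding interface $1 masquerades and that lan forwards into it.
# The server only routes back to the client's 10.8.0.x address, so LAN
# traffic must be source-NATed onto the tunnel or replies never return.
# Prints "ok: ..." and returns 0, or the first problem found and returns 1.
check_zone_config() {
    iface="${1:-vpn}"
    awk -F'[.=]' -v iface="$iface" -v q="'" '
    { gsub(q, "") }                    # strip the quotes uci show adds
    $1 != "firewall" { next }
    $3 == "network" && index(" " $4 " ", " " iface " ") { zone[$2] = 1 }
    $3 == "name" { name[$2] = $4 }
    $3 == "masq" { masq[$2] = $4 }
    $3 == "src"  { src[$2]  = $4 }
    $3 == "dest" { dest[$2] = $4 }
    END {
        for (z in zone) {
            if (masq[z] != "1") {
                print "zone " name[z] " covers " iface " but masq is off: LAN traffic would enter the tunnel without source NAT"
                exit 1
            }
            for (f in src)
                if (src[f] == "lan" && dest[f] == name[z]) { print "ok: lan -> " name[z] " via " z; exit 0 }
            print "zone " name[z] " covers " iface " but there is no lan -> " name[z] " forwarding"
            exit 1
        }
        print "no zone lists interface " iface
        exit 1
    }'
}

# Constructed sample of `uci show firewall` after apply_vpn_zone on a stock
# 21.02 config (the lan and wan zones are the defaults).
sample_uci_show() {
    cat <<'EOF'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[0].network='lan'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@zone[1].network='wan' 'wan6'
firewall.@zone[2]=zone
firewall.@zone[2].name='vpn'
firewall.@zone[2].input='REJECT'
firewall.@zone[2].output='ACCEPT'
firewall.@zone[2].forward='REJECT'
firewall.@zone[2].masq='1'
firewall.@zone[2].mtu_fix='1'
firewall.@zone[2].network='vpn'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].src='lan'
firewall.@forwarding[1].dest='vpn'
EOF
}

case "${1:-}" in
    apply) apply_vpn_zone ;;
    check) uci show firewall | check_zone_config "${2:-vpn}" ;;
esac
```

On the router, `./vpnzone.sh check vpn` reads the live `uci show firewall`; `sample_uci_show | check_zone_config vpn` runs the same check offline against the constructed sample. Only the first zone that lists the interface is examined, which is the normal case.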

Have you created an interface in network and a zone in firewall?

What does your server configuration look like?
What are the routes on the client after establishing the tunnel?

@ulmwind
Yes, I created a network interface and a firewall zone.

@faser

A) My VPN server works well; I can connect to the VPN with the same configuration file through 'OpenVPN Connect' on Windows and on several Android devices.
B) Would you please explain where I should check the routes on the client?

Here is the system log from when I started OpenVPN:

Mon Oct 18 05:26:24 2021 daemon.notice openvpn(MyServer)[2007]: VERIFY OK: depth=1, CN=cn_UtLCDVehB60eUoAm
Mon Oct 18 05:26:24 2021 daemon.notice openvpn(MyServer)[2007]: VERIFY KU OK
Mon Oct 18 05:26:24 2021 daemon.notice openvpn(MyServer)[2007]: Validating certificate extended key usage
Mon Oct 18 05:26:24 2021 daemon.notice openvpn(MyServer)[2007]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Mon Oct 18 05:26:24 2021 daemon.notice openvpn(MyServer)[2007]: VERIFY EKU OK
Mon Oct 18 05:26:24 2021 daemon.notice openvpn(MyServer)[2007]: VERIFY X509NAME OK: CN=server_GkiaLVIBVyh7CA15
Mon Oct 18 05:26:24 2021 daemon.notice openvpn(MyServer)[2007]: VERIFY OK: depth=0, CN=server_GkiaLVIBVyh7CA15
Mon Oct 18 05:26:24 2021 daemon.notice openvpn(MyServer)[2007]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 256 bit EC, curve prime256v1, signature: ecdsa-with-SHA256
Mon Oct 18 05:26:24 2021 daemon.notice openvpn(MyServer)[2007]: [server_GkiaLVIBVyh7CA15] Peer Connection Initiated with [AF_INET]5.61.27.19:52826
Mon Oct 18 05:26:25 2021 daemon.notice openvpn(MyServer)[2007]: SENT CONTROL [server_GkiaLVIBVyh7CA15]: 'PUSH_REQUEST' (status=1)
Mon Oct 18 05:26:26 2021 daemon.notice openvpn(MyServer)[2007]: PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 10.8.0.1,redirect-gateway def1 bypass-dhcp,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.16 255.255.255.0,peer-id 3,cipher AES-128-GCM'
Mon Oct 18 05:26:26 2021 daemon.notice openvpn(MyServer)[2007]: OPTIONS IMPORT: timers and/or timeouts modified
Mon Oct 18 05:26:26 2021 daemon.notice openvpn(MyServer)[2007]: OPTIONS IMPORT: --ifconfig/up options modified
Mon Oct 18 05:26:26 2021 daemon.notice openvpn(MyServer)[2007]: OPTIONS IMPORT: route options modified
Mon Oct 18 05:26:26 2021 daemon.notice openvpn(MyServer)[2007]: OPTIONS IMPORT: route-related options modified
Mon Oct 18 05:26:26 2021 daemon.notice openvpn(MyServer)[2007]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Mon Oct 18 05:26:26 2021 daemon.notice openvpn(MyServer)[2007]: OPTIONS IMPORT: peer-id set
Mon Oct 18 05:26:26 2021 daemon.notice openvpn(MyServer)[2007]: OPTIONS IMPORT: adjusting link_mtu to 1624
Mon Oct 18 05:26:26 2021 daemon.notice openvpn(MyServer)[2007]: OPTIONS IMPORT: data channel crypto options modified
Mon Oct 18 05:26:26 2021 daemon.notice openvpn(MyServer)[2007]: Outgoing Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
Mon Oct 18 05:26:26 2021 daemon.notice openvpn(MyServer)[2007]: Incoming Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
Mon Oct 18 05:26:26 2021 daemon.notice openvpn(MyServer)[2007]: net_route_v4_best_gw query: dst 0.0.0.0
Mon Oct 18 05:26:26 2021 daemon.notice openvpn(MyServer)[2007]: net_route_v4_best_gw result: via 192.168.1.1 dev wan
Mon Oct 18 05:26:26 2021 daemon.notice openvpn(MyServer)[2007]: TUN/TAP device tun0 opened
Mon Oct 18 05:26:26 2021 daemon.notice openvpn(MyServer)[2007]: net_iface_mtu_set: mtu 1500 for tun0
Mon Oct 18 05:26:26 2021 daemon.notice openvpn(MyServer)[2007]: net_iface_up: set tun0 up
Mon Oct 18 05:26:26 2021 daemon.notice netifd: Network device 'tun0' link is up
Mon Oct 18 05:26:26 2021 daemon.notice netifd: Interface 'OpenVPN' has link connectivity
Mon Oct 18 05:26:26 2021 daemon.notice openvpn(MyServer)[2007]: net_addr_v4_add: 10.8.0.16/24 dev tun0
Mon Oct 18 05:26:26 2021 daemon.notice openvpn(MyServer)[2007]: /usr/libexec/openvpn-hotplug up MyServer tun0 1500 1624 10.8.0.16 255.255.255.0 init
Mon Oct 18 05:26:26 2021 daemon.notice openvpn(MyServer)[2007]: net_route_v4_add: 5.61.27.19/32 via 192.168.1.1 dev [NULL] table 0 metric -1
Mon Oct 18 05:26:26 2021 daemon.notice openvpn(MyServer)[2007]: net_route_v4_add: 0.0.0.0/1 via 10.8.0.1 dev [NULL] table 0 metric -1
Mon Oct 18 05:26:26 2021 daemon.notice openvpn(MyServer)[2007]: net_route_v4_add: 128.0.0.0/1 via 10.8.0.1 dev [NULL] table 0 metric -1
Mon Oct 18 05:26:26 2021 daemon.notice openvpn(MyServer)[2007]: Initialization Sequence Completed

Your routes from the syslog look OK; you can always check them if you log in to the Xiaomi via SSH and run ip ro.


@faser Thanks for your reply and here are the routes:

0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.0.3 dev wan  src 192.168.0.55
xx.yy.zz.ww via 192.168.0.3 dev wan
10.8.0.0/24 dev tun0 scope link  src 10.8.0.16
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.0.0/24 dev wan scope link  src 192.168.0.55
192.168.1.0/24 dev br-lan scope link  src 192.168.1.1

192.168.0.3 is the WAN default gateway
xx.yy.zz.ww is my server IP
192.168.0.55 is the router IP

I can ping 10.8.0.16 (the router's IP when the VPN is connected), but I cannot ping 10.8.0.1.
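The PUSH_REPLY line in the log above and the route table in this post are exactly what a client-side check should be run against, so here is one as an added example (not code from the thread): a POSIX sh script that pulls individual pushed options out of the logread line and then verifies that `redirect-gateway def1` landed correctly in `ip route`. The two things that matter for "connected but no internet" are that both /1 routes point at the pushed route-gateway on the tun device, and that the VPN server's own address keeps a host route via the physical WAN gateway; without that host route the encrypted packets to the server would themselves follow the /1 routes into the tunnel. The function names are mine, and the sample inputs are constructed from the thread with the server address replaced by the documentation address 203.0.113.10.

```shell
#!/bin/sh
# Added example, not from the thread: offline checks over a PUSH_REPLY log
# line and an `ip route` table. On the router:
#   logread  | ./vpncheck.sh push route-gateway
#   ip route | ./vpncheck.sh routes <server-ip> tun0 <route-gateway>

# push_option: print the value of one pushed option ("dhcp-option DNS",
# "route-gateway", "ifconfig", ...) from the last PUSH_REPLY line on stdin.
push_option() {
    sed -n 's/.*PUSH_REPLY,//p' | tail -n 1 | tr -d "'" | tr ',' '\n' \
        | awk -v k="$1" 'index($0, k " ") == 1 { print substr($0, length(k) + 2); exit }'
}

# check_vpn_routes: read `ip route` on stdin. $1 = VPN server public IP,
# $2 = tunnel device, $3 = pushed route-gateway (optional). Prints "ok: ..."
# and returns 0, or the first problem found and returns 1.
check_vpn_routes() {
    awk -v srv="$1" -v tun="${2:-tun0}" -v gw="${3:-}" '
    function field(name,   i) { for (i = 1; i < NF; i++) if ($i == name) return $(i + 1); return "" }
    $1 == "default"              { def_dev = field("dev"); def_via = field("via") }
    $1 == "0.0.0.0/1"            { lo_dev  = field("dev"); lo_via  = field("via") }
    $1 == "128.0.0.0/1"          { hi_dev  = field("dev"); hi_via  = field("via") }
    $1 == srv || $1 == srv "/32" { srv_dev = field("dev"); srv_via = field("via") }
    END {
        if (def_dev == "") { print "no default route: the WAN itself is down"; exit 1 }
        if (lo_dev != tun || hi_dev != tun) { print "redirect-gateway def1 routes missing or not on " tun; exit 1 }
        if (gw != "" && (lo_via != gw || hi_via != gw)) { print "/1 routes point at " lo_via " but the server pushed route-gateway " gw; exit 1 }
        if (srv_dev == "") { print "no host route for " srv ": packets to the server would follow the /1 routes into the tunnel (loop)"; exit 1 }
        if (srv_dev == tun) { print "host route for " srv " goes into " tun ": routing loop"; exit 1 }
        if (srv_dev != def_dev) { print "host route for " srv " uses " srv_dev " but the default route uses " def_dev; exit 1 }
        print "ok: default via " def_via " dev " def_dev ", VPN traffic via " lo_via " dev " tun ", server bypass via " srv_via
        exit 0
    }'
}

# Constructed samples: the PUSH_REPLY line and route table from the thread,
# with the server address replaced by 203.0.113.10 (documentation range).
sample_push() {
    echo "Mon Oct 18 05:26:26 2021 daemon.notice openvpn(MyServer)[2007]: PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 10.8.0.1,redirect-gateway def1 bypass-dhcp,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.16 255.255.255.0,peer-id 3,cipher AES-128-GCM'"
}
sample_routes() {
    cat <<'EOF'
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.0.3 dev wan  src 192.168.0.55
203.0.113.10 via 192.168.0.3 dev wan
10.8.0.0/24 dev tun0 scope link  src 10.8.0.16
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.0.0/24 dev wan scope link  src 192.168.0.55
192.168.1.0/24 dev br-lan scope link  src 192.168.1.1
EOF
}

case "${1:-}" in
    push)   push_option "${2:-dhcp-option DNS}" ;;
    routes) check_vpn_routes "$2" "${3:-tun0}" "${4:-}" ;;
esac
```

Against the constructed sample this reports ok, which matches faser's reading of the routes. If the routing check passes but 10.8.0.1 still does not answer from the router, the route table is not the problem; the next things to look at are the firewall zone that tun0 sits in and the server side. The check says nothing about DNS: whether the router actually uses the pushed `dhcp-option DNS 10.8.0.1` is a separate setting on the interface.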

From the router itself or from a client PC?

I checked both.
Now I changed 'DNS weight' to '0', and I can connect to the internet; my public IP is my VPN server's IP.
But I cannot connect to some websites, including Facebook and Twitter, which are blocked here. However, I can connect to Telegram without any problem!

No help?!

Finally, I could run OpenVPN on the Xiaomi 4A Gigabit!
The problem I mentioned in this topic was solved by changing the internet connection!
