OpenVPN is up and running, I still cannot access some of the sites, IP unchanged

Dear Forum, I've tried to configure ExpressVPN with OpenVPN on OpenWrt 18.06. I followed the instructions exactly in this post https://enterpriseadmins.blogspot.com/2017/08/how-to-setup-expressvpn-using-openvpn.html
Everything went smoothly, and I finally got the message "Initialization sequence completed". I can see that OpenVPN is up and running in the status.

However, when I try to access some of the websites, they are still blocked. My IP is still unchanged.

Am I missing anything here?

Those instructions look incomplete/out-of-date imho. There is likely to be a problem with the firewall configuration.

Someone else may be able to suggest a newer guide for ExpressVPN. Otherwise, refer to OpenWrt Guides for generic openvpn client instructions:
https://openwrt.org/docs/guide-user/start

fwiw, you could try my OpenVPN client setup guide for HH5a. I've never tested it with ExpressVPN, but there's no reason why it should not work if the file paths within the .ovpn file are correct. Reset the router to return OpenWrt settings to defaults before you start!
https://openwrt.ebilan.co.uk/viewtopic.php?f=7&t=279
Works with TP-Link C50v4 and Linksys EA6350v3 on OpenWrt 19.07 snapshot too.

Collect the diagnostics from OpenWrt after establishing the VPN connection:

ip address show; ip route show; ip rule show; iptables-save

Check my manual in the sections on firewall and network configuration. You can also configure a kill switch to prevent traffic leakage. https://airvpn.org/forums/topic/20303-airvpn-configuration-on-openwrt-preventing-traffic-leakage-outside-tunnel/

Here is the info, please help.

IP ADDRESS SHOW
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet 192.168.1.1/32 scope global lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 532
    link/ether 24:f5:a2:c2:3e:58 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::26f5:a2ff:fec2:3e58/64 scope link
       valid_lft forever preferred_lft forever
3: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 532
    link/ether 26:f5:a2:c2:3e:58 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::24f5:a2ff:fec2:3e58/64 scope link
       valid_lft forever preferred_lft forever
5: sit0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1000
    link/sit 0.0.0.0 brd 0.0.0.0
6: ifb0: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN group default qlen 32
    link/ether 3e:14:f1:5b:41:a0 brd ff:ff:ff:ff:ff:ff
7: ifb1: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN group default qlen 32
    link/ether e6:6d:2c:7a:01:8e brd ff:ff:ff:ff:ff:ff
8: gre0@NONE: <NOARP> mtu 1476 qdisc noop state DOWN group default qlen 1000
    link/gre 0.0.0.0 brd 0.0.0.0
9: gretap0@NONE: <BROADCAST,MULTICAST> mtu 1462 qdisc noop state DOWN group default qlen 1000
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
10: erspan0@NONE: <BROADCAST,MULTICAST> mtu 1450 qdisc noop state DOWN group default qlen 1000
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
13: teql0: <NOARP> mtu 1500 qdisc noop state DOWN group default qlen 100
    link/void
14: imq0: <NOARP> mtu 16000 qdisc noop state DOWN group default qlen 11000
    link/void
15: imq1: <NOARP> mtu 16000 qdisc noop state DOWN group default qlen 11000
    link/void
16: mlan0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 24:f5:a2:c2:3e:5b brd ff:ff:ff:ff:ff:ff
17: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 26:f5:a2:c2:3e:58 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 2001:f40:909:fb8b::1/64 scope global dynamic noprefixroute
       valid_lft 208911sec preferred_lft 122511sec
    inet6 fdc8:744:71b2::1/60 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fe80::24f5:a2ff:fec2:3e58/64 scope link
       valid_lft forever preferred_lft forever
18: eth0.1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP group default qlen 1000
    link/ether 26:f5:a2:c2:3e:58 brd ff:ff:ff:ff:ff:ff
19: eth1.2@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 24:f5:a2:c2:3e:58 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::26f5:a2ff:fec2:3e58/64 scope link
       valid_lft forever preferred_lft forever
21: pppoe-wan: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc fq_codel state UNKNOWN group default qlen 3
    link/ppp
    inet 202.187.141.233 peer 202.187.128.1/32 scope global pppoe-wan
       valid_lft forever preferred_lft forever
    inet6 2001:f40:918::7717/128 scope global dynamic noprefixroute
       valid_lft 208911sec preferred_lft 122511sec
    inet6 fe80::1d77:5975:b189:1b89/10 scope link
       valid_lft forever preferred_lft forever
26: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br-lan state UP group default qlen 1000
    link/ether 24:f5:a2:c2:3e:5a brd ff:ff:ff:ff:ff:ff
    inet6 fe80::26f5:a2ff:fec2:3e5a/64 scope link
       valid_lft forever preferred_lft forever
27: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br-lan state UP group default qlen 1000
    link/ether 24:f5:a2:c2:3e:59 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::26f5:a2ff:fec2:3e59/64 scope link
       valid_lft forever preferred_lft forever
36: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
    link/none
    inet 10.123.0.46 peer 10.123.0.45/32 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::a7d3:630c:f867:e565/64 scope link stable-privacy
       valid_lft forever preferred_lft forever

IP ROUTE SHOW

0.0.0.0/1 via 10.123.0.45 dev tun0
default via 202.187.128.1 dev pppoe-wan proto static
10.123.0.1 via 10.123.0.45 dev tun0
10.123.0.45 dev tun0 proto kernel scope link src 10.123.0.46
45.56.152.72 via 202.187.128.1 dev pppoe-wan
128.0.0.0/1 via 10.123.0.45 dev tun0
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
202.187.128.1 dev pppoe-wan proto kernel scope link src 202.187.141.233

IP RULE SHOW

0:      from all lookup local
1001:   from all iif pppoe-wan lookup main
2001:   from all fwmark 0x100/0x3f00 lookup 1
2061:   from all fwmark 0x3d00/0x3f00 blackhole
2062:   from all fwmark 0x3e00/0x3f00 unreachable
32766:  from all lookup main
32767:  from all lookup default

IPTABLES-SAVE
# Generated by iptables-save v1.6.2 on Fri Aug 30 08:28:28 2019
*nat
:PREROUTING ACCEPT [29:1886]
:INPUT ACCEPT [29:1886]
:OUTPUT ACCEPT [117:10016]
:POSTROUTING ACCEPT [3:440]
:MINIUPNPD - [0:0]
:MINIUPNPD-POSTROUTING - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
-A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -i eth1.2 -m comment --comment "!fw3" -j zone_wan_prerouting
-A PREROUTING -i tun0 -m comment --comment "!fw3" -j zone_wan_prerouting
-A PREROUTING -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_prerouting
-A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
-A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o eth1.2 -m comment --comment "!fw3" -j zone_wan_postrouting
-A POSTROUTING -o tun0 -m comment --comment "!fw3" -j zone_wan_postrouting
-A POSTROUTING -o pppoe-wan -m comment --comment "!fw3" -j zone_wan_postrouting
-A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
-A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.107/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: HTTPS (reflection)" -j SNAT --to-source 192.168.1.1
-A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.107/32 -p udp -m udp --dport 443 -m comment --comment "!fw3: HTTPS (reflection)" -j SNAT --to-source 192.168.1.1
-A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.1/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: Forward446 (reflection)" -j SNAT --to-source 192.168.1.1
-A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.1/32 -p udp -m udp --dport 80 -m comment --comment "!fw3: Forward446 (reflection)" -j SNAT --to-source 192.168.1.1
-A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.201/32 -p tcp -m tcp --dport 3389 -m comment --comment "!fw3: Forward447 (reflection)" -j SNAT --to-source 192.168.1.1
-A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.201/32 -p udp -m udp --dport 3389 -m comment --comment "!fw3: Forward447 (reflection)" -j SNAT --to-source 192.168.1.1
-A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
-A zone_lan_prerouting -s 192.168.1.0/24 -d 202.187.141.233/32 -p tcp -m tcp --dport 445 -m comment --comment "!fw3: HTTPS (reflection)" -j DNAT --to-destination 192.168.1.107:443
-A zone_lan_prerouting -s 192.168.1.0/24 -d 202.187.141.233/32 -p udp -m udp --dport 445 -m comment --comment "!fw3: HTTPS (reflection)" -j DNAT --to-destination 192.168.1.107:443
-A zone_lan_prerouting -s 192.168.1.0/24 -d 202.187.141.233/32 -p tcp -m tcp --dport 446 -m comment --comment "!fw3: Forward446 (reflection)" -j DNAT --to-destination 192.168.1.1:80
-A zone_lan_prerouting -s 192.168.1.0/24 -d 202.187.141.233/32 -p udp -m udp --dport 446 -m comment --comment "!fw3: Forward446 (reflection)" -j DNAT --to-destination 192.168.1.1:80
-A zone_lan_prerouting -s 192.168.1.0/24 -d 202.187.141.233/32 -p tcp -m tcp --dport 447 -m comment --comment "!fw3: Forward447 (reflection)" -j DNAT --to-destination 192.168.1.201:3389
-A zone_lan_prerouting -s 192.168.1.0/24 -d 202.187.141.233/32 -p udp -m udp --dport 447 -m comment --comment "!fw3: Forward447 (reflection)" -j DNAT --to-destination 192.168.1.201:3389
-A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
-A zone_wan_postrouting -j MINIUPNPD-POSTROUTING
-A zone_wan_postrouting -j MINIUPNPD-POSTROUTING
-A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
-A zone_wan_prerouting -p tcp -m tcp --dport 445 -m comment --comment "!fw3: HTTPS" -j DNAT --to-destination 192.168.1.107:443
-A zone_wan_prerouting -p udp -m udp --dport 445 -m comment --comment "!fw3: HTTPS" -j DNAT --to-destination 192.168.1.107:443
-A zone_wan_prerouting -p tcp -m tcp --dport 446 -m comment --comment "!fw3: Forward446" -j DNAT --to-destination 192.168.1.1:80
-A zone_wan_prerouting -p udp -m udp --dport 446 -m comment --comment "!fw3: Forward446" -j DNAT --to-destination 192.168.1.1:80
-A zone_wan_prerouting -p tcp -m tcp --dport 447 -m comment --comment "!fw3: Forward447" -j DNAT --to-destination 192.168.1.201:3389
-A zone_wan_prerouting -p udp -m udp --dport 447 -m comment --comment "!fw3: Forward447" -j DNAT --to-destination 192.168.1.201:3389
-A zone_wan_prerouting -j MINIUPNPD
-A zone_wan_prerouting -j MINIUPNPD
COMMIT
# Completed on Fri Aug 30 08:28:28 2019
# Generated by iptables-save v1.6.2 on Fri Aug 30 08:28:28 2019
*mangle
:PREROUTING ACCEPT [2907:243870]
:INPUT ACCEPT [2874:234186]
:FORWARD ACCEPT [33:9684]
:OUTPUT ACCEPT [3083:406337]
:POSTROUTING ACCEPT [3132:416477]
:mwan3_connected - [0:0]
:mwan3_hook - [0:0]
:mwan3_iface_in_wan - [0:0]
:mwan3_iface_out_wan - [0:0]
:mwan3_ifaces_in - [0:0]
:mwan3_ifaces_out - [0:0]
:mwan3_policy_balanced - [0:0]
:mwan3_policy_wan_only - [0:0]
:mwan3_policy_wan_wanb - [0:0]
:mwan3_policy_wanb_only - [0:0]
:mwan3_policy_wanb_wan - [0:0]
:mwan3_rule_https - [0:0]
:mwan3_rules - [0:0]
-A PREROUTING -j mwan3_hook
-A FORWARD -o eth1.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o tun0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o pppoe-wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A OUTPUT -j mwan3_hook
-A mwan3_connected -m set --match-set mwan3_connected dst -j MARK --set-xmark 0x3f00/0x3f00
-A mwan3_hook -j CONNMARK --restore-mark --nfmask 0x3f00 --ctmask 0x3f00
-A mwan3_hook -m mark --mark 0x0/0x3f00 -j mwan3_ifaces_in
-A mwan3_hook -m mark --mark 0x0/0x3f00 -j mwan3_connected
-A mwan3_hook -m mark --mark 0x0/0x3f00 -j mwan3_ifaces_out
-A mwan3_hook -m mark --mark 0x0/0x3f00 -j mwan3_rules
-A mwan3_hook -j CONNMARK --save-mark --nfmask 0x3f00 --ctmask 0x3f00
-A mwan3_hook -m mark ! --mark 0x3f00/0x3f00 -j mwan3_connected
-A mwan3_iface_in_wan -i pppoe-wan -m set --match-set mwan3_connected src -m mark --mark 0x0/0x3f00 -m comment --comment default -j MARK --set-xmark 0x3f00/0x3f00
-A mwan3_iface_in_wan -i pppoe-wan -m mark --mark 0x0/0x3f00 -m comment --comment wan -j MARK --set-xmark 0x100/0x3f00
-A mwan3_iface_out_wan -o pppoe-wan -m mark --mark 0x0/0x3f00 -m comment --comment wan -j MARK --set-xmark 0x100/0x3f00
-A mwan3_ifaces_in -m mark --mark 0x0/0x3f00 -j mwan3_iface_in_wan
-A mwan3_ifaces_out -m mark --mark 0x0/0x3f00 -j mwan3_iface_out_wan
-A mwan3_policy_balanced -m mark --mark 0x0/0x3f00 -m comment --comment "wan 3 3" -j MARK --set-xmark 0x100/0x3f00
-A mwan3_policy_wan_only -m mark --mark 0x0/0x3f00 -m comment --comment "wan 3 3" -j MARK --set-xmark 0x100/0x3f00
-A mwan3_policy_wan_wanb -m mark --mark 0x0/0x3f00 -m comment --comment "wan 3 3" -j MARK --set-xmark 0x100/0x3f00
-A mwan3_policy_wanb_only -m mark --mark 0x0/0x3f00 -m comment --comment unreachable -j MARK --set-xmark 0x3e00/0x3f00
-A mwan3_policy_wanb_wan -m mark --mark 0x0/0x3f00 -m comment --comment "wan 3 3" -j MARK --set-xmark 0x100/0x3f00
-A mwan3_rule_https -m mark --mark 0x0/0x3f00 -j MARK --set-xmark 0x100/0x3f00
-A mwan3_rule_https -m mark --mark 0x100/0x3f00 -m set ! --match-set mwan3_sticky_https src,src -j MARK --set-xmark 0x0/0x3f00
-A mwan3_rule_https -m mark --mark 0x0/0x3f00 -j mwan3_policy_balanced
-A mwan3_rule_https -m mark ! --mark 0xfc00/0xfc00 -j SET --del-set mwan3_sticky_https src,src
-A mwan3_rule_https -m mark ! --mark 0xfc00/0xfc00 -j SET --add-set mwan3_sticky_https src,src
-A mwan3_rules -p tcp -m multiport --sports 0:65535 -m multiport --dports 443 -m mark --mark 0x0/0x3f00 -m comment --comment https -j mwan3_rule_https
-A mwan3_rules -m mark --mark 0x0/0x3f00 -m comment --comment default_rule -j mwan3_policy_balanced
COMMIT
# Completed on Fri Aug 30 08:28:28 2019
# Generated by iptables-save v1.6.2 on Fri Aug 30 08:28:28 2019
*filter
:INPUT ACCEPT [13:937]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:MINIUPNPD - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_ACCEPT - [0:0]
-A INPUT -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i eth1.2 -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i tun0 -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_input
-A FORWARD -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A FORWARD -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i eth1.2 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i tun0 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -m comment --comment "!fw3" -j reject
-A OUTPUT -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o eth1.2 -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o tun0 -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o pppoe-wan -m comment --comment "!fw3" -j zone_wan_output
-A forwarding_rule -i ppp+ -j ACCEPT
-A forwarding_rule -o ppp+ -j ACCEPT
-A forwarding_rule -i ppp+ -j ACCEPT
-A forwarding_rule -o ppp+ -j ACCEPT
-A forwarding_rule -i ppp+ -j ACCEPT
-A forwarding_rule -o ppp+ -j ACCEPT
-A forwarding_rule -i ppp+ -j ACCEPT
-A forwarding_rule -o ppp+ -j ACCEPT
-A forwarding_rule -i ppp+ -j ACCEPT
-A forwarding_rule -o ppp+ -j ACCEPT
-A forwarding_rule -i ppp+ -j ACCEPT
-A forwarding_rule -o ppp+ -j ACCEPT
-A forwarding_rule -i ppp+ -j ACCEPT
-A forwarding_rule -o ppp+ -j ACCEPT
-A forwarding_rule -i ppp+ -j ACCEPT
-A forwarding_rule -o ppp+ -j ACCEPT
-A forwarding_rule -i ppp+ -j ACCEPT
-A forwarding_rule -o ppp+ -j ACCEPT
-A forwarding_rule -i ppp+ -j ACCEPT
-A forwarding_rule -o ppp+ -j ACCEPT
-A forwarding_rule -i ppp+ -j ACCEPT
-A forwarding_rule -o ppp+ -j ACCEPT
-A forwarding_rule -i ppp+ -j ACCEPT
-A forwarding_rule -o ppp+ -j ACCEPT
-A forwarding_rule -i ppp+ -j ACCEPT
-A forwarding_rule -o ppp+ -j ACCEPT
-A forwarding_rule -i ppp+ -j ACCEPT
-A forwarding_rule -o ppp+ -j ACCEPT
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
-A syn_flood -m comment --comment "!fw3" -j DROP
-A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
-A zone_lan_input -p igmp -m comment --comment "!fw3: ubus:igmpproxy[instance1] rule 2" -j ACCEPT
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o eth1.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o eth1.2 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o tun0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o tun0 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o pppoe-wan -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o pppoe-wan -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
-A zone_wan_forward -d 224.0.0.0/4 -p udp -m comment --comment "!fw3: ubus:igmpproxy[instance1] rule 1" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m comment --comment "!fw3: Zone wan to lan forwarding policy" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_wan_forward -j MINIUPNPD
-A zone_wan_forward -j MINIUPNPD
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
-A zone_wan_input -p igmp -m comment --comment "!fw3: ubus:igmpproxy[instance1] rule 0" -j ACCEPT
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
-A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
-A zone_wan_input -p tcp -m tcp --dport 1723 -m comment --comment "!fw3: pptp" -j ACCEPT
-A zone_wan_input -p gre -m comment --comment "!fw3: gre" -j ACCEPT
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_ACCEPT
-A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_src_ACCEPT -i eth1.2 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_src_ACCEPT -i tun0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_src_ACCEPT -i pppoe-wan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
COMMIT
# Completed on Fri Aug 30 08:28:28 2019

thanks, will try that

Your ISP provides dual stack.

To prevent IPv6 traffic leak, you have the following options:

  • Redirect both IPv4 and IPv6.
    • Requires your VPN provider to support IPv6.
  • Disable IPv6.

Also make sure you have no DNS leak.

https://openwrt.org/docs/guide-user/services/vpn/openvpn/client
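As an added example (my own code, not from the thread or from any of the linked guides), the following Python script reads the text output of the three `ip` commands requested earlier and reports whether the tunnel actually carries the default route, which policy rules are consulted before the main table, and which interfaces hold a global IPv6 address while the tunnel has none, which is the dual-stack leak just described. The sample data is trimmed from the diagnostics posted above in this thread; the function names are assumptions of mine.

```python
import re

# Sample data: trimmed copies of the `ip route show`, `ip rule show` and
# `ip address show` output posted earlier in this thread.
ROUTES = """\
0.0.0.0/1 via 10.123.0.45 dev tun0
default via 202.187.128.1 dev pppoe-wan proto static
10.123.0.1 via 10.123.0.45 dev tun0
128.0.0.0/1 via 10.123.0.45 dev tun0
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
"""
RULES = """\
0:      from all lookup local
1001:   from all iif pppoe-wan lookup main
2001:   from all fwmark 0x100/0x3f00 lookup 1
32766:  from all lookup main
32767:  from all lookup default
"""
ADDRS = """\
17: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
    inet6 2001:f40:909:fb8b::1/64 scope global dynamic noprefixroute
21: pppoe-wan: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc fq_codel state UNKNOWN
    inet 202.187.141.233 peer 202.187.128.1/32 scope global pppoe-wan
    inet6 2001:f40:918::7717/128 scope global dynamic noprefixroute
36: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN
    inet 10.123.0.46 peer 10.123.0.45/32 scope global tun0
    inet6 fe80::a7d3:630c:f867:e565/64 scope link stable-privacy
"""


def tunnel_default_route(routes, tun="tun0"):
    """Return 'def1', 'default' or None depending on how the main table sends
    default traffic into the tunnel.  OpenVPN's `redirect-gateway def1` adds
    0.0.0.0/1 and 128.0.0.0/1 via the tunnel; both are more specific than the
    ISP's 0.0.0.0/0, so they win without the original default being removed."""
    halves, plain_default = set(), False
    for line in routes.splitlines():
        fields = line.split()
        if "dev" not in fields or fields[fields.index("dev") + 1] != tun:
            continue
        if fields[0] in ("0.0.0.0/1", "128.0.0.0/1"):
            halves.add(fields[0])
        elif fields[0] == "default":
            plain_default = True
    if halves == {"0.0.0.0/1", "128.0.0.0/1"}:
        return "def1"
    return "default" if plain_default else None


def rules_before_main(rules):
    """Policy rules with a higher priority (lower number) than 'from all lookup
    main' that send traffic to another table, a blackhole or unreachable.
    A tunnel route that exists only in the main table is never seen by packets
    matched by such a rule (mwan3's fwmark rules are a typical case)."""
    parsed, main_prio = [], 32766   # 32766 is the kernel default for the main rule
    for line in rules.splitlines():
        m = re.match(r"(\d+):\s+(.*\S)", line)
        if not m:
            continue
        prio, body = int(m.group(1)), m.group(2)
        if body == "from all lookup main":
            main_prio = prio
        parsed.append((prio, body))
    return [(p, b) for p, b in parsed
            if p < main_prio and not b.endswith(("lookup main", "lookup local"))]


def ipv6_leak_candidates(addrs, tun="tun0"):
    """Interfaces with a global IPv6 address when the tunnel has none: IPv6
    traffic from such a dual-stack setup leaves via the ISP, not the VPN."""
    global6, iface = {}, None
    for line in addrs.splitlines():
        m = re.match(r"\d+: ([^:@]+)", line)
        if m:
            iface = m.group(1)
            global6.setdefault(iface, [])
        elif iface and line.strip().startswith("inet6") and "scope global" in line:
            global6[iface].append(line.split()[1])
    if global6.get(tun):
        return []
    return sorted(i for i, a in global6.items() if a)


def report(routes=ROUTES, rules=RULES, addrs=ADDRS, tun="tun0"):
    """Collect findings; an empty list means the tunnel looks like the only path."""
    findings = []
    if tunnel_default_route(routes, tun) is None:
        findings.append(f"no default route via {tun}: traffic still uses the ISP gateway")
    for prio, body in rules_before_main(rules):
        findings.append(f"rule {prio} ({body}) is consulted before main; "
                        f"inspect that table with `ip route show table <id>`")
    for dev in ipv6_leak_candidates(addrs, tun):
        findings.append(f"{dev} has a global IPv6 address but {tun} has none: IPv6 bypasses the VPN")
    return findings


if __name__ == "__main__":
    for finding in report():
        print("-", finding)
```

On the posted data the IPv4 default is correctly covered by the def1 pair, but the script still flags the fwmark rule at priority 2001 and the global IPv6 addresses on br-lan and pppoe-wan.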

Thanks vgaetera, and sorry for the late reply. I've only recently got some time to retry the config. With my old configuration, I took your advice and disabled the WAN6 channel, after which I lost the internet connection. OpenVPN is up and running; there must be something wrong with the interface and firewall settings.

Tried your firewall and interface settings with HH5a, but in the firewall "zone forwardings" section I cannot select "VPN_FW" as the "allow forward to destination zones"; even when I select it, somehow it cannot be saved. So it's showing lan ---> Reject. This way, whether or not the OpenVPN service is up and running, I did not have an internet connection at all.

What router are you using?

Did you reset OpenWrt (LuCI -> System -> Backup/Flash Firmware -> Perform Reset), and then follow all the steps as instructed in my guide, or are you trying to modify your earlier OpenVPN client installation using portions of my guide?

Perhaps you can upload the contents of the /etc/config/firewall configuration file?

Hi Bill,
Thanks for the reply. I did reset and followed the instructions, but still the VPN is up and running with no internet. Something must be wrong with the firewall setup. Here is the config for your reference.

config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'

config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan'
list device 'eth0'

config zone
option name 'wan'
option output 'ACCEPT'
option masq '1'
option mtu_fix '1'
option input 'REJECT'
option forward 'REJECT'
option network 'wan6 wan'

config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'

config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'

config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'

config include
option path '/etc/firewall.user'

config include 'miniupnpd'
option type 'script'
option path '/usr/share/miniupnpd/firewall.include'
option family 'any'
option reload '1'

config include 'bcp38'
option type 'script'
option path '/usr/lib/bcp38/run.sh'
option family 'IPv4'
option reload '1'

config redirect
option target 'DNAT'
option name 'Router'
option proto 'tcp udp'
option src 'wan'
option dest 'lan'
option dest_ip '192.168.1.1'
option dest_port '443'
option src_dport '555'

config redirect
option target 'DNAT'
option name 'ESXi'
option proto 'tcp udp'
option src 'wan'
option src_dport '666'
option dest 'lan'
option dest_ip '192.168.1.106'
option dest_port '443'

config redirect
option target 'DNAT'
option name 'Remote windows desktop'
option proto 'tcp udp'
option src 'wan'
option src_dport '777'
option dest 'lan'
option dest_ip '192.168.1.201'
option dest_port '3389'

config redirect
option target 'DNAT'
option proto 'tcp udp'
option src 'wan'
option dest 'lan'
option name 'Web HTTP'
option dest_ip '192.168.1.214'
option src_dport '80'
option dest_port '80'

config redirect
option target 'DNAT'
option proto 'tcp udp'
option src 'wan'
option dest 'lan'
option dest_port '443'
option name 'Web HTTPS'
option dest_ip '192.168.1.214'
option src_dport '443'

config forwarding
option src 'lan'
option dest 'wan'

config redirect
option target 'DNAT'
option proto 'tcp udp'
option src 'wan'
option src_dport '999'
option dest 'lan'
option dest_ip '192.168.1.159'
option dest_port '5000'
option name 'DSM_621'

config redirect
option target 'DNAT'
option proto 'tcp udp'
option src 'wan'
option dest 'lan'
option dest_port '5901'
option name 'Centos RD'
option src_dport '5901'
option dest_ip '192.168.1.214'

config redirect
option target 'DNAT'
option name 'Debian RD'
option proto 'tcp udp'
option src 'wan'
option src_dport '5902'
option dest 'lan'
option dest_ip '192.168.1.144'
option dest_port '5901'

config redirect
option target 'DNAT'
option name 'Ubuntu'
option proto 'tcp udp'
option src 'wan'
option dest 'lan'
option src_dport '5903'
option dest_port '5901'
option dest_ip '192.168.1.210'

config redirect
option target 'DNAT'
option name 'MintLinux'
option proto 'tcp udp'
option src 'wan'
option src_dport '5904'
option dest 'lan'
option dest_port '5900'
option dest_ip '192.168.1.195'

config redirect
option target 'DNAT'
option name 'ClearOS'
option proto 'tcp udp'
option src 'wan'
option src_dport '5905'
option dest 'lan'
option dest_port '81'
option dest_ip '192.168.1.172'

config redirect
option target 'DNAT'
option name 'SSH'
option proto 'tcp udp'
option src 'wan'
option src_dport '22'
option dest 'lan'
option dest_ip '192.168.1.1'
option dest_port '22'

config forwarding
option dest 'wan'

config forwarding
option dest 'wan'

config forwarding
option dest 'wan'

config zone
option name 'zerotier'
option input 'ACCEPT'
option output 'ACCEPT'
option network 'Zerotier'
option forward 'ACCEPT'

config forwarding
option src 'zerotier'
option dest 'wan'

config redirect
option target 'DNAT'
option name 'ESXi SSH'
option proto 'tcp udp'
option src 'wan'
option src_dport '23'
option dest 'lan'
option dest_ip '192.168.1.106'
option dest_port '22'

config rule
option name 'FTP'
option proto 'tcp udp'
option src 'wan'
option target 'ACCEPT'
option dest_port '10060-10090'

config rule
option proto 'tcp udp'
option src 'wan'
option src_port '21'
option target 'ACCEPT'

config redirect
option target 'DNAT'
option name 'Transmission'
option proto 'tcp udp'
option src 'wan'
option dest 'lan'
option dest_ip '192.168.1.1'
option src_dport '9091'
option dest_port '9091'

config redirect
option target 'DNAT'
option name 'FTP'
option proto 'tcp udp'
option src 'wan'
option src_dport '21'
option dest 'lan'
option dest_ip '192.168.1.1'
option dest_port '21'

config redirect
option target 'DNAT'
option name 'FTP passive'
option proto 'tcp udp'
option src 'wan'
option dest 'lan'
option dest_ip '192.168.1.1'
option dest_port '10060-10090'
option src_dport '10060-10090'

config redirect
option target 'DNAT'
option name 'DSM FTP'
option proto 'tcp udp'
option src 'wan'
option dest 'lan'
option dest_ip '192.168.1.159'
option dest_port '21'
option src_dport '23'

config zone
option name 'tun0'
option input 'ACCEPT'
option forward 'REJECT'
option output 'ACCEPT'
option network 'expressvpn'

config forwarding
option src 'lan'
option dest 'tun0'

At first glance, there are errors in your firewall config.

What is the name of your VPN firewall zone? I use 'VPN_FW' in my guide v1.1. But your firewall config file suggests you have named it 'tun0' ?

I don't think you followed my guide correctly in the light of these errors.

You can try fixing these errors I found:


config forwarding    # Remove it if you require a Kill Switch.
option src 'lan'
option dest 'wan'

config forwarding    # These lines should not exist
option dest 'wan'

config forwarding    # These lines should not exist
option dest 'wan'

config forwarding    # These lines should not exist
option dest 'wan'

config forwarding    # assumed to be valid
option src 'lan'
option dest 'tun0'   # Is this your VPN firewall zone name ?

If you still have problems after correcting the above errors, can I suggest you reset the router and try again from the beginning.

Perhaps set it up to connect to the free vpn provider vpnbook and follow instructions exactly in the guide v1.1, using same interface and zone names to see if you can get it working with this provider first.

Once you are successful, you can then modify it for ExpressVPN.

What router and what version of 18.06 are you using?

(There is also a new v1.2 guide for OpenWrt 19.07. ovpn files can be uploaded using LuCI)

Update: I'm no expert, but naming your firewall zone as 'tun0' may create problems because it is also the name of an interface !

It doesn't.


Make sure you override ISP DNS:
https://openwrt.org/docs/guide-user/base-system/dhcp_configuration#dns_provider


Following @vgaetera tip, I've amended my guides to check the DNS resolvers are working.

i.e. Ping a known address such as 8.8.8.8 to see if there is connectivity through the VPN from an attached computer.


tried that, still no internet access

Thanks, kill, for keeping this post alive. This is what I did tonight on a Linksys WRT3200ACM on the David502 build (4.19.69-OpenWrt SNAPSHOT r10899-1c0290c5cc / LuCI Master (git-19.241.65047-dffe9ca)):

  1. corrected the errors in the firewall file as you mentioned
  2. disabled WAN6
  3. added extra DNS by using
    uci add_list dhcp.lan.dhcp_option='6,8.8.8.8,8.8.4.4'
    uci commit

Then I started OpenVPN; again the VPN is up and running like a charm, but there is no internet connection at all. I can see that "tun0" is sending and receiving data.

root@OpenWrt:~# openvpn --cd /etc/openvpn --config /etc/openvpn/my_expressvpn_hong_kong_-_2_udp.ovpn
Thu Sep 19 22:25:15 2019 WARNING: --keysize is DEPRECATED and will be removed in OpenVPN 2.6
Thu Sep 19 22:25:15 2019 OpenVPN 2.4.7 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Thu Sep 19 22:25:15 2019 library versions: OpenSSL 1.1.1c 28 May 2019, LZO 2.10
Thu Sep 19 22:25:15 2019 WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
Thu Sep 19 22:25:15 2019 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Thu Sep 19 22:25:15 2019 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Thu Sep 19 22:25:15 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]45.56.152.81:1195
Thu Sep 19 22:25:15 2019 Socket Buffers: R=[163840->1048576] S=[163840->1048576]
Thu Sep 19 22:25:15 2019 UDP link local: (not bound)
Thu Sep 19 22:25:15 2019 UDP link remote: [AF_INET]45.56.152.81:1195
Thu Sep 19 22:25:15 2019 TLS: Initial packet from [AF_INET]45.56.152.81:1195, sid=ead074ab 91eaa9c9
Thu Sep 19 22:25:15 2019 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Thu Sep 19 22:25:15 2019 VERIFY OK: depth=1, C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=ExpressVPN CA, emailAddress=support@expressvpn.com
Thu Sep 19 22:25:15 2019 VERIFY OK: nsCertType=SERVER
Thu Sep 19 22:25:15 2019 VERIFY X509NAME OK: C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=Server-990-2a, emailAddress=support@expressvpn.com
Thu Sep 19 22:25:15 2019 VERIFY OK: depth=0, C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=Server-990-2a, emailAddress=support@expressvpn.com
Thu Sep 19 22:25:15 2019 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Thu Sep 19 22:25:15 2019 [Server-990-2a] Peer Connection Initiated with [AF_INET]45.56.152.81:1195
Thu Sep 19 22:25:16 2019 SENT CONTROL [Server-990-2a]: 'PUSH_REQUEST' (status=1)
Thu Sep 19 22:25:16 2019 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.55.0.1,comp-lzo no,route 10.55.0.1,topology net30,ping 10,ping-restart 60,ifconfig 10.55.0.50 10.55.0.49,peer-id 6,cipher AES-256-GCM'
Thu Sep 19 22:25:16 2019 OPTIONS IMPORT: timers and/or timeouts modified
Thu Sep 19 22:25:16 2019 OPTIONS IMPORT: compression parms modified
Thu Sep 19 22:25:16 2019 OPTIONS IMPORT: --ifconfig/up options modified
Thu Sep 19 22:25:16 2019 OPTIONS IMPORT: route options modified
Thu Sep 19 22:25:16 2019 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Thu Sep 19 22:25:16 2019 OPTIONS IMPORT: peer-id set
Thu Sep 19 22:25:16 2019 OPTIONS IMPORT: adjusting link_mtu to 1629
Thu Sep 19 22:25:16 2019 OPTIONS IMPORT: data channel crypto options modified
Thu Sep 19 22:25:16 2019 Data Channel: using negotiated cipher 'AES-256-GCM'
Thu Sep 19 22:25:16 2019 NCP: overriding user-set keysize with default
Thu Sep 19 22:25:16 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Sep 19 22:25:16 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Sep 19 22:25:16 2019 TUN/TAP device tun0 opened
Thu Sep 19 22:25:16 2019 TUN/TAP TX queue length set to 100
Thu Sep 19 22:25:16 2019 /sbin/ifconfig tun0 10.55.0.50 pointopoint 10.55.0.49 mtu 1500
Thu Sep 19 22:25:18 2019 /sbin/route add -net 45.56.152.81 netmask 255.255.255.255 gw 202.187.160.1
Thu Sep 19 22:25:18 2019 /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.55.0.49
Thu Sep 19 22:25:18 2019 /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.55.0.49
Thu Sep 19 22:25:18 2019 /sbin/route add -net 10.55.0.1 netmask 255.255.255.255 gw 10.55.0.49
Thu Sep 19 22:25:18 2019 Initialization Sequence Completed

my firewall configuration is like this

config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'

config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan'
list device 'eth0'

config zone
option name 'wan'
option output 'ACCEPT'
option masq '1'
option mtu_fix '1'
option input 'REJECT'
option forward 'REJECT'
option network 'wan6 wan'

config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'

config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'

config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'

config include
option path '/etc/firewall.user'

config include 'miniupnpd'
option type 'script'
option path '/usr/share/miniupnpd/firewall.include'
option family 'any'
option reload '1'

config include 'bcp38'
option type 'script'
option path '/usr/lib/bcp38/run.sh'
option family 'IPv4'
option reload '1'

config redirect
option target 'DNAT'
option name 'Router'
option proto 'tcp udp'
option src 'wan'
option dest 'lan'
option dest_ip '192.168.1.1'
option dest_port '443'
option src_dport '555'

config redirect
option target 'DNAT'
option name 'ESXi'
option proto 'tcp udp'
option src 'wan'
option src_dport '666'
option dest 'lan'
option dest_ip '192.168.1.106'
option dest_port '443'

config redirect
option target 'DNAT'
option name 'Remote windows desktop'
option proto 'tcp udp'
option src 'wan'
option src_dport '777'
option dest 'lan'
option dest_ip '192.168.1.201'
option dest_port '3389'

config redirect
option target 'DNAT'
option proto 'tcp udp'
option src 'wan'
option dest 'lan'
option name 'Web HTTP'
option dest_ip '192.168.1.214'
option src_dport '80'
option dest_port '80'

config redirect
option target 'DNAT'
option proto 'tcp udp'
option src 'wan'
option dest 'lan'
option dest_port '443'
option name 'Web HTTPS'
option dest_ip '192.168.1.214'
option src_dport '443'

config redirect
option target 'DNAT'
option proto 'tcp udp'
option src 'wan'
option src_dport '999'
option dest 'lan'
option dest_ip '192.168.1.159'
option dest_port '5000'
option name 'DSM_621'

config redirect
option target 'DNAT'
option proto 'tcp udp'
option src 'wan'
option dest 'lan'
option dest_port '5901'
option name 'Centos RD'
option src_dport '5901'
option dest_ip '192.168.1.214'

config redirect
option target 'DNAT'
option name 'Debian RD'
option proto 'tcp udp'
option src 'wan'
option src_dport '5902'
option dest 'lan'
option dest_ip '192.168.1.144'
option dest_port '5901'

config redirect
option target 'DNAT'
option name 'Ubuntu'
option proto 'tcp udp'
option src 'wan'
option dest 'lan'
option src_dport '5903'
option dest_port '5901'
option dest_ip '192.168.1.210'

config redirect
option target 'DNAT'
option name 'MintLinux'
option proto 'tcp udp'
option src 'wan'
option src_dport '5904'
option dest 'lan'
option dest_port '5900'
option dest_ip '192.168.1.195'

config redirect
option target 'DNAT'
option name 'ClearOS'
option proto 'tcp udp'
option src 'wan'
option src_dport '5905'
option dest 'lan'
option dest_port '81'
option dest_ip '192.168.1.172'

config redirect
option target 'DNAT'
option name 'SSH'
option proto 'tcp udp'
option src 'wan'
option src_dport '22'
option dest 'lan'
option dest_ip '192.168.1.1'
option dest_port '22'

config zone
option name 'zerotier'
option input 'ACCEPT'
option output 'ACCEPT'
option network 'Zerotier'
option forward 'ACCEPT'

config forwarding
option src 'zerotier'
option dest 'wan'

config redirect
option target 'DNAT'
option name 'ESXi SSH'
option proto 'tcp udp'
option src 'wan'
option src_dport '23'
option dest 'lan'
option dest_ip '192.168.1.106'
option dest_port '22'

config rule
option name 'FTP'
option proto 'tcp udp'
option src 'wan'
option target 'ACCEPT'
option dest_port '10060-10090'

config rule
option proto 'tcp udp'
option src 'wan'
option src_port '21'
option target 'ACCEPT'

config redirect
option target 'DNAT'
option name 'Transmission'
option proto 'tcp udp'
option src 'wan'
option dest 'lan'
option dest_ip '192.168.1.1'
option src_dport '9091'
option dest_port '9091'

config redirect
option target 'DNAT'
option name 'FTP'
option proto 'tcp udp'
option src 'wan'
option src_dport '21'
option dest 'lan'
option dest_ip '192.168.1.1'
option dest_port '21'

config redirect
option target 'DNAT'
option name 'FTP passive'
option proto 'tcp udp'
option src 'wan'
option dest 'lan'
option dest_ip '192.168.1.1'
option dest_port '10060-10090'
option src_dport '10060-10090'

config redirect
option target 'DNAT'
option name 'DSM FTP'
option proto 'tcp udp'
option src 'wan'
option dest 'lan'
option dest_ip '192.168.1.159'
option dest_port '21'
option src_dport '24'

config forwarding
option src 'lan'
option dest 'wan'

config redirect
option target 'DNAT'
option name 'DSM FTP Passive'
option proto 'tcp udp'
option src 'wan'
option src_dport '55536-56559'
option dest 'lan'
option dest_ip '192.168.1.159'
option dest_port '55536-56559'

config zone
option name 'expressvpn'
option input 'ACCEPT'
option forward 'REJECT'
option output 'ACCEPT'
option network 'expressvpn'

config forwarding
option src 'lan'
option dest 'expressvpn'

fwiw, you failed to remove:

I also observe your vpn firewall zone settings don't match what is instructed in my guide.


Corrected Expressvpn firewall zone:

config zone
	option name 'expressvpn'
	option input 'REJECT'		# was 'ACCEPT'
	option forward 'REJECT'
	option output 'ACCEPT'
	option masq '1'			# add
	option mtu_fix '1'		# add
	option network 'expressvpn'

After ticking masquerading on the VPN zone and changing the input to reject, it finally works! Thanks very much to everybody on this post!
I love this forum!

config forwarding
option src 'lan'
option dest 'wan'

The above can be left as it is.
