OpenVPN issues

Hi friends,

I've been a part of the OpenWRT world since 2017 and so far I have found sufficient documentation to guide me.
I have never been a network guru but once I bought my Linksys 1900ac and discovered OpenWRT, I was determined to at least learn the basics so I installed OpenWRT 19.07 and Luci.
It has worked well over all these years.

Recently I have decided to take the plunge and attempt to install openvpn on my OpenWRT router. After much research and trial and error, I managed to install openvpn server (by the way, my server is powered by my keep solid VPN unlimited lifetime subscription) on my router and openvpn clients on 3 of my household devices. All 3 devices work great on my VPN now.

Let me give you a little detail of my home network. Sorry I don't use the technical lingo. So my ISP is Spectrum (charter), I have a really old modem they installed 10 or more years ago but it works. I have my OpenWRT Linksys 1900ac router, 1 windows 10 laptop, 2 Linux laptops, 2 mobile phones, 1 Nintendo switch and 6 outside cameras.

So here is the part I need your expert advice. When I activate my VPN, it seems to automatically deactivate my WAN and LAN. For instance if I wanted to connect one of my devices to WiFi and not VPN, I cannot reach the internet.
My wife's biggest pet peeve is once I activate the VPN, none of our cameras can connect.

This is a very old and EOL version of OpenWrt. It has many known security vulnerabilities and should not be used and it is completely unsupported.

This device is indeed supported by the latest OpenWrt as of this writing (23.05), so you should upgrade. The configurations will not be compatible from the old version, so you'll need to start from scratch.

If you're setting up OpenVPN as a server on your router, there are no subscriptions required. So not sure what you're referencing here.

Is OpenVPN being activated on your router, or on a device (i.e. laptop or phone)?

Is the modem a pure modem, or is it a modem+router combo unit?
What is connected to the modem? What is connected to the 1900AC?


@psherman ,

Thank you for replying so fast. As for my keepsolid VPN unlimited, I generated a .ovpn configuration file and used it for my openvpn server settings. My server is activated on my router.
My modem is a pure modem. It has no router capabilities. It is an Arris tm902a. The only thing connected to my modem is my Linksys 1900ac router. Then everything else in our house is connected to the 1900ac. 6 cameras + 7 devices.
Also, I was afraid you were gonna say I needed to update my OpenWRT. I will focus on starting from scratch next weekend.

Are you sure you are talking about a server? Sounds like you are setting up a client configuration.

Maybe you are correct. Maybe what I have set up is a client configuration. I am not experienced in networking.
I started out seeking a way to install vpn unlimited on my new os (lmde 6). I discovered that Debian 12 bookworm (which is what lmde is based on) has left VPN unlimited behind. One of the dependencies VPN unlimited requires is llvm11 and it is so outdated you can't even install it on lmde.
So I was looking for solutions on the keepsolid website and they recommended installing openvpn on my router. They said, that way I could connect ALL of my devices to my VPN instead of installing VPN unlimited on each device. In their tutorial they instructed me to login to my keepsolid account and generate a .ovpn configuration file and then, on my OpenWRT router (1900ac) go to the VPN tab and upload my configuration file and then enable and start it. After successfully doing all of that, whenever I would go into network settings on lmde, a new option is now available. Instead of my normal WiFi options, there was a new one called OpenWRT.
I could click on it and it would say I was connected but I had no internet access. Then I discovered I must also add an openvpn client configuration to any of my devices that I wished to connect to openvpn. I tried it with my wife's android phone, and after downloading the openvpn connect app and uploading the keepsolid ovpn configuration file, it automatically connected me to the VPN on my router.
Next I tried it with my rooted android phone and an open sourced app on github by Schwabe called openvpn for android. After I uploaded my .ovpn file it immediately connected to my openvpn on the router.
Lastly I tried and successfully uploaded my .ovpn configuration file on lmde in network connections settings and again it immediately connected to my VPN.
I checked all 3 devices by going to an IP leak test site and it could not discover my actual IP address or location.

This is absolutely not necessary.

I suspect you have issues with the configuration of your router. Let's take a look:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Thank you PSherman. Sorry it took me so long to reply. I've had to return to work and I'm usually gone Monday through Friday so it may be the weekend before I can ssh into my router and input those commands. If I am able to get home a day in the middle of the week I will try it even sooner.
Again thank for helping me with my VPN and networking issue!

Hi friends,

Finally home from work now. I did the ssh and issued the commands requested by PSherman. Also, to clarify, this VPN that I have attempted to set up on my router is not a VPN so that I can access my home network remotely. It is intended to be a VPN through which I can access the internet while I'm at home.

{
	"kernel": "4.14.221",
	"hostname": "OpenWrt",
	"system": "ARMv7 Processor rev 1 (v7l)",
	"model": "Linksys WRT1900ACS",
	"board_name": "linksys,shelby",
	"release": {
		"distribution": "OpenWrt",
		"version": "19.07.7",
		"revision": "r11306-c4a6851c72",
		"target": "mvebu/cortexa9",
		"description": "OpenWrt 19.07.7 r11306-c4a6851c72"
	}
}



config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '***.*.*.*.'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdee:dc65:ebf0::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '***.***.*.*'
	list dns '192.168.1.***/**'

config interface 'wan'
	option ifname 'eth1.2'
	option proto 'dhcp'
	option type 'bridge'

config interface 'wan6'
	option ifname 'eth1.2'
	option proto 'dhcpv6'
	option type 'bridge'
	option peerdns '0'
	option reqaddress 'try'
	option reqprefix 'auto'
	list dns '192.168.1.***/**'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 1 2 3 5t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '4 6t'



config wifi-device 'radio0'
	option type 'mac80211'
	option channel '36'
	option hwmode '11a'
	option path 'soc/soc:pcie/pci0000:00/0000:00:01.0/0000:01:00.0'
	option htmode 'VHT80'
	option country 'US'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option mode 'ap'
	option macaddr '**:**:**:**:**:**'
	option key '***************'
	option ssid 'surveillance'
	option encryption 'psk2'
	option network 'lan'

config wifi-device 'radio1'
	option type 'mac80211'
	option channel '11'
	option hwmode '11g'
	option path 'soc/soc:pcie/pci0000:00/0000:00:02.0/0000:02:00.0'
	option htmode 'HT20'
	option country 'US'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option mode 'ap'
	option encryption 'none'
	option macaddr '**:**:**:**:**:**'
	option ssid 'OpenWrt2'
	option disabled '1'

config wifi-iface 'wifinet2'
	option ssid 'OpenWrt'
	option encryption 'none'
	option device 'radio0'
	option mode 'ap'

config wifi-iface 'wifinet3'
	option ssid 'OpenWrt'
	option encryption 'none'
	option device 'radio0'
	option mode 'ap'

config wifi-iface 'wifinet4'
	option device 'radio1'
	option mode 'ap'
	option key '***************'
	option encryption 'psk2'
	option ssid 'FBI task force'
	option network 'lan'

config wifi-iface 'wifinet5'
	option network 'wan'
	option encryption 'none'
	option device 'radio1'
	option mesh_fwding '1'
	option mesh_rssi_threshold '0'
	option mode 'mesh'

config wifi-iface 'wifinet6'
	option network 'wan'
	option encryption 'none'
	option device 'radio0'
	option mesh_fwding '1'
	option mesh_rssi_threshold '0'
	option mode 'mesh'

config wifi-iface 'wifinet7'
	option device 'radio0'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'




config dnsmasq
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option localservice '1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv6 'server'
	option ra 'server'
	option ra_management '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'




config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone 'lan'
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list device 'tun+'

config zone 'wan'
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config rule 'ovpn'
	option name 'Allow-OpenVPN'
	option src 'wan'
	option dest_port '1194'
	option proto 'udp'
	option target 'ACCEPT'

That is a really old build with known security issues. Updating to 23.05.3 is highly recommended.

Regarding this old build and not knowing your openvpn setup just some general advice.

The tun (tun+) interface should be added to the WAN firewall zone and not to the LAN zone.

This is to isolate your router, but more importantly you need the masquerading on the tun interface.

The following is redundant for a client setup and can be removed:
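As an added example (not part of egc's reply or the OpenWrt project), here is a small sh/awk check that reads a saved copy of `/etc/config/firewall` and reports which zone owns the `tun+` device and whether that zone masquerades; the two embedded configs are constructed to mirror the posted lan-zone placement and the recommended wan-zone placement.

```shell
#!/bin/sh
# Added example (not from the thread): given a saved copy of an OpenWrt
# /etc/config/firewall, report which zone owns the OpenVPN 'tun+' device
# and whether that zone masquerades. Pure sh + awk, no uci binary needed.

# Constructed sample mirroring the posted config: tun+ in the lan zone,
# which does not masquerade.
sample_firewall_before() {
cat <<'EOF'
config zone 'lan'
	option name 'lan'
	list device 'tun+'

config zone 'wan'
	option name 'wan'
	option masq '1'
EOF
}

# Constructed sample after egc's fix: tun+ moved to wan, which already masquerades.
sample_firewall_after() {
cat <<'EOF'
config zone 'lan'
	option name 'lan'

config zone 'wan'
	option name 'wan'
	option masq '1'
	list device 'tun+'
EOF
}

# UCI firewall text on stdin -> one line "<zone> masq|nomasq" per zone that
# lists tun+. No output means tun+ belongs to no zone (traffic dropped).
tun_zone_check() {
	awk -v q="'" '
	function flush() {
		if (has_tun) print name, (masq ? "masq" : "nomasq")
		has_tun = 0; masq = 0; name = ""
	}
	$1 == "config" { flush(); inzone = ($2 == "zone"); next }
	inzone && $1 == "option" && $2 == "name" { gsub(q, "", $3); name = $3 }
	inzone && $1 == "option" && $2 == "masq" { gsub(q, "", $3); masq = ($3 == "1") }
	inzone && $1 == "list" && $2 == "device" { gsub(q, "", $3); if ($3 == "tun+") has_tun = 1 }
	END { flush() }'
}

sample_firewall_before | tun_zone_check   # lan nomasq
sample_firewall_after | tun_zone_check    # wan masq
```

On a router, `cat /etc/config/firewall | tun_zone_check` gives the same one-line verdict; "lan nomasq" is the state egc is asking to change.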

Thank you EGC,

I will get busy this weekend updating to 23.05.3.
Also I can give you all the details of my openvpn setup. Exactly what additional information do you want me to post? I mentioned some things in my previous posts but maybe not enough?

Update first and change the other settings I mentioned.

If it is not working then report back.

Ok thank you. I shall report back after upgrade complete.
