OpenVPN not starting

Hello everyone

I have difficulty getting my Windscribe VPN starting on OpenWrt 22.0 and double-checked with a bunch of guides.

here's my system log whenever I try to connect:

[   23.548941] IPv6: ADDRCONF(NETDEV_CHANGE): br-lan: link becomes ready
[   24.237500] mt7530 mdio-bus:1f wan: Link is Up - 100Mbps/Full - flow control rx/tx
[   24.245191] IPv6: ADDRCONF(NETDEV_CHANGE): wan: link becomes ready
[   25.458546] mt7530 mdio-bus:1f lan2: Link is Up - 1Gbps/Full - flow control rx/tx
[   25.466105] br-lan: port 2(lan2) entered blocking state
[   25.471313] br-lan: port 2(lan2) entered forwarding state

there's nothing in the snippet you posted about the VPN.

have you seen https://openwrt.org/docs/guide-user/services/vpn/openvpn/client-luci ?

1 Like

I went through the guide again.

This is what I get when I tried booting up the vpn again:


Thu Jul 20 12:00:02 2023 daemon.err uhttpd[1718]: sh: /etc/init.d/openvpn: not found
Thu Jul 20 12:00:05 2023 daemon.warn odhcpd[1594]: A default route is present but there is no public prefix on lan thus we don't announce a default route!

have you installed all required openvpn packages ?

if I were you, I'd switch to WireGuard, it's easier to set up, and Windscribe seems to support it.

1 Like

I have the following installed:

kmod-ovpn-dco 5.10.176+2021-10-05-1017d4ad-2 - -
luci-app-openvpn git-23.093.42303-4b07c72 -
luci-i18n-openvpn-en git-23.183.45793-499a6c1

my WireGuard page is empty, going "WireGuard Status

No WireGuard interfaces configured."

with no button or interface to add

you didn't even get to the 1st chapter of the wiki I linked to, did you ?

2 Likes

I did. I have had the OpenVPN LuCI interface installed for a year now, if that's the package installation you mean.

I've also uploaded the config files and set up the user and pass

if you did, you still failed to follow it ...

get back to us when you've read, understood, and executed it.

2 Likes

Will do! tanx

So the vpn does get enabled now but I think the issue is I don't get the VPN connection routed through the firewall properly. here's my system log:

Thu Jul 20 09:40:46 2023 daemon.err openvpn(wind)[5709]: RESOLVE: Cannot resolve host address: jfk-322.whiskergalaxy.com:443 (Name does not resolve)
Thu Jul 20 09:40:46 2023 daemon.warn dnsmasq[1]: possible DNS-rebind attack detected: jfk-322.whiskergalaxy.com
Thu Jul 20 09:40:46 2023 daemon.err openvpn(wind)[5709]: RESOLVE: Cannot resolve host address: jfk-322.whiskergalaxy.com:443 (Name does not resolve)
Thu Jul 20 09:40:46 2023 daemon.warn openvpn(wind)[5709]: Could not determine IPv4/IPv6 protocol
Thu Jul 20 09:40:46 2023 daemon.notice openvpn(wind)[5709]: SIGUSR1[soft,init_instance] received, process restarting

That looks like a pretty big clue.

Probably worth first working out why that name isn't resolving.

2 Likes

so it might have to do with the VPN service ?

No idea. I don't know or recognise the domain name in your log extract, and a 5-second WHOIS query shows that the domain in question is registered via one of those shady "privacy service" providers. I have no clue whether or not the domain is related to Windscribe.

But I assumed it was relevant, because you took the time to isolate and extract that excerpt.

The FQDN does resolve for me, so it's not a big leap to speculate that the lack of resolution for you might be a contributory factor:

D:\>dig jfk-322.whiskergalaxy.com @1.1.1.1

; <<>> DiG 9.10.3-P4 <<>> jfk-322.whiskergalaxy.com @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45433
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;jfk-322.whiskergalaxy.com.     IN      A

;; ANSWER SECTION:
jfk-322.whiskergalaxy.com. 60   IN      A       206.217.129.227
jfk-322.whiskergalaxy.com. 60   IN      A       206.217.128.3

;; Query time: 34 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Thu Jul 20 11:03:13 GMT Summer Time 2023
;; MSG SIZE  rcvd: 86

1 Like

For fun, I just now followed https://www.vpnunlimited.com/help/manuals/open-wrt-wireguard-setup for wireguard, it worked really well.

Obviously I skipped the VPN provider specific parts (and the killswitch), since I'm tunneling to my home server, and I already had a conf file available for import.

There's also a guide for OpenVPN on the same page (top left).

2 Likes

If you configure the path to the VPN server by its FQDN DNS name, you need to have a configuration with DNS that works before the VPN comes up. Actually, before starting to configure a VPN client at all, make sure your router setup can resolve DNS and route from the LAN to the Internet. If you start with something that is fundamentally broken, adding another layer of complexity isn't likely to fix it.

The potential DNS issues are the same with either OpenVPN or Wireguard.
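
The log excerpt earlier in the thread shows an OpenVPN resolve failure and a dnsmasq rebind warning for the same name in the same second. The script below is an added example, not written by anyone in this thread, that pairs the two message types per hostname; the function names and the `vpn.example.net` log line are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: pair OpenVPN resolve failures with
# dnsmasq rebind warnings for the same hostname in syslog text on stdin.
# dnsmasq logs that warning when rebind protection discards an upstream
# answer containing a private-range address, so the lookup then fails.

vpn_dns_triage() {
    awk '
    /openvpn.*RESOLVE: Cannot resolve host address: / {
        h = $0
        sub(/.*Cannot resolve host address: /, "", h)
        split(h, part, " ")          # drop "(Name does not resolve)"
        h = part[1]
        sub(/:[0-9]+$/, "", h)       # drop the ":443" port suffix
        fail[h]++
    }
    /dnsmasq.*possible DNS-rebind attack detected: / {
        rebind[$NF]++                # hostname is the last field
    }
    END {
        for (h in fail) {
            dns = (h in rebind) ? "dnsmasq-rebind-warning" : "no-dnsmasq-warning"
            printf "%s failures=%d dns=%s\n", h, fail[h], dns
        }
    }' | sort
}

# Sample input: the first three lines are from the thread's log excerpt,
# the last line (vpn.example.net) is constructed for contrast.
sample_log() {
    cat <<'EOF'
Thu Jul 20 09:40:46 2023 daemon.err openvpn(wind)[5709]: RESOLVE: Cannot resolve host address: jfk-322.whiskergalaxy.com:443 (Name does not resolve)
Thu Jul 20 09:40:46 2023 daemon.warn dnsmasq[1]: possible DNS-rebind attack detected: jfk-322.whiskergalaxy.com
Thu Jul 20 09:40:46 2023 daemon.err openvpn(wind)[5709]: RESOLVE: Cannot resolve host address: jfk-322.whiskergalaxy.com:443 (Name does not resolve)
Thu Jul 20 09:41:10 2023 daemon.err openvpn(wind)[5709]: RESOLVE: Cannot resolve host address: vpn.example.net:1194 (Name does not resolve)
EOF
}

# Demo on the embedded sample.
sample_log | vpn_dns_triage
```

On the router, feed it live data with `logread | vpn_dns_triage`. A name reported with `dnsmasq-rebind-warning` was answered upstream but filtered locally, which is a different problem from a name that never resolved at all.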