OpenVPN on OpenWRT router can't connect behind Inseego M2000

I am trying to use Policy-Based Routing (PBR) to connect my TV to ProtonVPN. I can install ProtonVPN on the TV, but it has a service which kills the app whenever another app is launched. I can also put the VPN on my Inseego M2000 hotspot, but I don’t want all of my traffic running through the VPN. There is no way to do PBR on the hotspot.

I’ve gone through all the steps of setting up OpenVPN on the router.

root@OpenWrt:~# openvpn --config /etc/openvpn/protonvpn.ovpn
2025-11-05 05:32:39 OpenVPN 2.6.14 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] [DCO]
2025-11-05 05:32:39 library versions: OpenSSL 3.0.18 30 Sep 2025, LZO 2.10
2025-11-05 05:32:39 DCO version: N/A
Enter Auth Username:<my-email@google.com>
Enter Auth Password:
2025-11-05 05:33:51 TCP/UDP: Preserving recently used remote address: [AF_INET]138.199.50.98:7770
2025-11-05 05:33:51 Attempting to establish TCP connection with [AF_INET]138.199.50.98:7770
2025-11-05 05:33:52 TCP connection established with [AF_INET]138.199.50.98:7770
2025-11-05 05:33:52 TCPv4_CLIENT link local: (not bound)
2025-11-05 05:33:52 TCPv4_CLIENT link remote: [AF_INET]138.199.50.98:7770
2025-11-05 05:33:52 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2025-11-05 05:33:52 [node-us-139.protonvpn.net] Peer Connection Initiated with [AF_INET]138.199.50.98:7770
2025-11-05 05:34:56 No reply from server to push requests in 64s
2025-11-05 05:34:56 SIGUSR1[soft,no-push-reply] received, process restarting
2025-11-05 05:34:57 TCP/UDP: Preserving recently used remote address: [AF_INET]138.199.50.98:8443
2025-11-05 05:34:57 Attempting to establish TCP connection with [AF_INET]138.199.50.98:8443
2025-11-05 05:34:57 TCP connection established with [AF_INET]138.199.50.98:8443
2025-11-05 05:34:57 TCPv4_CLIENT link local: (not bound)
2025-11-05 05:34:57 TCPv4_CLIENT link remote: [AF_INET]138.199.50.98:8443
2025-11-05 05:34:57 [node-us-139.protonvpn.net] Peer Connection Initiated with [AF_INET]138.199.50.98:8443
2025-11-05 05:35:59 No reply from server to push requests in 62s
2025-11-05 05:35:59 SIGUSR1[soft,no-push-reply] received, process restarting
2025-11-05 05:36:00 TCP/UDP: Preserving recently used remote address: [AF_INET]138.199.50.98:443
2025-11-05 05:36:00 Attempting to establish TCP connection with [AF_INET]138.199.50.98:443
2025-11-05 05:36:00 TCP connection established with [AF_INET]138.199.50.98:443
2025-11-05 05:36:00 TCPv4_CLIENT link local: (not bound)
2025-11-05 05:36:00 TCPv4_CLIENT link remote: [AF_INET]138.199.50.98:443
2025-11-05 05:36:00 [node-us-139.protonvpn.net] Peer Connection Initiated with [AF_INET]138.199.50.98:443
2025-11-05 05:37:03 No reply from server to push requests in 63s
2025-11-05 05:37:03 SIGUSR1[soft,no-push-reply] received, process restarting

This is the output when I try to start openvpn.

I modified the .ovpn file to include my credentials and that seems to allow me to start the service through LuCI, but it starts failing to authenticate from the command line when running openvpn --config /etc/openvpn/protonvpn.ovpn and the interface tun0 is never created, so I can’t finish setting up the connection. I assume this is because SIGUSR1[soft,no-push-reply] received, process restarting means a tunnel is never established.

root@OpenWrt:~# nc -v -z 138.199.50.98 443
Warning: Host 138.199.50.98 isn't authoritative! (direct lookup failed)
138.199.50.98 443 (https) open

I seem to be able to connect to the endpoint over TCP and downloaded the TCP .ovpn file from ProtonVPN:

client
dev tun
proto tcp

remote 138.199.50.98 443
remote 138.199.50.98 8443
remote 138.199.50.98 7770

remote-random
resolv-retry infinite
nobind

cipher AES-256-GCM

setenv CLIENT_CERT 0
tun-mtu 1500
mssfix 0
persist-key
persist-tun

reneg-sec 0

remote-cert-tls server
auth-user-pass


<ca>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</ca>

<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
...
-----END OpenVPN Static key V1-----
</tls-crypt>

I did change one line of the .ovpn.

As you can see below, the vpn is running.

But there is no tun0 interface created. Again, I don’t think it’s connecting.

root@OpenWrt:~# ifconfig tun0
ifconfig: tun0: error fetching interface information: Device not found

I can connect to ProtonVPN using their app from my phone from behind the router.

This is what ChatGPT thinks is the issue.

# Why TCP VPN Fails on Your OpenWRT Router Behind the Hotspot

## 1. Setup Context
- **Router:** WRT3200ACM running OpenWRT 24.10.4  
- **WAN:** Inseego M2000 LTE hotspot  
- **VPN:** ProtonVPN over TCP (ports 443, 8443, 7770)  
- **Problem:** OpenWRT cannot establish a `tun0` interface; TCP connection to VPN endpoint fails  
- **Observation:** ProtonVPN app on clients behind the same hotspot works fine

---

## 2. Key Differences Between Router and Client App
**ProtonVPN app works because:**
- It handles **NAT traversal automatically**  
- Uses **UDP or TCP encapsulation** intelligently  
- May use **obfuscated connections** to bypass restrictive NAT/firewalls  

**Router behavior:**
- OpenWRT initiates **raw TCP connections** directly to the VPN server  
- Router’s WAN IP is **behind carrier NAT (the hotspot)**  
- TCP connections fail if the NAT/firewall blocks or drops packets

---

## 3. Likely Primary Issue
**The router is behind a double NAT:**
1. Hotspot NAT  
2. Router NAT  

**Problems caused by double NAT:**
- TCP sessions may fail  
- Hotspot may block or throttle certain outbound TCP ports  
- Some carriers actively block VPN traffic  

**Why the app works:**  
- ProtonVPN app may use **UDP with TCP fallback**, obfuscation, or unusual ports to bypass NAT restrictions  
- OpenWRT’s raw TCP connection lacks these advanced techniques

---

## 4. Supporting Evidence
- Multiple TCP ports (443, 8443, 7770) fail  
- This is classic behavior for **CGNAT / restrictive hotspot firewall**  

---

## 5. Additional Factors
- OpenVPN TCP on OpenWRT may **not handle NAT hairpinning** correctly  
- Hotspot may implement **stateful firewall rules** that block unknown TCP connections  
- ProtonVPN app may use **packet fragmentation or TLS wrapping** that OpenVPN client does not

---

## 6. Implications
- **Not a router configuration problem**  
- **Not a VPN server problem**  
- Primary issue: **carrier NAT / hotspot restrictions breaking TCP VPN connections from the router**  

**Workarounds:**
1. Use **WireGuard** instead of OpenVPN TCP — often works better through CGNAT  
2. Put the router in **bridge mode** behind the hotspot (gets a public IP)  
3. Use the **hotspot’s VPN** and implement **policy-based routing** on the router  
4. Use a **VPN client on each device** behind the router if router-based VPN fails

I’ve already tried WireGuard, but my provider seems to block all UDP. Option 4 is not really an option for me as I’ve explained. I don’t think bridge mode will work, my hotspot does not have IP Passthrough (though it does have IPv6 Transparent Mode). Option 3 doesn’t seem possible as I think I would need PBR on the hotspot which its firmware does not support.

Sorry for such a long post. Any help is appreciated.

For OpenVPN to work you also have to set up an interface (well, that is technically not necessary for OpenVPN but it is for PBR) and set up the firewall.

It can help if you show us your configs, for that please connect to your OpenWRT device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button

Remember to redact keys, passwords, MAC addresses and any public IP addresses you may have but do not redact private RFC 1918 IP addresses as that is not needed:

ubus call system board
cat /etc/config/network
cat /etc/config/dhcp
cat /etc/config/firewall
ip route show
ip -6 route show
cat /etc/config/openvpn
for ovpn in $(ls /etc/openvpn/*.ovpn);do echo $ovpn; cat $ovpn; echo;done
for vpn in $(ls /tmp/etc/openvpn*.conf);do echo $vpn;cat $vpn;echo;done
logread | grep openvpn

There was no reply from port 7770. That happened long before the username and password come into play. Remove the 7770 line from the configuration and probably also 8443 so it only tries port 443. That is more likely to work if the ISP is blocking unconventional ports.

root@OpenWrt:~# ubus call system board
{
        "kernel": "6.6.110",
        "hostname": "OpenWrt",
        "system": "ARMv7 Processor rev 1 (v7l)",
        "model": "Linksys WRT3200ACM",
        "board_name": "linksys,wrt3200acm",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "24.10.4",
                "revision": "r28959-29397011cc",
                "target": "mvebu/cortexa9",
                "description": "OpenWrt 24.10.4 r28959-29397011cc",
                "builddate": "1760891865"
        }
}
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdfa:5584:10ef::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'wan'
        option macaddr '62:38:e0:b3:54:40'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config interface 'wanusb'
        option proto 'dhcp'
        option device 'eth1'

root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        option ra_slaac '1'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'
        option piofolder '/tmp/odhcpd-piofolder'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'
        list network 'wanusb'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config forwarding
        option src 'lan'
        option dest 'wan'

root@OpenWrt:~# ip route show
default via 192.168.10.1 dev eth1 proto static src 192.168.10.104 
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1 
192.168.10.0/24 dev eth1 proto kernel scope link src 192.168.10.104 
root@OpenWrt:~# ip -6 route show
fdfa:5584:10ef::/64 dev br-lan proto static metric 1024 pref medium
unreachable fdfa:5584:10ef::/48 dev lo proto static metric 2147483647 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev eth1 proto kernel metric 256 pref medium
fe80::/64 dev br-lan proto kernel metric 256 pref medium
root@OpenWrt:~# cat /etc/config/openvpn

config openvpn 'custom_config'
        option config '/etc/openvpn/my-vpn.conf'

config openvpn 'sample_server'
        option port '1194'
        option proto 'udp'
        option dev 'tun'
        option ca '/etc/openvpn/ca.crt'
        option cert '/etc/openvpn/server.crt'
        option key '/etc/openvpn/server.key'
        option dh '/etc/openvpn/dh2048.pem'
        option server '10.8.0.0 255.255.255.0'
        option ifconfig_pool_persist '/tmp/ipp.txt'
        option keepalive '10 120'
        option persist_key '1'
        option persist_tun '1'
        option user 'nobody'
        option status '/tmp/openvpn-status.log'
        option verb '3'

config openvpn 'sample_client'
        option client '1'
        option dev 'tun'
        option proto 'udp'
        list remote 'my_server_1 1194'
        option resolv_retry 'infinite'
        option nobind '1'
        option persist_key '1'
        option persist_tun '1'
        option user 'nobody'
        option ca '/etc/openvpn/ca.crt'
        option cert '/etc/openvpn/client.crt'
        option key '/etc/openvpn/client.key'
        option verb '3'

config openvpn 'protonvpn'
        option config '/etc/openvpn/protonvpn.ovpn'
        option enabled '1'

root@OpenWrt:~# for ovpn in $(ls /etc/openvpn/*.ovpn);do echo $ovpn; cat $ovpn; echo;done
/etc/openvpn/protonvpn.ovpn
# ==============================================================================
# Copyright (c) 2023 Proton AG (Switzerland)
# Email: contact@protonvpn.com
#
# The MIT License (MIT)
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in all
# copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR # OTHERWISE, ARISING
# FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
# IN THE SOFTWARE.
# ==============================================================================

# The server you are connecting to is using a circuit in order to separate entry IP from exit IP
# The same entry IP allows to connect to multiple exit IPs in the same data center.

# If you want to explicitly select the exit IP corresponding to server US-FREE#18 you need to
# append a special suffix to your OpenVPN username.
# Please use "nyeqgRhR8waQx5eT+b:0" in order to enforce exiting through US-FREE#18.

# If you are a paying user you can also enable the ProtonVPN ad blocker (NetShield) or Moderate NAT:
# Use: "nyeqgRhR8waQx5eT+b:0+f1" to enable anti-malware filtering
# Use: "nyeqgRhR8waQx5eT+b:0+f2" to additionally enable ad-blocking filtering
# Use: "nyeqgRhR8waQx5eT+b:0+nr" to enable Moderate NAT
# Note that you can combine the "+nr" suffix with other suffixes.

client
dev tun
proto tcp

remote 138.199.50.98 443
remote 138.199.50.98 8443
remote 138.199.50.98 7770

remote-random
resolv-retry infinite
nobind

cipher AES-256-GCM

setenv CLIENT_CERT 0
tun-mtu 1500
mssfix 0
persist-key
persist-tun

reneg-sec 0

remote-cert-tls server
auth-user-pass /etc/openvpn/protonvpn.auth


<ca>
-----BEGIN CERTIFICATE-----
<redacted>
-----END CERTIFICATE-----
</ca>

<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
<redacted>
-----END OpenVPN Static key V1-----
</tls-crypt>
root@OpenWrt:~# for vpn in $(ls /tmp/etc/openvpn*.conf);do echo $vpn;cat $vpn;echo;done
ls: /tmp/etc/openvpn*.conf: No such file or directory
root@OpenWrt:~# logread | grep openvpn
Wed Nov  5 13:01:51 2025 daemon.notice openvpn(protonvpn)[8419]: Attempting to establish TCP connection with [AF_INET]138.199.50.98:8443
Wed Nov  5 13:01:52 2025 daemon.notice openvpn(protonvpn)[8419]: TCP connection established with [AF_INET]138.199.50.98:8443
Wed Nov  5 13:01:52 2025 daemon.notice openvpn(protonvpn)[8419]: TCPv4_CLIENT link local: (not bound)
Wed Nov  5 13:01:52 2025 daemon.notice openvpn(protonvpn)[8419]: TCPv4_CLIENT link remote: [AF_INET]138.199.50.98:8443
Wed Nov  5 13:01:52 2025 daemon.notice openvpn(protonvpn)[8419]: [node-us-139.protonvpn.net] Peer Connection Initiated with [AF_INET]138.199.50.98:8443
Wed Nov  5 13:02:54 2025 daemon.err openvpn(protonvpn)[8419]: No reply from server to push requests in 62s
Wed Nov  5 13:02:54 2025 daemon.notice openvpn(protonvpn)[8419]: SIGUSR1[soft,no-push-reply] received, process restarting
Wed Nov  5 13:02:55 2025 daemon.warn openvpn(protonvpn)[8419]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Wed Nov  5 13:02:55 2025 daemon.notice openvpn(protonvpn)[8419]: TCP/UDP: Preserving recently used remote address: [AF_INET]138.199.50.98:443
Wed Nov  5 13:02:55 2025 daemon.notice openvpn(protonvpn)[8419]: Attempting to establish TCP connection with [AF_INET]138.199.50.98:443
Wed Nov  5 13:02:56 2025 daemon.notice openvpn(protonvpn)[8419]: TCP connection established with [AF_INET]138.199.50.98:443
Wed Nov  5 13:02:56 2025 daemon.notice openvpn(protonvpn)[8419]: TCPv4_CLIENT link local: (not bound)
Wed Nov  5 13:02:56 2025 daemon.notice openvpn(protonvpn)[8419]: TCPv4_CLIENT link remote: [AF_INET]138.199.50.98:443
Wed Nov  5 13:02:56 2025 daemon.notice openvpn(protonvpn)[8419]: [node-us-139.protonvpn.net] Peer Connection Initiated with [AF_INET]138.199.50.98:443
Wed Nov  5 13:03:58 2025 daemon.err openvpn(protonvpn)[8419]: No reply from server to push requests in 62s
Wed Nov  5 13:03:58 2025 daemon.notice openvpn(protonvpn)[8419]: SIGUSR1[soft,no-push-reply] received, process restarting
Wed Nov  5 13:03:59 2025 daemon.warn openvpn(protonvpn)[8419]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Wed Nov  5 13:03:59 2025 daemon.notice openvpn(protonvpn)[8419]: TCP/UDP: Preserving recently used remote address: [AF_INET]138.199.50.98:7770
Wed Nov  5 13:03:59 2025 daemon.notice openvpn(protonvpn)[8419]: Attempting to establish TCP connection with [AF_INET]138.199.50.98:7770
Wed Nov  5 13:03:59 2025 daemon.notice openvpn(protonvpn)[8419]: TCP connection established with [AF_INET]138.199.50.98:7770
Wed Nov  5 13:03:59 2025 daemon.notice openvpn(protonvpn)[8419]: TCPv4_CLIENT link local: (not bound)
Wed Nov  5 13:03:59 2025 daemon.notice openvpn(protonvpn)[8419]: TCPv4_CLIENT link remote: [AF_INET]138.199.50.98:7770
Wed Nov  5 13:03:59 2025 daemon.notice openvpn(protonvpn)[8419]: [node-us-139.protonvpn.net] Peer Connection Initiated with [AF_INET]138.199.50.98:7770
Wed Nov  5 13:05:01 2025 daemon.err openvpn(protonvpn)[8419]: No reply from server to push requests in 62s
Wed Nov  5 13:05:01 2025 daemon.notice openvpn(protonvpn)[8419]: SIGUSR1[soft,no-push-reply] received, process restarting
Wed Nov  5 13:05:02 2025 daemon.warn openvpn(protonvpn)[8419]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Wed Nov  5 13:05:02 2025 daemon.notice openvpn(protonvpn)[8419]: TCP/UDP: Preserving recently used remote address: [AF_INET]138.199.50.98:8443
Wed Nov  5 13:05:02 2025 daemon.notice openvpn(protonvpn)[8419]: Attempting to establish TCP connection with [AF_INET]138.199.50.98:8443
Wed Nov  5 13:05:02 2025 daemon.notice openvpn(protonvpn)[8419]: TCP connection established with [AF_INET]138.199.50.98:8443
Wed Nov  5 13:05:02 2025 daemon.notice openvpn(protonvpn)[8419]: TCPv4_CLIENT link local: (not bound)
Wed Nov  5 13:05:02 2025 daemon.notice openvpn(protonvpn)[8419]: TCPv4_CLIENT link remote: [AF_INET]138.199.50.98:8443
Wed Nov  5 13:05:02 2025 daemon.notice openvpn(protonvpn)[8419]: [node-us-139.protonvpn.net] Peer Connection Initiated with [AF_INET]138.199.50.98:8443
Wed Nov  5 13:06:02 2025 daemon.notice openvpn(protonvpn)[8419]: AUTH: Received control message: AUTH_FAILED
Wed Nov  5 13:06:02 2025 daemon.notice openvpn(protonvpn)[8419]: SIGTERM[soft,auth-failure] received, process exiting
Wed Nov  5 13:06:07 2025 daemon.notice openvpn(protonvpn)[8453]: OpenVPN 2.6.14 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] [DCO]
Wed Nov  5 13:06:07 2025 daemon.notice openvpn(protonvpn)[8453]: library versions: OpenSSL 3.0.18 30 Sep 2025, LZO 2.10
Wed Nov  5 13:06:07 2025 daemon.notice openvpn(protonvpn)[8453]: DCO version: N/A
Wed Nov  5 13:06:07 2025 daemon.warn openvpn(protonvpn)[8453]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Wed Nov  5 13:06:07 2025 daemon.notice openvpn(protonvpn)[8453]: TCP/UDP: Preserving recently used remote address: [AF_INET]138.199.50.98:7770
Wed Nov  5 13:06:07 2025 daemon.notice openvpn(protonvpn)[8453]: Attempting to establish TCP connection with [AF_INET]138.199.50.98:7770
Wed Nov  5 13:06:07 2025 daemon.notice openvpn(protonvpn)[8453]: TCP connection established with [AF_INET]138.199.50.98:7770
Wed Nov  5 13:06:07 2025 daemon.notice openvpn(protonvpn)[8453]: TCPv4_CLIENT link local: (not bound)
Wed Nov  5 13:06:07 2025 daemon.notice openvpn(protonvpn)[8453]: TCPv4_CLIENT link remote: [AF_INET]138.199.50.98:7770
Wed Nov  5 13:06:07 2025 daemon.warn openvpn(protonvpn)[8453]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Wed Nov  5 13:06:07 2025 daemon.notice openvpn(protonvpn)[8453]: [node-us-139.protonvpn.net] Peer Connection Initiated with [AF_INET]138.199.50.98:7770
Wed Nov  5 13:07:09 2025 daemon.err openvpn(protonvpn)[8453]: No reply from server to push requests in 62s
Wed Nov  5 13:07:09 2025 daemon.notice openvpn(protonvpn)[8453]: SIGUSR1[soft,no-push-reply] received, process restarting
Wed Nov  5 13:07:10 2025 daemon.warn openvpn(protonvpn)[8453]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Wed Nov  5 13:07:10 2025 daemon.notice openvpn(protonvpn)[8453]: TCP/UDP: Preserving recently used remote address: [AF_INET]138.199.50.98:443
Wed Nov  5 13:07:10 2025 daemon.notice openvpn(protonvpn)[8453]: Attempting to establish TCP connection with [AF_INET]138.199.50.98:443
Wed Nov  5 13:07:10 2025 daemon.notice openvpn(protonvpn)[8453]: TCP connection established with [AF_INET]138.199.50.98:443
Wed Nov  5 13:07:10 2025 daemon.notice openvpn(protonvpn)[8453]: TCPv4_CLIENT link local: (not bound)
Wed Nov  5 13:07:10 2025 daemon.notice openvpn(protonvpn)[8453]: TCPv4_CLIENT link remote: [AF_INET]138.199.50.98:443
Wed Nov  5 13:07:10 2025 daemon.notice openvpn(protonvpn)[8453]: [node-us-139.protonvpn.net] Peer Connection Initiated with [AF_INET]138.199.50.98:443
Wed Nov  5 13:08:12 2025 daemon.err openvpn(protonvpn)[8453]: No reply from server to push requests in 62s
Wed Nov  5 13:08:13 2025 daemon.notice openvpn(protonvpn)[8453]: SIGUSR1[soft,no-push-reply] received, process restarting
Wed Nov  5 13:08:14 2025 daemon.warn openvpn(protonvpn)[8453]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Wed Nov  5 13:08:14 2025 daemon.notice openvpn(protonvpn)[8453]: TCP/UDP: Preserving recently used remote address: [AF_INET]138.199.50.98:8443
Wed Nov  5 13:08:14 2025 daemon.notice openvpn(protonvpn)[8453]: Attempting to establish TCP connection with [AF_INET]138.199.50.98:8443
Wed Nov  5 13:08:14 2025 daemon.notice openvpn(protonvpn)[8453]: TCP connection established with [AF_INET]138.199.50.98:8443
Wed Nov  5 13:08:14 2025 daemon.notice openvpn(protonvpn)[8453]: TCPv4_CLIENT link local: (not bound)
Wed Nov  5 13:08:14 2025 daemon.notice openvpn(protonvpn)[8453]: TCPv4_CLIENT link remote: [AF_INET]138.199.50.98:8443
Wed Nov  5 13:08:14 2025 daemon.notice openvpn(protonvpn)[8453]: [node-us-139.protonvpn.net] Peer Connection Initiated with [AF_INET]138.199.50.98:8443
Wed Nov  5 13:09:14 2025 daemon.notice openvpn(protonvpn)[8453]: AUTH: Received control message: AUTH_FAILED
Wed Nov  5 13:09:14 2025 daemon.notice openvpn(protonvpn)[8453]: SIGTERM[soft,auth-failure] received, process exiting
Wed Nov  5 13:09:19 2025 daemon.notice openvpn(protonvpn)[8467]: OpenVPN 2.6.14 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] [DCO]
Wed Nov  5 13:09:19 2025 daemon.notice openvpn(protonvpn)[8467]: library versions: OpenSSL 3.0.18 30 Sep 2025, LZO 2.10
Wed Nov  5 13:09:19 2025 daemon.notice openvpn(protonvpn)[8467]: DCO version: N/A
Wed Nov  5 13:09:19 2025 daemon.warn openvpn(protonvpn)[8467]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Wed Nov  5 13:09:19 2025 daemon.notice openvpn(protonvpn)[8467]: TCP/UDP: Preserving recently used remote address: [AF_INET]138.199.50.98:8443
Wed Nov  5 13:09:19 2025 daemon.notice openvpn(protonvpn)[8467]: Attempting to establish TCP connection with [AF_INET]138.199.50.98:8443
Wed Nov  5 13:09:19 2025 daemon.notice openvpn(protonvpn)[8467]: TCP connection established with [AF_INET]138.199.50.98:8443
Wed Nov  5 13:09:19 2025 daemon.notice openvpn(protonvpn)[8467]: TCPv4_CLIENT link local: (not bound)
Wed Nov  5 13:09:19 2025 daemon.notice openvpn(protonvpn)[8467]: TCPv4_CLIENT link remote: [AF_INET]138.199.50.98:8443
Wed Nov  5 13:09:19 2025 daemon.warn openvpn(protonvpn)[8467]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Wed Nov  5 13:09:20 2025 daemon.notice openvpn(protonvpn)[8467]: [node-us-139.protonvpn.net] Peer Connection Initiated with [AF_INET]138.199.50.98:8443
Wed Nov  5 13:10:24 2025 daemon.err openvpn(protonvpn)[8467]: No reply from server to push requests in 64s
Wed Nov  5 13:10:24 2025 daemon.notice openvpn(protonvpn)[8467]: SIGUSR1[soft,no-push-reply] received, process restarting
Wed Nov  5 13:10:25 2025 daemon.warn openvpn(protonvpn)[8467]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Wed Nov  5 13:10:25 2025 daemon.notice openvpn(protonvpn)[8467]: TCP/UDP: Preserving recently used remote address: [AF_INET]138.199.50.98:443
Wed Nov  5 13:10:25 2025 daemon.notice openvpn(protonvpn)[8467]: Attempting to establish TCP connection with [AF_INET]138.199.50.98:443
Wed Nov  5 13:10:25 2025 daemon.notice openvpn(protonvpn)[8467]: TCP connection established with [AF_INET]138.199.50.98:443
Wed Nov  5 13:10:25 2025 daemon.notice openvpn(protonvpn)[8467]: TCPv4_CLIENT link local: (not bound)
Wed Nov  5 13:10:25 2025 daemon.notice openvpn(protonvpn)[8467]: TCPv4_CLIENT link remote: [AF_INET]138.199.50.98:443
Wed Nov  5 13:10:25 2025 daemon.notice openvpn(protonvpn)[8467]: [node-us-139.protonvpn.net] Peer Connection Initiated with [AF_INET]138.199.50.98:443
Wed Nov  5 13:11:29 2025 daemon.err openvpn(protonvpn)[8467]: No reply from server to push requests in 64s
Wed Nov  5 13:11:29 2025 daemon.notice openvpn(protonvpn)[8467]: SIGUSR1[soft,no-push-reply] received, process restarting
...

I do not see any firewall settings for the OpenVPN interface so add list device 'tun+' to the firewall wan zone

Furthermore, take the advice of mk24 and remove from the openvpn config:

Reboot and check again with the output of logread | grep openvpn

Can I get some clarity on this part:

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'
        list network 'wanusb'
        list device 'tun+'        # <<<<< add this

Is this a config file? Can you tell me where it is located? If it’s a command I can’t run config because it’s not found, so I might be missing a package. I haven’t yet set up firewall rules because the tun0 interface(?) never seems to be created.

These are the only interfaces I can see under Covered networks in LuCI.

Question: Would a local obfs4proxy help?

I usually edit the config files directly with nano

But if you need to use the GUI then on the Firewall zone go to Advanced settings and under Devices add custom: tun+ , press enter afterwards and Save and Apply

No idea, as we do not know what the problem is. It looks like you are using a Proton OpenVPN server; those can be down/unavailable/overcrowded, especially if you use a free account, so at least try another server, e.g. make another config.

I figured it out and I feel like an idiot. This is what I get for using ChatGPT instead of tutorials.

I just assumed my credentials would be my username and password that I usually use, but I had to use the IKEv2 username which is found at https://account.protonvpn.com/account-password.

Thanks for all the help even if it was my own stupidity.
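The distinction that resolved this thread, as an added example (not code from any poster, OpenVPN or OpenWrt): a POSIX shell/awk filter that groups `logread | grep openvpn` output by connection attempt and reports how far each attempt got, so an authentication failure is not mistaken for a blocked path. The function names, verdict labels and sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage OpenVPN client log lines by how far each attempt got.

# Read log lines on stdin, print one "port=<n> stage=<s>" line per attempt.
# Stages: incomplete, tcp-failed, tls-failed, tls-up, no-push-reply,
#         auth-failed, connected
openvpn_attempts() {
    awk '
    function emit() { if (port != "") print "port=" port " stage=" stage }
    /Attempting to establish TCP connection with/ {
        emit()                                # close the previous attempt
        port = $NF; sub(/^.*:/, "", port)     # keep text after the last colon
        stage = "incomplete"; next
    }
    /TCP: connect to .* failed/             { stage = "tcp-failed"; next }
    /TLS key negotiation failed/            { stage = "tls-failed"; next }
    /Peer Connection Initiated/             { stage = "tls-up"; next }
    /No reply from server to push requests/ { stage = "no-push-reply"; next }
    /AUTH_FAILED/                           { stage = "auth-failed"; next }
    /Initialization Sequence Completed/     { stage = "connected"; next }
    END { emit() }
    '
}

# Reduce all attempts to one verdict:
#   connected - the tunnel came up at least once
#   auth      - the server answered AUTH_FAILED: check credentials first
#   path-ok   - TLS completed but no push reply: the path to the server is open
#   network   - no attempt got through TCP/TLS: filtering is plausible
#   unknown   - no connection attempt found in the input
openvpn_verdict() {
    openvpn_attempts | awk '
    / stage=connected$/               { c = 1 }
    / stage=auth-failed$/             { a = 1 }
    / stage=(no-push-reply|tls-up)$/  { p = 1 }
    / stage=(tcp-failed|tls-failed)$/ { n = 1 }
    END {
        if (c)      print "connected"
        else if (a) print "auth"
        else if (p) print "path-ok"
        else if (n) print "network"
        else        print "unknown"
    }'
}

# Constructed sample in the logread format seen in the thread (TEST-NET address).
sample_auth_log() {
    cat <<'EOF'
Wed Nov  5 13:00:00 2025 daemon.notice openvpn(vpn)[100]: Attempting to establish TCP connection with [AF_INET]203.0.113.10:443
Wed Nov  5 13:00:01 2025 daemon.notice openvpn(vpn)[100]: TCP connection established with [AF_INET]203.0.113.10:443
Wed Nov  5 13:00:01 2025 daemon.notice openvpn(vpn)[100]: [vpn.example] Peer Connection Initiated with [AF_INET]203.0.113.10:443
Wed Nov  5 13:01:03 2025 daemon.err openvpn(vpn)[100]: No reply from server to push requests in 62s
Wed Nov  5 13:01:03 2025 daemon.notice openvpn(vpn)[100]: SIGUSR1[soft,no-push-reply] received, process restarting
Wed Nov  5 13:01:04 2025 daemon.notice openvpn(vpn)[100]: Attempting to establish TCP connection with [AF_INET]203.0.113.10:8443
Wed Nov  5 13:01:04 2025 daemon.notice openvpn(vpn)[100]: TCP connection established with [AF_INET]203.0.113.10:8443
Wed Nov  5 13:01:04 2025 daemon.notice openvpn(vpn)[100]: [vpn.example] Peer Connection Initiated with [AF_INET]203.0.113.10:8443
Wed Nov  5 13:02:04 2025 daemon.notice openvpn(vpn)[100]: AUTH: Received control message: AUTH_FAILED
EOF
}

# Constructed sample of a path that never completes TCP or TLS.
sample_blocked_log() {
    cat <<'EOF'
Wed Nov  5 14:00:00 2025 daemon.notice openvpn(vpn)[200]: Attempting to establish TCP connection with [AF_INET]203.0.113.10:7770
Wed Nov  5 14:02:00 2025 daemon.err openvpn(vpn)[200]: TCP: connect to [AF_INET]203.0.113.10:7770 failed: Connection timed out
Wed Nov  5 14:02:01 2025 daemon.notice openvpn(vpn)[200]: Attempting to establish TCP connection with [AF_INET]203.0.113.10:443
Wed Nov  5 14:02:01 2025 daemon.notice openvpn(vpn)[200]: TCP connection established with [AF_INET]203.0.113.10:443
Wed Nov  5 14:03:01 2025 daemon.err openvpn(vpn)[200]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
EOF
}

# Demo on the constructed sample.
# On the router: logread | grep openvpn | openvpn_verdict
sample_auth_log | openvpn_attempts
echo "verdict: $(sample_auth_log | openvpn_verdict)"
```

A `Peer Connection Initiated` line means TCP and the TLS handshake both completed through the hotspot, so a following `AUTH_FAILED` or missing push reply points at the account or server rather than at NAT or port blocking.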

The good news is that the VPN works, but the bad news is PBR won’t start. I think it’s because it’s trying to detect the gateway via wan. I’ve disabled it, but haven’t deleted it entirely because I don’t know if there is a simpler solution. I planned on using it to bridge to another router eventually.

Here is what I get when I try to start PBR:

root@OpenWrt:~# /etc/init.d/pbr start
Using uplink IPv4 interface (on_start): wan [✓]
Using uplink IPv6 interface (on_start): wan6 [✓]
Processing environment (on_start) ERROR: Uplink/WAN interface is still down, increase value of 'procd_boot_trigger_delay' option!
Setting interface trigger for wanusb [✓]
Setting interface trigger for wanusb6 [✓]
Setting interface trigger for ovpntun [✓]
pbr 1.2.0-r2 FAILED TO START in fw4 nft file mode!!!
Check the output of nft -c -f /var/run/pbr.nft
ERROR: The pbr 1.2.0-r2 service failed to discover WAN gateway!
ERROR: Errors encountered, please check https://docs.openwrt.melmac.ca/pbr/1.2.0/#ErrorMessagesDetails!

I got PBR working by deleting wan and wan6 and renaming wanusb to wan and wanusb6 to wan6, but it broke my router's ability to get an IPv6 address and every time I reboot now I have to add the new wan and wan6 to the firewall manually. It seems every time I solve one problem, I break at least two more things. I submitted a bug report to PBR.

Fixed. I just needed to remove wanusb and wanusb6 from the wan firewall zone by running the following in ssh:

uci set firewall.@zone[1].network='wan wan6'
uci commit firewall

Now IPv6 and my firewall issue are solved.

From the PBR read.me already from version 1.1.6:
The WAN interface name is no longer auto-detected. If you use a non-standard name for WAN interface, you can set it in [options](https://docs.openwrt.melmac.ca/pbr/#procd_wan_interface).

For versions 1.2.X you use option uplink_interface/uplink_interface6 to set the logical name which holds the physical device (which can be seen with ifconfig) with the IPv4/IPv6 wan address; usually both point to the physical device wan.