OpenVPN PC to LAN unstable

Hi everyone,
I recently installed OpenWrt on a Fritz!Box 4040 to access the Internet. I have a Windows PC with the OpenVPN 2.5 client that I use to access company servers. Before flashing the router, OpenVPN worked fine. Now I can connect through the VPN and ping those servers, but when I try to open an RDP connection the ping fails and the RDP session becomes unstable and unusable. I use IP addresses, so I can rule out name-resolution problems. The OpenWrt version is 23.05.0 r23497-6637af95aa / LuCI openwrt-23.05 branch git-23.236.53405-fc638c8. I tried to set the correct mssfix parameter in the OpenVPN client configuration file, but without success.

I'm a newbie so I apologize in advance for the non-technical explanation.

Thank you,
Flavio

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
root@FLYNETBOX:~# ubus call system board
{
	"kernel": "5.15.134",
	"hostname": "FLYNETBOX",
	"system": "ARMv7 Processor rev 5 (v7l)",
	"model": "AVM FRITZ!Box 4040",
	"board_name": "avm,fritzbox-4040",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.0",
		"revision": "r23497-6637af95aa",
		"target": "ipq40xx/generic",
		"description": "OpenWrt 23.05.0 r23497-6637af95aa"
	}
}
root@FLYNETBOX:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd90:d1f4:6d39::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan.9'
	option proto 'static'
	option ipaddr '10.1.9.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config bridge-vlan
	option device 'br-lan'
	option vlan '4'
	list ports 'lan1:t'
	list ports 'lan2:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '9'
	list ports 'lan1:t'
	list ports 'lan2:t'
	list ports 'lan3:u*'
	list ports 'lan4:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '3'
	list ports 'lan1:t'
	list ports 'lan2:t'

config interface 'IOT'
	option proto 'static'
	option device 'br-lan.3'
	option ipaddr '10.1.3.1'
	option netmask '255.255.255.0'

config interface 'GUEST'
	option proto 'static'
	option device 'br-lan.4'
	option ipaddr '10.1.4.1'
	option netmask '255.255.255.0'

config device
	option name 'wan'
	option mtu '1500'

root@FLYNETBOX:~# cat /etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/soc/a000000.wifi'
	option channel '5'
	option band '2g'
	option htmode 'HT20'
	option cell_density '0'
	option disabled '1'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/soc/a800000.wifi'
	option channel '100'
	option band '5g'
	option htmode 'VHT80'
	option cell_density '0'
	option disabled '1'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'Flynet'
	option encryption 'psk2'
	option key '******'
	option disabled '1'
	option ieee80211r '1'
	option mobility_domain '999a'
	option ft_over_ds '0'
	option ft_psk_generate_local '1'

config wifi-iface 'wifinet3'
	option device 'radio1'
	option mode 'ap'
	option ssid 'Inter Net'
	option encryption 'psk2'
	option network 'GUEST'
	option key '******'
	option ieee80211r '1'
	option mobility_domain '444a'
	option ft_over_ds '0'
	option ft_psk_generate_local '1'
	option disabled '1'

config wifi-iface 'wifinet4'
	option device 'radio0'
	option mode 'ap'
	option ssid 'Service WiFi'
	option encryption 'psk2'
	option network 'IOT'
	option key 'IIOTService'
	option disabled '1'
	option ieee80211r '1'
	option mobility_domain '333a'
	option ft_over_ds '0'
	option ft_psk_generate_local '1'

root@FLYNETBOX:~# cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
	list rebind_domain '/dns.msftncsi.com/'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '100'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'IOT'
	option interface 'IOT'
	option start '100'
	option limit '100'
	option leasetime '12h'

config dhcp 'GUEST'
	option interface 'GUEST'
	option start '100'
	option limit '100'
	option leasetime '12h'

config host
	option name 'AP-TAVERNA'
	option ip '10.1.9.3'
	option mac 'XX:XX:XX:XX:XX:XX'

config host
	option name 'AP-UFFICIO'
	option ip '10.1.9.2'
	option mac 'XX:XX:XX:XX:XX:XX'

root@FLYNETBOX:~# cat /etc/config/firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'IOTZone'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'IOT'

config zone
	option name 'GuestZone'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'GUEST'

config forwarding
	option src 'GuestZone'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'IOTZone'

config rule
	option name 'Guest DHCP and DNS'
	option src 'GuestZone'
	option dest_port '53 67 68'
	option target 'ACCEPT'

Is your PC connected via wifi?

If so, two things:

  1. I assume you have more than one AP... your computer may be roaming across the APs in a sub-optimal way. It's important to make sure the radios are tuned properly.
  2. Remove all of the 802.11r stuff (from all APs). This tends to cause more problems than it solves.

Thanks Peter for your help. The PC is connected via cable directly to the router.

Are other devices impacted, or just that one PC?

On GitHub I found this issue: FS#3830 - OpenVPN Client Using TCP Connection Has MTU or TCPMSS Issue #8828

weikai:

OpenVPN Client connects to a TCP based OpenVPN server connects fine. However, the connections to remote network servers connect but can't transfer data. The mangle rule with clamp-mss-to-pmtu won't receive any data. Setting tcpmss to something around 1000 will only receive the first 100 - 200 bytes and hang. It's not working until reduced tcpmss to 59.

# Quoted from the linked issue (FS#3830 / #8828), not from this thread's router.
# These are iptables rules; OpenWrt 23.05 ships fw4 (nftables) by default, and
# 'postrouting_rule' is an fw3-era custom chain, so on a stock 23.05 image these
# lines are unlikely to apply as-is — NOTE(review): confirm before testing.
# Source-NAT everything leaving the VPN tunnel interface.
iptables -t nat -A postrouting_rule -o tun0 -j MASQUERADE
# Clamp the TCP MSS on SYNs leaving tun0 to a fixed 59 bytes. The reporter says
# values around 1000 still stalled after 100-200 bytes; such a tiny MSS is a
# diagnostic, not a fix. In this thread ICMP echo also stops (see the RDP/ping
# description above), which MSS clamping alone would not explain — presumably a
# path-MTU / fragmentation problem on the tunnel path; verify with a DF ping sweep.
iptables -t mangle -A POSTROUTING -o tun0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 59
# Alternative the reporter tried and then disabled: clamp to the discovered path
# MTU instead of a hard-coded value (the usual first choice for tunnel interfaces).
#iptables -t mangle -A POSTROUTING -o tun0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

I don't know if it's related to my problem and I'm not able to test it. If someone could explain to me how to do it, I would gladly test it.

I reproduced the same problem with two different PCs (Windows 10 and Windows 11).

Are you running OpenVPN client on either the router or the PC? I didn't see any indications of this in your OpenWrt config and you haven't mentioned it previously.

On the PCs.

What happens if you disable the VPN -- do the PCs remain stable?

PCs are stable. It's the RDP connection via the VPN that causes problems: I start the RDP connection to a server and the connection succeeds, but the server immediately stops responding to ping and the RDP session is unusable. When I terminate the RDP connection, the server responds to ping again after a few minutes. All of this is with the VPN left active throughout. If I try the RDP connection again, the same thing happens. I tried activating the VPN on one of the two PCs via Wi-Fi using my mobile phone as a hotspot: in that case everything works normally.

Does this cause other devices on the network to become unstable, or only the PC being used for this RDP connection?

I am convinced that it is only the VPN connection that is unstable: I also tried to get help from a remote technical friend with teamviewer and during the various tests we had no other problems. Furthermore, at the same time, my family members used their devices without problems.

Yes, this sounds like it is indeed unrelated to OpenWrt.

I think it is related to OpenWrt because the problem is only there if the VPN goes through the flashed router.

So if you replace the OpenWrt router with another one (or flash the vendor firmware back onto the OpenWrt device), it works? Can you please confirm that with an actual experiment (rather than the observation from the past)?

Yes I'm sure. I encountered this problem after flashing the Fritz!Box. I already tried with another router without problems a few days ago. I also have no problem via wifi using my cell phone as a hotspot.

Can you try it back-to-back now to make sure that this holds true?

It takes me a bit of time... Do you think the test via wifi using my cell phone as a hotspot is not enough?