Openvpn routing problem

I have two routers. The first router has a cable inserted from the provider into the wan, and it distributes the Internet over Lan and Wlan, i.e. it works in standard mode. The second router connected to the first ( Lan-Lan) and works in the switch mode and as an openvpn server, for this I disabled dhcp on the Lan interface, registered a static ip from my local network and configured openvpn on the second router according to the openwrt wiki. Now I can connect to my home vpn server from my phone using a mobile network and the 'openvpn for android' application downloaded from f-droid. The problem is that the traffic does not pass beyond my openvpn server. when I try to ping google dns or my home gateway, I get...

From icmp_seq=4 Destination Port Unreachable

i also wanted to say that I turned off the firewall on the second router to avoid unnecessary settings and wanted to mention that according to the wiki I configured the routing in this way:

uci add_list openvpn.myvpn.push='route'
uci add_list openvpn.myvpn.push='redirect-gateway def1'

In the settings of the openvpn for android application, I tried to leave the default routes and force all traffic through the vpn, but it didn't work

Guys, tell me, what kind of logs should I send you to understand the problem?

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/firewall

It is bad idea. I suppose, you are going to configure tun interface. How second router running OpenVPN server connect to Internet? See routing table. The 'standard' configuration is to connect WAN port of second router into LAN port of first router.

From a first look R1 doesn't seem to have a static route for via R2. This is necessary, since you have disabled firewall on R2 and you cannot masquerade traffic from tunnel.

1 Like

There is a lack of free lan ports on R1. Therefore, in order for the devices connected to the lan ports of R2 to be in the same subnet as the devices connected to the lan ports of R1, I do not use wan on R2. In order for the Internet to work on R2, I also prescribed gateway and dns R1. And of course I configured the openvpn port forwarding to R1.

As for routing R1 and R2:

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default           My-static-IP         UG    0      0        0 wan
My-static-IP   *      U     0      0        0 wan     *        U     0      0        0 br-lan

R2 with installed openvpn server

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         UG    0      0        0 br-lan   UG    0      0        0 tun0        *      UH    0      0        0 tun0     *        U     0      0        0 br-lan

Like Trendy said, in R1 you need to install a route via 192.168.1.X where X is R2's IP on the R1 LAN. Then when Internet or LAN request packets from the phone appear on the R1 LAN, R1 knows to send the replies to R2 so they can be forwarded into the VPN tunnel and sent back to the phone.

The other approach is to use NAT in R2, which requires re-enabling the firewall and setting up two firewall zones such as vpn and lan and enabling forwarding from vpn to lan, and enable masquerade on lan. Now an Internet request from the phone will be translated inside R2 to appear to be from R2's interface on the LAN, and R1 can deal with it directly without an additional route.


thanks for anwer, I understand you about routing. I read a little wiki, and I see that not everything is so simple for me. routing commands vary depending on the windows, unix, and openwrt platforms. Could you give an example of a command to route traffic to R1 in my case...

Then you'd want to look at the other way, which would be to have R2 NAT the phone into your LAN. That is done entirely within R2.

Can I just use the route command to add a route? It's just that when I try to add a route manually on R1, I get an error.

root@OpenWrt:~# route add
route: netmask 000000ff and host route conflict

You can. You are usinging it wrongly though:

root@whale:[~]#route --help
BusyBox v1.33.2 (2022-02-16 20:29:10 UTC) multi-call binary.

Usage: route [-ne] [-A inet[6]] [{add|del} [-net|-host] TARGET [netmask MASK]
        [gw GATEWAY] [metric N] [mss BYTES] [window BYTES] [reject] [IFACE]]

Moreover it will not be restored if the interface goes down or router is reloaded.
It's better to use the uci static routes.

I added a route to r2 on r1. Now r1 can ping the openvpn gateway However, from my phone, I still cannot ping any subnet address, except for the address of openvpn itself and, only these two addresses pinged normally from my phone.

Upon successful connection to openvpn, the phone receives the ip address, I also tried to ping the phone with r1, and the ping also failed.
Also in the logs of the 'openvpn for android' application I see that the routes are assigned correctly:

19:31 Routes:,,

That doesn't seem right. Your network is a /24.

Can you ping from the OpenWrt router? Assuming the phone answers those pings it should also answer them originated from the main router.

I cannot ping the phone from the OpenWRT router(R1), the phone normally pings from the OpenVPN server(R2), and also from the phone itself I can only ping the OpenVPN server and But no other resources networks are not available from the phone.

You probably still have a routing issue and R1 doesn't know where to find the OpenVPN subnet. You can quickly bypass that by enabling masquerade on lan zone of R2.

Hi guys. Yesterday I spent several hours trying to figure out why the routing does not work, although I added a route to the network on R1. But it never worked, and it was already late and I just went to bed). And so, this morning I just rebooted R2 , and after turning it on everything works and now I can ping my local network from phone! I suspect that after adding a new route on R1, I just needed to restart two services on R2, first network and then openvpn. Thank you all!

1 Like

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.