Hello everyone! I'm new to OpenWRT. I just moved my TP-Link Archer C7v4 from stock firmware to OpenWRT and got one problem: outgoing connections to PIA VPN from the local network are blocked (I tried from an Android phone and an Arch PC). The configuration of OpenWRT on the router is almost default so far; the connection to PIA is via OpenVPN and Shadowsocks.
It'll be great if anyone can help, or at least point me to the part of the manual where I can find the answer.
Thank you.
Did you assign the vpn to a firewall zone with forwarding from the lan?
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </>" button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
ubus call system board
cat /etc/config/network
cat /etc/config/firewall
Also the zone that the VPN tunnel is in needs to have masquerade (SNAT) enabled. Typically the wan zone that is present by default is used for Internet access via a commercial VPN service.
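A quick way to run this zone check over a config file, as an added example (my own code, not OpenWrt's or anyone's in this thread): a minimal reader for the UCI syntax posted here flags interfaces that belong to no zone and forwardings whose destination zone has no masq. The embedded config is a constructed, abbreviated copy of the one posted in the thread, and the set of interface names is supplied by the caller.

```python
import shlex

# Constructed, abbreviated form of the thread's firewall config (rules omitted).
SAMPLE_FIREWALL = """
config zone
    option name 'lan'
    list network 'lan'
config zone
    option name 'wan'
    list network 'wan'
    list network 'wan6'
    option masq '1'
config forwarding
    option src 'lan'
    option dest 'wan'
"""

def parse_uci(text):
    """Minimal UCI reader: list of (section_type, {key: str | [str, ...]})."""
    sections = []
    for raw in text.splitlines():
        parts = shlex.split(raw, comments=True)  # strips the '...' quoting
        if not parts:
            continue
        if parts[0] == "config":
            sections.append((parts[1], {}))
        elif parts[0] == "option" and len(parts) == 3:
            sections[-1][1][parts[1]] = parts[2]
        elif parts[0] == "list" and len(parts) == 3:
            sections[-1][1].setdefault(parts[1], []).append(parts[2])
    return sections

def audit_firewall(fw_text, interfaces):
    """Flag interfaces in no zone (the REJECT defaults then apply to them)
    and forwardings into a zone that does not masquerade."""
    sections = parse_uci(fw_text)
    zones = {s["name"]: s for t, s in sections if t == "zone"}
    covered = {n for z in zones.values() for n in z.get("network", [])}
    findings = [f"interface '{i}' is in no firewall zone"
                for i in sorted(interfaces - covered - {"loopback"})]
    for t, fwd in sections:
        if t != "forwarding":
            continue
        src, dst = fwd.get("src"), fwd.get("dest")
        if dst not in zones:
            findings.append(f"forwarding {src}->{dst}: zone '{dst}' does not exist")
        elif zones[dst].get("masq") != "1":
            findings.append(f"forwarding {src}->{dst}: zone '{dst}' has no masq")
    return findings
```

Feed it the text of /etc/config/firewall and the interface names from /etc/config/network; an empty result means the lan-to-wan path is not the problem, which is the conclusion this thread reaches.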
{
"kernel": "6.6.73",
"hostname": "T_Hub",
"system": "Qualcomm Atheros QCA956X ver 1 rev 0",
"model": "TP-Link Archer C7 v4",
"board_name": "tplink,archer-c7-v4",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "24.10.0",
"revision": "r28427-6df0e3d02a",
"target": "ath79/generic",
"description": "OpenWrt 24.10.0 r28427-6df0e3d02a",
"builddate": "1738624177"
}
}
# cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd0c:8b5:e083::/48'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth0.1'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
config device
option name 'eth0.2'
option macaddr '50:c7:bf:d1:a0:3d'
config interface 'wan'
option device 'eth0.2'
option proto 'dhcp'
config interface 'wan6'
option device 'eth0.2'
option proto 'dhcpv6'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '2 3 4 5 0t'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '1 0t'
# cat /etc/config/firewall
config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
option flow_offloading '1'
option flow_offloading_hw '1'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
As you can see, wan zone has masquerade enabled.
Yes, but nowhere is your OpenVPN tunnel listed in the firewall. That's the problem.
Add a line to the wan zone like this:
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list device 'tun+'
Then restart and test again.
Tried, not working.
Is there a way to show the firewall output in the terminal? I see logs are disabled by default... At least I could see the connection attempts ~_~.
Let's see the updated firewall config as well as the output of:
logread -e openvpn
Here's output of firewall config:
cat /etc/config/firewall
config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
option flow_offloading '1'
option flow_offloading_hw '1'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list device 'tun+'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
And I have no OpenVPN on the router at all - I just want my router to forward pia-vpn traffic from LAN clients to WAN (I use the client apps on my Android and Linux PC devices in the LAN; I don't need VPN on my router because I choose a location every time I use it, and I need my gaming consoles to bypass any VPN).
Oh... that was not clear. You can undo the change I suggested.
OpenWrt does not block anything in terms of lan > wan, and your firewall confirms this.
Please explain what is giving you the impression that the VPN is being blocked (in general as well as by OpenWrt specifically).
When there was stock firmware on the router, pia-vpn connected just fine; when I installed OpenWRT it just keeps trying and can't connect from any device (Android or Linux PC, as I said). And if I switch to a mobile internet connection, it connects just fine. So my suggestion is that something in the OpenWRT firmware blocks pia-vpn traffic.
So here I am, asking you dumb questions about what can be the reason for my problem.
I can see a few other possible scenarios that could cause this -- none of them directly related to OpenWrt, though.
Let's start here... what is the output of the first two octets (in bold: aaa.bbb.ccc.ddd) of the following command:
ifstatus wan | grep address
It's
37.110
Ok. That is a public ip, so you don't have any issues with an ip/subnet conflict or double nat.
Let's see the logs from the OpenVPN connection attempt. That may reveal what is happening.
It's the pia-vpn client with method 'OpenVPN', so their logs are not so helpful, but here it is:
/opt/piavpn/bin/pia-client
[2025-06-07 22:23:38.814][033c][client.clientsettings][src/clientsettings.cpp:59][info] XDG_SESSION_TYPE "X11"
[2025-06-07 22:23:38.814][033c][client.clientsettings][src/clientsettings.cpp:60][info] XDG_CURRENT_DESKTOP "KDE"
[2025-06-07 22:23:38.814][033c][common.json][src/json.cpp:377][debug] Successfully read clientsettings.json
[2025-06-07 22:23:38.814][033c][client.linux_env][src/linux/linux_env.cpp:21][info] XDG_CURRENT_DESKTOP= "KDE"
[2025-06-07 22:23:38.814][033c][client.linux_env][src/linux/linux_env.cpp:69][info] Detected desktop KDE and RTL: 0
[2025-06-07 22:23:38.819][033c][common.util][src/builtin/util.cpp:246][info] Initializing crash handler
[2025-06-07 22:23:38.820][033c][common.logging][src/builtin/logging.cpp:314][info] Initializing LoggerPrivate
[2025-06-07 22:23:38.820][033c][common.logging][src/builtin/logging.cpp:340][info] Loaded debug.txt with filter rules: (" ", "[rules]", "*.debug=false", "*.info=false", "*.warning=false")
[2025-06-07 22:23:38.820][033c][common.logging][src/builtin/logging.cpp:428][info] Starting log session (v3.6.1+08339)
[2025-06-07 22:23:38.820][033c][common.appsingleton][src/appsingleton.cpp:43][warning] Unable to attach to shared memory ""
[2025-06-07 22:23:38.820][033c][common.appsingleton][src/appsingleton.cpp:136][debug] Checking for another instance
[2025-06-07 22:23:38.820][033c][common.appsingleton][src/appsingleton.cpp:160][debug] Value of shared memory data is 0
[2025-06-07 22:23:38.820][033c][client.main][src/main.cpp:431][info] Current launch-on-login: 1
[2025-06-07 22:23:38.820][033c][client.clientsettings][src/clientsettings.cpp:59][info] XDG_SESSION_TYPE "X11"
[2025-06-07 22:23:38.820][033c][client.clientsettings][src/clientsettings.cpp:60][info] XDG_CURRENT_DESKTOP "KDE"
[2025-06-07 22:23:38.820][033c][regions.displaytext][src/displaytext.cpp:83][error] Invalid language code in language tag
[2025-06-07 22:23:38.820][033c][regions.displaytext][src/displaytext.cpp:54][error] Invalid language tag: - Invalid language code
[2025-06-07 22:23:38.820][033c][client.clientsettings][src/clientsettings.cpp:80][warning] Current language "" is not a valid BCP-47 tag, defaulting to en-US
[2025-06-07 22:23:38.837][033c][client.client][src/client.cpp:427][info] Changed to locale "en-US"
[2025-06-07 22:23:38.864][033c][qml][qrc:/components/helpers/ConnStateHelper.qml:44][error] Unhandled connection state:
[2025-06-07 22:23:38.871][033c][client.platformscreens][src/platformscreens.cpp:34][info] Updating screens due to notification
[2025-06-07 22:23:38.871][033c][client.platformscreens][src/platformscreens.cpp:46][info] Screens changed from ( 0 ):
[2025-06-07 22:23:38.871][033c][client.platformscreens][src/platformscreens.cpp:48][info] to ( 1 ):
[2025-06-07 22:23:38.871][033c][client.platformscreens][src/platformscreens.cpp:42][info] - 0 QRect(0,0 2560x1440) QRect(40,32 2520x1408) (primary)
[2025-06-07 22:23:38.873][033c][client.nativehelpers][src/nativehelpers.cpp:189][info] requested alpha: -1 - actual alpha: -1
[2025-06-07 22:23:38.918][033c][client.client][src/client.cpp:853][debug] Sending activate notification
[2025-06-07 22:23:38.918][033c][common.jsonrpc][src/jsonrpc.cpp:322][info] Sending request QJsonValue(double, 1) to invoke RPC method "notifyClientActivate"
[2025-06-07 22:23:39.060][033c][common.jsonrpc][src/jsonrpc.cpp:409][info] Request 1 succeeded
[2025-06-07 22:23:39.060][033c][client.client][src/client.cpp:873][info] Client connected, loading UI
[2025-06-07 22:23:39.111][033c][client.client][src/client.cpp:434][debug] Applying settings: {"themeName":"dark"}
[2025-06-07 22:23:39.111][033c][common.json][src/json.cpp:391][debug] Successfully wrote clientsettings.json
[2025-06-07 22:23:39.276][033c][client.nativehelpers][src/nativehelpers.cpp:855][info] Observed connection to urlOpenRequested, check for queued URL event on main thread
[2025-06-07 22:23:39.946][033c][client.nativehelpers][src/nativehelpers.cpp:189][info] requested alpha: -1 - actual alpha: -1
[2025-06-07 22:23:40.084][033c][client.nativetrayqt][src/linux/nativetrayqt.cpp:433][info] guess tray icon QRect(2559,32 1x1) with screen QRect(0,0 2560x1440) and work area QRect(40,32 2520x1408)
[2025-06-07 22:23:40.092][033c][client.linux_scaler][src/linux/linux_scaler.cpp:197][info] DPI setting '"Xft.dpi: 96"' from xrdb results in scale -> 1
[2025-06-07 22:23:40.092][033c][client.linux_scaler][src/linux/linux_scaler.cpp:223][info] Scale factors:
[2025-06-07 22:23:40.092][033c][client.linux_scaler][src/linux/linux_scaler.cpp:224][info] - PIA: 0
[2025-06-07 22:23:40.092][033c][client.linux_scaler][src/linux/linux_scaler.cpp:225][info] - Qt: 0
[2025-06-07 22:23:40.092][033c][client.linux_scaler][src/linux/linux_scaler.cpp:226][info] - Qt(screen): 0
[2025-06-07 22:23:40.092][033c][client.linux_scaler][src/linux/linux_scaler.cpp:227][info] - Xft.dpi: 1
[2025-06-07 22:23:40.092][033c][client.trayiconmanager][src/trayiconmanager.cpp:121][debug] Tray icon: QRect(2559,32 1x1) - Screen bound: QRect(0,0 2560x1440) - work area: QRect(40,32 2520x1408) - scale: 1
[2025-06-07 22:23:40.152][033c][client.window][src/nativeacc/window.cpp:355][info] window "PIA Dashboard" focus 0 -> 1
[2025-06-07 22:23:44.933][033c][common.jsonrpc][src/jsonrpc.cpp:322][info] Sending request QJsonValue(undefined) to invoke RPC method "connectVPN"
That log has almost zero output about anything network related. You may need to talk to PIA to troubleshoot this one.
The only thing I see as an error is this:
But the lack of any actual information means there's no way to know what is wrong.
That said, I have one idea we can try on OpenWrt...
delete the wan6 interface:
Then restart and try again.
I think the problem can be related to the multi-hop connection - it first connects to SOCKS5 or Shadowsocks and then to the OpenVPN server itself. I tried both methods with the same results (both work on a mobile connection though).
I suspect that this is related to either your ISP (possibly blocking the connection) or something in the VPN context (the SOCKS or OpenVPN server itself) not allowing your IP.
Do you have another router you can use in place of the OpenWrt router? Or maybe you can reflash your C7v4 to the stock firmware (which you said was working). When you do so, the key thing is to compare the WAN IP address -- is it the same as or different from the one you currently have on your OpenWrt wan (make a note of the full IP per the previous check for comparison).
I can connect the WAN cable directly to my laptop and find out. Is it credible?
Sure. That should be fine. Make a note of the IP address you get on your laptop.
From the laptop it's 95.84 (pia-vpn connects without problems). And when I plug it back into the router it shows 37.110 again. I have no static IP, so I think that's normal.
Is there some NAT option which can cause this problem?