OpenWrt preventing VPN gateway VM from working properly

Hi all. Something is going wrong with my setup so I would really appreciate it if this can be fixed.

Before, I used to have an Archer C2 running on stock firmware, with a VPN "gateway" VM. I followed instructions from this YouTube video to set up this VM: https://www.youtube.com/watch?v=gyatgrlqFtE just not on a Pi. Then I put the VM's IP in the default gateway section in the DHCP settings of the router. It worked really well.

That is until I decided to switch out the firmware of the router to OpenWRT. So the installation went fine and I managed to get OpenWRT installed on the router. I changed the DHCP options to push the VM's IP to the DHCP clients. So far so good. Then I verified Internet was working when the VPN was off. I tried traceroute and it correctly showed the traffic first went through the VPN gateway VM, before going through the router and to the Internet.

But when I switched on the VPN, the connection established successfully as far as I could tell (OpenVPN showed Initialized connection successfully or something like that) but no traffic would go across. When I tried pinging anything, there would be zero packets going through. Running traceroute showed that packets just stopped going anywhere after the first hop to the VPN gateway VM.

I tried running traceroute on the VM itself - when the VPN was off it correctly hopped to the router, and then to the Internet. When the VPN was on, however, it jumped to this random IP: 10.64.0.1 - which, I presume, is some IP used for the VPN client or something like that - and then didn't go anywhere. Didn't go to the router IP.

Can somebody tell me what I'm doing wrong here? Here's a network diagram that might be useful: https://imgur.com/L92zHPO

I run a similar setup and the edge router needs nothing special. The only difference is that my DNS / DHCP client options are not fed from the edge. And because you gave us the critical info about the vpn being operational with alternate edge, we can pretty much exclude rpfiltering and unwanted NAT on the vpn stick router, which can commonly interfere with this type of setup.

So if I had to guess... I would think it's your DHCP server's DNS options.

Can you please post the output of (in code tags):

uci show dhcp
uci show | grep mss

Hi! Here's the output:

root@OpenWrt:~# uci show dhcp
dhcp.@dnsmasq[0]=dnsmasq
dhcp.@dnsmasq[0].domainneeded='1'
dhcp.@dnsmasq[0].localise_queries='1'
dhcp.@dnsmasq[0].rebind_protection='1'
dhcp.@dnsmasq[0].rebind_localhost='1'
dhcp.@dnsmasq[0].local='/lan/'
dhcp.@dnsmasq[0].domain='lan'
dhcp.@dnsmasq[0].expandhosts='1'
dhcp.@dnsmasq[0].authoritative='1'
dhcp.@dnsmasq[0].readethers='1'
dhcp.@dnsmasq[0].leasefile='/tmp/dhcp.leases'
dhcp.@dnsmasq[0].resolvfile='/tmp/resolv.conf.auto'
dhcp.@dnsmasq[0].localservice='1'
dhcp.@dnsmasq[0].nonwildcard='0'
dhcp.lan=dhcp
dhcp.lan.interface='lan'
dhcp.lan.start='100'
dhcp.lan.limit='150'
dhcp.lan.dhcpv6='server'
dhcp.lan.ra='server'
dhcp.lan.ra_management='1'
dhcp.lan.leasetime='1h'
dhcp.lan.dhcp_option='3,192.168.0.103' '6,192.168.0.102'
dhcp.wan=dhcp
dhcp.wan.interface='wan'
dhcp.wan.ignore='1'
dhcp.odhcpd=odhcpd
dhcp.odhcpd.maindhcp='0'
dhcp.odhcpd.leasefile='/tmp/hosts/odhcpd'
dhcp.odhcpd.leasetrigger='/usr/sbin/odhcpd-update'
dhcp.@host[0]=host
dhcp.@host[0].mac='00:0e:04:b7:65:df'
dhcp.@host[0].ip='192.168.0.100'
dhcp.@host[0].name='derrickserver'
dhcp.@host[0].dns='1'
dhcp.@host[1]=host
dhcp.@host[1].name='pi-hole'
dhcp.@host[1].dns='1'
dhcp.@host[1].mac='52:54:00:16:c0:79'
dhcp.@host[1].ip='192.168.0.102'
dhcp.@host[2]=host
dhcp.@host[2].name='vpn'
dhcp.@host[2].dns='1'
dhcp.@host[2].mac='52:54:00:17:a4:cd'
dhcp.@host[2].ip='192.168.0.103'
dhcp.@host[3]=host
dhcp.@host[3].name='octopi'
dhcp.@host[3].dns='1'
dhcp.@host[3].mac='b8:27:eb:63:97:94'
dhcp.@host[3].ip='192.168.0.104'

Here's the second command's output:

root@OpenWrt:~# uci show | grep mss

Nothing is coming up for the second command?

One more thing. As you can see in the diagram I also have a pi-hole running, and the IP of the pi-hole (192.168.0.102) is being pushed to the DHCP clients via the DHCP options. But I really don't think DNS is the issue, because whenever I test ping I make sure to ping 8.8.8.8 first.

It seems like the gateway is working properly with the VPN off; therefore I know the packet routing is going well. I confirmed this with traceroute: the packet correctly goes to the VM first, then the router, then the "carrier router (inaccessible)" then out to the Internet.

So it's the VPN, but I don't understand why it won't work. Running a traceroute shows that the packet stops within the internal VPN network (the first hop is to some random 10.64.0.1 IP, and then the packet goes nowhere) inside the VM. I would presume this means the packet never goes through to the VPN, which is why our Internet goes off whenever the VPN comes on.

Strangely, this would indicate a connection problem between the VPN and the VM. But, if this was the case, the initial connection would never be made. Since it does correctly connect ("Initialization sequence completed" in OpenVPN), I'm at a loss here. The VPN tunnel does not seem to forward any packets once the connection is established.

If anybody knows why this is the case it would be appreciated. The only thing that changed in the setup is the firmware :confused:

I tried tracerouting while specifying the interface (enp1s0). This is the output (with the VPN on):

ideaman924@vpn-passthrough:~$ sudo traceroute -4 -i enp1s0 8.8.8.8
[sudo] password for ideaman924:
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  192.168.0.1 (192.168.0.1)  0.538 ms  0.518 ms  0.659 ms
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  * * *

This is really confusing me. Why won't the packet make it past the router? As a reference, enp1s0 is the default Ethernet interface, and tun0 is the VPN interface. If I run it with tun0:

ideaman924@vpn-passthrough:~$ sudo traceroute -4 -i tun0 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  10.116.0.1 (10.116.0.1)  256.082 ms  256.106 ms  256.064 ms
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *

With the VPN off I get this:

ideaman924@vpn-passthrough:~$ sudo traceroute -4 -i enp1s0 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  192.168.0.1 (192.168.0.1)  0.400 ms  0.418 ms  0.548 ms
 2  192.168.2.1 (192.168.2.1)  2.319 ms  2.327 ms  2.213 ms
 3  42.84.128.1 (42.84.128.1)  9.946 ms  10.184 ms  11.368 ms
 4  61.189.67.137 (61.189.67.137)  7.755 ms 61.189.67.141 (61.189.67.141)  11.973 ms 61.189.67.137 (61.189.67.137)  7.949 ms
... // useless output

Any ideas why the router will stop transporting packets when the VPN is on?

Is it IPsec? Not OpenVPN?

Nope, OpenVPN.

I tried flushing all iptables rules on the VM box. No change. So it's not a routing issue within the VM itself. Something is going horribly wrong with the OpenWRT firmware and the default gateway.

A Redditor mentioned that it might be the router and gateway ping-ponging the packet so it never goes through. Assuming that is the case, what do I need to change on the router in order to fix this problem?

Bump. It's been three days and I have yet to find a solution...

Can somebody check if these routing tables look good? This is on the VPN VM gateway.

VPN OFF:

ideaman924@vpn-passthrough:~$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.0.1     0.0.0.0         UG    0      0        0 enp1s0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 enp1s0

VPN ON:

ideaman924@vpn-passthrough:~$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.66.0.13      128.0.0.0       UG    0      0        0 tun0
0.0.0.0         192.168.0.1     0.0.0.0         UG    0      0        0 enp1s0
10.66.0.1       10.66.0.13      255.255.255.255 UGH   0      0        0 tun0
10.66.0.13      0.0.0.0         255.255.255.255 UH    0      0        0 tun0
128.0.0.0       10.66.0.13      128.0.0.0       UG    0      0        0 tun0
173.239.199.119 192.168.0.1     255.255.255.255 UGH   0      0        0 enp1s0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 enp1s0

@anon50098793 how did you set your network up? I still don't understand what the heck is going on. If I try connecting to the VPN on my clients then it works perfectly fine. I don't understand why the gateway is suddenly not working. Is there some setting in OpenWRT that prevents the gateway from passing packets?
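To answer "do these routing tables look good?" mechanically, here is an added example (not from the thread or from OpenWrt/OpenVPN) that parses the two `route -n` tables pasted above and does the kernel's longest-prefix lookup on them, plus a check for the 0.0.0.0/1 + 128.0.0.0/1 pair that OpenVPN's redirect-gateway def1 installs. The embedded tables are copies of the poster's output; everything else is assumed for illustration.

```python
import ipaddress

# Both tables are copied from the poster's `route -n` output above.
ROUTE_VPN_OFF = """\
0.0.0.0         192.168.0.1     0.0.0.0         UG    0      0        0 enp1s0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 enp1s0
"""
ROUTE_VPN_ON = """\
0.0.0.0         10.66.0.13      128.0.0.0       UG    0      0        0 tun0
0.0.0.0         192.168.0.1     0.0.0.0         UG    0      0        0 enp1s0
10.66.0.1       10.66.0.13      255.255.255.255 UGH   0      0        0 tun0
10.66.0.13      0.0.0.0         255.255.255.255 UH    0      0        0 tun0
128.0.0.0       10.66.0.13      128.0.0.0       UG    0      0        0 tun0
173.239.199.119 192.168.0.1     255.255.255.255 UGH   0      0        0 enp1s0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 enp1s0
"""

def parse_routes(text):
    """Parse `route -n` lines into (network, gateway-or-None, metric, iface)."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 8 or parts[0] == "Destination":
            continue  # skip banner/header lines if they were pasted too
        dest, gw, mask, _flags, metric, _ref, _use, iface = parts
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, None if gw == "0.0.0.0" else gw, int(metric), iface))
    return routes

def lookup(routes, dst):
    """Longest-prefix match, lowest metric on ties: what the kernel FIB does."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r[0]]
    if not candidates:
        return None
    net, gw, _metric, iface = max(candidates, key=lambda r: (r[0].prefixlen, -r[2]))
    return {"iface": iface, "via": gw or "on-link", "prefixlen": net.prefixlen}

def has_def1_override(routes):
    """True when 0.0.0.0/1 and 128.0.0.0/1 point at the same interface: the
    redirect-gateway def1 pattern, which beats /0 without deleting it."""
    halves = {str(net): iface for net, _, _, iface in routes if net.prefixlen == 1}
    return "0.0.0.0/1" in halves and halves["0.0.0.0/1"] == halves.get("128.0.0.0/1")

if __name__ == "__main__":
    for name, table in (("VPN off", ROUTE_VPN_OFF), ("VPN on", ROUTE_VPN_ON)):
        print(name, lookup(parse_routes(table), "8.8.8.8"))
```

Run against the VPN-on table it shows 8.8.8.8 leaving via tun0 (next hop 10.66.0.13) while the VPN server's own /32 and the LAN stay on enp1s0, i.e. the table is the normal def1 layout and the silence after hop 1 has to come from the far side of the tunnel.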

Days of debugging were all for nothing. Turns out, the VPN provider sunsetted that particular location, so connections always established but did not transport any packets. Which is why I was running around in circles looking for problems that were not there.

Kill me now. Well, thank you all for the help! Coincidences
