Outdoor Router / OpenVPN / EZR33 (how to VPN an LTE connection)

Hi everyone, I don't like posting new topics because with a little time and reading I can work most things out, but I'm simply out of options. (I'm not an IT guy, but I know a small amount.)

My set up:

Hostname: OutdoorRouter
Model: EZR33
Architecture: Qualcomm Atheros QCA9531 ver 2 rev 0
Firmware Version: EV3108
Kernel Version: 4.9.152
Mobile Modem: EP06ELAR03A08M4G

As you might already know, this is a GSM/LTE based router. I have it because I can't get a good wired connection where I am.

Everything is set up and working as it should; however, when I enable the VPN in OpenVPN it connects and the interface tun0 is up, but there is no RX data and very little TX data. I also lose internet when the tunnel is open.

I guess it's a routing problem in the firewall. I've tried everything I can think of and followed many guides with the same result (VPN up, internet down, or even worse I lock myself out and have to climb on the roof to reset it).

A guide to what I'm doing:
Install and start the device.

opkg update
opkg install openvpn-openssl luci-app-openvpn ca-certificates

Enter the ExpressVPN .ovpn file data, or SSH in and load it that way.
I've uploaded the correct files via WinSCP and via the GUI.
I've tried enabling and disabling PULL.

I've finally decided that the VPN settings are correct and it must be something silly I'm overlooking, or a firewall/port issue.

I could be wrong, but interfaces "wan" and "mobile" are in the same firewall group, and if I move or add anything to this group I lose internet. My feeling is that the mobile supplies the WAN, which supplies both Ethernet and Wi-Fi over a bridge.

I've been at this for 7 weeks, almost every day and night. I've gotten to the point where I feel like I'm doing the same thing over and over.

I NEED SOMEONE WHO KNOWS HOW TO VPN AN LTE CONNECTION. PLEASE

Any more info or questions, I will be happy to help. Has anyone done this before with an EZR30 or EZR33?

My only goal is to run the VPN on the router so I don't need to do it on all my family's devices, and on devices that don't support VPN.

IM WILLING TO PAY IF SOMEONE CAN SHOW ME WHAT IM DOING WRONG

Config for reference:

// NETWORK

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config interface 'lan'
	option type 'bridge'
	option proto 'static'
	option netmask '255.255.255.0'
	option ifname 'eth1'
	option ipaddr '192.168.0.2'

config interface 'wan'
	option proto 'dhcp'
	option ifname 'eth0'
	option metric '1'

config interface 'MOBILE'
	option proto 'qmi'
	option device '/dev/cdc-wdm0'
	option metric '3'

config interface 'VPN'
	option proto 'none'
	option ifname 'tun0'
	option auto '1'

// FIREWALL

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config zone
	option name 'wan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6 MOBILE'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'
	option family 'any'
	option reload '1'

config zone
	option name 'exp_fw'
	option input 'ACCEPT'
	option forward 'REJECT'
	option output 'ACCEPT'
	option network 'ExpressVPN VPN'

// EXPRESS VPN OPENVPN Config

config openvpn 'express_vpn'
	option dev 'tun'
	option ifconfig ''
	option nobind '1'
	option verb '3'
	option port '1195'
	option ca '/etc/luci-uploads/cbid.openvpn.express_vpn.ca'
	option cert '/etc/luci-uploads/cbid.openvpn.express_vpn.cert'
	option key '/etc/luci-uploads/cbid.openvpn.express_vpn.key'
	option proto 'udp'
	option persist_tun '1'
	option persist_key '1'
	option tun_mtu '1500'
	option sndbuf '524288'
	option rcvbuf '524288'
	option tls_client '1'
	option cipher 'AES-256-CBC'
	option auth 'SHA512'
	option keysize '256'
	option tls_auth '/etc/openvpn/tlsauth.key'
	option key_direction '1'
	option fast_io '1'
	option route_delay '2'
	option ns_cert_type 'server'
	option client '1'
	option pull '1'
	option remote_random '1'
	option auth_user_pass '/etc/openvpn/userpass.txt'
	list remote 'uk-berkshire-2-ca-version-2.expressnetw.com 1195'

PS: THESE ARE THE DEFAULT FIREWALL SETTINGS, AS I JUST HAD TO CLIMB UP AND HARD RESET IT :(

So if I understand correctly, you do have internet access when VPN is connected, but very bad?

Looks like packets are getting dropped. You should test your MTU settings with a simple ping from a client while OpenVPN is connected to the VPN. Let's start with your setting (MTU = 1500, therefore the packet size should be 1500 - 28 bytes = 1472). The first command is for Linux, the second is for Windows:

ping -M do -s 1472 google.com
ping -f -l 1472 google.com

OpenVPN logs should be really handy too, to see what is going wrong. Please post them.

Also note that VPN over UDP relies on a stable internet connection (which isn't always the case with mobile connections). You should try to run an OpenVPN client on a desktop instead of OpenWRT to exclude configuration errors.

STEP BY STEP

Power on the device.
Internet is there for a few seconds.
The tunnel opens and nothing.
I can ping 8.8.8.8 -t forever and get nothing back.

I played with my MTU settings.

I understand, but I'm about 200 m from the mast and my internet is perfect when the VPN is not enabled. The limiting factor on the internet speed is the LAN connection on the router (100 Mbit); the GSM connection maxes this out on every speed test.

OpenVPN runs with no problems on the desktop.

Okay so we can exclude that. A quick read of your config indicates that your hunch may be right when it comes to the firewall. Unfortunately I can't test it for you. Please provide the route information from your OpenWRT router.

You might want to reset your firewall rules and try 4.1b of this guide. Of course, for the WAN zone options your mobile connection must be included in the covered networks (general settings tab), and tun0 should be selected in the covered devices (advanced settings tab).

(btw you don't have a wired WAN connection connected to your OpenWRT right?)

I think it's the firewall and port forwarding (I don't know that much about it), but it doesn't look too hard and I've tried 100's of different things, but nothing works. So I reset the firewall settings to normal, minus the firewall zone for the VPN, which can be deleted with a click. I've followed that guide to the letter and nothing. I followed many, many guides, but I always end up with the same result: no internet or no access to the router. I'll get the system log shortly.

The configuration you have looks designed to run primarily Ethernet for the ISP and "fail over" to LTE. If your Internet is exclusively by LTE you should change the wan to proto qmi, so the modem is always the main WAN, and not reference Ethernet at all. Then you don't need a "modem" network or consideration in the firewall beyond the default "wan."

Convention is to use lowercase for network names. Using uppercase isn't going to break it but you have to be very careful to stay consistent and match the names exactly.

Check that it is fully authenticating and connecting to the VPN service, and that you can ping the VPN server IP at the other side of the tunnel.

It is necessary to masquerade into the VPN tunnel. Typically this is done by adding it to the wan zone which already has masquerading enabled.

After the VPN comes up examine the routing table.
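As an added example (not from the thread or from OpenWrt), a small Python check that parses a UCI firewall dump and reports the gaps described above: the tunnel network must sit in a zone, that zone must masquerade, and lan must forward into it. The network names are assumed from the posted /etc/config/network, and the input is a constructed, trimmed copy of the posted firewall zones.

```python
import re

# Constructed sample: the wan zone, the lan->wan forwarding and the exp_fw
# zone from the thread's firewall config, trimmed to the options read here.
FIREWALL = """config zone
	option name 'wan'
	option masq '1'
	option network 'wan wan6 MOBILE'
config forwarding
	option src 'lan'
	option dest 'wan'
config zone
	option name 'exp_fw'
	option network 'ExpressVPN VPN'
"""
# Networks defined in the thread's /etc/config/network (assumed from the post).
NETWORKS = ("loopback", "lan", "wan", "MOBILE", "VPN")

def parse_uci(text):
    """Parse UCI text into a list of (section_type, {key: value}) pairs."""
    sections = []
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"config\s+(\w+)", line)
        if m:
            sections.append((m.group(1), {}))
            continue
        m = re.match(r"(option|list)\s+(\w+)\s+'(.*)'$", line)
        if m and sections:
            kind, key, val = m.groups()
            opts = sections[-1][1]
            if kind == "list":
                opts.setdefault(key, []).append(val)
            else:
                opts[key] = val
    return sections

def check_vpn_zone(text, vpn_net, known_nets):
    """List the gaps that would stop LAN clients from using the tunnel."""
    secs = parse_uci(text)
    zones = [o for t, o in secs if t == "zone"]
    fwds = [o for t, o in secs if t == "forwarding"]
    zone = next((z for z in zones if vpn_net in z.get("network", "").split()), None)
    if zone is None:
        return ["network %s is in no firewall zone" % vpn_net]
    name, findings = zone["name"], []
    for net in zone["network"].split():  # names must match network config exactly
        if net not in known_nets:
            findings.append("zone %s covers unknown network %s" % (name, net))
    if zone.get("masq") != "1":
        findings.append("zone %s has no masq; traffic is not NATed into tun0" % name)
    if not any(f.get("src") == "lan" and f.get("dest") == name for f in fwds):
        findings.append("no forwarding from lan to zone %s" % name)
    return findings
```

A zone can also cover the tunnel by device (`option device 'tun0'`) rather than by network name; this check only looks at the network list.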

Big thanks to everyone for the help. I've spent some time reading and researching, as I'm away for work and don't want to risk cutting the internet off until I'm physically there to reset any problems.

Mk24, I think you are on to something.
I also found this post.

So my thinking is to just set up the wan interface as the LTE connection and configure the firewall as if it was a normal router. I haven't tested anything, but I'm hopeful it might work.

Also seen some posts relating to NAT problems and LTE connections. Not sure exactly what NAT is or why it affects VPN traffic; more research needed.

Solved Ronn?