OVPN on OpenWrt repeater

Dear All,
Need your help. I am using my OpenWrt router in wired repeater mode, and under Status it reads as follows:

Protocol: DHCP client
Address: 192.168.1.2/24
Gateway: 192.168.1.1
DNS 1: XXX.XXX.XXX.XXX #(this shows my ISP's DNS1)
DNS 2: XXX.XXX.XXX.XXX #(this shows my ISP's DNS2)
Expires: 23h 54m 17s
Connected: 0h 5m 43s

Device: Bridge: "br-lan"
MAC-Address: xx:xx:xx:xx:xx:xx

I have installed OVPN and I can start a VPN session; on the OpenWrt router, "traceroute openwrt.org" reads as follows:

root@OpenWrt:~# traceroute openwrt.org
traceroute to openwrt.org (139.59.209.225), 30 hops max, 38 byte packets
 1  *  *  *
 2  100.65.0.1 (100.65.0.1)  2.819 ms  3.520 ms  2.736 ms
 3  198.51.100.2 (198.51.100.2)  8.401 ms  3.438 ms  3.794 ms
 4  198.51.100.1 (198.51.100.1)  5.185 ms  5.010 ms  6.958 ms
 5  103.87.125.17 (103.87.125.17)  13.840 ms  5.803 ms  8.512 ms
 6  103.87.124.46 (103.87.124.46)  116.315 ms  115.571 ms  116.193 ms
 7  fra2-edge1.digitalocean.com (80.81.195.151)  137.194 ms  140.843 ms  138.046 ms
 8  *  *  138.197.250.138 (138.197.250.138)  138.217 ms
 9  *  *  *
10  *  *  *
11  wiki-01.infra.openwrt.org (139.59.209.225)  137.735 ms  137.810 ms  135.296 ms

but I have "NO" VPN service for clients connected to the OpenWrt repeater; when I look up my IP from a PC connected to OpenWrt, it just shows the IP given by my ISP.

but "tracert openwrt.org" on CMD reads as follows:

C:\Windows\System32>tracert openwrt.org

Tracing route to openwrt.org [139.59.209.225]
over a maximum of 30 hops:

  1     *        *        *     Request timed out.
  2     7 ms     7 ms    10 ms  100.65.0.1
  3    15 ms     6 ms     5 ms  198.51.100.2
  4    14 ms     5 ms     5 ms  198.51.100.1
  5    23 ms     7 ms     6 ms  103.87.125.17
  6   118 ms   115 ms   114 ms  103.87.124.42
  7   141 ms   145 ms   137 ms  fra2-edge1.digitalocean.com [80.81.195.151]
  8   140 ms   140 ms   143 ms  138.197.250.138
  9     *        *        *     Request timed out.
 10     *        *        *     Request timed out.
 11   138 ms   143 ms   140 ms  wiki-01.infra.openwrt.org [139.59.209.225]

Trace complete.

Hope I have made the issue clear here.

Can somebody please help me with this?

You need to switch to the routed mode if you want to route LAN clients to the VPN.
It's problematic to implement using the bridged/repeater mode.


Thanks... can you please guide me here?

Can you add static routes on the main router, i.e. 192.168.1.1?


You mean this?


Yes, add this route assuming that 192.168.2.0/24 is not in use yet:

Interface: LAN
Network:   192.168.2.0
Mask:      255.255.255.0
Gateway:   192.168.1.2

Also post the output from OpenWrt redacting the private parts:

uci show network; uci show wireless; uci show dhcp; uci show firewall

root@OpenWrt:~# uci show network; uci show wireless; uci show dhcp; uci show firewall
network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fda5:ac8f:40f8::/48'
network.wan=interface
network.wan.ifname='eth0.1'
network.wan.proto='dhcp'
network.wan.peerdns='0'
network.wan.dns='103.86.96.100' '103.86.99.100'
network.wan6=interface
network.wan6.ifname='eth0.1'
network.wan6.proto='dhcpv6'
network.wan6.disabled='1'
network.lan=interface
network.lan.type='bridge'
network.lan.ifname='eth0.2'
network.lan.delegate='0'
network.lan.proto='dhcp'
network.@switch[0]=switch
network.@switch[0].name='switch0'
network.@switch[0].reset='1'
network.@switch[0].enable_vlan='1'
network.@switch[0].ar8xxx_mib_type='0'
network.@switch[0].ar8xxx_mib_poll_interval='500'
network.@switch_vlan[0]=switch_vlan
network.@switch_vlan[0].device='switch0'
network.@switch_vlan[0].vlan='1'
network.@switch_vlan[0].ports='1 0t'
network.@switch_vlan[1]=switch_vlan
network.@switch_vlan[1].device='switch0'
network.@switch_vlan[1].vlan='2'
network.@switch_vlan[1].ports='2 0t'
network.tun0=interface
network.tun0.ifname='tun0'
network.tun0.proto='none'
network.tun0.auto='0'
wireless.radio0=wifi-device
wireless.radio0.type='mac80211'
wireless.radio0.hwmode='11a'
wireless.radio0.path='pci0000:00/0000:00:00.0'
wireless.radio0.htmode='VHT80'
wireless.radio0.channel='auto'
wireless.default_radio0=wifi-iface
wireless.default_radio0.device='radio0'
wireless.default_radio0.network='lan'
wireless.default_radio0.mode='ap'
wireless.default_radio0.key='kumu-LK*netSAT@1981'
wireless.default_radio0.ssid='MH370-5G'
wireless.default_radio0.encryption='psk2'
wireless.radio1=wifi-device
wireless.radio1.type='mac80211'
wireless.radio1.hwmode='11g'
wireless.radio1.path='platform/qca956x_wmac'
wireless.radio1.htmode='HT20'
wireless.radio1.channel='auto'
wireless.default_radio1=wifi-iface
wireless.default_radio1.device='radio1'
wireless.default_radio1.network='lan'
wireless.default_radio1.mode='ap'
wireless.default_radio1.key='kumu-LK*netSAT@1981'
wireless.default_radio1.ssid='MH370'
wireless.default_radio1.encryption='psk2'
dhcp.@dnsmasq[0]=dnsmasq
dhcp.@dnsmasq[0].localise_queries='1'
dhcp.@dnsmasq[0].local='/lan/'
dhcp.@dnsmasq[0].domain='lan'
dhcp.@dnsmasq[0].expandhosts='1'
dhcp.@dnsmasq[0].leasefile='/tmp/dhcp.leases'
dhcp.@dnsmasq[0].resolvfile='/tmp/resolv.conf.auto'
dhcp.@dnsmasq[0].boguspriv='0'
dhcp.@dnsmasq[0].localservice='0'
dhcp.@dnsmasq[0].sequential_ip='1'
dhcp.@dnsmasq[0].rebind_protection='0'
dhcp.@dnsmasq[0].domainneeded='1'
dhcp.@dnsmasq[0].readethers='1'
dhcp.lan=dhcp
dhcp.lan.interface='lan'
dhcp.lan.ignore='1'
dhcp.wan=dhcp
dhcp.wan.interface='wan'
dhcp.wan.ignore='1'
dhcp.odhcpd=odhcpd
dhcp.odhcpd.maindhcp='0'
dhcp.odhcpd.leasefile='/tmp/hosts/odhcpd'
dhcp.odhcpd.leasetrigger='/usr/sbin/odhcpd-update'
dhcp.odhcpd.loglevel='4'
dhcp.@domain[0]=domain
dhcp.@domain[0].name='LG_WebOS_TV'
dhcp.@domain[0].ip='192.168.1.10'
firewall.@defaults[0]=defaults
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@defaults[0].synflood_protect='1'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[0].masq='1'
firewall.@zone[0].network='lan tun0'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@zone[1].device='tun0'
firewall.@zone[1].network='wan wan6'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.@rule[9]=rule
firewall.@rule[9].name='Allow-OpenVPN-Inbound'
firewall.@rule[9].target='ACCEPT'
firewall.@rule[9].src='wan'
firewall.@rule[9].proto='udp'
firewall.@rule[9].dest_port='1194'
firewall.@zone[2]=zone
firewall.@zone[2].name='vpn'
firewall.@zone[2].input='ACCEPT'
firewall.@zone[2].forward='ACCEPT'
firewall.@zone[2].output='ACCEPT'
firewall.@zone[2].masq='1'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].src='vpn'
firewall.@forwarding[1].dest='wan'
firewall.@forwarding[2]=forwarding
firewall.@forwarding[2].src='vpn'
firewall.@forwarding[2].dest='lan'
firewall.@redirect[0]=redirect
firewall.@redirect[0].dest_port='443'
firewall.@redirect[0].src='wan'
firewall.@redirect[0].name='OVPN_UDP'
firewall.@redirect[0].src_dport='443'
firewall.@redirect[0].target='DNAT'
firewall.@redirect[0].dest='lan'
firewall.@redirect[1]=redirect
firewall.@redirect[1].dest_port='1194'
firewall.@redirect[1].src='wan'
firewall.@redirect[1].name='OVPN_TCP'
firewall.@redirect[1].src_dport='1194'
firewall.@redirect[1].target='DNAT'
firewall.@redirect[1].dest='lan'
firewall.@zone[3]=zone
firewall.@zone[3].name='vpnfirewall'
firewall.@zone[3].input='REJECT'
firewall.@zone[3].output='ACCEPT'
firewall.@zone[3].forward='REJECT'
firewall.@zone[3].masq='1'
firewall.@zone[3].mtu_fix='1'
firewall.@forwarding[3]=forwarding
firewall.@forwarding[3].src='lan'
firewall.@forwarding[3].dest='vpnfirewall'

Now what should I do?

# Configure firewall
uci -q delete firewall.@zone[0].network
uci add_list firewall.@zone[0].network="lan"
uci -q delete firewall.@zone[1].device
uci set firewall.@zone[1].input="ACCEPT"
uci set firewall.@zone[1].forward="ACCEPT"
uci set firewall.@zone[2].input="REJECT"
uci set firewall.@zone[2].output="ACCEPT"
uci set firewall.@zone[2].forward="REJECT"
uci set firewall.@zone[2].mtu_fix="1"
uci add_list firewall.@zone[2].network="tun0"
uci -q delete firewall.@zone[3]
uci set firewall.@forwarding[2].src="lan"
uci set firewall.@forwarding[2].dest="vpn"
uci -q delete firewall.@forwarding[3]
uci commit firewall
/etc/init.d/firewall restart

# Configure DHCP
uci -q delete dhcp.lan.ignore
uci set dhcp.lan.start="100"
uci set dhcp.lan.limit="150"
uci set dhcp.lan.leasetime="1h"
uci commit dhcp
/etc/init.d/dnsmasq restart

# Configure network
uci set network.lan.proto="static"
uci set network.lan.ipaddr="192.168.2.1"
uci set network.lan.netmask="255.255.255.0"
uci commit network
/etc/init.d/network restart

# Restart OpenVPN
sleep 10
/etc/init.d/openvpn restart

And reconnect the upstream cable to the WAN interface.


OK, thanks a lot. Let me try this and come back.
Thanks again.


If the issue persists, then post the updated configs:

uci show network; uci show dhcp; uci show firewall

Hi, yes... still no success. Please have a look below.

root@OpenWrt:~# uci show network; uci show dhcp; uci show firewall
network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fd7f:7ca7:9bce::/48'
network.wan=interface
network.wan.ifname='eth0.1'
network.wan.proto='dhcp'
network.wan.peerdns='0'
network.wan.dns='8.8.8.8' '8.8.4.4'
network.wan6=interface
network.wan6.ifname='eth0.1'
network.wan6.proto='dhcpv6'
network.lan=interface
network.lan.type='bridge'
network.lan.ifname='eth0.2'
network.lan.proto='static'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.lan.ipaddr='192.168.2.1'
network.@switch[0]=switch
network.@switch[0].name='switch0'
network.@switch[0].reset='1'
network.@switch[0].enable_vlan='1'
network.@switch[0].ar8xxx_mib_type='0'
network.@switch[0].ar8xxx_mib_poll_interval='500'
network.@switch_vlan[0]=switch_vlan
network.@switch_vlan[0].device='switch0'
network.@switch_vlan[0].vlan='1'
network.@switch_vlan[0].ports='1 0t'
network.@switch_vlan[1]=switch_vlan
network.@switch_vlan[1].device='switch0'
network.@switch_vlan[1].vlan='2'
network.@switch_vlan[1].ports='2 0t'
network.nordvpntun=interface
network.nordvpntun.proto='none'
network.nordvpntun.ifname='tun0'
dhcp.@dnsmasq[0]=dnsmasq
dhcp.@dnsmasq[0].domainneeded='1'
dhcp.@dnsmasq[0].boguspriv='1'
dhcp.@dnsmasq[0].filterwin2k='0'
dhcp.@dnsmasq[0].localise_queries='1'
dhcp.@dnsmasq[0].rebind_protection='1'
dhcp.@dnsmasq[0].rebind_localhost='1'
dhcp.@dnsmasq[0].local='/lan/'
dhcp.@dnsmasq[0].domain='lan'
dhcp.@dnsmasq[0].expandhosts='1'
dhcp.@dnsmasq[0].nonegcache='0'
dhcp.@dnsmasq[0].authoritative='1'
dhcp.@dnsmasq[0].readethers='1'
dhcp.@dnsmasq[0].leasefile='/tmp/dhcp.leases'
dhcp.@dnsmasq[0].resolvfile='/tmp/resolv.conf.auto'
dhcp.@dnsmasq[0].nonwildcard='1'
dhcp.@dnsmasq[0].localservice='1'
dhcp.lan=dhcp
dhcp.lan.interface='lan'
dhcp.lan.start='100'
dhcp.lan.limit='150'
dhcp.lan.dhcpv6='server'
dhcp.lan.ra='server'
dhcp.lan.leasetime='1h'
dhcp.wan=dhcp
dhcp.wan.interface='wan'
dhcp.wan.ignore='1'
dhcp.odhcpd=odhcpd
dhcp.odhcpd.maindhcp='0'
dhcp.odhcpd.leasefile='/tmp/hosts/odhcpd'
dhcp.odhcpd.leasetrigger='/usr/sbin/odhcpd-update'
dhcp.odhcpd.loglevel='4'
firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[0].network='lan'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].network='wan' 'wan6'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@zone[1].input='ACCEPT'
firewall.@zone[1].forward='ACCEPT'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.@zone[2]=zone
firewall.@zone[2].name='vpnfirewall'
firewall.@zone[2].input='REJECT'
firewall.@zone[2].output='ACCEPT'
firewall.@zone[2].forward='REJECT'
firewall.@zone[2].masq='1'
firewall.@zone[2].mtu_fix='1'
firewall.@zone[2].network='nordvpntun' 'tun0'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].src='lan'
firewall.@forwarding[1].dest='vpnfirewall'
root@OpenWrt:~#


Check if you can reach the internet from OpenWrt and from the clients behind it when the VPN is disconnected.


Yes, I can... clients reach the internet while the VPN is ON or OFF.

But when I look up my IP with the VPN connected, it shows the IP given by the local ISP.

tracert from a client shows the following:

C:\Windows\System32>tracert openwrt.org

Tracing route to openwrt.org [139.59.209.225]
over a maximum of 30 hops:

  1     4 ms     5 ms     4 ms  OpenWrt.lan [192.168.2.1]
  2     *        *        *     Request timed out.
  3    10 ms     6 ms     9 ms  100.65.0.1
  4     *        9 ms     5 ms  198.51.100.2
  5    11 ms     6 ms     5 ms  198.51.100.1
  6     7 ms     7 ms     9 ms  103.87.125.17
  7   168 ms   200 ms   200 ms  103.87.124.42
  8   194 ms   200 ms   200 ms  fra2-edge1.digitalocean.com [80.81.195.151]
  9     *        *        *     Request timed out.
 10     *        *        *     Request timed out.
 11     *        *        *     Request timed out.
 12   206 ms   137 ms   140 ms  wiki-01.infra.openwrt.org [139.59.209.225]

Trace complete.

and from the OpenWrt router:

root@OpenWrt:~# traceroute openwrt.org
traceroute to openwrt.org (139.59.209.225), 30 hops max, 38 byte packets
 1  *  *  *
 2  100.65.0.1 (100.65.0.1)  4.534 ms  2.497 ms  2.880 ms
 3  198.51.100.2 (198.51.100.2)  3.208 ms  2.062 ms  2.345 ms
 4  198.51.100.1 (198.51.100.1)  2.444 ms  18.876 ms  6.805 ms
 5  103.87.125.17 (103.87.125.17)  5.957 ms  5.744 ms  3.219 ms
 6  103.87.124.42 (103.87.124.42)  111.660 ms  112.808 ms  113.580 ms
 7  fra2-edge1.digitalocean.com (80.81.195.151)  137.406 ms  140.261 ms  139.207 ms
 8  *  138.197.250.152 (138.197.250.152)  137.531 ms  *
 9  *  *  *
10  *  *  *
11  wiki-01.infra.openwrt.org (139.59.209.225)  138.059 ms  137.318 ms  137.616 ms

Please help.


Check the logs and runtime configuration:

/etc/init.d/log restart; /etc/init.d/openvpn restart; sleep 10; \
logread -e openvpn; pgrep -f -a openvpn; \
ip address show; ip route show table all; ip rule show; \
iptables-save; head -n -0 /etc/resolv.* /tmp/resolv.*
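Added example, not code posted by anyone in the thread: a POSIX sh check that reads the three things the reply above asks for (the OpenVPN log, `ip route show`, `ip address show`) and reports whether the tunnel actually took over the default route, i.e. whether `redirect-gateway def1` produced the `0.0.0.0/1` and `128.0.0.0/1` routes via the pushed `route-gateway` and whether `tun0` has an address. The sample texts are constructed to mirror the output posted in the thread; the `live` mode assumes it is run on the OpenWrt box itself.

```shell
#!/bin/sh
# Added example for this thread, not code posted in it: decide from the text of
# `logread -e openvpn`, `ip route show` and `ip address show` whether an OpenVPN
# client on OpenWrt really took over the default route, or whether LAN traffic
# still leaves via the ISP path. "live" reads the real commands on the router;
# with no argument it runs on samples constructed to mirror the thread's output.

# Log as posted: server pushes redirect-gateway def1, both route adds fail.
SAMPLE_LOG="... PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,route-gateway 10.8.0.1,topology subnet'
... /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.8.0.1
... ERROR: Linux route add command failed: external program exited with error status: 1
... /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.8.0.1
... ERROR: Linux route add command failed: external program exited with error status: 1
... Initialization Sequence Completed"
# Log of a healthy session (constructed): same push, no failures.
SAMPLE_LOG_OK="... PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,route-gateway 10.8.0.1,topology subnet'
... Initialization Sequence Completed"

# Routing table as posted: no VPN routes, everything follows the ISP default.
SAMPLE_ROUTES_LEAK="default via 192.168.1.1 dev eth0.1 proto static src 192.168.1.2
185.40.20.153 via 192.168.1.1 dev eth0.1
192.168.1.0/24 dev eth0.1 proto kernel scope link src 192.168.1.2
192.168.2.0/24 dev br-lan proto kernel scope link src 192.168.2.1"
# What the table looks like once redirect-gateway def1 has succeeded (constructed).
SAMPLE_ROUTES_OK="0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev eth0.1 proto static src 192.168.1.2
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev eth0.1 proto kernel scope link src 192.168.1.2
192.168.2.0/24 dev br-lan proto kernel scope link src 192.168.2.1"

# Addresses as posted (tun0 down, no inet) and for a healthy tunnel (constructed).
SAMPLE_ADDR_DOWN="7: eth0.1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
    inet 192.168.1.2/24 brd 192.168.1.255 scope global eth0.1
13: tun0: <POINTOPOINT,MULTICAST,NOARP> mtu 1500 qdisc noop state DOWN group default qlen 100
    link/none"
SAMPLE_ADDR_UP="7: eth0.1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
    inet 192.168.1.2/24 brd 192.168.1.255 scope global eth0.1
13: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN
    link/none
    inet 10.8.0.2/24 scope global tun0"

# push_route_gateway LOG: the route-gateway the server pushed in PUSH_REPLY.
push_route_gateway() {
    printf '%s\n' "$1" | sed -n 's/.*route-gateway \([0-9.]*\).*/\1/p' | tail -n 1
}

# count_route_add_failures LOG: OpenVPN logs this line for every pushed route it
# could not install, so any non-zero count means the routing table is incomplete.
count_route_add_failures() {
    printf '%s\n' "$1" | grep -c 'route add command failed' || true
}

# tun_has_address ADDRS IFACE: true when IFACE carries an IPv4 address. A tun
# device reports "state UNKNOWN" even when up, so the inet line is the reliable sign.
tun_has_address() {
    printf '%s\n' "$1" | awk -v ifc="$2" '
        /^[0-9]+: / { inblock = ($2 == (ifc ":")) }
        inblock && $1 == "inet" { found = 1 }
        END { exit !found }'
}

# def1_routes_present ROUTES GW: redirect-gateway def1 installs 0.0.0.0/1 and
# 128.0.0.0/1 via GW; both must exist to override the ISP default without deleting it.
def1_routes_present() {
    printf '%s\n' "$1" | awk -v gw="$2" '
        $2 == "via" && $3 == gw && $1 == "0.0.0.0/1"   { lo = 1 }
        $2 == "via" && $3 == gw && $1 == "128.0.0.0/1" { hi = 1 }
        END { exit !(lo && hi) }'
}

# vpn_path_check LOG ROUTES ADDRS IFACE: print findings; return 0 only when the
# tunnel has an address, the pushed gateway is known and both def1 routes exist.
vpn_path_check() {
    log=$1 routes=$2 addrs=$3 ifc=$4 rc=0
    gw=$(push_route_gateway "$log")
    [ -n "$gw" ] || { echo "FAIL: no route-gateway in PUSH_REPLY"; rc=1; }
    if ! tun_has_address "$addrs" "$ifc"; then
        echo "FAIL: $ifc has no IPv4 address, the tunnel is not actually up"; rc=1
    fi
    if [ -n "$gw" ] && ! def1_routes_present "$routes" "$gw"; then
        echo "FAIL: 0.0.0.0/1 and 128.0.0.0/1 via $gw missing, LAN traffic still follows the ISP default"; rc=1
    fi
    n=$(count_route_add_failures "$log")
    [ "$n" -eq 0 ] || { echo "FAIL: $n 'route add' failures in the OpenVPN log"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: default route goes via $ifc ($gw)"
    return "$rc"
}

case "${1:-}" in
    live) vpn_path_check "$(logread -e openvpn)" "$(ip route show)" "$(ip address show)" tun0 ;;
    *)
        echo "== sample: tun0 down, def1 routes missing =="
        vpn_path_check "$SAMPLE_LOG" "$SAMPLE_ROUTES_LEAK" "$SAMPLE_ADDR_DOWN" tun0 || true
        echo "== sample: healthy tunnel =="
        vpn_path_check "$SAMPLE_LOG_OK" "$SAMPLE_ROUTES_OK" "$SAMPLE_ADDR_UP" tun0 || true ;;
esac
```

Run as `sh vpncheck.sh live` on the router after `/etc/init.d/openvpn restart`; a FAIL line names the piece that is missing, so the check can be repeated after each config change.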

Hi, this is what it gave:

root@OpenWrt:~# /etc/init.d/log restart
root@OpenWrt:~# /etc/init.d/openvpn restart
root@OpenWrt:~# sleep 10
root@OpenWrt:~# logread -e openvpn
Sun Oct 11 10:51:27 2020 daemon.err openvpn(PLUSCHANNEL)[6509]: event_wait : Interrupted system call (code=4)
Sun Oct 11 10:51:27 2020 daemon.notice openvpn(PLUSCHANNEL)[6509]: /sbin/route del -net 185.40.20.153 netmask 255.255.255.255
Sun Oct 11 10:51:27 2020 daemon.notice openvpn(PLUSCHANNEL)[6509]: /sbin/route del -net 0.0.0.0 netmask 128.0.0.0
Sun Oct 11 10:51:27 2020 daemon.warn openvpn(PLUSCHANNEL)[6509]: ERROR: Linux route delete command failed: external program exited with error status: 1
Sun Oct 11 10:51:27 2020 daemon.notice openvpn(PLUSCHANNEL)[6509]: /sbin/route del -net 128.0.0.0 netmask 128.0.0.0
Sun Oct 11 10:51:27 2020 daemon.warn openvpn(PLUSCHANNEL)[6509]: ERROR: Linux route delete command failed: external program exited with error status: 1
Sun Oct 11 10:51:27 2020 daemon.notice openvpn(PLUSCHANNEL)[6509]: Closing TUN/TAP interface
Sun Oct 11 10:51:27 2020 daemon.notice openvpn(PLUSCHANNEL)[6509]: SIGTERM[hard,] received, process exiting
Sun Oct 11 10:51:28 2020 daemon.warn openvpn(PLUSCHANNEL)[6611]: Unrecognized option or missing or extra parameter(s) in /etc/openvpn/PLUSCHANNEL.ovpn:21: block-outside-dns (2.4.7)
Sun Oct 11 10:51:28 2020 daemon.notice openvpn(PLUSCHANNEL)[6611]: OpenVPN 2.4.7 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Sun Oct 11 10:51:28 2020 daemon.notice openvpn(PLUSCHANNEL)[6611]: library versions: OpenSSL 1.1.1h  22 Sep 2020, LZO 2.10
Sun Oct 11 10:51:28 2020 daemon.notice openvpn(PLUSCHANNEL)[6611]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Oct 11 10:51:28 2020 daemon.notice openvpn(PLUSCHANNEL)[6611]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Oct 11 10:51:28 2020 daemon.notice openvpn(PLUSCHANNEL)[6611]: TCP/UDP: Preserving recently used remote address: [AF_INET]185.40.20.153:8080
Sun Oct 11 10:51:28 2020 daemon.notice openvpn(PLUSCHANNEL)[6611]: Socket Buffers: R=[87380->87380] S=[16384->16384]
Sun Oct 11 10:51:28 2020 daemon.notice openvpn(PLUSCHANNEL)[6611]: Attempting to establish TCP connection with [AF_INET]185.40.20.153:8080 [nonblock]
Sun Oct 11 10:51:29 2020 daemon.notice openvpn(PLUSCHANNEL)[6611]: TCP connection established with [AF_INET]185.40.20.153:8080
Sun Oct 11 10:51:29 2020 daemon.notice openvpn(PLUSCHANNEL)[6611]: Send to HTTP proxy: 'CONNECT /SSHPLUS?:1195 HTTP/1.0'
Sun Oct 11 10:51:29 2020 daemon.notice openvpn(PLUSCHANNEL)[6611]: Send to HTTP proxy: 'Host: netflix.com'
Sun Oct 11 10:51:29 2020 daemon.notice openvpn(PLUSCHANNEL)[6611]: HTTP proxy returned: 'HTTP/1.1 200 Connection established'
Sun Oct 11 10:51:31 2020 daemon.notice openvpn(PLUSCHANNEL)[6611]: TCP_CLIENT link local: (not bound)
Sun Oct 11 10:51:31 2020 daemon.notice openvpn(PLUSCHANNEL)[6611]: TCP_CLIENT link remote: [AF_INET]185.40.20.153:8080
Sun Oct 11 10:51:31 2020 daemon.notice openvpn(PLUSCHANNEL)[6611]: TLS: Initial packet from [AF_INET]185.40.20.153:8080, sid=cf633335 3f78c37f
Sun Oct 11 10:51:31 2020 daemon.warn openvpn(PLUSCHANNEL)[6611]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sun Oct 11 10:51:32 2020 daemon.notice openvpn(PLUSCHANNEL)[6611]: VERIFY KU OK
Sun Oct 11 10:51:32 2020 daemon.notice openvpn(PLUSCHANNEL)[6611]: Validating certificate extended key usage
Sun Oct 11 10:51:32 2020 daemon.notice openvpn(PLUSCHANNEL)[6611]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Sun Oct 11 10:51:32 2020 daemon.notice openvpn(PLUSCHANNEL)[6611]: VERIFY EKU OK
Sun Oct 11 10:51:32 2020 daemon.notice openvpn(PLUSCHANNEL)[6611]: VERIFY OK: depth=0, CN=server
Sun Oct 11 10:51:32 2020 daemon.notice openvpn(PLUSCHANNEL)[6611]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Sun Oct 11 10:51:32 2020 daemon.notice openvpn(PLUSCHANNEL)[6611]: [server] Peer Connection Initiated with [AF_INET]185.40.20.153:8080
Sun Oct 11 10:51:33 2020 daemon.notice openvpn(PLUSCHANNEL)[6611]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Sun Oct 11 10:51:33 2020 daemon.notice openvpn(PLUSCHANNEL)[6611]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,peer-id 0,cipher AES-256-GCM'
Sun Oct 11 10:51:33 2020 daemon.notice openvpn(PLUSCHANNEL)[6611]: OPTIONS IMPORT: timers and/or timeouts modified
Sun Oct 11 10:51:33 2020 daemon.notice openvpn(PLUSCHANNEL)[6611]: OPTIONS IMPORT: --ifconfig/up options modified
Sun Oct 11 10:51:33 2020 daemon.notice openvpn(PLUSCHANNEL)[6611]: OPTIONS IMPORT: route options modified
Sun Oct 11 10:51:33 2020 daemon.notice openvpn(PLUSCHANNEL)[6611]: OPTIONS IMPORT: route-related options modified
Sun Oct 11 10:51:33 2020 daemon.notice openvpn(PLUSCHANNEL)[6611]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sun Oct 11 10:51:33 2020 daemon.notice openvpn(PLUSCHANNEL)[6611]: OPTIONS IMPORT: peer-id set
Sun Oct 11 10:51:33 2020 daemon.notice openvpn(PLUSCHANNEL)[6611]: OPTIONS IMPORT: adjusting link_mtu to 1627
Sun Oct 11 10:51:33 2020 daemon.notice openvpn(PLUSCHANNEL)[6611]: OPTIONS IMPORT: data channel crypto options modified
Sun Oct 11 10:51:33 2020 daemon.notice openvpn(PLUSCHANNEL)[6611]: Data Channel: using negotiated cipher 'AES-256-GCM'
Sun Oct 11 10:51:33 2020 daemon.notice openvpn(PLUSCHANNEL)[6611]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sun Oct 11 10:51:33 2020 daemon.notice openvpn(PLUSCHANNEL)[6611]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sun Oct 11 10:51:33 2020 daemon.notice openvpn(PLUSCHANNEL)[6611]: TUN/TAP device tun0 opened
Sun Oct 11 10:51:33 2020 daemon.notice openvpn(PLUSCHANNEL)[6611]: TUN/TAP TX queue length set to 100
Sun Oct 11 10:51:33 2020 daemon.notice openvpn(PLUSCHANNEL)[6611]: /sbin/route add -net 185.40.20.153 netmask 255.255.255.255 gw 192.168.1.1
Sun Oct 11 10:51:33 2020 daemon.notice openvpn(PLUSCHANNEL)[6611]: /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.8.0.1
Sun Oct 11 10:51:33 2020 daemon.warn openvpn(PLUSCHANNEL)[6611]: ERROR: Linux route add command failed: external program exited with error status: 1
Sun Oct 11 10:51:33 2020 daemon.notice openvpn(PLUSCHANNEL)[6611]: /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.8.0.1
Sun Oct 11 10:51:33 2020 daemon.warn openvpn(PLUSCHANNEL)[6611]: ERROR: Linux route add command failed: external program exited with error status: 1
Sun Oct 11 10:51:33 2020 daemon.notice openvpn(PLUSCHANNEL)[6611]: Initialization Sequence Completed
root@OpenWrt:~# pgrep -f -a openvpn
6611 /usr/sbin/openvpn --syslog openvpn(PLUSCHANNEL) --status /var/run/openvpn.PLUSCHANNEL.status --cd /etc/openvpn --config /etc/openvpn/PLUSCHANNEL.ovpn
root@OpenWrt:~# ip address show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 20:0d:b0:74:4a:30 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::220d:b0ff:fe74:4a30/64 scope link
       valid_lft forever preferred_lft forever
5: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 20:0d:b0:74:4a:30 brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.1/24 brd 192.168.2.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 fd7f:7ca7:9bce::1/60 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fe80::220d:b0ff:fe74:4a30/64 scope link
       valid_lft forever preferred_lft forever
6: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP group default qlen 1000
    link/ether 20:0d:b0:74:4a:30 brd ff:ff:ff:ff:ff:ff
7: eth0.1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 20:0d:b0:74:4a:30 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.2/24 brd 192.168.1.255 scope global eth0.1
       valid_lft forever preferred_lft forever
    inet6 fe80::220d:b0ff:fe74:4a30/64 scope link
       valid_lft forever preferred_lft forever
8: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP group default qlen 1000
    link/ether 12:34:56:78:90:12 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::1034:56ff:fe78:9012/64 scope link
       valid_lft forever preferred_lft forever
9: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP group default qlen 1000
    link/ether 20:0d:b0:74:4a:31 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::220d:b0ff:fe74:4a31/64 scope link
       valid_lft forever preferred_lft forever
13: tun0: <POINTOPOINT,MULTICAST,NOARP> mtu 1500 qdisc noop state DOWN group default qlen 100
    link/none
root@OpenWrt:~# ip route show table all
default via 192.168.1.1 dev eth0.1 proto static src 192.168.1.2
185.40.20.153 via 192.168.1.1 dev eth0.1
192.168.1.0/24 dev eth0.1 proto kernel scope link src 192.168.1.2
192.168.2.0/24 dev br-lan proto kernel scope link src 192.168.2.1
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.1.0 dev eth0.1 table local proto kernel scope link src 192.168.1.2
local 192.168.1.2 dev eth0.1 table local proto kernel scope host src 192.168.1.2
broadcast 192.168.1.255 dev eth0.1 table local proto kernel scope link src 192.168.1.2
broadcast 192.168.2.0 dev br-lan table local proto kernel scope link src 192.168.2.1
local 192.168.2.1 dev br-lan table local proto kernel scope host src 192.168.2.1
broadcast 192.168.2.255 dev br-lan table local proto kernel scope link src 192.168.2.1
fd7f:7ca7:9bce::/64 dev br-lan proto static metric 1024 pref medium
unreachable fd7f:7ca7:9bce::/48 dev lo proto static metric 2147483647 error 4294967148 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev eth0.1 proto kernel metric 256 pref medium
fe80::/64 dev br-lan proto kernel metric 256 pref medium
fe80::/64 dev wlan0 proto kernel metric 256 pref medium
fe80::/64 dev wlan1 proto kernel metric 256 pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
anycast fd7f:7ca7:9bce:: dev br-lan table local proto kernel metric 0 pref medium
local fd7f:7ca7:9bce::1 dev br-lan table local proto kernel metric 0 pref medium
anycast fe80:: dev eth0.1 table local proto kernel metric 0 pref medium
anycast fe80:: dev eth0 table local proto kernel metric 0 pref medium
anycast fe80:: dev br-lan table local proto kernel metric 0 pref medium
anycast fe80:: dev wlan0 table local proto kernel metric 0 pref medium
anycast fe80:: dev wlan1 table local proto kernel metric 0 pref medium
local fe80::1034:56ff:fe78:9012 dev wlan0 table local proto kernel metric 0 pref medium
local fe80::220d:b0ff:fe74:4a30 dev eth0.1 table local proto kernel metric 0 pref medium
local fe80::220d:b0ff:fe74:4a30 dev eth0 table local proto kernel metric 0 pref medium
local fe80::220d:b0ff:fe74:4a30 dev br-lan table local proto kernel metric 0 pref medium
local fe80::220d:b0ff:fe74:4a31 dev wlan1 table local proto kernel metric 0 pref medium
ff00::/8 dev eth0 table local metric 256 pref medium
ff00::/8 dev br-lan table local metric 256 pref medium
ff00::/8 dev eth0.1 table local metric 256 pref medium
ff00::/8 dev wlan0 table local metric 256 pref medium
ff00::/8 dev wlan1 table local metric 256 pref medium
root@OpenWrt:~# ip rule show
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
root@OpenWrt:~# iptables-save
# Generated by iptables-save v1.8.3 on Sun Oct 11 10:54:01 2020
*nat
:PREROUTING ACCEPT [840:238439]
:INPUT ACCEPT [240:16388]
:OUTPUT ACCEPT [517:41205]
:POSTROUTING ACCEPT [856:219581]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_vpnfirewall_postrouting - [0:0]
:zone_vpnfirewall_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
-A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -i eth0.1 -m comment --comment "!fw3" -j zone_wan_prerouting
-A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
-A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o eth0.1 -m comment --comment "!fw3" -j zone_wan_postrouting
-A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
-A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
-A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
-A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Sun Oct 11 10:54:01 2020
# Generated by iptables-save v1.8.3 on Sun Oct 11 10:54:01 2020
*mangle
:PREROUTING ACCEPT [30229:18399097]
:INPUT ACCEPT [1728:273326]
:FORWARD ACCEPT [28240:18082096]
:OUTPUT ACCEPT [2188:294304]
:POSTROUTING ACCEPT [30430:18377056]
-A FORWARD -o eth0.1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i eth0.1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Sun Oct 11 10:54:01 2020
# Generated by iptables-save v1.8.3 on Sun Oct 11 10:54:01 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_vpnfirewall_dest_ACCEPT - [0:0]
:zone_vpnfirewall_dest_REJECT - [0:0]
:zone_vpnfirewall_forward - [0:0]
:zone_vpnfirewall_input - [0:0]
:zone_vpnfirewall_output - [0:0]
:zone_vpnfirewall_src_REJECT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_ACCEPT - [0:0]
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i eth0.1 -m comment --comment "!fw3" -j zone_wan_input
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i eth0.1 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -m comment --comment "!fw3" -j reject
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o eth0.1 -m comment --comment "!fw3" -j zone_wan_output
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
-A syn_flood -m comment --comment "!fw3" -j DROP
-A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to vpnfirewall forwarding policy" -j zone_vpnfirewall_dest_ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_vpnfirewall_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_vpnfirewall_forward -m comment --comment "!fw3" -j zone_vpnfirewall_dest_REJECT
-A zone_vpnfirewall_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_vpnfirewall_input -m comment --comment "!fw3" -j zone_vpnfirewall_src_REJECT
-A zone_vpnfirewall_output -m comment --comment "!fw3" -j zone_vpnfirewall_dest_ACCEPT
-A zone_wan_dest_ACCEPT -o eth0.1 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
-A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
-A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_ACCEPT
-A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_src_ACCEPT -i eth0.1 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
COMMIT
# Completed on Sun Oct 11 10:54:01 2020
root@OpenWrt:~# head -n -0 /etc/resolv.* /tmp/resolv.*
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1

==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1

==> /tmp/resolv.conf.auto <==
# Interface wan
nameserver 222.165.171.1
nameserver 222.165.171.2
root@OpenWrt:~#

This could be a race condition.
Let's try to avoid the interface declaration:

uci add_list firewall.@zone[2].device="tun0"
uci commit firewall
/etc/init.d/firewall restart
uci -q delete network.nordvpntun
uci commit network
/etc/init.d/network restart; \
sleep 10; \
/etc/init.d/openvpn restart

Done... but this is still what I get:

root@OpenWrt:~# ip address show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 20:0d:b0:74:4a:30 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::220d:b0ff:fe74:4a30/64 scope link
       valid_lft forever preferred_lft forever
14: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 20:0d:b0:74:4a:30 brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.1/24 brd 192.168.2.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 fd7f:7ca7:9bce::1/60 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fe80::220d:b0ff:fe74:4a30/64 scope link
       valid_lft forever preferred_lft forever
15: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP group default qlen 1000
    link/ether 20:0d:b0:74:4a:30 brd ff:ff:ff:ff:ff:ff
16: eth0.1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 20:0d:b0:74:4a:30 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.2/24 brd 192.168.1.255 scope global eth0.1
       valid_lft forever preferred_lft forever
    inet6 fe80::220d:b0ff:fe74:4a30/64 scope link
       valid_lft forever preferred_lft forever
17: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP group default qlen 1000
    link/ether 20:0d:b0:74:4a:31 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::220d:b0ff:fe74:4a31/64 scope link
       valid_lft forever preferred_lft forever
18: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP group default qlen 1000
    link/ether 12:34:56:78:90:12 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::1034:56ff:fe78:9012/64 scope link
       valid_lft forever preferred_lft forever
19: tun0: <POINTOPOINT,MULTICAST,NOARP> mtu 1500 qdisc noop state DOWN group default qlen 100
    link/none

It looks like a problem with the current OpenVPN server as it doesn't provide a valid IP address to the client despite the connection being successful.

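
A quick way to confirm the condition described above (tun0 exists but never comes up, so nothing from the LAN can be routed through it) from `ip address show` and `ip route show` output. This is an added example, not code from the thread or from OpenWrt; the tun0 samples below are constructed, and the 10.8.0.x addresses are an assumption about a typical OpenVPN client address.

```shell
# Added example, not from the thread: check from `ip address show` and `ip route show`
# output whether the OpenVPN tunnel interface really came up and whether LAN traffic
# would be sent through it. Plain POSIX sh + awk, so it runs on OpenWrt's busybox too.

# tun_status IFACE  (stdin: output of `ip address show`)
# prints "missing" (rc 2), "down" / "up-noaddr" (rc 1), or "up <addr>" (rc 0)
tun_status() {
    awk -v iface="$1" '
        $1 ~ /^[0-9]+:$/ {                    # "19: tun0: <FLAGS> ..." starts a block
            inblock = ($2 == (iface ":"))
            if (inblock) { found = 1; up = ($3 ~ /[<,]UP[,>]/) }   # UP flag, not LOWER_UP
            next
        }
        inblock && $1 == "inet" { addr = $2 } # first IPv4 address inside the block
        END {
            if (!found)     { print "missing";   exit 2 }
            if (!up)        { print "down";      exit 1 }
            if (addr == "") { print "up-noaddr"; exit 1 }
            print "up " addr; exit 0
        }'
}

# route_via IFACE  (stdin: output of `ip route show`)
# rc 0 if a default route, or the 0.0.0.0/1 + 128.0.0.0/1 pair that OpenVPN's
# redirect-gateway def1 installs, points at IFACE; rc 1 otherwise
route_via() {
    awk -v iface="$1" '
        $1 == "default" || $1 == "0.0.0.0/1" || $1 == "128.0.0.0/1" {
            for (i = 1; i < NF; i++) if ($i == "dev" && $(i + 1) == iface) n++
        }
        END { exit (n > 0 ? 0 : 1) }'
}

# Constructed samples. SAMPLE_DOWN mirrors the thread's output (tun0 present,
# no UP flag, no address); SAMPLE_UP/ROUTES_UP show what a working tunnel looks like.
SAMPLE_DOWN='19: tun0: <POINTOPOINT,MULTICAST,NOARP> mtu 1500 qdisc noop state DOWN group default qlen 100
    link/none'
SAMPLE_UP='19: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
    link/none
    inet 10.8.0.6/24 scope global tun0
       valid_lft forever preferred_lft forever'
ROUTES_UP='0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev eth0.1 src 192.168.1.2
128.0.0.0/1 via 10.8.0.1 dev tun0'

printf '%s\n' "$SAMPLE_DOWN" | tun_status tun0 || echo "tun0 not usable (rc=$?)"
printf '%s\n' "$SAMPLE_UP"   | tun_status tun0
printf '%s\n' "$ROUTES_UP"   | route_via tun0 && echo "LAN traffic would go via tun0"
```

On the router itself, run `ip address show | tun_status tun0` and `ip route show | route_via tun0`; "down" with rc 1 is exactly the state in the output above.
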
Hmm, true... so what is your advice, sir?
