Problem setting up OpenVPN Client on EA4500 running 21.02.0-rc4

Hi,

I've been trying to set up OpenVPN in client mode on my EA4500 router. When I first tried it a couple of weeks ago I couldn't make it work and gave up. Today I took the opportunity of upgrading to the latest release candidate 21.02.0-rc4 to reset the router to factory defaults and then set up the OpenVPN client on a "clean" router.

After the factory-reset I configured the Wi-Fi radios (SSIDs and security) and installed the packages "openvpn-openssl" and "luci-app-openvpn".
Then I followed the procedure for configuring the OpenVPN client. I actually tried procedures from three different places (including the one on openwrt.org), but can't get it to work properly with any of them.
I am using a *.ovpn file that I exported from my VPN server router to configure the client.

The OpenVPN client itself appears to connect fine and I can ping the home router and the devices in my home network, as well as ping websites on the Internet through the VPN connection, like "ping www.speedtest.net".
However, I am unable to open the configuration web pages of my devices in my home network (e.g. router, Wi-Fi power switches), and about 2 out of 3 websites on the Internet will not open either (for example, wikipedia.org, google.com and youtube.com work perfectly, while many others, including speedtest.net and openwrt.org, won't open at all). The situation is similar on my smartphone, where a few apps work fine (e.g. Google Maps, YouTube), while many others appear to be unable to connect to the Internet.

What could be causing these problems?

Does anyone have a setup procedure that is proven to be working if it's just followed step by step?

Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have

ubus call system board; \
uci export network; uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
ls -l  /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
1 Like
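The request above asks the poster to redact MAC addresses and public IP addresses before pasting. Below is an added example, not something from the original thread, of a filter that does that mechanically so nothing is missed by hand: it keeps the vendor half of each MAC (as the poster's own output does with `58:6d:8f:f1:xx:xx`), leaves RFC 1918, loopback, link-local and bare route prefixes such as `0.0.0.0/1` readable, and masks every other IPv4 address. It assumes a POSIX awk (busybox awk on OpenWrt is fine) and does not touch IPv6; ULA prefixes like `fde2:...` are private, but a global IPv6 address would still need manual redaction.

```shell
#!/bin/sh
# Added example (not from the original thread): mask MAC addresses and public
# IPv4 addresses in diagnostic output before posting it to a forum.
# Usage:  ( ubus call system board; uci export network; ip -4 addr; ... ) 2>&1 | redact
# Assumption: POSIX awk; IPv6 addresses are passed through unchanged.

redact() {
    awk '
    # 1 if the dotted quad is private/local and safe to leave visible, else 0.
    function keep_ip(ip,    o) {
        split(ip, o, ".")
        if (o[1] == 10) return 1                                  # 10.0.0.0/8
        if (o[1] == 172 && o[2] >= 16 && o[2] <= 31) return 1     # 172.16.0.0/12
        if (o[1] == 192 && o[2] == 168) return 1                  # 192.168.0.0/16
        if (o[1] == 127) return 1                                 # loopback
        if (o[1] == 169 && o[2] == 254) return 1                  # link-local
        if (o[1] >= 224) return 1                                 # multicast/broadcast
        if (o[2] == 0 && o[3] == 0 && o[4] == 0) return 1         # a.0.0.0 route prefixes (0/1, 128/1)
        return 0
    }
    BEGIN {
        hex  = "[0-9a-fA-F][0-9a-fA-F]"
        mac  = hex ":" hex ":" hex ":" hex ":" hex ":" hex
        ipv4 = "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+"
    }
    {
        line = $0; out = ""
        # MAC addresses: keep the 3-byte OUI, replace the device-specific half.
        while (match(line, mac)) {
            out  = out substr(line, 1, RSTART - 1) substr(line, RSTART, 9) "xx:xx:xx"
            line = substr(line, RSTART + RLENGTH)
        }
        line = out line; out = ""
        # IPv4: mask everything keep_ip() does not recognise as private/local.
        while (match(line, ipv4)) {
            ip   = substr(line, RSTART, RLENGTH)
            out  = out substr(line, 1, RSTART - 1) (keep_ip(ip) ? ip : "<public-ip>")
            line = substr(line, RSTART + RLENGTH)
        }
        print out line
    }'
}
```

Pipe the whole diagnostic block through `redact` rather than editing the paste by hand; the masked output keeps the structure (prefix lengths, interface names, route targets) that the people answering actually need.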

Thanks for the reply. Here is the output from the commands.

root@OpenWrt:/tmp# ubus call system board; \
> uci export network; uci export dhcp; uci export firewall; \
> head -n -0 /etc/firewall.user; \
> ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
> ls -l  /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
{
        "kernel": "5.4.137",
        "hostname": "OpenWrt",
        "system": "Feroceon 88FR131 rev 1 (v5l)",
        "model": "Linksys EA4500 (Viper)",
        "board_name": "linksys,ea4500",
        "release": {
                "distribution": "OpenWrt",
                "version": "21.02.0-rc4",
                "revision": "r16256-2d5ee43dc6",
                "target": "kirkwood/generic",
                "description": "OpenWrt 21.02.0-rc4 r16256-2d5ee43dc6"
        }
}
package network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fde2:f01e:xxxx::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'ethernet1'
        list ports 'ethernet2'
        list ports 'ethernet3'
        list ports 'ethernet4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'internet'
        option macaddr '58:6d:8f:f1:xx:xx'

config interface 'wan'
        option device 'internet'
        option proto 'dhcp'

config interface 'wan6'
        option device 'internet'
        option proto 'dhcpv6'

config interface 'tun0'
        option proto 'none'
        option device 'tun0'

package dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        option ra_slaac '1'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

package firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'
        list network 'tun0'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled 'false'

config include
        option path '/etc/firewall.user'

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
7: internet@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.6.103/24 brd 192.168.6.255 scope global internet
       valid_lft forever preferred_lft forever
10: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
12: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN qlen 500
    inet 10.8.0.14 peer 10.8.0.13/32 scope global tun0
       valid_lft forever preferred_lft forever
0.0.0.0/1 via 10.8.0.13 dev tun0
default via 10.8.0.13 dev tun0
10.8.0.0/24 via 10.8.0.13 dev tun0
10.8.0.13 dev tun0 scope link  src 10.8.0.14
128.0.0.0/1 via 10.8.0.13 dev tun0
192.168.1.0/24 dev br-lan scope link  src 192.168.1.1
192.168.6.0/24 dev internet scope link  src 192.168.6.103
192.168.6.50 via 192.168.6.1 dev internet
192.168.200.0/24 via 10.8.0.13 dev tun0
local 10.8.0.14 dev tun0 table local scope host  src 10.8.0.14
broadcast 127.0.0.0 dev lo table local scope link  src 127.0.0.1
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1
broadcast 192.168.1.0 dev br-lan table local scope link  src 192.168.1.1
local 192.168.1.1 dev br-lan table local scope host  src 192.168.1.1
broadcast 192.168.1.255 dev br-lan table local scope link  src 192.168.1.1
broadcast 192.168.6.0 dev internet table local scope link  src 192.168.6.103
local 192.168.6.103 dev internet table local scope host  src 192.168.6.103
broadcast 192.168.6.255 dev internet table local scope link  src 192.168.6.103
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
lrwxrwxrwx    1 root     root            16 Jul 31 17:21 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r--    1 root     root            47 Aug  2 22:14 /tmp/resolv.conf
-rw-r--r--    1 root     root           109 Aug  2 22:16 /tmp/resolv.conf.d/resolv.conf.auto

/tmp/resolv.conf.d:
-rw-r--r--    1 root     root           109 Aug  2 22:16 resolv.conf.auto
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1

==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1

==> /tmp/resolv.conf.d <==
head: /tmp/resolv.conf.d: I/O error

==> /tmp/resolv.conf.d/resolv.conf.auto <==
# Interface wan
nameserver 192.168.6.1
search fritz.box
# Interface wan6
nameserver fd00::9ec7:a6ee:xxxx:xxx
root@OpenWrt:/tmp#

OpenVPN layer 2 between 2 OpenWrt Routers - #2 by trendy

2 Likes

Thanks for the link to the post!

I understand the solution is "Remove compression and mssfix for a start.", however there is no mention of how this is to be implemented.

The router that the OpenVPN server is running on is a TP-Link with stock firmware that is very likely based on OpenWrt.

Below is the content of the 'openvpn' configuration file of the EA4500 that runs the client and also the settings section from within the *.ovpn config file.

I previously tried to replace "comp-lzo adaptive" with "comp-lzo no", but at the time it didn't appear to make any difference.
Do I maybe need to put something other than "no" there?
Where and how do I set "mssfix" to none?

/etc/config/openvpn of the EA4500 (client)

config openvpn 'custom_config'
        option config '/etc/openvpn/my-vpn.conf'

config openvpn 'sample_server'
        option port '1194'
        option proto 'udp'
        option dev 'tun'
        option ca '/etc/openvpn/ca.crt'
        option cert '/etc/openvpn/server.crt'
        option key '/etc/openvpn/server.key'
        option dh '/etc/openvpn/dh2048.pem'
        option server '10.8.0.0 255.255.255.0'
        option ifconfig_pool_persist '/tmp/ipp.txt'
        option keepalive '10 120'
        option persist_key '1'
        option persist_tun '1'
        option user 'nobody'
        option status '/tmp/openvpn-status.log'
        option verb '3'

config openvpn 'sample_client'
        option client '1'
        option dev 'tun'
        option proto 'udp'
        list remote 'my_server_1 1194'
        option resolv_retry 'infinite'
        option nobind '1'
        option persist_key '1'
        option persist_tun '1'
        option user 'nobody'
        option ca '/etc/openvpn/ca.crt'
        option cert '/etc/openvpn/client.crt'
        option key '/etc/openvpn/client.key'
        option verb '3'

config openvpn 'OPENVPN_1'
        option config '/etc/openvpn/OPENVPN_1.ovpn'
        option enabled '1'

OPENVPN_1.ovpn settings section

client
dev tun
proto udp
float
nobind
cipher AES-128-CBC
comp-lzo adaptive
resolv-retry infinite
remote-cert-tls server
persist-key
persist-tun
remote 192.168.6.50 1194

Here you are, change it to #comp-lzo adaptive

1 Like

Thanks for your input.

After I comment out that line on the OpenVPN client (or delete the whole line completely) and then restart openvpn I can't open any websites at all and also can't ping any server or device through the VPN. Furthermore, in OpenWrt's System Log I see the line "daemon.err openvpn(OPENVPN_1)[4242]: write to TUN/TAP : Invalid argument (code=22)" being added every 10 seconds.

If I reactivate the comp-lzo line and restart openvpn, then it works again as described in my original post and that error doesn't get added to the System Log every 10 seconds.

By the way, I believe the TP-Link router that acts as the VPN Server is running a variant of OpenVPN 2.3.

Upgrade the other side as well. Make sure the server is configured according to the tutorial.

2 Likes

I wish I could, but this is not possible.
The OpenVPN server is running on an Archer AX50 router. Its configuration GUI only allows modifying a few basic options (protocol udp or tcp, port number, access local or internet). There is no newer firmware available from TP-Link, and neither is there a third-party firmware I could flash.

Disable/remove compression for both client and server and try to play with MTU/MSS.
I'm afraid that upgrading to OpenVPN 2.5 involves some compatibility breaking changes.
Perhaps it would be best to keep the VPN versions in sync and reconsider your upgrade strategy.

Can you see server logs? Does the server allow TAP? Why are you needing TAP? TAP should only be used for single endpoints (road warriors) not site to site.

1 Like

Ok, thanks, I understand. I didn't know that openvpn-openssl version 2.5 wouldn't be able to cope with an older OpenVPN server version. I have always nicely connected to that AX50 router's OpenVPN server using various versions of the OpenVPN Connect Windows client software and Android app from openvpn.net, including the very latest versions of them.

OpenVPN for OpenWrt is built with some legacy features/options disabled/excluded.
Thus the packages may not be fully compatible with earlier versions.

This is all I can see and adjust on the TP-Link router that is running the OpenVPN server. No more, no less.

Thanks again for everyone's help.

In the end, disabling lzo-compression on the VPN server router is the solution to the problem and the sole change that was required in this case. (edited the option "comp_lzo yes" in /etc/config/openvpn to "comp_lzo no")
Nothing else needed to be modified on either side.

However, this modification was only possible after installing an unofficial and unreleased test version of the stock firmware that is different from the release firmware in that it allows getting to the command line of the router's Linux system.

So, anyone whose OpenVPN server runs on a device with stock firmware that has been locked down by the manufacturer or anyone who doesn't own the equipment that is running the OpenVPN server and thus can't modify the compression setting would be pretty much out of luck here.
Besides, most of those users likely do not know which version of OpenVPN that equipment is running, because such information is normally nowhere to be found in the documentation of retail products. Hence, if told to keep their version of the OpenWrt OpenVPN client "in sync" with that of the OpenVPN server, then they might end up clueless.

2 Likes
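The thread's question "how do I actually implement removing compression" and its resolution (server `comp_lzo yes` changed to `comp_lzo no`, nothing else touched) come down to one rule: both ends must agree on the compression framing, and ideally neither should compress. Upstream OpenVPN deprecates compression over the tunnel, so "off on both sides" is the right target state anyway. The script below is an added example, not code from the original thread or from OpenWrt: it parses a client `.ovpn` and one `config openvpn` section of an OpenWrt `/etc/config/openvpn`, normalises `comp-lzo`/`compress` into (framing, algorithm), and reports an ERROR when the framing differs (the state that produced `write to TUN/TAP : Invalid argument (code=22)` when the poster dropped `comp-lzo` on the client only) and a WARN when either side still compresses. The framing table is my reading of the OpenVPN manual and is stated as an assumption; the server section is constructed to mirror the single option the poster edited.

```python
"""Added example (not from the original thread): check an OpenVPN client
.ovpn against the server's OpenWrt UCI section for compression mismatches.

Assumptions (mine, not the page's): server side is UCI 'option name value'
text with dashes written as underscores; COMPRESSION_MODES is my reading of
the OpenVPN manual for --comp-lzo / --compress.
"""
import re

# (directive, value) -> (wire framing, algorithm).  "v1" is the one-byte
# header shared by comp-lzo and compress lzo/lz4/stub; "v2" is the two-byte
# header of the -v2 variants; framing None means no compression header at all;
# algorithm None means the header is present but nothing is compressed.
COMPRESSION_MODES = {
    ("comp-lzo", "yes"): ("v1", "lzo"), ("comp-lzo", "adaptive"): ("v1", "lzo"),
    ("comp-lzo", "no"): ("v1", None),
    ("compress", "lzo"): ("v1", "lzo"), ("compress", "lz4"): ("v1", "lz4"),
    ("compress", "stub"): ("v1", None), ("compress", ""): ("v1", None),
    ("compress", "lz4-v2"): ("v2", "lz4"), ("compress", "stub-v2"): ("v2", None),
}


def parse_ovpn(text):
    """Parse .ovpn text into {option: [[args], ...]}; inline <ca>..</ca> blocks are skipped."""
    opts, in_block = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if in_block:                      # inside <tag> ... </tag>
            if line == "</%s>" % in_block:
                in_block = None
            continue
        if not line or line[0] in "#;":   # blank or comment
            continue
        m = re.match(r"<(\w+)>$", line)
        if m:
            in_block = m.group(1)
            continue
        parts = line.split()
        opts.setdefault(parts[0].lower(), []).append(parts[1:])
    return opts


def parse_uci_openvpn(text, section):
    """Parse one "config openvpn '<section>'" block of /etc/config/openvpn into
    the same shape as parse_ovpn().  UCI spells dashes as underscores and writes
    bare flags as '1'; '0' drops the option.  (Numeric options whose value happens
    to be 1 would be read as flags; irrelevant for the options compared here.)"""
    opts, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"config\s+openvpn\s+'?([\w-]+)'?", line)
        if m:
            current = m.group(1)
            continue
        if current != section:
            continue
        m = re.match(r"(option|list)\s+(\S+)\s+'?(.*?)'?$", line)
        if not m or m.group(3) == "0":
            continue
        key = m.group(2).replace("_", "-").lower()
        args = [] if m.group(3) == "1" else m.group(3).split()
        opts.setdefault(key, []).append(args)
    return opts


def compression_mode(opts):
    """(framing, algorithm) from the last comp-lzo/compress directive, or (None, None)."""
    mode = (None, None)
    for key in ("comp-lzo", "compress"):
        for args in opts.get(key, []):
            default = "adaptive" if key == "comp-lzo" else ""
            value = args[0].lower() if args else default
            mode = COMPRESSION_MODES.get((key, value), ("unknown:" + value, value))
    return mode


def _last_arg(opts, key):
    occ = opts.get(key)
    return occ[-1][0] if occ and occ[-1] else None


def check(client_opts, server_opts):
    """Return [(level, message), ...] for the client/server pair."""
    findings = []
    c_framing, c_alg = compression_mode(client_opts)
    s_framing, s_alg = compression_mode(server_opts)
    if c_framing != s_framing:
        findings.append(("ERROR", "compression framing mismatch (client=%s, server=%s): each side "
                         "misparses the other's packets; seen in the thread as "
                         "'write to TUN/TAP : Invalid argument (code=22)'" % (c_framing, s_framing)))
    if c_alg or s_alg:
        findings.append(("WARN", "compression in use (client=%s, server=%s); disable it on both "
                         "ends, which is what the server-side 'comp_lzo no' did" % (c_alg, s_alg)))
    c_cipher, s_cipher = _last_arg(client_opts, "cipher"), _last_arg(server_opts, "cipher")
    if c_cipher and s_cipher and c_cipher.upper() != s_cipher.upper():
        findings.append(("WARN", "cipher differs (client=%s, server=%s)" % (c_cipher, s_cipher)))
    return findings


# Constructed inputs: the client .ovpn options from the thread, and a server
# section written to carry the 'comp_lzo yes' option the poster later edited.
CLIENT_OVPN = """client
dev tun
proto udp
float
nobind
cipher AES-128-CBC
comp-lzo adaptive
resolv-retry infinite
remote-cert-tls server
persist-key
persist-tun
remote 192.168.6.50 1194
"""
SERVER_UCI = """config openvpn 'server'
        option enabled '1'
        option dev 'tun'
        option proto 'udp'
        option port '1194'
        option comp_lzo 'yes'
"""
SERVER_UCI_FIXED = SERVER_UCI.replace("'yes'", "'no'")   # the thread's fix


def audit(client_text, server_text, section="server"):
    return check(parse_ovpn(client_text), parse_uci_openvpn(server_text, section))


if __name__ == "__main__":
    for label, server in (("before", SERVER_UCI), ("after", SERVER_UCI_FIXED)):
        print(label, audit(CLIENT_OVPN, server) or "no findings")
```

Run it before restarting either daemon; the ERROR case is the one that takes the tunnel down entirely, the WARN case is the one that "connects" but should still be cleaned up.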
