Problems with internet connectivity after setting up VPN-Only Router

Hi everyone,

I figure it best to make a new post since the initial problems I have been having are resolved.

Right now, my ISP combo modem/router is plugged into the WAN port of my TP-Link Router. I have set up NordVPN successfully and can see via traceroute that it is going through the correct server, and not my ISP.

However, the issue is that I now cannot access the internet, or even get a DHCP address, when connecting wirelessly to the router. Connecting to either radio forces me to hardcode an IP address; when I do that I can reach the router's web interface, but I still cannot access the internet from those devices.

My network setup is:

ISP Modem/Router Combo (192.168.1.254) ----> WAN port of OpenWrt Router (LAN port 192.168.2.1) ----> Wireless clients connecting in order to access VPN (192.168.2.X)

Here are the config files

Network
https://pastebin.com/qVU8VFEr

Firewall
https://pastebin.com/0dDjZym9

OpenVPN
https://pastebin.com/svm9nN1R

As for my other setup, I've included the DHCP and DNS tab, Lan, Switch and Wan Interfaces and the interface main page as per attached images:

If there's anything I'm missing, please let me know and I'll get that for you.

TL;DR Summary: NordVPN is up and running on my VPN-only router, but no DHCP leases are served to wirelessly connected clients; when I assign static IP addresses, I can only reach the router management page, not the internet.

Thanks as always.

# Drop the 'gateway' option from the lan interface (-q keeps uci quiet if the option is not set).
uci -q delete network.lan.gateway
# Write the staged change to /etc/config/network.
uci commit network
# Restart networking so the changed lan definition is applied.
service network restart

Awesome. That worked and I’m now able to pull IP addresses.

Unfortunately I still don’t have internet access. Is there something else that could be causing that?

I can still ping from the diagnostics and command line but I can’t get internet when connecting to the router via either wifi radio

traceroute example.org

From Router diagnostics page:

traceroute to openwrt.org (139.59.209.225), 30 hops max, 38 byte packets
 1  10.8.2.1  3.027 ms
 2  104.200.132.190  3.400 ms
 3  104.200.132.142  2.673 ms
 4  173.205.42.93  2.810 ms
 5  154.24.61.69  3.453 ms
 6  154.54.27.161  8.374 ms
 7  64.86.123.93  160.234 ms
 8  62.115.117.49  56.031 ms
 9  *
10  62.115.112.245  146.032 ms
11  80.231.130.105  160.773 ms
12  80.231.154.142  175.105 ms
13  62.115.120.6  155.850 ms
14  195.219.87.13  167.036 ms
15  195.219.87.18  173.663 ms
16  139.59.209.225  163.435 ms

From windows 10 machine connected to either radio:

tracert openwrt.org
Unable to resolve target system name openwrt.org.

Also, here's the result from the following command:

cat /etc/config/network; cat /etc/config/firewall; cat /etc/config/wireless ; cat /etc/config/dhcp ; ip -4 addr ; ip -4 ro ; ip -4 ru
# /etc/config/network as printed by the cat command above: logical interfaces and switch VLANs.
config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd7d:3874:5a29::/48'

# LAN bridge that both Wi-Fi APs attach to; the router is 192.168.2.1/24 on it.
config interface 'lan'
        option type 'bridge'
        option ifname 'eth1.1'
        option proto 'static'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        # NOTE(review): 192.168.1.254 is the ISP modem/router from the topology in the post; the
        # routing table further down reaches 192.168.1.0/24 directly on eth0.2, so any lookup sent
        # there would bypass the tunnel. 8.8.8.1 looks like a typo (8.8.8.8?) - confirm both entries.
        option dns '192.168.1.254 8.8.8.1'

# Upstream side: DHCP client towards the ISP modem/router on VLAN 2.
config interface 'wan'
        option ifname 'eth0.2'
        option proto 'dhcp'

config interface 'wan6'
        option ifname 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

# VLAN 1: ports 1-4 untagged plus port 6 tagged (lan uses eth1.1).
config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 3 4 6t'

# VLAN 2: port 5 untagged plus port 0 tagged (wan uses eth0.2).
config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '5 0t'

# Logical interface that the firewall zone 'vpn' attaches to (option network 'openvpn').
# NOTE(review): it is bound to eth0 (the parent of the WAN VLAN eth0.2) as a bridge, while the
# tunnel device in the `ip -4 addr` output further down is tun0. If tun0 is not a member of this
# interface, the 'vpn' zone and the lan -> vpn forwarding never match tunnel traffic, which would
# fit the "no internet from clients" symptom - confirm, e.g. by pointing ifname at tun0 without
# the bridge type.
config interface 'openvpn'
        option proto 'none'
        option ifname 'eth0'
        option auto '1'
        option type 'bridge'


# /etc/config/firewall as printed by the cat command above.
# Global policy: traffic to and from the router itself is accepted, forwarding is rejected
# unless a zone or forwarding section allows it.
config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

# LAN zone: clients may reach the router (input ACCEPT); forwarding within the zone is dropped.
config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option network 'lan'
        option forward 'DROP'

# WAN zone: unsolicited input and forwarding are dropped. No masq is set here and no forwarding
# section in this file targets 'wan', so LAN clients have no permitted path out of the WAN
# outside the tunnel.
config zone
        option name 'wan'
        option output 'ACCEPT'
        option network 'wan wan6'
        option input 'DROP'
        option forward 'DROP'

# Lets DHCP replies (UDP 68) from the upstream side reach the router's WAN DHCP client.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

# The router answers IPv4 echo-request arriving on wan.
config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

# Rate-limited ICMPv6 accepted on the router itself from wan.
config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# Rate-limited ICMPv6 forwarded from wan to any zone (dest '*').
config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# Forward rule wan -> lan for ESP.
# NOTE(review): this and Allow-ISAKMP below permit inbound forwarding from the WAN side to LAN
# hosts; if no LAN host terminates IPsec they can be disabled on a VPN-only router - confirm.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

# Forward rule wan -> lan for UDP 500 (see the note on Allow-IPSec-ESP).
config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# Custom rules script; its contents are not shown in this post.
config include
        option path '/etc/firewall.user'

# Zone for the tunnel: masquerading and MSS clamping (mtu_fix) on egress, nothing unsolicited in.
# NOTE(review): membership comes from the 'openvpn' network, which /etc/config/network binds to
# eth0, while the tunnel device in the ip output is tun0 - confirm that tun0 is actually covered
# by this zone.
config zone
        option name 'vpn'
        option output 'ACCEPT'
        option network 'openvpn'
        option input 'DROP'
        option forward 'DROP'
        option masq '1'
        option mtu_fix '1'

# The only forwarding in this file: lan -> vpn. Together with the REJECT default above, LAN
# traffic towards anything that is not in the 'vpn' zone is not forwarded.
config forwarding
        option dest 'vpn'
        option src 'lan'


# /etc/config/wireless as printed by the cat command above: two radios, one AP each, both on 'lan'.
config wifi-device 'radio0'
        option type 'mac80211'
        option channel '36'
        option hwmode '11a'
        option path 'soc/1b500000.pci/pci0000:00/0000:00:00.0/0000:01:00.0'
        option htmode 'VHT80'
        option country 'US'
        option legacy_rates '1'

# AP on radio0, bridged into the 'lan' network, WPA2-PSK (psk2).
config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'psk2'
        # The key appears to have been redacted by the poster before sharing.
        option key 'xxxxxxxxxx'

config wifi-device 'radio1'
        option type 'mac80211'
        option channel '11'
        option hwmode '11g'
        option path 'soc/1b700000.pci/pci0001:00/0001:00:00.0/0001:01:00.0'
        option htmode 'HT20'
        option country 'US'
        option legacy_rates '1'

# AP on radio1, also bridged into 'lan', WPA2-PSK (psk2).
config wifi-iface 'default_radio1'
        option device 'radio1'
        option mode 'ap'
        option ssid 'serenity'
        option encryption 'psk2'
        # The key appears to have been redacted by the poster before sharing.
        option key 'xxxxxxxxxx'
        option network 'lan'


# /etc/config/dhcp as printed by the cat command above.
# dnsmasq instance: DNS rebind protection is on and queries are only answered for local subnets
# (localservice).
config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option nonwildcard '1'
        option localservice '1'
        # noresolv: dnsmasq does not read upstream servers from a resolv file. No 'server' entries
        # are listed in this section - NOTE(review): confirm where the router's own lookups go.
        option noresolv '1'

# DHCP pool on lan: 150 addresses starting at .100, 12 hour leases.
config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        # NOTE(review): DHCPv6 and router advertisements are served on lan, but only `ip -4`
        # output is shown in the post - confirm whether client IPv6 is meant to go through the
        # tunnel or should not be offered at all.
        option dhcpv6 'server'
        option ra 'server'
        option ra_management '1'
        # DHCP option 6 hands these resolvers straight to clients, so client DNS queries are
        # forwarded through the router instead of being answered by dnsmasq; they only work if
        # lan -> tunnel forwarding works. Presumably the VPN provider's resolvers - confirm.
        list dhcp_option '6,103.86.96.100,103.86.99.100'

# No DHCP service on the wan interface.
config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
7: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.2.1/24 brd 192.168.2.255 scope global br-lan
       valid_lft forever preferred_lft forever
10: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.1.69/24 brd 192.168.1.255 scope global eth0.2
       valid_lft forever preferred_lft forever
13: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN qlen 100
    inet 10.8.2.7/24 brd 10.8.2.255 scope global tun0
       valid_lft forever preferred_lft forever
0.0.0.0/1 via 10.8.2.1 dev tun0 
default via 192.168.1.254 dev eth0.2  src 192.168.1.69 
10.8.2.0/24 dev tun0 scope link  src 10.8.2.7 
104.200.132.172 via 192.168.1.254 dev eth0.2 
128.0.0.0/1 via 10.8.2.1 dev tun0 
192.168.1.0/24 dev eth0.2 scope link  src 192.168.1.69 
192.168.2.0/24 dev br-lan scope link  src 192.168.2.1 
0:      from all lookup local 
32766:  from all lookup main 
32767:  from all lookup default 

OpenVPN (NordVPN) Setup and seemingly working on TP-Link C2600 but not connecting and proving VPN IP
