Renew request while using a VPN

Hello,
I have been using DD-WRT before but recently decided to switch over to OpenWrt 19.07.7 on my Linksys WRT3200ACM router. Liking the experience so far.

However, I followed Proton VPN's guide on how to set up the VPN client.

And now I have problems keeping the lease from my ISP. I think the renew request is lost (sent through the VPN tunnel?), because I have UDP:68 (DHCP renew) open.

Mon Mar 15 16:45:43 2021 daemon.notice netifd: wan (2358): udhcpc: sending renew to X.X.X.X
Mon Mar 15 16:46:20 2021 daemon.notice netifd: wan (2358): udhcpc: sending renew to 0.0.0.0
Mon Mar 15 16:46:41 2021 daemon.notice netifd: wan (2358): udhcpc: sending renew to 0.0.0.0
Mon Mar 15 16:46:51 2021 daemon.notice netifd: wan (2358): udhcpc: sending renew to 0.0.0.0
Mon Mar 15 16:46:55 2021 daemon.notice netifd: wan (2358): udhcpc: sending renew to 0.0.0.0
Mon Mar 15 16:46:58 2021 daemon.notice netifd: wan (2358): udhcpc: sending renew to 0.0.0.0
Mon Mar 15 16:46:59 2021 daemon.notice netifd: wan (2358): udhcpc: sending renew to 0.0.0.0
Mon Mar 15 16:46:59 2021 daemon.notice netifd: wan (2358): udhcpc: lease lost, entering init state
Mon Mar 15 16:46:59 2021 daemon.notice netifd: Interface 'wan' has lost the connection
Mon Mar 15 16:46:59 2021 daemon.notice netifd: wan (2358): udhcpc: sending discover
Mon Mar 15 16:47:02 2021 daemon.notice netifd: wan (2358): udhcpc: sending select for Y.Y.Y.Y
Mon Mar 15 16:47:03 2021 daemon.notice netifd: wan (2358): udhcpc: lease of Y.Y.Y.Y obtained, lease time 1200
Mon Mar 15 16:47:03 2021 daemon.notice netifd: Interface 'wan' is now up

Anyone have any ideas on what I can try next? Can I (or rather, should I) change the sh script that udhcpc uses to renew: /lib/netifd/dhcp.script?

Thanks!

Add to the VPN client profile:

redirect-gateway def1 bypass-dhcp

https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage#:~:text=bypass-dhcp


I have added pull-filter ignore "redirect-gateway" in proton.ovpn so that I can control what goes through the tunnel with vpn-policy-routing.

  1. Check what IP it sends requests to, and how the route is defined after establishing the OpenVPN connection.
  2. Add the corresponding commands manually to the
up /etc/openvpn/client.sh
down /etc/openvpn/client.sh

script; see the example in the manual.

Hello.
I'm sorry but I'm quite new to all of this, please explain a bit more what your proposed solutions are supposed to do.

For instance, ulmwind, can you elaborate how I should edit the script client.sh?

Edit the configuration file, for example /etc/openvpn/proton.ovpn, and add the line pull-filter ignore "redirect-gateway". Restart OpenVPN and verify that the default gateway is via the ISP: ip -4 ro | grep default
Then install the package vpn-pbr and make rules for the devices or services which you wish to use Proton.


Hi, thank you,

I solved it (although not robustly): I manually added a static route for the wan interface.

ip route show:
X.X.X.X via Y.Y.Y.Y dev eth1.2 onlink

However, the solution is not robust, e.g. what if my ISP changes the IP or the renew address?

How do I modify the client.sh above so that this route is added dynamically? I.e. how do I read the WAN IP and renew IP?
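One way to add that route dynamically on OpenWrt, as an added example that is not code from this thread, from OpenWrt or from Proton VPN: a hotplug handler that re-creates the /32 route to the ISP's DHCP server via the WAN gateway whenever the wan interface comes up or its addresses change, so the unicast renew stays out of the tunnel. It assumes the WAN logical interface is named "wan", that netifd reports the DHCP server under data.dhcpserver in `ubus call network.interface.wan status`, and that the file lives under /etc/hotplug.d/iface/; if the server field is absent it logs and adds nothing.

```shell
#!/bin/sh
# Added example (not from the thread, OpenWrt or Proton VPN): hotplug script,
# e.g. /etc/hotplug.d/iface/90-dhcp-server-route, that pins a host route to the
# ISP's DHCP server via the WAN gateway so udhcpc's unicast renew is not
# swallowed by the VPN's def1 default routes.
# Assumptions: WAN logical interface "wan"; netifd exposes the DHCP server as
# data.dhcpserver (verify with `ubus call network.interface.wan status`).

WAN_IFACE="${WAN_IFACE:-wan}"

# Pure helper: compose the `ip route replace` arguments for a /32 route to the
# DHCP server via the WAN gateway. Fails with no output when a value is missing
# or the server is the "any" address, so the caller never adds a bogus route.
dhcp_route_args() {
    server="$1"; gateway="$2"; device="$3"
    case "$server" in ""|0.0.0.0) return 1 ;; esac
    [ -n "$gateway" ] && [ -n "$device" ] || return 1
    echo "$server/32 via $gateway dev $device onlink"
}

# OpenWrt-only lookups: netifd helpers from /lib/functions/network.sh for the
# gateway and L3 device, jsonfilter over the ubus status for the DHCP server.
apply_dhcp_route() {
    . /lib/functions/network.sh
    network_flush_cache
    network_get_gateway gateway "$WAN_IFACE"
    network_get_device device "$WAN_IFACE"
    server=$(ubus call network.interface."$WAN_IFACE" status \
             | jsonfilter -e '@.data.dhcpserver')
    args=$(dhcp_route_args "$server" "$gateway" "$device") || {
        logger -t dhcp-route "$WAN_IFACE: no DHCP server/gateway yet, skipping"
        return 0
    }
    logger -t dhcp-route "ip route replace $args"
    ip route replace $args
}

# netifd sets ACTION and INTERFACE for /etc/hotplug.d/iface/* scripts; act on
# ifup and on ifupdate (address change, e.g. a renewed lease from a new server).
case "$ACTION" in
    ifup|ifupdate) [ "$INTERFACE" = "$WAN_IFACE" ] && apply_dhcp_route ;;
esac
```

Log output goes to `logread -e dhcp-route`, so a skipped or added route is visible next to the udhcpc lines.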

Hi, I tried that option; it does not work for me, the renew request to X.X.X.X is still sent via the VPN.

Also add this:

pull-filter ignore block-local

And remove that if any:

redirect-gateway block-local

If the issue persists, post the VPN client connection log.

added:

redirect-gateway def1 bypass-dhcp
pull-filter ignore block-local

I get the following connection log:

Sun Mar 21 12:23:25 2021 daemon.notice openvpn(se_protonvpn)[5670]: [se-XX.protonvpn.com] Peer Connection Initiated with [AF_INET]Z.Z.Z.Z:80
Sun Mar 21 12:23:26 2021 daemon.notice openvpn(se_protonvpn)[5670]: SENT CONTROL [se-XX.protonvpn.com]: 'PUSH_REQUEST' (status=1)
Sun Mar 21 12:23:31 2021 daemon.notice openvpn(se_protonvpn)[5670]: SENT CONTROL [se-XX.protonvpn.com]: 'PUSH_REQUEST' (status=1)
Sun Mar 21 12:23:32 2021 daemon.notice openvpn(se_protonvpn)[5670]: PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 10.20.0.1,redirect-gateway def1,sndbuf 524288,rcvbuf 524288,explicit-exit-notify,comp-lzo no,route-gateway 10.20.0.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.20.0.10 255.255.0.0,peer-id XXXXXX,cipher AES-256-GCM'
Sun Mar 21 12:23:32 2021 daemon.notice openvpn(se_protonvpn)[5670]: OPTIONS IMPORT: timers and/or timeouts modified
Sun Mar 21 12:23:32 2021 daemon.notice openvpn(se_protonvpn)[5670]: OPTIONS IMPORT: explicit notify parm(s) modified
Sun Mar 21 12:23:32 2021 daemon.notice openvpn(se_protonvpn)[5670]: OPTIONS IMPORT: compression parms modified
Sun Mar 21 12:23:32 2021 daemon.notice openvpn(se_protonvpn)[5670]: OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
Sun Mar 21 12:23:32 2021 daemon.notice openvpn(se_protonvpn)[5670]: Socket Buffers: R=[163840->1048576] S=[163840->1048576]
Sun Mar 21 12:23:32 2021 daemon.notice openvpn(se_protonvpn)[5670]: OPTIONS IMPORT: --ifconfig/up options modified
Sun Mar 21 12:23:32 2021 daemon.notice openvpn(se_protonvpn)[5670]: OPTIONS IMPORT: route options modified
Sun Mar 21 12:23:32 2021 daemon.notice openvpn(se_protonvpn)[5670]: OPTIONS IMPORT: route-related options modified
Sun Mar 21 12:23:32 2021 daemon.notice openvpn(se_protonvpn)[5670]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sun Mar 21 12:23:32 2021 daemon.notice openvpn(se_protonvpn)[5670]: OPTIONS IMPORT: peer-id set
Sun Mar 21 12:23:32 2021 daemon.notice openvpn(se_protonvpn)[5670]: OPTIONS IMPORT: adjusting link_mtu to 1657
Sun Mar 21 12:23:32 2021 daemon.notice openvpn(se_protonvpn)[5670]: OPTIONS IMPORT: data channel crypto options modified
Sun Mar 21 12:23:32 2021 daemon.notice openvpn(se_protonvpn)[5670]: Data Channel: using negotiated cipher 'AES-256-GCM'
Sun Mar 21 12:23:32 2021 daemon.notice openvpn(se_protonvpn)[5670]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sun Mar 21 12:23:32 2021 daemon.notice openvpn(se_protonvpn)[5670]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sun Mar 21 12:23:32 2021 daemon.notice openvpn(se_protonvpn)[5670]: TUN/TAP device tun0 opened
Sun Mar 21 12:23:32 2021 daemon.notice openvpn(se_protonvpn)[5670]: TUN/TAP TX queue length set to 100
Sun Mar 21 12:23:32 2021 daemon.notice openvpn(se_protonvpn)[5670]: /sbin/ifconfig tun0 10.20.0.10 netmask 255.255.0.0 mtu 1500 broadcast 10.20.255.255
Sun Mar 21 12:23:32 2021 daemon.notice openvpn(se_protonvpn)[5670]: /etc/openvpn/client.sh tun0 1500 1585 10.20.0.10 255.255.0.0 init
Sun Mar 21 12:23:32 2021 daemon.notice openvpn(se_protonvpn)[5670]: /sbin/route add -net Z.Z.Z.Z netmask 255.255.255.255 gw Y.Y.Y.Y
Sun Mar 21 12:23:32 2021 daemon.notice openvpn(se_protonvpn)[5670]: /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.20.0.1
Sun Mar 21 12:23:32 2021 daemon.notice openvpn(se_protonvpn)[5670]: /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.20.0.1
Sun Mar 21 12:23:32 2021 daemon.notice openvpn(se_protonvpn)[5670]: Initialization Sequence Completed

Any ideas?


https://openwrt.org/docs/guide-user/network/protocol.dhcp#dhcp_client_route

Hi,
So I solved it properly. Now the renew to 0.0.0.0 works (the renew to the IP does not, but that's fine I guess).

I realized that the problem was due to bufferbloat. I have a Transmission client running on the router, but for some reason the traffic was directed outside the tunnel and it clogged up the link.

What I had to do to fix it was create a separate interface (tun0) and firewall zone for the VPN. Then I blocked everything and just opened the Transmission port through the firewall zone.

Thank you for the help though, I learned a lot.

