I want to set up my router as a VPN client and route internet traffic via that VPN. This is what the routing table looks like before and after connecting to the VPN. Once connected to the VPN, I can't reach any remote destination anymore (e.g. ping 8.8.8.8). Is anything wrong with that routing table?
root@LEDE:~# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 192.168.0.254 0.0.0.0 UG 0 0 0 eth1
192.168.0.0 * 255.255.255.0 U 0 0 0 eth1
192.168.1.0 * 255.255.255.0 U 10 0 0 br-lan
root@LEDE:~# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 10.252.200.177 128.0.0.0 UG 0 0 0 tun0
default 192.168.0.254 0.0.0.0 UG 0 0 0 eth1
10.252.200.1 10.252.200.177 255.255.255.255 UGH 0 0 0 tun0
10.252.200.177 * 255.255.255.255 UH 0 0 0 tun0
128.0.0.0 10.252.200.177 128.0.0.0 UG 0 0 0 tun0
185.93.180.52 192.168.0.254 255.255.255.255 UGH 0 0 0 eth1
192.168.0.0 * 255.255.255.0 U 0 0 0 eth1
192.168.1.0 * 255.255.255.0 U 10 0 0 br-lan
Please post here the output of the following commands, run all on one line: cat /etc/config/network; cat /etc/config/firewall; cat /etc/config/wireless ; cat /etc/config/dhcp ; ip -4 addr ; ip -4 ro ; ip -4 ru
root@LEDE:~# cat /etc/config/network; cat /etc/config/firewall; cat /etc/config/wireless ; cat /etc/config/dhcp ; ip -4 addr ; ip -4 ro ; ip -4 ru
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fdba:9fcf:fd6c::/48'
config interface 'lan'
option type 'bridge'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
option ifname 'eth0'
option metric '10'
config interface 'wan'
option ifname 'eth1'
option proto 'dhcp'
config interface 'wan6'
option ifname 'eth1'
option proto 'dhcpv6'
config switch
option name 'switch0'
option reset '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option vid '1'
option ports '0 1 2 3t 5'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '4 6'
option vid '2'
config switch_vlan
option device 'switch0'
option vlan '3'
option ports '3t 4t'
option vid '100'
config interface 'VPNDEWAN'
option ifname 'tun0'
option proto 'dhcp'
option auto '0'
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan'
config zone
option name 'wan'
option output 'ACCEPT'
option masq '1'
option mtu_fix '1'
option network 'wan wan6'
option input 'REJECT'
option forward 'REJECT'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
config zone
option network 'VPNDEWAN'
option output 'ACCEPT'
option name 'vpndewan'
option input 'REJECT'
option forward 'REJECT'
config forwarding
option dest 'vpndewan'
option src 'lan'
config forwarding
option dest 'wan'
option src 'lan'
config wifi-device 'radio0'
option type 'mac80211'
option channel '36'
option hwmode '11a'
option htmode 'VHT80'
option country 'DE'
option txpower '20'
option path 'soc/soc:pcie/pci0000:00/0000:00:01.0/0000:01:00.0'
config wifi-iface 'default_radio0'
option device 'radio0'
option network 'lan'
option mode 'ap'
option macaddr '62:38:e0:d7:87:dd'
option ssid 'Livebox-557c'
option encryption 'psk2'
option key '6130E238E4625E1FE9A605E481'
config wifi-device 'radio1'
option type 'mac80211'
option channel '11'
option hwmode '11g'
option htmode 'HT20'
option country 'DE'
option txpower '20'
option path 'soc/soc:pcie/pci0000:00/0000:00:02.0/0000:02:00.0'
config wifi-iface 'default_radio1'
option device 'radio1'
option network 'lan'
option mode 'ap'
option macaddr '62:38:e0:d7:87:dc'
option ssid 'Livebox-557c'
option encryption 'psk2'
option key '6130E238E4625E1FE9A605E481'
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.auto'
option localservice '1'
option serversfile '/tmp/adb_list.overall'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv6 'server'
option ra 'server'
option ra_management '1'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 532
inet 192.168.0.10/24 brd 192.168.0.255 scope global eth1
valid_lft forever preferred_lft forever
7: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
valid_lft forever preferred_lft forever
11: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
inet 10.250.202.66 peer 10.250.202.65/32 scope global tun0
valid_lft forever preferred_lft forever
0.0.0.0/1 via 10.250.202.65 dev tun0
default via 192.168.0.254 dev eth1 proto static src 192.168.0.10
10.250.200.1 via 10.250.202.65 dev tun0
10.250.202.65 dev tun0 proto kernel scope link src 10.250.202.66
128.0.0.0/1 via 10.250.202.65 dev tun0
178.162.209.79 via 192.168.0.254 dev eth1
192.168.0.0/24 dev eth1 proto kernel scope link src 192.168.0.10
192.168.1.0/24 dev br-lan proto static scope link metric 10
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
I tried it; it seems somewhat better, but there is still no connection:
root@LEDE:~# traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 38 byte packets
1 192.168.0.254 (192.168.0.254) 0.827 ms 0.608 ms 0.598 ms
2 ama63-1-88-188-201-254.fbx.proxad.net (88.188.201.254) 22.880 ms 19.472 ms 20.386 ms
3 213.228.36.190 (213.228.36.190) 21.992 ms 21.464 ms 22.563 ms
4 194.149.165.77 (194.149.165.77) 28.417 ms 26.914 ms 25.551 ms
5 194.149.166.58 (194.149.166.58) 25.927 ms 26.954 ms 25.777 ms
6 72.14.221.62 (72.14.221.62) 27.172 ms 26.396 ms 25.597 ms
7 108.170.245.1 (108.170.245.1) 26.423 ms 108.170.244.225 (108.170.244.225) 27.551 ms 108.170.244.193 (108.170.244.193) 27.244 ms
8 209.85.251.153 (209.85.251.153) 27.009 ms * *
9 * * *
10 * * *
11 * * *
12 * * *
13^C
Yes and no. If the VPN provider is blocking the pings, you won't see replies. You should try to ping something that is certain to reply, like 1.1.1.1 or 8.8.8.8.
This line looks weird to me:
It wasn't there in the original post, and I doubt you should be routing this private IP via your ISP.
Reboot the router just to make sure there are no stale routing entries.
The OpenVPN log clearly states that your client's MTU-related options don't match the server side.
Show your client configuration with private keys and certificates removed. Note that the wireless config you already pasted above contains your Wi-Fi PSK in cleartext, so you may want to redact it here and change that key.