[SOLVED] OpenVPN Internet Access but no Ping/ICMP or SSH access

I'm on 19.07 Stable and connecting to NordVPN via OpenVPN. After the connection I'm able to access the internet using a browser or nslookup and my IP address is changed, but I'm unable to ping or ssh anything outside of my network, even via IP address (e.g. ping 8.8.8.8).

I'm pasting some of the config below; any advice would be appreciated. I'm able to use the same OVPN file on my laptop using Tunnelblick, and after the connection is established I'm still able to ping external IPs.

Also, I've tried adding --pull-filter ignore redirect-gateway to the OVPN file and using VPN Policy Routing to divert traffic, with the same results.

OVPN File

client
dev tun
proto udp
remote x.x.x.x 1194
resolv-retry infinite
remote-random
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ping 15
ping-restart 0
ping-timer-rem
reneg-sec 0
comp-lzo no
remote-cert-tls server

auth-user-pass secret
verb 3
pull
fast-io
cipher AES-256-CBC
auth SHA512


<ca>
-----BEGIN CERTIFICATE-----
...

firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule                            
        option name 'Allow-IGMP'       
        option src 'wan'               
        option proto 'igmp'            
        option family 'ipv4'           
        option target 'ACCEPT'         
                                       
config rule                            
        option name 'Allow-IPSec-ESP'  
        option src 'wan'               
        option dest 'lan'              
        option proto 'esp'             
        option target 'ACCEPT'         
        option family 'ipv4'           
                                       
config rule                            
        option name 'Allow-ISAKMP'     
        option src 'wan'               
        option dest 'lan'              
        option dest_port '500'         
        option proto 'udp'             
        option target 'ACCEPT'         
                                       
config include                         
        option path '/etc/firewall.user'
                                        
config zone                             
        option network 'guest'          
        option forward 'REJECT'         
        option name 'guest'             
        option output 'ACCEPT'          
        option input 'REJECT'           
                                        
config forwarding                       
        option dest 'wan'               
        option src 'guest'     

config rule                             
        option dest_port '53'           
        option src 'guest'              
        option name 'Allow-Guest-DNS'   
        option target 'ACCEPT'          
        option proto 'tcp udp'          
        option family 'ipv4'            
                                        
config rule                             
        option dest_port '67-68'        
        option src 'guest'              
        option name 'Allow-Guest-DHCP'  
        option target 'ACCEPT'          
        option proto 'udp'              
        option family 'ipv4'            
                                        
config zone                             
        option name 'vpnfirewall'       
        option output 'ACCEPT'          
        option mtu_fix '1'              
        list network 'nordvpntun'       
        option masq '1'                 
        option input 'REJECT'           
        option forward 'REJECT'         
                                        
config forwarding                       
        option src 'lan'                
        option dest 'vpnfirewall'       
                                        
config forwarding                       
        option dest 'vpnfirewall'                          
        option src 'guest'                                 
                                                           
config include 'miniupnpd'                                 
        option type 'script'                               
        option path '/usr/share/miniupnpd/firewall.include'
        option family 'any'                                
        option reload '1'            

config rule                                                
        option target 'ACCEPT'                             
        option src 'vpnfirewall'                           
        option family 'ipv4'                               
        option name 'Allow-VPN-Ping'                       
        list icmp_type 'echo-request'                      
        option proto 'icmp'       

firewall.user

if (! ip a s tun0 up) && (! iptables -C forwarding_rule -j REJECT); then
       iptables -I forwarding_rule -j REJECT
fi

From a first look I don't see anything wrong in the config.
Is there any proxy configured on the host you are using for troubleshooting?

Try with traceroute 8.8.8.8 or mtr 8.8.8.8 (you'll need to install it first) to see where the replies stop.

1 Like

Ran both commands and here is the output

                                                               My traceroute  [v0.93]
OpenWrt (10.8.1.56)                                                                                                        2020-02-01T14:22:09-0800
Keys:  Help   Display mode   Restart statistics   Order of fields   quit
                                                                                                           Packets               Pings
 Host                                                                                                    Loss%   Snt   Last   Avg  Best  Wrst StDev
 1. 10.8.1.1                                                                                              0.0%   259   12.6  14.1  11.5  38.7   3.0
 2. (waiting for reply)


root@OpenWrt:~# traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 38 byte packets
 1  10.8.1.1 (10.8.1.1)  17.779 ms  25.972 ms  13.714 ms
 2  *  *  *
 3  *  *  *
 4  *  *  *
 5  *  *  *
 6  *  *  *
 7  *  *  *
 8  *  *  *
 9  *  *  *
10  *  *  *
11  *  *  *
12  *  *  *
13  *  *  *
14  *  *  *
15  *  *  *
16  *  *  *
17  *  *  *
18  *  *  *
19  *  *  *
20  *  *  *
...

I also started to test outgoing ports on some clients using nc -v portquiz.net 443, with a script as a wrapper, and from ports 1-1000 the only ports that seem to be open are 80 and 443.

Also, no proxies are set up. I've tried testing from the OpenWrt router and from FreeBSD and macOS clients connected to the router.

Let's try another thing. Install tcpdump in OpenWrt and run this command
tcpdump -i any -vn icmp and host 8.8.8.8
Then start pinging from a host behind the OpenWrt. Paste here the output.

Here is the output

root@OpenWrt:~# tcpdump -i any -vn icmp and host 8.8.8.8
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
16:14:37.508605 IP (tos 0x0, ttl 64, id 44037, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.1.176 > 8.8.8.8: ICMP echo request, id 17135, seq 1, length 64
16:14:37.508605 IP (tos 0x0, ttl 64, id 44037, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.1.176 > 8.8.8.8: ICMP echo request, id 17135, seq 1, length 64
16:14:37.508658 IP (tos 0x0, ttl 63, id 44037, offset 0, flags [DF], proto ICMP (1), length 84)
    24.6.138.180 > 8.8.8.8: ICMP echo request, id 17135, seq 1, length 64
16:14:37.521829 ethertype IPv4, IP (tos 0x20, ttl 54, id 0, offset 0, flags [none], proto ICMP (1), length 84)
    8.8.8.8 > 24.6.138.180: ICMP echo reply, id 17135, seq 1, length 64
16:14:37.521829 IP (tos 0x20, ttl 54, id 0, offset 0, flags [none], proto ICMP (1), length 84)
    8.8.8.8 > 24.6.138.180: ICMP echo reply, id 17135, seq 1, length 64
16:14:37.521856 IP (tos 0x20, ttl 53, id 0, offset 0, flags [none], proto ICMP (1), length 84)
    8.8.8.8 > 192.168.1.176: ICMP echo reply, id 17135, seq 1, length 64
16:14:37.521861 IP (tos 0x20, ttl 53, id 0, offset 0, flags [none], proto ICMP (1), length 84)
    8.8.8.8 > 192.168.1.176: ICMP echo reply, id 17135, seq 1, length 64
16:14:38.509274 IP (tos 0x0, ttl 64, id 44050, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.1.176 > 8.8.8.8: ICMP echo request, id 17135, seq 2, length 64
16:14:38.509274 IP (tos 0x0, ttl 64, id 44050, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.1.176 > 8.8.8.8: ICMP echo request, id 17135, seq 2, length 64
16:14:38.509309 IP (tos 0x0, ttl 63, id 44050, offset 0, flags [DF], proto ICMP (1), length 84)
    24.6.138.180 > 8.8.8.8: ICMP echo request, id 17135, seq 2, length 64
16:14:38.523231 ethertype IPv4, IP (tos 0x20, ttl 54, id 0, offset 0, flags [none], proto ICMP (1), length 84)
    8.8.8.8 > 24.6.138.180: ICMP echo reply, id 17135, seq 2, length 64
16:14:38.523231 IP (tos 0x20, ttl 54, id 0, offset 0, flags [none], proto ICMP (1), length 84)
    8.8.8.8 > 24.6.138.180: ICMP echo reply, id 17135, seq 2, length 64
16:14:38.523248 IP (tos 0x20, ttl 53, id 0, offset 0, flags [none], proto ICMP (1), length 84)
    8.8.8.8 > 192.168.1.176: ICMP echo reply, id 17135, seq 2, length 64
16:14:38.523252 IP (tos 0x20, ttl 53, id 0, offset 0, flags [none], proto ICMP (1), length 84)
    8.8.8.8 > 192.168.1.176: ICMP echo reply, id 17135, seq 2, length 64
16:15:40.860269 IP (tos 0x0, ttl 64, id 51053, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.1.176 > 8.8.8.8: ICMP echo request, id 17750, seq 1, length 64
16:15:40.860269 IP (tos 0x0, ttl 64, id 51053, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.1.176 > 8.8.8.8: ICMP echo request, id 17750, seq 1, length 64
16:15:40.860309 IP (tos 0x0, ttl 63, id 51053, offset 0, flags [DF], proto ICMP (1), length 84)
    24.6.138.180 > 8.8.8.8: ICMP echo request, id 17750, seq 1, length 64
16:15:40.876912 ethertype IPv4, IP (tos 0x20, ttl 54, id 0, offset 0, flags [none], proto ICMP (1), length 84)
    8.8.8.8 > 24.6.138.180: ICMP echo reply, id 17750, seq 1, length 64
16:15:40.876912 IP (tos 0x20, ttl 54, id 0, offset 0, flags [none], proto ICMP (1), length 84)
    8.8.8.8 > 24.6.138.180: ICMP echo reply, id 17750, seq 1, length 64
16:15:40.876934 IP (tos 0x20, ttl 53, id 0, offset 0, flags [none], proto ICMP (1), length 84)
    8.8.8.8 > 192.168.1.176: ICMP echo reply, id 17750, seq 1, length 64
16:15:40.876939 IP (tos 0x20, ttl 53, id 0, offset 0, flags [none], proto ICMP (1), length 84)
    8.8.8.8 > 192.168.1.176: ICMP echo reply, id 17750, seq 1, length 64
16:15:41.867892 IP (tos 0x0, ttl 64, id 51144, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.1.176 > 8.8.8.8: ICMP echo request, id 17750, seq 2, length 64
16:15:41.867892 IP (tos 0x0, ttl 64, id 51144, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.1.176 > 8.8.8.8: ICMP echo request, id 17750, seq 2, length 64
16:15:41.867920 IP (tos 0x0, ttl 63, id 51144, offset 0, flags [DF], proto ICMP (1), length 84)
    24.6.138.180 > 8.8.8.8: ICMP echo request, id 17750, seq 2, length 64
16:15:41.879666 ethertype IPv4, IP (tos 0x20, ttl 54, id 0, offset 0, flags [none], proto ICMP (1), length 84)
    8.8.8.8 > 24.6.138.180: ICMP echo reply, id 17750, seq 2, length 64
16:15:41.879666 IP (tos 0x20, ttl 54, id 0, offset 0, flags [none], proto ICMP (1), length 84)
    8.8.8.8 > 24.6.138.180: ICMP echo reply, id 17750, seq 2, length 64
16:15:41.879683 IP (tos 0x20, ttl 53, id 0, offset 0, flags [none], proto ICMP (1), length 84)
    8.8.8.8 > 192.168.1.176: ICMP echo reply, id 17750, seq 2, length 64
16:15:41.879686 IP (tos 0x20, ttl 53, id 0, offset 0, flags [none], proto ICMP (1), length 84)
    8.8.8.8 > 192.168.1.176: ICMP echo reply, id 17750, seq 2, length 64

@trendy Thanks for your help, it's working now :) Spent hours on this, and when you asked me to run the last command I was out and had some time away from it to think about it. I simply tried a different NordVPN server and everything works again.
I've tried several servers now and all seem to be working; it looks like that one server was the culprit.

2 Likes
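
One way to read a capture like the one requested above (`tcpdump -i any -vn icmp and host 8.8.8.8`), where each echo request from the LAN client reappears with a rewritten source address: the script below lists the post-masquerade source addresses and checks them against the address you expect the tunnel to use. This is an added example, not code from the thread; the function names, the LAN prefix argument and all addresses in the sample are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): which address did the pings leave with?

# Constructed capture in the layout `tcpdump -i any -vn icmp` prints.
# All addresses are documentation values, not the ones in the thread.
sample_capture() {
cat <<'EOF'
10:00:00.000100 IP (tos 0x0, ttl 64, id 1, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.1.50 > 192.0.2.8: ICMP echo request, id 7, seq 1, length 64
10:00:00.000100 IP (tos 0x0, ttl 64, id 1, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.1.50 > 192.0.2.8: ICMP echo request, id 7, seq 1, length 64
10:00:00.000150 IP (tos 0x0, ttl 63, id 1, offset 0, flags [DF], proto ICMP (1), length 84)
    203.0.113.7 > 192.0.2.8: ICMP echo request, id 7, seq 1, length 64
10:00:00.013000 IP (tos 0x0, ttl 54, id 0, offset 0, flags [none], proto ICMP (1), length 84)
    192.0.2.8 > 203.0.113.7: ICMP echo reply, id 7, seq 1, length 64
10:00:00.013020 IP (tos 0x0, ttl 53, id 0, offset 0, flags [none], proto ICMP (1), length 84)
    192.0.2.8 > 192.168.1.50: ICMP echo reply, id 7, seq 1, length 64
EOF
}

# egress_sources LAN_PREFIX  (capture on stdin)
# Prints "ADDR requests=N replies=M" for every non-LAN source address that
# sent an echo request, i.e. the address the router masqueraded the ping to.
egress_sources() {
    awk -v lan="$1" '
    /ICMP echo (request|reply),/ {
        src = $1; dst = $3; sub(/:$/, "", dst)
        key = src SUBSEP dst SUBSEP $6 SUBSEP $8 SUBSEP $10
        if (key in seen) next        # "-i any" can show one packet several times
        seen[key] = 1
        if ($6 == "request," && index(src, lan) != 1) req[src]++
        if ($6 == "reply,"   && index(dst, lan) != 1) rep[dst]++
    }
    END { for (a in req) printf "%s requests=%d replies=%d\n", a, req[a], rep[a] }
    ' | sort
}

# egress_ok LAN_PREFIX TUNNEL_ADDR  (capture on stdin)
# Succeeds only if every translated ping left with the tunnel address.
egress_ok() {
    egress_sources "$1" | awk -v want="$2" '
        { n++; if ($1 != want) bad = 1 }
        END { if (n == 0 || bad) exit 1 }'
}

sample_capture | egress_sources 192.168.1.
```

On the router, a live capture can be piped in directly, for example `tcpdump -i any -vn -c 20 icmp and host 8.8.8.8 | egress_sources 192.168.1.`; a source address other than the tunnel's means the ping left through a different zone's masquerade rule.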
