[Solved] Problem with vpn configuration (Nordvpn)

Hello !

I am a new Openwrt user.

What I want is to have a router connected to a VPN provider (NordVPN) in order to have a secure connection for the devices plugged into the router.

Device <-> Router <-> ISP Modem - Router <-> VPN Provider <-> Internet

I have put OpenWrt 22.03.2 r19803-9a599fee93 on a Raspberry Pi 4 Model B.

I used this image: https://downloads.openwrt.org/releases/22.03.3/targets/bcm27xx/bcm2711/openwrt-22.03.3-bcm27xx-bcm2711-rpi-4-squashfs-sysupgrade.img.gz

What I have done first is to turn the Raspberry Pi into a basic router with 2 Ethernet ports (one from the Raspberry Pi and another from an Ethernet-USB adapter).

eth0 for the lan
eth1 for the wan

It works for the basic router configuration, but the problem I encounter comes from the VPN side.

I followed exactly the tutorial given on the NordVPN web site: https://support.nordvpn.com/Connectivity/Router/1047411192/OpenWrt-CI-setup-with-NordVPN.htm

Unfortunately, it doesn't work.

I tried many things but nothing works.

I tried to ping the Google DNS server 8.8.8.8 but got no response.

So I suppose the VPN connection doesn't work, but I don't know why.

Can anyone help me?

Here are my configuration files.

/etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdbc:f3c8:9afa::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.200'
        option netmask '255.255.255.0'
        list dns '8.8.8.8'

config interface 'wan'
        option proto 'dhcp'
        option device 'eth1'

config interface 'nordvpntun'
        option proto 'none'
        option device 'tun0'

/etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'vpnfirewall'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'nordvpntun'

config forwarding
        option src 'lan'
        option dest 'vpnfirewall'

/etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option localservice '1'
        option ednspacket_max '1232'
        list server '103.86.96.100'
        list server '103.86.99.100'
        option noresolv '1'

config dhcp 'lan'
        option interface 'lan'
        option leasetime '12h'
        option dhcpv4 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        option ra 'hybrid'
        option dhcpv6 'hybrid'
        option start '201'
        option limit '50'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

/etc/config/openvpn

config openvpn 'custom_config'
        option config '/etc/openvpn/my-vpn.conf'

config openvpn 'sample_server'
        option port '1194'
        option proto 'udp'
        option dev 'tun'
        option ca '/etc/openvpn/ca.crt'
        option cert '/etc/openvpn/server.crt'
        option key '/etc/openvpn/server.key'
        option dh '/etc/openvpn/dh2048.pem'
        option server '10.8.0.0 255.255.255.0'
        option ifconfig_pool_persist '/tmp/ipp.txt'
        option keepalive '10 120'
        option persist_key '1'
        option persist_tun '1'
        option user 'nobody'
        option status '/tmp/openvpn-status.log'
        option verb '3'

config openvpn 'sample_client'
        option client '1'
        option dev 'tun'
        option proto 'udp'
        list remote 'my_server_1 1194'
        option resolv_retry 'infinite'
        option nobind '1'
        option persist_key '1'
        option persist_tun '1'
        option user 'nobody'
        option ca '/etc/openvpn/ca.crt'
        option cert '/etc/openvpn/client.crt'
        option key '/etc/openvpn/client.key'
        option verb '3'

config openvpn 'nordvpn_fr'
        option config '/etc/openvpn/nordvpn_fr.ovpn'
        option enabled '1'

/etc/openvpn/nordvpn_fr.ovpn

client
dev tun
proto udp
remote 185.61.156.24 1194
resolv-retry infinite
remote-random
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ping 15
ping-restart 0
ping-timer-rem
reneg-sec 0
comp-lzo no
verify-x509-name CN=fr906.nordvpn.com

remote-cert-tls server

auth-user-pass /etc/openvpn/nordvpn_fr.auth
verb 3
pull
fast-io
cipher AES-256-CBC
auth SHA512
<ca>
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
</ca>
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----

-----END OpenVPN Static key V1-----
</tls-auth>

The following tutorial may be more recent: TechNadu

Thank you Warlock, but I have already tried this tutorial with no success.

Compared to the linked guide, you are missing the DNS servers on the WAN device:

uci set network.wan.peerdns='0'
uci del network.wan.dns
uci add_list network.wan.dns='103.86.96.100'
uci add_list network.wan.dns='103.86.99.100'
uci commit

Thank you for your answer Mathhias17.

I have tried your solution, but it does not work.

It does not appear in the file /etc/config/network, but it had already been taken into account via the web interface.

Maybe there is a DNS problem, but anyway I think the OpenVPN connection has a problem before the DNS level.

I watched the OpenVPN logs but I don't see any issue (maybe that's normal because I don't have many skills in this :) )

I don't know if it could help, but I made a mistake about the version.
I put openwrt-22.03.2-bcm27xx-bcm2711-rpi-4-squashfs-factory.img on the Raspberry Pi instead of
openwrt-22.03.3-bcm27xx-bcm2711-rpi-4-squashfs-sysupgrade.img

It took me several days to make the Raspberry Pi work, but I have had no success with the VPN.

I tried many tutorials on the web but nothing works.

Can it be the OpenWrt version that is the problem?

It would be very nice if someone could help me make it work.

Thank you in advance.

Here are the logs when the OpenVPN client is activated.

Wed Jan 18 05:31:25 2023 daemon.warn openvpn(nordvpn_fr)[9159]: DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
Wed Jan 18 05:31:25 2023 daemon.notice openvpn(nordvpn_fr)[9159]: OpenVPN 2.5.7 aarch64-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Wed Jan 18 05:31:25 2023 daemon.notice openvpn(nordvpn_fr)[9159]: library versions: OpenSSL 1.1.1s  1 Nov 2022, LZO 2.10
Wed Jan 18 05:31:25 2023 daemon.warn openvpn(nordvpn_fr)[9159]: WARNING: --ping should normally be used with --ping-restart or --ping-exit
Wed Jan 18 05:31:25 2023 daemon.warn openvpn(nordvpn_fr)[9159]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Wed Jan 18 05:31:25 2023 daemon.notice openvpn(nordvpn_fr)[9159]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Wed Jan 18 05:31:25 2023 daemon.notice openvpn(nordvpn_fr)[9159]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Wed Jan 18 05:31:25 2023 daemon.notice openvpn(nordvpn_fr)[9159]: TCP/UDP: Preserving recently used remote address: [AF_INET]185.61.156.24:1194
Wed Jan 18 05:31:25 2023 daemon.notice openvpn(nordvpn_fr)[9159]: Socket Buffers: R=[212992->212992] S=[212992->212992]
Wed Jan 18 05:31:25 2023 daemon.notice openvpn(nordvpn_fr)[9159]: UDP link local: (not bound)
Wed Jan 18 05:31:25 2023 daemon.notice openvpn(nordvpn_fr)[9159]: UDP link remote: [AF_INET]185.61.156.24:1194
Wed Jan 18 05:31:25 2023 daemon.notice openvpn(nordvpn_fr)[9159]: TLS: Initial packet from [AF_INET]185.61.156.24:1194, sid=618f66ae 0e912996
Wed Jan 18 05:31:25 2023 daemon.notice openvpn(nordvpn_fr)[9159]: VERIFY OK: depth=2, C=PA, O=NordVPN, CN=NordVPN Root CA
Wed Jan 18 05:31:25 2023 daemon.notice openvpn(nordvpn_fr)[9159]: VERIFY OK: depth=1, O=NordVPN, CN=NordVPN CA8
Wed Jan 18 05:31:25 2023 daemon.notice openvpn(nordvpn_fr)[9159]: VERIFY KU OK
Wed Jan 18 05:31:25 2023 daemon.notice openvpn(nordvpn_fr)[9159]: Validating certificate extended key usage
Wed Jan 18 05:31:25 2023 daemon.notice openvpn(nordvpn_fr)[9159]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Jan 18 05:31:25 2023 daemon.notice openvpn(nordvpn_fr)[9159]: VERIFY EKU OK
Wed Jan 18 05:31:25 2023 daemon.notice openvpn(nordvpn_fr)[9159]: VERIFY X509NAME OK: CN=fr906.nordvpn.com
Wed Jan 18 05:31:25 2023 daemon.notice openvpn(nordvpn_fr)[9159]: VERIFY OK: depth=0, CN=fr906.nordvpn.com
Wed Jan 18 05:31:25 2023 daemon.notice openvpn(nordvpn_fr)[9159]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 4096 bit RSA, signature: RSA-SHA512
Wed Jan 18 05:31:25 2023 daemon.notice openvpn(nordvpn_fr)[9159]: [fr906.nordvpn.com] Peer Connection Initiated with [AF_INET]185.61.156.24:1194
Wed Jan 18 05:31:26 2023 daemon.notice openvpn(nordvpn_fr)[9159]: SENT CONTROL [fr906.nordvpn.com]: 'PUSH_REQUEST' (status=1)
Wed Jan 18 05:31:26 2023 daemon.notice openvpn(nordvpn_fr)[9159]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 103.86.96.100,dhcp-option DNS 103.86.99.100,sndbuf 524288,rcvbuf 524288,explicit-exit-notify,comp-lzo no,route-gateway 10.8.1.1,topology subnet,ping 60,ping-restart 180,ifconfig 10.8.1.2 255.255.255.0,peer-id 0,cipher AES-256-GCM'
Wed Jan 18 05:31:26 2023 daemon.notice openvpn(nordvpn_fr)[9159]: OPTIONS IMPORT: timers and/or timeouts modified
Wed Jan 18 05:31:26 2023 daemon.notice openvpn(nordvpn_fr)[9159]: OPTIONS IMPORT: explicit notify parm(s) modified
Wed Jan 18 05:31:26 2023 daemon.notice openvpn(nordvpn_fr)[9159]: OPTIONS IMPORT: compression parms modified
Wed Jan 18 05:31:26 2023 daemon.notice openvpn(nordvpn_fr)[9159]: OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
Wed Jan 18 05:31:26 2023 daemon.notice openvpn(nordvpn_fr)[9159]: Socket Buffers: R=[212992->425984] S=[212992->425984]
Wed Jan 18 05:31:26 2023 daemon.notice openvpn(nordvpn_fr)[9159]: OPTIONS IMPORT: --ifconfig/up options modified
Wed Jan 18 05:31:26 2023 daemon.notice openvpn(nordvpn_fr)[9159]: OPTIONS IMPORT: route options modified
Wed Jan 18 05:31:26 2023 daemon.notice openvpn(nordvpn_fr)[9159]: OPTIONS IMPORT: route-related options modified
Wed Jan 18 05:31:26 2023 daemon.notice openvpn(nordvpn_fr)[9159]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Wed Jan 18 05:31:26 2023 daemon.notice openvpn(nordvpn_fr)[9159]: OPTIONS IMPORT: peer-id set
Wed Jan 18 05:31:26 2023 daemon.notice openvpn(nordvpn_fr)[9159]: OPTIONS IMPORT: adjusting link_mtu to 1657
Wed Jan 18 05:31:26 2023 daemon.notice openvpn(nordvpn_fr)[9159]: OPTIONS IMPORT: data channel crypto options modified
Wed Jan 18 05:31:26 2023 daemon.notice openvpn(nordvpn_fr)[9159]: Data Channel: using negotiated cipher 'AES-256-GCM'
Wed Jan 18 05:31:26 2023 daemon.notice openvpn(nordvpn_fr)[9159]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Jan 18 05:31:26 2023 daemon.notice openvpn(nordvpn_fr)[9159]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Jan 18 05:31:26 2023 daemon.notice openvpn(nordvpn_fr)[9159]: net_route_v4_best_gw query: dst 0.0.0.0
Wed Jan 18 05:31:26 2023 daemon.notice openvpn(nordvpn_fr)[9159]: net_route_v4_best_gw result: via 192.168.1.1 dev eth1
Wed Jan 18 05:31:26 2023 daemon.notice netifd: Interface 'nordvpntun' is enabled
Wed Jan 18 05:31:26 2023 daemon.notice netifd: Network device 'tun0' link is up
Wed Jan 18 05:31:26 2023 daemon.notice netifd: Interface 'nordvpntun' has link connectivity
Wed Jan 18 05:31:26 2023 daemon.notice netifd: Interface 'nordvpntun' is setting up now
Wed Jan 18 05:31:26 2023 daemon.notice openvpn(nordvpn_fr)[9159]: TUN/TAP device tun0 opened
Wed Jan 18 05:31:26 2023 daemon.notice openvpn(nordvpn_fr)[9159]: net_iface_mtu_set: mtu 1500 for tun0
Wed Jan 18 05:31:26 2023 daemon.notice openvpn(nordvpn_fr)[9159]: net_iface_up: set tun0 up
Wed Jan 18 05:31:26 2023 daemon.notice openvpn(nordvpn_fr)[9159]: net_addr_v4_add: 10.8.1.2/24 dev tun0
Wed Jan 18 05:31:26 2023 daemon.notice netifd: Interface 'nordvpntun' is now up
Wed Jan 18 05:31:26 2023 daemon.notice openvpn(nordvpn_fr)[9159]: /usr/libexec/openvpn-hotplug up nordvpn_fr tun0 1500 1585 10.8.1.2 255.255.255.0 init
Wed Jan 18 05:31:26 2023 daemon.notice openvpn(nordvpn_fr)[9159]: net_route_v4_add: 185.61.156.24/32 via 192.168.1.1 dev [NULL] table 0 metric -1
Wed Jan 18 05:31:26 2023 daemon.notice openvpn(nordvpn_fr)[9159]: net_route_v4_add: 0.0.0.0/1 via 10.8.1.1 dev [NULL] table 0 metric -1
Wed Jan 18 05:31:26 2023 daemon.notice openvpn(nordvpn_fr)[9159]: net_route_v4_add: 128.0.0.0/1 via 10.8.1.1 dev [NULL] table 0 metric -1
Wed Jan 18 05:31:26 2023 daemon.warn openvpn(nordvpn_fr)[9159]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Wed Jan 18 05:31:26 2023 daemon.notice openvpn(nordvpn_fr)[9159]: Initialization Sequence Completed
Wed Jan 18 05:31:27 2023 user.notice firewall: Reloading firewall due to ifup of nordvpntun (tun0)

What is the address on the wan of the OpenWrt Pi? It will be in the subnet of the ISP router. You can check this by looking at the web interface main status page > IPv4 upstream... what do you see there?

On the ISP router web interface, I saw the IP address of the Raspberry Pi is 192.168.1.114.

To be precise, the Raspberry Pi works as a simple router. It is just (so to speak :) ) the VPN client that I can't make work properly.

This is likely your issue...

You have your lan and your wan using the same subnet. One of them must change.

Try changing the lan address of your OpenWrt router to 192.168.2.1 and then try again (don't forget to renew your DHCP lease on your computers).


Thank you Peter !!!

It seems to work.

But I don't really understand why.

Why does it work as a basic router and not with the VPN added?

Theoretically, the IP address range of the Raspberry Pi DHCP server (lan side, 192.168.1.[1-199]) does not disturb the IP address range of the ISP router DHCP server (192.168.1.[200-255]).

I'm surprised it was working as a basic router in the first place... it shouldn't have been able to route at all.

Basically, you cannot have subnets on your wan and lan that are the same or overlap. This configuration creates ambiguity in the routing table. Simple analogy -- you walk into a room with a package to deliver to John... you get in there, and there are two people named John. Now you cannot reliably complete the task because you cannot be certain which John is supposed to get the package.

No, it doesn't work that way. The subnet you were using on both your lan and wan was 192.168.1.0/24 (/24 or subnet mask 255.255.255.0 -- these are equivalent ways of expressing it). The subnet mask/CIDR bits value defines the size of the network... in this case:

  • The network ID is 192.168.1.0
  • The host range is 192.168.1.1-192.168.1.254.
  • The broadcast address is 192.168.1.255.

The DHCP server doesn't play into the size -- that is defined by the CIDR/subnet mask values. All the DHCP server actually does is assign addresses to hosts on the network. So, let's use another analogy... a theater with ushers who seat the guests (let's assume that the ushers select the seats)... what you did previously was assign two ushers with different sections of the same theater. What needs to happen is that you need two ushers who seat guests in two entirely different theaters.

By changing the address to 192.168.2.1, you've made a non-overlapping network.

You can read more about subnets in lots of places, like this Wikipedia article, and you can also play with a subnet calculator.

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
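To make the subnet arithmetic above concrete, here is an added example (not code from the thread or from OpenWrt) that takes the lan ipaddr/netmask and dhcp start/limit from the posted config, plus the 192.168.1.114 wan address reported by the ISP router, and shows why the two /24s collide while the DHCP pool has no bearing on it. It assumes the ISP router also uses a 255.255.255.0 mask, which the thread does not state.

```python
import ipaddress

# Values taken from the configs posted in this thread; the wan netmask is an assumption.
LAN_IPADDR = "192.168.1.200"      # network.lan.ipaddr
LAN_NETMASK = "255.255.255.0"     # network.lan.netmask
DHCP_START, DHCP_LIMIT = 201, 50  # dhcp.lan.start / dhcp.lan.limit
WAN_IPADDR = "192.168.1.114"      # address the ISP router handed to eth1
WAN_NETMASK = "255.255.255.0"     # assumed: typical home ISP router /24
FIXED_LAN_IPADDR = "192.168.2.1"  # the change suggested in the thread


def subnet_facts(ip, netmask):
    """Network ID, usable host range and broadcast for an ip/netmask pair.
    These depend only on the mask (CIDR bits), never on any DHCP setting."""
    net = ipaddress.ip_network(f"{ip}/{netmask}", strict=False)
    hosts = list(net.hosts())  # excludes network and broadcast addresses
    return {
        "cidr": str(net),
        "network": str(net.network_address),
        "first_host": str(hosts[0]),
        "last_host": str(hosts[-1]),
        "broadcast": str(net.broadcast_address),
    }


def dhcp_pool(ip, netmask, start, limit):
    """Addresses an OpenWrt 'config dhcp' section hands out: start/limit are
    offsets inside the subnet, so the pool is carved out of it, not a new one."""
    net = ipaddress.ip_network(f"{ip}/{netmask}", strict=False)
    first = net.network_address + start
    last = net.network_address + start + limit - 1
    if last >= net.broadcast_address:
        raise ValueError("DHCP pool runs past the end of the subnet")
    return str(first), str(last)


def subnets_overlap(ip_a, mask_a, ip_b, mask_b):
    """True when the two interfaces claim some of the same addresses."""
    a = ipaddress.ip_network(f"{ip_a}/{mask_a}", strict=False)
    b = ipaddress.ip_network(f"{ip_b}/{mask_b}", strict=False)
    return a.overlaps(b)


def check_router(lan_ip, lan_mask, wan_ip, wan_mask):
    """Report the 'two people named John' ambiguity: the kernel would have two
    interfaces that both look directly connected to the same destinations."""
    if subnets_overlap(lan_ip, lan_mask, wan_ip, wan_mask):
        return "CONFLICT: lan and wan overlap, move one of them to another subnet"
    return "OK: lan and wan are disjoint subnets"


if __name__ == "__main__":
    print("lan facts:", subnet_facts(LAN_IPADDR, LAN_NETMASK))
    print("lan DHCP pool:", dhcp_pool(LAN_IPADDR, LAN_NETMASK, DHCP_START, DHCP_LIMIT))
    print("as posted:", check_router(LAN_IPADDR, LAN_NETMASK, WAN_IPADDR, WAN_NETMASK))
    print("after fix:", check_router(FIXED_LAN_IPADDR, LAN_NETMASK, WAN_IPADDR, WAN_NETMASK))
```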

Thank you Peter, you saved my day by figuring it out.

Your explanation is great too.

I also thank the other users who tried to help.

Have a nice day !
