Unable to configure NordVPN

Dear Experts,

I am running OpenWRT on some TP Link router. It is connected to the main router of the internet provider. The cable goes from a normal (yellow colored) networking port of the main router into the WAN port of the TP Link device. I am trying to set it up with NordVPN. Here is the guide, which I am using:

I have applied the command line configuration steps. I have followed and implemented the guide to the letter! However, it doesn't work and the router behaves very weirdly. Usually, when I power the TP Link up, there is an internet connection for a few minutes, however with my original IP. After a while the internet stops. I think that it might be due to the leak prevention script kicking in.
Eventually, the internet might start working for a while again. But the VPN never seems to kick in. Within several days of experimenting and troubleshooting, just one time I saw an IP from the country I am trying to configure a VPN connection to. This happened after I restarted the openvpn service. But that worked just once; I could never reproduce this success.
I am not very good at networking, though I know some stuff. I started suspecting that there is something wrong with the routing table.
When I powered on the router today, the routing table looked like this:

Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 10.0.1.138 0.0.0.0 UG 0 0 0 eth0.2
10.0.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0.2
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 br-lan

After some minutes, the internet connection stopped and when checking the routing table, it had changed completely and now looks like this:

Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 10.7.0.1 128.0.0.0 UG 0 0 0 tun1
0.0.0.0 10.7.1.1 128.0.0.0 UG 0 0 0 tun0
0.0.0.0 10.0.1.138 0.0.0.0 UG 0 0 0 eth0.2
10.0.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0.2
10.7.0.0 0.0.0.0 255.255.255.0 U 0 0 0 tun1
10.7.1.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
82.180.148.251 10.0.1.138 255.255.255.255 UGH 0 0 0 eth0.2
128.0.0.0 10.7.0.1 128.0.0.0 UG 0 0 0 tun1
128.0.0.0 10.7.1.1 128.0.0.0 UG 0 0 0 tun0
185.156.174.91 10.0.1.138 255.255.255.255 UGH 0 0 0 eth0.2
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 br-lan

As I am not very good at interpreting routing tables, I showed it to a friend and he said that it looks like I have two VPNs and the configuration is a mess. However, I have no idea how to fix it, how to troubleshoot it, or what steps to take next.

One more thing which I noticed is that, when the computer has no internet connection, the internet seems to be working on the router itself, as I have no problem pinging various websites when connected to the router with PuTTY. But on my computer, all ping packets are timing out.

Please kindly help me, I am getting really desperate here... Many thanks!!

Please post console output in code tags it will be easier to read.

Yes you are running two instances of OpenVPN, so delete one of them-- you should only have a tun0 interface and not tun1. Once you can run one instance you could configure another one e.g. for another country but you have to be careful that only one is ever enabled at a time.

I would not install the "leak prevent" and "restart" scripts at the end of the page-- that was written for old versions and that functionality is now built into new versions.
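The reply above diagnoses two OpenVPN instances from the routing table: each instance that uses redirect-gateway def1 installs a pair of "half default" routes (0.0.0.0/1 and 128.0.0.0/1, genmask 128.0.0.0) through its own tun device, so two tun devices on those routes means two competing tunnels. The following shell script is an added example, not a script from the thread or from NordVPN's guide; it parses `route -n` output and counts those devices. The three sample tables are copied from the routing tables posted in the thread; on the router itself you would feed it the live `route -n` output instead.

```shell
#!/bin/sh
# Added example: count how many tun devices hold the two "half default" routes
# (destination 0.0.0.0 and 128.0.0.0, both with genmask 128.0.0.0) that
# OpenVPN installs for redirect-gateway def1. One device is the healthy state;
# two means two OpenVPN instances are competing for the default route.

# Sample route -n output copied from the thread: the table before any VPN came up.
ROUTE_BEFORE_VPN='Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 10.0.1.138 0.0.0.0 UG 0 0 0 eth0.2
10.0.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0.2
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 br-lan'

# Sample copied from the thread: the broken state with tun0 and tun1.
ROUTE_TWO_TUNNELS='Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 10.7.0.1 128.0.0.0 UG 0 0 0 tun1
0.0.0.0 10.7.1.1 128.0.0.0 UG 0 0 0 tun0
0.0.0.0 10.0.1.138 0.0.0.0 UG 0 0 0 eth0.2
10.0.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0.2
10.7.0.0 0.0.0.0 255.255.255.0 U 0 0 0 tun1
10.7.1.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
82.180.148.251 10.0.1.138 255.255.255.255 UGH 0 0 0 eth0.2
128.0.0.0 10.7.0.1 128.0.0.0 UG 0 0 0 tun1
128.0.0.0 10.7.1.1 128.0.0.0 UG 0 0 0 tun0
185.156.174.91 10.0.1.138 255.255.255.255 UGH 0 0 0 eth0.2
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 br-lan'

# Sample copied from the thread: the healthy state after the extra instance was removed.
ROUTE_ONE_TUNNEL='Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 10.8.1.1 128.0.0.0 UG 0 0 0 tun0
0.0.0.0 10.0.1.138 0.0.0.0 UG 0 0 0 eth0.2
10.0.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0.2
10.8.1.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
128.0.0.0 10.8.1.1 128.0.0.0 UG 0 0 0 tun0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 br-lan
195.206.105.123 10.0.1.138 255.255.255.255 UGH 0 0 0 eth0.2'

# Distinct interfaces carrying a half-default route, one per line, sorted.
# Column 3 is Genmask and column 8 is Iface in route -n output.
split_default_ifaces() {
    printf '%s\n' "$1" |
        awk '$3 == "128.0.0.0" && ($1 == "0.0.0.0" || $1 == "128.0.0.0") { print $8 }' |
        sort -u
}

# 0 = no VPN default route, 1 = healthy, 2 or more = competing OpenVPN instances.
count_split_default_ifaces() {
    split_default_ifaces "$1" | awk 'END { print NR }'
}

# Human-readable verdict for one routing table.
describe_routes() {
    n=$(count_split_default_ifaces "$1")
    case "$n" in
        0) echo "no VPN default route: the tunnel is down or not redirecting the gateway" ;;
        1) echo "one VPN default route via $(split_default_ifaces "$1")" ;;
        *) echo "$n competing VPN default routes via: $(split_default_ifaces "$1" | xargs echo)" ;;
    esac
}

# On the router this would be: describe_routes "$(route -n)"
describe_routes "$ROUTE_BEFORE_VPN"
describe_routes "$ROUTE_TWO_TUNNELS"
describe_routes "$ROUTE_ONE_TUNNEL"
```

The check only looks at the two half-default routes, not at every route on a tun device, because the half-default pair is what decides where LAN traffic actually goes; a stray tun with only its own subnet route would not steal the default.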

Thanks a lot, but could you be so kind as to provide some instructions? How do I get rid of tun1?
I have no idea how to do it...
I will try to revert the leak prevent and the restart scripts.
Many many thanks!

Go to the OpenVPN GUI page list of instances and click the delete button on the extra one(s).

Also note that those instructions on the Nord site have a method to set up under GUI and a section for CLI-- choose one do not do both.

Yes, I confirm. There are 3 predefined connections; however, they are inactive. I have only been activating the OpenVPN config.
I am ONLY doing the CLI part. I am running OpenWRT version 18, which does not have the possibility to upload .ovpn configuration files in the GUI (LuCI). So I need to stick to uci.
Will implement all your recommendations and will report back here. Many thanks so far.

You probably have multiple VPN configs:

ls -a -l /etc/openvpn

Hello everybody, I have done the following:

  1. I have removed the reconnect configuration
  2. I have removed the link prevention script and settings
  3. I have deleted other instances from the OpenVPN menu in LUCI
  4. Yes, I had profiles for two countries in /etc/openvpn. I did not have a clue that this might cause a problem, because I thought that the configuration file to be used is specified in /etc/config/openvpn. Nevertheless, I moved those files to another location and now there is just one openvpn config file in /etc/openvpn

Then I have rebooted the router. Here is the resulting routing table:

Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 10.8.1.1 128.0.0.0 UG 0 0 0 tun0
0.0.0.0 10.0.1.138 0.0.0.0 UG 0 0 0 eth0.2
10.0.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0.2
10.8.1.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
128.0.0.0 10.8.1.1 128.0.0.0 UG 0 0 0 tun0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 br-lan
195.206.105.123 10.0.1.138 255.255.255.255 UGH 0 0 0 eth0.2

Nevertheless, there is still NO internet connection on the PC. On the router, pinging several websites works, so I believe that the router itself does have an internet connection.

Please kindly advise what to do next? Many thanks!

The routing looks correct now, so next consider the firewall. Please use the </> button (Format as code) at the top of the editor window and post your /etc/config/firewall file.

# cat /etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6 wwan'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config zone
        option name 'vpnfirewall'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'nordvpntun'

config forwarding
        option src 'lan'
        option dest 'vpnfirewall'

Thanks a lot for your fast reply! I have sent the file; it's a little long. I hope that thing with the button worked too.
Many thanks for your help!

And a few more thoughts...
That OpenWRT router will always be connected to a main router. Do I need a firewall in this case at all? Thinking about that, I have tried

# service firewall stop
Warning: Unable to locate ipset utility, disabling ipset support
Warning: Section @zone[1] (wan) cannot resolve device of network 'wwan'
 * Flushing IPv4 filter table
 * Flushing IPv4 nat table
 * Flushing IPv4 mangle table
 * Flushing IPv4 raw table
 * Flushing IPv6 filter table
 * Flushing IPv6 mangle table
 * Flushing conntrack table ...

However, this didn't change a thing. There is still an internet connection on the router and no internet on the PC:

C:\>ping yahoo.com
Ping request could not find host yahoo.com. Please check the name and try again.

So I believe not even DNS is working :(
Looking forward to your advice on how to fix this. Many thanks!

Any ideas please? I am completely stuck with this problem and I have no idea how to go on...

Hello, can anyone please help me? I am totally desperate with this problem :(

Check if you have flag use default gateway under interface - tun0

Which router are you trying to install OpenVPN on?

The firewall looks generally correct. I would suggest that since the new syntax allows declaring devices into a firewall zone, you do that. Use list device 'tun0' directly in the vpn firewall zone instead of setting up a "stub" network to link a name like nordvpntun to the device tun0.

The OpenVPN userspace process completely controls the creation, configuration, and destruction of tun0, and setting up / removing the three routes (two for the "split default" and one for the "hole punch" to use the regular wan to communicate (encrypted) with the VPN server). It is not necessary to reference tun0 anywhere in the network config other than to attach it to a firewall zone.
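mk24's advice above comes down to three conditions in /etc/config/firewall for LAN clients to reach the internet through the tunnel: tun0 must belong to a zone, that zone must masquerade (the VPN server only routes the tunnel address, not 192.168.1.0/24 behind it), and there must be a forwarding from lan into that zone. The following shell script is an added example, not mk24's or the thread's own code; it checks those three conditions by parsing the UCI text. The embedded sample is a constructed excerpt of the firewall config posted in the thread, with the zone already changed to `list device 'tun0'`, plus a second copy with the masq line removed to show what the check reports when replies would never come back from the VPN server. On a router you would pass `cat /etc/config/firewall` instead of the sample.

```shell
#!/bin/sh
# Added example: verify the firewall path lan -> (zone containing tun0) -> masq.
# Parsing is done with awk over the UCI text; single quotes are stripped first.

# Constructed sample: excerpt of the thread's /etc/config/firewall after the
# change from "list network 'nordvpntun'" to "list device 'tun0'".
FW_OK="config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'vpnfirewall'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list device 'tun0'

config forwarding
        option src 'lan'
        option dest 'vpnfirewall'
"

# Same config with the masquerade line removed (constructed failure case).
FW_NO_MASQ=$(printf '%s\n' "$FW_OK" | grep -v "option masq")

# Print the name of the zone whose section contains "list device <dev>"
# (empty if no zone owns the device). $1 = device, $2 = config text.
zone_for_device() {
    printf '%s\n' "$2" | awk -v q="'" -v dev="$1" '
        function flush() { if (type == "zone" && hit) print name }
        { gsub(q, "") }
        $1 == "config" { flush(); type = $2; name = ""; hit = 0 }
        $1 == "option" && $2 == "name" { name = $3 }
        $1 == "list" && $2 == "device" && $3 == dev { hit = 1 }
        END { flush() }'
}

# Exit 0 if the named zone has option masq '1'. $1 = zone, $2 = config text.
zone_masquerades() {
    printf '%s\n' "$2" | awk -v q="'" -v zone="$1" '
        function flush() { if (type == "zone" && name == zone && masq == "1") found = 1 }
        { gsub(q, "") }
        $1 == "config" { flush(); type = $2; name = ""; masq = "" }
        $1 == "option" && $2 == "name" { name = $3 }
        $1 == "option" && $2 == "masq" { masq = $3 }
        END { flush(); exit !found }'
}

# Exit 0 if a "config forwarding" section goes from $1 to $2. $3 = config text.
forwarding_exists() {
    printf '%s\n' "$3" | awk -v q="'" -v s="$1" -v d="$2" '
        function flush() { if (type == "forwarding" && src == s && dst == d) found = 1 }
        { gsub(q, "") }
        $1 == "config" { flush(); type = $2; src = ""; dst = "" }
        $1 == "option" && $2 == "src" { src = $3 }
        $1 == "option" && $2 == "dest" { dst = $3 }
        END { flush(); exit !found }'
}

# Run the three checks in order and print "ok: ..." or the first failing condition.
# $1 = tun device, $2 = config text.
check_vpn_path() {
    zone=$(zone_for_device "$1" "$2")
    [ -n "$zone" ] || { echo "no zone contains device $1"; return 1; }
    zone_masquerades "$zone" "$2" || { echo "zone $zone does not masquerade"; return 1; }
    forwarding_exists lan "$zone" "$2" || { echo "no forwarding lan -> $zone"; return 1; }
    echo "ok: lan -> $zone (device $1, masq on)"
}

# On the router: check_vpn_path tun0 "$(cat /etc/config/firewall)"
check_vpn_path tun0 "$FW_OK"
check_vpn_path tun0 "$FW_NO_MASQ" || true
check_vpn_path tun1 "$FW_OK" || true
```

Each parser flushes a section only when the next `config` line (or end of input) arrives, so the order of options inside a section does not matter. The script deliberately does not look at `list network`, since mk24's point is that attaching the device directly to the zone removes the need for a stub network interface.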

Dear mk24,

many thanks for your reply.
Could you kindly provide the exact commands to implement these modifications?
Or if it is necessary to edit the firewall config file, then how exactly should the new file look?

You mention some new syntax. Do I have it in version 18?

And it would be nice if someone could reply to my concerns about DNS. Thanks a lot!

Hello notthesun,

I am not sure I understand exactly how to follow your advice. I have tried to google it, but all I get is "select use default gateway in LuCI". However, I do not have such an option on OpenWRT 18. So what I have done was to modify /etc/config/network like this and reboot:

config interface 'nordvpntun'
        option proto 'none'
        option ifname 'tun0'
        option use default gateway

Unfortunately it made things even worse. Even the router did not have internet anymore. So I have reverted this change back.

You also had asked about the router - it is TL-WDR4300.
Please kindly advise how to fix the problem. Many thanks!

Dear mk24,

I have removed the line

list network 'nordvpntun'

from /etc/config/firewall and I have added the following line instead:

list device 'tun0'

So, the entire section looks like this now:

config zone
        option name 'vpnfirewall'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list device 'tun0'

Then I have rebooted. Unfortunately everything is still the same. There is internet on the router itself, but no internet on my laptop when I am connected to the TP Link router :( Please help, it has been too long, I need to finally get this working. Many thanks.

Hello, could you please advise on how to solve the problem? I need to get this working... Thank you!

Collect comprehensive diagnostics and post it to pastebin.com redacting the private parts.