VPN connected, no internet (NordVPN)

I did it. Unfortunately it didn't work

Here is the log


BusyBox v1.30.1 () built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt 19.07.7, r11306-c4a6851c72
 -----------------------------------------------------
root@GL-AR750S:~# logread -e openvpn
Thu Dec 23 01:39:27 2021 daemon.notice procd: /etc/rc.d/S90vpn-service: cat: can't open '/etc/openvpn/ovpn/server.ovpn': No such file or directory
Thu Dec 23 01:40:46 2021 daemon.warn openvpn[4094]: DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
Thu Dec 23 01:40:46 2021 daemon.notice openvpn[4094]: OpenVPN 2.5.0 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Thu Dec 23 01:40:46 2021 daemon.notice openvpn[4094]: library versions: OpenSSL 1.1.1i  8 Dec 2020
Thu Dec 23 01:40:46 2021 daemon.warn openvpn[4226]: WARNING: --ping should normally be used with --ping-restart or --ping-exit
Thu Dec 23 01:40:46 2021 daemon.warn openvpn[4226]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Thu Dec 23 01:40:46 2021 daemon.notice openvpn[4226]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Thu Dec 23 01:40:46 2021 daemon.notice openvpn[4226]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Thu Dec 23 01:40:46 2021 daemon.notice openvpn[4226]: TCP/UDP: Preserving recently used remote address: [AF_INET]81.19.217.3:1194
Thu Dec 23 01:40:46 2021 daemon.notice openvpn[4226]: Socket Buffers: R=[163840->163840] S=[163840->163840]
Thu Dec 23 01:40:46 2021 daemon.notice openvpn[4226]: UDP link local: (not bound)
Thu Dec 23 01:40:46 2021 daemon.notice openvpn[4226]: UDP link remote: [AF_INET]81.19.217.3:1194
Thu Dec 23 01:40:46 2021 daemon.notice openvpn[4226]: TLS: Initial packet from [AF_INET]81.19.217.3:1194, sid=85fc1f24 8b916d1d
Thu Dec 23 01:40:46 2021 daemon.warn openvpn[4226]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Thu Dec 23 01:40:46 2021 daemon.notice openvpn[4226]: VERIFY OK: depth=2, C=PA, O=NordVPN, CN=NordVPN Root CA
Thu Dec 23 01:40:46 2021 daemon.notice openvpn[4226]: VERIFY OK: depth=1, C=PA, O=NordVPN, CN=NordVPN CA6
Thu Dec 23 01:40:46 2021 daemon.notice openvpn[4226]: VERIFY KU OK
Thu Dec 23 01:40:46 2021 daemon.notice openvpn[4226]: Validating certificate extended key usage
Thu Dec 23 01:40:46 2021 daemon.notice openvpn[4226]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Thu Dec 23 01:40:46 2021 daemon.notice openvpn[4226]: VERIFY EKU OK
Thu Dec 23 01:40:46 2021 daemon.notice openvpn[4226]: VERIFY OK: depth=0, CN=uk877.nordvpn.com
Thu Dec 23 01:40:46 2021 daemon.notice openvpn[4226]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 4096 bit RSA
Thu Dec 23 01:40:46 2021 daemon.notice openvpn[4226]: [uk877.nordvpn.com] Peer Connection Initiated with [AF_INET]81.19.217.3:1194
Thu Dec 23 01:40:47 2021 daemon.notice openvpn[4226]: SENT CONTROL [uk877.nordvpn.com]: 'PUSH_REQUEST' (status=1)
Thu Dec 23 01:40:47 2021 daemon.notice openvpn[4226]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 103.86.96.100,dhcp-option DNS 103.86.99.100,sndbuf 524288,rcvbuf 524288,explicit-exit-notify,comp-lzo no,route-gateway 10.8.0.1,topology subnet,ping 60,ping-restart 180,ifconfig 10.8.254.61 255.255.0.0,peer-id 3,cipher AES-256-GCM'
Thu Dec 23 01:40:47 2021 daemon.notice openvpn[4226]: OPTIONS IMPORT: timers and/or timeouts modified
Thu Dec 23 01:40:47 2021 daemon.notice openvpn[4226]: OPTIONS IMPORT: explicit notify parm(s) modified
Thu Dec 23 01:40:47 2021 daemon.notice openvpn[4226]: OPTIONS IMPORT: compression parms modified
Thu Dec 23 01:40:47 2021 daemon.notice openvpn[4226]: OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
Thu Dec 23 01:40:47 2021 daemon.notice openvpn[4226]: Socket Buffers: R=[163840->327680] S=[163840->327680]
Thu Dec 23 01:40:47 2021 daemon.notice openvpn[4226]: OPTIONS IMPORT: --ifconfig/up options modified
Thu Dec 23 01:40:47 2021 daemon.notice openvpn[4226]: OPTIONS IMPORT: route options modified
Thu Dec 23 01:40:47 2021 daemon.notice openvpn[4226]: OPTIONS IMPORT: route-related options modified
Thu Dec 23 01:40:47 2021 daemon.notice openvpn[4226]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Thu Dec 23 01:40:47 2021 daemon.notice openvpn[4226]: OPTIONS IMPORT: peer-id set
Thu Dec 23 01:40:47 2021 daemon.notice openvpn[4226]: OPTIONS IMPORT: adjusting link_mtu to 1657
Thu Dec 23 01:40:47 2021 daemon.notice openvpn[4226]: OPTIONS IMPORT: data channel crypto options modified
Thu Dec 23 01:40:47 2021 daemon.notice openvpn[4226]: Data Channel: using negotiated cipher 'AES-256-GCM'
Thu Dec 23 01:40:47 2021 daemon.notice openvpn[4226]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Dec 23 01:40:47 2021 daemon.notice openvpn[4226]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Dec 23 01:40:47 2021 daemon.notice openvpn[4226]: net_route_v4_best_gw query: dst 0.0.0.0
Thu Dec 23 01:40:47 2021 daemon.notice openvpn[4226]: net_route_v4_best_gw result: via 192.168.1.1 dev wlan-sta
Thu Dec 23 01:40:47 2021 daemon.notice openvpn[4226]: TUN/TAP device tun0 opened
Thu Dec 23 01:40:47 2021 daemon.notice openvpn[4226]: net_iface_mtu_set: mtu 1500 for tun0
Thu Dec 23 01:40:47 2021 daemon.notice openvpn[4226]: net_iface_up: set tun0 up
Thu Dec 23 01:40:47 2021 daemon.notice openvpn[4226]: net_addr_v4_add: 10.8.254.61/16 dev tun0
Thu Dec 23 01:40:47 2021 daemon.notice openvpn[4226]: /etc/openvpn/update-resolv-conf tun0 1500 1585 10.8.254.61 255.255.0.0 init
Thu Dec 23 01:40:50 2021 daemon.notice openvpn[4226]: net_route_v4_add: 81.19.217.3/32 via 192.168.1.1 dev [NULL] table 0 metric -1
Thu Dec 23 01:40:50 2021 daemon.notice openvpn[4226]: net_route_v4_add: 0.0.0.0/1 via 10.8.0.1 dev [NULL] table 0 metric -1
Thu Dec 23 01:40:50 2021 daemon.notice openvpn[4226]: net_route_v4_add: 128.0.0.0/1 via 10.8.0.1 dev [NULL] table 0 metric -1
Thu Dec 23 01:40:53 2021 daemon.warn openvpn[4852]: DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
Thu Dec 23 01:40:53 2021 daemon.notice openvpn[4852]: OpenVPN 2.5.0 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Thu Dec 23 01:40:53 2021 daemon.notice openvpn[4852]: library versions: OpenSSL 1.1.1i  8 Dec 2020
Thu Dec 23 01:40:53 2021 daemon.warn openvpn[4887]: WARNING: --ping should normally be used with --ping-restart or --ping-exit
Thu Dec 23 01:40:53 2021 daemon.warn openvpn[4887]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Thu Dec 23 01:40:53 2021 daemon.notice openvpn[4887]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Thu Dec 23 01:40:53 2021 daemon.notice openvpn[4887]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Thu Dec 23 01:40:53 2021 daemon.notice openvpn[4887]: TCP/UDP: Preserving recently used remote address: [AF_INET]81.19.217.3:1194
Thu Dec 23 01:40:53 2021 daemon.notice openvpn[4887]: Socket Buffers: R=[163840->163840] S=[163840->163840]
Thu Dec 23 01:40:53 2021 daemon.notice openvpn[4887]: UDP link local: (not bound)
Thu Dec 23 01:40:53 2021 daemon.notice openvpn[4887]: UDP link remote: [AF_INET]81.19.217.3:1194
Thu Dec 23 01:40:53 2021 daemon.notice openvpn[4887]: TLS: Initial packet from [AF_INET]81.19.217.3:1194, sid=c143125f 91e5031c
Thu Dec 23 01:40:53 2021 daemon.warn openvpn[4887]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Thu Dec 23 01:40:53 2021 daemon.notice openvpn[4887]: VERIFY OK: depth=2, C=PA, O=NordVPN, CN=NordVPN Root CA
Thu Dec 23 01:40:53 2021 daemon.notice openvpn[4887]: VERIFY OK: depth=1, C=PA, O=NordVPN, CN=NordVPN CA6
Thu Dec 23 01:40:53 2021 daemon.notice openvpn[4887]: VERIFY KU OK
Thu Dec 23 01:40:53 2021 daemon.notice openvpn[4887]: Validating certificate extended key usage
Thu Dec 23 01:40:53 2021 daemon.notice openvpn[4887]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Thu Dec 23 01:40:53 2021 daemon.notice openvpn[4887]: VERIFY EKU OK
Thu Dec 23 01:40:53 2021 daemon.notice openvpn[4887]: VERIFY OK: depth=0, CN=uk877.nordvpn.com
Thu Dec 23 01:40:53 2021 daemon.notice openvpn[4887]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 4096 bit RSA
Thu Dec 23 01:40:53 2021 daemon.notice openvpn[4887]: [uk877.nordvpn.com] Peer Connection Initiated with [AF_INET]81.19.217.3:1194
Thu Dec 23 01:40:54 2021 daemon.notice openvpn[4887]: SENT CONTROL [uk877.nordvpn.com]: 'PUSH_REQUEST' (status=1)
Thu Dec 23 01:40:54 2021 daemon.notice openvpn[4887]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 103.86.96.100,dhcp-option DNS 103.86.99.100,sndbuf 524288,rcvbuf 524288,explicit-exit-notify,comp-lzo no,route-gateway 10.8.0.1,topology subnet,ping 60,ping-restart 180,ifconfig 10.8.254.61 255.255.0.0,peer-id 9,cipher AES-256-GCM'
Thu Dec 23 01:40:54 2021 daemon.notice openvpn[4887]: OPTIONS IMPORT: timers and/or timeouts modified
Thu Dec 23 01:40:54 2021 daemon.notice openvpn[4887]: OPTIONS IMPORT: explicit notify parm(s) modified
Thu Dec 23 01:40:54 2021 daemon.notice openvpn[4887]: OPTIONS IMPORT: compression parms modified
Thu Dec 23 01:40:54 2021 daemon.notice openvpn[4887]: OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
Thu Dec 23 01:40:54 2021 daemon.notice openvpn[4887]: Socket Buffers: R=[163840->327680] S=[163840->327680]
Thu Dec 23 01:40:54 2021 daemon.notice openvpn[4887]: OPTIONS IMPORT: --ifconfig/up options modified
Thu Dec 23 01:40:54 2021 daemon.notice openvpn[4887]: OPTIONS IMPORT: route options modified
Thu Dec 23 01:40:54 2021 daemon.notice openvpn[4887]: OPTIONS IMPORT: route-related options modified
Thu Dec 23 01:40:54 2021 daemon.notice openvpn[4887]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Thu Dec 23 01:40:54 2021 daemon.notice openvpn[4887]: OPTIONS IMPORT: peer-id set
Thu Dec 23 01:40:54 2021 daemon.notice openvpn[4887]: OPTIONS IMPORT: adjusting link_mtu to 1657
Thu Dec 23 01:40:54 2021 daemon.notice openvpn[4887]: OPTIONS IMPORT: data channel crypto options modified
Thu Dec 23 01:40:54 2021 daemon.notice openvpn[4887]: Data Channel: using negotiated cipher 'AES-256-GCM'
Thu Dec 23 01:40:54 2021 daemon.notice openvpn[4887]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Dec 23 01:40:54 2021 daemon.notice openvpn[4887]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Dec 23 01:40:54 2021 daemon.notice openvpn[4887]: net_route_v4_best_gw query: dst 0.0.0.0
Thu Dec 23 01:40:54 2021 daemon.notice openvpn[4887]: net_route_v4_best_gw result: via 192.168.1.1 dev wlan-sta
Thu Dec 23 01:40:54 2021 daemon.err openvpn[4887]: ERROR: Cannot ioctl TUNSETIFF tun0: Resource busy (errno=16)
Thu Dec 23 01:40:54 2021 daemon.notice openvpn[4887]: Exiting due to fatal error
Thu Dec 23 01:41:01 2021 daemon.notice openvpn[4226]: Initialization Sequence Completed
root@GL-AR750S:~#

Clearly that didn't work. Sorry. Let's set that back to just dev tun.

Then, once you have started the tunnel, what do you see on the output of the following things:
ifconfig

route

ping 8.8.8.8

If 192.168.1.1 is the gateway and 192.168.8.1 is the vpn, maybe the problem is that when 8.1 is rebooted the connection between the two isn't made in time so the tun can't be created and exits?

Pay attention that the error you mentioned appeared before as well.

This is after I reconnect to vpn:

root@GL-AR750S:~# ifconfig
br-lan    Link encap:Ethernet  HWaddr 94:83:C4:0C:D0:CD
          inet addr:192.168.8.1  Bcast:192.168.8.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1816 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1160 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:294322 (287.4 KiB)  TX bytes:278708 (272.1 KiB)

eth0      Link encap:Ethernet  HWaddr 94:83:C4:0C:D0:CD
          inet6 addr: fe80::9683:c4ff:fe0c:d0cd/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:262 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:55896 (54.5 KiB)
          Interrupt:4

eth0.1    Link encap:Ethernet  HWaddr 94:83:C4:0C:D0:CD
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:129 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:14858 (14.5 KiB)

eth0.2    Link encap:Ethernet  HWaddr 94:83:C4:0C:D0:CD
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:111 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:37962 (37.0 KiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:18 errors:0 dropped:0 overruns:0 frame:0
          TX packets:18 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1312 (1.2 KiB)  TX bytes:1312 (1.2 KiB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.254.61  P-t-P:10.8.254.61  Mask:255.255.0.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:59 errors:0 dropped:0 overruns:0 frame:0
          TX packets:61 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:17633 (17.2 KiB)  TX bytes:7216 (7.0 KiB)

wlan-sta  Link encap:Ethernet  HWaddr 94:83:C4:0C:D0:CD
          inet addr:192.168.1.33  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1882 errors:0 dropped:6 overruns:0 frame:0
          TX packets:1302 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:316854 (309.4 KiB)  TX bytes:249612 (243.7 KiB)

wlan0     Link encap:Ethernet  HWaddr 94:83:C4:0C:D0:CE
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1816 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1285 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:319838 (312.3 KiB)  TX bytes:318909 (311.4 KiB)

root@GL-AR750S:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         10.8.0.1        128.0.0.0       UG    0      0        0 tun0
default         192.168.1.1     0.0.0.0         UG    20     0        0 wlan-sta
10.8.0.0        *               255.255.0.0     U     0      0        0 tun0
81.19.217.3     192.168.1.1     255.255.255.255 UGH   0      0        0 wlan-sta
128.0.0.0       10.8.0.1        128.0.0.0       UG    0      0        0 tun0
192.168.1.0     *               255.255.255.0   U     20     0        0 wlan-sta
192.168.8.0     *               255.255.255.0   U     0      0        0 br-lan
root@GL-AR750S:~# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: seq=0 ttl=60 time=34.259 ms
64 bytes from 8.8.8.8: seq=1 ttl=60 time=34.570 ms
64 bytes from 8.8.8.8: seq=2 ttl=60 time=33.858 ms
64 bytes from 8.8.8.8: seq=3 ttl=60 time=33.661 ms
64 bytes from 8.8.8.8: seq=4 ttl=60 time=34.203 ms
64 bytes from 8.8.8.8: seq=5 ttl=60 time=34.427 ms
64 bytes from 8.8.8.8: seq=6 ttl=60 time=34.106 ms
64 bytes from 8.8.8.8: seq=7 ttl=60 time=34.228 ms
64 bytes from 8.8.8.8: seq=8 ttl=60 time=36.931 ms
64 bytes from 8.8.8.8: seq=9 ttl=60 time=34.606 ms
^Z[2]+  Stopped                    ping 8.8.8.8

This suggests that internet connectivity is working -- hopefully through the tunnel. It is possible the problem is actually related to DNS.

Let's try this:

  • Test pings to 8.8.8.8 again.
  • Then test pings to google.com
  • Test traceroute to 8.8.8.8
  • And then traceroute to google.com

No problem, but keep in mind that it is not after reboot. It was after reconnecting to vpn.

After reboot I had this:

root@GL-AR750S:~# ifconfig
br-lan    Link encap:Ethernet  HWaddr 94:83:C4:0C:D0:CD
          inet addr:192.168.8.1  Bcast:192.168.8.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:390 errors:0 dropped:0 overruns:0 frame:0
          TX packets:107 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:32919 (32.1 KiB)  TX bytes:13341 (13.0 KiB)

eth0      Link encap:Ethernet  HWaddr 94:83:C4:0C:D0:CD
          inet6 addr: fe80::9683:c4ff:fe0c:d0cd/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:172 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:30872 (30.1 KiB)
          Interrupt:4

eth0.1    Link encap:Ethernet  HWaddr 94:83:C4:0C:D0:CD
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:105 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:12766 (12.4 KiB)

eth0.2    Link encap:Ethernet  HWaddr 94:83:C4:0C:D0:CD
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:45 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:15390 (15.0 KiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:18 errors:0 dropped:0 overruns:0 frame:0
          TX packets:18 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1312 (1.2 KiB)  TX bytes:1312 (1.2 KiB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.254.61  P-t-P:10.8.254.61  Mask:255.255.0.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:3 errors:0 dropped:0 overruns:0 frame:0
          TX packets:216 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:156 (156.0 B)  TX bytes:13988 (13.6 KiB)

wlan-sta  Link encap:Ethernet  HWaddr 94:83:C4:0C:D0:CD
          inet addr:192.168.1.33  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:590 errors:0 dropped:2 overruns:0 frame:0
          TX packets:373 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:49963 (48.7 KiB)  TX bytes:59854 (58.4 KiB)

wlan0     Link encap:Ethernet  HWaddr 94:83:C4:0C:D0:CE
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:388 errors:0 dropped:0 overruns:0 frame:0
          TX packets:208 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:38339 (37.4 KiB)  TX bytes:29958 (29.2 KiB)

root@GL-AR750S:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         10.8.0.1        128.0.0.0       UG    0      0        0 tun0
default         192.168.1.1     0.0.0.0         UG    20     0        0 wlan-sta
10.8.0.0        *               255.255.0.0     U     0      0        0 tun0
81.19.217.3     192.168.1.1     255.255.255.255 UGH   0      0        0 wlan-sta
128.0.0.0       10.8.0.1        128.0.0.0       UG    0      0        0 tun0
192.168.1.0     *               255.255.255.0   U     20     0        0 wlan-sta
192.168.8.0     *               255.255.255.0   U     0      0        0 br-lan
root@GL-AR750S:~# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
^Z[1]+  Stopped                    ping 8.8.8.8

So, is the issue that your internet connectivity fails after a reboot (and auto-start of the VPN), but you are able to get internet connectivity if you stop the VPN and then reconnect?

Yes, exactly.

Doh....

I can't believe I missed/forgot about this...
Yeah, the solution may be fairly simple. This is most likely an issue of time. Specifically, there is no real time clock (RTC) to keep persistent time on most routers. This means that when you restart the router, the current time gets cleared and the time must sync with an NTP server. IIRC, OpenWrt does set the time to the value of the most recently written file, thus making it not-as-far-off as if it just didn't have any time reference at all (think the beginning of the unix epoch - Jan 1, 1970, midnight UTC). Here is a thread discussing the time issues.

Anyway, I think that OpenVPN will not connect properly if the time isn't right. I know this to be true for Wireguard, but I think it matters for OpenVPN as well, although the time tolerance may be bigger.

I'd recommend trying to either delay the OpenVPN initialization until after NTP has successfully sync'd, or to bounce it after the NTP sync. This thread deals with the issue for Wireguard, as an example.

If the OpenVPN init upon reboot results in the router itself not having connectivity, the router obviously won't be able to sync time until you stop OpenVPN. However, if the time can sync properly, you can just restart the tunnel.

There are probably a bunch of ways to test this theory (do these individually, not combined)...

  • add a delay (maybe 10-60 seconds) in the OpenWrt init sequence
  • push OpenVPN's init sequence number to 99, with the hopes that the time has sync'd by the time OpenVPN is started (this is not guaranteed to work, though)
  • disable the OpenVPN service on boot and then use the hot plug scripts described in the WG thread to start OpenVPN when NTP has sync'd
  • leave OpenVPN enabled on-boot, add the hot plug script to restart OpenVPN after NTP success.

Whichever of these options seems to resonate with you as a reasonable solution is probably worth trying.... try other options if it doesn't resolve the issue.

Wow, thanks.
I will try it.

Where can I find how to add a delay and where can I find this script?

/etc/init.d/openvpn

You will see a start function. Adding a delay at the beginning of the start function would be a method to try.

sleep 30 in that script would cause that function to wait 30 seconds before continuing.

Alternatively, you could use the hotplug scripts described in the wireguard link. There, you would start or restart the OpenVPN process:
/etc/init.d/openvpn start
Or
/etc/init.d/openvpn restart

Added sleep to start_service method (there is no start, only start instance and start service. Start service calling start instance), it didn't work. I would try the scripts.

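Well, I added this hotplug script to the ntp folder

#!/bin/sh
# Start OpenVPN when the ntp hotplug event reports ACTION=stratum.
# $ACTION is quoted so an empty or unset value does not break the test.
[ "$ACTION" = stratum ] && /etc/init.d/openvpn start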

Rebooted and it still didn't work. Still no internet.
When I disable the vpn client to connect automatically, and rebooted - it didn't connect to the vpn at all.

OK, I just turned a button at the router which was configured to start vpn automatically and it seems that the script works fine. Have to try it with more networks to be sure.
Wow.

So to clarify, is the idea here that you are not auto-starting the VPN on boot... the router boots without starting the VPN and then you start it by pressing the button?

There is a button in the router you can configure for action. Its action was vpn on or off. It was always in "ON" mode.
So the solution of hotplug script couldn't work properly.
I removed the button function, so it's doing nothing.
And now it seems that the solution works properly and it seems that the openvpn starts on time.

oh... I see. Aside from making sure that button didn't auto-start the VPN, did you need to make any other changes?

Just stopped the openvpn in the rc.local,
Starting it again in the ntp script.


Great. Glad to hear it is working now. That does seem to confirm that it was an issue with the time not being sync'd.

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
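
The arrangement the thread settled on (OpenVPN not auto-started at boot, then started from the ntp hotplug script once time has synced), written out as an added example that is not code from the thread or from OpenWrt. The install path /etc/hotplug.d/ntp/90-openvpn, the marker file, the OVPN_* and MIN_EPOCH variables and the clock floor are assumptions; only $ACTION, "stratum" and /etc/init.d/openvpn come from the posts above.

```shell
#!/bin/sh
# Added example: ntp hotplug handler that (re)starts OpenVPN once per boot,
# after the clock has synced. Assumed install path: /etc/hotplug.d/ntp/90-openvpn

# Init script named in the thread; overridable so the logic can be exercised off-router.
OVPN_INIT="${OVPN_INIT:-/etc/init.d/openvpn}"
# "start" when OpenVPN is kept from starting at boot, "restart" when it is left
# enabled on boot (both variants are options listed in the thread).
OVPN_VERB="${OVPN_VERB:-start}"
# Hypothetical marker file; /tmp is a tmpfs on OpenWrt, so it is gone after a reboot.
STAMP="${STAMP:-/tmp/openvpn-after-ntp.done}"
# Constructed sanity floor: 2021-12-23 00:00:00 UTC (the date of the log above).
MIN_EPOCH="${MIN_EPOCH:-1640217600}"

# ntp_decide ACTION NOW  ->  prints "run" or "skip:<reason>"; always returns 0.
ntp_decide() {
    case "$1" in
        stratum) ;;                              # the event the thread's script keys on
        *) echo "skip:action"; return 0 ;;
    esac
    # A non-numeric or too-early clock value means the time cannot be trusted yet.
    case "$2" in
        ''|*[!0-9]*) echo "skip:clock"; return 0 ;;
    esac
    [ "$2" -ge "$MIN_EPOCH" ] || { echo "skip:clock"; return 0; }
    # Act once per boot so later ntp events do not bounce a working tunnel.
    [ -e "$STAMP" ] && { echo "skip:done"; return 0; }
    echo run
}

# ntp_hotplug ACTION NOW: carry out the decision; always returns 0 so the
# remaining hotplug scripts still run.
ntp_hotplug() {
    verdict=$(ntp_decide "$1" "$2")
    [ "$verdict" = run ] || return 0
    # Claim the marker atomically (noclobber) before starting, so two events close
    # together cannot launch two instances; in the log above the second instance
    # dies with "Cannot ioctl TUNSETIFF tun0: Resource busy".
    ( set -C; : > "$STAMP" ) 2>/dev/null || return 0
    if "$OVPN_INIT" "$OVPN_VERB"; then
        logger -t openvpn-ntp "time synced, ran: $OVPN_INIT $OVPN_VERB" 2>/dev/null || true
    else
        rm -f "$STAMP"                           # let the next ntp event retry
    fi
    return 0
}

# hotplug supplies $ACTION; with no ACTION set this call does nothing.
ntp_hotplug "${ACTION:-}" "$(date +%s)"
```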

Yeah. Want to check it on one another place to be sure and then.