Vpn interface does not get dhcp reply

I'm running openwrt 24.10.1 on a Vbox VM, and have been doing so for several years without too many issues. About a year ago, I decided to add a VPN, and for the most part, it has also worked fairly reliably. But getting an address every time is unreliable.

I have a half-dozen VPN servers configured on my openwrt (and the corresponding devices are "configured" in the devices tab), and I have selected a specific tunnel (device) corresponding to one of those in my VPN interface. (NB: I define specific tunnel devices for each VPN server rather than "tun0," "tun1," etc., to make them easily distinguishable). Upon initial boot, openvpn works as expected, getting an IP address from the VPN's DHCP server the connection on the VPN interface/device.

However, if I decide to switch to a different server by changing the VPN device associated with the VPN interface, that interface does not get a DHCP lease/address even after several minutes. I have tried restarting network, firewall, openvpn, and some others just to see if I could coerce the interface to fetch a new lease. (EDIT: tcpdump does show DHCP requests going out but no replies.) So far, I have come up empty. The only thing that seems to work is to reboot the router.

Rebooting does not take long, and it usually gains a new lease (but not always, even with a reboot). It's mainly the nuisance about having to do this, and not understanding why I must reboot to get the new configuration to work. I hope someone can explain possible reasons which could lead to a solution.

• How are you "changing the VPN device associated with the VPN interface"?
• Is this configuration done via UCI commands?

• Have you tried /etc/init.d/network reload or restart ?

I change the VPN device by selecting the desired tunnel device (associated with a particular VPN server/configuration) in the interface, saving it, and even manually restarting the interface (although I expected that that would be done by the system itself already; just to make sure).

All of this is done via LuCI, not uci and not by editing the /etc/config files. However, this should not make a difference, assuming manual editing or uci calls were done correctly. I find the LuCI more convenient and less prone to me causing config mismatches, at least until I am knowledgeable about various aspects of the configuration files.

Yes (see my OP). And firewall and openvpn as well. To be really thorough, I even ran stop and start separately for each; sometimes stop-then-start commands work better than restart/reload commands on other types of systems.

(Sorry for all the edits in my responses; I'm struggling slightly with the mark-up language quoting.)

One thing I should have mentioned in my OP is that all of the VPN configurations are enabled and seem to have been successfully started at boot.

Maybe that is the culprit, if you have all your traffic routed via the VPN then if you want to switch you just stop one VPN tunnel and start another.

Note that you can use Policy Based Routing to route different LAN clients to different VPN tunnels

It can also help if you show us your configs, in that case please connect to your OpenWRT device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:

Remember to redact keys, passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall
ip route show

In case you are using WireGuard as VPN also show:

wg show

In case you are using OpenVPN please show:

for ovpn in $(ls /etc/openvpn/*.ovpn);do echo $ovpn; cat $ovpn; echo;done

{
	"kernel": "6.6.86",
	"hostname": "my-router",
	"system": "AMD Phenom(tm) II X6 1075T Processor",
	"model": "innotek GmbH VirtualBox",
	"board_name": "innotek-gmbh-virtualbox",
	"rootfs_type": "ext4",
	"release": {
		"distribution": "OpenWrt",
		"version": "24.10.1",
		"revision": "r28597-0425664679",
		"target": "x86/64",
		"description": "OpenWrt 24.10.1 r28597-0425664679",
		"builddate": "1744562312"
	}
}

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'
	option ipv6 '0'

config device
	option name 'eth0'
	option ipv6 '0'

config device
	option name 'eth1'
	option ipv6 '0'

config device
	option name 'eth2'
	option ipv6 '0'

config globals 'globals'
	option ula_prefix 'fdbd:2bc1:e3fc::/48'
	option packet_steering '1'

config interface 'mng'
	option device 'eth0'
	option proto 'static'
	option ipaddr '172.25.2.4'
	option netmask '255.255.255.0'
	option defaultroute '0'

config interface 'wan'
	option device 'eth2'
	option proto 'dhcp'
	option hostname '*'
	option peerdns '0'
	list dns '192.168.20.1'

config interface 'lan'
	option proto 'static'
	option device 'eth1'
	option ipaddr '192.168.90.1'
	option netmask '255.255.255.0'
	option defaultroute '0'

config interface 'modem'
	option proto 'static'
	option device 'eth2'
	option ipaddr '192.168.100.2'
	option netmask '255.255.255.0'

config interface 'vpn'
	option proto 'dhcp'
	option device 'tun5748t'
	option hostname '*'

config device
	option name 'tun5748t'
	option ipv6 '0'

config device
	option name 'tun9637t'
	option ipv6 '0'

config device
	option name 'tun9663t'
	option ipv6 '0'

config route
	option interface 'lan'
	option target '172.25.80.0/24'
	option gateway '172.25.90.2'


config defaults
	option input 'DROP'
	option output 'DROP'
	option forward 'DROP'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'DROP'
	list network 'lan'

config zone
	option name 'vpn'
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'DROP'
	list network 'vpn'
	option masq '1'

config zone
	option name 'ISP'
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'DROP'
	option mtu_fix '1'
	list network 'wan'
	list network 'modem'

config zone
	option name 'mng'
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'DROP'
	list network 'mng'

config rule
	option name 'Allow-Ping'
	option src 'ISP'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option src 'mng'
	option name 'isolated ssh/luci'
	option dest_port '22 443'
	option target 'ACCEPT'
	option family 'ipv4'
	list src_ip '172.25.2.1'

config rule
	option src 'lan'
	option dest 'ISP'
	option name 'forward to modem ui interface'
	option src_port '443'
	list dest_ip '192.168.100.1'
	option dest_port '443'
	option target 'ACCEPT'
	option family 'ipv4'

config forwarding
	option src 'lan'
	option dest 'vpn'

config rule
	option src '*'
	option dest '*'
	option name 'Allow ICMP'
	option family 'ipv4'
	list proto 'icmp'
	option target 'ACCEPT'

config rule
	option src '*'
	option name 'Allow ICMP'
	option family 'ipv4'
	list proto 'icmp'
	option target 'ACCEPT'

default via 10.10.10.1 dev eth2  src 10.10.10.247 
10.10.10.0/24 dev eth2 scope link  src 10.10.10.247 
172.25.2.0/24 dev eth0 scope link  src 172.25.2.4 
192.168.90.0/24 dev eth1 scope link  src 192.168.90.1 
192.168.100.0/24 dev eth2 scope link  src 192.168.100.2 
/etc/openvpn/us5748_tcp.ovpn
client
dev tun5748t
proto tcp
ifconfig 192.168.200.1 192.168.200.2
nobind
remote 185.245.86.27 443
resolv-retry infinite
remote-random
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ping 15
ping-restart 0
ping-timer-rem
reneg-sec 0
comp-lzo no
verify-x509-name CN=us5748.nordvpn.com

remote-cert-tls server

auth-user-pass /etc/openvpn/us5748_tcp.auth
verb 4
pull
fast-io
cipher AES-256-CBC
auth SHA512
<ca>
-----BEGIN CERTIFICATE-----
blah
-----END CERTIFICATE-----
</ca>
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
blah
-----END OpenVPN Static key V1-----
</tls-auth>

/etc/openvpn/us9637_tcp.ovpn
client
dev tun9637t
proto tcp
local 10.100.0.2/16
#nobind
remote 181.214.150.50 443
resolv-retry infinite
remote-random
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ping 15
ping-restart 0
ping-timer-rem
reneg-sec 0
comp-lzo no
verify-x509-name CN=us9637.nordvpn.com

remote-cert-tls server

auth-user-pass /etc/openvpn/us9637_tcp.auth
verb 4
pull
fast-io
cipher AES-256-CBC
auth SHA512
<ca>
-----BEGIN CERTIFICATE-----
blah
-----END CERTIFICATE-----
</ca>
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
blah
-----END OpenVPN Static key V1-----
</tls-auth>

/etc/openvpn/us9663_tcp.ovpn
client
dev tun9663t
proto tcp
local 10.100.0.6/16
#nobind
remote 181.214.151.210 443
resolv-retry infinite
remote-random
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ping 15
ping-restart 0
ping-timer-rem
reneg-sec 0
comp-lzo no
verify-x509-name CN=us9663.nordvpn.com

remote-cert-tls server

auth-user-pass /etc/openvpn/us9663_tcp.auth
verb 4
pull
fast-io
cipher AES-256-CBC
auth SHA512
<ca>
-----BEGIN CERTIFICATE-----
blah
-----END CERTIFICATE-----
</ca>
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
blah
-----END OpenVPN Static key V1-----
</tls-auth>

I was not receiving notifications from the forum so I did not see your reply until I checked the forum today. I have supplied the info you requested and I removed the long keys since they might be sensitive (idk) and take up space that is probably not useful.

As far as the router config w/r/t virtualbox, all of the NICs are configured for full promiscuity ("Allow All") and they are connected with the correct vbox networks. I can hit the Internet without a problem. It is only when I try to muck with the openvpn config/server after boot up (as I described in my OP) that problems arise.

I am not using policy-based routing at this point, although I might try that in the future. For now, I just want to achieve the freedom to switch VPN servers on the fly--without rebooting--in case of some issue or another. I have checked for dns leakage also.

Thank you for your assistance.

This does not look right, you do not need anything of this as OpenVPN setups its own devices.

It is good practice to add an interface with a device associated (which is the device name from the OpenVPN config) which you can then use for firewall and e.g. PBR so it should look like:

config interface 'vpn5748t'
	option proto 'none'
	option device 'tun5748t'

config interface 'vpn9637t'
	option proto 'none'
	option device 'tun9637t'

config interface 'vpntun9663t'
	option proto 'none'
	option device 'tun9663t'

proto is always 'none'

Add all the newly created interfaces to your VPN firewall zone.

I did not check the rest of your settings but start with this

I didn't create those devices; they were created by openvpn or one of the system programs. Unless somehow some step I alone took along the way triggered their creation, but I don't recall anything specifically. The only "step" I can think of is when I configured (in the devices tab for) the devices which were already created by openvpn.

And my one interface for the VPN is already in the VPN firewall zone.

In my example I have created three VPN interfaces if you follow my example then you have to add them all three to the VPN firewall zone

if you use tunX where X is a number you can get away with using tun+ but I do not think this works in your case as you use e.g. tun5748t

All of the VPN servers I have defined are ultimately in the VPN firewall zone because the one interface I have defined for VPN is in the VPN firewall zone. Again, there is only one interface for VPN.

Screenshot_2025-05-28_06-56-25-devices1373×550 54.2 KB

Screenshot_2025-05-28_06-55-15-interfaces1325×810 83.1 KB

Screenshot_2025-05-28_06-57-42-openvpn1328×728 54.6 KB

OK well there is a difference between a device and an interface, see:

You have added all three devices to the VPN firewall zone which is fine as nowadays you can add a device. In this case there is no need to have anything regarding VPN in the interface section

In my example I do create VPN interfaces with proto none and then add a device, this can be useful for other things which you want to do with the interface in that case you add the three interfaces to the VPN zone (which causes the corresponding devices to be added)

You are now mixing things which makes it unnecessary complicated in my opinion although it can work of course.

But feel free to do what ever you want

I'm not sure what you mean. An interface requires a device, doesn't it? Is there some trick you are using to run an interface without associating a device to it?

What is it I am mixing? Sorry I am not following what you are saying. It is the interface, not the device, that is associated with the firewall zone. BTW, all of this comes from the wiki page on setting up VPN on openwrt, which per NordVPN's site, was developed by people on the openwrt project. I think I have followed the steps faithfully, but it could be that there have been some changes to openwrt since that wiki page was written.

In recent versions these stub interfaces are no longer needed. Their only function was to attach an Interface name to a Device, since the firewall config only recognized Interface names. Now the firewall has a new option list device which allows Devices to be placed directly into firewall zones.

OpenVPN in tun mode (being a layer 3 VPN) cannot send dhcpv4 through the tunnel as that involves making layer 2 broadcasts. OpenVPN server pushes the client address out of band as part of the connection handshake. The OpenVPN client then applies the IP to the tun interface as it creates it.

I know but an interface can have much more functions, e.g. DNS and it is necessary for PBR.

See also what I wrote earlier

But the proto should be none as OpenVPN deals with this itself