Cool, setting my laptop's IP manually helped me apply the setting and I could still connect to the router at 192.168.2.1, but not to the internet. After manually setting the DNS Server to 192.168.1.1 (the stock router), things were working. Unfortunately, I am now stuck with manual IP settings on my laptop - when switching to automatic, it doesn't get an IP assigned. This is my first problem, but not my main problem.
As the setup was now fine, I proceeded to install openvpn-openssl which worked fine, and I configured the connection for ProtonVPN. There were four settings in the configuration file that I could not match in LuCI:
- comp-lzo no
- reneg-sec 0
- mssfix 1450
- block-outside-dns
Going without those, it seems I actually managed to connect. When I started OpenVPN, my laptop couldn't access the internet anymore. I figured out that I needed to add tun0 to the LAN bridge. This restored internet access. However, from both my laptop and the OpenWRT router, my external IP as observed by my remote webserver is still the normal one assigned by my ISP. After a reboot of the OpenWRT router, the laptop cannot access the internet anymore despite tun0 being bridged. Pings are answered by the OpenWRT router:
C:\Users\Dany>ping google.com
Pinging google.com [216.58.215.238] with 32 bytes of data:
Reply from 192.168.2.1: Destination port unreachable.
Reply from 192.168.2.1: Destination port unreachable.
Reply from 192.168.2.1: Destination port unreachable.
Reply from 192.168.2.1: Destination port unreachable.
Ping statistics for 216.58.215.238:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
These are the system logs from the router when establishing the VPN connection:
Sat Sep 7 23:15:18 2019 daemon.notice openvpn(protonvpn_us)[2694]: OpenVPN 2.4.5 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Sat Sep 7 23:15:18 2019 daemon.notice openvpn(protonvpn_us)[2694]: library versions: OpenSSL 1.0.2s 28 May 2019, LZO 2.10
Sat Sep 7 23:15:18 2019 daemon.notice openvpn(protonvpn_us)[2694]: NOTE: --fast-io is disabled since we are not using UDP
Sat Sep 7 23:15:18 2019 daemon.notice openvpn(protonvpn_us)[2694]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Sat Sep 7 23:15:18 2019 daemon.notice openvpn(protonvpn_us)[2694]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Sat Sep 7 23:15:18 2019 daemon.notice openvpn(protonvpn_us)[2694]: TCP/UDP: Preserving recently used remote address: [AF_INET]209.58.142.155:443
Sat Sep 7 23:15:18 2019 daemon.notice openvpn(protonvpn_us)[2694]: Socket Buffers: R=[87380->87380] S=[16384->16384]
Sat Sep 7 23:15:18 2019 daemon.notice openvpn(protonvpn_us)[2694]: Attempting to establish TCP connection with [AF_INET]209.58.142.155:443 [nonblock]
Sat Sep 7 23:15:19 2019 daemon.notice openvpn(protonvpn_us)[2694]: TCP connection established with [AF_INET]209.58.142.155:443
Sat Sep 7 23:15:19 2019 daemon.notice openvpn(protonvpn_us)[2694]: TCP_CLIENT link local: (not bound)
Sat Sep 7 23:15:19 2019 daemon.notice openvpn(protonvpn_us)[2694]: TCP_CLIENT link remote: [AF_INET]209.58.142.155:443
Sat Sep 7 23:15:19 2019 daemon.notice openvpn(protonvpn_us)[2694]: TLS: Initial packet from [AF_INET]209.58.142.155:443, sid=e8681164 af593b22
Sat Sep 7 23:15:19 2019 daemon.warn openvpn(protonvpn_us)[2694]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sat Sep 7 23:15:20 2019 daemon.notice openvpn(protonvpn_us)[2694]: VERIFY OK: depth=2, C=CH, O=ProtonVPN AG, CN=ProtonVPN Root CA
Sat Sep 7 23:15:20 2019 daemon.notice openvpn(protonvpn_us)[2694]: VERIFY OK: depth=1, C=CH, O=ProtonVPN AG, CN=ProtonVPN Intermediate CA 1
Sat Sep 7 23:15:20 2019 daemon.notice openvpn(protonvpn_us)[2694]: VERIFY KU OK
Sat Sep 7 23:15:20 2019 daemon.notice openvpn(protonvpn_us)[2694]: Validating certificate extended key usage
Sat Sep 7 23:15:20 2019 daemon.notice openvpn(protonvpn_us)[2694]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Sat Sep 7 23:15:20 2019 daemon.notice openvpn(protonvpn_us)[2694]: VERIFY EKU OK
Sat Sep 7 23:15:20 2019 daemon.notice openvpn(protonvpn_us)[2694]: VERIFY OK: depth=0, CN=us-ca-102.protonvpn.com
Sat Sep 7 23:15:21 2019 daemon.warn openvpn(protonvpn_us)[2694]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1635', remote='link-mtu 1636'
Sat Sep 7 23:15:21 2019 daemon.warn openvpn(protonvpn_us)[2694]: WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
Sat Sep 7 23:15:21 2019 daemon.notice openvpn(protonvpn_us)[2694]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Sat Sep 7 23:15:21 2019 daemon.notice openvpn(protonvpn_us)[2694]: [us-ca-102.protonvpn.com] Peer Connection Initiated with [AF_INET]209.58.142.155:443
Sat Sep 7 23:15:22 2019 daemon.notice openvpn(protonvpn_us)[2694]: SENT CONTROL [us-ca-102.protonvpn.com]: 'PUSH_REQUEST' (status=1)
Sat Sep 7 23:15:22 2019 daemon.notice openvpn(protonvpn_us)[2694]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.8.8.1,sndbuf 524288,rcvbuf 524288,explicit-exit-notify,comp-lzo no,route-gateway 10.7.1.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.7.1.5 255.255.255.0,peer-id 0,cipher AES-256-GCM'
Sat Sep 7 23:15:22 2019 daemon.notice openvpn(protonvpn_us)[2694]: OPTIONS IMPORT: timers and/or timeouts modified
Sat Sep 7 23:15:22 2019 daemon.notice openvpn(protonvpn_us)[2694]: OPTIONS IMPORT: --explicit-exit-notify can only be used with --proto udp
Sat Sep 7 23:15:22 2019 daemon.notice openvpn(protonvpn_us)[2694]: OPTIONS IMPORT: compression parms modified
Sat Sep 7 23:15:22 2019 daemon.notice openvpn(protonvpn_us)[2694]: OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
Sat Sep 7 23:15:22 2019 daemon.notice openvpn(protonvpn_us)[2694]: Socket Buffers: R=[341760->327680] S=[44800->327680]
Sat Sep 7 23:15:22 2019 daemon.notice openvpn(protonvpn_us)[2694]: OPTIONS IMPORT: --ifconfig/up options modified
Sat Sep 7 23:15:22 2019 daemon.notice openvpn(protonvpn_us)[2694]: OPTIONS IMPORT: route options modified
Sat Sep 7 23:15:22 2019 daemon.notice openvpn(protonvpn_us)[2694]: OPTIONS IMPORT: route-related options modified
Sat Sep 7 23:15:22 2019 daemon.notice openvpn(protonvpn_us)[2694]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sat Sep 7 23:15:22 2019 daemon.notice openvpn(protonvpn_us)[2694]: OPTIONS IMPORT: peer-id set
Sat Sep 7 23:15:22 2019 daemon.notice openvpn(protonvpn_us)[2694]: OPTIONS IMPORT: adjusting link_mtu to 1658
Sat Sep 7 23:15:22 2019 daemon.notice openvpn(protonvpn_us)[2694]: OPTIONS IMPORT: data channel crypto options modified
Sat Sep 7 23:15:22 2019 daemon.notice openvpn(protonvpn_us)[2694]: Data Channel: using negotiated cipher 'AES-256-GCM'
Sat Sep 7 23:15:22 2019 daemon.notice openvpn(protonvpn_us)[2694]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sat Sep 7 23:15:22 2019 daemon.notice openvpn(protonvpn_us)[2694]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sat Sep 7 23:15:22 2019 daemon.notice openvpn(protonvpn_us)[2694]: TUN/TAP device tun0 opened
Sat Sep 7 23:15:22 2019 daemon.notice openvpn(protonvpn_us)[2694]: TUN/TAP TX queue length set to 100
Sat Sep 7 23:15:22 2019 daemon.notice openvpn(protonvpn_us)[2694]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Sat Sep 7 23:15:22 2019 daemon.notice openvpn(protonvpn_us)[2694]: /sbin/ifconfig tun0 10.7.1.5 netmask 255.255.255.0 mtu 1500 broadcast 10.7.1.255
Sat Sep 7 23:15:22 2019 daemon.notice openvpn(protonvpn_us)[2694]: /sbin/route add -net 209.58.142.155 netmask 255.255.255.255 gw 192.168.1.1
Sat Sep 7 23:15:22 2019 daemon.notice netifd: Network device 'tun0' link is up
Sat Sep 7 23:15:22 2019 daemon.notice openvpn(protonvpn_us)[2694]: /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.7.1.1
Sat Sep 7 23:15:22 2019 kern.info kernel: [ 134.866924] IPv6: ADDRCONF(NETDEV_UP): tun0: link is not ready
Sat Sep 7 23:15:22 2019 daemon.notice openvpn(protonvpn_us)[2694]: /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.7.1.1
Sat Sep 7 23:15:22 2019 daemon.notice openvpn(protonvpn_us)[2694]: Initialization Sequence Completed
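
An added example, not part of the original post: a small Python parser run over lines excerpted from the log above. It reports what the server pushed, which routes OpenVPN installed on the router, and which of the four settings that could not be entered in LuCI arrived through PUSH_REPLY anyway. All function and variable names are hypothetical.

```python
import re

# Lines excerpted from the router log in the post (timestamp/daemon prefix trimmed).
LOG = """\
WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1635', remote='link-mtu 1636'
WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.8.8.1,sndbuf 524288,rcvbuf 524288,explicit-exit-notify,comp-lzo no,route-gateway 10.7.1.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.7.1.5 255.255.255.0,peer-id 0,cipher AES-256-GCM'
/sbin/route add -net 209.58.142.155 netmask 255.255.255.255 gw 192.168.1.1
/sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.7.1.1
/sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.7.1.1
"""

# The four client settings the post could not enter in LuCI.
UNSET_LOCALLY = ["comp-lzo no", "reneg-sec 0", "mssfix 1450", "block-outside-dns"]

def pushed_options(log):
    """Return the server's PUSH_REPLY as a list of 'name args' strings."""
    m = re.search(r"'PUSH_REPLY,([^']*)'", log)
    return m.group(1).split(",") if m else []

def routes(log):
    """Return (network, netmask, gateway) for every route OpenVPN installed."""
    return re.findall(r"route add -net (\S+) netmask (\S+) gw (\S+)", log)

def summarize(log, unset=UNSET_LOCALLY):
    pushed = pushed_options(log)
    opts = {}
    for p in pushed:
        name, _, args = p.partition(" ")
        opts.setdefault(name, []).append(args)
    tunnel_gw = (opts.get("route-gateway") or [None])[0]
    # redirect-gateway def1 overrides the default route with two /1 halves.
    halves = {("0.0.0.0", "128.0.0.0"), ("128.0.0.0", "128.0.0.0")}
    via_tunnel = {(n, m) for n, m, gw in routes(log) if gw == tunnel_gw}
    return {
        "redirect_gateway": "def1" in opts.get("redirect-gateway", []),
        "default_split_via_tunnel": halves <= via_tunnel,
        "server_host_routes": [(n, gw) for n, m, gw in routes(log) if m == "255.255.255.255"],
        "pushed_dns": [a.split()[1] for a in opts.get("dhcp-option", []) if a.startswith("DNS ")],
        "unset_but_pushed": [s for s in unset if s in pushed],
        "unset_not_pushed": [s for s in unset if s not in pushed],
        "warnings": re.findall(r"WARNING: (.*)", log),
    }

if __name__ == "__main__":
    for key, value in summarize(LOG).items():
        print(f"{key}: {value}")
```

The routes reported here are the ones installed in the router's own routing table; the summary says nothing about how traffic forwarded from LAN clients is handled.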