probity DD-WRT Novice Joined: 02 Aug 2018 Posts: 25
Posted: Sun May 26, 2019 10:23 Post subject: OpenVPN: Internet connection drops after connecting VPN
Hello,
I'm not too experienced in networks, but I would like to use a VPN connection for some addresses. I bought a VPS and installed OpenVPN there. I'm able to use the OpenVPN client for Windows; it works perfectly. But I also have DD-WRT (DD-WRT v3.0-r39827 std (05/20/19)) on my router (Netgear R7800), and it would be much preferable for me to use the OpenVPN client on DD-WRT.
I set up the OpenVPN client and can connect to my VPN; at least I see on the "Status→OpenVPN" page: Client: CONNECTED SUCCESS. But right after that, my connection breaks down and I cannot get access to any internet address.
I guess my issue is wrong routing, but I'm not sure I know how to fix it. I tried many variations, but without success.
Please, help me. Thank you in advance.
Here are my configurations:
1. OpenVPN server config(on VPS)
Code:
port 1194
proto udp
dev tun
sndbuf 0
rcvbuf 0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-auth ta.key 0
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
crl-verify crl.pem
2. OpenVPN Client config (on DD-WRT)
Code:
remote %VPS_IP% 1194
client
dev tun
proto udp
sndbuf 0
rcvbuf 0
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
ns-cert-type server
auth SHA512
cipher AES-256-CBC
setenv opt block-outside-dns
key-direction 1
verb 3
redirect-gateway
3. Firewall rules:
Code:
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
iptables -I INPUT -i tun0 -j REJECT
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
4. ifconfig output
Code:
ath0 Link encap:Ethernet HWaddr A0:40:A0:7C:C8:26
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:95 errors:0 dropped:0 overruns:0 frame:0
TX packets:914 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:10580 (10.3 KiB) TX bytes:128034 (125.0 KiB)
ath1 Link encap:Ethernet HWaddr A0:40:A0:7C:C8:27
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
br0 Link encap:Ethernet HWaddr A0:40:A0:7C:C8:24
inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:13673 errors:0 dropped:347 overruns:0 frame:0
TX packets:10347 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1891608 (1.8 MiB) TX bytes:5793556 (5.5 MiB)
eth0 Link encap:Ethernet HWaddr A0:40:A0:7C:C8:25
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:681 errors:0 dropped:0 overruns:0 frame:0
TX packets:2365 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:149850 (146.3 KiB) TX bytes:375217 (366.4 KiB)
Interrupt:100
eth1 Link encap:Ethernet HWaddr A0:40:A0:7C:C8:24
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:13605 errors:0 dropped:8 overruns:0 frame:0
TX packets:12463 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2074303 (1.9 MiB) TX bytes:5913924 (5.6 MiB)
Interrupt:101
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MULTICAST MTU:65536 Metric:1
RX packets:612 errors:0 dropped:0 overruns:0 frame:0
TX packets:612 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:65964 (64.4 KiB) TX bytes:65964 (64.4 KiB)
ppp0 Link encap:Point-to-Point Protocol
inet addr:%ISP_IP% P-t-P:217.14.207.51 Mask:255.255.255.255
UP POINTOPOINT RUNNING MULTICAST MTU:1472 Metric:1
RX packets:542 errors:0 dropped:0 overruns:0 frame:0
TX packets:2230 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:129420 (126.3 KiB) TX bytes:321891 (314.3 KiB)
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.2 P-t-P:10.8.0.2 Mask:255.255.255.0
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:2047 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 B) TX bytes:181403 (177.1 KiB)
5. iptables -vnL INPUT
Code:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT 0 -- tun1 * 0.0.0.0/0 0.0.0.0/0
0 0 REJECT 0 -- tun0 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
6168 943K ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 logdrop udp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:520
0 0 logdrop udp -- br0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:520
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:520
0 0 logdrop icmp -- ppp0 * 0.0.0.0/0 0.0.0.0/0
0 0 logdrop 2 -- * * 0.0.0.0/0 0.0.0.0/0
25 1500 ACCEPT 0 -- lo * 0.0.0.0/0 0.0.0.0/0 state NEW
1727 183K ACCEPT 0 -- br0 * 0.0.0.0/0 0.0.0.0/0 state NEW
343 40419 logdrop 0 -- * * 0.0.0.0/0 0.0.0.0/0
6. iptables -vnL FORWARD
Code:
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.200 tcp dpt:443
0 0 ACCEPT 0 -- tun0 br0 0.0.0.0/0 0.0.0.0/0
2823 283K ACCEPT 0 -- br0 tun0 0.0.0.0/0 0.0.0.0/0
334 88467 ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT 47 -- * ppp0 192.168.1.0/24 0.0.0.0/0
0 0 ACCEPT tcp -- * ppp0 192.168.1.0/24 0.0.0.0/0 tcp dpt:1723
63 6698 lan2wan 0 -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT 0 -- br0 br0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.254 tcp dpts:7:9
0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.1.254 udp dpts:7:9
0 0 TRIGGER 0 -- ppp0 br0 0.0.0.0/0 0.0.0.0/0 TRIGGER type:in match:0 relate:0
63 6698 trigger_out 0 -- br0 * 0.0.0.0/0 0.0.0.0/0
0 0 TRIGGER 0 -- ppp0 eth0 0.0.0.0/0 0.0.0.0/0 TRIGGER type:in match:0 relate:0
0 0 trigger_out 0 -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT 0 -- eth0 * 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 TRIGGER 0 -- ppp0 eth1 0.0.0.0/0 0.0.0.0/0 TRIGGER type:in match:0 relate:0
0 0 trigger_out 0 -- eth1 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT 0 -- eth1 * 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 TRIGGER 0 -- ppp0 ath0 0.0.0.0/0 0.0.0.0/0 TRIGGER type:in match:0 relate:0
0 0 trigger_out 0 -- ath0 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT 0 -- ath0 * 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 TRIGGER 0 -- ppp0 ath1 0.0.0.0/0 0.0.0.0/0 TRIGGER type:in match:0 relate:0
0 0 trigger_out 0 -- ath1 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT 0 -- ath1 * 0.0.0.0/0 0.0.0.0/0 state NEW
63 6698 ACCEPT 0 -- br0 * 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 logdrop 0 -- * * 0.0.0.0/0 0.0.0.0/0
7. iptables -t nat -vnL
Code:
Chain PREROUTING (policy ACCEPT 2147 packets, 186K bytes)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- * * 0.0.0.0/0 %ISP_IP% tcp dpt:443 to:192.168.1.200:443
0 0 DNAT icmp -- * * 0.0.0.0/0 %ISP_IP% to:192.168.1.1
0 0 DNAT udp -- ppp0 * 0.0.0.0/0 %ISP_IP% udp dpt:56749
0 0 DNAT tcp -- * * 0.0.0.0/0 %ISP_IP% tcp dpts:7:9 to:192.168.1.254
0 0 DNAT udp -- * * 0.0.0.0/0 %ISP_IP% udp dpts:7:9 to:192.168.1.254
412 49762 TRIGGER 0 -- * * 0.0.0.0/0 %ISP_IP%3 TRIGGER type:dnat match:0 relate:0
Chain INPUT (policy ACCEPT 1953 packets, 125K bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 1404 packets, 93523 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 36 packets, 3915 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE 0 -- * tun1 0.0.0.0/0 0.0.0.0/0
62 6637 SNAT 0 -- * ppp0 192.168.1.0/24 0.0.0.0/0 to:%ISP_IP%
0 0 MASQUERADE 0 -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x80000000/0x80000000
1788 127K MASQUERADE 0 -- * tun0 0.0.0.0/0 0.0.0.0/0
Per Yngve Berg DD-WRT Guru Joined: 13 Aug 2013 Posts: 6858 Location: Romerike, Norway
Posted: Sun May 26, 2019 11:27 Post subject:
Remove "redirect-gateway"; that will send all Internet traffic through the VPN. I presume you only want the site-to-site traffic routed over the VPN.
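Both the full-tunnel setup in the first post (the server pushes "redirect-gateway def1" and the client adds its own "redirect-gateway") and the split-tunnel alternative suggested in the reply come down to which routes OpenVPN installs and how the kernel picks one by longest prefix match. The Python below is an added example, not code from the thread, from DD-WRT or from OpenVPN: it reproduces the routes OpenVPN adds in each mode and looks destinations up. The LAN 192.168.1.0/24, the tunnel 10.8.0.0/24 and the ISP gateway 217.14.207.51 (the ppp0 peer) come from the posted output; the VPS address 203.0.113.10 (standing in for %VPS_IP%), the tunnel gateway 10.8.0.1 (the server end of the subnet with "topology subnet") and the split-tunnel destination 198.51.100.7 are assumptions.

```python
import ipaddress

# Values from the post: LAN 192.168.1.0/24 on br0, tunnel 10.8.0.0/24,
# ISP gateway 217.14.207.51 (the ppp0 peer).  Assumed/constructed values:
VPS_IP = "203.0.113.10"   # stands in for %VPS_IP% (documentation range)
ISP_GW = "217.14.207.51"
VPN_GW = "10.8.0.1"       # server end of the tunnel with 'topology subnet'


# A route is (prefix, gateway or None for on-link, device).
def base_table():
    """Kernel routing table before OpenVPN connects."""
    return [
        ("0.0.0.0/0", ISP_GW, "ppp0"),
        ("192.168.1.0/24", None, "br0"),
    ]


def apply_redirect_gateway(table, def1=True):
    """Routes OpenVPN installs for redirect-gateway.

    Both forms first add a host route to the VPN server via the old gateway,
    so the encrypted UDP packets themselves are not routed into the tunnel.
    With 'def1' two /1 routes are added that beat the ISP default by prefix
    length and the original default stays in place; without 'def1' the
    original default route is replaced by one via the tunnel."""
    t = list(table)
    t.append((VPS_IP + "/32", ISP_GW, "ppp0"))
    t.append(("10.8.0.0/24", None, "tun0"))
    if def1:
        t.append(("0.0.0.0/1", VPN_GW, "tun0"))
        t.append(("128.0.0.0/1", VPN_GW, "tun0"))
    else:
        t = [r for r in t if r[0] != "0.0.0.0/0"]
        t.append(("0.0.0.0/0", VPN_GW, "tun0"))
    return t


def apply_split_tunnel(table, destinations):
    """Routes for 'route-nopull' plus 'route X 255.255.255.255 vpn_gateway'
    lines: only the listed hosts go through tun0, everything else stays on
    ppp0.  No host route to the VPS is needed, the default is untouched."""
    t = list(table)
    t.append(("10.8.0.0/24", None, "tun0"))
    for dst in destinations:
        t.append((dst + "/32", VPN_GW, "tun0"))
    return t


def lookup(table, dst):
    """Longest-prefix match: returns (gateway, device) for a destination."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, dev in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, dev)
    return None if best is None else (best[1], best[2])


if __name__ == "__main__":
    full = apply_redirect_gateway(base_table())
    split = apply_split_tunnel(base_table(), ["198.51.100.7"])
    for name, table in (("full tunnel", full), ("split tunnel", split)):
        for dst in ("8.8.8.8", VPS_IP, "198.51.100.7", "192.168.1.50"):
            print(f"{name:12} {dst:>15} -> {lookup(table, dst)}")
```

Two things the table makes visible. First, in either redirect-gateway form the VPS itself must stay reachable via the ISP gateway, otherwise the tunnel's own packets would be routed into the tunnel; the posted ifconfig shows tun0 with TX 2047 packets and RX 0, so traffic was being sent into the tunnel but nothing came back, which fits the later finding that LZO compression on the client did not match a server config that has no compression directive at all. Second, with route-nopull the pushed "dhcp-option DNS" lines are ignored as well, so name resolution on the router keeps going out via the ISP even for hosts whose traffic goes through the VPN.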
probity DD-WRT Novice Joined: 02 Aug 2018 Posts: 25
Posted: Sun May 26, 2019 11:34 Post subject:
Per Yngve Berg, eibgrad, thank you!
Following your advice I got it working. Only one detail: I changed LZO Compression to None; that was the bottleneck first of all.
Now I'd like to send only selected traffic through the VPN connection.
I hope something like
Code:
route-nopull
route %remote_ip% 255.255.255.255 vpn_gateway
route %remote_ip% 255.255.255.255 net_gateway
should be enough.
But I'm curious, is it possible to use an address instead of an IP there?
egc DD-WRT Guru Joined: 18 Mar 2014 Posts: 12837 Location: Netherlands
Per Yngve Berg DD-WRT Guru Joined: 13 Aug 2013 Posts: 6858 Location: Romerike, Norway
Posted: Sun May 26, 2019 12:27 Post subject:
PBR is for client specific routing.
Remove "route-nopull" and push the network from the VPS.
probity DD-WRT Novice Joined: 02 Aug 2018 Posts: 25
Posted: Sun May 26, 2019 15:20 Post subject:
Per Yngve Berg
Quote: Remove "route-nopull" and push the network from the VPS.
I don't want to have all the traffic go through the VPN, only several addresses (up to 50). Thus the variant with
Code:
route-nopull
route %remote_ip% 255.255.255.255 vpn_gateway
route %remote_ip% 255.255.255.255 net_gateway
is perfect for me. I've tried it with real addresses; works like a charm. Only one problem for now: it would be nice to have URLs instead of IPs.
egc
Looks promising, thank you.
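The last two posts want hostnames rather than IPs in the route lines. OpenVPN does accept a hostname in a route directive, but resolves it only once, when the tunnel comes up, so a name whose addresses change (anything behind a CDN or load balancer) drifts out of the tunnel over time. The Python below is an added example, not code from the thread, from DD-WRT or from OpenVPN: it resolves each name to all of its current IPv4 addresses, also accepts plain IPs and CIDR blocks (which the posts do not ask for, but which keeps a list of up to 50 entries short), collapses overlapping prefixes and emits the route-nopull block for the client's Additional Config. The names and addresses in SAMPLE_DNS and SAMPLE_TARGETS are constructed from documentation ranges so the example runs offline; with the default resolver it uses the router's real DNS.

```python
import ipaddress
import socket


def resolve_ipv4(host):
    """Default resolver: all IPv4 addresses the name currently resolves to.
    OpenVPN 'route' lines take IPv4; IPv6 destinations need 'route-ipv6'."""
    infos = socket.getaddrinfo(host, None, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def targets_to_networks(targets, resolver=resolve_ipv4):
    """Turn hostnames, IPs and CIDR blocks into collapsed IPv4 networks.
    Returns (networks, unresolved_names)."""
    nets = set()
    unresolved = []
    for target in targets:
        target = target.strip()
        if not target or target.startswith("#"):
            continue                        # blank line or comment
        try:
            net = ipaddress.ip_network(target, strict=False)
        except ValueError:
            net = None                      # not an address: treat as hostname
        if net is not None:
            if net.version == 4:
                nets.add(net)
            continue
        try:
            for addr in resolver(target):
                nets.add(ipaddress.ip_network(addr))
        except (OSError, KeyError, ValueError):
            unresolved.append(target)       # socket.gaierror is an OSError
    # Merge adjacent/overlapping prefixes so the route table stays small.
    return list(ipaddress.collapse_addresses(nets)), unresolved


def split_tunnel_config(targets, resolver=resolve_ipv4):
    """Config fragment for the DD-WRT client: route-nopull (ignore pushed
    routes and DNS) plus one 'route' line per collapsed network."""
    nets, unresolved = targets_to_networks(targets, resolver)
    lines = ["route-nopull"]
    lines += [f"route {n.network_address} {n.netmask} vpn_gateway" for n in nets]
    lines += [f"# unresolved: {name}" for name in unresolved]
    return "\n".join(lines) + "\n"


# Constructed stand-in for DNS answers so the example runs offline; the
# names and addresses (documentation ranges) are not real records.
SAMPLE_DNS = {
    "app.example.com": ["198.51.100.8", "198.51.100.7"],
    "cdn.example.net": ["203.0.113.10"],
}


def sample_resolver(host):
    return SAMPLE_DNS[host]       # KeyError for unknown names, like NXDOMAIN


SAMPLE_TARGETS = [
    "# hosts that should go through the VPS",
    "app.example.com",
    "cdn.example.net",
    "203.0.113.0/25",
    "203.0.113.128/25",
    "bogus.invalid",
]

if __name__ == "__main__":
    print(split_tunnel_config(SAMPLE_TARGETS, sample_resolver), end="")
```

Regenerate the block on a schedule (a cron job on the router, followed by an OpenVPN restart) rather than once, because the addresses behind a name change and a resolver elsewhere may hand out different ones than the router sees. Two caveats: with route-nopull the server's pushed DNS is ignored too, so lookups for the listed hosts still leave via the ISP, and the "net_gateway" route in the posted snippet is only needed when the default route has been redirected, which route-nopull prevents. If some pushed routes are wanted but not the redirect, OpenVPN 2.4 and later offer pull-filter ignore "redirect-gateway" as a narrower alternative to route-nopull.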