[SOLVED] Help on OpenVPN client, connected but no internet

winterfly
DD-WRT Novice


Joined: 13 Apr 2022
Posts: 3

PostPosted: Wed Apr 13, 2022 20:32    Post subject: [SOLVED] Help on OpenVPN client, connected but no internet
I've been learning great suggestions in this forum (kudos!), hoping to get some advice here to troubleshoot my current issue that keeps me from resting.

Router Model: ASUS RT-N66U
Firmware Version: DD-WRT v3.0-r44715 mega (11/03/20)

Key configurations (that have been mentioned in various posts in this forum and others and could matter to the issue):
- DHCP: three DNSs: 8.8.8.8; 208.67.222.222; 8.8.4.4
- IPv6: disabled
- using TUN/UDP for tunnel
- With Compression disabled and NAT enabled
- Has firewall setup as:
Code:
iptables -I FORWARD -i br0 -o tun1 -j ACCEPT
iptables -I FORWARD -i tun1 -o br0 -j ACCEPT
iptables -I INPUT -i tun1 -j REJECT
iptables -t nat -A POSTROUTING -o tun1 -j MASQUERADE


Once turning on the OpenVPN client, the status shows it "connected success" with local and remote address IPs. Also, the client stats all have big numbers for bytes read/writes. However, I cannot access any internet, not being able to open webpages etc.

A few that I've tried:
- 188.241.80.135 is the IP that I hope to VPN to. ping works, returning 0 packet loss; however, nslookup failed.
- 10.8.4.89 seems to be an IPv4 address assigned during the connection. However, I cannot ping nor nslookup this address.

I'd appreciate any suggestions or leads!

The full client log:
Code:
20220414 04:02:15 W DEPRECATED OPTION: ncp-disable. Disabling cipher negotiation is a deprecated debug feature that will be removed in OpenVPN 2.6
20220414 04:02:15 W WARNING: Using --management on a TCP port WITHOUT passwords is STRONGLY discouraged and considered insecure
20220414 04:02:15 W WARNING: file '/tmp/openvpncl/client.key' is group or others accessible
20220414 04:02:15 W WARNING: file '/tmp/openvpncl/credentials' is group or others accessible
20220414 04:02:15 Current Parameter Settings:
20220414 04:02:15 config = '/tmp/openvpncl/openvpn.conf'
20220414 04:02:15 mode = 0
20220414 04:02:15 NOTE: --mute triggered...
20220414 04:02:15 234 variation(s) on previous 3 message(s) suppressed by --mute
20220414 04:02:15 I OpenVPN 2.5.0 mipsel-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Nov 3 2020
20220414 04:02:15 I library versions: OpenSSL 1.1.1h 22 Sep 2020 LZO 2.09
20220414 04:02:15 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:16
20220414 04:02:15 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
20220414 04:02:15 Control Channel MTU parms [ L:1621 D:1212 EF:38 EB:0 ET:0 EL:3 ]
20220414 04:02:15 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
20220414 04:02:15 Local Options String (VER=V4): 'V4 dev-type tun link-mtu 1569 tun-mtu 1500 proto UDPv4 cipher AES-256-CBC auth SHA256 keysize 256 key-method 2 tls-client'
20220414 04:02:15 Expected Remote Options String (VER=V4): 'V4 dev-type tun link-mtu 1569 tun-mtu 1500 proto UDPv4 cipher AES-256-CBC auth SHA256 keysize 256 key-method 2 tls-server'
20220414 04:02:15 I TCP/UDP: Preserving recently used remote address: [AF_INET]188.241.80.138:443
20220414 04:02:15 Socket Buffers: R=[172032->172032] S=[172032->172032]
20220414 04:02:15 I UDPv4 link local: (not bound)
20220414 04:02:15 I UDPv4 link remote: [AF_INET]188.241.80.138:443
20220414 04:02:15 TLS: Initial packet from [AF_INET]188.241.80.138:443 sid=2601e869 d965bed6
20220414 04:02:15 W WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
20220414 04:02:15 VERIFY KU OK
20220414 04:02:15 Validating certificate extended key usage
20220414 04:02:15 ++ Certificate has EKU (str) TLS Web Server Authentication expects TLS Web Server Authentication
20220414 04:02:15 NOTE: --mute triggered...
20220414 04:02:17 2 variation(s) on previous 3 message(s) suppressed by --mute
20220414 04:02:17 W WARNING: 'link-mtu' is used inconsistently local='link-mtu 1569' remote='link-mtu 1549'
20220414 04:02:17 W WARNING: 'auth' is used inconsistently local='auth SHA256' remote='auth [null-digest]'
20220414 04:02:17 W WARNING: 'keysize' is used inconsistently local='keysize 256' remote='keysize 128'
20220414 04:02:17 Control Channel: TLSv1.3 cipher TLSv1.3 TLS_AES_256_GCM_SHA384 4096 bit RSA
20220414 04:02:17 I [shenzhen-rack403.nodes.gen4.ninja] Peer Connection Initiated with [AF_INET]188.241.80.138:443
20220414 04:02:18 SENT CONTROL [shenzhen-rack403.nodes.gen4.ninja]: 'PUSH_REQUEST' (status=1)
20220414 04:02:18 PUSH: Received control message: 'PUSH_REPLY redirect-gateway def1 route-ipv6 2000::/3 dhcp-option DNS 10.0.0.243 route-gateway 10.8.4.1 topology subnet ping 10 ping-restart 60 ifconfig 10.8.4.89 255.255.255.0 peer-id 1'
20220414 04:02:18 W WARNING: You have specified redirect-gateway and redirect-private at the same time (or the same option multiple times). This is not well supported and may lead to unexpected results
20220414 04:02:18 OPTIONS IMPORT: timers and/or timeouts modified
20220414 04:02:18 OPTIONS IMPORT: --ifconfig/up options modified
20220414 04:02:18 OPTIONS IMPORT: route options modified
20220414 04:02:18 NOTE: --mute triggered...
20220414 04:02:18 4 variation(s) on previous 3 message(s) suppressed by --mute
20220414 04:02:18 Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
20220414 04:02:18 Outgoing Data Channel: Using 256 bit message hash 'SHA256' for HMAC authentication
20220414 04:02:18 Incoming Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
20220414 04:02:18 NOTE: --mute triggered...
20220414 04:02:18 1 variation(s) on previous 3 message(s) suppressed by --mute
20220414 04:02:18 net_route_v4_best_gw query: dst 0.0.0.0
20220414 04:02:18 net_route_v4_best_gw result: via 98.33.104.1 dev vlan2
20220414 04:02:18 GDG6: remote_host_ipv6=n/a
20220414 04:02:18 net_route_v6_best_gw query: dst ::
20220414 04:02:18 net_route_v6_best_gw result: via fe80::201:5cff:fe75:2c46 dev vlan2
20220414 04:02:18 I TUN/TAP device tun1 opened
20220414 04:02:18 do_ifconfig ipv4=1 ipv6=0
20220414 04:02:18 I net_iface_mtu_set: mtu 1500 for tun1
20220414 04:02:18 I net_iface_up: set tun1 up
20220414 04:02:18 I net_addr_v4_add: 10.8.4.89/24 dev tun1
20220414 04:02:24 net_route_v4_add: 188.241.80.138/32 via 98.33.104.1 dev [NULL] table 0 metric -1
20220414 04:02:24 net_route_v4_add: 0.0.0.0/1 via 10.8.4.1 dev [NULL] table 0 metric -1
20220414 04:02:24 net_route_v4_add: 128.0.0.0/1 via 10.8.4.1 dev [NULL] table 0 metric -1
20220414 04:02:24 I WARNING: OpenVPN was configured to add an IPv6 route. However no IPv6 has been configured for tun1 therefore the route installation may fail or may not work as expected.
20220414 04:02:24 I add_route_ipv6(2000::/3 -> :: metric -1) dev tun1
20220414 04:02:24 net_route_v6_add: 2000::/3 via :: dev tun1 table 0 metric -1
20220414 04:02:24 I Initialization Sequence Completed
20220414 04:02:42 N write UDPv4: Message too large (code=97)
20220414 04:02:43 N write UDPv4: Message too large (code=97)
20220414 04:02:43 N write UDPv4: Message too large (code=97)
20220414 04:02:50 NOTE: --mute triggered...
20220414 04:04:01 8 variation(s) on previous 3 message(s) suppressed by --mute
20220414 04:04:01 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16

blkt
DD-WRT Guru


Joined: 20 Jan 2019
Posts: 4585

PostPosted: Wed Apr 13, 2022 21:16    Post subject:
r44715 is too old as well as the config generated from it. Flash a new build, and then reset to reconfigure.

https://wiki.dd-wrt.com/wiki/index.php?title=Asus_RT-N66U - - https://wikidevi.wi-cat.ru/ASUS_RT-N66U

New Build - 03/23/2022 - r48567 -> New Build - 04/08/2022 - r48607 -> New Build - 04/12/2022 - r48646

Recent report from Zyxx on r48607 with broadcom_K3X/dd-wrt.v24-48607_NEWD-2_K3.x-big-RT-N66U.trx

WireGuard guides and documentation, OpenVPN guides and documentation, Forum guidelines and pointers
winterfly
DD-WRT Novice


Joined: 13 Apr 2022
Posts: 3

PostPosted: Thu Apr 14, 2022 4:11    Post subject:
Thanks blkt! I've flashed to the r48067 build and did see new config options. However, it's still the same problem (and nearly identical client log messages): VPN connected but no internet (or so little traffic/bandwidth that web pages don't load).

Anything else I should change/troubleshoot?

Clientlog:
Code:
20220414 05:58:00 W DEPRECATED OPTION: ncp-disable. Disabling cipher negotiation is a deprecated debug feature that will be removed in OpenVPN 2.6
20220414 05:58:00 W WARNING: Using --management on a TCP port WITHOUT passwords is STRONGLY discouraged and considered insecure
20220414 05:58:00 W WARNING: file '/tmp/openvpncl/credentials' is group or others accessible
20220414 05:58:00 Current Parameter Settings:
20220414 05:58:00 config = '/tmp/openvpncl/openvpn.conf'
20220414 05:58:00 mode = 0
20220414 05:58:00 NOTE: --mute triggered...
20220414 05:58:00 238 variation(s) on previous 3 message(s) suppressed by --mute
20220414 05:58:00 I OpenVPN 2.5.6 mipsel-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Apr 8 2022
20220414 05:58:00 I library versions: OpenSSL 1.1.1n 15 Mar 2022 LZO 2.10
20220414 05:58:00 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:16
20220414 05:58:00 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
20220414 05:58:00 W WARNING: normally if you use --mssfix and/or --fragment you should also set --tun-mtu 1500 (currently it is 1400)
20220414 05:58:00 Control Channel MTU parms [ L:1521 D:1212 EF:38 EB:0 ET:0 EL:3 ]
20220414 05:58:00 Data Channel MTU parms [ L:1521 D:1450 EF:121 EB:389 ET:0 EL:3 ]
20220414 05:58:00 Local Options String (VER=V4): 'V4 dev-type tun link-mtu 1469 tun-mtu 1400 proto UDPv4 cipher AES-256-CBC auth SHA256 keysize 256 key-method 2 tls-client'
20220414 05:58:00 Expected Remote Options String (VER=V4): 'V4 dev-type tun link-mtu 1469 tun-mtu 1400 proto UDPv4 cipher AES-256-CBC auth SHA256 keysize 256 key-method 2 tls-server'
20220414 05:58:00 I TCP/UDP: Preserving recently used remote address: [AF_INET]188.241.80.132:443
20220414 05:58:00 Socket Buffers: R=[262144->262144] S=[262144->262144]
20220414 05:58:00 W --mtu-disc is not supported on this OS
20220414 05:58:00 I UDP link local: (not bound)
20220414 05:58:00 I UDP link remote: [AF_INET]188.241.80.132:443
20220414 05:58:01 TLS: Initial packet from [AF_INET]188.241.80.132:443 sid=4efbd51a 70fec7ef
20220414 05:58:01 VERIFY OK: depth=1 C=RO L=Bucharest O=CyberGhost S.A. CN=CyberGhost Root CA emailAddress=info@cyberghost.ro
20220414 05:58:01 VERIFY KU OK
20220414 05:58:01 NOTE: --mute triggered...
20220414 05:58:03 4 variation(s) on previous 3 message(s) suppressed by --mute
20220414 05:58:03 W WARNING: 'link-mtu' is used inconsistently local='link-mtu 1469' remote='link-mtu 1549'
20220414 05:58:03 W WARNING: 'tun-mtu' is used inconsistently local='tun-mtu 1400' remote='tun-mtu 1500'
20220414 05:58:03 W WARNING: 'auth' is used inconsistently local='auth SHA256' remote='auth [null-digest]'
20220414 05:58:03 W WARNING: 'keysize' is used inconsistently local='keysize 256' remote='keysize 128'
20220414 05:58:03 Control Channel: TLSv1.3 cipher TLSv1.3 TLS_AES_256_GCM_SHA384 peer certificate: 4096 bit RSA signature: RSA-SHA256
20220414 05:58:03 I [shenzhen-rack403.nodes.gen4.ninja] Peer Connection Initiated with [AF_INET]188.241.80.132:443
20220414 05:58:05 SENT CONTROL [shenzhen-rack403.nodes.gen4.ninja]: 'PUSH_REQUEST' (status=1)
20220414 05:58:05 PUSH: Received control message: 'PUSH_REPLY redirect-gateway def1 route-ipv6 2000::/3 dhcp-option DNS 10.0.0.243 route-gateway 10.2.4.1 topology subnet ping 10 ping-restart 60 ifconfig 10.2.4.81 255.255.255.0 peer-id 2'
20220414 05:58:05 W WARNING: You have specified redirect-gateway and redirect-private at the same time (or the same option multiple times). This is not well supported and may lead to unexpected results
20220414 05:58:05 OPTIONS IMPORT: timers and/or timeouts modified
20220414 05:58:05 OPTIONS IMPORT: --ifconfig/up options modified
20220414 05:58:05 OPTIONS IMPORT: route options modified
20220414 05:58:05 NOTE: --mute triggered...
20220414 05:58:05 4 variation(s) on previous 3 message(s) suppressed by --mute
20220414 05:58:05 Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
20220414 05:58:05 Outgoing Data Channel: Using 256 bit message hash 'SHA256' for HMAC authentication
20220414 05:58:05 Incoming Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
20220414 05:58:05 NOTE: --mute triggered...
20220414 05:58:05 1 variation(s) on previous 3 message(s) suppressed by --mute
20220414 05:58:05 net_route_v4_best_gw query: dst 0.0.0.0
20220414 05:58:05 net_route_v4_best_gw result: via 98.33.104.1 dev vlan2
20220414 05:58:05 GDG6: remote_host_ipv6=n/a
20220414 05:58:05 net_route_v6_best_gw query: dst ::
20220414 05:58:05 net_route_v6_best_gw result: via fe80::201:5cff:fe75:2c46 dev vlan2
20220414 05:58:05 I TUN/TAP device tun1 opened
20220414 05:58:05 do_ifconfig ipv4=1 ipv6=0
20220414 05:58:05 I net_iface_mtu_set: mtu 1400 for tun1
20220414 05:58:05 I net_iface_up: set tun1 up
20220414 05:58:05 I net_addr_v4_add: 10.2.4.81/24 dev tun1
20220414 05:58:10 net_route_v4_add: 188.241.80.132/32 via 98.33.104.1 dev [NULL] table 0 metric -1
20220414 05:58:10 net_route_v4_add: 0.0.0.0/1 via 10.2.4.1 dev [NULL] table 0 metric -1
20220414 05:58:10 net_route_v4_add: 128.0.0.0/1 via 10.2.4.1 dev [NULL] table 0 metric -1
20220414 05:58:10 I WARNING: OpenVPN was configured to add an IPv6 route. However no IPv6 has been configured for tun1 therefore the route installation may fail or may not work as expected.
20220414 05:58:10 I add_route_ipv6(2000::/3 -> :: metric -1) dev tun1
20220414 05:58:10 net_route_v6_add: 2000::/3 via :: dev tun1 table 0 metric -1
20220414 05:58:10 W WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
20220414 05:58:10 I Initialization Sequence Completed
20220414 05:58:21 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20220414 05:58:21 D MANAGEMENT: CMD 'state'
20220414 05:58:21 MANAGEMENT: Client disconnected
20220414 05:58:21 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20220414 05:58:21 D MANAGEMENT: CMD 'state'
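Both client logs in this thread say "Initialization Sequence Completed" and yet carry the real diagnosis a few lines earlier: the option-mismatch warnings (link-mtu, tun-mtu, auth, keysize) and, in the first log, the "write UDPv4: Message too large" errors that follow them, plus the insecure-setup warnings about the management port and the world-readable key/credential files. The script below is an added example written for this thread (it is not DD-WRT or OpenVPN code) that triages a log of this shape: it parses the `date time [level] message` lines, collects the mismatches, counts the oversized-write errors, extracts what the server pushed (DNS, gateway, ifconfig), and turns them into hints a troubleshooter can act on. The sample log embedded in it is constructed to mirror the lines posted above; the tags and hint wording are this example's own.

```python
"""Triage an OpenVPN client log as shown on the DD-WRT status page.

Added example for this thread, not code from DD-WRT or OpenVPN. The sample
below is constructed to mirror the shape of the logs posted in the thread.
"""
import re

# Constructed sample: same format as the thread's logs (date time [level] message).
SAMPLE_LOG = """\
20220414 04:02:15 W WARNING: Using --management on a TCP port WITHOUT passwords is STRONGLY discouraged and considered insecure
20220414 04:02:15 W WARNING: file '/tmp/openvpncl/client.key' is group or others accessible
20220414 04:02:15 I OpenVPN 2.5.0 mipsel-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Nov 3 2020
20220414 04:02:15 Local Options String (VER=V4): 'V4 dev-type tun link-mtu 1569 tun-mtu 1500 proto UDPv4 cipher AES-256-CBC auth SHA256 keysize 256 key-method 2 tls-client'
20220414 04:02:17 W WARNING: 'link-mtu' is used inconsistently local='link-mtu 1569' remote='link-mtu 1549'
20220414 04:02:17 W WARNING: 'auth' is used inconsistently local='auth SHA256' remote='auth [null-digest]'
20220414 04:02:17 W WARNING: 'keysize' is used inconsistently local='keysize 256' remote='keysize 128'
20220414 04:02:18 PUSH: Received control message: 'PUSH_REPLY redirect-gateway def1 route-ipv6 2000::/3 dhcp-option DNS 10.0.0.243 route-gateway 10.8.4.1 topology subnet ping 10 ping-restart 60 ifconfig 10.8.4.89 255.255.255.0 peer-id 1'
20220414 04:02:24 I Initialization Sequence Completed
20220414 04:02:42 N write UDPv4: Message too large (code=97)
20220414 04:02:43 N write UDPv4: Message too large (code=97)
20220414 04:02:43 N write UDPv4: Message too large (code=97)
"""

# "YYYYMMDD HH:MM:SS" then an optional single-letter level (I/W/N/D) then the message.
LINE_RE = re.compile(r"^(?P<date>\d{8}) (?P<time>\d{2}:\d{2}:\d{2}) (?:(?P<level>[A-Z]) )?(?P<msg>.*)$")
MISMATCH_RE = re.compile(r"'(?P<opt>[\w-]+)' is used inconsistently local='(?P<local>[^']*)' remote='(?P<remote>[^']*)'")
TOO_LARGE_RE = re.compile(r"write UDP\w*: Message too large")
# Tags are this example's own names for the warnings OpenVPN prints.
INSECURE_PATTERNS = (
    ("management-no-password", "--management on a TCP port WITHOUT passwords"),
    ("key-file-permissions", "is group or others accessible"),
    ("password-cache", "may cache passwords in memory"),
)


def parse_line(line):
    """Return {'date','time','level','msg'} for a log line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def extract_pushed(msg):
    """Pull the interesting pieces out of a PUSH_REPLY message (works with comma- or space-separated options)."""
    ifc = re.search(r"ifconfig (\S+) (\S+)", msg)
    gw = re.search(r"route-gateway (\S+)", msg)
    return {
        "dns": re.findall(r"dhcp-option DNS (\S+)", msg),
        "route_gateway": gw.group(1) if gw else None,
        "ifconfig": (ifc.group(1), ifc.group(2)) if ifc else None,
        "redirect_gateway": "redirect-gateway" in msg,
    }


def hints(report):
    """Translate the collected facts into troubleshooting hints."""
    out = []
    mm = report["mismatches"]
    if "link-mtu" in mm or "tun-mtu" in mm:
        out.append("MTU options differ from the server's; align tun-mtu/link-mtu with the server instead of overriding them")
    if report["too_large"] and ("link-mtu" in mm or "tun-mtu" in mm):
        out.append("'Message too large' after an MTU mismatch: the tunnel is up but oversized packets are dropped, so pages never load")
    if mm.get("auth", ("", ""))[1].endswith("[null-digest]"):
        out.append("server data channel uses an AEAD cipher (no separate HMAC); review the client's pinned cipher/data-ciphers setting")
    if "management-no-password" in report["insecure"]:
        out.append("management interface has no password; it must stay bound to loopback only")
    if "key-file-permissions" in report["insecure"]:
        out.append("key/credential files are readable by other local users; tighten their permissions")
    if not report["initialized"]:
        out.append("no 'Initialization Sequence Completed': the client never finished connecting")
    return out


def analyze(log_text):
    """Scan a whole client log and return a report dict with mismatches, counts, pushed options and hints."""
    report = {"mismatches": {}, "too_large": 0, "insecure": [], "pushed": {}, "initialized": False, "hints": []}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        msg = rec["msg"]
        m = MISMATCH_RE.search(msg)
        if m:
            report["mismatches"][m["opt"]] = (m["local"], m["remote"])
            continue
        if TOO_LARGE_RE.search(msg):
            report["too_large"] += 1
            continue
        for tag, needle in INSECURE_PATTERNS:
            if needle in msg and tag not in report["insecure"]:
                report["insecure"].append(tag)
        if "PUSH_REPLY" in msg:
            report["pushed"] = extract_pushed(msg)
        if "Initialization Sequence Completed" in msg:
            report["initialized"] = True
    report["hints"] = hints(report)
    return report


if __name__ == "__main__":
    r = analyze(SAMPLE_LOG)
    print("mismatches:", r["mismatches"])
    print("oversized writes:", r["too_large"], "| pushed:", r["pushed"])
    for h in r["hints"]:
        print("-", h)
```

Paste the router's own log in place of `SAMPLE_LOG` (or read it from a file) to triage a real session; the second log in this thread, which has no "Message too large" lines but still reports link-mtu and tun-mtu mismatches, yields only the MTU-alignment hint, matching the advice given later to drop the provider's hand-written options and let the GUI generate the config.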
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 10805
Location: Netherlands

PostPosted: Thu Apr 14, 2022 5:50    Post subject:
Is this a setup to a VPN provider?

If so to which one and what instructions are you following?
Note: almost all instructions of VPN providers are outdated and/or wrong

Without knowing your setup it is difficult to troubleshoot, so post a screenshot of your OpenVPN setup page, the content of the Additional config, any extra scripts/firewall rules you have added and a screenshot of the OpenVPN status page.

The number one mistake is adding settings in the additional config and/or adding extra scripts/firewall rules.

For a regular setup everything can be done with the GUI.

@bLkt already pointed you to the documentation:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327398
You probably want the Client setup guide.

_________________
Routers:Netgear R7800, R7000, R6400v1, R6400v2, Linksys EA8500, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 5390
Location: UK, London, just across the river..

PostPosted: Thu Apr 14, 2022 7:13    Post subject:
I can see you are using CyberGhost
and probably those settings from here:
https://support.cyberghostvpn.com/hc/en-us/articles/213811885-Router-How-to-Set-Up-OpenVPN-on-DD-WRT-Routers

and those are a bit outdated..


read those guides recommended by EGC and tailor your set up accordingly....

https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327398

some options required from CyberGhostVPN, for advanced VPN set up box are not needed on the new DDWRT builds...

last build 48646 https://download1.dd-wrt.com/dd-wrtv2/downloads/betas/2022/

the other confusing bit is, I guess you don't need the startup script posted on their picture, if you set up your router manually...

tips:
-you can use 256-GCM instead of CBC or even chachapoly if it's supported
-in DDWRT there is an option for a killswitch in the VPN GUI--use it if you only use the VPN...
-if you need to use your preferred DNS and the VPN provider allows it read here https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327398

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 50500 WAP
TP-Link WR1043NDv2 -DD-WRT 50963 Gateway,DNS,AP Isolation,Ad-Block,Firewall,Forced DNS,DoT,VPN,VLAN
TP-Link WR1043NDv2 -DD-WRT 50841 Gateway,DNS,Ad-Block,Firewall,Forced DNS,DoT,VPN,VLAN
TP-Link WR1043NDv2 -Gargoyle OS 1.13.0 AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear R7800 --DD-WRT 50963 Gateway,DNS,AD-Block,AP&Net Isolation,VLAN's,Firewall,DoT,Vanilla
Netgear R9000 --DD-WRT 50927 Gateway,DNS,AD-Block,AP Isolation,Firewall,Forced DNS,DoT,2,4Ghz only,Vanilla
Broadcom
Netgear R7000 ---DD-WRT 50927 Gateway,DNS,AD-Block,Firewall,Forced DNS,VLAN's,DoT,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby for DNS over TLS I DNSCrypt v2 by mac913
winterfly
DD-WRT Novice


Joined: 13 Apr 2022
Posts: 3

PostPosted: Thu Apr 14, 2022 7:46    Post subject:
Huge thanks to EGC and Alozaros. Surely it works. You guys rock!

I followed the "DDWRT OpenVPN Client setup guide v15.pdf" EGC wrote; the keys were completely rewriting the additional config as in the guide and not using any firewall rules.

There are some other minor changes too. I opted for: UDP as tunnel protocol (instead of UDP4), AES-256-CBC as the third data cipher (as the SHA256 recommended in the guide is not available to choose).

I'm using Zenmate as the VPN provider. It has the same setup as CyberGhost. Do they share the same engineers/business, just different branding? LOL.

Again, I appreciate all this advice! Now time for a rest with a fully satisfied geek mind.