GL-E750: no VPN after reboot if VPN switch was ON

Hello,

Problem description:

1. Our router GL-E750 is intended to work ONLY in a corporate VPN environment, providing the corporate address space towards WiFi. OpenVPN is used. The OpenVPN server (in the corporate Data Center) is connected to the Internet of course but does not provide the Internet towards the VPN tunnel.
2. If the GL-E750 is rebooted while the VPN switch is OFF (and the VPN Client is not activated), it gets 3G/4G Internet and it is possible to enable VPN and it will work as expected. Looking into logread I can see that initially the GL-E750 is started with some strange time 21-Aug-2022 but later it is synchronized with the defined NTP servers.
3. However, if the GL-E750 is rebooted while the VPN switch is ON (and the VPN Client is activated), the GL-E750 is not able to get the correct time. It gets 3G/4G Internet and immediately opens the VPN (as the client was activated before reboot). But here it is querying the NTP servers over the VPN tunnel where we do not provide Internet, so the GL-E750 fails to get the time, then the OpenVPN client fails as well and is not restarted (this is another issue, not for this post). Then I replaced the standard NTP servers' IPs in /etc/config/system with the IP of my OpenVPN Server, where ntpd is also running. In that case I can see in tcpdump that the OpenVPN server provides the correct time in response to the GL-E750 NTP query, but the box probably does nothing with that. As I said, the time remains 21-Aug-2022 and the OpenVPN client fails in a couple of minutes.

Any ideas?

Regards,
Pavel

Are you sure it is 2022? It should be the time when the firmware is compiled.

This seems difficult to solve, unless NTP is allowed to connect without VPN regardless of the settings.

@alzhao thank you. Does it mean this behavior is “as designed”? I mean, that the box is starting with some internal time (since it does not have RTC installed) and then, after successful NTP sync the time is changed. And in my case, if the VPN is already ON, the NTP failed and the whole process failed also.
What if I put the NTP closer to the modem initialization in /etc/rc.d/ and put some delay in openvpn initialization? Will it help, what do you think?
Another question: why did NTP fail over VPN if my VPN server provides the NTP reply? Which logs can I collect and send you for this?

Thank you,
Pavel

Is this your post?

You can enable vpn policy and do not use vpn for the processes on the router. In that case, your ntp can be connected before vpn tunnel is established.

Thank you @alzhao .
No, this is not my post; however, I will try what they are explaining.
So, what kind of vpn policy should I apply on GL-E750? Route all NTP traffic over WAN? Will try.

Thanks again,
Pavel

untick “use vpn for processes on the router”

Thank you @alzhao for the fast reply.
It does not work: if I apply this policy, i.e. go to “Admin Panel” → “VPN Policies” → “Enable VPN Policy” and unselect “Use VPN for all processes on the router”, then the VPN fails and I have no ping in either direction, Server <–> Client.

I cannot think of any reason for this. So the VPN cannot be connected at all?

Thank you @alzhao .
Correct, in this case VPN is not connecting. As soon as I select the “Use VPN for all processes on the router” back, VPN is connecting.

This seems to be just the opposite of the desired behavior. I will let the developers verify.