GL-MT3000 unable to connect to OpenVPN at hotel

Good day.

I have the following problem: I am in a hotel and almost all sites and VPNs are blocked on the hotel router, but when I use the NordVPN program on Windows with the OpenVPN (TCP) protocol, everything works fine (but only with this protocol).
I connected my GL-MT3000 router to the hotel router and configured it manually using the ovpn file downloaded from the NordVPN account and entered the login and password from the VPN file (as per the instructions). Since NordVPN is blocked in the hotel, this is the only way to upload the settings to the router through the file.

But the router cannot connect to the VPN file (it says "The client is starting, please wait…" and that's it). I am connected to the hotel router in repeater mode.

I am attaching the log:

Sun May 11 15:25:47 2025 daemon.notice ovpnclient[13934]: TLS: Initial packet from [AF_INET]45.136.155.142:443, sid=ddf21db9 a93c589f
Sun May 11 15:26:47 2025 daemon.err ovpnclient[13934]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sun May 11 15:26:47 2025 daemon.err ovpnclient[13934]: TLS Error: TLS handshake failed
Sun May 11 15:26:47 2025 daemon.err ovpnclient[13934]: Fatal TLS error (check_tls_errors_co), restarting
Sun May 11 15:26:47 2025 daemon.notice ovpnclient[13934]: SIGHUP[soft,tls-error] received, process restarting
Sun May 11 15:26:47 2025 daemon.notice ovpnclient[13934]: OpenVPN 2.5.3 aarch64-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Sun May 11 15:26:47 2025 daemon.notice ovpnclient[13934]: library versions: OpenSSL 1.1.1q 5 Jul 2022, LZO 2.10
Sun May 11 15:26:47 2025 daemon.notice ovpnclient[13934]: Restart pause, 2 second(s)
Sun May 11 15:26:49 2025 daemon.warn ovpnclient[13934]: WARNING: --ping should normally be used with --ping-restart or --ping-exit
Sun May 11 15:26:49 2025 daemon.warn ovpnclient[13934]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sun May 11 15:26:49 2025 daemon.notice ovpnclient[13934]: NOTE: --fast-io is disabled since we are not using UDP
Sun May 11 15:26:49 2025 daemon.notice ovpnclient[13934]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Sun May 11 15:26:49 2025 daemon.notice ovpnclient[13934]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Sun May 11 15:26:49 2025 daemon.notice ovpnclient[13934]: TCP/UDP: Preserving recently used remote address: [AF_INET]45.136.155.142:443
Sun May 11 15:26:49 2025 daemon.notice ovpnclient[13934]: Socket Buffers: R=[131072->131072] S=[16384->16384]
Sun May 11 15:26:49 2025 daemon.notice ovpnclient[13934]: Attempting to establish TCP connection with [AF_INET]45.136.155.142:443 [nonblock]
Sun May 11 15:26:49 2025 daemon.notice ovpnclient[13934]: TCP connection established with [AF_INET]45.136.155.142:443
Sun May 11 15:26:49 2025 daemon.notice ovpnclient[13934]: TCP_CLIENT link local: (not bound)
Sun May 11 15:26:49 2025 daemon.notice ovpnclient[13934]: TCP_CLIENT link remote: [AF_INET]45.136.155.142:443
Sun May 11 15:26:49 2025 daemon.notice ovpnclient[13934]: TLS: Initial packet from [AF_INET]45.136.155.142:443, sid=f7591b45 b9e7eb94

When I connect the router in repeater mode to the access point of my mobile phone and turn on VPN on the router - then everything works - the VPN is configured correctly.

Also, when I connect the router in repeater mode to the hotel WiFi, it works, only the hotel restrictions are imposed.

I would like to ask you for help with my problem: configuring NordVPN to work on the router when connected to the hotel WiFi.

Device:
GL.iNet GL-MT3000
OpenWrt 21.02-SNAPSHOT r15812+912-46b6ee7ffc
Kernel 5.4.211
Admin Panel: 4.7.4

Hi,

  1. I checked the attached VPN log and found that there may be some network firewall restrictions that identify the OpenVPN feature traffic and may block this kind of traffic from the OVPN protocol.

  2. The NordVPN app test on the PC is normal; is it connected to a server that supports obfuscation?

  3. When the test router is connected to the phone hotspot through repeater, NordVPN is normal; it may be that the phone operator has no network restrictions.

If there is indeed such a limitation in the hotel WiFi, we have no solution to make NordVPN connect.

1 Like

Good day,

Yes, I am in Turkey and I am using the hotel's WiFi, and I will stay here for a few months.

First of all, I want to inform you that the GL router is always working as a repeater in all the tests below:

  1. Yes, they are blocking. The hotel's WiFi uses FortiGuard protection to block a lot of websites; even YouTube I can only watch in a children's mode and cannot remove this restriction.
    - Without VPN, sometimes a message appears instead of the website: "FortiGuard Intrusion Prevention Access Blocked, Web Page Blocked, This is violation of your internet usage policy/illegal or Unethical"

  2. When I start the NordVPN app on the PC, it works normally only when I choose the protocol "OpenVPN (TCP)" in the NordVPN app settings.
    Tests of protocols:
    - Auto Protocol is not working
    - NordLynx Protocol is not working
    - OpenVPN (TCP) is working well, all restrictions are gone and all websites are available
    - OpenVPN (UDP) is not working
    - NordWhisper is not working

  3. True. My Turkish SIM card operator has no network restrictions; that's why, when I connect the GL router to my mobile hotspot as a repeater, I can start OpenVPN on the router.

It is somewhat strange that OpenVPN (TCP) is not working on the router, because I put the TCP config there, but the router still cannot connect.

Thank you for your checks and reply

I would like the router to work with the OpenVPN TCP protocol as well as it does in the NordVPN application.

I really want to make it so that the VPN works on the router, and not through the application.

Maybe there are some ideas on how to make it work?

Hi,

I checked the server location information through the server IP in the log. I found that the server is located in your country. So, I guess your DNS may have been hijacked.

You can also do some verification. Use the same VPN configuration, connect through a mobile hotspot, or connect as a repeater. Are they connected to the same IP server?

I suggest you turn on encrypted DNS and try again.
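
An added example (not part of any post in this thread, and not GL.iNet or NordVPN code): a small Python parser that performs the verification suggested above, comparing which server IP the router reached on each network and how far each OpenVPN attempt got. The hotel lines are copied from the log posted in this thread; the hotspot lines, the function names and the verdict strings are constructed for illustration, and the verdict is a heuristic.

```python
import re

REMOTE = re.compile(r"\[AF_INET\](\d+\.\d+\.\d+\.\d+:\d+)")
# Log substring -> stage it proves was reached; the last two end an attempt.
MARKERS = [("Attempting to establish TCP connection", "connecting"),
           ("TCP connection established", "tcp_established"),
           ("TLS: Initial packet from", "tls_started"),
           ("Initialization Sequence Completed", "connected"),
           ("TLS key negotiation failed", "tls_timeout")]

def attempts(log_text):
    """Return one (remote, outcome or furthest stage) tuple per connection attempt."""
    out, remote, stage = [], None, None
    for line in log_text.splitlines():
        name = next((n for needle, n in MARKERS if needle in line), None)
        if name is None:
            continue
        if name == "connecting" and stage is not None:
            out.append((remote, stage))  # earlier attempt ended without a verdict
        m = REMOTE.search(line)
        remote = m.group(1) if m else remote
        stage = name
        if name in ("connected", "tls_timeout"):
            out.append((remote, stage))
            remote, stage = None, None
    return out + ([(remote, stage)] if stage else [])

def compare(hotel_log, other_log):
    """Heuristic: the same remote IP on both networks rules out DNS as the difference."""
    h, o = attempts(hotel_log), attempts(other_log)
    if {r for r, _ in h} != {r for r, _ in o}:
        return "different server IPs: compare DNS answers on the two networks"
    if "tls_timeout" in {s for _, s in h} and "connected" in {s for _, s in o}:
        return "same server, TLS stalls only at the hotel: in-path filtering likely"
    return "inconclusive"

# Hotel lines copied from the log posted in this thread.
HOTEL_LOG = """\
Sun May 11 15:25:47 2025 daemon.notice ovpnclient[13934]: TLS: Initial packet from [AF_INET]45.136.155.142:443, sid=ddf21db9 a93c589f
Sun May 11 15:26:47 2025 daemon.err ovpnclient[13934]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sun May 11 15:26:49 2025 daemon.notice ovpnclient[13934]: TCP connection established with [AF_INET]45.136.155.142:443
Sun May 11 15:26:49 2025 daemon.notice ovpnclient[13934]: TLS: Initial packet from [AF_INET]45.136.155.142:443, sid=f7591b45 b9e7eb94
"""
# Constructed sample of a successful run over the phone hotspot (timestamps and sid invented).
HOTSPOT_LOG = """\
Sun May 11 16:00:00 2025 daemon.notice ovpnclient[14000]: TCP connection established with [AF_INET]45.136.155.142:443
Sun May 11 16:00:00 2025 daemon.notice ovpnclient[14000]: TLS: Initial packet from [AF_INET]45.136.155.142:443, sid=00000000 00000000
Sun May 11 16:00:02 2025 daemon.notice ovpnclient[14000]: Initialization Sequence Completed
"""
print(attempts(HOTEL_LOG), compare(HOTEL_LOG, HOTSPOT_LOG))
```

A `tls_timeout` after `tls_started` means the TCP connection and the server's first packet both got through, so the port is reachable and the name resolved; the stall happens inside the handshake.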

The GL router is connected to the hotel's Wi-Fi in repeater mode and to the same IP server. And I connect to Turkey via VPN because it gives the highest speed, since sites are not blocked in Turkey itself; they are blocked at the hotel's Wi-Fi level.

I tried to do it according to your instructions and connect in DNS encryption mode. The router was able to connect with DNS encryption mode only in WireGuard Client mode; in OpenVPN Client mode it still does not connect. What could be the reason?

But in WireGuard Client mode and with DNS encryption enabled, everything worked: all sites and torrents were unblocked and the Internet speed is about 80 Mbps, which is very good.

I also want to ask you, which DNS encryption mode is better to choose, based on your experience?

Thank you very much, with respect. I will wait for your answer.

Using different DNS upstreams may resolve the VPN server domain name to different IP addresses to avoid firewall interception.
Maybe the IP address of the server you selected is still on the list blocked by the hotel firewall.

The purpose of using encrypted DNS is to prevent firewalls from hijacking DNS requests. In your case, it is recommended to use DNS-over-HTTPS, which can be mixed in with regular HTTPS traffic to avoid being identified and discarded by firewalls.