No internet for WiFi clients

Technical Support for Routers
1

I’m attempting to troubleshoot a bit of an odd problem.

I have a GL-MT300Nv2 on an OpenVPN tunnel. I can plug into the LAN ethernet interface and my computer can reach the internet (IP and domain resolution works fine). If I unplug the ethernet cable and connect to the WiFi network, my computer can no longer reach the internet (pings to both IP addresses and domain names time out).

Even while the WiFi client cannot reach the internet, the GL-MT300Nv2 is accessible through the VPN, so it has internet (can successfully ping IPs and resolve domain names).

Any ideas on why local WiFi clients can’t reach the internet when local ethernet-connected clients can?

2

How about stop openvpn?

3

Stopping the OpenVPN connection does restore internet access. It seems that reconnecting to the VPN enables access temporarily, but then WiFi clients lose access once again.

I do need to route all traffic through an encrypted tunnel, however, so abandoning the VPN is not really an option. Going to try disabling DHCPv6 on the router and see if that plays nicer with OpenVPN.

4

I turned off IPv6 services on the LAN interface, and this seemed to help. (In Luci, Network → Interfaces → LAN → DHCP server → IPv6 Settings: change Router Advertisement-Service and DHCPv6-Service to ‘disabled’).

Prior to this, the router had much higher ping latency when connected to the ovpn server, and would oscillate between a sequence of high-ping successful transmissions and a series of drops. With IPv6 settings disabled, ping times were lower and drops did not occur.

I’m not sure why this would be happening, but it seems to be working for the time being. Now to figure out why the VPN is dropping intermittently without restarting…

5

Still having issues with clients dropping the connection. Seeing tons of DHCP chatter, perhaps they are having trouble getting an address from the router? Why would there be so many rounds of acknowledgements, lease time is 12h?

Sun Sep 2 00:18:33 2018 daemon.info dnsmasq-dhcp[2529]: DHCPACK(br-lan) 10.29.7.151 34:08:bc:3b:9c:42 Hannahs-phone
Sun Sep 2 00:19:24 2018 daemon.info dnsmasq-dhcp[2529]: DHCPREQUEST(br-lan) 10.29.7.151 34:08:bc:3b:9c:42
Sun Sep 2 00:19:24 2018 daemon.info dnsmasq-dhcp[2529]: DHCPACK(br-lan) 10.29.7.151 34:08:bc:3b:9c:42 Hannahs-phone
Sun Sep 2 00:20:07 2018 daemon.info dnsmasq-dhcp[2529]: DHCPREQUEST(br-lan) 10.29.7.151 34:08:bc:3b:9c:42
Sun Sep 2 00:20:07 2018 daemon.info dnsmasq-dhcp[2529]: DHCPACK(br-lan) 10.29.7.151 34:08:bc:3b:9c:42 Hannahs-phone
Sun Sep 2 00:20:49 2018 daemon.info dnsmasq-dhcp[2529]: DHCPREQUEST(br-lan) 10.29.7.151 34:08:bc:3b:9c:42
Sun Sep 2 00:20:49 2018 daemon.info dnsmasq-dhcp[2529]: DHCPACK(br-lan) 10.29.7.151 34:08:bc:3b:9c:42 Hannahs-phone
Sun Sep 2 00:21:47 2018 daemon.info dnsmasq-dhcp[2529]: DHCPREQUEST(br-lan) 10.29.7.151 34:08:bc:3b:9c:42
Sun Sep 2 00:21:47 2018 daemon.info dnsmasq-dhcp[2529]: DHCPACK(br-lan) 10.29.7.151 34:08:bc:3b:9c:42 Hannahs-phone
Sun Sep 2 00:41:05 2018 daemon.info dnsmasq-dhcp[2529]: DHCPREQUEST(br-lan) 10.29.7.151 34:08:bc:3b:9c:42
Sun Sep 2 00:41:05 2018 daemon.info dnsmasq-dhcp[2529]: DHCPACK(br-lan) 10.29.7.151 34:08:bc:3b:9c:42 Hannahs-phone

6

OK. I think I’ve isolated the issue. Every so often, it looks like the VPN client is attempting to reconnect. While it looks as though it fails, I think the router thinks it is connected. Here is what the status page in the GL.iNet UI looks like:

image
image1857×1053 327 KB

And here is the logfile showing the reconnect with connectivity down:

Sun Sep 2 13:31:22 2018 daemon.warn openvpn[1493]: WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
Sun Sep 2 13:31:22 2018 daemon.notice openvpn[1493]: TCP/UDP: Preserving recently used remote address: [AF_INET][Server IP Removed]
Sun Sep 2 13:31:22 2018 daemon.notice openvpn[1493]: Socket Buffers: R=[163840->200000] S=[163840->200000]
Sun Sep 2 13:31:22 2018 daemon.notice openvpn[1493]: UDP link local: (not bound)
Sun Sep 2 13:31:22 2018 daemon.notice openvpn[1493]: UDP link remote: [AF_INET][Server IP Removed]
Sun Sep 2 13:31:22 2018 daemon.notice openvpn[1493]: TLS: Initial packet from [AF_INET][Server IP Removed], sid=28f3c7fd 16395d6f
Sun Sep 2 13:31:22 2018 daemon.notice openvpn[1493]: VERIFY OK: depth=1, CN=OpenVPN CA
Sun Sep 2 13:31:22 2018 daemon.notice openvpn[1493]: VERIFY OK: nsCertType=SERVER
Sun Sep 2 13:31:22 2018 daemon.notice openvpn[1493]: VERIFY OK: depth=0, CN=OpenVPN Server
Sun Sep 2 13:31:24 2018 daemon.notice openvpn[1493]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Sun Sep 2 13:31:24 2018 daemon.notice openvpn[1493]: [OpenVPN Server] Peer Connection Initiated with [AF_INET][Server IP Removed]
Sun Sep 2 13:31:25 2018 daemon.notice openvpn[1493]: Key [AF_INET][Server IP Removed] [0] not initialized (yet), dropping packet.
Sun Sep 2 13:31:25 2018 daemon.notice openvpn[1493]: SENT CONTROL [OpenVPN Server]: ‘PUSH_REQUEST’ (status=1)
Sun Sep 2 13:31:25 2018 daemon.notice openvpn[1493]: PUSH: Received control message: ‘PUSH_REPLY,explicit-exit-notify,topology subnet,route-delay 5 30,dhcp-pre-release,dhcp-renew,dhcp-release,route-metric 101,ping 15,ping-restart 75,comp-lzo yes,redirect-gateway def1,redirect-gateway bypass-dhcp,redirect-gateway autolocal,route-gateway 10.27.0.145,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,register-dns,block-ipv6,ifconfig 10.27.0.156 255.255.255.240’
Sun Sep 2 13:31:25 2018 daemon.warn openvpn[1493]: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:4: dhcp-pre-release (2.4.3)
Sun Sep 2 13:31:25 2018 daemon.warn openvpn[1493]: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:5: dhcp-renew (2.4.3)
Sun Sep 2 13:31:25 2018 daemon.warn openvpn[1493]: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:6: dhcp-release (2.4.3)
Sun Sep 2 13:31:25 2018 daemon.warn openvpn[1493]: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:17: register-dns (2.4.3)
Sun Sep 2 13:31:25 2018 daemon.warn openvpn[1493]: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:18: block-ipv6 (2.4.3)
Sun Sep 2 13:31:25 2018 daemon.notice openvpn[1493]: OPTIONS IMPORT: timers and/or timeouts modified
Sun Sep 2 13:31:25 2018 daemon.notice openvpn[1493]: OPTIONS IMPORT: explicit notify parm(s) modified
Sun Sep 2 13:31:25 2018 daemon.notice openvpn[1493]: OPTIONS IMPORT: compression parms modified
Sun Sep 2 13:31:25 2018 daemon.notice openvpn[1493]: OPTIONS IMPORT: --ifconfig/up options modified
Sun Sep 2 13:31:25 2018 daemon.notice openvpn[1493]: OPTIONS IMPORT: route options modified
Sun Sep 2 13:31:25 2018 daemon.notice openvpn[1493]: OPTIONS IMPORT: route-related options modified
Sun Sep 2 13:31:25 2018 daemon.notice openvpn[1493]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sun Sep 2 13:31:25 2018 daemon.notice openvpn[1493]: Data Channel Encrypt: Cipher ‘AES-128-CBC’ initialized with 128 bit key
Sun Sep 2 13:31:25 2018 daemon.notice openvpn[1493]: Data Channel Encrypt: Using 160 bit message hash ‘SHA1’ for HMAC authentication
Sun Sep 2 13:31:25 2018 daemon.notice openvpn[1493]: Data Channel Decrypt: Cipher ‘AES-128-CBC’ initialized with 128 bit key
Sun Sep 2 13:31:25 2018 daemon.notice openvpn[1493]: Data Channel Decrypt: Using 160 bit message hash ‘SHA1’ for HMAC authentication
Sun Sep 2 13:31:25 2018 daemon.notice netifd: Interface ‘VPN_client’ is enabled
Sun Sep 2 13:31:25 2018 daemon.notice netifd: Network device ‘tun0’ link is up
Sun Sep 2 13:31:25 2018 daemon.notice netifd: Interface ‘VPN_client’ has link connectivity
Sun Sep 2 13:31:25 2018 daemon.notice netifd: Interface ‘VPN_client’ is setting up now
Sun Sep 2 13:31:25 2018 daemon.notice netifd: Interface ‘VPN_client’ is now up
Sun Sep 2 13:31:25 2018 daemon.notice openvpn[1493]: TUN/TAP device tun0 opened
Sun Sep 2 13:31:25 2018 daemon.notice openvpn[1493]: TUN/TAP TX queue length set to 100
Sun Sep 2 13:31:25 2018 daemon.notice openvpn[1493]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Sun Sep 2 13:31:25 2018 daemon.notice openvpn[1493]: /sbin/ip link set dev tun0 up mtu 1500
Sun Sep 2 13:31:25 2018 daemon.notice openvpn[1493]: /sbin/ip addr add dev tun0 10.27.0.156/28 broadcast 10.27.0.159
Sun Sep 2 13:31:25 2018 user.notice firewall: Reloading firewall due to ifup of VPN_client (tun0)
Sun Sep 2 13:31:30 2018 daemon.notice openvpn[1493]: /sbin/ip route add [Server IP Removed] via [ISP IP Removed] > Sun Sep 2 13:31:30 2018 daemon.notice openvpn[1493]: /sbin/ip route add 0.0.0.0/1 via 10.27.0.145
Sun Sep 2 13:31:30 2018 daemon.notice openvpn[1493]: /sbin/ip route add 128.0.0.0/1 via 10.27.0.145
Sun Sep 2 13:31:30 2018 daemon.warn openvpn[1493]: WARNING: this configuration may cache passwords in memory – use the auth-nocache option to prevent this
Sun Sep 2 13:31:30 2018 daemon.notice openvpn[1493]: Initialization Sequence Completed
Sun Sep 2 13:31:42 2018 daemon.info dnsmasq[2307]: read /etc/hosts - 4 addresses
Sun Sep 2 13:31:42 2018 daemon.info dnsmasq[2307]: read /tmp/hosts/dhcp.cfg02411c - 3 addresses
Sun Sep 2 13:31:42 2018 daemon.info dnsmasq-dhcp[2307]: read /etc/ethers - 0 addresses
Sun Sep 2 13:31:42 2018 daemon.warn openvpn[2905]: WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
Sun Sep 2 13:31:43 2018 daemon.notice openvpn[2905]: TCP/UDP: Preserving recently used remote address: [AF_INET][Server IP Removed]
Sun Sep 2 13:31:43 2018 daemon.notice openvpn[2905]: Socket Buffers: R=[163840->200000] S=[163840->200000]
Sun Sep 2 13:31:43 2018 daemon.notice openvpn[2905]: UDP link local: (not bound)
Sun Sep 2 13:31:43 2018 daemon.notice openvpn[2905]: UDP link remote: [AF_INET][Server IP Removed]
Sun Sep 2 13:31:43 2018 daemon.notice openvpn[2905]: TLS: Initial packet from [AF_INET][Server IP Removed], sid=a3898673 1c17e09e
Sun Sep 2 13:31:43 2018 daemon.notice openvpn[2905]: VERIFY OK: depth=1, CN=OpenVPN CA
Sun Sep 2 13:31:43 2018 daemon.notice openvpn[2905]: VERIFY OK: nsCertType=SERVER
Sun Sep 2 13:31:43 2018 daemon.notice openvpn[2905]: VERIFY OK: depth=0, CN=OpenVPN Server
Sun Sep 2 13:31:44 2018 daemon.notice openvpn[2905]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Sun Sep 2 13:31:44 2018 daemon.notice openvpn[2905]: [OpenVPN Server] Peer Connection Initiated with [AF_INET][Server IP Removed]
> Sun Sep 2 13:31:44 2018 daemon.err openvpn[1493]: Halt command was pushed by server (‘disconnected due to new connection by same user’)
> Sun Sep 2 13:31:44 2018 daemon.notice openvpn[1493]: SIGTERM received, sending exit notification to peer
Sun Sep 2 13:31:45 2018 daemon.notice openvpn[2905]: Key [AF_INET][Server IP Removed] [0] not initialized (yet), dropping packet.
Sun Sep 2 13:31:45 2018 daemon.notice openvpn[2905]: SENT CONTROL [OpenVPN Server]: ‘PUSH_REQUEST’ (status=1)
Sun Sep 2 13:31:45 2018 daemon.notice openvpn[2905]: Key [AF_INET][Server IP Removed] [0] not initialized (yet), dropping packet.
Sun Sep 2 13:31:45 2018 daemon.notice openvpn[2905]: Key [AF_INET][Server IP Removed] [0] not initialized (yet), dropping packet.
Sun Sep 2 13:31:45 2018 daemon.notice openvpn[2905]: PUSH: Received control message: ‘PUSH_REPLY,explicit-exit-notify,topology subnet,route-delay 5 30,dhcp-pre-release,dhcp-renew,dhcp-release,route-metric 101,ping 15,ping-restart 75,comp-lzo yes,redirect-gateway def1,redirect-gateway bypass-dhcp,redirect-gateway autolocal,route-gateway 10.27.0.145,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,register-dns,block-ipv6,ifconfig 10.27.0.158 255.255.255.240’
Sun Sep 2 13:31:45 2018 daemon.warn openvpn[2905]: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:4: dhcp-pre-release (2.4.3)
Sun Sep 2 13:31:45 2018 daemon.warn openvpn[2905]: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:5: dhcp-renew (2.4.3)
Sun Sep 2 13:31:45 2018 daemon.warn openvpn[2905]: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:6: dhcp-release (2.4.3)
Sun Sep 2 13:31:45 2018 daemon.warn openvpn[2905]: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:17: register-dns (2.4.3)
Sun Sep 2 13:31:45 2018 daemon.warn openvpn[2905]: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:18: block-ipv6 (2.4.3)
Sun Sep 2 13:31:45 2018 daemon.notice openvpn[2905]: OPTIONS IMPORT: timers and/or timeouts modified
Sun Sep 2 13:31:45 2018 daemon.notice openvpn[2905]: OPTIONS IMPORT: explicit notify parm(s) modified
Sun Sep 2 13:31:45 2018 daemon.notice openvpn[2905]: OPTIONS IMPORT: compression parms modified
Sun Sep 2 13:31:45 2018 daemon.notice openvpn[2905]: OPTIONS IMPORT: --ifconfig/up options modified
Sun Sep 2 13:31:45 2018 daemon.notice openvpn[2905]: OPTIONS IMPORT: route options modified
Sun Sep 2 13:31:45 2018 daemon.notice openvpn[2905]: OPTIONS IMPORT: route-related options modified
Sun Sep 2 13:31:45 2018 daemon.notice openvpn[2905]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sun Sep 2 13:31:45 2018 daemon.notice openvpn[2905]: Data Channel Encrypt: Cipher ‘AES-128-CBC’ initialized with 128 bit key
Sun Sep 2 13:31:45 2018 daemon.notice openvpn[2905]: Data Channel Encrypt: Using 160 bit message hash ‘SHA1’ for HMAC authentication
Sun Sep 2 13:31:45 2018 daemon.notice openvpn[2905]: Data Channel Decrypt: Cipher ‘AES-128-CBC’ initialized with 128 bit key
Sun Sep 2 13:31:45 2018 daemon.notice openvpn[2905]: Data Channel Decrypt: Using 160 bit message hash ‘SHA1’ for HMAC authentication
Sun Sep 2 13:31:45 2018 daemon.notice openvpn[2905]: TUN/TAP device tun1 opened
Sun Sep 2 13:31:45 2018 daemon.notice openvpn[2905]: TUN/TAP TX queue length set to 100
Sun Sep 2 13:31:45 2018 daemon.notice openvpn[2905]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Sun Sep 2 13:31:45 2018 daemon.notice openvpn[2905]: /sbin/ip link set dev tun1 up mtu 1500
Sun Sep 2 13:31:45 2018 daemon.notice openvpn[2905]: /sbin/ip addr add dev tun1 10.27.0.158/28 broadcast 10.27.0.159
Sun Sep 2 13:31:45 2018 daemon.notice openvpn[1493]: /sbin/ip route del [Server IP Removed] > Sun Sep 2 13:31:45 2018 daemon.notice openvpn[1493]: /sbin/ip route del 0.0.0.0/1
Sun Sep 2 13:31:45 2018 daemon.notice openvpn[1493]: /sbin/ip route del 128.0.0.0/1
> Sun Sep 2 13:31:45 2018 daemon.notice openvpn[1493]: Closing TUN/TAP interface
> Sun Sep 2 13:31:45 2018 daemon.notice openvpn[1493]: /sbin/ip addr del dev tun0 10.27.0.156/28
> Sun Sep 2 13:31:45 2018 daemon.notice netifd: Network device ‘tun0’ link is down
> Sun Sep 2 13:31:45 2018 daemon.notice netifd: Interface ‘VPN_client’ has link connectivity loss
> Sun Sep 2 13:31:45 2018 daemon.notice netifd: Interface ‘VPN_client’ is now down
> Sun Sep 2 13:31:45 2018 daemon.notice openvpn[1493]: SIGTERM[soft,exit-with-notification] received, process exiting
> Sun Sep 2 13:31:45 2018 daemon.notice netifd: Interface ‘VPN_client’ is disabled
Sun Sep 2 13:31:50 2018 daemon.notice openvpn[2905]: /sbin/ip route add [Server IP Removed]via [ISP IP Removed]
Sun Sep 2 13:31:50 2018 daemon.notice openvpn[2905]: /sbin/ip route add 0.0.0.0/1 via 10.27.0.145
Sun Sep 2 13:31:50 2018 daemon.notice openvpn[2905]: /sbin/ip route add 128.0.0.0/1 via 10.27.0.145
Sun Sep 2 13:31:50 2018 daemon.warn openvpn[2905]: WARNING: this configuration may cache passwords in memory – use the auth-nocache option to prevent this
Sun Sep 2 13:31:50 2018 daemon.notice openvpn[2905]: Initialization Sequence Completed
Sun Sep 2 13:54:41 2018 daemon.info dnsmasq-dhcp[2307]: DHCPREQUEST(br-lan) 10.29.7.151 34:08:bc:3b:9c:42
Sun Sep 2 13:54:41 2018 daemon.info dnsmasq-dhcp[2307]: DHCPACK(br-lan) 10.29.7.151 34:08:bc:3b:9c:42 Hannahs-phone
Sun Sep 2 14:15:41 2018 daemon.info dnsmasq-dhcp[2307]: DHCPDISCOVER(br-lan) 10.29.7.214 24:77:03:51:0f:50
Sun Sep 2 14:15:41 2018 daemon.info dnsmasq-dhcp[2307]: DHCPOFFER(br-lan) 10.29.7.214 24:77:03:51:0f:50
Sun Sep 2 14:15:41 2018 daemon.info dnsmasq-dhcp[2307]: DHCPREQUEST(br-lan) 10.29.7.214 24:77:03:51:0f:50
Sun Sep 2 14:15:41 2018 daemon.info dnsmasq-dhcp[2307]: DHCPACK(br-lan) 10.29.7.214 24:77:03:51:0f:50 DESKTOP-605D4QH

7

Seems in your ovpn there are a lot of unsupported options.
I also doubt that the router created multiple connections so the server kick you out.

SSH to the router and check by using ifconfig if there are multiple tun command.

8

If you have the routers switch configured to enable/disable VPN - configure it to be disabled (default) and reboot the router.

9

Wow, I think this may have worked. Though I’m not sure why.

At startup, I could clearly see two OpenVPN processes sort of ‘leap frogging’ eachother. With the switch off, there is only one.

And the connection also appears much more stable after startup. Clients appear to keep and hold a VPN connection and it looks like all the DHCPINFORM DHCPACK traffic has subsided.

What about the switch could have led to all of that instability? The physical switch is one of the reasons we went with these units, as the ability for edge users to disable the VPN for certain applications is important. Is there a way to reintroduce the switch functionality without compromising VPN stability?

Thanks for your help!

10

There is a race condition in the initscripts. /etc/init.d/initswitch first starts openvpn, then in /etc/init.d/startvpn starts openvpn agian. They conflict with each other. Disabling the switch masks the problem.

For more info see: VPN Instability getting old - #5 by nopro404

In that post I list a few lines you can add to the startvpn script to get the switch to work again.

11

So far this is working great, thanks for the assistance!